F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP 15.1.5 Fixes and Known Issues
Supplemental Document : BIG-IP 15.1.5 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.5

BIG-IP APM

  • 15.1.5

BIG-IP Link Controller

  • 15.1.5

BIG-IP Analytics

  • 15.1.5

BIG-IP LTM

  • 15.1.5

BIG-IP AFM

  • 15.1.5

BIG-IP PEM

  • 15.1.5

BIG-IP DNS

  • 15.1.5

BIG-IP FPS

  • 15.1.5

BIG-IP ASM

  • 15.1.5
Updated Date: 05/26/2022

BIG-IP Release Information

Version: 15.1.5
Build: 10.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Known Issues in BIG-IP v15.1.x

Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1015133-3 3-Major   Tail loss can cause TCP TLP to retransmit slowly. 14.1.4.5, 15.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
749332-2 2-Critical BT749332 Client-SSL Object's description can be updated using CLI and with REST PATCH operation 14.1.4.4, 15.1.5
1040929 2-Critical BT1040929 Change F5OS BIG-IP tenant name from VELOS to F5OS 15.1.5
1004929-2 2-Critical BT1004929 During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 14.1.4.5, 15.1.5
996001-1 3-Major BT996001 AVR Inspection Dashboard 'Last Month' does not show all data points 14.1.4.5, 15.1.5
940185-2 3-Major   icrd_child may consume excessive resources while processing REST requests 14.1.4.5, 15.1.5
940177-1 3-Major BT940177 Certificate instances tab shows incorrect number of instances in certain conditions 15.1.5
888869-2 3-Major BT888869 GUI reports General Database Error when accessing Instances Tab of SSL Certificates 15.1.5
1055785 3-Major BT1055785 SmartNIC 2.0: stats throughput logging is broken on Virtual Edition dashboard 15.1.5
1048917 3-Major   Image2disk does not work on F5OS BIG-IP tenant. 15.1.5
1032949 3-Major BT1032949 Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate 15.1.5
1022637-2 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 15.1.5
1019793 3-Major   Image2disk does not work on F5OS BIG-IP tenant. 15.1.5
528894-6 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 15.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1064649-1 2-Critical   Tmm crash after upgrade 15.1.5
1060093 2-Critical BT1060093 Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues 15.1.5
1056213 2-Critical   TMM core due to freeing of connflow, assuming it as http data 15.1.5
1047089 2-Critical   TMM may crash will processing TLS/DTLS traffic 15.1.5
1040361-2 2-Critical BT1040361 TMM crashes during its startup when TMC destination port list attached/deleted to virtual server 14.1.4.5, 15.1.5, 16.1.2
1013181-2 2-Critical BT1013181 TMM may produce core when dynamic CRL check is enabled on the client SSL profile 15.1.5
1000021-5 2-Critical   TMM may consume excessive resources while processing packet filters 15.1.5
999097-3 3-Major BT999097 SSL::profile may select profile with outdated configuration 14.1.4.5, 15.1.5
997193-1 3-Major   TCP connections may fail when AFM global syncookies are in operation. 14.1.4.5, 15.1.5
967093-1 3-Major   In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail 15.1.5
686395-3 3-Major BT686395 With DTLS version1, when client hello uses version1.2, handshake shall proceed 12.1.3.4, 15.1.5
608952-1 3-Major BT608952 MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5
1065789-2 3-Major   TMM may send duplicated alerts while processing SSL connections 15.1.5
1038629 3-Major   DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 14.1.4.5, 15.1.5
1034365-2 3-Major BT1034365 DTLS handshake fails with DTLS1.2 client version 14.1.4.5, 15.1.5
1015201 3-Major BT1015201 HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. 14.1.4.4, 15.1.5
1007749-1 3-Major BT1007749 URI TCL parse functions fail when there are interior segments with periods and semi-colons 15.1.5
1024761-3 4-Minor BT1024761 HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body 15.1.5
1005109-2 4-Minor BT1005109 TMM crashes when changing traffic-group on IPv6 link-local address 14.1.4.5, 15.1.5
898929-4 5-Cosmetic BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 14.1.4.5, 15.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1035853-3 2-Critical   Transparent DNS Cache can consume excessive resources. 14.1.4.5, 15.1.5, 16.1.2
935249-2 3-Major BT935249 GTM virtual servers have the wrong status 15.1.5
1039553-2 3-Major BT1039553 Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors 15.1.5
1024553-2 3-Major BT1024553 GTM Pool member set to monitor type "none" results in big3d: timed out 14.1.4.5, 15.1.5
1021061-3 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 14.1.4.5, 15.1.5
1011285-2 3-Major BT1011285 The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. 15.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
993613-5 2-Critical BT993613 Device fails to request full sync 14.1.4.5, 15.1.5
984593-2 3-Major BT984593 BD crash 14.1.4.5, 15.1.5
907025-3 3-Major BT907025 Live update error" 'Try to reload page' 14.1.4.5, 15.1.5
885765-3 3-Major BT885765 ASMConfig Handler undergoes frequent restarts 14.1.4.5, 15.1.5
580715-2 3-Major BT580715 ASM is not sending 64 KB remote logs over UDP 15.1.5
1045101-3 3-Major   Bd may crash while processing ASM traffic 15.1.5
1004069-1 3-Major BT1004069 Brute force attack is detected too soon 14.1.4.5, 15.1.5, 16.1.2
1003317-3 3-Major   ASM signatures do not match as expected 14.1.4.5, 15.1.5
886865-1 4-Minor BT886865 P3P header is added for all browsers, but required only for Internet Explorer 14.1.4.5, 15.1.5
1016033-2 4-Minor BT1016033 Remote logging of WS/WSS shows date_time equal to Unix epoch start time 15.1.5
1002385-3 4-Minor   Fixing issue with input normalization 15.1.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1009093-1 2-Critical BT1009093 GUI widgets pages are not functioning correctly 15.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883889-3 2-Critical BT883889 Tmm might crash when under memory pressure 14.1.4.5, 15.1.5
997761-2 3-Major BT997761 Subsessionlist entries leak if there is no RADIUS accounting agent in policy 15.1.5
973673-1 3-Major BT973673 CPU spikes when the LDAP operational timeout is set to 180 seconds 15.1.5
926973-1 3-Major BT926973 APM / OAuth issue with larger JWT validation 15.1.5
828761-1 3-Major BT828761 APM OAuth - Auth Server attached iRule works inconsistently 14.1.4.5, 15.1.5
738593-2 3-Major   Vmware Horizon session collaboration (shadow session) feature does not work through APM 14.1.4.5, 15.1.5
1020561-1 3-Major BT1020561 Session memory increases over time due to db_access_set_accessinfo can leak sresult key/data in error case 15.1.5
942965-2 4-Minor BT942965 Local users database can sometimes take more than 5 minutes to sync to the standby device 14.1.4.5, 15.1.5
886841-1 4-Minor BT886841 Allow LDAP Query and HTTP Connector for API Protection policies 15.1.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1047053-2 2-Critical   TMM may consume excessive resources while processing RTSP traffic 15.1.5
1029397-1 2-Critical   Tmm may crash with SIP-ALG deployment in a particular race condition 15.1.5
1056933-5 3-Major   TMM may crash while processing SIP traffic 15.1.5
1039329-1 3-Major   MRF per peer mode is not working in vCMP guest. 14.1.4.5, 15.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
919465-2 2-Critical BT919465 A dwbld core on configuration changes on IP Intelligence policy 15.1.5


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956013-1 3-Major BT956013 System reports{{validation_errors}} 14.1.4.5, 15.1.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
922665-2 3-Major BT922665 The admd process is terminated by watchdog on some heavy load configuration process 14.1.4.5, 15.1.5
1023437-3 3-Major   Buffer overflow during attack with large HTTP Headers 14.1.4.5, 15.1.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050273-2 3-Major   ERR_BOUNDS errors observed with HTTP explicit proxy service in SSL Orchestrator 15.1.5
1038669-2 3-Major BT1038669 Antserver keeps restarting 15.1.5, 16.1.2
1032797-2 3-Major BT1032797 Tmm continuously cores when parsing custom category URLs 15.1.5, 16.1.2



Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
988549-5 CVE-2020-29573 K27238230, BT988549 CVE-2020-29573: glibc vulnerability 14.1.4.5, 15.1.4.1, 16.1.2
966901-2 CVE-2020-14364 K09081535, BT966901 CVE-2020-14364: Qemu Vulnerability 14.1.4.4, 15.1.4.1
940317-4 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 14.1.4.4, 15.1.4.1, 16.1.2
1032405-3 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 14.1.4.5, 15.1.4.1, 16.1.2
1012365-2 CVE-2021-20305 K33101555, BT1012365 Nettle cryptography library vulnerability CVE-2021-20305 14.1.4.5, 15.1.4.1, 16.1.2
988589-5 CVE-2019-25013 K68251873 CVE-2019-25013 glibc vulnerability: buffer over-read in iconv 15.1.4.1
975589-4 CVE-2020-8277 K07944249, BT975589 CVE-2020-8277 Node.js vulnerability 14.1.4.4, 15.1.4.1
973409-5 CVE-2020-1971 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference 14.1.4.4, 15.1.4.1, 16.1.2
941649-2 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 14.1.4.5, 15.1.4.1, 16.1.2
1001369-2 CVE-2020-12049 K16729408 D-Bus vulnerability CVE-2020-12049 15.1.4.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
754335-3 3-Major BT754335 Install ISO does not boot on BIG-IP VE 14.1.4.4, 15.1.4.1
985953-3 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 14.1.4.5, 15.1.4.1, 16.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1042993-2 1-Blocking K19272127, BT1042993 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' 14.1.4.5, 15.1.4.1
1039049 1-Blocking BT1039049 Installing EHF on particular platforms fails with error "RPM transaction failure" 14.1.4.5, 15.1.4.1, 16.1.2
997313-3 2-Critical BT997313 Unable to create APM policies in a sync-only folder 15.1.4.1, 16.1.2
942549-2 2-Critical BT942549 Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 14.1.4.4, 15.1.4.1
897509-1 2-Critical BT897509 IPsec SAs are missing on HA standby, leading to packet drops after failover 15.1.4.1
831821-1 2-Critical BT831821 Corrupted DAG packets causes bcm56xxd core on VCMP host 14.1.4.5, 15.1.4.1
1043277-3 2-Critical K06520200, BT1043277 'No access' error page displays for APM policy export and apply options 14.1.4.5, 15.1.4.1
992053-1 3-Major BT992053 Pva_stats for server side connections do not update for redirected flows 15.1.4.1
989701-5 3-Major   CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response 14.1.4.5, 15.1.4.1, 16.1.2
965205-2 3-Major BT965205 BIG-IP dashboard downloads unused widgets 14.1.4.4, 15.1.4.1
958093-3 3-Major BT958093 IPv6 routes missing after BGP graceful restart 14.1.4.5, 15.1.4.1
947529-2 3-Major BT947529 Security tab in virtual server menu renders slowly 14.1.4.4, 15.1.4.1
940885-2 3-Major BT940885 Add embedded SR-IOV support for Mellanox CX5 Ex adapter 14.1.4.4, 15.1.4.1
922185-1 3-Major BT922185 LDAP referrals not supported for 'cert-ldap system-auth' 14.1.4.5, 15.1.4.1, 16.1.2
909197-3 3-Major BT909197 The mcpd process may become unresponsive 14.1.4, 15.1.4.1, 16.0.1.1
900933-1 3-Major BT900933 IPsec interoperability problem with ECP PFS 14.1.4.5, 15.1.4.1, 16.0.1.2
887117-2 3-Major BT887117 Invalid SessionDB messages are sent to Standby 15.1.4.1, 16.1.1
881085-3 3-Major BT881085 Intermittent auth failures with remote LDAP auth for BIG-IP managment 14.1.4.5, 15.1.4.1, 16.1.2
873641-1 3-Major BT873641 Re-offloading of TCP flows to hardware does not work 15.1.4.1
856953-4 3-Major BT856953 IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 14.1.2.8, 15.1.4.1
809657-7 3-Major BT809657 HA Group score not computed correctly for an unmonitored pool when mcpd starts 14.1.4.4, 15.1.4.1
1045421-2 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 14.1.4.5, 15.1.4.1, 16.1.2
1032737-1 3-Major BT1032737 IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate 15.1.4.1, 16.1.2
1032077-2 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 14.1.4.5, 15.1.4.1, 16.1.2
1028669-5 3-Major   Python vulnerability: CVE-2019-9948 14.1.4.5, 15.1.4.1, 16.1.2
1028573-5 3-Major   Perl vulnerability: CVE-2020-10878 14.1.4.5, 15.1.4.1, 16.1.2
1027713 3-Major BT1027713 SELinux avc: denied { signull } for pid=6207 comm="useradd" on vCMP guest during its deployment. 15.1.4.1
1026549-3 3-Major BT1026549 Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 14.1.4.5, 15.1.4.1, 16.1.2
1024877-2 3-Major BT1024877 Systemd[]: systemd-ask-password-serial.service failed 14.1.4.4, 15.1.4.1
1019429-3 3-Major BT1019429 CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated 15.1.4.1
1018309-3 3-Major BT1018309 Loading config file with imish removes the last character 15.1.4.1, 16.1.1
1015093-3 3-Major BT1015093 The "iq" column is missing from the ndal_tx_stats table 14.1.4.5, 15.1.4.1
1010245-1 3-Major BT1010245 Duplicate ipsec-sa SPI values shown by tmsh command 15.1.4.1
1009949-2 3-Major BT1009949 High CPU usage when upgrading from previous version 14.1.4.4, 15.1.4.1, 16.1.2
1009725-3 3-Major   Excessive resource usage when ixlv drivers are enabled 14.1.4.5, 15.1.4.1, 16.1.2
1003257-4 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 14.1.4.5, 15.1.4.1, 16.1.2
988533-1 4-Minor BT988533 GRE-encapsulated MPLS packet support 14.1.4.5, 15.1.4.1
966073-1 4-Minor BT966073 GENEVE protocol support 15.1.4.1
884165-3 4-Minor BT884165 Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG 14.1.4.4, 15.1.4.1
1030845-2 4-Minor BT1030845 Time change from TMSH not logged in /var/log/audit 14.1.4.5, 15.1.4.1, 16.1.2
1028497-5 4-Minor   libexpat vulnerability: CVE-2019-15903 14.1.4.5, 15.1.4.1, 16.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
999933-3 2-Critical   TMM may crash while processing DNS traffic on certain platforms 14.1.4.5, 15.1.4.1
991421-3 2-Critical   TMM may crash while processing TLS traffic 15.1.4.1, 16.1.2
989637-3 2-Critical   TMM may crash while processing SSL traffic 14.1.4.5, 15.1.4.1
862885-2 2-Critical BT862885 Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error 14.1.4.5, 15.1.4.1
1020645-1 2-Critical BT1020645 When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered 15.1.4.1
1008077-5 2-Critical   TMM may crash while processing TCP traffic with a FastL4 VS 14.1.4.4, 15.1.4.1
1007489-5 2-Critical   TMM may crash while handling specific HTTP requests 14.1.4.5, 15.1.4.1, 16.1.2
985433-2 3-Major BT985433 Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset. 15.1.4.1
978833-2 3-Major BT978833 Use of CRL-based Certificate Monitoring Causes Memory Leak 14.1.4.4, 15.1.4.1
965037-1 3-Major BT965037 SSL Orchestrator does not send HTTP CONNECT tunnel payload to services 15.1.4.1
963705-3 3-Major BT963705 Proxy ssl server response not forwarded 14.1.4.5, 15.1.4.1
915773-1 3-Major BT915773 Restart of TMM after stale interface reference 14.1.4.4, 15.1.4.1, 16.1.2
910517-1 3-Major   TMM may crash while processing HTTP traffic 14.1.4.5, 15.1.4.1
904041-2 3-Major BT904041 Ephemeral pool members may be incorrect when modified via various actions 14.1.4.5, 15.1.4.1
803629-7 3-Major BT803629 SQL monitor fails with 'Analyze Response failure' message even if recv string is correct 14.1.4.5, 15.1.4.1, 16.0.1.1
758041-1 3-Major BT758041 Pool Members may not be updated accurately when multiple identical database monitors are configured 13.1.3.5, 14.1.2.7, 15.1.4.1
723112-8 3-Major BT723112 LTM policies does not work if a condition has more than 127 matches 14.1.4.4, 15.1.4.1
550928-5 3-Major   TMM may crash when processing HTTP traffic with a FastL4 virtual server 14.1.4.4, 15.1.4.1
1023365-1 3-Major BT1023365 SSL server response could be dropped on immediate client shutdown 15.1.4.1, 16.1.2
1018577-3 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 14.1.4.5, 15.1.4.1, 16.1.2
1012009-1 3-Major BT1012009 MQTT Message Routing virtual may result in TMM crash 15.1.4.1
1008017-5 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 14.1.4.5, 15.1.4.1, 16.1.2
1006781-1 3-Major BT1006781 Server SYN is sent on VLAN 0 when destination MAC is multicast 15.1.4.1
949721-2 4-Minor BT949721 QUIC does not send control frames in PTO packets 15.1.4.1, 16.0.1.2
936773-2 4-Minor BT936773 Improve logging for "double flow removal" TMM Oops 14.1.4.4, 15.1.4.1
936557-2 4-Minor BT936557 Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. 14.1.4.5, 15.1.4.1
890881-4 4-Minor BT890881 ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address 14.1.4.5, 15.1.4.1
1031901-1 4-Minor BT1031901 In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked 15.1.4.1, 16.1.2
1002945-2 4-Minor BT1002945 Some connections are dropped on chained IPv6 to IPv4 virtual servers. 14.1.4.5, 15.1.4.1, 16.1.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
933405-2 1-Blocking K34257075, BT933405 Zonerunner GUI hangs when attempting to list Resource Records 14.1.4, 15.1.4.1, 16.0.1.1
1009037-3 2-Critical BT1009037 Tcl resume on invalid connection flow can cause tmm crash 14.1.4.5, 15.1.4.1, 16.1.2
847105-2 3-Major BT847105 The bigip_gtm.conf is reverted to default after rebooting with license expired 14.1.4.4, 15.1.4.1
1021417-3 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 14.1.4.5, 15.1.4.1, 16.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
997137-3 2-Critical   CSRF token removal may allow WAF bypass on GET requests 14.1.4.4, 15.1.4.1
912149-5 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 14.1.4.5, 15.1.4.1, 16.1.2
879841-4 2-Critical BT879841 Domain cookie same-site option is missing the "None" as value in GUI and rest 14.1.4.5, 15.1.4.1
1019853-2 2-Critical   Some signatures are not matched under specific conditions 14.1.4.5, 15.1.4.1, 16.1.2
1011065-2 2-Critical   Certain attack signatures may not match in multipart content 15.1.4.1, 16.1.2
1011061-2 2-Critical   Certain attack signatures may not match in multipart content 14.1.4.5, 15.1.4.1, 16.1.2
974341-2 3-Major   REST API: File upload 14.1.4.5, 15.1.4.1, 16.1.2
948805-1 3-Major BT948805 False positive "Null in Request" 14.1.4.5, 15.1.4.1
945789-1 3-Major BT945789 Live update cannot resolve hostname if IPv6 is configured. 15.1.4.1
932133-2 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 14.1.4.4, 15.1.4.1, 16.1.2
920149-1 3-Major BT920149 Live Update default factory file for Server Technologies cannot be reinstalled 14.1.4.4, 15.1.4.1, 16.1.1
914277-2 3-Major BT914277 [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU 14.1.4.4, 15.1.4.1, 16.0.1.2
904133-1 3-Major BT904133 Creating a user-defined signature via iControl REST occasionally fails with a 400 response code 14.1.4.4, 15.1.4.1
882377-3 3-Major BT882377 ASM Application Security Editor Role User can update/install ASU 14.1.2.5, 15.1.4.1
857633-7 3-Major BT857633 Attack Type (SSRF) appears incorrectly in REST result 14.1.4.5, 15.1.4.1
842013-3 3-Major BT842013 ASM Configuration is Lost on License Reactivation 14.1.4.5, 15.1.4.1, 16.1.2
753715-2 3-Major BT753715 False positive JSON max array length violation 14.1.4.4, 15.1.4.1
1042069-2 3-Major   Some signatures are not matched under specific conditions 14.1.4.5, 15.1.4.1
1017153-2 3-Major BT1017153 Asmlogd suddenly deletes all request log protobuf files and records from the database. 14.1.4.5, 15.1.4.1, 16.1.2
1039805 4-Minor   Save button in Response and Blocking Pages section is enabled when there are no changes to save. 15.1.4.1
1003765-1 4-Minor BT1003765 Authorization header signature triggered even when explicitly disabled 15.1.4.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932137-5 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 14.1.4.4, 15.1.4.1, 16.1.2
922105-3 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 14.1.4.4, 15.1.4.1, 16.1.2
832805-2 3-Major BT832805 AVR should make sure file permissions are correct (tmstat_tables.xml) 14.1.4.5, 15.1.4.1
787677-5 3-Major BT787677 AVRD stays at 100% CPU constantly on some systems 14.1.4.5, 15.1.4.1
1035133-3 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 14.1.4.5, 15.1.4.1, 16.1.2
948113-3 4-Minor BT948113 User-defined report scheduling fails 14.1.4.5, 15.1.4.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1027217 1-Blocking BT1027217 Script errors in Network Access window using browser 15.1.4.1, 16.1.2
860617-3 2-Critical BT860617 Radius sever pool without attaching the load balancing algorithm will result into core 14.1.4.5, 15.1.4.1
817137-1 2-Critical BT817137 SSO setting for Portal Access resources in webtop sections cannot be updated. 15.1.4.1
1006893-2 2-Critical BT1006893 Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 14.1.4.5, 15.1.4.1, 16.1.2
998473-2 3-Major BT998473 NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL) 15.1.4.1
993457-2 3-Major BT993457 TMM core with ACCESS::policy evaluate iRule 14.1.4.5, 15.1.4.1, 16.1.2
969317-3 3-Major BT969317 "Restrict to Single Client IP" option is ignored for vmware VDI 14.1.4.5, 15.1.4.1
968893-2 3-Major   TMM crash when processing APM traffic 15.1.4.1, 16.1.2
964037 3-Major BT964037 Error: Exception response while loading properties from server 15.1.4.1
949477-1 3-Major BT949477 NTLM RPC exception: Failed to verify checksum of the packet 14.1.4.4, 15.1.4.1
933129-2 3-Major BT933129 Portal Access resources are visible when they should not be 15.1.4.1
932213-2 3-Major BT932213 Local user db not synced to standby device when it is comes online after forced offline state 14.1.4.5, 15.1.4.1
918717-2 3-Major BT918717 Exception at rewritten Element.innerHTML='<a href></a>' 15.1.4.1
915509-1 3-Major BT915509 RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true 14.1.4.5, 15.1.4.1
891613-1 3-Major BT891613 RDP resource with user-defined address cannot be launched from webtop with modern customization 15.1.4.1
1021485-2 3-Major BT1021485 VDI desktops and apps freeze with Vmware and Citrix intermittently 14.1.4.5, 15.1.4.1, 16.1.2
1017233-1 3-Major BT1017233 APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption 15.1.4.1, 16.1.2
1007677-1 3-Major BT1007677 Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' 15.1.4.1
1007629-1 3-Major BT1007629 APM policy configured with many ACL policies can create APM memory pressure 14.1.4.4, 15.1.4.1
1002557-2 3-Major BT1002557 Tcl free object list growth 14.1.4.4, 15.1.4.1
1001337-1 3-Major BT1001337 Cannot read single sign-on configuration from GUI when logged in as guest 14.1.4.5, 15.1.4.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1012721-1 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 14.1.4.4, 15.1.4.1, 16.1.1
1012533-1 2-Critical BT1012533 `HTTP2::disable serverside` can cause cores 15.1.4.1
1007113-1 2-Critical BT1007113 Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 14.1.4.5, 15.1.4.1, 16.1.2
1030689-2 3-Major   TMM may consume excessive resources while processing Diameter traffic 14.1.4.4, 15.1.4.1, 16.1.2
1025529-1 3-Major BT1025529 TMM generates core when iRule executes a nexthop command and SIP traffic is sent 14.1.4.5, 15.1.4.1
1018285-1 4-Minor BT1018285 MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction 15.1.4.1, 16.1.2
1003633-3 4-Minor BT1003633 There might be wrong memory handling when message routing feature is used 14.1.4.5, 15.1.4.1, 16.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968533 2-Critical BT968533 Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector. 15.1.4.1
1049229-2 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 14.1.4.5, 15.1.4.1, 16.1.2
997169 3-Major BT997169 AFM rule not triggered 15.1.4.1
995433 3-Major BT995433 IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT 14.1.4.5, 15.1.4.1
1032329 3-Major BT1032329 A user with role "Firewall Manager" cannot open the Rule List editor in UI 15.1.4.1
1031909-1 3-Major BT1031909 NAT policies page unusable due to the page load time 15.1.4.1
987345-1 5-Cosmetic BT987345 Disabling periodic-refresh-log has no effect 15.1.4.1


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
981693-1 2-Critical   TMM may consume excessive resources while processing IPSec ALG traffic 14.1.4.2, 15.1.4.1
981689-2 2-Critical BT981689 TMM memory leak with IPsec ALG 14.1.4.2, 15.1.4.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
984657-3 3-Major BT984657 Sysdb variable not working from tmsh 15.1.4.1, 16.0.1.2
686783-2 4-Minor BT686783 UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. 14.1.4.5, 15.1.4.1, 16.1.2
1032689-3 4-Minor BT1032689 UlrCat Custom db feedlist is not working for www.croupiest.com with attached feedlist file 14.1.4.5, 15.1.4.1, 16.1.2


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
929213-1 3-Major BT929213 iAppLX packages not rolled forward after BIG-IP upgrade 14.1.4.4, 15.1.4.1, 16.1.2


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
946185-1 3-Major BT946185 Unable to view iApp component due to error 'An error has occurred while trying to process your request.' 14.1.4.4, 15.1.4.1, 16.1.2



Cumulative fixes from BIG-IP v15.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
949933-1 CVE-2021-22980 K29282483, BT949933 BIG-IP APM CTU vulnerability CVE-2021-22980 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1
1017973-2 CVE-2021-25215 K96223611, BT1017973 BIND Vulnerability CVE-2021-25215 14.1.4.4, 15.1.4, 16.0.1.2
1017965-2 CVE-2021-25214 K11426315, BT1017965 BIND Vulnerability CVE-2021-25214 14.1.4.4, 15.1.4, 16.0.1.2
981273-2 CVE-2021-23054 K41997459, BT981273 APM webtop hardening 15.1.4
965485-3 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
949889-3 CVE-2019-3900 K04107324, BT949889 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
803965-7 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 14.1.4.5, 15.1.4, 16.1.2
797797-4 CVE-2019-11811 K01512680, BT797797 CVE-2019-11811 kernel: use-after-free in drivers 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1
797769-9 CVE-2019-11599 K51674118 Linux vulnerability : CVE-2019-11599 13.1.4.1, 15.1.4, 16.0.1.2
968733-6 CVE-2018-1120 K42202505, BT968733 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
939421-2 CVE-2020-10029 K38481791, BT939421 CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow 14.1.4.3, 15.1.4, 16.0.1.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
913729-5 2-Critical BT913729 Support for DNSSEC Lookaside Validation (DLV) has been removed. 15.1.4, 16.0.1.2
907765-1 2-Critical BT907765 BIG-IP system does not respond to ARP requests if it has a route to the source IP address 15.1.4
1014433 2-Critical BT1014433 Time stamp format is not the same for all LTM logs 15.1.4
948073-2 3-Major BT948073 Dual stack download support for IP Intelligence Database 15.1.4
923301-2 3-Major BT923301 ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group 14.1.4.4, 15.1.4, 16.0.1.2
911141-3 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 14.1.4.4, 15.1.4, 16.1.1
876937-3 3-Major BT876937 DNS Cache not functioning 14.1.4.3, 15.1.4
866073-2 3-Major BT866073 Add option to exclude stats collection in qkview to avoid very large data files 14.1.4.4, 15.1.4, 16.0.1.2
1001865-2 3-Major   No platform trunk information passed to tenant 15.1.4
751032-5 4-Minor BT751032 TCP receive window may open too slowly after zero-window 14.1.4.4, 15.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1032761 1-Blocking BT1032761 HA mirroring may not function correctly 15.1.4
1004833-2 1-Blocking BT1004833 NIST SP800-90B compliance 14.1.4.2, 15.1.4
1002109-3 1-Blocking BT1002109 Xen binaries do not follow security best practices 14.1.4.4, 15.1.4
988645 2-Critical BT988645 Traffic may be affected after tmm is aborted and restarted 15.1.4
987113-1 2-Critical BT987113 CMP state degraded while under heavy traffic 15.1.4
980325-5 2-Critical BT980325 Chmand core due to memory leak from dossier requests. 14.1.4.4, 15.1.4
974241-1 2-Critical BT974241 Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades 15.1.4, 16.1.1
967905-2 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
944513-2 2-Critical BT944513 Apache configuration file hardening 15.1.4
941893-3 2-Critical BT941893 VE performance tests in Azure causes loss of connectivity to objects in configuration 15.1.4
928029-2 2-Critical BT928029 Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis 14.1.3, 15.1.4
1027637 2-Critical BT1027637 System controller failover may cause dropped requests 15.1.4
1004517-2 2-Critical BT1004517 BIG-IP tenants on VELOS cannot install EHFs 14.1.4.3, 15.1.4
1000973-3 2-Critical BT1000973 Unanticipated restart of TMM due to heartbeat failure 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
998221-3 3-Major BT998221 Accessing pool members from configuration utility is slow with large config 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2
996593-2 3-Major BT996593 Password change through REST or GUI not allowed if the password is expired 14.1.4.3, 15.1.4, 16.0.1.2
992865 3-Major BT992865 Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances 15.1.4
988793 3-Major BT988793 SecureVault on BIG-IP tenant does not store unit key securely 15.1.4
985537-1 3-Major BT985537 Upgrade Microsoft Hyper-V driver 15.1.4
976505-2 3-Major BT976505 Rotated restnoded logs will fail logintegrity verification. 14.1.4.2, 15.1.4, 16.0.1.2
975809-1 3-Major BT975809 Rotated restjavad logs fail logintegrity verification. 14.1.4.2, 15.1.4, 16.0.1.2
973201-2 3-Major BT973201 F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions 14.1.4, 15.1.4
969713-1 3-Major BT969713 IPsec interface mode tunnel may fail to pass packets after first IPsec rekey 15.1.4
969105-2 3-Major BT969105 HA failover connections via the management address do not work on vCMP guests running on VIPRION 14.1.4.4, 15.1.4
964941-1 3-Major BT964941 IPsec interface-mode tunnel does not initiate or respond after config change 15.1.4
959629-2 3-Major BT959629 Logintegrity script for restjavad/restnoded fails 14.1.4.2, 15.1.4, 16.0.1.2
958353-2 3-Major BT958353 Restarting the mcpd messaging service renders the PAYG VE license invalid. 14.1.4.2, 15.1.4, 16.0.1.2
956293-2 3-Major BT956293 High CPU from analytics-related REST calls - Dashboard TMUI 14.1.4.4, 15.1.4
946089-2 3-Major BT946089 BIG-IP might send excessive multicast/broadcast traffic. 14.1.4.2, 15.1.4, 16.0.1.2
932497-3 3-Major BT932497 Autoscale groups require multiple syncs of datasync-global-dg 14.1.4.2, 15.1.4, 16.0.1.2
928697-2 3-Major BT928697 Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT 15.1.4, 16.0.1.2
919305-2 3-Major BT919305 Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS 15.1.4
913849-1 3-Major BT913849 Syslog-ng periodically logs nothing for 20 seconds 14.1.4.2, 15.1.4, 16.0.1.2
908601-2 3-Major BT908601 System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option 14.1.4.3, 15.1.4, 16.0.1.2
895781-2 3-Major BT895781 Round Robin disaggregation does not disaggregate globally 15.1.4
889045-3 3-Major   Virtual server may stop responding while processing TCP traffic 15.1.4
880289 3-Major BT880289 FPGA firmware changes during configuration loads 15.1.4
850193-4 3-Major BT850193 Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues 14.1.4.4, 15.1.4
849157-2 3-Major BT849157 An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck 15.1.4
841277-7 3-Major BT841277 C4800 LCD fails to load after annunciator hot-swap 14.1.4.3, 15.1.4
827033-1 3-Major BT827033 Boot marker is being logged before shutdown logs 14.1.4.4, 15.1.4
746861-3 3-Major BT746861 SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated 14.1.2.5, 15.1.4
1029105 3-Major BT1029105 Hardware SYN cookie mode state change logs bogus virtual server address 15.1.4
1024853 3-Major BT1024853 Platform Agent logs to ERROR severity on success 15.1.4
1013649-4 3-Major BT1013649 Leftover files in /var/run/key_mgmt after key export 15.1.4
1010393-4 3-Major BT1010393 Unable to relax AS-path attribute in multi-path selection 14.1.4.4, 15.1.4, 16.0.1.2
1008837-2 3-Major BT1008837 Control plane is sluggish when mcpd processes a query for virtual server and address statistics 14.1.4.4, 15.1.4
1002761-1 3-Major BT1002761 SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure 15.1.4, 16.0.1.2
962249-2 4-Minor BT962249 Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm 15.1.4
921365-1 4-Minor BT921365 IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby 15.1.4, 16.1.2
921065 4-Minor BT921065 BIG-IP systems not responding to DPD requests from initiator after failover 15.1.4
898441-1 4-Minor BT898441 Enable logging of IKE keys 14.1.4.4, 15.1.4
819053 4-Minor   CVE-2019-13232 unzip: overlapping of files in ZIP container 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004417-3 4-Minor BT1004417 Provisioning error message during boot up 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1029357 1-Blocking BT1029357 Performance drop during traffic test on VIPRION (B2250, C2400) platforms 15.1.4
945997-2 2-Critical BT945997 LTM policy applied to HTTP/2 traffic may crash TMM 14.1.4.2, 15.1.4, 16.0.1.2
943101-2 2-Critical BT943101 Tmm crash in cipher group delete. 14.1.3, 15.1.4
942185-2 2-Critical BT942185 Non-mirrored persistence records may accumulate over time 15.1.4, 16.0.1.2
934461-2 2-Critical BT934461 Connection error with server with TLS1.3 single-dh-use. 14.1.3, 15.1.4
1039145-3 2-Critical BT1039145 Tenant mirroring channel disconnects with peer and never reconnects after failover 15.1.4
1005489-2 2-Critical BT1005489 iRules with persist command might result in tmm crash. 15.1.4, 16.0.1.2
997929-3 3-Major BT997929 Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic 14.1.4.4, 15.1.4, 16.0.1.2
969637-2 3-Major BT969637 Config may fail to load with "FIPS 140 operations not available on this system" after upgrade 14.1.4.4, 15.1.4
963713-1 3-Major BT963713 HTTP/2 virtual server with translate-disable can core tmm 15.1.4
956133-3 3-Major BT956133 MAC address might be displayed as 'none' after upgrading 14.1.4.4, 15.1.4
944641-1 3-Major BT944641 HTTP2 send RST_STREAM when exceeding max streams 14.1.4, 15.1.4, 16.0.1.1
941481-2 3-Major BT941481 iRules LX - nodejs processes consuming excessive memory 14.1.4.4, 15.1.4
941257-1 3-Major BT941257 Occasional Nitrox3 ZIP engine hang 14.1.4.4, 15.1.4
940665-1 3-Major BT940665 DTLS 1.0 support for PFS ciphers 15.1.4, 16.0.1.2
930385-3 3-Major BT930385 SSL filter does not re-initialize when an OCSP object is modified 14.1.3, 15.1.4
912425-3 3-Major BT912425 Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash 14.1.4.2, 15.1.4, 16.0.1.2
891373-2 3-Major BT891373 BIG-IP does not shut a connection for a HEAD request 15.1.4, 16.0.1.2
887965-1 3-Major   Virtual server may stop responding while processing TCP traffic 14.1.4.4, 15.1.4
882549-2 3-Major BT882549 Sock driver does not use multiple queues in unsupported environments 14.1.4.3, 15.1.4, 16.0.1.2
819329-4 3-Major BT819329 Specific FIPS device errors will not trigger failover 14.1.3.1, 15.1.4, 16.0.1.2
818833-1 3-Major BT818833 TCP re-transmission during SYN Cookie activation results in high latency 14.1.4.4, 15.1.4
760050-8 3-Major BT760050 "cwnd too low" warning message seen in logs 13.1.4.1, 14.1.2.7, 15.1.4
1020941-2 3-Major BT1020941 HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags 14.1.4.5, 15.1.4
1016113-3 3-Major BT1016113 HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. 15.1.4, 16.1.2
962433-4 4-Minor BT962433 HTTP::retry for a HEAD request fails to create new connection 13.1.4.1, 14.1.4.3, 15.1.4
962177-2 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
912945-2 4-Minor BT912945 A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed 14.1.4.4, 15.1.4, 16.1.1
895557-2 4-Minor BT895557 NTLM profile logs error when used with profiles that do redirect 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2
751586-3 4-Minor BT751586 Http2 virtual does not honour translate-address disabled 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4
1018493-2 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 14.1.4.5, 15.1.4, 16.1.2


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
910633-1 2-Critical BT910633 Continuous 'neurond restart' message on console 15.1.4
1004633-3 2-Critical BT1004633 Performance degradation on KVM and VMware platforms. 15.1.4
948417-2 3-Major BT948417 Network Management Agent (Azure NMAgent) updates causes Kernel Panic 15.1.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039069-2 1-Blocking BT1039069 Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049. 15.1.4, 16.1.1
995853-2 2-Critical BT995853 Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. 14.1.4.4, 15.1.4
918597-5 2-Critical BT918597 Under certain conditions, deleting a topology record can result in a crash. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
993489-3 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
973261-2 3-Major BT973261 GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
937333-2 3-Major   Incomplete validation of input in unspecified forms 14.1.4.4, 15.1.4
912001-3 3-Major BT912001 TMM cores on secondary blades of the Chassis system. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
864797-2 3-Major BT864797 Cached results for a record are sent following region modification 14.1.4.4, 15.1.4
857953-2 4-Minor BT857953 Non-functional disable/enable buttons present in GTM wide IP members page 14.1.4.2, 15.1.4, 16.0.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
996381-3 2-Critical   ASM attack signature may not match as expected 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
970329-3 2-Critical   ASM hardening 14.1.4.4, 15.1.4, 16.1.1
965229-2 2-Critical BT965229 ASM Load hangs after upgrade 14.1.4.4, 15.1.4, 16.1.1
957965-1 2-Critical BT957965 Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent' 15.1.4
898365-1 2-Critical BT898365 XML Policy cannot be imported 15.1.4
854001-2 2-Critical BT854001 TMM might crash in case of trusted bot signature and API protected url 14.1.4.2, 15.1.4, 16.0.1.2
791669-2 2-Critical BT791669 TMM might crash when Bot Defense is configured for multiple domains 14.1.2.3, 15.1.4, 16.0.1.2
1017645-2 2-Critical BT1017645 False positive HTTP compliance violation 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
986937-1 3-Major BT986937 Cannot create child policy when the signature staging setting is not equal in template and parent policy 15.1.4, 16.0.1.2, 16.1.1
981785-3 3-Major BT981785 Incorrect incident severity in Event Correlation statistics 14.1.4.3, 15.1.4, 16.0.1.2
981069-1 3-Major BT981069 Reset cause: "Internal error ( requested abort (payload release error))" 15.1.4, 16.1.1
964245-2 3-Major BT964245 ASM reports and enforces username always 14.1.4.4, 15.1.4
963485-1 3-Major BT963485 Performance issue with data guard 15.1.4
963461-1 3-Major BT963461 ASM performance drop on the response side 15.1.4, 16.0.1.2
962589-2 3-Major BT962589 Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 14.1.4.4, 15.1.4, 16.1.1
962497 3-Major BT962497 BD crash after ICAP response 14.1.4.4, 15.1.4, 16.0.1.2
955017-2 3-Major BT955017 Excessive CPU consumption by asm_config_event_handler 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
954425-2 3-Major   Hardening of Live-Update 14.1.4.4, 15.1.4, 16.1.1
951133-2 3-Major BT951133 Live Update does not work properly after upgrade 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
950917-1 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 13.1.4.1, 14.1.4.2, 15.1.4
946081-1 3-Major BT946081 Getcrc tool help displays directory structure instead of version 14.1.4.4, 15.1.4, 16.0.1.2
928717-3 3-Major BT928717 [ASM - AWS] - ASU fails to sync 14.1.4.4, 15.1.4
922261-2 3-Major BT922261 WebSocket server messages are logged even it is not configured 14.1.4.2, 15.1.4, 16.0.1.2
920197-3 3-Major BT920197 Brute force mitigation can stop mitigating without a notification 14.1.4.4, 15.1.4, 16.0.1.2
912089-2 3-Major BT912089 Some roles are missing necessary permission to perform Live Update 14.1.4.2, 15.1.4, 16.0.1.2
907337-2 3-Major BT907337 BD crash on specific scenario 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
888289-1 3-Major BT888289 Add option to skip percent characters during normalization 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
883853-2 3-Major BT883853 Bot Defense Profile with staged signatures prevents signature update 14.1.4.2, 15.1.4
867825-4 3-Major BT867825 Export/Import on a parent policy leaves children in an inconsistent state 14.1.4.4, 15.1.4
862793-1 3-Major BT862793 ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation 15.1.4
846181-3 3-Major BT846181 Request samples for some of the learning suggestions are not visible 14.1.4.2, 15.1.4
837333-1 3-Major BT837333 User cannot update blocking response pages after upgrade 15.1.4
830341-2 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
802873-2 3-Major BT802873 Manual changes to policy imported as XML may introduce corruption for Login Pages 14.1.2.7, 15.1.4
673272-2 3-Major BT673272 Search by "Signature ID is" does not return results for some signature IDs 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2
1022269-2 3-Major BT1022269 False positive RFC compliant violation 14.1.4.4, 15.1.4, 16.1.2
1005105-1 3-Major BT1005105 Requests are missing on traffic event logging 14.1.4.5, 15.1.4, 16.1.1
1000741-3 3-Major   Fixing issue with input normalization 14.1.4.4, 15.1.4, 16.1.1
952509-2 4-Minor BT952509 Cross origin AJAX requests are blocked in case there is no Origin header 14.1.4.4, 15.1.4, 16.0.1.2
944441-2 4-Minor BT944441 BD_XML logs memory usage at TS_DEBUG level 14.1.4.4, 15.1.4, 16.0.1.2
941929-2 4-Minor BT941929 Google Analytics shows incorrect stats, when Google link is redirected. 14.1.4.2, 15.1.4, 16.0.1.2
941625-1 4-Minor BT941625 BD sometimes encounters errors related to TS cookie building 15.1.4, 16.1.1
941249-2 4-Minor BT941249 Improvement to getcrc tool to print cookie names when cookie attributes are involved 14.1.4.4, 15.1.4, 16.0.1.2
911729-2 4-Minor BT911729 Redundant learning suggestion to set a Maximum Length when parameter is already at that value 14.1.4.2, 15.1.4, 16.0.1.2
1004537-1 4-Minor BT1004537 Traffic Learning: Accept actions for multiple suggestions not localized 15.1.4, 16.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
965581-2 2-Critical BT965581 Statistics are not reported to BIG-IQ 14.1.4, 15.1.4
932485-3 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
913085-1 3-Major BT913085 Avrd core when avrd process is stopped or restarted 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
909161-3 3-Major BT909161 A core file is generated upon avrd process restart or stop 14.1.4.4, 15.1.4, 16.1.1
833113-6 3-Major BT833113 Avrd core when sending large messages via https 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
934393-2 1-Blocking BT934393 APM authentication fails due to delay in sessionDB readiness 14.1.3, 15.1.4
995029-3 2-Critical BT995029 Configuration is not updated during auto-discovery 14.1.4.2, 15.1.4
891505-3 2-Critical BT891505 TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. 14.1.2.8, 15.1.4
874949-1 2-Critical BT874949 TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent. 15.1.4
997641 3-Major BT997641 APM policy ending with redirection results in policy execution failure 15.1.4
984765-1 3-Major BT984765 APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) 14.1.4.4, 15.1.4
946125-2 3-Major BT946125 Tmm restart adds 'Revoked' tokens to 'Active' token count 14.1.4.4, 15.1.4
924521-2 3-Major BT924521 OneConnect does not work when WEBSSO is enabled/configured. 14.1.4.3, 15.1.4
903573 3-Major BT903573 AD group cache query performance 15.1.4
896125-2 3-Major BT896125 Reuse Windows Logon Credentials feature does not work with modern access policies 15.1.4
894885-3 3-Major BT894885 [SAML] SSO crash while processing client SSL request 14.1.4.2, 15.1.4
881641 3-Major BT881641 Errors on VPN client status window in non-English environment 15.1.4
869653-1 3-Major BT869653 VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction 15.1.4
866109-2 3-Major BT866109 JWK keys frequency does not support fewer than 60 minutes 13.1.4.1, 14.1.4.2, 15.1.4
827325-1 3-Major BT827325 JWT token verification failure 15.1.4
825493-1 3-Major BT825493 JWT token verification failure 15.1.4
738865-6 3-Major BT738865 MCPD might enter into loop during APM config validation 14.1.4.2, 15.1.4
470346-3 3-Major BT470346 Some IPv6 client connections get RST when connecting to APM virtual 14.1.4.3, 15.1.4
1001041-3 3-Major BT1001041 Reset cause 'Illegal argument' 14.1.4.4, 15.1.4
939877-1 4-Minor BT939877 OAuth refresh token not found 14.1.4.4, 15.1.4, 16.1.2
747234-7 4-Minor BT747234 Macro policy does not find corresponding access-profile directly 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
993913-2 2-Critical BT993913 TMM SIGSEGV core in Message Routing Framework 14.1.4.4, 15.1.4, 16.1.1
974881-2 2-Critical BT974881 Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic 14.1.4.2, 15.1.4, 16.0.1.2
1007821-1 2-Critical BT1007821 SIP message routing may cause tmm crash 15.1.4, 16.1.1
996113-1 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 14.1.4.4, 15.1.4, 16.1.1
989753-2 3-Major BT989753 In HA setup, standby fails to establish connection to server 14.1.4.2, 15.1.4, 16.0.1.2
957029-1 3-Major BT957029 MRF Diameter loop-detection is enabled by default 15.1.4, 16.0.1.2
805821-3 3-Major BT805821 GTP log message contains no useful information 14.1.4.4, 15.1.4, 16.1.1
788625-1 3-Major BT788625 A pool member is not marked up by the inband monitor even after successful connection to the pool member 14.1.4.3, 15.1.4, 16.0.1.2
1008561-1 3-Major   In very rare condition, BIG-IP may crash when SIP ALG is deployed 14.1.4.4, 15.1.4, 16.1.1
919301-3 4-Minor BT919301 GTP::ie count does not work with -message option 14.1.4.4, 15.1.4, 16.1.1
916781-1 4-Minor BT916781 Validation error while attaching DoS profile to GTP virtual 15.1.4, 16.0.1
913413-3 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 14.1.4.4, 15.1.4, 16.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
987637-2 1-Blocking BT987637 DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware 15.1.4
1016633 2-Critical BT1016633 iprep.protocol with auto-detect fails when DNS takes time to resolve 15.1.4
992213-2 3-Major BT992213 Protocol Any displayed as HOPTOPT in AFM policy view 14.1.4.2, 15.1.4, 16.1.1
988761-1 3-Major BT988761 Cannot create Protected Object in GUI 15.1.4
988005-1 3-Major BT988005 Zero active rules counters in GUI 14.1.4.2, 15.1.4, 16.0.1.2
987605-2 3-Major BT987605 DDoS: ICMP attacks are not hardware-mitigated 15.1.4
759799-3 3-Major BT759799 New rules cannot be compiled 15.1.4
685904-1 3-Major BT685904 Firewall Rule hit counts are not auto-updated after a Reset is done 14.1.4.2, 15.1.4
1016309-1 3-Major BT1016309 When two policies with the same properties are configured with geo property, the geo for the second policy is ignored. 15.1.4
1012521-2 3-Major BT1012521 BIG-IP UI file permissions 14.1.4.4, 15.1.4, 16.0.1.2
1012413-3 3-Major BT1012413 Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled 15.1.4
1000405-2 3-Major BT1000405 VLAN/Tunnels not listed when creating a new rule via GUI 15.1.4, 16.1.1
977005-1 4-Minor BT977005 Network Firewall Policy rules-list showing incorrect 'Any' for source column 14.1.4.2, 15.1.4
1014609 4-Minor BT1014609 Tunnel_src_ip support for dslite event log for type field list 15.1.4


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019481 2-Critical BT1019481 Unable to provision PEM on VELOS platform 15.1.4


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
994985-2 3-Major BT994985 CGNAT GUI shows blank page when applying SIP profile 14.1.4.2, 15.1.4


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
968741-1 2-Critical BT968741 Traffic Intelligence pages not visible 15.1.4
913453-5 2-Critical BT913453 URL Categorization: wr_urldbd cores while processing urlcat-query 14.1.4.4, 15.1.4
901041-3 2-Critical BT901041 CEC update using incorrect method of determining number of blades in VIPRION chassis 15.1.4, 16.0.1.2
893721-2 2-Critical BT893721 PEM-provisioned systems may suffer random tmm crashes after upgrading 14.1.4.2, 15.1.4
958085-3 3-Major BT958085 IM installation fails with error: Spec file not found 14.1.4.4, 15.1.4
948573-4 3-Major BT948573 Wr_urldbd list of valid TLDs needs to be updated 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
846601-4 3-Major BT846601 Traffic classification does not update when an inactive slot becomes active after upgrade 14.1.4.2, 15.1.4, 16.0.1.2
974205-3 4-Minor BT974205 Unconstrained wr_urldbd size causing box to OOM 12.1.6, 14.1.4.4, 15.1.4


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
970829-5 2-Critical K03310534, BT970829 iSeries LCD incorrectly displays secure mode 14.1.4.4, 15.1.4, 16.0.1.2


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1018145-1 3-Major BT1018145 Firewall Manager user role is not allowed to configure/view protocol inspection profiles 15.1.4, 16.1.1


Guided Configuration Fixes

ID Number Severity Links to More Info Description Fixed Versions
1013569 3-Major   Hardening of iApps processing 15.1.4, 16.1.1


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
822245-2 4-Minor BT822245 Large number of in-TMM monitors results in some monitors being marked down 14.1.4.4, 15.1.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
947925-1 3-Major BT947925 TMM may crash when executing L7 Protocol Lookup per-request policy agent 14.1.4.3, 15.1.4
918317-2 3-Major BT918317 SSL Orchestrator resets subsequent requests when HTTP services are being used. 14.1.4.4, 15.1.4



Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
989317-12 CVE-2021-23023 K33757590, BT989317 Windows Edge Client does not follow best practice 15.1.3.1
989009-3 CVE-2021-23033 K05314769, BT989009 BD daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
981461-4 CVE-2021-23032 K45407662, BT981461 Unspecified DNS responses cause TMM crash 14.1.4.4, 15.1.3.1
980125-3 CVE-2021-23030 K42051445, BT980125 BD Daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
962341 CVE-2021-23028 K00602225, BT962341 BD crash while processing JSON content 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2
946377-2 CVE-2021-23027 K24301698, BT946377 HSM WebUI Hardening 14.1.4.3, 15.1.3.1, 16.0.1.2
1007049-3 CVE-2021-23034 K30523121, BT1007049 TMM may crash while processing DNS traffic 15.1.3.1
996753-2 CVE-2021-23050 K44553214, BT996753 ASM BD process may crash while processing HTML traffic 15.1.3.1, 16.0.1.2
984613-11 CVE-2021-23022 K08503505, BT984613 CVE-2020-5896 - Edge Client Installer Vulnerability 15.1.3.1
968349 CVE-2021-23048 K19012930, BT968349 TMM crashes with unspecified message 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
962069-3 CVE-2021-23047 K79428827, BT962069 Excessive resource consumption while processing OSCP requests via APM 14.1.4.4, 15.1.3.1
950017-2 CVE-2021-23045 K94941221, BT950017 TMM may crash while processing SCTP traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
942701-2 CVE-2021-23044 K35408374, BT942701 TMM may consume excessive resources while processing HTTP traffic 13.1.4.1, 14.1.4.2, 15.1.3.1
906377-2 CVE-2021-23038 K61643620, BT906377 iRulesLX hardening 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
1015381-5 CVE-2021-23022 K08503505, BT1015381 Windows Edge Client does not follow best practices while installing 15.1.3.1
1009773 CVE-2021-23051 K01153535, BT1009773 AWS deployments of TMM may crash while processing traffic 15.1.3.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
737692-4 2-Critical BT737692 Handle x520 PF DOWN/UP sequence automatically by VE 15.1.3.1
1024421-1 3-Major BT1024421 At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log 15.1.3.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
994801-3 3-Major   SCP file transfer system 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
958465-2 3-Major BT958465 in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization 14.1.4.4, 15.1.3.1, 16.0.1.2
950849-4 3-Major BT950849 B4450N blades report page allocation failure. 14.1.4.4, 15.1.3.1
948717-3 3-Major BT948717 F5-pf_daemon_cond_restart uses excessive CPU 15.1.3.1
1032001-1 3-Major BT1032001 Statemirror address can be configured on management network or clusterd restarting 15.1.3.1
1006345-1 3-Major BT1006345 Static mac entry on trunk is not programmed on CPU-only blades 15.1.3.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019081-3 2-Critical K97045220, BT1019081 HTTP/2 hardening 14.1.4.5, 15.1.3.1
980821-2 3-Major BT980821 Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. 14.1.4.2, 15.1.3.1, 16.0.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
943913-3 2-Critical K30150004, BT943913 ASM attack signature does not match 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1020705-1 4-Minor BT1020705 tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name 14.1.4.4, 15.1.3.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
999317-8 2-Critical K03544414, BT999317 Running Diagnostics report for Edge Client on Windows does not follow best practice 15.1.3.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019453-3 3-Major BT1019453 Core generated for autodosd daemon when synchronization process is terminated 15.1.3.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
976365 3-Major BT976365 Traffic Classification hardening 14.1.4.3, 15.1.3.1



Cumulative fixes from BIG-IP v15.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
980809-2 CVE-2021-23031 K41351250, BT980809 ASM REST Signature Rule Keywords Tool Hardening 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
959121-4 CVE-2021-23015 K74151369, BT959121 Not following best practices in Guided Configuration Bundle Install worker 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
943081-3 CVE-2021-23009 K90603426, BT943081 Unspecified HTTP/2 traffic may cause TMM to crash 15.1.3, 16.0.1.1
935433-2 CVE-2021-23026 K53854428, BT935433 iControl SOAP 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
882633-2 CVE-2021-23008 K51213246, BT882633 Active Directory authentication does not follow current best practices 12.1.6, 13.1.4, 14.1.4, 15.1.3
990333-5 CVE-2021-23016 K75540265, BT990333 APM may return unexpected content when processing HTTP requests 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
975465-2 CVE-2021-23049 K65397301, BT975465 TMM may consume excessive resources while processing DNS iRules 15.1.3, 16.0.1.2
954429-2 CVE-2021-23014 K23203045, BT954429 User authorization changes for live update 14.1.4, 15.1.3, 16.0.1.1
948769-5 CVE-2021-23013 K05300051, BT948769 TMM panic with SCTP traffic 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
945109-2 CVE-2015-9382 K46641512, BT945109 Freetype Parser Skip Token Vulnerability CVE-2015-9382 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
938233-2 CVE-2021-23042 K93231374 An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
937637-3 CVE-2021-23002 K71891773, BT937637 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
937365-2 CVE-2021-23041 K42526507, BT937365 LTM UI does not follow best practices 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
907245-1 CVE-2021-23040 K94255403, BT907245 AFM UI Hardening 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
907201-2 CVE-2021-23039 K66782293, BT907201 TMM may crash when processing IPSec traffic 14.1.2.8, 15.1.3, 16.0.1.2
877109-1 CVE-2021-23012 K04234247 Unspecified input can break intended functionality in iHealth proxy 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
842829-1 CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 K04367730, BT842829 Multiple tcpdump vulnerabilities 13.1.4.1, 14.1.3.1, 15.1.3
832757 CVE-2017-18551 K48073202, BT832757 Linux kernel vulnerability CVE-2017-18551 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3
803933-7 CVE-2018-20843 K51011533, BT803933 Expat XML parser vulnerability CVE-2018-20843 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
718189-9 CVE-2021-23011 K10751325, BT718189 Unspecified IP traffic can cause low-memory conditions 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
1003557-3 CVE-2021-23015 K74151369, BT1003557 Not following best practices in Guided Configuration Bundle Install worker 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
1003105-3 CVE-2021-23015 K74151369, BT1003105 iControl Hardening 15.1.3, 16.0.1.2
1002561-5 CVE-2021-23007 K37451543, BT1002561 TMM vulnerability CVE-2021-23007 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
825413-4 CVE-2021-23053 K36942191, BT825413 ASM may consume excessive resources when matching signatures 13.1.3.6, 14.1.3.1, 15.1.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
933777-1 3-Major BT933777 Context use and syntax changes clarification 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
930005-2 3-Major BT930005 Recover previous QUIC cwnd value on spurious loss 15.1.3, 16.0.1.1
913829-4 3-Major BT913829 i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
794417-4 3-Major BT794417 Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
918097-3 4-Minor BT918097 Cookies set in the URI on Safari 14.1.4.1, 15.1.3, 16.0.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
995629-3 2-Critical BT995629 Loading UCS files may hang if ASM is provisioned 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
990849-2 2-Critical BT990849 Loading UCS with platform-migrate option hangs and requires exiting from the command 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
908517-3 2-Critical BT908517 LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' 14.1.4, 15.1.3, 16.0.1.1
888341-7 2-Critical BT888341 HA Group failover may fail to complete Active/Standby state transition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
886693-3 2-Critical BT886693 System may become unresponsive after upgrading 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
860349-3 2-Critical BT860349 Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication 14.1.2.8, 15.1.3
785017-3 2-Critical BT785017 Secondary blades go offline after new primary is elected 13.1.4, 14.1.4, 15.1.3
776393-3 2-Critical BT776393 Restjavad restarts frequently due to insufficient memory with relatively large configurations 14.1.4, 15.1.3, 16.0.1.1
969213-1 3-Major BT969213 VMware: management IP cannot be customized via net.mgmt.addr property 14.1.4.1, 15.1.3, 16.0.1.2
963049-1 3-Major BT963049 Unexpected config loss when modifying protected object 15.1.3
963017-2 3-Major BT963017 The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed 14.1.4, 15.1.3
946745-2 3-Major BT946745 'System Integrity: Invalid' after Engineering Hotfix installation 14.1.4, 15.1.3
945265-4 3-Major BT945265 BGP may advertise default route with incorrect parameters 14.1.4, 15.1.3, 16.0.1.1
939541-2 3-Major BT939541 TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE 14.1.4, 15.1.3, 16.0.1.1
936125-2 3-Major BT936125 SNMP request times out after configuring IPv6 trap destination 15.1.3, 16.0.1.1
934941-2 3-Major BT934941 Platform FIPS power-up self test failures not logged to console 14.1.3.1, 15.1.3
934065-1 3-Major BT934065 The turboflex-low-latency and turboflex-dns are missing. 15.1.3, 16.0.1.2
927941-5 3-Major BT927941 IPv6 static route BFD does not come up after OAMD restart 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
922297-2 3-Major BT922297 TMM does not start when using more than 11 interfaces with more than 11 vCPUs 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
914245-2 3-Major BT914245 Reboot after tmsh load sys config changes sys FPGA firmware-config value 14.1.4.1, 15.1.3, 16.0.1.2
914081-1 3-Major BT914081 Engineering Hotfixes missing bug titles 14.1.4, 15.1.3
913433-3 3-Major BT913433 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
908021-1 3-Major BT908021 Management and VLAN MAC addresses are identical 13.1.3.5, 14.1.3.1, 15.1.3
896553-3 3-Major BT896553 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3
896473-2 3-Major BT896473 Duplicate internal connections can tear down the wrong connection 15.1.3
893885-3 3-Major BT893885 The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation 14.1.4, 15.1.3
891337-1 3-Major BT891337 'save_master_key(master): Not ready to save yet' errors in the logs 14.1.4, 15.1.3
889029-2 3-Major BT889029 Unable to login if LDAP user does not have search permissions 14.1.4, 15.1.3, 16.0.1.2
879829-2 3-Major BT879829 HA daemon sod cannot bind to ports numbered lower than 1024 14.1.4, 15.1.3, 16.0.1.2
876805-3 3-Major BT876805 Modifying address-list resets the route advertisement on virtual servers. 14.1.4, 15.1.3, 16.0.1.1
862937-3 3-Major BT862937 Running cpcfg after first boot can result in daemons stuck in restart loop 14.1.4, 15.1.3, 16.0.1.2
839121-3 3-Major K74221031, BT839121 A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade 14.1.4.1, 15.1.3, 16.0.1.2
829821-1 3-Major BT829821 Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
820845-3 3-Major BT820845 Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
809205-6 3-Major   CVE-2019-3855: libssh2 Vulnerability 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2
803237-2 3-Major BT803237 PVA does not validate interface MTU when setting MSS 14.1.4, 15.1.3
799001-1 3-Major BT799001 Sflow agent does not handle disconnect from SNMPD manager correctly 14.1.4, 15.1.3
787885-2 3-Major BT787885 The device status is falsely showing as forced offline on the network map while actual device status is not. 14.1.4, 15.1.3, 16.0.1.1
749007-1 3-Major BT749007 South Sudan, Sint Maarten, and Curacao country missing in GTM region list 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
692218-1 3-Major BT692218 Audit log messages sent from the primary blade to the secondaries should not be logged. 14.1.4.1, 15.1.3, 16.0.1.2
675911-12 3-Major K13272442, BT675911 Different sections of the GUI can report incorrect CPU utilization 14.1.4.1, 15.1.3, 16.0.1.2
615934-6 3-Major BT615934 Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. 13.1.3.5, 14.1.4, 15.1.3
569859-7 3-Major BT569859 Password policy enforcement for root user when mcpd is not available 14.1.4.1, 15.1.3
966277-1 4-Minor BT966277 BFD down on multi-blade system 14.1.4, 15.1.3, 16.0.1.1
959889-2 4-Minor BT959889 Cannot update firewall rule with ip-protocol property as 'any' 14.1.4, 15.1.3
947865-2 4-Minor BT947865 Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read 14.1.4, 15.1.3
887505-1 4-Minor BT887505 Coreexpiration script improvement 15.1.3
879189-1 4-Minor BT879189 Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section 14.1.4.1, 15.1.3, 16.0.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910653-5 2-Critical BT910653 iRule parking in clientside/serverside command may cause tmm restart 14.1.4, 15.1.3, 16.0.1.1
882157-1 2-Critical BT882157 One thread of pkcs11d consumes 100% without any traffic. 14.1.4, 15.1.3
738964-4 2-Critical   Instruction logger debugging enhancement 14.1.4.1, 15.1.3
1001509 2-Critical K11162395, BT1001509 Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates 14.1.4.3, 15.1.3
968641-2 3-Major BT968641 Fix for zero LACP priority 14.1.4, 15.1.3, 16.0.1.2
953845-1 3-Major BT953845 After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart 12.1.6, 14.1.4, 15.1.3, 16.0.1.1
946953-1 3-Major BT946953 HTTP::close used in iRule might not close connection. 15.1.3, 16.0.1.1
928857-2 3-Major BT928857 Use of OCSP responder may leak X509 store instances 14.1.4, 15.1.3
928805-2 3-Major BT928805 Use of OCSP responder may cause memory leakage 14.1.4, 15.1.3
928789-2 3-Major BT928789 Use of OCSP responder may leak SSL handshake instances 14.1.4, 15.1.3
921881-2 3-Major BT921881 Use of IPFIX log destination can result in increased CPU utilization 14.1.4, 15.1.3, 16.0.1.2
921721-1 3-Major BT921721 FIPS 140-2 SP800-56Arev3 compliance 14.1.3, 15.1.3
889601-3 3-Major K14903688, BT889601 OCSP revocation not properly checked 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
889165-3 3-Major BT889165 "http_process_state_cx_wait" errors in log and connection reset 14.1.4, 15.1.3
888517-2 3-Major BT888517 Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU. 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
858701-1 3-Major BT858701 Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
845333-6 3-Major BT845333 An iRule with a proc referencing a datagroup cannot be assigned to Transport Config 14.1.4, 15.1.3, 16.0.1.1
842517-2 3-Major BT842517 CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails 15.1.3
785877-5 3-Major BT785877 VLAN groups do not bridge non-link-local multicast traffic. 14.1.4, 15.1.3, 16.0.1.2
767341-1 3-Major BT767341 If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. 14.1.4, 15.1.3, 16.0.1.2
756812-3 3-Major BT756812 Nitrox 3 instruction/request logger may fail due to SELinux permission error 14.1.4.1, 15.1.3
696755-5 3-Major BT696755 HTTP/2 may truncate a response body when served from cache 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2
804157-3 4-Minor BT804157 ICMP replies are forwarded with incorrect checksums causing them to be dropped 14.1.4, 15.1.3, 16.0.1.2
748333-5 4-Minor BT748333 DHCP Relay does not retain client source IP address for chained relay mode 14.1.4, 15.1.3, 16.0.1.1
743253-2 4-Minor BT743253 TSO in software re-segments L3 fragments. 14.1.4, 15.1.3, 16.0.1.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
960749-2 1-Blocking BT960749 TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960437-2 2-Critical BT960437 The BIG-IP system may initially fail to resolve some DNS queries 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
971297-2 3-Major BT971297 DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade 14.1.4.1, 15.1.3, 16.0.1.2
921625-2 3-Major BT921625 The certs extend function does not work for GTM/DNS sync group 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
863917-2 3-Major BT863917 The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2
858973-1 3-Major BT858973 DNS request matches less specific WideIP when adding new wildcard wideips 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
835209-3 3-Major BT835209 External monitors mark objects down 14.1.4.2, 15.1.3
896861-2 4-Minor BT896861 PTR query enhancement for RESOLVER::name_lookup 15.1.3, 16.0.1.1
885201-2 4-Minor BT885201 BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log 14.1.4.1, 15.1.3


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
846057-3 2-Critical BT846057 UCS backup archive may include unnecessary files 13.1.4, 14.1.4, 15.1.3
960369-2 3-Major BT960369 Negative value suggested in Traffic Learning as max value 14.1.4, 15.1.3, 16.0.1.2
956373-2 3-Major BT956373 ASM sync files not cleaned up immediately after processing 14.1.4.1, 15.1.3, 16.0.1.2
947341-1 3-Major BT947341 MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2
941621-2 3-Major K91414704, BT941621 Brute Force breaks server's Post-Redirect-Get flow 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
929077-2 3-Major BT929077 Bot Defense allow list does not apply when using default Route Domain and XFF header 14.1.4, 15.1.3, 16.0.1.1
929001-3 3-Major K48321015, BT929001 ASM form handling improvements 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
928685-2 3-Major K49549213, BT928685 ASM Brute Force mitigation not triggered as expected 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
921677-2 3-Major BT921677 Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. 14.1.4, 15.1.3, 16.0.1.1
910253-2 3-Major BT910253 BD error on HTTP response after upgrade 15.1.3, 16.0.1.1
884425-2 3-Major   Creation of new allowed HTTP URL is not possible 14.1.3.1, 15.1.3
868053-3 3-Major BT868053 Live Update service indicates update available when the latest update was already installed 14.1.3.1, 15.1.3
867373-4 3-Major BT867373 Methods Missing From ASM Policy 14.1.4, 15.1.3
864677-1 3-Major BT864677 ASM causes high mcpd CPU usage 14.1.4, 15.1.3
856725-1 3-Major BT856725 Missing learning suggestion for "Illegal repeated parameter name" violation 15.1.3
964897-2 4-Minor BT964897 Live Update - Indication of "Update Available" when there is no available update 14.1.4, 15.1.3, 16.0.1.2
962817-2 4-Minor BT962817 Description field of a JSON policy overwrites policy templates description 15.1.3, 16.0.1.1
956105-2 4-Minor BT956105 Websocket URLs content profiles are not created as expected during JSON Policy import 15.1.3, 16.0.1.2
935293-2 4-Minor BT935293 'Detected Violation' Field for event logs not showing 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
922785-2 4-Minor BT922785 Live Update scheduled installation is not installing on set schedule 14.1.4, 15.1.3, 16.0.1.2
824093-5 4-Minor BT824093 Parameters payload parser issue 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
981385-3 3-Major BT981385 AVRD does not send HTTP events to BIG-IQ DCD 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
949593-3 3-Major BT949593 Unable to load config if AVR widgets were created under '[All]' partition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
924945-3 3-Major BT924945 Fail to detach HTTP profile from virtual server 15.1.3, 16.0.1.2, 16.1.1
869049-4 3-Major BT869049 Charts discrepancy in AVR reports 14.1.4.1, 15.1.3, 16.0.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
894565-1 2-Critical BT894565 Autodosd.default crash with SIGFPE 14.1.4, 15.1.3
879401-1 2-Critical K90423190, BT879401 Memory corruption during APM SAML SSO 14.1.2.5, 15.1.3
976501-2 3-Major BT976501 Failed to establish VPN connection 13.1.3.6, 14.1.4, 15.1.3
952557-2 3-Major BT952557 Azure B2C Provider OAuth URLs are updated for B2Clogin.com 14.1.4, 15.1.3
925573-6 3-Major BT925573 SIGSEGV: receiving a sessiondb callback response after the flow is aborted 14.1.4, 15.1.3
916969-3 3-Major BT916969 Support of Microsoft Identity 2.0 platform 14.1.4, 15.1.3
888145-2 3-Major BT888145 When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property 15.1.3
883577-4 3-Major BT883577 ACCESS::session irule command does not work in HTTP_RESPONSE event 14.1.4.1, 15.1.3
831517-2 3-Major BT831517 TMM may crash when Network Access tunnel is used 14.1.2.7, 15.1.3


WebAccelerator Fixes

ID Number Severity Links to More Info Description Fixed Versions
833213-1 3-Major BT833213 Conditional requests are served incorrectly with AAM policy in webacceleration profile 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
982869-1 3-Major BT982869 With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 14.1.4.1, 15.1.3, 16.0.1.2
977053-2 3-Major BT977053 TMM crash on standby due to invalid MR router instance 14.1.4.1, 15.1.3, 16.0.1.2
966701-2 3-Major BT966701 Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP 14.1.4.1, 15.1.3, 16.0.1.2
952545-2 3-Major BT952545 'Current Sessions' statistics of HTTP2 pool may be incorrect 14.1.4, 15.1.3, 16.0.1.1
913373-2 3-Major BT913373 No connection error after failover with MRF, and no connection mirroring 14.1.4, 15.1.3, 16.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
945853-2 2-Critical BT945853 Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession 15.1.3
969509-4 3-Major BT969509 Possible memory corruption due to DOS vector reset 14.1.4, 15.1.3, 16.0.1.2
965617-3 3-Major BT965617 HSB mitigation is not applied on BDoS signature with stress-based mitigation mode 14.1.4, 15.1.3, 16.0.1.1
963237-3 3-Major BT963237 Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. 14.1.4, 15.1.3, 16.0.1.1
937749-3 3-Major BT937749 The 'total port blocks' value for NAT stats is limited to 64 bits of range 15.1.3
903561-3 3-Major BT903561 Autodosd returns small bad destination detection value when the actual traffic is high 14.1.4, 15.1.3
887017-3 3-Major BT887017 The dwbld daemon consumes a large amount of memory 14.1.4, 15.1.3
837233-3 3-Major BT837233 Application Security Administrator user role cannot use GUI to manage DoS profile 14.1.4, 15.1.3
716746-3 3-Major BT716746 Possible tmm restart when disabling single endpoint vector while attack is ongoing 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2
967889-1 4-Minor BT967889 Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) 14.1.4, 15.1.3
748561-2 4-Minor BT748561 Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context 14.1.4, 15.1.3


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
928553-3 2-Critical BT928553 LSN64 with hairpinning can lead to a tmm core in rare circumstances 14.1.4, 15.1.3, 16.0.1.1
966681-1 3-Major BT966681 NAT translation failures while using SP-DAG in a multi-blade chassis 14.1.4, 15.1.3, 16.0.1.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
998085-1 3-Major BT998085 BIG-IP DataSafe GUI does not save changes 15.1.3


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
932737-2 2-Critical BT932737 DNS & BADOS high-speed logger messages are mixed 14.1.4, 15.1.3, 16.0.1.2
922597-2 3-Major BT922597 BADOS default sensitivity of 50 creates false positive attack on some sites 14.1.4, 15.1.3
914293-3 3-Major BT914293 TMM SIGSEGV and crash 14.1.4.1, 15.1.3, 16.0.1.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
874677-1 2-Critical BT874677 Traffic Classification auto signature update fails from GUI 14.1.4.3, 15.1.3, 16.0.1.1


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
768085-4 4-Minor BT768085 Error in python script /usr/libexec/iAppsLX_save_pre line 79 14.1.4, 15.1.3, 16.0.1.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
964585-3 3-Major BT964585 "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update 14.1.4, 15.1.3, 16.0.1.2
825501-3 3-Major BT825501 IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline. 14.1.4, 15.1.3, 16.0.1.1
964577-3 4-Minor BT964577 IPS automatic IM download not working as expected 14.1.4.1, 15.1.3, 16.0.1.2


BIG-IP Risk Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
969385-2 3-Major BT969385 Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers. 15.1.3, 16.0.1.2



Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
975233-2 CVE-2021-22992 K52510511, BT975233 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
973333-5 CVE-2021-22991 K56715231, BT973333 TMM buffer-overflow vulnerability CVE-2021-22991 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
955145-2 CVE-2021-22986 K03009991, BT955145 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
954381-2 CVE-2021-22986 K03009991, BT954381 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
953677-2 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188, BT953677 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
951705-2 CVE-2021-22986 K03009991, BT951705 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 14.1.4, 15.1.2.1, 16.0.1.1
950077-2 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188, BT950077 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
981169-2 CVE-2021-22994 K66851119, BT981169 F5 TMUI XSS vulnerability CVE-2021-22994 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
953729-2 CVE-2021-22989, CVE-2021-22990 K56142644 K45056101, BT953729 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
931837-1 CVE-2020-13817 K55376430, BT931837 NTP has predictable timestamps 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
976925-2 CVE-2021-23002 K71891773, BT976925 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
935401-2 CVE-2021-23001 K06440657, BT935401 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
743105-2 CVE-2021-22998 K31934524, BT743105 BIG-IP SNAT vulnerability CVE-2021-22998 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
867793-1 3-Major BT867793 BIG-IP sending the wrong trap code for BGP peer state 14.1.4, 15.1.2.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
942497-1 2-Critical BT942497 Declarative onboarding unable to download and install RPM 15.1.2.1, 16.0.1.1
940021-3 2-Critical BT940021 Syslog-ng hang may lead to unexpected reboot 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
932437-2 2-Critical BT932437 Loading SCF file does not restore files from tar file 14.1.4, 15.1.2.1, 16.0.1.1
915305-5 2-Critical BT915305 Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
838713 2-Critical BT838713 LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test' 15.1.2.1
829277-2 2-Critical BT829277 A Large /config folder can cause memory exhaustion during live-install 14.1.3.1, 15.1.2.1
739505-3 2-Critical BT739505 Automatic ISO digital signature checking not required when FIPS license active 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1
967745 3-Major BT967745 Last resort pool error for the modify command for Wide IP 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
956589-1 3-Major BT956589 The tmrouted daemon restarts and produces a core file 15.1.2.1
930905-4 3-Major BT930905 Management route lost after reboot. 14.1.4, 15.1.2.1, 16.0.1.1
904785-1 3-Major BT904785 Remotely authenticated users may experience difficulty logging in over the serial console 14.1.4, 15.1.2.1, 16.0.1.1
896817-2 3-Major BT896817 iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb 14.1.4, 15.1.2.1, 16.0.1.1
895837-3 3-Major BT895837 Mcpd crash when a traffic-matching-criteria destination-port-list is modified 14.1.4, 15.1.2.1, 16.0.1.1
865177-4 3-Major BT865177 Cert-LDAP returning only first entry in the sequence that matches san-other oid 14.1.3.1, 15.1.2.1, 16.0.1.1
842189-4 3-Major BT842189 Tunnels removed when going offline are not restored when going back online 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1
830413-3 3-Major BT830413 Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure 14.1.4, 15.1.2.1, 16.0.1.1
806073-1 3-Major BT806073 MySQL monitor fails to connect to MySQL Server v8.0 14.1.3.1, 15.1.2.1, 16.0.1.1
767737-4 3-Major BT767737 Timing issues during startup may make an HA peer stay in the inoperative state 13.1.3.5, 14.1.3.1, 15.1.2.1
853101-2 4-Minor BT853101 ERROR: syntax error at or near 'FROM' at character 17 15.1.2.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
926929-3 1-Blocking BT926929 RFC Compliance Enforcement lacks configuration availability 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
911041-3 2-Critical BT911041 Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash 14.1.3.1, 15.1.2.1, 16.0.1.2
846217-3 2-Critical BT846217 Translucent vlan-groups set local bit in destination MAC address 14.1.4.4, 15.1.2.1
841469-6 2-Critical BT841469 Application traffic may fail after an internal interface failure on a VIPRION system. 13.1.3.4, 15.1.2.1
812525-1 2-Critical K27551003, BT812525 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
974501-1 3-Major BT974501 Excessive memory usage by mirroring subsystem when remirroring 15.1.2.1
903581-1 3-Major BT903581 The pkcs11d process cannot recover under certain error condition 15.1.2.1
868209-3 3-Major BT868209 Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection 14.1.4, 15.1.2.1
863401-1 3-Major BT863401 QUIC congestion window sometimes increases inappropriately 15.1.2.1
858301-1 3-Major K27551003, BT858301 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858297-1 3-Major K27551003, BT858297 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858289-1 3-Major K27551003, BT858289 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858285-1 3-Major K27551003, BT858285 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
818109-1 3-Major BT818109 Certain plaintext traffic may cause SSL Orchestrator to hang 14.1.4, 15.1.2.1
773253-5 4-Minor BT773253 The BIG-IP may send VLAN failsafe probes from a disabled blade 13.1.4, 14.1.4.2, 15.1.2.1
738032-3 4-Minor BT738032 BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
953393-2 1-Blocking BT953393 TMM crashes when performing iterative DNS resolutions. 15.1.2.1, 16.0.1.1
891093-1 3-Major BT891093 iqsyncer does not handle stale pidfile 14.1.4, 15.1.2.1, 16.0.1.1
853585-1 4-Minor BT853585 REST Wide IP object presents an inconsistent lastResortPool value 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968421-2 2-Critical K30291321, BT968421 ASM attack signature doesn't matched 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
865289-1 2-Critical BT865289 TMM crash following DNS resolve with Bot Defense profile 15.1.2.1
913757-1 3-Major BT913757 Error viewing security policy settings for virtual server with FTP Protocol Security 15.1.2.1, 16.0.1.1
758336-5 4-Minor BT758336 Incorrect recommendation in Online Help of Proactive Bot Defense 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
934721-2 2-Critical BT934721 TMM core due to wrong assert 15.1.2.1, 16.0.1.1
743826-2 3-Major BT743826 Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
648242-6 3-Major K73521040, BT648242 Administrator users unable to access all partition via TMSH for AVR reports 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
896709-3 2-Critical BT896709 Add support for Restart Desktop for webtop in VMware VDI 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
924929-2 3-Major BT924929 Logging improvements for VDI plugin 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
899009 3-Major BT899009 Azure Active Directory deployment fails on BIG-IP 15.1 15.1.2.1
760629-5 3-Major BT760629 Remove Obsolete APM keys in BigDB 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
939529-2 3-Major BT939529 Branch parameter not parsed properly when topmost via header received with comma separated values 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
870381-1 2-Critical BT870381 Network Firewall Active Rule page does not load 15.1.2.1
919381-1 3-Major   Extend AFM subscriber aware policy rule feature to support multiple subscriber groups 15.1.2.1
870385-5 3-Major BT870385 TMM may restart under very heavy traffic load 14.1.2.8, 15.1.2.1
906885-1 5-Cosmetic BT906885 Spelling mistake on AFM GUI Flow Inspector screen 14.1.2.8, 15.1.2.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
845313-3 2-Critical BT845313 Tmm crash under heavy load 14.1.4, 15.1.2.1
941169-4 3-Major BT941169 Subscriber Management is not working properly with IPv6 prefix flows. 14.1.4, 15.1.2.1
875401-2 3-Major BT875401 PEM subcriber lookup can fail for internet side new connections 14.1.4, 15.1.2.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
915489-2 4-Minor BT915489 LTM Virtual Server Health is not affected by iRule Requests dropped 14.1.4, 15.1.2.1, 16.0.1.1


BIG-IP Risk Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
921181 3-Major BT921181 Wrong error message upon bad credential stuffing configuration 15.1.2.1



Cumulative fixes from BIG-IP v15.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
943125-2 CVE-2021-23010 K18570111, BT943125 ASM bd may crash while processing WebSocket traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
941449-2 CVE-2021-22993 K55237223, BT941449 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
921337-2 CVE-2021-22976 K88230177, BT921337 BIG-IP ASM WebSocket vulnerability CVE-2021-22976 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
916821-2 CVE-2021-22974 K68652018, BT916821 iControl REST vulnerability CVE-2021-22974 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
882189-6 CVE-2020-5897 K20346072, BT882189 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
882185-6 CVE-2020-5897 K20346072, BT882185 BIG-IP Edge Client Windows ActiveX 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881317-6 CVE-2020-5896 K15478554, BT881317 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881293-6 CVE-2020-5896 K15478554, BT881293 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
939845-2 CVE-2021-23004 K31025212, BT939845 BIG-IP MPTCP vulnerability CVE-2021-23004 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
939841-2 CVE-2021-23003 K43470422, BT939841 BIG-IP MPTCP vulnerability CVE-2021-23003 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
924961-2 CVE-2019-20892 K45212738, BT924961 CVE-2019-20892: SNMP Vulnerability 15.1.2, 16.0.1.1
919989-2 CVE-2020-5947 K64571774, BT919989 TMM does not follow TCP best practices 15.1.2, 16.0.1
881445-7 CVE-2020-5898 K69154630, BT881445 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
880361-1 CVE-2021-22973 K13323323, BT880361 iRules LX vulnerability CVE-2021-22973 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
842717-6 CVE-2020-5855 K55102004, BT842717 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
693360-2 CVE-2020-27721 K52035247, BT693360 A virtual server status changes to yellow while still available 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
773693-7 CVE-2020-5892 K15838353, BT773693 CVE-2020-5892: APM Client Vulnerability 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
920961-2 3-Major BT920961 Devices incorrectly report 'In Sync' after an incremental sync 14.1.3.1, 15.1.2, 16.0.1.1
756139-3 3-Major BT756139 Inconsistent logging of hostname files when hostname contains periods 14.1.3.1, 15.1.2, 16.0.1.1
754924-1 3-Major BT754924 New VLAN statistics added. 15.1.2
921421-3 4-Minor BT921421 iRule support to get/set UDP's Maximum Buffer Packets 14.1.3.1, 15.1.2, 16.0.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
957337-1 2-Critical BT957337 Tab complete in 'mgmt' tree is broken 14.1.3.1, 15.1.2, 16.0.1.1
933409-2 2-Critical BT933409 Tomcat upgrade via Engineering Hotfix causes live-update files removal 14.1.3.1, 15.1.2, 16.0.1.1
927033-2 2-Critical BT927033 Installer fails to calculate disk size of destination volume 14.1.3.1, 15.1.2, 16.0.1.1
910201-3 2-Critical BT910201 OSPF - SPF/IA calculation scheduling might get stuck infinitely 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
829677-2 2-Critical BT829677 .tmp files in /var/config/rest/ may cause /var directory exhaustion 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1
796601-2 2-Critical BT796601 Invalid parameter in errdefsd while processing hostname db_variable 13.1.3.5, 14.1.3.1, 15.1.2
943669-1 3-Major BT943669 B4450 blade reboot 15.1.2
935801-4 3-Major BT935801 HSB diagnostics are not provided under certain types of failures 14.1.4.5, 15.1.2
932233-2 3-Major BT932233 '@' no longer valid in SNMP community strings 15.1.2, 16.0.1.1
930741-2 3-Major BT930741 Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot 13.1.3.6, 14.1.3.1, 15.1.2
920301-1 3-Major BT920301 Unnecessarily high number of JavaScript Obfuscator instances when device is busy 14.1.3.1, 15.1.2
911809-2 3-Major BT911809 TMM might crash when sending out oversize packets. 14.1.3.1, 15.1.2
902401-5 3-Major BT902401 OSPFd SIGSEGV core when 'ospf clear' is done on remote device 14.1.3.1, 15.1.2, 16.0.1.1
898705-5 3-Major BT898705 IPv6 static BFD configuration is truncated or missing 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
889041-3 3-Major BT889041 Failover scripts fail to access resolv.conf due to permission issues 14.1.3.1, 15.1.2, 16.0.1.1
879405-1 3-Major BT879405 Incorrect value in Transparent Nexthop property 15.1.2, 16.0.1.1
867181-1 3-Major BT867181 ixlv: double tagging is not working 13.1.3.6, 14.1.3.1, 15.1.2
865241-1 3-Major BT865241 Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" 13.1.3.6, 14.1.3.1, 15.1.2
860317-3 3-Major BT860317 JavaScript Obfuscator can hang indefinitely 14.1.3.1, 15.1.2
858197-2 3-Major BT858197 Merged crash when memory exhausted 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1
846441-2 3-Major BT846441 Flow-control is reset to default for secondary blade's interface 13.1.3.5, 14.1.3.1, 15.1.2
846137-4 3-Major BT846137 The icrd returns incorrect route names in some cases 13.1.3.5, 14.1.3.1, 15.1.2
843597-1 3-Major BT843597 Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle 13.1.3.6, 14.1.3.1, 15.1.2
841649-4 3-Major BT841649 Hardware accelerated connection mismatch resulting in tmm core 14.1.4.1, 15.1.2
838901-4 3-Major BT838901 TMM receives invalid rx descriptor from HSB hardware 13.1.4, 14.1.4, 15.1.2
826905-3 3-Major BT826905 Host traffic via IPv6 route pool uses incorrect source address 14.1.3.1, 15.1.2
816229-3 3-Major BT816229 Kernel Log Messages Logged Twice 14.1.2.4, 15.1.2
811053-6 3-Major BT811053 REBOOT REQUIRED prompt appears after failover and clsh reboot 14.1.2.7, 15.1.2
811041-7 3-Major BT811041 Out of shmem, increment amount in /etc/ha_table/ha_table.conf 15.1.2
810821-3 3-Major BT810821 Management interface flaps after rebooting the device. 13.1.3.5, 14.1.2.7, 15.1.2
789181-5 3-Major BT789181 Link Status traps are not issued on VE based BIG-IP systems 15.1.2
755197-5 3-Major BT755197 UCS creation might fail during frequent config save transactions 13.1.3.5, 14.1.3.1, 15.1.2
754932-1 3-Major BT754932 New SNMP MIB, sysVlanIfcStat, for VLAN statistics. 15.1.2
737098-1 3-Major BT737098 ASM Sync does not work when the configsync IP address is an IPv6 address 13.1.3.5, 14.1.3.1, 15.1.2
933461-4 4-Minor BT933461 BGP multi-path candidate selection does not work properly in all cases. 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
924429-2 4-Minor BT924429 Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values 14.1.3.1, 15.1.2, 16.0.1.1
892677-1 4-Minor BT892677 Loading config file with imish adds the newline character 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
882713-3 4-Minor BT882713 BGP SNMP trap has the wrong sysUpTime value 14.1.3.1, 15.1.2
583084-6 4-Minor K15101680, BT583084 iControl produces 404 error while creating records successfully 13.1.3.5, 14.1.3.1, 15.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
941089-3 2-Critical BT941089 TMM core when using Multipath TCP 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
915957-1 2-Critical BT915957 The wocplugin may get into a restart loop when AAM is provisioned 14.1.3, 15.1.2
908873-1 2-Critical BT908873 Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core 15.1.2
908621-2 2-Critical BT908621 Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core 14.1.4.1, 15.1.2
891849-1 2-Critical BT891849 Running iRule commands while suspending iRule commands that are running can lead to a crash 14.1.3.1, 15.1.2
876801-5 2-Critical BT876801 Tmm crash: invalid route type 13.1.4, 14.1.4, 15.1.2
866481-2 2-Critical BT866481 TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode 15.1.2
851345-1 2-Critical BT851345 The TMM may crash in certain rare scenarios involving HTTP/2 14.1.3.1, 15.1.2
850873-3 2-Critical BT850873 LTM global SNAT sets TTL to 255 on egress. 14.1.3.1, 15.1.2
726518-1 2-Critical BT726518 Tmsh show command terminated with CTRL-C can cause TMM to crash. 13.1.3.6, 14.1.2.8, 15.1.2
705768-2 2-Critical BT705768 The dynconfd process may core and restart with multiple DNS name servers configured 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
949145-5 3-Major BT949145 Improve TCP's response to partial ACKs during loss recovery 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
948757-2 3-Major BT948757 A snat-translation address responds to ARP requests but not to ICMP ECHO requests. 14.1.3.1, 15.1.2, 16.0.1
940209 3-Major BT940209 Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. 14.1.4, 15.1.2
939961-2 3-Major BT939961 TCP connection is closed when necessary after HTTP::respond iRule. 15.1.2, 16.0.1.2
934993-2 3-Major BT934993 BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams 15.1.2, 16.0.1.1
932033 3-Major BT932033 Chunked response may have DATA frame with END_STREAM prematurely 14.1.4, 15.1.2
915605-6 3-Major K56251674, BT915605 Image install fails if iRulesLX is provisioned and /usr mounted read-write 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
913249-2 3-Major BT913249 Restore missing UDP statistics 14.1.3.1, 15.1.2, 16.0.1.1
901929-2 3-Major BT901929 GARPs not sent on virtual server creation 14.1.3.1, 15.1.2, 16.0.1.1
892941-2 3-Major K20105555, BT892941 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) 14.1.4, 15.1.2, 16.0.1.1
888113-3 3-Major BT888113 TMM may core when the HTTP peer aborts the connection 15.1.2
879413-1 3-Major BT879413 Statsd fails to start if one or more of its *.info files becomes corrupted 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
878925-2 3-Major BT878925 SSL connection mirroring failover at end of TLS handshake 14.1.4.1, 15.1.2
860005-1 3-Major BT860005 Ephemeral nodes/pool members may be created for wrong FQDN name 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
857845-1 3-Major BT857845 TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule 13.1.3.6, 14.1.3.1, 15.1.2
850145-1 3-Major BT850145 Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed 14.1.3.1, 15.1.2
820333-1 3-Major BT820333 LACP working member state may be inconsistent when blade is forced offline 14.1.3.1, 15.1.2
809701-7 3-Major BT809701 Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist 14.1.3.1, 15.0.1.3, 15.1.2
803233-1 3-Major BT803233 Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
790845-4 3-Major BT790845 An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default 13.1.3.5, 14.1.4, 15.1.2
724824-1 3-Major BT724824 Ephemeral nodes on peer devices report as unknown and unchecked after full config sync 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
714642-2 3-Major BT714642 Ephemeral pool-member state on the standby is down 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
935593-4 4-Minor BT935593 Incorrect SYN re-transmission handling with FastL4 timestamp rewrite 14.1.3.1, 15.1.2, 16.0.1.1
895153 4-Minor BT895153 HTTP::has_responded returns incorrect values when using HTTP/2 14.1.3.1, 15.1.2
883105-1 4-Minor BT883105 HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect 15.1.2
808409-4 4-Minor BT808409 Unable to specify if giaddr will be modified in DHCP relay chain 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
859717-2 5-Cosmetic BT859717 ICMP-limit-related warning messages in /var/log/ltm 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918169-1 2-Critical BT918169 The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
916753-2 2-Critical BT916753 RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core 15.1.2, 16.0.1.1
905557-1 2-Critical BT905557 Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure 14.1.4, 15.1.2
850509-1 2-Critical BT850509 Zone Trusted Signature inadequately maintained, following change of master key 14.1.4.4, 15.1.2
837637-1 2-Critical K02038650, BT837637 Orphaned bigip_gtm.conf can cause config load failure after upgrading 14.1.3.1, 15.1.2, 16.0.1.1
926593-2 3-Major BT926593 GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' 14.1.3.1, 15.1.2, 16.0.1.1
852101-1 3-Major BT852101 Monitor fails. 13.1.3.6, 14.1.3.1, 15.1.2
844689-1 3-Major BT844689 Possible temporary CPU usage increase with unusually large named.conf file 14.1.3.1, 15.1.2
746348-4 3-Major BT746348 On rare occasions, gtmd fails to process probe responses originating from the same system. 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2
644192-2 3-Major K23022557, BT644192 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN 11.6.5.3, 14.1.3.1, 15.1.2, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
940249-2 2-Critical BT940249 Sensitive data is not masked after "Maximum Array/Object Elements" is reached 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
927617-2 2-Critical BT927617 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
941853-1 3-Major BT941853 Logging Profiles do not disassociate from virtual server when multiple changes are made 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
940897-3 3-Major BT940897 Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
918933-2 3-Major K88162221, BT918933 The BIG-IP ASM system may not properly perform signature checks on cookies 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
913137-1 3-Major BT913137 No learning suggestion on ASM policies enabled via LTM policy 15.1.2, 16.0.1.1
904053-2 3-Major BT904053 Unable to set ASM Main Cookie/Domain Cookie hashing to Never 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
893061-2 3-Major BT893061 Out of memory for restjavad 14.1.3.1, 15.1.2, 16.0.1.1
882769-1 3-Major BT882769 Request Log: wrong filter applied when searching by Response contains or Response does not contain 13.1.3.5, 14.1.2.7, 15.1.2
919001-2 4-Minor BT919001 Live Update: Update Available notification is shown twice in rare conditions 14.1.2.8, 15.1.2, 16.0.1.1
896285-2 4-Minor BT896285 No parent entity in suggestion to add predefined-filetype as allowed filetype 14.1.2.7, 15.1.2, 16.0.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
924301-1 3-Major BT924301 Incorrect values in REST response for DNS/SIP 15.1.2, 16.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910097-2 2-Critical BT910097 Changing per-request policy while tmm is under traffic load may drop heartbeats 14.1.3.1, 15.1.2, 16.0.1.1
924857-1 3-Major BT924857 Logout URL with parameters resets TCP connection 14.1.4.5, 15.1.2, 16.0.1.2
914649-3 3-Major BT914649 Support USB redirection through VVC (VMware virtual channel) with BlastX 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
739570-4 3-Major BT739570 Unable to install EPSEC package 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
833049-4 4-Minor BT833049 Category lookup tool in GUI may not match actual traffic categorization 13.1.3.5, 14.1.4, 15.1.2
766017-6 4-Minor BT766017 [APM][LocalDB] Local user database instance name length check inconsistencies 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
942581-1 1-Blocking BT942581 Timestamp cookies do not work with hardware accelerated flows 15.1.2
938165-1 2-Critical BT938165 TMM Core after attempted update of IP geolocation database file 14.1.3.1, 15.1.2, 16.0.1.1
938149-1 3-Major BT938149 Port Block Update log message is missing the "Start time" field 15.1.2, 16.0.1.1
910417-2 3-Major BT910417 TMM core may be seen when reattaching a vector to a DoS profile 14.1.4, 15.1.2, 16.0.1.2
872049-1 3-Major BT872049 Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command 15.1.2
871985-1 3-Major BT871985 No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection 15.1.2
851745-3 3-Major BT851745 High cpu consumption due when enabling large number of virtual servers 14.1.4.1, 15.1.2
840809-2 3-Major BT840809 If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged 14.1.4, 15.1.2


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
842989-6 3-Major BT842989 PEM: tmm could core when running iRules on overloaded systems 14.1.4, 15.1.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
944785-2 3-Major BT944785 Admd restarting constantly. Out of memory due to loading malformed state file 14.1.3.1, 15.1.2, 16.0.1.2
923125-2 3-Major BT923125 Huge amount of admd processes caused oom 14.1.3.1, 15.1.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
927993-1 1-Blocking K97501254, BT927993 Built-in SSL Orchestrator RPM installation failure 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1



Cumulative fixes from BIG-IP v15.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
935721-5 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291, BT935721 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1
935029-3 CVE-2020-27720 K04048104, BT935029 TMM may crash while processing IPv6 NAT traffic 14.1.3.1, 15.1.1, 16.0.1
933741-2 CVE-2021-22979 K63497634, BT933741 BIG-IP FPS XSS vulnerability CVE-2021-22979 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
932065-2 CVE-2021-22978 K87502622, BT932065 iControl REST vulnerability CVE-2021-22978 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
931513-3 CVE-2021-22977 K14693346, BT931513 TMM vulnerability CVE-2021-22977 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1
928321-1 CVE-2020-27719 K19166530, BT928321 K19166530: XSS vulnerability CVE-2020-27719 14.1.3.1, 15.1.1, 16.0.1
917509-3 CVE-2020-27718 K58102101, BT917509 BIG-IP ASM vulnerability CVE-2020-27718 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
911761-2 CVE-2020-5948 K42696541, BT911761 F5 TMUI XSS vulnerability CVE-2020-5948 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
908673-5 CVE-2020-27717 K43850230, BT908673 TMM may crash while processing DNS traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904165-1 CVE-2020-27716 K51574311, BT904165 BIG-IP APM vulnerability CVE-2020-27716 14.1.3.1, 15.1.1
879745-4 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
876353-1 CVE-2020-5941 K03125360, BT876353 iRule command RESOLV::lookup may cause TMM to crash 15.1.1, 16.0.1
839453-6 CVE-2019-10744 K47105354, BT839453 lodash library vulnerability CVE-2019-10744 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1
834257-1 CVE-2020-5931 K25400442, BT834257 TMM may crash when processing HTTP traffic 13.1.3.6, 14.1.2.5, 15.1.1
814953 CVE-2020-5940 K43310520, BT814953 TMUI dashboard hardening 14.1.2.5, 15.1.1, 16.0.1
754855-7 CVE-2020-27714 K60344652, BT754855 TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile 13.1.4, 14.1.3.1, 15.1.1
928037-2 CVE-2020-27729 K15310332, BT928037 APM Hardening 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
919841-3 CVE-2020-27728 K45143221, BT919841 AVRD may crash while processing Bot Defense traffic 14.1.3.1, 15.1.1, 16.0.1
917469-2 CVE-2020-5946 K53821711, BT917469 TMM may crash while processing FPS traffic 14.1.2.8, 15.1.1, 16.0.1
912969-2 CVE-2020-27727 K50343630, BT912969 iAppsLX REST vulnerability CVE-2020-27727 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
910017-2 CVE-2020-5945 K21540525, BT910017 Security hardening for the TMUI Interface page 14.1.2.8, 15.1.1, 16.0.1
905125-2 CVE-2020-27726 K30343902, BT905125 Security hardening for APM Webtop 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904937-2 CVE-2020-27725 K25595031, BT904937 Excessive resource consumption in zxfrd 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
889557-1 CVE-2019-11358 K20455158, BT889557 jQuery Vulnerability CVE-2019-11358 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
880001-1 CVE-2020-5937 K58290051, BT880001 TMM may crash while processing L4 behavioral DoS traffic 15.1.1
870273-5 CVE-2020-5936 K44020030, BT870273 TMM may consume excessive resources when processing SSL traffic 12.1.5.2, 14.1.2.8, 15.1.1
868349-1 CVE-2020-5935 K62830532, BT868349 TMM may crash while processing iRules with MQTT commands 13.1.3.4, 14.1.2.5, 15.1.1
858349-3 CVE-2020-5934 K44808538, BT858349 TMM may crash while processing SAML SLO traffic 14.1.2.5, 15.1.1
848405-2 CVE-2020-5933 K26244025, BT848405 TMM may consume excessive resources while processing compressed HTTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1
839761-1 CVE-2020-5932 K12002065, BT839761 Response Body preview hardening 15.1.1
778049-2 CVE-2018-13405 K00854051, BT778049 Linux Kernel Vulnerability: CVE-2018-13405 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
887637-2 CVE-2019-3815 K22040951, BT887637 Systemd-journald Vulnerability: CVE-2019-3815 14.1.2.5, 15.0.1.4, 15.1.1
852929-6 CVE-2020-5920 K25160703, BT852929 AFM WebUI Hardening 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1
818213-4 CVE-2019-10639 K32804955, BT818213 CVE-2019-10639: KASLR bypass using connectionless protocols 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
818177-6 CVE-2019-12295 K06725231, BT818177 CVE-2019-12295 Wireshark Vulnerability 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1
858537-2 CVE-2019-1010204 K05032915, BT858537 CVE-2019-1010204: Binutilis Vulnerability 14.1.2.8, 15.1.1
834533-7 CVE-2019-15916 K57418558, BT834533 Linux kernel vulnerability CVE-2019-15916 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
912289-1 2-Critical BT912289 Cannot roll back after upgrading on certain platforms 12.1.6, 14.1.4, 15.1.1
890229-1 3-Major BT890229 Source port preserve setting is not honored 13.1.3.5, 14.1.2.8, 15.1.1
858189-3 3-Major BT858189 Make restnoded/restjavad/icrd timeout configurable with sys db variables. 12.1.5.2, 14.1.2.7, 15.1.1
719338-1 4-Minor BT719338 Concurrent management SSH connections are unlimited 13.1.4, 14.1.4, 15.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
864513-1 1-Blocking K48234609, BT864513 ASM policies may not load after upgrading to 14.x or later from a previous major version 14.1.2.7, 15.1.1
896217-2 2-Critical BT896217 BIG-IP GUI unresponsive 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
876957-1 2-Critical BT876957 Reboot after tmsh load sys config changes sys FPGA firmware-config value 14.1.4.1, 15.1.1
871561-5 2-Critical BT871561 Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)' 14.1.2.8, 15.1.1, 16.0.1
860517-1 2-Critical BT860517 MCPD may crash on startup with many thousands of monitors on a system with many CPUs. 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
818253-3 2-Critical BT818253 Generate signature files for logs 14.1.2.8, 15.1.1, 16.0.1.1
805417-3 2-Critical BT805417 Unable to enable LDAP system auth profile debug logging 14.1.2.7, 15.1.1
706521-2 2-Critical K21404407, BT706521 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
593536-9 2-Critical K64445052, BT593536 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations 14.1.2.8, 15.1.1
924493-2 3-Major BT924493 VMware EULA has been updated 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
921361-2 3-Major BT921361 SSL client and SSL server profile names truncated in GUI 15.1.1, 16.0.1.1
915825-2 3-Major BT915825 Configuration error caused by Drafts folder in a deleted custom partition while upgrading. 13.1.3.5, 14.1.3.1, 15.1.1
904845-2 3-Major BT904845 VMware guest OS customization works only partially in a dual stack environment. 14.1.3.1, 15.1.1, 16.0.1
904705-2 3-Major BT904705 Cannot clone Azure marketplace instances. 14.1.2.8, 15.1.1, 16.0.1
898461-2 3-Major BT898461 Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' 14.1.3.1, 15.1.1, 16.0.1.1
886689-6 3-Major BT886689 Generic Message profile cannot be used in SCTP virtual 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
880625-3 3-Major BT880625 Check-host-attr enabled in LDAP system-auth creates unusable config 14.1.2.8, 15.1.1, 16.0.1
880165-2 3-Major BT880165 Auto classification signature update fails 14.1.2.8, 15.1.1, 16.0.1
867013-2 3-Major BT867013 Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout 13.1.3.5, 14.1.2.7, 15.1.1
850777-3 3-Major BT850777 BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config 14.1.3.1, 15.1.1
838297-2 3-Major BT838297 Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication 14.1.2.8, 15.1.1
828789-1 3-Major BT828789 Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters 14.1.2.8, 15.1.1
807337-5 3-Major BT807337 Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. 14.1.2.8, 15.1.1, 16.0.1.1
788577-7 3-Major BT788577 BFD sessions may be reset after CMP state change 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
759564-2 3-Major BT759564 GUI not available after upgrade 14.1.2.8, 15.1.1, 16.0.1
740589-4 3-Major BT740589 Mcpd crash with core after 'tmsh edit /sys syslog all-properties' 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
719555-3 3-Major BT719555 Interface listed as 'disable' after SFP insertion and enable 14.1.4, 15.1.1
489572-5 3-Major K60934489, BT489572 Sync fails if file object is created and deleted before sync to peer BIG-IP 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
431503-8 3-Major K14838, BT431503 TMSH crashes in rare initial tunnel configurations 13.1.3.5, 14.1.2.8, 15.1.1
921369 4-Minor BT921369 Signature verification for logs fails if the log files are modified during log rotation 15.1.1
914761-3 4-Minor BT914761 Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. 14.1.2.8, 15.1.1, 16.0.1.1
906889-4 4-Minor BT906889 Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. 14.1.2.8, 15.1.1, 16.0.1
902417-2 4-Minor BT902417 Configuration error caused by Drafts folder in a deleted custom partition 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1
890277-3 4-Minor BT890277 Full config sync to a device group operation takes a long time when there are a large number of partitions. 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
864757-3 4-Minor BT864757 Traps that were disabled are enabled after configuration save 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
822377-6 4-Minor   CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability 14.1.2.8, 15.1.1
779857-2 4-Minor BT779857 Misleading GUI error when installing a new version in another partition 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
751103-2 4-Minor BT751103 TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop 14.1.2.8, 15.1.1, 16.0.1
849085-1 5-Cosmetic BT849085 Lines with only asterisks filling message and user.log file 14.1.3.1, 15.1.1
714176-1 5-Cosmetic BT714176 UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
889209-2 2-Critical BT889209 Sflow receiver configuration may lead to egress traffic dropped after TMM starts. 14.1.4, 15.1.1
879409-3 2-Critical BT879409 TMM core with mirroring traffic due to unexpected interface name length 14.1.3.1, 15.1.1
858429-3 2-Critical BT858429 BIG-IP system sending ICMP packets on both virtual wire interface 14.1.2.8, 15.0.1.4, 15.1.1
851857-1 2-Critical BT851857 HTTP 100 Continue handling does not work when it arrives in multiple packets 13.1.3.5, 14.1.3.1, 15.1.1
851581-3 2-Critical BT851581 Server-side detach may crash TMM 14.1.2.8, 15.1.1
842937-6 2-Critical BT842937 TMM crash due to failed assertion 'valid node' 12.1.5.3, 14.1.2.7, 15.1.1
932825-2 3-Major BT932825 Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device 15.1.1
915713-2 3-Major BT915713 Support QUIC and HTTP3 draft-29 15.1.1, 16.0.1.1
915689-1 3-Major BT915689 HTTP/2 dynamic header table may fail to identify indexed headers on the response side. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915281-2 3-Major BT915281 Do not rearm TCP Keep Alive timer under certain conditions 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
892385 3-Major BT892385 HTTP does not process WebSocket payload when received with server HTTP response 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
883529-1 3-Major BT883529 HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path 15.1.1
851789-2 3-Major BT851789 SSL monitors flap with client certs with private key stored in FIPS 12.1.5.3, 14.1.2.5, 15.1.1
851477-1 3-Major BT851477 Memory allocation failures during proxy initialization are ignored leading to TMM cores 14.1.3.1, 15.1.1
851045-1 3-Major BT851045 LTM database monitor may hang when monitored DB server goes down 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1
830797-3 3-Major BT830797 Standby high availability (HA) device passes traffic through virtual wire 14.1.2.3, 15.0.1.1, 15.1.1
825689-1 3-Major   Enhance FIPS crypto-user storage 12.1.6, 13.1.4, 14.1.4, 15.1.1
816881-2 3-Major BT816881 Serverside conection may use wrong VLAN when virtual wire is configured 14.1.2.8, 15.1.1
801497-3 3-Major BT801497 Virtual wire with LACP pinning to one link in trunk. 14.1.2.1, 15.1.1
932937-2 4-Minor BT932937 HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. 14.1.3.1, 15.1.1, 16.0.1
926997-1 4-Minor BT926997 QUIC HANDSHAKE_DONE profile statistics are not reset 15.1.1, 16.0.1
852373-3 4-Minor BT852373 HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error 14.1.2.5, 15.0.1.4, 15.1.1
814037-6 4-Minor BT814037 No virtual server name in Hardware Syncookie activation logs. 13.1.3.5, 14.1.2.8, 15.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
919553-2 2-Critical BT919553 GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
788465-5 2-Critical BT788465 DNS cache idx synced across HA group could cause tmm crash 14.1.3.1, 15.1.1, 16.0.1
783125-1 2-Critical BT783125 iRule drop command on DNS traffic without Datagram-LB may cause TMM crash 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
898093-2 3-Major BT898093 Removing one member from a WideIP removes it from all WideIPs. 15.1.1
869361-1 3-Major BT869361 Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated 15.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
868641-3 2-Critical BT868641 Possible TMM crash when disabling bot profile for the entire connection 14.1.2.7, 15.1.1
843801-2 2-Critical BT843801 Like-named previous Signature Update installations block Live Update usage after upgrade 14.1.2.7, 15.1.1
918081-1 3-Major BT918081 Application Security Administrator role cannot create parent policy in the GUI 15.1.1, 16.0.1.1
913761-2 3-Major BT913761 Security - Options section in navigation menu is visible for only Administrator users 15.1.1, 16.0.1.2
903357-2 3-Major BT903357 Bot defense Profile list is loads too slow when there are 750 or more Virtual servers 14.1.2.7, 15.1.1, 16.0.1.1
901061-2 3-Major BT901061 Safari browser might be blocked when using Bot Defense profile and related domains. 14.1.2.8, 15.1.1, 16.0.1
898741-2 3-Major BT898741 Missing critical files causes FIPS-140 system to halt upon boot 14.1.2.7, 15.1.1
892637-1 3-Major BT892637 Microservices cannot be added or modified 15.1.1
888285-1 3-Major K18304067, BT888285 Sensitive positional parameter not masked in 'Referer' header value 14.1.2.8, 15.1.1
888261-1 3-Major BT888261 Policy created with declarative WAF does not use updated template. 15.1.1
881757-1 3-Major BT881757 Unnecessary HTML response parsing and response payload is not compressed 14.1.4.2, 15.1.1, 16.0.1.2
880753-3 3-Major K38157961, BT880753 Possible issues when using DoSL7 and Bot Defense profile on the same virtual server 14.1.2.7, 15.0.1.4, 15.1.1
879777-3 4-Minor BT879777 Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge 14.1.2.8, 15.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
908065-2 3-Major BT908065 Logrotation for /var/log/avr blocked by files with .1 suffix 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
819301-2 3-Major BT819301 Incorrect values in REST response for dos-l3 table 15.1.1, 16.0.1
866613-4 4-Minor BT866613 Missing MaxMemory Attribute 13.1.3.5, 14.1.2.8, 15.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
886729-2 2-Critical BT886729 Intermittent TMM crash in per-request-policy allow-ending agent 15.1.1
838861-3 2-Critical BT838861 TMM might crash once after upgrading SSL Orchestrator 14.1.2.7, 15.1.1
579219-5 2-Critical BT579219 Access keys missing from SessionDB after multi-blade reboot. 14.1.2.8, 15.1.1
892937-2 3-Major K20105555, BT892937 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) 14.1.4, 15.1.1, 16.0.1
857589-1 3-Major BT857589 On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed' 15.1.1
771961-3 3-Major BT771961 While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core 14.1.3.1, 15.1.1
747020-2 3-Major BT747020 Requests that evaluate to same subsession can be processed concurrently 14.1.3.1, 15.1.1, 16.0.1
679751-2 4-Minor BT679751 Authorization header can cause a connection reset 13.1.3.5, 14.1.2.8, 15.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
868781-1 2-Critical BT868781 TMM crashes while processing MRF traffic 13.1.4.1, 14.1.4.2, 15.1.1
898997-2 3-Major BT898997 GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes 14.1.2.7, 15.1.1, 16.0.1
891385-2 3-Major BT891385 Add support for URI protocol type "urn" in MRF SIP load balancing 14.1.3.1, 15.1.1, 16.0.1
697331-2 3-Major BT697331 Some TMOS tools for querying various DBs fail when only a single TMM is running 14.1.3, 14.1.3.1, 15.1.1
924349-2 4-Minor   DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP 14.1.3.1, 15.1.1, 16.0.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
872645-2 3-Major BT872645 Protected Object Aggregate stats are causing elevated CPU usage 14.1.3.1, 15.1.1
852289-4 3-Major K23278332, BT852289 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector 13.1.3.4, 14.1.2.5, 15.1.1
789857 3-Major BT789857 "TCP half open' reports drops made by LTM syn-cookies mitigation. 14.1.4, 15.1.1
920361-2 4-Minor BT920361 Standby device name sent in Traffic Statistics syslog/Splunk messages 14.1.3.1, 15.1.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
876581-2 3-Major BT876581 JavaScript engine file is empty if the original HTML page cached for too long 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
891729-2 4-Minor BT891729 Errors in datasyncd.log 14.1.2.8, 15.1.1, 16.0.1
759988-2 4-Minor BT759988 Geolocation information inconsistently formatted 15.1.1, 16.0.1
940401-2 5-Cosmetic BT940401 Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
937281-3 3-Major BT937281 SSL Orchestrator pool members are limited to 20 with Standalone license 15.1.1, 16.0.0.1



Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
912221-1 CVE-2020-12662
CVE-2020-12663		 K37661551, BT912221 CVE-2020-12662 & CVE-2020-12663 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5
900905-3 CVE-2020-5926 K42830212, BT900905 TMM may crash while processing SIP data 14.1.2.7, 15.0.1.4, 15.1.0.5
888417-5 CVE-2020-8840 K15320518, BT888417 Apache Vulnerability: CVE-2020-8840 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
883717-1 CVE-2020-5914 K37466356, BT883717 BD crash on specific server cookie scenario 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
841577-2 CVE-2020-5922 K20606443, BT841577 iControl REST hardening 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
838677-1 CVE-2019-10744 K47105354, BT838677 lodash library vulnerability CVE-2019-10744 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
837773-7 CVE-2020-5912 K12936322, BT837773 Restjavad Storage and Configuration Hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
788057-3 CVE-2020-5921 K00103216, BT788057 MCPD may crash while processing syncookies 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
917005-5 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1
909837-1 CVE-2020-5950 K05204103, BT909837 TMM may consume excessive resources when AFM is provisioned 13.1.3.5, 14.1.2.7, 15.1.0.5
902141-1 CVE-2020-5919 K94563369, BT902141 TMM may crash while processing APM data 15.1.0.5
898949-1 CVE-2020-27724 K04518313, BT898949 APM may consume excessive resources while processing VPN traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
888489-2 CVE-2020-5927 K55873574, BT888489 ASM UI hardening 14.1.2.7, 15.0.1.4, 15.1.0.5
886085-5 CVE-2020-5925 K45421311, BT886085 BIG-IP TMM vulnerability CVE-2020-5925 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
872673-1 CVE-2020-5918 K26464312, BT872673 TMM can crash when processing SCTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
856961-7 CVE-2018-12207 K17269881, BT856961 INTEL-SA-00201 MCE vulnerability CVE-2018-12207 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5
837837-2 CVE-2020-5917 K43404629, BT837837 F5 SSH server key size vulnerability CVE-2020-5917 12.1.5.2, 14.1.2.5, 15.0.1.4, 15.1.0.5
832885-1 CVE-2020-5923 K05975972, BT832885 Self-IP hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
830481-1 CVE-2020-5916 K29923912, BT830481 SSL TMUI hardening 15.0.1.4, 15.1.0.5
816413-5 CVE-2019-1125 K31085564, BT816413 CVE-2019-1125: Spectre SWAPGS Gadget 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
811789-7 CVE-2020-5915 K57214921, BT811789 Device trust UI hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
888493-2 CVE-2020-5928 K40843345, BT888493 ASM GUI Hardening 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
748122-8 CVE-2018-15333 K53620021, BT748122 BIG-IP Vulnerability CVE-2018-15333 14.1.2.5, 15.0.1.4, 15.1.0.5
746091-8 CVE-2019-19151 K21711352, BT746091 TMSH Vulnerability: CVE-2019-19151 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
717276-9 CVE-2020-5930 K20622530, BT717276 TMM Route Metrics Hardening 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5
839145-3 CVE-2019-10744 K47105354, BT839145 CVE-2019-10744: lodash vulnerability 14.1.2.7, 15.1.0.5, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
816233-1 2-Critical BT816233 Session and authentication cookies should use larger character set 14.1.2.7, 15.0.1.4, 15.1.0.5
890421-2 3-Major BT890421 New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers 15.0.1.3, 15.1.0.5
691499-5 3-Major BT691499 GTP::ie primitives in iRule to be certified 13.1.3.4, 14.1.2.7, 15.1.0.5
745465-4 4-Minor BT745465 The tcpdump file does not provide the correct extension 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
934241-2 1-Blocking BT934241 TMM may core when using FastL4's hardware offloading feature 15.1.0.5
891477-3 2-Critical BT891477 No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server 14.1.2.7, 15.0.1.4, 15.1.0.5
890513-2 2-Critical BT890513 MCPD fails to load configuration from binary database 14.1.4, 15.1.0.5
849405-2 2-Critical BT849405 LTM v14.1.2.1 does not log after upgrade 14.1.2.5, 15.1.0.5
842865-2 2-Critical BT842865 Add support for Auto MAC configuration (ixlv) 14.1.2.8, 15.0.1.4, 15.1.0.5
739507-3 2-Critical BT739507 Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check 13.1.1.2, 14.1.4, 15.1.0.5
927901-4 3-Major BT927901 After BIG-IP reboot, vxnet interfaces come up as uninitialized 15.1.0.5
915497-2 3-Major BT915497 New Traffic Class Page shows multiple question marks. 14.1.3.1, 15.1.0.5, 16.0.1.1
907549-1 3-Major BT907549 Memory leak in BWC::Measure 15.1.0.5
891721-3 3-Major BT891721 Anti-Fraud Profile URLs with query strings do not load successfully 14.1.2.7, 15.0.1.4, 15.1.0.5
888497-2 3-Major BT888497 Cacheable HTTP Response 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
887089-1 3-Major BT887089 Upgrade can fail when filenames contain spaces 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
877145-4 3-Major BT877145 Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException 15.0.1.3, 15.1.0.5
871657-1 3-Major BT871657 Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
844085-1 3-Major BT844085 GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address 14.1.2.8, 15.1.0.5, 16.0.1
842125-6 3-Major BT842125 Unable to reconnect outgoing SCTP connections that have previously aborted 13.1.3.4, 14.1.2.5, 15.1.0.5
821309-1 3-Major BT821309 After an initial boot, mcpd has a defunct child "systemctl" process 14.1.2.7, 15.1.0.5
814585-1 3-Major BT814585 PPTP profile option not available when creating or modifying virtual servers in GUI 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1
807005-5 3-Major BT807005 Save-on-auto-sync is not working as expected with large configuration objects 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
802685-2 3-Major BT802685 Unable to configure performance HTTP virtual server via GUI 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
797829-6 3-Major BT797829 The BIG-IP system may fail to deploy new or reconfigure existing iApps 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
785741-3 3-Major K19131357, BT785741 Unable to login using LDAP with 'user-template' configuration 14.1.2.3, 15.0.1.4, 15.1.0.5
760622-5 3-Major BT760622 Allow Device Certificate renewal from BIG-IP Configuration Utility 15.1.0.5
405329-3 3-Major   The imish utility cores while checking help strings for OSPF6 vertex-threshold 15.1.0.5
919745-2 4-Minor BT919745 CSV files downloaded from the Dashboard have the first row with all 'NaN 14.1.2.8, 15.1.0.5, 16.0.1
918209-3 4-Minor BT918209 GUI Network Map icons color scheme is not section 508 compliant 14.1.2.8, 15.1.0.5, 16.0.1
851393-1 4-Minor BT851393 Tmipsecd leaves a zombie rm process running after starting up 14.1.4.4, 15.1.0.5
804309-1 4-Minor BT804309 [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument 13.1.3.5, 14.1.2.7, 15.1.0.5
713614-7 4-Minor BT713614 Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) 15.1.0.5
767269-5 5-Cosmetic   Linux kernel vulnerability: CVE-2018-16884 14.1.2.8, 15.1.0.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
925989 2-Critical BT925989 Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4 15.1.0.5
839749-3 2-Critical BT839749 Virtual server with specific address list might fail to create via GUI 14.1.2.8, 15.0.1.1, 15.1.0.5
715032-1 2-Critical K73302459, BT715032 iRulesLX Hardening 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
916589-2 3-Major BT916589 QUIC drops 0RTT packets if CID length changes 15.1.0.5, 16.0.1.1
910521-2 3-Major BT910521 Support QUIC and HTTP draft-28 15.1.0.5, 16.0.1
893281-3 3-Major BT893281 Possible ssl stall on closed client handshake 14.1.2.7, 15.1.0.5
813701-6 3-Major BT813701 Proxy ARP failure 14.1.2.7, 15.1.0.5
788753-2 3-Major BT788753 GATEWAY_ICMP monitor marks node down with wrong error code 13.1.3.4, 14.1.2.8, 15.1.0.5
786517-5 3-Major BT786517 Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address 13.1.3.5, 14.1.3.1, 15.1.0.5
720440-6 3-Major BT720440 Radius monitor marks pool members down after 6 seconds 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5
914681-2 4-Minor BT914681 Value of tmm.quic.log.level can differ between TMSH and GUI 15.1.0.5, 16.0.1.1
714502-3 4-Minor BT714502 bigd restarts after loading a UCS for the first time 14.1.2.7, 15.1.0.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
789421-4 3-Major BT789421 Resource-administrator cannot create GTM server object through GUI 14.1.2.7, 15.1.0.5, 16.0.1
774257-4 5-Cosmetic BT774257 tmsh show gtm pool and tmsh show gtm wideip print duplicate object types 14.1.2.7, 15.1.0.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
904593-1 2-Critical BT904593 Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled 14.1.2.7, 15.1.0.5
865461-1 2-Critical BT865461 BD crash on specific scenario 14.1.2.7, 15.1.0.5
850641-2 2-Critical BT850641 Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies 15.1.0.5
900797-2 3-Major BT900797 Brute Force Protection (BFP) hash table entry cleanup 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900793-1 3-Major K32055534, BT900793 APM Brute Force Protection resources do not scale automatically 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900789-2 3-Major BT900789 Alert before Brute Force Protection (BFP) hash are fully utilized 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
892653-1 3-Major BT892653 Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI 14.1.2.7, 15.1.0.5, 16.0.1
880789-3 3-Major BT880789 ASMConfig Handler undergoes frequent restarts 14.1.2.7, 15.1.0.5
874753-3 3-Major   Filtering by Bot Categories on Bot Requests Log shows 0 events 14.1.2.7, 15.1.0.5
871905-2 3-Major K02705117, BT871905 Incorrect masking of parameters in event log 14.1.2.5, 15.0.1.4, 15.1.0.5
868721-1 3-Major BT868721 Transactions are held for a long time on specific server related conditions 14.1.2.7, 15.1.0.5
863609-4 3-Major BT863609 Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies 14.1.2.7, 15.1.0.5
854177-5 3-Major BT854177 ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5
850677-4 3-Major BT850677 Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy 14.1.2.7, 15.1.0.5
848445-1 3-Major K86285055, BT848445 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
833685-5 3-Major BT833685 Idle async handlers can remain loaded for a long time doing nothing 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5
809125-5 3-Major BT809125 CSRF false positive 12.1.5.1, 14.1.2.7, 15.1.0.5
799749-2 3-Major BT799749 Asm logrotate fails to rotate 14.1.2.7, 15.1.0.5
783165-1 3-Major BT783165 Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile 14.1.2.7, 15.1.0.5
742549-3 3-Major BT742549 Cannot create non-ASCII entities in non-UTF ASM policy using REST 13.1.3.6, 14.1.2.7, 15.1.0.5
722337-2 3-Major BT722337 Always show violations in request log when post request is large 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1
640842-5 3-Major BT640842 ASM end user using mobile might be blocked when CSRF is enabled 14.1.2.7, 15.1.0.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
828937-1 2-Critical K45725467, BT828937 Some systems can experience periodic high IO wait due to AVR data aggregation 13.1.3.4, 14.1.2.5, 15.1.0.5
902485-3 3-Major BT902485 Incorrect pool member concurrent connection value 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
841305-2 3-Major BT841305 HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log 15.1.0.5, 16.0.1
838685-4 3-Major BT838685 DoS report exist in per-widget but not under individual virtual 13.1.3.5, 14.1.2.7, 15.1.0.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
884797-4 3-Major BT884797 Portal Access: in some cases data is not delivered via WebSocket connection 14.1.2.5, 15.1.0.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
904373-3 3-Major BT904373 MRF GenericMessage: Implement limit to message queues size 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
876953-2 3-Major BT876953 Tmm crash while passing diameter traffic 15.0.1.4, 15.1.0.5, 16.0.1
876077-1 3-Major BT876077 MRF DIAMETER: stale pending retransmission entries may not be cleaned up 14.1.2.5, 15.0.1.4, 15.1.0.5
868381-1 3-Major BT868381 MRF DIAMETER: Retransmission queue unable to delete stale entries 14.1.2.5, 15.0.1.4, 15.1.0.5
866021-1 3-Major BT866021 Diameter Mirror connection lost on the standby due to "process ingress error" 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
824149-5 3-Major BT824149 SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
815877-2 3-Major BT815877 Information Elements with zero-length value are rejected by the GTP parser 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
696348-5 3-Major BT696348 "GTP::ie insert" and "GTP::ie append" do not work without "-message" option 13.1.3.4, 14.1.2.7, 15.1.0.5
788513-6 4-Minor BT788513 Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
793005-1 5-Cosmetic BT793005 'Current Sessions' statistic of MRF/Diameter pool may be incorrect 13.1.3.4, 14.1.2.7, 15.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
802421-6 2-Critical BT802421 The /var partition may become 100% full requiring manual intervention to clear space 14.1.2.7, 15.1.0.5
757279-3 3-Major BT757279 LDAP authenticated Firewall Manager role cannot edit firewall policies 13.1.1.5, 14.1.2.8, 15.1.0.5
896917 4-Minor BT896917 The fw_zone_stat 'Hits' field may not increment in some scenarios 15.1.0.5


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
839597-6 3-Major BT839597 Restjavad fails to start if provision.extramb has a large value 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
886717-1 3-Major BT886717 TMM crash while using SSL Orchestrator 15.1.0.5
886713-1 4-Minor BT886713 Error log seen in case of SSL Orchestrator configured with http service during connection close. 14.1.2.5, 15.1.0.5



Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
900757-2 CVE-2020-5902 K52145254, BT900757 TMUI RCE vulnerability CVE-2020-5902 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895525-2 CVE-2020-5902 K52145254, BT895525 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909237-6 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909233-6 CVE-2020-8616 K97810133, BT909233 DNS Hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
905905-1 CVE-2020-5904 K31301245, BT905905 TMUI CSRF vulnerability CVE-2020-5904 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895993-2 CVE-2020-5902 K52145254, BT895993 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895981-2 CVE-2020-5902 K52145254, BT895981 TMUI RCE vulnerability CVE-2020-5902 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895881-1 CVE-2020-5903 K43638305, BT895881 BIG-IP TMUI XSS vulnerability CVE-2020-5903 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
891457-2 CVE-2020-5939 K75111593, BT891457 NIC driver may fail while transmitting data 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1
859089-7 CVE-2020-5907 K00091341, BT859089 TMSH allows SFTP utility access 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
909673 2-Critical BT909673 TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms 15.1.0.4
882557-2 3-Major BT882557 TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
878893-3 3-Major BT878893 During system shutdown it is possible the for sflow_agent to core 15.1.0.4
858769-6 3-Major K82498430, BT858769 Net-snmp library must be upgraded to 5.8 in order to support SHA-2 15.1.0.4
829193-4 3-Major BT829193 REST system unavailable due to disk corruption 13.1.3.6, 14.1.3.1, 15.1.0.4
826265-5 3-Major BT826265 The SNMPv3 engineBoots value restarts at 1 after an upgrade 15.1.0.4
812493-4 3-Major BT812493 When engineID is reconfigured, snmp and alert daemons must be restarted 15.1.0.4
810381-2 3-Major BT810381 The SNMP max message size check is being incorrectly applied. 13.1.3.5, 14.1.2.8, 15.1.0.4
743234-6 3-Major BT743234 Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons 15.1.0.4
774617-3 4-Minor BT774617 SNMP daemon reports integer truncation error for values greater than 32 bits 14.1.4, 15.1.0.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910177 2-Critical BT910177 Poor HTTP/3 throughput 15.1.0.4
848777-3 3-Major BT848777 Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. 14.1.2.7, 15.1.0.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
892621-1 3-Major BT892621 Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software 14.1.3, 15.1.0.4



Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
889505 3-Major BT889505 Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available 15.1.0.3
888569 3-Major BT888569 Added PBA stats for total number of free PBAs, and percent free PBAs 15.1.0.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
795649-5 3-Major BT795649 Loading UCS from one iSeries model to another causes FPGA to fail to load 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883513-1 3-Major BT883513 Support for QUIC and HTTP/3 draft-27 15.1.0.3
828601-1 3-Major BT828601 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.1.0.3
758599-3 3-Major BT758599 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
846713-1 2-Critical BT846713 Gtm_add does not restart named 15.1.0.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
903905-2 2-Critical BT903905 BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances 15.1.0.3
889477-1 2-Critical BT889477 Modern customization does not enforce validation at password changing 15.1.0.3


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
888625 3-Major BT888625 CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks 14.1.2.7, 15.1.0.3



Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
879025-2 CVE-2020-5913 K72752002, BT879025 When processing TLS traffic, LTM may not enforce certificate chain restrictions 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2
871633-1 CVE-2020-5859 K61367237, BT871633 TMM may crash while processing HTTP/3 traffic 15.1.0.2
846917-1 CVE-2019-10744 K47105354, BT846917 lodash Vulnerability: CVE-2019-10744 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2
846365-1 CVE-2020-5878 K35750231, BT846365 TMM may crash while processing IP traffic 14.1.2.3, 15.0.1.2, 15.1.0.2
830401-1 CVE-2020-5877 K54200228, BT830401 TMM may crash while processing TCP traffic with iRules 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
819197-2 CVE-2019-13135 K20336394, BT819197 BIGIP: CVE-2019-13135 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
819189-1 CVE-2019-13136 K03512441, BT819189 BIGIP: CVE-2019-13136 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
636400 CVE-2019-6665 K26462555, BT636400 CPB (BIG-IP->BIGIQ log node) Hardening 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2
873469-2 CVE-2020-5889 K24415506, BT873469 APM Portal Access: Base URL may be set to incorrectly 14.1.2.5, 15.0.1.3, 15.1.0.2
864109-1 CVE-2020-5889 K24415506, BT864109 APM Portal Access: Base URL may be set to incorrectly 14.1.2.5, 15.0.1.3, 15.1.0.2
858025-1 CVE-2021-22984 K33440533, BT858025 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
838881-1 CVE-2020-5853 K73183618, BT838881 APM Portal Access Vulnerability: CVE-2020-5853 11.6.5.2, 12.1.5.2, 14.1.2.5, 15.0.1.3, 15.1.0.2
832021-3 CVE-2020-5888 K73274382, BT832021 Port lockdown settings may not be enforced as configured 14.1.2.5, 15.0.1.3, 15.1.0.2
832017-3 CVE-2020-5887 K10251014, BT832017 Port lockdown settings may not be enforced as configured 14.1.2.5, 15.0.1.3, 15.1.0.2
829121-1 CVE-2020-5886 K65720640, BT829121 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
829117-1 CVE-2020-5885 K17663061, BT829117 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
789921-5 CVE-2020-5881 K03386032, BT789921 TMM may restart while processing VLAN traffic 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
868097-3 CVE-2020-5891 K58494243, BT868097 TMM may crash while processing HTTP/2 traffic 14.1.2.5, 15.0.1.3, 15.1.0.2
846157-1 CVE-2020-5862 K01054113, BT846157 TMM may crash while processing traffic on AWS 14.1.2.3, 15.0.1.2, 15.1.0.2
838909-3 CVE-2020-5893 K97733133, BT838909 BIG-IP APM Edge Client vulnerability CVE-2020-5893 11.6.5.2, 12.1.5.2, 13.1.4, 14.1.2.4, 15.1.0.2
823893-7 CVE-2020-5890 K03318649, BT823893 Qkview may fail to completely sanitize LDAP bind credentials 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
870389-3 3-Major BT870389 Increase size of /var logical volume to 1.5 GiB for LTM-only VE images 14.1.2.5, 15.1.0.2
858229-5 3-Major K22493037, BT858229 XML with sensitive data gets to the ICAP server 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
854493-5 2-Critical BT854493 Kernel page allocation failures messages in kern.log 14.1.2.8, 15.1.0.2
841953-7 2-Critical BT841953 A tunnel can be expired when going offline, causing tmm crash 12.1.5.3, 14.1.2.8, 15.1.0.2
841581 2-Critical BT841581 License activation takes a long time to complete on Google GCE platform 15.1.0.2
841333-7 2-Critical BT841333 TMM may crash when tunnel used after returning from offline 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
817709-3 2-Critical BT817709 IPsec: TMM cored with SIGFPE in racoon2 14.1.2.8, 15.1.0.2
811701-3 2-Critical BT811701 AWS instance using xnet driver not receiving packets on an interface. 14.1.2.7, 15.0.1.4, 15.1.0.2
811149-2 2-Critical BT811149 Remote users are unable to authenticate via serial console. 14.1.2.8, 15.0.1.4, 15.1.0.2
866925-5 3-Major BT866925 The TMM pages used and available can be viewed in the F5 system stats MIB 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
865225-1 3-Major BT865225 100G modules may not work properly in i15000 and i15800 platforms 13.1.3.4, 15.1.0.2
852001-1 3-Major BT852001 High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously 14.1.2.5, 15.0.1.3, 15.1.0.2
830717 3-Major BT830717 Appdata logical volume cannot be resized for some cloud images 15.1.0.2
829317-5 3-Major BT829317 Memory leak in icrd_child due to concurrent REST usage 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2
828873-3 3-Major BT828873 Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor 15.1.0.2
812981-6 3-Major BT812981 MCPD: memory leak on standby BIG-IP device 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
802281-3 3-Major BT802281 Gossip shows active even when devices are missing 13.1.3.5, 14.1.2.5, 15.1.0.2
793121-5 3-Major BT793121 Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2
742628-1 3-Major BT742628 A tmsh session initiation adds increased control plane pressure 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2
605675-6 3-Major BT605675 Sync requests can be generated faster than they can be handled 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2
831293-5 4-Minor BT831293 SNMP address-related GET requests slow to respond. 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2
755317-3 4-Minor BT755317 /var/log logical volume may run out of space due to agetty error message in /var/log/secure 14.1.2.5, 15.1.0.2
722230-1 4-Minor BT722230 Cannot delete FQDN template node if another FQDN node resolves to same IP address 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
860881-3 2-Critical BT860881 TMM can crash when handling a compressed response from HTTP server 14.1.2.5, 15.0.1.3, 15.1.0.2
839401-1 2-Critical BT839401 Moving a virtual-address from one floating traffic-group to another does not send GARPs out. 14.1.2.5, 15.0.1.4, 15.1.0.2
837617-1 2-Critical BT837617 Tmm may crash while processing a compression context 14.1.4.4, 15.1.0.2
872965-1 3-Major BT872965 HTTP/3 does not support draft-25 15.1.0.2
862597-7 3-Major BT862597 Improve MPTCP's SYN/ACK retransmission handling 13.1.3.5, 14.1.3.1, 15.1.0.2
853613-4 3-Major BT853613 Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp 14.1.2.5, 15.0.1.3, 15.1.0.2
852873-2 3-Major BT852873 Proprietary Multicast PVST+ packets are forwarded instead of dropped 14.1.2.7, 15.1.0.2
852861-1 3-Major BT852861 TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario 15.1.0.2
851445-1 3-Major BT851445 QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams 15.1.0.2
850973-1 3-Major BT850973 Improve QUIC goodput for lossy links 15.1.0.2
850933-1 3-Major BT850933 Improve QUIC rate pacing functionality 15.1.0.2
847325-3 3-Major BT847325 Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. 14.1.2.5, 15.0.1.3, 15.1.0.2
818853-1 3-Major BT818853 Duplicate MAC entries in FDB 13.1.3.5, 14.1.3.1, 15.1.0.2
809597-5 3-Major BT809597 Memory leak in icrd_child observed during REST usage 13.1.4, 14.1.3, 15.1.0.2
714372-5 3-Major BT714372 Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari 14.1.4.4, 15.0.1.1, 15.1.0.2
705112-6 3-Major BT705112 DHCP server flows are not re-established after expiration 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2
859113-1 4-Minor BT859113 Using "reject" iRules command inside "after" may causes core 14.1.2.5, 15.1.0.2
839245-3 4-Minor BT839245 IPother profile with SNAT sets egress TTL to 255 14.1.2.5, 15.1.0.2
824365-5 4-Minor BT824365 Need informative messages for HTTP iRule runtime validation errors 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2
822025 4-Minor BT822025 HTTP response not forwarded to client during an early response 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
760471-1 3-Major BT760471 GTM iQuery connections may be reset during SSL key renegotiation. 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
852437-3 2-Critical K25037027, BT852437 Overly aggressive file cleanup causes failed ASU installation 14.1.2.5, 15.1.0.2
846073-1 2-Critical BT846073 Installation of browser challenges fails through Live Update 15.1.0.2
850673-1 3-Major BT850673 BD sends bad ACKs to the bd_agent for configuration 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
842161-1 3-Major BT842161 Installation of Browser Challenges fails in 15.1.0 15.1.0.2
793017-3 3-Major BT793017 Files left behind by failed Attack Signature updates are not cleaned 14.1.2.3, 15.1.0.2
778261-2 3-Major BT778261 CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate 15.0.1.1, 15.1.0.2
739618-3 3-Major BT739618 When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy 13.1.3.2, 14.1.2.3, 15.1.0.2
681010-4 3-Major K33572148, BT681010 'Referer' is not masked when 'Query String' contains sensitive parameter 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
838709-4 2-Critical BT838709 Enabling DoS stats also enables page-load-time 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
870957-4 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
863161-1 3-Major BT863161 Scheduled reports are sent via TLS even if configured as non encrypted 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
835381-3 3-Major BT835381 HTTP custom analytics profile 'not found' when default profile is modified 14.1.2.5, 15.0.1.3, 15.1.0.2
830073-2 3-Major BT830073 AVRD may core when restarting due to data collection device connection timeout 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
865053-3 4-Minor BT865053 AVRD core due to a try to load vip lookup when AVRD is down 14.1.2.5, 15.0.1.3, 15.1.0.2
863069-1 4-Minor BT863069 Avrmail timeout is too small 14.1.2.5, 15.0.1.3, 15.1.0.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
876393-1 2-Critical BT876393 General database error while creating Access Profile via the GUI 15.1.0.2
871761-1 2-Critical BT871761 Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
871653-1 2-Critical BT871653 Access Policy cannot be created with 'modern' customization 15.1.0.2
866685-1 3-Major BT866685 Empty HSTS headers when HSTS mode for HTTP profile is disabled 14.1.2.5, 15.0.1.3, 15.1.0.2
866161-1 3-Major BT866161 Client port reuse causes RST when the security service attempts server connection reuse. 14.1.2.5, 15.0.1.3, 15.1.0.2
853325-1 3-Major BT853325 TMM Crash while parsing form parameters by SSO. 14.1.4.5, 15.0.1.3, 15.1.0.2
852313-4 3-Major BT852313 VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured 14.1.2.5, 15.0.1.3, 15.1.0.2
850277-1 3-Major BT850277 Memory leak when using OAuth 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2
844781-3 3-Major BT844781 [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection 14.1.4.4, 15.0.1.3, 15.1.0.2
844685-1 3-Major BT844685 Per-request policy is not exported if it contains HTTP Connector Agent 15.1.0.2
844573-1 3-Major BT844573 Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. 15.1.0.2
844281-3 3-Major BT844281 [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. 14.1.4.4, 15.0.1.3, 15.1.0.2
835309-1 3-Major   Some strings on BIG-IP APM Server pages are not localized 15.1.0.2
832881-1 3-Major BT832881 F5 Endpoint Inspection helper app is not updated 15.1.0.2
832569-3 3-Major BT832569 APM end-user connection reset 14.1.2.5, 15.0.1.3, 15.1.0.2
831781-4 3-Major BT831781 AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode 14.1.2.5, 15.0.1.3, 15.1.0.2
803825-5 3-Major BT803825 WebSSO does not support large NTLM target info length 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
761303-5 3-Major BT761303 Upgrade of standby BIG-IP system results in empty Local Database 15.0.1.3, 15.1.0.2
744407-1 3-Major BT744407 While the client has been closed, iRule function should not try to check on a closed session 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
706782-5 3-Major BT706782 Inefficient APM processing in large configurations. 14.1.2.8, 15.0.1.3, 15.1.0.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
853545-1 3-Major BT853545 MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event 14.1.2.5, 15.1.0.2
842625-5 3-Major BT842625 SIP message routing remembers a 'no connection' failure state forever 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2
840821-1 3-Major BT840821 SCTP Multihoming not working within MRF Transport-config connections 15.1.0.2
825013-1 3-Major BT825013 GENERICMESSAGE::message's src and dst may get cleared in certain scenarios 14.1.2.7, 15.0.1.1, 15.1.0.2
803809-4 3-Major BT803809 SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. 13.1.3.4, 14.1.2.7, 15.1.0.2
859721-1 4-Minor BT859721 Using GENERICMESSAGE create together with reject inside periodic after may cause core 14.1.2.5, 15.1.0.2
836357-5 4-Minor BT836357 SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
852557-3 2-Critical BT852557 Tmm core while using service chaining for SSL Orchestrator 14.1.2.5, 15.0.1.3, 15.1.0.2
864329-3 3-Major BT864329 Client port reuse causes RST when the backend server-side connection is open 14.1.2.5, 15.0.1.3, 15.1.0.2
852481-3 3-Major BT852481 Failure to check virtual-server context when closing server-side connection 14.1.2.5, 15.0.1.3, 15.1.0.2
852477-3 3-Major BT852477 Tmm core when SSL Orchestrator is enabled 14.1.2.5, 15.0.1.3, 15.1.0.2



Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
834853 3-Major BT834853 Azure walinuxagent has been updated to v2.2.42 15.1.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
862557-1 3-Major BT862557 Client-ssl profiles derived from clientssl-quic fail validation 15.1.0.1

 

Cumulative fix details for BIG-IP v15.1.5 that are included in this release

999933-3 : TMM may crash while processing DNS traffic on certain platforms

Component: Local Traffic Manager

Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge (HSB) may crash while processing DNS traffic.

Conditions:
-DNS profile enabled
-Hardware system (or vCMP guests) with a High-Speed Bridge (HSB)

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes DNS traffic as expected.

Fixed Versions:
14.1.4.5, 15.1.4.1

999317-8 : Running Diagnostics report for Edge Client on Windows does not follow best practice

Links to More Info: K03544414, BT999317

Component: Access Policy Manager

Symptoms:
Running Diagnostics report for Edge Client on Windows does not follow best practice

Conditions:
Running Diagnostics report for Edge client on Windows system

Impact:
Edge client does not follow best practice

Workaround:
No workaround.

Fix:
Edge Client on Windows now follows best practice

Fixed Versions:
15.1.3.1

999097-3 : SSL::profile may select profile with outdated configuration

Links to More Info: BT999097

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.

Fixed Versions:
14.1.4.5, 15.1.5

998473-2 : NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)

Links to More Info: BT998473

Component: Access Policy Manager

Symptoms:
NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)

Conditions:
1. NTLM front-end authentication is enabled.
2. Active Directory users are subscribed to more than one hundred groups.

Impact:
NTLM authentication for Active Directory users which are subscribed to more than hundred groups will fail.

Workaround:
None

Fix:
A fix has been provided to the sequence number handling which is used to calculate the RPC checksum as part of ID 949477.

Fixed Versions:
15.1.4.1

998221-3 : Accessing pool members from configuration utility is slow with large config

Links to More Info: BT998221

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,

Managing pool members from configuration utility is very slow causing performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2

998085-1 : BIG-IP DataSafe GUI does not save changes

Links to More Info: BT998085

Component: Fraud Protection Services

Symptoms:
Due to a JavaScript error, the BIG-IP DataSafe GUI does not save changes.

Conditions:
-- Provision FPS.
-- License DataSafe.
-- Configure the system using the GUI.

Impact:
Configurations made for DataSafe using the BIG-IP Configuration Utility GUI cannot be saved.

Workaround:
Use tmsh to configure the BIG-IP system.

Fix:
BIG-IP DataSafe GUI is working properly and configurations are now saved.

Fixed Versions:
15.1.3

997929-3 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic

Links to More Info: BT997929

Component: Local Traffic Manager

Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.

If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.

Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.

-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.

Impact:
The virtual server stops processing traffic.

Workaround:
To recover, you can do either of the following:

-- Restart tmm:
bigstart restart tmm

-- Change the virtual server's port back to 'any' (0).

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

997761-2 : Subsessionlist entries leak if there is no RADIUS accounting agent in policy

Links to More Info: BT997761

Component: Access Policy Manager

Symptoms:
Subsessionlist entries are not cleaned up when subsessions are deleted. For long-lived main sessions, use cases such as API protection, the number of leaked subsessionlist entries increases over time, resulting in increasing memory consumption. If high availability (HA) is configured, the standby device can experience even more memory pressure when a very large number of subsessionlist entries are sent to it for mirroring.

Conditions:
This issue occurs if the main session is long-lived and there is no RADIUS accounting agent in the policy.

Impact:
TMM may run out of memory and restart. Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
15.1.5

997641 : APM policy ending with redirection results in policy execution failure

Links to More Info: BT997641

Component: Access Policy Manager

Symptoms:
After successful authentication, the APM end user client connection gets reset.

/var/log/apm shows errors:
err tmm2[18140]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_rewrite_pdp_response_to_302, Line: 19766

Conditions:
Access policy has a path ending with a redirect.

Impact:
APM end user clients cannot access the backend resources protected by the policy.

Workaround:
None

Fix:
Fixed an issue with APM policies not working when they ended with redirect.

Fixed Versions:
15.1.4

997313-3 : Unable to create APM policies in a sync-only folder

Links to More Info: BT997313

Component: TMOS

Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:

-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices

Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.

Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.

Workaround:
You can use either of the following strategies to prevent the issue:

--Do not create APM policies in a sync-only folder.

--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
    tmsh modify sys folder /Common/sync-only no-ref-check true
    tmsh save sys config

Fixed Versions:
15.1.4.1, 16.1.2

997193-1 : TCP connections may fail when AFM global syncookies are in operation.

Component: Local Traffic Manager

Symptoms:
TCP connections are rejected by the BIG-IP system with reset cause "No flow found for ACK".

Conditions:
1) AFM is provisioned.

2) AFM global syncookies are in operation.

3a) The traffic arrives over an APM VPN tunnel, and is handled by one of the internal default APM listeners (not a more specific listener).

-or-

3b) The device is Active for multiple floating traffic-groups, said traffic-groups don't use MAC masquerading, and connection.syncookies.algorithm is set to software.

-or-

3c) The traffic belongs to traffic-group-local-only, and connection.syncookies.algorithm is set to software.

Impact:
Application failures as TCP connections fail.

Workaround:
You can work around this issue as follows.

- For the APM VPN case: define a listener (e.g. virtual server) over the tunnel to process the traffic (instead of relying on one of the default internal APM listeners). Note that the workaround may not work if the device is Active for multiple floating traffic-groups at the same time.

- For the device Active for multiple floating traffic-groups case: use MAC masquerading for all floating traffic-group, or set connection.syncookies.algorithm back to its default of hardware.

- For the traffic-group-local-only case: set connection.syncookies.algorithm back to its default of hardware, or disable AFM global syncookies by turning off the TCP Half-Open attack vector at the device level.

Fix:
TCP connections now establish successfully regardless of syncookies being in operation.

Fixed Versions:
14.1.4.5, 15.1.5

997169 : AFM rule not triggered

Links to More Info: BT997169

Component: Advanced Firewall Manager

Symptoms:
An AFM rule is not triggered when it should be.

Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route

Impact:
A firewall rule is not triggered and the default deny rule is used.

Workaround:
Alter the route to use an IP address and not a pool.

Fix:
Firewall rules are now triggered when gateway pools are used.

Fixed Versions:
15.1.4.1

997137-3 : CSRF token removal may allow WAF bypass on GET requests

Component: Application Security Manager

Symptoms:
Under certain conditions the "csrt" parameter is not processed as expected.

Conditions:
1. CSRF feature is configured
2. Request contains a crafted "csrt" parameter

Impact:
Malicious request will bypass signatures and will not raise any attack signature violation

Workaround:
N/A

Fix:
"csrt" parameter is now processed as expected.

Fixed Versions:
14.1.4.4, 15.1.4.1

996753-2 : ASM BD process may crash while processing HTML traffic

Links to More Info: K44553214, BT996753

996593-2 : Password change through REST or GUI not allowed if the password is expired

Links to More Info: BT996593

Component: TMOS

Symptoms:
When trying to update the expired password through REST or the GUI, the system reports and error:

Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.

Impact:
Expired password cannot be updated through REST or the GUI.

Workaround:
Update password using tmsh:

tmsh modify auth password <username>

Fix:
You can now change an expired password through REST or the GUI.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2

996381-3 : ASM attack signature may not match as expected

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1

996113-1 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

996001-1 : AVR Inspection Dashboard 'Last Month' does not show all data points

Links to More Info: BT996001

Component: TMOS

Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.

Fixed Versions:
14.1.4.5, 15.1.5

995853-2 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.

Links to More Info: BT995853

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to create GLSB Server object with both IPv4 and IPv6 self IPs as device IPs.

Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GLSB Server object creation with IPv4 and IPv6 addresses in device tab along with Virtual Server Discovery enable.

Impact:
GSLB Server object creation fails.

Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.

Fix:
GSLB Server object creation no longer fails.

Fixed Versions:
14.1.4.4, 15.1.4

995629-3 : Loading UCS files may hang if ASM is provisioned

Links to More Info: BT995629

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.

Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html

Fix:
Loading UCS files no longer hangs if ASM is provisioned.

Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2

995433 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT

Links to More Info: BT995433

Component: Advanced Firewall Manager

Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.

Conditions:
This is encountered when viewing PPTP log entries.

Impact:
IPV6 addresses in PPTP logs are truncated.

Workaround:
None

Fix:
The full IPv6 address is now logged in PPTP logs.

Fixed Versions:
14.1.4.5, 15.1.4.1

995029-3 : Configuration is not updated during auto-discovery

Links to More Info: BT995029

Component: Access Policy Manager

Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:

-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token

Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).

Impact:
JWT auto-discovery fails and the configuration is not updated.

Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>.

Fix:
Fixed an issue with auto-discovery and JWKs.

Fixed Versions:
14.1.4.2, 15.1.4

994985-2 : CGNAT GUI shows blank page when applying SIP profile

Links to More Info: BT994985

Component: Carrier-Grade NAT

Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.

Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.

Impact:
The virtual server properties page does not display the configuration.

Workaround:
None.

Fix:
The GUI shows virtual server config page with all config values

Fixed Versions:
14.1.4.2, 15.1.4

994801-3 : SCP file transfer system

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary commands SCP file transfer.

Impact:
Users without Advanced Shell access can run SCP file trasnfer commands.

Workaround:
None

Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2

993913-2 : TMM SIGSEGV core in Message Routing Framework

Links to More Info: BT993913

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

993613-5 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage

Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.

Fixed Versions:
14.1.4.5, 15.1.5

993489-3 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1

993457-2 : TMM core with ACCESS::policy evaluate iRule

Links to More Info: BT993457

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

992865 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances

Links to More Info: BT992865

Component: TMOS

Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.

Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
  + BIG-IP i11000 series (C123)
  + BIG-IP i15000 series (D116)

Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.

Workaround:
None

Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.

Fixed Versions:
15.1.4

992213-2 : Protocol Any displayed as HOPTOPT in AFM policy view

Links to More Info: BT992213

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
GUI Shows correct value for rule protocol option.

Fixed Versions:
14.1.4.2, 15.1.4, 16.1.1

992053-1 : Pva_stats for server side connections do not update for redirected flows

Links to More Info: BT992053

Component: TMOS

Symptoms:
Pva_stats for server side connections do not update for the re-directed flows

Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.

Impact:
PVA stats do not reflect the offloaded flow.

Workaround:
None

Fix:
Updated pva_stats to reflect server side flow.

Fixed Versions:
15.1.4.1

991421-3 : TMM may crash while processing TLS traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing TLS traffic

Conditions:
- Forward proxy configured
- Forward proxy passthrough
- TLS1.3 traffic

Impact:
Traffic disrupted while TMM restarts.

Workaround:
N/A

Fix:
TMM now processes TLS traffic as expected.

Fixed Versions:
15.1.4.1, 16.1.2

990849-2 : Loading UCS with platform-migrate option hangs and requires exiting from the command

Links to More Info: BT990849

Component: TMOS

Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:

Platform migrate loaded successfully. Saving configuration.

Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate

Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html

Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.

Workaround:
None.

Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2

990333-5 : APM may return unexpected content when processing HTTP requests

Links to More Info: K75540265, BT990333

989753-2 : In HA setup, standby fails to establish connection to server

Links to More Info: BT989753

Component: Service Provider

Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:

err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config

Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.

Impact:
Standby BIG-IP system fails to establish a connection to the server.

Workaround:
None.

Fix:
Standby is now able to establish a connection to the server.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

989701-5 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Component: TMOS

Symptoms:
A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response allow for local memory corruption and possibly privilege escalation.

Conditions:
Mounting an unauthenticated server can cause this flaw

Impact:
Can cause local memory corruption and possibly privilege escalation.

Workaround:
While there is no known mitigation to this flaw, configuring authentication and only mounting authenticated NFSv4 servers will significantly reduce the risk of this flaw being successfully exploited.

Fix:
Kernel patched to resolve CVE-2020-25212

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

989637-3 : TMM may crash while processing SSL traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing SSL traffic

Conditions:
-SSL profile enabled
-Client authentication enabled

Impact:
TMM consumes excessive resources, potentially leading to a crash and failover event.

Workaround:
N/A

Fix:
TMM now processes SSL traffic as expected.

Fixed Versions:
14.1.4.5, 15.1.4.1

989317-12 : Windows Edge Client does not follow best practice

Links to More Info: K33757590, BT989317

989009-3 : BD daemon may crash while processing WebSocket traffic

Links to More Info: K05314769, BT989009

988793 : SecureVault on BIG-IP tenant does not store unit key securely

Links to More Info: BT988793

Component: TMOS

Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.

Conditions:
BIG-IP tenant running on the VELOS platform.

Impact:
The BIG-IP tenant does not utilize secure storage for unit key.

Workaround:
None

Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.

Fixed Versions:
15.1.4

988761-1 : Cannot create Protected Object in GUI

Links to More Info: BT988761

Component: Advanced Firewall Manager

Symptoms:
GUI Page stuck in loading phase and never completes the Protected Object creation step

Conditions:
This occurs in normal operation

Impact:
Cannot create Protected Objects using the GUI

Workaround:
Use tmsh to create Protected Objects

Fix:
GUI Page no longer gets stuck in loading phase and completes the Protected Object creation step.

Fixed Versions:
15.1.4

988645 : Traffic may be affected after tmm is aborted and restarted

Links to More Info: BT988645

Component: TMOS

Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.

Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.

Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.

Workaround:
Reboot the tenant

Fix:
Fixed system behavior when tmm is aborted and restarted.

Fixed Versions:
15.1.4

988589-5 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv

Links to More Info: K68251873

988549-5 : CVE-2020-29573: glibc vulnerability

Links to More Info: K27238230, BT988549

988533-1 : GRE-encapsulated MPLS packet support

Links to More Info: BT988533

Component: TMOS

Symptoms:
There no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).

Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.

Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.

Workaround:
None

Fix:
Encapsulated MPLS packets over GRE is now supported in a way similar to IP address and transparent ethernet bridging.

Fixed Versions:
14.1.4.5, 15.1.4.1

988005-1 : Zero active rules counters in GUI

Links to More Info: BT988005

Component: Advanced Firewall Manager

Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).

Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules

Impact:
Incorrect information on active rules count is seen in the UI.

Workaround:
Disable firewall inline editor.

Fix:
The active rules count column now displays the correct number of times a rule has been hit.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

987637-2 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware

Links to More Info: BT987637

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.

Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server

Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.

Workaround:
None

Fixed Versions:
15.1.4

987605-2 : DDoS: ICMP attacks are not hardware-mitigated

Links to More Info: BT987605

Component: Advanced Firewall Manager

Symptoms:
ICMP/Fragments attacks against a virtual server with a DOS profile are not mitigated by hardware.

Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.

Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.

Workaround:
None

Fix:
Until the hardware is fixed, the software uses the SPVA in hardware to mitigate these attacks.

Fixed Versions:
15.1.4

987345-1 : Disabling periodic-refresh-log has no effect

Links to More Info: BT987345

Component: Advanced Firewall Manager

Symptoms:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is not honored. You might see messages similar to the following logged in /var/log/ltm or sent to remote logging destinations:

info tmm[6215]: 23003168 "Port Block Periodic Log","10.10.10.10","0","","10.10.10.10","0","1024","1031","16164968240","","unknown".

Conditions:
PBA periodic-refresh-log set to '0'.

Impact:
System provides unnecessary, excessive logging.

Workaround:
None

Fix:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is now honored."Port Block Periodic Log" messages are no longer logged with this configuration setting.

Fixed Versions:
15.1.4.1

987113-1 : CMP state degraded while under heavy traffic

Links to More Info: BT987113

Component: TMOS

Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. The symptom could exhibit a dramatic traffic performance drop.

Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.

Impact:
System performance drops dramatically.

Workaround:
Lower traffic load.

Fix:
Fixed an inconsistent CMP state.

Fixed Versions:
15.1.4

986937-1 : Cannot create child policy when the signature staging setting is not equal in template and parent policy

Links to More Info: BT986937

Component: Application Security Manager

Symptoms:
When trying to create a child policy, you get an error:

FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."

Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.

Impact:
You are unable to create the child policy and the system presents an error.

Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.

Fix:
The error no longer occurs on child policy creation.

Fixed Versions:
15.1.4, 16.0.1.2, 16.1.1

985953-3 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

985537-1 : Upgrade Microsoft Hyper-V driver

Links to More Info: BT985537

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host.

When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.

Conditions:
-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.
-- Running performance tests of VE in Azure.

Impact:
The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.

Workaround:
None.

Fix:
The Microsoft Hyper-V driver has been updated to v4.3.5.

Fixed Versions:
15.1.4

985433-2 : Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset.

Links to More Info: BT985433

Component: Local Traffic Manager

Symptoms:
Some client connections are being reset with rst-cause 'Unknown reason'.

Conditions:
--- Standard virtual server with the TCP and HTTP profiles.

--- The HTTP profile is configured to insert the X-Forwarded-For header.

--- The client supplies an empty X-Forwarded-For header in the HTTP request.

Impact:
Affected client connections are reset, leading to application failures.

Workaround:
You can work around this issue by disabling the header insertion in the HTTP profile and instead using an iRule similar to the following example:

when HTTP_REQUEST {
   HTTP::header replace X-Forwarded-For [IP::remote_addr]
}

Fix:
Insertion of the X-Forwarded-For header now works as expected, regardless of input client data.

Fixed Versions:
15.1.4.1

984765-1 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)

Links to More Info: BT984765

Component: Access Policy Manager

Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.

Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.

Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.

Workaround:
To resolve the issue temporarily, use either of the following:

-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.

-- Run the command:
bigstart restart nlad

The problem can reappear after a week, so you must repeat these steps each time the issue occurs.

Fixed Versions:
14.1.4.4, 15.1.4

984657-3 : Sysdb variable not working from tmsh

Links to More Info: BT984657

Component: Traffic Classification Engine

Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh

Conditions:
The following sys db variable is enabled: cloud_only

You attempt to run the following command:

tmsh list sys db urlcat_query

Impact:
Sysdb variables does not work from tmsh

Fix:
After the fix able to verify sysdb variables from tmsh

Fixed Versions:
15.1.4.1, 16.0.1.2

984613-11 : CVE-2020-5896 - Edge Client Installer Vulnerability

Links to More Info: K08503505, BT984613

984593-2 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.5

982869-1 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0

Links to More Info: BT982869

Component: Service Provider

Symptoms:
Tmm may crash.

Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes under these conditions.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

981785-3 : Incorrect incident severity in Event Correlation statistics

Links to More Info: BT981785

Component: Application Security Manager

Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".

Conditions:
Usually happens for the first incident after ASM startup.

Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.

Workaround:
Use severity info from the Incidents list.

Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2

981693-1 : TMM may consume excessive resources while processing IPSec ALG traffic

Component: Carrier-Grade NAT

Symptoms:
When processing IPSec ALG traffic, TMM may consume excessive resources.

Conditions:
-- IPsec ALG virtual server with ALG logging profile.
-- IPsec traffic is passed.

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes IPSec traffic as expected.

Fixed Versions:
14.1.4.2, 15.1.4.1

981689-2 : TMM memory leak with IPsec ALG

Links to More Info: BT981689

Component: Carrier-Grade NAT

Symptoms:
TMM crash due to out of memory.

Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.

Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm memory leak related to IPsec ALG connections.

Fixed Versions:
14.1.4.2, 15.1.4.1

981461-4 : Unspecified DNS responses cause TMM crash

Links to More Info: K45407662, BT981461

981385-3 : AVRD does not send HTTP events to BIG-IQ DCD

Links to More Info: BT981385

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.

Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2

981273-2 : APM webtop hardening

Links to More Info: K41997459, BT981273

981169-2 : F5 TMUI XSS vulnerability CVE-2021-22994

Links to More Info: K66851119, BT981169

981069-1 : Reset cause: "Internal error ( requested abort (payload release error))"

Links to More Info: BT981069

Component: Application Security Manager

Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"

Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type

Impact:
Traffic is affected.

Workaround:
Any of the following actions can resolve the issue:

1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Fix:
Fixed an issue that was triggering resets on traffic.

Fixed Versions:
15.1.4, 16.1.1

980821-2 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.

Links to More Info: BT980821

Component: Local Traffic Manager

Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.

Conditions:
There are two virtual servers configured:
  - One with a specific port and ip-protocol 'any'
  - One with port any and a specific ip-protocol

Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.

Workaround:
Create individual listeners for specific protocols.

For example, given the configuration:
  ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
  }
  ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
  }

Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
  ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
  }
  ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protcol UDP
    ...
  }

Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.

Fixed Versions:
14.1.4.2, 15.1.3.1, 16.0.1.2

980809-2 : ASM REST Signature Rule Keywords Tool Hardening

Links to More Info: K41351250, BT980809

980325-5 : Chmand core due to memory leak from dossier requests.

Links to More Info: BT980325

Component: TMOS

Symptoms:
Chmand generates a core file when get_dossier is run continuously.

Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.

Conditions:
Repeated/continuous dossier requests during licensing operations.

Impact:
Chmand crashes; potential traffic impact while chmand restarts.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4

980125-3 : BD Daemon may crash while processing WebSocket traffic

Links to More Info: K42051445, BT980125

978833-2 : Use of CRL-based Certificate Monitoring Causes Memory Leak

Links to More Info: BT978833

Component: Local Traffic Manager

Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.

Conditions:
CRL certificate validator is configured.

Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.

Workaround:
None.

Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.

Fixed Versions:
14.1.4.4, 15.1.4.1

977053-2 : TMM crash on standby due to invalid MR router instance

Links to More Info: BT977053

Component: Service Provider

Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.

Conditions:
-- HA environment.
-- Connection mirroring is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM on the standby device no longer crashes under these conditions.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

977005-1 : Network Firewall Policy rules-list showing incorrect 'Any' for source column

Links to More Info: BT977005

Component: Advanced Firewall Manager

Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.

Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.

Impact:
GUI shows 'Any' extra text under the source column

Workaround:
None

Fix:
The GUI no longer shows extra text

Fixed Versions:
14.1.4.2, 15.1.4

976925-2 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT976925

976505-2 : Rotated restnoded logs will fail logintegrity verification.

Links to More Info: BT976505

Component: TMOS

Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restnoded logs fail logintegrity verification.

Workaround:
None

Fix:
Restnoded logs are now verified successfully by the logintegrity utility.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

976501-2 : Failed to establish VPN connection

Links to More Info: BT976501

Component: Access Policy Manager

Symptoms:
VPN client exits with message "Failed to establish VPN connection"

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser

Impact:
Client will be unable to launch the VPN tunnel from the browser.

Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3

976365 : Traffic Classification hardening

Links to More Info: BT976365

Component: Traffic Classification Engine

Symptoms:
Traffic Classification IM packages do not follow current best practices.

Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user

Impact:
Traffic Classification IM packages do not follow current best practices.

Workaround:
No Workaround

Fix:
Traffic Classification IM packages now follow current best practices.

Fixed Versions:
14.1.4.3, 15.1.3.1

975809-1 : Rotated restjavad logs fail logintegrity verification.

Links to More Info: BT975809

Component: TMOS

Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restjavad logs fail logintegrity verification.

Workaround:
None

Fix:
Restjavad logs are now verified successfully by the logintegrity utility.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

975589-4 : CVE-2020-8277 Node.js vulnerability

Links to More Info: K07944249, BT975589

975465-2 : TMM may consume excessive resources while processing DNS iRules

Links to More Info: K65397301, BT975465

975233-2 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Links to More Info: K52510511, BT975233

974881-2 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic

Links to More Info: BT974881

Component: Service Provider

Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.

Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to handling certain events in an iRule.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

974501-1 : Excessive memory usage by mirroring subsystem when remirroring

Links to More Info: BT974501

Component: Local Traffic Manager

Symptoms:
Aggressive sweeper messages are seen in /var/log/ltm similar to the following:
Dec 31 02:35:44 bigip1 warning tmm[25306]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory). (26227799/30854144 pages)

In severe cases, tmm might restart and generate a core file due to an out of memory condition.

Conditions:
The active BIG-IP has a large number of mirrored fastL4 connections.
The active BIG-IP reconnects the statemirror connection to the standby BIG-IP. This is indicated by messages similar to the following in /var/log/ltm:
Dec 31 02:35:37 bigip1 err tmm[25306]: 01340001:3: high availability (HA) Connection with peer 10.25.0.11:1029 for traffic-group /Common/traffic-group-1 established.

Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections. In severe cases, tmm might restart causing traffic interruption.

Fix:
The memory utilization when remirroring fastL4 flows has been improved to allow remirroring to handle a larger number of connections.

Fixed Versions:
15.1.2.1

974341-2 : REST API: File upload

Component: Application Security Manager

Symptoms:
Under certain conditions, the REST API does not process file uploads as expected

Conditions:
- REST API access
- File uploaded

Impact:
File uploads are not processed as expected.

Workaround:
N/A

Fix:
The REST API now handles file uploads as expected

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

974241-1 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades

Links to More Info: BT974241

Component: TMOS

Symptoms:
Mcpd exists with error similar to:

01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'

Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled

Impact:
Mcpd restarts leading to failover.

Workaround:
Use standard customization and not modern customization.

Fixed Versions:
15.1.4, 16.1.1

974205-3 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both these variables are introduced for debugging purpose.

Fixed Versions:
12.1.6, 14.1.4.4, 15.1.4

973673-1 : CPU spikes when the LDAP operational timeout is set to 180 seconds

Links to More Info: BT973673

Component: Access Policy Manager

Symptoms:
By default, the LDAP operation timeout is 180 seconds, and this can cause CPU spikes.

Conditions:
-- BIG-IP configured with a per-request access policy.
-- A high traffic load containing a lot of LDAP Auth and LDAP Query operations occurs.

Impact:
High LDAP traffic load can cause cpu spikes and traffic disruption.

Fix:
Reduced LDAP operational timeout to 50 sec for per-request based LDAP Auth and LDAP Query requests as accessV2 mpi request timeout is 60 sec only.

Fixed Versions:
15.1.5

973409-5 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409

973333-5 : TMM buffer-overflow vulnerability CVE-2021-22991

Links to More Info: K56715231, BT973333

973261-2 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Links to More Info: BT973261

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use HTTPs monitor.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2

973201-2 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions

Links to More Info: BT973201

Component: TMOS

Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.

Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begins a live upgrade.

Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.

Workaround:
None

Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.

Fixed Versions:
14.1.4, 15.1.4

971297-2 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade

Links to More Info: BT971297

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC keys which are stored on netHSM type is changed from FIPS external to internal during the upgrade.

Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded

Impact:
The keys are stored locally following the upgrade.

Workaround:
None.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

970829-5 : iSeries LCD incorrectly displays secure mode

Links to More Info: K03310534, BT970829

Component: Device Management

Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.

Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.

Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:

-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.


The restjavad-audit.*.log may contain similar messages

[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}

Workaround:
None

Fix:
The LCD now functions normally, and no authentication errors appear in the logs.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

970329-3 : ASM hardening

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

969713-1 : IPsec interface mode tunnel may fail to pass packets after first IPsec rekey

Links to More Info: BT969713

Component: TMOS

Symptoms:
IPsec tunnel initially works until the IPsec (ESP) SA is re-negotiated.

Conditions:
-- IKEv2
-- IPsec tunnel uses interface mode ipsec-policy
-- IPsec SAs are re-negotiated, for example after the SA lifetime expires
-- Traffic selector narrowing occurs due to the BIG-IP and remote peer having different selectors configured

Impact:
IPsec tunnel suddenly stops forwarding packets across the tunnel

Workaround:
-- Configure the traffic-selectors to be identical on both the BIG-IP and remote IPsec peer.

Fix:
IPsec tunnel forwards packets after IPsec SAs are re-established.

Fixed Versions:
15.1.4

969637-2 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade

Links to More Info: BT969637

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"

Conditions:
-- A small subset of the following BIG-IP platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Configuration load fails and the device does not come online.

Fixed Versions:
14.1.4.4, 15.1.4

969509-4 : Possible memory corruption due to DOS vector reset

Links to More Info: BT969509

Component: Advanced Firewall Manager

Symptoms:
Unpredictable result due to possible memory corruption

Conditions:
DOS vector configuration change

Impact:
Memory corruption

Fix:
Added correct logic to reset DOS vector.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

969385-2 : Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers.

Links to More Info: BT969385

Component: BIG-IP Risk Engine

Symptoms:
Automatic attach/detach BeWAF policy to a virtual server stops working for all virtual servers if at least one virtual server has a regular ASM policy with TAP profile

Conditions:
Define Virtual Servers with DOS profiles, along with Virtual Servers that are managed by cloud (Cortex)

Impact:
Detaching virtual servers from DOS can cause the attach option to be disabled.

Workaround:
Do not define virtual servers with cloud along with virtual servers managed by cloud (Applications).

Fix:
None

Fixed Versions:
15.1.3, 16.0.1.2

969317-3 : "Restrict to Single Client IP" option is ignored for vmware VDI

Links to More Info: BT969317

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.

Fixed Versions:
14.1.4.5, 15.1.4.1

969213-1 : VMware: management IP cannot be customized via net.mgmt.addr property

Links to More Info: BT969213

Component: TMOS

Symptoms:
IP addresses provided for VM customization in VMware are ignored. net.mgmt.addr and net.mgmt.gw properties supposed to be used when customization of IP addresses during VM setup is desired. But the addresses are ignored.

Conditions:
VMware only. Happens in any of the ways in which address are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenario where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.

Impact:
Management IP cannot be customized in VMware during the VM setup.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

969105-2 : HA failover connections via the management address do not work on vCMP guests running on VIPRION

Links to More Info: BT969105

Component: TMOS

Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.

BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.

HA failover connections using self IPs are unaffected.

Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)

Impact:
Failover state determination over the management port is permanently down.

Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).

To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid


The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.

Add this line to the end of /config/startup:

(sleep 120; touch /var/run/chmand.pid) &

Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.


Alternatively, You can use instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verification if mcpd is up and ready, e.g.:

#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready

# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.

You may also request an Engineering Hotfix from F5.

Fixed Versions:
14.1.4.4, 15.1.4

968893-2 : TMM crash when processing APM traffic

Component: Access Policy Manager

Symptoms:
Under certain conditions, TMM may crash while processing APM traffic that generates DNS lookups

Conditions:
- APM provisioned
- Undisclosed conditions

Impact:
TMM crash leading to traffic interruption and a failover event

Workaround:
N/A

Fix:
TMM now processes APM traffic as expected

Fixed Versions:
15.1.4.1, 16.1.2

968741-1 : Traffic Intelligence pages not visible

Links to More Info: BT968741

Component: Traffic Classification Engine

Symptoms:
When trying to access TCE Signature Update Page from the GUI:
Traffic Intelligence -> Applications -> Signature Update

The page will not load.

Conditions:
Clicking on Traffic Intelligence -> Applications -> Signature Update will show a blank page.

Impact:
You will not be able access the Traffic Intelligence -> Applications -> Signature page in the GUI.

Workaround:
None

Fix:
TMUI pages for Traffic classification will be accessible from TMUI : Traffic Intelligence -> Applications -> Signature

Fixed Versions:
15.1.4

968733-6 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Links to More Info: K42202505, BT968733

968641-2 : Fix for zero LACP priority

Links to More Info: BT968641

Component: Local Traffic Manager

Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.

Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.

Impact:
BIG-IP may be unable to connect to Cisco trunks.

Workaround:
None.

Fix:
Eliminate LACP priority equal 0

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

968533 : Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector.

Links to More Info: BT968533

Component: Advanced Firewall Manager

Symptoms:
When a PUSH flood vector is programmed to hardware after a flood is detected, rate limiting is performed on all the PUSH packets even when "Only Count Suspicious Events" is enabled.

Conditions:
-- Push flood vector is triggered.
-- Rate limiting is enabled for the push flood vector.
-- The issue is observed only on the hardware platform.

Impact:
The packets with PUSH flag for the good connections also get dropped even though "Only Count Suspicious Events" is enabled.

Workaround:
None

Fix:
Fixed an issue with rate limiting on PUSH packets.

Fixed Versions:
15.1.4.1

968421-2 : ASM attack signature doesn't matched

Links to More Info: K30291321, BT968421

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2

968349 : TMM crashes with unspecified message

Links to More Info: K19012930, BT968349

967905-2 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Links to More Info: BT967905

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2

967889-1 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)

Links to More Info: BT967889

Component: Advanced Firewall Manager

Symptoms:
Custom signature of virtual server shows incorrect attack information.

Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)

Impact:
GUI shows incorrect information for custom signature

Fix:
GUI shows correct information for custom signature

Fixed Versions:
14.1.4, 15.1.3

967745 : Last resort pool error for the modify command for Wide IP

Links to More Info: BT967745

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1

967093-1 : In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail

Component: Local Traffic Manager

Symptoms:
In SSL forward proxy, the client side handshake may fail with the message: fwdp lookup error.

Conditions:
The handshake failure occurs when the certificate chain consists of different key types. For example, the following cert chain may fail the handshake:

root CA (rsa) --> intermediate CA1 (rsa) --> intermediate CA2 (ec) --> end-entity cert (ec)

The signing CA which is intermediate CA2 has a key of EC type, but cert is signed by RSA signature. The end-entity cert has a key of EC type, but cert is signed by ECDSA.
In this case, the signer cert has different signature from that of the end-entity cert.

Impact:
SSL forward proxy handshake fails.

Fix:
Fixed an issue with SSL forward handshakes.

Fixed Versions:
15.1.5

966901-2 : CVE-2020-14364: Qemu Vulnerability

Links to More Info: K09081535, BT966901

966701-2 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP

Links to More Info: BT966701

Component: Service Provider

Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCP transport profile.

Conditions:
-- SCTP transport profile
-- MRF generic msg router profile

Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing

Fix:
Enable the return type in generic msg filter when data received over SCTP transport

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

966681-1 : NAT translation failures while using SP-DAG in a multi-blade chassis

Links to More Info: BT966681

Component: Carrier-Grade NAT

Symptoms:
NAT translation fails

Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans

Impact:
Traffic failure, performance degraded

Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096

Fix:
Increase the number of attempts in selecting local translation IP (an IP when used makes the return packet to land on the same TMM where the NAT selection is happening). This can be controlled with DB variable tm.lsn.retries. The actual attempts is 16 times the value set in this db variable.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

966277-1 : BFD down on multi-blade system

Links to More Info: BT966277

Component: TMOS

Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.

Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots

Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

966073-1 : GENEVE protocol support

Links to More Info: BT966073

Component: TMOS

Symptoms:
BIG-IP software does not support the GENEVE protocol.

Conditions:
-- AWS Gateway load balancer is in use, which uses the GENEVE protocol

Impact:
GENEVE protocol is unsupported.

Workaround:
None.

Fix:
BIG-IP software now supports the GENEVE protocol.

Fixed Versions:
15.1.4.1

965617-3 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode

Links to More Info: BT965617

Component: Advanced Firewall Manager

Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB

Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support

Impact:
More resources loading during DDoS attack

Fix:
Correct free spot search with offloading to HSB

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

965581-2 : Statistics are not reported to BIG-IQ

Links to More Info: BT965581

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.

Conditions:
A BIG-IP system is attached to BIG-IQ.

Impact:
No statistics collected.

Fix:
The avrd process no longer fails, and statistics are collected as expected.

Fixed Versions:
14.1.4, 15.1.4

965485-3 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Links to More Info: K41523201

965229-2 : ASM Load hangs after upgrade

Links to More Info: BT965229

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

965205-2 : BIG-IP dashboard downloads unused widgets

Links to More Info: BT965205

Component: TMOS

Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.

Conditions:
This occurs when viewing the BIG-IP dashboard.

Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1

965037-1 : SSL Orchestrator does not send HTTP CONNECT tunnel payload to services

Links to More Info: BT965037

Component: Local Traffic Manager

Symptoms:
In some cases, when Services in SSL Orchestrator (service-connect agent in per-request policy) is inserted after Category lookup for CONNECT request hostname, the HTTP CONNECT tunnel payload/data is not sent to services.

Conditions:
SSL Orchestrator use case and Services are inserted after Category lookup for CONNECT request hostname

Impact:
HTTP CONNECT tunnel payload is not sent to services

Workaround:
None

Fix:
HTTP CONNECT tunnel payload is now sent to services.

Fixed Versions:
15.1.4.1

964941-1 : IPsec interface-mode tunnel does not initiate or respond after config change

Links to More Info: BT964941

Component: TMOS

Symptoms:
After reconfiguring an interface-mode IPsec tunnel, the IPsec tunnel may fail to initiate or negotiate as a Responder.

Conditions:
-- IPsec interface mode
-- Changing the IPsec tunnel configuration

Impact:
Remote networks cannot be reached because BIG-IP refuses to negotiate IPsec tunnel.

Workaround:
Reboot or restart tmm

Fix:
Valid changes to the IPsec tunnel configuration result in the tunnel negotiation happening.

Fixed Versions:
15.1.4

964897-2 : Live Update - Indication of "Update Available" when there is no available update

Links to More Info: BT964897

Component: Application Security Manager

Symptoms:
Live Update notifies you that an update is available even though there is no available update.

Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status

Impact:
Live Update erroneously indicates that an update is available.

Workaround:
1. upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. restart 'tomcat' service:
> bigstart restart tomcat

Fix:
Fixed an issue with Live Update notification.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

964585-3 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update

Links to More Info: BT964585

Component: Protocol Inspection

Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.

Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.

Impact:
- The error message does not accurately explain the cause of the problem.

Workaround:
None.

Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

964577-3 : IPS automatic IM download not working as expected

Links to More Info: BT964577

Component: Protocol Inspection

Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.

IPS automatic IM download considers the BIG-IP software major and minor version numbers.

However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.

Conditions:
Auto download of IM package for IPS.

Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.

Workaround:
Manually download the IM package and upload it onto the BIG-IP system.

Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

964245-2 : ASM reports and enforces username always

Links to More Info: BT964245

Component: Application Security Manager

Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.

Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.

Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.

Workaround:
None

Fix:
Username from the Authorization not appearing with status = BLOCK-ALL in session tracking status list.

Fixed Versions:
14.1.4.4, 15.1.4

964037 : Error: Exception response while loading properties from server

Links to More Info: BT964037

Component: Access Policy Manager

Symptoms:
The General Customization interface for Endpoint Security in the GUI cannot be used for Access Profile with modern customization due to interface error.

Conditions:
-- Access Profile with modern customization
-- General Customization interface for Endpoint Security

Impact:
You are unable to modify Endpoint Security interface strings

Fixed Versions:
15.1.4.1

963713-1 : HTTP/2 virtual server with translate-disable can core tmm

Links to More Info: BT963713

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing HTTP/2 traffic

Conditions:
-- HTTP/2 virtual server
-- Port and address translation disabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure an HTTP/2 virtual server with translate-disable

Fix:
Tmm does not crash anymore.

Fixed Versions:
15.1.4

963705-3 : Proxy ssl server response not forwarded

Links to More Info: BT963705

Component: Local Traffic Manager

Symptoms:
A server response may not be forwarded after TLS renegotiation.

Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs

Impact:
Server response may not be not forwarded

Fix:
Proxy ssl will now forward server response after renegotiation

Fixed Versions:
14.1.4.5, 15.1.4.1

963485-1 : Performance issue with data guard

Links to More Info: BT963485

Component: Application Security Manager

Symptoms:
End user clients encounter poor network performance. Due to a correlation with ID 963461 it can lead to a crash.

Conditions:
-- The server response is compressed.
-- Data guard is enabled.

Impact:
Slow response time.

Workaround:
-- Disable data guard or block the data instead of masking it.

-- Force server sending uncompressed response using an iRule:

when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}

Fixed Versions:
15.1.4

963461-1 : ASM performance drop on the response side

Links to More Info: BT963461

Component: Application Security Manager

Symptoms:
Clients encounter a longer time to respond from the BIG-IP

Conditions:
-- One of the following features is enabled:
   - convictions
   - csrf
   - ajax.
-- The response is HTML
-- The response has many tags

Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.

Fixed Versions:
15.1.4, 16.0.1.2

963237-3 : Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.

Links to More Info: BT963237

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.

Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a responses from the EDNS server

Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

963049-1 : Unexpected config loss when modifying protected object

Links to More Info: BT963049

Component: TMOS

Symptoms:
A virtual server configuration is changed unexpectedly.

Conditions:
- Create virtual server with two client SSL profiles
- Modify same virtual server in Protected Objects panel.

Impact:
Virtual servers client SSL profiles are removed if you have more than one profile.

Workaround:
None

Fix:
Virtual server client SSL profiles are no longer removed from the config if the update happens through Protected Objects panel in the GUI.

Fixed Versions:
15.1.3

963017-2 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed

Links to More Info: BT963017

Component: TMOS

Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):

err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid

In addition, a message similar to the following may appear on the serial console while the system is booting:

[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid

Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:

# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
   Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since <...>
 Main PID: #### (code=exited, status=1/FAILURE)

<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.


However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.

Conditions:
This may occur under the following conditions:

-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
   - BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
   - VIPRION B4450 blades

Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.

This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.

Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check

Fix:
This incorrect status reporting has been corrected.

Fixed Versions:
14.1.4, 15.1.3

962817-2 : Description field of a JSON policy overwrites policy templates description

Links to More Info: BT962817

Component: Application Security Manager

Symptoms:
Creating a UTF-8 policy using a template for the first time creates a binary policy the system uses the next time you create a UTF-8 policy with the same template.

If the creation occurs via JSON policy import, the description field of the JSON policy overwrites the description from the template, and the next time you create a UTF-8 policy using the same template, the system uses the description from the first JSON policy.

Conditions:
Create an initial UTF-8 policy with some template using a JSON policy with a custom description.

Impact:
The next time you create a UTF-8 policy with the same template, unless you provide a description, the system uses the one from the initially created JSON policy instead the template.

Workaround:
Before creating the second policy, remove the binary file that was created from the first run. For example if the template used was Fundamental:

rm -f /ts/install/policy_templates/fundamental.bin

Fix:
The binary file now contains the correct description.

Fixed Versions:
15.1.3, 16.0.1.1

962589-2 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Links to More Info: BT962589

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

962497 : BD crash after ICAP response

Links to More Info: BT962497

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

962433-4 : HTTP::retry for a HEAD request fails to create new connection

Links to More Info: BT962433

Component: Local Traffic Manager

Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.

Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version

Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4

962341 : BD crash while processing JSON content

Links to More Info: K00602225, BT962341

962249-2 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm

Links to More Info: BT962249

Component: TMOS

Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm

Conditions:
This message shows always on all platforms.

Impact:
No functional impact.

Fix:
Does not show this message on non-epva platforms.

Fixed Versions:
15.1.4

962177-2 : Results of POLICY::names and POLICY::rules commands may be incorrect

Links to More Info: BT962177

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2

962069-3 : Excessive resource consumption while processing OSCP requests via APM

Links to More Info: K79428827, BT962069

960749-2 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic

Links to More Info: BT960749

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes, dumps a core file, and restarts.

Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.

-- The DNS Cache or Network DNS Resolver objects receive traffic.

Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.

Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1

960437-2 : The BIG-IP system may initially fail to resolve some DNS queries

Links to More Info: BT960437

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4, Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1

960369-2 : Negative value suggested in Traffic Learning as max value

Links to More Info: BT960369

Component: Application Security Manager

Symptoms:
Negative value suggested in Traffic Learning as max value

Conditions:
A huge parameter value is seen in traffic

Impact:
Wrong learning suggestion issued

Workaround:
Manually change maximum allowed value on the parameter to ANY

Fix:
After fix correct suggestion is issued - suggest to change maximum parameter value to ANY

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

959889-2 : Cannot update firewall rule with ip-protocol property as 'any'

Links to More Info: BT959889

Component: TMOS

Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.

Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update

Impact:
Cannot update the firewall rule from GUI.

Fix:
The GUI now allows updating firewall rules with 'any' as an ip-protocal.

Fixed Versions:
14.1.4, 15.1.3

959629-2 : Logintegrity script for restjavad/restnoded fails

Links to More Info: BT959629

Component: TMOS

Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:

find: '14232restnoded_log_pattern': No such file or directory.

Conditions:
When the logintegrity script runs.

Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.

Workaround:
Modify the script file /usr/bin/rest_logintegrity:

1. mount -o remount,rw /usr

2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original

3. vi /usr/bin/rest_logintegrity

4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log

With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log

5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)

With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)

6. mount -o remount,ro /usr

Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

959121-4 : Not following best practices in Guided Configuration Bundle Install worker

Links to More Info: K74151369, BT959121

958465-2 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization

Links to More Info: BT958465

Component: TMOS

Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):

MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.

The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.

Fixed Versions:
14.1.4.4, 15.1.3.1, 16.0.1.2

958353-2 : Restarting the mcpd messaging service renders the PAYG VE license invalid.

Links to More Info: BT958353

Component: TMOS

Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.

Conditions:
Restarting the mcpd messaging service.

Impact:
The license becomes expired. A message is displayed in the console:

mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).

Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).

Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

958093-3 : IPv6 routes missing after BGP graceful restart

Links to More Info: BT958093

Component: TMOS

Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and Ipv6 address families, routes from IPv6 unicast address family might be missing.

Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.

Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.

Fixed Versions:
14.1.4.5, 15.1.4.1

958085-3 : IM installation fails with error: Spec file not found

Links to More Info: BT958085

Component: Traffic Classification Engine

Symptoms:
IM installation fails with an error message:

ERROR Error during switching: Spec file not found

Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.

Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.

Workaround:
None.

Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.

Fixed Versions:
14.1.4.4, 15.1.4

957965-1 : Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent'

Links to More Info: BT957965

Component: Application Security Manager

Symptoms:
Request is blocked by 'CSRF attack detected' violation.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- CSRF protection enabled in an ASM policy

Impact:
False positive request blocking occurs.

Workaround:
Disable 'CSRF attack detected' violation in the ASM policy.

Fix:
'CSRF attack detected' now works as expected.

Fixed Versions:
15.1.4

957337-1 : Tab complete in 'mgmt' tree is broken

Links to More Info: BT957337

Component: TMOS

Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:

(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"

Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete

Impact:
You are unable to configure objects in mgmt.

This issue also prevents users with the admin role from accessing the following REST endpoints:

shared/authz/users
shared/echo-js

The error returned was HTTP/1.1 401 F5 Authorization Required

Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

957029-1 : MRF Diameter loop-detection is enabled by default

Links to More Info: BT957029

Component: Service Provider

Symptoms:
The default value of Message Routing Framework (MRF) Diameter loop detection is enabled.

Conditions:
Default diameter session profile loop detection configuration.

Impact:
System performance is impacted even if MRF Diameter loop detection is not used.

Workaround:
Disable loop detection in all message routing Diameter profiles when it is not needed.

Fix:
MRF Diameter loop detection is now disabled by default.

Note: If you expect MRF Diameter loop detection to be enabled, you must manually change the value after upgrading.

Fixed Versions:
15.1.4, 16.0.1.2

956589-1 : The tmrouted daemon restarts and produces a core file

Links to More Info: BT956589

Component: TMOS

Symptoms:
The tmrouted daemon restarts and produces a core file.

Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover

Impact:
Traffic disrupted while tmrouted restarts.

Workaround:
None

Fix:
Tmrouted daemon should not restart during blade reset

Fixed Versions:
15.1.2.1

956373-2 : ASM sync files not cleaned up immediately after processing

Links to More Info: BT956373

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large it may lead to "lack of disk space" problem.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

956293-2 : High CPU from analytics-related REST calls - Dashboard TMUI

Links to More Info: BT956293

Component: TMOS

Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.

Conditions:
Leaving UI dashboard page left open.

Impact:
System performance is impacted if the dashboard page is kept open.

Fixed Versions:
14.1.4.4, 15.1.4

956133-3 : MAC address might be displayed as 'none' after upgrading

Links to More Info: BT956133

Component: Local Traffic Manager

Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.

Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.

Impact:
Traffic disrupted when the MAC address is set to 'none'.

Workaround:
None

Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.

Fixed Versions:
14.1.4.4, 15.1.4

956105-2 : Websocket URLs content profiles are not created as expected during JSON Policy import

Links to More Info: BT956105

Component: Application Security Manager

Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import

Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.

Impact:
Content profiles are not being added to the webscket URLs causing wrong configuration.

Workaround:
The content profiles can be manually associated after the import process using REST or GUI.

Fix:
Setting the correct profile reference during import.

Fixed Versions:
15.1.3, 16.0.1.2

956013-1 : System reports{{validation_errors}}

Links to More Info: BT956013

Component: Policy Enforcement Manager

Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses

Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.

Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.5

955145-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT955145

955017-2 : Excessive CPU consumption by asm_config_event_handler

Links to More Info: BT955017

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2

954429-2 : User authorization changes for live update

Links to More Info: K23203045, BT954429

954425-2 : Hardening of Live-Update

Component: Application Security Manager

Symptoms:
Under certain conditions, the Live-Update process does not follow current best practices.

Conditions:
- Live-Update in use
- Specially-crafted update files

Impact:
The Live-Update process does not follow current best practices.

Workaround:
N/A

Fix:
The Live-Update process now follows current best practices.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

954381-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT954381

953845-1 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Links to More Info: BT953845

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }

Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.

Fixed Versions:
12.1.6, 14.1.4, 15.1.3, 16.0.1.1

953729-2 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Links to More Info: K56142644 K45056101, BT953729

953677-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Links to More Info: K18132488 K70031188, BT953677

953393-2 : TMM crashes when performing iterative DNS resolutions.

Links to More Info: BT953393

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes and produces a core file.

Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.

To do so, you configure a Forward Zone in the Network DNS Resolver for '.' (the DNS root). This causes DNS to send all DNS requests to a different, external resolver of your choice, which will perform recursive resolution.

The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).

Fix:
TMM no longer crashes.

Fixed Versions:
15.1.2.1, 16.0.1.1

952557-2 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com

Links to More Info: BT952557

Component: Access Policy Manager

Symptoms:
Microsoft has deprecated login.microsoftonline.com OAuth Azure Active Directory B2C (Azure AD B2C) URLs. The OAuth Provider templates are updated to support the newer URLs B2Clogin.com.

Conditions:
Azure AD B2C Provider may be non functional if URLs are using logic.microsoftonline.com.

Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.

Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.

For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.

Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.

Fixed Versions:
14.1.4, 15.1.3

952545-2 : 'Current Sessions' statistics of HTTP2 pool may be incorrect

Links to More Info: BT952545

Component: Service Provider

Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552

Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.

Workaround:
None.

Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

952509-2 : Cross origin AJAX requests are blocked in case there is no Origin header

Links to More Info: BT952509

Component: Application Security Manager

Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allowed-Origin" header is not set and the request is blocked.

Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.

Impact:
Request is blocked.

Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.

Fix:
Check referrer header also when modifying CORS headers.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

951705-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT951705

951133-2 : Live Update does not work properly after upgrade

Links to More Info: BT951133

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1

950917-1 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Links to More Info: BT950917

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4

950849-4 : B4450N blades report page allocation failure.

Links to More Info: BT950849

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This occurs on B4450N blades regardless of configuration.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You must perform the workaround on each blade installed in the system.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands:

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures on B4450 (A114) blades.

Fixed Versions:
14.1.4.4, 15.1.3.1

950077-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Links to More Info: K18132488 K70031188, BT950077

950017-2 : TMM may crash while processing SCTP traffic

Links to More Info: K94941221, BT950017

949933-1 : BIG-IP APM CTU vulnerability CVE-2021-22980

Links to More Info: K29282483, BT949933

949889-3 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Links to More Info: K04107324, BT949889

949721-2 : QUIC does not send control frames in PTO packets

Links to More Info: BT949721

Component: Local Traffic Manager

Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.

Conditions:
A control frame is in-flight when the PTO timer fires.

Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.

Workaround:
None.

Fix:
Retransmittable control frames are now sent when the PTO timer fires.

Fixed Versions:
15.1.4.1, 16.0.1.2

949593-3 : Unable to load config if AVR widgets were created under '[All]' partition

Links to More Info: BT949593

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2

949477-1 : NTLM RPC exception: Failed to verify checksum of the packet

Links to More Info: BT949477

Component: Access Policy Manager

Symptoms:
NTLM authentication fails with the error:

RPC exception: Failed to verify checksum of the packet.

Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.

Impact:
User authentication fails.

Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.

2. Disable encryption for nlad:
   # vim /etc/bigstart/startup/nlad

   change:
   exec /usr/bin/${service} -use-log-tag 01620000

   to:
   exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no

3. Restart nlad to make the change effective, and to force the schannel to be re-established:
   # bigstart restart nlad

Fixed Versions:
14.1.4.4, 15.1.4.1

949145-5 : Improve TCP's response to partial ACKs during loss recovery

Links to More Info: BT949145

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

948805-1 : False positive "Null in Request"

Links to More Info: BT948805

Component: Application Security Manager

Symptoms:
A false positive violation "Null in Request" is thrown erroneously.

Conditions:
-- BIG-IP receives a query string in the "Referrer" header

Impact:
False positive violation "Null in Request" is thrown

Workaround:
None

Fix:
Fixed a false positive violation.

Fixed Versions:
14.1.4.5, 15.1.4.1

948769-5 : TMM panic with SCTP traffic

Links to More Info: K05300051, BT948769

948757-2 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

Links to More Info: BT948757

Component: Local Traffic Manager

Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.

Conditions:
A snat-translation address is configured with ARP enabled.

Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.

Workaround:
None.

Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1

948717-3 : F5-pf_daemon_cond_restart uses excessive CPU

Links to More Info: BT948717

Component: TMOS

Symptoms:
The script /etc/init.d/f5-pf_daemon_cond_restart spawns a lot of ephemeral processes that collectively use about 10-15% of a core, regardless of the number of cores.

This is contributing to higher CPU usage after upgrading from an earlier version

Conditions:
On upgrade to a 15.1.x version, high CPU usage is observed.

Impact:
Higher CPU utilization on control plane, typically the equivalent of about 10-15% (of one core) extra.

Workaround:
None.

Fixed Versions:
15.1.3.1

948573-4 : Wr_urldbd list of valid TLDs needs to be updated

Links to More Info: BT948573

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2

948417-2 : Network Management Agent (Azure NMAgent) updates causes Kernel Panic

Links to More Info: BT948417

Component: Performance

Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)

Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking

Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)

Workaround:
- Disable Accelerated Networking on BIG-IP network interfaces (Reversed settings from Azure documentation)

     Individual VMs & VMs in an availability set
     First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:
           Azure CLI
                az vm deallocate \
                --resource-group myResourceGroup \
                --name myVM
    Important, please note, if your VM was created individually, without an availability set, you only need to stop/deallocate
    the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in
    the availability set will need to be stopped/deallocated before disabling Accelerated Networking on any of the NICs.

    Once stopped, disable Accelerated Networking on the NIC of your VM:
           Azure CLI
                az network nic update \
                --name myNic \
                --resource-group myResourceGroup \
                --accelerated-networking false
    Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is disabled:
           Azure CLI
                az vm start --resource-group myResourceGroup \
                --name myVM

Fixed Versions:
15.1.4

948113-3 : User-defined report scheduling fails

Links to More Info: BT948113

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
Internal error for AVR report for ASM pre-defined.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr

Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

948073-2 : Dual stack download support for IP Intelligence Database

Links to More Info: BT948073

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence cannot function if the BIG-IP management IP network is strict IPv6.

Conditions:
- IP Intelligence License installed
- Management IP is configured with only IPv6 addresses.

Impact:
The BIG-IP systems configured with IPv6 management networks cannot use IP Intelligence features even though they have installed IP Intelligence licenses.

Workaround:
None

Fix:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.

Behavior Change:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.

Fixed Versions:
15.1.4

947925-1 : TMM may crash when executing L7 Protocol Lookup per-request policy agent

Links to More Info: BT947925

Component: SSL Orchestrator

Symptoms:
TMM may crash when executing the L7 Protocol Lookup per-request policy agent.

Conditions:
-- APM or SSL Orchestrator is licensed and provisioned.
-- L7 Protocol Lookup agent is included in the per-request policy for APM/SWG use cases.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM does not crash anymore when executing the L7 Protocol Lookup agent in the per-request policy.

Fixed Versions:
14.1.4.3, 15.1.4

947865-2 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read

Links to More Info: BT947865

Component: TMOS

Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:

err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer

Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.

Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.

Fixed Versions:
14.1.4, 15.1.3

947529-2 : Security tab in virtual server menu renders slowly

Links to More Info: BT947529

Component: TMOS

Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.

Conditions:
Large number of virtual servers using the same ASM policy

Impact:
Loading of Security tab of a virtual server takes a long time

Workaround:
NA

Fix:
Security tab of a virtual server loads fast

Fixed Versions:
14.1.4.4, 15.1.4.1

947341-1 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.

Links to More Info: BT947341

Component: Application Security Manager

Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.

Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

2. To identify the empty partitions, look into:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"

3. For every partition that is empty, manually (or via shell script) execute this sql:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"

   Note: <empty_partition_name> must be substituted with the partition name, for example p100001.


4. Increase 'open_files_limit' to '10000'.
--------------------------------

   In the /etc/my.cnf file:
   1. Change the value of the 'open_files_limit' parameter to 10000.
   2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5. pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
This release increases the default 'open_files_limit' to '10000'.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2

946953-1 : HTTP::close used in iRule might not close connection.

Links to More Info: BT946953

Component: Local Traffic Manager

Symptoms:
HTTP::close used in an iRule might not close the connection. For example:

when HTTP_REQUEST {
    HTTP::close
    HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
  }

Conditions:
Using HTTP::close along with HTTP::respond

Impact:
HTTP connection can be re-used.

Workaround:
Explicitly add close header in the HTTP::respond. For example:

HTTP::respond 200 content "OK" Connection close

Fix:
Fixed an issue where HTTP::close might not close a connection.

Fixed Versions:
15.1.3, 16.0.1.1

946745-2 : 'System Integrity: Invalid' after Engineering Hotfix installation

Links to More Info: BT946745

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.

Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.

Fixed Versions:
14.1.4, 15.1.3

946377-2 : HSM WebUI Hardening

Links to More Info: K24301698, BT946377

946185-1 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'

Links to More Info: BT946185

Component: iApp Technology

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:

An error has occurred while trying to process your request.

Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.

Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List

2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.

Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2

946125-2 : Tmm restart adds 'Revoked' tokens to 'Active' token count

Links to More Info: BT946125

Component: Access Policy Manager

Symptoms:
End users are unable to access an application even though the active tokens are far less than allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)

Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm

Impact:
User is denied access even though token limit per user is not reached

Fix:
Fixed an issue where users were unable to log in after a tmm restart.

Fixed Versions:
14.1.4.4, 15.1.4

946089-2 : BIG-IP might send excessive multicast/broadcast traffic.

Links to More Info: BT946089

Component: TMOS

Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.

Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.

Impact:
Excessive multicast/broadcast traffic.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

946081-1 : Getcrc tool help displays directory structure instead of version

Links to More Info: BT946081

Component: Application Security Manager

Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.

Conditions:
Displaying help in getcrc utility.

Impact:
Version information is not displayed.

Fix:
Getcrc utility help now displays version information.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

945997-2 : LTM policy applied to HTTP/2 traffic may crash TMM

Links to More Info: BT945997

Component: Local Traffic Manager

Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.

Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

945853-2 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession

Links to More Info: BT945853

Component: Advanced Firewall Manager

Symptoms:
TMM crashes during a configuration change.

Conditions:
This occurs under the following conditions:

-- Create/modify/delete multiple virtual servers in quick succession.

-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes during a configuration change.

Fixed Versions:
15.1.3

945789-1 : Live update cannot resolve hostname if IPv6 is configured.

Links to More Info: BT945789

Component: Application Security Manager

Symptoms:
Live update does not work when BIG-IP DNS is configured to use IPv6.

Conditions:
BIG-IP DNS uses IPv6.

Impact:
-- Unable to install latest updates to signatures.
-- Unable to import user-defined signatures.

Workaround:
If possible, use IPv4 for DNS.

An alternative workaround could be to configure a working IPv4 address in the "/etc/hosts" file, by issuing the following command from the advanced shell (bash):

    echo "165.160.15.20 callhome.f5.net" >> /etc/hosts

Fix:
Replaced deprecated gethostbyname which does not work well with IPv6 with getaddrinfo.

Fixed Versions:
15.1.4.1

945265-4 : BGP may advertise default route with incorrect parameters

Links to More Info: BT945265

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

945109-2 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Links to More Info: K46641512, BT945109

944785-2 : Admd restarting constantly. Out of memory due to loading malformed state file

Links to More Info: BT944785

Component: Anomaly Detection Services

Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.

Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.

Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption

Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD

If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD

Fix:
No more memory corruption, no OOM nor ADMD restarts.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.2

944641-1 : HTTP2 send RST_STREAM when exceeding max streams

Links to More Info: BT944641

Component: Local Traffic Manager

Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.

Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.

Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.

Workaround:
None.

Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.

Fixed Versions:
14.1.4, 15.1.4, 16.0.1.1

944513-2 : Apache configuration file hardening

Links to More Info: BT944513

Component: TMOS

Symptoms:
Apache configuration file did not follow security best practice.

Conditions:
Normal system operation with httpd enabled.

Impact:
Apache configuration file did not follow security best practice.

Workaround:
None

Fix:
Apache configuration file has been hardened to follow security best practice.

Fixed Versions:
15.1.4

944441-2 : BD_XML logs memory usage at TS_DEBUG level

Links to More Info: BT944441

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None

Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

943913-3 : ASM attack signature does not match

Links to More Info: K30150004, BT943913

Component: Application Security Manager

Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.

Conditions:
- ASM enabled
- Undisclosed attack signature variation

Impact:
ASM attack signature does not match or trigger further processing.

Workaround:
N/A

Fix:
ASM now processes traffic as expected.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2

943669-1 : B4450 blade reboot

Links to More Info: BT943669

Component: TMOS

Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.

Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.

Impact:
Traffic disrupted while the blade reboots.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when needed.

Fixed Versions:
15.1.2

943125-2 : ASM bd may crash while processing WebSocket traffic

Links to More Info: K18570111, BT943125

943101-2 : Tmm crash in cipher group delete.

Links to More Info: BT943101

Component: Local Traffic Manager

Symptoms:
Deleting a cipher group associated with multiple profiles could cause tmm crash.

Conditions:
Deleting a cipher group associated with multiple profiles.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an issue with cipher group delete.

Fixed Versions:
14.1.3, 15.1.4

943081-3 : Unspecified HTTP/2 traffic may cause TMM to crash

Links to More Info: K90603426, BT943081

942965-2 : Local users database can sometimes take more than 5 minutes to sync to the standby device

Links to More Info: BT942965

Component: Access Policy Manager

Symptoms:
Local db sync to standby devices take more than 5 minutes to sync

Conditions:
High availability (HA) setup
 - add a local db user in the active device
 - Wait for it to get synced to the standby device
 - Sometimes the sync may not happen in 5 minutes.

Impact:
Sync of the changes to the local user db may take several minutes to sync to the standby devices.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.5

942701-2 : TMM may consume excessive resources while processing HTTP traffic

Links to More Info: K35408374, BT942701

942581-1 : Timestamp cookies do not work with hardware accelerated flows

Links to More Info: BT942581

Component: Advanced Firewall Manager

Symptoms:
Time stamp cookies and hardware accelerated flows are mutually exclusive.

Conditions:
Time stamp cookie enabled for TCP flows on a VLAN with hardware offload enabled as well.

Impact:
Reduced traffic throughput and increased CPU usage

Fix:
FPGA and software enhancement to allow hardware accelerate of TCP flows that have time stamp cookie enabled.

Fixed Versions:
15.1.2

942549-2 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Links to More Info: BT942549

Component: TMOS

Symptoms:
During boot of a i15xxx system you see the message:

Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Conditions:
This issue can occur on any i15xxx device, although some devices exhibit the failure consistently and others never exhibit the issue.

Impact:
When this failure occurs in a system, the system is inoperable.

Workaround:
In order to workaround this issue, the system must be updated to install a script that is capable of resetting the hardware device during the HSB load process.

If it's not possible to install an EHF with the updated script or a version of BIG-IP with the fix, then it can be installed manually by providing the fw_update_post.init file and replacing it in /etc/init.d/fw_update_post. It is recommended that the existing fw_update_post is backed-up and this is only done in cases where the EHF or a fixed version of BIG-IP cannot be installed.

Fix:
A 'Dataplane INOPERABLE - Only 7 HSBs found. Expected 8' condition caused by a PCIE linking failure is resolved by an updated HSB load script which correctly resets BIG-IP i15xxx system hardware during boot.

Persistent 'Dataplane INOPERABLE' messages, after this fix is installed, indicate an unrelated failure.

Fixed Versions:
14.1.4.4, 15.1.4.1

942497-1 : Declarative onboarding unable to download and install RPM

Links to More Info: BT942497

Component: TMOS

Symptoms:
Installation of declarative onboarding RPM fails.

Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.

Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.

Workaround:
RPMs must be installed manually.

Fix:
The installation directory was updated to fix the RPM installation issue.

Fixed Versions:
15.1.2.1, 16.0.1.1

942185-2 : Non-mirrored persistence records may accumulate over time

Links to More Info: BT942185

Component: Local Traffic Manager

Symptoms:
Persistence records accumulate over time due to expiration process not reliably taking effect. The 'persist' memory type grows over time.

Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.

Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Persistence records are now reliably expired at the appropriate time.

Fixed Versions:
15.1.4, 16.0.1.2

941929-2 : Google Analytics shows incorrect stats, when Google link is redirected.

Links to More Info: BT941929

Component: Application Security Manager

Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
-- Google link is responded to (by the server) with a redirect.

-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
None

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

941893-3 : VE performance tests in Azure causes loss of connectivity to objects in configuration

Links to More Info: BT941893

Component: TMOS

Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.

Conditions:
Running performance tests of VE in Azure.

Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.

Workaround:
Reboot from the Azure console to restore functionality.

Fixed Versions:
15.1.4

941853-1 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Links to More Info: BT941853

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1

941649-2 : Local File Inclusion Vulnerability

Links to More Info: K63163637, BT941649

941625-1 : BD sometimes encounters errors related to TS cookie building

Links to More Info: BT941625

Component: Application Security Manager

Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:

-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.

-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.

Impact:
The cookie is not built and an error is logged.

Workaround:
None.

Fixed Versions:
15.1.4, 16.1.1

941621-2 : Brute Force breaks server's Post-Redirect-Get flow

Links to More Info: K91414704, BT941621

Component: Application Security Manager

Symptoms:
Brute Force breaks server's Post-Redirect-Get flow

Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.

Impact:
Brute Force breaks server's Post-Redirect-Get flow

Workaround:
None

Fix:
Support PRG mechanism in brute force mitigations.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.1

941481-2 : iRules LX - nodejs processes consuming excessive memory

Links to More Info: BT941481

Component: Local Traffic Manager

Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.

You can check the iRule LX plugins memory usage using the command:

tmsh show ilx plugin <PLUGIN_NAME>' under 'Memory (bytes):

Memory (bytes)
  Total Virtual Size 946.8M
  Resident Set Size 14.5K

Conditions:
-- iRulesLX in use.

Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.

Workaround:
Restart the iRule LX plugin that is leaking memory:

tmsh restart ilx plugin <PLUGIN_NAME>

Fixed Versions:
14.1.4.4, 15.1.4

941449-2 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Links to More Info: K55237223, BT941449

941257-1 : Occasional Nitrox3 ZIP engine hang

Links to More Info: BT941257

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.

You can check if your platform has the nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable http compression

Fixed Versions:
14.1.4.4, 15.1.4

941249-2 : Improvement to getcrc tool to print cookie names when cookie attributes are involved

Links to More Info: BT941249

Component: Application Security Manager

Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server

Conditions:
This is applicable when domain and path cookie attributes are present in response from server

Impact:
ASM cookie name which is displayed is incorrect

Workaround:
None

Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

941169-4 : Subscriber Management is not working properly with IPv6 prefix flows.

Links to More Info: BT941169

Component: Policy Enforcement Manager

Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.

Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).

Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.

Workaround:
None.

Fixed Versions:
14.1.4, 15.1.2.1

941089-3 : TMM core when using Multipath TCP

Links to More Info: BT941089

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2

940897-3 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Links to More Info: BT940897

Component: Application Security Manager

Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.

Fixed Versions:
12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

940885-2 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter

Links to More Info: BT940885

Component: TMOS

Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP with a tmm embedded SR-IOV network driver.

Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.

Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.

Fix:
Added the CX5 Ex device ID to the BIG-IP's Mellanox SR-IOV driver so that it can be used with that adapter.

Fixed Versions:
14.1.4.4, 15.1.4.1

940665-1 : DTLS 1.0 support for PFS ciphers

Links to More Info: BT940665

Component: Local Traffic Manager

Symptoms:
When using DTLS 1.0 the following two PFS ciphers are no longer negotiated and they cannot be used in a DTLS handshake/connection.

* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA

Conditions:
DTLS 1.0 is configured in an SSL profile.

Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.

Fixed Versions:
15.1.4, 16.0.1.2

940401-2 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Links to More Info: BT940401

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1

940317-4 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Links to More Info: K23157312, BT940317

940249-2 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Links to More Info: BT940249

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

940209 : Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.

Links to More Info: BT940209

Component: Local Traffic Manager

Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, the BIG-IP system may not properly close established server-side connections causing subsequent HTTP/2 requests to stall.

Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.

Impact:
HTTP/2 requests intermittently stall due to the existing server-side TCP connection remaining open.

Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.

Fix:
HTTP/2 requests no longer stall, as the server side TCP connection is properly closed.

Fixed Versions:
14.1.4, 15.1.2

940185-2 : icrd_child may consume excessive resources while processing REST requests

Component: TMOS

Symptoms:
Under certain conditions, icrd_child may consume excessive resources while processing REST requests

Conditions:
- Specially-crafted REST requests

Impact:
Increase in ICRD resource usage over time. Eventually host memory will be exhausted potentially leading to a failover event.

Workaround:
N/A

Fix:
icrd_child now processes REST requests as expected.

Fixed Versions:
14.1.4.5, 15.1.5

940177-1 : Certificate instances tab shows incorrect number of instances in certain conditions

Links to More Info: BT940177

Component: TMOS

Symptoms:
The SSL Certificate instances tab shows an incorrect number of instances when the Cert name and the Key name match. This does not occur when the cert and key are different names.

Conditions:
-- SSL certificate and key names match
-- Viewing the SSL certificate list in the GUI

Impact:
All the custom profiles will be listed when only select instances for ca-bundle cert are expected

Fix:
The correct number of instances of certificates is now displayed.

Fixed Versions:
15.1.5

940021-3 : Syslog-ng hang may lead to unexpected reboot

Links to More Info: BT940021

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.

The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.

Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).

Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.

Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log will of a broken connection only, usually one minute after the last established/broken pair.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.

Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1

939961-2 : TCP connection is closed when necessary after HTTP::respond iRule.

Links to More Info: BT939961

Component: Local Traffic Manager

Symptoms:
After HTTP::respond iRule, when "Connection: close" header is sent to the client, TCP connection is not closed.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE).
- HTTP sends "Connection: close" header.

Impact:
TCP connection lives longer than needed.

Workaround:
N/A

Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.

Fixed Versions:
15.1.2, 16.0.1.2

939877-1 : OAuth refresh token not found

Links to More Info: BT939877

Component: Access Policy Manager

Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:

err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)

Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb

Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.

Workaround:
Clear/reset the Authorization code column value manually:

As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }

Copy the value corresponding to <db_name>.

Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)

mysql> use <db_name>;

mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';

(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)

Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2

939845-2 : BIG-IP MPTCP vulnerability CVE-2021-23004

Links to More Info: K31025212, BT939845

939841-2 : BIG-IP MPTCP vulnerability CVE-2021-23003

Links to More Info: K43470422, BT939841

939541-2 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE

Links to More Info: BT939541

Component: TMOS

Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
TMM no longer shuts down prematurely during initialization.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

939529-2 : Branch parameter not parsed properly when topmost via header received with comma separated values

Links to More Info: BT939529

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.

Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1

939421-2 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow

Links to More Info: K38481791, BT939421

938233-2 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization

Links to More Info: K93231374

938165-1 : TMM Core after attempted update of IP geolocation database file

Links to More Info: BT938165

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.

For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.

Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

938149-1 : Port Block Update log message is missing the "Start time" field

Links to More Info: BT938149

Component: Advanced Firewall Manager

Symptoms:
Port Block Update log message is missing the "Start time" field.

Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with change in susbsriber name for the same client IP address.

Impact:
NAT Log information is not usable for accounting purpose.

Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.

Fixed Versions:
15.1.2, 16.0.1.1

937749-3 : The 'total port blocks' value for NAT stats is limited to 64 bits of range

Links to More Info: BT937749

Component: Advanced Firewall Manager

Symptoms:
The 'total port blocks' value, which can be found in PBA 'tmctl' tables, 'tmsh show', and SNMP, is limited to 64 bits of range. The upper 64 bits of the value are not taken into account.

Conditions:
This always occurs, but affects only systems whose configuration makes the 'total port blocks' value exceed 64 bits of range.

Impact:
Incorrect statistics.

Workaround:
None.

Note: For those who really need this value, it is still possible to manually calculate it, but that is not a true workaround.

Fixed Versions:
15.1.3

937637-3 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT937637

937365-2 : LTM UI does not follow best practices

Links to More Info: K42526507, BT937365

937333-2 : Incomplete validation of input in unspecified forms

Component: Global Traffic Manager (DNS)

Symptoms:
Incomplete validation of input in unspecified forms

Conditions:
DNS Provisioned

Impact:
Incomplete validation

Fix:
Proper input validation now performed

Fixed Versions:
14.1.4.4, 15.1.4

937281-3 : SSL Orchestrator pool members are limited to 20 with Standalone license

Links to More Info: BT937281

Component: SSL Orchestrator

Symptoms:
BIG-IP limits the SSL Orchestrator Standalone license to only allow six pool members.

Conditions:
-- SSL Orchestrator add-on license is installed

Impact:
You are only able to configure six pool members in SSLO.

Workaround:
None.

Fix:
BIG-IP supports up to 20 pool members (up from 6) with the SSL Orchestrator standalone license.

Fixed Versions:
15.1.1, 16.0.0.1

936773-2 : Improve logging for "double flow removal" TMM Oops

Links to More Info: BT936773

Component: Local Traffic Manager

Symptoms:
/var/log/tmm contains this entry
notice Oops @ 0x286feeb:1127: double flow removal

Conditions:
The conditions under which this message is logged are unknown or may vary. This item is for logging the flow tuple and virtual server name to aid in diagnosing the cause.

Impact:
None

Fixed Versions:
14.1.4.4, 15.1.4.1

936557-2 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.

Links to More Info: BT936557

Component: Local Traffic Manager

Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.

Conditions:
This issue occurs when the following conditions are true:

-- Standard TCP virtual server.

-- TCP profile with Verified Accept enabled.

-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.

Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.

Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.

Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.

Fixed Versions:
14.1.4.5, 15.1.4.1

936125-2 : SNMP request times out after configuring IPv6 trap destination

Links to More Info: BT936125

Component: TMOS

Symptoms:
SNMP request is times out.

Conditions:
This issue happens with TMOS version v15.1.0.4 or beyond after a IPv6 trap destination is configured.

Impact:
No response is returned for SNMP request.

Workaround:
Restart SNMP daemon by running the following TMSH command:

restart sys service snmpd

Fix:
N/A

Fixed Versions:
15.1.3, 16.0.1.1

935801-4 : HSB diagnostics are not provided under certain types of failures

Links to More Info: BT935801

Component: TMOS

Symptoms:
In rare cases where the HSB detects an error and triggers an high availability (HA) failover, HSB-specific diagnostic data is not provided.

An example are XLMAC errors, which can be seen in the LTM logs:

<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.

Conditions:
The HSB detects an internal error.

Impact:
There is less HSB data for analysis when an internal HSB occurs.

Workaround:
None.

Fix:
Dump HSB registers on all HSB initiated high availability (HA) failovers.

Fixed Versions:
14.1.4.5, 15.1.2

935721-5 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Links to More Info: K82252291, BT935721

935593-4 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Links to More Info: BT935593

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

935433-2 : iControl SOAP

Links to More Info: K53854428, BT935433

935401-2 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

Links to More Info: K06440657, BT935401

935293-2 : 'Detected Violation' Field for event logs not showing

Links to More Info: BT935293

Component: Application Security Manager

Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.

Fix:
The eventlog is reserving space for violations.

Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1

935249-2 : GTM virtual servers have the wrong status

Links to More Info: BT935249

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).

Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.

Fix:
The HTTP status code is now correctly searched only in the first line of the response.

Fixed Versions:
15.1.5

935029-3 : TMM may crash while processing IPv6 NAT traffic

Links to More Info: K04048104, BT935029

934993-2 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams

Links to More Info: BT934993

Component: Local Traffic Manager

Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.

Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.

Impact:
BIG-IP resets a connection and a client (browser) does not receive any response for outstanding requests. It requires manually reload of the webpage to address the issue.

Workaround:
None.

Fix:
When a peer exceeds a number of concurrent streams allowed by BIG-IP systems, it sends GOAWAY with a REFUSED_STREAM error code and allows graceful completion of all open streams, and then terminates the connection.

Fixed Versions:
15.1.2, 16.0.1.1

934941-2 : Platform FIPS power-up self test failures not logged to console

Links to More Info: BT934941

Component: TMOS

Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.

Conditions:
A FIPS failure occurs during the power-up self test.

Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.

Workaround:
None.

Fixed Versions:
14.1.3.1, 15.1.3

934721-2 : TMM core due to wrong assert

Links to More Info: BT934721

Component: Application Visibility and Reporting

Symptoms:
TMM crashes with a core

Conditions:
AFM and AVR provisioned and collecting ACL statistics.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.

Fix:
Fixed a tmm crash related to ACL statistics

Fixed Versions:
15.1.2.1, 16.0.1.1

934461-2 : Connection error with server with TLS1.3 single-dh-use.

Links to More Info: BT934461

Component: Local Traffic Manager

Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.

Conditions:
14.1 with TLS1.3 single-dh-use.

Impact:
Connection failure in 14.1 versions.

Workaround:
Disable single-dh-use, or disable tls1.3.

Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.

Fixed Versions:
14.1.3, 15.1.4

934393-2 : APM authentication fails due to delay in sessionDB readiness

Links to More Info: BT934393

Component: Access Policy Manager

Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.

Conditions:
-- APM configured.
-- SAML SP configured.

Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.

Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all

Note: Restarting all services causes temporary traffic disruption.

Fix:
The sessionDB readiness has been corrected so that authentication succeeds.

Fixed Versions:
14.1.3, 15.1.4

934241-2 : TMM may core when using FastL4's hardware offloading feature

Links to More Info: BT934241

Component: TMOS

Symptoms:
TMM cores.

Conditions:
FastL4's hardware offloading is used.

Because the error is an internal software logic implementation, there is no direct specific configuration that triggers this error condition. A quick traffic spike during a short period of time makes it more likely to occur.

Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.

Workaround:
Disable PVA/EPVA on all FastL4 profiles

Fix:
Fix the internal logic error.

Fixed Versions:
15.1.0.5

934065-1 : The turboflex-low-latency and turboflex-dns are missing.

Links to More Info: BT934065

Component: TMOS

Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.

Conditions:
The turboflex-low-latency or turboflex-dns in use.

Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.

Workaround:
None.

Fix:
The turboflex-low-latency and turboflex-dns profiles are restored.

Fixed Versions:
15.1.3, 16.0.1.2

933777-1 : Context use and syntax changes clarification

Links to More Info: BT933777

Component: Application Visibility and Reporting

Symptoms:
There are two context and syntax-related issues:

-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.

-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.

Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.

Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.

Workaround:
None

Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2

933741-2 : BIG-IP FPS XSS vulnerability CVE-2021-22979

Links to More Info: K63497634, BT933741

933461-4 : BGP multi-path candidate selection does not work properly in all cases.

Links to More Info: BT933461

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

933409-2 : Tomcat upgrade via Engineering Hotfix causes live-update files removal

Links to More Info: BT933409

Component: TMOS

Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.

Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.

Impact:
Live-update functionality does not work properly.

Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.

Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

933405-2 : Zonerunner GUI hangs when attempting to list Resource Records

Links to More Info: K34257075, BT933405

Component: Global Traffic Manager (DNS)

Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.

Conditions:
Attempt to list Resource Records in Zonerunner GUI.

Impact:
Zonerunner hangs.

Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.

Fixed Versions:
14.1.4, 15.1.4.1, 16.0.1.1

933129-2 : Portal Access resources are visible when they should not be

Links to More Info: BT933129

Component: Access Policy Manager

Symptoms:
For Access Policy created with Customization type: modern, Portal Access resource is still present on user's webtop after the checkbox "Publish on Webtop" is disabled in config

Conditions:
-- Access Policy created with Customization type: modern
-- Disable the checkbox "Publish on Webtop" for any Portal Access resource

Impact:
Disabled Portal Access resource visible on the webtop when it should be hidden.

Workaround:
Re-create Access Policy with Customization type: standard

Fix:
Disabled Portal Access resource is hidden on user's webtop

Fixed Versions:
15.1.4.1

932937-2 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

Links to More Info: BT932937

Component: Local Traffic Manager

Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.

Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.

Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.

Workaround:
Use an iRule to prevent connections from hanging:

when HTTP_REJECT {
    after 1
}

Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1

932825-2 : Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device

Links to More Info: BT932825

Component: Local Traffic Manager

Symptoms:
When the standby system in a High Availability (HA) group becomes active, it sends out gratuitous ARPs to advertise its ownership of IP addresses and direct traffic to itself. In rare conditions, when becoming active, other processes may send out traffic before Gratuitous ARPs are generated.

Conditions:
-- HA configured
-- Protocols in use that generate frequent and fast signaling messages

Impact:
This has been observed as an issue for IPsec during failover, causing tunnel stability issues after failover. No other protocols are known to be affected by the issue.

Workaround:
None

Fix:
When the standby device in an HA pair becomes active, Gratuitous ARPs are prioritized over other traffic.

Fixed Versions:
15.1.1

932737-2 : DNS & BADOS high-speed logger messages are mixed

Links to More Info: BT932737

Component: Anomaly Detection Services

Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.

Conditions:
BADOS & DNS are run together and application is under attack (BADOS). At this point, BIG-IP will generate BADOS messages using an ID that conflicts with DNS messages.

Impact:
Reporting will be confusing.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

932497-3 : Autoscale groups require multiple syncs of datasync-global-dg

Links to More Info: BT932497

Component: TMOS

Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.

Conditions:
Browser Challenges update image is automatically downloaded.

Impact:
Peers are not synced.

Workaround:
Manually sync datasync-global-db group.

Fix:
Perform full sync for each change when having multiple live update changes in a row.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

932485-3 : Incorrect sum(hits_count) value in aggregate tables

Links to More Info: BT932485

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2

932437-2 : Loading SCF file does not restore files from tar file

Links to More Info: BT932437

Component: TMOS

Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.

Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:

01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.

Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles

Impact:
Restoring SCF does not restore contents of file objects.

Workaround:
None.

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1

932233-2 : '@' no longer valid in SNMP community strings

Links to More Info: BT932233

Component: TMOS

Symptoms:
The '@' character is no longer valid in SNMP community strings.

Conditions:
Attempting to use the '@' character in SNMP community strings.

Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.

Workaround:
Use a community string that does not contain the '@' character.

Fixed Versions:
15.1.2, 16.0.1.1

932213-2 : Local user db not synced to standby device when it is comes online after forced offline state

Links to More Info: BT932213

Component: Access Policy Manager

Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.

Conditions:
Valid high availability (HA) configuration.
- Make the standby device forced offline
- create a new local db user in the online device
- bring back the standby device online.

Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.

Workaround:
None

Fix:
Fixed the issue by handling the forced offline scenario.

Fixed Versions:
14.1.4.5, 15.1.4.1

932137-5 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Links to More Info: BT932137

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2

932133-2 : Payloads with large number of elements in XML take a lot of time to process

Links to More Info: BT932133

Component: Application Security Manager

Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.

Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.

Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.

Workaround:
None

Fix:
This fix includes performance improvements for large XML payloads.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2

932065-2 : iControl REST vulnerability CVE-2021-22978

Links to More Info: K87502622, BT932065

932033 : Chunked response may have DATA frame with END_STREAM prematurely

Links to More Info: BT932033

Component: Local Traffic Manager

Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, BIG-IP systems may send the END_STREAM flag before transmitting a whole payload.

Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.

Impact:
A browser may not receive the whole payload, or it may not recognize that the payload has been delivered fully (partially prior to the DATA frame with END_STREAM flag, partially after the frame).

Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.

Fix:
BIG-IP systems no longer send a DATA frame with END_STREAM flag prematurely when a connection to a client is congested.

Fixed Versions:
14.1.4, 15.1.2

931837-1 : NTP has predictable timestamps

Links to More Info: K55376430, BT931837

931513-3 : TMM vulnerability CVE-2021-22977

Links to More Info: K14693346, BT931513

930905-4 : Management route lost after reboot.

Links to More Info: BT930905

Component: TMOS

Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.

Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).

-- The instance is rebooted.

Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.

Workaround:
Use either of the following workarounds:

-- Delete the route completely and reinstall the route.

-- Restart mcpd:
bigstart restart mcpd

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1

930741-2 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

Links to More Info: BT930741

Component: TMOS

Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.

One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.

Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.

Impact:
Traffic disruption caused by the reboot.

Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2

930385-3 : SSL filter does not re-initialize when an OCSP object is modified

Links to More Info: BT930385

Component: Local Traffic Manager

Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.

Then, modify the OCSP object to DNS resolver ns2.

After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.

Conditions:
An OCSP object is configured and modified.

Impact:
The wrong nameserver is used after modification to the OCSP object.

Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.

Fixed Versions:
14.1.3, 15.1.4

930005-2 : Recover previous QUIC cwnd value on spurious loss

Links to More Info: BT930005

Component: Local Traffic Manager

Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.

Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.

Impact:
Inefficient use of bandwidth in the presence of packet reordering.

Workaround:
None.

Fix:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.

Behavior Change:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.

Fixed Versions:
15.1.3, 16.0.1.1

929213-1 : iAppLX packages not rolled forward after BIG-IP upgrade

Links to More Info: BT929213

Component: Device Management

Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.

1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

-> Performing an upgrade

-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX

Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI

Workaround:
The package needs to be uninstalled and installed again for use.

Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again

Fix:
All installed package management LX such as AS3, DO, telemetry, failover extension, service discovery are available after upgrade

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2

929077-2 : Bot Defense allow list does not apply when using default Route Domain and XFF header

Links to More Info: BT929077

Component: Application Security Manager

Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from an IP address that is on the allow list is blocked.

Workaround:
Allow the IP address using an iRule.

Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

929001-3 : ASM form handling improvements

Links to More Info: K48321015, BT929001

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.

Conditions:
- Brute force protection is configured

Impact:
Enforcement not triggered as expected.

Workaround:
N/A

Fix:
ASM now processes forms as expected.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2

928857-2 : Use of OCSP responder may leak X509 store instances

Links to More Info: BT928857

Component: Local Traffic Manager

Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fixed Versions:
14.1.4, 15.1.3

928805-2 : Use of OCSP responder may cause memory leakage

Links to More Info: BT928805

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fixed Versions:
14.1.4, 15.1.3

928789-2 : Use of OCSP responder may leak SSL handshake instances

Links to More Info: BT928789

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.

Workaround:
No workaround.

Fixed Versions:
14.1.4, 15.1.3

928717-3 : [ASM - AWS] - ASU fails to sync

Links to More Info: BT928717

Component: Application Security Manager

Symptoms:
Live Update configuration is not updated.

Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.

Impact:
Automatic signature updates (ASU) fail to sync.

Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:

1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.

Fixed Versions:
14.1.4.4, 15.1.4

928697-2 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT

Links to More Info: BT928697

Component: TMOS

Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.

Conditions:
The initiator sends more than one proposal.

Impact:
Diagnosing connection issues is more difficult.

Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.

Fixed Versions:
15.1.4, 16.0.1.2

928685-2 : ASM Brute Force mitigation not triggered as expected

Links to More Info: K49549213, BT928685

Component: Application Security Manager

Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.

Conditions:
- ASM enabled
- Brute Force mitigation enabled

Impact:
Brute Force mitigation is not triggered as expected.

Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:

when ASM_REQUEST_DONE

{
    if { [catch { HTTP::username } ] } {
     
     log local0. "ERROR: bad username";
     
     ASM::raise bad_auth_header_custom_violation 
   
   }
}

Fix:
Brute Force mitigation is now triggered as expected.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2

928553-3 : LSN64 with hairpinning can lead to a tmm core in rare circumstances

Links to More Info: BT928553

Component: Carrier-Grade NAT

Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.

Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.

Impact:
Tmm cores. Traffic disrupted while tmm restarts.

Workaround:
Disable full proxy config of hairpinning.

Fix:
Tmm does not crash anymore.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

928321-1 : K19166530: XSS vulnerability CVE-2020-27719

Links to More Info: K19166530, BT928321

928037-2 : APM Hardening

Links to More Info: K15310332, BT928037

928029-2 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis

Links to More Info: BT928029

Component: TMOS

Symptoms:
Wrong popup message for switchboot popup "This will restart the chassis. Continue?".

Conditions:
Run "switchboot" command

Impact:
A confusing popup message is displayed.

Workaround:
NA

Fix:
Updated the switchboot popup message "This will restart BIG-IP tenant. Continue?"

Fixed Versions:
14.1.3, 15.1.4

927993-1 : Built-in SSL Orchestrator RPM installation failure

Links to More Info: K97501254, BT927993

Component: SSL Orchestrator

Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:

Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.

Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.

Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.

Workaround:
Step 1. Run the following commands in the BIG-IP command line:

# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')

# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')

# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1

# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done

# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99

---

Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.

---

Step 3. Run the following commands in the BIG-IP command line:

# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2

---

Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.

Fix:
Built-in SSL Orchestrator RPM installation failure

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1

927941-5 : IPv6 static route BFD does not come up after OAMD restart

Links to More Info: BT927941

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted

Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1

927901-4 : After BIG-IP reboot, vxnet interfaces come up as uninitialized

Links to More Info: BT927901

Component: TMOS

Symptoms:
1. After BIG-IP reboots, the vxnet interfaces come up as uninitialized.
2. The driver does not log any issues:
 echo "device driver [client-specific driver info] mlxvf5" >> /config/tmm_init.tcl

Conditions:
Running BIG-IP Virtual Edition (VE) v15.1.0.4 software.

Impact:
Vxnet driver requires manual intervention after reboot.

Workaround:
Tmsh enable/disable interface brings it back up until next reboot.

Fixed Versions:
15.1.0.5

927617-2 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Links to More Info: BT927617

Component: Application Security Manager

Symptoms:
A valid request that should be passed to the backend server is blocked.

Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.

-- The cookie header that contain the valid cookie value is encoded to base64.

Impact:
A request is blocked that should not be.

Workaround:
Disable 'Base64 Decoding' for the desired cookie.

Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

927033-2 : Installer fails to calculate disk size of destination volume

Links to More Info: BT927033

Component: TMOS

Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:

error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.

Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:

[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map

Impact:
Unable to successfully upgrade.

Workaround:
Create the expected symlink manually:

cd /dev/md
ln -s ../md127 _none_\:0

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

926997-1 : QUIC HANDSHAKE_DONE profile statistics are not reset

Links to More Info: BT926997

Component: Local Traffic Manager

Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.

Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.

Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.

Workaround:
Restart tmm to reset all statistics:

Impact of Workaround: Traffic disrupted while tmm restarts.

bigstart restart tmm

Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.

Fixed Versions:
15.1.1, 16.0.1

926973-1 : APM / OAuth issue with larger JWT validation

Links to More Info: BT926973

Component: Access Policy Manager

Symptoms:
When the access profile type is OAuth-RS or ALL, and sends a request with a Bearer token longer than 4080 bytes in the Authorization header to the virtual server, OAuth fails with ERR_NOT_SUPPORTED.

Conditions:
Bearer token longer than 4080 bytes

Impact:
APM oauth fails with ERR_NOT_SUPPORTED.

Workaround:
None.

Fix:
OAuth can now handle bearer tokens longer than 4080 bytes.

Fixed Versions:
15.1.5

926929-3 : RFC Compliance Enforcement lacks configuration availability

Links to More Info: BT926929

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that require certain constructions after a header name may not function.

Workaround:
None

Fix:
A configuration item has been introduced to manage RFC-compliance options.

In releases 13.1.4, 14.1.4, 15.1.2.1 and 16.0.1.2 and in subsequent releases in those families, a global flag is used to control the enforcement:

    sys db tmm.http.rfc.allowwsheadername

The possible values are "enabled" and "disabled"; the default is "enabled".

In release 16.1.0 and subsequent releases, there are two per-profile options; these have been added to the Configuration Utility's configuration page for HTTP profiles, in the 'Enforcement' section:

-- Enforce RFC Compliance
-- Allow Space Header Name

The following sample output shows how the RFC-compliance and whitespace-enforcement settings might appear in tmsh, if enabled:

(tmos)# list ltm profile http http-wsheader
ltm profile http http-wsheader {
app-service none
defaults-from http
enforcement {
allow-ws-header-name enabled
rfc-compliance enabled
}
proxy-type reverse
}

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2

926593-2 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Links to More Info: BT926593

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

925989 : Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4

Links to More Info: BT925989

Component: Local Traffic Manager

Symptoms:
After upgrade to v15.1.0.4, config does not load. Logs show:

-- err mcpd[11863]: 01b50049:3: FipsUserMgr Error: Master key load failure.
-- err mcpd[11863]: 01070712:3: Caught configuration exception (0), FIPS 140 operations not available on this system.
-- err tmsh[14528]: 01420006:3: Loading configuration process failed.

Conditions:
-- Upgrading to v15.1.0.4.
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Cannot upgrade to v15.1.0.4, and the system is offline.

Important: Although you cannot prevent this from happening (except by not upgrading to 15.1.0.4), you can boot back into the previous configuration to recover BIG-IP system operation.

Workaround:
None.

Fixed Versions:
15.1.0.5

925573-6 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted

Links to More Info: BT925573

Component: Access Policy Manager

Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.

Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.

Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
14.1.4, 15.1.3

924961-2 : CVE-2019-20892: SNMP Vulnerability

Links to More Info: K45212738, BT924961

924945-3 : Fail to detach HTTP profile from virtual server

Links to More Info: BT924945

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.

Fixed Versions:
15.1.3, 16.0.1.2, 16.1.1

924929-2 : Logging improvements for VDI plugin

Links to More Info: BT924929

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.

Fix:
Event names along with the exceptions are also seen in the APM log file.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1

924857-1 : Logout URL with parameters resets TCP connection

Links to More Info: BT924857

Component: Access Policy Manager

Symptoms:
TCP connection reset when 'Logout URI Include' configured.

Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
 /logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
 /logoff.html?a=b

Impact:
TCP connection resets, reporting BIG-IP APM error messages.

'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.


Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.

Workaround:
None

Fix:
The system now ignores unsupported query parameters.

Fixed Versions:
14.1.4.5, 15.1.2, 16.0.1.2

924521-2 : OneConnect does not work when WEBSSO is enabled/configured.

Links to More Info: BT924521

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.

Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.

Fixed Versions:
14.1.4.3, 15.1.4

924493-2 : VMware EULA has been updated

Links to More Info: BT924493

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

924429-2 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Links to More Info: BT924429

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.

Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

924349-2 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP

Component: Service Provider

Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.

Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses

Impact:
Unable to see multiple HostIPAddress in CER/CEA

Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1

924301-1 : Incorrect values in REST response for DNS/SIP

Links to More Info: BT924301

Component: Application Visibility and Reporting

Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.

Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached

Impact:
An incorrect value is calculated in the REST response.

Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation

Fixed Versions:
15.1.2, 16.0.1.1

923301-2 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group

Links to More Info: BT923301

Component: Application Security Manager

Symptoms:
From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.

Conditions:
Automatic installation of ASU on manual sync setup.

Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.

Workaround:
Manually sync the device group.

Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

923125-2 : Huge amount of admd processes caused oom

Links to More Info: BT923125

Component: Anomaly Detection Services

Symptoms:
The top command shows that a large number of admd processes are running.

Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.

Impact:
Memory is exhausted.

Workaround:
Restart admd:
bigstart restart admd

Fix:
This issue no longer occurs.

Fixed Versions:
14.1.3.1, 15.1.2

922785-2 : Live Update scheduled installation is not installing on set schedule

Links to More Info: BT922785

Component: Application Security Manager

Symptoms:
A scheduled live update does not occur at the scheduled time.

Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.

Impact:
Automated installation does not initiate

Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

922665-2 : The admd process is terminated by watchdog on some heavy load configuration process

Links to More Info: BT922665

Component: Anomaly Detection Services

Symptoms:
The watchdog process in the BIG-IP ASM monitors terminates the admd process.

Conditions:
On some heavy load configuration process, such as version upgrade.

Impact:
Restart of admd daemon. The restarts may be continuous. No stress-based anomaly detection or behavioral statistics aggregation until admd restarts.

Workaround:
For the case of continuous restarts, a partial solution is to disable admd during busy periods such as upgrades. To do so, issue the following two commands, in sequence, after the upgrade is complete:

bigstart stop admd
bigstart start admd

Fixed Versions:
14.1.4.5, 15.1.5

922597-2 : BADOS default sensitivity of 50 creates false positive attack on some sites

Links to More Info: BT922597

Component: Anomaly Detection Services

Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.

Conditions:
This can occur for some requests that have high latency and low TPS.

Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.

Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500

For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.

The results is that the attack is declared later than for the default value, but it is declared and the site is protected.

Fix:
Default sensitivity value 500 now illuminates false positive DoS attacks declaration.

Fixed Versions:
14.1.4, 15.1.3

922297-2 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Links to More Info: BT922297

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

You see the following log entries in /var/log/tmm:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.

Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).

Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2

922261-2 : WebSocket server messages are logged even it is not configured

Links to More Info: BT922261

Component: Application Security Manager

Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.

Impact:
Remote logging server overloaded with unexpected WebSocket messages.

Workaround:
Set response-logging=illegal in all remote logging profiles.

Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

922185-1 : LDAP referrals not supported for 'cert-ldap system-auth'

Links to More Info: BT922185

Component: TMOS

Symptoms:
Admin users are unable to log in.

Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.

Impact:
The cert-ldap authentication does not work, so login fails.

Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

922105-3 : Avrd core when connection to BIG-IQ data collection device is not available

Links to More Info: BT922105

Component: Application Visibility and Reporting

Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.

Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.

Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.

Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:

tmsh modify analytics global-settings use-offbox disabled

Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2

921881-2 : Use of IPFIX log destination can result in increased CPU utilization

Links to More Info: BT921881

Component: Local Traffic Manager

Symptoms:
-- Increased baseline CPU.

- The memory_usage_stats table shows a continuous increase in mds_* rows.

Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.

Impact:
Increased baseline CPU may result in exhaustion of CPU resources.

Workaround:
Limiting changes to associated configuration can slow the effects of this issue.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

921721-1 : FIPS 140-2 SP800-56Arev3 compliance

Links to More Info: BT921721

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.

Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.

Fixed Versions:
14.1.3, 15.1.3

921677-2 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.

Links to More Info: BT921677

Component: Application Security Manager

Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:

Bot defense profile <profile full name> error: match-order should be unique.

Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.

2. Delete item with the value: match-order 2 (in tmsh), and save.

3. Switch to the GUI, add new allow list item, and save.

Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.

Workaround:
Drag between two items, and then drag back.

Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

921625-2 : The certs extend function does not work for GTM/DNS sync group

Links to More Info: BT921625

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.

-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1

921421-3 : iRule support to get/set UDP's Maximum Buffer Packets

Links to More Info: BT921421

Component: Local Traffic Manager

Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.

Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.

Impact:
Unable to dynamically change the max buffer packets setting in an iRule.

Workaround:
None

Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts

Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

921369 : Signature verification for logs fails if the log files are modified during log rotation

Links to More Info: BT921369

Component: TMOS

Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.

Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs

Impact:
Signature verification may fail on rotated log files.

Fix:
Fixed an issue with signature verification failing on valid log files.

Fixed Versions:
15.1.1

921365-1 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby

Links to More Info: BT921365

Component: TMOS

Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.

Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs

This is a timing issue and can occur intermittently during a normal failover.

Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.

Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).

Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.

Fixed Versions:
15.1.4, 16.1.2

921361-2 : SSL client and SSL server profile names truncated in GUI

Links to More Info: BT921361

Component: TMOS

Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.

Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.

Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.

Note: The fields remain at the limited width even when the browser window is maximized.

Workaround:
Use tmsh to see the full SSL client and SSL server name.

Fixed Versions:
15.1.1, 16.0.1.1

921337-2 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976

Links to More Info: K88230177, BT921337

921181 : Wrong error message upon bad credential stuffing configuration

Links to More Info: BT921181

Component: BIG-IP Risk Engine

Symptoms:
When you try to configure credential stuffing and provide invalid parameters, you see a misleading error:

HTML Tag-like Content in the Request URL/Body

Conditions:
Configuration of bad ApplicationID, Access Token or wrong service type, generates a validation error, but the error message is confusing.

Impact:
A misleading error is displayed.

Workaround:
None.

Fix:
Wrong error message upon bad credential stuffing configuration has been corrected.

Fixed Versions:
15.1.2.1

921065 : BIG-IP systems not responding to DPD requests from initiator after failover

Links to More Info: BT921065

Component: TMOS

Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of IKE tunnel peer as well as the BIG-IP system.

Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.

Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.

Workaround:
None.

Fix:
Fixed an issue with the BIG-IP system not responding to DPD requests after failover.

Fixed Versions:
15.1.4

920961-2 : Devices incorrectly report 'In Sync' after an incremental sync

Links to More Info: BT920961

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
   # tmsh modify ltm policy <LTM Policy Name> legacy

Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

920361-2 : Standby device name sent in Traffic Statistics syslog/Splunk messages

Links to More Info: BT920361

Component: Advanced Firewall Manager

Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.

Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.

Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.

Workaround:
None.

Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.

Fixed Versions:
14.1.3.1, 15.1.1

920301-1 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy

Links to More Info: BT920301

Component: TMOS

Symptoms:
When the device has high CPU or I/O rate, it can cause the JavaScript Obfuscator to run multiple times simultaneously, causing even higher CPU usage.

Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.

Impact:
High CPU Usage.

Workaround:
None.

Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.

Fixed Versions:
14.1.3.1, 15.1.2

920197-3 : Brute force mitigation can stop mitigating without a notification

Links to More Info: BT920197

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

920149-1 : Live Update default factory file for Server Technologies cannot be reinstalled

Links to More Info: BT920149

Component: Application Security Manager

Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.

Conditions:
This occurs:

-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.

Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1

919989-2 : TMM does not follow TCP best practices

Links to More Info: K64571774, BT919989

919841-3 : AVRD may crash while processing Bot Defense traffic

Links to More Info: K45143221, BT919841

919745-2 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Links to More Info: BT919745

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.

Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1

919553-2 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Links to More Info: BT919553

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1

919465-2 : A dwbld core on configuration changes on IP Intelligence policy

Links to More Info: BT919465

Component: Advanced Firewall Manager

Symptoms:
A dwbld core occurs on configuration changes on IP Intelligence policy.

Conditions:
Configuration changes on IP Intelligence policy with assigned feed-list.

Impact:
A dwbld restart. Enforcement of dynamic white/black configuration does not occur while dwbld restarts.

Workaround:
None.

Fix:
Feed-list entries should not be present in list of entries with expiration.

Fixed Versions:
15.1.5

919381-1 : Extend AFM subscriber aware policy rule feature to support multiple subscriber groups

Component: Advanced Firewall Manager

Symptoms:
Currently AFM does not have support to match rules against multiple subscriber policies

Conditions:
-- AFM provisioned
-- You wish to match rules against multiple subscriber policies

Impact:
AFM rules cannot be matched against multiple subscriber policies

Workaround:
None

Fix:
Enhancing the AFM rules matching against multiple subscriber policies

Fixed Versions:
15.1.2.1

919305-2 : Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS

Links to More Info: BT919305

Component: TMOS

Symptoms:
Appliance mode does not enable on BIG-IP 14.1.x tenants deployed on VELOS

Conditions:
A BIG-IP 14.1.3 tenant is deployed on VELOS with Appliance Mode enabled.

Impact:
The appliance mode restriction is not working as expected. The root account still has bash access.

Fix:
Appliance mode will function when configured on a BIG-IP tenant deployed on VELOS

Fixed Versions:
15.1.4

919301-3 : GTP::ie count does not work with -message option

Links to More Info: BT919301

Component: Service Provider

Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:

wrong # args: should be "-type <ie-path>"

Conditions:
Issue the 'GTP::ie count' command with -message command, for example:

GTP::ie count -message $m -type apn

Impact:
iRules fails and it could cause connection abort.

Workaround:
Swap order of argument by moving -message to the end, for example:

GTP::ie count -type apn -message $m

There is a warning message due to iRules validation, but the command works in runtime.

Fix:
'GTP::ie' count is now working with -message option.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

919001-2 : Live Update: Update Available notification is shown twice in rare conditions

Links to More Info: BT919001

Component: Application Security Manager

Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.

Conditions:
This can be encountered on the first load of the Live Update page.

Impact:
Notification is shown twice.

Workaround:
None.

Fix:
Notification is shown only once in all cases.

Fixed Versions:
14.1.2.8, 15.1.2, 16.0.1.1

918933-2 : The BIG-IP ASM system may not properly perform signature checks on cookies

Links to More Info: K88162221, BT918933

Component: Application Security Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1

918717-2 : Exception at rewritten Element.innerHTML='<a href></a>'

Links to More Info: BT918717

Component: Access Policy Manager

Symptoms:
If the "href" attribute of an anchor tag in a web application does not have any value, an exception will be thrown.

Conditions:
-- Rewrite enabled
-- The href attribute of an anchor tag on a web page does not have a value, for example:

<script>
    d = document.createElement('div')
    try {
      d.innerHTML = "<a href b=1>click</a>"
    }catch(e){
      alert(e.message);
    }
  </script>

Impact:
Web page does not load properly.

Workaround:
Find the "href" attributes of anchor tag and give some empty value to it:

Before:
<a href></a>

After:
<a href=""></a>

Fix:
Fixed an issue with rewrite of anchors that contain an empty href attribute.

Fixed Versions:
15.1.4.1

918597-5 : Under certain conditions, deleting a topology record can result in a crash.

Links to More Info: BT918597

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2

918317-2 : SSL Orchestrator resets subsequent requests when HTTP services are being used.

Links to More Info: BT918317

Component: SSL Orchestrator

Symptoms:
When connections are reused for subsequent requests, the subsequent requests might get aborted with reset cause 'connector service reconnected'.

Conditions:
SSL Orchestrator with HTTP services and multiple requests in a connection.

Impact:
Subsequent requests might get aborted with reset cause 'connector service reconnected'.

Workaround:
None

Fix:
SSL Orchestrator no longer aborts subsequent requests in the same connection.

Fixed Versions:
14.1.4.4, 15.1.4

918209-3 : GUI Network Map icons color scheme is not section 508 compliant

Links to More Info: BT918209

Component: TMOS

Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.

Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.

Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1

918169-1 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Links to More Info: BT918169

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.

Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1

918097-3 : Cookies set in the URI on Safari

Links to More Info: BT918097

Component: Application Security Manager

Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.

Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.

Impact:
A cookie is set on the URL.

Workaround:
None.

Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.

Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.

This is done by a new BigDB variable:
tmsh modify botdefense.safari_redirect_no_cookie_mode value disable

Default value is the original behavior (enable), which sets the cookie in the URl.

NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

918081-1 : Application Security Administrator role cannot create parent policy in the GUI

Links to More Info: BT918081

Component: Application Security Manager

Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created

Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to logon to the GUI and try to create/edit the parent policy.

Impact:
The following actions are restricted to accounts with roles Application Security Administrator:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.

Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.

Fix:
The Application Security Administrator role can now create the parent policy when required.

Fixed Versions:
15.1.1, 16.0.1.1

917509-3 : BIG-IP ASM vulnerability CVE-2020-27718

Links to More Info: K58102101, BT917509

917469-2 : TMM may crash while processing FPS traffic

Links to More Info: K53821711, BT917469

917005-5 : ISC BIND Vulnerability: CVE-2020-8619

Links to More Info: K19807532

916969-3 : Support of Microsoft Identity 2.0 platform

Links to More Info: BT916969

Component: Access Policy Manager

Symptoms:
BIG-IP does not support Template for Microsoft Identity Platform 2.0.

Conditions:
This is encountered if you want to use Template for Microsoft Identity Platform 2.0 as an identity provider.

Impact:
Unable to configure Microsoft Identity Platform 2.0 on BIG-IP.

Workaround:
OAuth provider has a custom template which provides the ability to configure and discover using new endpoints.

Fixed Versions:
14.1.4, 15.1.3

916821-2 : iControl REST vulnerability CVE-2021-22974

Links to More Info: K68652018, BT916821

916781-1 : Validation error while attaching DoS profile to GTP virtual

Links to More Info: BT916781

Component: Service Provider

Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.

Conditions:
Attach DoS security profile to GTP virtual server.

Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.

Workaround:
None.

Fix:
Create GTP virtual profile and attach DoS security profile to it. No validation error should be reported.

Fixed Versions:
15.1.4, 16.0.1

916753-2 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core

Links to More Info: BT916753

Component: Global Traffic Manager (DNS)

Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.

Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:

    RESOLV::lookup @/Common/my_dns_virtual www.example.com

Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.

For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:

instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53

Fixed Versions:
15.1.2, 16.0.1.1

916589-2 : QUIC drops 0RTT packets if CID length changes

Links to More Info: BT916589

Component: Local Traffic Manager

Symptoms:
QUIC sometimes rejects valid 0RTT packets.

Conditions:
-- QUIC enabled.
-- The Connection ID length assigned by the client for the server's CID does not match what the server assigned.

Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.

Workaround:
None.

Fix:
Fixed an issue with 0RTT packets when using QUIC.

Fixed Versions:
15.1.0.5, 16.0.1.1

915957-1 : The wocplugin may get into a restart loop when AAM is provisioned

Links to More Info: BT915957

Component: Local Traffic Manager

Symptoms:
When AAM is provisioned the wocplugin resource allocation may fail, which could result in a restart loop of the plugin. This renders the AAM module nonfunctional.

Conditions:
Application Acceleration Manager (AAM) is provisioned

Impact:
AAM is not functional

Workaround:
None

Fix:
The wocplugin is now correctly provisioned and runs without restarts.

Fixed Versions:
14.1.3, 15.1.2

915825-2 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Links to More Info: BT915825

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1

915773-1 : Restart of TMM after stale interface reference

Links to More Info: BT915773

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2

915713-2 : Support QUIC and HTTP3 draft-29

Links to More Info: BT915713

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.

Conditions:
Browser requests draft-29.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-29 and draft-28, and has removed draft-27 support.

Fixed Versions:
15.1.1, 16.0.1.1

915689-1 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Links to More Info: BT915689

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1

915605-6 : Image install fails if iRulesLX is provisioned and /usr mounted read-write

Links to More Info: K56251674, BT915605

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume as one of the following:

-- Could not access configuration source.
-- Unable to get hosting system product info.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1

915509-1 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true

Links to More Info: BT915509

Component: Access Policy Manager

Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).

Conditions:
RADIUS Auth with 'show-extended-error' enabled.

Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.4.1

915497-2 : New Traffic Class Page shows multiple question marks.

Links to More Info: BT915497

Component: TMOS

Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.

Conditions:
This is encountered when creating a new Traffic Class.

Impact:
Multi-byte characters are displayed incorrectly.

Workaround:
None.

Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.

Fixed Versions:
14.1.3.1, 15.1.0.5, 16.0.1.1

915489-2 : LTM Virtual Server Health is not affected by iRule Requests dropped

Links to More Info: BT915489

Component: Anomaly Detection Services

Symptoms:
Virtual Server Health should not take into account deliberate drop requests.

Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.

Impact:
Server Health reflects it is overloading status more precisely.

Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.

Fix:
Virtual Server Health is no longer affected while dropping requests using iRules.

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1

915305-5 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Links to More Info: BT915305

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1

915281-2 : Do not rearm TCP Keep Alive timer under certain conditions

Links to More Info: BT915281

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

914761-3 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.

Links to More Info: BT914761

Component: TMOS

Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:

Unexpected Error: UCS saving process failed.

Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.

Impact:
UCS file is not successfully saved and backup fails.

Workaround:
None.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1.1

914681-2 : Value of tmm.quic.log.level can differ between TMSH and GUI

Links to More Info: BT914681

Component: Local Traffic Manager

Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.

Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.

Impact:
Misleading log level displayed in the GUI.

Workaround:
Use TMSH to set and view values for tmm.quic.log.level.

Fix:
GUI values for tmm.quic.log.level are now displayed properly.

Fixed Versions:
15.1.0.5, 16.0.1.1

914649-3 : Support USB redirection through VVC (VMware virtual channel) with BlastX

Links to More Info: BT914649

Component: Access Policy Manager

Symptoms:
USB is unavailable after opening VMware View Desktop.

Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client

Impact:
USB is unavailable after opening VMware View Desktop

Workaround:
None.

Fix:
USB is now available after opening VMware View Desktop

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

914293-3 : TMM SIGSEGV and crash

Links to More Info: BT914293

Component: Anomaly Detection Services

Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.

Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.

Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.

Fix:
Fixed a tmm crash related to iRules and Behavioral DoS policies.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

914277-2 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU

Links to More Info: BT914277

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.

Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable

In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.

Fix:
Automatic downloads are quietly synced and do not have an impact on the device group sync status.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.0.1.2

914245-2 : Reboot after tmsh load sys config changes sys FPGA firmware-config value

Links to More Info: BT914245

Component: TMOS

Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.

Chmand reports errors:

chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]

Conditions:
Running either of the following commands:

tmsh load sys config
/etc/init.d/fw_update_post reload

Impact:
Firmware update fails.

Workaround:
Use this procedure:

1. Mount /usr:
mount -o rw,remount /usr

2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload

3. Reload systemctl:
systemctl daemon-reload

4. Reload the file:
/etc/init.d/fw_update_post reload

Fix:
Added the reload option in fw_update_post service file.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

914081-1 : Engineering Hotfixes missing bug titles

Links to More Info: BT914081

Component: TMOS

Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).

-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.

Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.

Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.

Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).

Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.

For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.

Fix:
BIG-IP Engineering Hotfixes now include the summary titles for fixed bugs that have been published via Bug Tracker.

Fixed Versions:
14.1.4, 15.1.3

913849-1 : Syslog-ng periodically logs nothing for 20 seconds

Links to More Info: BT913849

Component: TMOS

Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.

Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)

Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.

Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.

Workaround:
None.

Fix:
F5 patched syslog-ng to use a lower 1-second, 0-retries timeout back in 13.0.0, but this patch was made ineffective by the upgrade to centos 7 in 14.1.0. This fixes the patch so that it works again.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

913829-4 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence

Links to More Info: BT913829

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.

For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.

Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.

Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.

You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue. dag2.pu.table.size.multiplier.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2

913761-2 : Security - Options section in navigation menu is visible for only Administrator users

Links to More Info: BT913761

Component: Application Security Manager

Symptoms:
The Security - Options section in the left navigation menu is visible for only for user accounts configured with the Administrator role.

Conditions:
You logged in as a user configured with a role other than Administrator.

Impact:
No direct access to many settings that are available only for user account configured with the Administrator role.

Workaround:
Direct links to the pages work for those with the appropriate roles.

Fix:
Security - Options section is available for all user roles when at least one of the following is enabled:
-- ASM
-- DoS
-- FPS
-- AFM

Fixed Versions:
15.1.1, 16.0.1.2

913757-1 : Error viewing security policy settings for virtual server with FTP Protocol Security

Links to More Info: BT913757

Component: Application Security Manager

Symptoms:
The system reports an error message when trying to navigate to 'Security :: Policies' under virtual server properties:

An error has occurred while trying to process your request.

Conditions:
-- An FTP or SMTP profile with protocol security enabled is attached to a virtual server.
-- Attempt to navigate to 'Security :: Policies'.

Impact:
-- No policies appear. You cannot perform any operations on the 'Security :: Policies' screen.
-- The following error message appears instead:

An error has occurred while trying to process your request.

Workaround:
As long as an FTP or SMTP profile with protocol security enabled is defined under virtual server properties (in another words, it is attached to a virtual server), this issue recurs. There are no true workarounds, but you can avoid the issue by using any of the following:

-- Use another profile, such as HTTP.
-- Set the FTP/SMTP profile under the virtual server settings to None.
-- Remove the profile via the GUI or the CLI (e.g., you can remove the profile from the virtual server in tmsh using this command:

 tmsh modify ltm virtual /Common/test-vs { profiles delete { ftp_security } }

Fix:
You can now attach FTP or SMTP profile with protocol security enabled and navigate to 'Security :: Policies' without error.

Fixed Versions:
15.1.2.1, 16.0.1.1

913729-5 : Support for DNSSEC Lookaside Validation (DLV) has been removed.

Links to More Info: BT913729

Component: Global Traffic Manager (DNS)

Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.

Conditions:
Attempting to use DLV.

Impact:
Cannot use DLV.

Workaround:
None. DLV is no longer supported.

Fix:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV). If you roll forward a configuration that contains this feature, the system removes it from the configuration and prints a log message.

Behavior Change:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV).

Fixed Versions:
15.1.4, 16.0.1.2

913453-5 : URL Categorization: wr_urldbd cores while processing urlcat-query

Links to More Info: BT913453

Component: Traffic Classification Engine

Symptoms:
The webroot daemon (wr_urldbd) cores.

Conditions:
This can occur while passing traffic when webroot is enabled.

Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.

Workaround:
None.

Fix:
Fixed a core with wr_urldb.

Fixed Versions:
14.1.4.4, 15.1.4

913433-3 : On blade failure, some trunked egress traffic is dropped.

Links to More Info: BT913433

Component: TMOS

Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.

Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)

Workaround:
None.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1

913413-3 : 'GTP::header extension count' iRule command returns 0

Links to More Info: BT913413

Component: Service Provider

Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).

Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.

Impact:
The command returns false information.

Workaround:
None

Fix:
'GTP::header extension count' command now returns number of header extension correctly.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

913373-2 : No connection error after failover with MRF, and no connection mirroring

Links to More Info: BT913373

Component: Service Provider

Symptoms:
-- Unable to establish MRF connection after failover.
-- Error reports 'no connection'.

Conditions:
- MRF configured.
- Using iRule for routing.
-- Failover occurs.

Impact:
Unable to establish new connection until existing sessions time out. No message is reported explaining the circumstances.

Workaround:
Any of the following:
-- Enable connection mirroring on the virtual server.
-- Disable session mirroring.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

913249-2 : Restore missing UDP statistics

Links to More Info: BT913249

Component: Local Traffic Manager

Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

Conditions:
Viewing UDP statistics.

Impact:
Unable to view these UDP statistics.

Workaround:
None.

Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

913137-1 : No learning suggestion on ASM policies enabled via LTM policy

Links to More Info: BT913137

Component: Application Security Manager

Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.

Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.

This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.

Impact:
No learning suggestions.

Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.

Fix:
Policy builder now classifies non-bot traffic and applies learning suggestions.

Fixed Versions:
15.1.2, 16.0.1.1

913085-1 : Avrd core when avrd process is stopped or restarted

Links to More Info: BT913085

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

Fix:
Avrd no longer cores when avrd process is stopped or restarted.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1

912969-2 : iAppsLX REST vulnerability CVE-2020-27727

Links to More Info: K50343630, BT912969

912945-2 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed

Links to More Info: BT912945

Component: Local Traffic Manager

Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.

Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.

Impact:
The incorrect client SSL profile is selected.

Workaround:
Configure the 'Server Name' option in the client SSL profile.

Fix:
Fixed an issue with client SSL profile selection.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

912425-3 : Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash

Links to More Info: BT912425

Component: Local Traffic Manager

Symptoms:
Modification of in-TMM monitors may result in TMM crashing, or the changes to the monitor configuration not taking effect, or only taking effect for some monitor instances.

Conditions:
TMM may crash under some of the following conditions:

-- Performing configuration sync
-- Deleting and recreating monitor and SSL profile configurations.

Changes to monitor configuration may not take effect under the following conditions:

-- Modifying the SSL profile assigned to a monitor.
-- A monitor instance is currently in progress.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Disable in-TMM monitors.

Fix:
This issue is now fixed.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

912289-1 : Cannot roll back after upgrading on certain platforms

Links to More Info: BT912289

Component: Local Traffic Manager

Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

- BIG-IP v12.1.6 or later in the v12.x branch of code
- BIG-IP v13.1.4 or later in the v13.x branch of code
- BIG-IP v14.1.4 or later in the v14.x branch of code
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

-- Upgrade the software to one of the following software versions:

  + BIG-IP v12.1.6 or later in the v12.x branch of code
  + BIG-IP v13.1.4 or later in the v13.x branch of code
  + BIG-IP v14.1.4 or later in the v14.x branch of code
  + BIG-IP v15.1.1 or later in the v15.x branch of code
  + BIG-IP v16.0.0 or later

-- Attempt to roll back to a previous version.

Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.

Workaround:
None.

Fix:
Contact F5 Support for the reversion process if this is required.

Behavior Change:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

The particular platforms are:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

The particular software versions are:
  + BIG-IP v12.1.6 or later in the v12.x branch of code
  + BIG-IP v13.1.4 or later in the v13.x branch of code
  + BIG-IP v14.1.4 or later in the v14.x branch of code
  + BIG-IP v15.1.1 or later in the v15.x branch of code
  + BIG-IP v16.0.0 or later

Fixed Versions:
12.1.6, 14.1.4, 15.1.1

912221-1 : CVE-2020-12662 & CVE-2020-12663

Links to More Info: K37661551, BT912221

912149-5 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'

Links to More Info: BT912149

Component: Application Security Manager

Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:

/var/log/:

asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.

ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0

Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.

Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.

Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.

-- Security log profile changes are not propagated to other devices.

-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.

-- Policies with learning enabled do not generate learning suggestions.

Workaround:
Restart asm_config_server on the units in the device group.

# pkill -f asm_config_server

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

912089-2 : Some roles are missing necessary permission to perform Live Update

Links to More Info: BT912089

Component: Application Security Manager

Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.

Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.

Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.

Workaround:
None.

Fix:
The following roles can now perform live-update:
- Administrator
- Web Application Security Administrator
- Resource Administrator
- Application Security Operations Administrator

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

912001-3 : TMM cores on secondary blades of the Chassis system.

Links to More Info: BT912001

Component: Global Traffic Manager (DNS)

Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:

tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307

Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.

Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.

Workaround:
1) Create another virtual server with a DNS profile to use configured to use the local bind server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2

911809-2 : TMM might crash when sending out oversize packets.

Links to More Info: BT911809

Component: TMOS

Symptoms:
TMM crashes with an assert; Drop assertion similar to the following:
notice panic: ../dev/ndal/ndal.c:758: Assertion "pkt length cannot be greater than MAX_PKT_LEN" failed.

Conditions:
-- Xnet driver is used in BIG-IP Virtual Edition (VE).
-- TMM tries to send oversize packets.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
14.1.3.1, 15.1.2

911761-2 : F5 TMUI XSS vulnerability CVE-2020-5948

Links to More Info: K42696541, BT911761

911729-2 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value

Links to More Info: BT911729

Component: Application Security Manager

Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.

Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.

Impact:
Redundant learning suggestion is issued.

Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.

Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

911141-3 : GTP v1 APN is not decoded/encoded properly

Links to More Info: BT911141

Component: Service Provider

Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.

Conditions:
- GTP version 1.
- APN element.

Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.

Workaround:
Use iRules to convert between octetstring and dotted style domain name values.

Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.

Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

911041-3 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash

Links to More Info: BT911041

Component: Local Traffic Manager

Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.

Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.

Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.

Fixed Versions:
14.1.3.1, 15.1.2.1, 16.0.1.2

910653-5 : iRule parking in clientside/serverside command may cause tmm restart

Links to More Info: BT910653

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.

Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.

For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.

Fix:
iRule parking in clientside/serverside command no longer causes tmm to restart.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

910633-1 : Continuous 'neurond restart' message on console

Links to More Info: BT910633

Component: Performance

Symptoms:
Neurond continuous restart after some TurboFlex configuration changes.

Conditions:
TurboFlex configuration modifications change underlying firmware without automatic reboot triggered.

Impact:
Features that utilize Neuron are not available.

Workaround:
Reboot the system.

Fixed Versions:
15.1.4

910521-2 : Support QUIC and HTTP draft-28

Links to More Info: BT910521

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-25 and draft-27. IETF has released draft-28.

Conditions:
Browser requests draft-28.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-28 and draft-27, and has removed draft-25 support.

Fixed Versions:
15.1.0.5, 16.0.1

910517-1 : TMM may crash while processing HTTP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic

Conditions:
- Client HTTP profile
- Server SSL profile
- Server HTTP/2 profile
- Undisclosed request conditions

Impact:
TMM may crash, leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes HTTP traffic as expected

Fixed Versions:
14.1.4.5, 15.1.4.1

910417-2 : TMM core may be seen when reattaching a vector to a DoS profile

Links to More Info: BT910417

Component: Advanced Firewall Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the tracker when deleting to ensure delete of the same tracker that was created, so there is no error.

Fixed Versions:
14.1.4, 15.1.2, 16.0.1.2

910253-2 : BD error on HTTP response after upgrade

Links to More Info: BT910253

Component: Application Security Manager

Symptoms:
After upgrade, some requests can cause BD errors on response:

BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040

IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Upgrading BIG-IP systems to v15.0.0 or later from versions earlier than v15.0.0.
-- ASM policy is configured on a virtual server.

Impact:
For some requests, the response can arrive truncated or not arrive at all.

Workaround:
Add an iRule that deletes ASM cookies:

when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Note: Performing this workaround affects cookie-related violations (they may need to be disabled to use this workaround), session, and login protection.

Fixed Versions:
15.1.3, 16.0.1.1

910201-3 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Links to More Info: BT910201

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1

910177 : Poor HTTP/3 throughput

Links to More Info: BT910177

Component: Local Traffic Manager

Symptoms:
HTTP/3 throughput is poor.

Conditions:
Virtual Server configured with an HTTP/3 profile.

Impact:
Performance might be severely degraded.

Workaround:
There is no alternative other than not using the HTTP/3 profile.

Fix:
Erroneously enabled debug logs are now turned off, so performance is improved.

Fixed Versions:
15.1.0.4

910097-2 : Changing per-request policy while tmm is under traffic load may drop heartbeats

Links to More Info: BT910097

Component: Access Policy Manager

Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash

Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

910017-2 : Security hardening for the TMUI Interface page

Links to More Info: K21540525, BT910017

909837-1 : TMM may consume excessive resources when AFM is provisioned

Links to More Info: K05204103, BT909837

909673 : TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms

Links to More Info: BT909673

Component: TMOS

Symptoms:
TMM crashes when VLAN SYN cookie feature is used.

Conditions:
-- Configuring for VLAN SYN cookie use.
-- Running on iSeries i2800/i2600 and i4800/i4600 platforms.

Impact:
Tmm crashes and traffic processing stops. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
VLAN SYN cookie processing now functions as expected.

Fixed Versions:
15.1.0.4

909237-6 : CVE-2020-8617: BIND Vulnerability

Links to More Info: K05544642

909233-6 : DNS Hardening

Links to More Info: K97810133, BT909233

909197-3 : The mcpd process may become unresponsive

Links to More Info: BT909197

Component: TMOS

Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.

Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.

Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.

Workaround:
None.

Fix:
Fixed handling of malformed messages by mcpd, so the problem should no longer occur.

Fixed Versions:
14.1.4, 15.1.4.1, 16.0.1.1

909161-3 : A core file is generated upon avrd process restart or stop

Links to More Info: BT909161

Component: Application Visibility and Reporting

Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.

Conditions:
Avrd process is stopped or restarted.

Impact:
Avrd creates a core file but there is no other negative impact to the system.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

908873-1 : Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core

Links to More Info: BT908873

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached.
-- Certain scenarios where the proxy goes into passthrough mode.

This was encountered during internal testing of a certain iRule configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
15.1.2

908673-5 : TMM may crash while processing DNS traffic

Links to More Info: K43850230, BT908673

908621-2 : Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core

Links to More Info: BT908621

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached to it.
-- Certain scenarios where the proxy goes into passthrough mode.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now correctly manages proxy handling of passthrough mode in specific scenarios, so the tmm crash no longer occurs.

Fixed Versions:
14.1.4.1, 15.1.2

908601-2 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option

Links to More Info: BT908601

Component: TMOS

Symptoms:
When the BIG-IP system boots, mcpd continually restarts.

Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.

Impact:
The BIG-IP system is unable to complete the boot process and become active.

Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.

Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.

You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.


If the system is already in the defective state, use this shell command, and then reboot:

touch /.tmos.platform.init

The problem should be resolved.

Fix:
Running 'diskinit' from MOS with the '--style=volumes' option no longer causes continuous mcpd restarts.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2

908517-3 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'

Links to More Info: BT908517

Component: TMOS

Symptoms:
LDAP authentication fails with an error message:

err nslcd[2867]: accept() failed: Too many open files

Conditions:
This problem occurs when user-template is used instead of Bind DN.

Impact:
You cannot logon to the system using LDAP authentication.

Workaround:
None.

Fix:
LDAP authentication now succeeds when user-template is used.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

908065-2 : Logrotation for /var/log/avr blocked by files with .1 suffix

Links to More Info: BT908065

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.

Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

908021-1 : Management and VLAN MAC addresses are identical

Links to More Info: BT908021

Component: TMOS

Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.

Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.

Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.

Workaround:
None.

Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.3

907765-1 : BIG-IP system does not respond to ARP requests if it has a route to the source IP address

Links to More Info: BT907765

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system receives an ARP request from a source IP address for which it has a route configured, the BIG-IP system does not give an ARP reply.

Conditions:
-- BIG-IP system receives an ARP who-is request for one of its self ip addresses.
-- The source IP address is in a different network, and the BIG-IP system has an L3 route configured for it.

Impact:
BIG-IP does not send an ARP reply.

Workaround:
None.

Fix:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.

Behavior Change:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.

Fixed Versions:
15.1.4

907549-1 : Memory leak in BWC::Measure

Links to More Info: BT907549

Component: TMOS

Symptoms:
Memory leak in BWC calculator.

Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
Memory is not leaked.

Fixed Versions:
15.1.0.5

907337-2 : BD crash on specific scenario

Links to More Info: BT907337

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
A specific scenario that results in memory corruption.

Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.

Workaround:
None.

Fix:
This BD crash no longer occurs.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2

907245-1 : AFM UI Hardening

Links to More Info: K94255403, BT907245

907201-2 : TMM may crash when processing IPSec traffic

Links to More Info: K66782293, BT907201

907025-3 : Live update error" 'Try to reload page'

Links to More Info: BT907025

Component: Application Security Manager

Symptoms:
When trying to update Attack Signatures. the following error message is shown:

Could not communicate with system. Try to reload page.

Conditions:
Insufficient disk space to update the Attack Signature.

Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.

Workaround:
This following procedure restores the database to its default, initial state:

1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.

2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script

3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.

4. Add the following lines to create the live update database schema and set the SA user as expected:

 CREATE SCHEMA PUBLIC AUTHORIZATION DBA
 CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
 CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
 CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
 CREATE USER SA PASSWORD ""
 GRANT DBA TO SA
 SET WRITE_DELAY 20
 SET SCHEMA PUBLIC

5. Restart the tomcat process:
bigstart restart tomcat

Fixed Versions:
14.1.4.5, 15.1.5

906889-4 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Links to More Info: BT906889

Component: TMOS

Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:

  Packets In 2 shows as 016 in the GUI
  Packets Out 0 shows as 8 in the GUI

Workaround:
View statistics in tmsh.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

906885-1 : Spelling mistake on AFM GUI Flow Inspector screen

Links to More Info: BT906885

Component: Advanced Firewall Manager

Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.

Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).

Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.

Workaround:
None.

Fixed Versions:
14.1.2.8, 15.1.2.1

906377-2 : iRulesLX hardening

Links to More Info: K61643620, BT906377

905905-1 : TMUI CSRF vulnerability CVE-2020-5904

Links to More Info: K31301245, BT905905

905557-1 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure

Links to More Info: BT905557

Component: Global Traffic Manager (DNS)

Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and then be restarted.

Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure HSL with only a single log destination.

Fixed Versions:
14.1.4, 15.1.2

905125-2 : Security hardening for APM Webtop

Links to More Info: K30343902, BT905125

904937-2 : Excessive resource consumption in zxfrd

Links to More Info: K25595031, BT904937

904845-2 : VMware guest OS customization works only partially in a dual stack environment.

Links to More Info: BT904845

Component: TMOS

Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).

By default, DHCP is enabled on the management interface.

During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.

Conditions:
Applying a customization profile to VMware VM in a dual stack environment.

Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.

Workaround:
Configure the mgmt interface addresses using the config script.

Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1

904785-1 : Remotely authenticated users may experience difficulty logging in over the serial console

Links to More Info: BT904785

Component: TMOS

Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user

Conditions:
-- Remote authentication (e.g., RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.

Impact:
Remotely authenticated users cannot log in over the serial console.

Workaround:
Using either of the following workaround:

-- Log in over SSH instead

-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1

904705-2 : Cannot clone Azure marketplace instances.

Links to More Info: BT904705

Component: TMOS

Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.

Conditions:
Applies to any Azure marketplace instance.

Impact:
Cannot clone Azure marketplace instances.

Workaround:
None.

Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

904593-1 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled

Links to More Info: BT904593

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the primary device, before the primary has a chance to sync the configuration to the new device, causing the configuration in the primary device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.

Impact:
Configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable

Fixed Versions:
14.1.2.7, 15.1.0.5

904373-3 : MRF GenericMessage: Implement limit to message queues size

Links to More Info: BT904373

Component: Service Provider

Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.

Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.

Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.

Workaround:
None.

Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.

Fixed Versions:
14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1

904165-1 : BIG-IP APM vulnerability CVE-2020-27716

Links to More Info: K51574311, BT904165

904133-1 : Creating a user-defined signature via iControl REST occasionally fails with a 400 response code

Links to More Info: BT904133

Component: Application Security Manager

Symptoms:
Creating user-defined signature via iControl REST occasionally fails with a 400 response code.

Conditions:
You create a user-defined signature via iControl REST via this endpoint:

POST https://<BIG-IP>/mgmt/tm/asm/signatures

Impact:
Signature creation fails with 400 response code:

{
    "code": 400,
    "message": "remoteSender:10.10.10.10, method:POST ",
    "originalRequestBody": "{...}",
    "referer": "10.10.10.10",
    "restOperationId": 6716673,
    "kind": ":resterrorresponse"
}

Fix:
Creating user-defined signatures via REST works correctly.

Fixed Versions:
14.1.4.4, 15.1.4.1

904053-2 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never

Links to More Info: BT904053

Component: Application Security Manager

Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.

Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.

Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.

Workaround:
Disable Learning mode for the Policy disables Cookie hashing.

Note: This affects all learning, not just Cookie hashing.

Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1

904041-2 : Ephemeral pool members may be incorrect when modified via various actions

Links to More Info: BT904041

Component: Local Traffic Manager

Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.

For example:

A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.

B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.

Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"

Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.

Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.

Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.

For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.

Fix:
FQDN ephemeral pool members now better reflect expected states after the corresponding FQDN template pool member is modified by one of several actions such as config load, config sync and BIG-IP restart.

Fixed Versions:
14.1.4.5, 15.1.4.1

903905-2 : BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances

Links to More Info: BT903905

Component: Access Policy Manager

Symptoms:
The TMM process might eventually run out of memory, which can result in a disruption in BIG-IP services.

Conditions:
-- BIG-IP device has been running for 8 weeks or longer without a TMM restart or system reboot.

-- The BIG-IP system's internal risk-policy subsystem (used by the security features) has not been configured to communicate with an external risk-policy server.

-- In a vCMP configuration, the BIG-IP 'host' instance is susceptible, since no security features can be configured in its context.

-- A BIG-IQ device running any BIG-IQ v8.x release prior to 8.1.0.1 is also susceptible.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None.

Fix:
Default configuration of security mechanism no longer causes memory leak in TMM.

Fixed Versions:
15.1.0.3

903581-1 : The pkcs11d process cannot recover under certain error condition

Links to More Info: BT903581

Component: Local Traffic Manager

Symptoms:
When the connection between the BIG-IP system and HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some case.

Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.

Impact:
SSL handshake failure.

Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d

Fix:
Allow pkcs11d to re-initialize on error.

Fixed Versions:
15.1.2.1

903573 : AD group cache query performance

Links to More Info: BT903573

Component: Access Policy Manager

Symptoms:
Active Directory queries are slow.

Conditions:
-- Active Directory (AD) authentication used
-- There are lots of AD caches in the environment, and users are in deeply nested groups.

Impact:
Active Directory query time can be excessive.

Fix:
Improved AD cache optimization.

Fixed Versions:
15.1.4

903561-3 : Autodosd returns small bad destination detection value when the actual traffic is high

Links to More Info: BT903561

Component: Advanced Firewall Manager

Symptoms:
Bad destination detection threshold cannot accurately reflect the actual traffic pattern.

Conditions:
-- Enable bad destination and fully automatic mode.
-- Actual traffic is high.

Impact:
A small bad destination detection value is returned.

Workaround:
None.

Fix:
Fixed the threshold update algorithm.

Fixed Versions:
14.1.4, 15.1.3

903357-2 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers

Links to More Info: BT903357

Component: Application Security Manager

Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.

Workaround:
None.

Fixed Versions:
14.1.2.7, 15.1.1, 16.0.1.1

902485-3 : Incorrect pool member concurrent connection value

Links to More Info: BT902485

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1

902417-2 : Configuration error caused by Drafts folder in a deleted custom partition

Links to More Info: BT902417

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1

902401-5 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device

Links to More Info: BT902401

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.

Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

902141-1 : TMM may crash while processing APM data

Links to More Info: K94563369, BT902141

901929-2 : GARPs not sent on virtual server creation

Links to More Info: BT901929

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.

Fix:
GARPs are now sent when a virtual server is created.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

901061-2 : Safari browser might be blocked when using Bot Defense profile and related domains.

Links to More Info: BT901061

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.

Fix:
Set the cookie so all requests in the target domain will contain it.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

901041-3 : CEC update using incorrect method of determining number of blades in VIPRION chassis

Links to More Info: BT901041

Component: Traffic Classification Engine

Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.

Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.

Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.

Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.

Workaround:
Install the package manually on each slot.

Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.

Fixed Versions:
15.1.4, 16.0.1.2

900933-1 : IPsec interoperability problem with ECP PFS

Links to More Info: BT900933

Component: TMOS

Symptoms:
IPsec tunnels fails to remain established after initially working.
 
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.

This may also immediately present as a problem when trying to establish a second tunnel to the same peer.

Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).

Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.

Workaround:
Do not use ECP for PFS.

Fix:
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.0.1.2

900905-3 : TMM may crash while processing SIP data

Links to More Info: K42830212, BT900905

900797-2 : Brute Force Protection (BFP) hash table entry cleanup

Links to More Info: BT900797

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

Fix:
Mitigated entries are kept in the hash table.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1

900793-1 : APM Brute Force Protection resources do not scale automatically

Links to More Info: K32055534, BT900793

Component: Application Security Manager

Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.

Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.

Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.

Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.

Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1

900789-2 : Alert before Brute Force Protection (BFP) hash are fully utilized

Links to More Info: BT900789

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.

Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1

900757-2 : TMUI RCE vulnerability CVE-2020-5902

Links to More Info: K52145254, BT900757

899009 : Azure Active Directory deployment fails on BIG-IP 15.1

Links to More Info: BT899009

Component: Access Policy Manager

Symptoms:
In restnoded.log you see an error:

severe: [[azureUtils] ] Cannot get key data. Worker not available :/tm/access/certkey-file-helper/available, details: URI path /tm/access/certkey-file-helper/available not registered. Please verify URI is supported and wait for /available suffix to be responsive.

Conditions:
Azure Active Directory is enabled.

Impact:
Azure Active Directory can not be deployed on BIG-IP 15.1

Fixed Versions:
15.1.2.1

898997-2 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Links to More Info: BT898997

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted

Fix:
GTP profile and GTP::parse iRules now support IE larger than 2048 bytes

Fixed Versions:
14.1.2.7, 15.1.1, 16.0.1

898949-1 : APM may consume excessive resources while processing VPN traffic

Links to More Info: K04518313, BT898949

898929-4 : Tmm might crash when ASM, AVR, and pool connection queuing are in use

Links to More Info: BT898929

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Disable connection queuing on the pool.

Fixed Versions:
14.1.4.5, 15.1.5

898741-2 : Missing critical files causes FIPS-140 system to halt upon boot

Links to More Info: BT898741

Component: Application Security Manager

Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.

Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing

Impact:
System halts during boot because of sys-eicheck.py failure.

Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.

If the missing files are due to missing signature update files:

- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.

Fixed Versions:
14.1.2.7, 15.1.1

898705-5 : IPv6 static BFD configuration is truncated or missing

Links to More Info: BT898705

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1

898461-2 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Links to More Info: BT898461

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.

Fix:
These iRule commands are now available within these iRule events.

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1.1

898441-1 : Enable logging of IKE keys

Links to More Info: BT898441

Component: TMOS

Symptoms:
IPsec debug level logging does not provide encryption and authentication key information for IKEv1 IKE negotiation. This information is commonly logged by IPsec vendors in order to allow network administrators the ability to decrypt failing ISAKMP exchanges.

Conditions:
-- The BIG-IP system has an IPsec IKEv2 tunnel configured.
-- debug level logging is enabled.

Impact:
Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.

Workaround:
None, although the remote peer may log this information.

Fix:
Added sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.

Fixed Versions:
14.1.4.4, 15.1.4

898365-1 : XML Policy cannot be imported

Links to More Info: BT898365

Component: Application Security Manager

Symptoms:
XML Export does not work in configurations that have metacharacters or method overrides defined on URLs.

Conditions:
A policy that has metacharacter or method overrides defined on a URL is exported to XML format.

Impact:
Such a policy cannot be imported.

Workaround:
Use binary export/import or move/remove the problematic elements from the XML file:
* <mandatory_body>
* <operation_id>

Fix:
XML Policy export generates files that correctly correspond to the expected schema and can be imported.

Fixed Versions:
15.1.4

898093-2 : Removing one member from a WideIP removes it from all WideIPs.

Links to More Info: BT898093

Component: Global Traffic Manager (DNS)

Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.

Conditions:
Use the 'Remove' button.

Impact:
Unintended configuration changes via GUI.

Workaround:
Use the 'Manage' button, rather than the 'Remove' button.

Fixed Versions:
15.1.1

897509-1 : IPsec SAs are missing on HA standby, leading to packet drops after failover

Links to More Info: BT897509

Component: TMOS

Symptoms:
IPsec Security Associations (SAs) are missing on the standby high availability (HA) device.

Conditions:
-- HA mirroring is configured
-- IKEv2 tunnels are started

Impact:
During an HA failover, IPsec tunnels may be disrupted because the newly active device is not aware of some IPsec SAs.

Workaround:
None

Fix:
IPsec SAs are now mirrored correctly to the HA standby device. Note that HA failover for IPsec tunnels is only supported when IKEv2 tunnels are in use.

Fixed Versions:
15.1.4.1

896917 : The fw_zone_stat 'Hits' field may not increment in some scenarios

Links to More Info: BT896917

Component: Advanced Firewall Manager

Symptoms:
The fw_zone_stat 'Hits' field does not reflect the current stats.

Conditions:
When the firewall rule has multiple VLANs defined as destinations (in a zone).

Impact:
The counter for all VLANs does not hit : fw_zone_stat. The corresponding stat value does not increment.

Workaround:
None.

Fixed Versions:
15.1.0.5

896861-2 : PTR query enhancement for RESOLVER::name_lookup

Links to More Info: BT896861

Component: Global Traffic Manager (DNS)

Symptoms:
Currently RESOLVER::name_lookup does not have PTR reverse domain mapping.

Conditions:
RESOLVER::name_lookup needs an additional iRule to make PTR query work

Impact:
Need an additional iRule to convert to reverse IP PTR query to work

Workaround:
Use an iRule to convert ip address reverse mapping

Fix:
Address IP address reverse mapping for PTR query

Fixed Versions:
15.1.3, 16.0.1.1

896817-2 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb

Links to More Info: BT896817

Component: TMOS

Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:

01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.

Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.

Impact:
Unable to replace configuration using TMSH's 'replace' verb.

Workaround:
None.

Fix:
When merging a configuration that modifies the list of iRules a virtual server uses using the TMSH 'replace' verb, no error is encountered.

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1

896709-3 : Add support for Restart Desktop for webtop in VMware VDI

Links to More Info: BT896709

Component: Access Policy Manager

Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.

Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.

Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.

Workaround:
None.

Fix:
APM now supports restart desktop option on webtop for VMware VDI.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1

896553-3 : On blade failure, some trunked egress traffic is dropped.

Links to More Info: BT896553

Component: TMOS

Symptoms:
When a blade fails (but not administratively disabled), other blades take 10 seconds (configured with db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic which used the failed blade's interfaces is dropped.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.

Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default.)

Workaround:
Attach interfaces to all blades.

Fix:
Failed blades are detected within a second.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3

896473-2 : Duplicate internal connections can tear down the wrong connection

Links to More Info: BT896473

Component: TMOS

Symptoms:
Handling of duplicate internal connections can tear down and clean up the newest connection. Instead it should always remove the oldest.

Conditions:
When internal connections are re-established.

Impact:
The cleanup of previous connections may incorrectly tear down the new connection. Error messages are reported in the log when this happens, for example:

Duplicate connections between BCM56XXD1 and stpd7749-2. Closing the new one.

Workaround:
None.

Fix:
The system now always removes the oldest connection.

Fixed Versions:
15.1.3

896285-2 : No parent entity in suggestion to add predefined-filetype as allowed filetype

Links to More Info: BT896285

Component: Application Security Manager

Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.

Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.

Impact:
No parent entity appears in the sugestion.

Workaround:
None.

Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.

Fixed Versions:
14.1.2.7, 15.1.2, 16.0.1.1

896217-2 : BIG-IP GUI unresponsive

Links to More Info: BT896217

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1

896125-2 : Reuse Windows Logon Credentials feature does not work with modern access policies

Links to More Info: BT896125

Component: Access Policy Manager

Symptoms:
Client users are not automatically logged on to the Edge client using previously entered Microsoft Windows credentials, while client users on Windows computers are prompted with a logon page to enter the credentials.

Conditions:
-- Access policy "customization type" should be set to "modern"
-- In connectivity profile, click Customize Package :: Windows.
-- Under Available Components, select the check box to enable User Logon Credentials Access Service.

Impact:
Unable to automatically logon to Edge client and user is prompted for credentials

Workaround:
Use standard access policy in the virtual server.

Fixed Versions:
15.1.4

895993-2 : TMUI RCE vulnerability CVE-2020-5902

Links to More Info: K52145254, BT895993

895981-2 : TMUI RCE vulnerability CVE-2020-5902

Links to More Info: K52145254, BT895981

895881-1 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Links to More Info: K43638305, BT895881

895837-3 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified

Links to More Info: BT895837

Component: TMOS

Symptoms:
Virtual server configured with:

-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0

-- The configuration uses a destination port list.

Conditions:
Modify the virtual server's port-list to a different one.

Impact:
Mcpd generates a core, and causes services to restart and failover.

Workaround:
None.

Fix:
Mcpd no longer crashes when modifying a traffic-matching-criteria's destination port list.

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1

895781-2 : Round Robin disaggregation does not disaggregate globally

Links to More Info: BT895781

Component: TMOS

Symptoms:
Traffic is not disaggregated uniformly as expected.

Conditions:
-- A multi-blade chassis with one HSB.
-- Traffic is received on blade one.
-- The imbalance is more pronounced when the IP variation is small.

Impact:
Some TMMs may use relatively more CPU.

Workaround:
None.

Fix:
Traffic is now disaggregated uniformly in a round robin fashion.

Fixed Versions:
15.1.4

895557-2 : NTLM profile logs error when used with profiles that do redirect

Links to More Info: BT895557

Component: Local Traffic Manager

Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).

When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.

Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).

Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.

For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2

895525-2 : TMUI RCE vulnerability CVE-2020-5902

Links to More Info: K52145254, BT895525

895153 : HTTP::has_responded returns incorrect values when using HTTP/2

Links to More Info: BT895153

Component: Local Traffic Manager

Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always return the value 'false'.

Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.

Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.

Workaround:
None.

Fix:
HTTP::has_responded is now properly detected in iRules where HTTP/2 is used.

Fixed Versions:
14.1.3.1, 15.1.2

894885-3 : [SAML] SSO crash while processing client SSL request

Links to More Info: BT894885

Component: Access Policy Manager

Symptoms:
-- Tmm crashes while processing a client SSO request.
-- Graphs show a high SWAP consumption and there are also some OOM events, although the process being terminated is avrd.

Log messages:
-- notice sod[4759]: 01140045:5: HA reports tmm NOT ready.
-- notice sod[4759]: 010c0050:5: Sod requests links down.

Conditions:
SAML SSO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a crash that occurred while handling SSL Orchestrator traffic.

Fixed Versions:
14.1.4.2, 15.1.4

894565-1 : Autodosd.default crash with SIGFPE

Links to More Info: BT894565

Component: Access Policy Manager

Symptoms:
The autodosd process crashes occasionally due to the division by zero.

Conditions:
It happens when the autodosd process receives zero value from tmm.

Impact:
Autodosd is rebooted.

Fix:
The autodosd process does not crash with SIGFPE.

Fixed Versions:
14.1.4, 15.1.3

893885-3 : The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation

Links to More Info: BT893885

Component: TMOS

Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.

Conditions:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on Trusted Platform Module (TPM)-supported BIG-IP platforms.

Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status.

Fixed Versions:
14.1.4, 15.1.3

893721-2 : PEM-provisioned systems may suffer random tmm crashes after upgrading

Links to More Info: BT893721

Component: Traffic Classification Engine

Symptoms:
TMM crashes with SIGSEGV and a core file is written to /var/core/

Conditions:
This affects systems where PEM is provisioned and where the classification engine is running.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
None

Fixed Versions:
14.1.4.2, 15.1.4

893281-3 : Possible ssl stall on closed client handshake

Links to More Info: BT893281

Component: Local Traffic Manager

Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.

Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.

Impact:
Some ssl client connection remain until idle timeout.

Fix:
Allow transmit of any pending crypto during ssl shutdown.

Fixed Versions:
14.1.2.7, 15.1.0.5

893061-2 : Out of memory for restjavad

Links to More Info: BT893061

Component: Application Security Manager

Symptoms:
REST framework not available due to Out of memory error

Conditions:
Long list of Live Update installations

Impact:
Live Update GUI is not responding.

Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)

# tmsh modify sys db provision.extramb value 1000

2) Allow restjavad to access the extra memory:

# tmsh modify sys db restjavad.useextramb value true

3) Save the config:

# tmsh save sys config

4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.

5) Increase the restjavad maxMessageBodySize property:

# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
  "maxMessageBodySize": 134217728,
  "localhostRestnodedConnectionLimit": 8,
  "defaultEventHandlerTimeoutInSeconds": 60,
  "minEventHandlerTimeoutInSeconds": 15,
  "maxEventHandlerTimeoutInSeconds": 60,
  "maxActiveLoginTokensPerUser": 100,
  "generation": 6,
  "lastUpdateMicros": 1558012004824502,
  "kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
  "selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}

Ensure the command returns output showing the limit has been increased (as shown above).

6) Reboot the unit.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

892941-2 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Links to More Info: K20105555, BT892941

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Fixed Versions:
14.1.4, 15.1.2, 16.0.1.1

892937-2 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Links to More Info: K20105555, BT892937

Component: Access Policy Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Fixed Versions:
14.1.4, 15.1.1, 16.0.1

892677-1 : Loading config file with imish adds the newline character

Links to More Info: BT892677

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

892653-1 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Links to More Info: BT892653

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html

Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.

Fixed Versions:
14.1.2.7, 15.1.0.5, 16.0.1

892637-1 : Microservices cannot be added or modified

Links to More Info: BT892637

Component: Application Security Manager

Symptoms:
The 'Add' button is grayed out on Security :: Application Security :: Microservices, where in previous version, minimal microservice creation/modification was available.

Conditions:
-- Navigate to Security :: Application Security :: Microservices.
-- Attempt to add a microservice.

Impact:
Cannot add or modify a microservice in this version, where it was available in previous versions.

Workaround:
None

Fix:
The 'Add' button is now available to create basic microservices for Application Security.

Fixed Versions:
15.1.1

892621-1 : Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software

Links to More Info: BT892621

Component: Advanced Firewall Manager

Symptoms:
BDoS Signature mitigated in software.

Conditions:
IP packets size metric in BDoS signature.

Impact:
BDoS Signature with IP packet size metric mitigated only in software for IPv6 packets.

Workaround:
None.

Fix:
IP packets size metric bin calculation algorithm for IPv6 packets in software now matches hardware version.

Fixed Versions:
14.1.3, 15.1.0.4

892385 : HTTP does not process WebSocket payload when received with server HTTP response

Links to More Info: BT892385

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1

891849-1 : Running iRule commands while suspending iRule commands that are running can lead to a crash

Links to More Info: BT891849

Component: Local Traffic Manager

Symptoms:
Running iRule commands while suspending iRule commands that are running can lead to a crash.

Conditions:
-- Running iRule commands.
-- iRule commands that suspend iRules are running.

For more information on the conditions that trigger iRule suspend, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running iRule commands while suspending iRule commands are running no longer results in a tmm crash.

Fixed Versions:
14.1.3.1, 15.1.2

891729-2 : Errors in datasyncd.log

Links to More Info: BT891729

Component: Fraud Protection Services

Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM

Conditions:
Upgrades from version 13.x to 14.0.0 or higher.

Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.

Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.

If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.

Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

891721-3 : Anti-Fraud Profile URLs with query strings do not load successfully

Links to More Info: BT891721

Component: TMOS

Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:

010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.

Conditions:
Adding a query string to a URL for an anti-fraud profile.

Impact:
After a BIG-IP config save, loading of new bigip.conf fails.

Workaround:
Follow this procedure:

1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.

Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.

Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.0.5

891613-1 : RDP resource with user-defined address cannot be launched from webtop with modern customization

Links to More Info: BT891613

Component: Access Policy Manager

Symptoms:
RDP resource with a user-defined address cannot be launched from the webtop when configured with modern customization.

After requesting the RDP file for a remote address, the RDP file fails to download and the system reports an error message:

Logon failed. Connection to your resource failed. Please click the Try Again button to try again or Close button to close this dialog.

Conditions:
-- Webtop with modern customization.
-- RDP resource with a user-defined address is assigned to the webtop.

Impact:
Cannot use remote desktop resource with user-defined addresses.

Workaround:
As the problem is with modern access policy with modern webtop, a quick workaround:

1. Create a standard access policy with standard webtop (it is similar to modern access policy and modern webtop):

-- 1.1 GUI: Access :: Profiles / Policies :: Create :: {choose Customization Type as 'Standard').
-- 1.2 GUI: Access :: Webtops :: Create :: {choose Customization Type as 'Standard').

Recreate similar access policy as modern access policy that is showing this problem.

If manually re-creating similar standard access policy is not possible, there is no workaround.

Fix:
Now, RDP resources with user-defined addresses can be used as expected on webtops with modern customization.

Fixed Versions:
15.1.4.1

891505-3 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.

Links to More Info: BT891505

Component: Access Policy Manager

Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.

Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.

Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
When fixed, TMM works as expected and no longer leaks memory.

Fixed Versions:
14.1.2.8, 15.1.4

891477-3 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server

Links to More Info: BT891477

Component: TMOS

Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None.

Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.0.5

891457-2 : NIC driver may fail while transmitting data

Links to More Info: K75111593, BT891457

891385-2 : Add support for URI protocol type "urn" in MRF SIP load balancing

Links to More Info: BT891385

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.

Fix:
Added support for the urn URI protocol type.

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1

891373-2 : BIG-IP does not shut a connection for a HEAD request

Links to More Info: BT891373

Component: Local Traffic Manager

Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.

Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.

Impact:
Connection remains idle until it expires normally, consuming network resources.

Workaround:
None.

Fix:
When an HTTP HEAD request contains 'Connection: close' header and a OneConnect profile is configured on a virtual server, the BIG-IP system shuts a connection down after a response is served.

Fixed Versions:
15.1.4, 16.0.1.2

891337-1 : 'save_master_key(master): Not ready to save yet' errors in the logs

Links to More Info: BT891337

Component: TMOS

Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.

Conditions:
UCS load or configuration synchronization that includes encrypted objects.

Impact:
Many errors seen in the logs.

Workaround:
None.

Fix:
Fixed an issue causing 'save_master_key(master): Not ready to save yet' errors.

Fixed Versions:
14.1.4, 15.1.3

891093-1 : iqsyncer does not handle stale pidfile

Links to More Info: BT891093

Component: Global Traffic Manager (DNS)

Symptoms:
Stale /var/run/iqsyncer.pid file is causing a new iqsyncer application to exit immediately after start.

Conditions:
iqsyncer applications is killed by Linux kernel or any other reason causing a stale iqsyncer pid file

Impact:
Gtm config changes and gtm_add operations are blocked

Workaround:
Remove iqsyncer pid file manually or reboot

Fix:
Stale iqsyncer pid file condition handled in iqsyncer application

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1

890881-4 : ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address

Links to More Info: BT890881

Component: Local Traffic Manager

Symptoms:
Traffic drop occurs.

Conditions:
Source MAC in the ARP header and the Ethernet header do not match.

Impact:
The BIG-IP system drops these packets.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.4.1

890513-2 : MCPD fails to load configuration from binary database

Links to More Info: BT890513

Component: TMOS

Symptoms:
Mcpd errors are found in /var/log/ltm:

-- err mcpd[16068]: 01070734:3: Configuration error: MCPProcessor::initializeDB: basic_string::_S_create
-- err mcpd[16068]: 01070596:3: An unexpected failure has occurred, basic_string::_S_create, exiting...
-- err mcpd[16978]: 01b50049:3: FipsUserMgr Error: Master key load failure.

Conditions:
-- Restart MCPD (e.g. by rebooting the BIG-IP)
-- This affects BIG-IP v15.1.0.4 running on all platforms with the exception of the following:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
MCPD does not restore the configuration from its binary database, but instead re-reads the text config files (bigip.conf, et al.).

Workaround:
None.

Fix:
MCPD is again able to restore its configuration from the binary database during startup

Fixed Versions:
14.1.4, 15.1.0.5

890421-2 : New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers

Links to More Info: BT890421

Component: TMOS

Symptoms:
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217

Conditions:
When 15.0.1.2 is upgraded to 15.1.0 then the traps would be renumbered.

Impact:
This may be confusing for SNMP clients expecting specific trap IDs.

Workaround:
None.

Fix:
The traps have been correctly numbered in 15.0.1.3.

Behavior Change:
New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers. These traps will be renumbered when you upgrade 15.0.1.2 to 15.1.0.

The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217

Fixed Versions:
15.0.1.3, 15.1.0.5

890277-3 : Full config sync to a device group operation takes a long time when there are a large number of partitions.

Links to More Info: BT890277

Component: TMOS

Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.

Conditions:
Full config sync on device with large number of partitions.

Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.

Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.

Workaround:
Enable Manual Incremental Sync.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

890229-1 : Source port preserve setting is not honored

Links to More Info: BT890229

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when both of the following conditions are met:

-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
    - Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
    - Configuring a VLAN's 'CMP Hash' setting to a non-default value.
    - Using a special variable such as non-default udp.hash or tcp.hash.

Impact:
Applications relying on a specific, fixed source port might not work as expected.

Workaround:
Set source-port to preserve-strict.

Fix:
Now source-port preserve setting does best effort to preserve the source port.

Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.

The source-port preserve setting now does best effort to preserve the source port.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1

889601-3 : OCSP revocation not properly checked

Links to More Info: K14903688, BT889601

Component: Local Traffic Manager

Symptoms:
The revocation status of un-trusted intermediate CA certs are not checked when ocsp object is configured.

Conditions:
When OCSP object revocation checking is configured in client and server SSL profiles

Impact:
The SSL handshake continues eve if a certificate is revoked.

Fix:
OCSP revocation checking now working properly.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2

889557-1 : jQuery Vulnerability CVE-2019-11358

Links to More Info: K20455158, BT889557

889505 : Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available

Links to More Info: BT889505

Component: Advanced Firewall Manager

Symptoms:
Several SNMP OIDs need to be added to provide the total number of port block allocations (PBAs) and the percentage of PBAs that are available.

Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.

Impact:
Need to manually calculate the values.

Workaround:
Make manual calculations from the current stats or configuration.

Fix:
-- Can now directly gather the total number of PBA and percentage of ports available.

There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.

Behavior Change:
The following new MIBs are now available:

F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatPercentFreePortBlocksSnmp

F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaPercentFreePortBlocksSnmp

Fixed Versions:
15.1.0.3

889477-1 : Modern customization does not enforce validation at password changing

Links to More Info: BT889477

Component: Access Policy Manager

Symptoms:
You can change the password even if there are different values in the fields 'New Password' and 'Confirm Password' or if 'Confirm Password' is empty.

Conditions:
-- Access Policy with 'Modern' customization.
-- Configure an access policy with 'Logon Page' and 'AD Auth' agents.
-- When forced to change passwords, type different values in 'New Password' and 'Confirm Password', or leave 'Confirm Password' empty.

Impact:
The system allows the password change, even though the 'New Password' and 'Confirm Password' do not match.

Workaround:
None.

Fixed Versions:
15.1.0.3

889209-2 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.

Links to More Info: BT889209

Component: Local Traffic Manager

Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.

Conditions:
Enabled sflow receiver is configured.

Impact:
Egress traffic is dropped.

Workaround:
Disable Sflow receiver, save configuration, reboot. (You should not re-enable the sflow receiver in versions where this bug is present)

Fixed Versions:
14.1.4, 15.1.1

889165-3 : "http_process_state_cx_wait" errors in log and connection reset

Links to More Info: BT889165

Component: Local Traffic Manager

Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:

err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside

Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server

Impact:
Possible connection failure.

Fix:
Fixed incorrect early release of HUDEVT_ACCEPTED during ssl handshake irules.

Fixed Versions:
14.1.4, 15.1.3

889045-3 : Virtual server may stop responding while processing TCP traffic

Component: TMOS

Symptoms:
On certain platforms, virtual servers may stop responding while processing TCP traffic.

Conditions:
- i2000 platform
- TCP virtual server enabled

Impact:
Virtual servers stop responding.

Workaround:
N/A

Fix:
Virtual servers respond as expected when processing TCP traffic

Fixed Versions:
15.1.4

889041-3 : Failover scripts fail to access resolv.conf due to permission issues

Links to More Info: BT889041

Component: TMOS

Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:

/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file

Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.

Impact:
Failover does not complete. Floating IP addresses do not move to the active device.

Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0

Impact of workaround: these commands disable SELinux policy enforcement.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

889029-2 : Unable to login if LDAP user does not have search permissions

Links to More Info: BT889029

Component: TMOS

Symptoms:
A user is unable to log in using remote LDAP.

Conditions:
-- BIG-IP systems are configured to use LDAP authentication.
-- Remote user has no search permissions on directory

Impact:
Authentication does not work.

Workaround:
Grant search permissions to the user in LDAP.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

888869-2 : GUI reports General Database Error when accessing Instances Tab of SSL Certificates

Links to More Info: BT888869

Component: TMOS

Symptoms:
A General Database Error message is shown when you click the Instances tab of a certificate bundle / certificate / Key listed under the System :: Certificate Management : Traffic Certificate Management : SSL Certificate List.

Conditions:
-- The selected SSL Certificate does not have a certificate or key listed under it.
-- You click the instances tab of the properties page of the SSL Certificate.

Impact:
GUI shows an error screen.

Workaround:
Avoid clicking the instance tab if there is no key or certificate associated with the SSL Certificate / Bundle.

Fixed Versions:
15.1.5

888625 : CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks

Links to More Info: BT888625

Component: Carrier-Grade NAT

Symptoms:
There is a difference in active port block counter between statistics collected in TMM and actual allocations in 'lsndb list pba'.

Conditions:
The issue happens when the port block allocation process fails after incrementing the active port blocks counter.

Impact:
No functional impact. But the stats counters will be incorrect.

Fix:
Update the active port block counter correctly when port block allocation fails.

Fixed Versions:
14.1.2.7, 15.1.0.3

888569 : Added PBA stats for total number of free PBAs, and percent free PBAs

Links to More Info: BT888569

Component: Advanced Firewall Manager

Symptoms:
There are several port block allocation (PBA) statistics that need to be added.

Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.

Impact:
Need to manually calculate the values.

Workaround:
Make manual calculations from the current stats or configuration.

Fix:
The first and second item described are available using the 'tmsh show' command, and the third item is available in the tmstat tables (e.g., reported in response to the command 'tmctl lsn_pool_pba_stat' as total_port_blocks).

-- Total number of port blocks available:
The total amount of port blocks available according to the PBA configuration. For example, if you have 3 IP addresses for NAT pool/source translation and blocks of 128 ports, and ports from 1024 to 65535, then this stat indicates that you have a total of 1509 port blocks. This number is the result of (64511 (ports available) / 128 (ports per block)) * 3 (number of IP addresses)).

-- Percentage of port available (percentage is available in TMSH only):
Using the same example, where there are 1509 total blocks and currently are assigned 600 blocks, then there are 909 blocks free. This stat show that are 60.23% of ports available. (100*free ports / total ports).

-- Directly gather the values.
There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.

Behavior Change:
The following new tmstat value is now available, in both 'tmctl fw_lsn_pool_pba_stat' and 'tmctl lsn_pool_pba_stat:

    total_port_blocks

The relevant TMSH show commands have been updated to include these new values:

-- Total Port Blocks
-- Percent Free Port Blocks

Fixed Versions:
15.1.0.3

888517-2 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.

Links to More Info: BT888517

Component: Local Traffic Manager

Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops. The 'tmctl tmm/ndal_tx_stats' indicates a large number of queue full events.

Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.

Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.

Workaround:
Correct the underlying networking/virtualization issue.

Fix:
NDAL needs to provide visible information, for example, a log entry, when busy polling over a period of time.

Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2

888497-2 : Cacheable HTTP Response

Links to More Info: BT888497

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1

888493-2 : ASM GUI Hardening

Links to More Info: K40843345, BT888493

888489-2 : ASM UI hardening

Links to More Info: K55873574, BT888489

888417-5 : Apache Vulnerability: CVE-2020-8840

Links to More Info: K15320518, BT888417

888341-7 : HA Group failover may fail to complete Active/Standby state transition

Links to More Info: BT888341

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:

-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
HA Group failover configured.

Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:

 o VLAN failsafe failover.
 o Gateway failsafe failover.
 o Failover triggered by loss of network failover heartbeat packets.
 o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2

888289-1 : Add option to skip percent characters during normalization

Links to More Info: BT888289

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1

888285-1 : Sensitive positional parameter not masked in 'Referer' header value

Links to More Info: K18304067, BT888285

Component: Application Security Manager

Symptoms:
When the URI and 'Referer' header share the same positional parameter, the 'Referer' positional parameter is not masked in logs.

Conditions:
Sending a request with positional parameter in URI and 'Referer' header.

Impact:
'Referer' header positional parameter value is not masked in logs.

Workaround:
None.

Fix:
'Referer' positional parameter value is masked as expected.

Fixed Versions:
14.1.2.8, 15.1.1

888261-1 : Policy created with declarative WAF does not use updated template.

Links to More Info: BT888261

Component: Application Security Manager

Symptoms:
When importing a declarative policy with an updated template, the operation uses the old version of the template, which is saved on the machine.

Conditions:
Declarative policy is created from a user-defined template and then re-created after updating the template.

Impact:
The re-created declarative policy is based on the old template, which is saved without the changes that were made in the template.

Workaround:
Create new template and use it when recreating the declarative policy.

Fix:
While creating the policy, if the saved template on the machine is older than the template file, the system replaces the file on the machine and uses the updated template.

Fixed Versions:
15.1.1

888145-2 : When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property

Links to More Info: BT888145

Component: Access Policy Manager

Symptoms:
The entityID property of SAML Service Provider (SP) object ('apm aaa saml') accepts only a valid URI as the value if host is empty. All other values are deemed invalid.

This creates a less than optimal configuration experience in certain use-cases. For instance, when the deployment contains two SAML SP configuration objects that are essentially identical, with the only difference being the entityID value, validation prevents reusing the same object, and mandates creation of two independent configuration objects.

Conditions:
-- The BIG-IP system is used as a SAML SP with two or more SP configuration objects.
-- The only difference between two (or more) configured SP configuration objects is the value of entityID.

Impact:
None. This is a usability enhancement.

Workaround:
Creating multiple SP objects.

Fix:
This enhancement supports configuring an APM session variable in the entityID property of SAML SP ('apm aaa saml') objects, thus reducing the number of nearly duplicate SP configuration objects.

NOTE: When a session variable is used in the entityID property of a SAML SP object, the SAML metadata exported by such object must be edited manually to replace the session variables with valid FQDN names before the metadata is shared with external parties.

Fixed Versions:
15.1.3

888113-3 : TMM may core when the HTTP peer aborts the connection

Links to More Info: BT888113

Component: Local Traffic Manager

Symptoms:
TMM cores in the HTTP proxy.

Conditions:
-- HTTP and HTTP Router profiles are configured on the virtual server.
-- The HTTP peer aborts the connection unexpectedly.

Impact:
Failover (in a DSC), or outage (standalone) as traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores in the HTTP proxy when the HTTP peer aborts the connection.

Fixed Versions:
15.1.2

887965-1 : Virtual server may stop responding while processing TCP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, a virtual server may stop responding while processing TCP traffic.

Conditions:
- TCP virtual server with FastL4 and L7 (e.g., HTTP) profiles.
- Undisclosed conditions

Impact:
Affected virtual server becomes unavailable until conditions resolve. Other virtual servers on the system are not impacted.

Workaround:
None.

Fix:
TCP traffic is now processed as expected

Fixed Versions:
14.1.4.4, 15.1.4

887637-2 : Systemd-journald Vulnerability: CVE-2019-3815

Links to More Info: K22040951, BT887637

887505-1 : Coreexpiration script improvement

Links to More Info: BT887505

Component: TMOS

Symptoms:
Script fails with:
stat: cannot stat '/shared/core/*.core.*': No such file or directory.

In addition, the system reports a message in /var/log/user and /var/log/messages when there are no core files:
Deleting file /shared/core/*.core.*

Conditions:
Coreexpiration script is run.

Impact:
No core is produced. In addition, there is no core deleted.

Workaround:
To resolve the issue, add the following line to the script:

  for filename in /shared/core/*.core.*; do
   + [ -e "$filename" ] || continue
         # Time of last modification as seconds since Epoch

Fixed Versions:
15.1.3

887117-2 : Invalid SessionDB messages are sent to Standby

Links to More Info: BT887117

Component: TMOS

Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:

SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.

Impact:
Standby drops these messages

Workaround:
None.

Fixed Versions:
15.1.4.1, 16.1.1

887089-1 : Upgrade can fail when filenames contain spaces

Links to More Info: BT887089

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5

887017-3 : The dwbld daemon consumes a large amount of memory

Links to More Info: BT887017

Component: Advanced Firewall Manager

Symptoms:
The dwbld daemon shows very large memory consumption after adding addresses to the shun-list.

Conditions:
-- Adding a large number of IP addresses to the shun-list (millions of IP addresses).
-- Viewing dwbl memory usage using:
config # top -p $(pidof dwbld)

Impact:
Excessive memory consumption. If memory is exhausted, enforcement does not occur.

Workaround:
None.

Fix:
Improvements to dwbld memory handling have been implemented.

Fixed Versions:
14.1.4, 15.1.3

886865-1 : P3P header is added for all browsers, but required only for Internet Explorer

Links to More Info: BT886865

Component: Application Security Manager

Symptoms:
The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.

Conditions:
Bot Defense Profile is attached to a virtual server.

Impact:
Deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.

Workaround:
The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header.

It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be be blocked from accessing the web application.

Fix:
The profile now adds the P3P header only to Internet Explorer browsers. There is still the option to add the header to all browsers (i.e., keep the old behavior, in case there is another browser that requires this) by setting a db variable:
tmsh modify sys db botdefense.always_add_p3p_header value enable

Fixed Versions:
14.1.4.5, 15.1.5

886841-1 : Allow LDAP Query and HTTP Connector for API Protection policies

Links to More Info: BT886841

Component: Access Policy Manager

Symptoms:
APM has several types of access policies for different deployment types, such as general per-request policies, OAuth policies, full webtop portal policies, and so on. One type of policy is designed for API clients, called API Protection.

API Protection requests are generally authenticated by user information present in an HTTP authorization header. APM then uses this authorization header data to authenticate users against an AAA server.

In addition to authentication, some deployments of API Protection also require authorization decisions to be performed against out-of-band data from external servers, typically group membership data from an external HTTP or LDAP server.

Conditions:
Administrators attempt to use HTTP Connector or LDAP Query in an API Protection type access policy.

Impact:
Administrators are not able to use HTTP Connector or LDAP Query in API Protection policies.

Fix:
Starting with 16.0, APM allows administrators to use HTTP Connector or LDAP Query inside of API Protection policies to make authorization decisions, greatly expanding the flexibility of APM's API Protection feature.

Fixed Versions:
15.1.5

886729-2 : Intermittent TMM crash in per-request-policy allow-ending agent

Links to More Info: BT886729

Component: Access Policy Manager

Symptoms:
TMM crash.

Conditions:
When user trying to access a URL with unique hostname in the current session.

Impact:
TMM crash. No access to the URL. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This intermittent TMM crash no longer occurs.

Fixed Versions:
15.1.1

886717-1 : TMM crash while using SSL Orchestrator

Links to More Info: BT886717

Component: SSL Orchestrator

Symptoms:
On a multiple process TMM system, if a TMM process crashes, other TMM processes crash.

Conditions:
-- SSL Orchestrator is running in a system with multiple TMM processes and one of the TMM processes crashes.
-- SSL Orchestrator has been configured with HTTP (explicit or transparent) services.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Subsequent TMM core is no longer seen when any other TMM process cores.

Fixed Versions:
15.1.0.5

886713-1 : Error log seen in case of SSL Orchestrator configured with http service during connection close.

Links to More Info: BT886713

Component: SSL Orchestrator

Symptoms:
An error is logged:

tmm2[24575]: 01c50003:3: Service : encountered error: ERR_UNKNOWN File: ../modules/hudfilter/service/service.c Function: hud_service_handler, Line: 778

Conditions:
SSL Orchestrator is configured with a http service and a connection closes.

Impact:
An error is logged, but it can be safely ignored.

Workaround:
None

Fix:
Error log is no longer seen in case of SSL Orchestrator configured with http service.

Fixed Versions:
14.1.2.5, 15.1.0.5

886693-3 : System may become unresponsive after upgrading

Links to More Info: BT886693

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html

Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:

-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
-- BIG-IP Virtual Edition (VE)

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2

886689-6 : Generic Message profile cannot be used in SCTP virtual

Links to More Info: BT886689

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.

Fix:
Generic Message profile can be used in SCTP virtual

Fixed Versions:
14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1

886085-5 : BIG-IP TMM vulnerability CVE-2020-5925

Links to More Info: K45421311, BT886085

885765-3 : ASMConfig Handler undergoes frequent restarts

Links to More Info: BT885765

Component: Application Security Manager

Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.

Conditions:
When processing a large number of configuration updates.

Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.5

885201-2 : BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log

Links to More Info: BT885201

Component: Global Traffic Manager (DNS)

Symptoms:
Err (error) level messages in /var/log/gtm log when DNS (GTM) SSL monitors such as https are used and are unable to connect to the monitored target IP address:

err big3d[4658]: 01330014:3: CSSLSocket:: Unable to get the session.

These messages do not indicate the IP address or port of the target that failed to connect, and this ambiguity may cause concern.

Conditions:
-- SSL-based DNS (GTM) monitor assigned to a target, for example https
-- TCP fails to connect due to a layer 2-4 issue, for example:
   - No route to host.
   - Received a TCP RST.
   - TCP handshake timeout.

Impact:
The system reports unnecessary messages; the fact that the monitor failed is already detailed by the pool/virtual status change message, and the target changing to a red/down status.

These messages can be safely ignored.

Workaround:
If you want to suppress these messages, you can configure a syslog filter.

For more information, see K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.

Fix:
Added debug messages for SSL probing with attached DB variable

Fixed Versions:
14.1.4.1, 15.1.3

884797-4 : Portal Access: in some cases data is not delivered via WebSocket connection

Links to More Info: BT884797

Component: Access Policy Manager

Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.

Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client

Impact:
Data is not delivered to the client browser via the WebSocket connection.

Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.

Fixed Versions:
14.1.2.5, 15.1.0.5

884425-2 : Creation of new allowed HTTP URL is not possible

Component: Application Security Manager

Symptoms:
When pressing 'Create' button in
Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs page, the requested page is not loaded.

Conditions:
Policy with about 5000 and more parameters causes long loading time, which results in loading failure.

Impact:
The requested page (New Allowed HTTP URL...) is not loaded.

Workaround:
Use fewer parameters (less than 5000) per policy.

Fixed Versions:
14.1.3.1, 15.1.3

884165-3 : Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG

Links to More Info: BT884165

Component: TMOS

Symptoms:
Frequent config syncs and spamming of logs are occurring on BIG-IP devices in a high availability (HA) configuration.

Conditions:
Datasync CAPTCHA table is re-generated while CAPTCHA is being consumed by users.

Impact:
Sync to the datasync groups cause the sync status of the devices to fluctuate.

Fixed Versions:
14.1.4.4, 15.1.4.1

883889-3 : Tmm might crash when under memory pressure

Links to More Info: BT883889

Component: Access Policy Manager

Symptoms:
Tmm might crash and restart when under memory pressure

Conditions:
SSL Orchestrator with service chaining (Security policy uses services).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
A condition where high tmm memory utilization results in memory corruption has been resolved.

Fixed Versions:
14.1.4.5, 15.1.5

883853-2 : Bot Defense Profile with staged signatures prevents signature update

Links to More Info: BT883853

Component: Application Security Manager

Symptoms:
When a trying to install a new bot defense signature, the installation fails with the following log message:

com.f5.liveupdate.update.dosbotsignatures.file.Update.applyChanges.pl|INFO|Feb 10 13:22:12.924|7347|F5::Dos::BotSignatures::load_from_xml,,Cannot send updated objects to mcp: 01070265:3: The Bot Defense Signature (/Common/Headless Chromium, Chrome) cannot be deleted because it is in use by a Bot Defense Profile Signature Staging.

Conditions:
-- A Bot Defense Profile has a staged signature.
-- The staged signature points to something that does not exist in the update file.

Impact:
The new file cannot be installed.

Workaround:
Enforce the staged signature.

Fix:
Before deleting the signature, the installation process checks to see whether the signature is staged, and if it is, the process unstages it.

Fixed Versions:
14.1.4.2, 15.1.4

883717-1 : BD crash on specific server cookie scenario

Links to More Info: K37466356, BT883717

883577-4 : ACCESS::session irule command does not work in HTTP_RESPONSE event

Links to More Info: BT883577

Component: Access Policy Manager

Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm

No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)

Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.

Impact:
Cannot create APM session using the ACCESS::session irule command.

Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.

Fixed Versions:
14.1.4.1, 15.1.3

883529-1 : HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path

Links to More Info: BT883529

Component: Local Traffic Manager

Symptoms:
HTTP/2 request is not forwarded and RST_STREAM with PROTOCOL_ERROR is sent back to the client.

Conditions:
HTTP/2 request with method OPTIONS and pseudo header :path value equal to something other than '*' (asterisk).

Impact:
HTTP/2 request with Method OPTIONS is limited to :path '*' only. Any other URIs are not forwarded to the server but are rejected with RST_STREAM with PROTOCOL_ERROR.

Workaround:
None.

Fix:
HTTP/2 request with Method OPTIONS now allows the URI to be something other than '*'. This request is not rejected, but is forwarded to the server.

Fixed Versions:
15.1.1

883513-1 : Support for QUIC and HTTP/3 draft-27

Links to More Info: BT883513

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-24 and draft-25. IETF released draft-27 in February 2020, and major browser vendors have announced they intend to widely deploy support for it, unlike previous drafts.

Conditions:
Browser requests draft-27.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-27. (The QUIC community skipped draft-26), has deleted draft-24 support from the implementation, and deprecates support for draft-25.

Fixed Versions:
15.1.0.3

883105-1 : HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect

Links to More Info: BT883105

Component: Local Traffic Manager

Symptoms:
If a virtual server is configured with both client-side and server-side using HTTP/2, and with translate-address disabled, the connection to the server-side does not succeed.

Conditions:
-- HTTP/2 profiles on both client-side and server-side, using an http-router profile.
-- Translate-address is disabled.

Impact:
Connections fail.

Workaround:
None.

Fixed Versions:
15.1.2

882769-1 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Links to More Info: BT882769

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API

Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2

882713-3 : BGP SNMP trap has the wrong sysUpTime value

Links to More Info: BT882713

Component: TMOS

Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.

Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition

Impact:
The sysUpTime in the trap generated by BGP is incorrect.

Workaround:
None.

Fix:
Fixed an incorrect calculation of sysUpTime.

Fixed Versions:
14.1.3.1, 15.1.2

882633-2 : Active Directory authentication does not follow current best practices

Links to More Info: K51213246, BT882633

882557-2 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Links to More Info: BT882557

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4

882549-2 : Sock driver does not use multiple queues in unsupported environments

Links to More Info: BT882549

Component: Local Traffic Manager

Symptoms:
In some unsupported environments, the underlying sock driver uses only only 1 queue. You can confirm whether it does so by executing the tmctl command to check the rxq column (which shows 0):
tmctl -d blade -i tmm/ndal_rx_stats' and

You can verify this on the tx side as well.

Conditions:
This occurs in certain unsupported environments.

Note: When you run 'ethtool -l', you can see: 'command not supported'.

Impact:
When multi-q is present, the use of single queue can impact performance when using the sock driver.

Workaround:
Use other available drivers.

You can check the available drivers by executing the tmctl command:
tmctl -d blade -i tmm/device_probed

Fix:
Fixed an issue with the sock driver.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2

882377-3 : ASM Application Security Editor Role User can update/install ASU

Links to More Info: BT882377

Component: Application Security Manager

Symptoms:
Live Update modifications are allowed for Application Security Editor Role.

Conditions:
Login as Application Security Editor user and try to install ASU.

Impact:
Application Security Editor Role role is permitted to update Attack Signatures when it shouldn't be.

Fixed Versions:
14.1.2.5, 15.1.4.1

882189-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897

Links to More Info: K20346072, BT882189

882185-6 : BIG-IP Edge Client Windows ActiveX

Links to More Info: K20346072, BT882185

882157-1 : One thread of pkcs11d consumes 100% without any traffic.

Links to More Info: BT882157

Component: Local Traffic Manager

Symptoms:
One thread of pkcs11d consumes 100% without any traffic.

Conditions:
-- The BIG-IP system is licensed with NetHSM, and service pkcs11d is running.
-- The MCDP service is restarted.

Impact:
NetHSM configurations and statistics updates are not updated.

Workaround:
Restart the pkcs11d service:
tmsh restart sys service pkcs11d

Fix:
The system now watches for errors and prevents this error from occurring.

Fixed Versions:
14.1.4, 15.1.3

881757-1 : Unnecessary HTML response parsing and response payload is not compressed

Links to More Info: BT881757

Component: Application Security Manager

Symptoms:
When either DoS Application Profile or Bot Defense profiles are used, or a complex LTM policy is used, the Accept-Encoding request header is removed by the BIG-IP system, which causes the backend server to respond with uncompressed payload.

Second effect is that the Bot Defense Profile and L7 DoS profile are always, not conditionally, considered internally as a profile that modifies a body that satisfies HTTP profile chunking configuration 'sustain' (default mode) triggering client-side chunking. This causes a response in the server-side that is unchunked to be always chunked in client-side with the mode set to 'sustain'.

Conditions:
One of these options:
-- Bot Defense Profile is associated with the Virtual Server.
-- DoS Profile is associated with the Virtual Server and has Application (L7) enabled.
-- Policy is associated with the Virtual Server and has complex LTM Policy: multiple Policies, or additional rules.

Impact:
-- Response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.

Workaround:
For version 15.1.0 and later, you can use the following workaround:

Disable the option for modification of Referer header:
tmsh modify sys db asm.inject_referrer_hook value false

Note: Using this brings back the impact of ID792341 (see https://cdn.f5.com/product/bugtracker/ID792341.html).

For versions earlier than 15.1.0, there is no workaround.

Fix:
The system no longer removes the Accept-Encoding header and no longer parses response payload if not needed based on configuration.

Fixed Versions:
14.1.4.2, 15.1.1, 16.0.1.2

881641 : Errors on VPN client status window in non-English environment

Links to More Info: BT881641

Component: Access Policy Manager

Symptoms:
If Network Access resource or AppTunnel resource is being accessed using user interface language other than English, JavaScript errors may be shown in VPN client status window.

Conditions:
- Customization Type of Access policy is Modern
- Access Policy with languages other than English
- Network Access resource or AppTunnel resource assigned to this Access Policy
- standalone VPN client in non-English environment

Impact:
VPN connection or AppTunnel connection cannot be established.

Fix:
Now standalone VPN client can work correctly in non-English environment

Fixed Versions:
15.1.4

881445-7 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Links to More Info: K69154630, BT881445

881317-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Links to More Info: K15478554, BT881317

881293-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Links to More Info: K15478554, BT881293

881085-3 : Intermittent auth failures with remote LDAP auth for BIG-IP managment

Links to More Info: BT881085

Component: TMOS

Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.

Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).

Impact:
There might be intermittent remote-auth failures.

Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

880789-3 : ASMConfig Handler undergoes frequent restarts

Links to More Info: BT880789

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.

Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.

Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None.

Fix:
The botd handler is now restored to a more robust process lifecycle.

Fixed Versions:
14.1.2.7, 15.1.0.5

880753-3 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server

Links to More Info: K38157961, BT880753

Component: Application Security Manager

Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.

Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).

Impact:
Some requests might not be processed by the Bot Defense profile.

Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable

Fix:
The mechanism which caused this issue is now correctly enabled.

Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.1

880625-3 : Check-host-attr enabled in LDAP system-auth creates unusable config

Links to More Info: BT880625

Component: TMOS

Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.

Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.

Impact:
LDAP-based auth does not function.

Workaround:
None.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

880361-1 : iRules LX vulnerability CVE-2021-22973

Links to More Info: K13323323, BT880361

880289 : FPGA firmware changes during configuration loads

Links to More Info: BT880289

Component: TMOS

Symptoms:
FPGA firmware on DDoS Hybrid Defender products might be changed unexpectedly during a configuration load or license update.

Conditions:
Configuration load or license update.

Impact:
FPGA firmware changes unexpectedly, reboot might be required to stabilize.

Workaround:
None.

Fixed Versions:
15.1.4

880165-2 : Auto classification signature update fails

Links to More Info: BT880165

Component: TMOS

Symptoms:
During classification update, you get an error:

"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"

An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".

Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.

It can occur when something goes wrong during license activation, but license activation ultimately succeeds.

Impact:
When this issue occurs, auto classification signature update will fail.

Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

880001-1 : TMM may crash while processing L4 behavioral DoS traffic

Links to More Info: K58290051, BT880001

879841-4 : Domain cookie same-site option is missing the "None" as value in GUI and rest

Links to More Info: BT879841

Component: Application Security Manager

Symptoms:
There isn't an option to add to a domain cookie with the attribute "SameSite=None". The value "None" which appears as an option is used will not add the attribute at all.

Conditions:
You want to have SameSite=none attribute added to a domain cookie.

Impact:
You are unable to set SameSite=None

Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM

Fixed Versions:
14.1.4.5, 15.1.4.1

879829-2 : HA daemon sod cannot bind to ports numbered lower than 1024

Links to More Info: BT879829

Component: TMOS

Symptoms:
If the network high availability (HA) daemon sod is configured to use a port number that is lower than 1024, the binding fails with a permission-denied error. This affects binding to ports on both management and self IP addresses.

Example log messages:
/var/log/ltm
err sod[2922]: 010c003b:3: bind fails on recv_sock_fd addr 1.2.3.4 port 1023 error Permission denied.
notice sod[2992]: 010c0078:5: Not listening for unicast failover packets on address 1.2.3.4 port 1023.

/var/log/auditd/audit.log
type=AVC msg=audit(1578067041.047:17108): avc: denied { net_bind_service } for pid=2922 comm="sod" capability=10 scontext=system_u:system_r:f5sod_t:s0 tcontext=system_u:system_r:f5sod_t:s0 tclass=capability

Conditions:
-- high availability (HA) daemon sod is configured to use a port lower than 1024 for network high availability (HA) operations.

-- Version 13.1.0 or later.

Impact:
A network high availability (HA) connection configured to use a port number lower than 1024 on an affected version does not function.

Workaround:
Change the port number to 1024 or higher.

Note: UDP port 1026 is the default.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

879777-3 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Links to More Info: BT879777

Component: Application Security Manager

Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.

Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Workaround:
Use "validate in a bulk" option.

Fix:
Retrieving the cookie from the related domain even if the page is qualified.

Fixed Versions:
14.1.2.8, 15.1.1

879745-4 : TMM may crash while processing Diameter traffic

Links to More Info: K82530456

879413-1 : Statsd fails to start if one or more of its *.info files becomes corrupted

Links to More Info: BT879413

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

Fix:
The system now detects corrupt *.info files and deletes and recreates them.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

879409-3 : TMM core with mirroring traffic due to unexpected interface name length

Links to More Info: BT879409

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.

Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the length of the interface name before processing the HA message at the receiver side and ignores the HA message if the interface name length is wrong.

Fixed Versions:
14.1.3.1, 15.1.1

879405-1 : Incorrect value in Transparent Nexthop property

Links to More Info: BT879405

Component: TMOS

Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN after a change is made via the DOS menu then another change is made on the advanced menu.

Conditions:
Starting with a working config if the admin makes changes
From the DoS menu
 - DoS configuration -> protected objects -> protected objects list
 - Select virtual server (eg: test_vpn_443) -> open Network & General -> set enabled on vlans to "test" and Transparent nexthop to "test" -> save

# Now make a change that cannot be made via the DoS menu

From the Advanced menu
 - Local Traffic -> Virtual server -> Virtual server list -> select virtual server (test_vpn_443)
 - Note that "Transparent Nexthop" is set to "none" despite being set to "test" in bigip.conf and DoS menu
 - Change clientssl profile (or whatever change) -> update

# Now go back and check the impact

From the DoS menu
 - DoS configuration -> protected objects -> protected objects list
 - Select virtual server (eg: test_vpn_443) -> open Network & General -> you can see that Transparent nexthop has been set to "none"

At this point connectivity could be broken and transparent nexthop will need to be reconfigured via the DoS menu.

Impact:
Incorrect value shown in Transparent Nexthop property field. which can cause connectivity to be lost between the affected locations.

Workaround:
There are multiple possible options:
either:
Use tmsh to complete the action successfully.
or
Do not configure the same VLAN group for the VLAN list and Transparent Next Hop
or
use the advanced menu as it performs as expected.

Fixed Versions:
15.1.2, 16.0.1.1

879401-1 : Memory corruption during APM SAML SSO

Links to More Info: K90423190, BT879401

Component: Access Policy Manager

Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted. You might experience several types of unexpected actions, including a TMM restart and core-file generation.

Conditions:
-- BIG-IP system is configured as SAML SP.
-- External SAML IdP sends SLO request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
BIG-IP systems configured as SAML SP no longer cause memory corruption when handling certain traffic.

Fixed Versions:
14.1.2.5, 15.1.3

879189-1 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section

Links to More Info: BT879189

Component: TMOS

Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.

Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual server, but the module supporting the profile is not provisioned.

Impact:
The Network Map shows an error message.

Workaround:
Provision the module that supports the profile.

Fix:
The button text has been modified to be more informative.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

879025-2 : When processing TLS traffic, LTM may not enforce certificate chain restrictions

Links to More Info: K72752002, BT879025

878925-2 : SSL connection mirroring failover at end of TLS handshake

Links to More Info: BT878925

Component: Local Traffic Manager

Symptoms:
In some cases, HTTP requests may fail if system failover occurs immediately after the TLS handshake finishes.

Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.

Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.

Workaround:
None.

Fix:
System now updates the high availability (HA) state at end of the TLS handshake to prevent this issue if failover occurs at end of the handshake but before client/server data.

Fixed Versions:
14.1.4.1, 15.1.2

878893-3 : During system shutdown it is possible the for sflow_agent to core

Links to More Info: BT878893

Component: TMOS

Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.

Conditions:
BIG-IP reboot can cause the sflow_agent to core.

Impact:
There is a core file in the /var/core directory after a system reboot.

Fix:
Fixed an issue causing a core of sflow_agent during shutdown.

Fixed Versions:
15.1.0.4

877145-4 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException

Links to More Info: BT877145

Component: TMOS

Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.

Conditions:
This can be encountered intermittently while using iControl REST.

Impact:
Login failure.

Workaround:
None.

Fix:
Fixed an issue related to authenticating to the iControl REST endpoint /mgmt/TOC.

Fixed Versions:
15.0.1.3, 15.1.0.5

877109-1 : Unspecified input can break intended functionality in iHealth proxy

Links to More Info: K04234247

876957-1 : Reboot after tmsh load sys config changes sys FPGA firmware-config value

Links to More Info: BT876957

Component: TMOS

Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.

Chmand reports errors:

chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]

Conditions:
Running either of the following commands:

tmsh load sys config
/etc/init.d/fw_update_post reload

Impact:
Firmware update fails.

Workaround:
Use this procedure:

1. Mount /usr:
mount -o rw,remount /usr

2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload

3. Reload systemctl:
systemctl daemon-reload

4. Reload the file:
/etc/init.d/fw_update_post reload

Fix:
Added the reload option in fw_update_post service file.

Fixed Versions:
14.1.4.1, 15.1.1

876953-2 : Tmm crash while passing diameter traffic

Links to More Info: BT876953

Component: Service Provider

Symptoms:
Tmm crashes with the following log message.

-- crit tmm1[11661]: 01010289:2: Oops @ 0x2a3f440:205: msg->ref > 0.

Conditions:
This can be encountered while passing diameter traffic when one or more of the pool members goes down and retransmissions occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash while passing diameter traffic.

Fixed Versions:
15.0.1.4, 15.1.0.5, 16.0.1

876937-3 : DNS Cache not functioning

Links to More Info: BT876937

Component: TMOS

Symptoms:
DNS queries are not being cached on the BIG-IP device.

Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache).
-- Device receives DNS queries.

Impact:
DNS queries are forwarded, but the BIG-IP system does not cache them.

Workaround:
None.

Fix:
DNS queries are now cached when DNS Cache is enabled.

Behavior Change:
Full DNS cache functionality has been restored. This results in performance degradation. You might notice it in OCSP performance, when compared to releases in which full DNS cache functionality is not present.

By default, DNS cache is disabled. To recapture performance, enable DNS cache.

Fixed Versions:
14.1.4.3, 15.1.4

876805-3 : Modifying address-list resets the route advertisement on virtual servers.

Links to More Info: BT876805

Component: TMOS

Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the address list is modified.

This issue has also been shown to cause inconsistent ICMP response behavior when 'selective' mode is used.

Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all virtual addresses.
-- Modify the address list.

Impact:
-- Modifications made to virtual addresses are lost.
-- Possible ICMP response issues when 'selective' mode is used (e.g., responses when all pool members are disabled, or no responses when pool members are enabled).

Workaround:
None

Fix:
Virtual address properties are now preserved when an address list is modified.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

876801-5 : Tmm crash: invalid route type

Links to More Info: BT876801

Component: Local Traffic Manager

Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:

tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **

Conditions:
The issue is intermittent.

1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.

Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table and it's not causing a TMM crash anymore.

Fixed Versions:
13.1.4, 14.1.4, 15.1.2

876581-2 : JavaScript engine file is empty if the original HTML page cached for too long

Links to More Info: BT876581

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).

Fix:
FPS now also removes ETag headers from protected HTML pages.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

876393-1 : General database error while creating Access Profile via the GUI

Links to More Info: BT876393

Component: Access Policy Manager

Symptoms:
While trying to create an Access profile, the GUI reports a general database error. There are errors in /var/log/tomcat:

profiles.ProfileUtils$SettingsHandler:error - java.sql.SQLException: Column not found: SOURCE in statement [INSERT into
profile_access

Conditions:
This occurs when you try to create an Access Profile of type SSO from the GUI.

Impact:
You are unable to create the profile using the GUI.

Workaround:
You can create the Access Profile using TMSH.

tmsh create access access_test_sso type sso accept-languages add { en } sso-name sso_test1

Fix:
Access Profile of type SSO can now be created and edited from the GUI.

Fixed Versions:
15.1.0.2

876353-1 : iRule command RESOLV::lookup may cause TMM to crash

Links to More Info: K03125360, BT876353

876077-1 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up

Links to More Info: BT876077

Component: Service Provider

Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.

Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
Stale pending retransmission entries are cleaned up properly.

Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.0.5

875401-2 : PEM subcriber lookup can fail for internet side new connections

Links to More Info: BT875401

Component: Policy Enforcement Manager

Symptoms:
PEM subcriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.

Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm

Impact:
PEM subscriber lookup can fail on the internet side

Workaround:
No workaround.

Fix:
PEM subcriber lookup now always succeeds for internet side new connections,

Fixed Versions:
14.1.4, 15.1.2.1

874949-1 : TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.

Links to More Info: BT874949

Component: Access Policy Manager

Symptoms:
TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.

Conditions:
Client traffic is run through virtual server with APM per-request policy that contains empty variable assign agent.

Impact:
TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When client traffic is run through virtual server with APM per-request policy that contains empty variable assign agent, TMM will not crash.

Fixed Versions:
15.1.4

874753-3 : Filtering by Bot Categories on Bot Requests Log shows 0 events

Component: Application Security Manager

Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.

When filtering for only Bot Category: Browser Automation, nothing Shows up.

Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log

Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.

Workaround:
None.

Fix:
Filtering by Bot Categories on Bot Requests Log is now fixed on the GUI page.

Fixed Versions:
14.1.2.7, 15.1.0.5

874677-1 : Traffic Classification auto signature update fails from GUI

Links to More Info: BT874677

Component: Traffic Classification Engine

Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.

The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.

Conditions:
Performing Traffic Classification auto signature update using the GUI.

Impact:
Fails to update the classification signature automatically.

Workaround:
You can use either of the following:

-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.

Fix:
Fixed the hitless upgrade script to download the IM packages from the EDSM server for point releases.

Fixed Versions:
14.1.4.3, 15.1.3, 16.0.1.1

873641-1 : Re-offloading of TCP flows to hardware does not work

Links to More Info: BT873641

Component: TMOS

Symptoms:
Once Hardware evicts the EPVA TCP flows due to Idle timeout, tmm does not reinsert the flows back when it receives a packet belonging to that flow.

Conditions:
This occurs when the TCP connection is kept idle for ~20 seconds.

Impact:
Performance can be impacted. Hardware acceleration will be disabled for the flows once the flow is removed from hardware due to Idle timeout.

Fix:
Fix will re-offload the flows to HW once SW starts receiving packets due to HW eviction of flows by Idle timeout.

Fixed Versions:
15.1.4.1

873469-2 : APM Portal Access: Base URL may be set to incorrectly

Links to More Info: K24415506, BT873469

872965-1 : HTTP/3 does not support draft-25

Links to More Info: BT872965

Component: Local Traffic Manager

Symptoms:
Clients attempting to connect with QUIC version 25 and ALPN h3-25 are unable to connect.

Conditions:
An end user client attempts to connect using QUIC version 25 and ALPN h3-25.

Impact:
Attempts to use HTTP/3 with some clients may fail.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-24 and draft-25.

Fixed Versions:
15.1.0.2

872673-1 : TMM can crash when processing SCTP traffic

Links to More Info: K26464312, BT872673

872645-2 : Protected Object Aggregate stats are causing elevated CPU usage

Links to More Info: BT872645

Component: Advanced Firewall Manager

Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.

Conditions:
AFM, ASM, or DoS features are provisioned.

Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.

Workaround:
None.

Fix:
Protected Object Aggregate stats no longer cause elevated CPU usage.

Fixed Versions:
14.1.3.1, 15.1.1

872049-1 : Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command

Links to More Info: BT872049

Component: Advanced Firewall Manager

Symptoms:
Value in mitigation thresholds are above infinite value (4294967295)

Conditions:
Multiplier based mitigation mode for Dos static vectors after run relearn thresholds command

Impact:
Incorrect display value for DoS thresholds in GUI and tmctl

Fix:
Do not apply multiplayer for infinite threshold value (4294967295).

Fixed Versions:
15.1.2

871985-1 : No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection

Links to More Info: BT871985

Component: Advanced Firewall Manager

Symptoms:
There are no hardware mitigation for DoS attacks

Conditions:
Auto-threshold mode and detection for attacked destinations should be activate for DoS static vector

Impact:
DoS attack mitigation performed only by software

Fix:
Improved search in already hardware offloaded entities

Fixed Versions:
15.1.2

871905-2 : Incorrect masking of parameters in event log

Links to More Info: K02705117, BT871905

Component: Application Security Manager

Symptoms:
When using CSRF protection, sensitive parameters values can be masked incorrectly in the event log.

Conditions:
The request contains a CSRF token and sensitive parameters.

Impact:
Sensitive parameters values can be masked incorrectly in the event log.

Workaround:
None.

Fix:
Sensitive parameters values are now correctly masked in the event log when request contains CSRF token.

Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.0.5

871761-1 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

Links to More Info: BT871761

Component: Access Policy Manager

Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.

Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.

Impact:
APM end users are unable to get a logon page.

Workaround:
Disable the XML profile for the APM virtual server.

Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

871657-1 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Links to More Info: BT871657

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5

871653-1 : Access Policy cannot be created with 'modern' customization

Links to More Info: BT871653

Component: Access Policy Manager

Symptoms:
Per-Request Policy (PRP) Access Policy with Customization Type set to Modern cannot be created due to internal error.

Conditions:
Creating a PRP Access Policy with Customization Type set to Modern.

Impact:
Administrator cannot use modern customization.

Workaround:
1. In bigip.conf find the following line:

     apm policy customization-source /Common/standard { }

2. Add the following line:

     apm policy customization-source /Common/modern { }

3. Save the changes.

4. Load the config:

     tmsh load sys config

Fix:
Now modern customization can be used for any Access Policy.

Fixed Versions:
15.1.0.2

871633-1 : TMM may crash while processing HTTP/3 traffic

Links to More Info: K61367237, BT871633

871561-5 : Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'

Links to More Info: BT871561

Component: TMOS

Symptoms:
Software upgrades to an Engineering Hotfix on a vCMP guest might fail with one of the following messages:

failed (Software compatibility tests failed.)
failed (The requested product/version/build is not in the media.)

The failed installation is also indicated by log messages in /var/log/ltm similar to:

-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (The requested product/version/build is not in the media.)

Conditions:
This may occur when performing a software upgrade to an engineering hotfix on a vCMP guest running affected versions of BIG-IP software, when the software images are present on the vCMP host.

This can be accomplished by running the following command from the vCMP guest console:

tmsh install sys software block-device-hotfix <hotfix-image-name> volume <volume.name>

Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host.

Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:

tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>

Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:

tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>

Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.

Then restart the lind service on the vCMP Guest:
  tmsh restart sys service lind

If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
  clsh tmsh restart sys service lind

The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.

Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:

1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
  isoinfo -d -i /dev/cdrom

Note: Pay attention to the volume ID in the output from within the vCMP guest.

2. Unlock (eject) the image:
  eject -r -F /dev/cdrom && vcmphc_tool -e

3. Verify the CD drive is now empty:
  isoinfo -d -i /dev/cdrom

The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>

4. Restart lind:
  tmsh restart sys service lind

If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
  clsh tmsh restart sys service lind

Fix:
Software upgrades on a vCMP guest complete successfully even when the software images are present on the vCMP hypervisor.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

870957-4 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

870389-3 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images

Links to More Info: BT870389

Component: TMOS

Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.

Conditions:
This applies to deployments that use declarative onboarding for configuration.

Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.

Workaround:
The workaround is to manually extend the /var logical volume.

For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.

Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.

Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.

Fixed Versions:
14.1.2.5, 15.1.0.2

870385-5 : TMM may restart under very heavy traffic load

Links to More Info: BT870385

Component: Advanced Firewall Manager

Symptoms:
TMM occasionally restarts when running heavy workloads. The crash is a timing-related issue between different tmm threads, and thus happens only occasionally.

Conditions:
-- AFM is provisioned with DoS functionality.
-- The BIG-IP system is under heavy workload.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer restarts under these conditions.

Fixed Versions:
14.1.2.8, 15.1.2.1

870381-1 : Network Firewall Active Rule page does not load

Links to More Info: BT870381

Component: Advanced Firewall Manager

Symptoms:
In the BIG-IP GUI, the Network Firewall Active Rule page is blank and nothing is visible.

Conditions:
This occurs when viewing the Active Rule page.

Impact:
You are unable to view active Rules in GUI.

Workaround:
None.

Fix:
Network Firewall Active Rule page is now visible in the GUI.

Fixed Versions:
15.1.2.1

870273-5 : TMM may consume excessive resources when processing SSL traffic

Links to More Info: K44020030, BT870273

869653-1 : VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction

Links to More Info: BT869653

Component: Access Policy Manager

Symptoms:
VCMP secondary blade restarts when creating more than one access profile in a transaction.

Conditions:
- In one transaction
- Create more than one access profiles

Impact:
Blade restarts and traffic is disrupted.

Fix:
All VCMP blades will continue to work when creating more than one access profile in a transaction.

Fixed Versions:
15.1.4

869361-1 : Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated

Links to More Info: BT869361

Component: Global Traffic Manager (DNS)

Symptoms:
Load balance methods for Link Controller inbound wide IP are always set to default values when the load balancing method is updated through GUI.

Conditions:
-- Multiple inbound wide IPs are configured;
-- Load balancing methods are updated through GUI once.

Impact:
Unable to manage wide IPs through the GUI.

Workaround:
Use tmsh to manage Inbound WideIPs.

Fixed Versions:
15.1.1

869049-4 : Charts discrepancy in AVR reports

Links to More Info: BT869049

Component: Application Visibility and Reporting

Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.

Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).

Impact:
Stats on DB get corrupted and incorrect.

Workaround:
None.

Fix:
Aggregation store-procedure is now fixed.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

868781-1 : TMM crashes while processing MRF traffic

Links to More Info: BT868781

Component: Service Provider

Symptoms:
TMM panic occurs when processing overflowed the MPI messages due to incorrectly calculated master key length:

../dev/mpi/mpi_mem.c:1129: Assertion "tail not past head" failed.

Conditions:
-- Message Routing Framework (MRF) traffic of type Diameter and SIP.

-- Auto-initialization enabled on peer, but can happen without auto-initialization enabled, just at a less-predictable rate.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM crash no longer occurs under these conditions.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.1

868721-1 : Transactions are held for a long time on specific server related conditions

Links to More Info: BT868721

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.

Fix:
Add a check for this scenario so transactions will be released correctly.

Fixed Versions:
14.1.2.7, 15.1.0.5

868641-3 : Possible TMM crash when disabling bot profile for the entire connection

Links to More Info: BT868641

Component: Application Security Manager

Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.

Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.

Fix:
TMM no longer crashes when disabling bot defense profile for the entire connection.

Fixed Versions:
14.1.2.7, 15.1.1

868381-1 : MRF DIAMETER: Retransmission queue unable to delete stale entries

Links to More Info: BT868381

Component: Service Provider

Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.

Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
The retransmission queue has been fixes so all stale messages are deleted as expected.

Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.0.5

868349-1 : TMM may crash while processing iRules with MQTT commands

Links to More Info: K62830532, BT868349

868209-3 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection

Links to More Info: BT868209

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with transparent vlan-group and traffic is matching a standard or fastl4 virtual-server and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - traffic will be L2 forwarded and pool member selection will not happen.

This defect will also cause active FTP data connections over vlan-group to fail.

Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.

OR

- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.

Impact:
Server-side connections will fail.

Workaround:
Use opaque vlan-group instead.
OR
disable db variable connection.vgl2transparent (15.0+)

Fixed Versions:
14.1.4, 15.1.2.1

868097-3 : TMM may crash while processing HTTP/2 traffic

Links to More Info: K58494243, BT868097

868053-3 : Live Update service indicates update available when the latest update was already installed

Links to More Info: BT868053

Component: Application Security Manager

Symptoms:
When downloading and installing the latest ASU file manually the Live Update indicator located at the top left of the screen still indicates that there is a new update available.

Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.

Impact:
The Live Update indicator continues to indicate on a new update though the latest file was installed.

Workaround:
None.

Fix:
The Live Update service no longer displays a false message regarding updates available.

Fixed Versions:
14.1.3.1, 15.1.3

867825-4 : Export/Import on a parent policy leaves children in an inconsistent state

Links to More Info: BT867825

Component: Application Security Manager

Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.

Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.

Impact:
The children on the different devices are left unexpectedly in different states.

Fix:
Import/Replace for a parent policy for sections that remain inherited will now delete elements that were removed from the parent policy instead of disinheriting them.

Fixed Versions:
14.1.4.4, 15.1.4

867793-1 : BIG-IP sending the wrong trap code for BGP peer state

Links to More Info: BT867793

Component: TMOS

Symptoms:
When BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.

Conditions:
-- BIG IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.

Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.

Workaround:
None.

Fix:
BIG-IP now sends the correct trap code for BGP peer state.

Behavior Change:
The bgpPeerState for bgpBackwardTransNotification now reports the state after the state machine transition, i.e., the state into which the system is transitioning. In earlier releases, it reported the state prior to the state machine transition, which would always report idle because all backwards state transitions are into idle.

Fixed Versions:
14.1.4, 15.1.2.1

867373-4 : Methods Missing From ASM Policy

Links to More Info: BT867373

Component: Application Security Manager

Symptoms:
If the ASM http-methods are missing from the MCP configuration, importing an XML ASM policy creates a policy that has no allowed methods and will block all traffic.

Conditions:
-- BIG-IP system configuration is loaded without the required asm_base.conf.
-- An XML ASM policy is loaded.

Impact:
All traffic is blocked for the policy.

Workaround:
Recreate the required methods (GET, POST, etc.) in the policy.

Fix:
Lack of defined ASM http-methods in MCP no longer affects policy loading.

Fixed Versions:
14.1.4, 15.1.3

867181-1 : ixlv: double tagging is not working

Links to More Info: BT867181

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.

Fix:
Both VLAN tags are now present in packets.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2

867013-2 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Links to More Info: BT867013

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.

Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.1

866925-5 : The TMM pages used and available can be viewed in the F5 system stats MIB

Links to More Info: BT866925

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

866685-1 : Empty HSTS headers when HSTS mode for HTTP profile is disabled

Links to More Info: BT866685

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.

Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.

Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}

Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

866613-4 : Missing MaxMemory Attribute

Links to More Info: BT866613

Component: Application Visibility and Reporting

Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.

Conditions:
This is encountered when viewing the System Monitor report.

Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').

Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.

Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.

Fix:
The MaxMemory attribute is now reported in System Monitor statistics.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1

866481-2 : TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode

Links to More Info: BT866481

Component: Local Traffic Manager

Symptoms:
TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode.

Conditions:
-- HTTP profile is attached to the virtual server.
-- The httprouter profile is attached to the virtual server.
-- HTTP goes into passthrough mode for any variety of reasons.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when HTTP-MR proxy attempts goes into passthrough mode.

Fixed Versions:
15.1.2

866161-1 : Client port reuse causes RST when the security service attempts server connection reuse.

Links to More Info: BT866161

Component: Access Policy Manager

Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.

Conditions:
-- Service profile is attached to virtual server.
   or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

866109-2 : JWK keys frequency does not support fewer than 60 minutes

Links to More Info: BT866109

Component: Access Policy Manager

Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:

01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.

Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.

Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.

Workaround:
Use a value of 60 minutes or higher.

Fix:
Auto discovery frequency now supported values lower than 60 minutes.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4

866073-2 : Add option to exclude stats collection in qkview to avoid very large data files

Links to More Info: BT866073

Component: TMOS

Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:

qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938

Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.

Impact:
Qkview files may not be able to be parsed by the iHealth service.

Also, memory allocation error messages may be displayed when generating qkview.

Workaround:
None.

Fix:
Qkview now has a -x option that can be used to exclude statistics collection in the stat_module.xml file.

Behavior Change:
Qkview now has a -x option that can be used to exclude statistics collection.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

866021-1 : Diameter Mirror connection lost on the standby due to "process ingress error"

Links to More Info: BT866021

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.

Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5

865461-1 : BD crash on specific scenario

Links to More Info: BT865461

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.

Fixed Versions:
14.1.2.7, 15.1.0.5

865289-1 : TMM crash following DNS resolve with Bot Defense profile

Links to More Info: BT865289

Component: Application Security Manager

Symptoms:
TMM may crash when Bot Defense is enabled and network DNS is configured.

Conditions:
This can occur when is Bot Defense enabled and network DNS is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when Bot Defense is enabled and network DNS is configured.

Fixed Versions:
15.1.2.1

865241-1 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Links to More Info: BT865241

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2

865225-1 : 100G modules may not work properly in i15000 and i15800 platforms

Links to More Info: BT865225

Component: TMOS

Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.

Conditions:
-- Using OPT-0039 or OPT-0031 modules.

-- Running on i15000 and i15800 platforms.

Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.

Impact:
You might see traffic drop.

Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.

Workaround:
None.

Fixed Versions:
13.1.3.4, 15.1.0.2

865177-4 : Cert-LDAP returning only first entry in the sequence that matches san-other oid

Links to More Info: BT865177

Component: TMOS

Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists

Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids

Impact:
Only the first matching oid is returned.

Fixed Versions:
14.1.3.1, 15.1.2.1, 16.0.1.1

865053-3 : AVRD core due to a try to load vip lookup when AVRD is down

Links to More Info: BT865053

Component: Application Visibility and Reporting

Symptoms:
AVRD cores during startup.

Conditions:
Avrd receives a SIGTERM while it is starting.

Impact:
This can lead to an AVRD core.

Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

864797-2 : Cached results for a record are sent following region modification

Links to More Info: BT864797

Component: Global Traffic Manager (DNS)

Symptoms:
Changing the contents of a topology region record may result in DNS queries temporarily being directed as if the change had not happened for queries from the IP address of the last end user client to use topology load balancing.

Conditions:
-- A client at a single IP address makes multiple queries that are load balanced using topology, both before and after a change to a topology region record, where that change also modifies the result the single client receives.

-- If a query from a different client IP address is received and load balanced using topology, then the issue is corrected until the next change to a topology region record.

Impact:
After changing the contents of a topology region record, the last end user client to send a query before the change may receive the wrong load balancing decision if the change affected that decision. Queries from other end user clients are load balanced correctly and cause the issue to go away until the next topology region record change.

Workaround:
This issue can be temporarily corrected by sending a DNS query that is load balanced using topology after making changes to region records.

Fix:
The system now handles regions item changes as expected, so this issue no longer occurs.

Fixed Versions:
14.1.4.4, 15.1.4

864757-3 : Traps that were disabled are enabled after configuration save

Links to More Info: BT864757

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1

864677-1 : ASM causes high mcpd CPU usage

Links to More Info: BT864677

Component: Application Security Manager

Symptoms:
-- CPU utilization is high on the odd-numbered cores.

-- Messages appear at 60-second intervals in /var/log/ts/asm_start.log:
update_GTM_score

Conditions:
-- One or more virtual servers have FTP/SMTP/WEBSEC profiles attached to it.
-- ASM configured.

Impact:
Elevated CPU usage.

Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.

-- Restart ASM:
bigstart restart asm

Fix:
This issue has been resolved so that CPU usage is no longer elevated under these conditions.

Fixed Versions:
14.1.4, 15.1.3

864513-1 : ASM policies may not load after upgrading to 14.x or later from a previous major version

Links to More Info: K48234609, BT864513

Component: TMOS

Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policies issues relating to the upgrade process.

Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.

Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.

Workaround:
You can use either of the following workarounds.

-- Remove ASM Policies while upgrading:
  1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
  2. Upgrade.
  3. Reassociate each ASM Security Policy with its original virtual server.

-- Restore the UCS on a new boot location after upgrade:
  1. Prior to upgrade, create a UCS.
  2. Upgrade or create a new instance of the software version at the target location.
  3. Restore the UCS at the new location.

Fix:
ASM policies now load as expected after upgrading to 14.x or later from a previous major version.

Fixed Versions:
14.1.2.7, 15.1.1

864329-3 : Client port reuse causes RST when the backend server-side connection is open

Links to More Info: BT864329

Component: SSL Orchestrator

Symptoms:
The BIG-IP system or SSL Orchestrator does not close server-side connections when the security service closes the connection with the BIG-IP or SSL Orchestrator. So if client reuses the port, SSL Orchestrator rejects new connections by sending RST.

Conditions:
-- Service profile is attached to virtual server.
   or
-- SSL Orchestrator is licensed and provisioned and Service chain is added in the security policy.
-- Security service closes the server-side connection with SSL Orchestrator.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSL Orchestrator rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSL Orchestrator no longer rejects the client connection when the client reuses the port.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

864109-1 : APM Portal Access: Base URL may be set to incorrectly

Links to More Info: K24415506, BT864109

863917-2 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.

Links to More Info: BT863917

Component: Global Traffic Manager (DNS)

Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:

The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.

This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.

Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.

Impact:
Messages are logged that imply the system is overloaded when it is not.

Workaround:
Create a log filter to suppress the messages

sys log-config filter gtm-warn {
    level warn
    message-id 011ae116
    source gtmd
}

Fixed Versions:
13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2

863609-4 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies

Links to More Info: BT863609

Component: Application Security Manager

Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.

Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes

Impact:
There are differences after deploy.

Workaround:
Discover and deploy again from BIG-IQ

Fix:
Changes are deployed from BIG-IQ without causing unexpected changes.

Fixed Versions:
14.1.2.7, 15.1.0.5

863401-1 : QUIC congestion window sometimes increases inappropriately

Links to More Info: BT863401

Component: Local Traffic Manager

Symptoms:
When QUIC is discovering the link bandwidth, it sometimes increases the congestion window when there is not enough available data to use the existing congestion window.

Conditions:
When the application is not generating enough data, or any streams with data are stream flow control limited.

Impact:
In some cases, the congestion window can be too large for the path and cause packet losses if it is later fully utilized.

Workaround:
None

Fix:
Correctly check for data limitations before increasing congestion window.

Fixed Versions:
15.1.2.1

863161-1 : Scheduled reports are sent via TLS even if configured as non encrypted

Links to More Info: BT863161

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

863069-1 : Avrmail timeout is too small

Links to More Info: BT863069

Component: Application Visibility and Reporting

Symptoms:
AVR report mailer times out prematurely and reports errors:

AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.

Conditions:
Configure reports, which will be sent to e-mail

Impact:
Error response from SMTP server, and the report is not sent

Workaround:
Increase timeout in avrmail.php via bash commands

Fix:
The timeout was increased in avrmail.php

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

862937-3 : Running cpcfg after first boot can result in daemons stuck in restart loop

Links to More Info: BT862937

Component: TMOS

Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.

Conditions:
Running cpcfg on a volume that has already been booted into.

Impact:
Services do not come up.

Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:

# touch /.autorelabel
# reboot

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

862885-2 : Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error

Links to More Info: BT862885

Component: Local Traffic Manager

Symptoms:
A configuration with a virtual server-to-virtual server flow established, for example by the 'virtual' iRule command, and using a TCP stack with 'Tail Loss Probe' enabled, might encounter a race between the delayed ACK and the tail loss probe, which can lead to a tmm_panic or an OOPs message:
no trailing data.

Conditions:
-- Virtual server-to-virtual server flow established.
-- TCP profile with 'Tail Loss Probe' enabled.
-- Certain timing related traffic scenario.

Impact:
TMM generates a core and reports an OOPs message:
no trailing data.

Workaround:
Do not use a TCP stack with 'Tail Loss Probe' enabled in conjunction with a virtual server-to-virtual server flow configuration.

Fix:
Virtual server-to-virtual server with 'Tail Loss Probe' enabled can now be used without error.

Fixed Versions:
14.1.4.5, 15.1.4.1

862793-1 : ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation

Links to More Info: BT862793

Component: Application Security Manager

Symptoms:
When ASM detects "virus" (with help of external icap server), the response page will be JS-Challenge instead of blocking.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Anti-Virus protection enabled in ASM policy.
-- ASM finds a virus in a request.

Impact:
-- End user client gets JS-Challenge response instead of blocking page.
-- End user does not see ASM support ID.
-- Browser can run the JavaScript and resend the request to ASM, which is then forwarded to the backend server.

Workaround:
None.

Fix:
The software now replies with the blocking page, including the ASM support ID.

Fixed Versions:
15.1.4

862597-7 : Improve MPTCP's SYN/ACK retransmission handling

Links to More Info: BT862597

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
MPTCP's SYN/ACK retransmission handling is improved.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.2

862557-1 : Client-ssl profiles derived from clientssl-quic fail validation

Links to More Info: BT862557

Component: Local Traffic Manager

Symptoms:
After configuring a clientssl-quic profile, you get a validation error:

01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/clientssl-f5quic-udp).

Conditions:
This can occur when using the clientssl-quic built-in profile to build a profile that can serve HTTP/3 over QUIC.

Impact:
You are unable to configure a clientssl profile to work with HTTP/3 + QUIC that is also customized to serve the right certificate, etc.

Workaround:
Modify the clientssl-quic profile to have the following properties:
    cipher-group quic
    ciphers none
This requires the following additional config objects:
ltm cipher group quic {
    allow {
        quic { }
    }
}
ltm cipher rule quic {
    cipher TLS13-AES128-GCM-SHA256,TLS13-AES256-GCM-SHA384
    description "Ciphers usable by QUIC"
}

Fix:
Update the built-in configuration to pass validation.

Fixed Versions:
15.1.0.1

860881-3 : TMM can crash when handling a compressed response from HTTP server

Links to More Info: BT860881

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

860617-3 : Radius sever pool without attaching the load balancing algorithm will result into core

Links to More Info: BT860617

Component: Access Policy Manager

Symptoms:
Tmm crashes after configuring a radius server pool.

Conditions:
-- Radius server pool exists
-- Radius server pool does not have a designated load balancing algorithm.

Impact:
TMM will core while radius accounting stops. Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Pool selection counter gets incremented and message will be freed.

Fixed Versions:
14.1.4.5, 15.1.4.1

860517-1 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Links to More Info: BT860517

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1

860349-3 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication

Links to More Info: BT860349

Component: TMOS

Symptoms:
After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail .

The /var/log/secure will show :

/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145

/var/log/daemon.log will show ;

/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.


> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault

Conditions:
LDAP/nslcd config , remote authentication , user-template used

The values within user-template include white spaces :

example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org

Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.

Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon

Fixed Versions:
14.1.2.8, 15.1.3

860317-3 : JavaScript Obfuscator can hang indefinitely

Links to More Info: BT860317

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process

Fix:
Datasyncd daemon kills hanging obfuscator processes if they stop responding.

Fixed Versions:
14.1.3.1, 15.1.2

860005-1 : Ephemeral nodes/pool members may be created for wrong FQDN name

Links to More Info: BT860005

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.

Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2

859721-1 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Links to More Info: BT859721

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer cause core

Fixed Versions:
14.1.2.5, 15.1.0.2

859717-2 : ICMP-limit-related warning messages in /var/log/ltm

Links to More Info: BT859717

Component: Local Traffic Manager

Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:

warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.

Conditions:
Viewing /var/log/ltm.

Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.

Workaround:
None.

Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

859113-1 : Using "reject" iRules command inside "after" may causes core

Links to More Info: BT859113

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using "reject" iRules command inside "after" no longer cause core.

Fixed Versions:
14.1.2.5, 15.1.0.2

859089-7 : TMSH allows SFTP utility access

Links to More Info: K00091341, BT859089

858973-1 : DNS request matches less specific WideIP when adding new wildcard wideips

Links to More Info: BT858973

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.

Conditions:
New less specific Wildcard WideIPs are created.

Impact:
DNS request matches less specific WideIP.

Workaround:
# tmsh load sys config gtm-only
or
restart tmm

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2

858769-6 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2

Links to More Info: K82498430, BT858769

Component: TMOS

Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.

Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.

Impact:
The longer keys lengths for SNMPv3 cannot be used.

Workaround:
None

Fix:
With the net-snmp 5.8 libraries there is SHA-2 support for longer SHA and AES keys. New options are: SHA-224, 256, 384, and 512 and AES-192, 192-C, 256, 256-C.

Fixed Versions:
15.1.0.4

858701-1 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x

Links to More Info: BT858701

Component: Local Traffic Manager

Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.

-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.

Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:

Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:

  Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.

  You can check this value with the guishell command:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

    Example:
      guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
        -----------------------------------------------------------
        | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
        -----------------------------------------------------------
        | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
        | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
        | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
        | /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
        | /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

      Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.

------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:

1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.

2. Fail over Active system to Standby status:
  tmsh run sys failover standby

3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.

4. Save the config to disk:
  tmsh save sys config

5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
  tmsh load sys config

6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
  tmsh load sys config

7. Verify it worked:
  guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

  Example of a fixed config:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
      -----------------------------------------------------------
      | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
      -----------------------------------------------------------
      | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
      | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
      | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
      | /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
      | /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':

tmsh load sys config

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2

858537-2 : CVE-2019-1010204: Binutilis Vulnerability

Links to More Info: K05032915, BT858537

858429-3 : BIG-IP system sending ICMP packets on both virtual wire interface

Links to More Info: BT858429

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.

Fixed Versions:
14.1.2.8, 15.0.1.4, 15.1.1

858349-3 : TMM may crash while processing SAML SLO traffic

Links to More Info: K44808538, BT858349

858301-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Links to More Info: K27551003, BT858301

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1

858297-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Links to More Info: K27551003, BT858297

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1

858289-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Links to More Info: K27551003, BT858289

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1

858285-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Links to More Info: K27551003, BT858285

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1

858229-5 : XML with sensitive data gets to the ICAP server

Links to More Info: K22493037, BT858229

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.

Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2

858197-2 : Merged crash when memory exhausted

Links to More Info: BT858197

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

Fix:
Remove function call to drop row from table on error path where row was not successfully added.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1

858189-3 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.

Links to More Info: BT858189

Component: Device Management

Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.

Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.

Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.

Workaround:
None.

Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.

Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:

restnoded.timeout
restjavad.timeout
icrd.timeout

The default value is 60 seconds for each of these.

A restart of restjavad and restnoded is required for the change to take effect.

tmsh restart /sys service restjavad
tmsh restart /sys service restnoded

Fixed Versions:
12.1.5.2, 14.1.2.7, 15.1.1

858025-1 : BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984

Links to More Info: K33440533, BT858025

857953-2 : Non-functional disable/enable buttons present in GTM wide IP members page

Links to More Info: BT857953

Component: Global Traffic Manager (DNS)

Symptoms:
Enable/disable buttons do not perform any action against the selected members when pressed.

Conditions:
-- GTM wide IP has members.
-- Navigate to the GTM wide IP members page.
-- Attempt to enable or disable a selected member./

Impact:
No action against the selected members occurs when the buttons are pressed.

Workaround:
None.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

857845-1 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule

Links to More Info: BT857845

Component: Local Traffic Manager

Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.

Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.

Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS messages is reported in /var/log/tmm.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2

857633-7 : Attack Type (SSRF) appears incorrectly in REST result

Links to More Info: BT857633

Component: Application Security Manager

Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.

Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.

Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.

Workaround:
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:

DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";

Fixed Versions:
14.1.4.5, 15.1.4.1

857589-1 : On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'

Links to More Info: BT857589

Component: Access Policy Manager

Symptoms:
On the Citrix Workspace app, clicking 'Refresh Apps' after signing out fails with message "Refresh Failed" with v15.1.x

Conditions:
-- Running the Citrix Workspace all.
-- Clicking 'Refresh Apps' after signing out.
-- Running software v15.1.x.

Impact:
The system reports a 'Refresh failed' error, and the app must to be reset.

Workaround:
None.

Fix:
The system now shows a prompt/pop-up for credentials and signs-in successfully.

Fixed Versions:
15.1.1

856961-7 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

Links to More Info: K17269881, BT856961

856953-4 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1

Links to More Info: BT856953

Component: TMOS

Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.

Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.

Fix:
TMM no longer cores.

Fixed Versions:
14.1.2.8, 15.1.4.1

856725-1 : Missing learning suggestion for "Illegal repeated parameter name" violation

Links to More Info: BT856725

Component: Application Security Manager

Symptoms:
Some URL/parameter related suggestions are not issued

Conditions:
The can occur on URLs that are configured with a method. It can also occur on URL-level parameters that are configured on such URLs.

Impact:
Some learning suggestions are not issued as expected

Workaround:
None

Fix:
After fix suggestions are issued as expected

Fixed Versions:
15.1.3

854493-5 : Kernel page allocation failures messages in kern.log

Links to More Info: BT854493

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.

Fixed Versions:
14.1.2.8, 15.1.0.2

854177-5 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Links to More Info: BT854177

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.

Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5

854001-2 : TMM might crash in case of trusted bot signature and API protected url

Links to More Info: BT854001

Component: Application Security Manager

Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.

Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.

Fix:
An issue where tmm could crash when processing a request sent to a protected API URL with a trusted bot signature has been fixed.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

853613-4 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Links to More Info: BT853613

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.

Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

853585-1 : REST Wide IP object presents an inconsistent lastResortPool value

Links to More Info: BT853585

Component: Global Traffic Manager (DNS)

Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:

...
"lastResortPool": "aaaa \"\""
...

Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:

tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>

Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.

Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.

Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.

Fixed Versions:
12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1

853545-1 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Links to More Info: BT853545

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.

Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.

Fixed Versions:
14.1.2.5, 15.1.0.2

853325-1 : TMM Crash while parsing form parameters by SSO.

Links to More Info: BT853325

Component: Access Policy Manager

Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.

Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.

Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.

Workaround:
Do not use Passthrough mode with SSO.

Fix:
TMM does not crash when Passthrough mode is enabled in SSO, and SSO receives any valid form in a response.

Fixed Versions:
14.1.4.5, 15.0.1.3, 15.1.0.2

853101-2 : ERROR: syntax error at or near 'FROM' at character 17

Links to More Info: BT853101

Component: TMOS

Symptoms:
After clicking UI Security :: Network Firewall : Active Rules, /var/log/ltm reports the following error message:
--warning postgres ERROR: syntax error at or near 'FROM' at character 17.

Conditions:
Enabled turboflex-security and AFM module.

Impact:
-- Possible leak of postgres database connections.
-- A warning log message is created, but the system continues to function normally.

Workaround:
None.

Fix:
Correct is AFMProvisioned check was added to wrap database connection deallocation

Fixed Versions:
15.1.2.1

852929-6 : AFM WebUI Hardening

Links to More Info: K25160703, BT852929

852873-2 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Links to More Info: BT852873

Component: Local Traffic Manager

Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.

Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.

Workaround:
None.

Fix:
Traffic with Destination MAC as PVST+ (01:00:0c:cc:cc:cd) or STP (01:80:c2:00:00:00) is sent to the BIG-IP system, egress traffic is monitored to check that MAC is dropped when either or both of the following db variables is enabled or vice-versa:
bcm56xxd.rules.badpdu_drop
bcm56xxd.rules.lldp_drop

Fixed Versions:
14.1.2.7, 15.1.0.2

852861-1 : TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario

Links to More Info: BT852861

Component: Local Traffic Manager

Symptoms:
TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL and httprouter profiles.
-- 0-RTT connection resumption in progress.

Impact:
TMM cores intermittently.

Workaround:
No workaround.

Fix:
Defer sending of early keys from SSL to QUIC. This results in delaying of ingress decryption. HTTP/3 is initialized before receiving decrypted data.

Fixed Versions:
15.1.0.2

852557-3 : Tmm core while using service chaining for SSL Orchestrator

Links to More Info: BT852557

Component: SSL Orchestrator

Symptoms:
Tmm core found when using service chaining for SSL Orchestrator (SSL Orchestrator).

Conditions:
SSL Orchestrator with service chaining.

Impact:
Tmm crashes and generates a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Tmm no longer crashes while using service chaining for SSL Orchestrator.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

852481-3 : Failure to check virtual-server context when closing server-side connection

Links to More Info: BT852481

Component: SSL Orchestrator

Symptoms:
The TMM process may fail with a segment fault (SIGSEGV) panic and deposit a core file.

Conditions:
-- SSL Orchestrator configuration.
-- Closing server-side connection.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer experiences panic when server-side connections are being closed.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

852477-3 : Tmm core when SSL Orchestrator is enabled

Links to More Info: BT852477

Component: SSL Orchestrator

Symptoms:
The tmm process may fail with a segment fault (SIGSEGV) panic and deposit a core file.

Conditions:
This can occur when SSL Orchestrator is enabled and is passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Tmm no longer experiences panic when draining data from server-side connections that are being closed.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

852437-3 : Overly aggressive file cleanup causes failed ASU installation

Links to More Info: K25037027, BT852437

Component: Application Security Manager

Symptoms:
Directory cleanup for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.

Conditions:
An ASU runs at the same time as the file cleanup task.

Impact:
The ASU fails to complete successfully.

Workaround:
The default clean interval is 300 seconds (5 minutes).

1. Run the following command to monitor the clean activity:
#tailf /var/log/ts/asmcrond.log | grep CleanFiles

2. Watch for following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles

3. Upgrade the ASU immediately.


If 5 minutes is not enough, you can increase the clean interval.

1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:

From:
[CleanFiles]
Interval=300

To:
[CleanFiles]
Interval=3000

Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.

2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>

3. Monitor the asmcrond.log until you see another Cleanfiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles

4. Install the ASU; the temp files can stay in the folder for 50 minutes.

5. After the ASU is installed, change the interval back to 300 and restart asmcrond.

6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log

Fix:
The directory cleanup does not clean up files that are being actively used for an installation.

Fixed Versions:
14.1.2.5, 15.1.0.2

852373-3 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error

Links to More Info: BT852373

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:

TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".

Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.

Impact:
HTTP/2 traffic is not passed to the serverside.

Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside

Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.

Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.1

852313-4 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured

Links to More Info: BT852313

Component: Access Policy Manager

Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431

Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.

Impact:
VMware Horizon client cannot connect to APM after some time.

Workaround:
None.

Fix:
Fixed an issue, where 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

852289-4 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector

Links to More Info: K23278332, BT852289

Component: Advanced Firewall Manager

Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.

Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.

Impact:
DNS over TCP is DDoS attack is not mitigated correctly.

Workaround:
Using DNS DoS vector to mitigate the attack.

Fix:
The attack mitigation by sweep and flood vector is accurate.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.1

852101-1 : Monitor fails.

Links to More Info: BT852101

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2

852001-1 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously

Links to More Info: BT852001

Component: TMOS

Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.

Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.

Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.

Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.

Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

851857-1 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Links to More Info: BT851857

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.

Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1

851789-2 : SSL monitors flap with client certs with private key stored in FIPS

Links to More Info: BT851789

Component: Local Traffic Manager

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.

Fix:
Optimized FIPS API calls to improve performance of SSL monitors.

Fixed Versions:
12.1.5.3, 14.1.2.5, 15.1.1

851745-3 : High cpu consumption due when enabling large number of virtual servers

Links to More Info: BT851745

Component: Advanced Firewall Manager

Symptoms:
Observed autodosd CPU burst

Conditions:
Enable autodosd and a large number of virtual servers

Impact:
High cpu utilization in autodosd

Workaround:
Disable autodosd

Fix:
Autodosd no longer excessively consumes CPU cycles.

Fixed Versions:
14.1.4.1, 15.1.2

851581-3 : Server-side detach may crash TMM

Links to More Info: BT851581

Component: Local Traffic Manager

Symptoms:
TMM crash with 'server drained' panic string.

Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.

Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.

Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.

-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.

Fix:
TMM does not crash no matter when the server-side detach is triggered.

Fixed Versions:
14.1.2.8, 15.1.1

851477-1 : Memory allocation failures during proxy initialization are ignored leading to TMM cores

Links to More Info: BT851477

Component: Local Traffic Manager

Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.

Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.

Impact:
TMM cores when accessing uninitialized memory.

Workaround:
No workaround.

Fix:
Memory allocation failures are now detected and virtual server ends up in DENY state. No connections are accepted in this state.

Fixed Versions:
14.1.3.1, 15.1.1

851445-1 : QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams

Links to More Info: BT851445

Component: Local Traffic Manager

Symptoms:
QUIC profile has a field for maximum uni-streams. This represents the number of concurrent uni-streams that the peer can create. If HTTP/3 is also configured on the virtual, then the value for uni-streams should ne >=3. The peer should be able to create at least 3 uni-streams, for control, encoder and decoder.

Conditions:
QUIC, HTTP/3, SSL and httprouter profiles are configured on the virtual. QUIC client tries to establish a connection with Big-IP. HTTP/3 is negotiated in ALPN.

Impact:
If fewer than 3 max uni-streams are configured, HTTP/3 transactions will not be successful.

Workaround:
Configure correct value of max uni-streams in QUIC profile.

Fix:
Validation added to prevent a value of less than 3 to be configured when HTTP/3 is also on the virtual.

Fixed Versions:
15.1.0.2

851393-1 : Tmipsecd leaves a zombie rm process running after starting up

Links to More Info: BT851393

Component: TMOS

Symptoms:
After booting the system, you notice zombie 'rm' processes:

$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm

Restarting tmipsecd will kill the zombied process but will start a new one.

Conditions:
-- IPsec is enabled.
-- Booting up the system.

Impact:
A zombie 'rm' process exists. There should be no other impact.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.0.5

851345-1 : The TMM may crash in certain rare scenarios involving HTTP/2

Links to More Info: BT851345

Component: Local Traffic Manager

Symptoms:
The HTTP/2 Gateway configuration is used without the HTTP MRF Router.

The TMM may crash in rare scenarios when a stream is being torn down.

Conditions:
-- HTTP/2 is configured in the Gateway scenario.
-- The HTTP MRF Router is not used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes in rare scenarios when a stream is being torn down.

Fixed Versions:
14.1.3.1, 15.1.2

851045-1 : LTM database monitor may hang when monitored DB server goes down

Links to More Info: BT851045

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1

850973-1 : Improve QUIC goodput for lossy links

Links to More Info: BT850973

Component: Local Traffic Manager

Symptoms:
QUIC gets lower goodput compared to TCP when tested on lossy links.

Conditions:
The tested links are lossy (e.g, 0.1% loss probability).

Impact:
QUIC completes the data transfer in longer time.

Workaround:
N/A

Fix:
QUIC achieves similar or better goodput compared to TCP on lossy links.

Fixed Versions:
15.1.0.2

850933-1 : Improve QUIC rate pacing functionality

Links to More Info: BT850933

Component: Local Traffic Manager

Symptoms:
QUIC rate pacing becomes dis-functional under some conditions.

Conditions:
- QUIC rate pacing is in use.
- Packet size becomes slightly larger than available rate pacing bytes.

Impact:
QUIC rate pacing becomes noneffective which leads to sending data more bursty.

Workaround:
N/A

Fix:
QUIC rate pacing does not become dis-functional under some conditions anymore.

Fixed Versions:
15.1.0.2

850873-3 : LTM global SNAT sets TTL to 255 on egress.

Links to More Info: BT850873

Component: Local Traffic Manager

Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.

Conditions:
Traffic is handled by global SNAT.

Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.

Workaround:
None.

Fixed Versions:
14.1.3.1, 15.1.2

850777-3 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config

Links to More Info: BT850777

Component: TMOS

Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.

Errors similar to one below are seen in an LTM log:

err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.

Conditions:
- Static management IP address configuration.
- Instance is restarted.

Impact:
Instance is not operational after restart.

Workaround:
After instance is fully booted, reload the license with 'reloadlic'.

Fix:
In case of 1 NIC with static route, issuing "bigstart restart mcpd" will not be enough to bring system to the licensed state, issue "reboot" instead.

Fixed Versions:
14.1.3.1, 15.1.1

850677-4 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy

Links to More Info: BT850677

Component: Application Security Manager

Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.

Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.

Workaround:
Use UTF-8.

Fix:
This release supports REST access in non-UTF-8 policies.

Fixed Versions:
14.1.2.7, 15.1.0.5

850673-1 : BD sends bad ACKs to the bd_agent for configuration

Links to More Info: BT850673

Component: Application Security Manager

Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.

-- The policy may be incomplete in the bd causing incorrect enforcement actions.

Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.

Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).

-- A partial policy may exist in bd causing improper enforcement.

Workaround:
-- Unassign and reassign the policy.

-- if unassign/reassign does not help, export and then reimport the policy.

Fix:
Fixed inconsistency scenario between bd and bd_agent.

Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

850641-2 : Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies

Links to More Info: BT850641

Component: Application Security Manager

Symptoms:
An incorrect parameter is created for names with non-ASCII characters, e.g., a parameter with Chinese characters in the name in a BIG-IP encoding policy.

Conditions:
Non-UTF8 policy parameters created using the GUI.

Impact:
The BIG-IP system does not enforce these parameters, and the list of parameters is not rendered correctly.

Workaround:
Create the parameter using REST API.

Fix:
Parameters are now created correctly in the GUI for any policy encoding and any characters in the parameter name.

Fixed Versions:
15.1.0.5

850509-1 : Zone Trusted Signature inadequately maintained, following change of master key

Links to More Info: BT850509

Component: Global Traffic Manager (DNS)

Symptoms:
During config load or system start-up, you may see the following error:

-- 01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.

In some instances, other errors resembling the following may appear:

-- Failed to sign zone transfer query for zone DNSZONE01 using TSIG key zone01key.pl.

-- Failed to transfer DNSZONE01 from 203.0.113.53, will attempt IXFR (Retry).

Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.

Impact:
Unable to view TSIG keys. Configuration cannot be loaded. Failures of DNS zone transfers may occur.

Workaround:
None.

Fix:
When master key changes, TSIG keys are now properly re-encrypted, so this problem no longer exists.

Fixed Versions:
14.1.4.4, 15.1.2

850277-1 : Memory leak when using OAuth

Links to More Info: BT850277

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.

Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2

850193-4 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues

Links to More Info: BT850193

Component: TMOS

Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.

Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.

Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4

850145-1 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed

Links to More Info: BT850145

Component: Local Traffic Manager

Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.

Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.

Impact:
Connection hangs and is eventually reset.

Workaround:
No workaround.

Fix:
If a connection to the server has been established, pipelined requests are now processed immediately and not queued.

Fixed Versions:
14.1.3.1, 15.1.2

849405-2 : LTM v14.1.2.1 does not log after upgrade

Links to More Info: BT849405

Component: TMOS

Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.

Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.

Impact:
Logs are not generated and sysstat.service is not running.

Workaround:
Once the BIG-IP system starts up, check for failed services:

systemctl list-units --failed

If results show sysstat.service as FAILED, run the following command:

restorecon -Rv /var/log/sa6 && systemctl start sysstat

Fixed Versions:
14.1.2.5, 15.1.0.5

849157-2 : An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck

Links to More Info: BT849157

Component: TMOS

Symptoms:
The outgoing SCTP connection does not expire after attempting to INIT the maximum number of times. It then becomes stuck and does not expire when it reaches its idle-timeout, and cannot be manually deleted.

Conditions:
An outgoing SCTP connection is permitted to attempt the INIT retransmit the maximum number of times configured with no responses (accepting or aborting) from the target endpoint.

Impact:
Stale SCTP connections are left in the system and start to use up memory. Traffic may be interrupted in certain configurations, as the system thinks it is still attempting to bring up the lost SCTP connection and does not ever try to create a new one.

Workaround:
To clear the stale connections, restart tmm:
bigstart restart tmm

Note: Restarting tmm causes an interruption to traffic.

Fix:
SCTP connections now expire properly after the maximum number of INITs have been attempted and can no longer get stuck in this case.

Fixed Versions:
15.1.4

849085-1 : Lines with only asterisks filling message and user.log file

Links to More Info: BT849085

Component: TMOS

Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.

For example:

Nov 12 10:40:57 bigip1 **********************************************

Conditions:
Snmp query an OID handled by sflow, for example:

snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1

Impact:
The impact is cosmetic only, however it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.

Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.

Both workarounds are done by editing the syslog template, this means that if the you upgrades, you must edit the template again to reinstate the workaround.

=============================================
Solution #1 - Filter out all sflow_agent logs:

1) remount /usr as read+write:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl

4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

  For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only
    mount -o ro,remount /usr

=============================================
Solution #2 - Filter out all messages with \n or \r:

1) remount /usr as r+w:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl:

4a) Open syslog.tmpl for edit:
    vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

   For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':

tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only:
    mount -o ro,remount /usr

Fix:
The sflow log message that was a multiline message has been changed so that it is no longer multiline.

Fixed Versions:
14.1.3.1, 15.1.1

848777-3 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.

Links to More Info: BT848777

Component: Local Traffic Manager

Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:

-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

Conditions:
-- Create custom partition.
-- Create custom route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port, or port list.
-- Now, try to Sync to high availability (HA) peer.

Impact:
Sync fails with error. Configuration does not sync to peer node.

On VIPRION systems this may cause mcpd on a secondary blade to crash and fail to come up.

Workaround:
None

Fix:
Configuration now syncs to peer node successfully.

Fixed Versions:
14.1.2.7, 15.1.0.4

848445-1 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer

Links to More Info: K86285055, BT848445

Component: Application Security Manager

Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.

Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.

Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.

Workaround:
Can defined the parameters as global sensitive parameters.

Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5

848405-2 : TMM may consume excessive resources while processing compressed HTTP traffic

Links to More Info: K26244025, BT848405

847325-3 : Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.

Links to More Info: BT847325

Component: Local Traffic Manager

Symptoms:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.

Conditions:
-- A OneConnect profile is combined with certain persist profiles on a virtual server.

-- The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.

-- The persistence types that are affected are:
   - Source Address (but not hash-algorithm carp)
   - Destination Address (but not hash-algorithm carp)
   - Universal
   - Cookie (only cookie hash)
   - Host
   - SSL session
   - SIP
   - Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.

Workaround:
None.

Fix:
Changing a virtual server that uses a OneConnect profile no longer triggers incorrect persistence behavior.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

847105-2 : The bigip_gtm.conf is reverted to default after rebooting with license expired

Links to More Info: BT847105

Component: Global Traffic Manager (DNS)

Symptoms:
The bigip_gtm.conf is reverted to default after rebooting (or upgrading to a newer BIG-IP software release).

Conditions:
-- The BIG-IP license is expired prior to the reboot or upgrade.
-- GTM is configured.

Impact:
The GTM configuration (in /config/bigip_gtm.conf) information is lost in the newly installed boot location.

Workaround:
Renew license before reboot. Always reboot with valid license.

If you have already rebooted or upgraded with an expired license, and your configuration has been lost, you can restore it using the following procedure.

1. Re-activate the BIG-IP license
2. Restore bigip_gtm.conf from the auto-created backup (.bak) file:
   cp /config/bigip_gtm.conf.bak /config/bigip_gtm.conf
3. Load the replaced config:
   tmsh load sys config gtm-only

If this is a the result of a software upgrade, and the .bak file is not available or has been overwritten, you can boot back to the previous volume and re-copy the configuration from there (cpcfg or via the GUI) before rebooting back to the upgraded software release.

Fixed Versions:
14.1.4.4, 15.1.4.1

846917-1 : lodash Vulnerability: CVE-2019-10744

Links to More Info: K47105354, BT846917

846713-1 : Gtm_add does not restart named

Links to More Info: BT846713

Component: Global Traffic Manager (DNS)

Symptoms:
Running gtm_add failed to restart the named daemon.

Conditions:
Run gtm_add to completion.

Impact:
Named is not restarted. No BIND functionality.

Workaround:
Restart named:
bigstart start named

Fix:
Fixed an issue preventing 'named' from restarting after running the gtm_add script.

Fixed Versions:
15.1.0.3

846601-4 : Traffic classification does not update when an inactive slot becomes active after upgrade

Links to More Info: BT846601

Component: Traffic Classification Engine

Symptoms:
VIPRION platforms have an automated process of joining a newly inserted blade to a cluster. TMOS install, licensing, and configuration including iAppLX are synchronized from primary to the newly inserted blade automatically without manual intervention. Traffic classification update is not occurring as expected under these conditions.

Conditions:
-- Traffic classification configured.
-- Update installation.
-- VIPRION blade is inactive, and later comes online.

Impact:
Traffic policies/rules related to updated installation do not work on inactive slot when it returns to the online state.

Workaround:
To prevent this issue from occurring, ensure that all blades are online when installation begins.

If you insert a blade, run config sync manually from the active blade.

Fix:
Upgrade script now initiates install when the slot becomes active.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2

846441-2 : Flow-control is reset to default for secondary blade's interface

Links to More Info: BT846441

Component: TMOS

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2

846365-1 : TMM may crash while processing IP traffic

Links to More Info: K35750231, BT846365

846217-3 : Translucent vlan-groups set local bit in destination MAC address

Links to More Info: BT846217

Component: Local Traffic Manager

Symptoms:
Translucent vlan-groups may set the locally-unique bit in a destination MAC address when sending traffic to a pool member/client.

Conditions:
On versions earlier than 15.0.0:
- Translucent vlan-group is in use.

On v15.0.0 and later:
-- Translucent vlan-group is in use.
-- The connection.vgl2transparent db variable is enabled.

Impact:
Traffic handled by translucent vlan-groups may not work properly.

Workaround:
On versions earlier than 15.0.0, there is no workaround.

-- On version 15.0.0 and later, you can disable the connection.vgl2transparent db variable to mitigate the problem:

tmsh modify sys db connection.vgl2transparent value disable

Note: connection.vgl2transparent is disabled by default.

Fixed Versions:
14.1.4.4, 15.1.2.1

846181-3 : Request samples for some of the learning suggestions are not visible

Links to More Info: BT846181

Component: Application Security Manager

Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.

Conditions:
'Learning Suggestion' created from only one 'Request Log' record.

Impact:
Learning suggestions created from single request does not show source 'request log' in the 'Suggestion' GUI section

Workaround:
None.

Fixed Versions:
14.1.4.2, 15.1.4

846157-1 : TMM may crash while processing traffic on AWS

Links to More Info: K01054113, BT846157

846137-4 : The icrd returns incorrect route names in some cases

Links to More Info: BT846137

Component: TMOS

Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.

Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.

Impact:
Result information is not compatible with actual result.

Workaround:
None.

Fix:
The system now verifies whether or not the leafname a numeric valuel, so this issue no longer occurs.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2

846073-1 : Installation of browser challenges fails through Live Update

Links to More Info: BT846073

Component: Application Security Manager

Symptoms:
Live Update of Browser Challenges fails installation.

Live Update provides an interface on the F5 Downloads site to manually install or configure automatic installation of various updates to BIG-IP ASM components, including ASM Attack Signatures, Server Technologies, Browser Challenges, and others.

Conditions:
-- From the F5 Downloads side, select a software version.
-- Click BrowserChallengesUpdates.
-- Attempt to download and install Download BrowserChallenges<version_number>.im.

Note: Browser Challenges perform browser verification, device and bot identification, and proactive bot defense.

Impact:
Browser Challenges update file cannot be installed.

Workaround:
None.

Fix:
Browser Challenges update file can now be installed via Live Update.

Fixed Versions:
15.1.0.2

846057-3 : UCS backup archive may include unnecessary files

Links to More Info: BT846057

Component: Application Security Manager

Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.

Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.

Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.

Workaround:
Before running the UCS backup process, remove directories:

/var/tmp/ts_db.save_dir_*.cstmp/

Fixed Versions:
13.1.4, 14.1.4, 15.1.3

845333-6 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config

Links to More Info: BT845333

Component: Local Traffic Manager

Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]

Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.

Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.

Workaround:
Make the datagroup a Tcl variable to bypass validation.

Fix:
Validation can recognize the datagroup on Transport Config objects.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

845313-3 : Tmm crash under heavy load

Links to More Info: BT845313

Component: Policy Enforcement Manager

Symptoms:
Tmm crashes.

Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to PEM subscriber IDs.

Fixed Versions:
14.1.4, 15.1.2.1

844781-3 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection

Links to More Info: BT844781

Component: Access Policy Manager

Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.

Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384

Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.

Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/

Fix:
Fixed an issue with an SELinux policy blocking Portal Access from processing web applications traces.

Fixed Versions:
14.1.4.4, 15.0.1.3, 15.1.0.2

844689-1 : Possible temporary CPU usage increase with unusually large named.conf file

Links to More Info: BT844689

Component: Global Traffic Manager (DNS)

Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.

Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).

Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.

Workaround:
None.

Fix:
ZoneRunner does not issue a reload command when zones are checked for updates, so no CPU usage increases occur.

Fixed Versions:
14.1.3.1, 15.1.2

844685-1 : Per-request policy is not exported if it contains HTTP Connector Agent

Links to More Info: BT844685

Component: Access Policy Manager

Symptoms:
Per-request policy cannot be exported if it contains an HTTP Connector agent.

Conditions:
-- Create a Per Request Policy.
-- In the sub-routine section, create a new sub-routine and
   attach HTTP Connector to that sub-routine.
-- After the policy creation is done, export the policy.

Impact:
Per-request policy cannot be exported and reports an error.

Workaround:
None.

Fix:
Create a valid HTTP Connector agent in tmsh and the per request policy gets exported as expected.

Fixed Versions:
15.1.0.2

844573-1 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.

Links to More Info: BT844573

Component: Access Policy Manager

Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.

Conditions:
This is encountered when this message is logged by mcpd.

Impact:
Log message cannot be grouped with messages at the correct log level.

Workaround:
None.

Fixed Versions:
15.1.0.2

844281-3 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.

Links to More Info: BT844281

Component: Access Policy Manager

Symptoms:
Java applets are not patched when accessed through APM Portal Access.

/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.

/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.

Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.

Impact:
Java applets cannot be patched by APM Portal Access rewriter.

Workaround:
None.

Fix:
Fixed an issue with SELinux policy blocking Portal Access code from reading Java Patcher certificates.

Fixed Versions:
14.1.4.4, 15.0.1.3, 15.1.0.2

844085-1 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Links to More Info: BT844085

Component: TMOS

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any

Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1

843801-2 : Like-named previous Signature Update installations block Live Update usage after upgrade

Links to More Info: BT843801

Component: Application Security Manager

Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.

Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.

Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.

Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat

This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.


** Another Workaround incase the above does not solve the issue:
1. stop the tomcat server:
   > bigstart stop tomcat
2. clean the live update db :
   > cd /var/lib/hsqldb/live-update
   > rm -f liveupdatedb.*
3. remove all *.im files which are not genesis file (factory-default files):
   3.1 get the list of genesis files:
     > less /etc/live-update-genesis.yaml | grep genes | cut -d":" -f2
   3.2 go to update file directory:
     > cd /var/lib/hsqldb/live-update/update-files
   3.3 manually remove the *.im files that are not genesis
4. restart the tomcat server:
   > bigstart start tomcat

Fixed Versions:
14.1.2.7, 15.1.1

843597-1 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Links to More Info: BT843597

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes. This issue can present itself in a few different ways, depending on the underlying platform. One example would be the BIG-IP failing to initialize vmxnet interfaces with messages similar to the following logged in /var/log/tmm:

 notice vmxnet3[1b:00.0]: MTU: 9198
 notice vmxnet3[1b:00.0]: Error: Activation command failed: 1

If the BIG-IP does successfully initialize its vmxnet interfaces, there can be unpredictable behavior (possibly with the hypervisor).

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- If the BIG-IP is able to initialize the vmxnet interfaces: Passing packets larger than 9000 bytes.

Impact:
The BIG-IP system may not be able to initialize the vmxnet3 interfaces on startup. If it is able to do so, then packets may be dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0

Fix:
The software now ensure that the default setting for the vmxnet3 driver MTU is 9000, which prevents the issue from occurring.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2

842989-6 : PEM: tmm could core when running iRules on overloaded systems

Links to More Info: BT842989

Component: Policy Enforcement Manager

Symptoms:
When sessions usage iRules are called on an already overloaded system it might crash.

Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Reduce the load on tmm or modify the optimize the irule.

Fixed Versions:
14.1.4, 15.1.2

842937-6 : TMM crash due to failed assertion 'valid node'

Links to More Info: BT842937

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.

Fix:
Ramcache module stops handling messages after it is teared down, so it does not attempt to use data structures which have already been deinitialized.

Fixed Versions:
12.1.5.3, 14.1.2.7, 15.1.1

842865-2 : Add support for Auto MAC configuration (ixlv)

Links to More Info: BT842865

Component: TMOS

Symptoms:
Mac addresses are forced to be the same for ixlv trunks.

Conditions:
This happens when ixlv trunks are used.

Impact:
Mac addresses may not be as depicted on the device.

Workaround:
None.

Fix:
Unicast mac filters are used for ixlv trunks.

Fixed Versions:
14.1.2.8, 15.0.1.4, 15.1.0.5

842829-1 : Multiple tcpdump vulnerabilities

Links to More Info: K04367730, BT842829

842717-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855

Links to More Info: K55102004, BT842717

842625-5 : SIP message routing remembers a 'no connection' failure state forever

Links to More Info: BT842625

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.

Fix:
SIP message routing now recovers from a 'no connection' failure state.

Fixed Versions:
13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2

842517-2 : CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails

Links to More Info: BT842517

Component: Local Traffic Manager

Symptoms:
SSL handshake fails with error in LTM logs.pkcs11d[10407]:
err pkcs11d[10407]: 01680048:3: C_Sign: pkcs11_rv=0x00000082, CKR_OBJECT_HANDLE_INVALID

Conditions:
Key created with Safenet NetHSM is used in SSL profile for virtual server. This error is seen randomly.

Impact:
SSL handshake fails.

Workaround:
Restart the PKCS11D.

Fixed Versions:
15.1.3

842189-4 : Tunnels removed when going offline are not restored when going back online

Links to More Info: BT842189

Component: TMOS

Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.

Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.

Impact:
Failure of tunnel packet traffic.

Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.

Fix:
Tunnels removed when going offline are now restored when going back online.

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1

842161-1 : Installation of Browser Challenges fails in 15.1.0

Links to More Info: BT842161

Component: Application Security Manager

Symptoms:
Browser Challenges default installation fails in 15.1.0 after upgrade or resetting back to default.

BIG-IP software v15.1.0 ships with a BrowserChallenges_20191121_043810.im file that does not have a proper encryption, and when trying to install the file via the Live Update page the following error occurs:

gpg: WARNING: unsafe ownership on homedir `/ts/share/negsig/gpg_asm_sigfile_installer'
gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20
      "asm_sigfile_installer"
gpg: Signature made Thu 21 Nov 2019 02:38:10 PM IST using RSA key ID BC67BA01
gpg: Can't check signature: No public key

Conditions:
Live Update file BrowserChallenges_20191121_043810.im has a different status than 'Currently Installed'.

Impact:
If the file 'BrowserChallenges_20191121_043810.im ' is the newest file then upgrade is not applicable.

Workaround:
None

Fix:
Browser Challenges update file can now be installed via Live Update.

Fixed Versions:
15.1.0.2

842125-6 : Unable to reconnect outgoing SCTP connections that have previously aborted

Links to More Info: BT842125

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.

Fix:
SCTP connections can now be halted and recreated to the same endpoint.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.0.5

842013-3 : ASM Configuration is Lost on License Reactivation

Links to More Info: BT842013

Component: Application Security Manager

Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.

Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded

Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'

Workaround:
In the case of license re-activation/before upgrade:

   Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.

   In a case of booting the system into the new version:

   Option 1:

      1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
      2. Reload the config from the fixed UCS file using the command in K13132.

   Option 2:

      1. Roll back to the old version.
      2. Fix the issue that was preventing the config to load.
      3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324

   Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

841953-7 : A tunnel can be expired when going offline, causing tmm crash

Links to More Info: BT841953

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes under these conditions.

Fixed Versions:
12.1.5.3, 14.1.2.8, 15.1.0.2

841649-4 : Hardware accelerated connection mismatch resulting in tmm core

Links to More Info: BT841649

Component: TMOS

Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.

Conditions:
One or more of the following:

-- A FastL4 virtual server that has hardware acceleration enabled.
-- A NAT or SNAT object without a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable hardware acceleration.

Fixed Versions:
14.1.4.1, 15.1.2

841581 : License activation takes a long time to complete on Google GCE platform

Links to More Info: BT841581

Component: TMOS

Symptoms:
The license installation and activation process takes a very long time to complete.

Conditions:
- BIG-IP Virtual Edition running on Google Compute Engine (GCE) Platform.
- Activating the BIG-IP license.

Impact:
It can take 2-3 minutes to report the device is licensed and 3-4 minutes for BIG-IP system to become Active after that.

Workaround:
None.

Fixed Versions:
15.1.0.2

841577-2 : iControl REST hardening

Links to More Info: K20606443, BT841577

841469-6 : Application traffic may fail after an internal interface failure on a VIPRION system.

Links to More Info: BT841469

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.

Fix:
The system now includes the enhancement for the 'standalone chassis which belongs to a pool' use-case, as discussed under the Workaround section.

Fixed Versions:
13.1.3.4, 15.1.2.1

841333-7 : TMM may crash when tunnel used after returning from offline

Links to More Info: BT841333

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2

841305-2 : HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log

Links to More Info: BT841305

Component: Application Visibility and Reporting

Symptoms:
The HTTP/2 version appears in charts, but when clicking on the chart reports, errors are reported in monpd log and the chart is empty in the GUI, with an error reported in the GUI and in the monpd log:

-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:mysql_query_safe:0209| Error (err-code 1054) executing SQL string :
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:runSqlQuery:0677| Error executing SQL query:
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/handlers/ReportRunnerHandler.cpp:runReport:0409| Results for query came back as NULL
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/ReporterUtils.cpp:throwInternalException:0105| throwing exception to client error code is 1 error msg is Internal error

Conditions:
-- Create a new policy or use an existing policy.
-- Go to Security :: Reporting : Application : Charts.
-- Select weekly charts.

Impact:
Charts are empty in the GUI, and the system logs errors in monpd.

Workaround:
None.

Fix:
Fixed an issue with HTTP stats database tables.

Fixed Versions:
15.1.0.5, 16.0.1

841277-7 : C4800 LCD fails to load after annunciator hot-swap

Links to More Info: BT841277

Component: TMOS

Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.

Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.

Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.

Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable

2. Wait 10 seconds.

3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.

This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.

Fix:
The LCD now automatically reloads once a functioning annunciator card is inserted into the left slot and the top bezel is replaced. It may take up to 10 seconds for the LCD to return to normal functionality.

Fixed Versions:
14.1.4.3, 15.1.4

840821-1 : SCTP Multihoming not working within MRF Transport-config connections

Links to More Info: BT840821

Component: Service Provider

Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.

Conditions:
Usage of SCTP multi-homing with a MRF transport-config.

Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
THe system is now able to create outgoing SCTP multihoming connections using a transport-config to define the connection.

Fixed Versions:
15.1.0.2

840809-2 : If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged

Links to More Info: BT840809

Component: Advanced Firewall Manager

Symptoms:
When subscriber info changes, the log events for LSN_PB_UPDATE are not logged.

Conditions:
If subscriber info changes, for example, if a client is sending a radius message with IMSI A - LSN_PB_UPDATE logs are observed. And later when the IMSI is changed to B and another radius message is sent from the client, then LSN_PB_UPDATE log events are not observed.

Impact:
LSN_PB_UPDATE are not logged.

Fix:
Fix will send LSN_PB_UPDATE even if subscriber info is changed

Fixed Versions:
14.1.4, 15.1.2

839761-1 : Response Body preview hardening

Links to More Info: K12002065, BT839761

839749-3 : Virtual server with specific address list might fail to create via GUI

Links to More Info: BT839749

Component: Local Traffic Manager

Symptoms:
When a user tries to create a virtual server with address list, it might fail with below shown error:

01b90011:3: Virtual Server /Common/VS1's Traffic Matching Criteria /Common/testvs1 illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/testvs2 destination address, source address, service port.

Conditions:
-- One or more virtual servers that were created via the GUI already exist on the BIG-IP system.
-- Attempt to use the GUI to create another virtual server with address list.

Impact:
Cannot create the virtual server.

Fix:
You can now create virtual servers with address lists directly from the GUI.

Fixed Versions:
14.1.2.8, 15.0.1.1, 15.1.0.5

839597-6 : Restjavad fails to start if provision.extramb has a large value

Links to More Info: BT839597

Component: Device Management

Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
  + above ~2700-2800 MB for v12.1.0 and earlier.
  + above ~2900-3000 MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system.

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extramb value 2000


If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad

Fix:
Restjavad memory is now capped at a sensible maximum.

If provision.extramb is set to a value higher than 2500 MB it will be considered to be 2500 MB for the purposes of restjavad, and the system logs a message similar to the following in /var/log/ltm, where XXXX is the value of provision.extramb:

notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5

839453-6 : lodash library vulnerability CVE-2019-10744

Links to More Info: K47105354, BT839453

839401-1 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.

Links to More Info: BT839401

Component: Local Traffic Manager

Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).

Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.

Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.

Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.

Fix:
GARPs are sent out as expected.

Fixed Versions:
14.1.2.5, 15.0.1.4, 15.1.0.2

839245-3 : IPother profile with SNAT sets egress TTL to 255

Links to More Info: BT839245

Component: Local Traffic Manager

Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.

Conditions:
Virtual-server with ipother profile and SNAT configured.

Impact:
Traffic leaves with egress TTL set to 255.

Workaround:
None.

Fix:
TTL is now decremented by 1 on forwarded packets.

Fixed Versions:
14.1.2.5, 15.1.0.2

839145-3 : CVE-2019-10744: lodash vulnerability

Links to More Info: K47105354, BT839145

839121-3 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade

Links to More Info: K74221031, BT839121

Component: TMOS

Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

Conditions:
The upgrade failure is seen when all the following conditions are met:

-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.

Workaround:
There are two possible workarounds:

-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.

-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:

 1. cp /config/bigip.conf /config/backup_bigip.conf
 2. Run: sed -i "s/\(\!SSLv2:\|:\!SSLv2\)//g" /config/bigip.conf
 3. tmsh load /sys config

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

838909-3 : BIG-IP APM Edge Client vulnerability CVE-2020-5893

Links to More Info: K97733133, BT838909

838901-4 : TMM receives invalid rx descriptor from HSB hardware

Links to More Info: BT838901

Component: TMOS

Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.

Workaround:
None.

Fixed Versions:
13.1.4, 14.1.4, 15.1.2

838881-1 : APM Portal Access Vulnerability: CVE-2020-5853

Links to More Info: K73183618, BT838881

838861-3 : TMM might crash once after upgrading SSL Orchestrator

Links to More Info: BT838861

Component: Access Policy Manager

Symptoms:
TMM might crash due to SIGABRT.

Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.

Impact:
TMM might crash once. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Session check agent now exits and terminates the flow.

Fixed Versions:
14.1.2.7, 15.1.1

838713 : LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test'

Links to More Info: BT838713

Component: TMOS

Symptoms:
During EUDSF3.9.1 Front Port LED Test on BIG-IP iSeries platforms, the LCD buttons are unresponsive.

Conditions:
-- Running the EUDSF3.9.1 Front Port LED Test.
-- Using BIG-IP iSeries platforms.

Impact:
Cannot execute the EUDSF3.9.1 Front Port LED Test on BIG-IP iSeries platforms..

Workaround:
Continue to use EUDSF 3.7.0. EUDSF3.9.1 is required only for iSeries i10010, where the test does not have this issue.

Fix:
The version EUD3.9.2 release contains a fix for this issus.

Fixed Versions:
15.1.2.1

838709-4 : Enabling DoS stats also enables page-load-time

Links to More Info: BT838709

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

838685-4 : DoS report exist in per-widget but not under individual virtual

Links to More Info: BT838685

Component: Application Visibility and Reporting

Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.

Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.

Impact:
GUI widgets report errors and cannot show stats.

Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:

1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
   $ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/

2. Change permissions to allow modifying it:
   $ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

3. Change the file to include the fix:
   $ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
   $ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

4. Verify that the fix is as expected:
   $ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php

   (** You should see two lines modified:
       1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
       2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')

5. Revert permissions of the file:
   $ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

6. Log out and log back into the GUI, so that the new version of the file loads.

Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5

838677-1 : lodash library vulnerability CVE-2019-10744

Links to More Info: K47105354, BT838677

838297-2 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Links to More Info: BT838297

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.

Fixed Versions:
14.1.2.8, 15.1.1

837837-2 : F5 SSH server key size vulnerability CVE-2020-5917

Links to More Info: K43404629, BT837837

837773-7 : Restjavad Storage and Configuration Hardening

Links to More Info: K12936322, BT837773

837637-1 : Orphaned bigip_gtm.conf can cause config load failure after upgrading

Links to More Info: K02038650, BT837637

Component: Global Traffic Manager (DNS)

Symptoms:
Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
Before upgrading:

If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh restart sys service all

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

837617-1 : Tmm may crash while processing a compression context

Links to More Info: BT837617

Component: Local Traffic Manager

Symptoms:
Tmm crashes on segfault.

Conditions:
Conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
14.1.4.4, 15.1.0.2

837333-1 : User cannot update blocking response pages after upgrade

Links to More Info: BT837333

Component: Application Security Manager

Symptoms:
Response Pages screen is stuck after user tries to save changes

Conditions:
The device is upgraded from a pre-15.1 release to a newer version

Impact:
Impossible to update blocking response pages using the GUI

Workaround:
Blocking pages can be updated using the REST API

Fix:
Database upgrade script was fixed to preserve correct Server Technology settings that lead to errors in Response Pages screen

Fixed Versions:
15.1.4

837233-3 : Application Security Administrator user role cannot use GUI to manage DoS profile

Links to More Info: BT837233

Component: Advanced Firewall Manager

Symptoms:
BIG-IP GUI users configured with the Application Security Administrator role are not allowed to manage DoS profile page and settings.

Conditions:
This affects users logged in with the Application Security Administrator role

Impact:
DoS profiles cannot be edited from the GUI.

Workaround:
You can use either workaround:

-- Change the user role to one that allows managing DoS profile.
-- Have the Application Security Administrator user edit profiles from tmsh.

Fix:
The roles Application Security Operations Administrator and Application Security Administrator can now manage DoS profiles in the GUI.

Fixed Versions:
14.1.4, 15.1.3

836357-5 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Links to More Info: BT836357

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.

Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2

835381-3 : HTTP custom analytics profile 'not found' when default profile is modified

Links to More Info: BT835381

Component: Application Visibility and Reporting

Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:

-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.

Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.

Impact:
Loading configuration might fail.

Workaround:
None.

Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

835309-1 : Some strings on BIG-IP APM Server pages are not localized

Component: Access Policy Manager

Symptoms:
Some text in APM Server pages, such as the logout page, are presented in English even when using a different language.

Conditions:
Use APM with a localized language, and certain strings for pages like logout, Webtop, or EPS, would still be in English.

Impact:
Some strings are displayed in English instead of localized language.

Workaround:
None.

Fix:
BIG-IP APM Server pages have been updated to include translations for all the affected strings.

Fixed Versions:
15.1.0.2

835209-3 : External monitors mark objects down

Links to More Info: BT835209

Component: Global Traffic Manager (DNS)

Symptoms:
Object to which the external monitor is attached is marked down.

Conditions:
Executing external monitors trying to access something without appropriate permissions.

Impact:
Object to which the external monitor is attached is marked down.

Workaround:
None.

Fix:
This issue no longer occurs.

Fixed Versions:
14.1.4.2, 15.1.3

834853 : Azure walinuxagent has been updated to v2.2.42

Links to More Info: BT834853

Component: TMOS

Symptoms:
Some onboarding features are not available in the current version of walinuxagent.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.42

Fixed Versions:
15.1.0.1

834533-7 : Linux kernel vulnerability CVE-2019-15916

Links to More Info: K57418558, BT834533

834257-1 : TMM may crash when processing HTTP traffic

Links to More Info: K25400442, BT834257

833685-5 : Idle async handlers can remain loaded for a long time doing nothing

Links to More Info: BT833685

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5

833213-1 : Conditional requests are served incorrectly with AAM policy in webacceleration profile

Links to More Info: BT833213

Component: WebAccelerator

Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.

Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.

Impact:
Client does not receive an updated resource.

Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.

Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.

Fixed Versions:
13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3

833113-6 : Avrd core when sending large messages via https

Links to More Info: BT833113

Component: Application Visibility and Reporting

Symptoms:
When sending large messages (>4KB) via HTTPs may cause avrd to core.

Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.

Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due contiguous AVRD cores.

Workaround:
None.

Fix:
Fixed an avrd crash

Fixed Versions:
13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4

833049-4 : Category lookup tool in GUI may not match actual traffic categorization

Links to More Info: BT833049

Component: Access Policy Manager

Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).

Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.

Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.

Workaround:
None.

Fixed Versions:
13.1.3.5, 14.1.4, 15.1.2

832885-1 : Self-IP hardening

Links to More Info: K05975972, BT832885

832881-1 : F5 Endpoint Inspection helper app is not updated

Links to More Info: BT832881

Component: Access Policy Manager

Symptoms:
F5 Endpoint Inspection helper app is not updated, but other components such as F5 VPN helper App is auto updated.

Conditions:
Use a browser to establish VPN

Impact:
End users cannot to receive bug fixe or feature enhancement updates.

Workaround:
Download and install F5 Endpoint Inspection helper from BIG-IP.

https://APM_SERVER/public/download/f5epi_setup.exe

Fix:
F5 Endpoint Inspection helper app is auto updated.

Fixed Versions:
15.1.0.2

832805-2 : AVR should make sure file permissions are correct (tmstat_tables.xml)

Links to More Info: BT832805

Component: Application Visibility and Reporting

Symptoms:
By building rpm of avrd, few cfg files get wrong set of permissions (executable)

Conditions:
Any build of avrd rpm

Impact:
Apparently not having the right set of permissions can lead to system halt

Workaround:
Change permissions on file:

# chmod -x /etc/avr/tmstat_tables.xml

Fix:
AVR build the rpm cfg files with the right set of permissions, instead of building them as executable file, building them in 644 mode.

Fixed Versions:
14.1.4.5, 15.1.4.1

832757 : Linux kernel vulnerability CVE-2017-18551

Links to More Info: K48073202, BT832757

832569-3 : APM end-user connection reset

Links to More Info: BT832569

Component: Access Policy Manager

Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.

Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.

Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:

-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.

Workaround:
None.

Fix:
The URL length limit has been increased from 8 KB to 32 KB.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

832021-3 : Port lockdown settings may not be enforced as configured

Links to More Info: K73274382, BT832021

832017-3 : Port lockdown settings may not be enforced as configured

Links to More Info: K10251014, BT832017

831821-1 : Corrupted DAG packets causes bcm56xxd core on VCMP host

Links to More Info: BT831821

Component: TMOS

Symptoms:
On VCMP host, bcm56xxd crashes when it receives a corrupted DAG packets.

Conditions:
Unknown.

Impact:
Device goes offline, traffic disruption.

Fixed Versions:
14.1.4.5, 15.1.4.1

831781-4 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode

Links to More Info: BT831781

Component: Access Policy Manager

Symptoms:
Both AD Query and LDAP Auth/Query fails.

Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as IPv6 address.

Impact:
Users may not be able to login to APM, and hence service is disrupted.

Workaround:
None.

Fix:
Users are now able to login to APM.

Fixed Versions:
14.1.2.5, 15.0.1.3, 15.1.0.2

831517-2 : TMM may crash when Network Access tunnel is used

Links to More Info: BT831517

Component: Access Policy Manager

Symptoms:
TMM may crash.

Conditions:
-- APM session is established.
-- Network Access tunnel is established and used;

Impact:
APM end users experience Network Access tunnel disconnected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a tmm crash.

Fixed Versions:
14.1.2.7, 15.1.3

831293-5 : SNMP address-related GET requests slow to respond.

Links to More Info: BT831293

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2

830797-3 : Standby high availability (HA) device passes traffic through virtual wire

Links to More Info: BT830797

Component: Local Traffic Manager

Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.

Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.

Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.

Workaround:
Do not configure virtual wire on standby devices.

Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.

Fixed Versions:
14.1.2.3, 15.0.1.1, 15.1.1

830717 : Appdata logical volume cannot be resized for some cloud images

Links to More Info: BT830717

Component: TMOS

Symptoms:
When resizing the appdata logical volume, the change may not be honored. This is because sometimes the disk metadata does not support the change without unmounting and remounting the disk.

Conditions:
This issue applies to deployments that provision multiple modules requiring a large appdata logical volume.

Impact:
The appdata logical volume cannot be resized, so you must reduce the number of modules and the associated provisioning level so that the existing appdata logical volume size does support them.

Workaround:
None.

Fix:
Logic was added to disk resizing to account for scenarios where the disk must be unmounted and then remounted to make the change. If the disk must be unmounted and remounted, this also requires a reboot (automatic).

Fixed Versions:
15.1.0.2

830481-1 : SSL TMUI hardening

Links to More Info: K29923912, BT830481

830413-3 : Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure

Links to More Info: BT830413

Component: TMOS

Symptoms:
Deployment of BIG-IP Virtual Edition may result in an error "Failed to generate ssh host key".

Conditions:
Azure only. Observed for instances with password-based authentication.

Impact:
A timing issues exists with host key generation. The Virtual Machine is likely to be deployed, but users and automation tools might be unable to communicate with the instance.

Workaround:
BIG-IP may still be accessible despite the error.

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1

830401-1 : TMM may crash while processing TCP traffic with iRules

Links to More Info: K54200228, BT830401

830341-2 : False positives Mismatched message key on ASM TS cookie

Links to More Info: BT830341

Component: Application Security Manager

Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"

Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact

Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation

Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.

OR

2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint

Fix:
ASM system does not trigger false positives

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2

830073-2 : AVRD may core when restarting due to data collection device connection timeout

Links to More Info: BT830073

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.

Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

829821-1 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured

Links to More Info: BT829821

Component: TMOS

Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.

Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).

Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).

Workaround:
None.

Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2

829677-2 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Links to More Info: BT829677

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker

The fix also includes automatic removal of unused tmp files.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1

829317-5 : Memory leak in icrd_child due to concurrent REST usage

Links to More Info: BT829317

Component: TMOS

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
Memory slowly leaks in icrd_child.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.

Fixed Versions:
13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2

829277-2 : A Large /config folder can cause memory exhaustion during live-install

Links to More Info: BT829277

Component: TMOS

Symptoms:
-- Live install can fail at ~96% complete.
-- System memory might be exhausted, and the kernel terminates processes as a result.

Conditions:
-- During live-install.
-- Configuration roll-forward is enabled.
-- The uncompressed UCS size is larger than the available memory.

Impact:
The kernel terminates any number of processes; any/all critical applications might become nonfunctional.

Workaround:
You can use these two techniques to mitigate this situation:

-- Any file stored under /config is considered part of the configuration, so make sure there are no large, unnecessary files included in that directory.

-- If the configuration matches or is close to total system memory size, do not roll it forward as part of live install. Instead, save the UCS manually and restore it after rebooting to the new software.

To turn off config roll forward:
setdb liveinstall.saveconfig disable

For information about manually saving and restoring configurations, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive :: https://support.f5.com/csp/article/K13132.

Fixed Versions:
14.1.3.1, 15.1.2.1

829193-4 : REST system unavailable due to disk corruption

Links to More Info: BT829193

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.0.4

829121-1 : State mirroring default does not require TLS

Links to More Info: K65720640, BT829121

829117-1 : State mirroring default does not require TLS

Links to More Info: K17663061, BT829117

828937-1 : Some systems can experience periodic high IO wait due to AVR data aggregation

Links to More Info: K45725467, BT828937

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned (in that case, ASM, APM, PEM, AFM, or AAM must be provisioned).

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 8 cores) or 2148 (on smaller systems).


Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.

Fix:
Set default value of avr.stats.internal.maxentitiespertable DB variable to 2148 on systems with the number of CPU cores fewer than or equal to 8.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.0.5

828873-3 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor

Links to More Info: BT828873

Component: TMOS

Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.

Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.

Impact:
Deployment of BIG-IP v15.0.0 is not stable to log into GUI or terminal on Nutanix AHV Hypervisor.

Workaround:
Steps:

1. Mount the drive:
mount -o rw,remount /usr

2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty

3. Reload the daemon:
systemctl daemon-reload

4. Restart the service:
systemctl restart f5-label

Fix:
The I/O device has been changed to the default input device '/dev/null' to resolve the issue.

Fixed Versions:
15.1.0.2

828789-1 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters

Links to More Info: BT828789

Component: TMOS

Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.

Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.

Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.

This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.

Workaround:
Specify fewer than 1023 character for the Certificate Subject Alternative Names.

Fixed Versions:
14.1.2.8, 15.1.1

828761-1 : APM OAuth - Auth Server attached iRule works inconsistently

Links to More Info: BT828761

Component: Access Policy Manager

Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.

Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.

Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.

Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.

Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.

Fixed Versions:
14.1.4.5, 15.1.5

828601-1 : IPv6 Management route is preferred over IPv6 tmm route

Links to More Info: BT828601

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.

Fix:
IPv6 routes now prioritize TMM interfaces.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.3

827325-1 : JWT token verification failure

Links to More Info: BT827325

Component: Access Policy Manager

Symptoms:
JWT token verification failure with error -1.

Conditions:
Token size larger than 4080.

Impact:
Request rejected and the log message simply says 'unknown error -1.'

Workaround:
None.

Fix:
The 4080 token size limitation is removed.

Fixed Versions:
15.1.4

827033-1 : Boot marker is being logged before shutdown logs

Links to More Info: BT827033

Component: TMOS

Symptoms:
When rebooting the BIG-IP, the boot marker appears before the shutdown logs

localhost notice boot_marker : ---===[ HD1.1 - BIG-IP 14.1.2 Build 0.0.37 ]===---
localhost.localdomain err logger[29153]: shutting down for system shutdown on behalf of root
localhost.localdomain notice mcpd[4645]: 01070406:5: Removed publication with publisher id shell_publish

Conditions:
Issue is observed while rebooting the device

Impact:
Creates confusion when trying to debug an issue using log files.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4

826905-3 : Host traffic via IPv6 route pool uses incorrect source address

Links to More Info: BT826905

Component: TMOS

Symptoms:
IPv6 route pool uses an incorrect source address rather than the self IP address. As a side symptom, if there are an even number of members in the pool, only half of the pool members are attempted during load balancing.

Conditions:
--IPv6 route pool is configured.

Impact:
Failed connections from the BIG-IP host that uses an IPv6 pool route.

Workaround:
None.

Fix:
IPv6 route pool uses the correct self IP address.

Fixed Versions:
14.1.3.1, 15.1.2

826265-5 : The SNMPv3 engineBoots value restarts at 1 after an upgrade

Links to More Info: BT826265

Component: TMOS

Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.

Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.

Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.

Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):

tmsh modify sys snmp include 'engineBoots n'

2. Restart SNMPD.

Fix:
This issue has been fixed: the engineBoots value is now kept as part of the configuration.

Fixed Versions:
15.1.0.4

825689-1 : Enhance FIPS crypto-user storage

Component: Local Traffic Manager

Symptoms:
Existing TMOS releases use legacy storage and generation facilities that have been supplanted in newer TMOS releases.

Conditions:
Crypto-officer access to TMSH / fipsutil.

Impact:
Did not leverage Secure Vault facilities.

Workaround:
None.

Fix:
FIPS crypto-user storage now leverages Secure Vault facilities.

Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.1

825501-3 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.

Links to More Info: BT825501

Component: Protocol Inspection

Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.

It also shows different versions of the Active IM package on different slots.

Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.

Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.

As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality

Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

825493-1 : JWT token verification failure

Links to More Info: BT825493

Component: Access Policy Manager

Symptoms:
JSON Web Token (JWT) verification failure with error -1.

Conditions:
Token size larger than 4080.

Impact:
Request is rejected.

Workaround:
None.

Fix:
Fixed an issue with JWT token verificaton.

Fixed Versions:
15.1.4

825413-4 : ASM may consume excessive resources when matching signatures

Links to More Info: K36942191, BT825413

825013-1 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios

Links to More Info: BT825013

Component: Service Provider

Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.

Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.

Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.

Fix:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands now return correct data.

Fixed Versions:
14.1.2.7, 15.0.1.1, 15.1.0.2

824365-5 : Need informative messages for HTTP iRule runtime validation errors

Links to More Info: BT824365

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.

Fix:
Informative messages are provided for HTTP iRule runtime validation errors.

Fixed Versions:
13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2

824149-5 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Links to More Info: BT824149

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.

Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5

824093-5 : Parameters payload parser issue

Links to More Info: BT824093

Component: Application Security Manager

Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.

Conditions:
-- ASM in use.
-- Request contains multipart headers.

Impact:
Incorrect policy enforcement.

Workaround:
None.

Fix:
This release fixes an issue related to multipart requests.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3

823893-7 : Qkview may fail to completely sanitize LDAP bind credentials

Links to More Info: K03318649, BT823893

822377-6 : CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability

Component: TMOS

Symptoms:
A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

Conditions:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. The following command can be used to search for possible vulnerable configurations:

    grep -R '^\s*Proxy' /etc/httpd/

Impact:
An attacker could cause the link on the error page to be malformed and instead point to a page of their choice.

Workaround:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. As a Mitigation/Workaround, exclude Proxy* directives in Apache Httpd configuration.

Fix:
Removed request data from many other in-built error messages.

Fixed Versions:
14.1.2.8, 15.1.1

822245-2 : Large number of in-TMM monitors results in some monitors being marked down

Links to More Info: BT822245

Component: In-tmm monitors

Symptoms:
Pool members are marked down from the in-TMM monitor.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
Monitor target may appear down when it is actually up.

Workaround:
Disable in-tmm monitors:
  tmsh modify sys db bigd.tmm value disable

Fixed Versions:
14.1.4.4, 15.1.4

822025 : HTTP response not forwarded to client during an early response

Links to More Info: BT822025

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.

Fix:
The client now receives the redirect from the HTTP:respond iRule.

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2

821309-1 : After an initial boot, mcpd has a defunct child "systemctl" process

Links to More Info: BT821309

Component: TMOS

Symptoms:
Zombie "systemctl" process, as a child of mcpd.

Conditions:
Reboot of the BIG-IP.

Impact:
Minimal; a single zombie process is created.

Workaround:
To get rid of the process, you can restart mcpd.

Fixed Versions:
14.1.2.7, 15.1.0.5

820845-3 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.

Links to More Info: BT820845

Component: TMOS

Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.

Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.

Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.

Workaround:
Create static ARP entries on affected endpoints.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1

820333-1 : LACP working member state may be inconsistent when blade is forced offline

Links to More Info: BT820333

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.

Fixed Versions:
14.1.3.1, 15.1.2

819329-4 : Specific FIPS device errors will not trigger failover

Links to More Info: BT819329

Component: Local Traffic Manager

Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.

Conditions:
-- FIPS hardware failure occurs, but the device is idle

Impact:
The device may not fail over on FIPS hardware failure.

Fix:
Interpret rare FIPS card failure as failover event.

Fixed Versions:
14.1.3.1, 15.1.4, 16.0.1.2

819301-2 : Incorrect values in REST response for dos-l3 table

Links to More Info: BT819301

Component: Application Visibility and Reporting

Symptoms:
Some of the calculations in the AVR publisher are not performed, and incorrect values are shown in the REST response.

Conditions:
-- Device vector detection and mitigation thresholds are set to 10
-- The attack vector is triggered

Impact:
Wrong values appear in REST reponse

Fix:
Fixed an issue with incorrect values for mitigated attacks.

Fixed Versions:
15.1.1, 16.0.1

819197-2 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Links to More Info: K20336394, BT819197

819189-1 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Links to More Info: K03512441, BT819189

819053 : CVE-2019-13232 unzip: overlapping of files in ZIP container

Component: TMOS

Symptoms:
CVE-2019-13232 unzip: overlapping of files in ZIP container leads to denial of service

Conditions:
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container

Impact:
UnZip overlapping will leading to denial of service.

Workaround:
N/A

Fix:
UnZip updated to resolve CVE-2019-13232

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2

818853-1 : Duplicate MAC entries in FDB

Links to More Info: BT818853

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.2

818833-1 : TCP re-transmission during SYN Cookie activation results in high latency

Links to More Info: BT818833

Component: Local Traffic Manager

Symptoms:
Issue is reported at the following system setup:

client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet

-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.

Conditions:
Haredware SYN Cookie is enabled on FastL4 profile

Impact:
High latency is observed.

Workaround:
Disable the SYN Cookie on the FastL4 profile

Fixed Versions:
14.1.4.4, 15.1.4

818253-3 : Generate signature files for logs

Links to More Info: BT818253

Component: TMOS

Symptoms:
To achieve DoDIN APL certification, the BIG-IP system must guarantee the integrity of log files using the standards' recommendation of encrypting those files on the local store. The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (i.e., the log files stored in /var/log folder and other subfolders) without creating integrity files.

Conditions:
Viewing the audit information stored in /var/log and other locations.

Impact:
Audit log files are stored without integrity files on the local system.

Workaround:
Disable local logging for audit logs and send them to remote syslog, for example:

tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "

Fix:
There is now a LogIntegrity utility provided to generate signature files for logs.

-- To enable the feature:
 tmsh modify sys db logintegrity.support value enable

-- To set the LogIntegrity loglevel:
 tmsh modify sys db logintegrity.loglevel value debug

You must create private key and store it in SecureVault before enabling this feature. To do so:

1. Generate a private key with the name logfile_integrity.key, for example:
 tmsh create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365

2. Generate RSA encrypted private SSL keys:

2a. Go to the filestore location on the BIG-IP system:
 cd /config/filestore/files_d/Common_d/certificate_key_d/

 ls | grep logfile_integrity:Common:logfile_integrity.key_63031_2

 openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key

2b. Specify the PEM password/passphrase (e.g., root0101) to use to protect the SSL private key (in this example, logfile_integrity_secure.key is the password protected private key):

2c. run command to list the generated files
 ls | grep logfile_integrity :Common:logfile_integrity.key_63031_2 logfile_integrity_secure.key

3. Install the generated password protected SSL private key with the same password (e.g., root0101) used in step 2 to store in 'secure vault' on the BIG-IP system:

 tmsh install sys crypto key logfile_integrity.key passphrase example root0101 from-local-file logfile_integrity_secure.key


Once the feature is enabled and the private key installed, The signature files are generated under /var/log/digest whenever log files get rotated.


If you want to verify Signatures, follow these steps:

1. Go to the filestore location on the BIG-IP system :
 cd /config/filestore/files_d/Common_d/certificate_d
 
2. Execute the following command to generate the public key.
 openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer

3.Verify the signature file using public key:
 openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1.1

818213-4 : CVE-2019-10639: KASLR bypass using connectionless protocols

Links to More Info: K32804955, BT818213

818177-6 : CVE-2019-12295 Wireshark Vulnerability

Links to More Info: K06725231, BT818177

818109-1 : Certain plaintext traffic may cause SSL Orchestrator to hang

Links to More Info: BT818109

Component: Local Traffic Manager

Symptoms:
After upgrading SSL Orchestrator to version 5.x, traffic gets reset, SSL Orchestrator hangs, and tcpdump analysis indicates that connections are being reset due to SSL handshake timeout exceeded.

Conditions:
-- SSL Orchestrator configured.
-- Initial plaintext traffic resembles SSLv2 hello message or has less-than-enough bytes for SSL to process.

Impact:
SSL Orchestrator hangs on that connection, unable to bypass traffic until the connection times out. Other connections handle traffic during this interval.

Workaround:
None.

Fix:
This release adds a db variable to enable/disable SSLv2 hello parsing. It is called tmm.ssl.v2compatibility and is disabled by default.

Fixed Versions:
14.1.4, 15.1.2.1

817709-3 : IPsec: TMM cored with SIGFPE in racoon2

Links to More Info: BT817709

Component: TMOS

Symptoms:
TMM asserted and cored in racoon2 with this panic message:

panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.

Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This issue no longer occurs.

Fixed Versions:
14.1.2.8, 15.1.0.2

817137-1 : SSO setting for Portal Access resources in webtop sections cannot be updated.

Links to More Info: BT817137

Component: Access Policy Manager

Symptoms:
SSO setting for Portal Access (PA) resource assigned to any webtop section cannot be updated due to the following error:

No such atomic attribute:name in class:webtop_section_webtop_section_resource

Configuration with such a resource cannot be transferred to another BIG-IP system due to the same error.

Conditions:
BIG-IP system configuration with the following objects:
-- SSO configuration (any type).
-- PA resource with resource item.
-- The webtop section with the PA resource.
-- Full webtop.
-- Per-session access policy with resource assignment agent which assigns webtop, webtop section, and PA resource.

Impact:
Configuration cannot be updated or transferred.

Workaround:
Delete webtop sections from the configuration and re-create them after transfer / upgrade / update process.

Fix:
Now APM configuration with Portal Access resources in webtop sections can be transferred or upgraded.

Fixed Versions:
15.1.4.1

816881-2 : Serverside conection may use wrong VLAN when virtual wire is configured

Links to More Info: BT816881

Component: Local Traffic Manager

Symptoms:
Server syn is flowing on the wrong VLAN, when tmm tries to establish a server connection. The BIG-IP system sends RST packets of unmatched VLAN/MAC combination

Conditions:
-- Virtual wire is configured .
-- Clientside data and handshake come in on different VLANs.

Impact:
Some client connections fail to establish

Workaround:
None.

Fixed Versions:
14.1.2.8, 15.1.1

816413-5 : CVE-2019-1125: Spectre SWAPGS Gadget

Links to More Info: K31085564, BT816413

816233-1 : Session and authentication cookies should use larger character set

Links to More Info: BT816233

Component: TMOS

Symptoms:
The session and authentication cookies are created using a limited character set.

Conditions:
Creating session and authentication cookies.

Impact:
Cookies are created with a less broad character set than they could be.

Workaround:
None.

Fix:
JSESSIONIDs and AuthCookies are created using a wider character set.

Behavior Change:
This release changes the format of the BIGIPAuthCookie and JSESSIONID cookies to use a larger alphabet during encoding (case sensitive alphanumeric).

Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.0.5

816229-3 : Kernel Log Messages Logged Twice

Links to More Info: BT816229

Component: TMOS

Symptoms:
You see duplicate log messages in /var/log/kern.log

Conditions:
This can be encountered when viewing /var/log/kern.log right after startup in BIG-IP versions dating back to 14.1.0

Impact:
Viewing ('cat'ing) kern.log results in duplicated log messages in the buffer.

Fix:
Fixed an issue with duplicated log messages in /var/log/kern.log.

Fixed Versions:
14.1.2.4, 15.1.2

815877-2 : Information Elements with zero-length value are rejected by the GTP parser

Links to More Info: BT815877

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.

Fixed Versions:
11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5

814953 : TMUI dashboard hardening

Links to More Info: K43310520, BT814953

814585-1 : PPTP profile option not available when creating or modifying virtual servers in GUI

Links to More Info: BT814585

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1

814037-6 : No virtual server name in Hardware Syncookie activation logs.

Links to More Info: BT814037

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1

813701-6 : Proxy ARP failure

Links to More Info: BT813701

Component: Local Traffic Manager

Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.

Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.

Impact:
ARP replies are dropped, leading to connection failures.

Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.

Fixed Versions:
14.1.2.7, 15.1.0.5

812981-6 : MCPD: memory leak on standby BIG-IP device

Links to More Info: BT812981

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.

Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

812525-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Links to More Info: K27551003, BT812525

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1

812493-4 : When engineID is reconfigured, snmp and alert daemons must be restarted

Links to More Info: BT812493

Component: TMOS

Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.

Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.

Impact:
This may confuse the SNMP client receiving the trap.

Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade

tmsh restart sys service snmpd alertd

Fixed Versions:
15.1.0.4

811789-7 : Device trust UI hardening

Links to More Info: K57214921, BT811789

811701-3 : AWS instance using xnet driver not receiving packets on an interface.

Links to More Info: BT811701

Component: TMOS

Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.

Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.

Impact:
Loss of packets in the interface, in turn, causing data loss.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.

Use the following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl
  # echo "ndal force_sw_tcs off 1d0f:ec20" >> /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP system's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed

Fixed Versions:
14.1.2.7, 15.0.1.4, 15.1.0.2

811149-2 : Remote users are unable to authenticate via serial console.

Links to More Info: BT811149

Component: TMOS

Symptoms:
Attempts to login to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure system for remote authentication and attempt authentication via serial console.

Impact:
Remote authentication users are unable to login via serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to login to the serial console.

Fixed Versions:
14.1.2.8, 15.0.1.4, 15.1.0.2

811053-6 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Links to More Info: BT811053

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.

Fixed Versions:
14.1.2.7, 15.1.2

811041-7 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf

Links to More Info: BT811041

Component: TMOS

Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.

Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.

Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.

Workaround:
None.

Fix:
The HA table no longer leaks memory if an entry is reinitialized.

Fixed Versions:
15.1.2

810821-3 : Management interface flaps after rebooting the device.

Links to More Info: BT810821

Component: TMOS

Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.

This problem has been observed only on hardware platforms.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.

or

Connecting serial failover cable between HA peers would prevent active/active issue from happening.

Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2

810381-2 : The SNMP max message size check is being incorrectly applied.

Links to More Info: BT810381

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.

Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.0.4

809701-7 : Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist

Links to More Info: BT809701

Component: Local Traffic Manager

Symptoms:
In BIG-IP GUI iRule definitions, when hovering over HTTP::proxy, the help text mentions 'HTTP::proxy dest', which is an invalid command.

Conditions:
The system displays incorrect information when the iRule help text is visible.

Impact:
The help text mentions 'HTTP::proxy dest', which is an invalid command option.

Workaround:
Do not use the invalid 'HTTP::proxy dest' command.

Fix:
The help text now shows 'HTTP::proxy', which is correct.

Fixed Versions:
14.1.3.1, 15.0.1.3, 15.1.2

809657-7 : HA Group score not computed correctly for an unmonitored pool when mcpd starts

Links to More Info: BT809657

Component: TMOS

Symptoms:
When mcpd starts up, unmonitored pools in an high availability (HA) group do not contribute to the HA group's score.

Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).

Impact:
Incorrect HA Group score.

Workaround:
Remove the unmonitored pools from the HA group and re-add them.

Fixed Versions:
14.1.4.4, 15.1.4.1

809597-5 : Memory leak in icrd_child observed during REST usage

Links to More Info: BT809597

Component: Local Traffic Manager

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
The memory leak is very progressive. Eventually, the icrd_child process runs out of memory.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.

Fixed Versions:
13.1.4, 14.1.3, 15.1.0.2

809205-6 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl updated

Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2

809125-5 : CSRF false positive

Links to More Info: BT809125

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens change the csrf parameter and restart the asm daemon:

1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>

2. Restart the asm daemon:
restart asm

Fixed Versions:
12.1.5.1, 14.1.2.7, 15.1.0.5

808409-4 : Unable to specify if giaddr will be modified in DHCP relay chain

Links to More Info: BT808409

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.

Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced

The default is :

sys db tmm.dhcp.relay.giaddr.overwrite {
    value "enable"
}

On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP

On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

807337-5 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Links to More Info: BT807337

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object (such as delete, create, modify).

Impact:
The GUI shows misleading info about the pool monitor.The monitor-related object may be unchanged, or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').

Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1.1

807005-5 : Save-on-auto-sync is not working as expected with large configuration objects

Links to More Info: BT807005

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration is not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.

Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5

806073-1 : MySQL monitor fails to connect to MySQL Server v8.0

Links to More Info: BT806073

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.

Fixed Versions:
14.1.3.1, 15.1.2.1, 16.0.1.1

805821-3 : GTP log message contains no useful information

Links to More Info: BT805821

Component: Service Provider

Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.

Conditions:
GTP profile or iRules fails to process message

Impact:
User lacks of information for troubleshooting

Workaround:
N/A

Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

805417-3 : Unable to enable LDAP system auth profile debug logging

Links to More Info: BT805417

Component: TMOS

Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.

Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.

Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.

Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:

   systemctl stop nslcd
   nslcd -d

Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.

You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.

When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:

   systemctl start nslcd

Fix:
The nslcd logs are now visible on /var/log/secure file.

Fixed Versions:
14.1.2.7, 15.1.1

804309-1 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument

Links to More Info: BT804309

Component: TMOS

Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:

[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy

Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.

Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.

Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false

tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5

804157-3 : ICMP replies are forwarded with incorrect checksums causing them to be dropped

Links to More Info: BT804157

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server receives an ICMP response without first receiving an ICMP request, the checksum on the ICMP response that is egressed by tmm will not be calculated correctly.

Conditions:
An ICMP response without a corresponding ICMP request, such as in non-symmetric routing scenarios.

Impact:
ICMP replies are forwarded with the incorrect checksum and likely will be dropped by the recipient or other devices on the network.

Workaround:
Ensure symmetric routing. Configure L7 virtual servers for use with ipother profiles.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

803965-7 : Expat Vulnerability: CVE-2018-20843

Links to More Info: K51011533, BT803965

803933-7 : Expat XML parser vulnerability CVE-2018-20843

Links to More Info: K51011533, BT803933

803825-5 : WebSSO does not support large NTLM target info length

Links to More Info: BT803825

Component: Access Policy Manager

Symptoms:
WebSSO crashes.

Conditions:
When the optional field of the target info is about 1000 bytes or larger.

Impact:
WebSSO crashes and loss of service.

Workaround:
Config NTLM not to have large target info, recommend < 800.

Fixed Versions:
13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2

803809-4 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Links to More Info: BT803809

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.

Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.

Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.2

803629-7 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct

Links to More Info: BT803629

Component: Local Traffic Manager

Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.

Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure

The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.

Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.

The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.

Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.

Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.0.1.1

803237-2 : PVA does not validate interface MTU when setting MSS

Links to More Info: BT803237

Component: TMOS

Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.

Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.

Impact:
TCP segments larger than the local interface MTU sent towards the client. These TCP segments are transmitted as IP fragments.

Workaround:
Increase MTU size.

Fixed Versions:
14.1.4, 15.1.3

803233-1 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Links to More Info: BT803233

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.

Fix:
FQDN ephemeral pool members are created in a more timely manner when FQDN resolution via DNS returns new address records.

Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1

802873-2 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Links to More Info: BT802873

Component: Application Security Manager

Symptoms:
Manual changes to a policy imported as XML may introduce corruption for Response Pages. The following log appears:
ASM subsystem error (asm_config_server.pl ,F5::PrepareConf::Policy::prepare_alternate_response_file_tbl): failed to parse response headers - please check response page.

Conditions:
-- XML policy file is missing a response header.
-- Import the policy.

Impact:
The affected reponse page is not returned for traffic as expected, and an error is reported instead.

Workaround:
Mitigation:
Ensure that response_header exists in XML policy file before import.

Workaround:
Go to the affected policy's Response Pages: Login Page, click Save and then click Apply Policy.

Fix:
The system now gracefully ignores empty header for Login Page response page.

Fixed Versions:
14.1.2.7, 15.1.4

802685-2 : Unable to configure performance HTTP virtual server via GUI

Links to More Info: BT802685

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5

802421-6 : The /var partition may become 100% full requiring manual intervention to clear space

Links to More Info: BT802421

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

Fixed Versions:
14.1.2.7, 15.1.0.5

802281-3 : Gossip shows active even when devices are missing

Links to More Info: BT802281

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

Fixed Versions:
13.1.3.5, 14.1.2.5, 15.1.0.2

801497-3 : Virtual wire with LACP pinning to one link in trunk.

Links to More Info: BT801497

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.

Fixed Versions:
14.1.2.1, 15.1.1

799749-2 : Asm logrotate fails to rotate

Links to More Info: BT799749

Component: Application Security Manager

Symptoms:
ASM logrotate reports errors in /var/log/asm.:

error: error creating output file /ts/log//bd.log.1: File exists

Conditions:
Files ending with .1 exists in the logs directories.

Impact:
Logrotate does not work. May fill disk with logs over time.

Workaround:
Remove or rename all of the .1 logs.

Fixed Versions:
14.1.2.7, 15.1.0.5

799001-1 : Sflow agent does not handle disconnect from SNMPD manager correctly

Links to More Info: BT799001

Component: TMOS

Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.

Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.

Impact:
Snmpd service restarts repeatedly

Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.

Fix:
No Fix. Execute 'tmsh restart sys service sflow_agent'

Fixed Versions:
14.1.4, 15.1.3

797829-6 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Links to More Info: BT797829

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1

797797-4 : CVE-2019-11811 kernel: use-after-free in drivers

Links to More Info: K01512680, BT797797

797769-9 : Linux vulnerability : CVE-2019-11599

Links to More Info: K51674118

796601-2 : Invalid parameter in errdefsd while processing hostname db_variable

Links to More Info: BT796601

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2

795649-5 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Links to More Info: BT795649

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system

Fixed Versions:
12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3

794417-4 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Links to More Info: BT794417

Component: Local Traffic Manager

Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:

1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Impact:
The configuration does not load if saved, and reports an error:

01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.

Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.

Fix:
Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.

Behavior Change:
BIG-IP validation now requires TLS Renegotiation of the SSL profile to be disabled when the TLS Enforcement requirement (RFC7540) is enabled in the HTTP/2 profile

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2

793121-5 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Links to More Info: BT793121

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.

Fixed Versions:
13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2

793017-3 : Files left behind by failed Attack Signature updates are not cleaned

Links to More Info: BT793017

Component: Application Security Manager

Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.

Conditions:
Attack Signature update encounters an error during installation.

Impact:
This can eventually lead to disk space issues.

Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.

Fix:
These directories are now included in the periodic file cleanup task.

Fixed Versions:
14.1.2.3, 15.1.0.2

793005-1 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Links to More Info: BT793005

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.

Fix:
'Current Sessions' statistics of MRF/Diameter pool reports correctly.

Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5

791669-2 : TMM might crash when Bot Defense is configured for multiple domains

Links to More Info: BT791669

Component: Application Security Manager

Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.

Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.

Impact:
TMM crash with core. Traffic disrupted while tmm restarts.

Workaround:
None,

Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.

Fixed Versions:
14.1.2.3, 15.1.4, 16.0.1.2

790845-4 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Links to More Info: BT790845

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.

Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.

Fixed Versions:
13.1.3.5, 14.1.4, 15.1.2

789921-5 : TMM may restart while processing VLAN traffic

Links to More Info: K03386032, BT789921

789857 : "TCP half open' reports drops made by LTM syn-cookies mitigation.

Links to More Info: BT789857

Component: Advanced Firewall Manager

Symptoms:
'TCP half open' reports drops in logs/tmctl/AVR even though it is configured in detect-only mode.

Conditions:
-- 'TCP half open' attack is being actively detected.
-- LTM syn-cookie mitigation is enabled.
-- This is triggered when LTM syn-cookies mitigation begins.

Impact:
It will appear that 'TCP half open' is doing mitigation, but it is actually LTM syn-cookies dropping the connections.

Workaround:
If LTM syn-cookies are not needed, disable the option:

modify ltm global-settings connection default-vs-syn-challenge-threshold infinite global-syn-challenge-threshold infinite

Fixed Versions:
14.1.4, 15.1.1

789421-4 : Resource-administrator cannot create GTM server object through GUI

Links to More Info: BT789421

Component: Global Traffic Manager (DNS)

Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.

Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.

Impact:
Unable to create GTM server object via the GUI.

Workaround:
Use tmsh or iControl/REST.

Fixed Versions:
14.1.2.7, 15.1.0.5, 16.0.1

789181-5 : Link Status traps are not issued on VE based BIG-IP systems

Links to More Info: BT789181

Component: TMOS

Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.

Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).

Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.

On a VE-based BIG-IP system, these logs and traps do not occur.

An SNMP client waiting for a Link Status trap on an administrative enable or disable then, does not receive the trap.

Workaround:
None.

Fix:
VE now issues link status messages (which will cause traps to be issued) when interfaces on VEs are administratively disabled and enabled. The underlying interface status impacted by cables being plugged/unplugged must be monitored on the underlying system (the hypervisor) and is not logged by VE. If an interface on VE is not configured, then it is in the uninitialized state. If the interface in that state is disabled/enabled, the Link status message issued on enable is Link DOWN.

Fixed Versions:
15.1.2

788753-2 : GATEWAY_ICMP monitor marks node down with wrong error code

Links to More Info: BT788753

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.

Fixed Versions:
13.1.3.4, 14.1.2.8, 15.1.0.5

788625-1 : A pool member is not marked up by the inband monitor even after successful connection to the pool member

Links to More Info: BT788625

Component: Service Provider

Symptoms:
1. Pool member is still shown as down even after BIG-IP has connected to it.
2. If a pool has only one pool member, continuous logs are seen in /var/log/ltm, at the frequency of auto-init interval and in-band timer interval mentioning about pool member being in-active and active respectively.

Conditions:
-- Auto-init is enabled to continuously try connecting the pool member
-- An inband monitor is configured
-- The inband monitor's retry interval is slightly less than auto-init interval

Impact:
Pool member marked down, even though the pool member is up

Workaround:
Configure the inband monitor's retry interval to be the lowest interval possible, which is 1 second.

Fix:
Pool member should be marked as up by the inband monitor, when the pool member comes up and connection to it is successful.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2

788577-7 : BFD sessions may be reset after CMP state change

Links to More Info: BT788577

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

Fix:
BFD session is no longer reset during CMP state change.

Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1

788513-6 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Links to More Info: BT788513

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.

Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5

788465-5 : DNS cache idx synced across HA group could cause tmm crash

Links to More Info: BT788465

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache idx conflicts and tmm crash.

Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.

Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.

Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1

788057-3 : MCPD may crash while processing syncookies

Links to More Info: K00103216, BT788057

787885-2 : The device status is falsely showing as forced offline on the network map while actual device status is not.

Links to More Info: BT787885

Component: TMOS

Symptoms:
Network Map in GUI shows incorrect [Forced Offline] status.

Conditions:
-- Multi-blade system
The device status in the network map is falsely shown [Forced Offline] when actual device status is something else other than [Forced Offline]. In other words, it is always shown as [Forced Offline].

-- Non multi-blade system
The device status in the network map is falsely shown [Forced Offline] when actual device status is something else other than [Active] or [Forced Offline]. In other words, it displays fine only for [Active] and [Forced Offline].

Impact:
The device status in the network map is not reliable

Workaround:
None.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

787677-5 : AVRD stays at 100% CPU constantly on some systems

Links to More Info: BT787677

Component: Application Visibility and Reporting

Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.

Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.

Impact:
System performance degrades.

Workaround:
Restart TMM:
bigstart restart tmm

Fix:
Added processing that prevents AVRD from entering endless loops.

Fixed Versions:
14.1.4.5, 15.1.4.1

786517-5 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Links to More Info: BT786517

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.5

785877-5 : VLAN groups do not bridge non-link-local multicast traffic.

Links to More Info: BT785877

Component: Local Traffic Manager

Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.

Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.

Impact:
Non-link-local multicast traffic does not get forwarded.

Workaround:
None.

Fix:
VLAN groups now bridge non-link-local multicast traffic.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

785741-3 : Unable to login using LDAP with 'user-template' configuration

Links to More Info: K19131357, BT785741

Component: TMOS

Symptoms:
Unable to login as remote-user.

Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.

Impact:
Unable to login with remote-user.

Workaround:
Use bind-dn for authentication.

Fixed Versions:
14.1.2.3, 15.0.1.4, 15.1.0.5

785017-3 : Secondary blades go offline after new primary is elected

Links to More Info: BT785017

Component: TMOS

Symptoms:
Secondary active blades go offline.

Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.

For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.

Impact:
Cluster reduced to a single blade, which may impact performance.

Workaround:
None.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3

783165-1 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile

Links to More Info: BT783165

Component: Application Security Manager

Symptoms:
When creating a whitelist in the Bot Defense profile with url "Any" - after modifying the Bot Defense log profile, the whitelist does not apply anymore.

Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.

Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.

Workaround:
Delete and add the whitelist after modifying the profile.

Fix:
Keep the whitelist as is when updating bot profile.

Fixed Versions:
14.1.2.7, 15.1.0.5

783125-1 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Links to More Info: BT783125

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
    https://clouddocs.f5.com/api/irules/DNS__drop.html
    https://clouddocs.f5.com/api/irules/UDP__drop.html

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

779857-2 : Misleading GUI error when installing a new version in another partition

Links to More Info: BT779857

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

778261-2 : CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate

Links to More Info: BT778261

Component: Application Security Manager

Symptoms:
CPB Connection (between BIG-IP and BIG-IQ logging node) is not refreshed to use the new certificate / new domain name to validate the certificate.

Conditions:
Either:
-- BIG-IQ logging node domain name updated.
-- BIG-IQ logging node webd certificate is replaced (and updated using webd restart).

Impact:
CPB Connection (between BIG-IP and BIG-IQ logging node) remains the same and is not refreshed to use the new certificate.

Workaround:
Restart Policy Builder on the BIG-IP system:

killall -s SIGHUP pabnagd

Fix:
Policy Builder now resets the connection upon update of BIG-IQ logging node certificate / domain name.

Fixed Versions:
15.0.1.1, 15.1.0.2

778049-2 : Linux Kernel Vulnerability: CVE-2018-13405

Links to More Info: K00854051, BT778049

776393-3 : Restjavad restarts frequently due to insufficient memory with relatively large configurations

Links to More Info: BT776393

Component: TMOS

Symptoms:
Restjavad restarts frequently -- approximately every 5 minutes -- due to the JVM heap running out of memory

Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.

Impact:
REST API intermittently unavailable.

Workaround:
Give restjavad extra memory, using the following commands. The example below allocates 2 GB of extra memory to restjavad:

tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad

To persist the change above with system reboots, save the configuration with:

tmsh save sys config

Fix:
Default restjavad heap memory has been increased to 384MB

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

774617-3 : SNMP daemon reports integer truncation error for values greater than 32 bits

Links to More Info: BT774617

Component: TMOS

Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.

Conditions:
Values greater than 32 bits sent to SNMP.

Impact:
SNMP values are truncated. An error message is logged in var/log/daemon.log:

err snmpd[20680]: truncating integer value > 32 bits

Workaround:
No current workaround.

Fixed Versions:
14.1.4, 15.1.0.4

774257-4 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Links to More Info: BT774257

Component: Global Traffic Manager (DNS)

Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:

tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A

tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A

Conditions:
This occurs when running the following tmsh commands:

tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt

Impact:
The output type is printed twice

Workaround:
None.

Fix:
The output becomes like this after fix:

gtm pool a emptypool

gtm wideip a testwip.f5.com

Fixed Versions:
14.1.2.7, 15.1.0.5

773693-7 : CVE-2020-5892: APM Client Vulnerability

Links to More Info: K15838353, BT773693

773253-5 : The BIG-IP may send VLAN failsafe probes from a disabled blade

Links to More Info: BT773253

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core

Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.

Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.

Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.

Impact of workaround: Traffic disrupted while tmm restarts.

Fixed Versions:
13.1.4, 14.1.4.2, 15.1.2.1

771961-3 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core

Links to More Info: BT771961

Component: Access Policy Manager

Symptoms:
If the device is active at the time and is passing traffic, if the SSL Orchestrator configuration is deleted, tmm can core.

Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm core related to deleting SSL Orchestrator.

Fixed Versions:
14.1.3.1, 15.1.1

768085-4 : Error in python script /usr/libexec/iAppsLX_save_pre line 79

Links to More Info: BT768085

Component: iApp Technology

Symptoms:
While creating a UCS file, you see a confusing error message, and the UCS file is not created:
Failed task: %s: %s"%(taskUri, taskResult['message']))"

Conditions:
This can be encountered while trying to create a UCS file.

Impact:
Certain failure messages are not interpreted correctly by the script, resulting in the actual error message not being displayed.

Workaround:
None.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

767737-4 : Timing issues during startup may make an HA peer stay in the inoperative state

Links to More Info: BT767737

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2.1

767341-1 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.

Links to More Info: BT767341

Component: Local Traffic Manager

Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.

Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.

This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.

Filesystem error might be due to power loss, full disk or other reasons.

Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.

Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.

Another workaround is clean install, if possible/acceptable

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

767269-5 : Linux kernel vulnerability: CVE-2018-16884

Component: TMOS

Symptoms:
Linux kernel NFS41+ subsystem use-after-free vulnerability when node have NFSv41+ mounts inside several net namespaces.

Conditions:
NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic.

Impact:
BIG-IP is not exposed to this vulnerability. use-after-free causes system panic, subsequent system reset.

Workaround:
None.

Fix:
Updated kernel to include patches for CVE-2018-16884.

Fixed Versions:
14.1.2.8, 15.1.0.5

766017-6 : [APM][LocalDB] Local user database instance name length check inconsistencies

Links to More Info: BT766017

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.

The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.

Fix:
Tmsh now enforces the length limit for localdb instance names.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1

761303-5 : Upgrade of standby BIG-IP system results in empty Local Database

Links to More Info: BT761303

Component: Access Policy Manager

Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.

Conditions:
This happens on standby device in a high availability (HA) setup.

Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to login now.

Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, after rebooting into the volume with the upgraded installation, do the following:

1. Force stop the localdbmgr process:
bigstart stop localdbmgr
2. Wait at least 15 minutes.
3. Restart the localdbmgr:
bigstart restart localdbmgr

Fixed Versions:
15.0.1.3, 15.1.0.2

760629-5 : Remove Obsolete APM keys in BigDB

Links to More Info: BT760629

Component: Access Policy Manager

Symptoms:
Several APM/Access BigDB keys are obsolete

Conditions:
This is encountered on BIG-IP software installations.

Impact:
The db keys are obsolete and can be safely ignored.

Workaround:
None

Fix:
The following db keys have been removed from the system:

Log.AccessControl.Level
Log.ApmAcl.Level
Log.SSO.Level
Log.swg.Level
Log.AccessPerRequest.Level
Log.access.syslog
Log.access.db

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1

760622-5 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Links to More Info: BT760622

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt

Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.

Fixed Versions:
15.1.0.5

760471-1 : GTM iQuery connections may be reset during SSL key renegotiation.

Links to More Info: BT760471

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once very 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval)

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.

Fixed Versions:
12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2

760050-8 : "cwnd too low" warning message seen in logs

Links to More Info: BT760050

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: "cwnd too low."

The message can be seen in both tmm logs (where it shows as 'notice' severity) and also in the ltm log (where it shows as 'crit' (critical) severity).

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.

Fixed Versions:
13.1.4.1, 14.1.2.7, 15.1.4

759988-2 : Geolocation information inconsistently formatted

Links to More Info: BT759988

Component: Fraud Protection Services

Symptoms:
The ${geo} pattern in the Logging Profile has only GeoIP data; however, in alerts that are sent to either the alert server or to BIG-IQ, the GEO data includes both GeoIP and GeoLocation information.

Conditions:
Configure ${geo} pattern in Logging Profile template and trigger a logging event.

Impact:
GeoLocation data is missing in logs written by Logging Profile when using ${geo} pattern.

Fix:
The ${geo} pattern in Logging Profile template now provides full GEO informaion, both GeoIP and GeoLocation, in the same format as in alerts.

Fixed Versions:
15.1.1, 16.0.1

759799-3 : New rules cannot be compiled

Links to More Info: BT759799

Component: Advanced Firewall Manager

Symptoms:
When the number of firewall policy rules compiles to a blob sized over 2 GB, the blob size limit is exceeded and no new rules can be compiled. All traffic stops.

Conditions:
When compiled rules configured size exceeds 2 GB after a new rule is added.

Impact:
New rules cannot be compiled. Traffic stops.

Workaround:
Remove rules until the rules compile successfully.

Fixed Versions:
15.1.4

759564-2 : GUI not available after upgrade

Links to More Info: BT759564

Component: TMOS

Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions

    Shell prompt may show logger[1234]: Re-starting named
    bigstart restart httpd fails
    bigstart start httpd fails

Conditions:
Installation over a previously used Boot Volume

Impact:
Corrupt install

Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

758599-3 : IPv6 Management route is preferred over IPv6 tmm route

Links to More Info: BT758599

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.

Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3

758336-5 : Incorrect recommendation in Online Help of Proactive Bot Defense

Links to More Info: BT758336

Component: Application Security Manager

Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:

Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.

Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.

The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Conditions:
Application has multiple cross-domain resources.

Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.

Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.

Fixed Versions:
12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1

758041-1 : Pool Members may not be updated accurately when multiple identical database monitors are configured

Links to More Info: BT758041

Component: Local Traffic Manager

Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.

As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected pool members members may be marked with the correct state.

Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}

Fix:
The system now correctly updates pool members when multiple identical database monitors are configured.

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.4.1

757279-3 : LDAP authenticated Firewall Manager role cannot edit firewall policies

Links to More Info: BT757279

Component: Advanced Firewall Manager

Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).

Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.

Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.

Workaround:
None.

Fix:
Firewall manager can now edit firewall policies.

Fixed Versions:
13.1.1.5, 14.1.2.8, 15.1.0.5

756812-3 : Nitrox 3 instruction/request logger may fail due to SELinux permission error

Links to More Info: BT756812

Component: Local Traffic Manager

Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.

The system posts messages in /var/log/ltm similar to the following:

-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.

Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.

Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.

Workaround:
None.

Fix:
Nitrox 3 queue stuck occurrences are now logged as expected.

Fixed Versions:
14.1.4.1, 15.1.3

756139-3 : Inconsistent logging of hostname files when hostname contains periods

Links to More Info: BT756139

Component: TMOS

Symptoms:
Some logs write the hostname with periods (eg, say for FQDN. For example, /var/log/user.log and /var/log/messages files log just the hostname portion:

-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.


Whereas other log files write the full name:

-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.

Conditions:
BIG-IP hostname contains periods or an FQDN:

[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
    hostname bigip1.example.com
}

Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.

Workaround:
None.

Fix:
Hostnames are now written consistently for all log files in /var/log directory.

Behavior Change:
Syslog-ng was using truncated hostname (without FQDN) while logging. This release adds fqdn use_fqdn(yes) in the syslog-ng template, so the system now logs the full hostname (FQDN).

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1

755317-3 : /var/log logical volume may run out of space due to agetty error message in /var/log/secure

Links to More Info: BT755317

Component: TMOS

Symptoms:
An agetty error message is output to the /var/log/secure log fil every 10 seconds while the instance remains on:

 agetty[<process_id>]: /dev/tty0 ttyS0: No such file or directory.

Conditions:
This agetty error message is an issue on all BIG-IP Virtual Edition and Cloud instances. It is not configuration-dependent.

Impact:
This may fill the /var/log/secure log file. When /var/log is full, certain system services may degrade or become unresponsive (e.g., DNS).

Workaround:
Manually extend the /var/log logical volume.

For more information, see Increase disk space for BIG-IP VE :: https://clouddocs.f5.com/cloud/public/v1/shared/disk_space.html.

Fix:
The issue causing the agetty error message in /var/log/secure has been resolved.

Fixed Versions:
14.1.2.5, 15.1.0.2

755197-5 : UCS creation might fail during frequent config save transactions

Links to More Info: BT755197

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.

Fix:
The race condition is avoided and the 'save sys ucs <file>' now succeeds due to files removed by 'save sys config'.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2

754932-1 : New SNMP MIB, sysVlanIfcStat, for VLAN statistics.

Links to More Info: BT754932

Component: TMOS

Symptoms:
V16.0.0 and v15.1.2 have a new SNMP MIB, sysVlanIfcStat, for VLAN statistics. Previously there were no ways to retrieve PVA statistics for each VLAN.

Conditions:
Viewing VLAN statistics through SNMP queries.

Impact:
PVA stats are not displayed.

Fix:
The new MIB, sysVlanIfcStat, includes several new statistics, including PVA statistics.
Example:

snmpwalk -v2c -c public localhost F5-BIGIP-SYSTEM-MIB::sysVlanIfcStat
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatNumber.0 = INTEGER: 3
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/HA" = STRING: /Common/HA
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/external" = STRING: /Common/external
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/internal" = STRING: /Common/internal
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/HA" = Gauge32: 3
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/external" = Gauge32: 1
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/internal" = Gauge32: 4
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/HA" = Counter64: 498576
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/external" = Counter64: 4053194
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/internal" = Counter64: 499668
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/HA" = Counter64: 3892
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/external" = Counter64: 56086
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/internal" = Counter64: 3898
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/HA" = Counter64: 3896
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/external" = Counter64: 3950
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/internal" = Counter64: 3896
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/external" = Counter64: 30
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/internal" = Counter64: 12
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/HA" = Counter64: 250558
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/external" = Counter64: 3792002
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/internal" = Counter64: 252154
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/external" = Counter64: 52115
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/internal" = Counter64: 6
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/HA" = Counter64: 3906
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/external" = Counter64: 3944
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/internal" = Counter64: 3906
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/HA" = Counter64: 5
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/external" = Counter64: 8
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/internal" = Counter64: 29
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/external" = Counter64: 53198
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/external" = Counter64: 9901246
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/external" = Counter64: 53198
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/external" = Counter64: 9901246
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/internal" = Counter64: 0

Fixed Versions:
15.1.2

754924-1 : New VLAN statistics added.

Links to More Info: BT754924

Component: TMOS

Symptoms:
The tmsh command 'show net vlan' only displays statistics for each VLAN's interface, and not each VLAN's statistics.

Conditions:
This is encountered when running the command 'tmsh show net vlan'.

Impact:
You are unable to view PVA statistics.

Fix:
The tmsh command 'show net vlan' now displays each VLAN's statistics, including PVA statistics.

Behavior Change:
Starting in v16.0.0, the command 'tmsh show net vlan' now outputs each vlan's stats retreived from TMM, including PVA stats, immediately following 'customer-tag' and right before the list of interfaces.
Example:

[root@localhost:Active:Standalone] config # tmsh sho net vlan

-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) f4:15:63:52:10:84
MTU 1500
Tag 4094
Customer-Tag

  | Incoming Discard Packets 2
  | Incoming Error Packets 0
  | Incoming Unknown Proto Packets 0
  | Outgoing Discard Packets 0
  | Outgoing Error Packets 0
  | HC Incoming Octets 28.8M
  | HC Incoming Unicast Packets 121.2K
  | HC Incoming Multicast Packets 121.2K
  | HC Incoming Broadcast Packets 0
  | HC Outgoing Octets 14.4M
  | HC Outgoing Unicast Packets 8
  | HC Outgoing Multicast Packets 121.2K
  | HC Outgoing Broadcast Packets 45
  | PVA Incoming Packets 5
  | PVA Incoming Octets 443
  | PVA Outgoing Packets 7
  | PVA Outgoing Octets 3.2K

  -----------------------
  | Net::Vlan-Member: 1.1
  -----------------------
  | Tagged no
  | Tag-Mode none

     --------------------------------------------------------------------
     | Net::Interface
     | Name Status Bits Bits Pkts Pkts Drops Errs Media
     | In Out In Out
     --------------------------------------------------------------------
     | 1.1 up 133.5M 31.5K 129.3K 17 36 0 10000SR-FD

-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) f4:15:63:52:10:85
MTU 1500
Tag 4093
Customer-Tag

  | Incoming Discard Packets 0
  | Incoming Error Packets 0
  | Incoming Unknown Proto Packets 0
  | Outgoing Discard Packets 0
  | Outgoing Error Packets 0
  | HC Incoming Octets 28.8M
  | HC Incoming Unicast Packets 121.2K
  | HC Incoming Multicast Packets 121.2K
  | HC Incoming Broadcast Packets 1
  | HC Outgoing Octets 14.4M
  | HC Outgoing Unicast Packets 15
  | HC Outgoing Multicast Packets 121.2K
  | HC Outgoing Broadcast Packets 17
  | PVA Incoming Packets 7
  | PVA Incoming Octets 3.2K
  | PVA Outgoing Packets 5
  | PVA Outgoing Octets 443

  -----------------------
  | Net::Vlan-Member: 1.2
  -----------------------
  | Tagged no
  | Tag-Mode none

     --------------------------------------------------------------------
     | Net::Interface
     | Name Status Bits Bits Pkts Pkts Drops Errs Media
     | In Out In Out
     --------------------------------------------------------------------
     | 1.2 up 133.5M 14.0K 129.3K 22 16 0 10000SR-FD

This feature is also available as of v15.1.2 on an 'opt-in' basis; default output is unchanged. A new db variable is available on v15.1.2 for controlling the output format. To change the output of 'tmsh show net vlan' so that it provides the new stats, run the command:

tmsh modify sys db vlan.pva.stats value enable

Output can be changed back to the old format at any time by running:

tmsh modify sys db vlan.pva.stats value disable

Fixed Versions:
15.1.2

754855-7 : TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile

Links to More Info: K60344652, BT754855

754335-3 : Install ISO does not boot on BIG-IP VE

Links to More Info: BT754335

Component: TMOS

Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).

Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.

Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.

Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.

Fix:
Fixed an issue with iso images not booting.

Behavior Change:
The fix introduces a behavioral change in the serial console prompt when compared to the legacy console. During DVD, USB, PXE installations, MOS reboots on hardware platforms:

The login prompt will read 'localhost login:' before changing to the 'switch_root' prompt.

After logging in as root, the prompt changes to 'switch_root'.

Fixed Versions:
14.1.4.4, 15.1.4.1

753715-2 : False positive JSON max array length violation

Links to More Info: BT753715

Component: Application Security Manager

Symptoms:
False-positive JSON max array length violation is reported.

Conditions:
-- JSON profile is used.
-- The violation is coming for non-array under certain conditions.

Impact:
The system reports a false-positive violation.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1

751586-3 : Http2 virtual does not honour translate-address disabled

Links to More Info: BT751586

Component: Local Traffic Manager

Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.

Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.

Impact:
The traffic is still translated to the destination address to the pool member.

Workaround:
None.

Fix:
Translate-address disabled is working correctly now.

Fixed Versions:
12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4

751103-2 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop

Links to More Info: BT751103

Component: TMOS

Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.

Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config

Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)

Scripts are stopped until the prompt is answered.

Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).


In the case of this script, you can also delete the management route definitions to prevent the question from being asked.

Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1

751032-5 : TCP receive window may open too slowly after zero-window

Links to More Info: BT751032

Component: Local Traffic Manager

Symptoms:
After a zero-window, TCP reopens its receive window with init-rwnd * mss bytes if sys db tm.tcpinitwinafterxon is enabled, and grows it as data is received. For a TCP connection with a large receive window, reaching the receive window limit might take some RTTs because init-rwnd is limited to 64.

Conditions:
-- A TCP profile with large receive window size.
-- A zero-window is sent.
-- TCP receive window is reopened when data is drained.

Impact:
TCP does not have the functionality to reopen its receive window more aggressively if needed, which might result in longer transfer times.

Workaround:
None

Fix:
A new sys db (tm.tcpinitwinmultiplierafterxon) is introduced to provide TCP the functionality to reopen its receive window more aggressively after zero-window.

Behavior Change:
A new sys db (tm.tcpinitwinmultiplierafterxon) has been introduced to provide TCP the functionality to reopen its receive window more aggressively after zero-window. It has a default minimum value of 1 and can be increased to a maximum of 100.

Fixed Versions:
14.1.4.4, 15.1.4

749332-2 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation

Links to More Info: BT749332

Component: TMOS

Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.

Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.

Impact:
REST PUT operation cannot be used to update/modify the description.

Workaround:
You can use either of the following:

-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.

-- You can also use PATCH operation and send only the required field which need modification.

Fixed Versions:
14.1.4.4, 15.1.5

749007-1 : South Sudan, Sint Maarten, and Curacao country missing in GTM region list

Links to More Info: BT749007

Component: TMOS

Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.

Conditions:
-- Creating a GTM region record.
-- Create a GTM any region of Country South Sudan, Sint Maarten, or Curacao.

Impact:
Cannot select South Sudan county from GTM country list.

Workaround:
None

Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1

748561-2 : Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context

Links to More Info: BT748561

Component: Advanced Firewall Manager

Symptoms:
In Security :: Network Firewall :: Active Rules, when selecting any context (Global, Route Domain, Virtual Server, or SelfIP), the policy associated with the Virtual Server is listed, but not the rules within that policy.

Conditions:
Applies to any context policies.

Impact:
You cannot manage rules from the Active Rules page. This is GUI display issue and does not affect functionality.

Workaround:
In Security :: Options :: Network Firewall :: Firewall Options:
Disable Inline Rules.

This reverts to the legacy editor and displays the policy details.

Fix:
Network Firewall : Active Rules page now lists active rule entries for firewall policies associated with any context.

Fixed Versions:
14.1.4, 15.1.3

748333-5 : DHCP Relay does not retain client source IP address for chained relay mode

Links to More Info: BT748333

Component: Local Traffic Manager

Symptoms:
The second relay in a DHCP relay chain modifies the src-address. This is not correct.

Conditions:
Using DHCP chained relay mode.

Impact:
The src-address is changed when it should not be.

Workaround:
None.

Fix:
For chained relay mode there is now an option to preserve the src-ip, controllable by 'sys db tmm.dhcp.relay.change.src'.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1

748122-8 : BIG-IP Vulnerability CVE-2018-15333

Links to More Info: K53620021, BT748122

747234-7 : Macro policy does not find corresponding access-profile directly

Links to More Info: BT747234

Component: Access Policy Manager

Symptoms:
The discovery task runs but does not apply the 'Access Access Policy' for the access policy for which the Provider is configured.

Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.

Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.

Workaround:
Apply the Access Policy manually after auto-discovery.

Fix:
Fixed an issue with not automatically applying the access policy after discovery.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2

747020-2 : Requests that evaluate to same subsession can be processed concurrently

Links to More Info: BT747020

Component: Access Policy Manager

Symptoms:
Requests that evaluate to the same subsession can be processed concurrently in some cases

Conditions:
-- Per-Request policy with subroutines.
-- Duplicate requests are sent that match existing subsession gating criteria.

Impact:
The request gets aborted with error messages in /var/log/apm:
apmd_plugin.cpp func: "serialize_apmd_reply()" line: 495 Msg: AccessV2 agent execution error 4.

Workaround:
None.

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1

746861-3 : SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated

Links to More Info: BT746861

Component: TMOS

Symptoms:
The SFP interfaces do not come up or flap up and down repeatedly on BIG-IP 2000/4000 on boot up when both SFP interfaces are populated.

When interface flaps state changes such as those below are logged in ltm log:
info pfmand[PID]: 01660009:6: Link: 2.1 is UP
info pfmand[PID]: 01660009:6: Link: 2.1 is DOWN

Conditions:
Both SFP interfaces, 2.1 and 2.2, on BIG-IP 2000/4000 are populated.

This is typically observed after an upgrade to an affected version.

Impact:
Traffic cannot be sent/received from these interfaces.

Workaround:
None.

Fix:
The interfaces now come up successfully. Occasional link bounce may be seen on reboot.

Fixed Versions:
14.1.2.5, 15.1.4

746348-4 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Links to More Info: BT746348

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.

Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.

Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2

746091-8 : TMSH Vulnerability: CVE-2019-19151

Links to More Info: K21711352, BT746091

745465-4 : The tcpdump file does not provide the correct extension

Links to More Info: BT745465

Component: TMOS

Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.

Conditions:
Whenever tcpdump is generated and downloaded.

Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.

Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.

Fix:
File name changed to support.tcpdump.tar.gz.

Behavior Change:
The tcpdump file has a different name and file extension - support.tcpdump.tar.gz

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5

744407-1 : While the client has been closed, iRule function should not try to check on a closed session

Links to More Info: BT744407

Component: Access Policy Manager

Symptoms:
tmm cores. System posts a message:

access::session exists is used during CLIENT_CLOSED iRule event.

Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.

Impact:
tmm may core. Traffic disrupted while tmm restarts.

Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.

Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.

Fixed Versions:
13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2

743826-2 : Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)

Links to More Info: BT743826

Component: Application Visibility and Reporting

Symptoms:
When a pool member is defined with port any(0), calling the GetPoolMember() function, gives an incorrect error message that the pool member was not found.

Conditions:
Pool member with port any(0)

Impact:
Wrong error message printed to avrd.log

Fix:
Added a flag that indicates whether or not to print an error message to the GetPoolMember() function.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1

743253-2 : TSO in software re-segments L3 fragments.

Links to More Info: BT743253

Component: Local Traffic Manager

Symptoms:
FastL4 does not re-assemble fragments by default, but on a system with software-enabled TSO (sys db tm.tcpsegmentationoffload value disable), those fragments are erroneously re-segmented.

Conditions:
The behavior is encountered on BIG-IP Virtual Edition when setting sys db tm.tcpsegmentationoffload value disable, but does not cause a tmm core on Virtual Edition.

Impact:
Already-fragmented traffic is fragmented again.

Workaround:
None

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2

743234-6 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons

Links to More Info: BT743234

Component: TMOS

Symptoms:
Configuring EngineID for SNMPv3 does not take effect until
the SNMP and Alert daemons are restarted.

Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'

Impact:
The SNMPv3 value does not take effect.

Workaround:
Restart the daemons after changing the EngineID:

restart /sys service snmpd
restart /sys service alertd

Note: The SNMP daemon should be restarted before the Alert daemon.

Fix:
The new EngineID is used after being configured, and no longer requires daemon restart.

Fixed Versions:
15.1.0.4

743105-2 : BIG-IP SNAT vulnerability CVE-2021-22998

Links to More Info: K31934524, BT743105

742628-1 : A tmsh session initiation adds increased control plane pressure

Links to More Info: BT742628

Component: TMOS

Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.

Conditions:
-- Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.

-- You are running certain versions of BIG-IP software, specifically:
   - 12.1.x versions earlier than 12.1.5.3.
   - 13.1.x versions earlier than 13.1.3.4.
   - Any 14.x version earlier than 14.1.4, except 14.1.2.6.
   - 15.0.x versions earlier than 15.0.1.2.
   - 15.1.x versions earlier than 15.1.0.4.

Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.

Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:

tmsh modify /auth user ADMINUSERNAME shell bash

Fix:
This issue is fixed in the following releases:
-- 12.1.5.3 and later
-- 13.1.3.4 and later
-- 14.1.2.6
-- 14.1.4 and later
-- 15.0.1.2 and later
-- 15.1.0.4 and later
-- 16.0.0 and later

Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2

742549-3 : Cannot create non-ASCII entities in non-UTF ASM policy using REST

Links to More Info: BT742549

Component: Application Security Manager

Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.

Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.

Workaround:
Use UTF-8.

Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.0.5

740589-4 : Mcpd crash with core after 'tmsh edit /sys syslog all-properties'

Links to More Info: BT740589

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core. Traffic disrupted while mcpd restarts.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));

Fix:
Fixed circular loop due to configuration with empty (duplicate) persist-name

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1

739618-3 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy

Links to More Info: BT739618

Component: Application Security Manager

Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.

Conditions:
- AWAF or MSP license

Impact:
Admin cannot use the BIG-IP Configuration Utility create LTM policy that controls ASM, and must use TMSH.

Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}

Fix:
Users can now create LTM rule in the BIG-IP Configuration Utility that controls ASM if have AWAF or MSP license.

Fixed Versions:
13.1.3.2, 14.1.2.3, 15.1.0.2

739570-4 : Unable to install EPSEC package

Links to More Info: BT739570

Component: Access Policy Manager

Symptoms:
Installation of EPSEC package via tmsh fails with error:

Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).

Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso

Impact:
First-time installation of EPSEC package through tmsh fails.

Workaround:
You can do a first-time installation of EPSEC with the following commands:

tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso

Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1

739507-3 : Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check

Links to More Info: BT739507

Component: TMOS

Symptoms:
After FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check.

Console shows messages similar to:
  Starting System Logger Daemon...
  [ OK ] Started System Logger Daemon.
  [ 14.943495] System halted.

Conditions:
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.

Impact:
The device halts and cannot be used.

Workaround:
Workaround:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
[3] Mount config from the inactive partition (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154) that was halted, and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones.
[5] Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
   cat /dev/null > /mnt/test/f5_public/fipserr
[6] Reboot.

If the system still halts, repeat from Step [1] above, until this no longer happens.

Fix:
If your device is running a version where ID 739507 is fixed:

[1] Connect a terminal to the BIG-IP serial console port
[2] From the serial console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that starts with 'linux', or the first line that starts with 'module'.
[6] Add a space, followed by NO_FIPS_INTEGRITY=1 (do not press ENTER).
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.

The machine boots into the partition containing FIPS 140-2-enabled license.

[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:

Integrity Check Result: [ FAIL ]

If fatal errors persist, do not reboot (otherwise the system foes into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Rerun the test tool until no error is seen.

Note: You can find information on the sys-eicheck (FIPS) utility in the AskF5 Non-Diagnostic Article K00029945: Using the sys-eicheck (FIPS) utility :: https://support.f5.com/csp/article/K00029945.

[11] Truncate the file /config/f5_public/fipserr:
    cat /dev/null > /config/f5_public/fipserr

Fixed Versions:
13.1.1.2, 14.1.4, 15.1.0.5

739505-3 : Automatic ISO digital signature checking not required when FIPS license active

Links to More Info: BT739505

Component: TMOS

Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.

The system logs an error message upon an attempt to install or update the BIG-IP system:
 failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)

Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.

Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.

Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.

Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.

Fixed Versions:
13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1

738964-4 : Instruction logger debugging enhancement

Component: Local Traffic Manager

Symptoms:
Specific platforms may experience a zip-engine lock-up for various reasons. When it happens, the symptoms follow a report pattern that declares the zip-engine requires reset. When resets persist, the instruction logger is unable to diagnose the value of the instructions sent to the zip-engine.

Conditions:
Invalid or unusual compression source data.

Impact:
Compression device goes off-line and CPU usage spikes as it takes over all compression responsibility. Lack of instruction logging makes it difficult to diagnose what occurred.

Workaround:
Disable hardware compression until issue is fixed.

Fix:
A new tcl variable, nitrox::comp_instr_logger has been added. It has four possible values: off, on, force-restart-tmm and force-reboot-host. This variable is used for diagnosing issues with the Nitrox compression engine.

Fixed Versions:
14.1.4.1, 15.1.3

738865-6 : MCPD might enter into loop during APM config validation

Links to More Info: BT738865

Component: Access Policy Manager

Symptoms:
Mcpd crashes after a config sync.

Conditions:
This can occur during configuration validation when APM is configured.

Impact:
Mcpd may take too long to validate the APM configuration and is killed by watchdog, causing a core

Workaround:
Use the Visual Policy Editor to configure access policy instead of tmsh commands.

The Visual Policy Editor does not allow policies to be created if they contain loops.

Fix:
Fixed an mcpd crash related to policy loop detection in APM.

Fixed Versions:
14.1.4.2, 15.1.4

738593-2 : Vmware Horizon session collaboration (shadow session) feature does not work through APM

Component: Access Policy Manager

Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.

Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client or browser.
-- Shadow session is enabled in desktop

Impact:
Desktop's Shadow session resource icon is not showed on webtop or native client.

Workaround:
None

Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop or native client.

Fixed Versions:
14.1.4.5, 15.1.5

738032-3 : BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.

Links to More Info: BT738032

Component: Local Traffic Manager

Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.

Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.

Impact:
Sessions still use cached session ID. If session continues to succeed, session uses cached session ID till expiry.

Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1

737692-4 : Handle x520 PF DOWN/UP sequence automatically by VE

Links to More Info: BT737692

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.

Fix:
tmm now restarts automatically when the PF comes back up after going down.

Behavior Change:
tmm now restarts automatically when the PF comes back up after going down.

Fixed Versions:
15.1.3.1

737098-1 : ASM Sync does not work when the configsync IP address is an IPv6 address

Links to More Info: BT737098

Component: TMOS

Symptoms:
If the configsync IP address of the device is configured to be an IPv6 address, changes in ASM configuration do not synchronize across the cluster.

Conditions:
Devices in a Device Group have an IPv6 address set as their configsync IP address.

Impact:
ASM configuration does not synchronize across the Device Group.

Workaround:
Set the configsync IP address to be an IPv4 address and restart the asm_config_server process. To restart the asm_config_server process, run the following command:
pkill -f asm_config_server

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2

726518-1 : Tmsh show command terminated with CTRL-C can cause TMM to crash.

Links to More Info: BT726518

Component: Local Traffic Manager

Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]

Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
- The command is terminated by the client connection, aborting with CTRL-C.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not terminate tmsh show commands with CTRL-C.

Fixed Versions:
13.1.3.6, 14.1.2.8, 15.1.2

724824-1 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync

Links to More Info: BT724824

Component: Local Traffic Manager

Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.

Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.

Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.

Impact:
Monitor status on the peer devices is reported incorrectly.

Workaround:
Any of the following three options will correct reporting status on the peer devices:

-- Restart bigd

-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.

-- Disable and then re-enable the FQDN node

Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2

723112-8 : LTM policies does not work if a condition has more than 127 matches

Links to More Info: BT723112

Component: Local Traffic Manager

Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.

Conditions:
LTM policy that has a condition with more than 127 matches.

Impact:
LTM policy does not match the expected condition.

Workaround:
There is no workaround at this time.

Fix:
LTM policy now works for a condition with more than 127 matches.

Fixed Versions:
14.1.4.4, 15.1.4.1

722337-2 : Always show violations in request log when post request is large

Links to More Info: BT722337

Component: Application Security Manager

Symptoms:
The system does not always show violations in request log when post request is large.

Conditions:
A large post request with many parameters is sent.

Impact:
Although the violations is handled correctly, it is not reported.

Workaround:
Disable learning mode.

The internal parameter pb_sampling_high_cpu_load can define what is seen as high CPU load above which sampling does not take place. The default is 60.

-- Using a lower value reduces the chances of sampling data.
-- Using 0 makes sampling never happen and thus this issue does not occur (this slows down automatic policy building).

Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1

722230-1 : Cannot delete FQDN template node if another FQDN node resolves to same IP address

Links to More Info: BT722230

Component: TMOS

Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.

Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.

Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.

Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.

Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2

720440-6 : Radius monitor marks pool members down after 6 seconds

Links to More Info: BT720440

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.

Fix:
The maximum length of time that the radius probe will wait for has been increased from 6 seconds to 30 seconds.

Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5

719555-3 : Interface listed as 'disable' after SFP insertion and enable

Links to More Info: BT719555

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.

Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.

Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.

Workaround:
This issue is cosmetic; the interface is functional so it may be used.

To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface

Fixed Versions:
14.1.4, 15.1.1

719338-1 : Concurrent management SSH connections are unlimited

Links to More Info: BT719338

Component: TMOS

Symptoms:
There is no limit to the number of users that can login concurrently onto a BIG-IP system.

Conditions:
Multiple users are logged into the BIG-IP device through SSH at the same time.

Impact:
System can potentially run out of memory.

Workaround:
Provide a way to limit the number of concurrent user SSH sessions.

Fix:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.

-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
   + Enables the feature; feature is functional with default values.
   + Defaults: feature is not enabled for admin/root privileged user.
   + Total session limit for all users is 10 sessions.


-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
   + Enables feature for admin/root privileged user.
   + Total session limit for all users is still 10 sessions.


-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
   + Changes the default global setting limit of 10 to the specified value.


-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
   + Sets the maximum session limit per user.
   + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.


-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
   + Sets the maximum number of sessions for a particular user.
   + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.

Behavior Change:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.

-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
   + Enables the feature; feature is functional with default values.
   + Defaults: feature is not enabled for admin/root privileged user.
   + Total session limit for all users is 10 sessions.


-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
   + Enables feature for admin/root privileged user.
   + Total session limit for all users is still 10 sessions.


-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
   + Changes the default global setting limit of 10 to the specified value.


-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
   + Sets the maximum session limit per user.
   + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.


-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
   + Sets the maximum number of sessions for a particular user.
   + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.

Fixed Versions:
13.1.4, 14.1.4, 15.1.1

718189-9 : Unspecified IP traffic can cause low-memory conditions

Links to More Info: K10751325, BT718189

717276-9 : TMM Route Metrics Hardening

Links to More Info: K20622530, BT717276

716746-3 : Possible tmm restart when disabling single endpoint vector while attack is ongoing

Links to More Info: BT716746

Component: Advanced Firewall Manager

Symptoms:
tmm restarts.

Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.

Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.

Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.

Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.

Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.

Fixed Versions:
13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2

715032-1 : iRulesLX Hardening

Links to More Info: K73302459, BT715032

Component: Local Traffic Manager

Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.

Conditions:
-iRulesLX in use

Impact:
iRulesLX does not follow current best practices.

Workaround:
None.

Fix:
iRulesLX now follows current best practices.

Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5

714642-2 : Ephemeral pool-member state on the standby is down

Links to More Info: BT714642

Component: Local Traffic Manager

Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.

Conditions:
Re-enabling a forced-down FQDN node on the primary system.

Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).

Workaround:
None.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1

714502-3 : bigd restarts after loading a UCS for the first time

Links to More Info: BT714502

Component: Local Traffic Manager

Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.

Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check

Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.

Workaround:
System runs as expected after the bigd restart, and the user need not take any action.

Fixed Versions:
14.1.2.7, 15.1.0.5

714372-5 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Links to More Info: BT714372

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.

Fixed Versions:
14.1.4.4, 15.0.1.1, 15.1.0.2

714176-1 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Links to More Info: BT714176

Component: TMOS

Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.

Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.

Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.

Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.

1. Locate the dynad config in /config/bigip_base.conf file:

For example, the dynad config will look like:
sys dynad key {
    key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}

2. Modify the dynad configuration lines to:
sys dynad key {
    key "test"
}

3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config

Fix:
The log message is improved to provide the BIG-IP administrator with more specific detail that the dynad key failed to be decrypted.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

713614-7 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Links to More Info: BT713614

Component: TMOS

Symptoms:
Warning similar to below, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.

Impact:
Virtual Server does not fail over with floating traffic group as expected.

Fixed Versions:
15.1.0.5

706782-5 : Inefficient APM processing in large configurations.

Links to More Info: BT706782

Component: Access Policy Manager

Symptoms:
In configurations with large numbers of virtual servers or other entities, the apmd, oauth, and localdbmgr processes may consume large amounts of system resources.

Conditions:
-- Large configuration.
-- APM provisioned.
-- Multiple traffic groups exacerbate the effect.

Impact:
Heavy use of odd-numbered CPU cores may slow all control-plane operations, including user-interface response.

Workaround:
None known.

Fixed Versions:
14.1.2.8, 15.0.1.3, 15.1.0.2

706521-2 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password

Links to More Info: K21404407, BT706521

Component: TMOS

Symptoms:
TACACS Shared Key is not encrypted in the DB key and is visible to admin and a read-only user.

Conditions:
Configure TACACS+ auditing forwarder.

Impact:
Exposes sensitive information.

Workaround:
None.

Fix:
The sensitive data is not exposed, and this issue is fixed.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1

705768-2 : The dynconfd process may core and restart with multiple DNS name servers configured

Links to More Info: BT705768

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query when there are multiple DNS name servers configured, or when the list of DNS name servers is changed.

Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.

Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.

Workaround:
This issue occurs rarely. There is currently no known workaround.

Fix:
The dynconfd process no longer cores and restarts with multiple DNS name servers configured.

Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2

705112-6 : DHCP server flows are not re-established after expiration

Links to More Info: BT705112

Component: Local Traffic Manager

Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.

Fixed Versions:
11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2

697331-2 : Some TMOS tools for querying various DBs fail when only a single TMM is running

Links to More Info: BT697331

Component: Service Provider

Symptoms:
Command returns "No route to host" error.

Conditions:
Running diadb, sipdb, genericmsgdb or lsndb when only a single TMM is running.

Impact:
Unable to query SIP, Diameter, Generic-Message and LSN information from its corresponded DB query tool.

Workaround:
N/A

Fix:
Tools for querying various DBs now work regardless of the number of TMMs.

Fixed Versions:
14.1.3, 14.1.3.1, 15.1.1

696755-5 : HTTP/2 may truncate a response body when served from cache

Links to More Info: BT696755

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.

Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}

Fix:
With provided fix, HTTP/2 end users no longer experience the problem of incorrect page rendering due to this issue.

Fixed Versions:
13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2

696348-5 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option

Links to More Info: BT696348

Component: Service Provider

Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without "-message" option to iRule, there is warning message:

[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]

Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option

Impact:
The commands still be executed during runtime but the warning message may confuse user.

Fix:
There is no warning message when using "GTP::ie insert" and "GTP::ie append" without "-message" option.

Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5

693360-2 : A virtual server status changes to yellow while still available

Links to More Info: K52035247, BT693360

692218-1 : Audit log messages sent from the primary blade to the secondaries should not be logged.

Links to More Info: BT692218

Component: TMOS

Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.

Conditions:
Multi-blade platform.

Impact:
Unnecessary messages in the log file.

Workaround:
None.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

691499-5 : GTP::ie primitives in iRule to be certified

Links to More Info: BT691499

Component: Service Provider

Symptoms:
The following commands in iRules are created and available but not officially tested and approved:

GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove

Conditions:
Using the following iRule commands:

GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove

Impact:
Although you can use these iRule commands, their functionality has not been tested and approved.

Workaround:
None.

Fix:
GTP::ie primitives in iRule are now certified.

Behavior Change:
Certified pre-existing iRules:

-- GTP::ie set instance <ie-path> <instance>
  Assigns <instance> to the information element (IE) instance at <ie-path>.

-- GTP::ie set value <ie-path> <value>
  Assigns <value> to the IE value at <ie-path>.

-- GTP::ie insert <ie-path> <type> <instance> <value>
  Inserts a new IE of type <type> and instance <instance> with value <value> at <ie-path>

-- GTP::ie append [<ie-path>] <type> <instance> <value>
  Appends a new IE of type <type> and instance <instance> with value <value> to the end of embeded IE of grouped-IE specified by <ie-path> or to the end of message if the grouped-IE <ie-path> is absent.

-- GTP::ie remove <ie-path>
  Removes IE specified by <ie-path>.

Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5

686783-2 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.

Links to More Info: BT686783

Component: Traffic Classification Engine

Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.

Conditions:
The UrlCat custom database feed list with URL containing www prefix or capital letters,

Impact:
Improper classification

Workaround:
Using an iRule can help classify the URL.

Fix:
Normalized the URL before putting in the custom database.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

686395-3 : With DTLS version1, when client hello uses version1.2, handshake shall proceed

Links to More Info: BT686395

Component: Local Traffic Manager

Symptoms:
With DTLS version1, when client hello uses version1.2, handshake fails with error of :unsupported version".

Conditions:
DTLS version1 handshake:
Handshake version 1.0 . (0xfeff)
Client hello version 1.2(0xfefd)

Impact:
DTLS functionalities.

Workaround:
N/A

Fix:
In this case, we shall still proceed to perform handshake instead of bailing out with "unsupported version" error.

Fixed Versions:
12.1.3.4, 15.1.5

685904-1 : Firewall Rule hit counts are not auto-updated after a Reset is done

Links to More Info: BT685904

Component: Advanced Firewall Manager

Symptoms:
When a rule is selected and the 'Reset Count' button is clicked, the command is executed but rule stats are not updated in the GUI.

Conditions:
This occurs when resetting the rule hit count stats in the GUI.

Impact:
Incorrect (stale) statistics are seen.

Workaround:
Refresh the page.

Fix:
Rule stats are now correctly updated in the UI after a 'Reset Count' is initiated.

Fixed Versions:
14.1.4.2, 15.1.4

681010-4 : 'Referer' is not masked when 'Query String' contains sensitive parameter

Links to More Info: K33572148, BT681010

Component: Application Security Manager

Symptoms:
While 'Query String' contains masked sensitive parameter value the 'Referer' header sensitive parameter value is exposed.

Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.

-- 'Query String' contains the defined sensitive parameter.

Impact:
"Referer" header contains unmasked value of the sensitive parameter.

Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.

Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.

Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2

679751-2 : Authorization header can cause a connection reset

Links to More Info: BT679751

Component: Access Policy Manager

Symptoms:
APM resets connections and reports an ERR_ARG from a simple web request.

Conditions:
-- APM profile with User Identification Method as HTTP.
-- APM profile with User Identification Method as OauthToken.
-- HTTP traffic arrives with certain types of Authorization headers.

Impact:
Connections are reset and APM logs ERR_ARG, which is not helpful for understanding the cause.

Workaround:
iRule workaround:

when HTTP_REQUEST {
    if { [HTTP::header "Authorization"] contains "Bearer" && [string tolower [HTTP::header "User-Agent"]] contains "onenote" } {
        HTTP::header replace Authorization [string map {"Bearer" ""} [HTTP::header Authorization]]
    }
  }

Fix:
APM no longer resets connections and reports an ERR_ARG from a simple web request.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1

675911-12 : Different sections of the GUI can report incorrect CPU utilization

Links to More Info: K13272442, BT675911

Component: TMOS

Symptoms:
The following sections of the GUI can report incorrect or higher than expected CPU utilization:

-- The 'download history' option found in the Flash dashboard.

-- Statistics :: Performance :: Traffic Report (section introduced in version 12.1.0).

Values such as 33%, 66%, and 99% may appear in these sections despite the system being completely idle.

Conditions:
HT-Split is enabled (default for platforms that support it).

Impact:
The CPU history in the exported comma-separated values (CSV) file does not match actual CPU usage.

Workaround:
-- You can obtain CPU history through various other means. One way is to use the sar utility.

   - In 12.x and higher versions:
     sar -f /var/log/sa6/sa

   - or for older data:
     sar -f /var/log/sa6/sa.1

   - The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.


   - In 11.x:
     sar -f /var/log/sa/sa

   - or for older data
     sar -f /var/log/sa/sa.1

   - The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

-- Live CPU utilization can also be obtained through the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2

673272-2 : Search by "Signature ID is" does not return results for some signature IDs

Links to More Info: BT673272

Component: Application Security Manager

Symptoms:
Search by "Signature ID is" does not return results for some signature IDs.

Conditions:
Request associated with signature that was previously enforced and is now in staging after the attack signature update.

Impact:
You are unable to filter requests by some signature IDs.

Fix:
Fixed an issue with searching by signature ID.

Fixed Versions:
13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2

648242-6 : Administrator users unable to access all partition via TMSH for AVR reports

Links to More Info: K73521040, BT648242

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

Fix:
Allowing for administrator users to get all partitions available on query.

Fixed Versions:
12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1

644192-2 : Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN

Links to More Info: K23022557, BT644192

Component: Global Traffic Manager (DNS)

Symptoms:
Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN.

Conditions:
A CNAME wide IP and a dnx with parent zone.
For example, CNAME wide IP for www.siterequest.com and a dnx zone for siterequest.com.

Impact:
Cache resolvers will remember NXDOMAIN for the entire name. So clients talking to those caches asking for A/AAAA records may actually get NXDOMAIN responses until the negative cache expires.

Workaround:
Option 1: Create a related "www.siterequest.com" txt record in ZoneRunner
Option 2: Create a ltm virtual server iRule, similar to this:
when DNS_RESPONSE {
  if { [DNS::question name] eq "www.siterequest.com" } {
    if { [DNS::header rcode] eq "NXDOMAIN" } {
        DNS::header rcode NOERROR
        DNS::authority clear
        return
    }
  }
}

Fix:
A new DB key, 'gtm.allownxdomainoverride', has been added to allow configuring the BIG-IP DNS system to respond with a NOERROR response.

Fixed Versions:
11.6.5.3, 14.1.3.1, 15.1.2, 16.0.1.1

640842-5 : ASM end user using mobile might be blocked when CSRF is enabled

Links to More Info: BT640842

Component: Application Security Manager

Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.

Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.

Impact:
Client is blocked.

Workaround:
None.

Fix:
Enabling access for specific mobile application.

Fixed Versions:
14.1.2.7, 15.1.0.5

636400 : CPB (BIG-IP->BIGIQ log node) Hardening

Links to More Info: K26462555, BT636400

615934-6 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Links to More Info: BT615934

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl/SOAP functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.

Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3

608952-1 : MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2

Links to More Info: BT608952

Component: Local Traffic Manager

Symptoms:
MSSQL health monitor always shows down.

Conditions:
The Microsoft SQL server that is being monitored has disabled support for legacy security protocols, and supports only versions TLSv1.1 and TLSv1.2.

Impact:
MSSQL monitor is unable to perform health checking when SQL Server is configured to require TLSv1.1 or TLSv1.2.

Workaround:
None.

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5

605675-6 : Sync requests can be generated faster than they can be handled

Links to More Info: BT605675

Component: TMOS

Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.

Conditions:
Configuration changes in quick succession that might generate sync-change messages.

Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.

Workaround:
None.

Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2

593536-9 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations

Links to More Info: K64445052, BT593536

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.

Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.

Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.

Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.

Fixed Versions:
14.1.2.8, 15.1.1

583084-6 : iControl produces 404 error while creating records successfully

Links to More Info: K15101680, BT583084

Component: TMOS

Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.

Conditions:
Creating GTM topology record without using full path via iControl.

Impact:
Resulting code/information is not compatible with actual result.

For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.

Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.

Fix:
The system now compares both names, ignoring the partition '/Common' if the exact comparison fails.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2

580715-2 : ASM is not sending 64 KB remote logs over UDP

Links to More Info: BT580715

Component: Application Security Manager

Symptoms:
REmote logs are missing. The following log messages appears in bd.log and asm.log:

ASM configuration error: event code L3350 Failed to write to remote logger vs_name_crc 1119927693 LoggingAccount.cpp:3348`remote log write FAILED res = -3 <Failed to send remote message (remote server not responding)> errno <Message too long>.

Conditions:
-- A remote logger configured for UDP.
-- Max message length of 64 KB.

Impact:
Missing logs in the remote logger.

Workaround:
You can use either of the following workarounds:

-- Change the remote logger to TCP.

-- Reduce the message length to 1 KB.

Fixed Versions:
15.1.5

579219-5 : Access keys missing from SessionDB after multi-blade reboot.

Links to More Info: BT579219

Component: Access Policy Manager

Symptoms:
Reboot a 4-blade vCMP guest. Now, only the master key for catalog remained. All subkeys are missing.

Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.

Impact:
Some Access subkeys may be missing after the reboot.

Workaround:
Reboot the primary blade.

Fixed Versions:
14.1.2.8, 15.1.1

569859-7 : Password policy enforcement for root user when mcpd is not available

Links to More Info: BT569859

Component: TMOS

Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd' utility.

Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.

Impact:
Root password may be set to a string that does not comply with the current password policy.

Workaround:
None.

Fix:
The system now enforces the password policy for root user, even when mcpd is not available.

Fixed Versions:
14.1.4.1, 15.1.3

550928-5 : TMM may crash when processing HTTP traffic with a FastL4 virtual server

Component: Local Traffic Manager

Symptoms:
When a FastL4 virtual server with HTTP profile is used, certain traffic flows may cause excessive resource consumption.

Conditions:
-- FastL4 virtual server with HTTP profile.

Impact:
Excessive resource consumption, potentially leading to a TMM crash and failover event.

Workaround:
-- If the HTTP profile is required, use a standard virtual server rather than performance (FastL4) type.
-- If the HTTP profile is not required, you can remove the HTTP profile from the virtual server.

Fix:
TMM now process FastL4 HTTP traffic as expected

Fixed Versions:
14.1.4.4, 15.1.4.1

528894-6 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition

Links to More Info: BT528894

Component: TMOS

Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.

Conditions:
-- The system includes partitions other than Common.

-- Configuration in a partition other than Common is modified.

-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").

Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).

/config/bigip_base.conf will no longer contain config stanzas that belong there.

Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.

However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.

Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.

Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".

Note that neither workaround is permanent and the issue will reoccur.

Fixed Versions:
15.1.5

489572-5 : Sync fails if file object is created and deleted before sync to peer BIG-IP

Links to More Info: K60934489, BT489572

Component: TMOS

Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:

Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.

Impact:
Sync fails.

Workaround:
When you create/add a file object, make sure to sync before deleting it.

If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1

470346-3 : Some IPv6 client connections get RST when connecting to APM virtual

Links to More Info: BT470346

Component: Access Policy Manager

Symptoms:
IPv6 clients connecting to APM virtual server that renders some page, e.g., logon page, webtop, or message box, might get connection resets.

Conditions:
IPv6 client has the last 4 bytes of the IP address set to some special-purpose address, e.g., multicast address.

Impact:
Client connection is reset.

Workaround:
Change the last 4 bytes of the client IPv6 address to avoid the IPv4 special-address range.

Fix:
All IPv6 clients can now connect through APM virtual server, regardless of the values of the last 4 bytes of the address.

Fixed Versions:
14.1.4.3, 15.1.4

431503-8 : TMSH crashes in rare initial tunnel configurations

Links to More Info: K14838, BT431503

Component: TMOS

Symptoms:
In rare BIG-IP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.

Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.

Impact:
TMM crash in rare race conditions.

Workaround:
None.

Fix:
TMM no longer crashes on neighbor messages during the initial tunnel config load process.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1

405329-3 : The imish utility cores while checking help strings for OSPF6 vertex-threshold

Component: TMOS

Symptoms:
The imish (vtysh) utility dumps core while checking help strings for the OSPF6 vertex-threshold command from OSPF mode.

Conditions:
-- Routing enabled.
-- Configuring OSPF vertex-threshold for either IPv4 or IPv6.
-- Requesting help for the OSPF6 vertex-threshold command.

Impact:
There is an imish (vtysh) crash.

Workaround:
None.

Fix:
Updated with the proper help strings for the OSPF6 vertex-threshold command.

Fixed Versions:
15.1.0.5

1065789-2 : TMM may send duplicated alerts while processing SSL connections

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may send duplicated SSL alerts while processing encrypted connections.

Conditions:
- Fatal SSL error

Impact:
Increased resource usage, potentially leading to degraded performance.

Workaround:
N/A

Fix:
SSL alerts are now processed as expected.

Fixed Versions:
15.1.5

1064649-1 : Tmm crash after upgrade

Component: Local Traffic Manager

Symptoms:
After upgrading and provisioning the ASM module, tmm starts to crash and core

Conditions:
-- BIG-IP system is upgraded to version 15.1.4.1
-- ASM provisioned
-- The ARL table is empty (transparent VLAN group) and traffic is passed

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
15.1.5

1060093 : Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues

Links to More Info: BT1060093

Component: Local Traffic Manager

Symptoms:
When upgrading from 14.1.x to 15.1.5.x, the 8th slot in a VELOS chassis does not cluster

Conditions:
Issue 'tmsh show sys cluster' shows 8th slot not active in the cluster

Impact:
8th slot in a cluster is not active

Workaround:
None

Fixed Versions:
15.1.5

1056933-5 : TMM may crash while processing SIP traffic

Component: Service Provider

Symptoms:
Under certain conditions, TMM may coredump while processing SIP traffic

Conditions:
- SIP ALG is configured

Impact:
TMM crash leading to a traffic interruption and failover event.

Workaround:
By using SIP::discard under specific conditions in SIP_RESPONSE iRule.

Fix:
SIP traffic is now processed as expected.

Fixed Versions:
15.1.5

1056213 : TMM core due to freeing of connflow, assuming it as http data

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing traffic.

Conditions:
-- HTTP virtual server with httprouter
-- irule with HTTP::disable followed by Header replace on
  HTTP_REQUEST
-- curl the virtual IP address until the core

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
15.1.5

1055785 : SmartNIC 2.0: stats throughput logging is broken on Virtual Edition dashboard

Links to More Info: BT1055785

Component: TMOS

Symptoms:
When using a fastl4 acceleration profile on a virtual server, throughput on the dashboard shows a much lower number of packets than the same traffic with a non-accelerated profile.

Conditions:
A fastl4 profile is used on a virtual server when only using 1 virtual server.

Impact:
Smartnic 2.0 stats throughput data is incorrect.

Workaround:
None

Fix:
Set the snoop's TMM number to the correct TMID instead of the pde number.

Fixed Versions:
15.1.5

1050273-2 : ERR_BOUNDS errors observed with HTTP explicit proxy service in SSL Orchestrator

Component: SSL Orchestrator

Symptoms:
The following similar error log messages repeated many times:

err tmm[13905]: 01c80017:3: CONNECTOR: Listener=/Common/sslo_intercept.app/sslo_intercept-in-t-4, Profile=/Common/ssloS_httpEpxy.app/ssloS_httpEpxy-t-4-connector: Error forwarding egress to return virtual server (null) - ERR_BOUNDS
err tmm8[13905]: 01c50003:3: Service : encountered error: ERR_BOUNDS File: ../modules/hudfilter/service/service_common.c Function: service_cmp_send_data, Line: 477

Conditions:
1. SSL Orchestrator with HTTP explicit proxy as a service
2. System is under load
3. On VELOS platform

Impact:
SSL Orchestrator throughput is degraded.

Workaround:
None

Fix:
After the fix, no such errors are observed and the throughput is back to normal.

Fixed Versions:
15.1.5

1049229-2 : When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays.

Links to More Info: BT1049229

Component: Advanced Firewall Manager

Symptoms:
An authenticated administrative user tries to create a sub-rule under the Network Firewall rule list from the GUI and is redirected to a 'No Access' error page.

Conditions:
This error can occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI on a version of BIG-IP (including engineering hotfixes) that include the fixes for BIG-IP bugs ID1032405 and ID941649.

Impact:
The user cannot create a sub-rule under the Network Firewall rule list in the TMOS GUI.

Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.

Fix:
After the fixes for ID1032405 and ID941649 are installed, the "No Access" errors no longer occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1048917 : Image2disk does not work on F5OS BIG-IP tenant.

Component: TMOS

Symptoms:
Image2disk fails to recognize the correct disk to install and installation fails.

Conditions:
This occurs with BIG-IP tenants that are running in F5OS partitions.

Impact:
Installation fails.

Workaround:
None

Fixed Versions:
15.1.5

1047089 : TMM may crash will processing TLS/DTLS traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions TMM may crash while processing TLS and DTLS traffic simultaneously.

Conditions:
- Virtual configured for server-side DTLS
- Virtual configured for client-side TLS

Impact:
TMM may crash, leading to a failover event.

Workaround:
N/A

Fix:
TMM may no longer be configured for DTLS/TLS gateway traffic.

Fixed Versions:
15.1.5

1047053-2 : TMM may consume excessive resources while processing RTSP traffic

Component: Service Provider

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing RTSP traffic.

Due to lack of RTSP flow handling, xfrags are keep on growing significantly which is consuming the tmm memory and cur_allocs keeps on increasing and this will end up in tmm crash.

Conditions:
- RTSP profile enabled

Impact:
Excessive resource consumption potentially leading to memory exhaustion and a failover event.

Workaround:
N/A

Fix:
TMM now processes RTSP traffic as expected.

Fixed Versions:
15.1.5

1045421-2 : No Access error when performing various actions in the TMOS GUI

Links to More Info: K16107301, BT1045421

Component: TMOS

Symptoms:
An authenticated administrative user is redirected to a 'No Access' error page while performing various actions in the TMOS GUI, including when trying to:
-- Apply a policy to a virtual server
-- Import images (TMOS images / hotfixes / apmclients)
-- Export/apply an APM policy
-- Run the high availability (HA) setup wizard
-- Export a certificate/key through one of the following paths:
    ---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / test-renew-self-sign / Renew
    ---- DNS / GSLB : Pools : Pool List / Click Testpool / Click Members / Click Manage
    ---- System / Software Management : APM Clients / Import
    ---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / NewSSLCert / Certificate / Export / Click Download

Conditions:
This may occur when performing various actions in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .

Impact:
Cannot perform various actions in the TMOS GUI.

Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.

Fix:
'No Access' errors no longer occur when performing various actions in the TMOS GUI under these conditions.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1045101-3 : Bd may crash while processing ASM traffic

Component: Application Security Manager

Symptoms:
Bd may crash when handling HTTP requests with APM and ASM.

Conditions:
- ASM and APM are provisioned
- Session awareness is enabled and "Use APM Username and Session ID" is selected in "Application Username" configuration
- Specially crafted HTTP request

Impact:
Bd crash leading to a traffic disruption and failover event.

Workaround:
N/A

Fix:
Bd now process ASM and APM traffic as expected.

Fixed Versions:
15.1.5

1043277-3 : 'No access' error page displays for APM policy export and apply options

Links to More Info: K06520200, BT1043277

Component: TMOS

Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while exporting/applying an APM policy in the TMOS GUI.

Conditions:
This may occur when exporting/applying an APM policy in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .

Impact:
Cannot export/apply an APM policy in the TMOS GUI.

Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.

Fix:
'No Access' errors no longer occur when exporting/applying an APM policy in the TMOS GUI under these conditions.

Fixes introduced for ID1045421 :: https://bugzilla.olympus.f5net.com/show_bug.cgi?id=1045421 plus ID1049229 :: https://cdn.f5.com/product/bugtracker/ID1049229.html (i.e., both fixes) resolve this issue.

Fixed Versions:
14.1.4.5, 15.1.4.1

1042993-2 : Provisioning high availability (HA) setup wizard fails to load, reports 'No Access'

Links to More Info: K19272127, BT1042993

Component: TMOS

Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while running the high availability (HA) setup wizard.

Conditions:
This may occur when running the high availability (HA) setup wizard in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .

Impact:
You are unable to run/finish the Config Sync/HA setup wizard to completion.

Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.

Fix:
'NO ACCESS' error pages no longer appear while running the high availability (HA) setup wizard in the TMOS GUI under these conditions.

Fixed Versions:
14.1.4.5, 15.1.4.1

1042069-2 : Some signatures are not matched under specific conditions

Component: Application Security Manager

Symptoms:
Some signatures are not matched and attack traffic can pass through.

Conditions:
There are more than 20 signatures that has a common keyword with a signature that does not match (which has a common keyword and new keyword).

Impact:
Attacking traffic can bypass the WAF.

Workaround:
None

Fix:
Attack signatures that share words with other attack signatures will be matched correctly now.

Fixed Versions:
14.1.4.5, 15.1.4.1

1040929 : Change F5OS BIG-IP tenant name from VELOS to F5OS

Links to More Info: BT1040929

Component: TMOS

Symptoms:
Bundle images used to create F5OS tenants contain the name VELOS

Conditions:
Prior to 15.1.4, Bundles images used to create F5OS tenants contain the name VELOS

Impact:
15.1.5 bundle images for F5OS and future releases now contain F5OS instead of VELOS

Workaround:
None

Fix:
In 15.1.5, bundle images now contain the word F5OS instead of VELOS

Fixed Versions:
15.1.5

1040361-2 : TMM crashes during its startup when TMC destination port list attached/deleted to virtual server

Links to More Info: BT1040361

Component: Local Traffic Manager

Symptoms:
-- Log message written to TMM log file:
   panic: ../kern/page_alloc.c:736: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
-- Virtual Server using a traffic-matching-criteria (TMC) with a destination-port-list, with multiple distinct ranges of ports.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use Traffic Matching Criteria with destination port lists.

Fix:
TMM no longer crashes under these conditions.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2

1039805 : Save button in Response and Blocking Pages section is enabled when there are no changes to save.

Component: Application Security Manager

Symptoms:
Save button remains enabled even though previous changes were already saved.

Conditions:
1.Create Parent Security Policy in the following screen
  Security ›› Application Security : Security Policies :
  Policies List ›› Create New Policy...
2.Click on "Response and Blocking Pages" tab
3.Change any Blocking Response Page setting (e.g. XML, Blocking Page Default, etc.)
4.Click Save button
5. Button remains enabled, thus falsely indicating changes are not being saved

Impact:
No actual impact as the changed configuration is actually being saved once the Save button was clicked.

Workaround:
Ignore the enabled button, just refresh the page and you will see the changes were actually being saved if you already have clicked the Save button.

Fixed Versions:
15.1.4.1

1039553-2 : Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors

Links to More Info: BT1039553

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up, depending on the monitor's configuration).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The monitor tries to match an HTTP status code other than 200 (for example, 301).

-- The monitor uses HTTP version 1.0 or 1.1 for the request (the default is 0.9).

Impact:
The system incorrectly considers all non-200 responses a failed monitor attempt, despite what the user specified as acceptable status codes in the monitor's configuration. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue in any of the following ways:

-- Use HTTP version 0.9 for the monitor requests.

-- Match on the 200 HTTP status code.

-- Do not use HTTP status matching altogether.

Fix:
GTM HTTP(S) monitors using HTTP version 1.0 or 1.1 can now successfully match status codes other than 200 in the response.

Fixed Versions:
15.1.5

1039329-1 : MRF per peer mode is not working in vCMP guest.

Component: Service Provider

Symptoms:
MRF diameter setup, in peer profile "auto-initialization" and "per peer" mode are enabled, but no connection attempts towards the pool member occur.

When the mode is switched to "per tmm" or "per blade", connections are established.

Conditions:
The peer connection mode in the peer profile is set to "per peer".

Impact:
The "per peer" setting does not work.

Workaround:
Switch the connection mode to "per tmm" or "per blade"

Fixed Versions:
14.1.4.5, 15.1.5

1039145-3 : Tenant mirroring channel disconnects with peer and never reconnects after failover

Links to More Info: BT1039145

Component: Local Traffic Manager

Symptoms:
`tmctl -d blade ha_stat` shows missing mirroring connections

Conditions:
This occurs with high availability (HA) pairs.

Impact:
HA mirroring does not function correctly

Workaround:
None

Fix:
Fixed high availability (HA) mirroring connections

Fixed Versions:
15.1.4

1039069-2 : Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.

Links to More Info: BT1039069

Component: Global Traffic Manager (DNS)

Symptoms:
For more information on the specific issues fixed, please refer to:

https://cdn.f5.com/product/bugtracker/ID1010697.html
https://cdn.f5.com/product/bugtracker/ID1037005.html
https://cdn.f5.com/product/bugtracker/ID1038921.html

Please note the only versions 15.1.3.1 and 16.1.0 are affected.

Conditions:
-- Running BIG-IP version 15.1.3.1 or 16.1.0
-- RESOLV::lookup iRule is used

Impact:
Multiple issues can occur with the RESOLV::lookup command, such as DNS resolutions failing or incorrect DNS responses being received.

Workaround:
None

Fix:
-

Fixed Versions:
15.1.4, 16.1.1

1039049 : Installing EHF on particular platforms fails with error "RPM transaction failure"

Links to More Info: BT1039049

Component: TMOS

Symptoms:
-- Installing an EHF fails with the error "RPM transaction failure"

-- Errors similar to the following are seen in the liveinstall.log file:

info: RPM: /var/tmp/rpm-tmp.LooFVF: line 11: syntax error: unexpected end of file
info: RPM: error: %preun(fpga-tools-atlantis-15.1.3-0.0.11.i686) scriptlet failed, exit status 2

Conditions:
-- Installing an EHF that contains an updated version of the 'fpga-tools-atlantis' package
-- Using the following platforms:
  + BIG-IP i4600 / i4800
  + BIG-IP i2600 / i2800
  + BIG-IP i850

Impact:
EHF installation fails.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1038669-2 : Antserver keeps restarting

Links to More Info: BT1038669

Component: SSL Orchestrator

Symptoms:
Antserver keeps restarting, as indicated in /var/log/ecm:

notice ant_server.sh[5898]: starting ant_server on 057caae1e95a11d7ecd1118861fb49f30ce1c22d
notice ant_server.sh[6311]: no ant_server process
notice ant_server.sh[6312]: check: no running ant_server

Conditions:
The Secure Web Gateway is provisioned on i15800 or i15820 platform.

Impact:
User connection will be reset if request or response analytics agent is deployed with per-request policy.

Fix:
N/A

Fixed Versions:
15.1.5, 16.1.2

1038629 : DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client

Component: Local Traffic Manager

Symptoms:
With the DTLS virtual server, when client sends the CLOSE_NOTIFY alert, BIG-IP is simply closing the connection without sending the CLOSE_NOTIFY back to client as well as the backend server. This causes the backend server to not close/shutdown the connection completely.

Conditions:
This issue occurs with all DTLS virtual servers which has associated client-ssl and server-ssl profiles.

Impact:
Backend server and client will have a dangling connection for certain period of time (Based on the timeout implementation at the respective ends).

Fixed Versions:
14.1.4.5, 15.1.5

1035853-3 : Transparent DNS Cache can consume excessive resources.

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, the Transparent DNS Cache can consume excessive resources.

Conditions:
- Transparent DNS Cache enabled
- EDNS enabled

Impact:
Excessive resource consumption, which can lead to increased server-side load.

Workaround:
N/A

Fix:
The Transparent DNS Cache now consumes resources as expected.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2

1035133-3 : Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab

Links to More Info: BT1035133

Component: Application Visibility and Reporting

Symptoms:
In various BIG-IQ GUI forms under the "Monitoring" tab (for example Monitoring -> Local Traffic -> HTTP), data for some time periods are missing.

Multiple "Unexpected end of ZLIB input stream" errors appear in BIG-IQ DCD logs under /var/log/appiq/gc_agent-manager.log

Conditions:
BIG-IP is attached to BIG-IQ, traffic volume is high

Impact:
Data in BIG-IQ are missing therefore some graphs show incorrect information

Workaround:
None

Fix:
Fixed an issue with missing statistics.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1034365-2 : DTLS handshake fails with DTLS1.2 client version

Links to More Info: BT1034365

Component: Local Traffic Manager

Symptoms:
DTLS handshake will be unsuccessful when client initiates a handshake with BIG-IP with DTLS1.2 version

Conditions:
When there is a DTLS client which supports both DTLS 1.0 and DTLS 1.2, then this problem could occur.

Impact:
DTLS handshakes can fail.

Workaround:
If possible, force the client to use only DTLS 1.0 in the client hello negotiation.

Fixed Versions:
14.1.4.5, 15.1.5

1032949 : Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate

Links to More Info: BT1032949

Component: TMOS

Symptoms:
When you configure Dynamic CRL and set the client authentication as "Request", the handshake fails when clients do not supply a certificate.

Conditions:
Clientssl profile configured with the following:

1. Dynamic CRL
2. Client Authentication enabled with "Request" option

Impact:
SSL handshake fails

Workaround:
Workaround 1:
Use Static CRL

Workaround2:
Use Client authentication with either "Require" or "Ignore"

Workaround3:
Disable TLS1.2 and below versions in the Client SSL profile.
Which means allow only TLS1.3 traffic.

Fixed Versions:
15.1.5

1032797-2 : Tmm continuously cores when parsing custom category URLs

Links to More Info: BT1032797

Component: SSL Orchestrator

Symptoms:
Tmm crashes when trying to parse more than 256 custom category URLs.

Conditions:
-- More than 256 URLs defined in custom url-category.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes and it can parse more than 256 custom category URLs.

Fixed Versions:
15.1.5, 16.1.2

1032761 : HA mirroring may not function correctly

Links to More Info: BT1032761

Component: TMOS

Symptoms:
HA mirroring may not function correctly

Conditions:
-- VELOS chassis in use
-- High availability (HA) pair is formed using BIG-IP tenants.
-- tmctl -d blade tmm/sdaglib_hash_table shows different tables on the active and the next-active.

Impact:
High availability (HA) mirroring may not function correctly

Workaround:
None

Fix:
Fixed high availability (HA) mirroring.

Fixed Versions:
15.1.4

1032737-1 : IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate

Links to More Info: BT1032737

Component: TMOS

Symptoms:
Tmm crashes while passing IPsec traffic

Conditions:
Wildcard selectors are used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Avoid the core dump by adding checks.

Fixed Versions:
15.1.4.1, 16.1.2

1032689-3 : UlrCat Custom db feedlist is not working for www.croupiest.com with attached feedlist file

Links to More Info: BT1032689

Component: Traffic Classification Engine

Symptoms:
The first URL getting normalized is not classified.

Conditions:
The URL contains caps or 'www' is not getting categorized in few cases.

Impact:
The 'custom' category is not displayed for all the apps available in the feedlist file.

Workaround:
None

Fix:
Starting normalized lines with \n

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1032405-3 : TMUI XSS vulnerability CVE-2021-23037

Links to More Info: K21435974, BT1032405

1032329 : A user with role "Firewall Manager" cannot open the Rule List editor in UI

Links to More Info: BT1032329

Component: Advanced Firewall Manager

Symptoms:
When a user with the role "Firewall Manger" attempts to access the Rule List editor page, they receive the error message "General database error retrieving information."

Conditions:
User has "Firewall Manager" role

Impact:
User cannot see details of Rule List via UI

Workaround:
Use TMSH to view Rule List details

Fixed Versions:
15.1.4.1

1032077-2 : TACACS authentication fails with tac_author_read: short author body

Links to More Info: BT1032077

Component: TMOS

Symptoms:
If a TACACS user is part of a group with 10s of attribute value pairs (AVPs) were the length of all the avp's combined is such that the authorization reply message from the TACACS server is segmented, the login will fail.

The error message that is logged when the login fails is
"tac_author_read: short author body, 4468 of 6920: Operation now in progress" Where the numbers 4468 and 6920 will vary.

Conditions:
- TACACS authentication
- TACACS user that is part of a group where the combined length of the AVPs is greater then the largest TCP segment the TACACS server is able to send.

Impact:
User is unable to login.

Workaround:
If possible, reduce the number of attributes of the TACACS group or user.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1032001-1 : Statemirror address can be configured on management network or clusterd restarting

Links to More Info: BT1032001

Component: TMOS

Symptoms:
- Able to create statemirror address on the same network as management or cluster network.
- Validation issues when attempting to remove a management address.
- Clusterd process restarts constantly.

Conditions:
- Management/cluster address set up with IPv6 and statemirror address is configured with IPv4.

Impact:
- Unable to make configuration changes to the management or cluster address until the statemirror address is removed.
- Clusterd process restarts constantly causing the blade or cluster to report as offline.

Fixed Versions:
15.1.3.1

1031909-1 : NAT policies page unusable due to the page load time

Links to More Info: BT1031909

Component: Advanced Firewall Manager

Symptoms:
You cannot work with the NAT polices page because the page takes too long to load.

Conditions:
-- The device has a large number of VLANs and virtual servers
-- The device has a large number of NAT policies and partitions
-- From GUI navigate to the NAT policies page

Impact:
NAT policies page takes a long time to load.

Fix:
With given sescenario page is loading and showing up policies

Fixed Versions:
15.1.4.1

1031901-1 : In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked

Links to More Info: BT1031901

Component: Local Traffic Manager

Symptoms:
When request from client is forwarded to server which is in CLOSING state due to server sent GOAWAY but not yet close the connection, request will be failed to be forwarded to server and RST_STREAM will be sent to client

Conditions:
-- Virtual Server with HTTP2 profile
-- There is an open connection from BIG-IP to the server.
-- The server sends a GOAWAY message to the BIG-IP and the connection is kept open.
-- The client sends a request to BIG-IP, BIG-IP picks the connection mentioned above to forward the request to

Impact:
Traffic from the specific client is interrupted

Workaround:
N/A

Fix:
In HTTP2 deployment, RST_STREAM is no longer sent to client if server in CLOSING state is picked

Fixed Versions:
15.1.4.1, 16.1.2

1030845-2 : Time change from TMSH not logged in /var/log/audit

Links to More Info: BT1030845

Component: TMOS

Symptoms:
Whenever time is changed, the message is not logged in /var/log/audit

Conditions:
This occurs when the system time is changed manually using either the 'date' command or 'tmsh modify sys clock'.

Impact:
The time change is not logged to the audit log.

Workaround:
None

Fix:
Time changes are now logged to the audit log.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1030689-2 : TMM may consume excessive resources while processing Diameter traffic

Component: Service Provider

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing Diameter traffic

Conditions:
- Diameter/MRF is deployed
- Peer uses TCP or SCTP as a transport
- Peer sends slow response

Impact:
Excessive resource consumption potentially leading to performance degradation or a traffic interruption and failover event.

Workaround:
None

Fix:
Diameter traffic is now processed as expected.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2

1029397-1 : Tmm may crash with SIP-ALG deployment in a particular race condition

Component: Service Provider

Symptoms:
Tmm crashes in SIP-ALG deployment, when lsn DB callback is returned from a different tmm, and the SIP connection has been lost on tmm where the REGISTER request arrived.

Conditions:
--- SIP-ALG is deployed
--- Processing of SIP REGISTER message at server side
--- lsn DB entry is mapped to a different tmm

Impact:
Traffic disrupted while tmm restarts

Workaround:
NA

Fix:
Tmm no longer crashes in this race condition

Fixed Versions:
15.1.5

1029357 : Performance drop during traffic test on VIPRION (B2250, C2400) platforms

Links to More Info: BT1029357

Component: Local Traffic Manager

Symptoms:
Huge TPS performance drop in Compression, L4, L7, Ramcache, SSL

Conditions:
TPS performance drop observed in VIPRION (B2250, C2400) with each of the following individual profiles with various file size(transactions):

1) httpcompression profile
2) FastL4
3) FastHTTP
4) HTTP with OneConnect, Web acceleration
5) TLS1.2 AES128-SHA

Impact:
Slowness in user response due to low TPS

Workaround:
None

Fix:
Make tmm's Daglib wrapper correctly handle hsb's edag versions

Fixed Versions:
15.1.4

1029105 : Hardware SYN cookie mode state change logs bogus virtual server address

Links to More Info: BT1029105

Component: TMOS

Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:

Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0

Conditions:
A virtual server enters or exits hardware SYN cookie mode.

Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.

Workaround:
None

Fix:
TMM now logs the correct IP address of the virtual server.

Fixed Versions:
15.1.4

1028669-5 : Python vulnerability: CVE-2019-9948

Component: TMOS

Symptoms:
Urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it

Conditions:
Use of urllib in affected versions of python

Impact:
Easier to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

Workaround:
N/A

Fix:
Updated python to resolve CVE-2019-9948

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1028573-5 : Perl vulnerability: CVE-2020-10878

Component: TMOS

Symptoms:
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation.

Conditions:
Crafted regular expression

Impact:
A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

Workaround:
N/A

Fix:
Perl updated to address CVE-2020-10878

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1028497-5 : libexpat vulnerability: CVE-2019-15903

Component: TMOS

Symptoms:
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Conditions:
Crafted XML input

Impact:
Heap-based buffer over-read

Workaround:
N/A

Fix:
libexpat updated to address CVE-2019-15903

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1027713 : SELinux avc: denied { signull } for pid=6207 comm="useradd" on vCMP guest during its deployment.

Links to More Info: BT1027713

Component: TMOS

Symptoms:
SELinux violations occur on vCMP guest during its deployment.

Conditions:
This occurs during vCMP guest deployment.

Impact:
An SELinux error is logged. If it occurs during vCMP guest deployment, it can be safely ignored.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
15.1.4.1

1027637 : System controller failover may cause dropped requests

Links to More Info: BT1027637

Component: TMOS

Symptoms:
A system controller failover may cause dropped requests to a change in the CMP hash algorithm.

Conditions:
1. The system controller fails over
2. The CMP hash algorithm changes

Impact:
Incorrect CMP hash settings

Workaround:
Change the CMP hash to another setting and back

Fix:
Fixed dropped requests to change CMP hash algorithm after a system controller failover

Fixed Versions:
15.1.4

1027217 : Script errors in Network Access window using browser

Links to More Info: BT1027217

Component: Access Policy Manager

Symptoms:
1. Users may receive JavaScript errors in browser when starting Network Access resources
2. User resources may fail to display when accessing a Full webtop
3. When logging out, users may be redirected to https://apm-virtual-server/vdesk/undefined and get a blank page
4. Logon Page from SWG Policies may fail to display inside a browser

Conditions:
The issue can be observed with at least one of these conditions.

1. Accessing APM virtual server using a browser
2. Accessing APM resources via a Full webtop
3. Starting APM resources via a Full webtop
4. Accessing Logon Page in SWG deployment

Impact:
1. Users cannot start Network Access resources
2. Users are unable to logout properly from full webtop
3. Logon page is not rendered and users will not be able to access resources.

Workaround:
1. Log into BIG-IP
2. mount -o remount,rw /usr/
3. Add “response_chunking 2” to _tmm_apm_portal_http in “/usr/lib/tmm/tmm_base.tcl” Example:

profile http _tmm_apm_portal_http {
    max_header_size 32768
    max_header_count 64
    known_methods "CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK"
    response_chunking 2
}

4. Restart tmm once the above param is added.
5. Garbage values in JavaScript aren’t inserted after this change.
6. Remount the /usr directory as read-only.
  mount -o remount,ro /usr/
-------------------------

Fix:
Logon page is now rendered correctly, resources are properly displayed on webtop, users can start resources without JavaScript errors and users are no longer receiving blank pages upon logging out.

Fixed Versions:
15.1.4.1, 16.1.2

1026549-3 : Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd

Links to More Info: BT1026549

Component: TMOS

Symptoms:
For some BIG-IP Virtual Edition drivers, TMM may occasionally communicate an incorrect interface state change that might cause the interface to flap.

Conditions:
-- BIG-IP Virtual Edition using ixlv, ixvf, mlx5, or xnet drivers.
-- More TMMs and interfaces configured make this issue more likely to happen, but it happens randomly.

Impact:
In the case where the interface is part of a trunk a flap will occur when this happens.

There may be other as-yet unknown impacts for this issue.

Workaround:
Use a different VE driver than one of the ones listed above.

Fix:
BIG-IP Virtual Edition drivers no longer communicate incorrect interface states to mcpd.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1025529-1 : TMM generates core when iRule executes a nexthop command and SIP traffic is sent

Links to More Info: BT1025529

Component: Service Provider

Symptoms:
If an iRule uses the 'nexthop' command to select a VLAN for a virtual server, TMM may crash.

Conditions:
-- Virtual server with SIP profile and iRule that executes a 'nexthop' command
-- SIP network traffic occurs

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Avoid using 'nexthop vlan' in an iRule in a SIP environment.

Fix:
iRule creation does not cause any TMM core.

Fixed Versions:
14.1.4.5, 15.1.4.1

1024877-2 : Systemd[]: systemd-ask-password-serial.service failed

Links to More Info: BT1024877

Component: TMOS

Symptoms:
After doing PXE installation with BIG-IP iso, you encounter an error in the dmesg log:

systemd-ask-password-serial.service failed

Conditions:
This occurs after performing a PXE install.

Impact:
This log message is cosmetic and can be safely ignored.

Fixed Versions:
14.1.4.4, 15.1.4.1

1024853 : Platform Agent logs to ERROR severity on success

Links to More Info: BT1024853

Component: TMOS

Symptoms:
Platform Agent logs all messages at the ERROR level during tenant key processing.

Conditions:
This occurs during normal startup of the BIG-IP tenant.

Impact:
Logs that should be logged at the NOTICE or INFO level are actually logged at the ERROR level.

Workaround:
None

Fix:
Fixed the Platform Agent log levels.

Fixed Versions:
15.1.4

1024761-3 : HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body

Links to More Info: BT1024761

Component: Local Traffic Manager

Symptoms:
When rechunking is requested, HTTP responses with methods or status codes indicating that no body be present (like HEAD or 304) are receiving a Transfer-Encoding header and a terminating chunk. These responses should not have a body of any sort.

Conditions:
HTTP virtual server with rewrite profile present with the server that does HTTP caching.

Impact:
HTTP clients are unable to connect.

Workaround:
Remove the rewrite profile.

Possibly change http profile response-chunking from sustain to unchunk. This resolves the issue for the 304, but means that all other requests are changed from either chunking or unchunked with Content-Length header to unchunked without Content-Length and with "Connection: Close".

Fixed Versions:
15.1.5

1024553-2 : GTM Pool member set to monitor type "none" results in big3d: timed out

Links to More Info: BT1024553

Component: Global Traffic Manager (DNS)

Symptoms:
A pool member is marked down with a 'none' type monitor attached.

Conditions:
-- GTM pool member with a 'none' monitor configured

Impact:
Setting a pool member to have "none" monitor should result in a blue "checking" status but it may mark the pool member as down/unavailable.

Workaround:
NA.

Fixed Versions:
14.1.4.5, 15.1.5

1024421-1 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log

Links to More Info: BT1024421

Component: TMOS

Symptoms:
TMM log shows clock advancing and MPI timeout messages:

notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks

Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time

Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.

Fix:
Modified the "Pva.Standby.Flush" DB key to take two new values ("2" and "3"). This DB key defines actions that the system takes when a traffic-group goes standby.

The values of this DB key are now:

-- 0: do nothing (the default)
-- 1: evict all ePVA accelerated flows for all traffic-groups
-- 2: inform the ePVA to stop processing traffic destined for the MAC masquerade address for this traffic-group
-- 3: perform both of the above actions (evict all ePVA accelerated flows, and inform the ePVA to stop processing traffic for the MAC masquerade address)

Behavior Change:
The DB variable Pva.Standby.Flush accepts two new values ("2" and "3"). This DB key defines actions that the system takes when a traffic-group goes standby.

The values of this DB key are now:

-- 0: do nothing (the default)
-- 1: evict all ePVA accelerated flows for all traffic-groups
-- 2: inform the ePVA to stop processing traffic destined for the MAC masquerade address for this traffic-group
-- 3: perform both of the above actions (evict all ePVA accelerated flows, and inform the ePVA to stop processing traffic for the MAC masquerade address)

Fixed Versions:
15.1.3.1

1023437-3 : Buffer overflow during attack with large HTTP Headers

Component: Anomaly Detection Services

Symptoms:
When the HTTP Headers are larger than 1024 characters and one of the anomalous textual headers is located after 1024, a buffer overflow might occur.

Conditions:
HTTP or TLS Signature protection is activated and during attack anomalous request arrives.

Impact:
Most of the time results in bad characters in the signature name, more rarely results in Memory Access Violation which could be exploited as buffer overflow attack.

Fix:
Enforce HTTP metadata size limit to be within the first 1024 characters of the HTTP Headers payload.

Fixed Versions:
14.1.4.5, 15.1.5

1023365-1 : SSL server response could be dropped on immediate client shutdown

Links to More Info: BT1023365

Component: Local Traffic Manager

Symptoms:
SSL server response might be dropped if peer shutdown arrives before the server response

Conditions:
-- the virtual server is using a Server SSL profile
-- the client sends FIN/ACK before the server responds

Impact:
The response from the pool member may be dropped.

Workaround:
None.

Fix:
Serverssl response now received after peer shutdown

Fixed Versions:
15.1.4.1, 16.1.2

1022637-2 : A partition other than /Common may fail to save the configuration to disk

Links to More Info: BT1022637

Component: TMOS

Symptoms:
A mismatch between the running-configuration (i.e. what is returned by "tmsh list ...") and the saved-configuration (i.e. what is stored in the flat configuration files) for a partition other than /Common, despite a "tmsh save config" operation was just performed (either by the user or as a result of a config-sync).

Conditions:
- One or more partitions other than /Common exist on the system.

- One or more of said partitions have no more configuration objects defined in them (i.e. are empty).

- A config save operation similar to "tmsh save sys config partitions { Common part1 [...] }" occurs, either manually initiated by an Administrator or as a result of a config-sync operation (in which case the device-group must be configured for manual synchronization).

Impact:
Should a BIG-IP Administrator notice the mismatch, the only immediate impact is confusion as to why the config save operation was not effective.

However, as the flat config files are now out-of-date, performing a config load operation on a unit in this state will resurrect old configuration objects that had been previously deleted.

On an Active unit, this may affect traffic handling. On a redundant pair, there is the risk that the resurrected objects may make it to the Active unit after a future config-sync operation.

Workaround:
If you notice the mismatch, you can resolve it by performing a config save operation for all partitions (i.e. "tmsh save sys config").

Fix:
Non /Common partitions now get saved to disk as intended.

Fixed Versions:
15.1.5

1022269-2 : False positive RFC compliant violation

Links to More Info: BT1022269

Component: Application Security Manager

Symptoms:
False positive RFC compliant violation.

Conditions:
Authorization header with specific types.

Impact:
False positive violations.

Workaround:
Turn on an internal parameter:
 
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1

Fix:
Added tolerance to the authorization headers parser.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2

1021485-2 : VDI desktops and apps freeze with Vmware and Citrix intermittently

Links to More Info: BT1021485

Component: Access Policy Manager

Symptoms:
VMware VDI:
Blank screen is seen while opening remote desktop when VDI is configured with VMware.

Citrix:
Desktop freezes immediately after opening remote desktop when VDI is configured with Citrix.

Conditions:
VMware VDI:
-- VDI is configured with VMware
-- Desktop or App is launched using native client from Webtop.
wait till 2X inactivity timeout if inactivity timeout

Citrix:
-- VDI is configured with Citrix
-- Desktop or App is launched using native client from Webtop.
-- Configure Inactivity timeout to 0.

Impact:
VDI desktops freeze while opening or immediately after opening.
The following error is seen in APM logs:
"Session stats update failed: ERR_NOT_FOUND"

Workaround:
No

Fix:
Users should not experience any intermittent desktop freeze.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1021417-3 : Modifying GTM pool members with replace-all-with results in pool members with order 0

Links to More Info: BT1021417

Component: Global Traffic Manager (DNS)

Symptoms:
GTMpool has multiple members with order 0.

Conditions:
There is an overlap for the pool members for the command replace-all-with and the pool members to be replaced.

Impact:
Multiple pool members have the same order.

Workaround:
Perform this procedure:
1. Delete all pool members from the GTM pool.
2. Use replace-all-with.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1021061-3 : Config fails to load for large config on platform with Platform FIPS license enabled

Links to More Info: BT1021061

Component: Global Traffic Manager (DNS)

Symptoms:
Config fails to load.

Conditions:
-- Platforms with Platform FIPS license enabled.
-- There are several ways to encounter this. One is with a large GTM (DNS) configuration that requires extending the gtmd stats file.

Impact:
Config file fails to load. For the gtmd configuration, gtmd repeatedly logs error messages similar to:

err gtmd[14954]: 011af002:3: TMSTAT error 'Invalid argument' creating row '/Common/vs_45_53' in table 'gtm_vs_stat'

For merged daemon, reports messages similar to:
err merged[9166]: 011b0900:3: TMSTAT error tmstat_row_create: Invalid argument.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.5

1020941-2 : HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags

Links to More Info: BT1020941

Component: Local Traffic Manager

Symptoms:
HTTP/2 request fails with COMPRESSION_ERROR.

Conditions:
HTTP/2 header frames are received in multiple xfrags in such a way that the first 2 bytes of 'encoded' header-field 'value-length' are the last 2 bytes of the xfrag, and the remaining bytes are in the next xfrag.

Impact:
The header value length is incorrectly updated, and the HTTP/2 request fails.

Workaround:
None

Fix:
HTTP/2 now parses the request, regardless of its xfrags distribution.

Fixed Versions:
14.1.4.5, 15.1.4

1020705-1 : tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name

Links to More Info: BT1020705

Component: Application Visibility and Reporting

Symptoms:
Output of "tmsh show analytics dos-l3 report view-by attack-id" command has changed from version 13.x to 15.x. "Attack type" was removed from the system, so it was automatically replaced by the first metric "allowed-requests-per-second". For DOS L3 "Attack type" was replaced by "Vector Name" but it currently is not shown in the report along wit "Attack ID"

Conditions:
AFM is provisioned

Impact:
This change might cause scripts to fail if they use the name of the field.

Workaround:
1) edit /etc/avr/monpd/monp_dosl3_entities.cfg file. Change [dosl3_attack_id] section the following way: add 'vector_name' to measures list and add an additional parameter 'default_measure' as specified below :

[dosl3_attack_id]
...
measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
default_measure=vector_name
...

2) edit /etc/avr/monpd/monp_dosl3_measures.cfg file. Add in the end the following section:

[vector_name]
id=vector_crc
formula=IF(count(distinct FACT.vector_crc)>1,'Aggregated',attack_vector_str)
merge_formula=IF(count(distinct vector_name)>1,'Aggregated',vector_name)
dim=AVR_DIM_DOS_VIS_ATTACKS_VECTOR
dim_id=attack_vector_crc
tmsh_display_name=vector-name
display_name=Vector
comulative=false
priority=65

3) restart the BIG-IP system: bigstart restart

After the system is up you can apply the same tmsh command: "tmsh show analytics dos-l3 report view-by attack-id"
You will get a result similar to 13.x. Note that "attack_type_name" is replaced by "vector-name"

Fix:
Workaround applied as fix.

Fixed Versions:
14.1.4.4, 15.1.3.1, 16.1.2

1020645-1 : When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered

Links to More Info: BT1020645

Component: Local Traffic Manager

Symptoms:
In an explicit proxy configuration when an HTTP request is sent to an HTTPS destination server via proxy, the HTTP CONNECT method is sent, but the iRule event HTTP_RESPONSE_RELEASE is not fired.

Conditions:
- Simple HTTP explicit proxy virtual server
- An HTTP request from the client is sent to an 'https://' destination server

Impact:
iRule event HTTP_RESPONSE_RELEASE does not get triggered.

Workaround:
None

Fix:
When HTTP CONNECT is sent, the iRule event HTTP_RESPONSE_RELEASE is now triggered.

Fixed Versions:
15.1.4.1

1020561-1 : Session memory increases over time due to db_access_set_accessinfo can leak sresult key/data in error case

Links to More Info: BT1020561

Component: Access Policy Manager

Symptoms:
Session memory is growing over time. memory_usage_stat indicates 'session' is growing.

Conditions:
Db_access_set_accessinfo is hitting the error case

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
Restart the tmms periodically when the memory grows

Fixed Versions:
15.1.5

1019853-2 : Some signatures are not matched under specific conditions

Component: Application Security Manager

Symptoms:
Some signatures are not matched, attacking traffic may pass through.

Conditions:
- Undisclosed signature conditions

Impact:
Attacking traffic can bypass the WAF.

Workaround:
N/A

Fix:
Signatures are now matched as expected.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1019793 : Image2disk does not work on F5OS BIG-IP tenant.

Component: TMOS

Symptoms:
Image2disk fails to recognize the correct disk to install and installation fails.

Conditions:
This occurs with BIG-IP tenants that are running in F5OS partitions.

Impact:
Installation fails.

Workaround:
None

Fixed Versions:
15.1.5

1019481 : Unable to provision PEM on VELOS platform

Links to More Info: BT1019481

Component: Policy Enforcement Manager

Symptoms:
Unable to provision PEM on VELOS platform

Conditions:
When trying to provision PEM

Impact:
PEM functionality cannot be achieved

Workaround:
Change sys db provision.enforce value to false and load sys config

Fix:
Added VELOS platform to PEM provision list

Fixed Versions:
15.1.4

1019453-3 : Core generated for autodosd daemon when synchronization process is terminated

Links to More Info: BT1019453

Component: Advanced Firewall Manager

Symptoms:
Autodosd cores on SIGSEGV.

Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown

Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.

Workaround:
None

Fix:
Fixed an autodosd crash.

Fixed Versions:
15.1.3.1

1019429-3 : CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated

Links to More Info: BT1019429

Component: TMOS

Symptoms:
Virtuals with CMP forwarded flows and PVA acceleration may see a higher than expected syncache counter which can lead to permanent syncookie activation.

Also, under certain conditions the internal listeners used for config-sync may have syncookies activated. Logs will show the syncookie counter increasing after every activation.

bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9830 exceeded vip threshold 2496 for virtual = 192.168.1.1:4353
bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9834 exceeded vip threshold 2497 for virtual = 192.168.1.1:4353

Conditions:
-- Virtual servers with CMP forwarded flows - commonly occurring when the FTP profile is in use.
-- A platform with PVA acceleration enabled.
-- Only the server-side flow of a connection is offloaded to hardware.

Impact:
Elevated syncache_curr, epva_connstat.embryonic_hw_conns, epva_connstat, embryonic_hw_tcp_conns stas. Improper syncooke activation. Syncookie activation on the config-sync listener may cause config-sync to fail.

Workaround:
Remove the ftp profile or disable PVA acceleration:

modify sys db pva.acceleration value none

Fix:
Counters are now correctly decremented.

Fixed Versions:
15.1.4.1

1019081-3 : HTTP/2 hardening

Links to More Info: K97045220, BT1019081

Component: Local Traffic Manager

Symptoms:
Under certain condition, the HTTP/2 profile does not follow current best practices

Conditions:
- HTTP/2 profile enabled

Impact:
The HTTP/2 profile does not follow current best practices.

Workaround:
N/A

Fix:
TMM now processes HTTP/2 traffic as expected

Fixed Versions:
14.1.4.5, 15.1.3.1

1018577-3 : SASP monitor does not mark pool member with same IP Address but different Port from another pool member

Links to More Info: BT1018577

Component: Local Traffic Manager

Symptoms:
When the LTM SASP monitor is applied to a pool with multiple members having the same IP Address but different Ports, only one of the pool members with the duplicated IP Address will be monitored (marked UP or DOWN as appropriate). Other pool members sharing the same IP Address will remain in a 'checking' state.

Conditions:
This occurs when using the SASP monitor in a pool with multiple members having the same IP Address but different Ports.
For example:
ltm pool sasp_test_pool {
    members {
        sasp_1:80 {
            address 10.10.10.1
        }
        sasp_1:8080 {
            address 10.10.10.1
        }
        sasp_2:80 {
            address 10.10.10.2
        }
        sasp_2:8080 {
            address 10.10.10.2
        }
    }
    monitor sasp_test
}

In this case, only one pool member with a given IP Address will be correctly monitored by the sasp monitor.
Any additional pool members with the same IP Address but different port will not be monitored by the SASP monitor and will remain in a 'checking' state.

Impact:
Not all pool members may be effectively/accurately monitored by the SASP monitor.

Fix:
The ltm sasp monitor correctly monitors members of a pool which share the same IP Address but different Ports.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1018493-2 : Response code 304 from TMM Cache always closes TCP connection.

Links to More Info: BT1018493

Component: Local Traffic Manager

Symptoms:
When a virtual server is configured to accelerate HTTP traffic, it caches responses with 200 and 304 response codes. Serving a response with "304 Not Modified" code, TMM may close a connection to a client.

Conditions:
-- A virtual server has a web-acceleration profile (without a web application for versions prior 16.0.0).
-- A response with code 304, stored in TMM cache, is served to a request.

Impact:
A client needs to open a new TCP connection every time when a response with "304 Not Modified" code is served.

Fix:
TMM correctly serves a response with "304 Not Modified" code, allowing to correctly handle TCP connection status.

Fixed Versions:
14.1.4.5, 15.1.4, 16.1.2

1018309-3 : Loading config file with imish removes the last character

Links to More Info: BT1018309

Component: TMOS

Symptoms:
While loading a configuration from the file with IMISH ('imish -f <f_name>'),truncating the last line.

printf 'log file /var/log/zebos.log1' >/shared/tmp/new.cfg
Running imish -r 0 -f /shared/tmp/new.cfg have the last character missing like below:
log file /var/log/zebos.log

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Configuration commands cannot be created properly.

Workaround:
For CLI, use extra control char at the end or \n.

Fixed Versions:
15.1.4.1, 16.1.1

1018285-1 : MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction

Links to More Info: BT1018285

Component: Service Provider

Symptoms:
MRF DIAMETER is not DIAMETER-application aware. It does not have application-specific business logic. When creating a DIAMETER solution, BIG-IP operators often need to write iRule scripts that remove a session persistence entry at the end of a transaction.

Conditions:
Some applications require removal of the persistence entry upon successful and unsuccessful completion of a transaction.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule log_dia_error
ltm rule log_dia_error {
when DIAMETER_INGRESS {
set cmd_code [DIAMETER::command]
if { $cmd_code == 272 } {
    set cc_req_type [DIAMETER::avp data get 416 integer32]
    if {[DIAMETER::is_response] && $cc_req_type == 3 } {
       log local0. "Persistence record delete-on-any"
       DIAMETER::persist delete-on-any
    }
 }
}

Impact:
iRule script is required.

Fix:
DIAMETER::persist irule are supported to remove a persistence entry based on the result status of a answer message.
below irule commands are supported.
DIAMETER::persist delete-on-any
DIAMETER::persist delete-on-success
DIAMETER::persist delete-on-failure
DIAMETER::persist delete-none

Fixed Versions:
15.1.4.1, 16.1.2

1018145-1 : Firewall Manager user role is not allowed to configure/view protocol inspection profiles

Links to More Info: BT1018145

Component: Protocol Inspection

Symptoms:
A user account with the "firewall-manager" role that is assigned permissions only to custom partitions will not be able to configure protocol inspection profiles.

Conditions:
-- A user account is created with the role firewall-manager.
-- A custom partition is created.
-- The newly created user is given access to the newly created partition.

Impact:
Any user account without access to "/Common" partition is not allowed to configure protocol inspection profiles.

Workaround:
- If the user account is provided access to "/Common" partition as well, the user should be able to configure protocol-inspection profiles in the newly created custom partitions.

Fix:
The permissions are granted for any non-admin user to configure protocol inspection profiles in a custom partition as long as they have access to "/Common" partition as well.

Fixed Versions:
15.1.4, 16.1.1

1017973-2 : BIND Vulnerability CVE-2021-25215

Links to More Info: K96223611, BT1017973

1017965-2 : BIND Vulnerability CVE-2021-25214

Links to More Info: K11426315, BT1017965

1017645-2 : False positive HTTP compliance violation

Links to More Info: BT1017645

Component: Application Security Manager

Symptoms:
False-positive HTTP compliance violation.

Conditions:
Authorization header with bearer token and/or some other authorization headers types.

Impact:
False-positive traffic blocking.

Workaround:
Turn on an internal parameter by entering the following command from the BIG-IP CLI:

/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1

Then restart ASM for this to take effect:

bigstart restart asm

Fix:
The RFC compliance violation is no longer issued for unknown types of authorization headers.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2

1017233-1 : APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption

Links to More Info: BT1017233

Component: Access Policy Manager

Symptoms:
A corrupted password is sent as part of the "Authorization" header to the backend device and as a result, http 404 is returned

Conditions:
-- iRule for ActiveSync is used
-- The BIG-IP system has multiple tmms running

Impact:
User Authentication is failed by the backed server

Fixed Versions:
15.1.4.1, 16.1.2

1017153-2 : Asmlogd suddenly deletes all request log protobuf files and records from the database.

Links to More Info: BT1017153

Component: Application Security Manager

Symptoms:
Asmlogd suddenly deletes all request log protobuf files and records from the database.

Additionally, after the deletion happens, newly generated event logs seen in database do not show up in TMUI.

Conditions:
-- ASM provisioned
-- Config-sync setup, with frequent sync recovery and/or with a manual-sync device-group with ASM sync enabled.

Impact:
Sudden loss of request logs.

Workaround:
Delete all empty partitions and restart asmlogd.

1) View all the partitions:

   # perl -MF5::Db::Partition -MData::Dumper -MF5::DbUtils -e 'print Dumper(F5::Db::Partition::retrieve_partitions_info(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG"))'

Take note of the 'PARTITION_NAME' and 'TABLE_ROWS' for each partition.

2) For every partition_X (in PARTITION_NAME) with '0' in TABLE_ROWS, delete it by:

   # perl -MF5::Db::Partition -MF5::DbUtils -e 'F5::Db::Partition::delete_partition(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG", partition_name => "partition_X")'

3) restart asmlogd if and after done all deletes:

   # pkill -f asmlogd

NOTE: this workaround is temporary. Meaning, that the number of empty partitions will again accumulate and the same issue will happen again. The MAX number of partitions is - 100. Thus, it is advised to monitor the total number of *empty* partitions and repeat the workaround periodically. A cron script should work well. Normally, empty partitions should NOT accumulate. Thus, it is safe to run this script once an hour and remove all empty partitions.


Optionally, if you are having TMUI issue with newly generated event logs, perform the additional command below to delete rows from PRX.REQUEST_LOG_PROPERTIES for which no corresponding rows exist in PRX.REQUEST_LOG.

# mysql -t -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'delete from PRX.REQUEST_LOG_PROPERTIES where request_log_id > (select id from PRX.REQUEST_LOG order by id desc limit 1)'

Fix:
Upgrading to a fixed software version will not delete accumulated partitions and will not clear the symptom away. The fix will prevent ASM from accumulating partitions unnecessarily in the scenarios.

If your ASM system is experiencing this and partitions are accumulated, perform the workaround to clear the symptom. Using a fixed software version, you only need to perform the workaround once. You no longer have to perform it periodically.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1016633 : iprep.protocol with auto-detect fails when DNS takes time to resolve

Links to More Info: BT1016633

Component: Advanced Firewall Manager

Symptoms:
On some hardware platforms, after a reboot, DNS takes a significant amount of time to come up.

Conditions:
This is encountered on either a fresh installation, or upon a reboot of a BIG-IP system.

Impact:
DNS takes time to come up (after a reboot) and till then DNS resolution fails. During this, iprepd with auto-detect fails

Workaround:
None

Fix:
Fixed connectivity issues in case of auto-detect protocol mode.

Fixed Versions:
15.1.4

1016309-1 : When two policies with the same properties are configured with geo property, the geo for the second policy is ignored.

Links to More Info: BT1016309

Component: Advanced Firewall Manager

Symptoms:
If two policies are configured with rule lists of same type of properties (1 allow and 1 deny) with the geo property used, the geo settings of the first rule will be used in the second rule.

Conditions:
-- Two policies having the same type of rule lists (1 allow rule and 1 deny rule)
-- The same geo is configured in a rule in each of the rule lists.
-- One rule is configured to allow, one is configured to deny

Impact:
Connection requests for the second virtual server that uses the second policy will use the geo settings from the first policy.

Workaround:
None

Fix:
Connection request for second virtual server will be dropped and allowed as configured in the policy that is attached.

Fixed Versions:
15.1.4

1016113-3 : HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile.

Links to More Info: BT1016113

Component: Local Traffic Manager

Symptoms:
Configurations containing HTTP response-chunking 'sustain' and a Web Acceleration profile do not rechunk payload regardless of whether the web server responds with a chunked response.

Conditions:
-- Incoming response payload to the BIG-IP system is chunked.
-- HTTP profile is configured with response-chunking 'sustain'.
-- Web Acceleration profile also configured on the same virtual server.

Impact:
The BIG-IP response is not chunked, regardless of whether the associated web server responds with a chunked payload when the Web Acceleration is utilized.

Workaround:
For a chunked response to be delivered to the client, apply the iRule command 'HTTP::rechunk' to responses when a Web Acceleration profile is used.

Fix:
The BIG-IP response is chunked appropriately when a Web Acceleration profile is used.

Fixed Versions:
15.1.4, 16.1.2

1016033-2 : Remote logging of WS/WSS shows date_time equal to Unix epoch start time

Links to More Info: BT1016033

Component: Application Security Manager

Symptoms:
Enable the BD_MISC log and notice the REMOTE_LOG buffer printed in the bd logs. The date_time field will be set as closer to epoch time, for eg: "1969-12-31 16:27:00", instead of the current date. The same will be reflected in the remote logs as well.

Conditions:
Remote logging is enabled and the WS/WSS requests are sent to the BIG-IP

Impact:
The date_time information in WS traffic logged to a remote destination is incorrect. This makes correlating data difficult or impossible depending on the traffic.

Fixed Versions:
15.1.5

1015381-5 : Windows Edge Client does not follow best practices while installing

Links to More Info: K08503505, BT1015381

1015201 : HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted.

Links to More Info: BT1015201

Component: Local Traffic Manager

Symptoms:
The HTTP unchunking satellite leaks ERR_MORE_DATA when processing payload - this error code is then returned to other filters which will abort the connection due to this unexpected error (like PLUGIN).

Conditions:
Virtual server with HTTP, compression and NTLM profiles.

Impact:
Connection is aborted

Fix:
HTTP unchunking satellite no longer leaks ERR_MORE_DATA.
Connection is not aborted and response is received by the client.

Fixed Versions:
14.1.4.4, 15.1.5

1015133-3 : Tail loss can cause TCP TLP to retransmit slowly.

Component: Local Traffic Manager

Symptoms:
If a long tail loss occurs during transmission, TCP might be slow to recover.

Conditions:
-- A virtual server is configured with the TCP profile attached.
-- SACK and TLP are enabled.
-- A tail loss of multiple packets sent by the BIG-IP occurs.

Impact:
BIG-IP retransmits one packet per RTT, causing a long recovery. The impact is more pronounced if an entire window is lost.

Workaround:
Disabling TLP may improve performance in this particular case, but may degrade performance in other situations.

Fix:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.

Behavior Change:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.

Fixed Versions:
14.1.4.5, 15.1.5

1015093-3 : The "iq" column is missing from the ndal_tx_stats table

Links to More Info: BT1015093

Component: TMOS

Symptoms:
When viewing the ndal_tx_stats statistics table, the "iq" column is not present.

Conditions:
-- BIG-IP Virtual Edition.
-- Viewing statistics tables.

Impact:
Missing statistic; less information available.

Fixed Versions:
14.1.4.5, 15.1.4.1

1014609 : Tunnel_src_ip support for dslite event log for type field list

Links to More Info: BT1014609

Component: Advanced Firewall Manager

Symptoms:
When storage-format is set to None the dslite_dst_ip and dslite_src_ip fields are displayed; however, the field list only displays dslite_dst_ip and you are unable to configure dslite_src_ip.

Conditions:
-- AFM configured
-- You are configuring a logging profile and are choosing fields from the field list

Impact:
The dslite_src_ip field cannot be selected in the logging profile when choosing fields from the field list.

Workaround:
Do not choose fields from the field list and dslite_src_ip will be logged.

Fix:
For NAPT mode dslite tunnel_src_ip is now supported for field list for all 6 event type (inbound start/stop, outbound start/stop, error and quota exceeded).

Fixed Versions:
15.1.4

1014433 : Time stamp format is not the same for all LTM logs

Links to More Info: BT1014433

Component: TMOS

Symptoms:
After the device reboots, the LTM logs time stamp provided for "boot_marker" and "Shutdown cleanly" are of two different formats.

Conditions:
This can be found in /var/log/ltm following a reboot.

Impact:
The time stamps are not the same.

Fix:
The boot marker log entry now uses a consistent time stamp.

Behavior Change:
The boot marker log entry now uses a consistent time stamp.

Fixed Versions:
15.1.4

1013649-4 : Leftover files in /var/run/key_mgmt after key export

Links to More Info: BT1013649

Component: TMOS

Symptoms:
Files accumulate in /var/run/key_mgmt
qkview grows too large to be processed by iHealth

Conditions:
iControl SOAP used for key export

Impact:
Thousands of files can eventually accumulate in /var/run/key_mgmt, impacting ability to process qkviews
it takes long time to process.

Workaround:
Delete files in /var/run/key_mgmt manually

Fix:
Earlier f5km_shutdown is called with DONT_DELETE argument, now it is called with DELETE_ENTIRE_KEYMGMT_DIR so it will clean up temp files in /var/run/key_mgmt properly.

Fixed Versions:
15.1.4

1013569 : Hardening of iApps processing

Component: Guided Configuration

Symptoms:
Under certain conditions, iApps do not follow current best practices.

Conditions:
- iApps in use

Impact:
iApps do not follow current best practices.

Workaround:
N/A

Fix:
iApps now follow current best practices.

Fixed Versions:
15.1.4, 16.1.1

1013181-2 : TMM may produce core when dynamic CRL check is enabled on the client SSL profile

Links to More Info: BT1013181

Component: Local Traffic Manager

Symptoms:
Possible tmm crash during ssl handshake with client SSL virtual server when dynamic CRL check is used.

Conditions:
All these 3 conditions need to be met.

- Client Certificate is set to "request" on the client SSL profile or using APM "On-Demand Cert Auth" agent set to "request".
- Dynamic CRL check is configured on the client SSL profile.
- Client does not submit its client certificate to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Configure Client Certificate "require" on the client SSL profile or, if using APM "On-Demand Cert Auth" agent, configure it to "require".

or

- Disable Dynamic CRL check. You can use static CRL file on the client SSL profile instead.

Fixed Versions:
15.1.5

1012721-1 : Tmm may crash with SIP-ALG deployment in a particular race condition

Links to More Info: BT1012721

Component: Service Provider

Symptoms:
Tmm crashes in SIP-ALG deployment

Conditions:
--- SIP-ALG is deployed
--- While processing first SIP REGISTER at server-side

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes in this race condition

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1

1012533-1 : `HTTP2::disable serverside` can cause cores

Links to More Info: BT1012533

Component: Service Provider

Symptoms:
If `HTTP2::disable serverside` is called on a flow that has no HTTP2 configured on the server-side then it can incorrectly report an error and RST the flow (this is ID1013597).

Because of the timing of this RST, tmm may crash.

Conditions:
1) iRule calls `HTTP2::disable serverside` on HTTP_REQUEST.
2) No HTTP2 configured on server-side.
3) server-side has already handled a flow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't call `HTTP2::disable serverside` if there is no HTTP2 on server-side.

Fixed Versions:
15.1.4.1

1012521-2 : BIG-IP UI file permissions

Links to More Info: BT1012521

Component: Advanced Firewall Manager

Symptoms:
Some GUI files have incorrect permission settings.

Conditions:
Files installed by the security-ui rpm.

Impact:
File permissions are incorrect.

Fix:
Installation script updated to set permissions to remove write privileges for the Group and User level

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

1012413-3 : Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled

Links to More Info: BT1012413

Component: Advanced Firewall Manager

Symptoms:
When a DoS profile is attached to a virtual server, the mitigation limit is set to the system limit and not the HSB limit. This causes more packets to be handled by software. Depending on attack size, it could pass up to 200% of the set mitigation limit. This can impact tmm performance.

Conditions:
-- Dos profile is configured on virtual server.
-- Hardware platform that has HSB
-- Hardware mitigation is enabled

Impact:
Tmm performance may be degraded.

Workaround:
None

Fix:
The HSB limit is set to (vector configured mitigation limit) / (number of hsbs on BIG-IP)

Fixed Versions:
15.1.4

1012365-2 : Nettle cryptography library vulnerability CVE-2021-20305

Links to More Info: K33101555, BT1012365

1012009-1 : MQTT Message Routing virtual may result in TMM crash

Links to More Info: BT1012009

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an option to use Message Routing virtual servers for MQTT traffic. It uses a different approach to associate a client side and a server side than a standard virtual server. In some instances, a server side is incorrectly handled.

Conditions:
-- A Message Routing virtual with MQTT protocol.
-- A client attempts to reconnect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
When a client attempts to reconnect, and an existing server side connection is used, TMM correctly handles the connection's state and no longer crashes for this reason.

Fixed Versions:
15.1.4.1

1011285-2 : The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects.

Links to More Info: BT1011285

Component: Global Traffic Manager (DNS)

Symptoms:
If you attempt a POST or PATCH iControl REST request against a wide IP, and you include an empty 'lastResortPool' property in the JSON body, the system rejects the request as invalid and returns the following validation error:

{
  "code": 400,
  "message": "\"last-resort-pool\" requires a value",
  "errorStack": [],
  "apiError": 26214401
}

Conditions:
A POST or PATCH command against a wide IP object includes an empty lastResortPool property.

Impact:
Inability to create or modify the wide IP object.

Workaround:
You can use either of the following, depending on what you want to do:

-- To create a new wide IP object, remove the empty 'lastResortPool' property from the JSON body.

-- To remove the last-resort-pool from an already existing wide IP, define the property as follows instead:
"lastResortPool":"none"

Fixed Versions:
15.1.5

1011065-2 : Certain attack signatures may not match in multipart content

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.

Conditions:
- ASM provisioned
- Request contains multipart body that matches specific attack signatures.

Impact:
Attack detection is not triggered as expected.

Workaround:
None

Fix:
Attack detection is now triggered as expected.

Fixed Versions:
15.1.4.1, 16.1.2

1011061-2 : Certain attack signatures may not match in multipart content

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.

Conditions:
- ASM provisioned
- Request contains a specially-crafted multipart body

Impact:
Attack detection is not triggered as expected.

Workaround:
None

Fix:
Attack detection is now triggered as expected.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1010393-4 : Unable to relax AS-path attribute in multi-path selection

Links to More Info: BT1010393

Component: TMOS

Symptoms:
In BIG-IP versions where ID933461 (https://cdn.f5.com/product/bugtracker/ID933461.html) is fixed, you are unable to relax AS-path attribute in multi-path selections.

Conditions:
BGP multi-path routes with different AS_PATH attributes.

Impact:
Some routes might not be considered as multipath. ECMP routes are not installed properly.

Workaround:
Consider using 'bgp bestpath as-path ignore' or alter the AS_PATH attribute upstream.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2

1010245-1 : Duplicate ipsec-sa SPI values shown by tmsh command

Links to More Info: BT1010245

Component: TMOS

Symptoms:
A tmsh command which shows ipsec-sa instances can display the 32-bit SPI more than once for the same security association (SA) but in different tmm instances.

Conditions:
Especially in the context of failover where Standby becomes Active, sometimes the same SA appears more than once when shown by a tmsh command, but in different tmms.

Impact:
The duplicate SPI displayed is a cosmetic effect only.

Workaround:
None

Fix:
Fixed an issue with duplicate SA reporting when using the tmsh show net ipsec ipsec-sa command.

Fixed Versions:
15.1.4.1

1009949-2 : High CPU usage when upgrading from previous version

Links to More Info: BT1009949

Component: TMOS

Symptoms:
When upgrading version from 12.x to 14.1.4, ospfd has high cpu utilization.

Conditions:
-- OSPF is enabled.
-- The BIG-IP system is upgraded from 12.x to 14.1.4.

Impact:
Performance Impact.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2

1009773 : AWS deployments of TMM may crash while processing traffic

Links to More Info: K01153535, BT1009773

1009725-3 : Excessive resource usage when ixlv drivers are enabled

Component: TMOS

Symptoms:
TMM may consume excessive resources while processing traffic on VE deployments with ixlv drivers.

Conditions:
- BIG-IP VE
- ixlv drivers.

Impact:
Excessive resource consumption, potentially leading to delayed traffic processing.

Workaround:
Disable TCP Segmentation Offload:

tmsh modify sys db tm.tcpsegmentationoffload value disable

Then restart TMM:

bigstart restart TMM

Note that restarting TMM will cause the BIG-IP to stop processing traffic (and failover, if it is in a device cluster).

Fix:
TMM now processes VE traffic as expected

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1009093-1 : GUI widgets pages are not functioning correctly

Links to More Info: BT1009093

Component: Application Visibility and Reporting

Symptoms:
Some links and drop-down fields are not available for 'pressing/clicking' on AVR-GUI widgets pages

Conditions:
AVR/ASM is provisioned

Impact:
Cannot use AVR GUI pages correctly

Workaround:
1. Back up the following file, and then edit it:
/var/ts/dms/amm/templates/overview.tpl

1.a. Remove the following line:
<script type="text/javascript" src="script/analytics_stats.js{{BIGIP_BUILD_VERSION_JS}}"></script>

1.b. Add the following lines after the 'var _default_smtp = '{{smtp_mailer}}';' line:
$(document).ready(function() {
        if(!window.AVR_LOCALIZATION) return;
        $('.need-localization-avr').each(function() {
            var item = $(this);
            if (item.is("input")) {
                var key = "avr." + item.val().replace(/\s/g, '');
                item.val(window.AVR_LOCALIZATION[key] || item.val());
            } else {
                var key = "avr." + item.text().replace(/\s/g, '');
                item.text(window.AVR_LOCALIZATION[key] || item.text());
            }
        }).removeClass('need-localization-avr');
    });

1.c. Save and exit (might require the 'force' save with root user).

2. Log out of the GUI.
3. Log back in.

Fix:
GUI widgets pages now function correctly.

Fixed Versions:
15.1.5

1009037-3 : Tcl resume on invalid connection flow can cause tmm crash

Links to More Info: BT1009037

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm crashes.
Tmm logs contain a line that looks like: "Oops @ 0x2bbd463:139: Unallocated flow while polling for rule work. Skipping."

Conditions:
1) iRule uses a function that may suspend iRule processing (see https://support.f5.com/csp/article/K12962 for more about this).
2) The connflow associated with the iRule is being torn down by tmm.
3) Depending upon the exact timing there is a rare chance that the iRule will resume on the wrong connflow which can cause a core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1008837-2 : Control plane is sluggish when mcpd processes a query for virtual server and address statistics

Links to More Info: BT1008837

Component: TMOS

Symptoms:
When there are thousands of rows in the virtual_server_stat table and mcpd receives a query for for all virtual server or virtual address statistics, mcpd can take a long time to process the request.

There might be thousands of rows if thousands of virtual servers server are configured.

There could also be thousands of rows if there are virtual servers configured for source or destination address lists, where those lists contain tens or hundreds of addresses.

Conditions:
-- Thousands of virtual_server_stat rows.
-- mcpd processes a query_stats request for the virtual_server_stat table.

Impact:
When mcpd is processing a query for virtual server statistics:

-- TMSH and GUI access is very slow or non-responsive.
-- SNMP requests timeout.
-- mcpd CPU usage is high.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4

1008561-1 : In very rare condition, BIG-IP may crash when SIP ALG is deployed

Component: Service Provider

Symptoms:
Under certain conditions, BIG-IP may crashes while processing SIP ALG traffic

Conditions:
- SIP ALG is deployed
- Inbound call received

Impact:
TMM crash leading to a failover event. Traffic is interrupted during BIG-IP restart

Workaround:
N/A

Fix:
BIG-IP now processes SIP ALG traffic as expected

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

1008077-5 : TMM may crash while processing TCP traffic with a FastL4 VS

Component: Local Traffic Manager

Symptoms:
Under certain conditions, FastL4 virtual servers may consume excessive resources while processing TCP traffic

Conditions:
- FastL4 virtual server
- TCP traffic

Impact:
Excessive resource consumption, potentially leading to a TMM crash and failover event.

Workaround:
N/A

Fix:
In versions where the vulnerability is fixed loose-close option enabled on a fastl4 profile is _strictly_ required for nPath deployments.

Fixed Versions:
14.1.4.4, 15.1.4.1

1008017-5 : Validation failure on Enforce TLS Requirements and TLS Renegotiation

Links to More Info: BT1008017

Component: Local Traffic Manager

Symptoms:
The configuration load fails with an error:

err mcpd[4182]: 0107186b:3: Invalid "enforce-tls-requirements" value for profile /prod/my_profile. In Virtual Server (/common/my_virtual_server) an http2 profile with enforce-tls-requirements enabled is incompatible with client-ssl/server-ssl profile with renegotiation enabled. Value must be disabled.

Conditions:
BIG-IP system allows this configuration and fails later:

-- Virtual server with HTTP/2, HTTP, and client SSL profiles (with renegotiation disabled).

1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add server SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.
4. Load the configuration.

Impact:
The configuration will not load if saved.

Workaround:
If enabling 'Enforce TLS Requirements' in a HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in the Server SSL profiles on that virtual server.

Fix:
There is now a validation check to prevent this configuration, which is the correct functionality.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1007821-1 : SIP message routing may cause tmm crash

Links to More Info: BT1007821

Component: Service Provider

Symptoms:
In very rare circumstances, tmm may core while performing SIP message routing.

Conditions:
This can occur while passing traffic when SIP message routing is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
SIP message routing no longer results in a core due to internal memory errors in message parsing.

Fixed Versions:
15.1.4, 16.1.1

1007749-1 : URI TCL parse functions fail when there are interior segments with periods and semi-colons

Links to More Info: BT1007749

Component: Local Traffic Manager

Symptoms:
URI::path, URI::basename, etc., return the wrong strings, e.g., URI::path can return a subset of what it should return.

Conditions:
This happens for URIs like these:
   /alpha/beta/Sample.text;param/trailer/
   /alpha/beta/Sample.text;param/file.txt

Impact:
iRules fail to work as expected for these types of URIs.

This occurs because the combination of the period and semi-colon in 'Some.thing;param' confuses the BIG-IP system parser, causing incorrect results to be returned.

Workaround:
If this is happening for known URIs, then it should be possible to process those URIs in a special way within iRules to do things like temporarily replacing interior periods with another character, like a plus sign.

Fixed Versions:
15.1.5

1007677-1 : Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector'

Links to More Info: BT1007677

Component: Access Policy Manager

Symptoms:
SAML fails on APM SAML IdP after receiving the SAML ArtifactResolve Request, and needs to extract Artifact data from sessionDB to build the assertion. An error is logged:

-- err tmm[24421]: 014d1211:3: ::ee23458f:SAML SSO: Cannot find SP connector (/Common/example_idp)
-- err tmm[24421]: 014d0002:3: SSOv2 plugin error(12) in sso/saml.c:11864

Conditions:
The 'session-key' in the sessiondb includes a colon ':' in its value.

Impact:
SAML may fail on APM SAML IdP using artifact binding.

Fix:
The system now handles this occurrence of 'session-key'.

Fixed Versions:
15.1.4.1

1007629-1 : APM policy configured with many ACL policies can create APM memory pressure

Links to More Info: BT1007629

Component: Access Policy Manager

Symptoms:
High APM memory usage even in idle state when no traffic is flowing.

Conditions:
APM policies configured with resource assignment agents with ACL policies configured. The idle state memory usage will be proportional to the number of resource assignment agents and ACL policies configured

Impact:
If idle state memory of APM is high then less memory is available for use during traffic flow and thereby can lead to OOM crashes and failover.

Workaround:
None

Fix:
APM policy configured with many ACL policies no longer creates APM memory pressure

Fixed Versions:
14.1.4.4, 15.1.4.1

1007489-5 : TMM may crash while handling specific HTTP requests

Component: Local Traffic Manager

Symptoms:
BIG-IP system crashes while handling some HTTP requests

Conditions:
-- HTTP Security profile is added
-- HTTP Proxy Connect profile is added
-- HTTP Virtual Server

Impact:
Traffic disrupted while TMM restarts.

Workaround:
N/A

Fix:
TMM no longer crashes when handling some HTTP requests.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1007113-1 : Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds

Links to More Info: BT1007113

Component: Service Provider

Symptoms:
In case of diameter over SCTP, while aborting the connection of the pool member, if SCTP INIT is sent by the BIG-IP system before the SCTP ABORT is processed, the pool member is marked UP (provided the SCTP connection is established successfully), and then goes down later, immediately after ABORT is fully processed.

Conditions:
The time difference between SCTP ABORT and SCTP INIT is very small, i.e., 2 seconds or less

Impact:
Pool member is marked DOWN even though it is active

Workaround:
If the watchdog is configured in the diameter session profile (i.e., watchdog-timeout is greater than 0), the pool member is marked UP after DWA is received from the pool member.

Fix:
The system now marks the pool member as UP if DWA is received from the pool member.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1007049-3 : TMM may crash while processing DNS traffic

Links to More Info: K30523121, BT1007049

1006893-2 : Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core

Links to More Info: BT1006893

Component: Access Policy Manager

Symptoms:
When ACCESS::oauth is used after ACCESS::session create/delete in an iRule event, TMM may core.

Conditions:
ACCESS::oauth is used after ACCESS::session create/delete in an iRule event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
TMM does not core and functionality works as expected.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1006781-1 : Server SYN is sent on VLAN 0 when destination MAC is multicast

Links to More Info: BT1006781

Component: Local Traffic Manager

Symptoms:
TCP connections cannot be established when a multicast destination MAC is used. Traffic outage occurs.

Conditions:
Virtual wire with multicast destination MAC used while establishing TCP connections.

Impact:
Traffic outage.

Workaround:
None

Fixed Versions:
15.1.4.1

1006345-1 : Static mac entry on trunk is not programmed on CPU-only blades

Links to More Info: BT1006345

Component: TMOS

Symptoms:
More traffic egressing out from primary link of lacp when there is DLFs (destination lookup failures) since static mac is not present on CPU-only blades

Conditions:
Static mac configured on trunk on all platforms except i4000, i850/i2000, 2000/2200, 4000/4200,4100

Impact:
DLFs (destination lookup failures) will cause the first interface in the trunk to egress all DLF'd traffic

Fixed Versions:
15.1.3.1

1005489-2 : iRules with persist command might result in tmm crash.

Links to More Info: BT1005489

Component: Local Traffic Manager

Symptoms:
BIG-IP systems may experience a tmm crash if iRules containing 'persist' command are being used.

Conditions:
-- BIG-IP systems with multiple TMMs
-- Virtual server with HTTP/HTTP/2 profile attached.
-- Virtual server has iRules containing the 'persist add' command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
15.1.4, 16.0.1.2

1005109-2 : TMM crashes when changing traffic-group on IPv6 link-local address

Links to More Info: BT1005109

Component: Local Traffic Manager

Symptoms:
TMM crashes when changing the traffic-group on an IPv6 link-local address.

Conditions:
Changing the traffic-group on an IPv6 link-local address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.5

1005105-1 : Requests are missing on traffic event logging

Links to More Info: BT1005105

Component: Application Security Manager

Symptoms:
Some traffic requests are missing in Security :: Event Logs.

Conditions:
-- Local logging enabled
-- Two or more virtual servers passing heavy traffic

Impact:
High CPU load prevents the Policy Builder from analyzing and sending all traffic requests to the request log.

Workaround:
None

Fix:
The Policy Builder now attempts to send traffic requests to the request log, even when learning analysis is limited due to high CPU load.

Fixed Versions:
14.1.4.5, 15.1.4, 16.1.1

1004929-2 : During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid.

Links to More Info: BT1004929

Component: TMOS

Symptoms:
While receiving a config sync operation, mcpd on a secondary blade may restart, logging:

err mcpd[6383]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020012:3: A unsigned four-byte integer message item is invalid.... failed validation with error 16908306

Conditions:
-- A VIPRION system (or cluster-based vCMP guest) with more than one blade processes a full configuration load, i.e. as a result of running "tmsh load sys config" or receiving a full-load config sync from peer BIG-IP.

-- The system generates a large number of warning messages during a configuration load, whose total length is larger than 65,535 bytes.

These warnings can be seen in the output of "tmsh load sys config" or "tmsh load sys config verify", or are logged under message ID 01071859

An example of such a warning is:

SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string of the ssl profile (/Common/ssl-profile-1) has been ignored.

Impact:
MCPD on secondary blades restart. Those blades are inoperative while services restart.

Workaround:
Address the warnings reported by the system.

Fixed Versions:
14.1.4.5, 15.1.5

1004833-2 : NIST SP800-90B compliance

Links to More Info: BT1004833

Component: TMOS

Symptoms:
Common Criteria and FIPS 140-2 certifications require compliance with NIST SP800-90B; this completes that compliance.

Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-2 compliance.

Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 14.1.4.2 or BIG-IP 15.1.2.1) will not be running a Common Criteria and/or FIPS 140-2 certified configuration.

Workaround:
None

Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.

Fixed Versions:
14.1.4.2, 15.1.4

1004633-3 : Performance degradation on KVM and VMware platforms.

Links to More Info: BT1004633

Component: Performance

Symptoms:
CPU utilization is increased.

Conditions:
-- KVM or VMware platforms are deployed.
-- FastHTTP or L7 HTTP virtual servers are configured.

Impact:
A 3-13% increase in CPU utilization which may degrade throughput with higher volumes of traffic.

Fixed Versions:
15.1.4

1004537-1 : Traffic Learning: Accept actions for multiple suggestions not localized

Links to More Info: BT1004537

Component: Application Security Manager

Symptoms:
When you open the accept suggestions actions list, the actions are not localized. Labels are shown instead of text, for example asm.button.Accept instead of Accept.

Conditions:
This occurs after selecting several suggestions and opening the Accept suggestions actions list.

Impact:
Actions not localized.

Workaround:
None

Fix:
Fixed localization for Accept suggestions actions list.

Fixed Versions:
15.1.4, 16.1.2

1004517-2 : BIG-IP tenants on VELOS cannot install EHFs

Links to More Info: BT1004517

Component: TMOS

Symptoms:
BIG-IP tenants created on VELOS using v14.1.4 software earlier than v14.1.4.3 cannot accept engineering hotfixes (EHF).

Conditions:
Installing EHF updates to BIG-IP tenants on VELOS running BIG-IP v14.1.4 software earlier than v14.1.4.3.

Impact:
EHF installation fails.

Workaround:
None

Fix:
BIG-IP tenants on VELOS can now install EHFs.

Fixed Versions:
14.1.4.3, 15.1.4

1004417-3 : Provisioning error message during boot up

Links to More Info: BT1004417

Component: TMOS

Symptoms:
Error message in /var/log/ltm:
Could not retrieve DB variable for (provision.datastor)

Conditions:
Upgrade BIG-IP software from version 12.x to version 13.x or higher.

Impact:
The error message is logged after the first boot after the upgrade. There is no impact on functionality and the error message can be ignored.

Workaround:
None

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2

1004069-1 : Brute force attack is detected too soon

Links to More Info: BT1004069

Component: Application Security Manager

Symptoms:
A Brute force attack is detected too soon.

Conditions:
The login page has the expected header validation criteria.

Impact:
The attack is detected earlier than the setpoint.

Workaround:
N/A

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2

1003765-1 : Authorization header signature triggered even when explicitly disabled

Links to More Info: BT1003765

Component: Application Security Manager

Symptoms:
Requests with base64 encoded Authorization header with disabled signatures might result in a blocking page even though the specific signature is disabled.

Conditions:
Base64 encoded Authorization header is included in the request.

Impact:
A signature violation is detected, even though the signature is disabled.

Workaround:
None

Fix:
No violation for disabled signatures.

Fixed Versions:
15.1.4.1

1003633-3 : There might be wrong memory handling when message routing feature is used

Links to More Info: BT1003633

Component: Service Provider

Symptoms:
The following log is observed from /var/log/ltm
Oops @ 0x28c3060:232: buf->ref == 0

Conditions:
Message routing is used either by
- Generic message (ltm message-routing generic) or
- HTTP2 with Message router option enabled

Impact:
For most cases, this kind of incorrect memory handling may only generate warning log message. In rare case, it might lead to a tmm crash.

Workaround:
N/A

Fix:
Wrong memory handling in message routing is fixed.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1003557-3 : Not following best practices in Guided Configuration Bundle Install worker

Links to More Info: K74151369, BT1003557

1003317-3 : ASM signatures do not match as expected

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM signatures may not matched as expected.

Conditions:
- ASM enabled
- HTTP protocol compliance check disabled

Impact:
Signatures may not match as expected.

Workaround:
N/A

Fix:
ASM signatures are now matched as expected.

Fixed Versions:
14.1.4.5, 15.1.5

1003257-4 : ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected

Links to More Info: BT1003257

Component: TMOS

Symptoms:
ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' commands are not working properly. The address is always set to interface-configured global/local addresses respectively.

Conditions:
Using BGPv4 with IPv6 capability extension and a route-map with 'set ipv6 next-hop' and/or 'set ipv6 next-hop local' configuration.

Impact:
Wrong next-hop is advertised.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1003105-3 : iControl Hardening

Links to More Info: K74151369, BT1003105

1002945-2 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.

Links to More Info: BT1002945

Component: Local Traffic Manager

Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.

Conditions:
- IPv6 to IPv4 virtual server chaining.

Impact:
Traffic is dropped.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2

1002761-1 : SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure

Links to More Info: BT1002761

Component: TMOS

Symptoms:
A SCTP client's INIT chunks are rejected repeatedly.

Conditions:
-- Client-side SCTP association times out and is terminated with ABORT.
-- The client attempts to INIT the association again using the same source port.

Impact:
Client cannot reconnect to BIG-IP systems, even after the network failures are resolved.

Workaround:
Fail over and restart tmm on the affected device.

Fixed Versions:
15.1.4, 16.0.1.2

1002561-5 : TMM vulnerability CVE-2021-23007

Links to More Info: K37451543, BT1002561

1002557-2 : Tcl free object list growth

Links to More Info: BT1002557

Component: Access Policy Manager

Symptoms:
Apmd memory usage grows over time when a single agent with a Tcl object is shared across multiple threads.

Conditions:
This is encountered in APM environments when passing traffic.

Impact:
Tcl free object list grows and apmd memory usage increases over time.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4.1

1002385-3 : Fixing issue with input normalization

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
15.1.5

1002109-3 : Xen binaries do not follow security best practices

Links to More Info: BT1002109

Component: TMOS

Symptoms:
The following xen* binaries have multiple violations of security best practices.
usr/bin/xenstore
/usr/bin/xenstore-exists
/usr/bin/xenstore-ls
/usr/bin/xenstore-read
/usr/bin/xenstore-rm
/usr/bin/xenstore-watch
/usr/bin/xenstore-chmod
/usr/bin/xenstore-list
/usr/bin/xenstore-write

Conditions:
The violations can be seen on BIG-IP by running following script.
https://github.com/slimm609/checksec.sh

Impact:
The issue lead to violation of security best practices.

Fix:
Fixed an issue with certain xen* binaries.

Fixed Versions:
14.1.4.4, 15.1.4

1001865-2 : No platform trunk information passed to tenant

Component: TMOS

Symptoms:
Trunk information is not being published to BIG-IP tenants for use in high availability (HA) group definitions.

Conditions:
When defining high availability (HA) groups.

Impact:
No trunk or trunk member information is reported. This reduces the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.

Workaround:
None

Fix:
Trunk information is now synchronized between the VELOS system and tenants, enhancing the tenant high availability (HA) health check.

Behavior Change:
Trunk information is now synchronized between the VELOS system and tenants, which increases the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.

Fixed Versions:
15.1.4

1001509 : Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates

Links to More Info: K11162395, BT1001509

Component: Local Traffic Manager

Symptoms:
-- A client system or browser does not trust forged certificates, and reports a cert verification warning: ERR_CERT_AUTHORITY_INVALID.
-- The forged certificate received by the client has the same values set for AKI and SKI certificate extensions.

Conditions:
Client SSL profile in SSL forward proxy is configured with the same certificate for Cert Key Chain and CA Cert Key Chain, and that certificate has an SKI extension.

Impact:
Client does not trust forged certificates and can not connect to the backend.

Workaround:
Modify the Cert Key Chain on the Client SSL profile to have a different certificate from CA Cert Key Chain.

You can find details in K11162395: A client browser may not trust the certificate issued by the BIG-IP SSL forward proxy :: https://support.f5.com/csp/article/K11162395

Fix:
Certificate forged by SSL forward proxy does not contain AKI and SKI extensions, so this issue no longer occurs.

Fixed Versions:
14.1.4.3, 15.1.3

1001369-2 : D-Bus vulnerability CVE-2020-12049

Links to More Info: K16729408

1001337-1 : Cannot read single sign-on configuration from GUI when logged in as guest

Links to More Info: BT1001337

Component: Access Policy Manager

Symptoms:
When logging in to the BIG-IP GUI and attempting to read an existing single sign-on configuration from Access :: Single Sign-On, you see the following error from GUI.

General database error retrieving information.

Conditions:
-- The logged in BIG-IP user account is configured with the guest role.
-- Go to Access :: Single Sign-On to read existing SSO configurations.

Impact:
Cannot read SSO configurations from the GUI when logged on as guest.

Workaround:
Use tmsh commands to read SSO configuration.

Fix:
BIG-IP users with guest user account roles can now read SSO configurations from the GUI.

Fixed Versions:
14.1.4.5, 15.1.4.1

1001041-3 : Reset cause 'Illegal argument'

Links to More Info: BT1001041

Component: Access Policy Manager

Symptoms:
Client connections get aborted usually after the full transfer of the HTTP Post request.

If logging of reset reason is enabled using:
tmsh modify sys db tm.rstcause.log value enable

LTM logs report the reset reason as 'Illegal Argument'.

Conditions:
Any transaction that takes a long time to complete can result in this issue. This issue can be triggered if there is a large POST request or if the backend server is slow in responding to the requests.

Impact:
Clients cannot post large files to backend servers with APM PingAccess support.

Workaround:
None

Fix:
The timeout is now properly handled for large post requests, so that no reset occurs.

Fixed Versions:
14.1.4.4, 15.1.4

1000973-3 : Unanticipated restart of TMM due to heartbeat failure

Links to More Info: BT1000973

Component: TMOS

Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process. A core file might be generated without any message logged in /var/log/*.

High resolution timers (hrtimer) may be lost.

Conditions:
This occurs when data in kernel hrtimer module is corrupted by a kernel bug, so a tmm thread may fail to wake at the appropriate time after having entered a planned short sleep.

The precise details in this particular case are not knowable.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Very rarely, this might take a long time, in which case there is no mitigation except to wait for the operation to complete.

Alternatively, the unit might remain offline, in which rebooting the system is the better option.

Fix:
Fixed kernel issue that led to an unanticipated restart of tmm due to heartbeat failure.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2

1000741-3 : Fixing issue with input normalization

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1

1000405-2 : VLAN/Tunnels not listed when creating a new rule via GUI

Links to More Info: BT1000405

Component: Advanced Firewall Manager

Symptoms:
Available tunnels are not displayed on the AFM rules-creation page in the GUI.

Conditions:
-- Navigate to the firewall network rules creation page in the GUI.
-- In the rules source section, under the VLAN/Tunnel dropdown, select the 'specify' option.

Impact:
Available tunnels do not display in the select box. Cannot specify tunnels for firewall rules from the GUI.

Workaround:
Use tmsh to specify tunnels for firewall rules.

Fix:
The available tunnels now display in the VLAN/Tunnels dropdown.

Fixed Versions:
15.1.4, 16.1.1

1000021-5 : TMM may consume excessive resources while processing packet filters

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing packet filters.

Conditions:
- Packet filters in use

Impact:
Excessive resource consumption, potentially leading to memory exhaustion and reduced performance or a failover event.

Workaround:
N/A

Fix:
TMM now processes packet filters as expected.

Fixed Versions:
15.1.5


Known Issues in BIG-IP v15.1.x


TMOS Issues

ID Number Severity Links to More Info Description
913713-2 1-Blocking BT913713 Rebooting a blade causes MCPd to core as it rejoins the cluster
858173-3 1-Blocking BT858173 SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1
1049085-2 1-Blocking BT1049085 Booting into a newly installed hotfix volume may stall on RAID-capable platforms
998945-2 2-Critical BT998945 Load sys config is failing with OOM in MCPD processing
997793-2 2-Critical K34172543, BT997793 Error log: Failed to reset strict operations; disconnecting from mcpd
993481-3 2-Critical   Jumbo Frame issue with DPDK-eNIC.
992097-2 2-Critical BT992097 Incorrect hostname is seen in logging files
990853-3 2-Critical BT990853 Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.
989517-2 2-Critical BT989517 Acceleration section of virtual server page not available in DHD
979045-3 2-Critical BT979045 The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
976669-2 2-Critical BT976669 FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
967769-2 2-Critical BT967769 During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
967573-2 2-Critical BT967573 Qkview generation from Configuration Utility fails
957897-1 2-Critical BT957897 Unable to modify gateway-ICMP monitor fields in the GUI
950673-3 2-Critical BT950673 Hardware Syncookie mode not cleared when deleting/changing virtual server config.
950201 2-Critical BT950201 Tmm core on GCP
943109-2 2-Critical BT943109 Mcpd crash when bulk deleting Bot Defense profiles
940225-2 2-Critical BT940225 Not able to add more than 6 NICs on VE running in Azure
937481-2 2-Critical BT937481 Tomcat restarts with error java.lang.OutOfMemoryError
929133-2 2-Critical BT929133 TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
910325 2-Critical BT910325 DDoS Vector - TCP BAD ACK is not hardware-accelerated
907645-1 2-Critical BT907645 IPsec SAs may not be mirrored to HA standby
894133-1 2-Critical BT894133 After ISO upgrade the SSL Orchestrator guided configuration user interface is not available
888765-1 2-Critical BT888765 After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files
882757-1 2-Critical BT882757 sflow_agent crash SIGABRT in the cleanup flow
865653-3 2-Critical BT865653 Wrong FDB table entries with same MAC and wrong VLAN combination
865329-1 2-Critical BT865329 WCCP crashes on "ServiceGroup size exceeded" exception
858877-3 2-Critical BT858877 SSL Orchestrator config sync issues between HA-pair devices
856713-3 2-Critical BT856713 IPsec crash during rekey
842669-3 2-Critical BT842669 Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
840769-2 2-Critical BT840769 Having more than one IKE-Peer version value results in upgrade failure
808277-6 2-Critical BT808277 Root's crontab file may become empty
808149-2 2-Critical BT808149 Tmm crash
780437-6 2-Critical BT780437 Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777389-5 2-Critical BT777389 In rare occurrences related to PostgreSQL monitor, the mcpd process restarts
776117-2 2-Critical BT776117 BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
756830-5 2-Critical BT756830 BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
750588-3 2-Critical BT750588 While loading large configurations on BIG-IP systems, some daemons may core intermittently.
742764-2 2-Critical BT742764 The raccoon daemon is spawned more then once on startup, one fails and cores.
742419-4 2-Critical BT742419 BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi
718573-3 2-Critical BT718573 Internal SessionDB invalid state
671545-2 2-Critical BT671545 MCPD core while booting up device with error "Unexpected exception caught"
382363-3 2-Critical K30588577 min-up-members and using gateway-failsafe-device on the same pool.
1065041 2-Critical BT1065041 Web Application shows 'Not Found' in GUI
1048853-2 2-Critical BT1048853 "IKE VBUF" memory leak debug
1048141-2 2-Critical BT1048141 Sorting pool members by 'Member' causes 'General database error'
1041865-3 2-Critical BT1041865 Correctable machine check errors [mce] should be suppressed
1039609-3 2-Critical BT1039609 Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain
1035121-3 2-Critical BT1035121 Configsync syncs the node's monitor status
1031357-1 2-Critical BT1031357 After reboot of standby and terminating peer, some IPsec traffic-selectors are still online
1029949-1 2-Critical BT1029949 IPsec traffic selector state may show incorrect state on high availability (HA) standby device
1027961-1 2-Critical BT1027961 Changes to an admin user's account properties may result in MCPD crash and failover
1024269-2 2-Critical BT1024269 Forcing a file system check on the next system reboot does not check all filesystems.
1023829 2-Critical BT1023829 Security->Policies in Virtual Server web page spins mcpd 100%, which later cores
1020049 2-Critical BT1020049 iControl REST 401 error caused by pam-authenticator failure
1014361-1 2-Critical BT1014361 Config sync fails after provisioning APM or changing BIG-IP license
1012493-4 2-Critical BT1012493 Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check
1011801 2-Critical BT1011801 L2 behavior becomes inconsistent while scaling address space
999125-2 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
999021-3 3-Major BT999021 IPsec IKEv1 tunnels fail after a config sync from Standby to Active
998957-3 3-Major BT998957 Mcpd consumes excessive CPU while collecting stats.
998649-3 3-Major BT998649 Log hostname should be consistent when it contains ' . '
997561-3 3-Major BT997561 TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
997541-3 3-Major BT997541 Round-robin GRE Disaggregator for hardware and software
995605-1 3-Major BT995605 PVA accelerated traffic does not update route domain stats
995097-3 3-Major BT995097 Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
994365-3 3-Major BT994365 Inconsistency in tmsh 'object mode' for some configurations
994361-3 3-Major BT994361 Updatecheck script hangs/Multiple updatecheck processes
994305-1 3-Major BT994305 The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
992813-2 3-Major BT992813 The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
992449-3 3-Major BT992449 The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI
992253-2 3-Major BT992253 Cannot specify IPv6 management IP addresses using GUI
988745-3 3-Major BT988745 On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
988165-2 3-Major   VMware CPU reservation is now enforced.
987301-1 3-Major BT987301 Software install on vCMP guest via block-device may fail with error 'reason unknown'
987081-3 3-Major BT987081 Alarm LED remains active on Secondary blades even after LCD alerts are cleared
984585-1 3-Major BT984585 IP Reputation option not shown in GUI.
981485-4 3-Major BT981485 Neurond enters a restart loop after FPGA update.
977953-2 3-Major BT977953 Show running config interface CLI could not fetch the interface info and crashes the imi
977657-2 3-Major BT977657 SELinux errors when deploying a vCMP guest.
977113-5 3-Major BT977113 Unable to configure dependency for GTM virtual server if pool member dependency exists
976013-4 3-Major BT976013 If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards
974225-2 3-Major BT974225 Link Status traps are not issued on VE based BIG-IP systems
972785-6 3-Major BT972785 Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP
971009-1 3-Major BT971009 SNMPv3 alerts are not sent after upgrade to post 15.1.0.3 firmware
969737-1 3-Major BT969737 Snmp requests not answered if V2 traps are configured
969329-2 3-Major BT969329 Dashboard: Chart title/legend 'Control Plane' needs to be modified within dashboard of BIG-IP
967557-2 3-Major BT967557 Improve apm logging when loading sys config fails due to corruption of epsec rpm database
966949-2 3-Major BT966949 Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
965941-2 3-Major BT965941 Creating a net packet filter in the GUI does not work for ICMP for IPv6
964125-2 3-Major BT964125 Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
963541-2 3-Major BT963541 Net-snmp5.8 crash
960029-2 3-Major BT960029 Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error
959241-2 3-Major BT959241 Fix for ID871561 might not work as expected on the VCMP host
959057-3 3-Major BT959057 Unable to create additional login tokens for the default admin user account
958833-1 3-Major BT958833 After mgmt ip change via GUI, brower is not redirected to new address
958601-2 3-Major BT958601 In the GUI, searching for virtual server addresses does not match address lists
957993-2 3-Major BT957993 Unable to set a port list in the GUI for an IPv6 address for a virtual server
957637-2 3-Major BT957637 Pfmand crash during bootup
956625-2 3-Major BT956625 Port and port-list type are both stored in a traffic-matching-criteria object
955953-2 3-Major BT955953 iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'
955897-2 3-Major BT955897 Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain
953477-3 3-Major BT953477 Syncookie HW mode not cleared when modifying VLAN config.
950153-2 3-Major BT950153 LDAP remote authentication fails when empty attribute is returned
948601-3 3-Major   File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU
948101-1 3-Major BT948101 Pair of phase 2 SAs missing after reboot of standby BIG-IP device
946121-2 3-Major BT946121 SNMP user added with password less than 8 characters through tmsh is allowed but fails during snmpwalk.
945413-3 3-Major BT945413 Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
943793-2 3-Major BT943793 Neurond continuously restarting
943641-1 3-Major BT943641 IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfiguration
943577-2 3-Major BT943577 Full sync failure for traffic-matching-criteria with port list under certain conditions
943473-2 3-Major BT943473 LDAP monitor's test functionality has an incorrect and non-modifiable IP address field in GUI
943045-2 3-Major BT943045 Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.
941381-3 3-Major BT941381 MCP restarts when deleting an application service with a traffic-matching-criteria
940161 3-Major BT940161 iCall throws error: foreign key index (name_FK) do not point at an item that exists in the database
939249-3 3-Major BT939249 iSeries LCD changes to secure mode after multiple reboots
938145-1 3-Major BT938145 DAG redirects packets to non-existent tmm
937601-2 3-Major BT937601 The ip-tos-to-client setting does not affect traffic to the server.
936093-2 3-Major BT936093 Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
935485-2 3-Major BT935485 BWC: flows might stall when using dynamic BWC policy
935177-2 3-Major BT935177 IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
933329-2 3-Major BT933329 The process plane statistics do not accurately label some processes
931629-2 3-Major BT931629 External trunk fdb entries might end up with internal MAC addresses.
930825-4 3-Major BT930825 System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
930633-3 3-Major BT930633 Delay in using new route updates by existing connections on BIG-IP.
928389-2 3-Major BT928389 GUI becomes inaccessible after importing certificate under import type 'certificate'
928353-2 3-Major BT928353 Error logged installing Engineering Hotfix: Argument isn't numeric
928161-1 3-Major BT928161 Local password policy not enforced when auth source is set to a remote type.
927025-3 3-Major BT927025 Sod restarts continuously
925797-2 3-Major BT925797 Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members
925469-1 3-Major BT925469 SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
924297-2 3-Major BT924297 Ltm policy MCP objects are not being synced over to the peer device
923745-3 3-Major BT923745 Ctrl-Alt-Del reboots the system
922885-3 3-Major K27872027, BT922885 BIG-IP Virtual Edition does not pass traffic on ESXi 6.5
922613-2 3-Major BT922613 Tunnels using autolasthop might drop traffic with ICMP route unreachable
922153-2 3-Major BT922153 Tcpdump is failing on tmm 0.x interfaces
922069 3-Major BT922069 Increase iApp block configuration processor timeout
921149-1 3-Major BT921149 After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
921121-4 3-Major BT921121 Tmm crash with iRule and a PEM Policy with BWC Enabled
920893-1 3-Major BT920893 GUI banner for configuration issues frozen after repeated forced VIPRION blade failover
920761-2 3-Major BT920761 Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values
920517-2 3-Major BT920517 Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI
919401-2 3-Major BT919401 Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed
919317-5 3-Major BT919317 NSM consumes 100% CPU processing nexthops for recursive ECMP routes
919185-2 3-Major BT919185 Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed
918409-2 3-Major BT918409 BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
915829-2 3-Major BT915829 Particular Users unable to login with LDAP Authentication Provider
915557-2 3-Major BT915557 The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
915493-4 3-Major BT915493 imish command hangs when ospfd is enabled
913573-2 3-Major BT913573 Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.
912253-1 3-Major BT912253 Non-admin users cannot run show running-config or list sys
909505-3 3-Major BT909505 Creating LTM data group external object fails.
909485-3 3-Major BT909485 Deleting LTM data-group external object incorrectly reports 200 when object fails to delete
908753-3 3-Major BT908753 Password memory not effective even when password policy is configured
906505-2 3-Major BT906505 Display of LCD System Menu cannot be configured via GUI on iSeries platforms
905749-1 3-Major BT905749 imish crash while checking for CLI help string in BGP mode
904401-1 3-Major BT904401 Guestagentd core
903265-3 3-Major BT903265 Single user mode faced sudden reboot
901989-2 3-Major BT901989 Boot_marker writes to /var/log/btmp
901669-4 3-Major BT901669 Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
901529 3-Major BT901529 AFM Debug Reroute feature not supported
900485-2 3-Major BT900485 Syslog-ng 'program' filter does not work
899933-2 3-Major BT899933 Listing property groups in TMSH without specifying properties lists the entire object
899085-6 3-Major BT899085 Configuration changes made by Certificate Manager role do not trigger saving config
898577-2 3-Major BT898577 Executing a command in "mgmt tm" using iControl REST results in tmsh error
898389-1 3-Major BT898389 Traffic is not classified when adding port-list to virtual server from GUI
895845-5 3-Major BT895845 Implement automatic conflict resolution for gossip-conflicts in REST
892445-2 3-Major BT892445 BWC policy names are limited to 128 characters
891221-2 3-Major BT891221 Router bgp neighbor password CLI help string is not helpful
888081-4 3-Major BT888081 BIG-IP VE Migration feature fails for 1NIC
886649-2 3-Major BT886649 Connections stall when dynamic BWC policy is changed via GUI and TMSH
884989-1 3-Major BT884989 IKE_SA's Not mirrored of on Standby device if it reboots
884729-2 3-Major BT884729 The vCMP CPU usage stats are incorrect
883149-1 3-Major BT883149 The fix for ID 439539 can cause mcpd to core.
882833-2 3-Major BT882833 SELinux issue cause zrd down
882709-4 3-Major BT882709 Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors
882609-1 3-Major BT882609 ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
880689-2 3-Major BT880689 Update oprofile tools for compatibility with current architecture
880473-1 3-Major BT880473 Under certain conditions, the virtio driver may core during shutdown
880013-1 3-Major BT880013 Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration
880009-1 3-Major BT880009 Tcpdump does not export the TLS1.3 early secret
879969-5 3-Major BT879969 FQDN node resolution fails if DNS response latency >5 seconds
879001-1 3-Major BT879001 LDAP data is not updated consistently which might affect authentication.
876809-3 3-Major BT876809 GUI cannot delete a cert with a name that starts with * and ends with .crt
872165-2 3-Major BT872165 LDAP remote authentication for REST API calls may fail during authorization
871705-6 3-Major BT871705 Restarting bigstart shuts down the system
867549-3 3-Major BT867549 LCD touch panel reports "Firmware update in progress" indefinitely
867253-3 3-Major BT867253 Systemd not deleting user journals
867249-1 3-Major BT867249 New SNMP authentication type and privacy protocol algorithms not available in UI
867177-3 3-Major BT867177 Outbound TFTP and Active FTP no longer work by default over the management port
864321-3 3-Major BT864321 Default Apache testing page is reachable at <mgmt-ip>/noindex
862693-6 3-Major BT862693 PAM_RHOST not set when authenticating BIG-IP using iControl REST
862525-1 3-Major   GUI Browser Cache Timeout option is not available via tmsh
860245-1 3-Major BT860245 SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x
860181-1 3-Major BT860181 After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error
853617-1 3-Major BT853617 Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
853161-4 3-Major BT853161 Restjavad has different behavior for error responses if the body is over 2k
852565-5 3-Major BT852565 On Device Management::Overview GUI page, device order changes
852265-1 3-Major BT852265 Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width
851837-2 3-Major BT851837 Mcpd fails to start for single NIC VE devices configured in a trust domain
851785-3 3-Major BT851785 BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
851021-1 3-Major BT851021 Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
850997-1 3-Major BT850997 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
850357-1 3-Major BT850357 LDAP - tmsh cannot add config to nslcd.conf
846141-1 3-Major BT846141 Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.
844925-3 3-Major BT844925 Command 'tmsh save /sys config' fails to save the configuration and hangs
843661-1 3-Major BT843661 TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
841721-2 3-Major BT841721 BWC::policy detach appears to run, but BWC control is still enabled
838337-1 3-Major BT838337 The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
837481-7 3-Major BT837481 SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID
827293-3 3-Major BT827293 TMM may crash running remote tcpdump
827209-4 3-Major BT827209 HSB transmit lockup on i4600
827021-7 3-Major BT827021 MCP update message may be lost when primary blade changes in chassis
826313-6 3-Major BT826313 Error: Media type is incompatible with other trunk members
824809-6 3-Major BT824809 bcm56xxd watchdog restart
819457-1 3-Major BT819457 LTM high availability (HA) sync should not sync GTM zone configuration
819261-4 3-Major BT819261 Log HSB registers when parts of the device becomes unresponsive
818505-1 3-Major BT818505 Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
817089-3 3-Major   Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
814353-6 3-Major BT814353 Pool member silently changed to user-disabled from monitor-disabled
814273-1 3-Major BT814273 Multicast route entries are not populating to tmm after failover
810613-5 3-Major BT810613 GUI Login History hides informative message about max number of lines exceeded
807945-3 3-Major BT807945 Loading UCS file for the first time not updating MCP DB
807837-2 3-Major BT807837 Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.
806881-6 3-Major BT806881 Loading the configuration may not set the virtual server enabled status correctly
804529-2 3-Major BT804529 REST API to /mgmt/tm/ltm/pool/members/stats will fail for some pools
803457-3 3-Major BT803457 SNMP custom stats cannot access iStats
803157-3 3-Major BT803157 LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
798885-4 3-Major BT798885 SNMP response times may be long when processing requests
796985-3 3-Major BT796985 Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'
791365-3 3-Major BT791365 Bad encryption password error on UCS save
791061-5 3-Major BT791061 Config load in /Common removes routing protocols from other partitions
788645-5 3-Major BT788645 BGP does not function on static interfaces with vlan names longer than 16 characters.
786633-2 3-Major BT786633 Debug-level messages are being logged even when the system is not set up for debug logging
781733-5 3-Major BT781733 SNMPv3 user name configuration allows illegal names to be entered
780745-3 3-Major BT780745 TMSH allows creation of duplicate community strings for SNMP v1/v2 access
778513-1 3-Major BT778513 APM intermittently drops log messages for per-request policies
778041-3 3-Major BT778041 tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
776489-5 3-Major BT776489 Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
775845-1 3-Major BT775845 Httpd fails to start after restarting the service using the iControl REST API
775797-3 3-Major BT775797 Previously deleted user account might get authenticated
773577-5 3-Major BT773577 SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
773173-2 3-Major BT773173 LTM Policy GUI is not working properly
771137-1 3-Major BT771137 vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest
767305-5 3-Major BT767305 If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
764969-2 3-Major BT764969 ILX no longer supports symlinks in workspaces as of v14.1.0
762097-3 3-Major BT762097 No swap memory available after upgrading to v14.1.0 and above
760982-1 3-Major BT760982 An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
760932-1 3-Major BT760932 Part of audit log messages are also in other logs when strings are long
760354-4 3-Major BT760354 Continual mcpd process restarts after removing big logs when /var/log is full
759737-3 3-Major BT759737 Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests
759258-5 3-Major BT759258 Instances shows incorrect pools if the same members are used in other pools
757787-3 3-Major BT757787 Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
755976-4 3-Major BT755976 ZebOS might miss kernel routes after mcpd deamon restart
751409-7 3-Major BT751409 MCP Validation does not detect when virtual servers differ only by overlapping VLANs
749757-1 3-Major BT749757 -s option in qkview help does not indicate maximum size
746758-1 3-Major BT746758 Qkview produces core file if interrupted while exiting
744924-2 3-Major BT744924 Bladed unit goes offline after UCS install
741702-2 3-Major BT741702 TMM crash
739820-7 3-Major BT739820 Validation does not reject IPv6 address for TACACS auth configuration
739118-5 3-Major BT739118 Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
737739-2 3-Major BT737739 Bash shell still accessible for admin even if disabled
730852-1 3-Major BT730852 The tmrouted repeatedly crashes and produces core when new peer device is added
725646-2 3-Major BT725646 The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
724653-3 3-Major BT724653 In a device group, a non-empty partition can be deleted by a peer device during a config sync
720610-3 3-Major BT720610 Updatecheck logs bogus 'Update Server unavailable' on every run
718291-3 3-Major BT718291 iHealth upload error does not clear
714216-4 3-Major BT714216 Folder in a partition may result in load sys config error
711747-3 3-Major BT711747 Vcmp_pde_state_memcpy core during http traffic and pfmand resets
708991-3 3-Major BT708991 Newly entered password is not remembered
703226-2 3-Major BT703226 Failure when using transactions to create and publish policies
691219-2 3-Major BT691219 Hardware syncookie mode is used when global auto last hop is disabled.
690928-3 3-Major BT690928 System posts error message: 01010054:3: tmrouted connection closed
688231-3 3-Major BT688231 Unable to set VET, AZOT, and AZOST timezones
673952-5 3-Major BT673952 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot
662301-2 3-Major BT662301 'Unlicensed objects' error message appears despite there being no unlicensed config
658850-3 3-Major BT658850 Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
654635-1 3-Major K34003145, BT654635 FTP virtual server connections may rapidly reuse ephemeral ports
639606-1 3-Major BT639606 If mcpd fails to load DNSSEC keys then signing does not happen and no error logged
627760-7 3-Major BT627760 Gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
615329-1 3-Major BT615329 Special Virtual IP configuration required for IPv6 connectivity on some Virtual Edition interfaces
605966-5 3-Major BT605966 BGP route-map changes may not immediately trigger route updates
587821-10 3-Major BT587821 vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
554506-1 3-Major K47835034, BT554506 PMTU discovery from management does not work
538283-2 3-Major BT538283 iControl REST asynchronous tasks may block other tasks from running
528314-3 3-Major K16816, BT528314 Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh
499348-11 3-Major BT499348 System statistics may fail to update, or report negative deltas due to delayed stats merging
469724-3 3-Major BT469724 When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
398683-4 3-Major K12304 Use of a # in a TACACS secret causes remote auth to fail
385013-2 3-Major   Certain user roles do not trigger a sync for a 'modify auth password' command
1067797-2 3-Major BT1067797 Trunked interfaces that share a MAC address may be assigned in the incorrect order
1066285-3 3-Major BT1066285 Master Key decrypt failure - decrypt failure
1064893-2 3-Major BT1064893 Keymgmtd memory leak occurrs while configuring ca-bundle-manager
1064461-3 3-Major BT1064461 PIM-SM will not complete RP registration over tunnel interface when floating IP address is used
1064257-1 3-Major BT1064257 Bundled SSL certificates may not get revalidated successfully over OCSP after stapling parameters have been modified
1063473-1 3-Major BT1063473 During establishing a HA connection, the number of npus in DAG context may be overwritten incorrectly
1063237-3 3-Major BT1063237 Stats are incorrect when the management interface is not eth0
1062953-2 3-Major BT1062953 Unable to save configuration via tmsh or the GUI.
1062901-2 3-Major BT1062901 The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.
1062857-2 3-Major BT1062857 Non TMM source logs stop populating after a system time change.
1061905-2 3-Major BT1061905 Adding peer unit into device trust changes the failover address family
1060181 3-Major BT1060181 SSL handshakes fail when using CRL certificate validator.
1060149-1 3-Major BT1060149 BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host.
1058789-3 3-Major BT1058789 Virtual addresses are not created from an address list that includes an IP address range.
1058765-3 3-Major BT1058765 Virtual Addresses created from an address list with prefix all say Offline (enabled)
1057709-3 3-Major BT1057709 Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2
1057501-3 3-Major BT1057501 Expired DST Root CA X3 resulting in http agent request failing
1057305-2 3-Major BT1057305 "-c" may be logged as the TMM process/thread name on deployments that use DPDK
1056993-1 3-Major   404 error is raised on GUI when clicking "App IQ."
1056741 3-Major BT1056741 ECDSA certificates signed by RSA CA are not selected based by SNI
1050457-2 3-Major BT1050457 The "Permitted Versions" field of "tmsh show sys license" only shows on first boot
1048541-2 3-Major BT1048541 Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful.
1047169-2 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.
1046669-2 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses
1046261-2 3-Major BT1046261 Asynchronous REST task IDs do not persist across process restarts
1045277-2 3-Major BT1045277 The /var partition may become 100% full requiring manual intervention to clear space
1044577-1 3-Major BT1044577 TMM crash on BIG-IP Virtual Edition using DPDK and xnet drivers
1044281-2 3-Major BT1044281 In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled
1044089-1 3-Major BT1044089 ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI
1044021-1 3-Major BT1044021 Searching for IPv4 strings in statistics module does not work.
1043141-2 3-Major BT1043141 Misleading 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP
1042737-3 3-Major BT1042737 BGP sending malformed update missing Tot-attr-len of '0.
1042589-2 3-Major BT1042589 Wrong trunk_id is associated in bcm56xxd.
1042009-2 3-Major BT1042009 Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes
1041317-2 3-Major BT1041317 MCPD delay in processing a query_all message if the update_status bit is set
1040573-2 3-Major BT1040573 REST operation takes a long time when two different users perform tasks in parallel
1040117-1 3-Major BT1040117 BIG-IP Virtual Edition drops UDP packets
1036613-1 3-Major BT1036613 Client flow might not get offloaded to PVA in embryonic state
1036557-3 3-Major BT1036557 Monitor information not seen in GUI
1036541-3 3-Major BT1036541 Inherited-traffic-group setting of floating IP does not sync on incremental sync
1036461-3 3-Major BT1036461 icrd_child may core with high numbers of open file descriptors
1036097-3 3-Major BT1036097 VLAN failsafe does not trigger on guest
1036009-2 3-Major   Fix DPDK RSS configuration settings
1035661-2 3-Major BT1035661 REST Requests return 401 Unauthorized when using Basic Auth
1033689-2 3-Major BT1033689 BGP route map community value cannot be set to the required range when using AA::NN notation
1033333-3 3-Major BT1033333 FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device
1032821-5 3-Major BT1032821 Syslog: invalid level/facility from /usr/libexec/smart_parse.pl
1032257-2 3-Major BT1032257 Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
1031413 3-Major BT1031413 "tmsh load sys config default" does not reset the configs to default in VELOS tenant after reboot
1031117-2 3-Major BT1031117 The mcpd error for virtual server profiles incompatible needs to have more details
1031025-2 3-Major BT1031025 Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.
1028969-2 3-Major BT1028969 An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working
1027601 3-Major BT1027601 AFM IP Error Checksum and Bad TCP Checksum vectors not supported
1027481-2 3-Major BT1027481 'error: /bin/haloptns unexpected error -- 768' log messages generated on A110 and D112 platforms
1027477-2 3-Major BT1027477 Virtual server created with address-list in custom partition non-RD0 does not create listener
1027237-3 3-Major BT1027237 Cannot edit virtual server in GUI after loading config with traffic-matching-criteria
1026989-2 3-Major BT1026989 More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet.
1026973-2 3-Major BT1026973 Static routes created for application traffic processing can erroneously replace the route to the management subnet.
1026861-2 3-Major BT1026861 Live Update of Browser Challenges and Anti-Fraud are not cleaned up
1026581-1 3-Major BT1026581 NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly.
1026273-1 3-Major BT1026273 HA failover connectivity using the cluster management address does not work on VIPRION platforms
1025513-2 3-Major BT1025513 PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog
1025261-2 3-Major BT1025261 When restjavad.useextramb is set, java immediately uses more resident memory in linux
1024661-2 3-Major BT1024661 SCTP forwarding flows based on VTAG for bigproto
1022997-3 3-Major BT1022997 TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
1022757-3 3-Major BT1022757 Tmm core due to corrupt list of ike-sa instances for a connection
1021925-3 3-Major BT1021925 During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface
1021873-2 3-Major BT1021873 TMM crash in IPIP tunnel creation with a pool route
1021109-3 3-Major BT1021109 The cmp-hash VLAN setting does not apply to trunked interfaces.
1020789-3 3-Major BT1020789 Cannot deploy a four-core vCMP guest if the remaining cores are in use
1020377-2 3-Major BT1020377 Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon
1020277-2 3-Major BT1020277 Mcpd may run out of memory when build image is missing
1020129-1 3-Major BT1020129 Turboflex page in GUI reports 'profile.Features is undefined' error
1020089-2 3-Major BT1020089 MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks
1019829-1 3-Major BT1019829 Configsync.copyonswitch variable is not functioning on reboot
1019749-1 3-Major BT1019749 Enabling DHCP for management should not be allowed on vCMP guest
1019709-2 3-Major BT1019709 Modifying mgmt-dhcp options should not be allowed on VCMP guest
1019357-1 3-Major   Active fails to resend ipsec ikev2_message_id_sync if no response received
1019285-3 3-Major BT1019285 Systemd hangs and is unresponsive
1019129-3 3-Major BT1019129 Changing syslog remote port requires syslog-ng restart to take effect
1019085-1 3-Major BT1019085 Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.
1018673-2 3-Major BT1018673 Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop
1018165-2 3-Major BT1018165 GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain
1017897-2 3-Major BT1017897 Self IP address creation fails with 'ioctl failed: No such device'
1017857-3 3-Major BT1017857 Restore of UCS leads to incorrect UID on authorized_keys
1016433 3-Major BT1016433 URI rewriting is incorrect for "data:" and "javascript:"
1015645-1 3-Major BT1015645 IPSec SA's missing after reboot
1015453-3 3-Major BT1015453 Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI
1014285-3 3-Major BT1014285 Set auto-failback-enabled moved to false after upgrade
1012601-2 3-Major BT1012601 Alarm LED and LCD alert cleared prematurely on startup for missing PSU input
1012449-3 3-Major BT1012449 Unable to edit custom inband monitor in the GUI
1012049-3 3-Major BT1012049 Incorrect virtual server list returned in response to status request
1011265-1 3-Major BT1011265 Failover script cannot read /config/partitions/ after upgrade
1010341-2 3-Major BT1010341 Slower REST calls after update for CVE-2021-22986
1009793-1 3-Major BT1009793 Tmm crash when using ipsec
1008269-3 3-Major BT1008269 Error: out of stack space
1007909-3 3-Major BT1007909 Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs
1004469-2 3-Major BT1004469 SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string
1002417-1 3-Major BT1002417 Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk
1001129-3 3-Major   Maximum Login Failures lockout for root and admin
1001069-3 3-Major BT1001069 VE CPU higher after upgrade, given same throughput
1000325-2 3-Major BT1000325 UCS load with 'reset-trust' may not work properly if base configuration fails to load
992241-1 4-Minor BT992241 Unable to change initial admin password from GUI after root password change
983021-2 4-Minor BT983021 Tmsh does not correctly handle the app-service for data-group records
976517-1 4-Minor BT976517 Tmsh run sys failover standby with a device specified but no traffic group fails
976337-1 4-Minor BT976337 i40evf Requested 4 queues, but PF only gave us 16.
964533-3 4-Minor BT964533 Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
962605-4 4-Minor   BIG-IP may go offline after installing ASU file with insufficient disk space
957461-2 4-Minor BT957461 Creating virtual server with IPv6 address or port list in destination should display source address in IPv6 format
955593-2 4-Minor BT955593 "none" missing from the error string when snmp trap is configured with an invalid network type
955057-2 4-Minor BT955057 UCS archives containing a large number of DNS zone files may fail to restore.
944485-5 4-Minor BT944485 License activation through proxy server uses IP address in proxy CONNECT, not nameserver
943597-2 4-Minor BT943597 'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart
939757-4 4-Minor BT939757 Deleting a virtual server might not trigger route injection update.
939517-4 4-Minor BT939517 DB variable scheduler.minsleepduration.ltm changes to default value after reboot
929813-2 4-Minor BT929813 "Error loading object from cursor" while updating a client SSL profile
929173-2 4-Minor BT929173 Watchdog reset due to CPU stall detected by rcu_sched
928665-2 4-Minor BT928665 Kernel nf_conntrack table might get full with large configurations.
927441-3 4-Minor BT927441 Guest user not able to see virtual server details when ASM policy attached
921001-4 4-Minor BT921001 After provisioning change, pfmand might keep interfaces down on particular platforms
919861-1 4-Minor BT919861 Tunnel Static Forwarding Table does not show entries per page
918013-1 4-Minor BT918013 Log message with large wchan value
915473-1 4-Minor BT915473 Accessing Dashboard page with AVR provisioned causes continuous audit logs
915141-2 4-Minor BT915141 Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
911713-3 4-Minor BT911713 Delay in Network Convergence with RSTP enabled
910645-1 4-Minor BT910645 Upgrade error 'Parsing default XML files. Failed to parse xml file'
908453-3 4-Minor BT908453 Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
906449-2 4-Minor BT906449 Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
905881 4-Minor BT905881 MTU assignment to non-existent interface
904661-3 4-Minor BT904661 Mellanox NIC speeds may be reported incorrectly on Virtual Edition
901985-6 4-Minor BT901985 Extend logging for incomplete HTTP requests
899097-2 4-Minor BT899097 Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking
896693-4 4-Minor BT896693 Patch installation is failing for iControl REST endpoint.
896689-4 4-Minor BT896689 Asynchronous tasks can be managed via unintended endpoints
893813-3 4-Minor BT893813 Modifying pool enables address and port translation in TMUI
893093-2 4-Minor BT893093 An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
889813-2 4-Minor BT889813 Show net bwc policy prints bytes-per-second instead of bits-per-second
884953-3 4-Minor BT884953 IKEv1 IPsec daemon racoon goes into an endless restart loop
878469-2 4-Minor BT878469 System uptime in bgpBackwardTransNotification is incorrect
869237-5 4-Minor   Management interface might become unreachable when alternating between DHCP/static address assignment.
860573-3 4-Minor BT860573 LTM iRule validation performance improvement by tracking procedure/event that have been validated
857045-1 4-Minor BT857045 LDAP system authentication may stop working
848681-7 4-Minor BT848681 Disabling the LCD on a VIPRION causes blade status lights to turn amber
846521-7 4-Minor BT846521 Config script does not refresh management address entry properly when alternating between dynamic and static
843293-3 4-Minor BT843293 When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga.
838925-7 4-Minor BT838925 Rewrite URI translation profile can cause connection reset while processing malformed CSS content
832665-1 4-Minor BT832665 The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
828625-3 4-Minor BT828625 User shouldn't be able to configure two identical traffic selectors
826189-3 4-Minor BT826189 The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
824205-3 4-Minor BT824205 GUI displays error when a virtual server is modified if it is using an address-list
822253-1 4-Minor BT822253 After starting up, mcpd may have defunct child "run" and "xargs" processes
819429-5 4-Minor BT819429 Unable to scp to device after upgrade: path not allowed
818737-3 4-Minor BT818737 Improve error message if user did not select a address-list or port list in the GUI
818297-3 4-Minor BT818297 OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
817989-1 4-Minor BT817989 Cannot change managemnet IP from GUI
816353-3 4-Minor BT816353 Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
809089-1 4-Minor BT809089 TMM crash after sessiondb ref_cnt overflow
808481-5 4-Minor BT808481 Hertfordshire county missing from GTM Region list
807309-3 4-Minor BT807309 Incorrect Active/Standby status in CLI Prompt after failover test
805325-6 4-Minor BT805325 tmsh help text contains a reference to bigpipe, which is no longer supported
795429-5 4-Minor BT795429 Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
766321-2 4-Minor BT766321 boot slots created on pre-14.x systems lack ACLs
759852-4 4-Minor BT759852 SNMP configuration for trap destinations can cause a warning in the log
759606-3 4-Minor BT759606 REST error message is logged every five minutes on vCMP Guest
759590-6 4-Minor BT759590 Creation of RADIUS authentication fails with service types other than 'authenticate only'
758105-6 4-Minor BT758105 Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml
757167-3 4-Minor BT757167 TMM logs 'MSIX is not supported' error on vCMP guests
756714-1 4-Minor BT756714 UIDs on /home directory are scrambled after upgrade
753712-1 4-Minor BT753712 Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
742753-5 4-Minor BT742753 Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742105-3 4-Minor BT742105 Displaying network map with virtual servers is slow
713183-4 4-Minor BT713183 Malformed JSON files may be present on vCMP host
712241-3 4-Minor BT712241 A vCMP guest may not provide guest health stats to the vCMP host
696363-4 4-Minor BT696363 Unable to create SNMP trap in the GUI
694765-6 4-Minor BT694765 Changing the system's admin user causes vCMP host guest health info to be unavailable
689147-3 4-Minor BT689147 Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
675772-2 4-Minor BT675772 IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy
674026-4 4-Minor BT674026 iSeries AOM web UI update fails to complete.
673573-1 4-Minor BT673573 tmsh logs boost assertion when running child process and reaches idle-timeout
659579-4 4-Minor BT659579 Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time
658943-3 4-Minor BT658943 Errors when platform-migrate loading UCS using trunks on vCMP guest
646768-1 4-Minor K71255118, BT646768 VCMP Guest CM device name not set to hostname when deployed
631083-5 4-Minor BT631083 Some files in home directory are overwritten on password change
603693-2 4-Minor K52239932, BT603693 Brace matching in switch statement of iRules can fail if literal strings use braces
550526-5 4-Minor K84370515, BT550526 Some time zones prevent configuring trust with a peer device using the GUI.
472645-2 4-Minor BT472645 Memory issues when there is a lot of data in /var/annotate (annotations for dashboard)
1067617-3 4-Minor BT1067617 BGP default route not advertised after mid-session OPEN.
1067105-1 4-Minor   Racoon logging shows incorrect SA length
1065821-3 4-Minor BT1065821 Cannot create an iRule with a newline between event and opening brace
1064753-3 4-Minor BT1064753 OSPF LSAs are dropped/rate limited incorrectly.
1062385-3 4-Minor BT1062385 BIG-IP has an incorrect limit on the number of monitored HA-group entries.
1060769-2 4-Minor BT1060769 The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries.
1060721-1 4-Minor BT1060721 Unable to disable auto renew in Certificate order manager via GUI
1059441-2 4-Minor BT1059441 Upgrading with a configuration that contains objects with properties that override the TCP profile can result in incorrect property values being used.
1058677-1 4-Minor BT1058677 Not all SCTP connections are mirrored on the standby device when auto-init is enabled
1057925-3 4-Minor BT1057925 GTP iRule generates a warning.
1055053-3 4-Minor BT1055053 "tmsh load sys config default" does not clear Zebos config files.
1054497-2 4-Minor BT1054497 Tmsh command "show sys fpga" does not report firmware for all blades.
1053037-5 4-Minor BT1053037 MCP error on loading a UCS archive with a global flow eviction policy
1050413-3 4-Minor BT1050413 Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml
1046693-3 4-Minor BT1046693 TMM with BFD confgured might crash under significant memory pressure
1045717 4-Minor   IPSEC: IKEV1: Algorithms changing from one to another for authentication or encryption tunnel is not establishing
1045549-3 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart
1044893-3 4-Minor BT1044893 Kernel warnings from NIC driver Realtek 8139
1041765-1 4-Minor BT1041765 Racoon may crash in rare cases
1040821-3 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes
1036265-3 4-Minor BT1036265 Overlapping summary routes might not be advertised after ospf process restart.
1035017-2 4-Minor   Remove unused CA-bundles
1034589-2 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration.
1034509-4 4-Minor BT1034509 Sensor read errors on VIPRION C2200 chassis
1033969-3 4-Minor BT1033969 MPLS label stripping needs next protocol indicator
1032921-3 4-Minor BT1032921 VCMP Guest CPU usage shows abnormal values at the Host
1031425-2 4-Minor BT1031425 Provide a configuration flag to disable BGP peer-id check.
1030645-3 4-Minor BT1030645 BGP session resets during traffic-group failover
1029173-3 4-Minor BT1029173 MCP daemon does not log an error message upon connection failure to PostgreSQL server.
1025965-3 4-Minor BT1025965 Audit role users cannot see folder properties under sys-folder
1024621-3 4-Minor BT1024621 Re-establishing BFD session might take longer than expected.
1024301-2 4-Minor BT1024301 Missing required logs for "tmsh modify disk directory" command
1023817-1 4-Minor BT1023817 Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning
1022417-2 4-Minor BT1022417 Ike stops with error ikev2_send_request: [WINDOW] full window
1022297-3 4-Minor BT1022297 In BIG-IP GUI using "Select All" with filters is not working appropriately for policies
1020109-2 4-Minor BT1020109 Subnet mask property of virtual addresses not displayed in management GUI
1011217-3 4-Minor BT1011217 TurboFlex Profile setting reverts to turboflex-base after upgrade
1011081-2 4-Minor BT1011081 Connection lost to the Postgres client during the BIG-IP bootup process
1010785-1 4-Minor BT1010785 Online help is missing for CRL in client SSL profile and server SSL profile
1010761-1 4-Minor BT1010761 Missing TMSH help description for client-ssl profile 'CRL'
1006449-2 4-Minor BT1006449 The default size of the subagent object cache possibly leading to slow snmp response time
1003469-2 4-Minor BT1003469 The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error.
1003081-2 4-Minor BT1003081 GRE/TB-encapsulated fragments are not forwarded.
1002809-1 4-Minor BT1002809 OSPF vertex-threshold should be at least 100
989937-1 5-Cosmetic BT989937 Device Trust Certificates Expiring after 2038-01-19 show date of 1969
965457-4 5-Cosmetic BT965457 OSPF duplicate router detection might report false positives
964421-2 5-Cosmetic BT964421 Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'
905893 5-Cosmetic BT905893 Modification of SmartNIC MTU not supported
832661 5-Cosmetic BT832661 Default provisioning for all instances is LTM nominal
818777-2 5-Cosmetic BT818777 MCPD error - Trouble allocating MAC address for VLAN object
353607-1 5-Cosmetic   cli global-settings { service number } appears to have no effect
1062053-1 5-Cosmetic BT1062053 Creating subfolder of a partition results in error but creates folder anyway
1022421-3 5-Cosmetic BT1022421 Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk


Local Traffic Manager Issues

ID Number Severity Links to More Info Description
999669-2 2-Critical BT999669 Some HTTPS monitors are failing after upgrade when config has different SSL option
967249-2 2-Critical BT967249 TMM may leak memory early during its startup process, and may continue to do so indefinitely.
949137-3 2-Critical BT949137 Clusterd crash and vCMP guest failover
946481-1 2-Critical BT946481 Virtual Edition FIPS not compatible with TLS 1.3
944381-1 2-Critical BT944381 Dynamic CRL checking for client certificate is not working when TLS1.3 is used.
938545-3 2-Critical BT938545 Oversize plugin Tcl object results can result in 0-length messages and plugin crash
937777-2 2-Critical BT937777 The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.
937649-3 2-Critical BT937649 Flow fwd broken with statemirror.verify enabled and source-port preserve strict
935193-1 2-Critical BT935193 With APM and AFM provisioned, single logout ( SLO ) fails
927633-2 2-Critical BT927633 Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
926985-2 2-Critical BT926985 HTTP/3 aborts stream on incomplete frame headers
914309-3 2-Critical BT914309 TMM crash seen with FTP and Classification profiles
910213-2 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status
886045-2 2-Critical BT886045 Multi-NIC instances fail to come up when trying to use memory-mapped virtio device
881401-1 2-Critical BT881401 TMM crash at Tcl_AfterCancelByUF() while deleting connections
864897-2 2-Critical BT864897 TMM may crash when using "SSL::extensions insert"
851385-1 2-Critical BT851385 Failover takes too long when traffic blade failure occurs
835505-1 2-Critical BT835505 Tmsh crash potentially related to NGFIPS SDK
824437-7 2-Critical BT824437 Chaining a standard virtual server and an ipother virtual server together can crash TMM.
797573-3 2-Critical BT797573 TMM assert crash with resulting in core generation in multi-blade chassis
763145-2 2-Critical BT763145 TMM Crash when using certain HTTP iRules with HTTP Security Profile
758491-3 2-Critical BT758491 When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
743950-5 2-Critical BT743950 TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
632553-5 2-Critical K14947100, BT632553 DHCP: OFFER packets from server are intermittently dropped
625807-3 2-Critical BT625807 Tmm cores in bigproto_cookie_buffer_to_server
474797-8 2-Critical BT474797 Nitrox crypto hardware may attempt soft reset while currently resetting
1067669-2 2-Critical BT1067669 Following an upgrade, TCP/UDP virtual servers drop incoming traffic
1067397 2-Critical BT1067397 TMM cored after response, due to receipt of GOAWAY frame from server post TCP FIN
1064617-2 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely
1063653-1 2-Critical BT1063653 TMM Crash while processing traffic on virtual server
1053305-1 2-Critical BT1053305 TMM crashes with assertion "vmem_hashlist_remove not found."
1048097 2-Critical BT1048097 Under certain conditions, using the HTTP::retry iRule command causes TMM to crash.
1047581-2 2-Critical BT1047581 Ramcache can crash when serving files from the hot cache
1041225-3 2-Critical BT1041225 Missing SHA-384 cipher suites in outgoing LDAP TLS ClientHello
1030185-3 2-Critical BT1030185 TMM may crash when looking up a persistence record using "persist lookup" iRule commands
1024241-2 2-Critical BT1024241 NULL TLS records from client to BIG-IP results in SSL session termination
1009161-1 2-Critical BT1009161 SSL mirroring protect for null sessions
999881-4 3-Major BT999881 Tcl command 'string first' not working if payload contains Unicode characters.
998253-2 3-Major BT998253 SNI configuration is not sent via HTTPS when in-tmm monitors are disabled
996649-4 3-Major BT996649 Improper handling of DHCP flows leading to orphaned server-side connections
995201-4 3-Major BT995201 IP fragments for the same flow are dropped if they are received on different VLANs and route domains.
994081-2 3-Major BT994081 Traffic may be dropped with an Immediate idle timeout setting.
993517-3 3-Major BT993517 Loading an upgraded config can result in a file object error in some cases
991501-3 3-Major BT991501 Pool members with HTTPS monitor may be incorrectly marked down.
991265-2 3-Major BT991265 Persistence entries point to the wrong servers for longer periods of time
987077-1 3-Major BT987077 TLS1.3 with client authentication handshake failure
985925-1 3-Major BT985925 Ipv6 Routing Header processing not compatible as per Segments Left value.
985749-3 3-Major BT985749 TCP exponential backoff algorithm does not comply with RFC 6298
985401-3 3-Major BT985401 ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached
984897-3 3-Major BT984897 Some connections performing SSL mirroring are not handled correctly by the Standby unit.
980617-3 3-Major BT980617 SNAT iRule is not working with HTTP/2 and HTTP Router profiles
978953-2 3-Major BT978953 The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up
977153-1 3-Major BT977153 Packet with routing header IPv6 as next header in IP layer fails to be forwarded
976525-3 3-Major BT976525 Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
976101-2 3-Major BT976101 TMM crash after deleting an interface from a virtual wire vlan
975725-3 3-Major BT975725 Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast
975657 3-Major BT975657 With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond
971217-2 3-Major BT971217 AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.
968949-5 3-Major BT968949 Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile
967425-2 3-Major   mcp error: 0x1020036 at ../mcp/db_pool.c:461
967353-3 3-Major BT967353 HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
967101-2 3-Major BT967101 when all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.
963393-1 3-Major BT963393 Key handle 0 is treated as invalid for NetHSM devices
962913-4 3-Major BT962913 The number of native open connections in the SSL profile is higher than expected
961653-2 3-Major BT961653 Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate
961001-2 3-Major BT961001 Arp requests not resolved for snatpool members when primary blade goes offline
958785-5 3-Major BT958785 FTP data transfer does not complete after QUIT signal
956109-2 3-Major BT956109 Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target
955617-2 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool
953601-3 3-Major BT953601 HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions
950005-2 3-Major BT950005 TCP connection is not closed when necessary after HTTP::respond iRule
948065-3 3-Major BT948065 DNS Responses egress with an incorrect source IP address.
947125-2 3-Major BT947125 Unable to delete monitors after certain operations
945601-4 3-Major BT945601 An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.
945189-2 3-Major BT945189 HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA
944173-2 3-Major BT944173 SSL monitor stuck does not change TLS version
942217-3 3-Major BT942217 Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
939209-1 3-Major BT939209 FIPS 140-2 SP800-56Arev3 compliance
939085-2 3-Major BT939085 /config/ssl/ssl.csr directory disappears after creating certificate archive
938309-2 3-Major BT938309 In-TMM Monitors time out unexpectedly
937769-2 3-Major BT937769 SSL connection mirroring failure on standy with sslv2 records
937573-3 3-Major BT937573 Connections drop in virtual server with Immediate Action On Service Down set to Drop
936441-2 3-Major BT936441 Nitrox5 SDK driver logging messages
935793-2 3-Major BT935793 With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)
934697-3 3-Major BT934697 Route domain not reachable (strict mode)
932857-2 3-Major BT932857 Delays marking Nodes or Pool Members DOWN with in-TMM monitoring
932461-3 3-Major BT932461 Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.
928445-4 3-Major BT928445 HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
927713-1 3-Major BT927713 Secondary blade IPsec SAs lost after standby reboot using clsh reboot
927589-3 3-Major BT927589 ILX::call command response get truncated
927569-2 3-Major BT927569 HTTP/3 rejects subsequent partial SETTINGS frames
926757-2 3-Major BT926757 ICMP traffic to a disabled virtual-address might be handled by a virtual-server.
926513-2 3-Major BT926513 HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.
922641-4 3-Major BT922641 Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow
922413-2 3-Major BT922413 Excessive memory consumption with ntlmconnpool configured
921541-3 3-Major BT921541 When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
920789-2 3-Major BT920789 UDP commands in iRules executed during FLOW_INIT event fail
920285 3-Major BT920285 WS::disconnect may result in TMM crash under certain conditions
920205-4 3-Major BT920205 Rate shaping might suppress TCP RST
918277-2 3-Major BT918277 Slow Ramp does not take into account pool members' ratio weights
914061-2 3-Major BT914061 BIG-IP may reject a POST request if it comes first and exceeds the initial window size
913385-1 3-Major BT913385 TMM generates core while deleting iFiles
912517-2 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
912293-3 3-Major BT912293 Persistence might not work properly on virtual servers that utilize address lists
910905-1 3-Major BT910905 Unexpected tmm core
910673-4 3-Major BT910673 Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
910273-2 3-Major BT910273 SSL Certificate version always displays as '1' in the GUI
910105-1 3-Major BT910105 Partial HTTP/2 payload may freeze on the BIG-IP system
909997-3 3-Major BT909997 Virtual server status displays as unavailable when it is accepting connections
909677-2 3-Major BT909677 HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted
907177-2 3-Major BT907177 Priority of embedded APM iRules is ignored
906653-3 3-Major BT906653 Server side UDP immediate idle-timeout drops datagrams
905477-2 3-Major BT905477 The sdmd daemon cores during config sync when multiple devices configured for iRules LX
904625-2 3-Major BT904625 Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync
902377-2 3-Major BT902377 HTML profile forces re-chunk even though HTML::disable
901569-1 3-Major BT901569 Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
898733-3 3-Major BT898733 SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
898685-4 3-Major BT898685 Order of ciphers changes after updating cipher group
897185-2 3-Major BT897185 Resolver cache not using random port distribution
896245-3 3-Major BT896245 Inconsistency is observed in ARP behavior across releases
895649-2 3-Major BT895649 Improve TCP analytics goodput reports
895205-2 3-Major BT895205 A circular reference in rewrite profiles causes MCP to crash
895165-2 3-Major BT895165 Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
892801-2 3-Major BT892801 When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
892485-2 3-Major BT892485 A wrong OCSP status cache may be looked up and re-used during SSL handshake.
892073-3 3-Major BT892073 TLS1.3 LTM policy rule based on SSL SNI is not triggered
891145-5 3-Major BT891145 TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
889245-3 3-Major BT889245 Ndal ixvf driver can lock up
888885-1 3-Major BT888885 BIG-IP Virtual Edition TMM restarts frequently without core
887045-1 3-Major BT887045 The session key does not get mirrored to standby.
885325-2 3-Major BT885325 Stats might be incorrect for iRules that get executed a large number of times
883133-2 3-Major BT883133 TLS_FALLBACK_SCSV with TLS1.3
883049-2 3-Major BT883049 Statsd can deadlock with rrdshim if an rrd file is invalid
882725-5 3-Major BT882725 Mirroring not working properly when default route vlan names not match.
881937-1 3-Major BT881937 TMM and Kernel choose different VLANs as Src IPs (IPv6).
881065-1 3-Major BT881065 Adding port-list to Virtual Server changes the route domain to 0
881041-3 3-Major BT881041 BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.
878253-1 3-Major BT878253 LB::down no longer sends an immediate monitor probe
876569-3 3-Major BT876569 QAT compression codec produces gzip stream with CRC error
876145-3 3-Major BT876145 Nitrox5 failure on vCMP guest results in all crypto requests failing.
874877-1 3-Major BT874877 Bigd monitor reports misleading error messages
874317-1 3-Major BT874317 Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN
873677-7 3-Major BT873677 LTM policy matching does not work as expected
872981-1 3-Major BT872981 MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction
872721-3 3-Major BT872721 SSL connection mirroring intermittent failure with TLS1.3
872685-1 3-Major BT872685 Some HTTP/3 streams terminate early
871045-1 3-Major BT871045 IP fragments are disaggregated to separate TMMs with hardware syncookies enabled
870349-1 3-Major BT870349 Continuous restart of ntlmconnpool after license reinstall
868033-1 3-Major BT868033 SSL option "passive-close" option is unused and should be removed
867985-4 3-Major BT867985 LTM policy with a 'shutdown' action incorrectly allows iRule execution
864649-4 3-Major BT864649 The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table
863165-3 3-Major BT863165 Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
862069-1 3-Major BT862069 Using non-standard HTTPS and SSH ports fails under certain conditions
862001-1 3-Major BT862001 Improperly configured NTP server can result in an undisciplined clock stanza
860277-4 3-Major BT860277 Default value of TCP Profile Proxy Buffer High Low changed in 14.1
852953-1 3-Major BT852953 Accept Client Hello spread over multiple QUIC packets
852325-1 3-Major BT852325 HTTP2 does not support Global SNAT
851353-1 3-Major BT851353 Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request
851121-2 3-Major BT851121 Database monitor DBDaemon debug logging not enabled consistently
851101-4 3-Major BT851101 Unable to establish active FTP connection with custom FTP filter
846977-1 3-Major BT846977 TCP:collect validation changed in 12.0.0: the first argument can no longer be zero
846873-4 3-Major BT846873 Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
843317-3 3-Major BT843317 The iRules LX workspace imported with incorrect SELinux contexts
842425-1 3-Major BT842425 Mirrored connections on standby are never removed in certain configurations
842137-3 3-Major BT842137 Keys cannot be created on module protected partitions when strict FIPS mode is set
841369-3 3-Major BT841369 HTTP monitor GUI displays incorrect green status information
841341-6 3-Major BT841341 IP forwarding virtual server does not pick up any traffic if destination address is shared.
840785-1 3-Major BT840785 Update documented examples for REST::send to use valid REST endpoints
838353-1 3-Major BT838353 MQTT monitor is not working in route domain.
832133-1 3-Major BT832133 In-TMM monitors fail to match certain binary data in the response from the server.
825245-4 3-Major BT825245 SSL::enable does not work for server side ssl
824433-3 3-Major BT824433 Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
823825-7 3-Major BT823825 Renaming high availability (HA) VLAN can disrupt state-mirror connection
818789-7 3-Major BT818789 Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
816953-1 3-Major BT816953 RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy
815405-6 3-Major BT815405 GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)
812693-3 3-Major BT812693 Connection in FIN_WAIT_2 state may fail to be removed
812497-3 3-Major BT812497 VE rate limit should not count packet that does not have a matched vlan or matched MAC address
808017-5 3-Major BT808017 When using a variable as the only parameter to the iRule persist command, the iRule validation fails
805561-3 3-Major BT805561 Change of pool configuration in OneConnect environment can impact active traffic
803109-3 3-Major BT803109 Certain configuration may result in zombie forwarding flows
795933-7 3-Major BT795933 A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
794505-5 3-Major BT794505 OSPFv3 IPv4 address family route-map filtering does not work
794385-3 3-Major BT794385 BGP sessions may be reset after CMP state change
793669-5 3-Major BT793669 FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
787973-1 3-Major BT787973 Potential memory leak when software crypto request is canceled.
785361-3 3-Major BT785361 In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
780857-2 3-Major BT780857 HA failover network disruption when cluster management IP is not in the list of unicast addresses
779137-5 3-Major BT779137 Using a source address list for a virtual server does not preserve the destination address prefix
778841-3 3-Major BT778841 Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother
778501-2 3-Major BT778501 LB_FAILED does not fire on failure of HTTP/2 server connection establishment
774817-1 3-Major BT774817 ICMP packets are intermittently forwarded out of both VLAN group members
767217-5 3-Major BT767217 Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-5 3-Major BT766593 RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
760406-1 3-Major BT760406 HA connection might stall on Active device when the SSL session cache becomes out-of-sync
757029-6 3-Major BT757029 Ephemeral pool members may not be created after config load or reboot
756313-6 3-Major BT756313 SSL monitor continues to mark pool member down after restoring services
755791-6 3-Major BT755791 UDP monitor not behaving properly on different ICMP reject codes.
755631-5 3-Major BT755631 UDP / DNS monitor marking node down
754604-4 3-Major BT754604 iRule : [string first] returns incorrect results when string2 contains null
753526-7 3-Major BT753526 IP::addr iRule command does not allow single digit mask
751451-2 3-Major BT751451 When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
748886-3 3-Major BT748886 Virtual server stops passing traffic after modification
724327-3 3-Major BT724327 Changes to a cipher rule do not immediately have an effect
723306-7 3-Major BT723306 Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
709952-4 3-Major BT709952 Disallow DHCP relay traffic to traverse between route domains
705387-3 3-Major BT705387 HTTP/2, ALPN and SSL
700639-2 3-Major BT700639 The default value for the syncookie threshold is not set to the correct value
672963-2 3-Major BT672963 MSSQL monitor fails against databases using non-native charset
582666-1 3-Major BT582666 TMM spams ltm log with "01010235:2: Inet port find called for pg 1 with invalid cmp state 0"
574762-2 3-Major   Forwarding flows leak when a routing update changes the egress vlan
512490-11 3-Major BT512490 Increased latency during connection setup when using FastL4 profile and connection mirroring.
369640-6 3-Major   iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name
315765-2 3-Major BT315765 The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled.
1067469-3 3-Major BT1067469 Discrepancy in virtual server stats with LRO enabled
1065429-2 3-Major BT1065429 LACP trunks flap continuously when used in virtual-wire configuration
1065353 3-Major BT1065353 Disabling ciphers does not work due to the order of cipher suite
1065013-3 3-Major BT1065013 Tmm crash with iRuleLX plugin in use
1064157-2 3-Major BT1064157 Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows
1063977-2 3-Major BT1063977 Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.
1063865-5 3-Major BT1063865 Blade remains in an INOPERATIVE state after being moved to new chassis.
1063453-2 3-Major BT1063453 FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets.
1060541-2 3-Major   Bigd has high CPU utilization when https pool members do not allow SSL/TLS session resumption
1060269 3-Major BT1060269 Safenet NetHSM client library leaking socket FDs.
1060021-2 3-Major   Using OneConnect profile with RESOLVER::lookup_name iRule might result in core
1059573-3 3-Major BT1059573 Variation in a case insensitive value of an operand in LTM policy may fail in some rules.
1058469-2 3-Major BT1058469 Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working.
1056941-1 3-Major BT1056941 HTTPS monitor continues using cached TLS version after receiving fatal alert.
1056401-3 3-Major BT1056401 Valid clients connecting under active syncookie mode might experience latency.
1053741-3 3-Major BT1053741 Bigd may exit and restart abnormally without logging a reason
1053149-2 3-Major BT1053149 A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received.
1052929-3 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized
1051153-3 3-Major BT1051153 DHCP fails intermittently when the connection is through BIG-IP.
1046717 3-Major BT1046717 Tmm crash when utilizing one-connect with inband monitors and ECMP or pool routes.
1043985-2 3-Major BT1043985 After editing an iRule, the execution order might change.
1043805-2 3-Major BT1043805 ICMP traffic over NAT does not work properly.
1043357-3 3-Major BT1043357 SSL handshake may fail when using remote crypto client
1043017-3 3-Major BT1043017 Virtual-wire with standard-virtual fragmentation
1043009-3 3-Major BT1043009 TMM dump capture for compression engine hang
1042913 3-Major BT1042913 Pkcs11d CPU utilization jumps to 100%
1040957-2 3-Major BT1040957 The ipother profile can be used with incompatible profiles in a virtual server
1040045-2 3-Major BT1040045 Unable to delete trunk member on a VCMP guest
1040017-3 3-Major BT1040017 Final ACK validation during flow accept might fail with hardware SYN Cookie
1039277-3 3-Major BT1039277 TMM core
1037645-1 3-Major BT1037645 TMM may crash under memory pressure when using iRule 'AES::key' command
1036873-1 3-Major BT1036873 Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3
1036169-3 3-Major BT1036169 VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500".
1036093-3 3-Major BT1036093 Tmm sends out neighbor advertisements for the link local addresses even if IPv6 is disabled
1036013-2 3-Major BT1036013 BIG-IP systems may terminate connections prematurely when a TLS close-notify alert is received
1034953-2 3-Major BT1034953 In explicit proxy, HTTP_STATCODE missing from syslog
1033537-3 3-Major BT1033537 Cookie persistence profile only examines the first cookie.
1029069-1 3-Major   Non-ASCII characters are not displayed correctly.
1025089-3 3-Major BT1025089 Pool members marked down by database monitor due to stale cached connection
1024841-1 3-Major BT1024841 SSL connection mirroring with ocsp connection failure on standby
1024225 3-Major BT1024225 BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request
1023529-1 3-Major BT1023529 FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
1022453-2 3-Major BT1022453 IPv6 fragments are dropped when packet filtering is enabled.
1021837-2 3-Major BT1021837 When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected"
1020069-2 3-Major BT1020069 Equinix SmartKey HSM is not working with nethsm-partition 'fortanix'
1019641-1 3-Major BT1019641 SCTP INIT_ACK not forwarded
1019261-2 3-Major BT1019261 In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.
1018765-2 3-Major BT1018765 Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system
1017885-4 3-Major BT1017885 Wildcard server-name does not match multiple labels in FQDN
1017801-3 3-Major BT1017801 Internal listeners (cgc, ftp data, etc) all share the same listener_key stats
1017721-3 3-Major BT1017721 WebSocket does not close cleanly when SSL enabled.
1017513-3 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier
1017421-3 3-Major BT1017421 SASP Monitor does not log significant error conditions at default logging level
1017029-3 3-Major BT1017029 SASP monitor does not identify specific cause of failed SASP Registration attempt
1016921-4 3-Major BT1016921 SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled
1016909-2 3-Major BT1016909 BIG-IP iRule commands FLOW::this or FLOW::peer can create zombie flows.
1016589-3 3-Major BT1016589 Incorrect expression in STREAM::expression might cause a tmm crash
1016449-2 3-Major BT1016449 After certain configuration tasks are performed, TMM may run with stale Self IP parameters.
1015817-3 3-Major BT1015817 Flows rejected due to no return route do not increment rejection stats
1015161-2 3-Major BT1015161 Ephemeral pool member may not be created when FQDN resolves to address that matches static node
1014633-3 3-Major BT1014633 Transparent / gateway monitors may fail if there is no route to a node
1013597-1 3-Major BT1013597 `HTTP2::disable serverside` can reset flows
1013209-2 3-Major BT1013209 BIG-IP components relying on ca-bundle.crt may stop working after upgrade
1012813-3 3-Major BT1012813 Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"
1010209-3 3-Major BT1010209 BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings
1009921-1 3-Major BT1009921 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check
1008501-3 3-Major BT1008501 TMM core
1008009-2 3-Major BT1008009 SSL mirroring null hs during session sync state
1006857-3 3-Major BT1006857 Adding a source address list to a virtual server in a partition with a non-default route domain fails
1006157-1 3-Major BT1006157 FQDN nodes not repopulated immediately after 'load sys config'
1004897-4 3-Major BT1004897 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason
1004609-4 3-Major   SSL forward proxy virtual server may set empty SSL session_id in server hello.
1004445-4 3-Major BT1004445 Warning not generated when maximum prefix limit is exceeded.
1000561-3 3-Major BT1000561 Chunk size incorrectly passed to client-side
1000069-1 3-Major BT1000069 Virtual server does not create the listener
999709-4 4-Minor BT999709 iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.
994269-2 4-Minor BT994269 Message: 'double flow removal' in LTM log file
990173-3 4-Minor BT990173 Dynconfd repeatedly sends the same mcp message to mcpd
987885-4 4-Minor BT987885 Half-open unclean SSL termination might not close the connection properly
987401-2 4-Minor BT987401 Increased TMM memory usage on standby unit after pool flap
982993-4 4-Minor BT982993 Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail
962181-2 4-Minor BT962181 iRule POLICY command fails in server-side events
956025-2 4-Minor BT956025 HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header
947937-2 4-Minor BT947937 HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field.
947745-1 4-Minor BT947745 Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error
943945 4-Minor BT943945 Incorrect Error message in /var/log/ltm when HTTP::respond is used in ADAPT_REQUEST_RESULT iRule event
942793-1 4-Minor BT942793 BIG-IP system cannot accept STARTTLS command with trailing white space
940837-2 4-Minor BT940837 The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.
932553-4 4-Minor BT932553 An HTTP request is not served when a remote logging server is down
932045-3 4-Minor BT932045 Memory leak when creating/deleting LTM node object
931469-7 4-Minor BT931469 Redundant socket close when half-open monitor pings
929429-2 4-Minor BT929429 Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
922005-3 4-Minor BT922005 Stats on a certain counter for web-acceleration profile may show excessive value
921993-3 4-Minor BT921993 LTM policy with a 'contains' operator does not work as expected when using an external data group.
921477-2 4-Minor BT921477 Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.
916485-2 4-Minor BT916485 Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object
915969-1 4-Minor BT915969 Truncated QUIC connection close reason
914589-2 4-Minor BT914589 VLAN Failsafe timeout is not always respected
911853-5 4-Minor BT911853 Stream filter chunk-size limits filter to a single match per ingress buffer
910965-2 4-Minor BT910965 Overflow of Multicast table filling the tmm log
907045-2 4-Minor BT907045 QUIC HANDSHAKE_DONE is sent at the end of first flight
904537-3 4-Minor BT904537 The csyncd process may keep trying to sync the GeoIP database to a secondary blade
901485-2 4-Minor BT901485 HTTP_RESPONSE_RELEASE is not raised for HTTP early response
898753-5 4-Minor BT898753 Multicast control-plane traffic requires handling with AFM policies
898201-2 4-Minor BT898201 Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
880697-1 4-Minor BT880697 URI::query command returning fragment part, instead of query part
869565-1 4-Minor BT869565 Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN
869553-1 4-Minor BT869553 HTTP2::disable fails for server side allowing HTTP/2 traffic
858309-4 4-Minor BT858309 Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart
851757-1 4-Minor BT851757 Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION
851425-1 4-Minor BT851425 Update QLOG to draft-01
845545 4-Minor BT845545 Potential name collision for client-ssl profile named 'clientssl-quic'
844337-4 4-Minor BT844337 Tcl error log improvement for node command
838405-3 4-Minor BT838405 Listener traffic-group may not be updated properly when spanning is in use.
838305-7 4-Minor BT838305 BIG-IP may create multiple connections for packets that should belong to a single flow.
834217-7 4-Minor BT834217 Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
832233-1 4-Minor BT832233 The iRule regexp command issues an incorrect warning
829021-3 4-Minor BT829021 BIG-IP does not account a presence of http2 profile when response payload is modified
818721-3 4-Minor BT818721 Virtual address can be deleted while it is in use by an address-list.
807397-3 4-Minor BT807397 IRules ending with a comment cause config verification to fail
802721-4 4-Minor BT802721 Virtual Server iRule does not match an External Data Group key that's 128 characters long
801705-6 4-Minor BT801705 When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
760590-3 4-Minor BT760590 TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server
758435-2 4-Minor BT758435 Ordinal value in LTM policy rules sometimes do not work as expected
750705-3 4-Minor BT750705 LTM logs are filled with error messages while creating/deleting virtual wire configuration
742603-5 4-Minor BT742603 WebSocket Statistics are updated to differentiate between client and server sides
717806-1 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
683534-3 4-Minor BT683534 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading
640374-2 4-Minor BT640374 DHCP statistics are incorrect
1067025-3 4-Minor BT1067025 Rate-shaping + immediate timeout causing connection to stall.
1064725-3 4-Minor BT1064725 False alarm log message on ltm as CHMAN request for tag:19 as failed
1064669-2 4-Minor BT1064669 Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash
1045913-3 4-Minor BT1045913 COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression
1042133 4-Minor BT1042133 Current Sessions value of gateway route pool member goes negative
1037153-3 4-Minor BT1037153 iRule "log" command to remote destinations may cause TMM to leak memory
1035757-3 4-Minor BT1035757 iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_*
1034865-3 4-Minor BT1034865 CACHE::enable failed on private/no-store content
1034217-1 4-Minor BT1034217 Quic_update_rtt can leave ack_delay uninitialized
1030533-2 4-Minor BT1030533 The BIG-IP system may reject valid HTTP responses from OCSP servers.
1030093-3 4-Minor BT1030093 An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.
1027805-3 4-Minor BT1027805 DHCP flows crossing route-domain boundaries might fail.
1026605-4 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes
1016049-4 4-Minor BT1016049 EDNS query with CSUBNET dropped by protocol inspection
1015793-2 4-Minor BT1015793 Length value returned by TCP::payload is signed and can appear negative
1015117-3 4-Minor BT1015117 Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used
1013937-2 4-Minor BT1013937 In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work.
1011889-4 4-Minor BT1011889 The BIG-IP system does not handle DHCPv6 fragmented traffic properly
1004953-3 4-Minor BT1004953 HTTP does not fall back to HTTP/1.1
979213-2 5-Cosmetic BT979213 Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
968581-2 5-Cosmetic BT968581 TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description
926085-1 5-Cosmetic BT926085 GUI: Node/port monitor test not possible in the GUI, but works in tmsh
897437-5 5-Cosmetic BT897437 First retransmission might happen after syn-rto-base instead of minimum-rto.
873249-1 5-Cosmetic BT873249 Switching from fast_merge to slow_merge can result in incorrect tmm stats


Global Traffic Manager (DNS) Issues

ID Number Severity Links to More Info Description
993921-4 2-Critical BT993921 TMM SIGSEGV
940733-3 2-Critical K29290121, BT940733 Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt
931149-1 2-Critical BT931149 Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
887681-3 2-Critical BT887681 Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c
744743-2 2-Critical BT744743 Rolling DNSSEC Keys may stop generating after BIG-IP restart
705869-3 2-Critical BT705869 TMM crashes as a result of repeated loads of the GEOIP database
264701-5 2-Critical K10066 GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
1062513-3 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property.
1050537-2 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions
1031945-3 2-Critical BT1031945 DNS cache configured and tmm stuck in 'not ready' state indefinitely after TMM restart or reboot
1027657-3 2-Critical BT1027657 Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules.
1011433-3 2-Critical BT1011433 TMM may crash under memory pressure when performing DNS resolution
1010617-3 2-Critical BT1010617 String operation against DNS resource records cause tmm memory corruption
994221-3 3-Major BT994221 ZoneRunner returns error 'Resolver returned no such record'
990929-3 3-Major BT990929 Status of GTM monitor instance is constantly flapping
987709-4 3-Major BT987709 Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition
984749-2 3-Major   Discrepancy between DNS cache statistics "Client Summary" and "Client Cache"
977625-3 3-Major BT977625 GTM persistence records linger in tmm
973341-2 3-Major BT973341 Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt
969553-2 3-Major BT969553 A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries.
967737-2 3-Major BT967737 DNS Express: SOA stops showing up in statistics from second zone transfer
966461-6 3-Major BT966461 Tmm leaks memory after each DNSSEC query when netHSM is not connected
965053-3 3-Major BT965053 [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure
958325-1 3-Major BT958325 Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB
958157-3 3-Major BT958157 Hash collisions in fastDNS packet processing
940469-4 3-Major BT940469 Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration
939941-1 3-Major BT939941 Monitor parameter not found error
936777-2 3-Major BT936777 Old local config is synced to other devices in the sync group.
936417-3 3-Major BT936417 DNS/GTM daemon big3d does not accept ECDH or DH ciphers
936361-1 3-Major BT936361 IPv6-based bind (named) views do not work
935945-1 3-Major BT935945 GTM HTTP/HTTPS monitors cannot be modified via GUI
920817-6 3-Major BT920817 Wide IP operations performed in quick succession result in missing resource records and out of sync journals.
918693-4 3-Major BT918693 Wide IP alias validation error during sync or config load
913917-2 3-Major BT913917 Unable to save UCS
912761-2 3-Major BT912761 Link throughput statistics are different
911497-2 3-Major BT911497 Unbound's backoff algorithm interacts badly with net resolver iRules
911241-6 3-Major BT911241 The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
908829-1 3-Major BT908829 The iqsyncer utility may not write the core file for system signals
908801-1 3-Major BT908801 SELinux policies may prevent from iqsh/iqsyncer dumping core
903521-2 3-Major BT903521 TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'
899253-6 3-Major BT899253 [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
894081-2 3-Major BT894081 The Wide IP members view in the WebUI may report the incorrect status for a virtual server.
887921-1 3-Major   iRule command “RESOLVER::name_lookup” returns null for responses more than 512 bytes
880125-5 3-Major BT880125 WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner
879301-1 3-Major BT879301 When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended
876677-1 3-Major BT876677 When running a debug version of TMM, an assertion may be triggered due to and expired DNS lookup
874221-1 3-Major BT874221 DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd
872037-2 3-Major BT872037 DNS::header rd does not set the Recursion desired
862949-3 3-Major BT862949 ZoneRunner GUI is unable to display CAA records
821589-1 3-Major BT821589 DNSSEC does not insert NSEC3 records for NXDOMAIN responses
813221-5 3-Major BT813221 Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
795633-2 3-Major BT795633 GUI and REST API unable to add virtual servers containing a space in the name to a pool
779185-2 3-Major BT779185 Forward zone deleted when wideip updated
774225-4 3-Major BT774225 mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
760615-6 3-Major BT760615 Virtual Server discovery may not work after a GTM device is removed from the sync group
757464-7 3-Major BT757464 DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
739553-5 3-Major BT739553 Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
718230-8 3-Major BT718230 Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
716701-4 3-Major BT716701 In iControl REST: Unable to create Topology when STATE name contains space
222220-6 3-Major   Distributed application statistics are not passed correctly.
1067309-2 3-Major BT1067309 GTMD cored followed by TMM core SIGSEGV due to illegal GTM server reference
1066397-2 3-Major BT1066397 GTM persists to last resort pool members even when primary pool members become available.
1063829-3 3-Major BT1063829 Zxfrd could run out of memory because zone db files are not efficiently recycled
1055077-3 3-Major BT1055077 Modifying the datacenter does not check GTM server configuration for prober-pool.
1046785-3 3-Major BT1046785 Missing GTM probes when max synchronous probes are exceeded
1044873-2 3-Major BT1044873 Deleted GTM link is not removed from virtual server object and causes load failure.
1041889-1 3-Major BT1041889 RRSIG missing for CNAME with RDATA in different zone
1041801-2 3-Major BT1041801 TMM crashes when handling Network DNS resolver Traffic.
1041625-3 3-Major BT1041625 Virtual server flapping when the active and standby devices have different configuration.
1040153-3 3-Major BT1040153 Topology region returns narrowest scope netmask without matching
1039205 3-Major BT1039205 DNSSEC key stored on netHSM fails to generate if the key name length is > 24
1033897-1 3-Major BT1033897 DNSSEC keys generated independently are still in use after GTM sync
1030237-2 3-Major BT1030237 Zxfrd core and continual restart when out of configured space
1026621-2 3-Major BT1026621 DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist
1024905-2 3-Major BT1024905 GTM monitor times out if monitoring a virtual server with translation address
1020337-1 3-Major BT1020337 DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator
1018613-3 3-Major BT1018613 Modify wideip pools with replace-all-with results pools with same order 0
1012061-3 3-Major BT1012061 Link Controller auto-discovery does not remove deleted virtual servers
1003233-3 3-Major BT1003233 SNMP Polling can cause inconsistencies in gtm link stats
1001101-3 3-Major BT1001101 Cannot update/display GTM/DNS listener route advertisement correctly
996261-3 4-Minor BT996261 Zrd in restart loop with empty named.conf
995369-3 4-Minor BT995369 DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm
959613-2 4-Minor BT959613 SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason
950069-2 4-Minor BT950069 Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"
947217-5 4-Minor BT947217 Fix of ID722682 prevents GTM config load when the virtual server name contains a colon
889801-1 4-Minor BT889801 Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.
886145-2 4-Minor BT886145 The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS GUI.
885869-2 4-Minor BT885869 Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
882933-2 4-Minor BT882933 Nslookup might generate a core during system restart
839361-6 4-Minor BT839361 iRule 'drop' command does not drop packets when used in DNS_RESPONSE
822393-3 4-Minor BT822393 Prober pool selected on server or data center not being displayed after selection in Internet Explorer
808913-2 4-Minor BT808913 Big3d cannot log the full XML buffer data
792813-1 4-Minor BT792813 The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet info is not received
790113-6 4-Minor BT790113 Cannot remove all wide IPs from GTM distributed application via iControl REST
708680-3 4-Minor BT708680 TMUI is unable to change the Alias Address of DNS/GTM Monitors
464708-2 4-Minor BT464708 DNS logging does not support Splunk format log
1067821-3 4-Minor BT1067821 Stats allocated_used for region inside zxfrd is overflowed
1026813-5 4-Minor BT1026813 LCD IP address is missing from /etc/hosts on iSeries
1014761-1 4-Minor BT1014761 [GTM][GUI] Not able to enable/disable pool member from pool member property page
1008233-3 4-Minor BT1008233 The gtm_add command fails but reports no error
985001-3 5-Cosmetic BT985001 Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition
1053605-1 5-Cosmetic BT1053605 When you use NAT, the iQuery status displays 'BIGIP' instead of 'BIGIP-DNS'.


Application Security Manager Issues

ID Number Severity Links to More Info Description
956889-2 2-Critical BT956889 /var fills up very quickly
887621-2 2-Critical BT887621 ASM virtual server names configuration CRC collision is possible
884945-2 2-Critical BT884945 Latency reduce in case of empty parameters.
865981-1 2-Critical BT865981 ASM GUI and REST become unresponsive upon license change
857677-3 2-Critical BT857677 Security policy changes are applied automatically after asm process restart
761429-1 2-Critical BT761429 TMM core after long run of high volumes of traffic
1050089-3 2-Critical   TMM crash in certain cases
1048685-2 2-Critical BT1048685 Rare TMM crash when using Bot Defense Challenge
1015881-3 2-Critical BT1015881 TMM might crash after configuration failure
995889-2 3-Major BT995889 Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive
987453-1 3-Major   Bot Defense browser verification fails upon iframes of different top-level domains
985205-1 3-Major BT985205 Event Log and Traffic Learning screens fail to load request details
974985-2 3-Major   Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable
974513-2 3-Major BT974513 Dropped requests are reported as blocked in Reporting/charts
966633-2 3-Major BT966633 Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies
966613-4 3-Major BT966613 Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’
965785-2 3-Major   Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
962493-5 3-Major   Request is not logged
962489-5 3-Major   False positive enforcement of parameters with specific configuration
961509-2 3-Major BT961509 ASM blocks WebSocket frames with signature matched but Transparent policy
959965-3 3-Major   Asmlogd stops deleting old protobufs
959957-3 3-Major BT959957 Asmlogd stops deleting old protobufs
943441-2 3-Major BT943441 Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK
937445-1 3-Major BT937445 Incorrect signature context logged in remote logger violation details field
937213 3-Major BT937213 Virtual Server is not created when a new HTTPS virtual server is defined with a new security policy
929005-2 3-Major BT929005 TS cookie is set in all responses
926845-5 3-Major BT926845 Inactive ASM policies are deleted upon upgrade
923221-4 3-Major BT923221 BD does not use all the CPU cores
921697-3 3-Major BT921697 Attack signature updates fail to install with Installation Error.
903313-2 3-Major   OWASP page: File Types score in Broken Access Control category is always 0.
902445-2 3-Major BT902445 ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
898825-2 3-Major BT898825 Attack signatures are enforced on excluded headers under some conditions
891181-2 3-Major BT891181 Wrong date/time treatment in logs in Turkey/Istambul timezone
890825-2 3-Major BT890825 Attack Signatures and Threat Campaigns filter incorrect behaviour
890169-2 3-Major BT890169 URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
887265-2 3-Major BT887265 BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration
887261-1 3-Major BT887261 JSON schema validation files created from swagger should support "draft-04" only
867777-3 3-Major BT867777 Remote syslog server cannot parse violation detail buffers as UTF-8.
862413-1 3-Major BT862413 Broken layout in Threat Campaigns and Brute Force Attacks pages
853989-1 3-Major BT853989 DOSL7 Logs breaks CEF connector by populating strings into numeric fields
853565-2 3-Major BT853565 VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade
853269-1 3-Major BT853269 Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages in case of complex role user
853177-1 3-Major BT853177 'Enforcement Mode' in security policy list is shown without value
852429-1 3-Major BT852429 "ASM subsystem error" logged when creating policies
850633-1 3-Major BT850633 Policy with % in name cannot be exported
849349-5 3-Major BT849349 Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
849269-1 3-Major BT849269 High CPU usage after Inheritance page opened
848921-1 3-Major BT848921 Config sync failure when importing a Json policy
848757-1 3-Major BT848757 Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload
845933-1 3-Major BT845933 Unused parameters remain after modifying the swagger file of a policy
844373-1 3-Major BT844373 Learning suggestion details layout broken in some browsers
841285-1 3-Major BT841285 Sometimes apply policy is stuck in Applying state
839509-1 3-Major BT839509 Incorrect inheritance treatment in Response and Blocking Pages page
839141-1 3-Major BT839141 Issue with 'Multiple of' validation of numeric values
829029-1 3-Major BT829029 Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
818889-2 3-Major BT818889 False positive malformed json or xml violation
785873-3 3-Major BT785873 ASM should treat 'Authorization: Negotiate TlR' as NTLM
703678-3 3-Major BT703678 Cannot add 'secure' attributes to several ASM cookies
1062493-2 3-Major BT1062493 BD crash close to it's startup
1062105-1 3-Major BT1062105 For specific configurations (Auto-Added Signature Accuracy and Case Sensitive parent policy), child security policy fails to create.
1058597-3 3-Major BT1058597 Bd crash on first request after system recovery
1057557-4 3-Major BT1057557 Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag
1051589-2 3-Major   Missing configuration after upgrade
1051213-2 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'
1048949-3 3-Major BT1048949 TMM xdata leak on websocket connection with asm policy without websocket profile
1043533-1 3-Major   Unable to pick up the properties of the parameters from audit reports.
1043385-3 3-Major   No Signature detected If Authorization header is missing padding
1042605-3 3-Major   ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above
1041149-2 3-Major   Staging of URL does not affect apply value signatures
1037457-2 3-Major   High CPU during specific dos mitigation
1036969-3 3-Major BT1036969 Chrome sometimes ignores cross-site bot-defense cookies
1033025-2 3-Major BT1033025 TMM might crash when unsupported bot iRule is used
1033017-4 3-Major BT1033017 Policy changes learning mode to automatic after upload and sync
1031461-4 3-Major   Session awareness entries aren't mirrored to both sides of an active-active deployment.
1030853-2 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted
1029989-2 3-Major   CORS : default port of origin header is set 80, even when the protocol in the header is https
1028493-3 3-Major   Live Update genesis file for Server Technologies installation fails
1023889-2 3-Major BT1023889 HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
1021521-2 3-Major   JSON Schema is not enforced if OpenAPI media-type is wild card
1020149-2 3-Major BT1020149 Bot Defense does not support iOS's WKWebView framework
1017557-3 3-Major BT1017557 ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
1017261-5 3-Major BT1017261 Configuraton update triggers from MCP to ASM are ignored
1014973 3-Major BT1014973 ASM changed cookie value
1012221-2 3-Major BT1012221 Message: childInheritanceStatus is not compatible with parentInheritanceStatus
1008849-3 3-Major BT1008849 OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration
1008005 3-Major BT1008005 Configuration load fails due to BOTDEFENSE_ACTION event in iRule after upgrade
1006181-1 3-Major BT1006181 ASM fails to start after upgrade if different ASM policies use login pages with the same name
994013-2 4-Minor BT994013 Modifying bot defense allow list via replace-all-with fails with match-order error
991765-2 4-Minor BT991765 Inheritance of staging_period_in_days from policy template
984521-2 4-Minor BT984521 Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name
984449-1 4-Minor   Unnecessary swagger validation violation may raise due to behavioral WAF parameter traps that have identical name
974409-2 4-Minor   False Positive "Surfing Without Human Interaction"
957321-1 4-Minor   When BIG-IP contains an invalid DNS Resolver, Bot Defense might wrongly classify search engines as malicious
950953-1 4-Minor BT950953 Browser Challenges update file cannot be installed after upgrade
945821-1 4-Minor BT945821 Remote logging conditions adjustments
937541-2 4-Minor   Wrong display of signature references in violation details
932893-2 4-Minor BT932893 Content profile cannot be updated after redirect from violation details in Request Log
931033-1 4-Minor BT931033 Device ID Deletions anomaly might be raised in case of browser/hardware change
923233-1 4-Minor BT923233 Incorrect encoding in 'Logout Page' for non-UTF8 security policy
915133-3 4-Minor BT915133 Single Page Application can break the page, when hooking is done by the end server application.
906737-3 4-Minor BT906737 Error message: 'templates/' is not a directory
905669-2 4-Minor BT905669 CSRF token expired message for AJAX calls is displayed incorrectly
893905-2 4-Minor BT893905 Wrong redirect from Charts to Requests Log when request status selected in filter
887625-3 4-Minor BT887625 Note should be bold back, not red
885789-1 4-Minor BT885789 Clicking 'Fix Automatically' on PCI Compliance page does not replace non-PCI-compliant-profile with complaint one on HTTP/2 virtual servers
885785-1 4-Minor BT885785 Clicking 'Fix Automatically' in PCI Compliance page does not attach a PCI-compliant-profile on HTTP/2 virtual servers
882729-3 4-Minor BT882729 Applied Blocking Masks discrepancy between local/remote event log
875373-3 4-Minor BT875373 Unable to add domain with leading '.' through webUI, but works with tmsh.
864989-2 4-Minor BT864989 Remote logger violation_details field content appears as "N/A" when violations field is not selected.
858445-1 4-Minor BT858445 Missing confirmation dialog for apply policy in new policy pages
842265-1 4-Minor BT842265 Create policy: trusted IP addresses from template are not shown
841985-5 4-Minor BT841985 TSUI GUI stuck for the same session during long actions
807569-2 4-Minor BT807569 Requests fail to load when backend server overrides request cookies and Bot Defense is used
765365-2 4-Minor BT765365 ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive
759671-2 4-Minor BT759671 Unescaped slash in RE2 in user-defined signature should not be allowed
757486-1 4-Minor BT757486 Errors in IE11 console appearing with Bot Defense profile
746984-5 4-Minor BT746984 False positive evasion violation
1067917-2 4-Minor   Attaching iRule DOSL7::enable when mitigation is not enabled at dosl7 profile, it is not showing warning in GUI
1064821 4-Minor BT1064821 ASM v15.1.4 REST/AS3-imported and replaced policies have different encodings.
1060677 4-Minor BT1060677 Unable to upload swagger file using REST/AS3 with JSON.
1059421-2 4-Minor   Bot Signature is not updated when the signature rule is updated.
1058665-2 4-Minor BT1058665 Bot signature with a semicolon followed by a space is not detected
1057713-6 4-Minor   "South Sudan" is missing from the ASM Geolocation Enforcement List
1050697-5 4-Minor   Traffic learning page counts Disabled signatures when they are ready to be enforced
1048617-1 4-Minor   Nice level BigDB paramter is not applied for BD
1048445-3 4-Minor BT1048445 Accept Request button is clickable for unlearnable violation illegal host name
1040513-1 4-Minor BT1040513 The counter for "FTP commands" is always 0.
1038741-3 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation
1036521-3 4-Minor BT1036521 TMM crash in certain cases
1035361-2 4-Minor   Illegal cross-origin after successful CAPTCHA
1026277-2 4-Minor   Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled
1021637-2 4-Minor BT1021637 In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
1020717-3 4-Minor   Policy versions cleanup process sometimes removes newer versions
1017149-3 4-Minor   User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs
1005309-2 4-Minor BT1005309 Additional Tcl variables showing information from the AntiBot Mobile SDK
1005181-2 4-Minor BT1005181 Bot Defense Logs indicate the mobile debugger is used even when it is not
989353-1 5-Cosmetic BT989353 Block column of policy signature list always shows a checkmark, regardless of policy enforcement mode
1037189 5-Cosmetic BT1037189 Invalid values in long request buffer size in umu stats
1011045-1 5-Cosmetic BT1011045 GUI does not reflect 'Fully Automatic' state , which is substate of Automatic learning mode.


Application Visibility and Reporting Issues

ID Number Severity Links to More Info Description
932189-3 3-Major BT932189 Incorrect BD Swap Size units on ASM Resources chart
898333-2 3-Major BT898333 Unable to collect statistics from BIG-IP system after BIG-IQ restart
852577-5 3-Major BT852577 [AVR] Analytic goodput graph between different time period has big discrepancy
808801-4 3-Major BT808801 AVRD crash when configured to send data externally
1063801 3-Major BT1063801 The avrd module produces wrong dns messages per second statistic records for errdefs_msgno=22282300,Entity=DNS_Offbox_All, when dns dos profile is attached
1040477 3-Major BT1040477 Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies
1038913-3 3-Major   The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category
1036601 3-Major BT1036601 Discrepancies in the number of requests with violations in ASM reports
950305-2 4-Minor BT950305 Analytics data not displayed for Pool Names
915005-1 4-Minor BT915005 AVR core files have unclear names
910777-3 4-Minor BT910777 Sending ASM report via AWS SES failed duo to wrong content type
930217-3 5-Cosmetic BT930217 Zone colors in ASM swap usage graph are incorrect


Access Policy Manager Issues

ID Number Severity Links to More Info Description
349706-2 0-Unspecified   NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
893953-2 1-Blocking BT893953 Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers
990073 2-Critical BT990073 BIG-IP software v13.1.3.6, v14.1.4, v15.1.2.1, v16.0.1.1 or later require APM Clients 7.1.8.5, 7.1.9.8, or 7.2.1.1
965837-2 2-Critical BT965837 When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection
965777-2 2-Critical BT965777 Per-request policy authentication becomes unresponsive
904441-2 2-Critical BT904441 APM vs_score for GTM-APM load balancing is not calculated correctly
903257-1 2-Critical BT903257 GUI issues for Access :: Profiles/Policies : Customization : General Customization or Advanced Customization
882545-1 2-Critical BT882545 Multiple rate-limiting agents sharing the same rate-limiting key config may not function properly
880073-1 2-Critical BT880073 Memory leak on every DNS query made for "HTTP Connector" agent
856909-3 2-Critical BT856909 Apmd core occurs when it fails to retrieve agentInfo
756540-1 2-Critical BT756540 End-user may not be able to connect to VPN.
1024029-3 2-Critical   TMM may crash when processing traffic with per-session APM Access Policy
1020349-2 2-Critical BT1020349 APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL
1007869-2 2-Critical BT1007869 Upgrade from v14.1.x to v15.1.2.1 or later fails for app-tunnel, RDP and config migration
963869-2 3-Major BT963869 Remote Desktop app fails to launch from webtop when Per-request Policy is added to virtual server.
956645-2 3-Major BT956645 Per-request policy execution may timeout.
949105-2 3-Major BT949105 Error log seen on Category Lookup SNI requests for same connection
944029-1 3-Major BT944029 Support challenge response agent to handle Access-Challenge when Logon agent is not in policy
942729-2 3-Major   Export of big Access Policy config from GUI can fail
924697-2 3-Major BT924697 VDI data plane performance degraded during frequent session statistic updates
920541-3 3-Major BT920541 Incorrect values in 'Class Attribute' in Radius-Acct STOP request
918053-1 3-Major BT918053 [Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile.
907873-2 3-Major BT907873 Authentication tab is missing in VPE for RDG-RAP Access Policy type
903501-2 3-Major BT903501 VPN Tunnel establishment fails with some ipv6 address
898381-2 3-Major BT898381 Changing the setting of apm-forwarding-fastl4 profile does not take effect
892861-3 3-Major BT892861 Cannot configure aaa OAuth provider - invalid x509 file
883841-1 3-Major BT883841 APM now displays icons of all sizes what Horizon VCS supports.
848673-1 3-Major BT848673 Messages that originate from split tunneled frame have incorrect Portal Access message event origin.
842149-2 3-Major BT842149 Verified Accept for SSL Orchestrator
835285-1 3-Major BT835285 Client browser traffic through APM SWG transparent proxy using captive portal might get reset.
827393-2 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy.
806809-2 3-Major BT806809 JWT Claim value without quotes is invalid
788473-3 3-Major BT788473 Email sent from APM is not readable in some languages
752077-1 3-Major BT752077 Kerberos replay cache leaks file descriptors
744316-6 3-Major BT744316 Config sync of APM policy fails with Cannot update_indexes validation error.
738547-4 3-Major BT738547 SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
653210-3 3-Major BT653210 Rare resets during the login process
597955-3 3-Major BT597955 APM can generate seemingly spurious error log messages
470916-3 3-Major BT470916 Using native View clients, cannot launch desktops and applications from multiple VMware back-ends
1063345-3 3-Major   Urldbmgrd may crash while downloading the database
1060477 3-Major BT1060477 iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]"
1054677-2 3-Major BT1054677 Ng_export fails for users with the 'pager' option enabled in their 'cli preference' configuration.
1053309-2 3-Major BT1053309 Localdbmgr leaks memory while syncing data to sessiondb and mysql
1048913-2 3-Major BT1048913 APM internal virtual server leaks memory under certain conditions.
1046401-1 3-Major BT1046401 APM logs shows truncated OCSP URL path while performing OCSP Authentication
1045229-2 3-Major BT1045229 APMD leaks Tcl_Objs as part of the fix made for ID 1002557
1044121-2 3-Major   APM logon page is not rendered if db variable "ipv6.enabled" is set to false
1043233-1 3-Major BT1043233 Export of large access policy configuration from ng_export CLI
1042505-2 3-Major BT1042505 Session variable "session.user.agent" does not get populated for edge clients
1041989-3 3-Major BT1041989 APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaks
1039941-2 3-Major BT1039941 [WIN]Webtop offers to download f5vpn when it is already installed
1039725-2 3-Major BT1039725 Reverse proxy traffic fails when a per-request policy is attached to a virtual server.
1037877-2 3-Major BT1037877 OAuth Claim display order incorrect in VPE
1024437-3 3-Major BT1024437 Urldb index building fails to open index temp file
1022877-2 3-Major   Ping missing from list of Types for OAuth Client
1022493-2 3-Major BT1022493 Slow file descriptor leak in urldbmgrd (sockets open over time)
1018877-1 3-Major BT1018877 Subsession variable values mixing between sessions
1010597-2 3-Major BT1010597 Traffic disruption when virtual server is assigned to a non-default route domain
1006509 3-Major BT1006509 TMM memory leak
1002413-1 3-Major BT1002413 Websso puts quotation marks around non-string claim type 'custom' values
1000669-2 3-Major BT1000669 Tmm memory leak 'string cache' leading to SIGFPE
992533 4-Minor BT992533 HTML meta tag URL not rewritten when received under single quotes (' ')
977425 4-Minor BT977425 APM - nlad & eca restarting in loop after upgrade
952801 4-Minor BT952801 Changing access policy from multi-domain to single domain does not send domain cookies
949957 4-Minor BT949957 RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android)
944093-2 4-Minor BT944093 Maximum remaining session's time on user's webtop can flip/flop
943033-2 4-Minor BT943033 APM PRP LDAP Group Lookup agent has a syntax error in built in VPE expression
872105 4-Minor BT872105 APM Hosted Content feature incorrectly guesses content type for CSS files
869541-2 4-Minor BT869541 Series of unexpected <aborted> requests to same URL
867705-4 4-Minor BT867705 URL for IFRAME element may not be normalized in some cases
866953-5 4-Minor BT866953 Portal Access: F5_Inflate_onclick wrapper functionality needs refining
848217-4 4-Minor   Portal Access: default port encoded in rewritten url, need to be removed from host header in request to backend
847109-1 4-Minor BT847109 Very large policies could have problems with re-import
840257-4 4-Minor BT840257 Portal Access: HTML iframe sandbox attribute is not supported
840249-2 4-Minor BT840249 With BIG-IP as a SAML IdP, important diagnostic information is not logged
819233-3 4-Minor BT819233 Ldbutil utility ignores '--instance' option if '--list' option is specified
712542-5 4-Minor BT712542 Network Access client caches the response for /pre/config.php
707294-4 4-Minor BT707294 When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear
547947-1 4-Minor BT547947 Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged out
438684-1 4-Minor   Access Profile Type of SSO requires SSO configuration at create time
1058377 4-Minor BT1058377 [APM CUSTOMIZATION] Unable to edit image for RDP resource
1041985-3 4-Minor   TMM memory utilization increases after upgrade
1040829-3 4-Minor BT1040829 Errno=(Invalid cross-device link) after SCF merge
1022973 4-Minor BT1022973 Sessiondb entries related to Oauth module not cleaned up in certain conditions
1004845-2 4-Minor BT1004845 Accessing attribute using attributeNode value does not work with Portal Access
1004077-2 4-Minor BT1004077 When configuring from VPE, audit logs from mcp records the user as admin, even if done by another user


WebAccelerator Issues

ID Number Severity Links to More Info Description
900825 3-Major BT900825 WAM image optimization can leak entity reference when demoting to unoptimized image
890573 3-Major BT890573 BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart
890401 3-Major BT890401 Restore correct handling of small object when conditions to change cache type is satisfied
489960 4-Minor BT489960 Memory type stats is incorrect


Wan Optimization Manager Issues

ID Number Severity Links to More Info Description
863601-3 2-Critical BT863601 Panic in TMM due to internal mirroring interactions


Service Provider Issues

ID Number Severity Links to More Info Description
839389-1 2-Critical BT839389 TMM can crash when connecting to IVS under extreme overload
1007109-1 2-Critical BT1007109 Flowmap entry is deleted before updating its timeout to INDEFINITE
991037-2 3-Major BT991037 MR::message can cause tmm crash
970341 3-Major BT970341 Messages are not forwarded when "disable-parser" is set to "NO" in Generic Message Profile
957905-2 3-Major BT957905 SIP Requests over TCP without content_length header are not aborted by BIG-IP
921441-2 3-Major BT921441 MR_INGRESS iRules that change diameter messages corrupt diam_msg
917637-2 3-Major BT917637 Tmm crash with ICAP filter
908477-2 3-Major BT908477 Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request
895801-2 3-Major BT895801 Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
831105-2 3-Major BT831105 Session timeout in diadb entry is updated to 180 on unsuccessful transaction
817369-2 3-Major BT817369 TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.
755033-1 3-Major   Dynamic Routes stats row does not appear in the UI
753501-5 3-Major BT753501 iRule commands (such as relate_server) do not work with MRP SIP
749528-8 3-Major BT749528 IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
748355-5 3-Major BT748355 MRF SIP curr_pending_calls statistic can show negative values.
1038057-1 3-Major BT1038057 Unable to add a serverssl profile into a virtual server containing a FIX profile
1008169-3 3-Major BT1008169 BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP
862337-2 4-Minor BT862337 Message Routing Diameter profile fails to forward messages with zero length AVPs
844169-1 4-Minor BT844169 TMSH context-sensitive help for diameter session profile is missing some descriptions
794889-1 4-Minor BT794889 Pool member state force-offline processes persistent connections in Diameter.
1013297 4-Minor BT1013297 MRF persistence records are not removed with "DIAMETER::persist reset" in DIAMETER_INGRESS


Advanced Firewall Manager Issues

ID Number Severity Links to More Info Description
965897-2 2-Critical BT965897 Disruption of mcpd with a segmentation fault during config sync
964989-2 2-Critical BT964989 AFM DOS half-open does not handle wildcard virtual servers properly.
850117-2 2-Critical BT850117 Autodosd crash after assigning dos profile with custom signatures to a virtual server
1061929 2-Critical BT1061929 Unable to perform IPI update (through proxy) after upgrade to 15.1.4
1060833-1 2-Critical BT1060833 After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash.
1058645-1 2-Critical BT1058645 ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup.
1048425-3 2-Critical BT1048425 Packet tester crashes TMM when vlan external source-checking is enabled
1040685-3 2-Critical BT1040685 Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier)
1033781 2-Critical BT1033781 IP Reputation database sync fails when DB variable iprep.protocol is set to auto-detect
998701-2 3-Major BT998701 Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.
997781 3-Major BT997781 Support for DSLITE event logging for field format and user format
997433 3-Major BT997433 When dos.logging interval is greater than 1, the log statistics are not accumulated
997429 3-Major BT997429 When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled
993269-1 3-Major BT993269 DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
990461-3 3-Major BT990461 Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade
987133-2 3-Major BT987133 Non-EDNS response with RCODE FORMERR are blocked by dns-qdcount-limit vector.
980593 3-Major BT980593 LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table
976621-3 3-Major BT976621 SIP ALG not processing IPv6 in NAT64 UDP
968953-3 3-Major BT968953 Unnecessary authorization header added in the response for an IP intelligence feed list request
964625-3 3-Major BT964625 Improper processing of firewall-rule metadata
959609 3-Major BT959609 Autodiscd daemon keeps crashing
953425-3 3-Major BT953425 Hardware syncookie mode not cleared when changing dos-device-vector enforcement
952521-2 3-Major BT952521 Memory allocation error while creating an address list with a large range of IPv6 addresses
935769-3 3-Major BT935769 Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time
929909-2 3-Major BT929909 TCP Packets are not dropped in IP Intelligence
926549-1 3-Major BT926549 AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'
918905-2 3-Major BT918905 PCCD restart loop when using more than 256 FQDN entries in Firewall Rules
915221-4 3-Major BT915221 DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
881985-4 3-Major BT881985 AFM FQDN rule matching is broken when multiple FQDN's in firewall policies resolve to the same IP address
874797-1 3-Major BT874797 Cannot use GUI to configure FQDN in device DNS NXDOMAIN QUERY Vector
867321-3 3-Major BT867321 Error: Invalid self IP, the IP address already exists.
857897-2 3-Major BT857897 Address and port lists are not searchable within the GUI
844597-4 3-Major BT844597 AVR analytics is reporting null domain name for a dns query
818705-1 3-Major BT818705 afm_cmi.py daemon can cause very high BIG-IP CPU utilization(>90%)
813969-5 3-Major BT813969 Network DoS reporting events as 'not dropped' while in fact, events are dropped
793217-5 3-Major BT793217 HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
663946-7 3-Major BT663946 The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
1067393-1 3-Major BT1067393 MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool
1063681-1 3-Major BT1063681 PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn
1057061-1 3-Major   BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with "Log Translation Fields"
1053589 3-Major BT1053589 DDoS functionality cannot be configured at a Zone level
1047933-2 3-Major BT1047933 Virtual server security policy - An error has occurred while trying to process your request
1042153-1 3-Major   AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.
1039993-2 3-Major   AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE"
1033761 3-Major BT1033761 BIG-IP consumes excessive CPU when "Log Translation Fields" are enabled in logging policy
1022613-3 3-Major BT1022613 Cannot modify Security "global-network" Logging Profile
1021737 3-Major BT1021737 NAT policy rules are matched regardless of route domains
1020061-1 3-Major BT1020061 Nested address lists can increase configuration load time
1019557-2 3-Major BT1019557 Bdosd does not create /var/bdosd/*.json
1012581-3 3-Major BT1012581 Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered
1011445-3 3-Major BT1011445 Recovery after DoS attack uses SYN cookies inefficiently
981145-3 4-Minor BT981145 DoS events do not include the attack name for "tcp syn ack flood"
967245-3 4-Minor   Incorrect SPVA counter incremented during Sweep attack on profile
942665-2 4-Minor BT942665 Rate limit and threshold configuration checks are inconsistent when applied to Basic DoS Vectors and Bad Actors DoS vectors
935865-5 4-Minor BT935865 Rules that share the same name return invalid JSON via REST API
928177-2 4-Minor BT928177 Syn-cookies might get enabled when performing multiple software upgrades.
926425-3 4-Minor BT926425 Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
760355-3 4-Minor BT760355 Firewall rule to block ICMP/DHCP from 'required' to 'default'
1038837-1 4-Minor BT1038837 Debugd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.
1037661-1 4-Minor   The packet tester does not validate the route domain after applying the rule list when the protocol is changed from IP to any
1037197 4-Minor BT1037197 Packet tester UI does not show partition label for VLANs
1033021-1 4-Minor BT1033021 UI: Partition does not work when clicking through security zones
1022213-3 4-Minor BT1022213 DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up
1021633 4-Minor BT1021633 DDoS: ICMPv6 packets not reported properly by Virtual DDoS
1003377-1 4-Minor BT1003377 Disabling DoS TCP SYN-ACK does not clear suspicious event count option


Policy Enforcement Manager Issues

ID Number Severity Links to More Info Description
829657-3 2-Critical BT829657 Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses
924589-1 3-Major BT924589 PEM ephemeral listeners with source-address-translation may not count subscriber data
829653-2 3-Major BT829653 Memory leak due to session context not freed
1044901 3-Major BT1044901 PEM Feature not supported for BIG-IP 15.1.5 on rSeries 5k/10k hardware
1020041-2 3-Major   "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs
1015501-4 3-Major BT1015501 Changes to DHCP Profile are not used by tmm
911585-3 4-Minor BT911585 PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
815901-1 4-Minor BT815901 Add rule to the disabled pem policy is not allowed


Carrier-Grade NAT Issues

ID Number Severity Links to More Info Description
1028269-1 2-Critical BT1028269 Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id
1019613-3 2-Critical BT1019613 Unknown subscriber in PBA deployment may cause CPU spike
812705-3 3-Major BT812705 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic
1064217-2 3-Major BT1064217 Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T
1023461 3-Major BT1023461 Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created
1034009-3 4-Minor BT1034009 CGNAT+Subscriber Discovery - NAT IP with wrong route domain on the CGNAT Log


Fraud Protection Services Issues

ID Number Severity Links to More Info Description
1016481-3 3-Major   Special JSON characters in Dom Signatures breaks configuration


Anomaly Detection Services Issues

ID Number Severity Links to More Info Description
1010717-3 3-Major BT1010717 Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI
1060409-3 4-Minor   Behavioral DoS enable checkbox is wrong


Traffic Classification Engine Issues

ID Number Severity Links to More Info Description
1033829-1 2-Critical BT1033829 Unable to load Traffic Classification package
1058349-2 3-Major BT1058349 Requirement of new signatures to detect IMO and Google Duo service
1052153 3-Major   Signature downloads for traffic classification updates via proxy fail
1013629-3 3-Major BT1013629 URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files
776285-1 4-Minor BT776285 No stats returned for 'ltm classification stats urlcat-cloud' component at system startup


Device Management Issues

ID Number Severity Links to More Info Description
663754-2 2-Critical BT663754 Modifying the default management port can break internal functionality
942521-7 3-Major BT942521 Certificate Managers are unable to move certificates to BIG-IP via REST
880565-1 3-Major BT880565 Audit Log: "cmd_data=list cm device recursive" is been generated continuously
835517-1 3-Major BT835517 After upgrading BIG-IP software and resetting HA, gossip may show 'UNPAIRED'
717174-3 3-Major BT717174 WebUI shows error: Error getting auth token from login provider
1029633 3-Major BT1029633 Intermittent REST api failure when using PUT to modify LTM config objects
1049237-2 4-Minor BT1049237 Restjavad may fail to cleanup ucs file handles even with ID767613 fix


iApp Technology Issues

ID Number Severity Links to More Info Description
974193-2 3-Major BT974193 Error when trying to create a new f5.vmware_view.v1.5.9 iApp
842193-1 3-Major BT842193 Scriptd coring while running f5.automated_backup script
818069-6 3-Major BT818069 GUI hangs when iApp produces error message
1042057 3-Major BT1042057 SSL Orchestrator high availability (HA) pair sync issue


Protocol Inspection Issues

ID Number Severity Links to More Info Description
778225-5 3-Major BT778225 vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
1013777-2 3-Major   An error is encountered when enabling reset-learning to all the signatures of a protocol inspection profile in the GUI.
760740-3 4-Minor BT760740 Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running


Guided Configuration Issues

ID Number Severity Links to More Info Description
960133-1 1-Blocking   AGC 8.0 installation failure


In-tmm monitors Issues

ID Number Severity Links to More Info Description
944121-1 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in tmm mode
854129-2 3-Major BT854129 SSL monitor continues to send previously configured server SSL configuration after removal
1046917-3 3-Major BT1046917 In-TMM monitors do not work after TMM crashes
1002345-2 3-Major BT1002345 Transparent DNS monitor does not work after upgrade
788257-2 4-Minor BT788257 Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart


SSL Orchestrator Issues

ID Number Severity Links to More Info Description
956913-2 2-Critical BT956913 HTTPS traffic may fail for Inbound topology gateway mode
1055361-2 2-Critical BT1055361 Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash
964617-2 3-Major BT964617 Connector error "CONNECTOR: Invalid external event HUDEVT_SENT in state Init
890721-2 3-Major BT890721 SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment
887765-3 3-Major BT887765 [SSL Orchestrator] if all pool members of HTTP type services are down, traffic gets reset
873545-2 3-Major BT873545 SSL Orchestrator Configuration GUI freezes after management IP change.
1011169-1 3-Major BT1011169 Upgrade failed with invalid property value "type":"ending-abort"

 

Known Issue details for BIG-IP v15.1.x

999881-4 : Tcl command 'string first' not working if payload contains Unicode characters.

Links to More Info: BT999881

Component: Local Traffic Manager

Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.

Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.

Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.

Workaround:
You can use any of the following workarounds:

-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex

999709-4 : iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.

Links to More Info: BT999709

Component: Local Traffic Manager

Symptoms:
The 'pool'/'virtual' iRule commands cause the specified pool to be used directly. However, with HTTP/2, the 'pool'/'virtual' command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent.

Conditions:
-- A 'pool'/'virtual' command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
-- HTTP/2 Message Routing is disabled.

Impact:
With HTTP/2 configured, the iRule 'pool'/'virtual' commands fail to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired pool/virtual.

Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.

999669-2 : Some HTTPS monitors are failing after upgrade when config has different SSL option

Links to More Info: BT999669

Component: Local Traffic Manager

Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.

Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without).

Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.

Workaround:
None

999125-2 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

999021-3 : IPsec IKEv1 tunnels fail after a config sync from Standby to Active

Links to More Info: BT999021

Component: TMOS

Symptoms:
When racoon (the IKEv1 daemon) sees a tunnel config change, which occurs due to a config sync from the standby device, the change causes tmm and racoon to have conflicting views on the state of that tunnel.

If the IKEv1 tunnel is up at the time of the config change, tmm fails to restart the tunnel.

Conditions:
-- IPsec IKEv1 tunnel in use.
-- Changes made to IPsec IKEv1 tunnel on the Standby BIG-IP device, which are then sync'd to the Active BIG-IP device.
-- And/or a full config sync from the Standby to Active BIG-IP system.

Impact:
IPsec IKEv1 tunnels fail and do not start again.

Workaround:
-- Do not make changes to IPsec IKEv1 tunnels on the Standby device.

-- Avoid full syncs from Standby to Active.

How to recover when the problem occurs:

-- Disable the affected ike-peer and re-enable it.

998957-3 : Mcpd consumes excessive CPU while collecting stats.

Links to More Info: BT998957

Component: TMOS

Symptoms:
Mcpd CPU utilization is 100%.

Conditions:
This can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected.

Impact:
CPU utilization by mcpd is excessive.

Workaround:
None

998945-2 : Load sys config is failing with OOM in MCPD processing

Links to More Info: BT998945

Component: TMOS

Symptoms:
While loading a large config on BIG-IP, mcpd runs at high CPU for a while, then is killed by the OOM killer when MCPD starts increasing rapidly in size.

Conditions:
-- Licensed and provisioned modules: LTM+APM+AFM
-- large number of virtual servers configured and executing "load sys config".

Impact:
Config load fails with std::badalloc with OOM.

998701-2 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.

Links to More Info: BT998701

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.

Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation

Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.

Workaround:
None

998649-3 : Log hostname should be consistent when it contains ' . '

Links to More Info: BT998649

Component: TMOS

Symptoms:
Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.

Conditions:
-- Hostname contains a period
-- Viewing log files emitted from journald and from syslog-ng

Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.

Workaround:
None.

998253-2 : SNI configuration is not sent via HTTPS when in-tmm monitors are disabled

Links to More Info: BT998253

Component: Local Traffic Manager

Symptoms:
The Server Name Indication (SNI) extension is missing on the HTTPS handshake.

Conditions:
-- Global in-tmm monitors are disabled
-- HTTPS monitor traffic

Impact:
The HTTPS client-server handshake occurs without a TLS SNI.

Workaround:
None

997793-2 : Error log: Failed to reset strict operations; disconnecting from mcpd

Links to More Info: K34172543, BT997793

Component: TMOS

Symptoms:
After rebooting the device you are unable to access the GUI. When checking the ltm logs in the SSH / console, it repeatedly prompts an error:

Failed to reset strict operations; disconnecting from mcpd.

Conditions:
Previous EPSEC packages that are still residing on the system from old BIG-IP versions is installing upon boot. An internal timer can cause the installation to be aborted and all daemons to be restarted via 'bigstart restart'

Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.

Workaround:
1. Stop the overdog daemon first by issuing the command:
   systemctl stop overdog

2. Restart all services by issuing the command:
   bigstart restart

3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.

997781 : Support for DSLITE event logging for field format and user format

Links to More Info: BT997781

Component: Advanced Firewall Manager

Symptoms:
NA

Conditions:
NA

Impact:
Though Dslite tunnel src ip and route domain is supported for default mode, the tunnel destination address is not visible.

Workaround:
NA

997561-3 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic

Links to More Info: BT997561

Component: TMOS

Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.

In some circumstances, handling this traffic should not require maintaining state across TMMs.

Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.

Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.

Workaround:
None

997541-3 : Round-robin GRE Disaggregator for hardware and software

Links to More Info: BT997541

Component: TMOS

Symptoms:
GRE tunnel traffic is pinned to one CPU.

Conditions:
GRE traffic is passed through BIG-IP system.

Impact:
Traffic is pinned to one CPU and overall performance is degraded.

Workaround:
None

997433 : When dos.logging interval is greater than 1, the log statistics are not accumulated

Links to More Info: BT997433

Component: Advanced Firewall Manager

Symptoms:
Incorrect DoS statistics may be provide via logs.

Conditions:
DDoS log interval is set to more than 1 second

Impact:
Applications dependent on log provided DoS statistics may be impacted.

Workaround:
Do not change the default log interval value.

997429 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled

Links to More Info: BT997429

Component: Advanced Firewall Manager

Symptoms:
Some DoS-related log messages may be missing

Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports Hardware DDoS mitigation and hardware mitigation and hardware mitigation is not disabled.

Impact:
Applications dependent on log frequency may be impacted.

Workaround:
Configure the mitigation limit about 10% over the attack limit.

996649-4 : Improper handling of DHCP flows leading to orphaned server-side connections

Links to More Info: BT996649

Component: Local Traffic Manager

Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.

Conditions:
Regular DHCP virtual server in use.

Impact:
Traffic is not passed to the client.

Workaround:
None.

996261-3 : Zrd in restart loop with empty named.conf

Links to More Info: BT996261

Component: Global Traffic Manager (DNS)

Symptoms:
The zrd process enters a restart loop:
logger[20015]: Re-starting zrd

Conditions:
This occurs when /var/named/config/named.conf is empty.

Impact:
The zrd process enters a restart loop. If the device is in a sync group, zrd enters a restart loop on all devices.

Workaround:
Restore content to the named.conf file.

995889-2 : Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive

Links to More Info: BT995889

Component: Application Security Manager

Symptoms:
A JSON element of a page behaves in a case-sensitive manner even if the policy is configured as case insensitive.

Conditions:
- Using JSON in a page
- Authentication type is json/ajax
- The policy is configured case-insensitive
- JSON element seen in a request has uppercase letter(s)

Impact:
Case-insensitive configuration fails to detect uppercase JSON elements in a page. This may cause, for example, brute force protection to not trigger.

Workaround:
None

995605-1 : PVA accelerated traffic does not update route domain stats

Links to More Info: BT995605

Component: TMOS

Symptoms:
PVA accelerated traffic does not update route domain stats

Conditions:
-- PVA accelerated traffic.
-- Viewing the route domain stats.

Impact:
The route domain stats may be inaccurate

Workaround:
Use the virtual server stats or ifc_stats instead.

995369-3 : DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm

Links to More Info: BT995369

Component: Global Traffic Manager (DNS)

Symptoms:
Generated DNSSEC keys always use RSA/SHA1 algorithm.

Conditions:
DNSSEC keys are generated with manual key management method.

Impact:
You are unable to create DNSSEC keys with other algorithms.

Workaround:
Choose automatic key management method.

995201-4 : IP fragments for the same flow are dropped if they are received on different VLANs and route domains.

Links to More Info: BT995201

Component: Local Traffic Manager

Symptoms:
When duplicate IP fragments for the same flow (same connection tuple and flow ID) are simultaneously received on different VLANs or route domains, IP datagram reassembly fails.

Conditions:
-- Multicast traffic where identical fragments arrive on two different VLANs.
-- IP fragments for the same flow are received on different VLANs.
-- Alternatively, IP fragments for the same flow are received on different route domains.

Impact:
IP fragments that fail reassembly are dropped.

Workaround:
None

995097-3 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.

Links to More Info: BT995097

Component: TMOS

Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.

For instance, after reloading the configuration, the following section:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { "example.com" }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { "example.com" }
        }
    }
}

Becomes:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { example.com }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { example.com }
        }
    }
}

This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.

Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.

The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).

Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.

The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.

As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.

Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.

Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.

For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:

# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config

On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:

bigstart restart dhclient dhclient6

Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.

994365-3 : Inconsistency in tmsh 'object mode' for some configurations

Links to More Info: BT994365

Component: TMOS

Symptoms:
Tmsh does not support object mode when modifying certain configurations, such as the node configuration. This results in misleading error 'not found' even though the configuration is available.

Conditions:
Modify node config results in error, even though the config is present.

# Node Object 'example' is created successfully
(tmos)# create ltm node example address 1.2.3.4

# On modifying the node 'example', tmsh gives error
(tmos)# modify ltm node example
      Data Input Error: node "example" not found

The modify command does work when a property is specified:
(tmos)# modify ltm node example description "Node 1234"

Impact:
Inconsistent tmsh syntax when using 'object mode' for modifying the configuration.

Workaround:
Use 'tmsh modify' commands, or the GUI, to make the required changes without 'entering' the object in tmsh.

994361-3 : Updatecheck script hangs/Multiple updatecheck processes

Links to More Info: BT994361

Component: TMOS

Symptoms:
Multiple updatecheck and 'rpm -qf' processes running simultaneously.

Updatecheck is not functional

Conditions:
Updatecheck is run periodically via a cronjob. Updatecheck runs 'rpm -qf' command.

Impact:
Due to that 'rpm -qf' command hangs. This causes multiple updatecheck and 'rpm -qf' processes. High CPU and memory usage.

The most likely explanation is that rpmdb has gotten corrupted.

Workaround:
To rebuild rpmdb:

1. Halt all running updatecheck and 'rpm -qf' processes.

2. Run these commands:
rm /var/lib/rpm/__db*
rpm --rebuilddb

994305-1 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5

Links to More Info: BT994305

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools are not available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools are not available.

Workaround:
None.

994269-2 : Message: 'double flow removal' in LTM log file

Links to More Info: BT994269

Component: Local Traffic Manager

Symptoms:
The LTM log contains messages similar to the following:

Oops @ 0x290cfa0:1129: double flow removal.

Conditions:
FastL4 virtual server with iRule containing the FLOW_INIT command.

Impact:
Memory_usage_stat and tmm/umem_usage_stat might reflect incorrect values under increased traffic load when the underlying double flow removal messages persist continuously on the blades.

Workaround:
None

994221-3 : ZoneRunner returns error 'Resolver returned no such record'

Links to More Info: BT994221

Component: Global Traffic Manager (DNS)

Symptoms:
ZoneRunner returns error 'Resolver returned no such record'.

Conditions:
When trying to retrieve TXT records with single backslash.

Impact:
Not able to manage TXT record.

Workaround:
Use double backslashes to retrieve TXT records.

994081-2 : Traffic may be dropped with an Immediate idle timeout setting.

Links to More Info: BT994081

Component: Local Traffic Manager

Symptoms:
When the idle timeout is set to Immediate, flows may be expired while packets are buffered. Buffered packets are dropped. This can impact iRules and non-L4 virtual servers.

Conditions:
-- Idle timeout set to Immediate.
-- iRules are configured or non-L4 virtual servers are used.

Impact:
Traffic is dropped.

Workaround:
You can use either workaround:

-- Configure an L4 virtual server.

-- Consider removing iRules.

994013-2 : Modifying bot defense allow list via replace-all-with fails with match-order error

Links to More Info: BT994013

Component: Application Security Manager

Symptoms:
An error occurs when modifying the allow list (or in case of 'load sys config verify' with similar configuration):

01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.

Conditions:
-- Either modification via replace-all-with:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } }

-- Or delete all, add, save and load-verify:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all }
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}}
tmsh save sys config
load sys config verify

Impact:
You are unable to add-replace the bot defense allow list configuration

Workaround:
You can use either of the following workarounds:

-- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config).
-- Change match-order of custom modify command (to continue with match-order 3 and up).

993921-4 : TMM SIGSEGV

Links to More Info: BT993921

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use 'pool XXXX member XXXX' iRule command.

993517-3 : Loading an upgraded config can result in a file object error in some cases

Links to More Info: BT993517

Component: Local Traffic Manager

Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:

-- 0107134a:3: File object by name (DEFAULT) is missing.

If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.

Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).

Impact:
Other than the error message, there is no impact.

Workaround:
After the initial reboot, save the configuration.

993481-3 : Jumbo Frame issue with DPDK-eNIC.

Component: TMOS

Symptoms:
TMM crashes

Conditions:
-- TMM is using DPDK driver w/ Cisco eNIC
-- TMM receives Jumbo-sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
A) Use a different driver such as sock.
B) Do not use or accept Jumbo-frames. One way to perform this is to set the MTU to <= 1500 using the following tmsh command:
tmsh modify net vlan external mtu 1500

993269-1 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option

Links to More Info: BT993269

Component: Advanced Firewall Manager

Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.

DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.

Conditions:
-- DoS timestamp cookies are enabled, and either of the following:

-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.

Impact:
Traffic is dropped due to incorrect timestamps.

Workaround:
Disable timestamp cookies on the affected VLAN.

992813-2 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.

Links to More Info: BT992813

Component: TMOS

Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.

As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.

For example, you may be returned the following error when attempting to supersede the domain-search option:

01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search

Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.

Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.

Impact:
You are unable to instantiate the desired management-dhcp configuration.

Workaround:
None

992533 : HTML meta tag URL not rewritten when received under single quotes (' ')

Links to More Info: BT992533

Component: Access Policy Manager

Symptoms:
The URL meta tag is not rewritten if it is encapsulated in single quotes.

Conditions:
HTML page with meta tag URL under single quotes('') loaded through Portal access

Impact:
-- Failure in redirection to URL
-- Error in sending request to the URL

Workaround:
Use a custom iRule to find meta tag URL and remove the single ('') before it goes to rewrite. There is no standard iRule as it depends on web application accessed through Portal Access. Here is sample iRule:

when REWRITE_REQUEST_DONE {
    if { [HTTP::path] contains "XXXXX" } {
        #XXXXX is accessed html file
        set replace_metaurl 1
        set host_name [HTTP::host]
    } else {
        set replace_metaurl 0
    }
}


when HTTP_RESPONSE {
    if {$replace_metaurl == 1} {
        if { [HTTP::header exists "Content-Length"] and [HTTP::header "Content-Length"] <= 1048576 } {
            HTTP::collect [HTTP::header Content-Length]
        } else {
            HTTP::collect 2097152 ;# 2MB
        }
    }
}

when HTTP_RESPONSE_DATA {
    if {$replace_metaurl == 1} {
        # Workaround for support meta tag URL under ''
        # Find the meta tag URL and remove ''
        HTTP::release
    }
}

992449-3 : The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI

Links to More Info: BT992449

Component: TMOS

Symptoms:
The total number of cores for a multi-slot vCMP guest is not shown correctly on the GUI page for a vCMP guest.

Conditions:
-- vCMP Host on VIPRION platforms with multiple blades.
-- vCMP guest spanning two or more blades.

Impact:
Incorrect number of cores listed.

-- The vCMP :: Guest List page shows all cores for all slots.
-- The vCMP -> Guest List specific_guest page shows only cores for that guest's slot.

Workaround:
View the Guest List page to see a graphical representation of the number of cores per guest.

992253-2 : Cannot specify IPv6 management IP addresses using GUI

Links to More Info: BT992253

Component: TMOS

Symptoms:
You are unable to set the IPv6 mgmt IP address using the GUI, even if the IPv6 address format is a not a short address. When you submit the change, the field is empty.

Conditions:
Attempt to set up IPv6 management address using the GUI

Impact:
You are unable to configure IPv6 management addresses using the GUI.

Workaround:
Use tmsh:

tmsh create sys management-ip <address>/<netmask>
tmsh create sys management-route default-inet6 <address>

992241-1 : Unable to change initial admin password from GUI after root password change

Links to More Info: BT992241

Component: TMOS

Symptoms:
While trying to change the admin password from GUI, an error occurs:
-- Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Change the password for the root user the first time, before the admin password has been changed. This action sets both the root and admin password at the same time.

-- Navigate to the GUI and attempt to update the admin password.

Impact:
GUI password change fails.

Workaround:
You can use either of the following workarounds:

-- Change the password admin via the GUI before changing the root admin via ssh.

-- After changing the root password, use tmsh to set the admin password using the command:

modify auth user admin password.

992097-2 : Incorrect hostname is seen in logging files

Links to More Info: BT992097

Component: TMOS

Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".

Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.

Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.

Workaround:
None

991765-2 : Inheritance of staging_period_in_days from policy template

Links to More Info: BT991765

Component: Application Security Manager

Symptoms:
Enforcement readiness period of newly created Policy does not get its value from Policy Template.

Conditions:
Creating new ASM Policy from a template with an Enforcement readiness period different from the default (default is 7).

Impact:
Newly created policy has an incorrect configuration.

Workaround:
Create the Policy using tmsh or REST API.

991501-3 : Pool members with HTTPS monitor may be incorrectly marked down.

Links to More Info: BT991501

Component: Local Traffic Manager

Symptoms:
A pool with an HTTPS monitor may have its members marked down due to the monitor not being able to find a matching cipher for the SSL connection. This occurs when the @STRENGTH keyword is provided in the cipher suites list in the server SSL profile used by the HTTPS monitor, because bigd does not handle this keyword correctly.

Conditions:
Problem is observed when all conditions listed below are met:
- The db variable bigd.tmm set to disable (default setting).
- Pool is using an HTTPS monitor.
- The HTTPS monitor uses a custom server SSL profile.
- The server SSL profile uses a cipher string with @STRENGTH keyword.

Impact:
Pool members are wrongly marked down, preventing them from handling incoming traffic.

Workaround:
1. Select the cipher group instead of cipher suites in the server SSL profile.
2. Manually enter the ciphers in the desired order.

991265-2 : Persistence entries point to the wrong servers for longer periods of time

Links to More Info: BT991265

Component: Local Traffic Manager

Symptoms:
Persistence entries point to the wrong servers for a longer than expected.

Conditions:
A pool member goes down, causing the persistence entry to change to a new pool member. Then, the pool member comes back up.

Impact:
The persistence entry does not change to the pool member that came back up. It does not expire as client requests using this cookie continue to refresh the persistence entry that goes to the wrong server.

This can delay recovery of the pool members when they are marked down for regular maintenance, or if all pool members are cycled up/down periodically, it causes persistence entries to point to the wrong servers for longer periods of time than necessary.

Workaround:
None.

991037-2 : MR::message can cause tmm crash

Links to More Info: BT991037

Component: Service Provider

Symptoms:
The iRule command MR::message drop can occasionally trigger a memory corruption and tmm crash.

Conditions:
The iRule command MR::message drop is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

990929-3 : Status of GTM monitor instance is constantly flapping

Links to More Info: BT990929

Component: Global Traffic Manager (DNS)

Symptoms:
Status of GTM monitor instance is constantly flapping.

Conditions:
GTM devices in a GTM sync group configured with IP addresses that can not communicate with each other.

Impact:
Resources are marked offline constantly.

Workaround:
Remove from the GTM server object definition the IP addresses that do not communicate with each other.

990853-3 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.

Links to More Info: BT990853

Component: TMOS

Symptoms:
The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file:

-- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition
-- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410.

Conditions:
-- Multi-blade VIPRION system provisioned as vCMP host.
-- The system is configured with partitions using non-default route-domains.
-- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest.
-- A non-Common partition is selected in the GUI Partition drop-down menu when making the change.

Impact:
MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart.

Workaround:
Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI.

990461-3 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

990173-3 : Dynconfd repeatedly sends the same mcp message to mcpd

Links to More Info: BT990173

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.

Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.

This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.

990073 : BIG-IP software v13.1.3.6, v14.1.4, v15.1.2.1, v16.0.1.1 or later require APM Clients 7.1.8.5, 7.1.9.8, or 7.2.1.1

Links to More Info: BT990073

Component: Access Policy Manager

Symptoms:
APM end user clients fail to establish VPN access using the browser to BIG-IP APM systems running 13.1.3.6, 14.1.4, 15.1.2.1, or 16.0.1.1 with APM Client versions 7.1.8.4, 7.1.9.7, 7.2.1 or earlier in their respective software branches.

You may observe the following error message in a pop up dialog of the browser when the network access fails to launch:
=============
"F5 VPN - Your session could not be established"

"Your session could not be established.
The session reference number: nnnnnnnn

Application will be closed"
=============

Conditions:
-- This can occur after upgrading to the following BIG-IP versions:

   - 13.1.3.6
   - 14.1.4
   - 15.1.2.1
   - 16.0.1.1

-- APM end user clients are running 7.1.8.4 or earlier, 7.1.9, 7.1.9.7, or 7.2.1.

Impact:
APM end user clients, using the browser, cannot establish VPN access to the BIG-IP system.

Workaround:
Edge Clients (apmclients) versions 7.1.8.4, v7.1.9, and v7.1.9.7 (and earlier), do not work with BIG-IP versions beginning with v16.0.1.1, v15.1.2.1, v14.1.4, or v13.1.3.6. You must use later Edge Client versions.

-- If you are running 7.1.8.4 and earlier, upgrade to 7.1.8.5.
-- If you are running 7.1.9 or 7.1.9.7, upgrade to 7.1.9.8.
-- If you are running 7.2.1, upgrade to 7.2.1.1.

You can find versions 7.1.8.5, 7.1.8.9 and 7.2.1.1 on the F5 Downloads site :: https://downloads.f5.com/esd/index.jsp

For more information, see K13757: BIG-IP Edge Client version matrix :: https://support.f5.com/csp/article/K13757 and K01733249: What version of BIG-IP Edge Client should I use on my APM? :: https://support.f5.com/csp/article/K01733249

989937-1 : Device Trust Certificates Expiring after 2038-01-19 show date of 1969

Links to More Info: BT989937

Component: TMOS

Symptoms:
If you import a Certificate into the Device Trust Certificates that expires after 2038-01-19, the system GUI shows an expiration date of 1969.

Conditions:
Certificate expiring on/after 2038-01-19T03:14:08Z.

Impact:
The expiration date in the GUI shows 1969. This does not impact iquery or device function.

Workaround:
You can use the command line interface to view the certificate:

$ cd /config/big3d
$ openssl crl2pkcs7 -nocrl -certfile client.crt | openssl pkcs7 -print_certs -noout -text | grep "Issuer:\|Subject:\|Not Before:\|Not After :"

989517-2 : Acceleration section of virtual server page not available in DHD

Links to More Info: BT989517

Component: TMOS

Symptoms:
The acceleration section in the virtual server page(UI) is not visible if a DHD license is installed.

Conditions:
The acceleration section is not visible in case "Dos" is provisioned

Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.

2) Loss of configuration items if making changes via the GUI.

Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH

989353-1 : Block column of policy signature list always shows a checkmark, regardless of policy enforcement mode

Links to More Info: BT989353

Component: Application Security Manager

Symptoms:
The 'Block' column on the policy signature screen always shows checkmarks, regardless of policy enforcement mode.

Conditions:
Signature Set has BLK enabled, and the policy is in Transparent mode.

Impact:
Misreporting of the 'Block' setting when viewed in the GUI.

Workaround:
None

988745-3 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm

Links to More Info: BT988745

Component: TMOS

Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:

-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.

-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom

Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration,

Impact:
There is no functional impact to these error messages.

Workaround:
None.

988165-2 : VMware CPU reservation is now enforced.

Component: TMOS

Symptoms:
CPU reservation is not enforced which can result in users over-subscribing their hosts.

Conditions:
BIG-IP Virtual Edition running in VMware.

Impact:
If a host is oversubscribed, performance can suffer as traffic volumes increase.

Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.

987885-4 : Half-open unclean SSL termination might not close the connection properly

Links to More Info: BT987885

Component: Local Traffic Manager

Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.

Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.

Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.

Workaround:
None.

987709-4 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition

Links to More Info: BT987709

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load with errors similar to this:

01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2
Unexpected Error: Loading configuration process failed

Conditions:
There is a wide IP with the same name in another partition as the static target CNAME pool member.

Impact:
Gtm config fails to load.

Workaround:
Create the wide IP first and then add the static target CNAME pool member.

987453-1 : Bot Defense browser verification fails upon iframes of different top-level domains

Component: Application Security Manager

Symptoms:
When using Bot Defense on a page which has an iframe to a different top-level domain, the iframe may fail to load.

Conditions:
Page has an iframe on a different top-level domain than that of the main page. Note that iframes with different sub-domains are not impacted.

Impact:
Page resources may fail to load.

Workaround:
None

987401-2 : Increased TMM memory usage on standby unit after pool flap

Links to More Info: BT987401

Component: Local Traffic Manager

Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device.

Conditions:
Standby device with UDP mirroring traffic and datagram-load-balancing disabled.

Impact:
The standby device may not be able to take over traffic when failover happens.

Workaround:
None.

987301-1 : Software install on vCMP guest via block-device may fail with error 'reason unknown'

Links to More Info: BT987301

Component: TMOS

Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.

-- /var/log/liveinstall may contain an error similar to:

I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty

-- /var/log/kern.log may contain an error similar to:

Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712

Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:

 tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3

Impact:
Sometimes the EHF installation fails on the guest.

Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.

987133-2 : Non-EDNS response with RCODE FORMERR are blocked by dns-qdcount-limit vector.

Links to More Info: BT987133

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS request to a non-EDNS-capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests if the dns-qdcount-limit vector is enabled.

Conditions:
-- The client sends a DNS request to NON-EDNS capable server.
-- The server replies with RCODE FORMERR and no DNS data.
-- The dns-qdcount-limit vector is enabled.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a response from the EDNS server

Workaround:
Disable dns-qdcount-limit vector:

security dos device-config /Common/dos-device-config {
    dos-device-vector {
        dns-nxdomain-query {
            state disabled
        }
    }
}

987081-3 : Alarm LED remains active on Secondary blades even after LCD alerts are cleared

Links to More Info: BT987081

Component: TMOS

Symptoms:
When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition.

When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared).

However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages.

Conditions:
This occurs when:
-- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display.
-- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command.

Impact:
The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared.

Workaround:
To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade.

For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis:
-- clsh --slot=4 "bigstart restart fpdd"
-- ssh slot4 "bigstart restart fpdd"

Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly.

987077-1 : TLS1.3 with client authentication handshake failure

Links to More Info: BT987077

Component: Local Traffic Manager

Symptoms:
SSL handshakes are failing, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OSCP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
A handshake failure occurs.

Workaround:
Use TLS1.2 or use TLS1.3 without LTM authentication profile.

985925-1 : Ipv6 Routing Header processing not compatible as per Segments Left value.

Links to More Info: BT985925

Component: Local Traffic Manager

Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.

Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.

Workaround:
None

985749-3 : TCP exponential backoff algorithm does not comply with RFC 6298

Links to More Info: BT985749

Component: Local Traffic Manager

Symptoms:
The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets.

Conditions:
Using TCP.

Impact:
Retransmission timeout interval depends on the inclusion/exclusion of SYN flag.

Workaround:
None

985401-3 : ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached

Links to More Info: BT985401

Component: Local Traffic Manager

Symptoms:
Attempting to attach a web acceleration profile to a virtual server that has an SSL profile with ProxySSL enabled will result in the following validation error:

A validation error similar to:

01070734:3: Configuration error: Proxy SSL is not compatible with Web Acceleration profile on Virtual Server (<virtual server name>).

Conditions:
-- Virtual server using an SSL profile with ProxySSL enabled.
-- Attaching a web acceleration (webacceleration) profile to the virtual server.

Impact:
Unable to use the web acceleration profile with ProxySSL virtual servers.

Workaround:
Avoid using ProxySSL virtual servers with web acceleration (ramcache) profiles attached.

985205-1 : Event Log and Traffic Learning screens fail to load request details

Links to More Info: BT985205

Component: Application Security Manager

Symptoms:
Event Log and Traffic Learning screens get stuck with loading animation. and request details are not displayed.

Conditions:
This problem might be introduced during upgrading, so you see the symptom with the post-upgrade version (boot location).

Impact:
Event Log and Traffic Learning screens do not function as expected.

Workaround:
You can manually trigger populating missing items in the database to recover from the problem.

1. When this problem occurs, you see all or some of rows have no value in the following output:

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "select rest_uuid from PLC.VIOLATIONS"
+-----------+
| rest_uuid |
+-----------+
| |
| |
| |
...snip...

2. Trigger populating those missing values:

# perl -MF5::ASMConfig::Entity::Base -MF5::DbUtils -MF5::Utils::Rest -e 'F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh())'

3. Verify those values are indeed populated"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "select rest_uuid from PLC.VIOLATIONS"
+------------------------+
| rest_uuid |
+------------------------+
| -GXGw7y7XeOe4EYDgpXA9g |
| -wRSIageblaImzwhL3Pobw |
| 0GtnXx4yBFSqaB7STLh1tA |
...snip...

4. You might need to restart this daemon to make the changes take effect.
 
# pkill -f asm_config_server

5. Wait 30 seconds.

NOTE: None of these steps have any impact on traffic. The last step halts ASM control plane functionality for 30 seconds or so. During that time you lose access to the ASM part of GUI, cannot change the ASM configuration, and cannot perform config-sync operations.

985001-3 : Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition

Links to More Info: BT985001

Component: Global Traffic Manager (DNS)

Symptoms:
Taiwan, Hong Kong, and Macau are defined as countries in DNS/GTM Topology definition.

Conditions:
In GUI screen, under GSLB/Topology/Records and GSLB/Topology/Regions, 'Country' field can be used to specify Taiwan, Hong Kong, and Macau.

Impact:
Taiwan, Hong Kong, and Macau can be configured as countries in GSLB/Topology screens.

Workaround:
Change 'Country' label to 'Country/Location' and the 'Country/State' label to 'Country/Location/State'.

984897-3 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.

Links to More Info: BT984897

Component: Local Traffic Manager

Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.

Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.

Conditions:
A virtual server configured to perform SSL connection mirroring.

Impact:
Should the units fail over, some connections may not survive as expected.

Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.

Workaround:
None.

984749-2 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache"

Component: Global Traffic Manager (DNS)

Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".

Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache"

Impact:
Client Cache Hit/Miss Statistics ratio affected.

984585-1 : IP Reputation option not shown in GUI.

Links to More Info: BT984585

Component: TMOS

Symptoms:
Cannot configure IP Reputation option from the GUI.

Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.

Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.

Workaround:
Use tmsh to configure IP Reputation.

984521-2 : Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name

Links to More Info: BT984521

Component: Application Security Manager

Symptoms:
Bot Defense profile checks if a page is not an HTML page by checking the file extension (among other ways).

In case the filename contains a dot (.) - the parsing is wrong and it is not detected as incompatible. As a result, the Accept-Encoding header is removed (to allow injection in the response).

Conditions:
-- Bot Defense profile is attached to s virtual server configured with any response injection (Device ID, Browser Verification, or Single Page Application).
Request is sent to an incompatible file extension (one of gif,png,bmp,jpg,ico,css,mp3,mp4,mpg,avi,wmv,mov,3gp,fla,swf,js), and filename contains a dot (.).

Impact:
Accept-Encoding header is removed, causing the server to not send a gzipped response.

Workaround:
Add this specific URL to sys db:

dosl7.parse_html_excluded_urls

984449-1 : Unnecessary swagger validation violation may raise due to behavioral WAF parameter traps that have identical name

Component: Application Security Manager

Symptoms:
An unnecessary swagger validation violation may be raised about illegal parameters which is actually the parameter trap that was injected by ASM and failed to be ignored by the enforcer. Only one of these parameter traps will be ignored - enforcement will be avoided for it. Expected behavior is to avoid enforcement for both parameters traps.

Conditions:
Security team provide 2 traps with type parameter and with identical name but with different values. In adition one of these parameter traps was injected by ASM to the web-page.

Impact:
Unecessary swagger validation violation may raise regarding one of these parameters traps and request may be blocked, instead of ignoring swagger enforcement for both parameters traps.

Workaround:
None.

983021-2 : Tmsh does not correctly handle the app-service for data-group records

Links to More Info: BT983021

Component: TMOS

Symptoms:
-- The guishell shows the app_id as the default application for the folder /Common/example_app.app and not what was specified, which was 'none'.

-- If the record has an app_id configured, the output of tmsh list data-group should list the app-service.

Conditions:
Create an application service using tmsh.

Impact:
-- Unable to properly manage the lifecycle of data-group records created via an iApp.

-- Unable to update data-group records at all via iControl REST, because the entire set of records must be managed altogether, and strict-updates prevents the existing records from being modified.

-- Inconsistent behavior across a save-and-load operation.

(The app-service is not serialized to the configuration, so after save and load, the app-service is dropped from the data-group records.)

Workaround:
After every iApp template deploy/update, run the following command:

tmsh save sys config && tmsh load sys config

982993-4 : Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail

Links to More Info: BT982993

Component: Local Traffic Manager

Symptoms:
Gateway ICMP monitors configured with IPv6 destinations and IPv6 transparent nexthop do not work if the IPv6 destination address is not directly connected, but reachable via an intermediate hop.

Conditions:
An IPv6 monitor's destination address is not directly connected, but reachable via intermediate hop.

Impact:
Monitor status remains DOWN.

Workaround:
Consider monitoring the actual target.

981485-4 : Neurond enters a restart loop after FPGA update.

Links to More Info: BT981485

Component: TMOS

Symptoms:
After FPGA firmware upgrade, the neurond process might enter a restart loop, unable to recover.

When the problem is present you might see logs similar to:
-- notice chmand[6674]: 012a0005:5: FPGA PNP FW upgrade check: req type 0, file:Latest
-- notice chmand[6674]: 012a0005:5: FPGA: Requesting type: 0, vers: Latest
-- notice chmand[6674]: 012a0005:5: FPGA: current type: 2, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.23.5.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: FPGA: match for type: 0, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.6.7.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: removed /var/db/mcpdb.* FPGA current disk firmware updated to: /L7L4_BALANCED_FPGA type: 0
-- notice chmand-fpga-pnp[17551]: Stopping TMM, BCM56xxd, and neurond
-- notice logger[17553]: /bin/bash /etc/init.d/fw_pnp_upgrade upgrade restart ==> /usr/bin/bigstart stop tmm bcm56xxd neurond

Conditions:
FPGA firmware mismatch, leading to FPGA firmware upgrade.

Impact:
Enhanced flow acceleration provided by the Neuron chip cannot be utilized.

Workaround:
Perform a full system restart.

981145-3 : DoS events do not include the attack name for "tcp syn ack flood"

Links to More Info: BT981145

Component: Advanced Firewall Manager

Symptoms:
BIG-IQ does not display the attack name for a 'tcp syn ack flood' attack.

Conditions:
DoS on BIG-IP enabled to address 'tcp syn ack flood' attack.

Impact:
Lack of DoS attack information. The mitigation occurs as expected. Only the notification information is missing.

Workaround:
None.

980617-3 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles

Links to More Info: BT980617

Component: Local Traffic Manager

Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.

Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured

Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.

Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.

980593 : LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table

Links to More Info: BT980593

Component: Advanced Firewall Manager

Symptoms:
LSN logging stats are always 0 (zero) for log_attempts and log_failures in tmctl table fw_lsn_log_stat if lsn_legacy_mode is set as disabled.

Conditions:
The lsn_legacy_mode value is disabled.

Impact:
The log_attempts and log_failures are always 0 in tmctl table fw_lsn_log_stat.

Workaround:
None

979213-2 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.

Links to More Info: BT979213

Component: Local Traffic Manager

Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.

The spikes may report unrealistically high levels of traffic.

Note: Detailed throughput graphs are not affected by this issue.

Conditions:
This issue occurs when the following conditions are met:

-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.

Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.

Workaround:
None.

979045-3 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms

Links to More Info: BT979045

Component: TMOS

Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later, certain BIG-IP hardware systems. The Trusted Platform Module (TPM), status is showing as INVALID.

Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
   - ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
   - i11600 / i11800
   - i11400-DS / i11600-DS / i11800-DS

Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.

Workaround:
None.

978953-2 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up

Links to More Info: BT978953

Component: Local Traffic Manager

Symptoms:
During the initial boot of the device the MTU of the tmm_bp kernel interface is out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
 tmsh show /net vlan all-properties -hidden.
 tmsh list net vlan tmm_bp all-properties -hidden.

Additionally, running the following command:

modify sys db vlan.backplane.mtu value <some value> (within the range accepted), and saving the configuration change does not last through a reboot.

Conditions:
This issue occurs on the first boot intermittently.

Impact:
When the values are seen at non-sync, after the modification of the backplane vlan mtu and saving the config, changing the mtu config value does not last through a reboot.

Workaround:
Rebooting the device resolves the issue

977953-2 : Show running config interface CLI could not fetch the interface info and crashes the imi

Links to More Info: BT977953

Component: TMOS

Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.

If you run 'show running-config interface', imi crashes.

Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command

Impact:
Imish cannot retrieve interface information from the show running-config command.

Workaround:
* Enable OSPF. For example,

  # tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }

  # ps -ef | egrep -i ospf
  root 11954 4654 0 11:25 ? S 0:00 ospf6d%0

977657-2 : SELinux errors when deploying a vCMP guest.

Links to More Info: BT977657

Component: TMOS

Symptoms:
An error occurs:
SELinux avc: denied { write } for pid=9292 comm="rpm" name="rpm".

Conditions:
The error occurs when the system is started back up after provisioning VCMP.

Impact:
SELinux avc is denied write permission for rpm_var_lib_t.

977625-3 : GTM persistence records linger in tmm

Links to More Info: BT977625

Component: Global Traffic Manager (DNS)

Symptoms:
-- GTM persistence records are not cleared.
-- GTM still answers from persist records even though the persist records not listed by the "tmsh show gtm persist" command.

Conditions:
Persistence for wideip or application is disabled and then enabled quickly afterwards

Impact:
GTM answers from stale persist records.

Workaround:
Do not enable persistence right after disabling.

977425 : APM - nlad & eca restarting in loop after upgrade

Links to More Info: BT977425

Component: Access Policy Manager

Symptoms:
After upgrading and rebooting, nlad and eca restart continuously.

Conditions:
-- Upgrading BIG-IP from 13.1.1 to 15.1.1
-- NTLM configured in APM
-- The system is rebooted after upgrading

Impact:
Nlad and ECA crashes continuously.

977153-1 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded

Links to More Info: BT977153

Component: Local Traffic Manager

Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.

Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.

Workaround:
None.

977113-5 : Unable to configure dependency for GTM virtual server if pool member dependency exists

Links to More Info: BT977113

Component: TMOS

Symptoms:
The following error is displayed when configuring GTM virtual server dependency:
01020037:3: The requested GTM depends (/Common/Generic-Host GH-VS1 /Common/DC1-DNS1 /Common/VS1) already exists.

Conditions:
The pool member dependency exists for the same virtual server.

Impact:
Not able to configure GTM virtual server dependency at GTM server level.

Workaround:
First creating GTM virtual server dependency at GTM server level, and then create pool member dependency.

976669-2 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Links to More Info: BT976669

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/

976621-3 : SIP ALG not processing IPv6 in NAT64 UDP

Links to More Info: BT976621

Component: Advanced Firewall Manager

Symptoms:
NAT64 UDP does not work with application layer gateway (ALG) profiles configured for SIP traffic.

Conditions:
-- ALG profiles configured for SIP traffic.
-- NAT and IPv6 UDP traffic.

Impact:
NAT translation does not happen for IPv6 UDP traffic with SIP ALG.

Workaround:
Enable NAT64 explicitly for UDP SIP traffic to be translated.

976525-3 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled

Links to More Info: BT976525

Component: Local Traffic Manager

Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.

Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.

Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.

Workaround:
Use either of the following workarounds:

-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable

-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.

976517-1 : Tmsh run sys failover standby with a device specified but no traffic group fails

Links to More Info: BT976517

Component: TMOS

Symptoms:
The tmsh run /sys failiover standby device <device> command fails and returns an error if no traffic-group is specified:

Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).

Conditions:
Two or more BIG-IPs configured with high availability (HA)

Impact:
You are required to specify all the traffic groups you want to failover to a peer.

Workaround:
For each traffic group that you want to failover to a peer run the tmsh run /sys failover standby.

For example if you want to fail over both traffic groups traffic-group-1 and traffic-group-2 to failover to bigip2.localhost, run the following:

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2

If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):

tmsh run /sys failover standby

976337-1 : i40evf Requested 4 queues, but PF only gave us 16.

Links to More Info: BT976337

Component: TMOS

Symptoms:
During BIG-IP system boot, a message is logged:

i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.

Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)

Impact:
A message is logged but it is benign and can be ignored.

976101-2 : TMM crash after deleting an interface from a virtual wire vlan

Links to More Info: BT976101

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual wire enabled
-- Delete an interface from the virtual wire vlan.

Impact:
Traffic disrupted while tmm restarts.

976013-4 : If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards

Links to More Info: BT976013

Component: TMOS

Symptoms:
A disabled interface is not getting enabled.

Conditions:
-- An interface is disabled
-- bcm56xxd is restarted

Impact:
The interface remains on disable state and no traffic passes via that interface.

Workaround:
Restart bcm56xxd again.

975725-3 : Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast

Links to More Info: BT975725

Component: Local Traffic Manager

Symptoms:
L3 unicast traffic with L2 broadcast destination MAC (ff:ff:ff:ff:ff:ff) matching wildcard virtual servers is not handled properly.

Conditions:
Wildcard virtual server is configured to handle such traffic.

Impact:
Traffic will not be forwarded properly.

Workaround:
Use specific non-wildcard virtual-server.

975657 : With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond

Links to More Info: BT975657

Component: Local Traffic Manager

Symptoms:
Partial content (<= max allowed "write-size" in HTTP2 profile i.e. 32KB) can be sent to client via the HTTP:respond iRule command.

Conditions:
-- HTTP2 enabled on virtual server
-- Content sent by the iRule exceeds 32KB

Impact:
Client fails to receive the whole content

974985-2 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable

Component: Application Security Manager

Symptoms:
Non http traffic isn't forwarded to the backend server

Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied at when CLIENT_ACCEPTED {}

Impact:
Broken webapps with non-http traffic

Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>

974513-2 : Dropped requests are reported as blocked in Reporting/charts

Links to More Info: BT974513

Component: Application Security Manager

Symptoms:
Dropped requests are reported as blocked in Reporting/charts.

Conditions:
Request is dropped (or client side challenge / captcha is not answered) as part of a brute force mitigation or a slow post attack causes dropping of a request.

Impact:
Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops.

Workaround:
None.

974409-2 : False Positive "Surfing Without Human Interaction"

Component: Application Security Manager

Symptoms:
When using Bot Defense profile, and an application contains many HTML pages which are not qualified (not even accept: text/html), a "Surfing Without Human Interaction" anomaly is mis-counted and falsely raised.

Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- The application contains many HTML pages which can be detected as such from the request.

Impact:
Real clients might or might not be blocked, it depends on the environment.

Workaround:
None.

974225-2 : Link Status traps are not issued on VE based BIG-IP systems

Links to More Info: BT974225

Component: TMOS

Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.

Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).

Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.

On BIG-IP Virtual Edition, logs are emitted but traps do not occur.

An SNMP client waiting for a Link Status trap on an administrator to enable or disable then, does not receive the trap.

Workaround:
None.

974193-2 : Error when trying to create a new f5.vmware_view.v1.5.9 iApp

Links to More Info: BT974193

Component: iApp Technology

Symptoms:
Error when trying to create a f5.vmware_view.v1.5.9 iApp

Configuration Warning: New virtual address (/Common/10.10.10.10) used by server with access profile attached has traffic group (/Common/traffic-group-1) that is different from existing one (/Common/traffic-group-exchange). Change it to the existing one

Conditions:
-- Create a new f5.vmware_view.v1.5.9 iApp
-- iApp uses a traffic group other than the default traffic-group-1

Impact:
Unable to create new f5.vmware_view.v1.5.9 iApp

Workaround:
None.

973341-2 : Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt

Links to More Info: BT973341

Component: Global Traffic Manager (DNS)

Symptoms:
Bigip_add, big3d_install, gtm_add will not work.

Conditions:
Device cert is customized.

Impact:
Bigip_add, big3d_install, gtm_add not work.

Workaround:
Copy the content of the new cert to default file "/etc/httpd/conf/ssl.crt/server.crt".

972785-6 : Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP

Links to More Info: BT972785

Component: TMOS

Symptoms:
While creating a virtual server using iControl SOAP you get an error:

error_string : 0107004d:3: Virtual address (/VPN_WEB_01/0.0.0.0%201) encodes IP address (0.0.0.0%201) which differs from supplied IP address field (10.10.10.50%201).'

Conditions:
-- Using iControl SOAP to create a virtual server.
-- The virtual server is assigned to a partition that uses a non-default route domain.

Impact:
Unable to create the virtual server with the iControl SOAP command.

Workaround:
First create the virtual server with a default Virtual Address ('0.0.0.0'). and then update the virtual address with the desired address.

Example:
ltm.LocalLB.VirtualServer.create([{'name': 'vs_test_9095', 'address': '0.0.0.0', 'port': 9090, 'protocol': 'PROTOCOL_TCP'}], ['255.255.255.255'], [{'type': 'RESOURCE_TYPE_POOL'}], [[{'profile_context': 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name': 'fastL4'}]])
ltm.LocalLB.VirtualServer.set_destination_v2(['vs_test_9095'],[{'address': '10.10.10.50', 'port': 9090}])

971217-2 : AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.

Links to More Info: BT971217

Component: Local Traffic Manager

Symptoms:
An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.

Conditions:
-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.

-- Client sends HTTP POST request with Content-Length:0

Impact:
POST requests of Content-Length 0 cannot be disabled separately from general "Unparsable request content".

Workaround:
None.

971009-1 : SNMPv3 alerts are not sent after upgrade to post 15.1.0.3 firmware

Links to More Info: BT971009

Component: TMOS

Symptoms:
SNMPv3 alerts are not sent after upgrade to post 15.1.0.3 firmware. SNMPv2 traps are not affected.

Conditions:
This is encountered after upgrading to firmware version 15.1.0.4 or higher.

Impact:
SNMPv3 traps are not sent.

Workaround:
Restart alertd:
tmsh restart sys service alertd

970341 : Messages are not forwarded when "disable-parser" is set to "NO" in Generic Message Profile

Links to More Info: BT970341

Component: Service Provider

Symptoms:
In the BIG-IP Generic Message profile, if "disable-parser" is set to "YES", parsing and message forwarding should be performed using iRule code, but this does not occur.

Conditions:
-- Generic message MRF Profile
-- Set "disable-parser" to "YES" in generic message profile in BIG-IP system

Impact:
Messages accumulated at Generic Message filter in tmm and not routed to server

Workaround:
Message can be forwarded using below iRule command in egress direction

when GENERICMESSAGE_EGRESS {
     SCTP::respond "[GENERICMESSAGE::message data]\n"
}

969737-1 : Snmp requests not answered if V2 traps are configured

Links to More Info: BT969737

Component: TMOS

Symptoms:
SNMP requests are not answered except the ones sent to the localhost ip address.

Conditions:
V2 traps are configured, for example:

tmsh modify sys snmp v2-traps add { ...

Impact:
SNMP external requests fail

Workaround:
Move all traps configured under 'v2-traps' to 'traps' in the configuration

969553-2 : A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries.

Links to More Info: BT969553

Component: Global Traffic Manager (DNS)

Symptoms:
- A DNS Cache (or Network DNS Resolver) returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers.

- When this happens, the BIG-IP system can be seen reject the responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).

- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:

debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point

- If a Network DNS Resolver is used with an HTTP Explicit Proxy profile, the symptoms can appear as "503 Service Unavailable" responses to clients due to DNS lookup failure.

Conditions:
This issue occurs when the following conditions are met:

- A DNS Cache (or Network DNS Resolver) is in use on the BIG-IP system.

- The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions.

- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.

- 'Randomize Query Character Case' is enabled in the DNS Cache (or Network DNS Resolver).

- If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.

Impact:
Clients of the BIG-IP DNS Cache (or Network DNS Resolver) are not returned an answer. As a result, application failures may occur.

Workaround:
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Cache (or Network DNS Resolver) settings.

969329-2 : Dashboard: Chart title/legend 'Control Plane' needs to be modified within dashboard of BIG-IP

Links to More Info: BT969329

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) uses a virtualized core, so there is no hyper-threading. This means the data plane and control plane share a single CPU core. However, the Dashboard allows you to select CPU data for 'Control Plane' beside System Average.

Conditions:
View GUI Dashboard on BIG-IP VE or HTsplit-disabled appliances.

Impact:
Dashboard chart title creates confusion.

Workaround:
None.

968953-3 : Unnecessary authorization header added in the response for an IP intelligence feed list request

Links to More Info: BT968953

Component: Advanced Firewall Manager

Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.

Conditions:
Feed list configured without username/password pair.

Impact:
Feed List request from dwbld adds unnecessary Authorization header. There is no functional impact.

Workaround:
None.

968949-5 : Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile

Links to More Info: BT968949

Component: Local Traffic Manager

Symptoms:
When a client-side connection goes into FIN_WAIT_2, BIG-IP does not send keepalives even if they are being sent on the server-side connection.

Conditions:
- Virtual server configured with a TCP profile and network listener.

Impact:
Client-side connections timeout prematurely.
As a result, the server-side connections end up being open indefinitely.

Workaround:
No workaround currently known.

968581-2 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description

Links to More Info: BT968581

Component: Local Traffic Manager

Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.

Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.

Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.

967769-2 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks

Links to More Info: BT967769

Component: TMOS

Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:

    notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.

Conditions:
-- Running on a platform that incorporates 'HiGig MAC' network interfaces.
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

967737-2 : DNS Express: SOA stops showing up in statistics from second zone transfer

Links to More Info: BT967737

Component: Global Traffic Manager (DNS)

Symptoms:
Start of Authority (SOA) record is not displayed in zone statistics.

Conditions:
The issue appears after the 2nd zone transfer.

Impact:
This is a cosmetic issue without any actual impact.

Workaround:
None

967573-2 : Qkview generation from Configuration Utility fails

Links to More Info: BT967573

Component: TMOS

Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.

Conditions:
Trying to generate a Qkview using the Configuration Utility.

Impact:
The Configuration Utility cannot be used to generate a qkview.

Workaround:
Use the qkview command to generate a qkview from the command line.

967557-2 : Improve apm logging when loading sys config fails due to corruption of epsec rpm database

Links to More Info: BT967557

Component: TMOS

Symptoms:
Loading sys config fails and mcpd may not be running properly due to corruption of EPSEC rpm database. It is difficult to tell from logs that the issue is with epsec rpm database. This error may be the only indication:

emerg load_config_files[10761]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.

Conditions:
Loading of sys config fails due to corruption of EPSEC rpm database.

Impact:
Difficult to troubleshoot the root cause for config load failure.

967425-2 : mcp error: 0x1020036 at ../mcp/db_pool.c:461

Component: Local Traffic Manager

Symptoms:
After a node has been 'moved' / renamed, modification of objects referencing the node may result in a database error and issues with the intended action.

In particular, when a node which is associated with a pool is moved, it will appears to be successful, however, after modifying the session / user status, it will result in an error.:
mcp error: 0x1020036 at ../mcp/db_pool.c:461

Conditions:
In particular, when a node which is associated with a pool is moved, it will appears as successful, however, after modifying the session / user status, it will result in a DB error.

Impact:
A after modifying the pool, an error will be logged.

Connections will continue to be accepted despite all members in the pool being down/disabled.

967353-3 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.

Links to More Info: BT967353

Component: Local Traffic Manager

Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.

Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.

Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.

Workaround:
None

967249-2 : TMM may leak memory early during its startup process, and may continue to do so indefinitely.

Links to More Info: BT967249

Component: Local Traffic Manager

Symptoms:
TMM leaks memory in the packet and xdata components. The aggressiveness of the leak depends on how much traffic TMM receives from the Linux host subsystem.

Conditions:
- A BIG-IP system running more than 1 TMM instance.

- Early during its startup process, TMM begins receiving traffic from the Linux host subsystem destined to the network (e.g., remote syslog traffic routed to its destination through TMM).

- Depending on the system's configuration, TMM attempts to set up flow forwarding for the aforementioned traffic. This may happen, for instance, if the egress VLAN is configured for 'cmp-hash src-ip'.

- TMM hasn't fully completed its startup process yet.

Impact:
TMM leaks memory.

If the flow set up during early TMM startup continues to receive a constant stream of new packets, then the flow may live on indefinitely, and TMM may continue to leak memory indefinitely.

In the example of remote syslog traffic, this could happen, for instance, if the box keeps logging messages at a sustained rate.

Eventually, TMM may be unable to allocate any more memory and crash. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by ensuring that TMM does not receive any traffic from the Linux host subsystem for forwarding during early startup.

In the example of remote syslog destinations, you could specify the management IP address of the system as the source IP address for the traffic, thus forcing the traffic out of the management port instead of TMM. This implies the management port has a suitable working route to the destination.

967245-3 : Incorrect SPVA counter incremented during Sweep attack on profile

Component: Advanced Firewall Manager

Symptoms:
Incorrect SPVA counters updated.

Conditions:
Configure DoS Sweep vector on an SPVA supported device.

Impact:
Usage of dos_spva_stat will result in displaying incorrect counters.

967101-2 : when all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.

Links to More Info: BT967101

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)

Conditions:
-- Two BIG-IP systems with switchless configuration.
-- Bring down and up the interfaces at the same time in the trunk.

Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.

Workaround:
N/A

966949-2 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Links to More Info: BT966949

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")

966633-2 : Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies

Links to More Info: BT966633

Component: Application Security Manager

Symptoms:
WAF policy entities (such as parameters) are not found when filtering by non-ASCII values in REST/GUI in non-UTF-8 policies.

Conditions:
WAF policy is defined as non-UTF-8, and a non-ASCII value is used in an entity search filter.

Impact:
No results are returned.

Workaround:
None

966613-4 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’

Links to More Info: BT966613

Component: Application Security Manager

Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node "<soap:address/>".

Conditions:
Creating a new content profile using a wsdl file which contains a "<soap:address/>" node which does not have a "location" attribute value.

When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation.

Impact:
After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null"

Workaround:
Delete the node "<soap:address/>" from the wsdl file

966461-6 : Tmm leaks memory after each DNSSEC query when netHSM is not connected

Links to More Info: BT966461

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm memory increases per DNSSEC query.

Conditions:
NetHSM is configured but is disconnected

Impact:
Tmm high memory consumption.

Workaround:
Connect the netHSM.

965941-2 : Creating a net packet filter in the GUI does not work for ICMP for IPv6

Links to More Info: BT965941

Component: TMOS

Symptoms:
When using the GUI to create a 'net packet-filter' rule to block ICMP packets, the filter does not block IPv6 packets.

Conditions:
-- Using the GUI to create a packet filter rule to block incoming ICMP packets.
-- Attempting to block an IPv6 address.

Impact:
Packets get through the filter unexpectedly.

Workaround:
Modify the packet filter manually using tcpdump syntax. For example, the following syntax is used to block ICMP packets for both IPv4 and IPv6:

icmp or icmp6

965897-2 : Disruption of mcpd with a segmentation fault during config sync

Links to More Info: BT965897

Component: Advanced Firewall Manager

Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop

Numerous messages may be logged in the "daemon" logfile of the following type:

emerg logger[2020]: Re-starting mcpd

Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs

Impact:
Continuous restarts of mcpd process on the peer device.

Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.

  # tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP

965837-2 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection

Links to More Info: BT965837

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.

Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

965785-2 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine

Component: Application Security Manager

Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.

Conditions:
There is no specific condition, the problem occurs rarely.

Impact:
Sync process requires an additional ASM restart

Workaround:
Restart ASM after sync process finished

965777-2 : Per-request policy authentication becomes unresponsive

Links to More Info: BT965777

Component: Access Policy Manager

Symptoms:
Per-request policy execution can appear to be slow during subroutine evaluation, and apmd appears to take a large amount of CPU.

Conditions:
The per-request policy is using subroutine to execute an authentication related agent that is dispatched to apmd for completion. These typically involve authentication agents that interact with an external authentication server, such as LDAP, RADIUS, or AD.

Impact:
Connectivity may be impaired or lost.

Workaround:
Failover the high availability (HA) pair, or restart apmd.

965457-4 : OSPF duplicate router detection might report false positives

Links to More Info: BT965457

Component: TMOS

Symptoms:
OSPF duplicate router detection might report false positives

Conditions:
Router sends LSA that is looped in network and sent back to its origin.

Impact:
Cosmetic

965053-3 : [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure

Links to More Info: BT965053

Component: Global Traffic Manager (DNS)

Symptoms:
DNSX fails to sign zone transfer using tsig key.

Conditions:
A transfer error occurs while DNSX is initializing.

Impact:
DNSX zones are not been updated.

Workaround:
Re-enter the tsig key secret.

964989-2 : AFM DOS half-open does not handle wildcard virtual servers properly.

Links to More Info: BT964989

Component: Advanced Firewall Manager

Symptoms:
AFM DOS half-open vector does not handle wildcard virtual servers properly.

Conditions:
-- Wildcard virtual-server.
-- AFM DOS half-open vector configured.
-- Attacks towards multiple destinations covered by a single virtual-server.

Impact:
- Wrong statistics reporting.
- Wrong status of syncookie protection.
- Unexpected traffic drops.

Workaround:
Split wildcard virtual server into a series of /32 virtual servers.

964625-3 : Improper processing of firewall-rule metadata

Links to More Info: BT964625

Component: Advanced Firewall Manager

Symptoms:
The 'mcpd' process may suffer a failure and be restarted.

Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.

Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.

Workaround:
Reduce the number of firewall policy rules.

964617-2 : Connector error "CONNECTOR: Invalid external event HUDEVT_SENT in state Init

Links to More Info: BT964617

Component: SSL Orchestrator

Symptoms:
Error log "CONNECTOR: Invalid external event HUDEVT_SENT in state Init" seen in ltm logs and traffic might stall and ultimately will be abort/reset.

Conditions:
SSL Orchestrator with services inserted after Category lookup based on HTTP_CONNECT and client side does not accept (zero window) or SSL Orchestrator send buffer is full for HTTP CONNECT request response.

Impact:
Connection will stall and will be aborted / reset.

964533-3 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.

964421-2 : Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'

Links to More Info: BT964421

Component: TMOS

Symptoms:
The error message '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' is unclear.

It fails to indicate which rewrite profile has failed validation, and it is not clear that the error has something to do with the validation of rewrite profiles.

Conditions:
A BIG-IP Administrator is attempting to configure an invalid rewrite profile (one where the 'signing certificate' and 'signing key' options are not simultaneously set).

Impact:
A confusing error message is logged, which makes it difficult to know what to do next.

964125-2 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Links to More Info: BT964125

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more then one avenue where node statistics would be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.

963869-2 : Remote Desktop app fails to launch from webtop when Per-request Policy is added to virtual server.

Links to More Info: BT963869

Component: Access Policy Manager

Symptoms:
Users are unable to launch the Remote Desktop app from the webtop.

Conditions:
-- APM is licensed and provisioned.
-- Remote Desktop is configured and attached to the per-session policy.
-- A per-request policy is attached to the virtual server.

Impact:
Users cannot access the remote desktop application.

Workaround:
Don't attach the per-request policy to the virtual server if it's not required.

963541-2 : Net-snmp5.8 crash

Links to More Info: BT963541

Component: TMOS

Symptoms:
Snmpd crashes.

Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.

Impact:
Snmpd crashes.

963393-1 : Key handle 0 is treated as invalid for NetHSM devices

Links to More Info: BT963393

Component: Local Traffic Manager

Symptoms:
HTTPS pool members are marked down when they are up.

Conditions:
-- SafeNet HSM configured
-- HTTPS monitor uses the safenet keys
-- The key handle generated by the HSM is 0

Impact:
Pool members are marked down because bigd cannot connect to the pool member using the Safenet HSM key.

Workaround:
Use in-TMM monitors as an alternative to bigd monitors.

962913-4 : The number of native open connections in the SSL profile is higher than expected

Links to More Info: BT962913

Component: Local Traffic Manager

Symptoms:
The number of native open connections in the SSL profile shows a value that is higher than expected.

Conditions:
SSL renegotiation is enabled. Other conditions are unknown.

Impact:
The SSL stats are incorrectly reading higher than expected.

Workaround:
Disable SSL renegotiation.

962605-4 : BIG-IP may go offline after installing ASU file with insufficient disk space

Component: TMOS

Symptoms:
When installing an ASU file, if there is not enough disk space in /var, the clntcp update file might become corrupted, causing datasyncd to be offline (and thus cause the entire BIG-IP offline)

Conditions:
-- ASM/FPS provisioned.
-- Installing ASU file.
-- Not enough space in /var partition.

Impact:
Device goes offline.

Workaround:
Delete the update file:
tmsh delete security datasync update-file /Common/datasync-global/update-file-clntcap_update_ (auto complete)

962493-5 : Request is not logged

Component: Application Security Manager

Symptoms:
A request is not logged in the local and/or remote logs.

Conditions:
A request has evasions detected on very large parameters.

Impact:
A missing request in the log.

Workaround:
N/A

962489-5 : False positive enforcement of parameters with specific configuration

Component: Application Security Manager

Symptoms:
False positive parameters are being detected in the payload and enforced wrongly.

Conditions:
The URL is not defined (also not as wildcard - not defined at all) and the request has a payload.

Impact:
False positive enforcement - may lead to wrong violations and wrong blocking of requests.

Workaround:
None.

962181-2 : iRule POLICY command fails in server-side events

Links to More Info: BT962181

Component: Local Traffic Manager

Symptoms:
BIG-IP provides an iRule command POLICY to retrieve information on or manipulate an LTM policy attached to a virtual. This command fails when it is used in server-side event like HTTP_RESPONSE.

Conditions:
-- Configure a virtual server with one or more LTM policies.
-- The virtual server has an iRule with a POLICY command executed on a server side (e.g. HTTP_RESPONSE).

Impact:
A command returns an incorrect value and may cause unexpected outcomes in an iRule execution.

961653-2 : Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate

Links to More Info: BT961653

Component: Local Traffic Manager

Symptoms:
Unable to retrieve link statistics via SNMP OID gtmLinkStatRate

config # snmpwalk -c public localhost F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate
F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate = No Such Object available on this agent at this OID

Conditions:
A BIG-IP DNS/LC system configured with link objects.

Try to do an snmpwalk for F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate which is not successful.

Impact:
BIG-IP DNS system link statistics cannot be retrieved via SNMP.

Workaround:
No workaround.

961509-2 : ASM blocks WebSocket frames with signature matched but Transparent policy

Links to More Info: BT961509

Component: Application Security Manager

Symptoms:
WebSocket frames receive a close frame

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled

Impact:
WebSocket frame blocked in transparent mode

Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No

961001-2 : Arp requests not resolved for snatpool members when primary blade goes offline

Links to More Info: BT961001

Component: Local Traffic Manager

Symptoms:
Arp requests not resolved for snatpool members and traffic does not go through when the primary blade becomes offline.

Conditions:
-- VIPRION platforms serving as AAA and Diameter virtual server to load-balance.
-- route-domain configured other than 0.
-- Radius authentication pool and snatpool are configured.
-- Primary blade goes offline and new Primary is not elected.

Impact:
Traffic failure when primary became offline.

Workaround:
Disable primary blade which is offline.

960133-1 : AGC 8.0 installation failure

Component: Guided Configuration

Symptoms:
Attempting to install the AGC 8.0 results in the following error:

"Failed to load IApp artifacts from f5-iappslx-waf-bot-protection: java.lang.IllegalStateException: Failed to post template to block collection: ..."

Conditions:
The AGC is upgraded to a newer version via the "Access >> Guided Configuration" -> " Upgrade Guided Configuration".

Impact:
AGC 8.0 package is not installed.

Workaround:
Important: This workaround will delete all existing iApp configurations.

1. Download the latest AGC 8.0 package.
2. Open a new browser tab (first) and navigate to "Access >> Guided Configuration"
3. Open a new browser tab (second) and navigate to iApps >> Templates: Templates LX. Select all templates and click “Delete”.
4. In the second tab navigate to iApps >> Package Management LX. Select all existing packages and click “Uninstall”.
5. In the first tab click "Upgrade Guided Configuration" click and install the downloaded package.

960029-2 : Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error

Links to More Info: BT960029

Component: TMOS

Symptoms:
While attempting to view the properties for pool members via the Statistics page in the GUI, you see an error:

Instance not found: /Common/1234:80

Conditions:
-- A pool with at least one pool member with an IPv6 address.
-- Attempting to view the IPv6 pool member's properties via the Statistics page in the GUI.

Impact:
Unable to see the pool member's properties.

Workaround:
Use TMSH to view pool member properties:

# tmsh show ltm pool <pool name> members {<pool members>}

959965-3 : Asmlogd stops deleting old protobufs

Component: Application Security Manager

Symptoms:
Protobuf files are being cleaned only when trying to write to the protobuf file and on startup.

Conditions:
This occurs during normal operation.

Impact:
/var/asmdata1 can run out of disk space.

Workaround:
None

959957-3 : Asmlogd stops deleting old protobufs

Links to More Info: BT959957

Component: Application Security Manager

Symptoms:
Asmlogd restarts and there are asmlogd errors:

asmlogd|ERR|Oct 19 13:46:35.199|6005|,,asmlogd ended unexpectedly
asmlogd|ERR|Oct 19 13:46:35.203|6005|,,Can't call method "size" on an undefined value at /usr/local/share/perl5/F5/RequestLog.pm line 1902.

Conditions:
Disk is full -- the following warnings are being displayed:

err diskmonitor[3483]: 011d0004:3: Disk partition /var/asmdata1 (slot 1) has only 0% free

Impact:
Old protobuf files are not cleaned up.

Workaround:
0) If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

1) To identify the empty partitions, look into:
   SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G

2) For every partition that is empty, manually (or via shell script) execute this sql:
   ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where 'empty_partition_name' is the partition name as 'p100001'

4) Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5) pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

959613-2 : SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason

Links to More Info: BT959613

Component: Global Traffic Manager (DNS)

Symptoms:
When you double-monitor a Generic Host Virtual Server (pool level + virtual server level) using the same SIP/HTTPS monitor, the 'Reason' is omitted from the output. 'tmsh show gtm server <server> virtual-servers' shows a "blank" reason for monitoring failure/success.

Conditions:
Double-monitor a Generic Host virtual server (pool level + virtual server level) using the same SIP/HTTPS monitor.

Impact:
Impedes your ability to identify the failure/success reason quickly.

Workaround:
Do not use the same monitor on both the virtual server and the pool level.

959609 : Autodiscd daemon keeps crashing

Links to More Info: BT959609

Component: Advanced Firewall Manager

Symptoms:
Autodiscd daemon keeps crashing.

Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.

Impact:
Auto discovery feature is not working as expected

Workaround:
None.

959241-2 : Fix for ID871561 might not work as expected on the VCMP host

Links to More Info: BT959241

Component: TMOS

Symptoms:
Attempting to deploy an engineering hot fix (EHF) for ID871561 (https://cdn.f5.com/product/bugtracker/ID871561.html) fails in the same manner

Conditions:
-- Attempting to install an EHF containing a fix for ID871561 on a vCMP guest
-- The fix for ID871561 has not already been applied to the vCMP guest

Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host even if fix for ID871561 is available on VCMP guest.

Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:

tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>

Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:

tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>

Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.

Then restart the lind service on the vCMP Guest:
  tmsh restart sys service lind

If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
  clsh tmsh restart sys service lind

The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.

Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:

1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
  isoinfo -d -i /dev/cdrom

Note: Pay attention to the volume ID in the output from within the vCMP guest.

2. Unlock (eject) the image:
  eject -r -F /dev/cdrom && vcmphc_tool -e

3. Verify the CD drive is now empty:
  isoinfo -d -i /dev/cdrom

The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>

4. Restart lind:
  tmsh restart sys service lind

If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
  clsh tmsh restart sys service lind

959057-3 : Unable to create additional login tokens for the default admin user account

Links to More Info: BT959057

Component: TMOS

Symptoms:
When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account.

Conditions:
Remote Authentication is configured

Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured

958833-1 : After mgmt ip change via GUI, brower is not redirected to new address

Links to More Info: BT958833

Component: TMOS

Symptoms:
After changing the management IP address via the GUI, the browser is not redirected, and reports Unable to connect BIG-IP device.

Conditions:
Change the Management IP address from the GUI and submit the change.

Impact:
Browser does not get redirected to the new address

Workaround:
Access the GUI by manually going to the new Management IP.

958785-5 : FTP data transfer does not complete after QUIT signal

Links to More Info: BT958785

Component: Local Traffic Manager

Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.

Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.

Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.

Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.

958601-2 : In the GUI, searching for virtual server addresses does not match address lists

Links to More Info: BT958601

Component: TMOS

Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results.

Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results.

Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.

Impact:
Virtual servers that should match a search are not found.

Workaround:
None.

958325-1 : Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB

Links to More Info: BT958325

Component: Global Traffic Manager (DNS)

Symptoms:
Dangling monitor rule after pool deletion.

# tmsh delete gtm monitor tcp tcp_test
01070083:3: Monitor /Common/tcp_test is in use

Conditions:
Using transaction to delete pool and create pool of same name with different monitor.

Impact:
Unable to delete the remaining monitor.

Workaround:
Run:
1. # bigstart restart mcpd
Or
2. Do not combine deletion and re-create pool in the same transaction.

958157-3 : Hash collisions in fastDNS packet processing

Links to More Info: BT958157

Component: Global Traffic Manager (DNS)

Symptoms:
FastDNS packet processing might cause unexpected traffic drops.

Conditions:
-- FastDNS is in use.

The problem is more likely to occur on a systems with a low number of TMMs.

Impact:
Unexpected traffic drops

957993-2 : Unable to set a port list in the GUI for an IPv6 address for a virtual server

Links to More Info: BT957993

Component: TMOS

Symptoms:
When creating a virtual server in the GUI with an IPv6 destination address and a port list (shared object) or a source address list (shared object), the system returns an error similar to:

0107028f:3: The destination (0.0.0.0) address and mask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) for virtual server (/Common/vs03-v6_dns) must be be the same type (IPv4 or IPv6).

Conditions:
-- Creating or updating a virtual server.
-- Attempting to use an IPv6 Host address with a Port List shared object or a Source Address List shared object.

Impact:
Unable to create/modify virtual server.

Workaround:
Create an Address List shared object with the IPv6 address in it and use that instead of the Host address.

957905-2 : SIP Requests over TCP without content_length header are not aborted by BIG-IP

Links to More Info: BT957905

Component: Service Provider

Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server. The sipmsg parser treats the content_length header as a required header as part of the SIP Request.

Conditions:
SIP request without content_length header.

Impact:
RFC 6731 non compliance.

Workaround:
No Workaround.

957897-1 : Unable to modify gateway-ICMP monitor fields in the GUI

Links to More Info: BT957897

Component: TMOS

Symptoms:
While modifying a gateway-ICMP monitor you see the following error:

01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.

Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached with a pool that has one or more pool members.

Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.

Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]

For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description

957637-2 : Pfmand crash during bootup

Links to More Info: BT957637

Component: TMOS

Symptoms:
The pfmand process crashes and writes out a core during bootup on certain platforms.

Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
-- BIG-IP software version is v14.1.x, v15.1.x, or v16.1.x.

Impact:
Network connection lost while pfmand restarts.

Workaround:
None

957461-2 : Creating virtual server with IPv6 address or port list in destination should display source address in IPv6 format

Links to More Info: BT957461

Component: TMOS

Symptoms:
In the GUI, while creating a virtual server with an IPv6 address or a port list in destination, the BIG-IP system should display the source address in IPv6 format rather than IPv4 format 0.0.0.0/0.

Conditions:
This is encountered while creating a virtual server with an IPv6 address or port list in destination.

Impact:
The IPv6 address list is displayed in IPv4 notation.

Workaround:
This is a cosmetic issue. The correct addresses are used.

957321-1 : When BIG-IP contains an invalid DNS Resolver, Bot Defense might wrongly classify search engines as malicious

Component: Application Security Manager

Symptoms:
When the first DNS resolver is invalid, Bot Defense is unable to verify trusted bots, and is classifying them as malicious bots.

Conditions:
-- First DNS resolver in the list is invalid.
-- Bot Defense profile is attached to a virtual server.
-- Request from a search engine arrives.

Impact:
Bot Defense wrongly classifies valid search engines as malicious bots (and might block them if enforcement is enabled).

Workaround:
Fix the first DNS resolver in the list. It's possible that the first DNS resolver is the built in DNS resolver "f5-aws-dns".

956913-2 : HTTPS traffic may fail for Inbound topology gateway mode

Links to More Info: BT956913

Component: SSL Orchestrator

Symptoms:
HTTPS traffic may fail for Inbound topology gateway mode.

Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Inbound topology with gateway mode is selected and gateway iRule is attached to wildcard virtual.
-- HTTPS Traffic is intercepted.
-- SNI is not sent in clientHello.

Impact:
HTTPS traffic may fail.

Workaround:
Pass SNI from the client if not already sent in clientHello.

956889-2 : /var fills up very quickly

Links to More Info: BT956889

Component: Application Security Manager

Symptoms:
Policy history files fill /var disk partition

Conditions:
Very large configuration with substantial history and config sync enabled

Impact:
ASM sync fails due to /var being full

Workaround:
The properties in '/etc/ts/tools/policy_history.cfg' file, for cleaning as a file-based configuration option, are a Support-oriented configuration option aimed to help in these cases.

956645-2 : Per-request policy execution may timeout.

Links to More Info: BT956645

Component: Access Policy Manager

Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.

Impact:
Some clients will fail to connect to their destination.

Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.

956625-2 : Port and port-list type are both stored in a traffic-matching-criteria object

Links to More Info: BT956625

Component: TMOS

Symptoms:
Using "tmsh load sys config replace file ..." to change a traffic matching criteria's port type from port to port-list (or vice-versa) results in both types ending up in the traffic matching criteria object.

Conditions:
-- Using traffic-matching-criteria.
-- Using "tmsh load sys config replace file ..." or "tmsh load sys config merge file ..." to change the port to a port-list (or vice-versa).

Impact:
-- System does not load the desired configuration.
-- Virtual servers may match/process more traffic than expected.

956109-2 : Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target

Links to More Info: BT956109

Component: Local Traffic Manager

Symptoms:
In a device service cluster, changing a traffic-matching-criteria object's port configuration and then performing a full-sync will cause the sync target's traffic-matching-criteria ports to be modified incorrectly.

Once systems are in this state, further ConfigSyncs may result in these error messages:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 250 6869100131892804718 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
-- Two or more BIG-IPs in a DSC.
-- Using traffic-matching-criteria, and making changes.

Impact:
BIG-IP configurations are out of sync (even though they show "In Sync"). Affected virtual servers will process more traffic than configured.

Workaround:
On an affected system, perform one of the two procedures to correct MCPD's in-memory configuration:

1. Remove the traffic-matching criteria from all virtual servers (or only affected virtual servers, if known), and then re-add the traffic-matching criteria.

2. Save the configuration and then follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot

956025-2 : HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header

Links to More Info: BT956025

Component: Local Traffic Manager

Symptoms:
When the HTTP profile response-chunking option is set to "unchunk", chunked responses will be unchunked and the Transfer-Encoding header is removed.

If the server sends a chunked response with both Transfer-Encoding and Content-Length headers, Transfer-Encoding is removed but Content-Length is not. This causes the client to receive a response with an erroneous Content-Length header.

Conditions:
- HTTP virtual server with response-chunking set to "unchunk"
- Server response with both Transfer-Encoding and Content-Length headers present

Impact:
Malformed HTTP response received by client as length of response should be determined by closure of connection, not erroneous Content-Length header.

Workaround:
Implement iRule: at HTTP_RESPONSE time, remove the Content-Length header if the Transfer-Encoding header is also present.

955953-2 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'

Links to More Info: BT955953

Component: TMOS

Symptoms:
'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect.

Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled

Impact:
Traffic processing halts (no crash)

955897-2 : Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain

Links to More Info: BT955897

Component: TMOS

Symptoms:
When reading the configuration from /config files, the BIG-IP system may fail to load the configuration regarding a virtual server with a named virtual-address for address 0.0.0.0 in a non-default route domain:

err mcpd[21812]: 0107028b:3: The source (0.0.0.0%123) and destination (0.0.0.0) addresses for virtual server (/Common/vs1) must be in the same route domain.
Unexpected Error: Loading configuration process failed.

Conditions:
-- An LTM virtual-address object with a name.
-- The virtual-address's address is 0.0.0.0 (or the keyword 'any'). The IPv6 address :: (or the keyword 'any6') is not affected.
-- The virtual-address's address is in a route domain other than route domain 0. The route domain can be the partition's default route domain.
-- An LTM virtual server that uses the affected address as its destination.

Example:
tmsh create net route-domain 123
tmsh create ltm virtual-address allzeros-rd123 address 0.0.0.0%123
tmsh create ltm virtual allzeros-rd123 destination 0.0.0.0%123:0
tmsh save sys config

Impact:
The configuration fails to load from disk when the affected objects do not yet exist in running memory or binary cache, for example, during:

- Reinstalling
- Upgrading
- Loading manual changes to the /config/*.conf files
- MCP force-reload

Other operations such as rebooting, relicensing, and reloading the same configuration (such as 'tmsh load sys config' are not affected.

Workaround:
Replace the configuration that uses a named virtual-address with the direct address. Here is an example of the configuration in bigip.conf:

ltm virtual-address allzeros-rd123 {
    address any%123
    mask any
}
ltm virtual allzeros-rd123 {
    destination allzeros-rd123:0
    mask any
    source 0.0.0.0%123
}

This can be rewritten to remove the virtual-address object, and replace the virtual server destination with the address (0.0.0.0 or 'any'):

ltm virtual allzeros-rd123 {
    destination any%123:0
    mask any
    source 0.0.0.0%123
}

955617-2 : Cannot modify properties of a monitor that is already in use by a pool

Links to More Info: BT955617

Component: Local Traffic Manager

Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties can't be modified if they are in use by a pool.

Workaround:
Remove monitor, modify it, and then add it back.

955593-2 : "none" missing from the error string when snmp trap is configured with an invalid network type

Links to More Info: BT955593

Component: TMOS

Symptoms:
When you try to configure an SNMP trap with an invalid network type, you get a confusing error:

01070911:3: The requested enumerated (aaa) is invalid (, mgmt, other) for network in /Common/snmpd trapsess (/Common/i2_2_2_1_1)

Conditions:
SNMP trap is configured with an invalid network enum type.

Impact:
The word 'none' is not shown in the error string.

955057-2 : UCS archives containing a large number of DNS zone files may fail to restore.

Links to More Info: BT955057

Component: TMOS

Symptoms:
This issue can manifest in the following ways:

- Failure to restore a UCS archive to the currently active boot location (i.e. restoring a backup).

- Failure to restore a UCS archive to a different boot location by means of using the cpcfg utility (or the the "Install Configuration" option when changing boot locations in the Web UI).

- Failure to restore a UCS archive as part of a software upgrade (if rolling forward the configuration was requested, which is the default BIG-IP behavior).

In all cases, error messages similar to the following example are returned to the user:

/bin/sh: /bin/rm: Argument list too long
Fatal: executing: /bin/sh -c rm -fr /var/named/config/namedb/*
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

Conditions:
This issue occurs when a large number of DNS zone files are already present in the /var/named/config/namedb directory of the boot location to which the UCS archive is being restored.

Impact:
The UCS archive fails to restore. Additionally:

- If the UCS archive was being restored on the currently active boot location, the named and zrd daemons may not be running after the failure, leading to traffic outages.

- If the UCS archive was being restored as part of an upgrade, the installation will fail and the destination boot location will be marked as failed (thus preventing a BIG-IP Administrator from activating it).

Workaround:
Depending on the failure mode, perform one of the following workarounds:


- If you were restoring a UCS archive on the currently active boot location, run the following command, and then attempt the UCS archive restore operation again:

find /var/named/config/namedb -mindepth 1 -delete

- If you encountered the failure during an upgrade, it should mean you were installing an Engineering Hotfix (otherwise the /var/named/config/namedb directory on the destination boot location would have been empty).

Installing an Engineering Hotfix will actually perform two separate installations - first the base version, and then the hotfix on top of that. Each installation restores the source location's UCS archive.

The UCS installation performed during the base installation will work, and the one performed during the hotfix installation will fail (because DNS zone files are already in place now, and they will fail to be deleted).

In this case, you can work around the issue by performing two distinct installations (to the same destination boot location). First the base version by itself, and then the hotfix installation by itself:

Perform the first installation with the liveinstall.moveconfig and liveinstall.saveconfig db keys disabled. Perform the second installation after enabling the liveinstall.moveconfig and liveinstall.saveconfig db keys again.

- If you encountered the failure while using the cpcfg utility (or equivalent WebUI functionality), take a UCS archive instead, download it off of the BIG-IP or save it in a shared directory (e.g. /var/tmp), boot the system into the destination boot location, run the below command, and then restore the UCS archive:

find /var/named/config/namedb -mindepth 1 -delete

953601-3 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions

Links to More Info: BT953601

Component: Local Traffic Manager

Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.

Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.

Impact:
HTTPS monitor shows pool members or nodes down when they are up.

Workaround:
Restart bigd or remove and add monitors.

953477-3 : Syncookie HW mode not cleared when modifying VLAN config.

Links to More Info: BT953477

Component: TMOS

Symptoms:
Changing VLAN configuration can cause BIG-IP get stuck in hardware syncookie mode.

Conditions:
- Changing VLAN configuration when vlan-based syncookies are active.

For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779

Impact:
Device is stuck in hardware syncookie mode and generates syncookies.

Workaround:
Run the following command:
tmsh restart sys service tmm

Impact of workaround: restarting tmm disrupts traffic.

953425-3 : Hardware syncookie mode not cleared when changing dos-device-vector enforcement

Links to More Info: BT953425

Component: Advanced Firewall Manager

Symptoms:
Changing DOS vector enforcement configuration can cause BIG-IP to get stuck in hardware syncookie mode.

Conditions:
- Changing DOS vector enforcement configuration when device is in global syncookie mode.

For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779

Impact:
Device is stuck in hardware syncookie mode and generates syncookies.

Workaround:
Run the following command:
tmsh restart sys service tmm

Impact of workaround: restarting tmm disrupts traffic.

952801 : Changing access policy from multi-domain to single domain does not send domain cookies

Links to More Info: BT952801

Component: Access Policy Manager

Symptoms:
The BIG-IP system sends cookies with no "domain" attribute set.

Conditions:
- Configure a Multidomain access profile
- Change the profile to single domain

Impact:
The BIG-IP system sends cookies with no "domain" attribute set. This causes the cookie to be not associated to a particular domain.

Workaround:
Manually remove the domain-groups config from the access profile by editing the bigip.conf.

952521-2 : Memory allocation error while creating an address list with a large range of IPv6 addresses

Links to More Info: BT952521

Component: Advanced Firewall Manager

Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"

Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.

Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.

Workaround:
Use CIDR notation or multiple, smaller IP ranges.

950953-1 : Browser Challenges update file cannot be installed after upgrade

Links to More Info: BT950953

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP, the Browser Challenges factory default update file cannot be installed, and you see this error:

Installation error: gpg: WARNING: unsafe ownership on homedir `/usr/share/live-update/share/gpg/browser_challenges_genesis_load'gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20 "asm_sigfile_installer"gpg: Signature made Mon Aug 2

Conditions:
The new file that comes with the installation is ready to install

Impact:
New updated cannot be installed

Workaround:
There are 2 options:
1. download a new version of the update file (if exists)
2.
   2.1 download a copy of that file from the machine to your locale machine
   2.2 rename it :
       > cp BrowserChallenges_20200722_072935.im BrowserChallenges_<CURRENT_DATE>_<CURRENT_TIME>.im
       ## the date and time are for tracking and the have to be in a specific format DATE : YYYYMMDD, TIME: HHMMSS
   2.3 upload the file and install it manually from the LiveUpdate screen.

950673-3 : Hardware Syncookie mode not cleared when deleting/changing virtual server config.

Links to More Info: BT950673

Component: TMOS

Symptoms:
Modifying a virtual server can cause BIG-IP to get stuck in hardware syncookie mode.

Conditions:
-- A virtual server is in hardware syncookie mode.
-- Modifying or deleting the virtual server

For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779

Impact:
Device is stuck in hardware syncookie mode and generates syncookies.

Workaround:
tmsh restart sys service tmm

Impact of workaround: restarting tmm disrupts traffic.

950305-2 : Analytics data not displayed for Pool Names

Links to More Info: BT950305

Component: Application Visibility and Reporting

Symptoms:
You cannot see reports (statistics->analytics->pool) when you choose to view by pool names.

Conditions:
This is encountered in the statistics screen.

Impact:
You can't see the statistics->analytics->pool report when you choose view by pool names.

950201 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Each of these workarounds have performance impact.

950153-2 : LDAP remote authentication fails when empty attribute is returned

Links to More Info: BT950153

Component: TMOS

Symptoms:
LDAP /AD Remote authentication fails and the authenticating service may crash.

The failure might be intermittent.

Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.

This can be seen in tcpdump of the LDAP communication in following ways

1. No Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
        AttributeValue:

2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
    AttributeValue: 00

Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log

The logs will be similar to :

info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Workaround:
There is no Workaround on the LTM side.

For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue

950069-2 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"

Links to More Info: BT950069

Component: Global Traffic Manager (DNS)

Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.

Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols

Impact:
Unable to edit the record.

Workaround:
Two workarounds available:

1. Use zonerunner to delete the record and then recreate it with the desired RDATA value

2. Manually edit the bind zone file (see K7032)

950005-2 : TCP connection is not closed when necessary after HTTP::respond iRule

Links to More Info: BT950005

Component: Local Traffic Manager

Symptoms:
HTTP does not close the TCP connection on the client if response is sent via HTTP::respond.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE_RELEASE).
- HTTP sends "Connection: close" header.

Impact:
TCP connection lives longer than needed.

Workaround:
None

949957 : RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android)

Links to More Info: BT949957

Component: Access Policy Manager

Symptoms:
When user connects to the virtual server using Browser on their iPhone or Android device, webtop displays RDP resource. When they click on it, if SSO is not enabled, Remote Desktop Client App pops up with username pre-filled with string starting with f5_apm.

Conditions:
-- APM Webtop is configured with Single Sign-on disabled RDP resource.
-- Access the RDP resource from iOS or Android using RDP client.

Impact:
Remote Desktop Client App pops up with username pre-filled with string starting with f5_apm.

Workaround:
User needs to clear the username field and enter the actual username.

949137-3 : Clusterd crash and vCMP guest failover

Links to More Info: BT949137

Component: Local Traffic Manager

Symptoms:
Clusterd crashes and a vCMP guest fails over.

Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.

Impact:
Memory corruption and clusterd can crash, causing failover.

Workaround:
None.

949105-2 : Error log seen on Category Lookup SNI requests for same connection

Links to More Info: BT949105

Component: Access Policy Manager

Symptoms:
Client connections are reset and you see an error in /var/log/apm : "(ERR_NOT_FOUND) Category Lookup failed or a Category Lookup agent is not present in the policy before Response Analytics"

Conditions:
-- Category Lookup agent (lookup type SNI) in the per-request policy before Request or Response Analytics agent
-- Multiple requests sent in the same SSL connection.

Impact:
Connections are reset or they follow the fallback branch for subsequent requests in the same SSL connection

948601-3 : File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU

Component: TMOS

Symptoms:
SHA1 checksum attribute/property of the file object is not persisted/published/propagated to the MCP datastore/GUI.

Conditions:
This could be observed when an external data-group file or external monitor file definition is edited from GUI.
Below mentioned is the workflow where the issue can be seen/replicated,
System ›› File Management : Data Group File List >> FILE
Edit the "definition" field of the file object & click update.
1.) edit sys file data-group "filename"
2.) list sys file data-group "filename"
Aforementioned commands can be used from TMOS shell to understand the correct behavior that is expected when the same is done from GUI

Impact:
You are unable to identify whether the file object was modified by just validating/comparing the file object's metadata/schema property i.e. "checksum SHA1"

Workaround:
None

948101-1 : Pair of phase 2 SAs missing after reboot of standby BIG-IP device

Links to More Info: BT948101

Component: TMOS

Symptoms:
In the case of IPsec traffic-selector narrowing during tunnel negotiation, Security Associations (SAs) may not be mirrored to the Standby after the Standby is rebooted.

Conditions:
- BIG-IP systems configured in High Availability (HA).
- Mirroring is configured.
- The Standby system reboots.

Impact:
IPsec SAs may not be mirrored to the Standby device. If a failover occurs, the newly Active device cannot handle previously established tunnels.

Workaround:
Configure traffic-selectors to match exactly on both IPsec peers.

948065-3 : DNS Responses egress with an incorrect source IP address.

Links to More Info: BT948065

Component: Local Traffic Manager

Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.

Conditions:
Large responses of ~2460 bytes from local BIND

Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.

Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.

Note: This workaround has limitations, as some records in 'Additional Section' are truncated.

947937-2 : HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field.

Links to More Info: BT947937

Component: Local Traffic Manager

Symptoms:
The BIG-IP system can redirect a request to a fallback host when the target pool is unavailable. If the configured fallback host within the HTTP profile contains HTTP iRule commands such as HTTP::host or HTTP::uri, the corresponding HTTP request can fail. A connection reset may be encountered instead.

Conditions:
- HTTP profile with "fallback-host" profile option configured containing an HTTP iRule command.

Impact:
When utilizing the HTTP profile with "fallback-host" profile option with HTTP iRule commands, incorrect connection resets can be seen by the client instead of the correct HTTP response.

Workaround:
Attaching an iRule containing HTTP::redirect or similar command to the virtual server can be used instead of the fallback host-profile option to redirect traffic to another virtual server.

947745-1 : Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error

Links to More Info: BT947745

Component: Local Traffic Manager

Symptoms:
Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error message:
hud_tcp_serverside_handler/3676: 10.0.0.20.21 - 10.10.10.1.51147: unexpected serverside message HUDEVT_CHILD_CONNECTE

Conditions:
FTP profile is in use

Impact:
Logs entries in the log file

Workaround:
None

947217-5 : Fix of ID722682 prevents GTM config load when the virtual server name contains a colon

Links to More Info: BT947217

Component: Global Traffic Manager (DNS)

Symptoms:
GTM is unable to load the configuration.

Conditions:
-- GTM has been upgraded to a version with fix for ID722682 from a version that does not have the fix for ID722682
-- A GTM server has a name with no colon
-- That GTM server has a virtual server with colon in the name
-- That virtual server is added to a pool

Impact:
GTM config file cannot be loaded successfully after upgrade.

Workaround:
Edit bigip_gtm.conf manually to delete "\\" or replace colon ":" with other non-reserved char. such as "-".

947125-2 : Unable to delete monitors after certain operations

Links to More Info: BT947125

Component: Local Traffic Manager

Symptoms:
Unable to delete monitor with an error similar to:

01070083:3: Monitor /Common/my-mon is in use.

Conditions:
-- HTTP monitors are attached directly to pool members, or node-level monitors exist.
-- Performing an operation that causes the configuration to get rebuilt implicitly, such as "reloadlic".

Impact:
Unable to delete object(s) no longer in use.

Workaround:
When the system gets into this state, save and reload the configuration:
tmsh save sys config && tmsh load sys config

946481-1 : Virtual Edition FIPS not compatible with TLS 1.3

Links to More Info: BT946481

Component: Local Traffic Manager

Symptoms:
A TLS 1.3 handshake failure occurs when using openssl's AES-GCM cipher in FIPS mode.

Conditions:
FIPS mode and attempting TLS 1.3 with cipher AES-GCM

Impact:
Handshake failure for TLS 1.3

Workaround:
Disable FIPS mode, or alternately use non AES-GCM cipher for TLS 1.3.

946121-2 : SNMP user added with password less than 8 characters through tmsh is allowed but fails during snmpwalk.

Links to More Info: BT946121

Component: TMOS

Symptoms:
Whenever snmp user is added with short password (less than 8 characters), tmsh allows this during creation but throws an error when snmpwalk is done. But in GUI it throws error "Password must have at least 8 characters." during creation itself.

Conditions:
Configuring snmp user from tmsh with password less than 8 characters leads to this problem of getting error during snmp walk.

Impact:
snmpwalk fails

Workaround:
Configure snmp user with password greater than or equal to 8 characters.

945821-1 : Remote logging conditions adjustments

Links to More Info: BT945821

Component: Application Security Manager

Symptoms:
When "Null in multi-part" violation is detected, BIG-IP logs it to remote log even when the violation is not set to blocked in Learning and Blocking settings

Conditions:
This happens when "Null in multi-part" violation is detected

Impact:
Incorrect logging to remote logs

Workaround:
None

945601-4 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.

Links to More Info: BT945601

Component: Local Traffic Manager

Symptoms:
An incorrect LTM policy rule is picked up e.g. a rule which should match first is omited.

Conditions:
Policy contains multiple rules which employ TCP address matching condition.

Impact:
Inocorrect LTM policy is applied.

945413-3 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync

Links to More Info: BT945413

Component: TMOS

Symptoms:
BIG-IP systems in a device group do not stay in sync if config sync is manual and constantly syncs if config sync is automatic.

The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.

Conditions:
The CA-bundle manager is configured.

Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.

945189-2 : HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA

Links to More Info: BT945189

Component: Local Traffic Manager

Symptoms:
After upgrade, the 'DEFAULT' cipher in the server SSL profile attached to the HTTPS monitor does not include the ECDHE-RSA-AES256-CBC-SHA cipher suite in the Client Hello.

Conditions:
After upgrade, HTTPS monitor cipherlist is read from server SSL profile ciphers and set to DEFAULT after upgrade.

Impact:
1. Upgrade breaks the SSL pool monitoring.
2. It is also possible that the pools monitoring succeeds but with different ciphers

That can cause multiple issues:

2a. After upgrade, the ciphers are of a lower strength, and now the traffic is vulnerable to attacks
2b. After upgrade, the ciphers are of a higher strength, causing BIGD overload up to control plane crashes and device reboots

Workaround:
Set ciphers as DEFAULT:+SHA:+3DES:+EDH for profile server-ssl

944485-5 : License activation through proxy server uses IP address in proxy CONNECT, not nameserver

Links to More Info: BT944485

Component: TMOS

Symptoms:
License activation http/https request has the license server IP address instead of license server domain name.

Conditions:
When the proxy server and proxy port are configured and delete default management route.

Impact:
This causes your proxy server to disallow the connection

Workaround:
None.

944381-1 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.

Links to More Info: BT944381

Component: Local Traffic Manager

Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.

Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.

Impact:
The handshake should fail but complete successfully

944173-2 : SSL monitor stuck does not change TLS version

Links to More Info: BT944173

Component: Local Traffic Manager

Symptoms:
The SSL monitor remains in the current TLS version and does not switch to another version when a server changes.

Conditions:
-- SSL monitor configured.
-- Server configuration changes from TLSv1.2 to TLSv1.

Impact:
Pool members marked down.

Workaround:
Use the In-TMM monitor.

944121-1 : Missing SNI information when using non-default domain https monitor running in tmm mode

Links to More Info: BT944121

Component: In-tmm monitors

Symptoms:
In-tmm https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.

In-tmm monitors do not send any packet when TLS1.3 moniotr is used

Conditions:
-- SNI is configured in serverssl profile a
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.

 - Another Condition :

TLS1.3 Monitor is used

Impact:
The TLS connection might fail in case of SNI

No SYN packet is sent in case of TLS1.3 monitor

Workaround:
None

944093-2 : Maximum remaining session's time on user's webtop can flip/flop

Links to More Info: BT944093

Component: Access Policy Manager

Symptoms:
When an Access Policy is configured with Maximum Session Timeout, the rendered value of maximum remaining session's time can flip/flop in seconds on a user's webtop

Conditions:
Access Policy is configured with Maximum Session Timeout >= 60000 secs

Impact:
End users will see the remaining time being continually reset.

944029-1 : Support challenge response agent to handle Access-Challenge when Logon agent is not in policy

Links to More Info: BT944029

Component: Access Policy Manager

Symptoms:
In case of Multi-Factor Authentication (MFA), the challenge response is handled by the 401 response agent, in the following scenario:
-- The policy does not have logon page agent.
-- AAA/Radius server action is configured to send challenge response to the client.
-- The policy has a 401 response logon agent.

The APM end user client sees the credentials popup for 401 response.

After entering and sending credentials (challenge response code received from RSA server via email or SMS), the Access Policy action fails.

Conditions:
-- Challenge response via RSA server or other.
-- Logon Page logon agent not implemented.

Impact:
Unable to use challenge response sent by RSA (or AAA RADIUS server).

Workaround:
None

943945 : Incorrect Error message in /var/log/ltm when HTTP::respond is used in ADAPT_REQUEST_RESULT iRule event

Links to More Info: BT943945

Component: Local Traffic Manager

Symptoms:
When HTTP::respond is used in ADAPT_REQUEST_RESULT in iRule event, an error message "http_process_state_prepend - Invalid action:0x10a071 clientside" is observed in /var/log/ltm log.

Since HTTP::respond is not supported in ADAPT_REQUEST_RESULT, a better tcl error should be shown in /var/log/ltm like "TCL error: /Common/AVScan_Content <ADAPT_REQUEST_RESULT > - Illegal argument. Can't execute in the current context"

Conditions:
This can occur when HTTP::respond is used in ADAPT_REQUEST_RESULT:

when ADAPT_REQUEST_RESULT {
    if {[ADAPT::result] contains "respond"} {
        HTTP::respond 403 -version auto ...
    }
}

Impact:
TCL error messages don't give adequate information to explain what triggered the TCL error.

943793-2 : Neurond continuously restarting

Links to More Info: BT943793

Component: TMOS

Symptoms:
Neurond continuously restarts.

Conditions:
-- BIG-IP iSeries hardware platform
-- issuing the command "service --status-all"

Impact:
Neuron communications will be impacted

943641-1 : IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfiguration

Links to More Info: BT943641

Component: TMOS

Symptoms:
After changing an element of the ike-peer configuration, such as the pre-shared secret, the related IPsec interface mode tunnel can no longer forward packets into the tunnel.

Conditions:
-- IKEv1.
-- IPsec policy in interface mode.
-- Configuration change or a new configuration.

Impact:
When the problem is exhibited on a BIG-IP Initiator, ISAKMP negotiation fails to start when interesting traffic arrives. No messages are written to /var/log/racoon.log.

When the problem is exhibited on a BIG-IP Responder, the IPsec tunnel successfully establishes, but the BIG-IP fails to forward any interesting traffic into the established tunnel. No useful log messages are seen.

Note: 'Interesting traffic' is packets that match a traffic-selector.

Workaround:
Run 'bigstart restart tmm' or reboot.

943597-2 : 'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart

Links to More Info: BT943597

Component: TMOS

Symptoms:
On the dashboard, the line chart of 'Throughput', 'CPU Usage', and 'Memory Usage' can show the line of thresholds that indicates 'Upper Bound' and 'Lower Bound', but there is no line of thresholds on the line chart of 'Connections'.

Conditions:
Create a custom line chart for 'Connections' that includes 'Upper Bound' and 'Lower Bound'.

Impact:
Line Chart of 'Connections' does not display 'Upper Bound' and 'Lower Bound' thresholds.

Workaround:
None.

943577-2 : Full sync failure for traffic-matching-criteria with port list under certain conditions

Links to More Info: BT943577

Component: TMOS

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
   - a traffic-matching-criteria is attached to a virtual server
   - the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
   - the same traffic-matching-criteria is attached to the same virtual server
   - the original port-list is modified (e.g. a description is changed)
   - the TMC is changed to reference a _different_ port-list

Impact:
Unable to sync configurations.

Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.

If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.

1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:

tmsh save sys config

(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
    cat /config{/partitions/*,}/bigip{_base,}.conf |
    awk '
        BEGIN { p=0 }
        /^(ltm traffic-matching-criteria|net port-list) / { p=1 }
        /^}/ { if (p) { p=0; print } }
        { if (p) print; }
    ' ) > /var/tmp/portlists-and-tmcs.txt

2. Copy /var/tmp/portlists-and-tmcs.txt to the target system

3. On the target system, load that file:

    tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt

3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot

4. On the source system, force a full-load sync to the device-group:

    tmsh run cm config-sync force-full-load-push to-group <name of sync-group>

943473-2 : LDAP monitor's test functionality has an incorrect and non-modifiable IP address field in GUI

Links to More Info: BT943473

Component: TMOS

Symptoms:
While trying to use the monitor test page in the GUI for an LDAP monitor, the destination address field contains the value *.*(asterisk-dot-asterisk), and it is not editable.

Conditions:
-- Create an LDAP monitor.
-- Go to the Test page.

Impact:
You are unable to modify the test destination address for the LDAP monitor.

Workaround:
Use TMSH.

-- To run the test:
tmsh run /ltm monitor ldap <LDAP-Monitor-Name> destination <IP-Address>

Example: tmsh run /ltm monitor ldap myldap destination 10.10.10.10:389

-- To check test results:
tmsh show /ltm monitor ldap <LDAP-Monitor-Name> test-result
tmsh show /ltm monitor ldap myldap test-result

943441-2 : Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK

Links to More Info: BT943441

Component: Application Security Manager

Symptoms:
Verification may be incomplete when using the F5 Anti-Bot Mobile SDK with the Bot Defense profile.

Conditions:
-- Using the Bot Defense profile together with the F5 Anti-Bot Mobile SDK.
-- Enabling the Mobile Applications section in the profile.

Impact:
Mobile application verification may be incomplete.

Workaround:
None

943109-2 : Mcpd crash when bulk deleting Bot Defense profiles

Links to More Info: BT943109

Component: TMOS

Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.

Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.

Impact:
Crash of mcpd causing failover.

Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.

943045-2 : Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.

Links to More Info: BT943045

Component: TMOS

Symptoms:
When using Ansible to create a pool that contains an IPv6 pool member, you get an error:

0107003a:3: Pool member node and existing node cannot use the same IP Address.

Conditions:
-- Creating a new pool via Ansible.
-- A new IPv6 pool member is used.
-- The IPv6 pool member's name is not included.

Impact:
Pool creation fails.

Workaround:
If you are unable to specify the pool member name, you can use other available configuration tools like tmsh, the GUI, or AS3.

943033-2 : APM PRP LDAP Group Lookup agent has a syntax error in built in VPE expression

Links to More Info: BT943033

Component: Access Policy Manager

Symptoms:
PRP LDAP Group Lookup agent, the expression incorrectly places the 'string tolower' outside the square brackets. This causes an issue in the GUI of the LDAP Group Lookup object where the 'Simple' branch rules do not show up. You see this 'Warning':

Warning, this expression was made manually and couldn't be parsed, please use advanced tab.

Conditions:
Configure PRP with the LDAP Group Lookup agent in the Visual Policy Editor (VPE).

Impact:
Tcl expression containing a syntax error prevents the LDAP Group Lookup agent from functioning properly.

Workaround:
Go to the LDAP Group Lookup agent advanced tab and change this:
expr {[string tolower [mcget {session.ldap.last.attr.memberOf}]] contains string tolower["CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN"]}

To this:
expr {[string tolower [mcget {session.ldap.last.attr.memberOf}]] contains [string tolower "CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN"]}

Click finish.

Now you can click 'change', and use the 'Simple' tab and the 'Add an expression using presets' option.

942793-1 : BIG-IP system cannot accept STARTTLS command with trailing white space

Links to More Info: BT942793

Component: Local Traffic Manager

Symptoms:
When an SMTPS profile is applied on a virtual server and the SMTP client sends a STARTTLS command containing trailing white space, the BIG-IP system replies with '501 Syntax error'. The command is then forwarded to the pool member, which can result in multiple error messages being sent to the SMTP client.

Conditions:
-- A virtual server is configured with an SMTPS profile.
-- The SMTP client sends a STARTTLS command with trailing spaces.

Impact:
The SMTP client is unable to connect to the SMTP server.

Workaround:
Use an SMTP client that does not send a command containing trailing white space.

942729-2 : Export of big Access Policy config from GUI can fail

Component: Access Policy Manager

Symptoms:
Export of Access Policy times out after five minutes and fails via the GUI

Conditions:
Exact conditions are unknown, but it occurs while handling a large access policy.

Impact:
Unable to redeploy configuration

Workaround:
Use thge cli to export the access policy:

K30575107: Overview of the ng_export, ng_import and ng_profile commands
https://support.f5.com/csp/article/K30575107

942665-2 : Rate limit and threshold configuration checks are inconsistent when applied to Basic DoS Vectors and Bad Actors DoS vectors

Links to More Info: BT942665

Component: Advanced Firewall Manager

Symptoms:
Inconsistent configuration checks may result in configuration not being applied correctly.

Conditions:
DoS vectors configured on the BIG-IP

Impact:
Configuration changes may not be accepted by the BIG-IP.

942521-7 : Certificate Managers are unable to move certificates to BIG-IP via REST

Links to More Info: BT942521

Component: Device Management

Symptoms:
You cannot upload a cert/key via the REST API if you are using a certificate manager account

Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager

Impact:
Unable to upload certificates as Certificate Manager

Workaround:
Use admin account instead of using Certificate Manager account to upload certs and keys

942217-3 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'

Links to More Info: BT942217

Component: Local Traffic Manager

Symptoms:
With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.

Conditions:
Required Configuration:

-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.

-- The pool member has rate-limit enabled.

Required Conditions:

-- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action.

-- At that time, one of the above events occur, the pool member's rate-limit is active.

Impact:
Virtual server keeps rejecting connections.

Workaround:
Delete one of the conditions.

Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.

941381-3 : MCP restarts when deleting an application service with a traffic-matching-criteria

Links to More Info: BT941381

Component: TMOS

Symptoms:
After deleting an application service that contains a virtual server and a traffic-matching-criteria, the mcpd daemon crashes.

Conditions:
-- BIG-IP application service configuration containing a virtual server with traffic-matching-criteria
-- Application service is deleted

Impact:
Traffic and control plane disrupted while mcpd restarts.

Workaround:
None.

940837-2 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.

Links to More Info: BT940837

Component: Local Traffic Manager

Symptoms:
The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node.

Conditions:
-- A node command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.

Impact:
With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node.

Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.

940733-3 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt

Links to More Info: K29290121, BT940733

Component: Global Traffic Manager (DNS)

Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:

Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so

This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- running big3d_install from a BIG-IP GTM to an LTM

Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into an volume running an earlier version of the software.

Another way to encounter the issue is:

-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from GTM pointing to FIPS-licensed LTM.

Impact:
System boots to a halted state.

Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.

Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified.

If the target software volume has already experienced this issue (the system boots to a halted state), follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233, in addition to deleting /shared/bin/big3d.

For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.

940469-4 : Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration

Links to More Info: BT940469

Component: Global Traffic Manager (DNS)

Symptoms:
The 'gtm_add' script fail to sync configuration information from the peer when 'options inet6' is present in /etc/resolv.conf.

Conditions:
The option 'options inet6' is used in /etc/resolv.conf.

Impact:
The 'gtm_add' script removes the current config and attempts to copy over the config from the remote GTM. When the remote copy fails, the local device is left without any config.

Workaround:
Remove the 'options inet6' from /etc/resolv.conf.

940225-2 : Not able to add more than 6 NICs on VE running in Azure

Links to More Info: BT940225

Component: TMOS

Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.

Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.

Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs

Adding more NICs to the instance makes the device fail to boot.

Workaround:
None

940161 : iCall throws error: foreign key index (name_FK) do not point at an item that exists in the database

Links to More Info: BT940161

Component: TMOS

Symptoms:
Reconfiguring existing iapp results in an error:
01070712:3: Values (ICALL_SCRIPT_/Common/my_send_stats) specified for tcl user proc graph
(ICALL_SCRIPT_/Common/my_send_stats ICALL_SCRIPT_/Common/my_send_stats:escape_json): foreign key index
(name_FK) do not point at an item that exists in the database.

Conditions:
Reconfigure existing application while iCall is in use

Impact:
Modification of a running iCall script results in an error

Workaround:
None.

939941-1 : Monitor parameter not found error

Links to More Info: BT939941

Component: Global Traffic Manager (DNS)

Symptoms:
While trying to update a monitor in the GUI, there is an error:

01020036:3: The requested monitor parameter (/Common/my_https_mon 2 RECV_STATUS_CODE=) was not found.

Conditions:
-- The GTM Monitor is created in TMSH.
-- Attempt to modify it via the GUI.

Impact:
You are unable to update monitor values using the GUI.

Workaround:
Use tmsh to modifythese monitor values.

939757-4 : Deleting a virtual server might not trigger route injection update.

Links to More Info: BT939757

Component: TMOS

Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.

Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted

Impact:
The route remains in the routing table.

Workaround:
Disable and re-enable the virtual address after deleting a virtual server.

939517-4 : DB variable scheduler.minsleepduration.ltm changes to default value after reboot

Links to More Info: BT939517

Component: TMOS

Symptoms:
Running the command 'tmsh list /sys db scheduler.minsleepduration.ltm'
shows that the value is -1.

The db variable 'scheduler.minsleepduration.ltm' is set to -1 on mcpd startup.

This overwrites a custom value.

Conditions:
-- The db variable 'scheduler.minsleepduration.ltm' has a non-default value set.
-- A reboot occurs.

Impact:
The db variable 'scheduler.minsleepduration.ltm' reverts to the default value. When the db variable reverts to the default value of unset -1, tmm uses more CPU cycles when idle.

Workaround:
None

939249-3 : iSeries LCD changes to secure mode after multiple reboots

Links to More Info: BT939249

Component: TMOS

Symptoms:
After repeatedly rebooting an iSeries platform, the LCD can become erroneously set to secure mode on its own, and you are unable to use the menus on the LCD.

Conditions:
-- Repeated reboots of the device.
-- The db lcd.showmenu value initially set to enable are required.
-- Other required conditions are not fully known.

Impact:
-- LCD becomes set to secure mode.
-- The bigdb variable lcd.showmenu is changed to 'disable'.

Workaround:
Run the commands:
tmsh modify sys db lcd.showmenu value disable
tmsh modify sys db lcd.showmenu value enable

This clears the secure mode of the LCD.

939209-1 : FIPS 140-2 SP800-56Arev3 compliance

Links to More Info: BT939209

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.

939085-2 : /config/ssl/ssl.csr directory disappears after creating certificate archive

Links to More Info: BT939085

Component: Local Traffic Manager

Symptoms:
Creating a certificate archive removes the /config/ssl/ssl.csr directory.

Conditions:
This occurs while creating a certificate archive.

Impact:
Missing /config/ssl/ssl.csr directory is causing Integrity Check to fail on an intermittent basis.

Workaround:
Recreate /config/ssl/ssl.csr directory and set correct file permissions:

mkdir /config/ssl/ssl.csr
chmod 755 /config/ssl/ssl.csr/
chcon -R --reference=/config/ssl/ssl.crt/ /config/ssl/ssl.csr

938545-3 : Oversize plugin Tcl object results can result in 0-length messages and plugin crash

Links to More Info: BT938545

Component: Local Traffic Manager

Symptoms:
Bd crashes.

Conditions:
-- ASM enabled.
-- iRule used.
-- Command arguments are greater than maximum MPI message size.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None.

938309-2 : In-TMM Monitors time out unexpectedly

Links to More Info: BT938309

Component: Local Traffic Manager

Symptoms:
When using the in-TMM monitoring feature, monitored targets (nodes/pool members) may be marked DOWN unexpectedly if there is a delay in responding to ping attempts.
Specifically, if the ping response from the target is delayed by more than the 'interval' value configured for the monitor, but less than the 'timeout' value configured for the monitor, the target may be marked DOWN.

Conditions:
This may occur when either:
-- In-TMM monitoring is enabled (sys db bigd.tmm = enable) and the monitor type uses in-TMM monitoring; OR
-- Bigd is configured to NOT reuse the same socket across consecutive ping attempts (sys db bigd.reusesocket = disable)
AND:
-- The monitored target does not respond to ping attempts within the 'interval' value configured for the monitor.

Impact:
The monitored target may be marked DOWN if it does not respond to ping attempts within the 'interval' value configured for the monitor, instead of within the 'timeout' value configured for the monitor.

Workaround:
To work around this issue, use one of the following methods:
-- Disable in-TMM monitoring and enable bigd socket reuse (sys db bigd.tmm = disable, and sys db bigd.reusesocket = enable).
-- Configure the monitor with an 'interval' value longer than the expected response time for the monitored target(s).

938145-1 : DAG redirects packets to non-existent tmm

Links to More Info: BT938145

Component: TMOS

Symptoms:
-- Connections to self-IP addresses may fail.
-- SYNs packets arrive but are never directed to the Linux host.

Conditions:
-- Provision as vCMP dedicated host.
-- Create a self-IP address with appropriate allow-service.

Impact:
Repeated attempts to connect to the self-IP (e.g., via ssh) fail.

Workaround:
None

937777-2 : The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.

Links to More Info: BT937777

Component: Local Traffic Manager

Symptoms:
The iRule command HTTP::payload is not supported for use within Policy Enforcement Manager (PEM) policies. Attempting to use this within your configuration may result in the TMM crashing.

Conditions:
-- Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload

Impact:
Traffic disrupted while the TMM restarts.

Workaround:
Do not use the iRule command HTTP::payload within Policy Enforcement Manager (PEM) policies.

937769-2 : SSL connection mirroring failure on standy with sslv2 records

Links to More Info: BT937769

Component: Local Traffic Manager

Symptoms:
Standby device in ssl connection mirroring config does not handle sslv2 recrods correctly.

Conditions:
SSLv2 records processed by standby high availability (HA) device.

Impact:
Standby device fails handshake, active will finish handshake resulting in non mirrored connection.

937649-3 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict

Links to More Info: BT937649

Component: Local Traffic Manager

Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.

Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.

Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.

Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.

Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.

-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes

937601-2 : The ip-tos-to-client setting does not affect traffic to the server.

Links to More Info: BT937601

Component: TMOS

Symptoms:
The ip-tos-to-client setting is intended to apply to client traffic only. Server traffic IP ToS values are configured on the pool using the ip-tos-to-server property.

This is a change in behavior in that previously ip-tos-to-client was loosely interpreted to apply to server traffic as well if not overwritten by the pool.

Conditions:
The ip-tos-to-client value is set in the L4/L7 profile.

Impact:
IP ToS values in traffic to the server is unmodified.

Workaround:
Use the ip-tos-to-server property on pools to change IP ToS values to the server.

Alternatively, use an iRule to set the IP ToS to the server. For example:
when SERVER_CONNECTED {
    IP::tos 63
}

937573-3 : Connections drop in virtual server with Immediate Action On Service Down set to Drop

Links to More Info: BT937573

Component: Local Traffic Manager

Symptoms:
In a virtual server configured with Immediate Action On Service Down set to Drop and an iRule to pick a pool different from the one attached to the virtual server, if the default pool is attached in an offline state, connections are always dropped even when the default pool becomes available later.

Conditions:
- Virtual server configured with Immediate Action On Service Down set to Drop.
- An iRule selects a different pool from the one attached to the virtual server.

Impact:
Connections are silently dropped.

Workaround:
Change the virtual server's Immediate Action On Service Down setting to None.

937541-2 : Wrong display of signature references in violation details

Component: Application Security Manager

Symptoms:
The number '1' is added to the signature reference in violation details in the Request Log.

Conditions:
You click the '?' icon near signature name to view signature details and there are references for this signature

Impact:
The number 1 is shown before the link

937481-2 : Tomcat restarts with error java.lang.OutOfMemoryError

Links to More Info: BT937481

Component: TMOS

Symptoms:
In the GUI, while trying to list a large configuration, tomcat restarts with error java.lang.OutOfMemoryError: Java heap space due to a large read operation.

Conditions:
-- From the GUI, navigate to Local Traffic :: Pools :: Pool List.
-- The configuration contains approximately 10,000 objects (objects include pools, nodes, virtual servers, etc.).

Impact:
When the system attempts to list the large configuration, tomcat restarts, resulting in 503 error.

Workaround:
Use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process.

Impact of workaround: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Technical Support after considering the impact to Linux host memory resources.

-- Using a utility such as free or top, determine if you have enough free memory available to use this procedure.

For example, the following output from the free utility shows 686844 kilobytes available:
total used free shared buffers cachedMem:
16472868 15786024 686844 807340 827748 2543836
-/+ buffers/cache: 12414440 4058428
Swap: 1023996 0 1023996

-- View the current amount of memory allocated to the tomcat process by typing one of the following commands:
ps | grep " -client" | egrep -o Xmx'[0-9]{1,5}m'

The command output appears similar to the following example:

Xmx260m
Xmx260m

-- View the current value of the provision.tomcat.extramb database variable by typing the following command
tmsh list /sys db provision.tomcat.extramb

-- Set the provision.tomcat.extramb database variable to the desired amount of additional memory to be allocated using the following command syntax:
modify /sys db provision.tomcat.extramb value <MB>

-- If the device is part of a high availability (HA) configuration, the provision.tomcat.extramb database value should be synchronized to the peer devices from the command line. To run the ConfigSync process, use the following command syntax:
tmsh run /cm config-sync <sync_direction> <sync_group>

For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group:

tmsh run /cm config-sync to-group Syncfailover

-- Restart the tomcat process by typing the following command:
restart /sys service tomcat

937445-1 : Incorrect signature context logged in remote logger violation details field

Links to More Info: BT937445

Component: Application Security Manager

Symptoms:
An incorrect context (request) is logged for URL signatures in the violation details field.

Conditions:
-- ASM is running with a remote logger that has the violation_details field assigned.
-- A URL signature is matched.

Impact:
The logs do not provide the correct information, which might result in confusion or the inability to use the logged information as intended.

Workaround:
None.

937213 : Virtual Server is not created when a new HTTPS virtual server is defined with a new security policy

Links to More Info: BT937213

Component: Application Security Manager

Symptoms:
Virtual Server is not created when a new HTTPS virtual server is defined with a new security policy using GUI page.

Conditions:
- In GUI open "create new policy" page
- Assign a policy name in "Policy Name"
- Assign "Fundamental" for "Policy Template"
- Choose "Configure new virtual server" in "Virtual Server"
- Select "HTTPS" for "What type of protocol does your application use?"
- Choose an IP address and port 443 for "HTTPS Virtual Server Destination"
- Choose an IP address and port 443 for "HTTPS Pool Member"
- "clientssl" for "SSL Profile (Client)"
- "serverssl" for "SSL Profile (Server)"
- click on "Save" button to create new policy

Impact:
The virtual server is not created when you create the policy, and HTTPS security will not be applied to this newly created security policy.

Workaround:
Go to the Local Traffic section and create a HTTPS Virtual Server manually. After that, assign the security policy to the Virtual Server.

936777-2 : Old local config is synced to other devices in the sync group.

Links to More Info: BT936777

Component: Global Traffic Manager (DNS)

Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.

Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.

Impact:
Config on other DNS/GTM devices in the sync group are lost.

Workaround:
You can use either of the following workarounds:

-- Make a small DNS/GTM configuration change before adding new devices to the sync group.

-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.

936441-2 : Nitrox5 SDK driver logging messages

Links to More Info: BT936441

Component: Local Traffic Manager

Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):

Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1

The above set of messages seems to be logged at about 2900-3000 times a second.

These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.

Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.

Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

936417-3 : DNS/GTM daemon big3d does not accept ECDH or DH ciphers

Links to More Info: BT936417

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS/GTM big3d daemon does not accept ECDH or DH ciphers.

Conditions:
Connections to big3d with ECDH or DH ciphers.

Impact:
ECDH/DH ciphers do not work with big3d.

Workaround:
Do not use ECDH/DH ciphers.

936361-1 : IPv6-based bind (named) views do not work

Links to More Info: BT936361

Component: Global Traffic Manager (DNS)

Symptoms:
Bind does not match IPv6 addresses configured for a zone view, and returns REFUSED responses, rather than the
expected answers.

After enabling debug logging in bind (see K14680), the apparent source address of the IPv6 DNS requests shows as being in the fe80::/96 range, rather than the IPv6 source address that sent the request.

For example:

debug 1: client @0x579bf188 fe80::201:23ff:fe45:6701%10#4299: no matching view in class 'IN'

Conditions:
- BIG-IP DNS is provsioned
- One or more ZoneRunner views is defined using IPv6 addresses.
- A DNS query is sent from an IPv6 source address

Impact:
You cannot use DNS views in bind (zonerunner) based on IPv6 addresses.

Workaround:
If possible, use only IPv4 addresses to define views for DNS queries

936093-2 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr

935945-1 : GTM HTTP/HTTPS monitors cannot be modified via GUI

Links to More Info: BT935945

Component: Global Traffic Manager (DNS)

Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:

01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.

Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.

Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.

Workaround:
If 'recv-status-code' has never been set, use tmsh instead.

Note: You can set 'recv-status-code' using tmsh, for example:

   tmsh modify gtm monitor http http-default recv-status-code 200

935865-5 : Rules that share the same name return invalid JSON via REST API

Links to More Info: BT935865

Component: Advanced Firewall Manager

Symptoms:
When retrieving rule stats on a firewall policy, if two rules that share the same name but one of which is directly attached to the policy while the other is attached via a rule list, then a invalid JSON is returned. The JSON has identical keys for each entry associated with the rule. This is an invalid JSON structure that cannot be parsed correctly (Or data for one of the rules is lost)

Conditions:
A firewall policy that has one of rule directly attached to the policy while the other is attached via a rule list, and both rules share the same name.

Impact:
Invalid JSON structure returned for stat REST API call

Workaround:
Ensure that no rule shares its name with another rule.

935793-2 : With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)

Links to More Info: BT935793

Component: Local Traffic Manager

Symptoms:
When a virtual server with a SIP profile has mirroring enabled, connections on the standby unit will be removed shortly after being created. If tm.rstcause.log is enabled the reset cause message appears similar to the following:

-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.208:5080 to 10.2.207.201:31597, [0x2c1c820:1673] MBLB internal error (Routing problem).
-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.209:51051 to 10.2.207.202:5080, [0x2c1c820:931] MBLB internal error.

Conditions:
-- BIG-IP Virtual Edition (VE) running on 2000/4000 platforms using RSS hash.
-- Platforms with more than 1 tmm.

Impact:
Mirrored connections on the standby unit are removed.

Workaround:
-- On BIG-IP VE, add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes

935769-3 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time

Links to More Info: BT935769

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Attempt upgrade / reboot of the platform.

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.

935485-2 : BWC: flows might stall when using dynamic BWC policy

Links to More Info: BT935485

Component: TMOS

Symptoms:
When multiple flows are passing through the single instance of BWC policy, one or more flows might stall for a few seconds or more. The fairness among the flows is also affected.

Conditions:
-- BWC dynamic policy is enabled.
-- Multiple flows are passing through a single instance of the BWC dynamic policy.

Impact:
Some of the flows may stall.

Workaround:
None.

935193-1 : With APM and AFM provisioned, single logout ( SLO ) fails

Links to More Info: BT935193

Component: Local Traffic Manager

Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:

-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message

Conditions:
Failures occur with Redirect SLO.

Impact:
SAML single logout does not work.

Workaround:
Use POST binding SLO requests.

935177-2 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm

Links to More Info: BT935177

Component: TMOS

Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.

Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.

The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.

934697-3 : Route domain not reachable (strict mode)

Links to More Info: BT934697

Component: Local Traffic Manager

Symptoms:
Network flows are reset and errors are found in /var/log/ltm:

Route domain not reachable (strict mode).

Conditions:
This might happen in either of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.

Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.

Impact:
Traffic is not sent to the node that is in a route domain.

The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.

Workaround:
Specify the node along with Route domain ID.

-- For iRules, change from this:
when HTTP_REQUEST {
 node 10.10.10.10 80
}

To this (assuming route domain 1):
when HTTP_REQUEST {
 node 10.10.10.10%1 80
}


-- For LTM policies, change from this:
actions {
    0 {
        forward
        select
        node 10.2.35.20
    }
}

To this (assuming route domain 1):
actions {
    0 {
        forward
        select
        node 10.2.35.20%1
    }
}

933329-2 : The process plane statistics do not accurately label some processes

Links to More Info: BT933329

Component: TMOS

Symptoms:
The plane process statistics can be used to track the statistics of processes even though the process ID has changed over time. The processes are characterized as belonging to the control plane, data plane, or analysis plane. Some of the processes are incorrectly labeled.

Conditions:
Viewing the plane process statistics when diagnosing plane usage on the BIG-IP system.

Impact:
The percentage of usage of each plane can be confusing or incorrect.

Workaround:
None.

932893-2 : Content profile cannot be updated after redirect from violation details in Request Log

Links to More Info: BT932893

Component: Application Security Manager

Symptoms:
BIG-IP issues a redirect to the content profile form that contains relevant violation details in the Request Log. If you follow this redirect and try to update profile, the action fails.

Conditions:
This occurs if you follow the redirect to the content profile page from the violation details page in the Request Log, and then try to update the profile

Impact:
You are unable to update the content profile.

Workaround:
Go to the list content profile page, and update the content profile from there.

932857-2 : Delays marking Nodes or Pool Members DOWN with in-TMM monitoring

Links to More Info: BT932857

Component: Local Traffic Manager

Symptoms:
When configured with a large number of in-TMM monitors, Nodes or Pool Members may not be marked DOWN immediately after the configured timeout period once the target stops responding to pings.

Conditions:
This may occur when:
-- In-TMM monitoring is enabled (via sys db bigd.tmm).
-- A large number of Nodes and/or Pool Members (several hundreds or thousands) are configured and monitored.

Impact:
Nodes or Pool Members which are not responsive may not be marked DOWN in a timely fashion.

Workaround:
You can work around this issue by disabling in-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).

932553-4 : An HTTP request is not served when a remote logging server is down

Links to More Info: BT932553

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.

932461-3 : Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.

Links to More Info: BT932461

Component: Local Traffic Manager

Symptoms:
If you overwrite the certificate that is configured on the server SSL profile and used with the HTTPS monitor, the BIG-IP system still uses an old certificate.

After you update the certificate, the stored certificate is incremented, but monitor logging indicates it is still using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with cert and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate via GUI or tmsh.

Impact:
The monitor still tries to use the old certificate, even after the update.

Workaround:
Use either of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile cert key, set it to 'none', and switch back to the original cert key name.

The bigd utility successfully loads the new certificate file.

932189-3 : Incorrect BD Swap Size units on ASM Resources chart

Links to More Info: BT932189

Component: Application Visibility and Reporting

Symptoms:
The 'BD Swap Size' reported on the 'Security :: Reporting : ASM Resources : Memory Utilization' page is much too high and incorrect.

Conditions:
ASM provisioned.

Impact:
Graphically reported BD swap memory usage is incorrect.

Workaround:
None.

932045-3 : Memory leak when creating/deleting LTM node object

Links to More Info: BT932045

Component: Local Traffic Manager

Symptoms:
A memory leak occurs when creating/deleting an LTM node object.

Conditions:
-- Create a node object.
-- Delete the node object.

Impact:
This gradually causes tmm memory pressure, and eventually severe outcome is possible such as aggressive mode sweeper and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Refrain continuous creation/deletion of LTM nodes.

931629-2 : External trunk fdb entries might end up with internal MAC addresses.

Links to More Info: BT931629

Component: TMOS

Symptoms:
The vCMP host might have external trunk with internal MAC addresses. This is visible via 'tmsh show net fdb'.

Conditions:
-- vCMP is provisioned and has guests deployed on it.
-- vCMP host uses trunks.
-- Create VLANs using trunks and assign it to guests.
-- Guests need to be in high availability (HA) configuration.

Impact:
Traffic processing is disrupted.

Workaround:
None.

931469-7 : Redundant socket close when half-open monitor pings

Links to More Info: BT931469

Component: Local Traffic Manager

Symptoms:
Sockets and log files are closed and re-opened twice instead of one time when the half-open TCP monitor pings successfully.

Conditions:
This occurs when the half-open monitor pings successfully.

Impact:
Minor performance impact.

Workaround:
None.

931149-1 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Links to More Info: BT931149

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr

931033-1 : Device ID Deletions anomaly might be raised in case of browser/hardware change

Links to More Info: BT931033

Component: Application Security Manager

Symptoms:
-- Valid users complain they are unable to connect, or they are required to do CAPTCHA frequently.
-- On the BIG-IP device, 'Device ID Deletion' violations are being raised.

Conditions:
-- Bot Defense Profile with 'Device ID' mode set to 'Generate After Access' is attached to the virtual server.
-- Some change in the browser or computer hardware occurs.
-- Surfing to multiple qualified pages at the same time.

Impact:
Valid requests might be mitigated.

Workaround:
Raise the threshold of 'Device ID Deletion' anomaly (recommended value according to the webserver, is approximately 4).

930825-4 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors

Links to More Info: BT930825

Component: TMOS

Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from the errors. After attempting XLMAC recovery fails, the system fails over to the peer unit, goes offline, and closes down links.

The TMM logs contain messages similar to the following:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice HA action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice HA failover action is cleared.

Followed by a failover event message.

Conditions:
It is unknown under what conditions the XLMAC errors occur.

Impact:
The BIG-IP system fails over.

Workaround:
None.

930633-3 : Delay in using new route updates by existing connections on BIG-IP.

Links to More Info: BT930633

Component: TMOS

Symptoms:
If routes are updated in BIG-IP by static or dynamic methods, the existing connections will not use the new routes until ~1-8 seconds later.

Conditions:
Routes for existing connections on the BIG-IP are updated.

Impact:
Performance might be degraded when routes are updated for existing connections on BIG-IP.

930217-3 : Zone colors in ASM swap usage graph are incorrect

Links to More Info: BT930217

Component: Application Visibility and Reporting

Symptoms:
In GUI ASM memory utilization chart, 'BD swap size, Total swap size' graph show inconsistent background colors. It looks like these colors are assigned with an assumption that swap usage is shown as percentage but it is shown as absolute value.

Conditions:
-- ASM is provisioned.
-- Viewing ASM memory utilization chart/

Impact:
Potential confusion viewing colors in ASM memory utilization chart.

Workaround:
None. This is a cosmetic issue only.

929909-2 : TCP Packets are not dropped in IP Intelligence

Links to More Info: BT929909

Component: Advanced Firewall Manager

Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets

Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned

Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.

929813-2 : "Error loading object from cursor" while updating a client SSL profile

Links to More Info: BT929813

Component: TMOS

Symptoms:
When updating a client-ssl profile in the GUI, the update fails and the GUI displays the following error:
  "Error loading object from cursor"

Conditions:
- Client SSL profiles with inheritance: Parent -> Child -> Grand Child.

- Parent SSL profile uses cert-key-chain

Impact:
Unable to edit the profile using the GUI.

Workaround:
Use tmsh or iControl to update the Client SSL profile

929429-2 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed

Links to More Info: BT929429

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.

929173-2 : Watchdog reset due to CPU stall detected by rcu_sched

Links to More Info: BT929173

Component: TMOS

Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."

Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...

Conditions:
Host undergoing a watchdog reset in a vCMP environment.

Impact:
CPU RCU stalls and host watchdog reboots

929133-2 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'

Links to More Info: BT929133

Component: TMOS

Symptoms:
VLANs with a name that that start with "eth" will cause tmm to fail and restart.

Conditions:
Vlan name that starts with "eth"

Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.

Workaround:
Rename all vlans that start with "eth"

929005-2 : TS cookie is set in all responses

Links to More Info: BT929005

Component: Application Security Manager

Symptoms:
ASM sends a new cookie in every response, even though there is no change to the cookie name-plus-value.

Conditions:
-- ASM enabled.
-- Hostname is configured in the ASM policy.
-- The pool member sends different cookie values each time.

Impact:
ASM sends a Set-Cookie in every response, and it always sets the same cookie value.

Workaround:
None.

928665-2 : Kernel nf_conntrack table might get full with large configurations.

Links to More Info: BT928665

Component: TMOS

Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:

warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.

Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries.

Impact:
Monitors are unstable/not working at all.

Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:

options nf_conntrack hashsize=262144

2. Save the file.
3. Reboot the system.

928445-4 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2

Links to More Info: BT928445

Component: Local Traffic Manager

Symptoms:
HTTPS monitor state is down when server_ssl profile cipher string has the value 'TLSv1_2'.
 -- configured cipherstring TLSv1_2/TLSv1_1 is rejected by OpenSSL.

Conditions:
-- Pool member is attached with HTTPS monitor.
-- Monitor is configured with an SSL profile.
-- The configured server_ssl profile has cipher string as DEFAULT:!TLSv1_2.

Impact:
Pool status is down.

Workaround:
-- Enable 'in-tmm' monitoring.
-- Use SSL options available in the server SSL profile to disable TLSv1_2 or TLSv1_1 instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.

928389-2 : GUI becomes inaccessible after importing certificate under import type 'certificate'

Links to More Info: BT928389

Component: TMOS

Symptoms:
After importing a new certificate, httpd goes down and the GUI becomes inaccessible.

Conditions:
Upload new certificate using Import-type 'Certificate' option.

Impact:
The GUI is inaccessible as soon as you import a new device certificate using import-type 'Certificate'.

Workaround:
Manually copy the matching key to /config/httpd/conf/ssl.key/server.key and restart apache (bigstart restart httpd)

If you do not have the matching key, generate a new key/cert pair from the command line by following K9114

928353-2 : Error logged installing Engineering Hotfix: Argument isn't numeric

Links to More Info: BT928353

Component: TMOS

Symptoms:
When installing an Engineering Hotfix, the following error may be logged in /var/log/liveinstall.log:

Argument "" isn't numeric in numeric eq (==) at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/Hotfix.pm line 651.

Conditions:
This error may occur when installing an Engineering Hotfix, if the Engineering Hotfix does not include an update to the nash-initrd component.

Impact:
The error message gives a mistaken impression that the Engineering Hotfix did not install successfully. However, it does install correctly, and the system operates without issue. You can safely ignore this message.

Workaround:
None.

928177-2 : Syn-cookies might get enabled when performing multiple software upgrades.

Links to More Info: BT928177

Component: Advanced Firewall Manager

Symptoms:
Syn-cookie protection of FastL4/TCP profile might get enabled when performing multiple software upgrades.

Conditions:
-- Performing an upgrade from version earlier than 14.0.0 to a version higher than or equal to 14.0.0.
-- Then performing another upgrade.

Impact:
Value of profile attribute syn-cookie-enable might be changed during an upgrade.

Workaround:
Save configuration before starting each upgrade.

928161-1 : Local password policy not enforced when auth source is set to a remote type.

Links to More Info: BT928161

Component: TMOS

Symptoms:
The local password policy is not enforced when the auth source type is set to the value of 'Remote'. Any non-default password policy changes are not enforced for local users.

Conditions:
1) Some parts of the local password policy has been changed from the default values, for example, changing the password required-uppercase to 2.

2) The auth source is set to a remote source, such as LDAP, AD, or TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the required-uppercase is set to 2, a local user's password can be set to something less than 2.

Even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None

927713-1 : Secondary blade IPsec SAs lost after standby reboot using clsh reboot

Links to More Info: BT927713

Component: Local Traffic Manager

Symptoms:
-- When 'clsh reboot' is executed on the primary blade, it internally calls ssh reboot on all secondary blades and then reboots the primary blade. The 'clsh reboot' script hangs, and there is a delay in rebooting the primary blade.
-- Running 'ssh reboot' on secondary blades hangs due to sshd sessions getting killed after network interface down.

Conditions:
-- Running 'clsh reboot' on the primary blade.
-- Running 'ssh reboot' on secondary blades.

Impact:
A secondary blade is not rebooted until clsh or ssh closes the connection to that blade.

Workaround:
Perform a reboot from the GUI.

927633-2 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic

Links to More Info: BT927633

Component: Local Traffic Manager

Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.

Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.

Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.

Workaround:
None.

927589-3 : ILX::call command response get truncated

Links to More Info: BT927589

Component: Local Traffic Manager

Symptoms:
If a response to an ILX::call command is larger than 64 KB, data is truncated.

Conditions:
-- iRule script including an ILX::call command in use.
-- Return response is greater than 64 KB.

Impact:
iRule fails and the connection aborts.

Workaround:
None.

927569-2 : HTTP/3 rejects subsequent partial SETTINGS frames

Links to More Info: BT927569

Component: Local Traffic Manager

Symptoms:
HTTP/3 aborts the connection upon receipt of a 'second' SETTINGS frame.

Conditions:
HTTP/3 first receives an incomplete SETTINGS frame, followed by more SETTINGS frame bytes.

Impact:
Connection fails to complete.

Workaround:
None.

927441-3 : Guest user not able to see virtual server details when ASM policy attached

Links to More Info: BT927441

Component: TMOS

Symptoms:
When ASM is attached to a Virtual Server, a BIG-IP user account configured with the Guest role cannot see virtual server details. An error message is printed instead:
01070823:3: Read Access Denied: user (guestuser) type (GTM virtual score).

Conditions:
-- ASM Policy attached to virtual server.
-- Logging onto the BIG-IP system using an account configured with the guest user role.
-- Running the command:
tmsh show ltm virtual detail

Impact:
Cannot view virtual server details.

Workaround:
None.

927025-3 : Sod restarts continuously

Links to More Info: BT927025

Component: TMOS

Symptoms:
After upgrading to v14.1.2.6, sod keeps restarting and dumping core.

Conditions:
This occurs when /dev/shm/chmand is missing and the system restarts chmand and sod upon reload.

Note: It is unknown how this condition might occur.

Impact:
Unstable sod process can affect failover functionality in BIG-IP systems.

Note: This happens only the first time after upgrade. To recover, you must power down the system for a full reboot.

Workaround:
Run the following command:

restorecon /dev/shm/chmand

926985-2 : HTTP/3 aborts stream on incomplete frame headers

Links to More Info: BT926985

Component: Local Traffic Manager

Symptoms:
HTTP/3 streams abort at seemingly arbitrary times when BIG-IP is receiving large amounts of data.

Conditions:
HTTP/3 receives an incomplete frame header on a given stream.

Impact:
Data transfer is incomplete.

Workaround:
None

926845-5 : Inactive ASM policies are deleted upon upgrade

Links to More Info: BT926845

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.

926757-2 : ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Links to More Info: BT926757

Component: Local Traffic Manager

Symptoms:
ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Conditions:
Virtual-server with an address space overlapping with a self-IP, capable of handling ICMP traffic, for example:
ip-forward wildcard 0.0.0.0/0 virtual-server

Impact:
ICMP traffic to a virtual-address might be handled by a virtual-server.

Workaround:
There is no workaround.

926549-1 : AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'

Links to More Info: BT926549

Component: Advanced Firewall Manager

Symptoms:
With some configurations, executing a command such as 'tmsh show security firewall global-rules active' loops continuously, causing stat counters to rise, and possibly log messages to be written to /var/log/ltm.

Conditions:
-- AFM is routing traffic to a Virtual Server through the 'Send to Virtual' option.
-- The target Virtual Server uses the 'LB_FAILED' iRule to select a new Virtual Server through virtual command and 'LB::reselect'.

Impact:
The iRule loops continuously, causing stat counters to rise, and possibly logging messages in /var/log/ltm.

Workaround:
This configuration should be avoided, but if it is used, and if this does happen, you can restart tmm:
bigstart restart tmm

This stops the current looping, until it is triggered again.

Impact of workaround: Traffic disrupted while tmm restarts.

926513-2 : HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.

Links to More Info: BT926513

Component: Local Traffic Manager

Symptoms:
HTTP/2 Clone pools are not working when the Clone Pool (Server) option is selected. This issue occurs when a HTTP/2 profile (Server) or HTTP/2 full-proxy configuration is enabled and an HTTP/2 clone pool is set on a virtual server. This issue prevents traffic from being copied to the appropriate clone pool member.

Conditions:
A virtual server provisioned with the following configuration:

--HTTP/2 default pool.
--HTTP/2 clone pool (server).
--HTTP/2 profile (server) or HTTP/2 profile full-proxy configuration.

Impact:
Clone pools (server) do not mirror HTTP/2 traffic.

Workaround:
None.

926425-3 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Links to More Info: BT926425

Component: Advanced Firewall Manager

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.

Conditions:
SYN Cookie activated on Neuron-capable platforms:
  + VIPRION B4450N blade
  + BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
     -- BIG-IP i5800 Series
     -- BIG-IP i7800 Series
     -- BIG-IP i11800 Series
     -- BIG-IP i15800 Series

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM,
-- Reboot the device.

926085-1 : GUI: Node/port monitor test not possible in the GUI, but works in tmsh

Links to More Info: BT926085

Component: Local Traffic Manager

Symptoms:
The node address field is disabled when trying to create a custom HTTP/HTTPS/FTP monitor, so you cannot enter a node address. This prevents you from using the Test operation to test this type of monitor in the GUI.

Conditions:
-- In a new monitor derived from HTTP/HTTPS/FTP, click the Test tab.
-- View the Address field, and then try to run the test.

Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with a message:

invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)

Workaround:
Run either of the following tmsh commands:

for HTTP
-- tmsh run ltm monitor http my_http destination <IP address>:<port>

-- tmsh modify ltm monitor http my_http destination *:*

for HTTPS
-- tmsh run ltm monitor https my_https destination <IP address>:<port>

-- tmsh modify ltm monitor https my_https destination *:*

925797-2 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members

Links to More Info: BT925797

Component: TMOS

Symptoms:
There there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.

The mcpd process might fail and restart or it might remain running but have its virtual memory so fragmented that queries to mcpd might fail to allocate memory.

One of signs that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.

Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.

Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.

Workaround:
None.

925469-1 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo

Links to More Info: BT925469

Component: TMOS

Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.

Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.

-- Configure a new key with Subject Alternative Name (SAN).

Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.

Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.

924697-2 : VDI data plane performance degraded during frequent session statistic updates

Links to More Info: BT924697

Component: Access Policy Manager

Symptoms:
Data plane performance for VDI use cases (Citrix/VMware proxy) is degraded during frequent access session statistic updates.

Conditions:
APM is used as VDI proxy for Citrix or VMware.

Impact:
APM's VDI proxy does not perform to its full capacity.

Workaround:
None.

924589-1 : PEM ephemeral listeners with source-address-translation may not count subscriber data

Links to More Info: BT924589

Component: Policy Enforcement Manager

Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.

Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)

Impact:
Inaccurate subscriber traffic reporting and classification.

Workaround:
None.

924297-2 : Ltm policy MCP objects are not being synced over to the peer device

Links to More Info: BT924297

Component: TMOS

Symptoms:
An LTM policy does not sync to the peer device, but the devices report "In Sync".

Conditions:
-- Sync/failover device group with full load on sync disabled
-- A draft policy is attached to a parent policy's rule actions and published.
-- A config sync occurs (manually or automatically)

Impact:
The LTM policy does not sync to the peer device.

Workaround:
Perform a full config sync:

tmsh run cm config-sync force-full-load-push to-group <device group name>

923745-3 : Ctrl-Alt-Del reboots the system

Links to More Info: BT923745

Component: TMOS

Symptoms:
A device reboot occurs when pressing Ctrl-Alt-Del.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.

Impact:
Accidental reboots are possible. You should not reboot VE using Ctrl-Alt-Del.

Workaround:
Run the following command:

systemctl mask ctrl-alt-del.target

923233-1 : Incorrect encoding in 'Logout Page' for non-UTF8 security policy

Links to More Info: BT923233

Component: Application Security Manager

Symptoms:
Fields in 'Logout Page' for a non-UTF8 security policy has incorrect encoding for values, including non-English characters in the GUI and iControl REST.

Conditions:
This can be encountered while creating a non-UTF8 security policy via iControl REST, where the 'expected' and 'unexpected' fields contain non-UTF8 content.

Impact:
Logout Page field values are displayed with the wrong encoding.

Workaround:
None.

923221-4 : BD does not use all the CPU cores

Links to More Info: BT923221

Component: Application Security Manager

Symptoms:
Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
1. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm

Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF'

To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

2. Restart the asm process:
   bigstart restart asm.

922885-3 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.5

Links to More Info: K27872027, BT922885

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.5 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

'tmsh show net interface' indicates that one or more interfaces are not initialized.

Conditions:
-- BIG-IP VE running on VMware ESXi 6.5 hypervisor.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
-- On the BIG-IP systems, you can switch to the 'sock' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.

1, At the command prompt, run the following command to enable the sock driver in tmm_init.tcl:

echo "device driver vendor_dev 15ad:07b0 sock" >> tmm_init.tcl

2. Restart tmm:

tmsh restart sys service tmm

-- After restarting, the sock driver should be listed in the 'driver_in_use' column when running the following command.

tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- --------------------- -------------
0000:03:00.0 F5DEV_PCI xnet, vmxnet3, sock,
0000:0b:00.0 1.1 F5DEV_PCI xnet, vmxnet3, sock, sock
0000:13:00.0 1.2 F5DEV_PCI xnet, vmxnet3, sock, sock
0000:1b:00.0 1.3 F5DEV_PCI xnet, vmxnet3, sock, sock

922641-4 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow

Links to More Info: BT922641

Component: Local Traffic Manager

Symptoms:
iRule commands issued after a clientside or serverside command operate on the wrong peer flow.

Conditions:
An iRule contains a script that parks in a clientside or serverside command.

Examples of parking commands include 'table' and 'persist'.

Impact:
The iRule commands operate on the wrong peer flow.

Workaround:
Avoid using commands that park inside the clientside or serverside command.

922613-2 : Tunnels using autolasthop might drop traffic with ICMP route unreachable

Links to More Info: BT922613

Component: TMOS

Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.

Conditions:
No route exists to the other end of the tunnel.

Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.

Workaround:
Create a route towards the other remote end of the tunnel.

922413-2 : Excessive memory consumption with ntlmconnpool configured

Links to More Info: BT922413

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.

922153-2 : Tcpdump is failing on tmm 0.x interfaces

Links to More Info: BT922153

Component: TMOS

Symptoms:
The tcpdump command exits immediately with an error:
 errbuf ERROR:TMM side closing: Aborted
tcpdump: pcap_loop: TMM side closing: Aborted

Conditions:
Capturing the packets on tmm interfaces.

Impact:
Unable to capture the packets on specific tmm interfaces.

Workaround:
There are two possible workarounds:

-- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command:

TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16


-- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade (127.20.<slot>.<tmmnumber+1> (e.g. 127.20.1.1 == slot1/tmm0, 127.20.2.16 == slot2/tmm15):

TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16

922069 : Increase iApp block configuration processor timeout

Links to More Info: BT922069

Component: TMOS

Symptoms:
Attempting to configure and deploy an SSL Orchestrator configuration may result in a configuration processor timeout error.

Conditions:
When the TMOS control plane is taking a relatively high amount of CPU processing due to intense REST framework management workflows, any attempt to configure and deploy an SSL Orchestrator configuration using the guided configuration user interface, might take longer than the default 30 seconds timeout.

Impact:
The operation fails, resulting in a configuration processor timeout error. The BIG-IP administrator cannot configure and deploy an SSL Orchestrator configuration.

Workaround:
1. Edit the /var/config/rest/iapps/f5-iappslx-ssl-orchestrator/nodejs/gc/orchestratorConfigProcessor.js file:

vi /var/config/rest/iapps/f5-iappslx-ssl-orchestrator/nodejs/gc/orchestratorConfigProcessor.js

2. Locate the var _createComponentBlock = function(...) and locate the following line inside the function body (line ~1290):

requestBody.state = "BINDING";

3. Add the following after the 'requestBody.state' line:
requestBody.configProcessorTimeoutSeconds = 120;

4. Save the edited file.

5. Restart the restnoded daemon:
bigstart restart restnoded

922005-3 : Stats on a certain counter for web-acceleration profile may show excessive value

Links to More Info: BT922005

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is configured to use the RAM Cache feature, a corresponding profile may report an excessively large value for the cache_misses_all counter under certain conditions.

Conditions:
-- The BIG-IP system has a virtual server with web-acceleration profile without an application (RAM Cache feature).
-- The virtual receives uncacheable requests which are interrupted by a client or are not served by a server.

Impact:
A value for cache_misses_all incurs an arithmetic overflow, and shows an excessive number comparable with 1.8e19. The issue has no functional impact; the system operates as normal.

Workaround:
None.

921993-3 : LTM policy with a 'contains' operator does not work as expected when using an external data group.

Links to More Info: BT921993

Component: Local Traffic Manager

Symptoms:
If a combination of other operators and the 'contains' operator are used in LTM Policy, searches might fail if the hashing-based operators have not populated the target entries.

Conditions:
-- LTM policy with 'contains' operator.
-- Use of external datagroups.

Impact:
LTM policy might not work as expected with external data groups.

Workaround:
Use either of the following workarounds:

-- If applicable, change the 'contains' operator to 'starts_with' in the policy.

-- Change the policy into an iRule (executing '[class get <datagroup]' )

921697-3 : Attack signature updates fail to install with Installation Error.

Links to More Info: BT921697

Component: Application Security Manager

Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:

/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)

/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781

Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.

2. Installing a new ASU file

Impact:
The attack signature update fails.

Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.

Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:

1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg

2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800

3. Restart ASM.
# bigstart restart asm

921541-3 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Links to More Info: BT921541

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.

921477-2 : Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.

Links to More Info: BT921477

Component: Local Traffic Manager

Symptoms:
With the HTTP RFC enforcement profile option enabled, incoming health monitor requests without an HTTP version in the request line (HTTP/0.9) may fail to produce the correct result for dual BIG-IP configurations. This can result in incoming health monitor traffic being incorrectly blocked when traveling through a virtual server. These health monitors will be unable to provide the correct availability of the intended resource. The default HTTP and HTTPS monitors as well as any custom monitors with a missing HTTP version in their requests could see this issue.

Conditions:
A dual BIG-IP configuration may provisioned with the following considerations.

-- One or more BIG-IP systems are in the network path for monitor traffic.

-- The first BIG-IP system uses a health monitor that initiates a health check request (without an HTTP version) in the request line (HTTP/0.9) against a second BIG-IP system.

-- The second (downstream) BIG-IP system has a virtual server that is the endpoint for the monitor. The virtual server is configured with an HTTP profile with the HTTP RFC Compliance profile option selected.

Impact:
Rather than receiving the correct health check result, the original BIG-IP system can fail to report whether the second BIG-IP is available.

Workaround:
You can use http_head_f5 monitor to perform health checks.

921441-2 : MR_INGRESS iRules that change diameter messages corrupt diam_msg

Links to More Info: BT921441

Component: Service Provider

Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.

There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found

Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:

ltm rule Diameter - iRule {
  when MR_INGRESS {
    DIAMETER:: host origin "hostname.realm.example"
  }
}

-- Traffic arrives containing CER and ULR messages.

Impact:
Using the iRule to change the host origin corrupts the diameter message.

Workaround:
None.

921149-1 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Links to More Info: BT921149

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.

921121-4 : Tmm crash with iRule and a PEM Policy with BWC Enabled

Links to More Info: BT921121

Component: TMOS

Symptoms:
Tmm crashes while passing traffic through PEM.

Conditions:
-- PEM policy with bandwidth controller.
-- iRule makes a traffic decision based on certain unique PEM sessions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

921001-4 : After provisioning change, pfmand might keep interfaces down on particular platforms

Links to More Info: BT921001

Component: TMOS

Symptoms:
After a provisioning change, pfmand might keep interfaces down.

Conditions:
-- Provisioning change on the following platforms:
   + i850
   + i2600 / i2800
   + i4600 / i4800
   + 2000- and 4000-series

-- Link Down Time on Failover configured to a non-zero value (the default is '10').

Impact:
Interfaces remain DOWN.

Workaround:
Follow this procedure:

1. Set db failover.standby.linkdowntime to '0'.

2. To bring interfaces UP again, restart pfmand:
bigstart restart pfmand

920893-1 : GUI banner for configuration issues frozen after repeated forced VIPRION blade failover

Links to More Info: BT920893

Component: TMOS

Symptoms:
Repeatedly forcing VIPRION blade failover can cause the GUI to get stuck displaying:

This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. Failover occurs as expected, and the device is operational.

Conditions:
Repeatedly forcing blade failover triggers this issue, with commands such as the following issued in rapid succession:

- tmsh modify sys cluster default members { 2 { disabled } }
- tmsh modify sys cluster default members { 2 { enabled } }
- tmsh modify sys cluster default members { 1 { disabled } }
- tmsh modify sys cluster default members { 1 { enabled } }

Impact:
The GUI continuously displays the banner the device-not-operational banner. However, the device is operational.

Workaround:
You can use either of the following workarounds to return the GUI to normal operation:
-- Restart mcpd by running the following command:
bigstart restart mcpd

-- Reboot the VIPRION system.

920817-6 : Wide IP operations performed in quick succession result in missing resource records and out of sync journals.

Links to More Info: BT920817

Component: Global Traffic Manager (DNS)

Symptoms:
Two issues occur with Wide IP operations performed in quick succession:
1. DNS Zone syncing is missing resource records.
2. In some cases it throws named/zrd error: journal rollforward failed: journal out of sync with zone.

Conditions:
This issue can occur when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group.

Impact:
DNS resource records can be missing from the BIND DNS database.

The impact of this issue is that if GSLB Load Balancing falls back to BIND, the DNS resource records may not be present.
Manually remove the .jnl files in order to restore named/zrd on all GTMs.

Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group.

Note: It is also possible to turn off zone syncing. GTM/DNS configuration is still synced, but you lose the ability to sync non-Wide IP changes to the BIND DB.
If you do not use ZoneRunner to add additional non-Wide IP records, this is only a problem when GSLB resorts fallback to BIND.
This can be mitigated with DNSX and DNS (off device) for non Wide IP Resource Records.

Manually remove the .jnl files in order to restore named/zrd on all GTMs.

920789-2 : UDP commands in iRules executed during FLOW_INIT event fail

Links to More Info: BT920789

Component: Local Traffic Manager

Symptoms:
UDP commands in iRules executed during FLOW_INIT event fail.

Conditions:
An iRule that contains UDP commands is executed on the FLOW_INIT event.

Impact:
UDP commands in iRules executed during FLOW_INIT event fail.

Workaround:
None.

920761-2 : Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values

Links to More Info: BT920761

Component: TMOS

Symptoms:
In the GUI if you change a virtual server from one type to another, there may be changes automatically applied to some of the settings. If you change the type back to its original value, those changes remain, and are saved when you click Update.

Conditions:
-- Modifying a virtual server from one type to another, and then changing it back to the original type.
-- Clicking Update.

Impact:
Unexpected configuration changes, which can lead to unexpected behavior of the BIG-IP system.

Workaround:
To prevent unwanted changes, when you change a virtual server's type and then change it back within the same session, click Cancel instead of Update.

920541-3 : Incorrect values in 'Class Attribute' in Radius-Acct STOP request

Links to More Info: BT920541

Component: Access Policy Manager

Symptoms:
'Class Attribute' value in the Radius-Acct STOP request from the BIG-IP APM system does not match the 'Class Attribute' value in the Radius-Acct START request from the RADIUS server.

Conditions:
-- Access policy is configured with RADIUS Acct VPE item to send accounting messages to RADIUS server when users log on and off.

Impact:
RADIUS server does not log accounting information properly.

Workaround:
This workaround textually describes reconfiguring an access policy in the Visual Policy Editor (VPE). Descriptions may not be as straightforward as in regular GUI workarounds.

This is a description of the visual layout of the policy:

Start --+-- Logon Page --+-- RADIUS Auth --+-- RADIUS Acct --+-- Variable Assign (1) --+-- Advanced Resource Assign --+-- Variable Assign --+-- Allow

1. Decode the class attribute and save it in a temporary variable:

   -- Click Variable Assign (1); in the two sub-areas, enter the following:

      temp.radius.last.attr.class.decoded
      expr { [mcget -decode {session.radius.last.attr.class}] }

2. Copy the temporary variable into the class session var:

   -- Click Variable Assign; in the two sub-areas, enter the following:

   session.radius.last.attr.class,
   expr { [mcget {temp.radius.last.attr.class.decoded}] }

In this way, when you log out, and APM sends the RADIUS Stop accounting message, it uses the decoded value that is saved in the session.radius.last.attr.class variable.

920517-2 : Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI

Links to More Info: BT920517

Component: TMOS

Symptoms:
When creating a Rate Shaping Rate Class in the GUI, the default values for 'Queue Method' and 'Drop Policy' are not correct.

Conditions:
-- Creating a Rate Shaping Rate Class in the GUI.
-- Leaving 'Queue Method' and 'Drop Policy' settings as their defaults.

Impact:
Unexpected values in the configuration: 'Queue Method' is 'sfq' and 'Drop Policy' is 'tail#39;.

Workaround:
You can use either of the following workarounds:

-- Manually set the 'Queue Method' and 'Drop Policy' when creating a Rate Shaping Rate Class object. These settings are available in the 'Advanced' view of the 'General Properties' section. 'Queue Method' should be 'pfifo' and 'Drop Policy' should be 'fred'.

-- Use TMSH to create Rate Shaping Rate Class objects.

920285 : WS::disconnect may result in TMM crash under certain conditions

Links to More Info: BT920285

Component: Local Traffic Manager

Symptoms:
The WebSocket profile allows use of the WS::disconnect iRule command to gracefully terminate a connection with a client or a server. Use of this command may result in crash if tmm parts the iRule before execution completes.

Conditions:
-- BIG-IP has a virtual server configured with a WebSocket profile.
-- An iRule the includes the WS::disconnect command is attached to the virtual server.
-- BIG-IP is under heavy load and/or the iRule requires an extended time to execute, which might happen, for example, during execution on an iRule, tmm might park the iRule execution because the operation takes more CPU cycle than tmm can allocate to complete the iRule execution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

920205-4 : Rate shaping might suppress TCP RST

Links to More Info: BT920205

Component: Local Traffic Manager

Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.

Conditions:
Rate shaping is configured.

Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.

Workaround:
Do not use rate-shaping.

919861-1 : Tunnel Static Forwarding Table does not show entries per page

Links to More Info: BT919861

Component: TMOS

Symptoms:
On the Network :: Tunnels page of the GUI, if the Tunnel Static Forwarding Table contains more than one page of data, you are unable to advance past the first page.

Conditions:
Tunnel Static Forwarding Table contains a large number of configured tunnels.

Impact:
The content displayed on screen and does not conform to the system preference for Records Per Screen.

Workaround:
None.

919401-2 : Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed

Links to More Info: BT919401

Component: TMOS

Symptoms:
If ICAP is not licensed, the system does not prevent you from adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in the CLI. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.

919317-5 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Links to More Info: BT919317

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using EMCP routes reachable via recursive nexthops.

919185-2 : Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed

Links to More Info: BT919185

Component: TMOS

Symptoms:
The Request Adapt Profile and Response Adapt Profile settings are visible when creating or editing a virtual server in the GUI on systems that do not have ICAP licensed. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.

918905-2 : PCCD restart loop when using more than 256 FQDN entries in Firewall Rules

Links to More Info: BT918905

Component: Advanced Firewall Manager

Symptoms:
PCCD enters a restart loop, until the configuration is changed such that 256 or fewer FQDN entries are in use. Errors are reported to the terminal screen:

pccd[23494]: 015d0000:0: pccd encountered a fatal error and will be restarted shortly...

Conditions:
Greater than 256 FQDN entries are in use in Firewall Rules.

Impact:
PCCD goes into a restart loop. PCCD is not functional until there are 256 or fewer entries.

Workaround:
Use 256 or fewer FQDN entries in Firewall Rules.

To aid in the removal of extra rules when using tmsh, you can prevent PCCD restart messages from flooding the console:
1. Stop PCCD to halt the restart messages:
bigstart stop pccd
2. Modify the configuration.
3. Bring PCCD back up:
bigstart start pccd

918693-4 : Wide IP alias validation error during sync or config load

Links to More Info: BT918693

Component: Global Traffic Manager (DNS)

Symptoms:
DB validation exception occurs during sync or config load:

01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.

Conditions:
-- Wide IP has an alias associated with it.
-- Sync or load the config.

Impact:
You are unable to load config or full sync from peer GNS/GTM.

Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.

918409-2 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures

Links to More Info: BT918409

Component: TMOS

Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.

Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that that causes a tmm process greater than the 24th tmm process to loop.

Impact:
Traffic disrupted on the tmm process that is looping indefinitely.

Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.

Note: The change does not persist across software installs.

    a. mount -o remount,rw /usr
    b. Edit /defaults/daemon.conf and put these contents at the top of the file:

sys daemon-ha tmm24 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm25 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm26 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm27 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}

    c. mount -o remount,ro /usr

2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:

    tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm

918277-2 : Slow Ramp does not take into account pool members' ratio weights

Links to More Info: BT918277

Component: Local Traffic Manager

Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.

Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.

Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.

Workaround:
None.

918053-1 : [Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile.

Links to More Info: BT918053

Component: Access Policy Manager

Symptoms:
The default value of 'Enable Always Connected' becomes enabled for connectivity profiles after adding 'Server List' to one of the connectivity profiles with the same Parent profile.

Conditions:
-- Add 'Server List' to one of the connectivity profiles with the same Parent profile.
-- Enable the 'Always Connected mode' setting for one of the connectivity profiles.

Impact:
This change affects all of the connectivity profiles. The parent-child inheritance logic is broken.

Workaround:
Manually uncheck the setting in all new profiles where 'Enable Always Connected' is not needed.

918013-1 : Log message with large wchan value

Links to More Info: BT918013

Component: TMOS

Symptoms:
A message is logged with a very large wchan (waiting channel, WCHAN :: Sleeping in Function) value that corresponds to -1 when read as signed instead of unsigned.

Conditions:
This happens in normal operation.

Impact:
The message is not accurately reporting the wchan value

Workaround:
Look at the /proc/PID/stack file for the correct wchan value.

917637-2 : Tmm crash with ICAP filter

Links to More Info: BT917637

Component: Service Provider

Symptoms:
Tmm crashes while passing traffic.

Conditions:
-- Per-request policies configured.
-- ICAP is configured.

This is rare condition that occurs intermittently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

916485-2 : Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object

Links to More Info: BT916485

Component: Local Traffic Manager

Symptoms:
Running 'tmsh install sys crypto key' command for SafeNet keys creates a new mcp object with the keyname as the label name in HSM, and with the duplicate key-id.

Conditions:
This happens when trying to install the key using the key-label as the argument.

Impact:
Even after deleting the tmsh key (tmsh delete sys crypto key), the BIG-IP system can still pass traffic because there's a duplicate key pointing to the same key in the HSM.

Workaround:
None.

915969-1 : Truncated QUIC connection close reason

Links to More Info: BT915969

Component: Local Traffic Manager

Symptoms:
The connection close reason in QUIC is limited to 5 bytes prior to the path being validated. This makes it difficult to debug early connection failures.

Conditions:
A connection close is sent in QUIC before the path is validated.

Impact:
Connection close reason is limited to 5 bytes before the path is validated.

Workaround:
None

915829-2 : Particular Users unable to login with LDAP Authentication Provider

Links to More Info: BT915829

Component: TMOS

Symptoms:
With LDAP as authentication provider, some administrative users are unable to login to BIG-IP.

Conditions:
-- LDAP remote authentication.
-- Certain users, whose characteristics have not been identified.

Impact:
Certain client users cannot login to administer the BIG-IP system.

Workaround:
None.

915557-2 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.

Links to More Info: BT915557

Component: TMOS

Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:

General database error retrieving information.

Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.

Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.

Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.

915493-4 : imish command hangs when ospfd is enabled

Links to More Info: BT915493

Component: TMOS

Symptoms:
Running the imish command hangs when ospfd is enabled.

Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.

Impact:
The imish operation hangs.

Workaround:
Restart the ospfd daemon.

915473-1 : Accessing Dashboard page with AVR provisioned causes continuous audit logs

Links to More Info: BT915473

Component: TMOS

Symptoms:
Navigating to Statistics :: Dashboard in the GUI with AVR or APM provisioned causes continuous audit logging and restjavad logs.

Conditions:
-- AVR provisioned
-- An administrator navigates to Statistics :: Dashboard.

Impact:
The continuous extra logs might lead to confusion and may not be helpful.

Workaround:
None.

915221-4 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Links to More Info: BT915221

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.

915141-2 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'

Links to More Info: BT915141

Component: TMOS

Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.

Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.

Impact:
Inconsistent availability status of pool and virtual server.

Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.

915133-3 : Single Page Application can break the page, when hooking is done by the end server application.

Links to More Info: BT915133

Component: Application Security Manager

Symptoms:
When the end server application hooks some of the XHR callback functions (onload, onreadystate, send, open..), and a Single Page Application is used, the application page may malfunction.

Conditions:
This may occur when a server application hooks some XHR callbacks, and one of the following:

-- Bot Defense Profile with 'Single Page Application' enabled and attached to the virtual server.

-- ASM Policy with 'Single Page Application' enabled and a JS feature is attached to the virtual server.

-- DoS Profile with Application Security and 'Single Page Application' enabled and is attached to the virtual server.

Impact:
Web page does not render properly. It might result in a blank page, missing functionality, etc.

Workaround:
Run the command:
tmsh modify sys db dosl7.parse_html_inject_tags value "after,body"

915005-1 : AVR core files have unclear names

Links to More Info: BT915005

Component: Application Visibility and Reporting

Symptoms:
If avrd fails a core file created in this case is named accordung to the thread name and has no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz

Conditions:
Avrd fails with a core

Impact:
It is inconvenient for identifying the process that caused the core.

914589-2 : VLAN Failsafe timeout is not always respected

Links to More Info: BT914589

Component: Local Traffic Manager

Symptoms:
VLAN Failsafe timeout is triggered later than its configured interval.

Conditions:
-- Rarely happen on first failover. More commonly occurs on 3rd/4th failover.
-- Specific conditions that cause this issue are not known.

Impact:
VLAN Failsafe timeout might be triggered later than it is configured.

The exact impact varies based on the configuration and traffic activity.

Workaround:
Use another form of automatic failover if needed (gateway failsafe, ha-groups, etc.).

914309-3 : TMM crash seen with FTP and Classification profiles

Links to More Info: BT914309

Component: Local Traffic Manager

Symptoms:
TMM might core and restart when FTP traffic is being proxied by a BIG-IP device.

Conditions:
-- Both FTP and Classification profiles are applied to a virtual server.
-- The FTP profile has inherit-parent-profile enabled.

Impact:
-- TMM crashes and restarts
-- Failover, loss of service during restart.
-- Traffic disrupted while tmm restarts.

Workaround:
None.

914061-2 : BIG-IP may reject a POST request if it comes first and exceeds the initial window size

Links to More Info: BT914061

Component: Local Traffic Manager

Symptoms:
HTTP/2 protocol allows a negative flow-control window on initial stage of communication while first 65,535 bytes of payload are delivered from a peer. BIG-IP may break this requirement.

Conditions:
-- BIG-IP has a virtual server with http2 profile.
-- A configured receive window size in the http2 profile is below 64K (default 32K).
-- A peer sends POST request with payload exceeding initial receive window size over HTTP/2 connection.

Impact:
BIG-IP denies the POST request and sends RST_STREAM.

913917-2 : Unable to save UCS

Links to More Info: BT913917

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to create a backup UCS.

You see a warning in /var/log/restjavad.0.log:

[WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/.

Conditions:
Named has some Slave zones configured and is going through frequent zone transfer.

Impact:
You are unable to create a UCS file.

Workaround:
Stop named zone transfer while doing UCS backup.

913713-2 : Rebooting a blade causes MCPd to core as it rejoins the cluster

Links to More Info: BT913713

Component: TMOS

Symptoms:
Tmm and mcpd cores for slot2

Conditions:
On the standby chassis, reboot the primary blade and wait for it to rejoin the cluster. Once it does, mcpd will core.

Impact:
Traffic disrupted while tmm and mcpd mcpd restarts.

Workaround:
N/A

913573-2 : Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.

Links to More Info: BT913573

Component: TMOS

Symptoms:
When REST API PUT request is call to modify LTM data-group internal without 'type' field in body-content, it fails intermittently with a 400 error.

--{"code":400,"message":"invalid property value \"type\":\"\"","errorStack":[],"apiError":26214401}

The 'type' field is not getting populated with default value and is set to null string "" instead.

Conditions:
-- PUT REST API request used to modify LTM data-group internal.
-- Type field is not specified in the body-content.

Impact:
Unable to update the configuration object (LTM data-group internal) with REST API PUT.

Workaround:
Include 'type' field inside PUT request body content for the operation to succeed.

Example Curl Command:
-- curl -isku <username>:<password> -H "Content-Type: application/json" -X PUT -d '{"records":[{"name":"1.1.1.1"}, {"name":"1.1.1.2"}], "type":"ip"}' https://localhost/mgmt/tm/ltm/data-group/internal/~Common~<Name>

913385-1 : TMM generates core while deleting iFiles

Links to More Info: BT913385

Component: Local Traffic Manager

Symptoms:
While deleting iFiles, TMM might crash and generates a core.

Conditions:
-- There is any ifile command in an iRule where you are giving a list object to the file name argument instead of to a string object, for example:

The 2nd line returns a list object, and the 3rd line is giving it to ifile command:

set ifile_name tcl.1
set ifile_name [lsearch -glob -inline [ifile listall] "*$ifile_name"]
ifile get $ifile_name

-- A request is processed by the iRule.
-- Attempt to delete the file in which the issue occurred.

Impact:
TMM crashes and restarts, triggering failover in high availability (HA) configurations. Traffic disruption while TMM restarts on a standalone configuration.

Workaround:
Ensure that the iRule gives a string object to ifile commands. Here is a sample iRule that implements the workaround:

set ifile_name tcl.1
set ifile_name [lsearch -glob -inline [ifile listall] "*$ifile_name"]
ifile get [format "%s" $ifile_name]

912761-2 : Link throughput statistics are different

Links to More Info: BT912761

Component: Global Traffic Manager (DNS)

Symptoms:
Different link throughput statistics are seen on GTM/DNS systems that are connected by full-mesh iQuery.

Conditions:
-- The same link is used on different BIG-IP addresses as a pool member in the default gateway pool.
-- A forwarding virtual server is used.

Impact:
Each GTM/DNS server might get different link throughput for the same link, and therefore make less-than-optimal decisions.

Workaround:
Do not use the same uplink for different BIG-IP devices.

912517-2 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Links to More Info: BT912517

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

912293-3 : Persistence might not work properly on virtual servers that utilize address lists

Links to More Info: BT912293

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.

912253-1 : Non-admin users cannot run show running-config or list sys

Links to More Info: BT912253

Component: TMOS

Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:

Unexpected Error: Can't display all items, can't get object count from mcpd.

The list /sys or list /sys telemd commands trigger the following error:

01070823:3: Read Access Denied: user (oper) type (Telemd configuration).

Conditions:
User account with a role of guest, operator, or any role other than admin.

Impact:
You are unable to show the running config, or use list or list sys commands.

Workaround:
Logon with an account with admin access.

911853-5 : Stream filter chunk-size limits filter to a single match per ingress buffer

Links to More Info: BT911853

Component: Local Traffic Manager

Symptoms:
The chunk-size profile setting of the stream filter limits memory by capping the match string allocated from an ingress buffer to <chunksize> bytes. This implicitly limits the maximum size of the match, potentially resulting in missed matches beyond chunk-size within the same ingress buffer. For more information, see:

https://support.f5.com/csp/article/K39394712

Conditions:
A stream filter is configured with the chunk-size parameter set and ingress data arrives which contains matches beyond the configured chunk-size in the buffer.

Impact:
Potential matches beyond the configured chunk-size will be sent unmodified by the stream filter, potentially resulting in missed matches.

Workaround:
None.

911713-3 : Delay in Network Convergence with RSTP enabled

Links to More Info: BT911713

Component: TMOS

Symptoms:
The BIG-IP system does not to Rapid Spanning Tree Protocol (RSTP) Bridge Protocol Data Units (BPDUs) with only the proposal flag ON (i.e., without the agreement flag ON).

Conditions:
-- Neighbor Switch sends RSTP BPDU with only proposal flag ON.
-- The agreement flag is not ON.

Impact:
Network convergence takes more time than expected.

Workaround:
None.

911585-3 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Links to More Info: BT911585

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.

911497-2 : Unbound's backoff algorithm interacts badly with net resolver iRules

Links to More Info: BT911497

Component: Global Traffic Manager (DNS)

Symptoms:
Using RESOLVER::name_lookup in an iRule against a net resolver forward zone name server that happens to be down can result in the iRule pausing for up to a few minutes.

Conditions:
Nameserver configures as fwd-zone in net resolver should be down.

Impact:
The connection to the virtual server is paused for a significant amount of time.

Workaround:
Use a pool of dns-servers, and configure the pool to monitor the backend dns servers and load balance to healthy pool members.

911241-6 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Links to More Info: BT911241

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.

910965-2 : Overflow of Multicast table filling the tmm log

Links to More Info: BT910965

Component: Local Traffic Manager

Symptoms:
Whenever a new multicast entry is added to an already full table, an error is logged to /var/log/tmm

Conditions:
This warning occurs when the multicast table is full

Impact:
When this condition occurs, this can fill the tmm log with these warning messages

Workaround:
None.

910905-1 : Unexpected tmm core

Links to More Info: BT910905

Component: Local Traffic Manager

Symptoms:
A tmm core occurs unexpectedly and causes a failover event.

Conditions:
This can occur while tmm is in normal operation. An internal error occurs when deleting an old SSL session during SSL handshake.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

910777-3 : Sending ASM report via AWS SES failed duo to wrong content type

Links to More Info: BT910777

Component: Application Visibility and Reporting

Symptoms:
When you attempt to send an ASM report via AWS SES, the message bounces with the following message:
  Could not send e-mails: SMTP Error: data not accepted.; Transaction failed: Expected MIME type, got ;; Error code: 554.

This occurs because the BIG-IP system is sending out the report message with an empty Content-Type in the multipart MIME, which the AWS mail host cannot process.

Conditions:
This is encountered in the following scenario:
1. Set up SMTP and ASM schedule report.
2. Click Send Now, and get the error message in GUI.
3. SSH into the BIG-IP system.
4. Add this line under the following snippet:

[admin@bigip:Active:Standalone] ~ # chmod 644 /var/ts/dms/script/avrexport/avrmail.php
[admin@bigip:Active:Standalone] ~ # vi /var/ts/dms/script/avrexport/avrmail.php

if (!$mail_subject) $mail_subject = "BIG-IP Analytics Report";
if (!$mail_body) $mail_body = "Attached to this e-mail is a BIG-IP Analytics Report issued at $mail_time\n\n";
if (!$mail_from) $mail_from = 'BIG-IP Reporter';
if (!$mail_content_type) $mail_content_type = 'text/html'; <<<< Add this line for add text/html into content type.

[admin@bigip:Active:Standalone] ~ # chmod 444 /var/ts/dms/script/avrexport/avrmail.php

5. Click Send Now again and it works.


Note: To use AWS SES, you must verify your email address first (as a Sender). You can search SES in AWS and verify your email in Email Addresses. AWS sends an email. Click the embedded link after receipt, and then you can use it as the Sender address on the BIG-IP system.

Impact:
Cannot receive ASM reports.

910673-4 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'

Links to More Info: BT910673

Component: Local Traffic Manager

Symptoms:
Thales installation script fails with error message.

ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.

Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.

Impact:
Thales/nCipher NetHSM client software installation fails.

Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.

910645-1 : Upgrade error 'Parsing default XML files. Failed to parse xml file'

Links to More Info: BT910645

Component: TMOS

Symptoms:
After upgrading BIG-IP APM, multiple error messages appear in /var/log/ltm:

-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) errno(2) strerror(No such file or directory)
-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) errno(2) strerror(No such file or directory)

Conditions:
-- APM configuration.
-- Upgrade the BIG-IP system to v15.1.0 or newer.

Impact:
These are benign messages that do not indicate a functional issue. There is no impact; the system works correctly.

The errors occur when the upgraded BIG-IP APM configuration attempts to load resource definitions for the modern customization schema. However, by design, the modern customization schema does not define resources. Only the standard customization schema defines resources found under '/var/sam/www/client/customization-source/Common/standard/'.

Workaround:
None.

910325 : DDoS Vector - TCP BAD ACK is not hardware-accelerated

Links to More Info: BT910325

Component: TMOS

Symptoms:
There is no FPGA support for vector number 105 (FPGA vector number). This is an L4 DDoS vector that rate limits the number of incorrect TCP ACK Cookies. The vector is commonly referred to as ACK_Cookie_Bad.

Conditions:
This is encountered when a TCP BADACK DDoS vector is detected.

Impact:
This vector is not hardware accelerated. The DDoS mitigation can rely only on software support for this DDoS vector.

Workaround:
None.

910273-2 : SSL Certificate version always displays as '1' in the GUI

Links to More Info: BT910273

Component: Local Traffic Manager

Symptoms:
In GUI an SSL certificate's version is displayed as '1', even if its version is higher than 1.

Conditions:
-- Viewing an SSL certificate in the GUI.
-- The SSL certificate's version is higher than 1.

Impact:
SSL certificate's version is displayed as '1'. There is no functional impact.

Workaround:
None.

910213-2 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Links to More Info: BT910213

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.

Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.

There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.

910105-1 : Partial HTTP/2 payload may freeze on the BIG-IP system

Links to More Info: BT910105

Component: Local Traffic Manager

Symptoms:
HTTP/2 allows sending the payload in both directions gradually, until a frame with an END_STREAM flag closes a direction. The BIG-IP does not properly handles an early response from a server when HTTP router is configured on a virtual and partial payload sent in each direction. In this case, communication over the stream hangs.

Conditions:
-- Virtual server is configured on the BIG-IP system with HTTP and HTTP/2 profiles on both the client and server sides.
-- HTTP router profile is configured on the virtual server.
-- Client sends a request and delivers a partial payload, waiting for a response from a server.
-- Server responds with a partial payload.

Impact:
A response with a partial payload is not delivered to a client. Communication freezes on that specific stream.

Workaround:
None.

909997-3 : Virtual server status displays as unavailable when it is accepting connections

Links to More Info: BT909997

Component: Local Traffic Manager

Symptoms:
After a rate limit is triggered and released, the virtual server status in the GUI remains as 'unavailable'. The virtual server resumes accepting new connections while the GUI shows the virtual server is unavailable.

Conditions:
-- The virtual server has a source address list configured.
-- Address lists define more than one address.
-- The connections are over the rate limit, and the virtual server status is marked unavailable.
-- The number of connections falls below the limit.

Impact:
Actual virtual server status is not reflected in GUI.

Workaround:
If the deployment design allows, you can use either of the following workarounds:

-- Remove the source address list from the virtual server.

-- Have a single address in the source address list.

909677-2 : HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted

Links to More Info: BT909677

Component: Local Traffic Manager

Symptoms:
When using HTTP/2, the :scheme pseudo-header appears to always be set to HTTPS on requests, even when the server-side connection is not encrypted.

Conditions:
-- Using an HTTP/2 virtual server.
-- The server-side connection that is unencrypted.

Impact:
The impact of this issue varies based on how the application reacts at the server-side.

Workaround:
None.

909505-3 : Creating LTM data group external object fails.

Links to More Info: BT909505

Component: TMOS

Symptoms:
iControl REST command to create a data group fails if you do not set the externalFileName variable.

The same command works in tmsh, and you are not required to specify the externalFileName.

Conditions:
-- Creating a data group using iControl REST.
-- POST payload does not contain the externalFileName variable.

Impact:
You are unable to create the data group.

Workaround:
The command works if you specify the externalFileName parameter:

curl -sku $PASS https://$HOST/mgmt/tm/ltm/data-group/external -X POST -H "Content-type: application/json" -d '{"name":"fooBar", "externalFileName":"fooBar.txt"}'

909485-3 : Deleting LTM data-group external object incorrectly reports 200 when object fails to delete

Links to More Info: BT909485

Component: TMOS

Symptoms:
When you delete an LTM external data-group object using iControl REST, it incorrectly returns '200 OK' even though the object is not deleted.

Conditions:
-- Deleting an external data-group object via iControl REST.
-- The LTM external data-group object is referenced by another object (such as an iRule).

Impact:
The object still exists, even though the system returns a '200 OK' message indicating that the operation completed successfully.

Workaround:
None.

908829-1 : The iqsyncer utility may not write the core file for system signals

Links to More Info: BT908829

Component: Global Traffic Manager (DNS)

Symptoms:
In certain instances, the iqsyncer utility may not write the core file for system signals.

Conditions:
-- SELinux policies enabled.
-- Run the iqsyncer utilities to initiate a core dump with system signals SIGABRT, SIGQUIT, and SIGSEGV.

Impact:
The iqsyncer utility does not write core file.

Workaround:
Disable SELinux with 'setenforce 0'.

You can now generate a core with a SIGQUIT (-3), but not with SIGABRT or SIGSEGV.

908801-1 : SELinux policies may prevent from iqsh/iqsyncer dumping core

Links to More Info: BT908801

Component: Global Traffic Manager (DNS)

Symptoms:
SELinux policies may prevent the iqsh/iqsyncer utilities from dumping core information.

Conditions:
-- SELinux policies enabled.
-- Run the iqsh/iqsyncer utilities to initiate a core dump.

Impact:
The operation does not result in dumping the core information.

Workaround:
Disable SELinux with 'setenforce 0'.

908753-3 : Password memory not effective even when password policy is configured

Links to More Info: BT908753

Component: TMOS

Symptoms:
The BIG-IP system does not prevent you from specifying previously used passwords, even if Secure Password Enforcement is enabled with password memory set to a non-zero value.

Conditions:
-- Password memory in auth settings is not 0 (zero).
-- Attempt to specify a previously specified password

Impact:
Password history to prevent user from using same password is not enforced.

Workaround:
None.

908477-2 : Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request

Links to More Info: BT908477

Component: Service Provider

Symptoms:
When an HTTP chunked request is sent to a virtual server that has both a request-adapt (e.g., for ICAP), and a request-logging profile attached, the request that is sent to the ICAP server is doubly chunked.

Conditions:
-- A virtual server is configured with both a request-adapt (ICAP) and request-logging profile.
-- HTTP chunked requests are sent to this virtual server.

Impact:
Data corruption in the HTTP stream.

Workaround:
You can use either of the following workarounds:

-- Force rechunking on the HTTP profile:
request-chunking rechunk

-- Remove the request-logging profile (and potentially log requests) using an iRule instead.

908453-3 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly

Links to More Info: BT908453

Component: TMOS

Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.

Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.

Impact:
The vCMP guests may fail over unexpectedly.

Workaround:
Do not use trunk names longer than 32 characters.

907873-2 : Authentication tab is missing in VPE for RDG-RAP Access Policy type

Links to More Info: BT907873

Component: Access Policy Manager

Symptoms:
Authentication tab is missing in Visual Policy Editor (VPE) for RDG-RAP Access Policy type

Conditions:
Configuration of RDG-RAP Access Policy type in VPE.

Impact:
Authentication tab with AD/LDAP Query agents is missing in VPE.

Workaround:
Use the tmsh cli configuration of AD/LDAP Query for RDG-RAP Access Policy type.

907645-1 : IPsec SAs may not be mirrored to HA standby

Links to More Info: BT907645

Component: TMOS

Symptoms:
Some IPsec Security Associations (SAs) may not be mirrored to the HA standby device.

Conditions:
-- HA mirrored configured
-- Many IPsec tunnels are established

Impact:
The HA standby system is unable to take over established tunnels when HA failover happens.

Workaround:
None

907177-2 : Priority of embedded APM iRules is ignored

Links to More Info: BT907177

Component: Local Traffic Manager

Symptoms:
Custom iRule events are executed before the embedded APM iRule events, despite the custom iRule's priority value being larger than the APM iRule's priority value.

Conditions:
-- APM is provisioned.
-- Custom iRule with a priority value larger the APM iRule's priority value.

Impact:
Custom iRule event is executed before APM iRule event.

Workaround:
None.

907045-2 : QUIC HANDSHAKE_DONE is sent at the end of first flight

Links to More Info: BT907045

Component: Local Traffic Manager

Symptoms:
QUIC does not send the HANDSHAKE_DONE immediately on conclusion of the handshake. Instead, it sends an entire flight of data first.

Conditions:
This happens in normal operation.

Impact:
The end user system has to store handshake state longer than it might have to otherwise.

Workaround:
None.

906737-3 : Error message: 'templates/' is not a directory

Links to More Info: BT906737

Component: Application Security Manager

Symptoms:
Some of the Templates class values are incorrectly initialized with the wrong base directory, so every time specific pages are opened in browser a message is written to var/log/ts/ui/debug.log:

'templates/' is not a directory.

Conditions:
Open Live Update, Policies Lists, Policies Summary, and several other pages under the Security heading.

Impact:
No functional impact, but log entries are added.

Workaround:
None

906653-3 : Server side UDP immediate idle-timeout drops datagrams

Links to More Info: BT906653

Component: Local Traffic Manager

Symptoms:
With immediate idle-timeout, flows may be closed before a datagram is forwarded.

Conditions:
-- Immediate idle-timeout is set on the server context of a UDP virtual server.

Impact:
Datagrams are dropped periodically depending on traffic load.

Workaround:
None.

906505-2 : Display of LCD System Menu cannot be configured via GUI on iSeries platforms

Links to More Info: BT906505

Component: TMOS

Symptoms:
In the BIG-IP Graphical User Interface (TMUI), display of the System Menu on the LCD front panel of most BIG-IP platforms can be enabled or disabled under System :: Configuration :: Device :: General.

However, on iSeries appliances, the 'Display LCD System Menu' option does not appear on this page.

Conditions:
This occurs on the following iSeries appliances:
-- i850
-- i2000-series (i2600/i2800)
-- i4000-series (i4600/i4800)
-- i5000-series (i5600/i5800/i5820-DF)
-- i7000-series (i7600/i7600-D/i7800/i7800-D/i7820-DF)
-- i10000-series (i10600/i10600-D/i10800/i10800-D)
-- i11000-series (i11600/i11800/i11400-DS/i11600-DS/i11800-DS)
-- i15000-series (i15600/i15800)

Impact:
The 'Display LCD System Menu' option cannot be configured via the GUI.

Workaround:
You can enable display of the LCD System Menu using the Command Line (CLI) by running the following commands, in sequence:

tmsh mod sys global-settings lcd-display [enabled|disabled]
tmsh mod sys db lcd.showmenu value [enabled|disabled]

906449-2 : Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load

Links to More Info: BT906449

Component: TMOS

Symptoms:
The text that describes the monitor state of an LTM node, pool member, or monitor instance also contains a timestamp that initially indicates when the monitor set the affected node or pool member to the indicated state. This timestamp can be affected by other actions, such as incremental or full config sync and config load.

The monitor-state description and timestamp can be viewed in the CLI (CLI/TMSH) and GUI (TMUI) as follows:

-- From the CLI/TMSH:
tmsh show ltm monitor <monitor_type> <monitor_name>

This command shows the state of ltm nodes or pool members currently monitored by the specified ltm health monitor, as in the following example:
-------------------------------------
 LTM::Monitor /Common/mysql_test
-------------------------------------
   Destination: 10.10.200.28:3296
   State time: down for 1hr:58mins:42sec
   | Last error: No successful responses received before deadline. @2020.03.25 14:10:24

-- From the GUI:
   + Navigate to Local Traffic :: Nodes : Node List :: <node_name>. The 'Availability' field shows text describing the node's monitored state with a timestamp.

   + Navigate to Local Traffic :: Pools : Pool List :: <pool_name>, under the Members tab, click the pool member name. The 'Availability' field shows text describing the pool member's monitored state with a timestamp.

Conditions:
This may occur under the following conditions:

-- If an incremental config sync occurs from one high availability (HA) member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + If a Node or Pool Member has been marked DOWN by a monitor, its timestamp may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a full/forced config sync occurs from one HA member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a config load occurs:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on the HA member where the config load occurred.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on the HA member where the config load occurred.

Impact:
The timestamp indicated next to the monitored-state description for an LTM Node or Pool Member indicates when the Node or Pool Member was updated in ways other than by its configured monitor. Thus, this timestamp may not indicate the actual time of the monitor event suggested by the description text.

Workaround:
None.

905893 : Modification of SmartNIC MTU not supported

Links to More Info: BT905893

Component: TMOS

Symptoms:
During initialization, the SmartNIC driver reports a fixed MTU size. This prevents the MTU from being modified and results in the following error message in /var/log/tmm:

bigip1 notice xnet[00:08.0]: Error: Command 14 failed: 5

Conditions:
This error message is generated each time TMM is started or restarted.

Impact:
Jumbo frames are not supported by SmartNIC.

Workaround:
None.

905881 : MTU assignment to non-existent interface

Links to More Info: BT905881

Component: TMOS

Symptoms:
Warning log message generated to /var/log/ltm

warning mcpd[5494]: 01071859:4: Warning generated : cannot set MTU for eth1. No such device. For legacy VE driver.

Conditions:
Occurs when enabling or disabling VLAN-based Syn Cookies.

Impact:
No known functional impact. This is an incorrectly generated warning message.

Workaround:
None.

905749-1 : imish crash while checking for CLI help string in BGP mode

Links to More Info: BT905749

Component: TMOS

Symptoms:
imish crashes while checking the help strings of '(no) neighbor x.x.x.x fall-over bfd ?' when Border Gateway Protocol (BGP) is configured.

Conditions:
-- Configure BGP.
-- Check for help strings in imish using the '?' (question mark) character.

Impact:
imish crash.

Although imish crashes, BGP functionality is not impacted.

Workaround:
Avoid using '?' while entering the commands.

905669-2 : CSRF token expired message for AJAX calls is displayed incorrectly

Links to More Info: BT905669

Component: Application Security Manager

Symptoms:
CSRF token expired message for AJAX calls is displayed incorrectly in alert message

Conditions:
This can occur if a BIG-IP administrator or user navigates to pages containing AJAX calls that modify a policy when the CSRF token is already expired. This occurs very rarely.

Impact:
Each letter in message is shown in new line in alert message

905477-2 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX

Links to More Info: BT905477

Component: Local Traffic Manager

Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.

Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.

Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.

Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.

904661-3 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition

Links to More Info: BT904661

Component: TMOS

Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.

Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver

Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)

904625-2 : Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync

Links to More Info: BT904625

Component: Local Traffic Manager

Symptoms:
The GUI saves SSL certificate/CSR subject fields data into SSL.CertRequest.* DB variables to use them in pre-populating subject fields for subsequent modifications.

Conditions:
-- SSL certificate/CSR modification through GUI.
-- Changing the content of the SSL.CertRequest.* DB variables.
-- High availability (HA) configuration.

Impact:
HA devices go out of sync.

Workaround:
SSL.CertRequest.* DB variables are used only as GUI SSL certificate/CSR pre-populated suggestions.

You can still review and modify them before completing SSL certificate/CSR modification operation, so it is safe to sync them onto the high availability (HA) peer.

904537-3 : The csyncd process may keep trying to sync the GeoIP database to a secondary blade

Links to More Info: BT904537

Component: Local Traffic Manager

Symptoms:
The most common symptom is when csyncd repeatedly syncs the GeoIP files and loads the GeoIP database, causing a large number of Clock advanced messages on all tmms.

Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database:

-- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip.

Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
   - First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
   - When a new blade is installed into a chassis.

Impact:
Repeated logs of Clock advanced messages.

Workaround:
Run the command:
 clsh bigstart restart csyncd

904441-2 : APM vs_score for GTM-APM load balancing is not calculated correctly

Links to More Info: BT904441

Component: Access Policy Manager

Symptoms:
Output from the 'show ltm virtual <vs> detail' command reports an incorrect value for the APM Module-Score.

Conditions:
-- Using GTM/DNS and APM.
-- Configure an access profile attached to a virtual server.
-- Configure a non-zero number for 'Max Concurrent Users' for the access profile.
-- Access the virtual server.

Impact:
GTM/DNS load balancing does not work as expected.

Workaround:
None.

904401-1 : Guestagentd core

Links to More Info: BT904401

Component: TMOS

Symptoms:
Guestagentd crashes on a vCMP guest.

Conditions:
This can occur during normal operation in a vCMP environment.

Impact:
Guestagentd crashes on the vCMP guest, and the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status.

Workaround:
None.

903521-2 : TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'

Links to More Info: BT903521

Component: Global Traffic Manager (DNS)

Symptoms:
TMM fails to sign responses from BIND.

Conditions:
BIND has 'dnssec-enable no' in named.conf.

Impact:
TMM fails to sign responses from BIND.

Workaround:
Remove 'dnssec-enable no' from named.conf in options section.

903501-2 : VPN Tunnel establishment fails with some ipv6 address

Links to More Info: BT903501

Component: Access Policy Manager

Symptoms:
VPN Tunnel establishment fails with some ipv6 address

Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured.

Impact:
VPN Tunnel cannot be established.

Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable

2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.

Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).

903313-2 : OWASP page: File Types score in Broken Access Control category is always 0.

Component: Application Security Manager

Symptoms:
Under Broken Access Control category, the contribution of Disallowed File Types seems to be 0 no matter what is the number of Disallowed File Types in policy. As a result, it is not possible to reach full compliance.

Conditions:
Security Policy is configured. Not Applicable for parent or child policy.

Impact:
For any OWASP configurable policy (i.e. not parent or child policy), the policy cannot reach the maximum score for Broken Access Control category

903265-3 : Single user mode faced sudden reboot

Links to More Info: BT903265

Component: TMOS

Symptoms:
Being logged into the system in single user mode (emergency shell) causes a sudden automatic reboot after some time (~5-to-10 minutes, or longer).

Conditions:
-- Using iSeries platforms.
-- When logged into the emergency shell by appending rd.break to kernel command line.

Impact:
The device reboots after some time. Because of the automatic reboot, you cannot reliably use the emergency shell.

Workaround:
None.

903257-1 : GUI issues for Access :: Profiles/Policies : Customization : General Customization or Advanced Customization

Links to More Info: BT903257

Component: Access Policy Manager

Symptoms:
Error messages when navigating to Access :: Profiles/Policies : Customization : General Customization or Advanced Customization:

Button states incorrect on return from server after button push.

Conditions:
After creation of an Access Profile with Customization Type = modern (which is the default starting with v15.1.0).

Impact:
The GUI for General Customization or Advanced Customization of Access Profiles is not available.

Workaround:
Run the following commands, in sequence, from an SSH session:

cp --preserve=all /var/sam/www/client/customization-source/Common/modern/eps/default_eps.xml /var/sam/www/client/customization-source/Common/modern/eps/default_eps.xml.ORG

sed -e 's|b\&gt\ã|b\&gt;\ã|' /var/sam/www/client/customization-source/Common/modern/eps/default_eps.xml.ORG > /var/sam/www/client/customization-source/Common/modern/eps/default_eps.xml

bigstart restart tomcat

902445-2 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation

Links to More Info: BT902445

Component: Application Security Manager

Symptoms:
ASM event logging stops working.

Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.

Impact:
ASM Policy Event Logging stop working; new event is not saved.

Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd

902377-2 : HTML profile forces re-chunk even though HTML::disable

Links to More Info: BT902377

Component: Local Traffic Manager

Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.

Conditions:
Using HTML::disable in an HTTP_RESPONSE event.

Impact:
The HTML profile still performs a re-chunk.

Workaround:
None.

901989-2 : Boot_marker writes to /var/log/btmp

Links to More Info: BT901989

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
-- Rebooting a BIG-IP.

Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.

Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp

901985-6 : Extend logging for incomplete HTTP requests

Links to More Info: BT901985

Component: TMOS

Symptoms:
Logging is not triggered for incomplete HTTP requests.

Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.

Impact:
Logging is missing for incomplete HTTP requests.

Workaround:
None.

901669-4 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.

Links to More Info: BT901669

Component: TMOS

Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.

-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.

Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.

Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.

The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.

Impact:
The 'tmsh show cm failover-status' command indicates an error.

Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:

tmsh restart sys service sod

901569-1 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

901529 : AFM Debug Reroute feature not supported

Links to More Info: BT901529

Component: TMOS

Symptoms:
AFM Debug Reroute feature does not work.

Conditions:
Attempting to use the AFM Debug Reroute Feature.

Impact:
Cannot use the AFM Debug Reroute feature.

Workaround:
None.

901485-2 : HTTP_RESPONSE_RELEASE is not raised for HTTP early response

Links to More Info: BT901485

Component: Local Traffic Manager

Symptoms:
When server sends the response early (before the request is completed), client-side HTTP sends the response but does not raise HTTP_RESPONSE_RELEASE.

Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.

Impact:
Timeout occurs and the BIG-IP system sends shutdown.

Workaround:
None

900825 : WAM image optimization can leak entity reference when demoting to unoptimized image

Links to More Info: BT900825

Component: WebAccelerator

Symptoms:
WAM image optimization can leak entity reference when demoting to unoptimized image.

WAM allows PNG files to be optimized to WEBP and JPG files to be optimized to JPEG XR formats, based on capabilities inferred from the client's User-Agent value. Once the optimized version is in the cache, internal check failures might cause the entity/document to be reverted to the unoptimized version. If this unoptimized version is already present in the cache, a reference to the corresponding entity is leaked, thus causing the entity to be held in memory along with attached resource/document objects and associated storage (UCI).

Conditions:
-- WAM-optimized PNG files (to WEBP) and JPG files (to JPEG XR) on tye system.
-- A policy change occurs that causes an internal check to fail.

Note: This can also occur in some cases without actual changes to the policy if the optimization step is skipped by wamd.

Impact:
WAM image optimization might leak entity reference.

Workaround:
None.

900485-2 : Syslog-ng 'program' filter does not work

Links to More Info: BT900485

Component: TMOS

Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.

Conditions:
-- Using the 'program' expression in a syslog-ng filter.

Impact:
Unable to filter messages as expected.

Workaround:
None.

899933-2 : Listing property groups in TMSH without specifying properties lists the entire object

Links to More Info: BT899933

Component: TMOS

Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.

Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.

Impact:
Unexpected output.

Workaround:
None.

899253-6 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist

Links to More Info: BT899253

Component: Global Traffic Manager (DNS)

Symptoms:
Making changes to wide IP pools through GUI management do not take effect.

Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.

Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.

Workaround:
Use TMSH.

899097-2 : Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking

Links to More Info: BT899097

Component: TMOS

Symptoms:
When using the rewrite profile, unchunked server responses where content-type is not text/html or text/css also gets converted to chunked encoding in client-side. Also, the server response is missing a message-body (no content-type/content-length).

The client device receives 'Transfer-Encoding: chunked' in the message-header and receives a chunked body if the origin response has a message-body. The client receives a zero-length chunk if the origin response has no message-body.

Prior to BIG-IP version 15, chunking happens only if origin server response has content-type header set to either text/html or text/css.

Conditions:
- HTTP profile response chunking is set to 'sustain'.
- The virtual server has rewrite profile attached.
- Server response has content-type set not to text/html or text/css OR no content-type header.

Impact:
End users may notice a change in chunking behavior after upgrading from prior release.

Workaround:
Use response chunking mode 'unchunk'

899085-6 : Configuration changes made by Certificate Manager role do not trigger saving config

Links to More Info: BT899085

Component: TMOS

Symptoms:
Configuration changes made in the BIG-IP GUI by a user with role 'Certificate Manager' do not result in the configuration being saved.

If the system is rebooted (or MCPD restarted) without saving the configuration, those changes will be lost.

Conditions:
-- User with role 'Certificate Manager'.
-- Changes made in GUI.
-- System rebooted.

Impact:
Loss of configuration changes.

Workaround:
Users with a 'Certificate Manager' role can save the configuration from tmsh:
tmsh save /sys config

Alternately, another user can save the configuration.

898825-2 : Attack signatures are enforced on excluded headers under some conditions

Links to More Info: BT898825

Component: Application Security Manager

Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).

Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.

Impact:
False positive enforcement for header signature.

Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.

898753-5 : Multicast control-plane traffic requires handling with AFM policies

Links to More Info: BT898753

Component: Local Traffic Manager

Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.

Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.

Impact:
OSPF neighborship is not formed.

Workaround:
Add an AFM route-domain policy.

898733-3 : SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM

Links to More Info: BT898733

Component: Local Traffic Manager

Symptoms:
SSL handshakes intermittently fail for virtual servers using HSM keys.

In /var/log/ltm you see errors:
err pkcs11d[6575]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software with fipskey.nethsm wrapper, and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm wrapper.

3. The platform is a multi-bladed Viprion.

This can occur after applying the workaround for ID758491:
https://cdn.f5.com/product/bugtracker/ID758491.html

Impact:
SSL handshakes that arrive on the secondary blade(s) fail.

Handshakes arriving on the primary blade work fine.

Workaround:
Re-install the Thales client after the upgrade.

898685-4 : Order of ciphers changes after updating cipher group

Links to More Info: BT898685

Component: Local Traffic Manager

Symptoms:
The order of cipher results may change with no modification in the cipher group.

Conditions:
Click 'Update' in a cipher group in the GUI without making any changes.

Impact:
The order of the ciphers changes. During a handshake, SSL/TLS may not be able to select ciphers in the preferred order.

Workaround:
Create a cipher rule with the preferred cipher order and include only a single rule in cipher group allow list.

898577-2 : Executing a command in "mgmt tm" using iControl REST results in tmsh error

Links to More Info: BT898577

Component: TMOS

Symptoms:
When you try to update the frequency of live-update using iControl REST, it results in a java exception being returned instead of updating the value.

Conditions:
When a command for updating the frequency of live updates is executed using iControl REST in an ASM configured BIG-IP.

Impact:
You are unable to update the frequency of live-update via iControl REST.

898389-1 : Traffic is not classified when adding port-list to virtual server from GUI

Links to More Info: BT898389

Component: TMOS

Symptoms:
Traffic is not matching to the virtual server.

Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.

Impact:
Traffic loss.

Workaround:
Creating traffic-matching-criteria from the command line

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>

898381-2 : Changing the setting of apm-forwarding-fastl4 profile does not take effect

Links to More Info: BT898381

Component: Access Policy Manager

Symptoms:
Changing the setting of apm-forwarding-fastl4 profile does not take effect and is not getting applied to the last leg of client-initiated VPN traffic.

Conditions:
- APM is configured on the BIG-IP system.
- BIG-IP Administrator (Admin) has configured a VPN tunnel.
- Admin is trying to change the TCP characteristic of the last leg of VPN tunnel traffic by tuning the parameters of FastL4 profile apm-forwarding-fastl4.

Impact:
Admin cannot enforce the updated values of apm-forwarding-fastl4 profile on the last leg of client-imitated VPN tunnel traffic.

Workaround:
None.

898333-2 : Unable to collect statistics from BIG-IP system after BIG-IQ restart

Links to More Info: BT898333

Component: Application Visibility and Reporting

Symptoms:
AVR fails to send statistics to BIG-IQ. Lack of stats data in the BIG-IQ console.

Conditions:
-- The BIG-IP system is connected to the Data Collection Device (DCD), BIG-IQ.
-- DCD is restarted.
-- DCD does not send to BIG-IQ configuration instructions via REST interface due to ID 898341.

Impact:
Unable to collect statistics from BIG-IP system. Lack of stats data in the BIG-IQ console.

Workaround:
Restart avrd:
bigstart restart avrd

898201-2 : Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.

Links to More Info: BT898201

Component: Local Traffic Manager

Symptoms:
After reboot, no access to services host using fqdn nodes.
-- fqdn nodes are not populated with IP addresses.
-- Unable to access virtual servers served by pools using fqdn nodes.

Conditions:
The issue happens after the BIG-IP is rebooted.
-- when DNS server is accessed through a local virtual server.
-- Single arm cloud BIG-IP with virtual server listening for DNS requests to redirect.

Impact:
-- FQDN DNS requests bypassing the listening virtual server.
-- Unable to access the pools of those configured fqdn nodes.

Workaround:
-- restarting dynconfd.
-- Running a script to trigger off "Tmm ready" and either delete the bad flow(s) or a specific connflow entry.
-- change the dummy dns server to be something in the same subnet as the single interface.

897437-5 : First retransmission might happen after syn-rto-base instead of minimum-rto.

Links to More Info: BT897437

Component: Local Traffic Manager

Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base.

This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning:

-- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number.

Conditions:
Configured value of syn-rto-base is lower than minimum-rto.

Impact:
Retransmission might happen sooner than expected.

Workaround:
There are two possible workarounds:

-- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto).

-- Consider enabling timestamps to allow faster RTT measurement.

897185-2 : Resolver cache not using random port distribution

Links to More Info: BT897185

Component: Local Traffic Manager

Symptoms:
Outgoing queries to backend dns server use incremented port numbers instead of being distributed random ports.

Conditions:
-- Fix of ID726176 is applied (see https://cdn.f5.com/product/bugtracker/ID726176.html )

Impact:
The port numbers are incremented.

896693-4 : Patch installation is failing for iControl REST endpoint.

Links to More Info: BT896693

Component: TMOS

Symptoms:
iControl REST async endpoint /mgmt/tm/task/util/ihealth behaving inconsistently:

-- A call to VALIDATE the async task is rejected with the error message: 'Operation is not allowed on component /util/ihealth.'
-- The task can be started by calling a different endpoint (e.g., /mgmt/tm/task/cli/script). In this case, the task completes immediately, however, a qkview generating iHealth util is still running. At the end, the qkview is generated.

Conditions:
-- Use iControl REST to create an async task for creating qkview using 'ihealth' with -n option (just generate file, do not upload to iHealth).
-- Try starting the async task by changing the status to VALIDATING.

Impact:
Patch for iControl REST endpoint is not successful. Patch operation is accepted by /mgmt/tm/task/cli/script/ but rejected by /mgmt/tm/task/util/ihealth.

Workaround:
None.

896689-4 : Asynchronous tasks can be managed via unintended endpoints

Links to More Info: BT896689

Component: TMOS

Symptoms:
An asynchronous task created on one endpoint can be started using some other endpoint

Conditions:
Create an asynchronous task e.g. creating qkview using ihealth
using endpoint /mgmt/tm/task/util/ihealth

Gather the task id of the created asynchronous task and send it to a different endpoint e.g. /mgmt/tm/task/cli/script

Impact:
The asynchronous task can be started using this endpoint but this is not intended behavior.

896245-3 : Inconsistency is observed in ARP behavior across releases

Links to More Info: BT896245

Component: Local Traffic Manager

Symptoms:
Creating and deleting VLANs/self IPs might end up with a different number of GARP responses, depending on the BIG-IP software version.

You might notice the differences when comparing older and newer releases, for example, comparing v14.1.0 and earlier compared with versions older than v14.1.0.

Conditions:
This might become evident when you upgrade from an older version.

Impact:
There is no functional impact as a result of this discrepancy.

Workaround:
None.

895845-5 : Implement automatic conflict resolution for gossip-conflicts in REST

Links to More Info: BT895845

Component: TMOS

Symptoms:
The devices in a high availability (HA) environment are out of sync in strange ways; config sync status indicates 'In Sync', but iApps such as SSL Orchestrator are out of sync.

Conditions:
-- high availability (HA) environment with two or more devices.
-- Gossip used for config sync. (Note: Gossip sync is used by BIG-IQ for BIG-IP config sync by iAppLX.)
-- A gossip conflict occurs for some reason.

You can detect gossip conflicts at the following iControl REST endpoint:
/mgmt/shared/gossip-conflicts

You can check gossip sync status at the following iControl REST endpoint:
/mgmt/shared/gossip

Impact:
If there are gossip conflicts, the devices requires manual intervention to get back in sync.

Workaround:
When two devices are out of sync with different generation numbers due to gossip conflict, you can use the following guidance to resolve the conflict:

1. Update devices info to use the same generation number.

2. This info found on REST Storage worker. Storage worker uses the selflink plus a generation number as the key to a given set of data.

3. Add the data from the unit with the highest generation number to the other unit.

4. Must also take care to increase the generation number on the new data to match that of the highest generation

Commands used:
1. Look for GENERATION_MISSING and gossip-conflict objects:
tmsh list mgmt shared gossip-conflicts

2. Get the 'selflink in remoteState' attribute. This self link is same across all devices and checks on the browser with each device to discover the device that is on the highest generation number:
tmsh list mgmt shared gossip-conflicts <OBJECT_ID>

3. Now you know what device contains the most recent version of your data, run this command to get up-to-date data:
restcurl /shared/storage?key=<everything after 'https://localhost/mgmt/' on selflink>

4. Make a post to the out-of-date device that includes the info from the up-to-date device as the post body:
restcurl -X POST /shared/storage -d '{<data from above command>}'

895801-2 : Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted

Links to More Info: BT895801

Component: Service Provider

Symptoms:
After modifying an MRF transport-config to use a different TCP profile, TMM must be restarted for this change to take effect. tmm crash

Conditions:
-- Using MRF with a transport-config.
-- Modifying the transport-config so that it uses a different TCP profile.

Impact:
Expected changes do not take effect until TMM is restarted.

Workaround:
Restart TMM.

Note: Traffic is disrupted while tmm restarts.

895649-2 : Improve TCP analytics goodput reports

Links to More Info: BT895649

Component: Local Traffic Manager

Symptoms:
TCP analytics reports very large goodput values under rare conditions.

Conditions:
-- TCP or FastL4 filter is in use.
-- TCP analytics is enabled.
-- A specific sequence number space is observed during the data transfer.

Impact:
TCP reports a very large goodput value to AVR. This also impacts the average goodput reports as the high value reported shifts the average value to a considerably large one.

Workaround:
None.

895205-2 : A circular reference in rewrite profiles causes MCP to crash

Links to More Info: BT895205

Component: Local Traffic Manager

Symptoms:
MCPD crash when modifying rewrite profile.

Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.

Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.

Workaround:
Do not create circular references with profiles.

895165-2 : Traffic-matching-criteria with "any" protocol overlaps with explicit protocols

Links to More Info: BT895165

Component: Local Traffic Manager

Symptoms:
An error like the example below when defining "any" protocol after previously defining traffic-matching-criteria with explicit protocols.
01b90011:3: Virtual Server /Common/vs-tcp's Traffic Matching Criteria /Common/vs-tcp_IP_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs-any destination address, source address, service port.

Conditions:
-- Previously defining traffic-matching-criteria with explicit protocols
-- Afterwards defining virtual server with "any" protocol

Impact:
Cannot define a valid virtual server with "any" protocol

Workaround:
N/A

894133-1 : After ISO upgrade the SSL Orchestrator guided configuration user interface is not available

Links to More Info: BT894133

Component: TMOS

Symptoms:
After the ISO upgrade, any attempt to access the SSL Orchestrator guided configuration user interface results in the following error:
The requested URL /iapps/f5-iappslx-ssl-orchestrator/sgc/sgcIndex.html was not found on this server.

Conditions:
Upgrade the BIG-IP system.

Impact:
Cannot perform SSL Orchestrator configuration tasks using the SSL Orchestrator guided configuration user interface.

Workaround:
(1) Query the f5-iappslx-ssl-orchestrator package ID (9beb912b-4f1c-3f95-94c3-eb1cbac4ab99), and use the returned ID in the following step.
restcurl shared/iapp/installed-packages | jq -r '.items[] | select(.appName=="f5-iappslx-ssl-orchestrator") | .id'
9beb912b-4f1c-3f95-94c3-eb1cbac4ab99

(2) Delete existing f5-iappslx-ssl-orchestrator package references.
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99

(3) Stop the REST framework daemons.
bigstart stop restjavad restnoded

(4) Make sure the /var/iapps/www/ directory exists.
mkdir -p /var/iapps/www/

(5) Create the RPMS.save directory.
mkdir -p /var/config/rest/iapps/RPMS.save

(6) Check if the current f5-iapplx-ssl-orchestrator RPM (e.g., 14.1.0-5.5.8) is present at the default location.
ls -la /var/config/rest/iapps/RPMS/

-- If it is not present, try to get it from either the /usr/share/packages/f5-iappslx-ssl-orchestrator/ directory or from the remote high availability (HA) peer device (/var/config/rest/iapps/RPMS/). Make sure the RPM version matches the current SSL Orchestrator configuration/version (e.g., 14.1.0-5.5.8). If there is no RPM available (anywhere), you cannot continue with this workaround.

-- If it is present, copy the RPM to /var/config/rest/iapps/RPMS/ (locally).

(7) Copy the current f5-iapplx-ssl-orchestrator (e.g., 14.1.0-5.5.8) RPM to the RPMS.save directory.
cp /var/config/rest/iapps/RPMS/f5-iappslx-ssl-orchestrator-14.1.0-5.5.8.noarch.rpm /var/config/rest/iapps/RPMS.save/

(8) Make sure you have only one f5-iappslx-ssl-orchestrator RPM in the RPMS.save/ directory and that it matches the RPM version. Remove other RPMs, if any.

(9) Remove the current SSL Orchestrator user interface artifacts.
rm -rf /var/iapps/www/f5-iappslx-ssl-orchestrator/
rm -rf /var/config/rest/iapps/f5-iappslx-ssl-orchestrator

(10) Restart the REST framework.
bigstart restart restjavad restnoded

(11) Wait at least 30 seconds.

(12) Open TMUI (the GUI) on the affected device, and navigate to SSL Orchestrator :: Configuration.

(13) The SSL Orchestrator Self-Guided Configuration page should initialize and eventually load successfully.

894081-2 : The Wide IP members view in the WebUI may report the incorrect status for a virtual server.

Links to More Info: BT894081

Component: Global Traffic Manager (DNS)

Symptoms:
A virtual server which is actually down and should show red is reported as up and shows green.

Conditions:
This issue happens when a virtual server is marked down by the system due to inheriting the status of its parent link.

Note: This issue only affects Link Controller systems, and not DNS/GTM systems.

Impact:
The WebUI cannot be used to reliably assess the status of Wide IP members (virtual servers).

Workaround:
Use the tmsh utility in one of the following ways to inspect the status of Wide IP members:

# tmsh show gtm pool a members

# tmsh show gtm server virtual-servers

893953-2 : Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers

Links to More Info: BT893953

Component: Access Policy Manager

Symptoms:
Error message in browser console:

Uncaught DOMException: Failed to execute 'send' on VM41 cache-fm.js:618
'XMLHttpRequest': Failed to load ''https://appportal.omo.nl/private/fm/volatile.html': Synchronous XHR in page dismissal. See https://www.chromestatus.com/feature/4664843055398912 for more details.

Conditions:
Setting and/or getting cookies in onbeforeunload/onunload handlers defined by the web-application.

Impact:
Web-application does not function as expected. Behavior varies, depending on web-application control flow.

Workaround:
Important: This workaround will work until later versions of Chrome and Edge Browser are released. You can refer to the release notes for these browsers to determine when functionality is removed.


Use an iRule to allow sync requests from onbeforeunload, onunload, and other page dismissal events.

This is intended to inject into responses from the BIG-IP virtual server header, Origin-Trial, using a token obtained from the Google Chrome developer console. This token allows for use of synchronous requests in page dismissal events. It should work for Chrome and Microsoft Edge browsers where such sync requests are disabled now.

To obtain the token you need to use the following iRule with your virtual server:

1. Go to the Chrome Origin Trials page:
https://developers.chrome.com/origintrials/#/trials/active.

2. Click the 'REGISTER' button to the right of 'Allow Sync XHR In Page Dismissal'.

3. Enter the origin of your virtual server and other information:
https://domain_of_your_virtual_server.

4. Click REGISTER.

By doing this, you obtain a token to use in place of the token provided in the following iRule.

Note: For additional info about Origin Trials and how they work:
https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/developer-guide.md


when HTTP_RESPONSE_RELEASE {
      HTTP::header insert Origin-Trial Aq5OZcJJR3m8XG+qiSXO4UngI1evq6n8M33U8EBc+G7XOIVzB3hlNq33EuEoXZQEt30Yv2W6YgFelr2aGUkmowQAAABieyJvcmlnaW4iOiJodHRwczovLzEwLjE5Mi4xNTIuMzk6NDQzIiwiZmVhdHVyZSI6IkFsbG93U3luY1hIUkluUGFnZURpc21pc3NhbCIsImV4cGlyeSI6MTU5ODk5NzIyMX0=
}

893905-2 : Wrong redirect from Charts to Requests Log when request status selected in filter

Links to More Info: BT893905

Component: Application Security Manager

Symptoms:
Incorrect filter applied when you are redirected from Charts page to Requests Log.

Conditions:
Select request status in filter in Charts page and apply filter and then click View Requests on the bottom of Charts page.

Impact:
Filter not applied in Requests Log page after redirect.

Workaround:
Filter can be applied manually after redirect.
There is mismatch between AVR request types and ASM request statuses, e.g., Blocked in AVR includes Unblocked as well.

893813-3 : Modifying pool enables address and port translation in TMUI

Links to More Info: BT893813

Component: TMOS

Symptoms:
When modifying the pool for a virtual server, address translation and port translation checkboxes are enabled irrespective of their initial state.

Conditions:
-- Creating a virtual server using the GUI
-- Advanced Configuration is selected
-- Address Translation or Port Translation checkboxes are initially unchecked
-- You modify a pool from this screen

Impact:
Virtual server is created with address and port translation enabled.

Workaround:
You can disable it by again editing the virtual server.

893093-2 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.

Links to More Info: BT893093

Component: TMOS

Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:

-- System :: Certificate Management :: Device Certificate Management->Device Trust Certificates

-- DNS :: GSLB :: Servers :: Trusted Server Certificates

The system returns the following error:

An error has occurred while trying to process your request.

Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.

Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.

-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.

-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.

Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.

Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).

You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.

For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.

892861-3 : Cannot configure aaa OAuth provider - invalid x509 file

Links to More Info: BT892861

Component: Access Policy Manager

Symptoms:
An error is encountered when trying to create Ping or Custom type OAuth provider:

General error: 01070712:3: unable to validate certificate, invalid x509 file (/Common/textcert.crt). in statement [SET TRANSACTION END].

Conditions:
-- Access :: Federation : OAuth Client / Resource Server : Provider:: Create
-- Select 'custom' or 'ping' as the type.
-- Attempt a Discover operation to the <provider-hostname> on a server representing a custom- or ping-type provider, and then save the settings.

Impact:
Operation fails. Cannot use Ping or a Custom type OAuth provider.

Workaround:
None

892801-2 : When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"

Links to More Info: BT892801

Component: Local Traffic Manager

Symptoms:
When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent".

Conditions:
-- An Internal Virtual Server is created without an existing 0.0.0.0 virtual address.

Impact:
The Internal Virtual Server will be considered unavailable and will not process traffic.

Workaround:
Create a 0.0.0.0 virtual address prior to creating the Internal Virtual Server.

892485-2 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.

Links to More Info: BT892485

Component: Local Traffic Manager

Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup due to using a wrong input parameter - certificate serial number. The result is wrong OCSP status is used in the SSL handshake.

Conditions:
If OCSP object is configured in a clientSSL or serverSSL profile.

Impact:
A wrong OCSP status may be reported in the SSL handshake.

892445-2 : BWC policy names are limited to 128 characters

Links to More Info: BT892445

Component: TMOS

Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:

01070088:3: The requested object name <name> is invalid.

Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.

Impact:
Unable to create BWC policy objects with names that have more than 128 characters.

Workaround:
Use fewer than 128 characters when creating a BWC policy.

892073-3 : TLS1.3 LTM policy rule based on SSL SNI is not triggered

Links to More Info: BT892073

Component: Local Traffic Manager

Symptoms:
A policy rule based on SSL SNI at SSL client hello is not triggered for a TLS1.3 connection.

Conditions:
-- LTM policy rule specifying SSL client hello SNI.
-- TLS1.3 connection.

Impact:
Policy rule not triggered for TLS1.3.

Workaround:
None.

891221-2 : Router bgp neighbor password CLI help string is not helpful

Links to More Info: BT891221

Component: TMOS

Symptoms:
Unable to confirm the supported encryption types.

enable or add BGP routing protocol to a route domain
imish >> enable >> conf t >> router bgp 20065004 >> neighbor 1.2.3.4 password ?

b7000.lab[0](config-router)#neighbor 1.1.1.1 password ?
  WORD Encryption Type or the password

Conditions:
Configuring the bgp neighbor with encryption password.

Impact:
Unable to confirm the supported encryption types.

Workaround:
None.

891181-2 : Wrong date/time treatment in logs in Turkey/Istambul timezone

Links to More Info: BT891181

Component: Application Security Manager

Symptoms:
There is mismatch between server and GUI timezone treatment for Turkey/Istambul timezone.

Conditions:
User sets Turkey/Istambul timezone on BIG-IP

Impact:
When filtering logs by time period, results differ from set period by an hour

Workaround:
Define time period one hour earlier for filtering ASM logs

891145-5 : TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal

Links to More Info: BT891145

Component: Local Traffic Manager

Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.

Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.

Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.

Workaround:
There are two workarounds:

-- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner.

-- Disable TCP Timestamps.

890825-2 : Attack Signatures and Threat Campaigns filter incorrect behaviour

Links to More Info: BT890825

Component: Application Security Manager

Symptoms:
When removing not last selected values in Systems or Tags filter, last one is removed.

Conditions:
Select several values in Systems or Tags filter and then remove not the last value.

Impact:
Filter incorrectly displayed.

Workaround:
None.

890721-2 : SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment

Links to More Info: BT890721

Component: SSL Orchestrator

Symptoms:
SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment. Reset cause is "cl side error (No error)".

Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to virtual server.

Impact:
SSL Orchestrator/BIG-IP rejects the client connection.

Workaround:
Modify 'tmm.access.prp_global_timeout' sys db value from default 5 seconds to some appropriate value like 30 or 60 seconds.

Example:
Following command sets this sys db variable value to 60 seconds.

#tmsh modify sys db tmm.access.prp_global_timeout value 60

890573 : BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart

Links to More Info: BT890573

Component: WebAccelerator

Symptoms:
BIG-IP WAM/AAM provides a faster cache store called small object cache. To get into this cache, an object must have its size below a threshold defined in BigDB variable wam.cache.smallobject.threshold. BIG-IP does not always pickup this value after a restart of TMM.

Conditions:
- WAM/AAM is provisioned;
- A virtual server is configured with a webacceleration profile having a web application.

Impact:
When small object cache has a non-default value, it may incorrectly place an object into Small Object cache (faster cache store) or MetaStor (slower cache store), causing performance impact.

Workaround:
Reset wam.cache.smallobject.threshold value.

890401 : Restore correct handling of small object when conditions to change cache type is satisfied

Links to More Info: BT890401

Component: WebAccelerator

Symptoms:
BIG-IP system software allows you to cache HTTP responses with WAM/AMM web applications. There is a special storage location for small-size objects. If a caching object is about to exceed a threshold limit, the BIG-IP system might change its caching storage to MetaStor. A fix for ID 792045 introduced an issue for instances in which it does not, which resulted in not serving a cached object.

Conditions:
-- WAM/AAM is provisioned.
-- Virtual server has a webacceleration profile with a web application.
-- The BIG-IP software contains a fix for ID 792045.

Impact:
The BIG-IP system resets a connection with an error, a cached object is not served, and the rendering of a client's webpage is not correct.

Workaround:
None.

890169-2 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.

Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.

889813-2 : Show net bwc policy prints bytes-per-second instead of bits-per-second

Links to More Info: BT889813

Component: TMOS

Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.

Conditions:
Running the tmsh command:
tmsh show net bwc policy

Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.

Workaround:
None.

889801-1 : Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.

Links to More Info: BT889801

Component: Global Traffic Manager (DNS)

Symptoms:
Upon close inspection of the statistics of a particular DNS Cache, for example by running the command 'tmsh show ltm dns cache resolver <name>', you realize that the 'Total Responses' counter for the cache is not incrementing as much as it should be.

Specifically, by comparing the counter with packet captures or the stats of the DNS Profile, you realize the system is under-reporting 'Total Responses'.

Conditions:
The virtual server using the DNS Cache also uses an iRule which happens to include a suspending command (e.g., 'table') under the DNS_RESPONSE event.

Impact:
The incorrect DNS Cache statistics may confuse or mislead a BIG-IP Administrator.

No traffic impact exists as part of this issue. Responses are still being served from the cache even when the counter says they are not.

Workaround:
None.

889245-3 : Ndal ixvf driver can lock up

Links to More Info: BT889245

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, the TMM ixvf driver for the Virtual Function (VF) of an SRIOV x520 / 82599 card can lock up the tx queue.

Conditions:
Conditions are unknown.

Impact:
No further transmit is possible.

Workaround:
None

888885-1 : BIG-IP Virtual Edition TMM restarts frequently without core

Links to More Info: BT888885

Component: Local Traffic Manager

Symptoms:
The following messages are found in the QKViews:
"bigipA notice MCP bulk connection aborted, retrying"
"bigipA notice Initiating TMM shutdown"

Prior to this, the TMM process logs that it is waiting for its instances to reach different states. For example,
"localhost notice ixlv(1.3)[0:7.0]: Waiting for tmm1 to reach state 1..."

In the /var/log/ltm file, the following message are found sometimes.
"bigip1 crit tmm9[19358]: 01230017:2: Unable to attach to PCI device 00:09.00 for Interface 1.5"

Conditions:
BIG-IP VE with SR-IOV enabled on a Red Hat Enterprise Linux 7.7 which is a part of Red Hat OpenStack Platform 13

Impact:
The TMM process restarts without a core file repeatedly.
Traffic disrupted while tmm restarts.

888765-1 : After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files

Links to More Info: BT888765

Component: TMOS

Symptoms:
After upgrading, CGNAT is de-provisioned and tmm is restarted after config load.

Conditions:
- CGNAT provisioned prior to upgrade
- Upgrade from 13.1.0 to 15.1.0.1 and reboot

Impact:
-- CGNAT is de-provisioned
-- Tmm restarts

Workaround:
After upgrading, re-provision CGNAT:

tmsh modify sys provision cgnat level <level>
tmsh save sys config

888081-4 : BIG-IP VE Migration feature fails for 1NIC

Links to More Info: BT888081

Component: TMOS

Symptoms:
When a saved UCS is attempted to be restored in a new BIG-IP Virtual Edition (VE) in order to migrate the configuration, it fails.

load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting.

Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable.

Impact:
The UCS restore fails.

Workaround:
The DB variable can be set to enable before loading the UCS.

# tmsh modify sys db provision.1nicautoconfig value enable

887921-1 : iRule command “RESOLVER::name_lookup” returns null for responses more than 512 bytes

Component: Global Traffic Manager (DNS)

Symptoms:
“RESOLVER::name_lookup” returns null.

Conditions:
Response is larger than 512 bytes.

Impact:
“RESOLVER::name_lookup” returns empty answer.

887765-3 : [SSL Orchestrator] if all pool members of HTTP type services are down, traffic gets reset

Links to More Info: BT887765

Component: SSL Orchestrator

Symptoms:
You see lots of resets, with the reset cause being 'No pool member available'.

Conditions:
-- SSL Orchestrator deployed.
-- HTTP type services configured.
-- Service down action is set to Ignore.
-- All pool members of the services are down.

Impact:
Client traffic gets reset with cause 'No pool member available.

Workaround:
None.

887681-3 : Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c

Links to More Info: BT887681

Component: Global Traffic Manager (DNS)

Symptoms:
TMM Cored with SIGSEGV.

Conditions:
N/A.

Impact:
Traffic disrupted while tmm restarts.

887625-3 : Note should be bold back, not red

Links to More Info: BT887625

Component: Application Security Manager

Symptoms:
Under Session Hijacking :: Device Session Hijacking by Device ID Tracking, the note text below the 'enable' checkbox is shown in bold red color

Note : Device-ID mode must be configured in bot profile for this option to work.

Conditions:
This always occurs.

Impact:
The Note does not indicate a hazardous situation (as might be implied by the color), so the text should be black instead of red.

Workaround:
None.

887621-2 : ASM virtual server names configuration CRC collision is possible

Links to More Info: BT887621

Component: Application Security Manager

Symptoms:
A policy add/modify/delete fails with the following error:

-- crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY').

Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers.

Impact:
Every config update fails.

Workaround:
Figure out which virtual servers have the CRC collision (by looking into DCC.RAMCACHE_VS). Change the name of one of these virtual servers.

You can get the name of the affected virtual server by using the entry reported in the 'Duplicate entry' log, and running this command.

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375'

887265-2 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration

Links to More Info: BT887265

Component: Application Security Manager

Symptoms:
When booting to a boot location for the first time, the system does not come on-line.

Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.

Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)

Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.

887261-1 : JSON schema validation files created from swagger should support "draft-04" only

Links to More Info: BT887261

Component: Application Security Manager

Symptoms:
The JSON schema validation file creation from swagger's schema entry fails and errors are logged to /ts/log/asm_config_server.log.

Conditions:
-- API Protection used in a security policy
-- Swaggers's schema entry contains one or more fields that are incompatible between draft-04 and draft-07 of the JSON schema validation spec (e.g.: "exclusiveMinimum")

Impact:
Since BIG-IP is locked to draft-07, a security policy created from swagger file will not include some entities.

Workaround:
No workaround

887045-1 : The session key does not get mirrored to standby.

Links to More Info: BT887045

Component: Local Traffic Manager

Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.

Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives

Impact:
The session key does not get mirrored to standby.

Workaround:
None

886649-2 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Links to More Info: BT886649

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.

886145-2 : The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS GUI.

Links to More Info: BT886145

Component: Global Traffic Manager (DNS)

Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked.

The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console.

The 'Reconnect All' button is clickable but returns the error when clicked:
No response action specified by the request.

Conditions:
You have accessed the buttons via the following GUI path:

DNS :: GSLB :: Data Centers :: [dc name] > Servers

Impact:
The buttons do not work, making the corresponding feature unavailable from the GUI.

Workaround:
Access the buttons using the following alternative GUI path:

DNS :: GSLB :: Servers

886045-2 : Multi-NIC instances fail to come up when trying to use memory-mapped virtio device

Links to More Info: BT886045

Component: Local Traffic Manager

Symptoms:
Multi-NIC instances fail to come up while using memory-mapped virtio device.

Running the command 'lspci -s <pci-id> -vv' results in the 'region' field reporting 'Memory at xxxxx'.

Conditions:
TMM crashes as soon as the BIG-IP system tries to come up.

Impact:
The BIG-IP system fails to attach to the underlying virtio devices.

Workaround:
Switch to the sock driver by overriding tmm_init.tcl.

For instructions on how to enable the sock driver, see the workaround in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later), available at https://support.f5.com/csp/article/K74921042.

885869-2 : Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime

Links to More Info: BT885869

Component: Global Traffic Manager (DNS)

Symptoms:
iQuery incorrectly interprets iQuery SSL certificate times when they are using GenericTime instead of UTCTime.

Conditions:
An iQuery certificate using GenericTime instead of UTCTime.

Note that this would only occur with a date beyond the year 2049.

Impact:
Internal years are interpreted to be much later than they should be.

Workaround:
Use SSL certificates with UTCTime instead of GenericTime.

885789-1 : Clicking 'Fix Automatically' on PCI Compliance page does not replace non-PCI-compliant-profile with complaint one on HTTP/2 virtual servers

Links to More Info: BT885789

Component: Application Security Manager

Symptoms:
Clicking the 'Fix Automatically' button in the PCI Compliance page does not replace the insecure client SSL profile attached on an HTTP/2 virtual server, with a secure one. The compliance state shows as a red cross mark, indicating the virtual server to be noncompliant.

Conditions:
-- Clicking the 'Fix Automatically' button on the PCI compliance page.
-- A noncompliant PCI profile is attached to the HTTP/2 virtual server.
-- A PCI-compliant, client SSL profile with renegotiation disabled is available in the SSL profiles.

Impact:
The provision for enhanced configuring does not function as expected for HTTP/2-based virtual servers.

Workaround:
Manually configure a PCI-compliant profile in SSL profiles, with renegotiation disabled, and attach it to the virtual server.

885785-1 : Clicking 'Fix Automatically' in PCI Compliance page does not attach a PCI-compliant-profile on HTTP/2 virtual servers

Links to More Info: BT885785

Component: Application Security Manager

Symptoms:
For an HTTP/2 virtual server with an insecure client SSL profile attached, clicking the 'Fix Automatically' button on the PCI Compliance page creates a PCI-compliant client SSL profile, but fails to attach to the virtual server. The compliance state shows as a red cross mark, indicating the virtual server to be noncompliant.

Conditions:
-- No compliant PCI profile is attached to the HTTP/2 virtual server.
-- Click the 'Fix Automatically' button on the PCI Compliance page.

Impact:
The provision for enhanced configuring does not function as expected for HTTP/2-based virtual servers.

Workaround:
Manually configure a PCI-compliant profile in SSL profiles, with renegotiation disabled, and attach it to the virtual server.

885325-2 : Stats might be incorrect for iRules that get executed a large number of times

Links to More Info: BT885325

Component: Local Traffic Manager

Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).

Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.

Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.

Workaround:
None.

884989-1 : IKE_SA's Not mirrored of on Standby device if it reboots

Links to More Info: BT884989

Component: TMOS

Symptoms:
After rebooting the standby BIG-IP device, IKE SA's are not mirrored.

Conditions:
-- IPSEC is configured in a high availability (HA) environment
-- Standby device is rebooted

Impact:
IKE_SA's will have to be renegotiated.
The performance impact is minimal.

884953-3 : IKEv1 IPsec daemon racoon goes into an endless restart loop

Links to More Info: BT884953

Component: TMOS

Symptoms:
The IKEv1 IPsec daemon racoon goes into an endless restart loop.

2020-01-02 08:36:36: ERROR: /etc/racoon/racoon.conf.BIG-IP:376: "}" duplicated sainfo: loc='ANONYMOUS', rmt='10.42.80.0/24', peer='ANY', id=0
2020-01-02 08:36:36: ERROR: fatal parse failure (1 errors)
2020-01-02 08:36:36: ERROR: failed to parse configuration file.

Conditions:
Duplicate wildcard traffic-selectors, one with ::/0 and one with 0.0.0.0/0, attached to different IPsec policies.

Impact:
IPsec IKEv1 tunnels cannot be established.

Workaround:
Configure duplicate traffic-selectors only when they are attached to interface mode IPsec policies.

884945-2 : Latency reduce in case of empty parameters.

Links to More Info: BT884945

Component: Application Security Manager

Symptoms:
Traffic load with many empty parameters may lead to increased latency.

Conditions:
Sending requests with many empty parameters

Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.

Workaround:
None

884729-2 : The vCMP CPU usage stats are incorrect

Links to More Info: BT884729

Component: TMOS

Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process.

Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.

Impact:
The vCMP CPU usage stats are intermittently incorrect.

Workaround:
None.

883841-1 : APM now displays icons of all sizes what Horizon VCS supports.

Links to More Info: BT883841

Component: Access Policy Manager

Symptoms:
If the application icon's size is not 32x32, a default icon is displayed on the webtop.

Conditions:
1. Open Horizon VCS
2. Associate a custom icon to the application (size other
   than 32x32) and save the changes.
3. Connect to virtual server or Native client

Impact:
A default icon is displayed for the applications which has icons of sizes not supported by APM.

Workaround:
In Horizon VCS, associate the application with an icon that is 32x32.

883149-1 : The fix for ID 439539 can cause mcpd to core.

Links to More Info: BT883149

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
NA

883133-2 : TLS_FALLBACK_SCSV with TLS1.3

Links to More Info: BT883133

Component: Local Traffic Manager

Symptoms:
Possible handshake failure with some combinations of TLS Fallback Signaling Cipher Suite Value (SCSV) and SSL profile protocol versions.

Conditions:
-- Using fallback SCSV suites.
-- Using certain client SSL profile protocol versions (e.g., the virtual server is configured for TLS1.3, and the client is configured for TLS1.0 - TLS1.2).

Impact:
Possible handshake failure.

Workaround:
None.

883049-2 : Statsd can deadlock with rrdshim if an rrd file is invalid

Links to More Info: BT883049

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd

882933-2 : Nslookup might generate a core during system restart

Links to More Info: BT882933

Component: Global Traffic Manager (DNS)

Symptoms:
Nslookup generates a core file. The core file name might start with "nslookup", "isc-worker", "isc-timer" or "isc-socket".

Conditions:
Multiple instances of nslookup are running when the system shuts down.

Impact:
A core file is generated. However, since this is during system shutdown, the impact should be minimal.

882833-2 : SELinux issue cause zrd down

Links to More Info: BT882833

Component: TMOS

Symptoms:
After upgrading BIG-IP software, zrd fails to start.

There are errors in /var/log/daemon.log:

err named[19356]: open: /config/named.conf: permission denied

Conditions:
This can occur after upgrading, for example, when upgrading from version 14.1.0.6 to 15.0.1.1.

Impact:
DNS service disrupted as zrd fails to start after reboot.

Workaround:
Run the following command after upgrading:

restorecon -rF /var/named/

882757-1 : sflow_agent crash SIGABRT in the cleanup flow

Links to More Info: BT882757

Component: TMOS

Symptoms:
Disabling DHCP on the management port causes sflow_agent to crash.

Conditions:
This does not always occur, but when it does occur, it crashes when disabling DHCP on the management port.

Impact:
sflow_agent crashes.

Workaround:
Do not disable DHCP on the management port

882729-3 : Applied Blocking Masks discrepancy between local/remote event log

Links to More Info: BT882729

Component: Application Security Manager

Symptoms:
Applied Blocking Masks discrepancy between local/remote event log, ASM logging event logs both locally and remotely to BIG-IQ has discrepancy.

Conditions:
This occurs when "Applied Blocking Masks" logs are emitted on a device where local and remove event logging is configured.

Impact:
This is cosmetic but can lead to confusion.

882725-5 : Mirroring not working properly when default route vlan names not match.

Links to More Info: BT882725

Component: Local Traffic Manager

Symptoms:
When using two BIG-IP systems to mirror traffic, mirroring functions correctly if the default gateway VLAN names match; however, if default gateway VLAN names don't match, then the BIG-IP system does not mirror client-side packets to the peer, which causes the standby BIG-IP system to reset all client-side flows on failover.

Conditions:
-- Two BIG-IP LTM BIG-IP Virtual Edition (VE) systems configured as a high availability (HA) pair.
-- Default gateway VLAN names don't match between them.

Impact:
BIG-IP system does not mirror client-side packets to the peer, which causes the next-active device to reset all client-side flows on failover.

Upon failover all flows are being RST just like a typical failover scenario without mirroring implemented.

Workaround:
Use same VLAN name on all external VLANs that might be used for mirroring.

882709-4 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors

Links to More Info: BT882709

Component: TMOS

Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.

Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.

Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).

Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.

Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:

    net vlan external {
        interfaces {
            1.1 {
                tagged
            }
        }
        tag 4000
    }

-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.

-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.

Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.

-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.

Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.

882609-1 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back

Links to More Info: BT882609

Component: TMOS

Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.

MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.

Conditions:
--- BIG-IP system is in a trust domain with other BIG-IP systems.
--- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.

Impact:
Devices unable to ConfigSync.

Workaround:
This workaround will disrupt traffic while TMM restarts:

1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm


This workaround should not disrupt traffic:

Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.

TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"

882545-1 : Multiple rate-limiting agents sharing the same rate-limiting key config may not function properly

Links to More Info: BT882545

Component: Access Policy Manager

Symptoms:
When multiple rate-limiting agents share the same rate-limiting key config, removing one agent may cause other agents to not function properly. In case of using tmm.debug, it may generate a core.

Conditions:
-- Multiple rate-limiting agents sharing the same rate-limiting key config.
-- Removing one agent.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not share the same rate-limiting key config among multiple agents.

881985-4 : AFM FQDN rule matching is broken when multiple FQDN's in firewall policies resolve to the same IP address

Links to More Info: BT881985

Component: Advanced Firewall Manager

Symptoms:
AFM FQDN rule matching is broken when multiple FQDN's in firewall policies resolve to the same IP address

Conditions:
-- A firewall policy contains multiple rules
-- Two or more rules point to different fully qualified domain names (FQDNs).
-- Both FQDNs resolve to the same IP address

Impact:
Firewall rule action won't be correctly applied to traffic, causing some traffic to be processed incorrectly by BIG-IP.

Workaround:
Configure FQDN's in such way that no two FQDN's will resolve to the same IP address. If you need to use multiple FQDNs with the same IP address in a policy, configure one as FQDN and the other as a resolved IP address.

881937-1 : TMM and Kernel choose different VLANs as Src IPs (IPv6).

Links to More Info: BT881937

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.

Conditions:
- Multiple VLANs with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
- Changes in routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
- The db key snat.hosttraffic is set to disable.

Impact:
Traffic to the destination may fail because we're using the incorrect source IPv6/MAC address, which might cause monitor traffic to fail.

Workaround:
tmsh list sys db snat.hosttraffic
tmsh modidy sys db snat.hosttraffic value enable
tmsh save sys config

881401-1 : TMM crash at Tcl_AfterCancelByUF() while deleting connections

Links to More Info: BT881401

Component: Local Traffic Manager

Symptoms:
TMM crashed while deleting connections

Conditions:
1.There are a high volume of connections remaining (those connections born from a virtual server which has iRule with "after XXX -periodic" iRule command) and connections are deleted.

2. A huge number of DNS requests are sent from the same source IP/port to a datagram_LB enabled UDP listener, which results in a huge number of flows in the same bucket and connections are deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

881065-1 : Adding port-list to Virtual Server changes the route domain to 0

Links to More Info: BT881065

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

881041-3 : BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.

Links to More Info: BT881041

Component: Local Traffic Manager

Symptoms:
Some received packets are retransmitted back on the incoming VLAN interface.

Conditions:
The symptom is found with the following conditions:
1. A forwarding virtual server is configured.
2. A packet is received whose destination MAC address is its unicast VLAN MAC address and the destination IP address is the broadcast address of that subnet.

Impact:
Broadcast packets are forwarded back to the incoming VLAN interface might result in loops if there are multiple gateways on the network.

Workaround:
None.

880697-1 : URI::query command returning fragment part, instead of query part

Links to More Info: BT880697

Component: Local Traffic Manager

Symptoms:
The iRule URI commands are designed to parse a given URI string to each components such as scheme (URI::protocol) or authority (URI::host). The URI::query command is designed to return the query part of an URI, but the returned string contains the fragment part. For example, for the URI "foo://example.com:8042/over/there?name=ferret#nose" (an example from Section 3, RFC 3986), URI::query returns "name=ferret#nose". The "#nose" part should not be present in the return value

Conditions:
Create a test rule with URI having '#' like this.

when HTTP_REQUEST {
  # from RFC 3986 Section 3
  set url "foo://example.com:8042/over/there?name=ferret#nose"
  log local0. "query: [URI::query $url]"
}

Impact:
URI operations that involve #fragments may fail.

Workaround:
NA

880689-2 : Update oprofile tools for compatibility with current architecture

Links to More Info: BT880689

Component: TMOS

Symptoms:
Current operf as shipped with BIG-IP is out of date and will not work.

Per the oprofile page (https://oprofile.sourceforge.io/news/) the version included in our systems (0.9.9) was released in 2013.

Conditions:
Opcontrol still works but operf will not load.
# operf --version
use the opcontrol command instead of operf.

Impact:
Outdated operf means that it cannot be used for troubleshooting purposes.

880565-1 : Audit Log: "cmd_data=list cm device recursive" is been generated continuously

Links to More Info: BT880565

Component: Device Management

Symptoms:
The system generates and logs the following message continuously, at the rate of 3 times a minute, in /var/log/audit:

-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm

Conditions:
This occurs during normal operation.

Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.

Workaround:
-- To suppress all messages, do the following:

1. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':

# tmsh edit /sys syslog all-properties

2. Replace 'include none' with following syntax:
===
sys syslog {
- snip -
    include "
filter f_audit {
       facility(local0) and match(AUDIT) and not match(\"cmd_data=list cm device recursive|cmd_data=cd /\");
};"
- snip -
}


-- To filter the messages sent to existing remote syslog servers, do the following:

1. Set sys syslog remote-servers none:
# tmsh modify sys syslog remote-servers none

2. Define the remote syslog server in the 'sys syslog include' statement.

3. Add the following filter:

   filter f_remote_server {
   not (facility(local0) and message(\"AUDIT\") and match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));
    };

Result: The system sends all messages to the remote syslog server, excluding the messages that match the filter.


Here is a sample filter, with sample data:

sys syslog {
    include "
    filter f_remote_server {
    not (facility(local0) and message(\"AUDIT\") anD match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));
    };
    destination d_remote_loghost {
        udp(\"10.0.0.1\" port(514));
    };
    log {
        source(s_syslog_pipe);
        filter(f_remote_server);
        destination(d_remote_loghost);
    };
    "
}

880473-1 : Under certain conditions, the virtio driver may core during shutdown

Links to More Info: BT880473

Component: TMOS

Symptoms:
If the virtio driver fails to initialize, it may core during shutdown.

Conditions:
-- Using the virtio VE driver.
-- The virtio driver fails initialization and shuts down instead.

Impact:
TMM cores during driver shutdown.

880125-5 : WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner

Links to More Info: BT880125

Component: Global Traffic Manager (DNS)

Symptoms:
Creating WideIP with aliases at the same time causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.

Conditions:
Creating WideIP with aliases at the same time(using GUI or tmsh) causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.

Impact:
GTM peer will not respond with correct answer for DNS request.

Workaround:
Create wideip with two steps.

880073-1 : Memory leak on every DNS query made for "HTTP Connector" agent

Links to More Info: BT880073

Component: Access Policy Manager

Symptoms:
'plugin' subsystem of TMM leaks memory, when "HTTP Connector" agent performs DNS query.

Conditions:
Access Policy contains "HTTP Connector" agent.

Impact:
Roughly 500 KB is leaked for every 10000 requests.

Workaround:
None.

880013-1 : Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration

Links to More Info: BT880013

Component: TMOS

Symptoms:
Config load fails with an error:

01071769:3: Decryption of the field (privatekey) for object (12004) failed.
Unexpected Error: Loading configuration process failed.

Conditions:
-- BIG-IP configuration has a secured attribute, for example an encrypted dynad key
-- The master key password is changed
-- The configuration is loaded before saving the changes

Impact:
"tmsh load sys config" fails.

Workaround:
After modifying the master key password, save the configuration and then perform the tmsh load sys configuration.

880009-1 : Tcpdump does not export the TLS1.3 early secret

Links to More Info: BT880009

Component: TMOS

Symptoms:
Users running tcpdump with the 'ssl:v' flag to obtain the early traffic secret are given the early master secret instead.

Conditions:
Run tcpdump with the 'ssl:v' flag.

Impact:
Users cannot decrypt TLS1.3 early data packets.

Workaround:
None.

879969-5 : FQDN node resolution fails if DNS response latency >5 seconds

Links to More Info: BT879969

Component: TMOS

Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.

Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses

Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.

Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.

879301-1 : When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended

Links to More Info: BT879301

Component: Global Traffic Manager (DNS)

Symptoms:
When importing a BIND zone file, $ORIGIN is appended for rdata from SRV and NAPTR RRs, also not appended for DNAME's owner label.

Conditions:
$ORIGIN is used in original zone files and use zone runner to import.

Impact:
Zone files are not generated correctly.

Workaround:
Do not use $ORIGIN.

879001-1 : LDAP data is not updated consistently which might affect authentication.

Links to More Info: BT879001

Component: TMOS

Symptoms:
Change not updated in LDAP when the system auth source ('systemauth.source' DB key/'Auth Source Type') is set to Active Directory.

This change is not applied when the setting is modified (e.g., from local or LDAP to Active Directory, or from Active Directory to LDAP). Instead, the change is applied only when MCPD is rewriting the file for other reasons.

Conditions:
Changing the 'systemauth.source' DB key/'Auth Source Type':
-- From local to Active Directory.
-- From LDAP to Active Directory.
-- From Active Directory to LDAP.

Impact:
LDAP data is not updated consistently, and authentication might fail.

Workaround:
None.

878469-2 : System uptime in bgpBackwardTransNotification is incorrect

Links to More Info: BT878469

Component: TMOS

Symptoms:
When BGP peer is going down, BIG-IP is sending the wrong system uptime in the trap bgpBackwardTransNotification being sent.

Conditions:
-- BIG-IP system is configured with a BGP peer connection to a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router goes down.
-- Both devices release an SNMP trap.

Impact:
The BIG-IP system sends the wrong system uptime in the trap sent

Workaround:
None

878253-1 : LB::down no longer sends an immediate monitor probe

Links to More Info: BT878253

Component: Local Traffic Manager

Symptoms:
The iRule command LB::down is supposed to send an immediate monitor probe, but it does not.

Conditions:
-- Executing LB::down in an iRule.

Impact:
A monitor probe is not immediately sent, which may cause a pool member to be marked down longer than it should be.

876809-3 : GUI cannot delete a cert with a name that starts with * and ends with .crt

Links to More Info: BT876809

Component: TMOS

Symptoms:
If a cert is created with a name that begins with * (asterisk) and ending with .crt, you cannot delete it using the GUI.

Conditions:
-- Certificate with a name similar to *example.crt.

-- Select the checkbox in the GUI and click Delete.

Impact:
GUI displays the message: No records to display. The '*example' certificate is still present.

Workaround:
You can use TMSH to delete it without issue.

Note that the asterisk needs to be escaped in tmsh, e.g.:

    tmsh delete sys file ssl-cert '\*example'

876677-1 : When running a debug version of TMM, an assertion may be triggered due to and expired DNS lookup

Links to More Info: BT876677

Component: Global Traffic Manager (DNS)

Symptoms:
When running a debug TMM, if a DNS lookup takes more than 30 seconds, TMM may assert with a message similar to the following in the /var/log/ltm file:

-- notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.

Conditions:
-- Using the debug TMM.
-- Executing a DNS lookup that expires.

Impact:
TMM crash and (in a high availability (HA) configuration) failover.

Workaround:
Do not use the debug TMM.

876569-3 : QAT compression codec produces gzip stream with CRC error

Links to More Info: BT876569

Component: Local Traffic Manager

Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.

Conditions:
This occurs when the following conditions are met:

-- The following platforms with Intel QAT are affected:
   + 4450 blades
   + i4600/i4800
   + i10600/i10800
   + i7600/i7800
   + i5600/i5800
   + i11600/i11800
   + i11400/i11600/i11800
   + i15600/i15800

-- The compression.qat.dispatchsize variable is set to any of the following values:
   + 65535
   + 32768
   + 16384
   + 8192

-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:

   + 65355*32768
   + 8192*32768

Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.

Workaround:
Disable hardware compression and use software compression.

876145-3 : Nitrox5 failure on vCMP guest results in all crypto requests failing.

Links to More Info: BT876145

Component: Local Traffic Manager

Symptoms:
Nitrox5 SSL card failure on a vCMP guest deployed on i11000 platform might cause all SSL transactions to fail.

Conditions:
- i11000 platform.
- vCMP guest.
- Nitrox5 card experiences a failure.

Impact:
- SSL transactions do not complete the handshake.
- Following logs can be seen in /var/log/ltm :

01260013:4 SSL Handshake failed for TCP 10.1.1.5:55368 -> 10.1.1.55:443
01260009:4: 10.2.36.5:55384 -> 10.1.1.1:443: Connection error: ssl_hs_vfy_vfydata_cont:14608: alert(47) verify failed

875373-3 : Unable to add domain with leading '.' through webUI, but works with tmsh.

Links to More Info: BT875373

Component: Application Security Manager

Symptoms:
It is possible to create certain domain matches with leading dot '.' in tmsh, but not in the GUI.

Conditions:
Advanced WAF bot signature configuration with domain with a leading . character.

Impact:
You are unable to use the GUI to create custom bot-defense signatures.

Workaround:
Use tmsh to add custom bot-defense signatures as follows:

tmsh create security bot-defense signature ockerdocker category Crawler domains add {.ockerdocker} rule "headercontent:\"Google_Analytics_Snippet_Validator\"; useragentonly; nocase;"

874877-1 : Bigd monitor reports misleading error messages

Links to More Info: BT874877

Component: Local Traffic Manager

Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.

Conditions:
-- BIG-IP system configured to monitor an HTTP/HTTP2 server.
-- BIG-IP system configured to monitor an HTTPS/TCP monitor, and the bigd.tmm is set to 'enable'.

Impact:
Misleading log messages; difficulty in identifying the actual cause of the monitor failure.

This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Here is an example:

-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.

In this case, a message is logged on the BIG-IP system:

      notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]

The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and even gets responses back, but they don't match the receive string.

874797-1 : Cannot use GUI to configure FQDN in device DNS NXDOMAIN QUERY Vector

Links to More Info: BT874797

Component: Advanced Firewall Manager

Symptoms:
The GUI for device vector is missing functionality to check, add, and delete FQDNs.

Conditions:
This is encountered in the GUI in the DNS tab while viewing the DNS NXDOMAIN Query vector.

Impact:
You are unable to configure a valid FQDN list.

Workaround:
Use TMSH to configure a valid FQDN list.

874317-1 : Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN

Links to More Info: BT874317

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with at least two VLANs/interfaces, and a virtual server with auto-lasthop disabled, then when that virtual server receives a SYN from a client and sends the SYN/ACK directly back to the client on a different VLAN/interface, it currently expects the ACK to be received on the outgoing interface unless the client is not directly connected and the connection is using a default gateway.

Conditions:
-- The BIG-IP is configured with two VLANs/interfaces for a client (one for incoming packets, one for outgoing packets, i.e. asymmetric routing).
-- The client using asymmetric routing is connecting to a virtual server with auto-lasthop disabled.
-- The outgoing route to the client (from the BIG-IP) is directly connected to the client (i.e. on the same network; not going through a gateway).
-- The DB variable connection.vlankeyed has the value "enabled" (which is the default).

Impact:
The mismatch could lead to connections failing to establish.

Workaround:
Use only a single VLAN on the client side, or disable the DB variable "connection.vlankeyed".

874221-1 : DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd

Links to More Info: BT874221

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response recursion desired (rd) flag does not match the DNS query when using the iRule command DNS::header rd.

Conditions:
-- iRule command DNS::header rd is used to set DNS query rd bit to a different value.
-- At least one wide IP is configured.

Impact:
DNS response rd flag does not match the DNS query. This is not RFC compliant.

Workaround:
Do not configure any wide IPs.

873677-7 : LTM policy matching does not work as expected

Links to More Info: BT873677

Component: Local Traffic Manager

Symptoms:
Policy matching may fail to work as expected

Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.

This may also be triggered by very complex policies with large numbers of rules.

Impact:
LTM policy matching does not work as expected.

Workaround:
None.

873545-2 : SSL Orchestrator Configuration GUI freezes after management IP change.

Links to More Info: BT873545

Component: SSL Orchestrator

Symptoms:
Changing the management IP address of the SSL Orchestrator BIG-IP device can result in an unresponsive SSL Orchestrator configuration interface in the TMUI. All other menus continue to work fine.

Conditions:
Change the management IP address of the SSL Orchestrator BIG-IP device.

Impact:
The SSL Orchestrator configuration interface in the TMUI becomes unresponsive and the BIG-IP SSL Orchestrator device administrator is not able to perform SSL Orchestrator management and configuration tasks.

Workaround:
After the SSL Orchestrator BIG-IP device management IP address change, use the following steps to get the SSL Orchestrator user interface to render correctly:

1. Wait for the management IP address change to become effective: (That is, the BIG-IP admin/user can log in to the BIG-IP console using the new management IP address).
2. In the BIG-IP terminal run the following commands:
   restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
   restcurl -X POST -d '{}' tm/shared/bigip-failover-state
3. The SSL Orchestrator UI/topology should become available in approximately 30 - 60 seconds (subject to topology size, etc.)

873249-1 : Switching from fast_merge to slow_merge can result in incorrect tmm stats

Links to More Info: BT873249

Component: Local Traffic Manager

Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.

Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.

Impact:
Incorrect reporting for TMM stats.

Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.

These files are roll-ups and will be re-created as necessary.

872981-1 : MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction

Links to More Info: BT872981

Component: Local Traffic Manager

Symptoms:
MCPD crashes when deleting a virtual server and traffic-matching-criteria in the same transaction. This can happen when explicitly using a transaction, or when using a feature that uses transactions, such as when deleting an iApp instance that created these objects.

Conditions:
-- Using a virtual server that has traffic-matching-criteria (e.g., port lists or address lists) attached.
-- Deleting the virtual server and its traffic-matching-criteria in the same transaction.

Impact:
MCP cores, which causes a failover (in a high availability (HA) system) or temporary outage.

Workaround:
Delete the traffic-matching-criteria object separately from the virtual server.

872721-3 : SSL connection mirroring intermittent failure with TLS1.3

Links to More Info: BT872721

Component: Local Traffic Manager

Symptoms:
Intermittent failure of standby connection mirroring TLS1.3 handshake.

Conditions:
TLS1.3 and connection mirroring. More easily reproduces with ecdsa signature.

Impact:
Standby device fails tls handshake, active success so connection succeeds but not mirrored.

872685-1 : Some HTTP/3 streams terminate early

Links to More Info: BT872685

Component: Local Traffic Manager

Symptoms:
Some HTTP/3 streams are terminated with a FIN before all the requested data is delivered.

Conditions:
-- Send multiple HTTP3 requests on different streams simultaneously.
-- The back-end in server is NGINX.

Note: This might happen with other web servers as well.

Impact:
Data transfer is incomplete.

Workaround:
Update the server-side connection to HTTP/2.

872165-2 : LDAP remote authentication for REST API calls may fail during authorization

Links to More Info: BT872165

Component: TMOS

Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.

Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:

-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider

-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.

Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.

Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.

Workaround:
You can use either of the following workarounds:

-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).

872105 : APM Hosted Content feature incorrectly guesses content type for CSS files

Links to More Info: BT872105

Component: Access Policy Manager

Symptoms:
APM has a hosted content feature where files can be uploaded for serving out to end users. This is typically used for Edge Client hosting, CSS, and Images.

When you upload a CSS file with Hosted Content enabled, BIG-IP classifies it as 'text/x-asm' when it should be 'text/css'.

Conditions:
APM Hosted Content feature serving CSS files.

Impact:
Incorrect content type used for CSS may confuse some web clients.

Workaround:
To work around this issue, use the Hosted Content GUI to change the file type from 'text/x-asm' to 'text/css'.

872037-2 : DNS::header rd does not set the Recursion desired

Links to More Info: BT872037

Component: Global Traffic Manager (DNS)

Symptoms:
iRule command DNS::header rd not working as expected.

Conditions:
Virtual server configured with an iRule command to set DNS::header rd.

Impact:
The DNS::header rd iRule command does not set the Recursion Desired flag in DNS headers.

Workaround:
None.

871705-6 : Restarting bigstart shuts down the system

Links to More Info: BT871705

Component: TMOS

Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.

Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.

Impact:
Different versions appear to have different behavior:

-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- 1v4.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.

Workaround:
None.

871045-1 : IP fragments are disaggregated to separate TMMs with hardware syncookies enabled

Links to More Info: BT871045

Component: Local Traffic Manager

Symptoms:
With hardware syncookies enabled, HTTP POST requests that are fragmented into separate segments are processed by different TMMs.

Connection is subsequently reset with a TCP RST cause reported as: No flow found for ACK.

Conditions:
-- Hardware syncookies triggered.
-- IP fragmented HTTP POST request.

Impact:
Connection is subsequently reset with TCP RST, cause 'No flow found for ACK'.

Workaround:
None.

870349-1 : Continuous restart of ntlmconnpool after license reinstall

Links to More Info: BT870349

Component: Local Traffic Manager

Symptoms:
The ntlmconnpool process continuously restarts after reinstalling the licence. The system reports a message in the BIG-IP console:
Re-starting ntlmconnpool.

Conditions:
This occurs when you upgrade your license such that the new license changes the number of TMMs available.

Impact:
System requires reboot, and reports 'Re-starting ntlmconnpool' message continuously in the BIG-IP console.

Workaround:
You must reboot to clear the condition. Once the system comes back up, it operates as expected.

869565-1 : Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN

Links to More Info: BT869565

Component: Local Traffic Manager

Symptoms:
HTTP/2 protocol can be negotiated with the Application-Layer Protocol Negotiation (ALPN) on the Transport Layer Security (TLS) level of communication. When an iRule disables HTTP/2 on a server side, it is assumed that the BIG-IP system no longer offers h2 to a server as an option.

Conditions:
-- A virtual server has an HTTP/2 profile configured on both the client and server sides.
-- A server SSL profile is configured on the virtual server.
-- An iRule using the 'HTTP2::disable serverside' command is attached to the virtual server.

Impact:
The BIG-IP system offers h2 as an option in ALPN when the HTTP/2 profile is disabled on a server side. If h2 is accepted by the server, communication fails since HTTP/2 is disabled and does not decode HTTP/2 traffic.

Workaround:
None.

869553-1 : HTTP2::disable fails for server side allowing HTTP/2 traffic

Links to More Info: BT869553

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an iRule command 'HTTP2::disable serverside' to put http2 in passthrough mode. When the command is called during the CLIENT_ACCEPTED event, it should completely disable http2 until the end of TCP connection, or until the HTTP2::enable command is executed.

Conditions:
-- A virtual server has an HTTP/2 profile configured on the server side.
-- An iRule with an the command 'HTTP2::disable serverside' command is attached to the virtual server in the CLIENT_ACCEPTED event.

Impact:
The BIG-IP system continues to send HTTP/2 traffic to a server.

Workaround:
None.

869541-2 : Series of unexpected <aborted> requests to same URL

Links to More Info: BT869541

Component: Access Policy Manager

Symptoms:
Series of unexpected <aborted> requests to same URL

Conditions:
Client using Internet Explorer to access the portal

Impact:
Page load is aborted

Workaround:
Following iRule can be used with customized SPECIFIC PAGE_URL value:

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "SPECIFIC_PAGE_URL"
  } {

    # log "URI=([HTTP::path])"
    # Found the file we wanted to modify

    REWRITE::post_process 1
    set do_fix 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_fix]} {
    unset do_fix

    set strt [string first {<script>try} [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace $strt 0 {
        <script>
          (function () {
            var dl = F5_Deflate_location;
            F5_Deflate_location = function (o) {
              if (o.F5_Location) Object.preventExtensions(o.F5_Location)
              return dl(o);
            }
          })()
        </script>
      }
    }
  }
}

869237-5 : Management interface might become unreachable when alternating between DHCP/static address assignment.

Component: TMOS

Symptoms:
When the Management IP address assignment is changed and the IP address obtained from DHCP lease is used for static interface configuration, the management port might become unreachable after the DHCP lease expiration time, even though interface has a static IP configured.

Conditions:
-- Management IP assignment is changed from dynamic (DHCP) to static.
-- The static IP address that is configured is identical to the DHCP address that was assigned.

Impact:
Remote management access is lost after the DHCP lease expires.

Workaround:
When changing the management interface configuration from DHCP to static, first delete the old configuration, then create new configuration. This can be done with TMSH:

(tmos)# modify sys global-settings mgmt-dhcp disabled
(tmos)# del sys management-ip 10.14.30.111/24
(tmos)# create sys management-ip 10.14.30.111/24 { description configured-statically }

868033-1 : SSL option "passive-close" option is unused and should be removed

Links to More Info: BT868033

Component: Local Traffic Manager

Symptoms:
The SSL profile "passive-close" option is available in TMSH (but not the GUI), but is not actually used.

A side-effect of this issue is: when the "passive-close" option is configured in TMSH, if the profile is later modified in the GUI, the "passive-close" option will be removed from the profile.

Conditions:
-- Modifying a client or server SSL profile in TMSH.

Impact:
The "passive-close" option is not actually used.

Workaround:
Do not use the "passive-close" option.

867985-4 : LTM policy with a 'shutdown' action incorrectly allows iRule execution

Links to More Info: BT867985

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.

Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.

Impact:
The iRule is executed before the connection is being reset.

Workaround:
None.

867777-3 : Remote syslog server cannot parse violation detail buffers as UTF-8.

Links to More Info: BT867777

Component: Application Security Manager

Symptoms:
Remote syslog server is unable to properly parse the violation detail buffers as UTF-8.

Conditions:
This occurs when the violation detail buffers contain double-byte/non-UTF characters, due to requests that contain non-ASCII UTF-8 characters.

Impact:
The syslog server cannot parse violation detail buffers as UTF-8.

Workaround:
None.

867705-4 : URL for IFRAME element may not be normalized in some cases

Links to More Info: BT867705

Component: Access Policy Manager

Symptoms:
Client JavaScript may see a non-normalized URL for the IFRAME HTML element in Portal Access.

Conditions:
- Original HTML page contains IFRAME element with relative URL
- JavaScript code reads this URL from the IFRAME element

Impact:
The URL for IFRAME element is not normalized and the web application may not work correctly in Portal Access.

Workaround:
Use an iRule to correct the returned IFRAME URL in rewritten JavaScript code. There is no generic iRule pattern; the correction depends on actual JavaScript code, but you can use the following example as a template:

when REWRITE_REQUEST_DONE {
  if { [HTTP::path] ... } { # use appropriate selection for URI
    set correct_location 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists correct_location]} {
    unset correct_location
    # look for the piece of code to be corrected
    set str2find {...} # use appropriate pattern for rewritten code
    set str_len [string length $str2find]
    set strt [string first $str2find [REWRITE::payload]]

    # make replacement using appropriate corrected code
    if {$strt > 0} {
      REWRITE::payload replace $strt $str_len {...}
    }
  }
}

867549-3 : LCD touch panel reports "Firmware update in progress" indefinitely

Links to More Info: BT867549

Component: TMOS

Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck reporting an error indefinitely / for longer than 30 minutes:
Firmware update in Progress may take up to 30 minutes.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have one of the following BIG-IP platforms:
 * i850
 * i2x00
 * i4x00
 * i5x00
 * i7x00
 * i10x00
 * i11x00
 * i15x00
 * HRC-i2x00
 * HRC-i5x00
 * HRC-i10x00

-- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer.

Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.

Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:

notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished.

These messages indicates that the firmware update has finished, and the LCD is displaying the warning screen in error, so it is safe to perform the workaround.

Reboot the BIG-IP system to return the LCD to normal operation.

After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive.

867321-3 : Error: Invalid self IP, the IP address already exists.

Links to More Info: BT867321

Component: Advanced Firewall Manager

Symptoms:
When loading a configuration, the config load fails with an error:

Invalid self IP, the IP address <ip_addr> already exists.

Conditions:
-- Config contains an IPv4 SelfIP
-- Config contains an IPv4-mapped IPv6 address that is assigned to the same vlan

BIG-IP does not prevent you from creating this condition and will allow you to save it.

Impact:
During configuration load will fail:

0107176c:3: Invalid self IP, the IP address <ip_addr> already exists.
Unexpected Error: Loading configuration process failed.

Workaround:
Delete one of the SelfIP addresses and load the configuration.

867253-3 : Systemd not deleting user journals

Links to More Info: BT867253

Component: TMOS

Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.

Conditions:
Using a non-TMOS user account with external authentication permission.

Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.

Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
  /var/log/journal/*/user-*

Option 2:
To prevent the system from creating these journal files going forward:

1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
  SplitMode=none

2. Restart systemd-journal service
  # systemctl restart systemd-journald

3. Delete the existing user journal files from /var/log
  # rm /var/log/journal/*/user-*

Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.

867249-1 : New SNMP authentication type and privacy protocol algorithms not available in UI

Links to More Info: BT867249

Component: TMOS

Symptoms:
You are unable to configure the new SNMP authentication type and privacy protocol algorithms from the BIG-IP Configuration utility.

Conditions:
A BIG-IP with net-snmp libraries v5.8

Impact:
The new authentication type and privacy protocol algorithms cannot be configured via the GUI.

Workaround:
Specify the auth-protocol and privacy-protocol values using TMSH.

modify /sys snmp users add { <user> { access rw security-level auth-privacy auth-protocol sha256 auth-password defaultPassword privacy-protocol aes privacy-password defaultPassword username <user> } }

867177-3 : Outbound TFTP and Active FTP no longer work by default over the management port

Links to More Info: BT867177

Component: TMOS

Symptoms:
When attempting to use TFTP or Active FTP at the BIG-IP management port to transfer files to a remote system, the connection eventually times out and the file is not transferred.

This is expected behavior resulting from the enhancement made in BIG-IP v14.1.0:
"Support for network firewall rules on the management port" :: https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/releasenotes/product/relnote-bigip-14-1-0.html#rn_ltm-tmos_1410_new.

When attempting to use TFTP and Active FTP via tmm interfaces will work as it has the necessary Algorithm capabilities to set up return listeners.

Conditions:
- BIG-IP v14.1.0 or greater.
- Attempt to initiate TFTP or Active FTP from the BIG-IP management port through command line.

Impact:
Unable to use TFTP or Active FTP to transfer files to/from the BIG-IP system over management port

Workaround:
Consider using encrypted transport (sftp, scp, etc.) in order to avoid the exposure of sensitive data, including passwords.

Manually load connection tracking for the necessary protocol(s) from the command line with:
modprobe nf_conntrack_ftp
modprobe nf_conntrack_tftp

866953-5 : Portal Access: F5_Inflate_onclick wrapper functionality needs refining

Links to More Info: BT866953

Component: Access Policy Manager

Symptoms:
Event handler defined on DOM elements is not executed properly, and some events on a page like onClick() are not executed properly.

Conditions:
-- Portal access enabled.
-- Rewrite enabled.
-- New value of event handler is equal to inline handler already set for the element.

Impact:
Web application does not operate as expected.

Workaround:
Use a custom iRule, for example, an iRule that redefines F5_Inflate_onclick:

Note: In the following iRule, substitute <PATH_TO_PAGE> with the page in your web application.

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "<PATH_TO_PAGE>"
  } {

    # log "URI=([HTTP::path])"
    # Found the file to modify

    REWRITE::post_process 1
    set do_it 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_it]} {
    unset do_it

    set strt [string first {<script>try} [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace $strt 0 {
        <script>
          (function(){
            var ioc = F5_Inflate_onclick;

            F5_Inflate_onclick = function(o, incr, v) {
              if (v === o.onclick && typeof v === 'function') {
                return v;
              }
              return ioc.call(this,o,incr,v);
            }

          })();
        </script>
      }
    }
  }
}

865981-1 : ASM GUI and REST become unresponsive upon license change

Links to More Info: BT865981

Component: Application Security Manager

Symptoms:
When there is a license change at the same time as a security update (ex. Threat Campaigns or Attack Signatures), the system can reach a deadlock which blocks some operations, eventually leading to all the REST threads becoming blocked and unresponsive.

Conditions:
A license change occurs at the same time as a security update (ex. Threat Campaigns or Attack Signatures).

Impact:
ASM user interfaces are unresponsive.

Workaround:
Kill asm_config_server.pl or restart ASM

865653-3 : Wrong FDB table entries with same MAC and wrong VLAN combination

Links to More Info: BT865653

Component: TMOS

Symptoms:
Forwarding DataBase (FDB) table has duplicate MAC entries with the incorrect VLANs.

MAC entries are correct in the switch but not in the control plane.

Conditions:
Enable L2Wire.

Impact:
Duplicate MAC entries with incorrect VLANs in FDB table.

Workaround:
Restart bcm56xxd:
bigstart restart bcm56xxd

Note: You can use tmsh to see the table:
tmsh -m show net fdb

865329-1 : WCCP crashes on "ServiceGroup size exceeded" exception

Links to More Info: BT865329

Component: TMOS

Symptoms:
Under general usage; WCCP crashes with a "ServiceGroup size exceeded" exception.

Conditions:
Have WCCP service groups configured.

Impact:
WCCP throws an exception and crashes.

Workaround:
None.

864989-2 : Remote logger violation_details field content appears as "N/A" when violations field is not selected.

Links to More Info: BT864989

Component: Application Security Manager

Symptoms:
When remote logger is enabled and violation_details field is selected for output, but violations field is not selected - content of violation_details field appears as "N/A".

Conditions:
- Remote logger is enabled;
- violation_details field is selected for output;
- violations field is not selected for output;
- violation is detected and reported to remote logger.

Impact:
Remote logger will not contain violation_details in report.

Workaround:
Enable violations field for remote logging.

864897-2 : TMM may crash when using "SSL::extensions insert"

Links to More Info: BT864897

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
iRule with "SSL::extensions insert"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

864649-4 : The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table

Links to More Info: BT864649

Component: Local Traffic Manager

Symptoms:
The client-side connection of the dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table.

Conditions:
Configure dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server.

Impact:
Even after correcting the listener to use dhcpv4 (relay) instead of dhcpv4_fwd (forwarding) profile, the client-side connection from the dhcpv4_fwd profile remains.

Workaround:
Delete the long-standing connection from the connection table.

864321-3 : Default Apache testing page is reachable at <mgmt-ip>/noindex

Links to More Info: BT864321

Component: TMOS

Symptoms:
For BIG-IP v14.1.x and later, the default testing page of the Apache web-server is accessible at <mgmt-ip>/noindex.

Conditions:
This is encountered when navigating to the /noindex page from the web browser.

Impact:
Limited information about the Apache web server and its operating system is available to users with access to the mgmt port interface.

Workaround:
None.

863601-3 : Panic in TMM due to internal mirroring interactions

Links to More Info: BT863601

Component: Wan Optimization Manager

Symptoms:
The Traffic Management Microkernel suddenly restarts due to a SIGSEGV segmentation fault.

Conditions:
-- APM is being used.
-- Connection mirroring is being used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid configuring connection mirroring when APM is being used.

863165-3 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Links to More Info: BT863165

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.

862949-3 : ZoneRunner GUI is unable to display CAA records

Links to More Info: BT862949

Component: Global Traffic Manager (DNS)

Symptoms:
Attempting to manage a CAA record via the GUI shows an error:

Resolver returned no such record.

Conditions:
-- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
-- Click on record of type CAA.

Impact:
Unable to update CAA records via the GUI.

Workaround:
You can use either of the following workarounds:

-- Manually edit the BIND configuration.
-- Delete the record and create a new one with the desired changes.

862693-6 : PAM_RHOST not set when authenticating BIG-IP using iControl REST

Links to More Info: BT862693

Component: TMOS

Symptoms:
The missing PAM_RHOST setting causes the radius packet to go out without the calling-station-id avp

Conditions:
1. Configure radius server and add it to BIG-IP
tmsh create auth radius system-auth servers add { myrad }

2. modify auth source type to radius
tmsh modify auth source { type radius }

3. try to authenticate to BIG-IP using iControl REST

Impact:
Remote authentication using iControl REST is not allowed based on calling-station-id

862525-1 : GUI Browser Cache Timeout option is not available via tmsh

Component: TMOS

Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
  bigpipe httpd browsercachetimeout

In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files.

However there is no tmsh equivalent in any version.

Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.

Impact:
Unable to modify browser cache timeout except from GUI

Workaround:
Using GUI to configure this field. GUI System :: Preferences :: Time To Cache Static Files.

862413-1 : Broken layout in Threat Campaigns and Brute Force Attacks pages

Links to More Info: BT862413

Component: Application Security Manager

Symptoms:
Horizontal scroll added to the page unnecessarily.

Conditions:
This occurs when viewing the Threat Campaigns or Brute Force Attacks page in any browser

Impact:
The horizontal scroll bar breaks the intended page layout.

Workaround:
N/A

862337-2 : Message Routing Diameter profile fails to forward messages with zero length AVPs

Links to More Info: BT862337

Component: Service Provider

Symptoms:
Message Routing Diameter profile does not forward diameter messages that include an AVP with a zero (0) length data field.

Conditions:
-- A virtual server with an Message Routing Diameter Profile.
-- A diameter message containing an AVP with a zero length data field.

Impact:
Diameter messages with zero length AVPs are not forwarded as expected.

Workaround:
None.

862069-1 : Using non-standard HTTPS and SSH ports fails under certain conditions

Links to More Info: BT862069

Component: Local Traffic Manager

Symptoms:
On all versions 12.1.0 or later, if you change the HTTPS port (e.g., to 8443, as is required for '1NIC' BIG-IP Virtual Edition (VE) deployments) and then expose the management UI via a self IP in a non-zero route domain, you cannot access the system via the GUI or CLI, and the system does not pass traffic as expected.

In versions 14.1.0 and later on VE installations, attempting to manage a BIG-IP system over a self IP can fail if all these conditions are met:
-- Non-standard HTTPS port used.
-- No TMM default route configured.
-- No route to the client IP address configured.

Conditions:
-- Modify the default HTTPS and/or default SSH ports.

And either of the following:

On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.

On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP address configured.

Impact:
-- Unable to access BIG-IP GUI on non-standard HTTPS port.
-- Unable to access BIG-IP CLI on non-standard SSH port.

Workaround:
None.

862001-1 : Improperly configured NTP server can result in an undisciplined clock stanza

Links to More Info: BT862001

Component: Local Traffic Manager

Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.

NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock

Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.

Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the the remote time-source becomes unreachable.

Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.

While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.
 
However, if the 'dummy' source starts responding, it could become a rogue time source.

860573-3 : LTM iRule validation performance improvement by tracking procedure/event that have been validated

Links to More Info: BT860573

Component: TMOS

Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with.

Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules.

Impact:
Task fails (via REST) or ends up taking a really long time when run manually.

Workaround:
None.

860277-4 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1

Links to More Info: BT860277

Component: Local Traffic Manager

Symptoms:
Version: 13.1.3.1

# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 49152
    proxy-buffer-low 32768
}

       proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 49152.

       proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 32768.

Version: 14.1.2.2

# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 65535
    proxy-buffer-low 32768
}


proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 131072.

proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 98304.

Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh

Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively.

860245-1 : SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x

Links to More Info: BT860245

Component: TMOS

Symptoms:
The SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.

The REST framework versions are different on the devices.

Conditions:
-- BIG-IP devices configured for HA.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.

Impact:
SSL Orchestrator configuration does not sync across BIG-IP HA peers.

Workaround:
The following steps are required on all HA, first on the active and then on the standby BIG-IP devices.

1. Open a BIG-IP terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded

860181-1 : After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error

Links to More Info: BT860181

Component: TMOS

Symptoms:
If you have BIG-IPs in a Device Service Cluster, and you attempt to sync a new floating self-IP over to a standby on a VLAN that the standby does not currently have a non-floating self-IP on, you will get an error and the sync will fail. This is the correct behavior. The issue, though, is that if you subsequently create a non-floating self-IP on the standby in order to rectify this issue, the sync will still fail.

Conditions:
-- BIG-IPs configured in a Device Service Cluster.
-- Device group is configured to use Automatic Sync or Manual with Incremental sync.
-- Attempting to sync a floating self-IP to a system that does not have a non-floating self-IP on the same VLAN.

Impact:
You are unable to sync BIG-IPs. Both devices will be out of sync and you will see an error displayed:

01070355:3: Self IP <address> is declared as a floating address but there is no non-floating address defined for this network

Even after you add a non-floating self-IP on the affected device, a subsequent config sync does not fix the error.

Workaround:
If you make any other configuration change that generates a config sync, this will correct itself after the other device has added a non-floating Self-IP.

Otherwise, this can be corrected by doing a full config sync, and can be done via the GUI or via tmsh.

In the GUI, change the Sync Type for the device group to Manual with Full Sync, and then do a config sync.

In tmsh, the command is:
run cm config-sync force-full-load-push to-group <affected_device_group>

858877-3 : SSL Orchestrator config sync issues between HA-pair devices

Links to More Info: BT858877

Component: TMOS

Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost.

Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group.

Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group.

Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help.

858445-1 : Missing confirmation dialog for apply policy in new policy pages

Links to More Info: BT858445

Component: Application Security Manager

Symptoms:
There is no confirmation dialog for applying a policy.

Conditions:
This occurs when visiting any policy page available from the policies list.

Impact:
Without a confirmation dialog, it is easier to apply a policy by mistake

Workaround:
N/A

858309-4 : Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart

Links to More Info: BT858309

Component: Local Traffic Manager

Symptoms:
TMM keeps restarting after setting a self IP to an IPv6 address with an embedded IPv4 address in TMSH.

Conditions:
Set self IP to an IPv6 address with an embedded Ipv4 address using tmsh.

Impact:
Tmm restarts repeatedly. Traffic disrupted while tmm restarts.

Workaround:
Set self IP to IPv4 address.

858173-3 : SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1

Links to More Info: BT858173

Component: TMOS

Symptoms:
With BIG-IP devices configured in high availability (HA) mode, with SSL Orchestrator configured, when upgrading from v14.1.2 to v15.1.x or newer, the SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.

This problem is caused by a REST framework sync issue between the devices in the high availability (HA) pair.

Conditions:
-- BIG-IP devices configured in high availability (HA) mode.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.

Impact:
SSL Orchestrator configuration not syncing across the BIG-IP high availability (HA) pair.

Workaround:
The following steps are required on both high availability (HA) peers, first on the active and then on the standby BIG-IP device.

1. Open a terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded

857897-2 : Address and port lists are not searchable within the GUI

Links to More Info: BT857897

Component: Advanced Firewall Manager

Symptoms:
Search from shared objects of IP addresses in the address list and port numbers in the port list does not work as expected. In previous releases, it was possible to expand all address/port lists in a single operation. There is no support for that in this release.

Conditions:
Searching from shared objects of IP addresses in the address list and port numbers in the port list.

Impact:
It is no longer possible to expand all address/port lists in a single operation, and because all lists needs to be expanded to allow a search using the browser or cache the objects in the embedded search box from the GUI, the functionality does not work as expected.

Workaround:
None.

857677-3 : Security policy changes are applied automatically after asm process restart

Links to More Info: BT857677

Component: Application Security Manager

Symptoms:
Changes in security policy are applied after ASM restart. This may activate unintended enforcement.

Conditions:
Restart ASM.

Impact:
Potentially unintended activation of new security entities.

Workaround:
None.

857045-1 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd

856909-3 : Apmd core occurs when it fails to retrieve agentInfo

Links to More Info: BT856909

Component: Access Policy Manager

Symptoms:
APMD daemon crashes.

Conditions:
When configuring 'REST API Security (Open API Spec)' application with Rate Limiting in Security.

Specific conditions required to reproduce this issue have not been identified.

Impact:
APMD crashes and restarts during configuration time. No service impact.

Workaround:
No workaround is needed because it is during configuration time and the system recovers by itself.

856713-3 : IPsec crash during rekey

Links to More Info: BT856713

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.

854129-2 : SSL monitor continues to send previously configured server SSL configuration after removal

Links to More Info: BT854129

Component: In-tmm monitors

Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.

Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.

Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.

Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').

Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html

853989-1 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields

Links to More Info: BT853989

Component: Application Security Manager

Symptoms:
Dosl7 remote logger messages breaks ArcSight CEF connector when using ArcSight destination format. CEF Logs are dropped.

Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual

Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.

Workaround:
BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the a string portion from ArcSight numeric type fields.

853617-1 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles

Links to More Info: BT853617

Component: TMOS

Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:

-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG

In older versions:

-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error

Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.

Impact:
Virtual server is defined and in configuration, but does not pass traffic.

On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.

Workaround:
None.

853565-2 : VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade

Links to More Info: BT853565

Component: Application Security Manager

Symptoms:
After rebooting a vCMP guest with ASM provisioned and configured, there are no asm policies. The following command returns no results:

tmsh list asm policy all-properties

Conditions:
-- vCMP host with 2+ slots
-- vCMP guest with 2+ slots
-- LTM+ASM provisioned
-- ASM security policy + virtual server configured
-- reboot primary slot of VCMP host

Impact:
There are no ASM policies on the vCMP guest.

853269-1 : Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages in case of complex role user

Links to More Info: BT853269

Component: Application Security Manager

Symptoms:
Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages are given

Conditions:
User has a complex role, e.g. ASM Admin in partition A and Guest in partition B

Impact:
User with complex role gets incorrect privileges in "Policy List" and "Security Policy Configuration" pages

Workaround:
N/A

853177-1 : 'Enforcement Mode' in security policy list is shown without value

Links to More Info: BT853177

Component: Application Security Manager

Symptoms:
The 'Enforcement Mode' field in the security policy list has no value.

Conditions:
Security policy list in the GUI is sorted by 'last modified'.

Impact:
Security policy list page has empty 'Enforcement Mode' field.

Workaround:
None.

853161-4 : Restjavad has different behavior for error responses if the body is over 2k

Links to More Info: BT853161

Component: TMOS

Symptoms:
The error Response body from iControl REST is truncated at 2048 characters. If an iControl REST response sends an error that is longer than 2048 characters, the truncated response will not contain valid JSON.

Conditions:
This occurs when iControl REST error messages are longer than 2048 characters.

Impact:
The error response body is deformed when the length of the error body is more than 2k characters

852953-1 : Accept Client Hello spread over multiple QUIC packets

Links to More Info: BT852953

Component: Local Traffic Manager

Symptoms:
A QUIC connection does not complete the handshake successfully when the Client Hello spans multiple initial packets.

Conditions:
-- QUIC is in use.
-- A Client Hello is received that spans multiple packets.

Impact:
QUIC is unable to process a Client Hello that spans multiple packets.

Workaround:
None.

852577-5 : [AVR] Analytic goodput graph between different time period has big discrepancy

Links to More Info: BT852577

Component: Application Visibility and Reporting

Symptoms:
The incorrect goodput value is showing on the GUI > Analytics > TCP > Goodput.

Conditions:
AVR is provisioned
Running TCP related traffic (with the amount that can exceeds the MAX_INT value in any aggregation level).

Impact:
AVR statistics for TCP goodput may be incorrect.

Workaround:
There is no workaround at this time.

852565-5 : On Device Management::Overview GUI page, device order changes

Links to More Info: BT852565

Component: TMOS

Symptoms:
When manual device group sync is enabled, the device with the most recent change will be displayed at the top of the Device Management::Overview GUI page.

Conditions:
-- Multiple devices in a device group
-- Device group has manual config sync enabled
-- A change is made on a device

Impact:
When the list loads, the device with the most recent changes is displayed at the top. This can make the device order appear to be inconsistent, and can create confusion when doing manual config sync if you are expecting the order to be always consistent.

852429-1 : "ASM subsystem error" logged when creating policies

Links to More Info: BT852429

Component: Application Security Manager

Symptoms:
After creating certain security policies, errors are logged to /var/log/asm:

crit g_server_rpc_handler_async.pl[2328]: 01310027:2: ASM subsystem error
(asm_config_server.pl,F5::DbUtils::insert_data_to_table): Row 7 of table PLC.PL_SUGGESTIONS is missing viol_index () -- skipping
N

Conditions:
This occurs when creating security policy based on the following security templates:
- drupal
- owa
- sharepoint
- wordpress

Impact:
Misleading errors are logged in ASM log file; they can be safely ignored.

852325-1 : HTTP2 does not support Global SNAT

Links to More Info: BT852325

Component: Local Traffic Manager

Symptoms:
The Global SNAT feature does not work with HTTP2.

Conditions:
-- Global SNAT is used
-- HTTP2 is used.

Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.

Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.

852265-1 : Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width

Links to More Info: BT852265

Component: TMOS

Symptoms:
The 'SSL Profile (Client)' and 'SSL Profile (Server)' listboxes (both 'Selected' and 'Available') now have a fixed width when viewing Virtual Server settings.

Conditions:
-- An SSL profile (client or server) with a long name.
-- Accessing the Virtual Server settings page in the GUI.

Impact:
If many SSL profiles start with the same several letters, it may be impossible to detect which one is the desired profile.

Workaround:
None.

851837-2 : Mcpd fails to start for single NIC VE devices configured in a trust domain

Links to More Info: BT851837

Component: TMOS

Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error:

err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first.

Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA)

Impact:
The mcpd process fails to start, and the configuration does not load.

Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file:

1. Connect to the CLI.

2. Edit bigip_base.conf, and add the following:

net self self_1nic {
    address 10.0.0.1/24
    allow-service {
       default
    }
    traffic-group traffic-group-local-only
    vlan internal
}

Note: replace 10.0.0.1 with the IP indicated in the error message

3. Save the changes and exit.

4. Load the configuration using the command:
tmsh load sys config

5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart

851785-3 : BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver

Links to More Info: BT851785

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/13: page allocation failure: order:2, mode:0x204020

After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the appliance 10350V-F D112.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to 128 MB (131072 KB).

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

851757-1 : Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION

Links to More Info: BT851757

Component: Local Traffic Manager

Symptoms:
When a TLS END_OF_EARLY_DATA message is received by QUIC, a CONNECTION_CLOSE frame with a CRYPTO_ERROR is produced. However, the error should be a PROTOCOL_VIOLATION.

Conditions:
-- QUIC is in use.
-- A TLS END_OF_EARLY_DATA message is received.

Impact:
A CRYPTO_ERROR is produced, however, the error should be PROTOCOL_VIOLATION.

Workaround:
None.

851425-1 : Update QLOG to draft-01

Links to More Info: BT851425

Component: Local Traffic Manager

Symptoms:
The BIG-IP QLOG implementation is currently on draft-00, and draft-01 has been released.

Conditions:
QUIC and QLOG are in use.

Impact:
Existing third-party applications might remove support for QLOG draft-00 at some point.

Workaround:
None.

851385-1 : Failover takes too long when traffic blade failure occurs

Links to More Info: BT851385

Component: Local Traffic Manager

Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages.
  
If the blades are physically pulled from the chassis,
the failure occurs within 1 second.

Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI

Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover

851353-1 : Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request

Links to More Info: BT851353

Component: Local Traffic Manager

Symptoms:
Invalid pseudo header or malformed header in an HTTP/3 request should result in resetting of the stream with error code of HTTP3_GENERAL_PROTOCOL_ERROR. Instead the connection is reset with HTTP3_UNEXPECTED_FRAME error code.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL, and httprouter profiles.
-- HTTP/3 header frame from client with invalid or malformed header is received.

Impact:
Connection is reset with incorrect error code, instead of just the individual stream.

Workaround:
No workaround.

851121-2 : Database monitor DBDaemon debug logging not enabled consistently

Links to More Info: BT851121

Component: Local Traffic Manager

Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (mssql, mysql, postrgresql, oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled vs. disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, etc. may not be logged consistently.

Conditions:
-- Using multiple database health monitors (mssql, mysql, postrgresql, oracle)
-- Enabling debug logging on one or more database health monitors, but not all

Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).

# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}

Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.

Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.

851101-4 : Unable to establish active FTP connection with custom FTP filter

Links to More Info: BT851101

Component: Local Traffic Manager

Symptoms:
Unable to establish active FTP connection with custom FTP filter.

Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.

Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.

Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.

851021-1 : Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error

Links to More Info: BT851021

Component: TMOS

Symptoms:
TMSH error example:

Configuration error: Can't associate ASM device sync (/Common/testsync/staging.example.com) folder does not exist

Conditions:
The conditions under which this occurs are unknown.

Impact:
Load of config file fails with an error that the folder does not exist.

Workaround:
Use 'tmsh load sys config verify', without specifying a specific file.

850997-1 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page

Links to More Info: BT850997

Component: TMOS

Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.

Conditions:
Viewing the page at:

System :: High Availability : Fail-safe : System

Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.

Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.

850633-1 : Policy with % in name cannot be exported

Links to More Info: BT850633

Component: Application Security Manager

Symptoms:
Policies with characters that are encoded with urlencode in name cannot be exported in GUI

Conditions:
Policies has characters that are encoded with urlencode in name

Impact:
Policy cannot be exported in GUI

Workaround:
Most policies can be cloned, and during clone user can select name without special characters. Then cloned policy can be exported.

850357-1 : LDAP - tmsh cannot add config to nslcd.conf

Links to More Info: BT850357

Component: TMOS

Symptoms:
nslcd comes as a dependency package for the nss-pam-ldapd and nslcd.conf file contains the configuration information for running nslcd.
tmsh does not support modification of nslcd.conf to include some options.

Conditions:
This would be encountered only if you wanted to do modify the nslcd configurations

Impact:
You are unable to modify nslcd configuration for some options.
 This prevents the ability to use certain ldap-based remote authentication techniques.

Workaround:
Modify nslcd.conf file to include configuration changes manually and restart the nslcd daemon with systemctl restart nslcd

850117-2 : Autodosd crash after assigning dos profile with custom signatures to a virtual server

Links to More Info: BT850117

Component: Advanced Firewall Manager

Symptoms:
When attaching dos profile to virtual server, it will crash occasionally.

Conditions:
-- AFM is provisioned
-- Performing profile attachment

Impact:
Autodosd crashes and restarts.

849349-5 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db

Links to More Info: BT849349

Component: Application Security Manager

Symptoms:
Web app flow might fail resulting in JavaScript errors related to CSP policy

Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.

Impact:
Web application flow might fail.

Workaround:
Attach an iRule:

when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}

849269-1 : High CPU usage after Inheritance page opened

Links to More Info: BT849269

Component: Application Security Manager

Symptoms:
After you visit the Policy Inheritance page, there is high CPU usage in the browser until you leave the policies page.

Conditions:
This occurs when opening the Policy Inheritance page for a policy that does not have a parent.

Impact:
High CPU usage by browser

Workaround:
N/A

848921-1 : Config sync failure when importing a Json policy

Links to More Info: BT848921

Component: Application Security Manager

Symptoms:
Importing a json policy to a BIG-IP that is in a device group machine causes errors on the other devices, which leads to a sync failure.

Conditions:
This can occur when a json policy is imported to a BIG-IP that is in a device group

Impact:
Config sync fails.

848757-1 : Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload

Links to More Info: BT848757

Component: Application Security Manager

Symptoms:
Link between 'API protection profile' and 'Security Policy' created with swagger based 'API protection profile' preserved in UCS file. This link is not restored after UCS upload.

Conditions:
UCS upload.

Impact:
'API protection profile' has no link to related security policy.

Workaround:
None.

848681-7 : Disabling the LCD on a VIPRION causes blade status lights to turn amber

Links to More Info: BT848681

Component: TMOS

Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.

Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable

Impact:
Blade status lights change to amber, even if nothing is wrong with the system.

Workaround:
None.

848673-1 : Messages that originate from split tunneled frame have incorrect Portal Access message event origin.

Links to More Info: BT848673

Component: Access Policy Manager

Symptoms:
Depending on the web-application internal logic, unexpected exceptions can occur and other issues can be visible.

Conditions:
Portal Access message originates from a split tunneled frame, for example, in a split tunneling configuration:

    REWRITE
      *://*
    BYPASS
      *://*example*
      *://*exmpmg*

Impact:
Web-application does not operate as expected. The
- Messages sent from the iframe with src=http://example.com to the main window with URL http://my.company.com might cause exceptions when receiving data.

Workaround:
Use a custom iRule to handle this situation.

848217-4 : Portal Access: default port encoded in rewritten url, need to be removed from host header in request to backend

Component: Access Policy Manager

Symptoms:
Bad response, or invalid response for request in which default port was used in web-application.

Conditions:
Default port is used in the url, back end application does not expect the default port in the request's Host header.

Impact:
Web-application misfunction

Workaround:
Custom workaround iRule can be used to remove default port form rewritten url.

847109-1 : Very large policies could have problems with re-import

Links to More Info: BT847109

Component: Access Policy Manager

Symptoms:
Policy exported and then imported with Syntax Error:

Import error: Syntax Error:(/shared/tmp/apmom/import/p--11-02--07-34-31--208.conf at line: 976) "src-subnet" unexpected argument.

Conditions:
Elements in policy are very large (e.g., 100 KB).

Note: This is a rarely occurring issue.

Impact:
Unable to import policy.

Workaround:
None.

846977-1 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero

Links to More Info: BT846977

Component: Local Traffic Manager

Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.

Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:

/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].

Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.

Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.

Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.

846873-4 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure

Links to More Info: BT846873

Component: Local Traffic Manager

Symptoms:
Traffic fails to pass through a virtual server.

Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.

For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction

Impact:
Traffic failure on the new virtual server.

Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:

tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config

846521-7 : Config script does not refresh management address entry properly when alternating between dynamic and static

Links to More Info: BT846521

Component: TMOS

Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.

Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.

Impact:
Remote management access is lost after DHCP lease expires.

Workaround:
Restart BIG-IP after changing the management IP address.

846141-1 : Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.

Links to More Info: BT846141

Component: TMOS

Symptoms:
Rest API returns 404 'Object not found"' error when attempting direct access to pool member that has pipe symbol '|' in the server or virtual server name.

Conditions:
An iControl/REST call to a pool member that has a virtual server on the Server whose name contains a | character in the server or virtual server name.

Impact:
The iControl/REST call cannot manage a pool member associated with a virtual server or server whose name contains a | character.

Workaround:
Rename the server or virtual server to a name that does not contains the | character.

845933-1 : Unused parameters remain after modifying the swagger file of a policy

Links to More Info: BT845933

Component: Application Security Manager

Symptoms:
After you update the swagger file of a policy, some parameters that are not defined in the updated swagger may remain in the policy.

Conditions:
1. Policy contains global parameters that were added manually
2. All the URL parameters are deleted in the new swagger file

Impact:
Traffic to these parameters will not raise a violation ILLEGAL PARAMETER as expected

Workaround:
The leftover parameters need to be removed manually

845545 : Potential name collision for client-ssl profile named 'clientssl-quic'

Links to More Info: BT845545

Component: Local Traffic Manager

Symptoms:
This release includes a new base client-ssl profile for use by QUIC virtual servers. If an existing client-ssl profile named 'clientssl-quic' exists, it will be overwritten by the new built-in profile after upgrading.

Conditions:
The system to be upgraded has an existing client-ssl profile named 'clientssl-quic'.

Impact:
The existing profile will be overwritten by the new built-in profile.

Workaround:
Rename the existing profile prior to upgrade.

844925-3 : Command 'tmsh save /sys config' fails to save the configuration and hangs

Links to More Info: BT844925

Component: TMOS

Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.

Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.

Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.

Workaround:
Run the command:
tmsh save /sys config binary

This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.

That way, you can reboot the BIG-IP system and not lose the configuration.

Note: It is possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save. It is possible that every time you want to save the config, you must use the binary option.

844597-4 : AVR analytics is reporting null domain name for a dns query

Links to More Info: BT844597

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.

844373-1 : Learning suggestion details layout broken in some browsers

Links to More Info: BT844373

Component: Application Security Manager

Symptoms:
One of the suggestion details is placed incorrectly, out of alighment.

Conditions:
This occurs when you open the details for learning suggestion, e.g., based on refinement.

Impact:
Refinement title is out of line.

Workaround:
Use a different browser, if needed.

844337-4 : Tcl error log improvement for node command

Links to More Info: BT844337

Component: Local Traffic Manager

Symptoms:
Because of the Tcl error, connection gets reset and reports an error:

err tmm[18774]: 01220001:3: TCL error: /Common/test2- bad port in node <addr> <port> cmdTCL error (line 43) (line 43) invoked from within "node 172.x.x.x IP [LB::server port]"

Conditions:
Using node command under pre-load-balancing iRule events.

Impact:
Unclear port values in Tcl error message.

Workaround:
None.

844169-1 : TMSH context-sensitive help for diameter session profile is missing some descriptions

Links to More Info: BT844169

Component: Service Provider

Symptoms:
The tmsh context-sensitive help content for the following diameter session attributes is missing:
-- respond-unroutable
-- retransmission-action
-- retransmission-queue-limit-high
-- retransmission-queue-limit-low
-- retransmission-queue-max-bytes
-- retransmission-queue-max-messages

Conditions:
When attempting in tmsh to list a diameter session profile followed by a question mark for context-sensitive help- for example:
list ltm message-routing diameter profile session <sess-name> ?

Impact:
The specified attributes are no described.

Workaround:
These are the missing descriptions:

-- respond-unroutable: When selected (enabled), messages that do not match any known route will be transformed into an error answer message and sent to the originator of the request. When disabled, unroutable request messages are routed back to the connection where they came from. The default value is disabled.

-- retransmission-action: Specifies the action performed when retransmission has been triggered for a request message. The options are:
  1) Disabled: Retransmission is disabled. This is the default action.
  2) Busy: An answer message is generated with a TOO_BUSY result code and returned to the originator of the request.
  3) Unable: An answer message is generated with an UNABLE_TO_DELIVER result code and returned to the originator of the request.
  4) Retransmit: The request message will be retransmitted.

-- retransmission-queue-limit-high: Specifies the high watermark for the retransmission queue (in percentage). If the retransmission queue exceeds this limit, the transport window will begin closing. A value of 0 will disable closing the transport window. Valid range from 0 to 100. The default value is 90.

-- retransmission-queue-limit-low: Specifies the low watermark for the retransmission queue (in percentage). If the retransmission queue drops below this limit, the transport window will reopen. Valid range from 0 to 100. The default value is 60.

-- retransmission-queue-max-bytes: Specifies the maximum number of bytes that can be stored in a connections retransmission queue. A value of 0 will disable this limit. The default value is 131072 bytes.

-- retransmission-queue-max-messages: Specifies the maximum number of messages that can be stored in a connections retransmission queue. A value of 0 will disable this limit. The default value is 1024 messages.

843661-1 : TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command

Links to More Info: BT843661

Component: TMOS

Symptoms:
TMSH currently allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command, but the option is not honored and the entire license is revoked.

Conditions:
-- BIG-IP license and add-on license are installed.
-- Attempt to revoke the system license with 'add-on-keys' as an option.

Impact:
Add-on-keys option is ignored, and the entire license is revoked instead.

Workaround:
None.

843317-3 : The iRules LX workspace imported with incorrect SELinux contexts

Links to More Info: BT843317

Component: Local Traffic Manager

Symptoms:
Files imported from iRules LX workspace may have incorrect SELinux contexts such as abrt_var_cache_t.

This can cause reloading the workspace to fail with errors:

01070079: failed to create workspace archive ... Return code {2}

Conditions:
Importing the iRules LX workspace.

Impact:
Workspace cannot be imported

Workaround:
As a workaround you can run the following command on the folders to restore the context:
restorecon -R -v

843293-3 : When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga.

Links to More Info: BT843293

Component: TMOS

Symptoms:
When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga. "tmsh list sys fpga" will list the expected type "l7-performance-fpga".

Conditions:
-- iSeries i5000/i7000/i10000/i11000/i15000 platform
-- Pay as you grow (PAYG) license applied
-- L7 performance FPGA is loaded

Impact:
"tmsh show sys fpga" shows standard-balanced-fpga

This is cosmetic and there is no function impact. "tmsh list sys fpga" will list the correct type "l7-performance-fpga".

Workaround:
N/A

842669-3 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log

Links to More Info: BT842669

Component: TMOS

Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:

cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )

Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as

- The cron process tries and fails to send an email because of output about a cron script.
- Modify syslog include configuration
- Apply ASM policy configuration change
- GTM.debugprobelogging output from big3d

Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first line to the appropriate file, and remaining lines to /var/log/user.log.

Workaround:
View the logs using journalctl -D /var/log/journal

842425-1 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.

842265-1 : Create policy: trusted IP addresses from template are not shown

Links to More Info: BT842265

Component: Application Security Manager

Symptoms:
If there are trusted IP addresses in the selected template, they are not shown in GUI during policy creation

Conditions:
Create user-defined template from policy with trusted IP addresses.

Impact:
If you manually enter the same IP addresses that were in template, you may get an error message after policy creation

Workaround:
None.

842193-1 : Scriptd coring while running f5.automated_backup script

Links to More Info: BT842193

Component: iApp Technology

Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:

-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING

-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.

-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED

Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.

Impact:
Scriptd core.

Workaround:
Increasing the sys scriptd max-script-run-time higher then the default of 300 seconds might be helpful if the higher timeout allows the script to complete.

For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue.

842149-2 : Verified Accept for SSL Orchestrator

Links to More Info: BT842149

Component: Access Policy Manager

Symptoms:
You are unable to configure Verified Accept on SSL Orchestrator.

Conditions:
-- SSL Orchestrator in use .
-- A TCP profile is in use and it contains the Verified Accept flag.

Impact:
No connectivity over SSL Orchestrator.

Workaround:
None.

842137-3 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Links to More Info: BT842137

Component: Local Traffic Manager

Symptoms:
When FIPS mode is set to use FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition
-- You attempt to create a FIPS key using that partition

Impact:
New Keys cannot be created

Workaround:
Here are all the steps to generate a new netHSM key called "workaround" and install it into the BIG-IP config:

1.

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory

2. (this is to confirm the key is present with the label "workaround"

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...

3.
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm

4. (install public certificate)
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround

841985-5 : TSUI GUI stuck for the same session during long actions

Links to More Info: BT841985

Component: Application Security Manager

Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).

Conditions:
Long-running task is performed, such as export/import/update signatures.

Impact:
GUI is unresponsive for that session.

Workaround:
If you need to continue working during long task is performed, you can log in via another browser.

841721-2 : BWC::policy detach appears to run, but BWC control is still enabled

Links to More Info: BT841721

Component: TMOS

Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.

Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.

Impact:
The detached policy continues to work.

Workaround:
None.

841369-3 : HTTP monitor GUI displays incorrect green status information

Links to More Info: BT841369

Component: Local Traffic Manager

Symptoms:
LTM HTTP monitor GUI displays incorrect green status when related pool is down.

TMSH shows correct information

Conditions:
LTM HTTP monitor destination port does not match with pool member port.

Impact:
LTM HTTP marks the node down, but the Instances tab of the monitor in the GUI reports the status as green

Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that LTM HTTP monitor destination port does match pool member port.

841341-6 : IP forwarding virtual server does not pick up any traffic if destination address is shared.

Links to More Info: BT841341

Component: Local Traffic Manager

Symptoms:
Virtual servers do not forward any traffic but the SNAT does.

Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.

Impact:
IP forwarding virtual server does not pick up any traffic.

Workaround:
Delete and then re-create virtual servers.

841285-1 : Sometimes apply policy is stuck in Applying state

Links to More Info: BT841285

Component: Application Security Manager

Symptoms:
The word "Applying" is displayed long after the policy has been applied.

Conditions:
This can occur when applying policies.

Impact:
It appears that Apply policy is stuck, when it is not.

Workaround:
Refresh the page, or look for the log entry in /var/log/asm

ASMConfig change: Apply Policy Task Apply Policy Task [update]: Status was set to COMPLETED.

840785-1 : Update documented examples for REST::send to use valid REST endpoints

Links to More Info: BT840785

Component: Local Traffic Manager

Symptoms:
The documented examples for REST::send refers to REST endpoints that are not valid.

Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.

Impact:
Invalid examples lead to potential confusion.

Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.

840769-2 : Having more than one IKE-Peer version value results in upgrade failure

Links to More Info: BT840769

Component: TMOS

Symptoms:
When a 'net ipsec ike-peer' object has the version attribute with more than one value, upgrading to version 15.1.0 results in a failed upgrade.

Conditions:
The version attribute has two values, in this example, 'v1' and 'v2.'

net ipsec ike-peer test {
    my-cert-file default.crt
    my-cert-key-file default.key
    my-id-value 38.38.38.64
    peers-id-value 38.38.38.38
    phase1-auth-method rsa-signature
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm sha256
    prf sha256
    remote-address 38.38.38.38
    traffic-selector { /Common/homer2 }
    version { v1 v2 }
}

Impact:
Upgrading to version 15.1.0, which allows only one value for the version attribute, results in a failed upgrade/config load error.

Workaround:
Before upgrading, modify your config so that the version attribute has only one value for the version attribute.

840257-4 : Portal Access: HTML iframe sandbox attribute is not supported

Links to More Info: BT840257

Component: Access Policy Manager

Symptoms:
Issues with content displayed in iframes.

Conditions:
Using an iframe with the sandbox attribute in a web application.

Impact:
The web application does not work as expected.

Workaround:
Use an iRule as a workaround. Although the exact content of the iRule is strongly dependent on the web application, you can use the following iRule as a good example that can be customized:

when REWRITE_REQUEST_DONE {
  if {
    HTTP::path] ends_with "/CUSOM_PATH_TO_JS_FILE"
  } {
    REWRITE::post_process 1
  }

}

when REWRITE_RESPONSE_DONE {

  while {true} {
    set str { sandbox="}
    set strt [string first $str [REWRITE::payload]]
    set str_len [string length $str]

    if {
      $strt > 0
      and
      $strt < [expr [REWRITE::payload length] - $str_len]
    } {
      REWRITE::payload replace $strt $str_len { sandbo1="}
    } else {
      break
    }
  }

}

840249-2 : With BIG-IP as a SAML IdP, important diagnostic information is not logged

Links to More Info: BT840249

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as a SAML IdP and processes an SAML Authentication Request, if it does not find the appropriate SAML SP connector, it does not log relevant information such as the Issuer, ACS _URL, and Protocol binding from the Authentication request.

Conditions:
This occurs when a BIG-IP system is configured as a SAML IdP and processes a SAML Authentication request, but does not find an appropriate SP configuration that matches the information provided in the SAML Authentication request.

Impact:
Troubleshooting the issue and fixing the SAML configuration is difficult since there is no relevant information in the error log.

Workaround:
Enable the log level for SSO to 'Debug', and capture the logs at the debug level to troubleshoot further.

839509-1 : Incorrect inheritance treatment in Response and Blocking Pages page

Links to More Info: BT839509

Component: Application Security Manager

Symptoms:
Deception Response Pages is not inherited, but if common response pages are inherited, you are unable to save changes.

Conditions:
-- Deception Response Pages features licensed.
-- Parent policy selected with inheritance of response pages.

Impact:
Deception Response Pages cannot be modified.

Workaround:
None.

839389-1 : TMM can crash when connecting to IVS under extreme overload

Links to More Info: BT839389

Component: Service Provider

Symptoms:
TMM might crash while attempting to connect internally to an internal virtual server (IVS) and the connection setup cannot be completed due to internal factors.

Conditions:
-- Extreme overload such that TMM is out of memory, or some other internal condition that prevents connection setup.
-- Connection to an internal virtual server is attempted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

839361-6 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE

Links to More Info: BT839361

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.

Conditions:
iRule drop is used under DNS_RESPONSE event.

Impact:
DNS response may be improperly forwarded to the client.

Workaround:
Use DNS::drop instead.

839141-1 : Issue with 'Multiple of' validation of numeric values

Links to More Info: BT839141

Component: Application Security Manager

Symptoms:
'Multiple of' validation of numeric values may not be correct in some scenarios.

Conditions:
-- Create default policy from API Security template.
-- Create default decimal parameter with 'Multiple of'=5.
-- Send request to /index.php?param=0.

Impact:
'Multiple of' validation of numeric values does not block as expected.

Workaround:
None.

838925-7 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content

Links to More Info: BT838925

Component: TMOS

Symptoms:
Malformed CSS where one of the style rules is missing a closing brace could cause LTM Rewrite profile to stop processing file or reset connection.

Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.

Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.

Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.

838405-3 : Listener traffic-group may not be updated properly when spanning is in use.

Links to More Info: BT838405

Component: Local Traffic Manager

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group:

> modify ltm virtual-address 0.0.0.0 traffic-group none spanning enabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled

838353-1 : MQTT monitor is not working in route domain.

Links to More Info: BT838353

Component: Local Traffic Manager

Symptoms:
MQTT monitor fails when non-default route domains are used.

Conditions:
-When a non-default route domain is configured for a pool member
-mqtt monitor in use

Impact:
Mqtt monitor does not work in route domain.

838337-1 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Links to More Info: BT838337

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.

For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.

838305-7 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Links to More Info: BT838305

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.

837481-7 : SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID

Links to More Info: BT837481

Component: TMOS

Symptoms:
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.

Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.

Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device, makes that device work, but other members of the config sync group will now fail.

Workaround:
- check "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019)
engineID needs to be unique per device

- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync
We must NOT sync these parameters as they need to match the individual device engineID

            display-name "Authoritative (security) engineID for SNMPv3"
            display-name "Authentication pass phrase for SNMPv3 messages"
            display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
            display-name "User's passphrase"
            display-name "Privacy passphrase"

### Mount usr as rw see see K11302
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore usr as ro
mount -o remount,ro /usr
tmsh load sys config

Then once they are not syncing over, you can create v3 on each device using the same pass phrase as your SNMPv3 manager is using

tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }

Then each device should respond OK to query for that same pass phrase

snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv


For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps

835517-1 : After upgrading BIG-IP software and resetting HA, gossip may show 'UNPAIRED'

Links to More Info: BT835517

Component: Device Management

Symptoms:
After upgrading BIG-IP software and reconfiguring high availability (HA), gossip may show 'UNPAIRED' and the REST endpoint /resolver/device-groups/tm-shared-all-big-ips/devices/ may show only one device.

Conditions:
-- This has been observed during upgrade from 14.x.x to 15.x.x.
-- Reconfigure HA.
-- View gossip results and REST endpoint output.

Impact:
The gossip output shows 'UNPAIRED', and the REST endpoint reports only one decide. SSL Orchestrator does not work as expected

Workaround:
If gossip shows 'UNPAIRED' after upgrade, you may need to do following at both devices:

1. Delete existing device information:
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
 
2. Force update:
bigstart restart restjavad
restcurl -X POST -d '{}' tm/shared/bigip-failover-state

835505-1 : Tmsh crash potentially related to NGFIPS SDK

Links to More Info: BT835505

Component: Local Traffic Manager

Symptoms:
Tmsh crash occurs rarely. The NGFIPS SDK may generate a core as well.

Conditions:
The exact conditions that trigger this are unknown.

It can be encountered when running the following tmsh command:

tmsh -a show sys crypto fips key field-fmt include-public-keys all-properties

Impact:
Tmsh may crash. You are exited from tmsh if you were using it as a shell.

Workaround:
None.

835285-1 : Client browser traffic through APM SWG transparent proxy using captive portal might get reset.

Links to More Info: BT835285

Component: Access Policy Manager

Symptoms:
Client browser traffic through APM Secure Web Gateway is being reset by APM SWG.

Conditions:
-- APM SWG transparent proxy is configured with captive portal. -- Client browser sends redirect to original URI on a TCP connection that was opened before access policy completion on captive portal.

Impact:
The connection is reset.

834217-7 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.

Links to More Info: BT834217

Component: Local Traffic Manager

Symptoms:
Due to a known issue BIG-IP may advertise sub-optimal window size.

Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).

Impact:
Degraded TCP performance.

Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).

Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.

832665-1 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5

Links to More Info: BT832665

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools will not be available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools will not be available.

Workaround:
None.

832661 : Default provisioning for all instances is LTM nominal

Links to More Info: BT832661

Component: TMOS

Symptoms:
Prior to configuring an AWS WAF (AWAF) PAYG cloud instance, you may see errors related to an unlicensed LTM module. This occurs because the default provisioning for all instances is LTM nominal. However, the license associated with an AWAF PAYG cloud instance does not enable the LTM feature. As a result, the default provisioning for an unconfigured AWAF PAYG cloud instance will be incompatible with the PAYG license.

Conditions:
-- This issue relates only to AWAF PAYG cloud instances.
-- Not using the onboarding/templates to configure/provision the instance prior to use.

Impact:
Licensing error messages may be observed before the AWAF cloud instance is configured/provisioned. The functionality works as expected, however, so you can ignore these messages.

Workaround:
The recommended workflow for all cloud instances is to use onboarding/templates to configure/provision the instance prior to use. If this workflow is followed, any provisioning errors associated with the default provisioning are cleared prior to usage.

832233-1 : The iRule regexp command issues an incorrect warning

Links to More Info: BT832233

Component: Local Traffic Manager

Symptoms:
At validation time, mcpd issues a warning similar to the following:

warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]

Conditions:
Use arguments such as "\1", "\2", "\3" etc., in command regexp.

Impact:
A warning is generated, "\1" has no meaning, even though it is valid.

Workaround:
Ignore the warning.

832133-1 : In-TMM monitors fail to match certain binary data in the response from the server.

Links to More Info: BT832133

Component: Local Traffic Manager

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.

-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
You can use either of the following workarounds:

-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

-- Do not monitor the application through a binary response (if the application allows it).

831105-2 : Session timeout in diadb entry is updated to 180 on unsuccessful transaction

Links to More Info: BT831105

Component: Service Provider

Symptoms:
Diameter MRF persist records are not deleted at session timeout.

Conditions:
-- Diameter MRF in use
-- An unsuccessful CCR transaction occurs

Impact:
Unsuccessful transaction attempts do not time out and remain in the session database.

Workaround:
An iRule can be used to reset session timeout in diadb upon an unsuccessful transaction through MR_FAILED by executing DIAMETER::persist reset.

829657-3 : Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses

Links to More Info: BT829657

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
PEM configured with a multi-IP subscriber with more than 16 IP addresses.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not create a PEM subscriber with more than 16 IP addresses.

829653-2 : Memory leak due to session context not freed

Links to More Info: BT829653

Component: Policy Enforcement Manager

Symptoms:
Memory increases slowly

Conditions:
A PEM iRule times out

Impact:
Memory could be exhausted depending on the frequency of the command timeouts

829029-1 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error

Links to More Info: BT829029

Component: Application Security Manager

Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.

Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.

Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.

Workaround:
Retry the subsequent REST calls.

829021-3 : BIG-IP does not account a presence of http2 profile when response payload is modified

Links to More Info: BT829021

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might close a connection when the HTTP response payload is modified and sent without chunking encoding. If communication goes over an HTTP connection, the BIG-IP system closes a connection to tell a client that a response is served. With HTTP/2 connections, an unsized response is marked with the END_STREAM flag. This case is not accounted for, and the BIG-IP system closes HTTP communication with a server anyway.

Conditions:
-- A virtual server has an http/2 profile configured on the client side.
-- There are other profiles configured which can modify the HTTP response payload.

Impact:
The BIG-IP system wastes resources not reusing a server side HTTP connection when an unsized response is sent over an HTTP/2 connection to a client.

Workaround:
None.

828625-3 : User shouldn't be able to configure two identical traffic selectors

Links to More Info: BT828625

Component: TMOS

Symptoms:
Config load fails by issuing "tmsh load sys config verify"
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.

Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.

Impact:
Config load will fail after a reboot

Workaround:
Delete duplicate traffic-selectors.

827393-2 : In rare cases tmm crash is observed when using APM as RDG proxy.

Links to More Info: BT827393

Component: Access Policy Manager

Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.

Conditions:
APM is used as RDG proxy

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

827293-3 : TMM may crash running remote tcpdump

Links to More Info: BT827293

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
-- Tcpdump is run with the --remote-dest parameter.
-- The destination address is routed via a VLAN, whose cmp-hash setting has been changed from default to src-ip.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not route remote tcpdump operations via a VLAN with non-default cmp-hash settings.

827209-4 : HSB transmit lockup on i4600

Links to More Info: BT827209

Component: TMOS

Symptoms:
TMM shows HSB transmit lockup message and cored.

Conditions:
-- Using an i4600 platform.
-- Other conditions under which this occurs are unknown.

Impact:
Disruption to processing traffic on the BIG-IP system.

Workaround:
None.

827021-7 : MCP update message may be lost when primary blade changes in chassis

Links to More Info: BT827021

Component: TMOS

Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.

Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.

Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.

For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.

Workaround:
None.

826313-6 : Error: Media type is incompatible with other trunk members

Links to More Info: BT826313

Component: TMOS

Symptoms:
Loading system configuration is failing after upgrade with an error message

01070619:3: Interface 5.0 media type is incompatible with other trunk members

Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.

Impact:
The system configuration is failing to load.

Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.

826189-3 : The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

Links to More Info: BT826189

Component: TMOS

Symptoms:
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96).

In contrast, the TMSH utility correctly enforces values for this option.

Conditions:
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.

Impact:
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource.

The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.

Workaround:
When configuring this option using the WebUI, do not specify a subnet mask.

825245-4 : SSL::enable does not work for server side ssl

Links to More Info: BT825245

Component: Local Traffic Manager

Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.

Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.

Impact:
The connection will close instead of completing.

Workaround:
Do not use a disabled server-ssl profile in this situation.

824809-6 : bcm56xxd watchdog restart

Links to More Info: BT824809

Component: TMOS

Symptoms:
During initialization of very large configurations it is possible that the watchdog timer will fire and reset the bcm56xxd driver.

Conditions:
System configuration with very large number of objects being loaded.

Impact:
The driver restarts.

824437-7 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Links to More Info: BT824437

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.

824433-3 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile

Links to More Info: BT824433

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.

There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.

Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.

Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.

Workaround:
None.

824205-3 : GUI displays error when a virtual server is modified if it is using an address-list

Links to More Info: BT824205

Component: TMOS

Symptoms:
When you modify a virtual server, the GUI returns an error similar to the following:

01b90011:3: Virtual Server /Common/vs2_udp's Traffic Matching Criteria /Common/vs2_udp_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1_tcp destination address, source address, service port.

Conditions:
This occurs when either of the following occur:

-- When renaming the virtual server.
-- When changing the address-list attribute.

Impact:
Cannot update virtual configuration with new value.

Workaround:
None.

823825-7 : Renaming high availability (HA) VLAN can disrupt state-mirror connection

Links to More Info: BT823825

Component: Local Traffic Manager

Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.

Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.

Impact:
System might crash eventually.

Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.

822393-3 : Prober pool selected on server or data center not being displayed after selection in Internet Explorer

Links to More Info: BT822393

Component: Global Traffic Manager (DNS)

Symptoms:
Selected prober pool not visible on server or data center in Internet Explorer or Edge

Conditions:
This occurs when you have a prober pool configured for a data center or server, and you are viewing them in the GUI using Internet Explorer or Edge.

Impact:
The prober pool is not displayed.

Workaround:
Use Chrome or Firefox as browser

822253-1 : After starting up, mcpd may have defunct child "run" and "xargs" processes

Links to More Info: BT822253

Component: TMOS

Symptoms:
After starting up, mcpd may have defunct child "run" and "xargs" processes

Conditions:
Slow disk storage or large configuration files.

Impact:
Minimal; some zombie processes are created.

821589-1 : DNSSEC does not insert NSEC3 records for NXDOMAIN responses

Links to More Info: BT821589

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC does not insert NSEC3 records for NXDOMAIN responses.

Conditions:
-- "process-xfr yes" is set for the dns profile associated with the listener;
And
-- There is no "Zone Transfer Clients" nameserver configured for that zone.
And
-- There is no wideip configured.

Impact:
DNSSEC does not respond NSEC3 for non-existent domain.

Workaround:
1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no";
Or
2. Add a nameserver for "Zone Transfer Clients" of that zone.
Or
3. Add a wideip.

819457-1 : LTM high availability (HA) sync should not sync GTM zone configuration

Links to More Info: BT819457

Component: TMOS

Symptoms:
LTM high availability (HA) sync group are syncing GTM zone configuration changes.

Conditions:
1. BIG-IPs has both LTM and GTM provisioned.
2. The two BIG-IPs are inside one LTM sync group.

Impact:
GTM zone files are accidentally modified.

819429-5 : Unable to scp to device after upgrade: path not allowed

Links to More Info: BT819429

Component: TMOS

Symptoms:
Cannot scp copy a file to the BIG-IP system. The system reports an error:
path not allowed

Conditions:
Issue occurs when both conditions are present:
-- The BIG-IP user has 'shell tmsh' or 'shell none' access.
-- The scp destination is the real path target (not listed in the 'allow' list) of a symbolic link that is listed in the scp 'allow' list (/config/ssh/scp.whitelist).

For example:
scp to /var/tmp succeeds.
scp to /shared/tmp fails with 'path not allowed'.

Impact:
Cannot copy files to a path present under whitelist.

Workaround:
Use the explicitly listed (symlink) path as the scp destination.

819261-4 : Log HSB registers when parts of the device becomes unresponsive

Links to More Info: BT819261

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive, and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.

819233-3 : Ldbutil utility ignores '--instance' option if '--list' option is specified

Links to More Info: BT819233

Component: Access Policy Manager

Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.

Conditions:
When both '--list' and '--instance' options are specified.

Impact:
The output lists all the local users and not limiting to the '--instance' option given.

Workaround:
None.

818889-2 : False positive malformed json or xml violation

Links to More Info: BT818889

Component: Application Security Manager

Symptoms:
A false positive malformed XML or JSON violation occurs.

Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side)
-- A json/XML profile attached to the virtual.

Impact:
A false positive violation.

Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1)

818789-7 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile

Links to More Info: BT818789

Component: Local Traffic Manager

Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.

Conditions:
Configure HTTPS Monitor with ssl-profile "None".

Impact:
Ciphers are not exchanged as expected in the ClientHello Packets

Workaround:
Configure HTTPS Monitor without ssl-profile option, default serverssl profile will be used

818777-2 : MCPD error - Trouble allocating MAC address for VLAN object

Links to More Info: BT818777

Component: TMOS

Symptoms:
You see the following errors in /var/log/ltm:

err mcpd[8985]: 0107071c:3: Trouble allocating mac address for vlan object /Common/external.

Conditions:
Conditions under which this occurs are unknown.

Impact:
There is no known impact to the system as a result of this log message.

Workaround:
If this reoccurs, you can try force reloading mcpd.

For more information, see K13030: Forcing the mcpd process to reload the BIG-IP configuration, available at https://support.f5.com/csp/article/K13030.

818737-3 : Improve error message if user did not select a address-list or port list in the GUI

Links to More Info: BT818737

Component: TMOS

Symptoms:
In the GUI, the Virtual Server screen displays the available address-lists or port lists for source address, but there is no clarity on whether the options are selected or available.

Conditions:
-- Virtual server's source address section.

Impact:
If you do not make a selection and try to create the Virtual Server, an error occurs: An error has occurred while trying to process your request.

Workaround:
Click to select the address-list of port-list displayed as source address for Virtual Server.

818721-3 : Virtual address can be deleted while it is in use by an address-list.

Links to More Info: BT818721

Component: Local Traffic Manager

Symptoms:
-- The virtual-address (and virtual server) will no longer work.

-- The BIG-IP won't answer ARP requests for it.

-- Loading the config again or performing similar operations will not re-create the virtual-address.

Conditions:
-- A virtual address is deleted while it is in use by an address list and virtual server.
-- MCPD is restarted (or the unit rebooted, etc.).

Impact:
Traffic processing is disrupted

818705-1 : afm_cmi.py daemon can cause very high BIG-IP CPU utilization(>90%)

Links to More Info: BT818705

Component: Advanced Firewall Manager

Symptoms:
The AFM Auto threshold and behavioral dos historical data synchronization process consumes greater than 90% CPU. This affects TMM performance and some outages may occur.

Conditions:
This occurs in both high availability (HA) and standalone configurations. In both cases "MCPD" issues were reported. (Delay in response or the daemon crashed)

Impact:
TMM performance is affected and outages may occur.

Workaround:
Kill the AFM data synchronization process:

kill -9 afm_cmi.py

818505-1 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Links to More Info: BT818505

Component: TMOS

Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

Conditions:
Modifying a virtual address using an iControl PUT command.

Impact:
An unintentional change to the virtual address's netmask.

Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.

818297-3 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure

Links to More Info: BT818297

Component: TMOS

Symptoms:
OVSDB-server fails to make SSL connections when Selinux is enforced.

In /var/log/openvswitch/ovsdb-server.log:

...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).

Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.

Impact:
Permission denied, SSL connection failure.

Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };

Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t

Step 4: Apply the policy:
# semodule -i openvswitch_t.pp

818069-6 : GUI hangs when iApp produces error message

Links to More Info: BT818069

Component: iApp Technology

Symptoms:
If lengthy Tcl errors are displayed in the GUI while creating an iApp, the GUI can hang.

Conditions:
-- Creating an iApp that contains a syntax error.
-- A large error message is emitted.

Impact:
GUI hangs.

Workaround:
Restart the tomcat process:
tmsh restart sys service tomcat

817989-1 : Cannot change managemnet IP from GUI

Links to More Info: BT817989

Component: TMOS

Symptoms:
You are unable to change the management IP from the GUI

Conditions:
This is encountered when using the GUI to change the management IP address via the System :: Platform page.

Impact:
The GUI indicates that it will redirect you to the new IP address. You will eventually be redirected but the management IP address is not changed on the BIG-IP device.

Workaround:
Use tmsh to create the management IP. This will overwrite the old one.

Example:
create /sys management-ip [ip address/prefixlen]

To view the management IP configurations

tmsh list /sys management-ip

817369-2 : TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.

Links to More Info: BT817369

Component: Service Provider

Symptoms:
When a georedundancy profile is attached to a TCP, UDP, and SCTP virtual server, proxy does not convert to GEO proxy.

Conditions:
Attach georedundancy profile to a standard TCP, UDP, or SCTP virtual server.

Impact:
Unable to convert proxy to GEO proxy when georedundancy profile is attached with TCP, UDP and SCTP virtual

Workaround:
None.

817089-3 : Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing

Component: TMOS

Symptoms:
Connections that are hardware accelerated and that use asymmetric routing may use the wrong MAC address for return traffic. This can be observed by looking at a packet capture.

Conditions:
Hardware acceleration is enabled (ePVA/fastL4) with asymmetric routing.

Impact:
The return traffic has the wrong source MAC address. This may affect packet forwarding depending on the configuration.

Workaround:
Disable HW acceleration.

816953-1 : RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy

Links to More Info: BT816953

Component: Local Traffic Manager

Symptoms:
RST_STREAM is sent on a serverside stream in closing state in HTTP/2 full proxy.

Conditions:
-- HTTP/2 clientside and serverside profiles are attached to the virtual server.
-- HTTP and httprouter profiles are attached to the virtual server.
-- Race between clientside and serverside closing, where clientside closes faster.

Impact:
RST_STREAM is sent on a stream in closed state.

816353-3 : Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1

Links to More Info: BT816353

Component: TMOS

Symptoms:
During re-licensing or license reload, an unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 may be sent.

Conditions:
Occurs during license reload or reactivation.

Impact:
After a license reload, the unknown trap can be seen like the following:

run "tcpdump -ni mgmt port 162 -vvvv &":

12:01:59.883331 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 101)
    10.248.136.179.55540 > 172.28.8.68.snmptrap: [bad udp cksum 0x486e -> 0xd7b8!] { SNMPv2c { V2Trap(58) R=1205683810 .1.3.6.1.2.1.1.3.0=1775555 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.2.1.47.2.0.1.0.1 } }

815901-1 : Add rule to the disabled pem policy is not allowed

Links to More Info: BT815901

Component: Policy Enforcement Manager

Symptoms:
Adding rule to PEM policy is not allowed

Conditions:
A PEM policy is disabled

Impact:
You are unable to add rules to a PEM policy if it is disabled.

815405-6 : GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)

Links to More Info: BT815405

Component: Local Traffic Manager

Symptoms:
Child FastL4 profile is being reset after clicking Update from GUI.

Conditions:
-- Create child SSL FastL4, profile inheriting settings from a parent FastL4 profile.
-- From the command line, change any of the CLI-only visible settings in the child FastL4 profile (e.g., pva-acceleration, explicit-flow-migration, etc.), and save the changes.
-- In the GUI, click the Update button in the child FastL4 profile without making any change.

Impact:
The operation overwrites the CLI changes made in the child profile, and inherits those values from the parent settings instead.

Workaround:
None.

814353-6 : Pool member silently changed to user-disabled from monitor-disabled

Links to More Info: BT814353

Component: TMOS

Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:

'Available (Disabled) pool members is available, monitor disabled'.

To:

'Available (Disabled), pool member is available, user disabled'.

Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.

Impact:
Pool member goes to 'user-disabled'.

Workaround:
To recover, re-enable the pool member.

814273-1 : Multicast route entries are not populating to tmm after failover

Links to More Info: BT814273

Component: TMOS

Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.

Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.

Impact:
Multicast traffic does not pass through properly

Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group

813969-5 : Network DoS reporting events as 'not dropped' while in fact, events are dropped

Links to More Info: BT813969

Component: Advanced Firewall Manager

Symptoms:
Logs/Tmctl shows packet dropped whereas AVR shows Action as 'Allowed' and not 'Dropped'.

Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.

Impact:
The operation does not update the drop flag. It appears from AVR Reporting that packets are allowed, but actually they are dropped

Workaround:
There is no workaround at this time.

813221-5 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync

Links to More Info: BT813221

Component: Global Traffic Manager (DNS)

Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.

Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.

Impact:
The virtual server is flapping status between "blue" and 'green', and its destination IP:port is changing between a correct value and an incorrect one. Traffic will be impacted.

Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.

812705-3 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic

Links to More Info: BT812705

Component: Carrier-Grade NAT

Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.

Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.

Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.

Workaround:
Use normal LTM pool selection instead of iRules-based, LTM pool selection.

812693-3 : Connection in FIN_WAIT_2 state may fail to be removed

Links to More Info: BT812693

Component: Local Traffic Manager

Symptoms:
If a connection that has a fully closed client-side, but a server-side still in FIN_WAIT_2, receives a SYN matching the same connflow, the idle time is reset. This can result in the fin-wait-2-timeout never being reached. The SYN will be responded to with a RST - 'TCP Closed'

Conditions:
- Client side connection has been fully closed. This may occur if a client SSL profile is in use and an 'Encrypted Alert' has been received.
- Server side has sent a FIN which has been ACK'd, but no FIN has been received from the server.
- SYN received matching the existing connflow before the FIN-WAIT-2-timeout has been reached (300 default).

Impact:
Connection may fail to be removed in a timely manner. New connection attempts are RST with 'TCP Closed'

Workaround:
You can use either of the following:
-- Ensure servers are sending FIN's so as not to leave the connection in a FIN_WAIT_2 state.

-- Mitigate the issue by lowering the FIN-WAIT-2-timeout to a smaller value, e.g., FIN-WAIT-2-timeout 10.

812497-3 : VE rate limit should not count packet that does not have a matched vlan or matched MAC address

Links to More Info: BT812497

Component: Local Traffic Manager

Symptoms:
Virtual Edition (VE) Rate limit counts packets that are not intended for BIG-IP.

Conditions:
-- Rate-limited license in BIG-IP Virtual Edition (VE)
-- Promiscuous mode is enabled

Impact:
If you do not have an unlimited license for a Virtual Edition device, you cannot use VLAN tags or MAC Masquerading without a greatly increased risk of running out of licensed bandwidth. Even if you are not using any service, BIG-IP counts all traffic seen on the interface against the license. Due to VMWare's switch design you have to expose the device to all of the traffic to use those two features.

810613-5 : GUI Login History hides informative message about max number of lines exceeded

Links to More Info: BT810613

Component: TMOS

Symptoms:
When there are more than 10000 lines in /var/log/secure* files, visiting System :: Logins :: [History|Summary] in the GUI shows 'No Entries' instead of the actual error message about the large number of lines.

Conditions:
If there are more than 10000 lines in /var/log/secure* files.

Impact:
GUI displays 'No Entries' instead of the actual error message.

Workaround:
-- Via the CLI by specifying the number of lines:
tmsh show sys log security lines 15000 | less
-- Delete the large amount of secure files from /var/log/.

809089-1 : TMM crash after sessiondb ref_cnt overflow

Links to More Info: BT809089

Component: TMOS

Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt

Conditions:
-- Specific MRF configuration where all 500 session entries are owned by a single tmm.

-- High rate of session lookups with a lot of entries returned.

Note: This issue does not affect HTTP/2 MRF configurations.

Impact:
TMM core: the program terminates with signal SIGSEGV, Segmentation fault. Traffic disrupted while tmm restarts.

Workaround:
1. Change MRF configuration to spread session lookups across multiple tmms.
2. Reduce the sub-key entries to far below 500.

808913-2 : Big3d cannot log the full XML buffer data

Links to More Info: BT808913

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d cannot log the full XML buffer data:

-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.

Conditions:
The gtm.debugprobelogging variable is enabled.

Impact:
Not able to debug big3d monitoring issues efficiently.

Workaround:
None.

808801-4 : AVRD crash when configured to send data externally

Links to More Info: BT808801

Component: Application Visibility and Reporting

Symptoms:
AVRD can crash repeatedly when configured to send telemetry data externally.

Conditions:
-- AVR is configured to send telemetry data to an external source (like connection with BIG-IQ).
-- Large number of config objects in the system, such as virtual servers and pool members.

Impact:
AVRD process crashes, and telemetry data is not collected.

Workaround:
Split the configuration updates into smaller batches

808481-5 : Hertfordshire county missing from GTM Region list

Links to More Info: BT808481

Component: TMOS

Symptoms:
Hertfordshire county is missing from Regions in the United Kingdom Country/State list.

Conditions:
-- Creating a GTM region record.
-- Attempting to select Hertfordshire county for the United Kingdom.

Impact:
Cannot select Hertfordshire county from United Kingdom Country/State list.

Workaround:
None.

808277-6 : Root's crontab file may become empty

Links to More Info: BT808277

Component: TMOS

Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.

Conditions:
Low disk space on the /var filesystem.

Impact:
System and user entries in root's crontab file stop executing.

Workaround:
None.

808149-2 : Tmm crash

Links to More Info: BT808149

Component: TMOS

Symptoms:
When the tunnel count is high, tmm can crash.

Conditions:
This issue was not reproducible and steps are unknown as it occurs randomly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

808017-5 : When using a variable as the only parameter to the iRule persist command, the iRule validation fails

Links to More Info: BT808017

Component: Local Traffic Manager

Symptoms:
When using a variable as the only parameter to the iRule persist command, for example:

when HTTP_REQUEST {
    set persistence none
    persist $persistence
}

The iRule validation fails with the message:

Persistence mode (Cookie) called out in rule <rule name> requires a corresponding persistence profile for virtual server

Conditions:
Using a variable as the only parameter to the iRule persist command.

Impact:
Validation fails and hence the system config cannot be loaded.

Workaround:
The first parameter is one of pre-defined action keywords, so use plain text.

807945-3 : Loading UCS file for the first time not updating MCP DB

Links to More Info: BT807945

Component: TMOS

Symptoms:
MCP DB is not updated after loading a UCS file.

Conditions:
1. Save UCS with 'flow-control' default value 'tx-rx'.
2. Modify the value from 'rx-tx' to 'none'.
3. Save another UCS with modified value.
4. Load the UCS with default value, everything works fine here.
5. Load the UCS with the modified value.

Impact:
The 'flow-control' setting gets changed. The functionality does not work after the first UCS load as MCP DB is not getting updated.

Workaround:
Load the same UCS again.

The MCP DB gets updated properly.

807837-2 : Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.

Links to More Info: BT807837

Component: TMOS

Symptoms:
Upgrade failure when loading configuration file or ucs from older version, with the below error message against child client-ssl profile:

Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.

Conditions:
The issue occurs when all of the following conditions are met:
-- When upgrading from an older version (earlier than 14.0.0) to a newer version (14.1.0 or later).
-- The configuration has a child client SSL profile that inherits from a parent client SSL profile.
-- The parent SSL profile has SSL forward proxy enabled and proxy-ca-cert/proxy-ca-key configured.

Impact:
Unable to upgrade the system with old configuration.

Workaround:
You can workaround this issue using the following procedure:

1. Manually edit /config/bigip.conf to add the following lines:
 proxy-ca-cert /Common/rsa.crt
 proxy-ca-key /Common/rsa.key

2. Reload the configuration using the following command:
tmsh load sys config

Here is an example:

ltm profile client-ssl /Common/child {
    app-service none
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    chain none
    defaults-from /Common/parent
    inherit-certkeychain true
    key /Common/default.key
    passphrase none
    proxy-ca-cert /Common/rsa.crt <===== add this line
    proxy-ca-key /Common/rsa.key <===== add this line

}

807569-2 : Requests fail to load when backend server overrides request cookies and Bot Defense is used

Links to More Info: BT807569

Component: Application Security Manager

Symptoms:
When Bot Defense is used on the backend server that overrides request cookies, requests to non-HTML resources may fail, or may receive the whitepage JavaScript challenge. An example is when a back-end server responds with a Set-Cookie header containing empty values for each cookie request cookie it does not recognize.

Conditions:
-- Bot Defense is enabled.
-- Backend server is overriding the Bot Defense cookies with the TS prefix.

Impact:
Some URLs fail to load following the JavaScript challenge.

Workaround:
Use an iRule to strip the TSPD_101 cookie from the request before forwarding it to the backend:

when HTTP_REQUEST_RELEASE {
    HTTP::cookie remove "TSPD_101"
}

807397-3 : IRules ending with a comment cause config verification to fail

Links to More Info: BT807397

Component: Local Traffic Manager

Symptoms:
'tmsh load sys config verify' reports error messages for a signed iRule:
-- 01071485:3: iRule (/Common/example) content does not match the signature.
-- Unexpected Error: Validating configuration process failed.

Conditions:
-- Have an iRule which ends in a comment.
-- iRule is signed.
-- Run the command:
tmsh load sys config verify

Impact:
'tmsh load sys config verify' reports an error when there should be none. Configuration validation fails.

Workaround:
Delete or move any comments that are at the end of the iRule, and validate the configuration again.

807309-3 : Incorrect Active/Standby status in CLI Prompt after failover test

Links to More Info: BT807309

Component: TMOS

Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt.

Conditions:
This occurs under the following conditions:

1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
2. Reboot the BIG-IP system.

Impact:
Status shown in the prompt does not change.

Workaround:
Do not run 'promptstatusd -y' command manually.

The db variable 'failover.state is a status-reporting variable. The system does not report status manually set to something other than the actual status.

Note: 'promptstatusd' is not a BIG-IP user command, it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought.

806881-6 : Loading the configuration may not set the virtual server enabled status correctly

Links to More Info: BT806881

Component: TMOS

Symptoms:
When loading the configuration, if the virtual address is disabled but the virtual server is enabled, the virtual server may still pass traffic.

Conditions:
-- Loading the configuration.
-- A virtual server's virtual address is disabled.

Impact:
Virtual servers unexpectedly process traffic.

Workaround:
Manually re-enable and disable the virtual address.

806809-2 : JWT Claim value without quotes is invalid

Links to More Info: BT806809

Component: Access Policy Manager

Symptoms:
JSON payload is invalid since claims are generated without quotes(")

Conditions:
BIG-IP creates JWT claim value without quotes when scope is not openid.

Impact:
Token is invalid.

Workaround:
Replace claim type 'string' with 'custom' adding quotes after backslash.

apm oauth oauth-claim /Common/uid {
  claim-name uid
  claim-type custom
  claim-value "\"%{session.custom.name:noconv}\""
}

805561-3 : Change of pool configuration in OneConnect environment can impact active traffic

Links to More Info: BT805561

Component: Local Traffic Manager

Symptoms:
In OneConnect environments, when the default pool is updated for the first time, active connections reconnect to new pool members. Further update to pool configuration has no impact on traffic.

Conditions:
-- Virtual server configured with OneConnect profile.
-- Default pool is updated when active connections are present.

Impact:
Active traffic disrupted.

Workaround:
None.

805325-6 : tmsh help text contains a reference to bigpipe, which is no longer supported

Links to More Info: BT805325

Component: TMOS

Symptoms:
The 'sys httpd ssl-certkeyfile' tmsh help text contains a reference to bigpipe, which is no longer supported.

Conditions:
Viewing tmsh help for 'sys httpd ssl-certkeyfile'.

Impact:
Incorrect reference to bigpipe.

Workaround:
You can use the following command sequence to change the key:
modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }

804529-2 : REST API to /mgmt/tm/ltm/pool/members/stats will fail for some pools

Links to More Info: BT804529

Component: TMOS

Symptoms:
GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats may fail with error 404

Conditions:
This impacts pools which start with the letter 'm'. This because those endpoints contain objects with incorrect selflinks

For example
1. Query to below pool (that starts with letter 'm') will work as it contains the right selflink
       - Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"

2. Query to below pool (that does NOT start with letter 'm') may not work as it contains the wrong selflink
       - Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
         
In above example you will notice the word 'members' shows up expectedly in selflink for case 2

Impact:
You may see errors with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats

Workaround:
You may use the following workarounds

1. Use /mgmt/tm/ltm/pool/members/stats, which does return the pool member stats for every pool

2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:

/mgmt/tm/ltm/pool/<pool>/members/<member>/stats

803457-3 : SNMP custom stats cannot access iStats

Links to More Info: BT803457

Component: TMOS

Symptoms:
While doing an snmpwalk, you encounter the following error:

-- tcl callback Default return string: istats: tmstat_open_read: open: /var/tmstat/istats: Permission denied.
-- istats: tmstat_read: open: /var/tmstat/istats: Permission denied.
-- ERROR opening iStats read segment '/var/tmstat/istats': Permission denied.

Conditions:
This occurs when using SNMP to access iStats.

Impact:
iStats cannot be accessed through SNMP and generates an error.

Workaround:
None.

803157-3 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots

Links to More Info: BT803157

Component: TMOS

Symptoms:
In reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.

Conditions:
Reboot the BIG-IP system.

Impact:
Log messages appear out of order. It is difficult to tell whether service stop happened as part of reboot, or any error during the subsequent boot process.

Workaround:
None.

803109-3 : Certain configuration may result in zombie forwarding flows

Links to More Info: BT803109

Component: Local Traffic Manager

Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.

On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.

Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.

Conditions:
-- OneConnect configured.

And one of the following:

-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.

Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.

The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs

Workaround:
You can use any of the following workarounds:

-- Remove the OneConnect profile from the Virtual Server.

-- Do not use 'source-port preserve-strict' setting on the Virtual Server.

-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.

Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.

802721-4 : Virtual Server iRule does not match an External Data Group key that's 128 characters long

Links to More Info: BT802721

Component: Local Traffic Manager

Symptoms:
Virtual server iRule does not match an External Data Group key that is 128 characters long.

Conditions:
-- A string type External Data Group with a key/value pair whose key is 128 characters long.

-- An iRule using [class match] to get the value from the Data Group.

Impact:
The call to [class match] returns an empty string ("").

Workaround:
None.

801705-6 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC

Links to More Info: BT801705

Component: Local Traffic Manager

Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.

Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.

Impact:
There is no space preceding the attribute. RFC is violated.

Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.

798885-4 : SNMP response times may be long when processing requests

Links to More Info: BT798885

Component: TMOS

Symptoms:
SNMP queries to the BIG-IP system may take longer (up to 15% more time) to process on BIG-IP systems with large configurations. mcpd CPU usage increases by a small amount (up to 10%) during these queries.

Conditions:
-- Large configuration.
-- Using SNMP to query statistics on the BIG-IP system.

Impact:
A small increase in response time to SNMP requests to the BIG-IP. Some SNMP queries might fail due to timeouts. mcpd CPU usage is slightly elevated while processing these queries.

Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.

797573-3 : TMM assert crash with resulting in core generation in multi-blade chassis

Links to More Info: BT797573

Component: Local Traffic Manager

Symptoms:
TMM crashes while changing settings.

Conditions:
Seen on multi-blade chassis with either one of the options:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

796985-3 : Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'

Links to More Info: BT796985

Component: TMOS

Symptoms:
VCMP host or guest is upgraded, and the vCMP guest is 'Inoperative', with messages similar to the following in /var/log/ltm:

-- warning clusterd[1546]: 013a0005:4: Clusterd using /VERSION for SW specification.
-- info clusterd[1546]: 013a0023:6: Blade 1: No info received from slot: Starting up
-- err clusterd[1546]: 013a0004:3: result {
-- err clusterd[1546]: 013a0004:3: result.code 17237812
-- err clusterd[1546]: 013a0004:3: result.attribute float_mgmt2_ip
-- err clusterd[1546]: 013a0004:3: result.message 01070734:3: Configuration error: Cluster alt-address: 192.168.1.246 cannot be the same address family as cluster address: 192.168.1.246
-- err clusterd[1546]: 013a0004:3: }
-- err clusterd[1546]: 013a0004:3: Per-invocation log rate exceeded; throttling.
-- notice clusterd[1546]: 013a0006:5: Disconnecting from mcpd.
-- info clusterd[1546]: 013a0007:6: clusterd stopping...

Conditions:
-- Isolated vCMP guest.
-- Both 'Address' and 'Alt-Address' are assigned the same IPv4 address.
-- Upgrade occurs.

Impact:
Upon host/guest upgrade, vCMP guest is 'Inoperative'.

Workaround:
-- For new vCMP guests, or prior to booting the vCMP guest to an affected version for the first time, assign it a management-ip from the vCMP host. This prevents the alt-address from being assigned and the issue from occurring on subsequent upgrades.

tmsh modify vcmp <guest_name> management-ip 192.168.1.246/24

-- For existing vCMP guests already on an affected version, but not currently experiencing the issue, assign a management-ip from the vCMP host and remove the alt-address from within the vCMP guest to prevent the issue from occurring in a future upgrade or reboot:

    host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24

    guest# tmsh modify sys cluster default alt-address none

-- When already upgraded and seeing the issue on a guest, set a management-ip from the vCMP host and run the following commands within the guest to remove the alternate address from the configuration file:

    host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24

    guest# bigstart stop clusterd
    guest# sed -i s/alt_addr=.*// -i /shared/db/cluster.conf
    guest# bigstart start clusterd

795933-7 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations

Links to More Info: BT795933

Component: Local Traffic Manager

Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.

Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.

Impact:
Incorrect stats.

795633-2 : GUI and REST API unable to add virtual servers containing a space in the name to a pool

Links to More Info: BT795633

Component: Global Traffic Manager (DNS)

Symptoms:
The GUI and REST API are unable to add virtual servers containing a space in the name to a pool.

Conditions:
Virtual server name contains a space.

Impact:
Unable to manage pool members if the virtual server contains a space in the name.

Workaround:
Use tmsh.

795429-5 : Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.

Links to More Info: BT795429

Component: TMOS

Symptoms:
An unrelated iControl REST transaction error message is returned when committing an iControl REST transaction that does not contain any tasks:

Error: Missing transaction ID for this call.

Conditions:
-- Committing an iControl REST transaction.
-- The task does not contain any tasks within 120 seconds of creating the transaction.

Impact:
Unrelated error message can be confusing and increase troubleshooting time.

Workaround:
None.

794889-1 : Pool member state force-offline processes persistent connections in Diameter.

Links to More Info: BT794889

Component: Service Provider

Symptoms:
When a Diameter pool member is marked force-offline, it continues to process persistent connections.

Conditions:
Configure pool member state to force-offline, before initiating Diameter connections.

Impact:
Pool member continues to process persistent connections after being forced offline.

794505-5 : OSPFv3 IPv4 address family route-map filtering does not work

Links to More Info: BT794505

Component: Local Traffic Manager

Symptoms:
Filtering IPv4 routes using route-map does not work. All the IPv4 redistributed routes fail to redistribute if the route-map is attached to the OSPFv3 IPv4 address-family.

Conditions:
1. Configure two OSPF sessions, one for the IPv4 address-family and the other for the IPv6 address family.
2. Redistribute kernel routes.
3. Check routes are propagated.
4. Add a route map to allow any IPv4 kernel route matching IP address.

Impact:
All routes fail to propagate and show that the IPv6 OSPF database external is empty. All IPv4 routes are blocked to redistribute instead of the routes mentioned in the route-map/prefix-list.

Workaround:
None.

794385-3 : BGP sessions may be reset after CMP state change

Links to More Info: BT794385

Component: Local Traffic Manager

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection

Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.

793669-5 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value

Links to More Info: BT793669

Component: Local Traffic Manager

Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.

Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover

Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.

Workaround:
None.

793217-5 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation

Links to More Info: BT793217

Component: Advanced Firewall Manager

Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.

Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.

Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.

Workaround:
Configure the rate-limit to be 10% more than what is desired.

792813-1 : The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet info is not received

Links to More Info: BT792813

Component: Global Traffic Manager (DNS)

Symptoms:
When subnet info is not received, iRule command 'DNS::ends0 subnet address' reports a Tcl error. Because that is optional information, the command should not report an error.

Conditions:
-- iRule command 'DNS::ends0 subnet address'.
-- DNS request is received without subnet info.

Impact:
Using the iRule command 'DNS::edns0 subnet address' reports a Tcl error.

Workaround:
None.

791365-3 : Bad encryption password error on UCS save

Links to More Info: BT791365

Component: TMOS

Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:

[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package

WARNING:There are error(s) during saving.
        Not everything was saved.
        Be very careful when using this saved file!

Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.

Impact:
Unable to save UCS with a passphrase.

Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in as either the root user or as a user with the resource-admin role.

791061-5 : Config load in /Common removes routing protocols from other partitions

Links to More Info: BT791061

Component: TMOS

Symptoms:
While loading the /Common partition, config routing protocols on other partition route-domains will be removed.

Conditions:
-- Configure route-domains on other partitions with routing-protocols.
-- Load the /Common partition config alone.

Impact:
Routing protocols config from other partitions are removed.

Workaround:
Reload the config with the command:
load sys config partitions all

790113-6 : Cannot remove all wide IPs from GTM distributed application via iControl REST

Links to More Info: BT790113

Component: Global Traffic Manager (DNS)

Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:

modify gtm distributed-app da1 wideips delete { all }

There is no equivalent iControl REST operation to do this.

Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.

Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distribution application return an error, leaving you unable to complete the task via iControl REST.

Workaround:
You can use one of the following workarounds:

-- Use the WebUI.

-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }

-- Invoke tmsh from within the bash iControl REST endpoint, for exmaple:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash

788645-5 : BGP does not function on static interfaces with vlan names longer than 16 characters.

Links to More Info: BT788645

Component: TMOS

Symptoms:
If a VLAN, VLAN group, or tunnel has a name with more than 15 characters, BGP does not function properly on that interface.

Conditions:
-- BGP Dynamic routing in use.
-- Interface name greater than 15 characters.

Impact:
BGP Dynamic Routing is not working.

Workaround:
1. Rename the interface using 15 or fewer characters.
2. Remove Static Binding and Bind to all interfaces.

788473-3 : Email sent from APM is not readable in some languages

Links to More Info: BT788473

Component: Access Policy Manager

Symptoms:
Email sent from APM is not readable in some languages.

Conditions:
APM administrator has configured Email Agent in the per-session policy.

Impact:
Users receiving the email in certain languages cannot read the email.

Workaround:
None.

788257-2 : Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart

Links to More Info: BT788257

Component: In-tmm monitors

Symptoms:
The bigd.mgmtroutecheck db variable can be enabled to prevent monitor traffic from going through the management interface (for information, see K14549: Overview of the 'bigd.mgmtroutecheck' database key :: https://support.f5.com/csp/article/K14549); however, if in-tmm monitors are configured, the setting will be ignored after a bigstart restart.

Conditions:
-- bigd.mgmtroutecheck is enabled
-- bigd.tmm is enabled (i.e., in-tmm monitors are configured).
-- tmm has a route configured to the management interface.
-- A pool member exists that matches a route through the management interface.
-- bigstart restart is performed.

Impact:
In-tmm monitor traffic uses the management interface if there is a route to the pool member via the management interface, even when bigd.mgmtroutecheck indicates it is enabled.

Workaround:
None

787973-1 : Potential memory leak when software crypto request is canceled.

Links to More Info: BT787973

Component: Local Traffic Manager

Symptoms:
Memory may occasionally leak when a software crypto request is cancelled before it has completed.

Conditions:
There are a number of reasons why a software crypto request may be canceled.

Impact:
Memory may leak.

Workaround:
No workaround.

786633-2 : Debug-level messages are being logged even when the system is not set up for debug logging

Links to More Info: BT786633

Component: TMOS

Symptoms:
With certain modules provisioned, the following debug apmd log events are reported to the logging server:

-- slot1/systemname debug apmd[14204]: GSSAPI client step 2.
-- err apmd[14204]: 01490107:3: ...: Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) (-2)

Conditions:
-- APM, APML, ASM, AVR, iRulesLX, LTM provisioned.
-- Configured to use Generic Security Service Application Program Interface (GSSAPI, also GSS-API).

Impact:
Debug-level messages are logged even when the BIG-IP system is not configured to use debug logging:
debug apmd[14204]: GSSAPI client step 2.

Workaround:
None.

785873-3 : ASM should treat 'Authorization: Negotiate TlR' as NTLM

Links to More Info: BT785873

Component: Application Security Manager

Symptoms:
When an authentication request with Authorization: Negotiate arrives to ASM. ASM does not count it as a login attempt. As a result brute force protection isn't applied.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual sever.
-- Login URL configured in ASM policy.
-- Brute force protection enabled in ASM policy.

Impact:
Brute force attack checking can be skipped if the backend server authorization type is NTLM but the client sends 'Authorization: Negotiate TlR'.

Workaround:
Use iRule which changes 'Authorization: Negotiate TlR' to NTLM on the client side (before ASM) and sets is back to the original value on the server side (after ASM)

785361-3 : In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped

Links to More Info: BT785361

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system is configured in L2Wire mode, packets from srcIP 0.0.0.0 are dropped.

Conditions:
L2Wire mode.

Impact:
All srcIP 0.0.0.0 packets are dropped silently.

Workaround:
Configure the virtual server to be in L2-forward mode.

781733-5 : SNMPv3 user name configuration allows illegal names to be entered

Links to More Info: BT781733

Component: TMOS

Symptoms:
The validation of SNMPv3 user names is not strict, and allows users of both the GUI and TMSH to enter badly formed user names. When the SNMP daemon reads these user names from the snmpd.conf file, validation rejects the names.

Conditions:
Poorly formed SNMPv3 user names can be entered into configuration, for example, names with embedded spaces.

Impact:
The user names are not accepted by the SNMP daemon when it reads the configuration from the snmpd.conf file.

Workaround:
Use alphanumeric characters for SNMPv3 user names, and do not include embedded spaces in the names.

780857-2 : HA failover network disruption when cluster management IP is not in the list of unicast addresses

Links to More Info: BT780857

Component: Local Traffic Manager

Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.

Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.

Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:

[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--

Workaround:
You can add an explicit management IP firewall rule to allow this traffic:

tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }

This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.

780745-3 : TMSH allows creation of duplicate community strings for SNMP v1/v2 access

Links to More Info: BT780745

Component: TMOS

Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string.

Conditions:
Duplicate access records are created in TMSH.

Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record.

Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. (The GUI properly flags the error with the message:
The specified SNMP community already exists in the database.

If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol.

780437-6 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Links to More Info: BT780437

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.

779185-2 : Forward zone deleted when wideip updated

Links to More Info: BT779185

Component: Global Traffic Manager (DNS)

Symptoms:
When a forward zone is configured in zonerunner, and a wideip is configured in the same zone, BIG-IP may delete the bind zone whenever the wide ip's pool members are modified.

Subsequent modifications of the same zone will then result in a new primary zone being created in bind.

Conditions:
- A forward zone is configured in bind (zonerunner)
- The pool members associated with a wideip are modified

Impact:
Queries that do not match wideips are passed to bind for processing, and are no longer forwarded to the nameserver configured in the forward zone.

Workaround:
- Recreate the zonerunner forward zone after modifying the wideip

779137-5 : Using a source address list for a virtual server does not preserve the destination address prefix

Links to More Info: BT779137

Component: Local Traffic Manager

Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.

Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).

Impact:
Traffic does not flow to the virtual server as expected.

Workaround:
None.

778841-3 : Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother

Links to More Info: BT778841

Component: Local Traffic Manager

Symptoms:
Traffic is not passing in virtual wire when virtual server type is configured as standard, protocol set to "All Protocols" and the IP profile is ipother.

Conditions:
-- Virtual wire is configured
-- Virtual server type is standard
-- IP profile is ipother

Impact:
Virtual wire traffic matching the virtual server is dropped.

778513-1 : APM intermittently drops log messages for per-request policies

Links to More Info: BT778513

Component: TMOS

Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.

Conditions:
Using APM per-request policies, or ACCESS::log iRule commands.

Impact:
Administrator may fail to report certain logging events, hindering troubleshooting or auditing efforts.

Workaround:
No workaround is possible. When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) that the system may drop some log messages.

778501-2 : LB_FAILED does not fire on failure of HTTP/2 server connection establishment

Links to More Info: BT778501

Component: Local Traffic Manager

Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule.

Conditions:
- iRule with LB_FAILED event
- server connection establishment fails

Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted.

Workaround:
No workaround available.

778225-5 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host

Links to More Info: BT778225

Component: Protocol Inspection

Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guest don't install f5_api_com key and certificates.

Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).

Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.

Workaround:
Install the hitless upgrade IM package manually.

778041-3 : tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)

Links to More Info: BT778041

Component: TMOS

Symptoms:
When tcpdump is invoked with the epva option on a non-epva platform (BIG-IP Virtual Edition, for example), it fails with an unclear message

errbuf:DPT Provider fatal error. Provider:ePVA Provider. No valid arguments.

Conditions:
-- Using a non-epva platform such as VE.
-- Calling the epva option:
  + Directly:
tcpdump -i 0.0 --f5 epva
  + Indirectly using 'all' (which includes epva):
tcpdump -i 0.0 --f5 all

Impact:
Unclear message does not give clear indication what the issue is, or how to get tcpdump to run with the 'all' option on non-epva platforms

Workaround:
Do not use the explicit epva option on non-epva platforms (it does not work anyway, as there is no epva debug information on those platforms).

Instead of 'all', explicitly specify other, non-epva providers on such platforms, for example, specifying 'noise' and 'ssl' providers:
tcpdump -i 0.0 --f5 n,ssl

777389-5 : In rare occurrences related to PostgreSQL monitor, the mcpd process restarts

Links to More Info: BT777389

Component: TMOS

Symptoms:
Possible indications include the following:

-- Errors such as the following may appear in ltm/log:

   - notice postgres[10872]: [466-1] WARNING: pgstat wait timeout.
   - notice sod[27693]: 01140041:5: Killing /usr/bin/mcpd pid 7144.
   - BD_CONF|ERR| ...failed to connect to mcpd after 5 retries, giving up...
   - BD_CONF|ERR| ...can't read message from mcp conn, status:16908291.
   - BD_MISC|CRIT| ...Received SIGABRT - terminating.

-- Errors such as the following may appear in the dwbld/log:

   - Couldn't send BLOB notification - MCP err 16908291.
   - Got a terminate/abort signal - terminating ...
   - Terminating mcp_bridge thread.

-- Processes may restart unexpectedly, including mcpd, bd, and postgresql.

Conditions:
-- The 'mcpd' process attempts to read monitoring data from the PostgreSQL server, but no data is available.

-- A contributing factor might be that the AFM module is licensed but not configured.

Impact:
Failing to receive a monitoring response from the SQL server, MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.

Workaround:
The chance of occurrence can be minimized by making sure that control-plane processes have sufficient memory to run efficiently.

776489-5 : Remote authentication attempts to resolve only LDAP host against the first three name servers configured.

Links to More Info: BT776489

Component: TMOS

Symptoms:
'Login failed' is displayed on the BIG-IP system's login screen.

Conditions:
-- Remote authentication is enabled.
-- There are more than three name servers configured.

Impact:
Admins may not be able to log into the BIG-IP GUI with their admin user account if the first 3 configured DNS name servers are not reachable.

Workaround:
None.

776285-1 : No stats returned for 'ltm classification stats urlcat-cloud' component at system startup

Links to More Info: BT776285

Component: Traffic Classification Engine

Symptoms:
The 'ltm classification stats urlcat-cloud' returns no stats even if the stats have zero values.

Conditions:
-- PEM URL Filtering license
-- The BIG-IP system has recently rebooted and has not passed traffic yet

Impact:
You are unable to see the zeroed stats for 'urlcat-cloud' until traffic has passed through and some stats accumulate.

Workaround:
None

776117-2 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type

Links to More Info: BT776117

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.

Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.

Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.

775845-1 : Httpd fails to start after restarting the service using the iControl REST API

Links to More Info: BT775845

Component: TMOS

Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.

Similar to the following example:

config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
  "kind": "tm:sys:service:restartstate",
  "name": "httpd",
  "command": "restart",
  "commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}

config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Conditions:
Restarting httpd service using iControl REST API.

Impact:
Httpd fails to start.

Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:

killall -9 httpd

tmsh start sys service httpd

775797-3 : Previously deleted user account might get authenticated

Links to More Info: BT775797

Component: TMOS

Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.

Conditions:
-- User account configured as local user.
-- The user account is deleted later.

(Note: The exact steps to produce this issue are not yet known).

Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.

Workaround:
None.

774817-1 : ICMP packets are intermittently forwarded out of both VLAN group members

Links to More Info: BT774817

Component: Local Traffic Manager

Symptoms:
ICMP packets sent out on the wrong interface.

Conditions:
BIG-IP system is configured in VLAN group-based L2 transparent mode.

Impact:
The ICMP packet sent out on the wrong VLAN is dropped by the receiving router because the destination MAC address does not match that of the router. Typically, a topology for asymmetric traffic flows across VLAN groups has VLAN asymmetry built in using routers.

Workaround:
None.

774225-4 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting

Links to More Info: BT774225

Component: Global Traffic Manager (DNS)

Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).

Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.

Impact:
mcpd is in a restart loop.

Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).

# tmsh modify gtm global-settings general peer-leader <gtm-server-name>


After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none


If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:

# tmsh modify gtm global-settings general peer-leader GTM2


After reboot, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none

773577-5 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted

Links to More Info: BT773577

Component: TMOS

Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.

Conditions:
security-name is the same as an SNMPv3 username.

Impact:
SNMP traps cannot be decoded

Workaround:
Delete or rename user.

773173-2 : LTM Policy GUI is not working properly

Links to More Info: BT773173

Component: TMOS

Symptoms:
The GUI, is not displaying LTM policies created with a rule in which log criteria is 'action when the traffic is matched'.

Also, some of the Actions disappear while adding multiple actions in a rule.

Using tmsh shows the polices created in the GUI.

Conditions:
From the GUI, create LTM policies with a rule in which log criteria is 'action when the traffic is matched'.

Impact:
GUI is not displaying LTM policies created with log as action in rule.

Workaround:
Use tmsh.

771137-1 : vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest

Links to More Info: BT771137

Component: TMOS

Symptoms:
Host and guest 'used disk space' data is inconsistent.

Conditions:
-- Copy a file in the guest and check the 'Disk Use (bytes)' field using 'tmsh show vcmp virtual-disk' in the host and the du utility in the guest.

-- Delete the file and check the size again.

Impact:
vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest.

Workaround:
None.

767305-5 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried

Links to More Info: BT767305

Component: TMOS

Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:

No Such Instance currently exists at this OID

The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.

Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.

Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.

Workaround:
Restart all services together, i.e., running the command: bigstart restart.

Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.

If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:

bigstart restart

767217-5 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Links to More Info: BT767217

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.

766593-5 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20

Links to More Info: BT766593

Component: Local Traffic Manager

Symptoms:
RESOLV::lookup returns empty string.

Conditions:
Input bytes array is at length of 4, 16, or 20.

For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]

Impact:
RESOLV::lookup returns empty string.

Workaround:
Use lindex 0 to get the first element of the array.

For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]

766321-2 : boot slots created on pre-14.x systems lack ACLs

Links to More Info: BT766321

Component: TMOS

Symptoms:
Creation of HD1.x slots from 14.1.0.2 creates filesystems with slightly different properties than on slots created from 12.1.x for example. This is allowing ACL/XATTR support by default for the former units, which can triggers errors in some 14.1.x installations.

Conditions:
- Running 14.x, which had its slot created from a system running 12.x or 14.x
- Triggering journal creation (login? tmsh commands? unclear)

Impact:
An error may be generated after creating the journal:
warning kernel: [143381.837840]: systemd-journald[658]: Failed to read ACL on /var/log/journal/sample/user-sample.journal, ignoring: Operation not supported

This instance of the error message might not be critical.

If anything else depends on the ACLs to be present right at the start of the installation, some components might behave differently.

765365-2 : ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive

Links to More Info: BT765365

Component: Application Security Manager

Symptoms:
ASM blocks a legal request and fires CSRF false positive violations when csrf JavaScript code is injected into a page without an html tag.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF protection configured.
-- HTML pages learning features enabled.(BruteForce/WebScraping).
-- CSRF JavaScript code is injected into a page without an html tag.

Impact:
HTTP requests are blocked sometimes when they should not be.

Workaround:
To workaround this issue, configure asm internal and then restart asm, as follows:

/usr/share/ts/bin/add_del_internal add cs_resp_ingress_count 1
bigstart restart asm

764969-2 : ILX no longer supports symlinks in workspaces as of v14.1.0

Links to More Info: BT764969

Component: TMOS

Symptoms:
The GUI and TMSH report an error message if a symlink is present, and the workspace does not run. The error appears similar to the following:
General database error retrieving information.
General error: 01070711:3: boost::filesystem::status: Permission denied: "/var/ilx/workspaces/Common/test_links1/tmp_file" in statement [SELECT COUNT(*) FROM dev_workspace WHERE name LIKE '%'].

Conditions:
-- An ILX workspace is in the configuration.
-- The workspace contains a symlink.
-- Install the relevant rpm package with --no-bin-links (e.g., npm install <package-name> --no-bin-links).

Impact:
The ILX module is not accessible via the GUI, and the workspace with the symlink cannot be run.

Workaround:
1. Remove the symlink.
2. Copy the file into the workspace.

763145-2 : TMM Crash when using certain HTTP iRules with HTTP Security Profile

Links to More Info: BT763145

Component: Local Traffic Manager

Symptoms:
TMM could crash with core when HTTP Security Profile (Protocol Security, PSM) is on the Virtual Server, and using an iRule with either the HTTP::redirect or HTTP::respond commands, together with HTTP::disable on the same event. This is normally an incorrectly written iRule, but TMM crashes in this case.

Conditions:
-- HTTP Security Profile is used.
-- iRules contain HTTP::disable command and either HTTP::redirect or HTTP::respond on the same event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Edit the iRules to prevent calling HTTP::disable together with HTTP::respond or HTTP::redirect.

762097-3 : No swap memory available after upgrading to v14.1.0 and above

Links to More Info: BT762097

Component: TMOS

Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.

Conditions:
-- System is upgraded to v14.1.0 or above.

-- System has RAID storage.

Impact:
May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.

Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.

Workaround:
Mount the swap volume with correct ID representing the swap device.

Perform the following steps on the system after booting into the affected software version:

1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap

Note: If there is no RAID device number, perform the procedure detailed in the following section.

2. Check the device or UUID representing swap in /etc/fstab.

3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.

4. Enable the swap:
swapon -a

5. Check swap volume size:
swapon -s


If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:

1. Generate a random UUID:
uuidgen

2. Make sure swap is turned off:
swapoff -a

3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>

4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap

5. edit fstab and find the line
      <old_value> swap swap defaults 0 0

6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:
      UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0

761429-1 : TMM core after long run of high volumes of traffic

Links to More Info: BT761429

Component: Application Security Manager

Symptoms:
TMM core, failover.

Conditions:
-- Running on a vCMP guest with 4 cores and 2 VIPRION B4300 Blades.
-- ASM provisioned.
-- Bot-defense profile attached to a virtual server.
-- DoS profile attached to a virtual server.
-- Antifraud profile attached to a virtual server.
-- Different types of traffic running for hours.

Note: This is a description of the hardware and software configuration on which this occurred; the issue has not been reproduced, so some triggering factors have not yet been identified.

Impact:
Failover. Traffic disrupted while tmm restarts.

Workaround:
None.

760982-1 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios

Links to More Info: BT760982

Component: TMOS

Symptoms:
Soft out reset does not work for the default route.

Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed

Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.

Workaround:
None

760932-1 : Part of audit log messages are also in other logs when strings are long

Links to More Info: BT760932

Component: TMOS

Symptoms:
Parts of audit logs are found also in other logs like /var/log/user.log and /var/log/messages.

Conditions:
-- When audit log message strings are long.

Impact:
Log messages are duplicated. There is no indication of system functionality, and you can safely ignore them.

Workaround:
Modify the syslog-ng maximum length of incoming log messages from 8192 to 16384 bytes:

tmsh modify sys syslog include "options { log-msg-size(16384); };"

760740-3 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running

Links to More Info: BT760740

Component: Protocol Inspection

Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySQL database.

MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.

Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
   + LTM
   + FPS
   + GTM (DNS)
   + LC
   + SWG
   + iLX
   + SSLo

-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
   + APM
   + ASM
   + AVR
   + PEM
   + AFM
   + vCMP

Impact:
The error message is cosmetic and has no impact on the UCS save process.

Workaround:
None.

760615-6 : Virtual Server discovery may not work after a GTM device is removed from the sync group

Links to More Info: BT760615

Component: Global Traffic Manager (DNS)

Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.

Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.

-- Those devices remain present in the GTM configuration as 'gtm server' objects.

-- iQuery is connected to those members.

Impact:
Virtual servers are not discovered or added automatically.

Workaround:
You can use either of the following workarounds:

-- Manually add the desired GTM server virtual servers.

-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.

760590-3 : TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server

Links to More Info: BT760590

Component: Local Traffic Manager

Symptoms:
TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server

Conditions:
-- TCP Verified-Accept option is used.
-- The proxy-mss is enabled.
-- The route-metrics cache entry is enabled.

Impact:
Route-metrics cache entry does not get used.

Workaround:
None.

760406-1 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync

Links to More Info: BT760406

Component: Local Traffic Manager

Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.

Conditions:
This might occur in either of the following scenarios:

Scenario 1
-- Manual sync operations are performed during while traffic is being passed.
-- SSL Connection mirroring is enabled.


Scenario 2
-- Saving configuration on an HA Standby node during while traffic is being passed.
-- SSL Connection mirroring is enabled.

Impact:
-- In Scenario 1, the sync operations causes the session cache to be out-of-sync between active and standby nodes.

-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.

In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.

-- The HA system performance becomes degraded due to SSL connection timeout.

Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.

-- Set device management sync type to Automatic with incremental sync.

760355-3 : Firewall rule to block ICMP/DHCP from 'required' to 'default'

Links to More Info: BT760355

Component: Advanced Firewall Manager

Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

760354-4 : Continual mcpd process restarts after removing big logs when /var/log is full

Links to More Info: BT760354

Component: TMOS

Symptoms:
The BIG-IP device suddenly stops passing traffic. You might see errors similar to the following:

err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...

Conditions:
This might occur when when /var/log is full and then you remove big logs.

Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.

Workaround:
Empty the contents of big size log files under /var/log and reboot the BIG-IP system.

759852-4 : SNMP configuration for trap destinations can cause a warning in the log

Links to More Info: BT759852

Component: TMOS

Symptoms:
The snmpd configuration parameters can cause net-snmp to issue a warning about deprecated syntax.

Conditions:
The use of a sys snmp command similar to the following to modify the snmpd.conf file:
sys snmp v2-traps { TRAP1 { host 1.2.3.4 community somestring } }

Impact:
net-snmp issues a warning that the syntax has been deprecated and reports a warning message in the log.

Workaround:
None.

759737-3 : Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests

Links to More Info: BT759737

Component: TMOS

Symptoms:
CPU usage statistics reported for Control and Analysis planes are not described properly for single-core vCMP guests.

Conditions:
A vCMP guest with a single core.

Impact:
CPU usage statistics report 0 Control Plane cores and 1 Analysis Plane core.

Workaround:
On a single core, two hyperthread vCMP guest, one hyperthread/CPU is dedicated to Data Plane while the other is dedicated to Control and Analysis Plane. All statistics attributed to the Analysis Plane in this CPU configuration are in fact the aggregate of Control Plane and Analysis Plane.

759671-2 : Unescaped slash in RE2 in user-defined signature should not be allowed

Links to More Info: BT759671

Component: Application Security Manager

Symptoms:
An unescaped slash in RE2 keyword in a user-defined signature caused a REST PATCH to the signature to have no effect.

Conditions:
A user-defined signature has an unescaped slash in RE2 keyword.

Impact:
REST PATCH to update the user-defined signature has no effect.

Workaround:
The slash in the signature keyword must be escaped by backslash.

759606-3 : REST error message is logged every five minutes on vCMP Guest

Links to More Info: BT759606

Component: TMOS

Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:

Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}

Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.

Impact:
There is stale stat information for vCMP guests running on secondary slots.

Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:

sys log-config filter Filter_RestError {
    level info
    message-id 01810007
    source guestagentd
}

759590-6 : Creation of RADIUS authentication fails with service types other than 'authenticate only'

Links to More Info: BT759590

Component: TMOS

Symptoms:
RADIUS authentication can only have an initial service type of 'authenticate only'.

Conditions:
This is encountered when configuring RADIUS authentication via the GUI.

Impact:
If you change the Service Type to anything except Authenticate Only (default), Authentication creation fails, and the following error appears in /var/log/webui.log:

01020066:3: The requested RADIUS Authentication Configuration (/Common/system-auth) already exists in partition Common.

Workaround:
After configuring RADIUS authentication with 'authenticate only' as the service type, go back and change the service type to the desired option.

759258-5 : Instances shows incorrect pools if the same members are used in other pools

Links to More Info: BT759258

Component: TMOS

Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.

Conditions:
Steps to Reproduce:

1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.

Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).

Workaround:
None.

758491-3 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys

Links to More Info: BT758491

Component: Local Traffic Manager

Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):

-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log shows:

-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===


For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.

Impact:
SSL handshake failures.

Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.


-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm


You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l

-- The string after label= in the 'cmu list' command for Safenet.

758435-2 : Ordinal value in LTM policy rules sometimes do not work as expected

Links to More Info: BT758435

Component: Local Traffic Manager

Symptoms:
Which actions trigger in a first-match policy should depend on the ordinal of their rule. Sometimes, this does not work correctly.

Conditions:
The conditions under which this occurs are not known.

Impact:
LTM policy rules do not execute in the expected order.

Workaround:
It may be possible to re-arrange the rules to avoid the incorrect action execution.

758105-6 : Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml

Links to More Info: BT758105

Component: TMOS

Symptoms:
Below messages get logged to /var/log/messages
-- notice syslog-ng[15662]: Configuration reload request received, reloading configuration;
-- warning pendsect[31898]: skipping drive -- Model: WDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting

Conditions:
Using hardware containing drive model WDC WD1005FBYZ-01YCBB2.

Impact:
The system logs the messages because the drive model is not listed in /etc/pendsect/drives.xml.

Workaround:
Manually edit /etc/pendsect/drives.xml as follows:

1. Give write permissions to modify file:
chmod u+w /etc/pendsect/drives.xml

2. Open the file and add the following at the end of the file, before default:

<snip>
         <WD1005FBYZ>
            <offset firmware="RR07">0</offset>
            <offset firmware="default">0</offset>
            <family> "wd_Gold"</family>
            <wd_name>"Gold"</wd_name>
         </WD1005FBYZ>
         <DEFAULT>
              <firmware version="default">
                     <offset>0</offset>
              </firmware>
              <name> "UNKNOWN"</name>
              <family> "UNKNOWN"</family>
              <wd_name>"UNKNOWN"</wd_name>
         </DEFAULT>
   </model>
  </drives>

3. Save and close the file.

4. Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml

5. Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect

757787-3 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.

Links to More Info: BT757787

Component: TMOS

Symptoms:
When creating a new rule or modifying an existing rule in a LTM/AFM Policy policy using the WebUI, the operation fails and an error similar to the following example is returned:

Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().

Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.

Impact:
Unable to make changes to existing LTM/AFM Policies.

Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:

tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }

757486-1 : Errors in IE11 console appearing with Bot Defense profile

Links to More Info: BT757486

Component: Application Security Manager

Symptoms:
When Bot Defense profile is used and has Browser Verification enabled to either Verify Before Access, or Verify After Access, Microsoft Internet Explorer v11 (IE11) Browsers may display the following errors in the browser console:

HTML1512: Unmatched end tag.
a.html (26,1)
HTML1514: Extra "<body>" tag found. Only one "<body>" tag should exist per document.
a.html (28,1)

Conditions:
-- Bot Defense profile is enabled with Browser Verification.
-- End user clients are using the IE11 browser.

Impact:
Cosmetic error messages appear in an end user's browser console.

Workaround:
In order to work around this issue, inject the scripts to the '<body>' tag instead of the '<head>' tag. This can be done using this tmsh command:

tmsh mod sys db dosl7.parse_html_inject_tags value after,body,before,/body`

757464-7 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record

Links to More Info: BT757464

Component: Global Traffic Manager (DNS)

Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.

tmm crash

Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.

Impact:
Undesired behavior due to records not being deleted as instructed. Also negative TTL.

Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.

757167-3 : TMM logs 'MSIX is not supported' error on vCMP guests

Links to More Info: BT757167

Component: TMOS

Symptoms:
On vCMP guests, logs of 'MSIX is not supported' messages apppear in /var/log/tmm.

Conditions:
This occurs only on vCMP guests.

Impact:
MSIX is not supported on vCMP guests, but system operation and traffic passing are not impacted otherwise.

Workaround:
None.

757029-6 : Ephemeral pool members may not be created after config load or reboot

Links to More Info: BT757029

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.

756830-5 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'

Links to More Info: BT756830

Component: TMOS

Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.

Conditions:
Connections match a virtual server that has following settings:

- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.

In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.

Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.

Workaround:
You can try either of the following:

-- Do not use the Source Port setting of 'Preserve Strict'.

-- Disable connection mirroring on the virtual server.

756714-1 : UIDs on /home directory are scrambled after upgrade

Links to More Info: BT756714

Component: TMOS

Symptoms:
UIDs of /home/$USER files and /home file are scrambled after upgrade.

Conditions:
Upgrade from 12.1.3.7 to 13.1.0.8.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
None.

756540-1 : End-user may not be able to connect to VPN.

Links to More Info: BT756540

Component: Access Policy Manager

Symptoms:
When a virtual server without a connectivity profile is accessed with the request for a file pre/config.php, an invalid file is cached in the BIG-IP system's HTTP cache.

When the same request is later sent to a virtual server that does contain a connectivity profile, the invalid file from the cache is returned, which results in VPN connection failure.

Conditions:
-- APM is configured.
-- Virtual server without connectivity profile is configured.
-- Another Virtual server with connectivity profile is configured.
-- The first virtual server is accessed with an HTTP request for pre/config.php?version=2.0.
-- Then second virtual server is accessed with same request.

Impact:
End-user may not be able to use the VPN.

Workaround:
When the issue occurs, run the following command on the BIG-IP command line in order to clear the cache:

tmsh delete ltm profile ramcache all

756313-6 : SSL monitor continues to mark pool member down after restoring services

Links to More Info: BT756313

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.

Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.

Impact:
Services are not automatically restored by the health monitor.

Workaround:
-- To restore the state of the member, remove it and add it back to the pool.

-- Remove !TLSv1 and -TLSv1 from the cipher string, if possible.

755976-4 : ZebOS might miss kernel routes after mcpd deamon restart

Links to More Info: BT755976

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).

One of the most common scenario is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.

755791-6 : UDP monitor not behaving properly on different ICMP reject codes.

Links to More Info: BT755791

Component: Local Traffic Manager

Symptoms:
Unexpected or improper pool/node member status.

Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.

Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.

Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.

755631-5 : UDP / DNS monitor marking node down

Links to More Info: BT755631

Component: Local Traffic Manager

Symptoms:
The UDP / DNS monitor marks nodes down.

Conditions:
-- UDP or DNS monitor configured.
-- Interval is multiple of timeout.
-- The response is delayed by over one interval.

Impact:
Pool member is marked down.

Workaround:
Increase the interval to be greater than the response time of the server.

755033-1 : Dynamic Routes stats row does not appear in the UI

Component: Service Provider

Symptoms:
From UI, when navigate to the following path:
Statistics ›› Module Statistics : Local Traffic ›› Profiles Summary : Diameter Router.
The stat for 'Current number of dynamic routes' does not appear.

Conditions:
Any condition

Impact:
Unable to view dynamic routes statistics in the GUI

Workaround:
Look at the statistics from tmsh

754604-4 : iRule : [string first] returns incorrect results when string2 contains null

Links to More Info: BT754604

Component: Local Traffic Manager

Symptoms:
In an iRule such as 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. Performing the same search in tclsh, the expected -1 (not found) result is returned.

Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.

Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.

Workaround:
None.

753712-1 : Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.

Links to More Info: BT753712

Component: TMOS

Symptoms:
An incorrect warning message is given when the inline source/dest address is changed:

-- warning mcpd[6927]: 01071859:4: Warning generated : Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.

Conditions:
This occurs after you create a traffic-matching-criteria (port-list, address-list) with different source and destination addresses.

Impact:
An incorrect and confusing warning message is given. This warning does not affect traffic processing. It is inadvertently triggered when reading the configuration of the traffic matching profile. Virtual servers should continue to work, and the config should load as expected, despite the warning.

Workaround:
None

753526-7 : IP::addr iRule command does not allow single digit mask

Links to More Info: BT753526

Component: Local Traffic Manager

Symptoms:
When plain literal IP address and mask are used in IP::addr command, the validation fails if the mask is single digit.

Conditions:
The address mask is single digit.

Impact:
Validation fails.

Workaround:
Assign address/mask to a variable and use the variable in the command.

753501-5 : iRule commands (such as relate_server) do not work with MRP SIP

Links to More Info: BT753501

Component: Service Provider

Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.

Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.

Impact:
iRule commands such as relate_server cannot be used with MRF SIP.

Workaround:
None.

752077-1 : Kerberos replay cache leaks file descriptors

Links to More Info: BT752077

Component: Access Policy Manager

Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:

-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept

There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:

-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write

Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks is unknown.

Impact:
APM end users experience intermittent log on issues.

Workaround:
None.

751451-2 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles

Links to More Info: BT751451

Component: Local Traffic Manager

Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.

Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later

Impact:
TLSv1.3 gets enabled on the server SSL profiles.

Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later


-- To mitigate this issue, modify the affected profile to disable TLSv1.3.

751409-7 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs

Links to More Info: BT751409

Component: TMOS

Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.

Errors like this may be seen in the ltm log:

err tmm1[29243]: 01010009:3: Failed to bind to address

Conditions:
Two (or more) virtual servers with the same address, port, and route domain, and have them overlap only in VLANs

Impact:
Traffic does not get routed properly.

Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.

750705-3 : LTM logs are filled with error messages while creating/deleting virtual wire configuration

Links to More Info: BT750705

Component: Local Traffic Manager

Symptoms:
LTM logs are filled with error messages when creating/deleting virtual wire config.

Conditions:
Virtual wire is created and then deleted.

Impact:
Error messages are getting logged to ltm.

750588-3 : While loading large configurations on BIG-IP systems, some daemons may core intermittently.

Links to More Info: BT750588

Component: TMOS

Symptoms:
When manually copying a large config file and running 'tmsh load sys config' on specific hardware BIG-IP platforms, multiple cores may be observed from different daemons.

Conditions:
This has been observed on i4800 platforms when the 'management' provisioning (corresponding to the provision.extramb DB key) is set to 500 MB or less.

Impact:
The mcp daemon may core and all daemons on the BIG-IP system may be restarted.

Workaround:
Set db key 'provision.extramb' to 1024 or greater.

749757-1 : -s option in qkview help does not indicate maximum size

Links to More Info: BT749757

Component: TMOS

Symptoms:
When running qkview with the -h option to obtain help, the -s (size) option is incorrectly rendered.

It should read:

[ -s <max file size> range:0-104857600 Bytes ]

Conditions:
-- Running qkview -h.
-- Viewing the -s (size) option help.

Impact:
The measurement size, bytes, is missing, which might result in confusion.

Workaround:
Use the -s option as normal, but be advised that the number should be in bytes, and that the maximum number is 104857600.

749528-8 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap

Links to More Info: BT749528

Component: Service Provider

Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.

Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.

Impact:
IVS traffic might not be routed properly.

Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.

748886-3 : Virtual server stops passing traffic after modification

Links to More Info: BT748886

Component: Local Traffic Manager

Symptoms:
A virtual server stops passing traffic after changes are made to it.

Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server

Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.

748355-5 : MRF SIP curr_pending_calls statistic can show negative values.

Links to More Info: BT748355

Component: Service Provider

Symptoms:
Certain irregular SIP message patterns may produce an erroneous curr_pending_calls value that can drop below zero and underflow.

Conditions:
Uncommon message flows like re-transmitted INVITE or OK responses can trigger the issue, which may be brought about at times by lost packets when using UDP.

Impact:
SIP curr_pending_calls may show incorrect values.

746984-5 : False positive evasion violation

Links to More Info: BT746984

Component: Application Security Manager

Symptoms:
When Referer header contains a backslash character ('\') in query string portion, 'IIS backslashes' evasion technique violation is raised.

Conditions:
-- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
-- Referer header contains a backslash character ('\') in query string part.

Impact:
False positive evasion technique violation is raised for Referer header.

Workaround:
Turn off 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property on the HTTP Header Properties screen.

746758-1 : Qkview produces core file if interrupted while exiting

Links to More Info: BT746758

Component: TMOS

Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.

Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.

Impact:
A core file is produced.

Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.

744924-2 : Bladed unit goes offline after UCS install

Links to More Info: BT744924

Component: TMOS

Symptoms:
Unit goes offline after UCS install. Secondary blades go offline. This lasts about a minute, and then the system goes back online.

Conditions:
After UCS install.

Impact:
-- Limited high availability (HA) capabilities (failover, sync, mirroring, etc.).
-- Cluster reduced to a single blade immediately after UCS install, which might impact performance.

Workaround:
None.

744743-2 : Rolling DNSSEC Keys may stop generating after BIG-IP restart

Links to More Info: BT744743

Component: Global Traffic Manager (DNS)

Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system restart.

Conditions:
BIG-IP system gets restarted by calling 'bigstart restart' command.

Impact:
Rolling DNSSEC keys can stop generating.

Workaround:
None.

744316-6 : Config sync of APM policy fails with Cannot update_indexes validation error.

Links to More Info: BT744316

Component: Access Policy Manager

Symptoms:
Config sync operation fails for APM policy when policy item of same name points to different agent on source and target

The system posts errors similar to the following:

Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"

Conditions:
This occurs in the following scenario:

1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
  + Launch VPE for the policy.
  + Add a macro.
  + In macro add an agent, e.g., Message box.
  + Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.

Impact:
Unable to sync configuration in a failover device group.

Workaround:
You can work around this using the following procedure:

1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.

743950-5 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled

Links to More Info: BT743950

Component: Local Traffic Manager

Symptoms:
TMM raises a segmentation violation and restarts.

Conditions:
-- Set up client-side and server-side SSL with:
  + Client Certificate Constrained Delegation (C3D) enabled.
  + OCSP enabled.

-- Supply SSL traffic.

Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.

Workaround:
Disable C3D.

742764-2 : The raccoon daemon is spawned more then once on startup, one fails and cores.

Links to More Info: BT742764

Component: TMOS

Symptoms:
On BIG-IP startup tmipsecd starts a racoon daemon for each route domain, including the default rd 0.

If for any reason racoon fails to fully start, tmipsecd will start another instance of racoon.

When this occurs, one or both of them may crash and create a core file.

Conditions:
-- BIG-IP becomes Active or racoon is (re)started.
-- IPsec does not have to be configured for this failure to occur.

Impact:
IPsec IKEv1 tunnels might delay starting while racoon restarts.

742753-5 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Links to More Info: BT742753

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.

742603-5 : WebSocket Statistics are updated to differentiate between client and server sides

Links to More Info: BT742603

Component: Local Traffic Manager

Symptoms:
The WebSocket feature has statistics that records the number of each type of frame seen. These statistics do not differentiate between client and server sides.

Conditions:
The WebSocket profile is used to add WebSocket protocol parsing.

Impact:
WebSocket Traffic Statistics may be misleading

Workaround:
None.

742419-4 : BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi

Links to More Info: BT742419

Component: TMOS

Symptoms:
Configuring multiple SR-IOV interfaces into a trunk does not function correctly when running BIG-IP as a guest under VMware ESXi. The interface will show as uninitialized.

Conditions:
A system that passes SR-IOV virtual functions directly to a BIG-IP guest when running on VMware ESXi.

Impact:
The trunk will fail to initialize.

Workaround:
None.

742105-3 : Displaying network map with virtual servers is slow

Links to More Info: BT742105

Component: TMOS

Symptoms:
The network map loads slowly when it contains lots of objects.

Conditions:
Load the network map in a configuration that contains 1000 or more objects.

Impact:
The network map loads very slowly.

Workaround:
None.

741702-2 : TMM crash

Links to More Info: BT741702

Component: TMOS

Symptoms:
TMM crashes during normal operation.

Conditions:
-- This can occur while passing normal traffic.
-- In this instance, APM and LTM are configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

739820-7 : Validation does not reject IPv6 address for TACACS auth configuration

Links to More Info: BT739820

Component: TMOS

Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like

Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)

Conditions:
Use the GUI or TMSH to create or modify a TACACS server

Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.

Workaround:
Do not configure IPv6 address for TACACS server

739553-5 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Links to More Info: BT739553

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.

739118-5 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Links to More Info: BT739118

Component: TMOS

Symptoms:
Changing existing self IP addresses in bigip_base.conf file directly. After uploading the changed configuration file, BIG-IP routing service provides out of date Self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - hHas the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in bigip_base.conf file. It is not recommended way to add/change BIG-IP configuration. Use GUI or tmsh instead.

Corrective:
If changed configuration is uploaded. In GUI or tmsh, delete changed self IP address, and then create a self IP address with old IP address and delete it as well. Now, all affected routes are removed.

738547-4 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII

Links to More Info: BT738547

Component: Access Policy Manager

Symptoms:
When SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, SAML SAX Parser returns error

Conditions:
When SAML metadata file contains certain UTF-8 characters other than the ASCII set,

Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.

Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.

737739-2 : Bash shell still accessible for admin even if disabled

Links to More Info: BT737739

Component: TMOS

Symptoms:
With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted.

Conditions:
Use TMUI as the admin, or as a user with the administrator role, and either of the following:
-- Disable terminal access.
-- Restrict access to TMSH.

Impact:
Users with the Administrator role can obtain shell access via REST.

With terminal access disabled:
-- If you attempt to login using SSH, you will not be to do so.
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.

With access to TMSH restricted:
-- A POST request to the /mgmt/tm/util/bash endpoint that includes a body with a command to run will be run.

Workaround:
None.

730852-1 : The tmrouted repeatedly crashes and produces core when new peer device is added

Links to More Info: BT730852

Component: TMOS

Symptoms:
There is a tmrouted crash when new peer device is added.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.

Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

725646-2 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly

Links to More Info: BT725646

Component: TMOS

Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly

/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...

system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...

/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...

Conditions:
This issue occurs intermittently in the following scenario:

1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing terminal.

Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.

Workaround:
Restart tmsh if the problem occurs.

To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.

724653-3 : In a device group, a non-empty partition can be deleted by a peer device during a config sync

Links to More Info: BT724653

Component: TMOS

Symptoms:
In a device cluster, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).

Conditions:
-- Two or more devices in a device service cluster.
-- Using partitions that contain only non-synced objects.
-- Deleting the partition on a peer and syncing the changes to the other devices.

Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects.

724327-3 : Changes to a cipher rule do not immediately have an effect

Links to More Info: BT724327

Component: Local Traffic Manager

Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.

Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.

Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.

Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.

723306-7 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Links to More Info: BT723306

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on a different partition.

720610-3 : Updatecheck logs bogus 'Update Server unavailable' on every run

Links to More Info: BT720610

Component: TMOS

Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.

Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.

Impact:
Misleading messages in the log file, implying that the update server is not available.

Workaround:
None.

718573-3 : Internal SessionDB invalid state

Links to More Info: BT718573

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
SessionDB is accessed in a specific way that results in an invalid state.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

718291-3 : iHealth upload error does not clear

Links to More Info: BT718291

Component: TMOS

Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.

Conditions:
Setting an invalid hostname for db variable proxy.host.

Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.

Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"

718230-8 : Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented

Links to More Info: BT718230

Component: Global Traffic Manager (DNS)

Symptoms:
In certain circumstances, attaching a BIG-IP monitor type to a non-BIG-IP server with already defined virtual servers is allowed by the system when it should not be allowed.

Conditions:
Attempting to attach a BIG-IP monitor type to a non-BIG-IP server.

Impact:
The BIG-IP monitor can be added to a non-BIG-IP server without error. This causes a configuration load error, such as after a reboot, tmm restart, or tmsh load sys config, and results in an error message such as:

-- localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all gtm-only" - failed. -- Loading schema version: 12.1.3 Loading schema version: 12.1.5.1 01071033:3: Server (/Common/generic_server_object) contains monitor (/Common/bigiptest) which is an invalid type. Unexpected Error: Loading configuration process failed.

Workaround:
None.

717806-1 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured

Links to More Info: BT717806

Component: Local Traffic Manager

Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.

Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.

Impact:
No performance impact

Workaround:
None

717174-3 : WebUI shows error: Error getting auth token from login provider

Links to More Info: BT717174

Component: Device Management

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded

716701-4 : In iControl REST: Unable to create Topology when STATE name contains space

Links to More Info: BT716701

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use iControl REST to create topology records when whitespace exist in a STATE name.

Conditions:
STATE name contains a space (e.g., New Mexico).

Impact:
Unable to create a topology record using iControl REST.

Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.

714216-4 : Folder in a partition may result in load sys config error

Links to More Info: BT714216

Component: TMOS

Symptoms:
If you run the command 'tmsh load sys config current-partition' in a partition that includes a folder, the command may return an error.

Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current-partition'.

Impact:
The load configuration process fails with an error that the folder does not exist.

Workaround:
There is no workaround at this time.

713183-4 : Malformed JSON files may be present on vCMP host

Links to More Info: BT713183

Component: TMOS

Symptoms:
Malformed JSON files may be present on vCMP host.

Conditions:
All needed conditions are not yet defined.

- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.

Impact:
Some vCMP guests may not show up in the output of the command:
 tmsh show vcmp health

In addition, there might be files present named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.

Workaround:
None.

712542-5 : Network Access client caches the response for /pre/config.php

Links to More Info: BT712542

Component: Access Policy Manager

Symptoms:
The Network Access client caches the response for /pre/config.php.

Conditions:
-- APM is provisioned.
-- Network Access is configured.

Impact:
Caching the response for /pre/config.php might reveal configuration information. However, a URL is public information by definition. The only sensitive information revealed are server names, which have to be revealed in order for the client to know where to connect.

Workaround:
None.

712241-3 : A vCMP guest may not provide guest health stats to the vCMP host

Links to More Info: BT712241

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
There is no functional impact to the guests or to the host, other than these lost tables.

-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

Workaround:
There is no workaround at this time.

711747-3 : Vcmp_pde_state_memcpy core during http traffic and pfmand resets

Links to More Info: BT711747

Component: TMOS

Symptoms:
TMM restarts with core file available.

Conditions:
The issue occurs intermittently under the following conditions

-- pfmand enabled (sys db pfmand.healthstatus value enable)
-- The system is passing http traffic
-- pfmand is reset (tmsh modify sys pfman device 0/00:0c.5 status reset)

Impact:
Traffic disrupted while tmm restarts.

709952-4 : Disallow DHCP relay traffic to traverse between route domains

Links to More Info: BT709952

Component: Local Traffic Manager

Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.

Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.

Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.

Workaround:
There is no workaround at this time.

708991-3 : Newly entered password is not remembered

Links to More Info: BT708991

Component: TMOS

Symptoms:
- Upon enabling password remember feature and running 'tmsh load sys config default', the password history fails to verify and save the newly entered password.
- Upon installing a BIG-IP image for the first time, the default password is not updated.

Conditions:
- Installing first time BIG-IP image.
- Resetting the configuration using 'tmsh load sys config default'.

Impact:
The password is not remembered

708680-3 : TMUI is unable to change the Alias Address of DNS/GTM Monitors

Links to More Info: BT708680

Component: Global Traffic Manager (DNS)

Symptoms:
TMUI (the GUI) is unable to change the Alias Address of DNS/GTM Monitors.

Conditions:
-- Using the GUI.
-- DNS/GTM monitors with alias address.
-- Attempting to change the Alias Address.

Impact:
Cannot change the Alias Address.

Workaround:
Use tmsh.

707294-4 : When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear

Links to More Info: BT707294

Component: Access Policy Manager

Symptoms:
When the BIG-IP system configured as OAuth AS has a missing OAuth Profile in the Access profile, the error log is not clear. It shows an error indicating 'OAuth mode is not set' instead of showing 'OAuth Profile is not configured'. In this case, the error 'OAuth mode is not set' means that the OAuth Profile is not associated in the Access profile of the virtual server acting as BIG-IP OAuth Authentication server.

Conditions:
-- The BIG-IP system is configured as OAuth AS.
-- The Access profile is not configured with OAuth profile.

Impact:
Confusing error message that leads to delay in troubleshooting the OAuth configuration.

Workaround:
Configure an OAuth Profile in the Access profile of the virtual server acting as BIG-IP OAuth AS.

705869-3 : TMM crashes as a result of repeated loads of the GEOIP database

Links to More Info: BT705869

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes.

Conditions:
Repeatedly loading the GeoIP database in rapid succession.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't do repeated load of GeoIP Database.

705387-3 : HTTP/2, ALPN and SSL

Links to More Info: BT705387

Component: Local Traffic Manager

Symptoms:
The SSL filter will not always add the ALPN extension.

Conditions:
If the negotiated cipher is not HTTP/2 compliant, the SSL filter may not add the ALPN extension.

Impact:
The failure to add the ALPN extension may result in the failure to negotiate the proper protocol.

Workaround:
There is no workaround at this time.

703678-3 : Cannot add 'secure' attributes to several ASM cookies

Links to More Info: BT703678

Component: Application Security Manager

Symptoms:
There is an option to add 'secure' attribute to ASM cookies.
There are some specific cookies which this option does not apply on.

Conditions:
-- ASM policy is attached to the virtual server.
-- Internal parameter 'cookie_secure_attr' flag is enabled, along with either of the following:
   + Using HTTPS traffic.
   + The 'assume https' internal parameter is also enabled.
-- Along with one of the following:
   + Web Scraping' feature is enabled.
   + 'Bot Detection' feature is enabled.
   + The 'brute force' feature is enabled using CATPCHA.

Impact:
Some cookies do not have the 'secure' attributes.

Workaround:
None.

703226-2 : Failure when using transactions to create and publish policies

Links to More Info: BT703226

Component: TMOS

Symptoms:
Use batch mode transactions to create Virtual Servers with Policies containing rules.

Conditions:
Create and publish in the same transaction a Policy containing rules.

Impact:
Operation fails.

This occurs because the system is trying to look up a policy that does not exist because the 'create' operation is not yet complete. This might happen when the create and publish operations occur simultaneously, which might happen in response to scripts from iApps, batch mode creation of policies, UCS load, upgrade operation--all try to create domain trust, and all might include the policy create in the same operation.

Workaround:
Separate the create Policy and publish Policy operations into two transactions when the Policy contains rules.

700639-2 : The default value for the syncookie threshold is not set to the correct value

Links to More Info: BT700639

Component: Local Traffic Manager

Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.

Conditions:
This issue may be encountered when a virtual server uses syncookies.

Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.

Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000

696363-4 : Unable to create SNMP trap in the GUI

Links to More Info: BT696363

Component: TMOS

Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.

Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.

Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.

Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.

Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.

694765-6 : Changing the system's admin user causes vCMP host guest health info to be unavailable

Links to More Info: BT694765

Component: TMOS

Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.

The iControl REST log at /var/log/icrd contains entries similar to the following:

 notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
Change the default admin user.

Note: You change the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://support.f5.com/csp/article/K15632.

Impact:
Many REST APIs do not function, and functionality such as vCMP guest health that depend on REST fails.

Workaround:
Rename the default system admin to 'admin'.

Note: If you are using the default 'admin' account, make sure you change the password as well.

691219-2 : Hardware syncookie mode is used when global auto last hop is disabled.

Links to More Info: BT691219

Component: TMOS

Symptoms:
When global auto last hop is disabled, for iSeries platforms (excluding i2xxx/i4xxx) and B4450 blades, hardware syncookie mode is used on SYN attack.

Conditions:
Global autohop is disabled. This setting is controlled by the following DB variable:

# tmsh list sys db connection.autolasthop
sys db connection.autolasthop {
    value "enable"
}

The default setting is enable.

Impact:
The virtual server can enter hardware syncookie mode, at which point responses will be routed using the incoming packet route. This can break configurations that are using asymmetric routing.

Workaround:
Disable hardware syncookies using the following DB variable:

# tmsh list sys db pvasyncookies.enabled
sys db pvasyncookies.enabled {
    value "true"
}

The default setting is true.

690928-3 : System posts error message: 01010054:3: tmrouted connection closed

Links to More Info: BT690928

Component: TMOS

Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.

System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed

Conditions:
This message occurs when all of the following conditions are met:

-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.

Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.

Workaround:
None.

689147-3 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Links to More Info: BT689147

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.

688231-3 : Unable to set VET, AZOT, and AZOST timezones

Links to More Info: BT688231

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.

683534-3 : 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading

Links to More Info: BT683534

Component: Local Traffic Manager

Symptoms:
The 'tmsh show sys connection' may present a prompt asking you to confirm you want to display ~4 billion (4,294,967,295) connections:

# show sys connection max-result-limit infinite

Really display 4294967295 connections? (y/n)

Conditions:
-- The 'tmsh show sys connection' command is executed with max-result-limit option set to infinite.

Impact:
The value shown in the prompt (4294967295) is misleading, and does not reflect the actual number of connections being handled by the system. The 4294967295 number represents the maximum value the field can hold, not the number of actual connections.

Workaround:
None

675772-2 : IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy

Links to More Info: BT675772

Component: TMOS

Symptoms:
When IPsec tunnels to several different peers are configured using a single ipsec-policy in interface mode, the tunnels will be unreliable or may not start.

Conditions:
Several traffic-selectors that are associated with different tunnels reference the same interface mode IPsec policy.

Note: It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.

Impact:
IPsec tunnels may start but fail after a period of time. In other cases, IPsec tunnels may not start at all.

Workaround:
(1) Create a unique ipsec-policy configuration object for each remote peer and traffic-selector.
(2) Use tunnel mode. It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.

674026-4 : iSeries AOM web UI update fails to complete.

Links to More Info: BT674026

Component: TMOS

Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.

Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.

Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:

err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2

Workaround:
At the bash prompt run:

/etc/lcdui/bmcuiupdate

This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.

673952-5 : 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot

Links to More Info: BT673952

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.

If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.

673573-1 : tmsh logs boost assertion when running child process and reaches idle-timeout

Links to More Info: BT673573

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
    'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.

672963-2 : MSSQL monitor fails against databases using non-native charset

Links to More Info: BT672963

Component: Local Traffic Manager

Symptoms:
MSSQL monitor is fails against databases using non-native charset.

Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).

Impact:
MSSQL monitoring always marks node / member down.

Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:

1. Log in to the BIG-IP console into a bash prompt.

2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr

3. Restart bigd:
bigstart restart bigd

671545-2 : MCPD core while booting up device with error "Unexpected exception caught"

Links to More Info: BT671545

Component: TMOS

Symptoms:
Mcpd crashes.

Conditions:
The file-store path is missing with specific configuration file which is needed by mcpd while booting.

Impact:
Traffic and control plane disrupted while mcpd restarts.

663946-7 : The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Links to More Info: BT663946

Component: Advanced Firewall Manager

Symptoms:
On a vCMP platform with host and guest using different BIG-IP versions, when DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- vCMP platform with host and guest using different BIG-IP versions.
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
You can use any of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
-- Disable hardware offload with sys db Dos.VcmpHWdos.

Note: For AFM HW DoS protection, the host and vCMP guest must be the same version, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.

663754-2 : Modifying the default management port can break internal functionality

Links to More Info: BT663754

Component: Device Management

Symptoms:
Modifying the default management port for httpd 443 (ssl-port) to anything else via tmsh, will break the below functionality :
1. Gossip Framework : REST high availability (HA) sync framework will not work.
2. Licensing via BIG-IQ
3. selfLinks will be wrong

Conditions:
Changing the default management port of BIG-IP for httpd from 443 to anything else.

Impact:
BIG-IP will be unable to provide below functionality :
1. Gossip Framework : REST high availability (HA) sync framework will not work.
2. Licensing via BIG-IQ
3. selfLinks will be wrong
4. iAppLx, SSL Orchestrator, Access Guided Configuration, AS3 will be affected as these modules depends on Gossip

Workaround:
NA

662301-2 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Links to More Info: BT662301

Component: TMOS

Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
On an appliance, restart mcpd by running the following command:

    bigstart restart mcpd

On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:

    clsh bigstart restart mcpd

Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.

659579-4 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time

Links to More Info: BT659579

Component: TMOS

Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.

Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.

Impact:
Difficult to troubleshoot as the logs are not aligned with system time.

Workaround:
None

658943-3 : Errors when platform-migrate loading UCS using trunks on vCMP guest

Links to More Info: BT658943

Component: TMOS

Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

658850-3 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP

Links to More Info: BT658850

Component: TMOS

Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.

If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.

Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate

Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.

Workaround:
There are a few ways to avoid this issue:

1. Specify the "keep-current-management-ip" parameter to the "load sys ucs" command, for instance:

tmsh load sys ucs <ucs_file_from_another_system> platform-migrate keep-current-management-ip

Note: The "keep-current-management-ip" parameter is undocumented and will not appear in context help or tab completion.

2. If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>

654635-1 : FTP virtual server connections may rapidly reuse ephemeral ports

Links to More Info: K34003145, BT654635

Component: TMOS

Symptoms:
The BIG-IP system reuses ephemeral ports quickly, which might cause connections to fail, because those ports are in TIME-WAIT state on the server.

Conditions:
-- FTP active mode is used.
-- Virtual server source-port change.

-- Running on an affected platform:
--- BIG-IP 5000 series (C109)
--- BIG-IP 7000 series (D110)
--- BIG-IP 10000s/10050s/10200v/10250v (D113, D112)
--- B4300 / B4340N VIPRION blades (A108, A110)

Impact:
FTP active mode connections might fail.

Workaround:
There is no complete workaround. However, you can mitigate the issue using the default setting source-port=preserve on the virtual server.

As alternatives, you can also try the following:
-- Switching client traffic to Passive FTP.
-- Enabling TIME_WAIT reuse on the FTP server, if the operating system supports it.

653210-3 : Rare resets during the login process

Links to More Info: BT653210

Component: Access Policy Manager

Symptoms:
On rare occasions, the login process resets and a NULL sresult message will be logged in /var/log/apm:

-- notice tmm[18397]: 01490505:5: /Common/ltm-apm_main_irules:Common:448568c9: Get license - Unexpected NULL session reply. Resetting connection.

Conditions:
A race condition allows license information to be processed out of order.

Impact:
The system resets the client connection attempt. The APM end user client must retry the login process.

Workaround:
Have the APM end user client retry the login operation.

646768-1 : VCMP Guest CM device name not set to hostname when deployed

Links to More Info: K71255118, BT646768

Component: TMOS

Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.

Impact:
The vCMP guest does not use the configured hostname.

Workaround:
-- In tmsh, run the following commands, in sequence:

 mv cm device bigip1 HOSTNAME
 save sys config

-- Rename the device name in the GUI.

640374-2 : DHCP statistics are incorrect

Links to More Info: BT640374

Component: Local Traffic Manager

Symptoms:
DHCP statistics are incorrect if DHCP server is down while a new virtual server is created. And when the DHCP server comes back up, the current pending transactions are incorrect.

Conditions:
-- DHCP relay configured.
-- DHCP server is down while the virtual server is created.

Impact:
The 'current pending transactions' for the DHCP server is incorrect if the DHCP server is down while a new virtual server is created.

Workaround:
None.

639606-1 : If mcpd fails to load DNSSEC keys then signing does not happen and no error logged

Links to More Info: BT639606

Component: TMOS

Symptoms:
MCPD successfully loads configuration when it's not able to decrypt DNSSEC Key generation.

Conditions:
MCPD loads configuration with DNSSEC Key generation encrypted by master key which has been changed.

Impact:
The configuration successfully loads but BIG-IP is not able to sign Resource Records.

632553-5 : DHCP: OFFER packets from server are intermittently dropped

Links to More Info: K14947100, BT632553

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Enforce that the serverside flow is getting deleted, e.g. if dhcp server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67

631083-5 : Some files in home directory are overwritten on password change

Links to More Info: BT631083

Component: TMOS

Symptoms:
The files

  .bash_logout
  .bash_profile
  .bashrc

in a user's home directory are overwritten when that user's password is changed.

Conditions:
Change a user's password.

Impact:
Customizations to these files would be lost on password change. This only applies to users with advanced shell access.

Workaround:
Back up the files to a different location before making a password change.

627760-7 : Gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Links to More Info: BT627760

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.

625807-3 : Tmm cores in bigproto_cookie_buffer_to_server

Links to More Info: BT625807

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Although the exact triggering conditions are unknown, it might that when a connection is aborted in a client-side iRule, the reported log signature may indicate its occurrence:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>.

Conditions:
Specific conditions that trigger this issue are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

615329-1 : Special Virtual IP configuration required for IPv6 connectivity on some Virtual Edition interfaces

Links to More Info: BT615329

Component: TMOS

Symptoms:
IPv6 virtual servers may not be reachable on specific Virtual Edition (VE) instances, based on the interfaces used by that instance.

Conditions:
VE with IPv6 virtual servers configured. The VE instance must have SR-IOV interfaces, or KVM virtio interfaces backed by macvtap.

Impact:
Special configuration procedure is required.

Workaround:
Follow the defined configuration procedure by explicitly listing the VLANs for which this VIP is enabled. For example, in TMSH:

'modify ltm virtual <name> vlans-enabled'
'modify ltm virtual <name> vlans add { <vlans> }'

605966-5 : BGP route-map changes may not immediately trigger route updates

Links to More Info: BT605966

Component: TMOS

Symptoms:
When a route-map is used to filter BGP advertisements, changes to the route-map that affect the filtered routes may not trigger an update to the affected routes.

Conditions:
BGP in use with a route-map filtering advertisements.

Impact:
BGP table may not reflect route-map changes until "clear ip bgp" is executed.

Workaround:
Run "clear ip bgp <neighbor>".

603693-2 : Brace matching in switch statement of iRules can fail if literal strings use braces

Links to More Info: K52239932, BT603693

Component: TMOS

Symptoms:
In the TMUI on any iRule editing page, brace matching within a switch statement can fail if a literal string is surrounded with braces.

Conditions:
Use a literal string surrounded with curly braces for a case/pattern within a switch statement.

Impact:
Incorrect brace matching.

Workaround:
Instead of surrounding the literal string with braces, use double quotes.

597955-3 : APM can generate seemingly spurious error log messages

Links to More Info: BT597955

Component: Access Policy Manager

Symptoms:
Internally detected issues can trigger a series of error log messages. The logs look alarming, but can be considered diagnostic in the case there is an actual behavioral issue that needs to be analyzed.

The system reports the following messages in /var/log/apm:
-- err tmm1[11197]: 01490514:3: 00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_slowpath_security_check, Line: 6648
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_sanitize_uri, Line: 16406
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type, Line: 11219
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_classify_req, Line: 3308
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 2311

Conditions:
An internal software API call triggers an unexpected result.

Impact:
Logs might give the appearance of many issues, even if there are no behavioral anomalies.

Workaround:
None.

587821-10 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Links to More Info: BT587821

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

582666-1 : TMM spams ltm log with "01010235:2: Inet port find called for pg 1 with invalid cmp state 0"

Links to More Info: BT582666

Component: Local Traffic Manager

Symptoms:
/var/log/ltm is spammed with below shown logs:

Mar 23 08:21:52 slot2/technetium crit tmm[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0
Mar 23 08:21:53 slot2/technetium crit tmm3[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0
Mar 23 08:21:53 slot2/technetium crit tmm3[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0

Conditions:
One or more blades are administratively disabled on a chassis system.

Impact:
Detrimental to TMM performance.

574762-2 : Forwarding flows leak when a routing update changes the egress vlan

Component: Local Traffic Manager

Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.

Conditions:
Conditions to hit this are a route change on forwarded flows.

Impact:
Memory leak.

Workaround:
None

554506-1 : PMTU discovery from management does not work

Links to More Info: K47835034, BT554506

Component: TMOS

Symptoms:
You encounter connectivity issues to management interface.

Conditions:
MTU on the intermediate route is less than the management interface's MTU and the response packets have the DF flag set.

Impact:
Connectivity issues to management interface.

Workaround:
None.

Note: Although there is no workaround for this module, you can disable auto last hop and configure a default gateway to avoid this issue.

For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.

550526-5 : Some time zones prevent configuring trust with a peer device using the GUI.

Links to More Info: K84370515, BT550526

Component: TMOS

Symptoms:
AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI.

Conditions:
-- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.

-- Using the GUI to add a peer device to a trust configuration.

Impact:
Adding a peer device using the GUI fails.

Workaround:
You can use either of the following workarounds (you might find the first one easier):

-- Temporarily set the device timezone to a non-affected timezone (e.g.; UTC), establish trust, and set it back:

1. Navigate to System :: Platform.

2. Under 'Time Zone', select 'UTC', and click 'Update'

3. Repeat steps one and two to change all devices that are to be part of the trust domain.

4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain.

5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone.

-- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.

547947-1 : Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged out

Links to More Info: BT547947

Component: Access Policy Manager

Symptoms:
Session logs out. No error messages or retry logon page.
---------------------------------------------

Your session is finished.

Logged out successfully.

Thank you for using BIG-IP.

To open a new session, please click here.
----------------------------------------------

Conditions:
Your environment has an access policy like the following

                                   Success
Start -> Logon Page -> Radius Auth ----> Advanced resource assign (webtop) -> allow.
                              |
                              | failure
                              -----------------------------------------------> Deny.

If you connect to the virtual server with this access policy and provide an empty username and password, you are logged out of the session and asked to open a new session page.

Impact:
Without providing proper username and password, user is shown the error "Logged out successfully.", which is improper.

Workaround:
No mitigation observed.

538283-2 : iControl REST asynchronous tasks may block other tasks from running

Links to More Info: BT538283

Component: TMOS

Symptoms:
If an iControl REST asynchronous task is running, other iControl REST queries (synchronous or asynchronous) will wait until the asynchronous task completes before executing. If the asynchronous task is long-running, subsequent requests will block for a long time.

Conditions:
-- Executing an iControl REST task asynchronously.
-- Performing further iControl REST tasks (synchronous or asynchronous) while the asynchronous task is still running.

Impact:
Potential (and unexpected) long wait times while running a task asynchronously.

Workaround:
None.

528314-3 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh

Links to More Info: K16816, BT528314

Component: TMOS

Symptoms:
Using CLI to generate new default certificate and key pairs for BIG-IP ssl profiles are not reflected in GUI or in tmsh.

Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.

Impact:
After the renewal, tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default.

Workaround:
Perform a force reload of mcpd by running the following commands: -- touch /service/mcpd/forceload. -- tmsh restart sys service mcpd.

512490-11 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Links to More Info: BT512490

Component: Local Traffic Manager

Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.

499348-11 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Links to More Info: BT499348

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

 -- Reduce the frequency of configuration changes.
 -- Reduce the use of 'SSL::profile' in iRules.
 -- Reduce the number/frequency of processes being spawned by the system.

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:

    tmsh modify sys db merged.method value slow_merge.


Note: Performing the second workaround has the side-effect of disabling tmstat snapshots on the device. The tmstat snapshots are intended for F5-internal use only: the lack of snapshots will have no bearing on the functionality of your system; however, F5 Support might be impacted in their ability to troubleshoot issues on your system.

489960 : Memory type stats is incorrect

Links to More Info: BT489960

Component: WebAccelerator

Symptoms:
When tmm allocates memory, it adds up stats per memory type allocated. AAM is not properly marking memory type for strings objects, affecting other types of memory stats depending on configuration and release.

Conditions:
AAM is provisioned and there are virtuals in BIG-IP configuration which have web acceleration profiles associated with one or more AAM policies.

Impact:
Stats for some types of memory can be skewed causing troubleshooting issues.

Workaround:
None.

474797-8 : Nitrox crypto hardware may attempt soft reset while currently resetting

Links to More Info: BT474797

Component: Local Traffic Manager

Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.

Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.

Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.

Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.

To disable hardware-based crypto acceleration issue the following command:

tmsh modify sys db tmm.ssl.cn.shunt value disable

Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.

472645-2 : Memory issues when there is a lot of data in /var/annotate (annotations for dashboard)

Links to More Info: BT472645

Component: TMOS

Symptoms:
When there is a large number annotations in /var/annotate, tomcat might run out of memory when the dashboard requests the annotations.

The tomcat process logs an out-of-memory error, and the dashboard reports an error:
-- SEVERE: Servlet.service() for servlet org.apache.jsp.dashboard.annotations_jsp threw exception
java.lang.OutOfMemoryError: Java heap space.
-- Unrecoverable Communications Error. Please close this window and log in via the BIG-IP Configuration Utility.

Conditions:
-- Large number of configuration events, i.e., too many annotations in /var/annotate.
-- Click anything other than the default '5 minutes' tab.

Impact:
The the dashboard attempts to load all annotations into memory, but cannot. Dashboard must be restarted and can only be used at the 5-minute zoom level.

Workaround:
-- Delete the files in /var/annotate.

-- Increase the tomcat memory:
provision.tomcat.extramb = 320

470916-3 : Using native View clients, cannot launch desktops and applications from multiple VMware back-ends

Links to More Info: BT470916

Component: Access Policy Manager

Symptoms:
If APM is configured to protect multiple VMware resources (VCS servers), you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in error.

Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers).
-- You attempt to launch a desktop or application using the native VMware client.

Impact:
Cannot access desktops and applications from multiple VMware back-ends.

Workaround:
Use HTML5 client instead.

469724-3 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire

Links to More Info: BT469724

Component: TMOS

Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.

Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.

Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.

This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.

Workaround:
To work around this issue, activate the license from the command line:

When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.

For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:

get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ

You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue

464708-2 : DNS logging does not support Splunk format log

Links to More Info: BT464708

Component: Global Traffic Manager (DNS)

Symptoms:
DNS logging does not support Splunk format logging. It fails to log the events, instead logging err messages:

hostname="XXXXXXXXXXXXX.XX",errdefs_msgno="01230140:3:

Conditions:
DNS logging configured for Splunk format.

Impact:
DNS logging does not log Splunk format to HSL.

Workaround:
Use an iRule to send Splunk-formatted messages to the Splunk server.

For example:

ltm rule dns_logging_to_splunk {

   when DNS_REQUEST {
      set ldns [IP::client_addr]
      set vs_name [virtual name]
      set q_name [DNS::question name]
      set q_type [DNS::question type]

      set hsl [HSL::open -proto UDP -pool splunk-servers]
      HSL::send $hsl "<190>,f5-dns-event=DNS_REQUEST,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type"
   }

   when DNS_RESPONSE {
      set ldns [IP::client_addr]
      set vs_name [virtual name]
      set q_name [DNS::question name]
      set q_type [DNS::question type]
      set answer [DNS::answer]

      set hsl [HSL::open -proto UDP -pool splunk-servers]
      HSL::send $hsl "<190>,f5-dns-event=DNS_RESPONSE,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type,answer=\"$answer\""
   }
}

438684-1 : Access Profile Type of SSO requires SSO configuration at create time

Component: Access Policy Manager

Symptoms:
If you start to create an Access Profile and you set the Profile Type to SSO, you cannot complete the configuration from the New Profile screen unless an SSO configuration already exists.

Conditions:
Attempt to create a new Access Profile of Type SSO without having an existing SSO to select.

Impact:
Cannot create a new Access Profile of Type SSO until an SSO Configuration has been created and then selected for use within Access Profile.

Workaround:
To work around this problem, you can create an SSO Configuration prior to creating the new Access Profile of Type SSO.

398683-4 : Use of a # in a TACACS secret causes remote auth to fail

Links to More Info: K12304

Component: TMOS

Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.

Conditions:
TACACS secret contains the '#' character.

Impact:
TACACS remote auth fails.

Workaround:
Do not use the '#' character in the TACACS secret.

385013-2 : Certain user roles do not trigger a sync for a 'modify auth password' command

Component: TMOS

Symptoms:
If users with the certain roles change their password, the BIG-IP system does not detect that it is out-of-sync with its peer and does not trigger an automatic sync:

Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
  + guest
  + operator
  + application-editor
  + manager
  + certificate-manager
  + irule-manager
  + resource-admin
  + auditor

Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.

Workaround:
Force a full sync to the peer systems.

382363-3 : min-up-members and using gateway-failsafe-device on the same pool.

Links to More Info: K30588577

Component: TMOS

Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.

Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.

Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.

Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.

369640-6 : iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name

Component: Local Traffic Manager

Symptoms:
iRules might return incorrect data when the BIG-IP configuration has folders or multiple administrative partitions that contain objects with the same name.

As a result of this issue, you may encounter one or more of the following symptoms:

 -- Client connections receive incorrect data.
 -- The BIG-IP system incorrectly load balances client connections.

Conditions:
This issue occurs when all of the following conditions are met:

 -- The configuration includes objects of the same name in different folders or administrative partitions
 -- An iRule references the object without using the fully-qualified path, e.g. "pool example_pool" instead of "pool /Common/folder1/example_pool"

Impact:
Client connections receive incorrect data, or are load balanced incorrectly.

Workaround:
To work around this issue, always specify full paths to objects referenced in iRules, e.g. instead of:
    pool example_pool
use:
    pool /Common/example_pool

353607-1 : cli global-settings { service number } appears to have no effect

Component: TMOS

Symptoms:
cli global-settings { service number } appears to have no effect.

Conditions:
cli global-settings { service number } command.

Impact:
Has no effect.

Workaround:
None.

349706-2 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN

Component: Access Policy Manager

Symptoms:
Network access sends 1.1.1.1 as X-VPN-serer-IP and Edge client reserves this IP for PPP communication with APM server.

Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.

Impact:
If VPN is connected:
1. The user may not access the 1.1.1.1 address from the client machine.
2. if 1.1.1.1 is used as a dns server ip in Network Access configuration, DNS resolution may fail on the client machine.

Workaround:
NA

315765-2 : The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled.

Links to More Info: BT315765

Component: Local Traffic Manager

Symptoms:
The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled. As a result of this issue, you may encounter the following symptom:

A network trace capturing the affected traffic on a BIG-IP system shows traffic continues to egress the BIG-IP system using the disabled SNAT translation address.

Conditions:
This issue occurs when the following condition is met: A SNAT translation address is configured, but disabled.

Impact:
Traffic egresses the BIG-IP system with the disabled SNAT translation address.

Workaround:
To work around this issue, you must delete the affected SNAT configuration instead of disabling it. To do so, perform the following procedure:

Impact of workaround: Deleting the affected SNAT configuration removes it entirely from the BIG-IP configuration. If you require the SNAT configuration later, you must recreate it manually.

BIG-IP 11.x/12.x

1. Log in to the tmsh utility.
2. Delete the affected SNAT configuration by entering the following command: delete /ltm snat <affected SNAT name>.

For example, to delete the test-315765 SNAT configuration, you would enter the following command: delete /ltm snat test-315765.

3. Save the modified configuration by entering the following command:
save /sys config

BIG-IP 9.x through 10.x

1. Log in to the command line.
2. Delete the affected SNAT configuration by entering the following command: bigpipe snat <affected SNAT name> delete.

For example, to delete the test-315765 SNAT configuration, you would enter the following command: bigpipe snat test-315765 delete.

3. Save the modified configuration by entering the following command: bigpipe save all.

264701-5 : GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)

Links to More Info: K10066

Component: Global Traffic Manager (DNS)

Symptoms:
The zrd process exits and cannot be restarted.

Conditions:
This occurs when the journal is out-of-sync with the zone.

Impact:
The zrd process cannot be restarted.

Workaround:
Before beginning, ensure that no one else is making config changes (i.e., consider making changes during a maintenance window).

I) On a working system, perform the following:
1. # rndc freeze $z

(Do this for all nonworking zones. Do not perform the thaw until you finish copying all needed files to the nonworking system.)

2. # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones].
3. # rndc thaw $z

II) On each nonworking system, perform the following:
1. # bigstart stop zrd; bigstart stop named
2. Copy the nonworking /tmp/named.zone.files from a working GTM system.
3. # bigstart start named; bigstart start zrd.

(Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors0.)

Repeat part II until all previously nonworking systems are working.

III) On a working GTM system, run the following command:
# touch /var/named/config/named.conf.

222220-6 : Distributed application statistics are not passed correctly.

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics include only requests passed to its first wide IP.

For BIG-IP versions 12.0.0 and later, distributed application statistics are always zero.

Conditions:
Viewing distributed application statistics on configurations with multiple wide-IP members.

Impact:
The system does not pass statistics for requests to all wide-IP members in the distributed application.

Note: For BIG-IP versions 12.0.0 and later, the system does not pass statistics for requests to any wide-IP-members in the distributed application.

Workaround:
None

1067917-2 : Attaching iRule DOSL7::enable when mitigation is not enabled at dosl7 profile, it is not showing warning in GUI

Component: Application Security Manager

Symptoms:
Attaching iRule DOSL7::enable to virtual server when same virtual server attached to dosl7 profile without mitigation enables, It is able to attach iRule the successful but same steps is giving error in 13.1.3.6
"1070151:3: Rule [/Common/<iRulename>] error: Unable to find profile_dos (<dos profile name>) referenced at line 3: [DOSL7::enable <dosl7 profile name>]"

Conditions:
Create dosl7 profile without any mitigation enabled and have iRule
when HTTP_REQUEST {

 DOSL7::enable test
}

Attach iRule to virtual server.

Impact:
No warning is shown, but the rule causes an error in the logs and does not apply.

Workaround:
Enable the mitigation in order to attach this DOSL7::enable method

1067821-3 : Stats allocated_used for region inside zxfrd is overflowed

Links to More Info: BT1067821

Component: Global Traffic Manager (DNS)

Symptoms:
No visible symptoms.

Conditions:
Large resource record addition and deletion for dns express zones.

Impact:
Internal zxfrd stats are incorrect.

1067797-2 : Trunked interfaces that share a MAC address may be assigned in the incorrect order

Links to More Info: BT1067797

Component: TMOS

Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.

Conditions:
Trunked interfaces that use the same MAC address. On reboot the f5-swap-eth script will incorrectly reorder the affected interfaces.

Impact:
Incorrect ordering could result in a failover or outage.

1067669-2 : Following an upgrade, TCP/UDP virtual servers drop incoming traffic

Links to More Info: BT1067669

Component: Local Traffic Manager

Symptoms:
-- Incoming TCP/UDP traffic is not processed by virtual servers on the BIG-IP system. Instead, legitimate traffic appears to be dropped by the BIG-IP system.

-- A tcpdump taken on the BIG-IP system shows the traffic arriving on VLAN 0 instead of the actual VLAN.

-- Inspection of the dns_rapid_response_global tmstat table shows many entries in the failed_ifc column.

Conditions:
-- Using a BIG-IP 2000 or 4000 device.

-- Using a trunk with an untagged VLAN.

-- Using a virtual server with a dns profile configured for rapid-response.

Impact:
All TCP/UDP virtual servers fail to process incoming traffic.

Workaround:
You can work around this issue by performing any one of the following actions:

-- Avoid using an untagged VLAN with your trunks.
-- Avoid using a trunk if you cannot avoid using untagged VLANs.
-- Disable rapid-response in all dns profiles (this option is disabled by default).

1067617-3 : BGP default route not advertised after mid-session OPEN.

Links to More Info: BT1067617

Component: TMOS

Symptoms:
After BGP peer open a new session with BIG-IP in the middle of the existing session and the session is dropped, BIG-IP will not send default route NLRI to the peer upon new session establishment.

Conditions:
Mid-session OPEN (Event 16 or Event 17 per RFC spec).

Impact:
Default route is missing on a BGP peer.

Workaround:
Clear the BGP session manually.

1067469-3 : Discrepancy in virtual server stats with LRO enabled

Links to More Info: BT1067469

Component: Local Traffic Manager

Symptoms:
The virtual_server_stat table has a discrepancy in clientside.bytes_out and serverside.bytes_in with LRO enabled.

Conditions:
LRO is enabled (sys db tm.tcplargereceiveoffload value "enable")

Impact:
The virtual_server_stat table shows a difference in clientside.bytes_out and serverside_bytes_in when LRO is enabled.

Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable

After modifying that variable, the virtual server stats need to be reset in order to clear historical stats using the following command: tmsh reset-stats ltm virtual

Otherwise TMM can be restarted to clear the stats.

1067397 : TMM cored after response, due to receipt of GOAWAY frame from server post TCP FIN

Links to More Info: BT1067397

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing HTTP/2 traffic.

Conditions:
-- Virtual Server with HTTP2 profile
-- receipt of GOAWAY from the server after BIG-IP has sent the GOAWAY and TCP FIN

Impact:
Traffic disrupted while tmm restarts.

1067393-1 : MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool

Links to More Info: BT1067393

Component: Advanced Firewall Manager

Symptoms:
Upgrade failure, which may lead to a rollback and delayed upgrade.

Conditions:
AFM NAT rule referencing a Next Hop pool.

Impact:
Upgrade failure, which may lead to a rollback and delayed upgrade.

Workaround:
Once in the failed state, the system can be recovered by running 'tmsh load sys config'; the config will load successfully. No changes to the configuration are needed.

1067309-2 : GTMD cored followed by TMM core SIGSEGV due to illegal GTM server reference

Links to More Info: BT1067309

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm, gtmd cores while passing traffic.

Conditions:
A rare race condition between TMM and GTMD occurs while passing traffic.

Impact:
Traffic disrupted while tmm and gtmd restarts.

1067105-1 : Racoon logging shows incorrect SA length

Component: TMOS

Symptoms:
Debug2 logs incorrect "total SA" length in racoon.log.

Conditions:
-- IKEv1 tunnels in use
-- ikedaemon in debug2 mode

Impact:
Confuses troubleshooting with misleading information about the SA payload length.

Workaround:
None. This is a cosmetic / logging issue.

1067025-3 : Rate-shaping + immediate timeout causing connection to stall.

Links to More Info: BT1067025

Component: Local Traffic Manager

Symptoms:
Server-side connection stalls if rate-limit is reached for a connection that has a timeout value set to immediate.

Conditions:
-- Rate-limit configured and reached.
-- Profile has immediate timeout configured.

Impact:
No packets are sent to the server.

Workaround:
Configure a timeout value on a protocol profile.

1066397-2 : GTM persists to last resort pool members even when primary pool members become available.

Links to More Info: BT1066397

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Queries are persisted to the last resort pool members after the primary pool comes back.

Conditions:
-- WideIP with persistence enabled
-- Disable primary pool members with the queries answered from the last resort pool
-- Now re-enable the primary pool members

Impact:
DNS Queries are persisted to the last resort pool members after the primary pool comes back.

Workaround:
None

1066285-3 : Master Key decrypt failure - decrypt failure

Links to More Info: BT1066285

Component: TMOS

Symptoms:
After MCPD restarts or the system reboots:
-- the system is inoperative and MCPD may be restarting
-- the logs report this error:

err mcpd[12444]: 01071769:3: Decryption of the field (value) for object (config.auditing.forward.sharedsecret) failed while loading configuration that is encrypted with a different master key.

-- the system may be reporting this error:

load_config_files[5635]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.

This may occur during a system upgrade.

Conditions:
When config.auditing.forward.sharedsecret is encrypted and masterkey value is changed

Impact:
MCPD will continuously restart, and the system will remain inoperative.

Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:

   - tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'


After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:

    setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"

1065821-3 : Cannot create an iRule with a newline between event and opening brace

Links to More Info: BT1065821

Component: TMOS

Symptoms:
POST-ing to the BIG-IP REST API fails when creating an iRule.

Conditions:
iRule body has a newline after the event name.

For example:
"apiAnonymous": "when HTTP_REQUEST\n {...}"

Working:
"apiAnonymous": "when HTTP_REQUEST {...}"

Impact:
The iRule fails to create and you receive a warning about an unknown property.

{
    "code": 400,
    "message": "\"{\" unknown property",
    "errorStack": [],
    "apiError": 26214401
}

Workaround:
Format the iRule to not use newlines between the event name and opening brace.

Change from:
"apiAnonymous": "when HTTP_REQUEST\n {...}"

To:
"apiAnonymous": "when HTTP_REQUEST {...}"

1065429-2 : LACP trunks flap continuously when used in virtual-wire configuration

Links to More Info: BT1065429

Component: Local Traffic Manager

Symptoms:
When a virtual wire is configured with two LACP trunks and the "vwire-propagate-linkstatus" option is enabled, the trunks flap continuously and are unable to pass any traffic.

Conditions:
-- A virtual wire is configured with 2 trunks
-- The "vwire-propagate-linkstatus" option is enabled on the virtual wire

Impact:
The virtual wire is unable to pass any traffic

Workaround:
Disable the "vwire-propagate-linkstatus" option of the virtual wire.

1065353 : Disabling ciphers does not work due to the order of cipher suite

Links to More Info: BT1065353

Component: Local Traffic Manager

Symptoms:
You are not able to disable a list of ciphers.

Conditions:
The cipher list is given in an order in the tmsh command 'tmm --clientciphers'

Impact:
Inconsistent behavior of the command "tmm --clientciphers".

Workaround:
Reorder the ciphers in the list and pass the reordered list to "tmm --clientciphers".

1065041 : Web Application shows 'Not Found' in GUI

Links to More Info: BT1065041

Component: TMOS

Symptoms:
Clicking 'Web Application' under GUI :: Acceleration results in errors:

 Not found
 The requested URL was not found on this server.

Conditions:
With AAM provisioned, upgrade to BIG-IP v15.1.4.

Impact:
Web acceleration configuration cannot be accessed from the GUI.

Workaround:
There are two workarounds:
 -- Use use tmsh for managing acceleration.
 -- Follow this procedure:

1. Go to the end of /etc/rc.d/init.d/httpd, and add the following content

# Check if WA package is installed (by checking the existence of
# /usr/local/www/waui/WEB-INF/web.xml
[ -f /usr/local/www/waui/WEB-INF/web.xml ] && OPTIONS="${OPTIONS} -DWebAccelerator"


2. In /config/httpd/conf/httpd.conf, in the following location:

<Directory "/var/run/config/htdocs">
    Options None
    AllowOverride None
</Directory>

Add the following content:

<IfDefine WebAccelerator>

    <Location /waui>
      <RequireAll>
      AuthType Basic
      AuthName "BIG-IP"
      AuthPAM_Enabled on
      AuthPAM_IdleTimeout 1200
      require valid-user
      </RequireAll>
    </Location>

    <Location "/waui/WEB-INF">
      Require all denied
    </Location>

</IfDefine>


3. Go to end of /config/httpd/conf.d/proxy_ajp.conf, and add the following content

<IfDefine WebAccelerator>
  ProxyPassMatch ^/waui/(.*)$ ajp://localhost:8009/waui/$1 retry=5
</IfDefine>


4. Restart httpd:

bigstart restart httpd

1065013-3 : Tmm crash with iRuleLX plugin in use

Links to More Info: BT1065013

Component: Local Traffic Manager

Symptoms:
Tmm runs out of memory and crashes.

Conditions:
Exact conditions that trigger this are unknown:

-- iRuleLX provisioned and configured in one or more virtual servers
-- Network traffic is passing

Impact:
Traffic disrupted while tmm restarts.

1064893-2 : Keymgmtd memory leak occurrs while configuring ca-bundle-manager

Links to More Info: BT1064893

Component: TMOS

Symptoms:
Keymgmtd leaks memory and the RES/RSS value increases over time.

same can be observed using top -p `pidof keymgmtd` or tmctl proc_pid_stat proc_name=keymgmtd -s proc_name,vsize,rss monitor keymgmtd resident memory size.

Conditions:
Configure sys crypto ca-bundle-manager to periodically update the ca bundle on the system

Impact:
If keymgmtd causes a system wide out of memory condition, this could cause a traffic disruption, if mcpd is chosen to be killed.

Workaround:
None

1064821 : ASM v15.1.4 REST/AS3-imported and replaced policies have different encodings.

Links to More Info: BT1064821

Component: Application Security Manager

Symptoms:
A JSON policy that was created via REST/AS3 and then overwritten via tmsh will result in an error:

Unexpected Error: Import policy failed. Messages: [fatal] Failed action: Imported and replaced policies have different encodings.

Conditions:
-- A JSON policy was first created via REST/AS3
-- Overwriting an existing via 'tmsh load asm policy'

Impact:
A JSON policy cannot be imported and overwrite an existing policy using tmsh.

Workaround:
None

1064753-3 : OSPF LSAs are dropped/rate limited incorrectly.

Links to More Info: BT1064753

Component: TMOS

Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".

Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.

Impact:
OSPF LSAs are dropped/rate limited incorrectly.

1064725-3 : False alarm log message on ltm as CHMAN request for tag:19 as failed

Links to More Info: BT1064725

Component: Local Traffic Manager

Symptoms:
Following log is seen in /var/log/ltm:

warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.

Conditions:
Generate a qkview file from GUI/CLI.

Impact:
No functional impact.

Workaround:
Not Applicable.

1064669-2 : Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash

Links to More Info: BT1064669

Component: Local Traffic Manager

Symptoms:
Tmm crashes if an iRule is configured that has HTTP::enable in the RULE_INIT event.

Conditions:
iRule that uses HTTP:enable command in RULE_INIT event, i.e.:

ltm rule example_rule {
    when RULE_INIT {
        # Don't do this!
        HTTP::enable
    }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the HTTP::enable iRule command in the RULE_INIT event.

1064617-2 : DBDaemon process may write to monitor log file indefinitely

Links to More Info: BT1064617

Component: Local Traffic Manager

Symptoms:
If debug logging is enabled for a database monitor (mssql, mysql, postgresql or oracle), the DBDaemon process may write to a monitor log file indefinitely, including after the monitor log file is rotated and/or deleted.

Conditions:
This problem may occur when:
- using a database monitor (mssql, mysql, postgresql or oracle) which is configured with the "debug" value set to "yes"
- using a database monitor (mssql, mysql, postgresql or oracle) for a pool member which is configured with the "logging" set to "enabled"

Impact:
The DBDaemon process may write debug logging messages to the affected monitor log file indefinitely, including after the monitor log file has been rotated and/or deleted.
As a result, storage in the /var/log volume may be consumed to the point that other logging cannot be performed, and the BIG-IP instance may be restarted/rebooted.

Workaround:
To work around this issue, restart the DBDaemon process.

To find the PID of the DBDaemon process, observe the output of the following command:
ps -ef |grep -v grep | grep DB_monitor.jar | awk '{print($2)}'

To confirm whether the DBDaemon process is writing to a monitor log file, and if so, which file:
lsof -p $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}') | grep -e COMMAND -e '/var/log/monitors'

To kill the DBDaemon process:
kill $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}')

NOTE:
Killing the DBDaemon process will cause a short-term loss of database monitoring functionality, until DBDaemon is restarted by the next database monitor probe.

1064461-3 : PIM-SM will not complete RP registration over tunnel interface when floating IP address is used

Links to More Info: BT1064461

Component: TMOS

Symptoms:
PIM-SM will not complete rendezvous point (RP) registration over the tunnel interface when a floating IP address is used (ip pim use-floating-address). Join/prune from RP gets dropped on BIG-IP when doing local-address validation.

BIG-IP never completes registration successfully.

Conditions:
RP registration over tunnel interface when floating IP address is used.

Impact:
BIG-IP never completes registration and outgoing packets are register-encapsulated.

1064257-1 : Bundled SSL certificates may not get revalidated successfully over OCSP after stapling parameters have been modified

Links to More Info: BT1064257

Component: TMOS

Symptoms:
Bundled SSL certifcates fail to validate with an OCSP responder, and they are marked invalid in the GUI and tmsh.

Conditions:
1. One or more bundled certificates (containing intermediate certificates in addition to the subject one) are stored on the BIG-IP.
2. The certificates are configured for monitoring over OCSP.
2. The OCSP stapling parameter "Trusted Responders" is set to 'none'.

Impact:
Client SSL traffic may become disrupted if the affected certificates are used to process it.

Workaround:
1. Do not use OCSP status monitoring on subject certificates
OR
2. Do not use bundled certificates
OR
3. Set the Trusted Responders OCSP stapling parameter to the certificate of the OCSP responder used by the certificates

1064217-2 : Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T

Links to More Info: BT1064217

Component: Carrier-Grade NAT

Symptoms:
Port bits are not set as expected in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T

Conditions:
This occurs in a MAP-T configuration.

Impact:
MAP-T port translation does not work as expected.

Workaround:
None

1064157-2 : Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows

Links to More Info: BT1064157

Component: Local Traffic Manager

Symptoms:
In a VIP-on-VIP (looped) situation, HTTP on one virtual server uses/reuses an existing 'http_proxy_opaque' whilst still in use by another virtual server that causes unexpected state changes in the opaque which may cause tmm to core.

Conditions:
-- Explicit Forward Proxy SSL Orchestrator, in other words an L3 Explicit Proxy which is usually deployed in a VIP on VIP configuration
-- Hostname resolution using explicit 'RESOLV::lookup' iRule in HTTP_PROXY_REQUEST on the explicit/client-facing VIP

Impact:
Traffic disrupted while tmm restarts.

1063977-2 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.

Links to More Info: BT1063977

Component: Local Traffic Manager

Symptoms:
"tmsh load sys config merge" fails with the following error.

Loading configuration...
  /var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.

Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.

Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.

Workaround:
Identify the missing SSL key used in the configuration and correct it.

1063865-5 : Blade remains in an INOPERATIVE state after being moved to new chassis.

Links to More Info: BT1063865

Component: Local Traffic Manager

Symptoms:
When moving a blade to a new chassis, it can remain in an INOPERATIVE state upon startup. The following errors can be found in /var/log/ltm:

slot2 notice mcpd[7042]: 01071029:5: Master Key not present.
slot2 err csyncd[8163]: 013b0004:3: Unable to subscribe to mcpd, disconnecting...

Conditions:
- Multi-bladed BIG-IP systems
- Move a blade from one chassis to an open slot in the other chassis

Impact:
The moved blade will not properly sync up with the rest of the system, and remain INOPERATIVE

Workaround:
This occurs due to the master key not being propagated to the moved blade. You can manually circumvent this by doing the following (this assumes slot 1 is primary and slot 2 has the moved blade):

Back up the master keys first (optional):
1. On the primary slot:
cp /config/bigip/kstore/master /var/tmp/master_slot1
2. On the moved slot:
cp /config/bigip/kstore/master /var/tmp/master_slot2

Copy the master key to the moved slot:
1. On the primary slot:
scp /config/bigip/kstore/master root@slot2:/config/bigip/kstore/master
2. On the moved slot:
bigstart restart mcpd

1063829-3 : Zxfrd could run out of memory because zone db files are not efficiently recycled

Links to More Info: BT1063829

Component: Global Traffic Manager (DNS)

Symptoms:
Zxfrd is killed because of "Out of memory".

Conditions:
Dns express zones are updated continuously.

Impact:
Zxfrd keeps restarting.

Workaround:
Delete zxfrd files and restart zxfrd.
If sys db dnsexpress.hugepages is 0, run:
# rm -rf /shared/zxfrd/*
# bigstart restart zxfrd

 
If sys db dnsexpress.hugepages is 1, run:
# rm -rf /dev/mprov/zxfrd/*
# bigstart restart zxfrd

1063801 : The avrd module produces wrong dns messages per second statistic records for errdefs_msgno=22282300,Entity=DNS_Offbox_All, when dns dos profile is attached

Links to More Info: BT1063801

Component: Application Visibility and Reporting

Symptoms:
When looking on the DDOS DNS statistics on the total DNS messages TPS going through module. Then the total DNS TPS (with and without a DOS profile) is twice what it should be.

Conditions:
DNS virtual server listener has a DNS DoS profile attached.

Impact:
Analytics data is incorrect.

1063681-1 : PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn

Links to More Info: BT1063681

Component: Advanced Firewall Manager

Symptoms:
Pccd (Packet Correlation Classification Daemon) generates a core while adding a fqdn during testing.

Conditions:
Conditions to trigger the core are unknown.

Impact:
Pccd crashes and creates a core file.

Workaround:
Restart PCCD

1063653-1 : TMM Crash while processing traffic on virtual server

Links to More Info: BT1063653

Component: Local Traffic Manager

Symptoms:
TMM core while processing traffic on a virtual server.

Conditions:
iRule Execution during processing HTTP response

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1063473-1 : During establishing a HA connection, the number of npus in DAG context may be overwritten incorrectly

Links to More Info: BT1063473

Component: TMOS

Symptoms:
Even though the platform is distributing packets to the TMM's SEPs evenly, the VIP connections are balanced unevenly.

Conditions:
Migrated the vCMP guests to the Velos chassis.

Impact:
Traffix is not distributed evenly across TMM. LTM log shows a lot of RST packets and pool members go down and up continuously.

Workaround:
None

1063453-2 : FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets.

Links to More Info: BT1063453

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing IPv4-to-IPv6 traffic over FastL4.

Conditions:
-- A FastL4 virtual server translates between IPv4 and IPv6.
-- Fragment reassembly is not enabled in the FastL4 profile.
-- A feature requiring asynchronous completion is configured including: asynchronous irules on LB events (LB_SELECTED, LB_FAILED, LB_PERSIST_DOWN, LB_QUEUED, SA_PICKED), persistence, sessiondb operations, HA, virtual rate limiting.

Impact:
All traffic is disrupted while the TMM restarts.

Workaround:
Configure the FastL4 profile to always reassemble fragments.

1063345-3 : Urldbmgrd may crash while downloading the database

Component: Access Policy Manager

Symptoms:
Urldbmgrd may crash while downloading the database

Conditions:
SWG or URLDB is provisioned

Impact:
User traffic will be impacted when urldbmgrd is down.

1063237-3 : Stats are incorrect when the management interface is not eth0

Links to More Info: BT1063237

Component: TMOS

Symptoms:
The provision.managementeth db variable can be used to change which interface the management interface is bridged to:

https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic_google.html

If this is changed to something other than eth0, the management interface stats will continue to be read from eth0 and thus be incorrect.

Conditions:
When provision.managementeth is changed to something other than eth0.

Impact:
Management interface stats are incorrect.

Workaround:
Reconfigure the management interface to use eth0

1062953-2 : Unable to save configuration via tmsh or the GUI.

Links to More Info: BT1062953

Component: TMOS

Symptoms:
If there are hundreds of partitions and changes to the configuration are made via the GUI, the configuration save can hang. When the configuration save hangs, all subsequent configuration saves will not complete.

Conditions:
-- Hundreds of partitions with objects contained in them.
-- Changing config via the GUI.

Impact:
Subsequent attempts to save the configuration will not complete.

Workaround:
For this scenario, syscalld is the process that created
the tmsh process to save the config where the tmsh process hangs. A restart of syscalld using bigstart restart syscalld will kill the hung syscalld and tmsh processes and restore services.

1062901-2 : The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.

Links to More Info: BT1062901

Component: TMOS

Symptoms:
The BIG-IP system sends SNMP traps from an unintended interface (likely a TMM VLAN instead of the management port).

Conditions:
This issue occurs when the configuration:

- Includes a 'trap-source' property which matches the BIG-IP system's management IP address.

- Includes a SNMP trap destination which specifies 'mgmt' as the 'network' property.

- Includes routes to the aforementioned SNMP trap destination via both tmm and the management port (and the routes are such that the tmm one wins).

Impact:
Outgoing snmp traps fail to bind to the management IP address and to leave from the management port. Instead, they will bind to a self-ip matching tmm's route to the destination and leave from a tmm vlan.

This can cause issues (or not work at all) depending on the configuration of the host system meant to receive the traps and/or of the surrounding network devices.

1062857-2 : Non TMM source logs stop populating after a system time change.

Links to More Info: BT1062857

Component: TMOS

Symptoms:
Syslog-ng service functionality leads to failures like no daemon logs being captured in files like
- /var/log/ltm and
- /var/log/messages.

Conditions:
Change the system date and time to future or past, and then reboot the system.

Impact:
Expected TMM logs rest all daemons logs are not captured at /var/log/ltm, due to syslog-ng failure.

Workaround:
N/A

1062513-3 : GUI returns 'no access' error message when modifying a GTM pool property.

Links to More Info: BT1062513

Component: Global Traffic Manager (DNS)

Symptoms:
When you modify a GTM pool property and then click "Update," the next page displays the error message "No access."

When you modify GTM pool properties using the GUI, the properties do not update or display.

Conditions:
This occurs when you modify a GTM pool property using the GUI.

Impact:
You cannot change a GTM pool property using the GUI.

Workaround:
Use TMSH to change the GTM pool property.
OR
Click on "Update" a second time in the GUI.

1062493-2 : BD crash close to it's startup

Links to More Info: BT1062493

Component: Application Security Manager

Symptoms:
BD crashes shortly after startup.

Conditions:
FTP or SMTP are in use. Other causes are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
No workaround except removal of the FTP/SMTP protection.

1062385-3 : BIG-IP has an incorrect limit on the number of monitored HA-group entries.

Links to More Info: BT1062385

Component: TMOS

Symptoms:
BIG-IP has an incorrect limit on the number of monitored HA-group entries.

Conditions:
Large amount of traffic groups (over 50) with high availability (HA) Group monitoring attached.

Impact:
Not all traffic groups are properly monitored. Some traffic groups might not fail-over properly.

Workaround:
N/A

1062105-1 : For specific configurations (Auto-Added Signature Accuracy and Case Sensitive parent policy), child security policy fails to create.

Links to More Info: BT1062105

Component: Application Security Manager

Symptoms:
1. Creation of child security policy fails when it should not.
2. GUI shows wrong value for Auto-Added Signature Accuracy in creation page of the child policy.

Conditions:
1. Create a parent policy with the following settings:

   - Policy is Case Sensitive set to disable.
   - Auto-Added Signature Accuracy set to low.

Note: these values are not the default values related to the template used in the policy. For example: Fundamental, Comprehensive, and RDP templates.

2. Try to create a policy using the above parent policy.

Impact:
Creation of child policy

Workaround:
Send REST command with minimumAccuracyForAutoAddedSignatures field under 'signature-settings' and not from the outer level.

1062053-1 : Creating subfolder of a partition results in error but creates folder anyway

Links to More Info: BT1062053

Component: TMOS

Symptoms:
Creating subfolder of a partition results in error which is as expected, but it still creates the sub folder.

Conditions:
Create a sub-partition using the GUI

Impact:
Incorrect folder creation.

Workaround:
Do not use GUI to create sub-partitions.

1061929 : Unable to perform IPI update (through proxy) after upgrade to 15.1.4

Links to More Info: BT1061929

Component: Advanced Firewall Manager

Symptoms:
After upgrading, the IPI database fails to update. During system start, iprepd logs an error:
"Cannot connect to host api.bcti.brightcloud.com: No route to host"

Conditions:
IPI update occurs through a proxy server.

Impact:
IPI update fails.

Workaround:
None

1061905-2 : Adding peer unit into device trust changes the failover address family

Links to More Info: BT1061905

Component: TMOS

Symptoms:
In Device Management >> Devices >> [self device] > Failover Network
Address Family Mode resets back to "IPv4 & IPv6" instead of already set configuration i.e. IPv4 when a new peer unit is added.

Conditions:
-- Add a new device into the device trust
-- Set both devices to "IPv4"
-- Join the devices in device trust

Impact:
Inconsistent configuration

Workaround:
Modify the address family to IPv4 manually after adding the peer.

1060833-1 : After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash.

Links to More Info: BT1060833

Component: Advanced Firewall Manager

Symptoms:
TMM crashes.

The 'virt_cnt' column in the tmctl 'string_cache_stat' table continues to grow over time, and diverges significantly from the 'phys_cnt' column.

Conditions:
-- Enforced AFM firewall policies configured in multiple contexts (global, route domain, virtual server)

-- Large number of connections that matches rules in multiple contexts

-- AFM configured in at least one of the following ways:

--+ Stats collection enabled and collecting server-side stats enabled. Stats collection is enabled by default. Collecting server-side statistics ("security analytics settings acl-rules { collect-server-side-stats }") is not enabled by default.
--+ ACL logging enabled, and the logging of translation fields enabled.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Disable logging and reporting of server-side information in AFM firewall ACLs.

After making these changes, it may be necessary to restart TMM once.

1060769-2 : The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries.

Links to More Info: BT1060769

Component: TMOS

Symptoms:
Because of identically-named key/value pairs in the "entries" object returned by the /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints, the output of these endpoints cannot be successfully parsed by common JSON-parsing libraries.

Only the key/value pair appearing last for a given name is returned by common JSON-parsing libraries.

As a result, the In/Out/Service sections of the output, which should show both Throughput(bit) and Throughput(packets) only shows Throughput(packets).

Conditions:
Querying the /mgmt/tm/sys/performance/all-stats or /mgmt/tm/sys/performance/throughput iControl REST endpoints.

Impact:
Common JSON-parsing libraries are unable to extract all of the information contained in the JSON blob (only a subset of the information is returned).

Workaround:
If possible, use the TMSH utility from the CLI of the BIG-IP system to display the complete information.

1060721-1 : Unable to disable auto renew in Certificate order manager via GUI

Links to More Info: BT1060721

Component: TMOS

Symptoms:
From the GUI, you are unable to disable auto-renew on the certificate order manager.

Conditions:
In the GUI navigate to System :: Certificate Management : Traffic Certificate Management : Certificate Order Manager List : Create and then select the any certificate Authority items, then disable Auto-renew.

Impact:
In Certificate order manager, auto-renew can not be disabled from the GUI.

Workaround:
Issue the following command from tmsh to disable auto-renew in cert-order manager.

tmsh modify sys crypto cert-order-manager <cert_order_manager_name> auto-renew no

1060677 : Unable to upload swagger file using REST/AS3 with JSON.

Links to More Info: BT1060677

Component: Application Security Manager

Symptoms:
Attempted to create the partition <partition name>, and the ASM Policy <ASM-Policy> with all the requested customization using REST/AS3 calls, but the Swagger file was not uploaded.

This works on version 16.1.0 but on 15.1.4 you must use the GUI to manually import the swagger file.

Conditions:
Creating a partition using iControl REST / AS3.

Impact:
You cannot use iControl REST AS3 to add a swagger file to BIG-IP version v15.1.x

Workaround:
N/A

1060541-2 : Bigd has high CPU utilization when https pool members do not allow SSL/TLS session resumption

Component: Local Traffic Manager

Symptoms:
Bigd uses more CPU than it did n previous versions when https monitors are used for pool members and the pool members do not resume the SSL/TLS session.

Conditions:
-- https monitors
-- pool members that do not allow or are not using TLS/SSL session resumption

Impact:
High CPU utilization

Workaround:
Ensure the pool members have SSL/TLS session resumption enabled.

1060477 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]"

Links to More Info: BT1060477

Component: Access Policy Manager

Symptoms:
Apmd crashes after setting the userName field via an iRule

Conditions:
1.Setting the userName field:

set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]

2.Getting the sid feild
[ACCESS::session data get session.user.sessionid]

Impact:
APM traffic disrupted while apmd restarts.

Workaround:
Check the username before setting it from iRule.

1060409-3 : Behavioral DoS enable checkbox is wrong

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.

Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.

Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.

Workaround:
Send 1-2 requests to the server and the configuration will be updated.

1060269 : Safenet NetHSM client library leaking socket FDs.

Links to More Info: BT1060269

Component: Local Traffic Manager

Symptoms:
Pkcs11d is getting " CKR_DEVICE_ERROR " when calling C_GetTokenInfo(). And it(pkcs11d) keep on getting the error and not able to reconnect back.

Conditions:
Conditions are unknown as it is happening in the vendor's library.

Impact:
Pkcs11d is not able to communicate to the external safenet HSM. This impacts traffic processing with the keys stored in external HSM.

Workaround:
Restart pkcs11d.

1060181 : SSL handshakes fail when using CRL certificate validator.

Links to More Info: BT1060181

Component: TMOS

Symptoms:
Some SSL handshakes are reset with "SSL Handshake timeout exceeded" reset.

Conditions:
Client SSL profile with CRL certificate validator.
Client SSL certificate authentication enabled.

Impact:
SSL handshakes fail.

Workaround:
None

1060149-1 : BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host.

Links to More Info: BT1060149

Component: TMOS

Symptoms:
-- Interfaces in the vCMP guest may remain uninitialized;
-- 'Invalid VCMP PDE state version' log in /var/log/tmm*;

Conditions:
-- BIG-IP i7xxx/i10xxx/i11xxx platform;
-- vCMP provisioned;
-- turboflex-adc profile selected;

Impact:
Affected guest is non-functional.

Workaround:
Use the turboflex-base profile.

1060021-2 : Using OneConnect profile with RESOLVER::lookup_name iRule might result in core

Component: Local Traffic Manager

Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::lookup_name

Conditions:
1. One connect profile attached
2. iRules with RESOLVER::lookup_name command

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't use RESOLVER::lookup_name iRule on virtual that uses the oneconnect profile.

1059573-3 : Variation in a case insensitive value of an operand in LTM policy may fail in some rules.

Links to More Info: BT1059573

Component: Local Traffic Manager

Symptoms:
LTM policy engine compiles a policy into a state machine. If there is a variation of the same case insensitive value for an operand, the state machine may fail to properly build all rules, using this value. An example of a variation is a list of words like "Myself", "myself", "MYself", "mySElf", "MYSELF".

Conditions:
-- LTM policy is configured and attached to a virtual server.
-- The policy has variation in a case insensitive value of an operand.

Impact:
An expected rule does not apply: either a wrong rule is applied, or no rule is applied, causing incorrect traffic processing.

Workaround:
Eliminate variation in any case insensitive value of any operand. For example, replace all variations in the mentioned list with "myself".

1059441-2 : Upgrading with a configuration that contains objects with properties that override the TCP profile can result in incorrect property values being used.

Links to More Info: BT1059441

Component: TMOS

Symptoms:
1. Displayed TCP profiles properties (for example, 'tmsh list ltm profile tcp') indicate they are using property values of the main TCP profile, even though they are marked as defaulting from the 'tcp-legacy' profile.
2. tmsh and the BIG-IP GUI display different values for TCP profiles.

Conditions:
This issue usually results after an upgrade from an older version (for example, 12.x to 13.x) where the configuration contains customized tcp profiles that use default values from the main tcp profile (these profiles are modified to use default values from the tcp-legacy profile during the upgrade process).

Impact:
TCP traffic-processing objects might start using invalid property values.

Workaround:
If this problem is observed after an upgrade, use the following command sequence to reload the configuration:
1. tmsh save sys config
2. tmsh load sys config

1059421-2 : Bot Signature is not updated when the signature rule is updated.

Component: Application Security Manager

Symptoms:
In some cases, when you update a user-defined Bot Signature rule, the new rule is not applied.

Conditions:
-- Bot Defense profile is attached to virtual server
-- A user-define bot signature is updated

Impact:
Updated signature is not enforced.

Workaround:
-Delete the Bot Signature rule
-Add another Bot Signature rule
-Check to see that all changes are applied

1058789-3 : Virtual addresses are not created from an address list that includes an IP address range.

Links to More Info: BT1058789

Component: TMOS

Symptoms:
The virtual address is listed as offline regardless of the status of the virtual server. This makes understanding virtual-address status very difficult.

Conditions:
Create virtual server using a traffic-matching-criteria (TMC) address list.

Impact:
The virtual addresses are created but the BIG-IP system shows all of them as offline enabled regardless of the status of the virtual server.

Workaround:
None

1058765-3 : Virtual Addresses created from an address list with prefix all say Offline (enabled)

Links to More Info: BT1058765

Component: TMOS

Symptoms:
Virtual Addresses created from an address list with prefix all say Offline (enabled)

Conditions:
Using the prefix in the address-list which is used for virtual server configuration.

Impact:
Improper status of the virtual address.

1058677-1 : Not all SCTP connections are mirrored on the standby device when auto-init is enabled

Links to More Info: BT1058677

Component: TMOS

Symptoms:
When auto-init is enabled, Not all SCTP connections are mirrored to the standby device.

Conditions:
-- SCTP Profile and Mirroring
-- Auto initialization is enabled

Impact:
Only half of the connections are mirrored to the standby device.

Workaround:
Disable auto initialization:

tmsh modify ltm message-routing diameter peer <affected_peer> { auto-initialization disabled }

1058665-2 : Bot signature with a semicolon followed by a space is not detected

Links to More Info: BT1058665

Component: Application Security Manager

Symptoms:
When creating a user-defined Bot Signature, semicolon followed by space cannot be used.

Conditions:
-- Using a user-defined Bot Signature in Simple mode.
-- There is a semicolon followed by a space in the User-Agent or URL sections.

Impact:
The signature is not detected.

Workaround:
Escaping the semicolon in the signature created as "|3B|".

1058645-1 : ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup.

Links to More Info: BT1058645

Component: Advanced Firewall Manager

Symptoms:
Sophos IPsec clients cannot connect to a Sophos firewall when ipsecalg is configured on the forwarding virtual server.

The Sophos client initially attempts to start the tunnel using aggressive mode. The Sophos firewall does not support remote users attempting aggressive mode and responds with Notify Message Type INVALID-PAYLOAD-TYPE. The tunnel setup cannot proceed correctly after that point.

Conditions:
-- Sophos client is installed on remote user devices.
-- Sophos firewall is the remote endpoint in the IPsec tunnel.

Note: The Sophos client and firewall combination is the only known failing use-case.

Impact:
Sophos clients cannot start an IPsec tunnel.

Workaround:
The Sophos client cannot be configured to use main mode instead of starting with aggressive mode. The Sophos firewall does not support aggressive mode for remote user IPsec tunnels.

Therefore, create an iRule and add the iRule to the ipsecalg virtual server. The iRule simply contains this:

when SERVER_DATA {
# Only execute on first server side packet of conflow.
event disable

if { [UDP::payload length] < 40 } { return; }
binary scan [UDP::payload] x8x8cH2cx9x10S payload_type ver exch_type noti_type

# Depending on throughput, the amount of logging here may be problematic
#log local0. "payload_type : $payload_type"
#log local0. "ver : $ver"
#log local0. "exch_type : $exch_type"
#log local0. "noti_type : $noti_type"

if { $payload_type == 11 && $ver == 10 && $exch_type == 5 && $noti_type == 1 } {
log local0. "Closing ipsecalg connection"
after 1 { reject }
}
}

1058597-3 : Bd crash on first request after system recovery

Links to More Info: BT1058597

Component: Application Security Manager

Symptoms:
Bd crashes on the first request.

Conditions:
The system is out of disk space while creating the ASM policy.

Impact:
The security configuration is incomplete with missing data.

Workaround:
-- Remove the ASM policy from the virtual server to avoid the bd crash.
-- Go to the cookie protection screen and reconfigure the secure and fast algorithm.
-- Re-attach the security policy to the virtual server.

1058469-2 : Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working.

Links to More Info: BT1058469

Component: Local Traffic Manager

Symptoms:
A virtual server which is part of an iApp service and which was previously working correctly now rejects all traffic.

Upon inspecting the log, entries similar to the following examples may be noticed:

==> /var/log/tmm <==
<13> Oct 28 23:41:36 bigip1 notice hudfilter_init: clientside matches TCP position. 0 0

==> /var/log/ltm <==
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Proxy initialization failed for /Common/my.app/my-vs. Defaulting to DENY.
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Listener config update failed for /Common/my.app/my-vs: ERR:ERR_UNKNOWN

Conditions:
This issue is known to occur when strict-updates is disabled for an iApp service which includes a non-default NTLM profile.

Impact:
Traffic outage as the affected virtual server(s) will no longer be passing any traffic.

Workaround:
To recover an affected system, either restart tmm (bigstart restart tmm) or delete and redeploy the iApp service.

To prevent this issue from occurring again, modify the iApp configuration to use the default NTLM profile rather than a custom one (if the iApp template involved allows this).

1058377 : [APM CUSTOMIZATION] Unable to edit image for RDP resource

Links to More Info: BT1058377

Component: Access Policy Manager

Symptoms:
Unable to change the Image for an RDP resource in General Customization.

Conditions:
Navigate to Access > Profiles > Customization > General then drill down into "Remote Desktop" > then "/Common/<<Created RDP Profile>>".

Impact:
You are unable to change the image for a resource in "General Customization"

Workaround:
1. Try to change the path.
2. Click on "Restore Default" button.
3. Should be able to Edit resource image now

1058349-2 : Requirement of new signatures to detect IMO and Google Duo service

Links to More Info: BT1058349

Component: Traffic Classification Engine

Symptoms:
Google Duo voice call and IMO applications are not blocking

Conditions:
On Latest IM with PEM policy and TC policy

Impact:
Traffic throttling will not work on IMO and DUO app

Workaround:
None

1057925-3 : GTP iRule generates a warning.

Links to More Info: BT1057925

Component: TMOS

Symptoms:
Merging GTP config generates a warning.

cat ltm rule GTP_Rate_Limmit {
when CLIENT_DATA {

        set gtp_message [GTP::parse [UDP::payload]]
        set ie_list [GTP::ie get list -message $gtp_message -type 87]
        #set ie_list [GTP::ie get list -type 97 -message $gtp_message]


        foreach ie $ie_list {

                set fteid_value [lindex $ie 5]
                set interface_type [lindex $fteid_value 2]
                set ipv4_addr [lindex $fteid_value 4]

                log local0. "$fteid_value,$interface_type,$ipv4_addr"

        }

}
}
ltm rule GTP_Rate_Limmit {
when CLIENT_DATA {

        set gtp_message [GTP::parse [UDP::payload]]
        set ie_list [GTP::ie get list -type 87 -message $gtp_message]

        foreach ie $ie_list {

                set fteid_value [lindex $ie 5]
                set interface_type [lindex $fteid_value 2]
                set ipv4_addr [lindex $fteid_value 4]

                log local0. "$fteid_value,$interface_type,$ipv4_addr"

        }

}
}


root@(sr)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge file gtprule.conf
Merging GTP rule config generates warning.

 /var/local/scf/gtprule.conf
There were warnings:
/Common/GTP_Rate_Limmit:4: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid '-type'; expected:-message"93 47][GTP::ie get list -type 87 -message $gtp_message]

Conditions:
This error occurs every the time the GTP config is merged.

Impact:
Config merge shows a warning.

Workaround:
Change
set ie_list [GTP::ie get list -type 87 -message $gtp_message]
to
set ie_list [GTP::ie get list -message $gtp_message -type 87]

1057713-6 : "South Sudan" is missing from the ASM Geolocation Enforcement List

Component: Application Security Manager

Symptoms:
South Sudan is not available as a selection in ASM's Geolocation Enforcement configuration.

Conditions:
South Sudan was not added into ASM database.

Impact:
There is no way to set the country code for "South Sudan" under 'Allowed Geolocations'

Workaround:
None

1057709-3 : Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2

Links to More Info: BT1057709

Component: TMOS

Symptoms:
When deploying all BIG-IP VE OVA/OVF images, vCenter 7.0U2 will display an invalid certificate (not trusted) warning message. This is due to enhanced signing certificate verifications for expiry, and other validity checks for the entire chain of the signing certificate against the VECS store (known vCenter issue https://kb.vmware.com/s/article/84240).

Conditions:
Login to vCenter 7.0U2, deploy a BIG-IP VE using an OVF template, select the Local File option, upload the OVA template from your local directory, and then follow the prompts to complete the deployment. In the review details section, "The certificate is not trusted" warning message appears.

Impact:
You can ignore the message and continue with the deployment, or add the missing signing certificate(s) to the VECS store.

Workaround:
To avoid this warning, do the following to add the signing certificate to the VECS store:

1. Get the OVF/OVA signing certificate's chain (root CA and intermediate certificates, if any). You can use any certificate chain resolver to find the missing certificates from the chain.
2. To add the intermediate and root certificates to VECS store:
    a. login to vCenter as administrator.
    b. From drop-down menu select administration -> Certificates -> Certificate Management.
    c. Click ADD next to Trusted Roots Certificates.
    d. Browse and select the certificate(s) found in step 1.

1057557-4 : Exported policy has greater-than sign '>' not escaped to '&gt;' with response_html_code tag

Links to More Info: BT1057557

Component: Application Security Manager

Symptoms:
The greater-than sign '>' is not escaped/converted to '&gt;' with response_html_code tag.

Having not escaped greater-than sign can cause issues when re-importing the policy, if the greater-than sign appears in a specific sequence, ']]>'. In other word, if the greater-than sign does not appear in the specific sequence, you can successfully re-import the policy without problem.

The specific sequence can be possible with a custom response page configuration. If you modify the custom response page in the way it has a sequence of characters ']]>', as the greater-than sing won't be escaped due to this bug, the exported policy has the sequence of characters ']]>' as is. Note: what it should be is ']]&gt;'

']]>' in xml is CDATA End delimiter and not allowed. The exported policy causes parser error and can not be re-imported.

Conditions:
This occurs if you modify the default custom response page where this specific character sequence is observed ']]>'

Impact:
The exported policy cannot be re-imported.

Workaround:
This workaround forces the greater-than sing to be escaped to '&gt;' so that that policy can be re-imported without problem.

- make /usr writable
# mount -o remount,rw /usr

- backup
# cp /usr/local/share/perl5/F5/ExportPolicy/XML.pm /usr/local/share/perl5/F5/ExportPolicy/XML.pm.orig

- see this line exists
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
            $xml =~ s/&gt;/>/g;

- delete the line and verify
# sed -i '/$xml =~ s\/&gt;.*/d' /usr/local/share/perl5/F5/ExportPolicy/XML.pm

- should not see the line
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm

- move /usr read-only
mount -o remount,ro /usr

- make the change in effect
# pkill -f asm_config_server

1057501-3 : Expired DST Root CA X3 resulting in http agent request failing

Links to More Info: BT1057501

Component: TMOS

Symptoms:
When the DST Root CA X3 is expired, any HTTP agent request fails with the error:

err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - <address>, failure :proxyInterstitialPage: FetchError: request to <url> failed, reason: certificate has expired

Conditions:
The DST Root CA X3 certificate is expired, see
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Impact:
ILX plugins that reply on outbound HTTP client/agent requests to remote servers fail.

Workaround:
Create a /var/tmp/isrgrootx1.pem with contents of https://letsencrypt.org/certs/isrgrootx1.pem.txt

The Node.js script:
# cat /var/tmp/CustomCA-2.js
var fs = require('fs');
var https = require('https');
var options = {
    hostname: 'letsencrypt.org',
    port: 443,
    path: '/',
    method: 'GET',
    ca: fs.readFileSync('/var/tmp/isrgrootx1.pem') <<<<<<<<<<<<<<< incorporated CA thus bypassing the CA embedded in the EOL version of Node.js
};
var req = https.request(options, function(res) {
    res.on('data', function(data) {
        console.log("PASS");
    });
});
req.end();

1057305-2 : "-c" may be logged as the TMM process/thread name on deployments that use DPDK

Links to More Info: BT1057305

Component: TMOS

Symptoms:
"-c" may be logged as the process/thread name on deployments that use DPDK:

notice -c[17847]: 01010044:5: Gx feature is not licensed
notice -c[17847]: 01010044:5: LTM Transparent feature is licensed
notice -c[17847]: 01010044:5: NAT feature is licensed

Conditions:
- BIG-IP Virtual Edition using XNET with DPDK. This can be AWS, Mellanox, or Cisco eNIC.

Impact:
Confusing logging.

Workaround:
None

1057061-1 : BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with "Log Translation Fields"

Component: Advanced Firewall Manager

Symptoms:
When using a security log profile that has “Log Translation Fields” enabled, CPU usage is unusually high.

Conditions:
-- AFM provisioned
-- One or more security log profiles has “Log Translation Fields” enabled

Impact:
Excessive CPU utilization when compared to the same configuration with "Log Translation Fields" disabled.

Workaround:
None

1056993-1 : 404 error is raised on GUI when clicking "App IQ."

Component: TMOS

Symptoms:
When the App IQ menu option is clicked in the GUI workflow, (GUI: System ›› Configuration >> App IQ) the result is "Not Found. The requested URL was not found on this server."

Conditions:
Clicking the App IQ menu option in the GUI workflow, GUI: System ›› Configuration >> App IQ.

Impact:
Not able to access App IQ page.

Workaround:
Navigate directly to the following page on your BIG-IP (replacing <BIG-IP> with the IP/hostname of the system):

https://<BIG-IP>/tmui/tmui/system/appiq_ng/views/settings.html

1056941-1 : HTTPS monitor continues using cached TLS version after receiving fatal alert.

Links to More Info: BT1056941

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes.
If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version.
The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.

Conditions:
ClientSSL profile is changed on backend BIG-IP device's virtual server,

Impact:
BIG-IP continues to send prohibited TLS version and reports the member as down.

Workaround:
-- Delete and re-add pool member.
-- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back.
-- Restart bigd with "bigstart restart bigd" - Note that this impacts all monitoring on the BIG-IP.
-- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.

1056741 : ECDSA certificates signed by RSA CA are not selected based by SNI

Links to More Info: BT1056741

Component: TMOS

Symptoms:
Attempts to select a client-ssl profile based on the certificate subject/SAN will not work for ECDSA certificates if ECDSA cert is signed by RSA CA. Even when the SNI in the client hello matches the certificate subject/SAN, BIG-IP selects the default client SSL profile.

Conditions:
-- ECDSA certificate signed by RSA CA.
-- Client SSL profile does not have "server name" option configured.

Impact:
The desired client-ssl profile is not selected for ECDSA hybrid certificates when the SNI matches the certificate subject/SAN.

Workaround:
Do not use hybrid certificates or configure the "server name" option in the client-ssl profile matching SNI.

1056401-3 : Valid clients connecting under active syncookie mode might experience latency.

Links to More Info: BT1056401

Component: Local Traffic Manager

Symptoms:
Valid clients that connect using active syncookie mode might experience latency.

Conditions:
- SYN Cookie (Hardware or Software) is enabled.
- SYN Cookies are activated (TCP Half Open) for the virtual server.
- Fastl4 tcp-generate-isn option or SYN-ACK vector 'suspicious event count' options are enabled.
- SYN Cookie issue and validation with client is correct.
- SSL Client Hello packet sent by client reaches DHD right after TCP SYN packet is sent to backend server.

Impact:
Random connections could be disrupted.

1055361-2 : Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash

Links to More Info: BT1055361

Component: SSL Orchestrator

Symptoms:
Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash

Conditions:
Suspending iRule command in L7CHECK_CLIENT_DATA

Example:

ltm rule /Common/rule-a {
when L7CHECK_CLIENT_DATA {
        after 10000
        }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use Suspending iRule command in L7CHECK_CLIENT_DATA

1055077-3 : Modifying the datacenter does not check GTM server configuration for prober-pool.

Links to More Info: BT1055077

Component: Global Traffic Manager (DNS)

Symptoms:
If GTM is in a bad configuration state, the reload can fail with an error similar to this:

01071b63:3: The prober fallback value for server /Common/server1 cannot be the same as the inherited prober preference value.
Unexpected Error: Validating configuration process failed.

or

01071b62:3: The prober preference value for server /Common/server2 cannot be the same as the inherited prober fallback value.
Unexpected Error: Validating configuration process failed.

Conditions:
1. GSLB server has a prober-pool and inherits the datacenter selected for prober preference or prober fallback (it does not matter which prober configuration has which value).
2. GSLB datacenter is modified such that the prober configuration inherited by the constituent GSLB server is changed from a non-pool method to prober-pool.

This results in the GSLB server having a prober-pool probe configuration manually configured and another prober-pool probe configuration inherited from the GSLB datacenter.

Impact:
Two prober-pool configurations for a GSLB server is a prohibited state. Once this state is reached, any action that tries to validate the configuration (like a configuration load) will fail. This can cause the BIG-IP to fail to load configuration or cause a UCS restore to fail.

Workaround:
Review the configured and inherited prober configuration state of all GSLB servers whose parent GSLB datacenter has a prober-pool configured for it's prober preference or prober fallback. If any GSLB servers are affected, change their prober configuration so that only a single prober-pool configuration exists; or, you can change the parent GSLB server to no longer use the prober-pool method.

1055053-3 : "tmsh load sys config default" does not clear Zebos config files.

Links to More Info: BT1055053

Component: TMOS

Symptoms:
Typing the command: "tmsh load sys config default" does not clear Zebos config files.

Conditions:
- Dynamic routing in use.
- Loading default configuration with "tmsh load sys config default"

Impact:
Zebos configuration files still contain configuration after restoring default config.

Workaround:
Manually delete the Zebos configuration before running "tmsh load sys config default".

1054677-2 : Ng_export fails for users with the 'pager' option enabled in their 'cli preference' configuration.

Links to More Info: BT1054677

Component: Access Policy Manager

Symptoms:
For users with pager enabled, some lines are missing in the ng-export.conf file.

Conditions:
For your CLI preference, the 'pager' option is set to enabled.

Impact:
When 'pager' is set to enabled, you will be unable to export Access policies.

Workaround:
Disable the 'pager' option in 'cli preference' config for the affected user.

1054497-2 : Tmsh command "show sys fpga" does not report firmware for all blades.

Links to More Info: BT1054497

Component: TMOS

Symptoms:
After upgrading or forcing a reload of the configuration, the tmsh command "show sys fpga" does not report the firmware for all blades.

Conditions:
- Mutli-blade VIPRION or vCMP guest.
- Upgrade or forced reload of the configuration

Impact:
The tmsh command "show sys fpga" does not report firmware information for all blades.

Workaround:
Use the following command to restart chmand on the blade that is not reporting the firmware information:
bigstart restart chmand

1053741-3 : Bigd may exit and restart abnormally without logging a reason

Links to More Info: BT1053741

Component: Local Traffic Manager

Symptoms:
Certain fatal errors may cause the bigd daemon to exit abnormally and restart to recover.
For many such fatal errors, bigd logs a message in the LTM log (/var/log/ltm) indicating the fatal error that occurred.
For some causes, no message is logged to indicate what error occurred to cause big to exit abnormally and restart

Conditions:
This may occur when bigd encounters a fatal error when monitoring LTM pool members, particularly (although not exclusively) when using In-TMM monitor functionality (sys db bigd.tmm = enable).

Impact:
It may be difficult to diagnose the reason that caused bigd to exit abnormally and restart.

Workaround:
To enable logging of all fatal errors that cause bigd to exit abnormally and restart, enable bigd debug logging:

tmsh modify sys db bigd.debug value enable

With bigd debug logging enabled, bigd messages (including such fatal errors) will be logged to /var/log/bigdlog

1053605-1 : When you use NAT, the iQuery status displays 'BIGIP' instead of 'BIGIP-DNS'.

Links to More Info: BT1053605

Component: Global Traffic Manager (DNS)

Symptoms:
Use the 'show gtm iquery' command. The 'Server Type' may show as "BIGIP" rather than "BIGIP-DNS", even though DNS is provisioned on that device.


   # tmsh show gtm iquery
   ----------------------------------------
   Gtm::IQuery: 10.0.0.1
   ----------------------------------------
   Server GTM1
   Server Type BIG-IP <--
   ...
   ...
   ...


Note: Other BIG-IP DNS devices in the same sync group will correctly show the status as 'BIGIP-DNS'.

Conditions:
This occurs in the following conditions:

 - The gtm server has both an address and a translation defined.
 - The BIG-IP running the command is the same device being viewed (that is, it is showing its own status).
 

For example:

   gtm server GTM1 {
      devices {
         GTM1 {
            address { 10.0.0.1 { translation 192.168.1.1 } }
         }
      }
      ...
   }

Impact:
This is purely cosmetic, and does not affect the operation of the iQuery protocol.

1053589 : DDoS functionality cannot be configured at a Zone level

Links to More Info: BT1053589

Component: Advanced Firewall Manager

Symptoms:
DDoS functionality is supported at the global and virtual server level.

Conditions:
DDoS functionality configured on the BIG-IP system.

Impact:
Cannot enable DDoS at a zone level.

Workaround:
None

1053309-2 : Localdbmgr leaks memory while syncing data to sessiondb and mysql

Links to More Info: BT1053309

Component: Access Policy Manager

Symptoms:
Top output shows that localdbmgr memory increases steadily.

Conditions:
Localdb auth is enabled or localdb is used for storing APM-related information like for MDM intune

Impact:
Localdbmgr is killed by oom killer and is restarted, thereby affecting the execution of access policies.

1053305-1 : TMM crashes with assertion "vmem_hashlist_remove not found."

Links to More Info: BT1053305

Component: Local Traffic Manager

Symptoms:
TMM crashes and restarts.

Conditions:
Unknown.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None

1053149-2 : A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received.

Links to More Info: BT1053149

Component: Local Traffic Manager

Symptoms:
Depending on the software version running on the BIG-IP system, this issue can manifest in one of two ways:

- Versions with the fix for ID1008077 will fail to forward the client's final ACK (from the TCP 3-way handshake) to the server. Eventually, once the TCP handshake timeout expires, the BIG-IP system will reset both sides of the connection.

- Versions without the fix for ID1008077 will forward the traffic correctly, but will not advance the internal FastL4 state for the connection. Given enough traffic for the same 4-tuple, the connection may never expire. Traffic for subsequent connections will appear to be forwarded correctly, but no load-balancing will occur due to the original connection not having expired yet.

Conditions:
A FastL4 TCP connection not completing the TCP handshake correctly, and the client retrying with a new (different SEQ number) SYN.

Impact:
Traffic failures (intended as either connections failing to establish, or improper load-balancing occurring).

1053037-5 : MCP error on loading a UCS archive with a global flow eviction policy

Links to More Info: BT1053037

Component: TMOS

Symptoms:
Attempting to load a UCS archive with a global flow eviction policy results in an error like the following.

loaddb[3609]: 01080023:3: Error return while getting reply from mcpd: 0x1070911, 01070911:3: The requested flow_eviction_policy object (/Common/otters) does not exist for global_flow_eviction_policy in ltm (/Common/ltm)
Error 0x1070911 occurred: 01070911:3: The requested flow_eviction_policy object (/Common/otters) does not exist for global_flow_eviction_policy in ltm (/Common/ltm)

Despite this error, restoring the UCS archive continues on, and may succeed.

Conditions:
-- Loading a UCS archive with a non-default global-flow-eviction-policy configured.
-- The existing configuration on the BIG-IP system does not define the same eviction policy.

Impact:
The above mentioned error message is printed to the logs.
It should be safe to ignore the error if the UCS otherwise loads successfully.

Workaround:
Ignore the error message.

1052929-3 : MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized

Links to More Info: BT1052929

Component: Local Traffic Manager

Symptoms:
When MCPD starts, it may log an error message reporting an issue communicating with the onboard FIPS HSM. If the HSM is uninitialized, this message is erroneous, and an be ignored.

Depending on the hardware platform, the message may be one of the following:

err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. Please issue 'FIPSutil loginreset -r' followed by 'bigstart restart' for a password reset. You will need your FIPS Security Officer password to reset the password..
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. The FIPS card must be reinitialized, which will erase its contents..

Conditions:
-- BIG-IP system with an onboard FIPS HSM, or a vCMP guest running on a BIG-IP system with an onboard FIPS HSM
-- the FIPS HSM is not initialized, i.e. "fipsutil info" reports "FIPS state: -1"

Impact:
This message can be ignored when the FIPS HSM is not in-use, and is uninitialized.

Workaround:
Initialize the FIPS HSM following the instructions in the F5 Platforms : FIPS Administration manual.

1052153 : Signature downloads for traffic classification updates via proxy fail

Component: Traffic Classification Engine

Symptoms:
Downloading IM package via proxy fails.

Conditions:
Downloading the IM file through a proxy.

Impact:
Auto-download IM package from f5.com will fail

Workaround:
Disable the proxy and trigger the IM package download from the management interface.

1051589-2 : Missing configuration after upgrade

Component: Application Security Manager

Symptoms:
After a successful UCS load, some parts of the security configuration are missing.

Conditions:
-- ASM provisioned
-- Limited disk space in /shared
-- Upgrade or create and then install a UCS

Impact:
A device after upgrade or UCS install is missing some of the security configuration.

Workaround:
Clear out disk space in /shared before attempting an upgrade or creating a UCS

1051213-2 : Increase default value for violation 'Check maximum number of headers'

Links to More Info: BT1051213

Component: Application Security Manager

Symptoms:
Due to recent change in browsers, up to 7 headers are newly inserted in the request.

In ASM, there is default limit of 20 headers. So, when legitimate requests have more than 20 headers, they're blocked with violation "Maximum Number of Headers exceeded"

Conditions:
When the number of headers passed in request is greater than the value of maximum number of headers set, then this violation is raised

Impact:
Legitimate requests are blocked with violation "Maximum Number of Headers exceeded" when number of header is greater than the value set for the policy (default 20)

Workaround:
Increase "Check maximum number of headers" to 30 under Learning and Blocking settings screen for a policy

1051153-3 : DHCP fails intermittently when the connection is through BIG-IP.

Links to More Info: BT1051153

Component: Local Traffic Manager

Symptoms:
DHCP DISCOVER packets are received, load balanced to the back end DHCP server, a DHCP OFFER reply is received from the server to BIG-IP, but this packet is dropped.

Conditions:
A BIG-IP system is between the DHCP client and DHCP server.

Impact:
DHCP OFFER is never passed on to the client, and as such, the client keeps sending DHCP DISCOVER packets, which are all dropped the same way.

1050697-5 : Traffic learning page counts Disabled signatures when they are ready to be enforced

Component: Application Security Manager

Symptoms:
The traffic learning page counts Disabled signatures when they are ready to be enforced.

Conditions:
Policy has a disabled signature.

Impact:
Traffic learning page shows different counts of "ready to be enforced" signatures compared to Security ›› Application Security : Security Policies : Policies List ›› <policy name>

Workaround:
None

1050537-2 : GTM pool member with none monitor will be part of load balancing decisions

Links to More Info: BT1050537

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM pool member containing no monitor (status=BLUE) is not included in load balancing decisions.

Conditions:
GTM pool member the monitor value set to none.

Impact:
GTM does not load balance to this pool member.

1050457-2 : The "Permitted Versions" field of "tmsh show sys license" only shows on first boot

Links to More Info: BT1050457

Component: TMOS

Symptoms:
As of BIG-IP Virtual Edition version 15.0.0, running "tmsh show sys license" should show the Permitted Versions. After the system is rebooted, this information is no longer displayed by TMSH.

Conditions:
-- Running the 'tmsh show sys license' command after a reboot

Impact:
Unable to see the permitted versions for the license.

Workaround:
The list of permitted versions can be seen in the /config/bigip.license file, by looking for Exclusive_version:

config # grep Exclusive_version /config/bigip.license
Exclusive_version : 11.6.*
Exclusive_version : 12.*.*
Exclusive_version : 13.*.*
Exclusive_version : 14.*.*
Exclusive_version : 15.*.*
Exclusive_version : 16.*.*
Exclusive_version : 5.*.*
Exclusive_version : 6.*.*
Exclusive_version : 7.*.*

1050413-3 : Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml

Links to More Info: BT1050413

Component: TMOS

Symptoms:
When using the hard drive model HGST HUS722T1TALA604, pendsect does not recognize the hard drive and skips during sector checks.

Conditions:
- Using a HGST HUS722T1TALA604 hard drive on a BIG-IP system.
- Pendsect runs a sector check.

Impact:
Warning messages like the following will be logged to /var/log/messages:
-- warning pendsect[31898]: skipping drive -- Model: HDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting

Pendsect can't properly check the hard drive.

Workaround:
Give write permissions to modify file:
chmod u+w /etc/pendsect/drives.xml

Open the file and add the following at the end of the file, before default:
<snip>
         <HUS722T1TA>
            <offset firmware="RAGNWA09">0</offset>
            <offset firmware="default">0</offset>
            <family> "HA210"</family>
            <wd_name>"Ultrastar"</wd_name>
         </HUS722T1TA>
         <DEFAULT>
              <firmware version="default">
                     <offset>0</offset>
              </firmware>
              <name> "UNKNOWN"</name>
              <family> "UNKNOWN"</family>
              <wd_name>"UNKNOWN"</wd_name>
         </DEFAULT>
   </model>
  </drives>

Save and close the file.

Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml



Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect

1050089-3 : TMM crash in certain cases

Component: Application Security Manager

Symptoms:
TMM crash in certain cases

Conditions:
Bot defense profile is used in TMM

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1049237-2 : Restjavad may fail to cleanup ucs file handles even with ID767613 fix

Links to More Info: BT1049237

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.

Additionally, on a software version with ID767613 fix, you may see restjavad NullPointerException errors on /var/log/restjavad.*.log.

[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Low disk space, items listed with '(deleted)' when listed using lsof.

Workaround:
To free the file handles, restart restjavad:

# tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.

1049085-2 : Booting into a newly installed hotfix volume may stall on RAID-capable platforms

Links to More Info: BT1049085

Component: TMOS

Symptoms:
Upon booting into a RAID volume containing a newly installed instance of BIG-IP system software which is an Engineering Hotfix, the following messages may appear, after which the boot process stalls:

[...]
[ 11.705219] dracut-initqueue[324]: mdadm: Duplicate MD device names in conf file were found.
[ 133.844644] dracut-initqueue[324]: Warning: dracut-initqueue timeout - starting timeout scripts
[ 133.932885] dracut-initqueue[324]: mdadm: Devices UUID-012345678:9abcdef0:12345678:9abcdef0 and UUID-abcdef01:23456789:abcdef01:23456789 have the same name: /dev/md4
[...]
[ *** ] A start job is running for dev-disk...

Conditions:
1) a hardware platform is configured to use RAID for redundancy
2) duplicate RAID array declarations are introduced into /etc/mdadm.conf
3) a hotfix installation is performed to one of the RAID volumes

Impact:
Impossible to boot into the volume of the new installation, it is necessary to physically reboot the device and revert to a previously working volume to rectify the problem.

Workaround:
Instead of installing the hotfix directly, first install the plain base version on which the hotfix is based and boot into it - this will resolve the problem with the duplicate entries in /etc/mdadm.conf.
Then install the hotfix as normal.

1048949-3 : TMM xdata leak on websocket connection with asm policy without websocket profile

Links to More Info: BT1048949

Component: Application Security Manager

Symptoms:
Excessive memory consumption, tmm core.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages

Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Attach the websocket profile to the virtual server

1048913-2 : APM internal virtual server leaks memory under certain conditions.

Links to More Info: BT1048913

Component: Access Policy Manager

Symptoms:
The internal virtual server used for APM leaks memory while passing traffic.

Conditions:
1. Client/Backend is slow in responding to packets from the BIG-IP system.
2. There is some congestion on the network which prompts BIG-IP to throttle egress.

Impact:
TMM memory use grows over time. This will lead to out-of-memory for TMM and eventually trigger a restart. Traffic is disrupted while TMM restarts.

Workaround:
N/A

1048853-2 : "IKE VBUF" memory leak debug

Links to More Info: BT1048853

Component: TMOS

Symptoms:
The memory increase is seen through tmctl memory_usage_stat when ipsec-sa are deleted and new ipsec-sa are created.

Conditions:
A tunnel connection exists between the BIG-IP initiator and responder.

Impact:
Memory consumption increases after every ipsec-sa delete operation when the new ipsec-sa is created.

Workaround:
None

1048685-2 : Rare TMM crash when using Bot Defense Challenge

Links to More Info: BT1048685

Component: Application Security Manager

Symptoms:
When using the Bot Defense Profile on Blocking mode, TMM could crash on rare cases with a core dump.

Conditions:
Using the Bot Defense profile on blocking mode.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1048617-1 : Nice level BigDB paramter is not applied for BD

Component: Application Security Manager

Symptoms:
Nice level BigDB parameter is not applied for BD when BIG-IP is using split-planes

Conditions:
BIG-IP supports split-planes and nice level DB variable is set to non-zero.

Impact:
BD niceness level does not change.

Workaround:
None

1048541-2 : Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful.

Links to More Info: BT1048541

Component: TMOS

Symptoms:
A BIG-IP Administrator utilizing the 'Certificate Order Manager' feature is unable to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.

Conditions:
Using the 'Certificate Order Manager' feature on BIG-IP to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.

Impact:
The renew requests fail.

1048445-3 : Accept Request button is clickable for unlearnable violation illegal host name

Links to More Info: BT1048445

Component: Application Security Manager

Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)

The accept button is clickable when it should not. Accept Request button should be disabled for this violations.

Conditions:
Generate an illegal host name or hostname mismatch violation.

Impact:
Request will not be accepted even though you have elected to accept the illegal request.

Workaround:
Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered.

1048425-3 : Packet tester crashes TMM when vlan external source-checking is enabled

Links to More Info: BT1048425

Component: Advanced Firewall Manager

Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".

Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable source checking on the vlan.

1048141-2 : Sorting pool members by 'Member' causes 'General database error'

Links to More Info: BT1048141

Component: TMOS

Symptoms:
The configuration utility (web UI) returns 'General database error' when sorting pool members. The pool member display does not work for the duration of the login.

Conditions:
Sorting the pool member list by member.

Impact:
A pool's pool member page cannot be displayed.

Workaround:
Clear site and cached data on browser and do not sort by pool member.

1048097 : Under certain conditions, using the HTTP::retry iRule command causes TMM to crash.

Links to More Info: BT1048097

Component: Local Traffic Manager

Symptoms:
TMM crashes with segfault.

Conditions:
- HTTP virtual server
- iRule with HTTP::retry command
- certain traffic conditions

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Do not use HTTP::retry command; or, use it with fewer arguments.

1047933-2 : Virtual server security policy - An error has occurred while trying to process your request

Links to More Info: BT1047933

Component: Advanced Firewall Manager

Symptoms:
While loading the security tab page in the virtual server configuration page, you see an error: "An error has occurred while trying to process your request"

Conditions:
This is encountered when clicking the security tab in the virtual server configuration page, when there are a large number of virtual servers on the BIG-IP system (~2500).

Impact:
Delay in security tab page loading times and possible page timeout.

Workaround:
None

1047581-2 : Ramcache can crash when serving files from the hot cache

Links to More Info: BT1047581

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, TMM may crash when processing traffic for a virtual server that uses RAM Cache.

Conditions:
- RAM Cache configured
- Document served not out of the hotcache
- The server served with must-revalidate.
- The server 304 contains a 0 byte gzip payload

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1047169-2 : GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.

Links to More Info: BT1047169

Component: TMOS

Symptoms:
A BIG-IP Administrator is incorrectly able to delete a GTM AAAA pool from the configuration, despite this object being referenced in an iRule in use by an AAAA wideip.

An error similar to the following example will be visible in the /var/log/gtm file should the iRule referencing the pool run after the pool has been deleted:

err tmm[11410]: 011a7001:3: TCL error: Rule /Common/my_rule <DNS_REQUEST> - GTM Pool 'my_pool' of type 'A' not found (line 1)GTM Pool 'my_pool' of type 'A' not found (line 1) invoked from within "pool my_pool"

Note the error message incorrectly reports the pool as type A (it should report type AAAA).

Conditions:
-- Two GTM pools of type A and AAAA share the same exact name (which is legal).

-- The pool name is referenced in an iRule by the 'pool' command.

-- The iRule is in use by an AAAA wideip.

-- A BIG-IP Administrator attempts to delete the AAAA pool.

Impact:
The system incorrectly allows the deletion of the AAAA pool from the configuration.

Consequently, the next time the GTM configuration is reloaded from file, the operation will fail.

Additionally, traffic which relied on the pool being present in the configuration will fail.

1046917-3 : In-TMM monitors do not work after TMM crashes

Links to More Info: BT1046917

Component: In-tmm monitors

Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.

Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
  + TMM crashing and restarting
  + TMM being sent a termination signal (i.e. using 'pkill' to kill TMM)

Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.

Impact:
Monitored pool members are offline.

Workaround:
One of the following:

1. Do not use in-TMM monitors.

2. After TMM restarts, manually restart bigd:
   tmsh restart sys service bigd

3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up.

alert id1046917 "Tmm ready - links up." {
    exec command="bigstart restart bigd"
}

Note: This change must be made separately on each device in a ConfigSync device group.

1046785-3 : Missing GTM probes when max synchronous probes are exceeded

Links to More Info: BT1046785

Component: Global Traffic Manager (DNS)

Symptoms:
GTM probes are missing, resources are marked down.
When instances fail and BIG-IP is not aware of the failure, some virtual servers/pool members are marked as available and some objects are marked down on part of the sync group members.

Conditions:
Max synchronous probes are exceeded. This value is controlled by the GTM global variable max-synchronous-monitor-requests.

Impact:
Resources are marked down.

1046717 : Tmm crash when utilizing one-connect with inband monitors and ECMP or pool routes.

Links to More Info: BT1046717

Component: Local Traffic Manager

Symptoms:
Tmm crashes and restarts.

Conditions:
A virtual server that utilizes one-connect and a pool with an inband monitor and the pool members are reachable via a route. If the route changes back and forth between a gateway route and an ECMP or pool route, tmm could crash.

Impact:
Traffic disrupted while tmm restarts.

1046693-3 : TMM with BFD confgured might crash under significant memory pressure

Links to More Info: BT1046693

Component: TMOS

Symptoms:
TMM might crash when processing BFD traffic under high memory pressure.

Conditions:
- BFD in use.
- TMM under high memory pressure.

Impact:
Traffic disrupted while tmm restarts.

1046669-2 : The audit forwarders may prematurely time out waiting for TACACS responses

Links to More Info: BT1046669

Component: TMOS

Symptoms:
If a TACACS server takes longer than five seconds to respond, the audit forwarder will reset the connection.

Conditions:
-- Using remote TACACS logging.
-- TACACS server takes longer than 5 seconds to respond to logging requests.

Impact:
Misleading log messages.

1046401-1 : APM logs shows truncated OCSP URL path while performing OCSP Authentication

Links to More Info: BT1046401

Component: Access Policy Manager

Symptoms:
While performing OCSP authentication, the APM log file (/var/log/apm) shows the incomplete path of the OCSP URL.

Conditions:
-- Configure OCSP Server object
-- Configure OCSP Agent in the VPE
-- Perform OCSP Authentication

Impact:
Incomplete path of the OCSP URL causes ambiguity and gives the impression that APM is not parsing the URL correctly, while LTM parses correctly at the same time.

Workaround:
None

1046261-2 : Asynchronous REST task IDs do not persist across process restarts

Links to More Info: BT1046261

Component: TMOS

Symptoms:
If an asynchronous task is started via REST and the iControl REST process(es) restart, the task ID is lost and queries regarding its state will result in "Task not found" responses.

Conditions:
-- Starting an asynchronous process via REST.
-- The iControl REST process(es) restart.

Impact:
Unable to get the status of an asynchronous task. If you are using iControl REST to load a UCS, you will be unable to determine the status of the UCS load.

1045913-3 : COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression

Links to More Info: BT1045913

Component: Local Traffic Manager

Symptoms:
When using selective compression, COMPRESS::disable after a compressed response on the same connection will remove the Accept-Encoding header on the subsequent request and then correctly not compress the response. The Accept-Encoding header should be left in place to allow the server to compress the response, if able.

Conditions:
1. Virtual server with HTTP profile and selective compression using conditional COMPRESS::disable/COMPRESS::enable iRules with a server capable of responding with compressed content.

2. A client requests compressed documents over a persistent connection

Impact:
Client may receive some uncompressed responses in cases where compression was expected.

Workaround:
An iRule that can insert an Accept-Encoding header at HTTP_REQUEST_RELEASE time which would allow the server to compress, if capable.

1045717 : IPSEC: IKEV1: Algorithms changing from one to another for authentication or encryption tunnel is not establishing

Component: TMOS

Symptoms:
IKEv1 tunnel does not establish after we change IKE version from V2 to V1 and modify certain authentication / encryption algorithms.

Conditions:
- Establish tunnel using IKEv2 version
- Change version from IKEv2 to IKEv1
- Modify authentication algorithm

Impact:
IKEv1 tunnel does not establish.

It is highly unlikely that anybody moves from IKEv2 to IKEv1
(newer to older version). This is a lab test scenario only.

Workaround:
reboot the system

1045549-3 : BFD sessions remain DOWN after graceful TMM restart

Links to More Info: BT1045549

Component: TMOS

Symptoms:
BFD sessions remain DOWN after graceful TMM restart

Conditions:
TMM is gracefully restarted, for example with 'bigstart restart tmm' command.

Impact:
BFD sessions remain DOWN after graceful TMM restart

Workaround:
After restarting TMM, restart tmrouted.

1045277-2 : The /var partition may become 100% full requiring manual intervention to clear space

Links to More Info: BT1045277

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

1045229-2 : APMD leaks Tcl_Objs as part of the fix made for ID 1002557

Links to More Info: BT1045229

Component: Access Policy Manager

Symptoms:
APMD memory grows over time causing OOM killer to kill apmd

Conditions:
Access policy has resource assignment agents/variable assignments

Impact:
APMD memory grows over time and OOM killer terminates apmd thereby affecting traffic. Access traffic disrupted while apmd restarts.

1044901 : PEM Feature not supported for BIG-IP 15.1.5 on rSeries 5k/10k hardware

Links to More Info: BT1044901

Component: Policy Enforcement Manager

Symptoms:
The PEM feature is not supported on the rSeries 5000/10000 system.

Conditions:
Attempting to configure PEM on the BIG-IP rSeries hardware.

Impact:
PEM support is disabled.

Workaround:
None

1044893-3 : Kernel warnings from NIC driver Realtek 8139

Links to More Info: BT1044893

Component: TMOS

Symptoms:
Excessive kernel logs occur from the NIC driver Realtek 8139

Conditions:
-- Realtek 8139 driver is used
-- Packets with partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrives

Impact:
The Realtek 8139 driver logs excessive kernel warnings.

1044873-2 : Deleted GTM link is not removed from virtual server object and causes load failure.

Links to More Info: BT1044873

Component: Global Traffic Manager (DNS)

Symptoms:
The configuration fails to load with an error:

01070712:3: Values (/Common/Link_to_delete) specified for Virtual Server (/Common/vs1 /Common/HTTPP): foreign key index (explicit_link_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Create GTM link
-- Assign specific link to any virtual server object
-- Delete link object
-- Run tmsh load sys config gtm-only (or create a sync group and the sync will fail)

Impact:
GTM config fails to load or config sync.

Workaround:
Remove any assigned virtual servers from the link prior to deleting it.

1044577-1 : TMM crash on BIG-IP Virtual Edition using DPDK and xnet drivers

Links to More Info: BT1044577

Component: TMOS

Symptoms:
TMM crashes

Conditions:
-- BIG-IP Virtual Edition using DPDK and xnet drivers
-- More than one tmm

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Use only 1 TMM
- Use some other driver combination other than DPDK-xnet

1044281-2 : In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled

Links to More Info: BT1044281

Component: TMOS

Symptoms:
Under certain circumstances, if a configuration is copied to a boot location that has has already been booted into, files restored by the UCS archive remain unlabeled. After booting to the target volume, the BIG-IP will not function and will have the status "INOPERATIVE".

Conditions:
-- APM is provisioned.
-- Performing a cpcfg copy to another volume.

Impact:
-- APM localdbmgr restarts, and fails to restore configuration from UCS archive
-- Spurious system permissions failures as a result of SELinux

Workaround:
After booting into the affected boot location, force an SELinux relabeling:

# touch /.autorelabel && reboot

1044121-2 : APM logon page is not rendered if db variable "ipv6.enabled" is set to false

Component: Access Policy Manager

Symptoms:
When accessing a Virtual Server with an access policy, users are redirected to the hangup page.

Conditions:
Db variable "ipv6.enabled" is set to false

Impact:
Users will not be able to access the virtual server and associated resources behind it.

Workaround:
Keep the value of db variable "ipv6.enabled" set to true.

# setdb "ipv6.enabled" true

1044089-1 : ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI

Links to More Info: BT1044089

Component: TMOS

Symptoms:
Virtual address is reachable even when the virtual server is offline.

Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.

Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.

Workaround:
Use tmsh to attach the iRule to the virtual server:

tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }

1044021-1 : Searching for IPv4 strings in statistics module does not work.

Links to More Info: BT1044021

Component: TMOS

Symptoms:
In Statistics :: Module statistics : Local Traffic : Pools, in "Display Options", if you choose "Statistics Type" as "Pools" and search for some IPv4 ip with partial words, the search will not return expected results.

Conditions:
Searching for an IPv4 address in the "Statistics" module.

Impact:
It is not possible to filter for IPv4 addresses.

Workaround:
None

1043985-2 : After editing an iRule, the execution order might change.

Links to More Info: BT1043985

Component: Local Traffic Manager

Symptoms:
After modification, the iRule execution order may change for events with the same priority.

Conditions:
Virtual server has an iRule that contains multiple events with the same priority.

Impact:
Unexpected behavior can cause virtual server malfunction.

Workaround:
Add desired priorities for iRules that contain the same event.
For example: when <event_name> priority nnn

1043805-2 : ICMP traffic over NAT does not work properly.

Links to More Info: BT1043805

Component: Local Traffic Manager

Symptoms:
ICMP traffic hitting a NAT translation address is dropped and not sent further to the originating address.

Conditions:
-- An LTM NAT is configured.
-- ICMP traffic arrives.

Impact:
ICMP traffic fails to be forwarded over the NAT.

1043533-1 : Unable to pick up the properties of the parameters from audit reports.

Component: Application Security Manager

Symptoms:
In the GUI under Security ›› Application Security : Audit : Reports, if you select "User-input parameters..." in the menu "Security Policy Audit Reports", then click on the parameter to retrieve the properties, you will see this error:
   " Could not retrieve parameter; Could not get the Parameter, No matching record was found."

Conditions:
1) Create a new parameter.
2) Customize or overwrite an existing ASM signature for the parameter in question.
3) Save and apply to the policy the new changes
4) Go to:
    Security ›› Application Security : Audit : Reports
    Report Type : User-input parameters with overridden attacks signatures (this also happens for other "User-input parameters...")
    Select the parameter to audit
    Error: "Could not retrieve parameter; Could not get the Parameter, No matching record was found."

Impact:
A page error occurs.

Workaround:
1. Open in a separate tab the following screen: Security ›› Application Security : Parameters : Parameters List
2. Under "Parameter List" title, there is a filter dropdown with the "Parameter Contains" texting.
3. On the blank part (before "Go" button) type the name of the required parameter.
4. You will get the desired page with the desired parameter properties.

1043385-3 : No Signature detected If Authorization header is missing padding

Component: Application Security Manager

Symptoms:
If the Authentication scheme value in the Authorization header contains extra/missing padding in base64, then ASM does not detect any attack signatures.

Conditions:
HTTP request with Authorization header contains base64 value with extra/missing padding

Impact:
Attack signature not detected

1043357-3 : SSL handshake may fail when using remote crypto client

Links to More Info: BT1043357

Component: Local Traffic Manager

Symptoms:
ServerSSL handshake fails when verifying ServerKeyExchange message.

Conditions:
Remote crypto client is configured and the ServerSSL profile connects using an ephemeral RSA cipher suite.

Impact:
The virtual server is unable to connect to the backend server.

Workaround:
Use non-ephemeral RSA or ECDSA cipher suite on ServerSSL.

1043233-1 : Export of large access policy configuration from ng_export CLI

Links to More Info: BT1043233

Component: Access Policy Manager

Symptoms:
PHP Fatal error: Allowed memory size of <maximum allowed number> bytes exhausted (tried to allocate <number> bytes) in /usr/bin/ng_export on line <line number>

Conditions:
Huge Access policies (Eg: 1Gb)

Impact:
Policy export fails.

1043141-2 : Misleading 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP

Links to More Info: BT1043141

Component: TMOS

Symptoms:
Loading a UCS file from another BIG-IP results in an error message similar to:

"/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

The error message is misleading as the issue is unrelated to master key decryption.

Conditions:
-- Loading a UCS archive from a different BIG-IP.
-- The UCS archive does not contain a ".unitkey" file.
-- The target system does have the correct master key value configured.
-- There is some other MCPD validation issue in the configuration.

Impact:
Platform migration fails with a misleading error message.

Workaround:
Once the issue has happened, you can either:

- Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s).

OR:

- Re-start MCPD.

1043017-3 : Virtual-wire with standard-virtual fragmentation

Links to More Info: BT1043017

Component: Local Traffic Manager

Symptoms:
A standard virtual-server configured on top of a virtual-wire has unexpected handling of fragmented IP traffic.

Conditions:
Standard virtual-server configured on top of a virtual-wire handling fragmented IP traffic.

Impact:
- Fragments missing on egress.
- Packet duplication on egress.

Workaround:
Use fastl4 virtual-server instead.

1043009-3 : TMM dump capture for compression engine hang

Links to More Info: BT1043009

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
The system detects a Nitrox hang and attempts to reset it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set Nitrox3.Compression.HangReset db variable to reset

1042913 : Pkcs11d CPU utilization jumps to 100%

Links to More Info: BT1042913

Component: Local Traffic Manager

Symptoms:
CPU utilization of pkcs11d increases to 100%.

Conditions:
This occurs when pkcs11d is disconnected from the external HSM.

Impact:
As the pkcs11d consumes most of the CPU, other processes are starved for CPU.

Workaround:
None.

1042737-3 : BGP sending malformed update missing Tot-attr-len of '0.

Links to More Info: BT1042737

Component: TMOS

Symptoms:
BIG-IP might send a malformed BGP update missing Tot-attr-len of '0 when performing a soft reset out.

Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.

Impact:
BGP peering resets.

1042605-3 : ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above

Component: Application Security Manager

Symptoms:
Following an upgrade, an error occurs:
ERROR: Failed during loading ASM configuration.

An "ASM critical warning" banner is displayed in the ASM GUI.

Conditions:
-- ASM is upgraded to v15.1.0 or above
-- The following query returns results prior to upgrading:

SELECT policy_name_crc FROM DCC.ACCOUNTS accounts WHERE policy_name NOT IN (SELECT name FROM PLC.PL_POLICIES)

Impact:
ASM upgrade is aborted due to an exception:
Can't call method "clear_traffic_data" on unblessed reference

1042589-2 : Wrong trunk_id is associated in bcm56xxd.

Links to More Info: BT1042589

Component: TMOS

Symptoms:
When a set of interfaces are moved from one trunk to another, the now empty trunk is left with a valid association in bcm56xxd, and deleting that trunk can cause a valid trunk to be removed in the BCM hardware.

'tmsh show net trunk MY_TRUNK' shows the trunk is UP, but in fact the trunk is unconfigured in hardware.

Conditions:
Moving the interfaces across trunks.
i.e.
tmsh modify net trunk MY_OLD_TRUNK interfaces none
tmsh modify net trunk MY_NEW_TRUNK interfaces add { 1.1 1.2 }
tmsh delete net trunk MY_OLD_TRUNK

Impact:
May cause an L2 traffic loop.

1042505-2 : Session variable "session.user.agent" does not get populated for edge clients

Links to More Info: BT1042505

Component: Access Policy Manager

Symptoms:
Access policy agents and iRules that depend on "session.user.agent" session variable fail to execute properly.

Conditions:
Access polices have agents that depend on the value of session variable "session.user.agent" for its execution.

Impact:
Any access policy agents that depend on this session variable will not be able to follow the rules.

Workaround:
An iRule can be used to generate a session variable. For example:

# This event fires once per session
when ACCESS_SESSION_STARTED {
  log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
  ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
  #Use this variable in the VPE to make some decision
}

1042153-1 : AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when TS cookie enabled on either of the VLANS (client/server), when the TS cookie enabled on both the VLAN no issues are seen.

Conditions:
Configure TCP BADACK Flood DDoS vector to start mitigation at a given value and enable TS cookies on the server VLAN.

Impact:
The TS cookie will not be restored to its original value when the SYN packet is processed by software in BIG-IP and the SYNACK will be handled by the hardware in BIG-IP. As s result, end-hosts (client/server) RTT calculation is incorrect and causes various issues (ex : blocks the Internet access from hosts in the backend infrastructure).

Workaround:
Use fastL4 profile with EST mode i.e. change the 'pva-offload-state to EST'

1042133 : Current Sessions value of gateway route pool member goes negative

Links to More Info: BT1042133

Component: Local Traffic Manager

Symptoms:
A pool member's current session value can go to a negative value.

Conditions:
-- Explict http proxy
-- Gateway pool with a default route
-- Traffic arrives so that the proxy attempts to send requests via the default gateway pool

Impact:
Wrong value of current sessions of pool member

1042057 : SSL Orchestrator high availability (HA) pair sync issue

Links to More Info: BT1042057

Component: iApp Technology

Symptoms:
SSL Orchestrator high availability (HA) pair fails to perform the initial config sync.

Conditions:
This occurs with SSL Orchestrator deployed to a high availability (HA) pair.

Impact:
A sync issue occurs, gossip conflicts exist and connection timeout issues occur.

Workaround:
Running the sslofix as well as ha-sync utilities.

1042009-2 : Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes

Links to More Info: BT1042009

Component: TMOS

Symptoms:
Mcpd does not reply to the request if the publisher's connection closes/fails, in this case when bcm56xxd
is restarted. The perceivable signs of the failure are the snmpwalk failing with a timeout and the
"MCPD query response exceeding" log messages

Conditions:
1) Configure snmp on the BIG-IP so you can run snmpwalk locally on the BIG-IP.

2) From one session on the BIG-IP, run a snmpwalk in the while loop.
    
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done

Sample output:

Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)

3) From a second session on the BIG-IP restart bcm56xxd

bigstart restart bcm56xxd

4a) the snmpwalk will continually report the following:

Timeout: No Response from 127.0.0.1

And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm

Impact:
SNMP stopped responding to queries after upgrade

Workaround:
Snmpd restart

1041989-3 : APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaks

Links to More Info: BT1041989

Component: Access Policy Manager

Symptoms:
If the Location header does not end with '/' in direct case, the rewritten URL misses the forward slash character '/'.

APM does not add automatically the / after the URL encoded(after $$)?

e.g https://website Is rewritten as https://apm/f5-w-<hex encoded scheme,host,port>$$ instead of https://apm/f5-w-<hex encoded scheme,host,port>$$/.

If the caption URI is https://website without / at the end, APM will rewrite it as https://apm/f5-w-<hex encoded scheme,host,port>$$/

Conditions:
-- APM Portal Access
-- Redirect response Location header does not end with '/' - after the {scheme://host:port}

Impact:
Missing / after redirection - Page does not load

Workaround:
Add '/' through iRule in redirect response header.

1041985-3 : TMM memory utilization increases after upgrade

Component: Access Policy Manager

Symptoms:
TMM memory utilization increases after upgrading.

The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.

Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60

Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.

For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262

Impact:
TMM memory may increase while passing traffic.

Workaround:
Change the tcp keep alive interval to the default setting of 1800 seconds.

1041889-1 : RRSIG missing for CNAME with RDATA in different zone

Links to More Info: BT1041889

Component: Global Traffic Manager (DNS)

Symptoms:
RRSIG missing for CNAME.

Conditions:
-- CNAME record with RDATA in different zone.
-- One zone dynamically signed.
-- The other zone in local BIND (ZoneRunner) with static DNSSEC records.

Impact:
DNSSEC validation failure.

1041865-3 : Correctable machine check errors [mce] should be suppressed

Links to More Info: BT1041865

Component: TMOS

Symptoms:
Log emerg in kern.log similar to:
  emerg kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 10: cc003009000800c1

Conditions:
Correctable errors can be identified by analyzing the 16‐bit value shown in bits [31:16] of the 64‐bit error from the /var/log/kern.log message. When bits [31:16] = 0008 this is a correctable error and not failing hardware.

An example is shown below.

Log error matches this pattern:
  Machine Check: 0 [bank number]: [cc003009][0008][00c1]
  bits [31:16] = 0008

Impact:
Correctable errors are logged in kern.log and to the console. There is no functional impact.

Workaround:
None

1041801-2 : TMM crashes when handling Network DNS resolver Traffic.

Links to More Info: BT1041801

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes and produces a core file.

Conditions:
-- The configuration involves a Network DNS resolver object and it receives traffic.

Impact:
Traffic disrupted while tmm restarts.

1041765-1 : Racoon may crash in rare cases

Links to More Info: BT1041765

Component: TMOS

Symptoms:
Racoon may crash when NAT Traversal is on and passing IPsec traffic in IKEv1.

Conditions:
-- IKEv1 IPsec tunnel configured
-- NAT Traversal is on in ike-peer configuration.

Impact:
Racoon will crash and any IKEv1 tunnels will restart

Workaround:
Use IKEv2 only.

1041625-3 : Virtual server flapping when the active and standby devices have different configuration.

Links to More Info: BT1041625

Component: Global Traffic Manager (DNS)

Symptoms:
The virtual server status flaps.

Conditions:
1. Virtual server auto discovery enabled.
2. Configured GTM server is configured for high availability (HA).
3. The active and standby devices have different IP addresses for the same virtual server.

Impact:
The virtual server status flaps and traffic might be interrupted.

Workaround:
Make the active and standby devices have the same configuration.

1041317-2 : MCPD delay in processing a query_all message if the update_status bit is set

Links to More Info: BT1041317

Component: TMOS

Symptoms:
When there are a significant number of virtual servers or pools, mcpd can take a several seconds to respond to query_all messages, if the update_status is set to 1 in the message.

Conditions:
Update_status is set to 1 in the message. This could occur, for example, with the following snmp command

snmpget -v2c -c public localhost ltmVsStatusNumber.0

Impact:
While mcpd is busy updating the status for each virtual server or pool, mcpd will not able to to respond to any messages. Control plane operations might timeout.

1041225-3 : Missing SHA-384 cipher suites in outgoing LDAP TLS ClientHello

Links to More Info: BT1041225

Component: Local Traffic Manager

Symptoms:
BIG-IP does not send SHA-384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor).

Conditions:
You have LDAP servers which support SHA-384 ciphers only for LDAP/TLS authentication.

Impact:
Servers requiring SHA-384 for LDAP/TLS authentication will not be able to authenticate.

1041149-2 : Staging of URL does not affect apply value signatures

Component: Application Security Manager

Symptoms:
When a URL is staged and a value content signature is detected, the matched request is blocked.

Conditions:
-- URL is set to staging;
-- Only default ("Any") content profile is present, set to apply value signatures (all other content profiles deleted);
-- Request matches attack signature

Impact:
The request for staged URL is blocked

Workaround:
Configure relevant content profiles or leave the default content profiles configuration.

1040957-2 : The ipother profile can be used with incompatible profiles in a virtual server

Links to More Info: BT1040957

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not prevent the ipother profile from being used with incompatible profiles in a virtual server.

-- Log messages such as the following in the LTM log file:

err tmm[28670]: 01010008:3: Proxy initialization failed for /Common/example_vs. Defaulting to DENY.
err tmm[28670]: 01010008:3: Listener config update failed for /Common/example_vs: ERR:ERR_ARG

-- Log messages such as the following in TMM's log file:

notice hudchain contains precluded clientside filter: IPOTHER

Conditions:
Creating or modifying a virtual server to use the ipother profile with an incompatible profile.

Impact:
Invalid configuration. TMM traffic passing does not behave the way virtual server configuration dictates it should.

Workaround:
Remove the incompatible profile(s) from the virtual server.

1040829-3 : Errno=(Invalid cross-device link) after SCF merge

Links to More Info: BT1040829

Component: Access Policy Manager

Symptoms:
A single config file (SCF) merge fails with the following error:

01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link)

Conditions:
A customization group with the same name is present in both the SCF file and the BIG-IP device.

Impact:
SCF merge fails

Workaround:
None

1040821-3 : Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes

Links to More Info: BT1040821

Component: TMOS

Symptoms:
Address Translation and Port Translation checkboxes are automatically checked under the virtual server's advanced configuration.

Conditions:
Virtual Server's Advanced configuration option is selected followed by adding an iRule or a pool.

Impact:
The Address and Port translation options are automatically checked when the default is to have them unchecked.

Workaround:
Manually un-check Address Translation and Port Translation checkboxes under virtual server's advanced configuration

1040685-3 : Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier)

Links to More Info: BT1040685

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes after reboot.

Conditions:
This is encountered intermittently after rebooting a blade.

Impact:
Slot usable until manual intervention. Traffic disrupted while tmm restarts.

Note: this issue happened only once and no further occurrence was reported.

1040573-2 : REST operation takes a long time when two different users perform tasks in parallel

Links to More Info: BT1040573

Component: TMOS

Symptoms:
It takes excessive time to execute multiple REST(icr) requests in parallel by different users.

Conditions:
Multiple iControl REST operations are performed by different users in parallel.

Impact:
BIG-IP system performance is impacted.

Workaround:
Use only one user to process the multiple requests.
OR
Use an iControl REST transaction containing multiple requests.

1040513-1 : The counter for "FTP commands" is always 0.

Links to More Info: BT1040513

Component: Application Security Manager

Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.

Conditions:
FTP security is applied and "FTP commands violations" is enforced.

Impact:
The FTP security does not show violations statistics regarding the FTP commands.

Workaround:
None

1040477 : Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies

Links to More Info: BT1040477

Component: Application Visibility and Reporting

Symptoms:
Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies

Conditions:
- 15.1.2.1 or subsequent v15 releases
- Using Chrome on Windows

Impact:
The drop-down menu is not usable.

Workaround:
None.

1040153-3 : Topology region returns narrowest scope netmask without matching

Links to More Info: BT1040153

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP returns malformed packets or the narrowest scope not matching the request.

Conditions:
Mixed sub networks with different mask length.

Impact:
Malformed packets.

Workaround:
Do not put mixed subnets in one region.

1040117-1 : BIG-IP Virtual Edition drops UDP packets

Links to More Info: BT1040117

Component: TMOS

Symptoms:
BIG-IP Virtual Edition drops padded UDP packets when the hardware will accept and forward these same packets.

Conditions:
-- BIG-IP Virtual Edition
-- Padded UDP packets are sent

Impact:
UDP packets are dropped, potentially disrupted traffic

1040045-2 : Unable to delete trunk member on a VCMP guest

Links to More Info: BT1040045

Component: Local Traffic Manager

Symptoms:
After deleting a trunk member on a VCMP hypervisor, the change may not propagate to the guest.

Conditions:
-- VCMP guest
-- A trunk member that is UP
-- The trunk member is deleted on the hypervisor

Impact:
The guest does not have the current trunk information

Workaround:
Down the interface on the VCMP hypervisor before removing it (tmos)# modify net interface 2/3.1 disabled
(tmos)# modify net trunk trunk_1 interfaces del { 2/3.1 }

1040017-3 : Final ACK validation during flow accept might fail with hardware SYN Cookie

Links to More Info: BT1040017

Component: Local Traffic Manager

Symptoms:
With hardware SYN cookie mode enabled, final ACK validation during flow accept fails and ACK packets are dropped. Such error messages are being logged in LTM logs :

"An Enforced Device DOS attack start was detected for vector TCP half-open"

Conditions:
-- Hardware SYN Cookie is enabled
-- BIG-IP is under TCP half-open attack and packet hits a CMP forwarding flow

Impact:
ACK packets are wrongly dropped, causing traffic interruption.

Workaround:
Disable hardware SYN Cookie

1039993-2 : AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE"

Component: Advanced Firewall Manager

Symptoms:
Although Subscriber ID is not changed, "Port Block Updated","10.10.10.29","0","10.20.20.64","0","1025","1275","","unknown" is being written in the log

Conditions:
If "Log subscriber ID" field is selected in the log profile, this log will be printed.

Impact:
Excessive log messages occur.

Workaround:
If you deselect "Log subscriber ID" field in log profile, this message will not be written. Note that this workaround may impact other messages related to subscriber ID.

1039941-2 : [WIN]Webtop offers to download f5vpn when it is already installed

Links to More Info: BT1039941

Component: Access Policy Manager

Symptoms:
A pop-up window shows up and requests to download the client component.

Conditions:
Either of these conditions can trigger it:

#1
-- Network Access configured and webtop type to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]

#2
-- Network Access (auto launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]

Impact:
End users are unable to use the browser-based VPN.

Workaround:
Any of these workarounds will work:

-- Use Internet Explorer
-- Do not configure Network Access auto launch or "Network Access" for the webtop type
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE
-- Ignore the message (click "Click here"), and it allows you to move on to the next step

1039725-2 : Reverse proxy traffic fails when a per-request policy is attached to a virtual server.

Links to More Info: BT1039725

Component: Access Policy Manager

Symptoms:
Reverse proxy or inbound traffic fails during SSL renegotiation when a per-request policy is attached to the virtual server.

Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to virtual server.
-- Client or backend server initiates SSL renegotiation.

Impact:
Reverse proxy traffic fails during SSL renegotiation.

Workaround:
If renegotiation is not required then it can be disabled on BIG-IP. The client SSL and server SSL profiles have 'Renegotiation' settings. If it is set to disabled, BIG-IP or SSL Orchestrator does not do SSL renegotiation.

1039609-3 : Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain

Links to More Info: BT1039609

Component: TMOS

Symptoms:
You are unable to extract the dynamic routing protocols configuration information via an SNMP walk.

Conditions:
Example taken below is for BGP:

-- Create BGP config in non-default route-domain, establish peer with some router.
-- Create snmp community in non-default route domain
-- Run snmp walk for BGP4 mib (1.3.6.1.2.1.15).

Certain key MIB OIDs from the BGP configuration like bgpPeerRemoteAddr,bgp4PathAttrIpAddrPrefixLen are missing.

Impact:
Dynamic routing protocols SNMP OID polling not working when they are in a non-default route-domain.

1039277-3 : TMM core

Links to More Info: BT1039277

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing traffic

Conditions:
- http virtual server
- httprouter
- http2 profile

Impact:
Traffic disrupted while tmm restarts.

1039205 : DNSSEC key stored on netHSM fails to generate if the key name length is > 24

Links to More Info: BT1039205

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC keys are not generated successfully.
Errors in logs similar to:

gtm1 err tmsh[4633]: 01420006:3: Key management library returned bad status: -20, Domain names must be 63 characters or less.

Conditions:
Create DNSSEC key with a name longer than 24:
# tmsh create ltm dns dnssec key DNSSEC_with_long_name_21_ key-type zsk use-fips external

Impact:
DNSSEC keys are not generated successfully.

1038913-3 : The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category

Component: Application Visibility and Reporting

Symptoms:
In GUI "Security ›› Reporting : Application : Charts" filtering "View By" as IP Intelligence "Last Week", "Last Month" and "Last Year" reports show the "Safe" category instead of "Aggregated".

Conditions:
-- ASM is provisioned
-- The system is under heavy traffic
-- The number of stats records per report period (5 min) is higher than 10,000

Impact:
Inaccurate Last Week IPI reporting

1038837-1 : Debugd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.

Links to More Info: BT1038837

Component: Advanced Firewall Manager

Symptoms:
During system boot, the debugd daemon emits a message 'Shm segment not found in /etc/ha_table/ha_table.conf', and heartbeat monitoring is disabled for debugd.

Conditions:
Debugd daemon is running.

Impact:
No heartbeat monitoring for debugd daemon.

Workaround:
Manually edit the file /etc/ha_table/ha_table.conf and insert a line at the end:
ha segment path: /debugd

1038741-3 : NTLM type-1 message triggers "Unparsable request content" violation

Links to More Info: BT1038741

Component: Application Security Manager

Symptoms:
When internal parameter for "authorization header decode failure" is disabled, Valid NTLM type-1 message will be blocked with "Unparsable request content" violation

Conditions:
Disable internal parameter ignore_authorization_header_decode_failure

Impact:
Valid NTLM Type-1 message will be blocked by ASM

Workaround:
Enable internal parameter ignore_authorization_header_decode_failure, ASM will not block the NTLM type-1 message request

1038057-1 : Unable to add a serverssl profile into a virtual server containing a FIX profile

Links to More Info: BT1038057

Component: Service Provider

Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.

Conditions:
This is encountered when serverssl needs to be configured for FIX profiles

Impact:
You are unable to assign a server-ssl profile to the virtual server.

Workaround:
None

1037877-2 : OAuth Claim display order incorrect in VPE

Links to More Info: BT1037877

Component: Access Policy Manager

Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.

The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
    at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
    at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
    at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185

Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor

Impact:
It is not possible to re-order the claims

Workaround:
None

1037661-1 : The packet tester does not validate the route domain after applying the rule list when the protocol is changed from IP to any

Component: Advanced Firewall Manager

Symptoms:
After changing a firewall rule protocol to "any" and applying the change, the change is accepted but traffic is not matched.

Conditions:
-- Firewall rules are applied to a non-default route domain
-- One or more rules have the protocol field set to "any" and this is the only change

Impact:
The configuration change is applied but the rule is not applied correctly and some traffic might not be matched.

Workaround:
Make a change to an additional variable and submit the change.

1037645-1 : TMM may crash under memory pressure when using iRule 'AES::key' command

Links to More Info: BT1037645

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates core file.

Conditions:
-- TMM is under memory pressure
-- iRule using 'AES::key' command

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1037457-2 : High CPU during specific dos mitigation

Component: Application Security Manager

Symptoms:
CPU is high.

Conditions:
A dos attack with specific characteristic is active and the policy is configured in a specific way.

Impact:
While the attack is mitigated on the BIG-IP system and does not reach the server, the CPU of the BIG-IP increases and this may impact other services on the BIG-IP device.

Workaround:
N/A

1037197 : Packet tester UI does not show partition label for VLANs

Links to More Info: BT1037197

Component: Advanced Firewall Manager

Symptoms:
The GUI does not show partition labels for VLANs on the packet tester page.

Conditions:
-- Create VLAN
-- Navigate to Security>Debug: Packet Tester
-- UI does not show partition label for the VLAN

Impact:
Can't identify VLAN's partition

1037189 : Invalid values in long request buffer size in umu stats

Links to More Info: BT1037189

Component: Application Security Manager

Symptoms:
Logs shows invalid values in long request buffer size in umu stats printout

"Total allocated long request buffers: 621, Total memory used by long request buffers: 18446744072519584320 bytes"

Conditions:
Lots of concurrent connections sending long requests.

Impact:
Confusing log messaging

Workaround:
No workaround

1037153-3 : iRule "log" command to remote destinations may cause TMM to leak memory

Links to More Info: BT1037153

Component: Local Traffic Manager

Symptoms:
TMM leaks memory in the errdefs component.

TMM may leak memory in the xdata and xhead components if the system does not have routes to the specified syslog servers.

Conditions:
-- iRule that uses "log" to target a remote destination, e.g.: "log 192.0.2.1 'log message'"

Impact:
TMM leaks memory.

Eventually, TMM may disrupt legitimate connections as a result of memory pressure, or even crash and restart.

Workaround:
One of the following:

1. Log to local syslog, and configure syslog-ng to log to remote servers.

2. Use High-Speed Logging (https://clouddocs.f5.com/api/irules/HSL.html), instead of the "log" command.

1036969-3 : Chrome sometimes ignores cross-site bot-defense cookies

Links to More Info: BT1036969

Component: Application Security Manager

Symptoms:
Chrome ignores cross-site bot-defense cookies when bot-defense is sending 307 redirect.

Conditions:
A site is using another site/domain resources that are also protected by bot-defense

Impact:
The other site/domain resource will not display correctly on Chrome

Workaround:
iRule work-around based on:https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM.

Or, disabling simple redicret via TMSH:
tmsh modify sys db dosl7.proactive_defense_simple_redirect { value "disable" }
tmsh modify sys db dosl7.proactive_defense_simple_redirect_on_grace { value "disable" }

1036873-1 : Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3

Links to More Info: BT1036873

Component: Local Traffic Manager

Symptoms:
Under some conditions, the BIG-IP's TLS 1.3 Client Hello sometimes does not have the pre-shared key extension as the last extension in the Client Hello. This is contrary to a requirement in the TLS 1.3 RFC, and causes servers to fail the connection.

A backend server may log a message such as:

SSL_do_handshake() failed (SSL: error:141B306E:SSL routines:tls_collect_extensions:bad extension)

Conditions:
-- Server SSL profile (BIG-IP operating as client) with TLS 1.3 enabled.
-- A Client Hello message size that falls between 256 and 512 bytes (without padding), which causes the BIG-IP to introduce a padding extension at the end of the Client Hello.

This issue can be seen via use of the "single-dh-use" or "session-tickets" options in the SSL profile.

Impact:
The TLS handshake fails.

Workaround:
Adjust the configuration of the Server SSL profile by either:

-- Disable Session Tickets
or
-- Disable the single-dh-use option

1036613-1 : Client flow might not get offloaded to PVA in embryonic state

Links to More Info: BT1036613

Component: TMOS

Symptoms:
The client flow is not offloaded in embryonic state, but only is only offloaded once the flow transitions to an established state.

Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, i.e.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series

Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;

1036601 : Discrepancies in the number of requests with violations in ASM reports

Links to More Info: BT1036601

Component: Application Visibility and Reporting

Symptoms:
In GUI form "Security->Reporting->Application->Charts" the overall number of request when "View by" is set to "violations" differs considerably from the number of all illegal requests(alarmed or blocked) when "View by" is set to "Request Types". These numbers must be close to each other since all alarmed requests should have one or (in some cases) more violations.

Conditions:
ASM is provisioned. Under heavy traffic, the number of stats records per report period (5 min) is higher than 10000

Impact:
The aforementioned AVR reports show incorrect statistical data.

1036557-3 : Monitor information not seen in GUI

Links to More Info: BT1036557

Component: TMOS

Symptoms:
GUI displays "An error has occurred while trying to process your request" when deleting/creating a monitor with the same name under the same transaction.

Conditions:
(a) Create a TCP monitor, then in a single transaction delete the TCP monitor + create an HTTP monitor with same name as the TCP monitor. Example below:

# tmsh create ltm monitor tcp <Name of the monitor>
# echo 'create cli transaction; delete ltm monitor tcp <Name of the monitor> ; create ltm monitor http <Name of the monitor>; submit cli transaction' | tmsh
# tmsh save sys config

This could also occur when reconfiguring an iApp, or changing a configuration via AS3.


(b) Login to the GUI and click on the monitor (GUI > Local Traffic > Monitors > (Monitor created)) you'll see "An error has occurred while trying to process your request"

Impact:
Unable to view monitor parameters in GUI.

Workaround:
Any one of the following workarounds help:
- do not use the same monitor name
- do not perform the delete+create actions on a single transaction
- save and load the configuration:
  tmsh save sys config && tmsh load sys config

1036541-3 : Inherited-traffic-group setting of floating IP does not sync on incremental sync

Links to More Info: BT1036541

Component: TMOS

Symptoms:
When a floating IP object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a sync/failover device group.

Impact:
This will impact incremental syncing to other peers in the device group.

Workaround:
Do a full config sync if possible.

1036521-3 : TMM crash in certain cases

Links to More Info: BT1036521

Component: Application Security Manager

Symptoms:
TMM crash in certain case when dosl7 is attached

Conditions:
TMM is configured with dosl7

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1036461-3 : icrd_child may core with high numbers of open file descriptors

Links to More Info: BT1036461

Component: TMOS

Symptoms:
icrd_child core generated

Conditions:
Have over 1024 open file descriptors.

Impact:
REST API usage for BIG-IP configuration will be impacted

Workaround:
Make sure that open file descriptor count is not reached 1024 and close the file descriptors opened

1036265-3 : Overlapping summary routes might not be advertised after ospf process restart.

Links to More Info: BT1036265

Component: TMOS

Symptoms:
Overlapping summary routes might not be advertised after ospf process restarts.

Conditions:
Add an overlapping /32 entry for a summary route and restart ospf process.

Impact:
Summary routes are not advertised.

1036169-3 : VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500".

Links to More Info: BT1036169

Component: Local Traffic Manager

Symptoms:
Guestagentd will log the message "Exit flags for PID <PID>:0x500" in guest ltm log, if vcmp host rsync server current active connection is more than 4

Conditions:
-- vCMP guest
-- Rsync transfer frequency is 10 seconds between vCMP guest to vCMP host.
-- more than 4 vCMP guest.

Impact:
Guest LTM logs fill with "Exit flags for PID <PID>: 0x500".

Workaround:
None

1036097-3 : VLAN failsafe does not trigger on guest

Links to More Info: BT1036097

Component: TMOS

Symptoms:
VCMP guest VLAN failsafe does not trigger as expected.

Conditions:
-- VCMP host configured
-- VLAN failsafe enabled on a VLAN
-- One or more VCMP guests enabled that use that VLAN.
-- A trunk member of a trunk connected to the vCMP guest is flapping.

Impact:
Since the neighbor messages for the IPv6 link-local addresses continue to be successfully passed from host to guest upon a trunk member change, VLAN failsafe does not trigger even if the upstream switch goes down that's connected to the VLAN.

Workaround:
None

1036093-3 : Tmm sends out neighbor advertisements for the link local addresses even if IPv6 is disabled

Links to More Info: BT1036093

Component: Local Traffic Manager

Symptoms:
When a trunk member state changes and IPv6 is disabled, BIG-IP still sends neighbor advertisements for the link-local addresses on each VLAN

Conditions:
- IPv6 is disabled (ipv6.enabled=false)
- change in a trunk member state occurs

Impact:
Link-local addresses are still in the vaddr hash even after ipv6 is disabled.

1036013-2 : BIG-IP systems may terminate connections prematurely when a TLS close-notify alert is received

Links to More Info: BT1036013

Component: Local Traffic Manager

Symptoms:
When a backend server sends a TLS close-notify alert, BIG-IP may terminate the connection prematurely without forwarding the HTTP response.

Conditions:
ServerSSL receives a TLS Close-notify alert after a TLSv1.3 session is established.

Impact:
Server responses may be dropped.

Workaround:
Use TLSv1.2.

1036009-2 : Fix DPDK RSS configuration settings

Component: TMOS

Symptoms:
When using DPDK driver and multiqueue, only TCP traffic will get hashed and distributed between different TMMs

Conditions:
- DPDK driver is being used
- Multiqueue is enabled and in use

For a list of NICs that use dpdk see K17204: BIG-IP VE NIC adapters that support SR-IOV, available at https://support.f5.com/csp/article/K17204

Impact:
UDP traffic will get funneled to only a single TMM causing excess CPU usage on that TMM

Workaround:
Disable multiqueue

1035757-3 : iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_*

Links to More Info: BT1035757

Component: Local Traffic Manager

Symptoms:
After restarting the ilx plugin, new tmplugin_ilx_rpc_* stat files are being created, but old files are not being deleted.

Conditions:
- ilx configured
- ilx plugin restarted

Impact:
The presence of too many of these leftover files might prevent merged from rolling up stats and providing graphs and cause such errors:

err merged[8523]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.

Workaround:
Delete stale tmplugin_ilx_* files manually

1035661-2 : REST Requests return 401 Unauthorized when using Basic Auth

Links to More Info: BT1035661

Component: TMOS

Symptoms:
REST Requests are intermittently failing with a 401 error.

The restjavad-audit.*.log shows these requests are closely preceded by a 503 response from /mgmt/tm/auth/source.

Conditions:
Triggered when a REST request comes in using Basic Auth while an asynchronous task is executing on the BIG-IP.

An example of an asynchronous task is the BIG-IP processing an AS3 declaration.

Impact:
REST requests will fail with a misleading response code and for no readily apparent reason.

Workaround:
Use token based authentication for REST requests.

1035361-2 : Illegal cross-origin after successful CAPTCHA

Component: Application Security Manager

Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.

Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly

Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.

Workaround:
- disable cross-origin violation enforcement.

1035121-3 : Configsync syncs the node's monitor status

Links to More Info: BT1035121

Component: TMOS

Symptoms:
After config sync, nodes may be marked marked down when they are up, even if the monitor determines that the node is up.

The logs will show something similar to :

notice mcpd[8091]: 010714a0:5: Sync of device group /Common/device_trust_group to commit id 1 6986973310536375596 /Common/xxxxxxxx 1 from device /Common/yyyyyyyy

notice mcpd[8091]: 01070640:5: Node /Common/node1 address 10.10.100.1 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
notice mcpd[8091]: 01070640:5: Node /Common/node2 address 10.10.100.2 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]

The node/pool member/pool/virtual server will be marked down.
Checking the actual monitor it will be up, tcpdump will show successful monitor transactions.

Conditions:
1. Two or more devices in a sync/failover device group
2. The config sync from-device has marked nodes down
3. A config sync occurs

This can occur on both incremental and full config sync.

Impact:
The node's monitor status is synced to the peer device. If the from-device's monitor was unable to reach the nodes and was marking the nodes as DOWN, then the node status will be set to DOWN on the other device, even if the monitor is successfully connecting to the node. This can cause a traffic disruption.

Note: the opposite can occur, where a "node up" status is sent to a device whose monitor is failing to connect to the nodes due to a network issue.

Workaround:
If a device is in this state, you can work around this issue by doing one of the following:

-- Save and reload the configuration on the device with the bad state
   tmsh save sys config && tmsh load sys config

-- Perform a full-load sync from the peer device to the affected device:
   (On the peer) tmsh run cm config-sync force-full-load-push to-group group-name

1035017-2 : Remove unused CA-bundles

Component: TMOS

Symptoms:
Some of the certificate bundles shipped on BIG-IP devices are not used and aren't updated. In particular, there are legacy bundles which aren't needed.

Conditions:
This affects certain internal certificate bundles on the BIG-IP file system:

Impact:
There is a chance that there might be failures when "internal certificates" expires.

Workaround:
None

1034953-2 : In explicit proxy, HTTP_STATCODE missing from syslog

Links to More Info: BT1034953

Component: Local Traffic Manager

Symptoms:
HTTP_STATCODE missing from logs captured using request logging profile when HTTP request is made to explicit proxy virtual server.

Conditions:
- Configure explicit proxy virtual server
- Apply request logging on the same virtual server
- Send HTTP request to connect to a Host via the explicit virtual server

Impact:
HTTP_STATCODE not found in the logs captured from request logging

1034865-3 : CACHE::enable failed on private/no-store content

Links to More Info: BT1034865

Component: Local Traffic Manager

Symptoms:
BIG-IP provides a possibility to cache HTTP responses with RAMCACHE feature. When a response has either "Cache-Control: private" or "Cache-Control: no-store", the CACHE::enable setting allows the content to be cached. This option was removed when a fix to ID 360047 was introduced.

Conditions:
-- A virtual server has a web-acceleration profile without a policy.
-- An iRule has CACHE::enable command, overwriting Cache-Control header's values "no-store" and/or "private".

Impact:
BIG-IP always requests for a response from the origin web server even when a response is cacheable, putting extra load on the origin web server.

1034589-2 : No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration.

Links to More Info: BT1034589

Component: TMOS

Symptoms:
It is possible to delete a Pool or Trunk from the configuration while one or more high availability (HA) Groups still reference it.

As a result, the configuration of affected high availability (HA) Groups is automatically and silently adjusted (i.e. the deleted object is no longer referenced by any high availability (HA) Group).

The lack of warning about this automatic change could lead to confusion.

Conditions:
A pool or trunk is deleted from the configuration while still being referenced from a high availability (HA) Group.

Impact:
The automatic and silent removal of the deleted object from all high availability (HA) Groups may go unnoticed by BIG-IP Administrators, with potential consequences on the failover behavior of the devices.

1034509-4 : Sensor read errors on VIPRION C2200 chassis

Links to More Info: BT1034509

Component: TMOS

Symptoms:
Due to LOP sensor read errors, the command 'tmsh show sys hardware' can list an RPM of 0 for some chassis fans.

Conditions:
- Running a C2200 VIPRION chassis
- Other conditions unknown

Impact:
Messages such as the following appear in /var/log/ltm:

warning chmand[7629]: 012a0004:4: hal_if_media_poll: media SVC exception: media: getLopReg error
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 1, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 2, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 3, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 4, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
warning chmand[7629]: 012a0004:4: getLopReg Sock error: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: GET_STAT failure (status=0xc) page=0x21 reg=0x50
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis 3.3V main voltage, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
notice chmand[7629]: 012a0005:5: Tmstat::updateSensorTbls: HAL SenSvc error: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: getChassisPwrSup err: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: getChassisPwrSup err: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory

Tmsh show sys hardware will list an RPM of 0 for chassis fans affected by the sensor read errors

Workaround:
No workaround currently known.

1034217-1 : Quic_update_rtt can leave ack_delay uninitialized

Links to More Info: BT1034217

Component: Local Traffic Manager

Symptoms:
Retransmission times to be very long if there is packet loss near the beginning of the connection.

Conditions:
-- Basic QUIC configuration
-- The first couple of packets in the connection reaches an uninitialized variable path before the connection reaches the ESTABLISHED state

Impact:
Uninitialized ack_delay variable could be any value and cause RTT measurements to be unusually large. That could cause retransmission times to be very long if there is packet loss near the beginning of the connection.

Workaround:
None

1034009-3 : CGNAT+Subscriber Discovery - NAT IP with wrong route domain on the CGNAT Log

Links to More Info: BT1034009

Component: Carrier-Grade NAT

Symptoms:
The route domain ID for the translated IP is incorrect in the log message.

Conditions:
This issue will be seen when the different route domain are configured for incoming and outgoing traffic.

Impact:
Log messages will have an incorrect domain-id.

Workaround:
None

1033969-3 : MPLS label stripping needs next protocol indicator

Links to More Info: BT1033969

Component: TMOS

Symptoms:
MPLS label stripping does not participate in the MPLS control-plane, and MPLS does not have a next protocol indicator.

Conditions:
This is encountered when attempting to pass IPv6 packets to GRE-encapsulated MPLS on BIG-IP systems.

Impact:
GRE/MPLS packets with IPv6 traffic encapsulated are not forwarded to the egress VLAN.

Workaround:
None

1033897-1 : DNSSEC keys generated independently are still in use after GTM sync

Links to More Info: BT1033897

Component: Global Traffic Manager (DNS)

Symptoms:
If GTM sync is broken around DNSSEC key rollover time and two devices generate a DNSSEC key independently, the key is still used for generating a DNSSEC signature after DNS config sync resumes.

Conditions:
-- iQuery connection broken between BIG-IP DNS devices during DNSSEC key rollover
-- A DNSSEC key is generated independently on the two affected devices
-- iQuery connection re-established, config sync resumes, and the DNSSEC key is overwritten on one device

Impact:
-- TMM continues using the old key for DNSSEC signatures
-- Different key in the running config than what is used for generating DNSSEC signatures.
-- Possibly invalid DNSSEC data in DNS caching resolvers.

Workaround:
Restart tmm on the affected device:

tmsh restart sys service tmm

1033829-1 : Unable to load Traffic Classification package

Links to More Info: BT1033829

Component: Traffic Classification Engine

Symptoms:
After installation and initial configuration, the latest Traffic Classification IM package fails to load.

Conditions:
This type of behavior is observed when the system is configured as follows,

1. LTM provisioned
2. Create virtual servers with classification profile
3. Then provision PEM module
4. Do a Hitless upgrade

Impact:
The latest Traffic Classification IM package fails to load.

Workaround:
Once the TMM is restarted after the issue, the latest IM is loaded.

1033781 : IP Reputation database sync fails when DB variable iprep.protocol is set to auto-detect

Links to More Info: BT1033781

Component: Advanced Firewall Manager

Symptoms:
The IP Reputation database is not updated at the regular intervals, as expected.

Conditions:
The DB variable iprep.protocol is configured with the default value of "auto-detect".

Impact:
The connection to the IP reputation database fails, and therefore traffic is not IP reputed.

Workaround:
Set the DB variable iprep.protocol to either ipv4 or ipv6, depending on the management IP.

1033761 : BIG-IP consumes excessive CPU when "Log Translation Fields" are enabled in logging policy

Links to More Info: BT1033761

Component: Advanced Firewall Manager

Symptoms:
CPU utilization is excessive when logging is enabled

Conditions:
-- The traffic consists of UDP DNS requests being load-balanced to a back-end DNS responder.
-- Caching is not being used.
-- The virtual-server has a Firewall policy, a DDoS policy, a udp datagram-lb profile, and a security-log-profile (HSL).

When the logging policy is present, the BIG-IP system consumes excessive CPU.

Impact:
High CPU usage while processing less number of packets

Workaround:
Do not use log-translations

1033689-2 : BGP route map community value cannot be set to the required range when using AA::NN notation

Links to More Info: BT1033689

Component: TMOS

Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component when using AA::NN notation.

Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535 with
   using AA::NN notation

Impact:
Unable to use the full range of BGP route map community values.

Workaround:
None

1033537-3 : Cookie persistence profile only examines the first cookie.

Links to More Info: BT1033537

Component: Local Traffic Manager

Symptoms:
The cookie persistence profile does not process multiple cookies with the same name. If that cookie is not valid for the selected pool or if it fails to decrypt, if encryption is enabled, it stops - even if there are other cookies of the same name.

Conditions:
-- Virtual server with an HTTP profile and a cookie persistence profile.
-- Multiple cookies with the same name arrive from the client.
 They can appear in a single Cookie header or two separate headers.
-- This can occur with cookie encryption enabled or disabled.

Impact:
Only the first cookie is evaluated.

Workaround:
Do not use cookie persistence profile.

1033333-3 : FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device

Links to More Info: BT1033333

Component: TMOS

Symptoms:
The 'tmsh list sys crypto key' command lists multiple keys with the same FIPS ID.

Conditions:
-- BIG-IP using a FIPS HSM
-- Import the stub FIPS key file contents (the filestore certificate_key file object) into the system as a new file object.

Impact:
Two object points to same key stored in the FIPS HSM. If one of the two objects are deleted, the key stored in the HSM will be deleted. This will result in traffic failures, i.e. TLS handshake failures.

Workaround:
Do not create a second MCP SSL key object by importing the stub key file content from the filestore.

1033025-2 : TMM might crash when unsupported bot iRule is used

Links to More Info: BT1033025

Component: Application Security Manager

Symptoms:
TMM crashes.

Conditions:
Bot defense iRule with async commands is attached to virtual server, for example:

when BOTDEFENSE_ACTION
{
        after 7000 {
            if { ([BOTDEFENSE::device_id] eq "0") }
                {
                    log local0. "Violations Names: [BOTDEFENSE::device_id];"
                    BOTDEFENSE::action browser_challenge
                }
           }

}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1033021-1 : UI: Partition does not work when clicking through security zones

Links to More Info: BT1033021

Component: Advanced Firewall Manager

Symptoms:
1. Zones UI is not refreshed when the partition changes
2. You are unable to administer zones while using partitions

Conditions:
Change the partition in GUI, then view the corresponding mapped zones.

Impact:
All zones are displayed for every partition instead of just the mapped zones

Workaround:
None

1033017-4 : Policy changes learning mode to automatic after upload and sync

Links to More Info: BT1033017

Component: Application Security Manager

Symptoms:
When newly created policies are synchronized, the learning states of the policies are different.

Conditions:
-- Active/Active high availability (HA) setup in sync-failover device group with ASM enabled.
-- Sync a new policy configured with disabled/manual learning mode.

Impact:
Learning mode changes from disabled to automatic on peer device after sync, so learning modes differ on the peer devices.

Workaround:
1. On the peer device, change the learning mode to disabled.
2. Push sync from the originator device.

Both devices are then in sync and policies have the same learning mode (disabled), so operations complete as expected.

1032921-3 : VCMP Guest CPU usage shows abnormal values at the Host

Links to More Info: BT1032921

Component: TMOS

Symptoms:
CPU usage is represented as 100% for each CPU core, so for instance top may report CPU usage above 100%
for a two CPU system, given that in that case 200% would actually represent the full CPU capacity.

Here for vCMP with 'n' CPUs reporting more than n*100% for CPU utilization.

Conditions:
VCMP provisioned on BIG-IP

Impact:
CPU utilization is incorrectly shown.

Workaround:
NA

1032821-5 : Syslog: invalid level/facility from /usr/libexec/smart_parse.pl

Links to More Info: BT1032821

Component: TMOS

Symptoms:
When the smart_parse.pl script is run and finds a disk error, it attempts to log an error with an incorrect syslog level.

Conditions:
Run smart_parse.pl on a BIG-IP platform with a disk error.

Impact:
When this script is run (usually as a cron job) the following message occurs:

syslog: invalid level/facility: error at /etc/cron.daily/pendsect line 194.

Workaround:
None.

1032257-2 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM

Links to More Info: BT1032257

Component: TMOS

Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.

Conditions:
Pva_pde_info is not initialized and Forwarded PVA requests occur.

Impact:
Hardware offload does not occur.

1031945-3 : DNS cache configured and tmm stuck in 'not ready' state indefinitely after TMM restart or reboot

Links to More Info: BT1031945

Component: Global Traffic Manager (DNS)

Symptoms:
Clusterd reports "TMM not ready" right after "Active"

Jun 23 18:21:14 slot2 notice sod[10084]: 010c0019:5: Active
Jun 23 18:21:14 slot2 notice clusterd[10920]: 013a0019:5: Blade 2 turned Yellow: TMM not ready

All blades are showing 'unavailable'

Conditions:
1. Multiple dns cache-resolver and/or net dns-resolver objects configured with names that only differ in letter case, e.g. /Common/example-dns-cache and /Common/Example-DNS-cache

2. Occurs after rebooting/upgrading

Impact:
The system remains inoperative.

1031461-4 : Session awareness entries aren't mirrored to both sides of an active-active deployment.

Component: Application Security Manager

Symptoms:
Session awareness entries aren't mirrored to both sides of an active-active deployment.

session db entries remain in bd (ASM) daemon until manually removed

Conditions:
- ASM provisioned
- Security policy attached to a virtual server
- Session tracking and Login Page enabled in the policy

Impact:
ASM session tracking feature isn't properly functioning on active-active deployment.

1031425-2 : Provide a configuration flag to disable BGP peer-id check.

Links to More Info: BT1031425

Component: TMOS

Symptoms:
A fix for ID 945265 (https://cdn.f5.com/product/bugtracker/ID945265.html) introduced strict checking of a peer-id. This check might be not desired in some configurations.

Conditions:
EBGP peering with two routers in the same autonomous system, configured with the same peer-id.

Impact:
BIG-IP will not pass the NLRIs between two eBGP peers. The following message can be seen in debug logs:
172.20.10.18-Outgoing [RIB] Announce Check: 0.0.0.0/0 Route Remote Router-ID is same as Remote Router-ID

Workaround:
Change peer-ids to be unique on eBGP peers.

1031413 : "tmsh load sys config default" does not reset the configs to default in VELOS tenant after reboot

Links to More Info: BT1031413

Component: TMOS

Symptoms:
BIG-IP is still able to retrieve previous configurations (pools, nodes, virtual servers, vlan, self-IPs etc) after a reboot in a VELOS environment.

Conditions:
tmsh load sys config default" executed and BIG-IP is rebooted without saving the config "tmsh save sys config

Impact:
Previous configuration loads even after resetting config to default.

Workaround:
After running "tmsh load sys config default", run "tmsh save sys config" before rebooting the BIG-IP tenant.

1031357-1 : After reboot of standby and terminating peer, some IPsec traffic-selectors are still online

Links to More Info: BT1031357

Component: TMOS

Symptoms:
HA Standby marks traffic selectors up when they are actually down on the Active device.

Conditions:
-- High availability (HA) configured and mirroring configured
-- IPsec tunnels up on Active
-- Reboot Standby
-- Standby starts correctly and all SAs are mirrored
-- Tunnel(s) go down on Active

Impact:
-- Traffic Selector is incorrectly marked up on the Standby when it is actually down on the Active.
-- While this is cosmetic, the information is misleading.

Workaround:
None

1031117-2 : The mcpd error for virtual server profiles incompatible needs to have more details

Links to More Info: BT1031117

Component: TMOS

Symptoms:
The mcpd error message MCPDERR_VIRTUAL_SERVER_INCOMPAT_PROFILE_PROTO currently has text which does not provide detail information.
-The error text should also list which profile is problematic, and the protocol that the virtual server is using. This will help Support pinpoint the issue much faster.

Conditions:
- Configure a virtual server with a profile that is invalid for its protocol.

Impact:
The error text not listing which profile is problematic, and the protocol that the virtual server is using.

Workaround:
None.

1031025-2 : Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.

Links to More Info: BT1031025

Component: TMOS

Symptoms:
During upgrade from v12.1.x to v14.1.x, New ".key.exp" export file is created for the FIPS keys present in the card.

Conditions:
This happens during the upgrade from v12.1.x to v14.1.x for the existing keys with ".key" extension to it in the label.

It occurs only if the key is deleted/not present in the FIPS card (e.g. a faulty card), and BIG-IP has the configuration / metadata for the missing keys.

Impact:
The upgrade fails while loading the configuration.

Workaround:
Delete the missing key's configuration from config file, then perform the upgrade.

1030853-2 : Route domain IP exception is being treated as trusted (for learning) after being deleted

Links to More Info: BT1030853

Component: Application Security Manager

Symptoms:
Traffic is considered trusted for learning even though a trusted IP exception was deleted.

Conditions:
Creating and deleting a route domain-specific IP exception

Impact:
Traffic learning suggestions scores are miscounted.
In automatic policy builder mode the policy can be updated by the policy builder based on the wrong score counting.

Workaround:
Stop and restart learning for the relevant policy

1030645-3 : BGP session resets during traffic-group failover

Links to More Info: BT1030645

Component: TMOS

Symptoms:
BGP session might be hard reset during a traffic group failover. The following log is displayed:

BGP[11111]: BGP : %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer reset due to nh address change

Conditions:
Floating self-ips defined on a single vlan/subnet, with different traffic-groups configured.

Impact:
BGP session goes down during traffic-group failover.

1030533-2 : The BIG-IP system may reject valid HTTP responses from OCSP servers.

Links to More Info: BT1030533

Component: Local Traffic Manager

Symptoms:
When this happens, the BIG-IP system can be seen closing the TCP connection to the OCSP server prematurely (for instance, as soon as the HTTP response headers are received, before the response body is transmitted).

If log.keymgmtd.level is set to debug, an error similar to the following example will be logged to the /var/log/ltm file:

Jun 22 14:40:08 bigip1.local debug tmm[9921]: 01a40004:7: OCSP validation result of certificate(/config/filestore/files_d/Common_d/certificate_d/:Common:endpoint-intermediate_69993_1): OCSP response - (connection - HTTP error), certificate status - (error), lifetime - 10.

Conditions:
The server uses a Content-Type HTTP header in its response that isn't just "application/ocsp-response" (for instance, it may include a charset specification after that string, or the string may use a mix of uppercase and lowercase letters).

Impact:
Valid HTTP responses from OCSP servers are rejected. OCSP stapling and OCSP validation are not available on the BIG-IP system.

Workaround:
If you control the OCSP server and are able to customize its HTTP response headers, setting the Content-Type to simply "application/ocsp-response" (all lowercase) is a workaround for this issue.

Otherwise, no workaround exists.

1030237-2 : Zxfrd core and continual restart when out of configured space

Links to More Info: BT1030237

Component: Global Traffic Manager (DNS)

Symptoms:
Zxfrd is in restart loop and occasionally cores.

Conditions:
Zxfrd is out of the configured space.

Impact:
Dns express and rpz does not work properly.

Workaround:
1. locate any zone that is suspiciously large and delete that zone from dns zones if unexpected;
2. Allocate more space for zxfrd using dnsexpress huge pages.
tmsh modify sys db dnsexpress.hugepages { value "8000" }
8000 should be adjusted accordingly.

1030185-3 : TMM may crash when looking up a persistence record using "persist lookup" iRule commands

Links to More Info: BT1030185

Component: Local Traffic Manager

Symptoms:
Tmm may crash with a SIGSEGV when looking up a persistence record in an iRule when using the "any" flag

Conditions:
-- The persistence entry exists on a virtual server other than the virtual server the iRule is configured on.
-- The iRule contains [persist lookup source_addr "[IP::client_addr] any"]

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Discontinue the use of the "any" flag in the persist lookup iRule.

1030093-3 : An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.

Links to More Info: BT1030093

Component: Local Traffic Manager

Symptoms:
When there is no pool object available, this issue results in only stream ID 1 succeeding to the server-side. All subsequent streams fail.

Conditions:
With the following configuration:
-- client side HTTP2
-- server side HTTP2
-- HTTP2 MRF enabled
-- translate-address disabled

Impact:
Connection only works for stream 1. All other streams fail.

Workaround:
If you set "translate-address enabled" on the virtual server, then all streams work fine.

1029989-2 : CORS : default port of origin header is set 80, even when the protocol in the header is https

Component: Application Security Manager

Symptoms:
Destination port is set to 80, instead of 443, for Origin header value that has https in the schema field.

This causes unexpected "Illegal cross-origin request" violation.

Conditions:
- Using CORS enforcement where you allow HTTPS and port 443 for an origin name
- The Origin header value has https in the schema
- The Origin header value does not specify non default port number

Impact:
Unexpected "Illegal cross-origin request" violation.

Workaround:
Allow port 80 or use 'any' for the given origin name.

1029949-1 : IPsec traffic selector state may show incorrect state on high availability (HA) standby device

Links to More Info: BT1029949

Component: TMOS

Symptoms:
IPsec traffic selector state can be viewed in the config utility or by tmsh with the "tmsh show net ipsec traffic-selector" command. On an high availability (HA) standby device, some selector states may be incorrect.

Conditions:
-- High availability (HA) environment
-- Standby reboots or in some way, such as a tmm restart, is forced to re-learn all the mirrored IPsec security associations (SAs).

Impact:
There is no functional impact. The issue is that a selector may incorrectly appear down in one or both directions.

Workaround:
When the tunnel re-keys on the high availability (HA) active device, the selector state shows the correct value.

1029633 : Intermittent REST api failure when using PUT to modify LTM config objects

Links to More Info: BT1029633

Component: Device Management

Symptoms:
For the Application editor user role, REST PUT calls to modify LTM Node parameter 'session' to "user-enabled" or "user-disabled" will fail randomly with the error response " seteuid error 1: Operation not permitted ".

Conditions:
1. User role is Application Editor.
2. REST PUT method is used to modify the LTM->Node->session
3. Only the PUT operation for modifying LTM->Node->session tends to return the error response.
4. No other LTM config object was facing this issue.

Impact:
Intermittent failures to modify LTM->Node->session will fail, and subsequent operations will succeed.

Workaround:
Using PATCH instead of PUT to modify /mgmt/tm/ltm/node "session" attribute will stop the intermittent failures observed with the PUT operation.

1029173-3 : MCP daemon does not log an error message upon connection failure to PostgreSQL server.

Links to More Info: BT1029173

Component: TMOS

Symptoms:
When mcpd fails to connect to PostgreSQL, the PostgreSQL error code and message is not logged. A very generic exception is thrown when the connection is lost.

Conditions:
- AFM is provisioned.
- Mcpd fails to connect pgsql.

Impact:
The failed connection is not logged, which makes the problem more difficult to troubleshoot.

1029069-1 : Non-ASCII characters are not displayed correctly.

Component: Local Traffic Manager

Symptoms:
Add new address ip with value that includes non ASCII characters in data group list.
Then go back GUI->Local Traffic ›› iRules : Data Group List and click it.
The value field does not display entered values.

Conditions:
Adding non ASCII characters to value field in data group lists.

Impact:
Impact the functioning of the address record, when the datagroup is called by an iRule for example.

Workaround:
Do not add non ASCII characters to value field.

1028969-2 : An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working

Links to More Info: BT1028969

Component: TMOS

Symptoms:
If both IKEv1 and IKEv2 try to listen to the same self IP address on the BIG-IP for a local tunnel IP address, only one can win, and previously a v2 ike-peer would be blocked if a v1 listener managed to get installed first.

If a partial tunnel config exists, with no ike-peer and only ipsec-policy and traffic-selector definitoins, this is understood to be IKEv1 implicitly, by default, and will install a v1 listener for the IP address and port.

Then if a fully configured ike-peer is added using IKEv2, it can fail to establish the required listener for v2 when an existing v1 listener is squatting on that IP address.

Conditions:
Conflict between IKEv2 and IKEv1 on the same IP address when:

-- a v2 ike-peer has local tunnel IP address X

-- a v1 ike-peer, or a traffic-selector with no peer at all, has the same local IP address X

Impact:
An IKEv2 tunnel can fail to negotiate when v2 packets cannot be received on a local IP address because a listener for IPsec cannot be established on that IP address.

Workaround:
You can avoid conflict between v1 and v2 by:

-- removing a traffic-selector not in use (which is v1)

-- avoiding use of the same local IP in both v1 and v2 definitions of ike-peer

1028493-3 : Live Update genesis file for Server Technologies installation fails

Component: Application Security Manager

Symptoms:
Installation of the Live Update genesis file (file included in BIG-IP) fails.

Conditions:
Live Update genesis file version is different than the BIG-IP version.

Impact:
"Server Technologies" will not be properly updated

Workaround:
Install latest "Server Technologies" update manually or upload the latest "Server Technologies" file.

1028269-1 : Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id

Links to More Info: BT1028269

Component: Carrier-Grade NAT

Symptoms:
On a BIG-IP device configured with CGNAT + subscriber discovery license, the LSN log shows "unknown" for the pem_subscriber-id field.

Conditions:
-- PEM and CGNAT enabled
-- RADIUS and CGNAT traffic are in different route domains

Impact:
LSN log shows "unknown" for the pem_subscriber-id field.

1027961-1 : Changes to an admin user's account properties may result in MCPD crash and failover

Links to More Info: BT1027961

Component: TMOS

Symptoms:
-- The mcpd process fails with a segmentation fault and restarts, leaving a core-dump file.
-- Active sessions in the Configuration Utility report "unable to contact BIG-IP device".
-- Various processes may record entries into the "ltm" log saying "Lost connection to mcpd."

Conditions:
-- Changes to properties of administrative user-login accounts are occurring.
-- A user account being changed has a current, active session in the Configuration Utility GUI.

Impact:
The failure and restart of mcpd will trigger a restart of many other processes, including the TMM daemons, thus interrupting network traffic handling. In high availability (HA) configurations, a failover will occur.

Workaround:
Before making changes to the account properties of an administrative user, where the changes affect the role, make certain that all GUI Configuration Utility sessions opened by that user are logged out.

1027805-3 : DHCP flows crossing route-domain boundaries might fail.

Links to More Info: BT1027805

Component: Local Traffic Manager

Symptoms:
DHCP flows crossing route-domain boundaries might fail.

Conditions:
Example of a configuration leading to the problem:
- route-domain RD%2 with parent defined as route-domain RD%1.
- Virtual-server in route-domain RD%2.
- Pool member configured in RD%2 (sharing IP addressing with RD1)
- DHCP client connects to the virtual-server in route-domain RD%2.
- Route lookup for a pool member ends up with connection in route-domain RD%1

Impact:
The second and subsequent DHCP clients requests will not be forwarded to the DHCP pool members.

Workaround:
When configuring a DHCP pool member, use the ID of the parent route-domain (the one that will be returned by a route-lookup for the pool member's IP address).

1027657-3 : Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules.

Links to More Info: BT1027657

Component: Global Traffic Manager (DNS)

Symptoms:
Inconsistent monitor intervals for resource monitoring.

Conditions:
"require M from N" monitor rules configured.

Impact:
Monitor status flapping.

Workaround:
Do not use "require M from N" monitor rules.

1027601 : AFM IP Error Checksum and Bad TCP Checksum vectors not supported

Links to More Info: BT1027601

Component: TMOS

Symptoms:
AFM does not report IP Checksum and Bad TCP Checksum vector attacks because these signatures are dropped in the SmartNIC hardware as malformed packets.

Conditions:
-- BIG-IP Virtual Edition running on a device with a SmartNIC -- AFM provisioned and configured to detect IP Checksum and Bad TCP Checksum vectors.

Impact:
SmartNIC drops the packets and they are not reported by AFM.

1027481-2 : 'error: /bin/haloptns unexpected error -- 768' log messages generated on A110 and D112 platforms

Links to More Info: BT1027481

Component: TMOS

Symptoms:
'error: /bin/haloptns unexpected error -- 768' message logged by system commands, including some startup scripts and the software installation process.

Running /bin/haloptns manually displays this output:
'Expected 32 bit OPTN field, found field "" instead.'

Conditions:
-- One of the following platforms:
  - D112 (B10350v-F (FIPS) or B10150s-N (NEBS))
  - A110 (VIPRION B4340N (NEBS) blades)

-- The system does not use RAID.

Impact:
Excessive "error: /bin/haloptns unexpected error -- 768" error messages in log files, and command output (e.g. "cpcfg").

There is no other impact, and the messages can be ignored.

Workaround:
Ignore the error messages.

1027477-2 : Virtual server created with address-list in custom partition non-RD0 does not create listener

Links to More Info: BT1027477

Component: TMOS

Symptoms:
After creating a virtual-server in a partition with a non RD0 route-domain attached, the virtual address listener does not get associated with the virtual server and the virtual address stays offline.

Conditions:
-- An address list (traffic matching criteria) is used when creating the virtual server in the GUI.
-- The virtual server is created with a route domain other than the default route domain.

Impact:
The virtual address remains in an offline state.

Workaround:
None.

1027237-3 : Cannot edit virtual server in GUI after loading config with traffic-matching-criteria

Links to More Info: BT1027237

Component: TMOS

Symptoms:
After creating a virtual server with a traffic-matching-criteria and then loading the configuration, you are unable to make changes to it in the GUI. Attempting to do so results in an error similar to:

0107028f:3: The destination (0.0.0.0) address and mask (::) for virtual server (/Common/test-vs) must be be the same type (IPv4 or IPv6).

Conditions:
-- A virtual server that has traffic-matching-criteria (i.e., address and/or port lists).
-- The configuration has been saved at least once.
-- Attempting to edit the virtual server in the GUI.

Impact:
Unable to use the GUI to edit the virtual server.

Workaround:
Use TMSH to modify the virtual server.

1026989-2 : More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet.

Links to More Info: BT1026989

Component: TMOS

Symptoms:
When a dynamic or static route is instantiated for application traffic processing, protection exists at configuration-validation time to ensure that the new route does not overwrite how the management port's subnet is accessed.

To do so, the destination of the new route is compared to the management port's subnet. If the two match, the new route is only instantiated in TMM, but not in the Linux host's routing table.

The issue is this logic fails when the new route is a subset of the management port's subnet. For example, if the new route is to destination 10.215.50.0/25, and the management port's subnet is 10.215.50.0/24, the new route will be added to both TMM and the Linux host, bypassing the aforementioned protection.

Instead, the logic should check for overlapping subnets, not just strict equality.

Conditions:
- A dynamic or static route whose destination partially overlaps with the management port's subnet is added to or learnt by the system.

Impact:
A new and more specific route for part of the management port's subnet is added to the Linus host's routing table.

Part of the management port traffic can fail or be misrouted via a TMM interface.

If multiple routes of this kind are instantiated (e.g. 10.215.50.0/25 + 10.215.50.128/25), the whole management port's subnet can be overtaken.

Workaround:
Redesign your network and then reconfigure the BIG-IP system so that TMM does not need access to the management port's subnet or part of it (thus negating the need to create a route to that destination in the first place).

If this is not possible, you can temporarily resolve the issue by using the `route` or `ip` utility on the Linux host subsystem to manually fix the routing table. However, the issue will occur again the next time the problematic route is loaded or learnt by the system.

1026973-2 : Static routes created for application traffic processing can erroneously replace the route to the management subnet.

Links to More Info: BT1026973

Component: TMOS

Symptoms:
If a static route is added via "tmsh create net route" (or equivalent configuration ingestion system), and this route's destination matches the management port's subnet, the protection that prevents the new route from being propagated to the Linux kernel will initially work, but will fail after mcpd is restarted or the system is rebooted.

Conditions:
- A static route whose destination matches the management port's subnet is added to the system.

- The system is rebooted or mcpd is restarted.

Impact:
The directly-connected route for the management port's subnet appearing in the Linux host's routing table is replaced, or complemented, by a new and unnecessary route.

In either case, management port traffic can fail or be misrouted via a TMM interface.

Workaround:
Align your network and the BIG-IP system so that TMM does not need access to the management port's subnet (thus negating the need to create a route to that destination in the first place).

If this is not possible, you can temporarily resolve the issue by using the `route` or `ip` utility on the Linux host subsystem to manually fix the routing table. However, the issue will occur again the next time mcpd or the system restarts.

1026861-2 : Live Update of Browser Challenges and Anti-Fraud are not cleaned up

Links to More Info: BT1026861

Component: TMOS

Symptoms:
When installing live updates of either Browser Challenges (ASM) or Anti-Fraud (FPS), the update file remains in the system, taking up disk space and increasing config sync size.

Conditions:
Installing Live Update files of either Browser Challenges (part of ASM) or Anti-Fraud (part of FPS).

Impact:
Increased disk size, config size, and config-sync size.

Workaround:
It is possible to manually clean up old, unused Live Update files using TMSH or REST:
tmsh delete security datasync update-file datasync-global/<file>

Important: Use caution, as deleting update-files that are in use could cause the system to go offline or get out of sync. The in-use update files can be observed under the GENERATION PROFILES section of the /var/log/datasyncd.log file.

Note: There is no auto-completion on the 'update-file' keyword.

1026813-5 : LCD IP address is missing from /etc/hosts on iSeries

Links to More Info: BT1026813

Component: Global Traffic Manager (DNS)

Symptoms:
On iSeries platforms, /etc/hosts is missing an entry for the LCD IP address, 127.4.2.2.

Conditions:
Run any iSeries appliance.

Impact:
- BIG-IP generates reverse DNS requests for the LCD.
- /var/log/touchscreen_lcd lists the IP address "127.4.2.2" as the hostname

Workaround:
Add an entry for the LCD to /etc/hosts by modifying the 'remote-host' global settings, by running the following tmsh command:

tmsh modify sys global-settings remote-host add { lcd { addr 127.4.2.2 hostname lcd } }
tmsh save sys config

Or, in the BIG-IP GUI, System >> Configuration : Device : Hosts

1026621-2 : DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist

Links to More Info: BT1026621

Component: Global Traffic Manager (DNS)

Symptoms:
DNS query could not be resolved properly.

Conditions:
1. dnscache.matchwildcardvip is enabled
2. Multiple possible routes to destination DNS server exist. This can be triggered by either using a gateway pool, or using dynamic routing with multiple equal paths available.

Impact:
Unable to use snatpool for cache resolver.

Workaround:
Ensure only a single route to destination exists, or disable dnscache.matchwildcardvip

NOTE: With dnscache.matchwildcardvip disabled, snatpool will not be used.

1026605-4 : When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes

Links to More Info: BT1026605

Component: Local Traffic Manager

Symptoms:
When bigd.mgmtroutecheck is enabled and monitors are configured in a non-default route-domain, bigd may calculate the interface index incorrectly. This can result in monitor probes improperly being denied when they egress a non-mgmt VLAN. Or monitor probes might be allowed to egress the management interface

Conditions:
-- Bigd.mgmtroutecheck is enabled.
-- Monitor probes in a non-default route domain
-- More than one VLAN configured in the route-domain

Impact:
Monitor probes may be denied even thought they egress a non-mgmt VLAN.

Monitor probes may be improperly allowed out a mgmt interface.

/var/log/ltm:
err bigd.0[19431]: 01060126:3: Health check would route via mgmt port, node fc02:0:0:b::1%1. Check routing table.

bigd debug log:
:(_do_ping): probe denied; restricted egress device and route check [ tmm?=false td=true tr=false addr=fc02:0:0:b::1%1:0 srcaddr=none ]

Workaround:
Disable bigd.mgmtroutecheck, reduce the number of VLANs inside the route-domain

1026581-1 : NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly.

Links to More Info: BT1026581

Component: TMOS

Symptoms:
When logging Carrier Grade NAT Port Port Block Allocation (CGNAT PBA) events using NetFlow/IPFIX log destinations,
if the AFM module is not enabled, the observationTimeMilliseconds Information Element value is incorrectly reported as zero in reported events.

Conditions:
Using CGNAT PBA, logging to a NetFlow/IPFIX log destination, and AFM is not enabled.

Impact:
CGNAT PBA events containing the observationTimeMilliseconds Information Element will report incorrect values for this field.

Workaround:
1) Enable AFM module, or
2) Enable lsn-legacy-mode in the log profile

1026277-2 : Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled

Component: Application Security Manager

Symptoms:
With auto-sync enabled, replacing multiple policies on Unit-A with policies having Policy Builder enabled, "Apply Policy" initiated by Policy Builder can be ignored at Unit-B that results all the policy on Unit-A appear as not-edited while a few policies on Unit-B appear as edited.

Conditions:
-- Using auto-sync
-- Multiple policies are replaced (imported as replacing method) at the same time
  Note : bulk import/replace is only possible via Ansible (also, maybe scripting that utilizes REST API)
-- Those imported policies have Policy Builder enabled

Impact:
Inconsistent policy state in auto-sync members

Workaround:
Make a minor update on those affected policies, then "Apply Policy" will fix the inconsistent state.

1026273-1 : HA failover connectivity using the cluster management address does not work on VIPRION platforms

Links to More Info: BT1026273

Component: TMOS

Symptoms:
Upon upgrade to an affected version, failover communication via the management port does not work. You may still see packets passing back and forth, but the listener on the receiving end is not configured, and therefore the channel is not up.

Here are a few symptoms you may see:
-- Running 'tmsh show cm failover-status' shows a status of 'Error' on the management network.

-- Running 'tmctl' commands reports the disconnected state:
Example:
$ tmctl -l sod_tg_conn_stat -s entry_key,last_msg,status
entry_key last_msg status
----------------------------- ---------- ------
10.76.7.8->10.76.7.9:1026 0 0 <--- Notice there is no 'last message' and 'status' is 0, which means disconnected.
10.76.7.8->17.1.90.2:1026 1623681404 1

-- Looking at 'netstat -pan | grep 1026 command output, you do not see the management port listening on port 1026:
Example (notice that the management IP from the above example of 10.76.7.9 is not listed):
# netstat -pan | grep 1026
udp 0 0 10.10.10.10:1026 0.0.0.0:* 6035/sod

-- Listing /var/run/ contents shows that the chmand.pid file is missing:
 # ls /var/run/chmand.pid
ls: cannot access /var/run/chmand.pid: No such file or directory

Conditions:
-- Running on VIPRION platforms
-- Only cluster management IP address is configured: No cluster member IP addresses are configured
-- Install a software version where ID810821 is fixed (see https://cdn.f5.com/product/bugtracker/ID810821.html)
-- Management IP is configured in the failover configuration

Impact:
If only the management is configured for failover or there are communication issues over the self IP (such as misconfigured port lockdown settings), then the devices may appear to have unusual behavior such as both going active.

Workaround:
-- Configure a cluster member IP address on each individual blade in addition to the Cluster management IP address.

1025965-3 : Audit role users cannot see folder properties under sys-folder

Links to More Info: BT1025965

Component: TMOS

Symptoms:
Users with auditor role cannot create, modify, or delete any data, nor can they view SSL keys or user passwords. Users with the Auditor role have access to all partitions on the system, and this partition access cannot be changed.

Conditions:
Run tmsh command to check the access under sys folder

Impact:
Tmsh does not allow sys folder component for auditor.
no-ref-check, traffic-group, device-group

1025513-2 : PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog

Links to More Info: BT1025513

Component: TMOS

Symptoms:
The following JSON content can be seen in the HTTP 401 response. (By looking at the capture or RESTful client)

{"code":401,"message":"Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/tm/ltm/pool/?expandSubcollections=true Referrer:<ip_address> Sender:<ip_address>,"referer":<ip_address>,"restOperationId":12338804,"kind":":resterrorresponse"}


Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:

 PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
High concurrent authentication attempts may trigger this issue. For example, opening a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), and then closing the connection. If done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent auth issue results in failure of some auth request.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to rerun auth request.

For automation tools, please use token-based authentication.

1025261-2 : When restjavad.useextramb is set, java immediately uses more resident memory in linux

Links to More Info: BT1025261

Component: TMOS

Symptoms:
When restjavad.useextramb is set, java immediately reserves more memory and the process size (RSS) increases.

Conditions:
When restjavad.useextramb and when provision.extramb is set to a non-default value.

Impact:
The restjavad process size will use more RSS.

Workaround:
Revert the restjavad.useextramb value or set provision.extramb higher to compensate.

1025089-3 : Pool members marked down by database monitor due to stale cached connection

Links to More Info: BT1025089

Component: Local Traffic Manager

Symptoms:
By default, BIG-IP database monitors (mssql, mysql, oracle, postgresql) are configured to keep a connection to the database server open between monitor probes to avoid the overhead of establishing the network connection to the database server for each query operation.
If this cached network connection times out or is dropped by the database server, it is marked as "stale" when the next probe occurs, and a new connection is made during the next scheduled monitor probe.
In the meantime, due to the lost connection, the monitored pool member may be marked DOWN until the next scheduled monitor probe. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.

Conditions:
This may occur under the following conditions:
-- GTM or LTM pool members are monitored by a database monitor, configured such that a single probe failure will mark the member DOWN. (Such configuration may be more common for GTM monitors.)
-- Either the database server times out or drops the connection for some reason, or no database monitor probes are sent to the database server within a 5 minute interval.

Impact:
GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.

Workaround:
To work around this issue, perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching/reuse of network connections to the database server between probes. Thus there is no cached connection to time out/get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe.
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN.

1024905-2 : GTM monitor times out if monitoring a virtual server with translation address

Links to More Info: BT1024905

Component: Global Traffic Manager (DNS)

Symptoms:
GTM monitor flaps between UP and DOWN.

Conditions:
1. GTM configured with two type of IP addresses, one IPv4 with translated address and IPv6 without translated address, or the other way around.
2. The monitored resource is with the translated address of the other type. If step 1, IPV4 translated, then step with IPV4 translated address.

Impact:
Monitor flaps.

Workaround:
Configure both with translated address.

1024841-1 : SSL connection mirroring with ocsp connection failure on standby

Links to More Info: BT1024841

Component: Local Traffic Manager

Symptoms:
SSL connection mirroring with ocsp stapling connection failure on standby, active completes handshake with delay.

Conditions:
SSL connection mirroring with ocsp stapling

Impact:
Handshake delay on active

Workaround:
Disable ocsp stapling or ssl connection mirroring

1024661-2 : SCTP forwarding flows based on VTAG for bigproto

Links to More Info: BT1024661

Component: TMOS

Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.

Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down

Impact:
Flow creation on the wrong TMM and some traffic is dropped.

Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable

1024621-3 : Re-establishing BFD session might take longer than expected.

Links to More Info: BT1024621

Component: TMOS

Symptoms:
It might take a few minutes for a BFD session to come up. During this time you will notice session state transition multiple times between 'Admin Down' <-> 'Down'.

Conditions:
BFD peer trying to re-establish a session with BIG-IP, choosing ephemeral ports dis-aggregating to different TMMs.

Impact:
It might take a few minutes for a BFD session to come up.

Workaround:
Increasing Tx/Rx timers will minimize a chance of hitting the problem (For example 1000 TX/RX)

1024437-3 : Urldb index building fails to open index temp file

Links to More Info: BT1024437

Component: Access Policy Manager

Symptoms:
The following error message shows up in /var/log/urldbmgr-trace.log:

THREAD: 2CDD4700; ERROR; WsFileOpen: Could not open file /var/urldb/staging/current/host.6417.byte.dat.003
THREAD: 2CDD4700; ERROR; WsIndexBuilderOpenFile: Failed to open index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7OpenFile: Failed to open Host index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7BuildProcessTempFiles: Failed to open host index temp file

As a result of this error, some requested URL category lookups return "Uncategorized".

Conditions:
The error can happen during index building after a new primary URLDB is downloaded.

Impact:
Some websites are categorized as "Uncategorized"

Workaround:
1) Stop urldbmgrd:
    bigstart stop urldb urldbmgrd

2) Delete databases:
    rm -rf /var/urldb/master/
    rm -rf /var/urldb/rtu/

3) Start urldbmgrd:
    bigstart start urldb urldbmgrd
 
4) Force database download:
   - tmsh command: "modify sys url-db download-schedule urldb download-now true", or
   - Admin GUI: Access >> Secure Web Gateway >> Database Settings >> Database Download >> Download Now
 
Databases will re-download and index.

1024301-2 : Missing required logs for "tmsh modify disk directory" command

Links to More Info: BT1024301

Component: TMOS

Symptoms:
In case of failure of "tmsh modify disk directory" command, log which help to find reason for failure are getting missed.

Conditions:
Attempt to resize some volumes via the "tmsh modify disk directory" command

Impact:
Not able to find failure reason for resize of volumes.

Workaround:
Manually running the resize2fs command, can give the reason for failure.

1024269-2 : Forcing a file system check on the next system reboot does not check all filesystems.

Links to More Info: BT1024269

Component: TMOS

Symptoms:
Forcing a file system check on the next system reboot, as described in K73827442, does not check all filesystems, but only the root (/) filesystem. This should not be the case and is a regression compared to previous BIG-IP versions.

After the reboot, you can inspect which filesystems were checked by running the following command:

journalctl --all --no-pager | grep -i fsck

Conditions:
A BIG-IP Administrator follows the procedure to force a file system check on the next system reboot.

Impact:
Some filesystems will not be fixed, and will continue to be corrupted. This can have a number of negative consequences. For instance, enlarging a filesystem (via the 'tmsh modify sys disk directory' command) can fail when a filesystem is dirty.

Workaround:
You can boot the system from the Maintenance Operating System (MOS), and perform all needed file system check operations from there. To boot the system into MOS, simply type 'mosreboot'. Note that once the system reboots into MOS, you will need video console access (for VE systems) or serial console access (for hardware systems) to be able to run fsck and the reboot the system into a regular BIG-IP boot location.

For more information on MOS, please refer to K14245.

1024241-2 : NULL TLS records from client to BIG-IP results in SSL session termination

Links to More Info: BT1024241

Component: Local Traffic Manager

Symptoms:
After client completes TLS handshake with BIG-IP, when it sends a NULL TLS record, the client BIG-IP SSL connection is terminated.

Conditions:
This is reported on i7800 which has Intel QAT crypto device
The issue was not reported on Nitrox crypto based BIG-IP platforms. Issue is not seen when hardware crypto is disabled

Impact:
SSL connection termination is seen in TLS clients

Workaround:
Disable hardware crypto acceleration

1024225 : BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request

Links to More Info: BT1024225

Component: Local Traffic Manager

Symptoms:
BIG-IP proxying http2 -> http1.1. In response to a HEAD request, pool member sends response with "Transfer-Encoding: chunked" header without chunked payload. BIG-IP sends "Transfer-Encoding: chunked" header back to http2 client which generates RST_STREAM, PROTOCOL_ERROR. According to RFC 7450 a proxy SHOULD remove such headers.

Conditions:
1) H2 <-> H1 is configured on virtual server
2) HEAD request over http2->http1.1 gateway getting chunked response.

Impact:
Http2 connection is reset

Workaround:
iRule to remove "Transfer-Encoding: Chunked" header from response.

1024029-3 : TMM may crash when processing traffic with per-session APM Access Policy

Component: Access Policy Manager

Symptoms:
Under certain conditions, TMM may crash while processing traffic with per-session APM Access Policy rules.

Conditions:
- APM provisioned
- Per-Request APM Access Policy enabled

Impact:
TMM crash leading to a failover event.

Workaround:
Remove all perflow vars like %{perflow.*} from per session APM policy

1023889-2 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message

Links to More Info: BT1023889

Component: Application Security Manager

Symptoms:
Protocol filter does not suppress WS/WSS server->client message.

Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests

Impact:
Remote log server receives unexpected messages

Workaround:
None

1023829 : Security->Policies in Virtual Server web page spins mcpd 100%, which later cores

Links to More Info: BT1023829

Component: TMOS

Symptoms:
With a large number of VLANs (3000+) and virtual servers (2000+), the virtual server list page consumes excessive resources, eventually leading to a mcpd crash.

Conditions:
-- A huge number of VLANs and virtual servers exist.
-- The virtual server list page is displayed

Impact:
Page becomes inaccessible. Mcpd may crash. Traffic and control plane disrupted while mcpd restarts.

1023817-1 : Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning

Links to More Info: BT1023817

Component: TMOS

Symptoms:
While loading the configuration or specifying that NAT64 should be disabled on a virtual server, a warning is displayed or logged:

"Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required."

This warning should only be displayed when a virtual server has both NAT64 enabled and a security NAT policy present, but may occur incorrectly even when NAT64 is disabled.

Conditions:
This warning may be incorrectly generated when all of these conditions are met:

-- a multi-bladed VIPRION
-- virtual servers in the configuration security NAT policies
-- receiving a ConfigSync from a peer, or running "tmsh load sys config" on the primary blade

Impact:
An erroneous warning is logged. It can be safely ignored.

1023529-1 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.

Links to More Info: BT1023529

Component: Local Traffic Manager

Symptoms:
Command "tmsh show sys tmm-traffic" reports non-zero number of current connections but "tmsh show sys connection" shows nothing.

Conditions:
-- A virtual sever with fastL4 profile with infinite timeout enabled and an iRule containing "after" command. Having "-periodic" argument makes the problem more prominent.
-- Aggressive sweeper activated due to low memory conditions.

Impact:
Connections that were supposed to be removed by aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection." Because of this issue, these connections cannot be deleted manually using 'tmsh del sys connection", but remain in memory. Their presence can be confirmed by non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they will not timeout by themselves either.

Workaround:
N/A

1023461 : Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created

Links to More Info: BT1023461

Component: Carrier-Grade NAT

Symptoms:
Two pools are configured, for example:
A: any destination
B: destination 8.8.8.8

1. Making connections and utilizing port block allocation (PBA) pool A works as expected; pools are correctly allocated and released as needed.
2. When a client has active PBA pool A allocated and requests pool B (because of connectivity to specific destination IP), then each subsequent connection request from that client results in new PBA pool B allocation.

Conditions:
Multiple rules are defined to configure PBA.

Impact:
If a request does not belong to the first pool then it will not belong any other, so the system creates a new pool.

Workaround:
None

1022997-3 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)

Links to More Info: BT1022997

Component: TMOS

Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).

Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs

Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).

Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:

ndal force_sw_tcs off 1d0f:ec20

Then restart TMM:

bigstart restart tmm

Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).

1022973 : Sessiondb entries related to Oauth module not cleaned up in certain conditions

Links to More Info: BT1022973

Component: Access Policy Manager

Symptoms:
When an OAuth AS is configured with a refresh lifetime of '0', this implies that the refresh token lifetime is infinite. This leads to all sessiondb entries related to this refresh token (including associated access token entries in sessiondb) to have infinite lifetime.

Conditions:
Refresh token lifetime is set to '0'.

Impact:
User will see consistent and persistent increase in memory consumption by TMM, potentially leading to out-of-memory situation.

Workaround:
Do not set refresh token lifetime to '0'.

1022877-2 : Ping missing from list of Types for OAuth Client

Component: Access Policy Manager

Symptoms:
Ping is missing from the 'Type' dropdown menu in Access ›› Federation : OAuth Client / Resource Server : OAuth Server ›› New OAuth Server Configuration...

Conditions:
-- Affected BIG-IP version
-- Add new Oauth server configuration from Access :: Federation : OAuth Client / Resource Server : OAuth Server :: New OAuth Server Configuration...

Impact:
Oauth client configuration for the server of type 'Ping' cannot be created via GUI

Workaround:
Use tmsh to create the configuration, e.g.:

tmsh create apm aaa oauth-server <server name> provider-name Ping dns-resolver-name <dns-resolver-name>

1022757-3 : Tmm core due to corrupt list of ike-sa instances for a connection

Links to More Info: BT1022757

Component: TMOS

Symptoms:
Tmm generates a core when a corrupt list of ike-sa instances is processed.

Conditions:
Deletion of an expired ike-sa.

Impact:
Restart of tmm and re-negotiation of IPsec tunnels. Traffic disrupted while tmm restarts.

Workaround:
None

1022613-3 : Cannot modify Security "global-network" Logging Profile

Links to More Info: BT1022613

Component: Advanced Firewall Manager

Symptoms:
When attempting to update the settings of the Security Logging profile, the window displays a modal dialog box titled "Saving Logging Profile" and never completes the update Action

Conditions:
"global-network" logging profile is selected for update

Impact:
You are unable to update the log settings for the "global-network" profile via UI

Workaround:
Use tmsh

1022493-2 : Slow file descriptor leak in urldbmgrd (sockets open over time)

Links to More Info: BT1022493

Component: Access Policy Manager

Symptoms:
Unix domain sockets are opened and never closed in urldbmgrd. This is a very slow leak over time.

Conditions:
SWG or URLDB is provisioned.

Impact:
Urldbmgrd may hit a limit of open file descriptors, and may eventually core and restart. When urldbmgrd restarts, urldb also restarts. This may result in a momentary instant where URL categorization is not available.

Workaround:
Restarting urldbmgrd will clear the open file descriptors. Performing a forced restart during a time of no traffic will mitigate the risk of urldbmgrd restarting at an inconvenient time if there are too many sockets open.

"bigstart restart urldbmgrd" will restart the daemon.

1022453-2 : IPv6 fragments are dropped when packet filtering is enabled.

Links to More Info: BT1022453

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
Some or all of the fragments of an IPv6 packet are lost.

Workaround:
Disable packet filtering

1022421-3 : Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk

Links to More Info: BT1022421

Component: TMOS

Symptoms:
The pendsec utility recognizes that the disk is a HDD and attempts to run a smart check against it but it does not recognize or support the disk type that is in the system and therefore you will see log messages like this in /var/log/messages when the cron job attempts to run:

   May 14 15:34:04 fqdn.device.com notice pendsect[11461]: skipping drive --
   May 14 15:34:04 fqdn.device.com notice pendsect[11461]: No known drives detected for pending sector check. Exiting

Conditions:
- i2x00 or i4x00 platform with the Seagate brand HDD

Impact:
Cosmetic

Workaround:
You can mitigate the cosmetic log issue by suppressing the pendsec utility.

Login to BIG-IP using SSH
 
 Navigate to /etc/cron.daily
# cd /etc/cron.daily
 
Create new directory called suppress
# mkdir suppress
 
Move the pendsect cron job to suppres
# mv pendsect suppress

1022417-2 : Ike stops with error ikev2_send_request: [WINDOW] full window

Links to More Info: BT1022417

Component: TMOS

Symptoms:
IKE SAs will be lost.

Conditions:
A failover occurs while IKE is sending DPD to the peer, and the reply is received by the newly active BIG-IP.

Multiple failovers can increase the likelihood that this occurs.

Impact:
IKE SAs may be deleted and there will be traffic loss.

Workaround:
Increase in DPD interval to reduce the probability of occurrence of the issue.

1022297-3 : In BIG-IP GUI using "Select All" with filters is not working appropriately for policies

Links to More Info: BT1022297

Component: TMOS

Symptoms:
In BIG-IP GUI using "Select All" with filters is not working appropriately for policies. When you attempt to delete policies after using filtering, all policies are deleted.

Conditions:
In BIG-IP GUI policies page, apply filter and using select all, for an action is selecting all objects and filter not applied.

Impact:
All policies objects are affected for an action, and filter is not applied

1022213-3 : DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up

Links to More Info: BT1022213

Component: Advanced Firewall Manager

Symptoms:
When the BDoS log message level is set to "Warning", some high availability (HA) watchdog messages are logged:

info bdosd[14184]: BDoS: May 27 03:51:40|loadState|460|HA Watchdog was not found <DNS_CLASS_L>

Conditions:
-- DDoS is used.
-- Dynamic signature is enabled on vectors
-- Default BDoS log level is changed to Warning.

Impact:
Unwanted log messages displayed. They can be safely ignored.

1021925-3 : During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface

Links to More Info: BT1021925

Component: TMOS

Symptoms:
AWS-based BIG-IP instance with a static IP assigned to the mgmt interface and a custom gateway configured, the box fails to load its license during startup.

Conditions:
BIG-IP configured with static IP address and customize gateway for default route.

Impact:
BIG-IP fails to load license.

Workaround:
Once BIG-IP boots up, execute reloadlic command which installs the license.

1021873-2 : TMM crash in IPIP tunnel creation with a pool route

Links to More Info: BT1021873

Component: TMOS

Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file in the /shared/core directory while processing traffic.

Conditions:
1)Virtual server attached with an ipip encapsulation enabled pool
2)Multiple paths to pool members
(pool route to pool member)

Impact:
Traffic disrupted while tmm restarts.

1021837-2 : When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected"

Links to More Info: BT1021837

Component: Local Traffic Manager

Symptoms:
Connections are reset with "No server selected" cause.

Conditions:
-- An inline service profile ("ltm profile service") attached to a normal virtual server

Impact:
TCP connections are reset

Workaround:
Delete and recreate the virtual server without the inline service profile associated with it.

Simply removing the service profile from the virtual server is not sufficient.

1021737 : NAT policy rules are matched regardless of route domains

Links to More Info: BT1021737

Component: Advanced Firewall Manager

Symptoms:
Only the first policy rule is processed, as route domain indices not respected.

Conditions:
-- Two custom route domains, each with a virtual server configured in them
-- A policy with two rules (one per route domain ID) is assigned to both the virtual servers

Impact:
Unable to segregate client traffic, as route domain indices are not respected in NAT policy rules

Workaround:
Use a separate policy on the wildcard virtual server for each route domain.

1021637-2 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs

Links to More Info: BT1021637

Component: Application Security Manager

Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list

Conditions:
ASM policy with CSRF settings

Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.

Workaround:
None

1021633 : DDoS: ICMPv6 packets not reported properly by Virtual DDoS

Links to More Info: BT1021633

Component: Advanced Firewall Manager

Symptoms:
Hardware does not support ICMPv6 protocol by virtual server DOS (Dos profile attached to virtual server).

Conditions:
-- BIG-IP hardware platform
-- Virtual server configured with a DoS profile
-- ICMPv6 traffic reaches the virtual server

Impact:
ICMPv6 Packets will be mitigated as per configuration but will not be reported in stats table

Workaround:
None

1021521-2 : JSON Schema is not enforced if OpenAPI media-type is wild card

Component: Application Security Manager

Symptoms:
If the openAPI configuration contains a wildcard media type for an endpoint, ASM does not enforce the JSON schema for requests with a JSON payload

Conditions:
Create an OpenAPI policy with media type set to wildcard

Impact:
ASM doesn't enforce JSON schema validation for HTTP requests containing a JSON payload

1021109-3 : The cmp-hash VLAN setting does not apply to trunked interfaces.

Links to More Info: BT1021109

Component: TMOS

Symptoms:
-- CPU usage is increased.
-- Throughput is reduced.
-- Packet redirections occur (visible when using 'tmctl -d blade tmm/flow_redir_stats')

Conditions:
-- Traffic is received on trunked interfaces.
-- The cmp-hash setting has a non-default value.
-- The platform is BIG-IP Virtual Edition (VE).

Impact:
Performance is reduced. Output from 'tmctl -d blade tmm/flow_redir_stats' shows redirections.

Workaround:
-- Use the default cmp-hash setting.
-- Do not trunk interfaces.

1020789-3 : Cannot deploy a four-core vCMP guest if the remaining cores are in use

Links to More Info: BT1020789

Component: TMOS

Symptoms:
When trying to deploy a vCMP guest on an i11800 vCMP host using four or more cores while all of the other cores are in use, the following error message may be seen:

err mcpd[<pid>]: 0107131f:3: Could not allocate vCMP guest (<guest_name>) because fragmented resources

--------------------------------------------------
one more similar issue has raised for 8 guests allocation failure

When trying to deploy a eight core guest on an i11800 vCMP host where four 2 cores are in use, the following error message may be seen:

0107131f:3: Could not allocate vCMP guest (guest-8cores-A) because fragmented resources

Conditions:
-- VCMP provisioned and all or most cores are in use.
-- Attempt to deploy a guest

This is more likely to occur with vCMP guests that use four or more cores.

Impact:
All of the available cores cannot be used.

Workaround:
You may be able to work around this by deploying the largest guests first, then any remaining 2-core guests.

There is currently no other fix.

1020717-3 : Policy versions cleanup process sometimes removes newer versions

Component: Application Security Manager

Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.

Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.

Impact:
Newer versions are removed.

Workaround:
increase value of "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg"

1020377-2 : Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon

Links to More Info: BT1020377

Component: TMOS

Symptoms:
If an IKEv2 tunnel terminates with an error condition, afterward it is possible for IKE packets to be received by the IKEv1 racoon daemon, which is listening to local host (i.e 127.0.0.1) on ports 500 and 4500.

Conditions:
To get the problem to occur, you may need these details:

-- an IKEv2 config where traffic selector narrowing happens
-- termination of an IKEv2 tunnel with an error condition
-- some other BIG-IP service using the same local self IP

Packets can reach the IKEv1 racoon daemon only when some BIG-IP service uses bigself as the proxy, which forwards packets to localhost (127.0.0.1) with the same port number. So even if no IKEv1 config is present for a local self IP, if some other BIG-IP service also uses bigself as a proxy, this can forward IKE packets to localhost as well.

Impact:
The IKEv2 tunnel does not get renegotiated, because IKE packets reach the IKEv1 daemon, which ignores them, because the proper listener to handle IKEv2 is missing. As a result, tunnel service is interrupted.

Workaround:
Deleting and re-adding the problematic ike-peer and traffic-selector should bring back IPsec support for that tunnel.

If the initiating and responding sides of the tunnel have identical traffic-selector proposals, then narrowing should not happen, and this would also prevent the problem in the first place.

1020349-2 : APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL

Links to More Info: BT1020349

Component: Access Policy Manager

Symptoms:
APM daemon (apmd) crashes and a coredump is created at '/var/core/'

Conditions:
-- Configure On-Demand Cert Auth with any Auth Mode
-- 'Request/Require'
-- Configure AAA CRLDP

Impact:
All CRLDP based authentications fail.

Workaround:
None

1020337-1 : DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator

Links to More Info: BT1020337

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cores with umem debug enabled.

Conditions:
A string operation is performed against DNS resource records (RRs) from DNSMSG::section in an iRule.

Impact:
Tmm memory corruption. In some situations, tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use string operations against DNS RRs returned from DNSMSG::section.

1020277-2 : Mcpd may run out of memory when build image is missing

Links to More Info: BT1020277

Component: TMOS

Symptoms:
After installing a new blade, if the BIG-IP does not have the appropriate images to install all volumes onto the new blade, it can get stuck waiting to install. This may cause mcpd to eventually run out of memory.

Running "tmsh show sys software" shows a message similar to this for a prolonged period of time:

HD1.2 3 BIG-IP 12.1.3.5 0.0.10 no waiting for product image (BIG-IP 12.1.3)

Conditions:
-- Installing a new blade into a chassis-based system.
-- Missing BIG-IP image(s) necessary to update all volumes on the new blade.

Impact:
Mcpd eventually runs out of memory and cores.

Workaround:
Either delete the affected volume if it is no longer necessary, or copy the appropriate BIG-IP image to /shared/images.

1020149-2 : Bot Defense does not support iOS's WKWebView framework

Links to More Info: BT1020149

Component: Application Security Manager

Symptoms:
When using the Bot Defense Profile, mobile apps which use iOS's WKWebView framework may get blocked from accessing the website.

Conditions:
-- Using the Bot Defense Profile
-- Mobile apps which use iOS's WKWebView framework try to access the website

Impact:
Mobile apps which use iOS's WKWebView framework may get blocked from accessing the website.

Workaround:
None

1020129-1 : Turboflex page in GUI reports 'profile.Features is undefined' error

Links to More Info: BT1020129

Component: TMOS

Symptoms:
The System :: Resource Provisioning : TurboFlex page is unusable, and the BIG-IP GUI reports an error:

An error occurred: profile.Features is undefined.

Conditions:
-- BIG-IP iSeries appliance
-- Upgrade to:
--- v15.1.3 or later within v15.1.x
--- v16.0.1.2 or later within v16.0.x
--- v16.1.0 or later
-- Accessing the System :: Resource Provisioning : TurboFlex page in the BIG-IP GUI

Impact:
Unable to manage TurboFlex profile via the BIG-IP GUI.

Workaround:
Use tmsh or iControl REST to manage TurboFlex profile configuration.

1020109-2 : Subnet mask property of virtual addresses not displayed in management GUI

Links to More Info: BT1020109

Component: TMOS

Symptoms:
You cannot determine the subnet mask for a displayed virtual address using only the BIG-IP management GUI.

Conditions:
-- A virtual address (automatically created by any virtual server) exists in the configuration.
-- Using the management GUI.

Impact:
Potential difficulty in troubleshooting and verifying config due to having to use other methods (accessing the CLI) to check a virtual address's netmask.

Workaround:
Use tmsh to determine the subnet mask.

1020089-2 : MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks

Links to More Info: BT1020089

Component: TMOS

Symptoms:
Multiple virtual servers with the same virtual address but with different subnet masks are allowed.

Conditions:
Creation of multiple virtual servers with the same virtual address but with different subnet masks.

Impact:
Latest virtual server instantiation implicitly and silently modifies the subnet mask of the virtual address, making the system not behave as the user thinks or intended.

Workaround:
None.

1020069-2 : Equinix SmartKey HSM is not working with nethsm-partition 'fortanix'

Links to More Info: BT1020069

Component: Local Traffic Manager

Symptoms:
Setting up the Equinix SmartKey HSM with nethsm-partition 'fortanix' (or anything other than 'auto') pkcs11d logs an error:

err pkcs11d[21535]: 01680040:3: netHSM: Failed to find partition with label 'fortanix' on the netHSM.

Conditions:
Configuring a nethsm-partition other than 'auto'.

Impact:
BIG-IP does not connect to the HSM and SSL traffic is disrupted.

Workaround:
Use the nethsm-partition 'auto'
tmsh create sys crypto fips nethsm-partition 'auto'

1020061-1 : Nested address lists can increase configuration load time

Links to More Info: BT1020061

Component: Advanced Firewall Manager

Symptoms:
Whenever there are a number of nested address lists configured, the 'load sys config' command takes a long time to complete.

Conditions:
-- Several nested Address Lists are configured.
-- The 'load sys config' command is run.

Impact:
Upgrading (load sys config) takes a lot of time of time to complete, which sometimes causes Packet Correlation Classification Daemon (pccd) to fail.

If pccd fails, the system is unable to detect and compile firewall configuration changes, meaning that changes made to the firewall configuration are not enforced.

Note: The firewall configuration that was running before pccd goes down continues to be enforced; only changes are not enforced.

Workaround:
None

1020049 : iControl REST 401 error caused by pam-authenticator failure

Links to More Info: BT1020049

Component: TMOS

Symptoms:
F5 OpenStack LBaaSv2 driver code can produce many iControl REST API calls against a BIG-IP VE device. Some of those API calls get 401 responses and so, the whole configuration procedure fails.

Conditions:
iControl authentication code executes a pam-authenticator command to verify admin password, and the pam-authenticator command often fails, if we run several processes of it at the same time

Impact:
iControl API returns 401 error, even if the admin password is correct.

1020041-2 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs

Component: Policy Enforcement Manager

Symptoms:
The following message may be logged to /var/log/tmm*

   Can't process event 16, err: ERR_NOT_FOUND

Conditions:
Applying a PEM policy to an existing session that already has that policy (eg, through an irule using 'PEM::subscriber config policy referential set xxxx'

Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.

Workaround:
--

1019829-1 : Configsync.copyonswitch variable is not functioning on reboot

Links to More Info: BT1019829

Component: TMOS

Symptoms:
Configsync.copyonswitch variable is not functioning properly during reboot to another partition

Conditions:
-- db variable configsync.copyonswitch modified
-- hostname is changed in global-settings
-- reboot to another partition

Impact:
The hostname will be changed back to the default hostname after reboot

1019749-1 : Enabling DHCP for management should not be allowed on vCMP guest

Links to More Info: BT1019749

Component: TMOS

Symptoms:
Options to enable DHCP for the management interface are available on vCMP guests.

Conditions:
-- BIG-IP vCMP guest running on an appliance

Impact:
VCMP guest can be configured with options that are incompatible with VCMP operation.

This might result in a loss of management IP in the guest after a reboot

Workaround:
Do not attempt to DHCP on the management interface of a vCMP guest.

1019709-2 : Modifying mgmt-dhcp options should not be allowed on VCMP guest

Links to More Info: BT1019709

Component: TMOS

Symptoms:
Option to modify mgmt-dhcp to dhcpv4 or dhcpv6 is available on VCMP guest.

Conditions:
This is encountered with the following tmsh command

modify sys global-settings mgmt-dhcp
Values:
  dhcpv4 dhcpv6 disabled enabled

Impact:
VCMP guest can be configured with options that are incompatible with VCMP operation.

This might result in a loss of management IP in the guest after a reboot

Workaround:
N/A

1019641-1 : SCTP INIT_ACK not forwarded

Links to More Info: BT1019641

Component: Local Traffic Manager

Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.

Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table

Impact:
Flow state can become out of sync between TMMs

Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.

1019613-3 : Unknown subscriber in PBA deployment may cause CPU spike

Links to More Info: BT1019613

Component: Carrier-Grade NAT

Symptoms:
in PBA deployment, a CPU spike may be observed if the subscriber-id log is enabled and the subscriber-id is unknown.

Conditions:
-- PBA configuration
-- Address translation persistent is enabled
-- Subscriber-id log is enabled
-- There is an unknown subscriber

Impact:
Overall system capacity reduces.

Workaround:
Disable subscriber-id logging.

1019557-2 : Bdosd does not create /var/bdosd/*.json

Links to More Info: BT1019557

Component: Advanced Firewall Manager

Symptoms:
JSON files for historical data are not created for each virtual server in /var/bdosd.

BDOS for DDoS works on current data in memory but cannot to depend on the historical data for all virtual servers

Conditions:
BDOS is configured for any virtual server

Impact:
Custom signature or BDDoS-generated signature for the virtual server does not work correctly.

Workaround:
None

1019357-1 : Active fails to resend ipsec ikev2_message_id_sync if no response received

Component: TMOS

Symptoms:
In high availability (HA) setup, after failover, the newly active BIG-IP device, will send ikev2_message_id_sync messages to the other device.

If the BIG-IP device did not receive a response, it has to retransmit the packet. Some of the IKE tunnels are trying to retransmitting the packet, but its not going out of BIG-IP due to wrong state of relation between IKE tunnel and connection flow.

After 5 retries, it marks the peer as down, and the IKE tunnel is deleted.

Conditions:
-- High availability (HA) environment
-- IKE tunnels configured
-- A failover occurs

Impact:
Traffic loss.

Workaround:
None

1019285-3 : Systemd hangs and is unresponsive

Links to More Info: BT1019285

Component: TMOS

Symptoms:
When memory is exhausted on the system and systemd tries to fork to start or stop a service, systemd fails and enters "freeze" mode.

Conditions:
Following log messages can be seen in the daemon.log log file:

err systemd[1]: Failed to fork: Cannot allocate memory
crit systemd[1]: Assertion 'pid >= 1' failed at src/core/unit.c:1997, function unit_watch_pid(). Aborting.
emerg systemd[1]: Caught <ABRT>, cannot fork for core dump: Cannot allocate memory
emerg systemd[1]: Freezing execution.

Impact:
Systemd does not provide service anymore.

Workaround:
Reboot the system to restore the systemd services.

1019261-2 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.

Links to More Info: BT1019261

Component: Local Traffic Manager

Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".

Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with SSL profile field is set to the default of "None"

Impact:
The TLS settings for the HTTPS monitor monitor probes will not match those of the ServerSSL "serverssl" profile and may cause unexpected behavior such as utilizing TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.

Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.

Attaching the profile "serverssl" will result in the same behavior that SSL Profile "none" should provide, given that the "serverssl" profile should be the default.

1019129-3 : Changing syslog remote port requires syslog-ng restart to take effect

Links to More Info: BT1019129

Component: TMOS

Symptoms:
Modified remote port in syslog configuration takes effect only after restart of the syslog-ng.

Conditions:
-- Configure the remote syslogs and allow some time to pass.
-- Change the local IP or remote port in syslog config.

Impact:
Change does not occur until you reboot or restart syslog-ng.

Workaround:
To cause the change to occur, restart syslog-ng:
bigstart restart syslog-ng

1019085-1 : Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.

Links to More Info: BT1019085

Component: TMOS

Symptoms:
Network virtual-addresses default to "arp disabled" and "icmp-echo disabled". However, a BIG-IP Administrator can change these settings to "enabled", if required.

Either following a software upgrade or a reload of the configuration from file, network virtual-addresses that had previously been set to "icmp-echo enabled" revert to the default of "icmp-echo disabled".

Conditions:
- One or more network virtual-addresses configured with "icmp-echo enabled".

- A software upgrade or reload of the configuration from file occurs (for example, taking and restoring a UCS archive, removing the mcpd binary database and reloading the config, etc.).

Impact:
Traffic failures can occur as a result of the affected network virtual-addresses not being presented to the surrounding network as originally intended by the BIG-IP Administrator.

Workaround:
Manually configure the affected virtual-addresses to "icmp-echo enabled" again. This workaround is not permanent, and the issue will occur again in the future given the right conditions.

1018877-1 : Subsession variable values mixing between sessions

Links to More Info: BT1018877

Component: Access Policy Manager

Symptoms:
Subsession variable lookup internally assumes that a complete session DB lookup name (Session ID + Subsession key) is used. However, when using the lookup table, only the subsession key is passed in.

Conditions:
Subsession variables are referenced in the Per-Request Policy outside of the Subsession without the Session ID.

Impact:
A Per-Request Policy execution may get the value of the subsession variable from a different APM session.

Workaround:
Add the session ID to the reference to the subsession variables used in Per-Request Policies.

1018765-2 : Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system

Links to More Info: BT1018765

Component: Local Traffic Manager

Symptoms:
After using "sys sshd port" to change the default port for sshd, some utilities may no longer work properly on the BIG-IP, such as:

"tmsh reboot slot ..."

or

qkview

or

any command using clsh

or

ssh slot<slot number>

Conditions:
-- Chassis system with multiple blades.
-- Default sshd port was modified.

Impact:
Unable to run commands on secondary blades.

Workaround:
-- Reconfigure SSHD to run on the default port, 22.

or

-- Specify an explicit port when using ssh and log in to each blade to run the desired commands, e.g. "ssh -p 40222 slot2"

1018673-2 : Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop

Links to More Info: BT1018673

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition receives a host packet that has a multicast MAC address as its nexthop, it will disaggregate this by forwarding it to all TMMs. This results in all TMMs egressing the packet.

Conditions:
-- BIG-IP Virtual Edition
-- A route is configured to a multicast MAC address
-- Host traffic (e.g. non-TMM monitors, ping, etc.) is routed to the multicast MAC address

Impact:
Extraneous packets are egressed from the BIG-IP.

Workaround:
Partial workaround for the case of monitors: use in-TMM monitors where possible. Otherwise, there is no workaround for this.

1018613-3 : Modify wideip pools with replace-all-with results pools with same order 0

Links to More Info: BT1018613

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wideip pools have the order 0.

Conditions:
There are overlap for the pools for command replace-all-with and the pools to be replaced.

Impact:
iQuery flapping between GTMs.

Workaround:
First delete all pools from the wideip and then use replace-all-with.

1018165-2 : GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain

Links to More Info: BT1018165

Component: TMOS

Symptoms:
A virtual server created in a non-default route-domain with a DHCPv6 profile shows as using a DHCPv4 profile 'None' in the GUI.

Conditions:
-- Virtual server using a DHCPv6 profile.
-- Virtual server must be in a non-default route-domain.
-- Using the GUI to view the virtual server.

Impact:
Incorrect view of the configuration.

Workaround:
None

1017897-2 : Self IP address creation fails with 'ioctl failed: No such device'

Links to More Info: BT1017897

Component: TMOS

Symptoms:
Creating a self IP address after a route-domain using TMSH reports an error:

01070712:3: Cannot get device index for Backend in rd2 - ioctl failed: No such device.

Conditions:
Using tmsh, create a Trunk, create a VLAN on the trunk, create a route-domain, then create a self IP address.

Impact:
Self IP address creation fails after route-domain creation.
Unable to run declarative-onboarding declaration.

Workaround:
Add a short delay after modifying/creating the route domain before creating the self IP address.

Note: Self IP address should be created after route-domain creation.

1017885-4 : Wildcard server-name does not match multiple labels in FQDN

Links to More Info: BT1017885

Component: Local Traffic Manager

Symptoms:
Wildcard server-name does not match multiple labels in FQDN
for example: *.domain.com matches a.domain.com or a.bc.domain.com, but it does not match domain.com but here multiple labels(a.bc.domain.com) are not matched to the wildcard (*.domain.com).

Conditions:
Client-ssl is configured with a wildcard server-name with the virtual server configured with multiple client-ssl profiles. The correct ssl profile (and therefore certificate) is chosen based on SNI from the client Hello.

Impact:
Generates default profile/certificate when trying to match with multiple labels using wildcard, when it should generate correct certificate matched to the wildcard in server name.

Workaround:
N/A

1017857-3 : Restore of UCS leads to incorrect UID on authorized_keys

Links to More Info: BT1017857

Component: TMOS

Symptoms:
After restoring a UCS from a different BIG-IP device, the admin user is unable to log in via SSH using SSH public key authentication.

Conditions:
-- Create a UCS on one BIG-IP system where a UCS archive has been restored in the past (including by an upgrade)
-- Import the UCS to a different BIG-IP system and load it

Impact:
You are unable to log in as the admin user via SSH using key-based authentication.
NOTE: Password authentication works without any issues.

Workaround:
Change the owner of /home/admin/.ssh/authorized_keys to 'root', by running the following command:

    chown root /home/admin/.ssh/authorized_keys

This command can also be run via iControl REST using the /mgmt/tm/util/bash endpoint.

1017801-3 : Internal listeners (cgc, ftp data, etc) all share the same listener_key stats

Links to More Info: BT1017801

Component: Local Traffic Manager

Symptoms:
Internal stats are not accurate because they are shared across multiple listener types

Conditions:
This can occur when multiple virtual server types are in use and passing traffic.

Impact:
Internal listener stats are not accurate.

1017721-3 : WebSocket does not close cleanly when SSL enabled.

Links to More Info: BT1017721

Component: Local Traffic Manager

Symptoms:
After sending a close frame to the WebSocket server, the WebSocket client receives 1006 response.

Conditions:
Virtual server with the following profiles:
-- WebSocket
-- HTTP over SSL (at least server side SSL)

and connection closure is initiated by the client.

Impact:
Client side applications experience errors in the form of WebSocket abnormally closing connections with error code 1006.

Workaround:
Avoid using SSL on WebSocket server context.

1017557-3 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN

Links to More Info: BT1017557

Component: Application Security Manager

Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backed server sends a bad chunked response

Impact:
Valid requests can be reset.

Workaround:
Any one of the following workarounds can be applied.

-- Fix backed server behavior.
-- Fix bad response using iRule, appending proper terminating 0 chunk
-- Change ASM internal /usr/share/ts/bin/add_del_internal update bypass_upon_load 1

1017513-3 : Config sync fails with error Invalid monitor rule instance identifier

Links to More Info: BT1017513

Component: Local Traffic Manager

Symptoms:
If you remove or attach a different monitor to an fqdn pool, then perform a full config-sync, an error occurs:

Load failed from /Common/bigip1 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 58.

Conditions:
-- BIG-IP device is configured with fqdn nodes/pools with monitors.
-- Modify an fqdn pool to remove or attach a different monitor.
-- Run the command: run cm config-sync to-group Failover
-- Perform a full config-sync.

Impact:
Sync to the peer device(s) fails.

Workaround:
Use incremental-sync.

1017421-3 : SASP Monitor does not log significant error conditions at default logging level

Links to More Info: BT1017421

Component: Local Traffic Manager

Symptoms:
Most error conditions encountered by the SASP monitor are not logged at the default logging level ("error"). Most of the meaningful error conditions, including Exceptions, are logged at "info" or "debug" levels. Obtaining details to diagnose the SASP monitor issues requires reconfiguring sys db saspd.loglevel for a value of "info" or "debug".

Conditions:
-- Using the SASP monitor to monitor LTM pool members
-- Leaving the saspd.loglevel system DB variable configured at the default value of "error"

Impact:
Errors which occur intermittently or once while monitoring LTM pool members using the SASP monitor may not be diagnosable.

Workaround:
Configure the saspd.loglevel system DB variable with a value of "info" (for normal operations) or "debug" (if problems are occurring repeatedly).

1017261-5 : Configuraton update triggers from MCP to ASM are ignored

Links to More Info: BT1017261

Component: Application Security Manager

Symptoms:
If a stale/incorrect but running PID is present in /var/ts/var/install/ucs_install.pid, then ASMConfig will think it is in the middle of a UCS or Sync load event and ignore updates from MCP.

Conditions:
A UCS load event such as an upgrade or a config sync is interrupted and ASM is not restarted until another process reuses the process id from the upgrade.

Impact:
Updates from MCP are ignored which can cause:
* Missed sync events
* Missed updates for logging or pool configuration
* Missing security policies

Workaround:
Delete /var/ts/var/install/ucs_install.pid

1017149-3 : User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs

Component: Application Security Manager

Symptoms:
User-defined bot signatures that are created in tmsh are not enforced if there are similar factory bot signatures even when they are staged.

Conditions:
User-defined bot signature is created in tmsh and is matched also by staged factory bot signature.

Impact:
User-defined signature is not enforced correctly

Workaround:
Define user-defined bot signature using the GUI and if signature domain are needed but can't be configured by the GUI, define the domain in tmsh after the signature is created with:
tmsh mod security bot-defense signature <sig_name> domains replace-all-with { domains }

1017029-3 : SASP monitor does not identify specific cause of failed SASP Registration attempt

Links to More Info: BT1017029

Component: Local Traffic Manager

Symptoms:
On affected BIG-IP versions, upon startup, the SASP monitor sends a single Registration Request to the SASP GWM (Group Workload Manager) to initiate monitoring of configured LTM pool members. This Registration Request contains all configured LTM pools (SASP Groups) and members (SASP Group Members).

If an error is encountered by the SASP GWM with one of the SASP Groups in the request, the registration of all groups fails.
However, the GWM does not provide any indication of *which* Group or member does not match the GWM configuration, hindering troubleshooting efforts.

The current BIG-IP behavior does not allow identification of the specific pool/member or monitor that is misconfigured and thus responsible for the failed SASP Registration attempt.

Conditions:
This behavior occurs on affected BIG-IP versions when the LTM SASP monitor is configured to monitor members of multiple LTM pools, and when BIG-IP start/restarts/reboots or the configuration is loaded.

Impact:
If a single Registration Request fails, the GWM terminates the connection with the Load Balancer (BIG-IP SASP monitor). This behavior is defined by the SASP protocol and SASP GWM implementation.

As a result, the SASP monitor will mark all pool members DOWN that are monitored by the SASP monitor, halting traffic from flowing to all pools monitored by the SASP monitor.

When an error occurs during registration of the LTM pools (SASP Groups), the GWM does not provide any indication of *which* Group or member does not match the GWM configuration.
Since a single error message is returned by the SASP GWM for the entire Registration Request (for all SASP Groups), the SASP monitor cannot indicate which Group (pool/member) or monitor caused the error.

This hinders efforts to troubleshoot the cause of the failure, while all traffic has stopped flowing to the SASP-monitored pools.

Workaround:
To diagnose this issue, first enable saspd debug logging:
tmsh mod sys db saspd.loglevel value debug_msg
(Optional alternative values include deep_debug and debug, but provide less detail.)

With saspd debug logging enabled, a message like the following in /var/log/monitors/saspd.log confirms that an error occurred during the Registration step:
SASPProcessor::processRegistrationReply: received error registering workloads with GWM ##.##.##.###:3860: 69 'InvalidGroup'

If the above message is found to confirm this issue, the primary path to resolution should be for the BIG-IP administrator to very carefully compare the BIG-IP pool/member and sasp monitor configuration with the SASP GWM configuration, to identify any mismatches or inconsistencies between the configurations.

On the BIG-IP system, to help isolate the misconfigured LTM pool(s)/member(s) causing the SASP Registration failure:
1. Remove the sasp monitor from configured LTM pools/members one at a time, and observe whether any pool members still monitored by the sasp monitor are marked UP.
2. Add the sasp monitor back to configured LTM pools/members one at a time, in the same order as removed, except for the last LTM pool/member from which it was removed.
3. Save and reload the configuration, and check whether the LTM pools/members monitored by the sasp monitor are still marked UP.
4. Repeat as necessary if there appear to be multiple LTM pools/members causing a SASP Registration failure.


Alternately, it may be possible to choose a different monitor (using a more fault-tolerant protocol) to monitor the status of affected pool members.

1016921-4 : SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled

Links to More Info: BT1016921

Component: Local Traffic Manager

Symptoms:
Eight-second delays occur on traffic through an SSL connection mirroring virtual server, and errors occur on the standby device:

crit tmm7[11598]: 01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:0906D06C:PEM
err tmm7[11598]: 01010282:3: Crypto codec error: sw_crypto-7 Couldn't initialize the elliptic curve parameters.
crit tmm7[11598]: 01010025:2: Device error: crypto codec No codec available to initialize request context.

Conditions:
All of these conditions:
-- SSL connection mirroring enabled
-- Session tickets are enabled
-- High availability (HA) environment

and one of the following:
-- Running BIG-IP v14.1.4.1 or above (in the v14.1.x branch)
or
-- Engineering hotfix applied to v14.x/v15.x that has the ID760406 fix (see https://cdn.f5.com/product/bugtracker/ID760406.html)

Impact:
SSL traffic is significantly delayed and errors are thrown on the standby device.

Workaround:
Any one of the following could prevent the problem.

-- client-ssl profile cache-size 0.
-- client-ssl profile session-ticket disabled (default).
-- disable SSL connection mirror on virtual server.

1016909-2 : BIG-IP iRule commands FLOW::this or FLOW::peer can create zombie flows.

Links to More Info: BT1016909

Component: Local Traffic Manager

Symptoms:
Keeping a variable reference to FLOW::this or FLOW::peer in iRules can result in zombie connection flows that are never removed.

TMM memory use for 'connflow' and 'tclrule_pcb' are high, and do not match the number of current connections reported by the system.

Conditions:
-- iRule that uses FLOW::this or FLOW::peer, and stores the result of one of those commands into a variable.

Impact:
Increased memory use in TMM, which can eventually result in a TMM crash or traffic disruption while connections are removed using the connection sweeper.

Workaround:
Do not retain the result of 'FLOW::this' or 'FLOW::peer' in a variable in an iRule. Instead, either:

1. Use the variable directly, i.e.:
    log local0.warning: "The flow is [FLOW::this]"

2. Unset the variable when done, i.e.:
    set flow [FLOW::this]
    log local0.warning: "The flow is $flow"
    unset flow


If a system is already affected by this issue, the only way to free that memory is to restart TMM.

1016589-3 : Incorrect expression in STREAM::expression might cause a tmm crash

Links to More Info: BT1016589

Component: Local Traffic Manager

Symptoms:
Tmm restarts and generates a core file

Conditions:
An iRule uses STREAM::expression that contains certain strings or is malformed.

Stream expressions use a string representing a series of search/replace or search components. If there is more than one search-only component, this might cause tmm to crash.

The delimiter character used is the first character of each component search/replace pair. This example uses the '@' character as the delimiter, but it is malformed.

Given
  STREAM::expression "@dog@dot@cat@car@uvw@xyz@"
This would be interpreted as three items:
  search for "dog" replace with "dot"
  search for "at@"
  search for "r@uvw@xyz@"

This string should likely be:
  STREAM::expression "@dog@dot@@cat@car@@uvw@xyz@"
Which would be interpreted as
  search for "dog" replace with "dot"
  search for "cat" replace with "car"
  search for "uvw" replace with "xyz"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that strings in STREAM::expression iRule statements do not have more than one search-only component and are well formed.

1016481-3 : Special JSON characters in Dom Signatures breaks configuration

Component: Fraud Protection Services

Symptoms:
FPS modules malfunction.

Conditions:
Unescaped special JSON characters used in Dom Signatures.

Impact:
FPS client-side JS unable to load configuration JSON.

Workaround:
Manually escape all special JSON characters in Dom Signatures.

1016449-2 : After certain configuration tasks are performed, TMM may run with stale Self IP parameters.

Links to More Info: BT1016449

Component: Local Traffic Manager

Symptoms:
A Self IP instantiated by performing specific configuration tasks (see Conditions) does not work (e.g. the system does not respond to ARP requests for it).

On the contrary, the system continues to use (e.g. respond to ARP requests for) an old version of the Self IP specifying a different address.

Conditions:
This issue is known to occur when one of the following operations is performed:

- Restoring a UCS or SCF archive in which a Self IP with a specific name specifies a different address.

- Performing a config-sync between redundant units in which the sender changes a Self IP with a specific name to use a different address. For example:

tmsh delete net self <name>
tmsh create net self <name> address <new_address> ...
tmsh run cm config-sync to_group ...

- Performing specific tmsh CLI transactions involving Self IP modifications.

Impact:
The system does not utilise the configured Self IP address. Traffic will be impacted as a result (for example, in connections to the unit, in snat automap, etc.).

Workaround:
Restart TMM (bigstart restart tmm) on affected units.

1016433 : URI rewriting is incorrect for "data:" and "javascript:"

Links to More Info: BT1016433

Component: TMOS

Symptoms:
In case of LTM rewrite, HTML content having attribute values like "javascript:", "mailto:", "data:" etc are incorrectly rewritten as URI. This can cause web applications to fail.

Conditions:
-- LTM rewrite profile in URI translation mode.
-- HTML contents of web application contains attribute values like "javascript:abc", "data:" etc.

Impact:
Incorrect URI rewriting may cause web application to fail.

1016049-4 : EDNS query with CSUBNET dropped by protocol inspection

Links to More Info: BT1016049

Component: Local Traffic Manager

Symptoms:
EDNS query might be dropped by protocol inspection with an error log in /var/log/ltm similar to:

info tmm[21575]: 23003139 SECURITYLOG Drop sip:192.168.0.0 sport:64869 dip:1.1.1.1 dport:53 query:test.f5.com qtype:malformed attack:malformed

Conditions:
Query containing CSUBNET option.

Impact:
Some queries might fail.

1015881-3 : TMM might crash after configuration failure

Links to More Info: BT1015881

Component: Application Security Manager

Symptoms:
TMM crashes after DoSL7 application configuration failure

Conditions:
DoSL7 configuration is changed, and the configuration change fails in TMM.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

1015817-3 : Flows rejected due to no return route do not increment rejection stats

Links to More Info: BT1015817

Component: Local Traffic Manager

Symptoms:
When flows are rejected due to no return route being present, the BIG-IP does not increment the appropriate statistics to indicated this.

Conditions:
Flows are rejected due to no return route.

Impact:
There is no indication of the real problem when viewing the statistics.

1015793-2 : Length value returned by TCP::payload is signed and can appear negative

Links to More Info: BT1015793

Component: Local Traffic Manager

Symptoms:
When an iRule uses TCP::collect, if the amount of received data being buffered exceeds 2147483647 octets, the value returned from [TCP::payload length] will appear as a negative integer.

Conditions:
An iRule has been written to use TCP::collect with a very high-volume input stream.

Impact:
The unanticipated negative value may confuse the iRule's logic, with unpredictable effects. In extreme cases, a disruption of the TMM could occur.

Workaround:
Convert the result of "TCL::payload length" to an unsigned integer before using it, e.g.:

    set curlen [expr { 0xffffffff & [TCP::payload length] }]

Note: the amount of accumulated payload still must not exceed 4,294,967,295 bytes (2^32-1).

1015645-1 : IPSec SA's missing after reboot

Links to More Info: BT1015645

Component: TMOS

Symptoms:
Some IPSec SA's created after Tunnel migration may be missing after a reboot.

Conditions:
- IPSec tunnels
- Load balancing continues through tunnel migration
- The active BIG-IP system is rebooted

Impact:
Some IPSec SA's may be missing after the reboot

Workaround:
None

1015501-4 : Changes to DHCP Profile are not used by tmm

Links to More Info: BT1015501

Component: Policy Enforcement Manager

Symptoms:
After changing the authentication settings of a DHCP profile, the old authentication settings are still used.

Conditions:
Modify ltm profile dhcpv4 Discovery_DHCPv4_profile authentication { enabled true virtual RadiusAAA }

Impact:
New connections use existing listeners.

Workaround:
Restart tmm.

Impact of workaround: traffic disrupted while tmm restarts.

1015453-3 : Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI

Links to More Info: BT1015453

Component: TMOS

Symptoms:
The "Local Traffic" menu in System -> Configuration is inaccessible in the GUI.

Conditions:
-- LTM is licensed but not provisioned.
-- AFM, DNS, and DoS are not provisioned.
-- Other modules (such as APM) are provisioned

Impact:
Unable to configure SYN cookies.

Workaround:
Use TMSH to configure SYN cookies.

1015161-2 : Ephemeral pool member may not be created when FQDN resolves to address that matches static node

Links to More Info: BT1015161

Component: Local Traffic Manager

Symptoms:
An ephemeral pool member may not created if the FQDN name resolves to a new IP address that matches an existing statically-configured node.

When this occurs, a message like the following appears in the LTM log:

err mcpd[4498]: 01070734:3: Configuration error: node (/Common/_auto_10.10.120.12) not found.

Note that the node name in the message is the expected name of an ephemeral node created for this address, not the actual name of the statically-configured node with that IP address.

Conditions:
This may occur if:
-- The FQDN node and pool member are created with the "autopopulate enabled" option.
-- The FQDN name resolves to more than one IP address.
-- One of these IP addresses was not included in the previous DNS query result.
-- There is a statically-configured node with the same IP address.

Impact:
An ephemeral pool member is not created for the IP address newly included in the DNS query result. This results in traffic not being load-balanced to all of the expected pool members.

Workaround:
Use one of the following methods to prevent this issue from occurring:
-- Avoid creating statically-configured nodes using the same IP addresses returned by resolution of configured node/pool member FQDN names.
-- Configure the FQDN pool member with "autopopulate disabled" (default), which creates only a single ephemeral pool member.

Perform this sequence of actions to recover from an occurrence of this issue:
1. Remove any pool members referencing the conflicting IP address(es) from their respective pool(s).
2. Delete the statically-configured node(s) using the conflicting IP address(es).
3. Add any pool members referencing the conflicting IP address(es) back to their respective pool(s).

1015117-3 : Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used

Links to More Info: BT1015117

Component: Local Traffic Manager

Symptoms:
HTTP header corruption occurs after insertion/modification using an iRule in HTTP Headers which contain mixed end-of-line markers <CRLF> and <LF>.

Conditions:
- HTTP virtual server
- An iRule, policy or profile inserts an HTTP Request header - Such as x-forwarded-for
- An HTTP request contains some lines that end with <CRLF> and some that end with <LF>

Impact:
Inserted headers get concatenated in such a way that the HTTP request header gets corrupted.

Workaround:
Use HTTP headers with proper end-of-line markers in compliance with HTTP RFC

1014973 : ASM changed cookie value

Links to More Info: BT1014973

Component: Application Security Manager

Symptoms:
ASM changes the value of a cookie going to the server.

Conditions:
Specific conditions.

Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.

Workaround:
Change the following bigdb :
tmsh modify sys db asm.strip_asm_cookies value false
There is no need to restart asm.

1014761-1 : [GTM][GUI] Not able to enable/disable pool member from pool member property page

Links to More Info: BT1014761

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to enable/disable pool members from the pool member property page.

Conditions:
Making changes via the pool member property page.

Impact:
You can submit the changes but the changes do not persist.

Workaround:
1. tmsh
or
2. enable/disable pool member from list of pool members instead of 'general properties' page

1014633-3 : Transparent / gateway monitors may fail if there is no route to a node

Links to More Info: BT1014633

Component: Local Traffic Manager

Symptoms:
Transparent or gateway monitors may fail.

Conditions:
-- Transparent or gateway monitor configured.
-- Route does not exist to destination.

Impact:
The monitor fails and the node / pool member is marked unavailable.

Workaround:
Add a route to the destination.

1014361-1 : Config sync fails after provisioning APM or changing BIG-IP license

Links to More Info: BT1014361

Component: TMOS

Symptoms:
Clustered high availability (HA) devices cannot establish ConfigSync connection, and the prompt status reports disconnected.

MCPD is logging a message similar to this repeatedly, even though all TMMs are up and running:

err mcpd[4247]: 0107142f:3: Can't connect to CMI peer 192.0.2.1, TMM outbound listener not yet created

Conditions:
This can occur under either of the following conditions:

-- Some provisioning operations (i.e. provisioning APM), when TMM restarts during the provisioning. This has primarily been seen with BIG-IP instances running in Google Cloud.

-- Changing the license of a BIG-IP VE when the new license changes the number of TMM instances that will run on the BIG-IP (i.e. upgrading from a 1Gbps to 3Gbps VE license)

Impact:
BIG-IP devices are not able to perform ConfigSync operations.

Workaround:
Restart MCPD on the affected system.

Note: This will disrupt traffic while system services restart.

1014285-3 : Set auto-failback-enabled moved to false after upgrade

Links to More Info: BT1014285

Component: TMOS

Symptoms:
In a traffic group, auto-failback-enabled is changed from true to false after config save and upgrade.

During the upgrade, the following log can be observed:

info: Warning: Invalid configuration - Traffic Group has high availability (HA) Group "test_HA_Group" assigned and auto-failback-enabled set to true. Resetting auto-failback-enabled to false.

Conditions:
-- auto-failback-enabled is set to true and high availability (HA) groups are configured and assigned to traffic-group
-- The device is upgraded.

Impact:
Auto-failback-enabled is set from true to false and auto failback is disabled.

Workaround:
After upgrade, set the auto-failback-enabled to true.

1013937-2 : In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work.

Links to More Info: BT1013937

Component: Local Traffic Manager

Symptoms:
Pool members that should be marked UP are incorrectly marked DOWN. No monitor traffic is seen on the wire.

If pool member monitor logging is enabled, an entry similar to the following example can be seen in the logs:

[0][1399] 2021-02-11 11:11:34.709360: ID 44 :TMM::handle_message(TMA_Message<tma_msg_args_notify>*): tmm monitor failed to connect [ tmm?=true td=true tr=false tmm_mid=0:1 addr=::ffff:192.168.10.100:80 srcaddr=none ]

If tma debug logging is enabled, an entry similar to the following example can be seen in the logs:

Feb 11 11:12:14 bigip1.local debug tmm[2259]: 01ad0019:7: Monitor Agent TMM 0: received probe response: MID 1, reason TMA_RESULT_FAIL(Probe response lost due to transient failure), info 0

Conditions:
- In-tmm monitoring is enabled (the bigd.tmm db key is set to enable).

- A HTTP or HTTPS monitor has been configured with a send string which is not RFC-compliant. For instance, the following string incorrectly includes a space before the Host header:

"GET / HTTP/1.1\r\n Host: example.com\r\nConnection: Close\r\n\r\n"

Impact:
Pool member monitoring is impacted and unreliable.

Workaround:
Ensure that you specify a send string which is fully RFC-compliant (for instance, in the example above, remove the space before the Host header).

1013777-2 : An error is encountered when enabling reset-learning to all the signatures of a protocol inspection profile in the GUI.

Component: Protocol Inspection

Symptoms:
An error is displayed in the GUI when reset-learning is applied to all the signatures of a protocol inspection profile in the GUI.

The actual error is “414 Request-URI Too Long” because the HTTP request URI length generated in this case exceeds the system limit.

Conditions:
-- "Reset-learning" action is applied to all signatures and compliances of a protocol inspection profile.
-- Once a certain number of signatures are selected, The GUI throws a “414 Request-URI Too Long” error.

Impact:
- Bulk "reset-learning" action can't be applied from the GUI when the "414 Request-URI Too Long" is returned.

Workaround:
- The TMSH command "delete security protocol-inspection learning-stats <profile-name>" can be used to apply reset-learning to all the signatures of a protocol inspection profile.

1013629-3 : URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files

Links to More Info: BT1013629

Component: Traffic Classification Engine

Symptoms:
Shared memory files in relation with URLCAT have file permissions set to (-rwxrwxrwx), which is not necessary and needs to be restricted to (-rw-rw-r--).

Conditions:
Performing a Vulnerability Scan on shared memory files in relation with URLCAT.

Impact:
Full permission can result in unintentional/unauthorized access, which could result in unexpected behavior of the URLCAT feature.

Workaround:
Manually change permissions from (-rwxrwxrwx) to (-rw-rw-r--) using the chmod command.

1013597-1 : `HTTP2::disable serverside` can reset flows

Links to More Info: BT1013597

Component: Local Traffic Manager

Symptoms:
If `HTTP2::disable serverside` is called on a flow that has no HTTP2 configured on the server-side then it can incorrectly report an error and RST the flow.

Conditions:
1) iRule calls `HTTP2::disable serverside` on HTTP_REQUEST.
2) No HTTP2 configured on server-side.
3) server-side has already handled a flow.

Impact:
Traffic interruption, potential for a core (see ID1012533). Traffic disrupted while tmm restarts.

Workaround:
Don't call `HTTP2::disable serverside` if there is no HTTP2 on server-side.

1013297 : MRF persistence records are not removed with "DIAMETER::persist reset" in DIAMETER_INGRESS

Links to More Info: BT1013297

Component: Service Provider

Symptoms:
MRF persistence records are not removed upon receiving CCA-t with with "DIAMETER::persist reset" in DIAMETER_INGRESS
and instead it is extending timeout for the sessions

Conditions:
MRF is not removing persistence record upon arrival of CCR/A-t and
Even After "DIAMETER::persist reset" is used in DIAMETER_INGRESS, MRF is not removing records

Impact:
Persistence records not removed.

1013209-2 : BIG-IP components relying on ca-bundle.crt may stop working after upgrade

Links to More Info: BT1013209

Component: Local Traffic Manager

Symptoms:
After upgrading, the BIG-IP system components may stop working due to missing CA certificates in ca-bundle.crt.

Conditions:
CA cert which is expired/will expire in 6 months (or 182 days) after upgrade is removed from ca-bundle.crt.

Impact:
The BIG-IP components such as TMM, APM etc. may stop working due to missing CA certificates in ca-bundle.crt.

Workaround:
Download the blended-bundle.crt from the F5 download site. It is located at
https://downloads.f5.com/esd/product.jsp?sw=Certificate-Authority-Bundle&pro=Certificate-Authority-Bundle

1012813-3 : Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"

Links to More Info: BT1012813

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors similar to:

-- err statsd[4908]: 011b0600:3: Error ''/var/rrd/access' is not an RRD file' during rrd_update for rrd file '/var/rrd/access'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/access'.

Conditions:
Corruption of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock, resulting in the issues noted in the Symptoms section.

Workaround:
Remove the corrupted file and restart statsd:
bigstart restart statsd

1012601-2 : Alarm LED and LCD alert cleared prematurely on startup for missing PSU input

Links to More Info: BT1012601

Component: TMOS

Symptoms:
Occasionally when starting up a BIG-IP system, if one PSU is connected but not supplying power, the corresponding amber alarm LED and "PSU status input lost" alert in the LCD menu can be incorrectly cleared after selecting System -> Power On from the LCD menu.

Conditions:
-- iSeries platforms
-- The BIG-IP device is powered on with one PSU connected and not supplying power

Impact:
The alarm LED is incorrectly turned off, and navigating to alerts on the LCD menu no longer shows a "PSU status input lost" alert after powering on.

Workaround:
Before powering on the BIG-IP device, check the alarm LED and navigate to alerts on the LCD screen. If there is a "PSU status input lost" alert, the corresponding power LED should be amber.

If the power LED is still amber after powering the system on but the alarm LED and LCD alert are cleared, please disregard the alarm LED and LCD in this case. The amber power LED is correct, and the PSU is still not supplying power.

Additionally, if you are logged into the console, running "bigstart restart chmand" will force a new "PSU status input lost" alert to be generated on the LCD and should also correct the alarm LED color to amber.

1012581-3 : Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered

Links to More Info: BT1012581

Component: Advanced Firewall Manager

Symptoms:
As soon as global syncookie enabled stats counts starts decrementing and when attack_detection_common callback function calls, the stats range is always under the configured packets per-second threshold, resulting in some tmms not being able to detect the attack but syncookies are already enabled on these tmms, and no statistics are gathered.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
SYN cookies may still be sent after traffic goes below the attack detection threshold.

Workaround:
Restart tmm

1012493-4 : Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check

Links to More Info: BT1012493

Component: TMOS

Symptoms:
When polling the endpoint /mgmt/tm/sys/mcp-state you get an error:

{
  "code": 500,
  "message": "MCP Session terminated",
  "errorStack": [],
  "apiError": 32768003
}

Conditions:
-- A user other than 'admin' polls /mgmt/tm/sys/mcp-state

Impact:
An error is returned for users that are not the admin user. Systems which are subject to special security rules that require disabling the admin user may lose functionality in iControl/REST.

Workaround:
You can use either of these workarounds:

-- Make the API call as user "admin"
-- Use tmsh
   tmsh show sys mcp-state

1012449-3 : Unable to edit custom inband monitor in the GUI

Links to More Info: BT1012449

Component: TMOS

Symptoms:
Attempting to edit a custom inband monitor in the GUI results in an error:

An error has occurred while trying to process your request.

Conditions:
Editing a custom inband monitor in the GUI.

Impact:
Unable to make changes to inband monitors in the GUI.

Workaround:
Use TMSH to modify the monitor, for example:

tmsh modify ltm monitor inband <monitor name> ...

1012221-2 : Message: childInheritanceStatus is not compatible with parentInheritanceStatus

Links to More Info: BT1012221

Component: Application Security Manager

Symptoms:
The BIG-IP system is unable to deploy a revision of upgraded child policies and you see an error:

Failed pushing changed objects to device <device>: Could not update the Section 'Threat Campaigns'. childInheritanceStatus is not compatible with parentInheritanceStatus.

Conditions:
-- An ASM Child Policy is present on the BIG-IP device in a version earlier than 14.0.0
-- The BIG-IP system is upgraded to version 14.0.0 or later

Impact:
This corruption impacts BIG-IQ interactions with the Child Policy and causes exported Child Policies to be incorrect.

Workaround:
After upgrading, perform the following:

1. Log into the BIG-IP Configuration Utility
2. Go to Security :: Application Security :: Security Policies :: Policies List
3. Select the first Parent Policy
4. Go to Inheritance settings and change Threat Campaigns from None to Optional
5. Click Save Changes
6. Change Threat Campaigns from Optional back to None
7. Click Save Changes
8. Click Apply
9. Repeat steps 3-8 for each additional Parent Policy

1012061-3 : Link Controller auto-discovery does not remove deleted virtual servers

Links to More Info: BT1012061

Component: Global Traffic Manager (DNS)

Symptoms:
Removed virtual servers are still displayed as available in link controller configuration.

Conditions:
1. GTM server representing Link Controller is configured for high availability (HA)
2. There is no working iQuery session with one of the units

Impact:
Virtual servers linger in bigip_gtm.conf configuration after they are deleted.

Workaround:
Make sure that there is at least one working iQuery channel with all devices configured under GTM server object.

1012049-3 : Incorrect virtual server list returned in response to status request

Links to More Info: BT1012049

Component: TMOS

Symptoms:
Returned list of virtual servers shows all virtual servers rather than no servers, or a specific list of servers.

Conditions:
-- Navigate through the GUI to Local Traffic :: Virtual Servers : Virtual Server List page.
-- Click the 'Status' drop down and select a status that returns no virtual servers or a specific subset of the virtual servers.
-- Modify the resulting request to insert ' --' url-encoded.

Impact:
The returned list shows all virtual servers instead of the ones specifically queried.

Workaround:
None

1011889-4 : The BIG-IP system does not handle DHCPv6 fragmented traffic properly

Links to More Info: BT1011889

Component: Local Traffic Manager

Symptoms:
In the following two scenarios, packets may get dropped by the BIG-IP device.

- [client MTU 1500]<--->(vlan1)<--->[MTU 1500BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 1500server]
If the response from the server is large enough to be fragmented, the BIG-IP system is not able to process the packets.

- [client MTU 1500]<--->(vlan1)<--->[MTU 1500BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 9000server]
Large response coming in a single packet is not fragmented properly on the client-side, then packets may be dropped.

Conditions:
DHCPv6 MTU size is greater than or equal to 1500.

Impact:
Packets are dropped, traffic is disrupted.

1011801 : L2 behavior becomes inconsistent while scaling address space

Links to More Info: BT1011801

Component: TMOS

Symptoms:
ARP/NDP+IP behavior becomes inconsistent for additional flows.

Conditions:
-- Two VIPRION 4800 chassis, fully populated
-- Chassis to chassis HA
-- Provisioned: LTM, AVR, CGN
-- All Subscriber/Internet flows are CGN->LSN, routed to/from the chassis broadcast domain.
-- All flows are routed and have their own Sub/Int VLAN pairs.

Steps to Reproduce:
Add flow, test validity, start traffic. Repeat.

Impact:
Issue with ICMP request / response from devices within the broadcast domain(s) associated with the BIG-IPs

Workaround:
None.

1011445-3 : Recovery after DoS attack uses SYN cookies inefficiently

Links to More Info: BT1011445

Component: Advanced Firewall Manager

Symptoms:
The SYN cookie mechanism recovers inefficiently from a Denial-of_Service attack.

Conditions:
A virtual server is configured with a DoS profile that employs SYN cookies.

Impact:
New legitimate connections not made efficiently.

Workaround:
None known.

1011433-3 : TMM may crash under memory pressure when performing DNS resolution

Links to More Info: BT1011433

Component: Global Traffic Manager (DNS)

Symptoms:
When running low on free memory, TMM may crash when performing DNS resolution.

Conditions:
-- TMM is under memory pressure.
-- TMM is performing DNS resolution via one of the following mechanisms:
--+ iRule using the "RESOLV::lookup" command
--+ AFM firewall rules that reference hostnames
--+ APM

Impact:
Traffic disrupted while tmm restarts.

1011265-1 : Failover script cannot read /config/partitions/ after upgrade

Links to More Info: BT1011265

Component: TMOS

Symptoms:
After upgrading, failover does not work correctly. An error is encountered in /var/log/audit/log:

type=AVC msg=audit(1617263442.711:206): avc: denied { read } for pid=17187 comm="active" name="partitions" dev="dm-11" ino=259 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir

Conditions:
-- High availability (HA) environment configured
-- Devices are upgraded to version 14.1.4
-- A failover occurs

Impact:
Failover does not complete. Floating IP addresses do not move to the active device.

Workaround:
Tmsh modify sys db failover.selinuxallowscripts enable

1011217-3 : TurboFlex Profile setting reverts to turboflex-base after upgrade

Links to More Info: BT1011217

Component: TMOS

Symptoms:
Custom TurboFlex Profile settings revert to the default turboflex-base profile after an upgrade.

Conditions:
-- iSeries platform with ix800 performance license
-- A non-default TurboFlex Profile is applied
-- The BIG-IP device is upgraded

Impact:
Some features of the previously selected TurboFlex Profile that are not part of the turboflex-base profile, are missing after upgrade. The TurboFlex Profile must be reconfigured after upgrade.

Workaround:
Reconfigure the TurboFlex Profile after upgrade.

1011169-1 : Upgrade failed with invalid property value "type":"ending-abort"

Links to More Info: BT1011169

Component: SSL Orchestrator

Symptoms:
Configuration load failed after upgrade. The following messages appear in /var/log/ltm:

notice tmsh[11242]: 01420012:5: Loading schema version: 15.1.1
err tmsh[11242]: 01420006:3: invalid property value "type":"ending-abort"
emerg load_config_files[11239]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Loading schema version: 15.1.1
err mcpd[8354]: 01070425:3: Full configuration load failed.

Conditions:
The failure occurs if
1. SSL Orchestrator security policy is configured, and
2. Upgrade from 15.1.1 or 15.1.2 to 16.0.1 or 16.0.1.1.

Impact:
The BIG-IP will be in offline mode and services will be interrupted.

1011081-2 : Connection lost to the Postgres client during the BIG-IP bootup process

Links to More Info: BT1011081

Component: TMOS

Symptoms:
During the boot process of BIG-IP, mcpd loses the connection to the Postgres with FATAL error with a "Broken Pipe" error.

Conditions:
-- BIG-IP devices are configured in high availability (HA).
-- BIG-IP configuration has the keys configured in Postgres Database.

Impact:
Mcpd loses the connection to the Postgres with FATAL error with a "Broken Pipe" error

1011045-1 : GUI does not reflect 'Fully Automatic' state , which is substate of Automatic learning mode.

Links to More Info: BT1011045

Component: Application Security Manager

Symptoms:
When disabling 'Fully Automatic' mode in policy configuration (either through the GUI or REST) the GUI still indicates that the policy is in Automatic learning mode.

Conditions:
1. Configure a policy using the Fundamental template.
2. Change Learning Mode to 'automatic only' by REST, or uncheck the 'Fully Automatic' box in the GUI (Policy Configuration page).

Impact:
The GUI still shows the Learning Mode state, but not the 'Fully Automatic' state.

As a result, the administrator cannot be sure of the actual state of learning mode via the GUI.

Workaround:
The actual state is reflected properly when viewed via the REST command.

GET https://big-ip-mgmt/mgmt/tm/asm/policies/policy_id/policy-builder

1010785-1 : Online help is missing for CRL in client SSL profile and server SSL profile

Links to More Info: BT1010785

Component: TMOS

Symptoms:
Help tab does not show any documentation for CRL in client SSL profile and server SSL profile.

Conditions:
This can be seen in the online help for the client SSL and server SSL profiles.

Impact:
There are no online help instructions to configure CRLs.

Workaround:
None

1010761-1 : Missing TMSH help description for client-ssl profile 'CRL'

Links to More Info: BT1010761

Component: TMOS

Symptoms:
Running the command "tmsh help ltm profile client-ssl" shows that certificate revocation list (CRL) is not present/described.

Conditions:
Run tmsh help ltm profile client-ssl

Impact:
The CRL is not present/described.

Workaround:
None

1010717-3 : Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI

Links to More Info: BT1010717

Component: Anomaly Detection Services

Symptoms:
Creating a DoS profile from tmsh makes the Bados feature appear to be enabled in the GUI, which is incorrect.

Conditions:
Create DoS profile from tmsh, and not from GUI.

Impact:
Inconsistency between the DoS profile and what you see in the GUI.

Workaround:
Disable BADOS in the GUI after creating a DoS profile from tmsh.

1010617-3 : String operation against DNS resource records cause tmm memory corruption

Links to More Info: BT1010617

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cores with umem debug enabled.

Conditions:
A string operation is performed against DNS resource records (RRs) in an iRule.

Impact:
Tmm memory corruption. In some situations, tmm could crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use string operation against DNS RRs.

1010597-2 : Traffic disruption when virtual server is assigned to a non-default route domain

Links to More Info: BT1010597

Component: Access Policy Manager

Symptoms:
Assigning a virtual server to a non-default route domain might cause a traffic disruption.

Conditions:
-- An APM virtual server is assigned to a route domain other than 0 (zero, the default).
-- An access policy has an agent that results in tmm communicating to the renderer (e.g., Logon agent, HTTP 401 Response agent, and others).

Impact:
Access policy fails.

Workaround:
1. Log in to the Configuration utility.
2. Go to Network > Route Domains > affected route domain.
3. In the section Parent Name select '0 (Partition Default Route Domain)'.
4. Select Update.

1010341-2 : Slower REST calls after update for CVE-2021-22986

Links to More Info: BT1010341

Component: TMOS

Symptoms:
As a result of changes were introduced to increase security around the REST API, REST calls that use HTTP basic authentication may take longer to execute that they did previously.

Conditions:
- REST API calls
- HTTP basic authentication used for the REST calls

Impact:
- Degraded performance of the REST API

Workaround:
Update automation scripting to use token based authentication, which is both faster and more secure than HTTP basic authentication

1010209-3 : BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings

Links to More Info: BT1010209

Component: Local Traffic Manager

Symptoms:
It is possible, using REST or tmsh (vi the 'tmsh edit' command) to embed literal carriage return (CR) or line feed (LF) characters in an mcpd object's parameters, rather than the two-byte sequence \r or \n. This can be done with a monitor send or receive string. When the configuration is loaded, the CR characters are stripped off of the strings, resulting in invalid HTTP in the monitor strings.

Conditions:
-- Using HTTP monitors.
-- Embedding literal CR/LF characters in the monitor's send or receive string.

Impact:
Monitors stop working; pool members being monitored are considered inaccessible.

Workaround:
Do not use embedded unprintable characters in monitor send or receive strings.

1009921-1 : 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check

Links to More Info: BT1009921

Component: Local Traffic Manager

Symptoms:
'SSL::verify_result' iRule command may return '0' (validation check success) even if the client certificate has already been revoked. The expected return value on a revoked certificate is '23' (certificate revoked).

Conditions:
-- Dynamic CRL check is configured on the client SSL profile.

-- An iRule checks client certificate validity by 'SSL::verify_result' command. Here is example.

  when HTTP_REQUEST {
     set cert [SSL::cert 0]
     set cert_string [X509::verify_cert_error_string [SSL::verify_result]]
     set code [SSL::verify_result]
     if { [SSL::verify_result] == 0 }{
        log local0. "success $cert_string $code" return
     }
     else {
        log local0. "failed $cert_string $code" HTTP::respond 403 content "<html>Invalid client certificate:</html>\n" }
  }

Note: SSL::cert command is in fact the trigger for the behavior as it causes a rebuild of the certificate chain and fetches the status from the cache, which is 0. The reason it is 0 in the cache is that, when dynamic CRLs are used, the system verifies the cert, receives a code 23 (revoked), but the system does not update the SSL session cache with the result.

Impact:
The iRule 'SSL::verify_result' command may return unexpected values. Traffic can be unexpectedly load-balanced to the backend pool member when the end user client requests the virtual server with the revoked certificate.

Workaround:
You can use any of the following workarounds:

-- Remove the SSL::cert command from the iRule (it is not needed in HTTP_REQUEST since the system still has the verify result in runtime code).

-- Set cache-size 0 (zero) on client SSL profiles:
# tmsh modify ltm profile client-ssl [client-ssl profile name] cache-size 0

-- Use authentication frequency 'always' on client SSL profiles:
# tmsh modify ltm profile client-ssl [client-ssl profile name] authenticate always

1009793-1 : Tmm crash when using ipsec

Links to More Info: BT1009793

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
Set sys db variable IPsec.RemoveRedundantSA to enable.
set sys db variable ipsec.removeredundantsa.delay to one.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set sys db variable IPsec.RemoveRedundantSA to disable.
set sys db variable ipsec.removeredundantsa.delay to zero.

1009161-1 : SSL mirroring protect for null sessions

Links to More Info: BT1009161

Component: Local Traffic Manager

Symptoms:
Possible tmm crash during ssl handshake with connection mirroring enabled.

Conditions:
14.1 after changes applied for ID760406 and ssl handshake dropped during ssl handshake session state.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable connection mirroring

1008849-3 : OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration

Links to More Info: BT1008849

Component: Application Security Manager

Symptoms:
in order to fulfill "A4 XML External Entities (XXE)", some required signatures need to be enforced.

Due to an update in some of those attack signatures names, this section does not find the signatures and by mistake it shows that the signatures are not enforced.

Also, when you choose to enforce the required signatures, this section tries to enforce the signatures and look for them via the old name, but it does not find them, and can't enforce them.

Conditions:
The attack signatures file is updated with the new names for the XXE signatures.

The old names are in use while trying to find and enforce the signatures, but it does not find them and can't enforce them and also can't see if they are already enforced.

Impact:
"A4 XML External Entities (XXE)" Compliance can't be fully compliant.

1008501-3 : TMM core

Links to More Info: BT1008501

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
Transparent monitors monitoring a virtual server's IP address.

Note: Although this is the current understanding of the issue, it is not clear whether this is an true requirement for the issue to occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1008269-3 : Error: out of stack space

Links to More Info: BT1008269

Component: TMOS

Symptoms:
When polling for profile statistics via iControl REST, the BIG-IP system returns an error:

Error: out of stack space

Conditions:
Polling stats via iControl REST.

Impact:
You are intermittently unable to get stats via iControl REST.

Workaround:
None

1008233-3 : The gtm_add command fails but reports no error

Links to More Info: BT1008233

Component: Global Traffic Manager (DNS)

Symptoms:
Running the command 'gtm_add' does not add the local GTM to the remote GTM sync group, and it does not display an error message.

Conditions:
The remote GTM has a GTM iRule that references an LTM datagroup that does not exist on the local GTM.

Impact:
The gtm_add command fails silently.

Workaround:
Add the remote LTM datagroup to the local LTM.

1008169-3 : BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP

Links to More Info: BT1008169

Component: Service Provider

Symptoms:
If the BIG-IP system receives a DIAMETER answer message without a Result-Code AVP (and/or Experimental-Result-Code AVP), it terminates the connection at the transport (L4) level.

Conditions:
-- Using DIAMETER.
-- Processing an answer message that is missing both Result-Code and Experimental-Result-Code AVPs.

Impact:
The connection is terminated without properly notifying the DIAMETER peer.

Workaround:
None

1008009-2 : SSL mirroring null hs during session sync state

Links to More Info: BT1008009

Component: Local Traffic Manager

Symptoms:
Tmm crashes.

Conditions:
-- SSL connection mirroring enabled
-- Running a version where ID 760406 is fixed (https://cdn.f5.com/product/bugtracker/ID760406.html)
-- A handshake failure occurs during session sync

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable connection mirroring

1008005 : Configuration load fails due to BOTDEFENSE_ACTION event in iRule after upgrade

Links to More Info: BT1008005

Component: Application Security Manager

Symptoms:
The configuration fails to load after a software upgrade with an error:

err mcpd[6990]: 01071912:3: BOTDEFENSE_ACTION event in rule (/Common/my_irule) requires an associated BOTDEFENSE profile on the virtual-server (/Common/example_virtual_server).

Conditions:
- ASM provisioned
- DoS Application profile attached to a virtual server
- An iRule with BOTDEFENSE_ACTION event attached to a virtual server
- Upgrading from 13.x to 14.x/15.x

Impact:
The configuration load at the end of the upgrade fails.

Workaround:
Prior to upgrade, remove all iRules that have a BOTDEFENSE_ACTION event from all virtual servers. After the upgrade is successful, add the bot-defense profile to the virtual servers and add the iRules.

1007909-3 : Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs

Links to More Info: BT1007909

Component: TMOS

Symptoms:
When using tcpdump with the :p flag, it does not capture all packets that are processed by multiple TMMs.

Conditions:
Traffic flows are handled by multiple TMMs, e.g., one of the following:

-- 'preserve strict' set on virtual servers
-- a CMP-demoted virtual server
-- Service Provider (SP) DAG configured, but using custom mappings for some client IP addresses, or some traffic flows using VLANs without SPDAG configured.

Impact:
Causes confusion since there will be packets missing from tcpdump captures.

Workaround:
Use a packet capture filter to capture clientside and serverside flows directly, without relying on the peer flow flag (":p").

1007869-2 : Upgrade from v14.1.x to v15.1.2.1 or later fails for app-tunnel, RDP and config migration

Links to More Info: BT1007869

Component: Access Policy Manager

Symptoms:
Config load fails with the following error.

01070712:3: Failed: name (/Common/<customization resource name>) Cache path (/config/filestore/files_d/Common_d/customization_group_d/:Common:<customization resource name with revision>) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.

An upgraded config may show RDP resources missing from the Advanced resource assign agent:

# tmsh list apm policy agent resource-assign
apm policy agent resource-assign test-simple-ap-01_act_full_resource_assign_ag {
    rules {
        {
            portal-access-resources { /Common/test-pa-01 }
            remote-desktop-resources { /Common/test-rdp-01 } !!! this line may go missing in v15.1.2.1 !!!
            webtop /Common/test-full-wt-01
        }
    }
}

Conditions:
Upgrade to v15.1.2.1 or later with AppTunnel and RDP resources.

Impact:
The configuration fails to load following the upgrade.

Workaround:
Modify the revision numbers resources, customization path for missing webtop links.

Example:
=======

(1) The following AppTunnel config causes config loading failure:

01070712:3: Failed: name (/Common/Example_resource_app_tunnel_customization) Cache path (/config/filestore/files_d/Common_d/customization_group_d/:Common:Example_resource_app_tunnel_customization_1) does not exist and there is no copy in trash-bin to restore from.

(2) Modify as follows:

In TMSH:
#cp /config/filestore/files_d/Common_d/customization_group_d/\:Common\:Example_resource_app_tunnel_customization_1 /config/filestore/files_d/Common_d/customization_group_d/\:Common\:Example_resource_app_tunnel_customization_2

In bigip.conf under customization configuration:
Rename Example_resource_app_tunnel_customization_1 to Example_resource_app_tunnel_customization_2 (modifying revision numbers from _1 to _2)

#tmsh load sys config

(3) For a missing RDP resource: use VPE to edit access profiles and find the appropriate 'Advanced Resource Assign' agents. Add the appropriate RDP resources in the 'Advanced Resource Assign' agent.
==============

1007109-1 : Flowmap entry is deleted before updating its timeout to INDEFINITE

Links to More Info: BT1007109

Component: Service Provider

Symptoms:
A sessiondb entry cannot be looked up.

Conditions:
A connection takes more than 5 seconds to establish. For example, in SCTP, the connection establishment might take more than 5 seconds with a maximum timeout of 60 seconds

Impact:
The session db lookup failure leads to the establishment of a new connection, even though there is an existing connection to the pool member.

Workaround:
Increase the temporary timeout of the session db entry to 60 seconds.

1006857-3 : Adding a source address list to a virtual server in a partition with a non-default route domain fails

Links to More Info: BT1006857

Component: Local Traffic Manager

Symptoms:
Adding a source address list to a virtual server in a partition with a non-default route domain fails with an error similar to:

0107176c:3: Invalid Virtual Address, the IP address 10.10.10.20%2 already exists.

Conditions:
-- A partition with a non-default route domain.
-- A virtual server and address list in said partition.
-- Modifying the virtual server to use the address list as its source address.

Impact:
Unable to use a source address list in a partition with a non-default route domain.

Workaround:
Manually create a traffic-matching-criteria object in TMSH with the desired configuration, and then create the virtual server using that traffic-matching-criteria.

1006509 : TMM memory leak

Links to More Info: BT1006509

Component: Access Policy Manager

Symptoms:
After upgrading to 15.1.0.4, tmm memory grows and tmm may restart or the BIG-IP system may reboot.

Conditions:
-- APM provisioned
-- Other conditions are unknown but it linked to single sign-on functionality

Impact:
Tmm memory grows and tmm may restart. Traffic disrupted while tmm restarts.

1006449-2 : The default size of the subagent object cache possibly leading to slow snmp response time

Links to More Info: BT1006449

Component: TMOS

Symptoms:
After upgrading from 13.1.0.8 to 15.1.0.5, BIG-IP CPU utilization increases and SNMP is slow to respond.

Conditions:
SNMP client repeatedly polls BIG-IP for OIDs in multiple tables over a short period of time.

Impact:
SNMP queries take an unusually long time to return data, and BIG-IP CPU utilization is higher.

1006181-1 : ASM fails to start after upgrade if different ASM policies use login pages with the same name

Links to More Info: BT1006181

Component: Application Security Manager

Symptoms:
ASM fails to start with error message in asm_config_server.log:

Failed on insert to DCC.ACCOUNT_LOGIN_OBJECT_ATTRIBUTES (DBD::mysql::db do failed: Column 'object_crc' cannot be null

Conditions:
Upgrade system where two or more ASM policies have a login page with the same name.

Impact:
ASM fails to start

Workaround:
Delete the login page that has a name used by multiple ASM policies and create it again.

1006157-1 : FQDN nodes not repopulated immediately after 'load sys config'

Links to More Info: BT1006157

Component: Local Traffic Manager

Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.

Conditions:
This occurs when 'load sys config' is executed.

Impact:
Name addresses do not resolve to IP addresses until the TTL expires.

Workaround:
You can use either of the following workarounds:

-- Change the default TTL value to be fewer than 300 seconds (the default value is 300 seconds).

-- Restart dynconfd daemon:
tmsh restart sys service dynconfd

1005309-2 : Additional Tcl variables showing information from the AntiBot Mobile SDK

Links to More Info: BT1005309

Component: Application Security Manager

Symptoms:
When using the Bot Defense iRules together with the AntiBot Mobile SDK, there are several variables missing. These missing variables would be useful for correct troubleshooting and pattern matching.

Conditions:
Using the AntiBot Mobile SDK together with Bot Defense iRules

Impact:
Some variables that are required for troubleshooting and pattern matching of the AntiBot Mobile SDK are missing.

Workaround:
None

1005181-2 : Bot Defense Logs indicate the mobile debugger is used even when it is not

Links to More Info: BT1005181

Component: Application Security Manager

Symptoms:
When using the AntiBot Mobile SDK, the Bot Defense Request Log may indicate that the mobile debugger is enabled, even when it is not.

Conditions:
Using the AntiBot Mobile SDK with the Bot Defense Profile

Impact:
Request log is showing an incorrect value.

Workaround:
None

1004953-3 : HTTP does not fall back to HTTP/1.1

Links to More Info: BT1004953

Component: Local Traffic Manager

Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.

Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).

Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.

Workaround:
None.

1004897-4 : 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason

Links to More Info: BT1004897

Component: Local Traffic Manager

Symptoms:
In HTTP2 setup, when the header count from the client request exceeds max-header-count value in the HTTP profile , COMPRESSION_ERROR(0x09) is seen in GoAway frame instead of FRAME_SIZE_ERROR(0x06)

Conditions:
- Virtual server with HTTP2 enabled
- A http2 request has a header count that exceeds 'Maximum Header Count' in the HTTP profile (default value is 64)

Impact:
Wrong GoAway Reason is logged

1004845-2 : Accessing attribute using attributeNode value does not work with Portal Access

Links to More Info: BT1004845

Component: Access Policy Manager

Symptoms:
URI normalization issue when using attributeNode to access attribute values.

Conditions:
Using attributeNode to access attribute value in web applications

Impact:
Web application does not work as expected.

Workaround:
Use custom iRule to fix this issue. There is no generic iRule for this issue, but here is a sample iRule:

XXXX is the file which usage attributeNode.

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "XXXX"
  } {

    # log "URI=([HTTP::path])"
    # Found the file to modify

    REWRITE::post_process 1
  }
}

when REWRITE_RESPONSE_DONE {
  set strt [string first {<script>try} [REWRITE::payload]]

  if {$strt > 0} {
    REWRITE::payload replace $strt 0 {
      <script>
        (function (){
         var old_F5_Inflate_value = F5_Inflate_value;
         F5_Inflate_value = function (o,sw,incr,v) {
            if (o && o.ownerDocument) {
                if (o.name == 'action') {
                  if (o.ownerElement) {
                    F5_Inflate_action(o.ownerElement,incr,v);
                  }
                }
            }
            return old_F5_Inflate_value.apply(this,arguments)
         }
        })();
      </script>
    }
  }
}

1004609-4 : SSL forward proxy virtual server may set empty SSL session_id in server hello.

Component: Local Traffic Manager

Symptoms:
End user clients are unable to establish a TLS connection. Further investigation indicates that the Session ID length field is set to 0, but there is no session ID.

   TLSv1.2 Record Layer: Handshake Protocol: Server Hello
           Content Type: Handshake (22)
           Version: TLS 1.2 (0x0303)
           Length: 59
           Handshake Protocol: Server Hello
               Handshake Type: Server Hello (2)
               Length: 55
               Version: Version: TLS 1.2 (0x0303)
               Random: aa957f92a5de4cedcf9750b60b3efab6b345da6c32189e93…
               Session ID Length: 0 <=== !!!
   .....
   TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
   .....
   TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
   .....

Conditions:
-- SSL forward proxy virtual server.
-- This can occur intermittently with normal HTTPS traffic. It occurs more frequently if the session cache's cache-timeout value is set to a low value.

Impact:
After receiving the invalid server hello message from the BIG-IP system, the client may generate unexpected_message (10) TLS alerts and the client may terminate SSL connection.

Workaround:
None

1004469-2 : SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string

Links to More Info: BT1004469

Component: TMOS

Symptoms:
SNMP polling fails for ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName.

Conditions:
Run the snmpwalk for ltmSipsessionProfileStatVsName :

[root@d1:Active:Standalone] tmp # snmpwalk -c public localhost ltmSipsessionProfileStatVsName
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/test-sip"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/sipsession"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/sipsession-alg"."" = STRING:

----------
Run the snmpwalk for ltmSiprouterProfileStatTable

[root@ltm1:Active:Standalone] config # snmpwalk -c public localhost ltmSiprouterProfileStatTable
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatName."/Common/siprouter"."" = STRING: /Common/siprouter
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatName."/Common/siprouter-alg"."" = STRING: /Common/siprouter-alg
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatVsName."/Common/siprouter"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatVsName."/Common/siprouter-alg"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessgesIn."/Common/siprouter"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessgesIn."/Common/siprouter-alg"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessagesInRetry."/Common/siprouter"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessagesInRetry."/Common/siprouter-alg"."" = Counter64: 0

Impact:
Returns empty. Cannot extract the virtual server name of a SIP session and SIP router profile through SNMP.

Workaround:
None

1004445-4 : Warning not generated when maximum prefix limit is exceeded.

Links to More Info: BT1004445

Component: Local Traffic Manager

Symptoms:
No warnings are given when the maximum prefix limit is exceeded.

Conditions:
BGP neighbor has a maximum-prefix warning configured

Impact:
If the limit is exceeded, no warnings are given. This can cause unexpected behavior.

Workaround:
None

1004077-2 : When configuring from VPE, audit logs from mcp records the user as admin, even if done by another user

Links to More Info: BT1004077

Component: Access Policy Manager

Symptoms:
When making changes via the visual policy editor (VPE), audit logs from mcp records the user as admin, even if the change was made by a non-admin user.

Conditions:
Non-admin users make changes from VPE.

Impact:
Audit logs records user as admin for some transactions VPE to mcp transactions.

Workaround:
None

1003469-2 : The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error.

Links to More Info: BT1003469

Component: TMOS

Symptoms:
When trying to reset the statistics for an IPv6 pool member using the GUI, the operation fails and the system returns one of the following errors (depending on the software version in use):

01030010:3: eXtremeDB - search operation failed

Unable to complete request

Conditions:
This issue occurs when you attempt to use the BIG-IP GUI to:

-- Reset the statistics of one or more IPv6 pool members you have selected individually.

-- Reset the statistics of all pools by using the 'Select All' checkbox (provided the system contains IPv6 pool members).

Impact:
Inability to reset the statistics using the GUI.

Workaround:
You can use the tmsh utility to reset the pool member's statistics from the CLI. Example command:

tmsh reset-stats ltm pool my-pool members { 2001:DB8::1.80 }

1003377-1 : Disabling DoS TCP SYN-ACK does not clear suspicious event count option

Links to More Info: BT1003377

Component: Advanced Firewall Manager

Symptoms:
When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.

Conditions:
Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.

Impact:
BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.

Workaround:
Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.

1003233-3 : SNMP Polling can cause inconsistencies in gtm link stats

Links to More Info: BT1003233

Component: Global Traffic Manager (DNS)

Symptoms:
if the uplink router does not allow SNMP polling, and snmp_link monitor is applied, then GTM stats becomes inconsistent.

Conditions:
The router is not being probed using SNMP

Impact:
Status values inconsistencies occur.

1003081-2 : GRE/TB-encapsulated fragments are not forwarded.

Links to More Info: BT1003081

Component: TMOS

Symptoms:
IP fragments that arrive over a GRE/TB tunnel are not reassembled, and are not forwarded through the BIG-IP system.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP system with more than one TMM instance running.
-- Running a version or Engineering Hotfix that contains a fix for ID997541 (https://cdn.f5.com/product/bugtracker/ID997541.html).
-- GRE Round Robin DAG (the DB variable dag.roundrobin.gre) is enabled.
-- IP fragments arrive over GRE tunnel.

Impact:
BIG-IP system fails to process fragmented IP datagrams.

Workaround:
None

1002809-1 : OSPF vertex-threshold should be at least 100

Links to More Info: BT1002809

Component: TMOS

Symptoms:
OSPF vertex-threshold should be at least 100, but you are able to set it to any number between 0 and 10000000.

Conditions:
-- Using OSPFv2/OSPFv3
-- Configuring the vertex-threshold setting

Impact:
When the setting is less than the default of 100, routes may not be installed properly.

Workaround:
Ensure that vertex-threshold is set to 100 (default) or above.

1002417-1 : Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk

Links to More Info: BT1002417

Component: TMOS

Symptoms:
In a chassis, when the switch needs to forward a packet where the destination MAC address does not exist in the L2 forwarding table (DLF, destination lookup failure), the packet is forwarded to blade one and flooded there. This can lead to interfaces on blade one being more heavily used.

Conditions:
Altering of trunk vlan memberships after failovers will lead to traffic imbalance on egress ports.

Impact:
It may lead to an out of bandwidth condition on interfaces.

1002413-1 : Websso puts quotation marks around non-string claim type 'custom' values

Links to More Info: BT1002413

Component: Access Policy Manager

Symptoms:
When you define a claim to use with OAuth bearer SSO, and the claim-type setting is set to custom, the claim value is treated as a string and encapsulated in quotation marks.

Conditions:
-- OAuth bearer SSO is configured.
-- The OAuth claim value being used is of type 'custom'.

Impact:
The claim value is encapsulated in quotation marks and processed as a string and OAuth does not work properly.

Workaround:
None

1002345-2 : Transparent DNS monitor does not work after upgrade

Links to More Info: BT1002345

Component: In-tmm monitors

Symptoms:
DNS Pool state changes from up to down following an upgrade.

Conditions:
A transparent DNS monitor is configured to use the loopback address.

Impact:
The DNS pool is marked down.

Workaround:
None

1001129-3 : Maximum Login Failures lockout for root and admin

Component: TMOS

Symptoms:
The root/admin account does not lock out when multiple login failures occur.

Conditions:
Local accounts such as root and admin occur multiple login failures.

Impact:
The root or admin account is not locked out. Other accounts are locked out after multiple login failures.

Workaround:
None

1001101-3 : Cannot update/display GTM/DNS listener route advertisement correctly

Links to More Info: BT1001101

Component: Global Traffic Manager (DNS)

Symptoms:
Not able to update/display GTM/DNS listener route advertisement correctly.

Conditions:
Operating from the GUI GTM/DNS listener page.

Impact:
Not able to manage route advertisement from GUI GTM listener page.

Workaround:
Instead of GTM/DNS GUI, use LTM virtual address operations to manage GTM/DNS listener route advertisement.

1001069-3 : VE CPU higher after upgrade, given same throughput

Links to More Info: BT1001069

Component: TMOS

Symptoms:
Significant increase in CPU usage post-upgrade.

Conditions:
-- Upgrading from v13.x to a later version.
-- Configured BIG-IP Virtual Edition (VE) that uses the sock driver.

Impact:
Significant increase in CPU usage, leading to potential degradation or disruption of traffic.

Workaround:
Create the following overrides:
-- In '/config/tmm_init.tcl' add or append the following:
ndal mtu 1500 1137:0043
device driver vendor_dev 1137:0043 xnet

-- In '/config/xnet_init.tcl' add or append the following
device driver vendor_dev 1137:0043 dpdk

Note: These overrides must be re-applied every time an upgrade is done.

1000669-2 : Tmm memory leak 'string cache' leading to SIGFPE

Links to More Info: BT1000669

Component: Access Policy Manager

Symptoms:
SIGFPE core on tmm. The tmm string cache leaks aggressively and memory reaches 100% and triggers a core.

In /var/log/tmm you see an error:

Access encountered error: ERR_OK. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete_callback, Line: 2123

Conditions:
This can be encountered while APM is configured and passing traffic. Specific conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

1000561-3 : Chunk size incorrectly passed to client-side

Links to More Info: BT1000561

Component: Local Traffic Manager

Symptoms:
HTTP/2 Virtual Servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.

Conditions:
-- BIG-IP hardware platform
-- BIG-IP configured with a HTTP/2 virtual server - context client-side with OneConnect and request-logging profile
-- The server sends a chunked response

Impact:
The server-side response is chunked but the chunk size header is passed to the client-side when it should not be.

Workaround:
Change HTTP response-chunking to 'unchunk'.

1000325-2 : UCS load with 'reset-trust' may not work properly if base configuration fails to load

Links to More Info: BT1000325

Component: TMOS

Symptoms:
When loading a UCS archive using the 'reset-trust' option, if the system fails to load the base configuration from the UCS archive, the system may fail to regenerate new device trust certificates and keys.

This can result in subsequent issues, including configuration load failures after an upgrade, such as:

01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Loading a UCS file using the 'reset-trust' option.
-- The system fails to load the base configuration (bigip_base.conf) in the UCS archive for any reason.
-- The base configuration is corrected, and subsequently loaded (e.g., with 'tmsh load sys config').

Impact:
-- The system does not regenerate critical device trust keys and certificates.
-- After a subsequent upgrade, the BIG-IP system goes to INOPERATIVE state, and reports this error:

01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Workaround:
Remove trust-domain from the bigip_base.conf file and reload the configuration.

1000069-1 : Virtual server does not create the listener

Links to More Info: BT1000069

Component: Local Traffic Manager

Symptoms:
A virtual-address is in an offline state.

Conditions:
An address-list is used on a virtual server in a non-default route domain.

Impact:
The virtual IP address remains in an offline state.

Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.



This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information