
Supplemental Document: Release Information: Hotfixes: BIG-IP 11.4.1

Original Publication Date: 09/28/2016

BIG-IP Hotfix Release Information

Version: BIGIP-11.4.1
Build: 711.0
Hotfix Rollup: 11

Cumulative fixes from BIG-IP v11.4.1 Hotfix 10 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 9 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 8 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 7 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.4.1 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.4.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-7 CVE-2016-5745 SOL64743453 CGNAT: NAT64 vulnerability CVE-2016-5745
569467-9 CVE-2016-2084 SOL11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
580596-7 CVE-2013-0169 CVE-2016-6907 SOL14190 SOL39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
494029-1 3-Major During boot the console shows "/etc/rc3.d/S15cluster: line 225: ebtables: command not found"
547047-8 4-Minor Older cli-tools unsupported by AWS


Local Traffic Manager Fixes

ID Number Severity Description
557645-6 3-Major Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.


Application Security Manager Fixes

ID Number Severity Description
465181 3-Major Unhandled connection error in iprepd causes memory leak in iprepd or merged
458295-2 3-Major Memory leaks while connecting to the IP reputation database server using a proxy.


Cumulative fix details for BIG-IP v11.4.1 Hotfix 11 that are included in this release

600662-7 : CGNAT: NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: SOL64743453


580596-7 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: SOL14190 SOL39508724


569467-9 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: SOL11772107


557645-6 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Component: Local Traffic Manager

Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.

Multiple devices in an HA configuration.

TMM incorrectly identifies which TMM should handle host connections from an HA peer.

The host connection is reset once the SYN retransmit limit between TMM and the host process is exceeded.

Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms now behaves the same as host communication on other platforms, as expected.


547047-8 : Older cli-tools unsupported by AWS

Component: TMOS

Symptoms:
Older EC2 tools stopped working in some AWS regions.

Conditions:
This can happen in some AWS regions.

Impact:
BIG-IP high availability configurations may stop working in some AWS regions.

Workaround:
None.

Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.


494029-1 : During boot the console shows "/etc/rc3.d/S15cluster: line 225: ebtables: command not found"

Component: TMOS

Symptoms:
During boot the console shows "/etc/rc3.d/S15cluster: line 225: ebtables: command not found"

Conditions:
The issue occurs during startup on BIG-IP systems which do not support vCMP.

Impact:
This issue is purely cosmetic; it does not affect BIG-IP operation in any way.

Fix:
Console messages about a missing ebtables command no longer appear during BIG-IP system startup.


465181 : Unhandled connection error in iprepd causes memory leak in iprepd or merged

Component: Application Security Manager

Symptoms:
If the BIG-IP system fails to connect to the IP reputation database server (either using a proxy or not), it causes a memory leak in one of the internal daemons (iprepd and/or merged).

Conditions:
IP reputation is enabled and the system fails to connect to the database server (usually because the proxy to the database server is unreachable, or because the outbound connection is broken or absent).

Impact:
This issue causes a slow memory leak in the iprepd or merged daemon.

Workaround:
Repair the proxy or the outbound connection to the IP reputation database server, or turn off IP reputation.

Fix:
Even if the BIG-IP system fails to connect to the IP reputation database server (either using a proxy or not), it no longer causes a memory leak in one of the internal daemons.


458295-2 : Memory leaks while connecting to the IP reputation database server using a proxy.

Component: Application Security Manager

Symptoms:
Memory leaks sometimes occur while connecting to the IP reputation database server using a proxy.

Conditions:
Enable IP reputation and connect using a proxy.

Impact:
Performance may degrade over time and the system may become unresponsive due to memory exhaustion.

Workaround:
None.

Fix:
This release fixes memory leaks that sometimes occurred when connecting to the IP reputation database server using a proxy.




Cumulative fixes from BIG-IP v11.4.1 Hotfix 10 that are included in this release

Note: F5 has recently changed the bug numbering scheme in its bug tracking database. All bugs now have a single version assigned to them, so a bug can have sub-bugs denoted by a '-' followed by the sub-bug number, e.g. 404716-4, where 404716 is the parent bug. The release notes for previous rollups will also reflect this change, so some bug IDs may now include a sub-bug number.

TMOS Fixes

ID Number Severity Description
520466-6 1-Blocking Ability to edit iCall scripts is removed from resource administrator role
527630-5 1-Blocking CVE-2015-1788 : OpenSSL Vulnerability
567484-3 1-Blocking CVE-2015-8705
560180-4 1-Blocking CVE-2015-8000
397431-5 1-Blocking Improved security for Apache.
545762-4 1-Blocking CVE-2015-7394
436849 1-Blocking Front panel port link LEDs do not match the bundle configuration state
567475-3 1-Blocking CVE-2015-8704
513454-1 2-Critical An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts
432039-6 2-Critical Sync status does not update when devices are added or removed from the device cluster
544913-4 2-Critical tmm core while logging from TMM during failover
540846-2 2-Critical CVE 2015-5722
365219-4 2-Critical Trust upgrade fails when upgrading from version 10.x to version 11.x.
495335-3 2-Critical BWC related tmm core
412160-3 2-Critical vCMP provisioning may cause continual tmm crash.
438757-1 2-Critical TMM may crash or may have corrupted SessionDB key value
452318-1 2-Critical Local vulnerability CVE-2014-0050
364978-3 2-Critical Active/standby system configured with unit 2 failover objects
555686-3 2-Critical Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
469296-4 2-Critical MCPD config validation error resulting in error: requested integer (0) is invalid
503600-5 2-Critical TMM core logging from TMM while attempting to connect to remote logging server
540849-2 2-Critical CVE-2015-5986
441573-6 2-Critical Selecting [All] in partition selector may not show all data on list pages
513382-6 2-Critical Resolution of multiple OpenSSL vulnerabilities
529509-3 2-Critical CVE 2015-4620 BIND vulnerability
558573-4 3-Major MCPD restart on secondary blade after updating Pool via GUI
489113-3 3-Major PVA status, statistics not shown correctly in UI
355661-1 3-Major sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
473348-4 3-Major SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
461077-3 3-Major New or replacement hard drives may not be checked for pending sectors
438159-1 3-Major Anonymous Internet Key Exchange (IKE) peer doesn't support pre-shared key
549971-1 3-Major Some changes to virtual servers' profile lists may cause secondary blades to restart
515667-2 3-Major Unique truncated SNMP OIDs.
521144-3 3-Major Network failover packets on the management interface sometimes have an incorrect source-IP
433466-6 3-Major Disabling bundled interfaces affects first member of associated unbundled interfaces
551927-6 3-Major ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
506041-7 3-Major Folders belonging to a device group can show up on devices not in the group
553902-5 3-Major CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196
517020-3 3-Major SNMP requests fail and subsnmpd reports that it has been terminated.
362267-1 3-Major Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
556277 3-Major Config Sync error after hotfix installation (chroot failed rsync error)
494575 3-Major Cannot export cert/key with names longer than 64 characters.
551742 3-Major Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
470756-4 3-Major snmpd cores or crashes with no logging when restarted by sod
526817-2 3-Major snmpd core due to mcpd message timer thread not exiting
533826-1 3-Major SNMP Memory Leak on a VIPRION system.
516669-3 3-Major Rarely occurring SOD core causes failover.
513498-1 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
517388-1 3-Major Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
430205 3-Major getChassisPwr error messages in VIPRION C2000-series chassis when power supply removed.
442115-1 3-Major upgrade to v11.4.1 re-sets trust.configupdatedone to false on chassis
425980 3-Major Blade number not displayed in CPU status alerts
553576-1 3-Major Intermittent 'zero millivolt' reading from FND-850 PSU
455264-1 3-Major Error messages are not clear when adding member to device trust fails
519068-1 3-Major device trust setup can require restart of devmgmtd
540825 3-Major Deletion of non-synchable objects may unexpectedly sync
540767-4 3-Major [RHSA-2015:1636-01] Moderate: net-snmp security update
528276-4 3-Major The device management daemon can crash with a malloc error
544888 3-Major Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
519510-1 3-Major Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
513916-3 3-Major String iStat rollup not consistent with multiple blades
533156-4 3-Major CVE-2015-6546
547532-5 3-Major Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
437285-3 3-Major CVE-2013-3571 CVE-2012-0219 CVE-2010-2799
523863-4 4-Minor istats help not clear for negative increment
536938 4-Minor SELinux Security Enhancements
473163-6 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap
553174-1 4-Minor Unable to query admin IP via SNMP on VCMP guest
541320 4-Minor Sync of tunnels might cause restore of deleted tunnels.
464489 4-Minor Error message 'Error reading cert PEM file [...] Memory exhausted' can be inaccurate (memory is not actually exhausted)
551481-7 4-Minor 'tmsh show net cmetrics' reports bandwidth = 0
413708-1 5-Cosmetic BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.


Local Traffic Manager Fixes

ID Number Severity Description
536690-3 1-Blocking Occasional host-tmm connections within a chassis will fail
527630-4 1-Blocking CVE-2015-1788 : OpenSSL Vulnerability
490225-9 2-Critical Duplicate DNSSEC keys can cause failed upgrade.
456766-1 2-Critical SSL Session resumption with hybrid handshake might fail
528739-3 2-Critical DNS Cache could use cached data from ADDITIONAL sections in ANSWER responses.
517590-4 2-Critical Pool member not turning 'blue' when monitor removed from pool
484948-2 2-Critical UDP connflow may be aborted from a parked iRule in server_closed.
478592-8 2-Critical When using the SSL forward proxy feature, clients might be presented with expired certificates.
538255-3 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
554967-4 2-Critical Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
530963-2 2-Critical BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
530505-1 2-Critical IP fragments can cause TMM to crash when packet filtering is enabled
428712-2 2-Critical Fix SSL Alert sending infinite loop problem
531576-3 2-Critical tmm memory leak in traffic handling
459994-1 2-Critical tmm may crash if default gateway pool contains members that it cannot route to
540568-6 2-Critical TMM core due to SIGSEGV in ifc_list_is_member
523079-3 2-Critical Merged may crash when file descriptors exhausted
533388-3 2-Critical tmm crash with assert "resume on different script"
456078-2 2-Critical Possible SSL crash
529920-3 2-Critical Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
481162-3 2-Critical vs-index is set differently on each blade in a chassis
489329-1 2-Critical Memory corruption can occur with SPDY/HTTP2 filter
424831-3 3-Major State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
533820-2 3-Major DNS Cache response missing additional section
556421-1 3-Major Occasional message length miscalculation in DNS messages over TCP
442539-7 3-Major OneConnect security improvements.
462714-8 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
524666-1 3-Major DNS licensed rate limits might be unintentionally activated.
527027-1 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
525553 3-Major SSL keys are loaded on first use, not at initialization
542031-1 3-Major CMP messages may be lost leading to inconsistent behaviors
348000-7 3-Major HTTP response status 408 request timeout results in error being logged.
364994-5 3-Major Disabling OneConnect must be done on Client and Server sides
515322-3 3-Major Intermittent TMM core when using DNS cache with forward zones
542314-1 3-Major Resolved HSB lockup specific to certain platforms.
536481-5 3-Major Improper handling of TCP options.
543220-2 3-Major Global traffic statistics does not include PVA statistics
537964-1 3-Major Monitor instances may not get deleted during configuration merge load
483267-2 3-Major UDP connflow irule parked in server_closed might abort
539130-4 3-Major bigd may crash due to a heartbeat timeout
431926-3 3-Major The tcp proxy can accidentally resend request or response done events.
527024-1 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
553916-1 3-Major min_path_mtu does not function as designed
485917-6 3-Major BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
532107-3 3-Major [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
488401-1 3-Major proxy_tuple object memory leak.
512062-1 3-Major A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
530829-5 3-Major UDP traffic sent to the host may leak memory under certain conditions.
554295-1 3-Major CMP disabled flows are not properly mirrored
496758-7 3-Major Monitor Parameters saved to config in a certain order may not construct parameters correctly
550689-4 3-Major Resolver H.ROOT-SERVERS.NET Address Change
436681-2 3-Major Add support to disable hw compression provider
525322-3 3-Major Executing tmsh clientssl-proxy cached-certs crashes tmm
454018-5 3-Major Nexthop to tmm0 ref-count leakage could cause TMM core
440311-1 3-Major Virtual Edition Throughput Licensing Improvements
523513-1 3-Major COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
517790-3 3-Major When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
525958-4 3-Major TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
552532-2 3-Major Oracle monitor fails with certain time zones.
528007-1 3-Major Memory leak in ssl
528407-1 3-Major TMM may core with invalid lasthop pool configuration
529899-5 3-Major Installation may fail with the error "(Storage modification process conflict.)".
375887-7 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
522552 3-Major SSL Certificates, Keys, and CRLs load upon configuration load might cause timeout.
534052-1 3-Major VLAN failsafe triggering on standby leaks memory
352925-5 3-Major Updating a suspended iRule and TMM process restart
515995 4-Minor Monitor fails to update Node state when Mcpd also updates Node state
446830-1 4-Minor Current Sessions stat does not increment/decrement correctly.
458872-4 4-Minor Check SACK report before treating as dupack


Global Traffic Manager Fixes

ID Number Severity Description
469033-5 2-Critical Large big3d memory footprint.
471467-2 2-Critical gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
533658-4 2-Critical DNS decision logging can trigger TMM crash
510888-4 3-Major [LC] snmp_link monitor is not listed as available when creating link objects
529460-3 3-Major Short HTTP monitor responses can incorrectly mark virtual servers down.
540576-1 3-Major big3d may fail to install on systems configured with an SSH banner
465951-4 3-Major If the net self description size is 65K, gtmd restarts continuously
546640-2 3-Major tmsh show gtm persist does not work
517582-1 3-Major [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.
526699-2 3-Major TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.


Application Security Manager Fixes

ID Number Severity Description
552139-8 2-Critical A limitation in the pattern matching matrix build-up


Access Policy Manager Fixes

ID Number Severity Description
553330-1 1-Blocking Unable to create a new document with SharePoint 2010
482266-4 1-Blocking Windows 10 support for Network Access / BIG-IP Edge Client
505101-2 2-Critical tmm may panic due to accessing uninitialized memory
556774-5 2-Critical EdgeClient cannot connect through captive portal
451777-8 2-Critical Custom reports Available fields may be broken
569306-7 2-Critical Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
537227-5 2-Critical EdgeClient may crash if special Network Access configuration is used
527799-11 2-Critical OpenSSL library in APM clients updated to resolve multiple vulnerabilities
517988-3 2-Critical TMM may crash if access profile is updated while connections are active
530622-3 2-Critical EAM plugin uses high memory when serving very high concurrent user load
472093-4 2-Critical RCE via uploaded PHP file with a manipulated name
487859-4 3-Major Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
488105-4 3-Major TMM may generate core during certain config change.
528675-6 3-Major BIG-IP EDGE Client can stay in the "disconnecting..." state indefinitely when the captive portal session has expired
529392-4 3-Major Win10 and IE11 are not detected in case of DIRECT rule of proxy autoconfig script
528726-1 3-Major AD/LDAP cache size reduced
539229-3 3-Major Authentication with Oracle Access Manager API can throw an exception while checking if authentication is required.
511893-6 3-Major Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
455493-4 3-Major Cancel button remains enabled
523327-4 3-Major In very rare cases Machine Certificate service may fail to find private key
563670-10 3-Major CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
518550-4 3-Major Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
532522-5 3-Major CVE-2015-1793
549086-4 3-Major Windows 10 is not detected when Firefox is used
526084-4 3-Major Windows 10 platform detection for BIG-IP EDGE Client
509677-4 3-Major Edge-client crashes after switching to network with Captive Portal auth
528622 3-Major apd leaks memory when AD Query agent is used in access policy
552498-3 3-Major APMD basic authentication cookie domains are not processed correctly
492305-3 3-Major Recurring file checker doesn't interrupt session if client machine has missing file
537000-4 3-Major Installation of Edge Client can cause Windows 10 crash in some cases
446860-3 3-Major APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
530697-4 3-Major Windows Phone 10 platform detection
539013-3 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
457603-1 3-Major Cookies handling issue with Safari on iOS6, iOS7
524909-4 3-Major Windows info agent could not be passed from Windows 10
528808 3-Major Source NAT translation doesn't work when APM is disabled using iRule
479451-3 3-Major Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
549588-4 3-Major EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
452010-5 3-Major RADIUS Authentication fails when username or password contain non-ASCII characters
539923-3 3-Major Limited authorized user roles access to reports
472446-5 3-Major Customization Group Template File Might Cause Mcpd to Restart
526275-3 3-Major VMware View RSA/RADIUS two factor authentication fails
490830-5 3-Major Protected Workspace is not supported on Windows 10
474657-4 3-Major BIG-IP Edge Client shows confusing window with text 'avail' after authentication through Captive Portal
526492-4 3-Major DNS resolution fails for Static and Optimized Tunnels on Windows 10
531883-4 3-Major Windows 10 App Store VPN Client must be detected by BIG-IP APM
558631-3 3-Major APM Network Access VPN feature may leak memory
512345-5 3-Major Dynamic user record removed from memcache but remains in MySQL
482145-5 4-Minor Text in buttons not centered correctly for higher DPI settings
524756-2 4-Minor APM Log is filled with errors about failing to add/delete session entry
473685-3 4-Minor Websso truncates cookie domain value
533723-1 4-Minor [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
504461-4 4-Minor Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.


WebAccelerator Fixes

ID Number Severity Description
522231-5 3-Major TMM may crash when a client resets a connection
551010-5 3-Major Crash on unexpected WAM storage queue state


Wan Optimization Manager Fixes

ID Number Severity Description
426482-3 2-Critical System might hang when decompressing large or corrupted files on 2100/2150 blades


Service Provider Fixes

ID Number Severity Description
521556-6 2-Critical Assertion "valid pcb" in TCP4 with ICAP adaptation
430117-1 3-Major DIAMETER can double-free data leading to unpredictable behavior
550434-1 3-Major Diameter connection may stall if server closes connection before CER/CEA handshake completes


Carrier-Grade NAT Fixes

ID Number Severity Description
533562-3 2-Critical Memory leak in CGNAT can result in crash
540571-6 2-Critical TMM cores when multicast address is set as destination IP via iRules and LSN is configured


Cumulative fix details for BIG-IP v11.4.1 Hotfix 10 that are included in this release

569306-7 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected

Component: Access Policy Manager

Symptoms:
The user is shown the logon page to connect to the VPN after logging on to Windows; the Windows logon credentials are not used for the VPN automatically.

Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected

Impact:
The user has to retype the credentials to connect to the VPN.

Workaround:
Enter the credentials again to connect to the VPN.

Fix:
The Windows logon credentials are now used automatically to connect to the VPN.


567484-3 : CVE-2015-8705

Component: TMOS

Symptoms:
CVE-2015-8705

Conditions:
CVE-2015-8705

Impact:
CVE-2015-8705

Workaround:

Fix:
CVE-2015-8705


567475-3 : CVE-2015-8704

Component: TMOS

Symptoms:
CVE-2015-8704

Conditions:
CVE-2015-8704

Impact:
CVE-2015-8704

Workaround:

Fix:
CVE-2015-8704


563670-10 : CVE-2015-3194, CVE-2015-3195, CVE-2015-3196

Component: Access Policy Manager

Symptoms:
CVE-2015-3194: certificate verify crash with missing PSS parameter. CVE-2015-3195: X509_ATTRIBUTE memory leak. CVE-2015-3196: race condition handling PSK identity hint.

Conditions:
CVE-2015-3194: The signature verification routines crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA-PSS algorithm with the mask generation function parameter absent. Since these routines are used to verify certificate signature algorithms, this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application that performs certificate verification is vulnerable, including OpenSSL clients and servers that enable client authentication.
CVE-2015-3195: When presented with a malformed X509_ATTRIBUTE structure, OpenSSL leaks memory. This structure is used by the PKCS#7 and CMS routines, so any application that reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.
CVE-2015-3196: If PSK identity hints are received by a multi-threaded client, the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identity hint data.

Impact:
Exploitation of one of these vulnerabilities could allow an attacker to cause a denial-of-service condition.

Workaround:
https://support.f5.com/kb/en-us/solutions/public/k/86/sol86772626.html
https://support.f5.com/kb/en-us/solutions/public/k/12/sol12824341.html
https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html

Fix:
Applied patches for CVE-2015-3194, CVE-2015-3195, CVE-2015-3196


560180-4 : CVE-2015-8000

Component: TMOS

Symptoms:
CVE-2015-8000

Conditions:
CVE-2015-8000

Impact:
CVE-2015-8000

Workaround:

Fix:
CVE-2015-8000


558631-3 : APM Network Access VPN feature may leak memory

Component: Access Policy Manager

Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.

Conditions:
The APM Network Access feature is configured and VPN connections are being established.

Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.

Workaround:
No workaround short of not using the APM Network Access feature.

Fix:
The APM Network Access VPN feature no longer leaks memory.


558573-4 : MCPD restart on secondary blade after updating Pool via GUI

Component: TMOS

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a pool and then click Update, mcpd and other daemons may restart on secondary blades in the cluster. When this occurs, errors similar to the following are logged on the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Impact:
Daemon restarts, disruption of traffic passing on secondary blades.

Workaround:
Perform pool updates via the tmsh command-line utility.

Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.


556774-5 : EdgeClient cannot connect through captive portal

Component: Access Policy Manager

Symptoms:
EdgeClient cannot connect through captive portal.

Conditions:
1) Install EdgeClient on a PC that connects to the APM through a captive portal.
2) Launch EdgeClient and try to connect to the APM.
3) The system posts certificate warnings. Accept them.
4) The captive portal is not shown to the user.
5) EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.

Impact:
No captive portal is displayed to the user; EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.

Workaround:
None.

Fix:
When EdgeClient is installed on a PC that connects to the APM through a captive portal, the captive portal now opens as expected.


556421-1 : Occasional message length miscalculation in DNS messages over TCP

Component: Local Traffic Manager

Symptoms:
DNS messages over TCP passing through a DNS virtual may be marked as corrupt due to a message length miscalculation.

Conditions:
A virtual must have a DNS profile assigned, a DNS message must be exactly two bytes longer than a multiple of the TCP segment size, and the TCP stack on the DNS client or resolver must bundle the first two bytes (the TCP message length) with the message in the first TCP segment.

Impact:
DNS messages over TCP passing through a DNS virtual may be marked as corrupt due to a message length miscalculation.

Workaround:
Use UDP with EDNS instead of TCP if possible. Alternatively, adjust the TCP MSS setting by a few bytes for the DNS virtual.

Fix:
The DNS message length is now correctly calculated.


556277 : Config Sync error after hotfix installation (chroot failed rsync error)

Component: TMOS

Symptoms:
Once an installation has been booted into, applying a hotfix over that installation leaves the old SELinux policy in use indefinitely.

Conditions:
Installation onto a new volume is unaffected. This only affects installation of a later hotfix on top of an earlier hotfix or a base build of the same software version. Independently of config sync, the condition can be detected by using md5sum to compare /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp and /usr/share/selinux/targeted/f5_mcpd.pp; they should have the same checksum.

Impact:
Sync of file objects may fail with an error similar to the following: 01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..

Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install onto a new volume.


555686-3 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers

Component: TMOS

Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceiver might cause an internal bus to hang.

Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.

Workaround:
None.

Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.


554967-4 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets

Component: Local Traffic Manager

Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut or missing, leading some resolvers to consider the packet malformed.

Conditions:
Primarily via dynamic settings such as iRules on DNS_RESPONSE events adding new records, or DNSSEC record signing with responses over UDP.

Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.

Workaround:
none


554295-1 : CMP disabled flows are not properly mirrored

Component: Local Traffic Manager

Symptoms:
A client connection to a virtual server configured for 'cmp-enabled no' and 'mirror enabled' will be dropped if the standby unit is promoted to active.

Conditions:
The virtual server is configured for 'cmp-enabled no' and 'mirror enabled' on multiple BIG-IP appliances peered in an HA configuration.

Impact:
Mirroring does not work as expected on BIG-IP appliances. (NOTE: CMP is required on VIPRION chassis, so this expectation only applies to appliances.)

Workaround:
Do not disable CMP on virtual servers that are mirrored.

Fix:
Support CMP disabled on mirrored connections between BIG-IP appliances in an HA configuration.


553916-1 : min_path_mtu does not function as designed

Component: Local Traffic Manager

Symptoms:
A route metrics mtu value lower than min_path_mtu could be set.

Conditions:
An mtu lower than min_path_mtu.

Impact:
The db variable min_path_mtu was not correctly enforced, with unexpected results in certain conditions.

Workaround:
none

Fix:
Resolved the error to ensure min_path_mtu is enforced as the lowest mtu value, as designed.


553902-5 : CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196

Component: TMOS

Symptoms:
CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196

Conditions:
CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG)
CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA)
CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS)
CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS)
CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS)
CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS)
CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat)
CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University)
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable)

Impact:
Exploitation of some of these vulnerabilities may allow an attacker to cause a denial-of-service (DoS) condition.

Workaround:
See the bugs/links below for mitigation: http://support.ntp.org/bin/view/Main/NtpBug<number>
Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG)
Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA)
Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS)
Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS)
Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS)
Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS)
Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
Bug 2902 CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat)
Bug 2901 CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University)
Bug 2899 CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable)

Fix:
Applied patches for CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196


553576-1 : Intermittent 'zero millivolt' reading from FND-850 PSU

Component: TMOS

Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage. Specific symptoms include:
- SNMP alert 'bigipSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged: emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low. [where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
Note that this condition may affect either PSU 1 or PSU 2.

Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.

Impact:
There is no impact; these error messages are benign.

Workaround:
None.

Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.


553330-1 : Unable to create a new document with SharePoint 2010

Component: Access Policy Manager

Symptoms:
Unable to create a new document with SharePoint 2010. An error is given: "The Internet address https://ip:port/shared documents/forms/template.dotx is not valid".

Conditions:
Create a new document using the "New Document" button.

Impact:
User cannot create a new document with SharePoint 2010.

Workaround:
none

Fix:
You can create a new document with Microsoft SharePoint 2010.


553174-1 : Unable to query admin IP via SNMP on VCMP guest

Component: TMOS

Symptoms:
The admin IP address is not returned via ipAdEntAddr.

Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.

Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.

Workaround:
none


552532-2 : Oracle monitor fails with certain time zones.

Component: Local Traffic Manager

Symptoms:
Occasionally, the OJDBC driver reads a time zone file that it cannot understand, which causes Oracle monitors to fail.

Conditions:
- The system uses ojdbc6.jar for Oracle monitor functionality.
- The UTC time zone is configured.
- Contents of the /usr/share/zoneinfo directory are arranged so that the 'UTC' file is not the first in the list.
(Versions prior to 10.2.4 use the 1.4-compatible ojdbc14.jar driver. The ojdbc6.jar OJDBC driver, as supplied by Oracle for Java 6 (aka 1.6), auto-detects the local system's time zone name by scanning and comparing files under /usr/share/zoneinfo. The filenames are created during installation, and seem to depend on the 'Directory Hash Seed' of the /usr filesystem, so there is no predictable result.)

Impact:
Cannot use direct Oracle monitoring to ensure the backend is functionally operational. The OJDBC driver seems to negotiate the time zone for the session, and instead of 'UTC', it attempts to change the time zone to 'Universal', 'Zulu', 'Etc/Universal', or 'Etc/Zulu', which causes the monitor to fail and not execute the actual monitoring. Note: Other time zones might be affected. For example, a similar issue might happen with the time zone set to GMT, which can become 'Greenwich' because of the same functionality.

Workaround:
Although there is no reliable workaround, reinstalling might resolve the issue, as may using another time zone.

Fix:
Oracle monitor functions now as expected with UTC and other time zones.


552498-3 : APMD basic authentication cookie domains are not processed correctly

Component: Access Policy Manager

Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to back end servers.

Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.

Impact:
Cookies assigned during the authentication handshake might not be sent to back end servers.

Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.

Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.


552139-8 : A limitation in the pattern matching matrix builtup

Component: Application Security Manager

Symptoms:
The signature configuration is not building up upon adding new signatures. This can look like a configuration change is not finishing, or if it does, it may result in crashes when the bd starts up resulting in constant startups.

Conditions:
Too many signatures are configured, including custom signatures. The exact number varies (depending on the signatures) but is on the order of hundreds.

Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).

Workaround:
Workarounds are possible only in a custom signature scenario, and only by configuring fewer signatures or removing unused signatures.

Fix:
A limitation in the attack signature engine was fixed.


551927-6 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition

Component: TMOS

Symptoms:
On an ePVA-capable platform with a FastL4 profile and asymmetric routing on the client side, LTM is observed to send packets to the client with the wrong VLAN and correct MAC address (or the correct VLAN and wrong MAC address) and an undecremented TTL.

Conditions:
FastL4 profile and asymmetric routing on the client side.

Impact:
Return traffic could use the wrong VLAN.

Workaround:
none

Fix:
Use the nexthop VLAN for ePVA transformation of offloaded flows when available, instead of the incoming VLAN.


551742 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades

Component: TMOS

Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors from an unknown source. This fix mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated by the following message in the ltm log: Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)

Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.

Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.

Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.


551481-7 : 'tmsh show net cmetrics' reports bandwidth = 0

Component: TMOS

Symptoms:
'tmsh show net cmetrics' reports bandwidth = 0

Conditions:
The TCP profile enables cmetrics-cache, and the connection involves at least 4 RTT updates.

Impact:
User cannot view cmetrics data.

Workaround:
For 12.0.0 and later, you can get this data using the ROUTE::bandwidth iRule. For earlier versions, there is no workaround.

Fix:
Properly compute bandwidth with the formula cwnd/rtt.


551010-5 : Crash on unexpected WAM storage queue state

Component: WebAccelerator

Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.

Conditions:
WAM is configured on a virtual server with request queuing enabled.

Impact:
Crash

Workaround:
none

Fix:
Gracefully recover from unexpected WAM storage queue state


550689-4 : Resolver H.ROOT-SERVERS.NET Address Change

Component: Local Traffic Manager

Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will be good for 6 months after the change, and then the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. More details http://h.root-servers.org/renumber.html

Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET

Impact:
Incorrect address for a root-server means no response to that query.

Workaround:
There are 12 other root-servers to also provide answers to TLD queries, so this is cosmetic, but the addresses still needed to be updated to fit with the change.

Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). More details here: http://h.root-servers.org/renumber.html


550434-1 : Diameter connection may stall if server closes connection before CER/CEA handshake completes

Component: Service Provider

Symptoms:
Serverside connection stalls. Connection is not torn down and packets are not forwarded to serverside.

Conditions:
Selected pool member closes (via FIN) connection before sending CEA as part of Diameter handshake.

Impact:
Connection stalls until handshake timeout and then it is reset.

Workaround:
none

Fix:
Serverside diameter connections will be immediately reset if FIN is received before CEA (Capabilities-Exchange-Answer).


549971-1 : Some changes to virtual servers' profile lists may cause secondary blades to restart

Component: TMOS

Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.

Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.

Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.

Workaround:
You should explicitly set the ip-protocol when changing the profiles of a virtual server. Then this bug will not occur.

Fix:
If a virtual server's ip-protocol was not set, then some changes to the list of attached profiles would cause a validation error on secondary blades. This would cause those blades to restart. This issue has been fixed.


549588-4 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Component: Access Policy Manager

Symptoms:
EAM memory growing and OOM kills EAM process under memory pressure.

Conditions:
When an authentication request is redirected to the IdP (a redirect URL is present), a Cookie object is constructed for the obSSOCookie. A pointer to this Cookie object is added to the cookieMap. When the connection closes, only the cookieMap is deleted; the orphaned Cookie object causes a memory leak.

Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.

Workaround:
No Workaround

Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.


549086-4 : Windows 10 is not detected when Firefox is used

Component: Access Policy Manager

Symptoms:
Windows 10 is not detected when the Firefox browser is used.

Conditions:
Windows 10 and Firefox (at least versions 40 and 41).

Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.

Workaround:
There is no workaround.

Fix:
Now Windows 10 is properly detected with the Firefox browser.


547532-5 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades

Component: TMOS

Symptoms:
Error messages similar to the following are present in the ltm log:
-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.

Conditions:
A chassis-based system with multiple blades. A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).

Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.

Workaround:
Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.

Fix:
Ensured that the complete state for addresses in the default route domain is propagated to secondary blades.


546640-2 : tmsh show gtm persist does not work

Component: Global Traffic Manager

Symptoms:
The following commands fail to return results even if there are matching records:
# tmsh show gtm persist level wideip
# tmsh show gtm persist target-type pool-member

Conditions:
N/A

Impact:
The customer cannot get granular detail for persist stats.

Workaround:
Use GUI.


545762-4 : CVE-2015-7394

Component: TMOS

Symptoms:
CVE-2015-7394

Conditions:
CVE-2015-7394

Impact:
CVE-2015-7394

Workaround:

Fix:
CVE-2015-7394


544913-4 : tmm core while logging from TMM during failover

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server when an HA failover occurs.

Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over.
The crash occurs on the HA member which was the Primary member prior to the failover.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards such messages or directs them to local syslog.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.


544888 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.

Fix:
Once the TCP connection reaches established state, the idle timeout is now set to the value found in the associated profile. By default the profile timeout value is 300 seconds.


543220-2 : Global traffic statistics do not include PVA statistics

Component: Local Traffic Manager

Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.

Conditions:
Hardware acceleration enabled.

Impact:
Statistics discrepancy in global traffic statistics.

Workaround:
None.

Fix:
Global traffic statistics now include the correct PVA statistics in the GUI and in TMSH.


542314-1 : Resolved HSB lockup specific to certain platforms.

Component: Local Traffic Manager

Symptoms:
A rare condition could result in High-speed bridge (HSB) lockup on a 3900, 6900, 8900, 8950, 11000, 11050, PB100 or PB200 platform. In the LTM log, you can see the message: Interface 0.x: HSB DMA lockup on transmitter failure.

Conditions:
Undisclosed conditions.

Impact:
HSB lockup results in a reboot.

Workaround:
None.

Fix:
Rare HSB lockup on a 3900, 6900, 8900, 8950, 11000, 11050, PB100 or PB200 platform no longer occurs.


542031-1 : CMP messages may be lost leading to inconsistent behaviors

Component: Local Traffic Manager

Symptoms:
Features that utilize CMP messages may exhibit inconsistent behavior.

Conditions:
Upon receiving a CMP message, the tmm processes an internal event that sends a CMP message, which overwrites the incoming message before it has been processed.

Impact:
Some examples: ARP failures, persistence failures, and connection stalling.

Workaround:
None.

Fix:
Incoming CMP messages are no longer overwritten before they have been processed.


541320 : Sync of tunnels might cause restore of deleted tunnels.

Component: TMOS

Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.

Conditions:
Viewing tunnels after a full load sync.

Impact:
This might result in a deleted tunnel being restored to the configuration.

Workaround:
None.

Fix:
Sync of tunnels no longer causes restore of deleted tunnels.


540849-2 : CVE-2015-5986

Component: TMOS

Symptoms:
CVE-2015-5986.

Conditions:
CVE-2015-5986.

Impact:
CVE-2015-5986.

Workaround:
None.

Fix:
Resolved CVE-2015-5986. See AskF5 Solution Article SOL17227: BIND vulnerability CVE-2015-5986, available here https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17227.html.


540846-2 : CVE-2015-5722

Component: TMOS

Symptoms:
CVE-2015-5722.

Conditions:
See AskF5 solution article SOL17181: BIND vulnerability CVE-2015-5722, available here https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17181.html.

Impact:
CVE-2015-5722.

Workaround:
None.

Fix:
Resolved CVE-2015-5722. See AskF5 solution article SOL17181: BIND vulnerability CVE-2015-5722, available here https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17181.html.


540825 : Deletion of non-synchable objects may unexpectedly sync

Component: TMOS

Symptoms:
Under certain conditions, the deletion of non-synchable objects may unexpectedly sync.

Conditions:
This is known to happen for the association between route domains and VLANs. It only happens for incremental sync, not full load.

Impact:
Sync may either fail (if the object does not exist on the other end) or succeed with unexpected results (the deletion of the object).

Workaround:
Perform a full load sync. To do this, either temporarily set the device group's full-load-on-sync flag to true, or use the 'Overwrite Configuration' checkbox in the GUI when performing the sync operation.

Fix:
Under certain conditions, the deletion of non-synchable objects would unexpectedly sync. This no longer happens.


540767-4 : [RHSA-2015:1636-01] Moderate: net-snmp security update

Component: TMOS

Symptoms:
It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables.

Conditions:
none

Impact:
A remote, unauthenticated attacker could use this flaw to crash snmpd or, potentially, execute arbitrary code on the system with the privileges of the user running snmpd. (CVE-2015-5621)

Workaround:
none

Fix:
Upgraded to net-snmp-5.5-54.el6_7.1.


540576-1 : big3d may fail to install on systems configured with an SSH banner

Component: Global Traffic Manager

Symptoms:
When a BIG-IP system is configured to display a banner at SSH login, big3d_install may be unable to update the big3d daemon on that device.

Conditions:
sshd banner enabled.

Impact:
big3d_install fails to install big3d on the target remote BIG-IP system.

Workaround:
1. Disable the SSH banner on the target device: tmsh modify /sys sshd banner disabled
2. Add the target: bigip_add target_name
3. Re-enable the SSH banner: tmsh modify /sys sshd banner enabled

Fix:
big3d now installs correctly on systems configured with an SSH banner.


540571-6 : TMM cores when multicast address is set as destination IP via iRules and LSN is configured

Component: Carrier-Grade NAT

Symptoms:
TMM may core when an iRule changes the destination address of a connection to use a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route with no interface designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface.

Conditions:
- CGNAT enabled and LSN pools configured on an active virtual server that accepts traffic.
- On the same virtual server, an iRule is configured that changes the destination IP to a multicast address in the 224.0.0.0/24 network.

Impact:
TMM crashes, interrupting traffic flow.

Workaround:
There are two workarounds:
-- Remove the offending iRule that is sending traffic to the 224.0.0.0/24 network.
-- Prevent traffic from using that destination in the iRule.

Fix:
TMM no longer cores when multicast address is set as destination IP via iRules and LSN is configured. Now, the system fails connections when the route's IFC is null, which is correct behavior.


540568-6 : TMM core due to SIGSEGV in ifc_list_is_member

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown.

Impact:
TMM crashes, interrupting traffic flow.

Workaround:
None.


539923-3 : Limited authorized user roles access to reports

Component: Access Policy Manager

Symptoms:
Limited authorized user roles access to reports.

Conditions:
Limited authorized user roles access to reports.

Impact:
Limited authorized user roles access to reports.

Workaround:
N/A

Fix:
Limited authorized user roles access to reports.


539229-3 : Authentication with Oracle Access Manager API can throw an exception while checking if authentication is required.

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager API can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
A core is triggered when the ASDK throws ObAccessRuntimeException because it fails to return the boolean value indicating whether authentication is required.

Impact:
Without the fix, the unhandled exception causes an EAM core and a service outage. With the fix, the exception is handled gracefully and an error page with an error message is returned to the end user. The process does not core.

Workaround:
No workaround

Fix:
EAM handles exceptions gracefully during the authentication process, when Oracle ASDK API determines whether authentication is required and determines the authentication type.


539130-4 : bigd may crash due to a heartbeat timeout

Component: Local Traffic Manager

Symptoms:
bigd crashes and generates a core file. The system logs entries in /var/log/ltm that are similar to the following:
sod[5853]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.
This issue is more likely to occur if /var/log/ltm contains entries similar to the following:
info bigd[5947]: reap_child: child process PID = 9198 exited with signal = 9.

Conditions:
External monitors that run for a long time and are killed by the next iteration of the monitor. For example, the LTM external monitor 'sample_monitor' contains logic to kill a running monitor if it runs too long.

Impact:
bigd crashes and generates a core file. Monitoring is interrupted.

Workaround:
None.

Fix:
External monitors that run for a long time and are killed by the next iteration of the monitor now recover without bigd crashing and generating a core file.


539013-3 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- Running Microsoft Windows version 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.

Fix:
After the VPN connection has been established, DNS resolution now works on a Windows 10 desktop with multiple NICs where one of them is in a disconnected state and has a statically assigned IPv4 configuration.


538255-3 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a BIG-IP 2000 or 4000 platform might experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.

Impact:
TMM cores.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


537964-1 : Monitor instances may not get deleted during configuration merge load

Component: Local Traffic Manager

Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted. This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following: err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.

Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.

Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:
1. Save and re-load the configuration to correct the incorrect information in mcpd: tmsh save sys config partitions all && tmsh load sys config partitions all
2. Restart bigd. On an appliance: bigstart restart bigd. On a chassis: clsh bigstart restart bigd

Fix:
Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.


537227-5 : EdgeClient may crash if special Network Access configuration is used

Component: Access Policy Manager

Symptoms:
EdgeClient crashes during connect or disconnect process. Exact time may differ from time to time.

Conditions:
EdgeClient may crash if the Network Access configuration includes all of the following:
- Full-tunnel
- Allow DHCP or Allow Local Subnets is used
- There is a proxy between the client and APM

Impact:
EdgeClient crashes prevent Network Access from working.

Workaround:
Remove one of the conditions that cause the crash.

Fix:
BIG-IP Edge Client now correctly processes particular Network Access configurations.


537000-4 : Installation of Edge Client can cause Windows 10 crash in some cases

Component: Access Policy Manager

Symptoms:
Connecting to an APM box that has support for Windows 10 can cause the OS to crash. After a reboot, the next attempt is successful.

Conditions:
- Windows 10
- APM box supporting Windows 10
- The user installed the F5 VPN driver from an APM box that does not support Windows 10

Impact:
The user can lose some data.

Workaround:
Before connecting, old VPN driver instances must be manually removed using Device Manager.

Fix:
Installation of Edge Client on Windows 10 no longer causes a system crash.


536938 : SELinux Security Enhancements

Component: TMOS

Symptoms:
SELinux permissions violation found in internal F5 testing.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
SELinux permissions updated to eliminate permissions violation found in internal F5 testing.


536690-3 : Occasional host-tmm connections within a chassis will fail

Component: Local Traffic Manager

Symptoms:
When using features that require a process on the host to connect to a specific tmm within a chassis, those connections sometimes fail. This can result in improper behavior of the feature, such as failure to create sessions in APM.

Conditions:
Using a module and feature that requires host-tmm communication within a chassis. Requires that the fix to ID 499430 be present.

Impact:
Possible service failure, such as disallowing entry to APM.

Workaround:
none

Fix:
Host-tmm connections within a chassis no longer fail.


536481-5 : Improper handling of TCP options.

Component: Local Traffic Manager

Symptoms:
TCP options may not fit in the MTU.

Conditions:
Undisclosed conditions

Impact:
Box crashes.

Workaround:
Set tm.minpathmtu to at least 80. Disable TCP SACK, Fast Open, and MPTCP.

Fix:
Changed the TCP code to check the TCP option values and, when appropriate, terminate the connection without crashing.


534052-1 : VLAN failsafe triggering on standby leaks memory

Component: Local Traffic Manager

Symptoms:
Memory is leaked when VLAN failsafe is active and sending ICMP probes.

Conditions:
VLAN failsafe active and sending ICMP probes on standby and configured with failsafe-action failover.

Impact:
Memory leak causing aggressive sweeper and eventually TMM crash on standby.

Workaround:
None.

Fix:
Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes.


533826-1 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system.


533820-2 : DNS Cache response missing additional section

Component: Local Traffic Manager

Symptoms:
Resolver cache lookups are missing authority and additional sections.

Conditions:
Resolver cache lookups could be missing the authority and additional sections for A and AAAA queries if the DO bit is also not set.

Impact:
If the requesting client needs the information that would normally be included in the authority or additional sections, it would have to make additional queries to acquire that data.

Workaround:
none

Fix:
The resolver cache now correctly includes the authority and additional sections when that information is available.


533723-1 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.

Component: Access Policy Manager

Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.

Conditions:
The web application dynamically creates HTML content on the client side that contains a textarea tag.

Impact:
The web application might malfunction.

Workaround:
There is no workaround at this time.

Fix:
Content rewriting is suppressed on the client side for the textarea tag.


533658-4 : DNS decision logging can trigger TMM crash

Component: Global Traffic Manager

Symptoms:
Applying load balance decision logging to the DNS profile can cause TMM to crash when a query is load balanced to a last resort pool that is unavailable.

Conditions:
-- DNS load balance decision logging is enabled on the DNS profile.
-- A Wide IP is configured with a last resort pool.
-- The last resort pool is unavailable.
-- A query is load balanced to the last resort pool.

Impact:
TMM crashes and restarts.

Workaround:
Disable decision logging for the DNS profile, or discontinue use of the last resort pool feature.

Fix:
DNS decision logging no longer causes TMM to crash when a last resort pool is configured for a Wide IP, that last resort pool is unavailable, and a query is load balanced to that last resort pool.


533562-3 : Memory leak in CGNAT can result in crash

Component: Carrier-Grade NAT

Symptoms:
tmm leaks cmp memory, resulting in crash. 'tmctl memory_usage_stat' reports very high cmp memory utilization.

Conditions:
Configure hairpin mode or inbound connection handling set to automatic.

Impact:
BIG-IP system might run out of memory and crash.

Workaround:
Avoid hairpin mode or inbound connection handling set to automatic.

Fix:
Fixed CGNAT memory leak that occurred when configured for hairpin mode or when inbound connection handling is set to automatic.


533388-3 : tmm crash with assert "resume on different script"

Component: Local Traffic Manager

Symptoms:
In a rare race condition involving stalled server-side TCP connections on which a RST is received, together with an asynchronously executing client-side iRule for the CLIENT_CLOSED event, tmm can crash with the assert "resume on different script".

Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.

Impact:
tmm crashes and restarts. Traffic will stop flowing while tmm is restarting.

Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g. those that use 'after' or 'table' or 'session' commands - this is not an exhaustive list).

Fix:
tmm no longer crashes with assert "resume on different script"


533156-4 : CVE-2015-6546

Component: TMOS

Symptoms:
CVE-2015-6546

Conditions:
CVE-2015-6546

Impact:
CVE-2015-6546

Workaround:

Fix:
CVE-2015-6546


532522-5 : CVE-2015-1793

Component: Access Policy Manager

Symptoms:
Resolved vulnerabilities in OpenSSL. CVE-2015-1793

Conditions:
CVE-2015-1793

Impact:
CVE-2015-1793

Workaround:

Fix:
OpenSSL library in APM clients updated to resolve vulnerabilities in OpenSSL. CVE-2015-1793


532107-3 : [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted

Component: Local Traffic Manager

Symptoms:
If the RTT value for the nameserver cache has reached the maximum value of 120000, BIG-IP still keeps the past maximum RTT value even after 'delete ltm dns cache nameserver' is executed.

Conditions:
The RTT for the nameserver cache reached the maximum value of 120000.

Impact:
Usability and customer confusion.

Workaround:
Change the size of nameserver-cache-count to reset the nameserver cache:
# tmsh modify /ltm dns cache resolver my_dns_cache nameserver-cache-count 16536

Fix:
Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior.


531883-4 : Windows 10 App Store VPN Client must be detected by BIG-IP APM

Component: Access Policy Manager

Symptoms:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via client type agent

Conditions:
Windows 10 App Store VPN Client, BIG-IP APM, client type agent

Impact:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box

Workaround:

Fix:
Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box via client type agent


531576-3 : tmm memory leak in traffic handling

Component: Local Traffic Manager

Symptoms:
In certain scenarios TMM may suffer from a memory leak while handling certain types of TCP traffic.

Conditions:
Undisclosed conditions for packet processing.

Impact:
TMM will leak memory.

Workaround:

Fix:
TMM no longer leaks memory while processing certain types of TCP traffic.


530963-2 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms

Component: Local Traffic Manager

Symptoms:
The BIG-IP does not verify every byte in the Finished message of a TLS handshake, but it does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card but the affected TLS connection is not accelerated by the Cavium SSL accelerator card. The following lists some examples of when a TLS connection is not accelerated by the Cavium card:
  * The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x).
* The BIG-IP platform does not contain a Cavium SSL accelerator card. The following lists the BIG-IP platforms that do not contain a Cavium SSL accelerator card:
  * BIG-IP 2000 platforms
  * BIG-IP 4000 platforms
  * BIG-IP Virtual Edition

Impact:
F5 believes the reported behavior does not have security implications at this time.

Workaround:
None.

Fix:
BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms. F5 does not consider this behavior a vulnerability.
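The entry above turns on one detail of the TLS 1.2 handshake: the Finished message carries 12 bytes of verify_data derived from the master secret and the handshake transcript, and a receiver that does not compare every one of those bytes will accept a Finished message that does not match the transcript. The following is an added example, not F5 code and not a description of how TMM implements the check. It computes verify_data exactly as RFC 5246 specifies (PRF with P_SHA256) and contrasts a full constant-time comparison with a prefix-only comparison. The master secret, transcript bytes and the 4-byte prefix length are constructed for illustration; the entry does not say how many bytes were skipped. As the entry notes, the record-layer MAC on the Finished message is still validated, which is why F5 rates the behavior as having no security impact.

```python
import hashlib
import hmac

# Added example (not F5 code): the TLS 1.2 Finished computation from RFC 5246
# and the difference between a full and a prefix-only verify_data comparison.


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246, section 5)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def tls12_finished_verify_data(master_secret: bytes, handshake_messages: bytes, role: str) -> bytes:
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0:12]."""
    label = b"client finished" if role == "client" else b"server finished"
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return tls12_prf(master_secret, label, transcript_hash, 12)


def verify_finished_full(expected: bytes, received: bytes) -> bool:
    """Correct check: every byte is compared, in constant time."""
    return hmac.compare_digest(expected, received)


def verify_finished_prefix(expected: bytes, received: bytes, n: int) -> bool:
    """Defective check: only the first n bytes are compared (illustrative only)."""
    return len(received) == len(expected) and received[:n] == expected[:n]


# Constructed sample values; these are not from a real handshake.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"


def demo() -> dict:
    expected = tls12_finished_verify_data(MASTER_SECRET, TRANSCRIPT, "client")
    # Flip one bit in the last byte: a Finished message that does not match the transcript.
    tampered = expected[:-1] + bytes([expected[-1] ^ 0x01])
    return {
        "verify_data_len": len(expected),
        "full_accepts_genuine": verify_finished_full(expected, expected),
        "full_accepts_tampered": verify_finished_full(expected, tampered),
        "prefix_accepts_tampered": verify_finished_prefix(expected, tampered, 4),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The full comparison rejects the tampered message while the prefix comparison accepts it; the fix consists of comparing all 12 bytes, as verify_finished_full does, rather than any subset of them.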


530829-5 : UDP traffic sent to the host may leak memory under certain conditions.

Component: Local Traffic Manager

Symptoms:
Possible memory leak with UDP traffic.

Conditions:
When UDP traffic is sent to the host.

Impact:
If memory leak becomes large enough over time, there could be a reboot.

Workaround:
Block UDP traffic to the host.

Fix:
Memory no longer leaks when UDP traffic is sent to the host.


530697-4 : Windows Phone 10 platform detection

Component: Access Policy Manager

Symptoms:
Windows Phone 10 platform is not currently detected

Conditions:
Windows Phone 10 platform, BIG-IP APM system

Impact:
Windows Phone 10 platform is not detected correctly by BIG-IP

Workaround:

Fix:
Windows Phone 10 platform is detected correctly now.


530622-3 : EAM plugin uses high memory when serving very high concurrent user load

Component: Access Policy Manager

Symptoms:
EAM plugin cannot sustain high concurrent user load and will be killed by memory monitors. EAM is cored and restarted. Any requests coming during restart will not be served.

Conditions:
We found this issue in stress testing, and it was reported by customers during high concurrent user load.

Impact:
As a result, EAM cored and restarted; users cannot authenticate during process restart.

Workaround:
No workaround.

Fix:
There was a memory usage issue in the EAM plugin that was caused by a huge object allocation for each connection. This issue is fixed by reducing the default size of client cert and payload arrays.


530505-1 : IP fragments can cause TMM to crash when packet filtering is enabled

Component: Local Traffic Manager

Symptoms:
TMM can crash when an IP fragment is received and packet filtering is enabled.

Conditions:
This issue can occur when packet filtering is enabled and an IP fragment is received on the non-owning TMM. To determine whether packet filtering is enabled, query the packetfilter setting with the 'tmsh list sys db packetfilter' command.

Impact:
TMM crashes when it attempts to forward the fragment to the owning TMM. Traffic interruption while TMM restarts.

Workaround:
Disable packet filtering.

Fix:
When packet filtering is enabled and an IP fragment is received on the non-owning TMM, TMM forwards the IP fragment without issue.


529920-3 : Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit.

Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.

Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.

Workaround:
None.

Fix:
Connection mirroring on a OneConnect virtual server now successfully recovers from a TMM crash during connection establishment, so no mirrored connection flows are lost.


529899-5 : Installation may fail with the error "(Storage modification process conflict.)".

Component: Local Traffic Manager

Symptoms:
On chassis, installation may fail with the error "(Storage modification process conflict.)".

Conditions:
Unknown.

Impact:
Minimal; the installation can be restarted.

Workaround:
Delete the failed volume and restart the installation.

Fix:
On chassis, there was one possible case where the installation would occasionally fail with the error "(Storage modification process conflict.)". This case has been fixed.


529509-3 : CVE 2015-4620 BIND vulnerability

Component: TMOS

Symptoms:
A flaw was found in the way BIND performed DNSSEC validation.

Conditions:
Red Hat Product Security has rated this update as having Important security impact. Due to F5 architecture and design this has restricted impact: it can only impact GTM, and only in a non-default configuration.

Impact:
An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure. (CVE-2015-4620)

Workaround:

Fix:
Upgrade to the latest version.


529460-3 : Short HTTP monitor responses can incorrectly mark virtual servers down.

Component: Global Traffic Manager

Symptoms:
Despite successful probe response, BIG-IP DNS marks virtual server down.

Conditions:
HTTP server sends HTTP response that is shorter than 64 bytes.

Impact:
Virtual servers are incorrectly marked down.

Workaround:
Modify server response or use a TCP monitor.

Fix:
The BIG-IP DNS HTTP/1.x monitor probe now requires 17, rather than 64, bytes of response payload, so HTTP responses shorter than 64 bytes no longer incorrectly mark virtual servers down.


529392-4 : Win10 and IE11 are not determined in case of DIRECT rule of proxy autoconfig script

Component: Access Policy Manager

Symptoms:
Windows 10 and Internet Explorer 11 are not determined when a DIRECT rule is used to connect to BIG-IP in a locally configured proxy autoconfig script.

Conditions:
Local proxy autoconfig script, DIRECT rule for the BIG-IP virtual server, Internet Explorer 11.

Impact:
Internet Explorer 11 is not detected properly.

Workaround:

Fix:
Internet Explorer 11 on Microsoft Windows 10 is now detected correctly if the local proxy autoconfig script is configured with a DIRECT rule for BIG-IP.


528808 : Source NAT translation doesn't work when APM is disabled using iRule

Component: Access Policy Manager

Symptoms:
Source NAT translation does not happen and server-side connection fails.

Conditions:
ACCESS::disable iRule is added to the virtual server.

Impact:
Proxy's server-side connection fails.

Workaround:
Do not use the ACCESS::disable iRule command.

Fix:
Source address translation is now restored correctly even if an iRule has disabled APM.


528739-3 : DNS Cache could use cached data from ADDITIONAL sections in ANSWER responses.

Component: Local Traffic Manager

Symptoms:
The DNS Cache could use cached data from ADDITIONAL sections of previous lookups in the ANSWER section of responses.

Conditions:
DNS Cache

Impact:
The data from the ADDITIONAL section should not be used in the ANSWER section of DNS responses. The data could be stale or incorrect.

Workaround:
None

Fix:
The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.
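The entry above describes a resolver cache that lost track of which response section a record came from, so glue learned from an ADDITIONAL section could later be served as an ANSWER. The following toy cache is an added example, not F5 code and not a description of TMM's DNS Cache internals; it tags every cached record with its originating section and, in strict mode, only promotes ANSWER-section data into an answer. The upstream response, names and 192.0.2.x addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example (not F5 code): a toy resolver cache that records which response
# section each RR came from, so ADDITIONAL-section data is never served as an ANSWER.


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """Simplified DNS response: the question plus the three record sections."""
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


class ResolverCache:
    def __init__(self, strict_sections: bool) -> None:
        # strict_sections=False reproduces the behaviour the entry describes;
        # strict_sections=True is the corrected behaviour.
        self.strict_sections = strict_sections
        # (owner name, type) -> list of (rdata, section the record was learned from)
        self._store: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}

    def ingest(self, resp: Response) -> None:
        """Cache every RR together with the section it was learned from."""
        for section, rrs in (("answer", resp.answer),
                             ("authority", resp.authority),
                             ("additional", resp.additional)):
            for rr in rrs:
                key = (rr.name.lower(), rr.rtype)
                self._store.setdefault(key, []).append((rr.rdata, section))

    def answer(self, qname: str, qtype: str) -> List[str]:
        """Return the rdata eligible for the ANSWER section of a cached response.

        An empty list means the cache has nothing it may answer with and a real
        upstream lookup is required; glue stays available for its own purpose.
        """
        entries = self._store.get((qname.lower(), qtype), [])
        if self.strict_sections:
            entries = [e for e in entries if e[1] == "answer"]
        return [rdata for rdata, _ in entries]


def build_demo_caches() -> Tuple[ResolverCache, ResolverCache]:
    # Constructed upstream response for www.example.net: the ADDITIONAL section
    # carries an A record for a different name (glue for the NS in AUTHORITY).
    upstream = Response(
        qname="www.example.net", qtype="A",
        answer=[RR("www.example.net", "A", "192.0.2.10")],
        authority=[RR("example.net", "NS", "ns.glue.example")],
        additional=[RR("ns.glue.example", "A", "192.0.2.53")],
    )
    lenient = ResolverCache(strict_sections=False)
    strict = ResolverCache(strict_sections=True)
    lenient.ingest(upstream)
    strict.ingest(upstream)
    return lenient, strict


if __name__ == "__main__":
    lenient, strict = build_demo_caches()
    print("lenient ns.glue.example A ->", lenient.answer("ns.glue.example", "A"))
    print("strict  ns.glue.example A ->", strict.answer("ns.glue.example", "A"))
```

A later query for ns.glue.example A is answered from glue by the lenient cache, which is the stale-or-incorrect data the entry warns about; the strict cache returns nothing for that name and forces a real resolution, while still answering www.example.net from its ANSWER-section data.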


528726-1 : AD/LDAP cache size reduced

Component: Access Policy Manager

Symptoms:
When the AD or LDAP Query module builds a group cache, that cache contains an unnecessary attribute that is never used.

Conditions:
AD/LDAP Query module is configured with option that requires building of a local group cache.

Impact:
apd process size grows significantly after group cache is built. If several different caches are maintained at the same time, the process size can hit the 4 GB limit.

Workaround:

Fix:
Removed an unnecessary attribute from cache. As a result, the group cache size and APD process size have been reduced.


528675-6 : BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired

Component: Access Policy Manager

Symptoms:
Edge Client can get stuck in the "disconnecting..." state if it connected through a captive portal session and that captive portal session has expired. This happens when the BIG-IP EDGE Client keeps the HTTP connection to the captive portal probe URL alive.

Conditions:
BIG-IP EDGE Client for Windows connecting to BIG-IP APM on a network with an active captive portal. The captive portal session expired before the user terminated the active Network Access connection.

Impact:
When the user runs into this condition, BIG-IP EDGE Client for Windows cannot connect to the BIG-IP APM server without a restart.

Workaround:
The user can exit and restart BIG-IP EDGE Client.

Fix:
The captive portal detection request was modified to properly close the HTTP connection.


528622 : apd leaks memory when AD Query agent is used in access policy

Component: Access Policy Manager

Symptoms:
The AD Query agent leaks memory if it is used in an access policy.

Conditions:
AD Query is in the access policy.

Impact:
apd grows in size and at some point stops serving authentication requests.

Workaround:
None.

Fix:
After the fix, apd no longer leaks memory in the AD Query agent.


528407-1 : TMM may core with invalid lasthop pool configuration

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool.

Conditions:
1) BIG-IP system with a VIP and a lasthop pool with a non-local pool member.
2) Sys db tm.lhpnomemberaction set to 2.

Impact:
TMM cores and fails over.

Workaround:
Configure lasthop pool to use local members/addresses.

Fix:
TMM no longer cores with an invalid lasthop pool configuration.


528276-4 : The device management daemon can crash with a malloc error

Component: TMOS

Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.

Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.

Impact:
The daemon crashes and recovers.

Workaround:
This issue has no workaround at this time.

Fix:
The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.


528007-1 : Memory leak in ssl

Component: Local Traffic Manager

Symptoms:
An intermittent memory leak was encountered in SSL.

Conditions:
This can occur under certain conditions when using Client SSL profiles.

Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.

Workaround:
None.

Fix:
An intermittent memory leak in SSL was fixed.


527799-11 : OpenSSL library in APM clients updated to resolve multiple vulnerabilities

Component: Access Policy Manager

Symptoms:
Multiple vulnerabilities in OpenSSL library: CVE-2015-4000, CVE-2015-1792, CVE-2015-1791, CVE-2015-1790, CVE-2015-1789, CVE-2015-1788, CVE-2014-8176.

Conditions:
Windows, Linux, or Mac OS X Network Access connection to BIG-IP APM.

Impact:
CVE-2015-4000, CVE-2015-1792, CVE-2015-1791, CVE-2015-1790, CVE-2015-1789, CVE-2015-1788, CVE-2014-8176.

Workaround:
n/a

Fix:
OpenSSL library in APM clients updated to resolve multiple vulnerabilities in OpenSSL: CVE-2015-4000, CVE-2015-1792, CVE-2015-1791, CVE-2015-1790, CVE-2015-1789, CVE-2015-1788, CVE-2014-8176.


527630-5 : CVE-2015-1788 : OpenSSL Vulnerability

Component: TMOS

Symptoms:
https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Conditions:
See F5 Solution for complete information. https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Impact:
A potential denial-of-service (DoS) by way of a session that uses an Elliptic Curve algorithm against a server that supports client authentication.

Workaround:
None.

Fix:
Fixed CVE-2015-1788.


527630-4 : CVE-2015-1788 : OpenSSL Vulnerability

Component: Local Traffic Manager

Symptoms:
https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Conditions:
See F5 Solution for complete information. https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Impact:
A potential denial-of-service (DoS) by way of a session that uses an Elliptic Curve algorithm against a server that supports client authentication.

Workaround:
None.

Fix:
Fixed CVE-2015-1788.


527027-1 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and attaching and/or responding with DNSSEC resource records.


527024-1 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and attaching and/or responding with DNSSEC resource records.


526817-2 : snmpd core due to mcpd message timer thread not exiting

Component: TMOS

Symptoms:
snmpd might occasionally experience a thread deadlock condition and would be reanimated (with a core dump) by sod.

Conditions:
After an SNMP configuration change, snmpd is signaled to de-initialize/re-initialize its configuration. During the de-initialization process, snmpd does not shut down its mcpd message timer thread, but as part of re-initialization, an additional thread is created for the same purpose.

Impact:
This exposed a thread deadlock timing condition. snmpd occasionally becomes unresponsive for the duration of the configured snmpd heartbeat timeout.

Workaround:
After an SNMP configuration change on the BIG-IP system, the deadlock timing issue can be avoided by manually restarting snmpd.

Fix:
snmpd has been modified to cause its mcpd message timer thread to exit during the de-initialization process, so snmpd no longer becomes unresponsive for the duration of the configured snmpd heartbeat timeout.


526699-2 : TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.

Component: Global Traffic Manager

Symptoms:
A BIG-IP DNS system configured with an iRule that makes use of the command nodes_up in its ip_address :: port version might lead to a crash.

Conditions:
- BIG-IP DNS iRule processing traffic with the nodes_up IP/Port command.
- The IP/Port references an invalid LTM virtual server.
- A client sends requests to the BIG-IP DNS wide IP.

Impact:
TMM might crash.

Workaround:
Specify correct IP/Port in the nodes_up iRule command

Fix:
TMM no longer crashes when using an incorrect IP/Port in a nodes_up BIG-IP DNS iRule.


526492-4 : DNS resolution fails for Static and Optimized Tunnels on Windows 10

Component: Access Policy Manager

Symptoms:
When Static and Optimized Tunnels are used on Windows 10 desktop, accessing a backend server by hostname will fail.

Conditions:
1. Windows 10 desktop
2. Static or Optimized Tunnels are used

Impact:
No access to backend servers using hostnames.

Workaround:
none

Fix:
DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.


526275-3 : VMware View RSA/RADIUS two factor authentication fails

Component: Access Policy Manager

Symptoms:
VMware View client fails to authenticate with APM configured for RSA/RADIUS two factor authentication.

Conditions:
APM is configured for VMWare View proxy with RSA or RADIUS two factor authentication and VMware View client is used.

Impact:
User sees a confusing error message.

Workaround:
Click OK on the error message "The username or password is not correct. Please try again." Then enter valid AD credentials and log in again.

Fix:
Now APM correctly handles VMware View RSA/RADIUS two factor authentication.


526084-4 : Windows 10 platform detection for BIG-IP EDGE Client

Component: Access Policy Manager

Symptoms:
The session.client.platform variable contains "Win8.1" for BIG-IP Edge Client on Windows 10.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM was enhanced to report the session.client.platform session variable correctly for BIG-IP Edge Client on Windows 10.


525958-4 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.

Component: Local Traffic Manager

Symptoms:
In a specific combination of events TMM may core.

Conditions:
This occurs when the following conditions are met:
- Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
- That address is not directly connected.
- The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
System may failover.

Workaround:
Ensure correct routing to all destinations with reachable next hops.

Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.


525553 : SSL keys are loaded on first use, not at initialization

Component: Local Traffic Manager

Symptoms:
During initialization, if there are many SSL keys in use, the watchdog timer can fire causing TMM to crash.

Conditions:
There are many SSL keys in use (for example, when a very large number of profiles are attached to a virtual server), and the BIG-IP system is sufficiently loaded.

Impact:
Service interruption

Workaround:
Use fewer SSL keys.

Fix:
SSL keys are now loaded on first use, rather than during initialization, which should mitigate this issue.


525322-3 : Executing tmsh clientssl-proxy cached-certs crashes tmm

Component: Local Traffic Manager

Symptoms:
tmm crashes while executing the "tmsh clientssl-proxy cached-certs" command.

Conditions:
An SSL forward proxy virtual server with a clientssl profile name longer than 32 characters, where the length includes the partition name (that is, /Common/<profilename> is more than 32 characters long).

Impact:
tmm crashes.

Workaround:
Keep the profile name lengths less than 32 chars, or do not run the command until fixed.

Fix:
The "tmsh clientssl-proxy cached-certs" command will now run successfully with profile name lengths longer than 32 characters.


524909-4 : Windows info agent could not be passed from Windows 10

Component: Access Policy Manager

Symptoms:
APM endpoint check action "Windows Info agent" was not able to detect Windows 10 clients.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM now supports the Windows Info action on Windows 10 clients.


524756-2 : APM Log is filled with errors about failing to add/delete session entry

Component: Access Policy Manager

Symptoms:
APM log is filled with the following error when the issue occurs:
May 21 16:34:16 bigip4013mgmt err tmm2[20158]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)

Conditions:
If a session times out before it completes policy evaluation, APM still attempts to delete its marker from the established-session namespace, which results in the ERR_NOT_FOUND error.

Impact:
There is no functional impact. However, the APM log may become useless if the volume of this error is high.

Workaround:

Fix:
Access Filter now skips session marker deletion if the timed-out session is not in established state.


524666-1 : DNS licensed rate limits might be unintentionally activated.

Component: Local Traffic Manager

Symptoms:
DNS licensed rate limits might be unintentionally activated.

Conditions:
This might occur with a license in which DNS services is unlimited, but BIG-IP DNS (formerly GTM) is limited.

Impact:
DNS licensed rate limits might be unintentionally activated. Rate counters will activate, even though rates are unlimited, which unnecessarily uses CPU cycles. Also, features that indirectly look at rate flags such as hardware DNS, might deactivate improperly even though rates are unlimited.

Workaround:
None.

Fix:
DNS licensed rate limits are now handled as expected.


523863-4 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
The bash shell would print a cryptic error, and the help did not clarify how to make it work.

Workaround:
Research bash shell options for the cryptic error.

Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.


523513-1 : COMPRESS::enable keeps compression enabled for a subsequent HTTP request.

Component: Local Traffic Manager

Symptoms:
COMPRESS::enable keeps compression enabled for a subsequent HTTP request. The response for the first HTTP request enables the compression, but it is not used since the payload is empty. For the second HTTP request (whose URI indicates that it is not supposed to be compressed), the system still compresses the response because the first request did not disable compression.

Conditions:
Subsequent HTTP requests in the same TCP connection:
- The first HTTP response contains an empty payload and enables compression.
- The second HTTP response still gets compressed.

Impact:
Unintended compression for subsequent HTTP responses.

Workaround:
Disable compression in the else case manually in the iRule using COMPRESS::disable.

Fix:
Compression is now disabled after an HTTP response with empty payload for iRule-based enabling.


523327-4 : In very rare cases Machine Certificate service may fail to find private key

Component: Access Policy Manager

Symptoms:
Non-elevated client component is able to find certificate but not the key, while machine cert service/F5 Elevation Helper fails to find certificate. f5certhelper.txt (helper) or logterminal.txt (in windows\temp folder for service) contains: 1, , 0, , EXCEPTION - CCertInfo::FindCertificateInStore: CertFindCertificateInStore failed with error code: 80092004

Conditions:
IE/Edge Client is not running under an Admin user. A special certificate is used.

Impact:
User fails to pass access policy.

Workaround:
Run IE/BIG-IP Edge Client under administrator.

Fix:
Now both service and elevation helper can find those specific certificates.


523079-3 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.


522552 : SSL Certificates, Keys, and CRLs load upon configuration load might cause timeout.

Component: Local Traffic Manager

Symptoms:
When the system loads a configuration, SSL immediately reads any associated keys, certificates, and CRLs. This can take long enough that the watchdog timer fires causing TMM to restart.

Conditions:
Many SSL profiles are in use.

Impact:
TMM restarts.

Workaround:
Use fewer SSL profiles.

Fix:
Keys, certificates, and CRLs used by SSL are loaded on first use instead of when configured, which mitigates potential timeouts caused by SSL reading the associated keys, certificates, and CRLs for many SSL profiles.


522231-5 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache TMM may crash causing failover and restart of AAM. A profile on a virtual from another BIG-IP module (other than AAM and LTM) may contribute to the issue.

Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) The client resets the connection immediately after the request is done and the response has not started to serve.

Impact:
TMM crashes when the issue occurs, causing failover for a high availability group, service disruption on a standalone device, or a temporary load increase if the device is a member of a cluster (an AAM farm, for example).

Workaround:
Install the fix.

Fix:
The fix removes the condition in which AAM starts to serve the response to an already-aborting connection.


521556-6 : Assertion "valid pcb" in TCP4 with ICAP adaptation

Component: Service Provider

Symptoms:
TMM crashes with assertion "valid pcb" in tcp4.c.

Conditions:
Virtual server with request-adapt or response-adapt profile. Congested client or TCP small window (flow-control is active). Multiple HTTP requests in a single client connection. More likely with iRules that park.

Impact:
Intermittent crash under load.

Workaround:

Fix:
Assertion "valid pcb" does not occur.


521144-3 : Network failover packets on the management interface sometimes have an incorrect source-IP

Component: TMOS

Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.

Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.

Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.

Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example:
# tmsh delete sys management-route 10.208.101.0/24
# tmsh save sys config
# echo "10.208.101.0/24 via 10.208.102.254 dev eth0" > /etc/sysconfig/network-scripts/route-eth0
# reboot

Fix:
Network failover packets on the management interface now have the correct source IP when the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.


520466-6 : Ability to edit iCall scripts is removed from resource administrator role

Component: TMOS

Symptoms:
A user account with resource administrator role assignment is able to modify user accounts using iCall scripts.

Conditions:
Resource administrators attempting to modify iCall scripts will be denied access. Such users will still be able to create iCall handlers that reference existing scripts.

Impact:
Resource administrators are no longer able to modify iCall script objects.

Workaround:
To manage iCall scripts the user account must be assigned the administrator role.

Fix:
We have removed access to modify iCall scripts for the Resource Administrator role. iCall handlers can still be created that refer to scripts created by an administrator.


519510-1 : Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware

Component: TMOS

Symptoms:
TCP throughput might be severely impacted for traffic traversing a tagged VLAN and BCM57800/BCM57810 NIC on BIG-IP VEs. The 'rxbadsum' counts increase as received LRO'd traffic is ignored by TMM.

Conditions:
1. Traffic traverses a tagged VLAN.
2. This issue might be related to systems using Broadcom BCM57800 or BCM57810 NICs. However, in general the required condition is that packets with a VLAN header are received by the uNIC driver.

Impact:
Potential throughput drop during a high volume of data transfer.

Workaround:
You can use either of the following workarounds:
1. Avoid using tagged VLANs.
2. Run the following commands on the ESX hypervisor to disable LRO/GRO system-wide, followed by a reboot:
-- esxcli system settings advanced set -o /Net/Vmxnet2HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet2SwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3SwLRO -i 0
-- esxcli system settings advanced set -o /Net/VmxnetSwLROSL -i 0

Fix:
The change in L4 packet header offset resulting from VLAN header insertion is now accounted for when verifying the checksum.


519068-1 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset, with messaging about self-signed certificates.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).

Fix:
The system now correctly resets device trust when devices are being added to and deleted from the device trust.


518550-4 : Incorrect value of form action attribute inside 'onsubmit' event handler in some cases

Component: Access Policy Manager

Symptoms:
An incorrect value of the form's 'action' attribute may be used inside 'onsubmit' event handlers if the original 'action' is an absolute path.

Conditions:
An HTML form with an absolute path in its 'action' attribute, and an 'onsubmit' event handler for this form.

Impact:
Web application may work incorrectly.

Workaround:
There is no general workaround. However, if the 'action' value can be converted to a relative path or to a full URL (with host), this can be done using an iRule.

Fix:
The value of the form 'action' attribute is now correct inside event handlers.


517988-3 : TMM may crash if access profile is updated while connections are active

Component: Access Policy Manager

Symptoms:
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.

Conditions:
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.

Impact:
TMM may crash. Connections may be interrupted. Access sessions are lost.

Workaround:
(These are untested...)
Without HA:
(1) disable virtuals using the access profile,
(2) delete any active connections on the virtuals,
(3) update the access profile, and
(4) enable the virtuals.
With HA:
(1) update the access profile on the standby,
(2) fail over to the standby, and
(3) sync the configuration.

Fix:
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.


517790-3 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped

Component: Local Traffic Manager

Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.) If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.

Conditions:
Non-HTTP data sent to the server-side not belonging to a response.

Impact:
Banner protocols, where the server responds before seeing any data, will not pass through the Transparent HTTP proxy. Non-HTTP protocols that start with a pseudo-HTTP response followed by extra data will have the connection rejected when the extra data is seen.

Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.

Fix:
The transparent HTTP profile's passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.


517590-4 : Pool member not turning 'blue' when monitor removed from pool

Component: Local Traffic Manager

Symptoms:
Pool member's status does not update when a monitor is removed from the pool.

Conditions:
Must have a pool configured with a monitor and pool members.

Impact:
Traffic may be routed incorrectly.

Workaround:
One may be able to update the pool member status by toggling the pool member's state down and then up again.

Fix:
The pool member's status updates when the pool's monitor is removed.


517582-1 : [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.

Component: Global Traffic Manager

Symptoms:
Cannot delete a region even though it is not referenced by any record.

Conditions:
This occurs after a failed attempt to delete a region that is referenced by a record.

Impact:
Hard to manage topology regions.

Workaround:
Restart mcpd.

Fix:
Can now delete regions after failed deletion.


517388-1 : Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.

Component: TMOS

Symptoms:
The system recognizes and displays to the user a few relative distinguished names (RDNs): division name, state name, locality name, organization name, country name, and common name.

Conditions:
RDNs in the subject/issuer other than those listed above are not parsed correctly.

Impact:
Parsing the DN (for subject or issuer) might combine fields that result in RDN values that are longer than allowed. This causes issues when trying to store these in Enterprise Manager (EM) database.

Workaround:
None.

Fix:
All relative distinguished names (RDNs) are now parsed as expected. Previously, the system correctly parsed only the RDNs for division name, state name, locality name, organization name, country name, and common name.


517020-3 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command:
tmsh show sys services
Here is an example of the status when the system is in this state:
subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log contains numerous messages similar to the following:
Received broken packet. Closing session.
The /var/log/sflow_agent.log contains numerous messages similar to the following:
AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.

Fix:
SNMP requests handling has been improved to ensure that requests no longer fail after a number of days.


516669-3 : Rarely occurring SOD core causes failover.

Component: TMOS

Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.

Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.

Workaround:
None.

Fix:
Errors in handling memory have been fixed to prevent allocation failure.


515995 : Monitor fails to update Node state when Mcpd also updates Node state

Component: Local Traffic Manager

Symptoms:
The monitor fails to update Node state when Mcpd also updates Node state.

Conditions:
This is an intermittent issue that might occur as a result of a timing issue between the monitor and the Mcpd process.

Impact:
Node fails to change state.

Workaround:
Run the following command: bigstart restart bigd.

Fix:
This release fixes a timing issue in which a monitor failed to update Node state when Mcpd also updated Node state.


515667-2 : Unique truncated SNMP OIDs.

Component: TMOS

Symptoms:
When the BIG-IP system truncates an SNMP OID in order to stay within the OID maximum length limit of 128, the truncated OID is not always consistent or unique.

Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String-type index attributes with value lengths approaching or exceeding 128 characters expose this truncation issue.

Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.

Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.

Fix:
Truncated OIDs are now appended with a unique check-sum value that remains unchanged from one query to the next.
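As an added illustration of the collision this entry describes and of the checksum-suffix fix (example code, not F5's; the CRC32 scheme and the MIB table prefix are assumptions, since the release note only says a unique check-sum value is appended), the following Python encodes a string table index as SNMP does, cuts it at the 128 sub-identifier limit of RFC 2578, and shows that plain truncation lets two long names collide while a deterministic checksum suffix keeps them distinct and stable between queries.

```python
import zlib
from typing import Callable, List

# RFC 2578 allows at most 128 sub-identifiers in an OID.
OID_MAX_LEN = 128

# Constructed table prefix standing in for a BIG-IP MIB table; the real
# prefix does not matter for the truncation behaviour shown here.
TABLE_PREFIX = [1, 3, 6, 1, 4, 1, 3375, 2, 1, 1, 2, 1, 1]


def string_index(name: str) -> List[int]:
    """Encode a variable-length string table index the way SNMP does:
    one sub-identifier for the length, then one per byte."""
    data = name.encode("ascii")
    return [len(data)] + list(data)


def full_oid(name: str) -> List[int]:
    """Untruncated OID for the table row keyed by ``name``."""
    return TABLE_PREFIX + string_index(name)


def truncate_naive(oid: List[int]) -> List[int]:
    """Pre-fix behaviour: cut at the limit. Two keys that share a long
    common prefix collapse onto one OID, so a get or set may hit the wrong
    row."""
    return oid[:OID_MAX_LEN]


def truncate_with_checksum(oid: List[int]) -> List[int]:
    """Fixed behaviour (assumed scheme): keep room for a checksum of the
    *full* OID and append it as two 16-bit sub-identifiers. The checksum
    is a pure function of the input, so the same row always maps to the
    same OID, and rows that differ only past the cut stay distinct."""
    if len(oid) <= OID_MAX_LEN:
        return oid
    canonical = ".".join(str(x) for x in oid).encode("ascii")
    crc = zlib.crc32(canonical) & 0xFFFFFFFF
    head = oid[:OID_MAX_LEN - 2]
    return head + [crc >> 16, crc & 0xFFFF]


def oid_to_str(oid: List[int]) -> str:
    """Dotted-decimal rendering, as an SNMP client would print it."""
    return "." + ".".join(str(x) for x in oid)


def collides(name_a: str, name_b: str,
             truncate: Callable[[List[int]], List[int]]) -> bool:
    """True when two distinct keys map to the same truncated OID."""
    return truncate(full_oid(name_a)) == truncate(full_oid(name_b))


if __name__ == "__main__":
    # Constructed object names: identical for 155 characters, differing
    # only in the last one, as two long user-supplied names might.
    long_a = "pool_" + "x" * 150 + "_a"
    long_b = "pool_" + "x" * 150 + "_b"
    print("naive truncation collides:   ", collides(long_a, long_b, truncate_naive))
    print("checksum truncation collides:", collides(long_a, long_b, truncate_with_checksum))
    print("fixed OID tail:", oid_to_str(truncate_with_checksum(full_oid(long_a)))[-24:])
```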


515322-3 : Intermittent TMM core when using DNS cache with forward zones

Component: Local Traffic Manager

Symptoms:
TMM can intermittently crash when using the DNS cache resolver.

Conditions:
When a cache configuration is "removed" there are conditions where a refcount is not properly managed that would lead to memory being deleted before the last user is done with it.

Impact:
TMM core.

Workaround:
N/A

Fix:
TMM will no longer intermittently core when using the DNS cache resolver.


513916-3 : String iStat rollup not consistent with multiple blades

Component: TMOS

Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.

Conditions:
The iStat must be of type string, and the chassis must have multiple blades.

Impact:
The value of the iStat after the merge differs on different blades.

Workaround:
Use clsh to write the string iStat value to all blades together.

Fix:
The rollup of strings is based on a timestamp of the last update, but this value was not preserved through the first level of merge so the second level done on each blade was arbitrary. Now, the value is preserved, so the iStat value for multiple blades is correct.


513498-1 : MCP may crash while performing a very large chunked query and CPU is highly loaded

Component: TMOS

Symptoms:
MCP crashes while performing a chunked query (such as 'tmsh show sys connection') that returns a large result, if a connection to a TMM is severed (due to a zero-window timeout).

Conditions:
-- CPU is highly loaded.
-- BIG-IP version is v11.4.1 HF9, which includes an incomplete fix for ID 507853 for this issue.

Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following:
error reading variable: Cannot access memory at address 0x1.

Workaround:
None.

Fix:
Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed. Provides a complete implementation of the fix for ID 507853 on BIG-IP v11.4.1 HF10 and later.


513454-1 : An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts

Component: TMOS

Symptoms:
The snmpwalk will fail and the mcpd daemon could be restarted.

Conditions:
The configuration must be large so that the number of configured items related to the snmpwalk are in the tens of thousands.

Impact:
Failure to read SNMP data, mcpd restart and temporary loss of service.

Workaround:
Spread the configuration among more BIG-IPs or avoid running snmpwalks.

Fix:
Cache internal query data to optimize statistical queries.


513382-6 : Resolution of multiple OpenSSL vulnerabilities

Component: TMOS

Symptoms:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

Conditions:
https://support.f5.com/kb/en-us/solutions/public/16000/300/sol16317.html

Impact:
Update of OpenSSL to resolve multiple vulnerabilities.

Workaround:

Fix:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288


512345-5 : Dynamic user record removed from memcache but remains in MySQL

Component: Access Policy Manager

Symptoms:
When the system fetches a dynamic user record from MySQL and places the record into memcache, the record might remain there in an unmodified state for ten days.

Conditions:
This occurs when a dynamic user record is removed from memcache but remains in MySQL, due to an intermittent race condition between apmd/memcache and localdbmgr.

Impact:
Dynamic user, if locked out, remains in memcache for ten days. During this interval, the dynamic user record is unusable.

Workaround:
The Admin can remove the user by deleting the associated memcache record.

Fix:
Now APM handles the condition in which a dynamic user record is removed from memcache but remains in MySQL due to an intermittent race condition between apmd/memcache and localdbmgr.


512062-1 : A db variable to disable verification of SCTP checksum when ingress packet checksum is zero

Component: Local Traffic Manager

Symptoms:
BIG-IP system drops SCTP INIT multi-homing message with checksum 0x00000000.

Conditions:
This occurs when the SCTP packet's verification tag is 0x00000000 and the checksum also is 0x00000000.

Impact:
System drops these SCTP packets.

Workaround:
None.

Fix:
Added a db variable to disable verification of SCTP checksum when ingress packet's checksum is zero. The current default behavior is not changed if this db variable is not enabled.


511893-6 : Client connection timeout after clicking Log In to Access Policy Manager on a Chassis

Component: Access Policy Manager

Symptoms:
Clients connecting via Edge Client or Network Access to Access Policy Manager running on a chassis will experience a connection timeout after clicking Log In.

Conditions:
1. A chassis with two or more blades and APM provisioned.
2. Create a Portal Access/Network Access policy: start > logon page > portal resource (portal webtop, resource) > Allow.
3. Create an access session using a browser.

Impact:
Access session never finishes and browser does not render portal.

Workaround:
None

Fix:
BIG-IP Access Policy Manager running on a chassis will correctly process the client's Log In command.


510888-4 : [LC] snmp_link monitor is not listed as available when creating link objects

Component: Global Traffic Manager

Symptoms:
GUI: snmp_link is not listed in the Available monitor list when creating link objects. TMSH: snmp_link is not shown when using TAB to show monitor options when creating link objects.

Conditions:
When creating GTM link objects.

Impact:
Cannot determine whether snmp_link monitor can be used. Must manually input snmp_link to associate snmp_link to a link object.

Workaround:
Through tmsh, manually type snmp_link as monitor when creating link objects.

Fix:
snmp_link monitor is now listed as available when creating link objects.


509677-4 : Edge-client crashes after switching to network with Captive Portal auth

Component: Access Policy Manager

Symptoms:
When switching to a network with Captive Portal authentication, the Edge-client becomes unresponsive.

Conditions:
- Captive Portal uses an https logon page.
- Network switching is done by unplugging the network cable from the NIC or disconnecting from the wireless network (not by disabling the network interface).

Impact:
Edge-client crashes.

Workaround:
N/A

Fix:
Corrected an invalid pointer by updating the pointer name.


506041-7 : Folders belonging to a device group can show up on devices not in the group

Component: TMOS

Symptoms:
All folders and partitions always get synced regardless of whether they are in the device group. If a user wants to utilize the same folder/partition scheme across multiple devices, this can lead to conflicts. In particular it can clobber the default route domain on a partition or rewrite the device group of a folder.

Conditions:
This only occurs during a full sync. This can occur if two different device groups use the same folder or partition names. For example, if there are two separate failover-sync groups in the same trust and they both sync a different set of objects in /MyHAFolder. This can also occur if a device has a local folder or partition with the same name as one in a device group.

Impact:
If a conflicted partition uses different default route domains, they will be overridden and may result in a sync error. Conflicted folders will inherit the configuration of the source of the config sync. This can override the device group, traffic group, and iApp reference of the folder.

Workaround:
Use unique partition and folder names across all devices in the trust group.

Fix:
Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains.


505101-2 : tmm may panic due to accessing uninitialized memory

Component: Access Policy Manager

Symptoms:
tmm panics with the message "memory owned by current process".

Conditions:
SAML plugin encounters an internal error and attempts to free an uninitialized memory region.

Impact:
tmm restarts

Workaround:
none

Fix:
Initialized SAML memory region to prevent tmm panic.


504461-4 : Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.

Component: Access Policy Manager

Symptoms:
APM is unable to complete the access policy when there is a Variable Assign agent in front of a Logon Page agent.

Conditions:
Access policy has a Variable Assign agent in front of a Logon Page agent.

Impact:
APM is unable to complete the access policy.

Workaround:

Fix:
Now APM can successfully run access policies where a Variable Assign agent resides in front of a Logon Page agent.


503600-5 : TMM core logging from TMM while attempting to connect to remote logging server

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server.

Conditions:
The problem might occur when a log message is created as the result of errors that can occur during log-connection establishment. The crash specifically occurs when an error occurs while attempting to connect to the remote logging server.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards such messages or directs them to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
TMM no longer crashes and coredumps while logging to remote logging server.


496758-7 : Monitor Parameters saved to config in a certain order may not construct parameters correctly

Component: Local Traffic Manager

Symptoms:
When configuring both a monitor and a child monitor, if the two monitors are saved in reverse order, the default monitor parameters will not be created. For example:

ltm monitor tcp /Common/child {
    defaults-from /Common/parent
    destination *.990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Some of the default parameters for the above configuration will not be created upon loading the config.

Conditions:
This occurs when there are at least two monitors, and the child custom monitor appears before the parent monitor. Must have a parent that derives from a root monitor, and a child that derives from the parent monitor.

Impact:
Possible undefined behavior in bigd, and failing iControl calls. On performing a 'tmsh load sys config verify', the system posts an error message similar to the following:
01070740:3: Performance monitor /Common/http-a may not have the manual resume feature.
Unexpected Error: Validating configuration process failed.

Workaround:
A possible workaround involves switching the order of the monitors in the config file. This can either be accomplished manually, or by naming things in alphabetical order, such that the parent precedes the child:

ltm monitor tcp /Common/aaa_parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/bbb_child {
    defaults-from /Common/aaa_parent
    destination *.990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Fix:
The system now handles a configuration in which a child custom monitor precedes the parent's, so that monitor parameters are constructed properly.


495335-3 : BWC related tmm core

Component: TMOS

Symptoms:
tmm coredumps while BWC is processing packets.

Conditions:
BWC is being enabled on a virtual server that does not have any BWC iRules enabled. Reasons for this are being investigated.

Impact:
BWC related tmm core. BIG-IP fails to pass traffic when tmm coredumps.

Workaround:

Fix:
Avoid a divide by zero while computing average packet size.


494575 : Cannot export cert/key with names longer than 64 characters.

Component: TMOS

Symptoms:
Cannot export cert/key with names longer than 64 characters.

Conditions:
When an SSL cert/key is created with a long name, the system fails to export that cert/key.

Impact:
Cannot export cert/key. GUI shows error screen with the message: An error has occurred while trying to process your request.

Workaround:
Create cert/key with names shorter than 64 characters.

Fix:
Can now export cert/key with names longer than 64 characters.


492305-3 : Recurring file checker doesn't interrupt session if client machine has missing file

Component: Access Policy Manager

Symptoms:
If the file required by the recurring file checker agent is deleted on the client machine after the session is already established, the session is not interrupted.

Conditions:
File checker agent is used. Recurring check is enabled for it.

Impact:
Session is not interrupted when it should be.

Workaround:

Fix:
The session is now interrupted when the file required for the recurring file check is missing.


490830-5 : Protected Workspace is not supported on Windows 10

Component: Access Policy Manager

Symptoms:
APM does not support Protected Workspace on Windows 10.

Conditions:
Protected Workspace action configured on BIG-IP APM server. Users connecting to BIG-IP APM using Windows 10 client.

Impact:
Users cannot use Protected Workspace feature on Windows 10.

Workaround:
n/a

Fix:
Protected Workspace disabled on Windows 10 client.


490225-9 : Duplicate DNSSEC keys can cause failed upgrade.

Component: Local Traffic Manager

Symptoms:
When DNSSEC keys are stored in HSM and the system is upgraded, config load can fail because of duplicate keys in HSM.

Conditions:
DNSSEC keys in HSM. Upgrade or UCS load of configuration that contains the same keys.

Impact:
Failed upgrade or config load.

Workaround:
None.

Fix:
BIG-IP DNS/mcpd now checks for an existing key and does not import keys that already exist.


489329-1 : Memory corruption can occur with SPDY/HTTP2 filter

Component: Local Traffic Manager

Symptoms:
A virtual using the SPDY/HTTP2 filter can experience random memory corruption due to a double free of memory.

Conditions:
SPDY/HTTP2 filter is configured on the virtual.

Impact:
This results in a TMM crash in random components due to memory corruption.

Workaround:
Do not use SPDY2/HTTP2 filter.


489113-3 : PVA status, statistics not shown correctly in UI

Component: TMOS

Symptoms:
When affected versions of BIG-IP are running on VIPRION B2250 blades, the PVA status and statistics are not displayed correctly (missing entirely) from the user interface.

Conditions:
VIPRION B2250 blades running affected versions of BIG-IP.

Impact:
PVA appears to be disabled/unavailable. PVA statistics are not available. PVA functionality is actually enabled and operating in the data plane.

Workaround:
Example of incorrect display:

# guishell -c 'select name,has_pva,pva_version from platform'
--------------------------------
| NAME | HAS_PVA | PVA_VERSION |
--------------------------------
| A112 | false   |             |   <<< incorrect
--------------------------------

# tmsh show ltm virtual
------------------------------------------------------------------
Ltm::Virtual Server: vs1
------------------------------------------------------------------
Status
  Availability : unknown
  State        : enabled
  Reason       : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
CMP            : enabled
CMP Mode       : all-cpus
Destination    : 30.30.30.1:80
<<< missing 'PVA Acceleration' item

Fix:
PVA status and statistics are displayed correctly for VIPRION B2250 blades.


488401-1 : proxy_tuple object memory leak.

Component: Local Traffic Manager

Symptoms:
proxy_tuple occupies most of the memory.

Conditions:
Either configured with an FTP virtual server or configured with Fast L4 and LSN.

Impact:
High memory usage triggering aggressive mode sweeper and connection reaping. The system might post alerts similar to the following in the LTM log: Aggressive Mode Sweeper. TMM Memory at 94%. Note: This issue was introduced in 11.3.0 HF9, and is not present in subsequent releases for version 11.3.0. It also affects version 11.4.1 from HF6 and later.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the memory leak in the proxy_tuple object.


488105-4 : TMM may generate core during certain config change.

Component: Access Policy Manager

Symptoms:
While the sandbox file is being used by the data plane, if the admin changes the configuration to delete this sandbox file, TMM may generate a core due to accessing freed memory.

Conditions:
While the data plane is handling requests for the sandbox file, the admin deletes it from the control plane.

Impact:
TMM may core, which may cause APM service to become unavailable for some time.

Workaround:

Fix:
Access whitelist entries are refcount-ed to prevent freeing of the memory while it is still being used.


487859-4 : Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.

Component: Access Policy Manager

Symptoms:
Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.

Conditions:
Importing local DB users from a CSV file that provides no UID value.

Impact:
All users imported without UIDs will be mapped to one user's detail entry (that is, fname, lname, email, and so on). So all such users show the same first name, last name, email, and other user details.

Workaround:
There is no workaround.

Fix:
Importing local db users with no UID set now generates a Unique ID and stores each user's details in the database.


485917-6 : BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)

Component: Local Traffic Manager

Symptoms:
https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15792.html

Conditions:
https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15792.html

Impact:
https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15792.html

Workaround:


484948-2 : UDP connflow may abort from a parked iRule in server_closed.

Component: Local Traffic Manager

Symptoms:
Some UDP idle flows will abort a parked iRule after the UDP idle timeout.

Conditions:
Conditions leading to this issue include: 1) A UDP virtual server configured to drop the connection on response. 2) client_closed and server_closed iRule events that are parked in the iRule for a long time. 3) The virtual server's connection expires while the iRule is parked.

Impact:
The iRule aborts, which impacts performance. The user cannot keep an accurate connection count per client using iRules.

Workaround:
Setting the idle timeout to different values on the client and server sides makes this happen much less frequently.

Fix:
Resolved a problem with functions being called twice, which caused the iRule to abort.


483267-2 : UDP connflow irule parked in server_closed might abort

Component: Local Traffic Manager

Symptoms:
In a UDP virtual server, if client-closed and server_closed contains a parking iRule, the connflow has a high chance of being aborted during parking.

Conditions:
This occurs under the following conditions:
- UDP connflow.
- iRule with client_closed and server_closed events.
- Parking in the iRule.
There is a higher chance of the connflow termination occurring when the EXPIRE interval on the client side and server side are very close.

Impact:
UDP connflow might terminate.

Workaround:
Setting the idle timeout to different values on the client and server sides lessens the chance of encountering the issue.

Fix:
UDP connflow now finishes processing the parking iRule, and the connflow does not terminate unexpectedly.


482266-4 : Windows 10 support for Network Access / BIG-IP Edge Client

Component: Access Policy Manager

Symptoms:
Connection fails with "Network Access Connection Device was not found." message.

Conditions:
1. Clean installation of Windows 10 (not upgrade) OR 2. Windows has been upgraded from previous version of Windows OS and it did not have NA driver installed.

Impact:
Users running Windows 10 cannot establish a VPN connection.

Workaround:

Fix:
Users running on Windows 10 running the BIG-IP Edge Client will no longer see a "Network Access Connection Device was not found." error message.


482145-5 : Text in buttons not centered correctly for higher DPI settings

Component: Access Policy Manager

Symptoms:
When a high DPI setting is used in Windows, text in buttons is not centered correctly and may run outside the boundaries of the buttons.

Conditions:
User interface is displayed and user has set a higher DPI setting for Windows.

Impact:
Button text does not look correct.

Workaround:
Set DPI settings back to default.

Fix:
Buttons are now correctly scaled for Windows DPI setting.


481162-3 : vs-index is set differently on each blade in a chassis

Component: Local Traffic Manager

Symptoms:
The vs-index field on virtual servers differs on each blade in a chassis.

Conditions:
This occurs on chassis systems when creating a virtual server on a multi-blade VIPRION and on multi-blade vCMP guests.

Impact:
The recently created virtual server holds different vs_index across blades (typically, the virtual servers differ by one, when compared with the active blade). From that point on, every newly created virtual server carries that inconsistency, so that vs-index is set differently on each blade in a chassis.

Workaround:
Follow the procedure in SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) to clear the configuration cache and reload configuration after reboot.

Fix:
The vs-index is now the same on each blade in a chassis on a multi-blade VIPRION and on multi-blade vCMP guests.


479451-3 : Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth

Component: Access Policy Manager

Symptoms:
Different Outlook users are tied to a single APM session.

Conditions:
Users have identical passwords and come from the same client IP address.

Impact:
APM does not validate Outlook credentials.

Workaround:
This issue has no workaround at this time.

Fix:
APM now correctly validates Outlook credentials and creates a new APM session for each user, even when users come from the same IP address and have identical passwords.


478592-8 : When using the SSL forward proxy feature, clients might be presented with expired certificates.

Component: Local Traffic Manager

Symptoms:
When SSL forward proxy feature is enabled, the certificates cached might not expire at the right time resulting in expired certificates being presented to the clients.

Conditions:
When using the SSL forward proxy feature.

Impact:
Incorrect certificates are presented to the clients.

Workaround:
Manually delete the cached certificates listed by: show ltm clientssl-proxy cached-certs.

Fix:
Cached certificates are now handled correctly.


474657-4 : BIG-IP Edge Client shows confusing window with text 'avail' after authentication through Captive Portal

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shows a white window with the text "text" after the user authenticates in a captive portal.

Conditions:
The user is on a network where a captive portal is used.

Impact:
A confusing window is shown.

Workaround:
Press 'Cancel' or click the close button.

Fix:
BIG-IP Edge Client no longer shows confusing window after authenticating through captive portal.


473685-3 : Websso truncates cookie domain value

Component: Access Policy Manager

Symptoms:
Cookies assigned during back-end authentication may not be returned to back-end servers. The failure occurs only when the Set-Cookie header contains a domain attribute whose value begins with a dot.

Conditions:
401 response from a back end has Set-Cookie headers containing domain assignments that begin with a dot.

Impact:
Applications protected by the above authorization may not work.

Workaround:
An iRule can be used to catch the 401 response. If it contains one or more Set-Cookie headers, check each for a domain attribute. Remove the initial dot in the domain value, if present.

Fix:
WebSSO processes domain fields in Set-Cookie headers correctly.
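The workaround above describes an iRule that strips the leading dot from the Domain attribute of Set-Cookie headers in a 401 response. The following is an added Python stand-in for that header rewrite (not an iRule and not F5 code), run over constructed back-end response headers; RFC 6265 specifies that user agents ignore the leading dot, so the rewrite does not change the cookie's scope.

```python
import re

# Constructed 401 response headers from a back-end server, as (name, value) pairs.
BACKEND_401_HEADERS = [
    ("WWW-Authenticate", 'Basic realm="corp"'),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Domain=.example.test; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Set-Cookie", "tracker=x; domain=example.test; Secure"),
    ("Set-Cookie", "sso=tok; Path=/; Secure; DOMAIN=.sso.example.test"),
]

# Matches a Domain attribute (any case) whose value starts with a dot. The attribute is
# always preceded by ';' because the first element of a Set-Cookie value is name=value.
_DOTTED_DOMAIN = re.compile(r"(;\s*domain=)\.", re.IGNORECASE)


def strip_leading_domain_dot(set_cookie_value: str) -> str:
    """Remove one leading dot from the Domain attribute of a single Set-Cookie value.
    Values without a Domain attribute, or with an undotted one, are returned unchanged."""
    return _DOTTED_DOMAIN.sub(r"\1", set_cookie_value, count=1)


def rewrite_401_cookies(status: int, headers):
    """Apply the workaround only to 401 responses (the case the workaround targets);
    any other status passes through untouched. Returns a new list of (name, value)."""
    if status != 401:
        return list(headers)
    return [
        (name, strip_leading_domain_dot(value) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


if __name__ == "__main__":
    for name, value in rewrite_401_cookies(401, BACKEND_401_HEADERS):
        print(f"{name}: {value}")
```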


473348-4 : SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later

Component: TMOS

Symptoms:
The hbInterval determines the amount of time the snmpd daemon can wait for a response. Software versions 11.2.x use an hbInterval of 60 sec. Software versions 11.3.0 and later use an hbInterval of 300 sec.

Conditions:
When upgrading from version 11.2.x to version 11.3.0 or later.

Impact:
After upgrade, the hbInterval is still set to 60 sec and not set to 300 sec. An snmpd core is created.

Workaround:
Edit bigipTrafficMgmt.conf and set the hbInterval value to 300 using the following procedure:
1. Run the command: bigstart stop snmpd.
2. Change the value of hbInterval in /config/snmp/bigipTrafficMgmt.conf and save the file.
3. Run the command: bigstart start snmpd.

Fix:
When upgrading from a release that did not have the hbInterval set to 300, the new release now has hbInterval set to 300.


473163-6 : RAID disk failure and alert.conf log message mismatch results in no trap

Component: TMOS

Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.

Conditions:
This happens when there is a RAID disk failure and the definition of the RAID disk failure alert in alert.conf is similar to the following:
alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
  snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
  lcdwarn description="RAID disk failure." priority="3"
}

Impact:
The actual log message syntax matches the following: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' Because the alert.conf pattern does not match this message, no SNMP trap is issued for a failing disk, and the LCD message is not displayed.

Workaround:
For information about configuring custom traps, see SOL3727: Configuring custom SNMP traps, available here: https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.

Fix:
RAID disk failure and alert.conf log message now match, so appropriate SNMP traps are now issued when a disk is failing.
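To check an alert.conf pattern against the log syntax it is meant to catch, here is an added Python example (not F5 code): it shows why the pattern quoted above never fires on the real message, and checks a corrected pattern that is my assumption for illustration rather than the pattern shipped in the fix. Python's re module stands in for alertd's matcher.

```python
import re

# Alert pattern exactly as quoted in the Conditions above (the alert.conf definition).
ALERT_CONF_PATTERN = r"raid[0-9]: Disk failure .*?"

# Corrected pattern: my assumption, not the pattern F5 shipped in the fix. It tolerates
# the 'md/raid1:md12:' prefix, where the raid level is followed by the md device name.
CORRECTED_PATTERN = r"raid[0-9]+:[^ ]*: Disk failure .*"

# Constructed log lines. The first is modelled on the actual syntax quoted in the
# Impact above; the others are normal kernel/pendsect noise that must not fire the alert.
SAMPLE_LOG_LINES = [
    "alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.",
    "info kernel: md/raid1:md12: active with 2 out of 2 mirrors",
    "notice pendsect[15989]: pendsect: /dev/sda no Pending Sectors detected",
]


def alert_fires(pattern: str, log_line: str) -> bool:
    """True if an alert.conf-style regex matches the log line (unanchored search)."""
    return re.search(pattern, log_line) is not None


def lint_alert_patterns(alerts: dict, log_lines: list) -> dict:
    """Map each alert name to the sample lines it matches. An empty list means the alert
    can never fire on the given log syntax, which is exactly the mismatch described above."""
    return {name: [line for line in log_lines if alert_fires(pattern, line)]
            for name, pattern in alerts.items()}


def dead_alerts(alerts: dict, log_lines: list) -> list:
    """Names of alerts that match none of the expected log lines."""
    return [name for name, hits in lint_alert_patterns(alerts, log_lines).items() if not hits]


if __name__ == "__main__":
    shipped = {"BIGIP_RAID_DISK_FAILURE": ALERT_CONF_PATTERN}
    corrected = {"BIGIP_RAID_DISK_FAILURE": CORRECTED_PATTERN}
    print("dead alerts with shipped pattern:  ", dead_alerts(shipped, SAMPLE_LOG_LINES))
    print("dead alerts with corrected pattern:", dead_alerts(corrected, SAMPLE_LOG_LINES))
```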


472446-5 : Customization Group Template File Might Cause Mcpd to Restart

Component: Access Policy Manager

Symptoms:
A config sync or tmsh transaction might fail and make mcpd restart if the config sync or tmsh transaction includes a misconfigured object and simultaneously includes a customization group template file.

Conditions:
The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file.

Impact:
The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction when that transaction might contain an object configured with an invalid value. This results in a configuration error. Here is one example of the types of messages you might see when this occurs:
-- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete.
-- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file logon.inc customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty.
-- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting...
-- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd.

Workaround:
None.

Fix:
A configuration error in config sync or tmsh transaction is now handled correctly.


472093-4 : RCE via uploaded name manipulated php file

Component: Access Policy Manager

Symptoms:
Upload of a PHP file is allowed, which is a vulnerability.

Conditions:
A .jpg file containing PHP content can be uploaded, which may create a vulnerability.

Impact:
A .jpg file containing PHP content can be uploaded, which may create a vulnerability.

Workaround:
Block the file upload with PHP content.

Fix:
Block the file upload with PHP content.


471467-2 : gtmparse segfaults when loading wideip.conf because of duplicate virtual server names

Component: Global Traffic Manager

Symptoms:
gtmparse segfaults when loading wideip.conf with duplicate virtual server names, or whose names differ only by spaces.

Conditions:
wideip.conf contains duplicate virtual server name definitions, or the virtual server names are unique only because of leading or trailing spaces.

Impact:
gtmparse segfaults during a wideip.conf load, causing GTM configuration load to fail.

Workaround:
Change virtual server definitions so that there are no duplicate named virtual servers. Note that adding only leading or trailing spaces does not result in a unique virtual server name.

Fix:
gtmparse will now throw descriptive errors when encountering duplicate vs names in wideip.conf, for example:
./gtm/wideip.conf:61: "opt_vs_long_def: vs set name vs_1 on vs 10.221.43.28:1545 failed, duplicate name exists" at character '1545' in line: name "vs_1" address 10.221.43.28:1545


470756-4 : snmpd cores or crashes with no logging when restarted by sod

Component: TMOS

Symptoms:
Prior to sod restarting snmpd following a heartbeat timeout, there are often no snmpd warning/error logs leading up to the restart condition that might indicate root-cause.

Conditions:
snmpd can be blocked waiting for mcpd responses to its database queries. This is typically experienced when CPU utilization is very high.

Impact:
sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions persist for longer than the configured snmpd heartbeat interval. During this time, external MIB queries might time out or fail.

Workaround:
Address CPU utilization issues.

Fix:
The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions.


469296-4 : MCPD config validation error resulting in error: requested integer (0) is invalid

Component: TMOS

Symptoms:
An MCPD config validation error might occur, resulting in an error such as: 01070911:3: The requested integer (0) is invalid for egress_high in profile_mblb. This is not an indication of a configuration issue with an MBLB profile. This issue can occur when loading the configuration, when performing a ConfigSync, or during the initial configuration load of mcpd on a secondary blade in a VIPRION chassis.

Conditions:
This occurs under unknown and rare conditions. The BIG-IP configuration does not need to reference MBLB profiles for this issue to occur.

Impact:
Config sync fails, or MCPD restarts, and the system logs the message 'requested integer (0) is invalid'.

Workaround:
This issue can be mitigated by forcing the mcpd process to reload the configuration as detailed in https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html.

Fix:
MCPD will no longer trigger a validation error such as "01070911:3: The requested integer (0) is invalid for egress_high in profile_mblb"


469033-5 : Large big3d memory footprint.

Component: Global Traffic Manager

Symptoms:
The big3d process might take up a large amount of memory.

Conditions:
Using GTM in various configurations.

Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.

Workaround:
None.

Fix:
Reduced big3d memory footprint.


465951-4 : If net self description size =65K, gtmd restarts continuously

Component: Global Traffic Manager

Symptoms:
The gtmd process restarts continuously.

Conditions:
This issue occurs when the net self <IP> description is a string of 65K or more, or when the 'Description', 'Location', 'Contact', or 'Comment' field for the device (Device Management > Devices > Properties) is a string of 65K or more.

Impact:
When this happens, gtmd is unable to perform its duties.

Workaround:
This issue has no workaround at this time.

Fix:
An issue that caused gtmd to restart because of long descriptions has been fixed.


464489 : Error message 'Error reading cert PEM file [...] Memory exhausted' can be inaccurate (memory is not actually exhausted)

Component: TMOS

Symptoms:
Cannot create or modify SSL profiles. The system logs an error message in the LTM log similar to:
-- err mcpd[6412]: 01070313:3: Error reading cert PEM file /config/filestore/files_d/Common_d/certificate_d/:Common:default.crt_14711_1 for profile /Common/testclientssl: Memory exhausted.
This error message might be incorrect: memory is not actually exhausted.

Conditions:
User must have at least one SSL profile, or be attempting to create one.

Impact:
Cannot create or modify SSL profiles. This is a rarely encountered issue.

Workaround:
Although there is no workaround for this issue, you can check the SSL error stack for the error conditions that occur when SSL_CTX_new fails.


462714-8 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

Component: Local Traffic Manager

Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that results in this issue is UDP with checksum of 0.

Conditions:
The profile has to be FastL4. Traffic that is either UDP with a checksum of 0 or SCTP is definitely affected.

Impact:
Source address persistence is not usable as the entry ages out while it should not.

Workaround:
None.

Fix:
Source address persistence record no longer times out unexpectedly on FastL4 profile virtual server.


461077-3 : New or replacement hard drives may not be checked for pending sectors

Component: TMOS

Symptoms:
New hard disk drives installed in BIG-IP systems during manufacturing or as RMA replacements might not be checked for pending sectors. If the pendsect script runs (as scheduled at 04:02am daily) and finds no errors, a log entry such as the following appears in /var/log/user.log:
May 16 04:02:04 testbox notice pendsect[15989]: pendsect: /dev/sda no Pending Sectors detected
If the pendsect script runs (as scheduled at 04:02am daily) and does not recognize the hard disk drive by model number, no such log appears.

Conditions:
1. BIG-IP appliances or VIPRION blades running a version of BIG-IP implementing the Pending-Sector detection/correction improvements (pendsect) described in SOL14426: Hard disk error detection and correction improvements.
2. New hard disk drives installed during manufacturing or as RMA replacements, which are not listed among the drive models known by the pendsect feature. The hard drive model can be determined by the 'tmsh show sys raid' command.

Impact:
1. New hard disk drives installed during manufacturing or as RMA replacements may not be checked for pending sectors.
2. No messages are logged indicating that the hard disk drive is not being checked for pending sectors.

Workaround:
None.

Fix:
New hard disk drives installed in BIG-IP systems during manufacturing or as RMA replacements are now checked for pending sectors, as expected.


459994-1 : tmm may crash if default gateway pool contains members that it cannot route to

Component: Local Traffic Manager

Symptoms:
tmm may crash in an invalid routing setup.

Conditions:
A gateway pool member is created that is unreachable and not local on any subnet.

Impact:
tmm crashes.

Workaround:
Do not create an invalid routing setup.

Fix:
If tmm cannot obtain a route to the pool member that was selected, the connection will be reset.


458872-4 : Check SACK report before treating as dupack

Component: Local Traffic Manager

Symptoms:
TCP uses duplicate ACKs as a sign that data has left the network. When SACK is enabled, the SACK option carries better information about this. When SACK indicates that no data has left the network, duplicate ACK processing should not be executed.

Conditions:
SACK is enabled and duplicate ACKs arrive.

Impact:
TCP sends data in excess of what is authorized by the congestion window.

Workaround:
It's a mild performance impact, so no workaround is necessary.

Fix:
SACK information is now considered before duplicate ACK processing.
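The sender-side logic this fix describes, as an added Python model (not BIG-IP's TCP stack): a candidate duplicate ACK is only counted when its SACK blocks report at least one byte that has not been reported before. The scenario, congestion-window arithmetic (simplified RFC 5681 fast recovery) and segment sizes are constructed for illustration.

```python
from dataclasses import dataclass, field

MSS = 1460


@dataclass
class Sender:
    """Minimal TCP sender state, enough to show duplicate-ACK accounting."""
    snd_una: int                 # oldest unacknowledged sequence number
    snd_nxt: int                 # next sequence number to send
    cwnd: int = 10 * MSS
    ssthresh: int = 1 << 30
    dupacks: int = 0
    sacked: list = field(default_factory=list)  # SACK blocks already seen, as (start, end)


def _uncovered_bytes(block, covered):
    """Bytes of `block` (half-open [start, end)) that lie outside every block in `covered`."""
    pieces = [block]
    for s, e in covered:
        nxt = []
        for a, b in pieces:
            if e <= a or s >= b:          # no overlap with this covered block
                nxt.append((a, b))
            else:                         # keep the parts left and right of the overlap
                if a < s:
                    nxt.append((a, s))
                if e < b:
                    nxt.append((e, b))
        pieces = nxt
    return sum(b - a for a, b in pieces)


def sack_reports_new_data(sender, sack_blocks):
    """True if the SACK option covers at least one byte above snd_una not reported before."""
    new = 0
    for start, end in sack_blocks:
        start = max(start, sender.snd_una)
        if end > start:
            new += _uncovered_bytes((start, end), sender.sacked)
    return new > 0


def process_ack(sender, ack, sack_blocks=(), check_sack_first=True):
    """Process one ACK. Returns 'newdata', 'old', 'ignored' or 'dupack'.
    check_sack_first=False reproduces the pre-fix behaviour: every ACK for snd_una counts."""
    if ack > sender.snd_una:
        sender.snd_una = ack
        sender.dupacks = 0
        sender.sacked = [b for b in sender.sacked if b[1] > ack]
        return "newdata"
    if ack < sender.snd_una:
        return "old"
    # ack == snd_una: a candidate duplicate ACK.
    if check_sack_first and not sack_reports_new_data(sender, sack_blocks):
        return "ignored"          # fixed behaviour: SACK says nothing new left the network
    sender.sacked.extend(sack_blocks)
    sender.dupacks += 1
    if sender.dupacks == 3:       # fast retransmit, enter fast recovery
        flight = sender.snd_nxt - sender.snd_una
        sender.ssthresh = max(flight // 2, 2 * MSS)
        sender.cwnd = sender.ssthresh + 3 * MSS
    elif sender.dupacks > 3:      # each further dupack inflates cwnd by one MSS
        sender.cwnd += MSS
    return "dupack"


# Constructed scenario: 10 segments in flight from seq 1000, the first is lost. The
# receiver SACKs three later segments as they arrive, then repeats its last ACK twice
# (no new SACK information, so nothing new has left the network).
SCENARIO = [
    (1000, [(2460, 3920)]),
    (1000, [(2460, 5380)]),
    (1000, [(2460, 6840)]),
    (1000, [(2460, 6840)]),   # identical repeat
    (1000, [(2460, 6840)]),   # identical repeat
]


def run_scenario(check_sack_first):
    """Returns (per-ACK outcomes, dupack count, final cwnd) for the constructed scenario."""
    s = Sender(snd_una=1000, snd_nxt=1000 + 10 * MSS)
    outcomes = [process_ack(s, ack, blocks, check_sack_first) for ack, blocks in SCENARIO]
    return outcomes, s.dupacks, s.cwnd
```

Without the check the two repeated ACKs inflate cwnd by 2*MSS although no segment left the network, which is the excess transmission the Impact describes.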


457603-1 : Cookies handling issue with Safari on iOS6, iOS7

Component: Access Policy Manager

Symptoms:
The wrong set of cookies is sent to the backend with some requests. The issue is very intermittent.

Conditions:
Web-Application with Portal Access when Safari on iOS6, iOS7 is used.

Impact:
The web application malfunctions.

Workaround:
This issue has no workaround at this time.

Fix:
Web applications with portal access using Safari on iOS now work correctly when an 'onbeforeunload' event occurs.


456766-1 : SSL Session resumption with hybrid handshake might fail

Component: Local Traffic Manager

Symptoms:
When using SSL session resumption during a hybrid handshake (sslv2 with tls1.0), the resumption might fail.

Conditions:
SSL session resumption is allowed, and is using a hybrid handshake.

Impact:
Session resumption would fail, necessitating a complete handshake to reconnect.

Workaround:
Disable the SSL session cache.

Fix:
SSL Session resumption now works in all expected cases.


456078-2 : Possible SSL crash

Component: Local Traffic Manager

Symptoms:
In rare circumstances, SSL might crash when preparing to send an alert.

Conditions:
SSL needs to send an alert during the handshake.

Impact:
TMM crash.

Workaround:
None.

Fix:
SSL sending an alert during the handshake no longer results in a TMM crash.


455493-4 : Cancel button remains enabled

Component: Access Policy Manager

Symptoms:
During normal Policy Sync operations, the Cancel button is enabled while the Access Profile is exchanged with other devices within the device group, and then should disable. This known issue occurs when the Cancel button stays enabled even after the Access Profile has successfully been exchanged with all other devices.

Conditions:
No particular condition leads to this issue.

Impact:
While the Cancel button remains enabled, further changes and subsequent policy sync operations cannot be made for that Access Profile. The Access Profile cannot even be deleted.

Workaround:
This issue has no workaround at this time.

Fix:
An issue that caused the Cancel button to stay enabled after Access Profile is exchanged with other devices has been fixed.


455264-1 : Error messages are not clear when adding member to device trust fails

Component: TMOS

Symptoms:
If you cannot reach the IP address of a device that you are adding to a device trust then the error message does not properly display in the GUI. For some errors the message is empty and for some errors the message contains unformatted xml data.

Conditions:
This problem occurs when adding a peer or subordinate to the device trust where the IP address cannot be reached.

Impact:
User cannot be sure what the problem with adding the device really is.

Workaround:
Verify that the address is correct and that you are able to route to the device you are trying to add to the device trust.

Fix:
During trust initiation when the peer is unreachable, the system now posts the error message "This device is not found."


454018-5 : Nexthop to tmm0 ref-count leakage could cause TMM core

Component: Local Traffic Manager

Symptoms:
Each use of the interface tmm0 for inter-TMM communication is supposed to increment its count of nexthop references. When the use of the interface is expired, the reference count is supposed to decrement, but in this case, the reference count is not decremented.

Conditions:
This occurs when TMM runs over an extended period of time, and internal communication between TMMs over tmm0 is heavy during the period.

Impact:
Reference count leaks, which causes the count to monotonically increase, which eventually might cause TMM to crash and restart.

Workaround:
This issue has no workaround.

Fix:
The nexthop reference count of the interface tmm0 is thoroughly examined and corrected, so it no longer leaks ref counts.


452318-1 : Local vulnerability CVE-2014-0050

Component: TMOS

Symptoms:
Third party software has been updated to a version not vulnerable to CVE-2014-0050.

Conditions:
see https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15189.html

Impact:
see https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15189.html

Workaround:
None.

Fix:
Third party software has been updated to a version not vulnerable to CVE-2014-0050.


452010-5 : RADIUS Authentication fails when username or password contain non-ASCII characters

Component: Access Policy Manager

Symptoms:
RADIUS Authentication fails when the logon name contains non-ASCII characters. The problem is caused by a failure to convert from UTF-8 to Windows-1252.

Conditions:
RADIUS authentication is configured and username/password contain non-ASCII characters.

Impact:
Users are not able to log in.

Workaround:
There is no workaround for this issue.

Fix:
Now it is possible to configure charset decoding behavior. You can decode usernames and passwords into CP-1252 (original behavior) or use UTF-8 charset (in this case, RADIUS Auth sends the username and password unmodified).


451777-8 : Custom reports Available fields may be broken

Component: Access Policy Manager

Symptoms:
This may happen only when there is something wrong with the installation or the DB connection and the user wants to create a custom report. The "Available Fields" list spins indefinitely in the Custom Report UI. If the cause is only a DB connection issue, restarting tomcat after the DB issue is fixed resolves it. If the cause is an installation issue, restarting tomcat will not help, and BIG-IP must be reinstalled.

Conditions:
The user tries to create a custom report for the first time and there is a DB or installation issue.

Impact:
Custom Report cannot be created.

Workaround:
This issue has no workaround at this time.

Fix:
If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message displays now.


446860-3 : APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348

Component: Access Policy Manager

Symptoms:
APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 (ActiveSync client fails to login to APM with large POST body)

Conditions:
An ActiveSync client with a large POST body tries to log into APM.

Impact:
ActiveSync client with large POST body cannot log in even when tmm.access.maxrequestbodysize DB variable is configured

Workaround:
This issue has no workaround at this time.

Fix:
Now APM Exchange Proxy honors the tmm.access.maxrequestbodysize DB variable. Modify the tmm.access.maxrequestbodysize DB variable with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).


446830-1 : Current Sessions stat does not increment/decrement correctly.

Component: Local Traffic Manager

Symptoms:
Current Sessions stat does not increment/decrement correctly.

Conditions:
On a virtual server with an HTTP filter, if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response, the pool member's cur_sessions stat is incremented but not decremented.

Impact:
Difficult to determine an accurate number of Current Sessions. Current Sessions stat appears unexpectedly large, for example, Current Sessions : 18446744073709551615, rather than as expected, Current Sessions : 0.

Workaround:
None.

Fix:
On a virtual server with an HTTP filter, Current Sessions stat now increments/decrements correctly if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response.


442539-7 : OneConnect security improvements.

Component: Local Traffic Manager

Symptoms:
OneConnect security improvements.

Conditions:
OneConnect security improvements.

Impact:
OneConnect security improvements.

Workaround:


442115-1 : upgrade to v11.4.1 re-sets trust.configupdatedone to false on chassis

Component: TMOS

Symptoms:
After upgrading from v11.x to v11.4.1 on a VIPRION system, the trust.configupdatedone DB key resets to False. This causes the device to continually try to log into the peer over iControl, unsuccessfully. This will be apparent by repeated entries in /var/log/audit and /var/log/secure (every 30 seconds) of the /other/ devices, along the lines of the following, where the host is identified as the afflicted system:
Jan 01 01:01:09 slot1/VIPRION info httpd(pam_audit)[31039]: User=admin tty=(unknown) host=1.1.1.1 failed to login after 1 attempts (start="Wed Jan 01 01:01:07 2014" end="Wed Jan 01 01:01:09 2014").

Conditions:
- VIPRION system in a device group.
- Upgraded from v11.x to v11.4.1.
- Or: a UCS created on a VIPRION system where the slot is not 0 is upgraded to 11.4.1.

Impact:
The system continually tries to log into the peer through iControl unsuccessfully.

Workaround:
- tmsh modify sys db trust.configupdatedone value true
- bigstart restart devmgmtd


441573-6 : Selecting [All] in partition selector may not show all data on list pages

Component: TMOS

Symptoms:
On list pages in the GUI, when the user selects "[All] Read Only" in the partition selector, the page may not reflect all of the partitions' data. It is possible, after selecting another partition, to see a proper dataset when selecting [All], but we have not been able to come up with a fully reproducible scenario where this happens.

Conditions:
The user is viewing a list page in the GUI and changes the partition selector to [All] Read Only. Selecting individual partitions works properly.

Impact:
The user may not see the proper selection of objects.

Workaround:
The user must manually refresh the page.

Fix:
Users in all partitions are now shown when [All] Read Only is selected.


440311-1 : Virtual Edition Throughput Licensing Improvements

Component: Local Traffic Manager

Symptoms:
Virtual Edition throughput license enforcement can drop packets when traffic is under the licensed throughput limit. When these packet drops occur, you will see increasing 'ingress_drops' and 'egress_drops' statistics in tmm/if_shaper.

Conditions:
Virtual Edition with a throughput-based license

Impact:
Virtual Edition instances may not achieve the licensed throughput, and may drop packets below the licensed throughput limit.

Workaround:

Fix:
Virtual Edition throughput licensing was modified to reduce latency and avoid unnecessary packet drops.


438757-1 : TMM may crash or may have corrupted SessionDB key value

Component: TMOS

Symptoms:
Symptoms of this issue include a TMM crash or a corrupted SessionDB key.

Conditions:
Conditions leading to this issue include: the stored key is in local tmm; and the hex key value found ends one character from the end of the data *and* the last character is a hex digit *and* the character after that (which is not part of the data) is also a hex digit.

Impact:
The impact of this issue is a TMM crash or the Stored SessionDB key may be corrupted.

Workaround:
This issue has no workaround at this time.


438159-1 : Anonymous Internet Key Exchange (IKE) peer doesn't support pre-shared key

Component: TMOS

Symptoms:
An anonymous Internet Key Exchange (IKE) peer does not work with a pre-shared key.

Conditions:
IKEv1 negotiation using anonymous IKE peer configured with pre-shared key will fail.

Impact:
User can't use pre-shared key with anonymous IKE peer

Workaround:
Use X.509 certificate with the anonymous IKE peer or configure specific IKE peer with the proper remote address for each remote IKE peer to use pre-shared key.

Fix:
Users can now use pre-shared key with anonymous IKE peer for IKEv1 negotiation.


437285-3 : CVE-2013-3571 CVE-2012-0219 CVE-2010-2799

Component: TMOS

Symptoms:
CVE-2013-3571 CVE-2012-0219 CVE-2010-2799

Conditions:
https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14919.html

Impact:
https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14919.html

Workaround:

Fix:
Updated socat to 1.7.2.2 [was 1.7.1.2] to address CVE-2010-2799.


436849 : Front panel port link LEDs do not match the bundle configuration state

Component: TMOS

Symptoms:
If the default bundling configuration is being used, an incorrect front panel 10 GB/40 GB link LED status might display on first startup following a new install.

Conditions:
This occurs when you use the default bundling configuration.

Impact:
The front panel link LEDs might not match the configuration mode shown by the output of the command tmsh list net interface.

Workaround:
Workarounds for correcting the front panel 10G/40G LED link status display include any command that results in a bcm56xxd daemon restart, whether through a 'bigstart restart bcm56xxd', 'bigstart restart', bundling configuration change, blade reboot, etc.

Fix:
The front panel link LEDs now match the configuration mode shown by the output of the command tmsh list net interface.


436681-2 : Add support to disable hw compression provider

Component: Local Traffic Manager

Symptoms:
This is a requested enhancement. Some TMOS users prefer to completely disable hardware accelerated compression. This feature provides a "softwareonly" provider selection algorithm that will force all compression requests to be done by TMOS, and will not attempt to send compression requests to accelerator hardware.

Conditions:
The new setting is available when the "compression.provider" db variable is set to "softwareonly".

Impact:
When enabled, all compression requests will be performed by TMOS. This consumes CPU resource, and may reduce overall system performance.

Workaround:
This is a requested enhancement controlled by setting the "compression.provider" db variable to "softwareonly". To disable the new feature, change "compression.provider" to another provider selection algorithm.

Fix:
Enhancement: Provide user with a mechanism to completely disable hardware accelerated compression.


433466-6 : Disabling bundled interfaces affects first member of associated unbundled interfaces

Component: TMOS

Symptoms:
When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1).

Conditions:
Disabling bundled interfaces affects first member of associated unbundled interfaces.

Impact:
Traffic is unable to pass because the affected ports are in 'Down' status.

Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). Same for the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.

Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.


432039-6 : Sync status does not update when devices are added or removed from the device cluster

Component: TMOS

Symptoms:
When a device is added or removed from a device cluster, the sync status does not change to "In Sync" or "Disconnected" respectively.

Conditions:
This occurs when adding or removing devices from a device cluster.

Impact:
The impact of this issue is that an incorrect status is displayed when a device's connectivity state changes.

Workaround:
This issue has no workaround at this time.

Fix:
Sync status now gets updated when device connectivity state changes.


431926-3 : The tcp proxy can accidentally resend request or response done events.

Component: Local Traffic Manager

Symptoms:
The message "http_process_state_parse_header - Invalid action EV_BODY_COMPLETE during ST_HTTP_PARSE_HEADERS" appears in /var/log/ltm

Conditions:
If a filter decides to message the proxy while handling a request or response done event, the proxy may re-send that event again.

Impact:
Filters may receive an extra HUDCTL_RESPONSE_DONE or HUDCTL_REQUEST_DONE event that they do not expect. This may generate messages in the logs, or other unwanted behavior.

Workaround:
None.

Fix:
The TCP proxy can no longer accidentally resend request or response done events.


430205 : getChassisPwr error messages in VIPRION C2000-series chassis when power supply removed.

Component: TMOS

Symptoms:
If one of the power supplies in a VIPRION C2200 or C2400 chassis is removed while the system is running on at least one blade, warning messages similar to the following are logged in the LTM log: warning chmand[*]: 012a0004:4: getChassisPwr err: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=54 sub_obj=0 slot_id=10 result=19 len=0 crc=462c payload= (error code:0x19).

Conditions:
1. VIPRION C2200 or C2400 chassis with 2 power supplies inserted and operating (connected, supplying power).
2. At least one blade running.
3. One of the power supplies is then removed.

Impact:
Excessive error messages logged in the LTM log. These are benign error messages that can be ignored.

Workaround:
Available workarounds:
1. Reinsert/reconnect the missing power supply.
2. Ignore these benign messages.

Fix:
Excessive getChassisPwr errors are no longer logged when a power supply is removed from a running VIPRION C2000-series chassis.


430117-1 : DIAMETER can double-free data leading to unpredictable behavior

Component: Service Provider

Symptoms:
Resets on the server side of a hudchain; unpredictable behavior; core dumps with differing stack traces.

Conditions:
Persistence is enabled and a server-initiated message is sent.

Impact:
V11.0.0, v11.1.0, v11.2.0-hfn

Workaround:
N/A

Fix:
A double-free condition in the Diameter profile has been fixed.


428712-2 : Fix SSL Alert sending infinite loop problem

Component: Local Traffic Manager

Symptoms:
SSL sends an Alert in an infinite loop.

Conditions:
When clean shutdown is enabled.

Impact:
SSL is stuck in an infinite loop.

Workaround:
No workaround

Fix:
The loop calling ssl_tx_alert() is now avoided.


426482-3 : System might hang when decompressing large or corrupted files on 2100/2150 blades

Component: Wan Optimization Manager

Symptoms:
If a corrupted file or a very large file is sent to be decompressed, the system might hang.

Conditions:
A large or corrupted file sent to be decompressed on 2100/2150 blades.

Impact:
System hangs and compression/decompression operations fail.

Workaround:

Fix:
The Octeon now properly handles decompressing large files on 2100/2150 blades without any failures.


425980 : Blade number not displayed in CPU status alerts

Component: TMOS

Symptoms:
Messages displayed on the VIPRION chassis LCD display always reference the blade number of the Primary blade in the chassis at the time that the message was issued. The slot number of the blade that is actually experiencing the blade-specific condition is not included in the LCD display message. In the case of CPU status alerts, where the CPU temperature is too high or the CPU fan speed is too low, the identification of the blade is not included in the console output or log messages produced by the system_check utility.

Conditions:
Affects: VIPRION B4100 (PB100), B4200 (PB200) and B4300-series blades in VIPRION C4400, C4480 and C4800 chassis. VIPRION B2100, B2150 and B2250 blades in VIPRION C2400 and C2200 chassis with external LCD displays attached.

Impact:
It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display.

Workaround:
Use one of the following commands to examine the CPU measurements to determine which CPU on which blade is experiencing excessive temperature and/or slow fan speed:
1. tmsh show sys hardware
2. tmctl cpu_status_stat

Fix:
The system_check utility now logs the blade number as part of CPU status alerts to the system console and log messages. Such detail is not made available on the LCD display.


424831-3 : State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover

Component: Local Traffic Manager

Symptoms:
Failovers between devices in an HA pair might result in an unexpected disruption of traffic (for instance, if virtual servers are configured for mirroring). Persistence / session table information would similarly be missing on the newly-active system.

Conditions:
A platform that supports hardwired failover, configured for hardwired failover (note: this excludes chassis-based platforms, as well as vCMP guests and VEs), with network failover disabled.

Impact:
- Failovers may result in unexpected disruption of traffic that a customer expects to be mirrored.
- Session database (SessionDB entries, iRule session table, persistence table, etc.) will not be mirrored as expected, which may result in unknown, unexpected traffic failures.

Workaround:
Enable network failover, then restart all TMMs. Note: workaround will temporarily disrupt traffic.

Fix:
State Mirroring now works for HA configurations that use only hardwired (serial) failover, without network failover.


413708-1 : BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.

Component: TMOS

Symptoms:
When SNMP IPv6 UDP queries are directed from a client to a self IP, the response from the BIG-IP system does not preserve the source port. An ephemeral source port is used instead of source port 161.

Conditions:
SNMP IPv6 UDP query only.

Impact:
SNMP query fails.

Workaround:

Fix:
The BIG-IP system no longer sends SNMP IPv6 UDP responses from an ephemeral source port.


412160-3 : vCMP provisioning may cause continual tmm crash.

Component: TMOS

Symptoms:
vCMP provisioning may cause continual tmm crash. In rare cases, tmm cores when VCMP is provisioned/deprovisioned. The tmm log file presents messages similar to the following: panic: ../dev/cn1120/n3_compress.c:555: Assertion 'enough n3_comp_dev structs' failed.

Conditions:
1) LTM is provisioned.
2) Provision vCMP.
3) View the tmm log file/system process table/etc.

Impact:
The tmm continually restarts.

Workaround:
1) Save the system configuration.
2) Reboot.
3) After reboot, ensure that the device stays active and has only two Nitrox 3 Compression Devices listed in /var/log/tmm:
-- notice n3-compress0 PASS 0.1: Nitrox 3 Compression Device
-- notice n3-compress1 PASS 0.1: Nitrox 3 Compression Device

Fix:
The system now prevents the tmm from starting up in the case where vCMP is provisioned/deprovisioned. This is correct behavior.


397431-5 : Improved security for Apache.

Component: TMOS

Symptoms:
Improved security for Apache.

Conditions:
Improved security for Apache.

Impact:
Improved security for Apache.

Workaround:


375887-7 : Cluster member disable or reboot can leak a few cross blade trunk packets

Component: Local Traffic Manager

Symptoms:
Using the cluster member 'disable' command with a trunk that spans blades might cause a brief period where received broadcast and multicast packets egress out the enabled trunk members of the cluster.

Conditions:
This occurs on a trunk that spans blades.

Impact:
To an external device running spanning tree protocol or variant, this can look like a loop.

Workaround:
None.

Fix:
Cluster member disable or reboot no longer leaks a few cross-blade trunk packets.


365219-4 : Trust upgrade fails when upgrading from version 10.x to version 11.x.

Component: TMOS

Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but one of the two following error messages will appear in the /var/log/ltm log:
-- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}.
-- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.

Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.

Impact:
Trust upgrade for version 10.x high availability configuration fails.

Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.

Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.


364994-5 : Disabling OneConnect must be done on Client and Server sides

Component: Local Traffic Manager

Symptoms:
When OneConnect is in use, server-side flows are reused whenever possible. If reuse is disabled on the client side (via an iRule), this may not take effect if the server-side flow does not exist yet.

Conditions:
This happens when OneConnect is enabled and the ONECONNECT::reuse disable iRule command is used.

Impact:
Flows may be reused even though they have been marked as not to be reused.

Workaround:
Add the following to the iRule:
when SERVER_CONNECTED {
    if { [info exists oc_reuse_ss_disable] } {
        ONECONNECT::reuse disable
    }
}

Fix:
TMM no longer restarts when a OneConnect profile is applied to a virtual server and OneConnect reuse is disabled on the server side by an iRule.


364978-3 : Active/standby system configured with unit 2 failover objects

Component: TMOS

Symptoms:
If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2.

Conditions:
This occurs when an active/standby system is misconfigured with unit 2 failover objects.

Impact:
For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair.

Workaround:
To work around this, modify the default device to point to unit 1 using a command similar to the following: tmsh modify /cm traffic-group traffic-group-2 default-device unit_1_device_name.

Fix:
An active/standby system configured with unit 2 failover objects now creates one traffic group, which is correct behavior.


362267-1 : Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors

Component: TMOS

Symptoms:
If a user configures network failover on a VIPRION using a blade's management address as the unicast address, the other blades cannot use this address, and the system issues an error message. This is correct operation.

Conditions:
System is configured with per-blade management addresses as unicast network failover addresses.

Impact:
The system posts error messages that appear severe. However, there is no impact to system functionality.

Workaround:
No workaround is needed (under these conditions, message is cosmetic), but the use of multicast failover avoids the messages.

Fix:
The system now tracks the set of active self IPs and management addresses, and issues errors only when the unicast source IP is invalid or does not behave as expected.


355661-1 : sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address

Component: TMOS

Symptoms:
During system startup, particularly after an upgrade or 'load sys config', the sod daemon will repeatedly log errors failing to bind() to the appliance management address to listen for network failover packets. This is caused by a race condition between the chassis management daemon programming the management port address and the failover daemon attempting to access that address.

Conditions:
The management address is configured as a device unicast address.

Impact:
Excessive logging traffic at error level for a valid configuration.

Workaround:

Fix:
The sod daemon has been modified to validate the unicast addresses against the configured management addresses and non-floating self IPs, and to retry the bind() without logging an error when the race occurs. The daemon now reports when it is successfully listening on each of the configured unicast addresses, and only logs bind() errors if the configured address is invalid.


352925-5 : Updating a suspended iRule and TMM process restart

Component: Local Traffic Manager

Symptoms:
Updating a suspended iRule assigned via a profile causes the TMM process to restart when trying to return to the suspended iRule.

Conditions:
This occurs when the iRule is suspended and the TMM process is trying to restart.

Impact:
TMM restarts.

Workaround:
Assign the iRule to the virtual server instead of assigning it to the profile.

Fix:
Updating a suspended iRule no longer results in TMM process restart.


348000-7 : HTTP response status 408 request timeout results in error being logged.

Component: Local Traffic Manager

Symptoms:
HTTP response status 408 request timeout results in error being logged.

Conditions:
An HTTP profile is attached to a virtual server. A 408 response status is received from the server and is not preceded by a request from the client.

Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.

Workaround:
None.

Fix:
HTTP response status 408 request timeout no longer results in error being logged.




Cumulative fixes from BIG-IP v11.4.1 Hotfix 9 that are included in this release

Note: F5 has recently changed the bug numbering scheme in our bug tracking database. Now all bugs have a single version assigned to them and so bugs can now have sub bugs denoted by a '-' and then the sub bug number, i.e. 404716-4 with 404716 being the parent bug. The release notes for previous rollups will also reflect this change so some bugs may now contain a sub bug prefix.

TMOS Fixes

ID Number Severity Description
477218-1 1-Blocking Simultaneous stats query and pool configuration change results in process exit on secondary.
427077-3 1-Blocking Regenerate trust domain and related device certs and keys
465803-5 1-Blocking CVE-2014-0221 CVE-2014-0195: DTLS flaws
530744 1-Blocking kernel.ntp: livelock in leapsecond insertion :: watchdog reboots
466486 1-Blocking CVE-2014-0224: CCS vulnerability
467022-4 1-Blocking 11050 platform will not go active citing error 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2).
468175-2 1-Blocking IPsec interop with Cisco systems intermittent outages
428735-4 1-Blocking TACACS+ system auth and file descriptors leak
467646-1 2-Critical IDE DMA timeouts can result in stuck processes
428494-1 2-Critical bigip.conf loses all high level config data after loading base config
423115-2 2-Critical mcpd cores when virtual servers in traffic groups have non-floating IP address
484733-1 2-Critical aws-failover-tgactive.sh doesn't skip network forwarding virtuals
460730-4 2-Critical On systems with multiple blades, large queries can cause TMM to restart
429544-1 2-Critical Resolve multiple known Linux vulnerabilities with Low rating.
477281-8 2-Critical Improved XML Parsing
451424-7 2-Critical SNMP subagent/snmpd might restart under certain conditions
435569-1 2-Critical Cannot change cluster management IP address from GUI when logged on to management port
523032-3 2-Critical qemu-kvm VENOM vulnerability CVE-2015-3456
501343-5 2-Critical In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
477031-3 2-Critical Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart
511942-1 2-Critical Unable to establish HA connection
505071-1 2-Critical Delete and create of the same object can cause secondary blades' mcpd processes to restart.
421210-3 2-Critical FIPS key mismatch
376120 2-Critical tmrouted restart after reconfiguration of previously deleted route domain
429991-1 2-Critical Introduced stateless UDP disaggregation on the VIPRION C4800 chassis
438674-6 2-Critical When log filters include tamd, tamd process may leak descriptors
413052-2 2-Critical Generating a qkview report on systems with large routing tables can crash TMM.
428161-2 2-Critical Not possible to set up a non-CA-device
470796-4 2-Critical XSS vulnerability in echo.jsp CVE-2014-4023
421349-3 2-Critical FIPS key mismatch
420915-1 2-Critical Reload of configuration after virtual server deletion can cause very small memory leak.
513341-1 2-Critical CVE-2015-0292 : OpenSSL Vulnerability
479374-1 2-Critical Setting appropriate TX driver settings for 40 GB interfaces.
426373-2 2-Critical OSPFv3 external LSA format corrected
484453-2 2-Critical Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)
534630-1 2-Critical Upgrade BIND to address CVE 2015-5477
433822-2 2-Critical Uninitialized variable may cause packets to be directed to wrong TMM
483683-4 3-Major MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
375246-7 3-Major Clarification of pool member session enabling versus pool member monitor enabling
405067-4 3-Major System applies active bonus value when the HA score is zero
436682-3 3-Major Optical SFP modules shows a higher optical power output for disabled switch ports
472365-1 3-Major The vCMP worker-lite system occasionally stops due to timeouts
410398-2 3-Major sys db tmrouted.rhifailoverdelay does not seem to work
476288-3 3-Major Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
507331-2 3-Major Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.
460020-1 3-Major Rewrite profile might cause tmm core when trying to rewrite set cookie in HTTP response header
519877-4 3-Major External pluggable module interfaces not disabled correctly.
473037-4 3-Major BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
442993-1 3-Major An unexpected gateway may be selected for the management interface
491556-2 3-Major tmsh show sys connection output is corrected
513294-4 3-Major LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
501517 3-Major Very large configuration can cause transaction timeouts on secondary blades
497719-5 3-Major CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, CVE-2014-9296
491439 3-Major HiGig MAC registers are not dumped to log file on HSB transmitter failure
411151-1 3-Major Vlan groups with EtherIP tunnel members may drop packets
510381-1 3-Major bcm56xxd on A108 may core when restarting due to bundling config change.
434730-4 3-Major Auto-sync may fail with many synchronizations in rapid succession
484861-2 3-Major A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
420475-2 3-Major IPv6 Reject routes installed using tmsh/GUI does not appear in ZebOS routing table
423834-3 3-Major TMSH list with one-line option does not display on one line for some objects.
428072-6 3-Major iRules referring to pool by full path/folder name
463468 3-Major failed tmsh command generate double logs
485939-4 3-Major OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.
439559-3 3-Major APM policy sync resulting in failover device group sync may make the failover sync fail
421124-2 3-Major Role change and update in EM/BIG-IP system SSO setup
513649 3-Major Transaction validation errors on object references
473088-1 3-Major Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
485352-5 3-Major TMM dumps core file when loading configuration or starting up
416292-4 3-Major MCPD can core as a result of another component shutting down prematurely
501670 3-Major mcpd on secondary blades can core if the MCPD log level is set to info or debug during config sync
367759-5 3-Major VLAN tagged vs. untagged configuration change applied only after tmm restart
497564-3 3-Major Improve High Speed Bridge diagnostic logging on transmit/receive failures
456384-3 3-Major alertd is coring on 2 very long syslog messages
507327-3 3-Major Programs that read stats can leak memory on errors reading files
405752-3 3-Major Monitors sourced from specific source ports can fail
421513-1 3-Major Cannot create key/csr with DSA key using GUI
427357-7 3-Major Virtual address icmp-echo and arp properties get reset to disabled for network prefixes on config load
495024-1 3-Major Policy flow's nexthop not always updated when route pool member status changes
462943-2 3-Major TMM could crash when sending CSS files through a virtual with LTM URI Translation profile
431176-2 3-Major cmd_sod does not retry sending messages
479543-4 3-Major Transaction will fail when deleting pool member and related node
414245-4 3-Major Attributes not populated when using tmsh edit command to modify existing virtual server
226043-2 3-Major Add support for multiple addresses for audit-forwarder.
507575-2 3-Major An incorrectly formatted NAPTR creation via iControl can cause an error.
514726-1 3-Major Server-side DSR tunnel flow never expires
426267-3 3-Major Vcmp guest management IP does not get set after config load failure
468235-4 3-Major The worldwide City database (City2) does not contain all of the appropriate Proxy strings.
428645-2 3-Major chmand core file during shutdown due to uncaught exception
477888-2 3-Major ESP ICSA support is non-functional on versions 11.4.0 and up
425878-5 3-Major Loading a configuration with vcmp guests may cause incorrect guest settings.
484706-4 3-Major Incremental sync of iApp changes may fail
486512-4 3-Major audit_forwarder sending invalid NAS IP Address attributes
442889 3-Major TMM may generate core dump with rewrite profile
468837-1 3-Major SNAT translation traffic group inheritance does not sync across devices
359774-4 3-Major Pools in HA groups other than Common
442625-1 3-Major TMM crash, requested unknown already exists errors when creating IPsec AH traffic-selector
439363-1 3-Major Auto-generated policy names might be too long
439446-1 3-Major vcmpd crash related to insufficient stopping timeout
481648-4 3-Major mib-2 ipAddrTable interface index does not correlate to ifTable
426508-2 3-Major Inconsistent OSPFv3 default-information originate behavior
507842-3 3-Major Patch for BIND Vulnerability CVE-2015-1349
437081-2 3-Major IPv6 virtual servers with TSO enabled may drop packets.
385274-2 3-Major Policy flow's nexthop not always updated when route pool member status changes
421882-3 3-Major ospf6d may crash during HA failover
442191-1 3-Major HTTP Class profiles globs are upgraded to a contains condition when it should be equals
440346-6 3-Major Monitors removed from a pool after sync operation
424322-5 3-Major Trunks containing empty SFP ports rejected on 2x00/4x00 appliances
485232 3-Major Disabling and re-enabling an active blade in a HA group may result in the blade becoming standby
429975-3 3-Major Client Cert Auth (SSO) OCSP connectivity issue due to timeout value
451602-2 3-Major DPD packet drops with keyed VLAN connections
497304-4 3-Major Unable to delete reconfigured HTTP iApp when auto-sync is enabled
418943-1 3-Major Session DB math operations may fail on long data values
446352-2 3-Major NAT-T and IPsec is not working when tunnel endpoint has floating IP address
507853-4 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
405470-2 3-Major promptstatusd dumps core under unknown circumstances
420769-2 3-Major Memory corruption caused by qemu-kvm set_vcpu_affinity()
435953-3 3-Major In the GUI, the search fails to return results for the Wide IP list
476708-5 3-Major ZebOS using BGP ECMP may not correctly update the ECMP paths when one of the paths goes down and comes back up
498992-2 3-Major Troubleshooting enhancement: improve logging details for AWS failover failure.
524545 3-Major Generate HF roll-up images for Virtual Edition platforms.
476738-4 3-Major rsync daemon may be configured to listen on a public port
519081 3-Major Cannot use tmsh to load valid configuration created using the GUI.
440259-3 3-Major logd crash during improper cast conversion
478922-2 4-Minor ICSA logging issues on versions 11.4.0 and later
447075-2 4-Minor CuSFP module plugged in during links-down state will cause remote link-up
415616-2 4-Minor qkview may generate error messages for very long file names
507115 4-Minor Unable to repeat the creation of a server
434096-1 4-Minor TACACS log forwarder truncates logs to 1k
477111-7 4-Minor Dual management routes in the main routing table
492163-2 4-Minor Applying a monitor to pool and pool member may cause an issue.
420283-2 5-Cosmetic Eliminate the need for customers to enable sys DB variables for VXLAN multicast tunnels.
437173-2 5-Cosmetic Dashboard Platform limits showing "none" for 7000s and 7200v platforms
430799-4 5-Cosmetic CVE-2010-5107 openssh vulnerability


Local Traffic Manager Fixes

ID Number Severity Description
420341-4 1-Blocking Connection Rate Limit Mode when limit is exceeded by one client also throttles others
419458-2 1-Blocking HTTP is more efficient in buffering data
456942-2 2-Critical TMM may crash when using DNS:name iRule to modify the RR owner name
451003-2 2-Critical SSL/TLS client certificate verification may fail due to SHA algorithms that are advertised but not supported
472831-1 2-Critical FIPS-enabled DNSSEC can cause TMM core
426328-3 2-Critical Updating iRule procs while in use can cause a core
442336-6 2-Critical FastL4 virtual may crash with SERVER_CONNECTED rule and acceleration
428504-1 2-Critical Forward proxy does not send forged certificate using SSLv3
513034-6 2-Critical TMM may crash if Fast L4 virtual server has fragmented packets
448787-3 2-Critical Monitors in non-default route domains may flap when a large number of connections are originated from that route domain
451041-3 2-Critical Session ticket may not be parsed correctly when using SSL persistence
422241-4 2-Critical Thales without OCS protected slot
451035-3 2-Critical On a 11050-FIPS BIG-IP, TMM may reset when loading a large number of FIPS keys
514108-5 2-Critical TSO packet initialization failure due to out-of-memory condition.
483665-1 2-Critical Restrict the permissions for private keys
500945 2-Critical Firefox 35 or later cannot connect to BIG-IP virtual server with clientssl profile in TLS1.2
472157-1 2-Critical Large file uploads abort for SPDY/3 and SPDY/3.1
480370-3 2-Critical Connections to virtual servers with port-preserve property will cause connections to leak in TMM
422460-4 2-Critical TMM may restart on startup/config-load if it has too many objects to publish back during config load
472585-1 2-Critical tmrouted crashes after a series of configuration changes
505331 2-Critical SASP Monitor may core
420723-2 2-Critical Configuration can be lost upon VIPRION reset and multi slot guest activation
491771-4 2-Critical Using catch to suppress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic
495560 2-Critical Crash from the TMM error if_bge.c:4471: Assertion 'we always have room in either sw or hw ring' failed.
440685-2 2-Critical LTM 3900, V11.3.0 hf8, source address translation memory leak suspected.
474601-2 2-Critical FTP connections are being offloaded to ePVA
503343-1 2-Critical TMM crashes when cloned packet incorrectly marked for TSO
407353-4 2-Critical TMM may fail under heavy load when using cmp.
433460-1 2-Critical Client browser activity causes server-side connection abort resulting in pool member down
521548-3 2-Critical Possible crash in SPDY
462025-8 2-Critical SQL monitors do not handle route domains properly
439862-1 2-Critical In rare situations SPDY combined with other filters can cause a TMM crash
436811-7 2-Critical Incorrect pool member status reporting by database monitors (Oracle, MSSQL, MySQL, PostgreSQL)
427239-1 2-Critical Default node monitor causes nodes to be left unchecked after sync
402412-2 2-Critical FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
424653-9 2-Critical SSL retransmit issues
473759-2 3-Major Unrecognized DNS records can cause mcpd to core during a DNS cache query
508716-2 3-Major DNS cache resolver drops chunked TCP responses
460627-2 3-Major SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
457293-3 3-Major Clustered Multiprocessing (CMP) peer connection is not removed in certain race conditions.
478257-5 3-Major Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
490713 3-Major FTP port might occasionally be reused faster than expected
413236-5 3-Major SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more
471059-2 3-Major Malformed cookies can break persistence
461587-8 3-Major TCP connection can become stuck if client closes early
474002-8 3-Major Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys
497584-1 3-Major The RA bit on DNS response may not be set
479129-6 3-Major TCP window scaling is not applied when SYN cookies are active
437627-2 3-Major TMM may crash if a FastL4 virtual server receives a fragmented packet
504306-4 3-Major https monitors might fail to re-use SSL sessions.
422554-1 3-Major Lack of detail for why TMM does not become Ready For World
475055-1 3-Major Core caused by incorrect accounting of I/O flows
424248-3 3-Major Virtual server bind failure on some TMMs
501690 3-Major TMM crash in RESOLV::lookup for multi-RR TXT record
499478-1 3-Major Fix bug 464651 which introduced change-in-behavior for SSL server cert chains by not including the root certificate
449848-6 3-Major Diameter Monitor not waiting for all fragments
501715 3-Major [DNS] RESOLV::lookup in CLIENT_ACCEPTED doesn't cache responses for VIP w/HTTP profile
426600-1 3-Major tmm may loop with priority group and rate limit enabled
474226-6 3-Major LB_FAILED may not be triggered if persistence member is down
458556-3 3-Major TMM may fail to start in certain traffic situations on chassis platforms
510638-3 3-Major [DNS] Config change in dns cache resolver does not take effect until tmm restart
425250-5 3-Major If datagram lb is enabled with a parking iRule, TMM may crash if more than one response is received
353101-2 3-Major The BIG-IP system marks pool members down when database server returns NULL
422077-1 3-Major TMM memory grows, TCL Variable leaking
463202-4 3-Major BIG-IP system drops non-zero version EDNS requests
401852-2 3-Major csyncd will intentionally dump core when the kernel event queue is full
447080-2 3-Major VLAN tagged/untagged configuration change requires tmm restart
506282-3 3-Major GTM DNSSEC key generation is not synchronized upon key creation
427085-2 3-Major BIGIP should send an Alert message when it receives a ClientHello with an unsupported protocol version.
408965-1 3-Major SSL persistence does not work with session ticket
502747-6 3-Major Incoming SYN generates unexpected ACK when connection cannot be recycled
515759-6 3-Major Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
449891-1 3-Major Fallback source persistence entry is not used when primary SSL persistence fails
475791 3-Major Ramcache profile may dispatch internal messages out-of-order leading to assert
428598-1 3-Major BIGIP does not send the correct SSLv3 protocol in forward proxy
514017 3-Major There is some memory bloat when loading SSL profiles
435965-2 3-Major clientssl/serverssl profile can support maximum ciphers with 256
490817-6 3-Major SSL filter might report codec alerts repeatedly
434400-3 3-Major tmm might core with rate-limiting on virtual server
455762-2 3-Major DNS cache statistics no longer incremented improperly due to mirrored cache data.
471535-4 3-Major TMM cores via assert during EPSV command
226892-14 3-Major Packet filter enabled, default action discard/reject and IP fragment drop
481880-3 3-Major SASPD monitor cores
429011-4 3-Major No support for external link down time on network failover
448606-1 3-Major tmm cores with panic string %slistener ref non-zero%s
427201-1 3-Major Issues with the LTM policy http-set-cookie action
516320 3-Major TMM may have a CPU spike if match cross persist is used.
422156-1 3-Major IRule errors can crash SPDY
504538-1 3-Major OneConnect and Least connections (member) lb mode does not balance load as expected
395570-5 3-Major TCP::Collect iRule can cause TMM failure.
520540-3 3-Major HTTP Basic authentication may cause the TMM to crash if the header is too large
499950-8 3-Major In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
439773-3 3-Major "Request for segment from middle of queue" condition converted to reset that particular flow instead of causing tmm core
513243-4 3-Major Improper processing of crypto error condition might cause memory issues.
493117 3-Major Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
519217-1 3-Major tmm crash: valid proxy
504854-1 3-Major OneConnect does not balance new traffic for all load balancing methods
523832 3-Major Import of FIPS key from a local FIPS exported key file (.exp) fails via TMSH
491454-3 3-Major SSL negotiation may fail when SPDY profile is enabled
493673-3 3-Major DNS record data may have domain names compressed when using iRules
465607-3 3-Major TMM cores with TMM log error 'Assertion "flow in use" failed.' when using FastHTTP.
497742-2 3-Major Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
499430 3-Major Standby unit might bridge network ingress packets when bridge_in_standby is disabled
490740-3 3-Major TMM may assert if HTTP is disabled by another filter while it is parked
512148-4 3-Major Self IP address cannot be deleted when its VLAN is associated with static route
463902-2 3-Major Hardware Compression in CaveCreek may cause excessive memory consumption.
512490-4 3-Major Increased latency during connection setup when using FastL4 profile and connection mirroring.
357536-4 3-Major HTTP iRule commands in an early server response will now work
452516-8 3-Major Excessive memory consumption after extended use
485472-5 3-Major iRule virtual command allows for protocol mismatch, resulting in crash
438877-3 3-Major If the SASP monitor receives an unexpected message from the GWM server containing an expected message id then the monitor stops processing any further messages.
476097-2 3-Major TCP Server MSS option is ignored in verified accept mode
442647-6 3-Major IP::stats iRule command reports incorrect information past 2**31 bits
505705-4 3-Major Expired mirrored persistence entries not always freed using intra-chassis mirroring
480506-9 3-Major tmm CMP does not delete server side flow when CMP flow response is undeliverable
442139-2 3-Major Some iRules can result in stuck UDP connections
474584-5 3-Major igbvf driver leaks xfrags when partial jumbo frame received
456413-6 3-Major Persistence record marked expired though related connection is still active
427393-3 3-Major BIG-IP serverssl "Untrusted Certificate Response Control" with ignore option does not ignore self-signed untrusted certificate.
468472-1 3-Major Unexpected ordering of internal events can lead to TMM core.
374339-9 3-Major HTTP::respond/redirect might crash TMM under low-memory conditions
469705 3-Major TMM might panic when processing SIP messages due to invalid route domain
503741-4 3-Major DTLS session should not be closed when it receives a bad record.
433008-1 3-Major Some CAs may fail to insert SAN
442410-4 3-Major Error condition with connection mirroring and connection pooling (OneConnect) enabled
452643-4 3-Major Pool member's lb_value is not updated when transitioning from disabled to enabled
427157-2 3-Major The TMM process may restart and produce a core file when using certain SSL iRule commands.
428163-1 3-Major Removing a DNS cache from configuration can cause TMM crash
471625-1 3-Major After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
517556-1 3-Major DNSSEC unsigned referral response is improperly formatted
452246-1 3-Major The correct cipher may not be chosen on session resumption.
470994-4 3-Major Rarely, TMM may segfault when applying TSO to invalid packets
342013-4 3-Major TCP filter doesn't send keepalives in FIN_WAIT_2
515072-1 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
447043-5 3-Major Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
451960-1 3-Major HTTPS monitors do not work with FIPS keys
425459-2 3-Major session iRule command may cause errors
477375-4 3-Major SASP Monitor may core
447874 3-Major TCP zero window suspends data transfer
443098-5 3-Major Memory leakage when Proxy SSL feature enabled
465908-3 3-Major CVE-2014-0224: behavior change
429770-4 3-Major Pool members become unavailable with connection limit and connection queuing enabled
413689-4 3-Major ntlm + oneconnect + persistence + v2 plugin can cause crash
502959-4 3-Major Unable get response from virtual server after node flapping
478439-4 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
505964-7 3-Major Invalid http cookie handling can lead to TMM core
438792-3 3-Major Node flapping may, in rare cases, lead to inconsistent persistence behavior
483653-1 3-Major In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window
427732-2 3-Major Connections using ECMP route may not be mirrored
501516-1 3-Major If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
430746-3 3-Major Some iRule commands may cause tmm to crash
427118-2 3-Major BIGIP serverssl profile does not send out any Alert message.
435335-1 3-Major SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize
471821-4 3-Major Compression.strategy "SIZE" is not working
454475-6 3-Major TLS Handshake succeeds when the padding is incorrect.
478617-5 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
437448-4 3-Major Rate limited pool member might stop accepting traffic under certain conditions
518020-7 3-Major Improved handling of certain HTTP types.
435993-4 3-Major Tunnel recipient drops encapsulated traffic instead of forwarding
421429-3 3-Major Client-initiated renegotiation for server ssl profile does not work with DTLS when it connects to another BIG-IP clientssl.
465052 3-Major Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing
353623-2 4-Minor global_stat, avg max_conns does not report correct value.
471787 4-Minor RADIUS information in configuration file not encrypted.
498597-4 4-Minor SSL profile fails to initialize and might cause SSL operation issues
452482-2 4-Minor HTTP virtual servers with cookie persistence might reset incoming connections
464462 4-Minor Prevent SQL monitor hangs
446755-2 4-Minor Connections with ramcache and clientssl profile allowing non-SSL traffic may stall
420485-4 4-Minor TMM silently drops non-SYN packet without sending a TCP RST
454692-1 4-Minor Assigning 'after' object to a variable causes memory leaks
480888-5 4-Minor If Tcl parks during HTTP::collect and serverssl is present, data can be truncated


Performance Fixes

ID Number Severity Description
473485-3 2-Critical Fixed a few issues in HTTP Auth module
497619-1 3-Major TMM performance may be impacted when server node is flapping and persist is used


Global Traffic Manager Fixes

ID Number Severity Description
515797-4 2-Critical Using qos_score command in RULE_INIT event causes TMM crash
442980-3 2-Critical GTM pool statistics incorrect if max-address-returned not set to 1 and r
513464-2 2-Critical Some autodiscovered virtuals may be removed from pools.
440284-4 2-Critical GTM VSes with a folderized ltm_name may not be monitored properly on a 10.2.4 LTM.
517083-4 3-Major Some autodiscovered virtuals may be removed from pools.
515033-2 3-Major [ZRD] A memory leak in zrd
425568-3 3-Major MySQL monitor may hang under repeated connection failures
515030-3 3-Major [ZRD] A memory leak in Zrd
225443-2 3-Major gtmparse fails to load if you add unsupported SIP monitor parameters to the config
420440-8 3-Major Multi-line TXT records truncated by ZoneRunner file import
423317-8 3-Major Reloading the config causes virtual servers to lose their reference to LC/GTM links
424135-2 3-Major gtmd crash caused by iQuery connection failure.
496775-7 3-Major [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor
466756-3 3-Major Automating input to gtm_add script rather than running it interactively can result in script failure
353556-3 4-Minor big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed
479084-2 4-Minor ZoneRunner can fail to respond to commands after a VE resume.
491554-1 4-Minor [big3d] Possible memory leakage for auto-discovery error events.
495311-1 4-Minor Internal build error occurs when manually building certain BIG-IP components


Access Policy Manager Fixes

ID Number Severity Description
436177-3 1-Blocking Improved security around Endpoint security modules
477278-6 1-Blocking CVE-2014-6032 and CVE-2014-6033
488986-5 1-Blocking Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
488736-2 1-Blocking Fixed problem with iNotes 9 Instant Messaging
484635-13 1-Blocking Upgraded to OpenSSL 1.0.1j
436180-4 1-Blocking Improved security around webcontrol installation
459900-1 1-Blocking Policy Sync error response "An error has occurred while trying to process your request"
482241-4 1-Blocking Windows 10 cannot be properly detected
441613-4 1-Blocking Customization allows arbitrary files to be uploaded
477274-10 1-Blocking Buffer Overflow in MCPQ
480272-3 2-Critical During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
427880-1 2-Critical SQL-injection can be introduced via JSON payloads
485465-4 2-Critical TMM might restart under certain conditions when executing SLO.
513382-18 2-Critical Resolution of multiple OpenSSL vulnerabilities
519864-1 2-Critical Memory leak on L7 Dynamic ACL
479524-1 2-Critical If a "refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten
477540-4 2-Critical 'ACCESS::policy evaluate' iRule command causes crash of apmd daemon
507782-4 2-Critical TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
450814-2 2-Critical Early HTTP response might cause rare 'server drained' assertion
489328-4 2-Critical Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.
466605-1 2-Critical Corruption of web-application global variable 'r' under some conditions.
476736-6 2-Critical APM IPv6 Network Access connection may fail in some cases
441790-1 2-Critical Logd core formed, while executing provisioning run script(mod_combo_7000_12721.py) on Whitethorne 2U platform
518260-2 2-Critical Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
427790-3 2-Critical LocalDB backup during system update fails when provisioning does not include anything that starts MySQL
471874-4 2-Critical VDI plugin crashes when trying to respond to client after client has disconnected
475049-4 2-Critical Missing validation of disallowing empty DC configuration list
494098-2 2-Critical PAC file download mechanism race condition
484454-8 2-Critical Users not able to log on after failover
468908-4 2-Critical Session timeout settings do not work properly
460265-4 2-Critical APMD crash on some string operations in Tcl expressions.
507681-7 2-Critical Window.postMessage() does not send objects in IE11
489323-4 2-Critical Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.
434776-2 2-Critical APD and APMD might crash if a file check agent is added to access policy
458928-2 2-Critical APMD cores in Kerberos authentication when the agent tries to dereference a null authparam session variable.
509490-3 2-Critical [IE10]: attachEvent does not work
526578-3 3-Major Network Access client proxy settings are not applied on German Windows
389328-4 3-Major RSA SecurID node secret is not synced to the standby node
432102-2 3-Major HTML reserved characters not supported as part of SAML RelayState
513098-3 3-Major localdb_mysql_restore.sh failed with exit code
481203-4 3-Major User name case sensitivity issue
476133-4 3-Major In APM OAM authentication, ObSSOCookie _lastUseTime was not updated.
492238-3 3-Major When logging out of Office 365 TMM may restart
477898-5 3-Major Some strings on BIG-IP APM EDGE Client User Interface were not localized
510709-6 3-Major WebSSO start URI match fails if there are more than 2 start URIs in the SSO configuration.
494565-1 3-Major CSS patcher crashes when a quoted value consists of spaces only
464313-1 3-Major Dynamically created HTML forms may be handled incorrectly
471125-4 3-Major Fixed issue causing EdgeClient to work improperly behind environment with CaptivePortal.
496817-4 3-Major Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy
480761-4 3-Major Fixed issue causing TunnelServer to crash during reconnect
491233-5 3-Major Rare deadlock in CustomDialer component
494088-1 3-Major APD or APMD should not assert when it can do more by logging error message before exiting.
403991-4 3-Major Proxy.pac file larger than 32 KB is not supported
489382-3 3-Major Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
432900-3 3-Major APM configurations can fail to load on newly-installed systems
482710-7 3-Major SSLv3 protocol disabled in APM clients
500088-5 3-Major OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update
437744-2 3-Major SAML SP service metadata exported from APM may fail to import.
452464-2 3-Major iClient does not handle multiple messages in one payload.
464992-3 3-Major Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
475682-3 3-Major APM OAM should be sending a single Cookie header with the cookies delimited by semi-colon.
458167-2 3-Major Improve logging and error code checks for EAM / OAM component
461189-2 3-Major Generated assertion contains HEX-encoded attributes
475338-1 3-Major Webtop customization done to the ACL deny page with Advanced Customization is not visible
435383-2 3-Major Incorrect MCPD validation while deleting an accessgate configuration in aaa oam
442528-6 3-Major Demangle filter crash
476038-5 3-Major Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
499427-3 3-Major Windows File Check does not work if the filename starts with an ampersand
482260-1 3-Major Location of Captive portal configuration registry entry in 64 bit windows is incorrect
511441-1 3-Major Memory leak on request Cookie header longer than 1024 bytes
505755-1 3-Major Some scripts on a dynamically loaded HTML page might not be executed.
446207-3 3-Major "state" value of software check result session variables never gets updated
517441-2 3-Major apd may crash when RADIUS accounting message is greater than 2K
463651-2 3-Major PPP tunnels remain open after session gets closed
440290-5 3-Major Fluctuating Sync messages when Policy sync is triggered
412138-1 3-Major If a resource with ACL order 0 is used by a profile that has been exported, the profile cannot be imported back
414370-4 3-Major ACCESS::disable and ASM may send TCP reset
433847-4 3-Major APD crashes with a segmentation fault.
478751-3 3-Major OAM10g form based AuthN is not working for a single/multiple domain.
442598-4 3-Major Traffic cannot pass through a tunnel after the Edge client is switched to DTLS from TLS
502441-2 3-Major Network Access connection might reset for large proxy.pac files.
463776-1 3-Major VMware View client freezes when APM PCoIP is used and user authentication fails against VCS 5.3
481046-1 3-Major F5_Inflate_text(o, incr, v) wrapper need to be fixed for case when o is script tag
490811-2 3-Major Proxy configuration might not be restored correctly in some rare cases
422527-2 3-Major innerHTML property improperly patched for SCRIPT and STYLE tags in input
495265-5 3-Major SAML IdP and SP configured in same access profile not supported
421215-5 3-Major "Error to launch inspector" error on 64-bit Linux
457902-4 3-Major No EAM- log stacktrace in /var/log/apm on EAM crash event.
469824-5 3-Major Mac Edge client on Mac mini receives settings for iOS Edge Client
485948-3 3-Major Machine Info Agent should have a fallback branch
428387-5 3-Major SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
520205-1 3-Major Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
481257-2 3-Major Information on "OPSWAT Integration Libraries V3" is missing from CTU report
495336-2 3-Major Logon page is not displayed correctly when 'force password change' is on for local users.
437743-2 3-Major Import of Access Profile config that contains ssl-cert is failing
438730-2 3-Major DNS Filtering driver causes crash/BSOD
432336-2 3-Major Window.postMessage() rewriting for Internet Explorer browsers
471714-4 3-Major Certain SMTP servers (Windows) do not receive complete email due to missing CRLF header terminator in Emails generated by APM Email agent.
416949-3 3-Major When user logs into Citrix resource on APM Webtop, and has no Citrix apps assigned to him, "Logon Failed" is displayed in the dialog caption
483286-4 3-Major APM MySQL database full as log_session_details table keeps growing
490675-4 3-Major User name with leading or trailing spaces creates problems.
516839-6 3-Major Add client type detection for Microsoft Edge browser
487170-4 3-Major Enhanced support for proxy servers that resolve to multiple IP addresses
435682-5 3-Major eamtest tool may fail while checking if the requested resource is protected due to exception thrown by SDK.
494284-5 3-Major Mac Edge Client with primary language of German shows unneeded text under disconnected status.
431810-1 3-Major APMD process core due to missing exception handling in execute agents
466898-1 3-Major JavaScript may see incorrect value for form action.
507116-4 3-Major Web-application issues and/or unexpected exceptions.
519415-1 3-Major apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )
464748-1 3-Major A cookie with an empty or incorrect expires field causes a JavaScript failure.
439977-6 3-Major apd crash in AD module
423483-3 3-Major Edge Client incorrectly resolves APM hostname while reconnecting
499620-2 3-Major BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
426623-4 3-Major Proxy auto-config (PAC) file isn't applied sometimes.
484582-5 3-Major APM Portal Access is inaccessible.
521773 3-Major Memory leak in Portal Access
495319-6 3-Major Connecting to FP with APM edge client is causing corporate network to be inaccessible
429680-2 3-Major Incorrect handling of responses with binary content and HTTP Refresh header
457760-2 3-Major EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
454086-3 3-Major Portal Access issues with Firefox version 26.0.0 or later
439330-6 3-Major Javascript: getAttribute() returns mangled event handlers
481663-2 3-Major Disable isession control channel on demand.
452625-5 3-Major Edge Client unable to automatically retrieve the RSA SecurID software token.
492153-4 3-Major Edge Client shuts down the DTLS channel if the state of the IP address on the adapter used to build the tunnel changes to deprecated.
498782-6 3-Major Config snapshots are deleted when failover happens
451083-4 3-Major Citrix Wyse clients when working with StoreFront in integration mode
472099-6 3-Major DisableCaptivePortalDetection registry key doesn't work in some cases
441631-4 3-Major WebSSO may take 100% if a new instance is started manually
422196-3 3-Major FEC functionality may not take effect due to certain config change.
422948-3 3-Major APD does not trigger Apply Access Policy when rule expression is changed in macro
454370-2 3-Major Policy Sync Status messages become unordered
501498-5 3-Major APM CTU doesn't pick up logs for Machine Certificate Service
470414-1 3-Major Portal Access rewrite daemon may crash while processing some Flash files
494637-4 3-Major localdbmgr process in constant restart/core loop
468478-2 3-Major APM Portal Access becomes unresponsive.
509758-5 3-Major EdgeClient shows incorrect warning message about session expiration
475262-4 3-Major In some cases Edge Client for Windows does not re-resolve server hostname while reconnecting
465346 3-Major APD may crash while updating cache for Active Directory module
471421-1 3-Major Ram cache evictions spikes with change of access policy leading to slow webtop rendering
503319-6 3-Major After network access is established, the browser sometimes receives a truncated proxy.pac file
427830-4 3-Major Proxy Auto-config (PAC) download error now is treated as critical error for Network Access.
337178-6 3-Major EdgeClient doesn't fallback from DTLS to TLS when http-proxy is used
468441-1 3-Major OWA2013 may work incorrectly via Portal Access in IE10/11
439461-1 3-Major Citrix Receiver for Linux is unable to receive full applications list.
474730-2 3-Major Incorrect handling of form if it contains a tag with id=action
482251-1 3-Major Portal Access. Location.href(url) support.
483792-2 3-Major when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
466745-1 3-Major Cannot set the value of a session variable with a leading hyphen.
473386-7 3-Major Improved Machine Certificate Checker matching criteria for FQDN case
452416-4 3-Major tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
468465-1 3-Major OWA2013 may work incorrectly via Portal Access in IE10/11
423282-5 3-Major BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
469100-2 3-Major JavaScript index expressions with a comma are not properly rewritten
441355-4 3-Major Enable change password within vmview client when password doesn't meet the AD policy requirements
464159-3 3-Major JavaScript: submit() method without explicit object
520642-1 3-Major Rewrite plugin should check length of Flash files and tags
423007-2 3-Major The .toString() function could return mangled source for inline event handler.
508719-2 3-Major APM logon page missing title
468433-1 3-Major OWA2013 may work incorrectly via Portal Access in IE10/11
523329-1 3-Major When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart under certain conditions.
477547-2 3-Major Resource Assign Agent shows javascript error
475163-2 3-Major Submitting an HTML form that does not have an action attribute results in a 404 error and 'null' in the request URL.
498469-7 3-Major Mac Edge Client fails intermittently with machine certificate inspection
436201-2 3-Major JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
484847-5 3-Major DTLS cannot be disabled on Edge Client for troubleshooting purposes
480242-3 3-Major APD, APMD, MCPD communication error failure now reported with error code
473344-3 3-Major Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
471825-5 3-Major Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.
508630-6 3-Major The APM client does not clean up DNS search suffixes correctly in some cases
474757-6 3-Major Update openssl to 1.0.1i
421542-4 3-Major Supported Internet Explorer minor deviation in javascript syntax
462481-4 3-Major Missing exception handling in APM OAM authentication during SDK calls
418850-4 3-Major Do not restrict AD to be the last auth agent for View Client
475360-3 3-Major Edge client remembers specific virtual server URI after it is redirected
480247-2 3-Major Modifying edge client application folder causes gatekeeper to throw warning
478115-2 3-Major The action attribute value of a form HTML tag is not properly rewritten in the Minimal Content Rewriting mode when it starts with "/"
490681-4 3-Major Memcache entry for dynamic user leaks
482269-4 3-Major APM support for Windows 10 out-of-the-box detection
497436-6 3-Major Mac Edge Client behaves erratically while establishing network access connection
433972-5 3-Major New Event dialog widget is shifted to the left and Description field does not have action widget
438613-2 3-Major Virtual server created using Portal Access Device Wizard does not reflect changes correctly
462258-2 3-Major AD/LDAP server connection failures might cause apd to stop processing requests when service is restored
473728-8 3-Major Incorrect HTML form handling.
477642-2 3-Major Portal Access rewriting leads to page reload in Firefox
476032-4 3-Major BIG-IP Edge Client may hang for some time when disconnecting from Firepass server
486597-5 3-Major Fixed Network Access renegotiation procedure
512245-3 3-Major Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
431149-3 3-Major APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
513165-3 3-Major SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute
523222-2 3-Major Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
424936-2 3-Major apm_mobile_ppc.css has duplicate 1st line
474779-4 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
513953-3 3-Major RADIUS Auth/Acct might fail if server response size is more than 2K
422409-1 3-Major Rare issue causing TunnelServer to crash after hibernate
486268-4 3-Major APM logon page missing title
481020-4 3-Major Traffic does not flow through VPN tunnel in environments where the proxy server is load balanced
425377-1 3-Major Proxy server might cause EdgeClient to detect captive portal that does not exist
439849-2 4-Minor Portal Access: Exchange 2003 Outlook Web Access, JS error on inbox
464547-2 4-Minor Show proper error message when VMware View client sends invalid credentials to APM
465012-2 4-Minor Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
478658-3 4-Minor Window.postMessage() does not send objects
482134-4 4-Minor APD and APMD cores during shutdown.
510459-3 4-Minor In some cases Access does not redirect client requests
432423-2 4-Minor Need proactive alerts for APM license usage
436489-2 4-Minor Session variables defined within the "Relay State" parameter of an SP initiated SSO session may fail.
454784-4 4-Minor In the VPE, %xx symbols in agents such as the variable assign agent might be invalidly decoded.
489364-5 4-Minor Now web VPN client correctly minimizes IE window to tray
461560-4 4-Minor Edge client CTU report does not contain interface MTU value
460427-5 4-Minor Address collision reported when the Primary blade goes down or its TMM crashes in a chassis IntraCluster environment.
466797-3 4-Minor Added warning message when maximum session timeout is reached
451118-6 4-Minor Fixed mistakes in French localization
451213-4 4-Minor Logs do not distinguish between static and dynamic ip allocation.
480360-1 4-Minor Edge Client for Mac blocks textexpander application's functionality
430680-5 5-Cosmetic Wrong expression is generated for Weekend template for "Date Time" item in VPE
493385-3 5-Cosmetic BIG-IP Edge Client uses generic icon set even if F5 icon set is configured


WebAccelerator Fixes

ID Number Severity Description
514785-6 1-Blocking TMM crash when processing AAM-optimized video URLs
430488-1 2-Critical Core in WAM plugin handling a POST with huge content
486346-4 2-Critical Prevent wamd shutdown cores
517551-1 3-Major Assembly Can Create Response Stalls
511534-5 3-Major A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.
506315-1 3-Major WAM/AAM is honoring OWS age header when not honoring OWS maxage.
476476 3-Major Occasional inability to cache optimized PDFs and images
459851-5 3-Major Connection aborted when using GET request If-Match header in Policy Node with No-Proxy(request)/Always_Proxy(response) setting.
421791-3 3-Major Out of Memory Error
384072-2 3-Major Authorization requests not being cached when allowed.
420837-2 3-Major AAM can duplicate http headers under certain circumstances
423805-2 3-Major WAM may not send Etag for content it serves from cache
467633-1 3-Major WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)
476460-3 3-Major WAM Range HTTP header limited to 8 ranges
439904-1 3-Major Wamd crashed after command 'tmsh restart sys service mcpd'
488917-3 4-Minor Potentially confusing wamd shutdown error messages


Wan Optimization Manager Fixes

ID Number Severity Description
479889-2 1-Blocking Memory leaks when iSession and iControl are configured
461216-1 2-Critical Cannot rename some files using CIFS optimization of the BIG-IP system.
457568-3 3-Major Loading of configuration fails intermittently due to WOC Plug-in-related issues.
480305-4 4-Minor tmm log flood: isession_handle_evt: bad transition:7


Service Provider Fixes

ID Number Severity Description
516057-1 2-Critical Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
428631 2-Critical DWR and the Diameter profile's rewrite attributes
476886-1 3-Major When ICAP cuts off request payload, OneConnect does not drop the connection
450055-3 3-Major SSL termination with responseadapt causes early client shutdown
464116-2 3-Major HTTP responses are not cached when response-adapt is applied
480311-5 3-Major ADAPT should be able to work with OneConnect
503676-1 3-Major SIP REFER, INFO, and UPDATE requests do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
499701-4 3-Major SIP Filter drops UDP flow when ingressq len limit is reached.
448493-1 3-Major SIP response from the server to the client gets dropped
452440-2 3-Major TMM CPU/Memory utilization increases when using call-id persistence
500365 3-Major TMM Core as SIP hudnode leaks


Advanced Firewall Manager Fixes

ID Number Severity Description
442535-1 3-Major Time zone changes do not apply to log timestamps without tmm restart


Policy Enforcement Manager Fixes

ID Number Severity Description
485176-1 3-Major RADIUS::avp replace command cores TMM when only two arguments are passed to it


Carrier-Grade NAT Fixes

ID Number Severity Description
468388-6 2-Critical Connection flows leak when service provider DAG is configured and/or under-provisioned LSN pools are configured


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514236-4 3-Major [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses
447061-1 3-Major DNS Listeners Properties display issues

 

Cumulative fix details for BIG-IP v11.4.1 Hotfix 9 that are included in this release

534630-1 : Upgrade BIND to address CVE 2015-5477

Component: TMOS

Symptoms:
See SOL https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html for complete information. BIND will issue a REQUIRE assert and exit under certain conditions. It will automatically be restarted by bigstart.

Conditions:
A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.

Impact:
DNS resolutions that are answered by the on-box BIND server may be interrupted.

Workaround:
Please see F5 Solution SOL16909.

Fix:
BIND was upgraded, which addresses this vulnerability. F5 is less vulnerable than the industry rating due to system design.


530744 : kernel.ntp: livelock in leapsecond insertion :: watchdog reboots

Component: TMOS

Symptoms:
On rare occasions systems hang due to leap-second livelock. As a result of this issue, you may encounter one or more of the following symptoms:
-- The BIG-IP system fails to process traffic for a brief period of time.
-- The BIG-IP system fails over to another host in the device group.
-- Error messages similar to the following example may appear in the /var/log/daemon.log file:
notice ntpd[6789]: kernel time sync enabled
-- Error messages similar to the following example appear in the /var/log/ltm file:
notice boot_marker : ---===[ MD1.2 - BIG-IP 11.3.0 Build 3158.21 ]===---
chmand[6586]: 012a0005:5: CPLD indicates prior Host CPU subsystem reset
chmand[6587]: 012a0005:5: Host CPU subsystem reset - PCI reset asserted
chmand[6588]: 012a0005:5: Host CPU subsystem reset caused by a Southbridge system reset
chmand[6589]: 012a0004:4: Host CPU subsystem reset caused by *** Super I/O watchdog timeout ***

Conditions:
During the 24-hour window leading up to a leap second event, a Red Hat kernel livelock condition may occur. As a result, the BIG-IP hardware watchdog triggers a reboot to allow the system to recover. This occurs due to the Red Hat kernel-based livelock condition referenced by the following link: https://rhn.redhat.com/errata/RHBA-2012-1198.html

Impact:
BIG-IP system will restart.

Workaround:
Once affected, running this command resets the clock and eliminates the issue: date -s "$( date )". You can read more about this issue in SOL16839: The BIG-IP system may reboot when configured to synchronize its clock with an NTP server, available here https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16839.html, and on the Redhat site, here: https://access.redhat.com/solutions/154713.

Fix:
The issue resulting from NTP inserting the leap second has been resolved.


526578-3 : Network Access client proxy settings are not applied on German Windows

Component: Access Policy Manager

Symptoms:
Network Access client proxy settings are not applied on German Windows with Internet Explorer 10 under obscure conditions. If APM address is not in the Trusted Sites List, then this issue has good reproducibility. Windows shows empty fields in proxy settings UI of Internet Explorer.

Conditions:
Client machine has Windows with German localization. Client machine has Internet Explorer 10. APM is not in trusted sites list or other obscure conditions.

Impact:
Network Access works in unexpected way: client ignores proxy settings.

Workaround:
Run IE as administrator, or update to IE11.

Fix:
Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer.


524545 : Generate HF roll-up images for Virtual Edition platforms.

Component: TMOS

Symptoms:
Release HF roll-up images for Virtual Edition.

Conditions:
Building images for Virtual Edition.

Impact:
Release HF roll-up images for Virtual Edition.

Workaround:

Fix:
Starting to release HF roll-up images for Virtual Edition.


523832 : Import of FIPS key from a local FIPS exported key file (.exp) fails via TMSH

Component: Local Traffic Manager

Symptoms:
The following TMSH command fails: tmsh install sys crypto key <keyname> from-local-file <FIPS-exp-keyfile> security-type fips

Conditions:
Install a FIPS exported key using TMSH on a FIPS-platform.

Impact:
Failure to install FIPS exported key files on a BIG-IP system.

Workaround:
None.

Fix:
Install of FIPS exported key files now works correctly via TMSH.


523329-1 : When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart under certain conditions.

Component: Access Policy Manager

Symptoms:
TMM may restart

Conditions:
- BIG-IP is used as IdP.
- Client or Service Provider sends a number of specific invalid requests to BIG-IP.

Impact:
TMM is not available while restarting

Workaround:

Fix:
Issue where TMM would restart as a result of invalid user request is now fixed.


523222-2 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

Component: Access Policy Manager

Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending. If an access policy has Redirect ending, the Citrix HTML5 client will fail to start with HTTP 400 error.

Conditions:
Citrix Storefront configured in integration mode through APM.

Impact:
HTML5 client not usable for this sort of integration

Workaround:

Fix:
Fixed Citrix HTML5 handling code so that it works fine with the Redirect endings in access policies.


523032-3 : qemu-kvm VENOM vulnerability CVE-2015-3456

Component: TMOS

Symptoms:
A vCMP hosted guest may be able to execute code in the context of the vCMP host hypervisor.

Conditions:
An attacker with root access on a vCMP guest may be able to crash the guest instance and/or execute code in the context of the vCMP hypervisor.

Impact:
An attacker in a vCMP guest can crash the guest system and/or execute code in the context of the hypervisor.

Workaround:
None.

Fix:
Integrated fixes to resolve CVE-2015-3456.


521773 : Memory leak in Portal Access

Component: Access Policy Manager

Symptoms:
Memory consumption of "rewrite.*" processes grows constantly. On a manually taken core file, the result of the following command is large (more than 100000): zcat <core-file.gz> | strings -n 15 | grep "^/f5-w-" | wc -l

Conditions:
Memory leaks in cases where POST request content could be modified by Portal Access (for example, XML).

Impact:
Rewrite processes may use all available memory on the box and then cause 'Out of memory' condition and failover.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed a memory leak of request URLs in the rewrite plug-in.


521548-3 : Possible crash in SPDY

Component: Local Traffic Manager

Symptoms:
In very rare circumstances related to SPDY protocol handling together with a compression profile a crash may occur.

Conditions:
This is very rare and the exact circumstances are unclear. It involves SPDY, a compression profile, a congested client connection, and a stream being reset by the browser (using a RST_STREAM frame).

Impact:
Very rarely a crash may occur.

Workaround:
Don't apply the compression profile.

Fix:
A sporadic crash when using SPDY together with a compression profile no longer occurs.


520642-1 : Rewrite plugin should check length of Flash files and tags

Component: Access Policy Manager

Symptoms:
Portal Access Flash patcher could crash or apply incorrect modifications on some malformed Flash files.

Conditions:
This occurs when a Flash file is truncated or contains incorrect length value in file or tag headers.

Impact:
It may cause a crash and restart of Portal Access services.

Workaround:

Fix:
Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.


520540-3 : HTTP Basic authentication may cause the TMM to crash if the header is too large

Component: Local Traffic Manager

Symptoms:
Accessing the information within an HTTP Authorization header via HTTP::username, HTTP::password (or another method) may cause the TMM to crash if the header is too large.

Conditions:
An overlarge Authorization HTTP header, together with an iRule that accesses it via the HTTP::username or HTTP::password commands, or via the sflow feature.

Impact:
The TMM will crash.

Workaround:
One possible workaround is to manually truncate the HTTP Authorization header with an iRule.

Fix:
Overlarge HTTP Authorization headers will no longer cause the TMM to crash if they are inspected via the HTTP::username, HTTP::password iRule commands, or via the sflow feature.


520205-1 : Rewrite plugin could crash on malformed ActionScript 3 block in Flash file

Component: Access Policy Manager

Symptoms:
The rewrite plugin crashes. The following log message is in the log: ../fm_patchers/abc/abcScanner.cpp:70: void abc::abcScanner::has(size_t): Assertion `GetRemaining() >= (ssize_t)l' failed.

Conditions:
Input file is truncated or contains invalid bytecode instructions at the end of doabc/doabcdefine tag.

Impact:
Portal Access services restart.

Workaround:

Fix:
Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.


519877-4 : External pluggable module interfaces not disabled correctly.

Component: TMOS

Symptoms:
External pluggable module interface may show link UP status, when administratively disabled.

Conditions:
Disable any external pluggable module interface that is connected to an enabled peer interface.

Impact:
Disabled external pluggable module interface may link UP and potentially pass traffic.

Workaround:

Fix:
Software fix prevents disabled external pluggable module interface from being re-enabled, as a result of periodic linkscan operations.


519864-1 : Memory leak on L7 Dynamic ACL

Component: Access Policy Manager

Symptoms:
There is a memory leak in Dynamic ACL with regard to HTTP-related configuration, such as the HTTP host name and HTTP URI path in an ACL entry. The leak occurs for every session, as these entries are generated on a per-session basis.

Conditions:
Use L7 Dynamic ACL

Impact:
Memory usage slowly increases and causes instability in the overall system.

Workaround:
Use static ACL whenever possible.

Fix:
L7 Dynamic ACL is no longer leaking memory.


519415-1 : APM Network Access tunnel ephemeral listeners ignore iRules (related-rules from the main virtual server)

Component: Access Policy Manager

Symptoms:
If a customer wants to change timeout values for server-side initiated flows inside Network Access tunnels, ephemeral listeners ignore iRules. There seems to be a workaround for this through tmsh (not the UI): attach iRules (related-rules) to the main virtual server so that they run on the ephemeral listeners. (These ephemeral listeners are created by Network Access tunnels for lease-pool IPs.) The command for this is, for example: tmsh modify ltm virtual vs_dtls related-rules { idle_time }. The problem was that APM Network Access ignored the related-rules on the main virtual server, so the rules were not triggered.

Conditions:
APM Network access use case.

Impact:
Related rules on the main virtual server are not applied to ephemeral listeners (these ephemeral listeners are created by Network Access tunnels for lease-pool IPs).

Workaround:
None.

Fix:
iRules are now executed on ephemeral listeners.


519217-1 : tmm crash: valid proxy

Component: Local Traffic Manager

Symptoms:
tmm might crash in extremely rare circumstances when a virtual server is used during an update. Standard process is for virtual servers to be unavailable until the configuration update is complete; there are extremely rare circumstances when it is possible for a connection to use a virtual server before it is ready.

Conditions:
This requires that traffic is running during a configuration update, including a config sync from an HA peer. There must be a virtual server or configuration that uses a second virtual server while traffic is running: these include vip-on-vip using iRules and WAM prefetch, but might include other internal conditions.

Impact:
Traffic disruption, possible failover to another device if HA is configured. If using keepalive or other means to keep the connection alive, then a long amount of time might pass between the creation of the invalid flow and any impact from the error.

Workaround:
None.

Fix:
If a virtual server is used during an update (that is, before the virtual server is ready), an error message is now posted to tmm log files, and a small amount of memory is used each time this message is logged.


519081 : Cannot use tmsh to load valid configuration created using the GUI.

Component: TMOS

Symptoms:
Cannot use tmsh to load a valid configuration created using the GUI.

Conditions:
This occurs with the following configuration:
1) Configure a server with :* members.
2) Configure a member-specific gateway-icmp monitor for the :* member.
3) Assign any L4/7 monitor at the server level (http/tcp, etc., with the default '*:*' destination in the monitor).

Impact:
Although the configuration is valid, it fails to load with error: err iqsyncer[16456]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237538 result_message '01070622:3: The monitor /Common/fidelity-tcp-half has a wildcard destination service and cannot be associated with a node that has a zero service.' }

Workaround:
Remove the parent TCP monitor.

Fix:
The server configuration of :* members now loads without error using tmsh.


518260-2 : Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message

Component: Access Policy Manager

Symptoms:
The NTLMSSP_TARGET_INFO flag is not set on the NTLMSSP_CHALLENGE message generated by ECA, although the Target Info attribute itself is included. Certain NTLM clients may ignore the target info attribute due to this issue and fall back to NTLMv1 authentication. With the Active Directory default configuration this is not an issue. However, if the customer has specifically required NTLMv2 in their policy, authentication never succeeds due to the protocol mismatch.

Conditions:
Customer has specifically required NTLMv2 and denied NTLMv1 in their Active Directory policy.

Impact:
Users cannot authenticate.

Workaround:

Fix:
NTLM clients that depend on the NTLMSSP_TARGET_INFO flag can now complete NTLM authentication using the NTLMv2 protocol.
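As an added example (not F5 code), the Python below parses an NTLMSSP CHALLENGE_MESSAGE using the field layout and constants from MS-NLMP (not from this release note) and reports the inconsistency this fix describes: a TargetInfo payload that is present while NTLMSSP_NEGOTIATE_TARGET_INFO is clear. The sample messages are constructed by the block itself, not captured.

```python
import struct

# NTLM CHALLENGE_MESSAGE layout and constants from MS-NLMP (sections 2.2.1.2,
# 2.2.2.1 and 2.2.2.5); none of these values come from the release note.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 0x00000002
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000  # "TargetInfo field is present"
MSV_AV_EOL = 0x0000
MSV_AV_NB_DOMAIN_NAME = 0x0002
MSV_AV_DNS_DOMAIN_NAME = 0x0004
FIXED_HEADER_LEN = 48   # up to and including TargetInfoFields
VERSION_FIELD_LEN = 8   # Version field that precedes the payload

BASE_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
              | NTLMSSP_TARGET_TYPE_DOMAIN
              | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)

# Constructed AV_PAIR list for the samples (not a captured message).
SAMPLE_AV_PAIRS = [
    (MSV_AV_NB_DOMAIN_NAME, "CORP".encode("utf-16-le")),
    (MSV_AV_DNS_DOMAIN_NAME, "corp.example".encode("utf-16-le")),
]


def parse_av_pairs(blob: bytes) -> list:
    """Decode AV_PAIRs (AvId, AvLen, Value) up to MsvAvEOL."""
    pairs, pos = [], 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        if pos + av_len > len(blob):
            raise ValueError("AV_PAIR runs past end of TargetInfo")
        pairs.append((av_id, blob[pos:pos + av_len]))
        pos += av_len
    return pairs


def parse_challenge(msg: bytes) -> dict:
    """Extract the fields needed to compare the flags against the payload."""
    if len(msg) < FIXED_HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_MESSAGE:
        raise ValueError("not a CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        raise ValueError("payload field points outside the message")
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    target_info = msg[ti_off:ti_off + ti_len]
    return {
        "flags": flags,
        "target_name": msg[tn_off:tn_off + tn_len].decode(enc),
        "server_challenge": msg[24:32],
        "target_info": target_info,
        "av_pairs": parse_av_pairs(target_info),
    }


def check_target_info_flag(msg: bytes) -> list:
    """Return findings when the TARGET_INFO flag and the payload disagree."""
    c = parse_challenge(msg)
    flag_set = bool(c["flags"] & NTLMSSP_NEGOTIATE_TARGET_INFO)
    has_info = len(c["av_pairs"]) > 0
    findings = []
    if has_info and not flag_set:
        # The condition this fix describes: a client that trusts the flag rather
        # than the length field ignores TargetInfo and may fall back to NTLMv1,
        # which a domain policy requiring NTLMv2 then rejects.
        findings.append("TargetInfo present but NTLMSSP_NEGOTIATE_TARGET_INFO not set")
    if flag_set and not has_info:
        findings.append("NTLMSSP_NEGOTIATE_TARGET_INFO set but TargetInfo is empty")
    return findings


def build_challenge(flags: int, target_name: str, av_pairs: list) -> bytes:
    """Assemble a minimal CHALLENGE_MESSAGE for testing (constructed data)."""
    payload_off = FIXED_HEADER_LEN + VERSION_FIELD_LEN
    name = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs)
    info += struct.pack("<HH", MSV_AV_EOL, 0)
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), payload_off)
    msg += struct.pack("<I", flags)
    msg += b"\x11" * 8                      # constructed ServerChallenge
    msg += bytes(8)                         # Reserved
    msg += struct.pack("<HHI", len(info), len(info), payload_off + len(name))
    msg += bytes(VERSION_FIELD_LEN)         # Version (zeroed; VERSION flag not set)
    return msg + name + info
```

Running `check_target_info_flag` over a server's CHALLENGE messages (for example from a packet capture) shows whether the flag is missing before clients start failing NTLMv2 authentication.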


518020-7 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
Improperly formatted HTTP connection through BIG-IP may cause the connection to hang and eventually timeout.

Conditions:
If the HTTP version token in the request is improperly crafted, BIG-IP treats the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling and is not passed to the backend server. If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as HTTP 1.1, and both servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend server times out the connection a few seconds later. F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel, for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations:
1) An iRule that drops the connection after a specified amount of idle time.
2) An iRule that validates the request line and fixes it.
3) Tuning of profile timeouts.
4) ASM prevents this issue.

Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.
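An added example, not F5 code and not the BIG-IP parser: the Python below separates a genuine HTTP/0.9 simple-request from a request line whose version token is malformed, using the RFC 7230 request-line grammar as the reference, and models how a parser that folds the second case into the first forwards only the request line and holds back the headers, which is the stall described above. The request bytes are constructed.

```python
import re

# Request-line grammar from RFC 7230 section 3.1.1, used here as the reference
# (the BIG-IP parser itself is not reproduced):
#   request-line = method SP request-target SP HTTP-version CRLF
#   HTTP-version = "HTTP/" DIGIT "." DIGIT
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_STRICT_LINE = re.compile(
    rb"\A(?P<method>" + _TOKEN + rb") (?P<target>[^ \t]+) "
    rb"HTTP/(?P<major>[0-9])\.(?P<minor>[0-9])\Z"
)

# Constructed sample: a complete-looking request whose version token is not
# "HTTP/" DIGIT "." DIGIT.  Not captured traffic.
MALFORMED_REQUEST = b"GET / HTTP/1.x\r\nHost: example.test\r\n\r\n"


def parse_request_line(line: bytes) -> dict:
    """Classify one request line (CRLF already stripped).

    verdict is one of:
      'ok'        - method SP target SP HTTP/D.D
      'http09'    - genuine HTTP/0.9 simple-request: method SP target, no version
      'malformed' - a version token is present but does not match the grammar
    Keeping 'http09' and 'malformed' apart is the point: a parser that folds
    the second into the first produces the hang described in this entry.
    """
    parts = line.split(b" ")
    if len(parts) == 2 and re.fullmatch(_TOKEN, parts[0]):
        return {"verdict": "http09", "version": (0, 9)}
    m = _STRICT_LINE.fullmatch(line)
    if m is None:
        return {"verdict": "malformed", "version": None}
    return {"verdict": "ok", "version": (int(m["major"]), int(m["minor"]))}


def forward_decision(buf: bytes, lenient: bool):
    """Model what a proxy forwards for one request buffer.

    Returns (action, forwarded, held_back).  lenient=True models a parser that
    reinterprets an unrecognised version token as HTTP/0.9: only the first line
    is forwarded and the headers are held as if they were a pipelined request,
    so an HTTP/1.1 origin keeps waiting for Host and the final CRLF.
    lenient=False rejects the malformed line instead of reinterpreting it.
    """
    line, sep, rest = buf.partition(b"\r\n")
    info = parse_request_line(line)
    if info["verdict"] == "ok":
        return ("forward", buf, b"")          # whole request reaches the origin
    if info["verdict"] == "http09":
        return ("forward", line + sep, rest)  # 0.9 has no headers; rest is next request
    if lenient:
        return ("forward", line + sep, rest)  # the stall: headers never reach the origin
    return ("reject", b"", buf)               # answer locally; forward nothing


if __name__ == "__main__":
    for mode in (True, False):
        action, sent, held = forward_decision(MALFORMED_REQUEST, lenient=mode)
        print(f"lenient={mode}: {action}, sent={sent!r}, held={held!r}")
```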


517556-1 : DNSSEC unsigned referral response is improperly formatted

Component: Local Traffic Manager

Symptoms:
When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. Type bitmap should contain an NS type.

Conditions:
DNSSEC processing an unsigned referral response from DNS server.

Impact:
DNSSEC referral response is not RFC compliant.

Workaround:
None.

Fix:
NS type added to NSEC3 type bitmap, so that DNSSEC unsigned referral response is properly formatted.


517551-1 : Assembly Can Create Response Stalls

Component: WebAccelerator

Symptoms:
In some rare cases, if a document is "assembled", it can stall, giving little or no response to the client.

Conditions:
The original document has to be smaller than the small object cache size limit, but grow to be larger than the small object cache size limit during assembly. In rare cases, this can cause the document to be unservable.

Impact:
Requests for that document will result in client timeouts.

Workaround:
Create a policy node for that specific document, and set to "proxy always."

Fix:
The fix corrects a miscalculation, allowing the document to be written to the metastor cache and served to the requesting client.


517441-2 : apd may crash when RADIUS accounting message is greater than 2K

Component: Access Policy Manager

Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are a lot of attributes with total size greater than 2K, apd may crash.

Conditions:
RADIUS Acct agent is configured and an AP produces numerous attributes in the RADIUS Acct request.

Impact:
Service becomes unavailable while the apd process restarts.

Workaround:

Fix:
The maximum size of a RADIUS packet is now set to 4K (RFC 2865). If the total size of the attributes is greater than 4K, the packet is truncated to 4K.


517083-4 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching. As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with Virtual Servers that were originally specified on a pre-folder-aware version of BIG-IP, such as 10.2.x. When they are discovered by a folder-aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool. This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


516839-6 : Add client type detection for Microsoft Edge browser

Component: Access Policy Manager

Symptoms:
Microsoft Edge browser cannot be detected by Client Type action item agent in access policy.

Conditions:
Microsoft Edge browser, Client Type action item agent in access policy on BIG-IP APM.

Impact:
Microsoft Edge browser is not detected by Client Type action item and the webtop might not display properly or might display resources that are not supported.

Workaround:

Fix:
Improvement: Microsoft Edge browser is now detected properly and only supported resources are shown on the webtop now. All components that require ActiveX are not supported.


516320 : TMM may have a CPU spike if match across persistence is used.

Component: Local Traffic Manager

Symptoms:
TMM may have a CPU spike. A few (very few) connections may fail.

Conditions:
1) Match across persistence is used.
2) A long idle timeout makes the symptom worse.
3) Persist HA makes the symptom worse.

Impact:
TMM may have a CPU spike. A few (very few) connections may fail.

Workaround:
Avoid using match across persistence.

Fix:
Match across persistence no longer causes CPU spike.


516057-1 : Assertion 'valid proxy' can occur after a configuration change with active IVS flows.

Component: Service Provider

Symptoms:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash. If there are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.

Conditions:
1. Active flows exist on an internal virtual server (IVS). This is necessary to trigger the assertion.
2. A configuration update or sync affecting that IVS is in progress.
3. A new connection is initiated to that IVS during the update.

Impact:
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.

Workaround:
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.

Fix:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.


515797-4 : Using qos_score command in RULE_INIT event causes TMM crash

Component: Global Traffic Manager

Symptoms:
TMM crashes when the iRule with qos_score command in RULE_INIT event is added to a wide IP.

Conditions:
Configured iRule with qos_score command in RULE_INIT event that is added to a wide IP.

Impact:
TMM crashes.

Workaround:
Mitigation: Do not use qos_score command in RULE_INIT event.

Fix:
qos_score command is disallowed in RULE_INIT event.


515759-6 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time

Component: Local Traffic Manager

Symptoms:
tmm memory growth over time.

Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANs in a VLAN allow or VLAN deny list.

Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.

Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configuration changes to Self-IPs, virtual servers, NATs, SNATs and LSNs.

Fix:
Configuration objects with more than four VLANs in the VLAN list no longer cause memory utilization to increase over time.


515072-1 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased

Component: Local Traffic Manager

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.

Fix:
A pool member is now made eligible for load balancing when it is no longer connection limited after its connection limit is modified.


515033-2 : [ZRD] A memory leak in zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh, there is a small memory leak in zrd. Although this memory leak is small for any one change, it could be noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias create/update operations.

Workaround:
If the zrd memory usage is negatively impacting system performance, you can restart zrd and clear out the memory usage by running the command: bigstart restart zrd.

Fix:
Memory no longer leaks for zrd when performing wide IP alias updating.


515030-3 : [ZRD] A memory leak in zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing multiple wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh there is a small memory leak in zrd. This memory leak is not significant for any one change, but it might become noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias updates.

Workaround:
Although there is no workaround, you can mitigate potential system performance impacts by restarting zrd, which clears out the memory usage. To do so, run the command: bigstart restart zrd.

Fix:
Memory no longer leaks in zrd when performing multiple wide IP alias updating.


514785-6 : TMM crash when processing AAM-optimized video URLs

Component: WebAccelerator

Symptoms:
TMM might crash when processing HTTP requests for certain types of AAM-optimized videos.

Conditions:
AAM-enabled VIP with video optimization and IBR enabled by AAM policy.

Impact:
Potential TMM crash.

Workaround:
Disable AAM processing of AAM-optimized video URLs.

Fix:
TMM no longer crashes when processing HTTP requests for certain types of AAM-optimized videos.


514726-1 : Server-side DSR tunnel flow never expires

Component: TMOS

Symptoms:
TMM cores and memory exhaustion using Direct Server Return (DSR). DSR establishes a one-way tunnel between the BIG-IP system and the back-end servers using the clients' IP addresses as the tunnel local-address on the BIG-IP system. These flows never expire.

Conditions:
BIG-IP virtual servers using DSR tunnels to send client traffic to the server.

Impact:
Server-side DSR tunnel flow never expires. Because the DSR tunnels use client's IP address as the tunnel local-address and the server's IP address as the tunnel remote-address, a single DSR setup might introduce as many tunnels as the clients' requests. When these tunnels do not expire, the BIG-IP system memory resource might be used up eventually, causing TMM cores.

Workaround:
None.

Fix:
Individual DSR tunnels are removed after the corresponding client's user flows expire.


514236-4 : [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses

Component: Global Traffic Manager (DNS)

Symptoms:
IP addresses associated with a BIG-IP DNS server object may not be viewable from the Configuration utility.

Conditions:
This issue occurs when all of the following conditions are met:
-- You use the Configuration utility to create a BIG-IP DNS server object with one or more IP addresses.
-- You then use the Configuration utility to add one or more IP addresses to a BIG-IP DNS server object.
-- You use the Traffic Management Shell (tmsh) to add one or more additional IP addresses to the BIG-IP GTM server object.
-- From the Configuration utility, you navigate to DNS :: GSLB :: Servers :: [BIG-IP DNS Server Name] and then view the BIG-IP DNS server object IP addresses in the Address List box.

Impact:
Only the BIG-IP GTM server object IP addresses that are added from the tmsh utility display in the Configuration utility. After tmsh modifies the BIG-IP DNS server by adding another IP address, the GUI fails to show those IP addresses previously added using the GUI.

Workaround:
Use tmsh to create and modify IP addresses on BIG-IP DNS servers. Or use only the Configuration utility or only the tmsh utility to create and modify BIG-IP GTM server object IP addresses.

Fix:
GUI now adds the partition prefix to device-name for BIG-IP DNS Server IP addresses, so IP addresses associated with a BIG-IP DNS server object are now viewable from the Configuration utility.


514108-5 : TSO packet initialization failure due to out-of-memory condition.

Component: Local Traffic Manager

Symptoms:
TCP Segmentation Offload (TSO) packet initialization failure due to out-of-memory condition with the message: packet is locked by a driver.

Conditions:
Requires a specific packet layout and memory allocation to fail in a specific place at a specific time.

Impact:
TMM posts the assert message: packet is locked by a driver.

Workaround:
None.

Fix:
TCP Segmentation Offload (TSO) packet is now cleared correctly with no packet-locked message.


514017 : There is some memory bloat when loading SSL profiles

Component: Local Traffic Manager

Symptoms:
When loading SSL profiles, some of the large elements (certificates, CAs, and CRLs) are not shared among profiles, but instead, they are loaded per profile, causing inefficient memory increases.

Conditions:
SSL profiles are used, especially with CRLs and (to a lesser extent) certificates and CAs.

Impact:
The extra memory used cannot be used elsewhere, potentially decreasing the maximum number of concurrent SSL sessions.

Workaround:
None.

Fix:
The large elements (certificates, CAs, and CRLs) in the SSL profile are now shared among SSL profiles, decreasing overall memory usage.


513953-3 : RADIUS Auth/Acct might fail if server response size is more than 2K

Component: Access Policy Manager

Symptoms:
RADIUS authentication or accounting fails when a response from the backend server is bigger than 2048 bytes.

Conditions:
The response from the backend server is bigger than 2048 bytes.

Impact:
The RADIUS Auth/Acct agent fails.

Workaround:

Fix:
Now RADIUS Auth and RADIUS Acct agents can successfully parse packets of sizes up to 4K, which is the maximum allowed RADIUS packet size. At the moment the BIG-IP system does not support RADIUS packet fragmentation.
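The 4K ceiling mentioned in the fix is the RADIUS maximum packet length from RFC 2865 (Length field bounded to 20..4096 bytes). The following parser is an added example, not BIG-IP or APM code: it enforces that bound and the per-attribute lengths before touching any attribute, so a response above 2048 bytes parses normally while one above 4096 bytes is rejected with an error rather than trusted. The sample packets and the all-zero authenticator are constructed for the demo.

```python
"""Length-checked RADIUS packet parser (added example; not BIG-IP code).

RFC 2865 section 3 fixes the RADIUS packet layout as
Code(1) Identifier(1) Length(2) Authenticator(16) Attributes(...)
and bounds the Length field to 20..4096 bytes. Each attribute is
Type(1) Length(1) Value(Length-2). Nothing here is taken from the
BIG-IP implementation; the sample packets are constructed in demo().
"""
import struct

RADIUS_HEADER_LEN = 20   # Code + Identifier + Length + Authenticator
RADIUS_MIN_LEN = 20
RADIUS_MAX_LEN = 4096    # RFC 2865 maximum; larger packets must be rejected

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18       # attribute type used to pad the sample packet


class RadiusParseError(ValueError):
    """Raised for any packet the parser refuses to trust."""


def parse_radius_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    The Length field is validated against both the RFC bounds and the
    number of bytes actually received before any attribute is touched.
    """
    if len(data) < RADIUS_MIN_LEN:
        raise RadiusParseError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not RADIUS_MIN_LEN <= length <= RADIUS_MAX_LEN:
        raise RadiusParseError(
            f"Length {length} outside {RADIUS_MIN_LEN}..{RADIUS_MAX_LEN}")
    if length > len(data):
        raise RadiusParseError("Length field exceeds bytes received")
    authenticator = data[4:RADIUS_HEADER_LEN]
    attrs = []
    pos = RADIUS_HEADER_LEN
    while pos < length:                  # bytes past Length are padding per RFC
        if length - pos < 2:
            raise RadiusParseError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise RadiusParseError(f"attribute {atype} has invalid length {alen}")
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return code, ident, authenticator, attrs


def build_radius_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise a packet; used only to construct sample input."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body))
    return header + authenticator + body


def is_valid_radius_packet(data: bytes) -> bool:
    """True if the packet parses; parse errors are reported, never raised upward."""
    try:
        parse_radius_packet(data)
        return True
    except RadiusParseError:
        return False


def demo():
    auth = bytes(16)  # constructed placeholder authenticator (all zeros)
    # 12 Reply-Message attributes of 200 bytes: 20 + 12 * 202 = 2444 bytes,
    # i.e. a response above the 2K limit that the fix lifted.
    large = build_radius_packet(ACCESS_ACCEPT, 1, auth,
                                [(REPLY_MESSAGE, b"x" * 200)] * 12)
    # 21 such attributes: 20 + 21 * 202 = 4262 bytes, over the RFC maximum.
    oversized = build_radius_packet(ACCESS_ACCEPT, 2, auth,
                                    [(REPLY_MESSAGE, b"x" * 200)] * 21)
    return (len(large), is_valid_radius_packet(large),
            len(oversized), is_valid_radius_packet(oversized))


if __name__ == "__main__":
    print(demo())
```

The parser never reads beyond the declared Length, and it refuses a Length that is larger than the datagram actually delivered, which is the check that keeps a short or padded datagram from turning into an out-of-bounds read.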


513649 : Transaction validation errors on object references

Component: TMOS

Symptoms:
If certain objects are deleted then created within the same transaction, transaction errors might occur.

Conditions:
This is exclusive to transactions either via iControl, tmsh cli transaction, or a device group config sync. An object must be deleted and re-created in the same transaction. The object that was deleted must have configured references to other objects. For example, a virtual server can reference a profile or a VLAN. If it does, and there is a virtual server delete-and-create operation in the same transaction, mcpd fails to clean up the join reference on delete and complains when it tries to recreate it.

Impact:
Unnecessary mcpd validation failure. The system posts an error message similar to the following: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/tcp) already exists in partition Common.

Workaround:
If a user needs to delete and re-create an object, perform the delete in one transaction and the create in a subsequent transaction.

Fix:
Attempts to delete and recreate objects within the same transaction now complete successfully.


513464-2 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching. As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with virtual servers that were originally specified on a pre-folder-aware version of BIG-IP, such as 10.2.x. When they are discovered by a folder-aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool. This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


513382-18 : Resolution of multiple OpenSSL vulnerabilities

Component: Access Policy Manager

Symptoms:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

Conditions:
https://support.f5.com/kb/en-us/solutions/public/16000/300/sol16317.html

Impact:
Update of OpenSSL to resolve multiple vulnerabilities.

Workaround:

Fix:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288


513341-1 : CVE-2015-0292 : OpenSSL Vulnerability

Component: TMOS

Symptoms:
Low-rated vulnerability. See SOL4602 for the vulnerability response.

Conditions:
Requires reading a specifically crafted PEM file. It does not affect external functionality.

Impact:
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

Workaround:


513294-4 : LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances

Component: TMOS

Symptoms:
The following issues may be observed on BIG-IP 5000-/7000-series appliances:
1. When a system shuts down due to an over-temperature condition, the name of the sensor that triggered the shutdown does not display.
2. Unable to configure the AOM IP address using the DHCP menu option; the system responds with the message: Error: Failed to configure AOM management port.
3. TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.

Conditions:
BIG-IP 5000-/7000-series appliances with LBH firmware versions prior to v3.07 may experience each of the above issues under the following corresponding conditions:
1. Over temperature, thermal shutdown.
2. When trying to configure an IP address for AOM using the N - Configure AOM network option.
3. When the host is powered off using the AOM menu, the LBH will detect an under-voltage condition for all non-standby voltage rails.

Impact:
The impacts of these issues are:
1. The user cannot determine which sensor triggered the thermal shutdown.
2. Unable to configure the AOM address using DHCP.
3. There will be a single ltm log message indicating this critical alarm; however, the voltage reported in the log message will be in the nominal range.

Workaround:
Corresponding workarounds include:
1. None.
2. None.
3. Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.

Fix:
LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances now works as expected.


513243-4 : Improper processing of crypto error condition might cause memory issues.

Component: Local Traffic Manager

Symptoms:
Improper processing of a crypto error condition might cause memory issues.

Conditions:
Error when processing certain crypto commands.

Impact:
The error might cause TMM to crash.

Workaround:
None.

Fix:
If certain crypto commands return an error, but memory is allocated successfully, the system now completes the operation as expected.


513165-3 : SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is used as a SAML Service Provider, and SP-initiated Single Logout (SLO) is executed, the SLO request message does not contain the 'SessionIndex' attribute. As a result, the external IdP might not be able to terminate the user's session.

Conditions:
BIG-IP is configured as SP. SLO is initiated by SP.

Impact:
External IdP may not be able to terminate user's session.

Workaround:

Fix:
SAML Service Provider generated SLO requests now contain the needed attributes.


513098-3 : localdb_mysql_restore.sh failed with exit code

Component: Access Policy Manager

Symptoms:
In certain scenarios, deleting a dynamic user entry from memory does not clear the entry from the underlying table.

Conditions:
This might occur when a dynamic user record is marked for deletion but has not yet been removed when the dynamic user representing that record is re-authenticated.

Impact:
Over time, the table grows in size due to stale records.

Workaround:

Fix:
Orphaned dynamic user records are now correctly deleted.


513034-6 : TMM may crash if Fast L4 virtual server has fragmented packets

Component: Local Traffic Manager

Symptoms:
tmm crashes.

Conditions:
This might occur when the following conditions are met: -- Fast L4 virtual server. -- Incoming fragmented packets.

Impact:
tmm might crash.

Workaround:
In the Fast L4 profile, enable the option 'Reassemble IP Fragments'.

Fix:
TMM no longer crashes if Fast L4 virtual servers have fragmented packets.


512490-4 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.

Fix:
Disable Nagle algorithm on TCP/HA profile to improve performance.


512245-3 : Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname

Component: Access Policy Manager

Symptoms:
The machine certificate agent checker on the client might extract the wrong certificate based on LocalHostName if it is not the same as the hostname. The machine certificate agent checker might then fail.

Conditions:
BIG-IP APM with machine certificate agent.

Impact:
Machine certificate check might fail.

Workaround:

Fix:
Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9.


512148-4 : Self IP address cannot be deleted when its VLAN is associated with static route

Component: Local Traffic Manager

Symptoms:
A self IP address cannot be deleted when its VLAN is associated with a static route.

Conditions:
The self IP address' VLAN is associated with a static route.

Impact:
Self IP address cannot be deleted.

Workaround:
Temporarily remove the static route entries, delete the self IP, and then add the static route entries again.

Fix:
A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa.


511942-1 : Unable to establish HA connection

Component: TMOS

Symptoms:
On AWS platforms, the HA setup process may fail with the error "iControl connection to xxx failed".

Conditions:
AWS platform HA-capable configuration

Impact:
Unable to create HA connection

Workaround:
Run this command on all devices: tmsh modify sys httpd ssl-protocol "ALL -SSLv2"

Fix:
Remove SSLv2 negotiation from HA connections.


511534-5 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.

Component: WebAccelerator

Symptoms:
When loading an AAM policy, the tmm compiles the rules to an internal structure that is efficient for execution. Some conditions however may cause this process to take too long and the tmm gets halted before the system has finished compiling the policy.

Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or two operands. Since you can have conditions on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Impact:
The compilation time increases dramatically when regular expressions are used on more than one or two operands. Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expression on path-segments is a likely way to trigger this condition.

Workaround:
None.

Fix:
Now, you can prevent AAM policy compilation from taking too long by turning the regular expression into plain matches using the '\' character to escape those symbols that turn a string into a regular expression. For example, previously, 'favicon.ico' was treated as a regular expression because '.' means 'any character'. Now the user can specify 'favicon\\.ico' (double '\' required by tmsh), which causes the '.' to mean the period character, thus avoiding the (unintended) regular expression.
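The security-relevant point in the fix note is that a path segment such as 'favicon.ico' is already valid regular-expression syntax, so an unescaped match rule is both slower to compile and looser than intended ('.' matches any character). The block below is an added example, not AAM or tmsh code: it reports which metacharacters give a literal regex meaning, shows that the raw pattern also matches 'faviconXico', escapes the literal, and produces the double-backslash form the note says tmsh requires (that doubling is taken from the note above, not from any tmsh source). The sample paths are constructed.

```python
"""Escaping literals that are meant to be plain matches (added example).

A path segment such as 'favicon.ico' is valid regular-expression syntax,
but '.' then matches any character, so the pattern also matches
'faviconXico'. re.escape() turns the literal into a pattern that matches
only itself. tmsh_literal() applies the extra doubling of backslashes the
fix note requires for tmsh input; that doubling is taken from the note,
not from any tmsh source. The sample paths are constructed.
"""
import re

# Characters that give a string regular-expression meaning (Python's set,
# which also covers the usual POSIX ERE metacharacters).
_METACHARS = set(r".^$*+?{}[]\|()")


def regex_metachars(text: str) -> set:
    """Return the metacharacters present, i.e. why a literal is not a plain match."""
    return {c for c in text if c in _METACHARS}


def literal_to_regex(text: str) -> str:
    """Escape every metacharacter so the pattern matches only the literal."""
    return re.escape(text)


def tmsh_literal(text: str) -> str:
    """Escaped form with each backslash doubled, as the fix note says tmsh requires."""
    return literal_to_regex(text).replace("\\", "\\\\")


def matches(pattern: str, candidate: str) -> bool:
    """Whole-string match, the way a path-segment rule is meant to behave."""
    return re.fullmatch(pattern, candidate) is not None


def audit_segments(segments) -> dict:
    """Map each constructed match-rule literal to its escaped form if it needs one."""
    return {s: literal_to_regex(s) for s in segments if regex_metachars(s)}


def demo():
    raw = "favicon.ico"   # constructed path segment from the fix note
    return {
        "metachars": regex_metachars(raw),
        "raw_matches_other": matches(raw, "faviconXico"),
        "escaped": literal_to_regex(raw),
        "escaped_matches_other": matches(literal_to_regex(raw), "faviconXico"),
        "escaped_matches_self": matches(literal_to_regex(raw), "favicon.ico"),
        "tmsh": tmsh_literal(raw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

audit_segments() is the check a practitioner would run over an existing list of path-segment rules before loading a policy: any segment it returns is being compiled as a regular expression without the author intending it.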


511441-1 : Memory leak on request Cookie header longer than 1024 bytes

Component: Access Policy Manager

Symptoms:
Memory leak on request Cookie header longer than 1024 bytes.

Conditions:
Client is sending 'Cookie' request header with more than 1024 bytes of data to APM Portal Access host.

Impact:
Memory used by 'rewrite' process keeps increasing and leads to 'out of memory' logs and possibly failover.

Workaround:

Fix:
Portal Access no longer leaks memory on large Cookie request headers from the client.


510709-6 : Websso start URI match fails if there are more than 2 start URIs in SSO configuration.

Component: Access Policy Manager

Symptoms:
If more than 2 start URIs are configured, start URI parsing does not work correctly. This results in no start URI match and websso failure.

Conditions:
SSO error happens only if there are more than 2 start URIs configured in the SSO configuration.

Impact:
SSO V1(websso) fails for configured start URI due to start URI mismatch.

Workaround:
No workaround

Fix:
Websso config start URI parsing was wrong when there were multiple lines in the start URI configuration. Websso start URI parsing is now fixed.


510638-3 : [DNS] Config change in dns cache resolver does not take effect until tmm restart

Component: Local Traffic Manager

Symptoms:
Config change in DNS cache resolver does not take effect until tmm restart.

Conditions:
Make changes to LTM DNS cache resolver.

Impact:
Changes made to DNS cache resolver are not in effect until tmm restarts. For example, changes to the DNS cache resolver's parameters Max. Concurrent Queries and Allowed Query Time do not load into the system until tmm restarts.

Workaround:
Restart tmm after making changes, or create a new DNS cache profile.

Fix:
Config changes in the DNS cache resolver now take effect immediately and no longer require a tmm restart.


510459-3 : In some cases Access does not redirect client requests

Component: Access Policy Manager

Symptoms:
A client may receive the following error message upon request: "The requested file could not be found on the server. Please contact system administrator."

Conditions:
Client requests received by Access running on BIG-IP versions 11.4.0 to 11.6.0 may encounter this issue.

Impact:
Client request is not fulfilled and error message received.

Workaround:
None

Fix:
Resolved issue in which clients receive a file not found message from Access due to out of date White List entry in OPSWAT.


510381-1 : bcm56xxd on A108 may core when restarting due to bundling config change.

Component: TMOS

Symptoms:
A race condition exists where bcm56xxd may core while restarting due to a bundling configuration change if it is still processing other config messages from MCP.

Conditions:
Interface bundling change requiring a restart while still processing configuration messages.

Impact:
Unnecessary core file produced since the daemon is restarting anyway.

Workaround:

Fix:
Fixed possible race condition which resulted in a core.


509758-5 : EdgeClient shows incorrect warning message about session expiration

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shows an incorrect warning message once a network access connection is established.

Conditions:
Access Policy has disabled Maximum Session timeout (set to 0) and Network Access webtop is used.

Impact:
Versions that have session expiration timeout display all zeroes instead of the timeout value. This is a cosmetic issue that does not indicate incorrect system functionality.

Workaround:
None.

Fix:
Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message.


509490-3 : [IE10]: attachEvent does not work

Component: Access Policy Manager

Symptoms:
Websites are broken in Internet Explorer if they use postMessage to send objects. There could be errors in the JavaScript console.

Conditions:
Web application in Internet Explorer 8, 9 or 10 that uses window.postMessage() and receives messages with a handler added through window.attachEvent(), working through Portal Access.

Impact:
Web-Application cannot use Window.postMessage() to send data with Portal Access in Internet Explorer.

Workaround:
None.

Fix:
The 'onmessage' handler added with window.attachEvent() now correctly receives data sent through window.postMessage().


508719-2 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
The title might be missing from a logon page.

Conditions:
Logon page uses field filled with dynamically assigned session variable.

Impact:
No title displays on the logon page.

Workaround:
Modify page logon.inc using the customization panel.

* Add function:

function getSoftTokenPrompt() {
    if ( softTokenFieldId != "" && edgeClientSoftTokenSupport()) {
        var div = document.getElementById("formHeaderSoftToken");
        if (div) {
            return div.innerHTML;
        }
    }
    return null;
}

* Replace code:

function OnLoad() {
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }

By:

function OnLoad() {
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = "<? echo $formHeaderSoftToken; ?>";
    if ( softTokenFieldId != "" && softTokenHeaderStr != "" && edgeClientSoftTokenSupport()) {
        header.innerHTML = softTokenHeaderStr;
    } else {
        header.innerHTML = "<? echo $formHeader; ?>";
    }

* Replace code:

<td colspan=2 id="credentials_table_header" ></td>

By:

<td colspan=2 id="credentials_table_header" ><? echo $formHeader; ?></td>

* Add code before the </body> tag:

<div id="formHeaderSoftToken" style="overflow: hidden; visibility: hidden; height: 0; width: 0;"><? echo $formHeaderSoftToken; ?></div>

Fix:
The title displays on the logon page now.


508716-2 : DNS cache resolver drops chunked TCP responses

Component: Local Traffic Manager

Symptoms:
DNS cache resolver drops chunked TCP responses.

Conditions:
If the cache resolver uses TCP to resolve a query, and a nameserver does not include the complete reply in the first TCP segment.

Impact:
The response will be discarded, the connection dropped, and the query retried.

Workaround:

Fix:
DNS cache resolver no longer drops chunked TCP responses.


508630-6 : The APM client does not clean up DNS search suffixes correctly in some cases

Component: Access Policy Manager

Symptoms:
The APM client does not clean up DNS search suffixes correctly when the DNS suffixes configured on a client contain names configured in an APM Network Access resource.

Conditions:
The problem occurs when a suffix name that is configured in a Network Access resource matches the suffix configured locally on the user's machine.

Impact:
As a result, DNS suffixes are not restored correctly.

Workaround:

Fix:
An additional fix was made to restore DNS suffixes correctly.


507853-4 : MCP may crash while performing a very large chunked query and CPU is highly loaded

Component: TMOS

Symptoms:
MCP crashes while performing a chunked query (such as 'tmsh show sys connection') that returns a large result if a connection to a TMM is severed (due to a zero-window timeout).

Conditions:
CPU is highly loaded.

Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following: error reading variable: Cannot access memory at address 0x1.

Workaround:
None.

Fix:
Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed.


507842-3 : Patch for BIND Vulnerability CVE-2015-1349

Component: TMOS

Symptoms:
The named daemon can exit or crash under certain conditions.

Conditions:
When BIND's DNSSEC validation and managed-keys features are enabled, remote attackers can cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use.

Impact:
Temporary DoS for backend BIND server

Workaround:
Disable BIND's DNSSEC validation and managed-keys features. These are not enabled by default on a BIG-IP system.

Fix:
CVE-2015-1349


507782-4 : TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data

Component: Access Policy Manager

Symptoms:
TMM crashes on an attempt to open a Citrix connection.

Conditions:
Unpatched/malformed ICA file received by the client.

Impact:
Network outage for all the clients served by TMM.

Workaround:

Fix:
Validation of the input data sent in the ICA connection has been fixed: when the Address field is invalid or non-patched, the system now rejects the connection instead of crashing.


507681-7 : Window.postMessage() does not send objects in IE11

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects in Internet Explorer 11. Depending on the web application, errors may or may not appear in the JavaScript console.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access working in Internet Explorer 11.

Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access in Internet Explorer 11.

Workaround:
None.

Fix:
Window.postMessage() now works in Internet Explorer 11.


507575-2 : An incorrectly formatted NAPTR creation via iControl can cause an error.

Component: TMOS

Symptoms:
NAPTR records are somewhat complicated, and if an incorrect set of string arguments is passed to iControl, the string parsing can fail and generate unhelpful error messages.

Conditions:
Specifically, it is valid to have empty strings as some of the fields of a NAPTR record. However, these empty strings must be quoted as empty strings. An example of a valid empty string parameter: foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com. Not quoting the empty parameter (after "good") confuses the parser into thinking that not enough parameters were passed. This causes a segfault and the error.

Impact:
Potential failure of iControl parsing.

Workaround:
Use quotes around empty strings such as: foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Fix:
The string parser has been made tolerant of missing parameters for these records and will now report an error.


507331-2 : Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.

Component: TMOS

Symptoms:
If a saved configuration from an earlier version is used when launching an instance of BIG-IP v11.5.2 on AWS, then SSLv3 may be enabled on the management interface.

Conditions:
Using configuration saved with version 11.5.2 (and earlier) on AWS.

Impact:
There are known security vulnerabilities with SSLv3 and the BIG-IP software disables it by default with v11.5.2 on AWS. An enabled SSLv3 on the management interface might make the instance vulnerable to an attack, so after upgrading, configurations in which SSLv3 is enabled should be disabled before deploying.

Workaround:
Disable SSLv3 as documented here: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip, and in SOL15702: https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html.

Fix:
SSLv3 is no longer enabled after loading a configuration saved with BIG-IP v11.5.2 or earlier, even if SSLv3 was enabled in the original configuration.


507327-3 : Programs that read stats can leak memory on errors reading files

Component: TMOS

Symptoms:
Daemons that read statistics might leak memory over time so the amount of memory they use continues to grow.

Conditions:
There is an error reading a statistics file. For example, permissions on the file or directory prohibit access.

Impact:
Eventually the daemon or system might run out of memory.

Workaround:
Remove anything causing an error reading a stats file such as deleting unneeded files or fixing permissions.

Fix:
A memory leak reading stats has been fixed.


507116-4 : Web-application issues and/or unexpected exceptions.

Component: Access Policy Manager

Symptoms:
Web-application issues and/or unexpected exceptions.

Conditions:
Undisclosed conditions related to web-applications.

Impact:
Unexpected web-application functionality.

Workaround:
None.

Fix:
Web-application issues have been fixed.


507115 : Unable to repeat the creation of a server

Component: TMOS

Symptoms:
Clicking the 'Repeat' button after configuring the required fields on the GTM server Create page does not retain the information specified. Instead, the operation redirects the user to the GTM server list page.

Conditions:
On the GTM server Create page, click the 'Repeat' button.

Impact:
Unable to repeat the creation of a server based on the just-created server.

Workaround:
From the GTM server list page, click Create.

Fix:
Clicking the 'Repeat' button after configuring the required fields on the GTM server Create page now retains the information specified, as expected.


506315-1 : WAM/AAM is honoring OWS age header when not honoring OWS maxage.

Component: WebAccelerator

Symptoms:
WAM/AAM policy is configured to ignore OWS maxage header values, but the policy does not ignore the OWS Age header.

Conditions:
BIG-IP system with AAM provisioned, content matching a policy node not honoring the OWS headers maxage and/or s-maxage, and a large 'Age' value.

Impact:
This results in WAM/AAM improperly reducing the lifetime of OWS responses by the amount of the Age header, and more frequent WAM/AAM revalidation of the affected content (possibly on every request if the Age header is larger than the policy-specified cache lifetime).

Workaround:
You can use any one of the following as a workaround: -- Honor OWS lifetime headers (s-maxage and max-age). -- Use an iRule to delete the OWS Age header. -- Increase the AAM/WAM cache lifetime for that content to compensate.

Fix:
When WAM/AAM policy is configured not to honor OWS maxage, it also does not honor OWS Age headers, which is correct behavior.


506282-3 : GTM DNSSEC key generation is not synchronized upon key creation

Component: Local Traffic Manager

Symptoms:
DNSSEC key generation is not synchronized upon key creation.

Conditions:
This occurs when creating LTM DNSSEC keys on one unit of a sync group.

Impact:
The keys are synced, but the key generation information is not.

Workaround:
Modify another parameter on the GTM system after DNSSEC key generation to trigger the sync operation.

Fix:
DNSSEC key generation is now synchronized upon key creation.


505964-7 : Invalid http cookie handling can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If an http cookie is invalid, then subsequent modifications to http cookie entries can result in a TMM core.

Conditions:
This issue can occur with an HTTP virtual server that performs cookie processing (either via an iRule, profile configuration, or as a result of persistence) and also performs header manipulation.

Impact:
TMM restart.

Workaround:
None.

Fix:
A crash in the HTTP profile implementation of cookie handling has been fixed.


505755-1 : Some scripts on a dynamically loaded HTML page might not execute.

Component: Access Policy Manager

Symptoms:
Some scripts on dynamically loaded HTML page might not execute.

Conditions:
Dynamically loaded HTML page

Impact:
Web application accessed via Portal Access does not work as expected.

Workaround:
None.

Fix:
Fixed an issue in Portal Access that could affect script execution in documents.


505705-4 : Expired mirrored persistence entries not always freed using intra-chassis mirroring

Component: Local Traffic Manager

Symptoms:
When using persistence mirroring, it is possible for the mirror owner of a persistence record to also be the proxying tmm for the connection. In this case, depending on timing of the connection and timeouts configured, it is possible for a persistence record to not be released when the connection is terminated and persistence timeout expires.

Conditions:
Using intra-chassis persistence mirroring. The records appear in tmsh show sys persistence persist-records all-properties, with an age always set to zero but no connection and no other persistence records for the same persistence key.

Impact:
Possible memory growth. This is not a leak, in that the memory can be recovered when subsequent requests reach different tmms that might need the same persistence record.

Workaround:
None.

Fix:
Both the local and mirrored owner persistence record are properly removed.


505331 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
The SASP monitor unexpectedly terminates with a core dump.

Conditions:
More than one Group Workload Manager (GWM) server, and all servers are down at the same time.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage.

Workaround:
None.

Fix:
SASP monitor no longer cores when multiple Group Workload Manager (GWM) servers are down.


505071-1 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.

Component: TMOS

Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.

Conditions:
The only known type of object for which this fails is an APM policy agent logon page, and the error indicates that its customization group cannot be found.

Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.

Workaround:
None.

Fix:
For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.


504854-1 : OneConnect does not balance new traffic for all load balancing methods

Component: Local Traffic Manager

Symptoms:
With several load balancing methods, OneConnect does not load-balance new connections to pool members as desired. These methods include ratio (node), least connections (node), observed (node) and predictive (node). In these cases, new traffic will continue going to a limited number of pool members.

Conditions:
Using OneConnect along with one of the following load balancing methods: ratio (node), least connections (node), observed (node) or predictive (node).

Impact:
Traffic does not balance across nodes as desired.

Workaround:
This can be partially mitigated if load balancing can be done with other methods; however, using these methods there is no workaround.

Fix:
Adjusted counters correctly to load balance traffic as desired.


504538-1 : OneConnect and Least connections (member) lb mode does not balance load as expected

Component: Local Traffic Manager

Symptoms:
OneConnect and Least connections (member) lb mode does not balance load as expected.

Conditions:
OneConnect and Least connections (member) lb mode.

Impact:
Connection distribution is skewed.

Workaround:
Disabling OneConnect will prevent the problem from occurring. If the problem is being experienced, a reboot may be necessary to clear the problem after OneConnect has been disabled.

Fix:
OneConnect and Least connections (member) lb mode now distributes connections equally.


504306-4 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur. For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers. BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.

Fix:
https monitors now properly perform SSL session re-use.


503741-4 : DTLS session should not be closed when it receives a bad record.

Component: Local Traffic Manager

Symptoms:
According to RFC 6347, section 4.1.2.7, Handling Invalid Records: 'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.' In the BIG-IP implementation, DTLS disconnects the session when it receives an invalid record.

Conditions:
DTLS receives a bad record packet.

Impact:
DTLS disconnects the session.

Workaround:
None.

Fix:
The system now silently discards all of the invalid records and preserves the association. This is correct behavior.
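The following is an added illustration of the two behaviours this entry contrasts; it is not BIG-IP or TMM code. It frames payloads as DTLS records (the 13-byte header of RFC 6347 4.1), validates format, length and an integrity tag, and then applies either the RFC-recommended "discard" policy (invalid records are dropped and the association survives) or a "close" policy that tears the association down on the first bad record, which is what the pre-fix behaviour amounted to over a forgeable UDP transport. The integrity tag is a constructed HMAC stand-in for the real record MAC/AEAD tag, and the key and datagram sequence are constructed sample input.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# DTLS record header (RFC 6347 4.1): type(1) version(2) epoch(2) sequence(6) length(2) = 13 bytes.
HEADER_FMT = "!BHHHIH"          # the 48-bit sequence number is read as 16 + 32 bits
HEADER_LEN = struct.calcsize(HEADER_FMT)
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD = 2 ** 14 + 2048     # upper bound on TLSCiphertext.length (RFC 5246 6.2.3)
TAG_LEN = 16                    # constructed integrity tag; stand-in for the real record MAC (assumption)


def build_record(ctype, payload, key, version=0xFEFD, epoch=0, seq=0):
    """Frame payload as one DTLS record carrying a constructed HMAC-SHA256 tag (not a real cipher suite)."""
    header = struct.pack(HEADER_FMT, ctype, version, epoch, seq >> 32, seq & 0xFFFFFFFF,
                         len(payload) + TAG_LEN)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


def parse_record(datagram, key):
    """Return (content_type, payload) or raise ValueError naming the defect (format, length or MAC)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("short header")
    ctype, version, epoch, seq_hi, seq_lo, length = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    if version not in DTLS_VERSIONS:
        raise ValueError("unsupported version 0x%04x" % version)
    if length > MAX_RECORD or length < TAG_LEN:
        raise ValueError("bad length %d" % length)
    if len(datagram) < HEADER_LEN + length:
        raise ValueError("length exceeds datagram")
    body = datagram[HEADER_LEN:HEADER_LEN + length - TAG_LEN]
    tag = datagram[HEADER_LEN + length - TAG_LEN:HEADER_LEN + length]
    expected = hmac.new(key, datagram[:HEADER_LEN] + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC failure")
    return ctype, body


@dataclass
class DtlsAssociation:
    key: bytes
    policy: str = "discard"        # "discard" = RFC 6347 4.1.2.7 behaviour; "close" = the pre-fix behaviour
    open: bool = True
    delivered: list = field(default_factory=list)
    invalid: int = 0

    def receive(self, datagram):
        if not self.open:
            return "closed"
        try:
            ctype, payload = parse_record(datagram, self.key)
        except ValueError as err:
            self.invalid += 1           # counted for diagnostics; the RFC allows logging the error
            if self.policy == "close":
                self.open = False       # the association dies on one forgeable UDP datagram
                return "closed: %s" % err
            return "discarded: %s" % err  # association preserved
        self.delivered.append((CONTENT_TYPES[ctype], payload))
        return "delivered"


def run_demo(policy):
    """Feed a constructed datagram sequence to one association; returns (still_open, delivered, invalid)."""
    key = b"constructed-demo-key"
    good = build_record(23, b"hello", key, seq=1)
    wrong_version = build_record(23, b"hello", key, version=0x0303, seq=2)  # TLS 1.2 version, not DTLS
    truncated = good[:-5]                                                    # body shorter than length field
    corrupted = bytearray(good)
    corrupted[-1] ^= 0xFF                                                    # flip a tag byte: MAC failure
    corrupted = bytes(corrupted)
    assoc = DtlsAssociation(key=key, policy=policy)
    for dgram in (good, wrong_version, truncated, corrupted, build_record(23, b"again", key, seq=3)):
        assoc.receive(dgram)
    return assoc.open, len(assoc.delivered), assoc.invalid


if __name__ == "__main__":
    print("discard:", run_demo("discard"))   # (True, 2, 3)
    print("close:  ", run_demo("close"))     # (False, 1, 1)
```

With the discard policy the three malformed datagrams are counted and dropped while both valid records are delivered; with the close policy the first malformed datagram ends the association and the later valid record never arrives, which is the availability problem the RFC text warns about.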


503676-1 : SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events

Component: Service Provider

Symptoms:
SIP REFER, INFO, and UPDATE requests do not trigger iRule events.

Conditions:
This occurs when the following conditions are met:
-- Virtual server has a SIP profile.
-- Virtual server has iRule(s) containing SIP_REQUEST or SIP_REQUEST_SEND events.
-- SIP REFER, INFO, or UPDATE request is received on the virtual server.

Impact:
iRule event is not executed.

Workaround:
None.

Fix:
SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.


503343-1 : TMM crashes when cloned packet incorrectly marked for TSO

Component: Local Traffic Manager

Symptoms:
TMM cores

Conditions:
1. Clone pool configured.
2. Clone MTU > client or server MTU.
3. tm.tcpsegmentationoffload db variable in "disable" state.
4. TSO enabled on the client-side or server-side interface.
5. TSO disabled on the clone interface.

Impact:
Traffic disruption

Workaround:
Remove the configured clone pool

Fix:
Prevent TMM crash due to cloned packet incorrectly marked for TSO.


503319-6 : After network access is established browser sometime receives truncated proxy.pac file

Component: Access Policy Manager

Symptoms:
After network access is established, the proxy.pac received by the browser is truncated.

Conditions:
This occurs if proxy.pac file is larger than 65535 bytes (~65 KB).

Impact:
Large proxy.pac file might not be downloaded or might be truncated.

Workaround:
Reduce the proxy.pac file size so that the merged file is less than ~65 KB.

Fix:
Merged (by F5 tunnel server) proxy.pac is now NOT truncated when sent to the browser even if its size is greater than ~65 KB.


502959-4 : Unable to get response from virtual server after node flapping

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently.

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). In certain circumstances, requests may hang (the client is connected, waiting for a response).

Workaround:
None.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


502747-6 : Incoming SYN generates unexpected ACK when connection cannot be recycled

Component: Local Traffic Manager

Symptoms:
Incoming SYN causes the BIG-IP system to generate ACK instead of SYN-ACK.

Conditions:
This can occur when the following conditions are met:
- IP addresses and ports of the SYN match an existing connection;
- Sequence number of the SYN is more than 2^31 beyond the sequence number of the previously sent FIN;
- Existing connection is in TIME_WAIT state;
- Virtual server has time_wait_recycle enabled.

Impact:
Client will generate RST and connection must be re-tried.

Workaround:
Set time-wait-timeout to 1 millisecond per SOL12673.

Fix:
The BIG-IP system will no longer generate an ACK to incoming SYNs which match an existing connection that cannot be recycled.


502441-2 : Network Access connection might reset for large proxy.pac files.

Component: Access Policy Manager

Symptoms:
Network Access connection might reset when large proxy.pac files are configured in the access policy.

Conditions:
Mac Edge Client, browsers, Network Access, large proxy.pac file.

Impact:
Network Access connection might reset.

Workaround:
Reduce the proxy.pac file size to be less than 10 KB.

Fix:
Network Access connection does not reset if a large proxy.pac file is configured.


501715 : [DNS] RESOLV::lookup in CLIENT_ACCEPTED doesn't cache responses for VIP w/HTTP profile

Component: Local Traffic Manager

Symptoms:
RESOLV::lookup command does not cache responses if it is called within CLIENT_ACCEPTED event for VIP with HTTP profile.

Conditions:
iRule with RESOLV::lookup command in CLIENT_ACCEPTED event assigned to VIP with HTTP profile

Impact:
DNS responses are not cached. RESOLV::lookup requests DNS RR instead of getting response from its cache.

Workaround:
Use RESOLV::lookup in HTTP_REQUEST event.


501690 : TMM crash in RESOLV::lookup for multi-RR TXT record

Component: Local Traffic Manager

Symptoms:
TMM crashes with a specific ASSERT-based backtrace.

Conditions:
Requires an LTM listener with an iRule that has a RESOLV::lookup command querying for a TXT record and receiving multiple RRs.

Impact:
Failover; momentary halt to traffic processing.

Workaround:
None.

Fix:
TMM no longer crashes due to the behavior of the LTM listener with an iRule that has a RESOLV::lookup command when parsing its return values.


501670 : mcpd on secondary blades can core if the MCPD log level is set to info or debug during config sync

Component: TMOS

Symptoms:
mcpd might core on secondary blades if the MCPD log level is set to info or debug during config sync operations.

Conditions:
Perform a config sync operation on a system with multiple blades and at least one peer, with the mcpd log level set to info or debug.

Impact:
mcpd cores, resulting in an outage or a failover.

Workaround:
Change the MCPD log level from debug/info to notice (the default) or a higher level (so that this info-level message is not logged).

Fix:
A log statement at the info or debug levels has been corrected so that it does not cause MCPD to crash.


501517 : Very large configuration can cause transaction timeouts on secondary blades

Component: TMOS

Symptoms:
Messages with 'end_transaction message timeout on connection 0x5ea9a9c8 (user mcpd-primary)' in them in the ltm log after a secondary blade is inserted or restarted.

Conditions:
A multi-bladed system with a very large configuration that takes more than a minute to transfer to secondary blades.

Impact:
mcpd's transaction does not complete and the configuration is not loaded properly.

Workaround:
None.

Fix:
Increased the transaction timeout to accommodate very large configuration transfers.


501516-1 : If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.

Component: Local Traffic Manager

Symptoms:
When using a very large number of monitors, bigd may run out of file descriptors when it is restarted.

Conditions:
A system with a large number of monitors configured.

Impact:
bigd cores and gets into a restart loop; monitors no longer work properly. The ltm log might contain error messages similar to the following: socket error: Too many open files.

Workaround:
Reduce the number of monitors on the system.

Fix:
bigd no longer runs out of file descriptors during restart when using a very large number of monitors.


501498-5 : APM CTU doesn't pick up logs for Machine Certificate Service

Component: Access Policy Manager

Symptoms:
CTU report does not contain logs from Machine Certificate Service.

Conditions:
When the CTU report is run, it does not contain data in the logs.

Impact:
Logs are not available to technical staff

Workaround:
You can pick up logs manually from C:\Windows\Temp\logterminal.txt.

Fix:
CTU now correctly picks up logs for the Machine Certificate Service.


501343-5 : In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle

Component: TMOS

Symptoms:
In FIPS HA setup when the FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B, Device B (the HA peer) gets the configuration from Device A and operates as if the handle is correct because the modulus matches, but it actually is the public-handle and not the private-handle.

Conditions:
FIPS HA setup and FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B.

Impact:
With this configuration, when the device fails over, it can lead to traffic failure. This occurs because TMM tries to use the public-handle when it should be using the private-handle.

Workaround:

Fix:
FIPS HA peer verifies the FIPS handle type to confirm that it uses only the private FIPS handles.


500945 : Firefox 35 or later cannot connect to BIG-IP virtual server with clientssl profile in TLS1.2

Component: Local Traffic Manager

Symptoms:
Firefox 35 fails to negotiate the security protocol during the SSL handshake with a BIG-IP virtual server when the client SSL profile contains Client Certificate Authentication (request/require). The issue is reproducible only with Firefox 35 beta (35.0) or later when using TLS1.2.

Conditions:
This occurs when using Firefox version 35 or later to connect to virtual server using TLS1.2.

Impact:
Cannot connect to the BIG-IP virtual server using the Firefox version 35 or later.

Workaround:
Either of the following methods works:
1. Use a different browser.
2. Disable TLS1.2 (configure No TLSv1.2 in the Options List of the ClientSSL profile).


500365 : TMM Core as SIP hudnode leaks

Component: Service Provider

Symptoms:
There is a memory leak when using SIP in TCP/ClientSSL configurations.

Conditions:
The leak occurs when the clientside flow is torn down in response to the SSL handshake not completing.

Impact:
Because the SSL handshake is not complete, the SIP handler cannot complete the operation as expected, which results in an error and a memory leak of the SIP handler. The tmm memory increases, which eventually requires restarting tmm as a workaround.

Workaround:
Although there is no workaround to prevent the issue, you can recover from the memory-leak condition by restarting tmm.

Fix:
This release fixes a memory leak that occurred when using SIP in TCP/ClientSSL configurations, when the clientside flow was torn down in response to the SSL handshake not completing. The system now frees the SIP handler upon receiving the notification of a failed SSL handshake, so that the connection is rejected, the system performs the proper cleanup of the SIP handler, and no memory leak occurs.


500088-5 : OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update

Component: Access Policy Manager

Symptoms:
Potential OpenSSL vulnerabilities. https://www.openssl.org/news/secadv_20150108.txt

Conditions:

Impact:
Upgraded to OpenSSL 1.0.1l

Workaround:

Fix:
OpenSSL library updated to version 1.0.1l


499950-8 : In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs

Component: Local Traffic Manager

Symptoms:
Inconsistent persistence entries across TMMs.

Conditions:
This occurs when the following conditions are met:
-- intra_cluster HA configuration.
-- node flapping.

Impact:
Inconsistent persistence behaviors.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:
when PERSIST_DOWN { persist delete source_addr [IP::client_addr] }
For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
An issue involving inconsistent behavior of persistence across TMMs is fixed.


499701-4 : SIP Filter drops UDP flow when ingressq len limit is reached.

Component: Service Provider

Symptoms:
UDP statistics show an increase in the number of flows, and valid SIP messages are dropped.

Conditions:
This occurs when an iRule processing delay occurs (session db operations) combined with increase in the SIP incoming flow.

Impact:
SIP UDP flows are dropped.

Workaround:
None.

Fix:
The SIP UDP flow now remains when the ingress len limit is reached.


499620-2 : BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client for Mac shows the wrong SSL protocol version in Details; it does not display the protocol version that was negotiated.

Conditions:
BIG-IP Edge Client for Mac.

Impact:
The BIG-IP Edge Client for Mac displays an incorrect SSL protocol version in Details.

Workaround:
None.

Fix:
The BIG-IP Edge Client for Mac displays the correct SSL protocol version now in Details.


499478-1 : Fix bug 464651 which introduced change-in-behavior for SSL server cert chains by not including the root certificate

Component: Local Traffic Manager

Symptoms:
Bug 464651 fixed a loop when building the certificate chain, caused by a bad certificate configuration. That fix unintentionally excluded the root certificate from the chain. While the result is still a valid certificate chain, it is a change in behavior.

Conditions:

Impact:
Some customers require the root certificate to be included in the certificate chain; without it, their certificate validation fails.

Workaround:

Fix:
This fix restores the previous behavior by including the root certificate in the chain.


499430 : Standby unit might bridge network ingress packets when bridge_in_standby is disabled

Component: Local Traffic Manager

Symptoms:
On a standby unit with a vlangroup configured with multiple VLAN members and the bridge_in_standby attribute set to false, the unit might still bridge network ingress packets across the vlangroup if those packets happen to match the host monitor traffic flows.

Conditions:
This occurs when the following conditions are met: Configure a vlangroup with multiple VLAN members in HA configuration and set vlangroup's bridge_in_standby attribute to false. Configure monitors to use non-default monitor rules (ICMP, etc.).

Impact:
This results in a traffic bridging loop between the active and standby units. The excessive traffic load might take down monitors on the BIG-IP system.

Workaround:
None.

Fix:
Standby unit no longer bridges network ingress packets when bridge_in_standby is disabled. This is correct behavior.


499427-3 : Windows File Check does not work if the filename starts with an ampersand

Component: Access Policy Manager

Symptoms:
Windows File Check does not work if the filename starts with an ampersand.

Conditions:
Run Windows file check and add a file name that starts with an ampersand.

Impact:
Depends upon access policy, but in the worst case a user might be allowed to log in.

Workaround:

Fix:
Access policy Windows File check now works with a file name that starts with an ampersand (&).


498992-2 : Troubleshooting enhancement: improve logging details for AWS failover failure.

Component: TMOS

Symptoms:
Logging information on BIG-IP VE for Failover on AWS was inadequate and did not provide the reason for failures in Failover.

Conditions:
Traffic-group failover sometimes failed without providing specific reason for the failure.

Impact:
Because of the lack of proper logging messages that could pin-point the mis-configuration or connectivity issues on AWS, it was difficult for customers to figure out what is causing the Failover to fail.

Workaround:
Adding more logging information in failover script resolves this issue and provides enough information to the customer to detect problems in failover.

Fix:
Added more logging details for AWS failover failure to assist in detecting problems in failover.


498782-6 : Config snapshots are deleted when failover happens

Component: Access Policy Manager

Symptoms:
When failover occurs, the config snapshots on the new active node might be deleted during the HA state transition. As a result, a user might encounter one of the following errors:
1. Login failure/denied.
2. Some webtop resources are missing after successful login.

Conditions:
When the standby node switches to active.

Impact:
User cannot login or access some resources after login.

Workaround:
Restart APD by running the command: bigstart restart apd.

Fix:
Now APD uses a short time interval for periodic checking of config snapshots right after failover happens. If config snapshots are found to be missing, APD recreates them. After a few such cycles, APD reverts to using a long time interval for the check.


498597-4 : SSL profile fails to initialize and might cause SSL operation issues

Component: Local Traffic Manager

Symptoms:
When the SSL profile fails to initialize, SSL enters pass-through mode instead of rejecting traffic.

Conditions:
SSL profile fails to initialize, for example, due to failure to load cert/key files.

Impact:
SSL enters pass-through mode instead of rejecting traffic. As a side effect, ConfigSync might fail, as the communication channel does not establish because of a hung SSL connection.

Workaround:
Make sure the cert/key files are available and have the proper access permissions.

Fix:
When the SSL profile fails to initialize, it now causes the SSL to reject traffic correctly.


498469-7 : Mac Edge Client fails intermittently with machine certificate inspection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails intermittently with machine certificate inspection when "Match CN with FQDN" setting is configured.

Conditions:
The problem occurs with BIG-IP Edge Client for Mac and machine certificate agent when in the access policy "Match CN with FQDN" is set.

Impact:
Edge Client fails to pass machine certificate inspection.

Workaround:

Fix:
BIG-IP Edge Client for Mac does not fail intermittently with machine certificate inspection agent.


497742-2 : Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address

Component: Local Traffic Manager

Symptoms:
Some packets re-transmitted as part of a full-proxy, non-SNAT'd TCP virtual server on a translucent-mode vlangroup do not correctly have the translucent-mode bit-flip applied.

Conditions:
This occurs with a translucent vlangroup and full virtual server with no SNAT.

Impact:
Egressing traffic with the source-MAC of another host can potentially lead to traffic loops.

Workaround:
Enable SNAT on the virtual server.

Fix:
All TCP re-transmits have the proper source MAC address.


497719-5 : CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, CVE-2014-9296

Component: TMOS

Symptoms:
CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, CVE-2014-9296

Conditions:
CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, CVE-2014-9296

Impact:
Potential susceptibility to one of the noted CVEs.

Workaround:
None.

Fix:
CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, CVE-2014-9296


497619-1 : TMM performance may be impacted when server node is flapping and persist is used

Component: Performance

Symptoms:
TMM consumes a higher percentage of the CPU resources when handling traffic.

Conditions:
This intermittent issue occurs when a pool member goes up and down while source_addr persistence is in use.

Impact:
System performance is impacted.

Workaround:
This issue has no workaround at this time.

Fix:
The intermittent performance impact no longer occurs when a pool member goes up and down while source_addr persistence is in use.


497584-1 : The RA bit on DNS response may not be set

Component: Local Traffic Manager

Symptoms:
Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.

Conditions:
If the system caches a message from the authoritative server without the RD bit set, and subsequent queries with RD set find that message, the cached message is not used because its RD bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not for the non-transparent cache.

Impact:
The impact of this issue is that recursion available is not signaled to clients so they may not treat the DNS cache as an available resolver.

Workaround:
To work around this issue, write an iRule that sets the RA bit when the cache is a resolver. The iRule must also check that the response origin is CACHE.

Fix:
The RA bit is set for the response when the cache resolver answers the query from the fast path.
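The following is an added illustration of the check this entry and its workaround describe; it is not BIG-IP code and not the iRule itself. It builds a minimal DNS response on the wire (constructed sample input), reads the header flags word (RFC 1035 4.1.1), and sets RA only when the answer was composed from the cache and the cache is a non-transparent resolver, leaving the rest of the message untouched. The origin labels ("CACHE", "AUTH") are assumptions modelled on the wording of the workaround.

```python
import struct

# DNS header flag bits (RFC 1035 4.1.1) as positions within the 16-bit flags word
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7


def flags_of(message):
    """Return the 16-bit flags word of a DNS message (bytes 2-3 of the header)."""
    return struct.unpack("!H", message[2:4])[0]


def set_flags(message, flags):
    """Return a copy of the message with the flags word replaced; everything else is untouched."""
    return message[:2] + struct.pack("!H", flags) + message[4:]


def build_response(txid, qname, address, flags):
    """Construct a minimal A-record response: one question, one answer using a name pointer to offset 12."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)                        # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)                      # TTL 300, RDLENGTH 4
    answer += bytes(int(octet) for octet in address.split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)                       # QD=1 AN=1 NS=0 AR=0
    return header + question + answer


def fix_ra(message, origin, transparent):
    """Set RA on a cache-composed response when the cache acts as a (non-transparent) resolver.

    origin:      where the response came from; "CACHE" is the label assumed for cache answers.
    transparent: True for a transparent cache, which must not advertise recursion it does not offer.
    """
    flags = flags_of(message)
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    if origin == "CACHE" and not transparent:
        flags |= RA
    return set_flags(message, flags)


if __name__ == "__main__":
    composed = build_response(0x1234, "www.example.com", "192.0.2.10", QR | RD)   # RA missing
    print(hex(flags_of(fix_ra(composed, "CACHE", transparent=False))))            # 0x8180: RA now set
    print(hex(flags_of(fix_ra(composed, "CACHE", transparent=True))))             # 0x8100: unchanged
```

The transparent case is left alone deliberately: a transparent cache forwards on behalf of some upstream resolver and should not claim recursion itself, which is why the entry says the unset RA bit is correct there and wrong only for the non-transparent cache.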


497564-3 : Improve High Speed Bridge diagnostic logging on transmit/receive failures

Component: TMOS

Symptoms:
When an HSB transmit or receive failure occurs, no information is provided on the state of the HSB transmit/receive rings prior to the failure.

Conditions:
The HSB experiences a transmit or receive failure.

Impact:
The unit is rebooted.

Workaround:
None.

Fix:
Improved High Speed Bridge diagnostic logging on transmit/receive failures.


497436-6 : Mac Edge Client behaves erratically while establishing network access connection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not establish a network access connection, or if it can establish a connection, it then drops the connection. A user might see a repeated connect/reconnect cycle.

Conditions:
OS X Yosemite, network access, BIG-IP Edge Client for Mac.

Impact:
User cannot establish network access connection.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now establish a connection correctly. An issue in the routing table patching code, which deleted an essential route, has been resolved.


497304-4 : Unable to delete reconfigured HTTP iApp when auto-sync is enabled

Component: TMOS

Symptoms:
When deleting an HTTP iApp, the system posts errors similar to the following in the LTM log, along with similar sync errors in the GUI:
-- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).
-- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).

Conditions:
Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp.

Impact:
Sync failure. Cannot delete the iApp manually after the error occurs.

Workaround:
Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.

Fix:
Ensure the sFlow data source is removed from an HTTP profile when it is deleted.


496817-4 : BIG-IP Edge Client for Windows fails to connect to FirePass server if tunnel is established through a proxy

Component: Access Policy Manager

Symptoms:
In a reconnect scenario, BIG-IP Edge Client cannot connect to a FirePass server if the tunnel was established through a proxy server.

Conditions:
Proxy is used to create VPN tunnel. The server is FirePass.

Impact:
The client fails to restore the VPN connection to the FirePass server.

Workaround:
Restart client.

Fix:
Added backward compatibility changes to BIG-IP Edge Client for Windows to work properly with FirePass.


496775-7 : [GTM] [big3d] Unable to mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor

Component: Global Traffic Manager

Symptoms:
[GTM] [big3d] Unable to mark LTM virtual server up if there is another virtual server with same ltm_name for bigip monitor.

Conditions:
LTM (running BIG-IP software older than v11.2.X) with a virtual server: /Common/http_vip with destination /Common/192.168.10.34:80. GTM (running BIG-IP software newer than v11.5.0) with this LTM as a BIG-IP Server. Two virtual servers on LTM: one with the original LTM virtual server address, and the other with the translated address:
1. name ltm_http_vip :: destination 192.168.10.34:80 :: monitor /Common/bigip.
2. name ltm_http_trans_vip :: destination 10.10.10.34:80 :: translation-address 192.168.10.34:80 :: monitor /Common/bigip.

Impact:
Both virtual servers are marked up for a brief interval. After a few minutes, one of them is marked down.

Workaround:
You can use either of the following workarounds:
-- Use a monitor other than bigip.
-- Replace /shared/bin/big3d on the LTM system with a copy of a version v11.2.1 big3d.

Fix:
The bigip health monitor no longer incorrectly marks down virtual servers with a duplicate ltm-name when there are BIG-IP GTM systems with differing software versions monitoring BIG-IP LTM virtual servers using the bigip monitor.


495560 : Crash from the error TMM if_bge.c:4471: Assertion 'we always have room in either sw or hw ring' fail.

Component: Local Traffic Manager

Symptoms:
When the transmit queue is nearly full, and a packet with more than 4 xfrags is being transmitted, an assertion failure causes a crash since there is not enough room in the queue for all the fragments.

Conditions:
Transmitting a packet with more than 4 xfrags when the transmit queue is almost full. This is rarely seen, with no known reproduction.

Impact:
The unit cannot pass traffic for an extended time during the crash and recovery, which can last for more than two minutes.

Workaround:
None.

Fix:
The system now performs error checking for maximum xfrags per transmit packet to prevent a TMM crash.


495336-2 : Logon page is not displayed correctly when 'force password change' is on for local users.

Component: Access Policy Manager

Symptoms:
Logon page is not displayed correctly when 'force password change' is on for local users.

Conditions:
When more than one logon page is configured in the Access policy, and the administrator sets 'Force Password Change' in the local user account database.

Impact:
Although it is correct behavior to require an initial password change and to require a logon after changing the password, the expected first page is a one-time password-change request, not the same change-password page displayed twice.

Workaround:
The current workaround is to add 'Variable Assign' agent in the LocalDB Auth Successful branch with a custom variable, for example: session.logon.page.challenge = expr { 0 }.

Fix:
The system now shows the correct logon page after the successful password change.


495319-6 : Connecting to FP with APM edge client is causing corporate network to be inaccessible

Component: Access Policy Manager

Symptoms:
Connecting to FirePass with a BIG-IP Edge Client for Mac that was downloaded from APM might not provide complete network access.

Conditions:
APM Edge Client, Firepass server, network access connection.

Impact:
Incomplete network access.

Workaround:
None.

Fix:
All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.


495311-1 : Internal build error occurs when manually building certain BIG-IP components

Component: Global Traffic Manager

Symptoms:
A build error may occur if an F5 developer builds certain BIG-IP components using specific sequences of commands.

Conditions:
F5 developer builds certain BIG-IP components using specific sequences of commands to override default build process.

Impact:
Internal to F5 developers only. No customer impact.

Workaround:

Fix:
Resolved build issues to install updated library and include files.


495265-5 : SAML IdP and SP configured in same access profile not supported

Component: Access Policy Manager

Symptoms:
SLO might not work properly under certain conditions. When a user attempts to start SLO, the connection gets reset. The system logs messages such as the following: RST sent from x.x.x.x:433 to x.x.x.x:xxxx, [0xxxxxx:xxx] Internal error ((APM::SSO) Error in reading sp info from session db failed)

Conditions:
All of the following conditions must be met:
1. Both BIG-IP as SP and BIG-IP as IdP are configured on the same access profile.
2. SLO is configured for both BIG-IP as IdP and BIG-IP as SP.
3. SLO is executed in multiple TCP sessions between the user's browser and the BIG-IP system.

Impact:
SLO is not properly executed; the user's session might not be terminated.

Workaround:
None.

Fix:
A problem with SAML single-logout has been fixed.


495024-1 : Policy flow's nexthop not always updated when route pool member status changes

Component: TMOS

Symptoms:
Policy flow's nexthop is not always updated when route pool member status changes.

Conditions:
This issue shows when an IPsec flow is routed via a gateway pool. When a monitored gateway pool member is detected to be down, a different member is selected as the gateway. The policy flow's nexthop is not always updated to reflect the member switch.

Impact:
IPsec traffic continues to use the down pool member.

Workaround:
None.

Fix:
Policy flow's nexthop is now correctly updated when route pool member status changes.


494637-4 : localdbmgr process in constant restart/core loop

Component: Access Policy Manager

Symptoms:
The localdbmgr process keeps crashing repeatedly.

Conditions:
The issue is caused by corruption of the contents stored in the memcache. The conditions under which the memory corruption occurs are not reproducible, and this is a rarely occurring issue.

Impact:
The localdbmgr process crashes repeatedly.

Workaround:
None.

Fix:
The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.


494565-1 : CSS patcher crashes when a quoted value consists of spaces only

Component: Access Policy Manager

Symptoms:
CSS content that contains only spaces between quotes leads to a rewrite crash. Example:
... background: url(' ') ... // some spaces between the quotes

Conditions:
Conditions leading to this problem include any case when CSS content contains a quoted value which consists of spaces only.

Impact:
A rewrite crash, which can lead to a web application malfunction.

Workaround:
To work around this issue, create an iRule that removes the spaces between the quotes.


494284-5 : Mac Edge Client with primary language of German shows unneeded text under disconnected status.

Component: Access Policy Manager

Symptoms:
With BIG-IP Edge Client for Mac, when the primary language is set to German on the Mac, the text shown under the disconnected status contains extra, unneeded wording.

Conditions:
Edge Client for Mac, when primary language is set to German on the Mac.

Impact:
Shows the following message: 'Um eine Verbindung herzustellen, wählen Sie aus dem Menü oben einen Server aus, und klicken Sie dann auf die Schaltfläche 'Auto-Verbindung' oder 'Verbinden' sichern und Werner der Seite standen aufs Auge drücken als Schadenersatz einer Woche kein Telefonat erneute.'

Workaround:
None.

Fix:
For BIG-IP Edge Client for Mac with primary language of German, the content that displays under disconnected status is now correct, without any unneeded text.


494098-2 : PAC file download mechanism race condition

Component: Access Policy Manager

Symptoms:
The PAC file download mechanism might encounter a race condition if /etc/hosts is patched with a static entry for the host that hosts the PAC file.

Conditions:
/etc/hosts is patched with a static entry for the host that hosts the PAC file.

Impact:
Proxy PAC file fails to download.

Workaround:
Add delay in proxy PAC file download to avoid race condition.

Fix:
The PAC file download mechanism now avoids the race condition when /etc/hosts is patched with a static entry for the host that hosts the PAC file.


494088-1 : APD or APMD should not assert when it can do more by logging error message before exiting.

Component: Access Policy Manager

Symptoms:
APD or APMD asserts and exits without logging error messages to aid in debugging the error.

Conditions:
In some rare situations (for example, access profile not found, or failure in loading a policy object), APD or APMD asserts. This results in dumping core.

Impact:
APD or APMD restarts and a core file is produced.

Workaround:
None.

Fix:
Now, in some rare situations where previously APD or APMD would assert, the system logs proper error messages before exiting. This results in restarting APD or APMD.


493673-3 : DNS record data may have domain names compressed when using iRules

Component: Local Traffic Manager

Symptoms:
Some DNS record types forbid DNS name compression in their record data, e.g., the NAPTR Replacement field. In certain parts of the DNS feature set (e.g., DNS iRules, DNSSEC, GTM), some of this record data may contain compressed names.

Conditions:
Using iRules.

Impact:
Some clients may expect uncompressed names and may not be able to follow compression pointers. This may cause the client to fail to use the RR.

Workaround:
None.

Fix:
Fields that forbid compression, such as the NAPTR Replacement field, are no longer compressed.
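As an added example (not part of these release notes or of F5's code), the following Python check parses a DNS response and flags any NAPTR answer whose Replacement field uses a compression pointer, which is the kind of record data affected by this issue. The sample response is constructed inline, and example.com / sip.example.com are placeholder names.

```python
"""Flag NAPTR answers whose Replacement field uses DNS name compression."""
import struct

NAPTR = 35  # RR type code for NAPTR


def _read_name(msg: bytes, off: int):
    """Parse a domain name at msg[off:], following compression pointers.
    Returns (name, offset_after_name_in_wire, used_pointer)."""
    labels = []
    used_pointer = False
    end_after_pointer = None
    hops = 0
    while True:
        hops += 1
        if hops > 128:
            raise ValueError("malformed name: too many labels or pointer loop")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            # Compression pointer: top two bits set, 14-bit message offset.
            used_pointer = True
            target = ((length & 0x3F) << 8) | msg[off + 1]
            if end_after_pointer is None:
                end_after_pointer = off + 2
            off = target
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    end = end_after_pointer if end_after_pointer is not None else off
    return ".".join(labels) + ".", end, used_pointer


def _read_char_string(msg: bytes, off: int):
    """Parse a <character-string> (one length byte, then the bytes)."""
    n = msg[off]
    return msg[off + 1:off + 1 + n], off + 1 + n


def find_compressed_naptr_replacements(msg: bytes):
    """Return [(owner, replacement)] for every NAPTR answer whose Replacement
    field contains a compression pointer. NAPTR RDATA must not be compressed
    (RFC 3597), and clients that honour that rule may fail to use the RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12  # fixed 12-byte header
    for _ in range(qdcount):
        _, off, _ = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    findings = []
    for _ in range(ancount):
        owner, off, _ = _read_name(msg, off)  # owner names may be compressed
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_start = off
        if rtype == NAPTR:
            p = rdata_start + 4  # skip ORDER and PREFERENCE
            for _ in range(3):   # FLAGS, SERVICES, REGEXP
                _, p = _read_char_string(msg, p)
            replacement, _, compressed = _read_name(msg, p)
            if compressed:
                findings.append((owner, replacement))
        off = rdata_start + rdlen
    return findings


def _encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def _char_string(s: bytes) -> bytes:
    return bytes([len(s)]) + s


def build_sample_response(compress_replacement: bool) -> bytes:
    """Constructed (not captured) NAPTR response with a single answer.
    The owner name is a pointer to the question name, which is legal. When
    compress_replacement is True the Replacement field also ends in a pointer
    to the question name, reproducing the defect this check detects."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name("example.com.") + struct.pack("!HH", NAPTR, 1)
    pointer_to_qname = b"\xC0\x0C"  # offset 12 = start of the question name
    if compress_replacement:
        replacement = b"\x03sip" + pointer_to_qname  # "sip" + pointer
    else:
        replacement = _encode_name("sip.example.com.")
    rdata = (struct.pack("!HH", 100, 10)
             + _char_string(b"S") + _char_string(b"SIP+D2U")
             + _char_string(b"") + replacement)
    rr = pointer_to_qname + struct.pack("!HHIH", NAPTR, 1, 3600, len(rdata)) + rdata
    return header + question + rr
```

Running find_compressed_naptr_replacements over build_sample_response(True) returns the one offending record, while the uncompressed variant returns an empty list.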


493385-3 : BIG-IP Edge Client uses generic icon set even if F5 icon set is configured

Component: Access Policy Manager

Symptoms:
BIG-IP Edge client uses generic icon set even if F5 icon set is configured.

Conditions:
BIG-IP Edge Client for Mac customized for a specific language.

Impact:
The UI might show the generic icon set for the Mac Edge Client in the system menu.

Workaround:
Remove customization for that language.

Fix:
Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.


493117 : Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted

Component: Local Traffic Manager

Symptoms:
After changing the netmask of an advertised virtual address, the address is no longer advertised.

Conditions:
Must have an advertised virtual address, and change its netmask.

Impact:
tmrouted must be restarted whenever the netmask of an advertised virtual address is changed.

Workaround:
Restart tmrouted whenever the netmask of an advertised virtual address is changed.

Fix:
Now, an advertised route remains advertised after its netmask is changed.


492238-3 : When logging out of Office 365 TMM may restart

Component: Access Policy Manager

Symptoms:
TMM may restart when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).

Conditions:
The problem occurs under these conditions:
1. The BIG-IP system is configured as a SAML Identity Provider (IdP) with Office 365 configured as a SAML Service Provider (SP).
2. Single logout (SLO) is configured on the BIG-IP system.
3. As part of an SLO request, the SP sends unsupported query parameters.

Impact:
Under certain conditions TMM may restart.

Workaround:
To work around the problem, disable SLO on the BIG-IP system.

Fix:
TMM no longer restarts when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).


492163-2 : Applying a monitor to pool and pool member may cause an issue.

Component: TMOS

Symptoms:
Typically, applying a monitor to a pool and a monitor to a pool member causes no issues. When the pool monitor is incompatible with the pool member, however, it can cause a validation issue.

Conditions:
A scenario in which the pool monitor is incompatible with the pool member, for example, a pool with an http monitor and a wildcard pool member (even if the pool member has its own monitor).

Impact:
Failed transaction or configuration load.

Workaround:
Remove the pool monitor, load, then add pool monitor back.

Fix:
Instances in which the pool monitor is incompatible with the pool member are now validated correctly.


492153-4 : Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Conditions:
BIG-IP Edge Client monitors the state of the IP address used for the DTLS tunnel, so the system can react quickly to any network connectivity issues. The monitor correctly disconnects the tunnel if the adapter loses the IP address. However, an issue causes the tunnel to shut down when the state of the IP address changes to deprecated.

Impact:
Tunnel processing halts.

Workaround:

Fix:
BIG-IP Edge Client now keeps the DTLS connection until the IP address becomes invalid, as expected.


491771-4 : Using catch to suppress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic

Component: Local Traffic Manager

Symptoms:
If, inside a proc, a parking command (like table, session, open, send, RESOLVE::lookup) is incorrectly placed within square brackets (meaning the result is to be evaluated as a command by the enclosing "catch" block) and the error is suppressed by the catch block, TMM cores with a SIGFPE panic and this message:

panic: TclExecuteByteCode execution failure: end stack top < start stack top

Example (THIS CODE MAY CAUSE TMM TO CRASH if this procedure is called):

    proc id491771 {} {
        # WILL CAUSE TMM TO CRASH: the result of the parking command
        # is evaluated as a command inside the catch block
        catch { [table lookup "key"] }
    }

The correct usage of "catch" is without the brackets:

    proc id491771 {} {
        catch { table lookup "key" }
    }

Conditions:
1) A parking command like "table"
2) The very next operation generates an error
3) Both commands are inside a "catch" block
4) And this catch block exists within a proc

Impact:
TMM cores with a SIGFPE and this panic string: panic: TclExecuteByteCode execution failure: end stack top < start stack top

Workaround:
Any command that completes without parking, placed after the parking command but before the error, prevents the issue. For instance:

    set A "a"

Another solution is to move the "catch" statement outside of the proc into the body of the script. Alternatively, remove the square brackets that indicate that the result of the command should be evaluated in this specific case. The use of brackets in this way is likely a coding mistake in the iRule.


491556-2 : tmsh show sys connection output is corrected

Component: TMOS

Symptoms:
tmsh show sys connection output is corrupted for certain user roles.

Conditions:
This occurs for users with user roles that do not have access to all partitions.

Impact:
The output from tmsh show sys connection is corrupted. After issuing this command, the output of subsequent tmsh commands might not be correct or complete.

Workaround:
Quit out of tmsh. Restart the shell. Do not use the show sys connection command for users that do not have access to all partitions. Use the GUI instead to get this information.

Fix:
tmsh show sys connection output is correct for users that do not have access to all partitions.


491554-1 : [big3d] Possible memory leakage for auto-discovery error events.

Component: Global Traffic Manager

Symptoms:
Big3d may leak memory when auto-discovery is enabled and error events occur.

Conditions:
Auto-discovery is enabled on a BIG-IP system.

Impact:
big3d consumes an increasing amount of memory.

Workaround:
None.

Fix:
big3d no longer leaks memory during auto-discovery failure events.


491454-3 : SSL negotiation may fail when SPDY profile is enabled

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when SPDY profile is attached.

Conditions:
This occurs when the following conditions are met:
-- Client (e.g., Chrome for Android) attempts to use the SPDY protocol using Next Protocol Negotiation (NPN) during the SSL handshake.
-- BIG-IP system has a Cavium Nitrox card.

Impact:
SSL handshake or other connection failure.

Workaround:
Remove SPDY profile.

Fix:
SSL handshake now completes successfully when a SPDY profile is attached and Next Protocol Negotiation (NPN) is detected on a BIG-IP system with a Cavium Nitrox accelerator.


491439 : HiGig MAC registers are not dumped to log file on HSB transmitter failure

Component: TMOS

Symptoms:
The HiGig MAC (HGM) registers are not dumped to the log files when an HSB transmitter failure occurs.

Conditions:
When an HSB transmitter failure occurs due to an issue in the HiGig MAC, there is not enough information in the log files to determine the cause of the lockup.

Impact:
Only some of the registers are dumped to the log files when an HSB transmitter failure occurs. The following HiGig event and HSB transmitter failure are present in the log files:
-- info bcm56xxd[7746]: 012c0015:6: Link: 4.3 is DOWN
-- info bcm56xxd[7746]: 012c0012:6: Reset HSBe2 (bus 1) HGM2 MAC completed on higig2 link 4.3 down event.
-- info bcm56xxd[7746]: 012c0015:6: Link: 4.3 is UP
-- crit tmm5[14718]: 01230111:2: Interface 0.6: HSB DMA lockup on transmitter failure.

Workaround:

Fix:
HiGig MAC registers are now correctly dumped to log file on HSB transmitter failure.


491233-5 : Rare deadlock in CustomDialer component

Component: Access Policy Manager

Symptoms:
Windows 7 systems hang at a black screen after a reboot. This requires a hard boot to resolve.

Conditions:
CustomDialer component.

Impact:
Cannot log in. Requires hard boot to resolve.

Workaround:

Fix:
The CustomDialer component has been updated to prevent a rarely occurring deadlock.


490817-6 : SSL filter might report codec alerts repeatedly

Component: Local Traffic Manager

Symptoms:
TMM cores due to Out of Memory (OOM), and xdata is the majority of the memory consumption.

Conditions:
The SSL filter enters a failure mode in which it appears to transmit alert messages repeatedly until TMM runs out of memory, which stops the transmissions. TMM then cores due to lack of memory.

Impact:
The system might crash. (Massive xfrag usage, degraded performance, eventual TMM OOM.)

Workaround:

Fix:
Clear codec alert after propagation so SSL filter no longer reports alerts indefinitely.


490811-2 : Proxy configuration might not be restored correctly in some rare cases

Component: Access Policy Manager

Symptoms:
Local proxy configuration on Mac OS X might not be restored correctly in some rare cases.

Conditions:
BIG-IP Edge Client for Mac is connected, the tunnel drops for some reason, and a race condition during proxy configuration restoration causes the configuration not to be restored properly.

Impact:
Proxy configuration might not be restored correctly in some rare cases.

Workaround:
None

Fix:
A rare case where proxy configuration might not be restored correctly has been fixed.


490740-3 : TMM may assert if HTTP is disabled by another filter while it is parked

Component: Local Traffic Manager

Symptoms:
If HTTP is parked in an iRule and is disabled by another filter on the client side, it asserts with the message: TCL passthrough switch state only valid server-side.

Conditions:
An HTTP iRule on the client side parks. Another filter tells HTTP to disable itself.

Impact:
TMM crashes.

Workaround:
Avoid using HTTP::disable in iRules that can run simultaneously with iRules triggered by the HTTP filter. Instead, disable

Fix:
HTTP will no longer crash if HTTP is disabled while it is parked on the client side.


490713 : FTP port might occasionally be reused faster than expected

Component: Local Traffic Manager

Symptoms:
FTP port is randomly selected and occasionally might be reused quickly.

Conditions:
FTP active mode. Source Port is set to change.

Impact:
FTP port might occasionally be reused faster than expected.

Workaround:

Fix:
FTP port selection uses a round robin method to avoid quick-reuse as much as possible.


490681-4 : Memcache entry for dynamic user leaks

Component: Access Policy Manager

Symptoms:
A race condition causes a memcache entry to remain in memcache forever.

Conditions:
Due to a race condition between identifying dynamic users in MySQL and removing them from memcache (based on timestamp), some memcache entries remain. Although the entry is removed from MySQL, it remains in memcache.

Impact:
The user state information for the user remains unchanged. If the user is locked out in memcache, the user state remains locked out.

Workaround:
The only way to recover is to remove the user using telnet to access memcache (which is not a typical operation and is difficult to perform).

Fix:
Now a self expiry is set for each memcache object (which is configurable). With this change, each user remains in the cache only for the configured duration.


490675-4 : User name with leading or trailing spaces creates problems.

Component: Access Policy Manager

Symptoms:
A user creates a dynamic user with leading and trailing spaces, so the user name looks like " user1 ". When the user entry is created in MySQL, " user1 " is treated the same as "user1", because the spaces at the beginning and the end are eliminated. The memcache entry does not do the same.

Conditions:
Create a dynamic user with a regular name. Then retry the same user name with leading and trailing spaces. There are multiple entries for the same user (one regular and another with spaces). When the dynamic user is deleted, the regular user name is deleted from memcache and from MySQL; the other user entry remains in memcache.

Impact:
Unnecessary memcache entries.

Workaround:
This issue has no workaround at this time.

Fix:
In this fix, we trim leading and trailing spaces from the user name before using it. So the user name is uniform everywhere.


489382-3 : Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert

Component: Access Policy Manager

Symptoms:
Browser clients allow the Machine Cert Auth agent to pass even if the match SubjectCN and FQDN criterion is not satisfied. This happens only if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.

Conditions:
The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.

Impact:
Browser allows network access to be established even though it should not.

Workaround:
To work around the problem, add more search criteria in the Machine Cert Auth agent.

Fix:
Browser client now selects the appropriate certificate when the match SubjectCN and FQDN criterion is specified in the Machine Cert Auth agent.


489364-5 : Now web VPN client correctly minimizes IE window to tray

Component: Access Policy Manager

Symptoms:
An Internet Explorer window remains on the taskbar on Network Access connect even if the 'minimize to tray' option is enabled.

Conditions:
Internet Explorer is used and the 'minimize to tray' option is enabled.

Impact:
IE window stays on the desktop.

Workaround:

Fix:
Now an Internet Explorer window is correctly minimized to tray.


489328-4 : Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause TMM to crash.

Component: Access Policy Manager

Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.

Conditions:
Rare condition: a user opens the browser with different tabs pointing to the BIG-IP APM virtual server, which causes the access policy to run from both tabs. If the length of the encoded URL falls on a 4K boundary, TMM might crash.

Impact:
Rarely encountered BIG-IP service unavailable.

Workaround:
None.

Fix:
Proper checks were added before processing the URL so that, if there is a long initial URL, the BIG-IP system does not process it, and a user might see a reset. After establishing the session in other tabs, the user can access the long URL again.


489323-4 : Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.

Component: Access Policy Manager

Symptoms:
Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server. This issue was found during internal code audit.

Conditions:
This occurs when a remote desktop profile is enabled on a virtual server that is also configured with either of the following:
- VDI profile.
- Application Tunnels (Java & Per-App VPN).

Impact:
A remote attacker may be able to impact the availability of BIG-IP system.

Workaround:
The issue is exposed only if a remote desktop profile is in use. If remote desktop profile is needed there is no mitigation. If remote desktop profile is not needed it can be removed from the virtual servers in question.

Fix:
Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server no longer occurs.


488986-5 : Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.

Component: Access Policy Manager

Symptoms:
An access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and Windows Edge client.

Conditions:
Internet Explorer versions 10 and 11.

Impact:
Access policy cannot enter Windows Protected Workspace.

Workaround:
Use a browser other than Internet Explorer versions 10 and 11.

Fix:
An access policy can now enter Windows Protected Workspace on Internet Explorer versions 10 and 11.


488917-3 : Potentially confusing wamd shutdown error messages

Component: WebAccelerator

Symptoms:
When shutting down, wamd might log debug messages that appear serious.

Conditions:
wamd shutdown.

Impact:
Unnecessary log messages generated, similar to the following:
-- WA Debug (17637): * WARNING: The server encountered an unexpected condition.
-- WA Debug (17637): * Contact F5 support if you are experiencing problems and include
-- WA Debug (17637): * the following diagnostic information.
These messages are cosmetic and do not indicate a problem with the system.

Workaround:
None.

Fix:
The wamd process no longer generates potentially alarming debug log messages when shutting down.


488736-2 : Fixed problem with iNotes 9 Instant Messaging

Component: Access Policy Manager

Symptoms:
iNotes 9 IM (Sametime) is not working. There are errors in JS Console.

Conditions:
User is connected to iNotes 9 through Portal Access.

Impact:
Sametime in iNotes 9 is not accessible.

Workaround:
None.

Fix:
iNotes 9 Sametime (instant messaging) is working now.


487170-4 : Enhanced support for proxy servers that resolve to multiple IP addresses

Component: Access Policy Manager

Symptoms:
VPN might fail to connect in environments where DNS returns multiple IP addresses for the proxy server host name. This includes both the Edge Client and the web client.

Conditions:
The proxy server name resolves to multiple IP addresses, or the proxy server IP address changes on a subsequent call to the DNS resolver.

Impact:
VPN connection might fail.

Workaround:
Configure DNS to return a persistent IP address for the proxy host name.

Fix:
Added support for scenarios where proxy host name resolves to multiple addresses.


486597-5 : Fixed Network Access renegotiation procedure

Component: Access Policy Manager

Symptoms:
Network Access reconnects on every SSL renegotiation attempt on Windows 7 for TLS1.2 and TLS1.1 if client cert is requested.

Conditions:
This occurs when the following conditions are met:
-- Windows 7.
-- TLS 1.1/TLS 1.2.
-- Client cert set to 'required' in the Virtual Server's Client Cert profile.

Impact:
Reconnect on every SSL renegotiation attempt.

Workaround:
None.

Fix:
Fixed Network Access renegotiation procedure on TLS1.1 and TLS1.2 for Microsoft Windows 7.


486512-4 : audit_forwarder sending invalid NAS IP Address attributes

Component: TMOS

Symptoms:
Forwarded auditing messages contain the incorrect nas-ip-address attribute. It should be the local IP of the box. Instead nas-ip-address is another, random IP address.

Conditions:
This seems to work fine when the BIG-IP is a virtual machine. The issue reproduces only on actual hardware.

Impact:
Cannot pass certification because config auditing is not working as expected (invalid NAS IP Address).

Workaround:
None.

Fix:
Forwarded auditing messages now contain the correct nas-ip-address attribute, so config auditing is now working as expected.


486346-4 : Prevent wamd shutdown cores

Component: WebAccelerator

Symptoms:
Under some circumstances, wamd cores while trying to exit.

Conditions:
wamd during shutdown.

Impact:
Unnecessary core files generated consuming some resources.

Workaround:
None.

Fix:
wamd no longer cores and now exits gracefully when shutting down.


486268-4 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
On the BIG-IP APM logon page, a title may not appear.

Conditions:
The RSA error message contains newline symbols. (For example, RSA 8.1 uses such a message.)

Impact:
May cause usability issues.

Workaround:

Fix:
Now the title displays correctly on the logon page; RSA error messages are now sanitized.


485948-3 : Machine Info Agent should have a fallback branch

Component: Access Policy Manager

Symptoms:
Machine Info agent is not supported for legacy logon clients (for example, mobile clients and Linux CLI); it is only supported for web logon clients (browsers and BIG-IP Edge Clients). However, the Machine Info agent does not throw any error if a legacy logon client connects to APM with the Machine Info agent in it.

Conditions:
This occurs with a Machine Info agent in the access policy and legacy logon clients.

Impact:
The Machine Info agent does not create any machine information-related session variables for legacy logon clients, nor does it indicate that it is not supported.

Workaround:
To work around the problem, use the Client Type agent to distinguish between legacy logon and web logon clients, and then add the Machine Info agent only in the web logon clients branch.

Fix:
The Machine Info agent now differentiates between legacy logon clients and web logon clients by creating an error session variable. The error session variable is set to 1 when legacy logon clients connect to APM and 0 otherwise.


485939-4 : OSPF redistributing connected subnets that are configured in the network element with infinity metric in an HA pair.

Component: TMOS

Symptoms:
In an HA pair setup, the active node sends an As_External Link-State Advertisement (LSA) with an infinity metric value for the redistributed connected subnets that are configured in the network element of OSPF.

Conditions:
An HA pair with redistributed connected subnets that are also configured in the network element in OSPF.

Impact:
The active node in the HA pair sends an LSA with infinity metric that gets exchanged in the other networks affecting the routing process.

Workaround:
Running 'clear ip ospf process' fixes the issue. However, it is not an effective solution in a production environment.

Fix:
OSPF sessions in an HA pair no longer send an As_External LSA for subnets that are configured as a network element and redistributed as connected subnets.


485472-5 : iRule virtual command allows for protocol mismatch, resulting in crash

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command allows for protocol mismatch.

Conditions:
A virtual server with an iRule which leverages the 'virtual' command targeting a virtual server that differs in protocol. For example, a UDP virtual server targeting a TCP virtual server.

Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.

Workaround:
This is the result of a misconfiguration. Modify iRules to ensure L4 protocols match between virtual servers.

Fix:
Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch.


485465-4 : TMM might restart under certain conditions when executing SLO.

Component: Access Policy Manager

Symptoms:
TMM may restart when Single Logout (SLO) request/response contains an invalid 'Issuer' attribute.

Conditions:
SLO is configured on BIG-IP as SP or IdP. SLO request or response is received from SP/IdP for which there is no current session.

Impact:
TMM restarts.

Workaround:
Disable SLO.

Fix:
The system now handles Single Logout (SLO) response/request so that TMM no longer restarts.


485352-5 : TMM dumps core file when loading configuration or starting up

Component: TMOS

Symptoms:
TMM dumps core file when configuration file is being loaded or when TMM is starting up.

Conditions:
This error happens when there is no APM license installed.

Impact:
The error renders the system unusable.

Workaround:

Fix:
The system now correctly handles configuration load when there is no APM license.


485232 : Disabling and re-enabling an active blade in an HA group may result in the blade becoming standby

Component: TMOS

Symptoms:
Disabling and re-enabling an active blade in an HA group might result in the blade becoming standby.

Conditions:
This occurs when using HA group scoring with HA scoring weighted equally among peers. The peer must have its blades enabled.

Impact:
After re-enabling a blade, it does not go active even though its mate blade is active. The standby blade does not take traffic.

Workaround:
Fail the system over to the peer by disabling its blades, then enable them and fail back (if desired).

Fix:
When a blade is re-enabled, it checks to see if a mate blade is active. If a mate blade is active, the newly enabled blade will also go active.


485176-1 : RADIUS::avp replace command cores TMM when only two arguments are passed to it

Component: Policy Enforcement Manager

Symptoms:
The RADIUS::avp replace iRule command will core when only two arguments are passed to it.

Conditions:
Must be running an iRule that executes a RADIUS::avp replace command with only two arguments.

Impact:
TMM cores, which can result in a failover.

Workaround:
None.

Fix:
TMM no longer cores when only two arguments are passed to the RADIUS::avp replace command.


484861-2 : A standby-standby state can be created when auto failback acts in a CRC disagreement scenario

Component: TMOS

Symptoms:
A standby-standby state can occur after a failback if there is a CRC disagreement between peers.

Conditions:
HA pair using auto failback. There must be a CRC disagreement between peers. The failback preferred system must have a lower traffic group score than its peers. NOTE: CRC disagreements may lead to other issues and the customer is strongly advised to sync the devices to remove the disagreement.

Impact:
It's a site down situation as all the objects in the traffic group will become unreachable.

Workaround:
Sync devices to remove the CRC disagreement.

Fix:
Ensure that the preferred system goes active after auto failback, even if its traffic group score is lower than that of its peers.


484847-5 : DTLS cannot be disabled on Edge Client for troubleshooting purposes

Component: Access Policy Manager

Symptoms:
There is no client side option to disable DTLS. This option can be very useful in troubleshooting client connectivity issues.

Conditions:
It is required to debug DTLS versus TLS connections.

Impact:
Troubleshooting connectivity issues becomes difficult.

Workaround:
Disable DTLS on server side.

Fix:
Now you can add new registry keys and use them to disable DTLS on both BIG-IP Edge Client and browsers. Using these keys, you can disable DTLS on a particular client without changing the BIG-IP system configuration.

To disable DTLS on a client machine, create a registry DWORD value (both keys are valid for x64 and x86 systems):

    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
or
    HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\EnableDTLSTransport

and set it to 0.


484733-1 : aws-failover-tgactive.sh doesn't skip network forwarding virtuals

Component: TMOS

Symptoms:
When there are forwarding virtual servers with SNATs defined in the configuration, the reassignment of IP addresses for virtual servers does not happen correctly in Amazon Web Services (AWS).

Conditions:
Forwarding virtual servers with SNATs defined.

Impact:
HA failover is impacted.

Workaround:

Fix:
The reassignment of IP addresses for forwarding virtual servers with SNATs defined in the configuration now occurs as expected in Amazon Web Services (AWS).


484706-4 : Incremental sync of iApp changes may fail

Component: TMOS

Symptoms:
Incremental sync of the deletion of an iApp instance may fail, with the error message indicating that certain objects owned by the application are still in use. Alternatively, child objects that should have been deleted when reconfiguring an iApp instance may remain on peer devices after incremental sync has completed.

Conditions:
Incremental sync of the deletion of an iApp instance. Incremental sync of deleting a child object, if the iApp implementation script creates the parent object without child objects, and then separately adds the replacement child objects.

Impact:
An attempt to delete an iApp may cause a sync failure. An attempt to reconfigure an iApp without a previously existing child object (pool member, etc.) may cause the object to continue to exist on peer devices.

Workaround:
Full load sync (either the 'Overwrite Configuration' option on the Device Management Overview page, or temporarily setting the device group to full load only), and then performing the sync operation completes successfully.

Fix:
Incremental sync of the deletion of an iApp instance now completes successfully. Incremental sync of iApp changes, where the iApp template creates a parent object separately from child objects now syncs correctly.


484635-13 : Upgraded to OpenSSL 1.0.1j

Component: Access Policy Manager

Symptoms:
OpenSSL 1.0.1j fixes the vulnerabilities described in https://www.openssl.org/news/secadv_20141015.txt

Conditions:

Impact:
Potential exposure to the OpenSSL vulnerabilities fixed in 1.0.1j, as described in https://www.openssl.org/news/secadv_20141015.txt

Workaround:

Fix:
CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568: Update OpenSSL to latest.


484582-5 : APM Portal Access is inaccessible.

Component: Access Policy Manager

Symptoms:
APM Portal Access is inaccessible.

Conditions:
One of sessions reaches 64 KB of Portal Access application cookie storage.

Impact:
The rewrite plugin crashes and APM Portal Access becomes inaccessible. Shortly after, the plugin crashes with a '*** glibc detected ***' memory corruption message. The rewrite daemon log contains the following lines:
- notice rewrite - cookie.cpp:543 : updateCookieSessionStore : expiring cookie ...

Workaround:
None.

Fix:
Rewrite plugin no longer crashes when Portal Access application cookies require more than 32 KB of storage.


484454-8 : Users not able to log on after failover

Component: Access Policy Manager

Symptoms:
Users fail the access policy check after failover happens. The command 'configdump -allkeys' does not display any entry for the access profile.

Conditions:
The issue shows up after the following sequence of events: 1. The TMM on the active node restarts or crashes, and the node becomes standby. 2. TMM and APD restart; APD re-creates the config snapshots in the SessionDB. 3. The snapshots just created get deleted. 4. Failover happens again and the node becomes active. 5. Users fail to log on.

Impact:
Users cannot log on

Workaround:
Run 'bigstart restart apd' to re-create config snapshots.

Fix:
APM checks config snapshots periodically and recreates them if any are missing.


484453-2 : Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)

Component: TMOS

Symptoms:
When the log filter is configured to filter at the 'Informational' log level, the logs can get filled with 'client /var/run/lopd.chmand.lopuns already registered' messages when registering with either the Lights Out Processor daemon (lopd) or the CAN daemon (cand). These messages appear in the log every two seconds on systems with lopd, or every 20 seconds on systems with cand.

Conditions:
This occurs when using a remote syslog logging filter with the 'Severity' field set to 'Informational'.

Impact:
Logs fill with messages. These messages are related to communication with the Lights Out Processor daemon (lopd) or with the CAN daemon (cand), and are completely benign, so you can safely ignore them.

Workaround:
Change the remote syslog logging level to 'Notice'.

Fix:
Reduced the log level for registering with the LOP (lights out processor) and CAN daemon (cand) to the debug level.


483792-2 : when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources

Component: Access Policy Manager

Symptoms:
Customers running into iSession related issues.

Conditions:
This happens when APM has been running.

Impact:
Some of the Network Access resources may not run properly when iSession control channel is disabled.

Workaround:
None

Fix:
When the iSession control channel is disabled through db variable, then some of the Network Access resources, including App tunnel, Microsoft RDP, and optimized tunnel resources, will not be assigned to the session.


483683-4 : MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error

Component: TMOS

Symptoms:
"Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error on secondary blades when starting up. When this happens, MCP is left in a bad state and several issues (not obviously related to this error) can occur.

Conditions:
Only occurs on a chassis system, and only on secondary blades.

Impact:
This error is the precursor to bad behavior on the system. The exact issues seen are hard to quantify, as they vary depending on what state MCP's database is in when the exception is thrown.

Workaround:

Fix:
Added code to catch exceptions in rm_DBLowHighWide. We now delete the binary MCP database when an exception is caught, and restart MCP. This restart without a binary database bypasses rm_DBLowHighWide and allows the secondary MCP to receive its configuration from the primary MCP.


483665-1 : Restrict the permissions for private keys

Component: Local Traffic Manager

Symptoms:
Keys were readable by all users on the BIG-IP once they are given the path.

Conditions:

Impact:
Keys were readable by all users on the BIG-IP once they are given the path.

Workaround:

Fix:
The permissions for SSL keys are restricted such that they are readable only for export from iControl or UI.
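An added audit helper, not F5 code and not part of this release note, that checks for the exposure described above: it lists the files in a key directory that are still readable by the group or by other users, and can lock down a directory you manage yourself. The BIG-IP key store path /config/ssl/ssl.key in the usage comment is an assumption; pass whatever directory holds the keys.

```shell
#!/bin/sh
# Added audit helper; not F5 code and not from this release note.
# Lists private-key files under a directory that are readable by the group or
# by other users, and optionally strips those permissions. The BIG-IP key store
# path in the usage comment below is an assumption.

# Print every regular file under "$1" whose group-read (040) or other-read (004)
# permission bit is set. Output is sorted so it is stable for comparison.
find_exposed_keys() {
    find "$1" -type f \( -perm -004 -o -perm -040 \) | sort
}

# Remove group and other permissions from every regular file under "$1".
# Use only on key directories you manage yourself (see the note below).
lock_down_keys() {
    find "$1" -type f -exec chmod 600 {} +
}

# Succeed (exit 0) only if no key under "$1" is exposed; usable as a cron
# check or a pre-upgrade audit.
keys_are_private() {
    [ -z "$(find_exposed_keys "$1")" ]
}

# Usage on a BIG-IP (path assumed): find_exposed_keys /config/ssl/ssl.key
```

On a device without this hotfix, find_exposed_keys run against the key directory prints every key a local user could read once given the path; after the hotfix the list should be empty. On a BIG-IP, apply the hotfix rather than changing permissions under the key store by hand; lock_down_keys is for key directories you administer yourself.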


483653-1 : In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window

Component: Local Traffic Manager

Symptoms:
In some traffic situations, TMM can excessively buffer client data instead of closing the TCP window. This buffering occurs based on internal race conditions that are not directly controllable. This occurs only when the BIG-IP is providing SSL termination or origination. In extreme circumstances with a slow connection, this could ultimately lead to out of memory situations.

Conditions:
The virtual must be providing SSL termination and/or origination.

Impact:
Increased memory usage, possibly leading to tmm crashing.

Workaround:

Fix:
Flow control through SSL is consistent and no longer leaves the chain misordered on flow control.


483286-4 : APM MySQL database full as log_session_details table keeps growing

Component: Access Policy Manager

Symptoms:
APM stores session reporting data in "apm" MySQL database, under log_session_details table, but never does any cleanup. This causes the table to continuously grow. Eventually this consumes all disk, potentially corrupting the SQL data, and stopping services on the BIG-IP system that rely on MySQL.

Conditions:
Conditions leading to this issue include: APM is provisioned; and 350M APM sessions are created over any period of time (each row in log_session_details consumes ~20 bytes).

Impact:
MySql volume (12G) will fill with data, potentially stopping or degrading services in the box that rely on MySQL. Including: ASM, AVR, APM Reporting, Web UI, and QkView.

Workaround:
Manually clean up the log_session_details table in the MySQL database. First, retrieve the randomly generated, per-device MySQL password by running the following shell command as the root user:

# perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw
PjL7mq+fFJ

where PjL7mq+fFJ is the random password generated at MySQL installation in this example. Use this password in the following command to perform the cleanup:

# /usr/bin/mysql -uroot -pPjL7mq+fFJ --database=apm -e "delete from log_session_details where active = 'N';"

This deletes all rows that are referred to by an inactive session.
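The command above places the MySQL password on the mysql command line, where any local user can read it from the process list for as long as the client runs. The following is an added example, not F5 code and not part of this release note, that performs the same cleanup with the password in a mode-0600 option file, deletes in bounded batches so a single DELETE does not hold a long lock on a table of hundreds of millions of rows, and reports the eligible row count before and after. The /var/db/mysqlpw path, the PassCrypt decrypt command, the /usr/bin/mysql client and the active = 'N' predicate are the ones given in the workaround; the batch size is an assumption.

```shell
#!/bin/sh
# Added example; not F5 code and not part of this release note.
# Same cleanup as the workaround above, but the MySQL password never appears
# on a command line, and rows are deleted in bounded batches.

# Recover the per-device MySQL password exactly as in the workaround (run as root).
apm_mysql_password() {
    perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw
}

# Write a mode-0600 MySQL option file holding the credentials and print its path.
# mysql reads it via --defaults-extra-file, which must be its first option.
write_mysql_defaults() {
    f=$(umask 077 && mktemp "${TMPDIR:-/tmp}/apm-mysql.XXXXXX") || return 1
    printf '[client]\nuser=root\npassword="%s"\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# SQL that removes up to "$1" rows belonging to inactive sessions.
cleanup_batch_sql() {
    printf "DELETE FROM log_session_details WHERE active = 'N' LIMIT %d;" "$1"
}

# SQL that counts the rows still eligible for deletion.
count_inactive_sql() {
    printf "SELECT COUNT(*) FROM log_session_details WHERE active = 'N';"
}

# Run one SQL statement against the apm database; "$1" is the option file.
apm_query() {
    /usr/bin/mysql --defaults-extra-file="$1" -N -B --database=apm -e "$2"
}

# Orchestration; only meaningful on a BIG-IP with mysql and PassCrypt present.
# The batch size (default 100000 rows, an assumption) is the optional argument.
cleanup_apm_sessions() {
    batch=${1:-100000}
    defaults=$(write_mysql_defaults "$(apm_mysql_password)") || return 1
    trap 'rm -f "$defaults"' EXIT
    remaining=$(apm_query "$defaults" "$(count_inactive_sql)") || return 1
    echo "inactive rows before cleanup: ${remaining:-0}"
    while [ "${remaining:-0}" -gt 0 ]; do
        apm_query "$defaults" "$(cleanup_batch_sql "$batch")" || return 1
        remaining=$(apm_query "$defaults" "$(count_inactive_sql)") || return 1
    done
    echo "inactive rows after cleanup: ${remaining:-0}"
}
```

Run cleanup_apm_sessions as root on the BIG-IP. The option file is removed on exit, and because mysql reads it rather than a -p argument, the decrypted password is never visible in ps output.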


482710-7 : SSLv3 protocol disabled in APM clients

Component: Access Policy Manager

Symptoms:
Clients configured to only support SSLv3 will fail to connect. Web login using clients configured to only support SSLv3 will fail.

Conditions:

Impact:
Clients that only support SSLv3 cannot connect; clients must be configured to support TLS-based ciphers.

Workaround:

Fix:
SSLv3 protocol is disabled in APM clients. All clients must connect using TLS based ciphers.


482269-4 : APM support for Windows 10 out-of-the-box detection

Component: Access Policy Manager

Symptoms:
APM does not support out-of-the-box detection for Windows 10 in visual policy editor configuration.

Conditions:
Windows 10, APM

Impact:
Windows 10 cannot be detected in visual policy editor rules.

Workaround:

Fix:
APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as, Client OS and Client Type.


482260-1 : Location of Captive portal configuration registry entry in 64 bit windows is incorrect

Component: Access Policy Manager

Symptoms:
Captive portal detection configuration in BIG-IP Edge Client does not work as intended on 64-bit Windows-based platforms. Changing HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\DisableCaptivePortalDetection has no impact on captive portal detection in Edge Client on 64-bit Windows.

Conditions:

Impact:
Windows 64-bit clients are not redirected to the custom captive portal page as expected, but instead are sent to the default URL.

Workaround:
Configuring this setting in HKEY_CURRENT_USER\Software\Wow6432Node\F5 Networks\RemoteAccess works.

Fix:
APM captive portal probe URL in BIG-IP Edge Client for Windows can now be customized on x64 Windows-based platforms in the same way as for x86 Windows-based platforms.


482251-1 : Portal Access. Location.href(url) support.

Component: Access Policy Manager

Symptoms:
Some pages cannot be loaded in specific web applications.

Conditions:
This happens in Microsoft Internet Explorer browser-specific code that contains: Location.href(some_url).

Impact:
Web application cannot load some web pages.

Workaround:
None.

Fix:
The Microsoft Internet Explorer browser-specific code Location.href(some_url) now works correctly, so web applications can load previously unloadable web pages.


482241-4 : Windows 10 cannot be properly detected

Component: Access Policy Manager

Symptoms:
Windows 10 cannot be properly detected by BIG-IP

Conditions:
Windows 10 desktop operating system and BIG-IP APM access policy with client OS and Windows info agents.

Impact:
Windows 10 will not be detected out-of-the-box by BIG-IP client OS and Windows info agents.

Workaround:
User agent can be parsed in access policy for windows 10 tokens.

Fix:
Windows 10 can now be detected out-of-the-box by Client OS and Windows Info agents.


482134-4 : APD and APMD cores during shutdown.

Component: Access Policy Manager

Symptoms:
When apd and apmd shutdown while they are still processing, the system cores while accessing policy configuration data.

Conditions:
This occurs with a second apd or apmd process while an apd or apmd process is already running. The second apd or apmd process goes down (because one process is already up).

Impact:
During this shutdown process, the system cores.

Workaround:
None.

Fix:
APD and APMD no longer core during shutdown of a second occurrence of APD or APMD.


481880-3 : SASPD monitor cores

Component: Local Traffic Manager

Symptoms:
SASP monitor process core dumping during a state change.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
Pool member is marked down, which leads to monitor outage.

Workaround:

Fix:
SASP monitor no longer core dumps during a state change in push mode.


481663-2 : Disable isession control channel on demand.

Component: Access Policy Manager

Symptoms:
Customers running into isession related issues.

Conditions:
This happens when APM has been running.

Impact:
TMM could run out of memory because of these issues.

Workaround:
This issue has no workaround at this time.

Fix:
If optimized tunnels, app tunnels, and remote desktop are not needed, the db variable "isession.ctrl.apm" can safely be disabled, which disables iSession. Then run "bigstart restart tmm apd" so that the db variable takes effect. Note that restarting tmm interrupts traffic on that device.


481648-4 : mib-2 ipAddrTable interface index does not correlate to ifTable

Component: TMOS

Symptoms:
The ipaddrTable's ipAdEntIfIndex value does not match the ifTable's ifIndex value for the same interface.

Conditions:
Using SNMP to monitor F5 and other network devices.

Impact:
Data in the mib-2 ifTable does not correlate to the data in the ipAddrTable.

Workaround:
Use the F5 MIB to monitor F5 devices.

Fix:
The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.


481257-2 : Information on "OPSWAT Integration Libraries V3" is missing from CTU report

Component: Access Policy Manager

Symptoms:
Information on "OPSWAT Integration Libraries V3" is missing from CTU report

Conditions:
"OPSWAT Integration Libraries V3" are installed on the PC.

Impact:
Information on "OPSWAT Integration Libraries V3" is not available in CTU report

Workaround:
None

Fix:
CTU report now includes information on "OPSWAT Integration Libraries V3".


481203-4 : User name case sensitivity issue

Component: Access Policy Manager

Symptoms:
Create a local user (or a dynamic user) whose name starts with an upper-case letter. When responding to the logon page, the user can enter the name in all lower case, all upper case, or any mixture. The user is authenticated, but each distinct spelling of the user name creates its own entry in memcache, where there should be only one. When the user is deleted, the other entries remain in memcache.

Conditions:
This issue occurs while entering the user name on the logon page.

Impact:
This issue causes dangling memcache entries that are not accounted for.

Workaround:
This issue has no workaround at this time.

Fix:
When creating the memcache entry, the username is now normalized to UTF-8 lowercase. This ensures there is only one entry for all spellings of the username.


481046-1 : F5_Inflate_text(o, incr, v) wrapper need to be fixed for case when o is script tag

Component: Access Policy Manager

Symptoms:
A web application can get an unrewritten dynamically-generated script when not using Internet Explorer browser.

Conditions:
The problem occurs when scriptTag.text='source script' and the browser is not Internet Explorer.

Impact:
As a result, the web application malfunctions.

Workaround:
This issue has no workaround at this time.

Fix:
The wrapper for scriptTag.text='source script' now rewrites 'source script' for all browsers.


481020-4 : Traffic does not flow through VPN tunnel in environments where proxy server is load balanced

Component: Access Policy Manager

Symptoms:
VPN will appear to be established but no traffic will flow through the VPN tunnel.

Conditions:
VPN is established through proxy server. DNS returns different IP address for subsequent name resolution query for proxy server.

Impact:
No traffic flows through VPN tunnel.

Workaround:
Use IP address for proxy server instead of name.

Fix:
Resolved intermittent routing table issue that caused Traffic not to flow through tunnel if proxy server is load balanced.


480888-5 : Tcl parks during HTTP::collect, and serverssl is present, data can be truncated

Component: Local Traffic Manager

Symptoms:
If Tcl parks during HTTP::collect, and serverssl is present, data can be truncated. serverssl can send an 'early' EOF when notified by the server.

Conditions:
serverssl with a server that notifies SSL of connection termination. If Tcl is parked during a HTTP::collect call, then it is possible for the EOF to be placed before the data collected. If that occurs, then the data is dropped. Use of HTTP::collect in an iRule on the server-side. If HTTP::collect is called within the HTTP_RESPONSE_DATA event, the occurrence is much more likely.

Impact:
The server response is truncated.

Workaround:

Fix:
A response from the server is no longer truncated in some situations when the serverssl profile is combined with the use of the HTTP::collect iRule command.


480761-4 : Fixed issue causing TunnelServer to crash during reconnect

Component: Access Policy Manager

Symptoms:
TunnelServer may crash in rare conditions during reconnect.

Conditions:
The crash may happen when the PC wakes up after hibernation.

Impact:
User sees confusing message about crashed TunnelServer.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed issue that caused TunnelServer to crash during reconnect.


480506-9 : tmm CMP does not delete server side flow when CMP flow response is undeliverable

Component: Local Traffic Manager

Symptoms:
When a CMP message arrives at the originator (processing unit, thread), and the original connflow is already removed (because of early abort/reset) tmm CMP does not delete the server side flow when the CMP flow response is undeliverable.

Conditions:
This occurs when the CMP flow response is undeliverable.

Impact:
System runs Out of Memory over time, leading to a tmm crash. Traffic interrupted by tmm crashing.

Workaround:
None.

Fix:
tmm CMP now correctly deletes server side flow when CMP flow response is undeliverable.


480370-3 : Connections to virtual servers with port-preserve property will cause connections to leak in TMM

Component: Local Traffic Manager

Symptoms:
Connections leak, exhausting the memory over time and causing TMM to re-start.

Conditions:
Virtual server with port-preserve setting. Tunneled APM connections in a CMP environment (many TMM processes).

Impact:
TMM process re-starts causing traffic disruption. Low performance is also seen due to the high number of leaked connections.

Workaround:
None.

Fix:
The internal listeners that are created to forward the connections between TMM processes are now deleted when no longer needed, so new connections are not created, which prevents a memory leak.


480360-1 : Edge Client for Mac blocks textexpander application's functionality

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac blocks the textexpander application's functionality. Edge Client does not release secure input, and from then on the textexpander application does not expand keywords.

Conditions:
BIG-IP access policy must have logon page configured with password field. Edge Client for Mac connects to such a BIG-IP

Impact:
textexpander fails to expand recognized keywords

Workaround:
Click on submit button with mouse or press tab to move focus on submit button and then hit return.

Fix:
BIG-IP Edge Client for Mac was fixed so that it does not block textexpander's functionality.


480311-5 : ADAPT should be able to work with OneConnect

Component: Service Provider

Symptoms:
The request-adapt and response-adapt profiles are unable to work with the OneConnect profile, and so those combinations are not allowed in the same virtual server.

Conditions:
Attempt to combine request-adapt or response-adapt profile with OneConnect profile on the same virtual server.

Impact:
When adaptation is being used, the connection cannot be kept open and reused for multiple HTTP transactions.

Workaround:

Fix:
The OneConnect profile can be combined with either or both of request-adapt and response-adapt profiles on a virtual server. Both client and server HTTP connections are reused.


480305-4 : tmm log flood: isession_handle_evt: bad transition:7

Component: Wan Optimization Manager

Symptoms:
tmm log flood with the event: 01470000:3: iSession: Connection error: isession_handle_evt:6680: isession_handle_evt: bad transition:7

Conditions:
This may happen when using APM.

Impact:
The tmm log is filled with unnecessary events.

Workaround:
None

Fix:
Fixed iControl / iSession memory leak issue; set proper log level to prevent log flooding.


480272-3 : During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID

Component: Access Policy Manager

Symptoms:
OAM ObConfig Initialization returns wrong accessgate ID, and that resulted in EAM setting wrong domain for the ObSSOCookie.

Conditions:
After a network connection failure with the backend OAM server, ObConfig initialization returns the previous AccessGate ID.

Impact:
The impact of this issue is that ObConfig initialization returns the wrong accessgate ID.

Workaround:
This issue has no workaround at this time.

Fix:
AccessGate init should now fail initialization and retry in case of an AccessGate ID mismatch. If all retries fail, then the AccessGate remains uninitialized. The administrator should clear the config cache for all the AccessGates and restart the EAM process.


480247-2 : Modifying edge client application folder causes gatekeeper to throw warning

Component: Access Policy Manager

Symptoms:
A configuration file exists in the Edge Client application folder and is modified by Edge Client (for example, when the user adds a new server). Gatekeeper throws a warning when this file is modified by Edge Client.

Conditions:
MAC Edge client, OS X Yosemite, configuration.

Impact:
Gatekeeper throws a warning; Edge Client might keep working correctly.

Workaround:

Fix:
BIG-IP Edge Client no longer updates its application directory; instead it uses the /Library/Application Support/ directory.


480242-3 : APD, APMD, MCPD communication error failure now reported with error code

Component: Access Policy Manager

Symptoms:
When an unexpected error is received during communication between apd, apmd, and mcpd, it throws an exception.

Conditions:
Rarely reproducible, failed communication between apd, apmd, and mcpd.

Impact:
The system cores without an error code indicating the reason. This hampers finding the actual cause for the error.

Workaround:
None.

Fix:
Now, when an error occurs, the system prints an error code in HEX, which facilitates finding the reason for the error.


479889-2 : Memory leaks when iSession and iControl are configured

Component: Wan Optimization Manager

Symptoms:
Memory leaks might occur when iSession and iControl are configured.

Conditions:
This occurs when using iSession on APM.

Impact:
Memory leaks.

Workaround:

Fix:
This release resolves memory leaks that occurred when iSession and iControl were configured.


479543-4 : Transaction will fail when deleting pool member and related node

Component: TMOS

Symptoms:
Removing a pool and the related nodes in the same transaction will fail. It will output an error message similar to the following: 01070110:3: Node address '/Common/12.33.22.2' is referenced by a member of pool '/Common/mypool'.

Conditions:
Create a pool, add a single pool member (which creates the associated node). If you then delete the pool and node in the same transaction, the transaction will fail.

Impact:
A pool and related nodes cannot be deleted within the same transaction.

Workaround:
If you delete the pool and nodes in 2 separate transactions, the process will succeed.

Fix:
The pool-member reference check for the node was moved to a later stage of validation, allowing the pool and pool members to be updated/deleted. This ensures that when the delete code for the node checks for references from a pool, there will be none.


479524-1 : If a "refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten

Component: Access Policy Manager

Symptoms:
If a "Refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten.

Conditions:
If URL in a "Refresh" header matches the bypass list, plugin crashes; if it is related to the current path, it is rewritten as an empty string.

Impact:
The impact of this issue is a possible web application malfunction.

Workaround:
This issue has no workaround at this time.

Fix:
Portal Access no longer crashes if a URL in a Refresh header matches a Portal Access bypass list entry.


479374-1 : Setting appropriate TX driver settings for 40 GB interfaces.

Component: TMOS

Symptoms:
In rare cases, the VIPRION C4800 chassis might experience an inability to establish some connections due to losing packets in one direction while in transit between blades.

Conditions:
VIPRION C4800 chassis.

Impact:
When the problem is due to this issue, one or more 5.x or 6.x interfaces show status as 'up' but the corresponding media as 'none'. Inability to establish some connections. The problem is consistent, depending on source and destination IP and port.

Workaround:

Fix:
VIPRION C4800 backplane interfaces are now given proper settings to prevent unidirectional traffic issues.


479129-6 : TCP window scaling is not applied when SYN cookies are active

Component: Local Traffic Manager

Symptoms:
TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window.

Conditions:
SYN cookies have been activated.

Impact:
Poor performance / throughput.

Workaround:
None.

Fix:
The tmm now properly scales the TCP window upon SYN cookie activation.


479084-2 : ZoneRunner can fail to respond to commands after a VE resume.

Component: Global Traffic Manager

Symptoms:
The ZoneRunner GUI can become unresponsive after a VE resume.

Conditions:
This is due to the "lo:" interface not being recreated during the resume processing. ZoneRunner relies on this interface to communicate with the on box BIND server.

Impact:
ZoneRunner cannot create/modify/delete/query records from the on box BIND server

Workaround:
Restart ZoneRunner after a VE resume with the command: bigstart restart zonerunner.

Fix:
ZoneRunner now uses the tmm0 interface to communicate with BIND.


478922-2 : ICSA logging issues on versions 11.4.0 and later

Component: TMOS

Symptoms:
Attempting to turn on ICSA logging for non-ESP packets leads to log messages such as the following, with the format specifiers left unexpanded: Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: 'inbound'.

Conditions:
ICSA logging is enabled. Connections are sent through the BIG-IP system.

Impact:
ICSA logging misses information that is required for certification. Logs similar to the following are found in /var/log/ICSA Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: 'inbound'.

Workaround:
None.

Fix:
Resolved issue that ICSA logging did not contain information that is required for certification.


478751-3 : OAM10g form based AuthN is not working for a single/multiple domain.

Component: Access Policy Manager

Symptoms:
OAM10g form based AuthN is not working for a single/multiple domain.

Conditions:
Conditions leading to this issue include double encoding of parameters and race condition on parsing form body.

Impact:
Form based OAM authentication might not work.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed all the issues found during the testing of OAM Form-based AuthN scheme, for both single domain and multiple domain.


478658-3 : Window.postMessage() does not send objects

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects. There may or may not be an error in the JavaScript console, depending on the web application.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access.

Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access.

Workaround:
None.

Fix:
Window.postMessage supports sending objects.


478617-5 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
The TCP segment size is 40 bytes smaller than it should be.

Conditions:
ICMP implementation using Path MTU (PMTU)

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by doing the following, "tmsh modify sys db tm.enforcepathmtu value disable"

Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU.


478439-4 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU).


478257-5 : Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed

Component: Local Traffic Manager

Symptoms:
Re-transmission of fragment needed packets.

Conditions:
Multiple ICMP Destination Unreachable with Fragmentation needed code messages.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by doing the following, "tmsh modify sys db tm.enforcepathmtu value disable"

Fix:
Don't re-transmit packets if the MTU is not changed.


478115-2 : The action attribute value of a form HTML tag is not properly rewritten in the Minimal Content Rewriting mode when it starts with "/"

Component: Access Policy Manager

Symptoms:
If the action URL of a form HTML tag begins with "/" and the Minimal Content Rewriting list contains the current host name, this URL is erroneously rewritten with adding of "/f5-w-" prefix.

Conditions:
The current host name is in Minimal Content Rewriting list.

Impact:
The impact of this issue is a possible web application malfunction.

Workaround:
To work around this issue, create a particular iRule for each case.

Fix:
The action attribute value of a form HTML tag is now properly rewritten in the Minimal Content Rewriting mode when it starts with a forward slash (/).


477898-5 : Some strings on BIG-IP APM EDGE Client User Interface were not localized

Component: Access Policy Manager

Symptoms:
Some text in internationalized Edge Client was still shown in English.

Conditions:
Use of internationalized edge client

Impact:
Some strings were displayed in English instead of localized language.

Workaround:
None.

Fix:
BIG-IP APM Edge Client User Interface Translation has been updated. UI messages and labels have now been translated into several languages.


477888-2 : ESP ICSA support is non-functional on versions 11.4.0 and up

Component: TMOS

Symptoms:
Attempting to turn on ICSA logging for ESP packets will lead to the following logs. Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: "inbound"

Conditions:
ICSA logging for ESP packets is enabled. ESP connections are sent through the BIG-IP. Logs similar to the following are found in /var/log/ICSA Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: "inbound"

Impact:
ICSA logging misses information that is required for certification.

Workaround:

Fix:
ICSA logging no longer missing information that is required for certification.


477642-2 : Portal Access rewriting leads to page reload in Firefox

Component: Access Policy Manager

Symptoms:
Endless page reload after Portal Access rewriting in Firefox.

Conditions:
Browser is Firefox; there is an expression similar to "location.hash = ''" in the Javascript code.

Impact:
Customer cannot access page with Firefox.

Workaround:
An iRule that changes the JavaScript code from {location.hash = ''} to {location.hash = '#'}. Such an iRule must be written for the specific application, so no generic solution is given here.

Fix:
In Portal Access assignment of empty string to location.hash property no longer causes page reload loop in Firefox.


477547-2 : Resource Assign Agent shows javascript error

Component: Access Policy Manager

Symptoms:
When opening full resource assign, users encounter the following error while trying to edit the Visual Policy Editor (VPE): "Error While creating agent class (pCustomRAMapping_class is not defined)"

Conditions:
Attempt to edit resource assign.

Impact:
Unable to edit resource assign.

Workaround:
Edit bigip.conf directly.


477540-4 : 'ACCESS::policy evaluate' iRule command causes crash of apmd daemon

Component: Access Policy Manager

Symptoms:
Calling the ACCESS::policy evaluate iRule command in affected builds causes the apmd daemon to crash.

Conditions:

Impact:
As a result, access policy evaluation cannot be initiated from iRules.

Workaround:

Fix:
APMD no longer crashes with null Tcl interpreter object when used with the ACCESS::policy evaluate iRule command.


477375-4 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
Rarely, the SASP monitor cores.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage. This occurs rarely.

Workaround:

Fix:
SASP monitor no longer cores when configured in push mode.


477281-8 : Improved XML Parsing

Component: TMOS

Symptoms:
With certain requests, XML parsing returns the wrong document.

Conditions:
A certain set of parameters are sent to pages which utilize DocumentBuilderFactory to process and return XML documents.

Impact:
The document that was requested is not returned. Another document is returned instead.

Workaround:
None.

Fix:
XML Parser configuration was changed to ensure only correct documents are returned to all requests.


477278-6 : CVE-2014-6032 and CVE-2014-6033

Component: Access Policy Manager

Symptoms:
This release fixes CVE-2014-6032 and CVE-2014-6033.

Conditions:

Impact:
Potential base OS vulnerability; with this fix the system is no longer susceptible.

Workaround:
None.

Fix:
This release fixes CVE-2014-6032 and CVE-2014-6033.


477274-10 : Buffer Overflow in MCPQ

Component: Access Policy Manager

Symptoms:
MCPQ crashes, with the core shown in "dmesg" or /var/log/kern.log, when a user sends a POST query with invalid parameters in several places and a large POST body.

Conditions:
Supplying "func=stat&obj1=<large text>" or "function=<large text>".

Impact:
MCPQ becomes unavailable and cannot serve XUI pages while it is down (before it is restarted).

Workaround:
None

Fix:
Issue Fixed. A crash in mcpq from bad user input is now prevented.


477218-1 : Simultaneous stats query and pool configuration change results in process exit on secondary.

Component: TMOS

Symptoms:
Simultaneous stats query and pool configuration change results in process exit on secondary.

Conditions:
Running parallel operations in tmsh/GUI or multiple tmsh operations on pool objects. For example, running 'tmsh show' command while simultaneously updating the monitor on the pool in the GUI.

Impact:
The primary restarts, and the slot goes down, resulting in potential traffic impact. The ltm logs display error messages similar to the following:
-- err mcpd[29041]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool (/Common/CYBS-P-UBC-43) was not found.
-- notice mcpd[8487]: 0107092a:5: Secondary slot 1 disconnected.

Workaround:
Use the absolute name of the pool in the tmsh command: /partition_name/pool_name.

Fix:
The tmsh command now automatically uses the absolute path, derived from the context of the current connection to mcpd, so mcpd no longer restarts in this case.


477111-7 : Dual management routes in the main routing table

Component: TMOS

Symptoms:
Dual management routes might exist in the default routing table, main. On version 11.6.0, the system also produces an error message when querying SNMP ipCidrRouteTable.

Conditions:
In versions earlier than 11.6.0, the conditions are unknown other than observing the dual management routes in the main routing table. On version 11.6.0, the condition is an snmpwalk of ipCidrRouteTable.

Impact:
On affected versions earlier than 11.6.0, there are dual management routes in the main routing table. On version 11.6.0, you might also receive an error upon querying SNMP ipCidrRouteTable, or an snmpd core.

Workaround:
To recover from this issue, delete the duplicate route.

Fix:
The main routing table now has a single entry for the management network.


477031-3 : Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart

Component: TMOS

Symptoms:
Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart.

Conditions:
Deleting multiple VXLAN tunnels with flooding type multipoint.

Impact:
TMM restart and a TMM core is generated.

Workaround:
None.

Fix:
No TMM restart when deleting multiple VXLAN tunnels with flooding type multipoint.


476886-1 : When ICAP cuts off request payload, OneConnect does not drop the connection

Component: Service Provider

Symptoms:
After sending an ICAP preview, the BIG-IP system waits for a response from the ICAP server. If the BIG-IP system receives the complete ICAP response before it has finished sending the ICAP request (for example, when the response contains an encapsulated 302 redirect), it stops sending the request payload and closes the TCP connection. However, when a OneConnect profile (CONNPOOL filter) is on the IVS, the TCP connection to the ICAP server is not terminated.

Conditions:
This occurs when using ICAP and OneConnect profiles on an IVS, when the BIG-IP ICAP client has resumed sending the request body on receiving a 200 OK response after the preview, and the ICAP server's response completes before it has received the entire request body (for example, an encapsulated redirect).

Impact:
The ICAP server cannot detect the end of the ICAP request and might become confused.

Workaround:
Do not use OneConnect. As an alternative, if the ICAP server completes its response, it could ignore any further input from the client until it detects another RESPMOD or REQMOD indicating the beginning of a new transaction. ICAP servers are not required to do this, but it would allow connection reuse in the case where the server completes its response before the request is complete.

Fix:
In this release, if the BIG-IP system receives the complete ICAP response from the ICAP server before it has completed sending the ICAP request, and a OneConnect profile is on the IVS, the TCP connection to the ICAP server is terminated and that connection is not reused.


476738-4 : rsync daemon may be configured to listen on a public port

Component: TMOS

Symptoms:
Not vulnerable by default. Chassis and CMI configurations use the rsync daemon to exchange some files. Changing the option 'use chroot' could allow write access to the daemons.

Conditions:
Requires an explicitly configured configsync-ip (a self IP) such that the rsync port was explicitly opened. This option has been removed.

Impact:
None expected for most configurations, since rsyncd on chassis does not listen to connections outside the chassis, and the configsync-ip is configured the same way by default. Only explicitly configuring the configsync-ip (a self IP) such that the rsync port is explicitly opened might be affected.

Workaround:
Ensure that port 873 is not explicitly listed in the default self allow list (this is the default) or in the configsync-ip addresses allowed port list.

Fix:
The vulnerable option has been removed from all rsync daemon configurations.


476736-6 : APM IPv6 Network Access connection may fail in some cases

Component: Access Policy Manager

Symptoms:
When the client-provided link-local address has zeros in its first four or more bytes, the IPv6 Network Access connection fails because the listener bind fails.

Conditions:
This bug appears when the first four or more bytes of the IPv6 link-local address are zeros.

Impact:
IPv6 Network Access Tunnels may not succeed.

Workaround:
There is no workaround for this.

Fix:
For a certain set of IPv6 link-local addresses, the IPv6 Network Access tunnel might not succeed because of a listener lookup failure. This code change fixes the issue.


476708-5 : ZebOS using BGP ECMP may not correctly update the ECMP paths when one of the paths goes down and comes back up

Component: TMOS

Symptoms:
ZebOS using BGP equal-cost multi-path routing (ECMP) might not correctly update the ECMP paths when one of the paths goes down and comes back up.

Conditions:
This occurs when a downstream ECMP link is disabled such that one of the two equal-cost paths becomes unavailable, and is then enabled again.

Impact:
ECMP does not function as desired because both available paths are not utilized. This can only be recovered by clearing the BGP connection on the affected ECMP path.

Workaround:
None.

Fix:
Correctly update the ECMP route paths on update.


476476 : Occasional inability to cache optimized PDFs and images

Component: WebAccelerator

Symptoms:
Restarting the datastor service can result in some optimized PDFs or optimized images becoming uncacheable.

Conditions:
This occurs when all of the following are true: WAM has a handle to cached content in datastor that no longer exists because datastor restarted or evicted it; the content is an image or PDF that WAM optimized; and two requests for such content arrive on the same TCP connection. In that case the second request can be cached incorrectly, so that it cannot be served or replaced until tmm is restarted.

Impact:
Certain URLs become uncacheable, thus reducing effectiveness of WAM.

Workaround:
Disable client keep-alive in the HTTP profile (change Maximum Requests in the HTTP profile from 0 to 1) or disable PDF linearization and image optimization. A partial workaround is to use wa_clear_cache instead of restarting datastor to clear the cache. Content which datastor evicts might still suffer (but this is unlikely).

Fix:
Restarting datastor no longer results in the possibility of some optimized PDFs or optimized images becoming uncacheable.


476460-3 : WAM Range HTTP header limited to 8 ranges

Component: WebAccelerator

Symptoms:
When doing a request with multiple ranges, depending on the current state of the document in the cache (due to previous requests), WAM responds with 'HTTP 416 Requested range not satisfiable'.

Conditions:
Client requesting more than 8 ranges in a single HTTP Range request for a document that has an active cache record.

Impact:
The document cannot be retrieved, even with valid range values.

Workaround:
Force the document to not be cached in the Policy and to be always proxied to the OWS.

Fix:
Use the db variable Wam.Cache.Range.MaxRanges to increase the maximum number of sub-ranges allowed in an HTTP Range request. It defaults to a maximum of 8 sub-ranges but can be increased to 32.


476288-3 : Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault

Component: TMOS

Symptoms:
When multiple route domains and multiple routing protocols per route domain are repeatedly created and deleted, the tmrouted crashes and restarts.

Conditions:
Multiple route domains with multiple routing protocols per route domain are created and deleted repeatedly at short intervals.

Impact:
The routing information is lost and the tables need to be built again. This might cause packet loss.

Workaround:
None.

Fix:
Repeated creation and deletion of route domains and routing protocols led to a race condition between the start timer of the routing protocols and inconsistent memory state of the deleted routing protocols. This fix resolves the race condition.


476133-4 : In APM OAM authentication, ObSSOCookie _lastUseTime was not updated.

Component: Access Policy Manager

Symptoms:
_lastUseTime in APM OAM ObSSOCookie is not updated after the user is authenticated using ObSSOCookie. This results in ObSSOCookie expiring prematurely.

Conditions:
User is already authenticated and provided with an ObSSOCookie.

Impact:
When the ObSSOCookie expires prematurely and authentication with it fails, the user is asked to submit credentials for authentication again.

Workaround:
No known workaround.

Fix:
Issue fixed. _lastUseTime in the OAM ObSSOCookie is now updated on successful authentication and authorization.


476097-2 : TCP Server MSS option is ignored in verified accept mode

Component: Local Traffic Manager

Symptoms:
After enabling 'verified-accept' in the TCP profile, window scaling does not work on the server-side connection. More specifically, the BIG-IP system ignores window scaling from the back-end server.

Conditions:
Enabling 'verified-accept' in TCP profile.

Impact:
The BIG-IP system ignores window scaling from the back-end server.

Workaround:
Disable 'verified-accept' in the TCP profile.

Fix:
Window scaling with back-end server now works when 'verified-accept' is enabled in the TCP profile.


476038-5 : Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac crashes on OS X 10.7 if a user adds a new server using its IP address rather than its DNS name.

Conditions:
Create an APM virtual server entry by IP address using the Edge Client for Mac.

Impact:
Edge Client crashes.

Workaround:
Use DNS name rather than IP address when adding a new server.

Fix:
On BIG-IP Edge Client for Mac on OS X 10.7, a user can now successfully add a new server using its IP address.


476032-4 : BIG-IP Edge Client may hang for some time when disconnecting from a FirePass server

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client hangs in "Disconnecting" state for some time if the backend server is FirePass.

Conditions:
FirePass server as the backend.

Impact:
The user has to wait.

Workaround:

Fix:
Issue fixed. Now BIG-IP Edge Client disconnects from FirePass smoothly without delays.


475791 : Ramcache profile may dispatch internal messages out-of-order leading to assert

Component: Local Traffic Manager

Symptoms:
Ramcache profile might dispatch internal messages out-of-order, leading to assert.

Conditions:
Assert may occur when the following conditions are met:
- Virtual server uses ramcache profile.
- Virtual server has mirroring enabled.
- Device is in standby mode.
- Active unit is unable to fulfill incoming HTTP request (ramcache entry is invalid / no pool members).
- Standby unit is able to fulfill mirrored request (ramcache entry is valid).

Impact:
Due to this rarely occurring race condition, a tmm_panic occurs ('valid pcb') when a connection is being closed and the ramcache feature is able to fulfill an incoming request. The standby unit becomes temporarily unavailable.

Workaround:
Do not use ramcache profile and connection mirroring feature together.

Fix:
Removed ramcache race condition, so that connection teardown messages are processed in the correct order.


475682-3 : APM OAM should be sending a single Cookie header with the cookies delimited by semi-colon.

Component: Access Policy Manager

Symptoms:
Authentication with the OAM ObSSOCookie fails after the multiple cookies added by the APM EAM module are sent with a comma delimiter separating them. EAM should send a single Cookie header with the cookies delimited by semicolons.

Conditions:
Authentication with OAM ObSSOCookie fails after multiple cookies added by APM EAM module are sent with comma delimiter to separate them.

Impact:
Authentication with OAM ObSSOCookie fails and user is required to authenticate again with credentials.

Workaround:
No workaround.

Fix:
EAM used to send multiple cookies headers in HTTP message. Multiple HTTP headers like this are treated as comma-separated by some receivers. Now EAM adds a single Cookie header with the cookies delimited by semi-colon.


475360-3 : Edge client remembers specific virtual server URI after it is redirected

Component: Access Policy Manager

Symptoms:
When client is redirected with HTTP 302, either from Access policy or from iRule, it remembers the URL of the server it was redirected to, even after a hard disconnect.

Conditions:

Impact:
Certain configurations in which the APM server is selected based on the location (or other attributes) of the client will not work as intended, and the user continues to use the same APM server that was used the first time.

Workaround:
Restart edge client and connect again.

Fix:
Resolved issue when BIG-IP Edge Client remembers a specific virtual server URI after it is redirected.


475338-1 : Webtop customization done to the ACL deny page with Advanced Customization is not visible

Component: Access Policy Manager

Symptoms:
The header background color for the page that the user receives when blocked by an ACL is always white. Changing the color under the Advanced Customization attribute "Page Header Settings" changes the color of, for example, the Logon Page, but not the ACL deny page.

Conditions:
n/a

Impact:
The color customization done via Advanced Customization is not reflected in the ACL deny page.

Workaround:
This issue is cosmetic and has no workaround.

Fix:
After the fix, the ACL deny page correctly reflects the customizations made in the Advanced Customization dialog.


475262-4 : In some cases Edge Client for Windows does not re-resolve server hostname while reconnecting

Component: Access Policy Manager

Symptoms:
If BIG-IP Edge Client for Windows connects to APM server using FQDN, it does not re-resolve the server hostname while reconnecting. In failover scenarios where one APM server goes down, Edge Client will continually try to connect to the non-existent IP of the APM server that went down and will not switch over to the next APM server.

Conditions:
The problem occurs under these conditions:
1. Edge Client is connected to the APM server using an FQDN, and
2. More than one APM server is configured, and a GTM, or another DNS server, is used for failover.

Impact:
The client does not re-resolve the server hostname while reconnecting and needs to be restarted to successfully connect again.

Workaround:
To work around the problem, restart Edge Client and connect again.

Fix:
Resolved the issue in which, when APM is configured with a URL (https://....), BIG-IP Edge Client for Windows did not re-resolve the APM hostname while reconnecting.


475163-2 : Submitting an HTML form that does not have an action attribute results in a 404 error and 'null' in the request URL.

Component: Access Policy Manager

Symptoms:
The result of submitting an HTML form that does not have an action attribute is a 404 error and 'null' in the request URL.

Conditions:
Form tag does not have action attribute.

Impact:
Form cannot be submitted.

Workaround:
Add attribute "action=''" into the HTML form tag, either by modifying the source or by using an iRule.

Fix:
Now HTML forms without action attribute are handled correctly.


475055-1 : Core caused by incorrect accounting of I/O flows

Component: Local Traffic Manager

Symptoms:
I/O flows for the Cavium Nitrox are not always added to the count, but are always subtracted correctly, causing an imbalance.

Conditions:
This occurs only on platforms using the Cavium Nitrox chip.

Impact:
Incorrect accounting allowed the number of flows to drop below zero, triggering an assert and a core.

Workaround:

Fix:
Resolved a core caused by an accounting miscalculation of Nitrox I/O flows.


475049-4 : Missing validation of disallowing empty DC configuration list

Component: Access Policy Manager

Symptoms:
The NTLM authentication feature requires at least one Domain Controller to be specified in the NTLM Auth Configuration Domain Controller FQDN list. This is by design, to prevent unwanted load on the server, because NTLM authentication is performed on a per-connection basis. There is no DC autodiscovery mechanism implemented for NTLM authentication, by design. To enable the feature, the administrator must specify particular servers. Leaving this list empty caused unexpected behavior in which authentication is not performed and yet is considered a success. The configuration of the Domain Controller for an NTLM authentication configuration is different from the configuration of the Domain Controller for an NTLM machine account. For the NTLM machine account, the BIG-IP system can automatically discover one of the available DCs using the DNS method, or the administrator can specify a DC. Administrators are asked to specify at least one Domain Controller for NTLM Auth configurations in the Domain Controller FQDN list.

Conditions:
Domain Controller configuration is allowed to be empty which is both incorrect and unsupported.

Impact:
The system misbehaves with this incorrect and unsupported configuration, and no authentication is performed.

Workaround:

Fix:
In this release, the Domain Controller (DC) fully qualified domain name (FQDN) list for an NTLM Auth Configuration is mandatory. Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line (dc-fqdn-list { <fqdn> }) for each ntlm auth configuration, as shown in this example:
apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { dc01.example.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}


474779-4 : EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.

Component: Access Policy Manager

Symptoms:
On EAM process initialization, the plugin is unable to register a thread (MPI channel) with TMM on rare occasions. A subsequent system call to end the process fails.

Conditions:
Unknown.

Impact:
EAM plugin is up but the access gates are not initialized correctly.

Workaround:
1. Establish a connection to the OAM server.
2. bigstart stop eam
3. Clear config.cache from each AccessGate by deleting /config/aaa/oam/<partition_name>/<aaa_oam_obj_name>/<accessgate_name>/config.cache from the command line.
4. bigstart restart eam

Fix:
EAM plugin initialization is fixed; the plugin's registration with the TMM process no longer fails.


474757-6 : Update openssl to 1.0.1i

Component: Access Policy Manager

Symptoms:
The system used an old OpenSSL version with known issues.

Conditions:

Impact:
Potential security impact.

Workaround:

Fix:
OpenSSL Security Advisory 8/6/14 (1.0.1i Update).


474730-2 : Incorrect handling of form if it contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with absolute path in the action is handled incorrectly in Internet Explorer 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions: an HTML form with an absolute action path; a tag with id=action inside this form; Internet Explorer 7, 8, or 9.

Impact:
The impact of this issue is that the web application cannot work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Now forms with absolute action path and tag with id=action inside are handled correctly.


474601-2 : FTP connections are being offloaded to ePVA

Component: Local Traffic Manager

Symptoms:
FTP connections are offloaded to the embedded Packet Velocity Acceleration (ePVA) acceleration hardware.

Conditions:
SNAT listener.

Impact:
FTP data connections fail due to lack of translation in PORT commands.

Workaround:
Use FTP virtual instead of SNAT listener.

Fix:
FTP connections are no longer offloaded to ePVA hardware when traversing a SNAT listener.


474584-5 : igbvf driver leaks xfrags when partial jumbo frame received

Component: Local Traffic Manager

Symptoms:
On platforms utilizing the igbvf driver, xfrags can be leaked if a partial jumbo frame is received.

Conditions:
A partial jumbo frame is received on a platform that uses the igbvf driver.

Impact:
TMM memory usage increases over time and eventually TMM crashes due to lack of memory.

Workaround:
None.

Fix:
The igbvf driver no longer leaks xfrags when a partial jumbo frame is received.


474226-6 : LB_FAILED may not be triggered if persistence member is down

Component: Local Traffic Manager

Symptoms:
LB_FAILED may not be triggered if persistence member is down.

Conditions:
This occurs when the following conditions exist:
- Incoming connection has a cookie matching a persistence entry.
- Persisted pool member has been marked down.
- No other pool members are available.

Impact:
Cannot utilize LB::reselect command.

Workaround:
None.

Fix:
LB_FAILED event is correctly triggered when persistence pool member is not available or offline.


474002-8 : Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys

Component: Local Traffic Manager

Symptoms:
If a BIG-IP virtual server is configured with a Server SSL profile, and a pool member or server selects a DHE-based ciphersuite (e.g. DHE-RSA-AES128-SHA), the BIG-IP system might not successfully complete an SSL handshake with the server.

Conditions:
This occurs when the following conditions exist:
- HTTPS pool member or server.
- Virtual server with Server SSL profile.
- Server is configured with 2048-bit or larger Diffie-Hellman keys.

Impact:
Traffic to affected pool members fails, although the pool members are marked up by HTTPS monitors.

Workaround:
Either disable the use of ephemeral Diffie-Hellman (DHE) key exchange on the backend servers, select a smaller set of DH parameters on the backend servers, or disable DHE ciphersuites in affected virtual servers' Server SSL profiles.

Fix:
The BIG-IP system now successfully completes an SSL handshake with a server that is using Diffie-Hellman parameters of 2048 bits or larger.


473759-2 : Unrecognized DNS records can cause mcpd to core during a DNS cache query

Component: Local Traffic Manager

Symptoms:
mcpd cores during a DNS cache record query if a DNS record with an unknown type is in the cache. mcpd attempts to translate the record's type into a text string, but ends up with a NULL pointer instead.

Conditions:
A DNS record with a type unknown by mcpd must exist in the DNS cache during the query.

Impact:
mcpd cores, causing either a failover (if there is a standby unit) or an outage while mcpd restarts (if there is no standby unit).

Workaround:

Fix:
Unrecognized DNS records no longer cause mcpd to core during a DNS cache query.


473728-8 : Incorrect HTML form handling.

Component: Access Policy Manager

Symptoms:
If one of the HTML forms on a page is added dynamically, it is possible that other forms cannot be submitted via portal access.

Conditions:
- An HTML form is added dynamically.
- Another form on the same page has an absolute action path.

Impact:
Action path may be rewritten incorrectly and the form cannot be submitted.

Workaround:
None.

Fix:
Now absolute action path for any form in HTML page is rewritten correctly at submit time.


473485-3 : Fixed a few issues in HTTP Auth module

Component: Performance

Symptoms:
1. Possible buffer overflow when the session variable CookieClientData is larger than 8K.
2. Inappropriate use of mc_get_session_var in the agent, which may cause an apd crash.
3. Per-request memory leak of the cookies struct.

Conditions:
1. The session variable CookieClientData is larger than 8K.
2. apd may crash unexpectedly when the HTTP Auth agent cannot get a session variable.
3. When the HTTP Auth agent is configured for an Access Policy, apd might leak memory per request.

Impact:
apd might crash, or apd might leak memory per request.

Workaround:

Fix:
After the fix, the HTTP Auth agent no longer leaks memory, and apd no longer crashes in the HTTP Auth agent.


473386-7 : Improved Machine Certificate Checker matching criteria for FQDN case

Component: Access Policy Manager

Symptoms:
Machine cert check agent might fail if the certificate was issued with extended fields or to a domain machine.

Conditions:
This issue occurs when the machine is outside of domain and the certificate is issued to a domain machine.

Impact:
Machine cert check agent might fail on Mac OS X/Windows for machines currently outside of the domain.

Workaround:
This issue has no workaround at this time.

Fix:
Machine cert check agent matching criteria for FQDN has been improved.


473344-3 : Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Component: Access Policy Manager

Symptoms:
Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Conditions:
The APM access policy is configured with Kerberos authentication, and the attempted authentication session was initially created on a different VIP.

Impact:
The error occurs with no error message. The system should post an error message similar to the following: (Failure VIP Name): Kerberos Request-Based Auth failed because session was initially created on a different VIP (Original VIP Name). Please either disable RBA on the originating access profile, or remove the domain cookie.

Workaround:
Either disable RBA on the originating access profile, or remove the domain cookie.

Fix:
With the fix, APMD correctly handles the request for Kerberos Request-Based Auth, and posts the proper error message.


473088-1 : Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile

Component: TMOS

Symptoms:
The BIG-IP system does not allow you to configure a virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile. If you attach a ClientSSL profile, however, the configuration is allowed, which is incorrect behavior.

Conditions:
Create a virtual server, add tcp, request-adapt, and one-connect profiles along with ClientSSL.

Impact:
This unsupported configuration might have many unknown side effects in TMM.

Workaround:
Do not configure a virtual server with one-connect and requestadapt or responseadapt profiles.

Fix:
Configurations of request-/response-adapt combined with one-connect along with ClientSSL profiles are now handled correctly.


473037-4 : BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP

Component: TMOS

Symptoms:
BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP. If multiple connections are attempted, the same port is computed.

Conditions:
This occurs on BIG-IP 2000/4000 platforms with SCTP configured.

Impact:
This causes 'Inet port collision' log errors, and the connection is terminated.

Workaround:
None.

Fix:
BIG-IP 2000/4000 platforms now support RSS with L4 data on SCTP.


472831-1 : FIPS-enabled DNSSEC can cause TMM core

Component: Local Traffic Manager

Symptoms:
Creating Cavium-FIPS-enabled DNSSEC zone and keys causes TMM core.

Conditions:
FIPS DNSSEC zone and key creation on a FIPS-platform.

Impact:
TMM core.

Workaround:
None.

Fix:
FIPS-enabled DNSSEC zone and keys now work correctly without causing TMM core.


472585-1 : tmrouted crashes after a series of configuration changes

Component: Local Traffic Manager

Symptoms:
When multiple route domains with multiple routing protocols with heartbeat enabled are repeatedly created and deleted, the tmrouted daemon may restart.

Conditions:
This occurs when the following conditions are met:
-- Heartbeat is enabled.
-- Multiple route domains and routing protocols are created and deleted in a short time interval.

Impact:
tmrouted crashes, which might lead to packet loss in forwarding.

Workaround:
None.

Fix:
The tmrouted functions normally when multiple route domains with multiple routing protocols, with heartbeat enabled, are created and deleted repeatedly.


472365-1 : The vCMP worker-lite system occasionally stops due to timeouts

Component: TMOS

Symptoms:
The VCMP host side of the worker-lite system has a shorter timeout than the VCMP guest side. This can cause a worker-lite VCMP host to silently stop processing worker-lite requests for a VCMP guest.

Conditions:
This issue affects worker-lite based VCMP hosts running any version of VCMP guests that are processing SSL and compression traffic.

Impact:
SSL and compression traffic does not pass through VCMP guests running on an affected VCMP host. The system posts error messages in /var/log/ltm, similar to the following: Device error: crypto codec 'device-name' queue is stuck.

Workaround:
To resume processing of SSL and compression traffic in a VCMP guest, restart the guest tmm by issuing a 'bigstart restart tmm' from within the guest. Restarting a VCMP guest by setting its state from 'deployed' to 'provisioned' and then back to 'deployed' also resumes processing of SSL and compression traffic.

Fix:
Corrected a VCMP timeout issue that might have prevented VCMP guests from processing SSL and compression traffic.


472157-1 : Large file uploads abort for SPDY/3 and SPDY/3.1

Component: Local Traffic Manager

Symptoms:
When uploading a large file using SPDY/3 or SPDY/3.1, the browser aborts the connection.

Conditions:
The browser uploads a file larger than 16 KB while using a SPDY/3 or SPDY/3.1 connection.

Impact:
The browser stalls the upload because it does not receive a correct WINDOW_UPDATE from the BIG-IP system, and appears to be stuck. This affects all browsers that support the mentioned protocols.

Workaround:

Fix:
The browser now succeeds in uploading large files.


472099-6 : DisableCaptivePortalDetection registry key doesn't work in some cases

Component: Access Policy Manager

Symptoms:
In some configurations, the DisableCaptivePortalDetection registry key does not take effect.

Conditions:

Impact:
Captive portal detection cannot be disabled.

Workaround:

Fix:
DisableCaptivePortalDetection registry key now works as expected.


471874-4 : VDI plugin crashes when trying to respond to client after client has disconnected

Component: Access Policy Manager

Symptoms:
VDI plugin crashes when trying to respond to client after client has disconnected.

Conditions:
Client has disconnected, VDI plugin tries to send response to the client.

Impact:
VDI plugin crash.

Workaround:

Fix:
The VDI plugin does not crash when trying to respond to a client after the client has disconnected.


471825-5 : Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.

Component: Access Policy Manager

Symptoms:
Emails sent by the Email agent, when received by certain SMTP servers, contain an empty body. Email needs to comply with RFC 5322 and should include the Date: header.

Conditions:
Certain SMTP servers (the new Microsoft hosted email service) deliver an empty email body when the Date: header is missing from the email message.

Impact:
An empty email body is received.

Workaround:
None.

Fix:
Emails sent by the Email agent now include the Date: header in compliance with RFC 5322.


471821-4 : Compression.strategy "SIZE" is not working

Component: Local Traffic Manager

Symptoms:
The compression strategy SIZE is not working as expected. Instead of performing compression in software, the system uses the hardware compression provider to compress HTTP server responses.

Conditions:
1. Compression.strategy is set to "SIZE".
2. An HTTP virtual server is created with an HTTP compression profile.

Impact:
Compression is performed in hardware rather than in software.

Workaround:
Set compression.providerbusy to 0

Fix:
Compression.strategy "SIZE" now causes compression to be performed in software.


471787 : RADIUS information in configuration file not encrypted.

Component: Local Traffic Manager

Symptoms:
RADIUS information in configuration file is not always encrypted.

Conditions:
Using a RADIUS monitor.

Impact:
This may lead to exposing sensitive information.

Workaround:
None.

Fix:
RADIUS information in configuration file is now always encrypted.


471714-4 : Certain SMTP servers (Windows) do not receive complete email due to missing CRLF header terminator in Emails generated by APM Email agent.

Component: Access Policy Manager

Symptoms:
Emails sent by the APM Email Agent when received by certain SMTP servers do not contain subject and body. This is caused by an incomplete header terminating character (LF) used in the Email Agent. CRLF needs to be used at the end of header and as a separator between the header and email body as per RFC 5322.

Conditions:
Certain SMTP servers do not accept the LF terminator used in the emails generated by the APM Email agent.

Impact:
An email message with an empty body is received by certain SMTP servers.

Workaround:
None.

Fix:
The APM Email agent now generates emails using CRLF at the end of the header and as a separator between the header and the email body, conforming to RFC 5322.
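As an added example (not the APM Email agent's code), the following builds a message with CRLF-terminated headers and a Date: header, the two RFC 5322 requirements behind fixes 471825-5 and 471714-4, and checks an arbitrary raw message for both; the addresses, subject and body are constructed.

```python
"""Constructed example (not APM code) for fixes 471825-5 and 471714-4:
build a message whose headers end with CRLF and carry a Date: header,
and check a raw message for both RFC 5322 requirements."""
from email.message import EmailMessage
from email.policy import SMTP
from email.utils import formatdate
from typing import List


def build_notification(sender: str, recipient: str, subject: str, body: str) -> bytes:
    """Return the wire form of a message: CRLF line endings (policy.SMTP) and a Date: header."""
    msg = EmailMessage(policy=SMTP)           # the SMTP policy serialises lines with "\r\n"
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)   # RFC 5322 origination date
    msg.set_content(body)
    return msg.as_bytes()


def check_rfc5322_framing(raw: bytes) -> List[str]:
    """Return the framing problems found; an empty list means the message is acceptable.

    Checks: the header block is closed by an empty CRLF line, no header line
    ends with a bare LF, and a Date: header is present.
    """
    problems: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("no CRLF CRLF separator between header and body")
        head = raw.split(b"\n\n", 1)[0]        # best-effort header block for the remaining checks
    for line in head.split(b"\r\n"):
        if b"\n" in line:                      # an LF that is not part of a CRLF pair
            problems.append("bare LF inside header block")
            break
    header_names = {line.split(b":", 1)[0].strip().lower()
                    for line in head.replace(b"\r\n", b"\n").split(b"\n") if b":" in line}
    if b"date" not in header_names:
        problems.append("missing Date header")
    return problems


# Constructed sample of what the old agent produced: LF-only and no Date header.
LEGACY_MESSAGE = (
    b"From: apm@example.com\n"
    b"To: user@example.com\n"
    b"Subject: Access notification\n"
    b"\n"
    b"Your session is about to expire.\n"
)
```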


471625-1 : After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM

Component: Local Traffic Manager

Symptoms:
After deleting an external data-group, importing a new or editing an existing external data-group does not propagate to TMM. Although the import/modify operations individually seem to work as expected, with no errors displayed in the web interface, the ltm log shows 'update queued' but never 'update finished' for the imported/modified data-group. The tmctl ext_class_stat command shows that the deleted data-groups are still in TMM and that existing data-groups stay the same, not reflecting the modifications made to them via the GUI.

Conditions:
The issue occurs when working in an administrative partition other than Common.

Impact:
iRules associated with the data-groups do not behave as expected after a data-group is deleted and data-group modifications are subsequently made.

Workaround:
There are two options for workarounds:
1. Use short names for the data-group files. It is the long names that are problematic. This is the recommended workaround.
2. Reboot. This causes mcpd to reload the data-groups and corrects the situation.

Fix:
After deleting external data-group, importing a new or editing existing external data-group now works as expected.


471535-4 : TMM cores via assert during EPSV command

Component: Local Traffic Manager

Symptoms:
TMM cores via assert during an EPSV command from clients when the FTP filter rewrites the commands.

Conditions:
This rarely encountered issue occurs with the use of line feed (NL) characters in rewritten commands.

Impact:
TMM cores.

Workaround:
Use a TCP collect iRule to detect and insert the missing CR.

Fix:
FTP filter now accepts NL-only line-ending when rewriting EPSV command.


471421-1 : RAM cache eviction spikes with change of access policy leading to slow webtop rendering

Component: Access Policy Manager

Symptoms:
When there is a high load on the system and a user changes an access policy, it can lead to slow rendering of the webtop or the access page.

Conditions:
High load, with an access policy change around that time.

Impact:
Slow webtop/access page rendering.

Workaround:

Fix:
Access policy changes are now handled gracefully.


471125-4 : Fixed issue causing EdgeClient to work improperly behind environment with CaptivePortal.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client may display a window that will not close, showing the content of the F5 probe file; Network Access (NA) nevertheless works.

Conditions:
Special environment with captive portal and proxy.

Impact:
Users might be confused by the window shown.

Workaround:

Fix:
Resolved rare condition that caused BIG-IP Edge Client to work improperly when a client uses proxy to connect to the BIG-IP system.


471059-2 : Malformed cookies can break persistence

Component: Local Traffic Manager

Symptoms:
Clients sending a malformed cookie (that is, a space character that precedes the persistence cookie) might prevent the parsing of a valid persistence cookie.

Conditions:
The HTTP request contains a malformed cookie value that occurs before the BIG-IP system persistence cookie. For example: Cookie: foo=bar =bar; BIGipServerhttp=60361226.20480.0001

Impact:
Persistence is ignored.

Workaround:
None.

Fix:
Cookie values containing a space character are parsed properly.
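As an added example (not BIG-IP code), the following contrasts a strict Cookie header parser that gives up at the first malformed pair, losing the persistence cookie that follows it, with a lenient one that tolerates spaces in values and skips nameless pairs; the header strings are constructed from the example in this entry.

```python
"""Constructed example (not BIG-IP code) for fix 471059-2: a strict Cookie
header parser stops at the first malformed cookie-pair and never reaches the
persistence cookie; a lenient parser keeps going and still finds it."""
import re
from typing import Dict, Optional, Tuple

# Constructed samples. The first is the header from the entry above: the
# value "bar =bar" contains a space in front of the persistence cookie.
SAMPLE_COOKIE_HEADER = "foo=bar =bar; BIGipServerhttp=60361226.20480.0001"
# A pair with no name at all, followed by a persistence cookie.
NAMELESS_PAIR_HEADER = "=orphan; BIGipServerhttp=60361226.20480.0001"

# RFC 6265 cookie-name is a token: no whitespace, separators or control characters.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def _parse_pair(pair: str) -> Optional[Tuple[str, str]]:
    """Split one 'name=value' pair; return None if it has no '=' or no valid token name."""
    name, sep, value = pair.strip().partition("=")
    if not sep or not _TOKEN.match(name):
        return None
    return name, value.strip()


def parse_cookies_strict(header: str) -> Dict[str, str]:
    """Old behaviour: the first malformed pair ends parsing of the whole header."""
    cookies: Dict[str, str] = {}
    for raw_pair in header.split(";"):
        parsed = _parse_pair(raw_pair)
        # A nameless pair, or a value containing whitespace, is a syntax error.
        if parsed is None or any(ch.isspace() for ch in parsed[1]):
            break
        cookies[parsed[0]] = parsed[1]
    return cookies


def parse_cookies_lenient(header: str) -> Dict[str, str]:
    """Fixed behaviour: keep the value even if it contains spaces and skip only
    the pairs that have no usable name, so later valid cookies are still seen."""
    cookies: Dict[str, str] = {}
    for raw_pair in header.split(";"):
        parsed = _parse_pair(raw_pair)
        if parsed is None:                 # e.g. "=orphan": skip just this pair
            continue
        cookies.setdefault(parsed[0], parsed[1])   # first occurrence wins
    return cookies


def find_persistence_cookie(cookies: Dict[str, str], prefix: str = "BIGipServer") -> Optional[str]:
    """Return the value of the first cookie whose name starts with the persistence prefix."""
    for name, value in cookies.items():
        if name.startswith(prefix):
            return value
    return None
```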


470994-4 : Rarely, TMM may segfault when applying TSO to invalid packets

Component: Local Traffic Manager

Symptoms:
You might see TMM segfaults when the system attempts to apply TSO processing to an outbound packet that does not need it.

Conditions:
Occurs when applying TSO to packets.

Impact:
TMM crashes and the system fails over. This occurs rarely.

Workaround:
You can work around this by disabling TCP segmentation offload. To do so, modify the tm.tcpsegmentationoffload value using the following command: tmsh modify sys db tm.tcpsegmentationoffload value disable.

Fix:
TMM now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.


470796-4 : XSS vulnerability in echo.jsp CVE-2014-4023

Component: TMOS

Symptoms:
See SOL15532: XSS vulnerability in echo.jsp CVE-2014-4023 for complete details.

Conditions:
F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

Impact:
Unknown.

Workaround:
To mitigate this vulnerability, you can limit Configuration utility access to a trusted management network.

Fix:
CVE-2014-4023.


470414-1 : Portal Access rewrite daemon may crash while processing some Flash files

Component: Access Policy Manager

Symptoms:
The rewrite process starts consuming 100% of the CPU and is then killed. Symptoms: high load on the system, rewrite core files.

Conditions:
This happens in a very rare situation when Flash files were produced with specification violations. Specifically, the list of objects within a DefineSprite tag is not terminated with an End tag, although it always should be terminated that way.

Impact:
Portal Access is temporarily unavailable. Core file for 'rewrite' process is generated.

Workaround:

Fix:
Portal Access no longer crashes when rewriting some incorrect Adobe Flash files.


469824-5 : Mac Edge client on Mac mini receives settings for iOS Edge Client

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac on Mac mini receives settings for iOS Edge Client. Edge Client behavior might be different than expected if Mac Edge Client settings are different from iOS Edge Client settings.

Conditions:
Mac mini, with both iOS Edge Client and Mac Edge Client settings in the connectivity profile on the BIG-IP system.

Impact:
Edge Client for Mac might behave differently than expected.

Workaround:

Fix:
Edge Client for Mac on Mac mini now uses the settings for the Mac Edge Client in the connectivity profile on BIG-IP system.


469705 : TMM might panic when processing SIP messages due to invalid route domain

Component: Local Traffic Manager

Symptoms:
TMM might panic when processing SIP messages due to invalid route domain.

Conditions:
SIP Requests are being processed with a via header that does not contain an 'rport' attribute. SIP profile attached to the virtual server has 'dialog aware' enabled.

Impact:
TMM panics with following string: 'domain != RT_DOMAIN_NONE'.

Workaround:
Disable the 'dialog aware' option on the SIP profile, or configure SIP OneConnect.

Fix:
TMM sets a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.


469100-2 : JavaScript index expressions with a comma are not properly rewritten

Component: Access Policy Manager

Symptoms:
If there are expressions like a[b,c] within JavaScript code, these expressions will return a[b] instead of a[c] after rewriting with Portal Access. This could lead to JavaScript exceptions, or silent flaws in logic of application.

Conditions:

Impact:
This issue leads to exceptions or broken logic of customer's backend application.

Workaround:
This issue has no workaround at this time.

Fix:
JavaScript index expressions with list of values are now correctly rewritten by Portal Access.


468908-4 : Session timeout settings doesn't work properly

Component: Access Policy Manager

Symptoms:
Disabling the "Session timeout" option in the Resource item properties has no effect on whether the popup dialog about user logout appears.

Conditions:
1. Set the inactivity timeout to 105 sec.
2. Create a resource item with session timeout enabled.
3. Go to this resource. The popup dialog appears after 5 sec.
4. Disable session timeout for this item.
5. Go to this resource. The popup dialog still appears after 5 sec.

Impact:
Session timeout can't be disabled in Resource item.

Workaround:
There is no workaround at this time.

Fix:
Session timeout can now be disabled in the Resource item.


468837-1 : SNAT translation traffic group inheritance does not sync across devices

Component: TMOS

Symptoms:
When a snat-translation object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.

Impact:
The inherited-traffic-group property must be manually maintained on all devices.

Workaround:
Enable the 'full sync' option instead of using incremental sync.

Fix:
SNAT translation traffic group inheritance now syncs across devices using incremental sync.


468478-2 : APM Portal Access becomes unresponsive.

Component: Access Policy Manager

Symptoms:
APM Portal Access becomes unresponsive.

Conditions:
Using APM Portal Access with application cookies that require more than 32 KB of storage.

Impact:
APM Portal Access becomes unresponsive and rewrite plugins consume 100% of the CPU.

Workaround:
None.

Fix:
Now, when the 32 KB cookie storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.


468472-1 : Unexpected ordering of internal events can lead to TMM core.

Component: Local Traffic Manager

Symptoms:
TMM may core and failover with the following tcp4 assert: ../modules/hudfilter/tcp4/tcp4.c:937: %svalid pcb%s.

Conditions:
If the TCP profile receives a spurious event it can cause TMM to crash.

Impact:
TMM crashes and fails over.

Workaround:
None.

Fix:
Unexpected ordering of internal events no longer leads to TMM core.


468465-1 : OWA2013 may work incorrectly via Portal Access in IE10/11

Component: Access Policy Manager

Symptoms:
JavaScript error appears if user tries to view/change settings in OWA2013 via Portal Access in Internet Explorer 10/11.

Conditions:
Internet Explorer 10 or 11 and OWA2013.

Impact:
User cannot change settings in OWA2013.

Workaround:
No workaround is known.

Fix:
Now it is possible to view and/or change settings in OWA2013 via Portal Access using Internet Explorer 10/11.


468441-1 : OWA2013 may work incorrectly via Portal Access in IE10/11

Component: Access Policy Manager

Symptoms:
JavaScript error appears if user tries to view/change settings in OWA2013 via Portal Access in Internet Explorer 10/11.

Conditions:
Internet Explorer 10 or 11 and OWA2013.

Impact:
User cannot change settings in OWA2013.

Workaround:
No workaround is known.

Fix:
Now it is possible to view and/or change settings in OWA2013 via Portal Access using Internet Explorer 10/11.


468433-1 : OWA2013 may work incorrectly via Portal Access in IE10/11

Component: Access Policy Manager

Symptoms:
JavaScript error appears if user tries to view or change settings in OWA2013 via Portal Access in Internet Explorer 10/11.

Conditions:
Conditions leading to this issue include: Internet Explorer 10 or 11 and OWA2013.

Impact:
User cannot change settings in OWA2013.

Workaround:
This issue has no workaround at this time.

Fix:
Now it is possible to view and/or change settings in OWA2013 via Portal Access using Internet Explorer 10/11.


468388-6 : Connection flows leak when service provider DAG is configured and/or under-provisioned LSN pools are configured

Component: Carrier-Grade NAT

Symptoms:
Connection flows leak when service provider DAG is configured and/or under-provisioned LSN pools are configured on BIG-IP systems.

Conditions:
Service provider DAG and/or under-provisioned LSN pools configured.

Impact:
Connection flow leak causing TMM core after some time.

Workaround:

Fix:
Connection flows do not leak and TMM does not core when service provider DAG is configured and/or under-provisioned LSN pools are configured on the BIG-IP systems.


468235-4 : The worldwide City database (City2) does not contain all of the appropriate Proxy strings.

Component: TMOS

Symptoms:
Digital Element's proxy information is not available in the City2 database.

Conditions:
We do not ship this database, but it is available from our partner. In the case of a customer obtaining and installing the city database, Digital Element's proxy information is not included.

Impact:
Proxy information is incomplete.

Workaround:
None.

Fix:
The tool that generates the database, as well as the tool that allows users to look up entries, has been modified to use the new proxy strings.


468175-2 : IPsec interop with Cisco systems intermittent outages

Component: TMOS

Symptoms:
Occasionally, traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems stops after a certain period of time and recovers after an hour.

Conditions:
This issue occurs when more than one pair of IPsec SAs is negotiated, which triggers redundant SA removal on the Cisco router.

Impact:
The IPsec tunnel stops passing traffic until the problematic IPsec SA expires and a new set of IPsec SAs is negotiated.

Workaround:
Delete the problematic IPsec SAs.

Fix:
The system now works correctly, without stopping traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems.


467646-1 : IDE DMA timeouts can result in stuck processes

Component: TMOS

Symptoms:
If the device experiences an IDE DMA timeout, some processes become unresponsive and the kernel logs messages containing 'DMA timeout error' in kern.log. An unfulfilled kernel request to the IDE device might result in uninterruptible, stuck processes.

Conditions:
This occurs on VIPRION B4100/B4100N (A100), B4200/B4200N (A107) blades and on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V).

Impact:
This condition can cause the I/O request to never complete, resulting in unresponsive and uninterruptible processes. Various symptoms result depending on the affected process. Some conditions might require a power cycle to correct.

Workaround:

Fix:
IDE DMA timeouts no longer result in unresponsive processes on VIPRION B4100/B4100N (A100), B4200/B4200N (A107) blades and on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V).


467633-1 : WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)

Component: WebAccelerator

Symptoms:
TMM cores or exhibits strange behavior. Checking the WAM stats reveals an underflow for bytes_minified in wam_css_stat, for example:

active parses bytes_parsed bytes_queued partial_parses partial_parse_bytes
------ ------ ------------ ------------ -------------- -------------------
0      4      612          0            4              586

annotations resets parser_errors bytes_minified       images_inlined
----------- ------ ------------- -------------------- --------------
5           0      0             18446744073709551564 0

images_bytes_inlined images_uninlined images_uninlined_expiry
-------------------- ---------------- -----------------------
0                    0                0

Conditions:
The CSS data that is being minified must already be minified and contain no extraneous whitespace.

Impact:
TMM may core or behave unexpectedly. The wam_css_stat stat's bytes_minified will be incorrect.

Workaround:
Disable CSS minification.

Fix:
Extra spaces are no longer added to the minified CSS.


467022-4 : 11050 platform will not go active citing error 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2).

Component: TMOS

Symptoms:
When booting an affected release, the system will not go active and mcpd will not come up. In /var/log/ltm, an error similar to the following is logged: err mcpd[1234]: 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2). This gives the system an inconsistent view of the disks, and subsequent steps in the boot process fail to complete.

Conditions:
This only happens on the 11050 platform running an affected release. It occurs on boot into TMOS.

Impact:
The system will not go active.

Workaround:
If there is a duplicate platform name in /etc/hal/platform-capabilities.xml, the XML file is loaded improperly, which causes problems. Specifically, the software RAID capability of the 11050 is not detected properly. The fix is to manually edit the /etc/hal/platform-capabilities.xml file to resolve this conflict, and then reboot. Changing the 11050 NEBS platform name to "BIG-IP 11050N" works around the issue.

/etc/hal/platform-capabilities.xml:

--BEFORE---
<platform name="BIG-IP 11050" pid="E102" > <!-- Turbo Apollo -->
  <raid type="software" />
</platform>
<platform name="BIG-IP 11050" pid="E103" > <!-- Turbo Apollo NEBS -->   <------ Duplicate entry
  <raid type="software" />
  <nebs value="true" />
</platform>

---AFTER---
<platform name="BIG-IP 11050" pid="E102" > <!-- Turbo Apollo -->
  <raid type="software" />
</platform>
<platform name="BIG-IP 11050N" pid="E103" > <!-- Turbo Apollo NEBS -->   <------ fixed entry
  <raid type="software" />
  <nebs value="true" />
</platform>

All you need to do is add an "N", changing the platform name for Turbo Apollo NEBS to "BIG-IP 11050N", which resolves the conflict. After making the change, save the file and reboot the system; it should come up normally.

Fix:
The platform capabilities file which was causing this issue has been modified to allow the system to go active normally.
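As an added example (not F5 tooling), the following scans a platform-capabilities style file for platform entries that share a name and applies the rename from the workaround above; the enclosing platforms element and the fragment are constructed, since the real file's root element is not shown here.

```python
"""Constructed example (not F5 code) for fix 467022-4: detect duplicate
platform names in a platform-capabilities.xml-style file and apply the
rename that resolves the conflict."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# Constructed fragment modelled on the BEFORE snippet in the workaround above;
# the <platforms> wrapper is an assumption, not the real file's root element.
BEFORE_FRAGMENT = """<platforms>
  <platform name="BIG-IP 11050" pid="E102"><!-- Turbo Apollo -->
    <raid type="software" />
  </platform>
  <platform name="BIG-IP 11050" pid="E103"><!-- Turbo Apollo NEBS -->
    <raid type="software" />
    <nebs value="true" />
  </platform>
</platforms>
"""


def duplicate_platform_names(xml_text: str) -> Dict[str, List[str]]:
    """Map each platform name that appears more than once to the pids that share it."""
    root = ET.fromstring(xml_text)
    pids_by_name: Dict[str, List[str]] = defaultdict(list)
    for platform in root.iter("platform"):
        name = platform.get("name")
        if name is not None:
            pids_by_name[name].append(platform.get("pid", "?"))
    return {name: pids for name, pids in pids_by_name.items() if len(pids) > 1}


def rename_platform(xml_text: str, pid: str, new_name: str) -> str:
    """Apply the workaround: give the platform entry with the given pid a distinct name."""
    root = ET.fromstring(xml_text)
    for platform in root.iter("platform"):
        if platform.get("pid") == pid:
            platform.set("name", new_name)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("duplicates:", duplicate_platform_names(BEFORE_FRAGMENT))
    fixed = rename_platform(BEFORE_FRAGMENT, "E103", "BIG-IP 11050N")
    print("after rename:", duplicate_platform_names(fixed))
```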


466898-1 : JavaScript may see incorrect value for form action.

Component: Access Policy Manager

Symptoms:
The HTML form action value may be corrupted after the form is submitted.

Conditions:
HTML form with absolute action path.

Impact:
Web application may work incorrectly via portal access if it does not reload HTML page with form after submitting.

Workaround:

Fix:
Issue fixed. Enterprise Manager reports now work correctly when accessed via Portal Access.


466797-3 : Added warning message when maximum session timeout is reached

Component: Access Policy Manager

Symptoms:
Previously, when Edge Client reached the maximum session timeout, it simply disconnected with no indication of the reason.

Conditions:
The session reaches the maximum timeout.

Impact:
The user may be confused.

Workaround:

Fix:
Now BIG-IP Edge Client shows warning about session expiration when maximum session timeout is reached.


466756-3 : Automating input to gtm_add script rather than running it interactively can result in script failure

Component: Global Traffic Manager

Symptoms:
The gtm_add script can fail if the user automates input to the script, even if the input is valid.

Conditions:
User is automating input to gtm_add script. For example: echo y | tmsh run gtm gtm_add 1.1.1.1

Impact:
The gtm_add script fails and GTM sync is not established with the target BIG-IP system.

Workaround:
Run the script interactively from the command line.

Fix:
The user can now automate input to the gtm_add script and it will succeed, given that the input provided is valid.


466745-1 : Cannot set the value of a session variable with a leading hyphen.

Component: Access Policy Manager

Symptoms:
Cannot set the value of an ACCESS::session variable with a leading hyphen.

Conditions:
Using a leading hyphen for the value of the session variable, for example: ACCESS::session set data var_name -value.

Impact:
Cannot use a hyphen at the start of a session variable value. The system posts an error message similar to the following: err tmm3[12741]: 01220001:3: TCL error: /Common/pass <ACCESS_POLICY_AGENT_EVENT> - bad option name (line 1)setting variable var_name for sid (null) failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data set var_name "-foo""

Workaround:
This issue has no workaround at this time.

Fix:
In this release, an extra parameter, made up of two dashes (--), was added. When -- is inserted before a value, the value can start with a hyphen; for example, "ACCESS::session set data var_name -- -value".


466605-1 : Corruption of web-application global variable 'r' under some conditions.

Component: Access Policy Manager

Symptoms:
JavaScript: web application malfunction.

Conditions:
The web application code uses the global variable 'r' and assigns to obj.innerHTML.

Impact:
The impact of this issue is a web-application malfunction.

Workaround:
This issue has no workaround at this time.

Fix:
JavaScript: Portal Access variable 'r' is now a local variable.


466486 : CVE-2014-0224: CCS vulnerability

Component: TMOS

Symptoms:
An early change cipher spec message could result in a man-in-the-middle attack against OpenSSL 0.9.8 servers. The management GUI uses OpenSSL 0.9.8 on 11.4.0 and 11.4.1. This patch fixes OpenSSL so that it is not vulnerable to a MITM. BIG-IP virtual servers doing TLS termination are not vulnerable to the man-in-the-middle attack.

Conditions:
11.4.0 and 11.4.1 are only vulnerable on the management port.

Impact:
Potentially vulnerable to listed CVE.

Workaround:

Fix:
OpenSSL has been upgraded to eliminate the man in the middle attack.


465908-3 : CVE-2014-0224: behavior change

Component: Local Traffic Manager

Symptoms:
BIG-IP virtual servers doing TLS termination are not vulnerable to CVE-2014-0224. OpenSSL has made a change to disallow early change cipher spec messages. This fix imitates that behavior.

Conditions:
CCS (change-cipher-spec) is received before the Client Key Exchange.

Impact:
The system should not tolerate an incorrect SSL message sequence; in this case, CCS (change-cipher-spec) is received before the Client Key Exchange.

Workaround:
N/A

Fix:
BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.
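As an added example (not BIG-IP or OpenSSL code) covering both 466486 and 465908-3, the following is a minimal server-side state tracker that aborts the handshake when a ChangeCipherSpec record arrives before the ClientKeyExchange, the message order the fix rejects; the two message sequences are constructed and only the client-originated messages that matter for this check are modelled.

```python
"""Constructed example (not BIG-IP or OpenSSL code) for fixes 466486 and
465908-3: reject a ChangeCipherSpec that arrives before the client's key
exchange, the out-of-order sequence that CVE-2014-0224 depends on."""
from typing import Iterable, Optional, Tuple

# TLS record content types and handshake message types (RFC 5246).
CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_CLIENT_KEY_EXCHANGE = 16
HS_FINISHED = 20

Message = Tuple[int, Optional[int]]   # (content_type, handshake_type or None)


class EarlyCCSError(Exception):
    """Raised when the peer sends ChangeCipherSpec before the handshake allows it."""


class ServerHandshakeTracker:
    """Tracks the order of client-originated messages in a full TLS 1.x handshake.

    Only the order relevant to the CCS check is modelled:
    ClientHello -> ClientKeyExchange -> ChangeCipherSpec -> Finished.
    """

    def __init__(self) -> None:
        self.seen_client_hello = False
        self.seen_key_exchange = False
        self.seen_ccs = False

    def feed(self, msg: Message) -> None:
        content_type, hs_type = msg
        if content_type == CONTENT_CHANGE_CIPHER_SPEC:
            # The fix: CCS is legal only after the key exchange, because before
            # it there is no properly negotiated master secret to switch to.
            if not self.seen_key_exchange:
                raise EarlyCCSError("ChangeCipherSpec received before ClientKeyExchange")
            self.seen_ccs = True
            return
        if content_type != CONTENT_HANDSHAKE:
            return                       # application data etc. is not tracked here
        if hs_type == HS_CLIENT_HELLO:
            self.seen_client_hello = True
        elif hs_type == HS_CLIENT_KEY_EXCHANGE:
            if not self.seen_client_hello:
                raise ValueError("ClientKeyExchange received before ClientHello")
            self.seen_key_exchange = True
        elif hs_type == HS_FINISHED:
            if not self.seen_ccs:
                raise ValueError("Finished received before ChangeCipherSpec")


def accepts_sequence(messages: Iterable[Message]) -> bool:
    """Return True if the server would accept this message order, False if it must abort."""
    tracker = ServerHandshakeTracker()
    try:
        for msg in messages:
            tracker.feed(msg)
    except (EarlyCCSError, ValueError):
        return False
    return True


# Constructed sequences: a normal handshake, and one with an injected early CCS.
NORMAL_HANDSHAKE = [
    (CONTENT_HANDSHAKE, HS_CLIENT_HELLO),
    (CONTENT_HANDSHAKE, HS_CLIENT_KEY_EXCHANGE),
    (CONTENT_CHANGE_CIPHER_SPEC, None),
    (CONTENT_HANDSHAKE, HS_FINISHED),
]
EARLY_CCS_HANDSHAKE = [
    (CONTENT_HANDSHAKE, HS_CLIENT_HELLO),
    (CONTENT_CHANGE_CIPHER_SPEC, None),       # arrives before ClientKeyExchange
    (CONTENT_HANDSHAKE, HS_CLIENT_KEY_EXCHANGE),
    (CONTENT_CHANGE_CIPHER_SPEC, None),
    (CONTENT_HANDSHAKE, HS_FINISHED),
]
```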


465803-5 : CVE-2014-0221 CVE-2014-0195: DTLS flaws

Component: TMOS

Symptoms:
CVE-2014-0221 CVE-2014-0195 are OpenSSL flaws in the DTLS implementation. BIG-IP does not have any DTLS servers. BIG-IP does not by default have any DTLS clients, but some may be configured by customers. These clients might be vulnerable.

Conditions:
BIG-IP virtual servers doing DTLS termination are vulnerable only with configured COMPAT ciphers.

Impact:
Vulnerable to CVE-2014-0221 CVE-2014-0195.

Workaround:

Fix:
OpenSSL is updated to fix CVE-2014-0221 and CVE-2014-0195.


465607-3 : TMM cores with TMM log error 'Assertion "flow in use" failed.' when using FastHTTP.

Component: Local Traffic Manager

Symptoms:
TMM cores with the TMM log showing the error 'Assertion "flow in use" failed.' This is an infrequent race condition.

Conditions:
This is an infrequent race condition. The actual set of events that leads to this core is unknown. However, this requires FastHTTP to be configured, and it is known that this happens when the FastHTTP connection is closing.

Impact:
TMM cores and restarts. Connections may be lost and failover may be triggered.

Workaround:
Do not use FastHTTP.

Fix:
The system now provides checks to mitigate the race condition on close of FastHTTP to avoid the core.


465346 : APD may crash while updating cache for Active Directory module

Component: Access Policy Manager

Symptoms:
APD may crash when the BIG-IP system is under heavy load, many session requests are accepted at the same time, and the group cache needs to be updated (cache expired or new group added).

Conditions:
This issue occurs when an Active Directory group cache update is required.

Impact:
The impact of this issue is that apd does not accept session requests until it restarts after the crash.

Workaround:
This issue has no workaround at this time.


465052 : Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing

Component: Local Traffic Manager

Symptoms:
TMM cores when executing an HTTP::cookie command in an iRule. If the command does not have the minimum required number of arguments, the code is not checking for this condition; it assumes they are there.

Conditions:
An iRule command must execute an HTTP::cookie command (such as "HTTP::cookie sanitize") with missing required arguments.

Impact:
TMM restarts, possibly causing a failover in an active/standby system.

Workaround:
Ensure all HTTP::cookie commands in iRules have the correct number of arguments. A workaround is to add a line "log local0. some text" before the line "HTTP::cookie sanitize". Then there will be no tmm crash.

Fix:
Check to make sure all required arguments are present in an HTTP::cookie command prior to attempting to use them.


465012-2 : Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access

Component: Access Policy Manager

Symptoms:
The Rewrite plugin may crash on large JavaScript files and tags when webtrace or debug logging for Portal Access is enabled.

Conditions:
Portal Access log level is set to "Debug", or Web Application Trace feature of Portal Access is active.

Impact:
Portal Access is temporarily unavailable. Core file for 'rewrite' process is generated.

Workaround:
Disable webtrace; change the Portal Access log level to Notice.

Fix:
Fixed an issue where Rewrite plugin could crash when collecting webtrace or debug logs for Portal Access.


464992-3 : Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails to recognize DC component in certificate common name field. Edge Client fails to pass machine certificate inspection if domain component is included in search regular expression.

Conditions:
BIG-IP Edge Client for Mac, machine certificate agent, DC component in the common name search regex.

Impact:
BIG-IP Edge Client for Mac might fail to log in.

Workaround:

Fix:
BIG-IP Edge Client for Mac now passes Machine Certificate inspection when domain component is included in search criteria.


464748-1 : A cookie with an empty or incorrect expires field causes a JavaScript failure.

Component: Access Policy Manager

Symptoms:
Cookie is not set from JavaScript. There is a failed request from browser to /private/fm/volatile.html?F5CH=<something>

Conditions:
This issue occurs when the expires part of the cookie string is missing or in an unsupported format.

Impact:
The impact of this issue is that some cookies cannot be set from JavaScript.

Workaround:
This issue has no workaround at this time.

Fix:
In portal access, a cookie with an empty or wrong expires field no longer causes a JavaScript failure.


464547-2 : Show proper error message when VMware View client sends invalid credentials to APM

Component: Access Policy Manager

Symptoms:
The View client shows no information or error page if the user types the wrong password or username.

Conditions:
Bad credentials supplied to the VMware View client connecting through APM.

Impact:
End user would not know if the failed login was caused by bad credentials or for another reason.

Workaround:

Fix:
VMware View client displays a proper message when a user enters invalid credentials.


464462 : Prevent SQL monitor hangs

Component: Local Traffic Manager

Symptoms:
Certain situations could cause SQL monitors to hang, or to get the wrong connection status.

Conditions:
Uncertain, but using different send and/or receive strings with the same IP:port could cause collisions.

Impact:
This could cause SQL connections to hang, or node status to be incorrectly determined.

Workaround:

Fix:
Send and receive strings were added to the unique PingerKey object to differentiate between SQL connections, so connections to the same IP:port that differ by send and/or receive strings are treated separately.


464313-1 : Dynamically created HTML forms may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If an HTML page contains a BASE tag, any dynamically created form in this page may work incorrectly if it uses an absolute action path.

Conditions:

Impact:
Web application may not work via portal access.

Workaround:

Fix:
Now dynamically created forms with absolute action path are handled correctly even with non-empty BASE tag.


464159-3 : JavaScript: submit() method without explicit object

Component: Access Policy Manager

Symptoms:
JavaScript: It is possible to call the submit() method without an explicit object, for example, in event handlers:

<form action='/action.cgi'>
<input type=button name=a onclick='submit()' value='Submit'>
</form>

Pressing the button should submit the form. If the form has an action with an absolute path (as in this example), then the non-rewritten path is used when working via Portal Access.

Conditions:
An HTML page with a form that has an absolute action path and uses an explicit submit() call.

Impact:
The form is not submitted because the wrong action path is used.

Workaround:
This issue has no workaround at this time.

Fix:
JavaScript: Now isolated submit() calls are handled correctly and form action paths are rewritten at such calls. The situation when a submit() call refers to a separate function is also supported.


464116-2 : HTTP responses are not cached when response-adapt is applied

Component: Service Provider

Symptoms:
When a response-adapt profile is applied on a virtual with ramcache, HTTP responses are not cached.

Conditions:
Both ramcache and response-adapt on a virtual.

Impact:
HTTP responses are not cached.

Workaround:

Fix:
HTTP responses modified by response-adapt are cached.


463902-2 : Hardware Compression in CaveCreek may cause excessive memory consumption.

Component: Local Traffic Manager

Symptoms:
Closely related to BZ456859. Symptoms appear as slow, but unbounded, growth in xfrag allocation.

Conditions:
Highly-varying compression payload sizes, plus time.

Impact:
TMM may segfault and leave a core that indicates high xfrag memory usage.

Workaround:
Do not use hardware compression.

Fix:
Flat-buffer allocator for hardware compression tuned to be less greedy.


463776-1 : VMware View client freezes when APM PCoIP is used and user authentication fails against VCS 5.3

Component: Access Policy Manager

Symptoms:
VMware View client freezes.

Conditions:
APM PC-over-IP (PCoIP) is used and user authentication fails against View Connection Server (VCS) 5.3.

Impact:
The VMware View client freezes, and the user is unable to log in.

Workaround:
This issue has no workaround at this time.

Fix:
VMware View client does not freeze when APM PC-over-IP (PCoIP) is used and user authentication fails against View Connection Server 5.3.


463651-2 : PPP tunnels remain open after session gets closed

Component: Access Policy Manager

Symptoms:
Point-to-Point Protocol (PPP) tunnels remain open after the session is closed. The APM 'PPP tunnel closed' log entry appears much later than the 'Session closed' entry.

Conditions:
This can occur when gzip compression is configured, and may sometimes happen randomly.

Impact:
Resources are held on the server side.

Workaround:
This issue has no workaround at this time.

Fix:
An issue that caused PPP tunnels to remain open after the session gets closed has been fixed.


463468 : Failed tmsh command generates double logs

Component: TMOS

Symptoms:
A single failed tmsh command generates two identical audit log entries, and audit_forwarder sends two logs to the audit server (TACACS+ in this example).

Conditions:
tmsh auditing is enabled and the tmsh command fails mcpd validation. This does not occur with successful commands.

Impact:
Here is an example of the failure:

tmsh create ltm pool pool20
01020066:3: The requested pool (/Common/pool20) already exists in partition Common

The TACACS+ accounting server then receives two records that differ only in task_id:

Tue May 20 16:27:17 2014 10.10.10.201 root unknown unknown update service=system protocol=ip task_id=130 start_time=1400627369 event=cmd_acct reason=May 20 16:09:29 aftest notice tmsh[20175]: 01420002:5: AUDIT - pid=20175 user=root folder=/Common module=(tmos)# status=[01020066:3: The requested pool (/Common/pool20) already exists in partition Common.] cmd_data=create ltm pool pool20

Tue May 20 16:27:17 2014 10.10.10.201 root unknown unknown update service=system protocol=ip task_id=132 start_time=1400627369 event=cmd_acct reason=May 20 16:09:29 aftest notice tmsh[20175]: 01420002:5: AUDIT - pid=20175 user=root folder=/Common module=(tmos)# status=[01020066:3: The requested pool (/Common/pool20) already exists in partition Common.] cmd_data=create ltm pool pool20

Workaround:
None.

Fix:
Failed tmsh command no longer generates double logs.


463202-4 : BIG-IP system drops non-zero version EDNS requests

Component: Local Traffic Manager

Symptoms:
If a query from a client contains a non-zero EDNS version, the query is dropped instead of sending an appropriate response.

Conditions:
This occurs with DNS profile processing when a client sends a query with a non-zero EDNS version.

Impact:
Dropped queries, retries, and then time-outs occur.

Workaround:

Fix:
If the EDNS version is not zero, the query passes through the filter and is not dropped.
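
As an added example (not part of this release note or of the BIG-IP code), the following Python models the corrected filter on a constructed query: an OPT RR with EDNS version 1 is answered with the extended RCODE BADVERS (16, as RFC 6891 requires) instead of being silently dropped, while a version-0 query passes through. The query bytes are built inline, and names such as build_query and handle_query are illustrative.

```python
import struct

TYPE_OPT = 41
BADVERS = 16  # RFC 6891 extended RCODE: unsupported EDNS version


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_query(qname, edns_version, txid=0x1234):
    """Constructed sample A query carrying an OPT RR with the given EDNS version."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = extended-RCODE(8) | VERSION(8) | DO/Z(16), RDLENGTH=0
    ttl = (edns_version & 0xFF) << 16
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def find_opt(msg):
    """Return (offset of the OPT RR, EDNS version), or (None, None) without an OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        start = off
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return start, (ttl >> 16) & 0xFF
        off += 10 + rdlen
    return None, None


def handle_query(msg):
    """Corrected filter: version 0 (or no OPT RR) passes through to normal
    processing; any other version gets a BADVERS response instead of a drop."""
    _, version = find_opt(msg)
    if version is None or version == 0:
        return "pass", None
    txid, flags, qd = struct.unpack("!HHH", msg[:6])
    qend = 12
    for _ in range(qd):
        qend = skip_name(msg, qend) + 4
    # QR=1, RD copied from the query; the low 4 bits of the 12-bit RCODE go in
    # the header, the high 8 bits travel in the OPT TTL with VERSION reset to 0.
    rflags = 0x8000 | (flags & 0x0100) | (BADVERS & 0xF)
    header = struct.pack("!HHHHHH", txid, rflags, qd, 0, 0, 1)
    ttl = ((BADVERS >> 4) & 0xFF) << 24
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return "badvers", header + msg[12:qend] + opt


def response_rcode(resp):
    """Reassemble the 12-bit RCODE from the header nibble and the OPT extended bits."""
    flags = struct.unpack("!H", resp[2:4])[0]
    start, _ = find_opt(resp)
    off = skip_name(resp, start)
    ttl = struct.unpack("!I", resp[off + 4:off + 8])[0]
    return ((ttl >> 24) << 4) | (flags & 0xF)
```

A resolver that receives BADVERS retries at version 0 immediately; a dropped query costs it a full retransmit timeout, which is the "retries, and then time-outs" impact listed above.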


462943-2 : TMM could crash when sending CSS files through a virtual with LTM URI Translation profile

Component: TMOS

Symptoms:
TMM could crash when sending CSS files through a virtual server with an LTM URI Translation profile. This happens when the CSS parser does not have enough input data to finish processing the current chunk and is left in an unfinished state. The parser then tries to parse the remaining data again, starting from that incorrect state, and crashes.

Conditions:
Specific data at the end of the current chunk of the backend response.

Impact:
TMM restarts. Temporary outage or failover; all clients must reconnect.

Workaround:
This issue has no workaround at this time.

Fix:
Resolved issue where rewrite CSS filter/parser may use stale iovs in declaration_state resulting in SIGSEGV.


462481-4 : Missing exception handling in APM OAM authentication during SDK calls

Component: Access Policy Manager

Symptoms:
The Access Policy Manager Oracle Access Manager (APM OAM) integration does not handle ObAccessRuntimeException and ObAccessException, which can be thrown by Access SDK (ASDK) API calls.

Conditions:

Impact:
The EAM process cores if an exception thrown by the SDK is not handled properly.

Workaround:
This issue has no workaround at this time.

Fix:
The OAM code now has proper exception handling where Oracle API calls are made.


462258-2 : AD/LDAP server connection failures might cause apd to stop processing requests when service is restored

Component: Access Policy Manager

Symptoms:
AD/LDAP server connection failures might cause APM apd to stop processing requests when service is restored. These symptoms accompany the problem:
- Too many file descriptors open by apd.
- 'Too many open files' error messages in the log file.
- Running qkview to gather diagnostic data reveals information similar to the following in the 'netstat -pano' output from qkview:

tcp 270 0 127.0.0.1:10001 10.10.225.85:53212 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 269 0 127.0.0.1:10001 10.10.225.4:56305 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 272 0 127.0.0.1:10001 10.10.57.10:57508 CLOSE_WAIT 12191/apd off (0.00/0/0)
tcp 0 0 127.1.1.1:56230 127.7.0.1:389 ESTABLISHED 12191/apd keepalive (1909.72/0/0)

The last line, with timer 'keepalive (1909.72/0/0)', indicates that apd has been waiting for a response for too long. The other lines, with a non-zero Recv-Q (for example 272), indicate that apd is not reading incoming requests as expected (specifically, the internal worker queue is overloaded because all threads are waiting on the one hanging thread).

Conditions:
This occurs between the connect and search phases of the AD/LDAP server connection operation, most likely when an AAA server is configured to use a pool as its backend. In this case, apd can always connect locally to the layered virtual server, but the pool monitor has a server availability check interval, so a lagging request to an unavailable server can cause apd to hang.

Impact:
Potential connection failures to backend server.

Workaround:

Fix:
Active Directory and LDAP server connection operations now time out after 3 minutes, so one thread does not block the others, and the service recovers as soon as the connection to the backend is restored.


462025-8 : SQL monitors do not handle route domains properly

Component: Local Traffic Manager

Symptoms:
SQL monitors cannot be started consistently when route domains are involved.

Conditions:
Configure an SQL monitor on a node inside a route domain.

Impact:
SQL monitors do not work as expected; they might hang or return results only intermittently.

Workaround:

Fix:
SQL monitors now handle route domains so that they behave as expected.


461587-8 : TCP connection can become stuck if client closes early

Component: Local Traffic Manager

Symptoms:
The connection remains half-open and appears in the connflow table after a FIN/ACK is received from the server side; the BIG-IP system never sends a FIN/ACK to the server side to indicate that the connection has been closed.

Conditions:
The client-side connection is closed before the server side completes the 3-way handshake, the server side never completes the 3-way handshake, and the LB::reselect command is issued via an iRule.

Impact:
The connection remains half-open and stuck in the connflow table.

Workaround:

Fix:
Serverside connections established due to LB::reselect will now correctly get closed after the 3-way handshake completes if the corresponding clientside connection has already been closed.


461560-4 : Edge client CTU report does not contain interface MTU value

Component: Access Policy Manager

Symptoms:
Client troubleshooting utility (CTU) reports do not log the MTU value of network interfaces.

Conditions:

Impact:
Troubleshooting MTU-related issues becomes difficult.

Workaround:
Use third party tools to capture MTU values.


461216-1 : Cannot rename some files using CIFS optimization of the BIG-IP system.

Component: Wan Optimization Manager

Symptoms:
Cannot rename some files using CIFS optimization of the BIG-IP system.

Conditions:
Happens on BIG-IP systems with a WOM configuration and CIFS optimization enabled, when the file names are very long.

Impact:
Unable to rename files with long filenames using CIFS optimization of the BIG-IP system; the wocplugin process cores.

Workaround:
None.

Fix:
You can now rename files with long filenames using CIFS optimization of the BIG-IP system.


461189-2 : Generated assertion contains HEX-encoded attributes

Component: Access Policy Manager

Symptoms:
When a BIG-IP system serving as a SAML identity provider (IdP) generates an assertion, the message might contain HEX-encoded values.

Conditions:
This occurs when a user authenticates against LDAP/AD/RADIUS and the attributes retrieved from the AAA server contain non-ASCII values. The BIG-IP system, acting as identity provider, then uses these non-ASCII values in the generated assertion.

Impact:
SAML SSO might fail if the service provider is not able to process HEX-encoded attributes.

Workaround:
There is no workaround on the identity provider. On the service provider side, assertion attribute values that begin with '0x' can be treated as HEX-encoded and decoded after the SP has processed the assertion.

Fix:
The BIG-IP system as identity provider now base64-encodes non-UTF-8 attributes, as expected.
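
As an added example (not code from this release note or from BIG-IP), the Python below implements the service-provider-side workaround described above and, beside it, a model of the fixed identity-provider behaviour. The attribute statement is constructed for the example; function names and the assumption that an SP library exposes attributes as name-to-value-list mappings are illustrative.

```python
import base64
import re

# Shape of the values the pre-fix IdP emitted: '0x' followed by the raw bytes in hex.
HEX_VALUE = re.compile(r"^0x(?:[0-9A-Fa-f]{2})+$")


def decode_hex_attribute(value):
    """SP-side workaround: treat a value of the form 0x<hex bytes> as HEX-encoded
    and decode it; anything else is returned unchanged.
    Caveat: a genuine value that merely looks like hex (e.g. '0x4142') is
    misdecoded, so apply this only to attributes known to come from the
    affected IdP, and only until the IdP is upgraded."""
    if not HEX_VALUE.match(value):
        return value
    raw = bytes.fromhex(value[2:])
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw          # not UTF-8: hand back bytes rather than guess a code page


def decode_attributes(attrs):
    """Apply the workaround to every value of an attribute statement
    (assumed layout: attribute name -> list of string values)."""
    return {name: [decode_hex_attribute(v) for v in values] for name, values in attrs.items()}


def idp_encode_attribute(raw):
    """Model of the fixed IdP: attribute bytes that are valid UTF-8 are emitted as
    text, anything else is base64-encoded. Returns (value, encoding)."""
    try:
        return raw.decode("utf-8"), "text"
    except UnicodeDecodeError:
        return base64.b64encode(raw).decode("ascii"), "base64"


# Constructed sample as the pre-fix IdP would emit it: 'displayName' came back
# from LDAP as UTF-8 "Müller" and was hex-encoded; 'uid' is ASCII and untouched.
SAMPLE_PRE_FIX = {
    "uid": ["jmueller"],
    "displayName": ["0x4dc3bc6c6c6572"],
}
```

On the SP, run decode_attributes() over the attribute statement only after signature validation has succeeded; the decoding step must never be applied to unverified input.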


460730-4 : On systems with multiple blades, large queries can cause TMM to restart

Component: TMOS

Symptoms:
When executing a chunked query (such as "show sys connection") that returns a lot of data, the primary MCP can get overwhelmed by the amount of data it is receiving from both its blade's TMMs and the secondary MCPs. It gives the data from its own TMMs priority, which eventually causes the secondary MCPs to run out of memory. At this point the MCP memory safeguards kick in and the secondary MCPs stop receiving data from their TMMs. The TMMs wait 20 seconds under these conditions, and if they have been unable to send data to MCP during that time, they exit and restart.

Conditions:
System must have multiple blades and execute a chunked query (for connection data or persistence records, for example) that returns a lot of data.

Impact:
TMM restarts and the system is unusable during that time.

Workaround:
This issue has no workaround at this time.

Fix:
Increased MCP's throughput by limiting the amount of data sent in a given chunk.


460627-2 : SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists

Component: Local Traffic Manager

Symptoms:
When the SASP monitor starts up, it can attempt to open a new TCP connection to the GWM server when another connection exists to it.

Conditions:
This happens when the GWM server sends SendWeight messages to the SASP monitor immediately after the registration of one pool member completes, but before the registration of all pool members is complete.

Impact:
The SASP monitor FINs (closes) an existing TCP connection to the GWM server.

Workaround:
This issue has no workaround at this time.

Fix:
SendWeight messages are now processed only after the registration of all pool members is complete. Monitor logging has been greatly improved. In addition, a crashing bug that caused the SASPD_monitor process to restart has been fixed.


460427-5 : Address collision reported when the primary blade goes down or its TMM crashes in a chassis IntraCluster environment.

Component: Access Policy Manager

Symptoms:
In a chassis IntraCluster environment, when the primary blade or its TMM goes down for any reason (e.g., crash, restart, or shutdown), the system posts 'IPv4 Addr collision' messages in the APM logs.

Conditions:
This happens when a Chassis platform is used in IntraCluster mode with APM's Network Access.

Impact:
Address collision is reported in the logs, and affected clients (that have duplicate IP addresses - both the original ones and the new ones) might intermittently lose connectivity.

Workaround:
None.

Fix:
Now the TMM leasepool IP information for the primary blade is mirrored on the oldest secondary blade, so the system no longer posts 'IPv4 Addr collision' messages.


460265-4 : APMD crash on some string operations in Tcl expressions.

Component: Access Policy Manager

Symptoms:
APMD crashes during Tcl expression evaluation when trying to read a session variable.

Conditions:
A null Tcl interpreter object may cause expression evaluation to fail.

Impact:
APMD cores, and access policy execution fails.

Workaround:
This issue has no workaround.

Fix:
apmd crashed with a null Tcl interpreter object. This is now fixed.


460020-1 : Rewrite profile might cause tmm core when trying to rewrite set cookie in HTTP response header

Component: TMOS

Symptoms:
If there are multiple Set-Cookie rewrites in an HTTP response header, tmm might core because it references incorrect locations in the buffer. TMM may crash and leave an error message in one of the TMM log files (/var/log/tmm*) similar to: notice 2: lib/c/xbuf.c:930: xbuf_subtract: Assertion `valid xfrag subtraction' failed.

Conditions:
The original issue occurred with ASM, but it is not specific to ASM. It can occur whenever the rewrite profile is used and the path/domain within the Set-Cookie field of an HTTP response header is rewritten.

Impact:
TMM crashes and restarts, which may result in a failover or traffic disruption.

Workaround:
This issue has no workaround at this time.

Fix:
If there are multiple Set-Cookie rewrites in an HTTP response header, tmm no longer cores due to referencing incorrect locations in the buffer.


459900-1 : Policy Sync error response "An error has occurred while trying to process your request"

Component: Access Policy Manager

Symptoms:
This is purely a configuration issue. If device group constraints are defined with values other than the supported ones (hidden, autosync_enabled, type, full_load_on_sync), the request fails to process.

Conditions:
Device group constraints are defined with values other than the supported ones: hidden, autosync_enabled, type, full_load_on_sync.

Impact:
Because of the unknown constraint, an error message is shown in the UI.

Workaround:
No workaround.

Fix:
The device group constraint configuration has been corrected to use only the supported constraints.


459851-5 : Connection aborted when using a GET request with an If-Match header in a policy node with No-Proxy (request)/Always-Proxy (response) settings.

Component: WebAccelerator

Symptoms:
The connection is aborted when using an If-Match header with an Always Proxy response policy node but a No Proxy request policy node.

Conditions:
Virtual server with WebAccelerator. GET request with an If-Match header carrying a strong entity tag. WA policy: the node matching the request is No-Proxy; the node matching the response is Always Proxy.

Impact:
The connection is reset when a 412 (Precondition Failed) should be returned.

Workaround:
None.

Fix:
When using an If-Match header with an Always Proxy response policy node but a No Proxy request policy node, the system now returns 412 (Precondition Failed), which is the correct behavior.
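
As an added example (not WebAccelerator code and not part of this release note), the Python below shows the precondition evaluation a proxy has to perform to arrive at 412 rather than a reset: If-Match is compared with the strong comparison function of RFC 7232, so a weak tag on either side never matches, and '*' matches only when a current representation exists. The request headers and ETags are constructed sample values, and the function names are illustrative.

```python
def parse_etag(token):
    """Split one entity-tag into (is_weak, opaque_tag); reject malformed input."""
    token = token.strip()
    weak = token.startswith("W/")
    if weak:
        token = token[2:]
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("malformed entity-tag: %r" % token)
    return weak, token[1:-1]


def if_match_holds(if_match_header, current_etag):
    """Evaluate If-Match (RFC 7232 section 3.1) against the current ETag.
    If-Match uses the strong comparison function: a weak tag on either side
    never matches. '*' matches whenever a current representation exists."""
    if if_match_header.strip() == "*":
        return current_etag is not None
    if current_etag is None:
        return False
    cur_weak, cur_tag = parse_etag(current_etag)
    for candidate in if_match_header.split(","):
        if not candidate.strip():
            continue
        weak, tag = parse_etag(candidate)
        if not weak and not cur_weak and tag == cur_tag:
            return True
    return False


def precondition_status(request_headers, response_etag):
    """Status a proxy between client and origin should return for a GET:
    200 when the precondition holds (or no If-Match was sent), 412 when it
    fails. Resetting the connection, as the pre-fix policy did, is never a
    valid outcome: the client cannot distinguish it from a network fault."""
    if_match = request_headers.get("If-Match")
    if if_match is None or if_match_holds(if_match, response_etag):
        return 200
    return 412
```

The split on ',' assumes entity-tags do not themselves contain commas, which is true of the tags real origins emit; a strict parser would tokenize the quoted-string grammar instead.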


458928-2 : APMD cores in Kerberos authentication when the agent tries to dereference a null authparam session variable.

Component: Access Policy Manager

Symptoms:
APMD cores in Kerberos authentication when the agent tries to dereference a null authparam session variable.

Conditions:
This occurs when using client-based Kerberos authentication without an authparam.

Impact:
APMD process cores and restarts.

Workaround:
None.

Fix:
If an authparam is not found in the local cache, an empty string will be returned to the caller. This is correct behavior.


458556-3 : TMM may fail to start in certain traffic situations on chassis platforms

Component: Local Traffic Manager

Symptoms:
TMM restarts on startup when traffic arrives before CMP transitions to ready. The transition-to-ready message can be found in the TMM logs; if traffic is sent to the device before this, TMM can core.

Conditions:
Applies to chassis platforms with monitors enabled that are restarted or upgraded while traffic is running.

Impact:
Outage on one or more blades.

Workaround:
Disable monitors, restart TMM, then re-enable the monitors.

Fix:
TMM no longer cores on startup when traffic arrives before the transition to CMP ready.


458167-2 : Improve logging and error code checks for EAM / OAM component

Component: Access Policy Manager

Symptoms:
EAM had no detailed logs in some data paths and during some errors, which made it difficult to analyze the cause of unexpected errors.

Conditions:
Logs were missing for unexpected error events in some cases, and details such as the error code were missing; only a general message, "failure occurred when processing the work item", was logged, which did not help with troubleshooting.

Impact:
There was no functional impact. Debugging was difficult due to insufficient logging.

Workaround:
No workaround. The new logs help with debugging in case of an unexpected error.

Fix:
Improved logging and error code checks for the EAM / OAM component.


457902-4 : No EAM log stack trace in /var/log/apm on an EAM crash event.

Component: Access Policy Manager

Symptoms:
On an EAM crash event, the stack trace and fault address were not logged in /var/log/apm.

Conditions:
EAM crashes, and the signal handler does not log many details to /var/log/apm.

Impact:
Core debugging is harder without the stack trace and fault address in the log.

Workaround:
No workaround.

Fix:
[OAM] The signal handler now logs the stack trace, fault address, etc. to /var/log/apm. This is now fixed.


457760-2 : EAM not redirecting stdout/stderr from standard libraries to /var/log/apm

Component: Access Policy Manager

Symptoms:
Logs from standard libraries were not redirected to /var/log/apm in the EAM plug-in.

Conditions:
Stdout/stderr from standard libraries are affected.

Impact:
stderr/stdout from standard libraries were not logged, which impacted troubleshooting.

Workaround:
No workaround to log stderr/stdout.

Fix:
[OAM] stdout/stderr from standard libraries is now redirected to /var/log/apm. This is now fixed.


457568-3 : Loading of configuration fails intermittently due to WOC Plug-in-related issues.

Component: Wan Optimization Manager

Symptoms:
Loading of configuration fails intermittently due to WOC Plug-in-related issues.

Conditions:
This rarely encountered issue occurs when the BIG-IP system is configured with AAM (formerly WOM/WOC/WAM) objects and there is an attempt to change or load the configuration.

Impact:
Configuration load fails. Cannot change the configuration.

Workaround:
Manually change the configuration and restart/reboot the system.

Fix:
Loading of configuration no longer fails due to WOC Plug-in-related issues.


457293-3 : Clustered Multiprocessing (CMP) peer connection is not removed in certain race conditions.

Component: Local Traffic Manager

Symptoms:
The CMP peer connection could be left behind without being swept out when the connection at the origin is aborted too early in the connection flow.

Conditions:
CMP with two tmm instances; a connection gets aborted.

Impact:
Connections leak until memory is exhausted.

Workaround:
N/A

Fix:
When the origin CMP instance cannot find the connection after its peer replies, it now re-sends a REMOVE message to the peer so that the peer connection is removed.


456942-2 : TMM may crash when using the DNS::name iRule command to modify the RR owner name

Component: Local Traffic Manager

Symptoms:
When using the DNS::name iRule command to modify the RR owner name of a DNS message, TMM may crash if the new owner name passed from the iRule is not a valid domain name, or if the BIG-IP system is processing a high volume of traffic and is under memory pressure.

Conditions:
When using an iRule to modify the RR owner name of a DNS message, and one of the following conditions is met: (a) The new domain name passed in from the iRule is an invalid domain name. (b) The BIG-IP system is short of memory, and memory allocation fails when creating a new RDF.

Impact:
TMM may crash; the site is at risk.

Workaround:
Use a valid domain name in the iRule.

Fix:
After the fix, if the domain name in the iRule is invalid or a memory allocation failure occurs while modifying the RR owner name with the DNS::name iRule command, TMM does not crash.


456413-6 : Persistence record marked expired though related connection is still active

Component: Local Traffic Manager

Symptoms:
A persistence record might be marked expired even though its corresponding connection is still active and passing traffic.

Conditions:
This occurs when using persistence.

Impact:
Persist records disappear in spite of flow activity that is more recent than the persist timeout.

Workaround:
Set the timeout of persist to at least 33 seconds longer than the related flow timeout.

Fix:
Persistence records are maintained when the connection and persistence timeouts are within 33 seconds of each other.


456384-3 : alertd cores on two very long syslog messages

Component: TMOS

Symptoms:
alertd cores sometimes.

Conditions:
When a pool associated with many monitors goes down, a very long syslog message is logged. This can cause alertd to core. The syslog messages carry one of the following error codes: 01070640:5, 01070638:5.

Impact:
This issue causes alertd to restart. While alertd is stopped, no SNMP traps are sent.

Workaround:
This issue has no workaround at this time.

Fix:
An issue that made alertd core on two long syslog messages is now fixed.


455762-2 : DNS cache statistics no longer incremented improperly due to mirrored cache data.

Component: Local Traffic Manager

Symptoms:
DNS Cache statistics might skew high due to shared information between TMMs incrementing the same statistic multiple times.

Conditions:
Any DNS Cache might see this issue.

Impact:
DNS Cache Statistics are listed as higher than they should have been.

Workaround:
This issue has no workaround.

Fix:
DNS Cache Statistics are no longer being incremented multiple times for the same action.


454784-4 : In VPE, %xx symbols (for example, in the variable assign agent) might be invalidly decoded.

Component: Access Policy Manager

Symptoms:
In VPE, %xx symbols might be invalidly decoded. If a user assignment string contains percent-encoded symbols such as "%60", "%7E", "%21", "%40", "%23", the saved string is written properly but is re-read and displayed as the characters "`", "~", "!", "@", "#". Saving again might therefore cause unneeded re-encoding of those symbols.

Conditions:
Variable assign agent; the assigned string contains a %xx symbol.

Impact:
Medium. The customer is confused and might not be able to modify a string that was saved and then loaded.

Workaround:
1. Edit bigip.conf directly.
2. Save the proper string in another location and copy/paste it before modification, so %xx-encoded symbols stay preserved.

Fix:
Issue fixed; the encoding no longer re-encodes or re-decodes the symbols.


454692-1 : Assigning 'after' object to a variable causes memory leaks

Component: Local Traffic Manager

Symptoms:
Assigning 'after' object to a variable prevents the release of the 'after' object and its related connflow object, resulting in a memory leak for 'connflow', 'tcl (variable)', 'tclrule_pcb', and 'filter (variable)'.

Conditions:
This occurs when using the 'after' iRule command and assigning it to a variable.

Impact:
TMM crash or TMM memory usage increases.

Workaround:
Unset the variable containing the 'after' object, for example:

when HTTP_REQUEST priority 800 {
    set SCRIPT_ID [after $static::one_second { log local0. "$LOG_MSG" }]
}
when CLIENT_CLOSED {
    # CLIENT_CLOSED also fires for connections that never reached HTTP_REQUEST,
    # so guard the unset to avoid a Tcl error on a variable that was never set.
    if { [info exists SCRIPT_ID] } {
        unset SCRIPT_ID
    }
}

Fix:
Assigning 'after' object to a variable no longer causes memory leaks.


454475-6 : TLS Handshake succeeds when the padding is incorrect.

Component: Local Traffic Manager

Symptoms:
When padding is used (TLS 1.0 and later), every padding byte must be set to the padding length, or the handshake should fail.

Conditions:
TLS 1.0 or greater handshake with padding.

Impact:
Handshake succeeds where it should fail.

Workaround:
None.

Fix:
The padding values used in the TLS 1.0 or greater handshake are now validated, and invalid values cause an alert to be sent.
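
As an added example (not BIG-IP code and not part of this release note), the Python below contrasts a length-only padding check, which is the behaviour the note describes, with the strict check that TLS 1.0 and later require, and runs both over a constructed decrypted record (fragment || MAC || padding). The check applies to every CBC record, handshake records included. The MAC key, sequence number and record contents are sample values; function names are illustrative.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha1().digest_size   # 20 for the *_SHA cipher suites


def tls_mac(mac_key, seq_num, content_type, version, fragment):
    """TLS 1.0+ record MAC: HMAC(key, seq_num || type || version || length || fragment)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def build_plaintext(mac_key, seq_num, content_type, version, fragment, pad_len):
    """A correctly formed CBC record as it looks after decryption:
    fragment || MAC || (pad_len + 1) bytes that all carry the value pad_len."""
    mac = tls_mac(mac_key, seq_num, content_type, version, fragment)
    return fragment + mac + bytes([pad_len]) * (pad_len + 1)


def check_padding_length_only(plaintext, mac_len):
    """Pre-fix behaviour described in the note: only the padding length byte is
    consulted; the padding bytes themselves are never compared."""
    pad_len = plaintext[-1]
    if pad_len + 1 + mac_len > len(plaintext):
        return False, 0
    return True, len(plaintext) - mac_len - pad_len - 1


def check_padding_strict(plaintext, mac_len):
    """Corrected check: every one of the pad_len + 1 trailing bytes must equal
    pad_len. All of them are examined with no early exit, so rejection costs the
    same regardless of where the first bad byte sits."""
    if len(plaintext) < mac_len + 1:
        return False, 0
    pad_len = plaintext[-1]
    if pad_len + 1 + mac_len > len(plaintext):
        return False, 0
    mismatch = 0
    for b in plaintext[-(pad_len + 1):]:
        mismatch |= b ^ pad_len
    if mismatch:
        return False, 0
    return True, len(plaintext) - mac_len - pad_len - 1


def verify_record(plaintext, mac_key, seq_num, content_type, version):
    """Receive-side check: padding, then MAC. Returns the fragment, or None when
    the peer must be sent a bad_record_mac alert."""
    ok, frag_len = check_padding_strict(plaintext, MAC_LEN)
    # Compute and compare the MAC even when the padding is bad, so the rejection
    # path does not reveal which of the two checks failed.
    fragment = plaintext[:frag_len]
    got_mac = plaintext[frag_len:frag_len + MAC_LEN]
    want_mac = tls_mac(mac_key, seq_num, content_type, version, fragment)
    mac_ok = hmac.compare_digest(got_mac, want_mac)
    if not (ok and mac_ok):
        return None
    return fragment
```

With one padding byte corrupted, check_padding_length_only() still reports the record as valid while check_padding_strict() rejects it; this Python is not constant-time in the way a production record layer must be (the MAC is computed over a variable length), it only shows the two checks side by side.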


454370-2 : Policy Sync Status messages become unordered

Component: Access Policy Manager

Symptoms:
The messages that communicate status of PolicySync between devices can arrive unordered.

Conditions:
Many conditions can affect this, such as file size and network latency. The issue is further exacerbated by NTP not being configured on all devices within the device group.

Impact:
This issue can lead to devices believing that the policy sync is still in progress, even if all devices have the updates reflected within their policy.

Workaround:
This issue has no workaround.

Fix:
The messages that communicate PolicySync status between devices could arrive unordered. This is now fixed.


454086-3 : Portal Access issues with Firefox version 26.0.0 or later

Component: Access Policy Manager

Symptoms:
Using Firefox version 26.0.0 or later with some web applications can fail. The page may stop loading and/or rendering.

Conditions:
Firefox version 26.0.0 or later, and an asynchronously loaded script that works with cookies and the DOM at the same time. A good example is the Google Analytics script in the page.

Impact:
The web application stops loading/rendering.

Workaround:
No general workaround.

Fix:
When using portal access on Firefox with some applications, the browser would go into deadlock. This no longer occurs.


452643-4 : Pool member's lb_value is not updated when transitioning from disabled to enabled

Component: Local Traffic Manager

Symptoms:
Some members may not receive traffic when the pool's load balancing method is set to one of the following:
- Least Connections
- Fastest
- Least Sessions

Conditions:
The member's lb_value is non-zero when it transitions to disabled.

Impact:
Member does not receive traffic

Workaround:
Enable the pool member and change the load balancing method from the original method to Ratio and back.

Fix:
A member's lb_value is now updated upon transitioning from disabled to enabled when using one of the following load balancing methods:
- Least Connections
- Fastest
- Least Sessions


452625-5 : Edge Client unable to automatically retrieve the RSA SecurID software token.

Component: Access Policy Manager

Symptoms:
Before this fix, users with an RSA SecurID software token had to manually copy and paste the software token from the RSA SecurID application into the logon page in the Edge Client. The logon page can now be configured so that it automatically retrieves the software token (if the PIN is provided by the user) from the "RSA SecurID software token with automation" application. This logon page configuration on the BIG-IP system works only with Edge Clients; in browsers, users still have to copy and paste the token manually, as before this fix.

Conditions:
Logon page, RSA SecurID software token, Edge Client.

Impact:
None; this is an enhancement.

Workaround:

Fix:
The Edge Client can now automatically retrieve the RSA SecurID software token when this is configured on the logon page.


452516-8 : Excessive memory consumption after extended use

Component: Local Traffic Manager

Symptoms:
Certain conditions can lead to excessive memory consumption. Excessive buffering results in performance drop, connections being dropped, and Out-of-memory core errors.

Conditions:
This can occur after a long period of time, such as a month or more.

Impact:
This might result in a performance drop, halted connections, and out-of-memory cores. Performance and stability can be affected, up to a full traffic outage.

Workaround:
The command 'bigstart restart tmm' on the standby unit will clear up the condition.

Fix:
Memory usage has been improved for certain categories of connections that are not yet fully established.


452482-2 : HTTP virtual servers with cookie persistence might reset incoming connections

Component: Local Traffic Manager

Symptoms:
An incoming TCP connection to an HTTP virtual server receives a RST during the 3-way handshake.

Conditions:
Incoming connection matches existing cookie persistence record and would be persisted to a pool member whose connection limit has been reached.

Impact:
TCP connection fails.

Workaround:

Fix:
Cookie persistence records are now ignored when the connection limit of the persisted pool member has been reached, so incoming connections are load balanced to another pool member (if one is available).
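
As an added example (not BIG-IP code and not part of this release note), the Python below models the member selection before and after the fix: a persistence record that points at a member with no connection headroom either resets the connection (pre-fix) or is ignored in favour of another member (fixed). Pool members, limits and the persistence table are constructed sample data; the class and function names are illustrative.

```python
import itertools


class Member:
    def __init__(self, name, conn_limit=0):
        self.name = name
        self.conn_limit = conn_limit     # 0 means unlimited
        self.cur_conns = 0

    def at_limit(self):
        return bool(self.conn_limit) and self.cur_conns >= self.conn_limit


class Pool:
    def __init__(self, members):
        self.members = members
        self._rr = itertools.cycle(members)

    def next_available(self):
        """Round-robin over members that still have connection headroom;
        None when every member is at its limit."""
        for _ in range(len(self.members)):
            m = next(self._rr)
            if not m.at_limit():
                return m
        return None


def select_member_pre_fix(pool, persist, cookie):
    """Behaviour described in the note: a matching persistence record is
    honoured even when its member is at the limit, and the connection is
    reset (returned as None) rather than sent anywhere else."""
    member = persist.get(cookie)
    if member is not None:
        return None if member.at_limit() else member
    return pool.next_available()


def select_member_fixed(pool, persist, cookie):
    """Corrected behaviour: the persistence record is ignored when the persisted
    member is at its limit, and the connection is load balanced to a member
    with headroom. None is returned only when no member can take it."""
    member = persist.get(cookie)
    if member is not None and not member.at_limit():
        return member
    return pool.next_available()
```

Ignoring the record breaks session affinity for that one connection, which is the trade-off the fix makes: a request reaching a different member is recoverable by the application, a RST during the handshake is not.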


452464-2 : iClient does not handle multiple messages in one payload.

Component: Access Policy Manager

Symptoms:
iClient does not handle multiple messages in one payload, leading to possible memory leak symptoms.

Conditions:
If multiple messages happen to arrive as one payload from the BIG-IP Edge Client.

Impact:
Possible memory leak symptoms.

Workaround:
This issue has no workaround at this time.

Fix:
If multiple messages arrive from BIG-IP Edge Client in one payload, the system processes them correctly.


452440-2 : TMM CPU/Memory utilization increases when using call-id persistence

Component: Service Provider

Symptoms:
TMM CPU/Memory utilization keeps increasing unchecked under steady, high SIP traffic.

Conditions:
This occurs with steady, high SIP traffic levels for a long duration on a SIP MBLB profile with call-id persistence.

Impact:
System resources are regained once load reduces, but having load remain high for a long time eventually results in SIP call failures.

Workaround:

Fix:
TMM CPU/memory usage now grows in accordance with the number of connections. If the SIP connections remain steady, resource utilization remains steady, as expected.


452416-4 : tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values

Component: Access Policy Manager

Symptoms:
On a multi-blade chassis, tmctl leasepool_stat for some slots may not be in sync. In addition, query of snmp apmLeasepoolStatTable returns values that do not match the tmctl leasepool_stat output for the current primary slot.

Conditions:
The issue occurs after a blade or tmm of a blade restarts.

Impact:
Incorrect stats only. No impact to functionality.

Workaround:

Fix:
The system now uses the correct system object to track current primary slot, which ensures that counters in leasepool_stat that have global context (that is, cur_member, cur_assigned, cur_free, max_assigned) are synced to all blades.


452246-1 : The correct cipher may not be chosen on session resumption.

Component: Local Traffic Manager

Symptoms:
During session resumption, the same cipher must be used as in the original session. If the original session negotiated cipher A and the resuming ClientHello contains ciphers A and B, the BIG-IP system might choose cipher B, which is incorrect.

Conditions:
The original ClientHello contains a different cipher list from the resuming one, and the resuming one contains a stronger cipher than was originally chosen.

Impact:
Not strictly RFC compliant.

Workaround:
This issue has no workaround.

Fix:
When the original ClientHello and resuming ClientHello contain different ciphers, if the original cipher is in the resuming ClientHello it will be chosen and the session resumed, otherwise a full handshake will be used.
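
As an added example (not BIG-IP code and not part of this release note), the Python below puts the pre-fix selection beside the corrected one using a small session cache: the fixed path resumes only when the original cipher is offered again and then keeps it, otherwise it falls back to a full handshake. The cipher names and server preference list are constructed for the example (they are not the BIG-IP cipher string syntax), and the function names are illustrative.

```python
import os

# Server preference order, strongest first (constructed list).
SERVER_PREFERENCE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]


def pick_by_preference(offered):
    """First cipher in server preference that the client also offers."""
    for cipher in SERVER_PREFERENCE:
        if cipher in offered:
            return cipher
    return None


def negotiate_full(cache, offered):
    """Full handshake: choose by server preference and record the session."""
    cipher = pick_by_preference(offered)
    if cipher is None:
        return "alert", None, None       # handshake_failure: nothing in common
    session_id = os.urandom(32)
    cache[session_id] = cipher
    return "full", cipher, session_id


def negotiate_pre_fix(cache, session_id, offered):
    """Behaviour the note describes: the session is resumed, but the cipher is
    chosen afresh by preference, so a stronger cipher B in the resuming hello
    displaces the cipher A the session keys were derived for."""
    cached = cache.get(session_id)
    cipher = pick_by_preference(offered)
    if cached is not None and cipher is not None:
        return "resumed", cipher, session_id
    return negotiate_full(cache, offered)


def negotiate_fixed(cache, session_id, offered):
    """Corrected logic: resume only if the original cipher is in the resuming
    ClientHello, and then keep that cipher; otherwise do a full handshake."""
    cached = cache.get(session_id)
    if cached is not None and cached in offered:
        return "resumed", cached, session_id
    return negotiate_full(cache, offered)
```

The cache maps session ID to the negotiated cipher only; a real cache also holds the master secret, which is exactly why the cipher must not change on resumption: the key block is expanded from that secret for one specific cipher.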


451960-1 : HTTPS monitors do not work with FIPS keys

Component: Local Traffic Manager

Symptoms:
If an HTTPS monitor is configured with a FIPS key, the monitor connection to the backend server is unsuccessful and, consequently, the corresponding pool is marked down.

Conditions:
BIG-IP FIPS platforms (except for Gemini) using FIPS keys with HTTPS monitor(s).

Impact:
Pool is incorrectly marked down.

Workaround:
This issue has no workaround.

Fix:
Monitors configured with FIPS keys now work and the pool status is marked correctly.


451602-2 : DPD packet drops with keyed VLAN connections

Component: TMOS

Symptoms:
DPD (Dead Peer Detection) packets are dropped after the IPsec tunnel is up. This occurs because, when keyed VLAN connections are enabled, the BIG-IP system tries to match the VLAN ID along with the other parameters for DPD packets, and drops them when the match fails.

Conditions:
Enable keyed VLAN connections and bring up IPsec tunnel.

Impact:
The tunnel does not stay up because of the DPD failure. The match should be done on the host interface instead of the actual VLAN interface.

Workaround:
None.

Fix:
Changed the interface match to look up the host interface instead of the VLAN interface.


451424-7 : SNMP subagent/snmpd might restart under certain conditions

Component: TMOS

Symptoms:
When an SNMP request is made to the BIG-IP system, snmpd decodes the request and sends a request to the process that supplies the data to answer the SNMP request.

Conditions:
This occurs when using SNMP.

Impact:
If the SNMP request times out before the process responds, the snmpd or SNMP subagent daemons might generate a core and restart. As a result, some data may be lost.

Workaround:
Restart snmpd using the command: bigstart restart snmpd.

Fix:
This release corrects a condition that could cause snmpd or SNMP subagent daemons to generate a core and restart.


451213-4 : Logs do not distinguish between static and dynamic IP allocation.

Component: Access Policy Manager

Symptoms:
In the APM network access use case, there was no way of knowing from the logs whether the lease pool IP was allocated statically or dynamically.

Conditions:
APM network access use case.

Impact:
None.

Workaround:
None.

Fix:
Added logs to distinguish static IP allocation from dynamic IP allocation.


451118-6 : Fixed mistakes in French localization

Component: Access Policy Manager

Symptoms:
French localization contains mistakes

Conditions:
French locale configured on user machine

Impact:
User observes incorrect translation

Workaround:

Fix:
Mistakes in French localization were fixed.


451083-4 : Citrix Wyse clients when working with StoreFront in integration mode

Component: Access Policy Manager

Symptoms:
APM does not support Citrix Wyse clients when working with StoreFront in integration mode.

Conditions:
Using APM with Citrix Wyse clients when working with StoreFront in integration mode.

Impact:
Citrix Wyse clients are unable to connect to APM.

Workaround:
Use the following iRule:

  priority 1
  when HTTP_REQUEST {
      set string [HTTP::header value Cookie]
      if { $string contains "NSC_AAAC=xyz" } {
          # Strip the NSC_AAAC and NSC_DLGE cookies before APM sees the request
          regsub {NSC_AAAC=xyz;?} $string {} tmp
          regsub {NSC_DLGE=xyz;?} $tmp {} result
          HTTP::header replace Cookie $result
      }
  }

Fix:
Now APM supports Citrix Wyse clients when working with StoreFront in integration mode.


451041-3 : Session ticket may not be parsed correctly when using SSL persistence

Component: Local Traffic Manager

Symptoms:
When using SSL persistence with session tickets, the session ticket may not be parsed correctly causing the SERVERSSL_HANDSHAKE event to not be triggered.

Conditions:
SSL persistence is configured and using session tickets.

Impact:
Expected TCL events might not happen.

Workaround:
Do not use server-side session tickets.

Fix:
The parsing of session tickets is now correct, and the expected TCL events are fired.


451035-3 : On an 11050-FIPS BIG-IP, TMM may reset when loading a large number of FIPS keys

Component: Local Traffic Manager

Symptoms:
If an 11050-FIPS system is configured with hundreds of FIPS keys, TMM clock advanced messages are seen and TMM may reset.

Conditions:
An 11050-FIPS system with over 200 FIPS keys configured, with the FIPS card loaded with firmware version 1.2.

Impact:
TMM restarts.

Workaround:
Upgrade Cavium FIPS firmware to FW 2.1 using: tmsh run util fips-util fwupdate

Fix:
Configuring BIG-IP with hundreds of FIPS keys no longer causes TMM to reset.


451003-2 : SSL/TLS client certificate verification may fail due to SHA algorithms that are advertised but not supported

Component: Local Traffic Manager

Symptoms:
When using ClientSSL with client certificate authentication set to 'request' or 'require', client certificate authentication may fail.

Conditions:
This occurs when all of the following conditions are met:
-- The software version is 11.4.0 or 11.4.1.
-- A ClientSSL profile exists on the virtual server.
-- The ClientSSL profile is configured with client certificate authentication set to 'request' or 'require'.
-- The client responds with a certificate signed by one of the following affected signature algorithms: SHA256-RSA (0x0401), SHA384-RSA (0x0501), or SHA512-RSA (0x0601).

Impact:
SSL/TLS connections fail to establish for some clients on virtual servers that request or require client certificates.

Workaround:

Fix:
Unsupported SHA algorithms have been removed, so SSL/TLS client certificate verification completes successfully.


450814-2 : Early HTTP response might cause rare 'server drained' assertion

Component: Access Policy Manager

Symptoms:
Early HTTP response from the server might cause 'server drained' assertion and traffic disruption.

Conditions:
This occurs when the server sends an early response, which might occur if the server responded before the system completed processing the entire incoming HTTP request data from the client. A filter other than HTTP is also required on the chain.

Impact:
The system posts a 'server drained' assertion and traffic is disrupted.

Workaround:
None, however, this issue occurs very rarely.

Fix:
HTTP will not cause a "server drained" assertion if a server ends a connection in an early server response.


450055-3 : SSL termination with responseadapt causes early client shutdown

Component: Service Provider

Symptoms:
When the HTTP server terminates its connection, BIG-IP receives an SSL encryption alert along with a FIN from the server (SSL close from the server), and then BIG-IP sends a FIN to the client side before the RSPMOD transaction with the ICAP server has completed. The HTTP client does not receive the HTTP response (whether modified or not).

Conditions:
Virtual Server (VS) with responseadapt and SSL.

Impact:
Response adaptation with SSL might not return the entire response to the client after the server closes the SSL session.

Workaround:
None.

Fix:
When the HTTP server terminates its connection and BIG-IP receives an SSL encryption alert along with a FIN from the server (SSL close from the server), BIG-IP now completes the HTTP response before closing the client connection.


449891-1 : Fallback source persistence entry is not used when primary SSL persistence fails

Component: Local Traffic Manager

Symptoms:
The existing source persistence record is not used as fallback for a second SSL request from the same source. The second request may be load balanced to a different pool member than the first one. Sometimes multiple source persistence records may be created pointing to different pool members.

Conditions:
SSL persistence is configured as the primary persistence method on an SSL VIP, and source persistence is configured as the fallback persistence method. The same client sends a second SSL request but with a different session ID, so that the SSL persistence lookup fails.

Impact:
Requests are load balanced to different pool members instead of the same one. In other words, source fallback persistence does not work.

Workaround:
There is no workaround for this issue.

Fix:
Fallback source persistence entry is now used when primary SSL persistence fails.


449848-6 : Diameter Monitor not waiting for all fragments

Component: Local Traffic Manager

Symptoms:
When the server returns response in two fragments, the Diameter monitor sends an ACK for the first fragment followed by a FIN and then a reset.

Conditions:
Server returns response in two fragments.

Impact:
Pool member is marked down.

Workaround:
None.

Fix:
Diameter Monitor now handles fragments as expected.


448787-3 : Monitors in non-default route domains may flap when a large number of connections are originated from that route domain

Component: Local Traffic Manager

Symptoms:
Limiting TCP/IP connections on non-default route domains can cause potential non-default route domain monitor issues.

Conditions:
This occurs because the rules that provide connection tracking are not picked up in the non-default route-domain upon creation.

Impact:
When the issue occurs, the kern.log reports the following message: 'nf_conntrack: table full, dropping packet', and pool monitors flap intermittently.

Workaround:
Disable connection tracking in non-default route domains.

Fix:
Connection tracking is now correctly disabled in non-default route domains.


448606-1 : tmm cores with panic string %slistener ref non-zero%s

Component: Local Traffic Manager

Symptoms:
The listener ref count might overflow and cause a TMM core and crash.

Conditions:
This intermittent issue occurs when the listener ref count increases and is never released.

Impact:
TMM cores with panic string tmm_panic ... %slistener ref non-zero%s.

Workaround:
None.

Fix:
The listener ref count no longer overflows and causes a TMM core and crash.


448493-1 : SIP response from the server to the client get dropped

Component: Service Provider

Symptoms:
SIP responses are not forwarded to the client. Instead, the system drops those SIP responses.

Conditions:
This occurs when using SIP OneConnect with an iRule that uses the node/snat command in SIP_RESPONSE event in the iRule to direct the SIP response from the server.

Impact:
Some SIP flows do not complete, which affects the SIP clients.

Workaround:
Remove the node/snat command from SIP_RESPONSE event processing in the iRule.

Fix:
iRules node/snat command in the iRule SIP_RESPONSE event now works correctly.


447874 : TCP zero window suspends data transfer

Component: Local Traffic Manager

Symptoms:
HTTP pipelined requests might cause the TCP window to stay at 0 and not recover.

Conditions:
This intermittent issue occurs when HTTP pipeline requests are sent, and those requests use the GET method.

Impact:
When this occurs, the resulting TCP zero window suspends data transfer. It is possible that the TCP window will be reduced to 0 (zero) and never recover.

Workaround:
None.

Fix:
HTTP pipelined requests using the GET method no longer cause the TCP window to stay at 0.


447080-2 : VLAN tagged/untagged configuration change requires tmm restart

Component: Local Traffic Manager

Symptoms:
On BIG-IP 2000-/4000-series appliances, modifying an interface's VLAN configuration from tagged to untagged, or untagged to tagged, can result in unavailability of traffic on that interface.

Conditions:
This occurs on BIG-IP 2000-series or 4000-series appliance, connected to an upstream network that expects a tagged (or alternately, untagged) VLAN.

Impact:
Traffic does not pass after this change, until TMM is restarted.

Workaround:
Restarting the tmm with 'bigstart restart tmm' corrects this condition, as does deleting and recreating the VLAN with desired tagging attributes.

Fix:
VLAN tagged/untagged configuration change occurs immediately, and no longer requires tmm restart.


447075-2 : CuSFP module plugged in during links-down state will cause remote link-up

Component: TMOS

Symptoms:
If a CuSFP module is plugged into a port that is in a links-down state while connected via a cable to a remote switch or other network connection, the remote switch will report a links-up state. A port on the BIG-IP or VIPRION device may be in a links-down state while BIG-IP is not in a running state, or if the network interface has been administratively disabled.

Conditions:
Issue has been primarily observed with VIPRION B2100 or B2150 blades. However, the problem could potentially occur on other VIPRION blades or BIG-IP appliances which employ a Broadcom hardware switch (i.e., most F5 hardware products). BIG-IP appliances which do NOT employ a Broadcom hardware switch include: BIG-IP 2000-/4000-series appliances.

Impact:
The remote switch may erroneously attempt to direct traffic to what is seen as an active link, which the BIG-IP or VIPRION device will not be able to process.

Workaround:
You may work around this problem by any of the following methods:
1. Unplug the cable connecting the CuSFP (Copper SFP) module to the remote network connection before plugging the CuSFP into the port on the BIG-IP or VIPRION device.
2. Wait until the port on the BIG-IP or VIPRION device is in an enabled/links-up state before plugging in the CuSFP.
3. Enable the port on the BIG-IP or VIPRION device after plugging in the CuSFP.

Fix:
A remote network connection no longer shows as Up/Link when a CuSFP module is plugged into a port on a BIG-IP or VIPRION device that is in a links-down state, while connected via a cable to the remote switch/other network connection.


447061-1 : DNS Listeners Properties display issues

Component: Global Traffic Manager (DNS)

Symptoms:
On the web interface, on the properties screen, DNS Listeners don't display properly in certain route domain/partition combinations. For example, the properties page for listeners is empty or incomplete and cannot be updated.

Conditions:
This can occur if you select a Partition that has a different route domain than Common, then click on a listener that is in the Common partition.

Impact:
The page is broken with missing information and cannot be updated.

Workaround:
Go to DNS >> Listeners and select the "Common" Partition, then click on the listener.

Fix:
If the listener address changes route domains, the source address now also automatically changes to the same route domain.


447043-5 : Cannot have 2 distinct 'contains' conditions on the same LTM policy operand

Component: Local Traffic Manager

Symptoms:
Cannot express conditions such as "user-agent contains 'Android' AND 'Mobile'". LTM policies have operands that can be matched against a set of values, causing a match when the operand matches one of these values. There is no way with the current functionality to require a match on all of the values. One specific situation in which this is needed is configuring 'contains'.

Conditions:
Specify an ltm rule with two conditions that have the same operand and match type, for example:

  conditions {
      0 { http-header name User-Agent contains values { Android } }
      1 { http-header name User-Agent contains values { Mobile } }
  }

Impact:
The policy does not work. The system posts an error message similar to the following: Failed to compile the combined policies.

Workaround:

Fix:
LTM policies now allow rules to have multiple conditions on the same operand and same match type, so that "user-agent contains 'Android' AND 'Mobile'" can now be expressed by specifying:

  conditions {
      0 { http-header name User-Agent contains values { Android } }
      1 { http-header name User-Agent contains values { Mobile } }
  }


446755-2 : Connections with ramcache and clientssl profile allowing non-SSL traffic may stall

Component: Local Traffic Manager

Symptoms:
Connections on a virtual server with both a ramcache profile and a clientssl profile that allows non-SSL traffic may stall under certain unusual conditions.

Conditions:
Virtual server with ramcache and clientssl profile allowing non-SSL traffic.

Impact:
The connection stalls until reset by the client or expired by the sweeper. The client may see a response from the server.

Workaround:
No practical workaround.

Fix:
Connections no longer stall on virtual servers with ramcache and clientssl profile allowing non-SSL traffic.


446352-2 : NAT-T and IPsec is not working when tunnel endpoint has floating IP address

Component: TMOS

Symptoms:
IKE negotiation fails with NAT-T and floating tunnel end point address.

Conditions:
NAT-T is configured on BIG-IP and the IPsec tunnel endpoint address is floating.

Impact:
Tunnel never comes up.

Workaround:
None.

Fix:
IKE negotiation is now successful and the IPsec tunnel comes up properly and passes traffic with NAT-T and floating tunnel end point address.


446207-3 : "state" value of software check result session variables never gets updated

Component: Access Policy Manager

Symptoms:
The "state" value in the session variables of software check results never gets updated. When an endpoint executes an access policy that is configured to do any software check (for example antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent or disk encryption), the check produces result session variables such as:

  <session ID>.session.check_software.last.<software type>.state 1 0
  <session ID>.session.check_software.last.<software type>.result 1 1
  <session ID>.session.check_software.last.<software type>.count 1 1
  <session ID>.session.check_software.last.<software type>.error 1 0

In these session variables the value of "state" always remains the same, so an access policy that checks whether this value ever becomes 1 will fail.

Conditions:
A software check (antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent or disk encryption) is configured in a BIG-IP access policy and an endpoint executes this access policy.

Impact:
Access policy failure

Workaround:
Don't use this deprecated session variable (it exists for backward compatibility); instead configure your access policy to match the state correctly. If you want to verify that the "state" of any software check (antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent or disk encryption) is "enabled", configure the access policy and change the state to "enabled".

Fix:
The "state" value in the session variables created after a software check (antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent and disk encryption) now contains the state of the specified product.


443098-5 : Memory leakage when Proxy SSL feature enabled

Component: Local Traffic Manager

Symptoms:
When the Proxy SSL feature is enabled, small amounts of memory used during connection handling are leaked. Over a long period of time, this leakage accumulates and causes memory pressure.

Conditions:
This occurs when the Proxy SSL feature is enabled.

Impact:
When this occurs, memory is leaked over time and eventually results in performance degradation and eventual traffic outage.

Workaround:
None.

Fix:
The Proxy SSL feature no longer leaks memory.


442993-1 : An unexpected gateway may be selected for the management interface

Component: TMOS

Symptoms:
Unexpected gateway via management interface (in /etc/sysconfig/network) is created whenever a specific management-route is configured using tmsh. This unexpected configuration is applied onto the kernel after a reboot.

Conditions:
This occurs when a specific non-default management-route is configured, and the default management-route is not configured.

Impact:
An incorrect gateway is configured after a reboot.

Workaround:
You can avoid the issue by configuring a default management-route if you are using non-default management-routes. As a workaround for the issue, delete the unexpectedly created management default route following every reboot. To do so, use a command similar to the following: 'ip route del default dev eth0' or 'ip route del default dev mgmt'. You can include the appropriate command in the file /config/startup to have the command run automatically after each boot operation.

Fix:
The system uses only the default management-route to configure the gateway. If the default management-route is not configured, the system does not create the gateway. This is correct behavior.


442980-3 : GTM pool statistics incorrect if max-address-returned not set to 1 and r

Component: Global Traffic Manager

Symptoms:
With max_addresses_returned greater than 1, multiple addresses are returned, but only the pool member associated with the first address gets stats increased.

Conditions:
Set max_addresses_returned greater than 1

Impact:
Pool stats do not show the update when pool members are selected as alternate addresses.

Workaround:
None.

Fix:
All pool members returned now have their statistics increased.


442889 : TMM may generate core dump with rewrite profile

Component: TMOS

Symptoms:
Core dump may be generated when using web applications (Sharepoint confirmed) through LTM Rewrite profile.

Conditions:
This issue occurs when Sharepoint is working through LTM Rewrite profile.

Impact:
Web application is not working, core dumps are generated on access.

Workaround:
This issue has no workaround at this time.

Fix:
Sharepoint is working now, core dumps are not being generated.


442647-6 : IP::stats iRule command reports incorrect information past 2**31 bits

Component: Local Traffic Manager

Symptoms:
Due to a mistaken internal object-size conversion, the statistical data used by the IP::stats iRule command reports a negative number when the data exceeds 2**31.

Conditions:
Transferring more than 2 gigabytes or 2 billion packets on a connection that then uses IP::stats commands in an iRule will show a negative number.

Impact:
iRules cannot rely on the validity of the IP::stats counters when more than 2 gigabytes have been transferred.

Workaround:
Upgrade to a fixed version.

Fix:
The IP::stats command now uses a 64-bit object.


442625-1 : TMM crash, requested unknown already exists errors when creating IPsec AH traffic-selector

Component: TMOS

Symptoms:
When attempting to create an IPsec Authentication Header (AH) traffic-selector, you might encounter errors, and TMM might crash.

Conditions:
The crash occurs when a TCP virtual server retransmits over an IPsec AH tunnel.

Impact:
The system posts alerts similar to the following:

  err alertd[6623]: 01100014:3: Action tmsh create net ipsec traffic-selector NET18 Source-Address 200.4.18.0/24 destination-port any destination-address 0.0.0.0/0 ipsec-policy test_tunnel is failed.
  err mcpd[5973]: 01020037:3: The requested unknown (/Common/NET19) already exists.
  err tmsh[32652]: 01420006:3: 01020037:3: The requested unknown (/Common/NET19) already exists.

Workaround:
None.

Fix:
Fixed the TMM crash and the "requested unknown already exists" errors that occurred when creating an IPsec AH traffic-selector.


442598-4 : Traffic cannot pass through a tunnel after the Edge client is switched to DTLS from TLS

Component: Access Policy Manager

Symptoms:
Traffic cannot pass through a tunnel after the Edge client is switched to DTLS from TLS.

Conditions:
Edge client switched to DTLS from TLS.

Impact:
Traffic does not pass through the tunnel. The Edge client hangs, and the status changes to 'Waiting to connect' / 'Downloading server settings'.

Workaround:

Fix:
Now, the Edge client correctly does not close the session locally when the server is not reachable and the session timeout check request fails.


442535-1 : Time zone changes do not apply to log timestamps without tmm restart

Component: Advanced Firewall Manager

Symptoms:
When the timezone of the BIG-IP system changes, logging timestamps are not updated to the new timezone.

Conditions:
This occurs when the timezone of the BIG-IP system changes.

Impact:
/var/log/ltm logs will have the correct time from the other processes that log, but tmm logs will have the incorrect time. The time remains incorrect until tmm or the system is restarted. There are potential issues with processes that depend on correct localtime in tmm.

Workaround:
Run one (or both) of the following commands:
-- In tmsh: restart tmm
-- From the command line: bigstart restart tmm

Fix:
tmsh modify sys ntp timezone <timezone> will now send a message to TMM so it will reload the timezone.


442528-6 : Demangle filter crash

Component: Access Policy Manager

Symptoms:
The demangle filter crashes with a SIGBUS.

Conditions:
Very long URLs must be used and the demangle filter must be in the chain.

Impact:
HTTP requests with very long URL cannot be processed.

Workaround:
To work around the problem, add this code to the iRule:

  when HTTP_REQUEST {
      log local0. "Referer length is [string length [HTTP::header Referer]]"
      # Remove an oversized Referer header so the demangle filter never sees it
      if { [string length [HTTP::header Referer]] > 4000 } {
          HTTP::header remove Referer
      }
  }

Fix:
Long URLs (up to 16K long) are handled correctly.


442410-4 : Error condition with connection mirroring and connection pooling (OneConnect) enabled

Component: Local Traffic Manager

Symptoms:
If connection mirroring is enabled on a BIG-IP HA configuration with connection pooling (OneConnect) also enabled, TMM on a standby member may core with a SIGFPE, after logging a message containing the following string in the TMM log: 'panic: TCP4: HUDEVT_EXPIRED (Connection expired) bad pcb magic (0x00585858)'.

Conditions:
This may occur when enabling connection mirroring on a BIG-IP HA configuration with connection pooling (OneConnect) also enabled.

Impact:
TMM logs errors, generates SIGFPE messages and cores until connection mirroring is turned off.

Workaround:
You can use one of the following to work around the issue:
-- Turn off connection mirroring.
-- Turn off connection pooling (OneConnect).

Fix:
Resolved TMM error message 'HUDEVT_EXPIRED (Connection expired) bad pcb magic (0x00585858)' and TMM core on standby member of HA configuration with connection mirroring and connection pooling (OneConnect) enabled.


442336-6 : FastL4 virtual may crash with SERVER_CONNECTED rule and acceleration

Component: Local Traffic Manager

Symptoms:
On a FastL4 virtual server with hardware syncookies enabled, acceleration enabled, and a SERVER_CONNECTED rule in place, when the SERVER_CONNECTED rule fails the flow is aborted while it is still in the packet path, and tmm produces a segv and crashes.

Conditions:
This occurs with a FastL4 virtual server, syncookie enabled, PVA accelerated and configured with SERVER_CONNECTED rule (this rule fails).

Impact:
TMM crashes.

Workaround:
Turn off syncookies.

Fix:
TMM no longer crashes when there is a FastL4 virtual server, syncookie is enabled, PVA is accelerated, and a configured SERVER_CONNECTED rule fails.


442191-1 : HTTP Class profiles globs are upgraded to a contains condition when it should be equals

Component: TMOS

Symptoms:
HTTP Class profiles globs are upgraded to a policy with a contains condition when it should be equals. The upgrade process will succeed, but the policy will not use the correct syntax.

Conditions:
A UCS or config with HTTP Class profiles containing globs for matching must be applied to 11.4.0 or 11.4.1 to encounter this state. The UCS must be from 11.3.x or earlier.

Impact:
After the upgrade to 11.4.x, the policy matches more than the HTTP Class profile did. Network traffic is impacted.

Workaround:
Manually modify policies with the incorrect condition after upgrading to 11.4.x.

Fix:
The policy condition now converts properly from an HTTP class to an LTM policy and the ultimate behavior is identical to that of the previous release.


442139-2 : Some iRules can result in stuck UDP connections

Component: Local Traffic Manager

Symptoms:
When using an iRule on a UDP virtual server, it is possible for a connection flow to get stuck and remain allocated until it times out. The connection flow still appears in tmsh (using "tmsh sys conn show") but no longer passes packets. As new packets arrive, the flow timeout is extended, causing an outage.

Conditions:
The connection flow must be aborted (e.g. ICMP/Reachable received from serverside) while the iRule is parked due to an asynchronous command.

Impact:
Incoming packets matching the stuck connection are dropped.

Workaround:
The error can only be cleared if the connection is allowed to timeout or the tmm is restarted.

Fix:
Aborted UDP connections with parked iRules will be cleaned up normally and no longer match incoming packets.


441790-1 : Logd core formed, while executing provisioning run script(mod_combo_7000_12721.py) on Whitethorne 2U platform

Component: Access Policy Manager

Symptoms:
Logd core formed while executing provisioning run script(mod_combo_7000_12721.py) on Whitethorne 2U platform.

Conditions:
While executing provisioning run script(mod_combo_7000_12721.py) on Whitethorne 2U platform.

Impact:
logd restarts.

Workaround:
Run the tmsh command: logd restart.

Fix:
Fixed a threading pitfall that could cause deadlock between DB rotation and loading threads.


441631-4 : WebSSO may take 100% CPU if a new instance is started manually

Component: Access Policy Manager

Symptoms:
100% of CPU resources could be used by the websso process if it is not started properly. A WebSSO process should be started or restarted using the bigstart script. However, if the /etc/bigstart/scripts/websso.start script is run manually while previous websso.N processes are still running, it brings up new websso.N instances, which causes the original websso.N processes to spin in a loop and use up to 100% of CPU resources.

Conditions:
websso is started manually.

Impact:
The original websso.N processes do not function properly and take ~100% CPU.

Workaround:
bigstart restart websso

Fix:
Now you cannot start more than one instance of WebSSO for every MCPD channel number. For example, if websso.3 is running, then you cannot manually start websso -c 3.


441613-4 : Customization allows arbitrary files to be uploaded

Component: Access Policy Manager

Symptoms:
APM Advanced Customization allows image files to be uploaded. A customer could upload other files (for example .js, .html or .php) using this facility, which could lead to potential security issues.

Conditions:
A customer uploads non-image files through the customization feature, which is intended to accept only image files.

Impact:
Potential XSS and other security vulnerabilities.

Workaround:
This feature is used by a limited set of users with admin privilege. Advise those users of this vulnerability and not to upload other content.

Fix:
The file type and content are now checked before a file is accepted as valid content.
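The kind of check this fix describes, shown as an added example that is not F5's implementation: an upload is accepted only when its extension is an allowed image type and the content actually begins with that type's signature. The allowed-type table, size limit and file names are constructed for the example.

```python
"""Added example (not F5 code): validating a customization image upload.

Accept a file only when both its declared type (extension) and its actual
content (magic number) are an allowed image type, rather than trusting the
file name alone. The magic numbers are the standard signatures of the
listed formats; the size limit and everything else here are constructed.
"""
import os
from typing import Tuple

# Allowed image types: extension -> accepted magic-number prefixes.
ALLOWED_IMAGES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # constructed limit for the example


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded customization file.

    The file is accepted only if:
      1. the name has no path components and exactly one extension,
         and that extension is an allowed image type;
      2. the content starts with the magic number of that same type;
      3. the size is non-zero and within the limit.
    """
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False, "invalid file name"
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_IMAGES:
        return False, f"extension {ext or '(none)'} is not an allowed image type"
    if "." in root:
        # e.g. "logo.php.png": reject double extensions instead of guessing intent
        return False, "multiple extensions are not allowed"
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return False, "empty or oversized upload"
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        # Declared type and real content disagree (e.g. script text named .png)
        return False, f"content does not match the declared {ext} image type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a script disguised as an image
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_image_upload("logo.png", png))                 # (True, 'ok')
    print(validate_image_upload("logo.png", b"<?php echo 1; ?>")) # rejected: content mismatch
    print(validate_image_upload("logo.php", b"<?php echo 1; ?>")) # rejected: extension
```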


441355-4 : Enable change password within vmview client when password doesn't meet the AD policy requirements

Component: Access Policy Manager

Symptoms:
Previously, the VMware View client hung or disconnected if an attempt to change an expired password failed because the new password did not meet the AD policy requirements.

Conditions:
User's password is expired but the new password provided doesn't meet the policy requirements.

Impact:
The VMware View client freezes/hangs, and the user is left confused.

Workaround:

Fix:
Improved VMware View native client error reporting and prompting for the new password.


440685-2 : LTM 3900, V11.3.0 hf8, source address translation memory leak suspected.

Component: Local Traffic Manager

Symptoms:
TMM crashes after a long run on an LTM 3900 platform running TMOS v11.3.0 HF8.

Conditions:
iSession and a source address translation pool are used, many sessions are established and closed, and the LTM 3900 is running v11.3.0 HF8.

Impact:
TMM crashed after memory exhaustion.

Workaround:
There is no workaround.

Fix:
Fixed the memory leak in the iSession plus source address translation pool use case.


440346-6 : Monitors removed from a pool after sync operation

Component: TMOS

Symptoms:
Monitors might be removed from a pool after sync operation.

Conditions:
Devices are in a failover device group, this group contains a pool with multiple health monitors enabled, and a sync is performed using the 'Overwrite Configuration' option.

Impact:
Monitors might be removed from a pool on the devices that received a sync.

Workaround:

Fix:
Monitors are no longer removed from a pool on the devices that received a sync.


440290-5 : Fluctuating Sync messages when Policy sync is triggered

Component: Access Policy Manager

Symptoms:
During some Policy-sync attempts, the SyncStatus flag for the devices keeps toggling and the status messages keep changing (In-Sync, Changes Pending, Not All devices are synced, and so on). It can take over 15 minutes for the status messages to stabilize. This might occur when there is a large delay in the Sync requests between devices, most likely due to WAN latency.

Conditions:
Geographically distributed devices in the policy-sync device-group where network delay makes the sync infrastructure susceptible to issues like this.

Impact:
Policy sync is successful. Only the Sync Status flag on the GUI keeps toggling.

Workaround:
None. The fluctuations stop after some time.

Fix:
APM now prevents the retransmission of policy sync requests that caused status messages to fluctuate.


440284-4 : GTM VSes with a folderized ltm_name may not be monitored properly on a 10.2.4 LTM

Component: Global Traffic Manager

Symptoms:
If a GTM VS ltm_name contains a folder, such as /Common/vs.1, and the server is a 10.2.4 or earlier LTM, GTM may not be able to monitor it.

Conditions:
This can happen if all of the following are true:
-- The ltm_name is folderized (which can happen if the LTM was run at 11.x and then regressed or rebooted to 10.2.4).
-- The GTM VS name does not match the VS name on the LTM (which can happen if the VS name on the LTM contains a '.', which GTM converts to a '_').
-- The LTM VS is in a different route domain than the LTM self IP that GTM is using to talk to the LTM.
The LTM big3d is then unable to correctly identify the VS in question and sends no response. This causes the GTM to mark the VS red when the timeout period has elapsed.

Impact:
VSes that match the conditions will be marked down because of timeouts.

Workaround:
Edit the GTM configuration and either delete the ltm_name field or remove the folder(s) from the ltm_name field and reload the config.

Fix:
The LTM big3d now correctly identifies and monitors 10.2.4 or earlier LTM virtual servers.


440259-3 : logd crash during improper cast conversion

Component: TMOS

Symptoms:
Logd may crash at seemingly random intervals.

Conditions:

Impact:
Logd crash.

Workaround:

Fix:
Fixed type conversion issue by correctly catching the exception.


439977-6 : apd crash in AD module

Component: Access Policy Manager

Symptoms:
The apd process may crash when running the AD agent.

Conditions:
The intermittent apd crash may happen if: - a group cache update is required - the DC is not available or the connection to the DC failed

Impact:
apd crashes and restarts.

Workaround:
N/A

Fix:
apd no longer crashes under the conditions described above.


439904-1 : Wamd crashed after command 'tmsh restart sys service mcpd'

Component: WebAccelerator

Symptoms:
Daemon wamd crashes when mcpd is not available.

Conditions:
AAM is provisioned and the mcpd daemon is restarting.

Impact:
Wamd crashes producing a core.

Workaround:
This issue has no workaround at this time.

Fix:
When mcpd goes down with AAM provisioned, wamd no longer crashes when it tries to communicate with mcpd.


439862-1 : In rare situations SPDY combined with other filters can cause a TMM crash

Component: Local Traffic Manager

Symptoms:
A TMM crash occurs when stream->ingress_frames is NULL in spdy_stream_process_ingress_body()

Conditions:
Recursion back into SPDY inside spdy_stream_process_acquired() can cause the state of the ingress frames list to not be what is expected.

Impact:
TMM Crash

Workaround:
Try using fewer filters on the listener using SPDY. The lower the number of filters, the less likely this crash will occur.

Fix:
When recursion occurs in SPDY frame ingress, it now correctly handles the case where the ingress was completed by the higher call into SPDY.


439849-2 : Portal Access: Exchange 2003 Outlook Web Access, JS error on inbox

Component: Access Policy Manager

Symptoms:
JavaScript error: 'Object doesn't support this property or method'.

Conditions:
Using Portal Access for Exchange 2003 Outlook Web Access (OWA).

Impact:
Cannot log in to OWA.

Workaround:
None.

Fix:
Can now use Portal Access for Exchange 2003 Outlook Web Access (OWA).


439773-3 : "Request for segment from middle of queue" condition converted to reset that particular flow instead of causing tmm core

Component: Local Traffic Manager

Symptoms:
TMM will core with panic string "Request for segment from middle of queue."

Conditions:
The conditions are infrequent and not all of them are known fully. TCP is in an invalid state for that particular flow, and this flow cannot continue anymore.

Impact:
Entire tmm will core due to one flow being in this invalid state.

Workaround:
This issue has no workaround at this time.

Fix:
The asserting condition has been converted into a reset of that particular flow, with the RST cause "Request for segment from middle of queue." This is better for product stability, because one affected flow no longer cores the entire tmm.


439559-3 : APM policy sync resulting in failover device group sync may make the failover sync fail

Component: TMOS

Symptoms:
If an APM policy sync puts the new policy on a member of a sync-failover device group then the sync of the sync-failover group may fail.

Conditions:
* At least three devices in trust. * Two devices in a sync-failover device group. * Two devices in a sync-only device group suitable for APM policy sync. * The policy is synchronized from a device that is not in the sync-failover device group.

Impact:
Sync will fail, but full load sync will then succeed.

Workaround:
Using a full load sync (the force option on the GUI sync page) will work.

Fix:
If an APM policy sync puts the new policy on a member of a sync-failover device group then the sync of the sync-failover group used to fail. This now succeeds.


439461-1 : Citrix Receiver for Linux is unable to receive full applications list.

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Linux shows only part of the applications list when connecting to APM.

Conditions:
APM is configured for Citrix Replacement and Citrix Receiver for Linux is used.

Impact:
Citrix Receiver for Linux shows only part of the applications list.

Workaround:

Fix:
Citrix Receiver for Linux now shows the full applications list when connecting to APM.


439446-1 : vcmpd crash related to insufficient stopping timeout

Component: TMOS

Symptoms:
vcmpd may crash and there is a possibility of vdisk corruption when a guest is terminated abnormally.

Conditions:
vCMP

Impact:
Crash of hypervisor and potential vdisk corruption of guest.

Workaround:

Fix:
The fix increases the vcmp.timeout.stopping default value and cleans up resources that were not released in a non-standard shutdown scenario.


439363-1 : Auto-generated policy names might be too long

Component: TMOS

Symptoms:
Auto-generated policy names might be too long for the system to handle. When you load a configuration, the system combines multiple HTTP Class profiles names into a single local traffic policy before assigning it to a virtual server.

Conditions:
When the local traffic policy name exceeds the maximum allowable length, the mcpd process fails to load the upgraded configuration.

Impact:
Upgrades and UCS restores fail. The mcpd process fails to load the configuration and logs an error to the /var/log/ltm file: 0107141f:3: The maximum allowable length of 255 for a full path has been exceeded. The object name was auto-generated-policy-name), the truncated folder path was /foldername/truncated-auto-generated-policy-name). Unexpected Error: Loading configuration process failed.

Workaround:
Shorten the names of the HTTP Class profiles before upgrade.

Fix:
When the local traffic policy name that is auto-generated from multiple HTTP Class profile names is longer than the maximum supported length of 255 characters, the system now truncates the name, so that config load and upgrade occur successfully.


439330-6 : Javascript: getAttribute() returns mangled event handlers

Component: Access Policy Manager

Symptoms:
All event handlers in an HTML page are rewritten by APM. If a script uses a getAttribute() call to obtain event handler code, it gets the rewritten code, which may lead to incorrect results.

Conditions:
An HTML page with event handlers defined.

Impact:
If a script uses event handler source code, it might work incorrectly.

Workaround:

Fix:
The getAttribute() call now returns the unmodified source code for any event handler.


438877-3 : If the SASP monitor receives an unexpected message from the GWM server containing an expected message id then the monitor stops processing any further messages.

Component: Local Traffic Manager

Symptoms:
The message id field of Send Weights messages does not serve any purpose, as per the SASP RFC 4678. Consider a scenario where the SASP monitor sends a registration request message containing message id x. It expects a registration reply with message id x. However, if it receives a Send Weights message with message id x, the monitor is thrown out of sync and stops processing any further messages.

Conditions:
The SASP monitor sends a request message with a message id in it to the GWM server. It expects a reply from the GWM server to the request message containing the same message id. Instead, it receives a Send Weights message containing the expected message id.

Impact:
The SASP monitor stops processing any messages after it receives the unexpected Send Weights message.

Workaround:
None.

Fix:
The SASP monitor now ignores up to 5 consecutive unexpected Send Weights messages and keeps looking for the registration reply from the GWM. If it does not get the reply within 5 attempts, the monitor restarts.


438792-3 : Node flapping may, in rare cases, lead to inconsistent persistence behavior

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). Further requests in certain circumstances may hang (the client will be left waiting for a response).

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Inconsistent persistence behaviors. If persistence records are examined, you might find multiple, conflicting entries. This is an intermittent issue.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be: when PERSIST_DOWN { persist delete source_addr [IP::client_addr] } For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


438730-2 : DNS Filtering driver causes crash/BSOD

Component: Access Policy Manager

Symptoms:
The DNS Relay proxy service causes a Client App tunnel crash or BSOD (DRIVER_FAULT).

Conditions:
Using the DNS relay filtering driver on Windows XP SP3.

Impact:
Client App tunnel crash/BSOD. This is an intermittent issue.

Workaround:

Fix:
Fixed a BSOD caused by the DNS relay filtering driver under a very specific condition on Microsoft Windows XP SP3.


438674-6 : When log filters include tamd, tamd process may leak descriptors

Component: TMOS

Symptoms:
The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations.

Conditions:
A log filter that includes tamd is configured.

Impact:
Client authentication might fail. When a log filter includes tamd, the tamd process might start to leak descriptors.

Workaround:
Do not define log filters that include tamd (tamd is included in 'all').

Fix:
The BIG-IP system no longer sends tamd log messages to the configured remote log destinations.


438613-2 : Virtual server created using Portal Access Device Wizard does not reflect changes correctly

Component: Access Policy Manager

Symptoms:
Virtual server created using Portal Access Device Wizard does not reflect changes correctly.

Conditions:
This occurs when using the Portal Access Device Wizard to create virtual servers.

Impact:
Changes to Client SSL Profile including deletion have no effect.

Workaround:
Create the virtual server manually instead of using the Portal Access Device Wizard.

Fix:
A virtual server created via the Portal Access Device Wizard now works correctly with the Client SSL Profile.


437744-2 : SAML SP service metadata exported from APM may fail to import.

Component: Access Policy Manager

Symptoms:
SAML SP service metadata exported from APM contains elements in incorrect order which might cause it to fail to be imported by other implementations.

Conditions:
When SAML metadata is exported from BIG-IP acting as a SAML Service Provider, the order of the 'SingleLogoutService' and 'AssertionConsumerService' elements is not right.

Impact:
Import by a SAML IdP of metadata exported from BIG-IP as SP might fail.

Workaround:
Edit the exported metadata: change the order of elements in the SPSSODescriptor so that the SingleLogoutService element comes first in the sequence.

Fix:
SAML metadata elements are now exported in the correct order.


437743-2 : Import of Access Profile config that contains ssl-cert is failing

Component: Access Policy Manager

Symptoms:
An access profile configuration that uses an SSL Certificate fails to import. This happens because of a change in the method to import SSL certificates.

Conditions:
The Access Profile configuration contains an (SSL) Certificate File object, that is, a configuration that includes an OCSP responder, a Certificate Authority profile, or a ServerSSL profile.

Impact:
Serious. It is not possible to import configurations that contain the above-mentioned objects to another box, which might prevent users from distributing profiles manually or properly importing a backup.

Workaround:
You can either exclude the above-mentioned objects prior to export and then recreate them after the import, or (not recommended) edit the config manually and import the SSL certificate prior to the import.

Fix:
You can now import an access profile that includes an SSL certificate object in its configuration objects.


437627-2 : TMM may crash if a fastL4 VS receives a fragmented packet

Component: Local Traffic Manager

Symptoms:
TMM may crash if a virtual server with a fastL4 profile receives a fragmented packet.

Conditions:
A virtual server configured with a fastL4 profile receives incoming fragmented packets.

Impact:
tmm crash

Workaround:
In fast L4 profile, enable option "Reassemble IP Fragments"

Fix:
Improved handling of a fragmented packet that could cause a crash if using a fastL4 profile.


437448-4 : Rate limited pool member might stop accepting traffic under certain conditions

Component: Local Traffic Manager

Symptoms:
Pool members may not be able to accept traffic once the rate limit is exceeded, even after the rate goes back below the threshold.

Conditions:
Rate limit set on the pool member and the rate limit is exceeded. This causes the pool member to no longer accept traffic.

Impact:
Pool member will no longer accept traffic.

Workaround:
Remove the rate limit.

Fix:
Pool members with rate limits now resume accepting traffic when the rate limit is no longer exceeded.


437173-2 : Dashboard Platform limits showing "none" for 7000s and 7200v platforms

Component: TMOS

Symptoms:
Platform limits show "none" in the Configuration Utility Dashboard.

Conditions:
Platform 7000s and 7200v.

Impact:
This is a cosmetic issue with no significant impact.

Workaround:
None.

Fix:
Configuration Utility Dashboard now shows the platform limits.


437081-2 : IPv6 virtual servers with TSO enabled may drop packets.

Component: TMOS

Symptoms:
Virtual servers with TCP Segmentation Offload (TSO) enabled may drop packets.

Conditions:

Impact:
When tcpsegmentationoffload is enabled, IPv6 virtual servers may drop packets.

Workaround:

Fix:
Standard IPv6 virtual servers now support TSO.


436811-7 : Incorrect pool member status reporting by database monitors (Oracle, MSSQL, MySQL, PostgreSQL)

Component: Local Traffic Manager

Symptoms:
Consider a configuration containing two or more Oracle monitors configured for the same ip::port destination. The pool member statuses can be reported incorrectly with the default time interval setting. The possibility of incorrect status reporting increases if the monitor interval is reduced from its default value of 10.

Conditions:
Configuration containing database monitors with the same ip::port destination.

Impact:
Incorrect status reporting by Oracle monitors. This may lead to data traffic being directed to pool members that are down and no data traffic being directed to pool members that are available.

Workaround:
Increasing the monitor time interval alleviates this issue, but may not solve it entirely.

Fix:
Pool member statuses are now updated correctly when multiple database monitors are configured for the same ip::port destination.


436682-3 : Optical SFP modules show a higher optical power output for disabled switch ports

Component: TMOS

Symptoms:
Some optical SFP/SFP+ modules may continue to provide optical power output higher than the specified detection threshold when the port has been disabled. As a result, the remote connected device may indicate a false positive link state.

Conditions:
The SFP or SFP+ module switch port has been disabled on the BIG-IP system. The problem occurs because the optical transmitter in the SFP/SFP+ module is not disabled when the switch port itself is in a disabled state. The problem may occur with certain optical SFP/SFP+ modules, including all or a subset of individual modules with the following part numbers: OPT-0010-00 (1G-SR), OPT-0011-00 (1G-LR), OPT-0016-00 (10G-SR), OPT-0017-00 (10G-LR). For a list of F5 supported Fiber Gigabit Ethernet SFP, XFP, SFP+ and QSFP+ modules, see SOL6097: Specifications of the Fiber Gigabit Ethernet SFP, XFP, SFP+ and QSFP+ module ports on BIG-IP system platforms, available here: https://support.f5.com/kb/en-us/solutions/public/6000/000/sol6097.html.

Impact:
Link status may be incorrectly reported as up on the remote connected device.

Workaround:
To work around this issue, when disabling an affected switch port on the BIG-IP system, you can also disable the connected port on the remote device.

Fix:
Optical SFP/SFP+ modules now show the correct optical power output for disabled switch ports, which no longer contributes to false link states.


436489-2 : Session variables defined within the "Relay State" parameter of an SP initiated SSO session may fail.

Component: Access Policy Manager

Symptoms:
Session variables, such as %{session.server.landinguri}, are not processed as part of the Relay State parameter in the BIG-IP SP service configuration.

Conditions:
A session variable is configured as part of the Relay State parameter in the BIG-IP SP service configuration, and SP-initiated SAML SSO is used.

Impact:
Session variables are not processed.

Workaround:
Do not use session variables inside Relay State configuration for BIG-IP SP service.

Fix:
The BIG-IP system SAML Service Provider (SP) service now supports and processes session variables as part of the RelayState parameter.


436201-2 : JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11

Component: Access Policy Manager

Symptoms:
JavaScript can misbehave when encountering the 'X-UA-Compatible' META tag from clients using Microsoft Internet Explorer 11.

Conditions:
Internet Explorer 11 and meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
Web application malfunction.

Workaround:
Use an iRule.

Fix:
JavaScript now correctly handles the X-UA-Compatible meta tag from clients using Microsoft Internet Explorer 11.


436180-4 : Improved security around webcontrol installation

Component: Access Policy Manager

Symptoms:
Web controls may download a custom file as the result of a sophisticated attack from a phishing site.

Conditions:

Impact:
A custom file is downloaded to the client machine.

Workaround:

Fix:
Security issue has been resolved.


436177-3 : Improved security around Endpoint security modules

Component: Access Policy Manager

Symptoms:
A sophisticated attack can lead to a Network Access disconnect on the client side.

Conditions:
The user accessed a malicious site with a specially crafted page.

Impact:
Network Access is disconnected after the attack.

Workaround:

Fix:
Endpoint security modules now provide more protection for endpoint clients and prevent the issue.


435993-4 : Tunnel recipient drops encapsulated traffic instead of forwarding

Component: Local Traffic Manager

Symptoms:
It is possible for the GRE tunnel to decapsulate SYN packets to the wrong tmm, causing intermittent failures when accessing the local virtual server on CMP systems.

Conditions:
This occurs on CMP systems.

Impact:
TMM suffers packet/xfrag leakage over time and eventually cores due to out of memory.

Workaround:
None.

Fix:
Establishment of CMP-redirected flows no longer erroneously expires/replaces NOEXPIRE flows, so this probably no longer occurs.


435965-2 : clientssl/serverssl profile supports a maximum cipher string length of 256

Component: Local Traffic Manager

Symptoms:
The clientssl/serverssl profile supports a cipher string of at most 256 characters.

Conditions:
The clientssl/serverssl profile has a cipher string longer than 256 characters.

Impact:
A cipher string longer than 256 characters is truncated by SSL.

Workaround:
None.

Fix:
SSL now handles a cipher string of up to 768 characters.


435953-3 : In the GUI, the search fails to return results for the Wide IP list

Component: TMOS

Symptoms:
Using the GUI to search fails to return results from the Wide IP list.

Conditions:
This occurs when the Wide IP and the Alias share same domain name. (e.g., siterequest.com).

Impact:
Cannot search by Wide IP alias using the GUI.

Workaround:
In the GUI, use * to get all the Wide IPs, or use a prefix such as 'wip' or 'wip1'. Another workaround is to use tmsh.

Fix:
Using the GUI search function now correctly returns alias results in the Wide IP list.


435682-5 : eamtest tool may fail while checking if the requested resource is protected due to exception thrown by SDK.

Component: Access Policy Manager

Symptoms:
On requesting a resource, EAM verifies whether the requested resource is protected by the OAM server through the Oracle ASDK API. An OAM exception (Error 310) occurred due to internal server issues, and this error was not caught and handled properly in eamtest. Later, when another Oracle ASDK API is called to check again whether the resource is protected, it may throw another exception, which causes the eam plugin to be terminated.

Conditions:
Internal server issues or connectivity issues caused the OAM SDK to throw an exception, and this was not handled properly in the eamtest tool.

Impact:
The eamtest tool cores.

Workaround:
There is no workaround that allows eamtest to complete successfully.

Fix:
If APM attempts to verify whether a resource is protected when a connectivity failure to the OAM server occurs, APM handles the failure gracefully.


435569-1 : Cannot change cluster management IP address from GUI when logged on to management port

Component: TMOS

Symptoms:
Users logged on to the GUI of a clustered BIG-IP system using the management port cannot change the cluster management IP address.

Conditions:
This occurs when a user is logged on to the management IP address on clustered BIG-IP systems.

Impact:
Cannot change the cluster management IP address from the GUI. If the user attempts to change the management IP address at System :: Clusters :: Management IP Address, the change appears to work (that is, does not report an error) but the redirection to the new IP address does not occur.

Workaround:
Log on to the GUI on the primary blade of the system and change the management IP address.

Fix:
The cluster management IP address can be changed from the web interface.


435383-2 : Incorrect MCPD validation while deleting an accessgate configuration in aaa oam

Component: Access Policy Manager

Symptoms:
MCPD validation is incorrect and throws an error when trying to delete the second-to-last accessgate from an aaa oam configuration. This validation should only prevent deletion of the last accessgate in an aaa oam configuration.

Conditions:
Wrong MCPD validation when trying to delete the second-to-last accessgate from an aaa oam configuration.

Impact:
The second-to-last accessgate in an aaa oam configuration cannot be deleted.

Workaround:
Delete the apm aaa oam object and recreate it as required.

Fix:
When deleting an Accessgate from the OAM server configuration, wrong MCPD validation prevented deleting the second-to-last Accessgate. With this fix, MCPD throws the error only when deleting the last Accessgate, as expected.


435335-1 : SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize

Component: Local Traffic Manager

Symptoms:
After setting tmm.proxyssl.cachesize to a non-default value and restarting TMM, the new maximum size is not respected, either causing too many or too few entries to be retained. This can lead to memory exhaustion over time.

Conditions:
Proxy SSL feature enabled with non-default tmm.proxyssl.cachesize value set.

Impact:
The setting has no effect, so if it is being used to avoid low-memory conditions, the low-memory conditions persist.

Workaround:

Fix:
The tmm.proxyssl.cachesize and tmm.proxyssl.bucketcount settings are now respected when set and TMM has been restarted after the new values have been set.


434776-2 : APD and APMD might crash if a file check agent is added to access policy

Component: Access Policy Manager

Symptoms:
APD and APMD might crash when a file check agent is added to an access policy. The issue can happen for any file check agent: Windows File, Linux File, or Mac File.

Conditions:
A file check agent (Windows / Mac / Linux) is added to an access policy.

Impact:
A daemon, APD or APMD, cannot start because it crashes during initialization of the affected agent. To confirm the presence of the issue, search the apm log file for either of the following SIGABRT messages: -- notice apd[<pid>]: 01490000:5: ** SIGABRT ** -- notice apmd[<pid>]: 01490000:5: ** SIGABRT **

Workaround:
None.

Fix:
In 11.5.0 and later, a Windows File, Mac File, or Linux File agent can be added to an access policy without causing APD or APMD to crash.


434730-4 : Auto-sync may fail with many synchronizations in rapid succession

Component: TMOS

Symptoms:
If a device group is configured to perform auto-sync with incremental synchronization enabled, and a number of rapid configuration changes cause a rapid sequence of auto-sync operations, synchronizations may fail, and mcpd may log a message like the following to the LTM log: 0107168e:5: Unable to do incremental sync, reverting to full load for device group

Conditions:
- This affects any device group configured with auto-sync enabled and full-load-on-sync disabled. - A number of rapid configuration changes result in a rapid sequence of auto-sync operations.

Impact:
Manual mcpd restart may be required.

Workaround:
Disable auto-sync.

Fix:
Automatic incremental synchronization succeeds even after a large number of synchronization operations in rapid succession.


434400-3 : tmm might core with rate-limiting on virtual server

Component: Local Traffic Manager

Symptoms:
tmm might core when rate-limiting is configured on a virtual server.

Conditions:
This occurs on a virtual server with rate-limiting enabled and unexpected filter operations that send LB selection after connection is in progress. This might also occur with an iRule that behaves similarly, for example, issuing an LB command after a TCP::release.

Impact:
tmm crashes.

Workaround:

Fix:
The connection is terminated and tmm core no longer occurs.


434096-1 : TACACS log forwarder truncates logs to 1k

Component: TMOS

Symptoms:
TACACS log forwarder truncates logs to 1 KB.

Conditions:
When the log size is bigger than 1 KB.

Impact:
Log text is truncated.

Workaround:
None.

Fix:
The BIG-IP system now allows up to an 8 KB log message size.


433972-5 : New Event dialog widget is shifted to the left and Description field does not have action widget

Component: Access Policy Manager

Symptoms:
When you access Microsoft SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.

Conditions:
The problem occurs in Internet Explorer 11 with meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
SharePoint 2013 malfunctions.

Workaround:
You could potentially use an iRule to mitigate the problem.

Fix:
Portal Access now correctly displays a New Event window for Microsoft SharePoint 2013 from Internet Explorer 11.


433847-4 : APD crashes with a segmentation fault.

Component: Access Policy Manager

Symptoms:
Uninitialized CRLDP or OCSP field might cause a crash because of possible memory corruption.

Conditions:
This occurs when there is an uninitialized field in the Crldp or OCSP module.

Impact:
APD crashes with a segmentation fault. Uninitialized field might cause a crash trying to free the client connection.

Workaround:

Fix:
Crashes because of an uninitialized field in the CRLDP or OCSP module no longer occur.


433822-2 : Uninitialized variable may cause packets to be directed to wrong TMM

Component: TMOS

Symptoms:
Packets may be redirected to the wrong TMM. Such redirections are indicated by a non-zero count in the 'packets' column of the 'tmctl -d blade tmm/flow_redir_stats' command, as in the following example:
tmctl -d blade tmm/flow_redir_stats
pg pu redirect_pg redirect_pu packets
-- -- ----------- ----------- -------
 0  1           0           0      11

Conditions:
This may occur on VIPRION B4300 blades in VIPRION C4800 (8-slot) chassis.

Impact:
Performance may be impacted as packets are redirected to the correct TMM.

Workaround:
None.

Fix:
Resolved an uninitialized variable issue that may cause erroneous results when searching for a local port using the P8DAG hash. This fix initializes variables to F5 coding standards.


433460-1 : Client browser activity causes server-side connection abort resulting in pool member down

Component: Local Traffic Manager

Symptoms:
Client browser activity causes server-side connection abort that results in pool member down.

Conditions:
When inband monitor is enabled, if there are n (configurable) server side aborts, the poolmember is taken down.

Impact:
The poolmember is taken down.

Workaround:
This issue has no workaround at this time.

Fix:
Client browser activity no longer causes a server-side connection abort. Previously, this could result in pool members being marked down.


433008-1 : Some CAs may fail to insert SAN

Component: Local Traffic Manager

Symptoms:
Certificate signing requests created by BIG-IP via the GUI put SubjectAltName as an attribute, not an extension.

Conditions:
Via the GUI, create a CSR and add a SAN name.

Impact:
Some CAs may fail to insert the SAN when the CA signs the CSR that BIG-IP requested.

Workaround:
Use tmsh to insert the SAN as an extension, as described in SOL13471.


432900-3 : APM configurations can fail to load on newly-installed systems

Component: Access Policy Manager

Symptoms:
APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso)
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory)
....
01071558:3: EPSEC - File Copy to /shared location failed
Unexpected Error: Loading configuration process failed.

Conditions:
If the system is fresh from manufacturing or has had a recent formatting installation, it is susceptible to this upgrade defect. The failure is only observed if the configuration being applied contains APM elements.

Impact:
After booting into an upgraded system, the configuration will fail to load. A load failure can also be observed when manually loading a UCS file.

Workaround:
Create the directory /shared/apm and try to load the configuration again.

Fix:
Releases with this fix will load the configuration properly. There is no need for users to first create the /shared/apm directory.


432423-2 : Need proactive alerts for APM license usage

Component: Access Policy Manager

Symptoms:
Customers would like APM to generate proactive alerts when license usage reaches a certain threshold.

Conditions:
N/A

Impact:
Without a proactive alert, customers will not know that license consumption is near the maximum allowed and, hence, will not be prepared for the license being exhausted.

Workaround:
N/A

Fix:
Support for generating a license usage alert when a threshold is crossed has been added.


432336-2 : Window.postMessage() rewriting for Internet Explorer browsers

Component: Access Policy Manager

Symptoms:
No onmessage event occurs when it is expected.

Conditions:
An Internet Explorer browser with a web application that uses Window.postMessage() for inter-window communication.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Window.postMessage() processing is fixed for IE browsers.


432102-2 : HTML reserved characters not supported as part of SAML RelayState

Component: Access Policy Manager

Symptoms:
If the RelayState parameter includes HTML and XHTML special characters, then BIG-IP as IdP or BIG-IP as SP does not process them correctly, and does not send complete RelayState value to the Peer.

Conditions:
The RelayState parameter contains HTML or XHTML special characters.

Impact:
SAML integration may not work properly with other products when the configured RelayState parameter includes special characters.

Workaround:
To use reserved HTML characters (",',&,<,>) as part of the SAML RelayState, convert them to their HTML entities (&#34;, &#39;, &#38;, &#60;, &#62;).

Fix:
When the BIG-IP system is configured as a SAML Identity Provider (IdP) or Service Provider (SP), it now URL encodes (or decodes, as applicable) the RelayState parameter.


431810-1 : APMD process core due to missing exception handling in execute agents

Component: Access Policy Manager

Symptoms:
APMD cores because of missing exception handling in APMD while it executes an access policy agent.

Conditions:
This occurs when using APM.

Impact:
APMD might core because of missing exception handling in APMD while it executes an access policy agent.

Workaround:

Fix:
Processing is now provided for exceptions that could occur when using a Kerberos Auth agent in a multi-domain SSO configuration.


431176-2 : cmd_sod does not retry sending messages

Component: TMOS

Symptoms:
cmd_sod does not retry sending command messages over UDP. This can cause SOD to miss commands when it is busy.

Conditions:
This is easier to reproduce when many traffic groups are selected and cmd_sod is used to send commands to SOD concurrently for each traffic group.

Impact:
Some of the commands may fail to reach the SOD daemon.

Workaround:
None.

Fix:
cmd_sod now retries sending command messages up to 3 times if they fail to reach SOD, increasing the reliability of the failover process.


431149-3 : APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"

Component: Access Policy Manager

Symptoms:
In scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode), the error "Access Policy configuration has changed on gateway" might be displayed when a user connects to a virtual server.

Conditions:
It can occur in the following conditions:
- right after the whole chassis is rebooted
- a secondary/slave slot's tmm cores
- a slot on the chassis is disabled

Impact:
Customers see the following message when they connect to the virtual server: "Access Policy configuration has changed on gateway".

Workaround:
To work around the problem, type the command "bigstart restart apd" on the primary slot.

Fix:
The primary blade of the chassis or vCMP guest now recreates the config snapshots when a secondary blade transitions from online to offline or from offline to online.


430799-4 : CVE-2010-5107 openssh vulnerability

Component: TMOS

Symptoms:
The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which could enable a denial of service.

Conditions:
Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: None (There is no impact to the integrity of the system.)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist.)

Impact:
CVE-2010-5107 openssh vulnerability.

Workaround:
Update the configuration of OpenSSH to prevent this issue.

Fix:
Resolved CVE-2010-5107. See AskF5 solution article SOL14741: OpenSSH vulnerability CVE-2010-5107, available here https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14741.html.


430746-3 : Some iRule commands may cause tmm to crash

Component: Local Traffic Manager

Symptoms:
Tmm crashes, usually with a "umem_backstore_free: no such allocation" panic message.

Conditions:
If an iRule command which is affected by this bug is executed in a server-side context at a time when there is no client-side connection, then tmm will probably crash.

Impact:
Tmm crashes, resulting in failover.

Workaround:
None.

Fix:
The affected iRule commands no longer crash tmm when executed in a server-side context with no client-side connection.


430680-5 : Wrong expression is generated for Weekend template for "Date Time" item in VPE

Component: Access Policy Manager

Symptoms:
The Date Time item in the visual policy editor generates the wrong expression when you select the Weekend template.

Conditions:

Impact:
Users cannot set up an access policy based on the Weekend template.

Workaround:
Edit the generated expression, changing "expr { [clock format [mcget {session.user.starttime}] -format %u] == 0 }" to "expr { [clock format [mcget {session.user.starttime}] -format %u] == 7 }" (the %u format returns 7 for Sunday, so a comparison with 0 never matches).

Fix:
When you create a new expression in the Date Time access policy item for a weekend date, the expression is correct.


430488-1 : Core in WAM plugin handling a POST with huge content

Component: WebAccelerator

Symptoms:
When processing POST requests with very large bodies, WAM may crash while attempting viewstate processing.

Conditions:
- WAM-enabled virtual server
- An invalidation trigger matches the request
- Very large POST request

Impact:
TMM crash

Workaround:
Ensure that no invalidation triggers exist for paths that might POST large documents.

Fix:
AAM no longer crashes while attempting viewstate processing.


429991-1 : Introduced stateless UDP disaggregation on the VIPRION C4800 chassis

Component: TMOS

Symptoms:
Stateless UDP traffic cannot be evenly distributed by regular DAGs on the VIPRION C4800 chassis.

Conditions:
VIPRION C4800 chassis and passing UDP traffic.

Impact:
Stateless UDP traffic cannot be evenly distributed by regular DAGs.

Workaround:
None.

Fix:
On the VIPRION C4800 chassis, when DB variable "udp.hash" is set to "ipport_stateless", UDP packets are disaggregated in a stateless, round-robin manner.


429975-3 : Client Cert Auth (SSO) OCSP connectivity issue due to timeout value

Component: TMOS

Symptoms:
Users cannot access the BIG-IP device.

Conditions:
The Client Cert Auth (SSO) option is enabled as the authentication and authorization method.

Impact:
Client Cert Auth (SSO) users cannot log in to the device because of client certificate validation failures.

Workaround:
--

Fix:
The OCSP responder timeout value has been made configurable to meet the timeout values required at the site:
# tmsh modify sys httpd ssl-ocsp-responder-timeout 500
As an alternative, you can try the following:
# tmsh modify sys httpd ssl-include " SSLOCSPResponderTimeout 500"


429770-4 : Pool members become unavailable with connection limit and connection queuing enabled

Component: Local Traffic Manager

Symptoms:
With connection queuing enabled and a connection limit set on pool members, a race condition in the code can cause the pool members to become unavailable and show that they have reached the connection limit. They stay in this state even after the connections themselves are long gone.

Conditions:
A connection limit is set on the pool members, and connection queuing is enabled.

Impact:
Pool members become unavailable, and remain unavailable.

Workaround:
None.

Fix:
The pool member now becomes unavailable when the limit is reached and becomes available again afterward.


429680-2 : Incorrect handling of responses with binary content and HTTP Refresh header

Component: Access Policy Manager

Symptoms:
If the backend HTTP server replies with a 'Refresh' header to a request for an image or other non-text object, APM does not send this reply to the client.

Conditions:
This occurs with a response containing binary content that encounters an HTTP Refresh header.

Impact:
If a web application uses automatic refreshing of some non-text objects (images or any other binary objects), the refresh might not work correctly.

Workaround:
There is no workaround.

Fix:
Response headers are parsed correctly for any responses with unsupported content.


429544-1 : Resolve multiple known Linux vulnerabilities with Low rating.

Component: TMOS

Symptoms:
The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. In the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, an incorrect bitmask is specified, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit.

Conditions:
CVE-2012-6544 CVE-2013-2146 CVE-2013-2206 CVE-2013-2224 CVE-2013-2232 CVE-2013-2237

Impact:
Low rated Linux vulnerabilities could cause system impacts depending on system configuration and use.

Workaround:


429011-4 : No support for external link down time on network failover

Component: Local Traffic Manager

Symptoms:
On switch-based platforms, the bcm56xxd daemon monitors the active/standby state using the failover.bigipunitmask DB variable. If this indicates a transition from Active to Standby, it downs the external links and starts a timer that re-enables the links after the customer-specified delay given by the failover.standby.linkdowntime DB variable.

Conditions:
This occurs on BIG-IP 2000 series and 4000 series platforms.

Impact:
No support for external link down time on network failover.

Workaround:
None.

Fix:
External link down time on network failover is now supported on BIG-IP 2000 series and 4000 series platforms. You can find the Link Down Time on Failover option in the GUI under Device Management :: Device Groups :: [device_group_name] :: Failover.


428735-4 : TACACS+ system auth and file descriptors leak

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure): httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]. This can eventually lead to lack of access to the BIG-IP system from all but the root account.

Conditions:
Remote system authentication is configured to use TACACS+. Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include the Web UI, iControl and iControl-REST. Repeated automated access using iControl is the fastest route.

Impact:
If the leak is allowed to accumulate to the point that no file descriptors are available, administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Several workaround options:
1. Use a system auth method other than TACACS+.
2. Use only SSH for administrative access.
3. Restart httpd as needed.

Fix:
A TACACS+ system auth and file descriptors leak has been corrected.


428645-2 : chmand core file during shutdown due to uncaught exception

Component: TMOS

Symptoms:
chmand core file is found.

Conditions:
chmand is shutting down. An internal error that is an intermittent artifact of the shutdown procedure causes an uncaught exception to be thrown.

Impact:
False alarm.

Workaround:
None

Fix:
The fix is to catch exceptions of a type that were previously, erroneously, uncaught.


428631 : DWR and the Diameter profile's rewrite attributes

Component: Service Provider

Symptoms:
Device Watchdog Requests (DWR) are not using the rewrite attributes configured in the Diameter profile.

Conditions:
This occurs in DWR messages when attributes such as origin-host-to-client, origin-realm-to-client, origin-host-to-server, origin-realm-to-server are configured.

Impact:
The impact is that there is no rewrite for DWR messages.

Workaround:
None.

Fix:
DWR now uses the rewrite attributes configured in the Diameter profile (for example, origin-host-to-client, origin-realm-to-client, origin-host-to-server, and origin-realm-to-server).


428598-1 : BIGIP does not send the correct SSLv3 protocol in forward proxy

Component: Local Traffic Manager

Symptoms:
BIGIP does not send the correct SSLv3 protocol in forward proxy

Conditions:
Forward proxy is enabled and SSLv3 is used.

Impact:
BIGIP sends the incorrect protocol version for SSLv3.

Workaround:
Use TLS1.0, TLS1.1 and TLS1.2.

Fix:
BIGIP sends the correct SSLv3 protocol version in forward proxy case.


428504-1 : Forward proxy does not send forged certificate using SSLv3

Component: Local Traffic Manager

Symptoms:
Forward proxy does not send forged certificate using SSLv3

Conditions:
Forward proxy is enabled, SSLv3 is used.

Impact:
BIG-IP does not send the forged certificate.

Workaround:
Use TLS 1.0, 1.1, or 1.2.

Fix:
BIG-IP sends the forged certificate when forward proxy is enabled with SSLv3.


428494-1 : bigip.conf loses all high level config data after loading base config

Component: TMOS

Symptoms:
After running tmsh load sys config base, bigip.conf loses high level configuration data.

Conditions:
This might happen when the device is part of a sync-only device group and an APM policy sync has been attempted from or to the device.

Impact:
Loss of high level config data from bigip.conf.

Workaround:
None.

Fix:
A loss of high level configuration data after loading bigip_base.conf has been largely corrected. Some scenarios still exist, however.


428387-5 : SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')

Component: Access Policy Manager

Symptoms:
SAML AuthRequest and Assertion generation could fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contain special XML characters, such as [&,<,>,",'].

Conditions:
- Assertion signing is enabled on BIG-IP as IdP.
- SAML configuration (IdpEntityID, ACS, not-encrypted SAML Attributes, ACS URL, SP Entity ID, SLO URL) contains special characters, e.g. [&,<,>,",'].

Impact:
SAML AuthRequest and Assertion generation could fail.

Workaround:
You can replace special XML characters with their XML escape codes in the configuration (" as &quot;, ' as &apos;, < as &lt;, > as &gt;, & as &amp;). For example, replace "http://f5.com/acs_url?user=5&password=pass" with "http://f5.com/acs_url?user=5&amp;password=pass".

Fix:
The BIG-IP system, when configured as an Identity Provider (IdP), can now successfully create SAML assertions even when the BIG-IP configuration contains special XML characters.


428163-1 : Removing a DNS cache from configuration can cause TMM crash

Component: Local Traffic Manager

Symptoms:
Removing a DNS cache from the configuration while packets are outstanding on the server side can cause a TMM crash if those responses time out after the resolver has been removed.

Conditions:
This occurs with DNS traffic in progress when removing a configured DNS cache from the configuration.

Impact:
TMM crash and restart. Traffic served by that TMM will be temporarily impacted until the service restarts.

Workaround:
This occurs with DNS traffic in progress. Disabling the listener using that cache and waiting 60 seconds before removing the cache prevents this from occurring.

Fix:
Deleting a cache resolver no longer results in outstanding packet issues.


428161-2 : Not possible to set up a non-CA-device

Component: TMOS

Symptoms:
Adding a non-CA device to trust fails.

Conditions:
This occurs with non-CA devices.

Impact:
It is not possible to add a non-CA device to a trust domain. It is still possible to add a CA device.

Workaround:
Set up the device as a CA device instead.

Fix:
It is now possible to add a non-CA device to a trust domain.


428072-6 : iRules referring to pool by full path/folder name

Component: TMOS

Symptoms:
If an iRule refers to a pool by the full path, /folder/pool name, the virtual server status does not reflect the pool's status.

Conditions:
This occurs when the iRule uses the full path name for the pool.

Impact:
While traffic can still be served to the pool_member despite the virtual server status, for changes at the virtual server level (for example, route health injection), the system needs a reliable virtual server health status.

Workaround:
Remove the folder path and reference the pool by name only within the iRule.

Fix:
If an iRule refers to a pool by leaf name (without the full path), the virtual server status now reflects the pool's status.


427880-1 : SQL-injection can be introduced via JSON payloads

Component: Access Policy Manager

Symptoms:
Input validation and output escaping were missing for some JSON parameters.

Conditions:
If an attacker were to send malformed JSON payloads within requests to certain server URLs, they could potentially gain access to configuration attributes that they would not normally be allowed access to.

Impact:
Configuration attributes could potentially be accessed or modified, even if the attacker does not have sufficient access.

Workaround:

Fix:
APM now provides client-side validation of the JSON being sent to the server, and sanitizes responses in the case where parameters added to the JSON request are not expected.


427830-4 : Proxy Auto-config (PAC) download error now is treated as critical error for Network Access.

Component: Access Policy Manager

Symptoms:
Previously, Network Access (NA) was established regardless of PAC download status, which could cause unwanted behavior.

Conditions:

Impact:
Unwanted behavior of Network Access if the PAC download fails.

Workaround:

Fix:
The Network Access connection is not established if the PAC file specified in the NA resource cannot be downloaded within 30 seconds.


427790-3 : LocalDB backup during system update fails when provisioning does not include anything that starts MySQL

Component: Access Policy Manager

Symptoms:
The capability to move local database users to the newly upgraded BIG-IP firmware has been added. Part of the procedure requires connecting to MySQL using credentials obtained from the system without any user prompt. However, if MySQL has never been started, the credential store is empty and the local database backup inadvertently prompts for credentials.

Conditions:
Provisioning does not include any module that starts MySQL.

Impact:
Any local user data in MySQL that needed to be transferred to the new build during the upgrade is not transferred.

Workaround:
Any one of the following is a workaround:
1) Provision a module that starts MySQL.
2) Comment out this section in /usr/libdata/configsync/cs.dat:
# APM Local User Database
save.1400.save_pre = (/usr/bin/ldbutil --backup --file="/var/apm/localdb/restore.sql")
save.1400.file = /var/apm/localdb/restore.sql
save.1400.save_post = (rm -f /var/apm/localdb/restore.sql)


427732-2 : Connections using ECMP route may not be mirrored

Component: Local Traffic Manager

Symptoms:
In an HA pair, a connection that uses an ECMP route does not establish on the standby device. (ECMP routes are marked as 'dynamic ecmp' when you use the 'tmsh show net route' command.)

Conditions:
HA pair configured to use dynamic routing with ECMP.

Impact:
The connection does not survive an HA failover event.

Workaround:
None.

Fix:
Connections that rely on ECMP routes to the pool members are mirrored correctly when mirroring is enabled on the virtual.


427393-3 : BIG-IP serverssl "Untrusted Certificate Response Control" with ignore option does not ignore self-signed untrusted certificate.

Component: Local Traffic Manager

Symptoms:
With the serverssl profile's "Untrusted Certificate Response Control" set to ignore, BIG-IP should ignore a self-signed untrusted certificate sent by the backend server, but it does not.

Conditions:
The serverssl profile has "Untrusted Certificate Response Control" set to ignore, and the backend server sends a self-signed untrusted certificate.

Impact:
BIG-IP should ignore the self-signed untrusted certificate, treat it as valid, and continue the handshake, but instead it drops the handshake.

Workaround:
None.

Fix:
BIG-IP now ignores the self-signed untrusted certificate when the serverssl profile sets "Untrusted Certificate Response Control" to ignore.


427357-7 : Virtual address icmp-echo and arp properties get reset to disabled for network prefixes on config load

Component: TMOS

Symptoms:
On a configuration load, the icmp-echo property is always set to disabled for a virtual address with a network prefix.

Conditions:
This occurs on virtual addresses that have a network prefix.

Impact:
ICMP and ARP behavior stops for the virtual address.

Workaround:
Manually reconfigure the icmp-echo property for virtual addresses with network prefixes.

Fix:
The icmp-echo property is now set correctly for virtual addresses with network prefixes.


427239-1 : Default node monitor causes nodes to be left unchecked after sync

Component: Local Traffic Manager

Symptoms:
When multiple devices are in a failover device group and a default node monitor is being used, removing the default node monitor, synchronizing the configuration, then recreating it and re-synchronizing will cause other devices' nodes to move to the unchecked state.

Conditions:
This only affects configurations that have a default node monitor configured.

Impact:
Affected nodes will be left in the unchecked state.

Workaround:
Temporarily turn on full-load-on-sync on the failover device group, or use the 'Overwrite Configuration' option in the device group sync page of the GUI.

Fix:
The default node monitor now syncs even when full-load-on-sync is false on the failover device group.


427201-1 : Issues with the LTM policy http-set-cookie action

Component: Local Traffic Manager

Symptoms:
The http-set-cookie action in an LTM policy can have several parameters. The parameters 'domain' and 'path' are reversed. The value of the domain parameter is used as the path in the Set-Cookie header and the value of the path parameter is used as the domain in the Set-Cookie header. It is also possible to use an http-set-cookie action without supplying a value. This results in an invalid Set-Cookie header.

Conditions:
The issue happens whenever the http-set-cookie action is executed with a domain and/or path parameter, or without a value parameter.

Impact:
An invalid Set-Cookie header might be sent to the browser.

Workaround:
Reverse the values for the domain and path parameters and make sure a value parameter is supplied.

Fix:
The http-set-cookie action in an LTM policy now correctly uses the domain and path parameters when generating a Set-Cookie header. It is no longer possible to use the http-set-cookie action without supplying a value.


427157-2 : The TMM process may restart and produce a core file when using certain SSL iRule commands.

Component: Local Traffic Manager

Symptoms:
The following Tcl commands can cause tmm to crash:
- SSL::verify_result
- SSL::mode
- SSL::secure_renegotiation
- SSL::cert count

Conditions:
One of the listed commands is executed.

Impact:
The execution of the above commands can, in rare instances, cause tmm to crash.

Workaround:
Do not execute the listed commands.

Fix:
The following Tcl commands no longer cause tmm to crash: SSL::verify_result, SSL::mode, SSL::secure_renegotiation.


427118-2 : BIGIP serverssl profile does not send out any Alert message.

Component: Local Traffic Manager

Symptoms:
BIG-IP serverssl profile does not send out any Alert message.

Conditions:
When the BIG-IP serverssl profile tries to send an Alert message.

Impact:
No Alert message is sent out.

Workaround:
None.

Fix:
BIG-IP now sends correct TLS alert messages in handshake failure modes.


427085-2 : BIG-IP should send an Alert message when it receives a ClientHello with an unsupported protocol version.

Component: Local Traffic Manager

Symptoms:
When BIG-IP receives a ClientHello message with an unsupported protocol version, it should send an Alert message carrying the protocol version it received.

Conditions:
BIG-IP receives a ClientHello with a protocol version that BIG-IP does not support.

Impact:
BIG-IP should send the Alert message with the same protocol version as the one received in the ClientHello, but it sends the Alert message with protocol version 00 00.

Workaround:
None.

Fix:
BIG-IP sets the correct protocol version in Alert message when it receives a ClientHello with an unsupported protocol version.


427077-3 : Regenerate trust domain and related device certs and keys

Component: TMOS

Symptoms:
Occasionally, a UCS file might have one of the following conditions:
1. Missing trust certs (dtca.crt, dtca-bundle.crt), trust key (dtca.key), device cert (dtdi.crt) or device key (dtdi.key).
2. Inconsistent configuration of the above file objects. This generally means that the cache-path entries in the config entries for the files in bigip_base.conf are inconsistent with what actually exists in the filestore.
These two conditions can occur as a result of several errors: loading from a previously defective UCS, an incomplete load from SCF files, creating a UCS after a configuration change without performing a config save operation, and others.

Conditions:
This occurs when the dtca/dtdi files are missing or contain configuration inconsistencies.

Impact:
When these conditions are met, the UCS fails to load.

Workaround:
You can mitigate the problem by regenerating the trust-related certs and keys while loading an affected UCS. To do so, run the following command: tmsh load sys ucs <UCS File> reset-trust

Fix:
An option has been added to the TMSH config installation command that can be used to reset keys and certs associated with the trust domain. The option name is 'reset-trust' and it can be specified on the command line when manually loading a UCS file in TMOS. This command can be used to mitigate the problem of a UCS file not loading because of missing or incorrectly formed trust certs or device keys. To regenerate the trust-related certs and keys while loading an affected UCS, run the following command: tmsh load sys ucs <UCS File> reset-trust. Important: running this command on a device that is part of a trust domain requires the device to rejoin that trust domain.


426623-4 : Proxy auto-config (PAC) file isn't applied sometimes.

Component: Access Policy Manager

Symptoms:
The PAC file is not applied during Network Access if it fails to download the first time.

Conditions:
A PAC file is configured in the Network Access configuration, and a Mac client is used to connect to BIG-IP with that NA configuration.

Impact:
Some websites might be inaccessible or directly accessible, depending on the PAC file and the corporate network setup.

Workaround:
Disconnect and reconnect until the PAC file is applied. The "scutil --proxy" command shows a local loopback PAC file URL (e.g. http://127.0.0.1/[path]/proxy.pac) if it is applied.

Fix:
Improved PAC file download mechanisms.


426600-1 : tmm may loop with priority group and rate limit enabled

Component: Local Traffic Manager

Symptoms:
TMM may loop and eventually be killed by the SOD service.

Conditions:
Rate limit and priority group are enabled.

Impact:
tmm crashes.

Workaround:
None.

Fix:
The tmm loop has been fixed.


426508-2 : Inconsistent OSPFv3 default-information originate behavior

Component: TMOS

Symptoms:
When the "default-information originate" option is configured for the Open Shortest Path First (OSPFv3) protocol, a default route Link State Advertisement (LSA) is only originated if a default route was configured before "default-information originate" was.

Conditions:
The Open Shortest Path First (OSPFv3) protocol is configured to redistribute default route information using the default-information originate option.

Impact:
Default IPv6 route not advertised via OSPFv3.

Workaround:
Remove and re-add "default-information originate" from the OSPFv3 configuration.

Fix:
"default-information originate" in OSPFv3 now correctly detects the addition and deletion of a default route.


426373-2 : OSPFv3 external LSA format corrected

Component: TMOS

Symptoms:
External (type 5) OSPFv3 LSAs had a route tag appended unconditionally. This may have caused peer routers to reject the LSAs.

Conditions:
OSPFv3 configured with route redistribution.

Impact:
Adjacency never reaches full state on neighbor.

Workaround:
Configure a route tag on redistribution.

Fix:
OSPFv3 external (type 5) LSAs originated by TMOS contain a route tag only when a route tag is configured.


426328-3 : Updating iRule procs while in use can cause a core

Component: Local Traffic Manager

Symptoms:
When updating an iRule that is in process or parked and has existing connections and uses a proc, a core can occur due to incorrect internal reference counting.

Conditions:
A high-traffic iRule that both parks and uses a proc.

Impact:
The BIG-IP system might temporarily fail to process traffic, and fail over if configured as part of a high availability (HA) pair.

Workaround:
Disable listener before updating iRule. For more information, see SOL14654: Updating an iRule that uses sideband connections may cause TMM to core, available here: http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14654.

Fix:
Updating an iRule that uses sideband connections no longer causes TMM to core.


426267-3 : Vcmp guest management IP does not get set after config load failure

Component: TMOS

Symptoms:
If a guest's config load fails and is then subsequently corrected, the management IP passed in from the hypervisor is not applied until it is changed to a different value.

Conditions:
The guest has had a config load failure that has been fixed, and is not configured to override the management IP given by the hypervisor.

Impact:
The guest is not reachable on its management IP address.

Workaround:
1. Change the guest's management IP on the hypervisor side (and then change it back): tmsh modify vcmp guest <guest-name> management-ip <new-address>
2. Change the guest's management IP in the guest (TODO: verify if this also works) to override the one passed in by the hypervisor.

Fix:
mcpd ignores the management IP passed in from the hypervisor when it has not changed since the last time the management IP was set. The fix resets the change detection state when a transaction rollback occurs after the management IP given by the hypervisor has been processed.


425878-5 : Loading a configuration with vcmp guests may cause incorrect guest settings.

Component: TMOS

Symptoms:
Multiple vCMP instances may use the same MAC addresses when running FastL4 traffic.

Conditions:
This issue can be triggered by loading a configuration, ucs, or scf containing vcmp objects in the provisioned or deployed state while the running system is not provisioned for vcmp. It may also be triggered during a relicensing event if the system has vcmp guests provisioned or deployed and is restarted prior to applying an updated license.

Impact:
This issue can cause traffic disruption, traffic being directed to the wrong vcmp instance, and incorrect learning on upstream devices.

Workaround:
Set all vcmp guests to the configured state. After all guests are down, they may be redeployed as desired.

Fix:
Loading a configuration with vcmp guests no longer causes incorrect guest settings.


425568-3 : MySQL monitor may hang under repeated connection failures

Component: Global Traffic Manager

Symptoms:
After receiving errors from a SQL server, which causes the server to close the connection, the monitor (client) tries to continue to use the cached database connection that is no longer valid.

Conditions:
Under certain rare conditions, when a database monitor is unable to connect repeatedly (locked out for too many failed passwords, for example), the database monitor may get into a state where it becomes unresponsive and stop trying to send monitor probes.

Impact:
Monitor marks pool member down when it may not be down.

Workaround:
None.

Fix:
This release contains a fix for the intermittent hang of SQL monitors when cached database connections are closed on the server.


425459-2 : session iRule command may cause errors

Component: Local Traffic Manager

Symptoms:
The errors caused could be anything from invalid data being returned by a different iRule command to an iRule error being raised (which would normally kill the flow), with the latter possibly logging a message in /var/log/tmm* which looks like "Received bad req_id: (0000004a00000072 != 0000000000000000)" depending on the exact command.

Conditions:
A session command runs and is followed by another iRule command that uses the session DB (for example, a table command); the second command may then return bad data or raise an iRule error.

Impact:
Connections being reset, or other problems resulting from bad data being returned from iRule commands.

Workaround:
Replace session iRule commands with table iRule command equivalents.

Fix:
Errors no longer happen when using session iRule commands.
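The workaround above, written out as an added example (not code from the F5 release note or from F5): the same lookup first with the session commands this issue affects, then with the table equivalents. The header name X-Session-ID, the pool name app_pool, the subtable name app_sessions and the 3600-second lifetime are assumptions for illustration.

```tcl
# Added example (not F5's code): replacing "session" iRule commands with the
# "table" family. Assumptions: a virtual server with an HTTP profile whose
# default pool is "app_pool"; header "X-Session-ID", subtable "app_sessions"
# and the 3600 s lifetime are illustrative.

when HTTP_REQUEST {
    set sid [HTTP::header "X-Session-ID"]
    if { $sid eq "" } { return }

    # Affected pattern on unfixed builds: a "session" command followed by any
    # other session-DB user could return bad data or raise an iRule error.
    #   set target [session lookup uie $sid]
    #   ...
    #   session add uie $sid "$addr $port" 3600
    #
    # Workaround: the "table" commands. -subtable namespaces these keys so they
    # cannot collide with other iRules storing data in the same session DB.
    # "table lookup" also refreshes the entry's timeout unless -notouch is given,
    # so an active session is not expired while it is still in use.
    set target [table lookup -subtable "app_sessions" $sid]
    if { $target ne "" } {
        # Stored as "<addr> <port>": send this request to the same pool member.
        pool app_pool member [lindex $target 0] [lindex $target 1]
    }
}

when LB_SELECTED {
    # Record the member chosen for this session ID. "table set" creates or
    # overwrites the entry; the final argument is the timeout in seconds.
    if { [info exists sid] && $sid ne "" } {
        table set -subtable "app_sessions" $sid "[LB::server addr] [LB::server port]" 3600
    }
}
```

The table entry is keyed on a client-supplied header value, so keep the subtable private to this iRule and let the timeout expire idle sessions rather than relying on the client to clean up.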


425377-1 : Proxy server might cause EdgeClient to detect captive portal that does not exist

Component: Access Policy Manager

Symptoms:
EdgeClient incorrectly detects captive portal if requests go through tunnel and then through BIG-IP-defined proxy server.

Conditions:
If proxy server is enabled for Network Access, then captive portal is incorrectly detected when the following conditions are met: 1) All IP traffic is routed to tunnel (either the Force all traffic through tunnel option is enabled or split tunneling with address space such as 0.0.0.0/0.0.0.0 is used). 2) Proxy server redirects HTTP requests.

Impact:
EdgeClient might detect captive portal that does not exist.

Workaround:

Fix:
BIG-IP Edge Client now correctly detects captive portal if requests go through tunnel and then through BIG-IP-defined proxy server.


425250-5 : If datagram lb is enabled with a parking iRule, TMM may crash if more than one response is received

Component: Local Traffic Manager

Symptoms:
The TMM will segfault. It is difficult to identify this issue without a core analysis.

Conditions:
* Datagram load balancing is enabled.
* An iRule command that parks is used; examples include 'delay' and 'table'.
* More than one response is received.
An example is UDP DNS with the udp_gtm_dns profile (which enables datagram LB). The DNS_RESPONSE event triggers for each DNS response; if a parking iRule command is used in this event and the DNS server returns more than one response, TMM may crash.

Impact:
The TMM will crash and write out a core file. The system should recover on its own. Note, however, that this crash is caused by a specific sequence of events and if those events replay or are mirrored to another device, failover systems may also crash.

Workaround:
If using datagram load balancing, avoid iRule commands which park in events which may trigger multiple times (e.g. DNS_RESPONSE).

Fix:
TMM no longer crashes when using iRule parking commands with Datagram Load Balancing. This version silently drops any datagrams received after the first response datagram is egressed to the client.
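The workaround above as an added example, not F5's code: a table lookup moved out of DNS_RESPONSE (which can fire once per response datagram) into DNS_REQUEST (which fires once per query), so that no parking command runs in the event that may repeat. A UDP virtual server with a DNS profile and datagram load balancing is assumed, and the subtable name dns_watch is illustrative.

```tcl
# Added example (not F5's code). Assumes a UDP virtual server with a DNS profile
# and datagram-lb enabled; the subtable name "dns_watch" is illustrative.
#
# Affected pattern on unfixed builds: a parking command inside DNS_RESPONSE,
# which can fire once per response datagram.
#   when DNS_RESPONSE {
#       set watch [table lookup -subtable "dns_watch" [DNS::question name]]
#       ...
#   }

when DNS_REQUEST {
    # DNS_REQUEST fires once per query, so a parking command is safe here.
    set qname [string tolower [DNS::question name]]
    set watch [table lookup -subtable "dns_watch" $qname]
}

when DNS_RESPONSE {
    # Only non-parking commands in this event: variables already set above,
    # IP::, DNS::header and log. Nothing here waits on the session DB.
    if { [info exists watch] && $watch ne "" } {
        log local0. "watched query $qname: rcode [DNS::header rcode] from [IP::server_addr]"
    }
}
```

The same restructuring applies to any event that can repeat per datagram: do the blocking work once where the flow starts and carry the result forward in a variable.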


424936-2 : apm_mobile_ppc.css has duplicate 1st line

Component: Access Policy Manager

Symptoms:
An extra line consisting of "<?" appears at the top of the apm_mobile_ppc.css file and causes an error like this one:
Jul 9 08:37:10 roeislfl4gm err httpd_sam[13917]: [error] [client 127.1.1.4] PHP Parse error: syntax error, unexpected '<' in /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css on line 2

Conditions:

Impact:
An error message is written to the /var/log/http_errors log file.

Workaround:
To work around the problem, remove the extra line ("<?") from /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css.


424653-9 : SSL retransmit issues

Component: Local Traffic Manager

Symptoms:
There are two SSL retransmit issues.

Conditions:
1. SSL transmit uses different codecs to transmit the same packet.
2. Retransmission of the DTLS Finished message has no limit and can continue indefinitely.

Impact:
In the first case the packet is not transmitted correctly; in the second case the DTLS Finished message is retransmitted continuously.

Workaround:

Fix:
SSL transmit now uses the same codec to transmit the same packet. In addition, you can now set a DTLS Finished message retransmission limit, so retransmission of the Finished message no longer continues indefinitely.


424322-5 : Trunks containing empty SFP ports rejected on 2x00/4x00 appliances

Component: TMOS

Symptoms:
Attempting to create a trunk containing an unpopulated SFP port and ANY other member (including another unpopulated port) generates an error about incompatible media types:
# tmsh create net trunk test-trunk interfaces add { 2.1 2.2 }
01070619:3: Interface 2.2 media type is incompatible with other trunk members

Conditions:

Impact:
Config load could fail if the target system doesn't have transceivers installed in all SFP ports designated as trunk members by the incoming config.

Workaround:
Install transceivers before configuring the BIG-IP.

Fix:
Re-designated an empty SFP port as capable of all media the MAC knows how to support until a PHY is installed. Trunks may now contain empty SFP ports on 2x00/4x00 platforms.


424248-3 : Virtual servers bind failure on some tmm's

Component: Local Traffic Manager

Symptoms:
Packets arriving on the BIG-IP system that should match a specific virtual server are dropped or match a less-specific virtual server, because the virtual server failed to bind on some TMMs and so cannot forward traffic there. When a client uses passive FTP and has multiple control connections, a data connection might be handled by one of the other duplicate listeners, so it eventually goes to the wrong server/pool member.

Conditions:
Two or more virtual servers listen on the same IP, port, and protocol but have different VLAN assignments, typically a VLAN enable list on one and a VLAN disable list on the other (although this may not be strictly required). For the FTP case, the client must use passive FTP and have at least two FTP control connections.

Impact:
Dropped or misdirected traffic: the traffic does not match the more-specific virtual server and is matched to a less-specific one or dropped outright. Passive FTP data connections from a client may go to the wrong server.

Workaround:
Use VLAN enable lists for all virtual servers that listen on the same IP, port, and protocol. This workaround does not apply to the passive FTP case.

Fix:
Virtual servers with the same ip address and port but different vlan assignment now successfully bind to tmm and process traffic as expected.


424135-2 : gtmd crash caused by iQuery connection failure.

Component: Global Traffic Manager

Symptoms:
When gtmd is parsing an iQuery message from a failed iQuery connection, gtmd will crash.

Conditions:
Memory usage is high and memory allocation failure causes iQuery connection failure.

Impact:
gtmd may crash when iQuery connection fails. Site is at risk.

Workaround:

Fix:
gtmd will not crash when iQuery connection fails.


423834-3 : TMSH list with one-line option does not display on one line for some objects.

Component: TMOS

Symptoms:
There is a minor regression introduced to the functionality of the 'one-line' option. The symptom will show as added spaces and newline characters where there should not be any extras. This behavior only happens on association list configuration items that use custom sorting methods. This includes things like the rules or related rules properties of a Virtual Server, or the rules of an HTML Profile item.

Conditions:
This only occurs when the one-line option is specified during a tmsh list operation and the listed object contains an association list:
ltm virtual: rules, related-rules
ltm profile html: rules

Impact:
With the introduction of this regression, most systems will remain unaffected; however, a user may run into issues with scripts that expect a single line of input or custom parsers that are not expecting the extra \n or spaces.

Workaround:
There is no direct workaround for this issue, but scripts and parsers may be updated to expect or filter out extra whitespace characters and extra newline characters in the output.

Fix:
tmsh list with the one-line option now displays on one line for all objects as expected.


423805-2 : WAM may not send Etag for content it serves from cache

Component: WebAccelerator

Symptoms:
When clients request compressed static content that is already in the WAM cache, and the cached content needs to be revalidated, WAM may not send the ETag for the content even though the content has not changed on the OWS.

Conditions:
WAM is configured to cache compressed static content from OWS, and OWS does not send a Last-Modified date header in the response.

Impact:
Without an ETag sent back to the client, WAM may receive unnecessary load from clients that otherwise could perform a conditional GET using the ETag.

Workaround:
Configure OWS to return the Last-Modified header for content it serves.

Fix:
WAM now sends Etag for content it serves from cache.


423483-3 : Edge Client incorrectly resolves APM hostname while reconnecting

Component: Access Policy Manager

Symptoms:
Edge Client sometimes resolves the APM hostname incorrectly while reconnecting; this triggers a full reconnection even when one is not needed.

Conditions:
GTM is used for load balancing APMs. HTTPS request to the resolved hostname should be redirected with HTTP 302 response.

Impact:
Users may need to go through the full reconnection process including client checks and authentication when it's not really needed.

Workaround:
None.

Fix:
Previously, when the primary APM hostname was successfully resolved by GTM but the first request to download the configuration failed and the next one succeeded, Edge Client made an incorrect decision about the primary APM IP address. Eventually this led to a full reconnection when the Network Access connection was temporarily disrupted. Edge Client now makes the correct decision about the primary APM IP address in this scenario and performs a quick reconnection instead.


423317-8 : Reloading the config causes virtual servers to lose their reference to LC/GTM links

Component: Global Traffic Manager

Symptoms:
Normally when a GTM virtual server points to an LTM virtual server that is local to the LC/GTM box, it will display the link that it is assigned by LC/GTM. When a user reloads the config file, virtual servers will lose their association with links.

Conditions:
GTM or LC and LTM is provisioned, a GTM virtual server is pointed at an LTM virtual server on the same box, and a user runs tmsh load sys config.

Impact:
The user is unable to see the link associated with the LTM virtual server.

Workaround:
From the shell prompt on the BIG-IP: bigstart restart gtmd

Fix:
Link status for GTM server and virtual server IPs should work properly now after a config load.


423282-5 : BIG-IP JavaScript includes can be improperly injected when conditional comments are present

Component: Access Policy Manager

Symptoms:
JavaScript does not work if a page contains conditional comments inside its head tag.

Conditions:
The very first script tag is inside a conditional comment. Example:
<html>
<!--[if lt IE 9]>
<script src="foo.js"></script>
<![endif]-->
<script>
document.write("foo");
</script>
</html>

Impact:
JavaScript does not work.

Workaround:
To work around the problem, use an iRule. The exact commands to use depend on the situation.

Fix:
The issue has been fixed by adding necessary JavaScript includes into every conditional branch.


423115-2 : mcpd cores when virtual servers in traffic groups have non-floating IP address

Component: TMOS

Symptoms:
Changing IP addresses on traffic groups in an HTTP iApp service from floating to non-floating and then performing a full sync operation, might cause mcpd to crash and write out a core file on the peer device.

Conditions:
This occurs after changing the IP addresses on a traffic group in an iApp service from floating to non-floating, and then syncing.

Impact:
The mcpd process restarts, which also results in most other system daemons restarting as well.

Workaround:
Ensure that iApps and the objects within them are associated with the same traffic group.

Fix:
mcpd no longer cores when syncing virtual servers in a traffic group that have non-floating IP addresses.


423007-2 : The .toString() function could return mangled source for an inline event handler.

Component: Access Policy Manager

Symptoms:
The .toString() function applied to an event handler reference (such as document.body.onload.toString()) can return the handler source including the modifications that APM's content rewriting inserted. This may lead to errors in the web application.

Conditions:
Event handler was defined inline as a HTML tag attribute.

Impact:
Some web applications could work incorrectly.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed an issue where toString function could return mangled text of inline html event handler.


422948-3 : APD does not trigger Apply Access Policy when rule expression is changed in macro

Component: Access Policy Manager

Symptoms:
If an Access Policy item is changed on the Rules tab, apd does not show the "Apply Access Policy" link, so an administrator may forget to apply the modified policy.

Conditions:
An Access Policy item is modified on the Rules tab.

Impact:
The modified Access Policy is not applied.

Workaround:
Apply the access policy manually after every change.

Fix:
If you change a rule expression in a macro, the "Apply Access Policy" link now appears as expected.


422554-1 : Lack of detail for why TMM does not become Ready For World

Component: Local Traffic Manager

Symptoms:
TMM may fail to achieve ready-for-world status (as shown in the HA Status table) due to a number of possible reasons. Currently, there is no direct logging of the specific reason that TMM fails to achieve ready-for-world status.

Conditions:
TMM ready-for-world condition (as shown in the HA Status table) fails, and the HA group member fails to become active and to begin passing traffic.

Impact:
Diagnosing situations where TMM does not become Ready-For-World requires understanding the requirements/dependencies for TMM to become Ready-For-World, and examining indirect logged data to confirm which dependency failed in each observed case.

Workaround:

Fix:
The tmm/ready_for_world_stat tmstat table now lists the components upon which TMM depends to become Ready For World, and indicates whether each is currently in a 'ready' or 'not_ready' state. For example:
# tmctl -d blade tmm/ready_for_world_stat
name  ready                                               not_ready
----  --------------------------------------------------  ---------
tmm0  platform_msg,shared_random,cmp_mpi,dag_transition,


422527-2 : innerHTML property improperly patched for SCRIPT and STYLE tags in input

Component: Access Policy Manager

Symptoms:
The innerHTML property wrapper rewrites SCRIPT and STYLE tags in the assigned content even when that content should not be transformed.

Conditions:
Example:
var s = document.createElement("script");
var x = "alert('test');";
s.innerHTML = x;
document.head.appendChild(s);

Impact:
The F5_Inflate_innerHTML() wrapper improperly patches SCRIPT and STYLE tags when the content should not be transformed, causing the web application to malfunction.

Workaround:

Fix:
The innerHTML property is now properly patched when SCRIPT and STYLE tags appear in its input.


422460-4 : TMM may restart on startup/config-load if it has too many objects to publish back during config load

Component: Local Traffic Manager

Symptoms:
TMM restarts without writing a core file on startup, or while mcpd is loading the configuration, if the configuration is large (for example, over 1000 passive monitors).

Conditions:
This issue occurs when all of the following conditions are met:
-- The mcpd process loads a large configuration with thousands of objects.
-- The platform is running 12 or more TMM instances (BIG-IP 11000 or 11050 platform, or VIPRION B4300 blade).

Impact:
Traffic processed by the affected TMM instance is interrupted while TMM restarts. TMM might enter a restart loop and restart multiple times without producing a core file. You might see errors similar to the following in log/tmm or log/daemon:
-- LTM01 notice mcp error: 0x1020003 at ../mcp/db_net.c:575.
-- LTM01 crit tmm11[28599]: 01010020:2: MCP Connection aborted, exiting.
-- LTM01 emerg logger: Re-starting tmm.
This might cause serious traffic disruption.

Workaround:
This workaround is a mitigation and may not work in all cases; the zero-window timeout may need to be set even higher on some systems. To work around this issue, increase the timeout used for the MCP connection by adding a zero_window_timeout 300000 setting to the profile tcp _mcptcp stanza in the tmm_base.tcl file. This lengthens the timeout and so avoids the restart. For more information, see SOL14498: The mcpd connection to TMM may time out on either startup or configuration load and cause TMM to restart, available at http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14498.html.

Fix:
TMM no longer restarts on startup/config-load if it has too many objects to publish back during config load.


422409-1 : Rare issue causing TunnelServer to crash after hibernate

Component: Access Policy Manager

Symptoms:
TunnelServer may crash while the system resumes from hibernation.

Conditions:
The system is resuming from hibernation, and a Network Access connection had been started but not finished before the system hibernated.

Impact:
TunnelServer restarts, which may confuse the user.

Workaround:

Fix:
Issue has been resolved.


422241-4 : Thales without OCS protected slot

Component: Local Traffic Manager

Symptoms:
The pkcs11d daemon is unable to initialize the pkcs11 session with the hardware security modules (HSM), if only the module slot exists. The pkcs11d daemon expects an Operator Card Set (OCS)-protected slot to always exist.

Conditions:
Only module-protected slots are configured and the OCS-protected slot is disabled.

Impact:
pkcs11d daemon is unable to initialize the session with the HSM and keeps restarting due to failed initialization.

Workaround:
Enable an OCS protected slot.

Fix:
The system now supports Thales without an Operator Card Set (OCS)-protected slot.


422196-3 : FEC functionality may not take effect due to certain config change.

Component: Access Policy Manager

Symptoms:
FEC functionality does not take effect for DTLS/VPN tunnel when an already attached connectivity profile is modified.

Conditions:
This happens when the connectivity profile is already attached to a virtual.

Impact:
When the FEC profile is attached to the connectivity profile, which is already attached to a virtual, the FEC functionality will not take effect for DTLS VPN tunnels.

Workaround:
Detach the connectivity profile from the virtual. Attach the FEC profile to the connectivity profile. Attach the connectivity profile to the virtual.

Fix:
Attaching a profile (such as an FEC profile) to a connectivity profile that is already attached to a virtual server now takes effect, so the updated settings are used between the client and server.


422156-1 : IRule errors can crash SPDY

Component: Local Traffic Manager

Symptoms:
When an iRule raises an error, it may cause SPDY to free the TCL context early. This can cause a NULL pointer to be dereferenced, crashing the TMM.

Conditions:
SPDY is used, and an iRule event above spdy in the chain has an error.

Impact:
TMM crash

Workaround:
Most iRules do not raise Tcl errors (and an error normally kills the flow anyway). Rewrite your iRule to avoid syntax errors, invalid command calls, and so on.

Fix:
An error within an iRule will no longer cause SPDY to cause the TMM to crash.


422077-1 : TMM memory grows, TCL Variable leaking

Component: Local Traffic Manager

Symptoms:
TMM memory usage keeps growing; the tcl (variable) row in the memory_usage_stat table shows continuously increasing allocations, for example:
tmctl -a "memory_usage_stat"
name             allocated   max_allocated  held        size  tot_allocs  cur_allocs
tcl (variable)   1326234128  1326239328     1326234128  1     8986499096  17184678
umem_alloc_48    671065104   671067744      13981343    48    3234287967  13980523
umem_alloc_8192  434741248   434741248      54060       8192  183410902   53069

Conditions:
The leak can be triggered by an iRule such as:
persist uie [HTTP::header "Authorization"] 7200
when the Tcl context's connflow (tcl_ctx.cf) is the server side with a NULL peer. In that case the Tcl object holding the persistence key is never freed.

Impact:
TMM memory growth.

Workaround:
None.

Fix:
Memory leak in the persist tcl variable is fixed.


421882-3 : ospf6d may crash during HA failover

Component: TMOS

Symptoms:
ospf6d generates a core after a segmentation fault while attempting to remove redistributed routes during an HA failover, due to a bug in its error logging.

Conditions:
HA pair experiences a failover when route redistribution for OSPFv3 is in use.

Impact:
OSPFv3 routes are dropped when this happens. Route redistribution feature not usable.

Workaround:
None.

Fix:
ospf6d no longer crashes while attempting to remove redistributed routes during failover.


421791-3 : Out of Memory Error

Component: WebAccelerator

Symptoms:
TMM crashes with a segmentation violation early in a WAM module interface. Before the crash, the logs most likely show messages indicating that the sweeper was activated one or more times.

Conditions:
Only happens when free memory is very low to non-existent.

Impact:
TMM crashes.

Workaround:
Reduce load on box if possible.

Fix:
Guards were placed on the module interfaces to bypass the module when the necessary memory could not be allocated for a connection.


421542-4 : Supported Internet Explorer minor deviation in javascript syntax

Component: Access Policy Manager

Symptoms:
The web application can produce links to external resources that APM has not rewritten.

Conditions:
Web applications written for use with IE only, containing JavaScript constructs such as:
if (a) { stmts1; }; else { stmts2; }
(note the semicolon before the 'else' keyword). Similar contexts are:
do { stmts }; while (condition);
try { stmt }; catch (condition) {}; finally {};

Impact:
JavaScript that APM has not rewritten may be encountered.

Workaround:
None

Fix:
Added tolerance for IE's deviation in JavaScript syntax.


421513-1 : Cannot create key/csr with DSA key using GUI

Component: TMOS

Symptoms:
After selecting the DSA key type and creating a key/CSR in the GUI, the key type still shows RSA instead of DSA.

Conditions:
The issue is seen when a user creates a DSA key/CSR in the GUI.

Impact:
The generated key is of the wrong type.

Workaround:
Create the DSA key/CSR with tmsh instead:
tmsh create sys crypto key dsa key-type dsa-private
tmsh create sys crypto csr dsa key dsa.key common-name cn

Fix:
Issue fixed; a DSA key/CSR can now be created using the GUI.


421429-3 : Client-initiated renegotiation for server ssl profile does not work with DTLS when it connects to another BIG-IP clientssl.

Component: Local Traffic Manager

Symptoms:
Client-initiated renegotiation for Server SSL profile does not work with DTLS when it connects to another BIG-IP Client SSL.

Conditions:
This issue occurs when a BIG-IP system configured with a Server SSL profile attempts to renegotiate a DTLS connection with a BIG-IP system configured with a Client SSL profile, as follows:
BIG-IP (Server SSL)                BIG-IP (Client SSL)
        |                                  |
        |----ClientHello (no cookie)------>|
        |<---HelloVerifyRequest(cookie)----|
        |-----ClientHello(with cookie)---->|
        |                                  |

Impact:
Attempts to renegotiate Datagram Transport Layer Security (DTLS) connections between BIG-IP systems might fail.

Workaround:
Do not directly connect two BIG-IP systems by DTLS.

Fix:
Client-initiated renegotiation for Server SSL profile now works with DTLS when it connects to another BIG-IP Client SSL.


421349-3 : FIPS key mismatch

Component: TMOS

Symptoms:
If, from the command line you run the commands 'tmsh show sys crypto fips' and 'tmsh show sys crypto key', you see a FIPS key handle mismatch in the output of these commands.

Conditions:
This can occur when you use FIPS keys on two 6900 or 8900 platforms configured as an HA pair and also manage the devices by EM.

Impact:
Traffic might be disrupted.

Workaround:
Remove the device from EM management.

Fix:
Using Enterprise Manager to manage HA pairs with FIPS no longer causes key handle mismatches.


421215-5 : "Error to launch inspector" error on 64-bit Linux

Component: Access Policy Manager

Symptoms:
A BIG-IP APM access policy includes an endpoint check. When any browser on 64-bit Linux is used to connect to that BIG-IP system, the endpoint check might fail with the error "Error to launch inspector".

Conditions:
BIG-IP APM access policy with any endpoint check; any browser on 64-bit Linux.

Impact:
Endpoint checks fail with "Error to launch inspector" for users browsing from 64-bit Linux.

Workaround:
Launch the 32-bit build of the browser.

Fix:
Browsers on 64-bit Linux now perform endpoint check properly.


421210-3 : FIPS key mismatch

Component: TMOS

Symptoms:
If, from the command line, you run the commands 'tmsh show sys crypto fips' and 'tmsh show sys crypto key', you see a FIPS key handle mismatch in the output of these commands.

Conditions:
This can occur when you use FIPS keys on two 6900 or 8900 platforms configured as an HA pair and also manage the devices by EM.

Impact:
Traffic might be disrupted.

Workaround:
Remove the device from EM management.

Fix:
Using Enterprise Manager to manage HA pairs with FIPS no longer causes key handle mismatches.


421124-2 : Role change and update in EM/BIG-IP system SSO setup

Component: TMOS

Symptoms:
When an external authentication mechanism such as LDAP is used to establish SSO between EM and a BIG-IP system, and a user's role is changed on EM, the change is not reflected on the BIG-IP system.

Conditions:
SSO between EM and a BIG-IP system using a third-party authentication system, such as LDAP.

Impact:
Potential privilege escalation: a user whose role was lowered on EM keeps the previous, higher-privilege role on the BIG-IP system.

Workaround:
None.

Fix:
Role change is now updated in EM/BIG-IP system SSO setup


420915-1 : Reload of configuration after virtual server deletion can cause very small memory leak.

Component: TMOS

Symptoms:
Very small memory leak can occur when configuration is reloaded after virtual servers have been deleted.

Conditions:
Reload of configuration after virtual servers have been deleted may cause the leak.

Impact:
Very small leak per configuration reload can contribute to low memory conditions over time.

Workaround:
No practical workaround or mitigation.

Fix:
The leak no longer occurs when the configuration is reloaded.


420837-2 : AAM can duplicate http headers under certain circumstances

Component: WebAccelerator

Symptoms:
When a client sends the "Accept-Encoding: identity" request header, AAM responds with duplicate response headers.

Conditions:
AAM and Accept-Encoding: identity in use by client

Impact:
Erroneous duplicate HTTP headers in the response.

Workaround:
This issue has no workaround at this time.

Fix:
AAM no longer duplicates HTTP headers when a client uses the "Accept-Encoding: identity" request header.


420769-2 : Memory corruption caused by qemu-kvm set_vcpu_affinity()

Component: TMOS

Symptoms:
Crash of a guest's qemu-kvm process with core generated

Conditions:
Any running vCMP guest could potentially hit this issue.

Impact:
This issue could cause a vCMP guest to crash or restart.

Workaround:

Fix:
Fix prevents crash from occurring.


420723-2 : Configuration can be lost upon VIPRION reset and multi slot guest activation

Component: Local Traffic Manager

Symptoms:
Under certain conditions, a new or less desired cluster member's configuration might become the active configuration.

Conditions:
This can occur when the cluster is active, goes dormant, and becomes active again. There are two forms of this:
1. A new or differently configured blade is inserted into the VIPRION hardware cluster while all of its members are unavailable (rebooting, resetting, powered off, etc.).
2. A vCMP guest deployed on VIPRION hardware has multiple slots. The guest was powered off or brought to the configured state before being deployed again, slots were added while it was in the configured state, or at least one of the guest's vdisk images was created on a new slot at provisioning/deployment time (and therefore not migrated).

Impact:
The configuration might change or become factory default between instances of a live cluster.

Workaround:
When adding additional slots to a vCMP guest, you should leave the vCMP guest in state 'deployed' to keep the extant slots running. Only add slots to a running guest, not configured guests. Similarly, only add new blades to a live cluster.

Fix:
In this version of software, the cluster synchronized configuration files have version control, so that a new blade or guest slot's configuration cannot overwrite the higher version of any existing configuration on any potential cluster primary member.


420485-4 : TMM silently drops non-SYN packet without TCP RST

Component: Local Traffic Manager

Symptoms:
In 11.0.0 and 11.3.0, TMM silently drops a non-SYN packet without sending a TCP RST if the TCP three-way handshake has not completed. In 11.2.1, TMM sends the reset. In 10.2.3, TMM rejects the non-SYN packet.

Conditions:
A non-SYN TCP packet arrives for which no connection has been established (the three-way handshake has not completed).

Impact:
When this occurs, no RST is sent in response to non-SYN packets, so the peer is not told that the connection does not exist.

Workaround:
None.

Fix:
TMM now correctly sends a RST packet when it receives a non-SYN TCP packet for which no connection has been established. In some versions, TMM would silently drop the packet.


420475-2 : IPv6 Reject routes installed using tmsh/GUI does not appear in ZebOS routing table

Component: TMOS

Symptoms:
When you use tmsh or the web interface to install IPv6 blackhole routes, they are not added to the ZebOS routing table. The show ipv6 route command in imish (the ZebOS IMI shell) does not show these routes.

Conditions:
This affects static IPv6 routes only. Static IPv4 routes are correctly reflected in ZebOS as kernel routes.

Impact:
Static IPv6 routes added via tmsh/GUI are not redistributed.

Workaround:
Create static IPv6 blackhole routes in ZebOS using IMI shell interface instead of using tmsh. Routes created using IMI shell are reflected in the TMM.

Fix:
Static routes created via tmsh or the web UI are now correctly propagated to ZebOS.


420440-8 : Multi-line TXT records truncated by ZoneRunner file import

Component: Global Traffic Manager

Symptoms:
Checking your TXT record in the web interface causes the system to give an error. Querying for the data against a listener for the record reveals that the TXT rdata is incorrect.

Conditions:
GTM enabled and a zone file with a TXT record that has multi-line rdata has been imported via the GUI into ZoneRunner.

Impact:
Your DNS TXT records will be incorrect.

Workaround:
Enter multi-line TXT records via the web interface as a single line consisting of the quoted strings.

Fix:
Multi-line TXT records are no longer truncated.


420341-4 : Connection Rate Limit Mode when limit is exceeded by one client also throttles others

Component: Local Traffic Manager

Symptoms:
When Connection Rate Limit Mode is set to Per Virtual Server and Source Address, you might encounter unexpected results: once a particular client exceeds the limit, other clients (other source IP addresses) are also throttled by the system.

Conditions:
This occurs in the following manner: There is a configured connection rate limit per virtual server per client; one client exceeds the configured rate limit; and the virtual server also throttles other, unrelated clients.

Impact:
The virtual server throttles clients that are not exceeding the connection rate limit.

Workaround:
None.

Fix:
Connection Rate Limit Mode when limit is exceeded by one client no longer throttles others.


420283-2 : Eliminate the need for customers to enable sys DB variables for VXLAN multicast tunnels.

Component: TMOS

Symptoms:
The two sys DB variables (tm.acceptipoptions and tm.allowmulticastl2destinationtraffic) need to be manually enabled for VXLAN tunnels with the flooding type 'multicast' to work.

Conditions:
Create a VXLAN tunnel with the flooding type 'multicast'.

Impact:
Without enabling the two sys DB variables, VXLAN tunnels with the flooding type 'multicast' do not work.

Workaround:
Customers can always enable the two sys DB variables manually before they create VXLAN tunnels with the flooding type 'multicast'.

Fix:
The two sys DB variables are automatically enabled when creating a VXLAN tunnel with the flooding type 'multicast'.


419458-2 : HTTP is more efficient in buffering data

Component: Local Traffic Manager

Symptoms:
Expiration of HTTP connections.

Conditions:
If many small packets are received, then the HTTP filter may buffer those packets inefficiently.

Impact:
Excessive memory usage for buffering data.

Workaround:
None.

Fix:
HTTP is more efficient in buffering data so that HTTP connections do not get expired early.


418943-1 : Session DB math operations may fail on long data values

Component: TMOS

Symptoms:
Sessiondb operations may fail, causing module errors or iRule errors.

Conditions:
Attempting sessiondb operations on extremely long integer values, i.e., padded integers.

Impact:
Failure of sessiondb operations.

Workaround:
Mitigate by trimming variables before using them in iRules.

Fix:
Session DB math operations no longer fail on long data values.


418850-4 : Do not restrict AD to be the last auth agent for View Client

Component: Access Policy Manager

Symptoms:
Previously, the AD Auth agent was required to be the last authentication agent in the policy for the policy to work correctly with the native VMware View client.

Conditions:
The user's password has expired and the user is prompted to change it.

Impact:
The user receives an error message even after a successful password change.

Workaround:

Fix:
If used, the AD Auth agent no longer needs to be the last authentication agent in an access policy for VMware View. Now username, password, and domain from AD Auth are preserved and passed to the backend.


416949-3 : When user logs into Citrix resource on APM Webtop, and has no Citrix apps assigned to him, "Logon Failed" is displayed in the dialog caption

Component: Access Policy Manager

Symptoms:
When a user logs in to a Citrix resource on an APM webtop and has no Citrix apps assigned to him, "Logon Failed" is displayed in the dialog caption.

Conditions:
APM webtop; the user logs in to a Citrix resource.

Impact:
The user is confused by seeing the "Logon Failed" caption in the Citrix Logon Dialog when in fact the user logged in successfully but has no apps assigned.

Workaround:

Fix:
"Login failed" is no longer displayed as the caption of the Citrix Logon Dialog box on the APM webtop when the user successfully logs into a Citrix resource, but has no apps assigned to him.


416292-4 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:

Fix:
Ensured that the active CMI connection is destroyed when mcpd is shutting down.


415616-2 : qkview may generate error messages for very long file names

Component: TMOS

Symptoms:
File names that contain more than 100 characters in the full pathname cannot be added to qkview files. If such filenames are encountered by qkview, they will be discarded. This will be indicated in both the meta.xml file and the qkview_run.data file.

Conditions:
Filenames under paths collected by qkview exceed 100 characters in length.

Impact:
A file that may contain useful diagnostic information is omitted.

Workaround:
Run qkview manually, and observe errors output to stderr. Copy these files manually to examine their contents.


414370-4 : ACCESS::disable and ASM may send TCP reset

Component: Access Policy Manager

Symptoms:
Client receives TCP reset.

Conditions:
Both an access profile and an ASM profile are assigned to a virtual server, and the iRule command ACCESS::disable is used on that virtual server.

Impact:
Minimal. Most clients will automatically retry, and the retry will succeed. Most users will not notice this error.

Workaround:
None

Fix:
Clients no longer receive a TCP reset if an ASM profile is configured and access was disabled with the "ACCESS::disable" iRule.


414245-4 : Attributes not populated when using tmsh edit command to modify existing virtual server

Component: TMOS

Symptoms:
When you use the tmsh edit command to modify an existing virtual server, the editor screen displays the default template for creating a virtual server.

Conditions:
This issue occurs when the following condition is met: The tmsh edit command is used to modify an existing virtual server.

Impact:
You are unable to save changes to an existing virtual server using the tmsh edit command.

Workaround:
To work around this issue, you can use the modify command in the tmsh utility.

Fix:
You can now save changes to an existing virtual server using the tmsh edit command.


413689-4 : ntlm + oneconnect + persistence + v2 plugin can cause crash

Component: Local Traffic Manager

Symptoms:
If you apply NTLM, OneConnect, Persistence together WITH a V2 (TMI) Plugin, the TMM can crash.

Conditions:
The specific filters indicated above, together, can result in a TMM crash.

Impact:
TMM restarts, connections lost.

Workaround:
None.

Fix:
TMM no longer crashes with certain combinations of profiles.


413236-5 : SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more

Component: Local Traffic Manager

Symptoms:
SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more.

Conditions:
This occurs with Client SSL profile name containing 32 characters or more.

Impact:
A full SSL handshake is executed rather than an optimized handshake, so that SSL resumption does not work. When this occurs, SSL session IDs might not be reused appropriately, and new SSL session IDs might be presented during the SSL handshake, while the previous session ID is still valid.

Workaround:
Use a Client SSL profile whose name length is fewer than 32 bytes. Note: The 32-character limit includes the profile name and the characters that comprise the folder path (partition and folder). For example, the following profile name is 34 characters in length: /Common/client-ssl-profile-test123. For more information, see SOL14372: SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more.

Fix:
The system now successfully resumes SSL sessions when a Client SSL profile name is 32 characters or more.


413052-2 : Generating a qkview report on systems with large routing tables can crash TMM.

Component: TMOS

Symptoms:
TMM can assert and crash when extracting the routing table for qkview (support information).

Conditions:
This happens only on systems with 100K+ routes.

Impact:
TMM cores and is restarted.

Workaround:
Avoid running qkview and use other methods to collect support information.

Fix:
It is now possible to collect qkview data on a system with a large number of routes.


412138-1 : If a resource has acl-order 0 and is used by a profile that has been exported, the profile cannot be imported back

Component: Access Policy Manager

Symptoms:
Importing an access profile fails.

Conditions:
The .conf file contains a resource with acl-order 0 (the default).

Impact:
Medium. Import fails if an object has acl-order 0.

Workaround:
1. Do not use ACL order 0 in the exported configuration.
2. Alternatively, open the .conf.tar.gz file and edit it, adding "acl-order 0" where it is missing.

Fix:
You can now import an access policy when a new ACL is order 0 and an ACL with that order already exists.


411151-1 : Vlan groups with EtherIP tunnel members may drop packets

Component: TMOS

Symptoms:
Vlan groups that have both vlan and EtherIP tunnel members may drop packets with sizes exceeding the effective MTU size of the EtherIP tunnel. The effective MTU size is computed by discounting the encapsulation overhead of 36 bytes from the configured MTU size of the underlying vlan. The underlying vlan of the tunnel is the vlan used to transmit tunnel packets.

Conditions:
The issue applies to configurations with vlan groups that have both vlan and EtherIP tunnel members.

Impact:
The vlan group drops all packets exceeding the effective MTU of the EtherIP tunnel.

Workaround:
The recommended workaround is to increase the configurable MTU size of the vlan underlying the EtherIP tunnel to account for the encapsulation overhead of 36 bytes. This avoids the issue and additionally avoids fragmentation of encapsulated packets.

Fix:
The fix causes EtherIP tunnels to appear to have no encapsulation overhead. If the tunnel is a member of a vlan group, the vlan group will be able to forward frames with sizes not exceeding the minimum MTU setting of member vlans and the underlying vlans of member tunnels. Additionally, the fix avoids vlan group forwarding loops caused by misconfiguration of tunnels.


410398-2 : sys db tmrouted.rhifailoverdelay does not seem to work

Component: TMOS

Symptoms:
The sys db variable tmrouted.rhifailoverdelay value <value> does not seem to take effect: the route is withdrawn, sometimes before the newly active device is able to advertise the virtual address, leaving a blackhole route.

Conditions:
This occurs during a failover.

Impact:
Temporary black hole for a route.

Workaround:

Fix:
tmrouted no longer bypasses rhifailoverdelay during an op-state change.


408965-1 : SSL persistence does not work with session ticket

Component: Local Traffic Manager

Symptoms:
When an SSL persistence profile is attached to a virtual server and the SSL server sends a session ticket, the ticket is not parsed correctly, causing persistence to fail.

Conditions:
An SSL persistence profile is attached to a virtual server, and the SSL server sends a Session Ticket extension.

Impact:
SSL persistence does not work correctly.

Workaround:
Do not allow the SSL server to send the Session Ticket Extension.

Fix:
SSL Persistence now works when the session ticket extension is sent.


407353-4 : TMM may fail under heavy load when using cmp.

Component: Local Traffic Manager

Symptoms:
TMM may crash under heavy load when CMP forwarding is triggered, resulting in a TMM core.

Conditions:
Heavy TMM load, CMP forward triggered.

Impact:
TMM crash.

Workaround:
None.

Fix:
TMM will not crash under this situation.


405752-3 : Monitors sourced from specific source ports can fail

Component: TMOS

Symptoms:
Monitors using TCP transport fail when sourced from ports 1097 (on some platforms), 1098, 1099, and 3306. Upon receipt of the SYN-ACK from the monitored device, TMOS filters the packet and responds with ICMP port unreachable.

Conditions:
Use one or more monitors which rely upon TCP as a transport. Port 1097 will be affected on the BIG-IP 800, 1600, 3600, 3900, 6900, 8900 (and derivative), 1100, and 11050 platforms.

Impact:
May result in false monitor failures.

Workaround:
1. Set the bigd.reusesocket database variable to 'enable' and follow F5 Networks' best practices for monitors, specifying a timeout of three times the interval plus 1 second.
2. Modify iptables by removing the affecting iptables rule:
-- /sbin/iptables -D INPUT -p tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Fix:
Monitors using TCP transport sourced from certain ports now handle traffic as expected.


405470-2 : promptstatusd dumps core under unknown circumstances

Component: TMOS

Symptoms:
promptstatusd is the daemon that examines the system to produce the dynamic parts of the shell prompt (e.g. informing the user whether the device is active or standby). Under unknown conditions it will dump core.

Conditions:
Unknown.

Impact:
A core will be left, but the daemon will restart and the system will return to normal operation.

Workaround:

Fix:
promptstatusd no longer dumps core under a certain unknown condition.


405067-4 : System applies active bonus value when the HA score is zero

Component: TMOS

Symptoms:
Contrary to documentation, release 11.2.0 and later apply the active bonus to HA group score even when the HA group score is 0 (zero).

Conditions:
This occurs when the HA group score is 0 and there is a value specified in Active Bonus.

Impact:
A minimal HA group configuration can result in a situation in which the active bonus alone is enough to keep an ailing unit active.

Workaround:
For configurations without pool/pool member with HA group, the workaround is to lower the Active Bonus value to a small value (one is sufficient).

Fix:
The system no longer adds the active bonus when the HA group score is 0 (zero). This is correct behavior.


403991-4 : Proxy.pac file larger than 32 KB is not supported

Component: Access Policy Manager

Symptoms:
A Proxy.pac file larger than 32 KB is not downloaded, and the Edge Client may fail to provide network access.

Conditions:
BIG-IP APM, Mac Edge Client, network access, proxy.pac URL pointing to a file larger than 32 KB.

Impact:
User might not be able to access internal resources and Edge Client might go into connect/disconnect loop.

Workaround:

Fix:
BIG-IP Edge Client for Mac now supports a Proxy.pac file size of up to 1 MB; previously, the limit was 32 KB.


402412-2 : FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.

Component: Local Traffic Manager

Symptoms:
When FastL4 performs hardware acceleration at TCP handshake, FastL4 handshake timeout is not honored.

Conditions:
When FastL4 performs hardware acceleration at SYN time, once a flow is offloaded to hardware, the flow switches to using idle timeout instead of standard established timeout.

Impact:
FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.

Workaround:
None.

Fix:
FastL4 no longer switches to idle timeout before data is received, so the 5-second TCP handshake timeout holds until the first data arrives, at which time it switches to idle timeout.


401852-2 : csyncd will intentionally dump core when the kernel event queue is full

Component: Local Traffic Manager

Symptoms:
csyncd is a daemon that synchronizes parts of the filesystem between blades of a chassis, and also runs in a limited mode on appliances to detect and respond to changes on the filesystem. The Linux kernel has a fixed-size buffer in which it writes a log of the filesystem events in which csyncd is interested. If the kernel indicates that this buffer is full, csyncd generates a log message of this format: 'csyncd[6885]: 013b0004:3: Fatal error: event queue overflow'. After this it leaves a core dump.

Conditions:
This can happen with no special configuration.

Impact:
The daemon will dump core as it restarts. No action is required.

Workaround:

Fix:
csyncd no longer dumps core if the kernel event queue is full. It will still generate a log message and restart, which is intentional.


395570-5 : TCP::Collect iRule can cause TMM failure.

Component: Local Traffic Manager

Symptoms:
TMM can fail when traffic is sent to an SSL VIP.

Conditions:
Use of a TCP::Collect iRule together with the SSL filter being in use can cause a TMM failure.

Impact:
TMM Outage.

Workaround:

Fix:
The TCP implementation has been corrected to prevent invoking the SSL code under these conditions thereby preventing the TMM outage.


389328-4 : RSA SecurID node secret is not synced to the standby node

Component: Access Policy Manager

Symptoms:
When RSA SecurID node secret files are created on the active node, the files are not synced to the standby node. As a result, users will not be able to log on after a switchover.

Conditions:
RSA node secret files are created on the active node after the first successful authentication.

Impact:
Service will be inaccessible after switchover.

Workaround:
1. Copy the node secret files /config/aaa/ace/Common/<rsa_securid_aaa_server>/sdstatus.12 and /config/aaa/ace/Common/<rsa_securid_aaa_server>/securid from the active node to the same directory on the standby node.
2. Wait for at least 30 seconds.
3. Execute the command "tmsh save sys config" to commit the changes to disk.

Fix:
The SecurID node secret file monitoring algorithm was updated so that a new node secret file can be detected. Also, aced now authenticates with mcpd so that any node secret file object changes will be accepted by the mcpd.


385274-2 : Policy flow's nexthop not always updated when route pool member status changes

Component: TMOS

Symptoms:
Policy flow's nexthop is not always updated when route pool member status changes.

Conditions:
This issue shows when an IPsec flow is routed via a gateway pool. When a monitored gateway pool member is detected to be down, a different member is selected as the gateway. The policy flow's nexthop is not always updated to reflect the member switch.

Impact:
IPsec traffic continues to use the down pool member.

Workaround:
None.

Fix:
Policy flow's nexthop is now correctly updated when route pool member status changes.


384072-2 : Authorization requests not being cached when allowed.

Component: WebAccelerator

Symptoms:
Requests containing Authorization headers are not cached under any circumstance, which does not comply with RFC 2616 section 14.8.

Conditions:
-- Requests containing Authorization headers. -- OWS returning responses with either cache-control:public, must-revalidate or s-maxage.

Impact:
Objects that should be cached but are requested with Authorization headers do not benefit from caching.

Workaround:
None.

Fix:
Authorization header handling now complies with RFC 2616 section 14.8, based on the OWS response headers.


376120 : tmrouted restart after reconfiguration of previously deleted route domain

Component: TMOS

Symptoms:
When a non-default route domain is configured for dynamic routing, then subsequently deleted and re-added, tmrouted might restart.

Conditions:
Non-default route domains in use.

Impact:
Dynamic routing for all route domains is interrupted.

Workaround:

Fix:
tmrouted no longer restarts when reconfiguring a previously deleted route domain.


375246-7 : Clarification of pool member session enabling versus pool member monitor enabling

Component: TMOS

Symptoms:
Previous documentation of LocalLB::Pool::set_member_monitor_state and set_member_session_enabled_state led to some confusion for those using the API.

Conditions:
Reading the documentation.

Impact:
Confusion in the expected behavior for both functions.

Workaround:
Experimentation with the SOAP API and observation of BIG-IP behavior.

Fix:
When set_member_session_enabled_state sets a pool member to disabled, then current connections will be maintained, but no more connections will be allowed. When set_member_monitor_state sets a pool member to disabled, then all connections will be killed immediately and no more connections will be allowed.


374339-9 : HTTP::respond/redirect might crash TMM under low-memory conditions

Component: Local Traffic Manager

Symptoms:
HTTP::respond/redirect might crash TMM under low-memory conditions.

Conditions:
Under low-memory conditions, if a new HTTP connection triggers an HTTP::respond/redirect event.

Impact:
TMM might crash.

Workaround:
Reduce memory usage.

Fix:
HTTP::respond/redirect no longer crashes TMM under low-memory conditions.


367759-5 : VLAN tagged vs. untagged configuration change applied only after tmm restart

Component: TMOS

Symptoms:
Reconfiguring a VLAN from being "tagged" on a particular interface to "untagged" (or vice-versa) does not have an immediate effect, and instead, will only take effect after the TMM is restarted.

Conditions:
BIG-IP Virtual Edition (VE), connected to an upstream network that expects a tagged (or alternately, untagged) VLAN.

Impact:
Traffic does not pass after this change, until TMM is restarted.

Workaround:
Restart TMM, or delete and recreate the VLAN with appropriate tagged/untagged configuration.

Fix:
On BIG-IP VE, modifying an interface's VLAN configuration from tagged to untagged, or untagged to tagged, can result in unavailability of traffic on that interface. Restarting the tmm with "bigstart restart tmm" will correct this condition, as will deleting and recreating the VLAN with desired tagging attributes.


359774-4 : Pools in HA groups other than Common

Component: TMOS

Symptoms:
In v11.x, pools used in an HA group must be in Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.x fails.

Conditions:
HA group pools in administrative partitions other than Common.

Impact:
Upgrade fails.

Workaround:
None, except ensuring that all pools used in HA groups exist in the Common administrative partition.

Fix:
Upgrade script has been updated to append the full partition path names to pools in ha-groups when upgrading from 10.x to 11.x and ha-groups are defined. If the same pool name is used in multiple partitions, the pool in /Common will be used first. If the name exists in multiple partitions other than /Common, the first match is used, and a warning will be logged by the upgrade script.


357536-4 : HTTP iRule commands in an early server response will now work

Component: Local Traffic Manager

Symptoms:
HTTP iRule commands executed in an HTTP_RESPONSE event caused by an early server response did not work correctly.

Conditions:
A server responds before the full request has egressed from the BIG-IP system. This typically happens when a server returns an error in response to a POST request that expects a 100 Continue. HTTP iRule commands executing within the HTTP_RESPONSE event generated by the early response did not work correctly.

Impact:
HTTP iRule commands did not work correctly. This may cause flows to be aborted.

Workaround:
It may be possible to work around the issue by using TCP commands instead of HTTP commands, depending on the goal of the iRule.

Fix:
HTTP::respond, HTTP::close and HTTP::disable now will work within an early server response. HTTP::collect and HTTP::retry still are non-functional.


353623-2 : global_stat, avg max_conns does not report correct value.

Component: Local Traffic Manager

Symptoms:
In SNMP, the average MaxConns in sysGlobalStat always reports 0: F5-BIGIP-SYSTEM-MIB::sysStat{Client,Server}MaxConns{5s,1m,5m}.0

Conditions:
Using SNMP.

Impact:
Average MaxConns in sysGlobalStat always reports 0: F5-BIGIP-SYSTEM-MIB::sysStat{Client,Server}MaxConns{5s,1m,5m}.0

Workaround:
There is no workaround for this issue.

Fix:
global_stat, avg max_conns now reports the correct value.


353556-3 : big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed

Component: Global Traffic Manager

Symptoms:
big3d keeps an SSL session cache for HTTPS monitors to improve performance. When the web server changes the SSL protocol, big3d fails to connect to the web server because it continues to use the cached SSL session.

Conditions:
Modify SSL protocol at the server side and restart the web server.

Impact:
Big3d is unable to correctly monitor the https web server.

Workaround:
Restart big3d.

Fix:
When big3d fails to connect to the HTTPS web server, it now clears the session entry from the session cache and initiates a new SSL negotiation.


353101-2 : The BIG-IP system marks pool members down when database server returns NULL

Component: Local Traffic Manager

Symptoms:
The BIG-IP system marks pool members down when the database server returns NULL.

Conditions:
If you configure any SQL monitor (MySQL, MSSQL, or Oracle) with a Receive String and a Send String, and the SQL server returns NULL after processing the Send String, the SQL monitor fails to process the NULL response.

Impact:
As a result, the BIG-IP system marks the pool member down after the configured Timeout elapses. In addition, if there is another instance of the same SQL monitor assigned to a different pool member, the other pool member will be incorrectly marked down after the configured Timeout elapses, even though it returns a response that matches the Receive String.

Workaround:
The workaround is to substitute the probable NULL receive strings by <substitute-value> strings using constructs such as: ifnull(<column-name>, <substitute-value>).

Fix:
The system now handles the NULL, and SQL monitors do not hang. No workaround is necessary.


342013-4 : TCP filter doesn't send keepalives in FIN_WAIT_2

Component: Local Traffic Manager

Symptoms:
The TCP filter does not send keepalives in FIN_WAIT_2 (half-close state). This may result in connections remaining open when they should be closed.

Conditions:
The BIG-IP system stops sending keepalives once the connection enters the half-close state, while the server continues to send keepalives. Connections are therefore kept open indefinitely if the client disappears, a firewall drops its flow entry, or similar; they are never swept because the server keepalives reset the idle timeout. In one customer case, connections stayed open for over 90 days without passing data.

Impact:
Idle connections may remain open indefinitely.

Workaround:

Fix:
This is fixed by sending keepalives even in the half-close state; idle connections intentionally left open are still allowed, and clients that have disappeared are detected.


337178-6 : EdgeClient doesn't fallback from DTLS to TLS when http-proxy is used

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client cannot establish Network Access.

Conditions:
DTLS is configured in Network Access, and an HTTPS proxy is configured on the client machine.

Impact:
The user cannot establish Network Access at all.

Workaround:

Fix:
BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used. After some delay, the client automatically switches (falls back) to Network Access over TLS connection through HTTPS proxy.


226892-14 : Packet filter enabled, default action discard/reject and IP fragment drop

Component: Local Traffic Manager

Symptoms:
With packet filter enabled with a default action of discard/reject, you might encounter the following symptoms: -- Packet captures show that the BIG-IP system is receiving return traffic for one or more connections, but failing to forward those packets. -- Some connections may fail. DNS traffic, or traffic with IP fragments, are more likely to fail due to how TMM handles connections. -- If logging is enabled for the affected packet filter rule, many entries similar to the following example are logged to the /var/log/pktfilter file: 'local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56687): reject on external, len: 98 [IPv4 84 192.168.1.1 -- 192.168.1.2 ICMP 0:0]'

Conditions:
After configuring packet filters, you may notice that the BIG-IP system is incorrectly dropping the return packets of certain connections. This issue occurs when all of the following conditions are met: -- The BIG-IP platform and software version support Clustered Microprocessing (CMP). -- CMP is enabled globally. -- CMP is enabled for the specific traffic-handling object. -- Packet filtering is enabled with the Filter established connections option disabled (this is the default setting).

Impact:
The BIG-IP system incorrectly drops return packets, which may cause your applications to fail or work intermittently.

Workaround:
To work around this issue, you can either define additional packet filter rules that explicitly allow return traffic, or disable CMP for the affected traffic-handling object. If the object does not allow CMP to be disabled (for example, a SNAT), you can first replace it with a virtual server. For more information, see SOL12831: Using packet filters in conjunction with CMP may cause intermittent drops on return traffic, available at http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12831.html.

Fix:
Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.


226043-2 : Add support for multiple addresses for audit-forwarder.

Component: TMOS

Symptoms:
The BIG-IP system supports only one destination address for audit-forwarder.

Conditions:
Audit forwarder.

Impact:
Cannot use multiple destinations for audit forwarder.

Workaround:
None.

Fix:
This release adds support for multiple destination addresses for audit-forwarder. There is one new db variable added for audit_forwarder: 'config.auditing.forward.multiple'. There are three options: 'broadcast', 'failover' and 'none'. The default is 'none'. When set to 'none', the behavior is the same as in previous releases. When db variable 'config.auditing.forward.multiple' is set to 'broadcast' or 'failover', db variable 'config.auditing.forward.destination' can be set to multiple IP addresses, separated by commas ( , ), such as '192.0.2.1,198.51.100.53,www.example.com'. This provides more than one destination IP address to the BIG-IP system audit_forwarder. Note that a single IP address works as well. When 'config.auditing.forward.multiple' is set to 'broadcast', the audit message is sent to all destinations. When it is set to 'failover', audit_forwarder sends the message to the first destination. If that fails, audit_forwarder tries the next destination until it finds a successful destination, or fails all destinations. Note that 'failover' mode is not supported for RADIUS servers, since RADIUS is UDP and there is no notion of failing to connect. For RADIUS servers, if 'config.auditing.forward.multiple' is set to 'failover', audit_forwarder treats it as 'none'. When there is a failure to send the audit message, the system logs errors in '/var/log/ltm'.


225443-2 : gtmparse fails to load if you add unsupported SIP monitor parameters to the config

Component: Global Traffic Manager

Symptoms:
Customers could, either manually or via tmsh, add unsupported properties to a GTM SIP monitor. Examples of properties that are supported by the LTM SIP monitor but not by the GTM SIP monitor are "headers" and "filter neg". If these are added to a GTM SIP monitor definition in wideip.conf, gtmparse fails to load the configuration.

Conditions:
Unsupported GTM SIP monitor properties such as "headers" and "filter neg" are added, either manually or via tmsh, to wideip.conf, and then the customer runs gtmparse to load the config and/or the config is GTM-synced to another box and fails to load there.

Impact:
Gtmparse will fail to load the configuration.

Workaround:
None.

Fix:
gtmparse now successfully loads a configuration that contains GTM SIP monitors with the following properties: "headers" and "filter neg". Note that if a single box in a GTM sync group is upgraded to this hotfix version and the "headers" or "filter neg" GTM SIP monitor options are used, all of the boxes in the sync group must be upgraded to this version as well for the config to sync successfully between boxes in the sync group.




Cumulative fixes from BIG-IP v11.4.1 Hotfix 8 that are included in this release


TMOS Fixes

ID Number Description
492809-3 An issue has been fixed that resulted in a small, periodic mcpd memory leak associated with APM stats.
503237-4 CVE-2015-0235: glibc vulnerability known as Ghost.
499212 The operating system now works correctly after a soft reboot, taking into account the unfixed Intel TSC errata.


Cumulative fixes from BIG-IP v11.4.1 Hotfix 7 that are included in this release


TMOS Fixes

ID Number Description
490577-3 An issue has been corrected which could result in the TMM process crashing and leaving a core during process shutdown.
492367-3 CVE-2014-8500.
492368-3 CVE-2014-8602.
497579-1 An issue has been corrected which can prevent a vCMP guest from processing SSL and compression traffic.
496829 Included build automation file.
498314 An issue has been resolved which could cause vcmpd to crash repeatedly when processing certain vCMP configurations.
498599 An issue has been resolved which caused vCMP guests to freeze shortly after startup.


Local Traffic Manager Fixes

ID Number Description

491030-3

The Nitrox crypto accelerator will no longer hang with certain SSL records.

496985

The Priority group setting is now being honored.


Access Policy Manager Fixes

ID Number Description

493993-2

In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device. TMM on the standby no longer dumps core files on startup.


Cumulative fixes from BIG-IP v11.4.1 Hotfix 6 that are included in this release


TMOS Fixes

ID Number Description

242715-1

Frames are now maintained during failover using VLANs in VLAN groups, so no frames are lost.

364880-1

This error formerly occurred when synchronizing a sync-failover device group from a Virtual Edition on a VMware host to a hardware BIG-IP platform: "01070734:3: Configuration error: vmw-compat: vlan may only have one interface". This sync operation can now be performed successfully.

365764-2

It is now possible to run a UCS load even if there are partitions still containing GTM objects.

380221-6

Improved security for authorization.

383784-3

Remote user authentication now allows blank space in user names.

404716-5

Decapsulated tunnel packets are correctly handled by packet filter.

408124-2

The fix checks for a BFD TTL value of 255 on incoming BFD Control packets, and discards BFD Control packets if the check fails.

419664-1

Performing a mibwalk of SNMP-sysIfxStat now returns expected stats.

420933-1

Resolved error with web interface when adding or removing RAID array members.

422471-3

alertd was missing requisite configuration and error map files. Those mappings are now populated and the traps should work.

425070-2

The HTML profile code was improved for security reasons.

426625-4

The system no longer returns an error when a user tries to update a Data Group of type 'string' or 'integer' that has records containing a String but not a Value.

428494-1

A loss of high level configuration data after loading bigip_base.conf has been largely corrected. Some scenarios still exist, however.

431582-2

The cpcfg utility is now working correctly, and does not post a spurious error message.

431985-4

Monitor instance is now correctly re-enabled, if it was previously user-down, on all devices after an incremental sync. In earlier versions it would only update properly on the source device of the sync.

437773-5

All LACP trunk members remain present after rebooting primary blade.

438443-2

Reduced latency in the input packets being received by the upper layers of the networking stack.

439300-1

Due to a missing permission setting, users with the Manager or App Editor role used to see a validation error while creating an AAA HTTP server. This error is fixed, and Manager or App Editor users are able to create AAA HTTP server objects.

441063-2

Adding DNS name-servers via tmsh no longer causes a momentary loss of access to tmsh.

441512-3

Sync now completes successfully, without sflow error.

442140-1

This change fixes incorrect state machine transitions during fault conditions and improves error reporting.

445911-2

tmm fast forwarded flows are no longer offloaded to ePVA, which is correct behavior.

445924-3

Changed code to allow IP multicast packets to be delivered to all blades so that OSPF failover can occur.

450089-1

Added diagnostic code to the request_group to abort when it is deleted while actively processing.

450129-8

LOP (Lights Out Processor) firmware version 2.08 for VIPRION B2100 and B2150 resolves the following issues: (ID446907) Alarm LED may be Red upon powering up VIPRION B2100 or B2150 blades; (ID439435) AOM Command Menu no longer reports failure when successfully powering up VIPRION B2100 or B2150 blades.

451621-4

We now preserve the MCP interface name mapping for VLANs when performing a configuration load operation.

453515-1

Fixed issue with firewall rule re-ordering in UI.

455311-5

vCMP guests access to the management network of the hypervisor has been restricted.

456848-4

LBH firmware v4.08 for BIG-IP 2000-/4000-series appliances resolves the following issues: ID455728: PSU status/changes reported incorrectly; ID450177: AOM controller resets when it has no IP configured; ID451493: Fan speed higher than expected; ID453493: Change fan control set points for less noise.

457166-2

An issue has been resolved which affected the ability to modify a vCMP guest's management network mode.

457330-1

When doing tcpdump from the WebUI, traffic can now be captured for VLANs with names having 16 or more characters.

457951-1

Added /etc/openldap/ldap.conf file to cs.dat.

459694-2

vCMP guests ability to interfere with the management network of the hypervisor has been restricted.

461580-3

Resolved intermittent kernel panic that causes crash using telnet with external monitor.

462045-1

This release has a longer timeout for activating the new HSB bitfile after reboot, so the HSB bitfile-quarantined issue does not occur, and you can successfully boot from 11.5.x to 11.4.x or 11.3.x.

462590-2

A compatibility issue between vCMP guest and host versions resulting in a failure to pass traffic has been corrected.

463603-3

IPv6 any address "::/0" is saved properly in configuration file.

464870-1

Fixed potential crash and removed some extraneous time stamps from logged messages.

465530-1

If the value is modified to be more than the licensed value, it is now set to the licensed value itself, instead of writing "mos".

466752-1

Monitor instance is now correctly enabled or disabled after an incremental sync.

467716-2

It is now possible to have a self IP with a name that looks like an IP address and a different actual address (example: '/Common/1.2.3.4' with an actual address of 5.6.7.8). This is not recommended because it can lead to confusion (thinking at first glance that the above object has an address of 1.2.3.4 instead of the proper value). Self IPs should have names describing what their purpose is.

468514-1

Ensures that only one sync for a given commit transaction is sent to the remote peer.

471042-3

Datastor will now reserve a given percentage of the obj table for the writing of new objects, forcing out objects to maintain this percentage. By default, if a new object cannot be created after a given period of time, datastor will log a message, then restart. Controlling how many contiguous failures before restart, the percentage of the obj table to reserve for writing, and how to restart datastor has been exposed as a new command line parameter. A change has been made to datastor to more readily allow for analyzing its core files.

471704-5

The vcmpd process is no longer vulnerable to malicious data passed from a vCMP guest.

473033-2

Datastor now uses syslog-ng.

473105-1

FastL4 connections are now handled correctly with pva-acceleration set to guaranteed, and are no longer reset.

474166-5

The ConfigSync operation completes successfully, and the sFlow error no longer occurs.

474332-2

F5 will start releasing "base installable" VM images as part of hotfix release. The VM images will consist of base RTM + installed hotfix on top of it. Such images are going to be ready for deployment without the need to apply hotfix as an additional step.

475641-3

Treadstone LBH firmware v6.09 correctly reports PSU (power supply) status after PSU removal or insertion on BIG-IP 10000-series appliances running BIG-IP versions prior to 11.5.0.

476157-13

Security patches applied to krb5 library.

477959-2

Internal structure improvements, no customer facing functionality changes have been made.

479152-3

This release includes functionality to leverage hardware parity error mitigation capabilities, which reduces the number of fatal errors.

479302-1

Removed the seldom-used internal debug table, which eliminates the periodic accesses.

480931-3

ShellShock bash vulnerability has been fixed with upstream patches for CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

481073-2

Added needed attributes to the AMI name during generation.

486758-1

Resolved an installation error in which the management port did not come up, leaving the BIG-IP inaccessible to the automation system and requiring manual intervention.

487800-6

The guest-specific configuration information blocks are now isolated from each other and the hypervisor is protected against invalid data injected by a vCMP guest.

492460-1

This error message used to occur intermittently when trying to delete a virtual server while using sFlow: "01070265:3: The Virtual Server () cannot be deleted because it is in use by a sflow http data source ()". This no longer occurs.

447063

General Database error no longer occurs when attempting to configure system logging via the GUI on a vCMP guest.

457747

Read in all firmware list files to ensure that firmware.dat is populated with all relevant information.

459096

Setting Allow All to Allow Default now works without error.

464024

Ensure that all pipes are closed when a TMSH command is completed.

464504

Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 10000-series appliances.

465826

Only process configuration files contained in UCS archives whose names exactly match one of the following: bigip.conf, bigip_base.conf, bigip_user.conf, bigip_gtm.conf.

485012

CVE-2014-3566: A new command has been added to TMSH that allows the administrator to configure the SSL protocol version that is supported on the management interface. Use this command to enable or disable support for specific protocol versions. For example, the following command will disable SSL protocol versions 2 and 3, leaving TLS versions 1, 1.1 and 1.2 enabled: tmsh modify sys httpd { ssl-protocol "all -SSLv2 -SSLv3" }

485833

Ensure all user directory file descriptors are closed.

486712

Improved the statistics for updating the number of PVA connections when using fastL4.

486721

Improved build process.

493275

Improved F5 automated testing.

493885

F5 improvements for automated testing to improve quality of releases.


Local Traffic Manager Fixes

ID Number Description

348194-2

Allow configuration of the FIN_WAIT2 timeout.

359978-4

Dashboard now presents throughput stats via the same calculation as used by other tools.

384111-8

The iRule 'nexthop' command now updates only 'nexthop' for the connection, and no longer overwrites the selected remote node's address.

384451-2

Improved memory management when there are duplicated keys or certs.

402510-1

Pool members are properly counted when using TCP connection queueing and OneConnect together.

411101-3

Resolved an issue found in F5 testing for ability to tcpdump mgmt_bp_* and loopback. Also added vm_tap_* for guests.

413354-4

Some excessively quick port reuse conditions are now fixed. This results in the BIG-IP system now being able to pass FTP traffic.

415991-2

Active FTP works when there is no route back to the client.

416250-2

Added a timeout to cancel incomplete SSL handshakes and retry.

419730-3

A defect in the handling of FTP traffic that led to TMM panics has been corrected.

419969-3

The BIG-IP system no longer uses different source IP addresses for the Passive FTP data and control connections for virtual servers with an FTP profile and SNAT pool configured. Specific members of a SNAT pool can also now be selected in an iRule.

420789-2

The standby system no longer crashes in a configuration containing a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.

421145-2

Systems with many hundreds of active server-side flows on the affected thread no longer result in port exhaustion.

421964-4

The BIG-IP system now correctly aggregates an LACP-enabled link.

422087-2

Tmm no longer crashes in certain low memory conditions with Ram Cache enabled.

422808-4

A connection to a down port-specific virtual server is no longer answered by the next less specific port.

422897-2

FTP now works when port translation is needed.

424931-2

Creation of a large file, such as a UCS archive, is now handled correctly, and the csyncd process no longer causes high CPU utilization.

425182-2

Improvements have been made to the way the system handles memory pressure, so the system does not slow down or become unstable.

425525-3

The system now correctly performs a slow-start when serving from cache, which results in correct buffering and traffic handling.

426569-2

This version provides handling for session callbacks and timer events such that the tmm core and crash no longer occur.

427736-1

Occasional possibility of a TMM crash during sFlow sampling of HTTP traffic no longer occurs.

427832-2

The timestamp for the bounded lifetime of the syncookie tables of secrets is now maintained correctly. As a result, software syncookies are resolved consistently.

428864-3

Lowering the virtual server connection limit now works, even when traffic is already being processed.

429124-2

This release adds support for accelerating connections that do not always use autolasthop but instead use a lasthop pool with a single member. The process now allows accelerating traffic from vlangroup members as long as those members are vlans.

429429-3

Disabling plugins programmatically is now supported, and TMM memory use does not increase with traffic that would otherwise involve those plugins.

430552-1

Added handling to protect against attributing a CMP message to the wrong flow.

431141-2

This release fixes a race window, occurring after a failover operation, that resulted in dropped connections on the new active unit.

432492-5

The BIG-IP system transmits IPv6 BFD for single-hop sessions with a hop limit value of 255.

432939-4

A memory leak in the SASP monitor has been corrected.

433375-2

TMM no longer crashes when virtual has an Analytics profile and Citrix or View broker responds with 'HTTP 100 Continue'.

434515-2

The system no longer returns a truncated response when both ASM Policy and DOS Profile are assigned to the virtual server.

435407-3

SSL persistence no longer corrupts application data.

435959-2

The system now correctly handles packets output on members of vlangroups where the packets are cached replies for the same vlan on which the request arrived.

436772-1

Enable listeners to be marked as "no bind". This allows the cloned, disabled SPDY listeners to avoid a BIND failure that resulted in cores due to the SPDY chain being used in an invalid state.

437875-1

This spurious error message may previously have been displayed when the local user database feature is configured: "01071704:3: Not running command (/usr/libexec/localdb_mysql_restore.sh) because the request came from an untrusted connection". This error message has always been harmless, but it is no longer displayed.

439013-2

Validation now allows IPv6 link-local address with %vlan notation.

439048-2

TCP connections no longer stall when tcpdump is started on the BIG-IP system and tcp segmentation offload is enabled.

439653-1

Long-lived connections consistently use policy settings from the beginning of the connection, and for the lifetime of that connection, regardless of any virtual server and policy configuration changes that occur in the interim.

441636-2

Local traffic policy http-reply redirect no longer leaks "tcl (variable)" memory.

442931-1

Loading external data groups no longer leaks page memory.

447390-5

Loose-close no longer causes issues with traffic on FastL4 virtual servers.

447424-1

Resumed SSL server-side sessions are now correctly using hardware encryption when it is applicable, instead of always defaulting to software.

449920-1

A memory leak using compression on BIG-IP 2000-series and 4000-series appliances was resolved.

450031-5

Log messages are no longer observed when tm.rejectunmatched is set to false.

450087-1

Unacknowledged TCP segments are re-transmitted upon re-opening of window.

450804-4

Improved TLS finish messages.

451218-5

CVE-2014-8730: Corrected Nitrox TLS padding.

451319-2

The system now honors Content-Length header when server responds with 4xx response with body for CONNECT request.

451889-1

Made changes to once again allow the attr_type to be optional for all forms of RADIUS::avp.

452232-2

iRule no longer uses stale qname.

452454-1

A RST packet is now forwarded for an IP forwarding virtual server with a FastL4 profile that has loose initialization configured and an idle timeout that is less than the server idle timeout.

453171-1

The system now correctly handles a large number of cookies when using Access Policy Manager (APM).

454463-3

A memory leak when executing a suspended DNS iRule many times has been fixed.

454465-8

CVE-2014-8730: Corrected TMM TLS padding.

454954-3

Packets dropped using DIAMETER::drop within DIAMETER_INGRESS event will no longer be retransmitted.

455553-3

The entire send queue is no longer retransmitted multiple times when the MSS size is improperly large.

456753-2

TMM may no longer restart on Virtual Edition systems when receiving an incoming packet on a tagged VLAN that needs to be forwarded to a different TMM (e.g. a CMP-demoted virtual server).

456859-2

Interface to hardware compression has improved allocation strategy.

457109-1

A range check has now been added to correctly classify and forward traffic in the case of incorrect rules in CPM policies.

457934-1

SSL Persistence Profile now operates correctly, and does not cause high CPU usage.

458597-2

A memory leak when transferring a zone to zxfrd has been fixed.

460197-2

active_requests is updated when a flow using hardware acceleration is reset.

460868-2

TMM no longer crashes if network HSM is improperly configured.

460945-2

Memory no longer leaks when changing a policy that is in use by a virtual server.

462649-1

TMM no longer crashes under heavy load.

465866-4

The current tag file only indexes the sources for tmm. This makes it difficult when debugging customer issues that reference code within libraries, primarily tmjail (xbuf/xfrags) and tmm_tcl. The fix is simple: index the commonly used libraries along with tmm.

469139-1

Modified the virtual server stats detail page to display values for max PVA assist, current PVA assist and total PVA assist from the virtual server stats table and the pva struct.

471644-1

'Total' is removed from the Throughput(bits) and Throughput(pkts) charts (both in the GUI and in tmsh).

472148-5

The Nitrox driver was updated to properly handle highly fragmented SSL records.

479682-1

TMM no longer generates hundreds of ICMP packets when the server on the second virtual server in a VIP2VIP configuration becomes unreachable.

480686-2

Internal vlangroup loop no longer occurs when the Translucent/Transparent vlangroup setting exists with a duplicate IP address.

485188-4

When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.

486066-1

TMM no longer cores.

448535

gtmd will no longer crash if you trigger a GTM iRule from a BIG-IP that is not licensed for GTM.

449903

Resolved an intermittent timing issue under heavy DNS cache traffic that could cause a crash.

454636

The logging destination IP address only matches virtual servers, so no HSL logging is lost.

455376

Parked Diameter response messages are no longer dropped, nor are the requests retransmitted.

458564

Fragment the packet sent to the cloned pool if it is marked for TSO and the clone flow doesn't support TSO.

458957

TMM no longer leaks memory on repeated plugin client initialization messages.

461350

Fixed an issue where standby box memory kept growing when connection mirroring and retransmission were turned on.

464651

Resolved a failure when the customer installs another self-signed certificate with same subject/issuer before a self-signed certificate expires.

468819

The documentation for "Receive Disable String" has been updated to reflect when a response matches both the "Receive String" and "Receive Disable String".

471798

The TMM crash is fixed.

474364

DHCPv6 RFC 3633 requests can now go through a BIG-IP dhcp-relay virtual server when the source IP is IPv6.

475231

Connection remains open after dispatching CLIENTSSL_CLIENTCERT iRule event, which prevents accessing invalid memory.

476564

The system now sends RST in guaranteed mode for an ePVA flow when the packet is received in software.

476567

The system now updates accelerated status after the flow has been successfully inserted into the ePVA, so the correct state is reported.


Global Traffic Manager Fixes

ID Number Description

432541-1

1. GTM topology longest match sorting now correctly orders negated records below non-negated topology records and places wildcard records at the end of the list.
2. GTM topology records of the same types are correctly sorted in descending order.

451985-3

We delay sending the configuration timestamp until the end transaction message has been received. This fixes the problem with sync becoming disabled.

473139-1

GTM IMAP monitor now marks a working IMAP server up.

473577-1

GTMd now receives updated information about changes to WideIP Alias/topology configuration items.

487808-1

Link cost and inbound link path load balancing software support has reached EOL. (See Solution 15834)


Application Security Manager Fixes

ID Number Description

418396-2

You can now have the risk and accuracy of each signature logged in the remote logger appended to the signature names. To do this, from the command line, set the new internal configuration boolean variable "remote_logger_include_sig_risk_accuracy" to 1 (enabled). Its default value is 0 (disabled).

428010-4

The remote logger message now contains an attack signature's risk and accuracy after you perform the following: configure a remote logger including the "sig_names" field, add the "remote_logger_include_sig_risk_accuracy" flag from the command line (/usr/share/ts/bin/add_del_internal add remote_logger_include_sig_risk_accuracy 1), restart ASM, and send a request to trigger the Attack Signature violation.

430073-2

We shortened the amount of time it takes for the system to load the Parameters screen. We also added on the Parameter Properties screen a text box that enables you to filter attack signatures, found in the Global Security Policy Settings list, either by name or ID.

433407-6

Allow Base64 Import/Export of Policies and Signature files.

434461-2

Improved the system's integration with IBM Guardium.

435520-2

We fixed an issue that sometimes stopped you from deleting an ASM security policy that was created using a template after you rolled forward the policy's configuration from a previous version.

435531-2

Policy Builder now correctly learns long URLs that are greater than 24 bytes.

436924-2

We added the internal parameter "dont_norm_high_ascii". If the value is set to 0 (the default value), the system removes high ASCII bytes as part of the normalization process. If the value is set to 1, the system leaves high ASCII bytes in place and does not remove them. Consider setting this parameter to 1 if your web application uses a non-English encoding in which high ASCII bytes are legal. Removing these bytes may lead to false positive detection of attack signatures when the remaining bytes exactly compose an attack signature.
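An added illustration of the false positive described here, written for this page and not taken from ASM's code: the signature, the handling of the parameter, and the sample values are constructed and deliberately simplified.

```python
"""Model of the "dont_norm_high_ascii" behaviour described above.

Added illustration only: ASM's real normalization and signature engine are far
more elaborate. The signature and the sample values below are constructed.
"""
import re
from typing import Dict

# Constructed stand-in for an attack signature (real ASM signatures differ).
# \s* deliberately allows zero whitespace, so the ASCII residue "droptable"
# still composes the signature once a non-ASCII separator has been removed.
SIGNATURE = re.compile(rb"\bdrop\s*table\b", re.IGNORECASE)


def normalize(raw: bytes, dont_norm_high_ascii: int = 0) -> bytes:
    """Model of the normalization step.

    dont_norm_high_ascii = 0 (default): bytes >= 0x80 are dropped before matching.
    dont_norm_high_ascii = 1: high ASCII bytes are left in place.
    """
    if dont_norm_high_ascii not in (0, 1):
        raise ValueError("dont_norm_high_ascii must be 0 or 1")
    if dont_norm_high_ascii == 1:
        return raw
    return bytes(b for b in raw if b < 0x80)


def signature_matches(raw: bytes, dont_norm_high_ascii: int = 0) -> bool:
    """True if the (possibly normalized) value matches the constructed signature."""
    return SIGNATURE.search(normalize(raw, dont_norm_high_ascii)) is not None


def compare_settings(raw: bytes) -> Dict[str, bool]:
    """Evaluate one value under both settings so the difference is visible."""
    return {
        "default_0": signature_matches(raw, 0),
        "setting_1": signature_matches(raw, 1),
    }


# Constructed samples. In an ISO-8859-1 encoded form field a non-breaking space
# is the single high byte 0xA0; it is a legal character in that encoding, but
# with the default setting it is stripped and the ASCII residue "droptable"
# exactly composes the signature. A plain ASCII attack matches either way.
BENIGN_LATIN1 = b"drop\xa0table"        # residue after stripping: b"droptable"
PLAIN_ATTACK = b"1; drop table users"   # no high bytes, matches under both


if __name__ == "__main__":
    for label, value in (("Latin-1 value with NBSP", BENIGN_LATIN1),
                         ("plain ASCII attack", PLAIN_ATTACK)):
        print(label, compare_settings(value))
```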

438045-2

We fixed web services signature verification for inclusive namespaces.

438424-2

Asmqkview and qkview now collect the contents of all MySQL tables, including learning data stored in var/tmp/asm_tables_dump/plc_non_configsync_dump.sql.

439169-3

The XML parser correctly parses XML documents that contain Unicode characters in the code-points range [0x2100 - 0x23FF].

439758-2

We improved how the Policy Builder handles requests with multiple learning suggestions.

441075-1

Newly added or updated signatures are no longer erroneously added to Manual user-defined signature sets that were created by policy import.

441500-3

We fixed an issue where a unit occasionally fails over upon receiving updates from the IP reputation database.

447319-2

Due to the fact that our PDF generating mechanism does not support all character encodings, you now have the option of exporting Requests and Event Correlation as an HTML file, or as a PDF file.

449963-1

Due to the fact that our PDF generating mechanism does not support all character encodings, you now have the option of exporting Requests and Event Correlation as an HTML file, or as a PDF file.

455389-4

We improved how the system decides on the content profile when there is a request with multiple content-type headers.

455391-3

We improved how the system parses query strings in absolute URLs.

455837-2

The fixed item text for ID 405316 was corrected in the "Fixes introduced in version 11.4.0" section of the release notes in versions 11.4.0, 11.4.1, and 11.5.0. The text "remote_logger_reconnect_timeout (default is 5 seconds)" was changed to "remote_logging_reconnect_timeout (default is 5 seconds)", and the text "remote_logger_reconnect_max_failed_messages (default is 3 messages)" was changed to "remote_logging_reconnect_max_failed_messages (default is 1 message)".

456120-3

After you perform a configuration sync, all policy version files persist correctly on both the sender and the receiver.

466171-1

We improved how the security policy name is displayed, on the Security > Application Security > Security Policies > Active Policies screen, when there are many virtual servers assigned to that security policy.

481792-4

We fixed an issue where specific requests sometimes caused the Enforcer to crash.

469601

We fixed an issue where the Configuration utility very rarely became unresponsive when a security policy was being built using the Deployment wizard and the Automatic Policy Builder.


Application Visibility and Reporting Fixes

ID Number Description

428673-1

The View Requests link on the ASM Charts page now applies correct filters in the Requests list.

433596-1

User-defined filters based on values filtered in "Advanced Filters" on the Security > Reporting > Application > Charts screen are displayed correctly in ASM scheduled chart reports.

447693-1

We corrected an issue where some reports generated from the Configuration utility and/or from TMSH commands did not work.

462561-3

We fixed a case that caused avrd to crash when external logging of traffic capturing is used.

466922-3

Now Max TPS and Throughput are displayed properly in HTTP Analytics (if configured in Analytics profile) when drilling down from virtual server to pool members.


Access Policy Manager Fixes

ID Number Description

225651-3

The installation path for the BIG-IP Edge Client was updated to avoid collision with third-party software installations.

238350-2

The new network access setting, Use Local Proxy Settings, is introduced. When it is enabled, after the client establishes a network access connection, proxy settings configured on the client continue to be used.

238350-8

The new network access setting, Use Local Proxy Settings, is introduced. When it is enabled, after the client establishes a network access connection, proxy settings configured on the client continue to be used.

238494-4

The F5 Credential Management service now updates automatically on the BIG-IP Edge Client. To get SSO working after the update, the user should reboot the machine.

357360-3

Mac network access client now supports static host entries.

394449-1

AD and LDAP can now parse multiple entries in an LDAP response.

398134-3

APM now supports non-ASCII usernames and passwords when performing NTLM front-end authentication and NTLM back-end SSO.

398657-5

The active session count graph no longer becomes significantly large at times due to a counter underflow.

399822-3

OpenSSL #2051: [PATCH] IPv6 support for s_client, s_server and DTLS.

403660-2

Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.

407362-2

When a desktop requested by the user is not immediately available (as reported by the XML Broker), APM waits for some time and retries the launch attempt a predefined number of times.

416221-1

The Edge Client now correctly saves the virtual server list according to the BIG-IP settings.

419809-3

An error message formatting issue was fixed.

421446-3

Added a fix that allows InstallerService to update.

421796-2

SAML single logout (SLO) now succeeds when a SAML Service Provider (SP) session times out, the user logs in to the SAML SP again, and the user initiates SLO.

422396-2

You can now start a Citrix application with an ampersand in its name from an APM webtop.

423430-4

The valid host characters from the 'Host:' header, up to the first invalid character, are now used.

423751-5

A case where policy evaluation is in process and an existing client connection is disconnected is now handled correctly.

425731-4

A TCP reset is no longer sent to a client during access policy execution.

425765-2

Pools referenced by resource assignment agents can no longer be deleted.

428820-11

Clients can now access a network behind a second NIC after ending an APM VPN session.

429362-3

The Edge Client properly reconnects when network connectivity is restored. Previously, a full reconnection was done in this case and the previous session was not removed.

431512-2

APM now validates the Origin header of the WebSocket handshake and accepts connections with a correct origin only.

431860-2

The F5_VDI cookie now has the Secure flag.

431925-1

Fixed an issue where error log messages from libmemcacheapi were not logged in /var/log/apm for apd.

432012-1

Now users can successfully reconnect to View Desktop after logging off.

433227-3

F5 PCoIP proxy implementation is certified by VMware.

434162-1

Users can delete a system image on the Antivirus Check Update Package page.

436183-3

Check if critical section object was initialized before deleting it.

436616-4

CTU correctly enables logs for 64-bit services on Windows systems.

436985-1

Processing has been added to handle data movement, which eliminates the error that occurred when tmm passed TSO frames greater than or equal to 64k.

438053-2

In the local user DB, a hyphen is allowed in the first name and last name when creating a local user account.

438248-1

Fixed an issue where a user could not log in to OWA 2010 using the Firefox or Chrome browser through a Portal Access webtop.

438251-1

Now when using Outlook Web Access (OWA) 2010 from a portal access webtop, new messages are shown automatically in the mailbox and the message indicator changes accordingly depending on whether the messages are read or unread.

438278-4

The Access Profile which is associated with one or more AAA server objects can be deleted with the fix provided.

438292-6

Resolved issue of Web AppTunnel re-using wrong existing loopback for different backend server IP.

438433-1

Uploading an image without a proper message ID is now ignored.

438436-6

Security improvements resulting from F5 internal testing were made.

438530-2

Image file names are now validated and may include only these characters: a-z, A-Z, 0-9, underscore (_), hyphen (-) and period (.). The Advanced Customization GUI displays the correct error message when the name for an image is invalid.

438709-3

Users can now open the calendar widget in SharePoint 2007 while using Internet Explorer browsers with portal access.

439280-6

When installing VPN driver on Windows 8.1 with partially uninstalled VPN driver, BSOD no longer occurs.

440519-2

Character encoding conversion was fixed in the Peer-to-Peer check.

441210-3

The tmm process provides more robust handling for PCoIP traffic.

441659-2

Fixed the user-mode installer service: it no longer requires admin rights for limited users.

441830-9

Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.

442038-1

The BIG-IP APM Antivirus endpoint security check now detects the Symantec antivirus version 12.1.4013 on Mac OS X 10.9.

442333-4

Cluster HA state is now updated correctly, so that access policy execution is completed.

442393-2

APM will now attempt to terminate Citrix session when user logs out of APM Webtop.

442656-3

Fixed a race condition in which multiple establishments/teardowns of PPP tunnels led to loss of availability of leasepool addresses.

442698-2

apd is now more robust and handles exceptions in the AD module properly.

446465-1

Fixed an issue that caused vdi to crash when the View standalone client communicated a changed destination for the View Connection Server.

447013-1

Browser detection JavaScript was improved to support Internet Explorer 11.

449141-2

Notifications to the user when the BIG-IP Edge Client must reboot to complete updates have been improved.

449225-2

Windows, Mac and Linux clients were updated to prevent a crash when establishing a VPN connection in certain conditions.

450033-3

Windows View client 2.3 can now consistently launch desktops via APM.

451387-1

Support of button-less logon pages is added to BIG-IP Edge Client.

451777-5

If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message displays now.

451864-2

Always preserve locally configured DNS suffixes when establishing VPN connection.

452753-1

EdgeClient now cleans up cookies for all intermediate hosts visited during connect.

453164-4

Routes are restored after disconnecting from the Network Access connection.

453455-1

SAML Single Logout is now supported on the BIG-IP Edge Client.

453455-3

SAML Single Logout is now supported on the BIG-IP Edge Client.

453514-3

A problem in memcached causing intermittent failures was fixed.

454307-1

Resolved an error where the Machine Cert Auth agent crashed on Russian-language systems if the agent was configured with the 'Match Issuer' check.

454322-1

When the Allow Local DNS Servers option is enabled, DNS servers from interfaces that are down are no longer added to the VPN exclusion list.

454547-3

Forms - Client Initiated SSO authentication handles decryption failure correctly.

454899-3

A guest user now receives an access denied response when using an admin user's token to request creation, deletion, or modification of a local DB user.

455039-3

Citrix HTML5 Receiver v1.3, available with StoreFront 2.5, can now be hosted in the APM Sandbox and launched from the APM Full Webtop.

455113-2

ACCESS::session data get has been extended to return configuration variables: ACCESS::session data get [-sid ] [-secure] [-config] [-ssid ]

455426-2

A user with an apostrophe in the name can now log in with Citrix Receiver successfully.

455892-3

APM now supports AGEE SSO to new Citrix StoreFront 2.5 backends.

456098-5

Removed the logic for a specific internal requestID in XUI.

456714-2

Fixed cases where the Assertion does not contain a SessionIndex and SLO is configured.

457623-1

Endpoint Security Integration SDK Updates.

457865-1

Fixed a rare issue where VDI plugin thread constantly resets incoming connections.

457925-3

When BIG-IP is a SAML SP, IdP-initiated authentication now works on the first attempt.

458211-2

The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095.

458447-2

An issue in Network Access where customers would see "IPv4 Addr collision" in the logs has been fixed.

458784-1

Endpoint Security Integration SDK Updates.

459577-1

Endpoint Security Integration SDK Updates.

459780-1

Added [APM] Network Access option: "Do not enforce IP scopes in Proxy-Auto-Configuration".

459870-1

BIG-IP Edge Client in Always Connected mode now properly processes cancellation of captive portal detection.

459953-1

When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged.

460062-2

Access policy export works correctly even when a resource with a long name has been assigned in the policy.

460272-1

Additional logging included for troubleshooting captive portal detection.

460645-1

Users can now close logon window in "Locked Client" mode.

460715-1

Fixed use of the F5 captive portal probe URL in BIG-IP Edge Client for Windows instead of the default Microsoft captive portal detection URL.

460762-1

Citrix apps consistently start from APM Webtop when using Kerberos SSO to XML Broker.

460798-1

Endpoint Security Integration SDK Updates.

460798-2

Endpoint Security Integration SDK Updates.

460939-3

Additional exception processing (for ObAccessException from the SDK) was added to the EAM module. The module now handles this exception by displaying an error.

460958-3

The built-in PAC file server could not start after connecting/disconnecting the Edge Client multiple times. This is now fixed.

461087-2

Fixed an [APM] crash in ActiveXDialer when the proxy address is missing.

461624-3

A problem with APD in chassis that resulted in the portal access connection terminating has been fixed.

461990-1

Endpoint Security Integration SDK Updates.

461990-2

Endpoint Security Integration SDK Updates.

462143-1

The main Edge Client UI is now shown when the user clicks the Connect, Disconnect, or Auto-Connect button in the system tray.

463280-1

Endpoint Security Integration SDK Updates.

463280-2

Endpoint Security Integration SDK Updates.

464561-1

Endpoint Security Integration SDK Updates.

464561-2

Endpoint Security Integration SDK Updates.

465408-1

Endpoint Security Integration SDK Updates.

465408-2

Endpoint Security Integration SDK Updates.

466273-1

On Mac and Linux clients, recurrent checks do not end the user session when the access policy allows access on the fallback branch.

466317-10

The following OpenSSL vulnerabilities have been addressed in APM clients: CVE-2014-0221, CVE-2014-0224, CVE-2014-0195, CVE-2014-3470

466317-13

The following OpenSSL vulnerabilities have been addressed in APM clients: CVE-2014-0221, CVE-2014-0224, CVE-2014-0195, CVE-2014-3470

466325-3

Continuous policy checks no longer kill the session if a configuration item that is configured to be ignored changes on the client side.

466488-1

Under high load conditions, when the HTTP auth agent is configured in the access policy, the access policy daemon (APD) now continues to respond.

466617-4

Routes for Exclude Address Space are now correctly removed when the NA connection is terminated if the client was switched to another network.

466877-3

An issue with signature validation is fixed.

467597-3

InspectionHost plugin will now be installed to the "current user" profile (as opposed to all users) and therefore will no longer prompt for administrative password.

467605-1

Endpoint Security Integration SDK Updates.

467605-2

Endpoint Security Integration SDK Updates.

467849-4

Split tunnel is improved when connecting to a FirePass with an APM build of the Edge Client.

468611-1

Endpoint Security Integration SDK Updates.

468611-2

Endpoint Security Integration SDK Updates.

468988-1

Endpoint Security Integration SDK Updates.

468988-2

Endpoint Security Integration SDK Updates.

469112-1

Endpoint Security Integration SDK Updates.

469112-2

Endpoint Security Integration SDK Updates.

469754-3

Users deleted from the local user database are now prohibited from logging on using invalid credentials.

469805-1

Endpoint Security Integration SDK Updates.

469805-2

Endpoint Security Integration SDK Updates.

469960-4

In this fix we implemented a throttling mechanism so that when the number of fds in the queue reaches a certain threshold, apd stops accepting new requests until the number of fds in the queue decreases to a defined level. We introduced three db-variables: one to enable/disable throttling, one to define a high water mark beyond which release of any connection handle will be stopped, and a low water mark to allow further connections from tmm.

470225-1

The Machine Certificate checker now works correctly in Internet Explorer 11.

471014-10

OpenSSL improvements.

471113-1

APM in replacement mode works correctly with Windows Citrix Receiver.

471893-1

A problem in which the BIG-IP system, when configured as a SAML IdP, might reboot tmm when executing the SLO protocol in certain conditions has been fixed.

472040-3

TMM with BZ 455113 no longer crashes when using the ACCESS::session iRule command.

472825-1

The Dashboard no longer displays a dip in the active session count when the primary blade comes back from a reboot.

473129-1

Fixed access_log to keep logging even after log rotation.

473377-2

Fixed to accept the NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

474058-1

Prevented a crash: APD could restart when BIG-IP is configured as a SAML Service Provider and receives a signed assertion that contains an empty "Reference URI" in the Signature element.

474231-1

Access policy changes are now handled gracefully.

474392-3

Code signing of executables (app, plugin, and installer) has been updated to Apple's latest (v2) signature requirement.

474532-6

Proper validation was added to check that the correct messages were received on the proper URL. Logging was added for failing cases.

475650-2

Fixed an issue that caused tmm to occasionally restart when processing SLO messages.

475770-4

Improved routing table management for two or more network interfaces.

477445-5

Client modified to restore routing table state and select active interface (on a system connected to the same network segment through multiple interfaces).

477841-4

Safari 8 will now properly use the admin-defined proxy settings if available.

478285-4

An issue with routing table not being restored correctly in multi-homed environment when server settings disallow local subnet access is now fixed.

483113-4

A cosmetic issue with the server selection menu showing white background is now fixed.

483379-5

An issue with Edge Client consuming high CPU and having unresponsive menu icon is now fixed.

405851

OESIS Diagnose tools are now located on epse.iso in the ".Tools" folder. You can use the "v2test" application and OESISDiagnose.zip to report issues on APM 11.3.0 and older BIG-IP APM versions. You can use the "v3test" application and OESISDiagnose_V3.zip to report issues on APM 11.4.0 and newer.

454759

APM now reports HTTP error 500 when the View Connection Server response is not 200 OK, and writes an error log message.

457622

Endpoint Security Integration SDK Updates.

457623

Endpoint Security Integration SDK Updates.

458195

The credential management service is now auto-updatable. EdgeClient checks its version at connection start-up and updates it if required.

458783

Endpoint Security Integration SDK Updates.

458784

Endpoint Security Integration SDK Updates.

459576

Endpoint Security Integration SDK Updates.

459577

Endpoint Security Integration SDK Updates.

460798

Endpoint Security Integration SDK Updates.

461990

Endpoint Security Integration SDK Updates.

463280

Endpoint Security Integration SDK Updates.

464561

Endpoint Security Integration SDK Updates.

464648

Added support for Antispyware on Linux that causes build failure.

465408

Endpoint Security Integration SDK Updates.

467032

Endpoint Security Integration SDK Updates.

467070

Added MS Remote Access Diagnostic to the CTU report.

467605

Endpoint Security Integration SDK Updates.

468611

Endpoint Security Integration SDK Updates.

468988

Endpoint Security Integration SDK Updates.

469112

Endpoint Security Integration SDK Updates.

469805

Endpoint Security Integration SDK Updates.

486881

An issue with the mac_inspectionhost.pkg failing to install the InspectionHost plugin and creating a zero byte file under ~/Library/Internet Plug-Ins/ is now fixed.

487472

An issue with Java installer failing to install the InspectionHost plugin and creating a zero byte file under ~/Library/Internet Plug-Ins/ is fixed.

489073

Updated the v11.4.1 APM Compatibility Matrix: HTML5 Receiver for SF 2.5 & 2.6 & HF5.


Wan Optimization Manager Fixes

ID Number Description

487103

Improvements to automation for including drivers for better testing.


Service Provider Fixes

ID Number Description

421948-1

BIG-IP stops sending the ICAP request body as soon as it sees the end of the ICAP server's response. If the end of the response is in the same frame as the 200 OK (which is normally the case for a short HTTP response like a 302 redirect), no more bytes are sent beyond what was sent in the preview and the performance impact is eliminated (otherwise data might resume very briefly, with less performance impact than before).

429994-1

Data flow returning from the ICAP server to the BIG-IP is correctly flow-controlled to match the rate at which the destination server or client can consume it, and the complete data stream reaches the destination.

430091-2

An adapt profile without an internal virtual selected will be treated as if it is disabled. This is correct behavior.

438555-2

Flows returning from the ICAP server see the TCP window operating normally and do not lock up.

454348-2

BIG-IP delays closing the internal connection to the IVS after the final chunk of the ICAP response has been received, until all the payload has been transmitted to the HTTP destination.

455006-1

Invalid UDP datagrams that interfered with SIP processing are now dropped.

466281-1

A value stored in the session DB from an iRule on the parent VS can be accessed from the internal virtual server, and vice-versa.

466761-2

Fixed an error that could cause dropped invalid SIP messages to be merged into the next valid SIP message.

472092-1

The complete request payload goes out to the ICAP server even in the presence of a long-running iRule in ICAP_REQUEST.

474069-1

If the IVS connection is closed while ICAP is processing an iRule that completes asynchronously, and an abort occurs on resumption of processing the ICAP response, the close is not processed after the abort, and no crash occurs.

482436-2

Improved the security of handling invalid SIP messages.


Advanced Firewall Manager Fixes

ID Number Description

426447-1

On systems where PSM is provisioned and ASM is not provisioned, running asmqkview no longer causes a "dosl7d_mem_dump" core dump. This crash never affected PSM traffic, or the qkview itself.

435813-1

Fixed issue related to setting iRule actions in firewall rules.

436895-4

Previously, if a virtual server with a DoS profile with Application Security enabled was not created in /Common, the configuration could not be saved or loaded, and upgrades from version 11.4.0 with such a virtual server could not be completed. This issue has been fixed.

459719-2

Pccd BF hash table changes to reduce the pccd BLOB size.

459758-2

Restart pccd to avoid blob-size growth (pccd always starts from scratch).

464916-3

Previously, in the active rules or security page, when the user was trying to view the second page of staged rules, the display showed the first page of enforced rules instead. This has been fixed.

469507-2

Previously, when the db variable pccd.alwaysfromscratch was set to true, management port context rules did not always stop processing traffic when they were removed from the configuration. This has been fixed.

472801-1

This issue is now fixed so TMM will not be restarted if AFM is provisioned and 'tmsh load sys conf default' is done.

475556-2

AVR IP collection and the DOS attack detection: Previously, if an HTTP profile has both XFF and one or more custom headers (called "Alternate headers" in the Configuration utility), the system took the last header (whether it is the actual X-Forwarded-For or the custom header) and used that as the header from which to extract the IP address. Now, the system uses the last custom header, even if it comes before the last XFF header.

462903

TMM being aborted by SOD due to a heartbeat miss (when trying to load huge firewall policies) has been fixed.

469512

TMM being aborted by SOD due to a heartbeat miss (when trying to load huge firewall policies) has been fixed.

469729

Automated the value for pccd.alwaysfromscratch to save customers from having to set it manually.

470366

Fixed the regression issue introduced by the fix for BZ 469512.


Carrier-Grade NAT Fixes

ID Number Description

425033-1

Validation will now prevent LSN pools with overlapping prefixes from being configured.

439197-1

Fixed an issue where the ePVA snoop header was constructed before the ARP entries were resolved.

448533-3

The endpoint is chosen based on the client's source port. This leads to better port selection behavior.

449896-4

Deterministic NAT (DNAT) does not pick a colliding port for the second connection, so connections complete successfully.

465871-1

dnatutil forward mapping is working correctly.

477232-2

Only the translation address persists when the persistence mode is address.

468288

Only publish DNAT state after the HSB count is updated.


Global Traffic Manager Fixes

ID Number Description

482442

State changes for wideips should be updated correctly when the "Update" button is clicked in the GUI wideip properties page.


Cumulative fixes from BIG-IP v11.4.1 Hotfix 5 that are included in this release


TMOS Fixes

ID Number Description

461646-5

Applied upstream fix to resolve telnet panic CVE-2014-0196.

481732

Addressed kernel vulnerabilities CVE-2012-4461, CVE-2012-6638, CVE-2013-0311, CVE-2013-1767, and CVE-2013-2094.


Local Traffic Manager Fixes

ID Number Description

435652-6

The timing differences in the Nitrox crypto accelerator have been eliminated: CVE-2014-4024

451340-4

Enabled faster-performing software client authentication and disabled EC certs/keys.


Cumulative fixes from BIG-IP v11.4.1 Hotfix 4 that are included in this release


TMOS Fixes

ID Number Description

396915-1

The 'run cm sniff-updates' utility no longer crashes. An error message will still be displayed when a malformed packet is sent.

416496-3

TMM and mcpd now throttle the amount of data flowing through them for 'show sys connection' commands, so the processes do not run out of memory.

425245-2

Improved potential performance issues found in F5 testing for encryption when there are many policy combinations being updated.

427791-4

During IPsec rekey between the BIG-IP system and Fortigate firewall, the interoperation issue no longer occurs.

428036-2

After BIG-IP established IPsec Tunnel with Fortigate, tmm will not core when system is in stable state (after rekey).

429105-4

Prevents restarts in rare circumstances.

429871-2

F5 improvement of the integration of the latest epsec packages.

430104-3

iControl was fixed to not report an error when called from localhost.

430197-4

Prior to this release, HDAG platforms could send traffic with the same source and destination ports to the wrong tmm. NTP traffic typically has the same source and destination port. This problem has been corrected.

430324-1

When installing a vADC instance, care should be taken to make sure that the virtual machine has no more than 8 processing units if the intent is to run AAM. The default installation of the datastor libraries and process is limited to supporting no more than 8 processing units, and if a virtual is created with more than that, the processes that use or talk to datastor will report an error and quit.

431361-7

With the AWS marketplace release of the BIG-IP 11.4.1 AMI on 1/21/14 (contains all fixes included in BIG-IP 11.4.1 HF3) and the BIG-IQ 4.2.0 AMI on 1/24/14, the AWS BIG-IP/BIG-IQ instances now start up properly.

432216-1

Improvements in firmware definitions.

439343-1

LDAP client certificate SSL authentication now sends the correct bind password to the LDAP server.

442751-2

With this fix the BIG-IP has been upgraded to the appropriate version of BIND.

448299-3

The emulated IDE storage driver has been replaced with PV (para-virtualized) SCSI storage driver. PV SCSI driver gracefully handles disk I/O timeouts and recovers from them.

448476-1

Updated media code to recognize XFP media in PB100 blades.

450058-3

Added changes from RHEL 6.4 kernel sources that prevent possible lockup conditions by yielding to other tasks waiting for swap I/O requests to complete.

450156-2

Prevent install failure by always using target installation to get kernel version information.

450684-3

Corrected an internal report used for QA/testing.

450693-3

F5 Internal: Correction to internal firmware report.

450694-3

F5 Internal: Correction to internal firmware report.

450839-3

The 11000 and 11050 platforms now boot correctly with updated hotfixes. You can check the associated hotfix notes to ensure the fix is incorporated.

451458-3

Fixed leasepool stat to return data only for the primary blade.

452066-1

 

458676-4

Corrected possible internal Rsync port exposure.

459723-1

CMI rsync daemon will always restart now when necessary.

441618

An internal issue introduced in APM hotfix v11.4.1 that affects APM hotfix v11.4.2 and APM hotfix v11.4.3 is fixed in the APM hotfix v11.4.4 and later. Command 'bigstart add' should now work as expected.

442568

A benign error message no longer appears.

445919

Issuing the command "tmsh show sys connection" when you have over one million connections no longer causes TMM or MCPD to core.

446549

During a config sync, steps were taken to ensure that mcpd objects are not deleted until after they have been fully processed.

446901

The UI now appropriately handles the value range for the Message Cache Size field.

447266

Took steps to ensure that MCP would not attempt to modify an object that has been both created and deleted in the same transaction.

451507

When entering standby due to a failover condition, the BIG-IP system no longer incorrectly responds to ARP requests.

462191

Rsync security fix is updated to work in cluster environment.


Local Traffic Manager Fixes

ID Number Description

284369-1

LTM monitor passwords are now encrypted in the configuration file.

349680-4

Corrected the port number provided in the Via header in SIP monitoring connections.

354161-1

DNS Express expires zones according to the expire value contained in the zone SOA record.

383853-1

Added synchronous event to signal end of message from RCP rule event to prevent performance degradation when traffic is returned to the wrong source port.

418889-1

A TMM crash bug has been fixed.

420941-1

A potential TMM crash in low-resource situations with persistence cookies no longer occurs.

422330-3

A flaw has been fixed that would cause tmm to crash with compression enabled under a particular corner case involving an aborted or dying flow.

423705-3

The SIP monitor will now internally retransmit a request after 0.5, 1, 2, and 4 seconds.

425333-2

Fixed an issue on ProxySSL with Stratos and VE platform during SSL renegotiation.

428066-2

IPv6 router advertisement now works in vlan group.

428642-2

TMM no longer crashes and restarts with APM provisioned and virtual's pool retry is greater than 0.

430728-4

Resolved an issue that would cause TMM to crash if a TCP iRule is suspended with an error while the peer sends a packet.

431463-1

Mirrored connections are no longer lost on standby systems after failover, and failback occurs correctly.

432723-3

External Datagroup: TMM no longer cores on rapid creation/deletion cycle.

437229-3

Integrated iRule for RSA.

437398-2

When datagram-load-balance mode is enabled on the UDP profile, the client's max udp payload size is "remembered" for the responses. If the BIG-IP system alters the response (e.g., DNSSEC signing) and increases its size beyond the max, before sending the response to the client, the response will be properly truncated (per the RFC).

437906-1

WebSockets and the HTTP CONNECT method now work with OneConnect.

438670-1

Use of invalid memory may result in packet loss.

439208-3

HTTP protocol security can be successfully enforced if it is enabled on the VPN access profile.

439431-3

Flows with asynchronous iRule commands in CLOSED events will be cleaned up normally, and will not match any new requests.

440786-1

When a bad configuration occurs in a virtual server, tmm no longer crashes; instead, such a virtual server will not be responsive.

440877-1

Stateless virtual server now properly processes fragmented packets in this case.

441048-2

The DNS Express Zone Resource Record counts now display accurate numbers when an AXFR answer is returned for an IXFR query.

442020-1

Router information is now preserved correctly by proxy ARP/NDP code for VLAN groups.

442034-2

SSL persistence allows clientside to complete before closing.

442391-3

Duplicate address detection and unsolicited neighbor advertisement now work as expected.

442408-1

The traffic component no longer attempts to handle data after the connection has been aborted by another process or an external agent. This prevents a crash.

442584-2

Making configuration changes, such as adding/removing a profile, to the targeted virtual will not adversely affect policy execution.

442618-2

Improved memory handling in TMM prevents some TMM crashes in low-memory situations.

444178-1

The policy will properly replace specified HTTP headers.

446540-2

TMM will no longer core/restart with this backtrace due to large DNS sub-cache sizes. Please note that it is still advised to restrict cache size to fit within available memory. Be conservative and size up given available memory. Note for EACH configured cache, the sum of the sub-cache sizes (rrset + msg + nameserver + key), times the number of TMM threads, is approximately the size the cache may occupy in memory (it will actually occupy slightly more). Each configured cache consumes its own amount of memory -- configured caches do not share memory. Their sum must not exceed available memory of TMM. Note also TMM does not have control over all available system memory -- some is left available for the host; this is platform dependent.

448327-1

Prevented a memory leak when an iRule suspends or aborts a DNS command.

448846-2

A crash bug related to HSM and memory exhaustion has been fixed.

449845-2

DNS filter now formally enters framework.

450698-1

Use a consistent method for storing external datagroups in TMM.

450713-4

Out-of-order segments received after FIN will be forwarded as expected.

454583-1

SPDY will no longer cause a TMM crash when it aborts, followed by egress, followed by a second abort. SPDY will handle 100 Continue messages correctly by ignoring them.

440854

Sweeper now kills stale mirrored flows.

441401

Released memory earlier on standby units using L4 mirroring; some memory was retained longer than necessary.

441413

Changed initial TCP window sizes.

444710

Out-of-order segments received before 3WHS is completed are no longer dropped.

446222

Improved SW SYN cookies on non-ePVA systems using a fastL4 profile.

446295

Performance improvements for engineering HF 11.4.1 635.3.

447091

Ensured that packet filters with orders greater than 32767 are able to be deleted.

447515

Resolved an intermittent issue that could cause an eventual crash when an iRule was parked longer than the timeout, which caused the flow to be deleted; when the iRule was then resumed, it entered a bad state because of the missing flow.

451441

Improved password encryption for FTP monitor.

453358

The memory leak is fixed.

454256

SYN retransmissions received on CMP platforms will be queued and reprocessed upon completion of persistence processing.


Performance Fixes

ID Number Description

454949

AFM Optimizations to improve run-time and memory usage.


Global Traffic Manager Fixes

ID Number Description

439854-3

An additional attempt is made to match virtual servers by addr:port, even if there is an LTM Name that does not match.

440205-6

The software now attempts to match the name of the LTM 11.x virtual server with a virtual server on a 10.x BIG-IP system, so the virtual servers are not marked down.

442133-2

Disabling Synchronize on one GTM no longer disables Sync on all GTMs in the sync group.


Application Security Manager Fixes

ID Number Description

226473-2

ASM entities can no longer be created containing null characters.

248487-3

The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.

420108-3

Policy export in XML format now includes all attack signature settings, even if attack signatures were deleted from the system.

420374-1

If security policies exist on a partition on one system and those partitions do not exist on the other system, those folders will now be created, and the synchronization will succeed.

420981-1

The file asm_module.xml within the qkview file no longer contains illegal (non-UTF-8) characters that cannot be parsed by many XML tools.

422515-1

Include better troubleshooting information in asmqkview.

425411-1

The ASM part of qkview no longer hangs when trying to collect data from the system's DoS layer 7 plugin.

425539-1

We fixed a typo in the "Evasion Techniques Detected in Headers" table on the Application Security > Policy Building > Manual Traffic Learning > Evasion Techniques Detected in Headers screen.

427035-4

ASM System Variables request_buffer_size and long_request_buffer_size are now enforced correctly.

436899-1

The Enforcer correctly sends information to the Policy Builder about specific value and name meta characters that were previously mishandled.

438582-3

We fixed an issue that caused the Policy Builder to crash in rare cases when Explicit Entities Learning was set to "Selective".

440525-1

When response logging is enabled, the system now blocks responses with the wrong content length upon "Illegal HTTP status in response" violation.

440755-1

To detect more security issues, the system now applies security checks on partial responses.

441249-1

We fixed a rare issue where requests were not processed correctly by the system when the session awareness feature was enabled.

442313-3

The system no longer blocks content length headers with leading whitespaces, because it is legal. The system used to issue the "HTTP protocol compliance failed" sub-violation: "Unparsable request content".

445508-2

We optimized the memory usage for long requests according to the platform. We introduced a new internal parameter: long_request_mem_percentage. This parameter defines the memory percentage for long requests. The default is 10%. Upon upgrading to version 11.6, we discard the old internal parameter 'max_concurrent_long_request' in favor of the new internal parameter 'long_request_mem_percentage'.

446589-1

We fixed a client side challenge parsing issue that rarely led to a crash.

446989-2

The Enforcer no longer crashes when it analyzes a long dynamic parameter.

448402-2

We reduced the learning manager’s resource usage when it processes traffic with cookies and headers, in case there are no learning suggestions for cookies or headers.

453568-4

The client side challenge mechanism now correctly reconstructs the referrer header.

439372

If you have response filtering enabled in Protocol Security for version v11.2.X (or earlier) and then upgrade to v11.3.X/v11.4.X, the system no longer filters (blocks) responses. We changed this behavior because in the later BIG-IP versions the response filtering feature is not visible in the Protocol Security configuration in the Configuration utility.


Application Visibility and Reporting Fixes

ID Number Description

433281-2

Fixed rare case where multi-threading caused memory corruption.

436352-2

We fixed an issue where the Analytics user-session tracking feature sometimes caused the TMM to core dump due to memory consumption issues.

438604-2

AVR now checks the Content-Type of a response before inserting CSPM JavaScript, so that it only injects the CSPM JavaScript into appropriately formatted text and HTML documents.

440085-1

We fixed an issue where the system did not free resources upon the closing of a connection.

448717-4

The AVR_DIM_URL table size is now controlled and does not fill the /var/lib/mysql partition nor block /var/avr/loader files from being loaded.

441594

We fixed an issue that caused all HTTPS traffic to be logged as HTTP traffic. This affected the display of traffic on the Captured Transactions screen, but the system always correctly enforced SSL traffic.


Access Policy Manager Fixes

ID Number Description

400433-3

Daemons (apd/apmd) are more robust.

405348-3

Modify the db variable "tmm.access.maxrequestbodysize" with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).

406649-4

Installing a hotfix will no longer cause apd to continuously restart.

410157-3

BIG-IP Edge Client now displays PPP disconnection/reconnection notification quickly.

415299-1

[Mac][EPS] policyserver.log now contains information about recurring check failures.

420989-1

When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.

420990-1

Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.

420992-2

When you use Windows Logon Integration with BIG-IP Edge Client for Windows, now you can choose the server to connect to.

422818-2

"Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.

423346-3

Fixed the order of arguments in the rewriting result for 'Call someObject.open(argumentsList)'.

424008-1

APM now supports smart card logon on Windows-based systems with APM Windows Logon Integration.

424357-7

Resolved a rare case in which URIs were not properly percent-decoded.

424938-2

APD no longer crashes when processing an access policy with Tcl expressions; previously, this occurred rarely.

425130-2

The assumptions have been changed so that "in progress" will proceed as normal.

425507-3

An issue in which logd could start to consume 99% of CPU after table rotation has been fixed.

427962-2

A new option is added to full webtop configuration: "Show warning message when webtop window closed." When this option is disabled, a user can close a webtop browser without also being prompted to close the Network Access tunnel that was launched from the full webtop.

429286-2

Added a test for the History object to F5_Invoke_go(obj,url).

430531-1

Computer group policy settings are now updated after a VPN connection is established with Windows Logon Integration.

430833-4

Network Access client proxy settings are now correctly applied on German-language Windows with IE10.

432260-3

An AAA server pool remains reachable after the bigstart restart [mcpd] command runs.

432469-8

The APM client firewall check now correctly detects the state of the Windows 8.1 firewall.

432537-3

A call to ParseCookie() in PatchInfo::processSetCookie() no longer takes an improper length argument.

432543-2

Fixed an issue to prevent a crash when event handlers are not fully initialized, usually because of a lack of metadata.

432784-10

Memory buffers that store sensitive information are now cleaned up immediately after use.

432851-3

Mac File and Linux File access policy items work correctly when the specified file size is greater than 1024 bytes.

432925-2

You can now successfully create a macro from the Support for Microsoft Exchange macro template.

433243-3

BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.

433605-5

At the end of an APM network access session, the route is now restored for an interface that has a gateway and IP address on different subnets, provided that the gateway and IP address have not changed during the session.

435329-5

Layered virtual servers are now assigned the correct IP addresses, and no longer conflict or interfere with each other.

435455-2

Now Citrix policies are properly activated by SmartAccess filters provided by APM.

436556-3

The correct list of Citrix apps now renders on an APM webtop when a Citrix resource uses Kerberos single sign-on to the Citrix XML Broker.

437326-2

APM now supports Citrix Receiver for HTML5 version 2.1.

437395-1

Previously, APD became unresponsive while strace was in use or GDB was attached, because the incoming-connection handling thread exited. With this fix, APD continues to serve connection requests while it is being traced with strace or attached to gdb.

437795-2

Fixed intermittent Citrix Receiver hang due to TCP window size being reduced to zero by BIG-IP.

437804-2

Improved client code to reduce potential memory leaks identified in testing.

437820-1

The machine certificate check on Mac OS X now correctly lets clients, for which only a certificate and not the key are found, go through the "found" branch.

437881-1

In an HA configuration, any users deleted from the localDB on the current unit are now deleted from the standby unit also.

438256-2

Forms with an absolute path in the action are now handled correctly.

438595-2

There is now backward compatibility with FirePass for EPS, so the browser on the FirePass system no longer freezes on 'Checking running processes'.

438696-2

Now Java RDP and Java App Tunnels work without showing a security warning.

438964-1

Template files now include a version number and the Component Installer service updates correctly.

439453-1

Citrix Receiver now works with APM when APM is integrated with StoreFront.

439463-3

Now Citrix Receiver for Mac and iOS gets the correct config.xml file when working through a Wi-Fi router and APM is integrated with Citrix Web Interface.

439728-3

An APM page that contains dynamic scripts now works correctly when a user opens it from another domain or protocol using the Chrome browser.

440022-3

Now an APM webtop renders Citrix apps when a Citrix resource uses a pool and Kerberos SSO.

440385-2

Support of Internet Explorer 10 (without compatibility mode) for machine certificate checker was added.

440432-2

The iRule event agent (in an access policy) no longer logs BIG-IP Edge Client for Linux Command Line users out before they can establish network access.

440564-1

Citrix Session Sharing now works properly in cases where it previously did not.

440792-2

Client proxy settings specified in a Network Access resource are now applied consistently; previously they were occasionally missed.

440841-3

This split tunnelling log message is no longer written at the notice level: "Username used for SSO contains domain information. Please enable 'Split domain from full Username' option in the Logon Page if domain info should be separated from username for SSO to work properly". The message is now written at the informational level.

441073-4

When using Portal Access, an input tag in forms now can receive a value that is dynamically created by JavaScript on the client.

441318-3

The special character "." can now be used for a user name.

441507-2

SWF parser now correctly rewrites a compressed object when the compressed body is followed by data.

441553-3

A Network Access client can now connect successfully after one or more failovers.

441612-2

BIG-IP Edge Client for Mac now can connect to a BIG-IP system on which a machine information agent is included in the access policy.

441809-2

Network access connections now succeed after failover without encountering an IPv4 allocation failure error: 'leasepool leasepoolname is out of addresses'.

442026-2

Customers can now create a Portal Access resource using the Wizard on any partition.

442699-2

The AD module now handles displayName properly even when it contains special characters, so no exception occurs. The AD module is also exception safe: if an exception occurs in any other situation, APD does not leak memory in the AD module code.

443139-1

Session variables have been made available during the ACCESS_SESSION_CLOSED event. As a side effect, session variables are still available even after issuing the "ACCESS::session remove" command, because the actual removal is deferred until after the current iRule completes. However, it is considered an error to access that data outside of the ACCESS_SESSION_CLOSED event.

445399-3

Support was added for Network Access over PPPoE.

445970-3

[Java][Mac][NA][EPS] NA and EPS auto installation now works with Java 7 update 51.

445985-1

Now JavaScript arithmetic assignment operators are handled correctly on the server and on the client.

446425-5

The BIG-IP Edge Client for Mac now applies DNS server settings correctly.

446881-2

Prevented a potential crash, found in testing, that occurred when users on Mac OS X connected to a BIG-IP system whose access policy includes an AV or FW checker using OPSWAT library version 3.6.8642.2.

447301-2

The current HTML page continues to display without reloading if a user clicks a link that contains an undefined URL.

447392-2

The installer for the BIG-IP Edge Client for Windows now prompts the user if a reboot is required.

448896-2

An HTML page with base URI (HREF attribute of the BASE tag) is rewritten correctly.

450298-5

Logging on to Outlook Web App 2013 (SP1) using portal access with Firefox browser now works without producing an error.

450305-3

When accessing OWA 2013 through portal access, users can successfully create a new message, calendar, or task item.

450360-2

Now Citrix Session Sharing works correctly for any version of XenApp.

450687-3

After the GUI or the console displays an error message to a user who is configuring an SSO NTLMv1 (or NTLMv2) object, an incorrectly configured object is no longer created.

450728-3

APM now correctly handles VMware View client requests with an empty body.

450845-1

Under logging stress, logd no longer writes duplicate fd errors in the log.

451233-1

The APD and ACCTD processes now parse any IP address that includes a route domain ID as a suffix.

451588-2

Portal access renders the data correctly when creating a new item on SharePoint 2013.

451867-2

SWF patcher behaves properly now.

452182-2

Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../".

453880-2

Fixed a possible failure to handle a Citrix Receiver for Windows client connection.

454010-4

APM now recognizes Internet Explorer in compatibility mode on Windows 8.1 correctly.

454248-1

Fixed unnecessary localdbmgr messages logged in /var/log/apm every minute at the notice level.

454550-4

Proxy auto configuration now works with Internet Explorer when a URL cannot be resolved on a client.

455046-1

OPSWAT Endpoint Security Integration SDK 3.6.8917.2 Update

456302-4

The APM client heartbeat read overrun issue is now fixed.

458485-3

The code is updated so that APD no longer crashes on certain VPE expressions, such as the Date Time check or the 'encoding' command, due to a change introduced by the fix for 424938.

447302

APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.

452041

Previously, the Machine Certificate Checker worked only in "Subject CN match FQDN" mode; now it correctly processes any matching rule.

452344

HexToBinReverse() now correctly converts Unicode strings.

453185

The Access Policy Manager 11.4.1 release notes include a new section, "Module combination support on the 3900", which states: "The GTM+APM module combination is not supported on the 3900 product platform."

455783

The low speed of the PPP interface has been fixed.


WebAccelerator Fixes

ID Number Description

413981-2

WAM install/UCS restore from a v10.x release now succeeds.

418760-1

Qpdf no longer cores when trying to linearize PDFs with certain internal inconsistencies.

431409-1

Log_Level_Debugging is now set correctly.

435367-1

This release fixes a memory leak related to a large memory allocation to wam::wam_bitset_bits, so the leak no longer occurs.

438688

TMM no longer crashes. When the newer document gets evicted due to cache writing errors, the stand-in document is used as configured.


Wan Optimization Manager Fixes

ID Number Description

424657-2

The assertion no longer fails as stale prune messages are now ignored.

426652-1

Deduplication occurs properly and control connections are no longer aborted.

446827-1

SDDv2 cache resynchronization regression has been fixed.

446839-1

SDDv2 deduplication control connections are not initiated when deduplication is globally disabled.

447288-1

Endpoint recovery now completes after a deduplication control connection is re-established.


Service Provider Fixes

ID Number Description

450001-2

Flow control in the SIPP filter no longer blocks flow improperly.

450019-2

When you use the LB::prime pool command, the system tries to flush the queue, but if there is server-side congestion the messages do not get processed. However, if there is no LB::prime, the queue is not flushed.


Advanced Firewall Manager Fixes

ID Number Description

418945-3

Prevents a crash in the rare case where AFM is licensed but not provisioned, and multiple contexts are meant to have the same ACL and use rule lists instead of policies.

425522-2

Improved rate-limit calculations when using relative thresholds, to avoid faulty behavior caused by the base/average being artificially low due to insufficient history.

439445-2

Improved security.

441672-1

It is now possible to upgrade a configuration with firewall rules referencing an iRule with no special effort.

455744-1

Fixed a management IP firewall rules compilation failure.

421016

Previously, when the Network Firewall was configured in Firewall mode (default deny), Access Policy Manager (APM) traffic could be dropped. Issues with this configuration no longer occur.

440817

The sweeper no longer reaps a flow that would have matched a rule with action = Accept Decisive in either the global or the corresponding route-domain classifier, in the scenario where that particular classifier did not change (and there are no matching rules in the corresponding VIP/Self IP classifier, and the VIP/Self IP default action is set to Drop or Reject).

445456

Fixed an issue where, when editing an address list in AFM using the web interface (Security > Network Firewall > Address Lists), any attempt to enter subnets failed with an "invalid IP address" error message.

453377

Previously, when a network firewall rule was configured on a Self IP context, and an iRule was specified in the configuration, an error occurred. This configuration now processes traffic correctly.


Policy Enforcement Manager Fixes

ID Number Description

428274-1

Resolved a rare case, in a specific environment, in which no RAA was seen when the PCRF ended the session for a subscriber.


Carrier-Grade NAT Fixes

ID Number Description

435078-1

The LSN pool now correctly logs long-lived connections in a form usable by dnatutil.

438046-4

Unattached and disabled virtual servers are now correctly removed from the LSN pool.

446402-6

Deterministic NAT state information is now logged from a single TMM when the configuration changes.


Global Traffic Manager Fixes

ID Number Description

448914-4

The object name field now has correct input validation and escapes JavaScript.


Firepass Fixes

ID Number Description

469649

Resolved an intermittent Vtoken issue in which JavaScript injections were missing when browsing.


Local Traffic Manager Fixes

ID Number Description

463943

 


Cumulative fixes from BIG-IP v11.4.1 Hotfix 3 that are included in this release


TMOS Fixes

ID Number Description

420459-1

Firmware release.

427930-1

Firmware release.

430242-2

Firmware release.

431136-1

Platform release.

431361-10

With the AWS marketplace release of the BIG-IP 11.4.1 AMI on 1/21/14 (contains all fixes included in BIG-IP 11.4.1 HF3) and the BIG-IQ 4.2.0 AMI on 1/24/14, the AWS BIG-IP/BIG-IQ instances now start up properly.

435053-7

Added RQ19 mode to make FW backward compatible.

436962-1

 

436965-1

 

437030-1

Firmware release.

437104-1

 

438194-1

Firmware release.

440543-1

Firmware release.

420391

Support new F5 hardware platforms.

420728

Support new F5 hardware platforms.

427179

Support new F5 hardware platforms.

430929

Support new F5 hardware platforms.

433657

Support new F5 hardware platforms.

433913

Support new F5 hardware platforms.

433915

Support new F5 hardware platforms.

433989

Support new F5 hardware platforms.

433990

Support new F5 hardware platforms.

434219

Support new F5 hardware platforms.

435040

Support new F5 hardware platforms.

435043

Support new F5 hardware platforms.

436095

Support new F5 hardware platforms.

436687

Support new F5 hardware platforms.

439654

Support new F5 hardware platforms.

440158

Support new F5 hardware platforms.

440323

Support new F5 hardware platforms.

440360

Support new F5 hardware platforms.

441173

Support new F5 hardware platforms.


Local Traffic Manager Fixes

ID Number Description

424379-3

Configuring BIG-IP with many FIPS keys no longer causes TMM to constantly reset.

437866-2

In this release, the system correctly decrements the active jobs counter when this error is detected. CPU no longer runs high, and jobs are assigned to the correct compression queue.

438385-2

Firmware release.

410260

Support new F5 hardware platforms.

438949

Support new F5 hardware platforms.

439712

Single SSL transfers now perform much better on 4200/2200 platforms.

440800

Support new F5 hardware platforms.

441456

The system no longer marks a packet for TSO if the forwarding virtual server is fastL4.

442098

Avoids head-of-line blocking (or lossless mode) with CoS queue dropping by enabling MMU queue egress limit thresholds and reverting to the SDK default dynamic queue threshold alpha value.


Cumulative fixes from BIG-IP v11.4.1 Hotfix 2 that are included in this release


TMOS Fixes

ID Number Description

427152-1

LBH firmware version 5.02 for BIG-IP 10000-series appliances corrects intermittent "read error" messages when getting information about installed power supplies.

427153-1

LBH firmware version 2.18 for BIG-IP 5000-/7000-series appliances corrects intermittent "read error" messages when getting information about installed power supplies.

429172-1

LBH firmware version 3.02 for BIG-IP 2000-/4000-series appliances corrects intermittent power supply fan failure and bad status error logs.

429174-1

LBH firmware version 2.19 for BIG-IP 5000-/7000-series appliances corrects intermittent power supply fan failure and bad status error logs.

412642

When the configuration of the floating management IP is handled internally, the system now removes all other management IP addresses and reprograms the floating IP as the primary.

419036

HTTP iApps now correctly configure Slow Ramp Time when it is set to a non-default value in advanced configuration mode. Affected iApps are f5.http, f5.bea_weblogic, f5.microsoft_iis, f5.microsoft_sharepoint_2010, f5.oracle_as_10g, f5.oracle_ebs, f5.peoplesoft_9, f5.sap_enterprise_portal, and f5.sap_erp.

419319

Fixed a rare problem, when not using the standard configuration, that resulted in the error message: 01070712:3: Cannot delete tunnel 'r10.10.10.2' in rd65535 - ioctl failed: No such device - net/validation/routing.cpp, line 523 Unexpected Error: Loading configuration process failed.

421721

With this fix, an SDN license is required in order to use VXLAN.

421886

MCPD will no longer crash during configuration synchronization. Steps were taken to ensure that objects were not prematurely deleted.

422630

The VXLAN profile now uses the default port suggested by the RFC.

423876

HTTP iApps now correctly configure Priority Group Activation (PGA) when it is selected. Affected iApps are f5.http, f5.bea_weblogic, f5.microsoft_iis, f5.microsoft_sharepoint_2010, f5.oracle_as_10g, f5.oracle_ebs, f5.peoplesoft_9, f5.sap_enterprise_portal, and f5.sap_erp.

425101

The 'Prepaid Segment' and 'Incremental Segments' sections now appear properly on the GTM Link page, so users can create cost-based link load balancing in the GUI.

425670

You are now able to delete a wide IP in the LC web interface.

427071

Resolved issue preventing GUI from displaying traffic selector list.

427342

If you filter by the Status column under Local Traffic > DNS Express Zones > DNS Express Zone List, the page now correctly renders without error.

427344

The translation address for GTM Servers can now be configured in the GUI.

427952

Memory used during load operations is now properly reclaimed.

427956

The system now properly reclaims the memory during load operations.

428191

The 'Allow custom' field allows users to add as many ports and protocols as they want, and the 'Allow custom (include default)' field allows users to add ports in addition to the default port value. Deletion of already created ports no longer loses port values, and 'Allow custom' no longer toggles to 'Allow custom (include default)' when the user updates the page.

428395

Interrupt remap filtering is now properly delivered to the ngfips driver.

428405

Fixed a slow memory leak in mcpd involving client and server SSL profiles.

428516

Fixed a leak in mcpd when using centralized policy management.

428706

False positive messages warning of 100% CPU use have been corrected.

430638

 

430655

Improved debugging on TMM to include DB variable provision.

430793

Fixed issue when creating AV/FW configurations that caused 'access denied' error.

430905

Policy sync now works with more than two devices.

431160

Fixed divide by zero kernel panic.

431305

Fixed TMM crash that could occur in rare instances of iSession use.

431667

Fixed the show cm device-group option that would intermittently specify incorrect options.

432826

Trunks now work upon reboot if not configured with LACP Active on BIG-IP 2000-/4000-series appliances.

435600

Resolves a core found in testing.

436239

Name resolution now works properly, and mcpd no longer allows such a situation.

436861

Incremental sync of configuration files now works regardless of the sync type and prevents error messages for load failures.

437739

TMOS now monitors all tmms for looping/locked on a Centaur/Victoria2 BIGIP.

438622

SFP insertion and removal events are detected automatically on BIG-IP 800 appliances.

438657

Creating or modifying iApp Application Service no longer causes GTM global settings to be reset.


Local Traffic Manager Fixes

ID Number Description

435822-1

dpid service no longer leaks memory.

364814

Improvements in strict IPv6 compatibility and standards compliance.

418781

The TMM has been fixed to delay linking child route domains until all route domains are loaded.

420200

More types of DNS messages are now passed through the BIG-IP system, so that, for example, the DNS_UPDATE response (which is a valid header-only DNS message) is correctly passed through without processing.

421495

Improvements for IPv6 support.

424350

Users can now start a VMware View desktop when using APM as a PCoIP Gateway, even when there is a forwarding 0.0.0.0/0:0 virtual server on the APM system.

424901

Introduced improvements in strict IPv6 compatibility and standards compliance.

425382

Improvements in strict IPv6 compatibility and standards compliance.

425589

Improvements in strict IPv6 compatibility and standards compliance.

425921

Compression on the 4200v platforms now behaves properly in these cases.

425953

The commit ID is now synchronized to secondary blades of a chassis; a sync will not be required if a different blade becomes primary.

426570

tmm no longer leaks "source address" memory.

426802

Improvements in strict IPv6 compatibility and standards compliance.

427012

BIG-IP no longer truncates DNS over TCP, nor does it send more than 512 bytes over UDP when EDNS0 is not present.

427607

The polling behavior in the quickassist driver is modified to allow more efficient handling of hardware compression requests.

427972

Unrecognized or non-standard types are ignored for the purpose of stats collection.

428764

Improvement to allow more rules and bigger state machines, to ensure CPM functions as designed after a policy update.

429960

When a lookup fails or is aborted, the system now reports that the lookup failed instead of assuming that a lookup always succeeds.

430379

Fixed a crash of multiple daemons when creating a PEM listener.

431263

Resolved a crash found by F5 testing when adding the latest classification_base.conf file.

431914

The v1.1 cave creek firmware allows for compressed streams greater than 4 gigabytes. This addresses the issue where requests for file download (with compression) resulted in a reset when the compressed stream exceeded 4G in size.

432775

Fixed tmm core that could occur in rare situations.

434416

Resolved an issue in which response-side classification did not work with CPM policies.

435598

The condition which could cause memory corruption in tmm related to the http-set-cookie action in an ltm policy has been fixed.

435879

Improvements in strict IPv6 compatibility and standards compliance.

436634

tmm no longer crashes if the profile changes and the virtual server is deleted immediately afterward.

436883

 

437006

The tmm now correctly processes large URIs when evaluating conditions of type http-uri in an ltm policy.

437051

 

438081

Fixed a bug in zxfrd so that it continues processing large responses.

439036

Multiple unnecessary restarts of zxfrd on startup are now prevented by swallowing the 'tag not found' error for zxfrd.

439440

Resolved a bug found in F5 testing when using many signatures.

439718

Prevents a crash when trying to assign a profile to a listener, by adding a software check so that behavior is consistent between functions.


Global Traffic Manager Fixes

ID Number Description

391999

[LB::server addr] now returns an empty object if there is no address, and no longer returns the previous address.

412112

GTM no longer incorrectly adds Self IP addresses that correspond to gateway pool members.

416445

Fixed a rare case in which, when using the GSLB configuration under DNS Lite (a free provisioned capability on an LTM) and using a client computer to test the GSLB configuration, the lowest rate possible was 1 request per second. This assumes the client is pinned to a single processing core on the BIG-IP. If there is more than one client IP and the requests are spread across multiple cores, clients would experience at least 1 request per core. Testers and admins need to be able to hit their refresh button or re-request every second and get at least a response without triggering a rate-limited failure.

423317

Link status for GTM server and virtual server IPs now works properly after a config load.

424997

Big3d no longer restarts in certain circumstances when retrying a connection to mcpd, and no longer produces a segmentation fault.

426957

Attempting to create a zone using the ZoneRunner GUI using the "Transfer From Server" option now works correctly.

430200

When an explicit link is changed by a user on a server or virtual server configuration, the updated links now apply immediately.

431157

GTM now correctly includes all information necessary for the monitor to make the correct determination of status.

433358

The Active member of the HA Link Controller pair now displays the correct stats and applies the correct traffic-based limits.

437025

Very large configs no longer cause big3d to abort.


Application Security Manager Fixes

ID Number Description

420335-1

We fixed an issue that sometimes raised the error message "crit g_server_rpc_handler_async.pl[13807]: 01310027:2: ASM subsystem error asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Set active failed" in the /var/log/asm.log on VIPRION devices or in a device group after synchronizing a failover device group.

420980-4

We fixed an issue that sometimes caused the Enforcer to crash when response logging is enabled.

432207-3

The GWT parser no longer blocks legal requests with non-digit characters at the end of the request payload.

433418-7

After updating the GeoIP database (see SOL11176) and restarting the ASM bd daemon, the bd daemon no longer fails to read the system's GeoIP files (/shared/GeoIP/).

366861

We fixed an issue that sometimes caused the Enforcer's XML parser to crash.

414931

The Automatic Policy Builder no longer learns entities (like URLs and parameters) from an unparsable request. It does learn violations from the traffic event.

415118

When a response is compressed, and the "Learn from responses" option is enabled for the Policy Builder, and JavaScript is injected into the response, then the system no longer replaces the original response with an unescaped compressed response.

420528

The Enforcer no longer crashes during a specific memory exhaustion scenario.

427147

We fixed an issue that sometimes caused the Enforcer's XML parser to crash.

427161

Enabling the "URL Meta Characters" Automatic Policy Building Policy Element setting and running the Policy Builder no longer places explicit URLs in staging that were previously not in staging.

428327

We fixed a rare issue in which the Enforcer crashed, due to memory corruption, after VIPRION blades were connected and disconnected.

428952

We fixed a rare issue in which the Enforcer crashed after a long POST request was prematurely closed.

430303

The Automatic Policy Builder's collapse URL feature no longer collapses disallowed URLs.

430810

We fixed an issue that could cause the Enforcer to crash during the parsing of request parameters.

431873

Fixed the sending of SMTP email attachments to an ICAP server, if one is configured.

433427

We fixed an issue (involving extraction parameters) that sometimes caused the Enforcer to crash.

435026

We fixed an issue where the system did not correctly extract dynamic parameters in forms that contain combo boxes with script attributes, and the "Illegal dynamic parameter value" violation was incorrectly produced.

436381

The Configuration utility now quickly displays active security policies even when there are a large number of security policies assigned to a large number of virtual servers (over 100).


Application Visibility and Reporting Fixes

ID Number Description

426550

We fixed an issue that sometimes caused the Analytics module external logging to not work after the BIG-IP system was rebooted, unless you also ran the command "bigstart restart avrd".

427888

AVR no longer breaks the response of an HTTP transaction when receiving a FIN before receiving the entire request.

428565

An error no longer occurs when sending Scheduled Reports that use filters.

429522

Fixed a rare issue with the AVR initialization process that led to invalid JavaScript injection when the page-load-time feature is used.

430941

You can now export from the Security > Overview > Application > Traffic screen, and the report is correctly displayed when the system reports a very large number of entities.

431619

Fixed an intermittent issue with the Application DoS initialization process that led to errors in DoS mitigation after the initialization.

434283

DoS attack statistics are collected for VLAN groups, but are reported as "Aggregated" and are not broken down for each individual VLAN group.


Access Policy Manager Fixes

ID Number Description

346972-1

Rewriting for inflating a location that is specified without an object has been fixed.