Supplemental Document: Release Information: Hotfixes: BIG-IP 11.5.4

Original Publication Date: 05/12/2017

BIG-IP Hotfix Release Information

Version: BIGIP-11.5.4
Build: 313.0
Hotfix Rollup: 4

Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 that are included in this release
Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.5.x

Functional Change Fixes

None


Local Traffic Manager Fixes

ID Number Severity Description
656902 2-Critical Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile
655756 2-Critical TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.
587691-2 2-Critical TMM crashes upon SSL handshake cancellation.



Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
631582-3 CVE-2016-9250 K55792317 Administrative interface enhancement
616772-3 CVE-2014-3568 K15724 CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager)
616765-3 CVE-2013-6449 K15147 CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager)
636702-1 CVE-2016-9444 K40181790 BIND vulnerability CVE-2016-9444
636700-2 CVE-2016-9147 K02138183 BIND vulnerability CVE-2016-9147
636699-3 CVE-2016-9131 K86272821 BIND vulnerability CVE-2016-9131
624570-4 CVE-2016-8864 K35322517 BIND vulnerability CVE-2016-8864
616498-3 CVE-2009-3245 K15404 CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager)
616491-3 CVE-2006-3738 K6734 CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager)
611830 CVE-2016-7468 K13053402 TMM may crash when processing TCP traffic
611469-6 CVE-2016-7467 K95444512 Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-5 CVE-2016-9252 K46535047 Improper handling of IP options
596340-4 CVE-2016-9244 K05121675 F5 TLS vulnerability CVE-2016-9244
591327-3 CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 K36488941 OpenSSL vulnerability CVE-2016-2106
591325-3 CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 K75152412 OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-6 CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 K23230229 OpenSSL vulnerabilities
508057-2 CVE-2015-0411 K44611310 MySQL Vulnerability CVE-2015-0411
635412-1 CVE-2017-6137 K82851041 Invalid mss with fast flow forwarding and software syn cookies
622496-3 CVE-2016-5829 K28056114 Linux kernel vulnerability CVE-2016-5829
604442-3 CVE-2016-6249 K12685114 iControl log
601938-5 CVE-2016-7474 K52180214 MCPD stores certain data incorrectly
597023-5 CVE-2016-4954 K82644737 NTP vulnerability CVE-2016-4954
594496-4 CVE-2016-4539 K35240323 PHP Vulnerability CVE-2016-4539
593447-3 CVE-2016-5024 K92859602 BIG-IP TMM iRules vulnerability CVE-2016-5024
587077-4 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 K37603172 Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
526514-2 CVE-2016-3687 K26738102 Open redirect via SSO_ORIG_URI parameter in multi-domain SSO
524279-4 CVE-2015-4000 K16674 CVE-2015-4000: TLS vulnerability
520924-3 CVE-2016-5020 K00265182 Restricted roles for custom monitor creation
475743-2 CVE-2017-6128 K92140924 Improve administrative login efficiency
416734-2 CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 CVE-2013-1667 K15867 Multiple Perl Vulnerabilities
635933-2 CVE-2004-0790 K23440942 K13361021 The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
599285-5 CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 K51390683 PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
573343-4 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 K01324833 NTP vulnerability CVE-2015-8158


Functional Change Fixes

ID Number Severity Description
633723-1 3-Major New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
620712 3-Major Added better search capabilities on the Pool Members Manage & Pool Create page.
561348-2 3-Major krb5.conf file is not synchronized between blades and not backed up
541549-3 3-Major AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-1 3-Major OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
511818-5 3-Major Support RSASSA-PSS signature algorithm in server SSL certificate
454492-2 3-Major Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures


TMOS Fixes

ID Number Severity Description
624457-2 1-Blocking Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
638935-1 2-Critical Monitor with send/receive string containing double-quote may cause upgrade to fail.
624263-1 2-Critical iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response
616864-4 2-Critical BIND vulnerability CVE-2016-2776
614865 2-Critical Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-3 2-Critical TMM crash on invalid memory access to loopback interface stats object
605476 2-Critical istatsd can core when reading corrupt stats files.
601527-1 2-Critical mcpd memory leak and core
600396-1 2-Critical iControl REST may return 404 for all requests in AWS
570663-2 2-Critical Using iControl get_certificate_bundle_v2 causes a memory leak
562959-3 2-Critical In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.
551661-3 2-Critical Monitor with send/receive string containing double-quote may fail to load.
483373-1 2-Critical Incorrect bash prompt for created admin role users
467847-1 2-Critical passphrase visible in audit log
440752-2 2-Critical qkview might loop writing output file if MCPD fails during execution
355806-2 2-Critical Starting mcpd manually at the command line interferes with running mcpd
632618 3-Major ImageMagick vulnerability CVE-2016-3717
631627-3 3-Major Applying BWC over route domain sometimes results in tmm not becoming ready on system start
631530 3-Major TAI offset not adjusted immediately during leap second
628164-1 3-Major OSPF with multiple processes may incorrectly redistribute routes
624931 3-Major getLopSensorData "sensor data reply too short" errors with FND300 DC PSU
623119-3 3-Major Linux kernel vulnerability CVE-2016-4470
621417-2 3-Major sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
621242-2 3-Major Reserve enough space in the image for future upgrades.
620659-1 3-Major The BIG-IP system may unnecessarily run provisioning on successive reboots
616242-1 3-Major basic_string::compare error in encrypted SSL key file if the first line of the file is blank
615934 3-Major Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
614675 3-Major iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" creates invalid profile
608320-2 3-Major iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response
604237-1 3-Major Vlan allowed mismatch found error in VCMP guest
596814-2 3-Major HA Failover fails in certain valid AWS configurations
595773-6 3-Major Cancellation requests for chunked stats queries do not propagate to secondary blades
591455-3 3-Major NTP vulnerability CVE-2016-2516
560510-4 3-Major Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down.
558858-1 3-Major Unexpected loss of communication between slots of a vCMP Guest
556277-4 3-Major Config Sync error after hotfix installation (chroot failed rsync error)
534021-1 3-Major HA on AWS uses default AWS endpoint (EC2_URL).
533813-2 3-Major Internal Virtual Server in partition fails to load from saved config
502714-6 3-Major Deleting files and file object references in a single transaction might cause validation errors
502049-3 3-Major Qkview may store information in the wrong format
502048-3 3-Major Qkview may store information in the wrong format
499537-2 3-Major Qkview may store information in the wrong format
491406-2 3-Major TMM SIGSEGV in sctp_output due to NULL snd_dst
460833-2 3-Major MCPD sync errors and restart after multiple modifications to file object in chassis
420438-2 3-Major Default routes from standby system when HA is configured in NSSA
393270-3 3-Major Configuration utility may become non-responsive or fail to load.
601927-4 4-Minor Security hardening of control plane
599191-1 4-Minor One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
591447-4 4-Minor PHP vulnerability CVE-2016-4070
589379-1 4-Minor ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
551208-3 4-Minor Nokia alarms are not deleted due to the outdated alert_nokia.conf.
516841-3 4-Minor Unable to log out of the GUI in IE8
500452-3 4-Minor PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
471827-2 4-Minor Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist
457951-3 4-Minor openldap/ldap.conf file is not part of ucs backup archive.
442231-1 5-Cosmetic Pendsect log entries have an unexpected severity


Local Traffic Manager Fixes

ID Number Severity Description
637181-2 2-Critical VIP-on-VIP traffic may stall after routing updates
622166-1 2-Critical HTTP GET requests with HTTP::cookie iRule command receive no response
619071-1 2-Critical OneConnect with verified accept issues
616215-1 2-Critical TMM can core when using LB::detach and TCP::notify commands in an iRule
611704-1 2-Critical tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605865-1 2-Critical Debug TMM produces core on certain ICMP PMTUD packets
603667-1 2-Critical TMM may leak or corrupt memory when configuration changes occur with plugins in use
597966-1 2-Critical ARP/neighbor cache nexthop object can be freed while still referenced by another structure
588351-3 2-Critical IPv6 fragments are dropped when packet filtering is enabled.
578045-5 2-Critical The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks
576897-2 2-Critical Using snat/snatpool in related-rule results in crash
575011-9 2-Critical Memory leak. Nitrox3 Hang Detected.
574153-3 2-Critical If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.
565409-3 2-Critical Invalid MSS with HW syncookies and flow forwarding
559973-5 2-Critical Nitrox can hang on RSA verification
526367-2 2-Critical tmm crash
488686-4 2-Critical Large file transfer hangs when HTTP is in passthrough mode
484214-3 2-Critical Nitrox got stuck when processed certain SSL records
477195-1 2-Critical OSPFv3 session gets stuck in loading state
469770-3 2-Critical System outage can occur with MPTCP traffic.
411233-2 2-Critical New pool members take all requests until lb_value catches up.
629771 3-Major The TCP::unused_port command erroneously accepts IPV4_COMPAT addresses
621465 3-Major The minimum IP packet fragment size is now 1 and not 24
617862-3 3-Major Fastl4 handshake timeout is absolute instead of relative
617824-1 3-Major "SSL::disable/enable serverside" + oneconnect reuse is broken
610609-4 3-Major Total connections in bigtop, SNMP are incorrect
610429-2 3-Major X509::cert_fields iRule command may memory with subpubkey argument
608551-2 3-Major Half-closed congested SSL connections with unclean shutdown might stall.
608024-2 3-Major Unnecessary DTLS retransmissions occur during handshake.
607304-1 3-Major TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606575-2 3-Major Request-oriented OneConnect load balancing ends when the server returns an error status code.
604977-4 3-Major Wrong alert when DTLS cookie size is 32
604496-1 3-Major SQL (Oracle) monitor daemon might hang.
603723-1 3-Major TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603606-1 3-Major tmm core
600827-3 3-Major Stuck nitrox crypto queue can erroneously be reported
598874-1 3-Major GTM Resolver sends FIN after SYN retransmission timeout
597089-3 3-Major Connections are terminated after 5 seconds when using ePVA full acceleration
592871-1 3-Major Cavium Nitrox PX/III stuck queue diagnostics missing.
592784 3-Major Compression stalls, does not recover, and compression facilities cease.
591789 3-Major IPv4 fragments are dropped when packet filtering is enabled.
591659-2 3-Major Server shutdown is propagated to client after X-Cnection: close transformation.
591476-6 3-Major Stuck crypto queue can erroneously be reported
588572-2 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
588569-2 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
588115-4 3-Major TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
587892 3-Major Multiple iRule proc names might clash, causing the wrong rule to be executed.
586738-3 3-Major The tmm might crash with a segfault.
584310 3-Major TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-7 3-Major Fragmented packets may cause tmm to core under heavy load
583957-3 3-Major The TMM may hang handling pipelined HTTP requests with certain iRule commands.
579926-2 3-Major HTTP starts dropping traffic for a half-closed connection when in passthrough mode
579843-4 3-Major tmrouted may not re-announce routes after a specific succession of failover states
572281-3 3-Major Variable values in the nested script of a foreach command get reset when there is a parking command in the script
568543-2 3-Major Syncookie mode is activated on wildcard virtuals
556117-1 3-Major client-ssl profile is case-sensitive when checking server_name extension
555432-2 3-Major Large configuration files may go missing on secondary blades
554761-4 3-Major Unexpected handling of TCP timestamps under syncookie protection.
549329-2 3-Major L7 mirrored ACK from standby to active box can cause tmm core on active
545450-2 3-Major Log activation/deactivation of TM.TCPMemoryPressure
537326-4 3-Major NAT available in DNS section but config load fails with standalone license
528734-1 3-Major TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.
519746-2 3-Major ICMP errors may reset FastL4 connections unexpectedly
512119-3 3-Major Improved UDP DNS packet truncation
508486-1 3-Major TCP connections might stall if initialization fails
503214-11 3-Major Under heavy load, hardware crypto queues may become unavailable.
500003-3 3-Major Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP
499478-3 3-Major Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate
483257-2 3-Major Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP
468820-2 3-Major MPTCP flows may hang when an MTU mismatch occurs on the network.
468300-3 3-Major Filters may not work correctly with websockets or CONNECT
464801-1 3-Major Intermittent tmm core
455553-8 3-Major ICMP PMTU handling causes multiple retransmissions
442539-3 3-Major OneConnect security improvements.
442455-4 3-Major Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces.
437256-1 3-Major clientssl profile has no key/cert pair
423392-7 3-Major tcl_platform is no longer in the static:: namespace
598860-5 4-Minor IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587966-5 4-Minor LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
538708-2 4-Minor TMM may apply SYN cookie validation to packets before generating any SYN cookies
536868-2 4-Minor Packet Sizing Issues after Receipt of PMTU
486485-2 4-Minor TCP MSS is incorrect after ICMP PMTU message.
356841-2 5-Cosmetic Don't unilaterally set Connection: Keep-Alive when compressing


Global Traffic Manager Fixes

ID Number Severity Description
603598-1 2-Critical big3d memory under extreme load conditions
642330-4 3-Major GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.
613576-9 3-Major QOS load balancing links display as gray
589256-4 3-Major DNSSEC NSEC3 records with different type bitmap for same name.
487144-1 3-Major tmm intermittently reports that it cannot find FIPS key


Application Security Manager Fixes

ID Number Severity Description
614441-1 1-Blocking False Positive for illegal method (GET)
602749 2-Critical Memory exhaustion when asking for missing page of learning suggestion occurrences
577668-2 2-Critical ASM Remote logger doesn't log 64 KB request.
499347 2-Critical JSON UTF16 content could be blocked by ASM as Malformed JSON
616169-1 3-Major ASM Policy Export returns HTML error file
615695 3-Major Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2
603945-3 3-Major BD config update should be considered as config addition in case of update failure
576591-3 3-Major Support for some future credit card number ranges
562775-3 3-Major Memory leak in iprepd
366605-2 3-Major response_log_size_limit does not limit the log size.
463314-1 4-Minor Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail


Application Visibility and Reporting Fixes

ID Number Severity Description
565085-4 3-Major Analytics profile allows invalid combination of entities for Alerts setup
560114-2 3-Major Monpd is being affected by an I/O issue which makes some of its threads freeze
491185-3 3-Major URL Latencies page: pagination limited to 180 pages


Access Policy Manager Fixes

ID Number Severity Description
618324-3 2-Critical Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
592868-1 2-Critical Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-2 2-Critical APM ACL construction may cause TMM to core if TMM is out of memory
536683-1 2-Critical tmm crashes on "ACCESS::session data set -secure" in iRule
511478-1 2-Critical Possible TMM crash when evaluating expression for per-request policy agents.
428068-2 2-Critical Insufficiently detailed causes for session deletion.
625376-2 3-Major In some cases, download of PAC file by edge client may fail
613613 3-Major Incorrect handling of form that contains a tag with id=action
612419-3 3-Major APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
610243-1 3-Major HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication
610180-5 3-Major Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.
604767-6 3-Major Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.
601407 3-Major Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards
600116 3-Major DNS resolution request may take a long time in some cases
598981-1 3-Major APM ACL does not get enforced all the time under certain conditions
598211-3 3-Major Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-6 3-Major VPN establishment may fail when computer wakes up from sleep
597429 3-Major eam maintains lock on /var/log/apm.1 after logrotate
592869 3-Major Syntax Error when reimporting exported content containing acl-order 0
592414-3 3-Major IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
590820-5 3-Major Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
586718-5 3-Major Session variable substitutions are logged
586006-5 3-Major Failed to retrieve CRLDP list from client certificate if DirName type is present
582440-1 3-Major Linux client does not restore route to the default GW on Ubuntu 15.10
568445-7 3-Major User cannot perform endpoint check or launch VPN from Firefox on Windows 10
565167-3 3-Major Additional garbage data being logged on user name and domain name for NTLM authentication
563349-2 3-Major On Mac, Network Access proxy settings are not applied to the tun adapter after VPN is established
561798-3 3-Major Windows edge client may show scripting error on certain 3rd party authentication sites
556088-2 3-Major In a chassis system with APM provisioned, the mcpd daemon on a secondary blade will restart.
553063-4 3-Major Epsec version rolls back to previous version on a reboot
553037 3-Major iOS Citrix Receiver web interface mode cannot launch the apps
551260-3 3-Major When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
525429-13 3-Major DTLS renegotiation sequence number compatibility
508337-5 3-Major In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access
451301-2 3-Major HTTP iRules break Citrix HTML5 functionality
450314-1 3-Major Portal Access / JavaScript code which uses reserved keywords for object field names may not work correctly
447565-4 3-Major Renewing machine-account password does not update the serviceId for associated ntlm-auth.
424368-3 3-Major parent.document.write(some_html_with_script) hangs up parent frame for IE browsers
389484-5 3-Major OAM reporting Access Server down with JDK version 1.6.0_27 or later
584373-1 4-Minor AD/LDAP resource group mapping table controls are not accessible sometimes


WebAccelerator Fixes

ID Number Severity Description
467542-1 2-Critical TMM core in AAM assembly code during high memory utilization
474445-3 3-Major TMM crash when processing unexpected HTTP response in WAM


WAN Optimization Manager Fixes

ID Number Severity Description
619757-4 2-Critical iSession causes routing entry to be prematurely freed


Service Provider Fixes

ID Number Severity Description
649933-5 3-Major Fragmented RADIUS messages may be dropped
550434-4 3-Major Diameter connection may stall if server closes connection before CER/CEA handshake completes
489957-8 3-Major RADIUS::avp command fails when AVP contains multiple attribute (VSA).


Policy Enforcement Manager Fixes

ID Number Severity Description
596134-1 2-Critical TMM core with PEM virtual server
472106-1 2-Critical TMM crash in a rare case of flow optimization


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
624193 3-Major Topology load balancing not working as expected
615187 4-Minor Missing hyperlink to GSLB virtual servers and servers on the pool member page.



Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-5 CVE-2016-5745 K64743453 NAT64 vulnerability CVE-2016-5745
599168-5 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-5 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
596488-5 CVE-2016-5118 K82747025 GraphicsMagick vulnerability CVE-2016-5118.
591806-4 CVE-2016-3714 K03151140 ImageMagick vulnerability CVE-2016-3714
570716-1 CVE-2016-5736 K10133477 BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
569467-2 CVE-2016-2084 K11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
565169-1 CVE-2013-5825 CVE-2013-5830 K48802597 Multiple Java Vulnerabilities
580596-5 CVE-2013-0169 CVE-2016-6907 K14190 K39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
579955-4 CVE-2016-7475 K01587042 BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
577826-3 CVE-2016-1286 K62012529 BIND vulnerability CVE-2016-1286
573124-5 CVE-2016-5022 K06045217 TMM vulnerability CVE-2016-5022
572495-4 CVE-2016-5023 K19784568 TMM may crash if it receives a malformed packet CVE-2016-5023
563670-5 CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 K86772626 OpenSSL vulnerabilities
539923-2 CVE-2016-1497 K31925518 BIG-IP APM access logs vulnerability CVE-2016-1497
457811-1 CVE-2013-6438 CVE-2014-0098 K15300 CVE-2013-6438 : HTTPD Vulnerability
452318-2 CVE-2014-0050 K15189 Apache Commons FileUpload vulnerability CVE-2014-0050
591918-6 CVE-2016-3718 K61974123 ImageMagick vulnerability CVE-2016-3718
591908-6 CVE-2016-3717 K29154575 ImageMagick vulnerability CVE-2016-3717
591894-6 CVE-2016-3715 K10550253 ImageMagick vulnerability CVE-2016-3715
591881-5 CVE-2016-3716 K25102203 ImageMagick vulnerability CVE-2016-3716
582952 CVE-2011-5321 CVE-2012-6647 CVE-2012-6657 CVE-2013-0190 CVE-2013-0228 CVE-2013-1860 CVE-2013-2596 CVE-2013-2851 CVE-2013-4483 CVE-2013-4591 CVE-2013-6367 CVE-2013-6381 CVE-2013-6383 CVE-2013-7339 CVE-2014-0055 CVE-2014-0077 K31300371 Linux kernel vulnerability CVE-2013-4483
579220-2 CVE-2016-1950 K91100352 Mozilla NSS vulnerability CVE-2016-1950
564111-2 CVE-2015-8395 CVE-2015-8384 CVE-2015-8392 CVE-2015-8394 CVE-2015-8391 CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387 CVE-2015-8386 CVE-2015-8385 CVE-2015-8383 CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-2328 CVE-2015-2327 CVE-2015-8393 K05428062 Multiple PCRE vulnerabilities
550596-2 CVE-2016-6876 K52638558 RESOLV::lookup iRule command vulnerability CVE-2016-6876
541231-1 CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 K16704 K16707 Resolution of multiple curl vulnerabilities
486791-3 CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 K16939 Resolution of multiple wireshark vulnerabilities
616382 CVE-2016-0705 K93122894 OpenSSL Vulnerability (TMM)
580340-4 CVE-2016-2842 K52349521 OpenSSL vulnerability CVE-2016-2842
580313-4 CVE-2016-0799 K22334603 OpenSSL vulnerability CVE-2016-0799
579975-4 CVE-2016-0702 K79215841 OpenSSL vulnerability
579829-4 CVE-2016-0702 K79215841 OpenSSL vulnerability CVE-2016-0702
579237-4 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
579085-3 CVE-2016-0797 K40524634 OpenSSL vulnerability CVE-2016-0797
578570-3 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
577828-4 CVE-2016-2088 K59692558 BIND vulnerability CVE-2016-2088
577823-3 CVE-2016-1285 K46264120 BIND vulnerability CVE-2016-1285
567379-2 CVE-2013-4397 K16015326 libtar vulnerability CVE-2013-4397
565895-3 CVE-2015-3217 K17235 Multiple PCRE Vulnerabilities
551287-3 CVE-2010-2596 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 K16715 Multiple LibTIFF vulnerabilities
481806-4 CVE-2013-4002 K16872 Java Runtime Environment vulnerability CVE-2013-4002
437285-4 CVE-2013-3571 CVE-2012-0219 CVE-2010-2799 K14919 Multiple socat vulnerabilities
416372-3 CVE-2012-2677 K16946 Boost memory allocator vulnerability CVE-2012-2677
570667-10 CVE-2016-0701 CVE-2015-3197 K64009378 OpenSSL vulnerabilities


Functional Change Fixes

ID Number Severity Description
583631-1 1-Blocking ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
445633-2 2-Critical Config sync of SecurID config file fails on secondary blades
560405-5 3-Major Optional target IP address and port in the 'virtual' iRule API is not supported.
532685-5 3-Major PAC file download errors disconnect the tunnel
544325-2 4-Minor BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).


TMOS Fixes

ID Number Severity Description
572600 1-Blocking mcpd can run out of file descriptors
538761-1 1-Blocking scriptd may core when MCP connection is lost
596603-5 2-Critical AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
583936-1 2-Critical Removing ECMP route from BGP does not clear route from NSM
582295 2-Critical ospfd core dump when redistributing NSSA routes in a HA failover
574116-3 2-Critical MCP may crash when syncing configuration between device groups
568889-5 2-Critical Some ZebOS daemons do not start on blade transition secondary to primary.
564427-1 2-Critical Use of iControl call get_certificate_list_v2() causes a memory leak.
563064-5 2-Critical Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
561814-4 2-Critical TMM Core on Multi-Blade Chassis
559034-3 2-Critical Mcpd core dump in the sync secondary during config sync
557144-1 2-Critical Dynamic route flapping may lead to tmm crash
556380-3 2-Critical mcpd can assert on active connection deletion
539784-2 2-Critical HA daemon_heartbeat mcpd fails on load sys config
529141-4 2-Critical Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error
510979-2 2-Critical Password-less SSH access after tmsh load of UCS may require password after install.
507499-2 2-Critical TMM can watchdog under extreme memory pressure.
506199-8 2-Critical VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
505071-2 2-Critical Delete and create of the same object can cause secondary blades' mcpd processes to restart.
490801-3 2-Critical mod_ssl: missing support for TLSv1.1 and TLSv1.2
595874-3 3-Major Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.
586878-1 3-Major During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
583285-2 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
579284-5 3-Major Potential memory corruption in MCPd
579047 3-Major Unable to update the default http-explicit profile using the GUI.
576305-1 3-Major Potential MCPd leak in IPSEC SPD stats query code
575735-1 3-Major Potential MCPd leak in global CPU info stats code
575726-1 3-Major MCPd might leak memory in vCMP interface stats.
575716-1 3-Major MCPd might leak memory in VCMP base stats.
575708-1 3-Major MCPd might leak memory in CPU info stats.
575671-1 3-Major MCPd might leak memory in host info stats.
575619-1 3-Major Potential MCPd leak in pool member stats query code
575608-1 3-Major MCPd might leak memory in virtual server stats query.
575587-1 3-Major Potential MCPd leak in BWC policy class stats query code
575027-3 3-Major Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.
574045-3 3-Major BGP may not accept attributes using extended length
573529 3-Major F-bit is not set in IPv6 OSPF Type-7 LSAs
571344-2 3-Major SSL Certificate with special characters might cause exception when GUI retrieves items list page.
571210-3 3-Major Upgrade, load config, or sync might fail on large configs with large objects.
571019-2 3-Major Topology records can be ordered incorrectly.
570053-1 3-Major HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
569356-5 3-Major BGP ECMP learned routes may use incorrect vlan for nexthop
569236-2 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
565534-3 3-Major Some failover configuration items may fail to take effect
563475-1 3-Major ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
562044-1 3-Major Statistics slow_merge option does not work
560975-1 3-Major iControl can remove hardware SSL keys while in use
559939-3 3-Major Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
558779-5 3-Major SNMP dot3 stats occasionally unavailable
558573-3 3-Major MCPD restart on secondary blade after updating Pool via GUI
557281-3 3-Major The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
556252 3-Major sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis
555905-1 3-Major sod health logging inconsistent when device removed from failover group or device trust
555039-1 3-Major VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
554563-2 3-Major Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
554340-2 3-Major IPsec tunnels fail when connection.vlankeyed db variable is disabled
553795-3 3-Major Differing certificate/key after successful config-sync
553649 3-Major The SNMP daemon might lock up and fail to respond to SNMP requests.
551927-3 3-Major ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
551742-1 3-Major Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
549971-3 3-Major Some changes to virtual servers' profile lists may cause secondary blades to restart
549543-2 3-Major DSR rejects return traffic for monitoring the server
548385-1 3-Major iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
547942 3-Major SNMP ipAdEntAddr indicates floating vlan IP rather than local IP
547532-6 3-Major Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
542742-3 3-Major SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
541316-5 3-Major Unexpected transition from Forced Offline to Standby to Active
540996-4 3-Major Monitors with a send attribute set to 'none' are lost on save
539125-1 3-Major SNMP: ifXTable walk should produce the available counter values instead of zero
530242-4 3-Major SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs
529484-3 3-Major Virtual Edition Kernel Panic under load
527168-3 3-Major In GUI System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535
527145-3 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
520408-1 3-Major TMM ASSERTs due to subkey_record field corruption in the SessionDB.
517209-6 3-Major tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
517020-4 3-Major SNMP requests fail and subsnmpd reports that it has been terminated.
515667-6 3-Major Unique truncated SNMP OIDs.
512954-1 3-Major ospf6d might leak memory when distribute-list is used
510580-3 3-Major Interfaces might be re-enabled unexpectedly when loading a partition
508076-1 3-Major Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name.
496679-3 3-Major Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.
491716-3 3-Major SNMP attribute type incorrect for certain OIDs
487625-4 3-Major Qkview might hang
486725-1 3-Major GUI creating key files with .key extensions in the name causing errors
486512-8 3-Major audit_forwarder sending invalid NAS IP Address attributes
483228-8 3-Major The icrd_child process generates core when terminating
478215-5 3-Major The command 'show ltm pool detail' returns duplicate members in some cases
474194-4 3-Major iControl GlobalLB::PoolMember get_all_statistics and get_monitor_association cause memory leaks
453949-3 3-Major small memory leak observed in audit_forwarder
451494-1 3-Major SSL Key/Certificate in different partition with Subject Alternative Name (SAN)
446493-3 3-Major foreign key index error on local traffic-only group
425980-2 3-Major Blade number not displayed in CPU status alerts
421971-7 3-Major Renewing certificates with SAN input in the GUI leads to error.
418664-3 3-Major Configuration utility CSRF vulnerability
405635-5 3-Major Using the restart cm trust-domain command to recreate certificates required by device trust.
405611-2 3-Major Configuration utility CSRF vulnerability
400456-2 3-Major HTTP monitors with long send or receive strings may not save or update
372118-1 3-Major import_all_from_archive_file and import_all_from_archive_stream does not create file objects.
339825-2 3-Major Management.KeyCertificate.install_certificate_from_file failing silently
553174-2 4-Minor Unable to query admin IP via SNMP on VCMP guest
551481-4 4-Minor 'tmsh show net cmetrics' reports bandwidth = 0
551349-1 4-Minor Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade
548053-1 4-Minor User with 'Application Editor' role set cannot modify 'Description' field using the GUI.
536746-2 4-Minor LTM : Virtual Address List page uses LTM : Nodes List search filter.
535544-7 4-Minor Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled
533480-4 4-Minor qkview crash
519216-3 4-Minor Abnormally high CPU utilization from external SSL/OpenSSL monitors
511332-1 4-Minor Customer cannot view Pools list by Address
481003-1 4-Minor 'General database error' trying to view Local Traffic :: Pools :: Pool List.
468949-1 4-Minor audit_forwarded started error message
466612-2 4-Minor Missing sys DeviceModel OID for VIPRION C2200 chassis
452487-5 4-Minor Incremental sync causes incorrect accounting of member count of pools
447364-2 4-Minor BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU
401893-2 4-Minor Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
572133-3 5-Cosmetic tmsh save /sys ucs command sends status messages to stderr
524281-1 5-Cosmetic Error updating daemon ha heartbeat
470627-4 5-Cosmetic Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE
458563-3 5-Cosmetic A "status down" message is logged when enabling a pool member that was previously disabled
388274-2 5-Cosmetic LTM pool member link in a route domain is wrong in Network Map.
291469-3 5-Cosmetic SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.


Local Traffic Manager Fixes

ID Number Severity Description
555549-2 1-Blocking 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.
579919 2-Critical TMM may core when LSN translation is enabled
565810-5 2-Critical OneConnect profile with an idle or strict limit-type might lead to tmm core.
562566-3 2-Critical High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems
558612-3 2-Critical System may fail when syncookie mode is activated
554967-2 2-Critical Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
552937-2 2-Critical HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
552151-1 2-Critical Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
549868-2 2-Critical 10G interoperability issues reported following Cisco Nexus switch version upgrade.
544375-2 2-Critical Unable to load certificate/key pair
540568-4 2-Critical TMM core due to SIGSEGV
534795-6 2-Critical Swapping VLAN names in config results in switch daemon core and restart.
517613-2 2-Critical ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps
483665-3 2-Critical Restrict the permissions for private keys
478812-4 2-Critical DNSX Zone Transfer functionality preserved after power loss
468791-3 2-Critical Crash when using FIX tag maps and a FIX message arrives without a SenderCompID.
466007-3 2-Critical DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var
459671-1 2-Critical iRules source different procs from different partitions and executes the incorrect proc.
454583-4 2-Critical SPDY may cause the TMM to crash if it aborts while there are stalled streams.
592854-2 3-Major Protocol version set incorrectly on serverssl renegotiation
585412-1 3-Major SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
584717 3-Major TCP window scaling is not applied when SYN cookies are active
580303-2 3-Major When going from active to offline, tmm might send a GARP for a floating address.
579371-1 3-Major BIG-IP may generate ARPs after transition to standby
576296-1 3-Major MCPd might leak memory in SCTP profile stats query.
575626-6 3-Major Minor memory leak in DNS Express stats error conditions
575612-4 3-Major Potential MCPd leak in policy action stats query code
571573-3 3-Major Persistence may override node/pmbr connection limit
571183-3 3-Major Bundle-certificates Not Accessible via iControl REST.
570617-5 3-Major HTTP parses fragmented response versions incorrectly
569642-3 3-Major Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
569349-3 3-Major Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
569288-4 3-Major Different LACP key may be used in different blades in a chassis system causing trunking failures
566361-2 3-Major RAM Cache Key Collision
563591-3 3-Major reference to freed loop_nexthop may cause tmm crash.
563419-3 3-Major IPv6 packets containing extended trailer are dropped
563227-4 3-Major When a pool member goes down, persistence entries may vary among tmms
558602-2 3-Major Active mode FTP data channel issue when using lasthop pool
557783-3 3-Major TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
557645-1 3-Major Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
556560-1 3-Major DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
556103-2 3-Major Abnormally high CPU utilization for external monitors
554977-1 3-Major TMM might crash on failed SSL handshake
553688-3 3-Major TMM can core due to memory corruption when using SPDY profile.
552931-2 3-Major Configuration fails to load if DNS Express Zone name contains an underscore
552865-5 3-Major SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
551189-2 3-Major Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield to incorrect HTTP header data
550782-2 3-Major Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
550689-3 3-Major Resolver H.ROOT-SERVERS.NET Address Change
549406-3 3-Major Destination route-domain specified in the SOCKS profile
548680-3 3-Major TMM may core when reconfiguring iApps that make use of iRules with procedures.
548583-5 3-Major TMM crashes on standby device with re-mirrored SIP monitor flows.
548563-3 3-Major Transparent Cache Messages Only Updated with DO-bit True
547732-3 3-Major TMM may core on using SSL::disable on an already established serverside connection
542654 3-Major bigd may experience a heartbeat failure when tcp-half-open monitors are used
541126-1 3-Major Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed
540893-3 3-Major Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.
540213-4 3-Major mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary
536191-3 3-Major Transparent inherited TCP monitors may fail on loading configuration
534111-2 3-Major [SSL] Config sync problems when modifying cert in default client-ssl profile
533820-3 3-Major DNS Cache response missing additional section
531979-4 3-Major SSL version in the record layer of ClientHello is not set to be the lowest supported version.
530812-5 3-Major Legacy DAG algorithm reuses high source port numbers frequently
529899-3 3-Major Installation may fail with the error "(Storage modification process conflict.)".
527742-1 3-Major The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system
524641-4 3-Major Wildcard NAPTR record after deleting the NAPTR records
523471-3 3-Major pkcs11d core when connecting to SafeNet HSM
521711-3 3-Major HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual
519217-2 3-Major tmm crash: valid proxy
516816-2 3-Major RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
515322-2 3-Major Intermittent TMM core when using DNS cache with forward zones
513530-3 3-Major Connections might be reset when using SSL::disable and enable command
513213-4 3-Major FastL4 connection may get RSTs in case of hardware syncookie enabled.
509416-4 3-Major Suspended 'after' commands may result in unexpected behaviors
505089-3 3-Major Spurious ACKs result in SYN cookie rejected stat increment.
500786-4 3-Major Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
490936-1 3-Major SSLv2/TLSv1 based handshake causing handshake failures
490174-3 3-Major Improved TLS protocol negotiation with clients supporting TLS1.3
469627-2 3-Major When persistence is overridden from cookie to some other persistence method, the cookie should not be sent.
468471-1 3-Major The output of DNS::edns0 subnet address command is not stored properly in a variable
463202-6 3-Major BIG-IP system drops non-zero version EDNS requests
458348-3 3-Major RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
457109-3 3-Major Traffic misclassified and matching wrong rule in CPM policy.
452900-3 3-Major IP iRules may cause TMM to segfault in low memory scenarios
452659-1 3-Major DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
445471-1 3-Major DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
419217-1 3-Major LTM policy fails to decompress compressed http requests
417006-5 3-Major Thales HSM support on Chassis cluster-mode.
406001-5 3-Major Host-originated traffic cannot use a nexthop in a different route domain
372473-3 3-Major mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
336255-8 3-Major OneConnect Connection Limits with Narrow Source Address Masks
546747-4 4-Minor SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets
541134-3 4-Minor HTTP/HTTPS monitors transmit unexpected data to monitored node.
499795-3 4-Minor "persist add" in server-side iRule event can result in "Client Addr" being pool member address
492780-3 4-Minor Elliptic Curves Extension in ServerHello might cause failed SSL connection.
458872-1 4-Minor Check SACK report before treating as dupack


Global Traffic Manager Fixes

ID Number Severity Description
569972-3 2-Critical Unable to create gtm topology records using iControl REST
569521-2 2-Critical Invalid WideIP name without dots crashes gtmd.
561539-1 2-Critical [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.
539466-3 2-Critical Cannot use self-link URI in iControl REST calls with gtm topology
533658-3 2-Critical DNS decision logging can trigger TMM crash
471467-1 2-Critical gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
569472-3 3-Major TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
559975-4 3-Major Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
551767-2 3-Major GTM server 'Virtual Server Score' not showing correctly in TMSH stats
546640-1 3-Major tmsh show gtm persist <filter option> does not filter correctly
540576-2 3-Major big3d may fail to install on systems configured with an SSH banner
552352-3 4-Minor tmsh list display incorrectly for default values of gtm listener translate-address/translate-port


Application Security Manager Fixes

ID Number Severity Description
560748 2-Critical BIG-IQ discovery fails
451089-1 2-Critical ASM REST: Incorrect/Duplicate REST id for policy after a copy is made
449231-1 2-Critical ASM REST: Updating multiple items in a list only makes one change
589298 3-Major TMM crash with a core dump
585045 3-Major ASM REST: Missing 'gwt' support for urlContentProfiles
582683-1 3-Major xpath parser doesn't reset a namespace hash value between each and every scan
574214-2 3-Major Content Based Routing daemon (cbrd) logging control
573406-2 3-Major ASU cannot be completed if license was last activated more than 18 months before
572922-3 3-Major Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.
566758-3 3-Major Manual changes to policy imported as XML may introduce corruption for Login Pages
559541-3 3-Major ICAP anti-virus tests are not initiated on XML when they should be
559055 3-Major Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
531809-1 3-Major FTP/SMTP traffic related bd crash


Application Visibility and Reporting Fixes

ID Number Severity Description
578353-1 2-Critical Statistics data aggregation process is not optimized
529900-4 2-Critical AVR missing some configuration changes in multiblade system
472969-3 2-Critical If you try to create more than 264 AVR profiles, avrd might crash.
569958-3 3-Major Upgrade for application security anomalies
557062-3 3-Major The BIG-IP ASM configuration fails to load after an upgrade.
488989-4 3-Major AVRD does not print out an error message when the external logging fails
454071-1 5-Cosmetic 'Show all' button has no effect or becomes hidden for short period of time


Access Policy Manager Fixes

ID Number Severity Description
581770-1 1-Blocking Network Access traffic does not pass IPv6 traffic if a Network Access resource contains both IPv4 and IPv6
580817-4 2-Critical Edge Client may crash after upgrade
579909-3 2-Critical Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
579559-4 2-Critical DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration
578844-3 2-Critical tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
575609-4 2-Critical Zlib accelerated compression can result in a dropped flow.
574318-4 2-Critical Unable to resume session when switching to Protected Workspace
572563-4 2-Critical PWS session does not launch on Internet Explorer
571090-1 2-Critical When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
569306-5 2-Critical Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
565056-5 2-Critical Fail to update VPN correctly for non-admin user.
562919-1 2-Critical TMM cores in renew lease timer handler
559138-4 2-Critical Linux CLI VPN client fails to establish VPN connection on Ubuntu
556774-1 2-Critical EdgeClient cannot connect through captive portal
555272-3 2-Critical Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade
513083-2 2-Critical d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.
586056 3-Major Machine cert checker doesn't work as expected if issuer or AltName is specified
581834-3 3-Major Firefox signed plugin for VPN, Endpoint Check, etc
580421-4 3-Major Edge Client may not register DLLs correctly
576350-3 3-Major External input from client doesn't pass to policy agent if it is not the first in the chain.
576069-1 3-Major Rewrite can crash in some rare corner cases
575499-3 3-Major VPN filter may leave renew_lease timer active after teardown
575292-2 3-Major DNS Relay proxy service does not respond to SCM commands in timely manner
574781-3 3-Major APM Network Access IPV4/IPV6 virtual may leak memory
573581-2 3-Major DNS search suffixes are not restored properly in some cases after VPN establishment
573429-2 3-Major APM Network Access IPv4/IPv6 virtual may leak memory
572893-5 3-Major error "The modem (or other connecting device) is already in use or is not configured properly"
571003-4 3-Major TMM Restarts After Failover
570640-4 3-Major APM Cannot create symbolic link to sandbox. Error: No such file or directory
570064-4 3-Major IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
569255-5 3-Major Network Access incorrectly manipulates routing table when a second adapter is connected if "Allow Local subnet access" is set to ON
566908-3 3-Major Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
566646-2 3-Major Portal Access could respond very slowly for large text files when using IE < 11
565231-1 3-Major Importing a previously exported policy which had two object names may fail
564521-2 3-Major JavaScript passed to ExternalInterface.call() may be erroneously unescaped
564496-2 3-Major Applying APM Add-on License Does Not Change Effective License Limit
564482-3 3-Major Kerberos SSO does not support AES256 encryption
564262-3 3-Major Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
564253-6 3-Major Firefox signed plugin for VPN, Endpoint Check, etc
563443-3 3-Major WebSSO plugin core dumps under very rare conditions.
558946-3 3-Major TMM may core when APM is provisioned and access profile is attached to the virtual
558870-4 3-Major Protected workspace does not work correctly with third party products
558631-6 3-Major APM Network Access VPN feature may leak memory
556597-3 3-Major CertHelper may crash when performing Machine Cert Inspection
555457-4 3-Major Reboot is required, but not prompted after F5 Networks components have been uninstalled
554993-1 3-Major Profile Stats Not Updated After Standby Upgrade Followed By Failover
554626 3-Major Database logging truncates log values greater than 1024
554228-4 3-Major OneConnect does not work when WEBSSO is enabled/configured.
554074-3 3-Major If the user cancels a connection attempt, there may be a delay in establishing the next connection.
554041-4 3-Major No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
553925-3 3-Major Manual upgrade of Edge Client fails in some cases on Windows
552498-2 3-Major APMD basic authentication cookie domains are not processed correctly
550536-4 3-Major Incorrect information/text (in French) is displayed when the Edge Client is launched
549086-3 3-Major Windows 10 is not detected when Firefox is used
536575-2 3-Major Session variable report can be blank in many cases
531983-4 3-Major [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
528548-1 3-Major @import "url" is not recognized by client-side CSS patcher
528139-4 3-Major Windows 8 client may not be able to renew DHCP lease
520088-1 3-Major Citrix HTML5 Receiver does not properly display initial tour and icons
519059-2 3-Major [PA] - Failing to properly patch webapp link, link not working
518550-5 3-Major Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
516219-2 3-Major User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled
492122-4 3-Major Now Windows Logon Integration does not recreate temporary user for logon execution each time
488811-4 3-Major F5-prelogon user profile folders are not fully cleaned up
487859-2 3-Major Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
473344-7 3-Major Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
472446-4 3-Major Customization group template file might cause mcpd to restart
464687-1 3-Major Copying Access Profile with Machine Cert Agent check fails
462268-1 3-Major long session var processing in variable assignment agent
461084-2 3-Major Kerberos Auth might fail if client request contains Authorization header
458737-1 3-Major non-printable characters are escaped before hexencoding
409323-2 3-Major OnDemand cert auth redirect omits port information
404141-3 3-Major Standby system offers option to Apply Access Policy even though it has been synced
399732-2 3-Major SAML Error: Invalid request received from remote client is too big
580429-3 4-Minor CTU does not show second Class ID for InstallerControll.dll
572543-4 4-Minor User is prompted to install components repeatedly after client components are updated.
541156-3 4-Minor Network Access clients experience delays when resolving a host


WebAccelerator Fixes

ID Number Severity Description
575631-2 3-Major Potential MCPd leak in WAM stats query code
551010-3 3-Major Crash on unexpected WAM storage queue state


Wan Optimization Manager Fixes

ID Number Severity Description
552198-3 3-Major APM App Tunnel/AM iSession Connection Memory Leak
547537-4 3-Major TMM core due to iSession tunnel assertion failure


Service Provider Fixes

ID Number Severity Description
572224 3-Major Buffer error due to RADIUS::avp command when vendor IDs do not match


Advanced Firewall Manager Fixes

ID Number Severity Description
575582-1 3-Major MCPd might leak memory in FW network attack stats.
575571-1 3-Major MCPd might leak memory in FW DOS SIP attack stats query.
575569-1 3-Major MCPd might leak memory in FW DOS DNS stats query.
575565-1 3-Major MCPd might leak memory in FW policy rule stats query.
575564-1 3-Major MCPd might leak memory in FW rule stats query.
575557-2 3-Major MCPd might leak memory in FW rule stats.
575321-1 3-Major MCPd might leak memory in firewall stats.
569337-4 3-Major TCP events are logged twice in a HA setup
561433-6 3-Major TMM Packets can be dropped indiscriminately while under DOS attack
556694-6 3-Major DoS Whitelist IPv6 addresses may "overmatch"


Policy Enforcement Manager Fixes

ID Number Severity Description
577814 3-Major MCPd might leak memory in PEM stats queries.


Carrier-Grade NAT Fixes

ID Number Severity Description
540571-4 2-Critical TMM cores when multicast address is set as destination IP via iRules and LSN is configured
482202-2 2-Critical Very long FTP command may be ignored.
515736-5 3-Major LSN pool with small port range may not use all ports


Device Management Fixes

ID Number Severity Description
453640-2 2-Critical Java core when modifying global-settings



Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
518275-3 CVE-2016-4545 K48042976 The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file


Functional Change Fixes

ID Number Severity Description
577811 3-Major SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms


Local Traffic Manager Fixes

ID Number Severity Description
576314 2-Critical SNMP traps for FIPS device fault inconsistent among versions.
574262 3-Major Rarely encountered lockup for N3FIPS module when processing key management requests.
574073 3-Major Support for New Platform: BIG-IP 10350 FIPS with NEBS support



Cumulative fixes from BIG-IP v11.5.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
542314-7 CVE-2015-8099 K35358312 TCP vulnerability - CVE-2015-8099
536481-8 CVE-2015-8240 K06223540 F5 TCP vulnerability CVE-2015-8240
567475-4 CVE-2015-8704 K53445000 BIND vulnerability CVE-2015-8704
560910-3 CVE-2015-3194 K86772626 OpenSSL Vulnerability fix
560180-3 CVE-2015-8000 K34250741 BIND Vulnerability CVE-2015-8000
554624-1 CVE-2015-5300 CVE-2015-7704 K10600056 K17566 NTP CVE-2015-5300 CVE-2015-7704
553902-3 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 K17516 Multiple NTP Vulnerabilities
546080-4 CVE-2016-5021 K99998454 Path sanitization for iControl REST worker
545786-2 CVE-2015-7393 K75136237 Privilege escalation vulnerability CVE-2015-7393
545762-1 CVE-2015-7394 K17407 CVE-2015-7394
540849-4 CVE-2015-5986 K17227 BIND vulnerability CVE-2015-5986
540846-4 CVE-2015-5722 K17181 BIND vulnerability CVE-2015-5722
540767-1 CVE-2015-5621 K17378 SNMP vulnerability CVE-2015-5621
533156-2 CVE-2015-6546 K17386 CVE-2015-6546
472093-2 CVE-2015-8022 K12401251 APM TMUI Vulnerability CVE-2015-8022
556383-2 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 K31372672 Multiple NSS Vulnerabilities
534633-1 CVE-2015-5600 K17113 OpenSSH vulnerability CVE-2015-5600
525232-10 CVE-2015-4024 CVE-2014-8142 K16826 PHP vulnerability CVE-2015-4024
485917-5 CVE-2004-1060 K15792 BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
427174-6 CVE-2013-1620 CVE-2013-0791 K15630 SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620
560948-3 CVE-2015-3195 K12824341 OpenSSL vulnerability CVE-2015-3195
553454-3 CVE-2015-2730 K15955144 Mozilla NSS vulnerability CVE-2015-2730
515345-4 CVE-2015-1798 K16505 NTP Vulnerability
430799-5 CVE-2010-5107 K14741 CVE-2010-5107 openssh vulnerability
567484-4 CVE-2015-8705 K86533083 BIND Vulnerability CVE-2015-8705


Functional Change Fixes

ID Number Severity Description
557221 2-Critical Inbound ISP link load balancing will use pool members for only one ISP link per data center
539130-7 3-Major bigd may crash due to a heartbeat timeout
530133 3-Major Support for New Platform: BIG-IP 10350 FIPS
498992-9 3-Major Troubleshooting enhancement: improve logging details for AWS failover failure.
439013-5 3-Major IPv6 link-local vlan tag handling incorrect
425331-1 3-Major On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID
226043-5 3-Major Add support for multiple addresses for audit-forwarder.
479147-5 4-Minor Cannot create VXLAN tunnels with the same local-address and different multicast addresses.


TMOS Fixes

ID Number Severity Description
546260-1 1-Blocking TMM can crash if using the v6rd profile
544980-1 1-Blocking BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
510393-2 1-Blocking TMM may occasionally restart with a core file when deployed VCMP guests are stopped
465142-5 1-Blocking iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common
445327-1 1-Blocking OpenJDK 1.7 vulnerabilities
397431-8 1-Blocking Improved security for Apache.
562427 2-Critical Trust domain changes do not persist on reboot.
555686-2 2-Critical Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
544913-2 2-Critical tmm core while logging from TMM during failover
544481-4 2-Critical IPSEC Tunnel fails for more than one minute randomly.
530903-5 2-Critical HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade
523434-5 2-Critical mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
520380-4 2-Critical save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
513151-7 2-Critical VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.
511559-6 2-Critical Virtual Address advertised while unavailable
510559-5 2-Critical Add logging to indicate that compression engine is stalled.
507602-4 2-Critical Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
504508-4 2-Critical IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
503600-3 2-Critical TMM core logging from TMM while attempting to connect to remote logging server
482373-5 2-Critical Cannot delete and re-create a new virtual server that uses the same virtual address in the same transaction
468473-5 2-Critical Monitors with domain username do not save/load correctly
460165-5 2-Critical General Database Error when accessing Clusters or Templates page
365219-3 2-Critical Trust upgrade fails when upgrading from version 10.x to version 11.x.
355199-5 2-Critical ePVA flow not removed when connection closed
556284-3 3-Major iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
553576-2 3-Major Intermittent 'zero millivolt' reading from FND-850 PSU
550694 3-Major LCD display stops updating and Status LED turns/blinks Amber
547047-1 3-Major Older cli-tools unsupported by AWS
545745-3 3-Major Enabling tmm.verbose mode produces messages that can be mistaken for errors.
542860-5 3-Major TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
542320 3-Major no login name may appear when running ssh commands through management port
539822-1 3-Major tmm may leak connflow and memory on vCMP guest.
538133-1 3-Major Only one action per sensor is displayed in sensor_limit_table and system_check
536939-1 3-Major Secondary blade may restart services if configuration elements are deleted using a * wildcard.
534582-3 3-Major HA configuration may fail over when standby has only base configuration loaded.
533826-4 3-Major SNMP Memory Leak on a VIPRION system.
532559-2 3-Major Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.
531986-2 3-Major Hourly AWS VE license breaks after reboot with default tmm route/gateway.
529977-4 3-Major OSPF may not process updates to redistributed routes
529524-5 3-Major IPsec IKEv1 connectivity issues
528881-5 3-Major NAT names with spaces in them do not upgrade properly
528498-2 3-Major Recently-manufactured hardware may not be identified with the correct model name and SNMP OID
528276-6 3-Major The device management daemon can crash with a malloc error
527431-2 3-Major Db variable to specify audit forwarder port
526974-5 3-Major Data-group member records map empty strings to 'none'.
526817-6 3-Major snmpd core due to mcpd message timer thread not exiting
524490-7 3-Major Excessive output for tmsh show running-config
524333-5 3-Major iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out.
524300-1 3-Major The MOS boot process appears to hang.
523922-6 3-Major Session entries may timeout prematurely on some TMMs
523867-2 3-Major 'warning: Failed to find EUDs' message during formatting installation
523642-4 3-Major Power Supply status reported incorrectly after LBH reset
523527-10 3-Major Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.
522871-4 3-Major [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
522837-3 3-Major MCPD can core as a result of another component shutting down prematurely
521144-7 3-Major Network failover packets on the management interface sometimes have an incorrect source-IP
519510-4 3-Major Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
519081-6 3-Major Cannot use tmsh to load valid configuration created using the GUI.
518283-4 3-Major Cookie rewrite mangles 'Set-Cookie' headers
517714-2 3-Major logd core near end of its life cycle
517388-6 3-Major Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
516995-8 3-Major NAT traffic group inheritance does not sync across devices
516322-5 3-Major The BIG-IP system may erroneously remove an iApp association from the virtual server.
514844-3 3-Major Fluctuating/inconsistent number of health monitors for pool member
514726-5 3-Major Server-side DSR tunnel flow never expires
514724-4 3-Major crypto-failsafe fail condition not cleared when crypto device restored
512618-2 3-Major Continuous "Invalid sadb message" upon issuing "racoonctl -l show-sa esp"
511145-2 3-Major IPsec Policy Link not functional.
510425-7 3-Major DNS Express zone RR type-count statistics are missing in some cases
510381-5 3-Major bcm56xxd might core when restarting due to bundling config change.
509600-5 3-Major Global rule association to policy is lost after loading config.
507853-10 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
504803-4 3-Major GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.
504494-4 3-Major Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.
501437-6 3-Major rsync daemon does not stop listening after configsync-ip set to none
497304-10 3-Major Unable to delete reconfigured HTTP iApp when auto-sync is enabled
495865-4 3-Major iApps/tmsh cannot reconfigure pools that have monitors associated with them.
495862-7 3-Major Virtual status becomes yellow and gets connection limit alert when all pool members forced down
493246-1 3-Major SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
491556-10 3-Major tmsh show sys connection output is corrected
489113-7 3-Major PVA status, statistics not shown correctly in UI
485939-8 3-Major OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.
485702-7 3-Major Default SNMP community 'public' is re-added after the upgrade
484861-10 3-Major A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
484534-5 3-Major interface STP state stays in blocked when added to STP as disabled
483699-5 3-Major No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list
483104-6 3-Major vCMP guests report platform type as 'unknown'
481089-6 3-Major Request group incorrectly deleted prior to being processed
479553-6 3-Major Sync may fail after deleting a persistence profile
479543-8 3-Major Transaction will fail when deleting pool member and related node
476288-5 3-Major Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
473037-7 3-Major BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
470788-4 3-Major Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot
470756-8 3-Major snmpd cores or crashes with no logging when restarted by sod
464225-6 3-Major 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users
463468-9 3-Major A failed tmsh command generates duplicate log entries
462187-6 3-Major 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users
458104-6 3-Major LTM UCS load merge trunk config issue
455980-6 3-Major Home directory is purged when the admin changes user password.
455651-6 3-Major Improper regex/glob validation in web-acceleration and http-compression profiles
454392-1 3-Major Added support for BIG-IP 10350N NEBS platform.
439299-5 3-Major iApp creation fails with non-admin users
433466-5 3-Major Disabling bundled interfaces affects first member of associated unbundled interfaces
410101-4 3-Major HSBe2 falls off the PCI bus
375246-11 3-Major Clarification of pool member session enabling versus pool member monitor enabling
549023 4-Minor warning: Failed to find EUDs
548268-3 4-Minor Disabling an interface on a blade does not change media to NONE
503841-4 4-Minor Slow performance with delete_string_class_member in iControl-SOAP
492163-6 4-Minor Applying a monitor to pool and pool member may cause an issue.
473163-9 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap
465675-5 4-Minor Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
434096-5 4-Minor TACACS log forwarder truncates logs to 1k
413708-7 5-Cosmetic BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.


Local Traffic Manager Fixes

ID Number Severity Description
536690-1 1-Blocking Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)
540473-5 2-Critical peer/clientside/serverside script with parking command may cause tmm to core.
538255-2 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
537988-3 2-Critical Buffer overflow for large session messages
534804-3 2-Critical TMM may core with rate limiting enabled and service-down-action reselect on poolmembers
534052-5 2-Critical VLAN failsafe triggering on standby leaks memory
533388-8 2-Critical tmm crash with assert "resume on different script"
530505-2 2-Critical IP fragments can cause TMM to crash when packet filtering is enabled
529920-6 2-Critical Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
528739-5 2-Critical DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.
527011-4 2-Critical Intermittent lost connections with no errors on external interfaces
520413-12 2-Critical Aberrant behavior with woodside TCP congestion control
517590-1 2-Critical Pool member not turning 'blue' when monitor removed from pool
517465-3 2-Critical tmm crash with ssl
514108-7 2-Critical TSO packet initialization failure due to out-of-memory condition.
509646-6 2-Critical Occasional connections reset when using persistence
503343-9 2-Critical TMM crashes when cloned packet incorrectly marked for TSO
497299-7 2-Critical Thales install fails if the BIG-IP system is also configured as the RFS
489451-2 2-Critical TMM might panic due to OpenSSL failure during handshake generation
483719-4 2-Critical vlan-groups configured with a single member VLAN result in memory leak
481677-5 2-Critical A possible TMM crash in some circumstances.
481162-6 2-Critical vs-index is set differently on each blade in a chassis
477064-5 2-Critical TMM may crash in SSL
472585-5 2-Critical tmrouted crashes after a series of configuration changes
470235-1 2-Critical The HTTP explicit proxy may leak memory in some cases
459100-6 2-Critical TMM may crash when offloading one-way UDP FastL4 flow
456766-2 2-Critical SSL Session resumption with hybrid handshake might fail
456175-3 2-Critical Memory issues possible with really long interface names
455286-2 2-Critical BIG-IP might send both session ID and server certificate during renegotiation
451059-8 2-Critical SSL server does not check and validate Change Cipher Spec payload.
569718-3 3-Major Traffic not sent to default pool after pool selection from rule
553311-1 3-Major Route pool configuration may cause TMM to produce a core file
552532-3 3-Major Oracle monitor fails with certain time zones.
552385 3-Major Virtual servers using an SSL profile and two UDP profiles may not be accepted
547815-2 3-Major Potential DNS Transparent Cache Memory Leak
545704-3 3-Major TMM might core when using HTTP::header in a serverside event
544028-3 3-Major Verified Accept counter 'verified_accept_connections' might underflow.
543993-4 3-Major Serverside connections may fail to detach when using the HTTP and OneConnect profiles
543220-3 3-Major Global traffic statistics do not include PVA statistics
538603-3 3-Major TMM core file on pool member down with rate limit configured
537964-3 3-Major Monitor instances may not get deleted during configuration merge load
537553-3 3-Major tmm might crash after modifying virtual server SSL profiles in SNI configuration
533966-4 3-Major Double loopback nexthop release might cause TMM core.
532107-5 3-Major [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
530761-4 3-Major TMM crash in DNS processing on a TCP virtual
528407-6 3-Major TMM may core with invalid lasthop pool configuration
528188-4 3-Major Packet filters are by-passed for some fragmented ICMP echo requests to a virtual address
528007-5 3-Major Memory leak in ssl
527027-3 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
527024-2 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
526810-8 3-Major Crypto accelerator queue timeout is now adjustable
525958-10 3-Major TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
525322-6 3-Major Executing tmsh clientssl-proxy cached-certs crashes tmm
524960-5 3-Major 'forward' command does not work if virtual server has attached pool
523513-5 3-Major COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
521036-4 3-Major Dynamic ARP entry may replace a static entry in non-primary TMM instances.
520405-2 3-Major tmm restart due to oversubscribed DNS resolver
517790-11 3-Major When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
517510-5 3-Major HTTP monitor might add extra CR/LF pairs to HTTP body when supplied
517282-6 3-Major The DNS monitor may delay marking an object down or never mark it down
517124-6 3-Major HTTP::retry incorrectly converts its input
516598-6 3-Major Multiple TCP keepalive timers for same Fast L4 flow
516432-4 3-Major DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.
516320-5 3-Major TMM may have a CPU spike if match cross persist is used.
515482-6 3-Major Multiple teardown conditions can cause crash
515072-7 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
514419-7 3-Major TMM core when viewing connection table
514246-6 3-Major connflow_precise_check_begin does not check for NULL
513319-7 3-Major Incorrect handling of failing sideband connections from within an iRule may leak memory
513243-5 3-Major Improper processing of crypto error condition might cause memory issues.
512490-10 3-Major Increased latency during connection setup when using FastL4 profile and connection mirroring.
512148-7 3-Major Self IP address cannot be deleted when its VLAN is associated with static route
511517-8 3-Major Request Logging profile cannot be configured with HTTP transparent profile
511057-7 3-Major Config sync fails after changing monitor in iApp
510921-6 3-Major Database monitors do not support IPv6 nodes
510164-4 3-Major DNS Express zone RR statistics are correctly reset after zxfrd restart
507109-6 3-Major inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade
505705-6 3-Major Expired mirrored persistence entries not always freed using intra-chassis mirroring
504827-3 3-Major Use of DHCP relay virtual server might result in tmm crash 'top filter'.
503257-13 3-Major Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
502747-13 3-Major Incoming SYN generates unexpected ACK when connection cannot be recycled
498334-6 3-Major DNS express doesn't send zone notify response
495588-4 3-Major Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases
493140-6 3-Major Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.
493117-12 3-Major Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
490740-9 3-Major TMM may assert if HTTP is disabled by another filter while it is parked
490429-4 3-Major The dynamic routes for the default route might be flushed during operations on non-default route domains.
475649-6 3-Major HTTP::respond in explicit proxy scenarios may cause TMM crash due to assert
475125-2 3-Major Use of HTTP::retry may cause TMM crash
472748-4 3-Major SNAT pool stats are reflected in global SNAT stats
471059-7 3-Major Malformed cookies can break persistence
467551-5 3-Major TCP syncookie and Selective NACK (profile option) causes traffic to be dropped
464651-7 3-Major Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.
458822-5 3-Major Cluster status may be incorrect on secondary blades
453720-6 3-Major clientssl profile validation fails to detect config with no cert/key name and no cert/key
452246-4 3-Major The correct cipher may not be chosen on session resumption.
447043-11 3-Major Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
442869-7 3-Major GUI inaccessible on chassis when var/log/audit log is full
441638-9 3-Major CACHE::header insert fails with 'Out of bounds' error for 301 Cache response
441058-5 3-Major TMM can crash when a large number of SSL objects are created
429011-8 3-Major No support for external link down time on network failover
424831-4 3-Major State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
418890-5 3-Major OpenSSL bug can prevent RSA keys from rolling forward
364994-14 3-Major TMM may restart, or disabled connections may be reused, when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.
348000-16 3-Major HTTP response status 408 request timeout results in error being logged.
534458-4 4-Minor SIP monitor marks down member if response has different whitespace in header fields.
532799-4 4-Minor Static link route to a /32 pool member can end up using the destination broadcast MAC
513288-2 4-Minor Management traffic from nodes being health monitored might cause health monitors to fail.
503560-5 4-Minor Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
446830-2 4-Minor Current Sessions stat does not increment/decrement correctly.
446755-5 4-Minor Connections with ramcache and clientssl profile allowing non-SSL traffic may stall


Global Traffic Manager Fixes

ID Number Severity Description
469033-15 2-Critical Large big3d memory footprint.
437025-5 2-Critical big3d might exit during loading of large configs or when a connection to mcpd is dropped.
529460-5 3-Major Short HTTP monitor responses can incorrectly mark virtual servers down.
517582-5 3-Major [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.
510888-8 3-Major [LC] snmp_link monitor is not listed as available when creating link objects
494070-4 4-Minor BIG-IP DNS cannot use a loopback address with fallback IP load balancing


Application Security Manager Fixes

ID Number Severity Description
555057-1 2-Critical ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
555006-1 2-Critical ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
552139-3 2-Critical ASM limitation in the pattern matching matrix build-up
540424-1 2-Critical ASM REST: DESC modifier for $orderby option does not affect results
515728-4 2-Critical Repeated BD cores.
478351-2 2-Critical Changing management IP can lead to bd crash
475551-5 2-Critical Flaw in CSRF protection mechanism
547000-3 3-Major Enforcer application might crash on XML traffic when out of memory
544831 3-Major ASM REST: PATCH to a custom signature set's attackTypeReference is ignored
542511-1 3-Major 'Unhandled keyword ()' error message in GUI and/or various ASM logs
540390-1 3-Major ASM REST: Attack Signature Update cannot roll back to older attack signatures
538195-5 3-Major Incremental Manual sync does not allow overwrite of 'newer' ASM config
535188-5 3-Major Response Pages custom content with \n instead of \r\n on policy import.
534246-4 3-Major rest_uuid should be calculated from the actual values inserted to the entity
530598-2 3-Major Some Session Tracking data points are lost on TMM restart
529610-4 3-Major On HA setups, the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db
528071-2 3-Major ASM periodic updates (cron) write errors to log
526162-6 3-Major TMM crashes with SIGABRT
521183-3 3-Major Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5
519053-4 3-Major Request is forwarded truncated to the server after answering challenge on a big request
514313-3 3-Major Logging profile configuration is updated unnecessarily
502852-4 3-Major Deleting an in-use custom policy template
498189-6 3-Major ASM Request log does not show log messages.
491371-4 3-Major CMI: Manual sync does not allow overwrite of 'newer' ASM config
491352-4 3-Major Added ASM internal parameter to add more XML memory
484079-5 3-Major Change to signature list of manual Signature Sets does not take effect.
478674-10 3-Major ASM internal parameters for high availability timeout were not handled correctly
471766-3 3-Major Number of decoding passes configuration
470779-3 3-Major The Enforcer should exclude session awareness violations when counting illegal requests.
466423-1 3-Major ASM REST: Partial PATCH to User-Defined Signature-Set Filter Resets Other Fields to Defaults
442313-6 3-Major Content length header leading whitespaces should not be counted as digits
440913-2 3-Major Apply Policy Fails After Policy Diff and Merge


Application Visibility and Reporting Fixes

ID Number Severity Description
458823-2 2-Critical TMM Crash can lead to crash of other processes
535246 3-Major Table values are not correctly cleaned and can occupy entire disk space.
530952-4 3-Major MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
530356-1 3-Major Some AVR tables that hold ASM statistics are not being backed up in upgrade process.
529903-2 3-Major Incorrect reports on multi-bladed systems
474613-2 3-Major Upgrading from previous versions
537435-4 4-Minor Monpd might core if asking for export report by email while monpd is terminating


Access Policy Manager Fixes

ID Number Severity Description
553330-2 1-Blocking Unable to create a new document with SharePoint 2010
555507-3 2-Critical Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
537227-6 2-Critical EdgeClient may crash if special Network Access configuration is used
532340-2 2-Critical When FormBased SSO or SAML SSO are configured, tmm may restart at startup
530622-2 2-Critical EAM plugin uses high memory when serving very high concurrent user load
502269-2 2-Critical Large post requests may fail using form based SSO.
480272-8 2-Critical During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
459584-2 2-Critical TMM crashes if request URI is empty or longer than 4096 bytes.
437611-3 2-Critical ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204
558859 3-Major Control insertion to log_session_details table by Access policy logging level.
551764-1 3-Major [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
549588-3 3-Major EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
544992-2 3-Major Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp)
539270-2 3-Major A specific NTLM client fails to authenticate with BIG-IP
539229-4 3-Major EAM core while using Oracle Access Manager
537614-2 3-Major Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
532761-1 3-Major APM fails to handle compressed ICA file in integration mode
528808-2 3-Major Source NAT translation doesn't work when APM is disabled using iRule
526637-1 3-Major tmm crash with APM clientless mode
522791-1 3-Major HTML rewriting on client might leave 'style' attribute unrewritten.
482177-2 3-Major Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO
467256-1 3-Major Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat
462598-3 3-Major Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
446860-6 3-Major APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
533723-7 4-Minor [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
491080-2 4-Minor Memory leak in access framework
473685-2 4-Minor Websso truncates cookie domain value


WebAccelerator Fixes

ID Number Severity Description
525478-3 3-Major Requests for deflate encoding of gzip documents may crash TMM
517013-2 3-Major CSS minification can on occasion remove necessary whitespace
506557-5 3-Major IBR tags might occasionally be all zeroes.
506315-10 3-Major WAM/AAM is honoring OWS age header when not honoring OWS maxage.
501714-4 3-Major System does not prevent low-quality JPEGs from being optimized to a higher quality (becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS.
476476-9 3-Major Occasional inability to cache optimized PDFs and images
384072-5 3-Major Authorization requests not being cached when allowed.


Service Provider Fixes

ID Number Severity Description
528955-2 3-Major TMM may core when using Request Adapt profile
523854-4 3-Major TCP reset with RTSP Too Big error when streaming interleaved data


Advanced Firewall Manager Fixes

ID Number Severity Description
519252-1 3-Major SIP statistics upgrade
472125-3 3-Major IP Intelligence report data is not roll-forwarded between installations as it should


Carrier-Grade NAT Fixes

ID Number Severity Description
540484-4 2-Critical "show sys pptp-call-info" command can cause tmm crash
533562-5 2-Critical Memory leak in CGNAT can result in crash
515646-9 2-Critical TMM core when multiple PPTP calls from the same client
494743-8 2-Critical Port exhaustion errors on VIPRION 4800 when using CGNAT
494122-6 2-Critical Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades
490893-9 2-Critical Deterministic NAT state information incomplete for HSL log format
500424-5 3-Major dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
486762-2 3-Major lsn-pool connection limits may be invalid when mirroring is enabled
480119-5 3-Major Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514731-4 3-Major GTM fails to change GTM server with IPv4 'Address Translation' enabled
494305-6 4-Minor [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.
451211-3 4-Minor Error using GUI when setting debug option on GTM SIP monitor.


Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
534630-3 CVE-2015-5477 K16909 Upgrade BIND to address CVE 2015-5477
530829-2 CVE-2015-5516 K00032124 UDP traffic sent to the host may leak memory under certain conditions.
529509-4 CVE-2015-4620 K16912 BIND Vulnerability CVE-2015-4620
527799-10 CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 K16674 K16915 K16914 OpenSSL library in APM clients updated to resolve multiple vulnerabilities
527630-2 CVE-2015-1788 K16938 CVE-2015-1788 : OpenSSL Vulnerability
523032-5 CVE-2015-3456 K16620 qemu-kvm VENOM vulnerability CVE-2015-3456
506034-5 CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 K16393 NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)
532522-4 CVE-2015-1793 K16937 CVE-2015-1793
531576-2 CVE-2016-7476 K87416818 TMM vulnerability CVE-2016-7476
520466-3 CVE-2015-3628 K16728 Ability to edit iCall scripts is removed from resource administrator role
516618-4 CVE-2013-7424 K16472 glibc vulnerability CVE-2013-7424
513382-2 CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 K16317 Resolution of multiple OpenSSL vulnerabilities
527639-5 CVE-2015-1791 K16914 CVE-2015-1791 : OpenSSL Vulnerability
527638-5 CVE-2015-1792 K16915 OpenSSL vulnerability CVE-2015-1792
527637-5 CVE-2015-1790 K16898 PKCS #7 vulnerability CVE-2015-1790
527633-5 CVE-2015-1789 K16913 OpenSSL vulnerability CVE-2015-1789
500091-3 CVE-2015-0204 K16139 CVE-2015-0204 : OpenSSL Vulnerability


Functional Change Fixes

ID Number Severity Description
502443-9 2-Critical After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
520705-4 3-Major Edge client contains multiple duplicate entries in server list
490537-4 3-Major Persistence Records display in GUI might cause system crash with large number of records
374067-2 3-Major Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections


TMOS Fixes

ID Number Severity Description
516184 1-Blocking IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values
486758-6 1-Blocking Management port unreachable after install
542898 2-Critical Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
513454-2 2-Critical An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts
509503-3 2-Critical tmsh load sys config merge file 'filename' takes significant time for firewall rule-list configuration
507327-2 2-Critical Programs that read stats can leak memory on errors reading files
495335-4 2-Critical BWC related tmm core
479460-4 2-Critical SessionDb may be trapped in wrong HA state during initialization
420107-3 2-Critical TMM could crash when modifying HTML profile configuration
364978-2 2-Critical Active/standby system configured with unit 2 failover objects
546410-1 3-Major Configuration may fail to load when upgrading from version 10.x.
540638 3-Major GUI Device Management Overview to display device_trust_group
535806-4 3-Major Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
533458-2 3-Major Insufficient data for determining cause of HSB lockup.
533257-1 3-Major tmsh config file merge may fail when AFM security log profile is present in merged file
530122 3-Major Improvements in building hotfix images for hypervisors.
527021-2 3-Major BIG-IQ iApp statistics corrected for empty pool use cases
526419-2 3-Major Deleting an iApp service may fail
524326-3 3-Major Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips
524126-3 3-Major The DB variable provision.tomcat.extramb is cleared on first boot.
523125-1 3-Major Disabling/enabling blades in cluster can result in inconsistent failover state
520640-1 3-Major The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
519877-3 3-Major External pluggable module interfaces not disabled correctly.
519068-2 3-Major device trust setup can require restart of devmgmtd
518039-2 3-Major BIG-IQ iApp statistics corrected for partition use cases
517580-2 3-Major OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
516669-2 3-Major Rarely occurring SOD core causes failover.
513974-4 3-Major Transaction validation errors on object references
513916-4 3-Major String iStat rollup not consistent with multiple blades
513649-3 3-Major Transaction validation errors on object references
510119-3 3-Major HSB performance can be suboptimal when transmitting TSO packets.
509782-2 3-Major TSO packets can be dropped with low MTU
509504-4 3-Major Excessive time to save/list a firewall rule-list configuration
507575-3 3-Major An incorrectly formatted NAPTR creation via iControl can cause an error.
507331-6 3-Major Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.
506041-5 3-Major Folders belonging to a device group can show up on devices not in the group
502238-2 3-Major Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501517-5 3-Major Very large configuration can cause transaction timeouts on secondary blades
499260-2 3-Major Deleting trust-domain fails when standby IP is in ha-order
497564-5 3-Major Improve High Speed Bridge diagnostic logging on transmit/receive failures
483683-7 3-Major MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
481696-5 3-Major Failover error message 'sod out of shmem' in /var/log/ltm
473348-5 3-Major SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
472365-5 3-Major The vCMP worker-lite system occasionally stops due to timeouts
470184-1 3-Major In Configuration Utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List
455264-2 3-Major Error messages are not clear when adding member to device trust fails
451602-6 3-Major DPD packet drops with keyed VLAN connections
441100-1 3-Major iApp partition behavior corrected
436682-6 3-Major Optical SFP modules show a higher optical power output for disabled switch ports
410398-8 3-Major sys db tmrouted.rhifailoverdelay does not seem to work
405752-2 3-Major TCP Half Open monitors sourced from specific source ports can fail
362267-2 3-Major Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
359774-5 3-Major Pools in HA groups other than Common
355661-2 3-Major sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
523863-1 4-Minor istats help not clear for negative increment
475647-3 4-Minor VIPRION Host PIC firmware version 7.02 update
465009-2 4-Minor VIPRION B2100-series LOP firmware version 2.10 update
464043-4 4-Minor Integration of Firmware for the 2000 Series Blades
460456-3 4-Minor FW RELEASE: Incorporate 5000, 5050, 5250 BIOS 2.06.214.0
460444-3 4-Minor VIPRION B4300 BIOS version 2.03.052.0 update
460428-3 4-Minor BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update
460422-3 4-Minor BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms.
460406-3 4-Minor VIPRION B2100-series BIOS version 1.06.043.0 update
460397-3 4-Minor FW RELEASE: Incorporate B2250 BIOS 1.26.012.0
447075-3 4-Minor CuSFP module plugged in during links-down state will cause remote link-up
443298-3 4-Minor FW Release: Incorporate VIPRION 2250 LOP firmware v1.20


Local Traffic Manager Fixes

ID Number Severity Description
522784-3 1-Blocking After restart, system remains in the INOPERATIVE state
420341-5 1-Blocking Connection Rate Limit Mode when limit is exceeded by one client also throttles others
419458-3 1-Blocking HTTP is more efficient in buffering data
530963-3 2-Critical BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
530769 2-Critical F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment.
528432-1 2-Critical Control plane CPU usage reported too high
527826-1 2-Critical IP Intelligence update failed: Missing SSL certificate
527649-1 2-Critical Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.
523079-1 2-Critical Merged may crash when file descriptors exhausted
521548-5 2-Critical Possible crash in SPDY
521336-1 2-Critical pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
499422-2 2-Critical An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.
478592-5 2-Critical When using the SSL forward proxy feature, clients might be presented with expired certificates.
474601-4 2-Critical FTP connections are being offloaded to ePVA
468375-2 2-Critical TMM crash when MPTCP JOIN arrives in the middle of a flow
450814-9 2-Critical Early HTTP response might cause rare 'server drained' assertion
443157-1 2-Critical zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db
431283-3 2-Critical iRule binary scan may core TMM when the offset is large
402412-10 2-Critical FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
545821 3-Major Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
530795-1 3-Major In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
524666-2 3-Major DNS licensed rate limits might be unintentionally activated.
522147-1 3-Major 'tmsh load sys config' fails after key conversion to FIPS using web GUI
521813-3 3-Major Cluster is removed from HA group on restart
521774-2 3-Major Traceroute and ICMP errors may be blocked by AFM policy
521538-3 3-Major Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522-2 3-Major Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408-2 3-Major Incorrect configuration in BigTCP Virtual servers can lead to TMM core
520540-2 3-Major Specific iRule commands may generate a core file
518086-1 3-Major Safenet HSM Traffic failure after system reboot/switchover
518020-10 3-Major Improved handling of certain HTTP types.
517556-2 3-Major DNSSEC unsigned referral response is improperly formatted
515759-2 3-Major Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
515139-4 3-Major Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
514604-2 3-Major Nexthop object can be freed while still referenced by another structure
512383-4 3-Major Hardware flow stats are not consistently cleared during fastl4 flow teardown.
510638-2 3-Major [DNS] Config change in dns cache resolver does not take effect until tmm restart
507529 3-Major Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
507127-1 3-Major DNS cache resolver is inserted to a wrong list on creation.
504899-1 3-Major Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
504105-3 3-Major RRDAG enabled UDP ports may be used as source ports for locally originated traffic
501516-4 3-Major If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
497584-5 3-Major The RA bit on DNS response may not be set
496758-4 3-Major Monitor Parameters saved to config in a certain order may not construct parameters correctly
488600-1 3-Major iRule compilation fails on upgrade
479682-5 3-Major TMM generates hundreds of ICMP packets in response to a single packet
478617-7 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
478439-5 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
478257-6 3-Major Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
476097-3 3-Major TCP Server MSS option is ignored in verified accept mode
468472-6 3-Major Unexpected ordering of internal events can lead to TMM core.
465590-4 3-Major Mirrored persistence information is not retained while flows are active
462714-3 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
460627-5 3-Major SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
455762-3 3-Major DNS cache statistics incorrect
454018-6 3-Major Nexthop to tmm0 ref-count leakage could cause TMM core
452439-4 3-Major TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads
451960-3 3-Major HTTPS monitors do not work with FIPS keys
449848-5 3-Major Diameter Monitor not waiting for all fragments
442686-1 3-Major DNSX Transfers Occur on DNSX authoritative server change
422107-7 3-Major Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
422087-4 3-Major Low memory condition caused by Ram Cache may result in TMM core
375887-5 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
374339-5 3-Major HTTP::respond/redirect might crash TMM under low-memory conditions
352925-4 3-Major Updating a suspended iRule and TMM process restart
342013-5 3-Major TCP filter doesn't send keepalives in FIN_WAIT_2
514729-1 4-Minor 10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0.


Global Traffic Manager Fixes

ID Number Severity Description
515797-2 2-Critical Using qos_score command in RULE_INIT event causes TMM crash
526699-5 3-Major TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
516685-1 3-Major ZoneRunner might fail to load valid zone files.
516680-1 3-Major ZoneRunner might fail when loading valid zone files.
515033-1 3-Major [ZRD] A memory leak in zrd
515030-2 3-Major [ZRD] A memory leak in Zrd
496775-6 3-Major [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor
471819-1 3-Major The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
465951-1 3-Major If net self description size =65K, gtmd restarts continuously
225443-6 3-Major gtmparse fails to load if you add unsupported SIP monitor parameters to the config
479084-3 4-Minor ZoneRunner can fail to respond to commands after a VE resume.
353556-2 4-Minor big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed


Application Security Manager Fixes

ID Number Severity Description
524428-2 2-Critical Adding multiple signature sets concurrently via REST
524004-2 2-Critical Adding multiple signatures concurrently via REST
520280-2 2-Critical Perl Core After Apply Policy Action
516523-1 2-Critical Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group
487420-3 2-Critical BD crash upon stress on session tracking
532030-2 3-Major ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
526856-2 3-Major "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
523261-2 3-Major ASM REST: MCP Persistence is not triggered via REST actions
523260-2 3-Major Apply Policy finishes with coapi_query failure displayed
523201-1 3-Major Expired files are not cleaned up after receiving an ASM Manual Synchronization
520796-2 3-Major High ASCII characters availability for policy encoding
520585-1 3-Major Changing Security Policy Application Language Is Not Validated or Propagated Properly
516522-2 3-Major After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.
514061-1 3-Major False positive scenario causes SMTP transactions to hang and eventually reset.
512668-2 3-Major ASM REST: Unable to Configure Clickjacking Protection via REST
510499-1 3-Major System Crashes after Sync in an ASM-only Device Group.
506407-1 3-Major Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages


Application Visibility and Reporting Fixes

ID Number Severity Description
533098 3-Major Traffic capture filter not catching all relevant transactions
531526-1 3-Major Missing entry in SQL table leads to misleading ASM reports
525708-2 3-Major AVR reports of last year are missing the last month data
519022-1 3-Major Upgrade process fails to convert ASM predefined scheduled-reports.


Access Policy Manager Fixes

ID Number Severity Description
525920 1-Blocking VPE fails to display access policy
492149-2 1-Blocking Inline JavaScript with HTML entities may be handled incorrectly
488736-6 1-Blocking Fixed problem with iNotes 9 Instant Messaging
482266-1 1-Blocking Windows 10 support for Network Access / BIG-IP Edge Client
482241-5 1-Blocking Windows 10 cannot be properly detected
437670-2 1-Blocking Race condition in APM windows client on modifying DNS search suffix
526833 2-Critical Reverse Proxy produces JS error: 'is_firefox' is undefined
526754-3 2-Critical F5unistaller.exe crashes during uninstall
525562-2 2-Critical Debug TMM Crashes During Initialization
520298-1 2-Critical Java applet does not work
520145-2 2-Critical [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
519864-2 2-Critical Memory leak on L7 Dynamic ACL
518260-4 2-Critical Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988-1 2-Critical TMM may crash if access profile is updated while connections are active
517146-2 2-Critical Log ID 01490538 may be truncated
516075-5 2-Critical Linux command line client fails with on-demand cert
514220-2 2-Critical New iOS-based VPN client may fail to create IPv6 VPN tunnels
513581 2-Critical Occasional TMM crash when HTTP payload is scanned through SWG
509490-1 2-Critical [IE10]: attachEvent does not work
507681-9 2-Critical Window.postMessage() does not send objects in IE11
506223-1 2-Critical A URI in request to cab-archive in iNotes is rewritten incorrectly
497118-6 2-Critical Tmm may restart when SAML SLO is triggered
487399-3 2-Critical VDI plugin crashes when View client disconnects prematurely
474058-7 2-Critical When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
471874-6 2-Critical VDI plugin crashes when trying to respond to client after client has disconnected
452163-1 2-Critical Cross-domain functionality is broken in AD Query
451469-3 2-Critical APM User Identity daemon doesn't generate core
540778 3-Major Multiple SIGSEGV with core and failover with no logged indicator
539013-2 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537000-3 3-Major Installation of Edge Client can cause Windows 10 crash in some cases
534755-2 3-Major Deleting APM virtual server produces ERR_NOT_FOUND error
532096-3 3-Major Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
531883-3 3-Major Windows 10 App Store VPN Client must be detected by BIG-IP APM
531483-1 3-Major Copy profile might end up with error
530697-3 3-Major Windows Phone 10 platform detection
530697-3 3-Major Win10 and IE11 are not determined in case of DIRECT rule of proxy autoconfig script
528726-2 3-Major AD/LDAP cache size reduced
528675-3 3-Major BIG-IP EDGE Client can stay in the "disconnecting..." state indefinitely when the captive portal session has expired
526617-2 3-Major TMM crash when logging a matched ACL entry with IP protocol set to 255
526578-2 3-Major Network Access client proxy settings are not applied on German Windows
526492-3 3-Major DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275-2 3-Major VMware View RSA/RADIUS two factor authentication fails
526084-1 3-Major Windows 10 platform detection for BIG-IP EDGE Client
525384-3 3-Major Network Access PAC file can now be located on an SMB share
524909-3 3-Major Windows info agent could not be passed from Windows 10
523431-1 3-Major Windows Cache and Session Control cannot support a period in the access profile name
523390-1 3-Major Minor memory leak on IdP when SLO is configured on bound SP connectors.
523329 3-Major When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart under certain conditions.
523327-3 3-Major In very rare cases Machine Certificate service may fail to find private key
523222-7 3-Major Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521835-1 3-Major [Policy Sync] Connectivity profile with a customized logo fails
521773-1 3-Major Memory leak in Portal Access
521506-3 3-Major Network Access doesn't restore loopback route on multi-homed machine
520642-2 3-Major Rewrite plugin should check length of Flash files and tags
520390-2 3-Major Reuse existing option is ignored for smtp servers
520205-2 3-Major Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
520118-3 3-Major Duplicate server entries in Server List.
519966-1 3-Major APM "Session Variables" report shows user passwords in plain text
519415-4 3-Major apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )
519198-2 3-Major [Policy Sync] UI General Exception Error when syncing a policy in a non-default partition as a non-default admin user
518981-1 3-Major RADIUS accounting STOP message may not include long class attributes
518583-3 3-Major Network Access on disconnect restores redundant default route after looped network roaming for Windows clients
517564-2 3-Major APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
517441-4 3-Major apd may crash when RADIUS accounting message is greater than 2K
516839-7 3-Major Add client type detection for Microsoft Edge browser
516462-3 3-Major Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
515943-1 3-Major "Session variables" report may show empty if session variable value contains non-English characters
514912-2 3-Major Portal Access scripts had not been inserted into HTML page in some cases
513969-2 3-Major UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953-2 3-Major RADIUS Auth/Acct might fail if server response size is more than 2K
513706-3 3-Major Incorrect metric restoration on Network Access on disconnect (Windows)
513283 3-Major Mac Edge Client doesn't send client data if access policy expired
513165-1 3-Major SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute
513098-2 3-Major localdb_mysql_restore.sh failed with exit code
512345-6 3-Major Dynamic user record removed from memcache but remains in MySQL
512245 3-Major Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
511961-2 3-Major BIG-IP Edge Client does not display logon page for FirePass
511854-3 3-Major Rewriting URLs at client side does not rewrite multi-line URLs
511648-3 3-Major On standby TMM can core when active system sends leasepool HA commands to standby device
511441-2 3-Major Memory leak on request Cookie header longer than 1024 bytes
510709-3 3-Major Websso start URI match fails if there are more than 2 start URIs in SSO configuration.
507116-3 3-Major Web-application issues and/or unexpected exceptions.
505755-4 3-Major Some scripts on a dynamically loaded HTML page might not be executed.
500938-4 3-Major Network Access can be interrupted if second NIC is disconnected
500450-2 3-Major ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.
498782-5 3-Major Config snapshots are deleted when failover happens
495702-3 3-Major Mac Edge Client cannot be downloaded sometimes from management UI
495336-5 3-Major Logon page is not displayed correctly when 'force password change' is on for local users.
494565-3 3-Major CSS patcher crashes when a quoted value consists of spaces only
494189-3 3-Major Poor performance in clipboard channel when copying
493006 3-Major Export of huge policies might end up with 'too many pipes opened' error
492701-2 3-Major Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492305-2 3-Major Recurring file checker doesn't interrupt session if client machine has missing file
490830-3 3-Major Protected Workspace is not supported on Windows 10
488105-2 3-Major TMM may generate core during certain config change.
483792-6 3-Major When iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
483286-2 3-Major APM MySQL database full as log_session_details table keeps growing
482699-2 3-Major VPE displaying "Uncaught TypeError"
482269-2 3-Major APM support for Windows 10 out-of-the-box detection
482251-2 3-Major Portal Access. Location.href(url) support.
480761-2 3-Major Fixed issue causing TunnelServer to crash during reconnect
479451-2 3-Major Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
478492-5 3-Major Incorrect handling of HTML entities in attribute values
478333-4 3-Major Edge Client shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions
474779-2 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
474698-5 3-Major BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
473255-2 3-Major JavaScript submit() method could be rewritten incorrectly inside of 'with' statement.
472256-4 3-Major tmsh and tmctl report unusually high counter values
472062-2 3-Major Unmangled requests when form.submit with arguments is called in the page
471117-3 3-Major iframe with JavaScript in 'src' attribute not handled correctly in IE11
468441-2 3-Major OWA2013 may work incorrectly via Portal Access in IE10/11
468433-2 3-Major OWA2013 may work incorrectly via Portal Access in IE10/11
468137-12 3-Major Network Access logs missing session ID
466745-2 3-Major Cannot set the value of a session variable with a leading hyphen.
457902-5 3-Major No EAM log stack trace in /var/log/apm on EAM crash event.
457760-6 3-Major EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
457603-3 3-Major Cookies handling issue with Safari on iOS6, iOS7
457525-3 3-Major When DNS resolution for AppTunnel resource fails, the resource is removed
454086-4 3-Major Portal Access issues with Firefox version 26.0.0 or later
452527-2 3-Major Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode
442528-5 3-Major Demangle filter crash
440841-4 3-Major sso and apm split tunnelling log message is at notice level
438969-2 3-Major HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain
437744-7 3-Major SAML SP service metadata exported from APM may fail to import.
425882-4 3-Major Windows EdgeClient's configuration file could be corrupted on system reboot/sleep
424936-1 3-Major apm_mobile_ppc.css has duplicate 1st line
423282-7 3-Major BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
420512-1 3-Major All Messages report does not display any data when the Log Levels are selected to filter data based on Log levels
416115-13 3-Major Edge client continues to use old IP address even when server IP address changed
408851-3 3-Major Some Java applications do not work through BIG-IP server
402793-13 3-Major APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
532394-1 4-Minor Client to log value of "SearchList" registry key.
524756-1 4-Minor APM Log is filled with errors about failing to add/delete session entry
517872-2 4-Minor Include proxy hostname in logs in case of name resolution failure
513201-5 4-Minor Edge client is missing localization of some English text in Japanese locale
510596-5 4-Minor Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
510459-2 4-Minor In some cases Access does not redirect client requests
507321-2 4-Minor JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
504461-3 4-Minor Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
497627-2 4-Minor Tmm cores while using APM network access and no leasepool is created on the BIG-IP system.
482145-4 4-Minor Text in buttons not centered correctly for higher DPI settings
464547-5 4-Minor Show proper error message when VMware View client sends invalid credentials to APM
454784-2 4-Minor In VPE, %xx symbols, such as in the Variable Assign agent, might be decoded incorrectly.


WebAccelerator Fixes

ID Number Severity Description
514785-3 1-Blocking TMM crash when processing AAM-optimized video URLs
522231-2 3-Major TMM may crash when a client resets a connection
521455-5 3-Major Images transcoded to WebP format delivered to Edge browser
511534-2 3-Major A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.
476460-4 3-Major WAM Range HTTP header limited to 8 ranges
421791-4 3-Major Out of Memory Error


Wan Optimization Manager Fixes

ID Number Severity Description
461216-2 2-Critical Cannot rename some files using CIFS optimization of the BIG-IP system.
497389-2 3-Major Extraneous dedup_admin core
457568-1 3-Major Loading of configuration fails intermittently due to WOC Plug-in-related issues.


Service Provider Fixes

ID Number Severity Description
521556-2 2-Critical Assertion "valid pcb" in TCP4 with ICAP adaptation
516057-5 2-Critical Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
503652-1 2-Critical Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
512054-4 3-Major CGNAT SIP ALG - RTP connection not created after INVITE
511326-3 3-Major SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
499701-6 3-Major SIP Filter drops UDP flow when ingressq len limit is reached.
480311-4 3-Major ADAPT should be able to work with OneConnect
448493-11 3-Major SIP response from the server to the client get dropped


Advanced Firewall Manager Fixes

ID Number Severity Description
524748 2-Critical PCCD optimization for IP address range
468688-1 2-Critical Initial sync fails for upgraded pair (11.5.x to 11.6)
530865-1 3-Major AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
523465-1 3-Major Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
515187 3-Major Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
515112-2 3-Major Delayed ehash initialization causes crash when memory is fragmented.
513565-3 3-Major AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
509919-1 3-Major Incorrect counter for SelfIP traffic on cluster
497671 3-Major iApp GUI: Unable to add FW Policy/Rule to context via iApp
485880-3 3-Major Unable to apply ASM policy with forwarding CPM policy via GUI, generic error
459024-1 3-Major Error: L4 packets were hitting configured WL entries because the protocol was not being matched for them
533808-2 4-Minor Unable to create new rule for virtual server if order is set to "before"/"after"
533336-1 4-Minor Display 'description' for port list members
510226-1 4-Minor All descriptions for ports-list's members are flushed after the port-list was updated
495432-1 5-Cosmetic Add new log messages for AFM rule blob load/activation in datapath.


Policy Enforcement Manager Fixes

ID Number Severity Description
491771-1 2-Critical Parking command called from inside catch statement
450779-1 2-Critical PEM source or destination flow filter attempts match against both source and destination IPs of a flow
439249-1 2-Critical PEM:Initial quota request in the rating group request is not as configured.
526295-4 3-Major BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id
511064-2 3-Major Repeated install/uninstall of policy with usage monitoring stops after second time
495913-3 3-Major TMM core with CCA-I policy received with uninstall
478399-6 3-Major PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured.
464273-1 3-Major PEM: CCR-I for the Gx session has only one subscriber ID type even if session created has more than one type
438608-1 3-Major PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU)
438092-2 3-Major PEM: CCR-U triggered by RAR during Gy session will not have Requested Service Unit (RSU)
449643-2 4-Minor Error messages "Gx uninit failed!" and "Gy unint failed!" received during boot of the system


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514236-2 3-Major [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses


Device Management Fixes

ID Number Severity Description
525595-1 1-Blocking Memory leak of inbound sockets in restjavad.
509273-3 2-Critical hostagentd consumes memory over time
509120-1 2-Critical BIG-IQ is unable to discover older BIG-IP versions due to over-zealous grooming


Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
511651-2 CVE-2015-5058 K17047 CVE-2015-5058: Performance improvement in packet processing.


Functional Change Fixes

None



Cumulative fixes from BIG-IP v11.5.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
513034-2 CVE-2015-4638 K17155 TMM may crash if Fast L4 virtual server has fragmented packets
492368-10 CVE-2014-8602 K15931 Unbound vulnerability CVE-2014-8602
489323-6 CVE-2015-8098 K43552605 Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.
507842-4 CVE-2015-1349 K16356 Patch for BIND Vulnerability CVE-2015-1349
500088-10 CVE-2014-3571 K16123 OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update
497719-12 CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 K15934 NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296
447483-7 CVE-2014-3959 K15296 CVE-2014-3959


Functional Change Fixes

ID Number Severity Description
500303-11 1-Blocking Virtual Address status may not be reliably communicated with route daemon
499947-3 2-Critical Improved performance loading thousands of Virtual Servers
502770-3 3-Major clientside and serverside command crashes TMM
451433-2 3-Major HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)
368824-1 3-Major There is no indication that a failed standby cannot go active.


TMOS Fixes

ID Number Severity Description
477218-6 1-Blocking Simultaneous stats query and pool configuration change results in process exit on secondary.
452656-4 1-Blocking NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'
425729-1 1-Blocking mcpd debug logging hardening
509276-3 2-Critical VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
507487-3 2-Critical ZebOS Route not withdrawn when VAddr/VIP down and no default pool
504496-4 2-Critical AAA Local User Database may sync across failover groups
501343-2 2-Critical In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
484733-5 2-Critical aws-failover-tgactive.sh doesn't skip network forwarding virtuals
477281-9 2-Critical Improved XML Parsing
471860-2 2-Critical Disabling interface keeps DISABLED state even after enabling
467196-4 2-Critical Log files limited to 24 hours
466266-3 2-Critical In rare cases, an upgrade (or a restart) can result in an Active/Active state
438674-4 2-Critical When log filters include tamd, tamd process may leak descriptors
430323-3 2-Critical VXLAN daemon may restart when 8000 VXLAN tunnels are configured
412160-4 2-Critical vCMP provisioning may cause continual tmm crash.
394236-4 2-Critical MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
514450-2 3-Major VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
513294-1 3-Major LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
512485-2 3-Major Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
503604-2 3-Major Tmm core when switching from interface tunnel to policy based tunnel
501953-1 3-Major HA failsafe triggering on standby device does not clear next active for that device.
501371-2 3-Major mcpd sometimes exits while doing a file sync operation
500234-3 3-Major TMM may core during failover due to invalid memory access in IPsec components
495526-2 3-Major IPsec tunnel interface causes TMM core at times
494367-4 3-Major HSB lockup after HiGig MAC reset
491791-2 3-Major GET on non-existent pool members does not show error
489750-2 3-Major Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
488374-3 3-Major Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
484706-7 3-Major Incremental sync of iApp changes may fail
477789-2 3-Major SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.
468235-3 3-Major The worldwide City database (City2) does not contain all of the appropriate Proxy strings.
456573-5 3-Major Sensor read faults with DC power supply
453489-3 3-Major userauth_hostbased mismatch: warnings from VIPRION for localhost or slotN
439343-9 3-Major Client certificate SSL authentication unable to bind to LDAP server
420204-2 3-Major FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
509063-1 4-Minor Creating or loading guest on cluster with empty slot 1 can result in error
493223-2 4-Minor syscalld core dumps now keep more debugging information
441642-4 4-Minor /etc/monitors/monitors_logrotate.conf contains an error
437637-2 4-Minor Sensor critical alarm: Main board +0.9V_CN35XX
492422-3 5-Cosmetic HTTP request logging reports incorrect response code
456263 5-Cosmetic Platform marketing name for B4300 is incorrectly shown as A108
440605-4 5-Cosmetic Unknown BigDB variable type 'port_list'


Local Traffic Manager Fixes

ID Number Severity Description
445329-2 1-Blocking DNS cache resolver connections can be slow to terminate
507611-1 2-Critical On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
506304-3 2-Critical UDP connections may stall if initialization fails
505222-3 2-Critical DTLS drops egress packets when traffic is large
504225-1 2-Critical Virtual creation with the multicast IPv6 address returns error message
503620-2 2-Critical ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
495030-3 2-Critical Segfault originating from flow_lookup_nexthop.
493558-3 2-Critical TMM core due to SACK hole value mismatch
486450-5 2-Critical iApp re-deployment causes mcpd on secondaries to restart
480370-7 2-Critical Connections to virtual servers with port-preserve property will cause connections to leak in TMM
475460-6 2-Critical tmm can crash if a client-ssl profile is in use without a CRL
474974-2 2-Critical Fix ssl_profile nref counter problem.
474388-4 2-Critical TMM restart, SIGSEGV messages, and core
456853-2 2-Critical DTLS cannot handle client certificate when client does not send CertVerify message.
511130-2 3-Major TMM core due to invalid memory access while handling CMP acknowledgement
510720-2 3-Major iRule table command resumption can clear the header buffer before the HTTP command completes
510264-2 3-Major TMM core associated with smtps profile.
508716-3 3-Major DNS cache resolver drops chunked TCP responses
506702-2 3-Major TSO can cause rare TMM crash.
506282-5 3-Major GTM DNSSEC keys generation is not synchronized upon key creation
505964-3 3-Major Invalid http cookie handling can lead to TMM core
504633-7 3-Major DTLS should not update 'expected next sequence number' when the record is bad.
504396-3 3-Major When a virtual's ARP or ICMP is disabled, the wrong mac address is used
504306-7 3-Major https monitors might fail to re-use SSL sessions.
503979-3 3-Major High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
503741-14 3-Major DTLS session should not be closed when it receives a bad record.
503118-1 3-Major clientside and serverside command crashes TMM
502959-3 3-Major Unable to get response from virtual server after node flapping
502683-6 3-Major Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
502174-6 3-Major DTLS fragments do not work for ClientHello message.
502149-2 3-Major Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
501690-7 3-Major TMM crash in RESOLV::lookup for multi-RR TXT record
499950-6 3-Major In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
499946-2 3-Major Nitrox might report bad records on highly fragmented SSL records
499430-6 3-Major Standby unit might bridge network ingress packets when bridge_in_standby is disabled
499150-2 3-Major OneConnect does not reuse existing connections in VIP targeting VIP configuration
497742-5 3-Major Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
495574-6 3-Major DB monitor functionality might cause memory issues
495443-3 3-Major ECDH negotiation failures logged as critical errors.
495253-5 3-Major TMM may core in low memory situations during SSL egress handling
494322-5 3-Major The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
493673-5 3-Major DNS record data may have domain names compressed when using iRules
491518-5 3-Major SSL persistence can prematurely terminate TCP connection
491454-8 3-Major SSL negotiation may fail when SPDY profile is enabled
490713-5 3-Major FTP port might occasionally be reused faster than expected
485472-4 3-Major iRule virtual command allows for protocol mismatch, resulting in crash
485176-5 3-Major RADIUS::avp replace command cores TMM when only two arguments are passed to it
484305-5 3-Major Clientside or serverside command with parking command crashes TMM
483539-6 3-Major With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
481844-4 3-Major tmm can crash and/or use the wrong CRL in certain conditions
481216-5 3-Major Fallback may be attempted incorrectly in an abort after an Early Server Response
478734-4 3-Major Incorrect 'FIPS import for failed for key' failure when operation actually succeeds
471625-7 3-Major After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
471535-6 3-Major TMM cores via assert during EPSV command
461587-6 3-Major TCP connection can become stuck if client closes early
456763-2 3-Major L4 forwarding and TSO can cause rare TMM outages
456413-4 3-Major Persistence record marked expired though related connection is still active
455840-5 3-Major EM analytic does not build SSL connection with discovered BIG-IP system
447272-4 3-Major Chassis with MCPD audit logging enabled will sync updates to device group state
444710-8 3-Major Out-of-order TCP packets may be dropped
438792-10 3-Major Node flapping may, in rare cases, lead to inconsistent persistence behavior
435335-6 3-Major SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize
428163-2 3-Major Removing a DNS cache from configuration can cause TMM crash
415358-6 3-Major Remote login shell hardening
384451-8 3-Major Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions
498597-8 4-Minor SSL profile fails to initialize and might cause SSL operation issues
459884-5 4-Minor Large POST requests are not handled well by APM.
451224-2 4-Minor IP packets that are fragmented by TMM, the fragments will have their DF bit
436468-2 4-Minor DNS cache resolver TCP current connection stats not always decremented properly
442647-4 5-Cosmetic IP::stats iRule command reports incorrect information past 2**31 bits
435044-4 5-Cosmetic Erroneous 'FIPS open failed' error on platforms without FIPS hardware


Performance Fixes

ID Number Severity Description
497619-7 3-Major TMM performance may be impacted when server node is flapping and persist is used


Global Traffic Manager Fixes

ID Number Severity Description
479142-8 3-Major Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
468519-6 3-Major BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.
420440-7 3-Major Multi-line TXT records truncated by ZoneRunner file import
491554-5 4-Minor [big3d] Possible memory leakage for auto-discovery error events.


Application Security Manager Fixes

ID Number Severity Description
464735-1 2-Critical Errors and unavailable virtual server upon deactivation of ASM policy that is assigned to a non-default rule of L7 policy
509968 3-Major BD crash when a specific configuration change happens
501612-5 3-Major Spurious Configuration Synchronizations
485764-4 3-Major WhiteHat vulnerability assessment tool is configured but integration does not work correctly
482915-7 3-Major Learning suggestion for the maximum headers check violation appears only for blocked requests
475819-6 3-Major BD crash when trying to report attack signatures
442157-2 3-Major Incorrect assignment of ASM policy to virtual server
512687-2 4-Minor Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal through GUI


Application Visibility and Reporting Fixes

ID Number Severity Description
441214-3 2-Critical monpd core dumps in case of MySQL crash
497681-3 3-Major Tuning of Application DoS URL qualification criteria
479334-4 3-Major monpd/ltm log errors after Hotfix is applied
439514-6 4-Minor Different time-stamps are translated to the same time (due to DST clock change) and causes database errors


Access Policy Manager Fixes

ID Number Severity Description
488986-13 1-Blocking Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
441613-8 1-Blocking APM TMUI Vulnerability CVE-2015-8022
507782-6 2-Critical TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
506235-4 2-Critical SIGSEGV caused by access_redirect_client_to_original_uri
505101-4 2-Critical tmm may panic due to accessing uninitialized memory
495901-4 2-Critical Tunnel Server crash if probed on loopback listener.
494098-9 2-Critical PAC file download mechanism race condition
493360-4 2-Critical Fixed possible issue causing Edge Client to crash during reconnect
489328-8 2-Critical Accessing a BIG-IP virtual server in multiple tabs with long initial URLs before session creation can cause a TMM crash.
484454-7 2-Critical Users not able to log on after failover
441790 2-Critical Logd core formed, while executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms
511893 3-Major Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
509956-5 3-Major Improved handling of cookie values inside SWG blocked page.
509758-3 3-Major EdgeClient shows incorrect warning message about session expiration
508719-7 3-Major APM logon page missing title
508630-3 3-Major The APM client does not clean up DNS search suffixes correctly in some cases
507318-2 3-Major JS error when sending message from DWA new message form using Chrome
506349-5 3-Major BIG-IP Edge Client for Mac identified as browser by APM in some cases
504606-6 3-Major Session check interval now has minimum value
503319-5 3-Major After network access is established browser sometimes receives truncated proxy.pac file
502441-7 3-Major Network Access connection might reset for large proxy.pac files.
501498-4 3-Major APM CTU doesn't pick up logs for Machine Certificate Service
499620-8 3-Major BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-4 3-Major Windows File Check does not work if the filename starts with an ampersand
498469-8 3-Major Mac Edge Client fails intermittently with machine certificate inspection
497436-3 3-Major Mac Edge Client behaves erratically while establishing network access connection
497325-5 3-Major New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment
496817-7 3-Major Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy
495319-9 3-Major Connecting to FP with APM edge client is causing corporate network to be inaccessible
495265-6 3-Major SAML IdP and SP configured in same access profile not supported
494637-6 3-Major localdbmgr process in constant restart/core loop
494284-10 3-Major Mac Edge Client with primary language of German shows unneeded text under disconnected status.
494176-1 3-Major Network access to FP does not work on Yosemite using APM Mac Edge Client.
494088-5 3-Major APD or APMD should not assert when it can do more by logging error message before exiting.
494008-4 3-Major tmm crash while initializing the URL filter context for SWG.
493487-5 3-Major Function::call() and Function::apply() wrapping does not work as expected
493164-4 3-Major flash.net.NetConnection::connect() has an erroneous security check
492238-9 3-Major When logging out of Office 365 TMM may restart
492153-7 3-Major Edge clients shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel, changes to deprecated.
491233-9 3-Major Rare deadlock in CustomDialer component
490844-2 3-Major Some controls on a web page might stop working.
490681-5 3-Major Memcache entry for dynamic user leaks
490675-5 3-Major User name with leading or trailing spaces creates problems.
489382-8 3-Major Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
488892-4 3-Major JavaRDP client disconnects
486597-7 3-Major Fixed Network Access renegotiation procedure
486268-7 3-Major APM logon page missing title
485355-4 3-Major Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
484847-13 3-Major DTLS cannot be disabled on Edge Client for troubleshooting purposes
484582-3 3-Major APM Portal Access is inaccessible.
483601-4 3-Major APM sends a logout Bookmarked Access whitelist URL when session is expired.
480817-4 3-Major Added options to troubleshoot client by disabling specific features
480242-7 3-Major APD, APMD, MCPD communication error failure now reported with error code
477898-2 3-Major Some strings on BIG-IP APM EDGE Client User Interface were not localized
477795-4 3-Major SSL profile passphrase may be displayed in clear text on the Dashboard
476038-9 3-Major Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
476032-6 3-Major BIG-IP Edge Client may hang for sometime when disconnecting from Firepass server
475735-2 3-Major Failed to load config after removing peer from sync-only group
475505-8 3-Major Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474582-2 3-Major Add timestamps to logstatd logs for Policy Sync
473386-13 3-Major Improved Machine Certificate Checker matching criteria for FQDN case
473129-6 3-Major httpd_apm access_log remains empty after log rotation
470205-4 3-Major /config/.../policy_sync_d Directory Is 100% Full
469824-9 3-Major Mac Edge client on Mac mini receives settings for iOS Edge Client
468395-2 3-Major IPv4 Allocation failure ... is out of addresses
458770-4 3-Major [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction
456608-5 3-Major Direct links for frame content, with 'Frame.src = url'
453455-9 3-Major Added support of SAML Single Logout to Edgeclient.
452464-6 3-Major iClient does not handle multiple messages in one payload.
452416-6 3-Major tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
452010-4 3-Major RADIUS Authentication fails when username or password contain non-ASCII characters
442698-9 3-Major APD Active Directory module memory leak in exception
437743-8 3-Major Import of Access Profile config that contains ssl-cert is failing
436201-15 3-Major JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
432900-12 3-Major APM configurations can fail to load on newly-installed systems
431149-8 3-Major APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
428387-9 3-Major SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
403991-9 3-Major Proxy.pac file larger than 32 KB is not supported
489364-6 4-Minor Now web VPN client correctly minimizes IE window to tray
482134-6 4-Minor APD and APMD cores during shutdown.
465012-5 4-Minor Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
464992-8 4-Minor Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
461597-10 4-Minor MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate
461560-6 4-Minor Edge client CTU report does not contain interface MTU value
460427-6 4-Minor Address collision reported when the Primary blade goes down or its TMM crashes in a Chassis IntraCluster environment.
451118-8 4-Minor Fixed mistakes in French localization
449525-1 4-Minor apd and apmd constantly restarting
432423-8 4-Minor Need proactive alerts for APM license usage
493385-9 5-Cosmetic BIG-IP Edge Client uses generic icon set even if F5 icon set is configured
486344-4 5-Cosmetic French translation does not properly fit buttons in BIG-IP Edge client on Windows


WebAccelerator Fixes

ID Number Severity Description
486346-2 2-Critical Prevent wamd shutdown cores
488917-1 4-Minor Potentially confusing wamd shutdown error messages


Wan Optimization Manager Fixes

ID Number Severity Description
485182-4 3-Major wom_verify_config does not recognize iSession profile in /Common sub-partition


Service Provider Fixes

ID Number Severity Description
503676-5 2-Critical SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
500365-5 2-Critical TMM Core as SIP hudnode leaks
482436-9 2-Critical BIG-IP processing of invalid SIP request may result in high CPU utilization
466761-5 2-Critical Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
455006-6 2-Critical Invalid data is merged with next valid SIP message causing SIP connection failures
507143-2 3-Major Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion
472092-6 3-Major ICAP loses payload at start of request in response to long execution time of iRule
464116-5 3-Major HTTP responses are not cached when response-adapt is applied


Advanced Firewall Manager Fixes

ID Number Severity Description
512609-2 2-Critical Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
478470 4-Minor AFM Online Help updated: DoS Detection Threshold Percentage


Policy Enforcement Manager Fixes

ID Number Severity Description
484278-3 2-Critical BIG-IP crash when processing packet and running iRule at the same time


Carrier-Grade NAT Fixes

ID Number Severity Description
493807-4 2-Critical TMM might crash when using PPTP with profile logging enabled
487660-1 3-Major LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
475549-2 3-Major Input handling error in GTM GUI


Device Management Fixes

ID Number Severity Description
462827-8 1-Blocking Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id
463380-4 3-Major URIs with space characters may not work properly in ODATA query



Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
496849-2 CVE-2014-9326 K16090 F5 website update retrievals vulnerability
477274-12 CVE-2014-6031 K16196 Buffer Overflow in MCPQ
496845-2 CVE-2014-9342 K15933 NTP vulnerability CVE-2014-9296
477278-11 CVE-2014-6032 K15605 XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033
468345-2 CVE-2015-1050 K16081 Blocking page with harmful JavaScript can be run by system administrator


Functional Change Fixes

ID Number Severity Description
382157-2 3-Major Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats


TMOS Fixes

ID Number Severity Description
498704-1 2-Critical Module provisioning doesn't properly account for disk space
487567-3 2-Critical Addition of a DoS Profile Along with a Required Profile May Fail
472202-2 2-Critical Potential false positive report of DMA RX lockup failure
507461-2 3-Major Net cos config may not persist on HA unit following staggered restart of both HA pairs.
504572-3 3-Major PVA accelerated 3WHS packets are sent in wrong hardware COS queue


Local Traffic Manager Fixes

ID Number Severity Description
509310-1 2-Critical Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
498005-1 2-Critical The HTTP:payload command could cause the TMM to crash if invoked in a non-HTTP event
506290-3 3-Major MPI redirected traffic should be sent to HSB ring1
505452-1 3-Major New db variable to control packet priority for TMM generated packets
505056-3 3-Major BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.
496588-2 3-Major HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash


Performance Fixes

ID Number Severity Description
489259-2 2-Critical [AFM] packets from good ip's are being dropped by DoS Sweep & Flood logic
496998-2 3-Major Update offenders more aggressively. Increase batch size for Dwbld processing.


Application Security Manager Fixes

ID Number Severity Description
510287 1-Blocking Create ASM security policy by BIG-IQ
509663 1-Blocking asm restart periodically with errors in asm_config_server.log: ASM Config server died unexpectedly
508908-2 2-Critical Enforcer crash
507919-2 2-Critical Updating ASM through iControl REST does not affect CMI sync state
504182-2 2-Critical Enforcer cores after upgrade upon the first request
498361 2-Critical Manage ASM security policies from BIG-IQ
493401-3 2-Critical Concurrent REST calls on a single endpoint may fail
489705-3 2-Critical Running out of memory while parsing large XML SOAP requests
481476-10 2-Critical MySQL performance
468387-2 2-Critical Enforcer core related to specific error condition in the session db
511477 3-Major Manage ASM security policies from BIG-IQ
511029 3-Major "selfLink" for ASM Policy was incorrect for iControl REST
510818 3-Major Manage ASM security policies from BIG-IQ
508519-1 3-Major Performance of Policy List screen
508338-2 3-Major Under rare conditions cookies are enforced as base64 instead of clear text
507905-1 3-Major Saving Policy History during UCS load causes DB deadlock/timeout
507289-1 3-Major User interface performance of Web Application Security Editor users
506386-1 3-Major Automatic ASM sync group remains stuck in init state when configured from tmsh
506355-2 3-Major Importing an XML file without defined entity sections
504973-2 3-Major Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead
497769-2 3-Major Policy Export: BIG-IP does not export redirect URL for "Login Response Page"
496565-2 3-Major Secondary Blades Request a Sync
496011-2 3-Major Resets when session awareness enabled
490284-6 3-Major ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)
469786-2 3-Major Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule
465181-4 3-Major Unhandled connection error in iprepd causes memory leak in iprepd or merged
510828 5-Cosmetic Manage ASM security policies from BIG-IQ


Application Visibility and Reporting Fixes

ID Number Severity Description
461715-2 2-Critical AVR: Collecting geolocation IDs
503471-2 3-Major Memory leak can occur when there is a compressed response, and abnormal termination of the connection
500034-2 3-Major [SMTP Configuration] Encrypted password not shown in GUI
489682-4 3-Major Configuration upgrade failure due to change in an ASM predefined report name
468874-1 3-Major Monpd errors appear when AVR loads data to MySQL
467945-4 3-Major Error messages in AVR monpd log


Access Policy Manager Fixes

ID Number Severity Description
497662-4 1-Blocking BIG-IP DoS via buffer overflow in rrdstats
431980-2 2-Critical SWG Reports: Overview and Reports do not show correct data.


Advanced Firewall Manager Fixes

ID Number Severity Description
514651 2-Critical db variable to disable rate-tracker
514266 2-Critical Change firewall rules with ip-protocol ICMP and ICMP type 0, code 0 cause pccd crash
513403-3 2-Critical TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.
510162 2-Critical potential TMM crash when AFM DoS Sweep & Flood is configured
503541-3 2-Critical Use 64 bit instead of 10 bit for Rate Tracker library hashing.
501480-2 2-Critical AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925-2 2-Critical Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
498227 2-Critical Incorrect AFM firewall rule counter update after pktclass-daemon restarts.
497342-2 2-Critical TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.
489845-1 2-Critical Sometimes auto-blacklisting will not function after the provisioning of AFM and APM modules
511406 3-Major Pagination issue on firewall policy rules page
510224-1 3-Major All descriptions for address-list members are flushed after the address-list was updated
506452-1 3-Major Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1
505624-2 3-Major Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
504384-3 3-Major ICMP attack thresholds
503085-2 3-Major Make the RateTracker threshold a constant
502414-3 3-Major Make the RateTracker tier3 initialization number less variant.
501986-2 3-Major Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process
500640-2 3-Major TMM core could be seen if FLOW_INIT iRule attached to Virtual server
497732 3-Major Enabling specific logging may trigger other unrelated events to be logged.
497667 3-Major Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error
497263-2 3-Major Global whitelist count exhausted prematurely
496278 3-Major Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
495928-4 3-Major APM RDP connection gets dropped on AFM firewall policy change
495698 3-Major iRule can be deleted even though it exists in a rule-list
495390-2 3-Major An error occurs on Active Rules page after attempting to reorder Rules in a Policy
485771-2 3-Major TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.
469297-2 3-Major Address list summary page does not display the description for individual address list entries.
465229-1 3-Major Fix for Policy Rule Names Displaying Distorted in Rare Conditions
464972-2 3-Major Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.
464966-1 3-Major Active Rule page may display incorrectly if showing multiple rules and at least one rule list
464762-1 3-Major Rule lists may not display schedules for rules that have them
464222-1 3-Major Policy Rule Missing from TMSH Overlapping Status Output
458810-1 3-Major Time field may not display correctly in log search function
445984-1 3-Major Wrong overlapping status is shown if there are firewall rules with source or destination port range that begins with "1"
438773-1 3-Major Network Firewall event logs page pops up date/time picker automatically during drag-and-drop
506470 4-Minor Reduce pccd OOM probability with port expansion change
497311-1 4-Minor Can't add a ICMPv6 type and code to a FW rule.
473589-1 4-Minor Error at attempt to add GeoIP with parentheses.


Cumulative fix details for BIG-IP v11.5.4 Hotfix 4 that are included in this release

656902 : Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile

Component: Local Traffic Manager

Symptoms:
During the upgrade to 11.5.4 HF3, the upgrade removes DHE-DSS from the cipher string and, as a side effect, also removes every cipher keyword that begins with the characters '@', '+', '-', or '!' from the configuration.

Conditions:
clientssl/serverssl profile ciphers configuration contains keywords beginning with the characters '@', '+', '-', or '!'.

Impact:
Cipher suites are configured using keywords such as AES, AES-GCM, !DES, -ADH, @STRENGTH, etc. The issue causes keywords beginning with the characters '@', '+', '-', or '!' to be removed from the configuration. Because those are exactly the exclusion ('!', '-'), reordering ('+') and sorting ('@STRENGTH') directives, the surviving string no longer disables anything that the remaining keywords (NATIVE in the example below) permit, so the profile silently becomes more permissive than configured. After the upgrade, compare each profile's cipher string against the intended one rather than assuming it was preserved.

For example, if the cipher suite configuration before installing 11.5.4 HF3 was: 'NATIVE:!SSLV2:!SSLV3:!MD5:!EXPORT:!LOW:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:!RC4:!ADH:!ECDHE_ECDSA:!ECDH_ECDSA:!ECDH_RSA:!DHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:+DES-CBC3-SHA'

After installing 11.5.4 HF3 it would be reduced to: 'NATIVE:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES'

Workaround:
Manually restore the clientssl/serverssl profile cipher configuration.

Fix:
Fixed an issue that causes the cipher suites configured beginning with the characters '@', '+', '-', or '!' to be removed from the configuration on upgrade.


655756 : TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.

Component: Local Traffic Manager

Symptoms:
TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.

Conditions:
-- TMOS v11.5.4 HF3.
-- SSL profile active.
-- BIG-IP 2000/4000 platform.

Impact:
TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The cause of the crash was identified and removed.


649933-5 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.


642330-4 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: Global Traffic Manager

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each affected string in bigip_gtm.conf to include enclosing quotes so that the config loads the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.


638935-1 : Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: TMOS

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where the monitor string contains \" (backslash double-quote) but does not contain any of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.

If you have an escaped quote in your configuration and are moving to a version that includes this fix, you cannot reload the configuration, or the license (which also reloads the configuration). Doing so will cause the config load to fail.
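An added example (not F5 code) that applies the quoting rule described in IDs 642330 and 638935 to a constructed bigip.conf fragment: it reports monitor fields that would load without enclosing quotes and re-wraps them. The monitor name and the send and username values are constructed; the recv value is the one quoted above.

```python
# Added example (not F5 code): find monitor send/recv strings that the upgrade
# defect in IDs 642330 and 638935 leaves without enclosing quotes, and re-wrap
# them in the config file so the configuration loads.
import re
from typing import List

# Any of these characters already forces the config writer to quote the value.
SPECIAL_CHARS = set("'|{};# \n")

# Monitor fields the release note names: recv, send, recv-disable, username.
MONITOR_FIELD = re.compile(r'^(\s*)(recv-disable|recv|send|username)\s+(.*?)\s*$')


def needs_enclosing_quotes(value: str) -> bool:
    """True when value contains an escaped double quote but none of the
    characters that would force quoting anyway."""
    return '\\"' in value and not (SPECIAL_CHARS & set(value))


def is_quoted(value: str) -> bool:
    return len(value) >= 2 and value[0] == '"' and value[-1] == '"'


def ensure_quoted(value: str) -> str:
    """Wrap a bare, affected value in double quotes; leave everything else alone."""
    if needs_enclosing_quotes(value) and not is_quoted(value):
        return '"' + value + '"'
    return value


def affected_fields(config_text: str) -> List[str]:
    """Report 'field value' pairs that would fail to load without quotes."""
    hits = []
    for line in config_text.splitlines():
        m = MONITOR_FIELD.match(line)
        if m and needs_enclosing_quotes(m.group(3)) and not is_quoted(m.group(3)):
            hits.append(f"{m.group(2)} {m.group(3)}")
    return hits


def repair_monitor_config(config_text: str) -> str:
    """Rewrite the fragment, re-quoting only the affected monitor fields."""
    out = []
    for line in config_text.splitlines():
        m = MONITOR_FIELD.match(line)
        if m:
            indent, key, value = m.groups()
            out.append(f"{indent}{key} {ensure_quoted(value)}")
        else:
            out.append(line)
    return "\n".join(out)


# Constructed bigip.conf fragment: the recv value is the one quoted in the
# release note, written as it appears after the enclosing quotes were dropped.
SAMPLE_CONFIG = r'''ltm monitor http mon_json_status {
    defaults-from http
    recv \"service_status\":\"on\".+\"maintenance\":\"off\"
    send "GET /status HTTP/1.0\r\n\r\n"
    username admin
}'''

if __name__ == "__main__":
    for hit in affected_fields(SAMPLE_CONFIG):
        print("needs quotes:", hit)
    print(repair_monitor_config(SAMPLE_CONFIG))
```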


637181-2 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.


636702-1 : BIND vulnerability CVE-2016-9444

Vulnerability Solution Article: K40181790


636700-2 : BIND vulnerability CVE-2016-9147

Vulnerability Solution Article: K02138183


636699-3 : BIND vulnerability CVE-2016-9131

Vulnerability Solution Article: K86272821


635933-2 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Vulnerability Solution Article: K23440942 K13361021


635412-1 : Invalid mss with fast flow forwarding and software syn cookies

Vulnerability Solution Article: K82851041


633723-1 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a "request queue stuck" error.

Conditions:
A Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot.

That is, when a log message such as the following appears:
Feb 27 07:39:07 localhost crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck

Impact:
Under the above conditions, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system will immediately fail over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay is only on rebooting the system which has already gone to standby mode.


632618 : ImageMagick vulnerability CVE-2016-3717

Component: TMOS

Symptoms:
It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images.

Conditions:
ImageMagick may be used when Image Optimization is in use by an AAM policy.

Impact:
A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to disclose the contents of arbitrary files.


631627-3 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on a vCMP guest. You will experience connection failures when Bandwidth Controller (BWC) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not come up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
BWC enabled and associated with a route domain, Web Accelerator enabled, and the system is rebooted, now results in the system and TMM coming up fully and passing traffic.


631582-3 : Administrative interface enhancement

Vulnerability Solution Article: K55792317


631530 : TAI offset not adjusted immediately during leap second

Component: TMOS

Symptoms:
When a UTC time value is repeated during a leap second (when UTC time should be 23:59:60), the International Atomic Time (TAI) timescale should not stop; however, the kernel increments the TAI offset one second too late.

Conditions:
This occurs during an NTP leap second event, for example the event that occurs on December 31, 2016, at 23:59:60 UTC.

Impact:
Impact to applications unknown, system will stay stable and a timer may be fired off later than expected.

Workaround:
None.

Fix:
International Atomic Time (TAI) offset during leap second has been corrected.


629771 : The TCP::unused_port command erroneously accepts IPV4_COMPAT addresses

Component: Local Traffic Manager

Symptoms:
When the TCP::unused_port command is called with a Tcl IP address object that represents an IPv4 address as an IPv4-compatible IPv6 address, the command searches for existing flows related to that address. IPv4-compatible IPv6 addresses are deprecated; the flow table uses IPv4-mapped IPv6 addresses instead.

Conditions:
The IP::addr object was created with the following command:

[IP::addr <addr> mask ::ffff:ffff]

Impact:
The TCP::unused_port command is unable to return an unused port.

Workaround:
Use the string representation by forcing the object to be a string, for example:

    set ipv6_addr "fe80::250:56ff:0a1e:0101"
    set ipv4_from_ipv6 [string tolower [IP::addr $ipv6_addr mask ::ffff:ffff]]
    set free [TCP::unused_port $ipv4_from_ipv6 [TCP::local_port] 10.30.1.64 [TCP::client_port] 48000 48255]

Fix:
ID 598860-5 fixes the IP::addr command so that it returns an IPv4-mapped address.
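As an added example (not F5 code, and not a translation of the iRule above), a Python version of the distinction this issue turns on: it emulates the mask ::ffff:ffff step from the workaround, classifies the result as IPv4-compatible, and converts it to the IPv4-mapped form the flow table uses. The addresses are the ones in the workaround above.

```python
# Added example (not F5 code): classify the IPv6 address forms behind ID 629771
# and normalize an IPv4-compatible address (::a.b.c.d, deprecated) into the
# IPv4-mapped form (::ffff:a.b.c.d) that the flow table uses.
import ipaddress

MAPPED_PREFIX = b"\x00" * 10 + b"\xff\xff"   # ::ffff:0:0/96, IPv4-mapped
COMPAT_PREFIX = b"\x00" * 12                  # ::/96, IPv4-compatible (deprecated)


def classify(addr: str) -> str:
    """Return 'ipv4', 'ipv4-mapped', 'ipv4-compatible' or 'ipv6'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    head, tail = ip.packed[:12], ip.packed[12:]
    if head == MAPPED_PREFIX:
        return "ipv4-mapped"
    # :: and ::1 share the ::/96 prefix but carry no IPv4 address.
    if head == COMPAT_PREFIX and tail not in (b"\x00\x00\x00\x00", b"\x00\x00\x00\x01"):
        return "ipv4-compatible"
    return "ipv6"


def embedded_ipv4(addr: str) -> str:
    """Dotted-quad IPv4 carried by an IPv4, IPv4-mapped or IPv4-compatible address."""
    kind = classify(addr)
    ip = ipaddress.ip_address(addr)
    if kind == "ipv4":
        return str(ip)
    if kind in ("ipv4-mapped", "ipv4-compatible"):
        return str(ipaddress.IPv4Address(ip.packed[12:]))
    raise ValueError(f"{addr} carries no embedded IPv4 address")


def to_ipv4_mapped(addr: str) -> str:
    """The ::ffff:a.b.c.d form, which is what the flow table is keyed on."""
    return "::ffff:" + embedded_ipv4(addr)


def mask_low32(addr: str) -> str:
    """Emulate [IP::addr <addr> mask ::ffff:ffff]: keep only the low 32 bits.
    The result is the deprecated IPv4-compatible form the release note describes."""
    low = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF
    return str(ipaddress.IPv6Address(low))


if __name__ == "__main__":
    # Address taken from the workaround in the release note.
    compat = mask_low32("fe80::250:56ff:0a1e:0101")
    print(compat, classify(compat), "->", to_ipv4_mapped(compat))
```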


628164-1 : OSPF with multiple processes may incorrectly redistribute routes

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different route types, LSAs may be created in a process for a route of a type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.


625376-2 : In some cases, download of PAC file by edge client may fail

Component: Access Policy Manager

Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.

Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.

Impact:
PAC file download will fail and client will use incorrect proxy settings due to unavailability of PAC file.

Workaround:
Use only lowercase characters in PAC file URI.

Fix:
Now Edge client can download PAC files from URIs that have uppercase as well as lowercase characters.


624931 : getLopSensorData "sensor data reply too short" errors with FND300 DC PSU

Component: TMOS

Symptoms:
On BIG-IP 2000-/4000-series or 5000-/7000-series appliances with FND300 DC power supplies running BIG-IP v11.5.4-HF2, errors similar to the following are logged every 30+ seconds:

warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16d size: 39
warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16e size: 39

In addition, the PSU status is reported as Not Present by the "tmsh show sys hardware" and "tmctl chassis_power_supply_status_stat" commands.

tmsh show sys hardware:

Chassis Power Supply Status
  Index Status Current
  1 not-present NA
  2 not-present NA

tmctl chassis_power_supply_status_stat:

name index status input_status output_status fan_status current_status
==============================================================================
pwr1 1 2 2 2 2 0
pwr2 2 2 2 2 2 0
Totals 3 4 4 4 4 0
------------------------------------------------------------------------------

(Where a status value of 2 == Not Present)

Conditions:
This problem occurs when all of the following conditions are true:
1. BIG-IP 2000-/4000-series or 5000-/7000-series appliance
2. One or more FND300 DC power supplies installed
3. Running BIG-IP v11.5.4-HF2

Impact:
1. Errors logged every 30+ seconds
2. PSU status is reported as Not Present

Fix:
The status of FND300 DC power supplies is reported correctly on BIG-IP 2000-/4000-series and 5000-/7000-series appliances.


624570-4 : BIND vulnerability CVE-2016-8864

Vulnerability Solution Article: K35322517


624457-2 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Component: TMOS

Symptoms:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Conditions:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Impact:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Fix:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html


624263-1 : iControl REST API sets a profile's non-default property value to "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.


624193 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions that trigger the issue.

Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.


623119-3 : Linux kernel vulnerability CVE-2016-4470

Component: TMOS

Symptoms:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html

Conditions:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html

Impact:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html

Fix:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html


622496-3 : Linux kernel vulnerability CVE-2016-5829

Vulnerability Solution Article: K28056114


622166-1 : HTTP GET requests with HTTP::cookie iRule command receive no response

Component: Local Traffic Manager

Symptoms:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers do not get a response.

Conditions:
An LTM virtual server with an iRule including the HTTP::cookie command.

Impact:
No response is received by the client.

Workaround:
None.

Fix:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers now get a response as expected.


621465 : The minimum IP packet fragment size is now 1 and not 24

Component: Local Traffic Manager

Symptoms:
The minimum IP packet fragment size, set via DB Var [TM.MinIPfragSize], is 24 and that causes problems if you need to use smaller fragments in your network.

Conditions:
You are trying to configure TM.MinIPfragSize and need it to be set to a value smaller than 24.

Impact:
You are unable to configure fragment sizes smaller than 24 in your network.

Workaround:
NA

Fix:
Changed DB Var [TM.MinIPfragSize] minimum value from 24 to 1.


621417-2 : sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.

Component: TMOS

Symptoms:
On a BIG-IP deployed in the AWS cloud, sys-icheck reports size and md5 errors for the /usr/share/defaults/bigip_base.conf file, as follows:

ERROR: S.5...... c /usr/share/defaults/bigip_base.conf (no backup)

Conditions:
BIG-IP deployed in AWS cloud.

Impact:
sys-icheck reports "rpm --verify" size and md5 errors for /usr/share/defaults/bigip_base.conf. This has no functional impact on the product, but it looks as though the factory config file was modified incorrectly by a user or application.

Workaround:
No workaround exists for this issue.

Fix:
sys-icheck no longer reports errors for /usr/share/defaults/bigip_base.conf in AWS.
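An added example (not F5 code) that decodes the rpm --verify style line sys-icheck prints here, showing that only size and md5/digest differ and that the entry is flagged as a config file, and sorts a batch of such lines by what changed. The first sample line is the one from this issue (path as given in its title); the other two are constructed.

```python
# Added example (not F5 code): decode the rpm --verify style lines that
# sys-icheck prints (see ID 621417), so an operator can see which attributes
# differ and whether the file is a config file or an ordinary package file.
import re
from typing import Dict, List

# rpm --verify attribute columns, in order:
# Size, Mode, md5/digest, Device, Link, User, Group, mTime, caPabilities
ATTRIBUTES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
              "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
FILE_TYPES = {"c": "config", "d": "documentation", "g": "ghost",
              "l": "license", "r": "readme"}

VERIFY_LINE = re.compile(
    r"^(?:(?P<level>ERROR|WARNING):\s+)?"      # sys-icheck severity prefix
    r"(?P<flags>[SM5DLUGTP.?]{8,9})\s+"        # rpm attribute column string
    r"(?:(?P<type>[cdglr])\s+)?"               # optional file-type marker
    r"(?P<path>\S+)"
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$")        # trailing note such as (no backup)


def parse_verify_line(line: str) -> Dict[str, object]:
    """Turn one verify line into a dict of its decoded parts."""
    m = VERIFY_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an rpm verify line: {line!r}")
    flags = m.group("flags")
    return {
        "level": m.group("level"),
        "path": m.group("path"),
        "file_type": FILE_TYPES.get(m.group("type") or "", "regular"),
        "changed": [ATTRIBUTES[c] for c in flags if c in ATTRIBUTES],
        "unverifiable": flags.count("?"),
        "note": m.group("note"),
    }


def categorize(entry: Dict[str, object]) -> str:
    """Coarse triage bucket: ownership/permission drift is the most suspicious,
    then content changes to non-config files, then edited config files."""
    changed = set(entry["changed"])
    if changed & {"mode", "user", "group", "capabilities", "link", "device"}:
        return "ownership-or-permissions-changed"
    if changed & {"size", "digest"}:
        if entry["file_type"] != "config":
            return "non-config-content-changed"
        return "config-content-changed"
    return "metadata-only"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group paths from a batch of verify lines by triage bucket."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_verify_line(line)
        report.setdefault(categorize(entry), []).append(str(entry["path"]))
    return report


SAMPLE_LINES = [
    # Line from the release note for ID 621417 (size and md5 differ, config file).
    "ERROR: S.5...... c /usr/share/defaults/bigip_base.conf (no backup)",
    # Constructed: mode and group changed on a non-config file.
    ".M....G..   /usr/bin/example-tool",
    # Constructed: only the mtime differs on a config file.
    ".......T.  c /config/bigip.conf",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_verify_line(line)
        print(e["path"], e["file_type"], e["changed"], "->", categorize(e))
```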


621242-2 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
Increased the reserved free space in the VM image from 15% to 30% to accommodate upgrades to future versions. Each new version tends to be bigger and to require more disk space to install. The increased reserved space allows upgrading to at least the next 2 versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.


620712 : Added better search capabilities on the Pool Members Manage & Pool Create page.

Component: Global Traffic Manager (DNS)

Symptoms:
Large numbers of virtual servers were hard to manage on the GSLB Pool Member Manage page.

Conditions:
Having a large number of virtual servers or wide IPs.

Impact:
Poor usability.

Workaround:
No workaround.

Fix:
The GSLB Pool Member Manage page now has a new search feature in the form of a combo box to allow for better management of large numbers of virtual servers.

Behavior Change:
The GSLB Pool Member Manage page now has the new search feature to allow for better management of large numbers of virtual servers.


620659-1 : The BIG-IP system may unnecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but a file, /mprov_firstboot, is left on the system. The following appears in /var/log/ltm:
  info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'

During a subsequent boot, provisioning runs again, potentially unnecessarily, because this file exists. The following appears in /var/log/ltm during the second boot:
  info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.


619757-4 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.


619071-1 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disable verified accept when used with OneConnect on a VIP.

Fix:
Verified accept, OneConnect and hardware syncookies work correctly together.


618324-3 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
When upgrading from OPSWAT SDK V3 to V4 and opening an Access Policy in the VPE, if one of the OPSWAT checkers (for example, the Anti-Virus checker) contains an Undefined ID (one that was previously defined but is now out of support), it is displayed as "Any." The correct display should be "Unsupported" or "Invalid" product.

Conditions:
Incorrect information displayed.

Impact:
Incorrect information displayed.

Workaround:
N/A

Fix:
The correct information (*** Invalid ***) is now displayed.


617862-3 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: Your TCP handshake will not prematurely time out, and connections remain open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on idleness of the connection, taking into account any SYN retransmissions and similar events that might occur.


617824-1 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. Apply the iRule and OneConnect profile to the VS.

Impact:
The OneConnect behavior is unexpected, and BIG-IP may not get the backend server's HTTP response for every client's HTTP request.

Workaround:
You can work around the problem by disabling oneConnect.


616864-4 : BIND vulnerability CVE-2016-2776

Component: TMOS

Symptoms:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Conditions:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Impact:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Fix:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html


616772-3 : CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager)

Vulnerability Solution Article: K15724


616765-3 : CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager)

Vulnerability Solution Article: K15147


616498-3 : CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager)

Vulnerability Solution Article: K15404


616491-3 : CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager)

Vulnerability Solution Article: K6734


616382 : OpenSSL Vulnerability (TMM)

Vulnerability Solution Article: K93122894


616242-1 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

    01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.


616215-1 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.


616169-1 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
A) Restarting the asm_config_server.pl process, or restarting ASM usually clears up the issue.

B) Run "umask 0022" on the device

C) Download the file from the shell.

Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.


615934 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.


615695 : Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2

Component: Application Security Manager

Symptoms:
The following bugs were documented as fixed in BIG-IP v11.5.4-HF2:

ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd

However, the packages containing these fixes were not actually included in the BIG-IP v11.5.4-HF2 ISO.
Therefore, these bugs are not actually fixed in BIG-IP v11.5.4-HF2.

Conditions:
BIG-IP v11.5.4-HF2

Impact:
Referenced bugs are not actually fixed in BIG-IP v11.5.4-HF2.

Fix:
[BIG-IP v11.5.4 Hotfix Rollup containing this fix] includes the packages which contain the fixes for the following bugs:

ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd


615187 : Missing hyperlink to GSLB virtual servers and servers on the pool member page.

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to GSLB virtual servers and servers on the pool member page were removed in 11.x.

Conditions:
Have a GSLB pool with pool members set up.

Impact:
Must manually take note of the member's virtual server or server.

Workaround:
Manually take note of virtual or server and search for it.

Fix:
Added hyperlink to GSLB virtuals and servers on the pool member page.


614865 : Overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
The overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly and no longer produces errors.


614675 : iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" creates invalid profile

Component: TMOS

Symptoms:
iControl function "LocalLB::ProfileClientSSL::create_v2" creates a profile with two cert-key-chain objects containing identical cert and key but with different names:

      ltm profile client-ssl my_prof {
          app-service none
          cert mycert.crt
          cert-key-chain {
              "" {
                  cert mycert.crt
                  key mycert.key
              }
              default_rsa_ckc {
                  cert mycert.crt
                  key mycert.key
              }
          }
          chain none
          inherit-certkeychain false
          key mycert.key
          passphrase none
      }

Conditions:
When the user creates a clientSSL profile using the iControl function create_v2().

Impact:
Unable to add the invalid clientSSL profile to a virtual server.

Workaround:
Remove the invalid clientSSL profile and re-create the profile using TMSH or GUI.

Fix:
iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" no longer creates invalid profile when creating clientSSL profile using iControl function create_v2().


614441-1 : False Positive for illegal method (GET)

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.


613613 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application can not work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.


613576-9 : QOS load balancing links display as gray

Component: Global Traffic Manager

Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and the function of load balancing to the first available link in each pool is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all links from the configuration, or install this hotfix.


612419-3 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.


611830 : TMM may crash when processing TCP traffic

Vulnerability Solution Article: K13053402


611704-1 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event

Component: Local Traffic Manager

Symptoms:
A tmm crash was discovered during internal testing.

Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT.


611469-6 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Vulnerability Solution Article: K95444512


610609-4 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connection count is reported too high. For example, a single connection sent through the BIG-IP is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.


610429-2 : X509::cert_fields iRule command may leak memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields.
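The leaking argument order is easy to miss in a large bigip.conf, so here is a small scanner for it, written as an added example for this page (it is not F5 code). It walks every X509::cert_fields call in an iRule listing, assumed to be in the `ltm rule NAME { ... }` form that tmsh emits (the rules in SAMPLE_CONF are constructed for the example), and reports the rules where subpubkey is requested but is not the last argument:

```python
import re

# Constructed sample in bigip.conf style (not from the release notes): rule_leak matches the
# leaking signature above, rule_ok puts 'subpubkey' last as the workaround requires.
SAMPLE_CONF = r'''
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        }
    }
}
ltm rule rule_ok {
    when HTTP_REQUEST {
        set fields [X509::cert_fields [SSL::cert 0] 0 hash subpubkey]
    }
}
'''

RULE_HEADER = re.compile(r'^\s*ltm rule (\S+)\s*\{', re.M)
CALL = re.compile(r'X509::cert_fields\b')


def _words_after(text, pos):
    """Split the Tcl words that follow `pos` into arguments. Bracketed/braced words stay whole;
    the argument list ends at a ']' or '}' closing the enclosing command, or at a newline/';'."""
    args, cur, depth = [], [], 0
    for ch in text[pos:]:
        if ch in '[{':
            depth += 1
            cur.append(ch)
        elif ch in ']}':
            if depth == 0:
                break
            depth -= 1
            cur.append(ch)
        elif depth == 0 and ch in '\n;':
            break
        elif depth == 0 and ch.isspace():
            if cur:
                args.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append(''.join(cur))
    return args


def cert_fields_calls(conf):
    """Yield (rule name, argument list) for every X509::cert_fields invocation in `conf`."""
    headers = [(m.start(), m.group(1)) for m in RULE_HEADER.finditer(conf)]
    for m in CALL.finditer(conf):
        rule = next((name for start, name in reversed(headers) if start < m.start()), None)
        yield rule, _words_after(conf, m.end())


def leaky_rules(conf):
    """Rules that hit ID 610429: 'subpubkey' is requested but is not the last argument."""
    return [rule for rule, args in cert_fields_calls(conf)
            if 'subpubkey' in args and args[-1] != 'subpubkey']


if __name__ == '__main__':
    for rule in leaky_rules(SAMPLE_CONF):
        print(f'{rule}: move subpubkey to the last argument of X509::cert_fields')
```

Run it against the output of `tmsh list ltm rule` saved to a file; the tokenizer only needs to recognise bracket nesting, so it does not care how the call is embedded (HTTP::respond, set, log, and so on).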


610354-3 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.


610243-1 : HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication

Component: Access Policy Manager

Symptoms:
The HTML5 client cannot be used to access the published applications or desktops.
The HTML5 client shows a blank/black screen and displays "Can not connect to the server".

Conditions:
APM is configured in Citrix Storefront integration mode, and HTML5 client access is enabled in Storefront.

Impact:
HTML5 client can not be used to access the published resources

Workaround:
None

Fix:
HTML5 client can be used to access the published resources.


610180-5 : Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory

Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.

Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.


608551-2 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use SSL client that sends clean shutdown.

Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.


608320-2 : iControl REST API sets a persistence profile's non-default property value as "none"; properties missing from the iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string properties that are explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with the value "none". The exception to this policy is secured attributes, which are always excluded from the iControl REST API response.


608024-2 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During the DTLS handshake, unnecessary retransmissions of handshake messages may occur on VE platforms.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.

Fix:
This release fixes a possible failed DTLS handshake on VE platforms.


607304-1 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.


606575-2 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    # A normal 200 response: leave the client attached to this server-side connection.
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    # Any other status code: detach the client side so the next request is load balanced again.
    catch { ONECONNECT::detach enable }
}

Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.


605865-1 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.


605476 : istatsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.

Impact:
iStatsd process will restart due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged

3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete

4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged

Fix:
Added a fix that protects against continually reading a corrupted segment file that has duplicate FIDs.


604977-4 : Wrong alert when DTLS cookie size is 32

Component: Local Traffic Manager

Symptoms:
When a ServerSSL profile using DTLS receives a cookie with a length of 32 bytes, it sends a fatal alert.

Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.

Impact:
DTLS with cookie size 32 is not supported.


604767-6 : Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing SAML IdP's metadata, certificate object might not be assigned as 'idp-certificate' value of saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
Described behavior will result in misconfiguration. SAML WebSSO will subsequently fail.

Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.


604496-1 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
The SQL (Oracle) monitor daemon might hang under a high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that hung connections are being aborted, and that the address is in use and it is unable to connect.

Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Increase the monitor interval (reduce monitoring frequency).
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.

Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.


604442-3 : iControl log

Vulnerability Solution Article: K12685114


604237-1 : Vlan allowed mismatch found error in VCMP guest

Component: TMOS

Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "

Conditions:
When the vlan-allowed list contains a VLAN whose name matches the suffix of another VLAN's name in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."

Impact:
Unable to use VLAN.

Workaround:
Rename the VLANs such that no VLAN name matches the suffix of any other VLAN name.
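A pre-flight check for the naming rule in the workaround, as an added example that is not part of the release notes or of F5's tooling. It parses a `tmsh list net vlan` style listing (the SAMPLE_VLANS text is constructed for the example and assumes the `net vlan NAME { ... tag N }` block form) and reports every VLAN name that is a suffix of another VLAN name, together with the tags that mcpd prints in the mismatch message:

```python
import re

# Constructed sample of `tmsh list net vlan` output (not from the release notes); the names mirror
# the xyz / abc_xyz pair from the mcpd message quoted above.
SAMPLE_VLANS = '''
net vlan /Common/abc_xyz {
    if-index 1860
    tag 1860
}
net vlan /Common/xyz {
    if-index 1850
    tag 1850
}
net vlan /Common/external {
    if-index 1870
    tag 1870
}
'''

VLAN_BLOCK = re.compile(r'^net vlan (\S+) \{(.*?)^\}', re.M | re.S)
TAG = re.compile(r'^\s*tag (\d+)', re.M)


def parse_vlans(listing):
    """Map short VLAN name -> tag. The partition prefix (/Common/) is dropped because the
    comparison is on the bare name; the quoted message shows the hypervisor side without it."""
    vlans = {}
    for m in VLAN_BLOCK.finditer(listing):
        name = m.group(1).rsplit('/', 1)[-1]
        tag = TAG.search(m.group(2))
        vlans[name] = int(tag.group(1)) if tag else None
    return vlans


def suffix_collisions(vlans):
    """Return (short, long, short_tag, long_tag) for every name that is a suffix of another name."""
    names = sorted(vlans)
    return [(s, l, vlans[s], vlans[l])
            for s in names for l in names if s != l and l.endswith(s)]


def check_listing(listing):
    """Convenience wrapper: listing text in, list of colliding pairs out (empty list means clean)."""
    return suffix_collisions(parse_vlans(listing))


if __name__ == '__main__':
    for short, long, short_tag, long_tag in check_listing(SAMPLE_VLANS):
        print(f'rename {short} (tag {short_tag}): it is a suffix of {long} (tag {long_tag})')
```

Run it on the listing from every guest and from the hypervisor; a clean result on both sides means the rename workaround is not needed.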


603945-3 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.

Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.


603723-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
None.

Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.


603667-1 : TMM may leak or corrupt memory when configuration changes occur with plugins in use

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.

Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.

Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.

Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).

Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.


603606-1 : tmm core

Component: Local Traffic Manager

Symptoms:
A tmm core occurs with the following log message: notice panic: ../kern/page_alloc.c:521: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


603598-1 : big3d memory growth under extreme load conditions

Component: Global Traffic Manager

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains two queues for monitor requests. Incoming monitor requests are first placed in the Pending queue, and are moved from the Pending queue to the Active queue when there is room in the Active queue.

When the Pending queue is full, there is no room for a new monitor request. big3d attempts to clean up the request, but fails to completely free its memory. This might result in a significant memory leak.

For this to happen, the Active queue must be full as well as the Pending queue. One possible cause is multiple monitors timing out: this gives the monitors long lifetimes, which keeps the Active queue full, so the Pending queue might also become full and the leak can occur.

In BIG-IP 11.1.0, the big3d Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0 HF3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue. Since the queues were smaller in versions prior to 11.1.0 HF3, the leak is more likely to manifest itself there; in later versions, the leak is still possible but less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chance that the Pending queue becomes full.

There is no mechanism to resize the queues.

Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.


602749 : Memory exhaustion when asking for missing page of learning suggestion occurrences

Component: Application Security Manager

Symptoms:
High CPU Utilization: event code I706 Bypassing ASM

Conditions:
Open the occurrences for a suggestion that has multiple pages of occurrences, clear the requests (on a real system this happens through traffic, but it can also be done directly in the database by clearing the LRN_REQUESTS table), then switch to the second page.

Impact:
memory exhaustion

Workaround:
None


601938-5 : MCPD stores certain data incorrectly

Vulnerability Solution Article: K52180214


601927-4 : Security hardening of control plane

Component: TMOS

Symptoms:
File permissions changes needed as found by internal testing

Conditions:
N/A

Impact:
N/A

Fix:
Apply latest security practices to control plane files.


601527-1 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

Fix:
Fixed a memory leak in mcpd.


601407 : Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards

Component: Access Policy Manager

Symptoms:
While adding a new account from Citrix Receiver, it does not prompt for the credentials

Conditions:
APM is in integration mode with Storefront or web interface and APM uses only pnagent protocol for the integration.

Impact:
Could not access the published applications.

Workaround:
None

Fix:
APM supports new user agent string from Citrix Receiver 4.3 onwards.


600827-3 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Hardware Error(Co-Processor): n3-crypto0 request queue stuck" will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.

Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.


600662-5 : NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: K64743453


600396-1 : iControl REST may return 404 for all requests in AWS

Component: TMOS

Symptoms:
iControl REST queries may fail against specific versions of BIG-IP in AWS. When this issue is encountered, all queries fail for the entirety of the BIG-IP uptime. An error message mentioning "RestWorkerUriNotFoundException" will be returned. For instance, this basic query will always return 404:

curl -k -u admin:ADMINPASSWORD -sv -X GET https://1.2.3.4/mgmt/tm/ltm

* Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: localhost.localdomain
* Server auth using Basic with user 'admin'
> GET /mgmt/tm/ltm HTTP/1.1
> Host: 1.2.3.4
> Authorization: Basic ....
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: 20 Jun 2016 17:49:39 UTC
< Server: com.f5.rest.common.RestRequestSender
...
{ [1093 bytes data]
* Connection #0 to host 1.2.3.4 left intact
{
   "errorStack" : [
      "com.f5.rest.common.RestWorkerUriNotFoundException: http://localhost:8100/mgmt/tm/ltm",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.cloneAndForwardRequest(ForwarderPassThroughWorker.java:293)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:211)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
      "at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
      "at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
      "at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:850)",
      "at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
      "at com.f5.rest.common.RestServer$1.run(RestServer.java:147)",
      "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
      "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
      "at java.lang.Thread.run(Thread.java:722)\n"
   ],
   "restOperationId" : 8827,
   "code" : 404,
   "referer" : "4.3.2.1",
   "message" : "http://localhost:8100/mgmt/tm/ltm"
}

Conditions:
It is not known what triggers this; it intermittently affects new BIG-IP instances running in Amazon Web Services (AWS EC2) cloud environments.

Impact:
All iControl REST queries (GETs, PUTs, POSTs, DELETEs) always fail until the BIG-IP is restarted.

Workaround:
Restart the BIG-IP.


600116 : DNS resolution request may take a long time in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution may appear slow in some cases

Conditions:
All of following conditions should be met

1) DNS Relay proxy is installed on user's machine
2) User's machine has multiple network adapters and some of them are in disconnected state.

Impact:
DNS resolution will be slow

Workaround:
Disable network adapters that are not connected.

Fix:
The DNS Relay proxy server no longer proxies to DNS servers on non-connected interfaces. This fixes the slow DNS resolution issue.


599285-5 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Vulnerability Solution Article: K51390683


599191-1 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Component: TMOS

Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.

Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Impact:
A stale key is left on the FIPS card. There is no impact to functionality.

Workaround:
Check the handles/key-ids of the keys in the configuration using tmsh. Then remove the key that is not in use using the command tmsh delete sys crypto key <keyname>.


599168-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: K35520031


598983-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: K35520031


598981-1 : APM ACL does not get enforced all the time under certain conditions

Component: Access Policy Manager

Symptoms:
APM ACL does not get enforced all the time under certain conditions

Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.

Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.

Fix:
Context switching when applying the ACL is now processed properly, and no longer causes the ACL to not be enforced.


598874-1 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

Fix:
Do not send anything in response to a SYN retransmission timeout.


598860-5 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address

Component: Local Traffic Manager

Symptoms:
The IP::addr iRule command should be able to extract the IPv4 address embedded in an IPv6 address, but instead it converts it into an IPv4-compatible IPv6 address.

Example:
ltm rule test_bug {
    when CLIENT_DATA {
        log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
    }
}

Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1

Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1

Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.

Impact:
Address is converted into an IPv4-compatible IPv6 address.
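For reference, the result the iRule expects can be reproduced offline. The following is an added example written for this page, not F5 code and not the IP::addr implementation: it masks an IPv6 address and, when the mask keeps only the low 32 bits, renders those bits as an IPv4 address (the expected result above); it also produces the IPv4-compatible IPv6 form that the unfixed command returns. The function names ip_addr_mask and ipv4_compatible_form are chosen here.

```python
import ipaddress

LOW_32_BITS = 0xFFFFFFFF


def ip_addr_mask(addr, mask):
    """Apply `mask` to `addr` (both IPv6 text). When the mask selects nothing above the low
    32 bits, the result is the embedded IPv4 address (what the iRule expects from IP::addr);
    any wider mask yields an IPv6 address, e.g. a prefix."""
    masked = int(ipaddress.IPv6Address(addr)) & int(ipaddress.IPv6Address(mask))
    if int(ipaddress.IPv6Address(mask)) <= LOW_32_BITS:
        return ipaddress.IPv4Address(masked)
    return ipaddress.IPv6Address(masked)


def ipv4_compatible_form(addr, mask):
    """The pre-fix (wrong) rendering from the 'Actual result' above: the same 32 bits kept
    inside an IPv6 address, written in dotted-quad form (e.g. ::10.56.0.1)."""
    result = ip_addr_mask(addr, mask)
    if isinstance(result, ipaddress.IPv4Address):
        return '::' + str(result)
    return str(result)


if __name__ == '__main__':
    # The address and mask from the iRule above.
    print('expected:', ip_addr_mask('2A01:CB09:8000:46F5::A38:1', '::ffff:ffff'))
    print('actual:  ', ipv4_compatible_form('2A01:CB09:8000:46F5::A38:1', '::ffff:ffff'))
```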


598211-3 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}

Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.


597966-1 : ARP/neighbor cache nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
Use after free or double-free of the nexthop object may cause memory corruption or TMM core.

Conditions:
This can happen if the server-side connection establishment takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP dataplane might crash. This is a very timing/memory-usage-dependent issue.

Workaround:
None.

Fix:
Management of nexthop object reference counting is more consistent.


597431-6 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
Edge Client does not clean up the routing table before Windows goes into hibernation. This may result in VPN establishment failing when the computer wakes up. It may also result in other network connectivity issues.

Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation

Impact:
Issues with Network connectivity

Workaround:
Renew the DHCP lease by running:
ipconfig /renew

or

reboot the machine.


597429 : eam maintains lock on /var/log/apm.1 after logrotate

Component: Access Policy Manager

Symptoms:
/var/log fills up and eventually runs out of disk space. Old log files are not being deleted from the rotation, and they are locked and unable to be removed.

Conditions:
This occurs when eam is configured. eam provides external access management for 3rd party identity integration such as Oracle Access Manager (OAM) SSO.

Impact:
/var/log consumes an unusually high amount of disk space, and logrotate does not work correctly.


597394-5 : Improper handling of IP options

Vulnerability Solution Article: K46535047


597089-3 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.

Workaround:
Disabling the PVA resolves the issue.


597023-5 : NTP vulnerability CVE-2016-4954

Vulnerability Solution Article: K82644737


596814-2 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments in which the provided IP address matches more than one network interface (other Amazon VPCs in the same Availability Zone contain unrelated instances that use the same IP address as the BIG-IP's floating IP address).

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows network description by filtering with VPC id.


596603-5 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
Issue corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.


596488-5 : GraphicsMagick vulnerability CVE-2016-5118.

Vulnerability Solution Article: K82747025


596340-4 : F5 TLS vulnerability CVE-2016-9244

Vulnerability Solution Article: K05121675


596134-1 : TMM core with PEM virtual server

Component: Policy Enforcement Manager

Symptoms:
TMM cores; the following signature appears in /var/log/ltm:
err tmm1[7822]: 011f0007:3: http_process_state_prepend - Invalid action:0x109010

Conditions:
A core may occur if a PEM virtual has a parked flow (through an iRule, persistence profile, or other mechanism), where an internal control event occurs while the flow is parked.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Check for a HUDCTL_ABORT message prior to processing other HUD messages in PEM.


595874-3 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.

As a result of this issue, you may encounter the following symptom:

After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.

Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.

Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:

Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.

1. Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.
2. Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.
3. To perform the installation by using the liveinstall method, and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot

For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot

4. Verify the installation progress by typing the following command:

tmsh show sys software

Output appears similar to the following example:

Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct

Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.


595773-6 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.

Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.


594496-4 : PHP Vulnerability CVE-2016-4539

Vulnerability Solution Article: K35240323


593447-3 : BIG-IP TMM iRules vulnerability CVE-2016-5024

Vulnerability Solution Article: K92859602


592871-1 : Cavium Nitrox PX/III stuck queue diagnostics missing.

Component: Local Traffic Manager

Symptoms:
A diagnostics tool to investigate a rare issue in which the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.

Conditions:
Systems with Cavium Nitrox PX/III chips, which include the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, that hit a rare issue which logs a "request queue stuck" message in /var/log/ltm.

Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.

Workaround:
None.

Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.


592869 : Syntax Error when reimporting exported content containing acl-order 0

Component: Access Policy Manager

Symptoms:
Syntax Error when reimporting exported content containing acl-order 0. The error message is similar to the following.

Syntax Error: ... 'acl-order' may not be specified more than once; Validating configuration...

Conditions:
Exported config has apm resource with acl-order 0.

Impact:
Unable to import exported .conf.tar.gz.

Workaround:
None.

Fix:
It is now possible to export and then import config that contains apm resource with acl-order 0.


592868-1 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If an HTML page contains HTML entities in attribute values, rewrite may crash while processing the page.

Conditions:
An HTML tag like the following:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases, an iRule can replace the HTML entities with the corresponding characters.

Fix:
Now rewrite correctly handles HTML entities in attribute values.


592854-2 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.


592784 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.

Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.


592414-3 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Fixed.


591918-6 : ImageMagick vulnerability CVE-2016-3718

Vulnerability Solution Article: K61974123


591908-6 : ImageMagick vulnerability CVE-2016-3717

Vulnerability Solution Article: K29154575


591894-6 : ImageMagick vulnerability CVE-2016-3715

Vulnerability Solution Article: K10550253


591881-5 : ImageMagick vulnerability CVE-2016-3716

Vulnerability Solution Article: K25102203


591806-4 : ImageMagick vulnerability CVE-2016-3714

Vulnerability Solution Article: K03151140


591789 : IPv4 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv4 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled on version 11.5.4, 11.6.0 HF6, or 11.6.1.

Impact:
IPv4 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv4 fragments are no longer incorrectly dropped when packet filtering is enabled.


591659-2 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool member's max keep-alive setting. This forces OneConnect to close the connection before the pool member does.

Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.


591476-6 : Stuck crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox-based systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck.

Conditions:
-- Running on one of the following platforms:
 + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 5xxx, 7xxx, 10xxx, 11xxx, and 12xxx
 + VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.

Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:

tmsh modify sys db crypto.queue.timeout value 0

Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue.


591455-3 : NTP vulnerability CVE-2016-2516

Component: TMOS

Symptoms:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Conditions:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Impact:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Fix:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253


591447-4 : PHP vulnerability CVE-2016-4070

Component: TMOS

Symptoms:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Conditions:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Impact:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Fix:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html


591327-3 : OpenSSL vulnerability CVE-2016-2106

Vulnerability Solution Article: K36488941


591325-3 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109

Vulnerability Solution Article: K75152412


591117-2 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM sends queries about the assigned ACL information. If the reply message contains an out-of-memory error, TMM did not handle the error properly, which caused TMM to core.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.


591042-6 : OpenSSL vulnerabilities

Vulnerability Solution Article: K23230229


590820-5 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.

Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.


589379-1 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

Component: TMOS

Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when the exactly matching route is deleted, ospfd sends an LSA with age 1, then immediately sends an update with age 3600.

Conditions:
OSPF using route health injection for default route.

Impact:
No functional impact. The extraneous LSA is immediately aged out.

Workaround:
Configure a static default route in imish instead of using RHI for the default route.

Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.


589298 : TMM crash with a core dump

Component: Application Security Manager

Symptoms:
TMM crash with a core dump

Conditions:
ASM provisioned
Session Awareness enabled
Mirroring is enabled
HA (CMI) setup

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
We've fixed the handling of Session Awareness in HA (CMI) setups to prevent TMM crashes.


589256-4 : DNSSEC NSEC3 records with different type bitmap for same name.

Component: Global Traffic Manager

Symptoms:
For a delegation from a secure zone to an insecure zone, BIG-IP returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, our DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend (BIND, if it is selected as the fallback). Without a ZSK/KSK for an insecure child zone, BIND responds with the SOA, which we dynamically sign.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.

Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.


588572-2 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU. User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU) in the advanced TCP implementation.


588569-2 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
The TCP segment size is 40 bytes smaller than it should be.

Conditions:
The ICMP implementation is using Path MTU (PMTU) discovery. The user enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by running the following command:

tmsh modify sys db tm.enforcepathmtu value disable

Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU in the advanced TCP implementation.


588351-3 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.


588115-4 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may crash in some specific scenarios if there is an overlapping, more specific route covering the floating self-IP range configured on the unit.

Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.

Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.


587966-5 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Component: Local Traffic Manager

Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
A Type DNS Query dropped intermittently.

Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.

Fix:
Type A requests no longer dropped when A and AAAA DNS Query requested at the same time with the same source IP and Port.


587892 : Multiple iRule proc names might clash, causing the wrong rule to be executed.

Component: Local Traffic Manager

Symptoms:
Multiple iRule proc names might clash, causing the wrong rule to be executed.

Conditions:
This occurs when there is an iRule configured with more than one proc, which might cause the wrong proc to get executed.

Impact:
The call proc might execute the wrong proc.

Workaround:
None.

Fix:
Multiple iRules configured with more than one proc no longer cause the wrong proc to get executed.


587691-2 : TMM crashes upon SSL handshake cancellation.

Component: Local Traffic Manager

Symptoms:
TMM crashes upon SSL handshake cancellation.

Conditions:
SSL handshake cancellation.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when SSL handshake is canceled.


587077-4 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Vulnerability Solution Article: K37603172


586878-1 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
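As an added example (not F5's tooling), the following Python script scans a bigip.conf excerpt for client-ssl profiles that would fail the cert/key validation described above: a cert or key of none or 'default', and cert-key-chain entries with no cert and key. The sample configuration is constructed here, and the script assumes that a profile explicitly setting inherit-certkeychain true takes its chain from the parent and skips it.

```python
"""Pre-upgrade check for clientssl profiles with an empty or 'default' cert/key (added example)."""
import re

# Constructed sample bigip.conf excerpt (not from a real device): two profiles in the shapes
# the release note describes (empty chain entry, cert/key of 'default') plus one valid profile.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_default-only {
    cert default
    cert-key-chain {
        default { }
    }
    inherit-certkeychain false
    key default
}
ltm profile client-ssl /Common/cssl_ok {
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key /Common/default.key
}
"""

PROFILE_RE = re.compile(r"^ltm profile client-ssl (\S+)$")
ENTRY_RE = re.compile(r"^(\S+)\s*\{\s*(\})?\s*$")  # `name {` opens a body; `name { }` is already closed
MISSING = {None, "", "none", "default"}            # cert/key values the 11.5.4+ validation rejects


def split_top_level_objects(conf_text):
    """Return (header, body_lines) per top-level `... { ... }` object, tracking brace depth."""
    objects, header, body, depth = [], None, [], 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0:                       # expecting an object header such as `ltm pool x {`
            if "{" in line:
                header, body, depth = line[: line.index("{")].strip(), [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            objects.append((header, body))   # closing brace of the object
        else:
            body.append(line)
    return objects


def analyse_client_ssl(body):
    """Collect top-level cert/key, the inherit-certkeychain flag and every cert-key-chain entry."""
    info = {"cert": None, "key": None, "inherit": None, "chain": {}}
    state, entry = "top", None
    for line in body:
        k, _, v = line.partition(" ")
        if state == "top" and line == "cert-key-chain {":
            state = "chain"
        elif state == "top" and k in ("cert", "key", "inherit-certkeychain"):
            info[k.split("-")[0]] = v        # inherit-certkeychain -> info["inherit"]
        elif state == "chain" and line == "}":
            state = "top"
        elif state == "chain" and (m := ENTRY_RE.match(line)):
            entry, info["chain"][m.group(1)] = m.group(1), {}
            state = "chain" if m.group(2) else "entry"
        elif state == "entry" and line == "}":
            state = "chain"
        elif state == "entry":
            info["chain"][entry][k] = v
    return info


def has_usable_pair(info):
    """True when the profile carries a complete cert/key pair, as the upgrade validation requires."""
    if info["inherit"] == "true":            # assumption: the parent's chain is used, not checked here
        return True
    pairs = [info] + list(info["chain"].values())
    return any(p.get("cert") not in MISSING and p.get("key") not in MISSING for p in pairs)


def find_invalid_client_ssl_profiles(conf_text):
    """Return names of client-ssl profiles that would fail to load after the upgrade."""
    return [m.group(1) for header, body in split_top_level_objects(conf_text)
            if (m := PROFILE_RE.match(header)) and not has_usable_pair(analyse_client_ssl(body))]


if __name__ == "__main__":
    for name in find_invalid_client_ssl_profiles(SAMPLE_BIGIP_CONF):
        print("fix before upgrading:", name)
```

Run it against a copy of /config/bigip.conf taken before the upgrade; every profile it lists should be removed or given a real cert/key pair first.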


586738-3 : The tmm might crash with a segfault.

Component: Local Traffic Manager

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When IPsec is configured with hardware encryption, an encryption error now returns an error code when appropriate and is handled as expected, so tmm no longer crashes with a segfault.


586718-5 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see logs similar to the following, with the encrypted password logged:

debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitution should not be logged, even if it is secure.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.

Fix:
Session variable substitutions are no longer logged.


586056 : Machine cert checker doesn't work as expected if issuer or AltName is specified

Component: Access Policy Manager

Symptoms:
Windows Machine cert checker doesn't work as expected if issuer or AltName is specified. User cannot pass access policy even with valid machine cert.

Logs such as the following may be produced on the client PC:

EXCEPTION - CCertCheckCtrl::Verify FindCertificateInStore failed with error code:

and

CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"1", Allow elevation UI:"0", Serial number(HEX):"", Issuer:"??????????????????????", SubjectAltName:""

Conditions:
Issuer or Subject AltName fields are populated.

Site recently upgraded to 11.5.4.

Impact:
User may not pass the policy as expected.

Workaround:
N/A

Fix:
Now Machine Cert checker correctly processes issuer and SAN fields.


586006-5 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certificate revocation checking fails.

Conditions:
Both of the following conditions must be met to trigger this problem:
1. A CRLDP agent is configured in the access policy without the server hostname and port, which are needed for DirName type processing.
2. At least one DirName type CRLDP is present in the client certificate, and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certification is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585412-1 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset cause of 'Out of memory' and the email is not delivered.

Workaround:
None.

Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.


585045 : ASM REST: Missing 'gwt' support for urlContentProfiles

Component: Application Security Manager

Symptoms:
A URL's header content profile cannot be set to 'gwt' via REST, and if such a configuration exists on the device, then REST will fail to retrieve the collection.

Conditions:
ASM REST is used to configure or inspect URLs on a Security Policy, and GWT profiles are used.

Impact:
Unusable REST for the collection.

Workaround:
None.

Fix:
GWT profiles on URLs are now correctly supported via REST.


584717 : TCP window scaling is not applied when SYN cookies are active

Component: Local Traffic Manager

Symptoms:
TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window.

Conditions:
SYN cookies have been activated.

Impact:
Poor performance / throughput.

Workaround:
None

Fix:
The tmm now properly scales the TCP window upon SYN cookie activation.


584373-1 : AD/LDAP resource group mapping table controls are not accessible sometimes

Component: Access Policy Manager

Symptoms:
In the AD/LDAP resource group mapping dialog, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the dialog bounds.

Conditions:
Very long group names and resource names.

Impact:
Rows in the table cannot be deleted or moved; editing is still possible.

Workaround:
Spread one assignment across multiple rows.

Fix:
A scroll bar now appears when needed.


584310 : TCP::Collect ignores the 'skip' parameter when used in serverside events

Component: Local Traffic Manager

Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start.

Conditions:
TCP::Collect on server-side events like SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that has been observed only with IIS servers.

Impact:
TCP::Collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.

Workaround:
None.

Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.


584029-7 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
tmm cores due to an assertion failure.

Conditions:
tmm offloads a fragmented packet via an ffwd operation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


583957-3 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.

Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.


583936-1 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Fix:
ECMP routes are now properly removed from the routing table.


583631-1 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Component: Local Traffic Manager

Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Impact:
The connection fails. The system might generate an alert.

Workaround:
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'options' section of the Server SSL profile.

Fix:
When the db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the outer SSL record always contains TLS1.0. You can use this db variable to avoid the issue with older servers that do not support TLS versions later than 1.0, which might otherwise generate an alert and close the connection.

Behavior Change:
Formerly, the version in the ClientHello and the version in the outer record always matched. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the version in the outer record is TLS 1.0 regardless of the version in the ClientHello.
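As an added illustration of the record-layer version versus ClientHello client_version mismatch this entry describes (example code, not F5 code): the ClientHello bytes are constructed, and the rewrite helper only mimics the effect of the 'SSL.OuterRecordTls1_0' setting on the outer record header.

```python
"""Inspect the outer TLS record version against the ClientHello client_version.

Constructed example: the ClientHello body is minimal (zeroed random, one
cipher suite, null compression) so only the two version fields matter.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01

TLS_VERSION_NAMES = {
    (3, 1): "TLS1.0",
    (3, 2): "TLS1.1",
    (3, 3): "TLS1.2",
}


def build_client_hello_record(record_version, client_version):
    """Build a minimal TLS record carrying a ClientHello (constructed, not real traffic).

    record_version / client_version are (major, minor) tuples such as (3, 3).
    """
    random_bytes = bytes(32)                 # 32-byte client random, zeroed here
    session_id = b"\x00"                     # zero-length session id
    cipher_suites = b"\x00\x02\x00\x2f"      # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                # one method: null
    body = bytes(client_version) + random_bytes + session_id + cipher_suites + compression
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(record_version) + struct.pack("!H", len(handshake))
    return header + handshake


def inspect_client_hello(record):
    """Parse the record header and the ClientHello client_version.

    Returns both versions (named where known) plus a flag telling whether the
    outer record advertises something newer than TLS1.0, which is the case an
    old TLS1.0-only server may answer with an alert.
    """
    if len(record) < 11 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version = (record[1], record[2])
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    if record[5] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_len != rec_len - 4:
        raise ValueError("handshake length mismatch")
    client_version = (record[9], record[10])
    return {
        "record_version": TLS_VERSION_NAMES.get(record_version, str(record_version)),
        "client_version": TLS_VERSION_NAMES.get(client_version, str(client_version)),
        "outer_record_above_tls10": record_version > (3, 1),
    }


def rewrite_outer_record_to_tls10(record):
    """Mimic the fixed behaviour (SSL.OuterRecordTls1_0 = enable):
    the outer record header carries TLS1.0 regardless of the ClientHello version."""
    inspect_client_hello(record)  # validate the input before touching it
    return record[:1] + b"\x03\x01" + record[3:]


if __name__ == "__main__":
    before = build_client_hello_record((3, 3), (3, 3))   # pre-fix: both fields TLS1.2
    after = rewrite_outer_record_to_tls10(before)        # fixed: outer record TLS1.0
    print("before:", inspect_client_hello(before))
    print("after: ", inspect_client_hello(after))
```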


583285-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part two of a two-part fix. Fixes for bug 569236 provide part one of the fix.


582952 : Linux kernel vulnerability CVE-2013-4483

Vulnerability Solution Article: K31300371


582683-1 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML profile and an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A

Fix:
Fixed the xpath parser: the namespace declaration is now restored each time the xpath parser finishes parsing the document.


582440-1 : Linux client does not restore route to the default GW on Ubuntu 15.10

Component: Access Policy Manager

Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.

Conditions:
Ubuntu 15.0; a network access tunnel is connected and then disconnected.

Impact:
User will not be able to reach internet after disconnecting from network access.

Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging the cable and plugging it back in should solve the problem.


582295 : ospfd core dump when redistributing NSSA routes in a HA failover

Component: TMOS

Symptoms:
ospfd dumps core when NSSA routes are redistributed.

Conditions:
A failover is initiated through the GUI on a BIG-IP high availability (HA) configuration, and the standby BIG-IP system cannot take the active role due to a low HA score, so the original active BIG-IP system takes the active role back.

Impact:
ospfd terminates on the BIG-IP system leading to connectivity issues until the ospfd comes up.

Workaround:
None.

Fix:
ospfd no longer crashes when redistributing NSSA routes in an HA failover event.


581834-3 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.

Conditions:
Clients using Firefox v47 and above attempt to use the Firefox plugin.

Impact:
Clients are unable to use the plugin if they are using Firefox version 47 and above.

Fix:
The Firefox plugin now supports all versions.


581770-1 : Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6

Component: Access Policy Manager

Symptoms:
Network Access clients are unable to pass IPv6 traffic

Conditions:
Network Access resource configured with IPv4&IPv6
Client attempts to pass IPv6 traffic

Impact:
IPv6 traffic is dropped

Fix:
APM will now pass IPv6 traffic through the tunnel if an IPv4&IPv6 resource is configured.


580817-4 : Edge Client may crash after upgrade

Component: Access Policy Manager

Symptoms:
The Edge client may crash after upgrading to 11.4.1 through 12.0.0.

Conditions:
Access Policy with Firewall Checker
Update BIG-IP to 12.1.0

Impact:
Users are unable to use the Edge client

Fix:
Fixed a crash in the Edge client


580596-5 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: K14190 K39508724


580429-3 : CTU does not show second Class ID for InstallerControll.dll

Component: Access Policy Manager

Symptoms:
The Client Troubleshooting Utility does not display the registered class ID of InstallerControll.dll.

Conditions:
The Client Troubleshooting Utility is used to display all installed Edge client components.

Impact:
No impact to end user or administrator. Impacts F5 support.

Workaround:
None.

Fix:
CTU now shows the class ID of InstallerControll.dll.


580421-4 : Edge Client may not register DLLs correctly

Component: Access Policy Manager

Symptoms:
After an end-user confirms that they want to install InstallerControll.cab, the browser gets stuck in 'Checking client'.

Conditions:
The client is using Internet Explorer.

Impact:
Clients are unable to install the Edge client components.

Fix:
Edge client components are now properly registered.


580340-4 : OpenSSL vulnerability CVE-2016-2842

Vulnerability Solution Article: K52349521


580313-4 : OpenSSL vulnerability CVE-2016-0799

Vulnerability Solution Article: K22334603


580303-2 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.

Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.


579975-4 : OpenSSL vulnerability

Vulnerability Solution Article: K79215841


579955-4 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475

Vulnerability Solution Article: K01587042


579926-2 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode

Component: Local Traffic Manager

Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.

Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.

Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.

Workaround:
No workaround.


579919 : TMM may core when LSN translation is enabled

Component: Local Traffic Manager

Symptoms:
tmm cores.

Conditions:
A virtual server uses LSN translation with a destination that matches a pool-based route.

Impact:
Traffic disrupted while tmm restarts.

Fix:
A virtual server with LSN translation no longer causes tmm to core when the destination matches a pool-based route.


579909-3 : Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error

Component: Access Policy Manager

Symptoms:
The secondary blade MCPD exits when APM Sandbox tries to log a warning message after failing to remove the corresponding sandbox directory /var/sam/www/webtop/sandbox/files_d/<partition_name>_d while the user is removing the partition.

There are multiple cases that can log this kind of Sandbox warning message and cause an mcpd crash and/or tmm crash. APM can log the warning if it encounters a directory that is not empty, or if the directory does not exist. You will see this error signature in /var/log/ltm:

Mar 11 11:36:49 slot2/viprion-3 warning mcpd[6022]: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: Directory not empty. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/

Conditions:
The sandbox directory corresponding to the partition that you are deleting cannot be removed on the secondary blade for any reason (for example, it does not exist or is not empty). This can occur on the secondary blades if you create a partition before provisioning APM, then delete the partition on the primary blade, and auto-sync is enabled in the device group.

Impact:
Secondary MCPD exits and blade restarts. Tmm can core. Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed so that the secondary MCPD no longer exits; it only logs the warning message, and the partition is deleted successfully.


579843-4 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair using dynamic routing.

Conditions:
- Active/Standby HA pair set up.
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
- Active unit has the following succession of failover states:
  Active->Offline->Online->Standby->Active

Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession of states listed above.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.

Fix:
tmrouted now re-announces RHI routes after this transition of failover states within an HA pair using dynamic routing.


579829-4 : OpenSSL vulnerability CVE-2016-0702

Vulnerability Solution Article: K79215841


579559-4 : DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration

Component: Access Policy Manager

Symptoms:
Network Access always falls back to a TLS connection even if DTLS is configured when connecting to some hardware platforms.

Conditions:
Network Access is configured to use DTLS.
A hardware BIG-IP with DTLS Nitrox acceleration is used.

Impact:
The Network Access connection always falls back to a TLS connection.

Workaround:
N/A

Fix:
Previously, Network Access always fell back to a TLS connection even if DTLS was configured when connecting to some hardware platforms. Network Access no longer falls back to TLS.


579371-1 : BIG-IP may generate ARPs after transition to standby

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.

Impact:
Unexpected ARP requests that might result in packet loops.

Workaround:
None.

Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.


579284-5 : Potential memory corruption in MCPd

Component: TMOS

Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.

Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").

Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.

Fix:
Identified and fixed areas of potential memory corruption in MCP.


579237-4 : OpenSSL Vulnerability CVE-2016-0705

Vulnerability Solution Article: K93122894


579220-2 : Mozilla NSS vulnerability CVE-2016-1950

Vulnerability Solution Article: K91100352


579085-3 : OpenSSL vulnerability CVE-2016-0797

Vulnerability Solution Article: K40524634


579047 : Unable to update the default http-explicit profile using the GUI.

Component: TMOS

Symptoms:
Trying to update default Local Traffic :: Profiles : Services : HTTP :: http-explicit profile, the system posts the following error: 'Some fields below contain errors. Correct them before continuing.' Under the 'Explicit Proxy' section for 'DNS Resolver' option, the system posts the following error: '010717e8:3: Invalid 'dns-resolver' value for profile /Common/http-explicit. The dns-resolver does not exist.'

Conditions:
Updating default http-explicit profile using the GUI.

Impact:
Error messages. Unable to update the default http-explicit profile using the GUI.

Workaround:
Use tmsh to update the default http-explicit profile.

Fix:
You can now update the default http-explicit profile without error using the GUI.


578844-3 : tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.

Component: Access Policy Manager

Symptoms:
tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.

Conditions:
NA resource with IPv4&IPv6 is used (SNAT pool in NA resource is set to None). User is connected to IPv4 Virtual server.
While connected user clicks on 'Change server' and chooses an IPv6 virtual server.

Impact:
Traffic disrupted while tmm restarts.


578570-3 : OpenSSL Vulnerability CVE-2016-0705

Vulnerability Solution Article: K93122894


578353-1 : Statistics data aggregation process is not optimized

Component: Application Visibility and Reporting

Symptoms:
CPU spikes may occur every 5 minutes

Conditions:
Occurs all the time

Impact:
High CPU usage may be observed every 5 minutes

Workaround:
For versions based on 11.5.4 and 11.6.0 take the following steps:

1. Edit the entry 'AggregationMode' under the /etc/avr/monpd/monpd.cfg file and set it to be 'low' instead of 'medium' or 'high'.

2. Restart monpd afterwards.

For 12.0.0 and on:
tmsh modify sys db avr.stats.aggregation value low

Fix:
The statistics aggregation process in the database, which is performed by monpd, has been optimized to skip redundant updates of tables.


578045-5 : The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks

Component: Local Traffic Manager

Symptoms:
The TMM crashes while resuming from an HTTP_PROXY_REQUEST event.

Conditions:
An HTTP_PROXY_REQUEST iRule event parks, and pipelined ingress occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't use parking iRule commands within the HTTP_PROXY_REQUEST event.

If a parking command must be used, the following may work:

Try using TCP::collect to disable ingress while a potentially parking iRule command executes. TCP::release can be used after the command completes to restore normal behavior.

Another workaround is to set max-requests to 1 (disabling pipelining).


577828-4 : BIND vulnerability CVE-2016-2088

Vulnerability Solution Article: K59692558


577826-3 : BIND vulnerability CVE-2016-1286

Vulnerability Solution Article: K62012529


577823-3 : BIND vulnerability CVE-2016-1285

Vulnerability Solution Article: K46264120


577814 : MCPd might leak memory in PEM stats queries.

Component: Policy Enforcement Manager

Symptoms:
Memory leak may result in an "Out of Memory" condition causing functional issues in the BIG-IP.

Conditions:
Occurs when a valid PEM stats query is issued by a UI (GUI, TMSH, REST, etc.) and PEM is configured on the BIG-IP.

Impact:
System may be unresponsive or crash due to being out of memory.

Workaround:
None.

Fix:
Fixed the potential MCPd memory leak in PEM stats queries.


577811 : SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms

Component: TMOS

Symptoms:
In BIG-IP v11.5.4, the behavior of the SNMP sysObjectID changed for VIPRION 2xxx-series platforms.
On other BIG-IP 10.x and 11.x versions running on VIPRION 2xxx-series platforms, the SNMP sysObjectID reports the ID of the Chassis (bigipVprC2400 or bigipVprC2200).
In BIG-IP v11.5.4 and v12.0.0 and later running on VIPRION 2xxx-series platforms, the SNMP sysObjectID reports the ID of the Blade (bigipVprB2100, bigipVprB2150, or bigipVprB2250).

In all versions of BIG-IP running on VIPRION 4xxx-series platforms, the SNMP sysObjectID reports the ID of the Blade (bigipPb100, bigipPb100n, bigipPb200, bigipPb200N, bigipVprB4300 or bigipVprB4300N).
In BIG-IP v12.0.0 and later running on VIPRION 2xxx-series platforms, the BIG-IP design is changed such that the SNMP sysObjectID reports the ID of the Blade (bigipVprB2100, bigipVprB2150, or bigipVprB2250), consistent with VIPRION 4xxx-series platforms.
[See Solution article for ID 425331, when published.]

Conditions:
VIPRION C2400 and C2200 chassis
VIPRION B2100, B2150 and B2250 blades
BIG-IP v11.5.4 (release)

Impact:
SNMP queries to identify VIPRION 2xxx-series platforms return the Blade ID instead of the Chassis ID, requiring changes in how the returned sysObjectID is interpreted.

Workaround:
Identify a VIPRION 2xxx-series platform by the appropriate Blade ID (bigipVprB2100, bigipVprB2150, or bigipVprB2250), instead of by the Chassis ID (bigipVprC2400 or bigipVprC2200).

Fix:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports the ID of the Chassis, to match the behavior on VIPRION 2xxx-series platforms with previous BIG-IP versions 10.2.x and 11.x.

Behavior Change:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Chassis, to match the behavior on VIPRION 2xxx-series platforms with previous BIG-IP versions 10.2.x and 11.x.

Previously, SNMP sysObjectID reported the ID of the Blade on VIPRION 2xxx-series platforms, to match the behavior on VIPRION 4xxx-series platforms.


577668-2 : ASM Remote logger doesn't log 64 KB request.

Component: Application Security Manager

Symptoms:
A request longer than 10 KB is truncated to 10 KB in the ASM remote logger although the remote logger is configured to log up to 64 KB requests.

Conditions:
The remote logger is configured with a maximum request size of 64 KB.
A request is longer than 10 KB.

Impact:
Incorrect request size in the log.

Workaround:
N/A

Fix:
ASM can now log requests up to 64 KB. (The actual size depends on the total message size and the other fields in the message.)


576897-2 : Using snat/snatpool in related-rule results in crash

Component: Local Traffic Manager

Symptoms:
TMM crash resulting in failover.

Conditions:
Using snat/snatpool command in related-rule.

Impact:
TMM crash resulting in failover.

Workaround:
Do not use snat/snatpool commands in a related-rule.


576591-3 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in the specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern is possible for these cases, but should be adjusted to each customer specifically.


576350-3 : External input from client doesn't pass to policy agent if it is not the first in the chain.

Component: Access Policy Manager

Symptoms:
When client gets authenticated, and then the session is deleted (times out or is manually deleted from memcache), the browser still has its authorization token.

If client refreshes the page, the browser passes the existing 'authorization' token, which gets deleted by the agent processing the existing task (a message box, in this case) for the targeted agent (HTTP_401_Response agent, in this case).

Conditions:
When a logon page is not the first agent in the access policy chain and it gets a pre-authenticated token from browser.

Impact:
Although the client (browser) sends the pre-authenticated token, the browser still posts a credential challenge (pop-up window). This is unnecessary and should not occur.

Workaround:
None.

Fix:
An HTTP_401_RESPONSE page can be placed anywhere in the access policy chain. Any pre-authenticated information for the targeted agent will not be consumed by another agent sitting in front.


576314 : SNMP traps for FIPS device fault inconsistent among versions.

Component: Local Traffic Manager

Symptoms:
The snmp traps bigipFipsDeviceError and bigipFipsFault are inconsistent among versions.

Conditions:
This trap is raised if the FIPS device firmware has stopped responding to requests and is no longer functional. The trap is different on the BIG-IP 10350 FIPS platform.

Impact:
The meaning of the trap is that the system is not able to perform any FIPS operations and process FIPS related traffic. You will need to be mindful of which version you are on to interpret the OIDs correctly.

Fix:
An SNMP trap is generated when the system has detected a FIPS device fault indicating that the device can no longer service FIPS operations. The OIDs differ across versions and on one specific platform. Here are the OIDs and versions:

BIGIP-COMMON-MIB::bigipFipsDeviceError .1.3.6.1.4.1.3375.2.4.0.152
This trap means "Encountered error in the FIPS card operation" on all FIPS platforms

BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.156 (from v11.5.4-hf1 and 11.6.1, not 12.0.0)
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.166 (from v12.1.0)
These traps mean "The FIPS card is currently in faulty state" for the specific FIPS hardware included on the BIG-IP 10350


576305-1 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.


576296-1 : MCPd might leak memory in SCTP profile stats query.

Component: Local Traffic Manager

Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Workaround:
None.

Fix:
Resolved a memory leak in mcpd resulting from a query of SCTP profile stats.


576069-1 : Rewrite can crash in some rare corner cases

Component: Access Policy Manager

Symptoms:
Rewrite can crash in some rare corner cases when specific erroneous elements are present in HTML content.

Conditions:
Any of the strings:

<meta http-equiv="refresh" />
<meta http-equiv="location" />
<param name="general_servername" />
<param name="wmode" />

triggers a guaranteed rewrite crash.

Impact:
Web application malfunction.

Workaround:
Use an iRule, or directly fix the improper HTML tag.

Fix:
Fixed.


575735-1 : Potential MCPd leak in global CPU info stats code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying global CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying global CPU information stats.


575726-1 : MCPd might leak memory in vCMP interface stats.

Component: TMOS

Symptoms:
MCPd might leak memory in vCMP interface stats.

Conditions:
The memory leak occurs when viewing VCMP interface statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying vCMP interface stats.


575716-1 : MCPd might leak memory in VCMP base stats.

Component: TMOS

Symptoms:
MCPd might leak memory in VCMP base stats.

Conditions:
This occurs when looking at VCMP base statistics.

Impact:
Over time this might cause MCPd to run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying VCMP base stats.


575708-1 : MCPd might leak memory in CPU info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in CPU info stats.

Conditions:
In some cases, querying CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying CPU information stats.


575671-1 : MCPd might leak memory in host info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in host info stats.

Conditions:
In some cases, querying host information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying host information stats.


575631-2 : Potential MCPd leak in WAM stats query code

Component: WebAccelerator

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying WAM stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying WAM stats.


575626-6 : Minor memory leak in DNS Express stats error conditions

Component: Local Traffic Manager

Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.

Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.

Impact:
Memory leaks might eventually lead to system reboots.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur in certain error conditions relating to DNS Express statistics.


575619-1 : Potential MCPd leak in pool member stats query code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying pool member stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying pool member stats.


575612-4 : Potential MCPd leak in policy action stats query code

Component: Local Traffic Manager

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying policy action stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying policy action stats.


575609-4 : Zlib accelerated compression can result in a dropped flow.

Component: Access Policy Manager

Symptoms:
Some compression requests fail when the estimated compression output block is too small. Such errors log a message similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.

Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.

Impact:
The flow that encounters the error is dropped.

Workaround:
Disable hardware accelerated compression.

Fix:
Difficult-to-compress requests may be dropped.


575608-1 : MCPd might leak memory in virtual server stats query.

Component: TMOS

Symptoms:
MCPd might leak memory in virtual server stats query.

Conditions:
In some cases, querying virtual server stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying virtual server stats.


575587-1 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.


575582-1 : MCPd might leak memory in FW network attack stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW network attack stats.

Conditions:
This occurs when looking at firewall network attack statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575571-1 : MCPd might leak memory in FW DOS SIP attack stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.

Conditions:
This occurs when looking at firewall DOS SIP stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575569-1 : MCPd might leak memory in FW DOS DNS stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS DNS stats query.

Conditions:
This occurs when looking at firewall DOS DNS statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575565-1 : MCPd might leak memory in FW policy rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW policy rule stats query.

Conditions:
This occurs when looking at firewall policy rule stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575564-1 : MCPd might leak memory in FW rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats query.

Conditions:
This occurs when looking at firewall rule statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575557-2 : MCPd might leak memory in FW rule stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats.

Conditions:
This occurs when looking at firewall rule statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575499-3 : VPN filter may leave renew_lease timer active after teardown

Component: Access Policy Manager

Symptoms:
TMM cores, making the system unavailable for a period of time until it comes back up.

Conditions:
When using both IPv4 and IPv6 network access resources, with a static IP address for IPv4 and dynamic address assignment for IPv6, tmm cores while the NA tunnel is running or at NA disconnect time.

Impact:
TMM cores and brings down the system.

Workaround:
N/A

Fix:
A stale renew_lease timer in vpn_ctx no longer causes TMM to core.


575321-1 : MCPd might leak memory in firewall stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in firewall stats.

Conditions:
This occurs when looking at firewall stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575292-2 : DNS Relay proxy service does not respond to SCM commands in timely manner

Component: Access Policy Manager

Symptoms:
The DNS relay proxy service may appear unresponsive when stopped or started through the Service Control Manager, and the user may see a system dialog box saying "Service did not respond in a timely manner".

Conditions:
The DNS relay services component of the Edge Client is installed on the user's machine.

Impact:
Usability: the user may think that the service has failed.

Workaround:
Wait for the service to report its proper status.

Fix:
The service now reports the correct status to the Service Control Manager immediately.


575027-3 : Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.

Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.


575011-9 : Memory leak. Nitrox3 Hang Detected.

Component: Local Traffic Manager

Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly

Fix:
Repaired memory leak.


574781-3 : APM Network Access IPV4/IPV6 virtual may leak memory

Component: Access Policy Manager

Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, xhead and xdata caches grow over time. Additionally, the ppp_npmode_errors in the ppp stat table will increment with each leak.

Conditions:
APM virtual server with Network Access configured with IPv4 and IPv6.

Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.

Workaround:
No workaround short of not enabling IPv6.

Fix:
APM Network Access now correctly manages its memory resources.


574318-4 : Unable to resume session when switching to Protected Workspace

Component: Access Policy Manager

Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error

Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace

Impact:
Client browser cannot render the protected workspace

Fix:
Fixed an issue preventing Windows clients from using Protected Workspace


574262 : Rarely encountered lockup for N3FIPS module when processing key management requests.

Component: Local Traffic Manager

Symptoms:
The N3FIPS module does not respond to key management requests.

Conditions:
No specific condition has been identified for this failure.

Impact:
Existing data continues to forward, but new traffic keys fail. MGMT locks up. This is a rarely encountered issue.

Workaround:
An SNMP trap is generated when N3FIPS is locked up. The trap informs the user that the BIG-IP system must be rebooted. Rebooting clears the condition.

Fix:
The N3FIPS module no longer experiences occasional lockups when processing key management requests.


574214-2 : Content Based Routing daemon (cbrd) logging control

Component: Application Security Manager

Symptoms:
The cbrd logger might not produce enough useful output for troubleshooting purposes, and debug logging is not available.

Conditions:
Using an XML profile, and you would like the xpath output written to a log file.

Impact:
Unable to see the xpath information.

Fix:
It is now possible to enable xpath logging by adding these lines to /etc/cbr/logger.cfg:

MODULE=CBR_PLUGIN;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;

Then:
bigstart restart cbrd


574153-3 : If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.

Component: Local Traffic Manager

Symptoms:
If an SSL connection gracefully begins to disconnect at the same time as data is being encrypted by SSL acceleration hardware, the connection will remain open until the TCP profile timeout occurs instead of being closed immediately. This can cause unwanted higher memory usage, possibly causing crashes elsewhere.

Conditions:
* A virtual server with ClientSSL or ServerSSL profile.
* BIG-IP SSL acceleration hardware.
* While an SSL record is being encrypted by SSL accelerator hardware, the SSL connection begins to close by client TCP FIN or by any iRule command that closes the connection.

Impact:
There is a potential for higher memory usage, which in turn may cause TMM crash due to memory exhaustion resulting in service disruption.

Workaround:
If the affected SSL traffic does not include any long idle periods, memory consumption can be mitigated by reducing the idle timeout of the TCP or SCTP profile.

Fix:
SSL connections now disconnect normally if a disconnect attempt occurs while data is being encrypted by SSL acceleration hardware.


574116-3 : MCP may crash when syncing configuration between device groups

Component: TMOS

Symptoms:
mcpd on the sync target crashes when syncing configuration.

Conditions:
This can occur when a local non-synced object references an object that is synced (such as a local-only virtual server referencing a synced iRule), and a non-synced object on the target machine happens to be referencing the same synced object. In this condition, mcpd could crash if objects in a sync group are deleted and synced.

Impact:
Outage due to mcp crash which causes tmm to restart.

Workaround:
When you have devices with local-only resources that are referencing objects contained in a sync/failover group, avoid deleting any objects (such as iRules) that might be referenced by other local-only resources on other devices. Instead of a "this object is in use" error, mcpd on the target machine will crash.

Fix:
The existence of rule objects is now verified when validating the configuration.


574073 : Support for New Platform: BIG-IP 10350 FIPS with NEBS support

Component: Local Traffic Manager

Symptoms:
New platform introduction

Conditions:
New platform introduction

Impact:
New platform introduction


574045-3 : BGP may not accept attributes using extended length

Component: TMOS

Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.

Conditions:
Neighbor sends path attributes using extended length.

Impact:
The BGP adjacency will repeatedly bounce and the RIB will never converge.

Fix:
Received BGP attributes using extended length are no longer rejected.


573581-2 : DNS search suffixes are not restored properly in some cases after VPN establishment

Component: Access Policy Manager

Symptoms:
A DNS suffix that was modified after VPN establishment and closure may result in failure to resolve some DNS names.

Conditions:
DNS Relay proxy service is stopped in the middle of VPN session.
User's machine is rebooted.

Impact:
DNS suffixes are not restored properly which may lead to incorrect resolution of certain DNS names.

Workaround:
Any of the following workarounds:
1) Do not stop the DNS relay proxy service in the middle of a VPN session.
2) Restore the DNS search suffixes manually.


573529 : F-bit is not set in IPv6 OSPF Type-7 LSAs

Component: TMOS

Symptoms:
The forwarding address and the F-bit are not set in Type-7 LSAs sent out by the ASBR.

Conditions:
Virtual IP from a virtual server is redistributed as a Type-7 route by the ASBR.

Impact:
ABR routers are not able to propagate NSSA routes to other OSPF areas as External Type-5 routes. As a result, OSPF areas cannot reach external networks.

Fix:
ASBR sets the F-bit and forwarding address correctly.


573429-2 : APM Network Access IPv4/IPv6 virtual may leak memory

Component: Access Policy Manager

Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, connflow and tunnel_nexthop caches grow over time.

Conditions:
APM virtual server with Network Access configured with no SNAT and both IPv4 and IPv6 enabled.

Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.

Workaround:
No workaround short of not enabling IPv6 support.

Fix:
Network Access now correctly manages its memory resources.


573406-2 : ASU cannot be completed if license was last activated more than 18 months before

Component: Application Security Manager

Symptoms:
Attack Signature Update (ASU) cannot be completed if the license was last activated more than 18 months before.

Conditions:
The license was last activated more than 18 months before.

Impact:
Attack Signature Update (ASU) cannot be performed.

Workaround:
The license must be re-activated.

Fix:
Attack Signature Update (ASU) can now be completed based on a license retrieved from server.


573343-4 : NTP vulnerability CVE-2015-8158

Vulnerability Solution Article: K01324833


573124-5 : TMM vulnerability CVE-2016-5022

Vulnerability Solution Article: K06045217


572922-3 : Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.

Component: Application Security Manager

Symptoms:
The following error is produced in ASM log during upgrade:
-----------
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
-----------

Conditions:
ASM provisioned

Impact:
Different portions of the security policy may be incorrectly upgraded.

Workaround:
N/A

Fix:
We have fixed the root cause so that the following error does not reproduce upon upgrading:
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>


572893-5 : error "The modem (or other connecting device) is already in use or is not configured properly"

Component: Access Policy Manager

Symptoms:
Clients get the error "The modem (or other connecting device) is already in use or is not configured properly".

Conditions:
The exact reproduction steps are not known, but it was seen to occur on certain Windows 10 clients where the access components were removed and login was attempted afterward.

Impact:
Clients will be unable to connect to the VPN.

Workaround:
Rebooting might correct the issue on the client machine.

Fix:
Network Access will no longer fail on client machines that first uninstall the components and then attempt to reconnect.


572600 : mcpd can run out of file descriptors

Component: TMOS

Symptoms:
Mcpd crashes with the log message err mcpd[8835]: 01071070:3: Failed to open file /config/BigDB.dat.tmp with error 24

Conditions:
This can happen in multiple ways; in this case it was detected while running BIG-IQ policy sync.

Impact:
Mcpd can crash, rendering the system unstable.

Fix:
A crash related to mcpd running out of file descriptors has been fixed.


572563-4 : PWS session does not launch on Internet Explorer

Component: Access Policy Manager

Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).

Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services, which Internet Explorer (IE) consumes. The DLL is loaded by IE during an upgrade of the PWS components. For some reason (especially on slow systems), IE does not unload the old DLL promptly after upgrading PWS, so when the COM services are invoked to initialize PWS after the upgrade, the old DLL provides the service. Due to the recent renewal of our signing certificate, the old DLL cannot certify the integrity of the new PWS components. We have researched the issue, but we have not found a way to instruct IE to unload the old DLL after the upgrade.

Impact:
PWS session does not launch.

Workaround:
After the upgrade, if Internet Explorer (IE) does not enter PWS within 60 seconds, close IE and start a new session. This is a one-time event.

Fix:
Internet Explorer can now launch a Protected Workspace session.


572543-4 : User is prompted to install components repeatedly after client components are updated.

Component: Access Policy Manager

Symptoms:
After auto-update of the client components from Internet Explorer, the user is prompted to install the components again when returning to the VPN site.

Conditions:
The administrator upgrades BIG-IP to 12.1.
The user has client components from a release older than 12.1.

Impact:
The user is repeatedly prompted to install the components.

Workaround:
Restart browser after components are updated the first time.


572495-4 : TMM may crash if it receives a malformed packet CVE-2016-5023

Vulnerability Solution Article: K19784568


572281-3 : Variable value in the nested script of a foreach command gets reset when there is a parking command in the script

Component: Local Traffic Manager

Symptoms:
When there is something like the following script:

foreach a [list 1 2 3 4] {
   set a 10
   after 100
}

The script contains a parking command, after, which runs after "set a 10". When the after command returns, the value of a goes back to the value assigned by the foreach iteration, and the value 10 is lost.

Conditions:
There is a parking command in the nested script of a foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962

Impact:
Variable values get reset.

Workaround:
Set (or set again) the variable value after the parking command.

Fix:
This will be fixed in a later release.


572224 : Buffer error due to RADIUS::avp command when vendor IDs do not match

Component: Service Provider

Symptoms:
Errors similar to the following in the ltm log:

err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within 'RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6'.

Conditions:
The issue happens when there is a RADIUS::avp command for a vendor specific AVP and there's a RADIUS request that contains a different vendor-id than what was specified in the iRule command.

Impact:
You are unable to use vendor-specific RADIUS AVP commands.

Workaround:
None.

Fix:
Vendor-specific RADIUS AVP commands no longer generate errors.


572133-3 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This will be seen if you are watching stderr for error messages.

Conditions:
There are no special conditions; every time the command is run, it sends some status-type messages to stderr.

Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command now sends the status messages to stdout.


571573-3 : Persistence may override node/pmbr connection limit

Component: Local Traffic Manager

Symptoms:
In certain circumstances the BIG-IP system may load balance connections to a node or pool member over the configured connection limit.

Conditions:
- Node or pool member configured with connection limit.
- L4 or L7 virtual server.
- Persistence configured on the Virtual Server.
- Very high load on unit.

Impact:
BIG-IP system may load balance connections to a node or pool member over the configured connection limit.

Workaround:
Remove persistence or use another method of limiting the connections (rate limiting or connection limit on the Virtual Server).

Fix:
The BIG-IP system now correctly enforces the pool member/node connection limit.


571344-2 : SSL Certificate with special characters might cause exception when GUI retrieves items list page.

Component: TMOS

Symptoms:
After upgrading, you are unable to view certain certificates from the GUI. The catalina.out file may contain the signature MalformedByteSequenceException: Invalid byte 2 of 3-byte UTF-8 sequence.

iControl SOAP methods
====================
Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 will return an exception if returning a certificate with special characters.

Conditions:
SSL Certificate with special characters might cause exception when GUI retrieves items list page. This has been observed on upgrades to BIG-IP version 11.5.4 through 12.0.0.

Impact:
The GUI does not display the page containing certificate information. iControl SOAP cannot return a list of certificates if they contain information with special characters.

Workaround:
None.

Fix:
The GUI now correctly displays certificates with special characters, and iControl SOAP methods Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 no longer return exceptions.


571210-3 : Upgrade, load config, or sync might fail on large configs with large objects.

Component: TMOS

Symptoms:
Attempting to load a large config with large objects may result in the following error message:

err mcpd[7366]: 01070710:3: Database error (52), Can't write blob data, attribute:implementation status:52 - EdbBlobData.cpp, line 57

Attempting to synchronize a large change may result in the following error messages and a crash of the MCPD process:

err mcpd[8210]: 01071693:3: Incremental sync: Caught an exception while adding a transaction to the incremental config sync cache: unexpected exception.

err mcpd[8210]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: Can't write blob data, attribute:msgs status:52

err mcpd[8210]: 01070596:3: An unexpected failure has occurred, request_group destroyed while processing, exiting...

Conditions:
The config must be approximately 19.75 MB (slightly less) prior to processing a large object in the config that exceeds 256 KB.

Or, once config exceeds 19.75 MB and 2 MB of additional memory has been allocated, processing config objects that exceed 256 KB (the larger, the more likely to occur) lead to the error.

Impact:
Upgrade, load config, or sync might fail, and a system crash and restart might occur.

Workaround:
Stagger the load, or reduce the size of particularly large objects within a config.

Fix:
Memory handling is improved so that large configs with large objects now successfully complete upon upgrade, load config, or sync.


571183-3 : Bundle-certificates Not Accessible via iControl REST.

Component: Local Traffic Manager

Symptoms:
Bundle-certificates Not Accessible via iControl REST.

Conditions:
This occurs when using iControl REST to look at bundle certificates via /mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt/bundle-certificates

Impact:
Unable to get data from the command.

Workaround:
If you do not need to do it via iControl REST, you can view bundle certificates using the tmsh command tmsh list sys file ssl-cert ca-bundle.crt bundle-certificates

Fix:
The iControl REST command for viewing bundle-certificates now displays all of the certificates.


571090-1 : When BIG-IP is used as SAML IdP, tmm may restart under certain conditions

Component: Access Policy Manager

Symptoms:
tmm restarts.

Conditions:
It is not known exactly what the conditions are, but this occurs when BIG-IP is configured as SAML IdP.

Impact:
Tmm may restart.

Workaround:
None


571019-2 : Topology records can be ordered incorrectly.

Component: TMOS

Symptoms:
Topology records can contain missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IP systems in a sync group.

Conditions:
When adding or deleting topology records, or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues, including differences in the ordering of topology records on BIG-IP systems in a sync group.

Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IP systems in a sync group.

Workaround:
None.

Fix:
Topology records are now ordered consistently.


571003-4 : TMM Restarts After Failover

Component: Access Policy Manager

Symptoms:
TMM generates core file and restarts.

Conditions:
1. In an HA pair running a version prior to 11.5.3-HF2 or 11.6.0-HF6, the standby is upgraded to 11.6.0-HF6 EHF 186, 241, 243, or 247.
2. Force failover.
3. A new session is established or an existing session terminated.

Impact:
Service is disrupted. All existing sessions are terminated.

Workaround:
None.

Fix:
TMM no longer generates core file and restarts upon upgrade.


570716-1 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736

Vulnerability Solution Article: K10133477


570667-10 : OpenSSL vulnerabilities

Vulnerability Solution Article: K64009378


570663-2 : Using iControl get_certificate_bundle_v2 causes a memory leak

Component: TMOS

Symptoms:
Using iControl call get_certificate_bundle_v2() causes a memory leak. iControlPortal memory use grows unbounded every time the method is called.

Conditions:
This occurs anytime the method is invoked; BIG-IP devices managed by Enterprise Manager can be especially impacted.

Impact:
Eventually iControlPortal will run out of memory and crash.

Fix:
The memory leak issue has been fixed.


570640-4 : APM Cannot create symbolic link to sandbox. Error: No such file or directory

Component: Access Policy Manager

Symptoms:
The user may encounter the following configuration error when adding a new APM sandbox-contained object in a non-default partition (other than /Common) if the user has ever attempted (but failed) to delete this partition (for example, couldn't delete it because it was not empty).

01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Validating configuration process failed.

Conditions:
The user has ever attempted (but failed) to delete the partition.

Impact:
No more APM sandbox object such as Hosted-Content can be added to the partition.

Upgrade may fail to install configuration with the impacted sandbox object.

Workaround:
Manually use the shell command 'mkdir -p' to re-create the missing folder where the symbolic link is supposed to be created, as shown in the error message.

The directories to create with mkdir -p are:
/config/filestore/files_d/OUTSIDE_PROD_d/sandbox_file_d
/var/sam/www/webtop/sandbox/files_d/OUTSIDE_PROD_d/sandbox_file_d
After creating the directories, sync to the active unit.


570617-5 : HTTP parses fragmented response versions incorrectly

Component: Local Traffic Manager

Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP itself correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value, and those filters then mis-parse the HTTP version.

Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.

Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as an HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.

Workaround:
None.

Fix:
HTTP correctly bounds the response version for other filters to parse.


570064-4 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"

Component: Access Policy Manager

Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"

Conditions:
BIG-IP APM is configured and accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.

Impact:
The prompt should not occur.

Fix:
Internet Explorer no longer prompts to run InstallerControll.cab.


570053-1 : HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Component: TMOS

Symptoms:
HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Conditions:
The issue is seen when all of the following conditions are met:
1. More than one certkeychain is configured in the clientSSL profile.
2. The content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }".
3. A config sync is performed in an HA setup.

Impact:
A missing certkeychain in a clientSSL profile can make it unable to handle some kinds of SSL traffic. For example, if the clientSSL profile originally has an EC key/cert but loses it, it is no longer able to handle SSL connections using EC cipher suites.

Workaround:
Reconfigure the certkeychains, but avoid modifying their content:
1. On any BIG-IP system, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration.
2. Config sync, so that both systems have only the RSA certkeychain.
3. In any BIG-IP system, add certkeychains for other types (EC or DSA) you need. You can "add" or "delete" but do not "modify" any existing certkeychain.
4. Do config sync, so that both systems have the same certkeychains in the clientSSL profile.


569972-3 : Unable to create gtm topology records using iControl REST

Component: Global Traffic Manager

Symptoms:
The user is unable to create gtm topology records using iControl REST.

Conditions:
This occurs when a user issues an iControl REST POST command for a gtm topology record.

Impact:
The iControl REST POST command fails with the following error: 'Topologies must specify both regions: ldns: server:'.

Workaround:
Use TMSH, iControl SOAP, or the GUI to create gtm topology records.

Fix:
You can now create gtm topology records using iControl REST.

Please be sure to format the gtm topology oid string using the following rules:

1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.

For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC".


569958-3 : Upgrade for application security anomalies

Component: Application Visibility and Reporting

Symptoms:
After upgrading to a newer version, old statistics for application security anomalies are not shown.

Conditions:
Upgrade from a BIG-IP version older than 12.1.0 to a newer version.

Impact:
Old statistics for application security anomalies are lost.

Fix:
After upgrading to a newer version, old statistics for application security anomalies are now shown.


569718-3 : Traffic not sent to default pool after pool selection from rule

Component: Local Traffic Manager

Symptoms:
If you have an iRule configured to match a pattern in the HTTP::uri and send it to a non-default pool, subsequent requests in the HTTP keep-alive session will also be sent to the non-default pool even though they do not match the iRule.

Conditions:
This occurs after upgrading from 11.5.3 HF1 to 11.5.3 HF2.

Impact:
If the pool members are not configured to accept traffic that doesn't match the URI criteria, the server will not respond properly.

Fix:
Reverted a change that caused subsequent HTTP requests to go to the non-default pool after it was selected in an iRule.


569642-3 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.

Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- Default route to pool via an intermediate router.
- The active unit is handling traffic.
- Active unit fails over and loses its mirroring connection.
- Prior active unit comes back and HA connection is reestablished.
- During the loss of HA and its recovery, the now active unit loses its only route to the pool member.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not remove all routes to pool members. If this is needed, create other backup routes prior to the deletion.

Fix:
TMM no longer cores on deleting all routes on a unit with a mirroring fastL4 Virtual during HA connection loss and recovery.


569521-2 : Invalid WideIP name without dots crashes gtmd.

Component: Global Traffic Manager

Symptoms:
If a user creates a WideIP or WideIP Alias with a name that does not contain a dot, gtmd crashes.

The symptom is a crash and core dump from gtmd.

Conditions:
This occurs when the following conditions are met:
-- FQDN validation is suppressed by the following setting: gtm global-settings general domain-name-check == 'none'.
-- User attempts to create a WideIP with a name that does not contain a dot.

Impact:
gtmd crashes and WideIPs do not function.

Workaround:
When creating a WideIP or WideIP Alias while FQDN validation has been disabled (by setting gtm global-settings general domain-name-check == 'none'), make sure that the WideIP or WideIP Alias name contains at least one dot, and follows these rules:
-- The name must not end with a dot.
-- The name must not begin with a dot, unless '.' is the entire name.
-- The name contains no consecutive dots.

Fix:
FQDN validation now confirms that a WideIP or WideIP Alias name has at least one dot in an appropriate position, and has no consecutive dots, so there is no crash and core dump from gtmd. This validation occurs even when other FQDN validation has been suppressed by setting gtm global-settings general domain-name-check == 'none'.


569472-3 : TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled

Component: Global Traffic Manager

Symptoms:
tmm cores with sigsegv within lb_why_pmbr_str.

Conditions:
1. Disable a GTM/BIG-IP DNS pool or pool member.
2. pool-member-selection is enabled for load-balancing-decision-log-verbosity.

Impact:
tmm cores.

Workaround:
Disable pool-member-selection for load-balancing-decision-log-verbosity.

Fix:
tmm no longer cores when disabling pool-member-selection for load-balancing-decision-log-verbosity.


569467-2 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: K11772107


569356-5 : BGP ECMP learned routes may use incorrect vlan for nexthop

Component: TMOS

Symptoms:
BGP with ECMP may result in learned routes using an incorrect next-hop VLAN if more than one VLAN is configured with global IPv6 addresses in the same route domain where the routing protocol is running.

Conditions:
BIG-IP configuration with two or more VLANs configured with IPv6 global addresses and BGP with ECMP is peered with an active IPv6 BGP neighbor. The BGP is also configured with max-paths.

Impact:
The traffic randomly gets sent using the incorrect nexthop.

Workaround:
None

Fix:
Routes learned from the peer will have the correct nexthop VLANs.


569349-3 : Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled

Component: Local Traffic Manager

Symptoms:
When the net cos (Class of Service) feature is enabled, the VLAN priority of CMP-redirected packets is not preserved from ingress to egress.

Conditions:
1. The net cos feature is enabled.
2. A packet is CMP-redirected from one TMM to another TMM for processing.

Impact:
Egress packets are not processed according to the ingress VLAN priority by the BIG-IP system and the downstream router. Certain packets will be dropped by the downstream router due to the wrong VLAN priority marking.

Workaround:
None.


569337-4 : TCP events are logged twice in an HA setup

Component: Advanced Firewall Manager

Symptoms:
TCP log events are logged twice (if enabled in the security log profile) with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).

Conditions:
There is an HA setup (Active/Standby), or both client-side and server-side connection flows exist.

Impact:
TCP log events are logged twice (duplicate events from the active unit and the standby unit, or from both the client side and the server side of the connection flow).

Workaround:
N/A

Fix:
TCP log events are no longer logged twice when enabled in the security log profile with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).


569306-5 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected

Component: Access Policy Manager

Symptoms:
The user is shown the logon page to connect to the VPN after logging on. Windows logon credentials are not used for the VPN automatically.

Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected

Impact:
The user has to retype their credentials to connect to the VPN.

Workaround:
Enter the credentials again to connect to VPN

Fix:
Now logged on credentials are used automatically to connect to VPN


569288-4 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to be unable to aggregate successfully with the peer switch.

Conditions:
This only happens in a chassis-based system when a race condition causes the trunk ID to be modified after initial trunk creation.

Impact:
Non-aggregated trunk members cannot pass traffic.

Workaround:
Restart lacpd in all the blades in the chassis by running command "clsh bigstart restart lacpd"


569255-5 : Network Access incorrectly manipulates routing table when second adapter being connected if 'Allow Local subnet access' is set to ON

Component: Access Policy Manager

Symptoms:
When Network Access is already established and a second network interface is connected to the client system, the VPN quickly reconnects, which breaks existing TCP connections. Because the reconnect occurs very quickly, it might appear to the user that nothing happened.

Conditions:
-- 'Allow Local subnet access' enabled.
-- Client system is getting second network interface connected.

Impact:
Long-standing TCP connection may break, for example, VPN over Network Access.

Workaround:
Disable 'Allow Local subnet access'.

Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.


569236-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the first part of a fix provided for this issue. See fixes for bug 569236 for the second part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part one of a two-part fix. Fixes for bug 583285 provide part two of the fix.


568889-5 : Some ZebOS daemons do not start on blade transition secondary to primary.

Component: TMOS

Symptoms:
In some specific cases, the ZebOS daemons on the standby unit's secondary blade might not be started when that blade becomes primary.

Conditions:
The failover occurs as a result of the primary blade's mcpd restarting.

Impact:
The new primary blade does not start some ZebOS daemons, resulting in OSPF not working as expected on the standby unit.

Workaround:
Run the following tmsh command on the new active unit: bigstart restart tmrouted.

Fix:
The BIG-IP system now correctly starts ZebOS daemons on the standby unit on a new blade that is starting up as a primary.


568543-2 : Syncookie mode is activated on wildcard virtuals

Component: Local Traffic Manager

Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.

Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.

Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.

Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.

Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (the previous maximum was 4093).


568445-7 : User cannot perform endpoint check or launch VPN from Firefox on Windows 10

Component: Access Policy Manager

Symptoms:
If Firefox is used on Windows 10 to connect to APM, access policy may fail, or system fails to launch VPN.

Conditions:
Firefox is used to connect to APM on Windows 10. The following conditions are exclusive and have different impact:
1) Access policy requires client side inspection.
2) Attempt to launch VPN from WebTop.

Impact:
1) Access policy will fail.
2) VPN cannot be launched from WebTop.

Workaround:
None.

Fix:
User can now perform endpoint check or launch VPN from Firefox on Windows 10.


567484-4 : BIND Vulnerability CVE-2015-8705

Vulnerability Solution Article: K86533083


567475-4 : BIND vulnerability CVE-2015-8704

Vulnerability Solution Article: K53445000


567379-2 : libtar vulnerability CVE-2013-4397

Vulnerability Solution Article: K16015326


566908-3 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file

Component: Access Policy Manager

Symptoms:
Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN if proxy.pac is defined in a way that forwards all web traffic over VPN.

Conditions:
proxy.pac, network access, OS X system.

Impact:
Local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over VPN to corporate proxy server.

Workaround:
None.

Fix:
Webserver listening on local Wifi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over VPN to corporate proxy server.


566758-3 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.

Conditions:
Expiration period is omitted in hand-crafted XML policy file.

Impact:
The Login Page created as a result is inaccessible in GUI and REST.

Workaround:
Ensure that expiration period exists in XML policy file before import.

Fix:
A policy file with a missing expiration field that is imported as XML is now handled correctly.


566646-2 : Portal Access could respond very slowly for large text files when using IE < 11

Component: Access Policy Manager

Symptoms:
When accessing a large 'text/plain' file from server with Internet Explorer versions 7 through 10 client browsers, Portal Access sometimes holds the response until it fetches and processes the entire file contents. This can take several dozen seconds, or even minutes.

Conditions:
Internet Explorer version 7 through 10 with Portal Access

Impact:
Large text files can't be accessed or downloaded through Portal Access.

Workaround:
An iRule that does either of the following:
a) Preferred: append F5CH=I to request uri in HTTP_REQUEST for affected requests.
b) Call REWRITE::disable for affected requests.

Fix:
Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay.


566361-2 : RAM Cache Key Collision

Component: Local Traffic Manager

Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled.

Conditions:
This occurs when RAM cache is enabled in certain circumstances.

Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.

Workaround:
None.

Fix:
The system now avoids RAM Cache Key collisions, the correct object and response format are delivered from the cache, and tmm no longer cores.


565895-3 : Multiple PCRE Vulnerabilities

Vulnerability Solution Article: K17235


565810-5 : OneConnect profile with an idle or strict limit-type might lead to tmm core.

Component: Local Traffic Manager

Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.

Conditions:
OneConnect profile with a limit-type value of idle or strict.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a limit-type of 'none'.

Fix:
A OneConnect profile using an idle or strict limit-type no longer causes the tmm to core when attempting to shutdown idle connections.


565534-3 : Some failover configuration items may fail to take effect

Component: TMOS

Symptoms:
These symptoms apply to version 12.0.0 and later:

When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.

These symptoms can occur on all versions:

When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.

Conditions:
For version 12.0.0 and later:

Multicast failover is configured and the system loads the configuration from the configuration files. For example during the first boot of a new boot location, or after performing the procedure in K13030: Forcing the mcpd process to reload the BIG-IP configuration https://support.f5.com/csp/article/K13030.

For all versions:

A change is made to the cm device configuration that includes a unicast-address change along with something else.

Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.

Workaround:
Mitigation for v12.0.0 (and later) symptom:

To restore multicast failover, disable and re-enable multicast failover.

To do so, perform the following procedure on the local device.
1. Determine which interface is being used for multicast failover by running the following tmsh command:
list cm device device1 multicast-interface
2. Disable and re-enable multicast failover by running the following tmsh commands:
modify cm device device1 { multicast-interface none }
modify cm device device1 { multicast-interface eth0 }


Mitigation for all versions symptoms:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.

Fix:
With the fix, sod now sends out multicast FO heartbeat datagrams under the same condition.


565409-3 : Invalid MSS with HW syncookies and flow forwarding

Component: Local Traffic Manager

Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.

Conditions:
The conditions which cause this are not fully known.

Impact:
TMM core/reboot.

Workaround:
Disable HW syncookies or TSO.


565231-1 : Importing a previously exported policy which had two object names may fail

Component: Access Policy Manager

Symptoms:
If an exported access policy includes two object names profile_name-aaa and aaa, importing that policy may fail or produce an incorrect result.

Conditions:
For example:
access policy name "test"
access policy item name "test-empty"
access policy item name "empty"

For example:
access policy name "test"
access policy item name "test-empty"
macro name "empty"

Impact:
Rare case, but the import of such a policy may fail.

Workaround:
One of the objects could be renamed in the bigip.conf file to avoid such a naming pattern.

Fix:
Objects are now exported correctly without error.


565169-1 : Multiple Java Vulnerabilities

Vulnerability Solution Article: K48802597


565167-3 : Additional garbage data being logged on user name and domain name for NTLM authentication

Component: Access Policy Manager

Symptoms:
ECA logs an error message in this format:
Could not verify user (<Domain Name>\<User Name>) credential (<Reason>)
Example:
Could not verify user (mv4\test1) credential (STATUS_NO_LOGON_SERVERS)

However, due to missing NUL termination, the user name and domain name may include garbage data, as in the following example:
Could not verify user (mv413abfee\test1ewq12dsasd) credential (STATUS_NO_LOGON_SERVERS)

Conditions:
NTLM front-end authentication could not send the user's credential for verification (for example, the Active Directory server is down).

Impact:
The BIG-IP system could not send the verification to the Active Directory server, for reasons such as the Active Directory server being down or incorrect machine account information between the BIG-IP system and the Active Directory server.

Workaround:
None.

Fix:
The message is now logged with the correct domain name and user name.
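The log corruption described in this entry is a classic length-versus-terminator bug: NTLM carries DomainName and UserName as (length, offset) pairs into the message body, so the bytes are not NUL-terminated, and a formatter that treats them as C strings reads past the field. The following is an added example, not F5 code, that reproduces the effect on a constructed message arena and shows the bounded fix; the struct, the arena contents and the stale bytes after each field are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a parsed NTLM string field: (length, pointer)
 * into the message body. The bytes are NOT NUL-terminated, as on the wire. */
struct ntlm_field {
    const uint8_t *ptr;
    size_t len;
};

/* Constructed message arena. Each field is immediately followed by stale
 * bytes (standing in for whatever sits after it in real memory) and then a
 * NUL, so that the unbounded read below stops at a deterministic point. */
static const char g_arena[] =
    "mv4" "13abfee" "\0"          /* domain "mv4" (3 bytes), then stale bytes   */
    "test1" "ewq12dsasd" "\0";    /* user "test1" (5 bytes), then stale bytes   */

static const struct ntlm_field g_domain = { (const uint8_t *)g_arena, 3 };
static const struct ntlm_field g_user   = { (const uint8_t *)g_arena + 11, 5 };

/* Buggy formatter (the pre-fix behaviour): %s reads until the next NUL,
 * so it runs past the declared field length into the adjacent bytes. */
int format_unbounded(char *out, size_t outsz, const struct ntlm_field *dom,
                     const struct ntlm_field *usr, const char *reason)
{
    return snprintf(out, outsz, "Could not verify user (%s\\%s) credential (%s)",
                    (const char *)dom->ptr, (const char *)usr->ptr, reason);
}

/* Fixed formatter: %.*s limits the read to the field's declared length, so
 * no terminator is needed and adjacent bytes never reach the log. */
int format_bounded(char *out, size_t outsz, const struct ntlm_field *dom,
                   const struct ntlm_field *usr, const char *reason)
{
    return snprintf(out, outsz, "Could not verify user (%.*s\\%.*s) credential (%s)",
                    (int)dom->len, (const char *)dom->ptr,
                    (int)usr->len, (const char *)usr->ptr, reason);
}

static char g_line_bug[160];
static char g_line_fix[160];

/* Formats the constructed sample with the buggy formatter and returns the line. */
const char *demo_unbounded(void)
{
    format_unbounded(g_line_bug, sizeof g_line_bug, &g_domain, &g_user,
                     "STATUS_NO_LOGON_SERVERS");
    return g_line_bug;
}

/* Formats the constructed sample with the fixed formatter and returns the line. */
const char *demo_bounded(void)
{
    format_bounded(g_line_fix, sizeof g_line_fix, &g_domain, &g_user,
                   "STATUS_NO_LOGON_SERVERS");
    return g_line_fix;
}

int main(void)
{
    printf("before fix: %s\n", demo_unbounded());
    printf("after fix:  %s\n", demo_bounded());
    return 0;
}
```

The same pattern applies to any length-prefixed protocol field (Kerberos, LDAP, SMB) that is handed to a printf-style logger: pass the length explicitly rather than relying on a terminator the wire format never promised.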


565085-4 : Analytics profile allows invalid combination of entities for Alerts setup

Component: Application Visibility and Reporting

Symptoms:
When non-cumulative metrics are selected for an Alert on a dimension other than Virtual Server, errors appear in the log.

Conditions:
Analytics in use, and non-cumulative metrics such as the following are used on a time dimension:

- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput

Impact:
You are able to configure invalid alerts without any warning; the metric does not work and generates errors in the /var/log/monpd.log file.

Workaround:
None needed. This is cosmetic.

Fix:
Invalid combination of entities for Alerts setup is no longer allowed. Validation is present both on UI side and the backend.


565056-5 : Fail to update VPN correctly for non-admin user.

Component: Access Policy Manager

Symptoms:
VPN is not updated correctly for non-admin users.

Conditions:
Steps to Reproduce:
1. In BIG-IP 12.0, create Access Policy containing (Firewall Check, Machine Info, Machine Cert Auth, Cache and Session Control, Protected Workspace, VPN Resources with Optimized Applications.)
2. Login with a User without admin privileges
3. Run FF
4. Login to VS and install components
5. Click on NA resource on the webtop to start VPN tunnel => a user is asked for an admin password and VPN is successfully installed and established
6. Close FF and exit PWD

Impact:
VPN is not updated. A user is not asked to enter admin credentials and an error is given: "Error downloading required files (-1)"

Workaround:
None.

Fix:
VPN is now updated as expected for non-admin users.


564521-2 : JavaScript passed to ExternalInterface.call() may be erroneously unescaped

Component: Access Policy Manager

Symptoms:
JavaScript passed to ExternalInterface.call() may be erroneously unescaped.

Conditions:
Adobe ActionScript 3.0 version 24 or less.

Impact:
Adobe Flash application may crash.

Workaround:
None

Fix:
Completely fixed.


564496-2 : Applying APM Add-on License Does Not Change Effective License Limit

Component: Access Policy Manager

Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated, even though telnet output shows that it is.

Conditions:
1. Set up a high availability (HA) configuration with a base APM license.
2. Apply an APM add-on license to increase Access and CCU license limits.

Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.

Workaround:
To make the add-on license effective, run the following command:
bigstart restart tmm.

For systems running v11.5.3, v11.5.4, and v11.6.0, use the following workaround:
 - Take one unit Offline.
 - Remove the HA configuration.
 - Reactivate license on the offline unit.
 - Take a peer unit Offline.
 - Release the first unit from Offline.
 - Reactivate license on the peer unit.
 - Rebuild HA configuration.
 - Release the peer unit from Offline.

Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.


564482-3 : Kerberos SSO does not support AES256 encryption

Component: Access Policy Manager

Symptoms:
If the delegation account is enforced to use AES256 encryption, then APM Kerberos SSO will fail. Example error message: Dec 18 19:22:19 bigip8910mgmt err websso.7[31499]: 014d0005:3: Kerberos: can't decrypt S4U2Self ticket for user 'username' - Decrypt integrity check failed (-1765328353).

Conditions:
Delegation account is enforced to use AES256 encryption.

Impact:
Kerberos SSO will fail and user will be prompted to enter credential.

Workaround:
Disable the option to enforce AES256 encryption for the delegation account.

Fix:
Delegation account can be enforced to use AES256 encryption, provided the delegation account is configured as SPN format on the Kerberos SSO configuration.


564427-1 : Use of iControl call get_certificate_list_v2() causes a memory leak.

Component: TMOS

Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.

Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.

Impact:
memory leak.

Workaround:
Restarting httpd helps reduce memory, but it must be restarted periodically to clear up the memory issues.

Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.


564262-3 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code

Component: Access Policy Manager

Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.

Conditions:
-DNS names cannot be resolved on client system.
-PAC file used to determine proxy server uses JavaScript DNS resolution function.

Impact:
Tunnel server crashes and user cannot establish VPN.

Workaround:
Enable DNS resolution on client or do not use DNS resolution JavaScript functions in PAC file.

Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.


564253-6 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins, which are not signed by Firefox.

Conditions:
Using APM with Firefox v44.0 and later.

Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.

Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.

Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.


564111-2 : Multiple PCRE vulnerabilities

Vulnerability Solution Article: K05428062


563670-5 : OpenSSL vulnerabilities

Vulnerability Solution Article: K86772626


563591-3 : reference to freed loop_nexthop may cause tmm crash.

Component: Local Traffic Manager

Symptoms:
tmm may crash intermittently when there is CMP-directed VIP (virtual IP) to VIP traffic.

Conditions:
When CMP directed VIP to VIP traffic exists.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes under this condition.


563475-1 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Component: TMOS

Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.

Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.

Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.

Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.

Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.


563443-3 : WebSSO plugin core dumps under very rare conditions.

Component: Access Policy Manager

Symptoms:
WebSSO plugin core dumps under very rare conditions.

Conditions:
This occurs rarely when the WebSSO plugin is enabled.

Impact:
WebSSO plugin core dumps.

Workaround:
None.

Fix:
This release fixes a rare core dump related to the WebSSO plugin.


563419-3 : IPv6 packets containing extended trailer are dropped

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets are dropped.

Conditions:
An IPv6 packet contains trailing bytes after the payload.

Impact:
Packet loss.

Fix:
IPv6 packets that exceed the size of the 'Payload Length' header will be trimmed and processed instead of being dropped.
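The fix above relies on the IPv6 Payload Length field being authoritative: bytes beyond header plus Payload Length are link-layer padding or trailer and should be ignored rather than cause a drop, while a frame shorter than the declared payload is genuinely malformed. The following is an added example, not F5 or TMM code, of that decision on a constructed frame; the sample addresses, the UDP header and the trailer bytes are constructed, and jumbogram handling is deliberately left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40

/* Decides how many bytes of a received IPv6 frame to process.
 * Returns IPV6_HDR_LEN + Payload Length when the frame carries at least that
 * much (any extra trailing bytes are simply not counted, i.e. trimmed), and 0
 * when the frame is too short for the header or for the payload it declares,
 * which is a genuinely malformed packet and should be dropped. */
size_t ipv6_effective_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < IPV6_HDR_LEN) return 0;
    if ((pkt[0] >> 4) != 6) return 0;                    /* not IPv6 */
    uint16_t payload_len = (uint16_t)((pkt[4] << 8) | pkt[5]);
    /* Payload Length 0 with a Hop-by-Hop next header may be a jumbogram
     * (RFC 2675); this example does not support jumbograms and rejects them
     * rather than guessing at the real length. */
    if (payload_len == 0 && pkt[6] == 0) return 0;
    size_t want = IPV6_HDR_LEN + (size_t)payload_len;
    if (pkt_len < want) return 0;                         /* truncated */
    return want;                                          /* trailer, if any, ignored */
}

/* Builds a constructed sample frame: IPv6 header (Payload Length 8, Next
 * Header UDP) + an 8-byte UDP header + 6 bytes of link-layer trailer.
 * Returns the total length written (54), or 0 if buf is too small. */
size_t build_sample_frame(uint8_t *buf, size_t bufsz)
{
    static const uint8_t hdr[IPV6_HDR_LEN] = {
        0x60, 0x00, 0x00, 0x00,            /* version 6, traffic class 0, flow label 0 */
        0x00, 0x08,                        /* Payload Length = 8 */
        17, 64,                            /* Next Header = UDP, Hop Limit = 64 */
        0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,   /* src fe80::1 */
        0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,   /* dst fe80::2 */
    };
    /* UDP: src port 12345, dst port 53, length 8, checksum 0 (constructed) */
    static const uint8_t udp[8] = { 0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
    /* Bytes beyond Payload Length: the "extended trailer" of the bug report */
    static const uint8_t trailer[6] = { 0xde, 0xad, 0xbe, 0xef, 0x00, 0x00 };
    size_t total = sizeof hdr + sizeof udp + sizeof trailer;
    if (bufsz < total) return 0;
    memcpy(buf, hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, udp, sizeof udp);
    memcpy(buf + sizeof hdr + sizeof udp, trailer, sizeof trailer);
    return total;
}

/* Number of trailer bytes trimmed from the sample frame (6 for this sample). */
size_t demo_trimmed_bytes(void)
{
    uint8_t frame[64];
    size_t n = build_sample_frame(frame, sizeof frame);
    size_t eff = ipv6_effective_len(frame, n);
    return eff ? n - eff : 0;
}

int main(void)
{
    printf("trailer bytes trimmed: %zu\n", demo_trimmed_bytes());
    return 0;
}
```

Trimming to the declared length also matters for any parser downstream (UDP, TCP, ICMPv6 checksums): feeding it the trailer bytes would make the checksum and length validation fail on an otherwise valid packet.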


563349-2 : On MAC, Network Access proxy settings are not applied to tun adapter after VPN is established

Component: Access Policy Manager

Symptoms:
In some cases, the user may not be able to browse to external or internal websites because the proxy settings are not used.

Conditions:
- The user's machine has local proxy settings configured.
- The Network Access settings specify a proxy configuration.

Impact:
User may not be able to browse some sites, or the connection would not take the proxy settings into account.

Workaround:
None


563227-4 : When a pool member goes down, persistence entries may vary among tmms

Component: Local Traffic Manager

Symptoms:
When a pool member goes down, persistence entries may vary among tmms. The result will be that rather than persisting to a single pool member, the new connections may arrive on different pool members based on the number of tmms on the BIG-IP platform in use.

Conditions:
Using persistence with some connections persisted to a pool member that goes down, either administratively or due to a monitor. During this time, the client is issuing several new connections to the BIG-IP system.

Impact:
Inconsistent persistence entries.

Workaround:
None.

Fix:
The race conditions that involved dropping an offline pool member have been resolved.


563064-5 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory

Component: TMOS

Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when IPsec tunnel is removed.

Conditions:
Every time an IPsec tunnel is established and then removed, the allocated cipher memory is left in the system.

Impact:
TMM memory leaks slowly.

Fix:
Cipher memory is now freed when an IPsec tunnel is removed.


562959-3 : In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.

Component: TMOS

Symptoms:
In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.

Conditions:
This occurs when there is a problem processing a packet going through the IPsec tunnel.

Impact:
TMM restarts without a core due to an internal connection timeout.

Workaround:
None.

Fix:
IPsec now only sends packets intended for IPsec over the tunnel.


562919-1 : TMM cores in renew lease timer handler

Component: Access Policy Manager

Symptoms:
TMM generates core.

Conditions:
All three of the following conditions must be met for this to trigger:
1) Both IPv4 and IPv6 network access connections are enabled for the same network access resource.
2) The IPv4 address is statically assigned.
3) The IPv6 address is dynamically assigned from the lease pool.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Workaround 1) Use IPv4 only network access connection.

Workaround 2) While using both IPv4 and IPv6 network access connection, assign both IPv4 and IPv6 endpoint addresses from IPv4 and IPv6 leasepool respectively.

Workaround 3) While using both IPv4 and IPv6 network access connection, assign both IPv4 and IPv6 endpoint statically.

Fix:
TMM no longer cores in renew lease timer handler


562775-3 : Memory leak in iprepd

Component: Application Security Manager

Symptoms:
The IP reputation daemon (iprepd) has a small leak of around 8 to 16 bytes every 5 minutes.

Conditions:
This occurs when the BIG-IP system is licensed with an IPI subscription and iprepd is running.

Impact:
Memory usage increases slowly until the kernel out-of-memory killer terminates the iprepd process.

Workaround:
None.

Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).


562566-3 : High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems

Component: Local Traffic Manager

Symptoms:
Prior to expiration, the age of persistence entries is reset back to 0, thus retaining the persistence entries forever.

Conditions:
Persistence is configured on a multi-blade system, a configured High Availability peer is present, and a flap occurs on the High Availability connection between active and standby systems.

Impact:
Retention of persistence entries leads to eventual low memory conditions, performance degradation, and traffic outage or restarting of some daemons.

Workaround:
Although no reasonable workaround exists, you can clear the persistence table to reclaim leaked memory.

Fix:
Persistence entries are no longer retained beyond their expiration.


562427 : Trust domain changes do not persist on reboot.

Component: TMOS

Symptoms:
Some earlier releases saved only the internal binary database for trust domain changes (generally, changes to device group objects and device objects), rather than saving the text-based authoritative configuration in '/config/bigip*.conf'.

Conditions:
This occurs when making changes to devices via the Device Management UI.

Impact:
Device Group configuration may not be correct after a reboot.

Workaround:
Explicitly run a command to save the configuration before rebooting devices.

Fix:
Trust domain changes do not persist on reboot.


562044-1 : Statistics slow_merge option does not work

Component: TMOS

Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge' then the merging of statistics stops working. This causes statistics to no longer appear to be updated.

Conditions:
The DB variable 'merged.method' is set to 'slow_merge'.

Impact:
Statistics no longer appear to be updated.

Workaround:
1) Set "merged.method" to "fast_merge" which is the default.

-or-

2) Create the /var/tmstat/cluster directory using mkdir. Please note the directory must be created on every blade in a chassis. Additionally, this directory needs to be re-created after reboots, so something like "/bin/mkdir /var/tmstat/cluster" should be added to "/config/startup"

Fix:
Statistics are now updated as expected when the statistics DB variable option 'merged.method' is set to 'slow_merge'.


561814-4 : TMM Core on Multi-Blade Chassis

Component: TMOS

Symptoms:
TMM core.

Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted, and where traffic is being cached by datastor.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The software defect has been found and fixed.


561798-3 : Windows edge client may show scripting error on certain 3rd party authentication sites

Component: Access Policy Manager

Symptoms:
User sees JavaScript error on third party IDP sites.

Conditions:
- The Windows Edge Client is used.
- The access policy requires the user to authenticate on a third-party site.

Impact:
Edge Client usability is affected.

Fix:
Edge Client now runs embedded browser in Internet Explorer 10 emulation mode, which has support for modern JavaScript.


561539-1 : [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.

Component: Global Traffic Manager

Symptoms:
When upgrading from 10.x to 11.x, the Wide IP pool member ratio value is changed from 0 to 1.

Conditions:
1. Upgrade from v10.x to v11.x through 12.0.0
2. Have a Wide IP pool member ratio set to 0.

Impact:
Wide IP pool member ratio is changed to 1 (the default) from 0 after upgrading, potentially enabling selection of members that had been "disabled" with a ratio of 0.

Workaround:
Manually change ratio back to 0 after upgrade.


561433-6 : TMM Packets can be dropped indiscriminately while under DOS attack

Component: Advanced Firewall Manager

Symptoms:
When a loaded tmm cannot consume packets fast enough, packets can be dropped while being DMAed from the hardware.

Conditions:
This could happen for a variety of reasons which cause tmm to be loaded.

Impact:
Packets will be dropped indiscriminately.

Workaround:
None.

Fix:
We've now added a sys db tunable (sys db dos.scrubtime) which can be set to drop DoS attack packets in HW more aggressively. This will prevent other non-attack packets from being dropped indiscriminately.


561348-2 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
The krb5.conf file is not in sync across all blades.
This may cause a feature (Kerberos SSO / Kerberos Auth) not to work as expected.

Conditions:
When an administrator manually changes the krb5.conf file, the configuration file is not synchronized to all blades, or the change is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.

Workaround:
None.

Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the failover device group. Any change made to this file on either the active device or the standby device is automatically synced to the other device.

In a chassis, all secondary blades mirror the file on the primary blade. Any manual change made on the secondary blade(s) is lost. The admin must make changes on the primary blade only, and they are synchronized to all other blades.

Behavior Change:
When admin modifies /etc/krb5.conf file, the changes are automatically updated on other devices in the same Failover Device group.

When admin modifies the /etc/krb5.conf file on the primary blade of the chassis, the changes are automatically updated on all secondary blades.


560975-1 : iControl can remove hardware SSL keys while in use

Component: TMOS

Symptoms:
When deleting SSL keys via iControl it is possible to delete keys from the Hardware Security Module even while they are configured in an active profile.

Conditions:
Using iControl to delete an SSL key installed in hardware.

Impact:
Key is removed from HSM and must be reloaded.

Workaround:
Verify that keys are not in use before using iControl to delete them.


560948-3 : OpenSSL vulnerability CVE-2015-3195

Vulnerability Solution Article: K12824341


560910-3 : OpenSSL Vulnerability fix

Vulnerability Solution Article: K86772626


560748 : BIG-IQ discovery fails

Component: Application Security Manager

Symptoms:
After updating attack signatures, a Signature-system called "IBM WebSphere" may be created that does not contain a REST ID, and BIG-IQ will fail discovery.

If you look at the REST output for this item at https://bigip_address/mgmt/tm/asm/signature-systems/ and find "IBM WebSphere", you will see that the id field is empty.

Conditions:
This can occur when updating attack signatures, and when using BIG-IQ discovery.

Impact:
BIG-IQ discovery fails.

Workaround:
On the affected device run the following:
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::SignatureSystem -e "F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh(), rest_entities => ['F5::ASMConfig::Entity::SignatureSystem'])"

Fix:
Fixed an issue with attack signature updates causing BIG-IQ discovery to fail.


560510-4 : Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down.

Component: TMOS

Symptoms:
When MCPD is not in the running state, dhclient writes the domain-name-server information directly into /etc/resolv.conf. If the DHCP server supplies multiple domain-name-servers, they are written in an incorrect format: all servers on a single, comma-separated line. Each domain-name-server entry should be written on its own line with the "nameserver" prefix.

Conditions:
- MCPD is not in the running state.
- DHCP is enabled.
- The DHCP server has provided multiple domain-name-server entries in the lease.

Impact:
Domain name resolution doesn't work.

Workaround:
Bring up MCPD, which writes resolv.conf in the correct format. Alternatively, manually edit /etc/resolv.conf to list the nameserver entries one per line.
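The following is an added example (Python written for this note, not part of the release note or of BIG-IP) of the check a practitioner would run against /etc/resolv.conf while MCPD is down: it detects the comma-separated form described above and rewrites the file one nameserver per line, dropping non-address tokens and duplicates and keeping the other directives. The file content is a constructed sample.

```python
import ipaddress
import re

NAMESERVER_SPLIT = re.compile(r"[,\s]+")

def nameserver_tokens(line):
    """Address tokens on a 'nameserver' line; a correctly formatted line has exactly one."""
    return [t for t in NAMESERVER_SPLIT.split(line.strip()[len("nameserver"):]) if t]

def has_malformed_nameserver_line(text):
    """True if any nameserver line carries more than one address (the bug signature)."""
    return any(
        line.strip().startswith("nameserver") and len(nameserver_tokens(line)) > 1
        for line in text.splitlines()
    )

def normalize_resolv_conf(text):
    """Rewrite resolv.conf content so that every nameserver is on its own line.

    Other directives (search, domain, options, comments) are kept in their original
    order; the nameserver entries are collected, validated, de-duplicated and emitted
    after them, in the order found. Returns (new_text, nameservers).
    Note: glibc's resolver consults at most the first three nameserver lines.
    """
    kept, nameservers = [], []
    for line in text.splitlines():
        if not line.strip().startswith("nameserver"):
            kept.append(line)
            continue
        for token in nameserver_tokens(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue                 # not an IP address: drop rather than emit garbage
            if addr not in nameservers:
                nameservers.append(addr)
    kept.extend(f"nameserver {a}" for a in nameservers)
    return "\n".join(kept) + "\n", [str(a) for a in nameservers]

# Constructed sample of the broken file dhclient writes while MCPD is down.
BROKEN_RESOLV_CONF = """# constructed sample, not a real system file
search example.net
nameserver 192.0.2.10, 192.0.2.11, 192.0.2.12
options timeout:2
"""

if __name__ == "__main__":
    if has_malformed_nameserver_line(BROKEN_RESOLV_CONF):
        fixed_text, servers = normalize_resolv_conf(BROKEN_RESOLV_CONF)
        print(fixed_text)
```

Running the check before restarting MCPD tells you whether the file is the comma-separated variant; the rewrite is idempotent, so running it on an already-correct file changes nothing.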

Fix:
DHCP will now write a single nameserver per line in /etc/resolv.conf when multiple nameservers are configured in DHCP.


560405-5 : Optional target IP address and port in the 'virtual' iRule API is not supported.

Component: Local Traffic Manager

Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to another virtual server (or remote endpoint). This operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.

Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.

Impact:
Cannot implement an HTTP forward proxy with transparent redirection to a web-cache pool.

Workaround:
None.

Behavior Change:
The 'virtual' iRule API has been changed to support a secondary target IP address and port to redirect the connection to, from a given virtual server. The new signature of the 'virtual' iRule API is:

virtual [<name>] [<ipaddr> [<port>]]

where:

-- <name> = the name of the virtual server to redirect the connection from.
-- <ipaddr> = the target IP address of the remote endpoint to route the connection to, through the specified virtual server; <ipaddr> can also have a route-domain (%).
-- <port> = the port of the remote endpoint to route the connection to, through the specified virtual server.


560180-3 : BIND Vulnerability CVE-2015-8000

Vulnerability Solution Article: K34250741


560114-2 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When Monpd is restarted, it continuously prints error messages to the logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains an error signature similar to the following:
err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (possibly caused by /var/log being full).

Impact:
AVR statistics are lost.
The Monpd thread cannot load new data, and it continuously prints error messages to the logs.

Workaround:
Run the following:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd


559975-4 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth

Component: Global Traffic Manager

Symptoms:
HTTP basic authentication uses a base64-encoded string. When an HTTP monitor username or password is changed, the base64 string is regenerated and may become malformed.

Conditions:
When an HTTP monitor username or password is changed (for example, shortened), the HTTP basic auth string may be mangled.

Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.

Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.

Fix:
HTTP monitors will now correctly handle a username or password change.


559973-5 : Nitrox can hang on RSA verification

Component: Local Traffic Manager

Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip. The ltm log shows errors similar to the following:
crit tmm[11041]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck

Conditions:
RSA verification with certain signatures.

Impact:
Nitrox crypto accelerator can hang.

Fix:
The Nitrox crypto accelerator will no longer hang when performing RSA verification.


559939-3 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline

Component: TMOS

Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.

Conditions:
This affects only multi-blade chassis systems in Standalone mode.

Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.

Workaround:
To change the hostname on the VIPRION, use the tmsh command:
'modify sys global-settings hostname new-host-name'.

Fix:
Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.


559541-3 : ICAP anti-virus tests are not initiated on XML with sensitive data when they should be

Component: Application Security Manager

Symptoms:
ICAP anti virus tests are not performed on XML with sensitive data.

Conditions:
ICAP and an XML profile are configured on the policy, and ICAP is configured to inspect the XML.
The XML profile has sensitive data configured.
The XML request contains sensitive data.
The expectation is that XML with sensitive data initiates ICAP tests.

Impact:
Virus tests are not performed on the request if the only reason for ICAP testing was the presence of sensitive XML data.

Fix:
ICAP tests are performed on XML with sensitive data.


559138-4 : Linux CLI VPN client fails to establish VPN connection on Ubuntu

Component: Access Policy Manager

Symptoms:
Linux client is unable to establish a VPN connection. An error is displayed which says that server certificate verification has failed.

Conditions:
CLI client used on Ubuntu to establish VPN connection.

Impact:
User cannot connect to VPN

Workaround:
Use web client.

Fix:
Fixed bug in certificate verification code.


559055 : Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"

Component: Application Security Manager

Symptoms:
Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".

Conditions:
Learn New Parameters is set to "Add All Entities".

Impact:
Staging on wildcard parameter "*" remains unchanged.

Workaround:
Disable staging on wildcard parameter "*" manually.

Fix:
Staging is now disabled correctly on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".


559034-3 : Mcpd core dump in the sync secondary during config sync

Component: TMOS

Symptoms:
mcpd will crash if certain files are missing from the file store during sync operations.

Conditions:
This can happen when files associated with file objects are removed from the file store. Users are not permitted to directly modify the contents of the file store.

Impact:
mcpd will crash

Workaround:
Users are not permitted to directly modify the contents of the file store. Use tmsh or the Configuration Utility to manage BIG-IP objects such as certificates.

Fix:
Mcpd will no longer crash during a config sync if a file store object is missing.


558946-3 : TMM may core when APM is provisioned and access profile is attached to the virtual

Component: Access Policy Manager

Symptoms:
TMM may core when APM is provisioned and access profile is attached to the virtual.

Conditions:
This crash is most likely to occur when more than one ABORT event is sent to a connection on a virtual server with an attached access profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
An APM virtual server that receives multiple ABORT events on a connection no longer causes TMM to crash and restart.


558870-4 : Protected workspace does not work correctly with third party products

Component: Access Policy Manager

Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on user's machines.
2) Microsoft OneDrive does not work correctly inside protected workspace.

Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.

Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.

Workaround:
There is no workaround.

Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.


558859 : Control insertion to log_session_details table by Access policy logging level.

Component: Access Policy Manager

Symptoms:
Session records are always written to log_session_details table upon new session creation, regardless of access log level.

Conditions:
New sessions created

Impact:
CPU is hogged when a large number of sessions are created within a short time period.

Fix:
Insertion into the log_session_details table is now controlled by the Access policy logging level.


558858-1 : Unexpected loss of communication between slots of a vCMP Guest

Component: TMOS

Symptoms:
1. Within the vCMP guest, the affected slot shows the other slot(s) to be offline. When logged into any other "offline" slot, the slot shows itself to be online.

2. Within the vCMP guest, on the affected slot, the log files (such as /var/log/ltm) have stopped recording log entries from the other slot(s).

3. Within the vCMP guest, on the affected slot, the eth1 interface shows TX increasing but RX not increasing. The eth1 interface on other slots shows both TX and RX increasing.

Conditions:
Only affects vCMP guests with 2 or more slots on VIPRION C2000-series chassis.

Impact:
The number of working slots in a vCMP guest is reduced to 1 slot. The effect on traffic may range from none to severe.

Workaround:
Within the vCMP guest, login to the command line (vconsole or SSH) of the affected slot and run the following:

ifconfig eth1 down ; ifconfig eth1 up

Alternatively, from the hypervisor, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

Fix:
This release no longer exhibits loss of communication between slots of a vCMP guest.


558779-5 : SNMP dot3 stats occasionally unavailable

Component: TMOS

Symptoms:
SNMP would not provide values for some dot3 stats.

Conditions:
Always, on affected versions.

Impact:
SNMP does not provide values for some dot3 stats.
There is no impact on actual traffic.

Workaround:
None

Fix:
The dot3 stats are now available.


558631-6 : APM Network Access VPN feature may leak memory

Component: Access Policy Manager

Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.

Conditions:
-- APM Network Access feature is configured.
-- VPN connections are being established.

Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.

Workaround:
No workaround short of not using the APM Network Access feature.

Fix:
The APM Network Access VPN feature no longer leaks memory.


558612-3 : System may fail when syncookie mode is activated

Component: Local Traffic Manager

Symptoms:
TMM may core when syncookie mode has been activated while the system is under extreme memory pressure.

Conditions:
L7 VIP with certain TCP profile attributes enabled.
Syncookies have been activated.
System under memory pressure due to heavy load.

Impact:
tmm may core.

Workaround:
Use the default TCP profile for all L7 VIPs.

Fix:
The BIG-IP will not encounter a system failure when syncookie mode has been activated.


558602-2 : Active mode FTP data channel issue when using lasthop pool

Component: Local Traffic Manager

Symptoms:
The data channel for active mode FTP may fail.

Conditions:
Active mode FTP through a virtual with ftp profile with port set to zero and configured to use a lasthop pool.

Impact:
Active mode FTP does not work.

Workaround:
Use auto-lasthop instead of a lasthop pool, or use passive mode FTP.

Fix:
Active mode FTP now works correctly.


558573-3 : MCPD restart on secondary blade after updating Pool via GUI

Component: TMOS

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.

When this occurs, errors similar to the following are logged on the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Impact:
Daemon restarts, disruption of traffic passing on secondary blades.

Workaround:
Perform pool updates via the tmsh command-line utility.

Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.


557783-3 : TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr

Component: Local Traffic Manager

Symptoms:
TMM might use a link-local IPv6 address when attempting to reach an external global address for traffic generated from TMM (for example, dns resolver, sideband connections, etc.).

Conditions:
- ECMP IPv6 routes to a remote destination where the next hop is a link local address. Typically this occurs with dynamic routing.
- Have configured a virtual server that generates traffic from TMM (for example, dns resolver, sideband connections, etc.).

Impact:
Traffic might fail as it egresses from a link-local address instead of a global address.

Workaround:
It might be possible to work around if the dynamic routing peer can announce the route from a global address instead of a link local.
Use of static routes might also work around the issue.

Fix:
TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.


557645-1 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Component: Local Traffic Manager

Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.

Multiple devices in an HA configuration.

TMM incorrectly identifies which TMM should handle host connections from an HA peer.

The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.

Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms now behaves the same as on other platforms, as expected.


557281-3 : The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%

Component: TMOS

Symptoms:
audit_forwarder and mcpd consume almost 100% CPU. When syslog-ng restarts it will start another audit_forwarder process, but it is the orphaned audit_forwarder process that will consume almost 100% CPU. When syslog-ng is restarted and audit_forwarder does not exit cleanly, the mcpd process will also begin consuming high CPU.

Conditions:
syslog-ng is stopped manually, or (rarely) during a normal restart of syslog-ng.

Impact:
The audit_forwarder and mcpd processes consume excessive CPU.

Workaround:
Stop audit_forwarder manually (kill -9), once the orphaned audit_forwarder process is stopped, mcpd will return to normal CPU consumption.

Fix:
When syslog-ng is stopped manually (or when expected), audit_forwarder also exits, so the audit_forwarder process no longer consumes increasing CPU.


557221 : Inbound ISP link load balancing will use pool members for only one ISP link per data center

Component: Global Traffic Manager

Symptoms:
In BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and earlier, and BIG-IP DNS 12.0.0, the inbound ISP link load balancing functionality uses pool members for more than one ISP link per data center.

Conditions:
Using the inbound ISP link load balancing functionality in BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and earlier, or BIG-IP DNS 12.0.0.

Impact:
If a pool has multiple members that use different ISP links within a data center, the system uses only pool members associated with the ISP link of the first available pool member. The system marks pool members associated with subsequent ISP links as unavailable (grey).

Fix:
The inbound ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.

Behavior Change:
Beginning in BIG-IP Link Controller and GTM 11.5.4, 11.6.1, and BIG-IP DNS 12.1.0, the ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.

The link that is associated with the first configured and available pool member within each data center will determine the link that will be used for the data center. The system will use only pool members associated with that link.


557144-1 : Dynamic route flapping may lead to tmm crash

Component: TMOS

Symptoms:
When dynamic routing is in use and routes are being actively added and removed, tmm may crash.

Conditions:
Virtual Server configured with Dynamic Routing

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Flapping dynamic routes no longer trigger a tmm crash.


557062-3 : The BIG-IP ASM configuration fails to load after an upgrade.

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version (11.3 or 11.4) and upgrading to a version prior to 12.1.0.

Conditions:
Define a scheduled report with predefined-report-name '/Common/Top alerted URLs' on version 11.3 or 11.4, then upgrade.

Impact:
Version upgrade fails (the BIG-IP system becomes unusable).

Workaround:
Manually change predefined-report-name '/Common/Top alerted URLs' to predefined-report-name '/Common/Top alarmed URLs'.

Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.


556774-1 : EdgeClient cannot connect through captive portal

Component: Access Policy Manager

Symptoms:
EdgeClient cannot connect through captive portal.

Conditions:
1) Install EdgeClient on a PC that connects to the APM through a captive portal.
2) Launch EdgeClient and try to connect to the APM.
3) System posts certificate warnings. Accept them.
4) Captive portal is not shown to the user.
5) EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.

Impact:
No captive portal is displayed to the user; the EdgeClient UI only toggles between the 'Waiting to connect to server' and 'Downloading server settings' messages.

Workaround:
None.

Fix:
EdgeClient installed on a PC that connects to the APM through a captive portal now connects as expected.


556694-6 : DoS Whitelist IPv6 addresses may "overmatch"

Component: Advanced Firewall Manager

Symptoms:
When the 8-entry "rich" DoS whitelist is used with IPv6 addresses, the hardware compares only 32 bits of the incoming IPv6 address against the whitelist entry. An incoming address that matches those 32 bits is therefore treated as a whitelist match even if the other bits of the address differ.
The configuration selects which 32-bit window is compared (there are four choices: bits 127:96, 95:64, 63:32, or 31:0) via the db tunable dos.wlipv6addrsel.
IPv4 matches are always exact and are not affected by this issue.

Conditions:
Occurs when the 8-entry AFM DoS Whitelist is used to match against IPv6 addresses.

Impact:
In some cases, the Whitelist may overmatch, meaning some IPv6 addresses will be considered whitelist matches, when they do not match the whitelist.
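To make the overmatch concrete, the following is an added example (Python written for this note, not F5 code) that models the pre-fix hardware comparison: it extracts the selected 32-bit window of an IPv6 address, lists the other source addresses that would be accepted as whitelist matches, and reports which windows still keep a given set of whitelist entries distinct from each other. The addresses are constructed from the documentation prefix, and the mapping of dos.wlipv6addrsel values 0..3 onto the four windows is an assumption made for the example; check the actual values on the system.

```python
import ipaddress

# The four 32-bit windows the release note lists for dos.wlipv6addrsel (high bit, low bit).
# Mapping the db values 0..3 onto them in this order is an assumption of this example.
WINDOWS = {0: (127, 96), 1: (95, 64), 2: (63, 32), 3: (31, 0)}

def window_bits(addr, sel):
    """The 32 bits of addr that the hardware compares when dos.wlipv6addrsel == sel."""
    _hi, lo = WINDOWS[sel]
    return (int(ipaddress.IPv6Address(addr)) >> lo) & 0xFFFFFFFF

def hw_match(entry, candidate, sel):
    """Pre-fix hardware behaviour: a match on the selected window alone."""
    return window_bits(entry, sel) == window_bits(candidate, sel)

def exact_match(entry, candidate):
    """What a whitelist match should mean: the full 128-bit address is equal."""
    return ipaddress.IPv6Address(entry) == ipaddress.IPv6Address(candidate)

def overmatches(entry, candidates, sel):
    """Candidates the hardware would whitelist although they are not the entry."""
    return [c for c in candidates if hw_match(entry, c, sel) and not exact_match(entry, c)]

def distinguishing_windows(entries):
    """Windows under which no two whitelist entries share the compared 32 bits.
    An empty result means every choice of window merges at least two entries."""
    return [sel for sel in WINDOWS
            if len({window_bits(e, sel) for e in entries}) == len(entries)]

# Constructed addresses from the documentation prefix 2001:db8::/32.
WHITELIST = ["2001:db8::1", "2001:db8:ffff::1"]
SOURCES = ["2001:db8::1", "2001:db8:ffff::1", "2001:db8::dead:beef", "2001:db9::1"]

if __name__ == "__main__":
    for sel in WINDOWS:
        print(sel, WINDOWS[sel], overmatches(WHITELIST[0], SOURCES, sel))
    print("windows keeping the whitelist entries distinct:", distinguishing_windows(WHITELIST))
```

With the high window (127:96) selected, every address in the whitelisted /32 is accepted, so a spoofed source inside that allocation bypasses DoS protection; with the low window (31:0) any address ending in the same interface-identifier bits does. The window is a mitigation for collisions between entries, not a fix for the 32-bit comparison itself.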


556597-3 : CertHelper may crash when performing Machine Cert Inspection

Component: Access Policy Manager

Symptoms:
CertHelper may crash while checking a machine certificate.

Conditions:
APM installed

Impact:
Authentication may fail.

Fix:
Fixed crash cause in CertHelper.


556560-1 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.

Component: Local Traffic Manager

Symptoms:
DNS messages which contain an OPT record followed by more than one record in the additional section will become malformed when they pass through a virtual with an assigned DNS profile.

Conditions:
A DNS message contains an OPT record in the Additional section, the message is compressed, and more than one record follows the OPT record.

Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message.

The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last.

The RFCs do not restrict a query from containing records in the additional record section of the message.

When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.

Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).

Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted.

The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers.

The subsequent code paths which depend on the OPT record's position now work as expected.
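As an added illustration (Python written for this note, not the TMM implementation), the following parses a DNS message, decompresses every name, moves the OPT record to the end of the Additional section (or ahead of a TSIG record), and re-serialises the message. It sidesteps pointer rewriting by emitting the result uncompressed, which is the simplest safe way to keep the message intact after reordering; the TMM fix instead updates the compression pointers in place. The sample response is constructed inside the block and mirrors the failing case: two records after the OPT whose names point into each other.

```python
import struct

OPT, TSIG = 41, 250
NAME_IN_RDATA = {2: "name", 5: "name", 12: "name", 15: "mx", 6: "soa"}  # NS, CNAME, PTR, MX, SOA

def read_name(msg, off):
    """Decode a (possibly compressed) domain name at off -> (labels, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if end is None:
                end = off + 2                            # the name occupies 2 bytes here
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(bytes(msg[off:off + length]))
        off += length
    return labels, (off if end is None else end)

def encode_name(labels):
    """Wire-format name without compression."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def read_rr(msg, off):
    """Decode one resource record; names inside RDATA are decompressed too."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    start, end = off, off + rdlen
    kind = NAME_IN_RDATA.get(rtype)
    if kind == "name":
        rdata = encode_name(read_name(msg, start)[0])
    elif kind == "mx":
        rdata = msg[start:start + 2] + encode_name(read_name(msg, start + 2)[0])
    elif kind == "soa":
        mname, o = read_name(msg, start)
        rname, o = read_name(msg, o)
        rdata = encode_name(mname) + encode_name(rname) + msg[o:end]
    else:
        rdata = msg[start:end]                           # OPT, TSIG, A, AAAA, ...: opaque
    return (name, rtype, rclass, ttl, bytes(rdata)), end

def parse_message(msg):
    """-> (id, flags, questions, [answer, authority, additional])"""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        sections.append(rrs)
    return ident, flags, questions, sections

def reorder_additional(additional):
    """Move the OPT record to the end of the section, or just before a TSIG record."""
    opts = [rr for rr in additional if rr[1] == OPT]
    tsigs = [rr for rr in additional if rr[1] == TSIG]
    if len(opts) > 1 or len(tsigs) > 1:
        raise ValueError("more than one OPT or TSIG record")
    others = [rr for rr in additional if rr[1] not in (OPT, TSIG)]
    return others + opts + tsigs

def build_message(ident, flags, questions, sections):
    """Serialise without compression, so no pointer has to be rewritten after the move."""
    an, ns, ar = sections
    out = bytearray(struct.pack("!HHHHHH", ident, flags, len(questions), len(an), len(ns), len(ar)))
    for name, qtype, qclass in questions:
        out += encode_name(name) + struct.pack("!HH", qtype, qclass)
    for section in sections:
        for name, rtype, rclass, ttl, rdata in section:
            out += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return bytes(out)

def normalize_opt_position(msg):
    ident, flags, questions, (an, ns, ar) = parse_message(msg)
    return build_message(ident, flags, questions, [an, ns, reorder_additional(ar)])

def additional_types(msg):
    """Record types in the Additional section, in wire order."""
    return [rr[1] for rr in parse_message(msg)[3][2]]

def build_sample_response():
    """Constructed sample: an example.com A response with OPT first in Additional, followed by
    two glue A records whose names use compression pointers. ns2's name (offset 76) points into
    the ns1 record (offset 60), which in turn points at the question name (offset 12)."""
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 3))
    msg += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)                           # question @12
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])       # answer @29
    msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)                                 # OPT @45
    msg += b"\x03ns1\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 53])  # @56
    msg += b"\x03ns2\xc0\x3c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 54])  # @76
    return bytes(msg)
```

The decompress-then-rebuild approach costs message size (the sample grows from 96 to 129 bytes), which matters for UDP responses near the advertised EDNS payload size; an in-place pointer rewrite such as the one the fix describes avoids that, at the price of having to track every pointer that targets the moved bytes.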


556383-2 : Multiple NSS Vulnerabilities

Vulnerability Solution Article: K31372672


556380-3 : mcpd can assert on active connection deletion

Component: TMOS

Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.

Conditions:
Removal of all peers while a connection is handling a transaction.

Impact:
MCPD asserts and restarts.

Workaround:
No workaround is necessary. MCPD restarts.

Fix:
Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.


556284-3 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found

Component: TMOS

Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following:
Monitor /Common/my_http_monitor parent not found

Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.

Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.

Workaround:
None.

Fix:
GTM/LC sync now completes successfully even when the configuration being synced contains a custom GTM/LC monitor definition.


556277-4 : Config Sync error after hotfix installation (chroot failed rsync error)

Component: TMOS

Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.

Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.

To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp

If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.

Impact:
Sync of file objects might fail with an error similar to the following:

01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..

Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.

Fix:
Installing a hotfix over an existing base install now rebuilds the SELinux policy as expected.


556252 : sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis

Component: TMOS

Symptoms:
The sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus OIDs read lower than expected given the traffic on the system. The values suddenly increase when a non-running blade is powered down.

Conditions:
This occurs on a chassis where one or more blades are not in the cluster but are not powered down. The usage-ratio and Npus statistics treat those blades as if they were in the cluster and factor them into the calculation, so the values appear lower than they actually are.

Impact:
Misleading, confusing statistics

Workaround:
You can completely power down the blade and it will be removed from the statistics calculation.

Fix:
sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus are now calculated only against running blades.


556117-1 : client-ssl profile is case-sensitive when checking server_name extension

Component: Local Traffic Manager

Symptoms:
The client-ssl profile is case-sensitive when matching the server-name configured in the client-ssl profile against the server_name extension in the ClientHello message.

Conditions:
When using mixed upper-lower case server-name in the client-ssl profile configuration and ClientHello messages.

Impact:
The system treats server-names that differ only in case as different names, which violates RFC 6066: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."

Workaround:
1. Configure only one client-ssl profile per server-name.

2. Use only a lower-case server-name when configuring the client-ssl profile.

3. Use a lower-case server-name on the client side.

Fix:
The system now treats mixed upper-lower case server-names as the same name, so server-name is no longer case sensitive.
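The following added example (Python written for this note, not BIG-IP code) builds a minimal ClientHello carrying a server_name extension, extracts the host name from it, and contrasts the byte-for-byte profile lookup that produced this issue with the RFC 6066 case-insensitive lookup. The profile entries, their names and the dictionary layout are invented for the example; the ClientHello is a constructed sample with a zeroed random field.

```python
import struct

SNI_EXTENSION = 0

def build_client_hello(server_name):
    """Constructed TLS 1.2 ClientHello with one server_name extension (name_type host_name)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32)                                  # version, random (zeros: sample only)
            + b"\x00"                                                # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                                            # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    off = 5 + 4 + 2 + 32                                             # record hdr, hs hdr, version, random
    off += 1 + record[off]                                           # session id
    (cs_len,) = struct.unpack_from("!H", record, off)
    off += 2 + cs_len                                                # cipher suites
    off += 1 + record[off]                                           # compression methods
    if off >= len(record):
        return None                                                  # no extensions block at all
    (ext_len,) = struct.unpack_from("!H", record, off)
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, off)
        off += 4
        if etype == SNI_EXTENSION:
            (list_len,) = struct.unpack_from("!H", record, off)
            pos, list_end = off + 2, off + 2 + list_len
            while pos + 3 <= list_end:
                name_type = record[pos]
                (name_len,) = struct.unpack_from("!H", record, pos + 1)
                if name_type == 0:
                    return record[pos + 3:pos + 3 + name_len].decode("ascii")
                pos += 3 + name_len
        off += elen
    return None

def select_profile_case_sensitive(profiles, sni):
    """The pre-fix behaviour: byte-for-byte comparison, so 'WWW.Example.com' misses 'www.example.com'."""
    return next((p for p in profiles if p["server-name"] == sni), None)

def select_profile(profiles, sni):
    """RFC 6066: DNS host names are case-insensitive, so compare normalised forms.
    A trailing dot is stripped as well; RFC 6066 specifies the name without one."""
    key = sni.lower().rstrip(".")
    return next((p for p in profiles if p["server-name"].lower().rstrip(".") == key), None)

# Invented client-ssl profiles for the example; the names are hypothetical.
PROFILES = [
    {"name": "clientssl_www", "server-name": "WWW.Example.com"},
    {"name": "clientssl_api", "server-name": "api.example.com"},
]

if __name__ == "__main__":
    sni = extract_sni(build_client_hello("www.example.com"))
    print(sni, select_profile_case_sensitive(PROFILES, sni), select_profile(PROFILES, sni)["name"])
```

The same normalisation belongs on the configuration side: two profiles whose server-names differ only in case are one name under RFC 6066, and a lookup that lower-cases both sides will return whichever is listed first.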


556103-2 : Abnormally high CPU utilization for external monitors

Component: Local Traffic Manager

Symptoms:
High CPU utilization for external monitors that use SSL.

Conditions:
External monitor using SSL.

Impact:
Abnormally high CPU utilization.

Workaround:
None.

Fix:
This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.


556088-2 : In a chassis system with APM provisioned, the mcpd daemon on secondary blades restarts.

Component: Access Policy Manager

Symptoms:
Uploading and installing an epsec/Opswat package on a chassis system will result in mcpd restart on the secondary blades.

Conditions:
Installing a new epsec package on a chassis system is the only condition under which this can happen.

Impact:
All daemons dependent on mcpd will restart

Fix:
The epsec package is no longer validated on secondary blades.


555905-1 : sod health logging inconsistent when device removed from failover group or device trust

Component: TMOS

Symptoms:
When a device is in a failover group, sod logs the state change messages indicating the reachability of other devices in the group. For example:

Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).
Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).
Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).

If a reachable device is removed from the failover group, no "Disconnected" message is issued, so the last reported status will be inaccurate.

When a device is part of a trust, sod logs messages indicating what unicast addresses it is monitoring on remote devices:

Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.

If devices are removed from the trust, sod does not log a message that those unicast addresses are no longer in use.

Conditions:
When a device is removed from a failover device group, or removed from a device trust.

Impact:
Inaccurate state reporting.

Fix:
When a device is removed from a failover device group, it is now reported as "Disconnected".

When a device is removed from the device trust, sod on the other devices correctly reports that the unicast addresses belonging to the other devices have been deleted.


555686-2 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers

Component: TMOS

Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceivers might cause an internal bus to hang.

Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.

Impact:
SFPs report corrupted serial number information, fiber SFPs may not come up, and enabling or disabling copper SFPs may not work.

Workaround:
None.

Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.


555549-2 : 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.

Component: Local Traffic Manager

Symptoms:
The command to set the ltm node state to user-down fails to bring the pool member state offline.

Running the command results in error messages similar to the following:
01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 1137

Conditions:
This occurs when running the command to set the ltm node state to user-down, for example: tmsh modify ltm node 10.10.10.10 state user-down.

Impact:
Session status fails to update for pool member.

Workaround:
None.

Fix:
The command to set the ltm node state to user-down now successfully brings pool member state offline.


555507-3 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.

Component: Access Policy Manager

Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.

Conditions:
This occurs when the following conditions are met:

1. The BIG-IP system is configured and used as a SAML Identity Provider.
2. The Single Logout (SLO) protocol is configured on an attached SP connector.
3. At least one user has executed a SAML WebSSO profile.

Impact:
Symptoms might differ based on the owner of overrun memory.
Potentially, tmm could restart as a result of this issue.

Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.

Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues:

The BIG-IP system is configured and used as a SAML Identity Provider.
The Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector.
At least one user has executed a SAML WebSSO profile.


555457-4 : Reboot is required, but not prompted after F5 Networks components have been uninstalled

Component: Access Policy Manager

Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted.

Typically this issue can be identified by these log records:
<snip>
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
<snip>
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)

Conditions:
Windows desktop.
Existing F5 components uninstalled.
Reboot was not performed after uninstall.

Impact:
End users cannot establish a VPN connection from Windows-based clients.

Workaround:
Reboot the affected Windows desktop.

Fix:
After F5 Networks components have been uninstalled, the system no longer requires a reboot and uses the most recently installed software device for VPN, as expected.


555432-2 : Large configuration files may go missing on secondary blades

Component: Local Traffic Manager

Symptoms:
bigip.conf or other configuration files may go missing on secondary blades once the configuration exceeds a certain size (approximately 8 MB).

Conditions:
This is only relevant on chassis.

Impact:
If the primary changes, then the configuration is at risk of being lost.

Workaround:
Run touch on the relevant configuration file (usually bigip.conf) and the configuration file will reappear.

Fix:
bigip.conf or other configuration files would go missing on secondary blades once the configuration exceeded a certain size (approximately 8 MB). This has been fixed.


555272-3 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade

Component: Access Policy Manager

Symptoms:
Previously, F5 client components were signed using a SHA1 certificate. SHA1 is now considered insecure, and Windows will reject components signed using a SHA1 certificate after March 31st 2016.

To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.

The result of this change is that clients utilizing client components built prior to these versions:

Big-IP 12.0.0HF1 or earlier
Big-IP 11.6.0 HF8 or earlier
Big-IP 11.5.4 (base release) or earlier

cannot install Endpoint Security updates build 431 or greater.

If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431 you must upgrade to these versions:

Big-IP 12.1.0 or later
Big-IP 12.0.0HF2 or later
Big-IP 11.6.1 or later

Big-IP 11.5.4 HF1 or later

Conditions:
Running incompatible BIG-IP version with EPSEC build 431 or later.

Impact:
User will see certificate warnings and installation of client component updates may fail. The failure may occur multiple times.

Workaround:
Upgrade BIG-IP to the correct version.

Use the BIG-IP Web GUI's Software Management :: Antivirus Check Check Updates section to install an EPSEC build prior to 431.

Fix:
The signing certificate has been updated to a SHA256 certificate. Client components and EPSEC binaries are now signed using the new, higher security certificate. Please note that an upgrade to a hotfix in which the client is signed using the updated certificate is required to install updated EPSEC releases. Please review the information carefully.


555057-1 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.

Component: Application Security Manager

Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.

Conditions:
ASM REST is used to remove a signature set association from a policy.

 DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>

Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.

Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets.

Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'

Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.


555039-1 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Component: TMOS

Symptoms:
There are high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are attributed to counters.rx_cosq_drop.

Smaller buffering alpha values are configured for egress buffering to allow the 8 hardware CoS queue feature to correctly implement weight-based egress dropping. This results in busy ports dropping more aggressively, although it allows fairer buffering among multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000-series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.

Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.


555006-1 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature

Component: Application Security Manager

Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.

Conditions:
A REST client is used to look at or filter the signatures collection (/mgmt/tm/asm/signatures).

Impact:
Checking for updated signatures does not return the expected result.

Workaround:
None.

Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.


554993-1 : Profile Stats Not Updated After Standby Upgrade Followed By Failover

Component: Access Policy Manager

Symptoms:
1. The current active sessions, current pending sessions, and current established sessions counts shown in commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover.
2. The system posts an error message to /var/log/apm:
01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND).

Conditions:
This issue happens when the following conditions are met:
1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
2. A standby unit is upgraded to version 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
3. Failover is triggered.

Impact:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats remain zero after failover.

Workaround:
Upgrade all devices in the HA configuration to the same release and reboot them simultaneously.

Fix:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.


554977-1 : TMM might crash on failed SSL handshake

Component: Local Traffic Manager

Symptoms:
SSL handshake failures may crash TMM in ssl_verify().

Conditions:
Certain types of failed SSL handshakes in versions 11.5.0 through 11.5.4.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modifying serverssl cipher string to exclude ECDHE_RSA and ECDHE_ECDSA might help prevent the crash.

Fix:
This release fixes a TMM crash that might be encountered during the SSL handshake.


554967-2 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets

Component: Local Traffic Manager

Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut off or missing, leading some resolvers to consider the packet malformed.

Conditions:
This occurs primarily with responses over UDP whose size is changed dynamically, such as iRules on DNS_RESPONSE events adding new records, or DNSSEC record signing.

Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.

Workaround:
None.

Fix:
Truncated DNSSEC or iRule DNS packets are now RFC-compliant.
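The failure mode described in this entry, as an added example that is not part of the release note: a small DNS wire-format checker that reports whether a truncated response still carries its OPT record, run against a constructed response cut two ways (bytes sliced at the EDNS0 limit, versus whole RRs dropped with OPT kept). The domain, addresses and 120-byte buffer limit are constructed sample values.

```python
import struct

TYPE_A, TYPE_OPT = 1, 41  # OPT is the EDNS0 pseudo-RR (RFC 6891)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def a_record(name, ipv4):
    """Build an A RR (IN class) with a 300 s TTL."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata


def opt_record(udp_size):
    """Build an OPT RR; its CLASS field carries the sender's UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_response(qname, answers, udp_size, tc=False):
    """Assemble a response: header, one A question, answers, OPT in the additional section."""
    flags = 0x8180 | (0x0200 if tc else 0)  # QR=1, RD=1, RA=1, optional TC
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answers) + opt_record(udp_size)


def truncate_naively(msg, limit):
    """Constructed model of the faulty behaviour: set TC, then cut the bytes at the limit.
    OPT sits last in the message, so it is lost first, and the RR that straddles
    the limit is left half-written while the header counts still claim it."""
    flags = struct.unpack_from("!H", msg, 2)[0] | 0x0200
    return msg[:2] + struct.pack("!H", flags) + msg[4:limit]


def truncate_properly(qname, answers, udp_size, limit):
    """Drop whole answer RRs until the message fits, keep the OPT RR, set TC."""
    kept = list(answers)
    while kept and len(build_response(qname, kept, udp_size, tc=True)) > limit:
        kept.pop()
    return build_response(qname, kept, udp_size, tc=True)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name; raise if it runs off the end."""
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            if off + 1 >= len(buf):
                raise ValueError("pointer truncated")
            return off + 2
        off += 1 + length


def _skip_rr(buf, off):
    """Advance past one RR; return (type, new offset)."""
    off = _skip_name(buf, off)
    if off + 10 > len(buf):
        raise ValueError("RR fixed fields truncated")
    rtype, _, _, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10 + rdlen
    if off > len(buf):
        raise ValueError("RDATA truncated")
    return rtype, off


def inspect_response(msg):
    """Report what a resolver sees: the TC flag, whether the OPT RR survived,
    and whether the header's section counts can be walked without running off the end."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    result = {"tc": bool(flags & 0x0200), "opt_present": False,
              "answers": an, "parse_error": False}
    off = 12
    try:
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
            if off > len(msg):
                raise ValueError("question truncated")
        for _ in range(an + ns + ar):
            rtype, off = _skip_rr(msg, off)
            if rtype == TYPE_OPT:
                result["opt_present"] = True
    except ValueError:
        result["parse_error"] = True
    return result


# Constructed sample: the resolver advertised a 120-byte EDNS0 buffer, and the
# full response carries five A records (205 bytes on the wire).
QNAME = "www.example.test"
ANSWERS = [a_record(QNAME, f"192.0.2.{i}") for i in range(1, 6)]
UDP_LIMIT = 120


def demo():
    """Return (naive result, proper result) for the constructed sample."""
    full = build_response(QNAME, ANSWERS, udp_size=4096)
    bad = inspect_response(truncate_naively(full, UDP_LIMIT))
    good = inspect_response(truncate_properly(QNAME, ANSWERS, 4096, UDP_LIMIT))
    return bad, good


if __name__ == "__main__":
    naive, proper = demo()
    print("naive cut :", naive)   # TC set, OPT gone, counts do not parse
    print("proper cut:", proper)  # TC set, OPT kept, parses cleanly
```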


554761-4 : Unexpected handling of TCP timestamps under syncookie protection.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system experiences intermittent packet drops.

Despite the timestamp option being negotiated during the TCP handshake, the BIG-IP system fails to include it in subsequent segments.

The BIG-IP system calculates an invalid round-trip time immediately after the handshake, which might result in delayed retransmissions.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- The syncookie mode has been activated.
- Clients that support timestamps.

Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.

Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Workaround:
Choose or create a TCP profile that has timestamps disabled.

Fix:
TCP Timestamps are now maintained on all negotiated flows.


554626 : Database logging truncates log values greater than 1024

Component: Access Policy Manager

Symptoms:
The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null.

Conditions:
Logging into local database with log values (such as session variables) greater than 1024. If this size is too high (greater than 4060), the field displays as empty or null in reports.

Impact:
The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable.

Workaround:
No workaround.

Fix:
This release handles large single log values.


554624-1 : NTP CVE-2015-5300 CVE-2015-7704

Vulnerability Solution Article: K10600056 K17566


554563-2 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.

Component: TMOS

Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.

Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.

Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.

Workaround:
None.

Fix:
The Drops In interface statistics no longer include Class of Service Queues (cosq) egress drop counts, which is correct behavior.


554340-2 : IPsec tunnels fail when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
When the connection.vlankeyed db variable is disabled, data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels is dropped if it lands on TMMs other than tmm0. The system establishes the IKEv2 tunnel, but the data traffic is not secured.

Conditions:
This issue is seen when the interesting data traffic lands on TMMs other than tmm0. The cause is that a flow is incorrectly created on another TMM that is the owner of the outbound SA (IKEv2 tunnel).

Impact:
The system drops the data traffic to be secured using IPsec and connections fail.

Workaround:
Disable CMP in the virtual server configuration.

Fix:
Flow creation at the TMM that owns the outbound SA for the IKEv2 tunnel is properly handled. TMM can handle the inner traffic from IKEv1 tunnel and secure it over another IKEv2 tunnel.


554228-4 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.

Conditions:
WEBSSO and OneConnect.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to a build-up of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.


554074-3 : If the user cancels a connection attempt, there may be a delay in establishing the next connection.

Component: Access Policy Manager

Symptoms:
Clicking on connect button does not trigger start of VPN connection immediately.

Conditions:
User cancelled the previous connection attempt.

Impact:
User must wait for ten seconds before attempting to reconnect.

Workaround:
None.

Fix:
The VPN connection now starts immediately even if the user cancelled a previous connection attempt.


554041-4 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.

Conditions:
All of the following conditions must apply.
1) Edge Client is installed in "Always Connected" mode.
2) The Connectivity profile on server has location DNS list entries.
3) One of the DNS locations matches the DNS suffix set on the local network adapter.

Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN.
All traffic to and from the user's machine is blocked.

Workaround:
This issue has no workaround at this time.

Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.


553925-3 : Manual upgrade of Edge Client fails in some cases on Windows

Component: Access Policy Manager

Symptoms:
Manual upgrade of BIG-IP Edge Client for Windows fails with the message "Newer version of this product is already installed."

Conditions:
Edge Client version 11.2.0. Version 12.0 is installed.
User tries to upgrade Edge Client by running a newer installer package of Edge Client.

Impact:
Edge Client cannot be upgraded.

Workaround:
Uninstall and reinstall Edge Client or use the installer service component for automatic update of Edge Client.

Fix:
The installer package has been fixed.


553902-3 : Multiple NTP Vulnerabilities

Vulnerability Solution Article: K17516


553795-3 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.

2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Delete the FIPS key by-handle on the peer system(s).

2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).

Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.


553688-3 : TMM can core due to memory corruption when using SPDY profile.

Component: Local Traffic Manager

Symptoms:
TMM corefiles containing memory corruption within 112-byte memory cache.

Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release contains a fix that prevents a double free on error within the SPDY component.


553649 : The SNMP daemon might lock up and fail to respond to SNMP requests.

Component: TMOS

Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.

Conditions:
This occurs when the SNMP configuration on the BIG-IP system changes and the SNMP daemon restarts. It is a timing issue that might appear intermittently.

Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.

Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.

Fix:
The SNMP daemon no longer locks up and becomes unresponsive when it is restarted.


553576-2 : Intermittent 'zero millivolt' reading from FND-850 PSU

Component: TMOS

Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage.
Specific symptoms include:
- SNMP alert 'bigipSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged:
emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low.
[where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).

Note that this condition may affect either PSU 1 or PSU 2.

Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.

Impact:
There is no impact; these error messages are benign.

Workaround:
None.

Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.


553454-3 : Mozilla NSS vulnerability CVE-2015-2730

Vulnerability Solution Article: K15955144


553330-2 : Unable to create a new document with SharePoint 2010

Component: Access Policy Manager

Symptoms:
VPN users are unable to create a new document with SharePoint 2010

An error is displayed: "The Internet address https://ip:port/shared documents/forms/template.dotx is not valid".

Conditions:
Creating a new document using the "New Document" button.

Impact:
User cannot create a new document with SharePoint 2010.

Workaround:
None.

Fix:
You can now create a new document with Microsoft SharePoint 2010.


553311-1 : Route pool configuration may cause TMM to produce a core file

Component: Local Traffic Manager

Symptoms:
TMM might produce a core file and take the action defined in configuration.

Conditions:
Client-side route pool configuration that configures a route pool to route back and has auto lasthop disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using any route at client side (using auto lasthop or lasthop pool).

Fix:
The tmm crash caused by the route pool configuration is fixed.


553174-2 : Unable to query admin IP via SNMP on VCMP guest

Component: TMOS

Symptoms:
The admin IP address is not returned via ipAdEntAddr.

Conditions:
Querying the admin IP via SNMP (ipAdEntAddr) on a vCMP guest.

Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.

Workaround:
None.

Fix:
ipAdEntAddr now returns the admin IP address on a vCMP guest.


553063-4 : Epsec version rolls back to previous version on a reboot

Component: Access Policy Manager

Symptoms:
If the administrator has installed multiple EPSEC packages, after a reboot the EPSEC version rolls back to the previously installed version.

Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.

Impact:
The OPSWAT version rolls back without prompting or logging. This might re-expose endpoint security issues that the latest installed OPSWAT package is supposed to fix.

Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.

After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.

Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.


553037 : iOS Citrix Receiver web interface mode cannot launch the apps

Component: Access Policy Manager

Symptoms:
When a user clicks an app, a window displays with this message: "Cannot start the requested App. Select More info for further details."

Conditions:
An iOS Citrix Receiver in Web interface connection type and a BIG-IP system in Web interface configuration.

Impact:
Users cannot launch apps.

Workaround:
1. In the Citrix Receiver, you can use the native GUI with the Access-Gateway Enterprise edition type with this URI:
https://<BIG-IP system virtual server FQDN>/

2. Define an LTM data-group with FQDN set to /config/<storename>/pnagent/config.xml

Fix:
The LaunchICA GET request is now passed through VDI.


552937-2 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.

Component: Local Traffic Manager

Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.

Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.

Impact:
TMM core.

Workaround:
Add the close header to the HTTP::respond response, and the connection will be closed automatically.

Fix:
TMM no longer cores, because it can now handle the next pipelined request after HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.


552931-2 : Configuration fails to load if DNS Express Zone name contains an underscore

Component: Local Traffic Manager

Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.

Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
-- DNS Express Zone exists with an underscore in the name.

Impact:
The LTM configuration cannot be loaded when restarting the BIG-IP system if DNS Express Zones have an underscore character in the name.

Workaround:
Force the GTM configuration to load by running the following commands in sequence:
tmsh load sys config gtm-only
tmsh load sys config

Fix:
All FQDNs may now contain the underscore character. The BIG-IP system now correctly loads configurations that contain DNS Express Zones with underscores in the name.


552865-5 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl profile asks for the client certificate, the handshake might fail if the client sends an invalidly signed Certificate Verify message.

Conditions:
The SSL client certificate mode is request, and the client sends an invalidly signed Certificate Verify message to the BIG-IP system.

Impact:
The handshake does not ignore the invalidly signed Certificate Verify message, and the handshake might fail. SSL client authentication should ignore an invalidly signed Certificate Verify message when PCM is set to 'request': regardless of whether the Certificate and Certificate Verify messages are valid, the handshake should ignore the Certificate Verify signature error and continue.

Workaround:
None.

Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior.


552532-3 : Oracle monitor fails with certain time zones.

Component: Local Traffic Manager

Symptoms:
Occasionally, the OJDBC driver reads a time zone file that it cannot understand, which causes Oracle monitors to fail.

Conditions:
- The system uses ojdbc6.jar for Oracle monitor functionality.
- The UTC time zone is configured.
- Contents of the /usr/share/zoneinfo directory are arranged so that the 'UTC' file is not the first in the list. (Versions prior to 10.2.4 use the 1.4-compatible ojdbc14.jar driver. The ojdbc6.jar OJDBC driver, as supplied by Oracle for Java 6 (aka 1.6), auto-detects the local system's time zone name by scanning and comparing files under /usr/share/zoneinfo. The filenames are created during installation, and seem to depend on the 'Directory Hash Seed' of the /usr filesystem, so there is no predictable result.)

Impact:
Cannot use direct Oracle monitoring to ensure the backend is functionally operational. OJDBC driver seems to negotiate the time zone for the session, and instead of 'UTC', it attempts to change the time zone to: 'Universal', 'Zulu', 'Etc/Universal', 'Etc/Zulu', which will cause the monitor to fail, and not execute the actual monitoring.

Note: Other time zones might be affected. For example, a similar issue might happen with the time zone set to GMT, which can become 'Greenwich' because of the same functionality.

Workaround:
Although there is no reliable workaround, reinstalling might resolve the issue, as may using another time zone.

Fix:
Oracle monitor functions now as expected with UTC and other time zones.


552498-2 : APMD basic authentication cookie domains are not processed correctly

Component: Access Policy Manager

Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.

Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.

Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.

Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.

Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.


552385 : Virtual servers using an SSL profile and two UDP profiles may not be accepted

Component: Local Traffic Manager

Symptoms:
Error message:
01070711:3: Found disallowed profile: Not Profile profile_clientssl
or
01070711:3: Found disallowed profile: Not Profile profile_serverssl

Conditions:
Create a virtual server with a client-ssl profile and/or a server-ssl profile and two different UDP profiles (one on the server side and one on the client side).

Impact:
When using either a client-ssl profile or a server-ssl profile, depending on the sort order of the UDP profiles, the configuration may not be accepted.

When using both a client-ssl profile and a server-ssl profile, the configuration is not accepted.

Workaround:
When using either a client-ssl profile or a server-ssl profile, either use a common UDP profile for both client and server side or try renaming one of the UDP profiles to alter the sort order.

When using both a client-ssl profile and a server-ssl profile, try using one UDP profile for both the client and server side.

Fix:
Virtual servers that utilize an SSL profile and a combination of UDP profiles are now accepted.


552352-3 : tmsh list displays incorrect output for default values of gtm listener translate-address/translate-port

Component: Global Traffic Manager

Symptoms:
tmsh list displays incorrect output for the default values of the GTM listener translate-address/translate-port settings.

Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.

Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when used with the TMSH merge command, where the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. This might eventually result in failing traffic.

Workaround:
Use tmsh list with 'all-properties' instead.

Fix:
GTM Listener's translate-address and translate-port fields are now always displayed in TMSH commands. This is because GTM Listeners have different defaults than LTM virtual servers: when used with the TMSH merge command, the value was set to the LTM virtual server default instead of being maintained as the GTM Listener default. By always displaying this attribute, no matter what the value is, the merge is always handled appropriately.


552198-3 : APM App Tunnel/AM iSession Connection Memory Leak

Component: Wan Optimization Manager

Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.

Conditions:
The iSession profile reuse-connection attribute is true.
A large number of iSession connections are aborted while waiting to be reused.

Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.

Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.

Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.


552151-1 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected

Component: Local Traffic Manager

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.

Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.

Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.

Workaround:
Disable compression if CPU usage is too high.

Fix:
Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).


552139-3 : ASM limitation in the pattern matching matrix build-up

Component: Application Security Manager

Symptoms:
The signature configuration does not build up when new signatures are added. This can look like a configuration change that never finishes; if it does finish, it may result in crashes when the Enforcer starts up, leading to constant restarts.

Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.

Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).

Workaround:
A workaround is possible only in the custom-signature scenario: use fewer signatures, or remove unused signatures.

Fix:
Fixed a limitation in the attack signature engine.


551927-3 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition

Component: TMOS

Symptoms:
On an ePVA-capable platform with a fastl4 profile and asymmetric routing on the client side, LTM sends packets to the client with the wrong VLAN and the correct MAC address (or the correct VLAN and the wrong MAC address) and an undecremented TTL.

Conditions:
A fastl4 profile and asymmetric routing on the client side.

Impact:
Return traffic could use the wrong VLAN.

Workaround:
none

Fix:
The system now uses the next-hop VLAN, when available, for the ePVA transformation of an offloaded flow, instead of the incoming VLAN.


551767-2 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats

Component: Global Traffic Manager

Symptoms:
GTM server 'Virtual Server Score' does not show correct values in TMSH stats. Instead, the stats show a zero value.

Conditions:
You have a virtual server configured with a non-zero score.

Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.

Workaround:
None.

Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.


551764-1 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform

Component: Access Policy Manager

Symptoms:
Successful execution of an Access Policy results in the client receiving an HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression that occurs when the fix for bug 374067 is included.

Conditions:
-- The system has the fix for bug 374067.
-- Clientless mode is enabled.
-- BIG-IP platform is chassis platform.
-- The administrator does not override the Access Policy response with iRule command.

Impact:
Client receives an invalid response.

Workaround:
None.

Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.


551742-1 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades

Component: TMOS

Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors from an unknown source. This fix mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated by the following message in the ltm log:

Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)

Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.

Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.

Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.

Fix:
A hardware parity error issue has been fixed.


551661-3 : Monitor with send/receive string containing double-quote may fail to load.

Component: TMOS

Symptoms:
When a monitor string contains \" (backslash double-quote) but does not contain a character that requires quoting, one level of escaping is lost at each save/load.

Note: Re-loading a config happens during licensing. If you decide to upgrade, first verify that you have an escaped quote in the monitor string. If you do, remove the re-licensing step from your MOP (Method of Procedure). The failure message for reloading the license with an escaped quote appears similar to the following example:

Monitor monitor_1 parameter contains unescaped " escape with backslash.

Conditions:
If the string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.

Workaround:
You can use either of the following workarounds:
-- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary.
-- Use an external monitor instead.

Fix:
If the monitor send/recv strings contain a double-quote (") character, the system now adds quotes to the input.

If a configuration contains '\"', do not reload the license before upgrade.


551481-4 : 'tmsh show net cmetrics' reports bandwidth = 0

Component: TMOS

Symptoms:
'tmsh show net cmetrics' reports bandwidth = 0

Conditions:
The TCP profile has cmetrics-cache enabled.
The connection involves at least 4 RTT updates.

Impact:
User cannot view cmetrics data.

Workaround:
For 12.0.0 and later, you can get this data using the ROUTE::bandwidth iRule. For earlier versions, there is no workaround.

Fix:
Bandwidth is now properly computed with the formula cwnd/rtt.


551349-1 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade

Component: TMOS

Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.

Conditions:
A monitor exists with a non-explicit address and explicit port on a BIG-IP system running 10.2.4, and the system is then upgraded to 11.5.x (or a 10.2.4 UCS is installed).

Impact:
Monitors appear to function normally, but they have the wrong format in the config file.

Workaround:
None.

Fix:
The system now determines whether a non-explicit (*) address is IPv4 or IPv6 based on the next character to be parsed.


551287-3 : Multiple LibTIFF vulnerabilities

Vulnerability Solution Article: K16715


551260-3 : When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is used as a SAML Service Provider, and the IdP-Connector's Single Sign On Service URL contains an ampersand (&), part of the URL may be truncated when the user is redirected to the IdP for authentication.

Conditions:
All conditions must be true:
- BIG-IP is used as SAML Service Provider
- Single Sign On Service URL property of IdP connector contains ampersand, e.g. https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar
- User performs SP initiated SSO

Impact:
The query part of the redirect URL after the ampersand is lost when the user is redirected to the SSO URL with the Authentication Request.

Fix:
The redirect URL is no longer truncated after the ampersand sign.


551208-3 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.

Component: TMOS

Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x and 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.

Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia SNMP alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435.

Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.

Workaround:
None.

Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.


551189-2 : Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data

Component: Local Traffic Manager

Symptoms:
Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g. HTTP Set-Cookie header and/or other HTTP headers).

Conditions:
LTM Virtual Server handling HTTP traffic, with iRule attached which modifies a given HTTP cookie value through the HTTP::cookie API, on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use-case for producing the error would be encrypting and decrypting HTTP cookies via an iRule.

Impact:
Repeatedly altering the same HTTP cookie value in an iRule, via the HTTP::cookie API, may yield an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header.

Workaround:
None.


551010-3 : Crash on unexpected WAM storage queue state

Component: WebAccelerator

Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.

Conditions:
WAM configured on a virtual server with request queuing enabled.

Impact:
Crash

Workaround:
none

Fix:
The system now gracefully recovers from an unexpected WAM storage queue state.


550782-2 : Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit

Component: Local Traffic Manager

Symptoms:
RRSIG is present when not asked for, and RRSIG and AD are dropped from the response upon expiration from the cache.

Conditions:
Standard DNS requests are made against a Validating Resolver DNS cache that points to a second BIG-IP system, which in turn contains a wideip in a signed zone.

Impact:
RRSIG is present when not asked for, and RRSIG and AD are dropped from the response upon expiration from the cache.

Workaround:
N/A

Fix:
Update message encoding to depend on client DO bit.


550694 : LCD display stops updating and Status LED turns/blinks Amber

Component: TMOS

Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.

Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer.
This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus become stalled.
Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition are greatly reduced, but it may still occur under rare conditions.

Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.

Workaround:
This condition can be cleared by either of the following actions:
1. Press one of the buttons on the LCD display to navigate the LCD menus.
2. Issue the following command at the BIG-IP host console:
/sbin/lsusb -v -d 0451:3410

Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.

Fix:
Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.


550689-3 : Resolver H.ROOT-SERVERS.NET Address Change

Component: Local Traffic Manager

Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will be good for 6 months after the change, and then the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. More details http://h.root-servers.org/renumber.html

Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.

Impact:
Incorrect address for a root-server means no response to that query.

Workaround:
There are 12 other root-servers that also provide answers to TLD queries, so this is cosmetic, but the addresses still need to be updated to respond to the change.

Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53).

For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.


550596-2 : RESOLV::lookup iRule command vulnerability CVE-2016-6876

Vulnerability Solution Article: K52638558


550536-4 : Incorrect information/text (in French) is displayed when the Edge Client is launched

Component: Access Policy Manager

Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.

Conditions:
Edge client is used in French locale.

Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.

Workaround:
None.

Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.


550434-4 : Diameter connection may stall if server closes connection before CER/CEA handshake completes

Component: Service Provider

Symptoms:
The server-side connection stalls. The connection is not torn down and packets are not forwarded to the server side.

Conditions:
The selected pool member closes the connection (via FIN) before sending CEA as part of the Diameter handshake.

Impact:
Connection stalls until handshake timeout and then it is reset.

Workaround:
none

Fix:
Server-side Diameter connections are now immediately reset if a FIN is received before the CEA (Capabilities-Exchange-Answer).


549971-3 : Some changes to virtual servers' profile lists may cause secondary blades to restart

Component: TMOS

Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.

Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.

Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.

Workaround:
Explicitly set the ip-protocol when changing the profiles of a virtual server; this bug then does not occur.

Fix:
If a virtual server's ip-protocol was not set, then some changes to the list of attached profiles would cause a validation error on secondary blades. This would cause those blades to restart. This issue has been fixed.


549868-2 : 10G interoperability issues reported following Cisco Nexus switch version upgrade.

Component: Local Traffic Manager

Symptoms:
10G link issues reported with VIPRION B2250, B4300 blades and BIG-IP 10x00 appliances connected to Cisco Nexus switches.

Conditions:
Issues are reported after the Cisco switch is upgraded to version 7.0(5)N1(1).

Impact:
The links might not come up.

Workaround:
Toggling the SFP+ interfaces has been reported to usually restore the link.

Fix:
The BIG-IP system's 10G link now consistently becomes active when it is connected to other switches.


549588-3 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Component: Access Policy Manager

Symptoms:
EAM memory grows, and the OOM killer terminates the EAM process under memory pressure.

Conditions:
This occurs when using access management such as Oracle Access Manager: when an authentication request is redirected to the IdP (a redirect URL is present) with cookies present, memory can grow unbounded.

Impact:
EAM memory usage increases, and the OOM killer terminates the EAM process if the system is under memory pressure.

Workaround:
No Workaround

Fix:
EAM memory usage no longer grows. Cookie objects are deleted before the cookieMap is deleted in the obAction destructor.


549543-2 : DSR rejects return traffic for monitoring the server

Component: TMOS

Symptoms:
System DB variable 'tm.monitorencap' controls whether the server monitor traffic is encapsulated inside DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, and return traffic is without the tunnel encapsulation. In such a case, the return traffic is not mapped to the original monitor flow, and gets rejected/lost.

Conditions:
System DB variable 'tm.monitorencap' is set to 'enable', and DSR server pool is monitored.

Impact:
Monitor traffic gets lost, and server pool is marked down.

Workaround:
None.

Fix:
The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.


549406-3 : Destination route-domain specified in the SOCKS profile

Component: Local Traffic Manager

Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.

Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).

Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.

Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.

Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.


549329-2 : L7 mirrored ACK from standby to active box can cause tmm core on active

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby configuration setup for L7 packet mirroring.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A spurious ACK no longer causes an outage; instead, the packet is dropped.


549086-3 : Windows 10 is not detected when Firefox is used

Component: Access Policy Manager

Symptoms:
Windows 10 is not detected when the Firefox browser is used.

Conditions:
Windows 10 and Firefox (at least versions 40 and 41).

Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.

Workaround:
There is no workaround.

Fix:
Now Windows 10 is properly detected with the Firefox browser.


549023 : warning: Failed to find EUDs

Component: TMOS

Symptoms:
There are normal circumstances where the system does not yet have a diagnostics package installed. Even though it is normal, a warning log message is emitted for this condition.

Conditions:
This occurs on newly formatted installations prior to version 11.5.4.

Impact:
Even though this is logged at the warning level, lack of an EUD can indicate a normal condition on new installations.

Workaround:
Ignore the warning.

Fix:
If the system cannot find the EUD, the message is now logged at the info level.


548680-3 : TMM may core when reconfiguring iApps that make use of iRules with procedures.

Component: Local Traffic Manager

Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.

Conditions:
More than one iApp is reconfigured by switching templates, and the prior and new templates contain iRules with procedures of the same name.
After the second or later reconfiguration, TMM may core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.

Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.


548583-5 : TMM crashes on standby device with re-mirrored SIP monitor flows.

Component: Local Traffic Manager

Symptoms:
Occasionally, the standby system with a SIP monitor crashes in a configuration where the active system contains a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.

Conditions:
This occurs on an active-standby setup in which there is an L4 forwarding virtual server or SNAT listener configuration with a wildcard IP address and port, and with connection mirroring enabled. Also, the standby has a SIP monitor configured.

Impact:
Packets that are sent by the SIP monitor on the standby get routed back to the active unit (possibly due to a routing loop) and are then sent to the standby because of the wildcard mirrored configuration. tmm on standby might crash. When the crash occurs, the standby system posts the following assert and crashes: tmm failed assertion, non-zero ha_unit required for mirrored flow.

Workaround:
-- If a routing or switching loop is the reason the packets come back to the active unit, then the routing issues can be eliminated.
-- The mirroring of the wildcard virtual server or SNAT listener can be disabled.

Fix:
TMM no longer crashes on standby device with re-mirrored SIP monitor flows.


548563-3 : Transparent Cache Messages Only Updated with DO-bit True

Component: Local Traffic Manager

Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
When the TTL of a cached DO-bit TRUE message expires, DO-bit FALSE queries are proxied until the message cache is updated with a DO-bit TRUE message.

Workaround:
None.

Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.


548385-1 : iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results

Component: TMOS

Symptoms:
If the active folder is not the same as the folder in which the query is being run, and the corresponding key/cert extension is not present in the name of the key/certificate file, the query returns incorrect results.

Conditions:
This occurs when iControl calls query a key/cert from the parent folder and the name is missing the extension.

Impact:
The query result returns incorrect results.

Workaround:
You can use one of the following workarounds:
-- Change the filename to include the extension.
-- Change to the folder containing the iControl call you are executing.

Fix:
The system now correctly loads key/cert/csr/crl files without an extension, so iControl calls that query those files from the parent folder now return correct results.


548268-3 : Disabling an interface on a blade does not change media to NONE

Component: TMOS

Symptoms:
When an interface on a blade in a chassis is disabled, its media is not reported as NONE and the link on the other end stays UP.

Conditions:
Disabling an interface on a blade within a chassis.

Impact:
Media on the disabled interface is not reported as NONE, and the link on the partner end stays UP.

Workaround:
none

Fix:
fixed


548053-1 : User with 'Application Editor' role set cannot modify 'Description' field using the GUI.

Component: TMOS

Symptoms:
User with 'Application Editor' role set cannot modify 'Description' field using the GUI.

Conditions:
Users with a role of Application Editor.

Impact:
Cannot modify 'Description' field using the GUI.

Workaround:
Users with the 'Application Editor' role can modify 'Description' fields using tmsh.

Fix:
User with 'Application Editor' role can now modify 'Description' field using the GUI.


547942 : SNMP ipAdEntAddr indicates floating vlan IP rather than local IP

Component: TMOS

Symptoms:
An SNMP query response for ipAdEntAddr would sometimes return floating IPs rather than local IPs. This was due to the supporting software returning the first found IP address for a given vlan.

Conditions:
Problem started after upgrading to v11.5.1 Eng-HF7, from v10.2.4.
The same problem can happen on freshly installed 11.5.x as well.

Impact:
No impact to BIG-IP services, but the returned information to the SNMP query is sometimes incorrect.

Workaround:
None.


547815-2 : Potential DNS Transparent Cache Memory Leak

Component: Local Traffic Manager

Symptoms:
When a transparent cache is populated with messages where the DNSSEC OK bit is true, and a query with that bit true arrives at or after the expiration of the message TTL, the system leaks all subsequent queries with DNSSEC OK set to false, up through the TTL of that message.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
A few hundred bytes can leak on each clientside query, leading to a massive leak over a short period of time.

Workaround:
Disable DNSSEC on all cached messages by disabling DNSSEC on pool members.

Fix:
This release fixes a potential DNS transparent cache memory leak.


547732-3 : TMM may core on using SSL::disable on an already established serverside connection

Component: Local Traffic Manager

Symptoms:
TMM process may crash if the SSL::disable iRule command is used on a serverside with a connection that has already established SSL.

Conditions:
Use of the 'SSL::disable serverside' iRule command on a server-side connection that has already established SSL.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use SSL::disable on an event where the serverside SSL connection is already established.

Fix:
TMM no longer cores when SSL::disable is used on an already established server-side connection; it now logs the following warning: Connection error: hud_ssl_handler:605: disable profile (80)


547537-4 : TMM core due to iSession tunnel assertion failure

Component: Wan Optimization Manager

Symptoms:
TMM core due to "valid isession pcb" assertion failure in isession_dedup_admin.c.

Conditions:
Deduplication endpoint recovery occurs on a BIG-IP system that has deduplication enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
none

Fix:
An iSession tunnel initialization defect has been corrected.


547532-6 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades

Component: TMOS

Symptoms:
Error messages similar to this are present in the ltm log:

-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.

Conditions:
A chassis-based system with multiple blades. This can occur a few different ways:
- A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).
- A monitor defined in the Common partition is attached to an object from a partition where the default route domain is different.

Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.

Workaround:
There are two possible workarounds:

-- Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.

-- Do not use monitors from other partitions where the default route domain is different.

Fix:
The complete state for addresses on the primary blade is propagated to secondary blades.


547047-1 : Older cli-tools unsupported by AWS

Component: TMOS

Symptoms:
Older EC2 tools stopped working in some AWS regions.

Conditions:
This can happen in some AWS regions.

Impact:
BIG-IP high availability configurations may stop working in some AWS regions.

Workaround:
None.

Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.


547000-3 : Enforcer application might crash on XML traffic when out of memory

Component: Application Security Manager

Symptoms:
Enforcer application might crash on XML traffic when out of memory.

Conditions:
This occurs when the system is out of memory.

Impact:
The BIG-IP system might temporarily fail to process traffic.

Workaround:
None.

Fix:
This release fixes a scenario where the system might crash when the XML parser ran out of memory.


546747-4 : SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets

Component: Local Traffic Manager

Symptoms:
Sometimes the BIG-IP system responds with a fatal handshake alert and closes the SSL session for a new connection when a ClientHello record is split between two or more packets.

If SSL debug logging is enabled, the system logs an error such as the following:
    01260009:7: Connection error: ssl_hs_rxhello:6210: ClientHello contains extra data (47).

Note: For information on SSL debug logging, see SOL15292: Troubleshooting SSL/TLS handshake failures at https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html.

Conditions:
This occurs when an SSL ClientHello record is split across multiple TCP segments, and the last segment is relatively small.

Impact:
SSL connections fail to complete with a handshake failure.

Workaround:
No workaround.

Fix:
SSL handshakes no longer fail to complete when the ClientHello is split across multiple TCP segments and the last segment is relatively small.
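The following script is an added example (not part of the original release note and not F5 code) for reproducing the condition described in this entry against a virtual server: it builds a genuine ClientHello with the local OpenSSL, sends it as two TCP segments with a deliberately small trailing segment, and reports whether the listener answered with a ServerHello or with a fatal alert. Target host/port, the 8-byte tail and the 0.2 s gap are assumptions; an affected system is expected to return the alert.

```python
"""Probe a TLS listener with a ClientHello split across two TCP segments."""
import socket
import ssl
import time

# TLS alert descriptions worth naming when classifying the reply (RFC 5246).
ALERT_NAMES = {40: "handshake_failure", 50: "decode_error",
               70: "protocol_version", 80: "internal_error"}


def build_client_hello(server_name: str = "example.com") -> bytes:
    """Produce a real ClientHello record without touching the network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we only want the first flight
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()              # cannot finish: no ServerHello yet
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()              # one TLS record carrying the ClientHello


def split_tail(record: bytes, tail_len: int) -> list:
    """Split so the last TCP segment carries only tail_len bytes of the record."""
    if not 0 < tail_len < len(record):
        raise ValueError("tail_len must lie inside the record")
    return [record[:-tail_len], record[-tail_len:]]


def classify_reply(reply: bytes) -> str:
    """Name the first TLS record the server returned (or 'closed')."""
    if len(reply) < 5:
        return "closed"
    if reply[0] == 0x16:
        return "handshake"              # ServerHello: the split was tolerated
    if reply[0] == 0x15:                # alert record: the symptom in this entry
        if len(reply) >= 7:
            level = "fatal" if reply[5] == 2 else "warning"
            return "alert:%s:%s" % (level, ALERT_NAMES.get(reply[6], str(reply[6])))
        return "alert"
    return "other"


def probe(host: str, port: int = 443, tail_len: int = 8, gap: float = 0.2) -> str:
    """Send the split ClientHello and classify the first reply record."""
    hello = build_client_hello(host)
    with socket.create_connection((host, port), timeout=5) as s:
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        for segment in split_tail(hello, tail_len):
            s.sendall(segment)
            time.sleep(gap)             # let each segment become its own packet
        try:
            reply = s.recv(7)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target, target_port))
```

The split only reproduces the condition if the segments really arrive separately; TCP_NODELAY plus the pause makes that likely but does not guarantee it, so confirm with a capture on the BIG-IP side and, with SSL debug logging on, look for the "ClientHello contains extra data" message quoted above.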


546640-1 : tmsh show gtm persist <filter option> does not filter correctly

Component: Global Traffic Manager

Symptoms:
Following commands fail to return results even if there are matching records:
  # tmsh show gtm persist level wideip
  # tmsh show gtm persist target-type pool-member

Conditions:
This only happens when running the tmsh commands listed in the Symptoms.

Impact:
It is not possible to get a granular detail for persist stats.

Workaround:
Use GUI.

Fix:
Filters for the tmsh show gtm persist command now apply the filters correctly.


546410-1 : Configuration may fail to load when upgrading from version 10.x.

Component: TMOS

Symptoms:
After upgrade from 10.x to 11.5.3 HF2, configuration fails to load with the following error:
01070734:3: Configuration error: Invalid primary key on monitor_param object () - not a full path 2.

Conditions:
Configuration contains a user-created monitor (A) that inherits from user-created monitor (B). Monitor A appears first within the configuration files and monitor B does not have a 'destination' attribute.

Impact:
Configuration fails to load.

Workaround:
Re-order monitors such that Monitor B appears first, or add a 'destination' attribute (i.e., 'destination *:*') to monitor B.

Fix:
The 10.x upgrade now completes successfully, even when a parent monitor appears later in the monitor list than its child, or when the parent monitor has no destination attribute.


546260-1 : TMM can crash if using the v6rd profile

Component: TMOS

Symptoms:
TMM might crash intermittently when traffic is sent through v6rd profile-configured tunnels.

Conditions:
Specific conditions required for encountering this issue are not well understood.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed root cause of TMM core related to the v6rd profile, so this issue no longer occurs.


546080-4 : Path sanitization for iControl REST worker

Vulnerability Solution Article: K99998454


545821 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: Local Traffic Manager

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.

Fix:
Once the TCP connection reaches established state, the idle timeout is set to the value found in the associated profile. By default the profile timeout value is 300 seconds.


545786-2 : Privilege escalation vulnerability CVE-2015-7393

Vulnerability Solution Article: K75136237


545762-1 : CVE-2015-7394

Vulnerability Solution Article: K17407


545745-3 : Enabling tmm.verbose mode produces messages that can be mistaken for errors.

Component: TMOS

Symptoms:
When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present.

Conditions:
Must have an accelerator device, and enable tmm.verbose logging.

Impact:
The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored.

Workaround:
Ignore the lines with format similar to the following:

 en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000

Fix:
The cosmetic messages containing 'error:' and 'best_error:' are no longer posted on initial tmm startup when tmm.verbose logging is enabled on hardware-accelerated devices.


545704-3 : TMM might core when using HTTP::header in a serverside event

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM might core when using an HTTP iRule command in a HTTP_REQUEST_SEND serverside event.

Conditions:
- iRule with an HTTP command in a serverside event prior to the serverside being completely established, such as HTTP_REQUEST_SEND.
- OneConnect configured on the virtual server.

Impact:
The command might either return an invalid value or lead to a condition where TMM might core.

Workaround:
Use the {clientside} Tcl command to execute on the client side.

Alternatively, you might use the HTTP_REQUEST_RELEASE event for HTTP inspection/modification on the server-side.

Fix:
TMM no longer cores when using HTTP iRule commands on the server-side of the HTTP_REQUEST_SEND event.


545450-2 : Log activation/deactivation of TM.TCPMemoryPressure

Component: Local Traffic Manager

Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.

Conditions:
TM.TCPMemoryPressure set to "enable".

Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.

Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.


544992-2 : Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp)

Component: Access Policy Manager

Symptoms:
Changes to the profiles that are assigned to a virtual server are ignored if the /Common/remotedesktop and /Common/vdi profiles are already assigned to it. Some iApps that F5 provides to create Citrix or VMware View configurations assign those profiles to a virtual server.

Conditions:
/Common/remotedesktop and /Common/vdi profiles are assigned to a virtual server.

Impact:
Changes to the profiles assigned to a virtual server (adding a new profile, deleting a profile, changing existing profiles) have no effect until either of these occurs: the /Common/vdi profile is removed from the virtual server, or tmm is restarted.

Workaround:
Use tmsh to remove /Common/vdi from the profiles for the virtual server.
(There is no option in the GUI that allows you to do this.)

Fix:
The /Common/remotedesktop and /Common/vdi profiles can be assigned to a virtual server without affecting other profiles.


544980-1 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.

Component: TMOS

Symptoms:
The size of /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.

Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.

Impact:
Not enough space in /var.

Workaround:
In the current volume:

1. Modify global_attributes file.
* The global_attributes file is located in /shared/.tmi_config; edit it with vi.

From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

2. Install version.

3. Restore the original value in the global_attributes file.

4. Switchboot to newly installed volume.

5. To resize /var to 3 GB, run the following command from tmsh:
modify /sys disk directory /var new-size 3145728

6. Reboot.

Fix:
BIG-IP Virtual Edition now has 3GB of disk space for the /var software partition when deploying from OVA for the Better or Best license bundle


544913-2 : tmm core while logging from TMM during failover

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server when an HA failover occurs.

Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over. The crash occurs on the HA member which was the Primary member prior to the failover.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.


544831 : ASM REST: PATCH to custom signature set's attackTypeReference are ignored

Component: Application Security Manager

Symptoms:
When trying to update filter/attackTypeReference for a User-Defined Filter-Based Signature Set (/mgmt/tm/asm/signature-set/<ID>), the PATCH call completes successfully, but the change never occurred.

Conditions:
Using the REST API, a user tries to update filter/attackTypeReference for a User-Defined Filter-Based Signature Set (/mgmt/tm/asm/signature-set/<ID>)

Impact:
The PATCH call completes successfully, but the change never occurred. This may result in the Signature Set not containing the expected signatures.

Workaround:
The bug only exists via the REST API, the GUI can be used to change this value.

Fix:
The attackTypeReference field is now correctly updated using a REST PATCH.


544481-4 : IPSEC Tunnel fails for more than one minute randomly.

Component: TMOS

Symptoms:
IPsec IKEv1: a DPD ACK may be dropped during excessive DPD message exchange. This causes the IPsec tunnel to fail.

Conditions:
Excessive DPD message exchange.

Impact:
Connection resets.

Workaround:
None.

Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.


544375-2 : Unable to load certificate/key pair

Component: Local Traffic Manager

Symptoms:
After creating SSL profile, 'could not load key/certificate file' appears in /var/log/ltm with profile name. Unable to connect to virtual with SSL profile.

Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.

Impact:
Unable to load certificate.

Workaround:
None.

Fix:
Can now load certificates with sha1WithRSA or dsaWithSHA1_2 signature algorithm.


544325-2 : BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).

Component: Local Traffic Manager

Symptoms:
A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms:

-- Client applications may not respond or appear to hang.
-- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system.

Conditions:
This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable.

Impact:
In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back an ICMP Destination Unreachable message with code 13 ('communication administratively prohibited') instead of code 3.

Workaround:
None.

Fix:
LTM now sends back an ICMP Destination Unreachable message Code 3 (port unreachable), which is expected behavior.

Behavior Change:
In version 11.2.1 and earlier, the system responded with an ICMP Destination Unreachable packet with code 3 ('port unreachable') when a UDP virtual server had no available pool members. For the same scenario in versions 11.3.0 through 11.4.1, the system sends no ICMP packet. In versions 11.5.0 up to this hotfix/release, the system sends an ICMP Destination Unreachable packet with code 13 ('communication administratively prohibited').

In this hotfix/release, the 11.2.1 behavior is restored: the system responds with an ICMP Destination Unreachable packet with code 3 ('port unreachable').
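When checking which of the three behaviors a given build shows, the distinguishing detail is the ICMP code inside a type 3 (Destination Unreachable) message, plus the quoted inner IP/UDP header that says which virtual server and port the message refers to. The decoder below is an added example, not part of the release note or of any F5 tooling: it parses an ICMPv4 Destination Unreachable message from raw bytes (as extracted from a capture), verifies the checksum, and names the code. The packet builder exists only to construct test input; addresses and ports in it are made up.

```python
"""Decode an ICMPv4 Destination Unreachable message (RFC 792) from raw bytes."""
import socket
import struct

# Destination Unreachable codes that matter for this entry (RFC 792 / RFC 1812).
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_unreachable(icmp: bytes) -> dict:
    """Parse type/code and the quoted inner IPv4 + UDP header."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    typ, code, _chk = struct.unpack("!BBH", icmp[:4])
    if typ != 3:
        raise ValueError("not Destination Unreachable (type %d)" % typ)
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                       # original datagram's IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])   # the virtual server address the client hit
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "reason": UNREACHABLE_CODES.get(code, "unknown"),
            "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def build_unreachable(code: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample (for testing only): ICMP header + minimal inner IPv4/UDP."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)
    body = struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_udp
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


if __name__ == "__main__":
    sample = build_unreachable(13, "10.0.0.5", "198.51.100.10", 40000, 53)
    print(decode_unreachable(sample))
```

In a tcpdump capture the same two cases appear as "udp port 53 unreachable" (code 3) and "admin prohibited filter" (code 13); a client stack treats only the former as a hard error for the socket, which is why code 13 left applications appearing to hang.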


544028-3 : Verified Accept counter 'verified_accept_connections' might underflow.

Component: Local Traffic Manager

Symptoms:
Verified Accept counter 'verified_accept_connections' might underflow.

Conditions:
When the verified accept setting on a TCP profile is changed for an active virtual server.

Impact:
When the counter underflows, new connections on any verified-accept enabled virtual server are dropped. The counter will never recover.

Workaround:
Avoid changing the verified accept setting on a TCP profile for an active virtual server.

Fix:
This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.


543993-4 : Serverside connections may fail to detach when using the HTTP and OneConnect profiles

Component: Local Traffic Manager

Symptoms:
Serverside connection does not detach when using OneConnect profile

Conditions:
An HTTP/1.1 response without Content-Length header is received in response to an HTTP/1.0 HEAD request

Impact:
HTTP requests on the same connection are not load balanced across pool members.

Workaround:
Remove OneConnect profile

Fix:
Ensure serverside detachment when handling HTTP responses to HEAD requests.
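The underlying protocol rule is that a response to a HEAD request never has a body, whatever Content-Length or Transfer-Encoding says (RFC 7230 section 3.3.3); a proxy that instead falls through to "read until close" keeps the server-side connection pinned and cannot detach it for OneConnect reuse. The function below is an added example (not F5 code) implementing the full RFC 7230 message-length decision, with a second function modelling the defect as assumed here: the HEAD rule skipped so that a response with no Content-Length is framed by connection close.

```python
"""Decide how an HTTP/1.x response body is delimited (RFC 7230 section 3.3.3)."""
from typing import Dict, Tuple


def body_framing(method: str, status: int, headers: Dict[str, str]) -> Tuple[str, int]:
    """Return ("none", 0), ("length", n), ("chunked", 0) or ("close", 0).

    "close" means the proxy must hold the server-side connection until the
    server closes it, which is exactly what prevents detachment for reuse.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # 1. Responses to HEAD, and 1xx/204/304 responses, never carry a body.
    if method.upper() == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return ("none", 0)
    # 2. Transfer-Encoding takes precedence over Content-Length when both exist.
    te = h.get("transfer-encoding")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",")]
        if codings[-1] == "chunked":
            return ("chunked", 0)
        return ("close", 0)                  # unknown final coding: read to close
    # 3. A single well-formed Content-Length gives the exact body length.
    cl = h.get("content-length")
    if cl is not None:
        values = {v.strip() for v in cl.split(",")}
        if len(values) != 1:
            raise ValueError("conflicting Content-Length values")
        n = values.pop()
        if not (n.isascii() and n.isdigit()):
            raise ValueError("malformed Content-Length")
        return ("length", int(n))
    # 4. Otherwise the body is delimited by connection close.
    return ("close", 0)


def buggy_body_framing(method: str, status: int, headers: Dict[str, str]) -> Tuple[str, int]:
    """Assumed model of the defect in this entry: the HEAD rule is ignored."""
    return body_framing("GET", status, headers)
```

With the buggy model, an HTTP/1.1 response to a HEAD request that carries no Content-Length is framed as "close", so the server-side flow is never released; the correct function returns "none" for every HEAD response and the connection can be detached immediately after the headers.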


543220-3 : Global traffic statistics does not include PVA statistics

Component: Local Traffic Manager

Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.

Conditions:
Hardware acceleration enabled.

Impact:
Statistics discrepancy in global traffic statistics.

Workaround:
None.

Fix:
Global traffic statistics now includes the correct PVA statistics in the GUI and in TMSH.


542898 : Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0

Component: TMOS

Symptoms:
After installing a new Virtual Edition software instance and booting into it, disk partition /var shows 100%

Conditions:
Virtual Edition only

Impact:
System is generally un-usable; applications cannot operate without space in /var.

Workaround:
1) reboot into the previous software location

2) delete the new software location that is non-functional

3) remove this file:
/shared/.tmi_config/global_attributes

4) install the new software again.

Fix:
After applying the fix, subsequent operations that install new software size the /var filesystem appropriately.


542860-5 : TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event

Component: TMOS

Symptoms:
TMM can crash and dump core when IPsec SAs are deleted using tmsh or the racoonctl utility during an HA Active-to-Standby or Standby-to-Active transition.

Conditions:
Using tmsh or the racoonctl utility to delete IPsec SAs during an HA Active-to-Standby (or Standby-to-Active) event can crash TMM. This is a race condition and occurs rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Deleting IPsec SAs with tmsh or the racoonctl utility during an HA Active-to-Standby (or Standby-to-Active) event no longer crashes TMM; the SAs are deleted as requested.


542742-3 : SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Component: TMOS

Symptoms:
SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Conditions:
Querying the OIDs.

Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.

Workaround:
There is no known workaround.

Fix:
SNMP now reports valid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).


542654 : bigd may experience a heartbeat failure when tcp-half-open monitors are used

Component: Local Traffic Manager

Symptoms:
bigd generates a core file and restarts. The system writes a message to /var/log/ltm that is similar to the following: notice sod[6504]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.

Conditions:
tcp-half-open monitors are in use.

Impact:
bigd restarts and there is an interruption in monitoring.

Workaround:
There is no workaround; the issue has been seen extremely rarely.


542511-1 : 'Unhandled keyword ()' error message in GUI and/or various ASM logs

Component: Application Security Manager

Symptoms:
'Unhandled keyword ()' error message may appear in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log.
In the learning manager, the error causes the process to crash; it restarts about 15 seconds later.

Conditions:
ASM provisioned.
Session Awareness Tracking is enabled.

Impact:
Uninformative errors in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log.
Learning manager process restart.

Workaround:
None.

Fix:
Learning manager now handles the 'Unhandled keyword ()' exception in a graceful manner and does not crash.


542320 : no login name may appear when running ssh commands through management port

Component: TMOS

Symptoms:
ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'" displays "logname: no login name"

Conditions:
Running tmsh through a non-interactive SSH command on the management port, as in the command shown in Symptoms.

Impact:
Display issue

Fix:
Properly display login name


542314-7 : TCP vulnerability - CVE-2015-8099

Vulnerability Solution Article: K35358312


541549-3 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.

Component: TMOS

Symptoms:
The default setting of an AMI is not to delete an attached volume when the instance is terminated. This requires extra effort to delete the volume manually after terminating the instance; if this is not done consistently, the orphaned volumes incur extra charges.

Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.

Impact:
Volumes attached to BIG-IP VE instances are now deleted automatically when the instance is terminated; this is the default. If you want to keep a volume after terminating a BIG-IP VE instance, set it to not be deleted upon termination during instance launch in the AWS console.

Workaround:
None.

Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.


541316-5 : Unexpected transition from Forced Offline to Standby to Active

Component: TMOS

Symptoms:
If a BIG-IP configuration is reset to default, and then restored from a saved UCS that was taken while the system was Forced Offline, the system will be restored to the Forced Offline state, but the state may not persist across reboots.

Conditions:
Restore a saved UCS that was created while the BIG-IP system was Forced Offline.

Impact:
System may unexpectedly go Active after a reboot.

Workaround:
None.

Fix:
Device forced offline remains forced offline after restoring a UCS and rebooting.


541231-1 : Resolution of multiple curl vulnerabilities

Vulnerability Solution Article: K16704 K16707


541156-3 : Network Access clients experience delays when resolving a host

Component: Access Policy Manager

Symptoms:
The DNS Relay proxy for Network Access clients operating in split-tunnel mode intercepts a client's DNS request for a non-matching host and will forward it to the client's local DNS server. If the client contains multiple NICs, one containing a down or invalid DNS server, this could cause a delay in resolving the host.

Conditions:
Network Access with the DNS Relay Proxy configured
A client machine has multiple NICs
One of the NICs has an invalid or down DNS server configured
Client attempts to resolve a host not matching the Network Access policy

Impact:
Clients will experience unusual delays (10+ seconds) when resolving hosts.

Workaround:
Clients can check their system setup and remove the affected interfaces that contain an invalid DNS server (virtual machine network adapters are becoming increasingly common and can exhibit this), or they can ensure that they are mapped only to valid DNS servers that can resolve the host.

Fix:
The DNS Relay proxy will now avoid sending DNS requests to down DNS servers for DNS requests that do not match the Network Access policy while Network Access is connected.


541134-3 : HTTP/HTTPS monitors transmit unexpected data to monitored node.

Component: Local Traffic Manager

Symptoms:
HTTP/HTTPS monitors send unexpected data (CRLFCRLF) after completion of the TCP and/or SSL handshake.

Conditions:
HTTP/HTTPS monitor with a send attribute set to 'none'. HTTP/HTTPS monitors with a 'none' send string should complete the TCP handshake(+SSL handshake) and then close the connection without sending any data.

Impact:
A monitor configured with a 'none' send string sends a 4-byte string, \r\n\r\n (CRLFCRLF), after completing the handshake. If the monitored node does not tolerate this unexpected data, the node might be marked down.

Workaround:
None.

Fix:
HTTP/HTTPS monitor no longer transmits any L7 data when send attribute is set to 'none'.
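To verify on a test node that a monitor with send 'none' really transmits nothing after the handshake, a throwaway listener that records every byte received until the peer closes is enough. The script below is an added example (not F5 code and not part of this release note): point a plain HTTP monitor at the listening port, then inspect what was captured. The local-host address and the simulated client used for testing are assumptions; for an HTTPS monitor the listener would additionally need to terminate TLS, which this example does not do.

```python
"""Capture what a monitor sends after the TCP handshake completes."""
import socket
import threading


def capture_one_probe(port: int = 0, timeout: float = 10.0):
    """Listen once on 127.0.0.1 and return (listen_port, thread, result).

    result["data"] ends up holding every byte received before the peer closed;
    for a monitor with send 'none' it must be b"".
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    srv.settimeout(timeout)
    listen_port = srv.getsockname()[1]
    result = {"data": b"", "peer": None, "error": None}

    def run():
        try:
            conn, peer = srv.accept()
            result["peer"] = peer
            conn.settimeout(timeout)
            with conn:
                while True:            # read until the monitor closes its side
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    result["data"] += chunk
        except Exception as exc:       # accept/recv timeout or a reset
            result["error"] = repr(exc)
        finally:
            srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return listen_port, t, result


def describe(data: bytes) -> str:
    """Name the observed behaviour in the terms of this entry."""
    if data == b"":
        return "no L7 data (correct for send 'none')"
    if data == b"\r\n\r\n":
        return "4-byte CRLFCRLF sent after the handshake (the bug in this entry)"
    return "unexpected data: %r" % (data,)


def simulate_monitor(port: int, payload: bytes = b"") -> None:
    """Stand-in for the monitor: handshake, optionally send payload, close."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        if payload:
            c.sendall(payload)


if __name__ == "__main__":
    port, worker, captured = capture_one_probe(port=8080, timeout=60.0)
    print("waiting for one monitor probe on 127.0.0.1:%d" % port)
    worker.join()
    print("from", captured["peer"], "->", describe(captured["data"]))
```

On a real node, the same observation is available from a packet capture filtered on the monitor's source address: with the fix, the only segments after the handshake are the FIN/ACK close sequence.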


541126-1 : Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed

Component: Local Traffic Manager

Symptoms:
netHSM usage may fail for Safenet users with error message in the ltm log similar to the following:
warning tmm1[11930]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:9678: sign_srvkeyxchg (80).
info tmm1[11930]: 01260013:6: SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.
warning pkcs11d[12005]: 01680022:4: Crypto operation [2] failed.
crit tmm1[11930]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 56 status: 0x1 : Cancel.

Conditions:
This may happen for any of the following conditions:
-- Restart pkcs11d without starting tmm immediately after.
-- Network connection between the BIG-IP and HSM is interrupted and then restored.
-- HSM is rebooted without being followed by a restart to pkcs11d and tmm.

Impact:
SSL handshake failure with a message similar to the following:

SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.

Workaround:
For Safenet, always restart tmm after restarting pkcs11d. To do so, run the following commands:
bigstart restart pkcs11d
bigstart restart tmm

When the networking to HSM is restored or after a HSM reboot, always run the following commands:
bigstart restart pkcs11d
bigstart restart tmm

Fix:
After restarting pkcs11d, Safenet connections no longer fails with the message 'cannot locate key'.


540996-4 : Monitors with a send attribute set to 'none' are lost on save

Component: TMOS

Symptoms:
Monitors that have a send, recv, or recv-disable attribute set to 'none' are lost on configuration save.

Impact:
Monitor may send unexpected string.

Workaround:
None.

Fix:
Monitor send, recv, and recv-disable attributes now retains a 'none' value on configuration save.


540893-3 : Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.

Component: Local Traffic Manager

Symptoms:
Flows for a syncookie-enabled listener might occasionally receive a RST after responding correctly to a syncookie challenge.

Conditions:
-- Fast Flow Forwarding is enabled.

-- At least one tmm thread is heavily loaded but has not reached its syncookie thresholds, while at least one tmm thread is less heavily loaded but has met its syncookie threshold.

Impact:
Occasional clients take an incorrect path and have their valid syncookie ACKs rejected with a TCP RST and must retry.

Workaround:
Set db variable tmm.ffwd.enable = false.

Doing this may modestly reduce peak performance on CPU bound loads.

Fix:
Fixed occasional RST in response to valid syncookie ACKs when under uneven load.


540849-4 : BIND vulnerability CVE-2015-5986

Vulnerability Solution Article: K17227


540846-4 : BIND vulnerability CVE-2015-5722

Vulnerability Solution Article: K17181


540778 : Multiple SIGSEGV with core and failover with no logged indicator

Component: Access Policy Manager

Symptoms:
A multimodule HA pair under high load experiences 3 failover events.

Conditions:
Configure HA pair for GBB multimodule testing (AFM, ASM, APM, GTM, LTM) and apply high concurrent load.

Impact:
Instability in HA. The current HA config under test has not had a unit remain active for more than ~12 hours.

Workaround:
None.

Fix:
Memory obtained with umem_alloc is now freed using the same length that was used for the allocation.


540767-1 : SNMP vulnerability CVE-2015-5621

Vulnerability Solution Article: K17378


540638 : GUI Device Management Overview to display device_trust_group

Component: TMOS

Symptoms:
The Device Management Overview page is displaying a blank page in the Device Groups panel.

Conditions:
No special condition is required.

Impact:
The Device Management Overview page does not display any information. This might be especially confusing when devices are not in sync.

Workaround:
None.

Fix:
Device Management Overview page now displays the device and device group details in the Device Groups panel.


540576-2 : big3d may fail to install on systems configured with an SSH banner

Component: Global Traffic Manager

Symptoms:
When a BIG-IP system is configured to display a banner at SSH login, big3d_install may be unable to update the big3d daemon on that device.

Conditions:
sshd banner enabled.

Impact:
big3d_install fails to install big3d on the target remote BIG-IP system.

Workaround:
1. Disable the SSH banner on the target device:
tmsh modify /sys sshd banner disabled

2. Add the target:
bigip_add target_name

3. Re-enable the SSH banner:
tmsh modify /sys sshd banner enabled

Fix:
big3d now installs correctly on systems configured with an SSH banner.


540571-4 : TMM cores when multicast address is set as destination IP via iRules and LSN is configured

Component: Carrier-Grade NAT

Symptoms:
TMM may core when an iRule changes the destination address of a connection to use a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route with no interface designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface.

Conditions:
- CGNAT enabled and LSN pools configured on active virtual server that accepts traffic.
- On the same virtual server, an iRule is configured that changes the destination IP to a multicast address in the 224.0.0.0/24 network.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are two workarounds:
-- Remove the offending iRule that is sending traffic to the 224.0.0.0/24 network.
-- Prevent traffic from using that destination in the iRule.

Fix:
TMM no longer cores when multicast address is set as destination IP via iRules and LSN is configured. Now, the system fails connections when the route's IFC is null, which is correct behavior.


540568-4 : TMM core due to SIGSEGV

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed an intermittent tmm core related to Bug 540571.


540484-4 : "show sys pptp-call-info" command can cause tmm crash

Component: Carrier-Grade NAT

Symptoms:
Core when "show sys pptp-call-info" is called.

Conditions:
On a BIG-IP system with a FastL4 virtual server forwarding PPTP GRE traffic, the tmsh "show sys pptp-call-info" command can crash TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not issue "show sys pptp-call-info" command on BIG-IP forwarding PPTP GRE traffic.

Fix:
Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server.


540473-5 : peer/clientside/serverside script with parking command may cause tmm to core.

Component: Local Traffic Manager

Symptoms:
When the peer/clientside/serverside iRule contains parking commands, or in NTLM profiles (which utilize parking commands), tmm might core upon connection reuse.

Conditions:
1. The iRule used in peer/clientside/serverside contains a parking command.

2. The connection is reused. This might occur in OneConnect configurations, for example.

In configurations that do not have parking iRule commands, this issue might also occur when the NTLM profile is in use, as the NTLM profile also utilizes parking. Note: The NTLM profile might be deployed automatically if you are using a SharePoint iApp.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use parking commands in cases where the system might reuse the connection. If the issue occurs with the NTLM profile, do not use the NTLM profile, if possible.

Fix:
When the peer/clientside/serverside iRule contains parking commands, or when using NTLM profiles that utilize parking commands, tmm no longer cores upon connection reuse.


540424-1 : ASM REST: DESC modifier for $orderby option does not affect results

Component: Application Security Manager

Symptoms:
Collections returned from the REST API can be sorted by a field using the $orderby OData parameter. The default sort order is ascending, and a "DESC" modifier is meant to sort in descending order, but the "DESC" modifier has no effect on the sort order.

Conditions:
ASM REST API is used to retrieve a collection with the elements sorted by a field's value in descending order.

Impact:
The collection is always returned in ascending sort order even if descending order was requested.

Workaround:
None.

Fix:
The DESC operator is now honored for the $orderby ODATA parameter on ASM REST API requests.


540390-1 : ASM REST: Attack Signature Update cannot roll back to older attack signatures

Component: Application Security Manager

Symptoms:
There is no way to roll back to an older attack signature update using the REST interface

Conditions:
REST is used to manage Attack Signature Updates on a BIG-IP device, and an older version than the currently installed file is desired to be installed.

Impact:
REST clients have no way to fully manage Attack Signature Updates for the BIG-IP

Workaround:
The GUI can be used to roll back to an earlier version

Fix:
The REST API now includes support for the "allowOlderTimestamp" field to the update-signatures task in order to allow rolling back to an older attack signature update using the REST interface.

POST https://<host>/mgmt/tm/asm/tasks/update-signatures/
{
  "allowOlderTimestamp": true,
  <Rest of body as usual>
}


540213-4 : mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary

Component: Local Traffic Manager

Symptoms:
When a secondary blade's mcpd starts up, it may restart continually and fail to load the configuration received from the primary blade. The easiest way to reproduce this is to insert a new blade into an existing running cluster.

This happens when an IPv4 link-local self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default).

Such self IPs can only be created by first enabling the DB variable, creating the object, and then disabling the DB variable again.

Conditions:
This happens only on MCP startup on secondary blades, when a link local IPv4 self IP is configured, and when the DB variable config.allow.rfc3927 is set to disabled (which is the default).

Impact:
Secondary blade will not become part of the cluster and will not be able to process traffic. Continual log messages will show up on existing blades announcing that mcpd is continually restarting.

Workaround:
Enable the config.allow.rfc3927 DB variable on the primary to suspend this validation.

Fix:
When a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default), mcpd would previously fail to start on a newly inserted secondary blade. This no longer occurs.


539923-2 : BIG-IP APM access logs vulnerability CVE-2016-1497

Vulnerability Solution Article: K31925518


539822-1 : tmm may leak connflow and memory on vCMP guest.

Component: TMOS

Symptoms:
tmm may leak connflow and memory on vCMP guests.

Conditions:
This occurs on a vCMP guest when only one tmm is provisioned on the blade.

Impact:
tmm leaks memory and might eventually crash from an out-of-memory condition.

Workaround:
Provision more than one tmm.

Fix:
tmm no longer leaks connflows and memory on vCMP guests when only one tmm is provisioned.


539784-2 : HA daemon_heartbeat mcpd fails on load sys config

Component: TMOS

Symptoms:
A particular stage of validation can take longer than the ha-daemon heartbeat interval, and while nothing is actually wrong, the system responds as if there is an unresponsive daemon, so the system restarts it.

Conditions:
iRules must be present in the configuration that the system is loading.

Impact:
MCPd restarts.

Workaround:
On the BIG-IP system, run the command: tmsh mod sys daemon-ha mcpd heartbeat disabled.

Fix:
Added additional heartbeats during validation, so HA daemon_heartbeat mcpd no longer fails on load sys config.


539466-3 : Cannot use self-link URI in iControl REST calls with gtm topology

Component: Global Traffic Manager

Symptoms:
The self-link URI cannot be used in iControl REST calls with gtm topology.

Conditions:
User issues iControl REST commands for gtm topology that include the self-link URI.

Impact:
The given command is not executed and the system posts the following error message: "Topologies must specify both regions: ldns: server:".

Workaround:
Do not use the self-link in iControl REST commands with gtm topology.

Fix:
You can now use self-link URI in gtm topology-related iControl REST commands.

Be sure to format the gtm topology OID string using the following rules:

1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.

For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC"
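The two formatting rules above are easy to get wrong by hand. As an added example (not F5 code), the following helper builds a topology OID string in the canonical form and re-emits a sloppily spaced one; the list of item types and the helper names are assumptions drawn from the tmsh gtm topology syntax, not from this page.

```python
import re

# Item types whose value names a GTM configuration object and must therefore
# be fully pathed (rule 2 in the fix for 539466-3). Continent, country, state
# and subnet values are literals and are left alone. This set is an assumption.
PATHED_TYPES = {"datacenter", "isp", "region", "pool"}
KNOWN_TYPES = PATHED_TYPES | {"continent", "country", "state", "subnet"}

# One side of a record, e.g. "ldns: subnet 11.11.11.0/24", matched loosely
# so that extra spaces or tabs in the input can be normalized away.
_SIDE = re.compile(r"^\s*(ldns|server):\s*(\S+)\s+(\S+)\s*$")


def _check_item(item_type, value):
    """Validate one 'type value' item and return it with single spacing."""
    if item_type not in KNOWN_TYPES:
        raise ValueError(f"unknown topology item type: {item_type!r}")
    if item_type in PATHED_TYPES and not value.startswith("/"):
        raise ValueError(
            f"{item_type} {value!r} must be fully pathed, e.g. /Common/{value}")
    return f"{item_type} {value}"


def format_topology(ldns_type, ldns_value, server_type, server_value):
    """Return a canonical topology OID string: single spaces, pathed names."""
    return (f"ldns: {_check_item(ldns_type, ldns_value)} "
            f"server: {_check_item(server_type, server_value)}")


def normalize_topology(raw):
    """Re-emit a possibly sloppy topology string in canonical form.

    Extra whitespace between items is collapsed to a single space (rule 1);
    an unpathed object name is rejected rather than silently passed on.
    """
    # Split "ldns: ... server: ..." into its two halves regardless of spacing.
    parts = re.match(r"^\s*(ldns:.*?)\s+(server:.*)$", raw, re.S)
    if not parts:
        raise ValueError("topology string must contain 'ldns:' then 'server:'")
    sides = [_SIDE.match(side) for side in parts.groups()]
    if not all(sides):
        raise ValueError(f"malformed topology string: {raw!r}")
    (_, lt, lv), (_, st, sv) = (side.groups() for side in sides)
    return format_topology(lt, lv, st, sv)


if __name__ == "__main__":
    # Constructed input with stray tabs and double spaces.
    print(normalize_topology(
        "ldns:  subnet   11.11.11.0/24\tserver: datacenter  /Common/DC"))
```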


539270-2 : A specific NTLM client fails to authenticate with BIG-IP

Component: Access Policy Manager

Symptoms:
A specific NTLM client (such as Android Lync 2013) fails to authenticate with BIG-IP because it sends a particular NTLMSSP_NEGOTIATE message that BIG-IP cannot parse properly, so BIG-IP throws an error. This effectively stops the authentication process, and this particular client never completes authentication.

Conditions:
Specific NTLM client. It is not clear whether this issue affects a particular version of Android Lync 2013 or a particular Android version.

Impact:
The client cannot complete authentication and is therefore not allowed to access protected resources.

Workaround:
No workaround exists for the affected clients.

Fix:
The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate.


539229-4 : EAM core while using Oracle Access Manager

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
This event can be triggered while using the Oracle Access Manager.

Impact:
An unhandled exception causes EAM to core, with a possible access outage.

Workaround:
No workaround

Fix:
EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used.


539130-7 : bigd may crash due to a heartbeat timeout

Component: Local Traffic Manager

Symptoms:
bigd crashes and generates a core file.

The system logs entries in /var/log/ltm that are similar to the following: sod[5853]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.

This issue is more likely to occur if /var/log/ltm contains entries similar to the following: info bigd[5947]: reap_child: child process PID = 9198 exited with signal = 9.

Conditions:
External monitors that run for a long time and are killed by the next iteration of the monitor. For example, the LTM external monitor 'sample_monitor' contains logic to kill a running monitor if it runs too long.

Impact:
bigd crashes and generates a core file. Monitoring is interrupted.

Workaround:
None.

Fix:
External monitors that run for a long time and are killed by the next iteration of the monitor now recover without bigd crashing and generating a core file.

Behavior Change:
bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled) rather than in /var/log/ltm. This allows the logging to be controllable.

Successful command exits are also logged for completeness, since these log messages appear only when debugging is enabled.


539125-1 : SNMP: ifXTable walk should produce the available counter values instead of zero

Component: TMOS

Symptoms:
The SNMP ifXTable presents zeros for the attributes hc_in_multicast_pkts and hc_out_multicast_pkts. However, this data is available on the BIG-IP and should be presented.

Conditions:
snmpwalk the ifTable and the ifXTable. The ifTable shows Counter32 values for attributes in_multicast_pkts and out_multicast_pkts, but the ifXTable shows zeros for the Counter64 equivalent attributes hc_in_multicast_pkts and hc_out_multicast_pkts (except for vlans, which are correct).

Impact:
Inability to characterize/view counts for the above-referenced multicast packets via SNMP.

Fix:
The snmp walk described in the Symptom/Known issues field gives meaningful results after application of this hotfix.


539013-2 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Microsoft Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- Running Microsoft Windows version 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.

Fix:
DNS resolution now works after the VPN connection is established on a Windows 10 desktop with multiple NICs, one of which is in a disconnected state and has a statically assigned IPv4 configuration.


538761-1 : scriptd may core when MCP connection is lost

Component: TMOS

Symptoms:
When scriptd loses its MCP connection, scriptd may core.

Conditions:
Unknown. Only known to reproduce in an F5 internal test.

Impact:
None known.

Fix:
A possible case of scriptd dumping core has been fixed.


538708-2 : TMM may apply SYN cookie validation to packets before generating any SYN cookies

Component: Local Traffic Manager

Symptoms:
SYN cookie validation is applied when SYN cookies are not active.

Conditions:
- The internal TMM clock has overflowed and is near 0.
- An ACK packet has been received that does not match an existing connection flow.

Impact:
Validation can be applied to a listener/proxy that does not support SYN cookies, which can lead to a tmm core.

Fix:
SYN cookie validation will not be applied if SYN cookies have not been activated.


538603-3 : TMM core file on pool member down with rate limit configured

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.

Conditions:
This occurs when the following conditions are met:
- service-down-action reselect.
- rate limit specified.
- traffic load balanced to pool members.
- traffic is over the rate for all pool members.
- all pool members go down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove rate-limit configuration.

Fix:
TMM no longer produces a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.


538255-2 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a BIG-IP 2000 or 4000 platform might experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


538195-5 : Incremental Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration.
This precluded the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in an Incremental Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older configuration and then push the changes to the peer.

Fix:
Older ASM configurations can now be pushed to a peer in an incremental sync manual device group.


538133-1 : Only one action per sensor is displayed in sensor_limit_table and system_check

Component: TMOS

Symptoms:
A list of sensors is displayed in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit. On the affected versions, each sensor item is displayed only once, even if multiple limits and actions are defined for the sensor. Additional limits and actions defined for the sensor are not displayed.

Conditions:
This problem occurs when the affected version of the BIG-IP software is running on the following hardware platforms:
BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances and VIPRION B2100, B2150, B2250 blades.

Impact:
The system does not show the complete set of defined sensor limits and corresponding BIG-IP system actions when there are multiple limits and actions defined. Only one action is displayed for each sensor.
The system_check utility will only evaluate sensor measurements against limits that appear in its sensor limit tables. Missing sensor limits will not be evaluated, and corresponding alerts will not be issued.

Workaround:
None.

Fix:
The system now shows a list of sensors in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit.


537988-3 : Buffer overflow for large session messages

Component: Local Traffic Manager

Symptoms:
A system with multiple blades may crash when configured with functionality that utilizes SessionDB.

Conditions:
On a multi-blade machine, send an MPI message larger than 64K between blades (typically a session message).

Impact:
Core or potential data corruption.

Workaround:
None.

Fix:
There is no longer a buffer overflow for large session messages.


537964-3 : Monitor instances may not get deleted during configuration merge load

Component: Local Traffic Manager

Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted.

This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following:

err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.

Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.

Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:

1. Save and re-load the configuration to correct the incorrect information in mcpd:

    tmsh save sys config partitions all && tmsh load sys config partitions all

2. Restart bigd:

    On an appliance:
    bigstart restart bigd

    On a chassis:
    clsh bigstart restart bigd

Fix:
Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.


537614-2 : Machine certificate checker fails to use Machine cert check service if Windows has certain display languages

Component: Access Policy Manager

Symptoms:
The machine certificate checker agent fails to use the machine certificate checker service if Windows has a certain display language, for example Polish.

In the failing case, the logs contain:
2015-08-04,18:37:59:042, 924,756,, 1, , 330, CCertCheckCtrl::CheckPrivateKey, EXCEPTION caught: CCertCheckCtrl::CheckPrivateKey - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 85, UCredMgrService::RpcConnect, EXCEPTION - Failed to set binding handle's authentication, authorization and security QOS info (RPC_STATUS: 1332)
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 88, RPCConnector::Connect, EXCEPTION caught: UCredMgrService::RpcConnect - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \MCClient.h, 86, MCClient::Verify, Failed to perform PRC-call:error=1702

Conditions:
Windows with a non-English display language.
Machine certificate checker is supposed to use Machine Certificate Checker service

Impact:
The machine certificate check cannot be passed using the Machine Certificate Checker service.

Workaround:
Switch display language to English.

Fix:
Machine certificate checker service works now with a display language other than English.


537553-3 : tmm might crash after modifying virtual server SSL profiles in SNI configuration

Component: Local Traffic Manager

Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:

-- BIG-IP system sends an invalid memory access segmentation fault (SIGSEGV) or floating point error (SIGFPE) signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed

Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Making SSL profile configuration changes now completes successfully.


537435-4 : Monpd might core if asking for export report by email while monpd is terminating

Component: Application Visibility and Reporting

Symptoms:
Core file is created by monpd if you try to export a report by email while monpd is terminating.

Conditions:
Very rare case: if a user asks to export a report by email in the middle of monpd's graceful termination (due to a restart or another reason), monpd dumps core instead of terminating gracefully.

Impact:
None

Workaround:
Fixed the code to avoid this behavior.

Fix:
Exporting a report by email in the middle of monpd's graceful termination (due to restart or other reason) will no longer cause a core dump.


537326-4 : NAT available in DNS section but config load fails with standalone license

Component: Local Traffic Manager

Symptoms:
config load fails with error:
01070356:3: NAT feature not licensed.
Unexpected Error: Loading configuration process failed.

Conditions:
A NAT object is created on a box with a GTM/LC standalone license.

Impact:
config fails to load.

Workaround:
none.

Fix:
Configuration loading no longer fails with a NAT in DNS section.


537227-6 : EdgeClient may crash if special Network Access configuration is used

Component: Access Policy Manager

Symptoms:
EdgeClient crashes during the connect or disconnect process. The exact timing varies.

Conditions:
EdgeClient may crash if the Network Access configuration includes:
- Full tunnel.
- Allow DHCP or Allow Local Subnets is used.
- There is a proxy between the client and APM.

Impact:
EdgeClient crashes prevent Network Access from working.

Workaround:
Remove one of the conditions that cause the crash.

Fix:
BIG-IP Edge Client now correctly processes particular Network Access configurations.


537000-3 : Installation of Edge Client can cause Windows 10 crash in some cases

Component: Access Policy Manager

Symptoms:
Connecting to an APM box that has support for Windows 10 can cause the OS to crash. After a reboot, the next attempt succeeds.

Conditions:
- Windows 10
- APM box supporting Windows 10
- The user installed the F5 VPN driver from an APM box that does not support Windows 10.

Impact:
The user can lose some data.

Workaround:
Before connecting, old VPN driver instances must be manually removed using Device Manager.

Fix:
Installation of BIG-IP Edge Client on Windows 10 does not cause system crash anymore.


536939-1 : Secondary blade may restart services if configuration elements are deleted using a * wildcard.

Component: TMOS

Symptoms:
In certain situations a chassis based system with more than one working blade may encounter service restart on the secondary blade.

Conditions:
- Chassis system with 2 or more working blades.
- Configuration to be deleted via tmsh using a wildcard. For instance: tmsh delete ltm virtual test*

Impact:
Services will restart on the secondary blade.

Workaround:
Do not use * wildcards with tmsh when deleting configuration elements on a chassis system.

Fix:
Services no longer restart on a secondary blade when deleting configuration elements via tmsh using a * wildcard.


536868-2 : Packet Sizing Issues after Receipt of PMTU

Component: Local Traffic Manager

Symptoms:
TCP sends IP fragments in spite of PMTU message.

Conditions:
BIG-IP has received an ICMP PMTU message.

Impact:
IP fragmentation.

Workaround:
Set the MSS in the TCP profile sufficiently low to avoid inducing ICMP messages in the future.

Fix:
Properly process ICMP packets.


536746-2 : LTM : Virtual Address List page uses LTM : Nodes List search filter.

Component: TMOS

Symptoms:
The LTM : Virtual Address List page does not have its own filter but uses another object's filter, such as the Nodes List or Access Policy filter.

Conditions:
Specifying a search filter on the Nodes page and then navigating to the Virtual Address page.

Impact:
Displays an empty virtual server list or only the virtual address matching the node addresses.

Workaround:
Remove the filter on the LTM : Nodes List before viewing the LTM : Virtual Address List.

Fix:
Specifying a search filter on LTM : Nodes List no longer affects the output on LTM : Virtual Address List.

Virtual Address List now has its own fixed, general filter, and is not affected by filter settings on any other object.


536690-1 : Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)

Component: Local Traffic Manager

Symptoms:
When using features that require a process on the host to connect to a specific tmm within a chassis, those connections sometimes fail. This can result in improper behavior of the feature, such as failure to create sessions in APM.

Conditions:
Using a module and feature that requires host-tmm communication within a chassis.

Impact:
Possible service failure, such as disallowing entry to APM.

Workaround:
None.

Fix:
Host-to-tmm connections within a chassis no longer fail.


536683-1 : tmm crashes on "ACCESS::session data set -secure" in iRule

Component: Access Policy Manager

Symptoms:
You encounter a tmm crash when your configuration contains an iRule that uses "ACCESS::session data set -secure".

Conditions:
Use of "ACCESS::session data set -secure" in an iRule

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a crash related to the "ACCESS::session data set -secure" command


536575-2 : Session variable report can be blank in many cases

Component: Access Policy Manager

Symptoms:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, Per-App VPN, and other components, the Session Variable Report output can be blank.

Conditions:
On-Demand Cert Auth in an access policy.
DACL in access policy.
Per-App VPN access policy.

Probably others.

Impact:
The Session Variable report is empty.

Workaround:
Check the session variable using the sessiondump command.

Fix:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, or Per-App VPN, the Session Variable Report now shows session variables correctly.


536481-8 : F5 TCP vulnerability CVE-2015-8240

Vulnerability Solution Article: K06223540


536191-3 : Transparent inherited TCP monitors may fail on loading configuration

Component: Local Traffic Manager

Symptoms:
LTM monitor configuration may fail to reload from disk if the monitor name occurs alphabetically prior to the inherited-from monitor.

Conditions:
Monitor A inheriting from Monitor B, where both monitors are of type 'transparent'.

Impact:
Configuration from disk fails to load. System posts an error message similar to the following: 1070045:3: Monitor /Common/test1 type cannot have transparent attribute.
Unexpected Error: Loading configuration process failed.

Workaround:
Rename monitors so they occur in the required alphabetical order to support inheritance.

Fix:
Transparent inherited TCP monitors no longer fail on loading configuration.


535806-4 : Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE

Component: TMOS

Symptoms:
Not enough free disk space for live install of 12.0.0.

Conditions:
Initial install of BIG-IP VE GOOD 11.5.3. Upgrade to 12.0.0

Impact:
Unable to install 12.0.0 on 2nd slot.

Workaround:
Grow the virtual disk before installing 12.0.0.

Fix:
Increased the size of virtual disk so that there is enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE.


535544-7 : Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled

Component: TMOS

Symptoms:
Consider the listing of the ltm virtual vsach below.

The translate-port, translate-address properties are not listed. This implies that these properties are set to their default value of true. tmsh does not list default values. In case these are set to false, they will be listed.

(tmos)# list ltm virtual
ltm virtual vsach {
    destination 1.1.1.1:http
    mask 255.255.255.255
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    vs-index 3
}

Conditions:
Presence of an ltm virtual in the configuration with destination port any (for example, x.y.z.w:any) and translate-port enabled. When listing this ltm virtual, translate-port and translate-address are not displayed.

Impact:
Cannot know the actual value of virtual::translate-port, translate-address attributes until the workaround is applied.

Workaround:
Explicitly list the property:

(tmos)# list ltm virtual sach translate-port
ltm virtual vsach {
    translate-port enabled
}

Fix:
After this change, the above-mentioned properties are always listed, regardless of whether they have their default value.


535246 : Table values are not correctly cleaned and can occupy entire disk space.

Component: Application Visibility and Reporting

Symptoms:
AVR data in MySQL might grow to fill all disk space.

Conditions:
This might occur when the DNS table receives a large number of entries that are not evicted when they are no longer needed.

Impact:
MySQL stops responding. Site might experience down time due to full disk.

Workaround:
If you are monitoring disk space and AVR data takes more than 70% of the space, reset the AVR data by running the following commands in sequence:
-- touch /var/avr/init_avrdb
-- bigstart restart monpd

Fix:
In this release, the system handles AVR data in MySQL so that database size no longer grows beyond a certain point.


535188-5 : Response Pages custom content with \n instead of \r\n on policy import.

Component: Application Security Manager

Symptoms:
After importing a policy with custom content on the Default Response Page, new lines are changed from \r\n to \n, which should not happen.

Conditions:
1. Create New Policy.
2. Go to Security : Application Security : Policy : Response Pages
3. On Default Response Page, change Response Type to 'Custom Response'.
4. Add 'Enters' to the 'Response Body' and save it.
(for example:
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected.
 Please consult with your administrator.<br><br>Your support



 ID is: <%TS.request.ID()%></body></html>).
5. View the REST state of the response page and see that the new lines are represented by '\r\n'.
6. Export the policy to XML.
7. Import the policy back (replace the old policy).
8. The 'new lines' in the content of the response page are now represented by '\n' instead of '\r\n'.

Impact:
After importing a policy with custom content on the Default Response Page, new lines are changed from \r\n to \n, which should not happen.

Workaround:
In the GUI, go to Security : Application Security : Policy : Response Pages, remove and re-add the 'Enters', and click 'Save' for the default response page.

Fix:
After importing a policy with custom content on the Default Response Page, new lines are no longer changed from \r\n.


534804-3 : TMM may core with rate limiting enabled and service-down-action reselect on poolmembers

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when calculating the rate limit in certain circumstances.

Conditions:
VIP/pool configuration contains:
 - Pool configured with
    + Action On Service Down is set to Reselect
 - Pool members configured with
    + Connection Rate Limit is set

If all pool members go down, this can trigger the core

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove rate limit configuration.

Fix:
TMM no longer cores in certain conditions with rate limiting and service-down-action reselect on pool members.


534795-6 : Swapping VLAN names in config results in switch daemon core and restart.

Component: Local Traffic Manager

Symptoms:
Changing names of configured VLANs directly in the configuration file and reloading results in a bcm56xxd switch daemon core and restart.

Conditions:
Applies to all switch based platforms, when modifying the VLAN names directly in the configuration file and reloading.

Impact:
Switch daemon drops core, restarts, and reconfigures the switch.

Workaround:
First delete any existing VLANs, and then recreate them with the new names.

Fix:
Add additional protection and error logging for VLAN-name- and VLAN-ID-lookup failures in the switch daemon.


534755-2 : Deleting APM virtual server produces ERR_NOT_FOUND error

Component: Access Policy Manager

Symptoms:
When an APM virtual server is deleted on the active unit, the following error message is seen in the APM log on the standby unit.

"Failed to delete profile stats namespaces"

Conditions:
This issue happens when an APM virtual server is deleted on the active unit and the change is subsequently synced to the standby unit.

Impact:
There is no functional impact.

Fix:
Access Filter now ignores the ERR_NOT_FOUND error when deleting the profile stats namespace.


534633-1 : OpenSSH vulnerability CVE-2015-5600

Vulnerability Solution Article: K17113


534630-3 : Upgrade BIND to address CVE 2015-5477

Vulnerability Solution Article: K16909


534582-3 : HA configuration may fail over when standby has only base configuration loaded.

Component: TMOS

Symptoms:
The active unit may fail over when only the base configuration is loaded on a standby system, and HA communications in the HA configuration is interrupted.

Conditions:
Only base configuration loaded on standby and HA communications are disrupted.

Impact:
Potential site outage.

Workaround:
Configure HA to use multiple network interfaces. Avoid loading only the base configuration on HA configurations.

Fix:
HA configuration no longer fails over when a standby system has only the base configuration loaded.


534458-4 : SIP monitor marks down member if response has different whitespace in header fields.

Component: Local Traffic Manager

Symptoms:
In certain circumstances the SIP monitor may incorrectly mark a SIP pool member down. This is due to the comparison the monitor makes of the standard header fields in the SIP monitor request to the response.

Conditions:
The SIP monitor request and the response differ in their use of whitespace in the header fields, for example, 'field:value' and 'field: value'.

Impact:
Unable to monitor the SIP pool member accurately using the standard SIP monitor because the pool member will be marked down.

Workaround:
Use other types of monitors, e.g., UDP.

Fix:
The SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differs.
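The failure above comes from comparing header lines as raw strings. As an added example (not F5's monitor code), the following contrasts that strict comparison with one over parsed name/value pairs, which tolerates the whitespace and name-case variation that RFC 3261 permits while still rejecting a response from a different transaction; the sample request and response are constructed.

```python
# Constructed monitor OPTIONS request: no space after the header colons.
REQUEST = (
    "OPTIONS sip:member.example.test SIP/2.0\r\n"
    "Via:SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From:<sip:monitor@10.0.0.1>;tag=1928301774\r\n"
    "To:<sip:member.example.test>\r\n"
    "Call-ID:a84b4c76e66710@10.0.0.1\r\n"
    "CSeq:1 OPTIONS\r\n"
    "Content-Length:0\r\n"
    "\r\n"
)

# Constructed response from a healthy member: same transaction, but a space
# after each colon and different casing of one header name. A UAS also adds
# a tag to To, so To is not part of the equality check below.
RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:monitor@10.0.0.1>;tag=1928301774\r\n"
    "To: <sip:member.example.test>;tag=8321234356\r\n"
    "Call-id: a84b4c76e66710@10.0.0.1\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Headers the request and a matching response must agree on.
COMPARED_HEADERS = ("via", "from", "call-id", "cseq")


def _header_lines(message):
    """Header lines of a SIP message, excluding the start line and body."""
    head = message.split("\r\n\r\n", 1)[0]
    return [line for line in head.split("\r\n")[1:] if line]


def parse_headers(message):
    """Return {lowercased name: value with whitespace collapsed}.

    RFC 3261 makes header names case-insensitive and allows arbitrary
    linear whitespace around the colon, so neither may affect matching.
    """
    headers = {}
    for line in _header_lines(message):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = " ".join(value.split())
    return headers


def strict_headers_match(request, response):
    """Pre-fix behaviour: each compared request header must appear in the
    response byte-for-byte. 'field: value' vs 'field:value' marks it down."""
    response_lines = set(_header_lines(response))
    for line in _header_lines(request):
        name = line.partition(":")[0].strip().lower()
        if name in COMPARED_HEADERS and line not in response_lines:
            return False
    return True


def lenient_headers_match(request, response):
    """Fixed behaviour: compare parsed values, so formatting differences are
    ignored but a response to some other request still fails to match."""
    req, resp = parse_headers(request), parse_headers(response)
    return all(req.get(h) == resp.get(h) for h in COMPARED_HEADERS)


if __name__ == "__main__":
    print("strict :", strict_headers_match(REQUEST, RESPONSE))
    print("lenient:", lenient_headers_match(REQUEST, RESPONSE))
```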


534246-4 : rest_uuid should be calculated from the actual values inserted to the entity

Component: Application Security Manager

Symptoms:
BIG-IP computes rest_uuid values for HTTP headers from the case-sensitive user input, but stores the header names case-insensitively.

Conditions:
For example:
1. Go to Security>>Application Security>>Headers>>HTTP Headers.
2. Choose 'Custom...' for the name of the header.
3. Create a custom header named 'Abc' (with a capital letter).
4. Remember the ID generated in the JSON element.
5. Delete the header.
6. Create a new custom header and use the name 'abc'.

Actual Results:
The ID of 'abc' and the ID of 'Abc' are different.

Impact:
Two identical normalized values may have different rest_uuid.

Workaround:
N/A

Fix:
The REST "id" field is now calculated from the actual values inserted to the entity, and not on the user-input values.
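The fix moves id derivation from the input as typed to the value as stored. As an added example (not F5's implementation; the real rest_uuid algorithm is not given on the page, so uuid5 over a constructed namespace stands in for it), the following walks through the Conditions steps with both behaviours; the store and helper names are assumptions.

```python
import uuid

# Constructed namespace for the derived ids; any fixed UUID serves, as long
# as it never changes once ids have been handed out.
HEADER_NAMESPACE = uuid.UUID("00000000-0000-4000-8000-000000000001")


def normalize_header_name(name):
    """The stored form of an HTTP header name: trimmed and lowercased,
    because HTTP header names are case-insensitive."""
    normalized = name.strip().lower()
    if not normalized:
        raise ValueError("header name must not be empty")
    return normalized


def rest_id_from_input(name):
    """Pre-fix behaviour: the id is derived from the user's input as typed,
    so 'Abc' and 'abc' get different ids although they are one header."""
    return str(uuid.uuid5(HEADER_NAMESPACE, name))


def rest_id_from_stored(name):
    """Fixed behaviour: the id is derived from the value actually stored,
    so every spelling of one header maps to the same id."""
    return str(uuid.uuid5(HEADER_NAMESPACE, normalize_header_name(name)))


class HeaderStore:
    """Minimal store that keys entities by normalized name, as the page
    describes, and uses a pluggable id function so both behaviours can be
    compared."""

    def __init__(self, id_func):
        self._id_func = id_func
        self._entities = {}

    def create(self, name):
        key = normalize_header_name(name)
        if key in self._entities:
            raise ValueError(f"header {key!r} already exists")
        entity = {"id": self._id_func(name), "name": key}
        self._entities[key] = entity
        return entity

    def delete(self, name):
        del self._entities[normalize_header_name(name)]

    def get(self, name):
        return self._entities.get(normalize_header_name(name))


def reproduce_steps(id_func):
    """Steps 3 to 6 of the Conditions: create 'Abc', note its id, delete it,
    create 'abc'. Returns both ids so the caller can compare them."""
    store = HeaderStore(id_func)
    first = store.create("Abc")["id"]
    store.delete("Abc")
    second = store.create("abc")["id"]
    return first, second


if __name__ == "__main__":
    print("from input :", reproduce_steps(rest_id_from_input))
    print("from stored:", reproduce_steps(rest_id_from_stored))
```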


534111-2 : [SSL] Config sync problems when modifying cert in default client-ssl profile

Component: Local Traffic Manager

Symptoms:
Config sync problems after modifying cert in default client-ssl profile when the profile is already active and in use on members in a high availability configuration.

Conditions:
Modify cert in default client-ssl profile and perform a config sync operation.

Impact:
After config sync, units in the sync group have different cert/key settings for client-ssl profiles. You can see this in the inherit-certkeychain setting, which changes from 'true' to 'false' after syncing the configuration with the changed default value.

Workaround:
1. Remove client-ssl definitions from bigip.conf on each unit.
2. Reload the config.
3. Synchronize the config.

Fix:
The system now correctly syncs the default client-ssl profile that was modified with a new cert and key, so the active and standby unit configurations now have the correct cert/key settings after config sync.


534052-5 : VLAN failsafe triggering on standby leaks memory

Component: Local Traffic Manager

Symptoms:
Memory is leaked when VLAN failsafe is active and sending ICMP probes.

Conditions:
VLAN failsafe is active on the standby unit, sending ICMP probes, and is configured with failsafe-action failover.

Impact:
The memory leak triggers the aggressive sweeper and eventually a TMM crash on the standby unit.

Workaround:
None.

Fix:
Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes.


534021-1 : HA on AWS uses default AWS endpoint (EC2_URL).

Component: TMOS

Symptoms:
HA doesn't work on Government clouds on AWS.

Conditions:
AWS endpoints for government clouds differ from those of the public offerings. Amazon recommends constructing the endpoint (EC2_URL) dynamically as <service name>.<region>.<services/domain>.

Impact:
HA doesn't work on Government clouds on AWS.

Workaround:
The EC2 endpoint can be constructed dynamically as follows:
 - Query the EC2 metadata service for the <DOMAIN> name (curl http://169.254.169.254/latest/meta-data/services/domain)
 - Read the instance <REGION> from /shared/vadc/aws/iid-document
 - Declare the global variable EC2_URL from the two values above, in the following format:
   export EC2_URL="http://ec2.<REGION>.<DOMAIN>"

Fix:
BIG-IP HA on AWS now dynamically constructs the EC2 service endpoint from the domain name and region associated with the running instance.


533966-4 : Double loopback nexthop release might cause TMM core.

Component: Local Traffic Manager

Symptoms:
TMM might restart after logging an 'Assertion "nexthop ref valid" failed' message.

Conditions:
Traffic is sent from one tmm to a tunnel in another tmm, but the tunnel does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
There is no longer a TMM crash due to an extra loopback nexthop release.


533826-4 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image grows and might eventually crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system.


533820-3 : DNS Cache response missing additional section

Component: Local Traffic Manager

Symptoms:
Resolver cache lookups are missing authority and additional sections.

Conditions:
Resolver cache lookups can be missing the authority and additional sections for A and AAAA queries when the DO bit is not set.

Impact:
If the requesting client needs the information that would normally be included in the authority or additional sections, it would have to make additional queries to acquire that data.

Workaround:
None.

Fix:
The resolver cache now correctly includes the authority and additional sections when that information is available.


533813-2 : Internal Virtual Server in partition fails to load from saved config

Component: TMOS

Symptoms:
Loading a successfully configured internal Virtual Server from the config fails with the following message:

-- 01070712:3: Values (/part2/0.0.0.0%2) specified for Virtual Server (/part2/ICAP_request): foreign key index (name_FK) do not point at an item that exists in the database.

Conditions:
This occurs when the following conditions are met:
-- You are running a BIG-IP system with no configuration.
-- You have created an external VLAN with an interface.
-- You have created a non-default route domain, and associated it with a newly created VLAN.
-- You have created a virtual server, and configured a pool in a partition other than /Common.
-- You have saved the configuration.

Here is an example of how this might occur. Run the following commands:

- tmsh
- create net vlan external interfaces add { 1.2 }
- create net route-domain 2 vlans add { external }
- create auth partition part2 default-route-domain 2
- cd ../part2
- create ltm pool icap_pool members add { 10.10.10.10:8080 }
- create ltm virtual ICAP_request destination 0.0.0.0:0 mask 0.0.0.0 internal ip-protocol tcp profiles add { tcp } pool icap_pool
- save sys config
- load sys config partitions all verify

Impact:
The operation creates a virtual server but cannot load it from saved config.

Workaround:
To work around this issue, you can use the Common partition to complete the configuration.

Fix:
You can now configure an internal virtual server in a partition and load the config successfully.


533808-2 : Unable to create new rule for virtual server if order is set to "before"/"after"

Component: Advanced Firewall Manager

Symptoms:
A new rule cannot be created for a virtual server when the order is set to "before"/"after".

Conditions:
Happens only when the order is set to "before"/"after".

Impact:
Unable to create a new rule from the virtual server page.


533723-7 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.

Component: Access Policy Manager

Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.

Conditions:
The web application dynamically creates HTML content on the client side that contains a textarea tag.

Impact:
The web application might malfunction.

Workaround:
There is no workaround at this time.

Fix:
Content rewriting is suppressed on the client side for the textarea tag.


533658-3 : DNS decision logging can trigger TMM crash

Component: Global Traffic Manager

Symptoms:
Applying load balance decision logging to the DNS profile can cause TMM to crash when a query is load balanced to a last resort pool that is unavailable.

Conditions:
-- DNS load balance decision logging is enabled on the DNS profile.
-- A Wide IP is configured with a last resort pool.
-- The last resort pool is unavailable.
-- A query is load balanced to the last resort pool.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable decision logging for the DNS profile, or discontinue use of the last resort pool feature.

Fix:
DNS decision logging no longer causes TMM to crash when a last resort pool is configured for a Wide IP, that last resort pool is unavailable, and a query is load balanced to that last resort pool.


533562-5 : Memory leak in CGNAT can result in crash

Component: Carrier-Grade NAT

Symptoms:
tmm leaks cmp memory, resulting in a crash.

'tmctl memory_usage_stat' reports very high cmp memory utilization.

Conditions:
Configure hairpin mode or inbound connection handling set to automatic.

Impact:
BIG-IP system might run out of memory and crash.

Workaround:
Avoid hairpin mode or inbound connection handling set to automatic.

Fix:
Fixed CGNAT memory leak that occurred when configured for hairpin mode or when inbound connection handling is set to automatic.


533480-4 : qkview crash

Component: TMOS

Symptoms:
Qkview may crash or hang. You might see this error message in /var/log/ltm:

err mcpd[8003]: 0107134e:3: Failed while making snapshot:
(Failed to link files existing(/config/filestore/files_d/Common_d/...

Conditions:
Changing large configurations while running qkview or missing files from the /config/filestore/files_d/Common_d/external_monitor_d directory can cause qkview to crash or hang.

Impact:
You will be unable to generate a qkview file for support.

Workaround:
Make sure any iControl scripts that are making changes are allowed to complete.
If you deleted any external monitor files from /config/filestore/files_d/Common_d, restore the external-monitor file and re-run qkview.

Fix:
The system now handles running qkview while creating 20,000 or more pools or removing an external monitor from the /config/filestore/files_d/Common_d/external_monitor_d directory, so these conditions no longer cause qkview crash or hang issues.


533458-2 : Insufficient data for determining cause of HSB lockup.

Component: TMOS

Symptoms:
When an HSB lockup occurs, only the HSB registers are dumped into the TMM log files for diagnosing the failure. There is no core file containing stats and the state of the HSB driver at the time of the failure to help diagnose it.

Conditions:
When an HSB lockup occurs.

Impact:
Limited data is available for root cause analysis.

Workaround:
None.

Fix:
On HSB lockup, the system now generates a core file containing stats and the state of the HSB driver at the time of the failure, to help diagnose the failure.


533388-8 : tmm crash with assert "resume on different script"

Component: Local Traffic Manager

Symptoms:
In a rare race condition involving a stalled server-side TCP connection on which a RST is received, and an asynchronously executing client-side iRule for the CLIENT_CLOSED event, tmm can crash with the assert "resume on different script".

Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g. those that use 'after' or 'table' or 'session' commands - this is not an exhaustive list).

Fix:
tmm no longer crashes with the assert "resume on different script".


533336-1 : Display 'description' for port list members

Component: Advanced Firewall Manager

Symptoms:
Descriptions for port list members are not displayed in the GUI.

Conditions:
Create a port list with 'description' set for its members (using tmsh).

When the port list page is accessed from the GUI, the description set for the members (in tmsh) is not displayed.

Impact:
Users will not be able to see the description.

Workaround:
Use tmsh to view the description for port list members.

Fix:
Descriptions for port list members are now displayed in the GUI.


533257-1 : tmsh config file merge may fail when AFM security log profile is present in merged file

Component: TMOS

Symptoms:
A config file merge into an existing config may fail with "unknown-property" message.

Conditions:
This can occur when you are doing a config file merge. The error is encountered with a parameter called "built-in enabled".

Impact:
All releases and modules are affected.

Workaround:
The offending parameter may be deleted from the merge file; however, this may result in the value for the deleted parameter not being set correctly in the existing config.

Fix:
Fixed a problem with tmsh config file merge failing when AFM security log profile is present in merged file.


533156-2 : CVE-2015-6546

Vulnerability Solution Article: K17386


533098 : Traffic capture filter not catching all relevant transactions

Component: Application Visibility and Reporting

Symptoms:
The traffic capture filter does not catch all relevant transactions.

Conditions:
When a traffic capture filter is set.

Impact:
Not all relevant transactions are captured.

Fix:
The traffic capture filter now catches all relevant transactions.


532799-4 : Static Link route to /32 pool member can end using dst broadcast MAC

Component: Local Traffic Manager

Symptoms:
After assigning a static route to a node on a specific VLAN, ARPs are no longer generated, and all traffic to the node uses a broadcast (ff:ff:ff:ff:ff:ff) MAC.

Conditions:
Static VLAN route to a poolmember/node with a /32 mask.

Impact:
This can cause the monitors to fail and the poolmember/node to be marked down.

Workaround:
Use a non /32 mask or use a gateway route instead.

Fix:
The BIG-IP system now correctly uses ARP to determine the destination MAC of a host routed via a /32 vlan route.


532761-1 : APM fails to handle compressed ICA file in integration mode

Component: Access Policy Manager

Symptoms:
Citrix application or desktop cannot be started in integration mode with Citrix StoreFront 3.0.

Conditions:
APM is configured for StoreFront 3.0 proxy and HTTP compression is enabled on the StoreFront server.

Impact:
Citrix application or desktop cannot be started.

Fix:
Now APM supports Citrix StoreFront 3.0 in integration mode with HTTP compression enabled on the StoreFront server.


532685-5 : PAC file download errors disconnect the tunnel

Component: Access Policy Manager

Symptoms:
Any failure to download the PAC file is treated as a fatal error. If the Edge Client fails to download the PAC file, the VPN connection cannot be established.

Conditions:
- The PAC file cannot be downloaded by the Edge Client.

Impact:
Tunnel disconnects in case of PAC file download errors.

Workaround:
Fix the infrastructure issues that cause the PAC file download failure.

Fix:
PAC file download and merging issues were previously treated as critical, and the Edge Client disconnected the tunnel. This behavior is now controlled by a new setting on BIG-IP called "Ignore PAC download error".

Behavior Change:
PAC file download and merging issues were previously treated as critical, and the BIG-IP Edge Client disconnected the tunnel. This behavior is now controlled by a new setting on BIG-IP called "Ignore PAC download error".


532559-2 : Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.

Component: TMOS

Symptoms:
If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. But the configuration could potentially use 'defaults-from none'.

Conditions:
This condition could be caused by executing the following command when generating the configuration.

'tmsh modify ltm profile client-ssl clientssl defaults-from none'

Impact:
The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile.

Workaround:
Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.

Fix:
Upgrade no longer fails if 'defaults-from none' is under profile '/Common/clientssl'.


532522-4 : CVE-2015-1793

Vulnerability Solution Article: K16937


532394-1 : Client to log value of "SearchList" registry key.

Component: Access Policy Manager

Symptoms:
n/a

Conditions:
Windows user connecting and disconnecting network access connection to BIG-IP APM server.

Impact:
n/a

Workaround:
n/a

Fix:
To provide better traceability, the APM client now creates a log entry each time F5 software reads or writes the "SearchList" or "SearchList_F5_BACKUP_VALUE" registry keys.


532340-2 : When FormBased SSO or SAML SSO are configured, tmm may restart at startup

Component: Access Policy Manager

Symptoms:
Under unlikely circumstances, tmm threads may run into a synchronization issue during startup initialization, causing a BIG-IP failover.

Conditions:
- SAML SSO or Form Based SSO are configured.
- TMM is in process of starting (during reboot or for any other reason).

Impact:
BIG-IP fails over at start time.
If tmm has started successfully, no further impact is observed.

Workaround:
Remove Form Based SSO, and SAML objects from configuration.

Fix:
A thread synchronization issue that caused tmm startup issues has been fixed.


532107-5 : [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted

Component: Local Traffic Manager

Symptoms:
If the RTT value for the nameserver cache has reached the maximum value of 120000, BIG-IP keeps that maximum RTT value even after 'delete ltm dns cache nameserver' is executed.

Conditions:
The RTT for the nameserver cache reached the maximum value of 120000.

Impact:
This can cause DNS response failures.

Workaround:
Change size for nameserver-cache-count to reset the nameserver cache.
# tmsh modify /ltm dns cache resolver my_dns_cache nameserver-cache-count 16536

Fix:
Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior.


532096-3 : Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used

Component: Access Policy Manager

Symptoms:
Machine Certificate Checker (client side) is not backward compatible with BIG-IP 11.4.1 and earlier when the MatchFQDN rule is used.

Conditions:
The Machine Certificate Checker agent uses the MatchFQDN rule in an Access Policy on BIG-IP version 11.4.1 or earlier.
A newer BIG-IP Edge Client (version later than 11.4.1) is used against the older BIG-IP.

Impact:
The Machine Certificate Checker agent may fail, and the access policy takes the wrong branch.

Fix:
Fixed issue causing Machine Certificate checker agent backward incompatibility.


532030-2 : ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI

Component: Application Security Manager

Symptoms:
When importing a policy that uses a custom signature set, ASM checks whether that signature set already exists on the system. If it does not exist, ASM creates a new set.

When a set is created via REST it does not correctly set an internal field that does get set via creation by the GUI or XML import.

This causes unexpected behavior and extra signatures being created when a REST client, such as BIG-IQ, attempts to co-ordinate changes across devices utilizing import via XML and REST calls.

Conditions:
A Custom filter-based signature set is created by the GUI and then attached to a security policy.
The security policy is exported in XML format.

On a different device an identical signature set is created via REST.
The security policy is then imported on that device.

Impact:
Extraneous signature sets are created, and false differences appear with regards to which signature sets are attached to which policies across multiple devices.

Workaround:
As a workaround, custom filter-based signature sets should be created only via REST or only via GUI across multiple devices.

Fix:
Custom filter-based signature sets created using REST or the Configuration utility now have the same internal settings and match for XML security policy export/import.


531986-2 : Hourly AWS VE license breaks after reboot with default tmm route/gateway.

Component: TMOS

Symptoms:
In AWS Hourly instances, if a default gateway is added, the hourly license may fail, causing BIG-IP to fail to come up to a running state. Error messages will resemble the following:

Jul 6 19:26:14 ip-10-0-0-104 err mcpd[22186]: 01070734:3: Configuration error: MCPProcessor::check_initialization:
Jul 6 19:26:17 ip-10-0-0-104 err mcpd[22186]: 010717ff:3: [Licensing]: Failure in establishing instance identity.

Conditions:
Hourly instance in AWS with default tmm route added.

Impact:
BIG-IP VE will fail to fully start, rendering the instance unusable.

Workaround:
Temporary removal of default tmm route resolves this problem. The tmm route can be added back once MCPD is in the running state.

Fix:
The problem with default tmm route breaking Hourly licenses has been resolved. The default tmm route no longer affects the license check on Hourly billing Virtual Edition.


531983-4 : [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added

Component: Access Policy Manager

Symptoms:
Routing table is not updated correctly in connected state when new adapter is added to the system.

Conditions:
SSL VPN tunnel is established and new adapter is added to the system. For example, Wi-Fi connected when tunnel is established already over Ethernet adapter.

Impact:
Routing table might be corrupted.

Workaround:
Restart OS X.

Fix:
The routing table now updates correctly when a new adapter is added to the system while an SSL VPN tunnel is already established over another network adapter.


531979-4 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system sets the SSL version in the record layer to the same value as the ClientHello message version, which is the highest SSL version the system supports.

Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:

SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION

The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.

For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.

Fix:
The SSL version in the record layer of the ClientHello is now set to the lowest supported version, which eliminates the handshake failure that occurred when the highest SSL version the BIG-IP system supports did not fall into the range that an SSL peer supports.
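
The following is an added example, not F5 code, that reads the two version fields of a ClientHello and models the negotiation failure described above. The ClientHello bytes are constructed test input, and the peer model (record-layer version read as the client's lowest version, ClientHello version as its highest) is an assumption that follows the de facto behavior this entry describes.

```python
"""Inspect the record-layer and handshake-layer versions of a TLS ClientHello
and show why setting both to the highest supported version shrinks the range
the peer believes the client supports. Added example, not F5 code."""
import struct

# TLS versions as (major, minor) pairs, exactly as they appear on the wire.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL30: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_CLIENT_HELLO = 1


def build_client_hello(record_version, hello_version):
    """Build a minimal ClientHello record (constructed test input, not a
    capture). Only the two version fields matter for this example."""
    body = (bytes(hello_version)
            + b"\x00" * 32            # client_random placeholder
            + b"\x00"                 # session_id length 0
            + b"\x00\x02\x00\x2f"     # cipher_suites: one suite (0x002f)
            + b"\x01\x00")            # compression_methods: null only
    handshake = (bytes([HANDSHAKE_TYPE_CLIENT_HELLO])
                 + len(body).to_bytes(3, "big") + body)
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_versions(record):
    """Return (record_layer_version, client_hello_version) for a ClientHello
    record, or raise ValueError if the bytes are not one."""
    if len(record) < 11 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (length,) = struct.unpack("!H", record[3:5])
    if len(record) < 5 + length or record[5] != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    record_version = (record[1], record[2])   # bytes 1-2 of the record header
    hello_version = (record[9], record[10])   # first field of the ClientHello body
    return record_version, hello_version


def uses_lowest_record_version(record, lowest_supported):
    """True when the record layer carries the client's lowest supported
    version, which is the de facto convention this issue describes."""
    record_version, _ = parse_versions(record)
    return record_version == lowest_supported


def negotiate(record, peer_min, peer_max):
    """Model (an assumption for this example) of a peer that reads the record
    version as the client's lowest and the ClientHello version as its highest.
    Returns the chosen version, or None when no common version exists."""
    low, high = parse_versions(record)
    chosen = min(high, peer_max)
    if chosen < max(low, peer_min):
        return None
    return chosen


if __name__ == "__main__":
    peer = (TLS10, TLS11)   # peer configured for TLS1.0 and TLS1.1 only
    # Behaviour before the fix: record version == ClientHello version.
    before = build_client_hello(TLS12, TLS12)
    # Conventional form after the fix: record version == lowest supported.
    after = build_client_hello(TLS10, TLS12)
    for label, hello in (("before fix", before), ("after fix", after)):
        rec, hs = parse_versions(hello)
        result = negotiate(hello, *peer)
        print(f"{label}: record={NAMES[rec]} hello={NAMES[hs]} -> "
              f"{NAMES[result] if result else 'handshake fails'}")
```

Run against a real ClientHello captured from a client under test, parse_versions shows at a glance whether the record layer advertises the lowest or the highest version.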


531883-3 : Windows 10 App Store VPN Client must be detected by BIG-IP APM

Component: Access Policy Manager

Symptoms:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via the client type agent.

Conditions:
Windows 10 App Store VPN Client, BIG-IP APM, client type agent.

Impact:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box.

Fix:
Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box using the Client Type agent.


531809-1 : FTP/SMTP traffic related bd crash

Component: Application Security Manager

Symptoms:
Protocol Security: The Enforcer may crash upon FTP or SMTP traffic using remote logging.

Conditions:
FTP/SMTP traffic and remote logging assigned. Crash happens on a rare occasion.

Impact:
bd crash, traffic disturbance.

Workaround:
Remove the remote logging from FTP/SMTP.

Fix:
Protocol Security: The Enforcer no longer crashes upon FTP or SMTP traffic using remote logging.


531576-2 : TMM vulnerability CVE-2016-7476

Vulnerability Solution Article: K87416818


531526-1 : Missing entry in SQL table leads to misleading ASM reports

Component: Application Visibility and Reporting

Symptoms:
Some reports of ASM violations were generated with missing activity.

Conditions:
When there are many entities to report and some are aggregated, the aggregated activity is not reported.

Impact:
Misleading reports of ASM activity.

Workaround:
None.

Fix:
Aggregated activity is now reported even when there are many entities to report and some are aggregated.


531483-1 : Copy profile might end up with error

Component: Access Policy Manager

Symptoms:
Copying a profile might fail with an error stating that two items are sharing the same agent.

Conditions:
Very rare: long policy names with similar name parts.

Impact:
Minor: you need to choose a different name for the new policy.

Fix:
Issue resolved.


530963-3 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not verify every byte in the Finished message of a TLS handshake, but it does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card, but the affected TLS connection is not accelerated by that card.

The following are examples of when a TLS connection is not accelerated by the Cavium card:

* The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x).

* The BIG-IP platform does not contain a Cavium SSL accelerator card. The following BIG-IP platforms do not contain a Cavium SSL accelerator card:
* BIG-IP 2000 platforms
* BIG-IP 4000 platforms
* BIG-IP Virtual Edition

Impact:
F5 believes the reported behavior does not have security implications at this time.

Workaround:
None.

Fix:
BIG-IP TLS now correctly verifies Finished.verify_data on non-Cavium platforms.


530952-4 : MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'

Component: Application Visibility and Reporting

Symptoms:
MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'. Errors in monpd.log similar to the following:

[DB::mysql_query_safe, query failed] Error (error number 1615) executing SQL string ...

Conditions:
This is due to a MySql bug. For information, see 'Prepared-Statement fails when MySQL-Server under load', available here: http://bugs.mysql.com/bug.php?id=42041

Impact:
Monpd loses functionality.

Workaround:
Restart monpd.

Fix:
Error number 1615, 'Prepared statement needs to be re-prepared', no longer occurs in the monpd.log.


530903-5 : HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade

Component: TMOS

Symptoms:
HA pair should remain in active/standby state after the software upgrade but instead goes into an active/active state.

Conditions:
Occurs in an active/standby HA pair which has a medium size configuration of pools and virtual servers (at least 30 objects total). The standby device is upgraded first and then it is rebooted. After reboot, the HA pair goes into an Active/Active state. Upgrades to 11.5.0 through 11.5.3 as well as to 11.6.0 are impacted.

Impact:
Active/Standby configuration is lost.

Workaround:
Reconfigure the HA pair back to active/standby.

Fix:
An HA pair in a typical Active/Standby configuration now remains Active/Standby after a software upgrade.


530865-1 : AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)

Component: Advanced Firewall Manager

Symptoms:
Due to a related change in AFM ACL handling, global and route domain rules were being logged (incorrectly) by the virtual server's AFM log profile (if one exists).

This is incorrect since the behavior has always been that Global and Route Domain AFM rule logging is controlled by global-network log profile only.

Conditions:
Global or Route Domain AFM ACL rule matches and logging is enabled. Also, the matched virtual server has a logging profile attached to it.

Impact:
This causes a regression (and inadvertent change in behavior) for Global and Route Domain AFM rule logging.

Workaround:
None.

Fix:
With the fix, global and route domain AFM rule logging is controlled by global-network log profile (as has been the case since inception).


530829-2 : UDP traffic sent to the host may leak memory under certain conditions.

Vulnerability Solution Article: K00032124


530812-5 : Legacy DAG algorithm reuses high source port numbers frequently

Component: Local Traffic Manager

Symptoms:
A service on a pool member will receive connections frequently with a source port number above 65400, especially when the incoming connections to the Virtual IP listener are generated by test tools that increment their source port numbers sequentially. This could lead to premature SNAT port exhaustion, if SNAT is also being used.

Conditions:
The issue appears to be limited to the legacy DAG algorithm on the VIPRION PB100 and PB200 blades. All supported versions of BIG-IP will exhibit this issue on this hardware when this DAG algorithm is used. The problem is not exhibited when the incoming sessions' source port numbers have a reasonable amount of entropy (as one would normally see with real Internet traffic); however, the use of test tools, or even intentional malicious traffic may cause this issue to be seen.

Impact:
The issue could result in resource contention (such as SNAT pool port exhaustion), or problems with the pool member services distinguishing between sessions. A notable exception: Port reuse before TIME_WAIT expires is specifically NOT an impact of this issue.

Workaround:
To work around SNAT pool port exhaustion, increase the pool size, or change to auto-map. An iRule may be used to help pool member services better distinguish incoming sessions.

Fix:
The software emulation of the legacy DAG algorithm used on VIPRION PB100 and PB200 has been updated to more evenly distribute the source port numbers of sessions arriving at pool member services.


530795-1 : In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may send ICMP messages that contain an incorrect TCP SEQ/ACK number in the embedded message body.

Conditions:
FastL4 TCP virtual servers. Syncookie mode.

Impact:
The TCP connflow might be aborted if an ICMP message (such as More fragment) is received.

Workaround:
None.

Fix:
The BIG-IP system now sends the correct SEQ and ACK numbers in ICMP messages.


530769 : F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment.

Component: Local Traffic Manager

Symptoms:
When MCPD restarts on one of the B2100 blades, trunk interfaces on the blade do not come up.

Conditions:
MCPD restarts in a clustered environment (chassis).

Impact:
TMM will not process traffic on the blade where mcpd restarted.

Workaround:
Restart tmm (bigstart restart tmm) on the blade that shows the interface down.

Fix:
Fixed in corrections for bug 502443-9.


530761-4 : TMM crash in DNS processing on a TCP virtual

Component: Local Traffic Manager

Symptoms:
TMM can crash while processing DNS requests on a TCP virtual server.

Conditions:
A TCP DNS virtual server combined with a DNS iRule that suspends and a client that closes its connection before receiving a response to its DNS request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
While no true workaround exists, the situation can be avoided by removing any one of the conditions above.

Fix:
TMM now properly handles DNS requests through a TCP virtual where the client closes the connection during iRule processing.


530697-3 : Windows Phone 10 platform detection

Component: Access Policy Manager

Symptoms:
Windows Phone 10 platform is not currently detected.

Conditions:
Windows Phone 10 platform, BIG-IP APM system.

Impact:
Windows Phone 10 platform is not detected correctly by BIG-IP.

Fix:
Windows Phone 10 platform is detected correctly now.


530622-2 : EAM plugin uses high memory when serving very high concurrent user load

Component: Access Policy Manager

Symptoms:
EAM plugin cannot sustain high concurrent user load and will be killed by memory monitors. EAM is cored and restarted. Any requests coming during restart will not be served.

Conditions:
This issue was found in stress testing and reported by customers under high concurrent user load.

Impact:
As a result, EAM cored and restarted; users cannot authenticate during process restart.

Workaround:
No workaround.

Fix:
There was a memory usage issue in the EAM plugin that was caused by a huge object allocation for each connection. This issue is fixed by reducing the default size of client cert and payload arrays.


530598-2 : Some Session Tracking data points are lost on TMM restart

Component: Application Security Manager

Symptoms:
Session Tracking data points that ASM adds based on traffic and the Session Tracking threshold configuration are lost when TMM restarts.

Conditions:
ASM Provisioned.
Session Tracking feature is ON.

Impact:
Session Tracking data points may be added by ASM upon traffic.
These are data points with action 'Block-All'.
These data points are lost when TMM restarts.

Workaround:
None.

Fix:
This release fixes the Session Tracking data points persistence, so that the 'Block-All' Session Tracking data points, which are added by ASM upon traffic, are not lost when TMM restarts.


530505-2 : IP fragments can cause TMM to crash when packet filtering is enabled

Component: Local Traffic Manager

Symptoms:
TMM can crash when an IP fragment is received and packet filtering is enabled.

Conditions:
This issue can occur when packet filtering is enabled and an IP fragment is received on the non-owning TMM.

To determine whether packet filtering is enabled, query the packetfilter setting with the 'tmsh list sys db packetfilter' command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable packet filtering.

Fix:
When packet filtering is enabled and an IP fragment is received on the non-owning TMM, TMM forwards the IP fragment without issue.


530356-1 : Some AVR tables that hold ASM statistics are not being backed up in upgrade process.

Component: Application Visibility and Reporting

Symptoms:
Some AVR tables that hold ASM statistics are not being backed up in the upgrade process when upgrading to a new version with ASM data present in AVR stat tables.

Conditions:
Upgrading to new version.

Impact:
Some ASM data is lost after upgrade.

Fix:
We now correctly back up AVR tables that hold ASM statistics that were previously not backed up when upgrading to a new version.


530242-4 : SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs

Component: TMOS

Symptoms:
When SPDAG is enabled on VIPRION B2250 blades, a traffic imbalance among TMMs might be observed.

Conditions:
Enable SPDAG on VIPRION B2250 blades.

Impact:
The traffic imbalance can lower the throughput of VIPRION B2250 blades.

Workaround:
Adding or removing B2250 blades might mitigate the imbalance.

If you are running BIG-IP versions 11.6.1 or 11.6.1 HF1, add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes

Fix:
A new DAG hash is added for SPDAG on VIPRION B2250 blades, which can resolve the SPDAG traffic imbalance. The new DAG hash can be turned on by setting the TMM Tcl variable dag::use_p8_sp_hash to yes.

Add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes


530133 : Support for New Platform: BIG-IP 10350 FIPS

Component: TMOS

Symptoms:
Support for New Platform: BIG-IP 10350 FIPS, effective in 11.5.4 HF1

Conditions:
This details the new platform name.

Impact:
This is an added platform. There is no impact to the product.

Workaround:
None needed.

Fix:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.

Behavior Change:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.


530122 : Improvements in building hotfix images for hypervisors.

Component: TMOS

Symptoms:
The name of HF/EHF ISOs changed recently and the filter used to locate them needs to change.

Conditions:
Building hotfix images for hypervisors.

Impact:
There are issues providing bundled images.

Workaround:
None.

Fix:
This release provides improvements for building hotfix images for hypervisors.


530109-1 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Component: Access Policy Manager

Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.

Impact:
OCSP authentication might fail because the wrong URL is used.

Workaround:
1. Clear the URL field.
2. Uncheck the 'Ignore AIA' option.

Fix:
If the 'Ignore AIA' option is unchecked, APM uses the AIA from the certificate even if a URL is configured for the AAA OCSP responder. This is correct behavior.

Behavior Change:
If the 'Ignore AIA' option is unchecked, APM uses the AIA from the certificate even if a URL is configured for the AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.


529977-4 : OSPF may not process updates to redistributed routes

Component: TMOS

Symptoms:
When routes redistributed into OSPF are rapidly added and removed, OSPF may not reflect all of the updates in its LSA database.

Conditions:
External routes, such as kernel or static, redistributed into OSPF are rapidly added and removed. This may happen when using Route Health Injection and enabling/disabling a virtual address.

Impact:
OSPF may have stale or missing LSAs for redistributed routes.

Workaround:
Identify the OSPF process ID for the affected route domain using "ps | grep ospfd" and terminate it using the kill command.

This disrupts dynamic routing using OSPF.

Fix:
The OSPF LSA database correctly reflects the state of redistributed routes after rapid updates.


529920-6 : Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit.

Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.

Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.

Workaround:
None.

Fix:
Connection mirroring on a OneConnect virtual server now successfully recovers from a TMM crash during connection establishment, so no mirrored connection flows are lost.


529903-2 : Incorrect reports on multi-bladed systems

Component: Application Visibility and Reporting

Symptoms:
Reports on multi-bladed systems might contain incorrect data if the blades are active at different times and do not share the same level of history. A report covers a different time range than expected.

Conditions:
Example:
A setup with 3 blades, where 2 are down while the active one receives traffic for a full day. Later the 2 down blades come up. The resulting report for 'last day' contains data only for the previous hour, even though traffic has been passing through the system for the last day.

Impact:
Report not as expected.

Workaround:
None.

Fix:
Reports on multi-bladed systems are now displayed correctly even when the blades are active at different times, and do not share the same level of history.


529900-4 : AVR missing some configuration changes in multiblade system

Component: Application Visibility and Reporting

Symptoms:
Some DB variables affect the behavior of AVR, but if they are modified in a multiblade system, then not all blades will be aware of the change, which later leads to errors in functionality.

Conditions:
Multiblade system, having one of the following changes:
1. New primary blade is selected.
2. Change to AVR max number of entities in the DB.

Impact:
Data might not be loaded into the DB, or not be queried correctly.

Workaround:
Restarting monpd solves the problem.

Fix:
Configuration changes in multiblade systems are now treated correctly.


529899-3 : Installation may fail with the error "(Storage modification process conflict.)".

Component: Local Traffic Manager

Symptoms:
On chassis, installation may fail with the error "(Storage modification process conflict.)".

Conditions:
This happens when deleting a boot location and then quickly installing new software to that boot location.

Impact:
Minimal; the installation can be restarted.

Workaround:
Delete the failed volume and restart the installation.

Fix:
On chassis, there was one possible case where the installation would occasionally fail with the error "(Storage modification process conflict.)". This case has been fixed.


529610-4 : On HA setups, the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db

Component: Application Security Manager

Symptoms:
When session tracking actions are enabled in ASM policy, an HTTP request may be blocked based on HTTP session or username and illegal traffic that has been sent from this session. The blocked request is reported in the security events log, but there is no option to release the username using the Configuration utility.

Conditions:
High availability (HA) setup, and ASM with Session tracking actions enabled.

Impact:
Usernames and HTTP sessions are blocked by ASM without an option to release them from the Configuration utility.

Workaround:
Stop and start tmm on all devices in the HA group by running the following commands:
-- bigstart stop tmm
-- bigstart start tmm

Fix:
Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done on the Session Tracking Status screen.


529524-5 : IPsec IKEv1 connectivity issues

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels do not come up, and IKE negotiation is not initiated or does not complete.

Conditions:
1. Configure the BIG-IP system with IPsec IKEv1 tunnel.
2. Send traffic that matches the selectors; it fails, although it may succeed intermittently.

The following chassis scenario might also cause the issue:
1. Configure the VIPRION chassis with IPsec IKEv1 tunnel.
2. Send traffic to match the selectors, and the intended traffic is secured. IPsec IKEv1 tunnels are established.
3. Perform bigstart restart on the secondary blade.
4. Observe that traffic does not pass, and IKE negotiation failures are shown.

Impact:
IPsec IKEv1 tunnels do not get established and the intended traffic is not secured. Traffic does not pass, and shows IKE negotiation failures.

Workaround:
There is a workaround for the chassis platform: Perform bigstart restart of tmm on all blades. There is no workaround for non-chassis platforms.

Fix:
BIG-IP systems and VIPRION platforms now successfully establish IPsec IKEv1 tunnels and secure and pass the intended traffic.


529509-4 : BIND Vulnerability CVE-2015-4620

Vulnerability Solution Article: K16912


529484-3 : Virtual Edition Kernel Panic under load

Component: TMOS

Symptoms:
Virtual Edition instances may crash with a kernel panic under heavy traffic load.

Conditions:
Virtual Edition instances passing 10 Gbps of traffic on interfaces that support LRO.

Impact:
When the issue occurs the Virtual Edition instance will reboot.

Workaround:
Disable LRO on the underlying hypervisor, if possible.

Fix:
Virtual Edition instances now stay active when passing 10 Gbps of traffic on interfaces that support LRO.


529460-5 : Short HTTP monitor responses can incorrectly mark virtual servers down.

Component: Global Traffic Manager

Symptoms:
Despite successful probe response, BIG-IP DNS marks virtual server down.

Conditions:
HTTP server sends HTTP response that is shorter than 64 bytes.

Impact:
Virtual servers are incorrectly marked down.

Workaround:
Modify server response or use a TCP monitor.

Fix:
The BIG-IP DNS HTTP/1.x monitor probe now requires 17 rather than 64 bytes of response payload, so HTTP responses shorter than 64 bytes no longer incorrectly mark virtual servers down.
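As an added example (not F5's monitor implementation), the hypothetical monitor verdict below shows how a minimum-payload threshold interacts with short but valid HTTP/1.x responses; the 64- and 17-byte thresholds come from this entry, while the status-line parsing, the 2xx/3xx pass rule and the sample responses are constructed for illustration.

```python
"""Added example, not F5's monitor implementation: a hypothetical HTTP/1.x
monitor verdict showing how a minimum-payload threshold interacts with
short but valid responses. Sample responses are constructed."""
import re
from typing import Tuple

# Accept "HTTP/1.0 200 OK\r\n" or "HTTP/1.1 200\r\n"; reason phrase is optional.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: [^\r\n]*)?\r\n")

# Constructed responses (not captured from a real server).
SHORT_OK = b"HTTP/1.1 200 OK\r\n"                  # bare status line: 17 bytes
FULL_OK = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Length: 2\r\n"
           b"Connection: close\r\n"
           b"\r\n"
           b"ok")                                   # complete response: 59 bytes
SERVER_ERROR = b"HTTP/1.0 503 Service Unavailable\r\n\r\n"

OLD_MINIMUM = 64   # payload threshold before the fix described above
NEW_MINIMUM = 17   # payload threshold after the fix


def monitor_verdict(response: bytes, min_bytes: int = NEW_MINIMUM) -> Tuple[bool, str]:
    """Return (up, reason). The probe passes only when the payload reaches
    min_bytes AND starts with a parseable 2xx/3xx HTTP/1.x status line
    (the 2xx/3xx rule is this example's assumption, not F5's)."""
    if len(response) < min_bytes:
        return False, f"payload {len(response)} bytes < minimum {min_bytes}"
    m = STATUS_LINE.match(response)
    if m is None:
        return False, "no HTTP/1.x status line"
    code = int(m.group(1))
    return (200 <= code < 400), f"status {code}"


if __name__ == "__main__":
    # A complete, well-formed 200 response is itself under 64 bytes, so the
    # old threshold marked it down; the 17-byte threshold accepts it.
    for name, resp in (("SHORT_OK", SHORT_OK), ("FULL_OK", FULL_OK),
                       ("SERVER_ERROR", SERVER_ERROR)):
        print(name, len(resp), "bytes",
              "old:", monitor_verdict(resp, OLD_MINIMUM),
              "new:", monitor_verdict(resp, NEW_MINIMUM))
```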


529392-3 : Win10 and IE11 are not detected in case of a DIRECT rule in the proxy autoconfig script

Component: Access Policy Manager

Symptoms:
Windows 10 and Internet Explorer 11 are not detected when a DIRECT rule in a locally configured proxy autoconfig script is used to connect to the BIG-IP system.

Conditions:
Local proxy autoconfig script, DIRECT rule for the BIG-IP virtual server, Internet Explorer 11.

Impact:
Internet Explorer 11 is not detected properly.

Fix:
Internet Explorer 11 on Microsoft Windows 10 is now detected correctly if the local proxy autoconfig script is configured with a DIRECT rule for BIG-IP.


529141-4 : Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error

Component: TMOS

Symptoms:
Upgrade from 10.x fails with the error 'emerg load_config_files: '/usr/libexec/bigpipe load' - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line 67): 012e0020:3: The requested item (myclientssl {) is invalid (profile_arg ` show ` list ` edit ` delete ` stats reset) for 'profile'."

Conditions:
Attempting to upgrade from 10.x to 11.6.1 or specific 11.5.3 and 11.5.4 engineering hotfixes with custom Certificate and Key in the clientssl profile.

Impact:
Unable to upgrade successfully and BIG-IP will be inoperative. You will be unable to log into the BIG-IP GUI. The error signature in /var/log/ltm will exist, and /config/bigip.conf will probably not exist.

Workaround:
Delete the following line from all ssl profiles in /config/bigpipe/bigip.conf: inherit-certkeychain false.

To complete the upgrade, run the following command: /usr/libexec/bigpipe load.

After config load is successful, run the following command:
tmsh save sys config && tmsh load sys config.

Fix:
Upgrade from 10.x now completes successfully with a valid clientssl profile, and produces no BIGpipe parsing error.


528955-2 : TMM may core when using Request Adapt profile

Component: Service Provider

Symptoms:
TMM produces a core file.

Conditions:
Serverside connection is detached after processing HTTP response

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Cleaned up invalid references in Adapt component after serverside connection detachment


528881-5 : NAT names with spaces in them do not upgrade properly

Component: TMOS

Symptoms:
When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load.

Conditions:
The BIG-IP system must be configured with NATs that have spaces in their names. When an upgrade is performed to 11.5.0 through 11.5.3 or to 11.6.0 this can be triggered.

Impact:
The configuration does not load on the upgraded system.

Workaround:
Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).

Fix:
NAT names with spaces in them now upgrade properly.


528808-2 : Source NAT translation doesn't work when APM is disabled using iRule

Component: Access Policy Manager

Symptoms:
Source NAT translation does not happen and server-side connection fails.

Conditions:
ACCESS::disable iRule is added to the virtual server.

Impact:
Proxy's server-side connection fails.

Workaround:
Do not use the ACCESS::disable iRule command.

Fix:
Source address translation is now restored correctly even if an iRule has disabled APM.


528739-5 : DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.

Component: Local Traffic Manager

Symptoms:
DNS Caching might use cached data from ADDITIONAL sections of previous lookups in the ANSWER section of responses.

Conditions:
This occurs when using DNS Caching.

Impact:
The data from the ADDITIONAL section might be used in the ANSWER section of DNS responses. The data might be stale or incorrect.

Workaround:
None.

Fix:
The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.
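As an added example (not BIG-IP's DNS Cache implementation), the toy cache below records which message section each resource record arrived in, so data learned from an ADDITIONAL section can only steer the next query and is never served as an ANSWER; the response dict, names and RFC 5737 addresses are constructed for illustration.

```python
"""Added example, not BIG-IP's DNS Cache implementation: a toy cache that
remembers which message section each RR came from, so ADDITIONAL-section
data is never served in an ANSWER. Responses are constructed dicts."""
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str, str]     # (owner name, RR type, rdata)
Key = Tuple[str, str]         # (owner name, RR type)


def _norm(name: str) -> str:
    """Owner names are case-insensitive; the trailing dot is dropped too."""
    return name.rstrip(".").lower()


class DnsCache:
    def __init__(self, trust_additional: bool = False) -> None:
        # trust_additional=True reproduces the defect described above.
        self.trust_additional = trust_additional
        self.answer_rrs: Dict[Key, List[str]] = {}   # learned from ANSWER
        self.hint_rrs: Dict[Key, List[str]] = {}     # learned from ADDITIONAL

    def ingest(self, response: Dict[str, List[RR]]) -> None:
        """Store RRs keyed by the section they arrived in."""
        for name, rtype, rdata in response.get("answer", []):
            self.answer_rrs.setdefault((_norm(name), rtype), []).append(rdata)
        for name, rtype, rdata in response.get("additional", []):
            self.hint_rrs.setdefault((_norm(name), rtype), []).append(rdata)

    def answer(self, name: str, rtype: str) -> Optional[List[str]]:
        """Data for an ANSWER section; None means a miss (resolve upstream)."""
        key = (_norm(name), rtype)
        if key in self.answer_rrs:
            return list(self.answer_rrs[key])
        if self.trust_additional and key in self.hint_rrs:
            return list(self.hint_rrs[key])   # defect: unverified data leaks out
        return None

    def hint(self, name: str, rtype: str) -> Optional[List[str]]:
        """ADDITIONAL data, usable only to choose which server to ask next."""
        return list(self.hint_rrs.get((_norm(name), rtype), [])) or None


# Constructed response: ANSWER names www; ADDITIONAL carries glue for ns1.
SAMPLE_RESPONSE: Dict[str, List[RR]] = {
    "answer": [("www.example.test.", "A", "192.0.2.10")],
    "additional": [("ns1.example.test.", "A", "192.0.2.53")],
}


if __name__ == "__main__":
    buggy, fixed = DnsCache(trust_additional=True), DnsCache()
    buggy.ingest(SAMPLE_RESPONSE)
    fixed.ingest(SAMPLE_RESPONSE)
    # The glue for ns1 was never in an ANSWER, so the fixed cache reports a miss.
    print("buggy ns1 A:", buggy.answer("ns1.example.test", "A"))
    print("fixed ns1 A:", fixed.answer("ns1.example.test", "A"))
    print("fixed ns1 hint:", fixed.hint("ns1.example.test", "A"))
```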


528734-1 : TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.

Component: Local Traffic Manager

Symptoms:
In a Standard virtual server, a data segment will be retransmitted when an ICMP Type 3, Code 4, message with an MTU (greater than or equal to 0) is received. The retransmission occurs until there are no ICMP Type 3, Code 4 messages, a connection times out, or an ACK is received.

Conditions:
A router or client sends ICMP fragmentation-required messages with arbitrary MTU values: increasing, decreasing, unchanged, or 0.

Impact:
Packets might fill up the pipe and cause a minor outage.

Workaround:
None.

Fix:
TCP drops the second or later ICMP Type 3, Code 4 message. If the second packet is a valid ICMP packet, the downstream router will send another ICMP Type 3, Code 4 message.


528726-2 : AD/LDAP cache size reduced

Component: Access Policy Manager

Symptoms:
When the AD or LDAP Query module builds a group cache, that cache contains an unnecessary attribute that is never used.

Conditions:
The AD/LDAP Query module is configured with an option that requires building a local group cache.

Impact:
apd process size grows significantly after group cache is built. If several different caches are maintained at the same time, the process size can hit the 4 GB limit.

Fix:
Removed an unnecessary attribute from cache. As a result, the group cache size and APD process size have been reduced.


528675-3 : BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired

Component: Access Policy Manager

Symptoms:
Edge Client can get stuck in the "disconnecting..." state if it connected through a captive portal session and that session has expired. This happens when the BIG-IP EDGE client keeps the HTTP connection to the captive portal probe URL alive.

Conditions:
BIG-IP EDGE Client for Windows connecting to BIG-IP APM on a network with an active captive portal.
The captive portal session expires before the user terminates the active Network Access connection.

Impact:
When a user runs into this condition, BIG-IP EDGE client for Windows cannot connect to the BIG-IP APM server without a restart.

Workaround:
User can exit and restart BIG-IP EDGE client.

Fix:
The captive portal detection request has been modified to close the HTTP connection properly.


528548-1 : @import "url" is not recognized by client-side CSS patcher

Component: Access Policy Manager

Symptoms:
Links in CSS are not rewritten.

Conditions:
CSS that contains:
@import "url"
or
@import 'url'

Impact:
Unrewritten requests result in errors and customer confusion, and pages render incorrectly.

Workaround:
A custom iRule can be used. No general workaround exists.

Fix:
Fixed CSS rewriting for:
@import "URL"
and
@import 'URL'
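As an added example (not APM's Portal Access rewriter), the minimal CSS @import rewriter below recognises the url() form together with the two bare-string forms named in this entry and routes each target through a rewrite prefix; the prefix, the base URL and the sample stylesheet are constructed for illustration.

```python
"""Added example, not APM's Portal Access rewriter: a minimal CSS @import
rewriter that recognises all three @import syntaxes. The rewrite prefix
and the sample stylesheet are constructed for illustration."""
import re
from typing import List
from urllib.parse import quote, urljoin

# @import url(x) | @import url("x") | @import url('x') | @import "x" | @import 'x'
# The defect described above affected only the last two (bare-string) forms.
IMPORT_RE = re.compile(
    r"""@import\s+(?:
          url\(\s*(?P<q1>["']?)(?P<u1>[^"')]*)(?P=q1)\s*\)   # url(...) form
        | (?P<q2>["'])(?P<u2>[^"']*)(?P=q2)                   # bare-string form
        )""",
    re.IGNORECASE | re.VERBOSE,
)

HYPOTHETICAL_PREFIX = "/proxy/?u="   # stand-in for a portal rewrite path, not APM's


def find_imports(css: str) -> List[str]:
    """Return the imported targets in document order, whatever syntax was used."""
    return [m.group("u1") if m.group("u1") is not None else m.group("u2")
            for m in IMPORT_RE.finditer(css)]


def rewrite_css_imports(css: str, base_url: str,
                        prefix: str = HYPOTHETICAL_PREFIX) -> str:
    """Replace each @import target with its absolute URL routed through prefix,
    keeping the original quoting so the rest of the rule (media lists etc.)
    is left untouched."""
    def repl(m):
        if m.group("u1") is not None:
            q, target = m.group("q1"), m.group("u1")
            routed = prefix + quote(urljoin(base_url, target), safe="")
            return f"@import url({q}{routed}{q})"
        q, target = m.group("q2"), m.group("u2")
        routed = prefix + quote(urljoin(base_url, target), safe="")
        return f"@import {q}{routed}{q}"
    return IMPORT_RE.sub(repl, css)


# Constructed stylesheet exercising all three forms plus a media list.
CSS_SAMPLE = ("@import url(a.css);\n"
              '@import "b.css";\n'
              "@import 'c.css' screen;\n"
              "body { color: red }")


if __name__ == "__main__":
    print(find_imports(CSS_SAMPLE))
    print(rewrite_css_imports(CSS_SAMPLE, "https://intranet.example/app/"))
```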


528498-2 : Recently-manufactured hardware may not be identified with the correct model name and SNMP OID

Component: TMOS

Symptoms:
The model names and corresponding SNMP OIDs of BIG-IP and VIPRION hardware may not be identified correctly.

1. Under the 'tmsh show sys hardware' command, the 'Type' field under 'System Information' may show the alphanumeric Platform Identifier (e.g., C113) instead of the BIG-IP/VIPRION model name (e.g., 4200v).

2. The SNMP sysObjectID OID (1.3.6.1.2.1.1.2.0) may show a value of 'F5-BIGIP-SYSTEM-MIB::unknown' instead of the model-specific identifier.

Conditions:
This problem may occur when running older BIG-IP software releases on BIG-IP or VIPRION hardware platforms that were manufactured after the BIG-IP software release.

Each BIG-IP software release contains a database used to map platform hardware part numbers to BIG-IP or VIPRION model names.
If a BIG-IP or VIPRION hardware platform is manufactured after this BIG-IP software release, this new hardware may contain updates that result in a minor revision to its platform hardware part number.
If this revised platform hardware part number is not found in the database included in the BIG-IP software release, its corresponding model name cannot be determined.
The SNMP sysObjectID OID value is based on the resolved model name. If the model name cannot be determined, the SNMP sysObjectID OID returns 'F5-BIGIP-SYSTEM-MIB::unknown'.

Impact:
Unable to identify recently-manufactured BIG-IP or VIPRION hardware platforms.

Workaround:
1. Identify the hardware platform by its Platform ID, and correlate this to the Platform Name using SOL9476: The F5 hardware/software compatibility matrix at https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9476.html.

2. Query the SNMP F5-BIGIP-SYSTEM-MIB::sysPlatformInfoName.0 object to obtain the hardware identifier, and correlate this to the Platform Name (e.g., from the 'Platform support' in the appropriate BIG-IP software Release Notes).

Fix:
BIG-IP software correctly identifies recently-manufactured BIG-IP or VIPRION hardware platforms with the correct model name and SNMP sysObjectID OID.


528432-1 : Control plane CPU usage reported too high

Component: Local Traffic Manager

Symptoms:
The system CPU usage is reported as the higher of the data plane average and the control plane average. In certain cases, the control plane average was being calculated at about double.

Conditions:
When the data plane CPU usage was lower than the control plane CPU usage. This can occur when there is little client traffic flowing through the BIG-IP but the control plane is busy, say installing software.

Impact:
Typically, since client traffic drives data plane CPU usage, control plane CPU usage is less than data plane CPU usage at normal client loads.

Workaround:
This can safely be ignored at low data plane usage and will not be evident when data plane usage increases.

Fix:
The calculation of the control plane CPU usage no longer includes other CPUs.


528407-6 : TMM may core with invalid lasthop pool configuration

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool.

Conditions:
1) BIG-IP system with VIP and lasthop pool with non-local pool member.
2) Sys db tm.lhpnomemberaction set to 2.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure lasthop pool to use local members/addresses.

Fix:
TMM no longer cores with an invalid lasthop pool configuration.


528276-6 : The device management daemon can crash with a malloc error

Component: TMOS

Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.

Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.

Impact:
The daemon crashes and recovers.

Workaround:
This issue has no workaround at this time.

Fix:
The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.


528188-4 : Packet filters are by-passed for some fragmented ICMP echo requests to a virtual address

Component: Local Traffic Manager

Symptoms:
A packet filter is in place to block ICMP traffic to a virtual address, but the virtual address responds to ICMP echo requests.

Conditions:
A packet filter is in place to block ICMP echo request traffic to a virtual address, and a fragmented ICMP echo request is received by the BIG-IP system. If the ICMP echo request needs to be forwarded to another tmm, the packet-filter is not honored.

Impact:
Traffic is not blocked despite the existence of a packet-filter rule.

Workaround:
Use AFM rather than packet-filter. Note: This may require additional licensing.

Fix:
When a packet filter is in place to block ICMP echo request traffic to a virtual address, and a fragmented ICMP echo request is received by the BIG-IP system, the packet filter is now honored.


528139-4 : Windows 8 client may not be able to renew DHCP lease

Component: Access Policy Manager

Symptoms:
VPN disconnects after the DHCP lease expires.

Conditions:
BIG-IP Edge Client is running on Windows 8.
"Allow access to local DHCP servers" is checked in Network Access settings.

Impact:
VPN may disconnect and user must connect to VPN again.
ipconfig /renew will not work.

Workaround:
DHCP lease timeout is automatic and works properly. Also, end users can first run ipconfig /release and then ipconfig /renew to manually renew a lease.

Fix:
DHCP lease can now be renewed correctly.


528071-2 : ASM periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
ASM periodic updates (run via cron) write errors to log when ASM is not provisioned.

Conditions:
ASM is not provisioned.

Impact:
Errors appear in ASM logs.

Fix:
Errors no longer appear in ASM logs when ASM is not provisioned.


528007-5 : Memory leak in ssl

Component: Local Traffic Manager

Symptoms:
An intermittent memory leak was encountered in SSL.

Conditions:
This can occur under certain conditions when using Client SSL profiles.

Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.

Workaround:
None.

Fix:
An intermittent memory leak in SSL was fixed.


527826-1 : IP Intelligence update failed: Missing SSL certificate

Component: Local Traffic Manager

Symptoms:
IP Intelligence updates fail because of a missing certificate. These errors appear in /var/log/ltm:

err iprepd[5600]: 015c0004:3: Certificate verification error: 20
err iprepd[5600]: 015c0004:3: nSendReceiveSsl failed SSL handshake

The certificate of vector.brightcloud.com was changed recently.

Conditions:
This is seen when attempting to update the IP Intelligence database.

Impact:
IP Intelligence database will not update.

Workaround:
Add the new brightcloud certificate to the end of the chain.

Fix:
This release contains an updated certificate chain.


527799-10 : OpenSSL library in APM clients updated to resolve multiple vulnerabilities

Vulnerability Solution Article: K16674 K16915 K16914


527742-1 : The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system

Component: Local Traffic Manager

Symptoms:
When creating a clientSSL profile on the active BIG-IP system, its inherit-certkeychain field is true by default; however, it appears to be false on the standby BIG-IP system.

Conditions:
BIG-IP systems are deployed as high-availability (HA) configuration.

Impact:
All units in an HA configuration should have the same configuration and the same behavior. Mismatching units in the HA configuration might lead to unexpected mismatching behavior.

Workaround:
None.

Fix:
With the fix, the inherit-certkeychain field of a newly created client SSL profile is set correctly on a standby BIG-IP system.


527649-1 : Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.

Component: Local Traffic Manager

Symptoms:
Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if the upgraded cipherstring would effectively contain no ciphersuites.

Conditions:
This is relevant when the following conditions are met:

* Upgrading to version 12.0.0.
* Client/server SSL profile is configured with the COMPAT keyword.

Impact:
The system changes 'COMPAT' to 'DEFAULT'. Upgrade posts a warning similar to the following:

WARNING: ciphers in clientssl profile TheProfile has been reset to DEFAULT from MD5.

This occurs because the BIG-IP software version 12.0.0 COMPAT set is empty by default. To prevent security issues and upgrade failures due to an empty ciphersuite, the upgrade operation replaces 'COMPAT' with 'DEFAULT'.

This is not considered a software defect, but instead assists users with maintenance of ciphersuites. It is expected that some legacy ciphersuites will be removed from default sets in major releases of BIG-IP system software, which might require user action to account for this change.

Workaround:
Because the upgrade script replaces the configured cipherstring, you should determine whether 'DEFAULT' is a suitable set of ciphersuites, and make necessary adjustments. For more information, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html.

Best practice recommends periodic review of the enabled cipherstrings that are considered secure, since these change over time. Such a review should prevent future occurrence of the condition.


527639-5 : CVE-2015-1791 : OpenSSL Vulnerability

Vulnerability Solution Article: K16914


527638-5 : OpenSSL vulnerability CVE-2015-1792

Vulnerability Solution Article: K16915


527637-5 : PKCS #7 vulnerability CVE-2015-1790

Vulnerability Solution Article: K16898


527633-5 : OpenSSL vulnerability CVE-2015-1789

Vulnerability Solution Article: K16913


527630-2 : CVE-2015-1788 : OpenSSL Vulnerability

Vulnerability Solution Article: K16938


527431-2 : Db variable to specify audit forwarder port

Component: TMOS

Symptoms:
You can specify an audit forwarding destination for RADIUS or TACACS accounting using sys db config.auditing.forward.destination but cannot specify a custom port.

Conditions:
This is encountered if you want to use a port other than the default TCP port 49 for TACACS+ or port 1813 for RADIUS.

Impact:
Unable to configure a custom port other than the default.

Fix:
The sys db config.auditing.forward.destination db variable can now have the IP address and port specified.

For more information on RADIUS or TACACS+ accounting, see SOL13762: Configuring remote RADIUS or TACACS+ accounting at https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13762


527168-3 : In GUI System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535

Component: TMOS

Symptoms:
In the GUI, the System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535.

Conditions:
1. Go to System :: Users : Authentication and click 'Change'.
2. For 'User Directory' choose 'Remote - TACACS+'.
3. Try to add a server with port greater than 32768 and click Create.
4. The maximum value allowed is 32768 instead of 65535.

Impact:
TACACS+ servers with port greater than 32768 cannot be created or modified using the GUI.

Workaround:
Use tmsh to modify these servers.

Fix:
In GUI System :: Users : Authentication, TACACS+ ports now have the correct maximum value of 65535.


527145-3 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
Occasionally SOD core dumps on shutdown during memory cleanup.

Conditions:
System shutdown. Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
Minimal additional impact on services because a shutdown was already in process.

Workaround:
None.

Fix:
Daemon no longer cores on shutdown due to internal processing error.


527027-3 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.


527024-2 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.


527021-2 : BIG-IQ iApp statistics corrected for empty pool use cases

Component: TMOS

Symptoms:
BIG-IQ statistics gathering fails for HTTP iApps. The stats are collected periodically by an iCall script. A bug in the script causes a failure when the pool member count = 0.

Conditions:
The virtual has an empty pool (a common use case in SDN).

Impact:
Causes out-of-memory errors in scriptd.

Fix:
BIG-IP iApps now correctly provide statistics to BIG-IQ in empty-pool use cases.


527011-4 : Intermittent lost connections with no errors on external interfaces

Component: Local Traffic Manager

Symptoms:
Intermittent lost connections to virtual servers or pool nodes with no observable errors on external interfaces.
Errors are observed on internal interfaces using 'tmos show net interface -hidden'.

Conditions:
Normal operation. This can occur on BIG-IP 8950, 11000, and 11050 platforms.

Impact:
Lost connections

Workaround:
None.

Fix:
An issue with intermittent lost connections with no errors on the external interface has been corrected.


526974-5 : Data-group member records map empty strings to 'none'.

Component: TMOS

Symptoms:
When an empty string is applied to a data-group member record, it is converted to 'none'.

Conditions:
Record type is string.

Impact:
The data-group record's data is set to the literal string 'none', even though the user entered an empty string ''.

Workaround:
None.

Fix:
Data-group member records no longer map empty strings to 'none'.


526856-2 : "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency

Component: Application Security Manager

Symptoms:
"Use of uninitialized value" rarely appears as a warning upon UCS installation due to an ASM signature inconsistency.

Conditions:
A UCS file with an internal ASM signature inconsistency is installed.

Impact:
"Use of uninitialized value" warning appears in output.

Fix:
"Use of uninitialized value" warning no longer appears upon UCS install.


526833 : Reverse Proxy produces JS error: 'is_firefox' is undefined

Component: Access Policy Manager

Symptoms:
The web application does not work. There is an error in the JS console: 'is_firefox' is undefined

Conditions:
The web application is running through Portal Access.

Impact:
Web sites do not work.

Fix:
The error is fixed. Web applications work through Portal Access.


526817-6 : snmpd core due to mcpd message timer thread not exiting

Component: TMOS

Symptoms:
snmpd might occasionally experience a thread deadlock condition and be restarted (with a core dump) by sod.

Conditions:
This can occur during an SNMP configuration change.

Impact:
snmpd occasionally becomes unresponsive for the duration of the configured snmpd heartbeat timeout.

Workaround:
After an SNMP configuration change on the BIG-IP system, the deadlock timing issue can be avoided by manually restarting snmpd.

Fix:
snmpd no longer becomes unresponsive for the duration of the configured snmpd heartbeat timeout during configuration changes.


526810-8 : Crypto accelerator queue timeout is now adjustable

Component: Local Traffic Manager

Symptoms:
In order to diagnose crypto queue stuck errors, the timeout value for stuck crypto accelerator queues may now be adjusted using the crypto.queue.timeout DB variable.

The timeout value may be specified in milliseconds using the crypto.queue.timeout DB variable. The default value is 100 milliseconds.

Conditions:
This is only needed if you are getting errors in /var/log/ltm with this signature: crit tmm1[9829]: 01010025:2: Device error: crypto codec qa-crypto0-1 queue is stuck.

Impact:
Adjusting the queue timeout may help in certain configurations where SSL acceleration is the performance bottleneck.

Fix:
The crypto accelerator queue timeout may now be specified in milliseconds using the crypto.queue.timeout DB variable.


526754-3 : F5unistaller.exe crashes during uninstall

Component: Access Policy Manager

Symptoms:
f5unistaller.exe crashes; the crash dump (dmp) points to a double free in the SGetRegistryAsString function.

Conditions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\DisplayName contains zero-length data.

Impact:
f5unistaller crashes.

Workaround:
Using the crash dump created, PD can determine the value of * from there. If data is placed into that DisplayName key, it will no longer trigger this defect.


526699-5 : TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.

Component: Global Traffic Manager

Symptoms:
A BIG-IP DNS system configured with an iRule that makes use of the nodes_up command in its ip_address::port form might crash.

Conditions:
- BIG-IP DNS iRule processing traffic with the nodes_up IP/Port command.
- IP/Port references an invalid LTM virtual server.
- Client sends requests to the BIG-IP DNS wide IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify the correct IP/Port in the nodes_up iRule command.

Fix:
TMM no longer crashes when using an incorrect IP/Port in a nodes_up BIG-IP DNS iRule.


526637-1 : tmm crash with APM clientless mode

Component: Access Policy Manager

Symptoms:
A condition that occurs when using APM in clientless mode can cause a rare tmm crash.

Conditions:
Only occurs on 11.5 and later, and while using clientless mode 3. This crash has been very difficult to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm will no longer crash in APM clientless mode; it now sends a reset.


526617-2 : TMM crash when logging a matched ACL entry with IP protocol set to 255

Component: Access Policy Manager

Symptoms:
When TMM finds a matching ACL entry while enforcing the ACL, and that ACL entry is configured to produce a log entry as well, and the IP protocol for that packet is 255, then TMM crashes.

Conditions:
1. Log is enabled for that ACL entry.
2. IP protocol is set to 255.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ACL logging.

Fix:
TMM no longer crashes when logging a matching ACL entry for an IP datagram with the protocol set to 255.


526578-2 : Network Access client proxy settings are not applied on German Windows

Component: Access Policy Manager

Symptoms:
Network Access client proxy settings are not applied on German Windows with Internet Explorer 10 under obscure conditions.
If the APM address is not in the Trusted Sites list, the issue reproduces reliably.
Windows shows empty fields in the proxy settings UI of Internet Explorer.

Conditions:
Client machine has Windows with German localization.
Client machine has Internet Explorer 10.
APM is not in the Trusted Sites list, or other obscure conditions apply.

Impact:
Network Access works in an unexpected way: the client ignores proxy settings.

Workaround:
Run IE as administrator.
Update to IE11.

Fix:
Proxy settings are now correctly applied on a client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in the proxy settings GUI of Internet Explorer.


526514-2 : Open redirect via SSO_ORIG_URI parameter in multi-domain SSO

Vulnerability Solution Article: K26738102


526492-3 : DNS resolution fails for Static and Optimized Tunnels on Windows 10

Component: Access Policy Manager

Symptoms:
When Static and Optimized Tunnels are used on Windows 10 desktop, accessing a backend server by hostname will fail.

Conditions:
1. Windows 10 desktop.
2. Static or Optimized Tunnels are used.

Impact:
No access to backend servers using hostnames.

Workaround:
None.

Fix:
DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.


526419-2 : Deleting an iApp service may fail

Component: TMOS

Symptoms:
Deleting an iApp service may fail with an error message like this:

01070712:3: Can't load node: 839 type: 4

Conditions:
Unknown.

Impact:
You can't delete an iApp.

Workaround:
Save the configuration. Edit the relevant configuration file to remove the iApp service. Reload the configuration.

Fix:
Deleting an iApp service formerly could fail with an error message like this:

01070712:3: Can't load node: 839 type: 4

This is no longer possible.


526367-2 : tmm crash

Component: Local Traffic Manager

Symptoms:
tmm cores and restarts.

Conditions:
It is not known what causes this, but it is related to use of DTLS in the serverssl profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to DTLS.


526295-4 : BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id

Component: Policy Enforcement Manager

Symptoms:
When using a PEM iRule to create a session with calling-station-id and called-station-id, the BIG-IP system will crash in debug mode.

Conditions:
1. PEM is provisioned.
2. BIG-IP system is running in debug mode.
3. PEM iRule is used to create session with calling-station-id and called-station-id.

Impact:
The BIG-IP system crashes.

Workaround:
Create PEM sessions with iRules that do not set calling-station-id and called-station-id, and then add the two attributes separately using a PEM info iRule.

Fix:
With the fix, the problematic iRule is now working as expected and does not cause any crash.


526275-2 : VMware View RSA/RADIUS two factor authentication fails

Component: Access Policy Manager

Symptoms:
VMware View client fails to authenticate with APM configured for RSA/RADIUS two factor authentication.

Conditions:
APM is configured for VMware View proxy with RSA or RADIUS two factor authentication, and the VMware View client is used.

Impact:
User sees a confusing error message.

Workaround:
Click "OK" on the error message "The username or password is not correct. Please try again." Enter valid AD credentials and log in again.

Fix:
Now APM correctly handles VMware View RSA/RADIUS two factor authentication.


526162-6 : TMM crashes with SIGABRT

Component: Application Security Manager

Symptoms:
TMM crashes with SIGABRT (sod crashes the tmm). This error appears in the LTM logs:
HA daemon_heartbeat tmm fails action is go offline down links and restart

Conditions:
IP reputation is turned on, and the IP reputation database is reloaded.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed a rare scenario where TMM was halted when the IP reputation daemon was loading a new IP reputation database.


526084-1 : Windows 10 platform detection for BIG-IP EDGE Client

Component: Access Policy Manager

Symptoms:
The session.client.platform variable contains "Win8.1" for BIG-IP Edge Client on Windows 10.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM was enhanced to report session.client.platform session variable for BIG-IP Edge Client on Windows 10.


525958-10 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.

Component: Local Traffic Manager

Symptoms:
In a specific combination of events, TMM may core.

Conditions:
This occurs when the following conditions are met:
  - Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
  - That address is not directly connected.
  - The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure correct routing to all destinations with reachable next hops.

Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.


525920 : VPE fails to display access policy

Component: Access Policy Manager

Symptoms:
VPE fails to display the access policy, and the following error is shown:
Server request for 'vpeDialogue' is failed: Request status=500

Conditions:
Always, on certain hotfixes (HF).

Impact:
Catastrophic: an error message is displayed and VPE does not work.

Workaround:
No workaround; a software upgrade is needed.

Fix:
Functionality restored.


525708-2 : AVR reports of last year are missing the last month data

Component: Application Visibility and Reporting

Symptoms:
Reports are missing the latest data collected for them. Each report-type is missing a different portion of the data which is relative to the report-type. This issue becomes very noticeable when creating long-term reports. For example, a 'last-year' report might omit the last month data, 'last-month' report might omit the last week data, and so on.

Conditions:
Every report generated over a long history time range.

Impact:
The presented data can be confusing and misleading.

Fix:
A new data aggregation mechanism has been added, so that all reports include activity up to the last hour.
There is an option to make data available even for the last 5 minutes, although that might cause too much CPU and disk load every 5 minutes.
There is also an option to turn off this new aggregation mechanism if you are not interested in accurate long-history reports and the aggregation task that takes place once an hour is too heavy for the machine.


525595-1 : Memory leak of inbound sockets in restjavad.

Component: Device Management

Symptoms:
restjavad might run out of memory due to inactive sockets piling up in memory. The symptom is 'Out of memory' messages in /var/log/restjavad.0.log, after which any new REST calls fail. The URL that fails is random.

Conditions:
Occurs after a few hours of use.

Impact:
Memory leak of inbound sockets in restjavad. restjavad becomes inoperative.

Workaround:
Restart restjavad with the following command:
bigstart restart restjavad
Note: You can run the command periodically from a cron script.

Fix:
Inbound sockets in restjavad no longer cause a memory leak.


525562-2 : Debug TMM Crashes During Initialization

Component: Access Policy Manager

Symptoms:
Debug version of TMM (tmm.debug) generates core file and fails to start up.

Conditions:
This issue happens when running the debug version of TMM on a multi-blade chassis or vCMP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to the default version of TMM (tmm.default).

Fix:
Removed unnecessary debug assert statements from TMM.


525478-3 : Requests for deflate encoding of gzip documents may crash TMM

Component: WebAccelerator

Symptoms:
When searching for documents in the gzip cache, if a document has been cached with gzip encoding but a non-deflate compression method (i.e., CM != 0x08) and the client has requested deflate compression, TMM may crash.

Conditions:
-- WAM/AAM enabled on VIP.
-- HTTP compression enabled on VIP.
-- Document served with gzip encoding and non-deflate compression.
-- Document has entered the gzip cache.
-- Client HTTP request specifies deflate encoding.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that only the deflate method is used in gzip-compressed documents that will be cached by WAM/AAM. With most web servers this is the default behavior and cannot be changed.

Alternatively, remove the 'Accept-Encoding: deflate' header using an iRule so that no clients can request deflate encoding.

Fix:
The system now correctly handles requests for deflate compression of cached gzip documents that use non-deflate compression methods.


525429-13 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
The OpenSSL library was modified to keep it compatible with the RFC 6347-compliant DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library is modified to be compatible with RFC 6347.
The current APM client is compatible with the old OpenSSL library, not the new OpenSSL library.

Impact:
The current APM client is not compatible with the new OpenSSL library.

Fix:
The APM client is now compatible with both the old and the new OpenSSL library.


525384-3 : Network Access PAC file can now be located on an SMB share

Component: Access Policy Manager

Symptoms:
Network Access web components or Edge Client fail to download the PAC file if it is located on an SMB share, for example as
file:////pac.file.hoster.local/config.pac.

Conditions:
Network Access with Client Proxy Settings enabled, and
the PAC file path set to a location on an SMB share.

Impact:
It is impossible to configure Network Access with a PAC file located on an SMB share.

Workaround:
Put the PAC file on an HTTP server and configure Network Access accordingly.

Fix:
Network Access components can now obtain the PAC file from an SMB share.


525322-6 : Executing tmsh clientssl-proxy cached-certs crashes tmm

Component: Local Traffic Manager

Symptoms:
tmm crashes while executing the "tmsh clientssl-proxy cached-certs" command.

Conditions:
An SSL forward proxy virtual server with a clientssl profile whose full name, including the partition name, is longer than 32 characters (/Common/<profilename> has a length of more than 32 characters).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Keep profile name lengths under 32 characters, or do not run the command until fixed.

Fix:
The "tmsh clientssl-proxy cached-certs" command will now run successfully with profile name lengths longer than 32 characters.


525232-10 : PHP vulnerability CVE-2015-4024

Vulnerability Solution Article: K16826


524960-5 : 'forward' command does not work if virtual server has attached pool

Component: Local Traffic Manager

Symptoms:
The iRule 'forward' command does not result in connections being routed to the proper destination if the virtual server has an attached pool.

Conditions:
Virtual server with:
- Pool.
- iRule that issues 'forward' commands.

Impact:
Connections are routed to a pool member instead of the destination determined by network routes.

Workaround:
Remove the pool assigned to the virtual server, and select the pool using an iRule 'pool' command whenever the 'forward' command is not issued.

Fix:
The 'forward' command now releases the previously selected pool member, enabling the connection to be routed based on the packet destination, as expected.


524909-3 : Windows info agent could not be passed from Windows 10

Component: Access Policy Manager

Symptoms:
APM endpoint check action "Windows Info agent" was not able to detect Windows 10 clients.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM now supports the Windows Info action on Windows 10 clients.


524756-1 : APM Log is filled with errors about failing to add/delete session entry

Component: Access Policy Manager

Symptoms:
APM log is filled with the following error when the issue occurs:

May 21 16:34:16 bigip4013mgmt err tmm2[20158]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)

Conditions:
If a session times out before it completes policy evaluation, APM still attempts to delete its marker from the established session namespace, which results in an ERR_NOT_FOUND error.

Impact:
There is no functional impact. However, the APM log may become useless if the volume of these errors is large.

Fix:
Access Filter now skips session marker deletion if the timed-out session is not in established state.


524748 : PCCD optimization for IP address range

Component: Advanced Firewall Manager

Symptoms:
The PCCD blob size grows too large with a large-scale policy configuration, which causes slow compilation and serialization.

Conditions:
A large-scale policy configuration.

Impact:
Slow compilation/serialization and a large PCCD blob.

Workaround:
N/A

Fix:
With PCCD IP address range optimization, PCCD reduces its compilation/serialization time and blob size.


524666-2 : DNS licensed rate limits might be unintentionally activated.

Component: Local Traffic Manager

Symptoms:
DNS licensed rate limits might be unintentionally activated.

Conditions:
This might occur with a license in which DNS Services is unlimited, but BIG-IP DNS (formerly GTM) is limited.

Impact:
DNS licensed rate limits might be unintentionally activated. Rate counters activate even though rates are unlimited, which unnecessarily uses CPU cycles. Also, features that indirectly look at rate flags, such as hardware DNS, might deactivate improperly even though rates are unlimited.

Workaround:
None.

Fix:
DNS licensed rate limits are now handled as expected.


524641-4 : Wildcard NAPTR record after deleting the NAPTR records

Component: Local Traffic Manager

Symptoms:
There is a DNS query issue when adding/deleting a NAPTR record through ZoneRunner.

Conditions:
After deleting a specific NAPTR record, the previously added wildcard NAPTR record fails for wildcard dig queries, and the system does not show the correct subdomains.

Impact:
Wildcard NAPTR record call fails after deleting the NAPTR records.

Workaround:
None.

Fix:
Wildcard NAPTR record call now completes successfully after deleting the NAPTR records.


524490-7 : Excessive output for tmsh show running-config

Component: TMOS

Symptoms:
The tmsh show running-config output includes many default configuration items. Although the output displays the user-configured items as expected, it is not expected to include default configuration items.

Conditions:
tmsh show sys running-config.

Impact:
The presence of excessive default configuration items makes the tmsh show running-config output parsing difficult.

Workaround:
None.

Fix:
tmsh show sys running-config shows minimal default configuration.


524428-2 : Adding multiple signature sets concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signature sets concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signature sets are added concurrently using REST.

Impact:
Some signature set REST add actions will fail due to deadlock.

Workaround:
Wait until signature set add action has completed in REST before issuing the next add.

Fix:
Multiple signature sets can be added concurrently using REST.


524333-5 : iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out.

Component: TMOS

Symptoms:
When pkcs12_import_from_file_v2 is used immediately after httpd is restarted, or when pkcs12_import_from_file_v2 is used after the session-timeout period, an 'Internal error' response is received.

This issue is not seen if another iControl call is made and pkcs12_import_from_file_v2 is tried after that.

Conditions:
pkcs12_import_from_file_v2 is used immediately after httpd is restarted, or when pkcs12_import_from_file_v2 is used after the session-timeout period.

Impact:
iControl command may fail if httpd is restarted or session times out.

Workaround:
None.

Fix:
iControl command pkcs12_import_from_file_v2 now completes successfully if httpd is restarted or session times out.


524326-3 : Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips

Component: TMOS

Symptoms:
Current configuration validation will allow a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created/loaded without at least one IP address, the configuration will fail to load.

Conditions:
User has deleted the last IP address on a GTM server.

Impact:
Configuration load will fail. If the GTMs are in a sync group, this will also break sync because the config change cannot be loaded by any GTM.

Workaround:
User must either delete the server from the config if it has no more valid IPs, or must add at least one IP to the server's IP address list.

Fix:
Extended MCPD validation to ensure any deleted GTM link/GTM server addresses do not leave parent objects without addresses.


524300-1 : The MOS boot process appears to hang.

Component: TMOS

Symptoms:
When a BIG-IP 2000 series or BIG-IP 4000 series device is booted into MOS (either manually or as a result of a user running the image2disk utility), the MOS boot process appears to hang. In reality, MOS boots successfully, but loses its connection to the BIG-IP system's serial console.

Conditions:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 is booted into MOS.

Impact:
If you booted into MOS manually, you cannot carry out the tasks that you had set out to do. You must reset the device (either physically or via the AOM menu) to recover it.

If the system booted into MOS automatically (as a result of a user running the image2disk utility to perform a clean installation), the installation completes successfully and the system reboots correctly at the end of the installation. However, you cannot see and follow the re-imaging process because of this issue. In this case, you can watch the (seemingly hung) serial console until the system reboots by itself.

Workaround:
You can work around this issue by performing a temporary installation of BIG-IP version 12.0.0 to a new boot slot.
No further action is required. This temporary installation of BIG-IP version 12.0.0 can be deleted once completed.
This temporary installation of version 12.0.0 has the effect of upgrading MOS to a version which resolves this issue.

Fix:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 that is booted into MOS now retains its connection to the serial console.


524281-1 : Error updating daemon ha heartbeat

Component: TMOS

Symptoms:
During shutdown you see the following error in /var/log/ltm: err vcmpd[8590]: 01510004:3: Error updating daemon ha heartbeat: VcmpdHeartbeat.cpp:251 error 0x01140031

Conditions:
This issue applies only on shutdown if the shutdown takes a long time.

Impact:
Error messages are displayed. As long as this occurs only on shutdown, it simply means that vcmpd is unable to communicate with sod, which has already shut down.

Fix:
vcmpd will now only log "Error updating daemon ha heartbeat" if the system is not shutting down.


524279-4 : CVE-2015-4000: TLS vulnerability

Vulnerability Solution Article: K16674


524126-3 : The DB variable provision.tomcat.extramb is cleared on first boot.

Component: TMOS

Symptoms:
You are unable to get to the GUI after upgrading to 11.5.x or 11.6.x from a prior version. The DB variable provision.tomcat.extramb is 0 (zero) after upgrading using a configuration with the variable set to a non-zero value.

Conditions:
The DB variable provision.tomcat.extramb is set to a value other than 0 before installing.

Impact:
The DB value is not rolled forward, so the GUI gets less than expected amount of memory.

Workaround:
After the first boot, set the DB variable provision.tomcat.extramb to the desired amount or restore the saved UCS at /var/local/ucs/config.ucs.

Fix:
The DB variable provision.tomcat.extramb now retains the specified value when rolling forward a configuration.


524004-2 : Adding multiple signatures concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signatures concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signatures are added concurrently using REST.

Impact:
Some signature REST add actions will fail due to deadlock.

Workaround:
Wait until signature add action has completed in REST before issuing the next add.

Fix:
Multiple signatures can be added concurrently using REST.


523922-6 : Session entries may timeout prematurely on some TMMs

Component: TMOS

Symptoms:
In certain scenarios, session entries may not be refreshed when the TMM that owns the entry is used to process the connection.

Conditions:
When the TMM owning the session entry is a different one from the TMM handling the connection and the entry is retrieved, for example via an iRule "session lookup uie", the timeout is extended.

When the TMM owning the entry and the one handling the connection are the same, the entry may not have its timeout changed, which leads to premature removal.

Impact:
Different TMMs may behave differently and cause confusion when using the session table.

Workaround:
None

Fix:
Session table entries now consistently get their timeout values touched in all scenarios.


523867-2 : 'warning: Failed to find EUDs' message during formatting installation

Component: TMOS

Symptoms:
The following message may appear on the console:

warning: Failed to find EUDs
warning: Failed to get volume id for EUD

Conditions:
This warning occurs during a formatting installation.

Impact:
No impact. The message was intended to be logged at the 'info' level.

Workaround:
N/A

Fix:
The 'warning: Failed to find EUDs' diagnostic message during installation has been changed from a warning to info.


523863-1 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
The bash shell would print a cryptic error, and the help did not clarify how to make it work.

Workaround:
Research bash shell options for the cryptic error.

Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.


523854-4 : TCP reset with RTSP Too Big error when streaming interleaved data

Component: Service Provider

Symptoms:
An RTSP connection containing interleaved streams is aborted mid-stream, causing loss of data. This occurs when there is packet loss and retransmission due to an unreliable connection. An RST is sent by BIG-IP with cause "Too big".

There is an RTSP profile parameter Maximum Header Size. When the RTSP filter receives a burst of reassembled stream data that exceeds this size, it aborts with that RST cause. When this parameter is raised above the value of parameter Maximum Queued Data, that parameter is exceeded and the RST cause is "Hudfilter abort". When both parameters are raised much higher, an abort is less likely, but can still occur with cause "Out of memory" (which is a false report as the system is not out of memory).

Conditions:
RTSP profile configured.
Interleaved stream.
Packet retransmissions due to an unreliable connection.

Impact:
RTSP traffic is interrupted or dropped.
The TCP session is reset with a cause of "Too Big" or "Hudfilter abort".

Workaround:
Set both the Maximum Header Size and Maximum Queued Data values to a value greater than 64 KB. This reduces the likelihood of failure, but is only a partial workaround.

Fix:
RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission.


523642-4 : Power Supply status reported incorrectly after LBH reset

Component: TMOS

Symptoms:
On BIG-IP appliances with the Backplane Micro-Controller Hybrid (LBH) type of Always-On-Management device, Power Supply status reporting and enumeration may function incorrectly if the LBH resets due to a watchdog reboot or other cause.

Conditions:
This may occur on BIG-IP 2000-/4000-series, BIG-IP 5000-/7000-series, and BIG-IP 10000-/12000-series platforms.

Impact:
Resets of the LBH device occur very rarely.
When this issue occurs, the status reporting and enumeration of appliance power supplies may be inaccurate.
Errors may be reported when attempting to obtain sensor values from non-present power supplies.
Power supply presence, status and identification may be reported incorrectly following power supply removal or reinsertion.

Workaround:
To work around this issue and restore correct reporting of power supply status, you can restart the chmand process. To do so, perform the following procedure:

Impact of workaround: Restarting the chmand process also restarts core BIG-IP system daemons such as TMM. Running this procedure interrupts traffic processing.

1. Log in to the BIG-IP command line.
2. To restart the chmand process, type the following command:
bigstart restart chmand

Fix:
Power Supply status is now reported correctly after LBH reset.


523527-10 : Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.

Component: TMOS

Symptoms:
If you upgrade directly from version 10.x to version 11.2.0 or later with a working dynamic routing protocol configuration, you may find that the routing protocol is disabled after the upgrade to 11.2.0 or later.

Conditions:
- Upgrade from 10.x to 11.2.0 or later.
- Routing protocol enabled in tmrouted dbkeys.
- No route domain 0 (zero) (RD0) configuration, that is, all VLANs at their defaults in RD0 and no comment, so there is no existing RD0 configuration in bigip_base.conf.

Impact:
Routing protocol information is missing from RD0, ZebOS is not running (although configured).

Workaround:
There are several workarounds to this issue:
- Causing the RD0 configuration to exist by adding a comment to the 10.x description field and saving prior to upgrade.
- Re-adding the routing protocol to the RD0 configuration after the upgrade.
- Performing an intermediate upgrade from 10.x to 11.0.0 or 11.1.0 prior to upgrading to an 11.2.0 or later version.

Fix:
Routing protocols are now correctly configured on Route Domain 0 (zero) (RD0) after upgrade to version 11.2.0 or later.


523513-5 : COMPRESS::enable keeps compression enabled for a subsequent HTTP request.

Component: Local Traffic Manager

Symptoms:
COMPRESS::enable keeps compression enabled for a subsequent HTTP request.

The response for the first HTTP request enables the compression, but it is not used since the payload is empty. For the second HTTP request (whose URI indicates that it is not supposed to be compressed), the system still compresses the response because the first request did not disable compression.

Conditions:
Subsequent HTTP requests in the same TCP connection:
- The first HTTP response has an empty payload and enables compression.
- The second HTTP response is still compressed.

Impact:
Unintended compression for subsequent HTTP responses.

Workaround:
In the iRule, explicitly disable compression with COMPRESS::disable in the else branch for requests that should not be compressed.

Fix:
When compression is enabled from an iRule, it is now disabled again after an HTTP response with an empty payload.


523471-3 : pkcs11d core when connecting to SafeNet HSM

Component: Local Traffic Manager

Symptoms:
Very occasionally, using the SafeNet hardware security module (HSM) results in a pkcs11d core.

Conditions:
This occurs when the SafeNet HSM is used. Because of the rare and intermittent nature of the issue, other required conditions are not known.

Impact:
pkcs11d cores, and HSM-based SSL traffic fails. This occurs as a result of the SafeNet library. It is not a BIG-IP system-specific issue.

Workaround:
None.

Fix:
The SafeNet library has been updated, and pkcs11d no longer cores intermittently.


523465-1 : Log an error message when firewall rule serialization fails due to maximum blob limit being hit.

Component: Advanced Firewall Manager

Symptoms:
Prior to the fix, if AFM rule serialization failed in pktclass-daemon, it was not possible to tell whether the failure was due to an out-of-memory (OOM) condition or to the maximum blob limit being reached. Both errors were logged as OOM in /var/log/ltm.

Conditions:
AFM rule serialization fails due to max blob limit

Impact:
It is hard to isolate that serialization failed due to the max blob limit.

Workaround:
None

Fix:
With the fix, AFM rule serialization failure due to max blob limit is logged appropriately in /var/log/ltm making it easier to identify the cause of the failure.


523434-5 : mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object

Component: TMOS

Symptoms:
mcpd on secondary blades may restart and log an error of the following form: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_http_virtual_data_source) object ID (44). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_http_virtual_data_source status:13)... failed validation with error 17237812.

Conditions:
The exact conditions under which this occurs are not well understood. The immediately triggering event is a change in the cluster's primary blade.

Impact:
All services on an affected blade restart.

Workaround:
None.

Fix:
mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade.


523431-1 : Windows Cache and Session Control cannot support a period in the access profile name

Component: Access Policy Manager

Symptoms:
An access profile name containing a period will not work when using Windows Cache and Session Control. For example '/Common/test.profile' will not work. When evaluating the access policy, an end-user will be redirected to an error page.

Conditions:
Applies to any APM with Windows Cache and Session Control.

Impact:
Access Profile names cannot include a dot.
Invalid name: '/Common/profile.name'
Valid name: '/Common/profile_name'

Fix:
One of the PHP files for cache control has a regex that looks for invalid access profile names. This regex had previously flagged any profile name with a period to be invalid. The regex has been updated to allow periods.


523390-1 : Minor memory leak on IdP when SLO is configured on bound SP connectors.

Component: Access Policy Manager

Symptoms:
Several bytes of memory are leaked when SAML SSO is executed on BIG-IP system, configured as an Identity Provider (IdP), when the Service Provider (SP) connector has single logout (SLO) configured.

Conditions:
BIG-IP is used as Identity Provider, and SLO is configured for bound SP Connector.

Impact:
Several bytes of memory are leaked.

Workaround:
To work around the problem, disable SLO on SP connectors.

Fix:
Fixed memory leaks in the SAML Identity Provider (IdP) when SLO is configured in a Service Provider (SP) connector.


523329 : When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart under certain conditions.

Component: Access Policy Manager

Symptoms:
TMM may restart

Conditions:
- BIG-IP is used as IdP.
- Client or Service Provider sends a number of specific invalid requests to BIG-IP

Impact:
TMM is not available while restarting

Fix:
Issue where TMM would restart as a result of invalid user request is now fixed.


523327-3 : In very rare cases Machine Certificate service may fail to find private key

Component: Access Policy Manager

Symptoms:
The non-elevated client component can find the certificate but not the key, while the machine certificate service/F5 Elevation Helper fails to find the certificate.

f5certhelper.txt (helper) or logterminal.txt (in windows\temp folder for service) contains:
1, , 0, , EXCEPTION - CCertInfo::FindCertificateInStore: CertFindCertificateInStore failed with error code: 80092004

Conditions:
The IE/Edge Client is not running under an Admin user.
A special certificate is used.

Impact:
User fails to pass access policy.

Workaround:
Run IE/BIG-IP Edge Client as an administrator.

Fix:
Now both service and elevation helper can find those specific certificates.


523261-2 : ASM REST: MCP Persistence is not triggered via REST actions

Component: Application Security Manager

Symptoms:
Some REST calls that affect Security policies (create, delete, association to virtual servers, and changing language encoding) should be persisted to the BIG-IP config files after they complete, but are not.

Conditions:
REST API is being used to manage Security Policies.

Impact:
If the device is restarted configuration may be lost.

Workaround:
Perform any other action that persists the configuration (such as an ASM configuration change through the GUI, or any LTM configuration change).

Fix:
Configuration is now correctly persisted when required after ASM REST actions.


523260-2 : Apply Policy finishes with coapi_query failure displayed

Component: Application Security Manager

Symptoms:
GUI actions to apply policy appear to fail with an error message regarding coapi_query.

Conditions:
Unknown.

Impact:
The policy is correctly applied locally; the coapi_query error message occurs after the commit.
This error, however, prevents correct behavior for device group synchronization of the change.

Workaround:
Use REST API to apply the policy:

POST https://<MGMT_IP>/mgmt/tm/asm/tasks/apply-policy
{
  "policy": {
    "fullPath": "/Common/<POLICY_NAME>"
  }
}

Fix:
This release fixes an error that intermittently caused the Apply Policy action to fail.


523222-7 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

Component: Access Policy Manager

Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

If an access policy has a Redirect ending, the Citrix HTML5 client fails to start with an HTTP 400 error.

Conditions:
Citrix Storefront configured in integration mode through APM.

Impact:
The HTML5 client is not usable for this type of integration.

Fix:
Fixed the Citrix HTML5 handling code so that it works with Redirect endings in access policies.


523201-1 : Expired files are not cleaned up after receiving an ASM Manual Synchronization

Component: Application Security Manager

Symptoms:
If a device only receives full ASM sync files from its peers, it never performs cleanup of files that are no longer needed.

Conditions:
An ASM manual synchronization device group is being used.

Impact:
May eventually lead to disk space exhaustion.

Workaround:
None.

Fix:
Files are now correctly cleaned up after loading a new configuration.


523125-1 : Disabling/enabling blades in cluster can result in inconsistent failover state

Component: TMOS

Symptoms:
Not all blades in the cluster agree about the high availability (HA) status.

Conditions:
Disabling and enabling blades in a chassis that is configured to use HA Groups can sometimes result in a blade staying in standby even though the other blades in the chassis have gone active.

Impact:
When the blades disagree about active/standby state, traffic might be disrupted.

Workaround:
None.

Fix:
Disabling/enabling blades in cluster no longer results in inconsistent failover state.


523079-1 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.


523032-5 : qemu-kvm VENOM vulnerability CVE-2015-3456

Vulnerability Solution Article: K16620


522871-4 : [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)

Component: TMOS

Symptoms:
Nested wildcard deletion deletes all of the objects (matched or not matched).

Conditions:
Use deletion in a nested TMSH command. For example:

tmsh modify gtm server GTM1 virtual-servers delete {f*}

This deletes all virtual servers even if none of the servers match. The same issue applies to pool members.

Impact:
All objects are deleted, instead of those targeted for delete.

Workaround:
None.

Fix:
Nested wildcard deletion now deletes matched objects only.


522837-3 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:
None.

Fix:
Ensured that connections are not deleted twice when shutting down, so mcpd no longer cores.


522791-1 : HTML rewriting on client might leave 'style' attribute unrewritten.

Component: Access Policy Manager

Symptoms:
In some cases, the 'style' attribute of an HTML tag containing CSS styles is not rewritten.

Conditions:
This happens when HTML is added to a page using document.write or assignment to innerHTML.

Impact:
Images added with inline CSS styles are not displayed.
The browser sends requests directly to the backend.

Workaround:
Use an iRule to rewrite the 'style' attribute before adding HTML to the page.

Fix:
The HTML 'style' attribute is correctly rewritten for any tag.


522784-3 : After restart, system remains in the INOPERATIVE state

Component: Local Traffic Manager

Symptoms:
After restarting, it is normal for the system to remain in some state other than "Green/Active" for a few minutes while the system daemons complete their initialization.

During this time the following advanced shell command may produce one or more lines of output:

# bigstart status | grep waiting

However, if this condition persists for more than five minutes after access to the root shell via the management interface is available, then you may be experiencing this defect.

Conditions:
BIG-IP versions 11.5.x, 11.6.x, or 12.0.x that have received the fix for bug 502443 but *not* the fix for 522784 may experience this issue. There are no officially supported BIG-IP releases with this condition.

Impact:
As long as the system remains in the INOPERATIVE state, neither LTM nor ASM will function.

Workaround:
In order to work around this problem, de-provision ASM.

Fix:
Resolves a deadlock at startup, when LTM and ASM are provisioned, that may occur as a result of the fix for 502443.


522231-2 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache, TMM may crash, causing failover and a restart of AAM. A profile from another BIG-IP module (other than AAM and LTM) on the virtual server may contribute to the issue.

Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) The client resets the connection immediately after the request completes and before the response has started to be served.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Install the fix.

Fix:
The fix removes the condition in which AAM starts to serve a response on a connection that is already aborting.


522147-1 : 'tmsh load sys config' fails after key conversion to FIPS using web GUI

Component: Local Traffic Manager

Symptoms:
Web GUI does not save config after key conversion to FIPS

Conditions:
On a Cavium-FIPS BIG-IP, create a normal key and then convert it to FIPS using the web GUI.

Impact:
'tmsh load sys config' fails

Workaround:
Two possible workarounds:
1) Run 'tmsh save sys config' after the key conversion to FIPS using web GUI
2) Convert normal key to FIPS using tmsh instead of web GUI

Fix:
Web GUI is now fixed to properly save config after key conversion to FIPS


521835-1 : [Policy Sync] Connectivity profile with a customized logo fails

Component: Access Policy Manager

Symptoms:
Policy sync failed with a customized logo in connectivity profile.

Conditions:
Configure a customized logo on the connectivity profile.
Associate the profile with the access profile through a virtual server.
Start a policy sync.

Impact:
Policy Sync fails.

Workaround:
Keep the default logo in the connectivity profile. After syncing to the target, customize the logo directly on the target devices.

Fix:
A user can include a customized logo in a connectivity profile and sync it.


521813-3 : Cluster is removed from HA group on restart

Component: Local Traffic Manager

Symptoms:
When the system is rebooted (or "bigstart restart" is executed), any HA groups with clusters in them will have those clusters removed.

Conditions:
Chassis-based system with an ha-group and ha-group-cluster configured. All blades have to reboot, since if a single blade is rebooted it pulls the running-config from the primary slot.

Impact:
HA cluster configuration is missing every time all the blades are rebooted.

Fix:
Reverted changes made for ID481611.


521774-2 : Traceroute and ICMP errors may be blocked by AFM policy

Component: Local Traffic Manager

Symptoms:
ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.

Conditions:
The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.

Impact:
Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.

Workaround:
If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.


521773-1 : Memory leak in Portal Access

Component: Access Policy Manager

Symptoms:
Memory consumption of the "rewrite.*" processes grows constantly.
On a manually taken core file, the result of the following command is large (more than 100000):
zcat <core-file.gz> | strings -n 15 | grep "^/f5-w-" | wc -l

Conditions:
Memory leaks occur when the content of a POST request can be modified by Portal Access (for example, XML).

Impact:
Rewrite processes may use all available memory on the box and then cause 'Out of memory' condition and failover.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed a memory leak of request URLs in the rewrite plug-in.


521711-3 : HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual

Component: Local Traffic Manager

Symptoms:
If the client sends a non-keepalive CONNECT request (in HTTP 1.0 with no Connection header, in 1.1 with Connection: close) to a OneConnect-enabled virtual server, HTTP forces the connection closed by sending FIN on both client and server flows, even if the server responds with a 200. If the connect is successful, HTTP should leave flows open regardless of the HTTP headers.

Conditions:
- HTTP and OneConnect profiles are attached to the virtual server.
- Client sends a non-keepalive CONNECT request (either an HTTP/1.0 request with no Connection header, or an HTTP/1.1 request with a 'Connection: close' header).
- Server responds to the CONNECT request with successful 200 OK.

Impact:
HTTP adds a Connection: close header when responding to the client after a successful response is received from the server. In addition, HTTP closes the connection by sending FIN on both client and server flows. If the server responds to the CONNECT request with 200 OK, the connection should remain open.

Workaround:
You can use the following iRule to work around this issue:

   when HTTP_REQUEST {
      if { [HTTP::method] eq "CONNECT" } {
        HTTP::disable
      }
   }

Fix:
HTTP now keeps the connection open if client sends a non-keepalive request and server responds with 200 OK on One-Connect enabled virtual. This is correct behavior.


521556-2 : Assertion "valid pcb" in TCP4 with ICAP adaptation

Component: Service Provider

Symptoms:
TMM crashes with assertion "valid pcb" in tcp4.c

Conditions:
Virtual server with request-adapt or response-adapt profile.
Congested client or TCP small window (flow-control is active).
Multiple HTTP requests in a single client connection.
More likely with iRules that park.

Impact:
Intermittent crash under load.

Fix:
Assertion "valid pcb" does not occur.


521548-5 : Possible crash in SPDY

Component: Local Traffic Manager

Symptoms:
In very rare circumstances related to SPDY protocol handling together with a compression profile a crash may occur.

Conditions:
This is very rare and the exact circumstances are unclear. It involves SPDY, a compression profile, a congested client connection, and a stream being reset by the browser (using a RST_STREAM frame).

Impact:
Very rarely a crash may occur.

Workaround:
Don't apply the compression profile.

Fix:
A sporadic crash when using SPDY together with a compression profile no longer occurs.


521538-3 : Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known

Component: Local Traffic Manager

Symptoms:
After failover of an L4 flow that is using keep-alive, the keep-alive transmissions do not resume after traffic has flowed through the BIG-IP system.

Conditions:
Using HA mirroring of L4 connections, with keep-alive enabled on the TCP profile. After a failover, traffic flows before the flow times out, and then the traffic becomes idle. If there is no traffic after failover, the correct sequence numbers are unknown and this is expected behavior: the flow times out due to inactivity. If there is traffic after failover, the correct TCP sequence numbers are known; if the flow then becomes idle, keep-alive transmissions should resume.

Impact:
Flows after failover with TCP keep-alive age out and expire even if traffic is available to set the sequence numbers. Depending on the configuration options, subsequent packets may reset or transparently create a new flow (if TCP loose initiation is enabled).

Workaround:
None.

Fix:
Keep-alive transmissions now resume after failover of flows on an L4 virtual, when the sequence number is known.


521522-2 : Traceroute through BIG-IP may display destination IP address at BIG-IP hop

Component: Local Traffic Manager

Symptoms:
When performing traceroute through a BIG-IP device, the traceroute utility may display the destination IP in place of the hop where BIG-IP is located, instead of a Self IP address of the BIG-IP device at that hop.

Conditions:
No return route for the client IP address exists on the BIG-IP device.

Impact:
There is no impact to the performance of traffic through the BIG-IP device. The impact occurs only when reading and interpreting the results of a traceroute utility.

Workaround:
If possible and allowed, add a route entry for the traceroute client subnet.

Fix:
Traceroute through BIG-IP now displays a Self IP address of the BIG-IP device at that hop. This is correct behavior.


521506-3 : Network Access doesn't restore loopback route on multi-homed machine

Component: Access Policy Manager

Symptoms:
Network Access on Windows doesn't restore loopback route for one adapter on multi-homed (Ethernet + Wi-Fi) machine.

Conditions:
This issue happens if:
1. Network Access was established via Ethernet
2. Ethernet cable was unplugged
3. Network Access reconnects using Wi-Fi
4. Ethernet cable is plugged in back

Impact:
Minor routing issues may occur if this loopback route is removed. To restore the route, the affected adapter must be disabled and re-enabled.

Fix:
Fixed issues causing improper routing table management.


521455-5 : Images transcoded to WebP format delivered to Edge browser

Component: WebAccelerator

Symptoms:
The Microsoft Edge browser does not support, and cannot render WebP format images. The AAM image optimization framework improperly classifies the Edge browser as being capable of supporting WebP and delivers WebP-transcoded images to such clients.

Conditions:
The AAM system's image optimization and the "optimize for client" setting must both be enabled, and the associated acceleration policy and application must be associated with one or more virtual servers.

Impact:
Some images will fail to render on the Edge browser.

Workaround:
Disable the "optimize for client" attribute in the applicable policies' acceleration assembly settings.

Fix:
Transcoded WebP images are no longer served to the Edge browser.

By default, transcoded JPEG-XR is also no longer served to the Edge browser, but the db variable ccdb.allow.edge.jpegxr may be used to override this.


521408-2 : Incorrect configuration in BigTCP Virtual servers can lead to TMM core

Component: Local Traffic Manager

Symptoms:
An incorrectly configured iRule associated with a BigTCP virtual server can cause TMM to core.

Conditions:
The following circumstances are needed:
   - BigTCP virtual server.
   - FastL4 profile with syncookies enabled.
   - Invalid iRule that fails to execute on LB_FAILED.
   - SYN cookie protection active at that moment.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Correct or remove the iRule event; TMM then no longer cores.

Fix:
TMM now correctly handles the specific scenario to no longer core.


521336-1 : pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core

Component: Local Traffic Manager

Symptoms:
The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core.

Conditions:
When pkcs11d retries while waiting for other services such as tmm or mcpd.

Impact:
After the system reboots, /var/log/ltm shows initialize errors and /var/log/daemon.log shows pkcs11_initialize messages such as the following:
-- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying).
-- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0.

Workaround:
Retry pkcs11d restart when tmm and mcpd are both ready.

Fix:
The retry of pkcs11d initialization no longer posts misleading error messages when pkcs11d retries to wait for other services such as tmm or mcpd.


521183-3 : Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5

Component: Application Security Manager

Symptoms:
Upgrade fails with this error:
---------------------
The de-escalation period can be either zero or greater than or equal to the escalation period
---------------------

Conditions:
ASM is provisioned.
Active DoS profile exists with 'Prevention Duration' set to a value less than 5.

Impact:
Upgrade fails with this error:
---------------------
The de-escalation period can be either zero or greater than or equal to the escalation period
---------------------

Workaround:
Set the 'Prevention Duration' to at least 'Maximum 5 seconds' in all active DoS profiles.

Fix:
We fixed the upgrade process to work with active DoS profiles that have the 'Prevention Duration' setting set to a value less than 5.


521144-7 : Network failover packets on the management interface sometimes have an incorrect source-IP

Component: TMOS

Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.

Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.

Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.

Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example:

  # tmsh delete sys management-route 10.208.101.0/24
  # tmsh save sys config
  # echo "10.208.101.0/24 via 10.208.102.254 dev eth0" > /etc/sysconfig/network-scripts/route-eth0
  # reboot

Fix:
Network failover packets on the management interface now have the correct source IP when the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks and a management-route is necessary for them to communicate.


521036-4 : Dynamic ARP entry may replace a static entry in non-primary TMM instances.

Component: Local Traffic Manager

Symptoms:
On very rare occasions, a dynamic ARP entry may replace a static entry in non-primary TMM instances. When the BIG-IP system attempts to send packets to an address, "tmsh show net arp" lists two entries for the address: one static, and the other with "incomplete" status.

Conditions:
The issue is due to a very rare race condition, and the BIG-IP system is configured with a static ARP entry.

Impact:
The issue may impact traffic flow if traffic goes through non-primary TMM instances.

Workaround:
There is no workaround, but the issue occurs very rarely.

Fix:
Dynamic ARP entry no longer replaces a static entry in non-primary TMM instances.


520924-3 : Restricted roles for custom monitor creation

Vulnerability Solution Article: K00265182


520796-2 : High ASCII characters availability for policy encoding

Component: Application Security Manager

Symptoms:
High ASCII characters are not available, for any policy encoding, in any of the character sets except 'Headers : Character Set'.

Conditions:
ASM is provisioned.

Impact:
High ASCII characters are not available, for any policy encoding, in any of the character sets except 'Headers : Character Set'.

Workaround:
None.

Fix:
High ASCII characters are now available, for the relevant policy encodings, in all character sets.


520705-4 : Edge client contains multiple duplicate entries in server list

Component: Access Policy Manager

Symptoms:
Edge client contains multiple duplicate entries in the server list.

Conditions:
Edge client with duplicate entries in connectivity profile.

Impact:
Edge client shows duplicate entries.

Workaround:
Do not create duplicate entries in connectivity profile

Fix:
BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list.

Behavior Change:
BIG-IP Edge Client for Mac no longer shows duplicate entries in the servers list.


520642-2 : Rewrite plugin should check length of Flash files and tags

Component: Access Policy Manager

Symptoms:
Portal Access Flash patcher could crash or apply incorrect modifications on some malformed Flash files.

Conditions:
This occurs when a Flash file is truncated or contains an incorrect length value in the file or tag headers.

Impact:
It may cause a crash and restart of Portal Access services.

Fix:
Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.


520640-1 : The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.

Component: TMOS

Symptoms:
Using the string returned in the options_seq field by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option method can result in an 'Invalid zone option syntax...' error.

Conditions:
Use of the string returned by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option() method.

Impact:
Strings returned in the options_seq field by the iControl Management.Zone.get_zone method cannot be used in the Management.Zone.set_zone_option() method unless they are reformatted consistent with the format expected by the Management.Zone.set_zone_option() method.

Workaround:
Use the GUI to set the zone options. Alternatively, modify the strings returned in the options_seq field by the iControl Management.Zone.get_zone method to a format consistent with those expected by the Management.Zone.set_zone_option() method. For example, modify options_seq to have each option as a single string (rather than the masters string, which is returned as 3 separate options strings).

Fix:
The iControl Management.Zone.get_zone_v2() method returns a value in the options_seq field in a format that is consistent with the format expected by the Management.Zone.set_zone_option() method.


520585-1 : Changing Security Policy Application Language Is Not Validated or Propagated Properly

Component: Application Security Manager

Symptoms:
After changing the Application Language for a Security Policy and pushing the changes over a manual sync device group, the device group's status immediately returns to "Changes Pending".

Additionally, calls through the REST interface erroneously allowed a client to change the language for a policy where it was already set.

Conditions:
A Security Policy was set to "Auto-Detect" the Application Language, and then set to a specific encoding.
Or an application language is already set and is changed through the REST API.

The issue is seen most prominently in a device group when ASM sync is enabled on a manual sync failover group.

Impact:
1) The change to encoding is not seen if looking at the result in tmsh.

2) In a manual sync group, after the change has been pushed to its peers, the change is correctly written to the MCP configuration when it is loaded. This appears as a new pending change from the peer device, and the device group appears out of sync again.

Workaround:
Push another sync from the peer to the original device.

Fix:
Changes to Language encoding are now validated and propagated correctly.


520540-2 : Specific iRule commands may generate a core file

Component: Local Traffic Manager

Symptoms:
Accessing the information within an HTTP Authorization header via HTTP::username or HTTP::password (or another method) may cause TMM to generate a core file on some requests.

Conditions:
An iRule that uses the HTTP::username or HTTP::password commands, or the sflow feature.

Impact:
Traffic disrupted while TMM generates a core file.

Workaround:
Modify iRule to manually truncate the size of the HTTP Authorization header.

Fix:
HTTP::username, HTTP::password iRule commands, and the sflow feature no longer generate a core file.


520466-3 : Ability to edit iCall scripts is removed from resource administrator role

Vulnerability Solution Article: K16728


520413-12 : Aberrant behavior with woodside TCP congestion control

Component: Local Traffic Manager

Symptoms:
Potential tmm core.

Conditions:
Woodside congestion control along with multiple profile options enabled and certain traffic may cause an issue where tmm may core.

Impact:
With woodside and the other necessary options, TMM may core. Running without woodside, or without the other necessary options, has negative performance implications and might trigger other unexpected behaviors.

Workaround:
Switching from woodside to illinois congestion control avoids the issue.

Fix:
Woodside congestion control along with multiple profile options enabled and certain traffic no longer causes an issue where tmm may core.


520408-1 : TMM ASSERTs due to subkey_record field corruption in the SessionDB.

Component: TMOS

Symptoms:
TMM ASSERTs on 'Subkey is a subkey' in the SessionDB when releasing a record.

Conditions:
This is a rarely encountered issue that might require SAML traffic.

Impact:
TMM ASSERTS, and the system stops passing traffic.

Workaround:
None.


520405-2 : tmm restart due to oversubscribed DNS resolver

Component: Local Traffic Manager

Symptoms:
A max-concurrent-queries configuration setting significantly above default can lead to a situation that causes tmm to restart in certain traffic loads.

Conditions:
DNS cache resolver configured with max-concurrent-queries setting significantly above default.

Impact:
tmm is restarted.

Workaround:
Set the max-concurrent-queries configuration value closer to default.

Fix:
A max-concurrent-queries configuration setting significantly above default no longer leads to a situation that causes tmm to restart in certain traffic loads.


520390-2 : Reuse existing option is ignored for smtp servers

Component: Access Policy Manager

Symptoms:
If a policy is imported with the "reuse existing objects" option and an appropriate SMTP server already exists, the newly imported policy creates and uses a new SMTP server instead of reusing the existing one.

Conditions:
Always

Impact:
Minor - easy to fix after import

Workaround:
Open assignment and reuse existing SMTP server, then delete old one.

Fix:
Reuse existing option works properly for SMTP servers.


520380-4 : save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory

Component: TMOS

Symptoms:
The unit demonstrates behaviors consistent with an out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run.

Conditions:
Enable auto-sync and save-on-auto-sync.

Impact:
Low memory condition may result in system instability.

Workaround:
None.

Fix:
Enabling auto-sync and save-on-auto-sync no longer causes an out-of-memory condition.


520298-1 : Java applet does not work

Component: Access Policy Manager

Symptoms:
Web applications may work incorrectly through Portal Access if they use Java applets.

Conditions:
Website uses Java applet that is loaded with deprecated <applet> HTML tag.

Impact:
Websites can't use Java applets.

Fix:
Java applets now work correctly through Portal Access.


520280-2 : Perl Core After Apply Policy Action

Component: Application Security Manager

Symptoms:
Apply policy causes a perl core.
Further apply-policy operations do not work.

Conditions:
ASM provisioned.
LTM provisioned.
An ASM policy exists that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.

Impact:
Apply policy causes a perl core and an ASM config event dispatcher crash.
The ASM config event dispatcher is then not restarted and remains down.
Further apply-policy operations do not work.

Workaround:
Make sure that if an ASM policy exists that is referenced by an LTM (L7) policy, that LTM (L7) policy is assigned to some LTM virtual server.
One can create a dummy LTM virtual server for that purpose.

Fix:
Perl no longer cores and crashes ASM config event dispatcher in the case of an apply policy to an ASM policy that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.


520205-2 : Rewrite plugin could crash on malformed ActionScript 3 block in Flash file

Component: Access Policy Manager

Symptoms:
The rewrite plugin crashes. The following log message is in the log:
../fm_patchers/abc/abcScanner.cpp:70: void abc::abcScanner::has(size_t): Assertion `GetRemaining() >= (ssize_t)l' failed.

Conditions:
Input file is truncated or contains invalid bytecode instructions at the end of doabc/doabcdefine tag.

Impact:
Portal Access services restart.

Fix:
Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.


520145-2 : [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy

Component: Access Policy Manager

Symptoms:
Policy sync fails with out-of-memory error on target device with big and complex policy.

Conditions:
Profile of big size, for example, excessive use of ACL resource.

Impact:
Policy Sync fails.

Fix:
APM allows a user to sync a large and complex policy.


520118-3 : Duplicate server entries in Server List.

Component: Access Policy Manager

Symptoms:
There are multiple entries in the server list, possibly with different connection strings.

Conditions:
Client ends up with duplicate entries in the server list if it connects to different virtual servers that have the same aliases in the connectivity profile.

Impact:
Duplicate server entries in Server List.

Workaround:
Avoid duplicate aliases across connectivity profiles on servers that client connects to.

Fix:
Single entry in the server list.


520088-1 : Citrix HTML5 Receiver does not properly display initial tour and icons

Component: Access Policy Manager

Symptoms:
When trying to connect with Citrix HTML5 Receiver, the initial tour screen does not display properly.

Conditions:
APM is configured for Citrix replacement mode and Citrix HTML5 Receiver client 1.4-1.6 is used.

Impact:
Issues with GUI user experience. User is presented with an improperly formatted page without icons.

Workaround:
1. Open /config/bigip.conf for edit.
2. Replace 'content-type text/plain' with 'content-type text/css' in HTML5Client(.*).css sections.
3. Replace 'content-type text/plain' with 'content-type text/javascript' in HTML5Client(.*).js sections.
4. Save the file.
5. From the console, type the following command: tmsh load sys config.

Fix:
Now APM correctly sets content type of CSS and JavaScript files when configuring Citrix HTML5 client bundle.


519966-1 : APM "Session Variables" report shows user passwords in plain text

Component: Access Policy Manager

Symptoms:
APM Session Variables report shows user passwords in plain text.

Conditions:
Has password session variable.

Impact:
It is not safe to show users' passwords in plain text.

Fix:
APM Session Variables report masks user passwords, displaying ************ instead.


519877-3 : External pluggable module interfaces not disabled correctly.

Component: TMOS

Symptoms:
External pluggable module interface may show link UP status, when administratively disabled.

Conditions:
Disable any external pluggable module interface that is connected to an enabled peer interface.

Impact:
Disabled external pluggable module interface may link UP and potentially pass traffic.

Fix:
Software fix prevents disabled external pluggable module interface from being re-enabled, as a result of periodic linkscan operations.


519864-2 : Memory leak on L7 Dynamic ACL

Component: Access Policy Manager

Symptoms:
There is a memory leak on Dynamic ACL with regard to HTTP-related configuration, such as the HTTP host name and HTTP URI path in an ACL entry. The leak occurs for every session, because these entries are generated on a per-session basis.

Conditions:
This occurs when using L7 Dynamic Access Control Lists.

Impact:
TMM memory usage increases.

Workaround:
Use static ACL whenever possible.

Fix:
L7 Dynamic ACL is no longer leaking memory.


519746-2 : ICMP errors may reset FastL4 connections unexpectedly

Component: Local Traffic Manager

Symptoms:
FastL4 connections may be reset when receiving an ICMP packet

Conditions:
ICMP packet with an embedded TCP packet is received on an ePVA accelerated flow

Impact:
Connection is reset

Fix:
TCP sequence numbers embedded in an ICMP packet are no longer validated on ePVA accelerated flows.


519510-4 : Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware

Component: TMOS

Symptoms:
TCP throughput might be severely impacted for traffic traversing a tagged VLAN and BCM57800/BCM57810 NIC on BIG-IP VEs.

The 'rxbadsum' counts increase as received LRO'd traffic is ignored by TMM.

Conditions:
1. Traffic traverses a tagged VLAN.

2. This issue might be related to systems using Broadcom BCM57800 or BCM57810 NICs. However, in general the required condition is that packets carrying a VLAN header are received by the uNIC driver.

Impact:
Potential throughput drop during a high volume of data transfer.

Workaround:
You can use either of the following workarounds:

1. Avoid using tagged VLANs.

2. Run the following commands on the ESX hypervisor to disable LRO/GRO system-wide, followed by a reboot.

-- esxcli system settings advanced set -o /Net/Vmxnet2HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet2SwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3SwLRO -i 0
-- esxcli system settings advanced set -o /Net/VmxnetSwLROSL -i 0

Fix:
Change in L4 packet header offset, resulting from VLAN header insertion, is being accounted for to verify checksum.


519415-4 : apm network access tunnel ephemeral listeners ignore iRules (related-rules from main virtual)

Component: Access Policy Manager

Symptoms:
If you want to change timeout values for server-side initiated flows inside Network Access tunnels, ephemeral listeners ignore iRules.
There is a workaround for this through tmsh (not the UI): attach iRules (related-rules) to the main virtual server so that they run on the ephemeral listeners. (These ephemeral listeners are created by Network Access tunnels for lease-pool IPs.) The command for this is, for example:
 tmsh modify ltm virtual vs_dtls related-rules { idle_time }

The problem was that APM Network Access ignored the related-rules on the main virtual server, so the rules were not triggered.

Conditions:
APM Network access use case.

Impact:
Related rules on the main virtual server are not applied to ephemeral listeners (these ephemeral listeners are created by Network Access tunnels for lease-pool IPs).

Workaround:
none.

Fix:
iRules get executed on Ephemeral listeners.


519252-1 : SIP statistics upgrade

Component: Advanced Firewall Manager

Symptoms:
SIP data is lost when upgrading.

Conditions:
Collect SIP data,
Upgrade to newer version (from 11.5.0 to 12.0.0 or beyond).

Impact:
SIP data is lost.

Fix:
After upgrading from version 11.5.3 and later, collected SIP statistics are now moved to the new version.


519217-2 : tmm crash: valid proxy

Component: Local Traffic Manager

Symptoms:
tmm might crash in extremely rare circumstances when a virtual server is used during an update. Standard process is for virtual servers to be unavailable until the configuration update is complete; there are extremely rare circumstances when it is possible for a connection to use a virtual server before it is ready.

Conditions:
This requires that traffic is running during a configuration update, including a config sync from an HA peer. There must be a virtual server or configuration that uses a second virtual server while traffic is running: these include vip-on-vip using iRules and WAM prefetch, but might include other internal conditions.

Impact:
Traffic disruption, possible failover to another device if HA is configured. If using keepalive or other means to keep the connection alive, then a long amount of time might pass between the creation of the invalid flow and any impact from the error.

Workaround:
None.

Fix:
If a virtual server is used during an update (that is, before the virtual server is ready), an error message is now posted to tmm log files, and a small amount of memory is used each time this message is logged.


519216-3 : Abnormally high CPU utilization from external SSL/OpenSSL monitors

Component: TMOS

Symptoms:
The BIG-IP system may experience high CPU utilization when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.

Conditions:
External SSL monitors using OpenSSL. This includes but is not limited to EAV, ldap, sip, soap, firepass, snmpdca, real-server, wmi, virtual-location.

Builtin monitors are not affected, e.g., https, inband.

Impact:
High CPU utilization reported with potential performance degradation.

Workaround:
To work around this issue, you can use a different type of monitor to obtain pool member availability status.

Impact of workaround: Performing the recommended workaround should not have a negative impact on your system.

Fix:
The CPU utilization is reduced when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.


519198-2 : [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user

Component: Access Policy Manager

Symptoms:
Failed to sync a policy in non-Common partition as a non-default admin user.

Conditions:
Log in as different admin user than the default "admin".
Sync a policy that was created in a non-Common partition.

Impact:
Policy Sync fails

Workaround:
Log in as default "admin" user.

Fix:
APM allows a user to log in as any admin user to sync policy in any partition.


519081-6 : Cannot use tmsh to load valid configuration created using the GUI.

Component: TMOS

Symptoms:
Cannot use tmsh to load a valid configuration created using the GUI.

Conditions:
This occurs with the following configuration:
1) Configure a server with :* members.
2) Configure a member-specific gateway-icmp monitor for the :* member.
3) Assign any L4/7 monitor at the server level (http/tcp, etc., with the default '*:*' destination in the monitor).

Impact:
Although the configuration is valid, it fails to load with error: err iqsyncer[16456]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237538 result_message '01070622:3: The monitor /Common/my-tcp-half has a wildcard destination service and cannot be associated with a node that has a zero service.' }

Workaround:
Remove the parent TCP monitor.

Fix:
The server configuration of :* members now loads without error using tmsh.


519068-2 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset, accompanied by messages about self-signed certificates.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).

Fix:
The system now correctly resets device trust when devices are being added to and deleted from the device trust.


519059-2 : [PA] - Failing to properly patch webapp link, link not working

Component: Access Policy Manager

Symptoms:
Any attribute URL in HTML content is rewritten as "javascript:location=..." if a <base> tag is situated before the tag with the attribute, no content hint is set in the HTML rules for that attribute, and cookieless mode is not in use.

Conditions:
Webapp link is not properly patched.

Impact:
Rewritten links are not accessible.

Fix:
WebApp links are now properly rewritten.


519053-4 : Request is forwarded truncated to the server after answering challenge on a big request

Component: Application Security Manager

Symptoms:
Large requests (over 5K) arrive truncated to the server when web scraping bot detection is enabled, or a brute force/session opening attack is ongoing with client-side mitigation.

Conditions:
The request size is between 5k-10k.
Web scraping bot detection is turned on, or a brute force/session opening attack is ongoing with client-side mitigation.

Impact:
The client side challenge mechanism causes a truncation of the request forwarded to the server. Only the first 5k of the request arrives to the server.

Workaround:
Change the internal parameter size max_raw_request_len to 10000.

Fix:
The system's client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.


519022-1 : Upgrade process fails to convert ASM predefined scheduled-reports.

Component: Application Visibility and Reporting

Symptoms:
Upgrades from versions prior to 11.5 fail if a scheduled report uses the predefined settings named 'Top alerted and blocked policies'.

Conditions:
There is a scheduled report that is using the predefined settings named: Top alerted and blocked policies. It can be triggered on upgrade to versions prior to 11.5.4, 11.6.1, and 12.0.0

Impact:
Upgrade process fails.

Workaround:
None.

Fix:
A scheduled report using the predefined settings named: 'Top alerted and blocked policies' no longer causes upgrades from versions prior to 11.5 to fail. The upgrade process now renames the predefined report-type to the correct one and thus the upgrade process does not fail anymore.


518981-1 : RADIUS accounting STOP message may not include long class attributes

Component: Access Policy Manager

Symptoms:
The class attribute should be sent back to RADIUS server unmodified.
However, if the RADIUS server is configured to send lots of long class attributes, the BIG-IP system might drop them when sending accounting stop message.

Conditions:
The BIG-IP system is configured with an Access Policy that contains a RADIUS Acct agent. The RADIUS server is configured to send class attributes with a total size greater than 512 bytes.

Impact:
RADIUS Accounting server doesn't receive STOP message when user session is over.

Fix:
Previously, the BIG-IP system would not send an accounting stop message if class attributes were more than 512 bytes total size. Now, BIG-IP system sends the accounting stop message, but does not include class attributes.


518583-3 : Network Access on disconnect restores redundant default route after looped network roaming for Windows clients

Component: Access Policy Manager

Symptoms:
Windows Network Access restores a redundant default route if the client roams between networks in a loop, e.g.:
NetworkA -> NetworkB -> NetworkA.

Conditions:
* Connect NIC to NetworkA
* Connect to VPN
* Roam to another wifi network SSID (NetworkB)
* Roam back to the original wifi SSID in step #1 (NetworkA)

Impact:
Incorrect default route may cause routing issues on client machine if metric of interfaces connected to NetworkB is lower than metric of interfaces connected to NetworkA

Workaround:
N/A

Fix:
Fixed issue causing redundant default route under described conditions.


518550-5 : Incorrect value of form action attribute inside 'onsubmit' event handler in some cases

Component: Access Policy Manager

Symptoms:
Incorrect value of 'action' form attribute may be used inside 'onsubmit' event handlers if original 'action' is an absolute path.

Conditions:
HTML form with absolute path in 'action' attribute;
'onsubmit' event handler for this form.

Impact:
Web application may work incorrectly.

Workaround:
There is no general workaround. But if 'action' value can be converted to relative path or to full URL (with host), this can be done using iRule.

Fix:
Now value of form 'action' attribute is correct inside event handlers.


518283-4 : Cookie rewrite mangles 'Set-Cookie' headers

Component: TMOS

Symptoms:
'Set-Cookie' headers are syntactically invalid.

Conditions:
Rewrite profile and 'Set-Cookie' header has 'Expires' attribute before 'Path' attribute.

Impact:
'Set-Cookie' headers in the client side become syntactically invalid (two 'Path' values that can be contradictory, plus a broken 'Expires' string).

Workaround:
Put the 'Path' attribute before 'Expires' attribute.

Fix:
The 'Expires' attribute is now properly parsed.
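The failure mode described above (a rewrite that splits on commas or locates attributes by position breaks the 'Expires' date, which itself contains a comma and spaces, and can emit a second 'Path' value) is best avoided by tokenising the header on ';' only, since an RFC 6265 cookie-date never contains a semicolon. The following is an added illustration written for this page, not F5's rewrite code: it parses a Set-Cookie value into its attribute list and rewrites the path exactly once, regardless of whether 'Expires' precedes or follows 'Path'. The sample headers are constructed.

```python
from typing import List, Tuple

Attrs = List[Tuple[str, str]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split a Set-Cookie header value into (name, value, [(attr, val), ...]).

    Attributes are separated by ';'. The Expires date ("Wed, 21 Oct 2015
    07:28:00 GMT") contains a comma and spaces but never a ';', so splitting
    on ';' keeps it intact wherever it appears in the attribute list.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Attrs = []
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        # Flag attributes such as HttpOnly / Secure have no '=' and no value.
        attrs.append((key.strip(), val.strip() if sep else ""))
    return name.strip(), value.strip(), attrs


def serialize_set_cookie(name: str, value: str, attrs: Attrs) -> str:
    """Re-emit the header in the original attribute order."""
    parts = [f"{name}={value}"]
    for key, val in attrs:
        parts.append(f"{key}={val}" if val else key)
    return "; ".join(parts)


def rewrite_cookie_path(header: str, new_path: str) -> str:
    """Rewrite (or add) the Path attribute so that exactly one Path survives.

    Attribute order is preserved, so an Expires attribute placed before Path
    is passed through untouched rather than being re-tokenised.
    """
    name, value, attrs = parse_set_cookie(header)
    out: Attrs = []
    seen_path = False
    for key, val in attrs:
        if key.lower() == "path":
            if seen_path:
                continue  # drop any duplicate Path already present upstream
            out.append(("Path", new_path))
            seen_path = True
        else:
            out.append((key, val))
    if not seen_path:
        out.append(("Path", new_path))
    return serialize_set_cookie(name, value, out)


if __name__ == "__main__":
    # Constructed sample headers: Expires before Path, and Path before Expires.
    for h in (
        "sid=abc; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/app; HttpOnly",
        "sid=abc; Path=/app; Expires=Wed, 21 Oct 2015 07:28:00 GMT; HttpOnly",
    ):
        print(rewrite_cookie_path(h, "/"))
```

Both orderings yield a header with a single Path attribute and the Expires date unchanged; a quick sanity check after any rewrite layer is to count occurrences of "path=" (case-insensitive) in the client-side header and confirm it is one.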


518275-3 : The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file

Vulnerability Solution Article: K48042976


518260-4 : Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message

Component: Access Policy Manager

Symptoms:
The NTLMSSP_TARGET_INFO flag is not set on the NTLMSSP_CHALLENGE message generated by ECA, although the Target Info attribute itself is included. Certain NTLM clients may ignore the Target Info attribute because of this, and fall back to NTLMv1 authentication. With the Active Directory default configuration this is not an issue. However, if you have specifically required NTLMv2 in your policy, authentication never succeeds because of the protocol mismatch.

Conditions:
This occurs when NTLMv2 is set to required and NTLMv1 is denied in your ActiveDirectory policy.

Impact:
Users cannot authenticate.

Fix:
NTLM client that depends on NTLMSSP_TARGET_INFO flag can complete NTLM authentication using NTLMv2 protocol.


518086-1 : Safenet HSM Traffic failure after system reboot/switchover

Component: Local Traffic Manager

Symptoms:
SafeNet hardware security module (HSM) Traffic failure after system reboot/switchover.

Conditions:
Restart of services on primary or secondary blade.

Impact:
Traffic fails. There is no pkcs11 connection on the new primary blade.

Workaround:
The workaround is to restart pkcs11d on the secondary blade.

Fix:
The system now waits until MCPD is fully loaded before attempting SafeNet hardware security module (HSM) communication.


518039-2 : BIG-IQ iApp statistics corrected for partition use cases

Component: TMOS

Symptoms:
When the f5.http iApp is deployed in a partition, the icall script fails to get stats because it assumes the application is in /Common.

Conditions:
iApps are running in an administrative partition.

Impact:
BIG-IQ customers fail to get statistics from iApps running on BIG-IP.

Fix:
Certain iApps deployed by BIG-IQ now provide statistics.


518020-10 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
An improperly formatted HTTP connection through BIG-IP may cause the connection to hang and eventually time out.

Conditions:
If the HTTP version token in the request is improperly crafted, BIG-IP ends up treating the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling, and is not passed to the backend server.

If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as HTTP 1.1, and both servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend servers time out the connection a few seconds later.

F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations:
1) An iRule that drops the connection after a specified amount of idle time.
2) An iRule that validates the request line and fixes it.
3) Tuning of profile timeouts.
4) ASM prevents this issue.

Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.
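The root cause above is a request-line parser that treats anything it cannot recognise as an HTTP/0.9 simple request instead of rejecting it. As an added example for this page (not F5's implementation or its iRule), the following Python classifies a request line strictly per the RFC 7230 grammar: a well-formed `HTTP/DIGIT.DIGIT` token is accepted, a genuine two-token `GET <target>` is the only form treated as HTTP/0.9, and anything else is classed as malformed so a proxy can answer 400 and close rather than hold the remaining bytes back. The sample request lines are constructed.

```python
import re
from typing import Dict, Tuple

# RFC 7230 s2.6: HTTP-version = "HTTP/" DIGIT "." DIGIT
_VERSION_RE = re.compile(r"^HTTP/([0-9])\.([0-9])$")
# RFC 7230 s3.2.6 token characters (method names are tokens)
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def classify_request_line(line: str) -> Dict[str, object]:
    """Classify one request line.

    Returns {"status": "ok"} for a well-formed HTTP/1.x request line,
    {"status": "http09"} only for a genuine simple request ("GET /path"),
    and {"status": "malformed", "reason": ...} for everything else, so that a
    bad version token is never silently downgraded to HTTP/0.9.
    """
    line = line.rstrip("\r\n")
    parts = line.split(" ")
    if len(parts) == 2:
        method, target = parts
        if method == "GET" and target.startswith("/"):
            return {"status": "http09", "method": method,
                    "target": target, "version": (0, 9)}
        return {"status": "malformed", "reason": "simple-request must be GET"}
    if len(parts) != 3:
        return {"status": "malformed", "reason": "expected 3 tokens"}
    method, target, version = parts
    if not _TOKEN_RE.match(method):
        return {"status": "malformed", "reason": "bad method token"}
    if not target:
        return {"status": "malformed", "reason": "empty request-target"}
    m = _VERSION_RE.match(version)
    if not m:
        return {"status": "malformed", "reason": "bad HTTP-version token"}
    return {"status": "ok", "method": method, "target": target,
            "version": (int(m.group(1)), int(m.group(2)))}


def proxy_decision(raw: bytes) -> Tuple[str, object]:
    """Decide what a proxy should do with the first line of a raw request.

    "forward"        -> full HTTP/1.x request, pass all data to the backend
    "forward-simple" -> true HTTP/0.9 simple request
    "reject"         -> malformed; respond 400 and close, do not buffer
    """
    head, _, _ = raw.partition(b"\r\n")
    try:
        line = head.decode("ascii")
    except UnicodeDecodeError:
        return ("reject", "non-ASCII request line")
    result = classify_request_line(line)
    if result["status"] == "ok":
        return ("forward", result["version"])
    if result["status"] == "http09":
        return ("forward-simple", result["version"])
    return ("reject", result["reason"])


if __name__ == "__main__":
    # Constructed sample request lines.
    for sample in ("GET /index.html HTTP/1.1", "GET /index.html",
                   "GET /index.html HTTP/1.x", "GET /index.html HTTP/11"):
        print(f"{sample!r:35} -> {classify_request_line(sample)['status']}")
```

The distinguishing check is the anchored `HTTP/DIGIT.DIGIT` match: `HTTP/1.x` and `HTTP/11` both fail it and are rejected outright, whereas a parser that only looks for the `HTTP/` prefix, or that falls through to 0.9 on any mismatch, is what produces the hung connection the entry describes.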


517988-1 : TMM may crash if access profile is updated while connections are active

Component: Access Policy Manager

Symptoms:
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.

Conditions:
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
(These are untested...)

Without HA, (1) disable virtuals using access profile, (2) delete any active connections on the virtuals, (3) update access profile, and, (4) enable virtuals.

With HA, (1) update access profile on standby, (2) failover to the standby, and (3) sync the configuration.

Fix:
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.


517872-2 : Include proxy hostname in logs in case of name resolution failure

Component: Access Policy Manager

Symptoms:
It's hard to troubleshoot cases when proxy name resolution failure happens.

Conditions:
Troubleshooting is required in proxy name resolution area.

Impact:
Network Engineer has problems with identifying root cause.

Fix:
Now proxy hostname is printed to logfile when resolution fails.


517790-11 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped

Component: Local Traffic Manager

Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.)

If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.

Conditions:
Non-HTTP data sent to the server-side not belonging to a response.

Impact:
Banner protocols, where the server responds before seeing any data, do not pass through the Transparent HTTP proxy.

Non-HTTP protocols that start with a pseudo-HTTP response, followed by extra data will reject the connection when the extra data is seen.

Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.

Fix:
The transparent HTTP profile's passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.


517714-2 : logd core near end of its life cycle

Component: TMOS

Symptoms:
logd can core on shutdown.

Conditions:
Forcing shutdown of logd

Impact:
logd does not shut down gracefully.

Workaround:
N/A

Fix:
This is seen when forcing shutdown of logd only.


517613-2 : ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps

Component: Local Traffic Manager

Symptoms:
ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps.

Conditions:
Create a ClientSSL profile (p1) with user-defined key/certificate/chain.
Create another clientSSL profile (p2) with all default fields.
Modify p2 to have the defaults from p1.

Impact:
GUI shows the right key/certificate/chain in p2, whereas tmsh shows p2 to have default key and certificate.

Workaround:
None.

Fix:
ClientSSL profile now has the correct key/certificate/chain when multiple profiles are created with differing key/certificate/chain values.


517590-1 : Pool member not turning 'blue' when monitor removed from pool

Component: Local Traffic Manager

Symptoms:
Pool member's status does not update when a monitor is removed from the pool.

Conditions:
Must have a pool configured with a monitor and pool members

Impact:
Traffic may be routed incorrectly

Workaround:
One may be able to update the pool member status by toggling the pool member's state down and then up again.

Fix:
The pool member's status updates when the pool's monitor is removed.


517582-5 : [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.

Component: Global Traffic Manager

Symptoms:
Cannot delete a region even though it is not referenced by any record.

Conditions:
This occurs after a failed attempt to delete a region that is referenced by a record.

Impact:
Hard to manage topology regions.

Workaround:
Restart mcpd.

Fix:
Can now delete regions after failed deletion.


517580-2 : OPT-0015 on 10000-series appliance may cause bcm56xxd restarts

Component: TMOS

Symptoms:
Changing configuration (enable/disable/auto-negotiation) on copper SFPs on 10000-series appliance might cause an internal bus to hang. Symptoms are bcm56xxd process restarts, and the interfaces may show as unknown.

Conditions:
Only copper SFPs OPT-0015 on 10000-series appliances exhibit this problem.

Impact:
The bcm56xxd process restarts, and the interfaces may show as unknown.

Workaround:
To work around this issue, follow these steps:
1) Force the system offline.
2) Reboot the system.
3) Release the system's offline status.

Fix:
The bcm56xxd daemon detects a bus problem and resets the bus to recover communications with SFP transceivers.


517564-2 : APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP APM 11.6.0, there is a new feature called LDAP Group Resource Assign agent. The agent relies on a group list that is retrieved at AAA > LDAP Server > Groups configuration page.
AAA LDAP Server fails to update the group list when the backend LDAP server is configured to use a port other than 389 (the default port).

Conditions:
Backend LDAP server is configured to use a non-default port (a port other than 389).
LDAP Group Resource Assign agent is added to an Access Policy.

Impact:
It is impossible to update group list from LDAP server.
LDAP Group Resource Assign agent does not provide a list of LDAP groups for easy configuration.

Fix:
LDAP groups can now be retrieved from an LDAP server that uses a non-default port (a port other than 389).


517556-2 : DNSSEC unsigned referral response is improperly formatted

Component: Local Traffic Manager

Symptoms:
When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. Type bitmap should contain an NS type.

Conditions:
DNSSEC processing an unsigned referral response from DNS server.

Impact:
DNSSEC referral response is not RFC compliant.

Workaround:
None.

Fix:
NS type added to NSEC3 type bitmap, so that DNSSEC unsigned referral response is properly formatted.
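To make the fix concrete, here is an added example (written for this page, not BIG-IP's DNSSEC code) of the NSEC/NSEC3 Type Bit Maps encoding from RFC 4034 section 4.1.2 (reused by NSEC3 in RFC 5155), together with a check that an NSEC3 covering an unsigned delegation lists NS and does not list SOA or DS. An empty bitmap, the symptom described above, fails that check. The RRTYPES table is a constructed subset of the IANA type numbers.

```python
from typing import Iterable, Set, Union

# Constructed subset of IANA RR type codes (enough for the example).
RRTYPES = {"A": 1, "NS": 2, "SOA": 6, "DS": 43, "RRSIG": 46, "NSEC3": 50, "CAA": 257}

TypeSpec = Union[str, int]


def _code(t: TypeSpec) -> int:
    return RRTYPES[t] if isinstance(t, str) else int(t)


def encode_type_bitmap(types: Iterable[TypeSpec]) -> bytes:
    """RFC 4034 s4.1.2 window-block encoding.

    Each 256-type window is [window number][length][bitmap], with trailing
    zero bytes trimmed and windows with no bits set omitted entirely.
    """
    windows = {}
    for t in types:
        code = _code(t)
        win, low = code >> 8, code & 0xFF
        bm = windows.setdefault(win, bytearray(32))
        bm[low // 8] |= 0x80 >> (low % 8)  # bit 0 is the most significant bit
    out = bytearray()
    for win in sorted(windows):
        bm = bytes(windows[win]).rstrip(b"\x00")
        if bm:
            out += bytes([win, len(bm)]) + bm
    return bytes(out)


def decode_type_bitmap(data: bytes) -> Set[int]:
    """Inverse of encode_type_bitmap; rejects truncated or oversized windows."""
    types: Set[int] = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"invalid window length {length}")
        bm = data[i + 2:i + 2 + length]
        if len(bm) != length:
            raise ValueError("truncated window bitmap")
        for byte_idx, b in enumerate(bm):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.add((win << 8) | (byte_idx * 8 + bit))
        i += 2 + length
    return types


def referral_nsec3_is_wellformed(bitmap: bytes) -> bool:
    """An NSEC3 matching an unsigned delegation must list NS, and must not
    list SOA (that would mark a zone apex) or DS (the delegation is unsigned).
    See RFC 4035 s2.3 and RFC 5155 s7.1."""
    try:
        types = decode_type_bitmap(bitmap)
    except ValueError:
        return False
    return RRTYPES["NS"] in types and RRTYPES["SOA"] not in types \
        and RRTYPES["DS"] not in types


if __name__ == "__main__":
    good = encode_type_bitmap(["NS"])
    print(good.hex(), referral_nsec3_is_wellformed(good))   # 000120 True
    print(referral_nsec3_is_wellformed(b""))                # empty bitmap: False
```

A DNSSEC validator that sees an empty Type Bit Maps field on the referral NSEC3 cannot prove the NS RRset exists at the delegation point, which is why the missing NS bit makes the response non-compliant rather than merely untidy.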


517510-5 : HTTP monitor might add extra CR/LF pairs to HTTP body when supplied

Component: Local Traffic Manager

Symptoms:
When supplying HTTP containing body text to the HTTP monitor, the system might append extra CR/LF pairs to the end.

Conditions:
HTTP monitor with text specifying HTTP body text.

Impact:
This may cause malformed POST or PUT messages.

Workaround:
Limited work-around entails providing an alternative HTTP health check that does not require PUTting or POSTing a body.

Fix:
The HTTP monitor has been fixed to avoid adding additional CR/LF pairs, except for the case where only headers are supplied and there are insufficient CR/LF supplied to terminate the headers.


517465-3 : tmm crash with SSL

Component: Local Traffic Manager

Symptoms:
Under some rare conditions, a problem with SSL might cause TMM to crash.

Conditions:
An SSL alert is sent during the SSL handshake.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None known.

Fix:
A tmm crash related to alerts sent during an SSL handshake failure has been fixed.


517441-4 : apd may crash when RADIUS accounting message is greater than 2K

Component: Access Policy Manager

Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are many attributes whose total size is greater than 2K, apd may crash.

Conditions:
A RADIUS Acct agent is configured in an access policy, and the RADIUS Acct request contains numerous attributes.

Impact:
The service becomes unavailable while the apd process restarts.

Fix:
The maximum size of a RADIUS packet is now set to 4K (RFC 2865).
If the total size of the attributes is greater than 4K, the packet is truncated to 4K.


517388-6 : Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.

Component: TMOS

Symptoms:
The system recognizes and displays to the user only a few relative distinguished names (RDNs): division name, state name, locality name, organization name, country name, and common name.

Conditions:
The certificate subject or issuer contains RDNs other than those listed above; these are not parsed correctly.

Impact:
Parsing the DN (for subject or issuer) might combine fields, resulting in RDN values that are longer than allowed. This causes issues when trying to store these values in the Enterprise Manager (EM) database.

Workaround:
None.

Fix:
All relative distinguished names (RDNs) are now parsed as expected. Previously, the system correctly parsed only the RDNs for division name, state name, locality name, organization name, country name, and common name.


517282-6 : The DNS monitor may delay marking an object down or never mark it down

Component: Local Traffic Manager

Symptoms:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Conditions:
A DNS monitor with no configured recv string receives an ICMP error other than port unreachable.

Impact:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Workaround:
Supply an appropriate recv string to the monitor definition:
  tmsh modify ltm monitor dns mydns recv 10.1.1.1

Or add another monitor to the object:
  tmsh modify ltm pool dnspool monitor min 2 of { mydns gateway_icmp }

Fix:
The DNS monitor now marks the server down when it receives an ICMP administratively prohibited error, which is the correct behavior.


517209-6 : tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable

Component: TMOS

Symptoms:
Running tmsh save sys config file /var/tmp or /shared/tmp, or a relative path to one of these directories (for example, /config/../shared/tmp), saves the SCF at the specified real path. However, because the /var/tmp directory is used internally by BIG-IP daemons, some functionality may be rendered unusable until the /var/tmp symlink to /shared/tmp is restored.

Conditions:
Saving the sys config file to /var/tmp or /shared/tmp (or a relative path to one of these directories).

Impact:
Some system functionality may be rendered unusable.

Workaround:
Use the following commands to delete the SCF and restore the symlink:
  rm -f /var/tmp
  ln -s /shared/tmp /var/
  bigstart restart

Fix:
/var/tmp and /shared/tmp are now invalid paths for the tmsh save sys config file command.


517146-2 : Log ID 01490538 may be truncated

Component: Access Policy Manager

Symptoms:
Log ID 01490538 may appear truncated in /var/log/apm. It is supposed to say "Configuration snapshot deleted by Access".

Conditions:
Access profile snapshots are timing out and being deleted by the system.

Impact:
Most likely only corrupted log messages. There is a very slight chance of a crash, because the string terminator is written to the wrong location in memory.

Workaround:
No workaround.

Fix:
Log ID 01490538 now prints correctly to /var/log/apm.


517124-6 : HTTP::retry incorrectly converts its input

Component: Local Traffic Manager

Symptoms:
The HTTP::retry iRule command converts its input into UTF-8. If the input is a bytearray using some other encoding, bytes with the high bit set may be corrupted.

The resulting corrupted request will then be sent to the server as the retried request.

Conditions:
The input to HTTP::retry is a Tcl bytearray rather than a Tcl string. The output of some commands (for example, HTTP::payload) is a bytearray. Strings are in UTF-8 format; bytearrays are not.

Impact:
Non-ASCII characters may be corrupted when HTTP::retry is used.

Fix:
The HTTP::retry command no longer corrupts input that is not in UTF-8 format.


517020-4 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command:
  tmsh show sys services

Here is an example of the status when the system is in this state:
  subsnmpd run (pid 4649) 26 days, got TERM

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log file contains numerous messages similar to the following:
  Received broken packet. Closing session.

The /var/log/sflow_agent.log file contains numerous messages similar to the following:
  AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command:
  bigstart restart subsnmpd

Fix:
SNMP request handling has been improved so that requests no longer fail after a number of days.


517013-2 : CSS mini