Release Notes : BIG-IQ Centralized Management 5.0.0

Applies To: BIG-IQ Centralized Management 5.0.0
Release Notes
Original Publication Date: 06/22/2016 Updated Date: 04/18/2019

Summary:

This release note documents version 5.0.0 of BIG-IQ Centralized Management.

About BIG-IQ

BIG-IQ Centralized Management gives you all the tools you need to monitor, license, and configure BIG-IP devices, and the BIG-IQ system itself, from one location. With BIG-IQ, you can manage some or all of the following aspects of the BIG-IP devices:
  • Access
  • ADC
  • Fraud Protection Services
  • Network Security
  • Web Application Security
  • Change Management
  • Audit Logging
Performing tasks on your managed devices from BIG-IQ saves you time because you don't have to log on to each BIG-IP device individually and make changes only to that device. Instead, you can access devices remotely, and monitor and manage several devices at once.

New features

BIG-IQ System

  • New and improved user interface experience
    • Functional areas are now accessed through menus, rather than panels.
    • Unified navigation provides the same look and feel throughout the product.
  • Improved scalability to support more devices and network objects
  • Support for Closed Circuit Network (CCN) licensing for BIG-IQ.
  • Additional pre-defined user roles and new customizable user roles.
  • BIG-IQ Logging Node integration. This includes support for BIG-IQ Access, BIG-IQ Fraud Protection Security (FPS) and BIG-IQ Web Application Security.
  • Audit logs now capture and record all user-initiated BIG-IQ tasks and are organized into five categories: Local Traffic & Network, Network Firewall Security, Web Application Security, and Fraud Protection Services.
  • Support to export audit logs to syslog for long-term storage.

BIG-IQ Device

  • Unified device discovery
    • A single BIG-IP Device inventory for all managed devices, regardless of services licensed.
    • Ability to export BIG-IP Device inventory to CSV to create customizable reports.
    • Ability to discover BIG-IP Application Policy Manager (APM) and BIG-IP Secure Web Gateway (SWG) service configurations.
    • Support for bulk upgrades of managed BIG-IP devices.
    • VIPRION blade serial numbers now included in the BIG-IP Device inventory list.
  • Licensing
    • Support for Closed Circuit Network (CCN) licensing for BIG-IP devices.
    • BIG-IQ pool licensing support for up to 5,000 concurrent license grants.
    • Current and historical reporting for purchased pools, volume licensing pools, and utility licensing pools.
    • Ability to license devices that you have not discovered from BIG-IQ by entering the device's user name and password.

BIG-IQ Access
  • Centralized Policy Management
    • Support for exporting BIG-IQ Access and BIG-IP Secure Web Gateway (SWG) reports to CSV to create customizable reports. Reports include top users, top websites, top categories, and top client IPs by request count.
    • SWG Dashboard that displays request count trends, top users, and top categories.
    • Ability to deploy a policy to up to 100 BIG-IP devices.
  • Centralized Reporting
    • Access Dashboard with a view of sessions trends, top users, license usage, and top countries by session count.
    • Ability to run reports within a selected time range as well as using a flexible time slider for quick time range views.
    • Ability to drill down on reports for further analysis, such as identifying problem areas and usage trends.
    • Zoom in on Geo Map reports.
    • Reports for:
      • Session Summary
      • ACL
      • Network Access, Portal Access usage
      • License usage trends
      • Bad IP reputation clients
      • Browser types distribution
      • Access Profile usage trends by session count
      • Session Termination reports.

BIG-IQ ADC
  • Snapshot and rollback are now supported.
  • Evaluation and difference comparison of configurations when importing and deploying.
  • Deployment schedules.
  • Expanded management for local traffic objects:
    • Virtual Servers support more attributes, including iRule/profile attachment.
    • Pools and Pool Members support more attributes.
    • Nodes support more attributes.
    • Ability to create, discover, and deploy iRules, and attach and remove iRules from one or more Virtual Servers.
    • You can now discover Monitors and Traffic Profiles and attach them to relevant objects (read-only).
  • Expanded network objects support:
    • Self IP, VLAN, Interface are included in the consolidated change management.
    • You can configure Route, Route Domain, DNS Resolver.
  • Delegation of self-serve pool member management (enable, disable, and force offline) to a lower-privileged user.
  • Delegation of self-serve Virtual Server management (enable and disable) to a lower-privileged user.
  • You can clone an existing Virtual Server configuration to create a new Virtual Server.
  • Deeper validation of configuration changes against BIG-IP system validation rules.

BIG-IQ AVR
  • Support for BIG-IP version 12.1.0, including AFM DoS Sweeper reports.
  • Ability to port legacy ASM/AFM reports.

BIG-IQ Network Security - (AFM)
  • Firewall rule reports for duplicate, overlapping, or outdated content to help you clean up firewall policies and improve performance and maintainability.
  • Rule Monitoring provides statistical information for rule-hit-count and rule compilation.
  • Improved discovery of and interoperability with clustered BIG-IP devices (DSC sync).
  • Support for DoS Vectors on BIG-IP devices.
  • Support for NAT Firewall Policy management.
  • Support for FQDNs as a source or destination in firewall rules.
  • Ability to configure BIG-IP DNS security services.
  • Support for firewall idle timer objects.

BIG-IQ Web Application Security - ASM
  • ASM now includes:
    • Consolidated device deployment into new Unified Deploy.
    • Unified object editor.
    • Ability to create user-defined signatures for deployment to BIG-IP devices.
  • New Web Application Security roles:
    • Viewer: A user role capable only of reviewing Web Application configurations.
    • Editor: A user role capable only of editing and managing Web Application configurations; it cannot deploy anything to BIG-IP devices.
    • Deployer: A user role able only to deploy changes to BIG-IP devices, without being able to make configuration changes on the BIG-IQ.

BIG-IQ Security - FPS
  • On-premise support for Fraud Protection Service (FPS) with a dashboard that enables you to:
    • View and search alerts.
    • Apply transforms and severity to the alerts.
    • Download alert transform rules from F5 Security Operations Center (SOC).
    • Support mobile alerts from Android and iOS devices forwarded by BIG-IP systems, to identify whether a mobile device is exposed to security risks.
    • Provide multiple ways to forward alerts, including syslog, SOC, SMTP (email), and custom (HTTP/HTTPS).

Screen resolution requirement

To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.

Browser support

BIG-IQ supports the following browsers and versions:

  • Microsoft Internet Explorer version 11 and later
  • Microsoft Edge version 12 and later
  • Mozilla Firefox version 29.x and later
  • Google Chrome version 34.x and later

BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

In general, this table outlines managed device compatibility:

Functional Description       Minimum BIG-IP version   Maximum BIG-IP version
Device operations            11.5.0 HF7               12.1.x
Upgrade - legacy devices     10.2.0                   11.4.1
Upgrade - managed devices    11.5.0 HF7               12.1.x
ADC management               11.5.1 HF4               12.1.x
AFM                          11.5.2                   12.1.x
Access                       12.1.0                   12.1.x
ASM                          11.5.3 HF2               12.1.x
FPS                          11.6.0                   12.1.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ 5.0.0 Documentation page.

Software installation

For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ Centralized Management: Licensing and Initial Configuration guide.

For instructions about how to upgrade from BIG-IQ version 4.5.x to 5.0, refer to the BIG-IQ Centralized Management: Upgrading BIG-IQ to version 5.0 guide.

Behavior changes

ID Functional Area Description
592887 ADC The ability to delete VLANs on managed devices has been deprecated from BIG-IQ 5.0. To work around this limitation: 1. Log in to the BIG-IP device and delete the VLAN. 2. Log in to BIG-IQ, then re-discover and re-import the device.
593998 ADC The ability to view statistics for specific ADC objects has been removed due to scale and performance issues. Status for some objects is still available.
594000 ADC The ability in BIG-IQ ADC to find objects related to a particular object (related-to searching) has been removed in version 5.0 and replaced with the ability to on the configuration tables, as well as across all ADC objects from the left navigation menu.
594006 ADC The ability to create ADC objects within BIG-IP Administrative Folders has been removed. Only creation is affected; objects within folders can still be discovered, edited, and deleted from BIG-IQ ADC.
594009 ADC In BIG-IQ ADC, you cannot manage BIG-IP devices with configured VLAN Groups. You must remove the VLAN Groups in BIG-IP prior to managing the device from BIG-IQ.
594023 ADC In BIG-IQ version 5.0, all fine-grained RBAC features for ADC objects have been removed, with the exception of these features: pool member enable, pool member disable, pool member force-offline, and virtual server enable and disable.
594032 ADC After upgrading BIG-IQ from version 4.x to version 5.0, you must re-discover and re-import your devices as there is no object upgrade support provided. Once re-discovered and re-imported, you may resume managing configuration objects for the components licensed on those devices.
534918 Device The SNMP Configuration option has moved from the BIG-IQ local host properties screen to the System Management > LOCAL HOST SETTINGS > SNMP Configuration screen.
536479 Device The ability to archive a backup on the local BIG-IQ file system has been deprecated in BIG-IQ 5.0.
562837 Device BIG-IQ version 5.0 no longer supports updating the Management Framework software on BIG-IP through a rediscovery operation. Upgrading the Management Framework can be accomplished via the device inventory or device properties page.
566458 Device BIG-IQ version 5.0 has deprecated support for BIG-IP version 11.4.x. Any BIG-IP version 11.4.x system discovered in a BIG-IQ version 4.x system will display a warning icon after upgrading to BIG-IQ version 5.0. An error message is displayed if a BIG-IP version 11.4.x system is specified for discovery. Legacy upgrade functionality in BIG-IQ version 5.0 supports upgrading a BIG-IP version 11.4.x system to 11.5.x, 11.6.x, and 12.x.x versions of BIG-IP software.
591088 Device The Read/Write Network Operator role has been deprecated in BIG-IQ version 5.0. Users and User Groups assigned to this role will be automatically promoted to Device Manager after upgrading BIG-IQ from 4.x to 5.0.
591542 Device Localhost is no longer in the logging group. If there was an existing backup schedule for localhost in the logging group prior to upgrading to BIG-IQ 5.0, the associated device will not show up in the selected area of the device picker. You can still edit the schedule to choose the localhost in the HA group, then save the schedule.
579940 Network Security (AFM) Previously, in the system interface, the daily run time in the network security change notification schedule was the server time. With version 5.0.0, it is the client time. For example, if the BIG-IQ server is in PST, the client is in EST, and the client sets the daily run time to 08:00: before version 5.0.0, change notification would run at 08:00 PST; in version 5.0.0, it runs at 05:00 PST.
592524 Web App Security (ASM) BIG-IQ 5.0 Web Application Security requires BIG-IP systems running a minimum version of 11.5.3 HF2.

Fixed CVE issues in 5.0.0

ID Number   CVE Number
499496      CVE-2014-7841
505635      CVE-2015-0235
516875      CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288
517529      CVE-2013-7424
525027      CVE-2015-3628

Fixes

ID Functional Area Description
563107 ADC In previous versions, ADC status for some objects might not have been collected correctly. We have fixed status gathering, and icons are now up to date.
569082 ADC Previously, when looking up managed devices, route and tunnel objects were not considered. This caused discovery/import to fail. This issue has been remedied.
576671 ADC Previously, when an AFM-provisioned device had self IP addresses in different route domains that shared the same subnet, BIG-IQ Security failed to discover the device. This issue has been fixed.
594348 ADC Without an LTM license, the ratio value on Nodes is rejected by the BIG-IP system. This prevented Nodes from being deployed from BIG-IQ, which fills in this value by default. A possible error message on deploy was: 01070356:3: Ratio load balancing feature not licensed. This issue is fixed; simply delete the value in the ratio input.
472275 Device If you deleted a managed device using a Pool License without first revoking the pool license, BIG-IQ Device would display "Missing Device" for the device assignment on the pool license properties screen, and provide no way to remove the assignment. In BIG-IQ 5.0.0, the UI provides a way to delete these sorts of grants.
507861 Device There was an issue with blacked out health status bars in the device properties. Device health status bars now display correctly in the device properties.
516945 Device Previously, when backup jobs were given the same name, the jobs failed silently. This has been fixed so that the error is reported correctly.
557194 Device In BIG-IQ CM 4.6.0, there was an issue with device certificate visibility to users with the Device Manager role. This issue does not apply to BIG-IQ CM 5.0.0.
561093 Device Invalid UCS backup/restore tasks are now moved to a failed status on startup.
570374 Device In releases prior to BIG-IQ 5.0.0, if you selected a Route or Self-IP Address in the Device Module UI and clicked "Delete", the change did not occur on the BIG-IP device on which that object resided, and an error message was shown. In BIG-IQ 5.0.0, this has been corrected and the workflow for deleting these objects has changed. To remove a Self-IP or Route from a BIG-IP device, navigate to the ADC module using the BIG-IQ menu. On the left, select "NETWORK" > "Self IPs", or "NETWORK" > "Routes", select the object and then click the "Delete" button above the grid. Next, select "Change Management" from the BIG-IQ menu and select "Evaluate & Deploy" > "Local Traffic & Network" on the left. Create an evaluation, selecting the Self IP or Route's BIG-IP device as the target. After the evaluation completes, deploy the evaluation.
570721 Device During manual activation of a pool license, if extra white space was appended to the end of the license text, the pool did not function properly. BIG-IQ CM 5.0.0 properly handles white space, and this no longer causes issues when activating a pool license using the manual method.
591338 Device In BIG-IQ CM 4.6.0, restore was not available for a UCS archive of a Scheduled Backup if the source device was a member of a dynamic device group. This issue has been addressed in BIG-IQ CM 5.0.0; backups can be restored as expected.
479606 Network Security (AFM) Corrected timing of log file deletion and Virtual Server deletion so that deployments from snapshots no longer fail.
483837 Network Security (AFM) The Device DoS attack types single endpoint flood and endpoint sweep are now supported. Previously, BIG-IQ Shared Security did not discover the Device DoS Single Endpoint Flood and Single Endpoint Sweep properties.
487014 Network Security (AFM) The DoS profile and another profile can now be associated with a virtual server in a single deployment. Previously, when a virtual server contained a DoS Profile and another profile that is required by the DoS Profile (such as a DNS profile or an HTTP profile), the deployment could fail with a false error.
491480 Network Security (AFM) Prefix length validation now prevents deployment failures. Previously, you could create a virtual server within shared security and enter a Source IP address without a prefix length (for example, 1.1.1.1 instead of 1.1.1.1/24). When deploying this virtual server to a BIG-IP system, the deployment fails and the virtual server cannot be created on the BIG-IP device, due to the missing prefix length.
495576 Network Security (AFM) In the Network Security policy editor, the Global firewall content panel refreshes correctly.
497516 Network Security (AFM) For Logging Profile Storage Format User-Defined free text, text within double quotes no longer needs to be escaped.
511754 Network Security (AFM) Previously, the BIG-IQ system allowed a management-IP firewall that supports IPv6 to have rules or policies with IPv4 addresses, which is a misconfiguration. When later deploying this misconfiguration, the deployment fails. The error that appears in the BIG-IQ restjavad.log file is "The Address Family for the admin IP is different from the Address Family referred to by the rule." Appropriate validation has been added to catch and warn of this condition during evaluation and prior to deployment.
542023 Network Security (AFM) Duplicate audit log entries are no longer presented. Previously, duplicate audit log entries appeared for subcollections associated with an object that had been deleted and re-created using the same name.
555149 Network Security (AFM) Related-to searches are not supported from user-defined device groups. Related-to searches from firewall policies or contexts do not return results within a user-defined device group. Perform the related-to search from a system-defined device group, such as the firewall group, or from Devices on the left side of the Policy Editor.
555304 Network Security (AFM) When a user selects items for an operation in the Network Security Policy Editor, such as selecting an object for deletion, those selections will be cleared if the user refreshes that page in the browser.
556152 Network Security (AFM) When using the Network Security Policy Editor, expanding all rule lists when there are a lot of them can cause the Web browser to become unresponsive. This release significantly improves the performance of rule list rendering. When many large rule lists are in use, be sure to open firewall policies with rule lists "collapsed" by default. You can modify this setting in the security user settings.
556247 Network Security (AFM) When management communication issues are encountered with a BIG-IP device during a rule compilation check task, the pending status update from BIG-IP device displays an appropriate status message.
556264 Network Security (AFM) We have addressed previously reported occurrences of slow response when users were viewing address lists and port lists in the UI. This release contains significant performance and scale improvements across the product.
560872 Network Security (AFM) Incorrectly reported "Ready to deploy" status is fixed.
568022 Network Security (AFM) In version 5.0 the rules editor was redesigned, so that it no longer needs to make a large query that previously triggered a 414 error.
576505 Network Security (AFM) Previously, BIG-IQ Security discovery of the second node in an HA pair could fail after an upgrade of the BIG-IP device from version 11.4.1 to 11.5.3. This was caused by the references in virtual servers not getting properly validated by the BIG-IQ cluster synchronization. Now when BIG-IQ validates a virtual server in an HA configuration, it finds the referenced objects (in this case a SNAT pool) and validates those as well.
578445 Network Security (AFM) UI scrolling with large numbers of objects in the list no longer hangs. Scrolling may be continued until the end of the list is reached.
579940 Network Security (AFM) Previously, the daily run time in change notification was shown as the server time, instead of the client time. This was inconsistent with other BIG-IQ scheduling features, which use client times. Also, this could cause problems if the server and client were in different time zones. Now, with BIG-IQ version 5.0, the change notification schedule uses the client time.
440333 Platform Active-Active HA mode is not supported from v4.6.0.
470986 Platform For security purposes, the BIG-IQ system logs users out at a specified timeout. The system displays a logout warning dialog box 5 minutes before the 10 hour authentication limit is reached.
496899 Platform The /var/log/restjavad.<n>.log file might contain messages similar to the following: [SEVERE]...PipelineManagerTaskWorker][failed] failed to register for worker notifications. These messages are benign and have no impact on the BIG-IQ system's functionality.
499273 Platform BIG-IQ log reports CONNECTION UNKNOWN. If you cannot communicate with the managed BIG-IP devices, attempt to fix any network communication problems by pinging or routing the BIG-IP device from the BIG-IQ system, and then restart the restjavad process on the BIG-IQ system by typing the following command: # bigstart restart restjavad
509120 Platform When BIG-IQ discovers a BIG-IP device, it attempts to perform a REST framework upgrade on the BIG-IP device during the discovery process. We removed the grooming of the '/tmp' directory so that the framework upgrade and discovery complete successfully, and the BIG-IP device can be managed using BIG-IQ.
520625 Platform BIG-IP device discovery from BIG-IQ succeeds even with a custom administrator user configured on the BIG-IP system.
525346 Platform Previously, there were situations where discovering a BIG-IP device with an up-to-date management package still required a needless upgrade. This issue has been addressed and further upgrades should not be required.
547371 Platform When connecting to SMTP Server there was an issue where the BIG-IQ system would identify itself as "localhost.localdomain" instead of using its FQDN or IP address. BIG-IQ now uses the configured FQDN hostname.
549041 Platform Previously, the "Last Availability" field was not being updated on the "Device Properties" screen for BIG-IQ Device. Now BIG-IQ Device properly updates the Last Availability field on the Device properties screen every 120 seconds.
551729 Platform User creation is no longer allowed without a valid name.
552678 Platform You can see updated time stamps by manually refreshing the page. To do this, close and then reopen the fly-out.
557847 Platform After setting up Active-Standby HA, an admin should verify that the secondary device is in a good state (no HA Error) on restart.
557915 Platform In an Active-Standby HA configuration, ensure that both BIG-IQ systems are in a good state before promoting the secondary to be the new primary.
560593 Platform Storage replication task schedule is now properly enabled only on primary BIG-IQ.
562199 Platform Previously, there was an issue where saving the configuration from tmsh might have failed for Virtual Edition (VE) platforms that had only one NIC configured. 'tmsh save sys config' output now returns correct information on a VE with a single NIC configured.
564902 Platform BIG-IQ VE instances created using OpenStack interfaces now detect the KVM hypervisor. Important: If you performed the steps to work around this issue (as described in the known issue for bug ID 564902), removing the workaround might require a license change.
566915 Platform audit_forwarder will also exit when syslog-ng exits normally or is killed manually.
568074 Platform Previously, pulling IPv6 data from the BIG-IP system using HTTPS, SCP, SSH, DNS, or SMTP might have caused significant performance impacts. We have corrected this, so that there is no performance impact when pulling data over the affected ports using HTTPS, SCP, SSH, DNS, or SMTP from the BIG-IP device over IPv6, and there is no BIG-IQ performance impact when managing BIG-IP devices over IPv6.
571769 Platform Radius remote authentication succeeds for passwords longer than 16 characters.
575023 Platform Password-less SSH access is now maintained after tmsh load (or install and move config) of UCS.
582480 Platform In previous versions of BIG-IQ, icrd did not work with third-party authentication providers. Now icrd can be used by clients authenticated through third-party providers.
586972 Platform Run the command to add a BIG-IQ Logging Node.
590022 Platform When you add a Logging Node, the operation can take a long time and you may see an error message. When you later navigate to the Logging Configuration page, you will see that the logging node count has increased. This means that adding the Logging Node took longer than expected and it was added only partially to the BIG-IQ system.
507492 System When attempting to delete the Self IP address used for HA peer discovery, a pop up warns the user that the Self IP address is in use and cannot be deleted.
565515 System In BIG-IQ CM version 4.6.0, the sslPreference attribute of LDAPS external authentication was not stored correctly in all instances. This issue does not affect BIG-IQ CM version 5.0.0.
441557 Web App Security (ASM) Previously, discovery of a BIG-IP device failed if any virtual server had an unexpected policy configuration. Discovery of such BIG-IP devices no longer fails.
441559 Web App Security (ASM) In previous releases, ASM security policies attached to only one virtual server and deployed from the BIG-IQ system might have been attached to multiple virtual servers on the BIG-IP system. This is now fixed.
472773 Web App Security (ASM) In previous versions, an administrative account authenticated through RADIUS could not manage BIG-IP systems with BIG-IQ Security. This is now fixed.
493663 Web App Security (ASM) In earlier versions, virtual servers created in Shared Security were not visible in Web Application Security. In this version, virtual servers are created in the ADC module. Virtual servers created in the ADC configuration pages are now visible in Web Application Security.
496349 Web App Security (ASM) In Web Application Security, using Show Related Items on a device did not highlight policies when it should. This is now fixed.
516866 Web App Security (ASM) In previous releases, after a successful deployment a policy sometimes had spurious character-set differences. This release corrects the issue so that the false differences no longer appear.
526160 Web App Security (ASM) Creation and deletion of virtual servers are now performed through the ADC module and ADC deployments. This issue has been resolved.
539703 Web App Security (ASM) Update of the signature file using BIG-IQ no longer fails if you use a signature file older than the one currently on the BIG-IQ system.
548840 Web App Security (ASM) BIG-IQ ASM failed to deploy an ASM policy associated with a virtual server with connection mirroring enabled. A critical error is now shown in the deployment evaluation to prevent the deploy failure.
549116 Web App Security (ASM) Performance improvement: evaluating a Web Application Security deployment now takes less time than in previous versions.
556185 Web App Security (ASM) Previously, the system incorrectly allowed a policy in a non-common partition to be associated with a virtual server in the common partition. Validation now correctly prevents the assignment.
558020 Web App Security (ASM) In earlier releases, Web App Security was missing the read-only user role. We have added a viewer role, among others.
564326 Web App Security (ASM) Previously, policy conflicts were not detected correctly when changes included the addition of items on BIG-IP system. Conflicts are now detected correctly.
571823 Web App Security (ASM) A critical error was shown on deployment for version 11.x devices for the 'placeSignaturesInStaging' field. The logic that detects that error is now fixed, and the error is only shown when required.
572688 Web App Security (ASM) Earlier, when a snapshot of a configuration was restored, the devices were not marked as modified. Now all devices are marked as modified. Note: in some cases, evaluating a change will show nothing to deploy. That is expected due to system limitations. We recommend that you run an evaluation to check whether deployment is actually required.
585919 Web App Security (ASM) Incorrect validation of parameter min/max values has been fixed.

Known issues

ID Functional Area Description Workaround (if Available)
505455 Access Adding a non-source device to an Access group fails when a device-specific object on the non-source device refers to an object that does not exist on the source device. To identify and resolve the issue, you must look into logs for errors such as "Failed to re-work references" and "Unable to calculate working config id". The logs will have information on the type of object that needs to be fixed on the BIG-IP system.
507774 Access Local User DB users cannot be managed from BIG-IQ Access. BIG-IP APM systems that use the Local DB User Management feature cannot use this feature from BIG-IQ Access: when BIG-IQ Access 5.0 discovers and manages a BIG-IP 12.1 device with APM configured, the Access Object Editor cannot be used to manage Local DB users. To manage the local users, the administrator must log in to each individual BIG-IP device that is managed from BIG-IQ and make the corresponding changes there.
519587 Access BIG-IQ Access device-specific objects differ on different devices in an HA configuration. This occurs when two BIG-IP devices that are part of a sync-failover DSC cluster group are discovered in BIG-IQ with no cluster name specified in the discovery parameters. After discovery, they are imported and an Access Group is created; when device-specific objects on one device are modified, the other devices are not updated. Note that if a cluster name is specified when the devices are discovered, the device-specific objects are modified correctly. To work around this issue, do one of the following: -- Specify the cluster name when the devices are discovered. -- Modify the device-specific objects on every device that is part of the cluster.
519685 Access When a BIG-IP system in an HA configuration fails over to a standby device, the Source device in the Access Group does not automatically change to the standby device. This matters when the source device goes down and the administrator wants the system to continue working by failing over to another device as the source device. To work around the issue: (1) Log in to BIG-IQ Access. (2) Select Configuration :: Access Groups, then select an Access group by name. (3) Select a standby device or another device in the Access group and click Make Source. (4) Click Reimport Source to import the configuration from the newly designated Source device to the BIG-IQ system.
540329 Access Deployment fails at the CHECK_DEVICE_AVAILABILITY step. Because System Setup is not complete, the deployment task fails. After upgrading the BIG-IQ system or cleaning up REST storage on it, the system displays a message stating that the user must complete System Setup. If the user ignores the message and goes ahead with device discovery, Access group creation and subsequent deployment, then the deployment request can fail at the CHECK_DEVICE_AVAILABILITY step. To work around the issue, initiate and complete the BIG-IQ System Setup and re-attempt the deployment task.
552120 Access Creating a BIG-IQ Access group fails when either of the following scenarios occurs. First scenario: 1) On a BIG-IP system, provision Secure Web Gateway (SWG). 2) Create a per-request policy for SWG with URL filters. 3) De-provision SWG. 4) From BIG-IQ Access, discover the BIG-IP device and add it to an Access group. Second scenario: 1) On a BIG-IP system, de-provision Secure Web Gateway (SWG). 2) Import a per-request policy for SWG with a URL filter from the BIG-IP system. 3) From BIG-IQ Access, discover the BIG-IP device and add it to an Access group. In both cases, creation of the Access group fails. To identify and resolve the issue, look in the logs for errors such as 'Failed to re-work references' or 'Unable to calculate working config id'. The logs contain information on which type of object needs to be fixed on the BIG-IP system.
579042 Access In rare instances, BIG-IQ Access device discovery fails with this error: Failed to transform secure field value for field <name of the field>. This likely occurs when restjavad/ICRD on the BIG-IP device is not up or cannot communicate with mcp. To work around this issue, log in to the managed BIG-IP device and restart restjavad by typing bigstart restart restjavad (or, from tmsh, restart restjavad).
579557 Access BIG-IQ Access creates pools under BIG-IQ ADC Pools if the AD object is in pool mode. If this pool or pool member is deleted from ADC, BIG-IQ Access still shows the pool member under the AD object, which can be confusing. This does not affect the configuration on the managed BIG-IP devices. However, if a deployment is triggered from ADC and then from Access, the BIG-IP device returns a validation error. This discrepancy occurs when BIG-IQ Access has an Active Directory object in pool mode and the pool member is deleted from the BIG-IQ ADC module. To resolve it, the administrator can re-add the deleted pool member after seeing the deployment error, and then retry the deployment.
581899 Access BIG-IQ Access reports are missing logs and session data. This loss of logs and session information in BIG-IQ Access Reporting is usually seen under two circumstances: 1. bigstart restart apmd tmm is run on the managed BIG-IP device. 2. The Logging Node, or restjavad on the Logging Node, restarts. To resolve this issue, log in to the command line of the managed BIG-IP device and type the following command: bigstart restart tmm
586165 Access You must deploy configuration changes for a device before you re-import services. If you don't, your changes are lost. If you add a non-source device to an Access Group, deploy LTM before you re-import.
588171 Access BIG-IQ Logging Node drops logs if traffic on BIG-IP APM generates more than 4,500 logs per second for 10 minutes. This results in a loss of logs on the Logging Node. It occurs when a high number of sessions is created on the BIG-IP devices for a period of more than 10 minutes. To try to work around this issue, load-balance the logs from the BIG-IP device to multiple BIG-IQ Logging Nodes and enable the Access service on them.
591018 Access BIG-IQ Access returns incorrect results if you filter on specific fields (such as Type or Access Profiles) for a device resource. Searches on these fields return incorrect results because the associations are calculated separately and are not indexed in the system.
591625 Access A SAML IdP automation configuration specifies a local SP service, which is also known as a SAML AAA server. If you delete a SAML AAA server that is specified in a SAML IdP automation configuration on the BIG-IP system, then try to import the APM configuration into a BIG-IQ Access group, the import fails. The logs contain exceptions such as the following:
----
[ERROR][05 May 2016 14:26:57 PDT][ConfigDifferencer] ERROR: caught java.lang.IllegalStateException: Reference comparand has no name: https://localhost/mgmt/cm/access/current-config/apm/aaa/saml/44533f70-9ded-3ab5-83d1-531a6eed62fc
at com.f5.rest.workers.configmgmtbase.config.ResourceReferenceState.checkFields(ResourceReferenceState.java:104)
at com.f5.rest.workers.configmgmtbase.config.ResourceReferenceState.equals(ResourceReferenceState.java:155)
at com.f5.rest.workers.configmgmtbase.config.ResourceReferenceState.equals(ResourceReferenceState.java:131)
at com.f5.rest.workers.configmgmtbase.config.StateUtil.equalsMember(StateUtil.java:141)
at com.f5.rest.workers.access.config.state.apm.aaa.SamlIdpAutomationState.equals(SamlIdpAutomationState.java:61)
at com.f5.rest.workers.access.config.state.apm.aaa.SamlIdpAutomationState.equals(SamlIdpAutomationState.java:48)
----
To work around this issue, on the BIG-IP system, edit the SAML BIG-IP IdP automation configuration and select another server from the SP Service list. Then, on the BIG-IQ system, re-import the APM configuration for the device.
594536 Access If you enable a pool for RDP VMware and deploy the configuration to a source and a non-source device, and the non-source device doesn't have the pool, the deployment fails on the non-source device with a pool not found error. When the source device has a pool enabled in RDP VMware and that object is marked shared, the pool is not created on the non-source devices, so the deployment fails. This can be reproduced in two flows. First flow: 1. Configure VMware View Remote Desktop on the source BIG-IP device. 2. On BIG-IQ, trust, discover and import the source and non-source BIG-IP devices, and create an Access group containing both. 3. Go to ADC >> Pool and create a pool for the source BIG-IP device. 4. Go to Access >> Source BIG-IP >> Remote Desktop and mark the VMware View Remote Desktop as shared. 5. Go to Shared Resources >> Remote Desktop and add the pool to the VMware View Remote Desktop. 6. Go to Change Management >> Evaluate & Deploy >> Access, create a new evaluation record containing the source and non-source device, and evaluate the differences. You get verification warnings to deploy ADC first so that the pool is deployed to the source and non-source device. 7. Go to Change Management >> Evaluate & Deploy >> ADC and deploy the ADC configuration to the source and non-source BIG-IP device (as the verification warnings say). 8. Go to Change Management >> Evaluate & Deploy >> Access and deploy the configuration to the source and non-source device. Deployment fails on the non-source device saying the pool was not found. Second flow: 1. Configure VMware View Remote Desktop on the source BIG-IP device. 2. On BIG-IQ, trust, discover and import the source and non-source BIG-IP devices, and create an Access group containing both. 3. Go to Access >> Source BIG-IP >> Remote Desktop, select the pool, and mark the VMware View Remote Desktop as shared. 4. Go to Change Management >> Evaluate & Deploy >> Access and deploy the configuration to the source and non-source device. Deployment fails on the non-source device saying the pool was not found. To avoid this issue, manually create a pool for each non-source device in BIG-IQ ADC.
597389 Access If you modify the Active Directory object to use Pool and select http as the Server Pool Monitor, the BIG-IP LTM deployment fails with the following message: Failed submitting iControl REST transaction 1464991770669174: status:400, body:{"code":400,"message":"transaction failed:01070622:3: The monitor /Common/http has a wildcard destination service and cannot be associated with a node that has a zero service.","errorStack":[],"apiError":1} This occurs when a user modifies an Active Directory object to use Pool and selects http as the Server Pool Monitor. To avoid this issue, do not select http as the Server Pool Monitor.
487477 ADC VLANs associated with a self IP must be in the default route domain with the Common partition and an ID of 0 (/Common/0). If the VLAN is a member of any other route domain in a partition, the deployment containing that self IP fails, and the configuration cannot be deployed. To resolve this issue, fix the configuration on the BIG-IP device, then re-discover it and its services from BIG-IQ.
560809 ADC BIG-IP devices ship with a list of default protocols/services allowed on self IPs configured with "Port Lockdown" -> "Allow Default". You can modify this list through TMSH on the BIG-IQ device. If you modify this list, BIG-IQ might report evaluation differences in Change Management; that is, differences in evaluations for self IPs may erroneously appear. This occurs when the user has modified the default list of allowed protocols/services used with the "Port Lockdown" setting. Only self IPs using the "Allow Default" setting are affected. To resolve the evaluation difference, rediscover the BIG-IP device and re-import its services.
578322 ADC If you remove a SIP profile from a Virtual Server that has a DoS profile with SIP enabled, and you attempt to deploy that change, BIG-IQ ADC returns the following error: Virtual server (/Common/Cathy_VIP3_bigip2_sip): DoS profile with Protocol Security (SIP) enabled requires SIP profile. This virtual server blocks deployment to the BIG-IP device until the DoS configuration is removed or the SIP profile is re-added. This occurs on a Virtual Server with both SIP and DoS configured. To fix this issue, re-add the SIP profile from BIG-IQ ADC. Alternatively, remove the DoS profile from BIG-IQ Network Security.
578874 ADC A deployment scheduled for a date and time at which BIG-IQ is not operational doesn't run when BIG-IQ returns to full operational status. The scheduled deployment displays as waiting to occur in the Deployment section of the Configuration Management page, but BIG-IQ cannot deploy it in its current state; it cannot be rescheduled or deployed manually using the existing deployment task. This occurs when a deployment is scheduled for a date and time when BIG-IQ is not operational. To deploy the changes associated with the missed scheduled deployment, create a new deployment using the snapshot associated with that scheduled deployment, and then manually deploy the snapshot.
580103 ADC ADC deployment fails because a DNS Resolver is being used by an HTTP Explicit profile. BIG-IQ does not know about this relationship, and the BIG-IP system does not allow the DNS Resolver to be removed while it is referenced by the HTTP Explicit profile, so the deployment fails with a BIG-IP validation error. This occurs when a user deploys the deletion of a DNS Resolver that is referenced by an HTTP Explicit profile. To resolve this issue from BIG-IQ, add the device back to the DNS Resolver's list of attached devices. Alternatively, on the BIG-IP device, remove the association between the HTTP Explicit profile and the DNS Resolver.
584031 ADC BIG-IQ does not validate Virtual Server profile dependencies between Persistence Profiles and other profile types. There are situations where unmanaged profiles associated with Virtual Servers cause deployment failures. For example, if you change the protocol from TCP to UDP on a Virtual Server with attached profiles, BIG-IQ does not detect the conflict, and the BIG-IP device rejects the deployment. This occurs when a BIG-IP device has a Virtual Server using profiles or configured attributes that BIG-IQ doesn't manage but that can cause validation failures on the BIG-IP device. If this occurs, make the changes on the BIG-IP device and re-discover/re-import that device into BIG-IQ.
594619 ADC If you create a referencing object in BIG-IQ ADC for Local Traffic or Network, it does not appear in the custom partition; initially, the reference object is not displayed and cannot be selected. This occurs when the reference object is created in a custom partition and the user selects the device before selecting the partition when creating the referencing object in that custom partition. Two workarounds exist: A) When you create the referencing object, select the partition before selecting the device it should be deployed to. B) Alternatively, create the referencing object in the custom partition without specifying the reference object, and save your changes. Then, update the object to point to the reference object.
597135 ADC Interfaces should not be disabled for BIG-IP vCMP guests (platform z101). The BIG-IP GUI prevents interfaces from being disabled; however, in some versions the interface can be disabled using TMSH. This is a known issue on BIG-IP (see sol15487). Devices managed on BIG-IQ reflect the same issue, in that the interface for these devices can be disabled. sol15487 indicates that this will potentially interrupt traffic on the BIG-IP device. This occurs when BIG-IQ is managing vCMP guests and the user disables an interface. Do not disable interfaces on vCMP guests.
598406 App Visibility and Reporting (AVR) BIG-IQ cannot create AVR reports for Network & Application and Firewall for BIG-IP devices running versions 12.0.0 or 12.0.0 HF1/HF2. To work around this issue, upgrade to BIG-IP version 12.0.0 HF3 or later.
474742 Device While running a Deployment Job to perform a Factory Install, the job might fail to re-discover the target device, causing the job to time out with the following messages: "Attempting preliminary device configuration", "Attempting to re-discover device", and "Rediscovering device failed, retrying". The message "Rediscovery failed in job <job ID>, will retry" may periodically be logged in /var/log/restjavad.0.log on the BIG-IQ. In some cases the job's message field simply reports "Attempting to re-discover device" until the job times out. Deployment jobs for a factory install on older BIG-IP software versions do not complete. This leaves the target device unconfigured and potentially unreachable over its management interface when its DHCP lease expires, because the deployment job is unable to disable DHCP on the management interface. This occurs because the discovery process requires updating the version of the REST framework on the target device. If the BIG-IQ system cannot update the framework, discovery fails, and the BIG-IQ system retries discovery until the job times out. To work around this issue, select the Update Framework check box for this device and re-run the deployment job.
490976 Device Deploying a configuration template to a BIG-IP device occasionally fails and the BIG-IQ system returns a JSON configuration error. Template deployment will fail partway through the process. Earlier items will be applied, while the failing item and later items will not be. This problem can occur when the target BIG-IP device is an older version (in this case, 11.5) that does not support a particular object attribute in the configuration template. If the error occurred because the configuration template includes a BIG-IP object attribute that does not exist in the targeted BIG-IP version, you may be able to work around the issue by editing the template through the REST API and removing the incompatible field. You cannot perform this change from the user interface. Note that the template API is not a supported API and is subject to change or removal without notice. Templates are stored in a collection at the path /mgmt/cm/autodeploy/simple-templates. To make this change, perform a GET to retrieve the current state, edit that state, then perform a PUT or PATCH to apply the updated state. You need to edit only the content field.
501508 Device BIG-IQ file load operations (such as importing devices or uploading software images) fail when using Internet Explorer versions prior to version 10. This happens because Internet Explorer versions prior to 10 do not contain the HTML5 File API required to upload files to a BIG-IQ system. To work around this issue, use Microsoft Internet Explorer version 10 or later. Alternatively, use Mozilla Firefox version 29.x or later, or Google Chrome version 34.x or later.
508303 Device vCMP guests can become unresponsive when the BIG-IQ system is creating simultaneous backups of all the vCMP guests. Guests might fail over if the device targeted for failover is on the same host, and the problem then gets worse because the net load on the host increases due to the failover. If vCMP guests are already working at high capacity and BIG-IQ starts creating simultaneous backups on guests that share a host, the overall load on the host rises and the guests become unresponsive. To avoid this issue, make sure that guests within the same host are not on the same backup schedule.
508469 Device If a managed BIG-IP device has a large clock skew (more than a few minutes) from BIG-IQ, BIG-IQ might receive 401 authorization errors from the BIG-IP device and cannot manage it. This occurs when BIG-IQ manages a BIG-IP device with a large clock skew. Set the system time on the BIG-IP system to reduce the clock skew. Alternatively, configure the BIG-IP system and BIG-IQ to use the same NTP server to automatically keep the system time in sync.
509028 Device The F5 HNV Gateway Provider Plugin cannot apply updates to the remaining devices in the cluster. This occurs when a BIG-IP Device Cluster is used with the F5 HNV Gateway Provider Plugin, and one device is unavailable.
514164 Device The BIG-IQ system does not check storage availability before it downloads a UCS backup file. This could cause the BIG-IQ system to consume all the available storage when creating a backup. To avoid this issue, configure an alert condition for the /shared/ucs_backups file so you are notified when storage is reaching a specific threshold. The alert conditions are set from the BIG-IQ Systems group :: Properties :: Alert Conditions screen. If this issue occurs, delete any unneeded backups, and re-create the backup.
524798 Device You have to manually reactivate a license for a replacement BIG-IQ system (RMA). This happens when you attempt automatic license reactivation for a replacement BIG-IQ system without contacting F5 Support. To work around this issue: (1) Log in to the replacement BIG-IQ system. (2) Get the base registration key for the license. (3) Call F5 Support. (4) Ask them to set the license's allow_move variable. (5) Re-activate the license. (6) Set the hostname. (7) Restore the UCS backup.
546564 Device If a scheduled backup you configured from the Backups panel cannot run at its scheduled time (for example, because the BIG-IQ system is powered off), the BIG-IQ system does not notify you through the user interface that the backup was not made. The missed backup is not mentioned, so you could assume everything worked and the backup was created. This occurs when a recurring backup task is created, the backup time passes, and BIG-IQ is not operational at that time, so it does not initiate the operation. If a scheduled backup was not created due to this issue, you must either wait for the next scheduled backup to occur, or create one explicitly. To verify that a backup was created, view the location where you store the UCS backups (typically /shared/ucs_backups/*.ucs).
556762 Device  
559599 Device During initial setup for the BIG-IQ 7000 platform, the license registration key is not populated. BIG-IQ cannot be licensed without a known license key. To work around this issue, paste the key into the field. For new hardware platforms, you can find the key in the /config directory.
568075 Device The BIG-IQ Device data sheet incorrectly listed the height of the BIG-IQ 7000 as 4.45” instead of 3.45”.
568857 Device BIG-IQ Device does not allow you to save a new Route to a configuration template if the Destination value is 0.0.0.0/0. This means you cannot create a configuration template for a default route (destination 0.0.0.0/0). To work around this issue, you can create the configuration template for the default route from the command line, then update the template's other fields from the Templates screen. 1. Create a file containing the route object, as shown here:
[root@user-94-116:Active] shared # cat template_data
{"content":{"net":{"route":{"fixedItems":[{"name":"<route object name>","description":{"value":"","templateFieldType":"OPTIONAL_ITEM"},"network":{"value":"0.0.0.0/0","templateFieldType":"REQUIRED_ITEM"},"gw":{"value":"","templateFieldType":"OPTIONAL_ITEM"},"tmInterface":{"value":"","templateFieldType":"OPTIONAL_ITEM"},"mtu":{"value":0,"templateFieldType":"OPTIONAL_ITEM"}}],"minUserItems":0,"maxUserItems":0,"templateFieldType":"LIST"}},"sys":{}},"name":"<config template name>"}
2. Send a POST to the simple-templates worker:
[root@user-94-116:Active] shared # curl -d @template_data -X POST -ks -u admin:admin https://localhost/mgmt/cm/autodeploy/simple-templates
{"id":"9d012534-d1e5-4878-8d9d-777911f01401","name":"<config template name>","content":{"net":{"route":{"fixedItems":[{"name":"<route object name>","description":{"value":"","templateFieldType":"OPTIONAL_ITEM"},"gw":{"value":"","templateFieldType":"OPTIONAL_ITEM"},"tmInterface":{"value":"","templateFieldType":"OPTIONAL_ITEM"},"mtu":{"value":0,"templateFieldType":"OPTIONAL_ITEM"},"network":{"value":"0.0.0.0/0","templateFieldType":"REQUIRED_ITEM"}}],"minUserItems":0,"maxUserItems":0,"templateFieldType":"LIST"}},"sys":{}},"generation":1,"lastUpdateMicros":1453333025908391,"kind":"cm:autodeploy:simple-templates:templatestate","selfLink":"https://localhost/mgmt/cm/autodeploy/simple-templates/9d012534-d1e5-4878-8d9d-777911f01401"}
3. You can now modify the configuration template from the CONFIG TEMPLATES :: Templates screen.
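The REST workarounds in ID 490976 (remove an attribute the target BIG-IP version does not support, editing only the content field) and ID 568857 (create a default-route template by posting JSON to the simple-templates worker) both hand-edit the same payload. The following added Python example, which is not F5's code and not part of these release notes, builds that payload, strips an attribute from it without touching anything but content, and validates it before sending. The function names, the push_template helper and the lab hostname are assumptions of this example; the endpoint /mgmt/cm/autodeploy/simple-templates and the JSON layout are taken from the two rows above. Unlike the -k in the curl command above, the helper verifies the BIG-IQ certificate unless you explicitly turn that off for a lab system.

```python
import base64
import copy
import json
import ssl
import urllib.request

# Field-type markers used by the simple-templates payload shown in ID 568857.
OPTIONAL = "OPTIONAL_ITEM"
REQUIRED = "REQUIRED_ITEM"

# Endpoint named in IDs 490976 and 568857 (an unsupported API; may change).
TEMPLATES_PATH = "/mgmt/cm/autodeploy/simple-templates"


def default_route_template(template_name, route_name, gw="", interface="", mtu=0):
    """Build the net/route template body from ID 568857 for a 0.0.0.0/0 route."""
    item = {
        "name": route_name,
        "description": {"value": "", "templateFieldType": OPTIONAL},
        "network": {"value": "0.0.0.0/0", "templateFieldType": REQUIRED},
        "gw": {"value": gw, "templateFieldType": OPTIONAL},
        "tmInterface": {"value": interface, "templateFieldType": OPTIONAL},
        "mtu": {"value": mtu, "templateFieldType": OPTIONAL},
    }
    route_list = {"fixedItems": [item], "minUserItems": 0,
                  "maxUserItems": 0, "templateFieldType": "LIST"}
    return {"content": {"net": {"route": route_list}, "sys": {}},
            "name": template_name}


def remove_attribute(template, module, obj_type, attribute):
    """Return (copy, count): the template with `attribute` removed from every
    fixed item under content[module][obj_type]. This is the ID 490976
    workaround: drop a field the target BIG-IP version does not know about.
    Only the content field is touched; the caller's dict is left intact."""
    out = copy.deepcopy(template)
    items = out["content"].get(module, {}).get(obj_type, {}).get("fixedItems", [])
    removed = 0
    for item in items:
        if attribute in item:
            del item[attribute]
            removed += 1
    return out, removed


def validate_payload(template):
    """Return a list of problems; an empty list means the payload looks sendable.
    Checks what the UI would have enforced: a template name, a name on every
    fixed item, and a non-empty value for every REQUIRED_ITEM field."""
    problems = []
    if not template.get("name"):
        problems.append("missing template name")
    for module, types in template.get("content", {}).items():
        for obj_type, spec in types.items():
            for item in spec.get("fixedItems", []):
                label = f"{module}/{obj_type}/{item.get('name') or '?'}"
                if not item.get("name"):
                    problems.append(f"{label}: fixed item without a name")
                for field, value in item.items():
                    if (isinstance(value, dict)
                            and value.get("templateFieldType") == REQUIRED
                            and value.get("value") in ("", None)):
                        problems.append(f"{label}: required field {field} is empty")
    return problems


def push_template(host, user, password, template, method="POST",
                  template_id=None, verify_tls=True):
    """POST a new template, or PUT/PATCH an existing one by id (assumed helper),
    and return the decoded JSON response. Refuses to send a payload that fails
    validation. Set verify_tls=False only for a lab BIG-IQ with a self-signed
    certificate; curl -k in the release note skips verification unconditionally."""
    problems = validate_payload(template)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"https://{host}{TEMPLATES_PATH}"
    if template_id:
        url += f"/{template_id}"
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(template).encode(), method=method,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tmpl = default_route_template("default-route-template", "default_route", gw="10.0.0.1")
    trimmed, n = remove_attribute(tmpl, "net", "route", "mtu")
    print(f"removed {n} attribute(s); problems: {validate_payload(trimmed)}")
    # bigiq.example.net is an assumed lab host; uncomment to push the template:
    # print(push_template("bigiq.example.net", "admin", "********", trimmed))
```

For the ID 490976 case, fetch the existing template with a GET on its selfLink, pass the decoded JSON through remove_attribute, and send the result back with method="PUT" and the template's id; the validation step catches the empty-required-field mistakes that otherwise surface only as a 400 from the worker.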
570732 Device If, during manual activation of a pool license, you add an extra blank line to the end of the license text, BIG-IQ returns an error when you try to grant a license from the pool. To fix this issue, re-activate the license, making sure you add no extra lines or spaces.
575036 Device After promoting a BIG-IQ in a high availability configuration to primary, the promoted BIG-IQ system might display warnings that some software images are missing. The popup is modal and is always present when the user navigates to the Software Installations page. This occurs when you have not uploaded to the HA peer a software image used in a software installation, or when you have deleted a software image after a software installation has completed. To fix this issue, upload the missing software image to BIG-IQ.
575659 Device If you add a new BIG-IP device to an existing DSC cluster and its Deployment Settings mode differs from that of the other devices in the cluster, BIG-IQ ignores the setting for the new device. This means the DSC Sync mode for the cluster remains set to the value initially configured for the first BIG-IP device added to the DSC cluster group. This is only an issue if the DSC Sync mode of the device being added differs from the existing DSC cluster's sync mode. To correct this issue: (1) Click the name of the newly added BIG-IP device on the BIG-IP Device inventory screen. (2) From the Properties screen, click the Edit button for the Cluster Members setting. (3) Edit the Deployment Setting to match the other cluster members.
578041 Device In rare circumstances, device discovery fails with the following error: java.lang.IllegalStateException: Framework upgrade failed because the /usr file partition on BIG-IP (null) could not be re-mounted read-only due to the /usr file system being busy. The conditions that trigger this are not known. To resolve this issue: 1. Log in to the BIG-IP device's command line and remount the /usr partition manually by typing the following commands: (1) bigstart stop restjavad (2) mount -o remount,ro /usr (3) bigstart start restjavad 2. From BIG-IQ, rediscover the BIG-IP device and select the "Ignore Framework Check on Discovery" check box, since the BIG-IP device already has the most recent REST framework.
578483 Device Discovery of a new or recently upgraded BIG-IP device might fail because of communication issues between BIG-IQ and the BIG-IP device; the discovery, rediscovery or configuration deployment attempt fails. When discovering a new device or rediscovering a device that has recently been upgraded, BIG-IQ may need to update the REST framework on the BIG-IP device. The REST framework is used for BIG-IP to BIG-IQ communication. During the update process, an infrequent startup race condition may occur that causes communication issues with the icrd process. To resolve this issue, from the command line of the BIG-IP device, type the following command: bigstart restart icrd
587724 Device After you upgrade the REST framework for a BIG-IP device running version 11.6, errors related to 404 Not Found responses might display when performing certain operations. Various operations reliant upon icrd may fail, including discovery/import of a BIG-IP device into BIG-IQ. When this occurs, there may be errors related to 404 Not Found responses to icrd endpoints (/mgmt/tm/*). To resolve this issue, from the command line of the BIG-IP device, type the following command: bigstart restart icrd
588063 Device The Device inventory page is occasionally grayed out while a REST Framework upgrade operation is running. The Inventory page can appear grayed out while tasks are still running, but the user receives no feedback. This can occur when you start multiple REST Framework upgrade tasks from the inventory page. Refresh the web browser to resolve the issue.
590641 Device The "License is expired" message might incorrectly display on BIG-IQ for a BIG-IQ device even after you re-activated the license. You can see what information the BIG-IP device is presenting to BIG-IQ by viewing the endpoint /tm/shared/licensing/registration on the BIG-IP device. BIG-IQ shows the "License is expired" message longer than it should. Depending on the manner of re-activation, the message can persist until the next time REST services are restarted on the device, plus up to 12 hours. If the device's license was re-activated without using the REST API (for example, using tmsh), the incorrect license information persists until the next time restjavad restarts (such as via a reboot or "bigstart restart restjavad"). Restarting restjavad updates the license information that the BIG-IP device presents to BIG-IQ, but it can be up to an additional 12 hours before BIG-IQ takes notice. If the device's license was re-activated using the REST API, it can still take up to 12 hours for BIG-IQ to notice. This occurs when: 1. A managed device has an expired license (for example, an expired evaluation period). 2. That license is re-activated, so that inspecting the device manually shows it is no longer expired. To resolve this issue, do one of the following: Reboot the BIG-IP device, then wait up to 12 hours for BIG-IQ to refresh the license status. Or restart REST services on the BIG-IP device by typing bigstart restart restjavad
590791 Device BIG-IP service re-discovery might fail with a generic error message if the BIG-IP system needs a REST framework upgrade. This occurs when the BIG-IP device was upgraded offline and the BIG-IP REST framework upgrade is required but has not been performed. View the BIG-IP Device inventory list to see whether the device needs a REST framework upgrade, and upgrade the REST framework if required.
593491 Device If you re-import only one of the BIG-IP devices in a DSC cluster and make changes on it, BIG-IQ may show differences during deployment and manage them incorrectly. The device that was re-imported shows that the new changes need to be removed. The device that was not re-imported does not show the new changes at all, because the status of the change in the current config is set to (Not Imported). This can occur when you re-import the configuration for a BIG-IP device following a sync and then create an Evaluation. To resolve this issue, re-import all BIG-IP devices configured in a DSC cluster at the same time.
595938 Device When downloading a Device Inventory report for the first time, your web browser might prompt for credentials in a new tab. If prompted, enter the BIG-IQ user name and password. This is required only once per BIG-IQ session.
598240 Device Because there is no ASM Logging Group in BIG-IQ version 5.0, any backup you created specifying the ASM Logging Group displays the associated BIG-IQ as "unmanaged" after you upgrade from 4.x. A version 4.x BIG-IQ backup cannot be restored to a BIG-IQ running version 5.x, so this issue is mostly cosmetic. The backup is still intact and can be used to restore the BIG-IQ if the BIG-IQ is rolled back to the prior version.
423694 Network Security (AFM) This address list is accepted on BIG-IP devices (running 11.4.1) but not in BIG-IQ systems.
426774 Network Security (AFM) The error message "HA Firewalls in device 10.1.1.1 do not match those in peer device 10.1.1.2" is issued when there is a mismatch between firewalls. This error message is not very specific about the types and names of the firewalls. Providing this information would aid the user in correcting the error.
459888 Network Security (AFM) The BIG-IQ system is unaware of default route domain assignments in non-default BIG-IP system partitions. For example, assume you have a non-default partition, /partitionA, whose default route domain is set to 5 rather than zero. If, from the BIG-IQ system, you assign an IP address to any firewall in /partitionA without specifying the route domain (such as 192.168.25.4), and then deploy the firewall to the BIG-IP system, the BIG-IP system assigns the default route domain (5) to the IP address. The firewall on the BIG-IQ system is still shown as 192.168.25.4, while on the BIG-IP system it is 192.168.25.4%5. The address is clear on the BIG-IP system (192.168.25.4%5), but less clear on the BIG-IQ system, where the route domain is omitted. You can ignore the IP address settings in the BIG-IQ system; they are benign.
473034 Network Security (AFM) The hostname of a BIG-IP system is not valid in the search field for Network Security Deployments. Search for a device by its IP address, and then show its related items.
474135 Network Security (AFM) Deployment occasionally fails during distribution with the error: There is no transaction created for this user. Deployment might fail and post an error message. This failure is rare and is related to timeouts experienced for large configuration changes and devices under heavy load. Once deployment to a specific device fails, retry the deployment operation on the same device.
476209 Network Security (AFM) The Network Security's Overview page contains three blades: Devices, Deployment, and Snapshots. In the Properties for each object in each blade, you can use the "Show Only Related Objects" feature. Any interactions with the Devices blade are not accurate. This feature only produces accurate results when determining which snapshots are related to which deployment, and the reverse.
478963 Network Security (AFM) Only route-domain 0 can have VLANs from other partitions. You must assign VLANs from the same partition to all other route-domains.
488527 Network Security (AFM) When clustering multiple BIG-IP devices together in a common cluster group, BIG-IQ Security software does not verify that the BIG-IP devices have been provisioned with a common set of licensed software modules. The BIG-IQ clustering operation succeeds when it should fail. As a result, the BIG-IP device might not perform the expected functionality, and there is no indication to the user what the problem might be. This occurs with multiple BIG-IP devices that have mismatched provisioned software modules. When adding a BIG-IP device to a cluster group, ensure that it has the same software modules provisioned as the peer BIG-IP device.
512639 Network Security (AFM) Firefox 42 fails when connecting to BIG-IQ version 5.0.0, so the Firefox browser cannot be used with BIG-IQ version 5.0.0. This is a Firefox certificate issue; the solution is documented on the Firefox website at https://support.mozilla.org/en-US/questions/1012728#answer-616338. To use Firefox 42 with BIG-IQ 5.0.0, rename or delete the cert8.db file in the Firefox profile folder: 1) In Firefox, go to Help > Troubleshooting Information and, next to Profile Directory, click Show Folder to open the currently used profile folder. 2) Rename or delete the file cert8.db.
522260 Network Security (AFM) DoS Profile deployment fails on the BIG-IP device after changing to a different type of DoS Profile. The system posts a deployment error similar to the following: 01070734:3: Configuration error: /Common/vs-dos-profile-1: Web Security profile requires an HTTP profile to be associated with the virtual server. This occurs when you use the BIG-IQ system to deploy a DoS Profile to a virtual server that has an associated Web Application Security policy (that is, an ASM security policy imported from a discovered BIG-IP device), and then remove the HTTP profile from the DoS Profile configuration. A virtual server that has been used for Web Application Security cannot be used for other purposes, because the profiles enabled on that virtual server currently cannot be explicitly modified by the user on either the BIG-IP device or the BIG-IQ system. The only way to make it usable for other purposes is to remove the ASM policy and deploy that change to the BIG-IP device. The HTTP profile can be removed thereafter.
540492 Network Security (AFM) When viewed from some laptops, the screen resolution does not allow the config and refresh buttons to be seen or clicked, so the user cannot access the buttons. For example, this occurs on a laptop with a screen resolution of 1440 x 900. Use the web browser to zoom in to view and use the buttons.
541254 Network Security (AFM) Changing the 'Days to keep entries' or the 'Check expiration at this time' values (under Settings) while an Audit Log archive and deletion operation is underway causes that operation to stop; the next operation then starts at the specified time. This can occur if you change the Audit Log Settings for the AFM or ASM Audit Logs mid-operation. The impact is that Audit Log entries stop being removed from storage and the archive to the /var/config/rest/auditArchive directory stops. You can wait for the next archive/delete operation to occur, or you can specify a new time 1 day from the current time if you want the archive to happen as soon as possible. You cannot force the archive/delete operation to happen within the next 24 hours; it occurs, at the earliest, exactly 24 hours from the current time. To set the new time so that the Audit Log archive/delete occurs 1 day from the current time, select the Audit Log Settings button and enter 1 for 'Days to keep entries'. Then set 'Check expiration at this time' to the current hour and current minute. Finally, add one additional minute before selecting the Save button.
542905 Network Security (AFM) Deployment of the changes to route domains fails because the system cannot find the virtual server to be removed. Reimport of BIG-IP devices in BIG-IQ Web Application Security (ASM) updates only ASM and shared security with the latest BIG-IP configuration. It does not update the BIG-IQ Network Security (AFM) module. Therefore, if you are using both AFM and ASM, you must reimport both modules.
552765 Network Security (AFM) You might observe high CPU usage after a recent upgrade of a managed BIG-IP device; the symptom is slowness during discovery followed by temporary high CPU usage. This problem is triggered when an older REST framework is installed as part of the BIG-IP system upgrade, and is expected behavior. If the identified BIG-IP device has been recently upgraded, make sure that the correct REST framework is installed. To update the framework, use the following procedure. 1. Go to the BIG-IQ Device module and hover over the device entry. Click the gear icon and select Properties. 2. Scroll to the bottom of the page, and select the 'Update Framework On Rediscover' check box. 3. Enter the credentials, and at the top of the screen, click Rediscover. 4. This pushes the newer REST framework to the BIG-IP system. For a VIPRION system, each blade is represented as a separate managed device in the BIG-IQ system, so each upgraded blade must have the current REST framework pushed to it. The high CPU issue should resolve itself after the tasks have time to complete.
553761 Network Security (AFM) With large configurations and large numbers of BIG-IP devices under management, performance issues have become visible when performing searches in the global navigation filter. Although a solution has been developed, there is a restriction for searching in contexts: search does not search through rules in contexts, only through policies in contexts. Therefore, search does not find items in inline rules in contexts on any BIG-IP device running a version that supports inline rules in all contexts. Search also does not find items in management firewall contexts that contain only inline rules, for all BIG-IP versions.
556516 Network Security (AFM) When performing a search using the Exact keyword in the Network Security Policy Editor, the search is not case sensitive.
557774 Network Security (AFM) If you enable and modify the default values for the Bot Signatures or Bot Signature Categories settings on a version 12.0 BIG-IP device, and then attempt to discover that BIG-IP device using a BIG-IQ system, the discovery will fail because the BIG-IQ DoS Profile only supports the default values for these parameters. Additionally, if you configure a new Bot Signature category and use the category to create a bot signature list, the Action must be set to a value of None. If the Action is set to a value of Block or Report, discovery of the BIG-IP device will fail even if Bot Signatures are disabled on the BIG-IP device in the DoS profile. Do not enable and modify the default values for the Bot Signatures or Bot Signature Categories settings on a version 12 BIG-IP device and then attempt to discover that device using a BIG-IQ system.
558494 Network Security (AFM) When trying to discover a second chassis device as part of a BIG-IQ Security high availability (HA) configuration, you might get the error: "Unable to discover device to be managed." Managed AFM chassis devices, such as VIPRION platforms, need the device framework on each blade. While the system is updating the framework (when Update Framework is selected in the system interface), the framework is pushed to all the blades of the managed device. In the rare case in which the update fails or times out during discovery, the system shows error messages similar to the following: Discovery Failed! -- Unable to discover device to be managed - https://<device-designation>, with error You must update the device's framework before you can manage it state POST_FAILED -- Unable to discover device to be managed - https://<device-designation>, with error could not upgrade REST framework state POST_FAILED. This occurs when trying to discover a second chassis device as part of a BIG-IQ Security HA configuration; AFM might be required to encounter this issue. This appears to be a rarely encountered, possibly environmental or timing-related issue that cannot be reliably reproduced. To work around it, reboot the device. This clears the problem and allows the device to be discovered.
582701 Network Security (AFM) In Internet Explorer and Edge browsers, the HTML report fails to generate when the report has too much data to display, which can be caused by selecting a large number of devices to generate the report and/or by the data per device being too large. There are two possible workarounds: 1) Use Firefox or Chrome. 2) Reduce the number of devices selected for the report.
583142 Network Security (AFM) If you search for a NAT firewall policy that is attached to the Global context using the search filter above the navigation list or in the Global screen, no results will be returned. NAT firewall policies that are not attached to the Global context can be searched for and found.
583456 Network Security (AFM) User changes to objects in LTM are not synchronized to AFM and ASM in some cases. After LTM is imported, users may change virtual servers, route domains, and self IP addresses in LTM on the BIG-IQ system. If AFM and ASM are discovered before these changes are deployed in LTM, the changes are not synchronized with AFM and ASM when they are imported. If AFM and ASM have already been imported when these changes are made in LTM, the changes are synchronized to AFM and ASM. If the configurations in LTM, AFM, and ASM are not synchronized, AFM and ASM deployments may fail. The following conditions are required to cause this issue: 1. LTM is imported but AFM and ASM are not imported. 2. The user creates, modifies, or deletes virtual servers, route domains, or self IP addresses in LTM. 3. AFM and ASM are discovered before LTM deploys the changes. To work around this, rediscover and reimport AFM and ASM after LTM is deployed.
590102 Network Security (AFM) Logging Profile Application Security configuration management is not supported in BIG-IQ 5.0 for devices running BIG-IP version 12.1.0. When the logProfile application subcollection is enabled in the BIG-IQ system interface and applied to a virtual server on a BIG-IP device running software version 12.1.0: (1) After reimport of Network Security or Web Application Security services, deployment evaluation shows differences related to the log profile application subcollection. (2) Deployment may then fail for this configuration for Network Security or Web Application Security services. Reimport after deployment shows spurious differences, and re-deployment of the configuration can fail. This issue is fixed in BIG-IP software versions 12.1.0 HF1 and 12.1.1 and higher. The workaround is either to not configure application security in logging profiles that are attached to virtual servers on BIG-IP devices running software version 12.1.0, or to upgrade affected BIG-IP devices to software version 12.1.0 HF1 or later.
590391 Network Security (AFM) Relationship searches performed from firewall configuration objects traverse associations only up to the firewall policy level. Relationships above the policy level (contexts and devices) are out of scope and will always return (0) as the result. This limitation is necessary to avoid excessive system resource utilization during related-to searching. To see all relationships for a given firewall configuration, run the related-to search from the firewall policy object. The search will then traverse all relationships both up to the associated devices and down to all associated configuration objects.
590492 Network Security (AFM) BIG-IQ Shared Security Device DoS only supports the following DoS Single Endpoint vectors for an 11.5.3 BIG-IP device: Any ICMP IPv4, Any ICMP IPv6, Any IPv4, and Any IPv6. The following vectors are not supported: Any UDP IPv4, Any UDP IPv6, TCP SYN without ACK IPv4, and TCP SYN without ACK IPv6. An error like the following is shown when a user tries to configure unsupported Single Endpoint vectors for an 11.5.3 BIG-IP device: "The system returned an unexpected error (400 Bad Request). dos-device-config is invalid on device bigip3.dmeast.acopianet.com (10.1.1.11), device doesn't support enhanced 11.6.0 features." As a result, the user cannot use the unsupported vectors with BIG-IP version 11.5.3. To see this, select Device DoS from Shared Security; from Device DoS, under Device Configuration, select Single Endpoint. Neither Single Endpoint Flood nor Single Endpoint Sweep supports the previously listed vectors with BIG-IP version 11.5.3.
593673 Network Security (AFM) A BIG-IP cluster may go out of sync if a user tries to deploy a NAT firewall policy that is attached to a route domain. If the issue occurs, a verification warning is shown to the user with two options, which are also the two workarounds: 1. Remove the NAT policy association from the route domain and create a fresh evaluation again. 2. Continue to deploy and manually apply the changes on the BIG-IP devices if they are in a cluster. If the user does not follow either option, the deployment may cause the cluster to go out of sync.
593912 Network Security (AFM) Configuring a firewall rule with a Domain Name of the form <number>.<number>.<number> (for example, '1.2.3') is allowed by BIG-IQ but fails on deployment to the BIG-IP device. Since the BIG-IP device rejects this configuration, you should not use this form of Domain Name in BIG-IQ. While a Domain Name of '1.2.3' is technically legal, it is not possible to use it in the configuration of firewall rules on the BIG-IP device. There is no workaround other than avoiding this form of Domain Name.
595302 Network Security (AFM) Some BIG-IQ DoS Profile fields have incorrect upper boundaries for fields that support ranges. Where the BIG-IP system supports up to 4294967295 for many fields, in some places BIG-IQ supports only a maximum value of 2147483647. When a value above the BIG-IQ upper range is specified, the resulting error messages may not be as useful as possible. The following error messages might be displayed if you specify too large a number for a DoS Profile field: "This value is too large" or "The system returned an unexpected error (400 Bad Request). Invalid JSON posted - could not deserialize to class com.f5.rest.workers.security.shared.config.dosProfile.state.DosProfileApplicationState." When attempting to set the maximum value for a field, use 2147483647. Refer to the BIG-IP DoS Profile documentation to find the correct maximum value for a particular field.
595822 Network Security (AFM) Deployments will fail if a firewall NAT policy coexists with existing LTM pools (either SNAT/LSN/Automap or LTM Pool). If a virtual server has a firewall NAT policy attached along with LTM pools (either SNAT/LSN/Automap or LTM Pool) configured, the deployment will fail. No verification warning or critical error is displayed to the user prior to the deployment failing.
596080 Network Security (AFM) Logging profiles that are in use by a NAT policy and deployed on a BIG-IP device cannot be removed from NAT policy and deleted in one deployment step. If this happens, the system will get into a state where deployment will never succeed unless the BIG-IP configuration is reimported or the workaround is used. To delete logging profiles, use the following steps. Step 1: Delete the logging profile reference from the NAT firewall policy. Step 2: Deploy this change to the BIG-IP device. Step 3: Remove the device association from the logging profile and then delete the logging profile. Step 4: Deploy this change to the BIG-IP device.
597094 Network Security (AFM) In the Log Profile NAT sub-profile, if the Include Destination Address/Port check box is cleared for Start Outbound Session or End Outbound Session and deployed, the BIG-IP device does not show the value as cleared. This is caused by an issue in the BIG-IP system communication API between the BIG-IQ system and the BIG-IP device. This issue prevents the proper clearing of the value on the BIG-IP device, and will cause subsequent evaluation differences for the Log Profile. This issue only occurs if the Include Destination Address/Port was previously in the checked state on the BIG-IP device. This issue can only be corrected by clearing the check box for the associated value on the BIG-IP device, or by upgrading to a version of BIG-IP software that has the issue resolved in the BIG-IP API.
425406 Platform The status of a BIG-IQ in an HA configuration always displays in the command line interface as ACTIVE.
481360 Platform An erroneous warning icon with a 'Device is not available' error might show in either the BIG-IQ Device or BIG-IQ Security areas for managed BIG-IP devices, even though the BIG-IQ system can reach those devices. The system posts the erroneous message that the device is not available; however, you can still reach the system using HTTPS and SSH, and there is no functional issue with the BIG-IP system. The actual issue is that the BIG-IQ system fails to provide the correct status. The specific conditions under which this occurs are not easily reproducible. There is no workaround.
486335 Platform Device discovery fails with a "Failed to establish trust" error message, and device discovery is not possible until the REST framework is downgraded on the BIG-IP device. This happens when the REST framework on the BIG-IP device is newer than the REST framework on the BIG-IQ system. To avoid this issue, take one of the following actions: (a) From the BIG-IP system: remove the framework RPMs and retry discovery from the BIG-IQ system, specifying to upgrade the framework on discovery. Warning: Do not perform the following procedure on BIG-IP devices running version 12.0.0. (b) From the BIG-IQ system: force the REST framework downgrade using the /lib/dco/packages/upd-adc/update_bigip.sh script with the -f argument to force the install of the framework.
496091 Platform You might not be able to click-to-provision a BIG-IP VE machine on an ESXi host if there is a time stamp issue on the ESXi host; the BIG-IP VE is not fully provisioned. To determine whether this is a time issue, view the BIG-IQ system /var/log/restjavad.0.log file and look for a line similar to the following: Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014. To resolve this issue, refer to the VMware ESXi documentation to set the NTP server or fix the NTP issue, and then restart the click-to-provision VE process.
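As an added example (not part of the release note or F5's own tooling), a Python check that scans restjavad log lines for the message quoted above and reports how far the host clock moved backwards between the two provisioning attempts; the sample log lines are constructed, with only the quoted timestamps taken from the note.

```python
import re
from datetime import datetime

# Message format quoted in the release note; only the two timestamps vary.
_SKEW_RE = re.compile(
    r"Illegal state, startTime is before oldStartTime: "
    r"startTime=(?P<start>[^;]+); oldStartTime=(?P<old>[^.]+)"
)
# Java's Date.toString() layout, e.g. "Wed Dec 10 22:10:27 GMT 2014".
_JAVA_DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"


def parse_java_date(text):
    """Parse a Java-style date; strptime accepts 'GMT' and 'UTC' for %Z."""
    return datetime.strptime(text.strip(), _JAVA_DATE_FMT)


def find_clock_skew(lines):
    """Return one record per skew message found in the given log lines.

    Each record is (line_number, start_time, old_start_time, skew_seconds),
    where skew_seconds = old_start_time - start_time; a positive value is
    how far the clock went backwards between the two attempts.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        match = _SKEW_RE.search(line)
        if not match:
            continue
        start = parse_java_date(match.group("start"))
        old = parse_java_date(match.group("old"))
        hits.append((number, start, old, int((old - start).total_seconds())))
    return hits


def worst_skew_seconds(lines):
    """Largest backwards jump seen, or 0 when the log has no skew messages."""
    return max((hit[3] for hit in find_clock_skew(lines)), default=0)


# Constructed sample log. The timestamps on the third line are the ones quoted
# in the release note; the other lines are made up to show they are skipped.
SAMPLE_LOG = """\
[INFO][1][10 Dec 2014 22:10:00 UTC][ProvisioningWorker][main] starting VE provisioning
[WARNING][2][10 Dec 2014 22:10:20 UTC][RestOperation][main] retrying request
[SEVERE][3][10 Dec 2014 22:10:27 UTC][ProvisioningWorker][main] Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014.
[INFO][4][10 Dec 2014 22:10:28 UTC][ProvisioningWorker][main] provisioning task marked FAILED
"""

if __name__ == "__main__":
    for number, start, old, skew in find_clock_skew(SAMPLE_LOG.splitlines()):
        print(f"line {number}: host clock went back {skew}s "
              f"(startTime={start}, oldStartTime={old})")
```

Run it against the real file with `find_clock_skew(open("/var/log/restjavad.0.log"))`; a non-zero result is the cue to fix NTP on the ESXi host before retrying the provisioning.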
497373 Platform When the BIG-IQ system discovers or re-discovers a multi-slot VIPRION device, it prompts the device to upgrade its framework regardless of its current version, so a framework upgrade is triggered with any framework revision present on the VIPRION device. All multi-active-slot devices are affected. Always allow discovery to upgrade the framework, even in cases where it seems unnecessary. You can only discover devices with multiple active slots through the command line, and the BIG-IQ system cannot validate the existing framework revision with this technique.
499273 Platform When managing a large number (dozens to hundreds) of devices, you might notice that memory utilization on the BIG-IQ system is high and that OutOfMemory exceptions are reported in /var/log/restjavad.*.log or the /var/tmp/restjavad.out file. If restjavad is indeed leaking socket connections, it eventually runs out of file descriptors and/or reports OutOfMemory exceptions in those files. The BIG-IQ restjavad process expires outbound REST operations that have not completed after 60 seconds; this can occur when a managed BIG-IP device is unresponsive or there are network communication problems. The following shell command shows sockets that are not being closed over time: lsof -p <restjavad PID>. If you cannot communicate with the managed BIG-IP devices, attempt to fix any network communication problems by pinging or routing to the BIG-IP device from the BIG-IQ system, and then restart the restjavad process on the BIG-IQ system by typing the following command: # bigstart restart restjavad
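As an added example (not from the release note or F5), a Python helper that compares two captures of `lsof -p <restjavad PID>` taken some minutes apart and flags socket growth by TCP state, so the leak can be confirmed before restarting restjavad; the lsof rows, the 192.0.2.x addresses and the 50-socket threshold are constructed assumptions.

```python
import re
from collections import Counter

# The TCP state appears in parentheses at the end of a TCP row, e.g. "(CLOSE_WAIT)".
_STATE_RE = re.compile(r"\((\w+)\)\s*$")


def socket_states(lsof_output):
    """Count network sockets per TCP state in `lsof -p <pid>` output.

    Only rows whose TYPE column (5th field) is IPv4 or IPv6 are counted;
    regular files, directories and unix sockets are ignored. UDP rows carry
    no state and are counted under 'NO_STATE'.
    """
    counts = Counter()
    for line in lsof_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[4] not in ("IPv4", "IPv6"):
            continue
        match = _STATE_RE.search(line)
        counts[match.group(1) if match else "NO_STATE"] += 1
    return counts


def socket_growth(before, after):
    """Per-state change between two samples; positive values mean growth."""
    old, new = socket_states(before), socket_states(after)
    return {s: new[s] - old[s] for s in set(old) | set(new) if new[s] != old[s]}


def leak_suspected(before, after, min_growth=50):
    """True when the total number of network sockets grew by min_growth or more.

    Connections that are opened and closed normally do not accumulate, so
    steady growth across samples taken minutes apart is the signal. The
    threshold is an assumption to tune per deployment.
    """
    total_before = sum(socket_states(before).values())
    total_after = sum(socket_states(after).values())
    return total_after - total_before >= min_growth


# Constructed lsof rows in the standard column layout. 192.0.2.10 stands in for
# the BIG-IQ and 192.0.2.21 for a managed BIG-IP that stopped answering.
_HEADER = "COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME"
_ROWS_COMMON = [
    "java    4321 root  cwd    DIR   253,0     4096    2 /",
    "java    4321 root    4u  unix 0xc0ffee     0t0 12345 socket",
    "java    4321 root   12u  IPv4 0x1a2b3c     0t0   UDP *:514",
    "java    4321 root   20u  IPv4 0x1a2b40     0t0   TCP *:8100 (LISTEN)",
]


def _peer_rows(count, state, first_port=40000):
    """Constructed outbound connections from restjavad to the managed BIG-IP."""
    return [
        f"java    4321 root  {100 + i}u  IPv4 0x2b{i:04x}     0t0   TCP "
        f"192.0.2.10:{first_port + i}->192.0.2.21:443 ({state})"
        for i in range(count)
    ]


# First capture: a few healthy connections. Second capture, minutes later: the
# peer closed its side but restjavad never did, so CLOSE_WAIT sockets pile up.
SAMPLE_BEFORE = "\n".join([_HEADER, *_ROWS_COMMON, *_peer_rows(3, "ESTABLISHED")])
SAMPLE_AFTER = "\n".join([
    _HEADER, *_ROWS_COMMON,
    *_peer_rows(2, "ESTABLISHED"),
    *_peer_rows(64, "CLOSE_WAIT", first_port=41000),
])

if __name__ == "__main__":
    print("growth by state:", socket_growth(SAMPLE_BEFORE, SAMPLE_AFTER))
    print("leak suspected:", leak_suspected(SAMPLE_BEFORE, SAMPLE_AFTER))
```

On a live system, capture `lsof -p <restjavad PID>` to two files a few minutes apart and pass their contents to `leak_suspected`; a growing CLOSE_WAIT or ESTABLISHED count toward one device points at the unresponsive peer to investigate first.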
510102 Platform Firefox version 30 or later, and Internet Explorer version 11 or later, ignore the autocomplete="off" attribute in HTML. When using one of these browsers with the default autofill or password management settings, the browser might automatically populate a password field in the BIG-IQ user interface. If the password autofill behavior is not wanted, disable the autofill or password management features of the browser. Another workaround is to use the Google Chrome browser, which still honors autocomplete="off" in HTML.
513613 Platform If someone modifies the certificate information on a managed device (for example, changing the certificate's canonical name), that device becomes unavailable to the BIG-IQ system managing it. The impact is functional: performance degradation, and any attempt to communicate with the BIG-IP device fails until restjavad is restarted on the BIG-IQ device. However, even after the restjavad restart restores BIG-IQ-to-BIG-IP device communication, subsequent changes to the certificate will again disrupt communication. This affects BIG-IQ 4.5 managing BIG-IP devices whose device certificates change. There are two workarounds for this situation; the first (A) is the recommended one. Workaround A.) With this solution, communication (and device discovery) is restored and socket reuse is disabled for the BIG-IQ system. Disabling reuse can impact performance, but future changes to the authentication certificate do not disable management for the device. 1. Using SSH, log in to the BIG-IQ system as root. 2. Stop restjavad by typing the command: bigstart stop restjavad. 3. In /etc/bigstart/scripts/restjavad, edit ARGS="--port=8100 ..." to read as follows: ARGS="--port=8100 --isConnectionReUseDisabled=true ...". 4. Start restjavad by typing: bigstart start restjavad. Workaround B.) With this solution, communication (and device discovery) is restored, but future changes to the managed device's authentication certificate again disable device management and require a restjavad restart. 1. Using SSH, log in to the BIG-IQ system as root. 2. Start restjavad by typing the command: bigstart start restjavad.
516565 Platform BIG-IQ logs events not associated with local traffic management to the /var/log/ltm file. This happens whenever BIG-IQ is in use, whether or not LTM is present in the environment, because BIG-IQ uses the /var/log/ltm file for system events and other messages based on the TMOS architecture. If you want, you can configure BIG-IQ to save events to different local logs or set up remote logging.
516649 Platform After an upgrade to one of the interim hotfix builds, one of the BIG-IP devices might fail deployment with an auth token failure. The device needs to be removed from the ASM module and then rediscovered. After the upgrade to this hotfix build, remove the devices and then re-add them to clear the previously reported false differences.
517723 Platform In some cases, you cannot access the BIG-IQ system user interface when you use Mozilla Firefox version 37 or later. BIG-IQ system interface becomes inaccessible or unusable with Firefox 37 or later. This can happen when you use Mozilla Firefox version 37 or later. To work around this issue, delete the Firefox cert8.db file or open Firefox and click Help :: Troubleshooting, and go through the Refresh Firefox process. Alternatively, you can use Chrome or Internet Explorer to access the BIG-IQ system.
520171 Platform During discovery where a Framework Upgrade is done using the Root/SSH method from the BIG-IQ system interface, discovery can fail with the "Connection Refused" error message from SSH. To work around this, sync the date and time of the source and target machines, and retry the operation.
521513 Platform On a BIG-IQ HA setup with two devices, when you go to create a backup from the backup blade and look at the Devices box, it only shows one device in the HA-Peer group. The other device is there but cannot be seen and there are no scroll bars. This gives the impression that there are no more devices. You can click in this box and use your arrow keys to scroll down.
521867 Platform If the /shared disk partition is running low on disk space, a software upgrade fails with the error message: "create_ucs failed; No such file or directory". The BIG-IQ configuration is not loaded on the upgraded boot location and the software upgrade is marked as failed. The /shared partition has a limited amount of free disk space. The amount of free space required varies based on the configuration on the BIG-IQ, but should be approximately double the size of the /var/config/rest directory. To avoid this issue, /shared needs to have additional free space. You can accomplish this by deleting files from the /shared disk partition or by extending the disk partition to be larger (procedure described in SOL14952).
526684 Platform When BIG-IQ updates the REST framework for a BIG-IP device (a framework upgrade from the BIG-IQ UI), restjavad restarts on the managed device and displays the following message in restjavad.log: [SEVERE][4][04 Jun 2015 06:32:22 UTC][RestWorkerHost][main] java.lang.NoSuchFieldError: LUCENE_47. To work around this issue, from the command line of the BIG-IP device, type the following 4 commands: (1) mount -o remount,rw /usr (2) rm -rvf /usr/share/java/lucene-analyzers-common-4.2.1.jar (3) rm -rvf /usr/share/java/lucene-core-4.2.1.jar (4) mount -o remount,ro /usr
528253 Platform When a user is logged in as a non-admin user, the Roles panel does not appear. Without the Roles panel, the non-admin user cannot determine their administrative-role assignments.
532781 Platform The system interface reports the memory allocated to the BIG-IQ VE as 4096 MB, even if more than 4 GB of memory has been allocated to the Virtual Edition. To view the memory actually allocated to a VE, use the free command from the command line interface, or use hypervisor reporting.
545130 Platform After a UCS restore on a BIG-IQ HA pair, the HA cluster goes down. This occurs because the SSL certificates on the system when the UCS backup was run differ from (are out of date relative to) the SSL certificates in use with the software on which the UCS restore is run. The new certificates are overwritten with the backed-up certificates, causing the HA cluster to break. To recover, re-establish the HA cluster.
550394 Platform When an HA sync is performed, the storage from the primary system overwrites the storage on the secondary system. This causes any active sessions on the secondary system to terminate, because the auth tokens are overwritten. The impact is minimal, because users should not be using the secondary system: any changes made on it will be overwritten on the next sync. To recover, log back in to the secondary system.
553670 Platform After promoting the peer device to primary in a BIG-IQ HA setup, the system interface of the new primary system may come back and be accessible before all entries in the blades are populated. A finite amount of time may be needed to populate the yet-to-be-filled-in data. A browser refresh might expedite recovery.
556553 Platform After adding a VLAN and Self-IP address to a previously discovered BIG-IP device on VIPRION, the new VLAN and Self-IP are not read by BIG-IQ, even after rediscovery. The change in VIPRION networking configuration does not automatically update BIG-IQ. Click the Refresh button on the device properties screen (next to the Network Config option) to sync the networking configuration.
570048 Platform It is possible to create multiple device groups with the same display name. Since the system interface presents the display name when selecting device groups, having multiple device groups with the same name makes the selection ambiguous, and a user could select an incorrect device group when performing operations. Change the display name in the device group properties to disambiguate the device groups.
571812 Platform The HA cluster cannot be created, and HA is not functional because the datastore or UCS backups cannot be synchronized. The secondary machine has an error similar to this in the restjavad.*.log files: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ The secondary has an invalid or stale entry in known_hosts for the primary, which prevents the trust relationship from being formed and used by rsync. From the command line, remove the invalid entry from /root/.ssh/known_hosts.
575997 Platform Under certain conditions, a user on a workstation with multiple network interfaces may have their system interface session to the BIG-IQ terminated unexpectedly at seemingly random times. The user session is abruptly terminated, possibly resulting in the loss of whatever data was entered in the current view, and the user has to log back in. On multi-homed workstations with more than one default route to the BIG-IQ, the user's workstation may be configured in such a way that it switches between outbound interfaces when using the BIG-IQ web GUI. The auth token generated for the GUI session is tied to the specific IP address used to request the token. If the workstation switches interfaces during the session, the BIG-IQ refuses the auth token because it is being sent from a different address, and the GUI interprets this as a session termination; the user is redirected to the login page. If the workstation OS is attempting to load-balance across the multiple routes, the user may end up in a loop where they log in and are immediately sent back to the login page. If users find themselves in the situation where their OS is switching between interfaces (which should be rare), they might need to disable one of the network interfaces. For example, if using a notebook computer in a docking station with a wired Ethernet and a wireless Ethernet connection, the user may need to disable the wireless link while using the BIG-IQ.
581471 Platform Users are unable to change the "Bind Password" value for LDAP auth providers. This occurs when attempting to change the "Bind Password" field, or when setting the "Connect Timeout" or "Read Timeout" fields to values greater than 2147483. To resolve this, delete and recreate the auth provider with the wanted "Bind Password" value.
581822 Platform When IE v11 zoom is set to 100% before logging in to get to the Web Application Security snapshots screen, all snapshot columns are present. However, when IE v11 zoom is set to 125% before logging in to get to that screen, the snapshot name column is cut off. Once the snapshot name column is cut off, changing the zoom to any other value does not fix the issue: the snapshot name column continues to be cut off. This is only seen in IE11, if the initial zoom is set to 122% or greater; it was seen at 122% zoom with a screen resolution of 1920 x 1080, IE11 version "11.0.9600.18204 Update Versions: 11.0.28 (KB3134814)", and Windows 7 version "6.1.7601 Service Pack 1 Build 7601". To work around this, navigate away from the Web Application Security Snapshot screen, and then navigate back to it.
584666 Platform Some grid columns may not be visible when the grid is too wide to fit into the current browser window. To work around this issue, either increase the width of your browser window until all columns are visible, or change the visible columns by clicking the gear icon at the upper right corner of the grid and adding or removing columns until the desired columns are visible.
585713 Platform BIG-IQ Logging Snapshots cannot be restored.
585996 Platform Both peers of a cluster are presented as Green/Active on the BIG-IQ HA Inventory screen, even though the HA cluster creation has failed, and the BIG-IQ Status indicator on top of the screen correctly displays "Red/HA Error." The HA cluster is falsely presented as Healthy and ready for failover when in reality HA failover is impossible. Something happened that prevented the initial HA Synchronization from completing or otherwise led the HA cluster to become unhealthy. To work around this issue: 1. Use the Status bar at the top of the screen to determine the definitive health status of the BIG-IQ HA cluster and its peers. 2. If the Status bar shows "HA Error", break up the unhealthy cluster by removing the secondary device on the primary device's BIG-IQ HA screen. 3. Re-add the secondary device to form a new BIG-IQ HA cluster. 4. Allow the synchronization to complete, and ensure that the status indicators at the top display green/healthy status on both peers.
586391 Platform When you deploy a BIG-IQ on a hypervisor running DHCP, the IP address you configured during the initial setup might be lost. When this happens, you can only communicate with BIG-IQ through the virtual console. This occurs on a VMware hypervisor running a DHCP service. To fix this issue, log in to BIG-IQ from the virtual console and type the config command. This guides you through the process of reconfiguring the management address, netmask, and gateway address.
588533 Platform The user is warned when trying to delete the node while the service is running, and can choose to proceed and remove the service. However, when the node is re-added, activating the service might not be possible, leaving the logging node unusable after the re-add. This occurs when re-adding a removed node while the listener (service) is running. To work around this issue, after the node is removed, issue a curl request to cancel the listener (ASM, Access, or FPS, whichever was activated):
1. Use SSH to access the logging node.
2. Get the task ID for the service by running the curl command and noting the ID field of the running task.
For ASM: curl localhost:8100/cm/asm/tasks/sysloglistener/
For Access: curl localhost:8100/cm/shared/hsl/listener-tasks/
For FPS: curl localhost:8100/cm/websafe/tasks/listeners
3. Run the following curl command if the service is activated:
For ASM: curl localhost:8100/cm/asm/tasks/sysloglistener/<taskid> -d '{ "Status" : "CANCEL_REQUESTED" }'
For Access: curl localhost:8100/cm/shared/hsl/listener-tasks/<taskid> -d '{ "Status" : "CANCEL_REQUESTED" }'
For FPS: curl localhost:8100/cm/websafe/tasks/listeners/<taskid> -d '{ "Status" : "CANCEL_REQUESTED" }'
588834 Platform On the Logging Node Configuration screen, the Number of Logging Nodes is lower than expected. A node has been lost from the cluster; if there are not enough nodes, the cluster can go to RED status and query results might be incomplete. This occurs: 1. When there is a networking outage for more than 15 minutes in the cluster. 2. When the user manually restarts Elasticsearch on the Logging Node and it does not join the ES cluster. To work around this issue: - Log on to the BIG-IQ machine. - Remove the problematic logging node. - Re-add the logging node back to the system.
589283 Platform If you make a change to an alert setting, it might take up to 8 hours for BIG-IQ to implement those changes.
589515 Platform Unicode characters in the device name are translated to underscore characters when the device group is saved. Customers will not be able to use Unicode in a meaningful way in device group names. Avoid using Unicode characters in device group names.
589619 Platform A device might be marked unavailable after a BIG-IQ HA upgrade from version 4.6 to version 5.0.0. When the version 5.0 upgrade procedure is not properly followed, upon completion of the upgrade of the formerly-standby BIG-IQ, all BIG-IP devices are manageable only from the formerly-standby node. None are manageable from the formerly-active node. This occurs during a BIG-IQ HA upgrade. Follow the documented upgrade procedure for the version 5.0 release to avoid this issue.
590514 Platform Certificate Expiration emails report stale Expiration Date following certificate renewal.
590962 Platform If the guest is provisioned with more memory than the actual reservation of the memory, then under load the BIG-IQ can become unstable and daemons could begin restarting continuously. The system could become unstable. A virtual environment BIG-IQ guest (VM) must have the memory provisioned the same as the reserved amount.
591335 Platform The online help may not update when you switch from one context area to another. For example, if you're on a Device screen, and switch to ADC, the online help may appear as the screen you last viewed in the Device context. Sometimes it can update after a waiting period. You may have temporarily inaccurate online help. This can occur when you switch functional areas from the main BIG-IQ menu. To work around this issue, you can close the help window and click the help icon again.
591760 Platform The user goes to System -> Logging Nodes, selects multiple nodes, and clicks Remove Node. The user continues; however, after a few minutes, one or more of the nodes still remain in the system interface, and the user was not able to delete the nodes from the logging cluster. When the user goes to System -> Logging Configuration, the log node count is reduced. To work around this issue: Remove the node again through the system interface, and it will be deleted. Sometimes the logging service might be unavailable (check by going to System -> Logging -> Logging Configuration; it will show an error saying "Elasticsearch unavailable"). In that case, take the following steps:
1. Remove the field min_master_count in /var/config/rest/Elasticsearch/Elasticsearch.json
2. Remove the file "global*.st" in "/var/config/rest/elasticsearch/data/<cluster_name>/nodes/0/_state"
3. Run "bigstart restart Elasticsearch"
593096 Platform To create an FPS snapshot and upgrade an FPS cluster, you must access the command line of each BIG-IQ management station. You must also use the REST API on the active BIG-IQ system. Contact F5 Support to upgrade your FPS service with a new hotfix.
593126 Platform Firefox 46 may freeze intermittently while user is browsing the BIG-IQ system interface or attempting to access the login screen. The user might be significantly slowed by the browser's performance issues. This might occur when the user is using Firefox version 46 and using the default self-signed SSL certificate configured in webd. Use Google Chrome to access the BIG-IQ system interface, or possibly use a version of Firefox other than v46, or use Microsoft Edge or Internet Explorer 11.
594275 Platform The help display cannot be seen until the screen is refreshed. The help display is no longer visible, and cannot be brought back into the visible area. This happens when Help is dragged outside of the visible window, or when the window is resized to be small enough that the dialog box is no longer visible. Refresh the screen to reset the position of the help display.
594289 Platform Discovery fails due to collision of device identifiers. Inability to discover and manage BIG-IQ HA pairs, BIG-IP, and Logging Nodes. The mechanism is the same for all discovered devices in BIG-IQ: the contents of the file /config/f5-rest-device-id must be unique across all discovered devices. Cloning an image of a running BIG-IQ results in a copy of this file on both virtual appliances, which violates the assumption that all devices have unique identifiers. On the cloned device, remove the file /config/f5-rest-device-id and restart restjavad. This will generate a unique machine identifier.
# bigstart stop restjavad
# rm -f /config/f5-rest-device-id
# bigstart start restjavad
595364 Platform  
596082 Platform 1) The "Promote to Primary" button is functional for the secondary BIG-IQ peer when it is selected from the list, even though the cluster is in an unhealthy HA error state. 2) The "Last Successful Sync" field incorrectly displays a successful Sync completion for the first 10 minutes after the initial, unsuccessful BIG-IQ Cluster synchronization attempt. The secondary peer in the BIG-IQ HA cluster is falsely presented as up-to-date and available for failover when actually the data from the primary peer has not been synchronized, and an HA failover is impossible. Something happened that prevented the initial HA Synchronization from completing or otherwise led the HA cluster to become unhealthy. 1. Use the Status bar at the top of the screen to determine the definitive health status of the BIG-IQ HA cluster and its peers. 2. If the Status bar shows "HA Error", do NOT use the "Promote to Primary" functionality of the secondary peer. 3. As soon as possible, break up the unhealthy cluster by removing the secondary device on the primary device's BIG-IQ HA screen. 4. Re-add the secondary device to form a new BIG-IQ HA cluster. 5. Allow the synchronization to complete, and ensure that the status indicators at the top display green/healthy status on both peers.
597225 Platform The browser may be caught in an infinite redirect loop. The application will not be accessible. This can occur when upgrading directly from BIG-IQ version 4.5 to 5.0, if the preferred default page is set to "Last visited", and the last visited page before upgrading is Cloud. There are two workarounds for this problem. The easiest workaround is as follows: Close the browser tab that is stuck. Then open a new browser tab, type the following text into the browser's location bar, and press Enter:
https://<BIG-IQ IP or hostname>/ui/system-management/inventory/users
The application should attempt to access the Users screen, and then redirect back to the login screen. At this point you should be able to log in successfully. If this doesn't work, the following workaround will reset user preferences entirely: Use SSH to access the BIG-IQ. From the BIG-IQ command prompt, issue the following command (if the user is not admin, replace occurrences of the word "admin" with the affected username):
restcurl shared/authz/users/admin/ui-preferences -X PUT -d '{ "key": "USERPREFS", "value": { items: [] }, "kind": "shared:authz:users:admin:ui-preferences:uipreferencesstate", "selfLink": "https://localhost/mgmt/shared/authz/users/admin/ui-preferences/USERPREFS" }'
597695 Platform Web Application Security event logs will not be received on the logging node after the backup and restore process if the Web Application Security service is activated before the restore step. Older event logs that were restored from the backed up data will show up in the system interface, but newer event logs will not. Logging nodes need to be added during the restore process and the Elasticsearch cluster should be active during the restore step. Web Application Service should not be activated during this procedure.
598057 Platform HTTP Basic Authentication is disabled by default. To enable Basic Authentication, log in to the command line and type: set-basic-auth on. To disable it, type: set-basic-auth off.
598318 Platform After creating a BIG-IQ HA pair, there have been occasions where the secondary BIG-IQ's UI remains unavailable and the HA status from the primary BIG-IQ shows "Peer Down". The underlying reason is that tokumond and tokumx were stopped but never restarted. This can be seen by issuing the following command: "bigstart status". If the issue has been encountered, tokumx and tokumond will be down. To work around the issue, on the secondary BIG-IQ, issue the following command: bigstart restart
598407 Platform At times when a BIG-IQ HA pairing is performed, the UI will show an "HA Error". If this issue is encountered, the secondary BIG-IQ's restjavad.0.log will show this error: "failed to synchronize cluster: java.io.IOException: Connection reset by peer". To work around the issue, break the HA pair (that is, remove the secondary device from the primary device in System Management -> Inventory -> BIG-IQ HA) and retry forming the BIG-IQ HA pair.
598543 Platform TMM may crash if it receives a malformed packet. TMM may produce a core file and will restart. None.
514694 System Forms containing usernames and passwords in a Mozilla Firefox browser might not function as expected. The values for username and password display, but you cannot click the button to submit. The user might not understand why the form cannot be submitted. This would occur only in the Firefox browser, and only if the "remember passwords for sites" feature is enabled. It may also occur if the user has installed a 3rd party password management utility as an addon to Firefox. Use one of the following solutions to work around this issue:
- From the Preference setting of the Security section, disable the "remember passwords for sites" feature.
- Instead of using a Firefox browser, use Chrome or Internet Explorer to access the BIG-IQ system.
- Retype the username and password values for all forms.
584649 System After upgrade, the SMTP destinations are not retained. You must re-enter the SMTP destination configuration after upgrade. Occurs when you have SMTP destinations configured in a 4.x installation, and you upgrade it to 5.0.
585769 System After creating a new Snapshot Schedule in BIG-IQ Logging, if the Snapshot Schedules field displays "N/A", this might indicate that a snapshot schedule won't run. If you did not encounter an error message while creating the snapshot schedule, BIG-IQ should correctly create a new snapshot at the next scheduled time. When the Snapshot Schedule is listed as "N/A" it may or may not be running a snapshot schedule.
595479 System While attempting to upload a BIG-IQ image, sometimes the upload may get stuck and never complete. The user may have to use a web browser other than IE11, like Firefox or Chrome. This issue occurs when uploading an image using Internet Explorer 11. Use Firefox or Chrome when attempting to upload an image.
471353 Web App Security (ASM) When the BIG-IP sends log items to the LOG-IQ node, it does not send the encoding. Therefore, some of the content displays as question mark characters instead of the real content. For example, the request http://23.23.23.23/aXXXa (where "X" is a character with an unrecognized encoding). The only attribute that the request displays correctly is the violation_details where all the buffers are base64 encoded.
488830 Web App Security (ASM) ASM Security policies can only be deployed from the latest working configuration and not from ASM snapshots.
505799 Web App Security (ASM) BIG-IQ Security Web Application Security policy in blocking mode might block legitimate traffic. Legitimate traffic that should pass the block configured for this policy might be erroneously blocked. This occurs when using pre-version 12.0.0 BIG-IP software-created BIG-IQ Security policies. Because of how the BIG-IP system communicates with the BIG-IQ system, the resulting Web Application Security policy contains no allowed URLs for the BIG-IP system. Use BIG-IP version 12.0.0 to work around this issue.
515552 Web App Security (ASM) When using the Web Application Security Event Log some filters are not producing the expected result set. These filters are only available on the Web Application Security Event Log GUI screens and are related to searches for events that contain a specified string.
515924 Web App Security (ASM) When using the out-of-band XML policy importing mechanism for importing a policy, the following issue was discovered. If you export a Web Application policy to a BIG-IP system and import the same policy later, the imported policy does not contain any character sets.
516107 Web App Security (ASM) When deploying a policy from Web Application Security, a log message in restjavad.log may indicate nonexistent differences in the character-sets section. The GUI displays the correct differences, if there are any. You can safely ignore this log message.
516116 Web App Security (ASM) After a hot-fix to hot-fix upgrade, rediscovery using Web Application Security showed false conflicts and restnoded began to restart continuously. This was only seen in one testing environment and not in others. The issue occurred in an environment with more than 50 ASM policies. When the number of ASM policies was reduced to 10, the device rediscovery completed successfully. For memory limited BIG-IQ VE installations, reduce the number of ASM policies per device to under 20.
516270 Web App Security (ASM) On changing a virtual server's Web Application Security policy setting from one policy to another, and then deploying the change, the BIG-IQ system reported that the deployment failed. However, the policy assignment successfully changed at the BIG-IP device. This issue is dependent on fixes for 2 BIG-IP 11.5.2 HF1 issues: 464735 and 464750. This does not occur for BIG-IP devices running other software releases.
516545 Web App Security (ASM) In the ASM policy object, the user can define custom parameters. If the user is editing an existing user-defined parameter and the Data Type for the parameter is set to decimal, the deployment may fail if the Minimum or Maximum values are changed so that the number of decimal places is extended, or one of the values is changed so that it appears as an integer. This is an issue with BIG-IP v11.5.2 HF1 only, and does not occur with other BIG-IP releases. The UI accepts the change, but the deployment task will fail.
516585 Web App Security (ASM) 4.5.0 HF2 fixes issues where the BIG-IQ was incorrectly identifying differences between the BIG-IP ASM configuration and the BIG-IQ device's view of the ASM configuration. The fixes are implemented as part of the discovery mechanism. Due to the upgrade process in 5.0.0, users are required to rediscover and import their devices. This process will ensure that all policy information is current.
517069 Web App Security (ASM) Event logs from a BIG-IP device can be configured to go through a BIG-IQ logging node to a remote BIG-IQ system, where they are aggregated from multiple BIG-IP devices onto a single BIG-IQ interface. It is possible to create a situation where some Web Application Security logs do not go through the logging node all the way to the BIG-IQ system. Clear log storage on the BIG-IQ and the BIG-IQ logging node, remove and replace the logging profile on the BIG-IP's virtual server, and remove and replace the logging node from the BIG-IQ system's logging group.
518575 Web App Security (ASM) If you attempt to discover a BIG-IP device running version 11.5.2 EHF1-19, the discovery fails with the message "Error querying iControl Rest for ASM Policy - Response Pages in." Delete one of the installation volumes on the BIG-IP system and re-install the BIG-IP hotfix. For example, these are the tmsh commands to remove the volume and install the hotfix:
# tmsh delete sys software volume HDx.y
# tmsh install sys software hotfix Hotfix-BIGIP-whatever-hotfix.iso volume HDx.y create-volume reboot
where 'HDx.y' is any desired target software volume. After the boot, run the following commands:
# /usr/share/ts/bin/add_del_internal add rest_api_extensions 1
# tmsh restart sys service asm
Wait for the BIG-IP device to become 'Active' again and then restart the discovery process from the BIG-IQ system.
518734 Web App Security (ASM) The client UI appears to be functional for users who were already logged in, even though restjavad is no longer running and the underlying server is not available. It appears that the UI is hung, but the actual problem is that the server is no longer running. This occurs when a user logged in before restjavad stopped or crashed, and then attempts to do something in the UI with restjavad down. Check to see if restjavad is running on the BIG-IQ, using the command "bigstart status restjavad". Restart the restjavad process, using the command "bigstart restart restjavad". Refresh the client UI.
519714 Web App Security (ASM) When using Data Guard in Web Application Security, disabling either Custom Patterns or Exception Patterns will cause the patterns to disappear.
521595 Web App Security (ASM) After the evaluate phase of a BIG-IQ Web Application Security deployment, if an active BIG-IP cluster device goes down before the deployment completes, the BIG-IQ system signals that the deployment has failed, but the deployment does occur on what was the standby BIG-IP device. On BIG-IQ the deployment reports a failure, but the deployment completes successfully on the remaining BIG-IP device which is now the active device.
522986 Web App Security (ASM) When deploying the same deployment again to a BIG-IP version 11.6.0 HF4 cluster with manual sync enabled, differences are displayed that actually do not exist. These false differences are not displayed with other versions of BIG-IP devices.
524603 Web App Security (ASM) When comparing snapshots with differences, there is a lag where the system indicates "No differences were found." After several seconds, the incorrect message is replaced by a view of the snapshot differences.
525277 Web App Security (ASM) Snapshots taken prior to version 4.5.0 HF2 cannot be used in 4.5.0 HF2. Custom signature set support and blocking mask support has been added to the ASM component. To extend support for these new objects, references paths in the ASM policy object were changed. After an upgrade, older snapshots will have obsolete references. Running a difference report against older snapshots and attempting to restore from these snapshots will fail and report the error in the UI. Upgrading of snapshots is not supported in version 4.5.0 HF2.
525968 Web App Security (ASM) Configuration snapshots taken before Release 4.5.0 HF2 do not contain enough information to support the BIG-IQ Web Application Security features in v4.5.0 HF2 and beyond. The BIG-IQ system cannot successfully restore them. As a best mitigation, take configuration snapshots immediately after installing Hot Fix 2 for version 4.5.0 or any later release.
526869 Web App Security (ASM) If a device discovery failed and was not completed successfully prior to upgrading, a device discovery error message might appear in the UI after the BIG-IP device has been upgraded. Prior to version 4.5.0 HF2, the failed discovery task was not being removed from the system. After an upgrade, the system recognizes that the obsolete task has failed and should be removed. The user is prompted to remove the task. Click the OK button on the discovery error message. The system then removes the task and the dialog box does not reappear.
526964 Web App Security (ASM) Discovery By BIG-IQ ASM fails with the error message: "Error received during device discovery due to missing/empty parameter name". This only happens when the BIG-IP device license expires. Make sure the BIG-IP device is licensed and operational prior to discovery.
527759 Web App Security (ASM) When you push a new ASM signatures file to a BIG-IP device that already has that version of the signatures file, the BIG-IP device correctly rejects the update. The BIG-IQ log message in /var/log/restjavad.n.log, however, is misleading about the cause of the push failure: The uploaded Attack signature update file does not match the current version of BIG-IP software. The problem is that the update would not change the current file, not a version mismatch. You can ignore this error. It is benign.
531985 Web App Security (ASM) Discovery of an ASM policy with custom signature set from a BIG-IP 11.6.0 cluster, that is deployed and redeployed to a BIG-IP 11.5.3 device cluster, creates spurious differences. This only occurs if you use the Policy Creation wizard on the version 11.6 BIG-IP device to create the custom signature set. When discovered by the BIG-IQ system and deployed and re-deployed to a version 11.5.3 BIG-IP device cluster, it creates a duplicate signature set. The custom signature set collides with its originally-deployed copy, and is renamed with an "_1" suffix. For example, if the signature set is named "Systems: Apache", the final policy on the version 11.5.3 device has a set named "Systems: Apache_1." Both copies of the signature set, "Systems: Apache" and "Systems: Apache_1," appear on the device. This is due to a BIG-IP device issue, 532030. User-defined signature sets, created manually on the BIG-IP device, do not exhibit this behavior.
533938 Web App Security (ASM) If the user creates a custom header on the BIG-IP device with a name that contains capital letters, BIG-IQ cannot remove that custom HTTP header during a deployment. The deployment task fails and reports an error like the following: AsmDistributeTaskWorker][failed] DELETE to iControl REST failed: "code":404,"message":"Could not get the Header, No matching record was found." On the BIG-IP device, manually remove any custom headers containing capital letters, or change the names of the custom headers to contain only lowercase letters.
538947 Web App Security (ASM) An unexpected user-defined signature set is created on the BIG-IP device after a user deploys custom signature sets from BIG-IQ. BIG-IP issue 532030 was found when using TMOS versions 11.5.3 or 11.6.0 on the BIG-IP devices after deploying custom signature sets from BIG-IQ; the issue occurs only with those specific TMOS versions. The issue can be avoided by moving to TMOS v11.5.3 HF2, v11.6.0 HF6 or above.
539176 Web App Security (ASM) In version 4.6.0, when a policy is removed from a virtual server, it is no longer automatically assigned to the special inactive VIP placeholder as in previous versions.
542812 Web App Security (ASM) When discovering BIG-IP devices with different versions (11.6, 12.0), there is a conflict even if the policies on the BIG-IP systems are imported using the same policy file. None.
543060 Web App Security (ASM) Deployment from Web Application Security fails with an error similar to Malformed XML: DBD::mysql::db do failed: Duplicate entry '9-300000001' for key 'PRIMARY.' This is caused by an issue in how different signature sets can be assigned to the same filter to a policy. Avoid assigning different signature sets with the same filter to a policy.
544039 Web App Security (ASM) Opening the exported event logs CSV file in Microsoft Excel (and possibly other programs) shows the wrong support_id. To work around this issue: 1. Open a new empty sheet in Excel. 2. Go to the 'data' tab and select 'from text'. 3. Select your CSV file. 4. Choose: Delimited (you can also specify character encoding). 5. Check 'comma' and uncheck 'tab'. 6. Find the field (support_id), select it, and choose 'text'.
547996 Web App Security (ASM) A policy exported from BIG-IQ in version 12.0.0 compatibility mode cannot be imported to BIG-IP version 12.0.0. Policy cannot be imported to BIG-IP version 12.0.0. This occurs when using pre-version 12.0.0 BIG-IP software-created BIG-IQ policies. Because of how the BIG-IP system communicates with the BIG-IQ system, the resulting policy cannot be imported to 12.0.0 BIG-IP. None.
552573 Web App Security (ASM) When deploying configuration to a BIG-IP group, the group is marked as not synced in the BIG-IP system even though the user chose "run manual sync". The group is marked as not synced on the BIG-IP system. This occurs in a group that is not configured for 'full sync'. When configuring the HA group, select 'full sync'.
554408 Web App Security (ASM) The Audit Log contains a section for the status of the updateAndPushSignatures task in the 'Signature file' section when you select Details. The BIG-IP device IP address does not appear in this section of the log. There is an issue that occurs if a newer version of the signature file has not been pushed to the device. None needed. This is a cosmetic issue and does not impact functionality.
555187 Web App Security (ASM) BIG-IQ ASM Device: the indicator that the device has been modified is not cleared. In certain cases, users can modify the device configuration, causing the change flag to be set (which indicates that the device has been modified), and then, before deploying, back out the change. To work around this issue, create a deployment task which evaluates the differences between the BIG-IQ configuration and the BIG-IP configuration. In this scenario there are no changes to deploy, so no differences appear, and, as determined by the deployment task, the pending changes indicator will be cleared.
558510 Web App Security (ASM) Evaluation shows unexpected differences after a deployment for wildcard parameters. This is due to BIG-IP issue 559055. The issue occurs only when managing devices that are affected by that bug.
560197 Web App Security (ASM) While discovering the device into the BIG-IQ Web Application Security module, the discovery fails with the following error message displayed in the UI: primary key was not set and cannot be generated. The specified device cannot be discovered until the workaround is applied to the BIG-IP device. The November 2015 update to the ASM signature file added a new system type into the configuration. This configuration did not contain the required unique identifier. During the BIG-IQ discovery process, the lack of the identifier caused the discovery process to fail. The workaround provided below adds a unique identifier to the new system type. Run the following command on the BIG-IP that you are trying to discover and then rediscover the device.
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::SignatureSystem -e "F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh(), rest_entities => ['F5::ASMConfig::Entity::SignatureSystem'])"
566543 Web App Security (ASM) Discovery failure due to corrupt login page configuration on the BIG-IP device. The error shown includes: Error querying iControl Rest for ASM Policy - Login enforcement. The issue happens when the BIG-IP configuration is corrupt (bug 566758). The corruption is usually caused when deploying a policy from BIG-IQ v4.6 and earlier. On the BIG-IP device, connect to the console and run the following command:
mysql -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` PLC -e 'insert into PL_POLICY_PREREQUISITE_ATTRIBUTES (policy_id) select id from PL_POLICIES p LEFT JOIN PL_POLICY_PREREQUISITE_ATTRIBUTES prereq ON p.id = prereq.policy_id where prereq.policy_id IS NULL'
Attempt re-discovery.
573202 Web App Security (ASM) Related to search for custom signature sets shows 0 signatures instead of showing the actual related signatures. Review the signatures that are related to the set using the signatures tab in the Signature Set properties.
575209 Web App Security (ASM) After discovering a BIG-IP device with a custom signature set of type filter-based, if that signature set is changed to type manual on the BIG-IP device and re-discovery is done, the signature set might incorrectly appear on the BIG-IQ. Note that BIG-IQ only supports filter-based signature sets. Remove the signature set from BIG-IQ before re-discovering the configuration.
577670 Web App Security (ASM) Event log records that have violations found on staged entities are not found when searching for those violations. The violations are shown as part of the details of the event log record. This happens due to BIG-IP device behavior that treats those violations differently compared to violations found in regular context (non staged).
579422 Web App Security (ASM) Evaluation shows unexpected differences after deployment for policy building settings (enabled). This is due to BIG-IP device behavior that alters the configuration when the configuration is synchronized. Policy building mode on the BIG-IP device is not configured as set in the BIG-IQ configuration. Happens when deploying the device groups (clusters).
582067 Web App Security (ASM) A "policy not found" discovery error occurs when discovering BIG-IP devices with a corrupt configuration. This happens due to BIG-IP bug 451089. The policy configuration was corrupted either when using binary policy import/export or when policy backups were created as part of the merge procedure. On the BIG-IP device, export the bad policy, delete it, and import it back. Attempt discovery again.
584629 Web App Security (ASM) A BIG-IQ deployment task to a version 11.5 BIG-IP device fails. All deployment tasks will fail. The BIG-IP device has the latest signature update file installed, and BIG-IP bug 560748 has not been fixed. On the BIG-IP devices that are affected by the issue, connect to the console or open an SSH session and run the following command: perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::SignatureSystem -e "F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh(), rest_entities => ['F5::ASMConfig::Entity::SignatureSystem'])"
584797 Web App Security (ASM) Discovery fails showing the errors: "Error querying iControl Rest for ASM Policy - Url" and "Invalid value '7' for field 'type'". Discovery fails. For the issue to occur, the BIG-IP device must be configured with GWT profiles/URLs, running version 11.5.x, and without a fix for bug 585045. Install a fix for bug 585045 on the BIG-IP device if one exists.
584843 Web App Security (ASM) Unexpected differences are seen in the BIG-IQ device deployment UI for the session tracking policy attributes after a deployment to a BIG-IP device running version 12.1.0, because the wrong configuration is set on the BIG-IP device. The result is unexpected differences and deployment of wrong configuration. This happens for BIG-IP devices running version 12.1 that do not have a fix for bug 585054, when deploying policies with customized settings for Session Tracking Violations. Create an additional evaluation and deploy the changes.
584884 Web App Security (ASM) There is a deployment issue of URL header based content profiles. When more than one of these profiles is deployed for a URL, some of the profiles are not deployed. This is due to BIG-IP bug 449231. Patch the BIG-IP device with a fix to bug 449231, if one is available.
585136 Web App Security (ASM) The deployment task fails, and the error message indicates: "Failed pushing changed objects to device <device name>: Could not get the Brute Force Protection, No matching record was found.". The deployment task will fail. This happens when BIG-IQ manages BIG-IP devices running a 12.x version with a customized Brute Force Attack Prevention configuration, and the BIG-IP software does not contain a fix for bug 585352. Patch the BIG-IP system with the fix for bug 585352 if available.
587060 Web App Security (ASM) New policies deployed to BIG-IP devices might have the wrong settings for user-defined signatures if those are created on different BIG-IP devices. Wrong policy settings will be set on the target BIG-IP devices. Subsequent evaluations will show differences. This happens when user-defined signatures are created independently on different BIG-IP devices. Evaluate and deploy again to correct the wrong settings. We also recommend that you add all user-defined signatures through BIG-IQ to avoid the issue.
590213 Web App Security (ASM) Policy configuration is not deployed correctly to standby BIG-IP devices. Creating an evaluation after a successful deployment to a device group shows differences to be deployed to the standby device as it was at the time of deployment. Those differences are consistent with the BIG-IP device configuration as shown by the BIG-IP user interface. The configuration is not deployed correctly. Additional evaluations will show unexpected differences. This happens when deployment is done to a group (cluster) of BIG-IP devices that are affected by bug 578334. It only happens when a policy that did not exist on the BIG-IP device is deployed. Install a fix for bug 578334 on the BIG-IP devices when available, or redeploy the changes when the original change included the addition of a policy to the BIG-IP device.
590604 Web App Security (ASM) BIG-IQ does not manage the learn flag on the BIG-IP policy sub-violations HTTP Protocol Compliance and Evasions. The configuration is not discovered/imported/deployed. Deployment of policy configurations to BIG-IP devices will result in different behavior compared to that on the BIG-IP device from which the policies originated. Note that these are not policy enforcement settings (automatic learning). The issue is only relevant to management of BIG-IP devices of version 12 and above.
591982 Web App Security (ASM) Policy-specific signature settings (enabled, in staging) might not be deployed correctly when the deployment task also deploys other relevant changes. If the deployment includes any change that alters the signatures relevant to a policy, the signatures affected by this change are configured with the settings last set by the BIG-IP system for those signatures, and not the settings that are saved in BIG-IQ. Per-policy signature settings are deployed incorrectly, and an additional deployment task might be required to set the correct values. This happens when policy signature settings are customized on BIG-IP/BIG-IQ and the change that deploys those customizations also includes changes that make these customized signatures relevant to policies. Such changes could include signature set filter changes, adding a signature set to a policy, or a change in user-defined signature attributes. Evaluate and deploy again when such changes are made.
593362 Web App Security (ASM) BIG-IQ does not manage the follow schema link flag on BIG-IP policy xml profiles. The configuration is not discovered/imported/deployed. The flag has a default of enabled, which will be set on the devices managed by BIG-IQ.
593678 Web App Security (ASM) Critical error shown on deployment for 12.x devices with policies originated from 11.x devices. The error states that policy builder settings and violation settings are inconsistent. Example: "Policy /Common/aaa: can't be used on a BIG-IP version 12.0.0. checkMaximumCookieHeaderLength value (true) on policy builder and the matching violation: VIOL_COOKIE_LENGTH (false) have different values." (slightly different cases exist). The policy can't be deployed. The issue happens when automatic policy builder is enabled on the source policy.
596367 Web App Security (ASM) Signature sets: a deployment that changes "Update Date" from "Before"/"After" to "All" does not set the desired value. The deployment task succeeds, but the actual field value does not change. Additional evaluations will show differences. This is due to BIG-IP bug 596366; the problem occurs only when the BIG-IP system does not have a fix for that issue. Either install a fix on the BIG-IP device (if available) or split the deployment task into two: one that deletes the set, and another that creates it with the desired value.
596787 Web App Security (ASM) Exporting Web Application Security event logs fails silently, without any errors in the Web Application Security GUI, when clicking the Select All option. Users cannot retrieve event logs in a CSV file on Chrome/Firefox. The issue happens when the Select All option is used, which selects about 50 event logs per screen; users are still able to download CSV files for a small number of selected ASM event logs in Chrome/Firefox. Event logs can be exported to a CSV file by using Internet Explorer as the browser, or by selecting fewer records at a time.
600317 Web App Security (ASM) The BIG-IQ system reports that the deployment task has completed successfully, but another evaluation or deployment task will show that the attack type value for the custom signature has not changed. Until the workaround is applied, the user will see this configuration difference appear in their evaluation and deployment tasks. This issue occurs when attempting to modify the attack type of an existing custom signature and deploying it to BIG-IP devices running TMOS v11.5.x where that custom signature already exists. To work around this issue, users can create a new custom signature with all the attributes set appropriately and use it to replace the older custom signature wherever it was used.
577761 Web Client Security (FPS) If an Alert URL has spaces in it, such as "http://www.server.com/my site.hm", and you choose an Exact match on the word before the space ("my"), the alert incorrectly shows up as an exact match. Alert results may include false positive alert matches. In general, if the data that is being searched has spaces in it, exact match may return more results than expected with partial matches.
579528 Web Client Security (FPS) This only occurs in a Firefox browser running on a Mac. When you right-click an alert inside an alert group, the "Filter 'related-to'" menu appears, but it typically disappears before you can select it. This behavior does not occur in any non-grouped view, such as the top-level views. Alert right-click 'Related to' searches cannot be done. On a Mac using the Firefox browser, you cannot right-click while in a grouped view of alerts to do a related-to search. Use the advanced query filter and enter the fpm_guid value (found on the advanced tab of the alert's properties).
580676 Web Client Security (FPS) It is possible to have a filter or search that matches alerts where you cannot find the string you searched for in any of the alert's fields. In these cases, the string is found in alert data that is not shown in the GUI. Although returned results have correctly matched the search criteria, it is not readily visible on GUI. On occasion some searches may return results that do not appear to match the search term.
594487 Web Client Security (FPS) If the log node restarts for any reason, the transform rules and forwarding rules that are stored in cache on the log node are cleared. Transform rules and forwarding rules will not be applied to alerts until the next synchronization from BIG-IQ to LOG-IQ. For transform rules the synchronization frequency is 10 minutes, and for forwarding rules it is 5 minutes.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage cases online at F5 WebSupport (registration required). To register email CSP@F5.com with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices