Supplemental Document : Release Information: BIG-IQ Centralized Management 5.3.0

Applies To:


BIG-IQ Centralized Management

  • 5.3.0
Original Publication Date: 07/13/2017 Updated Date: 04/18/2019

BIG-IQ CM Release Information

Version: BIGIQ-5.3.0
Build: 1119.0

Known Issues in BIG-IQ CM v5.3.x

Functional Change Fixes

None


BIG-IQ Configuration - Network Fixes

ID Number Severity Description
660022-1 3-Major BIG-IQ does not support creating route with default address

BIG-IQ Configuration - Security - Network Security Fixes

ID Number Severity Description
658780 3-Major A port misuse policy rule marked for deletion will have the deletion state cleared when a new rule is added.

BIG-IQ Device User Interface Fixes

ID Number Severity Description
664666 2-Critical Regkey pool assignments from 5.1 cannot be revoked after upgrade to 5.2

BIG-IQ Monitoring - Dashboards & Reports Fixes

ID Number Severity Description
652975 3-Major OAuth Client timeline doesn't show right data if timeframe is changed

BIG-IQ System User Interface Fixes

ID Number Severity Description
668865 3-Major Attempting to manually sync files in an HA pair may fail if a file sync task is in progress
667484 3-Major Local users lost on UCS restore for version 5.2.0
655987 3-Major When upgrading devices with large configurations to 5.2, user may encounter errors when setting the Master Key in the setup wizard

BIG-IQ Access Fixes

ID Number Severity Description
667688 3-Major Application Summary Reporting does not work with Portal Access.
629213 3-Major Set filespace quota for file objects

BIG-IQ Local Traffic & Management Fixes

ID Number Severity Description
663932 2-Critical BIG-IQ v5.2 LTM config import fails when cookie persistence timeout set to 0
668986 3-Major Import fails on BIG-IQ when BIG-IP HTTP profile has "response_chunking unchunk"

AppIQ Fixes

ID Number Severity Description
647127 2-Critical Removal of Data Collection Device may result in a Elastic Search cluster health status of "red"

BIG-IQ Device Management Fixes

ID Number Severity Description
649796 3-Major Secondary alert generated for certificates

BIG-IQ Fraud Protection Service (FPS) Fixes

ID Number Severity Description
669484 3-Major FPS - issues with web service interaction through proxy when 3 or more proxy servers are configured
666150 3-Major FPS - alert display issue when alert is not set with a specific domain
612283 4-Minor FPS alert queries that use the same key in multiple times in the same query must be enclosed in parenthesis

BIG-IQ Network Security Fixes

ID Number Severity Description
632813 3-Major Removing the global-fqdn policy may fail. The deployment may need to be done in 2 steps.

REST Framework and TMOS Platform Fixes

ID Number Severity Description
662812 2-Critical Filenames with exactly 100 characters get name truncated in qkview
662742 2-Critical Files with file names larger than 100 characters are omitted from qkview
665927 3-Major QKView hangs indefinitely on secondary in BIG-IQ HA pair
658358 3-Major Minimum master eligible node setting set by user is overwritten by default calculated value when zone of the log node is changed
656828-1 3-Major Setting the master key after upgrading a system with a large configuration from 5.x to 5.2 could result in an unsuccessful encryption of objects.
652270 3-Major Users experiencing lock out after a RADIUS server goes down
630648 3-Major BIG-IQ HA: Zone of the secondary console node is set to default when two BIG-IQ console nodes are paired
660424-2 5-Cosmetic httpd service fails to start on boot

Cumulative fix details for BIG-IQ CM v5.3.0 that are included in this release

669484 : FPS - issues with web service interaction through proxy when 3 or more proxy servers are configured

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
The BIG-IQ system might not be able to download alert rules or interact with web service.

Conditions:
This happens when 3 or more proxies are configured and have the same name.

Impact:
Download alert rules/web service interaction failure

Workaround:
Limit usage to 2 proxy servers.

Fix:
We corrected the issue so that the system can handle 3 servers configured with the same name.


668986 : Import fails on BIG-IQ when BIG-IP HTTP profile has "response_chunking unchunk"

Component: BIG-IQ Local Traffic & Management

Symptoms:
Import of the LTM service fails with a message similar to:
   "Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException:"

Conditions:
This occurs when BIG-IP has an HTTP profile where Response Chunking is set to Unchunk.

Impact:
BIG-IP's config cannot be managed.

Fix:
BIG-IQ now supports importing HTTP profiles with Response Chunking set to Unchunk.


668865 : Attempting to manually sync files in an HA pair may fail if a file sync task is in progress

Component: BIG-IQ System User Interface

Symptoms:
When viewing the BIG-IQ HA Settings page, the user is presented with a "Sync Files" button, allowing users to manually begin syncing files across an HA pair.

While this is already done automatically, users can manually start a file sync task. Only one of these tasks can run at a time, so if users begin a file sync task while one is in progress, the UI will present an error dialog. After closing the error dialog, a second dialog will appear which may show confusing information like a red error icon with text like "file sync successful".

Conditions:
The BIG-IQ is in an HA pair, and a file sync task is in progress.

Impact:
The user who attempts to start a second file sync task will see an error dialog followed by a second dialog with confusing text.

Workaround:
Close the dialog(s) after clicking "Sync Files" and receiving an error. This error will have no negative impact on the system.


667688 : Application Summary Reporting does not work with Portal Access.

Component: BIG-IQ Access

Symptoms:
The Application Summary Reporting feature that was released in BIG-IQ 5.2.0 does not work for the portal access use case.

However, Application Summary Reporting still works for the LTM+APM (WAM) use case.

Conditions:
Found in version 5.2.0 and beyond.

Impact:
This affects users who wish to run the Access Summary Reporting feature with portal access.

Workaround:
There is currently no workaround for this known issue.

Fix:
There is currently no fix for this known issue.


667484 : Local users lost on UCS restore for version 5.2.0

Component: BIG-IQ System User Interface

Symptoms:
When restoring from a UCS, local users may be lost during the restore process.

Conditions:
Restoring from UCS on BIG-IQ 5.2.

Impact:
Local users are lost and must be recreated.

Workaround:
None

Fix:
Users are no longer lost on UCS restore


666150 : FPS - alert display issue when alert is not set with a specific domain

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
The alerts user interface (UI) page is unable to show alerts, showing an error.

Conditions:
This happens when the alerts are not set with a domain.

Impact:
UI page error.

Fix:
We corrected the issues so that the system can handle the error condition, and display the UI page correctly.


665927 : QKView hangs indefinitely on secondary in BIG-IQ HA pair

Component: REST Framework and TMOS Platform

Symptoms:
On a secondary BIG-IQ, creating a qkview will hang indefinitely.

Conditions:
BIG-IQ is a secondary in HA pair. Qkview creation is attempted.

Impact:
Qkviews cannot be made for secondary BIG-IQs.

Fix:
qkview no longer hangs on the secondary BIG-IQ in an HA pair.


664666 : Regkey pool assignments from 5.1 cannot be revoked after upgrade to 5.2

Component: BIG-IQ Device User Interface

Symptoms:
A revoke of a regkey pool assignment fails and the logs show a message similar to: Failed to close audit record for device: com.f5.rest.common.RestWorkerUriNotFoundException: URI path not registered. Please verify URI is supported and wait for /available suffix to be responsive.

Conditions:
This issue occurs when the license assignment is made in BIG-IQ 5.1 and the revoke (or cleanup related to assigning a different license) occurs after upgrading to BIG-IQ 5.2.

Impact:
Regkey pool licenses cannot be properly managed.

Workaround:
The auditRecordReference needs to be updated for the license assignment.
1. Review assignments within regkey pools via:
restcurl "shared/index/config?%24filter=(kind%20eq%20'cm%3Adevice%3Alicensing%3Apool%3Aregkey%3Alicenses%3Aitem%3Aofferings%3Aregkey%3Amembers%3Aregkeypoollicensememberstate')&%24select=auditRecordReference,selfLink"
2. In the response from step 1, review the auditRecordReference. Affected assignments will have a link that includes the string cm/system/licensing. This should be changed to cm/device/licensing; the following steps describe how to do this.
3. The response from step 1 has a list of items. For each item, do a GET (start with the selfLink, change https to http, add port 8100, and remove the mgmt path segment):
curl http://localhost:8100/cm/device/licensing/pool/regkey/licenses/05af08dc-93f7-426a-9691-113a1e46a2ae/offerings/Y8971-44137-22411-68390-0628740/members/c4becd2a-cff2-4955-b6c6-af720c338d00
4. Using the body from the response from step 3, change cm/system/licensing to cm/device/licensing and then save the changes:
curl -X POST -d '{"id":"c4becd2a-cff2-4955-b6c6-af720c338d00","deviceMachineId":"319967de-3d02-42f6-ab0b-ea90870fd648",...' http://localhost:8100/shared/storage
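
The link rewriting in steps 2 to 4 can be prepared offline before anything is posted back. The following is an added example, not F5 code: it assumes the step 1 response carries its entries under "items" and that auditRecordReference is an object with a "link" field, and all sample IDs and audit paths are constructed placeholders.

```python
import copy
import json
from urllib.parse import urlsplit

STALE = "cm/system/licensing"    # string that marks an affected assignment (step 2)
CURRENT = "cm/device/licensing"  # string it has to be changed to

# Constructed stand-in for the step 1 response; IDs and audit paths are placeholders.
SAMPLE_RESPONSE = {
    "items": [
        {"selfLink": "https://localhost/mgmt/cm/device/licensing/pool/regkey/"
                     "licenses/POOL-1/offerings/KEY-1/members/MEMBER-1",
         "auditRecordReference": {
             "link": "https://localhost/mgmt/cm/system/licensing/PLACEHOLDER-AUDIT-PATH/1"}},
        {"selfLink": "https://localhost/mgmt/cm/device/licensing/pool/regkey/"
                     "licenses/POOL-1/offerings/KEY-1/members/MEMBER-2",
         "auditRecordReference": {
             "link": "https://localhost/mgmt/cm/device/licensing/PLACEHOLDER-AUDIT-PATH/2"}},
    ]
}

# Constructed stand-in for the body returned by the GET in step 3.
SAMPLE_MEMBER = {
    "id": "MEMBER-1",
    "selfLink": SAMPLE_RESPONSE["items"][0]["selfLink"],
    "auditRecordReference": dict(SAMPLE_RESPONSE["items"][0]["auditRecordReference"]),
}


def audit_link(item):
    """Return the auditRecordReference link, or '' when the item has none."""
    ref = item.get("auditRecordReference") or {}
    return ref.get("link", "")


def local_url(self_link):
    """Step 3: change https to http, add port 8100, remove the mgmt path segment."""
    parts = urlsplit(self_link)
    path = parts.path
    if path.startswith("/mgmt/"):
        path = path[len("/mgmt"):]
    return "http://{}:8100{}".format(parts.hostname, path)


def urls_to_fix(response):
    """Steps 2 and 3: local URLs of the assignments whose audit link is stale."""
    return [local_url(item["selfLink"])
            for item in response.get("items", [])
            if STALE in audit_link(item)]


def corrected_body(member):
    """Step 4: copy of a member body with the stale audit link rewritten."""
    fixed = copy.deepcopy(member)
    fixed["auditRecordReference"]["link"] = audit_link(member).replace(STALE, CURRENT)
    return fixed


if __name__ == "__main__":
    for url in urls_to_fix(SAMPLE_RESPONSE):
        print("GET ", url)
    print("POST body:", json.dumps(corrected_body(SAMPLE_MEMBER)))
```

Only assignments that still point at cm/system/licensing are selected, so entries that already carry the corrected link are left alone.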

Fix:
Stale audit record reference links are cleaned up on upgrade to BIG-IQ 5.3.


663932 : BIG-IQ v5.2 LTM config import fails when cookie persistence timeout set to 0

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ fails to discover/import the configuration of a device with a cookie persistence timeout of zero (0).

Conditions:
BIG-IP has a cookie persistence profile configured with a timeout of zero (0).

Impact:
Device is undiscoverable and configuration is not manageable by BIG-IQ.

Workaround:
Change the timeout to a non-zero value. This may not be possible if the persistence profile is being used to set a session cookie which requires the timeout to be set to 0.

Fix:
BIG-IQ can now discover and import configuration when the cookie persistence profile contains a zero (0) timeout.


662812 : Filenames with exactly 100 characters get name truncated in qkview

Component: REST Framework and TMOS Platform

Symptoms:
If the filename of a file being gathered by qkview happens to be exactly 100 characters, the filename will be truncated in the qkview.

Impact:
Restoring the contents of a qkview does not match the original state captured by the qkview.

Workaround:
To restore the contents of a qkview to the original state, truncated filenames must be manually renamed.

Fix:
Filenames with 100 characters are no longer truncated in a qkview.


662742 : Files with file names larger than 100 characters are omitted from qkview

Component: REST Framework and TMOS Platform

Symptoms:
If the filename of a file being gathered by qkview happens to be larger than 100 characters, the qkview will simply not include it.

Impact:
Files with names larger than 100 characters are being omitted from the qkview. Since UNIX files can be 256 characters long, this potentially could omit important files that could help diagnose problems.

Workaround:
One would have to rename any files with names larger than 100 characters to names with less than 100 characters.

Fix:
Qkview was fixed to not use POSIX as the tar format, but instead to use the "GNU" format which allows for up to 256 characters (the system limit). The fixed program now allows any length of characters possible.
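
The 100-character boundary behind this issue and 662812 can be reproduced with any tar writer. This added example is not qkview code: it uses Python's tarfile module and assumes the limit in question is the 100-byte name field of the classic ustar header. It shows which names a ustar archive refuses to store and that the GNU format keeps them all. The file names are constructed.

```python
import io
import tarfile

# Constructed sample names around the 100-character boundary.
SHORT = "var/log/restjavad.0.log"
EXACT_100 = "x" * 100
LONG_101 = "y" * 101
NESTED_LONG = "var/tmp/" + "z" * 101       # final path component is too long
SPLITTABLE = "d" * 60 + "/" + "f" * 60     # 121 characters, but each part fits
SAMPLE_NAMES = [SHORT, EXACT_100, LONG_101, NESTED_LONG, SPLITTABLE]


def archive_names(names, fmt):
    """Write empty members called `names` into an in-memory tar using `fmt`.

    Returns (stored, omitted): the names read back from the finished archive
    and the names the format could not represent.
    """
    buf = io.BytesIO()
    omitted = []
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tar:
        for name in names:
            try:
                tar.addfile(tarfile.TarInfo(name))
            except ValueError:
                # tarfile raises ValueError("name is too long") for ustar
                # when the name cannot be split into prefix + 100-byte name.
                omitted.append(name)
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r") as tar:
        stored = tar.getnames()
    return stored, omitted


def missing_from_archive(expected, stored):
    """Completeness check: expected names that never made it into the archive."""
    return sorted(set(expected) - set(stored))


if __name__ == "__main__":
    for label, fmt in (("ustar", tarfile.USTAR_FORMAT), ("gnu", tarfile.GNU_FORMAT)):
        stored, omitted = archive_names(SAMPLE_NAMES, fmt)
        print(label, "stored:", len(stored), "omitted:", len(omitted))
```

Comparing the collected file list against the archive's member list, as `missing_from_archive` does, is a cheap way to notice silently dropped diagnostics regardless of the tool that built the archive.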


660424-2 : httpd service fails to start on boot

Component: REST Framework and TMOS Platform

Symptoms:
When booting a BIG-IQ device you may see a message indicating the httpd service fails to start: "Starting httpd: [FAILED]".

Conditions:
When booting the BIG-IQ.

Impact:
No impact to BIG-IQ functionality. httpd is not required for BIG-IQ to function correctly and this message can be ignored.


660022-1 : BIG-IQ does not support creating route with default address

Component: BIG-IQ Configuration - Network

Symptoms:
After BIG-IQ deploys a new route with the default address, it cannot discover and reimport a device where that route has been deployed.

Conditions:
Deploying a route with the "0.0.0.0/0" address to a BIG-IP device and then reimporting that same device.

Impact:
Unable to import the device after deploying. The import fails with the message:
"Invalid route Default: Change destination network from '0.0.0.0/0' to 'default' is not allowed"

Workaround:
Create the default route directly on the BIG-IP device.

Fix:
BIG-IQ now handles the default route correctly. Import and deploy should work as expected.


658780 : A port misuse policy rule marked for deletion will have the deletion state cleared when a new rule is added.

Component: BIG-IQ Configuration - Security - Network Security

Symptoms:
A port misuse policy rule marked for deletion will not be deleted if a new rule is added in the same edit session after the rule has been marked for deletion.

Conditions:
The user marks a port misuse policy rule for deletion and subsequently adds a new rule to the policy in the same edit session.

Impact:
A rule marked for deletion will not be deleted under these conditions.

Workaround:
When a rule will be deleted and a new rule added to a port misuse policy, perform the delete and save actions first for rules that are to be deleted, followed by the addition of the new rules.

Fix:
This is no longer an issue in the 5.3.0 BIG-IQ Release.


658358 : Minimum master eligible node setting set by user is overwritten by default calculated value when zone of the log node is changed

Component: REST Framework and TMOS Platform

Symptoms:
If the BIG-IQ Data Collection Devices --> Settings --> Minimum Master Eligible Devices setting is set by the user and the BIG-IQ Data Collection Devices --> Zone setting is then changed by the user, the Minimum Master Eligible Devices setting will be set to a new code-calculated value.

Conditions:
1. Override the Minimum Master Eligible Devices setting from the UI
2. Modify the Zone setting of a BIG-IQ Data Collection device

Impact:
The Minimum Master Eligible Devices setting may or may not be different from what the user had previously set. It could affect how the customer expects the BIG-IQ elasticsearch cluster to behave during a disaster. Under normal operation of the BIG-IQ, however, this setting has no impact on product functionality.

Workaround:
Whenever the BIG-IQ Data Collection Devices --> Zone setting is changed, the Minimum Master Eligible Devices setting can be reset in the UI by the customer based on their environment and requirements.

Fix:
Minimum master eligible node setting is now correctly set.


656828-1 : Setting the master key after upgrading a system with a large configuration from 5.x to 5.2 could result in an unsuccessful encryption of objects.

Component: REST Framework and TMOS Platform

Symptoms:
After upgrading the BIG-IQ system from 5.x to 5.2, when the user logs into the BIG-IQ UI, the user will be required to go through the setup wizard. When the master key passphrase is entered and the Next button clicked, the master key is created and the encryption upgrade starts.

The following two symptoms can occur:

Symptom 1:
If the encryption upgrade does not finish within five minutes, the user will see a 504 gateway timeout exception in the UI. This is a possible indication that the encryption upgrade will not succeed, so the user should click the Dismiss button, log out from the UI, and check to see if symptom 2 occurs after waiting another five minutes.

Symptom 2:
If the encryption upgrade does not complete in ten minutes, in the /var/log/restjavad.0.log file the following error message is observed:

[ERROR][12 Apr 2017 11:07:00 EDT][/cm/shared/secure-storage/masterkey SecureStorageMasterkeyGenerator] The BIG-IQ ran into error 'Encryption upgrade has failed to run to completion due to Timed out during execution of command. This may result in some attributes that are encrypted with the old encryption scheme that need to be manually upgraded.' when upgrading encrypted values. This may cause some encrypted values to be unusable.

If Symptoms 1 and 2 are both seen, the customer should proceed with the workaround.

Conditions:
The pre-upgrade 5.x system has a large number of objects requiring encryption.
Example:
If the BIG-IQ system managed several hundred BIG-IPs, had several hundred rules, and so on (a very large system), then upon upgrade to 5.2 it could have an issue setting the encryption master key upon first logging in to the BIG-IQ 5.2 UI.

Impact:
If the encryption upgrade fails, the upgraded BIG-IQ system will be unstable. There will be several errors in the product and in the log files.

Workaround:
If both symptoms 1 and 2 are seen, the customer can work around the issue as follows:

1. Log in to the BIG-IQ shell (not the UI)
2. cd /var/config/rest/tokuupgrade/encryption
3. sh run_encryption_upgrade.sh
4. Wait for the execution of this command to complete. When the execution completes, the following message will be displayed: "The Encryption upgrade script is complete"
5. Log back in to the UI and finish executing the setup wizard.


655987 : When upgrading devices with large configurations to 5.2, user may encounter errors when setting the Master Key in the setup wizard

Component: BIG-IQ System User Interface

Symptoms:
When setting the Master Key, the request may run for a long time and may time out. If the request times out, it was likely still successful but is taking some extra time to complete due to the existing configuration on the system.

Conditions:
The BIG-IQ is running a large configuration, and is upgraded to BIG-IQ version 5.2.

Impact:
You may need to wait until the Master Key is established on the device. After the request times out, wait for a few minutes and refresh the page. If the page tells you that the Master Key has already been set, you can safely complete the setup wizard.


652975 : OAuth Client timeline doesn't show right data if timeframe is changed

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
If you change the timeframe on a report you will notice the timeline not showing the correct data.

Conditions:
This is intermittent, and it's unclear when it can occur.

Impact:
Timeline on a report is not updated if timeframe is changed and may not represent the timeline desired.

Workaround:
Refresh the browser and the data will be displayed properly

Fix:
Fix timeline data generation on time frame changes


652270 : Users experiencing lock out after a RADIUS server goes down

Component: REST Framework and TMOS Platform

Symptoms:
Remote authentication user is prevented from logging in for 30 minutes after a RADIUS server goes down, even though the RADIUS server is back up.

Conditions:
RADIUS server goes down and the user tries to log in while it's down. This will prevent users from logging in until 30 minutes after the failed login attempt.

Impact:
Users will not be able to log in even if the remote server is back online.

Workaround:
1) curl https://<ip>/mgmt/cm/system/authn/providers/radius
2) Find the selfLink of the RADIUS provider in the results.
3) curl -X PATCH -d '{"failBackIntervalMinutes":"1"}' <selfLink>
   (1 for 1 minute)

Fix:
Fixed the issue so that RADIUS remote authentication users can log in after the remote server comes back online after error recovery.


649796 : Secondary alert generated for certificates

Component: BIG-IQ Device Management

Symptoms:
If a system has certs on it that are between 0 days to expire and the configured expire threshold (default 30 days), an alert will have already been fired at the 30 day mark to warn of expiration. After an upgrade to this fix, the system will send a second alert for all these certs again, saying the cert has X days to discovery. This will only happen once and only for already existing certs that are within the expire period. It will not happen for new certs.

Conditions:
Certificates on the system are between 0 and the configured expire threshold (default 30 days) and have already alerted that they will expire in 30 days (or the configured threshold)

Impact:
Small. This is not a duplicate alert, as it is additional information about when the cert will expire. It is an extra alert and a one-off behavior the user may not be expecting.

Workaround:
Renew all certs before upgrading and this behavior will not be hit


647127 : Removal of Data Collection Device may result in a Elastic Search cluster health status of "red"

Component: AppIQ

Symptoms:
Removing a Data Collection Device (DCD) from a cluster that contains statistics data may cause the cluster to contain one or more unassigned data shards.

Conditions:
You desire to remove a DCD when statistics collection is enabled for one or more BIG-IPs.

Impact:
When the DCD elastic search cluster transitions to "red" status, the cluster may become unusable.

Workaround:
The following workaround can be performed:

1. Log into BIG-IQ as an administrator

2. Click on the "System" tab

3. Open up the "BIG-IQ Data Collection" on the left navigation menu.

4. Click on "BIG-IQ Data Collection Devices"

5. Click Add, and enter the DCD's information.

Once successfully added to the BIG-IQ cluster, you will need to enable statistics data replication:

1. From the BIG-IQ Data Collection Devices user interface,
click "Settings".

2. Then, click Statistics Collection

3. Click Configure

4. Click Advanced Settings

5. Check the box next to "Enable Replicas"

6. Click Save & Close

Next, wait for the elastic search cluster to show a status of Green; then the DCD removal can be retried.


632813 : Removing the global-fqdn policy may fail. The deployment may need to be done in 2 steps.

Component: BIG-IQ Network Security

Symptoms:
When doing a deployment in which the DNS resolver is removed from the Global FQDN Policy (effectively turning fqdn off on the BIG-IPs), this may fail with the following device error:

"Configuration error: dns-resolver can't be removed (atleast 1 AFM rule with source or destination fqdn attribute set.)"

This is due to an issue in the BIG-IP transaction processing.

Conditions:
This happens when a DNS resolver is configured on the BIG-IP and there are any address-lists or rules that use FQDN in the firewall.

Impact:
The deployment will fail. There is a workaround to do this in 2 phases.

Workaround:
In order to get around this issue, the deployment will need to be done in 2 phases. First, all address lists and rules that use FQDNs will need to be removed from the BIG-IP (deployment 1). Second, the global-fqdn can then remove the DNS Resolver to turn off firewall fqdn (deployment 2).

Fix:
In BIG-IQ version 5.3.0, a new deployment evaluation warning has been created to inform the user that this issue has been detected and provides the steps necessary to perform the workaround.


630648 : BIG-IQ HA: Zone of the secondary console node is set to default when two BIG-IQ console nodes are paired

Component: REST Framework and TMOS Platform

Symptoms:
Zone of the secondary console node is set to default when two BIG-IQ console nodes are paired.

There is no impact if the Zone of the secondary console node is set to "default" or incorrectly set or gets overwritten when the BIG-IQ console devices are paired.

Conditions:
When the BIG-IQ HA pair is initiated, the data in the database on the secondary device gets overwritten. Therefore, if the Zone on a BIG-IQ console is set to a value before the BIG-IQ HA pairing is done and that console is chosen to be the BIG-IQ secondary device, then after the HA pairing is complete the Zone information on the BIG-IQ secondary is overwritten with the Zone named "default".

Impact:
None that affects the functionality of the product. It appears in the UI under System --> BIG-IQ HA that the Zone on the secondary device is set to "default".

Workaround:
After the BIG-IQ HA is setup, navigate to the System --> BIG-IQ HA page. Select the machine with Type "Secondary". Choose an existing Zone or create a new Zone as appropriate and click on Update.

Fix:
Zone of the secondary console node is set to the correct value after the two BIG-IQ console nodes are paired.


629213 : Set filespace quota for file objects

Component: BIG-IQ Access

Symptoms:
Unable to download new file objects due to "exceeds storage quota" error.

Conditions:
Default storage quota is 500MB; if the user wants to store more than that amount, the quota must be changed.

Impact:
Inability to add new file objects

Workaround:
To extend the storage quota, use the restcurl command to set a new value. Current value is obtained by:

# restcurl cm/system/file-object-configuration/storageDir
{
  "directoryPath": "/var/config/rest/fileobject",
  "generation": 4,
  "kind": "cm:system:file-object-configuration:fileobjectconfigurationstate",
  "lastUpdateMicros": 1491948519420631,
  "maxFilespaceBytes": 524288000,
  "name": "storageDir",
  "selfLink": "https://localhost/mgmt/cm/system/file-object-configuration/storageDir"
}

Use restcurl with PATCH verb to update maxFilespaceBytes:

restcurl -X PATCH cm/system/file-object-configuration/storageDir -d '{"maxFilespaceBytes":1000000000}'

{
  "name": "storageDir",
  "directoryPath": "/var/config/rest/fileobject",
  "maxFilespaceBytes": 1000000000,
  "generation": 5,
  "lastUpdateMicros": 1491948923168173,
  "kind": "cm:system:file-object-configuration:fileobjectconfigurationstate",
  "selfLink": "https://localhost/mgmt/cm/system/file-object-configuration/storageDir"
}

Fix:
File grooming issues are fixed. Any excess config files that are not used in the system are removed. Since these excess files were occupying file-quota space, import failed in earlier releases. This should resolve import issues related to file-quota overage.


612283 : FPS alert queries that use the same key in multiple times in the same query must be enclosed in parenthesis

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
If using ad-hoc or saved filters in the Fraud Prevention service and the same key name is used multiple times in the query, those key names must be enclosed in parentheses or the query will not provide the expected results.

Conditions:
This issue happens when a query is created that uses the same key name multiple times in the same query.

Impact:
The results of the query can produce no results or inaccurate results.

Workaround:
Always enclose the items that use the same key names within parentheses. For example: (alertType:6 OR alertType:8)



Known Issues in BIG-IQ CM v5.3.x


BIG-IQ Configuration - Access Issues

ID Number Severity Description
659958-2 3-Major Active Directory Groups update does not show any groups
647189 3-Major Deployment to version 12.1.1 device fails with error "Encountered unsupported operation 16 at /apm/policy/access-policy/..../subroutine-properties"


BIG-IQ Configuration - Local Traffic Issues

ID Number Severity Description
671693-1 3-Major BIG-IQ fails to import BIG-IP v11.x LTM profiles that reference certificates with names containing special characters
650218-1 3-Major Client SSL - BIG-IP 11.5.1 HF7 - overridden yet unchanged Cert Key Chain in Client SSL profile causes discovery failure
641451-1 3-Major Deployment error when overriding the certificate-key chain on a Client SSL profile.
653529-2 4-Minor Deployment fails when attempting to deploy more than 4000 certs in a single deployment across multiple BIG-IPs
653528-1 4-Minor Deployment fails when attempting to deploy more than 1100 certificates and key pairs (2200 files) to a single BIG-IP
640043-2 4-Minor Monitors cannot be deleted on BIG-IQ
637937-1 4-Minor Similarly named keys/certs on BIG-IPs of different versions appear as distinct objects in BIG-IQ if the name includes special characters
637728-1 4-Minor SSL keys/certificates on BIG-IP with + or ~ in the name cause a discovery failure in BIG-IQ
636086-1 4-Minor Certificates and keys that are copied between BIG-IP are not match on the BIG-IQ


BIG-IQ Configuration - Network Issues

ID Number Severity Description
670671 3-Major Missing error message when user moves VLAN from Selected to Available in default route domain, when the VLAN is already in use by a self ip


BIG-IQ Configuration - Security - Network Security Issues

ID Number Severity Description
643083-1 3-Major Using multiple search terms across object types is not supported on some Network Security screens


BIG-IQ Deployment - Evaluate & Deploy Issues

ID Number Severity Description
651013-1 3-Major Device discovery and unresolved conflicts
648546-1 3-Major Cannot deploy a certificate with server-ssl


BIG-IQ Device User Interface Issues

ID Number Severity Description
663606 2-Critical Pool license cannot be assigned after upgrade to BIG-IQ 5.2
667776 4-Minor Restore of UCS on BIG-IP v13 times out in BIG-IQ
658039-2 4-Minor Failure to reactivate some licenses when EULA has changed


BIG-IQ Monitoring - Dashboards & Reports Issues

ID Number Severity Description
671695-1 3-Major Stats collection can cause BIG-IP CPU issues
653760-2 3-Major Token Table is not updated in real time on the drill down screen
639896-2 3-Major Cannot view SWG Reports and download CSV Reports on Standby BIG-IQ
651172-1 4-Minor CSV download fails after opening a session details dialog
627105-2 4-Minor Incorrect Error when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens


BIG-IQ Search Issues

ID Number Severity Description
641427 3-Major Portal Access Rewrite not be searchable by Global Search


BIG-IQ System User Interface Issues

ID Number Severity Description
648293-1 3-Major Device status can show green when ES cluster is not green
643645-1 3-Major BIG-IQ System Settings: SNMP /32 allow mask does not work
643507-1 4-Minor Removing a Data Collection Device may take a long time, and will not show an error dialog if removal times out


BIG-IQ Access Issues

ID Number Severity Description
660828-2 2-Critical Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"
655123-2 3-Major Unable to open Network Access, LDAP, AD, CRLDP, TACACS, or Radius server object UI for edit.
642976-2 3-Major Deployment diff shows unused objects to be deleted during deployment
636188-3 3-Major Access Events in iRule requires an Access Profile associated with Virtual
612292-2 3-Major Customization file changes are not deployed when customization template and customization group objects are created in deployment
659424-2 4-Minor Deployment failure due to SAML object deletion
505455-2 4-Minor Adding a device to Access Group fails: Unable to calculate working config ID


BIG-IQ Local Traffic & Management Issues

ID Number Severity Description
663919 3-Major Pool Member Operator role cannot filter pools
659729 3-Major Filtering by the text 'http' in LTM Profiles grid takes a long time to complete
651892-1 3-Major Some Rewrite profiles created on BIG-IP cannot be updated or deleted by BIG-IQ
651186-2 3-Major SSL certificate in non-PEM format can not be imported and managed
650405-1 3-Major Error while transforming Profile Client SSL when BIG-IP in DSC (Failed to transform secure field value)
643825-1 3-Major Inability to remove Certificate and/or Key used by serverssl profile in specific cases for v11.6.0 and v11.6.1
641237-1 3-Major Inability to delete SNAT pool with SNAT transaction from some versions of BIG-IP.
614199-2 3-Major Profile - Client SSL - Cannot deploy Certificate Key Chain changes to root clientssl profile
646929-1 4-Minor BIG-IQ cannot remove overrides for LWS Separator field on HTTP explicit profiles.
624368-1 4-Minor BIG-IQ fails to discover Rewrite profiles that have a corrupt passphrase on BIG-IP


AppIQ Issues

ID Number Severity Description
651998-2 3-Major When /var partition reaches configured limit, collection of statistics from BIG-IP will stop, and older data may be automatically removed by BIG-IQ
644884 3-Major Sort-Selected rows of data in dimension panes may show N/A for data


BIG-IQ Device Management Issues

ID Number Severity Description
670955-1 3-Major Spurious warning log during upgrade from BIG-IQ
670837-1 4-Minor iHealth upload task partially fails with error about "Duplicate item"
620394 4-Minor Framework upgrade fails on Viprion when non-primary slot is upgraded first


BIG-IQ DNS Management Issues

ID Number Severity Description
667446 4-Minor Sync groups manual "refresh list" is needed after major upgrade


BIG-IQ Fraud Protection Service (FPS) Issues

ID Number Severity Description
672680-1 3-Major Alerts marked "drop" aren't actually deleted from the database
670255-1 3-Major Existing transform rule updates from the cloud dashboard are not updated on the local (on premise) BIG-IQ devices
666309-1 3-Major Existing transform rule deletions from the cloud dashboard are not deleted on the local (on premise) BIG-IQ devices
635584-2 3-Major BIG-IQ setup wizard fails with "Cannot delete IP X.X.X.X because it would leave a route unreachable"
655283-1 4-Minor Refreshing an FPS saved filter page will not render results.
652666-1 4-Minor Unable to save FPS Download schedule with start date in past


BIG-IQ Network Security Issues

ID Number Severity Description
648876 3-Major Discovery of a BIG-IP Advanced Firewall service may fail if the service is newly provisioned on the BIG-IP
632900-1 3-Major Bot Signatures/Bot Signature Categories User Defined Flag Behavior
632799-1 3-Major BIG-IP 13.0.0 Firewall Rule option "Send to Virtual" not managed by the BIG-IQ
638131-1 4-Minor Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail when Proactive Bot Defense is enabled
582701-3 4-Minor At Scale, HTML Report fails to render in IE and Edge.


REST Framework and TMOS Platform Issues

ID Number Severity Description
671437-2 3-Major The post upgrade process fails when the Data Collection device is discovered using its self-ip
665639-1 3-Major Amazon EC2 Abuse Report upon a new deployment of BIG-IQ AMI instance
658402-1 3-Major "Reset to Standalone" is a feature of HA that should only be used if the HA peers are not communicating with each other.
629237-1 3-Major Firefox may perform poorly when running the BIG-IQ management user interface
464572-1 3-Major Validation of IP/mask for SNMP allowed-addresses list.
654514-1 4-Minor Some grid pages may take several seconds to populate rows while scrolling
652954 4-Minor BIG-IQ 5.x does not allow clustered BIG-IP devices to be added to custom device groups created in BIG-IQ 4.x

 

Known Issue details for BIG-IQ CM v5.3.x

672680-1 : Alerts marked "drop" aren't actually deleted from the database

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Alerts with "drop" status aren't actually deleted from the BIG-IQ database when a user applies transform rules.

Conditions:
Whenever a user applies a new transform rule to existing alerts and their status changes to 'drop', the alerts remain displayed in the GUI with status 'drop' and are not removed.

Impact:
Alerts are not being dropped. The alert database may grow quickly and substantially as a result, possibly impacting DB capacity and product efficiency.

Workaround:
To avoid this issue, manually delete the alerts with status 'drop'. There is an option to delete them in the list of alerts.


671695-1 : Stats collection can cause BIG-IP CPU issues

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
A BIG-IP configured for statistics collection by a BIG-IQ has been reported to experience excessive CPU usage while the statistics file is being downloaded from the BIG-IP to the BIG-IQ Data Collection Device.

Conditions:
Statistics collection enabled on BIG-IQ/BIG-IP

Impact:
Excess CPU usage can cause issues with traffic management on BIG-IP

Workaround:
If this is observed, either stop collecting statistics on a given BIG-IP or reduce the overall load by changing the polling frequency (Devices -> BIG-IP DEVICES -> <Device> -> Statistics Collection -> Frequency)


671693-1 : BIG-IQ fails to import BIG-IP v11.x LTM profiles that reference certificates with names containing special characters

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Importing LTM for BIG-IP version 11.x fails with a message similar to:
      "current-config requester failed: Reason: java.lang.IllegalArgumentException: kind is missing"

Conditions:
This issue can occur when BIG-IP is version 11.x and an LTM profile references a certificate with a name containing a special character (such as asterisk).

Impact:
The LTM service cannot be managed for affected devices.

Workaround:
This issue can be avoided by renaming keys/certs so they do not include special characters.


671437-2 : The post upgrade process fails when the Data Collection device is discovered using its self-ip

Component: REST Framework and TMOS Platform

Symptoms:
When a system consisting of Data Collection devices is upgraded to BIG-IQ 5.3, after upgrade the following warning messages are seen in the restjavad.0.log on the BIG-IQ console:

[WARN][03 Jul 2017 12:29:54 PDT][/cm/shared/esmgmt/upgrade-prep/13366647-93b5-409c-84a6-969b395b268e/worker ESUpgradePrepTaskWorker] Unable to stop elasticsearch service for machine https://10.144.73.116/mgmt/cm/shared/esmgmt/cluster-task due to exception java.lang.Exception: 10.144.73.116 not found in any device-groups.


[WARN][03 Jul 2017 12:29:54 PDT][/cm/shared/esmgmt/upgrade-prep/13366647-93b5-409c-84a6-969b395b268e/worker ESUpgradePrepTaskWorker] java.lang.Exception: 10.144.73.116 not found in any device-groups.
        at com.f5.rest.common.DeviceAuthTokenCache.findDiscoveryGroupWithDevice(DeviceAuthTokenCache.java:282)
        at com.f5.rest.common.DeviceAuthTokenCache.access$200(DeviceAuthTokenCache.java:30)
        at com.f5.rest.common.DeviceAuthTokenCache$1.completed(DeviceAuthTokenCache.java:260)
...
...

Conditions:
Discover a Data Collection Device from the BIG-IQ console using the "self-ip" of the Data Collection device in a prior version. Then upgrade to BIG-IQ 5.3.0

This error occurs ONLY if the Data Collection device was discovered using the "self-ip"

Impact:
The event log listeners and stats data collection may not work correctly.

Workaround:
1. On the BIG-IQ console UI, navigate away from the System --> BIG-IQ DATA COLLECTION --> BIG-IQ Data Collection Devices page.

2. Log out of the BIG-IQ console UI

3. Run this on the BIG-IQ console:

restcurl cm/shared/esmgmt/upgrade-prep-accounting

Let's call the result of this "A". Save a copy of this result set. This is important.


4. Run the following on the BIG-IQ console:

curl -X GET 'https://10.144.73.117/mgmt/shared/index/config?$filter=%27kind%27+eq+%27shared:resolver:device-groups:restdeviceresolverdevicestate%27+and+%27groupName%27+eq+%27cm-esmgmt-logging-group%27' -u "admin:password" -k | json-format


Let's call the result of this "B".


5. Now do the following comparison:

if (A.machineId == B.machineId && A.managementAddress != B.address) {

   A.managementAddress = B.address

}


6. Now correctly update "A" with the new values after step #5 by patching the worker. Here's an example:

curl -X PATCH 'https://10.144.73.117/mgmt/cm/shared/esmgmt/upgrade-prep-accounting' -u "admin:f5site02" -k -d '{
    "deviceAndServicesStates": [
        {
            "machineId": "2b091c1f-b466-4389-af20-9b17f739f923",
            "managementAddress": "10.10.1.6",
            "hostname": "ip-10-144-73-116.mgmt.pdsea.f5net.com",
            "asmActivated": true,
            "fpsActivated": true,
            "accessActivated": true,
            "ipsecActivated": false,
            "asmListenerAddress": "10.10.1.6",
            "fpsListenerAddress": "10.10.1.6",
            "accessListenerAddress": "10.10.1.6"
        }
    ],
    "preUpgradeCurrentStep": "DONE",
    "postUpgradeCurrentStep": "",
    "isDataCollectionDevice": false,
    "lastBackupData": false,
    "preUpgradeCompleted": true,
    "lastPreUpgradeStartDateTime": "2017-07-03T19:29:53.869Z",
    "lastPreUpgradeEndDateTime": "2017-07-03T19:29:54.307Z",
    "postUpgradeCompleted": false,
    "lastPostUpgradeStartDateTime": "",
    "lastPostUpgradeEndDateTime": "",
    "lastPreUpgradeFailed": false,
    "lastPostUpgradeFailed": false,
    "hasDataCollectionDevices": true,
    "message": "All the listener services were correctly started.",
    "firstBoot": true,
    "preUpgradeSoftwareVersion": "BIG-IQ 5.2.0.0.0.5741",
    "kind": "cm:shared:esmgmt:upgrade-prep-accounting:esupgradeprepaccountingstate",
    "selfLink": "https://localhost/mgmt/cm/shared/esmgmt/upgrade-prep-accounting"
}'


NOTE: You have to correctly update the managementAddress field with the self-ip (address) of the Data Collection Device, set the preUpgradeCompleted field to true and postUpgradeCompleted field to false.

7. After the PATCH has been executed, log in to the BIG-IQ console and navigate to the System --> BIG-IQ DATA COLLECTION --> BIG-IQ Data Collection Devices page. This will re-trigger the post upgrade process, which will complete in about 1 minute. Review the restjavad.0.log and confirm that warning messages like the following no longer appear:

[WARN][03 Jul 2017 12:29:54 PDT][/cm/shared/esmgmt/upgrade-prep/13366647-93b5-409c-84a6-969b395b268e/worker ESUpgradePrepTaskWorker] Unable to stop elasticsearch service for machine https://10.144.73.116/mgmt/cm/shared/esmgmt/cluster-task due to exception java.lang.Exception: 10.144.73.116 not found in any device-groups.
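
The comparison in step 5 and the field changes required by the NOTE under step 6 can be scripted when more than one Data Collection Device is involved. The following Python script is an added example, not F5 code; it assumes result "B" is a JSON object with an "items" list whose entries carry machineId and address, and all sample IDs, hostnames and addresses in it are constructed.

```python
import copy
import json
import sys

# Constructed sample of result "A" (upgrade-prep-accounting), trimmed to the
# fields this procedure touches. All IDs and addresses are made up.
SAMPLE_A = {
    "deviceAndServicesStates": [
        {"machineId": "00000000-0000-4000-8000-000000000001",
         "managementAddress": "192.0.2.16", "hostname": "dcd1.example.com"},
        {"machineId": "00000000-0000-4000-8000-000000000002",
         "managementAddress": "10.10.1.7", "hostname": "dcd2.example.com"},
        {"machineId": "00000000-0000-4000-8000-000000000003",
         "managementAddress": "192.0.2.18", "hostname": "dcd3.example.com"},
    ],
    "preUpgradeCompleted": True,
    "postUpgradeCompleted": True,
}

# Constructed sample of result "B". ASSUMPTION: the index query returns an
# "items" list whose entries carry "machineId" and "address".
SAMPLE_B = {
    "items": [
        {"machineId": "00000000-0000-4000-8000-000000000001",
         "address": "10.10.1.6", "groupName": "cm-esmgmt-logging-group"},
        {"machineId": "00000000-0000-4000-8000-000000000002",
         "address": "10.10.1.7", "groupName": "cm-esmgmt-logging-group"},
    ]
}


def reconcile(a, b):
    """Apply the step 5 comparison to every device listed in A.

    Returns (patch_body, changes, unmatched):
      patch_body - deep copy of A with corrected addresses and the two
                   completion flags set as the NOTE under step 6 requires
      changes    - list of (machineId, old_address, new_address)
      unmatched  - machineIds in A with no counterpart in B (left untouched)
    """
    address_by_id = {
        item["machineId"]: item["address"]
        for item in b.get("items", [])
        if item.get("machineId") and item.get("address")
    }
    patch_body = copy.deepcopy(a)  # never mutate the saved copy of A
    changes, unmatched = [], []
    for device in patch_body.get("deviceAndServicesStates", []):
        machine_id = device.get("machineId")
        if machine_id not in address_by_id:
            unmatched.append(machine_id)
            continue
        new_address = address_by_id[machine_id]
        old_address = device.get("managementAddress")
        if old_address != new_address:
            device["managementAddress"] = new_address
            changes.append((machine_id, old_address, new_address))
    patch_body["preUpgradeCompleted"] = True
    patch_body["postUpgradeCompleted"] = False
    return patch_body, changes, unmatched


def main(argv):
    # Usage: script.py A.json B.json  (files saved from steps 3 and 4).
    # With no arguments, the constructed samples above are used.
    if len(argv) == 3:
        with open(argv[1]) as fa, open(argv[2]) as fb:
            a, b = json.load(fa), json.load(fb)
    else:
        a, b = SAMPLE_A, SAMPLE_B
    patch_body, changes, unmatched = reconcile(a, b)
    for machine_id, old, new in changes:
        print(f"# {machine_id}: {old} -> {new}", file=sys.stderr)
    for machine_id in unmatched:
        print(f"# {machine_id}: not found in B, left unchanged", file=sys.stderr)
    print(json.dumps(patch_body, indent=4))  # body for the PATCH in step 6


if __name__ == "__main__":
    main(sys.argv)
```

The JSON printed on standard output is the body for the PATCH in step 6; the change report goes to standard error so the body can be redirected to a file and reviewed against the saved copy of "A" before it is sent.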


670955-1 : Spurious warning log during upgrade from BIG-IQ

Component: BIG-IQ Device Management

Symptoms:
Upgrading a BIG-IP device via BIG-IQ can result in warning log messages like:

[8100/shared/file-transfer/ucs-downloads FileTransferWorker] Transfer failed for
/var/local/ucs/f5.bigiq-analytics-BIG-IQ.gz with java.io.FileNotFoundException: File does not exist or file path is not a file:
/var/local/ucs/f5.bigiq-analytics-BIG-IQ.gz

Conditions:
BIG-IP is being upgraded by BIG-IQ and it is collecting stats.

Impact:
This is a log message only

Workaround:
None


670837-1 : iHealth upload task partially fails with error about "Duplicate item"

Component: BIG-IQ Device Management

Symptoms:
iHealth upload task fails with a message similar to:
   Request for POST on localhost failed: Duplicate item. Key already exists: name : H00329831

Conditions:
This can occur when an upload task is running for multiple managed devices simultaneously and more than one of them attempts to add a new diagnostic that doesn't already exist in BIG-IQ.

Impact:
The device report fails to generate.

Workaround:
A subsequent run of the failed task should succeed.


670671 : Missing error message when user moves VLAN from Selected to Available in default route domain, when the VLAN is already in use by a self ip

Component: BIG-IQ Configuration - Network

Symptoms:
BIG-IQ allows a user to move a VLAN from Selected to Available in the default (id 0) route domain screen after this VLAN has been assigned to a self IP.

Conditions:
A VLAN in route domain 0 is referenced by a self IP.

Impact:
A user will not be able to deploy to the device until the VLAN is moved to Selected in the route domain 0 screen.

Workaround:
Edit route domain 0 by moving the VLAN from Available to Selected.


670255-1 : Existing transform rule updates from the cloud dashboard are not updated on the local (on premise) BIG-IQ devices

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When configuring import of transform rule from a web service and using the SOC as the web service, changes made by the FPS SOC to existing rules might not be updated on the BIG-IQ system.

Conditions:
Happens when the SOC or any other F5 FPS dashboard is used as the source of rules.

Impact:
Existing rules are not updated.

Workaround:
Delete the alert transform rule from BIG-IQ, delete the alert transform rule import rules and create a new alert transform rule import schedule.


667776 : Restore of UCS on BIG-IP v13 times out in BIG-IQ

Component: BIG-IQ Device User Interface

Symptoms:
A restore of BIG-IP v13 from BIG-IQ fails with a message like:
   Timed out waiting for restore task to complete

Conditions:
This issue applies for BIG-IP versions 13.x.

Impact:
Though the restore on BIG-IP v13 may be successful, BIG-IQ does not report the status of the restore. Users must determine the status of the restore by looking directly at the BIG-IP (e.g. ltm log).


667446 : Sync groups manual "refresh list" is needed after major upgrade

Component: BIG-IQ DNS Management

Symptoms:
Due to the configuration structure change from previous versions, the real status of the DNS sync groups does not automatically appear.

Conditions:
This happens only after major version upgrade (e.g. from 12.x to 13.x)

Impact:
The current status of DNS Sync Groups is not visible until after refreshing the list.

Workaround:
You must run "refresh list" manually for the real status to be retrieved.
Go to Devices > BIG-IP clusters > DNS sync groups and click the "Refresh List" button.


666309-1 : Existing transform rule deletions from the cloud dashboard are not deleted on the local (on premise) BIG-IQ devices

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When configuring import of transform rule from a web service and using the SOC as the web service, deletions made by the FPS SOC to existing rules might not be applied on the BIG-IQ system and the rules will not get deleted.

Conditions:
Happens when the SOC or any other F5 FPS dashboard is used as the source of rules.

Impact:
Existing rules are not deleted.

Workaround:
Delete the alert transform rule from BIG-IQ, delete the alert transform rule import rules and create a new alert transform rule import schedule


665639-1 : Amazon EC2 Abuse Report upon a new deployment of BIG-IQ AMI instance

Component: REST Framework and TMOS Platform

Symptoms:
Upon deploying a new BIG-IQ AMI instance and a successful login to the BIG-IQ web user interface, within minutes Amazon EC2 flags an abuse report about potential port scanning activities from the BIG-IQ instance to the client machine initiating the browser session.

Conditions:
New BIG-IQ AMI instance deployed and running in EC2, with first successful login from an arbitrary client into the BIG-IQ web user interface, using an internet browser with websocket support (Firefox, Chrome, Safari, etc.). Even the idle user interface left untouched (without browsing BIG-IQ UI pages) would trigger the EC2 Abuse report.

Impact:
The customer owning the EC2/AMI deployment of BIG-IQ will get an email with the Amazon EC2 Abuse Report.

Workaround:
At this time there are no clear indications of illegal port scanning activities originated from the BIG-IQ AMI instance to the client machine initiating the BIG-IQ UI browser session.

A current assumption is that Amazon EC2 may have some initial sensitivity for websocket-based browser connections, with a relatively high number of websocket frames being exchanged between a client browser and the BIG-IQ AMI instance, although the number of websocket ports involved in this traffic remains relatively low (below a dozen).


663919 : Pool Member Operator role cannot filter pools

Component: BIG-IQ Local Traffic & Management

Symptoms:
Users created under the Pool Member Operator role can see pools but cannot filter them.

Conditions:
User in pool member operator role attempting to filter pools.

Impact:
Users created under the Pool Member Operator role can see pools but cannot filter them.


663606 : Pool license cannot be assigned after upgrade to BIG-IQ 5.2

Component: BIG-IQ Device User Interface

Symptoms:
Assigning a pool license (purchased pool, volume license, utility license) after upgrading to BIG-IQ 5.2 fails with a message similar to: "last block incomplete in decryption".

Conditions:
This occurs if the license was activated prior to the 5.2 upgrade.

Impact:
License cannot be used.

Workaround:
Note, steps 4 and 5 can be skipped if running BIG-IQ 5.3 or later.

1. Take a backup of the BIG-IQ
2. Login to the BIG-IQ via ssh
3. cd /var/config/rest/tokuupgrade/encryption
4. cp platformEncryption.js platformEncryption.js.bak
5. Modify platformEncryption.js, updating 5 lines. Replace the quoted portion of each:
Line:
     cursor = findDocuments("cm:shared:licensing:pools:licensepoolworkerstate");
       change to: cm:device:licensing:pool:purchased-pool:licenses:licensepoolworkerstate

Line:
     cursor = findDocuments("cm:system:licensing:utility-licenses:utilitylicensestate");
       change to: cm:device:licensing:pool:utility:licenses:utilitylicensestate

Line:
     cursor = findDocuments("cm:system:licensing:pool:volume:licenses:licensestate");
       change to: cm:device:licensing:pool:volume:licenses:licensestate

Line:
     cursor = findDocuments("cm:system:licensing:pool:websafe:licenses:websafelicensestate");
       change to: cm:device:licensing:pool:websafe:licenses:websafelicensestate

Line:
     cursor = findDocuments("cm:system:licensing:pool:initial-activation:initialactivationworkeritemstate");
       change to: cm:device:licensing:pool:initial-activation:initialactivationworkeritemstate

6. /bin/sh /var/config/rest/tokuupgrade/encryption/run_encryption_upgrade.sh
7. bigstart restart restjavad


660828-2 : Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"

Component: BIG-IQ Access

Symptoms:
Deployment failure with error similar to the one below:

Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"

Conditions:
Deployment fails when advanced customization is involved.

Impact:
The BIG-IQ APM deployment fails.

Workaround:
On the failed device, remove the object that uses the customization group (logon page agent in policy or policy macro), which in turn will remove the customization group, then deploy to the device again.


659958-2 : Active Directory Groups update does not show any groups

Component: BIG-IQ Configuration - Access

Symptoms:
Active Directory, LDAP groups are not displayed even after the administrator clicks "Update" from the Active Directory > LDAP Groups screen.

Conditions:
This issue happens when the administrator does not have advanced shell access on the BIG-IP system.

Impact:
Admin has to type in the active directory group details manually or copy it from the BIG-IP system.

Workaround:
Give advanced shell access for the administrator on the BIG-IP system.
To give the administrator access to the Advanced Shell, use the following command syntax:

modify /auth user <UserID> shell bash


659729 : Filtering by the text 'http' in LTM Profiles grid takes a long time to complete

Component: BIG-IQ Local Traffic & Management

Symptoms:
The LTM profiles grid will show a spinner for 30 or more seconds until results are returned. Note that queries for other text are not affected.

Conditions:
User enters 'http' into the filter bar in the LTM profiles grid and hits the Enter key.

Impact:
The user may have to wait for longer than expected to see the results of this query.

Workaround:
User can use a different or more specific query. For example if the user is searching for the http-explicit profiles, they can filter with 'explicit'.


659424-2 : Deployment failure due to SAML object deletion

Component: BIG-IQ Access

Symptoms:
This symptom observed on BIG-IQ is caused by a defect on BIG-IP systems.

This defect happens when BIG-IQ attempts to delete unreferenced SAML objects on deployment.

When this happens, the deployment will fail, and the following message will be displayed:


Failed submitting iControl REST transaction 1487875767493967: status:400, body:{"code":400,"message":"transaction failed:01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/ipd.cooper.local
because it is being used by
aaa-saml-server (/Common/saml_sp)","errorStack":[],"apiError":1}

Conditions:
When unreferenced SAML objects are deleted by BIG-IQ at time of deployment.

Impact:
Failure to perform a BIG-IQ deployment.

Workaround:
Customers can administer BIG-IP and remove the unused SAML objects, or reference them by a dummy Access Policy. Alternatively, BIG-IP systems can be upgraded once appropriate hotfixes are available.


658402-1 : "Reset to Standalone" is a feature of HA that should only be used if the HA peers are not communicating with each other.

Component: REST Framework and TMOS Platform

Symptoms:
"Reset to Standalone" is not the preferred method to break a functioning HA pairing. Its actions only affect the system from which the command was initiated. The other HA peer system is not aware that the initiating system has left the HA pairing.

If "Reset to Standalone" is used to break an HA pairing it will leave the system from which the feature was run in "Standalone" mode. However, it will leave the peer system in a state where it still expects to be in an active HA pairing.

For example, if "Reset to Standalone" is initiated on the Primary system, the Secondary system will report:

"Failed - Peer reporting as STANDALONE, expected PRIMARY"

Also, if "Reset to Standalone" is initiated on the Secondary system, the Primary system will report:

"Failed - Peer reporting as STANDALONE, expected SECONDARY"

Impact:
Messages like this might be seen in the restjavad logs of the Primary system after it underwent a "Reset to Standalone":

[WARN][13 Apr 2017 13:34:20 EDT][/cm/shared/esmgmt/cluster ESClusterInstanceCollectionWorker] Unable to patch cluster instance: java.lang.IllegalArgumentException: at least one node must defined in the cluster

Workaround:
If trying to break an HA pairing and both peer systems are reporting an "Operational" state (as seen in System -> BIG-IQ HA -> BIG-HA Settings), the preferred method for breaking the HA pairing is to use the System -> BIG-IQ HA -> Remove Secondary option.


658039-2 : Failure to reactivate some licenses when EULA has changed

Component: BIG-IQ Device User Interface

Symptoms:
Attempts to reactivate a license when the EULA has changed generate a message similar to: "The system returned an unexpected error (400 Bad Request). Validation of PATCH failed."

Conditions:
This can occur for utility, volume and FPS licenses when the user navigates away from the license properties page before accepting the new EULA and then returns later.

Impact:
License fails to complete the reactivation.

Workaround:
When the user returns to the license properties page, clicking "Finish Reactivation" opens a new page with a "Reactivate" button which generates the error. Instead of clicking "Finish Reactivation" on the license properties page, the user can click the "Accept" button at the bottom right of the page to accept the new EULA and complete the reactivation.


655283-1 : Refreshing an FPS saved filter page will not render results.

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
A saved filter is run, and results are not displayed after logging out and back in (or via the browser refresh button).

Conditions:
If a user runs a saved filter and then either (a) refreshes via the browser button or (b) logs out and then back in, the query will not succeed in displaying matching alerts. It will not look like a query with no results, which usually displays the message "There are no items to show in this view." Instead not even the table will be displayed.

Impact:
The list of matching alerts will not be displayed.

Workaround:
Click the saved filter navigation item and then 'Run Filter'.


655123-2 : Unable to open Network Access, LDAP, AD, CRLDP, TACACS, or Radius server object UI for edit.

Component: BIG-IQ Access

Symptoms:
When a user clicks an instance of the following objects, UI does not open the object for edits. There is no response for the user mouse click.

Object Types: LDAP, AD, CRLDP, TACACS, or Radius server

Conditions:
This happens after import/reimport of Access.

For LDAP, AD, CRLDP, TACACS, or Radius server objects, this occurs because the pool used by the object instance does not exist in "LTM".

For Network Access objects, this occurs because the route-domain used by the object does not exist in "LTM".

Impact:
Object instances of kind Network Access, LDAP, AD, CRLDP, TACACS, or Radius server could not be edited.

Workaround:
Users must rediscover and reimport LTM for the corresponding device to which the object (LDAP, AD, CRLDP, TACACS, or Radius server) belongs.


654514-1 : Some grid pages may take several seconds to populate rows while scrolling

Component: REST Framework and TMOS Platform

Symptoms:
For some grid pages which present a large amount of information, there may be a delay of several seconds when scrolling in the grid.

Conditions:
If you are viewing a grid page which contains a large amount of data, such as the Network Security Contexts grid.

Impact:
There may be a delay of several seconds before new rows are rendered when scrolling.

Workaround:
If you are looking for specific items, filter the grid to limit the number of items in the grid.


653760-2 : Token Table is not updated in real time on the drill down screen

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Drilling down on the Access Token Count screen doesn't show the right number of tokens in the table the first time.

Conditions:
Happens during the drill down action.

Impact:
Minimal.

Workaround:
Refresh the page; all tokens will then show up.


653529-2 : Deployment fails when attempting to deploy more than 4000 certs in a single deployment across multiple BIG-IPs

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Attempting to deploy more than 4000 certificates and key objects will result in deployment failure

Conditions:
Trying to deploy more than 4000 certificates and key objects across multiple BIG-IPs

Impact:
Deployment fails and the 'restjavad' daemon must be restarted using the TMSH command 'bigstart restart restjavad' on BIG-IQ to get the device fully operational again, as BIG-IPs may be marked as unavailable.

Workaround:
Split the deployment by either reducing the number of devices or number of certificates and keys per deployment


653528-1 : Deployment fails when attempting to deploy more than 1100 certificates and key pairs (2200 files) to a single BIG-IP

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Deployment failure with an error of 'Failed submitting iControl REST transaction.'

Conditions:
Attempting to deploy more than ~1100 certificates and key pairs (2200 files) to a single BIG-IP

Impact:
Deployment failure with an error of 'Failed submitting iControl REST transaction'

Workaround:
Split the deployment to contain below 2200 file objects


652954 : BIG-IQ 5.x does not allow clustered BIG-IP devices to be added to custom device groups created in BIG-IQ 4.x

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ 5.x fails to properly add a device to a custom device group created in BIG-IQ 4.x. The error message in the UI is "Unable to establish trust with this device. Delete the device and re-add it."

Conditions:
This issue is applicable when the BIG-IP is a clustered device and the device group is a custom device group that was created in BIG-IQ 4.x.

Impact:
The BIG-IP device cannot be properly managed via the device group.

Workaround:
Remove the device from the device group, which should clear any "Unable to establish trust" error on the BIG-IP devices inventory. Take a UCS backup of the BIG-IQ. Remove the device-group-key-pair for the device group using: "restcurl -X DELETE shared/device-group-key-pairs/{group name here}". Then add the device to the device group again.


652666-1 : Unable to save FPS Download schedule with start date in past

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
It is possible to get into a state where a transform alert download rule schedule will not save. Schedules must have a start date at least 5 minutes in the future. If a start date is set into the past AND there is an end date, the start date must be at least 5 minutes from 'now'.

Conditions:
This is usually seen when setting an hourly schedule, but can be seen when editing an existing schedule. In both cases, an end date is specified.

Impact:
Unable to save the schedule.

Workaround:
Set the start date to the current time or later. The start time must be before the end time.


651998-2 : When /var partition reaches configured limit, collection of statistics from BIG-IP will stop, and older data may be automatically removed by BIG-IQ

Component: AppIQ

Symptoms:
You may observe two behaviors:
1. Current statistics from BIG-IPs are not shown on graphs
2. Older statistics from BIG-IPs may no longer be available

Conditions:
This occurs when the data store for statistics reaches the configured limit

Impact:
Loss of current and potentially older statistical data, resulting in graphs showing no data and/or flat areas of no data.

Workaround:
There are several actions you can take:
1. Increase the /var partition on your Data Collection Devices.
2. Increase the maximum percent of storage BIG-IQ may consume for statistical data.
3. Reduce the frequency of data collection from each BIG-IP.
4. A combination of one or more actions listed above.
Please consult product documentation.


651892-1 : Some Rewrite profiles created on BIG-IP cannot be updated or deleted by BIG-IQ

Component: BIG-IQ Local Traffic & Management

Symptoms:
Using BIG-IQ to update or delete a URI translation rewrite profile that was created via the BIG-IP UI may fail with a message like "transaction failed:01020036:3: The requested rewrite rules URI (/Common/rewrite-custom uri_c931dcd3-acbe-34cf-81c9-a27b64738bb0) was not found."

Conditions:
This issue applies to URI translation rewrite profiles created via the BIG-IP UI that have a parent profile that includes one URI rule.

Impact:
This issue can cause BIG-IQ deployments to fail.

Workaround:
This issue can be resolved by using BIG-IP (tmsh or UI) to remove the inherited URI rule from the affected profile and then recreating it. Afterwards, discover/import the LTM service for the relevant device to update the profile in BIG-IQ.


651186-2 : SSL certificate in non-PEM format can not be imported and managed

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ fails to import DER encoded certificates/keys.

Conditions:
This applies when manually importing DER encoded certificates/keys from an external source or when trying to convert an unmanaged certificate/key from BIG-IP into a managed certificate/key.

Impact:
DER encoded certificates/keys cannot be managed by BIG-IQ.

Workaround:
DER encoded certificates/keys can be converted to PEM format to allow them to be managed by BIG-IQ.


651172-1 : CSV download fails after opening a session details dialog

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Clicking the CSV download button after viewing the session details dialog causes the download to fail.

Conditions:
Happens only after session details dialog is opened

Impact:
Minimal

Workaround:
Refresh the browser when this error occurs. This error is not seen if the CSV download occurs before the session dialog is opened.


651013-1 : Device discovery and unresolved conflicts

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
When a BIG-IP is added to BIG-IQ, objects named the same as ones residing on BIG-IQ will be tagged as conflicting. The user who initiates the discovery must resolve those conflicts.

Conditions:
Adding a BIG-IQ that contains objects named the same as objects already residing on BIG-IQ.

Impact:
Other users of BIG-IQ will be restricted in the operations until the conflicts are resolved.

Workaround:
Only the user who initiated the discovery has the ability to resolve the conflicts, and they must navigate to the device inventory or device services page to do so.


650405-1 : Error while transforming Profile Client SSL when BIG-IP in DSC (Failed to transform secure field value)

Component: BIG-IQ Local Traffic & Management

Symptoms:
Due to a BIG-IP defect, discovery may fail due to an invalid passphrase. Log messages will include the error: "Failed to transform secure field value".

Conditions:
This may occur when BIG-IPs are configured in a DSC pair and one or more profiles are configured with a passphrase.

Impact:
As a result, the LTM service cannot be managed for the affected BIG-IP.

Workaround:
Restart restjavad/icrd on the BIG-IP that fails discovery and re-discover.


650218-1 : Client SSL - BIG-IP 11.5.1 HF7 - overridden yet unchanged Cert Key Chain in Client SSL profile causes discovery failure

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Discovery of the LTM service for a BIG-IP fails with the error: "Unable to parse tmsh output: java.lang.IllegalArgumentException: malformed or empty array: "" { }"

Conditions:
This can occur for older BIG-IPs that allow a Client SSL profile to be saved without a certificate/key.

Impact:
This prevents the LTM service for the BIG-IP device from being managed in BIG-IQ.

Workaround:
The issue can be resolved by correcting the configuration for the relevant Client SSL profile(s) by adding a certificate/key.


648876 : Discovery of a BIG-IP Advanced Firewall service may fail if the service is newly provisioned on the BIG-IP

Component: BIG-IQ Network Security

Symptoms:
Discovery of the Advanced Firewall service may fail with an error message similar to: check if iControl REST service is running on the BIG-IP

Conditions:
A BIG-IP Local Traffic service is already imported on the BIG-IQ and then the Advanced Firewall service is provisioned on the BIG-IP and that service is then discovered by the BIG-IQ.

Impact:
The Advanced Firewall service cannot be discovered on the BIG-IQ due to a BIG-IP REST service issue.

Workaround:
If the discovery fails with the indicated symptoms, the restjavad service must be restarted on the BIG-IP. The user should log onto the BIG-IP shell and execute the following command: bigstart restart restjavad


648546-1 : Cannot deploy a certificate with server-ssl

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Failure to deploy a certificate referenced by a new server-ssl profile. If a server-ssl profile inherits from the 'serverssl' system profile, it will deploy successfully, but if the server-ssl profile inherits from any other profile, the deployment will fail.

An error is generated:
"transaction failed:0107134a:3: File object by name (/Common/some-ca-bundle.crt) is missing."

Conditions:
This issue occurs when attempting to deploy at least 3 objects together: 1) a new traffic certificate, 2) a parent server-ssl profile, and 3) a child server-ssl profile referencing the traffic certificate from 1) and inheriting from the server-ssl profile from 2).

Impact:
Deployment will fail.

Workaround:
Deploy the traffic certificate or the parent server-ssl profile in a separate deployment task.


648293-1 : Device status can show green when ES cluster is not green

Component: BIG-IQ System User Interface

Symptoms:
Various warning conditions can occur with the ES cluster that are not reflected correctly in the overall device status.

Conditions:
A Data Collection device can be configured to alert at a different disk usage threshold than the ES disk usage threshold; this results in misleading error indicators in the device status.

Impact:
Potentially a user could miss problems with the ES cluster if only the device status was taken into account.

Workaround:
User should look at both the device status and the cluster status. Cluster status is available in System -> BIG-IQ DATA COLLECTION -> BIG-IQ Data Collection Cluster -> Status


647189 : Deployment to version 12.1.1 device fails with error "Encountered unsupported operation 16 at /apm/policy/access-policy/..../subroutine-properties"

Component: BIG-IQ Configuration - Access

Symptoms:
Deployment to version 12.1.1 device fails with error "Encountered unsupported operation 16 at /apm/policy/access-policy/..../subroutine-properties"

Conditions:
The deployed BIG-IP system is version 12.1.0.

Impact:
Cannot deploy the new configuration to the BIG-IP system.

Workaround:
Upgrade to 13.0, which addresses this issue.


646929-1 : BIG-IQ cannot remove overrides for LWS Separator field on HTTP explicit profiles.

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ cannot unset overrides on the LWS Separator field for HTTP profiles. This is due to a defect on the BIG-IP. This override can be removed on BIG-IP and the device rediscovered/reimported.

Conditions:
User tries to remove the LWS Separator override on the HTTP explicit profile.

Impact:
The value will always remain overridden in the child profile.

Workaround:
Manually unset the override on the BIG-IP and then rediscover and reimport the BIG-IP.


644884 : Sort-Selected rows of data in dimension panes may show N/A for data

Component: AppIQ

Symptoms:
When sorting data in dimension tables, pinned / sort-selected items may show up as "N/A".

Conditions:
In the table of data for a specific dimension (such as Virtual Servers), BIG-IQ only shows the top-100 items meeting the sort criteria as determined by the column chosen and sort order (descending, ascending). If a specific row has been pinned using the "Sort Selected" action and the sort criteria are changed such that the pinned rows are no longer in the top-100, the data for the pinned rows will show as "N/A".

Impact:
None

Workaround:
You can choose a different column and sorting order, which results in the sort-selected rows showing data if the row meets the top-100 criteria.


643825-1 : Inability to remove Certificate and/or Key used by serverssl profile in specific cases for v11.6.0 and v11.6.1

Component: BIG-IQ Local Traffic & Management

Symptoms:
When an ltm profile server-ssl uses a certificate and/or key and the key and certificate property override is unset, BIG-IQ cannot remove that certificate and key in the same deployment.

Conditions:
1. Discover an ltm profile server-ssl using Certificate and/or key.
2. Unset the certificate override and/or key override.
3. Delete the certificate and key.
4. Deploy to BIG-IP.

Impact:
Deployment will fail with the message
"File object by name (/Common/cert.key) is in use."

Workaround:
Set the server-ssl to the desired value and do not unset the certificate and key override.


643645-1 : BIG-IQ System Settings: SNMP /32 allow mask does not work

Component: BIG-IQ System User Interface

Symptoms:
SNMP allow lists in the BIG-IQ GUI with a /32 mask (255.255.255.255) will cause polling to fail.

Conditions:
SNMP allow lists in the BIG-IQ GUI with a /32 mask (255.255.255.255).

Impact:
SNMP Polling will not work.

Workaround:
Delete the previously created allowed address and create another via tmsh. SNMP polling then works.


643507-1 : Removing a Data Collection Device may take a long time, and will not show an error dialog if removal times out

Component: BIG-IQ System User Interface

Symptoms:
When removing a Data Collection Device, the removal task may take a long time to complete. While this task runs, you are free to use the UI or log out and the task will continue to run on your BIG-IQ. If the task fails or times out, you will not see an error message dialog.

Conditions:
This can occur when you remove a Data Collection Device with a large amount of data.

Impact:
Removal may fail without presenting an error message.

Workaround:
Attempt to remove the data collection device again.


643083-1 : Using multiple search terms across object types is not supported on some Network Security screens

Component: BIG-IQ Configuration - Security - Network Security

Symptoms:
On various Network Security screens (Firewall Policies, Rule Lists, NAT Policies, Service Policies and Notification Rules), you are allowed to apply multiple filters using the Filter field, even though such a search will only return expected results for the first filter.

Conditions:
For example, a user has a number of Firewall Policies that use the Common partition. One Firewall Policy has a port value of '11223'. The user applies a search of 'Common' first. Then after this they apply a search of '11223'. They will not see any results after the second filter is applied.

Impact:
Minimal impact.

Workaround:
If you apply the '11223' search first, then you will find the policy you are looking for.


642976-2 : Deployment diff shows unused objects to be deleted during deployment

Component: BIG-IQ Access

Symptoms:
Unused objects are deleted when you deploy a configuration change. The deployment diff shows objects to be deleted.

Conditions:
These objects are not used in the policy that gets deployed to device from BIG-IQ.

Impact:
Objects that are not used in policy in BIG-IP will get deleted.

Workaround:
A dummy policy that is not assigned to any virtual server can be created in BIG-IP or in BIG-IQ and those objects can be added in corresponding agents in the policy. Assigning those objects to the dummy policy will not delete it during deployment.

If the dummy policy is created in BIG-IP, user may have to reimport the shared configuration from the device.


641451-1 : Deployment error when overriding the certificate-key chain on a Client SSL profile.

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Deployment error when overriding the certificate-key chain on a Client SSL profile.

Conditions:
On removal of the "Override" setting on the non-root ClientSSL certificate-key chain attribute.

Impact:
This change cannot be deployed to the BIG-IP and deployments will fail.

Workaround:
Specify an override value on the profile. These can be the same as the parent profile.


641427 : Portal Access Rewrite not searchable by Global Search

Component: BIG-IQ Search

Symptoms:
Searching for a Portal Access Rewrite object via global search does not return any results and may return an error.

Conditions:
Using the global search for a Portal Access Rewrite object.

Impact:
You will not be able to search for any Portal Access Rewrite object via global search.

Workaround:
Navigate to the Portal Access Rewrite object list screen and search using the filter bar.


641237-1 : Inability to delete SNAT pool with SNAT transaction from some versions of BIG-IP.

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ is unable to delete a SNAT pool with SNAT translation and deploy the change to BIG-IP.

An error occurs similar to:

"transaction failed:01070321:3: Snat translation address /Common/1.2.3.4 is still referenced by a snat pool."

Conditions:
Configure a SNAT pool with SNAT translation.
Delete the SNAT pool and deploy to BIG-IP.

Impact:
Deployment will fail.

Workaround:
Delete the SNAT pool and SNAT translation directly on the BIG-IP device.


640043-2 : Monitors cannot be deleted on BIG-IQ

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Due to a defect on BIG-IP, BIG-IQ is unable to deploy changes that delete monitors.

Conditions:
Due to a defect on BIG-IP, BIG-IQ is unable to deploy changes that delete monitors.

Impact:
Due to a defect on BIG-IP, BIG-IQ is unable to deploy changes that delete monitors.

Workaround:
Monitors that are unused can be deleted directly on the BIG-IP. However, these will stay on BIG-IQ.


639896-2 : Cannot view SWG Reports and download CSV Reports on Standby BIG-IQ

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
A "Request failed" error message appears when an admin attempts to view SWG Reports or certain Access reports, such as Browser OS, Geo-location, and Access Profile Usage, from the standby BIG-IQ device. The admin cannot perform a CSV download from the standby BIG-IQ device.

Impact:
The admin cannot view SWG Reports and a few Access Reports, and cannot download CSV reports, from the standby BIG-IQ device.

Workaround:
Admin can view the reports and perform CSV downloads from the Active BIG-IQ device.


638131-1 : Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail when Proactive Bot Defense is enabled

Component: BIG-IQ Network Security

Symptoms:
When a BIG-IQ Centralized Management user discovers a BIG-IP device that is 11.6.x, the Bot Signature Check is disabled and is read-only in a DoS profile.

Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail, when Proactive Bot Defense is enabled.

Conditions:
Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher, when Proactive Bot Defense is enabled.

Impact:
User cannot deploy a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher, when Proactive Bot Defense is enabled.

Workaround:
First, in the DoS profile, select the Application Security Proactive Bot Defense tab, and record the current setting of the Operation mode setting. Then set Operation mode to off. You can set it back to its previous value.
As a result, the Bot Signature Check in Bot Signature screen is set to Enabled automatically.
At this point the Bot Signatures and Bot Signature Categories should be visible and editable.
Save the configuration.


637937-1 : Similarly named keys/certs on BIG-IPs of different versions appear as distinct objects in BIG-IQ if the name includes special characters

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
BIG-IP v11.x APIs improperly escape special characters in key/certificate names. This was fixed at BIG-IP v12.0.0.

Conditions:
These issues occur when a mixture of BIG-IPs running both v11.x and v12+ are used in conjunction with BIG-IQ to manage SSL keys/certs.

Impact:
Users may see keys/certs named with special characters (e.g. *.domain.com) represented multiple times on BIG-IQ (once with escaping and once without). Also, such keys/certs created on BIG-IQ or imported from BIG-IP v12+ cannot be deployed from BIG-IQ to BIG-IP v11.x devices.

Workaround:
These issues can be avoided by renaming keys/certs so they do not include special characters.


637728-1 : SSL keys/certificates on BIG-IP with + or ~ in the name cause a discovery failure in BIG-IQ

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
When a BIG-IP has an SSL key or certificate with + or ~ in the name, discovering the LTM service for the BIG-IP fails.

An error is generated:

"Error querying SSL Cert Bundle Certificate from..."

Conditions:
BIG-IP has an SSL key or certificate with + or ~ in the name.

Impact:
Services on BIG-IP cannot be managed by BIG-IQ.

Workaround:
There is no workaround aside from changing the name of affected keys/certs on BIG-IP.


636188-3 : Access Events in iRule requires an Access Profile associated with Virtual

Component: BIG-IQ Access

Symptoms:
Error during deployment:

"Failed submitting iControl REST transaction ...: status:400, body:{"code":400,"message":"transaction failed:01071912:3: ACCESS_... event in rule (/.../...) requires an associated ACCESS profile on the virtual-server (/.../...).","errorStack":[],"apiError":1}"

Conditions:
This issue happens when deploying an LTM or Access deployment that includes LTM objects. A virtual server on the device has an assigned iRule that uses an Access event.

Impact:
Failed to deploy LTM or APM that includes LTM objects.

Workaround:
1) Remove the iRule assignment from the virtual server.
2) Deploy APM that includes LTM objects
   or
   perform a full LTM deployment and APM deployment.
3) Reassign the iRule to the virtual server in LTM
   and do a full LTM deployment again.


636086-1 : Certificates and keys that are copied between BIG-IPs do not match on the BIG-IQ

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Discovering devices with the same keys and/or certificates that were copied from one BIG-IP to another by using the paste text feature will result in a conflict during BIG-IQ discovery/import of the second device.

Conditions:
This issue applies when multiple devices have the same certificates and/or keys that were copied using the paste text feature in BIG-IP.

Impact:
The conflict page will be displayed for the identical keys and/or certificates. During deployment, those identical items will be displayed as different.

Workaround:
When copying a key and/or certificate from one BIG-IP to another without using BIG-IQ, use the "Upload File" option rather than "Paste Text" to import the key and/or certificate to the other device.


635584-2 : BIG-IQ setup wizard fails with "Cannot delete IP X.X.X.X because it would leave a route unreachable"

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
BIG-IQ setup wizard fails to configure management address with error "Cannot delete IP X.X.X.X because it would leave a route unreachable".

Conditions:
This issue is applicable when trunking is used for VLANs not named internal. The BIG-IQ UI does not support configuring trunks, but such a configuration can be created via other means (e.g. tmsh).

Impact:
As a result, system setup cannot be completed.

Workaround:
BIG-IQ system setup should be completed prior to creating trunks on new installations. For upgrade scenarios, the network configuration has to be removed so that system setup can be completed, after which the network configuration can be restored.


632900-1 : Bot Signatures/Bot Signature Categories User Defined Flag Behavior

Component: BIG-IQ Network Security

Symptoms:
In some cases, user created Bot Signatures and Bot Signature Categories imported from BIG-IP are classified as "system defined" on the BIG-IQ after import. This behavior is true even if a bot signature or bot signature category is designated as "user defined" on BIG-IP.

Conditions:
Seen when discovering user defined bot signatures from "pre 13.0.0" version BIG-IP devices.

Impact:
Bot Signatures and Bot Signature Categories created by a user on the BIG-IP get re-classified as "system defined" upon import into the BIG-IQ. Bot signatures so classified are not editable in BIG-IQ.

Workaround:
To make the bot signature editable in BIG-IQ simply reset the bot signature or bot signature category to "user defined" to match the "user defined" setting in BIG-IP.


632799-1 : BIG-IP 13.0.0 Firewall Rule option "Send to Virtual" not managed by the BIG-IQ

Component: BIG-IQ Network Security

Symptoms:
The new BIG-IP Firewall Rule option "Send to Virtual" should not be configured on the BIG-IP if that BIG-IP will be managed by a BIG-IQ.

Impact:
A modification from a BIG-IQ to a Firewall Rule with "Send to Virtual" configured will have the "Send to Virtual" configuration cleared if that associated rule is modified.

Workaround:
If the "Send to Virtual" option must be used on a BIG-IP 13.0.0 device, following a deployment from a BIG-IQ that clears the configuration, the configuration must be manually re-entered on the BIG-IP.


629237-1 : Firefox may perform poorly when running the BIG-IQ management user interface

Component: REST Framework and TMOS Platform

Symptoms:
Firefox may perform poorly when running the BIG-IQ management interface. A user may encounter slow/laggy interaction and warnings from the browser indicating that "A web page is slowing down your browser" when using the BIGIQ GUI. The user may also experience slow performance when selecting menu picks, and may find that some screens require an additional refresh to fully populate.

Conditions:
This occurs in some cases when using Firefox to access BIG-IQ.

Impact:
This slowdown can lead to a very poor user experience.

Workaround:
If a Firefox user encounters a section of the GUI in which the browser performance degrades, recommend that the user retry that workflow with a different supported browser.


627105-2 : Incorrect Error when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
An error message appears when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens

Conditions:
This error is seen only when no token record has yet been created on BIG-IQ and a user navigates to the Token page.

It is only seen if no tokens are present in the BIG-IQ Access OAuth Federation elasticsearch index.

Impact:
No functional impact. It is an incorrect error message.

Workaround:
This error will not be seen if some logs are received from the managed BIG-IP which are in turn responsible for the OAuth token records seen under Reports.


624368-1 : BIG-IQ fails to discover Rewrite profiles that have a corrupt passphrase on BIG-IP

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ fails to discover Rewrite profiles that have a corrupt passphrase on BIG-IP

Conditions:
BIG-IP has a custom rewrite profile from the GUI.

Impact:
BIG-IQ cannot discover the BIG-IP.

Workaround:
Use tmsh on the BIG-IP to create the custom profile instead of the GUI.


620394 : Framework upgrade fails on Viprion when non-primary slot is upgraded first

Component: BIG-IQ Device Management

Symptoms:
Framework upgrade will fail if a non-primary slot is upgraded first.

Impact:
BIG-IP cannot be managed by BIG-IQ.

Workaround:
As a workaround, create /shared/mgmt/ep/rpms on the primary slot, and then add the device to BIG-IQ again (providing root access to accept the framework upgrade).


614199-2 : Profile - Client SSL - Cannot deploy Certificate Key Chain changes to root clientssl profile

Component: BIG-IQ Local Traffic & Management

Symptoms:
Due to an issue on BIG-IP, BIG-IQ cannot update the Cert Key Chain values for root profiles more than once. This operation is blocked on BIG-IQ to prevent modification from BIG-IQ which could lead to permanently blocking deployments from BIG-IQ.

An error occurs:
"transaction failed:010717e1:3: Client SSL profile cannot contain more than one set of same certificate/key type."

Conditions:
User needs to modify the Cert/Key chain values for the root Client SSL Profile.

Impact:
Cannot deploy Certificate Key Chain changes to root clientssl profile.

Workaround:
Manage these settings on BIG-IP and re-discover and import.


612292-2 : Customization file changes are not deployed when customization template and customization group objects are created in deployment

Component: BIG-IQ Access

Symptoms:
Customization file changes are not deployed when customization template and customization group objects are created in deployment.

Deployment is successful. On a subsequent evaluation, it indicates that BIG-IQ customization group is different from the one on BIG-IP.

Conditions:
When a customization template and the corresponding customization group are deployed for the first time to a non-source device, deployment is successful.

Impact:
Customization group files are not deployed in such cases.

Workaround:
Perform one more deployment and it deploys the customization group correctly.


582701-3 : At Scale, HTML Report fails to render in IE and Edge.

Component: BIG-IQ Network Security

Symptoms:
In IE & Edge browsers, the HTML report fails to generate when the report has too much data to display, which can be caused by the user selecting a large number of devices to generate the report and/or the data per device is too large.

Impact:
Reports are not available while using certain browsers.

Workaround:
There are two possible workarounds:
1) Use Firefox/Chrome.
2) Try reducing the number of devices selected for the report.


505455-2 : Adding a device to Access Group fails: Unable to calculate working config ID

Component: BIG-IQ Access

Symptoms:
Adding a device to an Access group fails when a device-specific object on the non-source device refers to an object that does not exist on the source device.

Conditions:
Adding a device to Access Group fails when there exists a shared object that is referred from a "Device-specific" object in the device being added.

Impact:
Failed to add the device to the Access Group.

Workaround:
To identify and resolve the issue, look into logs for errors such as "Failed to re-work references" and "Unable to calculate working config id". The logs will have information on the type of object that needs to be fixed on the BIG-IP system.


464572-1 : Validation of IP/mask for SNMP allowed-addresses list.

Component: REST Framework and TMOS Platform

Symptoms:
The GUI option Client Allow List and the TMSH allowed-address property require IP address values. However, the system does not prevent entering a non-IP address value.

Conditions:
The issue occurs on both BIG-IQ and BIG-IP systems, and is always applicable when configuring SNMP allowed-addresses.

Impact:
The CLI and GUI do not validate IP/mask for SNMP configurations within the allowed-addresses list.

Workaround:
Double check IP/mask entries for the GUI option Client Allow List and the TMSH allowed-address property.
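Because neither the GUI nor tmsh validates these entries, they can be checked before they are entered. The script below is an added example, not F5 code: it assumes entries are written as a bare IP, IP/prefix-length, or IP/dotted-mask, and the function names and sample entries are constructed for illustration. It also flags an explicit /32 mask, which ID 643645 above reports as breaking SNMP polling when set through the BIG-IQ GUI.

```python
"""Pre-check SNMP allowed-address entries before entering them in the GUI or tmsh.

Added example. Assumed entry forms: "IP", "IP/prefix-length", "IP/dotted-mask".
"""
import ipaddress


def check_allowed_address(entry):
    """Return (network, findings). network is None when the entry is not usable."""
    text = entry.strip()
    if not text:
        return None, ["empty entry"]

    addr_part, sep, mask_part = text.partition("/")
    try:
        addr = ipaddress.ip_address(addr_part)
    except ValueError:
        return None, [f"'{addr_part}' is not an IP address"]

    if sep and not mask_part:
        return None, ["'/' is present but the mask is missing"]

    try:
        # strict=False so that host bits are reported below instead of rejected.
        net = ipaddress.ip_network(f"{addr}/{mask_part}" if sep else str(addr),
                                   strict=False)
    except ValueError:
        return None, [f"'{mask_part}' is not a valid mask for {addr}"]

    findings = []
    # ipaddress silently accepts a host mask (0.0.0.255) as if it were a netmask.
    if "." in mask_part and str(net.netmask) != mask_part:
        findings.append(
            f"mask '{mask_part}' is a host mask; it was read as {net.netmask}")
    # Address does not sit on the network boundary implied by the mask.
    if addr != net.network_address:
        findings.append(f"host bits set; the mask covers {net}")
    # ID 643645: an explicit /32 (255.255.255.255) mask breaks SNMP polling.
    if sep and net.version == 4 and net.prefixlen == 32:
        findings.append("explicit /32 mask; see ID 643645 (polling fails)")
    return net, findings


def audit(entries):
    """Check every entry; return {entry: (network, findings)}."""
    return {entry: check_allowed_address(entry) for entry in entries}


# Constructed sample entries (documentation address ranges), not from the page.
SAMPLE_ENTRIES = [
    "192.0.2.0/255.255.255.0",     # clean
    "192.0.2.10/255.255.255.255",  # explicit /32 mask
    "198.51.100.7/24",             # host bits set
    "203.0.113.0/0.0.0.255",       # host mask typed instead of netmask
    "snmp-poller.example.net",     # not an IP address
    "192.0.2.44",                  # bare IP, no mask
]

if __name__ == "__main__":
    for entry, (net, findings) in audit(SAMPLE_ENTRIES).items():
        status = "INVALID" if net is None else ("REVIEW" if findings else "OK")
        print(f"{status:8} {entry:30} {'; '.join(findings)}")
```

Entries reported as INVALID are the non-IP values the system would otherwise accept. REVIEW entries parse but are worth a second look before they are saved.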




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


Generated: Thu Jul 13 09:18:57 2017 PDT
Copyright F5 Networks (2017) - All Rights Reserved