Supplemental Document : BIG-IQ Centralized Management 6.0.0 :: Fixes and Known Issues

Applies To:

BIG-IQ Centralized Management

  • 6.0.0
Original Publication Date: 05/31/2018 Updated Date: 03/06/2020

BIG-IQ CM Release Information

Version: 6.0.0
Build: 1674.0

NOTE: This release DOES NOT include fixes for the Spectre or Meltdown vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754).
F5 is currently developing fixes which will be released in a future version. Please see K91229003 for current Spectre and Meltdown information.

Known Issues in BIG-IQ CM v6.0.x

Functional Change

BIG-IP devices running version 13.1.05 and later require the AVR service to push statistics to BIG-IQ DCD. For version 13.1.0.5 and prior, BIG-IQ DCD pulls statistics from the BIG-IP devices. For more information, refer to the following articles:

https://support.f5.com/csp/article/K96505382

https://support.f5.com/csp/article/K12121934

 

BIG-IQ Configuration - Access Fixes

ID Number Severity Solution Article(s) Description
702833 3-Major   Network Access List IPv6 LAN Address Space mask error


BIG-IQ Configuration - Local Traffic Fixes

ID Number Severity Solution Article(s) Description
705083 3-Major   UDP virtual servers


BIG-IQ Device User Interface Fixes

ID Number Severity Solution Article(s) Description
710213 3-Major   Discovering DSC groups with IPv6 management addresses
717340 4-Minor   Registration Key Pool Assignments


BIG-IQ Monitoring - Dashboards & Reports Fixes

ID Number Severity Solution Article(s) Description
698681 3-Major   User Dashboard shows incorrect Network Access Sessions count
698670 3-Major   Exporting Network Access Connections Dashboard to CSV
682765 3-Major   iHealth Task fails with "Request for PATCH on localhost failed: Invalid generation"
627105 4-Minor   Incorrect Error when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens


BIG-IQ Monitoring - Logs Fixes

ID Number Severity Solution Article(s) Description
702847-1 3-Major   Device field in ASM event displayed in BIG-IQ GUI shows N/A instead of BIG-IP device name


BIG-IQ Local Traffic & Management Fixes

ID Number Severity Solution Article(s) Description
707066 2-Critical   Evaluating 13.1 fails with Cannot determine enumerator component for cm:adc-core:current-config:ltm:profile:server-ssl:adcprofileserversslstate
703908 2-Critical   maxSegmentSize of 0 in TCP profile is not accepted
710787 3-Major   Discovery fails due to Time Wait Indefinite in bigip tcp
697847 3-Major   Device RMA for Local Traffic can be incomplete if the device has IPFIX or Remote High-Speed Log Destinations
710588 4-Minor   false alarm on route domain verification


AppIQ Fixes

ID Number Severity Solution Article(s) Description
651998 3-Major   When /var partition reaches configured limit, collection of statistics from BIG-IP will stop, and older data may be automatically removed by BIG-IQ


BIG-IQ Configuration - Infrastructure Fixes

ID Number Severity Solution Article(s) Description
716065 3-Major   Removing a device's services fails


BIG-IQ Device Management Fixes

ID Number Severity Solution Article(s) Description
698616 3-Major K40755239 Upgrades targeting clustered devices (Viprion or vCMP) fail with a timeout error
704186 4-Minor   Hotfix upgrade task
701265-1 4-Minor   Health upload schedule, selection by device group, shows deleted devices


BIG-IQ DNS Management Fixes

ID Number Severity Solution Article(s) Description
715446-1 2-Critical   BIG-IQ stalled waiting for services to become available.
703480-2 3-Major   DnsConfigCopyTaskWorker fails to import topology when region name has a space


BIG-IQ Fraud Protection Service (FPS) Fixes

ID Number Severity Solution Article(s) Description
712623 3-Major   Import of invalid transform rule CSV file
697542 4-Minor   FPS alerts display of X-Forwarded-For IP addresses


BIG-IQ Network Security Fixes

ID Number Severity Solution Article(s) Description
700399 2-Critical K24906352 FW rules are not deployed on AFM in order


REST Framework and TMOS Platform Fixes

ID Number Severity Solution Article(s) Description
717855 2-Critical   3DES Ciphers have been removed from the SSL accepted cipher list for HTTPD
709573 3-Major   Changing the discovery address or management IP could cause BIG-IQ to not function
703559 3-Major   BIG-IQ unable to retrieve authentication token from BIG-IP 13.1.0+ using remote authentication
701703-1 3-Major K14550300 BIG-IQ upgrade from 5.3.0 to 5.4.0 may fail when Access groups are configured
701264-1 3-Major K22136541 BSON-type UNDEFINED error after BIG-IQ version 5.3 to 5.4 upgrade
693399 3-Major   Changes dialog message
686699-1 3-Major   User with a custom Role is not able to create SecurID object for Access (APM)
529018 3-Major   Specific support for Active Directory as external authentication provider
680899 4-Minor   Support for UPN binding in Active Directory authentication providers
611859 4-Minor   Server certificate validation for LDAP and Active Directory authentication providers
584666-1 4-Minor   Grid columns may be rendered partially or completely off-screen


BIG-IQ Web Application Security (ASM) Fixes

ID Number Severity Solution Article(s) Description
701045 2-Critical   Deploying a shared ASM policy to one virtual server
711023 3-Major   Display information for Websocket URLs
711021 3-Major   Links in enforcement readiness page when no suggestions exist
710936 3-Major   ASM import after upgrade
705270-1 3-Major   Web Application Manager, Editor and Security Manager roles do not have permissions to accept central policy builder suggestions for a policy
705104 3-Major   Differences/conflicts displayed after latest F5 Signature file released
701485 3-Major K49064145 Storage upgrade when upgrading to BIG-IQ version 5.4
701178 3-Major   Importing a policy with special characters
698460 3-Major   Editing the session tracking policy sub-collection when an individual log in screen is selected
694675 3-Major   Configuration import for several large policies
639347 3-Major   Creating or removing a custom signature
715452 4-Minor   The policy builder doesn't start on logging node after upgrade (intermittently)
715142 4-Minor   ASM filtering signatures by signature overrides


BIG-IQ Shared Security Fixes

ID Number Severity Solution Article(s) Description
709354-1 2-Critical   Default global-network log profile
699069 2-Critical   To deploy DoS Profiles to BIG-IP versions 13.0.0 and later, Application Security Module must be provisioned on the BIG-IP
707962 3-Major   Strict partition checking for Log Publisher, Log Destination, Log Profile
707949 3-Major   Importing a shared security configuration fails due to invalid stress-based detection in a DoS profile.
705051 3-Major   Importing configuration of TCP Half Open with Auto Threshold selected fails
703473 3-Major   Import fails when a BIG-IP device contains DNS profile and DoS profile with same name

 

Cumulative fix details for BIG-IQ CM v6.0.0 that are included in this release

717855 : 3DES Ciphers have been removed from the SSL accepted cipher list for HTTPD

Component: REST Framework and TMOS Platform

Symptoms:
3DES has been shown to be a weak cipher.

Conditions:
N/A

Impact:
No supported client needs 3DES to use BIG-IQ, because all supported clients already support more secure ciphers. Only unsupported or malicious clients would attempt to connect using the 3DES cipher.

Workaround:
You can manually remove 3DES from the HTTPD-supported cipher list through its configuration file, and then restart.

Fix:
3DES has been removed from the HTTPD-supported SSL cipher list.
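
A static check for the workaround above, as an added example that is not F5's code. It assumes HTTPD is Apache with mod_ssl, so the cipher list is an SSLCipherSuite directive holding an OpenSSL cipher string; the sample configuration, function names and alias list are constructed for illustration.

```python
import re
import shlex

# Encryption-specific OpenSSL aliases whose members are never Triple-DES
# suites (assumed list, not exhaustive). Any other alias is treated as one
# that may expand to 3DES, depending on the OpenSSL build behind HTTPD.
NON_3DES_ALIASES = {
    "AES", "AES128", "AES256", "AESGCM", "AESCCM", "AESCCM8", "CHACHA20",
    "CAMELLIA", "CAMELLIA128", "CAMELLIA256", "ARIA", "ARIA128", "ARIA256",
    "SEED", "IDEA", "RC4", "RC2", "DES", "NULL", "eNULL",
}


def names_3des(word):
    """True for the 3DES alias and for suite names such as DES-CBC3-SHA."""
    return "3DES" in word or "DES-CBC3" in word


def three_des_status(spec):
    """Classify an OpenSSL cipher string.

    killed   - '!3DES' present: 3DES can never be negotiated
    explicit - a token adds 3DES suites by name
    alias    - a broad alias (DEFAULT, HIGH, ...) may pull 3DES in
    absent   - only non-3DES suites or aliases are listed
    """
    status = "absent"
    for tok in re.split(r"[:, ]+", spec.strip()):
        if not tok or tok.startswith("@"):       # skip @STRENGTH, @SECLEVEL=n
            continue
        op, body = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        parts = body.split("+")                  # 'kRSA+3DES' is a logical AND
        if op == "!":
            if body == "3DES":                   # permanent, position-independent
                return "killed"
        elif op == "-":
            if body == "3DES":                   # removed, but may be re-added later
                status = "absent"
        elif op == "+":
            continue                             # reorders only, adds nothing
        elif any(names_3des(p) for p in parts):
            status = "explicit"
        elif "-" in body or any(p in NON_3DES_ALIASES for p in parts):
            pass                                 # concrete non-3DES suite or safe alias
        elif status == "absent":
            status = "alias"
    return status


def audit_httpd_conf(text):
    """Return (line number, cipher string, status) for each SSLCipherSuite."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # Apache comments start the line
            continue
        try:
            args = shlex.split(line)             # handles a quoted cipher string
        except ValueError:
            continue
        if not args or args[0].lower() != "sslciphersuite":
            continue
        spec = args[1:]
        if len(spec) == 2 and spec[0] in ("SSL", "TLSv1.3"):
            if spec[0] == "TLSv1.3":             # TLS 1.3 defines no 3DES suites
                continue
            spec = spec[1:]
        if spec:
            findings.append((lineno, spec[0], three_des_status(spec[0])))
    return findings


# Constructed sample configuration, not taken from a BIG-IQ system.
SAMPLE_CONF = """\
# constructed example
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP
</VirtualHost>
<VirtualHost *:8443>
    SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA"
</VirtualHost>
<VirtualHost *:9443>
    SSLCipherSuite SSL HIGH:MEDIUM:!3DES:!aNULL
</VirtualHost>
<VirtualHost *:10443>
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, spec, status in audit_httpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {status:8} {spec}")
```

Anything reported as "explicit" or "alias" should be confirmed with a handshake test against the running listener, because alias expansion depends on the OpenSSL build HTTPD is linked against.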


717340 : Registration Key Pool Assignments

Component: BIG-IQ Device User Interface

Symptoms:
You can't assign a license if an assignment for the license key in a registration key pool previously failed.

Conditions:
A failed assignment for a license in a registration key pool.

Impact:
Users are unable to assign a failed license from the grid.

Workaround:
Drilling into the license properties page provides users with a button to assign to a device.

Fix:
You can now assign licenses from the registration key pool license grid.


716065 : Removing a device's services fails

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
Attempting to remove a device's services, so that you can delete the device from the BIG-IQ inventory, fails.

Conditions:
A script written by the customer invoked the 'device-remove-mgmt-authority' API, providing an incorrect device reference URI.

In these conditions the task performed no action, thus the services were not removed. When the customer attempted subsequently to remove the services via the UI, the existing task was re-used with the same effect, thus the services could not be removed.

Impact:
The services cannot be removed, so the device cannot be removed.

Workaround:
The existing 'device-remove-mgmt-authority' tasks must be removed by a DELETE sent to '/cm/global/tasks/device-remove-mgmt-authority'.

Then the services can be removed either via the GUI, or via the API providing the correct device reference, which must be one in the machineid-resolver, e.g.:

https://localhost/mgmt/cm/system/machineid-resolver/0d4ac6b3-2d58-4e8e-a0c4-126288f6a96f

Fix:
The '/cm/global/tasks/device-remove-mgmt-authority' API expects a device reference in '/cm/system/machineid-resolver' and returns an error if the device reference is incorrect.

In previous releases, the task would ignore the error and perform no action.


715452 : The policy builder doesn't start on logging node after upgrade (intermittently)

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The centralized policy builder feature cannot set policies for centralized learning.

Conditions:
The provisioning worker stalls on startup and is still down after system setup has completed.

Impact:
Centralized policy builder does not work.

Workaround:
To work around this issue, type the following command: bigstart restart pabnagd

Fix:
Wait after running pabnagd's start script until the provisioning worker is up, then check the system personality.


715446-1 : BIG-IQ stalled waiting for services to become available.

Component: BIG-IQ DNS Management

Symptoms:
BIG-IQ stalled waiting for services to become available.

Conditions:
This happens when you have thousands of GSLB objects.

Impact:
BIG-IQ stalled waiting for services to become available.

Fix:
1. Install EHF 7467.12.
2. Run the following steps from the CLI:
2.1 mongo
2.2 use bigiqDb
2.3 db.bigiqTasks.remove({"_value.kind":"cm:dns:tasks:stats-discovery:dnsstatsdiscoverytaskstate"})
2.4 db.bigiqCurrentConfig.remove({"_value.kind":"cm:dns:current-config:objects-stats:state"})
2.5 exit
2.6 bigstart restart restjavad
2.7 curl -X PATCH http://localhost:8100/cm/dns/current-config/sync-group-health-refresh --data '{"lastRefreshRequestedMicros":1000000000000001,"lastRefreshStartedMicros":1000000000000000,"status":"IDLE"}'


715142 : ASM filtering signatures by signature overrides

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The ASM module was missing an option to filter by signature overrides.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
The ASM module can now filter by signature overrides.


712623 : Import of invalid transform rule CSV file

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Import of invalid transform rule CSV file prevents further importing of valid files.

Conditions:
The issue happens after trying to load an invalid CSV file of transform rules.

Impact:
Inability to import valid CSV files of transform rules.

Workaround:
Use a script to delete the failed import task through REST APIs. Contact support for guidance if needed.

Fix:
The FPS code was fixed to avoid this issue.


711023 : Display information for Websocket URLs

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Enforcement readiness page shows error when trying to display information for Websocket URLs. The error starts with: "The system returned an unexpected error (400 Bad Request). unable to parse filter".

Conditions:
The issue happens when Centralized Policy Building is used.

Impact:
Screen fails to load.

Fix:
This issue no longer occurs.


711021 : Links in enforcement readiness page when no suggestions exist

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Broken links in enforcement readiness page when no suggestions exist.

Conditions:
The issue happens when centralized policy building is configured but no suggestions were added to the policy.

Impact:
Clicking the entity types links yields an error: "/shared/index/config StorageQueryWorker] Unexpected error in indexer query"

Fix:
The links were fixed and the issue no longer appears.


710936 : ASM import after upgrade

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM import fails after upgrade due to hostnames. The restjavad.0.log file displays a message similar to: 'Failed POST to target https://localhost/mgmt/cm/asm/working-config/policies/<id>/host-names: java.lang.IllegalArgumentException: Duplicate item'

Conditions:
The issue happens when host-names are configured and upgrade was performed from a version before 5.4.

Impact:
ASM configuration import fails.

Workaround:
On BIG-IQ, all existing host-names inside a policy must be deleted and recreated, either manually or (more easily) by importing the BIG-IP configuration.

Fix:
This issue no longer occurs.


710787 : Discovery fails due to Time Wait Indefinite in bigip tcp

Component: BIG-IQ Local Traffic & Management

Symptoms:
Discovery of the TCP profile can fail if the time wait value is set to "Indefinite".

Note: Indefinite values are generally not recommended for wait times.

Conditions:
BIG-IP with TCP profile that has a Time Wait value set to indefinite.

Impact:
Discovery is blocked.

Workaround:
You can change the value from Indefinite to a large integer such as 600000 ms (10 minutes).

Fix:
Indefinite is now a valid value for Time Wait on TCP profiles.


710588 : false alarm on route domain verification

Component: BIG-IQ Local Traffic & Management

Symptoms:
When a route domain is changed, deploying returns a false alarm, even though the deployment was successful.

Conditions:
A route domain is changed before attempting to deploy to a BIG-IP device.

Impact:
There's no functional impact. Just a false alarm message in the verification log.

Workaround:
This false alarm no longer occurs.

Fix:
N/A


710213 : Discovering DSC groups with IPv6 management addresses

Component: BIG-IQ Device User Interface

Symptoms:
When discovering BIG-IP devices in a DSC group that have IPv6 management addresses, BIG-IQ displays the sync status as unknown.

Conditions:
This occurs when BIG-IP management addresses are IPv6, and can be written in multiple ways. For example, if they contain sequences of zeros that can be replaced with "::".

This may only be applicable to BIG-IP versions prior to 13.0.

Impact:
Information (such as the sync status) is omitted from the internal representation of the group so the DSC groups might not be fully functional.

Fix:
BIG-IQ now correctly handles DSC group discovery for devices with IPv6 management addresses with multiple representations.
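
The failure mode described above, as an added example that is not BIG-IQ's code: matching device records by the canonical form of the management address instead of by its text. The record layout, device names and addresses are constructed for illustration.

```python
import ipaddress


def canonical_mgmt_address(text):
    """Return a comparison key for a management address.

    Brackets and a trailing /prefix are dropped, then the address is parsed
    so that case, leading zeros and '::' compression no longer matter.
    Values that are not IP addresses (for example hostnames) are returned
    lower-cased so they still compare consistently.
    """
    addr = text.strip().strip("[]").split("/", 1)[0]
    try:
        return ipaddress.ip_address(addr).compressed
    except ValueError:
        return addr.lower()


def sync_status_by_device(devices, dsc_members, key=canonical_mgmt_address):
    """Join discovered devices to DSC group members on management address.

    'key' turns an address string into the value used for matching. A device
    with no matching member is reported as 'unknown', which is the symptom
    the release note describes.
    """
    status_by_addr = {key(m["mgmt"]): m["sync"] for m in dsc_members}
    return {d["name"]: status_by_addr.get(key(d["mgmt"]), "unknown")
            for d in devices}


# Constructed sample data: the same two addresses, written differently by
# the device inventory and by the DSC group membership list.
DEVICES = [
    {"name": "bigip-a.example.test", "mgmt": "2001:db8::10"},
    {"name": "bigip-b.example.test", "mgmt": "2001:DB8:0:0:0:0:0:11"},
]
DSC_MEMBERS = [
    {"mgmt": "2001:0db8:0000:0000:0000:0000:0000:0010", "sync": "In Sync"},
    {"mgmt": "2001:db8::11", "sync": "Changes Pending"},
]

if __name__ == "__main__":
    # Matching on the raw text loses every device in this sample.
    print(sync_status_by_device(DEVICES, DSC_MEMBERS, key=str))
    # Matching on the canonical form recovers the sync status.
    print(sync_status_by_device(DEVICES, DSC_MEMBERS))
```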


709573 : Changing the discovery address or management IP could cause BIG-IQ to not function

Component: REST Framework and TMOS Platform

Symptoms:
If you change the management address or discovery address in an HA environment through DHCP or tmsh, the BIG-IQ might stop functioning when you restart.

Conditions:
This can happen when you use DHCP without a static IPAM lease or if you change the IP address via tmsh.

Impact:
BIG-IQ won't be able to function because it cannot reach its stored data.

Fix:
Now if the IP address is altered in a standalone configuration, the datastore configuration will be corrected. In an HA configuration, this will still lead to a non-functioning system. It is highly recommended that users use a static IP or an infinite lease through DHCP/IPAM.


709354-1 : Default global-network log profile

Component: BIG-IQ Shared Security

Symptoms:
Previously, when importing multiple BIG-IP devices, the global-network default log profile could cause conflicts that would need to be merged. This happened because BIG-IQ had only one global-network log profile for all BIG-IP devices being managed.

Conditions:
Different BIG-IP devices can have different values in their global-network default log profile, but BIG-IQ could manage only a single global-network log profile for all.

Impact:
All BIG-IP devices managed by the BIG-IQ system use the same global-network log profile, and so any differences need to be merged.

Workaround:
Make the "global-network" log profile an uninteresting object. That is, the user logs in to the BIG-IP device to configure the "global-network" log profile.

Fix:
The default global-network log profile is no longer managed by the BIG-IQ system, so no conflicts occur. Changes to the global-network log profile need to be made on the individual BIG-IP devices.


707962 : Strict partition checking for Log Publisher, Log Destination, Log Profile

Component: BIG-IQ Shared Security

Symptoms:
In 5.4, there were enforcement checks on BIG-IQ that Log Publishers referred to Log Destinations in the same partition. Similarly, there were checks that Log Profiles would refer to Log Publishers in the same partition.

Conditions:
N/A

Impact:
N/A

Fix:
These checks were too strict as BIG-IP allows these references across partitions. These checks have been removed.


707949 : Importing a shared security configuration fails due to invalid stress-based detection in a DoS profile.

Component: BIG-IQ Shared Security

Symptoms:
A shared security configuration import fails when it contains a DoS profile that has only “Bad actors behavior detection” enabled, and all other detection types are disabled and have the “no mitigation” state.

Conditions:
A DoS profile has only “Bad actors behavior detection” enabled, and all other detection types are disabled and have the "no mitigation" state.

Impact:
Import of the Shared Security configuration fails.

Fix:
An import of a shared security configuration with a DoS profile that has only “Bad actors behavior detection” enabled no longer causes an import failure.


707066 : Evaluating 13.1 fails with Cannot determine enumerator component for cm:adc-core:current-config:ltm:profile:server-ssl:adcprofileserversslstate

Component: BIG-IQ Local Traffic & Management

Symptoms:
HTTPS monitors changed for BIG-IP version 13 and later. The cert and key fields for handling SSL are deprecated and a reference to an SSL Server Profile was added.

NOTE: The Server SSL profile is not selectable from the BIG-IQ user interface.

Conditions:
This failure is triggered in the following situation:
-- Deploying BIG-IP version 13 and later.
-- The BIG-IP does not have the SSL Profile referenced by the monitor.

This situation can occur when attempting to copy an HTTPS monitor from one BIG-IP device running version 13 or later to another, and the SSL Profile doesn't already exist on the target.

Impact:
Cannot deploy to the BIG-IP.

Fix:
This issue is resolved and deployments are no longer blocked.


705270-1 : Web Application Manager, Editor and Security Manager roles do not have permissions to accept central policy builder suggestions for a policy

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Some users receive a 403 Not Authorized error when attempting to manually accept a policy suggestion generated by the Central Policy Manager.

Conditions:
This happens for users with the role of Web Application Manager, Web Application Editor, or Security Manager.

Impact:
Non-privileged users cannot manually accept central policy builder suggestions.

Workaround:
Provide users with Administrator role access to manually accept these suggestions.

Fix:
After installing this fix, you must:
1) Note/record the built-in role names for each of your users and user groups.
2) Execute the /usr/bin/rbac-reset command on each BIG-IQ console device, so that roles are regenerated with the proper access privileges.
3) After the system is back up, add the users and groups back to the built-in roles saved in step 1.

Users with the role of Web Application Manager, Web Application Editor, or Security Manager can now manually accept policy suggestions from the central policy manager.


705104 : Differences/conflicts displayed after latest F5 Signature file released

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
After discovering or rediscovering a BIG-IP device, unexpected conflicts display for Security Systems during the import phase.

Conditions:
When you deploy a new ASM signature file to BIG-IP devices, before import, BIG-IQ displays differences in the signature systems because of changes to textual descriptions deployed by the new signature file.

Impact:
These changes are benign, but need to be resolved during the import process.

Workaround:
If you see such differences, select Use BIG-IP to resolve the conflicts.

Fix:
This issue no longer occurs.


705083 : UDP virtual servers

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Trying to create a virtual server with a UDP profile returns the following error:

Error on server request
Worker http://localhost:8100/cm/adc-core/working-config/ltm/virtual failed validation with status 500: java.lang.IllegalArgumentException: object includes reference that is null or empty.

The following error can be found in the /var/log/restjavad.0.log log:

[ERROR][02 Feb 2018 16:51:30 WET][/cm/adc-core/working-config/ltm/virtual AdcVirtualWorkingConfigCollectionWorker] Validation failure: java.lang.IllegalArgumentException: object includes reference that is null or empty.

Conditions:
-- Running v5.4.0.
-- Virtual server has an associated UDP profile.

Impact:
Unable to create virtual servers with a UDP profile on the BIG-IQ device.

Workaround:
Create the virtual server on BIG-IP system and import into BIG-IQ.

Note: No modifications of the virtual server can be saved in the BIG-IQ environment.

Fix:
You can now create a virtual server and associate a UDP profile.


705051 : Importing configuration of TCP Half Open with Auto Threshold selected fails

Component: BIG-IQ Shared Security

Symptoms:
BIG-IQ version 5.4 was unable to import BIG-IP version 13.1.

Conditions:
DoS Profile with TCP Half Open vector enabled and its auto-threshold enabled.

Impact:
Import failed.

Fix:
You can now successfully import BIG-IP version 13.1.


704186 : Hotfix upgrade task

Component: BIG-IQ Device Management

Symptoms:
A managed BIG-IP device upgrade task that installs a hotfix might fail on some devices with the error "Volume did not reach expected install state" while later examination of the target devices reveals that the installation succeeded.

Conditions:
Installing a hotfix requires first installing a base build, then installing the hotfix on top of that build. In some cases there is a longer than expected delay between the BIG-IP completing the base image installation and the BIG-IP beginning the hotfix installation. During this period, BIG-IP reports that the install is complete. BIG-IQ is monitoring the install status reported by BIG-IP, and if that status remains unchanged for too long, BIG-IQ concludes that the full install is complete, but also observes that the installed version (the base image) does not match the expected version (the hotfix).

Impact:
The upgrade task cannot proceed on the failed device.

Workaround:
It may be possible to mitigate this issue by trying the upgrade task again, and possibly by reducing the processing load on the target system to reduce the time between the base image and hotfix installation. It's also possible to manually complete the upgrade by manually rebooting the target devices into the newly installed volume.

Fix:
BIG-IQ now tolerates longer delays on BIG-IP upgrades before reporting an error.


703908 : maxSegmentSize of 0 in TCP profile is not accepted

Component: BIG-IQ Local Traffic & Management

Symptoms:
If the max segment size (MSS) value configured for the TCP profile on a BIG-IP system is set to 0, BIG-IQ will fail to import it.

[ERROR][23 Jan 2018 13:41:15 CST][/cm/adc-core/working-config/ltm/profile/tcp AdcProfileTcpWorkingConfigCollectionWorker] Validation failure: java.lang.IllegalArgumentException: maxSegmentSize 0 must be between 536 and 1460

Conditions:
TCP Profile max segment size is 0.

Impact:
BIG-IQ cannot manage LTM (or other services).

Workaround:
Per the LTM manual:
Max Segment Size (MSS) specifies the largest amount of data that the system can receive in a single TCP segment, not including the TCP and IP headers. If the value is 0 (zero), the system calculates the value from the MTU. The default value is 1460 bytes.

The default MTU is 1500 and the header is 40 bytes. That is why the max segment size is 1460 (1500-40).

As a workaround you should be able to set the max segment size to (MTU-40).

Unfortunately, this will work only if your MSS is within the current validated range on BIG-IQ.

Fix:
The BIG-IQ now has the correct validation for TCP profile maxSegmentSize property.


703559 : BIG-IQ unable to retrieve authentication token from BIG-IP 13.1.0+ using remote authentication

Component: REST Framework and TMOS Platform

Symptoms:
In BIG-IP 13.1.0, a change was made to how the BIG-IP handles the calls to authenticate, when an external authentication provider is configured. With this change, the caller is forced to use the authentication provider the BIG-IP system is configured to use, and it does not fall back to local authentication. This change results in a failure of the BIG-IQ authentication call to the BIG-IP system when an external authentication provider is configured. This is used at the beginning of device discovery, therefore discovery fails.

Conditions:
This occurs when the following conditions are met:
-- Running BIG-IQ versions up to and including 5.4 HF1.
-- External authentication provider is configured on the BIG-IP system.
-- Trying to discover BIG-IP systems running version 13.1.0 and newer.

Impact:
When an external authentication provider is configured on the BIG-IP system, device discovery from the BIG-IQ fails.

Workaround:
1. On the BIG-IP system, set the authentication provider to local.
2. On the BIG-IQ device, discover/import the device using local user admin.
3. On the BIG-IP system, set the authentication provider to the external/remote one.
4. As the BIG-IQ device already has the authentication token for the device, communication with the device still works. The BIG-IQ device can re-discover/re-import the device.

Important: However, DO NOT remove the device from the BIG-IQ device, as that causes authentication to fail.

Fix:
Device discovery for all the supported BIG-IP versions succeeds.


703480-2 : DnsConfigCopyTaskWorker fails to import topology when region name has a space

Component: BIG-IQ DNS Management

Symptoms:
The discovery/import of DNS from BIG-IP to BIG-IQ will fail.

Conditions:
The GTM region name configured on the BIG-IP includes a space.

Impact:
BIG-IQ DNS will not show the GTM/GSLB configuration of the imported BIG-IP/Sync Group.

Workaround:
Do not use spaces when creating a GTM region on BIG-IP.

Fix:
You can now discover and import a BIG-IP that includes a space for the GTM region.


703473 : Import fails when a BIG-IP device contains DNS profile and DoS profile with same name

Component: BIG-IQ Shared Security

Symptoms:
Import fails when a BIG-IP device is configured with a security DNS profile and a DoS profile that both have the same name.

Conditions:
A security DNS profile and DoS profile have the same name and partition.

Impact:
Import fails.

Workaround:
Rename one of the conflicting objects so they do not have the same name. Then retry import.

Fix:
Import is now successful even when a DoS Profile and DNS profile object have the same name.


702847-1 : Device field in ASM event displayed in BIG-IQ GUI shows N/A instead of BIG-IP device name

Component: BIG-IQ Monitoring - Logs

Symptoms:
When viewing ASM events sent to the BIG-IQ environment, the BIG-IQ displays incorrect information in the field designated for the device name. This field should show the name of the BIG-IP system that is the originator of the event.

Conditions:
Viewing events in the BIG-IQ environment.

Impact:
Cannot see the correct BIG-IP device name information for ASM Events. The BIG-IQ populates the device name field in the GUI using the contents of the Device ID field from the event database, which for the BIG-IP system is N/A.

Workaround:
None.

Fix:
The GUI now populates the Device field with the correct information from the event database.


702833 : Network Access List IPv6 LAN Address Space mask error

Component: BIG-IQ Configuration - Access

Symptoms:
After entering the IP address and the mask for the field 'IPV6 LAN Address Space', two issues occur:
-- The IPv6 addresses and mask are showing in IPv4 format.
-- The IPv6 mask is incorrect.

Conditions:
-- Client Settings configured as Advanced.
-- Traffic Options as 'Use split tunneling for traffic' while Creating/editing network access object.
-- Save after entering IP address and the mask for the field 'IPV6 LAN Address Space'.

Impact:
Incorrect IP address and mask. Save or Save and Close buttons are not enabled.

Workaround:
None.

Fix:
The IPv6 address and mask validator is fixed.
The IP address and mask show the correct data after saving.


701703-1 : BIG-IQ upgrade from 5.3.0 to 5.4.0 may fail when Access groups are configured

Solution Article: K14550300

Component: REST Framework and TMOS Platform

Symptoms:
Upgrade fails and tokuupgrade.log contains the following messages:

Error: [SNAPU] Found invalid generation undefined when making generation link for https://localhost/mgmt/cm/access/working-config ...
     at throwSnapuError (./020-platform-snapshots.js:1215:15)
     at makeGenLink (./020-platform-snapshots.js:1114:13)
     at sanityCheckLiveDocuments (./020-platform-snapshots.js:1489:68)
     at runSanityChecks (./020-platform-snapshots.js:1267:18)
     at ScriptEntry.upgrade [as upgradeFunc] (./020-platform-snapshots.js:158:5)
     at upgradeToVersionDir (/var/config/rest/tokuupgrade/src/upgradeversions.js:252:21)
     at upgradeToVersion (/var/config/rest/tokuupgrade/src/upgradeversions.js:155:5)
     at /var/config/rest/tokuupgrade/src/tokuupgrade.js:113:13

Note: Error messages may vary but can generally be identified by the upgrade script 020-platform-snapshots.js and a link starting with https://localhost/mgmt/cm/access.

Conditions:
-- BIG-IQ manages multiple Access Policy Manager (APM) devices.
-- BIG-IQ is configured to use Access Groups.
-- An APM device is removed from one device group and added to another device group.
-- An Access Group snapshot was created while the APM device belonged to the initial device group.
-- BIG-IQ is upgraded before a new / updated Access Group snapshot is created.

Impact:
Upgrade from 5.3.0 to 5.4.0 will fail.

Workaround:
1) To work around this issue, reboot to the previous BIG-IQ version.

2) Delete all Access snapshots before upgrading again: Deployment :: Access :: Snapshots

3) Perform the upgrade again.

For more information, see K14550300: BIG-IQ system upgrades from 5.3.0 to 5.4.0 may fail when Access Groups are configured https://support.f5.com/csp/article/K14550300.

Fix:
BIG-IQ now correctly transforms Access snapshots during the storage upgrade step of the BIG-IQ version 5.4.0 upgrade procedure.


701485 : Storage upgrade when upgrading to BIG-IQ version 5.4

Solution Article: K49064145

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
After upgrading to BIG-IQ 5.4.0 and booting into the new volume, the BIG-IQ CLI displays a "STORAGE_UPGRADE_FAILED" error message and user interface displays "Waiting for BIG-IQ services to become available..."

The tokuupgrade log also displays the following message: TypeError: Cannot read property 'attackTypeReference' of undefined

Conditions:
This can happen if the previous configuration on the BIG-IQ has an ASM signature set created by manually selecting individual signatures rather than through a filter.

Impact:
Upgrades cannot be completed successfully on the configuration.

Fix:
This release includes a fix that works properly on signature sets without filters.


701265-1 : Health upload schedule, selection by device group, shows deleted devices

Component: BIG-IQ Device Management

Symptoms:
If, when creating a QKView upload schedule, you select a device from anything other than the All BIG-IP Group Devices, BIG-IQ displays the device as Device Deleted when the schedule runs.

Impact:
This can be confusing.

Workaround:
To work around this issue, select devices only from the all BIG-IQ group when creating a QKView upload schedule.

Fix:
The device group selector has been removed and all available devices display.


701264-1 : BSON-type UNDEFINED error after BIG-IQ version 5.3 to 5.4 upgrade

Solution Article: K22136541

Component: REST Framework and TMOS Platform

Symptoms:
After upgrading BIG-IQ to version 5.4, when attempting to access BIG-IP LTM pools and pool members, you might receive the following error:

'Found unexpected BSON type UNDEFINED.'

Conditions:
This happens after upgrading to BIG-IQ 5.4. The pool members impacted are those located in the 'Common' partition without folders.

Impact:
Re-importing the device might fail and you might be unable to access pool members.

Fix:
This issue is now fixed.


701178 : Importing a policy with special characters

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Importing a policy with special characters fails.

Conditions:
The issue happens when special characters are used in the policy.

Impact:
Import policy fails.

Fix:
BIG-IQ now accepts special characters in policies.


701045 : Deploying a shared ASM policy to one virtual server

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When a BIG-IP device has a single policy and 2 virtual servers, assigning the ASM policy to the second virtual server prompts the removal of the policy from the first virtual server.

Conditions:
This happens when you deploy a policy assignment for an ASM policy to a second virtual server on a BIG-IP device.

Impact:
The deployment assignment removes the policy's assignment from the first virtual server.

Fix:
This issue no longer occurs.


700399 : FW rules are not deployed on AFM in order

Solution Article: K24906352

Component: BIG-IQ Network Security

Symptoms:
In certain conditions, if a change is made to rule ordering for BIG-IQ AFM and then deployed to a BIG-IP device, the rule order on BIG-IQ and BIG-IP differs.

Conditions:
This happens only under the following conditions:
1. Only when rules move. There are no issues for rules added, changed, or removed.
2. Only when a block of 2 or more rules moves together. If only 1 rule moves, there is no issue. If more than 1 rule moves to different positions, there is no issue.
3. Only when the block moves by 2 or more positions. If a whole block of rules moves by only 1 position, it works as expected.

Impact:
Subsequent deploys continue to show differences between BIG-IQ and BIG-IP rule ordering.

Workaround:
To work around this issue, use one of the following solutions:

1. Move one rule and then deploy it, rather than making several moves and deploying them all at once.
2. If such a change is necessary, add a change to the "description" field for each moved rule. Taking the above example, there are 2 rules that moved: B and C. While editing the policy, edit rule B and change or add something to the description. This is the field just below the rule name. If you already have a description in place, append a character such as "." to it. This forces a change in the rule, and the correct rule ordering will be applied.

Fix:
This release includes a fix for this issue that forces changes to all the affected rules when a rule moves. Now all affected rules deployed match in rule-ordering on BIG-IQ and BIG-IP.


699069 : To deploy DoS Profiles to BIG-IP versions 13.0.0 and later, Application Security Module must be provisioned on the BIG-IP

Component: BIG-IQ Shared Security

Symptoms:
Deployment of the Network Security configuration to a BIG-IP running version 13.0.0 or higher fails, if the BIG-IP does not have the Application Security Module (ASM) provisioned and a DoS Profile change exists.

Conditions:
This happens when:
1. A BIG-IP device is running version 13.0.0 or later.
2. The Application Security Module is not provisioned.
3. A DoS Profile change exists in the deployment evaluation.

Impact:
When this happens, you can't manage DoS Profiles on a BIG-IP from BIG-IQ. All Network Security deployments will fail as long as a DoS Profile deployment change is part of the deployment and the outlined conditions are met.

Workaround:
To manage DoS Profiles from BIG-IQ, you must provision the Application Security Module in at least the Minimum provisioning setting. You can do this even if BIG-IP does not have a license for the Application Security Module.

If you can't provision the Application Security Module on the BIG-IP, then you must manage the DoS Profiles directly on BIG-IP and import the new configuration into BIG-IQ. This will allow you to manage all other Network Security device configurations from BIG-IQ.

Fix:
BIG-IQ now checks that the ASM module is provisioned and transforms the HTTP white list as needed.


698681 : User Dashboard shows incorrect Network Access Sessions count

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
The user dashboard always shows the Network Access Sessions as 0.

Conditions:
Admin navigates to the User Dashboard and views the Network Sessions count in the mini dashlet.

Impact:
Admin cannot see the Network Access Sessions count in the user dashboard.

Workaround:
You can now see the correct Network Access Session count in the Network Access Usage Summary report


698670 : Exporting Network Access Connections Dashboard to CSV

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
An error message appears when you try to export Network Access Connections dashboard to CSV.

Conditions:
When you click the Export button from Network Access Connections Dashboard

Impact:
Cannot export Network Access Connections Dashboard Data to CSV.


698616 : Upgrades targeting clustered devices (Viprion or vCMP) fail with a timeout error

Solution Article: K40755239

Component: BIG-IQ Device Management

Symptoms:
When upgrading a clustered device (a Viprion chassis or a vCMP guest hosted on a Viprion chassis) to BIG-IQ version 5.4, the task will stall waiting for the target to reboot, and eventually time out and report the error "Timeout waiting for device to return from reboot".

Conditions:
This happens for any BIG-IQ version 5.4 upgrade targeting a clustered device, once the upgrade task reaches the reboot phase.

Impact:
The task will not correctly register that the target device has rebooted into the newly installed volume. The task will continue waiting for the target device to reboot until a timeout expires, even though the target device has correctly rebooted. Once the timeout expires, BIG-IQ reports an error.

Workaround:
If you don't need to perform any post-upgrade steps, you can consider the upgrade successful; manually verify that the target device booted properly into the target volume.

Another option is to select the Pause for reboot option for the Software Installation task; then, when the task pauses, cancel the task and reboot the target device manually.

Fix:
Upgrades targeting Viprions and Viprion-hosted vCMP guests now correctly detect when the target device has rebooted, and proceed without timing out and reporting an error.


698460 : Editing the session tracking policy sub-collection when an individual log in screen is selected

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When an individual login page is defined and you try to edit the session tracking sub-collection, BIG-IQ displays a message indicating that there is an unexpected error, illegal reference.

Conditions:
The issue happens only when editing a session tracking configuration that was previously configured with a log in screen selected (use individual login page).

Impact:
An error is shown on the page, changes are not saved.

Workaround:
To avoid this error while editing, do the following:
a. Change the 'Application Username' first dropdown to 'None'
b. Save and close (there is a need to navigate out of the page, so 'Save' alone is insufficient).
c. Navigate to the policy session tracking configuration
d. Re-select the login page
e. Make the required changes
f. Save

Fix:
This issue is now corrected to allow editing of the session tracking configuration.


697847 : Device RMA for Local Traffic can be incomplete if the device has IPFIX or Remote High-Speed Log Destinations

Component: BIG-IQ Local Traffic & Management

Symptoms:
If you select "Remove Services" (RMA) for a managed device that has the newly added Log Destination objects IPFIX or Remote High-Speed Log, the removal can be incomplete leaving some objects for this device existing in the Local Traffic Configuration.

Conditions:
This only happens if the RMA occurs for a BIG-IP that has Log Destinations IPFIX and/or Remote High-Speed Log

Impact:
The RMA process will be incomplete, leaving objects such as Pools and Nodes for the RMAd device still in the Local Traffic configuration.

Workaround:
Prior to RMA, you must manually remove any IPFIX or Remote High-Speed Log objects for this device.

Go to Configuration -> Local Traffic -> Logs -> Log Destinations. One by one, edit each Log Destination of the above two kinds. In the 'Device Specific' section at the bottom of the screen, remove each object for the device to be RMAd.

After this, RMA can proceed as normal with no side-effects.


697542 : FPS alerts display of X-Forwarded-For IP addresses

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
BIG-IQ FPS incorrectly displays X-Forwarded-For IP addresses of alerts.

Conditions:
The issue happens when multiple X-Forwarded-For headers appear in the alert.

Impact:
IP addresses display incorrectly.

Fix:
Alert parsing is now fixed to correctly display such alerts.
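
How a request carrying several X-Forwarded-For headers can be parsed into one ordered address chain, as an added example (not BIG-IQ's own code). The header lines, the trusted-proxy ranges and the function names are constructed for illustration; the page does not give the FPS alert format.

```python
import ipaddress

# Constructed sample: header lines of one request that passed through several
# proxies, each of which added its own X-Forwarded-For header.
SAMPLE_HEADERS = [
    "Host: bank.example.com",
    "X-Forwarded-For: 203.0.113.7, 198.51.100.23",
    "User-Agent: constructed-sample",
    "x-forwarded-for: 10.0.0.5",
    "X-Forwarded-For: not-an-ip, [2001:db8::1]:443, 192.0.2.10:8080",
]

# Constructed sample: networks of the proxies this deployment operates itself.
TRUSTED_PROXIES = ["192.0.2.0/24", "2001:db8::/32", "10.0.0.0/8"]


def _to_address(token):
    """Convert one list element to an ip_address object, or None if invalid."""
    candidate = token.strip('"')
    if candidate.startswith("["):
        # Bracketed IPv6 with optional port: [2001:db8::1]:443
        candidate = candidate[1:].partition("]")[0]
    elif candidate.count(":") == 1:
        # IPv4 with port: 192.0.2.10:8080 (a bare IPv6 has two or more colons)
        candidate = candidate.partition(":")[0]
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def parse_xff_chain(header_lines):
    """Return (chain, rejected) for all X-Forwarded-For headers in the input.

    HTTP treats repeated header fields with the same name as one
    comma-separated list in arrival order, so every occurrence is read and
    the values are concatenated rather than keeping only the first or last.
    """
    chain, rejected = [], []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "x-forwarded-for":
            continue
        for token in value.split(","):
            token = token.strip()
            if not token:
                continue
            addr = _to_address(token)
            if addr is None:
                rejected.append(token)  # keep for the analyst, never display as an IP
            else:
                chain.append(addr)
    return chain, rejected


def client_address(chain, trusted_proxies):
    """Pick the address to attribute the request to.

    Entries to the left are supplied by whoever sent the request and can be
    forged, so the chain is walked from the right, skipping addresses inside
    the operator's own proxy networks. The first address outside them is the
    last hop that a trusted proxy actually observed.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for addr in reversed(chain):
        if not any(addr in net for net in nets):
            return addr
    return chain[0] if chain else None


if __name__ == "__main__":
    chain, rejected = parse_xff_chain(SAMPLE_HEADERS)
    print("chain:   ", [str(a) for a in chain])
    print("rejected:", rejected)
    print("client:  ", client_address(chain, TRUSTED_PROXIES))
```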


694675 : Configuration import for several large policies

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Configuration import can fail when several large policies are imported for the same device, and the following error displays: "Unable to post difference sub-collection results; too many differences".

Conditions:
The issue can occur when the overall object count in policies for the imported device exceeds 200000.

Impact:
Failure to import configuration for the selected device.

Workaround:
To work around this issue, first export some of the large policies from the BIG-IP and import them as XML files into the BIG-IQ system before importing the device configuration.

Fix:
The software code is now optimized to support twice as many difference report objects.


693399 : Changes dialog message

Component: REST Framework and TMOS Platform

Symptoms:
The changes popup dialog does not have a loading indicator.

Conditions:
In some cases, the differences can take a few seconds to appear in the dialog. For example, when viewing Web Application Signature changes in the Audit Log.

Impact:
You might assume that no difference exists before the diff loads.

Workaround:
Wait for a few seconds for a diff to appear.

Fix:
This issue is now fixed.


686699-1 : User with a custom Role is not able to create SecurID object for Access (APM)

Component: REST Framework and TMOS Platform

Symptoms:
A User associated with a custom Role is not able to create SecurID object for Access (APM).

Conditions:
This happens when the associated Custom Role is configured in Strict Mode and the Custom Resource Group does not have the Any Instances option selected for the Source setting.

Impact:
The user will see an error when trying to create a SecurID object.

Workaround:
When you create a Custom Role in Strict mode, select the "Any Instance" option when you specify a Source for the associated Custom Resource Group.


682765 : iHealth Task fails with "Request for PATCH on localhost failed: Invalid generation"

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Intermittently, the iHealth task fails with an error:

"Request for PATCH on localhost failed: Invalid generation"

This is exacerbated by large numbers of devices. Typically, the uploads to iHealth succeed, and the failure is that the diagnostics on BIG-IQ are not updated correctly.

Conditions:
Intermittently, the iHealth task can fail with an error:

"Request for PATCH on localhost failed: Invalid generation"

This is exacerbated by large numbers of devices.

Impact:
iHealth fails.

Workaround:
You can rerun the iHealth task to fix the diagnostics on BIG-IQ. If it fails again, reduce the number of iHealth devices in the task.

Fix:
This issue is now resolved.


680899 : Support for UPN binding in Active Directory authentication providers

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ 5.4 and earlier does not allow binding to Active Directory using the UPN (e.g., username@example.com), but only using the DN (cn=username,dc=example,dc=com).

Conditions:
Authentication.

Impact:
This is unwieldy and rather uncommon in an environment using an Active Directory domain controller. Moreover, we mandated using a dedicated bind account for both LDAP and AD authentication providers, which is not allowed in certain organizations.

Workaround:
Use a DN to bind to Active Directory

Fix:
BIG-IQ version 6.0.0 now includes support for binding to external Active Directory auth providers using a User Bind Template either in the User Principal Name (UPN) format, e.g., {username}@domainname.example.com, or in the Down-Level Logon Name format, e.g., domainname\{username}.
We also no longer require specifying a bind user to authenticate a user against an external LDAP or Active Directory authentication provider.


651998 : When /var partition reaches configured limit, collection of statistics from BIG-IP will stop, and older data may be automatically removed by BIG-IQ

Component: AppIQ

Symptoms:
You may observe two behaviors:
1. Current statistics from BIG-IPs are not shown on graphs
2. Older statistics from BIG-IPs may no longer be available

Conditions:
This occurs when the data store for statistics reaches the configured limit

Impact:
Loss of current and potentially older statistical data, resulting in graphs showing no data and/or flat areas of no data.

Workaround:
There are several actions you can take:
1. Increase the /var partition on your Data Collection Devices.
2. Increase the maximum percent of storage BIG-IQ may consume for statistical data.
3. Reduce the frequency of data collection from each BIG-IP.
4. A combination of one or more actions listed above.
Please consult product documentation.


639347 : Creating or removing a custom signature

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Intermittently, after creating or removing a custom signature, you might have to refresh your browser for the change to display.

Conditions:
After creating or removing a custom signature.

Impact:
The changes don't take effect.

Workaround:
If you have waited more than 10 seconds and have not yet seen the changes take effect, manually refresh your browser.

Fix:
Software code was optimized to improve performance.


627105 : Incorrect Error when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
An error message appears when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens

Conditions:
This error is seen only when no token record has yet been created on BIG-IQ and a user navigates to the Token page.

It is only seen if no tokens are present in the BIG-IQ Access OAuth Federation elasticsearch index.

Impact:
No functional impact. It is an incorrect error message.

Workaround:
This error will not be seen if some logs are received from the managed BIG-IP which are in turn responsible for the OAuth token records seen under Reports.


611859 : Server certificate validation for LDAP and Active Directory authentication providers

Component: REST Framework and TMOS Platform

Symptoms:
When establishing an SSL connection to LDAP or Active Directory servers for 3rd-party authentication, BIG-IQ version 5.4 and earlier does not validate the server's SSL certificate. This opens up the possibility of a man-in-the-middle attack, where an attacker impersonates the LDAP server and steals the authentication credentials.

Conditions:
BIG-IQ version 5.4 or earlier connecting through SSL to LDAP or Active Directory for 3rd party authentication.

Impact:
Compromised credentials for the external authentication system (LDAP or Active Directory domain controller)

Fix:
Starting in version 6.0, BIG-IQ supports server certificate validation. It allows encrypting its connection to the LDAP or AD server using either StartTLS or LDAPS. It also allows unencrypted connections, primarily for test purposes, as they are insecure. We strongly recommend using StartTLS, as well as enabling server certificate validation, as this is the most secure option. Certificate validation prevents a potential man-in-the-middle (MITM) attack on the SSL connection to the LDAP server. LDAPS is primarily used to connect to older servers running an older version of the protocol (LDAPv2).


584666-1 : Grid columns may be rendered partially or completely off-screen

Component: REST Framework and TMOS Platform

Symptoms:
Some grid columns may not be visible when the grid is too wide to fit into the current browser window.

Conditions:
Some grid columns may not be visible when the grid is too wide to fit into the current browser window.

Impact:
The page may look incorrect and visible columns will appear hidden when a user changes the width of a column.

Workaround:
To work around this issue:
- Increase the width of your browser window until all columns are visible.
or
- Change the visible columns by clicking the gear icon at the upper right corner of the grid, and adding or removing columns until the desired columns are visible.

Fix:
A horizontal scroll bar is now provided when grid columns exceed the visible screen width.


529018 : Specific support for Active Directory as external authentication provider

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ 5.4 and earlier does not specifically support using Active Directory (AD) domain controllers as external authentication providers. An LDAP auth provider can be set up to point to an AD controller, however the setup is difficult as some of the settings for AD are different from the ones for LDAP servers. The default values the BIG-IQ sets for various auth provider settings do not work for AD. Setting up a working AD auth provider requires a good amount of effort to figure out what values to enter for various settings.

Conditions:
-- Using BIG-IQ v5.4 or earlier.
-- Using AD domain controllers as external authentication providers.

Impact:
Decreased functionality; difficult to set up AD as an external authentication provider.

Workaround:
Set up an LDAP auth provider to point to an AD domain controller

Fix:
This release adds an AD auth provider type, separate from the LDAP auth provider. On creating a new AD auth provider, the page comes pre-filled with default values for some settings that work well for most AD controllers that use a standard schema. This release eliminates a few unnecessary fields and improves error reporting for handling incorrect values for some settings, to aid troubleshooting and simplify auth provider setup.



Known Issues in BIG-IQ CM v6.0.x


BIG-IQ Configuration - Access Issues

ID Number Severity Solution Article(s) Description
720502-1 3-Major   Unable to create External SP Connector or External IdP Connector using metadata
714990 3-Major   Reimporting a non-source device in an Access Group with AGC policy
695139-1 3-Major   Reimport shared allows reimport from a different device version than that of the group.
686162 3-Major   OAuth Profile deployment fails with JWK config failed trust verification with trusted CA bundle


BIG-IQ Configuration - Local Traffic Issues

ID Number Severity Solution Article(s) Description
721539 3-Major   Editing a device-specific Management Port Log Destination removes its association from the parent template log destination


BIG-IQ Deployment - Evaluate & Deploy Issues

ID Number Severity Solution Article(s) Description
711480 3-Major   Deployment of Access policy fails
693594-1 4-Minor   Access deployment to BIG-IP HA Pair


BIG-IQ Device User Interface Issues

ID Number Severity Solution Article(s) Description
720403 2-Critical   VMware SSG does not support BIG-IP with 1NIC
718162 2-Critical   Application deletion fails
721088 3-Major   AWS service scaling group with BYOL license type fails if it has a duplicate name
720890 3-Major   Application deployment fails
720630 3-Major   Unable to remove application with non-existent ELB
720416 3-Major   Unable to modify an inactive AWS service scaling group's properties
719853 3-Major   Working configuration deployments cannot be targeted for AWS SSG devices
719652 3-Major   Automatic scale out fails after manually scaling out
719278-1 3-Major   Assigning cluster name to unclustered devices considered harmful
717684 3-Major   Unable to completely create device for an SSG
717404 3-Major   AWS SSG status may be in PAUSED after initial scale
721891-1 4-Minor   Device inventory service column does not update when a filter is applied
713341-1 4-Minor   Device cluster name selection resets unexpectedly when trying to rename it


BIG-IQ Monitoring - Dashboards & Reports Issues

ID Number Severity Solution Article(s) Description
718595-1 3-Major   SWG Reports are not supported in BIG-IQ 6.0.0
721304 4-Minor   DoS: Duplicate attack events appear in the Dashboard table
718568 4-Minor   DoS Events Monitoring pages might display new Virtual Server screen VIP links is selected


BIG-IQ System User Interface Issues

ID Number Severity Solution Article(s) Description
643507 4-Minor   Removing a Data Collection Device may take a long time, and will not show an error dialog if removal times out


BIG-IQ Access Issues

ID Number Severity Solution Article(s) Description
660828-3 2-Critical   Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"
716696 3-Major   Users associated with a strict custom role cannot see Device Specific Objects created on Mark Device Specific
698644-1 3-Major   Pinning Policy evaluation
612292-3 3-Major   Customization file changes are not deployed when customization template and customization group objects are created in deployment


BIG-IQ Local Traffic & Management Issues

ID Number Severity Solution Article(s) Description
698569 3-Major   Deployment of eviction policy deletion can disconnect BIG-IP HA cluster running version 11.6.x
594009-1 3-Major   Devices with configured VLAN Groups cannot be managed in BIG-IQ ADC.
707476 4-Minor   String properties break into multiple lines


BIG-IQ App Visibility and Reporting (AVR) Issues

ID Number Severity Solution Article(s) Description
712009 3-Major   Default replica count in the database for statistics data is now 1 in BIG-IQ 6.0.0


AppIQ Issues

ID Number Severity Solution Article(s) Description
720379-1 2-Critical   Standalone and load balancing clustered BIG-IP devices must use auto-sync when stats collection is enabled
696818 2-Critical   Default disk size of 10GB for the BIG-IQ DCD data partition might not be adequate
722342 3-Major   Details for certain chart events do not display on the Monitoring screen
722321 3-Major   Enhanced Analytics must include the Client-IP option to enable data collection
721733 3-Major   Enhanced Analytics Mode Error Handling
721715 3-Major   Disk-related data is not collected for BIG-IP devices deployed in an AWS service scaling group
721711 3-Major   Pool member active alert persists after scale-in
720374 3-Major   Non-admin roles might have limited alert history time view
720220 3-Major   Fast L4 TCP and Fast L4 UDP default templates won't make use of all metrics exposed for app health status
720161 3-Major   ASM staging violations are displayed incorrectly in security charts
719599 3-Major   Active alerts can be displayed without an assigned application or service scaling group
714116 3-Major   Pool member status may be displayed incorrectly


BIG-IQ Configuration - Infrastructure Issues

ID Number Severity Solution Article(s) Description
719983 3-Major   Manually editing device groups can lead to errors reusing cluster names
719499 3-Major   BIG-IQ upgrade to 5.4 or later fails with "Error: [SNAPU] Sanity check failed"
699952 4-Minor   Objects with v6 IP addresses for names that use "::" to replace a single zero


BIG-IQ Device Management Issues

ID Number Severity Solution Article(s) Description
720195-1 3-Major   "Change Device Password" not functional with remote auth
705049 3-Major   Unable to manage a license assigned for unmanaged devices after BIG-IQ upgrade
720197-1 4-Minor   Device diagnostics flags set do not persist after new qkview upload task
692135 4-Minor   Stats collection agent out of date alert


BIG-IQ DNS Management Issues

ID Number Severity Solution Article(s) Description
720162-1 3-Major   Deploy fails for DNS listener when it is set with a new DNS profile
719191 3-Major   DNS devices health indication is wrong when their sync-group availability shown as 'Impaired'
673763-2 3-Major   Wide IP list shows incorrect number of associated pools


BIG-IQ Network Security Issues

ID Number Severity Solution Article(s) Description
678664-1 3-Major   Policy and Rule List rules do not support the Protocol Inspection Profile or Classification Policy configuration options supported by BIG-IP version 13.1.0


REST Framework and TMOS Platform Issues

ID Number Severity Solution Article(s) Description
694788 2-Critical   Custom role in Relaxed Mode containing Address List resources provides very broad read access
721487-1 3-Major   ElasticSearch java process stalls when running at high CPU rate and does not recover
721186 3-Major   clear-rest-storage -d will reset the provisioning settings
718298-1 3-Major   Procedure to restore UCS backup files to BIG-IQ
715192 3-Major   BIG-IQ REST authentication errors after managed BIG-IP device is upgraded to version 13.1.x
704170-1 3-Major   Configuration Object lock behavior
686125-1 3-Major   User is not able to mark Access objects as shared
674249 3-Major   BIG-IQ AWS license not operational after reboot
665639-2 3-Major   Amazon EC2 Abuse Report upon a new deployment of BIG-IQ AMI instance
575066-2 3-Major   Management DHCP settings do not take effect
691531-1 4-Minor   Resource Group form's preview section
585996 4-Minor   Peer status displays as healthy, even though the creation of the pair failed
706634 5-Cosmetic   Several config files in /config are named bigip*.conf instead of bigiq*.conf


BIG-IQ Web Application Security (ASM) Issues

ID Number Severity Solution Article(s) Description
722343 3-Major   Using HTTP Proxy in ASM Signature File update
721198 3-Major   Web Application Security Policy created with language set to 'auto-detect', updating it to another value fails.
721042 3-Major   Unexpected behavior when changing the policy building of a web application security parent policy
719024 3-Major   DCD devices storage exhaustion when using non-large VM configuration size


BIG-IQ Shared Security Issues

ID Number Severity Solution Article(s) Description
722137 4-Minor   Some Security Event Filter Query Parameters do not perform as expected


BIG-IQ Application Management Issues

ID Number Severity Solution Article(s) Description
722458-1 2-Critical   Browser crashes when viewing/editing Application Services Configuration in Chrome 67
716593-1 2-Critical   Creating a new device with a previously-used hostname
722225 3-Major   Auto-deploy scaling fails for a service scaling group in an AWS cloud when ASM policy is set to auto-deploy
722145-1 3-Major   Syncing application on VMware SSG after removing pool health monitor or picking a different kind of monitor
721981-1 3-Major   Deleting an application from devices in an AWS SSG while the SSG is scaled-out might fail
721593-1 3-Major   When application deletion fails 'Retry' button does not work
721554-1 3-Major   When trying to delete an application deployed to an AWS SSG, BIG-IQ returns an error 'Deployment task failed'
721030-1 3-Major   Template node modifications do not synch on an existing application
720779 3-Major   BIG-IQ UCS sizes increasing or BIG-IQ running out of disk space in /var after frequent scaling activity
720655-1 3-Major   Deleting an application with app-specific node monitor fails
720336-1 3-Major   A scaled-out device does not collect any application security metrics
722202 4-Minor   Sometimes the server count incorrectly displays as 0 until before a scaling event is complete
720303-1 4-Minor   After deleting your last application, BIG-IQ returns an error message
719616-1 4-Minor   Cannot create an application for service scaling group that doesn't have LTM imported for its load balancer
717583-1 4-Minor   ASM policy available for some virtual servers in a template, but not others

 

Known Issue details for BIG-IQ CM v6.0.x

722458-1 : Browser crashes when viewing/editing Application Services Configuration in Chrome 67

Component: BIG-IQ Application Management

Symptoms:
Browser crashes when using Chrome 67, which is unsupported for BIG-IQ version 6.0.0.

Conditions:
This can happen when trying to view or modify an Application Services configuration (such as, adding a pool or virtual server) using unsupported Chrome browser versions. Or when resizing the page while viewing Application Environment, Application Services or Servers.

Impact:
Cannot perform certain Application Services configuration changes when using Chrome 67.

Workaround:
To work around this issue, use a supported browser: Chrome versions 65 or 66, Firefox 59 or 60, Microsoft Edge, or Microsoft Internet Explorer 11. Or, downgrade to a compatible version of Chrome (version 65.x or 66.x).


722343 : Using HTTP Proxy in ASM Signature File update

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Using HTTP proxy for signature file operations might fail with logged errors, similar to the following: "external adapter failed in fetching product version"

Conditions:
The issue happens when the proxy is configured using an FQDN.

Impact:
Failure retrieving signature files from the F5 server.

Workaround:
Use the IP address of the proxy when configuring it.


722342 : Details for certain chart events do not display on the Monitoring screen

Component: AppIQ

Symptoms:
When selecting the multiple event icon from the Monitoring screen's (Monitoring > DASHBOARDS) time charts, no data displays in the details list.

Conditions:
This occurs when one or more of the events that were triggered at a given time is an affected event.

Impact:
Affected events that display no data are of the sub categories:
- "elastic-search-disk-full"
- "low watermark reached"
- "high watermark Reached"

Workaround:
Zoom into the desired time range so events are spread over multiple time points. This will allow you to isolate unaffected events, so they are displayed in the details list.


722321 : Enhanced Analytics must include the Client-IP option to enable data collection

Component: AppIQ

Symptoms:
Enhanced analytics fails to collect data as expected, unless the Client-IP option is selected.

Conditions:
Enhanced analytics is enabled, without client-IPs selected for data collection.

Impact:
Enhanced analytics is marked as enabled, but data collection does not take place according to enhanced analytics settings.

Workaround:
To avoid this issue, select the Client-IP option before enabling enhanced analytics.


722225 : Auto-deploy scaling fails for a service scaling group in an AWS cloud when ASM policy is set to auto-deploy

Component: BIG-IQ Application Management

Symptoms:
When auto-deploy is enabled for a policy for BIG-IP devices in a service scaling group, scaling fails.

Conditions:
When all the following three conditions are met:

1) BIG-IP devices in an SSG are provisioned with WAF (Web Application Security).
2) WAF Policy is set to learning mode=Automatic, Policy Building Mode=Central, Auto-Deploy Policy=Real Time.
3) The number of auto-scaled BIG-IP VE devices in the SSG is greater than 1.

Impact:
Attempts are made to auto-deploy the WAF policy every 5 minutes to the BIG-IP devices in an SSG, and it continues to fail.

Workaround:
Disable auto-deploy by setting Configuration:Web Application Security:policies:<ASMPolicy>:POLICY BUILDING:Settings:Auto-Deploy Policy to Disabled.


722202 : Sometimes the server count incorrectly displays as 0 until a scaling event is complete

Component: BIG-IQ Application Management

Symptoms:
The APPLICATIONS > Configuration screen sometimes incorrectly displays the server count as 0. When the scaling operations are complete, the correct server count displays.

Conditions:
This can happen when BIG-IQ is scaling out or scaling in BIG-IP VE devices in a service scaling group.

Impact:
This can be confusing.


722145-1 : Syncing application on VMware SSG after removing pool health monitor or picking a different kind of monitor

Component: BIG-IQ Application Management

Symptoms:
If you remove a pool monitor from an application template on a BIG-IP device in an SSG, the pool monitor is not removed from the BIG-IP device that is load balancing traffic to your SSG when you synchronize the application.

Conditions:
Having an application deployed to a VMware SSG.

Modify the template to either remove the monitor or change it to a different monitor kind.

Sync the app with the template in order to update the monitor changes.

Impact:
Since the old monitor isn't removed from the BIG-IP load balancer, you'll get unnecessary alarms.

Workaround:
Use the API on BIG-IQ to update or remove the monitor on the and then synchronize the application to the other devices.


722137 : Some Security Event Filter Query Parameters do not perform as expected

Component: BIG-IQ Shared Security

Symptoms:
When creating a Filter, the Query Parameters "Virtual Server" and "DoS Profile Name" won't match any events even if the virtual servers and DoS profiles are present in events.

Conditions:
DoS events, user building a filter

Impact:
Unable to filter as desired.

Workaround:
A partial workaround is available. The simple search filter will match on virtual server names / context. Simple search cannot match on DoS profile name, however.


721981-1 : Deleting an application from devices in an AWS SSG while the SSG is scaled-out might fail

Component: BIG-IQ Application Management

Symptoms:
If you try to delete an application from devices in an AWS cloud while the SSG is scaling out, the application deletion might fail.

Conditions:
Deleting an application from an AWS SSG while the SSG is scaled-out can fail.

Impact:
Deleting an application fails with an error:

ConfigItemInUseException: /Common/AppName is pinned to device 'device.hostname.example.com'.

Workaround:
Retry deleting the application after the SSG scale-out task is complete.


721891-1 : Device inventory service column does not update when a filter is applied

Component: BIG-IQ Device User Interface

Symptoms:
The services column on the device inventory (Devices > BIG-IP Devices) screen might not show the current services when a filter is applied until the page is reloaded

Conditions:
This happens when a filter is applied.

Impact:
Cannot see updates or changes to the services column.

Workaround:
To work around this issue, remove the filter or reload the page.


721733 : Enhanced Analytics Mode Error Handling

Component: AppIQ

Symptoms:
No error message is displayed when an attempt to enable or disable Enhanced Analytics fails.

Conditions:
This can occur if the attempt to enable or disable Enhanced Analytics fails.

Impact:
The user may not realize that the attempt to update Enhanced Analytics has failed.

Workaround:
Any failures to enable or disable Enhanced Analytics mode will be logged both in the browser console and in the restjavad log on the BIG-IQ.


721715 : Disk-related data is not collected for BIG-IP devices deployed in an AWS service scaling group

Component: AppIQ

Symptoms:
BIG-IP does not collect disk-related data for BIG-IP devices deployed in an AWS service scaling group.

Conditions:
BIG-IP devices deployed in AWS SSG.

Impact:
The disk activity charts and metrics in the BIG-IQ Monitoring > Device > Health screen show a value of 0.


721711 : Pool member active alert persists after scale-in

Component: AppIQ

Symptoms:
Following a scale-in procedure for a service scaling group, the active pool member status alerts persist.

Conditions:
Service scaling group has active pool member status alerts prior to a scale-in procedure.

Impact:
The active alerts area may show erroneous alerts for pool member status.


721593-1 : When application deletion fails 'Retry' button does not work

Component: BIG-IQ Application Management

Symptoms:
When the deletion of an application fails, clicking Retry does not work and actually recreates the application.

Conditions:
An application deletion fails, either because of connection closed by BIG-IP, or another reason.

Impact:
You might think you're deleting the application, but you're actually recreating it.

Workaround:
To work around this issue, select the application from list and click the 'Delete' button instead of the 'Retry' button.


721554-1 : When trying to delete an application deployed to an AWS SSG, BIG-IQ returns an error 'Deployment task failed'

Component: BIG-IQ Application Management

Symptoms:
When trying to delete an application, BIG-IQ returns an error: "Deployment task failed". The logs contain "org.apache.http.ConnectionClosedException: Connection closed unexpectedly".

Conditions:
An application is deployed to an SSG on AWS and the user selects that application and clicks 'Delete'.

Impact:
The application is not deleted.

Workaround:
Select the application again and click 'Delete'


721539 : Editing a device-specific Management Port Log Destination removes its association from the parent template log destination

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Editing a device-specific Management Port Log Destination removes its association from the parent template log destination.

Conditions:
This happens when you edit a previously created device-specific Management Port Log Destination.

Impact:
The object disappears from the list of device-specific objects available for that log destination.

Workaround:
N/A


721487-1 : ElasticSearch java process stalls when running at high CPU rate and does not recover

Component: REST Framework and TMOS Platform

Symptoms:
An ElasticSearch java process stalls when running at high CPU and does not recover. Search results in BIG-IQ might become stale and the user interface won't work well, if at all.

Conditions:
A large amount of search data updates are posted by a BIG-IQ process to the ElasticSearch instance in response to a change in data such as a multi-BIG-IP deployment.

Impact:
Under some conditions, ElasticSearch continually fails, even after a restart of the service. The service periodically restarts itself due to insufficient memory to complete the ingest operation. The BIG-IQ user interface becomes unusable.

Workaround:
To work around this issue:

1. Run the command:
bigstart stop restjavad tokumond searchd

2. Run the command:
cd /var/config/rest/searchd

3. Run the command:
pwd
Verify the output of the pwd command is /var/config/rest/searchd

4. If you are in the correct directory according to the above steps, run the command:
rm -rf ./data/

5. Run the command:
bigstart start searchd tokumond

6. Wait for all data to be re-indexed. The easiest way to determine that the re-index is finished is to monitor the command:
top
and to wait until the ElasticSearch user's java process no longer shows high CPU for at least one minute.

7. Run the command:
bigstart start restjavad

Once the BIG-IQ comes back up, verify the CPU utilization of the ElasticSearch user's java process is no longer in the top of the top command's results.
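
The delete in this workaround uses a relative path, so it is only safe if the cd really succeeded. The following is an added example, not F5's own script, that enforces the pwd check before deleting; the function names `purge_search_data` and `run_purge_steps` are hypothetical, while the path and the bigstart commands are the ones given above.

```bash
#!/bin/bash
# Added example, not F5 code: the purge step of the 721487-1 workaround with
# the "verify pwd" check enforced by the script instead of by eye.

# Path taken from the release note.
SEARCHD_DIR=/var/config/rest/searchd

# purge_search_data DIR  (hypothetical helper name)
# Removes DIR/data only when the shell really is in DIR. The body is a
# subshell, so the caller's working directory never changes.
# Exit codes: 0 removed or nothing to remove, 2 bad argument, 3 cd failed,
# 4 pwd mismatch (DIR is reached through a symlink or is not canonical),
# 5 ./data is itself a symlink.
purge_search_data() (
    want=$1
    case "$want" in
        /*) ;;
        *) echo "need an absolute path, got '$want'" >&2; exit 2 ;;
    esac
    cd -- "$want" 2>/dev/null || { echo "cannot cd to $want" >&2; exit 3; }
    here=$(pwd -P)
    if [ "$here" != "$want" ]; then
        echo "pwd is $here, expected $want; nothing deleted" >&2
        exit 4
    fi
    # "rm -rf ./data/" on a symlink would empty the link's target instead.
    if [ -L ./data ]; then
        echo "./data is a symlink; nothing deleted" >&2
        exit 5
    fi
    [ -d ./data ] || exit 0
    rm -rf ./data/
)

# run_purge_steps  (hypothetical helper name)
# Stop, purge and restart in the order the workaround gives. restjavad is
# deliberately not started here: the note starts it by hand once top shows
# that re-indexing has finished.
run_purge_steps() {
    bigstart stop restjavad tokumond searchd || return 1
    if ! purge_search_data "$SEARCHD_DIR"; then
        echo "index not purged; services are still stopped" >&2
        return 1
    fi
    bigstart start searchd tokumond
}
```

Nothing runs until `run_purge_steps` is called on the BIG-IQ itself.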


721304 : DoS: Duplicate attack events appear in the Dashboard table

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
The DoS summary dashboard screen occasionally displays duplicate attack events.

Conditions:
This happens sometimes when first viewing the DoS summary dashboard screen.

Impact:
Duplicate attack events sometimes display, when in fact the real number of attacks is 50% of this total.

Workaround:
Use the refresh option to see the correct number of attacks. If you no longer want refreshing enabled, set it to 'off' after the issue is corrected.


721198 : Web Application Security Policy created with language set to 'auto-detect', updating it to another value fails.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
If you create a Web Application Security Policy with the application language set to 'auto-detect' and try to update it to another value, it fails with an error.

Conditions:
The issue happens when using auto-detect language.

Impact:
The save fails with an error.

Workaround:
To work around this issue, delete the policy and recreate it with a different application language.


721186 : clear-rest-storage -d will reset the provisioning settings

Component: REST Framework and TMOS Platform

Symptoms:
elasticsearch and restjavad cannot start.

Conditions:
This happens because of a lack of memory.

Impact:
elasticsearch and restjavad cannot start.

Workaround:
To work around this issue, run the following 3 commands:

tmsh modify sys provision biq level nominal
tmsh modify sys provision ltm level none
tmsh save sys configuration


721088 : AWS service scaling group with BYOL license type fails if it has a duplicate name

Component: BIG-IQ Device User Interface

Symptoms:
Creating BYOL license fails with the following error in orchestrator.log:

2018-05-19 07:43:28 PM Updating S3 Bucket failed due to An error occurred (403) when calling the HeadBucket operation: Forbidden

Conditions:
This happens if you have two SSGs with the same name.

Impact:
AWS SSG creation fails.

Workaround:
Use a different SSG name.


721042 : Unexpected behavior when changing the policy building of a web application security parent policy

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Changes to policy building for a web application security parent policy, and all relevant security (child) policies, do not take effect.

Conditions:
The issue happens when changing the policy building mode of a parent policy.

Impact:
The security/child policy building mode is left unchanged, causing issues with policy building suggestions.

Workaround:
To work around the issue, re-import the BIG-IP device configuration.


721030-1 : Template node modifications do not synch on an existing application

Component: BIG-IQ Application Management

Symptoms:
Performing the "Sync" operation on an existing application does not update existing nodes with template node changes.

Conditions:
When a node is changed on a template that is being used by an application, and you click the Sync button.

Impact:
After following all prompts for "Sync", the LTM nodes used in the application do not have the changes made to the template nodes

Workaround:
Manually modify nodes that were created from templates and use the typical deployment mechanisms.


720890 : Application deployment fails

Component: BIG-IQ Device User Interface

Symptoms:
Application deployment fails with the following log messages in restjavad.0.log file:

[INFO][19 May 2018 17:51:20 PDT][/cm/global/tasks/device-discovery/02a15529-cc71-48aa-82d1-b0f74b6e0937/worker DiscoverySuperTaskWorker] java.lang.Exception: The task https://localhost/mgmt/cm/asm/tasks/discover-config/1270e927-6bcc-477c-8946-8d412159197c is still in process, wait for this task to complete
[ERROR][19 May 2018 17:51:20 PDT][/cm/global/tasks/device-discovery/02a15529-cc71-48aa-82d1-b0f74b6e0937/worker DiscoverySuperTaskWorker] Failed to check the service tasks
[ERROR][19 May 2018 17:51:21 PDT][/cm/global/tasks/device-discovery-import-controller/7a62bab8-d105-4a3a-ad35-98d72d321be3/worker DiscoveryAndImportControllerTaskWorker] Discovery failed for all the devices

Conditions:
Failed application.

Impact:
Application deployment fails

Workaround:
Try the application deployment again.


720779 : BIG-IQ UCS sizes increasing or BIG-IQ running out of disk space in /var after frequent scaling activity

Component: BIG-IQ Application Management

Symptoms:
If the BIG-IQ system is managing a lot of SSG activity, it is possible to run out of disk space in /var.

Conditions:
This happens because the Gunicorn TCWs are leaving state data in REST storage.

Impact:
BIG-IQ runs out of disk space in /var with an error or BIG-IQ UCS sizes continue growing.

Workaround:
To work around this issue, manually start the Gunicorn TCW purger using the following commands:

# export PYTHONPATH=/usr/local/lib/python2.7/site-packages/bigiq_orchestrator

# /usr/local/bin/python2.7 /usr/local/lib/python2.7/site-packages/bigiq_orchestrator/TCW_item_state_purger.py &


720655-1 : Deleting an application with app-specific node monitor fails

Component: BIG-IQ Application Management

Symptoms:
When you select a device and click 'Delete,' the task fails with an error.

Conditions:
This only happens for applications that use a template with a monitor that uses a monitor in the same template and the node addresses are unique on all target devices.

Impact:
The delete task fails with the following error: "Failed to delete foo-test5. Failed to delete application: Failed to finalize coordination: Worker http://localhost:8100/cm/adc-core/working-config/ltm/monitor/http failed validation with status 500: com.f5.rest.workers.configmgmtbase.config.WorkingCollectionHelper$ConfigItemInUseException: <monitor-fullpath>t is in use by Node '<node-fullpath>'.

Workaround:
To work around this issue:
1. Remove the monitor from the node(s) that reference it in the configuration section of BIG-IQ.
2. Remove these references directly on the BIG-IP or create a partial deployment on the target devices that only select those specific nodes.
3. Retry deleting the application.


720630 : Unable to remove application with non-existent ELB

Component: BIG-IQ Device User Interface

Symptoms:
Application deletion fails with the following log message:

AWS load balancer configuration workflow has failed due to Failed to get ELB due to 'There is no ACTIVE Load Balancer named '<load balancer name>''

Conditions:
Application with a non-existent ELB

Impact:
Unable to remove the application

Workaround:
To work around this issue, edit the application from BIG-IQ, supplying the correct ELB details and then remove the application.


720502-1 : Unable to create External SP Connector or External IdP Connector using metadata

Component: BIG-IQ Configuration - Access

Symptoms:
You cannot create an External SP Connector or External IdP Connector object using a metadata file.

Conditions:
This happens if the user is assigned to only custom Roles.

Impact:
You can't create External SP Connector and External IdP Connector objects using a metadata file.

Workaround:
If you're associated with only custom roles, you must create External SP Connector and External IdP Connector objects manually instead of using a metadata file.


720416 : Unable to modify an inactive AWS service scaling group's properties

Component: BIG-IQ Device User Interface

Symptoms:
After making changes to an inactive AWS SSG's properties and trying to save it, the following error occurs:

Cannot change status from 'OFFLINE' to 'REDEPLOYING'.

Conditions:
Modifying an inactive AWS SSG.

Impact:
Not able to modify SSG properties for an inactive AWS SSG


720403 : VMware SSG does not support BIG-IP with 1NIC

Component: BIG-IQ Device User Interface

Symptoms:
BIG-IQ times out while attempting to reset the default passwords on newly created BIG-IPs in a VMware service scaling group.

Conditions:
This issue can occur when an SSG is configured with a BIG-IP using only one NIC.

Impact:
BIG-IQ does not support creating 1NIC BIG-IPs in VMware.


720379-1 : Standalone and load balancing clustered BIG-IP devices must use auto-sync when stats collection is enabled

Component: AppIQ

Symptoms:
If you are collecting statistics from BIG-IQ, it can cause standalone and load balancing BIG-IP devices to become out of sync and return an error.

Conditions:
Enable statistics collection on clustered BIG-IP devices with manual sync-failover.

Impact:
BIG-IP devices become out of sync, and applications can't be deployed.

Workaround:
Set sync-failover cluster sync type to auto-sync


720374 : Non-admin roles might have limited alert history time view

Component: AppIQ

Symptoms:
When viewing alert history from an application view (Applications >> APPLICATIONS >> <Application name>), non-admin user roles might not be able to select a time view that exceeds the last day.

Conditions:
The limited Alert History time view affects users who do not have an administrative role.

Impact:
The Alert History view only displays alerts from the last day.


720336-1 : A scaled-out device does not collect any application security metrics

Component: BIG-IQ Application Management

Symptoms:
A device that has been scaled out to an SSG does not collect any application security metrics.

Conditions:
Deploy an application with enhanced analytics set to collect security metrics to an SSG. Scale out the SSG and add new devices to the group.

Impact:
The new device does not collect security metrics.

Workaround:
After scale-out, disable and re-enable the enhanced analytics security metric collection.


720303-1 : After deleting your last application, BIG-IQ returns an error message

Component: BIG-IQ Application Management

Symptoms:
After deleting your last application, the following message is returned:

"You are not authorized for: applytemplatetaskstate"

Conditions:
A user with only an Application Manager role has deleted their last application.

Impact:
This is a benign message. You can ignore it.

Workaround:
Dismiss the dialog.


720220 : Fast L4 TCP and Fast L4 UDP default templates won't make use of all metrics exposed for app health status

Component: AppIQ

Symptoms:
Fast L4 TCP and Fast L4 UDP templates do not permit BIG-IP to collect L7 data, since it will not exist for these profiles.

Conditions:
Use of Fast L4 TCP and/or UDP templates.

Impact:
You may choose metrics for health status calculation and/or auto scale-out / auto scale-in in the rule definition that will not be collected by the system, therefore having no effect for the rules they are referenced by.

Workaround:
None.


720197-1 : Device diagnostics flags set do not persist after new qkview upload task

Component: BIG-IQ Device Management

Symptoms:
After flagging diagnostic items, those flags are lost when running diagnostics again.

Conditions:
Running a new qkview task after flagging diagnostic items.

Impact:
Flags are not stable and are unusable.


720195-1 : "Change Device Password" not functional with remote auth

Component: BIG-IQ Device Management

Symptoms:
If the BIG-IP is configured with remote auth, then the change password functionality does not work from BIG-IQ.

Conditions:
When a BIG-IP is configured with remote auth.

Impact:
Cannot use the change password functionality.

Workaround:
Change the password directly on the BIG-IP.


720162-1 : Deploy fails for DNS listener when it is set with a new DNS profile

Component: BIG-IQ DNS Management

Symptoms:
When setting a new DNS listener with a new DNS profile, and neither the profile nor the listener exists yet on BIG-IP, the configuration deployment fails on BIG-IP.

Conditions:
The following configuration exists in BIG-IQ but hasn't been deployed yet to BIG-IP:
1. A new DNS profile
2. A new DNS listener that is set with the new profile

Impact:
Configuration deployment fails.

Workaround:
To work around this issue, deploy the DNS profile to BIG-IP before deploying the configuration. Once deployed successfully the associated DNS listener can be deployed too.


720161 : ASM staging violations are displayed incorrectly in security charts

Component: AppIQ

Symptoms:
When an ASM policy is staged, transactions that receive a violation rating will pass as legal, but are not reported with the correct violation type in the security charts.

Conditions:
ASM is in staging.

Impact:
Transaction by Violating Ratings charts display violations incorrectly.


719983 : Manually editing device groups can lead to errors reusing cluster names

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
There can be errors re-creating a cluster

Conditions:
This can happen when device groups are manually edited with curl commands.

Impact:
This can prevent the same cluster name being re-used for BIG-IP devices with different addresses


719853 : Working configuration deployments cannot be targeted for AWS SSG devices

Component: BIG-IQ Device User Interface

Symptoms:
Missing AWS SSG devices in Evaluate & Deployment tasks.

Conditions:
Working configuration is missing.

Impact:
Working configuration deployments cannot be targeted for AWS SSG devices

Workaround:
To resolve this issue:

1. Edit the service template with the required working configuration.

2. Go to the deployed application and click the 'Sync' button. This will synchronize the service template configuration to the existing deployed application.


719652 : Automatic scale out fails after manually scaling out

Component: BIG-IQ Device User Interface

Symptoms:
If you manually scale out the service scaling group, auto scaling stops working.

[ERROR][10 May 2018 15:56:05 PDT][/cm/cloud/tasks/aws/scale-out/d8359c3e-e2ef-4b99-9b14-951c9a58334a/worker ScaleOutTaskWorker]
Exception caught: java.lang.NullPointerException
    at com.f5.rest.workers.cloud.task.aws.ScaleOutTaskWorker.addAWSSSGProperties(ScaleOutTaskWorker.java:1111)

Conditions:
Manually change the settings for a service scaling group.

Impact:
Automatic scaling fails.

Workaround:
1. Log in to the BIG-IQ UI.

2. Navigate to the Scaling Groups List page.

3. Find the SSG that is PAUSED.

4. Select it and click the Activate button.


719616-1 : Cannot create an application for service scaling group that doesn't have LTM imported for its load balancer

Component: BIG-IQ Application Management

Symptoms:
If you do not have the LTM service imported for the BIG-IP device load balancing traffic to your SSG, you'll get an error similar to:

app creation failed with message: Failed to pin folder 'Common/myRealAppOnSSGV13' since: cannot find root node for devices
(58ac5359-eda2-4cad-9cd4-b2c8dfb8e375).

Conditions:
Attempt to deploy an application to an SSG that does not have LTM discovered for its load balancer.

Impact:
Can't deploy applications.

Workaround:
Locate the BIG-IP that is load balancing traffic to your SSG and import the appropriate services.


719599 : Active alerts can be displayed without an assigned application or service scaling group

Component: AppIQ

Symptoms:
In the Active Alerts screen (Applications >> ALERT MANAGEMENT >> Active Alerts) alerts are displayed without an assigned application or without an assigned service scaling group.

Conditions:
Pool members or virtual servers that are configured on BIG-IP while they are down are then configured to an application, or are down after a scale-out.

A device alert that is not assigned to a service scaling group can occur immediately after a scale-out, if a device threshold is crossed.

Impact:
These alerts persist as active alerts, once they are triggered.


719499 : BIG-IQ upgrade to 5.4 or later fails with "Error: [SNAPU] Sanity check failed"

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
BIG-IQ upgrade from a version before 5.4 fails with the following error:

Error: [SNAPU] Sanity check failed. See logs for more

The upgrade log includes a large number of warnings that objects are found in old snapshots but not in the converted global snapshots.

Conditions:
BIG-IQ has failed snapshots that contain incomplete references of the objects in the snapshot.

Impact:
Upgrade fails.

Workaround:
1) To work around this issue, reboot to the previous BIG-IQ version.

2) Delete all failed snapshots from all modules before upgrading again: Deployment :: <Module Name> :: Snapshots

3) Delete all orphaned snapshots that don't have the snapshot tasks that created them. This step has to be done through APIs.

4) Perform the upgrade again.


719278-1 : Assigning cluster name to unclustered devices considered harmful

Component: BIG-IQ Device User Interface

Symptoms:
When a cluster display name is set during device discovery (Devices -> BIG-IP DEVICES -> Add Device) BIG-IQ assumes that the device is in a DSC cluster and takes appropriate actions such as calling DSC sync when configurations are modified on that device. This can result in internal errors in BIG-IQ; it does not affect the BIG-IP.

Conditions:
Assigning cluster name to unclustered device.

Impact:
Internal BIG-IQ errors

Workaround:
There is no workaround.


719191 : DNS devices health indication is wrong when their sync-group availability shown as 'Impaired'

Component: BIG-IQ DNS Management

Symptoms:
When a DNS sync-group availability has an 'Impaired' status, the DNS devices of that group appear healthy (green icon), although there should be at least one DNS device that is not available.

Conditions:
The setup includes a set of DNS devices that are all in sync and discovered in BIG-IQ

Impact:
When a DNS sync-group availability has an 'Impaired' status, all the DNS devices of that group appear healthy (green icon) although there should be at least one device that is not available.

Workaround:
There is no workaround.


719024 : DCD devices storage exhaustion when using non-large VM configuration size

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
BIG-IQ has built-in size boundaries for different ElasticSearch indexes. Those settings might not prevent the storage from being filled with events and alerts when using the non-large VM configuration.

Conditions:
The issue happens when Data Collection Devices are configured to use ASM services and the non-large VM configuration is chosen. The F5 downloads site offers two VM configurations for each supported hypervisor: non-large and large. The large configuration name contains the LARGE string.

Impact:
The disk might get filled.

Workaround:
Consider changing the default configuration under System >> BIG-IQ Data Collection Cluster >> Logging Data Collection.


718595-1 : SWG Reports are not supported in BIG-IQ 6.0.0

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
If you discover a BIG-IP device from BIG-IQ that has the AVR service with stats collection enabled, SWG reports don't include the data on the managed BIG-IP or in the BIG-IQ Monitoring dashboards.

Conditions:
BIG-IQ discovers a device with AVR service and stats collection enabled.

Impact:
SWG does not report data on the BIG-IP or on the BIG-IQ monitoring dashboards. BIG-IQ version 6.0.0 handles only LTM and ASM.

Workaround:
There are two options:

Do not upgrade to BIG-IQ 6.0.0 if you require SWG dashboards.

If you must upgrade, or have already upgraded to BIG-IQ 6.0.0, do not enable stats collection for the SWG-provisioned BIG-IP device.


718568 : DoS Events Monitoring pages might display new Virtual Server screen when a VIP link is selected

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Links from the DoS monitoring pages for Application, DNS, SIP, and Network sometimes don't initially display the correct Virtual Server config details. Instead, the link might display the new Virtual Server screen for the creation of a new VIP.

This can be seen using the Virtual Server links provided in the Virtual Server grid columns on each DoS monitoring page, as well as the event details for each attack.

Conditions:
Incorrect display of VIP information may occur if the page has not been refreshed for a while.

Impact:
Linking to Virtual Servers from the DoS Monitoring pages (for Application, DNS, SIP, Network) may appear broken, when in fact the page just needs to be refreshed.

Workaround:
To work around this issue, push the F5 key or refresh the page URL so the Virtual Server details display when you select the VIP links from the individual DoS monitoring pages.


718298-1 : Procedure to restore UCS backup files to BIG-IQ

Component: REST Framework and TMOS Platform

Symptoms:
Using the old UCS restore procedure can result in errors with master keys of the form:

"/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01071769:3: Decryption of the field (passphrase) for object (/Common/MasterKeyStorageObject.key) failed. Unexpected Error: Loading configuration process failed.

Conditions:
Using the current procedure to restore UCS backup files.

Impact:
There are many wide ranging impacts such as not being able to communicate with devices under management.

Workaround:
To work around this issue AFTER encountering the error, perform the following procedure:

1. Restart all system services by typing the following command:
tmsh restart sys service all

2. Load the UCS again by typing the following command:

tmsh load sys ucs /shared/ucs_backups/<UCS_filename>

3. Restart the restjavad service after restore by typing: tmsh restart sys service restjavad


718162 : Application deletion fails

Component: BIG-IQ Device User Interface

Symptoms:
When you try to delete an application, the following error displays in the restjavad.0.log:

Service scaling group is not ready for application deployment - status: null

Conditions:
This happens when the service scaling group status is not in the READY state.

Impact:
Application deletion fails.

Workaround:
To work around this:

1. Navigate to the service scaling groups screen, select the checkbox next to the service scaling group, and click the "Activate" button.

2. Delete the application.


717684 : Unable to completely create device for an SSG

Component: BIG-IQ Device User Interface

Symptoms:
If the ESXi host encounters failures while creating a BIG-IP VE, the vCenter system might not return an error message. Reason: Unknown - Contact System Administrator

Conditions:
ESXi host controlled by the vCenter system encounters an error.

Impact:
The scale-out event fails.

Workaround:
Contact the vCenter system administrator to check the ESXi hosts.


717583-1 : ASM policy available for some virtual servers in a template, but not others

Component: BIG-IQ Application Management

Symptoms:
Template editors are allowed to pick a template for each individual template virtual server within the Security section of the template editing page.

Conditions:
Navigate to a custom template with 1 or more virtual servers and click the Security menu. Select an ASM Policy for one of the virtuals and leave "None" for the other(s).

Impact:
You might discover that protection mode for the application is not what you expect. For example, it may show as not protected, even if the policy has 'Blocking' enabled for the hostnames of the app.

When you navigate to "Application Services" > "Security" in the application view, the following message is displayed: "Note: The following virtual-servers doesn't have a security policy attached to them: <name-of-virtual>"

Workaround:
Select the same ASM Policy for all virtual servers in the template.


717404 : AWS SSG status may be in PAUSED after initial scale

Component: BIG-IQ Device User Interface

Symptoms:
AWS SSG is paused after initial scale out and returns the following message in the /var/log/restjavad.0.log file.

[ERROR][27 Apr 2018 12:21:21 PDT][/cm/cloud/tasks/aws/initial-buildout/f34ee31a-a233-4ed5-8753-11837dc21d45/worker InitialBuildOutTaskWorker] Unable to start the device discovery task for ssg negar-SSG20: http://localhost:8100/cm/global/tasks/device-discovery-import-controller : com.f5.rest.workers.configmgmtbase.task.BaseTaskCollectionWorker$ModalTaskException: Only one task can be created at a time.

Conditions:
Operations in multiple service scaling groups trigger the DiscoveryAndImport task.

Impact:
Operations on the AWS SSG pause.

Workaround:
1. Navigate to the service scaling group and select the paused SSG.

2. Click the Activate button.


716696 : Users associated with a strict custom role cannot see Device Specific Objects created on Mark Device Specific

Component: BIG-IQ Access

Symptoms:
Device Specific Objects created by the Mark Device Specific action are not automatically added to the user's Resource Group.

Conditions:
Users associated with custom roles with selective resource permission to objects for a kind.

Impact:
Users associated with a custom role with strict permissions won't be able to view these newly created objects. Users associated with a custom role with relaxed permissions will be able to view them, but may not be able to perform other actions specified for the kind in the role.

Workaround:
An admin has to add the newly created resources to the user's resource group.


716593-1 : Creating a new device with a previously-used hostname

Component: BIG-IQ Application Management

Symptoms:
When creating a new device that has a hostname that was previously used, the system might display the previous device's (with the same hostname) statistics and corresponding data.

Conditions:
Reuse a hostname for a new device.

Impact:
Statistics for the previously configured device will erroneously appear under the new device with the same hostname.

Workaround:
Make sure all devices' hostnames are unique.


715192 : BIG-IQ REST authentication errors after managed BIG-IP device is upgraded to version 13.1.x

Component: REST Framework and TMOS Platform

Symptoms:
If you upgrade a managed BIG-IP device to version 13.1.x or later, BIG-IQ can no longer manage it because of REST authentication failures.

Conditions:
This happens when you upgrade a managed BIG-IP device to version 13.1.x or later.

Impact:
The BIG-IQ is not able to communicate with the managed BIG-IP device after the upgrade to 13.1.x or later.

Workaround:
The only way to work around this is to remove the device from BIG-IQ and discover it again. This is a less desirable workaround because it loses the historical data about the managed BIG-IP device.


714990 : Reimporting a non-source device in an Access Group with AGC policy

Component: BIG-IQ Configuration - Access

Symptoms:
Reimporting a non-source device in an Access Group with AGC policy fails with the following error:

"Found no device instance of application service object"

Conditions:
Reimporting a non-source device in an Access Group with AGC policy.

Impact:
Import fails.

Workaround:
For an Access Group with an AGC-created policy, if you have a non-source device to which you haven't done an Access deployment yet, do not reimport ADC or Access for that device.

Instead of reimporting:
1. Remove Service (ADC and/or Access)
2. Discover Service (ADC and/or Access)
3. Import Service (ADC and/or Access)


714116 : Pool member status may be displayed incorrectly

Component: AppIQ

Symptoms:
Pool member alert status in BIG-IQ may incorrectly reflect the pool member's current status in BIG-IP.

Conditions:
When a pool member changes status in BIG-IP.

Impact:
Pool member status alert in BIG-IQ may not accurately reflect the status in BIG-IP.


713341-1 : Device cluster name selection resets unexpectedly when trying to rename it

Component: BIG-IQ Device User Interface

Symptoms:
When trying to change the device cluster name in the device properties, the list might reset to the current value unexpectedly.

Conditions:
When attempting to change the device cluster name in the device properties the drop down may reset to the current value unexpectedly.

Impact:
You'll need to change the cluster name again.

Workaround:
Change the cluster name again.


712009 : Default replica count in the database for statistics data is now 1 in BIG-IQ 6.0.0

Component: BIG-IQ App Visibility and Reporting (AVR)

Symptoms:
Replica count for statistics data is set to 1 replica starting in the BIG-IQ 6.0.0 release. Prior to 6.0.0, the value was 0 (do not replicate statistics data). This setting applies to new indices only (data existing prior to 6.0.0 upgrade is not affected).

Conditions:
N/A

Impact:
The new default setting might impact how much storage BIG-IQ uses for statistical data, since new statistical data will be replicated in the BIG-IQ DCD cluster.

Workaround:
You can change this value in the BIG-IQ UI for statistics collection configuration.


711480 : Deployment of Access policy fails

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Access policy deployment fails.

Conditions:
Access policy deployment can fail when all of the following conditions are true:

1. The BIG-IP on which the Access policy is being deployed already has an associated application service object with strict-updates set to 'enabled'.
2. On BIG-IQ, one or more configuration objects for the Access policy being deployed have been modified, added, or removed.

Impact:
N/A

Workaround:
To work around the issue, SSH to the BIG-IP device where the Access policy deployment failure occurred and run the following commands:

tmsh

modify sys application service <application-service-name> strict-updates disabled


707476 : String properties break into multiple lines

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IP UI added line-feed (CR-LF) to the content type so it breaks into multiple lines.

Conditions:
A property string is more than 256 characters with CR/LF inside the string.

Impact:
Discovery might fail since the string cannot be parsed correctly.

Workaround:
You can work around this without losing any functionality by using tmsh to add content instead of the BIG-IP user interface. The following is an example of how to handle such a case. Keep in mind this is one tmsh command, so it must be on one line.

(/Common)(tmos)#tmsh modify ltm profile http-compression httpcompression content-type-include replace-all-with {text/ application/vnd.ms-publisher "application/(xml|x-javascript|javascript|x-ecmascript|ecmascript)" "application/(word|doc|msword|winword|ms-word|x-word|x-msword|vnd.word|vnd.msword|vnd.ms-word)" "application/(xls|excel|msexcel|ms-excel|x-excel|x-xls|xmsexcel|x-ms-excel|vnd.excel|vnd.msexcel|vnd.ms-excel)" "application/(powerpoint|mspowerpoint|ms-powerpoint|x-powerpoint|x-mspowerpoint|vnd.powerpoint|vnd.mspowerpoint |vnd.ms-powerpoint|vnd.ms-pps)" "application/(mpp|msproject|x-msproject|x-ms-project|vnd.ms-project)" "application/(visio|x-visio|vnd.visio|vsd|x-vsd|x-vsd)" "application/(pdf|x-pdf|acrobat|vnd.pdf)"}


706634 : Several config files in /config are named bigip*.conf instead of bigiq*.conf

Component: REST Framework and TMOS Platform

Symptoms:
There are several files in /config that are named bigip*.conf. These files belong to BIG-IQ, but have the same names as the corresponding files on a BIG-IP.

Conditions:
These names are displayed when running:
tmsh save /sys config

which outputs:
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done

Impact:
This could be confusing, since bigip is part of the file names. Otherwise there is no impact.

Workaround:
N/A


705049 : Unable to manage a license assigned for unmanaged devices after BIG-IQ upgrade

Component: BIG-IQ Device Management

Symptoms:
After upgrading, BIG-IQ returns an error when attempting to revoke a license from an unmanaged BIG-IP.

Conditions:
Trying to manage license for an unmanaged BIG-IP device from BIG-IQ.

Impact:
Unable to manage assigned licenses. Get a 400 error: "You must provide the uuid, a username, and password when revoking the license for an unmanaged device."

Workaround:
Manually delete the association using REST, providing the username/password and device ID:
restcurl '/mgmt/cm/device/licensing/pool/purchased-pool/licenses/$licenseID/members/$memberID' -u admin:a -X DELETE -d '{"username":"admin","password":"$memberPassword","uuid":"$memberID"}'


704170-1 : Configuration Object lock behavior

Component: REST Framework and TMOS Platform

Symptoms:
The current configuration lock behavior may not operate as a user expects.

Conditions:
When you log out, a session times out, or you close the web browser, locked configuration objects are not unlocked. The lock is maintained across sessions.

Impact:
Objects remain locked when a user is not actively using BIG-IQ.

Workaround:
Users should remember to unlock configuration objects before they log out of BIG-IQ or close their browser window.


699952 : Objects with v6 IP addresses for names that use "::" to replace a single zero

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
Using "::" to replace a single zero in a v6 address is not valid. BIG-IP allows it and simply fixes it for you, but when the address is used as an object name, the address format isn't fixed.

BIG-IQ address validation was stricter and rejected "::" replacing a single zero; because of this, name validation would fail for one of these invalid addresses.

Conditions:
BIG-IP has objects, such as self-IP addresses, with poorly formatted names like "2001:4888:3:3EE0:C0:D:0::".

Impact:
BIG-IP would fail to import into BIG-IQ.

Workaround:
Delete the objects on BIG-IP and create new ones with a valid address format.
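
The following pre-import check is an added example, not F5 code: it scans a list of object names and reports those whose IPv6 text uses "::" in place of exactly one zero group, together with the canonical form to use when recreating the object. The function names, the sample names other than the one quoted above, and the handling of a folder prefix and %route-domain suffix are assumptions made for this example.

```python
import ipaddress


def split_object_name(name):
    """Split an object name into (address text, route-domain suffix).

    Assumption for this example: a name may carry a folder prefix such as
    /Common/ and a %<route-domain> suffix around the address itself.
    """
    leaf = name.rsplit("/", 1)[-1]
    addr, _, route_domain = leaf.partition("%")
    return addr, route_domain


def groups_replaced_by_double_colon(addr):
    """Count the 16-bit groups that '::' stands for in an IPv6 string.

    Returns 0 when there is no '::' and None when addr is not IPv6 at all.
    """
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    if "::" not in addr:
        return 0
    explicit = 0
    for part in addr.split(":"):
        if part:
            # An embedded dotted-quad IPv4 tail occupies two groups.
            explicit += 2 if "." in part else 1
    return 8 - explicit


def audit_names(names):
    """Return (name, canonical address) for names where '::' hides one zero.

    RFC 5952 section 4.2.2 forbids using '::' to shorten a single zero
    group; this is the form the issue above describes as failing import.
    """
    findings = []
    for name in names:
        addr, _ = split_object_name(name)
        if groups_replaced_by_double_colon(addr) == 1:
            canonical = ipaddress.IPv6Address(addr).compressed
            findings.append((name, canonical))
    return findings


# The first name is the one quoted in this issue; the rest are constructed.
SAMPLE_NAMES = [
    "2001:4888:3:3EE0:C0:D:0::",
    "/Common/2001:db8:1:2:3:4::1%2",
    "/Common/fd00:0:0:1::10%2",
    "2001:db8:0:0:0:0:0:1",
    "external_self",
    "10.1.1.5",
]

if __name__ == "__main__":
    for name, canonical in audit_names(SAMPLE_NAMES):
        print(f"{name}: recreate using address {canonical}")
```

For the name quoted in this issue, the canonical form folds the explicit trailing 0 and the group hidden by "::" into one valid two-group "::".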


698644-1 : Pinning Policy evaluation

Component: BIG-IQ Access

Symptoms:
When deploying a pinning policy evaluation, it fails with the following error:
"Evaluation error for Access, Difference operation failed: Object {OBJ_NAME} does not exist in snapshot"

Conditions:
User has pinned {OBJ_NAME} to the Pinning Policy of the device for which evaluation/deployment failed with above error.

User has objects of the same type and with the same name in multiple Access Groups. For example, ad_employee is present in multiple Access Groups.

Impact:
User is not able to evaluate and deploy configuration changes to the target device.

Workaround:
User must revisit the Pinning Policy for the device and make sure {OBJ_NAME} and other selected objects are from the Access Group to which the device belongs.

User can use Global Search to find out {OBJ_NAME} and look at the Related Items section under preview for each object in the search result to find out which object is pinned in Pinning Policy.

User can also open Pinning Policy page and make sure correct {OBJ_NAME} is pinned by removing and carefully attaching correct {OBJ_NAME}.


698569 : Deployment of eviction policy deletion can disconnect BIG-IP HA cluster running version 11.6.x

Component: BIG-IQ Local Traffic & Management

Symptoms:
Under specific conditions, deploying a change that deletes both an eviction policy reference and its associated eviction policy to a BIG-IP HA cluster running version 11.6 can disconnect the cluster.

Conditions:
This issue occurs only on an 11.6.x HA cluster when the eviction policy reference is part of a virtual server or is the general eviction policy reference. This doesn't occur when the eviction policy reference is part of a route domain. The issue also does not occur on BIG-IP 12.x (latest hotfix) HA clusters and above.

Impact:
This causes a failed deployment and disconnects the BIG-IP cluster.

Workaround:
Perform a two-step deployment.
First, delete the reference to the eviction policy and create a deployment with "Keep Unused Objects" selected. When you deploy these changes, BIG-IQ removes only the eviction policy reference.

Next, create a second deployment. This time, select "Remove Unused Objects". When you deploy these changes, BIG-IQ removes the eviction policy.

If your HA cluster is in a disconnected state as a result of a one-step deployment with "Remove Unused Objects" selected, you can restore the HA cluster by performing a manual sync on the BIG-IP. The BIG-IP might be offline for a minute or so before the BIG-IP cluster is restored.


696818 : Default disk size of 10GB for the BIG-IQ DCD data partition might not be adequate

Component: AppIQ

Symptoms:
The 10GB default BIG-IQ DCD /var partition size might not be enough space for your operating environment.

Conditions:
If you're managing several BIG-IP devices with application statistics, the BIG-IQ DCD /var partition might fill up prematurely. This problem becomes more of an issue when BIG-IQ is configured to collect "enhanced application statistics", such as URL data, client data (IP addresses, user-agent, operating system), for one or more applications.

Impact:
When the /var partition fills up, BIG-IQ attempts to aggregate data to the various time layers, then removes detailed data represented by the aggregation, freeing up space. This can cause the quality of the data to be reduced. If it cannot free enough space, BIG-IQ disables statistics collection.

Workaround:
Use the BIG-IQ Centralized Management DCD Sizing guide located on https://support.f5.com to estimate the amount of disk space needed for your environment and workflows. You can set alerts for the BIG-IQ DCD /var partitions and re-size when /var is consumed to the threshold you've defined.


695139-1 : Reimport shared allows reimport from a different device version than that of the group.

Component: BIG-IQ Configuration - Access

Symptoms:
Reimport shared does not check whether the Access Group config version and the device version match.

Conditions:
This can happen if the device is upgraded after it has been added to the group.

Impact:
Access Group config version gets upgraded to the latest device version.

Workaround:
If you've upgraded BIG-IP, remove and move the device to another access group.

If you've upgraded BIG-IP and did a shared reimport, then move devices in the group with a different version to another access group.


694788 : Custom role in Relaxed Mode containing Address List resources provides very broad read access

Component: REST Framework and TMOS Platform

Symptoms:
A custom role in relaxed mode that contains Address List resources grants read permissions to Network Security, Local Traffic, and Network services.

Conditions:
A user is assigned a role that is in relaxed mode and contains the Address List resource in its associated resource group.

Impact:
Users will have read permissions for all objects in the Network Security, Shared Security, Local Traffic and Network services areas regardless of the role intent to use only the Network Security or Network version of the Address Lists.

This may be an unexpected and undesired consequence of having Address Lists reside in both the Network Security and Network service areas.

Workaround:
A workaround is available that requires the Address List resources be contained in a strict role and that role associated with the user along with another relaxed role that does not explicitly contain the Address List resources.


693594-1 : Access deployment to BIG-IP HA Pair

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Deployment of an Access Policy to BIG-IP HA pairs after deleting an entire policy branch fails with the following error:

"The access policy item (....) is not referenced by any existing access policy"

Conditions:
Happens intermittently.

Impact:
The deployment fails.

Workaround:
Initiate the Access deployment again to the HA pairs.


692135 : Stats collection agent out of date alert

Component: BIG-IQ Device Management

Symptoms:
After upgrading to the latest version of BIG-IQ, the "Stats collection agent out of date" alert can sometimes erroneously trigger.

Conditions:
Upgrade to latest version of BIG-IQ.

Impact:
Cosmetic

Workaround:
There is no definitive workaround for this issue, although rediscovering the BIG-IP device and disabling/enabling statistics might clear the alert.


691531-1 : Resource Group form's preview section

Component: REST Framework and TMOS Platform

Symptoms:
On the Resource Group form, the lower section of the page shows a grid featuring objects which can be added to the resource group. The lower right section shows a preview of objects selected in the lower left portion. If you select one or more items, then deselect them, you might see outdated preview content in the lower right portion of the page.

Conditions:
When you select and deselect resource group objects.

Impact:
You might see outdated preview content.


686162 : OAuth Profile deployment fails with JWK config failed trust verification with trusted CA bundle

Component: BIG-IQ Configuration - Access

Symptoms:
For an OAuth Profile with Support JWT Token enabled, BIG-IP verifies the primary key trust with Trusted Certificate Authorities. This trust verification is not done on BIG-IQ. If the user configures a mismatched primary key and trusted CA, the deployment fails.

Conditions:
When a mismatched primary key and trusted CA bundle are selected for the OAuth Profile.

Impact:
Because verification of the primary key and trusted Certificate Authority Bundle in the OAuth Profile (when Support JWT Token is enabled) is not done in BIG-IQ, the deployment fails.

Workaround:
Configure the matching Trusted Certificate Authority Bundle for the chosen Primary Key in order for the deployment to succeed.


686125-1 : User is not able to mark Access objects as shared

Component: REST Framework and TMOS Platform

Symptoms:
A user associated with a custom role is not able to mark Access Policy (APM) objects as shared.

Conditions:
This occurs when the user does not have Delete permission for a particular Object Type.

Impact:
User will not be able to mark any instance of the object type for which Delete permission is missing.

Workaround:
To resolve this issue, you must provide Delete permission for all Role Types with the Mark Shared permission.


678664-1 : Policy and Rule List rules do not support the Protocol Inspection Profile or Classification Policy configuration options supported by BIG-IP version 13.1.0

Component: BIG-IQ Network Security

Symptoms:
Two new options were added to the BIG-IP 13.1.0 release for the firewall rules: Protocol Inspection Profile and Traffic Intelligence Classification Policy. These are similar to the Service Policy, iRule or Send-to-Virtual implementations.

If these two new properties are configured on a rule and imported into the BIG-IQ, they will be un-configured on the next deployment that modifies that rule.

Conditions:
If these two new properties are configured on a rule and imported into the BIG-IQ, they will be un-configured on the next deployment that modifies that rule.

Impact:
Protocol Inspection Profile and Traffic Intelligence Classification Policy will be un-configured upon AFM Deployment to a BIG-IP if the rule is modified on BIG-IQ.

Workaround:
After the deployment of the new rule configuration from the BIG-IQ to the BIG-IP, the affected rule on the BIG-IP may have the Protocol Inspection Profile and Traffic Intelligence Classification Policy re-configured via the BIG-IP if desired.


674249 : BIG-IQ AWS license not operational after reboot

Component: REST Framework and TMOS Platform

Symptoms:
After successfully licensing a BIG-IQ AWS guest instance, a subsequent reboot of the BIG-IQ renders the licensing inoperative. Further attempts to re-license the BIG-IQ AWS instance fail.

Conditions:
The problem occurs on BIG-IQ AWS guest instances with a single (1NIC) network interface.

Impact:
The BIG-IQ AWS guest instance with a single (1NIC) network interface is not operational.

Workaround:
BIG-IQ AWS guest instances with a single (1NIC) network interface are not supported. The requirement is to have at least two network interfaces. See related notes at: https://support.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/big-iq-central-mgmt-amazon-web-services-setup-5-2-0/1.html

Adding a secondary network interface to the BIG-IQ AWS guest instance allows the instance to be licensed successfully.


673763-2 : Wide IP list shows incorrect number of associated pools

Component: BIG-IQ DNS Management

Symptoms:
Due to a defect on BIG-IP, BIG-IQ is unable to display a correct number of DNS pools that are referenced by Wide IP.

Conditions:
This can occur when BIG-IP is version 12.x or 13.x and a DNS sync-group is configured with Wide IP that references an arbitrary number of DNS pools.

Impact:
In BIG-IQ, under the Configuration tab --> DNS --> GSLB --> Wide IPs, the fields below may show an incorrect number of DNS pools:
1. Pools column in the list.
2. Pools related item entry.
3. Pools table section in the properties screen of a Wide IP.

Workaround:
There is no workaround at this time.


665639-2 : Amazon EC2 Abuse Report upon a new deployment of BIG-IQ AMI instance

Component: REST Framework and TMOS Platform

Symptoms:
Upon deploying a new BIG-IQ AMI instance and a successful login to the BIG-IQ web user interface, within minutes Amazon EC2 flags an abuse report about potential port scanning activities from the BIG-IQ instance to the client machine initiating the browser session.

Conditions:
New BIG-IQ AMI instance deployed and running in EC2, with first successful login from an arbitrary client into the BIG-IQ web user interface, using an internet browser with websocket support (Firefox, Chrome, Safari, etc.). Even the idle user interface left untouched (without browsing BIG-IQ UI pages) would trigger the EC2 Abuse report.

Impact:
The customer owning the EC2/AMI deployment of BIG-IQ will get an email with the Amazon EC2 Abuse Report.

Workaround:
At this time there are no clear indications of illegal port scanning activities originating from the BIG-IQ AMI instance to the client machine initiating the BIG-IQ UI browser session.

A current assumption is that Amazon EC2 may have some initial sensitivity for websocket-based browser connections, with a relatively high number of websocket frames being exchanged between a client browser and the BIG-IQ AMI instance, although the number of websocket ports involved in this traffic remains relatively low (below a dozen).


660828-3 : Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"

Component: BIG-IQ Access

Symptoms:
Deployment failure with error similar to the one below:

Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"

Conditions:
Deployment fails when advanced customization is involved.

Impact:
The BIG-IQ APM deployment fails.

Workaround:
On the failed device, remove the object that uses the customization group, which in turn will remove the customization-group (logon page agent in policy or policy macro), then deploy to the device again.


643507 : Removing a Data Collection Device may take a long time, and will not show an error dialog if removal times out

Component: BIG-IQ System User Interface

Symptoms:
When removing a Data Collection Device, the removal task may take a long time to complete. While this task runs, you are free to use the UI or log out and the task will continue to run on your BIG-IQ. If the task fails or times out, you will not see an error message dialog.

Conditions:
This can occur when you remove a Data Collection Device with a large amount of data.

Impact:
Removal may fail without presenting an error message.

Workaround:
Attempt to remove the data collection device again.


612292-3 : Customization file changes are not deployed when customization template and customization group objects are created in deployment

Component: BIG-IQ Access

Symptoms:
Customization file changes are not deployed when customization template and customization group objects are created in deployment.

Deployment is successful. On a subsequent evaluation, it indicates that BIG-IQ customization group is different from the one on BIG-IP.

Conditions:
When a customization template and its corresponding customization group are deployed for the first time to a non-source device, deployment is successful.

Impact:
Customization group files are not deployed in such cases.

Workaround:
Perform one more deployment and it deploys the customization group correctly.


594009-1 : Devices with configured VLAN Groups cannot be managed in BIG-IQ ADC.

Component: BIG-IQ Local Traffic & Management

Symptoms:
Devices with configured VLAN Groups cannot be managed in BIG-IQ ADC. This is a restriction imposed by BIG-IQ functionality.

Conditions:
User has VLAN Groups configured on the BIG-IP system.

Impact:
The BIG-IP system cannot be managed by BIG-IQ ADC.

Workaround:
Remove the VLAN Groups.


585996 : Peer status displays as healthy, even though the creation of the pair failed

Component: REST Framework and TMOS Platform

Symptoms:
Both peers of a cluster display as Green/Active from BIG-IQ, even though the high availability creation failed. The BIG-IQ Status indicator on top of the screen correctly displays "Red/HA Error."

Conditions:
Something happened that prevented the initial HA synchronization from completing, or something else happened to cause the HA pair to become unhealthy.

Impact:
The HA cluster is falsely presented as healthy and ready for failover, even though it's not.

Workaround:
To work around this issue:
1. Use the Status bar at the top of the screen to determine the definitive health status of the BIG-IQ HA and its peers.
2. If the Status bar shows "HA Error", break up the unhealthy pair by removing the secondary device from the primary device.
3. Re-add the secondary device to form a new BIG-IQ HA pair.
4. Allow the synchronization to complete, ensure that the status indicators at the top display green/healthy status on both BIG-IQ systems.


575066-2 : Management DHCP settings do not take effect

Component: REST Framework and TMOS Platform

Symptoms:
Modifications to /sys management-dhcp do not take effect.

Conditions:
Custom management-dhcp settings configured.

Impact:
DHCP for management interface does not function correctly.

Workaround:
Perform the following procedure:

1. Remount /usr to be read-write.
# mount -o rw,remount /usr

2. Edit the following file, which is a symlink into /usr.
# vi /defaults/config/templates/dhcp.tmpl

3. Change the line near line 7 to add escaped quotes:
   print "interface \"$mgmt_interface\" {\n";

4. Remount /usr back to read-only.
# mount -o ro,remount /usr

5. Make a change to the list of DHCP requested options.
# tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { ntp-servers }

6. Verify that "eth0" is quoted in this file:
# grep interface /etc/dhclient.conf
interface "eth0" {

7. Create a symbolic link to dhclient.conf
# cd /etc/dhcp
# ln -s ../dhclient.conf .

8. Restart DHCP on the management interface.
# tmsh modify sys global-settings mgmt-dhcp disabled
# tmsh modify sys global-settings mgmt-dhcp enabled

No system reboot should be necessary.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


Generated: Thu May 31 10:33:59 2018 PDT
Copyright F5 Networks (2018) - All Rights Reserved