Supplemental Document: BIG-IQ Centralized Management 6.0.1.1 :: Fixes and Known Issues

Original Publication Date: 10/16/2018

BIG-IQ CM Release Information

Version: 6.0.1.1
Build: 9.0

NOTE: This release DOES NOT include fixes for the Spectre or Meltdown vulnerabilities (CVE-2017-5715, CVE-2017-5753).
F5 is currently developing fixes which will be released in a future version. Please see K91229003 for current Spectre and Meltdown information.

Cumulative fixes from BIG-IQ CM v6.0.1 that are included in this release
Known Issues in BIG-IQ CM v6.0.x

Functional Change Fixes

None



Cumulative fixes from BIG-IQ CM v6.0.1 that are included in this release


Functional Change Fixes

None


BIG-IQ Configuration - Local Traffic Fixes

ID Number Severity Solution Article(s) Description
721539 3-Major   Editing a device-specific Management Port Log Destination removes its association from the parent template log destination


BIG-IQ Deployment - Evaluate & Deploy Fixes

ID Number Severity Solution Article(s) Description
697834 4-Minor   Date format inconsistency when scheduling deployments


BIG-IQ Device User Interface Fixes

ID Number Severity Solution Article(s) Description
726411 3-Major   Service scaling group alert rules with the same name
719278-1 3-Major   Assigning cluster name to unclustered devices considered harmful
721891-1 4-Minor   Device inventory service column does not update when a filter is applied
713341-1 4-Minor   Device cluster name selection resets unexpectedly when trying to rename it


BIG-IQ Monitoring - Dashboards & Reports Fixes

ID Number Severity Solution Article(s) Description
737324 3-Major   BIG-IQ makes unexpected connections to internet addresses
718568 4-Minor   DoS Events Monitoring pages might display new Virtual Server screen VIP links is selected


BIG-IQ Local Traffic & Management Fixes

ID Number Severity Solution Article(s) Description
709543-2 3-Major   BIG-IQ LTM Statistics gathering may induce CPU spikes on managed BIG-IP systems.


AppIQ Fixes

ID Number Severity Solution Article(s) Description
720379-1 2-Critical   Standalone and load balancing clustered BIG-IP devices must use auto-sync when stats collection is enabled
740410 3-Major   Disk use is high when there are a large number of files
721733 3-Major   Enhanced Analytics Mode Error Handling
721711 3-Major   Pool member active alert persists after scale-in
719599 3-Major   Active alerts can be displayed without an assigned application or service scaling group
714116 3-Major   Pool member status may be displayed incorrectly


BIG-IQ Configuration - Infrastructure Fixes

ID Number Severity Solution Article(s) Description
719499 3-Major   BIG-IQ upgrade to 5.4 or later fails with "Error: [SNAPU] Sanity check failed"
699952 4-Minor   Objects with v6 IP addresses for names that use "::" to replace a single zero


BIG-IQ Device Management Fixes

ID Number Severity Solution Article(s) Description
720195-1 3-Major   "Change Device Password" not functional with remote auth
705049 3-Major   Unable to manage a license assigned for unmanaged devices after BIG-IQ upgrade
720197-1 4-Minor   Device diagnostics flags set do not persist after new qkview upload task
692135 4-Minor   Stats collection agent out of date alert


BIG-IQ DNS Management Fixes

ID Number Severity Solution Article(s) Description
720894-1 3-Major   DNS sync-group discovery fails with "DNS certificate unavailable" error
719191 3-Major   DNS devices health indication is wrong when their sync-group availability shown as 'Impaired'
718948 3-Major   Null Pointer Exception intermittently displays in the restjavad log
716312-2 3-Major   Difference display incorrectly for DNS topology objects


REST Framework and TMOS Platform Fixes

ID Number Severity Solution Article(s) Description
726880-1 1-Blocking   BIG-IQ HA peer unavailable for a few minutes approximately once a day
719436-2 2-Critical   Deadlock in DnsConfigObjectStatsProcessor blocks all non-blocking pool threads
702237-1 2-Critical   CVE-2017-5754 (Meltdown)
734615 3-Major   Changes to SNMP can cause bigiqsnmp to core
727321-1 3-Major   Global search and other queries fail if BIG-IQ systems in an HA configuration use IPv6 discovery addresses
725891 3-Major   Fields can be missing from CSV export
722894-1 3-Major   StackOverFlow exception in DnsConfigObjectStatsProcessor
722889 3-Major   NullPointerException printed in restjavad.0.log from time to time
721487-1 3-Major   ElasticSearch java process stalls when running at high CPU rate and does not recover
721186 3-Major   clear-rest-storage -d will reset the provisioning settings
718815 3-Major   Removed 3des-cbc from default cipher list for SSHD.
691531-1 4-Minor   Resource Group form's preview section


BIG-IQ Web Application Security (ASM) Fixes

ID Number Severity Solution Article(s) Description
726389 3-Major   Syslogs with 'request' attribute larger than 32766 characters do not appear on BIG-IQ Monitoring
722343 3-Major   Using HTTP Proxy in ASM Signature File update
722066 3-Major   ASM events - missing date after upgrade
721198 3-Major   Web Application Security Policy created with language set to 'auto-detect', updating it to another value fails.
721042 3-Major   Unexpected behavior when changing the policy building of a web application security parent policy


BIG-IQ Application Management Fixes

ID Number Severity Solution Article(s) Description
722225 3-Major   Auto-deploy scaling fails for a service scaling group in an AWS cloud when ASM policy is set to auto-deploy
722145-1 3-Major   Syncing application on VMware SSG after removing pool health monitor or picking a different kind of monitor
721593-1 3-Major   When application deletion fails 'Retry' button does not work
721088 3-Major   AWS service scaling group with BYOL license type fails if it has a duplicate name
721030-1 3-Major   Template node modifications do not synch on an existing application
720890 3-Major   Application deployment fails
720779 3-Major   BIG-IQ UCS sizes increasing or BIG-IQ running out disk space in /var after frequent scaling activity
720655-1 3-Major   Deleting an application with app-specific node monitor fails
720630 3-Major   Unable to remove application with non-existent ELB
720416 3-Major   Unable to modify an inactive AWS service scaling group's properties
720336-1 3-Major   A scaled-out device does not collect any application security metrics
719853 3-Major   Working configuration deployments cannot be targeted for AWS SSG devices
719652 3-Major   Automatic scale out fails after manually scaling out
719616-1 4-Minor   Cannot create an application for service scaling group that doesn't have LTM imported for its load balancer
717583-1 4-Minor   ASM policy available for some virtual servers in a template, but not others

 

Cumulative fix details for BIG-IQ CM v6.0.1.1 that are included in this release

740410 : Disk use is high when there are a large number of files

Component: AppIQ

Symptoms:
When there is a large number of APPIQ files, disk usage is high.

Conditions:
This can happen when the data device cluster is not healthy or when the APPIQ services are restarted.

Impact:
It might occur repeatedly and increase log files dramatically.

Workaround:
You can work around this issue by manually deleting old log files.

Fix:
In this release, we've improved log rotation and we have limited the number of files and file size.


737324 : BIG-IQ makes unexpected connections to internet addresses

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
BIG-IQ version 6.0.0 uses a third-party graphing package which by default makes connections from time to time to Internet IPs:
107.178.222.220:443
151.101.52.133:443

Due to this external communication, sometimes we will see this package waiting for connections on its default port:

netstat -napt |grep grafana
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 6829/bin/grafana-se

And sometimes ESTABLISHED connections to the above IPs:

cat grafana.txt | grep EST |awk '{print $5}'|sort|uniq
107.178.222.220:443
151.101.52.133:443

Conditions:
This happens by default in BIG-IQ Version 6.0.0.

Impact:
This creates unwanted connections to external IP addresses opened by BIG-IQ.

Workaround:
To work around this issue, modify the configuration file and restart services by typing the following commands:

# mount -o remount,rw /usr
# vi /usr/local/grafana/conf/defaults.ini

Change the file to look like this:
check_for_updates = false

# mount -o remount,ro /usr

List the grafana-server processes:
# ps aux| grep grafana-server
root 6829 0.3 0.2 726896 48112 ? Sl Jul16 15:44 bin/grafana-server
root 31641 0.0 0.0 5564 820 pts/0 S+ 08:42 0:00 grep grafana-server

Kill the process with the PID corresponding to grafana-server:

# kill -9 6829

Fix:
External software update checks removed from third party configuration files
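
An audit sketch for the behaviour described in 737324, added here as an example and not taken from F5's documentation or code: it filters `netstat -napt` output for ESTABLISHED, non-loopback connections owned by a grafana process and checks that `check_for_updates` is effectively `false` in an ini file. The function names, the sample netstat lines and the local address 10.0.0.5 are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit helper for the Grafana update-check behaviour (ID 737324).

# Read `netstat -napt` output on stdin and print the unique remote endpoints of
# ESTABLISHED TCP connections owned by a grafana process, skipping loopback peers.
# Columns: proto recv-q send-q local foreign state pid/program
grafana_external_peers() {
    awk '$6 == "ESTABLISHED" && $7 ~ /grafana/ && $5 !~ /^(127\.|::1:)/ { print $5 }' | sort -u
}

# Return 0 only if the last uncommented check_for_updates assignment in the
# ini file "$1" is "false". A missing key counts as "not disabled".
update_check_disabled() {
    [ "$(awk -F= '
        /^[ \t]*[;#]/ { next }                      # skip ini comment lines
        $1 ~ /^[ \t]*check_for_updates[ \t]*$/ {    # exact key match only
            v = $2; gsub(/[ \t]/, "", v); last = tolower(v)
        }
        END { print last }' "$1")" = "false" ]
}

# Constructed sample in `netstat -napt` layout (not captured from a real system).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 6829/bin/grafana-se
tcp 0 0 10.0.0.5:51234 107.178.222.220:443 ESTABLISHED 6829/bin/grafana-se
tcp 0 0 10.0.0.5:51240 151.101.52.133:443 ESTABLISHED 6829/bin/grafana-se
tcp 0 0 10.0.0.5:51251 151.101.52.133:443 ESTABLISHED 6829/bin/grafana-se
tcp 0 0 127.0.0.1:3000 127.0.0.1:40112 ESTABLISHED 6829/bin/grafana-se
tcp 0 0 10.0.0.5:22 10.0.0.9:60022 ESTABLISHED 1203/sshd
EOF
}

# Demo on the constructed data above and a throwaway ini file.
demo_ini=$(mktemp)
printf '[analytics]\n; check_for_updates = false\ncheck_for_updates = true\n' > "$demo_ini"

peers=$(sample_netstat | grafana_external_peers)
if [ -n "$peers" ]; then
    printf 'grafana has external peers:\n%s\n' "$peers"
fi

if update_check_disabled "$demo_ini"; then
    echo "update check disabled"
else
    echo "update check still enabled"
fi
rm -f "$demo_ini"
```

On a live system the first function would be fed `netstat -napt` directly and the second pointed at the `defaults.ini` path given in the workaround.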


734615 : Changes to SNMP can cause bigiqsnmp to core

Component: REST Framework and TMOS Platform

Symptoms:
After making a change to SNMP you see messages similar to the following related to bigiqsnmpd coring in the console node.

bigiq emerg logger: Re-starting bigiqsnmpd

Conditions:
Making a change to SNMP.

Impact:
Partial loss of SNMP functionality while bigiqsnmp restarts.

Workaround:
None.

Fix:
Changes to SNMP no longer cause bigiqsnmp to core.


727321-1 : Global search and other queries fail if BIG-IQ systems in an HA configuration use IPv6 discovery addresses

Component: REST Framework and TMOS Platform

Symptoms:
If you use an IPv6 discovery address for your BIG-IQ systems in an HA configuration, global search and other queries fail.

Conditions:
This happens when you use IPv6 addresses for the discovery.

Impact:
Queries to the indexer will not work.

Workaround:
None

Fix:
This issue is fixed.


726880-1 : BIG-IQ HA peer unavailable for a few minutes approximately once a day

Component: REST Framework and TMOS Platform

Symptoms:
Approximately every 24 hours, the secondary BIG-IQ system in an HA pair reports as unavailable for several minutes and then recovers on its own.

Conditions:
This happens with a BIG-IQ HA pair.

Impact:
Reports the secondary BIG-IQ as unavailable, even though it is still running, but unresponsive.

Fix:
This issue is resolved and the peer BIG-IQ no longer becomes unavailable.


726411 : Service scaling group alert rules with the same name

Component: BIG-IQ Device User Interface

Symptoms:
You might get a 400 error if you delete an alert rule for your service scaling group and then create another one with the same name.

Conditions:
This happens when you delete an alert rule and then attempt to create a new one with the same name immediately afterward.

Impact:
Nominal. These APIs are unpublished, so updating through the API is unsupported, and the time it takes you to manually call them through the UI will be enough to not see this issue.

Workaround:
To work around this issue, wait a few seconds between deleting and creating alert rules.


726389 : Syslogs with 'request' attribute larger than 32766 characters do not appear on BIG-IQ Monitoring

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Syslogs are not saved onto BIG-IQ when the 'request' attribute exceeds an allowed character length.
A syslog save fails with the following error in the logs:
Document contains at least one immense term in field="request" (whose UTF8 encoding is longer than the max length 32766).

Conditions:
Syslogs with 'request' attribute larger than 32766 characters.

Impact:
Syslogs are not saved onto BIG-IQ.

Fix:
Syslogs are now saved onto BIG-IQ when max allowed characters for the 'request' attribute is reached (max length 63461).


725891 : Fields can be missing from CSV export

Component: REST Framework and TMOS Platform

Symptoms:
Fields are missing from an exported CSV report.

Conditions:
-- Cells that contain leading spaces.
-- Exporting the report to CSV.

Impact:
Cells will be missing from the results.

Workaround:
None.

Fix:
Export now handles export of fields that have leading whitespace.


722894-1 : StackOverFlow exception in DnsConfigObjectStatsProcessor

Component: REST Framework and TMOS Platform

Symptoms:
The restjavad.log displays a StackOverFlow exception for DnsConfigObjectStatsProcessor.

Conditions:
This happens when numerous DNS objects are configured.

Impact:
This causes degraded performance.

Workaround:
N/A

Fix:
To work around this issue, put DNS collection item stats into distinct batches on a new executor and stack.


722889 : NullPointerException printed in restjavad.0.log from time to time

Component: REST Framework and TMOS Platform

Symptoms:
NullPointerException printed in restjavad.0.log from time to time

Conditions:
DNS support enabled on BIG-IQ and BIG-IPs.

Impact:
NullPointerException in restjavad.0.log

Workaround:
N/A

Fix:
'Lazy' mode of DNS collections loading cancelled.


722343 : Using HTTP Proxy in ASM Signature File update

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Using HTTP proxy for signature file operations might fail with logged errors, similar to the following: "external adapter failed in fetching product version"

Conditions:
The issue happens when the proxy is configured using an FQDN.

Impact:
Failure retrieving signature files from the F5 server.

Workaround:
Use the IP address of the proxy when configuring it.


722225 : Auto-deploy scaling fails for a service scaling group in an AWS cloud when ASM policy is set to auto-deploy

Component: BIG-IQ Application Management

Symptoms:
When auto-deploy is enabled for a policy for BIG-IP devices in a service scaling group, scaling fails.

Conditions:
When all of the following three conditions are met:

1) BIG-IP devices in an SSG are provisioned with WAF (Web Application Security)
2) WAF Policy is set to learning mode=Automatic, Policy Building Mode=Central, Auto-Deploy Policy=Real Time.
3) Auto scale BIG-IP VE devices in an SSG greater than 1.

Impact:
Attempts are made to auto-deploy the WAF policy every 5 minutes to the BIG-IP devices in an SSG, and it continues to fail.

Workaround:
Disable auto-deploy by setting Configuration:Web Application Security:policies:<ASMPolicy>:POLICY BUILDING:Settings:Auto-Deploy Policy to Disabled.


722145-1 : Syncing application on VMware SSG after removing pool health monitor or picking a different kind of monitor

Component: BIG-IQ Application Management

Symptoms:
If you remove a pool monitor from an application template on a BIG-IP device in an SSG, the pool monitor is not removed from the BIG-IP device that is load balancing traffic to your SSG when you synchronize the application.

Conditions:
Having an application deployed to a VMware SSG.

Modify the template to either remove the monitor or change it to a different monitor kind.

Sync the app with the template in order to update the monitor changes.

Impact:
Since the old monitor isn't removed from the BIG-IP load balancer, you'll get unnecessary alarms.

Workaround:
Use the API on BIG-IQ to update or remove the monitor on the and then synchronize the application to the other devices.


722066 : ASM events - missing date after upgrade

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM events stored before an upgrade might not display with a date after upgrade.

Conditions:
-- DCD is used to store ASM events.
-- An upgrade is performed.

Impact:
After the upgrade, existing events are shown without a date.

Workaround:
None.

Fix:
The system now displays the previous field. Note that searching and sorting for those events might not work.


721891-1 : Device inventory service column does not update when a filter is applied

Component: BIG-IQ Device User Interface

Symptoms:
The services column on the device inventory (Devices > BIG-IP Devices) screen might not show the current services when a filter is applied until the page is reloaded

Conditions:
This happens when a filter is applied.

Impact:
Cannot see updates or changes to the services column.

Workaround:
To work around this issue, remove the filter or reload the page.


721733 : Enhanced Analytics Mode Error Handling

Component: AppIQ

Symptoms:
No error message for the failure to enable or disable Enhanced Analytics will be displayed.

Conditions:
This can occur if the attempt to enable or disable Enhanced Analytics fails.

Impact:
The user may not realize that the attempt to update Enhanced Analytics has failed.

Workaround:
Any failures to enable or disable Enhanced Analytics mode will be logged both in the browser console and in the restjavad log on the BIG-IQ.


721711 : Pool member active alert persists after scale-in

Component: AppIQ

Symptoms:
Following a scale-in procedure for a service scaling group, the active pool member status alerts persist.

Conditions:
Service scaling group has active pool member status alerts prior to a scale-in procedure.

Impact:
The active alerts area may show erroneous alerts for pool member status.

Fix:
Following an SSG scale-in, the active pool member status alerts for a scaled-in BIG-IP are cleared following a time period of up to two hours.


721593-1 : When application deletion fails 'Retry' button does not work

Component: BIG-IQ Application Management

Symptoms:
When the deletion of an application fails, clicking Retry does not work and actually recreates the application.

Conditions:
An application deletion fails, either because of connection closed by BIG-IP, or another reason.

Impact:
You might think you're deleting the application, but you're actually recreating it.

Workaround:
To work around this issue, select the application from list and click the 'Delete' button instead of the 'Retry' button.


721539 : Editing a device-specific Management Port Log Destination removes its association from the parent template log destination

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Editing a device-specific Management Port Log Destination removes its association from the parent template log destination.

Conditions:
This happens when you edit a previously created device-specific Management Port Log Destination.

Impact:
The object disappears from the list of device-specific objects available for that log destination.

Workaround:
N/A

Fix:
N/A


721487-1 : ElasticSearch java process stalls when running at high CPU rate and does not recover

Component: REST Framework and TMOS Platform

Symptoms:
An ElasticSearch java process stalls when running at high CPU and does not recover. Search results in BIG-IQ might become stale and the user interface won't work well, if at all.

Conditions:
A large amount of search data updates are posted by a BIG-IQ process to the ElasticSearch instance in response to a change in data such as a multi-BIG-IP deployment.

Impact:
Under some conditions, ElasticSearch continually fails, even after a restart of the service. The service periodically restarts itself due to insufficient memory to complete the ingest operation. The BIG-IQ user interface becomes unusable.

Workaround:
To work around this issue:
Run command:
bigstart stop restjavad tokumond searchd

Run command:
cd /var/config/rest/searchd

Run command:
pwd
Verify the output of the pwd command is /var/config/rest/searchd

If in the correct directory according to the above steps, run command:
rm -rf ./data/

Run command:
bigstart start searchd tokumond

Wait for all data to be re-indexed. The easiest way to determine that the re-index is finished is to monitor the command:
top
and to wait until the ElasticSearch user's java process no longer shows high CPU for at least one minute.

Run command:
bigstart start restjavad

Once the BIG-IQ comes back up, verify that the CPU utilization of the ElasticSearch user's java process is no longer at the top of the top command's results.


721198 : Web Application Security Policy created with language set to 'auto-detect', updating it to another value fails.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
If you create a Web Application Security Policy with the application language set to 'auto-detect' and try to update it to another value, it fails with an error. The error appears similar to the following: applicationLanguage is set only once, and should not be changed. Existing value: auto-detect, New value: utf-8.

Conditions:
The issue happens when using auto-detect language.

Impact:
The save fails with an error.

Workaround:
To work around this issue, delete the policy and recreate it with a different application language.

Fix:
It is now possible to set application language.


721186 : clear-rest-storage -d will reset the provisioning settings

Component: REST Framework and TMOS Platform

Symptoms:
elasticsearch and restjavad cannot start.

Conditions:
This happens because of a lack of memory.

Impact:
elasticsearch and restjavad cannot start.

Workaround:
To work around this issue, run the following 3 commands:

tmsh modify sys provision biq level nominal
tmsh modify sys provision ltm level none
tmsh save sys configuration


721088 : AWS service scaling group with BYOL license type fails if it has a duplicate name

Component: BIG-IQ Application Management

Symptoms:
Creating BYOL license fails with the following error in orchestrator.log:

2018-05-19 07:43:28 PM Updating S3 Bucket failed due to An error occurred (403) when calling the HeadBucket operation: Forbidden

Conditions:
This happens if you have two SSGs with the same name.

Impact:
AWS SSG creation fails.

Workaround:
Use a different SSG name.


721042 : Unexpected behavior when changing the policy building of a web application security parent policy

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Changes to policy building for a web application security parent policy, and all relevant security (child) policies, do not take effect.

Conditions:
The issue happens when changing the policy building mode of a parent policy.

Impact:
The security/child policy building mode is left unchanged, causing issues with policy building suggestions.

Workaround:
To work around the issue, re-import the BIG-IP device configuration.

Fix:
Handling of policy building changes resolved.


721030-1 : Template node modifications do not synch on an existing application

Component: BIG-IQ Application Management

Symptoms:
Performing the "Sync" operation on an existing application does not update existing nodes with template node changes.

Conditions:
When a node is changed on a template that is being used by an application, and you click the Sync button.

Impact:
After following all prompts for "Sync", the LTM nodes used in the application do not have the changes made to the template nodes

Workaround:
Manually modify nodes that were created from templates and use the typical deployment mechanisms.


720894-1 : DNS sync-group discovery fails with "DNS certificate unavailable" error

Component: BIG-IQ DNS Management

Symptoms:
DNS sync-group discovery fails with "DNS certificate unavailable" error

Conditions:
This can happen when more than one Web Server SSL certificate is defined on BIG-IP.

Impact:
Performance is degraded when this occurs.

Workaround:
To work around this, define a single Web Server SSL certificate on BIG-IP.

Fix:
Starting in this release, BIG-IQ can successfully manage more than one Web Server SSL certificate so this issue doesn't occur.


720890 : Application deployment fails

Component: BIG-IQ Application Management

Symptoms:
Application deployment fails with the following log messages in restjavad.0.log file:

[INFO][19 May 2018 17:51:20 PDT][/cm/global/tasks/device-discovery/02a15529-cc71-48aa-82d1-b0f74b6e0937/worker DiscoverySuperTaskWorker] java.lang.Exception: The task https://localhost/mgmt/cm/asm/tasks/discover-config/1270e927-6bcc-477c-8946-8d412159197c is still in process, wait for this task to complete
[ERROR][19 May 2018 17:51:20 PDT][/cm/global/tasks/device-discovery/02a15529-cc71-48aa-82d1-b0f74b6e0937/worker DiscoverySuperTaskWorker] Failed to check the service tasks
[ERROR][19 May 2018 17:51:21 PDT][/cm/global/tasks/device-discovery-import-controller/7a62bab8-d105-4a3a-ad35-98d72d321be3/worker DiscoveryAndImportControllerTaskWorker] Discovery failed for all the devices

Conditions:
Failed application.

Impact:
Application deployment fails

Workaround:
Try the application deployment again.


720779 : BIG-IQ UCS sizes increasing or BIG-IQ running out disk space in /var after frequent scaling activity

Component: BIG-IQ Application Management

Symptoms:
If the BIG-IQ system is managing a lot of SSG activity, it is possible to run out of disk space in /var.

Conditions:
This happens because the Gunicorn TCWs are leaving state data in REST storage.

Impact:
BIG-IQ runs out of disk space in /var with an error or BIG-IQ UCS sizes continue growing.

Workaround:
To work around this issue, manually start the Gunicorn TCW purger using the following commands:

# export PYTHONPATH=/usr/local/lib/python2.7/site-packages/bigiq_orchestrator

# /usr/local/bin/python2.7 /usr/local/lib/python2.7/site-packages/bigiq_orchestrator/TCW_item_state_purger.py &


720655-1 : Deleting an application with app-specific node monitor fails

Component: BIG-IQ Application Management

Symptoms:
When you select a device and click 'Delete,' the task fails with an error.

Conditions:
This only happens for applications that use a template with a monitor that uses a monitor in the same template and the node addresses are unique on all target devices.

Impact:
The delete task fails with the following error: "Failed to delete foo-test5. Failed to delete application: Failed to finalize coordination: Worker http://localhost:8100/cm/adc-core/working-config/ltm/monitor/http failed validation with status 500: com.f5.rest.workers.configmgmtbase.config.WorkingCollectionHelper$ConfigItemInUseException: <monitor-fullpath>t is in use by Node '<node-fullpath>'.

Workaround:
To work around this issue:
1. Remove the monitor from the node(s) that reference it in the configuration section of BIG-IQ.
2. Remove these references directly on the BIG-IP or create a partial deployment on the target devices that only select those specific nodes.
3. Retry deleting the application.


720630 : Unable to remove application with non-existent ELB

Component: BIG-IQ Application Management

Symptoms:
Application deletion fails with the following log message:

AWS load balancer configuration workflow has failed due to Failed to get ELB due to 'There
is no ACTIVE Load Balancer named '<load balancer name>''

Conditions:
Application with a non-existent ELB.

Impact:
Unable to remove the application

Workaround:
To work around this issue, edit the application from BIG-IQ, supplying the correct ELB details and then remove the application.


720416 : Unable to modify an inactive AWS service scaling group's properties

Component: BIG-IQ Application Management

Symptoms:
After making changes to an inactive AWS SSG's properties and trying to save it, the following error occurs:

Cannot change status from 'OFFLINE' to
'REDEPLOYING'.

Conditions:
Modifying an inactive AWS SSG.

Impact:
Not able to modify SSG properties for an inactive AWS SSG


720379-1 : Standalone and load balancing clustered BIG-IP devices must use auto-sync when stats collection is enabled

Component: AppIQ

Symptoms:
If you are collecting statistics from BIG-IQ, it can cause standalone and load balancing BIG-IP devices to become out of sync and return an error.

Conditions:
Enable statistics collection on clustered BIG-IP devices with manual sync-failover.

Impact:
BIG-IP devices become out of sync, and applications can't be deployed.

Workaround:
Set sync-failover cluster sync type to auto-sync


720336-1 : A scaled-out device does not collect any application security metrics

Component: BIG-IQ Application Management

Symptoms:
A device that has been scaled out to an SSG does not collect any application security metrics.

Conditions:
An application with enhanced analytics set to collect security metrics is deployed to an SSG. Scale out the SSG and add new devices to the group.

Impact:
The new device does not collect security metrics.

Workaround:
After scale-out, disable and re-enable the enhanced analytics security metric collection.


720197-1 : Device diagnostics flags set do not persist after new qkview upload task

Component: BIG-IQ Device Management

Symptoms:
After flagging diagnostic items, those flags are lost when running diagnostics again.

Conditions:
Running a new qkview task after flagging diagnostic items.

Impact:
Flags are not stable and are unusable.


720195-1 : "Change Device Password" not functional with remote auth

Component: BIG-IQ Device Management

Symptoms:
If the BIG-IP is configured with remote auth, then the change password functionality does not work from BIG-IQ.

Conditions:
When a BIG-IP is configured with remote auth.

Impact:
Cannot use the change password functionality.

Workaround:
Change the password directly on the BIG-IP.


719853 : Working configuration deployments cannot be targeted for AWS SSG devices

Component: BIG-IQ Application Management

Symptoms:
Missing AWS SSG devices in Evaluate & Deployment tasks.

Conditions:
Working configuration is missing.

Impact:
Working configuration deployments cannot be targeted for AWS SSG devices

Workaround:
To resolve this issue:

1. Edit the service template with the required working configuration.

2. Go to the deployed application and click 'Sync' button. This will synchronize service template configuration to the existing deployed application.


719652 : Automatic scale out fails after manually scaling out

Component: BIG-IQ Application Management

Symptoms:
If you manually scale out the service scaling group, auto scaling stops working.

[ERROR][10 May 2018 15:56:05 PDT][/cm/cloud/tasks/aws/scale-out/d8359c3e-e2ef-4b99-9b14-951c9a58334a/worker ScaleOutTaskWorker]
Exception caught: java.lang.NullPointerException
    at com.f5.rest.workers.cloud.task.aws.ScaleOutTaskWorker.addAWSSSGProperties(ScaleOutTaskWorker.java:1111)

Conditions:
Manually change the settings for a service scaling group.

Impact:
Automatic scaling fails.

Workaround:
1. Log in to the BIG-IQ UI.

2. Navigate to Scaling Groups List page.

3. Find the SSG that is PAUSED.

4. Select it and click Activate button.


719616-1 : Cannot create an application for service scaling group that doesn't have LTM imported for its load balancer

Component: BIG-IQ Application Management

Symptoms:
If you do not have the LTM service imported for the BIG-IP device load balancing traffic to your SSG, you'll get an error similar to:

app creation failed with message: Failed to pin folder 'Common/myRealAppOnSSGV13' since: cannot find root node for devices
(58ac5359-eda2-4cad-9cd4-b2c8dfb8e375).

Conditions:
Attempt to deploy an application to an SSG that does not have LTM discovered for its load balancer.

Impact:
Can't deploy applications.

Workaround:
Locate the BIG-IP that is load balancing traffic to your SSG and import the appropriate services.


719599 : Active alerts can be displayed without an assigned application or service scaling group

Component: AppIQ

Symptoms:
In the Active Alerts screen (Applications >> ALERT MANAGEMENT >> Active Alerts) alerts are displayed without an assigned application or without an assigned service scaling group.

Conditions:
Pool members or virtual servers that are configured on BIG-IP while they are down are then configured to an application, or are down after a scale-out.

A device alert that is not assigned to a service scaling group can occur immediately after a scale-out, if a device threshold is crossed.

Impact:
These alerts persist as active alerts, once they are triggered.

Fix:
Alerts are raised with the correct object associations, and are cleared as expected.


719499 : BIG-IQ upgrade to 5.4 or later fails with "Error: [SNAPU] Sanity check failed"

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
BIG-IQ upgrade from a version before 5.4 fails with the following error:

Error: [SNAPU] Sanity check failed. See logs for more

The upgrade log includes a large number of warnings that objects are found in old snapshots but not in the converted global snapshots.

Conditions:
BIG-IQ has failed snapshots that contain incomplete references of the objects in the snapshot.

Impact:
Upgrade fails.

Workaround:
1) To work around this issue, reboot to the previous BIG-IQ version.

2) Delete all failed snapshots from all modules before upgrading again: Deployment :: <Module Name> :: Snapshots

3) Delete all orphaned snapshots that don't have the snapshot tasks that created them. This step has to be done through APIs.

4) Perform the upgrade again.

Fix:
BIG-IQ upgrade script now deletes the failed and orphaned snapshots before it converts the old snapshots to global snapshots.


719436-2 : Deadlock in DnsConfigObjectStatsProcessor blocks all non-blocking pool threads

Component: REST Framework and TMOS Platform

Symptoms:
Deadlock in DnsConfigObjectStatsProcessor blocks all non-blocking pool threads.

Conditions:
Numerous DNS devices and objects defined.

Impact:
Performance degraded

Workaround:
N/A

Fix:
Conditions causing the deadlock eliminated in the code


719278-1 : Assigning cluster name to unclustered devices considered harmful

Component: BIG-IQ Device User Interface

Symptoms:
When a cluster display name is set during device discovery (Devices -> BIG-IP DEVICES -> Add Device) BIG-IQ assumes that the device is in a DSC cluster and takes appropriate actions such as calling DSC sync when configurations are modified on that device. This can result in internal errors in BIG-IQ; it does not affect the BIG-IP.

Conditions:
Assigning cluster name to unclustered device.

Impact:
Internal BIG-IQ errors

Workaround:
There is no workaround.


719191 : DNS devices health indication is wrong when their sync-group availability shown as 'Impaired'

Component: BIG-IQ DNS Management

Symptoms:
When a DNS sync-group availability has an 'Impaired' status, the DNS devices of that group appear healthy (green icon).
There should be at least one DNS device that is not available.

Conditions:
The setup includes a set of DNS devices that are all in sync and discovered in BIG-IQ

Impact:
When a DNS sync-group availability has an 'Impaired' status, all the DNS devices of that group appear healthy (green icon), although there should be at least one device that is not available.

Workaround:
There is no workaround.

Fix:
N/A


718948 : Null Pointer Exception intermittently displays in the restjavad log

Component: BIG-IQ DNS Management

Symptoms:
Null Pointer Exception incorrectly displays in the restjavad log from time to time.

Conditions:
Normal conditions

Impact:
Null Pointer Exception is logged.

Workaround:
N/A

Fix:
This issue no longer occurs.


718815 : Removed 3des-cbc from default cipher list for SSHD.

Component: REST Framework and TMOS Platform

Symptoms:
3des-cbc is still available in the default cipher list for the SSH daemon (sshd) on the BIG-IQ management address.

Conditions:
Using cipher 3des-cbc in the default configuration.

Impact:
There is no specific impact, however, many open source projects (e.g., OpenSSL) and international certification standards (e.g., Common Criteria) have deprecated support for 3DES-based ciphers.

Workaround:
For information about removing 3des-cbc prior to this fix, see K80425458: Modifying the list of ciphers and MAC algorithms used by the SSH service on the BIG-IQ system :: https://support.f5.com/csp/article/K80425458.
The default ciphers allowed after this fix no longer include '3des-cbc' and are: aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes192-cbc

Fix:
Removed 3des-cbc from default cipher list for sshd.

Important: Clients that support only 3des-cbc will no longer be able to connect to the BIG-IQ system in the default configuration.

For information about restoring 3des-cbc support for configurations that require it, see K80425458: Modifying the list of ciphers and MAC algorithms used by the SSH service on the BIG-IQ system :: https://support.f5.com/csp/article/K80425458. The string needed to restore support is '3des-cbc'. Adding that to the current defaults would be:
aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes192-cbc,3des-cbc
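
The check this fix implies, as an added example (not F5 code and not part of the original notes): a POSIX shell function that reads sshd_config-format text or `sshd -T` output and reports whether 3des-cbc is enabled, using the two cipher strings quoted above. The function names and exit codes are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not F5 code: audit an sshd cipher list for 3des-cbc.
# Input on stdin: sshd_config-format text or the output of `sshd -T`.

# Default list after the fix for ID 718815, copied from the release note.
POST_FIX_DEFAULT="aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes192-cbc"

# Print the value of the first active "Ciphers" line. Keywords are
# case-insensitive, and sshd keeps the first value it reads for a keyword.
effective_ciphers() {
    awk '
        /^[ \t]*#/ { next }                         # skip comment lines
        tolower($1) == "ciphers" { print $2; exit } # first match wins
    '
}

# Succeed if cipher $1 appears in the comma-separated list $2.
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ciphers (hypothetical name): prints one finding per line.
# Exit status (chosen for this example):
#   0 = explicit list without 3des-cbc
#   1 = 3des-cbc is enabled
#   2 = nothing to audit (no Ciphers line, or a relative +/-/^ list)
audit_ciphers() {
    list=$(effective_ciphers)
    if [ -z "$list" ]; then
        echo "NOTE no Ciphers directive; the build default applies"
        return 2
    fi
    case $list in
        [+^-]*)
            # Newer OpenSSH accepts lists relative to the built-in default;
            # the resolved list is what `sshd -T` prints.
            echo "NOTE relative list ($list); audit the output of sshd -T instead"
            return 2 ;;
    esac
    result=0
    old_ifs=$IFS
    IFS=,
    for c in $list; do
        if [ "$c" = "3des-cbc" ]; then
            echo "FAIL 3des-cbc is enabled"
            result=1
        elif ! in_list "$c" "$POST_FIX_DEFAULT"; then
            echo "INFO $c is not in the post-fix default list"
        fi
    done
    IFS=$old_ifs
    return $result
}

# Constructed sample: the "restore 3des-cbc" string from the release note.
audit_ciphers <<'EOF' || true
# constructed sshd_config fragment
Ciphers aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes192-cbc,3des-cbc
EOF
```

On a live system the input would be the resolved configuration, for example `sshd -T | audit_ciphers`.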


718568 : DoS Events Monitoring pages might display new Virtual Server screen when a VIP link is selected

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Linking from the DoS monitoring pages for Application, DNS, SIP, and Network sometimes doesn't initially display the correct Virtual Server config details. Instead, the linking might display the new Virtual Server screen for the creation of a new VIP.

This can be seen using the Virtual Server links provided in the Virtual Server grid columns on each DoS monitoring page, as well as the event details for each attack.

Conditions:
Incorrect display of VIP information may occur if the page has not been refreshed for a while.

Impact:
Linking to Virtual Servers from the DoS Monitoring pages (for Application, DNS, SIP, Network) may appear broken, when in fact the page just needs to be refreshed.

Workaround:
To work around this issue, push the F5 key or refresh the page URL so the Virtual Server details display when you select the VIP links from the individual DoS monitoring pages.


717583-1 : ASM policy available for some virtual servers in a template, but not others

Component: BIG-IQ Application Management

Symptoms:
Template editors are allowed to pick a template for each individual template virtual server within the Security section of the template editing page.

Conditions:
Navigate to a custom template with 1 or more virtual servers and click the Security menu. Select an ASM Policy for one of the virtuals and leave "None" for the other(s).

Impact:
You might discover that protection mode for the application is not what you expect. For example, it may show as not protected, even if the policy has 'Blocking' enabled for the hostnames of the app.

Navigate to "Application Services" > "Security" in the application view, the following message is displayed: "Note: The following virtual-servers doesn't have a security policy attached to them: <name-of-virtual>"

Workaround:
Select the same ASM Policy for all virtual servers in the template.


716312-2 : Differences display incorrectly for DNS topology objects

Component: BIG-IQ DNS Management

Symptoms:
After you modify a DNS topology object, deploy it to a BIG-IP, and view differences, all other DNS topology objects incorrectly display as modified.

Conditions:
This happens after you modify DNS topology objects.

Impact:
Unmodified DNS topology objects display as modified.

Workaround:
N/A


714116 : Pool member status may be displayed incorrectly

Component: AppIQ

Symptoms:
Pool member alert status in BIG-IQ may incorrectly reflect the pool member's current status in BIG-IP.

Conditions:
When a pool member changes status in BIG-IP.

Impact:
Pool member status alert in BIG-IQ may not accurately reflect the status in BIG-IP.

Fix:
The pool member status alerts are now accurately displayed in BIG-IQ to reflect the current pool member status in BIG-IP.


713341-1 : Device cluster name selection resets unexpectedly when trying to rename it

Component: BIG-IQ Device User Interface

Symptoms:
When trying to change the device cluster name in the device properties, the list might reset to the current value unexpectedly.

Conditions:
When attempting to change the device cluster name in the device properties the drop down may reset to the current value unexpectedly.

Impact:
You'll need to change the cluster name again.

Workaround:
Change the cluster name again.


709543-2 : BIG-IQ LTM Statistics gathering may induce CPU spikes on managed BIG-IP systems.

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ LTM management periodically gathers state and status information on the Virtual Servers, Nodes, and Pool Members. If there are large numbers of objects of those types the BIG-IP system may have large CPU spikes which may trigger alerts.

This legacy mechanism is scheduled to be removed in a future release. The BIG-IQ Data Collection Device stats mechanism will be used.

Conditions:
Using BIG-IQ to manage LTM configurations with large numbers of objects on the BIG-IP system.

Impact:
CPU spikes on the BIG-IP possibly triggering alerts.

Workaround:
The mechanism can be disabled, or the polling interval can be increased, using the REST API on BIG-IQ. The 'isMonitorRunning' field can be PATCHed to 'false' to disable the refresh, or the 'pollingIntervalSeconds' field can be PATCHed to a larger number to reduce the polling frequency.

[root@bigiq1:Active:Standalone] config # restcurl /cm/adc-core/current-config/stats-refresh
{
  "isMonitorRunning": true,
  "pollingIntervalSeconds": 300,
  "generation": 4,
  "lastUpdateMicros": 1526921418154182,
  "kind": "cm:adc-core:current-config:stats-refresh:statsmonitorstate",
  "selfLink": "https://localhost/mgmt/cm/adc-core/current-config/stats-refresh"
}

Fix:
This issue has been fixed.


705049 : Unable to manage a license assigned for unmanaged devices after BIG-IQ upgrade

Component: BIG-IQ Device Management

Symptoms:
After upgrading, BIG-IQ returns an error when attempting to revoke a license from an unmanaged BIG-IP.

Conditions:
Trying to manage license for an unmanaged BIG-IP device from BIG-IQ.

Impact:
Unable to manage assigned licenses. Get a 400 error: "You must provide the uuid, a username, and password when revoking the license for an unmanaged device."

Workaround:
Manually delete the association using REST, providing the username, password, and device ID:
restcurl '/mgmt/cm/device/licensing/pool/purchased-pool/licenses/$licenseID/members/$memberID' -u admin:a -X DELETE -d '{"username":"admin","password":"$memberPassword","uuid":"$memberID"}'

Fix:
This issue has been resolved.


702237-1 : CVE-2017-5754 (Meltdown)

Component: REST Framework and TMOS Platform

Symptoms:
For more information see: https://support.f5.com/csp/article/K91229003

Impact:
For more information see: https://support.f5.com/csp/article/K91229003

Fix:
For more information see: https://support.f5.com/csp/article/K91229003


699952 : Objects with v6 IP addresses for names that use "::" to replace a single zero

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
Using "::" to replace a single zero in a v6 address was previously not valid. BIG-IP allows it and simply fixes it for you, but when the address is used as an object name, the address format isn't fixed.

BIG-IQ address validation was stricter and rejected "::" replacing a single zero. Because of this, name validation would fail for one of these invalid addresses.

Conditions:
BIG-IP has objects like self-IP addresses with poorly formatted names, such as "2001:4888:3:3EE0:C0:D:0::".

Impact:
BIG-IP would fail to import into BIG-IQ.

Workaround:
Delete the objects on BIG-IP and create new ones with a valid address format.

Fix:
BIG-IQ address validation is more flexible so it will match the BIG-IP address validation.


697834 : Date format inconsistency when scheduling deployments

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Date formats differ in various locations on the Scheduling Deployments pages, for example:

-- Aug 13, 2018 at 16:30.
-- Aug 13, 2018 at 16:30:00(EDT).
-- 08/13/18 at 4:30 PM.

Conditions:
When scheduling deployments.

Impact:
Date formats are inconsistent between deployment forms and scheduling dialogs.

Workaround:
None.

Fix:
Date formatting is now consistent between deployment forms and scheduling dialogs.


692135 : Stats collection agent out of date alert

Component: BIG-IQ Device Management

Symptoms:
After upgrading to the latest version of BIG-IQ, the "Stats collection agent out of date" alert can sometimes erroneously trigger.

Conditions:
Upgrade to latest version of BIG-IQ.

Impact:
Cosmetic

Workaround:
There is no definitive workaround for this issue, although rediscovering the BIG-IP device and disabling/enabling statistics might clear the alert.


691531-1 : Resource Group form's preview section

Component: REST Framework and TMOS Platform

Symptoms:
On the Resource Group form, the lower section of the page shows a grid featuring objects which can be added to the resource group. The lower right section shows a preview of objects selected in the lower left portion. If you select one or more items, then deselect them, you might see outdated preview content in the lower right portion of the page.

Conditions:
When you select and deselect resource group objects.

Impact:
You might see outdated preview content.



Known Issues in BIG-IQ CM v6.0.x


BIG-IQ Configuration - Access Issues

ID Number Severity Solution Article(s) Description
739274 3-Major   Service Scaling Group devices are not available for Security Administrator to deploy Access Policy changes
723940 3-Major   Re-importing of a source device in an Access Group with AGC policy might fail


BIG-IQ Configuration - Local Traffic Issues

ID Number Severity Solution Article(s) Description
739884-1 2-Critical   Importing a BIG-IP device


BIG-IQ Deployment - Evaluate & Deploy Issues

ID Number Severity Solution Article(s) Description
723294 2-Critical   AGC Config: Editing an object or deploying on a non-source BIG-IP can fail
734529 3-Major   Logs and Dashboard data for non-source BIG-IP after deployment of configuration from source device to non-source device


BIG-IQ Monitoring - Dashboards & Reports Issues

ID Number Severity Solution Article(s) Description
718595-1 3-Major   SWG Reports are not supported in BIG-IQ 6.0.0


BIG-IQ Monitoring - Logs Issues

ID Number Severity Solution Article(s) Description
739394 3-Major   Event logs Sorting by fields other than the date causes Server errors


BIG-IQ System User Interface Issues

ID Number Severity Solution Article(s) Description
643507 4-Minor   Removing a Data Collection Device may take a long time, and will not show an error dialog if removal times out


BIG-IQ Local Traffic & Management Issues

ID Number Severity Solution Article(s) Description
723562 3-Major   Client and Server SSL profiles and BIG-IP version compatibility


BIG-IQ App Visibility and Reporting (AVR) Issues

ID Number Severity Solution Article(s) Description
712009 3-Major   Default replica count in the database for statistics data is now 1 in BIG-IQ 6.0.0


AppIQ Issues

ID Number Severity Solution Article(s) Description
740145 2-Critical   Data only updates every hour
737783 2-Critical   After an upgrade from BIG-IQ version 6.0 to BIG-IQ version 6.0.1, stats index restored may be in closed state
739529-1 3-Major   Scale-out activity can occur in an AWS SSG without an alert being triggered
739276 3-Major   Excessive logging to /var/log/appiq/healthcalculator.log file
724778 3-Major   After upgrading BIG-IQ from 6.0.0 to 6.0.1, analytics data from the DCD cluster is not preserved
723514 3-Major   Possibility for misconfiguration of BIG-IQ console address on DCD


BIG-IQ Configuration - Infrastructure Issues

ID Number Severity Solution Article(s) Description
738227-1 3-Major   Partial restore of shared security sometimes fails


BIG-IQ Device Management Issues

ID Number Severity Solution Article(s) Description
723296 3-Major   The secondary member of an HA pair does not show devices in the access group


BIG-IQ DNS Management Issues

ID Number Severity Solution Article(s) Description
723027 2-Critical   Peak Traffic graph shows values only for the highest listener
723759 3-Major   Modifications from BIG-IQ to iRules for version 12.1.1 DNS sync groups fail
722164 3-Major   Topology records configuration don't sync across all devices for a sync group running version 12.1.1 when deploying from BIG-IQ
722148 3-Major   Deploy fails for topology region when the target DNS target sync group is version 12.1.1
720162-1 3-Major   Deploy fails for DNS listener when it is set with a new DNS profile
716595 3-Major   Changing DNS topology records for versions of BIG-IP prior to 14.1
673763 3-Major   The wide IP list doesn't display the incorrect number of associated pools for BIG-IP version 12.x devices


REST Framework and TMOS Platform Issues

ID Number Severity Solution Article(s) Description
707726 2-Critical   After you upgrade BIG-IQ 7000, system might become unusable
738522 3-Major   On large-scale systems, creating a BIG-IQ HA pair can take a considerable amount of time before being able to log in
738116 3-Major   Search results can lag or BIG-IQ might become unresponsive
723292 3-Major   The secondary BIG-IQ in an HA pair does not show access group devices
706634 5-Cosmetic   Several config files in /config are named bigip*.conf instead of bigiq*.conf


BIG-IQ Web Application Security (ASM) Issues

ID Number Severity Solution Article(s) Description
726517 2-Critical   Application deployment to BIG-IP devices in a service scaling group fails


BIG-IQ Application Management Issues

ID Number Severity Solution Article(s) Description
737973 1-Blocking   Deleting a service scaling group in a PAUSED state with applications deployed
737946 1-Blocking   Statistics data is not received by BIG-IQ due to BIG-IP connectivity issues
722458-1 2-Critical   Browser crashes when viewing/editing Application Services Configuration in Chrome 67
738432 3-Major   Cannot create a new service scaling group (SSG) if there are 50 or more SSGs already created
738105-1 3-Major   Deployment of WAF application fails on AWS SSGs created with 2 or more initial devices
737823 3-Major   HTTP Statistics can be enabled for Applications for BIG-IQ devices running a version prior to 13.1.0.5
737640 3-Major   BIG-IQ cannot revoke licenses for AWS instances
726243 3-Major   vCenter self-signed certificate after BIG-IQ upgrade

 

Known Issue details for BIG-IQ CM v6.0.x

740145 : Data only updates every hour

Component: AppIQ

Symptoms:
Changes to the data retention policy may result in data that only refreshes over hour-long intervals. This can temporarily impact the displayed data in tables and charts until the next refresh period.

Conditions:
Modifications to the default retention of analytics data.

Impact:
Data does not display as expected in the tables and charts.


739884-1 : Importing a BIG-IP device

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
BIG-IQ does not yet support importing BIG-IP devices configured with a VLAN 4096 on a virtual-wire interface.

Conditions:
Importing BIG-IP devices configured with a VLAN 4096 on a virtual-wire interface.

Impact:
BIG-IQ currently can not discover/import that BIG-IP device.


739529-1 : Scale-out activity can occur in an AWS SSG without an alert being triggered

Component: AppIQ

Symptoms:
For a service scaling group (SSG) in an AWS environment, BIG-IQ scales in or scales out BIG-IP VE devices based on management throughput. Alerts are based only on data-plane throughput and ignore management throughput. This means scale-in/out activity and the reported alerts about the need to perform them are different.

Conditions:
This happens when managing BIG-IP devices deployed in an AWS SSG.

Impact:
Scale-out activity can happen even when there is no alert for its need.


739394 : Event logs Sorting by fields other than the date causes Server errors

Component: BIG-IQ Monitoring - Logs

Symptoms:
When sorting events by anything other than Date & Time, BIG-IQ returns an error.

Conditions:
This happens when BIG-IQ has re-indexed after an installation or upgrade.

Impact:
Sorting causes an error.

Workaround:
To work around this issue, you can filter by a field instead of sorting. Or, you can re-sort by Date & Time.


739276 : Excessive logging to /var/log/appiq/healthcalculator.log file

Component: AppIQ

Symptoms:
BIG-IQ logs a message for every object it tracks (virtual servers, nodes, and pool members) related to BIG-IP. This can lead to excessive logging in the /var/log/appiq/healthcalculator.log file when there is a large number of configured objects.

Conditions:
This happens when BIG-IQ manages a system with a large number of virtual servers, nodes, and pool members.

Impact:
This causes an unnecessary load on the BIG-IQ console disk.

Workaround:
To work around this issue, edit the log4j file of appiq, and disable logging for the health calculator module.


739274 : Service Scaling Group devices are not available for Security Administrator to deploy Access Policy changes

Component: BIG-IQ Configuration - Access

Symptoms:
SSG devices are not available from the Under Deployment -> Access screen.

Conditions:
This happens when a Security Administrator changes an Access Policy and tries to deploy changes to Service Scaling Group devices.

Impact:
Access Deployment for Service Scaling Group devices is not available for Security Administrator.

Workaround:
Use the switch template feature to deploy instead.

1) Clone the template.
2) Open the App, and click the switch template button.
3) Select the cloned template.
4) Click deploy.

You don't need to repeat the first step every time. You only need two instances of the template to switch the template every time Access Policy is changed.


738522 : On large-scale systems, creating a BIG-IQ HA pair can take a considerable amount of time before being able to log in

Component: REST Framework and TMOS Platform

Symptoms:
Creating a BIG-IQ HA pair prompts a re-indexing event.

Conditions:
Large-scale system with BIG-IQ systems in an HA pair.

Impact:
You won't be able to log in.

Workaround:
You'll be able to log in after re-indexing happens, which could take longer than 30 minutes.


738432 : Cannot create a new service scaling group (SSG) if there are 50 or more SSGs already created

Component: BIG-IQ Application Management

Symptoms:
If you have 50 or more SSGs created, subsequent SSG creation fails and the SSG is put into a paused state. You cannot reactivate the paused SSG because you are limited to 50 SSGs.

Conditions:
This happens when you have 50 or more SSGs.

Impact:
You are limited to 50 SSGs

Workaround:
Do not create more than 50 SSGs.


738227-1 : Partial restore of shared security sometimes fails

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
Partial restore of shared security can fail with the following error message:

    Internal error: adding device-specific item with no device provided by caller (see log)

Conditions:
This can happen when you have or had a virtual server (in shared security) that refers to one of the default (built-in) logging profiles, such as 'global-network' and you attempt a partial restore with that virtual server selected.

Impact:
Unable to restore virtual server.

Workaround:
To work around this issue, use one of the following solutions:

(1) Restore only the virtual server by clearing the "supporting objects: include" checkbox.

(2) Perform a full restore of working config.

(3) Examine the differences that apply to the virtual server and manually make those changes in the live BIG-IQ configuration.


738116 : Search results can lag or BIG-IQ might become unresponsive

Component: REST Framework and TMOS Platform

Symptoms:
The CPU usage for BIG-IQ might spike during a search and the /var/log/searchd/eslognode.log file might log a warning similar to:

[2018-05-24T20:41:34,332][WARN ][o.e.m.j.JvmGcMonitorService] [00000000-0000-0000-0000-222222222222] [gc][20354] overhead, spent [1.4s] collecting in the last [1.6s]
[2018-05-24T20:41:35,949][WARN ][o.e.m.j.JvmGcMonitorService] [00000000-0000-0000-0000-222222222222] [gc][20355] overhead, spent [1.2s] collecting in the last [1.6s]
[2018-05-24T20:41:37,280][WARN ][o.e.m.j.JvmGcMonitorService] [00000000-0000-0000-0000-222222222222] [gc][20356] overhead, spent [1.3s] collecting in the last [1.3s]

Or returns one or more out of memory errors in the /var/log/searchd/eslognode.log, similar to the following:
 
java.lang.OutOfMemoryError: Java heap space

Conditions:
This can happen during a large operation, such as importing a device or creating an application.

Impact:
BIG-IQ might become slow or unresponsive, or search results might lag well behind the changes to the data on the BIG-IQ. In the worst possible case, the situation might not resolve on its own.

Workaround:
To resolve this issue, refer to Article KS0007133: Error Message: [WARN ][o.e.m.j.JvmGcMonitorService] at https://support.f5.com/csp/home


738105-1 : Deployment of WAF application fails on AWS SSGs created with 2 or more initial devices

Component: BIG-IQ Application Management

Symptoms:
After an AWS SSG has been created with 2 or more initial devices, deployment of WAF application may fail due to ASM module not being imported.

Conditions:
Create an AWS SSG with 2 or more initial devices and deploy a WAF application.

Impact:
Unable to deploy WAF applications on AWS SSGs with 2 or more initial devices.

Workaround:
Create an AWS SSG with an initial device count of 1 and allow for scaling out up to maxDevices prior to deploying a WAF application.


737973 : Deleting a service scaling group in a PAUSED state with applications deployed

Component: BIG-IQ Application Management

Symptoms:
When an SSG with applications deployed is in a PAUSED state, the SSG cannot be deactivated/activated/deleted because of the deployed applications, and the applications cannot be deleted due to the SSG being in a PAUSED state.

Conditions:
When applications are deployed to an SSG and an SSG is in a PAUSED state, possibly due to a redeployment that failed, the SSG cannot be deactivated, reactivated or deleted.

Impact:
The SSG and its applications are left in an unusable state and they cannot be deleted either.

Workaround:
To work around this issue, delete the applications as follows.

1. From the BIG-IQ command line, set the state of the SSG to READY by issuing the following command
   restcurl -X PATCH -d '{"status":"READY"}' /cm/cloud/service-scaling-groups/<SSG UUID>

2. Delete the Application(s) from the Applications screen.

3. Delete the SSG from the Applications > Environments > Service Scaling Groups screen.

4. Delete any listeners, if any, that were created for the application from the ELB by logging into the AWS console.

You can now recreate the SSG and the applications.


737946 : Statistics data is not received by BIG-IQ due to BIG-IP connectivity issues

Component: BIG-IQ Application Management

Symptoms:
If a managed BIG-IP device experiences connectivity issues, it stops sending statistics data to BIG-IQ.

Connectivity issues can occur for devices in a service scaling group (SSG) deployed in an AWS environment, because of a device-inactivity alert and a moderate health status.

Conditions:
Connectivity issues can occur for devices in a service scaling group (SSG) deployed in an AWS environment, because of a device-inactivity alert and a moderate health status.

Impact:
BIG-IQ does not receive the statistics data for the affected BIG-IP device.

Workaround:
Restart arvd on any affected BIG-IP devices.


737823 : HTTP Statistics can be enabled for Applications for BIG-IQ devices running a version prior to 13.1.0.5

Component: BIG-IQ Application Management

Symptoms:
BIG-IQ does not support HTTP statistics data collection for BIG-IP running a version prior to 13.1.0.5. If you enable it for a version of BIG-IP that is not supported, data is not collected.

Conditions:
Applications managed by BIG-IP versions earlier than 13.1.0.5.

Impact:
The application gives the impression HTTP stats should work when they are not collected. This will impact the health data, where applications that are not supported by HTTP statistics data will show health status according to Pool member and virtual server status.

Workaround:
When creating a new application using a service template:

For BIG-IP devices running a version prior to 13.1.0.5, do not enable Collect HTTP Statistics.

When viewing application properties for an application:

For BIG-IP devices running a version prior to 13.1.0.5, do not select the Enable button from the HTTP Statistic Collection Field (Applications > APPLICATIONS > <Application Name>: Properties: CONFIGURATION).


737783 : After an upgrade from BIG-IQ version 6.0 to BIG-IQ version 6.0.1, stats index restored may be in closed state

Component: AppIQ

Symptoms:
After an upgrade from BIG-IQ version 6.0 to BIG-IQ version 6.0.1 with stats data, the CPU chart or any other chart may show the error: "INTERNAL_SERVER_ERROR: ClusterBlockException[blocked by: [FORBIDDEN/4/index closed];]"

Conditions:
This happens when you upgrade a DCD and BIG-IQ cluster from version 6.0.0 to version 6.0.1.

Impact:
Stats query that uses the restored index, which is in the closed state, fails.

Workaround:
To work around this issue, from the command line of the BIG-IQ system, type the following command:

curl localhost:9200/_cat/indices

If an index is in a closed state, type the following command to open the index:

curl -X POST localhost:9200/indexName/_open


Verify that all indices are now open, by typing the following command:

curl localhost:9200/_cat/indices


737640 : BIG-IQ cannot revoke licenses for AWS instances

Component: BIG-IQ Application Management

Symptoms:
If the initial build out of an AWS service scaling group (SSG) using BYOL images fails because of a connectivity issue, BIG-IQ cannot discover devices in the SSG. As a result, BIG-IQ cannot revoke licenses assigned to the AWS instances even after deactivating and activating the SSG.

Conditions:
This happens if there are connectivity issues.

Impact:
Licenses assigned to the AWS instances are not revoked by BIG-IQ even after deactivating and reactivating the SSG.

Workaround:
If an SSG is in a paused state because it failed the initial build out, make a note of the private IP addresses for the AWS instances using the AWS console. Then log in to the BIG-IQ license manager and manually revoke the AWS instance licenses you identified by the private IP addresses you gathered.


734529 : Logs and Dashboard data for non-source BIG-IP after deployment of configuration from source device to non-source device

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Access reports and Dashboard do not show any data from the non-source BIG-IP device.

Conditions:
This happens when Access Remote log configuration is enabled for a source device and configuration is deployed from the source device to the non-source device.

Impact:
Access reports and Dashboard do not show any data from the non-source device.

Workaround:
To fix this issue, enable the Access remote log configuration for the non-source device after deployment.


726517 : Application deployment to BIG-IP devices in a service scaling group fails

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When trying to deploy a new or changed application to BIG-IP devices in a service scaling group, it might fail.

Conditions:
This happens when deploying an application to BIG-IQ devices in a service scaling group.

Impact:
Application deployment fails.

Workaround:
The application will sync with its peer automatically in approximately 10 seconds. This issue will not recur on future application deployments.


726243 : vCenter self-signed certificate after BIG-IQ upgrade

Component: BIG-IQ Application Management

Symptoms:
Existing service scaling group (SSG) fails to communicate with vCenter due to an invalid certificate.

Conditions:
This can happen after upgrade from 6.0.0 when vCenter uses a self-signed/untrusted certificate.

Impact:
SSG operations will continue to fail until the vCenter certificate is again installed in BIG-IQ.

Workaround:
If the SSGs were working correctly prior to the upgrade, the vCenter certificate was likely installed in BIG-IQ as per the guide (https://support.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/big-iq-centralized-management-auto-scaling-in-vmware-6-0-0/1.html).

After the BIG-IQ upgrade, repeat the same steps:

From the BIG-IQ command line, copy the root certificate from the vCenter host cert file:
/etc/vmware-sso/key/ssoserverRoot.crt

to the BIG-IQ system's cert file:

/config/ssl/ssl.crt

Then type the following command to create a symbolic link to this certificate using the certificate's hash:

ln -s ssoserverRoot.crt `openssl x509 -hash -noout -in ssoserverRoot.crt`.0

Restart gunicorn by typing: bigstart restart gunicorn


724778 : After upgrading BIG-IQ from 6.0.0 to 6.0.1, analytics data from the DCD cluster is not preserved

Component: AppIQ

Symptoms:
After upgrading from BIG-IQ 6.0.0 to 6.0.1, data collected by a DCD cluster prior to the upgrade is not automatically preserved.

Conditions:
This happens after you upgrade a BIG-IQ system with a DCD cluster from version 6.0 to version 6.0.1.

Impact:
No DCD cluster statistics display from the previous version after you upgrade to version 6.0.1.

Workaround:
To work around this issue, preserve your statistics data by logging in to the BIG-IQ system's shell as "root" and running the following commands:

# Read the version and build numbers from /VERSION
VERSION=`grep -w Version: /VERSION | cut -d: -f2 | xargs echo`
BUILD=`grep -w Build: /VERSION | cut -d: -f2 | xargs echo`
# Archive the RethinkDB data directory into /shared
tar czvf /shared/rethinkdb_backup-$VERSION.$BUILD.tar.gz -P /var/config/rethinkdb/data/


723940 : Re-importing of a source device in an Access Group with AGC policy might fail

Component: BIG-IQ Configuration - Access

Symptoms:
Reimporting a source device in an Access Group with AGC policy might fail.

Conditions:
This can happen when:
1> BIG-IP 1 has an AGC-created Access Policy being used by a Virtual Server. BIG-IP 2 has no Access Policy and no Virtual Server.
2> From BIG-IQ, you create an Access Group with BIG-IP 1 as the source device and BIG-IP as the non-source device.
3> From BIG-IQ, you deploy an Access Policy to BIG-IP 2.
4> From BIG-IQ, you reimport shared and device-specific objects to BIG-IP 2 so that BIG-IP becomes the source device for the Access group.
6> You delete the Access Policy from BIG-IP.
7> From BIG-IQ, you reimport shared and device-specific objects to BIG-IP (source device).

Impact:
Reimport fails for the source device.

Workaround:
To work around this issue:
1> Find the Virtual Server name from the error message:
The error message contains the name of the Virtual Server that uses the Access policy objects. Example error message: "ConfigItemInUseException: /Common/agc_adfs_import.app/agc_adfs_import is in use by Virtual Server '/Common/agc_adfs_import.app/agc_adfs_import_vs'."

2> Find the BIG-IP device that has the Virtual Server: from BIG-IQ, locate the Virtual Server in the LTM module and get its IP address.

3> On the BIG-IP device, disable strict-updates for the application-service that contains the Virtual Server using 'tmsh' commands. Example command for an application-service with the name 'sslo_app':
modify sys application service sslo_app.app/sslo_app strict-updates disabled

4> From BIG-IQ, reimport the LTM service for that BIG-IP device.

Reimport of the source device should now be successful.


723759 : Modifications from BIG-IQ to iRules for version 12.1.1 DNS sync groups fail

Component: BIG-IQ DNS Management

Symptoms:
Changes made to iRules from BIG-IQ fail for DNS sync groups running 12.1.1.

Conditions:
This happens when you modify an existing iRule in BIG-IQ and deploy the change to a DNS sync-group of version 12.1.1.

Impact:
Changes are not applied.

Workaround:
To work around this issue, modify the iRule directly on the BIG-IP device.


723562 : Client and Server SSL profiles and BIG-IP version compatibility

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IP Version 14.0 introduced a new tmOption for Client and Server SSL profiles called "No TLSv1.3". Beginning with BIG-IP Version 14.0, this tmOption must be enabled for Client and Server SSL profiles that do not include a Cipher Group. Client and Server SSL profiles in BIG-IP Version 13.x do not define this option. Consequently, BIG-IP Version 13.x Client and Server SSL profiles that do not include a Cipher Group will not deploy successfully to BIG-IP Version 14.0 devices.

Conditions:
Applies to BIG-IQ environments that manage a mix of BIG-IP Version 13.x and 14.0 devices, and whose configured Virtual Servers from the different device versions share Client and/or Server SSL profiles.

Impact:
Potential deployment failure to BIG-IP Version 14.0 devices.

Workaround:
BIG-IP Version 14.0 introduced a new tmOption for Client and Server SSL profiles called "No TLSv1.3". Beginning with BIG-IP Version 14.0, this tmOption must be enabled for Client and Server SSL profiles that do not include a Cipher Group. This new tmOption is incompatible with BIG-IP versions prior to 14.0. It is very important to be aware of this incompatibility, since the new tmOption is assigned to virtually all default Client and Server SSL profiles packaged with BIG-IP Version 14.0.

Since the "No TLSv1.3" tmOption, as well as its relationship to Cipher Group, is incompatible with pre-14.0 versions of BIG-IP, the following guidance is recommended to prevent BIG-IQ deployment failures: Client and Server SSL profile instances should not be shared by Virtual Servers across 13.0 and 14.0 versions of BIG-IP. Specifically:

- Client and Server SSL profiles assigned to BIG-IP Version 13.0 Virtual Servers should not include the new "No TLSv1.3" tmOption. If this tmOption is present, a warning will appear at Evaluation for deployments to BIG-IP Version 13.0 devices. At Deployment, the "No TLSv1.3" tmOption will be removed to prevent a device error.

- Client and Server SSL profiles assigned to BIG-IP Version 14.0 Virtual Servers must include the new "No TLSv1.3" tmOption in cases where no Cipher Group is defined for the profile. Deployments to BIG-IP Version 14.0 devices will fail if this condition is not met. Therefore, child profiles should be created that include this tmOption for BIG-IP Version 14.0 Virtual Servers in cases where the profile does not contain a Cipher Group.

There is one notable exception to the information above regarding BIG-IP Version 14.0 Client SSL profiles. The default profile "clientssl-secure" may use an existing tmOption called "No SSL" for cases where a Cipher Group is not assigned. If the "No SSL" tmOption is enabled for the "clientssl-secure" default profile, then the "No TLSv1.3" tmOption may be excluded.
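The deployment rules above can be expressed as a pre-deployment check. This is an added example, not F5 code or a BIG-IQ API: the SSLProfile class, the function names and the sample inventory are hypothetical and constructed for illustration; only the tmOption names, the "clientssl-secure" profile name and the 14.0 boundary come from the text. It assumes any version below 14.0 behaves like 13.x and any later version like 14.0.

```python
from dataclasses import dataclass, field
from typing import Optional

NO_TLS13 = "No TLSv1.3"  # tmOption introduced in BIG-IP 14.0 (from the text above)
NO_SSL = "No SSL"        # existing tmOption, relevant to "clientssl-secure"

@dataclass
class SSLProfile:
    """Hypothetical model of a Client/Server SSL profile (not a BIG-IQ object)."""
    name: str
    options: set = field(default_factory=set)
    cipher_group: Optional[str] = None

def is_pre_14(version: str) -> bool:
    # Assumption: versions are dotted integers such as "13.1.0" or "14.0".
    return tuple(int(p) for p in version.split(".")) < (14, 0)

def check_profile(profile: SSLProfile, device_version: str):
    """Predict the outcome of deploying one profile to one BIG-IP version."""
    has_no_tls13 = NO_TLS13 in profile.options
    if is_pre_14(device_version):
        if has_no_tls13:
            return "warn", "option not defined before 14.0; removed at deployment"
        return "ok", ""
    if profile.cipher_group or has_no_tls13:
        return "ok", ""
    if profile.name == "clientssl-secure" and NO_SSL in profile.options:
        return "ok", ""  # the documented exception
    return "fail", 'no Cipher Group and no "No TLSv1.3"; use a child profile'

def audit(virtual_servers):
    """virtual_servers: iterable of (vs_name, device_version, [SSLProfile, ...])."""
    findings, sides = [], {}
    for vs_name, version, profiles in virtual_servers:
        side = "pre-14.0" if is_pre_14(version) else "14.0+"
        for prof in profiles:
            sides.setdefault(prof.name, set()).add(side)
            status, reason = check_profile(prof, version)
            if status != "ok":
                findings.append((status, vs_name, prof.name, reason))
    for name in sorted(sides):
        if len(sides[name]) == 2:  # same profile instance used on both sides
            findings.append(("shared", "*", name, "shared across 13.x and 14.0"))
    return findings

# Constructed sample inventory (names and versions are illustrative only).
legacy = SSLProfile("clientssl-legacy")
child14 = SSLProfile("clientssl-legacy-v14", {NO_TLS13})
secure = SSLProfile("clientssl-secure", {NO_SSL})
grouped = SSLProfile("serverssl-grouped", cipher_group="example-cipher-group")
INVENTORY = [
    ("vs_a", "13.1.0", [legacy]),
    ("vs_b", "14.0.0", [legacy]),                    # fails; legacy is shared
    ("vs_c", "14.0.0", [child14, secure, grouped]),  # all acceptable on 14.0
    ("vs_d", "13.1.0", [child14]),                   # warns; child14 is shared
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```
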


723514 : Possibility for misconfiguration of BIG-IQ console address on DCD

Component: AppIQ

Symptoms:
The DCD may use the wrong address for the BIG-IQ console and therefore cannot connect to RethinkDB. The primary symptom is that no stats are received from the affected DCD. On the DCD, the log file /var/log/appiq/agentmanager.log will have entries showing that agentmanager is unable to connect to RethinkDB on the console.

Conditions:
Configuring the discovery address on the console after discovering the DCD could trigger this condition.

Impact:
No stats are received from the affected DCD.

Workaround:
Restart restjavad on the console to correct this condition.


723296 : The secondary member of an HA pair does not show devices in the access group

Component: BIG-IQ Device Management

Symptoms:
Devices added to the access group after creating an HA pair will not be visible on the secondary until the system is restarted.

Conditions:
This happens with a secondary BIG-IQ configured in an HA pair with an access group.

Impact:
This is a cosmetic issue: the data is on the secondary; only the local caching mechanism is stale.

Workaround:
To properly display devices in an access group on the secondary BIG-IQ, restart it.


723294 : AGC Config: Editing an object or deploying on a non-source BIG-IP can fail

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Editing an object on a non-source BIG-IP device or deployment to a non-source BIG-IP device fails.

Conditions:
This failure can happen when you reimport a non-source BIG-IP device before editing an AGC-created object on a non-source BIG-IP device or when deploying an AGC-created policy to a non-source BIG-IP device.

Impact:
Editing or deployment can fail.

Workaround:
To work around this issue, from BIG-IQ, for the non-source BIG-IP device:
1> Remove ADC and ACCESS service.
2> Re-add ADC and ACCESS service.


723292 : The secondary BIG-IQ in an HA pair does not show access group devices

Component: REST Framework and TMOS Platform

Symptoms:
If you add devices to the access group after creating a BIG-IQ HA pair, they won't be visible on the secondary BIG-IQ until you restart the system.

Conditions:
HA configured and access groups added.

Impact:
This is a cosmetic issue only. The data is actually on the secondary BIG-IQ; the cache is just stale.

Workaround:
Restart the secondary BIG-IQ and you'll be able to see the devices.


723027 : Peak Traffic graph shows values only for the highest listener

Component: BIG-IQ DNS Management

Symptoms:
The Peak Traffic graph located in BIG-IQ --> Monitoring tab --> Dashboards --> DNS --> Traffic shows values only for the listener with the maximum queries.

The correct calculation should be a sum of the queries from all listeners.

Conditions:
1. Set up a BIG-IQ system with DNS module and a Data Collection Device cluster.
2. Discover a BIG-IP DNS with several DNS listeners.
3. Run DNS traffic towards the listeners.
4. View the Peak Traffic graph.

Impact:
The graph is not accurate.

Workaround:
N/A


722458-1 : Browser crashes when viewing/editing Application Services Configuration in Chrome 67

Component: BIG-IQ Application Management

Symptoms:
Browser crashes when using Chrome 67, which is unsupported for BIG-IQ version 6.0.0.

Conditions:
This can happen when trying to view or modify an Application Services configuration (such as adding a pool or virtual server) using unsupported Chrome browser versions, or when resizing the page while viewing Application Environment, Application Services or Servers.

Impact:
Cannot perform certain Application Services configuration changes when using Chrome 67.

Workaround:
To work around this issue, use a supported browser: Chrome versions 65 or 66, Firefox 59 or 60, Microsoft Edge, or Microsoft Internet Explorer 11. Or, downgrade to a compatible version of Chrome (version 65.x or 66.x).


722164 : Topology records configuration don't sync across all devices for a sync group running version 12.1.1 when deploying from BIG-IQ

Component: BIG-IQ DNS Management

Symptoms:
If you create or delete DNS topology records configuration objects from BIG-IQ and deploy the changes to a DNS sync-group running version 12.1.x, only one device from the sync-group gets the changes.

Conditions:
This happens when you create DNS topology records configuration objects from BIG-IQ and deploy it to a DNS sync-group running version 12.1.1.

Impact:
Only one device from the sync-group gets the configuration changes.

Workaround:
To work around this issue, create DNS topology records directly on one of the DNS sync-group devices.


722148 : Deploy fails for topology region when the target DNS sync group is version 12.1.1

Component: BIG-IQ DNS Management

Symptoms:
When creating a new topology region object on BIG-IQ, deployment fails if the target DNS sync-group is version 12.1.1.

Conditions:
This happens when the target DNS sync-group is version 12.1.1.

Impact:
Changes for DNS topology regions aren't deployed.

Workaround:
To work around this issue, create DNS topology regions directly on the BIG-IP device.


720162-1 : Deploy fails for DNS listener when it is set with a new DNS profile

Component: BIG-IQ DNS Management

Symptoms:
When setting a new DNS listener with a new DNS profile, and neither the profile nor the listener exists yet on BIG-IP, the configuration deployment fails on BIG-IP.

Conditions:
The following configuration exists in BIG-IQ but hasn't been deployed yet to BIG-IP:
1. A new DNS profile
2. A new DNS listener that is set with the new profile

Impact:
Configuration deployment fails.

Workaround:
To work around this issue, deploy the DNS profile to BIG-IP before deploying the configuration. Once it is deployed successfully, the associated DNS listener can be deployed too.


718595-1 : SWG Reports are not supported in BIG-IQ 6.0.0

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
If you discover a BIG-IP device from BIG-IQ that has the AVR service with stats collection enabled, SWG reports don't include the data on the managed BIG-IP and in the BIG-IQ Monitoring dashboards.

Conditions:
BIG-IQ discovers a device with AVR service and stats collection enabled.

Impact:
SWG does not report data on the BIG-IP or on the BIG-IQ monitoring dashboards. BIG-IQ version 6.0.0 handles only LTM and ASM.

Workaround:
There are two options:

Do not upgrade to BIG-IQ 6.0.0 if you require SWG dashboards.

If you must upgrade, or have already upgraded to BIG-IQ 6.0.0, do not enable stats collection for the SWG provisioned BIG-IP device.


716595 : Changing DNS topology records for BIG-IP versions prior to 14.1

Component: BIG-IQ DNS Management

Symptoms:
You cannot change the order of DNS topology records from BIG-IP versions prior to 14.1.

Conditions:
If you're managing a BIG-IP running a version prior to 14.1.

Impact:
You cannot change the order of DNS topology records.

Workaround:
To work around this issue, you'll have to change the order of DNS topology records on BIG-IP devices running versions prior to 14.1, directly on the BIG-IP device.


712009 : Default replica count in the database for statistics data is now 1 in BIG-IQ 6.0.0

Component: BIG-IQ App Visibility and Reporting (AVR)

Symptoms:
Replica count for statistics data is set to 1 replica starting in the BIG-IQ 6.0.0 release. Prior to 6.0.0, the value was 0 (do not replicate statistics data). This setting applies to new indices only (data existing prior to 6.0.0 upgrade is not affected).

Conditions:
N/A

Impact:
The new default setting might impact how much storage BIG-IQ uses for statistical data since new statistical data will be replicated in the BIG-IQ DCD cluster.

Workaround:
You can change this value in the BIG-IQ UI for statistics collection configuration.


707726 : After you upgrade BIG-IQ 7000, system might become unusable

Component: REST Framework and TMOS Platform

Symptoms:
After upgrading BIG-IQ 7000, the incorrect file system can mount, which keeps the system from initializing.

Conditions:
This can happen when you upgrade BIG-IQ from 5.x to 6.0.1 when there has been a previous upgrade.

Impact:
System is not usable.

Workaround:
To work around this issue, before you upgrade BIG-IQ, log in to a console and remove a file:

# rm -f /var/log/liveinstall.log

Then proceed with the upgrade.


706634 : Several config files in /config are named bigip*.conf instead of bigiq*.conf

Component: REST Framework and TMOS Platform

Symptoms:
There are several files in /config that are named bigip*.conf. These files belong to the BIG-IQ, but they have the same names as the corresponding files on a BIG-IP.

Conditions:
These names are displayed when running:
tmsh save /sys config

which outputs:
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done

Impact:
This could be confusing, since bigip is part of the file names. Otherwise there is no impact.

Workaround:
N/A


673763 : The wide IP list doesn't display the correct number of associated pools for BIG-IP version 12.x devices

Component: BIG-IQ DNS Management

Symptoms:
Due to an issue with BIG-IP version 12.x, BIG-IQ is unable to correctly display the number of DNS pools that are referenced by the wide IP.

Conditions:
This happens only for BIG-IP devices running version 12.x.

Impact:
The wrong number of DNS pools display.

Workaround:
There is no workaround at this time.


643507 : Removing a Data Collection Device may take a long time, and will not show an error dialog if removal times out

Component: BIG-IQ System User Interface

Symptoms:
When removing a Data Collection Device, the removal task may take a long time to complete. While this task runs, you are free to use the UI or log out and the task will continue to run on your BIG-IQ. If the task fails or times out, you will not see an error message dialog.

Conditions:
This can occur when you remove a Data Collection Device with a large amount of data.

Impact:
Removal may fail without presenting an error message.

Workaround:
Attempt to remove the data collection device again.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Fri Sep 7 14:47:54 2018 PDT
Copyright F5 Networks (2018) - All Rights Reserved
