Applies To:
BIG-IQ Centralized Management
- 7.0.0
BIG-IQ CM Release Information
Version: 7.0.0
Build: 1854.0
NOTE: This release DOES NOT include fixes for the Spectre vulnerabilities (CVE-2017-5715, CVE-2017-5753).
F5 is currently developing fixes which will be released in a future version. Please see K91229003 for current Spectre and Meltdown information.
Known Issues in BIG-IQ CM v7.0.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
669855 | CVE-2016-10088, CVE-2016-10142, CVE-2016-2069, CVE-2016-2384, CVE-2016-6480, CVE-2016-7042, CVE-2016-7097, CVE-2016-8399, CVE-2016-9576 | K31603170 | Multiple Linux Kernel Vulnerabilities
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
755992 | 3-Major | | SSL Profile field missing from HTTPS monitor
BIG-IQ Configuration - Local Traffic Fixes
ID Number | Severity | Solution Article(s) | Description
769877 | 3-Major | | Partial deployment fails to detach ASM policies from a virtual server
BIG-IQ Device User Interface Fixes
ID Number | Severity | Solution Article(s) | Description
769189 | 2-Critical | | BIG-IP Devices page might not display discovered BIG-IP devices in environments with large numbers of devices and/or large numbers of device groups
759409 | 4-Minor | | Improved image upload chunk size from 256KB to 4MB
758863 | 4-Minor | | Device list shows "Filtered by [term]", but contains all devices
BIG-IQ Monitoring - Alerts & Notifications Fixes
ID Number | Severity | Solution Article(s) | Description
788649 | 4-Minor | | Times displayed in the BIG-IQ UI might be off by one hour for users in the CLT timezone
BIG-IQ Monitoring - Logs Fixes
ID Number | Severity | Solution Article(s) | Description
782237 | 4-Minor | | Event logs filter having special characters fails to provide results
BIG-IQ Search Fixes
ID Number | Severity | Solution Article(s) | Description
749545 | 3-Major | | Devices > BACK UP & RESTORE > Backup Files screen filter returns no results
BIG-IQ System User Interface Fixes
ID Number | Severity | Solution Article(s) | Description
754887 | 2-Critical | | Managing users, user groups, and roles may cause the page to hang when managing large, complex sets of objects
790177 | 4-Minor | | BIG-IQ data collection devices logging maxConcurrentShardRequests errors
781873 | 4-Minor | | BIG-IQ high availability configuration containing a quotation mark as the root password
751734 | 4-Minor | | TCP port 9300 required for adding a DCD in Azure
BIG-IQ Access Fixes
ID Number | Severity | Solution Article(s) | Description
759889 | 3-Major | | Access - Visual Policy Editor branch rule advanced expression not saving
BIG-IQ Local Traffic & Management Fixes
ID Number | Severity | Solution Article(s) | Description
772213 | 3-Major | | BIG-IQ cannot deploy interface while BIG-IP changes it out of band
758639 | 3-Major | | Unsetting property overrides for the Analytics Http profile
708410 | 4-Minor | | LTM discover fails due to NullPointerException
AppIQ Fixes
ID Number | Severity | Solution Article(s) | Description
782329 | 2-Critical | | Re-enabling statistics collection
757423 | 2-Critical | | Statistics collected from devices in sync/failover clusters
803757-1 | 3-Major | | DoS Attack page displaying empty charts
780385 | 3-Major | | Health alerts returned for application named "N/A"
778437 | 3-Major | | BIG-IQ setting wrong stats related configuration on BIG-IP platforms
777329 | 3-Major | | Source ID pattern accepts colons
753755 | 3-Major | | Device statistics stop working after restoring BIG-IQ from a UCS
752153 | 3-Major | | UCS backup failed on /var/config/rethinkdb/data
752144 | 3-Major | | Purging old RethinkDB backup and log files
723514-1 | 3-Major | | Possibility for misconfiguration of BIG-IQ console address on DCD
BIG-IQ Configuration - Infrastructure Fixes
ID Number | Severity | Solution Article(s) | Description
755832 | 3-Major | | Error displays when BIG-IP devices are removed from a cluster
753871 | 3-Major | | Device import and reimport of a clustered device fail after the device's machine id is changed
799217 | 4-Minor | | iApp configured objects return an error message when viewing
717301 | 4-Minor | | Device with short form of IPv6 address fails to add to the cluster
BIG-IQ Device Management Fixes
ID Number | Severity | Solution Article(s) | Description
753333 | 3-Major | | Updating description for a UCS backup through an API removes expirationDateTime
BIG-IQ DNS Management Fixes
ID Number | Severity | Solution Article(s) | Description
772157 | 3-Major | | Saving a GSLB Topology region with a state name that has more than 2 words
781633 | 4-Minor | | iRule object names should not contain spaces
BIG-IQ Fraud Protection Service (FPS) Fixes
ID Number | Severity | Solution Article(s) | Description
755662 | 3-Major | | FPS rules not working on Injected Scripts and Forbidden words
752167 | 3-Major | | Transform rules fail to push if the post data is too large for webd on the DCD
BIG-IQ Network Security Fixes
ID Number | Severity | Solution Article(s) | Description
800593 | 2-Critical | | BIG-IQ cannot discover AFM service on BIG-IP devices v14.1.0.5-14.1.0.7 if AFM IPS is not licensed
770109-1 | 3-Major | | The daily-hour-end field for a network firewall schedule is different when deployed from BIG-IQ vs one configured on the BIG-IP itself
760598-1 | 3-Major | | Configuring a NAT Policy with mixed IPv4 and IPv6 addresses
757773 | 3-Major | | Import for BIG-IQ AFM service when the firewall policy includes specific protocol
751852 | 4-Minor | | Warning for AFM SNAT policy parameter mismatch
REST Framework and TMOS Platform Fixes
ID Number | Severity | Solution Article(s) | Description
759073 | 2-Critical | | "Timer already cancelled" errors logged
758132 | 3-Major | | Stats agent re-installs occurring if no DCDs are available for BIG-IP system in given zone
756737 | 3-Major | | Decrease grooming interval for stats agent installation tasks
756373 | 3-Major | | Upgrade might fail if all audit loggers are not the same kind
755021 | 3-Major | | Related items for some types of objects might be limited to 3
751196 | 3-Major | | Administrator users cannot modify user groups of which they are a member
750274 | 3-Major | | Azure SSG creation with WAF BIG-IPs does not complete successfully
745882 | 3-Major | | Tokumond service restarts due to exhausted memory heap
764745 | 4-Minor | | BIG-IQ is unavailable when accessing it over a VPN with http/2 enabled
756283 | 4-Minor | | Faster login to BIG-IQ when using an LDAP auth provider backed by a large directory
756006 | 4-Minor | | Add online help on correct routing to DCD services
BIG-IQ Web Application Security (ASM) Fixes
ID Number | Severity | Solution Article(s) | Description
785881 | 3-Major | | Creating a Web Application Security child policy
753730 | 3-Major | | Downloading signature file through proxy when two proxy objects are configured with the same name
752961 | 3-Major | | ASM policy: Creating IP address with route domain indication strips the route domain from the IP address
752959 | 3-Major | | Route domains in ASM Policy IP addresses
752957 | 3-Major | | Deploying changes to Policy IPs using route domains
779293 | 4-Minor | | Special characters in ASM event logs preventing export to CSV
BIG-IQ Application Management Fixes
ID Number | Severity | Solution Article(s) | Description
752202-1 | 3-Major | | Creating application from a template after upgrading
757327 | 4-Minor | | Profile selection in application creation page cannot be filtered by partition
Cumulative fix details for BIG-IQ CM v7.0.0 that are included in this release
803757-1 : DoS Attack page displaying empty charts
Component: AppIQ
Symptoms:
When accessing the DOS detailed attack screen using the back option, empty charts display.
Conditions:
This issue occurs only when accessing the screen by clicking on the "back" option of another page and going back to the DOS detailed attack page.
For example, when you initially access a DOS attack details page, charts are displayed normally.
If you then click on attack-vector/protected object/dos-profile and go to another page, then click back, the charts no longer display.
Impact:
Statistical data does not appear.
Workaround:
To work around this, navigate to the main DOS dashboard and click the desired attack from there. All charts display correctly.
800593 : BIG-IQ cannot discover AFM service on BIG-IP devices v14.1.0.5-14.1.0.7 if AFM IPS is not licensed
Component: BIG-IQ Network Security
Symptoms:
BIG-IQ is unable to discover the AFM service for BIG-IP devices running version 14.1.0.5-14.1.0.7 that do not have an AFM IPS license.
Conditions:
AFM discovery of BIG-IP versions 14.1.0.5-14.1.0.7 without an AFM IPS license (only regular AFM).
Impact:
BIG-IQ will not support AFM module management.
Workaround:
Install an AFM IPS license ("Intrusion Detection & Prevention System, VE-HP" or "Intrusion Prevention System" as it appears in the license site) to the relevant BIG-IP devices.
799217 : iApp configured objects return an error message when viewing
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
After discovering and importing a BIG-IP device with iApp-created profiles, BIG-IQ returns the following error when you attempt to view those objects.
"Unsupported config type VERSIONED for ..."
Conditions:
When managing iApp-created objects from BIG-IQ.
Impact:
You cannot view LTM objects like profile.
Workaround:
This issue is now fixed; the error no longer occurs.
790177 : BIG-IQ data collection devices logging maxConcurrentShardRequests errors
Component: BIG-IQ System User Interface
Symptoms:
When removing the last BIG-IQ DCD in a cluster, maxConcurrentShardRequests log messages occur.
Conditions:
This happens when you remove the last BIG-IQ DCD in a cluster.
Impact:
This issue is cosmetic only.
Workaround:
To work around this issue:
1) From the command line, send a GET request to /cm/adc-core/current-config/stats-refresh.
2) Copy the full returned body.
3) Change the "useAppIqDcd" flag:
   a) If you have added the first DCD, change the flag to 'true'.
   b) If you have removed the last DCD, change the flag to 'false'.
   Note: if the flag is already set to the correct value, no further action is required.
4) Send a PUT request to /cm/adc-core/current-config/stats-refresh with the updated body.
788649 : Times displayed in the BIG-IQ UI might be off by one hour for users in the CLT timezone
Component: BIG-IQ Monitoring - Alerts & Notifications
Symptoms:
BIG-IQ converts GMT timestamps into local time based on the timezone set on your local computer. While data stored on the BIG-IQ is correct, the time the computer displays may be off by one hour if you are using the Chile Standard Time (CLT) timezone on your local computer.
Conditions:
-- Your computer is using the CLT timezone.
-- Viewing time in the browser.
Impact:
The times displayed in the web browser are offset by one hour.
Workaround:
Change the timezone on your local BIG-IQ to a timezone with the same time offset from GMT, such as EDT.
785881 : Creating a Web Application Security child policy
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
When trying to create a Web Application Security child policy with case sensitivity set to "No", BIG-IQ displays an error and you cannot save the policy.
Conditions:
Parent Policy set to Case sensitive "No"
Impact:
Cannot create a child policy from a parent policy with case sensitivity set to "No".
Workaround:
You can work around this issue by sending the right parameters to the REST API, which creates the child policy as expected.
Fix:
This issue has been fixed and no longer occurs.
782329 : Re-enabling statistics collection
Component: AppIQ
Symptoms:
Stats collection for one or more devices is repeatedly reconfigured.
Conditions:
When BIG-IQ detects that stats collection might fail for a particular BIG-IP device, it attempts to reconfigure stats collection for that device. Under certain conditions, false positives can result in repeated reconfiguration events.
Impact:
CPU/memory for stats reconfigure task, repeated log messages, gaps in stats collection.
Fix:
This issue no longer occurs.
782237 : Event logs filter having special characters fails to provide results
Component: BIG-IQ Monitoring - Logs
Symptoms:
If you create an Event Logs advanced filter with a value that contains parentheses, the filter fails.
Conditions:
Selecting a value in the advanced filter that contains parentheses. For example "Cross Site Scripting (XSS)"
Impact:
You cannot use the advanced filter to search values containing parentheses.
Workaround:
If the filter you need includes other fields from the advanced filter, fill in the advanced filter with all the relevant terms, apply it, and then type the parenthesized value manually in the standard filter box. This combines both filters and returns the expected result.
Fix:
You can now use parentheses in an advanced filter.
781873 : BIG-IQ high availability configuration containing a quotation mark as the root password
Component: BIG-IQ System User Interface
Symptoms:
If the root password for a BIG-IQ in a high availability configuration contains a quote (single ' or double "), pairing might fail when establishing SSH trust between the active BIG-IQ and the standby BIG-IQ.
Conditions:
Root passwords like abc'123 or xyz321" on the standby BIG-IQ cause an error when it is added to the active BIG-IQ.
Impact:
Unable to create an HA pair when the root password has a ' or ".
Workaround:
To work around this issue, remove quotation marks in the BIG-IQ root password.
Fix:
Starting in BIG-IQ version 7.0, special characters are allowed in the BIG-IQ root password.
781633 : iRule object names should not contain spaces.
Component: BIG-IQ DNS Management
Symptoms:
If a BIG-IP DNS Wide IP A object references an iRule with a name that contains space characters (" "), discovering and importing that BIG-IP device's configuration fails with a NullPointerException error.
Conditions:
-- A BIG-IP has an iRule configuration object whose name contains space characters.
-- On BIG-IP, a DNS Wide IP A config object is configured to use that iRule config object.
-- BIG-IQ attempts to discover & import the BIG-IP device's configuration.
Here is an example of the BIG-IP configuration:
    gtm wideip a /Common/americas.sftp.example.com {
        pools {
            /Common/ame.sftp {
                order 0
            }
        }
        rules {
            "/Common/americas internal sftp access" <=== name with spaces
        }
    }
Impact:
BIG-IQ cannot discover & import the configuration of the BIG-IP device with an iRule that contains a space character in the name.
Workaround:
1. Create a new iRule object with the same configuration data, but change its name to use dash ("-") or underline ("_") instead of spaces.
2. Identify other configuration objects that reference the problematic iRule object, and change them to reference the new iRule object created above.
780385 : Health alerts returned for application named "N/A"
Component: AppIQ
Symptoms:
Virtual servers that are not a part of an application produce health alerts for an application named "N/A".
Conditions:
Virtual servers that are not a part of any application are in an unhealthy state. For example, the percent of incomplete transactions is above the configured threshold.
Impact:
Redundant alerts happen.
Fix:
This issue no longer occurs.
779293 : Special characters in ASM event logs preventing export to CSV
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
If a managed BIG-IP device sends a log with a signature name that starts with a special character, BIG-IQ displays an empty field for the signature name when exporting it to a CSV file.
Conditions:
When a signature file starts with a special character and BIG-IP sends a log to BIG-IQ that contains that signature file.
Impact:
The name field is empty for the signature file in an exported CSV file for that log.
Fix:
This issue no longer occurs.
778437 : BIG-IQ setting wrong stats related configuration on BIG-IP platforms
Component: AppIQ
Symptoms:
When collecting BIG-IP stats, BIG-IQ reduces the number of entities AVR is sending.
BIG-IQ sets telemetry-related configuration on the BIG-IP devices that are connected to it.
For BIG-IP platform machines, BIG-IQ does not set the correct configuration and it can cause BIG-IP to send a large amount of telemetry information to BIG-IQ. This can result in BIG-IQ being flooded with information that it cannot save.
Conditions:
When the BIG-IP platform is sending statistics to BIG-IQ.
Impact:
Potential high cpu/memory/disk load on the BIG-IQ DCDs and console.
Workaround:
To work around this issue, run the following command in the BIG-IP:
tmsh modify sys db avr.stats.internal.maxentitiespertable value 2000
Then restart avrd.
Fix:
BIG-IQ now sets the correct configuration on BIG-IP, telemetry information sent from BIG-IP is tuned to correct levels and this issue no longer occurs.
777329 : Source ID pattern accepts colons
Component: AppIQ
Symptoms:
Registering a BIG-IP by the Analytics system fails when the source ID contains colons.
Conditions:
1. BIG-IQ system with DCDs
2. Statistics collection enabled for a specific BIG-IP
3. The ID of the BIG-IP (source) contains colons
Impact:
BIG-IP statistics are not available to the DCD.
Fix:
Source ID pattern now accepts inclusion of colons.
772213 : BIG-IQ cannot deploy interface while BIG-IP changes it out of band
Component: BIG-IQ Local Traffic & Management
Symptoms:
vCMP guest interfaces are managed by the vCMP host and may change 'out of band' from the configuration maintained on BIG-IQ. When these interfaces change, BIG-IQ attempts to revert them, which results in an error from the BIG-IP system.
Conditions:
-- vCMP guest managed by BIG-IQ.
-- Reboot the vCMP host.
Impact:
Interfaces change. BIG-IQ cannot deploy configurations to vCMP guests hosted on that BIG-IP system.
Workaround:
Have the BIG-IQ rediscover the managed device to bring in the new interface configuration from the BIG-IP system.
Fix:
BIG-IQ no longer manages physical interfaces for vCMP guests, so this issue no longer occurs.
772157 : Saving a GSLB Topology region with a state name that has more than 2 words
Component: BIG-IQ DNS Management
Symptoms:
If you choose a GSLB Topology region that has a state name with more than 2 words, you cannot save the region.
Conditions:
When a state for a GSLB topology region has more than 2 words.
Impact:
Cannot save the region.
Workaround:
There is no workaround.
Fix:
BIG-IQ now supports GSLB Topology region state names that have more than 2 words.
770109-1 : The daily-hour-end field for a network firewall schedule is different when deployed from BIG-IQ vs one configured on the BIG-IP itself
Component: BIG-IQ Network Security
Symptoms:
If you set a new rule schedule for a BIG-IP device from BIG-IQ with All Day selected for the Time Range, BIG-IQ incorrectly schedules the rule from 00:00 to 23:59 instead of from 00:00 to 24:00.
Conditions:
This happens when a rule is scheduled with the Time Range of All Day.
Impact:
This prompts an automatic deployment at 23:59 that disables the rule. When the second deployment happens, it should re-activate the rule at 00:00, but this often doesn't happen because the deployment can take up to 6-7 minutes. This causes the rule to be deactivated.
Workaround:
To work around this issue, reconfigure the rule directly on the BIG-IP device.
Fix:
This bug is fixed at BIG-IQ 7.0.
769877 : Partial deployment fails to detach ASM policies from a virtual server
Component: BIG-IQ Configuration - Local Traffic
Symptoms:
If you attach a policy to a single virtual server on a specific BIG-IP device, remove the policy, and then perform a partial deployment, the policy remains on the virtual server.
Conditions:
On BIG-IP: A policy is attached only to one virtual server on the BIG-IP device.
From BIG-IQ: Partially deploy after removing the policy from the virtual server.
Impact:
The policy remains attached to the virtual server after the partial deployment.
Workaround:
To work around this issue, perform a full deployment.
769189 : BIG-IP Devices page might not display discovered BIG-IP devices in environments with large numbers of devices and/or large numbers of device groups
Component: BIG-IQ Device User Interface
Symptoms:
The BIG-IP Devices page might fail to display data under certain circumstances, such as when you use the dropdown menu at the left corner of the page to select a Device Group.
Conditions:
When a large number of BIG-IP devices are discovered, or you have a lot of custom Device Groups.
Note: There is no way to predict exact numbers because it can vary by environment. One BIG-IQ with 100 devices configured in 10 or more device groups might show no impact if there is no traffic. If fewer devices are discovered and each device has a lot of activity, the load on the BIG-IQ might lead to latency.
Impact:
The BIG-IP Devices page may not show the list of BIG-IP devices.
Workaround:
To view grouped devices:
1. Navigate to the Device Groups page.
2. Click the link for the Device Group.
The page for that Device Group lists all of the BIG-IP Devices it contains.
764745 : BIG-IQ is unavailable when accessing it over a VPN with http/2 enabled
Component: REST Framework and TMOS Platform
Symptoms:
BIG-IQ is shipped with http/2 enabled. Under certain circumstances, you might not be able to access BIG-IQ over a VPN and you will see a "User Session Terminated" message.
Conditions:
When you try to access a BIG-IQ over a VPN.
Impact:
You cannot access BIG-IQ.
Workaround:
To work around this issue, edit the /etc/webd/webd.conf file. Look for these two lines:
listen [::]:443 ipv6only=on ssl http2;
listen *:443 ssl http2;
Remove http2 references so the lines now read:
listen [::]:443 ipv6only=on ssl;
listen *:443 ssl;
Then, from the BIG-IQ's console, run "bigstart restart webd".
webd restarts, which should only take a few seconds.
Fix:
http/2 is now disabled by default so this issue no longer occurs.
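The webd.conf edit in the 764745 workaround, as an added shell example that is not part of F5's release note or of BIG-IQ itself: it removes the http2 token from webd listen directives only, leaves every other line alone, and verifies the result before reporting success. It runs on a constructed copy of the two listen lines quoted above; the function names, the extra comment line in the sample, and the ".bak" backup suffix are assumptions.

```shell
#!/bin/sh
# Added example (not F5 code): remove "http2" from webd listen directives,
# the manual edit the 764745 workaround describes for /etc/webd/webd.conf.

# Constructed sample: the two listen lines quoted in the workaround, plus a
# comment line (not from the page) to show that only listen directives change.
SAMPLE_CONF='listen [::]:443 ipv6only=on ssl http2;
listen *:443 ssl http2;
# comment mentioning http2 is left alone'

# Filter stdin to stdout: drop a standalone http2 token, but only on lines
# that are listen directives, so comments and other directives stay intact.
strip_http2() {
    sed -E '/^[[:space:]]*listen[[:space:]]/ s/[[:space:]]+http2([[:space:];])/\1/g'
}

# Exit status 0 if any listen directive on stdin still enables http2.
listen_has_http2() {
    grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]http2[[:space:];]'
}

# Hypothetical helper: apply the edit to a real config file in place, keeping a
# backup beside it, and refuse to report success if http2 is still enabled.
# Not run automatically here; restart webd afterwards as the workaround says.
disable_webd_http2() {
    conf="${1:-/etc/webd/webd.conf}"
    cp "$conf" "$conf.bak" || return 1
    strip_http2 < "$conf.bak" > "$conf" || return 1
    if listen_has_http2 < "$conf"; then
        echo "http2 still present in $conf" >&2
        return 1
    fi
    echo "edited $conf (backup at $conf.bak); now run: bigstart restart webd"
}

# Stand-alone run on the constructed sample: prints the two listen lines
# without http2 and the untouched comment line.
printf '%s\n' "$SAMPLE_CONF" | strip_http2
```

To use it against a BIG-IQ, source the script and call `disable_webd_http2` (optionally with a different path); the backup lets you restore the original listen lines once the upgrade to 7.0 makes the edit unnecessary.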
760598-1 : Configuring a NAT Policy with mixed IPv4 and IPv6 addresses
Component: BIG-IQ Network Security
Symptoms:
If you configure an APM NAT policy with a mix of IPv4 and IPv6 addresses, deployment from BIG-IQ fails.
Conditions:
If you use a combination of IPv4 and IPv6 addresses in a NAT policy.
Impact:
Deployment fails.
Workaround:
Configure valid addresses for the APM NAT policy.
Fix:
BIG-IQ now issues a REST response error:
"Cannot configure a mix of IPV4 and IPV6 address(es) in this obj"
759889 : Access - Visual Policy Editor branch rule advanced expression not saving
Component: BIG-IQ Access
Symptoms:
When you try to use an advanced expression for a branch rule in Visual Policy Editor, it doesn't save the changes.
Conditions:
Add or edit an existing policy item's branch rule advanced expression and save. It does not save. If you reopen the policy, the changes are lost.
Impact:
You could use only the Simple expression builder.
Workaround:
This issue is now fixed. You will be able to use both Simple expression and custom Advanced expression in policy item branch rule setup.
759409 : Improved image upload chunk size from 256kb to 4MB.
Component: BIG-IQ Device User Interface
Symptoms:
Uploading an ISO image to Device->SOFTWARE MANAGEMENT->Software Images can sometimes be slow.
Conditions:
This can happen when you upload an image to BIG-IQ that is greater than 256KB in size.
Impact:
The upload for the image is slow.
Fix:
You can now upload images in chunks of 4MB instead of 256KB, which improves the speed of uploading images.
759073 : "Timer already cancelled" errors logged
Component: REST Framework and TMOS Platform
Symptoms:
Logs filled with "Timer already cancelled" errors.
Conditions:
This happens because the internal timer fails to reschedule due to memory pressure.
Impact:
Some critical internal tasks do not run, logs get filled with errors.
Fix:
This issue no longer occurs. BIG-IQ now checks for a failed timer schedule and re-creates it when needed.
758863 : Device list shows "Filtered by [term]", but contains all devices
Component: BIG-IQ Device User Interface
Symptoms:
If you apply a filter on the Device page and go back to the properties page of a device in the list, the filter still displays as applied, but all the devices are displayed in the list.
Conditions:
This happens if you click "go back" arrow from the device properties page to get back to the device list page.
Impact:
The devices aren't filtered, even though the filter displays as applied.
Workaround:
Re-apply the filter on the Device list page.
Fix:
This issue is now fixed and BIG-IQ properly applies the filter.
758639 : Unsetting property overrides for the Analytics Http profile
Component: BIG-IQ Local Traffic & Management
Symptoms:
BIG-IQ displays an error if you unset overrides of some Analytics Http profile properties.
Conditions:
You override one of these Analytics Http profile properties:
-- notificationEmailAddresses
-- ipsForStatCollection
-- countriesForStatCollection
-- urlsForStatCollection
Impact:
You cannot unset overrides for a property that is defined as a string array. In other words, those properties cannot simply be copied from their parent profile as is. Once they are set, you must set them to the right values for the current instance.
Workaround:
Set the values in the current (child) profile correctly.
758132 : Stats agent re-installs occurring if no DCDs are available for BIG-IP system in given zone
Component: REST Framework and TMOS Platform
Symptoms:
If a BIG-IP system is inadvertently assigned to a zone with no DCDs, BIG-IQ repeatedly attempts to reconfigure stats for that device.
Conditions:
No DCDs in zone assigned to the BIG-IP system.
Impact:
Stats are not collected from the device. Repeated reconfiguration of stats impacts CPU/memory. Repeated log messages.
Workaround:
None.
Fix:
If there are no available DCDs for a BIG-IP system in a given zone, stats are unconfigured for that device, a log message is issued, and an 'unassigned device' alert is generated.
757773 : Import for BIG-IQ AFM service when the firewall policy includes specific protocol
Component: BIG-IQ Network Security
Symptoms:
An AFM import into BIG-IQ fails if one of the imported firewall policies contains: ipv4 (previously, ipencap), crudp (previously, crdup), wesp, rohc, or mobility-header.
Conditions:
Policies contain: ipv4 (previously, ipencap), crudp (previously, crdup), wesp, rohc, or mobility-header.
Impact:
AFM import fails.
Workaround:
From the BIG-IQ UI:
1. The ipencap protocol shows as "ipv4 (ipencap)".
2. The crudp protocol shows as crdup.
3. The wesp, rohc, and mobility-header protocols are shown by their numbers rather than by their names.
757423 : Statistics collected from devices in sync/failover clusters
Component: AppIQ
Symptoms:
When managed BIG-IP devices are configured in a DSC group, BIG-IQ does not collect statistics from all managed devices.
Conditions:
Statistics collection enabled for managed BIG-IP devices in a DSC group.
Impact:
Statistics are not collected for all the managed BIG-IP devices. In addition, the managed BIG-IP devices get into an out-of-sync config state that is displayed to the user as a state that needs attention.
Fix:
This issue is fixed in BIG-IQ version 7.0, for managed BIG-IP devices running the following versions:
13.1.2.0+ or a later 13.1.x version
14.1.0.7+ or a later 14.1.x version
15.0.0.1+ or a later 15.0.x version
757327 : Profile selection in application creation page cannot be filtered by partition
Component: BIG-IQ Application Management
Symptoms:
Profile dropdowns in service catalog app creation page cannot be filtered by a partition or /.
Conditions:
When you create a service catalog template with a virtual server that has an editable profile field (such as an HTTP profile), and then create an application from that template, you can select an HTTP profile from the menu, but the menu can be filtered only by the profile name. If you try to filter by partition or /, it will not work.
Impact:
Profiles that are in different partitions but have the same name will not be filterable in the menu.
Workaround:
Make sure your profile names are unique across partitions.
Fix:
A filter using capitalization will work, but filtering by / or partition is still not possible; the objects are designed to be filtered by name only.
756737 : Decrease grooming interval for stats agent installation tasks
Component: REST Framework and TMOS Platform
Symptoms:
Logs include many info messages:
[INFO]...[/shared/index/config StorageQueryWorker] toku failed sorting query '$orderby=lastUpdateMicros+desc&kind=cm:shared:stats-mgmt:agent-install-and-config-task:agentinstallandconfigtaskstate&parentContext... sending to legacy indexer (Query failed with error code 10128 and error message 'too much data for sort() with no index. add an index or specify a smaller limit' on server localhost:27017)
Conditions:
Old task data retained in database.
Impact:
If there are a number of BIG-IP systems under management, this historical data might grow too large for the database to sort correctly. There might be database errors, log errors, CPU/memory pressure.
Workaround:
None.
Fix:
Refined interval to a smaller value to prevent this from occurring.
756373 : Upgrade might fail if all audit loggers are not the same kind
Component: REST Framework and TMOS Platform
Symptoms:
Upgrading from BIG-IQ version 5.4 might fail if all the audit loggers are not the same type.
Conditions:
Upgrading when all audit loggers are not the same type.
Impact:
Upgrade fails.
Workaround:
1. Reboot back to BIG-IQ version 5.4.
2. Remove all device audit loggers by typing the command:
restcurl -X DELETE /cm/device/audit-logger
3. Upgrade the BIG-IQ software version again.
Fix:
Upgrade from 5.4 is now successful under these conditions.
756283 : Faster login to BIG-IQ when using an LDAP auth provider backed by a large directory
Component: REST Framework and TMOS Platform
Symptoms:
When a BIG-IQ user is authenticated against an LDAP auth provider, the auth provider retrieves from the LDAP directory all the groups the user is a member of, to determine authorization. If the directory is very large, the query returns a large amount of data, therefore the operation may be slow, leading to a slow authentication.
Conditions:
The external LDAP directory contains a large number of entries, specifically user groups, which are themselves large.
Impact:
Slow authentication.
Workaround:
None.
Fix:
In 7.0, we optimized the LDAP query so that it returns a smaller result, therefore it is faster and uses less memory. This leads to improved authentication time.
756006 : Add online help on correct routing to DCD services
Component: REST Framework and TMOS Platform
Symptoms:
There is not enough information in the online help for DCD routing.
Conditions:
Looking for online help for routing to DCD services.
Impact:
This might make it difficult to debug stats collection problems due to lack of a route from BIG-IP to the DCD.
Workaround:
Online help added.
Fix:
There is now a note in the online help to describe the routing requirement.
755992 : SSL Profile field missing from HTTPS monitor
Component: BIG-IQ Configuration - Local Traffic
Symptoms:
When creating an HTTPS monitor from BIG-IQ, the SSL Profile field is missing.
Conditions:
When you try to create an HTTPS monitor from BIG-IQ.
Impact:
You cannot create an HTTPS monitor from the UI that requires a cert and key, because you cannot configure the server SSL profile.
Workaround:
To work around this issue, you can configure the monitor from the API.
Fix:
The SSL Profile field for the HTTPS monitor now displays from BIG-IQ.
Behavior Change:
You can now configure the SSL profile introduced in BIG-IP v13 for an HTTPS monitor from BIG-IQ.
755832 : Error displays when BIG-IP devices are removed from a cluster
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
When devices in a cluster are removed quickly, you might see an error on the Device page when a device is added back.
This is only a display issue; everything is eventually cleaned up during the removal.
Conditions:
When you remove devices in a cluster.
Impact:
An error is displayed on the Devices page. This is only a display issue; everything is eventually cleaned up during the removal.
Workaround:
Remove the devices in a cluster one after the other.
755662 : FPS rules not working on Injected Scripts and Forbidden words
Component: BIG-IQ Fraud Protection Service (FPS)
Symptoms:
When an FPS profile rule is set up with a Web Injection trigger and a redirect action, triggering the rule sends an alert, but the configured action (redirect) does not happen.
Conditions:
FPS profile with a Web Injection rule with the following configuration:
Minimum score to perform action = 0
Action = Redirect to URL
URL = http://<VS_IP>
Impact:
The redirect does not happen as expected.
Fix:
This issue is now fixed and the redirect happens as it should.
755021 : Related items for some types of objects might be limited to 3
Component: REST Framework and TMOS Platform
Symptoms:
While viewing the preview and related objects for an object, the list of related items might incorrectly be limited to 3 related items of each object type.
Conditions:
Viewing the preview of related objects.
Impact:
The list is limited to 3.
754887 : Managing users, user groups, and roles may cause the page to hang when managing large, complex sets of objects
Component: BIG-IQ System User Interface
Symptoms:
Large data sets of users, user groups, roles, and role types can cause the associated pages to load slowly and sometimes become non-responsive.
Conditions:
When BIG-IQ is managing large sets of users, user groups, roles, and role types.
Impact:
BIG-IQ might become unresponsive.
Workaround:
All of these objects can be managed directly via the BIG-IQ REST API.
753871 : Device import and reimport of a clustered device fail after the device's machine id is changed
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
Device import and reimport fail with an error message:
Failed to synchronize clustered devices; reason: Device sync failed from device hostname (address) to device hostname (address): no message: java.lang.NullPointerException.
Conditions:
-- The device is a cluster.
-- The machine ID is changed when it is managed by BIG-IQ.
Impact:
Device import and reimport fail.
Workaround:
Remove the device from BIG-IQ and add it back.
753755 : Device statistics stop working after restoring BIG-IQ from a UCS
Component: AppIQ
Symptoms:
Following a UCS restore, RethinkDB fails to restart.
Conditions:
This happens after you restore BIG-IQ from a UCS.
Impact:
During a UCS restore, the restored files and the current files end up in the same directory, /var/config/rethinkdb/data. This corrupts the current files, which are then deleted or overwritten by the files from the UCS.
Workaround:
None.
Fix:
The UCS restore performs as expected. During a UCS restore, the /var/config/rethinkdb/data is automatically cleaned before files are copied from the UCS.
Due to architectural changes in BIG-IQ 7.0.0, this issue no longer occurs.
753730 : Downloading signature file through proxy when two proxy objects are configured with the same name
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
If two proxy objects have the same name, BIG-IQ cannot download the signature file.
Conditions:
Two proxy objects have the same name.
Impact:
BIG-IQ cannot download the signature file and the restjavad.0.log file reports the following error:
java.lang.Exception: No proxy object exists on Data Collection Device with the name <proxy name>
Workaround:
To work around the issue, give each proxy a unique name.
753333 : Updating description for a UCS backup through an API removes expirationDateTime
Component: BIG-IQ Device Management
Symptoms:
If you update a description of a UCS backup through the API, the expiration for the UCS backup in BIG-IQ is lost.
Conditions:
This occurs after updating the description of a backup via API using PATCH.
Impact:
As a result, the backup is not groomed as expected.
Workaround:
To work around this issue, include the backupLifeTime and expirationDateTime fields in the PATCH.
752961 : ASM policy: Creating IP address with route domain indication strips the route domain from the IP address
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
When creating an IP address with a route domain indication, the route domain part is stripped from the IP address and not saved.
Conditions:
Creating an IP address with route domain indication (%x).
Impact:
Cannot manage IP addresses with a route domain indication in BIG-IQ versions prior to 7.0.0.
Fix:
You can manage IP addresses with route domain indication.
752959 : Route domains in ASM Policy IP addresses
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
If you try to add an ASM Policy IP address with a route domain, you're unable to save the policy.
Conditions:
Adding ASM Policy IP addresses with route domains.
Impact:
Unable to save ASM Policy.
Workaround:
None.
Fix:
BIG-IQ now allows route domains in ASM Policy IP addresses.
752957 : Deploying changes to Policy IPs using route domains
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
Deploying changes to Policy IP addresses fails when using route domains.
Conditions:
Using route domains for Policy IP addresses.
Impact:
Deployment to BIG-IP devices fails.
Fix:
You can now successfully deploy Policy addresses with route domains.
752202-1 : Creating application from a template after upgrading★
Component: BIG-IQ Application Management
Symptoms:
After upgrading to BIG-IQ version 6.1.0, template fields (application name, node, virtual server, and so forth) only display for some service templates when creating an application.
Conditions:
This can happen after upgrading from BIG-IQ version 6.0 to 6.1 and then attempting to create an application using the Application Creator role.
Impact:
The Application Creator cannot create applications if they are part of a custom application creator role.
Workaround:
To resolve this issue, run the following POST on BIG-IQ after upgrading:
json='{"isUpdateAppCreatorRoleRequired":true}'
curl -X POST http://localhost:8100/shared/authorization/application-creator-roles-updater -d $json
752167 : Transform rules fail to push if the post data is too large for webd on the DCD
Component: BIG-IQ Fraud Protection Service (FPS)
Symptoms:
BIG-IQ fails to push transform rules if the post data is too large for webd on the DCD and returns an error similar to: "Failed to push alert rules to device 1.1.1.1: java.net.ProtocolException: status:413, body:<html...>"
Conditions:
The issue occurs when the overall data of the transform rules exceeds 16MB.
Impact:
The DCD devices do not apply transform rules. Due to this issue, transform rules are not being synced to the DCDs.
Workaround:
To work around this issue, edit /etc/webd/webd.conf to set client_max_body_size 128M and restart webd by running the 'bigstart restart webd' command.
752153 : UCS backup failed on /var/config/rethinkdb/data
Component: AppIQ
Symptoms:
UCS creation fails if there is a simultaneous RethinkDB data backup on /var/config/rethinkdb/data.
Conditions:
Perform a UCS backup on /var/config/rethinkdb/data while the rethinkdb service is undergoing updates or changes.
Impact:
UCS is not saved, and the following error messages are sent:
WARNING:There are error(s) during saving.
Not everything was saved.
Be very careful when using this saved file!
Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.
Fix:
When performing a UCS backup from the GUI or CLI, the RethinkDB service is automatically stopped until the /var/config/rethinkdb/data files are copied into the UCS. Once the UCS backup is complete, the RethinkDB service is automatically restarted.
Due to architectural changes in BIG-IQ 7.0.0, this issue no longer occurs.
752144 : Purging old RethinkDB backup and log files
Component: AppIQ
Symptoms:
BIG-IQ does not properly purge old RethinkDB backup and log directories (/var/config/appiq/rethinkdb_backup and /var/log/rethinkdb).
Conditions:
This occurs when running the following script, which manages the RethinkDB database backups, on the BIG-IQ console node: files/var/config/appiq/configserver/bin/manage_rethinkdb_backup.sh
Impact:
An error in a script prevents the system from purging old RethinkDB backup and log files. Over long periods of time, this might affect disk usage and inode usage.
Workaround:
None.
Fix:
BIG-IQ now retains log content for a specific number of days before purging, preventing high disk usage. Due to architectural changes in BIG-IQ 7.0.0, this issue no longer occurs.
751852 : Warning for AFM SNAT policy parameter mismatch
Component: BIG-IQ Network Security
Symptoms:
BIG-IQ does not generate a Warning verification log during deployment of AFM if a SNAT policy is a "Dynamic PAT" type and the source address count and source address translation count are different, or the destination address count and the destination address translation count are different.
Conditions:
When deploying AFM with a SNAT policy of type Dynamic PAT and either of the following conditions is true:
1. Source address count and source address translation count are different.
2. Destination address count and destination address translation count are different.
Impact:
BIG-IQ does not generate a warning as it should.
Workaround:
Make sure the address counts and address translation counts are identical before deploying AFM.
Fix:
If a customer has defined an AFM SNAT policy that is of "Dynamic PAT" type, then no Warning verification log will be generated during deploy if the source address count and source address translation count are different, or the destination address count and destination address translation count are different.
751734 : TCP port 9300 required for adding a DCD in Azure
Component: BIG-IQ System User Interface
Symptoms:
When you deploy BIG-IQ from Azure, port 9300 is not in the allowed ports.
Conditions:
This issue applies when you install the BIG-IQ template from the Azure store, attempt to add a DCD, and then attempt to change the port lockdown settings.
Impact:
You will be unable to add a DCD in the Azure environment because the port is required.
Workaround:
There is no TMSH command to change this. The only way to change it is to manually edit the BIG-IQ configuration file.
Fix:
Port 9300 is now added to the self-allow defaults.
751196 : Administrator users cannot modify user groups of which they are a member
Component: REST Framework and TMOS Platform
Symptoms:
When saving changes to a user group you are a part of, the save operation fails with a message:
PUT to /mgmt/cm/system/authn/providers/radius/[some_uuid]/user-groups/[some_other_uuid] is unauthorized.
Conditions:
-- Active user is configured with the Administrators Role.
-- That user is in a user group.
-- That user then attempts to edit the user group.
Impact:
Edits to the user group fail, making the user group almost uneditable.
Workaround:
The user group can be edited by logging in as a different administrator user who is not in the user group.
This may or may not be feasible for third-party authentication users, but should be available for the default local admin, 'admin'.
Fix:
All Administrator users can now edit all user groups, even if they are a member of the user group being edited.
750274 : Azure SSG creation with WAF BIG-IP's does not complete successfully
Component: REST Framework and TMOS Platform
Symptoms:
A service scaling group (SSG) created with BIG-IP VE devices running the WAF service in an Azure environment sometimes fails in a Pause state.
Conditions:
When an SSG is created in an Azure environment with BIG-IP VE devices running WAF.
Impact:
The SSG is created but not functional.
Workaround:
To work around this, you must recreate the SSG.
Fix:
BIG-IQ now checks for the ASM service status in BIG-IP devices before trying to discover it.
749545 : Devices > BACK UP & RESTORE > Backup Files screen filter returns no results
Component: BIG-IQ Search
Symptoms:
From the Devices > BACK UP & RESTORE > Backup Files screen, the search filter currently returns no results.
Conditions:
Device contains one or more backup files.
Impact:
Filtering on backup files returns no results.
Workaround:
None.
Fix:
Filtering on backup files now returns the expected list of backup files.
745882 : Tokumond service restarts due to exhausted memory heap
Component: REST Framework and TMOS Platform
Symptoms:
The node daemon running the script tokumon.js restarts every few minutes due to memory issues, with the following error:
Core was generated by `/usr/bin/node --max_old_space_size=440 /usr/share/rest/tokumon/src/tokumon.js'
/var/log/tokumon/
FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
Conditions:
The issue happens when large audit logger documents exist, which causes memory issues.
Impact:
You cannot access BIG-IQ when this happens.
Workaround:
To work around this issue:
1. Remount /usr as read-write with the command:
# mount -o remount,rw /usr
2. Go to the directory below:
# cd /usr/share/rest/tokumon/config
3. Edit the file 'white-list.js' and remove the line that contains the string "audit-logger" (first, copy the line to the clipboard).
4. Edit 'black-list.js' and insert the copied line (which should be: '/audit-logger',) in line 3, right after the var definition.
5. Clean and restart tokumond by running these three commands:
# bigstart stop tokumond
# /usr/share/rest/tokumon/clean.sh
# bigstart start tokumond
6. Remount /usr as read-only:
# mount -o remount,ro /usr
Fix:
Tokumond service should continue without logging restarts.
723514-1 : Possibility for misconfiguration of BIG-IQ console address on DCD
Component: AppIQ
Symptoms:
The DCD may use the wrong address for the BIG-IQ console and thus cannot connect to RethinkDB. The primary symptom is that no stats are received from the affected DCD. On the DCD, the log file /var/log/appiq/agentmanager.log has entries showing that agentmanager cannot connect to RethinkDB on the console.
Conditions:
Configuring the discovery address on the console after discovering the DCD could trigger this condition.
Impact:
No stats are received from the affected DCD.
Workaround:
Restart restjavad on the console to correct this condition.
717301 : Device with short form of IPv6 address fails to add to the cluster
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
When BIG-IQ tries to discover a device and add it to a new cluster at the same time, the device fails to be added to the cluster.
Conditions:
BIG-IQ attempts to discover a device that has the short form of an IPv6 address and add it to a cluster.
Impact:
Device is not added to cluster.
Workaround:
Use only the long form of IPv6 addresses.
Fix:
Input IP address is now normalized as part of address validation.
708410 : LTM discover fails due to NullPointerException
Component: BIG-IQ Local Traffic & Management
Symptoms:
LTM discovery fails with an error:
Error while transforming Virtual Server, exception 'IllegalStateException' was returned with text 'java.lang.NullPointerException'.
Conditions:
This occurs when BIG-IP system has a virtual server but no virtual addresses.
Impact:
As a result, the BIG-IP system cannot be managed by BIG-IQ.
Workaround:
Creating a virtual address on the BIG-IP system allows LTM to be discovered successfully.
Fix:
BIG-IQ now supports managing BIG-IP systems with a virtual server but no virtual addresses.
669855 : Multiple Linux Kernel Vulnerabilities
Solution Article: K31603170
Known Issues in BIG-IQ CM v7.0.x
BIG-IQ Configuration - Access Issues
ID Number | Severity | Solution Article(s) | Description |
801793 | 3-Major | | Topologies list screen displaying "# of Services" as showing 0 for Existing App type topologies |
BIG-IQ Configuration - Security - Network Security Issues
ID Number | Severity | Solution Article(s) | Description |
788665 | 4-Minor | | Changing protocol to esp for a policy/rule list fails |
BIG-IQ Configuration - Security - Shared Security Issues
ID Number | Severity | Solution Article(s) | Description |
812717 | 3-Major | | Some logging profiles do not display after upgrading to BIG-IQ v7.0.0 |
BIG-IQ Device User Interface Issues
ID Number | Severity | Solution Article(s) | Description |
811785 | 1-Blocking | | Configuration pages may show a banner indicating that import conflicts must be resolved, but links to incorrect device |
801761 | 4-Minor | | Creating BIG-IP VE devices in an AWS and Azure environment |
BIG-IQ Monitoring - Dashboards & Reports Issues
ID Number | Severity | Solution Article(s) | Description |
806749 | 3-Major | | Bot Dashboards show negative numbers for "Browser Verification Challenge (Time out)" Mitigation events |
BIG-IQ Monitoring - Logs Issues
ID Number | Severity | Solution Article(s) | Description |
809149 | 3-Major | | Attempting to enable remote logging configuration |
BIG-IQ Access Issues
ID Number | Severity | Solution Article(s) | Description |
811129 | 4-Minor | | Drag and Drop policy rules does not save the modified order in Security Policy Page |
809725 | 4-Minor | | Security Policy through topology is not visible in BIG-IP when deployed from BIG-IQ |
809421 | 4-Minor | | Not able to save L2 Service if selected same VLAN in both FromBigIP VLAN and ToBigIP VLAN Configuration |
808865 | 4-Minor | | Rediscovery fails after import |
807385 | 4-Minor | | Egress gateway pool unselect empties the dropdown |
807257 | 4-Minor | | Topology deployment of type L3 Explicit proxy returns a Validation error for Access profile menu in Interception Rules page |
807081 | 4-Minor | | Selecting and deselecting a pool in an interception rule |
805593 | 4-Minor | | Deployment fails after editing deployed topology of type Existing App |
805533 | 4-Minor | | Device Overrides copies from the default after changing a security policy rule |
805689 | 5-Cosmetic | | SSLO Summary page has empty ssl card and security policy card |
BIG-IQ Local Traffic & Management Issues
ID Number | Severity | Solution Article(s) | Description |
707476-1 | 4-Minor | | String properties break into multiple lines |
AppIQ Issues
ID Number | Severity | Solution Article(s) | Description |
812065-1 | 3-Major | | Pools & pool-member stats are not collected after upgrade |
810341-1 | 3-Major | | L7 Security Dashboard does not show the number of Applications/Virtual-Servers with Bad Traffic Trend |
808333-1 | 3-Major | | Restricted application service data displayed in the Applications screen |
805473-1 | 3-Major | | DDoS protected object screen does not display applications |
805457-1 | 3-Major | | Error in UI and query service log when viewing raw DDoS attacks |
804601-1 | 3-Major | | Custom user role does not display application and application services statistics |
803789-1 | 3-Major | | DDoS protection summary - protected objects grid doesn't display virtual servers with the same name |
800605-1 | 3-Major | | Analytics screens temporarily display error messages |
804077-1 | 4-Minor | | Severity filters for DDoS protected objects do not filter |
802157-1 | 4-Minor | | Application Protection Mode is shown as "Not Protected" if it contains only DNS application service |
BIG-IQ Configuration - Infrastructure Issues
ID Number | Severity | Solution Article(s) | Description |
807897 | 3-Major | | Importing child cookie persistence profile |
799793 | 3-Major | | BIG-IP deployment fails when LTM config objects generated by SSLO |
BIG-IQ Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
808457 | 4-Minor | | Re-licensing a BIG-IP from a different license pool through onboarding fails |
797973 | 4-Minor | | AWS key pair left behind in AWS after deleting a BIG-IP VE |
781061 | 4-Minor | | Device Type is Unmanaged in license pool if the device is licensed by BIG-IQ before importing |
BIG-IQ DNS Management Issues
ID Number | Severity | Solution Article(s) | Description |
776593 | 3-Major | | BIG-IP devices might be reported as Unavailable with no reason provided |
BIG-IQ Network Security Issues
ID Number | Severity | Solution Article(s) | Description |
813181 | 3-Major | | Discovering BIG-IP devices with the AFM service and IPS configured |
REST Framework and TMOS Platform Issues
ID Number | Severity | Solution Article(s) | Description |
813121 | 3-Major | | URIs are not inflated error on deployment |
811773 | 3-Major | | BIG-IQ Web Application Security event log page does not list events after upgrade from 6.1 |
811121 | 3-Major | | BIG-IQ cannot onboard BIG-IP VE devices when BIG-IQ HA failover happens |
810925 | 3-Major | | Regkey Pool cannot be used to license AWS BIG-IP VE |
809761 | 3-Major | | Onboarding task for BIG-IP VE in AWS cloud might fail if the active BIG-IQ fails over to the standby BIG-IQ |
757809 | 3-Major | | Using the f5mku utility to modify the BIG-IQ master key is not supported |
753892 | 3-Major | | BIG-IQ UCS backup fails in Microsoft Azure deployments |
603979-8 | 3-Major | | Data transfer from the BIG-IP system self IP might be slow |
809609 | 4-Minor | | "Use Management Address for HA Peer Communication" for a BIG-IP in an auto failover HA configuration |
767621 | 4-Minor | | restjavad can keep partially downloaded files open indefinitely |
BIG-IQ Web Application Security (ASM) Issues
ID Number | Severity | Solution Article(s) | Description |
797801 | 3-Major | | Deployment fails if new hostname on parent policy |
778137 | 4-Minor | | If 'Differentiate between HTTP/WS and HTTPS/WSS URLs' setting is disabled on the BIG-IP system, deployment of URLs may fail |
BIG-IQ Application Management Issues
ID Number | Severity | Solution Article(s) | Description |
752722 | 2-Critical | | Deploying application services using some of the default templates to VMware SSG fails |
751785 | 2-Critical | | DCD zone for devices in a service scaling group (SSG) |
811013 | 3-Major | | Const property from schemaOverlay not used when deploying an AS3 app using that schemaOverlay |
809501 | 3-Major | | Adding a template to an existing custom application role |
808697 | 3-Major | | From BIG-IQ you can only select or input certain string types, even though the AS3 templates support other types |
808177 | 3-Major | | Azure service scaling group (SSG) does not support images with GOOD license bundle |
803221-1 | 3-Major | | Applications page - "Sort by: Name ascending" sorts tiles by descending order |
801833 | 3-Major | | Deleting AS3 Application Service may result in Unknown Error |
801625-1 | 3-Major | | Health/alerts/thresholds for the DNS application |
760242 | 3-Major | | Application cannot be deployed to VMware SSG |
752124 | 3-Major | | AS3 declarations with more than 10 tenants fail because the auth token expires |
811069 | 4-Minor | | Overriding deeply nested fields in AS3 Templates will appear at deployment time. |
804461 | 4-Minor | | AS3 application actions might fail with a "Public URI path not registered" error |
803101 | 4-Minor | | Application Viewer and Application Manager role users don't see the Applications tab |
802349 | 4-Minor | | Connection Refused errors may be seen on APPLICATIONS page |
Known Issue details for BIG-IQ CM v7.0.x
813181 : Discovering BIG-IP devices with the AFM service and IPS configured
Component: BIG-IQ Network Security
Symptoms:
BIG-IQ cannot discover BIG-IP devices with the AFM service and IPS (Protocol Inspection related objects) configured. As a result, if a BIG-IP has an Inspection Profile configured on a firewall rule or a virtual server, it fails to import.
Conditions:
BIG-IP has IPS (inspection profile) configured on an FW-Rule or a virtual server.
Impact:
1. From BIG-IQ, changing a firewall rule that contains an inspection profile fails with an error such as:
Validation failure: java.lang.IllegalStateException: fw-rule1 refers to nonexistent object (https://localhost/mgmt/cm/firewall/working-config/protocol-inspection/profiles/de357389-da99-3c79-83eb-76b8f6be5c17)
2. Deploying to the BIG-IP fails with an error like:
Failed
Difference operation failed: Object /Common/protocol_inspection_http-CLONE does not exist, URI https://localhost/mgmt/cm/firewall/current-config/protocol-inspection/profiles/c18f6ad8-f46e-3491-aecf-a64c5b16e8ba [KeyNotFoundException
Workaround:
IPS import/discovery is disabled by default. To work around this issue and discover BIG-IP devices with the AFM service and IPS configured, complete the following three steps:
1. Change the parameter protocolInspectionDisabled (inside afm -> ips) from true to false in /var/config/rest/config/restjavad.properties.json:
...
  "afm" :
  {
    "esListener" :
    {
      "serverThreadsCount": "0",
      "pipelineThreadsCount": "4",
      "batchSize": "500",
      "queueReadTimeoutMS": "1000",
      "inboundReadLimitBytes": "0",
      "inboundWriteLimitBytes": "0",
      "outboundReadLimitBytes": "0",
      "outboundWriteLimitBytes": "0",
      "trafficCheckIntervalMS": "600000",
      "connectionLimit": "0",
      "retryOnErrorCount": true
    },
    "ips" : {
      "protocolInspectionDisabled": false
    }
  },
...
2. Restart restjavad on the BIG-IQ CM by running:
bigstart restart restjavad
3. Re-discover/reimport the BIG-IP device with the AFM service.
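As an added example (not F5 code), the script below performs step 1 of this workaround in a way that is safe to run on a live system: it keeps a .bak copy of restjavad.properties.json, changes only afm.ips.protocolInspectionDisabled, refuses to invent the afm/ips sections if they are absent, and replaces the file atomically so an interrupted write cannot leave restjavad with a truncated configuration. The file path is the one named above; the file layout is assumed to match the fragment shown above, and SAMPLE_CONFIG is a constructed stand-in used only by demo_on_constructed_file so the script can be exercised offline.

```python
"""Flip afm.ips.protocolInspectionDisabled in restjavad.properties.json.

Added example, not F5 code. It performs step 1 of the workaround above:
read the JSON, keep a backup copy, set the flag, and write the file back
atomically so that an interrupted write cannot leave restjavad with a
truncated configuration. The path is the one named in the workaround;
the layout of the file is assumed to match the fragment shown above.
"""
import json
import os
import shutil
import tempfile

RESTJAVAD_PROPERTIES = "/var/config/rest/config/restjavad.properties.json"


def set_protocol_inspection_disabled(path=RESTJAVAD_PROPERTIES, disabled=False):
    """Set afm.ips.protocolInspectionDisabled and return the previous value.

    Raises KeyError if the afm or ips section is missing instead of
    creating it: a file without those sections is not the layout the
    workaround describes and should be inspected by hand.
    """
    with open(path, "r", encoding="utf-8") as fh:
        config = json.load(fh)

    ips = config["afm"]["ips"]  # KeyError if the layout differs
    previous = ips.get("protocolInspectionDisabled")
    if previous == disabled:
        return previous  # already set, leave the file untouched

    # Keep an untouched copy next to the original before changing anything.
    shutil.copy2(path, path + ".bak")
    ips["protocolInspectionDisabled"] = disabled

    # Write to a temporary file in the same directory and rename it over
    # the original; rename is atomic on POSIX, so a reader sees either the
    # old file or the new one, never a partially written file.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".restjavad.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        shutil.copymode(path, tmp_path)  # keep the original's permissions
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return previous


def read_protocol_inspection_disabled(path=RESTJAVAD_PROPERTIES):
    """Return the current value of afm.ips.protocolInspectionDisabled."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)["afm"]["ips"]["protocolInspectionDisabled"]


# Constructed sample shaped like the fragment in the workaround above; only
# the keys the example touches are reproduced.
SAMPLE_CONFIG = {
    "afm": {
        "esListener": {"serverThreadsCount": "0", "batchSize": "500"},
        "ips": {"protocolInspectionDisabled": True},
    }
}


def demo_on_constructed_file(directory=None):
    """Run the toggle against a throwaway copy of SAMPLE_CONFIG.

    Returns (value before, value after, whether the .bak copy exists).
    """
    directory = directory or tempfile.mkdtemp(prefix="restjavad-demo-")
    path = os.path.join(directory, "restjavad.properties.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_CONFIG, fh, indent=2)
    before = set_protocol_inspection_disabled(path)
    after = read_protocol_inspection_disabled(path)
    return before, after, os.path.exists(path + ".bak")


if __name__ == "__main__":
    # Against the real file this changes the running BIG-IQ's configuration;
    # restjavad still has to be restarted afterwards (step 2).
    previous = set_protocol_inspection_disabled()
    print("protocolInspectionDisabled: %r -> %r"
          % (previous, read_protocol_inspection_disabled()))
```

Run it as root on the BIG-IQ CM, then continue with steps 2 and 3. The .bak copy is what you restore (followed by another restjavad restart) if discovery with IPS objects turns out to be unwanted.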
813121 : URIs are not inflated error on deployment
Component: REST Framework and TMOS Platform
Symptoms:
If you create an evaluation without deploying it, and then discover a BIG-IP with some changes (deletions or detachments of shared device-specific objects) in the working configuration, deploying the existing evaluation fails with the error "URIs were not inflated".
Conditions:
Deleting or detaching shared objects from a specific BIG-IP device's object after evaluation and before deployment.
Impact:
Deployment fails.
Workaround:
Create a new evaluation and deployment.
812717 : Some logging profiles do not display after upgrading to BIG-IQ v7.0.0
Component: BIG-IQ Configuration - Security - Shared Security
Symptoms:
After an upgrade to BIG-IQ v7.0.0, some logging profiles do not display.
Conditions:
After upgrading to BIG-IQ v7.0.0.
Impact:
Some logging profiles do not display.
Workaround:
To work around this, from the BIG-IQ command line, run the following:
for item_id in 96a784ae-904c-340e-aa4b-700dd693e51b 9ac61bf5-cedf-3625-af0e-00f0a98a1cc0 d2a5fc31-d153-3fff-a8ea-97de03f95d97 f0a05642-f8ac-39e1-9f67-98fc6b8f4449 5ec7ef41-7938-384a-8489-f68df693c9b2; do restcurl -X PATCH /cm/security-shared/working-config/log-profiles/$item_id -d '{hidden:false}'; done
812065-1 : Pools & pool-member stats are not collected after upgrade
Component: AppIQ
Symptoms:
In some rare instances after upgrading to BIG-IQ version 7.0, BIG-IQ might not collect pool & pool-member statistics information.
Conditions:
When you upgrade from BIG-IQ version 6.x to 7.0.
To identify the presence of the issue, go to: Monitoring -> Dashboards -> Local Traffic -> Pools & Pool Members.
If stats are displayed, the upgrade process completed properly.
Impact:
Statistical information about pool and pool-member activities is not being collected and this information is not displayed in the corresponding dashboards.
Workaround:
The root cause of this problem is in ElasticSearch index mapping. To work around this issue, update the mapping manually:
1. Unzip the attachment and place it under /tmp on the CM.
2. Run ./fix_es_mapping.sh
New mapping definitions take effect after the index is switched, so it can take up to 1 hour before BIG-IQ can collect statistics.
811785 : Configuration pages may show a banner indicating that import conflicts must be resolved, but links to incorrect device
Component: BIG-IQ Device User Interface
Symptoms:
In environments where multiple import/re-import tasks have been run, Configuration pages may show a banner indicating that conflicts must be resolved with a link to an incorrect device.
Conditions:
-- BIG-IQ has discovered more than one BIG-IP device.
-- Configuration has been imported/re-imported from multiple devices.
-- One or more devices encountered conflicts during import/re-import that were not resolved.
Impact:
Configuration pages may be inaccessible.
Workaround:
Navigate to the Devices :: BIG-IP Devices page. Look for any device which indicates that conflicts need to be resolved in the 'Services' column.
If that does not remove the banner, you can clear the import task collections.
Important: Clearing the import task collections erases any import tasks that have pending conflicts, as well as any import/re-import tasks that failed that might provide useful error messages.
restcurl -X DELETE cm/adc-core/tasks/declare-mgmt-authority/
restcurl -X DELETE cm/access/tasks/declare-mgmt-authority/
restcurl -X DELETE cm/asm/tasks/declare-mgmt-authority/
restcurl -X DELETE cm/websafe/tasks/declare-mgmt-authority/
restcurl -X DELETE cm/firewall/tasks/declare-mgmt-authority/
restcurl -X DELETE cm/dns/tasks/declare-mgmt-authority/
restcurl -X DELETE cm/security-shared/tasks/declare-mgmt-authority/
restcurl -X DELETE cm/sslo/tasks/declare-mgmt-authority/
811773 : BIG-IQ Web Application Security event log page does not list events after upgrade from 6.1
Component: REST Framework and TMOS Platform
Symptoms:
Due to an upgrade problem, the Web Application Security event log screens do not open after an upgrade to 7.0.
Conditions:
The issue happens after upgrading BIG-IQ with a DCD cluster and the Web Application Security listener enabled.
Impact:
The Brute Force Attacks and Event Logs screens fail to load, so you cannot monitor these events.
Workaround:
1. Navigate to System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
2. Click the name of the relevant DCD device.
3. Click Services.
4. Click Activate for the Web Application Security listener.
811129 : Drag and Drop policy rules does not save the modified order in Security Policy Page
Component: BIG-IQ Access
Symptoms:
On the security policy page, when a user adds a new rule and drags and drops it to change the order of rules, the view is saved as modified. But when the user returns to the policy page, the order is not the one set by the drag and drop.
Conditions:
On the security policy page, a user adds a new rule, drags and drops it to change the order of rules, and returns to the policy page.
Impact:
Users cannot use drag and drop to change the order of rules on the security policy page.
Workaround:
Delete the rules and add them in the required order.
811121 : BIG-IQ cannot onboard BIG-IP VE devices when BIG-IQ HA failover happens
Component: REST Framework and TMOS Platform
Symptoms:
When the active BIG-IQ in a high availability (HA) configuration fails over to the standby BIG-IQ, onboarding tasks for new BIG-IP Virtual Edition (VE) devices fail with an error message:
Failed to complete onboarding task: null: Unknown response format found. code: 500, message: empty. See log for details.
Conditions:
-- After a BIG-IQ HA failover happens.
-- Attempting to onboard BIG-IP VE devices.
Impact:
Onboarding BIG-IP VE task fails after BIG-IQ failover.
Workaround:
To work around this issue, log in to the currently active BIG-IQ through SSH and run the command:
bigstart restart restnoded
811069 : Overriding deeply nested fields in AS3 Templates will appear at deployment time.
Component: BIG-IQ Application Management
Symptoms:
Overriding certain deeply nested fields in AS3 templates makes them appear editable when deployed, even though they should not be.
Conditions:
Select "override" on All the fields of a nested object. For example, the "Security_Log_Profile" class contains many deeply nested class objects. The JSON schema for the "Security_Log_Profile" could look like:
{
  "properties": {
    "class": {},
    "application": {
      "type": "object",
      "properties": {
        "localStorage": {
          "type": "boolean",
          "default": false,
          "const": false
        },
        "maxEntryLength": {
          "type": "string",
          "default": "64k",
          "const": "64k"
        },
        "remoteStorage": {
          "type": "string",
          "default": "bigiq",
          "const": "bigiq"
        },
        "reportAnomaliesEnabled": {
          "type": "boolean",
          "default": true,
          "const": true
        },
        "servers": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "address": {
                "type": "string",
                "default": "10.1.10.6",
                "const": "10.1.10.6"
              },
              "port": {
                "type": "string",
                "default": "8514",
                "const": "8514"
              }
            }
          }
        },
        "storageFilter": {
          "type": "object",
          "properties": {
            "requestType": {
              "type": "string",
              "const": "illegal",
              "default": "illegal"
            }
          }
        }
      }
    }
  },
  "type": "object",
  "additionalProperties": false
}
Note that, because of the "const" keywords throughout the declaration, nothing in this class can be edited.
Impact:
When deployed, fields appear as editable, even though they're not. If you attempt to edit the values, BIG-IQ returns an error.
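As an added example (not F5 code), the following walks the schema above and reports which fields are fixed by "const" and which Override selections therefore should never be presented as editable; the function names and the override paths are assumptions:

```python
"""Find the "const"-pinned fields in an AS3 template JSON schema.

Added example (not F5 code). The schema is the Security_Log_Profile excerpt
from this release note; the function names and the override paths are
assumptions used to show which Override selections should never be presented
as editable at deployment time.
"""


def _pinned(const, typ="string"):
    """Shorthand for a leaf whose value is fixed by "const"."""
    return {"type": typ, "default": const, "const": const}


# Constructed from the schema quoted in the release note.
SECURITY_LOG_PROFILE_SCHEMA = {
    "type": "object",
    "additionalProperties": False,
    "properties": {
        "class": {},
        "application": {
            "type": "object",
            "properties": {
                "localStorage": _pinned(False, "boolean"),
                "maxEntryLength": _pinned("64k"),
                "remoteStorage": _pinned("bigiq"),
                "reportAnomaliesEnabled": _pinned(True, "boolean"),
                "servers": {
                    "type": "array",
                    "items": {
                        "type": "object",
                        "properties": {
                            "address": _pinned("10.1.10.6"),
                            "port": _pinned("8514"),
                        },
                    },
                },
                "storageFilter": {
                    "type": "object",
                    "properties": {"requestType": _pinned("illegal")},
                },
            },
        },
    },
}


def _child(prefix, name):
    """Build a dotted path under prefix."""
    return f"{prefix}.{name}" if prefix else name


def const_fields(schema, prefix=""):
    """Return {path: const_value} for every subschema carrying "const".

    Objects are descended through "properties" and arrays through "items"
    (marked "[]"), so servers entries become "application.servers[].port".
    """
    found = {}
    if "const" in schema:
        found[prefix or "<root>"] = schema["const"]
    for name, sub in schema.get("properties", {}).items():
        found.update(const_fields(sub, _child(prefix, name)))
    if isinstance(schema.get("items"), dict):
        found.update(const_fields(schema["items"], prefix + "[]"))
    return found


def leaf_paths(schema, prefix=""):
    """All leaf property paths (subschemas with no "properties"/"items")."""
    props = schema.get("properties") or {}
    items = schema.get("items")
    if not props and not isinstance(items, dict):
        return [prefix] if prefix else []
    paths = []
    for name, sub in props.items():
        paths.extend(leaf_paths(sub, _child(prefix, name)))
    if isinstance(items, dict):
        paths.extend(leaf_paths(items, prefix + "[]"))
    return paths


def editable_fields(schema):
    """Leaves without "const": the only fields Override may legitimately expose."""
    pinned = const_fields(schema)
    return sorted(p for p in leaf_paths(schema) if p not in pinned)


def invalid_overrides(schema, overrides):
    """Override selections that target a const field: the fields the note
    describes, shown as editable after deployment although any edit is
    rejected because the schema fixes their value."""
    pinned = const_fields(schema)
    return sorted(path for path in overrides if path in pinned)


if __name__ == "__main__":
    for path, value in sorted(const_fields(SECURITY_LOG_PROFILE_SCHEMA).items()):
        print(f"{path} is fixed to {value!r}")
    print("editable:", editable_fields(SECURITY_LOG_PROFILE_SCHEMA))
```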
811013 : Const property from schemaOverlay not used when deploying an AS3 app using that schemaOverlay
Component: BIG-IQ Application Management
Symptoms:
When you deploy an AS3 application service using an AS3 template with an attribute that references an existing object in BIG-IP and you set the properties for that object to Override, the object does not get attached to the virtual server.
Example:
Set an existing WAF policy (/Common/asm-policy) in Service_HTTPS as a constant from BIG-IP and check Override; the policy does not get attached to the virtual server.
Conditions:
Use Override for an existing BIG-IP object (for example, /Common/asm-policy or /Common/http-profile) in Service_HTTP, Service_HTTPS, Service_TCP, Service_UDP, or Service_Generic.
Impact:
It is not possible to use Override (constant) for existing objects referenced in BIG-IP in Service_HTTP, Service_HTTPS, Service_TCP, Service_UDP, or Service_Generic.
Workaround:
Define the object in an AS3 class and use the AS3 pointer when using the Override feature in an AS3 template.
Make sure you set Override on the attribute inside the target class, not in the Service class.
Example: set a WAF policy as a constant in the template:
In the Service_HTTPS class, set policyWAF to Editable.
In the WAF_Policy class, set file (or url) to Override.
810925 : Regkey Pool cannot be used to license AWS BIG-IP VE
Component: REST Framework and TMOS Platform
Symptoms:
When using a RegKey Pool to license a BIG-IP VE in an AWS environment, BIG-IQ returns an error similar to:
Failed to install license to device xxx.xxx.xxx.xxx. (Not a valid F5 license)
Conditions:
When you create a RegKey Pool on BIG-IQ and then add a regkey to the pool, you cannot license a BIG-IP in an AWS environment, even though the regkey that you added is a valid regkey for that BIG-IP.
Impact:
You cannot use RegKey Pool on BIG-IQ to license AWS BIG-IP VE.
Workaround:
Apply the regkey license directly on the BIG-IP VE in AWS, or use a utility pool on BIG-IQ to license the device.
810341-1 : L7 Security Dashboard does not show the number of Applications/Virtual-Servers with Bad Traffic Trend
Component: AppIQ
Symptoms:
The L7 security dashboard does not show the number of applications/virtual servers with Bad Traffic Trend that had an increase in the number of DDoS attacks from zero to a higher value when comparing the last day to the last week.
Conditions:
A DDoS protected application/virtual server had no DDoS attacks in the last week and had at least one DDoS attack in the past day.
Impact:
The L7 Security Dashboard does not show the number of applications/virtual servers with a rising trend of DDoS attacks.
809761 : Onboarding task for BIG-IP VE in AWS cloud might fail if the active BIG-IQ fails over to the standby BIG-IQ
Component: REST Framework and TMOS Platform
Symptoms:
When creating an onboarding task for a new BIG-IP VE in AWS cloud, the task fails with this error message: "Task Failed: Failed to complete onboarding task. code: 500, message: error during onboarding, error: ssh got error on stderr: Warning: Identity file /your/path/to/private/key not accessible: No such file or directory. ".
Conditions:
This happens when you create a BIG-IP VE on AWS without onboarding it, fail over to the standby BIG-IQ, and then try to onboard the BIG-IP VE.
Impact:
If BIG-IQ fails over to the standby BIG-IQ and you have created a BIG-IP VE in an AWS cloud but have not onboarded it, the onboarding task on the newly active BIG-IQ fails.
Workaround:
There are two options:
1. Remove the BIG-IP VE from AWS and create a new BIG-IP VE from the currently active BIG-IQ.
2. Promote the originally active BIG-IQ (the one that was active when the BIG-IP VE was created) to active again.
809725 : Security Policy through topology is not visible in BIG-IP when deployed from BIG-IQ
Component: BIG-IQ Access
Symptoms:
If you deploy a security policy through topology from BIG-IQ, it does not display in BIG-IP.
Conditions:
1) Create a Security Policy with Proxy Connect enabled with a device pool selected.
2) Create an Outbound topology and, in the security policy section, use the existing security policy that was just created with Proxy Connect enabled.
3) Deploy the topology.
Impact:
The security policy does not display on BIG-IP.
Workaround:
Deploy the same topology to BIG-IP from BIG-IQ with a security policy that does not have Proxy Connect enabled, or disable the Proxy Connect option on the same topology and redeploy.
809609 : "Use Management Address for HA Peer Communication" for a BIG-IP in an auto failover HA configuration
Component: REST Framework and TMOS Platform
Symptoms:
If you select "Use Management Address for HA Peer Communication" when configuring BIG-IQ in an auto-failover high availability configuration, BIG-IQ returns an error:
400 Bad Request.
Conditions:
This happens when configuring auto-failover HA, because that configuration needs a DCD configured as the Quorum device.
This can also happen during manual failover when a DCD is discovered on the BIG-IQ.
Impact:
"Use Management Address for HA Peer Communication" fails to use the management address and returns an error.
Workaround:
1. You must use the setup wizard (https://<ip>/ui/setup) when setting up HA communication for a BIG-IQ in an auto-failover high availability configuration.
2. The DCD discovery address is used for communication between each BIG-IQ and the Quorum DCD, and must be on the same network as the HA communication.
3. If you're using a floating IP address, it must be on the management network, regardless of the HA communication network (which can be on either the management or a self IP address).
4. Before changing the default self IP address, you must first delete/un-manage all devices with which you have established communication: <DCD's IP address>.
809501 : Adding a template to an existing custom application role
Component: BIG-IQ Application Management
Symptoms:
When you try to assign another template to an existing custom application role, sometimes only a list of users displays, with no other options (such as templates).
Conditions:
This happens sometimes when you try to edit a custom application role to add a template.
Impact:
Admin cannot edit a custom application role after
Workaround:
Navigate to another screen, then navigate back to the role and the correct fields display. You can now assign other templates to the role.
809421 : Cannot save L2 Service if the same VLAN is selected in both the FromBigIP VLAN and ToBigIP VLAN configuration
Component: BIG-IQ Access
Symptoms:
If the same VLAN is selected for both fields in the Default Properties > Network Configuration section, you cannot save the L2 service.
Conditions:
This happens when you select the same VLAN for the Default Properties - Network Configuration fields when the VLAN field shows only one VLAN option available to select.
Impact:
You cannot save the L2 Service Configuration.
Workaround:
If only one VLAN is available to select, do not select the same VLAN for both FromBigIPVLan and ToBigIPVlan. Log in to the BIG-IP device, fill in the device-specific overrides for Network Configuration, and create the required VLAN for the service.
809149 : Attempting to enable remote logging configuration
Component: BIG-IQ Monitoring - Logs
Symptoms:
When attempting to enable remote logging configuration, BIG-IQ returns an error:
The requested Node (/Common/access-remote-syslog-node-*) already exists in partition.
Conditions:
This happens when you attempt to enable remote logging configuration.
Impact:
You are unable to Access reports from the Monitoring tab.
808865 : Rediscovery fails after import
Component: BIG-IQ Access
Symptoms:
This happens when importing an SSLO service.
Conditions:
When importing the SSLO service for a device.
Impact:
The configuration for that device is lost until the next periodic refresh. SSLO configuration modifications run into issues while the discovered configuration is missing.
Workaround:
Do not re-discover SSLO after import. If you do, wait for the automatic refresh of the latest configuration from BIG-IP (about every 15 minutes).
808697 : From BIG-IQ you can only select or input certain string types, even though the AS3 templates support other types
Component: BIG-IQ Application Management
Symptoms:
When using an AS3 template, some fields have more than one type in the AS3 schema, but only the first type is supported for the AS3 template from the user interface. This affects:
* A field that can be a string or an object, like serverTLS in the Service_HTTPS class. AS3 templates support f5String fields, which can be an object or a string, but not other fields that can be a string or an object; order matters in this case.
* A field that can be an array of strings or an array of objects, like virtualAddresses and irules in the Service_HTTPS class.
* A field that can be a string or an integer, like idleTimeout in the IP_Other_Profile class.
Conditions:
Using an AS3 template from BIG-IQ.
Impact:
When using an AS3 template from BIG-IQ you can only select or input certain string types, even though the AS3 templates support other types.
Workaround:
To work around this issue, use the API instead of the BIG-IQ user interface.
808457 : Re-licensing a BIG-IP from a different license pool through onboarding fails
Component: BIG-IQ Device Management
Symptoms:
If you re-license a BIG-IP device through onboarding from a different license pool, the BIG-IP device is not licensed when you specify the current BIG-IQ to revoke the license from the old license pool and re-license it from the new license pool.
Conditions:
Revoke the old BIG-IP VE license, re-license the BIG-IP through onboarding, and specify the BIG-IQ as the current BIG-IQ.
Impact:
The task succeeds, but the BIG-IP device is not licensed.
Workaround:
Workaround 1:
Re-license the BIG-IP in a separate DO.
Workaround 2:
Provide the IP address and admin credentials for the current BIG-IQ in both the revoke and re-license parts of the DO.
808333-1 : Restricted application service data displayed in the Applications screen
Component: AppIQ
Symptoms:
The summary bar of the applications page displays statistics for all application services even if the user role has permissions to view only some of the application services in an application.
Conditions:
1. Create a user with a specific application role for some (not all) of the contained application services.
2. Go to the applications page (Applications --> APPLICATIONS).
Impact:
Statistics under the application show data for all application services, even if the user does not have permissions to see them.
808177 : Azure service scaling group (SSG) does not support images with GOOD license bundle
Component: BIG-IQ Application Management
Symptoms:
If you create an SSG in an Azure cloud environment with a GOOD license bundle, the SSG is created successfully and is able to scale in and scale out, but application deployment fails.
Conditions:
Create an SSG in an Azure cloud environment with a GOOD license image. BIG-IQ successfully creates the SSG, which is able to scale in and out, but if you try to deploy an application to the SSG, it fails.
Impact:
You're unable to deploy an application to devices in the SSG.
Workaround:
Do not use BIG-IP images with the GOOD license bundle for SSG in an Azure environment.
807897 : Importing child cookie persistence profile
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
Cannot import a child profile if it attempts to override "Cookie Encryption Use Policy" but cannot provide a new passphrase.
Conditions:
1. From BIG-IP, create a cookie persistence profile and set Encryption to Required, which requires setting a passphrase.
2. From BIG-IP, create a second profile inheriting from the first and only change Encryption to Preferred. Don't override the passphrase. For some reason, BIG-IP does not allow you to override a passphrase from BIG-IP.
3. Import the configuration into BIG-IQ; the following error occurs:
cookie with cookie encryption policy 'xxx' is missing encryption passphrase
Impact:
BIG-IQ cannot import a BIG-IP device in this state. This is a corner case and can be worked around.
Workaround:
Use one of the following workarounds.
1) Override the passphrase in the child profile using tmsh. For example:
modify ltm persistence cookie c2 cookie-encryption-passphrase myPassword
2) Delete this profile and create an identical profile with all of the properties, but do not use a parent profile that overrides "Cookie Encryption Use Policy".
807385 : Unselecting the egress gateway pool empties the dropdown
Component: BIG-IQ Access
Symptoms:
If you select an existing pool in egress and then unselect it, the pool menu becomes empty.
Conditions:
When you select a pool in egress and then unselect it.
Impact:
The pool menu becomes empty.
Workaround:
Switch the gateway pool ratio to default and change back to use existing.
807257 : Topology deployment of type L3 Explicit proxy returns a Validation error for Access profile menu in Interception Rules page
Component: BIG-IQ Access
Symptoms:
Deployment for an L3 Explicit proxy topology type returns validation errors for the access profile menu on the interception rules page.
Conditions:
In an L3 Explicit proxy deployment, select the access profile from the interception rules page, then go back to the interception rules page or reopen the deployed configuration.
Impact:
Deployment does not complete and returns an error.
Workaround:
To work around this, click -select- in the menu and reselect the access profile.
807081 : Selecting and deselecting a pool in an interception rule
Component: BIG-IQ Access
Symptoms:
When you select a pool in an interception rule and then deselect it, it isn't deselected.
Conditions:
Select a pool in an interception rule, and then deselect it.
Impact:
BIG-IQ displays an error and the pool is not deselected.
Workaround:
Do not select and unselect a pool in an interception rule. If you do, delete the pending topology and create a new one.
806749 : Bot Dashboards show negative numbers for "Browser Verification Challenge (Time out)" Mitigation events
Component: BIG-IQ Monitoring - Dashboards & Reports
Symptoms:
When a discovered BIG-IP device receives traffic that triggers Browser Verification Challenge (Time out) mitigation, BIG-IQ displays negative numbers.
Conditions:
Browser Verification Challenge (Time out) mitigation events.
Impact:
The BIG-IQ dashboard aggregates counts from different accepted/declined events, so the numbers shown when this mitigation is present are not accurate, because the numbers for this mitigation are negative.
805689 : SSLO Summary page has empty ssl card and security policy card
Component: BIG-IQ Access
Symptoms:
In an L2 Outbound/L2 Inbound topology deployment, the summary page shows empty SSL and security policy cards for the protocols udp and other.
Conditions:
This happens when you deploy L2 Inbound/L2 Outbound topology types for the protocols udp and other.
Impact:
This doesn't cause any issues.
Workaround:
This is not an issue, since there is no SSL step for protocol udp and there is no security policy step for protocol other. The summary page simply shows empty cards for these steps. Deployments are not affected by these empty cards.
805593 : Deployment fails after editing deployed topology of type Existing App
Component: BIG-IQ Access
Symptoms:
Deployment for a topology of type Existing App fails.
Conditions:
If you open the deployed topology of type Existing App, go directly to the Security Policy step, and create a new Security Policy.
Impact:
Deployment for topology of type Existing App might fail.
Workaround:
Open the deployed topology of type Existing App and create a new security policy. Then follow these steps:
1. Go back to any page (topology, service, or service chain) and click Save & Next on each page until you reach the summary page.
2. Click Deploy from the summary.
805533 : Device Overrides copies from the default after changing a security policy rule
Component: BIG-IQ Access
Symptoms:
Device Overrides copies from the default after changing a security policy rule.
Conditions:
Steps to reproduce:
1. Edit an existing security policy in a topology.
2. Choose Create New and check Device Overrides.
3. Select a service chain in the rule and save. The page goes directly to Interception Rules (IR).
4. Go to Next and deploy. BIG-IP gets the correct value, but when you go back to the deployed topology, the device overrides have been copied from the default.
Impact:
No functional impact; a workaround exists.
Workaround:
In step 3, when the page goes directly to IR, go back to the security policy and click Save and Next.
805473-1 : DDoS protected object screen does not display applications
Component: AppIQ
Symptoms:
Application type protected objects are not displayed in the protected objects list for Shared Security. Instead, the screen lists the application's virtual servers. This allows you to immediately review and edit Shared Security settings for the application's associated virtual servers.
Conditions:
1. Create applications with an HTTP DoS profile
2. Navigate to Configuration -> Security -> Shared Security -> Dos Protection -> Protected Objects screen.
Impact:
There is no application type object in the Protected Objects screen.
805457-1 : Error in UI and query service log when viewing raw DDoS attacks
Component: AppIQ
Symptoms:
When navigating to raw attacks from an ongoing DDoS attack's dashboard (Monitoring -> DASHBOARDS -> DDoS -> Protection Summary: Selected Attack), the UI and query service log show a TEMPLATE_MALFORMED error message.
Conditions:
1. Generate a DDoS attack with more than one raw attack: an attack on multiple BIG-IP devices or an attack with multiple attack vectors.
2. Go to Monitoring->DASHBOARDS->DDoS->Protection Summary.
3. Go to the attack page by clicking the active attack id.
4. Select "Raw Attacks" under "ATTACKED ENVIRONMENTS"
Impact:
A TEMPLATE_MALFORMED error is shown in the charts area of the UI, and chart data is not shown.
A TEMPLATE_MALFORMED error message is shown in the query service log file.
804601-1 : Custom user role does not display application and application services statistics
Component: AppIQ
Symptoms:
When configuring a custom application manager user, the user might not be able to view application and application service statistics.
This occurs even when the "Application Editor" role is added to the user's settings.
Conditions:
1. Create a user assigned to the Application Editor role with access to edit AS3 templates.
2. Create an application and application service with live traffic.
3. Give the Application Editor role permission to view the application and application services.
4. Sign in as the Application Editor.
5. Navigate to Applications or Application Services.
Impact:
Statistics display as NO DATA.
Workaround:
Remove the Application Editor role from the user, and configure specific permissions manually for the role of an application editor.
804461 : AS3 application actions might fail with a "Public URI path not registered" error
Component: BIG-IQ Application Management
Symptoms:
AS3-related operations sometimes fail with an error that contains "Public URI path not registered".
Conditions:
This happens when the REST data is cleared but the AS3 host process, restnoded, is not restarted.
Impact:
AS3 operations fail.
Workaround:
Restart restnoded by logging in to BIG-IQ as root using SSH, then issuing the command "bigstart restart restnoded".
804077-1 : Severity filters for DDoS protected objects do not filter
Component: AppIQ
Symptoms:
The attack severity filters (located in the summary bar of a virtual server protected object) do not filter the attack list at the bottom of the screen.
Conditions:
1. Navigate to Configuration -> Security -> Shared Security -> Dos Protection -> Protected Objects.
2. Select a virtual server name that has reported DDoS attacks (a lowered attack status).
3. From the ATTACK SEVERITY area in the summary bar, click Warning or Critical to filter the attack IDs at the bottom of the screen.
Impact:
The list of Attack IDs is not filtered according to severity filter selection from the summary bar.
Workaround:
You can sort attacks by their severity by clicking the column header "Severity" from the attack list.
803789-1 : DDoS protection summary - protected objects grid doesn't display virtual servers with the same name
Component: AppIQ
Symptoms:
Virtual servers with the same name configured on different BIG-IP devices (or service scaling groups) are displayed in one row within the DDoS protection summary screen. The row displays aggregated data of the multiple virtual servers and only one of the associated device hostnames.
Conditions:
1. Create virtual servers on clustered BIG-IP devices, or create virtual servers with identical names (including partition) on two different BIG-IP devices managed by BIG-IQ.
2. Go to the DDoS protection summary page.
3. Go to the protected object section and check the virtual server's BIG-IP device/service scaling group.
Impact:
Aggregated data of the virtual servers with the same name appears only once in the protected object grid, associated with one of the host devices.
This can impact the display of the virtual servers' health within the grid, but does not impact the data in the summary bar.
803221-1 : Applications page - "Sort by: Name ascending" sorts tiles by descending order
Component: BIG-IQ Application Management
Symptoms:
In the Applications and Application Services summary screens, when you select "Sort by: Name ascending", the screen orders the tiles in descending order.
Conditions:
1. Go to the Applications or Application Services summary screen, and display data in tile mode.
2. Select "Sort by: Name ascending"
Impact:
The order of the tiles is not displayed as expected.
803101 : Application Viewer and Application Manager role users don't see the Applications tab
Component: BIG-IQ Application Management
Symptoms:
Application Viewer and Application Manager role users do not see the Applications tab on BIG-IQ.
Conditions:
If a user is granted only the Application Viewer or Application Manager role, they cannot see the Applications tab on BIG-IQ.
Impact:
The user cannot view or manage applications.
Workaround:
To work around this issue, assign an Application Service Viewer or Application Template role to the user.
802349 : Connection Refused errors may be seen on APPLICATIONS page
Component: BIG-IQ Application Management
Symptoms:
When viewing the APPLICATIONS screen, a dialog pops up with a "Connection Refused" error.
Conditions:
This occurs when the APPLICATIONS screen is viewed shortly after the BIG-IQ system has been rebooted, or shortly after the restjavad service on BIG-IQ has been restarted.
Impact:
The APPLICATIONS page will be unusable for a short time.
Workaround:
To work around this issue, reload the APPLICATIONS page until it works. It can take up to 90 seconds to resolve.
802157-1 : Application Protection Mode is shown as "Not Protected" if it contains only DNS application service
Component: AppIQ
Symptoms:
When an application contains only a DNS application service, the protection mode of the application is displayed as "Not Protected", while the protection mode of the contained application service is displayed as "N/A".
Conditions:
An application with only DNS application service(s).
Impact:
The application's protection mode displays incorrectly.
Workaround:
None
801833 : Deleting AS3 Application Service may result in Unknown Error
Component: BIG-IQ Application Management
Symptoms:
"An unknown error has occurred" displays when deleting AS3 Application Services.
Conditions:
An application contains at least one AS3 Application Service, and you try to delete one or more Application Services.
Impact:
An error message displays without clear resolution as to what the next steps should be.
Workaround:
You can view additional information for the error by pressing F12 to open the browser console, or by looking at the BIG-IQ system's restjavad.0.log file.
To get past this issue, retry your request.
801793 : Topologies list screen displays "# of Services" as 0 for Existing App type topologies
Component: BIG-IQ Configuration - Access
Symptoms:
On the Topologies screen, "# of Services" shows an incorrect count of 0.
Conditions:
All topologies of Existing App type show "# of Services" as 0.
Impact:
It is difficult to see how many services are running.
Workaround:
Open the topology and the service chain in use and check the number of services.
801761 : Creating BIG-IP VE devices in an AWS and Azure environment
Component: BIG-IQ Device User Interface
Symptoms:
When you create a BIG-IP VE device in an AWS or Azure environment from BIG-IQ, you cannot specify multiple NICs.
Conditions:
When you create a BIG-IP VE device for AWS or Azure, you don't have the option to specify multiple NICs. The BIG-IP VE created for AWS or Azure defaults to one NIC, which is used for both management and traffic.
Impact:
You cannot cluster BIG-IP in a mode that requires multiple NICs.
Workaround:
To work around this issue, after you create a BIG-IP VE device on AWS or Azure from BIG-IQ, manually add an additional NIC from the AWS or Azure environment.
801625-1 : Health/alerts/thresholds for the DNS application
Component: BIG-IQ Application Management
Symptoms:
Health/alerts/thresholds for the DNS application are displaying as Grey/Other in the Application Dashboard because there are no health/alerts/thresholds implemented for the DNS application deployed with an AS3 template.
Conditions:
Deploy DNS application using an AS3 template.
Impact:
You will not see health/alerts/thresholds for the DNS application in the Application Dashboard.
Workaround:
Refer to the health of the Application Services serving the FQDNs/WideIP.
800605-1 : Analytics screens temporarily display error messages
Component: AppIQ
Symptoms:
Immediately after configuring a data collection device (DCD) cluster and discovering BIG-IP devices, the analytics screens display error messages.
Conditions:
1. Add the first DCD to BIG-IQ.
2. Discover BIG-IP devices with stats collection enabled.
3. View the analytics screens.
Impact:
The Analytics screens temporarily display error messages immediately after the DCD and BIG-IP devices are configured. These error messages are no longer displayed once the installation processes are complete and sufficient data is collected.
Workaround:
Wait until Analytics initialization processes are complete to view data.
799793 : BIG-IP deployment fails when LTM config objects are generated by SSLO
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
When using SSL Orchestrator (SSLO) with ADC or other configurations, conflicts between objects created inside and outside of SSLO occur.
Conditions:
SSLO is deployed along with virtual servers or other ADC components.
Impact:
User experience can be severely limited when using a device for SSLO and using other modules concurrently.
Workaround:
Before deploying a BIG-IP with LTM services from BIG-IQ, you must re-discover and re-import LTM to avoid losing the changes made by SSL Orchestrator. If deployment fails with the error: "...the object xyz must be updated using an application management interface.", use the "Keep Unused Objects" option and re-try the LTM deployment.
797973 : AWS key pair left behind in AWS after deleting a BIG-IP VE
Component: BIG-IQ Device Management
Symptoms:
If you delete a BIG-IP VE device that was created in an AWS cloud environment, the BIG-IP VE is removed from AWS, but the associated key pair remains.
Conditions:
Delete a BIG-IP VE device created from the BIG-IP VE Creation screen in an AWS Cloud Environment.
Impact:
Unused key pairs are left behind in AWS.
Workaround:
Log in to the AWS Console and manually delete the unused key pairs by navigating to EC2->Key Pairs.
797801 : Deployment fails if a new hostname is on the parent policy
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
Deployment to a BIG-IP version 14.1 fails if a parent policy is configured with hostnames.
Conditions:
A deployment to BIG-IP version 14.1 with a parent policy configured with hostnames.
Impact:
Deployment fails.
Workaround:
When configuring parent and child policies, do not make the hostnames section inherited. BIG-IQ copies the current parent hostnames configuration into each child; after that, remove the hostnames from the parent policy.
Deployment then works.
788665 : Changing protocol to esp for a policy/rule list fails
Component: BIG-IQ Configuration - Security - Network Security
Symptoms:
Selecting the esp protocol for a policy/rule list incorrectly changes the protocol to ipv6-crypt.
Conditions:
Select the esp protocol in a policy/rule-list rule and save.
Impact:
The protocol is incorrectly changed to ipv6-crypt.
781061 : Device Type is Unmanaged in license pool if the device is licensed by BIG-IQ before importing
Component: BIG-IQ Device Management
Symptoms:
If an unmanaged BIG-IP device is licensed from BIG-IQ, and later it is discovered and imported, the "Device Type" in the license pool on BIG-IQ shows the device as unmanaged, even if it is discovered and imported.
Conditions:
The device is licensed first, and then discovered and imported.
Impact:
There is no real impact on device management. It is only confusing when looking at the device type on the license pool page.
Workaround:
Discover and import the BIG-IP device first before you license it.
778137 : If 'Differentiate between HTTP/WS and HTTPS/WSS URLs' setting is disabled on the BIG-IP system, deployment of URLs may fail
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
The 'Differentiate between HTTP/WS and HTTPS/WSS URLs' setting is not supported by BIG-IQ. If this setting is disabled on a discovered policy and you configure the same URL with both the HTTP and HTTPS protocol on BIG-IQ, the deployment fails: the BIG-IP system accepts only one of them, and creation of the second URL fails with a 'duplicate item' error.
Conditions:
-- 'Differentiate between HTTP/WS and HTTPS/WSS URLs' disabled in BIG-IP Policy.
-- The same URL is configured with HTTP and HTTPS protocol on BIG-IQ.
Impact:
Deployments of policies with URLs configured for both HTTP/WS and HTTPS/WSS fail, because the BIG-IP system accepts only one of the protocols.
Workaround:
Turn the setting on in the BIG-IP policy and configure it accordingly.
776593 : BIG-IP devices might be reported as Unavailable with no reason provided
Component: BIG-IQ DNS Management
Symptoms:
Alerts and log messages might indicate BIG-IP devices are Unavailable without providing details. A log message with text like this is returned:
The following devices are not reachable from the BIG-IQ: some-bigip.mydomain
Conditions:
Specific conditions are not known, but most likely include intermittent network connectivity loss or network slowdowns, high CPU usage on the BIG-IP device, and so forth.
Impact:
Devices are temporarily marked unavailable, until the next successful poll.
Workaround:
Any details that are available are recorded in the device-refresh API endpoint until the next refresh (every two minutes). For example, run the following command from the BIG-IQ shell:
# restcurl shared/identified-devices/config/device-refresh
Devices that are listed with isAvailable=false also have an errorResponse field with more information.
767621 : restjavad can keep partially downloaded files open indefinitely
Component: REST Framework and TMOS Platform
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Because these files remain open, the number of file handles available to the process decreases and the disk space used by the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
bigstart restart restjavad
Files that were deleted now have their space reclaimed.
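As an added example, not part of the release note, the following Python script parses `lsof -n` output (a constructed sample is embedded) and totals the space held by files that are open but already deleted, so the effect described above can be measured per process before restjavad is restarted.

```python
"""Quantify disk space pinned by files that are open but already deleted.

Added example, not from the F5 release note: it parses `lsof -n` output so
the handles restjavad keeps on deleted UCS files (issue 767621) can be
measured before deciding to run `bigstart restart restjavad`.
"""
import re
from collections import defaultdict

# Constructed sample of `lsof -n` output; restjavad appears under its java
# process name. PIDs, sizes and paths are made up for the example.
SAMPLE_LSOF = """\
COMMAND  PID USER   FD TYPE DEVICE  SIZE/OFF    NODE NAME
java    4242 root   12r  REG  253,0 104857600 1310720 /var/local/ucs/backup-1.ucs (deleted)
java    4242 root   13r  REG  253,0  52428800 1310721 /var/local/ucs/backup-2.ucs (deleted)
java    4242 root   14r  REG  253,0      4096 1310722 /var/log/restjavad.0.log
java    4242 root   15u IPv4  98765       0t0     TCP 127.0.0.1:8100->127.0.0.1:51234 (ESTABLISHED)
httpd   3131 apache  5w  REG  253,0     65536  917504 /var/log/httpd/access_log (deleted)
"""

# One lsof row: eight whitespace-separated columns, then NAME (which may contain spaces).
LSOF_LINE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<device>\S+)\s+(?P<size>\S+)\s+(?P<node>\S+)\s+(?P<name>.+)$"
)


def deleted_open_files(lsof_output):
    """Map (command, pid) -> [(path, size_bytes), ...] for regular files that
    are still open but unlinked; lsof marks those with a trailing '(deleted)'."""
    held = defaultdict(list)
    for line in lsof_output.splitlines()[1:]:          # skip the header row
        m = LSOF_LINE.match(line)
        if not m or m["type"] != "REG" or not m["name"].endswith(" (deleted)"):
            continue
        path = m["name"][: -len(" (deleted)")]
        held[(m["command"], int(m["pid"]))].append((path, int(m["size"])))
    return dict(held)


def unreclaimable_bytes(lsof_output, command="java"):
    """Bytes that `df` will not report as free until the named process closes
    the handles (for restjavad, in practice, until the daemon is restarted)."""
    return sum(size
               for (cmd, _pid), files in deleted_open_files(lsof_output).items()
               if cmd == command
               for _path, size in files)
```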
760242 : Application cannot be deployed to VMware SSG
Component: BIG-IQ Application Management
Symptoms:
The attempt to deploy an application on a VMware SSG never completes and shows a spinner that never stops. At the same time, /var/log/tokumx.log shows 'Lock not granted' errors every few minutes.
Conditions:
This issue applies when:
-- The SSG is based on a device template that includes ASM among the provisioned modules.
-- The Service Scaler associated with that SSG is provisioned with LTM only.
Impact:
This prevents properly deploying applications to the SSG.
Workaround:
1. License ASM or AFM in the Service Scaler.
2. Discover and import Shared Security.
3. Restart restjavad if needed to stop the running task.
4. Redeploy the application.
757809 : Using the f5mku utility to modify the BIG-IQ master key is not supported
Component: REST Framework and TMOS Platform
Symptoms:
You cannot use the f5mku utility on BIG-IQ. Instead, you must use the BIG-IQ user interface or public REST API to modify the master key and ensure that all protected data is moved to the new master key. Any other method could result in loss of data.
Conditions:
Attempting to modify the BIG-IQ master key with the f5mku utility.
Impact:
This can result in unrecoverable data loss.
Workaround:
Use the BIG-IQ user interface or public REST API to modify the master key.
753892 : BIG-IQ UCS backup fails in Microsoft Azure deployments
Component: REST Framework and TMOS Platform
Symptoms:
Attempting to create a UCS backup on a BIG-IQ deployed in Microsoft Azure results in a failure. The operation fails with an error message:
Operation aborted. /var/tmp/configsync.spec: Error creating package.
Conditions:
- BIG-IQ is deployed and running in Microsoft Azure.
- BIG-IQ administrator uses the BIG-IQ interactive shell (SSH/TMSH) to create a UCS backup, e.g., by running the command:
tmsh save sys ucs bigiq
Impact:
The operation fails. BIG-IQ administrators are not able to create a UCS backup.
Workaround:
This workaround is based on a patch applied by a custom script.
1) Using a text editor, create a file named /var/tmp/id753892-workaround.sh
2) Add the following content to the file:
#!/bin/bash
IM_FILE=/usr/local/bin/im
if [ ! -f ${IM_FILE}.bak ]; then
    # find the block device mounted on /usr so it can be remounted read-write
    VOL_USR=$(mount | awk '/ \/usr / { print $1 }')
    if [[ -z "$VOL_USR" || $? -ne 0 ]]; then
        echo "Could not get /usr partition"
        exit 1
    fi
    mount -o rw,remount ${VOL_USR} /usr
    cp ${IM_FILE} ${IM_FILE}.bak
    chmod -x ${IM_FILE}.bak
    # delete the line in im that matches '$filepath =~ s' (single quotes keep $filepath literal)
    sed -i '/$filepath =~ s/d' ${IM_FILE}
    mount -o ro,remount ${VOL_USR} /usr
    echo "Done."
else
    echo "Patch has been applied already"
    exit 1
fi
3) Save the file and execute the command:
/var/tmp/id753892-workaround.sh
752722 : Deploying application services using some of the default templates to VMware SSG fails
Component: BIG-IQ Application Management
Symptoms:
When using the following default templates to deploy application services to BIG-IP devices in a VMware service scaling group (SSG), deployment fails with an 'unable to get prototype' error.
The default templates that fail are:
- Default-f5-HTTPS-offload-lb-template
- Default-f5-HTTP-lb-template
- Default-f5-fastHTTP-lb-template
- Default-f5-HTTPS-offload-lb-Access-AD-Authentication-template
- Default-f5-HTTPS-offload-lb-Access-RADIUS-Authentication-template
- Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template
Conditions:
This occurs only on systems upgraded from BIG-IQ version 6.0.x to 6.1.0.
Impact:
Application service deployment to VMware SSG does not complete.
Workaround:
Run the template-specific REST call from the BIG-IQ system:
- Default-f5-HTTP-lb-template
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/d227aaac-7943-3006-bc9f-b487671f29ba -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
- Default-f5-HTTPS-offload-lb-template
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/26364976-3b50-3f39-a239-3c308c8687cf -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/1c50ae7b-9636-3e21-81e5-7a5f7da91996 -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
- Default-f5-fastHTTP-lb-template
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/92957cc6-2074-37e9-af3c-0257bb9bb997 -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
- Default-f5-HTTPS-offload-lb-Access-AD-Authentication-template
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/1d10ebba-25cd-3938-890a-380acb2525d6 -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/a6bcf439-2e77-3ee9-8113-a82442cfbb6a -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
- Default-f5-HTTPS-offload-lb-Access-RADIUS-Authentication-template
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/acf6b94d-50f0-36dd-b625-14550ae50011 -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/7f8c81a6-6bda-307e-8a4b-22fdd964974c -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
- Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/050805c8-b01d-364e-8a42-030a7d183828 -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
curl -sku admin:password https://localhost/mgmt/cm/security-shared/template-config/virtuals/29d71136-cd9a-3510-b678-58d4bec1165d -X PATCH -H "Content-Type: application/json" -d '{"throughputCapacity": 4294967295}'
752124 : AS3 declarations with more than 10 tenants fail because the auth token expires
Component: BIG-IQ Application Management
Symptoms:
AS3 declarations with more than 10 tenants fail to process on BIG-IQ with a message similar to: "Invalid registered claims."
Conditions:
This issue happens because the auth token can expire with declarations that have more than 10 tenants.
Impact:
Declarations sent to BIG-IQ are limited to a small number of tenants.
Workaround:
Keep declarations to a smaller number of tenants.
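Added example, not F5 code: a pre-flight check in Python that counts the tenants in an AS3 declaration and splits it into parts of at most 10 tenants, which is one way to apply the workaround above. The sample declaration is constructed and assumes only the standard AS3 layout of a top-level ADC object whose tenants carry class Tenant.

```python
"""Pre-flight for issue 752124: an AS3 declaration with more than 10 tenants
can outlive the BIG-IQ auth token and fail with "Invalid registered claims".

Added example, not F5 code. It relies only on the documented AS3 shape: a
top-level object with "class": "ADC" whose tenant members carry
"class": "Tenant"; names and versions in the sample are constructed.
"""

MAX_TENANTS = 10   # limit observed in the release note

# Constructed declaration with 12 tenants: Common plus tenant01..tenant11.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "example-752124",
    "Common": {"class": "Tenant",
               "Shared": {"class": "Application", "template": "shared"}},
}
for _i in range(1, 12):
    SAMPLE_DECLARATION[f"tenant{_i:02d}"] = {
        "class": "Tenant",
        "web": {"class": "Application", "template": "generic"},
    }


def tenant_names(declaration):
    """Names of all Tenant-class members of an ADC declaration, in order."""
    if declaration.get("class") != "ADC":
        raise ValueError("expected a top-level AS3 ADC declaration")
    return [k for k, v in declaration.items()
            if isinstance(v, dict) and v.get("class") == "Tenant"]


def split_declaration(declaration, limit=MAX_TENANTS):
    """Split into declarations of at most `limit` tenants each. Non-tenant
    top-level keys are copied into every part and the id gets a '-partN'
    suffix (constructed convention) so the parts are distinguishable."""
    tenants = tenant_names(declaration)
    common = {k: v for k, v in declaration.items() if k not in tenants}
    parts = []
    for n, start in enumerate(range(0, len(tenants), limit), start=1):
        part = dict(common)
        part["id"] = f"{declaration.get('id', 'declaration')}-part{n}"
        part.update((t, declaration[t]) for t in tenants[start:start + limit])
        parts.append(part)
    return parts
```

Before posting each part, check that references between tenants (for example to objects under /Common/Shared) still resolve on the target.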
751785 : DCD zone for devices in a service scaling group (SSG)
Component: BIG-IQ Application Management
Symptoms:
You cannot set the DCD zone from BIG-IQ for BIG-IP devices in an SSG.
Conditions:
BIG-IP devices in an SSG.
Impact:
All BIG-IP devices in the SSG are assigned to the default zone.
Workaround:
To change the zone for BIG-IP devices in an SSG from the default zone, you must do so via the API.
707476-1 : String properties break into multiple lines
Component: BIG-IQ Local Traffic & Management
Symptoms:
The BIG-IP UI adds a line feed (CR-LF) to the content type, so it breaks into multiple lines.
Conditions:
A property string is more than 256 characters long and contains a CR/LF inside the string.
Impact:
Discovery might fail, since the string cannot be parsed correctly.
Workaround:
You can work around this without losing any functionality by using tmsh to add the content instead of the BIG-IP user interface. The following is an example of how to handle such a case. Keep in mind that this is a single tmsh command, so it must be entered on one line.
(/Common)(tmos)#tmsh modify ltm profile http-compression httpcompression content-type-include replace-all-with {text/ application/vnd.ms-publisher "application/(xml|x-javascript|javascript|x-ecmascript|ecmascript)" "application/(word|doc|msword|winword|ms-word|x-word|x-msword|vnd.word|vnd.msword|vnd.ms-word)" "application/(xls|excel|msexcel|ms-excel|x-excel|x-xls|xmsexcel|x-ms-excel|vnd.excel|vnd.msexcel|vnd.ms-excel)" "application/(powerpoint|mspowerpoint|ms-powerpoint|x-powerpoint|x-mspowerpoint|vnd.powerpoint|vnd.mspowerpoint|vnd.ms-powerpoint|vnd.ms-pps)" "application/(mpp|msproject|x-msproject|x-ms-project|vnd.ms-project)" "application/(visio|x-visio|vnd.visio|vsd|x-vsd|x-vsd)" "application/(pdf|x-pdf|acrobat|vnd.pdf)"}
603979-8 : Data transfer from the BIG-IP system self IP might be slow
Component: REST Framework and TMOS Platform
Symptoms:
TCP traffic on a BIG-IP system using a self IP address may not correctly honor the MSS size specified during the connection establishment. The result is IP fragmentation of TCP segments sent out on the wire. The expected behavior is that TSO would package the TCP segments in a way that would not require fragmentation.
When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid; however, some routers drop such packets. This might result in retransmissions and low throughput.
Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.
This occurs only when TCP segmentation offload (TSO) is enabled and traffic is using a tmm interface. TSO is enabled by default.
Impact:
Data transfer from the BIG-IP system's self IP address might be slow or fail.
Workaround:
To work around this issue, you can disable TSO by issuing the following command:
ethtool -K tmm tso off
Note: This has a different effect from setting the db key tm.tcpsegmentationoffload to 'disable' (which is not a workaround for the issue).
Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/csp/#/article/K14397. For example,
alert tmmready "Tmm ready" {
    exec command="/sbin/ethtool -K tmm tso off"
}
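Added example, not from the release note: a small Python check for the DF+MF combination described above, run over constructed IPv4 headers such as you would pull from a packet capture on the path; the docstring gives the equivalent tcpdump filter for confirming the symptom on the wire.

```python
"""Detect IPv4 fragments carrying both DF and MF, the combination from issue
603979-8 that is RFC-valid but dropped by some routers.

Added example, not from the F5 release note. It works on raw IPv4 headers
(e.g. packet bytes read from a capture); the sample headers are constructed.
Equivalent BPF filter for tcpdump: 'ip[6] & 0x60 == 0x60'.
"""
import ipaddress
import struct

IP_FLAG_DF = 0x4000            # Don't Fragment
IP_FLAG_MF = 0x2000            # More Fragments
IP_FRAG_OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units


def ipv4_fragment_info(packet):
    """Return (df, mf, fragment_offset_bytes) decoded from an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return (bool(flags_frag & IP_FLAG_DF),
            bool(flags_frag & IP_FLAG_MF),
            (flags_frag & IP_FRAG_OFFSET_MASK) * 8)


def has_df_and_mf(packet):
    """True when a packet is a fragment (MF set) that also forbids fragmenting (DF set)."""
    df, mf, _offset = ipv4_fragment_info(packet)
    return df and mf


def suspect_packets(packets):
    """Indexes of packets in a capture that show the DF+MF combination."""
    return [i for i, pkt in enumerate(packets) if has_df_and_mf(pkt)]


def build_ipv4_header(flags_frag, total_length, src="10.0.0.1", dst="10.0.0.2"):
    """Construct a minimal 20-byte IPv4 header for TCP (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_length, 0x1234, flags_frag, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed capture: a normal DF-only segment, a DF+MF first fragment, its
# DF+MF continuation (offset 1480 bytes), and a plain MF fragment.
SAMPLE_PACKETS = [
    build_ipv4_header(IP_FLAG_DF, 1500),
    build_ipv4_header(IP_FLAG_DF | IP_FLAG_MF, 1500),
    build_ipv4_header(IP_FLAG_DF | IP_FLAG_MF | (1480 // 8), 1500),
    build_ipv4_header(IP_FLAG_MF | (1480 // 8), 1500),
]
```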
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/