Supplemental Document : BIG-IQ Centralized Management 7.1.0 :: Fixes and Known Issues

Applies To:

BIG-IQ Centralized Management

  • 7.1.0
Updated Date: 01/12/2021

BIG-IQ CM Release Information

Version: 7.1.0
Build: 1511.0

Functional Change Fixes

None


AppIQ Fixes

ID Number Severity Solution Article(s) Description
898445-2 3-Major   When user makes analytics retention configuration changes from UI, changes may not behave as expected
805457 3-Major   Error in UI and query service log when viewing raw DDoS attacks
804601 3-Major   Custom user role does not display application and application services statistics


BIG-IQ Device Management Fixes

ID Number Severity Solution Article(s) Description
781109 4-Minor   The "Export Inventory" button on the BIG-IP Devices page exports all managed devices


BIG-IQ Web Application Security (ASM) Fixes

ID Number Severity Solution Article(s) Description
893977 3-Major   BIG-IQ does not properly export to XML ASM Response Page Login Page default values
830153 3-Major   Deployment failure after upgrading BIG-IP devices running version 13.1 or earlier
867557 4-Minor   Unable to edit Web Application Security policy builder Learn from Responses option
858017 4-Minor   Users with viewer roles unable to create attack signature filter in the Web Application Security policy
817613 4-Minor   Filter for identifying signature by Signature ID

 

Cumulative fix details for BIG-IQ CM v7.1.0 that are included in this release

898445-2 : When user makes analytics retention configuration changes from UI, changes may not behave as expected

Component: AppIQ

Symptoms:
When a user makes analytics retention configuration changes from the UI, these changes are not reflected at the DB level, and retention does not work as configured in the UI.

Conditions:
Make changes in the UI, under the Analytics retention configuration for one or more of the following fields:
Keep real-time (raw) data up to:
Keep hourly data up to:
Keep daily data up to:
Keep monthly data up to:

Impact:
Retention will not behave as configured.
For example, if the raw data retention is configured for 10H and is changed to 20H, the retention mechanism might remain at the previous setting of 10H.

Workaround:
The workaround is to change the retention using the REST API and not the UI.
For example, to change the real-time (raw) retention:
1. Get the current configuration of the raw index (tl0):
https://10.240.21.201/mgmt/ap/config/v1/platform-config/resources/a/es-index-statistics-tl0
2. From the returned JSON, find the retentionTime field.
3. Manually change the field to the desired value.
4. Send back the JSON with the changed value of retention using a PATCH to the same URL.

If you want to change the retention for other fields:
Keep hourly data up to:
Keep daily data up to:
Keep monthly data up to:

Then change, respectively, the URL ending with:
es-index-statistics-tl1
es-index-statistics-tl2
es-index-statistics-tl3
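
The workaround above as a script (an added example, not F5 code), with a re-read after the PATCH to confirm the value was actually stored. It assumes token authentication through the X-F5-Auth-Token header and that retentionTime appears exactly once in the returned JSON; pass the new value in the same unit and format the GET returned.

```python
import copy
import json
import ssl
import urllib.request

# Base path and index names are taken from the workaround text.
BASE_PATH = "/mgmt/ap/config/v1/platform-config/resources/a/"
TIER_RESOURCE = {
    "raw": "es-index-statistics-tl0",      # Keep real-time (raw) data up to
    "hourly": "es-index-statistics-tl1",   # Keep hourly data up to
    "daily": "es-index-statistics-tl2",    # Keep daily data up to
    "monthly": "es-index-statistics-tl3",  # Keep monthly data up to
}


def resource_url(host, tier):
    """Build the platform-config URL for one retention tier."""
    if tier not in TIER_RESOURCE:
        raise ValueError(f"unknown tier {tier!r}; expected one of {sorted(TIER_RESOURCE)}")
    return f"https://{host}{BASE_PATH}{TIER_RESOURCE[tier]}"


def find_retention_paths(doc, path=()):
    """Return every key path at which a retentionTime field occurs."""
    found = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            if key == "retentionTime":
                found.append(path + (key,))
            else:
                found.extend(find_retention_paths(value, path + (key,)))
    elif isinstance(doc, list):
        for index, value in enumerate(doc):
            found.extend(find_retention_paths(value, path + (index,)))
    return found


def value_at(doc, path):
    """Follow a key path produced by find_retention_paths."""
    for key in path:
        doc = doc[key]
    return doc


def with_retention(doc, new_value):
    """Return a copy of doc with retentionTime replaced; refuse ambiguous input."""
    paths = find_retention_paths(doc)
    if len(paths) != 1:
        raise ValueError(f"expected exactly one retentionTime field, found {len(paths)}")
    updated = copy.deepcopy(doc)
    value_at(updated, paths[0][:-1])["retentionTime"] = new_value
    return updated


def http_call(url, token, method="GET", body=None, cafile=None):
    """Send one authenticated JSON request; TLS verification stays enabled."""
    context = ssl.create_default_context(cafile=cafile)
    data = json.dumps(body).encode("utf-8") if body is not None else None
    # Assumption: the BIG-IQ accepts a token in the X-F5-Auth-Token header.
    headers = {"X-F5-Auth-Token": token, "Content-Type": "application/json"}
    request = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        raw = response.read()
    return json.loads(raw) if raw else None


def set_retention(host, tier, new_value, token, cafile=None, call=http_call):
    """Steps 1-4 of the workaround, then a re-read to confirm the stored value."""
    url = resource_url(host, tier)
    current = call(url, token, cafile=cafile)
    patched = with_retention(current, new_value)
    call(url, token, method="PATCH", body=patched, cafile=cafile)
    after = call(url, token, cafile=cafile)
    paths = find_retention_paths(after)
    return len(paths) == 1 and value_at(after, paths[0]) == new_value


if __name__ == "__main__":
    # Constructed sample document; the real response shape may differ.
    sample = {"name": "es-index-statistics-tl0", "settings": {"retentionTime": 10}}
    print(json.dumps(with_retention(sample, 20), indent=2))
```

set_retention returns False when the re-read still shows the old value, which is the same silent mismatch this issue causes in the UI.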

Fix:
Retention configuration changes for BIG-IQ v7.1 have been corrected, and changes in the UI behave as expected.


893977 : BIG-IQ does not properly export to XML ASM Response Page Login Page default values

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When the BIG-IQ exports an ASM Security Policy to XML, the Response Page: Login Page response is not properly included when set to default value (Default Response).

Conditions:
1. ASM Security Policy in BIG-IQ has Response Page: Login Page response set to default value (Default Response).

2. Export ASM Security Policy as XML.

Impact:
Response Page: Login Page response information (header and body) is missing from the XML. Importing the XML into BIG-IP will result in incomplete information for Response Page: Login Page.

Note that when BIG-IQ Deploys new policies to BIG-IPs it will export the ASM Security Policy as XML and then import it into the BIG-IP, triggering this issue if the Response Page: Login Page response value is default. This process is an internal process that occurs when a new policy, with default values, is introduced to a BIG-IP via BIG-IQ.

Workaround:
Ensure that ASM Security Policies on BIG-IQ have a Custom Response (instead of Default Response) in the Response Page: Login Page. This Custom Response can contain the exact same headers and body found in the Default Response; they do not need to be altered.

Fix:
Response page login default values are exported to XML as expected. No error is reported in ASM log.


867557 : Unable to edit Web Application Security policy builder Learn from Responses option

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The Web Application Security policy building option "Learn from Responses" checkbox is grayed out in the BIG-IQ GUI, even though the setting can be edited within BIG-IP.

Conditions:
1. Import a BIG-IP device with ASM provisioned and configured policy builder.

2. Try to edit the 'Learn from Response' option in the BIG-IQ GUI for the imported ASM policy.

Impact:
The learn from response option cannot be edited using the BIG-IQ GUI.

Fix:
You can now edit an imported ASM policy to 'Learn from Response', using the BIG-IQ GUI.


858017 : Users with viewer roles unable to create attack signature filter in the Web Application Security policy

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
A user with viewer system privileges is unable to create advanced filters for Attack Signatures in the Attack Signatures subsection of Policies because the Query Parameters are grayed out. However, they are able to create advanced filters for Attack Signatures in the "global" section without issue.

Conditions:
1. Create user with role of Web Application Security Viewer and log into the BIG-IQ GUI.
2. Go to Configuration -> Security -> Web Application Security -> Attack Signatures.
3. Click the Advanced Filter option and then click Create.
4. Note that the Query parameters can be modified; for example, the Source drop-down can be selected.
5. Go to Configuration -> Security -> Web Application Security -> select any policy -> Attack Signatures.
6. Click the Advanced Filter option and then click Create.
7. Note that the Query parameters *CANNOT* be modified; for example, the Source drop-down is now grayed out.

Impact:
Certain user roles cannot create an advanced filter for attack signatures list within a Web Application Security policy.

Fix:
Advanced filters can now be created for attack signatures within the Web Application Security policy, regardless of user role.


830153 : Deployment failure after upgrading BIG-IP devices running version 13.1 or earlier

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Following an upgrade, deployment fails for devices that have an ASM child policy and run an unsupported device version. For managed BIG-IP devices running v13.1 (or earlier), there is an inconsistency between the way the threat-campaign inheritance section is populated during upgrade and how it is populated during discovery of an unsupported device version.

Conditions:
1. Discover & import a device v13.1.0 (or earlier) with at least one child policy
2. Evaluate a deployment in ASM module
3. See differences in threat-campaigns inheritance section
4. Deploy devices

Impact:
Device deployment fails following the upgrade.

Fix:
Following an upgrade, deployment of unsupported devices is not affected by inheritance settings applied to newer device versions, and deployment occurs as expected.


817613 : Filter for identifying signature by Signature ID

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Identifying signatures using the signature's ID was unavailable for managing Web Application Security signature sets.

Conditions:
1. Go to your Web Application Security signature sets: Configuration > SECURITY > Web Application Security > Signature Sets.
2. Select SELECT SIGNATURES.
3. No option to filter by signature ID under Selected Signatures.

Impact:
No way to filter by signature ID.

Fix:
Signature ID search is now supported by BIG-IQ.


805457 : Error in UI and query service log when viewing raw DDoS attacks

Component: AppIQ

Symptoms:
When navigating to raw attacks from an ongoing DDoS attack's dashboard (Monitoring -> DASHBOARDS -> DDoS -> Protection Summary: Selected Attack), the UI and query service log show a TEMPLATE_MALFORMED error message.

Conditions:
1. Generate a DDoS attack with more than one raw attack - an attack on multiple BIG-IP devices or an attack with multiple attack vectors.
2. Go to Monitoring->DASHBOARDS->DDoS->Protection Summary.
3. Go to the attack page by clicking the active attack id.
4. Select "Raw Attacks" under "ATTACKED ENVIRONMENTS".

Impact:
A TEMPLATE_MALFORMED error is shown in the charts area of the UI, and chart data is not shown.

A TEMPLATE_MALFORMED error message is shown in the query service log file.

Fix:
Fixed RawAttackIds API to support returning multiple attack IDs.


804601 : Custom user role does not display application and application services statistics

Component: AppIQ

Symptoms:
When configuring a custom application manager user, the user might not be able to view applications and application services statistics.
This occurs even when the Application Editor role is added to the settings of the user.

Conditions:
1. Create a user, assign them the Application Editor role, and give that role access to edit AS3 templates.

2. Create an application and application service with live traffic.

3. Provide permission for the Application Editor role to view the application and application services.

4. Sign in as the Application Editor.

5. Navigate to Applications or Application services.

Impact:
Statistics display as NO DATA.

Workaround:
Remove the Application Editor role from the user, and configure specific permissions manually for the role of an application editor.

Fix:
Fixed retrieval of statistics that fall under conflicting RBAC permissions, which fixes the application editor statistics display issue.


781109 : The "Export Inventory" button on the BIG-IP Devices page exports all managed devices

Component: BIG-IQ Device Management

Symptoms:
Even if you select specific managed devices to export to a csv file, when you click the Export Inventory button, BIG-IQ exports all devices.

Conditions:
When you select specific managed devices and click the Export Inventory button from the BIG-IP Devices page.

Impact:
BIG-IQ creates a csv file containing all managed devices in the BIG-IP Devices list, rather than only the selected devices.

Workaround:
N/A

Fix:
Now, if you select specific devices and click the "Export Inventory" button, only the selected devices are included in the csv file. If you do not select a device, all devices are included in the csv file.



Known Issues in BIG-IQ CM v7.1.x


BIG-IQ Configuration - Local Traffic Issues

ID Number Severity Solution Article(s) Description
859709 3-Major   Full name of the default pool does not display on the LTM virtual server properties screen
899213 4-Minor   Contents column for a certificate changes from RSA Key to RSA Certificate & Key when you use the Name filter to find it
891001 4-Minor   Viewing virtual servers with certain properties, sometimes makes it appear that you made revisions to them
843109 4-Minor   Using an incorrect password to import a certificate from BIG-IP does not result in an error message
828617 4-Minor   BIG IQ:GUI Cert/key page does not generate reports for all certificates


BIG-IQ Configuration - Network Issues

ID Number Severity Solution Article(s) Description
845713 4-Minor   BIG-IQ does not create a self IP when floating IP option is enabled


BIG-IQ Configuration - Security - Shared Security Issues

ID Number Severity Solution Article(s) Description
812717-1 3-Major   Some logging profiles do not display after upgrading to BIG-IQ v7.0.0


BIG-IQ Deployment - Evaluate & Deploy Issues

ID Number Severity Solution Article(s) Description
888749 4-Minor   Creating an Evaluation/Deployment creates a Snapshot which may be difficult to delete.


BIG-IQ Device User Interface Issues

ID Number Severity Solution Article(s) Description
888813 3-Major   When you manage software upgrades or GeoIP databases in an HA configuration, you must upload the files in both the active and stand-by devices.
827297 4-Minor   Sorting Certificates and Keys columns


BIG-IQ Monitoring - Dashboards & Reports Issues

ID Number Severity Solution Article(s) Description
759069 3-Major   Full access session variables on BIG-IQ
868577 5-Cosmetic   Phishing alerts with URI containing 'extended' ASCII chars are encoded incorrectly while forwarding to WebSafe


BIG-IQ Monitoring - Logs Issues

ID Number Severity Solution Article(s) Description
809149-1 3-Major   Attempting to enable remote logging configuration


BIG-IQ Search Issues

ID Number Severity Solution Article(s) Description
891353-1 4-Minor   Cannot open online help results from finder menu
841949 4-Minor   Unable to create topology record for DNS with Data Center as the destination
827009-1 4-Minor   BIG-IQ UI returns an error when you sort on a description column in a list


BIG-IQ System User Interface Issues

ID Number Severity Solution Article(s) Description
890129 2-Critical   Bot profile requires manual role-type configuration
843305-5 3-Major   Users assigned to custom roles cannot deploy objects to BIG-IP devices
824081 3-Major   If a BIG-IP device software ISO image upload fails, subsequent upload attempts also fail
812373 3-Major   Elasticsearch split brain situation when service is forced to restart
865285 4-Minor   Setting the Zone on the BIG-IQ General Properties page is not effective
862357 4-Minor   UI does not display entries after SNMP access configuration
828605 4-Minor   Pre-upgrade test script
813665 4-Minor   Discovery and management IP address are out of sync once tmsh operation used to change management IP address


BIG-IQ Access Issues

ID Number Severity Solution Article(s) Description
903149 3-Major   Cannot edit and save Remote Desktop configurations
903121 3-Major   Evaluation and deployment failure: error obtaining aclOrder value for Remote Desktop objects
900469 3-Major   Customization Type field is missing for Webtop Lists objects
900413 3-Major   Configuration tab is not available for users with Access Auditor role
899609 3-Major   Deployment of an imported Existing Application SSLO topology may fail from BIG-IQ
899069 3-Major   Deployment of an access policy with LDAP Group agent fails
868865 3-Major   Message details are not visible for BIG-IP 15.0.x devices
900849 4-Minor   Issues with Save & Next button after BIG-IP upgrade in an SSLO topology running RPM version 5.4
892901 4-Minor   After using the Remove SSL Orchestrator Configuration button in 5.X SSL Orchestrator RPM versions, the topology deployment fails
871701 4-Minor   Access reports may be missing
807385-1 4-Minor   Egress gateway pool unselect empty the dropdown


BIG-IQ Local Traffic & Management Issues

ID Number Severity Solution Article(s) Description
901277 3-Major   HTTP2 Monitors are not supported
863605 3-Major   LTM policy gets removed from VIP when making changes to VIP & deploying them via BIG-IQ
901465 4-Minor   Save and Close button is not enabled in pool details page after adding pool members
900453 4-Minor   Deleting a BIG-IP VE in an Azure cloud
900389 4-Minor   Creating a tunnel on a BIG-IP device in an HA cluster
899737 4-Minor   Cannot create BIG-IP VE on Azure if the VE name contains special characters
830337-1 4-Minor   Network object VLAN is device specific object


BIG-IQ App Visibility and Reporting (AVR) Issues

ID Number Severity Solution Article(s) Description
782241 4-Minor   VCMP host reports disc usage stats to BIG-IQ while all other health parameters are not reported


AppIQ Issues

ID Number Severity Solution Article(s) Description
832801 2-Critical   BIG-IP with FIPS and BIG-IQ analytics iApp may become inaccessible
804213 2-Critical   BIG-IQ cannot handle same AVR profile for BIG-IP V13.x and V14.x
898341 3-Major   BIG-IP may stop sending statistics following a DCD reboot
876565-1 3-Major   Log files in /var/log/appiq not removed after 10 days
872237 3-Major   Analytics iApp causes CPU spikes
838265 3-Major   Agentmanager should not depend on elasticsearch cluster status to start
825301-1 3-Major   The BIG-IQ Analytics iApp fails to execute on managed BIG-IP
812065 3-Major   Pools & pool-member stats are not collected after upgrade


BIG-IQ Configuration - Infrastructure Issues

ID Number Severity Solution Article(s) Description
901145 3-Major   Save and close button in adding pool member screen is only enabled if a description is added for the pool member
901065 3-Major   Restore task for siloed configuration may not return expected results
840101 3-Major   ElasticSearch snapshot view
851853 4-Minor   iApp object's monitors and profiles do not get deleted


BIG-IQ Device Management Issues

ID Number Severity Solution Article(s) Description
721768 3-Major   If you change the unique ID of a managed BIG-IP device, BIG-IQ displays the BIG-IP device and its objects twice
900573 4-Minor   A declarative onboarding (DO) request without "BigIqSettings" in API
893505 4-Minor   Onboarding of a BIG-IP from a standby BIG-IQ configured in an HA pair
891569 4-Minor   Erroneous uploads are not deleted when the database is not saved
883913 4-Minor   GeoIP Database Management: If a remote command freezes while updating a BIG-IP device, it can block subsequent new GeoIP Database update attempts from starting.
781061-1 4-Minor   Device Type is Unmanaged in license pool if the device is licensed by BIG-IQ before importing
899013 5-Cosmetic   Onboarded devices display as unmanaged on Licenses page


REST Framework and TMOS Platform Issues

ID Number Severity Solution Article(s) Description
796601-1 2-Critical   Invalid parameter in errdefsd while processing hostname db_variable
903229 3-Major   Pruning of expired backups fails due to a failed query.
900889 3-Major   After copying the ISO file to a DCD fails during a BIG-IQ cluster upgrade, retrying the upgrade fails because the previous file copy is reported in progress.
900625 3-Major   ISO file fails to copy to DCD during regular BIG-IQ DCD cluster upgrade
893653 3-Major   Hierarchical privileges to unlock Security Objects are missing
890029 3-Major   After upgrading to BIG-IQ version 7.1, client certificate authentication fails
860473 3-Major   Connection timeout is not configurable for the TACACS+ authentication provider
832753 3-Major   IPV6 HA management addresses in local IPV6 subnet unreachable when IPv6 gateway down
823565 3-Major   BIG-IQ REST framework JVM process crashing intermittently
822225 3-Major   Cancelling a queued deployment evaluation task
821381 3-Major   Client certificate authentication settings are not preserved after upgrading from BIG-IQ v7.0.0 to v7.0.0.1
813121-1 3-Major   URIs are not inflated error on deployment
902349 4-Minor   BIG-IQ CM has itself as DCD and cannot be removed
901969 4-Minor   Users created during heavy rbac procedures may be unable to login until fully processed
900857 4-Minor   A failed upgrade seems to still be in progress, so you can't start a new upgrade.
900697 4-Minor   The timezone used in the Postgres log files is different than the timezone used in the restjavad log files
900597 4-Minor   UCS created while in setup mode cannot be restored
900565 4-Minor   Error message when creating Auto Failover of BIG-IQ High Availability cluster
900557 4-Minor   CRMD core file is returned if create a BIG-IQ auto failover HA config and then create a manual HA configuration
898665 4-Minor   Adding a peer BIG-IQ to HA configuration after primary BIG-IQ was reset to standalone
892041 4-Minor   New BIG-IQ first-time installation with IPv6 management port
882121-2 4-Minor   Global config items are not indexed when objects have over 2000 fields
839349 4-Minor   Boot-marker logline added not only to most recent files but also to older files
812097 4-Minor   Elasticsearch may crash and create core file when too little memory is allocated to BIG-IQ


BIG-IQ System Issues

ID Number Severity Solution Article(s) Description
899329 4-Minor   When exiting setup mode BIG-IQ returns a 502 error


General BIG-IQ User Experience Issues

ID Number Severity Solution Article(s) Description
842605 4-Minor   Log in fails when BIG-IQ is not in operational state


BIG-IQ Web Application Security (ASM) Issues

ID Number Severity Solution Article(s) Description
863613 3-Major   Changes in parent policy-builder settings might need a second deploy to sync child policies
811773-1 3-Major   BIG-IQ Web Application Security event log page does not list events after upgrade to BIG-IQ v7.0
901689 4-Minor   L7 Dashboard grid does not report number of DoS attacks correctly


BIG-IQ Shared Security Issues

ID Number Severity Solution Article(s) Description
899885 3-Major   Cannot remove Behavioral DoS template, once selected


BIG-IQ Application Management Issues

ID Number Severity Solution Article(s) Description
900445 2-Critical   BIG-IQ allows you to delete peer device with legacy application service
902081 3-Major   AS3 template UI cannot set persistenceMethods to an empty array
900397 3-Major   BIG-IQ UI doesn't display an error message when you try to remove services from a device with a legacy application service deployed on it
899789 3-Major   Updates to legacy application service pool members or virtual servers deployed on a BIG-IP cluster are not displayed
898925 3-Major   Analytics are not available for legacy application services because the BIG-IP cluster is not in sync
898609 3-Major   LTM policy and firewall policy limitations within the BIG-IQ AS3 template UI
894077 3-Major   User can deploy an application using a template to which you did not explicitly specify permissions.
890329 3-Major   When creating a service catalog application service, sometimes the deployment fails
862701 3-Major   Azure SSG f5-cloud-libs can fail if scale-out of more than one device.
862697 3-Major   Initial deployment or scale-out of BIG-IP VE devices to an SSG in an Azure cloud fails with a 409 error
900577 4-Minor   Orphaned objects in topology and virtual server disappear when trying to disable a virtual server or pool member from the Configuration Tab
899601 4-Minor   Number of services in the SSL Orchestrator topology list page shows 0 for imported topologies
899321 4-Minor   BIG-IQ allows you to create a service scaling group (SSG) for AWS with an invalid name
899285 4-Minor   After you upgrade to version 7.1, imported AS3 application service configurations on the BIG-IQ might not be marked as AS3
898641 4-Minor   AS3 application deployment UI: persistence method(s), iRule & Firewall Address List do not render values from template correctly
898489 4-Minor   Deleting an in-use template leaves application creator roles in undefined state in role editor
898133 4-Minor   Force-Delete API does not support service catalog application services on SSGs
888553 4-Minor   Error while updating AS3 Application: New endpoint mgmt/shared/appsvcs/info was not up in 60 seconds.
887301 4-Minor   AS3 dashboard lists an incorrect number of servers if the AS3 declaration specifies an fqdn member that includes both hostname and serverAddresses
811069 4-Minor   Overriding deeply nested fields in AS3 Templates can cause them to appear at deployment time.
801581 4-Minor   L7 Security Dashboard and Application Dashboard do not display enforcement mode updates to AS3 applications
892609 5-Cosmetic   GSLB/DNS objects that are part of an AS3 application are editable using the Configuration tab

 

Known Issue details for BIG-IQ CM v7.1.x

903229 : Pruning of expired backups fails due to a failed query.

Component: REST Framework and TMOS Platform

Symptoms:
Once a backup is expired it is supposed to be deleted by global pruning schedule (GPS) that runs at around 1AM on every BIG-IQ device. However, this pruning of expired backups fails due to an invalid query.

Conditions:
BIG-IQ is configured and is running.

Impact:
Expired BIG-IQ backups are not pruned and a warning is logged.

Workaround:
Manually select and delete the expired backups.


903149 : Cannot edit and save Remote Desktop configurations

Component: BIG-IQ Access

Symptoms:
Save and Save & Close buttons are not enabled when a Remote Desktop object within an Access Group is opened and edited in BIG-IQ.

Conditions:
This issue may occur when a Remote Desktop configuration was created on a managed BIG-IP device running version 15.1 and later and it was discovered and imported into the BIG-IQ.

Impact:
May not be able to edit and save the configurations containing Remote Desktop within an Access Group on BIG-IQ.

Workaround:
To remedy this issue, assign the Remote Desktop object to an aclOrder.
You can define aclOrder for a Remote Desktop object using the following APIs:

For Remote Desktop - Citrix
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/citrix

For Remote Desktop - RDP
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/rdp

For Remote Desktop - VMWare
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/vmware-view

After defining the aclOrder for the Remote Desktop objects, you will be able to save and edit the configuration.


903121 : Evaluation and deployment failure: error obtaining aclOrder value for Remote Desktop objects

Component: BIG-IQ Access

Symptoms:
Evaluation and deployment of Access Groups containing a Remote Desktop configuration may fail and display the following error: Critical error: Error getting aclOrder value on object.

Conditions:
This error may occur if a Remote Desktop object was created on a managed BIG-IP running version 15.1 or later and it was discovered and imported into BIG-IQ.

Impact:
You may not be able to deploy configurations containing Remote Desktop objects to target BIG-IP devices from BIG-IQ.

Workaround:
To resolve this issue, you can define aclOrder for a Remote Desktop object using the following APIs:

For Remote Desktop - Citrix
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/citrix

For Remote Desktop - RDP
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/rdp

For Remote Desktop - VMWare
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/vmware-view

After defining the aclOrder for the Remote Desktop objects, you should be able to successfully evaluate and deploy this configuration to managed BIG-IP devices.


902349 : BIG-IQ CM has itself as DCD and cannot be removed

Component: REST Framework and TMOS Platform

Symptoms:
The CM is listed as a DCD on the Data Collection page, and an error occurs when you attempt to remove it.

Conditions:
This occurs when you change the system personality of a BIG-IQ from DCD to CM after initial setup.

Impact:
DCD grid page lists the local CM as a Data Collection Device.

Workaround:
After changing the system personality to a CM from a DCD, find your machine-Id at /config/f5-rest-device-id:

cat /config/f5-rest-device-id

That ID is used to update the device property:

restcurl -d '{"properties":{"isLoggingNode":false}}' -X PATCH "/shared/resolver/device-groups/cm-esmgmt-logging-group/devices/[machineid]"


902081 : AS3 template UI cannot set persistenceMethods to an empty array

Component: BIG-IQ Application Management

Symptoms:
AS3 template UI does not provide a way to set persistenceMethods to an empty array.

Conditions:
When you want the connection to persist (e.g., when performing a demo of round-robin load balancing), the persistenceMethods property needs to be set to an empty array: "persistenceMethods": [],

Impact:
It is not possible to set the persistenceMethods property to an empty array in the BIG-IQ AS3 UI template.

Workaround:
Use the API to set "persistenceMethods": [] in the template.


901969 : Users created during heavy rbac procedures may be unable to login until fully processed

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ users created during heavy rbac procedures cannot log in immediately after creation.

Conditions:
Heavy rbac operations (e.g., creating role groups / role types with multiple item types and bulk references, legacy app creation).

Impact:
Users created during these bulk processing times cannot log in until the previous bulk operations are done.

Workaround:
Wait until the previous bulk operations are done before logging in.


901689 : L7 Dashboard grid does not report number of DoS attacks correctly

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The grid for the L7 Security Dashboard does not report attack data, even when objects are under attack.

Conditions:
Go to Monitoring > DASHBOARDS > L7 Security Dashboard
Run a DoS L7 attack
View the attacks in the summary bar (confirming attacks)
View the DoS attacks column in the grid, all report "No Data"

Impact:
No DoS attack count data for column in object grid.


901465 : Save and Close button is not enabled in pool details page after adding pool members

Component: BIG-IQ Local Traffic & Management

Symptoms:
After you add a pool member to the local traffic configuration of a device, the Save and Close button is not enabled.

Conditions:
Navigate to Configuration > Local Traffic > Pool

Try to add one pool member to that pool and note that the Save and Close button is not enabled.

Impact:
You cannot add a pool member to a managed device's Local Traffic configuration.

Workaround:
If you also add text to the description field for the new pool member the Save and Close button is enabled.


901277 : HTTP2 Monitors are not supported

Component: BIG-IQ Local Traffic & Management

Symptoms:
When you try to discover a BIG-IP device that is version 15 and later, it might fail because BIG-IQ can't find an HTTP monitor path.

Conditions:
HTTP2 Monitor type is not supported. So if a device has a pool or pool member that uses HTTP2 monitor type, then discovery will fail.

Impact:
BIG-IQ cannot manage pools or pool monitors that use HTTP2 monitor.

Workaround:
Remove the HTTP2 monitor from the pool and/or pool member and then try to discover the device again.


901145 : Save and close button in adding pool member screen is only enabled if a description is added for the pool member

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
When adding a pool member in the Configuration > Local Traffic > Pool screen, the "Save and Close" button is only enabled once a description is added for the pool member.

Conditions:
Adding a pool member without adding a description.

Impact:
Pool members cannot be added without a description.

Workaround:
Add text to the description when adding a pool member.


901065 : Restore task for siloed configuration may not return expected results

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
If the Snapshot options are selected before selecting the Restore Siloed Configuration option in the Deployment > Restore > Local Traffic & Network > Create screen, the restore task returns unexpected results.

Conditions:
Configuring the Snapshot options before selecting the Restore Siloed Configuration option, when creating a restore task for a siloed configuration.

Impact:
Restore task returns unexpected results.

Workaround:
When creating a restore task for a siloed configuration, make sure to select the Restore Siloed Configuration option and silo before selecting the Snapshot options.


900889 : After copying the ISO file to a DCD fails during a BIG-IQ cluster upgrade, retrying the upgrade fails because the previous file copy is reported in progress.

Component: REST Framework and TMOS Platform

Symptoms:
Occasionally, during a BIG-IQ and DCD cluster upgrade, copying the ISO file from the console node to a DCD fails. The cluster is therefore rolled back to the previous version. Retrying the upgrade sometimes fails with the following error:
"Software installation failed for device <DCD IP address> due to Device installation failed due to Software image BIG-IQ-7.1.0.iso copy to <DCD IP address> failed due to: An upload with the same file name is already taking place. Simultaneous uploads of the same file name are not supported."

Conditions:
1. Execute an upgrade of a BIG-IQ DCD cluster, which fails on the step that copies the ISO file from the console node to a DCD.
2. Retry the upgrade and fail again with the error message:
"Software installation failed for device <DCD IP address> due to Device installation failed due to Software image BIG-IQ-7.1.0.iso copy to <DCD IP address> failed due to: An upload with the same file name is already taking place. Simultaneous uploads of the same file name are not supported."

Impact:
Cluster upgrade fails.

Workaround:
If this error occurs:
1. Manually copy the iso file from the BIG-IQ /shared/images/ directory to the DCD /shared/images/ directory.
2. Restart the cluster upgrade. The upgrade process uses the iso file on the DCD and skips the step that copies the iso file.

The upgrade then completes normally.


900857 : A failed upgrade seems to still be in progress, so you can't start a new upgrade.

Component: REST Framework and TMOS Platform

Symptoms:
If an individual BIG-IQ or BIG-IQ/DCD cluster upgrade fails, BIG-IQ is supposed to roll back to the previous version and classify the upgrade task as FAILED.
Under certain circumstances, the failed upgrade task is left in an inconsistent state, with "status": "STARTED". This prevents BIG-IQ from starting a new upgrade task, because it appears that the upgrade task that failed is still in progress. There is no way for the user to find and cancel the failed upgrade task using the GUI.

Conditions:
This problem was initially discovered while trying to upgrade a BIG-IQ HA pair (primary and standby). Removing the standby node failed, which caused the upgrade task to fail without setting the upgrade status correctly.

It is possible that there are other failure conditions that could leave the upgrade task status in the STARTED state instead of the FAILED state.

Impact:
After a failed upgrade, subsequent attempts to upgrade fail because the BIG-IQ thinks a previous upgrade is still in progress.

Workaround:
Before you can update the BIG-IQ, you need to find and change the upgrade task status from STARTED to CANCELED. You can do this with a sequence of REST commands.

The command you use to find the failed status depends on whether you are performing a Regular or Rolling upgrade.

1. Log in to the BIG-IQ command line interface (CLI) as root.
2. Use the appropriate REST command to find the failed status.
  * To find the failed status setting for a Regular upgrade, run the following command:
    restcurl /cm/shared/esmgmt/upgrade/regular/

  * To find the failed status setting for a Rolling upgrade, run the following command:
    restcurl /cm/shared/esmgmt/upgrade/rolling/

3. Use the following REST command to view the individual upgrade task:
restcurl /cm/shared/esmgmt/upgrade/regular/d1f8f1b2-d9b6-4a65-92a8-de4728b6e05e
{
  "id": "d1f8f1b2-d9b6-4a65-92a8-de4728b6e05e",
  "kind": "cm:shared:esmgmt:upgrade:regular:regularclusterupgradeprocesstaskstate",
  "name": "regular_upgrade_4_16_2020",
  "status": "STARTED",
  "selfLink": "https://localhost/mgmt/cm/shared/esmgmt/upgrade/regular/d1f8f1b2-d9b6-4a65-92a8-de4728b6e05e",
  ...
}

4. Change the upgrade task status to CANCELED:
restcurl -X PATCH /cm/shared/esmgmt/upgrade/regular/d1f8f1b2-d9b6-4a65-92a8-de4728b6e05e -d '{ "status": "CANCELED" }'

After you cancel the upgrade task that failed, you can upgrade the BIG-IQ.
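
Steps 2 to 4 as an added example (not F5 code): it reads a task listing saved from one of the restcurl commands above and builds the step 4 command for each task still marked STARTED. It assumes the listing wraps its tasks in an "items" array; the sample listing is constructed from the task shown in step 3.

```python
import json
import re

# REST paths and the CANCELED status value come from the workaround text above.
UPGRADE_PATHS = {
    "regular": "/cm/shared/esmgmt/upgrade/regular/",
    "rolling": "/cm/shared/esmgmt/upgrade/rolling/",
}
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def stale_upgrade_tasks(listing_json):
    """Return (id, name) pairs for tasks whose status is still STARTED."""
    doc = json.loads(listing_json)
    # Assumption: a listing wraps its tasks in an "items" array. A single
    # task object (the step 3 output) or a bare list is accepted as well.
    tasks = doc.get("items", [doc]) if isinstance(doc, dict) else doc
    stale = []
    for task in tasks:
        if not isinstance(task, dict) or task.get("status") != "STARTED":
            continue
        task_id = str(task.get("id", ""))
        # The id ends up on a root command line, so accept only the UUID
        # form shown in step 3 and skip anything else.
        if UUID_RE.fullmatch(task_id):
            stale.append((task_id, task.get("name", "")))
    return stale


def cancel_command(upgrade_type, task_id):
    """Build the step 4 PATCH command for one task."""
    if not UUID_RE.fullmatch(task_id):
        raise ValueError("unexpected task id: %r" % task_id)
    return ("restcurl -X PATCH %s%s -d '{ \"status\": \"CANCELED\" }'"
            % (UPGRADE_PATHS[upgrade_type], task_id))


# Constructed sample listing: the first task is the one shown in step 3,
# the second is made up to show that tasks already marked FAILED are skipped.
SAMPLE_LISTING = json.dumps({"items": [
    {"id": "d1f8f1b2-d9b6-4a65-92a8-de4728b6e05e",
     "name": "regular_upgrade_4_16_2020", "status": "STARTED"},
    {"id": "00000000-0000-4000-8000-000000000001",
     "name": "constructed_earlier_upgrade", "status": "FAILED"},
]})

if __name__ == "__main__":
    for task_id, name in stale_upgrade_tasks(SAMPLE_LISTING):
        # Confirm that no upgrade is really running before using the command.
        print(name)
        print(cancel_command("regular", task_id))
```

The script only prints commands, so the decision to cancel a task stays with the operator who can confirm that the task really is the failed one.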


900849 : Issues with Save & Next button after BIG-IP upgrade in an SSLO topology running RPM version 5.4

Component: BIG-IQ Access

Symptoms:
After upgrading BIG-IP from any 14.x version to any 15.x using BIG-IQ, editing a deployed SSL Orchestrator topology running RPM 5.4 will trigger an error which makes it impossible to save the SSLO configuration and proceed to the next step.

Conditions:
This issue may occur after upgrading from any 14.x BIG-IP version to any 15.x BIG-IP version within BIG-IQ.

Impact:
User cannot edit a deployed topology after upgrading a BIG-IP image from 14.X to 15.X through BIG-IQ.

Workaround:
To resolve this issue, follow the steps in the order shown:
1. Re-deploy the security policy used by the topology before editing the topology. Remove all devices from the device page, add the devices back, then re-deploy the policy.
2. Edit the SSLO topology in a topology workflow. Click the topology icon in the first step of the wizard. Do not click Save & Next, and instead click the interception rule icon in the wizard. Update the Access profile in the interception rule page, click Save, and deploy the topology.


900697 : The timezone used in the Postgres log files is different than the timezone used in the restjavad log files

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ always specifies the timezone in the Postgres log files in the Pacific time zone, regardless of the local timezone in which the BIG-IQ is installed.

BIG-IQ specifies the timezone in the restjavad log files using the local timezone in which the BIG-IQ is installed.

Conditions:
1. On a BIG-IQ running version 7.1 or newer that is located somewhere other than the Pacific time zone, log in to the BIG-IQ using the command line interface.
2. Navigate to /var/log/postgres.
3. Open the postgres log file. The name of the file will be similar to postgresql-2020-04-17.log.
4. Note that the time is set to the Pacific time zone.

Impact:
Users might be confused as to why the zones are different and why they need to convert the Postgres log time to local time.

Workaround:
N/A


900625 : ISO file fails to copy to DCD during regular BIG-IQ DCD cluster upgrade

Component: REST Framework and TMOS Platform

Symptoms:
When you upgrade a BIG-IQ that uses a DCD cluster to collect statistics for a large number of BIG-IP devices, the upgrade step that copies the iso file from the console node to the DCD can fail. The BIG-IQ displays the error message:
"Software image BIG-IQ-7.1.0.iso copy to <DCD IP address> failed due to Connection timeout, cause: null"

Conditions:
1. Start a regular upgrade of a BIG-IQ DCD cluster that is scaled out to manage a large number of BIG-IP devices.
2. The upgrade fails and displays the error message: "Software image BIG-IQ-7.1.0.iso copy to <DCD IP address> failed due to Connection timeout, cause: null"

Impact:
Cluster upgrade fails.

Workaround:
If this error occurs:
1. Manually copy the iso file from the BIG-IQ /shared/images/ directory to the DCD /shared/images/ directory.
2. Restart the cluster upgrade. The upgrade process uses the iso file on the DCD and skips the step that copies the iso file.

The upgrade then completes normally.


900597 : UCS created while in setup mode cannot be restored

Component: REST Framework and TMOS Platform

Symptoms:
If you attempt to restore a UCS that was created during setup mode, an error similar to the following occurs:

BIG-IQ database restore file not found. Skip restoring BIG-IQ database.
psql: FATAL: database "bigiq_db" does not exist
ERROR: Failed to restore BIG-IQ database.

Conditions:
This can occur during UCS load or during system upgrade after rebooting into the new software volume (in which case the errors will appear in the bootstrap logs).

This only occurs with a UCS file that was saved while the BIG-IQ system is in setup mode (after initial install or after returning to setup to make configuration changes).

Impact:
The UCS cannot be successfully loaded.

Workaround:
Only save UCS files or perform system upgrades after completing system setup.


900577 : Orphaned objects in topology and virtual server disappear when trying to disable a virtual server or pool member from the Configuration Tab

Component: BIG-IQ Application Management

Symptoms:
Enable/disable a virtual server (or pool member) from the Application Service dashboard and then navigate out to the Configuration tab within the dashboard.

Conditions:
1. Log in to the BIG-IQ with a manager or viewer role.
2. Navigate to the Application dashboard for a legacy application.
3. Select a virtual server (or pool member) and try to disable or enable it.
4. Navigate to Configuration>LOCAL TRAFFIC>Virtual Servers.

Impact:
The virtual server does not appear, so you won't be able to see its state or value.

Workaround:
Refresh the page.


900573 : A declarative onboarding (DO) request without "BigIqSettings" in API

Component: BIG-IQ Device Management

Symptoms:
If a DO request does not contain the 'bigIqSettings' property, the request does not error out properly. The API doesn't return an error and the task status continues to display as running. The only error is in the restnoded.log.

Conditions:
The DO request does not contain 'bigIqSettings'.

Impact:
The task never completes.

Workaround:
Include the following property in the DO declaration to work around this issue:

"bigIqSettings": {
  "failImportOnConflict": false,
  "conflictPolicy": "USE_BIGIQ",
  "deviceConflictPolicy": "USE_BIGIP",
  "versionedConflictPolicy": "KEEP_VERSION",
  "clusterName": "<clustername>"
}


900565 : Error message when creating Auto Failover of BIG-IQ High Availability cluster

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ system returns an error message after creating a BIG-IQ high availability (HA) auto failover configuration.

Conditions:
This can happen if a network issue happens while you are creating the BIG-IQ HA auto failover configuration.

Impact:
The error message might be a false positive: if the network issue resolves itself, the configuration succeeds. If the network issue persists, the BIG-IQ HA configuration errors out due to network issues.

Workaround:
Check the health of the BIG-IQ HA configuration. If the network issue has resolved and the BIG-IQ HA configuration is now healthy, no further action is needed. Otherwise, you'll need to fix the network issue and recreate the BIG-IQ HA configuration.


900557 : CRMD core file is returned if you create a BIG-IQ auto failover HA config and then create a manual HA configuration

Component: REST Framework and TMOS Platform

Symptoms:
If you create a BIG-IQ auto-failover high availability (HA) configuration, then remove it and create a manual HA configuration, BIG-IQ might log a core file.

Conditions:
Create the Manual Failover after Auto Failover is created and torn down

Impact:
If you log in to the active BIG-IQ device using the command line and run: ls /shared/core

The output might show crmd.bld0.0.xxx.core.gz (xxx is the build number), indicating there is a crash inside the crmd daemon.

This error has no impact on HA functionality.

Workaround:
You can delete this core file. If you remove HA configurations on both BIG-IQ systems before recreating another HA configuration, this error will not be logged.


900469 : Customization Type field is missing for Webtop Lists objects

Component: BIG-IQ Access

Symptoms:
When a user tries to create or edit a Webtop Lists object, they may not see the Customization Type dropdown menu.

Conditions:
The Customization Type dropdown may be missing on the create and edit screens for Webtop Lists objects.

Impact:
Users may not be able to see or change the Customization Type of a Webtop List object.

Workaround:
BIG-IQ only supports the "standard" customization type by default when creating Webtop Lists object. Use a managed BIG-IP device to create a Webtop Lists object with the "modern" customization type. When you re-import the device and its configuration to BIG-IQ, the Customization Type field will not be shown on the screen on BIG-IQ, but its value is retained when you go to deploy the object.


900453 : Deleting a BIG-IP VE in an Azure cloud

Component: BIG-IQ Local Traffic & Management

Symptoms:
If you create a BIG-IP VE from BIG-IQ in an Azure cloud, delete it from the Azure portal, and then try to delete it from BIG-IQ, the operation fails.

Conditions:
- From BIG-IQ, create a BIG-IP VE in an Azure cloud.
- Delete the BIG-IP VE from the Azure portal.
- Attempt to delete the BIG-IP VE on BIG-IQ.

Impact:
The deletion attempt from BIG-IQ fails. The BIG-IP VE continues to display on BIG-IQ, but cannot be deleted.

Workaround:
Always use BIG-IQ to remove BIG-IP VE devices in an Azure cloud.


900445 : BIG-IQ allows you to delete peer device with legacy application service

Component: BIG-IQ Application Management

Symptoms:
When you deploy a legacy app to a BIG-IP HA cluster, you can remove the services and stop managing the BIG-IP device on which the legacy app is not deployed.

Then, it is not possible to delete the legacy app.

Conditions:
1. Use the BIG-IQ application dashboard to create a legacy application service using LTM configuration objects that are deployed to a BIG-IP HA pair.
2. Remove services from and then stop managing the peer BIG-IP device.

Impact:
You will not be able to delete the Legacy Application Service.

Workaround:
1. Re-discover the HA peer device (no re-import needed)
2. Delete the legacy application service
3. Remove the services on the device


900413 : Configuration tab is not available for users with Access Auditor role

Component: BIG-IQ Access

Symptoms:
The configuration tab is missing for BIG-IQ users with the Access Auditor role.

Conditions:
This error may occur if the user is assigned to the Access Auditor role.

Impact:
Users with the Access Auditor role may not be able to view the Configuration tab at the top of the BIG-IQ screen.

Workaround:
To view the Configuration tab and the Access Groups that exist under it, the administrator can assign the user to the Access Viewer role in addition to the Access Auditor role.


900397 : BIG-IQ UI doesn't display an error message when you try to remove services from a device with a legacy application service deployed on it

Component: BIG-IQ Application Management

Symptoms:
On the device grid, if you try to remove services from a device on which a legacy application service is deployed, you don't get an error message.

Conditions:
1. Create a legacy application service using the BIG-IQ application dashboard.
2. Try to remove services from the device on which the application service is deployed

Impact:
There is no way for you to know that the legacy application service deployed to this device is blocking your ability to remove this device.

Workaround:
You can either:
* Examine the file: /var/log/restjavad.0.log and look for the error message: Device in use by application 'myWebApp'.

* Attempt to use the API call to remove the device. The response identifies the issue that blocks the device from being removed.


900389 : Creating a tunnel on a BIG-IP device in an HA cluster

Component: BIG-IQ Local Traffic & Management

Symptoms:
When you create a tunnel from BIG-IQ to one BIG-IP device in an HA pair, BIG-IQ creates the tunnel on the peer device as well. However, BIG-IQ does not add the 2nd tunnel to the default route domain. When you deploy these changes to the BIG-IP devices, the deployment fails.

Conditions:
Creating a tunnel for BIG-IP devices in an HA cluster.

Impact:
You cannot deploy a new tunnel to a BIG-IP HA cluster without performing additional steps.

Workaround:
Add the new tunnel that was created on the second BIG-IP device to a route domain on that BIG-IP device before deploying.


899885 : Cannot remove Behavioral DoS template, once selected

Component: BIG-IQ Shared Security

Symptoms:
Once you have selected a BaDoS support template for a DoS profile (Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles), you cannot revert back to the default template.

Conditions:
1. Go to Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles
2. Click Create
3. From the Create from Template field, select BaDoS support 14.1.x.
4. Try to change the template setting back to Default

Impact:
You cannot return to the default template setting, once the BaDoS support 14.1.x setting is selected.


899789 : Updates to legacy application service pool members or virtual servers deployed on a BIG-IP cluster are not displayed

Component: BIG-IQ Application Management

Symptoms:
When an administrator modifies a legacy application service deployed on a BIG-IP cluster that is assigned to a user, the user won't see those changes on the BIG-IQ application dashboard.

Conditions:
Make updates to pool members or virtual servers that belong to a legacy application service that is deployed to a BIG-IP cluster.

Impact:
Users with the manager role associated with the legacy application service won't be able to see the updates to the virtual servers or pool members. They also won't be able to perform operations such as enable/disable/force offline.

The UI displays the error message: "Please add at least one pool first".

Workaround:
1. Log in as admin and delete the legacy application service.
2. Re-create the application and re-assign the manager role to the user.


899737 : Cannot create BIG-IP VE on Azure if the VE name contains special characters

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IP VE creation fails on Azure if the VE name contains special characters `~!@#$%^&*()_+=[]{}\|;:'"/?,<>.

Conditions:
The BIG-IP VE name you are attempting to create on Azure contains any of these special characters
`~!@#$%^&*()_+=[]{}\|;:'"/?,<>.

Impact:
The BIG-IP VE is not successfully created.

Workaround:
Make sure that the BIG-IP VE name does not contain special characters if it is going to be deployed on Azure.


899609 : Deployment of an imported Existing Application SSLO topology may fail from BIG-IQ

Component: BIG-IQ Access

Symptoms:
A deployment of an SSLO topology may fail if that topology is an Existing Application type topology and if the configuration was imported from a managed BIG-IP to the BIG-IQ.

Conditions:
For this condition to occur, an Existing Application topology must be deployed in BIG-IP and then imported back to BIG-IQ. After this, any redeployment of this imported topology which uses the Existing Application configuration type may fail.

Impact:
The user will not be able to deploy an imported "Existing Application" SSLO topology from BIG-IQ.

Workaround:
Currently, there is no direct workaround to redeploy the imported topology without a deployment failure. Instead, the user may delete the topology that is failing and deploy a new Existing Application topology with the same configuration.


899601 : Number of services in the SSL Orchestrator topology list page shows 0 for imported topologies

Component: BIG-IQ Application Management

Symptoms:
In the SSL Orchestrator topology list page under the Configuration tab, the number of inspection services in the imported topology always shows 0, even if there are services that exist in this configuration.

Conditions:
This occurs whenever you try to view the number of services deployed in the topology list page.

Impact:
You might not be able to see how many services are being used by an imported topology.

Workaround:
To find the number of services attached to a particular topology, go to the service chain attached to the topology and check the number of services there.


899329 : When exiting setup mode BIG-IQ returns a 502 error

Component: BIG-IQ System

Symptoms:
If you click Return to Setup from System -> General Properties and try to log in again immediately, BIG-IQ returns a 502 error. This happens because BIG-IQ is restarting services.

Conditions:
Click Return to Setup from System -> General Properties and try to log in again immediately.

Impact:
BIG-IQ returns a 502 error.

Workaround:
After returning to setup, wait a couple of seconds before trying to log in.


899321 : BIG-IQ allows you to create a service scaling group (SSG) for AWS with an invalid name

Component: BIG-IQ Application Management

Symptoms:
If you create an SSG for AWS and specify an invalid name (for example you could include a period in the name), BIG-IQ successfully creates the SSG, but no devices are deployed in AWS.

Conditions:
Create an SSG with a name that does not match the regex
[a-zA-Z][-a-zA-Z0-9]*|arn:[-a-zA-Z0-9:/._+]*

Impact:
BIG-IQ creates the SSG, but no devices deploy and no scale-outs occur.

For example, you could create an SSG with a name like my.aws.ssg and creation will succeed but scaleout will fail.

Workaround:
Avoid using special characters in the SSG name.

If you have already created an SSG with an invalid name, delete the SSG and create a new one with a valid name.
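
A pre-flight name check for this issue and for 899737 (Azure VE names), as an added example rather than BIG-IQ code: it applies the regex from the Conditions above to SSG names and the special-character list from 899737 to Azure VE names. The function names and sample names are constructed, and the trailing period in the 899737 list is assumed to be part of the list.

```python
import re

# Regex quoted in the Conditions of 899321 (SSG names for AWS).
AWS_SSG_NAME_RE = re.compile(r"[a-zA-Z][-a-zA-Z0-9]*|arn:[-a-zA-Z0-9:/._+]*")

# Characters listed in 899737 (BIG-IP VE names on Azure). Assumption: the
# final "." in that list is a listed character, not sentence punctuation.
AZURE_VE_FORBIDDEN = set("`~!@#$%^&*()_+=[]{}\\|;:'\"/?,<>.")


def check_aws_ssg_name(name):
    """Return a list of problems; an empty list means the regex matches."""
    if AWS_SSG_NAME_RE.fullmatch(name):
        return []
    if name.startswith("arn:"):
        bad = re.findall(r"[^-a-zA-Z0-9:/._+]", name[4:])
        return ["character not allowed in an ARN: %r" % c
                for c in sorted(set(bad))]
    problems = []
    if not re.match(r"[a-zA-Z]", name):
        problems.append("must start with a letter")
    bad = re.findall(r"[^-a-zA-Z0-9]", name)
    problems += ["character not allowed: %r" % c for c in sorted(set(bad))]
    return problems


def check_azure_ve_name(name):
    """Return the listed special characters found in the name, sorted."""
    return sorted(set(name) & AZURE_VE_FORBIDDEN)


if __name__ == "__main__":
    # Constructed sample names; my.aws.ssg is the example from the Impact text.
    for ssg in ("my.aws.ssg", "my-aws-ssg", "1st-ssg", "arn:aws:constructed/ssg"):
        print("SSG", ssg, check_aws_ssg_name(ssg) or "ok")
    for ve in ("bigip-ve-01", "bigip_ve#1"):
        print("VE ", ve, check_azure_ve_name(ve) or "ok")
```

Because BIG-IQ accepts the invalid SSG name and only the later scale-out fails, running a check like this before creation surfaces the problem at the point where it is cheapest to fix.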


899285 : After you upgrade to version 7.1, imported AS3 application service configurations on the BIG-IQ might not be marked as AS3

Component: BIG-IQ Application Management

Symptoms:
Some configuration items may not show the AS3 banner when viewed under the Configuration tab

Conditions:
Some configuration items may not display the AS3 banner when you view them on the Configuration tab.

Impact:
Generally no significant impact, but you might be misled into thinking that you can make changes to these objects and deploy them to the BIG-IP.

Workaround:
Deploy a simple change to the AS3 application service. For example, change the description of the AS3 Application Service.
1. Under the Applications tab, navigate to the affected AS3 application.
2. Click Properties under Application Service.
3. Click Configuration.
4. Modify the Description property.
5. Click Save & Close.

BIG-IQ deploys the change and corrects any issues with objects that were not displaying the AS3 banner correctly.


899213 : Contents column for a certificate changes from RSA Key to RSA Certificate & Key when you use the Name filter to find it

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
The Contents column for a certificate changes from RSA Key to RSA Certificate & Key if you use UI filter to find that certificate.

Conditions:
1. Navigate to Configuration>LOCAL TRAFFIC>Certificate Management>Certificates & Keys>.
2. Scroll through the certificates listed until you find one that displays RSA Key in the Contents column. Note the name that displays in the Name column.
3. Type the name of the certificate in the Filter field near the top of the screen, then press Enter.
4. The list of certificates correctly filters to display the certificate you specified, but the Contents column entry changes from RSA Key to RSA Certificate & Key.

Impact:
The changed Contents column entry will create confusion.

Workaround:
N/A


899069 : Deployment of an access policy with LDAP Group agent fails

Component: BIG-IQ Access

Symptoms:
Access Policies with LDAP Group Agents fail to deploy, and will display the following error:
Transaction XXXXX on BIG-IP X.X.X.X failed after 0 seconds: "CN=XXXX," unknown property.

Conditions:
The policy contains the LDAP Group Agent with the expression which contains a double-quote in it.

Impact:
Policies with this VPE agent in them fail to deploy initially.

Workaround:
On BIG-IQ, open the policy and edit the LDAP Group agent. Go to Branch Rules and correct the expression under the 'Advanced' tab by inserting backslash '\' before double-quote, for example:

If the deployment fails on: "CN=USERS," unknown property

Change it to: \"CN=USERS,\"


899013 : Onboarded devices display as unmanaged on Licenses page

Component: BIG-IQ Device Management

Symptoms:
If a BIG-IP device is onboarded and the DO declaration uses a license pool to license the device, the "Device Type" in the license pool on BIG-IQ shows the device as unmanaged, even after the device onboarding is complete.

Conditions:
The device is onboarded through DO declaration.

Impact:
There is no real impact on device management, although it might cause confusion when viewing the license pool screen.


898925 : Analytics are not available for legacy application services because the BIG-IP cluster is not in sync

Component: BIG-IQ Application Management

Symptoms:
If you create a legacy application service on the BIG-IQ and deploy it to a BIG-IP cluster, the analytics for the application service do not appear on the application service dashboard.

This issue is triggered when a BIG-IP to which the legacy application service is deployed is not in sync.

Relevant log message (restjavad log):
[WARN][09 Apr 2020 17:38:31 BST][/cm/shared/stats-mgmt/device-monitor-task/97fc2520-f35b-4008-958d-290e6cd96327/worker DeviceMonitorTaskWorker] initDeviceUpdater on device 10.155.193.37 failed: java.lang.IllegalStateException: cluster device(s) not in sync: efee1741-d69e-44f6-9047-be4f777b985f: CHANGES_PENDING, fb44ba5a-f2ce-4c0a-a14d-0219fc321b46: CHANGES_PENDING . Please Make Sure The Cluster Is In Sync First (sync pending changes if any).

Conditions:
Deploy a legacy application service on a BIG-IP cluster that is not in sync and enable analytics.

Impact:
Analytics do not appear on the BIG-IQ application dashboard.

Workaround:
Re-sync the HA cluster.


898665 : Adding a peer BIG-IQ to HA configuration after primary BIG-IQ was reset to standalone

Component: REST Framework and TMOS Platform

Symptoms:
When BIG-IQ is in a high availability (HA) configuration with a DCD and you:

* Reset the primary BIG-IQ to standalone
* Use Remove HA Config on the secondary BIG-IQ

there is an error removing the DCD on the secondary, and an attempt to recreate the BIG-IQ HA configuration fails. This occurs because you should click the Remove Standby button on the primary BIG-IQ.

Conditions:
Resetting the primary BIG-IQ in an HA configuration to standalone.

Impact:
Cannot recreate BIG-IQ HA configuration.

Workaround:
If this occurs, run the following commands:

/usr/bin/ha_reset -f <discovery_address>
/usr/bin/reset-data-collection-cluster

After running these scripts on the console of the primary and secondary, the cluster can be recreated.


898641 : AS3 application deployment UI: persistence method(s), iRule & Firewall Address List do not render values from template correctly

Component: BIG-IQ Application Management

Symptoms:
If you use Basic Schema type, AS3 Deployment incorrectly renders:

- Persistence method(s) and iRule fields for Service_HTTP(S) AS3 classes
- Addresses field for Firewall_Address_List AS3 class

Conditions:
This happens when you create an AS3 template Basic Schema type with persistent method(s), iRule fields for Service_HTTP(S) classes, and address field for Firewall_Address_List AS3 class and allow the Address property to be editable.

Impact:
BIG-IQ splits out the string in the template into multiple fields.

Workaround:
Use Advanced Schema Type option instead of Basic Schema type.


898609 : LTM policy and firewall policy limitations within the BIG-IQ AS3 template UI

Component: BIG-IQ Application Management

Symptoms:
It is not possible to create LTM or firewall policies with different rules within the same AS3 Template.

LTM policy AS3 classes impacted:
* Endpoint_Policy
* Endpoint_Policy_Rule
* Policy_Action
* Enforcement_Policy

Firewall policy classes impacted:
* Firewall_Policy
* Firewall_Rule_List
* Firewall_Port_List
* Firewall_Address_List

Conditions:
When you use the AS3 Template UI on BIG-IQ to create an AS3 template with either an LTM Policy defined or a Firewall Policy...

Impact:
The user won't be able to create different rules within LTM or firewall policies.

Workaround:
Use the API to create the AS3 application services using LTM or firewall policies. If you need different policies, do not use AS3 templates.

For Firewall Policies, it is recommended you create the policies, rules, addresses and ports lists through the Configuration tab under SECURITY > Network Security > Network Firewall, then reference the policy in the AS3 Service class (such as Service_HTTPS, Service_TCP) under property "firewall policy (enforced)".


898489 : Deleting an in-use template leaves application creator roles in undefined state in role editor

Component: BIG-IQ Application Management

Symptoms:
In the Custom Application Role editor one or more entries of "undefined [API only]" appear in the AS3 Templates, Selected column.

Conditions:
This condition is triggered when a template was deleted while in-use by the custom application role.

Impact:
You cannot make changes and save the role when this condition occurs.

Workaround:
Manually select and remove the "undefined [API only]" entries from the Selected column.


898341 : BIG-IP may stop sending statistics following a DCD reboot

Component: AppIQ

Symptoms:
After rebooting a data collection device, the monitored BIG-IPs might not send statistics to the rebooted DCD.

Conditions:
BIG-IQ CM and DCDs are rebooted.

Impact:
Affected BIG-IPs aren't sending statistics.

Workaround:
Re-enable stats (from BIG-IQ) to the disconnected BIG-IP.


898133 : Force-Delete API does not support service catalog application services on SSGs

Component: BIG-IQ Application Management

Symptoms:
The Force-Delete call fails if you try to run it on a service catalog application that deploys to an SSG.

Conditions:
Force delete a service catalog application on an SSG.

Impact:
You cannot use Force-Delete API for this task.

Workaround:
Using a REST API client like Postman, make these calls to your BIG-IQ:

1) Send a GET to /cm/global/tasks/apply-template and find the failed 'DELETE' task for the application. Copy the full task body. This will likely be the last task body if you have had several deployments.
2) Do the following to the task body:

Delete all the fields except: "mode", "name", "deploy", "subPath", "partition", "ssgReference", and "configSetName", then change "deploy" to false, and change "mode" to DELETE.

3) POST to /cm/global/tasks/apply-template with the modified task body in Step 2.


894077 : User can deploy an application using a template to which you did not explicitly specify permissions.

Component: BIG-IQ Application Management

Symptoms:
When you assign a user to an Application Creator role, you specify the templates they can use to deploy applications. The user cannot deploy an application using templates to which you didn't assign access.

When you want to allow a user to revise a deployed application, you assign that user to the custom Application Manager role for that application. When you assign that role, BIG-IQ gives that user permissions to the template that was used to deploy the application.

Conditions:
The issue arises when you assign a user to both an Application Creator role and an Application Manager role. When you do that, the user will be able to deploy applications using not only the templates that you specified for the Application Creator role, but also, using the template that was used to deploy the application for which you assigned the Application Manager role.

Impact:
The user can create applications using templates that were not assigned by the Application Creator role.

Workaround:
There are two options:
1. Only allow users to manage applications that they create.
2. Do not assign a user to both Application Manager and Application Creator roles.

Note: When an Application Creator creates an application, BIG-IQ creates a custom Application Manager role for that Application and assigns the application creator to that role.
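
The role overlap described in this entry, modelled as an added example (not BIG-IQ code and not its API): for each user holding both role types, it lists the templates gained only through an Application Manager role and the application whose role grants them. The role data, user names, application names and template names are all constructed.

```python
# Constructed role data for illustration; BIG-IQ's own role objects are not
# modelled here.

# user -> templates explicitly assigned through the Application Creator role
CREATOR_TEMPLATES = {
    "alice": {"tmpl-http"},
    "bob": {"tmpl-http", "tmpl-tcp"},
}

# application -> template that was used to deploy it
APP_TEMPLATE = {
    "shop": "tmpl-waf",
    "blog": "tmpl-http",
}

# user -> applications for which the user holds an Application Manager role
MANAGER_APPS = {
    "alice": {"shop", "blog"},  # "blog" was created by alice herself
    "carol": {"shop"},          # manager only, no Application Creator role
}


def unintended_templates(creator_templates, manager_apps, app_template):
    """Find templates a user can deploy with only because of a manager role.

    Returns {user: {template: [applications granting it]}} for users who hold
    both an Application Creator role and at least one Application Manager role.
    """
    findings = {}
    for user, assigned in creator_templates.items():
        for app in sorted(manager_apps.get(user, ())):
            template = app_template.get(app)
            # A template already assigned to the creator role is expected,
            # for example the one behind an application the user created.
            if template is not None and template not in assigned:
                findings.setdefault(user, {}).setdefault(template, []).append(app)
    return findings


if __name__ == "__main__":
    for user, extra in unintended_templates(
            CREATOR_TEMPLATES, MANAGER_APPS, APP_TEMPLATE).items():
        for template, apps in extra.items():
            print("%s can deploy with %s via manager role on %s"
                  % (user, template, ", ".join(apps)))
```

Each finding names the Application Manager assignment to revisit under workaround option 2.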


893653 : Hierarchical privileges to unlock Security Objects are missing

Component: REST Framework and TMOS Platform

Symptoms:
Hierarchical privileges previously available to Security Manager and Network Security Manager to unlock UI objects in their areas are no longer present.

Conditions:
BIG-IQ user who is not an Administrator using the BIG-IQ administration console as follows:

-- Notices a 'lock' icon next to a configuration object (e.g., object1).
-- Browses to System :: Locked Objects
-- Expects to see the object1 listed with an option to 'Unlock' it.

Impact:
There is no object1 listed on the page.

Only users with Administrator roles are able to unlock objects locked by other users.

-- Security Manager is no longer able to unlock objects locked by Network Security Manager, Network Security Editor, or Network Security Deployer.

-- Network Security Manager is no longer able to unlock objects locked by Network Security Editor or Network Security Deployer.

Workaround:
None.


893505 : Onboarding of a BIG-IP from a standby BIG-IQ configured in an HA pair

Component: BIG-IQ Device Management

Symptoms:
If you add and onboard a BIG-IP device with an API call on the standby BIG-IQ in an HA pair, onboarding fails.

Conditions:
Attempting to onboard a BIG-IP device on the standby BIG-IQ in an HA pair.

Impact:
Status of the request displays as RUNNING and does not complete.

Workaround:
You must onboard BIG-IP devices from the active BIG-IQ system in an HA pair.


892901 : After using the Remove SSL Orchestrator Configuration button in 5.X SSL Orchestrator RPM versions, the topology deployment fails

Component: BIG-IQ Access

Symptoms:
After selecting the button to remove an SSL Orchestrator (SSLO) configuration for any topology running a 5.X SSL Orchestrator RPM version, the topology deployment will fail.

Conditions:
This issue occurs only when removing configurations from topologies running any 5.X SSLO RPM version.

Impact:
You are unable to deploy any SSLO topology, security policy, or inspection services to managed BIG-IP devices after using the Remove SSLO Configuration button in BIG-IQ unless you employ the workaround.

Workaround:
To effectively deploy a configuration after using the Remove SSLO Configuration button and clearing your device of all SSL Orchestrator configurations, you must reset your Device Settings and deploy them before attempting additional configurations on the device. Follow the steps in this order to get a successful deployment:

1) In BIG-IQ under Configuration :: SSL Orchestrator :: Devices, click on each managed device for which you did a full clean-up.
2) On each managed device page, modify the General Settings to your specifications. If you have nothing to change, change a field and then revert it to re-activate the Deploy button.
3) Click Deploy.
4) Make other configurations within a topology on this managed BIG-IP device and deploy them successfully.


892609 : GSLB/DNS objects that are part of an AS3 application are editable using the Configuration tab

Component: BIG-IQ Application Management

Symptoms:
The Configuration>>DNS>>GSLB grids display objects that you can revise or delete. If these objects were created as part of AS3 application, you should not be able to edit or delete them using the object properties screens listed under Configuration>>DNS>>GSLB... but in some scenarios you can. This is not acceptable.

Conditions:
1. Create an AS3 declaration to deploy an AS3 GSLB application directly to a BIG-IP device (no BIG-IQ involved).
2. Discover and Import the BIG-IP device.
3. Note that the GSLB objects created by the AS3 declaration appear on the BIG-IQ's Configuration>>DNS>>GSLB grids. (You then decide that you want to manage the AS3 application on the BIG-IQ... but the app does not exist on the BIG-IQ yet.)
4. So you use Application>>APPLICATIONS>>Create to specify and deploy the AS3 GSLB Application.
5. Navigate to Configuration>>DNS>>GSLB, and then select one of the GSLB object types that are included in the AS3 application you just deployed.
6. Note that you can revise or delete these objects.

Impact:
If you delete or modify a DNS->GSLB object that BIG-IQ uses in an AS3 application and then deploy those changes to the managed device, it will disable the application.

Workaround:
1. Navigate to Configuration>>DNS>>GSLB and then delete each GSLB object that is used by the AS3 application.
2. Do NOT deploy these changes to the managed device.
3. Rediscover and re-import the device.

After step 3, BIG-IQ will display the GSLB objects in the application tab, but a banner displays on the properties screen:
"This belongs to AS3 Application Service boston_dns and cannot be changed directly. A re-discover and re-import may be needed to sync this content with the deployed AS3 Application Service."

You will not be able to delete or edit this object or to revise any of the objects in the AS3 application here. To make changes to the AS3 application, use the Application Dashboard instead.


892041 : New BIG-IQ first-time installation with IPv6 management port

Component: REST Framework and TMOS Platform

Symptoms:
If you install BIG-IQ without rolling forward a previous configuration and use an IPv6 address for the management port, the installation fails with the following error:

Error: (/config/bigip_base.conf at line 4) fd32:f5:0:a1::143/64/ffff:ffff:ffff:ffff:: contains an invalid netmask.

Conditions:
This occurs with a new installation of BIG-IQ without a previous configuration.

Impact:
BIG-IQ is inoperative and unreachable.

Workaround:
Log in to the console.
In bigip_base.conf, remove /64 from the value of sys management-IP, i.e., change "fd32:F5:0:a1::143/64/ffff:ffff:ffff:ffff::" to "fd32:F5:0:a1::143/ffff:ffff:ffff:ffff::". After this, perform the steps below:

1. tmsh save sys config
2. tmsh modify sys global-settings mgmt-dhcp disabled
3. tmsh create net vlan <vlan_name> interfaces add { 1.1 }
4. tmsh create net self <ipaddress/cidr> vlan <vlan_name> allow-service default
5. tmsh save sys config


891569 : Erroneous uploads are not deleted when the database is not saved

Component: BIG-IQ Device Management

Symptoms:
A large (90+ MB) file is left on the BIG-IQ file system if you upload the wrong file, but then decide to cancel the database creation. These uploaded but not saved database zip files will also appear under the Software Images Grids.

Conditions:
You upload a new GeoIP database zip file, but then cancel instead of creating a new update package.

Impact:
A large (90+ MB) file is left on the BIG-IQ file system each time you upload the wrong file and have to cancel a database creation.

Workaround:
There are two ways to delete the zip file:
1. Navigate to Devices>SOFTWARE MANAGEMENT and delete the file from there.
2. Log in to the BIG-IQ via SSH as root and type:
   rm /shared/images/<zip file name>


891353-1 : Cannot open online help results from finder menu

Component: BIG-IQ Search

Symptoms:
When searching using the finder menu, online help results do not open.

Conditions:
Trying to access an online help screen from the finder menu.

Impact:
The online help link doesn't open.

Workaround:
To access the online help for a specific screen, navigate to that screen and select the online help icon.


891001 : Viewing virtual servers with certain properties, sometimes makes it appear that you made revisions to them

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
If you view a virtual server that is configured with either a source or destination address and a service port of either 0 or *, the UI displays an asterisk after the virtual server name to indicate that the settings for that virtual server have been revised.

Conditions:
Only occurs for virtual servers that use a source or destination address list (or both), and are configured with a service port of 0 (or *).

Impact:
After viewing a virtual server and not making any changes, you might think you had made an inadvertent change to the virtual server.

Workaround:
N/A


890329 : When creating a service catalog application service, sometimes the deployment fails

Component: BIG-IQ Application Management

Symptoms:
When creating service catalog apps, the application services occasionally fail to deploy.

Conditions:
When the service catalog application creation fails during the deployment stage, the application service displays on the BIG-IQ but is not deployed to the BIG-IP.

Impact:
Application service deployment fails.

Workaround:
1. Navigate to Applications>>APPLICATIONS, and open the failed service catalog application; then open one of the application services that failed to deploy.
2. On the top of the application service dashboard, click Retry.
3. If the application service still does not deploy, navigate to the application service dashboard for the failing application service, then under SERVICES, click Traffic Management.
4. Click CONFIGURATION, then select one of the objects in the application service (a virtual server, for example).
5. Click Quick Edit and then make a (momentary) change to any value. (For example, you could type a different number for the last digit of a virtual server's Destination Address... then change the entry back to the correct value.)
6. The last step should enable the Save button. Click Save.

When BIG-IQ saves your "change", it triggers another deployment attempt to the BIG-IP.


890129 : Bot profile requires manual role-type configuration

Component: BIG-IQ System User Interface

Symptoms:
A user who creates a user role type for a bot profile won't get permissions to ltm:pools, and won't be able to configure 'redirect-to-pool' under the bot profile.

Conditions:
Create a user role that is specific to bot profile usage.

Impact:
New user role won't be able to configure 'redirect-to-pool' under their bot profile.

Workaround:
Add LTM:pools to the role type so that a role-based user can fully configure bot profiles.


890029 : After upgrading to BIG-IQ version 7.1, client certificate authentication fails

Component: REST Framework and TMOS Platform

Symptoms:
After you upgrade a BIG-IQ that has client certificate authentication enabled to version 7.1, authentication fails.

This happens because the corresponding web server settings are altered, causing them to be out of sync with the authentication provider settings.

Conditions:
BIG-IQ version 7.0 with client certificate authentication enabled, upgraded to version 7.1

Impact:
User authentication to the BIG-IQ fails.

Workaround:
Before you upgrade to BIG-IQ version 7.1, disable client certificate authentication. After upgrading BIG-IQ to version 7.1, re-enable client certificate authentication.

Alternatively, if you did not disable client certificate authentication before upgrading and you are unable to log in to the BIG-IQ GUI, log in to the BIG-IQ CLI and execute the following command: client-cert-auth -x
This resets authentication to the factory settings, with only local authentication available, and without any external authentication providers.

After running the command, log into BIG-IQ GUI as the local administrator and set up the LDAP or Active Directory authentication provider with client certificate authentication enabled.


888813 : When you manage software upgrades or GeoIP databases in an HA configuration, you must upload the files in both the active and stand-by devices.

Component: BIG-IQ Device User Interface

Symptoms:
When you upload a software image or new GeoIP database file to the active device in a BIG-IQ HA configuration, the objects are synced, but the files are not.

Conditions:
Upload a software image or GeoIP database package to the active BIG-IQ in an HA configuration.

Impact:
When a fail-over occurs and the user tries to upgrade BIG-IP devices with either the software image or a new GeoIP database, the update will fail because the files will not be present in the file system.

Workaround:
If you upload a GeoIP database package or a new software image to a BIG-IQ that is configured as the active device in an HA configuration, upload the files to both the active and standby devices.


888749 : Creating an Evaluation/Deployment creates a Snapshot which may be difficult to delete.

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Creating an Evaluation or Deployment creates a Snapshot. Users are unable to delete this Snapshot from the Snapshots page.

Deleting the original Evaluation or Deployment which created this Snapshot does not automatically delete the Snapshot.

Deleting the Evaluation or Deployment Snapshot prematurely via the CLI or the Snapshot Properties page has the undesirable effect of leaving a dangling Evaluation/Deployment.

Conditions:
User creates an Evaluation or Deployment.

Impact:
User may be unable to delete certain Snapshots.

User may have an Evaluation or Deployment which no longer has an associated Snapshot, which can cause errors when viewing the Evaluation or Deployment.

Workaround:
From the Snapshots page, click the link to view the properties page for the Snapshot you wish to delete. The properties page displays a Delete button at the upper right which will allow you to delete the snapshot. Upon doing so, be sure to delete the corresponding Evaluation or Deployment.


888553 : Error while updating AS3 Application: New endpoint mgmt/shared/appsvcs/info was not up in 60 seconds.

Component: BIG-IQ Application Management

Symptoms:
AS3 application dashboard reports an error when you try to update a deployed application.

Conditions:
If you modify a deployed AS3 application, and then click Save or Save & Close, BIG-IQ displays the error message.

Impact:
Unable to update a deployed AS3 application.

Workaround:
1. Use SSH to log in to the target BIG-IP on which the AS3 application is deployed.
2. Type the command: bigstart restart restnoded.
3. Close the SSH session.

You should now be able to make revisions to the AS3 application.


887301 : AS3 dashboard lists an incorrect number of servers if the AS3 declaration specifies an fqdn member that includes both hostname and serverAddresses

Component: BIG-IQ Application Management

Symptoms:
Server Addresses are ignored, which is the correct behavior. However the number of servers listed on the AS3 dashboard is incorrect.

Conditions:
This issue occurs when you post an AS3 declaration and specify a pool member using the fqdn property and specify a value for both the hostname and the serverAddresses.

Impact:
The AS3 dashboard shows the wrong number of servers for this application.

Workaround:
N/A


883913 : GeoIP Database Management: If a remote command freezes while updating a BIG-IP device, it can block subsequent new GeoIP Database update attempts from starting.

Component: BIG-IQ Device Management

Symptoms:
When this scenario occurs, the BIG-IQ UI’s GeoIP Database Management -> Update History page will show the active update task appearing to stall with the status "In progress", and indicating that one or more devices has not yet finished (e.g., "Updated 3/4 devices."). The details page for the update task will show results from other BIG-IP devices included in the update task that have completed their updates. Additionally, any other BIG-IQ tasks that use remote commands will fail to run against the affected BIG-IP device, reporting an error such as "The limit on the number of concurrent shells is exceeded".

Conditions:
In some environments, this scenario may never occur. In other environments, it may be more likely to occur when updating a BIG-IP device that is under heavy load.

Impact:
GeoIP Database Management will not be able to start new update tasks. Any new update tasks that are created will appear with the state "Queued", but will not start processing until this issue is resolved.

Workaround:
To solve the immediate issue:
1. Use SSH to log in to the affected BIG-IP device.
2. At the shell prompt, run: "ps ax | grep geoip"
3. Identify the process that is stuck, and note the number at the start of its line (its process ID).
    - If "/usr/bin/tmsh load sys geoip" still appears, it is likely the stuck process.
    - If not, check whether any other commands stand out from the list.
    - As a fallback: Any command with a long command-line that starts with "/bin/bash". (That said: If one of these is waiting on a child process, that child process must be dealt with first.)
4. Run "kill -9 #####", using the process ID above.

When the situation has been resolved, the relevant update task on BIG-IQ will show that another BIG-IP has finished, and its task details page will have a new row in the table showing a failure for the affected BIG-IP device. If this was the last BIG-IP device that the update task was waiting upon, the update task will now appear as finished; if any additional update tasks are queued, the next update task will start.

To avoid the problem in the future:
The device administrator can temporarily take one or more BIG-IP devices offline, before starting a GeoIP Database Management update task that includes those BIG-IP devices.


882121-2 : Global config items are not indexed when objects have over 2000 fields

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ cannot index large global config items with over 2000 objects.

Conditions:
Global config items larger than 2000 fields will not be indexed.

Impact:
Global config items with 2000+ fields will not be indexed

Workaround:
This can be fixed as follows.
# cd /usr/share/rest/tokumon/config/modules
# vim global.js

---> Change
    settings: {}, // Use these to ovewrite parts or all of ES_SETTINGS

---> To
    settings: {
        "index" : {
            "mapping" : {
              "total_fields" : {
                "limit" : "5000"
              }
            }
        }
    }, // Use these to ovewrite parts or all of ES_SETTINGS

:wq!


876565-1 : Log files in /var/log/appiq not removed after 10 days

Component: AppIQ

Symptoms:
There are limits on the number and size of log files generated per day, but no control over the number of days the log files are kept. Because of this, log files accumulate, which creates a problem for the /var partition and for the functionality of certain features.

Conditions:
Frequent logging

Impact:
Space on the /var/ partition gets consumed, and cleanup requires manual intervention.

Workaround:
1. Manually clean up the log files in the /var/log/appiq subfolders.


872237 : Analytics iApp causes CPU spikes

Component: AppIQ

Symptoms:
CPU spikes may occur on a BIG-IP device managed by BIG-IQ. This is a result of BIG-IQ iApp regularly querying the status of the VSs/pools on BIG-IP.

Conditions:
1. Configure an iApp to collect statistics from managed BIG-IP devices that have devices with more than 600 virtual servers and/or 400 pools in the system configuration.

2. Enable statistics collection from BIG-IQ

Impact:
CPU cores on BIG-IP device regularly reach maximum usage, once statistics collection is enabled.


871701 : Access reports may be missing

Component: BIG-IQ Access

Symptoms:
When a user initiates an installation or an upgrade of BIG-IQ, the Access monitoring dashboards may be blank and not display any aggregated data.

Conditions:
This may occur during installation or upgrade, after you restart your BIG-IQ.

Impact:
Access reports may not show any charts.

Workaround:
Use the command "bigstart restart restjavad" to restart the service. Wait a few minutes for the system to reboot and make all of the services available. Recheck the Access Monitoring dashboards to ensure all the reports have populated.


868865 : Message details are not visible for BIG-IP 15.0.x devices

Component: BIG-IQ Access

Symptoms:
When only BIG-IP 15.0.x devices are discovered, the message column of the logs under Monitoring -> Access -> Logging messages(All) does not display content (it appears blank).

Conditions:
This happens when you discover only BIG-IP 15.0.x devices from BIG-IQ.

Impact:
Log message description does not appear in the message column.

Workaround:
If you discover a device running a version other than 15.0.x, the message column displays content.


868577 : Phishing alerts with URI containing 'extended' ASCII chars are encoded incorrectly while forwarding to WebSafe

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Alerts for phishing attempts that contain a URI with extended ASCII characters may not display properly in the BIG-IQ alert details.

Conditions:
- Configure a local BIG-IQ to forward alerts to the SOC dashboard.
- Generate an alert with Greek letters in the URL field, to be inserted into the BIG-IQ.
- The alert should arrive at the SOC dashboard.

Impact:
The URL field displayed in the forwarded alert on the SOC dashboard contains incorrect characters.


865285 : Setting the Zone on the BIG-IQ General Properties page is not effective

Component: BIG-IQ System User Interface

Symptoms:
When you create a new zone on the BIG-IQ General Properties page, the zone name reverts to default.

Conditions:
1. Navigate to System>>THIS DEVICE>> General Properties, and
   then click Edit.
2. For Zone, choose, Create New. Give zone a new name and
   click Update.
3. Click Update again to confirm.
4. Add a message to the Custom Login Message.
5. Click Save & Close.

Impact:
The new zone setting is not retained and reverts to default.

Workaround:
You can select an existing zone on this page; you just can't create a new one.

So if you need a new zone, you can create it on the properties page for one of the DCDs attached to this BIG-IQ.

1. System>>BIG-IQ DATA COLLECTION>>BIG-IQ Data Collection
   Devices, then select a DCD.
2. On the PROPERTIES tab, click Edit.
3. For Zone, choose, "Create New". Type the name for the
   new zone and click Continue.
4. Click Save & Close.
    You can now select the zone you just created for the BIG-IQ, the DCDs that are attached to it or any of the managed BIG-IP devices.
5. Now navigate back to System>>THIS DEVICE>> General Properties, and then click Edit.
6. Select the zone for this BIG-IQ, then click Update, then click Update again to confirm.
7. When the zone change completes, make sure to make no other changes to the BIG-IQ properties and click Cancel.

The zone change is retained for the BIG-IQ. If you need to make additional changes to the properties, you can now do so without impacting the zone setting.


863613 : Changes in parent policy-builder settings might need a second deploy to sync child policies

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Changing a parent policy in learning mode, or other learn attributes under policy-builder settings, may not be reflected in child policies after initial deployment to BIG-IQ.

Conditions:
On BIG-IP
1. Have a parent policy with disabled learning mode and policy building section that has mandatory inheritance.
2. Have a child policy for the parent from step 1 with wildcard wc/urls.
On BIG-IQ:
3. Change parent learning mode to manual
4. Deploy changes
5. Re-deploy

Impact:
There are differences to the child policy after deployment.

Workaround:
Redeploy the policies to synchronize the child policies with the parent policy changes.


863605 : LTM policy gets removed from VIP when making changes to VIP & deploying them via BIG-IQ

Component: BIG-IQ Local Traffic & Management

Symptoms:
Deploying changes to an existing virtual server configuration can remove a previously attached LTM (Local Traffic) policy. This LTM policy is initially attached once a Web Application Security policy is applied to the virtual server.

Conditions:
1) Create a virtual server on BIG-IQ
2) Attach a security policy to that virtual server from BIG-IQ
3) Deploy the LTM configuration
4) Deploy the Web App Security config
5) Make a change to the virtual server on BIG-IQ
6) Deploy the LTM configuration to your BIG-IP device
7) Go to the BIG-IP and see that the LTM policy and ASM policy have been removed from the virtual server

Impact:
The LTM policy is removed from the virtual server.

Workaround:
Re-deploy Web Application Security from BIG-IQ, and the LTM policy and ASM policies are attached as expected.


862701 : Azure SSG f5-cloud-libs can fail if scale-out of more than one device.

Component: BIG-IQ Application Management

Symptoms:
If you deploy an Azure service scaling group (SSG) and manually scale out 2 or more BIG-IP VE devices, the f5-cloud-libs might assign the same hostnames to those devices.

Conditions:
Manually scaling out two or more BIG-IP VE devices in an SSG.

Impact:
Scale out will fail and SSG is placed in a Paused state.

Workaround:
Normal scale-out is performed one device at a time. Manual scale-out by more than one should be avoided.


862697 : Initial deployment or scale-out of BIG-IP VE devices to an SSG in an Azure cloud fails with a 409 error

Component: BIG-IQ Application Management

Symptoms:
When you deploy a service scaling group (SSG) or scale-out BIG-IP devices to an Azure cloud it might fail with a 409 error and the SSG will be paused.

Conditions:
Initial setup of the SSG on Azure or scaling out BIG-IP VE devices in an existing SSG.

Impact:
The SSG will be placed in a Paused state.

Workaround:
This is a transient issue and retrying the operation will succeed. If you are creating a new SSG configuration, remove any existing SSG first. If you're scaling out and this happens, scale in and scale out again.


862357 : UI does not display entries after SNMP access configuration

Component: BIG-IQ System User Interface

Symptoms:
When an SNMP profile is configured and saved, the UI incorrectly shows that there are no entries. Refreshing the page displays all entries, including the newly configured profile entries.

Conditions:
Navigate to System> THIS DEVICE > SNMP Configuration > SNMP Access (v1, v2C)
Click Create
Fill in fields on Record Properties
Click Save & Close

Impact:
UI incorrectly displays "There are no items in this view".

Workaround:
Refresh the screen to display entries as expected.


860473 : Connection timeout is not configurable for the TACACS+ authentication provider

Component: REST Framework and TMOS Platform

Symptoms:
The TACACS+ authentication provider uses a fixed, hard-coded value (5 seconds) for the timeout to get a response from the TACACS+ server. If a request to the TACACS+ server to authenticate a user or to retrieve the user properties does not complete within 5 seconds, the request fails. This causes the BIG-IQ authentication of a remote TACACS+ user to fail as well.

Conditions:
When you use a TACACS+ authentication provider to authenticate to BIG-IQ and the TACACS+ server is too slow, it will probably time out before you get authenticated.

Impact:
TACACS+ user authentication to BIG-IQ fails.

Workaround:
N/A


859709 : Full name of the default pool does not display on the LTM virtual server properties screen

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
LTM Virtual Server properties screen shows only the first 32 to 40 characters of default pool's full name.

Conditions:
1. Log in with read-only permissions.
2. Navigate to Configuration>LOCAL TRAFFIC>Virtual Servers.
3. Click the name of a virtual server and scroll down to the Default Pool drop-down box.

Impact:
If the default pool has a long name, read-only users cannot see the full name of the default pool.

Workaround:
Try to keep the pool name short.


851853 : iApp object's monitors and profiles do not get deleted

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
When Strict Updates is set, removing the iApp does not remove the iApp shared objects from BIG-IQ.
If you do not set the Strict Update option for a selected iApp, this issue does not occur.

Conditions:
1. Discover a BIG-IP that has an iApp that has the Strict Update option selected
2. BIG-IQ keeps any shared objects (like monitors or profiles) that are imported and are part of that iApp... even if the iApp is removed from the BIG-IP.

Impact:
If you don't fully understand the concept of shared objects, it won't make sense to you why the objects are still on the BIG-IP.

Workaround:
If possible, don't use the strict update option for iApp.


845713 : BIG-IQ does not create a self IP when floating IP option is enabled

Component: BIG-IQ Configuration - Network

Symptoms:
When creating a self IP from the user interface, BIG-IQ returns the following error:

Worker http://localhost:8100/cm/adc-core/working-config/net/self failed validation with status 500: java.lang.IllegalArgumentException: Floating status disabled in self-ip object /Common/tttt is different from TrafficGroup floating status enabled

Conditions:
Creating a floating IP address from the BIG-IQ user interface.

Impact:
Cannot create a floating IP address from the BIG-IQ user interface.

Workaround:
Create the floating IP address from the command line using a REST API and specifying:
"floating":"enabled",


843305-5 : Users assigned to custom roles cannot deploy objects to BIG-IP devices

Component: BIG-IQ System User Interface

Symptoms:
Users assigned to custom roles cannot deploy objects to BIG-IP devices if the custom role was created from the BIG-IQ Roles screen.

Conditions:
A custom role (BIG-IQ version 5.4) or custom service role (BIG-IQ version 6.0 and later) created from the BIG-IQ Roles screen.

Impact:
Users assigned to custom roles cannot deploy objects to BIG-IP devices.

Workaround:
To resolve this issue:
1. From the command line, run the following commands, and then assign the Resource Groups to the custom role you need for the user to deploy specific objects for a service (for example, an ASM policy).

# restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Relevant Devices Resource Group","resourceGroupDisplayName":"Relevant Devices Resource Group" ,"resourceGroupDescription":"Resource group containing relevant devices API for use with deployment","referenceExpressionsPatches":[{"targetKind":"cm:global:utility:device-association:deviceassociationstate" ,"referenceExpressions":[{"expression":"/cm/global/utility/device-association"}]}]}'
# restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Deploy Configuration Resource Group" ,"resourceGroupDisplayName":"Deploy Configuration Resource Group","resourceGroupDescription":"Resource group containing relevant deploy API for use with deployment" ,"referenceExpressionsPatches":[{"targetKind":"cm:adc-core:tasks:deploy-configuration:deployconfigtaskstate","referenceExpressions":[{"expression":"/cm/adc-core/tasks/deploy-configuration/*"}]}]}'


2. Log in as admin.

3. Create a new user, such as 'Exampleuser'.

4. Create a new resource group and add some objects to it, for example: Add POLICIES: WEB APPLICATION SECURITY.

5. Create a new custom service role.
   a. Add role type, for example 'Web App Security Manager'.
   b. Set role mode, Strict.
   c. Add the resource group created in step 1 and 2, as resource groups (in 7.1, skip step 1 and add the Resource Group Deployer).
   d. Assign user 'Exampleuser' the custom service role.

6. Log in as 'Exampleuser'. To deploy changes, select the object from the CONFIGURATION tab and click the Deploy action.
Note: After creating the Deployment for your selected BIG-IP device(s), you might not be able to see the differences between BIG-IQ and BIG-IP. This is a known issue to be worked on in the future.

7. To access the history of the deployments, that user must manually navigate to the following URL:
https://<big-iq ip>/ui/deployment.


843109 : Using an incorrect password to import a certificate from BIG-IP does not result in an error message

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
If you enter an incorrect password when you import a certificate from a BIG-IP, BIG-IQ does not display an error message.

Conditions:
1. Navigate to Configuration>Certificate Management>Certificate and Keys.
2. Click the Import button and then select Import from BIG-IP Devices.
3. Select a BIG-IP device, then type a user name and password and click Import.
The import page closes immediately and BIG-IQ displays the main Certificates & Keys page.

Impact:
If the import fails, it will not be obvious.

Workaround:
1. Navigate to Configuration>Certificate Management>Certificate and Keys.
2. Click Import button and then select Import from BIG-IP Devices.
3. Select a BIG-IP device. BIG-IQ displays the certificate import status in the preview panel. You can also check the restjavad.0.log on the BIG-IQ to monitor for errors.


842605 : Log in fails when BIG-IQ is not in operational state

Component: General BIG-IQ User Experience

Symptoms:
If you attempt to log in to a BIG-IQ that is not yet running, BIG-IQ returns an error.

Conditions:
When the system is not in an operational state.

Impact:
BIG-IQ returns an error.

Workaround:
Wait until BIG-IQ has completely started up before trying to log in.


841949 : Unable to create topology record for DNS with Data Center as the destination

Component: BIG-IQ Search

Symptoms:
If you create a topology record in BIG-IQ and try to set a Data Center as the destination, the selector option is blank.

Conditions:
Create a topology rule in BIG-IQ and try to set a Data Center as the destination.

Impact:
You cannot choose the data center as the topology rule destination.

Workaround:
When you choose the destination for the topology record, select one of the options other than Data Center.


840101 : ElasticSearch snapshot view

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
Not all existing snapshots appear in UI if an error occurs during snapshot removal.

Conditions:
When you select multiple ES snapshots for deletion, sometimes only one is removed from the filesystem, while the others remain but no longer show up in the UI.

Impact:
ES snapshots take up space in the /var filesystem which can fill up and cause problems with other systems that need available space.

Workaround:
To work around this in the UI, select only a single ES snapshot at a time for deletion.

You can also delete the snapshots from the command line as follows:

1. curl -s localhost:9200/_snapshot/backup/_all | jq > /tmp/es_snapshot_summary
2. From /tmp/es_snapshot_summary get all snapshot names and save in /tmp/snapshot_names
3. Iterate over /tmp/snapshot_names, taking one snapshot name at a time, and search for that name in the output of restcurl -u user:password /mgmt/cm/shared/esmgmt/es-snapshots/
4. If the snapshot name is present in /mgmt/cm/shared/esmgmt/es-snapshots/, it is not a stale entry. Nothing needs to be done; continue with the next name.
5. If the snapshot name is not present in /mgmt/cm/shared/esmgmt/es-snapshots/, it is a stale entry. Run { curl -X DELETE "localhost:9200/_snapshot/backup/<snapshot_name>?pretty" } to clean it up. If the delete operation fails and the reason for the failure is 503 [another delete request in progress], wait for some time [30 seconds], reattempt [max reattempt count 3], and proceed.
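Steps 1 through 5 above as a script, added here as an example (it is not F5's own code). The function names, the RETRY_* variables and the temporary directory are assumptions, as are the rules that a name counts as present when it occurs anywhere in the es-snapshots response and that snapshot names contain only letters, digits, '.', '_' and '-'. It requires jq.

```shell
#!/bin/bash
# Added example (not F5 code). Function names, RETRY_* variables and the
# temp directory are assumptions; endpoints are the ones in the steps above.

ES_REPO_URL="localhost:9200/_snapshot/backup"
RETRY_WAIT="${RETRY_WAIT:-30}"   # seconds to wait after a 503
RETRY_MAX="${RETRY_MAX:-3}"      # maximum reattempts after the first try

# Step 2: extract snapshot names from the saved Elasticsearch summary.
snapshot_names() {
    jq -r '.snapshots[].snapshot' "$1"
}

# Steps 3-5 (decision only): print every name in file $1 that does not occur
# in the saved BIG-IQ es-snapshots response $2. Matching is by substring, so
# a name that is a prefix of a known one is kept, never deleted.
stale_snapshots() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        grep -Fq -- "$name" "$2" || printf '%s\n' "$name"
    done < "$1"
}

# Send one DELETE for snapshot $1 and print only the HTTP status code.
es_delete() {
    curl -s -o /dev/null -w '%{http_code}' -X DELETE "$ES_REPO_URL/$1"
}

# Step 5: delete snapshot $1. Returns 0 on success, 1 when 503 persists after
# RETRY_MAX reattempts, 2 on any other status, 3 when the name is refused.
delete_with_retry() {
    case "$1" in
        # Assumed name charset; refusing anything else keeps the URL path intact.
        ''|*[!A-Za-z0-9._-]*) return 3 ;;
    esac
    attempt=0
    while :; do
        code=$(es_delete "$1")
        case "$code" in
            2??) return 0 ;;
            503) [ "$attempt" -lt "$RETRY_MAX" ] || return 1
                 attempt=$((attempt + 1))
                 sleep "$RETRY_WAIT" ;;
            *)   return 2 ;;
        esac
    done
}

main() {
    work=$(mktemp -d) || return 1
    curl -s "$ES_REPO_URL/_all" > "$work/es_snapshot_summary" || return 1
    snapshot_names "$work/es_snapshot_summary" > "$work/snapshot_names" || return 1
    # An empty or failed BIG-IQ listing would make every snapshot look stale,
    # so stop before deleting anything.
    restcurl -u user:password /mgmt/cm/shared/esmgmt/es-snapshots/ \
        > "$work/bigiq_snapshots" || return 1
    [ -s "$work/bigiq_snapshots" ] || return 1
    stale_snapshots "$work/snapshot_names" "$work/bigiq_snapshots" |
    while IFS= read -r name; do
        delete_with_retry "$name" || echo "not deleted: $name (rc=$?)" >&2
    done
    rm -rf "$work"
}

# Nothing is deleted unless the script is started with --run.
if [ "${1:-}" = "--run" ]; then main; fi
```

To preview what would be removed, call stale_snapshots on the two saved files and review its output before starting the script with --run.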


839349 : Boot-marker logline added not only to most recent files but also to older files

Component: REST Framework and TMOS Platform

Symptoms:
Syslog is adding boot-marker logline not only to the most recent files but to the older files as well.

Conditions:
General use of BIG-IQ system for some period of time will result in log file rotation. Reboot the system after the rotation and the log files will get the boot-marker line added.

Impact:
This can cause confusion if the log files are being used for troubleshooting.

Workaround:
The log file configuration can be modified to zip the file once log rotation occurs. If this is done, the bootlogmarker.sysinit will ignore the files and will not add the boot-marker line.
For example, altering the '.log' format of the log files in /etc/restjavad.log.conf can fix the issue.


838265 : Agentmanager should not depend on elasticsearch cluster status to start

Component: AppIQ

Symptoms:
The cluster state is red, but the relevant indices for the agentmanager are all fully available.

Conditions:
System has a DCD in its configuration.

Impact:
Customers with functional clusters might stop receiving statistics because the agentmanager will not start.


832801 : BIG-IP with FIPS and BIG-IQ analytics iApp may become inaccessible

Component: AppIQ

Symptoms:
BIG-IP with FIPS and BIG-IQ analytics iApp installed causes FIPS to fail the integrity check and cause the system to halt at reboot and become inaccessible.

ltm log will show:

crit root: BIG-IP Integrity Check: [ FAIL ] -- Contact F5 Networks technical support.

The BIG-IP script /usr/libexec/sys-eicheck.py (Integrity Test) will fail due to at least one "critical file(s) missing", namely /etc/avr/tmstat_tables.xml

Conditions:
- FIPS system
- Discover BIG-IP using BIG-IQ device and enable statistics.
- The BIG-IQ analytics iApp will install on BIG-IP.

Impact:
The system is halted or otherwise unusable.

Workaround:
Change permissions on file:

# chmod -x /etc/avr/tmstat_tables.xml

Confirm executable flag set on file:

# ls -la /usr/libexec/sys-eicheck.py


832753 : IPV6 HA management addresses in local IPV6 subnet unreachable when IPv6 gateway down

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ IPv6 management interface cannot connect to other BIG-IQ management interfaces in the local IPv6 subnet.

Conditions:
Management interface IPv6 default gateway is down.

Impact:
BIG-IQ is unable to reach HA peer or DCD.

Workaround:
Add the following to /config/user_alert.conf:

alert K44817040_workaround "Initial management network proposals triggered (initConfigStateMachine: mcp phase running)" {
exec command="/sbin/ifdown eth0; /sbin/ifup eth0"
}


830337-1 : Network object VLAN is device specific object

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ doesn't treat VLANs as per-device objects. Instead, it assumes that both members of an HA pair *MUST* have exactly the same configuration for VLANs.
When the devices are imported, it replaces the existing VLAN config with the one from the newly imported device.
As a result, every time you try to do a full deployment, it tells you that it needs to modify the configuration of the VLAN.

Conditions:
BIG-IQ manages BIG-IP cluster pairs. Both BIG-IP devices have VLAN objects, and their configurations are different.

Impact:
Deployment to BIG-IP will push incorrect data and break the VLAN object on BIG-IP.

Workaround:
Manually fix VLAN object on BIG-IP every time a deployment is triggered. The mitigation is not friendly so the fix was treated as higher priority.


828617 : BIG IQ:GUI Cert/key page does not generate reports for all certificates

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Option to generate all certificates does not work. Only certificate entries are uploaded.

Conditions:
Navigation
Configuration >> LOCAL TRAFFIC >> Certificate management >> Certificates and keys

Impact:
Not all certificates are included in the report.

Only the following entries are included in the report:
* f5-irule.crt
* default.crt
* f5-ca-bundle.crt
* ca-bundle.crt

No other entries are included in the report.

Workaround:
N/A


828605 : Pre-upgrade test script

Component: BIG-IQ System User Interface

Symptoms:
The pre-upgrade test script available on the F5 Download site fails to correctly run the diskSpaceChecks in certain environments.

Conditions:
This can happen when:
Hardware BIG-IQ uses different python modules
Previous releases use different python modules
Other .iso files are in /shared/images

Impact:
Script fails to run.

Workaround:
None


827297 : Sorting Certificates and Keys columns

Component: BIG-IQ Device User Interface

Symptoms:
Sorting Certificates and Keys columns doesn't work as expected.

Conditions:
Navigate to the Certificates and Key page and click on a column header to sort the entries.

Impact:
The sort order on the page doesn't reflect what you'd expect. This can lead to confusion about whether the object you are looking for exists.

Workaround:
Instead of using sorting columns to find a particular certificate or key, use a filter.


827009-1 : BIG-IQ UI returns an error when you sort on a description column in a list

Component: BIG-IQ Search

Symptoms:
When you sort on a description column on BIG-IQ screens that contain a list, BIG-IQ returns an error.

Conditions:
Sorting on a description column causes BIG-IQ to return an error.

Impact:
You cannot sort on the description column.

Workaround:
None


825301-1 : The BIG-IQ Analytics iApp fails to execute on managed BIG-IP

Component: AppIQ

Symptoms:
1. The affected BIG-IP exhibits elevated CPU
2. The affected BIG-IP has the errors in /var/log/audit similar to:
Sep 9 10:45:20 slot2/BIG-IP-A notice scriptd[15709]: 014f0005:5: AUDIT - user=root action="periodic handler, run script: /Common/bigiq-analytics-send_stats" status="script did not successfully complete: (could not read "/shared/tmp/bigiq-analytics-stats_0": no such file or directory <-----

Conditions:
BIG-IQ 7.0.0.1-Final managing BIG-IP devices running versions 11.x, 12.x, 13.x, 14.x or v15.x.

Impact:
BIG-IQ is unable to collect statistics data from the affected BIG-IP.


824081 : If a BIG-IP device software ISO image upload fails, subsequent upload attempts also fail

Component: BIG-IQ System User Interface

Symptoms:
If a BIG-IP device software ISO image upload fails, the image is stored as incomplete in the /shared/images/tmp folder. Until this incomplete image is deleted, you cannot upload another ISO image with the same name.

Conditions:
1. Navigate to Devices >> SOFTWARE MANAGEMENT >> Software Images >> Upload Image.
The image fails.

2. Navigate to Devices >> SOFTWARE MANAGEMENT >> Software Images >> Upload Image.
An error message displays.

Impact:
BIG-IQ displays the following error message:
An upload with same file is already taking place. Simultaneous upload of same file is not supported.

After the error message displays, the upload fails.

Workaround:
This issue does *not* resurface if you use the following navigation path to upload a BIG IP ISO image instead of the one that triggers the error.

System >> SOFTWARE MANAGEMENT >> IMAGES >> Upload Image

If there are transport errors with an upload and you try to upload the same image file again, BIG-IQ displays an Upload Image pop-up and an error message.

When you click Continue, BIG-IQ removes the incomplete copy of the image in the /shared/images/tmp folder, and then proceeds with your upload.


823565 : BIG-IQ REST framework JVM process crashing intermittently

Component: REST Framework and TMOS Platform

Symptoms:
The BIG-IQ REST framework JVM process (restjavad) is crashing intermittently when RAM memory is low or during highly intensive memory operations.

Conditions:
This happens when there's not enough RAM available for the normal operation of the BIG-IQ REST framework, especially in environments with a relatively large number of managed BIG-IP devices and related configuration objects, with a high volume of statistical data collected, and so forth.

Impact:
BIG-IQ management interface and device management workflows are temporarily unavailable.

Workaround:
The BIG-IQ REST framework would automatically recover after a crash of the related JVM process (restjavad). However, avoiding further crashes would require additional memory (RAM) for the BIG-IQ appliance (VE or hardware).

To work around this issue, increase the physical memory (RAM) for BIG-IQ (hardware or virtual).


822225 : Cancelling a queued deployment evaluation task

Component: REST Framework and TMOS Platform

Symptoms:
If you're running several deployment evaluations at the same time (or very near in time) and cancel one of the queued evaluations, the cancelled evaluation will get stuck in 'Cancelling' status.

The REST request returns something similar to the following:

# restcurl -u admin: mgmt/cm/firewall/tasks/deploy-configuration
{
  "items": [
    {
      "createChildTasks": true,
      "currentStep": "CHECK_LICENSE",
[...]
      "startDateTime": "2019-08-28T15:20:15.962+0100",
      "status": "CANCEL_REQUESTED",
      "type": "Full",
[...]

Conditions:
Cancelling a queued deployment evaluation.

Impact:
This deployment evaluation and all evaluations after it will never be run.

Workaround:
Restart restjavad to change status to FAILED.


821381 : Client certificate authentication settings are not preserved after upgrading from BIG-IQ v7.0.0 to v7.0.0.1

Component: REST Framework and TMOS Platform

Symptoms:
If client certificate authentication is enabled for BIG-IQ v7.0.0, and you upgrade BIG-IQ, the webd.conf file gets overridden/replaced. This means the client certificate authentication settings are lost, and authentication no longer works correctly.

Conditions:
Client certificate authentication is enabled on BIG-IQ v7.0.0.

Impact:
Authentication no longer works correctly.

Workaround:
You can avoid this issue by disabling client certificate authentication before you upgrade BIG-IQ, then re-enabling it after the upgrade.

Alternatively, if BIG-IQ v7.0.0 client certificate authentication is not disabled before the upgrade, ssh into the BIG-IQ and type the following command at the shell prompt:

   client-cert-auth -x

This resets BIG-IQ authentication to the default username/password authentication using the local authentication provider.


813665 : Discovery and management IP address are out of sync once tmsh operation used to change management IP address

Component: BIG-IQ System User Interface

Symptoms:
If the BIG-IQ CM was initially provisioned with the same value for the Management IP and the Discovery IP, a later modification of the Management IP via the CLI creates sync issues.

Conditions:
Modify Management IP address using tmsh interface.

Impact:
The Discovery IP becomes out of sync, causing issues when adding DCD and during HA pairing.

Workaround:
If the management IP is modified from the tmsh interface, the Discovery IP address should be set to the same value from the UI.


813121-1 : URIs are not inflated error on deployment

Component: REST Framework and TMOS Platform

Symptoms:
If you create an evaluation without deploying it, and then discover a BIG-IP with some changes (deletions or detachments for shared device-specific objects) in the working configuration, deploying the existing evaluation fails with the error "URIs were not inflated".

Conditions:
Deleting or detaching shared objects from a specific BIG-IP device's object after evaluation and before deployment.

Impact:
Deployment fails.

Workaround:
Create a new evaluation and deployment.


812717-1 : Some logging profiles do not display after upgrading to BIG-IQ v7.0.0

Component: BIG-IQ Configuration - Security - Shared Security

Symptoms:
After an upgrade to BIG-IQ v7.0.0, some logging profiles do not display.

Conditions:
Upgrade to BIG-IQ v7.0.0.

Impact:
Some logging profiles do not display.

Workaround:
To display missing logging profiles, from the BIG-IQ command line, run the following:


for item_id in 96a784ae-904c-340e-aa4b-700dd693e51b 9ac61bf5-cedf-3625-af0e-00f0a98a1cc0 d2a5fc31-d153-3fff-a8ea-97de03f95d97 f0a05642-f8ac-39e1-9f67-98fc6b8f4449 5ec7ef41-7938-384a-8489-f68df693c9b2; do restcurl -X PATCH /cm/security-shared/working-config/log-profiles/$item_id -d '{hidden:false}'; done


812373 : Elasticsearch split brain situation when service is forced to restart

Component: BIG-IQ System User Interface

Symptoms:
Data collection cluster fails to collect data or respond to queries causing issues with event collection and visualization.

Conditions:
If one or more of the data collection devices becomes unreachable from the console or other data collection devices, due to networking, restarting, or other environmental issues, it is possible that the cluster can become unhealthy and unable to respond to inbound data or query requests.

Issues like excessive memory usage or network instability can trigger these erratic changes.

Impact:
Data collection and visualization becomes inoperative.

Workaround:
If data backups (snapshots) or data loss is acceptable then:
• Stop elasticsearch process on console and each data collection device (“bigstart stop elasticsearch”)
• Delete the /var/config/rest/elasticsearch/data directory on the devices
• Restart elasticsearch process on console and each data collection device (“bigstart start elasticsearch”)


812097 : Elasticsearch may crash and create core file when too little memory is allocated to BIG-IQ

Component: REST Framework and TMOS Platform

Symptoms:
If a BIG-IQ node, either console or DCD, has less than 32GB of RAM available (per node), the ElasticSearch instance on that node may crash and generate a core file.

Conditions:
1. Install BIG-IQ with data collection, where at least one node (either console or DCD) has 16GB RAM.
2. Using the BIG-IQ UI monitor several BIG-IP devices.

Impact:
The ElasticSearch log prints the following message in certain situations, e.g., large volume of stats collected:
java.lang.OutOfMemoryError: GC overhead limit exceeded

When the ElasticSearch is out of memory, it is not available for querying and/or storing new statistics.

Workaround:
1. Increase the memory of the BIG-IQ console and DCD nodes to 32GB RAM each.

2. Verify that the ElasticSearch cluster is healthy again and statistics are displayed under the BIG-IQ monitoring tab.


812065 : Pools & pool-member stats are not collected after upgrade

Component: AppIQ

Symptoms:
In some rare instances after upgrading to BIG-IQ version 7.0, BIG-IQ might not collect pool & pool-member statistics information.

Conditions:
When you upgrade from BIG-IQ version 6.x to 7.0.
To identify the presence of the issue, go to: Monitoring -> Dashboards -> Local Traffic -> Pools & Pool Members.
If stats are displayed - then the upgrade process was completed properly.

Impact:
Statistical information about pool and pool-member activities is not being collected and this information is not displayed in the corresponding dashboards.

Workaround:
The root cause of this problem is in ElasticSearch index mapping. To work around this issue, update the mapping manually:
1. Unzip the attachment and place it under /tmp on the CM.
2. Run ./fix_es_mapping.sh

New mapping definitions take effect after the index is switched, so it can take up to 1 hour before BIG-IQ can collect statistics.


811773-1 : BIG-IQ Web Application Security event log page does not list events after upgrade to BIG-IQ v7.0

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Due to an upgrade problem, the Web Application Security event logs screens do not open after an upgrade to BIG-IQ v7.0.

Conditions:
The issue happens after upgrading BIG-IQ with a DCD cluster and the Web Application Security listener enabled.

Impact:
The Brute Force Attacks and Event Logs screens fail to load, so you cannot monitor these events.

Workaround:
1. Navigate to System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
2. Click the name of the relevant DCD device.
3. Click Services.
4. Click Activate for the Web Application Security listener.


811069 : Overriding deeply nested fields in AS3 Templates can cause them to appear at deployment time.

Component: BIG-IQ Application Management

Symptoms:
Overriding certain deeply nested fields in AS3 Templates sometimes makes them appear as editable when you use the template to deploy an application service, even though they are not configured to be visible or editable.

Conditions:
Select "override" on all the fields of a nested object. For example, the "Security_Log_Profile" class contains many deeply nested class objects. The JSON schema for the "Security_Log_Profile" could look like:
{
  "properties": {
    "class": {},
    "application": {
      "type": "object",
      "properties": {
        "localStorage": {
          "type": "boolean",
          "default": false,
          "const": false
        },
        "maxEntryLength": {
          "type": "string",
          "default": "64k",
          "const": "64k"
        },
        "remoteStorage": {
          "type": "string",
          "default": "bigiq",
          "const": "bigiq"
        },
        "reportAnomaliesEnabled": {
          "type": "boolean",
          "default": true,
          "const": true
        },
        "servers": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "address": {
                "type": "string",
                "default": "10.1.10.6",
                "const": "10.1.10.6"
              },
              "port": {
                "type": "string",
                "default": "8514",
                "const": "8514"
              }
            }
          }
        },
        "storageFilter": {
          "type": "object",
          "properties": {
            "requestType": {
              "type": "string",
              "const": "illegal",
              "default": "illegal"
            }
          }
        }
      }
    }
  },
  "type": "object",
  "additionalProperties": false
}


Note that nothing in this class can be edited, because of the "const" keywords throughout the declaration.

Impact:
When the template is used to deploy an application service, fields appear as editable, even though they're not. If you attempt to edit the values, BIG-IQ returns an error.

Workaround:
Either avoid making edits to these fields, or:

If you're not sure which fields to avoid, use the API to deploy the application service along with the schema overlay.


809149-1 : Attempting to enable remote logging configuration

Component: BIG-IQ Monitoring - Logs

Symptoms:
When attempting to enable remote logging configuration, BIG-IQ returns an error:

The requested Node (/Common/access-remote-syslog-node-*) already exists in partition.

Conditions:
This happens when you attempt to enable remote logging configuration.

Impact:
You are unable to Access reports from the Monitoring tab.


807385-1 : Egress gateway pool unselect empty the dropdown

Component: BIG-IQ Access

Symptoms:
If you select an existing pool in egress, then unselect it, the pool menu becomes empty.

Conditions:
When you select a pool with an egress, and then unselect it.

Impact:
The pool menu becomes empty.

Workaround:
Switch the gateway pool ratio to default and change back to use existing.


804213 : BIG-IQ cannot handle same AVR profile for BIG-IP V13.x and V14.x

Component: AppIQ

Symptoms:
Due to differences between BIG-IP versions 13.x and 14.x in the AVR Profile, using one AVR profile in BIG-IQ for both fails.

Conditions:
Having mix of BIG-IPs in versions 14.x and previous versions (12.1 or 13.x), or upgrading to 14.x.

Impact:
On discovery: When discovering a 14.x device that was upgraded from 13.x or a prior version, a conflict is raised and the user has to choose which version of the profile to keep.

On deployment: Depending on how a profile is discovered, when it is deployed back to a different BIG-IP version, the deployment will fail.

Workaround:
Keep different profiles for the v14.x versions and for the previous versions.


801581 : L7 Security Dashboard and Application Dashboard do not display enforcement mode updates to AS3 applications

Component: BIG-IQ Application Management

Symptoms:
An incorrect enforcement mode is displayed in BIG-IQ's dashboards for AS3 application's Web Application Security services, when a user makes changes to the enforcement mode.

To get the correct protection mode displayed on the L7 Security dashboard, you must discover and import the ASM service to BIG-IP before and after you update an AS3 Web Application Security policy (WAF) and deploy it to a BIG-IP device.

Conditions:
WAF protection is deployed with an AS3 application using an ASM policy referenced in the following declaration:

"policyWAF": {
"bigip": "/Common/asm-policy-name"
}

This does not apply to AS3 application referencing the ASM policy in a URL.

Impact:
The protection mode in the Applications (Applications > APPLICATIONS) and L7 Security Dashboard (Monitoring > DASHBOARDS > L7 Security) might not be correct.

Workaround:
If you have made changes to an AS3 application's enforcement mode, and do not see your deployed changes reflected in BIG-IQ, use one of the following workflows:

If user roles of security manager or admin were used to make enforcement mode changes:
1. Login as the security manager user role to the BIG-IQ system.
2. Discover and import the BIG-IP device that hosts the ASM policy and AS3 WAF application.

To manually redeploy the AS3 application and trigger an update:
1. Go to Applications > APPLICATIONS and select the application and then the affected AS3 application service.
2. Select the Properties icon from the map at the center of the screen.
3. Select the Configuration tab at the center of the screen.
4. Enter a value in the description field.
5. Click Save.
Once saved, the AS3 application is refreshed and information about the enforcement mode should display as expected.


796601-1 : Invalid parameter in errdefsd while processing hostname db_variable

Component: REST Framework and TMOS Platform

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.


782241 : VCMP host reports disc usage stats to BIG-IQ while all other health parameters are not reported

Component: BIG-IQ App Visibility and Reporting (AVR)

Symptoms:
When BIG-IP clients are configured as VCMP, BIG-IQ shows health statistics from VCMP host and VCMP guest machines. VCMP guest statistics are shown as expected; however, VCMP host statistics contain only disc usage data.

Conditions:
BIG-IP is configured as VCMP system.

Impact:
The VCMP statistics shown are incomplete.


781061-1 : Device Type is Unmanaged in license pool if the device is licensed by BIG-IQ before importing

Component: BIG-IQ Device Management

Symptoms:
If an unmanaged BIG-IP device is licensed from BIG-IQ, and later it is discovered and imported, the "Device Type" in the license pool on BIG-IQ shows the device as unmanaged, even if it is discovered and imported.

Conditions:
The device is licensed first, and then discovered and imported.

Impact:
There is no real impact on device management. It only confuses the user when looking at the device type on the license pool page.

Workaround:
Discover and import the BIG-IP device first before you license it.


759069 : Full access session variables on BIG-IQ

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
When viewing the session variables for an Access session, the full set of variables visible on BIG-IP is not shown on BIG-IQ.

Conditions:
1. Configure BIG-IQ with Access Stats Collection
2. Monitor BIG-IP with active Network Access connections

Impact:
Lack of full session visibility on BIG-IQ.


721768 : If you change the unique ID of a managed BIG-IP device, BIG-IQ displays the BIG-IP device and its objects twice

Component: BIG-IQ Device Management

Symptoms:
BIG-IQ shows the same BIG-IP device twice in the BIG-IQ device inventory if the BIG-IP device's unique ID was changed. By design, BIG-IQ considers different IDs different devices.

Conditions:
BIG-IP generates a new unique ID during certain operations, for example when removing the f5-rest-device-id file and restarting restjavad.

This might also happen if a UCS backup is restored onto a new BIG-IP device.

Impact:
This can cause issues when BIG-IQ tries to manage those devices.

Workaround:
Identify the duplicate BIG-IP objects, and then remove them. To do this:

Confirm there are duplicate device objects representing a single managed BIG-IP device. To do this, create some bash functions.

1) Create helper functions. From the BIG-IQ CLI, type the following commands to create BASH shell script functions:
      
          list-devices(){ restcurl shared/resolver/device-groups/cm-bigip-allDevices/devices'?$select=address,hostname,machineId,selfLink'; }

          list-dups() { list-devices| grep address | cut -d ':' -f2 | tr -d '",' | sort -n | uniq -c | grep -v -w 1; }

These two commands create functions that can then be run as commands:

-- list-devices <ENTER> gives an abbreviated list of all discovered devices on the BIG-IQ.

-- list-dups <ENTER> lists any IP addresses reported for more than one object, and the number of instances in which the IP was found.

2) Run function list-dups to find any objects with more than one instance object using the same IP address. On the BIG-IQ CLI:

        list-dups <ENTER>

-- In the output, the first number is the number of duplicates associated with the trailing IP address. If there is no output, no duplicates were found.

-- In the following example, one IP address duplicate was found:

        # list-dups
        2 10.111.0.97

3) List the object duplicates so that the invalid one can be identified. On the BIG-IQ CLI:

       list-devices | grep -A4 <dup address>

       Example:

        # list-devices | grep -A4 10.111.0.97
      "address": "10.111.0.97",
      "hostname": "sdprod1.mydomain.com",
      "machineId": "22718bcc-71c3-4700-87c4-b28ed959b2df",
      "selfLink": "https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allDevices/devices/22718bcc-71c3-4700-87c4-b28ed959b2df"
    },
--
      "address": "10.111.0.97",
      "hostname": "sdprod1.mydomain.com",
      "machineId": "4b777e75-ec75-464d-ac9f-548a7153103c",
      "selfLink": "https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allDevices/devices/4b777e75-ec75-464d-ac9f-548a7153103c"
    },


4) Identify the valid object by going to the CLI of the actual BIG-IP device listed in the last output, and run the following command on its CLI:

        cat /config/f5-rest-device-id

The output is the BIG-IP system's correct UUID.


Note: Before proceeding to the next step, it is recommended that you create a UCS snapshot of the BIG-IQ.


5) Remove the invalid device object.

Run the following command on the BIG-IQ CLI, substituting the UUID with the incorrect one (i.e., the one that does not match the correct UUID retrieved in the previous step):

restcurl shared/resolver/device-groups/cm-bigip-allDevices/devices/<UUID> -X DELETE

Example:
     restcurl shared/resolver/device-groups/cm-bigip-allDevices/devices/22718bcc-71c3-4700-87c4-b28ed959b2df -X DELETE


Once all invalid objects are removed from the BIG-IQ, the procedure is finished.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade

