Supplemental Document : Release Information: Hotfixes: BIG-IQ Centralized Management 5.4.0

Applies To:

BIG-IQ Centralized Management

  • 5.4.0
Original Publication Date: 02/26/2018 Updated Date: 04/18/2019

BIG-IQ CM Hotfix Release Information

Version: 5.4.0
Build: 7467.0
Hotfix Rollup: 2

NOTE: This release DOES NOT include fixes for the Spectre or Meltdown vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754).
F5 is currently developing fixes which will be released in a future version. Please see K91229003 for current Spectre and Meltdown information.


Functional Change Fixes

None


BIG-IQ Configuration - Access Fixes

ID Number | Severity | Solution Article(s) | Description
702833-1 | 3-Major | | Network Access List IPv6 LAN Address Space mask error


BIG-IQ Configuration - Local Traffic Fixes

ID Number | Severity | Solution Article(s) | Description
705083-1 | 3-Major | | Unable to create UDP virtual servers


BIG-IQ Monitoring - Logs Fixes

ID Number | Severity | Solution Article(s) | Description
702847 | 3-Major | | Device field in ASM event displayed in BIG-IQ GUI shows N/A instead of BIG-IP device name


BIG-IQ Local Traffic & Management Fixes

ID Number | Severity | Solution Article(s) | Description
703908-1 | 2-Critical | | maxSegmentSize of 0 in TCP profile is not accepted


BIG-IQ DNS Management Fixes

ID Number | Severity | Solution Article(s) | Description
703480 | 3-Major | | DnsConfigCopyTaskWorker fails to import topology when region name has a space


REST Framework and TMOS Platform Fixes

ID Number | Severity | Solution Article(s) | Description
703559-1 | 3-Major | | BIG-IQ unable to retrieve authentication token from BIG-IP 13.1.0+ using remote authentication


BIG-IQ Web Application Security (ASM) Fixes

ID Number | Severity | Solution Article(s) | Description
703091 | 1-Blocking | | Enhance startup logic for central policy builder process to avoid potential race condition
705270 | 3-Major | | Web Application Manager, Editor and Security Manager roles do not have permissions to accept central policy builder suggestions for a policy
705104-1 | 3-Major | | Unexpected differences/conflicts displayed after latest F5 Signature file released



Cumulative fixes from BIG-IQ CM v5.4.0 Hotfix 1 that are included in this release


Functional Change Fixes

None


BIG-IQ Device Management Fixes

ID Number | Severity | Solution Article(s) | Description
698616-1 | 3-Major | K40755239 | Upgrades targeting clustered devices (Viprion or vCMP) fail with a timeout error
701265 | 4-Minor | | Health upload schedule, selection by device group, shows deleted devices


BIG-IQ Network Security Fixes

ID Number | Severity | Solution Article(s) | Description
700399-1 | 2-Critical | K24906352 | FW rules are not deployed on AFM in order


REST Framework and TMOS Platform Fixes

ID Number | Severity | Solution Article(s) | Description
701703 | 3-Major | K14550300 | BIG-IQ upgrade from 5.3.0 to 5.4.0 may fail when Access groups are configured
701264 | 3-Major | K22136541 | BSON-type UNDEFINED error after BIG-IQ version 5.3 to 5.4 upgrade


BIG-IQ Web Application Security (ASM) Fixes

ID Number | Severity | Solution Article(s) | Description
701045-1 | 2-Critical | | Deploying a shared ASM policy to one virtual server could cause it to be removed from other virtual servers
701485-1 | 3-Major | K49064145 | Storage upgrade fails when upgrading to BIG-IQ version 5.4 when previous configuration has a user defined ASM signature set created without a filter


BIG-IQ Shared Security Fixes

ID Number | Severity | Solution Article(s) | Description
699069-2 | 2-Critical | | To deploy DoS Profiles to BIG-IP versions 13.0.0 and later, Application Security Module must be provisioned on the BIG-IP


Cumulative fix details for BIG-IQ CM v5.4.0 Hotfix 2 that are included in this release

705270 : Web Application Manager, Editor and Security Manager roles do not have permissions to accept central policy builder suggestions for a policy

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Some users receive a 403 Not Authorized error when attempting to manually accept a policy suggestion generated by the Central Policy Manager.

Conditions:
This happens for users with the role of Web Application Manager, Web Application Editor, or Security Manager.

Impact:
Non-privileged users cannot manually accept central policy builder suggestions.

Workaround:
Provide users with Administrator role access to manually accept these suggestions.

Fix:
After installing this fix, you must:
1) Note/record the built-in role names for each of your users and user groups.
2) Execute the /usr/bin/rbac-reset command on each BIG-IQ console device, so that roles are regenerated with the proper access privileges.
3) After the system is back up, add the users and groups back to the built-in roles saved in step 1.

Users with the role of Web Application Manager, Web Application Editor, or Security Manager can now manually accept policy suggestions from the central policy manager.


705104-1 : Unexpected differences/conflicts displayed after latest F5 Signature file released

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
After discovering or rediscovering a BIG-IP device, unexpected conflicts display for Security Systems during the import phase.

Conditions:
After you deploy a new ASM signature file to BIG-IP devices, BIG-IQ displays differences in the signature systems before import, because the new signature file changes the textual descriptions of the systems.

Impact:
These changes are benign, but need to be resolved during the import process.

Workaround:
If you see such differences, select Use BIG-IP to resolve the conflicts.

Fix:
This issue no longer occurs.


705083-1 : Unable to create UDP virtual servers

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Trying to create a virtual server with a UDP profile returns the following error:

Error on server request
Worker http://localhost:8100/cm/adc-core/working-config/ltm/virtual failed validation with status 500: java.lang.IllegalArgumentException: object includes reference that is null or empty.

The following error can be found in the /var/log/restjavad.0.log log:

[ERROR][02 Feb 2018 16:51:30 WET][/cm/adc-core/working-config/ltm/virtual AdcVirtualWorkingConfigCollectionWorker] Validation failure: java.lang.IllegalArgumentException: object includes reference that is null or empty.

Conditions:
-- Running v5.4.0.
-- Virtual server has an associated UDP profile.

Impact:
Unable to create virtual servers with a UDP profile on the BIG-IQ device.

Workaround:
Create the virtual server on the BIG-IP system and import it into BIG-IQ.

Note: No modifications of the virtual server can be saved in the BIG-IQ environment.

Fix:
You can now create a virtual server and associate a UDP profile.


703908-1 : maxSegmentSize of 0 in TCP profile is not accepted

Component: BIG-IQ Local Traffic & Management

Symptoms:
If the max segment size (MSS) value configured for the TCP profile on a BIG-IP system is set to 0, BIG-IQ will fail to import it.

[ERROR][23 Jan 2018 13:41:15 CST][/cm/adc-core/working-config/ltm/profile/tcp AdcProfileTcpWorkingConfigCollectionWorker] Validation failure: java.lang.IllegalArgumentException: maxSegmentSize 0 must be between 536 and 1460

Conditions:
TCP Profile max segment size is 0.

Impact:
BIG-IQ cannot manage LTM (or other services).

Workaround:
Per the LTM manual:
Max Segment Size (MSS) specifies the largest amount of data that the system can receive in a single TCP segment, not including the TCP and IP headers. If the value is 0 (zero), the system calculates the value from the MTU. The default value is 1460 bytes.

The default MTU is 1500 and the headers total 40 bytes. That is why the default max segment size is 1460 (1500-40).

As a workaround you should be able to set the max segment size to (MTU-40).

Unfortunately, this works only if the resulting MSS falls within the range BIG-IQ currently validates (536 to 1460, per the error above).

Fix:
BIG-IQ now validates the TCP profile maxSegmentSize property correctly.


703559-1 : BIG-IQ unable to retrieve authentication token from BIG-IP 13.1.0+ using remote authentication

Component: REST Framework and TMOS Platform

Symptoms:
In BIG-IP 13.1.0, a change was made to how the BIG-IP system handles authentication calls when an external authentication provider is configured. With this change, the caller is forced to use the authentication provider the BIG-IP system is configured to use, and the system does not fall back to local authentication. As a result, the BIG-IQ authentication call to the BIG-IP system fails when an external authentication provider is configured. This call is made at the beginning of device discovery, so discovery fails.

Conditions:
This occurs when the following conditions are met:
-- Running BIG-IQ versions up to and including 5.4 HF1.
-- External authentication provider is configured on the BIG-IP system.
-- Trying to discover BIG-IP systems running version 13.1.0 and newer.

Impact:
When an external authentication provider is configured on the BIG-IP system, device discovery from the BIG-IQ fails.

Workaround:
1. On the BIG-IP system, set the authentication provider to local.
2. On the BIG-IQ device, discover/import the device using local user admin.
3. On the BIG-IP system, set the authentication provider to the external/remote one.
4. As the BIG-IQ device already has the authentication token for the device, communication with the device still works. The BIG-IQ device can re-discover/re-import the device.

Important: DO NOT remove the device from BIG-IQ, as that causes authentication to fail.

Fix:
Device discovery for all the supported BIG-IP versions succeeds.


703480 : DnsConfigCopyTaskWorker fails to import topology when region name has a space

Component: BIG-IQ DNS Management

Symptoms:
The discovery/import of DNS from BIG-IP to BIG-IQ fails.

Conditions:
The GTM region name configured on the BIG-IP includes a space.

Impact:
BIG-IQ DNS does not show the GTM/GSLB configuration of the imported BIG-IP/Sync Group.

Workaround:
Do not use spaces in GTM region names on the BIG-IP.

Fix:
You can now discover and import a BIG-IP whose GTM region name includes a space.


703091 : Enhance startup logic for central policy builder process to avoid potential race condition

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Event listeners used by the data collection devices (DCD) may fail to start after a reboot or upgrade has been performed.

Conditions:
In some cases, a race condition might occur after an upgrade or reboot.

Impact:
The Central Policy Manager daemon fails to start properly. The failure of the Central Policy Manager daemon startup causes a secondary failure when attempting to start an event listener.

Workaround:
Reboot the BIG-IP DCD device that reported the errors.

Fix:
Enhancements have been made to the sequencing and checking performed during the startup process so the race condition no longer occurs.


702847 : Device field in ASM event displayed in BIG-IQ GUI shows N/A instead of BIG-IP device name

Component: BIG-IQ Monitoring - Logs

Symptoms:
When viewing ASM events sent to the BIG-IQ environment, the BIG-IQ displays incorrect information in the field designated for the device name. This field should show the name of the BIG-IP system that is the originator of the event.

Conditions:
Viewing events in the BIG-IQ environment.

Impact:
Cannot see the correct BIG-IP device name information for ASM Events. The BIG-IQ populates the device name field in the GUI using the contents of the Device ID field from the event database, which for the BIG-IP system is N/A.

Workaround:
None.

Fix:
The GUI now populates the Device field with the correct information from the event database.


702833-1 : Network Access List IPv6 LAN Address Space mask error

Component: BIG-IQ Configuration - Access

Symptoms:
After entering the IP address and the mask for the field 'IPV6 LAN Address Space', two issues occur:
-- The IPv6 addresses and mask are displayed in IPv4 format.
-- The IPv6 mask is incorrect.

Conditions:
-- Client Settings configured as Advanced.
-- Traffic Options set to 'Use split tunneling for traffic' while creating or editing a network access object.
-- Save after entering the IP address and the mask for the field 'IPV6 LAN Address Space'.

Impact:
Incorrect IP address and mask. Save or Save and Close buttons are not enabled.

Workaround:
None.

Fix:
The IPv6 address and mask validator is fixed. The IP address and mask display the correct data after saving.


701703 : BIG-IQ upgrade from 5.3.0 to 5.4.0 may fail when Access groups are configured

Solution Article: K14550300

Component: REST Framework and TMOS Platform

Symptoms:
Upgrade fails and tokuupgrade.log contains the following messages:

Error: [SNAPU] Found invalid generation undefined when making generation link for https://localhost/mgmt/cm/access/working-config ...
     at throwSnapuError (./020-platform-snapshots.js:1215:15)
     at makeGenLink (./020-platform-snapshots.js:1114:13)
     at sanityCheckLiveDocuments (./020-platform-snapshots.js:1489:68)
     at runSanityChecks (./020-platform-snapshots.js:1267:18)
     at ScriptEntry.upgrade [as upgradeFunc] (./020-platform-snapshots.js:158:5)
     at upgradeToVersionDir (/var/config/rest/tokuupgrade/src/upgradeversions.js:252:21)
     at upgradeToVersion (/var/config/rest/tokuupgrade/src/upgradeversions.js:155:5)
     at /var/config/rest/tokuupgrade/src/tokuupgrade.js:113:13

Note: Error messages may vary but can generally be identified by the upgrade script 020-platform-snapshots.js and a link starting with https://localhost/mgmt/cm/access.

Conditions:
-- BIG-IQ manages multiple Access Policy Manager (APM) devices.
-- BIG-IQ is configured to use Access Groups.
-- An APM device is removed from one device group and added to another device group.
-- An Access Group snapshot was created while the APM device belonged to the initial device group.
-- BIG-IQ is upgraded before a new / updated Access Group snapshot is created.

Impact:
Upgrade from 5.3.0 to 5.4.0 will fail.

Workaround:
1) To work around this issue, reboot to the previous BIG-IQ version.

2) Delete all Access snapshots before upgrading again: Deployment :: Access :: Snapshots

3) Perform the upgrade again.

For more information, see K14550300: BIG-IQ system upgrades from 5.3.0 to 5.4.0 may fail when Access Groups are configured https://support.f5.com/csp/article/K14550300.

Fix:
BIG-IQ now correctly transforms Access snapshots during the storage upgrade step of the BIG-IQ version 5.4.0 upgrade procedure.


701485-1 : Storage upgrade fails when upgrading to BIG-IQ version 5.4 when previous configuration has a user defined ASM signature set created without a filter

Solution Article: K49064145

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
After upgrading to BIG-IQ 5.4.0 and booting into the new volume, the BIG-IQ CLI displays a "STORAGE_UPGRADE_FAILED" error message and the user interface displays "Waiting for BIG-IQ services to become available..."

The tokuupgrade log also displays the following message: TypeError: Cannot read property 'attackTypeReference' of undefined

Conditions:
This can happen if the previous configuration on the BIG-IQ has an ASM signature set created by manually selecting individual signatures rather than through a filter.

Impact:
Upgrades cannot be completed successfully on the configuration.

Fix:
This release includes a fix that works properly on signature sets without filters.


701265 : Health upload schedule, selection by device group, shows deleted devices

Component: BIG-IQ Device Management

Symptoms:
If, when creating a QKView upload schedule, you select a device from anything other than the All BIG-IP Group Devices, BIG-IQ displays the device as Device Deleted when the schedule runs.

Impact:
This can be confusing.

Workaround:
To work around this issue, select devices only from the all BIG-IQ group when creating a QKView upload schedule.

Fix:
The device group selector has been removed and all available devices are displayed.


701264 : BSON-type UNDEFINED error after BIG-IQ version 5.3 to 5.4 upgrade

Solution Article: K22136541

Component: REST Framework and TMOS Platform

Symptoms:
After upgrading BIG-IQ to version 5.4, when attempting to access BIG-IP LTM pools and pool members, you might receive the following error:

'Found unexpected BSON type UNDEFINED.'

Conditions:
This happens after upgrading to BIG-IQ 5.4. The pool members impacted are those located in the 'Common' partition without folders.

Impact:
Re-importing the device might fail and you might be unable to access pool members.

Fix:
This issue is now fixed.


701045-1 : Deploying a shared ASM policy to one virtual server could cause it to be removed from other virtual servers

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When a BIG-IP device has a single policy and two virtual servers, assigning the ASM policy to the second virtual server prompts the removal of the policy from the first virtual server.

Conditions:
This happens when you deploy a policy assignment for an ASM policy to a second virtual server on a BIG-IP device.

Impact:
The deployment assignment removes the policy's assignment from the first virtual server.

Fix:
This issue no longer occurs.


700399-1 : FW rules are not deployed on AFM in order

Solution Article: K24906352

Component: BIG-IQ Network Security

Symptoms:
Under certain conditions, if a change is made to the rule ordering in BIG-IQ AFM and then deployed to a BIG-IP device, the rule order on BIG-IQ and on BIG-IP differs.

Conditions:
This happens only under all of the following conditions:
1. Only when rules move. There are no issues for rules that are added, changed, or removed.
2. Only when a block of two or more rules moves together. If only one rule moves, there is no issue. If more than one rule moves, each to a different position, there is no issue.
3. Only when the block moves by two or more positions. If a whole block of rules moves by one position only, it works as expected.

Impact:
Subsequent deployments continue to show differences between BIG-IQ and BIG-IP rule ordering.

Workaround:
To work around this issue, use one of the following solutions:

1. Move one rule, then deploy it, rather than moving several rules and deploying them all at once.
2. If such a change is necessary, make a change to the "description" field of each moved rule. In the example above, two rules moved: B and C. While editing the policy, edit rule B and change or add something to its description (the field just below the rule name). If a description is already in place, append a character such as ".". Do the same for rule C. This forces a change in the rule, and the correct rule ordering is applied.
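The following is a constructed check for the conditions above; it is not part of this release note or of F5's code. Given a policy's rule order before and after an edit, it finds contiguous blocks of two or more rules that moved together by two or more positions, and applies the description-touch workaround to them. It is conservative in that it also flags the rules displaced by the move (an assumption beyond the note), and the rule names and descriptions are made up.

```python
"""Constructed check for the rule-ordering conditions in issue 700399-1.

Not F5 code: given the rule order of a BIG-IQ AFM policy before and after an
edit, it finds contiguous blocks of two or more rules that moved together by
two or more positions (the combination the issue describes) and applies the
"touch the description" workaround to those rules.
"""
from typing import Dict, List, Sequence, Set


def rule_shifts(before: Sequence[str], after: Sequence[str]) -> Dict[str, int]:
    """Position change of each rule; positive means it moved later in the policy.

    Only pure re-ordering is handled, since the issue does not apply to added,
    changed or removed rules.
    """
    if len(before) != len(after) or set(before) != set(after):
        raise ValueError("rule sets differ; this check only handles re-ordering")
    pos_after = {name: i for i, name in enumerate(after)}
    return {name: pos_after[name] - i for i, name in enumerate(before)}


def moved_blocks(before: Sequence[str], after: Sequence[str]) -> List[List[str]]:
    """Maximal runs of rules, consecutive in `before`, sharing one non-zero shift.

    Rules with the same shift stay consecutive in `after`, so each run is a
    block that moved as a unit. Rules displaced by the move form such runs too
    and are reported as well (conservative; an assumption beyond the note).
    """
    shifts = rule_shifts(before, after)
    blocks: List[List[str]] = []
    current: List[str] = []
    for name in before:
        shift = shifts[name]
        if shift != 0 and current and shifts[current[-1]] == shift:
            current.append(name)          # extends the block in progress
            continue
        if current:
            blocks.append(current)        # close the previous block
        current = [name] if shift != 0 else []
    if current:
        blocks.append(current)
    return blocks


def affected_rules(before: Sequence[str], after: Sequence[str]) -> Set[str]:
    """Rules in a block of >= 2 rules that moved by >= 2 positions.

    A single rule moving, or a block moving by exactly one position, is not
    affected, matching conditions 2 and 3 of the issue.
    """
    shifts = rule_shifts(before, after)
    hit: Set[str] = set()
    for block in moved_blocks(before, after):
        if len(block) >= 2 and abs(shifts[block[0]]) >= 2:
            hit.update(block)
    return hit


def touch_descriptions(descriptions: Dict[str, str], affected: Set[str]) -> Dict[str, str]:
    """Workaround 2: append "." to the description of each affected rule so
    BIG-IQ treats the rule itself as changed and deploys the new order."""
    return {name: desc + "." if name in affected else desc
            for name, desc in descriptions.items()}


if __name__ == "__main__":
    # Constructed sample: the block [B, C] is dragged two positions down.
    before = ["A", "B", "C", "D", "E"]
    after = ["A", "D", "E", "B", "C"]
    descriptions = {name: f"rule {name}" for name in before}
    hit = affected_rules(before, after)
    print("blocks that moved as a unit:", moved_blocks(before, after))
    print("rules needing a description touch:", sorted(hit))
    print(touch_descriptions(descriptions, hit))
```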

Fix:
This release includes a fix for this issue that forces changes to all the affected rules when a rule moves. Now all affected rules deployed match in rule-ordering on BIG-IQ and BIG-IP.


699069-2 : To deploy DoS Profiles to BIG-IP versions 13.0.0 and later, Application Security Module must be provisioned on the BIG-IP

Component: BIG-IQ Shared Security

Symptoms:
Deployment of the Network Security configuration to a BIG-IP running version 13.0.0 or later fails if the BIG-IP does not have the Application Security Module (ASM) provisioned and a DoS Profile change exists.

Conditions:
This happens when:
1. A BIG-IP device is running version 13.0.0 or later.
2. The Application Security Module is not provisioned.
3. A DoS Profile change exists in the deployment evaluation.

Impact:
When this happens, you cannot manage DoS Profiles on a BIG-IP from BIG-IQ. All Network Security deployments fail as long as a DoS Profile change is part of the deployment and the outlined conditions are met.

Workaround:
To manage DoS Profiles from BIG-IQ, you must provision the Application Security Module in at least the Minimum provisioning setting. You can do this even if BIG-IP does not have a license for the Application Security Module.

If you can't provision the Application Security Module on the BIG-IP, then you must manage the DoS Profiles directly on BIG-IP and import the new configuration into BIG-IQ. This will allow you to manage all other Network Security device configurations from BIG-IQ.

Fix:
BIG-IQ now checks that the ASM module is provisioned and transforms the HTTP white list as needed.


698616-1 : Upgrades targeting clustered devices (Viprion or vCMP) fail with a timeout error

Solution Article: K40755239

Component: BIG-IQ Device Management

Symptoms:
When using BIG-IQ version 5.4 to upgrade a clustered device (a Viprion chassis or a vCMP guest hosted on a Viprion chassis), the task stalls waiting for the target to reboot, and eventually times out and reports the error "Timeout waiting for device to return from reboot".

Conditions:
This happens for any BIG-IQ version 5.4 upgrade targeting a clustered device, once the upgrade task reaches the reboot phase.

Impact:
The task will not correctly register that the target device has rebooted into the newly installed volume. The task will continue waiting for the target device to reboot until a timeout expires, even though the target device has correctly rebooted. Once the timeout expires, BIG-IQ reports an error.

Workaround:
If you don't need to perform any post-upgrade steps, you can consider the upgrade successful; manually verify that the target device booted properly into the target volume.

Another option is to select the Pause for reboot option for the Software Installation task; when the task pauses, cancel the task and reboot the target device manually.

Fix:
Upgrades targeting Viprions and Viprion-hosted vCMP guests now correctly detect when the target device has rebooted, and proceed without timing out and reporting an error.



Known Issues in BIG-IQ CM v5.4.x


BIG-IQ Configuration - Access Issues

ID Number | Severity | Solution Article(s) | Description
697674 | 3-Major | | Object is not visible after User with a custom Role marks it as a device specific
686162-1 | 3-Major | | OAuth Profile deployment fails with JWK config failed trust verification with trusted CA bundle
634100 | 4-Minor | | Possible user conflict when editing access policies


BIG-IQ Device User Interface Issues

ID Number | Severity | Solution Article(s) | Description
698430-1 | 3-Major | | Attempts to backup over 500 BIG-IP devices fail


BIG-IQ Monitoring - Dashboards & Reports Issues

ID Number | Severity | Solution Article(s) | Description
698670-1 | 3-Major | | Exporting Network Access Connections Dashboard to CSV


BIG-IQ Access Issues

ID Number | Severity | Solution Article(s) | Description
698644 | 3-Major | | Pinning Policy evaluation


BIG-IQ Local Traffic & Management Issues

ID Number | Severity | Solution Article(s) | Description
698569-1 | 3-Major | | Deployment of eviction policy deletion can disconnect BIG-IP HA cluster running version 11.6.x
697847-1 | 3-Major | | Device RMA for Local Traffic can be incomplete if the device has IPFIX or Remote High-Speed Log Destinations
697478-1 | 3-Major | | SSL file operation fails for non-admin user with error "Unable to add file to storage"
688198-1 | 4-Minor | | Log Filter device pinning for referenced Log Publisher


BIG-IQ Device Management Issues

ID Number | Severity | Solution Article(s) | Description
697141 | 3-Major | | Health statistics for managed devices after upgrading to BIG-IQ version 5.4
692135-1 | 4-Minor | | Stats collection agent out of date alert


BIG-IQ Fraud Protection Service (FPS) Issues

ID Number | Severity | Solution Article(s) | Description
688609-1 | 3-Major | | FPS: Changes to web service configuration are populated to data collection devices with some delay


BIG-IQ Network Security Issues

ID Number | Severity | Solution Article(s) | Description
695669-1 | 3-Major | | Deploying from Network Security or Web Application Security removes the virtual server from the BIG-IP if it is deleted from LOCAL TRAFFIC
691239 | 4-Minor | | Failure to discover BIG-IP device with "Failed to decrypt" message


REST Framework and TMOS Platform Issues

ID Number | Severity | Solution Article(s) | Description
693497-1 | 3-Major | | Creating or editing a custom Resource Group with multiple Access (APM) objects selected
693399-1 | 3-Major | | Changes popup does not have a loading indicator
689279-1 | 3-Major | | Removing the last DCD in a cluster
691531 | 4-Minor | | Resource Group form's preview section


BIG-IQ Web Application Security (ASM) Issues

ID Number | Severity | Solution Article(s) | Description
698460-1 | 3-Major | | Editing the session tracking policy sub-collection when an individual login page was selected
697588 | 3-Major | | ASM: deployment for signature configuration changes
694675-1 | 3-Major | | Configuration import for multiple large policies
639347-1 | 3-Major | | Creating or removing a custom signature


Known Issue details for BIG-IQ CM v5.4.x

698670-1 : Exporting Network Access Connections Dashboard to CSV

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
An error message appears when you try to export the Network Access Connections dashboard to CSV.

Conditions:
When you click the Export button on the Network Access Connections Dashboard.

Impact:
Cannot export Network Access Connections Dashboard Data to CSV.


698644 : Pinning Policy evaluation

Component: BIG-IQ Access

Symptoms:
When deploying a pinning policy evaluation, it fails with the following error:
"Evaluation error for Access, Difference operation failed: Object {OBJ_NAME} does not exist in snapshot"

Conditions:
The user has pinned {OBJ_NAME} to the Pinning Policy of the device for which evaluation/deployment failed with the above error.

The user has objects of the same type and with the same name in multiple Access Groups, for example ad_employee present in multiple Access Groups.

Impact:
The user is not able to evaluate and deploy configuration changes to the target device.

Workaround:
The user must revisit the Pinning Policy for the device and make sure {OBJ_NAME} and the other selected objects are from the Access Group to which the device belongs.

The user can use Global Search to find {OBJ_NAME} and look at the Related Items section under the preview for each object in the search result to find out which object is pinned in the Pinning Policy.

The user can also open the Pinning Policy page and make sure the correct {OBJ_NAME} is pinned by removing it and carefully attaching the correct {OBJ_NAME}.


698569-1 : Deployment of eviction policy deletion can disconnect BIG-IP HA cluster running version 11.6.x

Component: BIG-IQ Local Traffic & Management

Symptoms:
Under specific conditions, when you deploy a change to a BIG-IP HA cluster running version 11.6 that deletes both an eviction policy reference and its associated eviction policy, the deployment fails and disconnects the cluster.

Conditions:
This issue occurs only on an 11.6.x HA cluster when the eviction policy reference is part of a virtual server or is the general eviction policy reference. It does not occur when the eviction policy reference is part of a route domain. The issue also does not occur on BIG-IP 12.x (latest hotfix) HA clusters and above.

Impact:
This causes a failed deployment and disconnects the BIG-IP cluster.

Workaround:
Perform a two-step deployment.
First, delete the reference to the eviction policy and create a deployment with "Keep Unused Objects" selected. When you deploy these changes, BIG-IQ removes only the eviction policy reference.

Next, create a second deployment. This time, select "Remove Unused Objects". When you deploy these changes, BIG-IQ removes the eviction policy.

If your HA cluster is in a disconnected state as a result of a one-step deployment with "Remove Unused Objects" selected, you can restore the HA cluster by performing a manual sync on the BIG-IP. The BIG-IP might be offline for a minute or so before the BIG-IP cluster is restored.


698460-1 : Editing the session tracking policy sub-collection when an individual login page was selected

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
You can't edit the session tracking sub-collection when an individual login page is defined. A popup displays a message indicating an unexpected error, illegal reference.

Conditions:
The issue happens only when editing a session tracking configuration that was previously configured with a login page selected (use individual login page). Saving the initial selection of a login page will work as expected.

Impact:
An error is shown on the page and the changes are not saved.

Workaround:
To avoid this error while editing, do the following:
a. Change the 'Application Username' first dropdown to 'None'
b. Save and close (there is a need to navigate out of the page, so 'Save' alone is insufficient).
c. Navigate to the policy session tracking configuration
d. Re-select the login page
e. Make the required changes
f. Save


698430-1 : Attempts to backup over 500 BIG-IP devices fail

Component: BIG-IQ Device User Interface

Symptoms:
A backup task fails with no indication of error in the UI. The restjavad logs have an error similar to:

[WARN][11 Dec 2017 15:31:20 EST][ LogUncaughtExceptionHandler] Uncaught exception on thread 42 com.f5.rest.workers.storage.ShortTransactionRequestProcessor: java.lang.StackOverflowError

Conditions:
This issue occurs when attempting to back up more than 500 BIG-IPs in a single task where the devices are selected individually rather than by a device group.

Impact:
No backups are created.

Workaround:
The issue can be avoided by doing a group backup instead of selecting all the devices individually. Alternatively, the backups can be broken into groups of fewer than 500 BIG-IP devices.


697847-1 : Device RMA for Local Traffic can be incomplete if the device has IPFIX or Remote High-Speed Log Destinations

Component: BIG-IQ Local Traffic & Management

Symptoms:
If you select "Remove Services" (RMA) for a managed device that has the newly added Log Destination objects IPFIX or Remote High-Speed Log, the removal can be incomplete leaving some objects for this device existing in the Local Traffic Configuration.

Conditions:
This only happens if the RMA occurs for a BIG-IP that has IPFIX and/or Remote High-Speed Log Destinations.

Impact:
The RMA process will be incomplete, leaving objects such as Pools and Nodes for the RMAd device still in the Local Traffic configuration.

Workaround:
Prior to RMA, you must manually remove any IPFIX or Remote High-Speed Log objects for this device.

Go to Configuration -> Local Traffic -> Logs -> Log Destinations. One by one, edit each Log Destination of the above two kinds. In the 'Device Specific' section at the bottom of the screen, remove each object for the device to be RMAd.

After this, RMA can proceed as normal with no side-effects.


697674 : Object is not visible after User with a custom Role marks it as a device specific

Component: BIG-IQ Configuration - Access

Symptoms:
If a user is associated with a custom Role configured in strict mode, the user cannot see a shared object after marking it as device specific.

Conditions:
This can happen when a custom Role is in strict mode and associated with a Resource Group that has access to only specific objects instead of the "Any Instance" option.

Impact:
User will not be able to see an object which is marked as device specific.

Workaround:
When you create a Custom Role in Strict mode, select the "Any Instance" option when you specify a Source for the associated Custom Resource Group if you are giving Special permission "Mark Shared" in associated Custom Role Type.


697588 : ASM: deployment for signature configuration changes

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Deployment for signature configuration changes sometimes fails with the message: "Could not set active".

Conditions:
The issue might happen when changes are deployed to user-defined signatures configuration and the BIG-IP does not have a fix for bug 608988.

Impact:
Deployment failure.

Workaround:
Redeploying the change usually succeeds.


697478-1 : SSL file operation fails for non-admin user with error "Unable to add file to storage"

Component: BIG-IQ Local Traffic & Management

Symptoms:
When creating or importing SSL certificates, keys, and CRLs, or renewing SSL certificates, the error "Unable to add file to storage" may be seen. The BIG-IQ log file /var/log/restjavad.0.log will show a message like this:

[WARN][07 Dec 2017 11:52:53 PST][/cm/adc-core/tasks/certificate-management/c035275b-8680-4206-b43b-d9deba70e89f/worker CertMgmtTaskWorker] A file failed to be saved to storage! java.lang.IllegalStateException: failed patching LFOState: com.mongodb.MongoWriteException: Lock not granted. Try restarting the transaction.

Conditions:
This error can occur the first time a user performs an operation that involves adding an SSL file (certificate, key, or CRL) to BIG-IQ's storage after services on the BIG-IQ have been restarted.

Impact:
Users must retry the first SSL file operation after services are restarted on BIG-IQ or the BIG-IQ is rebooted.

Workaround:
Retry the operation. The second and subsequent attempts should succeed.


697141 : Health statistics for managed devices after upgrading to BIG-IQ version 5.4

Component: BIG-IQ Device Management

Symptoms:
For about 24 hours after upgrading to BIG-IQ version 5.4, framework and license health statistics might change from healthy to unhealthy for your managed BIG-IP devices.

Conditions:
Upgrading a BIG-IQ managing one or more BIG-IPs to 5.4.0.

Impact:
Minimal. If BIG-IQ is upgraded from 5.0 or 5.1, the BIG-IP framework cannot be upgraded during the window of time in which BIG-IQ shows the BIG-IP framework as healthy.

Workaround:
The issue will self-resolve within 24 hours after the upgrade.


695669-1 : Deploying from Network Security or Web Application Security removes the virtual server from the BIG-IP if it is deleted from LOCAL TRAFFIC

Component: BIG-IQ Network Security

Symptoms:
When a virtual server is deleted from Local Traffic on the BIG-IQ, deploying from Network Security or Web Application Security will remove the virtual server from the BIG-IP.

Conditions:
When a virtual server is deleted from Local Traffic on the BIG-IQ but the change is not yet deployed to the BIG-IP.

Impact:
The virtual server on the BIG-IP is removed, even though the deployment was started from Network Security or Web Application Security rather than from Local Traffic. This may surprise some users.


694675-1 : Configuration import for multiple large policies

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Configuration import failure can occur when multiple large policies are imported for the same device. An error of "Unable to post difference sub-collection results; too many differences" will be displayed in the UI.

Conditions:
The issue may occur when multiple large policies are imported. If the overall object count in the policies for the imported device exceeds 200,000, the issue might occur.

Impact:
Failure to import configuration for the selected device.

Workaround:
To work around this issue, first export some of the large policies from the BIG-IP and import them into the BIG-IQ system as XML files before doing the device configuration import.


693497-1 : Creating or editing a custom Resource Group with multiple Access (APM) objects selected

Component: REST Framework and TMOS Platform

Symptoms:
If you select multiple Access (APM) objects while creating or editing a custom Resource Group, BIG-IQ displays a "No related items found" message.

Conditions:
This happens when you are creating or editing a custom Resource Group and select multiple Access (APM) objects.

Impact:
Selecting multiple Objects for an Access (APM) Resource Group might result in missing permissions for Users associated with the custom role for that Resource Group.

Workaround:
To work around this issue, select only one Access (APM) object at a time.


693399-1 : Changes popup does not have a loading indicator

Component: REST Framework and TMOS Platform

Symptoms:
The changes popup dialog does not have a loading indicator.

Conditions:
In some cases the differences can take a few seconds to appear in the dialog, for example, when viewing Web Application Signature changes in the Audit Log.

Impact:
You might assume that no difference exists before the diff loads.

Workaround:
Wait for a few seconds for a diff to appear.


692135-1 : Stats collection agent out of date alert

Component: BIG-IQ Device Management

Symptoms:
Upgrading to the latest version of BIG-IQ can mistakenly trigger the "Stats collection agent out of date" alert.

Conditions:
Upgrade to the latest version of BIG-IQ.

Impact:
Cosmetic.

Workaround:
Rediscover the BIG-IP device to clear the alert.


691531 : Resource Group form's preview section

Component: REST Framework and TMOS Platform

Symptoms:
On the Resource Group form, the lower section of the page shows a grid featuring objects which can be added to the resource group. The lower right section shows a preview of objects selected in the lower left portion. If you select one or more items, then deselect them, you might see outdated preview content in the lower right portion of the page.

Conditions:
When you select and deselect resource group objects.

Impact:
You might see outdated preview content.


691239 : Failure to discover BIG-IP device with "Failed to decrypt" message

Component: BIG-IQ Network Security

Symptoms:
BIG-IQ fails to discover a BIG-IP device with one of the following error messages:

"Failed to decrypt silverline password.."
"Failed to decrypt ssh profile auth info private key.."
"Failed to decrypt feed password.."

Conditions:
When iControl REST on the BIG-IP fails to decrypt the password or private key from the MCP database, the BIG-IP passes the still-encrypted password/private key to BIG-IQ during discovery. BIG-IQ cannot decrypt it, so discovery fails.

Impact:
BIG-IQ fails to discover BIG-IP systems with the specified error message.

Workaround:
In the BIG-IP tmsh shell, issue the following command:
restart sys service restjavad

Once the restart is complete, rediscover the BIG-IP device.


689279-1 : Removing the last DCD in a cluster

Component: REST Framework and TMOS Platform

Symptoms:
When you remove the last DCD in a cluster, the cluster health displays as RED and alerts/stats/events ingestion is NOT happening.

Conditions:
Last DCD in the cluster was removed.

Impact:
alerts/stats/events ingestion is NOT happening.

Workaround:
After removing the last DCD, if you want to start from a clean slate, run the reset-data-collection-cluster script.


688609-1 : FPS: Changes to web service configuration are propagated to data collection devices with some delay

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
After a change to the FPS web service configuration, the change is propagated to the data collection devices only after a delay.

Impact:
There is a delay of up to 5 minutes before the changes take effect.

Workaround:
Wait up to 5 minutes for the changes to take effect.


688198-1 : Log Filter device pinning for referenced Log Publisher

Component: BIG-IQ Local Traffic & Management

Symptoms:
In ADC configuration, both Log Filters and Log Publishers need to be pinned to any device(s) that they are to be deployed to. This is because there are no device-specific objects that refer to these shared objects.

In most cases, BIG-IQ will automatically keep device pinning in-sync between Log Filters and any Log Publishers that they reference.

However, in the case of Log Filters being pinned to a new device, the corresponding Log Publisher (if the Filter, in fact, references a Log Publisher) will not be automatically pinned to the same device.

Conditions:
This happens for any Log Filter that is pinned to a new device.

Impact:
Unless the user also pins the corresponding Log Publisher to the device, the deployment will fail.

Workaround:
You must pin both the Log Filter as well as the referenced Log Publisher to all device(s).


686162-1 : OAuth Profile deployment fails with JWK config failed trust verification with trusted CA bundle

Component: BIG-IQ Configuration - Access

Symptoms:
For an OAuth Profile with Support JWT Token enabled, BIG-IP verifies that the primary key (the JWK configuration) is trusted by the configured Trusted Certificate Authorities. BIG-IQ does not perform this trust verification, so if a primary key and Trusted CA bundle that do not match are configured, the error is detected only when the configuration is deployed, and the deployment fails.

Conditions:
When a primary key and Trusted CA bundle that do not match each other are selected for the OAuth Profile.

Impact:
Because BIG-IQ does not verify the primary key against the Trusted Certificate Authority Bundle in the OAuth Profile (when Support JWT Token is enabled), the mismatch is not reported at configuration time, and the deployment fails.

Workaround:
Configure the matching Trusted Certificate Authority Bundle for the chosen Primary Key in order for the deployment to succeed.


639347-1 : Creating or removing a custom signature

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Intermittently, after creating or removing a custom signature, you might have to refresh your browser for the change to display.

Conditions:
After creating or removing a custom signature.

Impact:
The change does not appear in the UI until you refresh the browser.

Workaround:
If you have waited more than 10 seconds and have not yet seen the changes take effect, manually refresh your browser.


634100 : Possible user conflict when editing access policies

Component: BIG-IQ Configuration - Access

Symptoms:
If multiple users open the same policy while it has no pending changes, some changes made by one user are not made known to the other users.

Conditions:
Only when the changes are to policy endings, macro properties, or macro terminals.

Impact:
Changes made to policy endings, macro properties, or macro terminals are not seen by the other users until they refresh the browser.

Workaround:
If a user wants to make a change to policy endings, macro properties, or macro terminals, they can indicate that the policy is being modified by temporarily changing something in the diagram. This will cause changes from other users to be blocked.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Mon Feb 26 09:49:54 2018 PST
Copyright F5 Networks (2018) - All Rights Reserved