Lỗi could not create ios router couldnt connect to hypervisor năm 2024
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Show Can't create a Hyper-V virtual switch on 64-bit versions of Windows 10
In this articleThis article solves an error message when you try to re-create a Hyper-V virtual switch (vSwitch) for the same physical adapter. Applies to: Windows 10 - all editions Original KB number: 3101106 SymptomsAfter you delete a vSwitch on a computer that has been upgraded to Windows 10, you can't re-create the vSwitch for the same physical adapter. When this problem occurs, you receive the following error message: Virtual Switch Manager Error applying Virtual Switch Properties changes Failed while adding virtual Ethernet switch connections. It indicates that the vSwitch still exists, even though it's no longer listed in the Hyper-V Virtual Switch Manager. CauseThis problem occurs because a new network setup functionality introduced in Windows 10 doesn't completely delete all objects from the previous vSwitch installation. This problem is scheduled to be fixed in the next Windows 10 update. ResolutionTo fix this problem automatically, select the following Download link. In the File Download dialog box, select Run or Open, and then follow the steps in the Easy fix wizard. ID Number CVE Solution Article(s) Description CVE-2019-11811 K01512680 CVE-2019-11811 kernel: use-after-free in drivers ID Number Severity Solution Article(s) Description 3-Major GTP v1 APN is not decoded/encoded properly ID Number Severity Solution Article(s) Description 2-Critical Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades 3-Major Invalid SessionDB messages are sent to Standby 3-Major Configsync.copyonswitch variable is not functioning on reboot 3-Major Loading config file with imish removes the last character Local Traffic Manager Fixes ID Number Severity Solution Article(s) Description 1-Blocking HSM hardening 2-Critical After upgrade, the copied SSL vhf/vht profile prevents traffic from passing★2-Critical BIG-IP D120 platform reports page allocation failures in N3FIPS driver 3-Major SNAT iRule is not working with HTTP/2 and HTTP Router profiles 4-Minor A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed Global Traffic Manager (DNS) Fixes ID Number Severity Solution Article(s) Description 1-Blocking Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★3-Major GTM daemon leaks memory when reading GTM link objects Application Security Manager Fixes ID Number Severity Solution Article(s) Description 2-Critical ASM attack signature may not match as expected 2-Critical ASM hardening 2-Critical ASM Load hangs after upgrade★3-Major Cannot create child policy when the signature staging setting is not equal in template and parent policy 3-Major Reset cause: "Internal error ( requested abort (payload release error))" 3-Major Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 3-Major Hardening of Live-Update 3-Major Live Update does not work properly after upgrade★3-Major Live Update default factory file for Server Technologies cannot be reinstalled 3-Major Add option to skip percent characters during normalization 3-Major Requests are missing on traffic event logging 3-Major Fixing issue with input normalization 4-Minor BD sometimes encounters errors related to TS cookie building Application Visibility and Reporting Fixes ID Number Severity Solution Article(s) Description 3-Major Fail to detach HTTP profile from virtual server 3-Major Avrd core when avrd process is stopped or restarted 3-Major A core file is generated upon avrd process restart or stop Access Policy Manager Fixes ID Number Severity Solution Article(s) Description 3-Major SWG as a Service license improvements 3-Major Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator ID Number Severity Solution Article(s) Description 2-Critical TMM SIGSEGV core in Message Routing Framework 2-Critical Tmm may crash with SIP-ALG deployment in a particular race condition 2-Critical SIP message routing may cause tmm crash 3-Major SIP messages with unbalanced escaped quotes in headers are dropped 3-Major GTP log message contains no useful information 3-Major In very rare condition, BIG-IP may crash when SIP ALG is deployed 4-Minor GTP::ie count does not work with -message option 4-Minor 'GTP::header extension count' iRule command returns 0 Advanced Firewall Manager Fixes ID Number Severity Solution Article(s) Description 3-Major Protocol Any displayed as HOPTOPT in AFM policy view 3-Major VLAN/Tunnels not listed when creating a new rule via GUI Protocol Inspection Fixes ID Number Severity Solution Article(s) Description 3-Major Firewall Manager user role is not allowed to configure/view protocol inspection profiles Guided Configuration Fixes ID Number Severity Solution Article(s) Description 3-Major Hardening of iApps processing Cumulative fix details for BIG-IP v16.1.1 that are included in this release996381-1 : ASM attack signature may not match as expectedComponent: Application Security Manager Symptoms: When processing traffic with ASM, attack signature 200000128 may not match as expected. Conditions: - Attack signature 200000128 enabled. Impact: Processed traffic may not match all expected attack signatures Workaround: N/A Fix: Attack signature 200000128 now matches as expected. 996113-2 : SIP messages with unbalanced escaped quotes in headers are droppedComponent: Service Provider Symptoms: Dropped SIP messages. Conditions: -- MRF SIP virtual server -- SIP Header Field has an escaped quote Impact: Certain SIP messages are not being passed via MRF. Workaround: None 995405-1 : After upgrade, the copied SSL vhf/vht profile prevents traffic from passing★Component: Local Traffic Manager Symptoms: After an RPM upgrade, SSL Orchestrator traffic does not pass Conditions: Upgrading SSL Orchestrator via RPM Impact: Traffic will not pass. Workaround: Bigstart restart tmm Fix: Fixed an issue that was preventing from passing after an RPM upgrade. 993913-4 : TMM SIGSEGV core in Message Routing FrameworkComponent: Service Provider Symptoms: TMM crashes on SIGSEGV. Conditions: This can occur while passing traffic through the message routing framework. Impact: Traffic disrupted while tmm restarts. Workaround: None 993489-1 : GTM daemon leaks memory when reading GTM link objectsComponent: Global Traffic Manager (DNS) Symptoms: The gtmd process memory consumption is higher than expected. Conditions: DNS is provisioned and a provisioned GTM link object has been loaded. Impact: Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations. Workaround: None 992213-3 : Protocol Any displayed as HOPTOPT in AFM policy viewComponent: Advanced Firewall Manager Symptoms: The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI. Conditions: -- Create a rule and set protocol as 'any'. -- Navigate to active rules. Impact: GUI shows an incorrect value. Workaround: None Fix: GUI Shows correct value for rule protocol option. 986937-3 : Cannot create child policy when the signature staging setting is not equal in template and parent policyComponent: Application Security Manager Symptoms: When trying to create a child policy, you get an error: FAILURE: "Could not update the Policy policy1. Inherited values may not be changed." Conditions: -- Parent policy created with signature staging disabled. -- Creating a new child policy with that policy as a parent. Impact: You are unable to create the child policy and the system presents an error. Workaround: Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page. Fix: The error no longer occurs on child policy creation. 981069-3 : Reset cause: "Internal error ( requested abort (payload release error))"Component: Application Security Manager Symptoms: An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))" Conditions: When all the following conditions are met: - The system was upgraded to a version where ID910253 is fixed - TS cookie coming from a previous version - data guard in non blocking (masking) - response that is not zipped and has a textual content type Impact: Traffic is affected. Workaround: Any of the following actions can resolve the issue: 1. Turn off data guard or change it to blocking. 2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule). 3. Add an additional response related feature. 4. Use the following iRule in case there aren't cookie related enforcement: when HTTP_REQUEST { set cookies [HTTP::cookie names] foreach aCookie $cookies { if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} { HTTP::cookie remove $aCookie } } } Fix: Fixed an issue that was triggering resets on traffic. 980617-1 : SNAT iRule is not working with HTTP/2 and HTTP Router profilesComponent: Local Traffic Manager Symptoms: On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed. Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool Impact: Unable to use snatpool (and possibly snat) in iRule to control the server-side source address. Workaround: Configure SNAT under the virtual server configuration, rather than in an iRule. 974241-3 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple bladesComponent: TMOS Symptoms: Mcpd exists with error similar to: 01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard' Conditions: 1. VIPRION or vCMP guest with multiple blades in a cluster 2. Create a access policy with modern customization enabled Impact: Mcpd restarts leading to failover. Workaround: Use standard customization and not modern customization. 970329-1 : ASM hardeningComponent: Application Security Manager Symptoms: Under certain conditions, ASM does not follow current best practices. Conditions: - ASM provisioned Impact: Attack detection is not triggered as expected Workaround: N/A Fix: Attack detection is now triggered as expected 965229-5 : ASM Load hangs after upgrade★Component: Application Security Manager Symptoms: ASM upgrade hangs, and you see the following in var/log/ts/asm_start.log: ----- asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603) ... END OF FILE ... ----- In /var/log/asm:
-----
2020-11-15T06:01:23+00:00 localhost notice boot_marker : -===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 Conditions: -- ASM provisioned -- 600 or more security policies -- Performing an upgrade Impact: ASM post upgrade config load hangs and there are no logs or errors Workaround: None 962589-4 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestionComponent: Application Security Manager Symptoms: When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur. This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition Conditions:
Impact: ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession. A full /var partition can lead to bd cores. 954425-4 : Hardening of Live-UpdateComponent: Application Security Manager Symptoms: Under certain conditions, the Live-Update process does not follow current best practices. Conditions: - Live-Update in use - Specially-crafted update files Impact: The Live-Update process does not follow current best practices. Workaround: N/A Fix: The Live-Update process now follows current best practices. 951133-4 : Live Update does not work properly after upgrade★Component: Application Security Manager Symptoms: After upgrading BIG-IP version the Live Update "Check for Update" button does not respond. Conditions: Upgrading from a version that did not have Live Update to a new version which includes Live Update Impact: Live Update can't query for new updates. Workaround: Restart tomcat process: \> bigstart restart tomcat 941625-3 : BD sometimes encounters errors related to TS cookie buildingComponent: Application Security Manager Symptoms: BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id: -- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040. -- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie. Conditions: -- Cookie protection is enabled. -- The BIG-IP software is upgraded from a version that was earlier than 15.1.x. Impact: The cookie is not built and an error is logged. Workaround: None. 924945-5 : Fail to detach HTTP profile from virtual serverComponent: Application Visibility and Reporting Symptoms: The virtual server might stay attached to the initial HTTP profile. Conditions: Attaching new HTTP profiles or just detaching an existing one. Impact: The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF. Workaround: Create new similar virtual server and attach it to the correct HTTP profile. 920149-3 : Live Update default factory file for Server Technologies cannot be reinstalledComponent: Application Security Manager Symptoms: Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file. Conditions: This occurs: -- Once another update file for Server Technologies has been installed (most likely, a newer file). -- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release. Impact: Live Update default factory file for Server Technologies cannot be reinstalled. Workaround: None. 919301-1 : GTP::ie count does not work with -message optionComponent: Service Provider Symptoms: The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error: wrong # args: should be "-type Conditions: Issue the 'GTP::ie count' command with -message command, for example: GTP::ie count -message $m -type apn Impact: iRules fails and it could cause connection abort. Workaround: Swap order of argument by moving -message to the end, for example: GTP::ie count -type apn -message $m There is a warning message due to iRules validation, but the command works in runtime. Fix: 'GTP::ie' count is now working with -message option. 913413-1 : 'GTP::header extension count' iRule command returns 0Component: Service Provider Symptoms: The 'GTP::header extension count' iRule command always returns 0 (zero). Conditions: This is encountered when using 'GTP::header extension count' in an iRule. Impact: The command returns false information. Workaround: None Fix: 'GTP::header extension count' command now returns number of header extension correctly. 913085-6 : Avrd core when avrd process is stopped or restartedComponent: Application Visibility and Reporting Symptoms: When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory. Conditions: A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data. Impact: Avrd cores while exiting. There is no impact on BIG-IP system functionality. Workaround: None. Fix: Avrd no longer cores when avrd process is stopped or restarted. 912945-3 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signedComponent: Local Traffic Manager Symptoms: In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello. Conditions: -- A virtual server with multiple client SSL profiles. -- The SNI of,,lientHello does not match the 'server name' of any profile. -- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello. -- That profile in is not selected. Impact: The incorrect client SSL profile is selected. Workaround: Configure the 'Server Name' option in the client SSL profile. Fix: Fixed an issue with client SSL profile selection. 911141-1 : GTP v1 APN is not decoded/encoded properlyComponent: Service Provider Symptoms: GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding. Conditions: - GTP version 1. - APN element. Impact: iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data. Workaround: Use iRules to convert between octetstring and dotted style domain name values. Fix: GTP version 1 APN information element is now decoded/encoded as DNS encoding. Behavior Change: GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring. 909161-1 : A core file is generated upon avrd process restart or stopComponent: Application Visibility and Reporting Symptoms: Sometime when avrd process is stopped or restarted, a core is generated. Conditions: Avrd process is stopped or restarted. Impact: Avrd creates a core file but there is no other negative impact to the system. Workaround: None 888289-8 : Add option to skip percent characters during normalizationComponent: Application Security Manager Symptoms: An attack signature is not detected. Conditions: -- The payload is filled with the percent character in between every other character. -- The bad unescape violation is turned off. -- The illegal metacharacter violation is turned off. Impact: An attack goes undetected. Workaround: Turn on the bad unescape violation or the metacharacter violation. Fix: Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters). 887117-4 : Invalid SessionDB messages are sent to StandbyComponent: TMOS Symptoms: SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm: SessionDB ERROR: received invalid or corrupt HA message; dropped message. Conditions: -- High availability (HA) pair configuration. -- SessionDB messages sent from Active to Standby. Impact: Standby drops these messages Workaround: None. 805821-1 : GTP log message contains no useful informationComponent: Service Provider Symptoms: GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting. Conditions: GTP profile or iRules fails to process message Impact: User lacks of information for troubleshooting Workaround: N/A Fix: GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure. 797797-7 : CVE-2019-11811 kernel: use-after-free in driversSolution Article: K01512680 1040677 : BIG-IP D120 platform reports page allocation failures in N3FIPS driverComponent: Local Traffic Manager Symptoms: Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example: swapper/6: page allocation failure: order:2, mode:0x204020 After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line. Conditions: This issue is known to occur on the appliance D120 (iSeries i15820-DF). Impact: As different processes can experience this issue, and the system may behave unpredictably. Software installation may fail. Workaround: You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves. It is recommend to increase this to 128 MB (131072 KB). When instantiating this workaround, consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one. -- If you want the workaround to survive reboots only, perform the following procedure:
# clsh "sysctl -w vm.min_free_kbytes=131072" # clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf" # clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf" -- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
# clsh "sysctl -w vm.min_free_kbytes=131072" # echo -e '\n# Workaround for ID851785' >> /config/startup # echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades. Once the issue is fixed in a future BIG-IP version, remove the workarounds: -- To remove the first workaround:
-- To remove the second workaround:
To verify the workaround is in place, run the following command (this should return the desired amount in KB): # clsh "cat /proc/sys/vm/min_free_kbytes" Fix: The BIG-IP system no longer experiences excessive kernel page allocation failures. 1039069-1 : Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★Component: Global Traffic Manager (DNS) Symptoms: For more information on the specific issues fixed, please refer to: https://cdn.f5.com/product/bugtracker/ID1010697.html https://cdn.f5.com/product/bugtracker/ID1037005.html https://cdn.f5.com/product/bugtracker/ID1038921.html Please note the only versions 15.1.3.1 and 16.1.0 are affected. Conditions: -- Running BIG-IP version 15.1.3.1 or 16.1.0 -- RESOLV::lookup iRule is used Impact: Multiple issues can occur with the RESOLV::lookup command, such as DNS resolutions failing or incorrect DNS responses being received. Workaround: None Fix: - 1024101-1 : SWG as a Service license improvementsComponent: Access Policy Manager Symptoms: SWG sessions maxed out and the SWG license is not released until the APM session is ended. Conditions: SWG and APM are in use. Impact: SWG sessions are tied to APM sessions and can reach the limit and not be recycled even if the APM session is not actively using SWG. Workaround: None Fix: Fixed an issue with SWG session tracking. 1023341-1 : HSM hardeningComponent: Local Traffic Manager Symptoms: Under certain conditions, HSM interactions do not follow current best practices. Conditions: - HSM in use Impact: Certain HSM interactions do not follow current best practices. Workaround: N/A Fix: HSM interactions now follow current best practices. 1022625-2 : Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL OrchestratorComponent: Access Policy Manager Symptoms: When creating a new service, certain default access profiles are not automatically selected. Conditions: 1. SSL Orchestrator + APM + SWG provisioned 2. Select 'create-new' for access profile drop-down when adding a SwgAsService in SSL Orchestrator A new tab opens with the profile creation page, but the access profile type drop-down does not have any type selected. Impact: When adding a SwgAsService in SSL Orchestrator, the only supported access profile type is SWG-Transparent, hence it should be automatically selected. Workaround: None Fix: Fixed an issue with automatic profile selection. 1019829-2 : Configsync.copyonswitch variable is not functioning on rebootComponent: TMOS Symptoms: Configsync.copyonswitch variable is not functioning properly during reboot to another partition Conditions: -- db variable configsync.copyonswitch modified -- hostname is changed in global-settings -- reboot to another partition Impact: The hostname will be changed back to the default hostname after reboot 1018309-5 : Loading config file with imish removes the last characterComponent: TMOS Symptoms:
While loading a configuration from the file with IMISH ('imish -f printf 'log file /var/log/zebos.log1' >/shared/tmp/new.cfg Running imish -r 0 -f /shared/tmp/new.cfg have the last character missing like below: log file /var/log/zebos.log Conditions:
Loading a config with 'imish -f Note: This command is used with the bigip_imish_config Ansible module. Impact: Configuration commands cannot be created properly. Workaround: For CLI, use extra control char at the end or \n. 1018145 : Firewall Manager user role is not allowed to configure/view protocol inspection profilesComponent: Protocol Inspection Symptoms: A user account with the "firewall-manager" role that is assigned permissions only to custom partitions will not be able to configure protocol inspection profiles. Conditions: -- A user account is created with the role firewall-manager. -- A custom partition is created. -- The newly created user is given access to the newly created partition. Impact: Any user account without access to "/Common" partition is not allowed to configure protocol inspection profiles. Workaround: - If the user account is provided access to "/Common" partition as well, the user should be able to configure protocol-inspection profiles in the newly created custom partitions. Fix: The permissions are granted for any non-admin user to configure protocol inspection profiles in a custom partition as long as they have access to "/Common" partition as well. 1013569-1 : Hardening of iApps processingComponent: Guided Configuration Symptoms: Under certain conditions, iApps do not follow current best practices. Conditions: - iApps in use Impact: iApps do not follow current best practices. Workaround: N/A Fix: iApps now follow current best practices. 1012721-4 : Tmm may crash with SIP-ALG deployment in a particular race conditionComponent: Service Provider Symptoms: Tmm crashes in SIP-ALG deployment Conditions: - SIP-ALG is deployed - While processing first SIP REGISTER at server-side Impact: Traffic disrupted while tmm restarts. Workaround: None Fix: Tmm no longer crashes in this race condition 1008561-4 : In very rare condition, BIG-IP may crash when SIP ALG is deployedComponent: Service Provider Symptoms: Under certain conditions, BIG-IP may crashes while processing SIP ALG traffic Conditions: - SIP ALG is deployed - Inbound call received Impact: TMM crash leading to a failover event. Traffic is interrupted during BIG-IP restart Workaround: N/A Fix: BIG-IP now processes SIP ALG traffic as expected 1007821-3 : SIP message routing may cause tmm crashComponent: Service Provider Symptoms: In very rare circumstances, tmm may core while performing SIP message routing. Conditions: This can occur while passing traffic when SIP message routing is enabled. Impact: Traffic disrupted while tmm restarts. Workaround: None Fix: SIP message routing no longer results in a core due to internal memory errors in message parsing. 1005105-3 : Requests are missing on traffic event loggingComponent: Application Security Manager Symptoms: Some traffic requests are missing in Security :: Event Logs. Conditions: -- Local logging enabled -- Two or more virtual servers passing heavy traffic Impact: High CPU load prevents the Policy Builder from analyzing and sending all traffic requests to the request log. Workaround: None Fix: The Policy Builder now attempts to send traffic requests to the request log, even when learning analysis is limited due to high CPU load. 1000741-1 : Fixing issue with input normalizationComponent: Application Security Manager Symptoms: Under certain conditions, ASM does not follow current best practices. Conditions: - ASM provisioned Impact: Attack detection is not triggered as expected Workaround: N/A Fix: Attack detection is now triggered as expected 1000405-1 : VLAN/Tunnels not listed when creating a new rule via GUIComponent: Advanced Firewall Manager Symptoms: Available tunnels are not displayed on the AFM rules-creation page in the GUI. Conditions: -- Navigate to the firewall network rules creation page in the GUI. -- In the rules source section, under the VLAN/Tunnel dropdown, select the 'specify' option. Impact: Available tunnels do not display in the select box. Cannot specify tunnels for firewall rules from the GUI. Workaround: Use tmsh to specify tunnels for firewall rules. Fix: The available tunnels now display in the VLAN/Tunnels dropdown. Known Issues in BIG-IP v16.1.x TMOS IssuesID Number Severity Solution Article(s) Description 1-Blocking Rebooting a blade causes MCPd to core as it rejoins the cluster 1-Blocking Booting into a newly installed hotfix volume may stall on RAID-capable platforms★1-Blocking K19272127 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' 1-Blocking Installing EHF on particular platforms fails with error "RPM transaction failure" 2-Critical K34172543 Error log: Failed to reset strict operations; disconnecting from mcpd★2-Critical Unable to create APM policies in a sync-only folder★2-Critical Incorrect hostname is seen in logging files 2-Critical Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway. 2-Critical Acceleration section of virtual server page not available in DHD 2-Critical Traffic may be affected after tmm is aborted and restarted 2-Critical Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 2-Critical During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks 2-Critical Qkview generation from Configuration Utility fails 2-Critical Tmm core on GCP 2-Critical Mcpd crash when bulk deleting Bot Defense profiles 2-Critical Not able to add more than 6 NICs on VE running in Azure 2-Critical Tomcat restarts with error java.lang.OutOfMemoryError 2-Critical IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm 2-Critical TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' 2-Critical Wrong FDB table entries with same MAC and wrong VLAN combination 2-Critical SSL Orchestrator config sync issues between HA-pair devices 2-Critical Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log 2-Critical Tmm crash 2-Critical Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. 2-Critical In rare occurrences related to PostgreSQL monitor, the mcpd process restarts 2-Critical BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type 2-Critical BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' 2-Critical Client-SSL Object's description can be updated using CLI and with REST PATCH operation 2-Critical Handle x520 PF DOWN/UP sequence automatically by VE 2-Critical K30588577 min-up-members and using gateway-failsafe-device on the same pool. 2-Critical Sorting pool members by 'Member' causes 'General database error' 2-Critical K06520200 'No access' error page displays for APM policy export and apply options 2-Critical Correctable machine check errors [mce] should be suppressed 2-Critical Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain 2-Critical Configsync syncs the node's monitor status 2-Critical After reboot of standby and terminating peer, some IPsec traffic-selectors are still online 2-Critical IPsec traffic selector state may show incorrect state on high availability (HA) standby device 2-Critical Changes to an admin user's account properties may result in MCPD crash and failover 2-Critical Forcing a file system check on the next system reboot does not check all filesystems. 2-Critical Security->Policies in Virtual Server web page spins mcpd 100%, which later cores 2-Critical Config sync fails after provisioning APM or changing BIG-IP license 2-Critical Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check 2-Critical During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 2-Critical BIG-IP tenants on VELOS cannot install EHFs 3-Major After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 3-Major IPsec IKEv1 tunnels fail after a config sync from Standby to Active 3-Major Mcpd consumes excessive CPU while collecting stats. 3-Major Log hostname should be consistent when it contains ' . ' 3-Major Accessing pool members from configuration utility is slow with large config 3-Major TMM CPU imbalance with GRE/TB and GRE/MPLS traffic 3-Major Round-robin Disaggregator for hardware and software 3-Major After UCS restore on HA pair, one of the devices is missing folder /var/config/rest/iapps/f5-iappslx-ssl-orchestrator 3-Major AVR Inspection Dashboard 'Last Month' does not show all data points 3-Major PVA accelerated traffic does not update route domain stats 3-Major Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. 3-Major Inconsistency in tmsh 'object mode' for some configurations 3-Major Updatecheck script hangs/Multiple updatecheck processes 3-Major The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 3-Major The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. 3-Major The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI 3-Major Cannot specify IPv6 management IP addresses using GUI 3-Major Pva_stats for server side connections do not update for redirected flows 3-Major SecureVault on BIG-IP tenant does not store unit key securely 3-Major Software install on vCMP guest via block-device may fail with error 'reason unknown' 3-Major Alarm LED remains active on Secondary blades even after LCD alerts are cleared 3-Major IP Reputation option not shown in GUI. 3-Major Neurond enters a restart loop after FPGA update. 3-Major Show running config interface CLI could not fetch the interface info and crashes the imi 3-Major Improve apm logging when loading sys config fails due to corruption of epsec rpm database 3-Major Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node 3-Major Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. 3-Major Net-snmp5.8 crash 3-Major Fix for ID871561 might not work as expected on the VCMP host 3-Major Unable to create additional login tokens for the default admin user account 3-Major In the GUI, searching for virtual server addresses does not match address lists 3-Major Unable to set a port list in the GUI for an IPv6 address for a virtual server 3-Major Pfmand crash during bootup 3-Major iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg' 3-Major Syncookie HW mode not cleared when modifying VLAN config. 3-Major LDAP remote authentication fails when empty attribute is returned 3-Major File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU 3-Major Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★3-Major iSeries LCD changes to secure mode after multiple reboots 3-Major DAG redirects packets to non-existent tmm 3-Major BWC: flows might stall when using dynamic BWC policy 3-Major Error logged installing Engineering Hotfix: Argument isn't numeric★3-Major Local password policy not enforced when auth source is set to a remote type. 3-Major Sod restarts continuously 3-Major Ltm policy MCP objects are not being synced over to the peer device 3-Major Tunnels using autolasthop might drop traffic with ICMP route unreachable 3-Major LDAP referrals not supported for 'cert-ldap system-auth'★3-Major Tcpdump is failing on tmm 0.x interfaces 3-Major inaccurate number of trunk members reported by bcm56xxd/bcmLINK 3-Major imish command hangs when ospfd is enabled 3-Major Racoon daemon may crash once at startup 3-Major Non-admin users cannot run show running-config or list sys 3-Major Password memory not effective even when password policy is configured 3-Major Memory leak in BWC::Measure 3-Major FailoverState device status and CM device status do not match shortly after triggering failover 3-Major Guestagentd core 3-Major Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. 3-Major BIG-IP VE Migration feature fails for 1NIC 3-Major The vCMP CPU usage stats are incorrect 3-Major Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★3-Major Intermittent auth failures with remote LDAP auth for BIG-IP managment 3-Major Update oprofile tools for compatibility with current architecture 3-Major LDAP remote authentication for REST API calls may fail during authorization 3-Major LCD touch panel reports "Firmware update in progress" indefinitely★3-Major Systemd not deleting user journals 3-Major Mcpd fails to start for single NIC VE devices configured in a trust domain 3-Major BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver 3-Major Command 'tmsh save /sys config' fails to save the configuration and hangs 3-Major Multicast route entries are not populating to tmm after failover 3-Major TMM crash after sessiondb ref_cnt overflow 3-Major Loading UCS file for the first time not updating MCP DB 3-Major REST API to /mgmt/tm/ltm/pool/members/stats will fail for some pools 3-Major LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots 3-Major SNMP response times may be long when processing requests 3-Major Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★3-Major TMSH allows creation of duplicate community strings for SNMP v1/v2 access 3-Major Previously deleted user account might get authenticated 3-Major High number of vcmp guests on clusters and discovery appliances may result in retries for guest deployment 3-Major Continual mcpd process restarts after removing big logs when /var/log is full 3-Major Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. 3-Major ZebOS might miss kernel routes after mcpd deamon restart 3-Major -s option in qkview help does not indicate maximum size 3-Major Bash shell still accessible for admin even if disabled 3-Major In a device group, a non-empty partition can be deleted by a peer device during a config sync 3-Major Updatecheck logs bogus 'Update Server unavailable' on every run 3-Major iHealth upload error does not clear 3-Major Failure when using transactions to create and publish policies 3-Major System posts error message: 01010054:3: tmrouted connection closed 3-Major 'Unlicensed objects' error message appears despite there being no unlicensed config 3-Major Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP 3-Major System statistics may fail to update, or report negative deltas due to delayed stats merging 3-Major The "Permitted Versions" field of "tmsh show sys license" only shows on first boot 3-Major Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. 3-Major IPsec IKEv1 intermittent but consistent tunnel setup failures 3-Major GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 3-Major The audit forwarders may prematurely time out waiting for TACACS responses 3-Major Asynchronous REST task IDs do not persist across process restarts 3-Major No Access Error When Policy is applied to the Virtual Server 3-Major The /var partition may become 100% full requiring manual intervention to clear space 3-Major TMM crash on BIG-IP Virtual Edition using DPDK and xnet drivers 3-Major In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled 3-Major Searching for IPv4 strings in statistics module does not work. 3-Major Misleading 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP 3-Major BGP sending malformed update missing Tot-attr-len of '0. 3-Major Wrong trunk_id is associated in bcm56xxd. 3-Major Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes 3-Major MCPD delay in processing a query_all message if the update_status bit is set 3-Major REST operation takes a long time when two different users perform tasks in parallel 3-Major BIG-IP Virtual Edition drops UDP packets 3-Major Client flow might not get offloaded to PVA in embryonic state 3-Major Monitor information not seen in GUI 3-Major Inherited-traffic-group setting of floating IP does not sync on incremental sync 3-Major icrd_child may core with high numbers of open file descriptors 3-Major Enforce password expiry after local user creation 3-Major VLAN failsafe does not trigger on guest 3-Major Fix DPDK RSS configuration settings 3-Major REST Requests return 401 Unauthorized when using Basic Auth 3-Major BGP route map community value cannot be set to the required range when using AA::NN notation 3-Major FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device 3-Major Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate 3-Major Syslog: invalid level/facility from /usr/libexec/smart_parse.pl 3-Major IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate 3-Major Forwarded PVA offload requests fail on platforms with multiple PDE/TMM 3-Major TACACS authentication fails with tac_author_read: short author body 3-Major Statemirror address can be configured on management network or clusterd restarting 3-Major The mcpd error for virtual server profiles incompatible needs to have more details 3-Major Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.★3-Major An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working 3-Major 'error: /bin/haloptns unexpected error -- 768' log messages generated on A110 and D112 platforms 3-Major Virtual server created with address-list in custom partition non-RD0 does not create listener 3-Major Cannot edit virtual server in GUI after loading config with traffic-matching-criteria 3-Major More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet. 3-Major Static routes created for application traffic processing can erroneously replace the route to the management subnet. 3-Major Live Update of Browser Challenges and Anti-Fraud are not cleaned up 3-Major NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly. 3-Major Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 3-Major HA failover connectivity using the cluster management address does not work on VIPRION platforms★3-Major PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog 3-Major When restjavad.useextramb is set, java immediately uses more resident memory in linux 3-Major SCTP forwarding flows based on VTAG for bigproto 3-Major At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log 3-Major TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC) 3-Major Ping missing from list of Types for OAuth Client 3-Major Tmm core due to corrupt list of ike-sa instances for a connection 3-Major A partition other than /Common may fail to save the configuration to disk 3-Major During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface 3-Major TMM crash in IPIP tunnel creation with a pool route 3-Major The cmp-hash VLAN setting does not apply to trunked interfaces. 3-Major An i11800 cannot deploy a four core vCMP guest if the remaining cores are in use 3-Major Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon 3-Major Mcpd may run out of memory when build image is missing★3-Major Turboflex page in GUI reports 'profile.Features is undefined' error★3-Major MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks 3-Major Image2disk does not work on F5OS BIG-IP tenant.★3-Major Enabling DHCP for management should not be allowed on vCMP guest 3-Major Modifying mgmt-dhcp options should not be allowed on VCMP guest 3-Major CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated 3-Major Active fails to resend ipsec ikev2_message_id_sync if no response received 3-Major Systemd hangs and is unresponsive 3-Major Changing syslog remote port requires syslog-ng restart to take effect 3-Major Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop 3-Major GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain 3-Major Self IP address creation fails with 'ioctl failed: No such device' 3-Major Restore of UCS leads to incorrect UID on authorized_keys★3-Major URI rewriting is incorrect for "data:" and "javascript:" 3-Major IPSec SA's missing after reboot 3-Major Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI 3-Major The "iq" column is missing from the ndal_tx_stats table 3-Major Set auto-failback-enabled moved to false after upgrade★3-Major Alarm LED and LCD alert cleared prematurely on startup for missing PSU input 3-Major Unable to edit custom inband monitor in the GUI 3-Major Incorrect virtual server list returned in response to status request 3-Major Failover script cannot read /config/partitions/ after upgrade★3-Major Slower REST calls after update for CVE-2021-22986 3-Major High CPU usage when upgrading from previous version★3-Major Tmm crash when using ipsec 3-Major Control plane is sluggish when mcpd processes a query for virtual server and address statistics 3-Major Error: out of stack space 3-Major Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs 3-Major Static mac entry on trunk is not programmed on CPU-only blades 3-Major NIST SP800-90B compliance 3-Major SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string 3-Major PAYG license becomes invalid when swapping associated NICs for instances in both Azure and AWS. 3-Major ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 3-Major Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk 3-Major Maximum Login Failures lockout for root and admin 3-Major VE CPU higher after upgrade, given same throughput 3-Major UCS load with 'reset-trust' may not work properly if base configuration fails to load★4-Minor Unable to change initial admin password from GUI after root password change 4-Minor Command 'run util bash' event is not captured in log when initially executed 4-Minor GRE Transparent Ethernet Bridging inner MAC overwrite 4-Minor Tmsh run sys failover standby with a device specified but no traffic group fails 4-Minor i40evf Requested 4 queues, but PF only gave us 16. 4-Minor Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs 4-Minor Mandatory arguments missing in tmsh security protocol-inspection profile help 4-Minor Watchdog reset due to CPU stall detected by rcu_sched 4-Minor Kernel nf_conntrack table might get full with large configurations. 4-Minor Guest user not able to see virtual server details when ASM policy attached 4-Minor IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby 4-Minor Accessing Dashboard page with AVR provisioned causes continuous audit logs 4-Minor Show net bwc policy prints bytes-per-second instead of bits-per-second 4-Minor LTM iRule validation performance improvement by tracking procedure/event that have been validated 4-Minor Hertfordshire county missing from GTM Region list 4-Minor Incorrect Active/Standby status in CLI Prompt after failover test 4-Minor Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family. 4-Minor Accessing the BIG-IP system's WebUI via special proxy solutions may fail 4-Minor Malformed JSON files may be present on vCMP host 4-Minor A vCMP guest may not provide guest health stats to the vCMP host 4-Minor Unable to create SNMP trap in the GUI 4-Minor Confusing log messages on certain user/role/partition misconfiguration when using remote role groups 4-Minor iSeries AOM web UI update fails to complete.★4-Minor tmsh logs boost assertion when running child process and reaches idle-timeout 4-Minor Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time 4-Minor Errors when platform-migrate loading UCS using trunks on vCMP guest 4-Minor K71255118 VCMP Guest CM device name not set to hostname when deployed 4-Minor K84370515 Some time zones prevent configuring trust with a peer device using the GUI. 4-Minor Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 4-Minor MCP error on loading a UCS archive with a global flow eviction policy 4-Minor TMM with BFD confgured might crash under significant memory pressure 4-Minor BFD sessions remain DOWN after graceful TMM restart 4-Minor Kernel warnings from NIC driver Realtek 8139 4-Minor Racoon may crash in rare cases 4-Minor Overlapping summary routes might not be advertised after ospf process restart. 4-Minor Remove unused CA-bundles 4-Minor No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. 4-Minor Sensor read errors on VIPRION C2200 chassis 4-Minor MPLS label stripping needs next protocol indicator 4-Minor VCMP Guest CPU usage shows abnormal values at the Host 4-Minor Provide a configuration flag to disable BGP peer-id check. 4-Minor BGP session resets during traffic-group failover 4-Minor MCP daemon does not log an error message upon connection failure to PostgreSQL server. 4-Minor Audit role users cannot see folder properties under sys-folder 4-Minor Re-establishing BFD session might take longer than expected. 4-Minor Missing required logs for "tmsh modify disk directory" command 4-Minor Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning 4-Minor Ike stops with error ikev2_send_request: [WINDOW] full window 4-Minor In BIG-IP GUI using "Select All" with filters is not working appropriately for policies 4-Minor Subnet mask property of virtual addresses not displayed in management GUI 4-Minor TurboFlex Profile setting reverts to turboflex-base after upgrade★4-Minor Online help is missing for CRL in client SSL profile and server SSL profile 4-Minor Missing TMSH help description for client-ssl profile 'CRL' 4-Minor The default size of the subagent object cache possibly leading to slow snmp response time★4-Minor The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error. 4-Minor GRE/TB-encapsulated fragments are not forwarded. 4-Minor OSPF vertex-threshold should be at least 100 5-Cosmetic Device Trust Certificates Expiring after 2038-01-19 show date of 1969 5-Cosmetic Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk Local Traffic Manager Issues ID Number Severity Solution Article(s) Description 1-Blocking Log Message: Clock advanced by Global Traffic Manager (DNS) Issues ID Number Severity Solution Article(s) Description 2-Critical K29290121 Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★2-Critical Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings 2-Critical Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c 2-Critical TMM crashes as a result of repeated loads of the GEOIP database 2-Critical DNS cache configured and tmm stuck in 'not ready' state indefinitely after TMM restart or reboot★2-Critical Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. 2-Critical TMM may crash under memory pressure when performing DNS resolution 2-Critical String operation against DNS resource records cause tmm memory corruption 2-Critical Tcl resume on invalid connection flow can cause tmm crash 3-Major ZoneRunner returns error 'Resolver returned no such record' 3-Major Status of GTM monitor instance is constantly flapping 3-Major Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition 3-Major GTM persistence records linger in tmm 3-Major Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt 3-Major A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries. 3-Major DNS Express: SOA stops showing up in statistics from second zone transfer 3-Major Tmm leaks memory after each DNSSEC query when netHSM is not connected 3-Major [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure 3-Major Hash collisions in fastDNS packet processing 3-Major Old local config is synced to other devices in the sync group. 3-Major DNS/GTM daemon big3d does not accept ECDH or DH ciphers 3-Major IPv6-based bind (named) views do not work 3-Major GTM HTTP/HTTPS monitors cannot be modified via GUI 3-Major GTM virtual servers have the wrong status 3-Major DNS Resource Records can be lost in certain circumstances 3-Major Wide IP alias validation error during sync or config load 3-Major Unable to save UCS 3-Major Unbound's backoff algorithm interacts badly with net resolver iRules 3-Major The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug 3-Major The iqsyncer utility may not write the core file for system signals 3-Major SELinux policies may prevent from iqsh/iqsyncer dumping core 3-Major TMM fails to sign responses from BIND when BIND has 'dnssec-enable no' 3-Major [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist 3-Major iRule command “RESOLVER::name_lookup” returns null for responses more than 512 bytes 3-Major When running a debug version of TMM, an assertion may be triggered due to and expired DNS lookup 3-Major DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd 3-Major GUI and REST API unable to add virtual servers containing a space in the name to a pool 3-Major Forward zone deleted when wideip updated 3-Major RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20 3-Major GTM marks virtual servers offline even when LTM virtual servers are available. 3-Major Warning message with UDP on DOH server side. 3-Major Missing GTM probes when max synchronous probes are exceeded 3-Major Deleted GTM link is not removed from virtual server object and causes load failure. 3-Major RRSIG missing for CNAME with RDATA in different zone 3-Major TMM crashes when handling Network DNS resolver Traffic. 3-Major PEM and Analytics tabs are displayed when accessing DoH Proxy/Server profiles. 3-Major Virtual server flapping when the active and standby devices have different configuration. 3-Major Topology region returns narrowest scope netmask without matching 3-Major Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors 3-Major [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.★3-Major Zxfrd core and continual restart when out of configured space 3-Major DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist 3-Major GTM monitor times out if monitoring a virtual server with translation address 3-Major GTM Pool member set to monitor type "none" results in big3d: timed out 3-Major Modifying GTM pool members with replace-all-with results in pool members with order 0 3-Major Config fails to load for large config on platform with Platform FIPS license enabled 3-Major DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator 3-Major Modify wideip pools with replace-all-with results pools with same order 0 3-Major Link Controller auto-discovery does not remove deleted virtual servers 3-Major Cannot update/display GTM/DNS listener route advertisement correctly 4-Minor Zrd in restart loop with empty named.conf 4-Minor DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm 4-Minor SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason 4-Minor Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" 4-Minor Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★4-Minor The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS GUI. 4-Minor Nslookup might generate a core during system restart 4-Minor iRule 'drop' command does not drop packets when used in DNS_RESPONSE 4-Minor Big3d cannot log the full XML buffer data 4-Minor TMUI is unable to change the Alias Address of DNS/GTM Monitors 4-Minor DNS logging does not support Splunk format log 4-Minor LCD IP address is missing from /etc/hosts on iSeries 4-Minor [GTM][GUI] Not able to enable/disable pool member from pool member property page 4-Minor The gtm_add command fails but reports no error Application Security Manager Issues ID Number Severity Solution Article(s) Description 2-Critical Device fails to request full sync 2-Critical ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 2-Critical ASM virtual server names configuration CRC collision is possible 2-Critical Latency reduce in case of empty parameters. 2-Critical TMM might crash when Bot Defense is configured for multiple domains 2-Critical TMM crash in certain cases 2-Critical Rare TMM crash when using Bot Defense Challenge 2-Critical Asmlogd suddenly deletes all request log protobuf files and records from the database 2-Critical TMM might crash after configuration failure 3-Major Bot Defense browser verification fails upon iframes of different top-level domains 3-Major Event Log and Traffic Learning screens fail to load request details★3-Major BD crash 3-Major Dropped requests are reported as blocked in Reporting/charts 3-Major Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’ 3-Major Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine 3-Major ASM blocks WebSocket frames with signature matched but Transparent policy 3-Major Asmlogd stops deleting old protobufs 3-Major Asmlogd stops deleting old protobufs 3-Major MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files 3-Major Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK 3-Major Payloads with large number of elements in XML take a lot of time to process 3-Major Inactive ASM policies are deleted upon upgrade 3-Major BD does not use all the CPU cores 3-Major Attack signature updates fail to install with Installation Error.★3-Major Live update error" 'Try to reload page' 3-Major URLs starting with double slashes might not be loaded when using a Bot Defense Profile. 3-Major BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★3-Major Icap server connection adjustments 3-Major ASMConfig Handler undergoes frequent restarts 3-Major Apply Policy action is not synchronized after making bulk signature changes 3-Major ASM Configuration is Lost on License Reactivation★3-Major False positives Mismatched message key on ASM TS cookie 3-Major Missing configuration after upgrade★3-Major ASM initial configuration script fails after upgrade★3-Major TMM xdata leak on websocket connection with asm policy without websocket profile 3-Major Unable to pick up the properties of the parameters from audit reports. 3-Major ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above★3-Major Staging of URL does not affect apply value signatures 3-Major High CPU during specific dos mitigation 3-Major Chrome sometimes ignores cross-site bot-defense cookies 3-Major TMM might crash when unsupported bot iRule is used 3-Major Policy changes learning mode to automatic after upload and sync 3-Major Session awareness entries aren't mirrored to both sides of an active-active deployment. 3-Major Route domain IP exception is being treated as trusted (for learning) after being deleted 3-Major CORS : default port of origin header is set 80, even when the protocol in the header is https 3-Major HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message 3-Major False positive RFC compliant violation 3-Major Bot Defense does not support iOS's WKWebView framework 3-Major ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN 3-Major Configuraton update triggers from MCP to ASM are ignored 3-Major ASM changed cookie value 3-Major Message: childInheritanceStatus is not compatible with parentInheritanceStatus★3-Major Remote log messages are separated into 2 lines if max_request_size limit falls exactly on \n char. 3-Major XML profile is created incorrectly from WSDL 3-Major Brute force attack is detected too soon 4-Minor Modifying bot defense allow list via replace-all-with fails with match-order error 4-Minor Inheritance of staging_period_in_days from policy template 4-Minor Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name 4-Minor Browser Challenges update file cannot be installed after upgrade★4-Minor Wrong display of signature references in violation details 4-Minor Applied Blocking Masks discrepancy between local/remote event log 4-Minor Requests fail to load when backend server overrides request cookies and Bot Defense is used 4-Minor Errors in IE11 console appearing with Bot Defense profile 4-Minor Traffic learning page counts Disabled signatures when they are ready to be enforced 4-Minor Nice level BigDB paramter is not applied for BD 4-Minor Accept Request button is clickable for unlearnable violation illegal host name 4-Minor Policy Properties screen does not load and display 4-Minor TMM crash in certain cases 4-Minor Illegal cross-origin after successful CAPTCHA 4-Minor Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled 4-Minor In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs 4-Minor User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs 4-Minor Additional Tcl variables showing information from the AntiBot Mobile SDK 4-Minor Bot Defense Logs indicate the mobile debugger is used even when it is not 4-Minor Traffic Learning: Accept actions for multiple suggestions not localized Application Visibility and Reporting Issues ID Number Severity Solution Article(s) Description 2-Critical GUI widgets pages are not functioning correctly 3-Major Context use and syntax changes clarification 3-Major Incorrect sum(hits_count) value in aggregate tables 3-Major Incorrect BD Swap Size units on ASM Resources chart 3-Major AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 3-Major Avrd core when connection to BIG-IQ data collection device is not available 3-Major AVRD may core when restarting due to data collection device connection timeout 3-Major AVRD crash when configured to send data externally 3-Major The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category 3-Major Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 4-Minor Analytics data not displayed for Pool Names 4-Minor User-defined report scheduling fails 4-Minor AVR core files have unclear names 4-Minor Sending ASM report via AWS SES failed duo to wrong content type 4-Minor tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name 5-Cosmetic Zone colors in ASM swap usage graph are incorrect Access Policy Manager Issues ID Number Severity Solution Article(s) Description 0-Unspecified NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN 2-Critical When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection 2-Critical TMM may crash when processing traffic with per-session APM Access Policy 2-Critical Upgrade from v14.1.x to v15.1.2.1 or later fails for app-tunnel, RDP and config migration★2-Critical Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 3-Major TMM core with ACCESS::policy evaluate iRule 3-Major APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★3-Major "Restrict to Single Client IP" option is ignored for vmware VDI 3-Major Per-request policy execution may timeout. 3-Major NTLM RPC exception: Failed to verify checksum of the packet 3-Major APM reset after upgrade and modify of LDAP Group Lookup★3-Major Restarting MCPD via command line may not restart the aced process 3-Major AD group cache query performance 3-Major VPN Tunnel establishment fails with some ipv6 address 3-Major APM OAuth - Auth Server attached iRule works inconsistently 3-Major In rare cases tmm crash is observed when using APM as RDG proxy. 3-Major JWT Claim value without quotes is invalid 3-Major Kerberos replay cache leaks file descriptors 3-Major Inefficient APM processing in large configurations. 3-Major APM - users end up with SSO disabled for their session, admin intervention required to clear session 3-Major APM logon page is not rendered if db variable "ipv6.enabled" is set to false 3-Major Session variable "session.user.agent" does not get populated for edge clients 3-Major APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaks 3-Major Reverse proxy traffic fails when a per-request policy is attached to a virtual server. 3-Major OAuth Claim display order incorrect in VPE 3-Major Slow file descriptor leak in urldbmgrd (sockets open over time) 3-Major VDI desktops and apps freeze with Vmware and Citrix intermittently 3-Major Subsession variable values mixing between sessions 3-Major APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption 3-Major Changing User login password using VMware View Horizon client results in “HTTP error 500” 3-Major Traffic disruption when virtual server is assigned to a non-default route domain★3-Major Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' 3-Major Websso puts quotation marks around non-string claim type 'custom' values 4-Minor OAuth refresh token not found 4-Minor Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged out 4-Minor Unknown browscap value sent by the client. 4-Minor TMM memory utilization increases after upgrade★4-Minor Errno=(Invalid cross-device link) after SCF merge 4-Minor Sessiondb entries related to Oauth module not cleaned up in certain conditions 4-Minor Accessing attribute using attributeNode value does not work with Portal Access ID Number Severity Solution Article(s) Description 2-Critical Tmm may crash with SIP-ALG deployment in a particular race condition 2-Critical Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 3-Major MR_INGRESS iRules that change diameter messages corrupt diam_msg 3-Major Tmm crash with ICAP filter 3-Major MRF per peer mode is not working in vCMP guest. 3-Major Unable to add a serverssl profile into a virtual server containing a FIX profile 3-Major TMM generates core when iRule executes a nexthop command and SIP traffic is sent 3-Major BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP 4-Minor MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction 4-Minor There might be wrong memory handling when message routing feature is used Advanced Firewall Manager Issues ID Number Severity Solution Article(s) Description 2-Critical No Access Error While trying to create a sub-rule under the Network Firewall rule list 2-Critical Packet tester crashes TMM when vlan external source-checking is enabled 2-Critical Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) 2-Critical iprep.protocol with auto-detect fails when DNS takes time to resolve 3-Major DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option 3-Major DNS DoS profile (Error Vector) does not mitigate/detect at the virtual server level. 3-Major Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★3-Major DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware 3-Major DDoS: ICMP attacks are not hardware-mitigated 3-Major Total address and Total endpoints is shown as '0' in nat stats 3-Major Packet with routing header IPv6 as next header in IP layer fails to be forwarded 3-Major SIP ALG not processing IPv6 in NAT64 UDP 3-Major Unnecessary authorization header added in the response for an IP intelligence feed list request 3-Major Memory allocation error while creating an address list with a large range of IPv6 addresses★3-Major Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time 3-Major TCP Packets are not dropped in IP Intelligence 3-Major AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect' 3-Major Virtual server security policy - An error has occurred while trying to process your request 3-Major A user with role "Firewall Manager" cannot open the Rule List editor in UI 3-Major NAT policies page unusable due to the page load time 3-Major Cannot modify Security "global-network" Logging Profile 3-Major Nested address lists can increase configuration load time 3-Major Bdosd does not create /var/bdosd/*.json 3-Major Core generated for autodosd daemon when synchronization process is terminated 3-Major Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered 3-Major Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled 3-Major DoS TCP SYN-ACK vector with 'suspicious' set to true impacts MD5 AUTH (BGP) functionality 4-Minor DoS events do not include the attack name for "tcp syn ack flood" 4-Minor Incorrect SPVA counter incremented during Sweep attack on profile 4-Minor Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts 4-Minor Firewall rule to block ICMP/DHCP from 'required' to 'default'★4-Minor UI: Partition does not work when clicking through security zones 4-Minor DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up 4-Minor Disabling DoS TCP SYN-ACK does not clear suspicious event count option Policy Enforcement Manager Issues ID Number Severity Solution Article(s) Description 2-Critical Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses 2-Critical Unable to provision PEM on VELOS platform 3-Major System reports{{validation_errors}} 3-Major PEM ephemeral listeners with source-address-translation may not count subscriber data 3-Major Memory leak due to session context not freed 3-Major "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs 3-Major Changes to DHCP Profile are not used by tmm ID Number Severity Solution Article(s) Description 2-Critical Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id 2-Critical Unknown subscriber in PBA deployment may cause CPU spike 3-Major CGNAT GUI shows blank page when applying SIP profile 3-Major Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created 4-Minor CGNAT+Subscriber Discovery - NAT IP with wrong route domain on the CGNAT Log Fraud Protection Services Issues ID Number Severity Solution Article(s) Description 2-Critical During upgrade to 16.1, the previous FPS Engine live update remains active★3-Major Special JSON characters in Dom Signatures breaks configuration Anomaly Detection Services Issues ID Number Severity Solution Article(s) Description 3-Major Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI Traffic Classification Engine Issues ID Number Severity Solution Article(s) Description 2-Critical Unable to load Traffic Classification package 3-Major Sysdb variable not working from tmsh 3-Major URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files 4-Minor Unconstrained wr_urldbd size causing box to OOM 4-Minor Video resolution mis-prediction 4-Minor Video resolution mis-predictions 4-Minor UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. ID Number Severity Solution Article(s) Description 2-Critical Modifying the default management port can break internal functionality 3-Major iAppLX packages not rolled forward after BIG-IP upgrade★3-Major WebUI shows error: Error getting auth token from login provider★4-Minor REST endpoint registration errors in restjavad logs 4-Minor Restjavad may fail to cleanup ucs file handles even with ID767613 fix 4-Minor BIG-IP Admin role credentials are not usable for getting device discovered by BIG-IQ ID Number Severity Solution Article(s) Description 3-Major Scriptd coring while running f5.automated_backup script Protocol Inspection Issues ID Number Severity Solution Article(s) Description 3-Major AFM IPS engine takes action on unspecified services 3-Major An error is encountered when enabling reset-learning to all the signatures of a protocol inspection profile in the GUI. 3-Major Protocol Inspection compliance check 10208 gtp_disallowed_message_types does not take GTP version into account Guided Configuration Issues ID Number Severity Solution Article(s) Description 3-Major Continuous connection refused errors in restjavad ID Number Severity Solution Article(s) Description 3-Major Missing SNI information when using non-default domain https monitor running in tmm mode 3-Major Delays marking Nodes or Pool Members DOWN with in-TMM monitoring 3-Major SSL monitor continues to send previously configured server SSL configuration after removal 3-Major In-TMM monitors do not work after TMM crashes 3-Major Transparent DNS monitor does not work after upgrade★4-Minor Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart ID Number Severity Solution Article(s) Description 3-Major Server-speaks-first traffic might not work with SSL Orchestrator 3-Major "Server-speak-first" traffic might not work with SSL Orchestrator 3-Major Tmm continuously cores when parsing custom category URLs Known Issue details for BIG-IP v16.1.x999881-6 : Tcl command 'string first' not working if payload contains Unicode characters.Component: Local Traffic Manager Symptoms: Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload. Conditions: -- Tcl command 'string first' is used in iRules. -- Payload contains Unicode characters. Impact: Traffic processing with iRules that contains the 'string first' command might not work as expected. Workaround: You can use any of the following workarounds: -- Use iRuleLX. -- Do not use Unicode characters in the payload. -- Use a custom Tcl proc to iterate through the string using lindex 999709-6 : iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.Component: Local Traffic Manager Symptoms: The 'pool'/'virtual' iRule commands cause the specified pool to be used directly. However, with HTTP/2, the 'pool'/'virtual' command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent. Conditions: -- A 'pool'/'virtual' command is used under CLIENT_ACCEPTED event. -- An HTTP/2 profile applied to virtual server. -- The HTTP/2 protocol in use. -- HTTP/2 Message Routing is disabled. Impact: With HTTP/2 configured, the iRule 'pool'/'virtual' commands fail to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired pool/virtual. Workaround: As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax. 999669-1 : Some HTTPS monitors are failing after upgrade when config has different SSL option★Component: Local Traffic Manager Symptoms: Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors. Conditions: -- Individual SSL profiles exist for different HTTPS monitors with SSL parameters. -- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without). Impact: Some HTTPS monitors fail. Pool is down. Virtual server is down. Workaround: None 999125-1 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.Component: TMOS Symptoms: After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states. Conditions: -- One or more devices belonging to a sync-failover device-group undergo a management IP change. Impact: -- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network). Workaround: If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur. Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command: tmsh restart sys service sod Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future. 999097-1 : SSL::profile may select profile with outdated configurationComponent: Local Traffic Manager Symptoms: Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer. Conditions: iRule command SSL::profile is used to select a profile that is not attached to the VIP, and changes have been made in the profile's cert-key-chain field. Impact: The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures. Workaround: Avoid making changes to a profile that is actively being used by the iRule command. 999085-1 : REST endpoint registration errors in restjavad logsComponent: Device Management Symptoms: Errors are logged to /var/log/restjavad.0.log at the SEVERE log level: [SEVERE]... [IcrWorker] Unable to register iControl endpoint "/xxxx/xxxx". Error: uriPath '/tm/xxxx/xxxx' already registered Conditions: The system reports these errors during startup of the restjavad service because of multiple registrations of the same endpoint. Impact: There is no functional impact and these errors can be ignored. Workaround: None 999021-2 : IPsec IKEv1 tunnels fail after a config sync from Standby to ActiveComponent: TMOS Symptoms: When racoon (the IKEv1 daemon) sees a tunnel config change, which occurs due to a config sync from the standby device, the change causes tmm and racoon to have conflicting views on the state of that tunnel. If the IKEv1 tunnel is up at the time of the config change, tmm fails to restart the tunnel. Conditions: -- IPsec IKEv1 tunnel in use. -- Changes made to IPsec IKEv1 tunnel on the Standby BIG-IP device, which are then sync'd to the Active BIG-IP device. -- And/or a full config sync from the Standby to Active BIG-IP system. Impact: IPsec IKEv1 tunnels fail and do not start again. Workaround: -- Do not make changes to IPsec IKEv1 tunnels on the Standby device. -- Avoid full syncs from Standby to Active. How to recover when the problem occurs: -- Disable the affected ike-peer and re-enable it. 998957-1 : Mcpd consumes excessive CPU while collecting stats.Component: TMOS Symptoms: Mcpd CPU utilization is 100%. Conditions: This can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected. Impact: CPU utilization by mcpd is excessive. Workaround: None 998649-1 : Log hostname should be consistent when it contains ' . 'Component: TMOS Symptoms: Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files. Conditions: -- Hostname contains a period -- Viewing log files emitted from journald and from syslog-ng Impact: The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname. Workaround: None. 998253-4 : SNI configuration is not sent via HTTPS when in-tmm monitors are disabledComponent: Local Traffic Manager Symptoms: The Server Name Indication (SNI) extension is missing on the HTTPS handshake. Conditions: -- Global in-tmm monitors are disabled -- HTTPS monitor traffic Impact: The HTTPS client-server handshake occurs without a TLS SNI. Workaround: None 998221-1 : Accessing pool members from configuration utility is slow with large configComponent: TMOS Symptoms: Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI. Conditions: -- Accessing pool member information through the BIG-IP configuration utility. -- Thousands of pools and pool members in the configuration. Impact: In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second, Managing pool members from configuration utility is very slow causing performance impact. Workaround: None 997793-3 : Error log: Failed to reset strict operations; disconnecting from mcpd★Solution Article: K34172543 Component: TMOS Symptoms: After rebooting the device you are unable to access the GUI. When checking the ltm logs in the SSH / console, it repeatedly prompts an error: Failed to reset strict operations; disconnecting from mcpd. Conditions: Previous EPSEC packages that are still residing on the system from old BIG-IP versions is installing upon boot. An internal timer can cause the installation to be aborted and all daemons to be restarted via 'bigstart restart' Impact: Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic. Workaround: 1. Stop the overdog daemon first by issuing the command: systemctl stop overdog 2. Restart all services by issuing the command: bigstart restart 3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts. 997561-5 : TMM CPU imbalance with GRE/TB and GRE/MPLS trafficComponent: TMOS Symptoms: When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning. In some circumstances, handling this traffic should not require maintaining state across TMMs. Conditions: This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic. Impact: TMM utilization across CPUs is imbalanced, which can impact overall device performance. Workaround: None 997541-5 : Round-robin Disaggregator for hardware and softwareComponent: TMOS Symptoms: GRE tunnel traffic is pinned to one CPU. Conditions: GRE traffic is passed through BIG-IP system. Impact: Traffic is pinned to one CPU and overall performance is degraded. Workaround: None 997313-2 : Unable to create APM policies in a sync-only folder★Component: TMOS Symptoms: Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to: -- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices Conditions: -- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups -- APM policy being created in a folder or partition associated with sync-only device group. Impact: -- Unable to create the access policy. -- The configuration fails to load and the device remains inoperative. Workaround: You can use either of the following strategies to prevent the issue: --Do not create APM policies in a sync-only folder. --Disable MCPD device-group reference validation for the sync-only folder, e.g.: tmsh modify sys folder /Common/sync-only no-ref-check true tmsh save sys config 996649-6 : Improper handling of DHCP flows leading to orphaned server-side connectionsComponent: Local Traffic Manager Symptoms: When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client. Conditions: Regular DHCP virtual server in use. Impact: Traffic is not passed to the client. Workaround: None. 996261-1 : Zrd in restart loop with empty named.confComponent: Global Traffic Manager (DNS) Symptoms: The zrd process enters a restart loop: logger[20015]: Re-starting zrd Conditions: This occurs when /var/named/config/named.conf is empty. Impact: The zrd process enters a restart loop. If the device is in a sync group, zrd enters a restart loop on all devices. Workaround: Restore content to the named.conf file. 996145-1 : After UCS restore on HA pair, one of the devices is missing folder /var/config/rest/iapps/f5-iappslx-ssl-orchestratorComponent: TMOS Symptoms: After restoring via UCS file, the SSL Orchestrator page reads: Not Found The requested URL was not found on this server Conditions: -- Devices are in a high availability (HA) pair -- SSL Orchestrator deployed -- A UCS file is loaded Impact: SSL Orchestrator is not available. /var/config/rest/iapps/f5-iappslx-ssl-orchestrator is not restored correctly during UCS load. Workaround: Restore the UCS file again 996001-5 : AVR Inspection Dashboard 'Last Month' does not show all data pointsComponent: TMOS Symptoms: A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries. Conditions: This occurs when generating a 'Last Month' report for a month that contains 31 days of data. Impact: AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points. Workaround: None 995605-2 : PVA accelerated traffic does not update route domain statsComponent: TMOS Symptoms: PVA accelerated traffic does not update route domain stats Conditions: -- PVA accelerated traffic. -- Viewing the route domain stats. Impact: The route domain stats may be inaccurate Workaround: Use the virtual server stats or ifc_stats instead. 995369-1 : DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithmComponent: Global Traffic Manager (DNS) Symptoms: Generated DNSSEC keys always use RSA/SHA1 algorithm. Conditions: DNSSEC keys are generated with manual key management method. Impact: You are unable to create DNSSEC keys with other algorithms. Workaround: Choose automatic key management method. 995097-1 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.Component: TMOS Symptoms: After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character. For instance, after reloading the configuration, the following section: # tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options sys management-dhcp sys-mgmt-dhcp-config { supersede-options { domain-name { value { "example.com" } } domain-name-servers { value { 8.8.8.8 } } domain-search { value { "example.com" } } } } Becomes: # tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options sys management-dhcp sys-mgmt-dhcp-config { supersede-options { domain-name { value { example.com } } domain-name-servers { value { 8.8.8.8 } } domain-search { value { example.com } } } } This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza. Conditions: This issue occurs when the following statements apply: - The values of management-dhcp supersede options contain double quote characters. - The configuration is reloaded from file. The BIG-IP system reloads the configuration from file in the following cases: -- When you issue the 'tmsh load sys config' command. -- After an upgrade, as the mcpd binary database does not exist yet. -- When troubleshooting requires removing the mcpd binary database and reloading the config from file. -- When the system is relicensed. -- When system provisioning changes. -- When a UCS/SCF archive is restored. -- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration). Impact: The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect. The /etc/dhclient.conf file that is automatically generated contains incorrect syntax. As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration. Ultimately, the system does not behave as configured in regard to its management-dhcp configuration. Workaround: Reapply the desired management-dhcp supersede-options configuration using the tmsh utility. For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh: # modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none # modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } } # modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } } # modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } } # save sys config On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running: bigstart restart dhclient dhclient6 Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again. 994985-3 : CGNAT GUI shows blank page when applying SIP profileComponent: Carrier-Grade NAT Symptoms: The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server. Conditions: -- Create virtual server and attach a SIP profile. -- Navigate to virtual server properties page. Impact: The virtual server properties page does not display the configuration. Workaround: None. 994365-1 : Inconsistency in tmsh 'object mode' for some configurationsComponent: TMOS Symptoms: Tmsh does not support object mode when modifying certain configurations, such as the node configuration. This results in misleading error 'not found' even though the configuration is available. Conditions: Modify node config results in error, even though the config is present. # Node Object 'example' is created successfully (tmos)# create ltm node example address 1.2.3.4 # On modifying the node 'example', tmsh gives error (tmos)# modify ltm node example Data Input Error: node "example" not found The modify command does work when a property is specified: (tmos)# modify ltm node example description "Node 1234" Impact: Inconsistent tmsh syntax when using 'object mode' for modifying the configuration. Workaround: Use 'tmsh modify' commands, or the GUI, to make the required changes without 'entering' the object in tmsh. 994361-2 : Updatecheck script hangs/Multiple updatecheck processesComponent: TMOS Symptoms: Multiple updatecheck and 'rpm -qf' processes running simultaneously. Updatecheck is not functional Conditions: Updatecheck is run periodically via a cronjob. Updatecheck runs 'rpm -qf' command. Impact: Due to that 'rpm -qf' command hangs. This causes multiple updatecheck and 'rpm -qf' processes. High CPU and memory usage. The most likely explanation is that rpmdb has gotten corrupted. Workaround: To rebuild rpmdb: 1. Halt all running updatecheck and 'rpm -qf' processes. 2. Run these commands: rm /var/lib/rpm/__db* rpm --rebuilddb 994305-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5Component: TMOS Symptoms: Features supported in newer versions of open-vm-tools are not available. Conditions: This issue may be seen when running in VMware environments. Impact: Features that require a later version of open-vm-tools are not available. Workaround: None. 994221-1 : ZoneRunner returns error 'Resolver returned no such record'Component: Global Traffic Manager (DNS) Symptoms: ZoneRunner returns error 'Resolver returned no such record'. Conditions: When trying to retrieve TXT records with single backslash. Impact: Not able to manage TXT record. Workaround: Use double backslashes to retrieve TXT records. 994081-1 : Traffic may be dropped with an Immediate idle timeout setting.Component: Local Traffic Manager Symptoms: When the idle timeout is set to Immediate, flows may be expired while packets are buffered. Buffered packets are dropped. This can impact iRules and non-L4 virtual servers. Conditions: -- Idle timeout set to Immediate. -- iRules are configured or non-L4 virtual servers are used. Impact: Traffic is dropped. Workaround: You can use either workaround: -- Configure an L4 virtual server. -- Consider removing iRules. 994013-1 : Modifying bot defense allow list via replace-all-with fails with match-order errorComponent: Application Security Manager Symptoms: An error occurs when modifying the allow list (or in case of 'load sys config verify' with similar configuration): 01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique. Conditions: -- Either modification via replace-all-with: tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } } -- Or delete all, add, save and load-verify: tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all } tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}} tmsh save sys config load sys config verify Impact: You are unable to add-replace the bot defense allow list configuration Workaround: You can use either of the following workarounds: -- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config). -- Change match-order of custom modify command (to continue with match-order 3 and up). 993613-7 : Device fails to request full syncComponent: Application Security Manager Symptoms: Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs Conditions: -- A manual sync device group is configured and ASM sync is enabled. -- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction. Impact: -- The device that is meant to receive the config sync never requests or receives it. -- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic. -- ASM GUI becomes unresponsive. -- Large number of asm_config_server processes increases host memory usage Workaround: Halting asm_config_server on the stuck device restores the working state and request a new sync. 993517-1 : Loading an upgraded config can result in a file object error in some casesComponent: Local Traffic Manager Symptoms: After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log: -- 0107134a:3: File object by name (DEFAULT) is missing. If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen. Conditions: -- Upgrading from a version prior to 13.1.0. -- At least one HTTPS monitor that has the kEDH cipher in its cipherlist. -- Upgrading to version 13.1.1.4 or later. -- Loading the configuration (either automatically on startup, or manually). Impact: Other than the error message, there is no impact. Workaround: After the initial reboot, save the configuration. 993457-1 : TMM core with ACCESS::policy evaluate iRuleComponent: Access Policy Manager Symptoms: TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release. Conditions: -- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered. -- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes. Impact: This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts. Workaround: None 993269-3 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite optionComponent: Advanced Firewall Manager Symptoms: Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures. DoS timestamp cookies might also lead to problems with traffic generated by the Linux host. Conditions: -- DoS timestamp cookies are enabled, and either of the following: -- FastL4 profile with the timestamp rewrite option enabled. -- Traffic originating from Linux host. Impact: Traffic is dropped due to incorrect timestamps. Workaround: Disable timestamp cookies on the affected VLAN. 992813-7 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.Component: TMOS Symptoms: The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh. As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options. For example, you may be returned the following error when attempting to supersede the domain-search option: 01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search Conditions: You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties. Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option. Impact: You are unable to instantiate the desired management-dhcp configuration. Workaround: None 992449-1 : The vCMP host does not report the correct number of guest CPUs on the guest page of the GUIComponent: TMOS Symptoms: The total number of cores for a multi-slot vCMP guest is not shown correctly on the GUI page for a vCMP guest. Conditions: -- vCMP Host on VIPRION platforms with multiple blades. -- vCMP guest spanning two or more blades. Impact: Incorrect number of cores listed. -- The vCMP :: Guest List page shows all cores for all slots. -- The vCMP -> Guest List specific_guest page shows only cores for that guest's slot. Workaround: View the Guest List page to see a graphical representation of the number of cores per guest. 992253-4 : Cannot specify IPv6 management IP addresses using GUIComponent: TMOS Symptoms: You are unable to set the IPv6 mgmt IP address using the GUI, even if the IPv6 address format is a not a short address. When you submit the change, the field is empty. Conditions: Attempt to set up IPv6 management address using the GUI Impact: You are unable to configure IPv6 management addresses using the GUI. Workaround: Use tmsh: tmsh create sys management-ip /992241-3 : Unable to change initial admin password from GUI after root password changeComponent: TMOS Symptoms: While trying to change the admin password from GUI, an error occurs: -- Authentication failed: Password expired. Update password via /mgmt/shared/authz/users. Conditions: -- Change the password for the root user the first time, before the admin password has been changed. This action sets both the root and admin password at the same time. -- Navigate to the GUI and attempt to update the admin password. Impact: GUI password change fails. Workaround: You can use either of the following workarounds: -- Change the password admin via the GUI before changing the root admin via ssh. -- After changing the root password, use tmsh to set the admin password using the command: modify auth user admin password. 992233-1 : DNS DoS profile (Error Vector) does not mitigate/detect at the virtual server level.Component: Advanced Firewall Manager Symptoms: The GUI makes it appear as if the DNS malformed vector can be configured at the virtual server level when it cannot be. Conditions: Using the GUI to configure DoS vectors in the virtual server context. Impact: The GUI allows you configure something that does not actually work. Workaround: None 992097-4 : Incorrect hostname is seen in logging filesComponent: TMOS Symptoms: -- On the local blade, slot information is missing from LTM logs. Only the hostname is logged. -- For messages received from another blade, the hostname is replaced by the word "slotX". Conditions: Multi-bladed VIPRION or VIPRION-based vCMP guest. Impact: Remote log collectors cannot identify the log message based on hostname and/or blade number. Workaround: None 992053-4 : Pva_stats for server side connections do not update for redirected flowsComponent: TMOS Symptoms: Pva_stats for server side connections do not update for the re-directed flows Conditions: -- Flows that are redirected to TMM. -- Server flows are offloaded to PVA. Impact: PVA stats do not reflect the offloaded flow. Workaround: None 991829-1 : Continuous connection refused errors in restjavadComponent: Guided Configuration Symptoms: Continuous connection refused errors observed in restjavad. [com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused) [8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Unexptected exception in getting all the polcies: org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused) Conditions: The errors are observed regardless of asm provisioning Impact: This causes noisy log file of restjavad. Workaround: None 991765-3 : Inheritance of staging_period_in_days from policy templateComponent: Application Security Manager Symptoms: Enforcement readiness period of newly created Policy does not get its value from Policy Template. Conditions: Creating new ASM Policy from a template with an Enforcement readiness period different from the default (default is 7). Impact: Newly created policy has an incorrect configuration. Workaround: Create the Policy using tmsh or REST API. 991265-3 : Persistence entries point to the wrong servers for longer periods of timeComponent: Local Traffic Manager Symptoms: Persistence entries point to the wrong servers for a longer than expected. Conditions: A pool member goes down, causing the persistence entry to change to a new pool member. Then, the pool member comes back up. Impact: The persistence entry does not change to the pool member that came back up. It does not expire as client requests using this cookie continue to refresh the persistence entry that goes to the wrong server. This can delay recovery of the pool members when they are marked down for regular maintenance, or if all pool members are cycled up/down periodically, it causes persistence entries to point to the wrong servers for longer periods of time than necessary. Workaround: None. 990929-2 : Status of GTM monitor instance is constantly flappingComponent: Global Traffic Manager (DNS) Symptoms: Status of GTM monitor instance is constantly flapping. Conditions: GTM devices in a GTM sync group configured with IP addresses that can not communicate with each other. Impact: Resources are marked offline constantly. Workaround: Remove from the GTM server object definition the IP addresses that do not communicate with each other. 990853-1 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.Component: TMOS Symptoms: The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file: -- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition -- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410. Conditions: -- Multi-blade VIPRION system provisioned as vCMP host. -- The system is configured with partitions using non-default route-domains. -- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest. -- A non-Common partition is selected in the GUI Partition drop-down menu when making the change. Impact: MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart. Workaround: Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI. 990461-5 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★Component: Advanced Firewall Manager Symptoms: If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version. Conditions: -- Per virtual server SYN cookie threshold is set. -- SYN cookie threshold is set to a value higher than 4095. Impact: A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration. Workaround: Manually update the SYN cookie threshold values after an upgrade. 990173-1 : Dynconfd repeatedly sends the same mcp message to mcpdComponent: Local Traffic Manager Symptoms: If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd. An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message. Conditions: This can occur when: -- Using FQDN nodes and FQDN pool members. -- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'. Impact: By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization. This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving. Workaround: Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation. 989937-2 : Device Trust Certificates Expiring after 2038-01-19 show date of 1969Component: TMOS Symptoms: If you import a Certificate into the Device Trust Certificates that expires after 2038-01-19, the system GUI shows an expiration date of 1969. Conditions: Certificate expiring on/after 2038-01-19T03:14:08Z. Impact: The expiration date in the GUI shows 1969. This does not impact iquery or device function. Workaround: You can use the command line interface to view the certificate: $ cd /config/big3d $ openssl crl2pkcs7 -nocrl -certfile client.crt | openssl pkcs7 -print_certs -noout -text | grep "Issuer:\|Subject:\|Not Before:\|Not After :" 989529-1 : AFM IPS engine takes action on unspecified servicesComponent: Protocol Inspection Symptoms: Specific ports configured in the IPS profile are not taken into account during the matching action exercised by the IPS subsystem. As a result, all ports are matched. Conditions: Service ports specified under Security :: Protocol Security : Inspection Profiles :: service type (e.g., HTTP). Impact: Increased resource usage and excessive logging. Workaround: None. 989517-3 : Acceleration section of virtual server page not available in DHDComponent: TMOS Symptoms: The acceleration section in the virtual server page(UI) is not visible if a DHD license is installed. Conditions: The acceleration section is not visible in case "Dos" is provisioned Impact:
Workaround: A virtual server with parameters present in the Acceleration table can still be created using TMSH 988793-2 : SecureVault on BIG-IP tenant does not store unit key securelyComponent: TMOS Symptoms: BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely. Conditions: BIG-IP tenant running on the VELOS platform. Impact: The BIG-IP tenant does not utilize secure storage for unit key. Workaround: None 988645-4 : Traffic may be affected after tmm is aborted and restartedComponent: TMOS Symptoms: Traffic may be affected after tmm is aborted and restarted. /var/log/tmm contains a lot of "DAG Proxy failed" messages. Conditions: -- A BIG-IP device is deployed in a VELOS tenant -- Tmm aborts and restarts for some reason. Impact: Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted. Workaround: Reboot the tenant 987885-6 : Half-open unclean SSL termination might not close the connection properlyComponent: Local Traffic Manager Symptoms: Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached. Conditions: -- TCP and SSL profiles configured on a virtual server. -- Client terminates the connection in the middle of an SSL record. Impact: Connection termination does not happen. Connection remains in the connection table until idle timeout is reached. Workaround: None. 987709-6 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partitionComponent: Global Traffic Manager (DNS) Symptoms: GTM config fails to load with errors similar to this: 01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2 Unexpected Error: Loading configuration process failed Conditions: There is a wide IP with the same name in another partition as the static target CNAME pool member. Impact: Gtm config fails to load. Workaround: Create the wide IP first and then add the static target CNAME pool member. 987637-3 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardwareComponent: Advanced Firewall Manager Symptoms: BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server. Conditions: -- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries) -- Virtual server configured with a DoS profile -- Flood traffic reaches the virtual server Impact: For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected. Workaround: None 987605-3 : DDoS: ICMP attacks are not hardware-mitigatedComponent: Advanced Firewall Manager Symptoms: ICMP/Fragments attacks against a virtual server with a DOS profile are not mitigated by hardware. Conditions: ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware. Impact: ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU. Workaround: None 987453-3 : Bot Defense browser verification fails upon iframes of different top-level domainsComponent: Application Security Manager Symptoms: When using Bot Defense on a page which has an iframe to a different top-level domain, the iframe may fail to load. Conditions: Page has an iframe on a different top-level domain than that of the main page. Note that iframes with different sub-domains are not impacted. Impact: Page resources may fail to load. Workaround: None 987401-1 : Increased TMM memory usage on standby unit after pool flapComponent: Local Traffic Manager Symptoms: TMM memory usage on a BIG-IP standby device might be substantially higher than an active device. Conditions: Standby device with UDP mirroring traffic and datagram-load-balancing disabled. Impact: The standby device may not be able to take over traffic when failover happens. Workaround: None. 987301-3 : Software install on vCMP guest via block-device may fail with error 'reason unknown'Component: TMOS Symptoms: When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'. -- /var/log/liveinstall may contain an error similar to: I/O error : Input/output error /tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty -- /var/log/kern.log may contain an error similar to: Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712 Conditions: This might occur after multiple attempts to install an EHF on a vCMP guest via block-device: tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3 Impact: Sometimes the EHF installation fails on the guest. Workaround: -- Retry the software installation. -- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation. 987081-1 : Alarm LED remains active on Secondary blades even after LCD alerts are clearedComponent: TMOS Symptoms: When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition. When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared). However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages. Conditions: This occurs when: -- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display. -- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command. Impact: The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared. Workaround: To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade. For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis: -- clsh --slot=4 "bigstart restart fpdd" -- ssh slot4 "bigstart restart fpdd" Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly. 987077-3 : TLS1.3 with client authentication handshake failureComponent: Local Traffic Manager Symptoms: SSL handshakes are failing, and TLS clients send 'Bad Record MAC' errors. Conditions: -- LTM authentication profile using OSCP and TLS1.3. -- Client application data arrives during LTM client authentication iRule. Impact: A handshake failure occurs. Workaround: Use TLS1.2 or use TLS1.3 without LTM authentication profile. 986821-1 : Command 'run util bash' event is not captured in log when initially executedComponent: TMOS Symptoms: The initiation of 'run util bash' is not captured in the audit log (/var/log/audit) Conditions: Run 'run util bash' command in tmsh mode. Impact: The timestamp for a 'run util bash' command will occur when the subshell exits, not when the subshell is first executed. It is difficult to determine when the bash subshell started. Workaround: None 985953-6 : GRE Transparent Ethernet Bridging inner MAC overwriteComponent: TMOS Symptoms: Traffic not being collected by virtual server and therefore not being forwarded to the nodes. Conditions: Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address. Impact: Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel. Workaround: None 985925-3 : Ipv6 Routing Header processing not compatible as per Segments Left value.Component: Local Traffic Manager Symptoms: Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error. Conditions: -- An IPv6 packet whose Next Header in IP header is Routing Header IPv6. -- In the Routing Header IPv6 header, the Type field is 0. -- In the Routing Header IPv6 header, the Segment Left field is 0. Impact: With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet. Workaround: None 985749-1 : TCP exponential backoff algorithm does not comply with RFC 6298Component: Local Traffic Manager Symptoms: The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets. Conditions: Using TCP. Impact: Retransmission timeout interval depends on the inclusion/exclusion of SYN flag. Workaround: None 985401-1 : ProxySSL virtual servers should work with web acceleration (ramcache) profiles attachedComponent: Local Traffic Manager Symptoms: Attempting to attach a web acceleration profile to a virtual server that has an SSL profile with ProxySSL enabled will result in the following validation error: A validation error similar to: 01070734:3: Configuration error: Proxy SSL is not compatible with Web Acceleration profile on Virtual Server ( Conditions: -- Virtual server using an SSL profile with ProxySSL enabled. -- Attaching a web acceleration (webacceleration) profile to the virtual server. Impact: Unable to use the web acceleration profile with ProxySSL virtual servers. Workaround: Avoid using ProxySSL virtual servers with web acceleration (ramcache) profiles attached. 985205-2 : Event Log and Traffic Learning screens fail to load request details★Component: Application Security Manager Symptoms: Event Log and Traffic Learning screens get stuck with loading animation. and request details are not displayed. Conditions: This problem might be introduced during upgrading, so you see the symptom with the post-upgrade version (boot location). Impact: Event Log and Traffic Learning screens do not function as expected. Workaround: You can manually trigger populating missing items in the database to recover from the problem. 1. When this problem occurs, you see all or some of rows have no value in the following output: # mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "select rest_uuid from PLC.VIOLATIONS" +---+
2. Trigger populating those missing values: # perl -MF5::ASMConfig::Entity::Base -MF5::DbUtils -MF5::Utils::Rest -e 'F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh())' 3. Verify those values are indeed populated" # mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "select rest_uuid from PLC.VIOLATIONS" +----+
4. You might need to restart this daemon to make the changes take effect. # pkill -f asm_config_server 5. Wait 30 seconds. NOTE: None of these steps have any impact on traffic. The last step halts ASM control plane functionality for 30 seconds or so. During that time you lose access to the ASM part of GUI, cannot change the ASM configuration, and cannot perform config-sync operations. 984897-1 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.Component: Local Traffic Manager Symptoms: Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit. Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires. Conditions: A virtual server configured to perform SSL connection mirroring. Impact: Should the units fail over, some connections may not survive as expected. Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit. Workaround: None. 984765-2 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★Component: Access Policy Manager Symptoms: NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server. Conditions: -- Upgrading from legacy versions to BIG-IP v14.1.2 or later. -- AD servers are updated with latest security patches from Microsoft. Impact: NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down. Workaround: To resolve the issue temporarily, use either of the following: -- Reset the NTLM Machine Account with the 'Renew Machine Password' option. -- Run the command: bigstart restart nlad The problem can reappear after a week, so you must repeat these steps each time the issue occurs. 984657 : Sysdb variable not working from tmshComponent: Traffic Classification Engine Symptoms: When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh Conditions: The following sys db variable is enabled: cloud_only You attempt to run the following command: tmsh list sys db urlcat_query Impact: Sysdb variables does not work from tmsh 984593-1 : BD crashComponent: Application Security Manager Symptoms: BD crashes. Conditions: The conditions under which this occurs are unknown. Impact: Traffic disrupted while bd restarts. Workaround: None. 984585-3 : IP Reputation option not shown in GUI.Component: TMOS Symptoms: Cannot configure IP Reputation option from the GUI. Conditions: Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules. Impact: The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation. Workaround: Use tmsh to configure IP Reputation. 984521-4 : Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file nameComponent: Application Security Manager Symptoms: Bot Defense profile checks if a page is not an HTML page by checking the file extension (among other ways). In case the filename contains a dot (.) - the parsing is wrong and it is not detected as incompatible. As a result, the Accept-Encoding header is removed (to allow injection in the response). Conditions: -- Bot Defense profile is attached to s virtual server configured with any response injection (Device ID, Browser Verification, or Single Page Application). Request is sent to an incompatible file extension (one of gif,png,bmp,jpg,ico,css,mp3,mp4,mpg,avi,wmv,mov,3gp,fla,swf,js), and filename contains a dot (.). Impact: Accept-Encoding header is removed, causing the server to not send a gzipped response. Workaround: Add this specific URL to sys db: dosl7.parse_html_excluded_urls 981485-6 : Neurond enters a restart loop after FPGA update.Component: TMOS Symptoms: After FPGA firmware upgrade, the neurond process might enter a restart loop, unable to recover. When the problem is present you might see logs similar to: -- notice chmand[6674]: 012a0005:5: FPGA PNP FW upgrade check: req type 0, file:Latest -- notice chmand[6674]: 012a0005:5: FPGA: Requesting type: 0, vers: Latest -- notice chmand[6674]: 012a0005:5: FPGA: current type: 2, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.23.5.0_d20.06.11.00.bit -- notice chmand[6674]: 012a0005:5: FPGA: match for type: 0, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.6.7.0_d20.06.11.00.bit -- notice chmand[6674]: 012a0005:5: removed /var/db/mcpdb.* FPGA current disk firmware updated to: /L7L4_BALANCED_FPGA type: 0 -- notice chmand-fpga-pnp[17551]: Stopping TMM, BCM56xxd, and neurond -- notice logger[17553]: /bin/bash /etc/init.d/fw_pnp_upgrade upgrade restart ==> /usr/bin/bigstart stop tmm bcm56xxd neurond Conditions: FPGA firmware mismatch, leading to FPGA firmware upgrade. Impact: Enhanced flow acceleration provided by the Neuron chip cannot be utilized. Workaround: Perform a full system restart. 981145-1 : DoS events do not include the attack name for "tcp syn ack flood"Component: Advanced Firewall Manager Symptoms: BIG-IQ does not display the attack name for a 'tcp syn ack flood' attack. Conditions: DoS on BIG-IP enabled to address 'tcp syn ack flood' attack. Impact: Lack of DoS attack information. The mitigation occurs as expected. Only the notification information is missing. Workaround: None. 979213-1 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.Component: Local Traffic Manager Symptoms: Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs. The spikes may report unrealistically high levels of traffic. Note: Detailed throughput graphs are not affected by this issue. Conditions: This issue occurs when the following conditions are met: -- The BIG-IP device is a physical system. -- TMM was restarted on the system. -- At some point, at least one interface was up on the system and recorded some traffic. Impact: This issue is purely cosmetic but might cause concern when reviewing the performance graphs. Workaround: None. 978953-3 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot upComponent: Local Traffic Manager Symptoms: During the initial boot of the device the MTU of the tmm_bp kernel interface is out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command: tmsh show /net vlan all-properties -hidden. tmsh list net vlan tmm_bp all-properties -hidden. Additionally, running the following command: modify sys db vlan.backplane.mtu value Conditions: This issue occurs on the first boot intermittently. Impact: When the values are seen at non-sync, after the modification of the backplane vlan mtu and saving the config, changing the mtu config value does not last through a reboot. Workaround: Rebooting the device resolves the issue 977953-3 : Show running config interface CLI could not fetch the interface info and crashes the imiComponent: TMOS Symptoms: The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running. If you run 'show running-config interface', imi crashes. Conditions: 1. nsm and bgpd are the daemons running. 2. Run the "show running-config" command Impact: Imish cannot retrieve interface information from the show running-config command. Workaround: * Enable OSPF. For example, # tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 } # ps -ef | egrep -i ospf root 11954 4654 0 11:25 ? S 0:00 ospf6d%0 977625-1 : GTM persistence records linger in tmmComponent: Global Traffic Manager (DNS) Symptoms: -- GTM persistence records are not cleared. -- GTM still answers from persist records even though the persist records not listed by the "tmsh show gtm persist" command. Conditions: Persistence for wideip or application is disabled and then enabled quickly afterwards Impact: GTM answers from stale persist records. Workaround: Do not enable persistence right after disabling. 977449-1 : Total address and Total endpoints is shown as '0' in nat statsComponent: Advanced Firewall Manager Symptoms:
Total address and Total endpoints is shown as '0' (zero) in the output of 'show ltm nat-stats roll-up-level fw-nat-source-translation-object name Conditions: The prefix length for IPv6 source translation is configured as less than or equal to 64. Impact: There is no functional impact, as only the 'show' output is affected for the two stats. Workaround: None 977153-3 : Packet with routing header IPv6 as next header in IP layer fails to be forwardedComponent: Advanced Firewall Manager Symptoms: BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded. Conditions: This symptom is found when the following conditions are met: -- An IPv6 packet whose Next Header in IP header is Routing Header IPv6. -- In the Routing Header IPv6 header, the Type field is 0. -- In the Routing Header IPv6 header, the Segment Left field is 0. Impact: This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification. Workaround: None. 976621-1 : SIP ALG not processing IPv6 in NAT64 UDPComponent: Advanced Firewall Manager Symptoms: NAT64 UDP does not work with application layer gateway (ALG) profiles configured for SIP traffic. Conditions: -- ALG profiles configured for SIP traffic. -- NAT and IPv6 UDP traffic. Impact: NAT translation does not happen for IPv6 UDP traffic with SIP ALG. Workaround: Enable NAT64 explicitly for UDP SIP traffic to be translated. 976525-5 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabledComponent: Local Traffic Manager Symptoms: In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections. Conditions: -- The db variable snat.hosttraffic is enabled. -- Gateway pool with multiple members. -- Transparent monitors. Impact: The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN. Workaround: Use either of the following workarounds: -- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable -- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic. 976517-2 : Tmsh run sys failover standby with a device specified but no traffic group failsComponent: TMOS Symptoms:
The tmsh run /sys failiover standby device Syntax Error: There is no failover device with a name (/Common/bigip2.localhost). Conditions: Two or more BIG-IPs configured with high availability (HA) Impact: You are required to specify all the traffic groups you want to failover to a peer. Workaround: For each traffic group that you want to failover to a peer run the tmsh run /sys failover standby. For example if you want to fail over both traffic groups traffic-group-1 and traffic-group-2 to failover to bigip2.localhost, run the following: tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1 tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2 If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device): tmsh run /sys failover standby 976337-2 : i40evf Requested 4 queues, but PF only gave us 16.Component: TMOS Symptoms: During BIG-IP system boot, a message is logged: i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16. Conditions: -- BIG-IP Virtual Edition configured for SR-IOV -- E810 virtual functions (VFs) Impact: A message is logged but it is benign and can be ignored. 975725-5 : Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcastComponent: Local Traffic Manager Symptoms: L3 unicast traffic with L2 broadcast destination MAC (ff:ff:ff:ff:ff:ff) matching wildcard virtual servers is not handled properly. Conditions: Wildcard virtual server is configured to handle such traffic. Impact: Traffic will not be forwarded properly. Workaround: Use specific non-wildcard virtual-server. 974513-7 : Dropped requests are reported as blocked in Reporting/chartsComponent: Application Security Manager Symptoms: Dropped requests are reported as blocked in Reporting/charts. Conditions: Request is dropped (or client side challenge / captcha is not answered) as part of a brute force mitigation or a slow post attack causes dropping of a request. Impact: Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops. Workaround: None. 974205-5 : Unconstrained wr_urldbd size causing box to OOMComponent: Traffic Classification Engine Symptoms: The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests. Conditions: This occurs when processing a large volume of distinct and valid URLCAT requests. Impact: The device eventually runs out of memory (OOM condition). Workaround: Restart the wr_urldbd process: restart sys service wr_urldbd 973341-1 : Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crtComponent: Global Traffic Manager (DNS) Symptoms: Bigip_add, big3d_install, gtm_add will not work. Conditions: Device cert is customized. Impact: Bigip_add, big3d_install, gtm_add not work. Workaround: Copy the content of the new cert to default file "/etc/httpd/conf/ssl.crt/server.crt". 969553-1 : A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries.Component: Global Traffic Manager (DNS) Symptoms: - A DNS Cache (or Network DNS Resolver) returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers. - When this happens, the BIG-IP system can be seen reject the responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable). - If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs: debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point - If a Network DNS Resolver is used with an HTTP Explicit Proxy profile, the symptoms can appear as "503 Service Unavailable" responses to clients due to DNS lookup failure. Conditions: This issue occurs when the following conditions are met: - A DNS Cache (or Network DNS Resolver) is in use on the BIG-IP system. - The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions. - The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain. - 'Randomize Query Character Case' is enabled in the DNS Cache (or Network DNS Resolver). - If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL. Impact: Clients of the BIG-IP DNS Cache (or Network DNS Resolver) are not returned an answer. As a result, application failures may occur. Workaround: You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Cache (or Network DNS Resolver) settings. 969317-4 : "Restrict to Single Client IP" option is ignored for vmware VDIComponent: Access Policy Manager Symptoms: The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI. Conditions: - Configure APM Webtop with vmware VDI. - Set "Restrict to Single Client IP" option in Access Profile. - Try to launch vmware desktop on one client. Copy the launch URI - Try to launch vmware desktop from other client using the copied URI. Impact: A connection from the second client is allowed, but it should not be allowed. 968953-1 : Unnecessary authorization header added in the response for an IP intelligence feed list requestComponent: Advanced Firewall Manager Symptoms: Empty authorization header in the response for an IP intelligence feed list request. Conditions: Feed list configured without username/password pair. Impact: Feed List request from dwbld adds unnecessary Authorization header. There is no functional impact. Workaround: None. 968949-7 : Keepalives aren't sent in FIN_WAIT_2 when using a TCP profileComponent: Local Traffic Manager Symptoms: When a client-side connection goes into FIN_WAIT_2, BIG-IP does not send keepalives even if they are being sent on the server-side connection. Conditions: - Virtual server configured with a TCP profile and network listener. Impact: Client-side connections timeout prematurely. As a result, the server-side connections end up being open indefinitely. Workaround: No workaround currently known. 968929-2 : TMM may crash when resetting a connection on an APM virtual serverComponent: Local Traffic Manager Symptoms: TMM crashes. Conditions: - HTTP profile without fallback host. - iRules. Impact: Traffic disrupted while tmm restarts. Workaround: Configure fallback host to an HTTP profile that redirects the request to a specified location. 968581-4 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its descriptionComponent: Local Traffic Manager Symptoms: The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes. Conditions: -- A virtual server is configured on BIG-IP. -- A webacceleration profile with no web application is attached to the virtual server. -- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit. Impact: Output of the command may not match to actual list of stored documents in RAMCACHE. 967905-5 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crashComponent: TMOS Symptoms: Tmm crashes. Conditions: -- static bwc -- virtual to virtual chain Impact: Traffic disrupted while tmm restarts. Workaround: Do not use the static bwc on a virtual chain. 967769-1 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checksComponent: TMOS Symptoms: Tmm crashes and restarts. The following panic message is found in /var/log/tmm: notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed. Conditions: -- Running on a platform that incorporates 'HiGig MAC' network interfaces. -- Some error or glitch is detected on the high-speed bus (HSB). -- Software commands a reset of the HSB and interface hardware. Impact: Traffic disrupted while tmm restarts. Workaround: None 967737-3 : DNS Express: SOA stops showing up in statistics from second zone transferComponent: Global Traffic Manager (DNS) Symptoms: Start of Authority (SOA) record is not displayed in zone statistics. Conditions: The issue appears after the 2nd zone transfer. Impact: This is a cosmetic issue without any actual impact. Workaround: None 967573-3 : Qkview generation from Configuration Utility failsComponent: TMOS Symptoms: When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview. Conditions: Trying to generate a Qkview using the Configuration Utility. Impact: The Configuration Utility cannot be used to generate a qkview. Workaround: Use the qkview command to generate a qkview from the command line. 967557-1 : Improve apm logging when loading sys config fails due to corruption of epsec rpm databaseComponent: TMOS Symptoms: Loading sys config fails and mcpd may not be running properly due to corruption of EPSEC rpm database. It is difficult to tell from logs that the issue is with epsec rpm database. This error may be the only indication: emerg load_config_files[10761]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command. Conditions: Loading of sys config fails due to corruption of EPSEC rpm database. Impact: Difficult to troubleshoot the root cause for config load failure. 967353-1 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.Component: Local Traffic Manager Symptoms: Client receives no response along with a connection reset by the BIG-IP system. Conditions: -- HTTP profile is enabled on the BIG-IP system. -- Server sends HTTP response with one or more header field names separated with the trailing colon by a space. Impact: HTTP responses that should be delivered to the client by the proxy are not being sent out. Workaround: None 967245-1 : Incorrect SPVA counter incremented during Sweep attack on profileComponent: Advanced Firewall Manager Symptoms: Incorrect SPVA counters updated. Conditions: Configure DoS Sweep vector on an SPVA supported device. Impact: Usage of dos_spva_stat will result in displaying incorrect counters. 966949-6 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template nodeComponent: TMOS Symptoms: If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created. If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected. Conditions: This may occur under the following conditions: -- An FQDN template node is configured with "autopopulate enabled" -- The configured DNS server resolves the FQDN name to multiple IP addresses -- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230 This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node. Impact: Unused FQDN ephemeral nodes may remain in the active configuration. -- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur. -- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes. Workaround: It is possible to work around this issue by one of the following methods: -- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI) (Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.) -- Restarting BIG-IP (for example, using the command "bigstart restart") 966613-6 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’Component: Application Security Manager Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node " Conditions:
Creating a new content profile using a wsdl file which contains a " When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation. Impact: After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null" Workaround:
Delete the node " 966461-7 : Tmm leaks memory after each DNSSEC query when netHSM is not connectedComponent: Global Traffic Manager (DNS) Symptoms: Tmm memory increases per DNSSEC query. Conditions: NetHSM is configured but is disconnected Impact: Tmm high memory consumption. Workaround: Connect the netHSM. 965837-4 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connectionComponent: Access Policy Manager Symptoms: When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash. Conditions: -- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration. -- Active connection to the BIG-IP virtual server -- Config sync is triggered or "tmsh load sys config" is triggered Impact: Traffic disrupted while tmm restarts. Workaround: No workaround. 965785-4 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machineComponent: Application Security Manager Symptoms: DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log. Conditions: There is no specific condition, the problem occurs rarely. Impact: Sync process requires an additional ASM restart Workaround: Restart ASM after sync process finished 965053-4 : [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failureComponent: Global Traffic Manager (DNS) Symptoms: DNSX fails to sign zone transfer using tsig key. Conditions: A transfer error occurs while DNSX is initializing. Impact: DNSX zones are not been updated. Workaround: Re-enter the tsig key secret. 964533-2 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logsComponent: TMOS Symptoms: The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors. Conditions: This can occur while passing normal traffic, if a session is deleted before all the session db callback events are handled. Impact: Numerous error event entries found in the TMM log: notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND. There is no impact other than additional log entries. Workaround: None. 964125-6 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.Component: TMOS Symptoms: Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes. There is more then one avenue where node statistics would be queried. The BIG-IP Dashboard for LTM from the GUI is one example. Conditions: Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics. Impact: Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts. 963541-1 : Net-snmp5.8 crashComponent: TMOS Symptoms: Snmpd crashes. Conditions: This does not always occur, but it may occur after a subagent (bgpd) is disconnected. Impact: Snmpd crashes. 962177-6 : Results of POLICY::names and POLICY::rules commands may be incorrectComponent: Local Traffic Manager Symptoms: When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results. Conditions: -- BIG-IP has a virtual server with one or more traffic policies having more than one rule. -- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection. Impact: Traffic processing may not provide expected results. 961653-3 : Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRateComponent: Local Traffic Manager Symptoms: Unable to retrieve link statistics via SNMP OID gtmLinkStatRate config # snmpwalk -c public localhost F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate = No Such Object available on this agent at this OID Conditions: A BIG-IP DNS/LC system configured with link objects. Try to do an snmpwalk for F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate which is not successful. Impact: BIG-IP DNS system link statistics cannot be retrieved via SNMP. Workaround: No workaround. 961509-5 : ASM blocks WebSocket frames with signature matched but Transparent policyComponent: Application Security Manager Symptoms: WebSocket frames receive a close frame Conditions: -- ASM provisioned -- ASM policy attached to a virtual server -- WebSocket profile attached to a virtual server -- ASM policy transparent mode enabled Impact: WebSocket frame blocked in transparent mode Workaround: Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No 961001-5 : Arp requests not resolved for snatpool members when primary blade goes offlineComponent: Local Traffic Manager Symptoms: Arp requests not resolved for snatpool members and traffic does not go through when the primary blade becomes offline. Conditions: -- VIPRION platforms serving as AAA and Diameter virtual server to load-balance. -- route-domain configured other than 0. -- Radius authentication pool and snatpool are configured. -- Primary blade goes offline and new Primary is not elected. Impact: Traffic failure when primary became offline. Workaround: Disable primary blade which is offline. 959965-1 : Asmlogd stops deleting old protobufsComponent: Application Security Manager Symptoms: Protobuf files are being cleaned only when trying to write to the protobuf file and on startup. Conditions: This occurs during normal operation. Impact: /var/asmdata1 can run out of disk space. Workaround: None 959957-1 : Asmlogd stops deleting old protobufsComponent: Application Security Manager Symptoms: Asmlogd restarts and there are asmlogd errors: asmlogd|ERR|Oct 19 13:46:35.199|6005|,,asmlogd ended unexpectedly asmlogd|ERR|Oct 19 13:46:35.203|6005|,,Can't call method "size" on an undefined value at /usr/local/share/perl5/F5/RequestLog.pm line 1902. Conditions: Disk is full -- the following warnings are being displayed: err diskmonitor[3483]: 011d0004:3: Disk partition /var/asmdata1 (slot 1) has only 0% free Impact: Old protobuf files are not cleaned up. Workaround:
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix. 959613-1 : SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reasonComponent: Global Traffic Manager (DNS) Symptoms:
When you double-monitor a Generic Host Virtual Server (pool level + virtual server level) using the same SIP/HTTPS monitor, the 'Reason' is omitted from the output. 'tmsh show gtm server Conditions: Double-monitor a Generic Host virtual server (pool level + virtual server level) using the same SIP/HTTPS monitor. Impact: Impedes your ability to identify the failure/success reason quickly. Workaround: Do not use the same monitor on both the virtual server and the pool level. 959241-1 : Fix for ID871561 might not work as expected on the VCMP hostComponent: TMOS Symptoms: Attempting to deploy an engineering hot fix (EHF) for ID871561 (https://cdn.f5.com/product/bugtracker/ID871561.html) fails in the same manner Conditions: -- Attempting to install an EHF containing a fix for ID871561 on a vCMP guest -- The fix for ID871561 has not already been applied to the vCMP guest Impact: Unable to perform software installations on vCMP guests using installation media located on the vCMP host even if fix for ID871561 is available on VCMP guest. Workaround: Option 1: \=========== Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following: tmsh install sys software hotfix Option 2: \=========== Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following: tmsh install sys software hotfix Option 3: \=========== Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest. Then restart the lind service on the vCMP Guest: tmsh restart sys service lind If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run: clsh tmsh restart sys service lind The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest. Option 4: \=========== Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest: 1. Confirm the wrong ISO image is still locked (inserted in the CD drive): isoinfo -d -i /dev/cdrom Note: Pay attention to the volume ID in the output from within the vCMP guest. 2. Unlock (eject) the image: eject -r -F /dev/cdrom && vcmphc_tool -e 3. Verify the CD drive is now empty: isoinfo -d -i /dev/cdrom The output should report an error that includes: <...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…> 4. Restart lind: tmsh restart sys service lind If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run: clsh tmsh restart sys service lind 959057-5 : Unable to create additional login tokens for the default admin user accountComponent: TMOS Symptoms: When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account. Conditions: Remote Authentication is configured Impact: Unable to create more than 100 tokens for admin when remote authentication is configured 958785-8 : FTP data transfer does not complete after QUIT signalComponent: Local Traffic Manager Symptoms: When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete. Conditions: - BIG-IP configured with an FTP virtual server - A client connects to the FTP virtual server - Client starts an FTP data transfer - Client sends a QUIT signal before the data transfer completes. Impact: FTP data connections are closed prematurely, causing incomplete data transfers. Workaround: This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable. 958601-4 : In the GUI, searching for virtual server addresses does not match address listsComponent: TMOS Symptoms: In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results. Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results. Conditions: -- Using Address Lists or Port lists with a virtual server. -- Using the GUI to search for virtual servers based on address. Impact: Virtual servers that should match a search are not found. Workaround: None. 958157-4 : Hash collisions in fastDNS packet processingComponent: Global Traffic Manager (DNS) Symptoms: FastDNS packet processing might cause unexpected traffic drops. Conditions: -- FastDNS is in use. The problem is more likely to occur on a systems with a low number of TMMs. Impact: Unexpected traffic drops 957993-4 : Unable to set a port list in the GUI for an IPv6 address for a virtual serverComponent: TMOS Symptoms: When creating a virtual server in the GUI with an IPv6 destination address and a port list (shared object) or a source address list (shared object), the system returns an error similar to: 0107028f:3: The destination (0.0.0.0) address and mask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) for virtual server (/Common/vs03-v6_dns) must be be the same type (IPv4 or IPv6). Conditions: -- Creating or updating a virtual server. -- Attempting to use an IPv6 Host address with a Port List shared object or a Source Address List shared object. Impact: Unable to create/modify virtual server. Workaround: Create an Address List shared object with the IPv6 address in it and use that instead of the Host address. 957637-1 : Pfmand crash during bootupComponent: TMOS Symptoms: The pfmand process crashes and writes out a core during bootup on certain platforms. Conditions: -- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850. -- BIG-IP software version is v14.1.x. Impact: Network connection lost while pfmand restarts. Workaround: None 956645-4 : Per-request policy execution may timeout.Component: Access Policy Manager Symptoms: When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired. Conditions: Multiple connections are accessing the same subsession, triggering subsession lock contention. Impact: Some clients will fail to connect to their destination. Workaround: Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port). Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value. 956133-2 : MAC address might be displayed as 'none' after upgrading★Component: Local Traffic Manager Symptoms: The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading. Conditions: 1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface. 2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0 Impact: Traffic disrupted when the MAC address is set to 'none' Workaround: None. 956109-4 : Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync targetComponent: Local Traffic Manager Symptoms: In a device service cluster, changing a traffic-matching-criteria object's port configuration and then performing a full-sync will cause the sync target's traffic-matching-criteria ports to be modified incorrectly. Once systems are in this state, further ConfigSyncs may result in these error messages: err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127. err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 250 6869100131892804718 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.. Conditions: -- Two or more BIG-IPs in a DSC. -- Using traffic-matching-criteria, and making changes. Impact: BIG-IP configurations are out of sync (even though they show "In Sync"). Affected virtual servers will process more traffic than configured. Workaround: On an affected system, perform one of the two procedures to correct MCPD's in-memory configuration: 1. Remove the traffic-matching criteria from all virtual servers (or only affected virtual servers, if known), and then re-add the traffic-matching criteria. 2. Save the configuration and then follow the procedure in K13030: Forcing the mcpd process to reload the BIG-IP configuration. tmsh save sys config clsh touch /service/mcpd/forceload clsh reboot 956013-4 : System reports{{validation_errors}}Component: Policy Enforcement Manager Symptoms: A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses Conditions: Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners. Impact: Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI. Workaround: None. 955953-5 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'Component: TMOS Symptoms: 'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect. Conditions: - iRule using 'table' command - Diameter 'irule_scope_msg' enabled Impact: Traffic processing halts (no crash) 955617-8 : Cannot modify properties of a monitor that is already in use by a poolComponent: Local Traffic Manager Symptoms: Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance. 0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor Conditions: -- Monitor with alias address field as default properties. -- Pool containing a node or pool member. -- Monitor is attached to the pool. Impact: Monitor properties can't be modified if they are in use by a pool. Workaround: Remove monitor, modify it, and then add it back. 953601-4 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versionsComponent: Local Traffic Manager Symptoms: HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again. Conditions: BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down. Impact: HTTPS monitor shows pool members or nodes down when they are up. Workaround: Restart bigd or remove and add monitors. 953477-1 : Syncookie HW mode not cleared when modifying VLAN config.Component: TMOS Symptoms: Changing VLAN configuration can cause BIG-IP get stuck in hardware syncookie mode. Conditions: - Changing VLAN configuration when vlan-based syncookies are active. For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779 Impact: Device is stuck in hardware syncookie mode and generates syncookies. Workaround: Run the following command: tmsh restart sys service tmm Impact of workaround: restarting tmm disrupts traffic. 952521-1 : Memory allocation error while creating an address list with a large range of IPv6 addresses★Component: Advanced Firewall Manager Symptoms: When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc" Conditions: When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4. Impact: The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading. Workaround: Use CIDR notation or multiple, smaller IP ranges. 950953-3 : Browser Challenges update file cannot be installed after upgrade★Component: Application Security Manager Symptoms: After upgrading BIG-IP, the Browser Challenges factory default update file cannot be installed, and you see this error: Installation error: gpg: WARNING: unsafe ownership on homedir `/usr/share/live-update/share/gpg/browser_challenges_genesis_load'gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20 "asm_sigfile_installer"gpg: Signature made Mon Aug 2 Conditions: The new file that comes with the installation is ready to install Impact: New updated cannot be installed Workaround: There are 2 options: 1. download a new version of the update file (if exists)
950305-5 : Analytics data not displayed for Pool NamesComponent: Application Visibility and Reporting Symptoms: You cannot see reports (statistics->analytics->pool) when you choose to view by pool names. Conditions: This is encountered in the statistics screen. Impact: You can't see the statistics->analytics->pool report when you choose view by pool names. 950201-3 : Tmm core on GCPComponent: TMOS Symptoms: When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering. TMM panic with this message in a tmm log file: panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed. Conditions: -- VE running on GCP. -- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors. Impact: Traffic disrupted while tmm restarts. Workaround: You can use either of the following workarounds: -- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141 -- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off. Note: Each of these workarounds have performance impact. 950153-3 : LDAP remote authentication fails when empty attribute is returnedComponent: TMOS Symptoms: LDAP /AD Remote authentication fails and the authenticating service may crash. The failure might be intermittent. Conditions: LDAP/AD server SearchResEntry includes attribute with empty or NULL value. This can be seen in tcpdump of the LDAP communication in following ways 1. No Value for attribute . Example in tcpdump taken on affected user : vals: 1 item AttributeValue: 2. 1. NULL Value for attribute . Example in tcpdump taken on affected user : vals: 1 item AttributeValue: 00 Impact: Logging in via the GUI will fail silently Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log The logs will be similar to : info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000] info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0 Workaround: There is no Workaround on the LTM side. For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue 950069-1 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"Component: Global Traffic Manager (DNS) Symptoms: When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'. Conditions: A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols Impact: Unable to edit the record. Workaround: Two workarounds available: 1. Use zonerunner to delete the record and then recreate it with the desired RDATA value 2. Manually edit the bind zone file (see K7032) 949477-4 : NTLM RPC exception: Failed to verify checksum of the packetComponent: Access Policy Manager Symptoms: NTLM authentication fails with the error: RPC exception: Failed to verify checksum of the packet. Conditions: -- Start nlad process with 'encryption'. -- Configure a user, and map that user to a huge number of groups. -- Configure NTLM front-end authentication. Impact: User authentication fails. Workaround: 1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad. 2. Disable encryption for nlad: # vim /etc/bigstart/startup/nlad change: exec /usr/bin/${service} -use-log-tag 01620000 to: exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no 3. Restart nlad to make the change effective, and to force the schannel to be re-established: # bigstart restart nlad 949137-1 : Clusterd crash and vCMP guest failoverComponent: Local Traffic Manager Symptoms: Clusterd crashes and a vCMP guest fails over. Conditions: The exact conditions under which this occurs are unknown. It can occur during normal operation. Impact: Memory corruption and clusterd can crash, causing failover. Workaround: None. 948601-1 : File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GUComponent: TMOS Symptoms: SHA1 checksum attribute/property of the file object is not persisted/published/propagated to the MCP datastore/GUI. Conditions: This could be observed when an external data-group file or external monitor file definition is edited from GUI. Below mentioned is the workflow where the issue can be seen/replicated, System ›› File Management : Data Group File List >> FILE Edit the "definition" field of the file object & click update. 1.) edit sys file data-group "filename" 2.) list sys file data-group "filename" Aforementioned commands can be used from TMOS shell to understand the correct behavior that is expected when the same is done from GUI Impact: You are unable to identify whether the file object was modified by just validating/comparing the file object's metadata/schema property i.e. "checksum SHA1" Workaround: None 948113-1 : User-defined report scheduling failsComponent: Application Visibility and Reporting Symptoms: A scheduled report fails to be sent. An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts): DB|ERROR|....... Error (err-code 1054) executing SQL string : ..... ..... ..... Because : Unknown column ....... in 'order clause' Conditions: 1. Using predefined-report in scheduled-report. 2. Predefined-report has more than one measure. 3. Sort-by value is different from the first measure on predefined-report Impact: Internal error for AVR report for ASM pre-defined. Workaround: First, remount /usr to read-write: mount -o remount,rw /usr Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line: push(@measures,@{$base_request->{measures}}[0]); to this: push(@measures,@{$base_request->{sort_by}}[0]->{measure}); The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly): sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm Lastly, remount /usr back to read-only: mount -o remount,ro /usr 948065-1 : DNS Responses egress with an incorrect source IP address.Component: Local Traffic Manager Symptoms: DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set. Conditions: Large responses of ~2460 bytes from local BIND Impact: The response to the client appears to be coming from the wrong source IP address, and the request fails. Workaround: Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation. Note: This workaround has limitations, as some records in 'Additional Section' are truncated. 947745-3 : Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an errorComponent: Local Traffic Manager Symptoms: Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error message: hud_tcp_serverside_handler/3676: 10.0.0.20.21 - 10.10.10.1.51147: unexpected serverside message HUDEVT_CHILD_CONNECTE Conditions: FTP profile is in use Impact: Logs entries in the log file Workaround: None 947613-2 : APM reset after upgrade and modify of LDAP Group Lookup★Component: Access Policy Manager Symptoms: -- Per-Request Policy fails. -- APM reset the connection. Conditions: Upgrade from 13.1.3.4 to 15.1.0.4 and modify the LDAP Group Lookup. Impact: APM resets the connection. Workaround: 1. Create a new empty object with the same expression as the LDAP Group Lookup. 2. Restart the system: bigstart restart tmm 947341-4 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables filesComponent: Application Security Manager Symptoms:
Conditions: ASM/AVR provisioned Impact: MySQL out of resources when opening files PRX.REQUEST_LOG Corrupt Workaround:
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix. 947217-6 : Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★Component: Global Traffic Manager (DNS) Symptoms: GTM is unable to load the configuration. Conditions: -- GTM has been upgraded to a version with fix for ID722682 from a version that does not have the fix for ID722682 -- A GTM server has a name with no colon -- That GTM server has a virtual server with colon in the name -- That virtual server is added to a pool Impact: GTM config file cannot be loaded successfully after upgrade. Workaround: Edit bigip_gtm.conf manually to delete "\\" or replace colon ":" with other non-reserved char. such as "-". 946185-3 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★Component: TMOS Symptoms: When accessing the iApp Components tab, the system presents an error similar to the following: An error has occurred while trying to process your request. Conditions: -- With or without Partitions configured. -- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp. -- More likely to occur after upgrade. Impact: Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen. Workaround: To reconfigure the iApp, do the following: 1. Navigate to the following location in the GUI: Local Traffic :: Virtual Server List 2. Click the Application Link :: Reconfigure. Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page. 944381-2 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.Component: Local Traffic Manager Symptoms: In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used. The SSL handshake successfully completed even though the client certificate is revoked. Conditions: -- Dynamic CRL checking enabled on a client-ssl profile -- The client-side SSL handshake uses TLS1.3. Impact: The handshake should fail but complete successfully 944173-4 : SSL monitor stuck does not change TLS versionComponent: Local Traffic Manager Symptoms: The SSL monitor remains in the current TLS version and does not switch to another version when a server changes. Conditions: -- SSL monitor configured. -- Server configuration changes from TLSv1.2 to TLSv1. Impact: Pool members marked down. Workaround: Use the In-TMM monitor. 944121-4 : Missing SNI information when using non-default domain https monitor running in tmm modeComponent: In-tmm monitors Symptoms: In-tmm https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members. Conditions: -- SNI is configured in serverssl profile a -- serverssl profile is assigned to in-tmm https monitors -- https monitors are monitoring pool members that are in a non-default route domain. Impact: The TLS connection might fail. Workaround: None 943441-4 : Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDKComponent: Application Security Manager Symptoms: Verification may be incomplete when using the F5 Anti-Bot Mobile SDK with the Bot Defense profile. Conditions: -- Using the Bot Defense profile together with the F5 Anti-Bot Mobile SDK. -- Enabling the Mobile Applications section in the profile. Impact: Mobile application verification may be incomplete. Workaround: None 943109-4 : Mcpd crash when bulk deleting Bot Defense profilesComponent: TMOS Symptoms: When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash. Conditions: This can be encountered during bulk delete of Bot Defenese profiles via tmsh. Impact: Crash of mcpd causing failover. Workaround: Delete the Bot Defense profiles in smaller batches to avoid the possible crash. 942217-6 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'Component: Local Traffic Manager Symptoms: With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events. Conditions: Required Configuration: -- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'. -- The pool member has rate-limit enabled. Required Conditions: -- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action. -- At that time, one of the above events occur, the pool member's rate-limit is active. Impact: Virtual server keeps rejecting connections. Workaround: Delete one of the conditions. Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time. 941773-1 : Video resolution mis-predictionComponent: Traffic Classification Engine Symptoms: Certain video traffic is not getting classified with high accuracy. Conditions: - Behavioral classifier for Classification Engine is enabled Impact: - Mis-predictions can lead to higher definition videos being categorized as low-definition videos and vice versa. 941765-1 : Video resolution mis-predictionsComponent: Traffic Classification Engine Symptoms: BIG-IP's traffic playback resolution prediction is calculated on all individual connections of a client's video stream. Conditions: - Video streaming client downloads through BIG-IP - Video is downloaded using multiple connections. Impact: - Mis-prediction in the video resolution. 940837-4 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.Component: Local Traffic Manager Symptoms: The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node. Conditions: -- A node command is used under CLIENT_ACCEPTED event. -- An HTTP/2 profile applied to virtual server. -- The HTTP/2 protocol in use. Impact: With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node. Workaround: As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax. 940733-5 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★Solution Article: K29290121 Component: Global Traffic Manager (DNS) Symptoms: The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error: Power-up self-test failures: OpenSSL: Integrity test failed for libcrypto.so This occurs after one of the following: -- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version -- running big3d_install from a BIG-IP GTM to an LTM Conditions: -- FIPS-licensed BIG-IP system. -- Upgrade. -- Boot into an volume running an earlier version of the software. Another way to encounter the issue is: -- FIPS-licensed BIG-IP LTM. -- BIG-IP DNS (GTM) device running a higher software version than the LTM. -- Run big3d_install from GTM pointing to FIPS-licensed LTM. Impact: System boots to a halted state. Workaround: Before booting to the volume with the earlier version, delete /shared/bin/big3d. Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified. If the target software volume has already experienced this issue (the system boots to a halted state), follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233, in addition to deleting /shared/bin/big3d. For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121. 940225-4 : Not able to add more than 6 NICs on VE running in AzureComponent: TMOS Symptoms: Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot. Conditions: -- Standard_DS4_v2 Azure instance type. -- Mellanox ConnectX-3 ethernet controller. -- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set. -- Accelerated networking is enabled on two or more NICs. Impact: Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type: 8 vCPU 28 GiB 8 Max NICs Adding more NICs to the instance makes the device fail to boot. Workaround: None 939877-3 : OAuth refresh token not foundComponent: Access Policy Manager Symptoms: When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error: err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found) Conditions: -- The refresh token expiration interval is longer than authcode and accesstoken. -- The Authorization code table entry does not exist because of an internal clearing/purging operation. -- tmm restarts or failover to standby thus losing refresh-token value from primarydb Impact: OAuth APM client end user fails to renew the access token even with a valid refresh token. Workaround: Clear/reset the Authorization code column value manually: As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name Copy the value corresponding to Log into mysql from the bash prompt: # mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) mysql> use mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id'; (Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.) 939249-1 : iSeries LCD changes to secure mode after multiple rebootsComponent: TMOS Symptoms: After repeatedly rebooting an iSeries platform, the LCD can become erroneously set to secure mode on its own, and you are unable to use the menus on the LCD. Conditions: -- Repeated reboots of the device. -- The db lcd.showmenu value initially set to enable are required. -- Other required conditions are not fully known. Impact: -- LCD becomes set to secure mode. -- The bigdb variable lcd.showmenu is changed to 'disable'. Workaround: Run the commands: tmsh modify sys db lcd.showmenu value disable tmsh modify sys db lcd.showmenu value enable This clears the secure mode of the LCD. 938545-1 : Oversize plugin Tcl object results can result in 0-length messages and plugin crashComponent: Local Traffic Manager Symptoms: Bd crashes. Conditions: -- ASM enabled. -- iRule used. -- Command arguments are greater than maximum MPI message size. Impact: ASM traffic disrupted while bd restarts. Workaround: None. 938145-3 : DAG redirects packets to non-existent tmmComponent: TMOS Symptoms: -- Connections to self-IP addresses may fail. -- SYNs packets arrive but are never directed to the Linux host. Conditions: -- Provision as vCMP dedicated host. -- Create a self-IP address with appropriate allow-service. Impact: Repeated attempts to connect to the self-IP (e.g., via ssh) fail. Workaround: None 937649-4 : Flow fwd broken with statemirror.verify enabled and source-port preserve strictComponent: Local Traffic Manager Symptoms: Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped. Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped. Conditions: -- Mirroring is enabled. -- High availability (HA) peer is connected. -- The source-port setting is preserve-strict. -- The statemirror.verify option is enabled. -- There is more than one tmm. Impact: Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets. Workaround: -- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring. -- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm: ndal ignore_hw_dag yes 937573-1 : Connections drop in virtual server with Immediate Action On Service Down set to DropComponent: Local Traffic Manager Symptoms: In a virtual server configured with Immediate Action On Service Down set to Drop and an iRule to pick a pool different from the one attached to the virtual server, if the default pool is attached in an offline state, connections are always dropped even when the default pool becomes available later. Conditions: - Virtual server configured with Immediate Action On Service Down set to Drop. - An iRule selects a different pool from the one attached to the virtual server. Impact: Connections are silently dropped. Workaround: Change the virtual server's Immediate Action On Service Down setting to None. 937541-4 : Wrong display of signature references in violation detailsComponent: Application Security Manager Symptoms: The number '1' is added to the signature reference in violation details in the Request Log. Conditions: You click the '?' icon near signature name to view signature details and there are references for this signature Impact: The number 1 is shown before the link 937481-5 : Tomcat restarts with error java.lang.OutOfMemoryErrorComponent: TMOS Symptoms: In the GUI, while trying to list a large configuration, tomcat restarts with error java.lang.OutOfMemoryError: Java heap space due to a large read operation. Conditions: -- From the GUI, navigate to Local Traffic :: Pools :: Pool List. -- The configuration contains approximately 10,000 objects (objects include pools, nodes, virtual servers, etc.). Impact: When the system attempts to list the large configuration, tomcat restarts, resulting in 503 error. Workaround: Use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process. Impact of workaround: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Technical Support after considering the impact to Linux host memory resources. -- Using a utility such as free or top, determine if you have enough free memory available to use this procedure. For example, the following output from the free utility shows 686844 kilobytes available: total used free shared buffers cachedMem: 16472868 15786024 686844 807340 827748 2543836 -/+ buffers/cache: 12414440 4058428 Swap: 1023996 0 1023996 -- View the current amount of memory allocated to the tomcat process by typing one of the following commands: ps | grep " -client" | egrep -o Xmx'[0-9]{1,5}m' The command output appears similar to the following example: Xmx260m Xmx260m -- View the current value of the provision.tomcat.extramb database variable by typing the following command tmsh list /sys db provision.tomcat.extramb -- Set the provision.tomcat.extramb database variable to the desired amount of additional memory to be allocated using the following command syntax:
modify /sys db provision.tomcat.extramb value -- If the device is part of a high availability (HA) configuration, the provision.tomcat.extramb database value should be synchronized to the peer devices from the command line. To run the ConfigSync process, use the following command syntax:
tmsh run /cm config-sync For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group: tmsh run /cm config-sync to-group Syncfailover -- Restart the tomcat process by typing the following command: restart /sys service tomcat 936777-1 : Old local config is synced to other devices in the sync group.Component: Global Traffic Manager (DNS) Symptoms: Newly added DNS/GTM device may sync old local config to other devices in the sync group. Conditions: Newly added DNS/GTM device has a more recent change than other devices in the sync group. Impact: Config on other DNS/GTM devices in the sync group are lost. Workaround: You can use either of the following workarounds: -- Make a small DNS/GTM configuration change before adding new devices to the sync group. -- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices. 936417-4 : DNS/GTM daemon big3d does not accept ECDH or DH ciphersComponent: Global Traffic Manager (DNS) Symptoms: The DNS/GTM big3d daemon does not accept ECDH or DH ciphers. Conditions: Connections to big3d with ECDH or DH ciphers. Impact: ECDH/DH ciphers do not work with big3d. Workaround: Do not use ECDH/DH ciphers. 936361-2 : IPv6-based bind (named) views do not workComponent: Global Traffic Manager (DNS) Symptoms: Bind does not match IPv6 addresses configured for a zone view, and returns REFUSED responses, rather than the expected answers. After enabling debug logging in bind (see K14680), the apparent source address of the IPv6 DNS requests shows as being in the fe80::/96 range, rather than the IPv6 source address that sent the request. For example: debug 1: client @0x579bf188 fe80::201:23ff:fe45:6701%10 4299: no matching view in class 'IN'Conditions: - BIG-IP DNS is provsioned - One or more ZoneRunner views is defined using IPv6 addresses. - A DNS query is sent from an IPv6 source address Impact: You cannot use DNS views in bind (zonerunner) based on IPv6 addresses. Workaround: If possible, use only IPv4 addresses to define views for DNS queries 935945-2 : GTM HTTP/HTTPS monitors cannot be modified via GUIComponent: Global Traffic Manager (DNS) Symptoms: GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors: 01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found. Conditions: RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors. Impact: Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI. Workaround: If 'recv-status-code' has never been set, use tmsh instead. Note: You can set 'recv-status-code' using tmsh, for example: tmsh modify gtm monitor http http-default recv-status-code 200 935769-5 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long timeComponent: Advanced Firewall Manager Symptoms: Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well. Conditions: -- Configure address-list with 10K to 20K IP addresses or address ranges or subnets. -- Attempt upgrade / reboot of the platform. Impact: Version upgrade / 'tmsh load sys config' process takes a long time than usual. Workaround:
935485-4 : BWC: flows might stall when using dynamic BWC policyComponent: TMOS Symptoms: When multiple flows are passing through the single instance of BWC policy, one or more flows might stall for a few seconds or more. The fairness among the flows is also affected. Conditions: -- BWC dynamic policy is enabled. -- Multiple flows are passing through a single instance of the BWC dynamic policy. Impact: Some of the flows may stall. Workaround: None. 935249-3 : GTM virtual servers have the wrong statusComponent: Global Traffic Manager (DNS) Symptoms: GTM virtual servers have the wrong status (up when they should be down, or down when they should be up). Conditions: -- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching. -- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header). Impact: The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions. Workaround: You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors. 935193-4 : With APM and AFM provisioned, single logout ( SLO ) failsComponent: Local Traffic Manager Symptoms: SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages: -- SAML SSO: Error (12) Inflating SAML Single Logout Request -- SAML SSO: Error (12) decoding SLO message -- SAML SSO: Error (12) extracting SAML SLO message Conditions: Failures occur with Redirect SLO. Impact: SAML single logout does not work. Workaround: Use POST binding SLO requests. 935177-3 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmmComponent: TMOS Symptoms: TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic. Conditions: -- IPsec tunnel configured and passing traffic. -- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed. Impact: Traffic disrupted while tmm restarts. Workaround: Do not change MTU or PMTU settings for the tunnel while it is passing traffic. The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point. 934825-2 : Restarting MCPD via command line may not restart the aced processComponent: Access Policy Manager Symptoms: Configurations with secure ID authentication may face issues after restarting MCPD using the command line (bigstart restart mcpd). Conditions: Executing the "bigstart restart mcpd" from command line does not always restart the aced process. Impact: Configurations with secure ID authentication may face issues after restarting MCPD and may not restart the aced process. Workaround: "bigstart restart mcpd" is not the recommended way to restart MCPD. Please restart the BIG-IP system to reflect any changes you have made. 934697-5 : Route domain not reachable (strict mode)Component: Local Traffic Manager Symptoms: Network flows are reset and errors are found in /var/log/ltm: Route domain not reachable (strict mode). Conditions: This might happen in either of the following scenarios: Scenario 1 \========== -- LTM with iRules configured. -- The iRule directs traffic to a node that is in a route domain. Scenario 2 \========== -- LTM with an LTM policy configured. -- The policy directs traffic to a node that is in a route domain. Impact: Traffic is not sent to the node that is in a route domain. The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain. Workaround: Specify the node along with Route domain ID. -- For iRules, change from this: when HTTP_REQUEST { node 10.10.10.10 80 } To this (assuming route domain 1): when HTTP_REQUEST { node 10.10.10.10%1 80 } -- For LTM policies, change from this: actions { &nbnbsp;0 { forward select node 10.2.35.20 } } To this (assuming route domain 1): actions { 0 { forward select node 10.2.35.20%1 } } 933777-5 : Context use and syntax changes clarificationComponent: Application Visibility and Reporting Symptoms: There are two context and syntax-related issues: -- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'. -- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative. Conditions: This occurs in either of the following scenarios: -- Using tmsh analytics commands related to max-tps in v13.x or later. -- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later. Impact: Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration. Workaround: None 933597-5 : Mandatory arguments missing in tmsh security protocol-inspection profile helpComponent: TMOS Symptoms: Missing mandatory arguments for tmsh security protocol-inspection profile command list. Conditions: Profile - Configures the protocol inspection profiles Module - security protocol-inspection profile Impact: Tmsh does not specify the mandatory arguments, which makes it difficult to write any script or automate the tmsh command around this security profile. Workaround: Specify the following arguments for this profile: -- Ports 932857-5 : Delays marking Nodes or Pool Members DOWN with in-TMM monitoringComponent: In-tmm monitors Symptoms: When configured with a large number of in-TMM monitors, Nodes or Pool Members may not be marked DOWN immediately after the configured timeout period once the target stops responding to pings. Conditions: This may occur when: -- In-TMM monitoring is enabled (via sys db bigd.tmm). -- A large number of Nodes and/or Pool Members (several hundreds or thousands) are configured and monitored. Impact: Nodes or Pool Members which are not responsive may not be marked DOWN in a timely fashion. Workaround: You can work around this issue by disabling in-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon). 932485-5 : Incorrect sum(hits_count) value in aggregate tablesComponent: Application Visibility and Reporting Symptoms: If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables. Conditions: -- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables. -- Review the value of the sum(hits_count) column. Impact: The system reports incorrect values in AVR tables when dealing with large numbers Workaround: None. 932189-1 : Incorrect BD Swap Size units on ASM Resources chartComponent: Application Visibility and Reporting Symptoms: The 'BD Swap Size' reported on the 'Security :: Reporting : ASM Resources : Memory Utilization' page is much too high and incorrect. Conditions: ASM provisioned. Impact: Graphically reported BD swap memory usage is incorrect. Workaround: None. 932137-7 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgradeComponent: Application Visibility and Reporting Symptoms: After upgrade, AFM statistics show non-relevant data. Conditions: BIG-IP system upgrade -- Leftovers files remain in /shared/avr_afm partition from other versions. Impact: Non-relevant data are shown in AFM statistics. Workaround: Delete the non-relevant data manually from MariaDB/MySQL. 932133-1 : Payloads with large number of elements in XML take a lot of time to processComponent: Application Security Manager Symptoms: ASM experiences high CPU and latency usage while processing a large XML request. Conditions: -- ASM provisioned -- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser. Impact: High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request. Workaround: None 931149-3 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty stringsComponent: Global Traffic Manager (DNS) Symptoms: RESOLV::lookup returns an empty string. Conditions: The name being looked up falls into one of these categories: -- Forward DNS lookups in these zones: - localhost - onion - test - invalid -- Reverse DNS lookups for: - 127.0.0.0/8 - ::1 - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 - 0.0.0.0/8 - 169.254.0.0/16 - 192.0.2.0/24 - 198.51.100.0/24 - 203.0.113.0/24 - 255.255.255.255/32 - 100.64.0.0/10 - fd00::/8 - fe80::/10 - 2001:db8::/32 - ::/64 Impact: RESOLV::lookup fails. Workaround: Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup: 1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver: tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } } 2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses: proc resolv_ptr_v4 { addr_v4 } { # Convert $addr_v4 into its constituent bytes set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d] if { $ret != 4 } { return } # Perform a PTR lookup on the IP address $addr_v4, and return the first answer set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR] set ret [lindex [DNSMSG::section $ret answer] 0] if { $ret eq "" } { # log local0.warn "DNS PTR lookup for $addr_v4 failed." return } # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com' return [lindex $ret end] } -- In an iRule, instead of: RESOLV::lookup @192.88.9.1 $ipv4_addr Use: call resolv_ptr_v4 $ipv4_addr 930217-1 : Zone colors in ASM swap usage graph are incorrectComponent: Application Visibility and Reporting Symptoms: In GUI ASM memory utilization chart, 'BD swap size, Total swap size' graph show inconsistent background colors. It looks like these colors are assigned with an assumption that swap usage is shown as percentage but it is shown as absolute value. Conditions: -- ASM is provisioned. -- Viewing ASM memory utilization chart/ Impact: Potential confusion viewing colors in ASM memory utilization chart. Workaround: None. This is a cosmetic issue only. 929909-3 : TCP Packets are not dropped in IP IntelligenceComponent: Advanced Firewall Manager Symptoms: When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets Conditions: TCP traffic on BIG-IP with IP Intelligence enabled and provisioned Impact: When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped. 929429-8 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensedComponent: Local Traffic Manager Symptoms: Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs. Conditions: -- Create an Oracle or SQL database LTM monitor. -- Add a pool member to the Oracle or SQL database monitor created. -- Platform FIPS is licensed. Impact: High CPU Usage due to the loading of libraries whenever new connection is created. Workaround: None. 929213-2 : iAppLX packages not rolled forward after BIG-IP upgrade★Component: Device Management Symptoms: Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use. 1. f5-cloud-failover-1.4.0-0.noarch.rpm 2. f5-service-discovery-1.2.9-2.noarch.rpm 3. f5-telemetry-1.12.0-3.noarch.rpm Conditions: -> Installing any of the below iAppLX packages 1. f5-cloud-failover-1.4.0-0.noarch.rpm 2. f5-service-discovery-1.2.9-2.noarch.rpm 3. f5-telemetry-1.12.0-3.noarch.rpm -> Performing an upgrade -> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX Impact: After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI Workaround: The package needs to be uninstalled and installed again for use. Steps: -> From GUI, Navigate to iApps -> Package Management LX -> select the package to uninstall and click on Uninstall -> click on Import and provide the path of package to install again 929173-3 : Watchdog reset due to CPU stall detected by rcu_schedComponent: TMOS Symptoms: Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout." Conditions: Host undergoing a watchdog reset in a vCMP environment. Impact: CPU RCU stalls and host watchdog reboots 929133-6 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'Component: TMOS Symptoms: VLANs with a name that that start with "eth" will cause tmm to fail and restart. Conditions: Vlan name that starts with "eth" Impact: Since tmm fails to start, the BIG-IP cannot serve traffic. Workaround: Rename all vlans that start with "eth" 928665-4 : Kernel nf_conntrack table might get full with large configurations.Component: TMOS Symptoms: Linux host connections are unreliable, and you see warning messages in /var/log/kern.log: warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet. Conditions: This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries. Impact: Monitors are unstable/not working at all. Workaround: 1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf increasing the hashsize value: options nf_conntrack hashsize=262144 2. Save the file. 3. Reboot the system. 928353-4 : Error logged installing Engineering Hotfix: Argument isn't numeric★Component: TMOS Symptoms: When installing an Engineering Hotfix, the following error may be logged in /var/log/liveinstall.log: Argument "" isn't numeric in numeric eq (==) at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/Hotfix.pm line 651. Conditions: This error may occur when installing an Engineering Hotfix, if the Engineering Hotfix does not include an update to the nash-initrd component. Impact: The error message gives a mistaken impression that the Engineering Hotfix did not install successfully. However, it does install correctly, and the system operates without issue. You can safely ignore this message. Workaround: None. 928161-3 : Local password policy not enforced when auth source is set to a remote type.Component: TMOS Symptoms: The local password policy is not enforced when the auth source type is set to the value of 'Remote'. Any non-default password policy changes are not enforced for local users. Conditions:
Impact: The system does not enforce any of the non-default local password policy options. For example, even if the required-uppercase is set to 2, a local user's password can be set to something less than 2. Even if the minimum-length is set to 12, a local user's password can be set to something less than 12. Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default). Workaround: None 927633-4 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panicComponent: Local Traffic Manager Symptoms: Log messages written to /var/log/ltm: -- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update. -- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed. Conditions: -- Create datagroups. -- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation). -- Load the config. Impact: Internal mapping of external datagroup fails. Datagroup creation fails. Workaround: None. 927589-1 : ILX::call command response get truncatedComponent: Local Traffic Manager Symptoms: If a response to an ILX::call command is larger than 64 KB, data is truncated. Conditions: -- iRule script including an ILX::call command in use. -- Return response is greater than 64 KB. Impact: iRule fails and the connection aborts. Workaround: None. 927441-5 : Guest user not able to see virtual server details when ASM policy attachedComponent: TMOS Symptoms: When ASM is attached to a Virtual Server, a BIG-IP user account configured with the Guest role cannot see virtual server details. An error message is printed instead: 01070823:3: Read Access Denied: user (guestuser) type (GTM virtual score). Conditions: -- ASM Policy attached to virtual server. -- Logging onto the BIG-IP system using an account configured with the guest user role. -- Running the command: tmsh show ltm virtual detail Impact: Cannot view virtual server details. Workaround: None. 927025-1 : Sod restarts continuouslyComponent: TMOS Symptoms: After upgrading to v14.1.2.6, sod keeps restarting and dumping core. Conditions: This occurs when /dev/shm/chmand is missing and the system restarts chmand and sod upon reload. Note: It is unknown how this condition might occur. Impact: Unstable sod process can affect failover functionality in BIG-IP systems. Note: This happens only the first time after upgrade. To recover, you must power down the system for a full reboot. Workaround: Run the following command: restorecon /dev/shm/chmand 926845-7 : Inactive ASM policies are deleted upon upgradeComponent: Application Security Manager Symptoms: Upon upgrade, active ASM policies are preserved, and inactive policies are deleted. Conditions: -- Configuration contains active and inactive ASM policies. -- Upgrade the BIG-IP system to any later version. -- You can check existing ASM policies in tmsh: tmsh list asm policy Impact: Only the active ASM policies are preserved; the inactive policies are deleted. Workaround: None. 926549-3 : AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'Component: Advanced Firewall Manager Symptoms: With some configurations, executing a command such as 'tmsh show security firewall global-rules active' loops continuously, causing stat counters to rise, and possibly log messages to be written to /var/log/ltm. Conditions: -- AFM is routing traffic to a Virtual Server through the 'Send to Virtual' option. -- The target Virtual Server uses the 'LB_FAILED' iRule to select a new Virtual Server through virtual command and 'LB::reselect'. Impact: The iRule loops continuously, causing stat counters to rise, and possibly logging messages in /var/log/ltm. Workaround: This configuration should be avoided, but if it is used, and if this does happen, you can restart tmm: bigstart restart tmm This stops the current looping, until it is triggered again. Impact of workaround: Traffic disrupted while tmm restarts. 926425-4 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic startsComponent: Advanced Firewall Manager Symptoms: Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled. Conditions: SYN Cookie activated on Neuron-capable platforms: + VIPRION B4450N blade + BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800: -- BIG-IP i5800 Series -- BIG-IP i7800 Series -- BIG-IP i11800 Series -- BIG-IP i15800 Series Impact: This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate. Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead. Workaround: You can use any of the following to clear the HSB issue: -- Restart neurond. -- Restart TMM, -- Reboot the device. 926085-2 : GUI: Node/port monitor test not possible in the GUI, but works in tmshComponent: Local Traffic Manager Symptoms: The node address field is disabled when trying to create a custom HTTP/HTTPS/FTP monitor, so you cannot enter a node address. This prevents you from using the Test operation to test this type of monitor in the GUI. Conditions: -- In a new monitor derived from HTTP/HTTPS/FTP, click the Test tab. -- View the Address field, and then try to run the test. Impact: The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with a message: invalid monitor destination of *.*:80. invalid monitor destination of *.*:443. (:port used to test) Workaround: Run either of the following tmsh commands: for HTTP
-- tmsh run ltm monitor http my_http destination -- tmsh modify ltm monitor http my_http destination *:* for HTTPS
-- tmsh run ltm monitor https my_https destination -- tmsh modify ltm monitor https my_https destination *:* 924589-3 : PEM ephemeral listeners with source-address-translation may not count subscriber dataComponent: Policy Enforcement Manager Symptoms: When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized. Conditions: -- Listener configured with PEM and FTP profiles -- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool) Impact: Inaccurate subscriber traffic reporting and classification. Workaround: None. 924297-4 : Ltm policy MCP objects are not being synced over to the peer deviceComponent: TMOS Symptoms: An LTM policy does not sync to the peer device, but the devices report "In Sync". Conditions: -- Sync/failover device group with full load on sync disabled -- A draft policy is attached to a parent policy's rule actions and published. -- A config sync occurs (manually or automatically) Impact: The LTM policy does not sync to the peer device. Workaround: Perform a full config sync: tmsh run cm config-sync force-full-load-push to-group 923221-8 : BD does not use all the CPU coresComponent: Application Security Manager Symptoms: Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31. Conditions: BIG-IP is installed on a device with more than 32 cores. Impact: ASM does not use all of the available CPU cores. Workaround: 1. Modify the following file on the BIG-IP system: /usr/local/share/perl5/F5/ProcessHandler.pm Change this: ALL_CPUS_AFFINITY => '0xFFFFFFFF' To this: ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF', 2. Restart the asm process: bigstart restart asm. 922737-1 : TMM crashComponent: Local Traffic Manager Symptoms: TMM crashes with a sigsegv while passing traffic Conditions: Virtual server with a Connector profile that redirects to an internal virtual server on the same BIG-IP system Impact: Traffic disrupted while tmm restarts. 922641-6 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flowComponent: Local Traffic Manager Symptoms: iRule commands issued after a clientside or serverside command operate on the wrong peer flow. Conditions: An iRule contains a script that parks in a clientside or serverside command. Examples of parking commands include 'table' and 'persist'. Impact: The iRule commands operate on the wrong peer flow. Workaround: Avoid using commands that park inside the clientside or serverside command. 922613-6 : Tunnels using autolasthop might drop traffic with ICMP route unreachableComponent: TMOS Symptoms: Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel. Conditions: No route exists to the other end of the tunnel. Impact: Traffic dropped with ICMP error, destination unreachable, unreachable route. Workaround: Create a route towards the other remote end of the tunnel. 922413-8 : Excessive memory consumption with ntlmconnpool configuredComponent: Local Traffic Manager Symptoms: OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated. Conditions: -- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles. -- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections. Impact: The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing. Workaround: None. 922185-3 : LDAP referrals not supported for 'cert-ldap system-auth'★Component: TMOS Symptoms: Admin users are unable to log in. Conditions: -- Remote LDAP auth enabled. -- Administrative users are authenticated with the 'cert-ldap' source. -- The admin user tries to log in. Impact: The cert-ldap authentication does not work, so login fails. Workaround: Manually edit the /etc/nslcd.conf and set the referrals to no. 922153-5 : Tcpdump is failing on tmm 0.x interfacesComponent: TMOS Symptoms: The tcpdump command exits immediately with an error: errbuf ERROR:TMM side closing: Aborted tcpdump: pcap_loop: TMM side closing: Aborted Conditions: Capturing the packets on tmm interfaces. Impact: Unable to capture the packets on specific tmm interfaces. Workaround: There are two possible workarounds: -- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command: TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16 -- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade (127.20. TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16 922105-1 : Avrd core when connection to BIG-IQ data collection device is not availableComponent: Application Visibility and Reporting Symptoms: When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated. Conditions: BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons. Impact: No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere. Workaround: Attempts to connect to BIG-IQ can be disabled manually by the following command: tmsh modify analytics global-settings use-offbox disabled 922053-1 : inaccurate number of trunk members reported by bcm56xxd/bcmLINKComponent: TMOS Symptoms: The "bcmLINK" process (sometimes referred to as "bcm56xxd") may fail with a segmentation fault and be restarted, leaving behind a core-dump file for "bcmLINK". An error message may be logged about the condition "max_mbrs > 0". Conditions: -- occurs in multi-blade VIPRION system with trunked interfaces -- precise trigger is not known Impact: Momentary disruption of traffic handling by TMM. Workaround: None known. 921993-1 : LTM policy with a 'contains' operator does not work as expected when using an external data group.Component: Local Traffic Manager Symptoms: If a combination of other operators and the 'contains' operator are used in LTM Policy, searches might fail if the hashing-based operators have not populated the target entries. Conditions: -- LTM policy with 'contains' operator. -- Use of external datagroups. Impact: LTM policy might not work as expected with external data groups. Workaround: Use either of the following workarounds: -- If applicable, change the 'contains' operator to 'starts_with' in the policy. -- Change the policy into an iRule (executing '[class get Component: Application Security Manager Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed: /var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000) /var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781 Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk. 2. Installing a new ASU file Impact:
The attack signature update fails. Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window. Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB: 1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg 2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800 3. Restart ASM.
# bigstart restart asm Component: Local Traffic Manager Symptoms:
The HTTP session initiated by curl hangs. Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096. Impact:
Connection hangs, times out, and resets. Workaround:
Use software compression. Component: Service Provider Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly. There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example: ltm rule Diameter - iRule {
when MR_INGRESS {
DIAMETER:: host origin "hostname.realm.example"
}
} -- Traffic arrives containing CER and ULR messages. Impact:
Using the iRule to change the host origin corrupts the diameter message. Workaround:
None. Component: TMOS Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover. Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs This is a timing issue and can occur intermittently during a normal failover. Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs. Workaround:
Set IKE DPD interval time to ZERO (i.e., disable). Component: Global Traffic Manager (DNS) Symptoms:
DNS Zone syncing is missing Resource Records. Conditions:
This occurs when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group. Impact:
DNS Resource Records can be missing from the BIND DNS database. The impact of this is that if GSLB Load Balancing falls back to BIND, the DNS Resource Records may not be present. Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group. Note: It is also possible to turn off Zone Syncing. GTM/DNS configuration is still synced, but the you lose the ability to sync non-Wide IP changes to the BIND DB. If you do not utilize ZoneRunner to add additional non-Wide IP records, this is a problem only when GSLB resorts to Fallback to BIND. This can be mitigated with DNSX and DNS (off device) for non Wide IP Resource Records. Component: Global Traffic Manager (DNS) Symptoms:
DB validation exception occurs during sync or config load: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed. Conditions:
-- Wide IP has an alias associated with it.
-- Sync or load the config. Impact:
You are unable to load config or full sync from peer GNS/GTM. Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again. Component: Service Provider Symptoms:
Tmm crashes while passing traffic. Conditions:
-- Per-request policies configured.
-- ICAP is configured. This is rare condition that occurs intermittently. Impact:
Traffic disrupted while tmm restarts. Workaround:
None. Component: Local Traffic Manager Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed. Conditions:
The conditions under which this occurs are unknown. Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts. Workaround:
None. Component: TMOS Symptoms:
Running the imish command hangs when ospfd is enabled. Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command. Impact:
The imish operation hangs. Workaround:
Restart the ospfd daemon. Component: TMOS Symptoms:
Navigating to Statistics :: Dashboard in the GUI with AVR or APM provisioned causes continuous audit logging and restjavad logs. Conditions:
-- AVR provisioned
-- An administrator navigates to Statistics :: Dashboard. Impact:
The continuous extra logs might lead to confusion and may not be helpful. Workaround:
None. Component: Application Visibility and Reporting Symptoms:
If avrd fails a core file created in this case is named accordung to the thread name and has no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz Conditions:
Avrd fails with a core Impact:
It is inconvenient for identifying the process that caused the core. Component: Local Traffic Manager Symptoms:
TMM might core and restart when FTP traffic is being proxied by a BIG-IP device. Conditions:
-- Both FTP and Classification profiles are applied to a virtual server.
-- The FTP profile has inherit-parent-profile enabled. Impact:
-- TMM crashes and restarts
-- Failover, loss of service during restart.
-- Traffic disrupted while tmm restarts. Workaround:
None. Component: Global Traffic Manager (DNS) Symptoms:
You are unable to create a backup UCS. You see a warning in /var/log/restjavad.0.log: [WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/. Conditions:
Named has some Slave zones configured and is going through frequent zone transfer. Impact:
You are unable to create a UCS file. Workaround:
Stop named zone transfer while doing UCS backup. Component: TMOS Symptoms:
Tmm and mcpd cores for slot2 Conditions:
On the standby chassis, reboot the primary blade and wait for it to rejoin the cluster. Once it does, mcpd will core. Impact:
Traffic disrupted while tmm and mcpd mcpd restarts. Workaround:
N/A Component: TMOS Symptoms:
When the IKEv1 racoon daemon starts, it may immediately exit with a core file. Conditions:
One of the following events may lead to the restart:
-- BIG-IP systems start or restart as a standalone device.
-- BIG-IP becomes the Active member of High Availability (HA) setup. Impact:
Racoon restarts. Because this restart happens when racoon is trying to start, no IPsec IKEv1 tunnels are affected because they are down anyway. Workaround:
None Component: Local Traffic Manager Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully. Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured. Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable. Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable). Component: TMOS Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error: Unexpected Error: Can't display all items, can't get object count from mcpd. The list /sys or list /sys telemd commands trigger the following error: 01070823:3: Read Access Denied: user (oper) type (Telemd configuration). Conditions:
User account with a role of guest, operator, or any role other than admin. Impact:
You are unable to show the running config, or use list or list sys commands. Workaround:
Logon with an account with admin access. Component: Application Security Manager Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following: /var/log/: asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476. ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0 Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation. Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue. Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group. -- Security log profile changes are not propagated to other devices. -- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server. -- Policies with learning enabled do not generate learning suggestions. Workaround:
Restart asm_config_server on the units in the device group. # pkill -f asm_config_server Component: Global Traffic Manager (DNS) Symptoms:
Using RESOLVER::name_lookup in an iRule against a net resolver forward zone name server that happens to be down can result in the iRule pausing for up to a few minutes. Conditions:
Nameserver configures as fwd-zone in net resolver should be down. Impact:
The connection to the virtual server is paused for a significant amount of time. Workaround:
Use a pool of dns-servers, and configure the pool to monitor the backend dns servers and load balance to healthy pool members. Component: Global Traffic Manager (DNS) Symptoms:
The iqsyncer utility leaks memory. Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug. Impact:
The iqsyncer utility exhausts memory and is killed. Workaround:
Do not set log.gtm.level equal to or higher than debug. Component: Application Visibility and Reporting Symptoms:
When you attempt to send an ASM report via AWS SES, the message bounces with the following message:
Could not send e-mails: SMTP Error: data not accepted.; Transaction failed: Expected MIME type, got ;; Error code: 554. This occurs because the BIG-IP system is sending out the report message with an empty Content-Type in the multipart MIME, which the AWS mail host cannot process. Conditions:
This is encountered in the following scenario:
1. Set up SMTP and ASM schedule report.
2. Click Send Now, and get the error message in GUI.
3. SSH into the BIG-IP system.
4. Add this line under the following snippet: [admin@bigip:Active:Standalone] ~ # chmod 644 /var/ts/dms/script/avrexport/avrmail.php
[admin@bigip:Active:Standalone] ~ # vi /var/ts/dms/script/avrexport/avrmail.php if (!$mail_subject) $mail_subject = "BIG-IP Analytics Report";
if (!$mail_body) $mail_body = "Attached to this e-mail is a BIG-IP Analytics Report issued at $mail_time\n\n";
if (!$mail_from) $mail_from = 'BIG-IP Reporter';
if (!$mail_content_type) $mail_content_type = 'text/html'; <<<< Add this line for add text/html into content type. [admin@bigip:Active:Standalone] ~ # chmod 444 /var/ts/dms/script/avrexport/avrmail.php 5. Click Send Now again and it works. Note: To use AWS SES, you must verify your email address first (as a Sender). You can search SES in AWS and verify your email in Email Addresses. AWS sends an email. Click the embedded link after receipt, and then you can use it as the Sender address on the BIG-IP system. Impact:
Cannot receive ASM reports. Component: Local Traffic Manager Symptoms:
Thales installation script fails with error message. ERROR: Could not reach Thales HSM " Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM. Impact:
Thales/nCipher NetHSM client software installation fails. Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM. Component: Local Traffic Manager Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI. Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances. As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'. Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit" Conditions:
Using the LB::down command in an iRule. Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs. If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members. Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'. Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP. There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior. Component: Global Traffic Manager (DNS) Symptoms:
In certain instances, the iqsyncer utility may not write the core file for system signals. Conditions:
-- SELinux policies enabled.
-- Run the iqsyncer utilities to initiate a core dump with system signals SIGABRT, SIGQUIT, and SIGSEGV. Impact:
The iqsyncer utility does not write core file. Workaround:
Disable SELinux with 'setenforce 0'. You can now generate a core with a SIGQUIT (-3), but not with SIGABRT or SIGSEGV. Component: Global Traffic Manager (DNS) Symptoms:
SELinux policies may prevent the iqsh/iqsyncer utilities from dumping core information. Conditions:
-- SELinux policies enabled.
-- Run the iqsh/iqsyncer utilities to initiate a core dump. Impact:
The operation does not result in dumping the core information. Workaround:
Disable SELinux with 'setenforce 0'. Component: TMOS Symptoms:
The BIG-IP system does not prevent you from specifying previously used passwords, even if Secure Password Enforcement is enabled with password memory set to a non-zero value. Conditions:
-- Password memory in auth settings is not 0 (zero).
-- Attempt to specify a previously specified password Impact:
Password history to prevent user from using same password is not enforced. Workaround:
None. Component: Performance Symptoms:
All configurations might see a 13%-16% drop in TPS performance while running vCMP on VIPRION and iSeries platforms with the 'host' upgraded to v16.1.0. Conditions:
-- All configurations
-- Running vCMP on VIPRION and iSeries platforms
-- 'Host' upgraded to v16.1.0 Impact:
Performance degradation in vCMP. If you are running vCMP on VIPRION and iSeries platforms, first evaluate your scenarios and capacity plan if you plan to upgrade the 'host' to 16.1.0. Note: There is no performance degradation when v16.1.0 'guest' instances are run on an earlier 'host' version. Guidance: In determining whether to upgrade the vCMP host to v16.1.0, carefully evaluate the performance and sizing requirements of your specific configuration. Workaround:
None Component: TMOS Symptoms:
Memory leak in BWC calculator. Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy. Impact:
A memory leak occurs. Workaround:
None. Component: Local Traffic Manager Symptoms:
Custom iRule events are executed before the embedded APM iRule events, despite the custom iRule's priority value being larger than the APM iRule's priority value. Conditions:
-- APM is provisioned.
-- Custom iRule with a priority value larger the APM iRule's priority value. Impact:
Custom iRule event is executed before APM iRule event. Workaround:
None. Component: Application Security Manager Symptoms:
When trying to update Attack Signatures. the following error message is shown: Could not communicate with system. Try to reload page. Conditions:
Insufficient disk space to update the Attack Signature. Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database. Workaround:
This following procedure restores the database to its default, initial state: 1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp. 2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script 3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script. 4. Add the following lines to create the live update database schema and set the SA user as expected: CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC 5. Restart the tomcat process:
bigstart restart tomcat Component: Local Traffic Manager Symptoms:
With immediate idle-timeout, flows may be closed before a datagram is forwarded. Conditions:
-- Immediate idle-timeout is set on the server context of a UDP virtual server. Impact:
Datagrams are dropped periodically depending on traffic load. Workaround:
None. Component: Local Traffic Manager Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores. Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync. Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core. Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur. Component: TMOS Symptoms:
After triggering failover, the result returned by the API endpoint /mgmt/tm/shared/bigip-failover-state (the BIG-IP failover state worker) may not match the actual device failover state. Conditions:
This may happen on an high availability (HA) setup with a sync-failover device group. Impact:
Actions that require the correct output of the BIG-IP failover state worker may fail. For instance, deleting an SSL Orchestrator topology followed by immediately triggering failover may encounter this issue, causing the deletion to fail. Workaround:
After waiting for a short amount of time, the BIG-IP failover state worker gets in sync with the device failover state. So in the example of deleting an SSL Orchestrator topology, the deletion should be successful if you try again after a short wait. Component: Local Traffic Manager Symptoms:
The most common symptom is when csyncd repeatedly syncs the GeoIP files and loads the GeoIP database, causing a large number of Clock advanced messages on all tmms. Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database: -- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip. Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
- First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
- When a new blade is installed into a chassis. Impact:
Repeated logs of Clock advanced messages. Workaround:
Run the command:
clsh bigstart restart csyncd Component: TMOS Symptoms:
Guestagentd crashes on a vCMP guest. Conditions:
This can occur during normal operation in a vCMP environment. Impact:
Guestagentd crashes on the vCMP guest, and the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status. Workaround:
None. Component: Access Policy Manager Symptoms:
Active Directory queries are slow. Conditions:
-- Active Directory (AD) authentication used
-- There are lots of AD caches in the environment, and users are in deeply nested groups. Impact:
Active Directory query time can be excessive. Component: Global Traffic Manager (DNS) Symptoms:
TMM fails to sign responses from BIND. Conditions:
BIND has 'dnssec-enable no' in named.conf. Impact:
TMM fails to sign responses from BIND. Workaround:
Remove 'dnssec-enable no' from named.conf in options section. Component: Access Policy Manager Symptoms:
VPN Tunnel establishment fails with some ipv6 address Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured. Impact:
VPN Tunnel cannot be established. Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable 2. Perform 'Apply Access Policy' for the access policy attached to the virtual server. Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab). Component: Local Traffic Manager Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event. Conditions:
Using HTML::disable in an HTTP_RESPONSE event. Impact:
The HTML profile still performs a re-chunk. Workaround:
None. Component: TMOS Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change. -- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column. Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect. Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices. The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command. Impact:
The 'tmsh show cm failover-status' command indicates an error. Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change: tmsh restart sys service sod Component: Local Traffic Manager Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow. Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.). Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server. Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue. Component: Global Traffic Manager (DNS) Symptoms:
Making changes to wide IP pools through GUI management do not take effect. Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP. Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP. Workaround:
Use TMSH. Component: Local Traffic Manager Symptoms:
TMM crashes and generates a core file. Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile. Impact:
Tmm might crash. Traffic disrupted while tmm restarts. Workaround:
Disable connection queuing on the pool. Component: Local Traffic Manager Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base. This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning: -- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number. Conditions:
Configured value of syn-rto-base is lower than minimum-rto. Impact:
Retransmission might happen sooner than expected. Workaround:
There are two possible workarounds: -- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto). -- Consider enabling timestamps to allow faster RTT measurement. Component: Local Traffic Manager Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429). When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state. Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.). Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported. For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis Component: Local Traffic Manager Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state. Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection. Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time. Workaround:
There are two workarounds: -- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner. -- Disable TCP Timestamps. Component: Application Security Manager Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure. Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period. Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense. Workaround:
None. Component: TMOS Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'. Conditions:
Running the tmsh command:
tmsh show net bwc policy Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion. Workaround:
None. Component: Local Traffic Manager Symptoms:
Under certain circumstances, the TMM ixvf driver for the Virtual Function (VF) of an SRIOV x520 / 82599 card can lock up the tx queue. Conditions:
Conditions are unknown. Impact:
No further transmit is possible. Workaround:
None Component: Local Traffic Manager Symptoms:
The following messages are found in the QKViews:
"bigipA notice MCP bulk connection aborted, retrying"
"bigipA notice Initiating TMM shutdown" Prior to this, the TMM process logs that it is waiting for its instances to reach different states. For example,
"localhost notice ixlv(1.3)[0:7.0]: Waiting for tmm1 to reach state 1..." In the /var/log/ltm file, the following message are found sometimes.
"bigip1 crit tmm9[19358]: 01230017:2: Unable to attach to PCI device 00:09.00 for Interface 1.5" Conditions:
BIG-IP VE with SR-IOV enabled on a Red Hat Enterprise Linux 7.7 which is a part of Red Hat OpenStack Platform 13 Impact:
The TMM process restarts without a core file repeatedly.
Traffic disrupted while tmm restarts. Component: TMOS Symptoms:
When a saved UCS is attempted to be restored in a new BIG-IP Virtual Edition (VE) in order to migrate the configuration, it fails. load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting. Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable. Impact:
The UCS restore fails. Workaround:
The DB variable can be set to enable before loading the UCS. # tmsh modify sys db provision.1nicautoconfig value enable Component: Global Traffic Manager (DNS) Symptoms:
“RESOLVER::name_lookup” returns null. Conditions:
Response is larger than 512 bytes. Impact:
“RESOLVER::name_lookup” returns empty answer. Component: Global Traffic Manager (DNS) Symptoms:
TMM Cored with SIGSEGV. Conditions:
N/A. Impact:
Traffic disrupted while tmm restarts. Component: Application Security Manager Symptoms:
A policy add/modify/delete fails with the following error: -- crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY'). Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers. Impact:
Every config update fails. Workaround:
Figure out which virtual servers have the CRC collision (by looking into DCC.RAMCACHE_VS). Change the name of one of these virtual servers. You can get the name of the affected virtual server by using the entry reported in the 'Duplicate entry' log, and running this command. mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375' Component: Application Security Manager Symptoms:
When booting to a boot location for the first time, the system does not come on-line. Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance. Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot) Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade. Component: Local Traffic Manager Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key. Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives Impact:
The session key does not get mirrored to standby. Workaround:
None Component: Application Security Manager Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast. Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload. Impact:
Slow responses to specific requests. Workaround:
None. Component: Global Traffic Manager (DNS) Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked. The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console. The 'Reconnect All' button is clickable but returns the error when clicked:
No response action specified by the request. Conditions:
You have accessed the buttons via the following GUI path: DNS :: GSLB :: Data Centers :: [dc name] > Servers Impact:
The buttons do not work, making the corresponding feature unavailable from the GUI. Workaround:
Access the buttons using the following alternative GUI path: DNS :: GSLB :: Servers Component: Application Security Manager Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently. Conditions:
When processing a large number of configuration updates. Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs Workaround:
None Component: Application Security Manager Symptoms:
Traffic load with many empty parameters may lead to increased latency. Conditions:
Sending requests with many empty parameters Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system. Workaround:
None Component: TMOS Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process. Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process. Impact:
The vCMP CPU usage stats are intermittently incorrect. Workaround:
None. Component: Local Traffic Manager Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'. You may see errors: -- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'. Conditions:
Truncation of a binary file in /var/rrd. Impact:
Stats are no longer collected. Statsd and rrdshim deadlock. Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd Component: Global Traffic Manager (DNS) Symptoms:
Nslookup generates a core file. The core file name might start with "nslookup", "isc-worker", "isc-timer" or "isc-socket". Conditions:
Multiple instances of nslookup are running when the system shuts down. Impact:
A core file is generated. However, since this is during system shutdown, the impact should be minimal. Component: Application Security Manager Symptoms:
Applied Blocking Masks discrepancy between local/remote event log, ASM logging event logs both locally and remotely to BIG-IQ has discrepancy. Conditions:
This occurs when "Applied Blocking Masks" logs are emitted on a device where local and remove event logging is configured. Impact:
This is cosmetic but can lead to confusion. Component: TMOS Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor. This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions. Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored. This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5. Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively). Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V. Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.: net vlan external {
interfaces {
1.1 {
tagged
}
}
tag 4000
} -- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue. -- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases. Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic. -- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged. Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release. Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN. Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug. Component: TMOS Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI. Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit). Impact:
There might be intermittent remote-auth failures. Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299 Component: Local Traffic Manager Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI. Conditions:
Using port-list along with virtual server in non default route domain using the GUI. Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server. Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain. Component: TMOS Symptoms:
Current operf as shipped with BIG-IP is out of date and will not work. Per the oprofile page (https://oprofile.sourceforge.io/news/) the version included in our systems (0.9.9) was released in 2013. Conditions:
Opcontrol still works but operf will not load.
# operf --version
use the opcontrol command instead of operf. Impact:
Outdated operf means that it cannot be used for troubleshooting purposes. Component: Local Traffic Manager Symptoms:
The iRule command LB::down is supposed to send an immediate monitor probe, but it does not. Conditions:
-- Executing LB::down in an iRule. Impact:
A monitor probe is not immediately sent, which may cause a pool member to be marked down longer than it should be. Component: Global Traffic Manager (DNS) Symptoms:
When running a debug TMM, if a DNS lookup takes more than 30 seconds, TMM may assert with a message similar to the following in the /var/log/ltm file: -- notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed. Conditions:
-- Using the debug TMM.
-- Executing a DNS lookup that expires. Impact:
TMM crash and (in a high availability (HA) configuration) failover. Workaround:
Do not use the debug TMM. Component: Local Traffic Manager Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced. Conditions:
This occurs when the following conditions are met: -- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800 -- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192 -- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld: + 65355*32768
+ 8192*32768 Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer. Workaround:
Disable hardware compression and use software compression. Component: Global Traffic Manager (DNS) Symptoms:
DNS response recursion desired (rd) flag does not match the DNS query when using the iRule command DNS::header rd. Conditions:
-- iRule command DNS::header rd is used to set DNS query rd bit to a different value.
-- At least one wide IP is configured. Impact:
DNS response rd flag does not match the DNS query. This is not RFC compliant. Workaround:
Do not configure any wide IPs. Component: TMOS Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls. Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following: -- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider -- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed. Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account. Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls. Workaround:
You can use either of the following workarounds: -- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote). Component: Application Security Manager Symptoms:
After an action that affects thousands of objects, a subsequent Apply Policy may be missed by a peer. Conditions:
-- Devices are in an auto-sync device group with ASM sync enabled.
-- A bulk action that affects thousands of objects is performed (e.g., enforcing or disabling all signatures).
-- An Apply Policy action is taken immediately afterwards. Impact:
Peer devices that are still busy processing the large request miss the Apply Policy action, and it is never sent again. Workaround:
Make a spurious change and reapply the policy. Component: Local Traffic Manager Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions. Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions. Impact:
The iRule is executed before the connection is being reset. Workaround:
None. Component: TMOS Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck reporting an error indefinitely / for longer than 30 minutes:
Firmware update in Progress may take up to 30 minutes. Conditions:
This issue occurs when all of the following conditions are met: -- You have one of the following BIG-IP platforms:
* i850
* i2x00
* i4x00
* i5x00
* i7x00
* i10x00
* i11x00
* i15x00
* HRC-i2x00
* HRC-i5x00
* HRC-i10x00 -- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer. Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen. Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot: notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished. These messages indicates that the firmware update has finished, and the LCD is displaying the warning screen in error, so it is safe to perform the workaround. Reboot the BIG-IP system to return the LCD to normal operation. After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive. Component: TMOS Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded. Conditions:
Using a non-TMOS user account with external authentication permission. Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system. Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out. Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
/var/log/journal/*/user-* Option 2:
To prevent the system from creating these journal files going forward: 1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
SplitMode=none 2. Restart systemd-journal service
# systemctl restart systemd-journald 3. Delete the existing user journal files from /var/log
# rm /var/log/journal/*/user-* Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations. Component: TMOS Symptoms:
Forwarding DataBase (FDB) table has duplicate MAC entries with the incorrect VLANs. MAC entries are correct in the switch but not in the control plane. Conditions:
Enable L2Wire. Impact:
Duplicate MAC entries with incorrect VLANs in FDB table. Workaround:
Restart bcm56xxd:
bigstart restart bcm56xxd Note: You can use tmsh to see the table:
tmsh -m show net fdb Component: Local Traffic Manager Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock. NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server. Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the the remote time-source becomes unreachable. Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond. While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc. However, if the 'dummy' source starts responding, it could become a rogue time source. Component: TMOS Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with. Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules. Impact:
Task fails (via REST) or ends up taking a really long time when run manually. Workaround:
None. Component: Local Traffic Manager Symptoms:
Version: 13.1.3.1 # tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 49152
proxy-buffer-low 32768
} proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 49152. proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 32768. Version: 14.1.2.2 # list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 65535
proxy-buffer-low 32768
} proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 131072. proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 98304. Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively. Component: TMOS Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost. Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group. Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group. Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help. Component: In-tmm monitors Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions. Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'. Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status. Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none'). Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html Component: TMOS Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error: err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first. Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA) Impact:
The mcpd process fails to start, and the configuration does not load. Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file: 1. Connect to the CLI. 2. Edit bigip_base.conf, and add the following: net self self_1nic {
address 10.0.0.1/24
allow-service {
default
}
traffic-group traffic-group-local-only
vlan internal
} Note: replace 10.0.0.1 with the IP indicated in the error message 3. Save the changes and exit. 4. Load the configuration using the command:
tmsh load sys config 5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart Component: TMOS Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example: swapper/13: page allocation failure: order:2, mode:0x204020 After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line. Conditions:
This issue is known to occur on the appliance 10350V-F D112. Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory. Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves. It is recommend to increase this to 128 MB (131072 KB). When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one. -- If you want the workaround to survive reboots only, perform the following procedure: # clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf" -- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure: # clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades. Once the issue is fixed in a future BIG-IP version, remove the workarounds: -- To remove the first workaround: -- To remove the second workaround: To verify the workaround is in place, run the following command (this should return the desired amount in KB): # clsh "cat /proc/sys/vm/min_free_kbytes" Component: Local Traffic Manager Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages. If the blades are physically pulled from the chassis,
the failure occurs within 1 second. Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover Component: Local Traffic Manager Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer. Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log: /Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0]. Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later. Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact. Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade. Component: TMOS Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply. Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables. Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost. Workaround:
Run the command:
tmsh save /sys config binary This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration. That way, you can reboot the BIG-IP system and not lose the configuration. Note: It is possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save. It is possible that every time you want to save the config, you must use the binary option. Component: TMOS Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example: cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] ) Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as - The cron process tries and fails to send an email because of output about a cron script.
- Modify syslog include configuration
- Apply ASM policy configuration change
- GTM.debugprobelogging output from big3d Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first line to the appropriate file, and remaining lines to /var/log/user.log. Workaround:
View the logs using journalctl -D /var/log/journal Component: iApp Technology Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm: -- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING -- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <-- after 20 secs, it continues even after the scriptd core. -- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals. Impact:
Scriptd core. Workaround:
Increasing the sys scriptd max-script-run-time higher then the default of 300 seconds might be helpful if the higher timeout allows the script to complete. For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue. Component: Application Security Manager Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load. Conditions: Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs' Workaround:
In the case of license re-activation/before upgrade: Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load. In a case of booting the system into the new version: Option 1: 1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
2. Reload the config from the fixed UCS file using the command in K13132. Option 2: 1. Roll back to the old version.
2. Fix the issue that was preventing the config to load.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324 Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit. Component: Global Traffic Manager (DNS) Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event. Conditions:
iRule drop is used under DNS_RESPONSE event. Impact:
DNS response may be improperly forwarded to the client. Workaround:
Use DNS::drop instead. Component: Local Traffic Manager Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic. Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down. Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow. Component: Application Security Manager Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key" Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode. OR 2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint Component: Application Visibility and Reporting Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted. Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes Workaround:
None. Component: Policy Enforcement Manager Symptoms:
TMM crash. Conditions:
PEM configured with a multi-IP subscriber with more than 16 IP addresses. Impact:
Traffic disrupted while tmm restarts. Workaround:
Do not create a PEM subscriber with more than 16 IP addresses. Component: Policy Enforcement Manager Symptoms:
Memory increases slowly Conditions:
A PEM iRule times out Impact:
Memory could be exhausted depending on the frequency of the command timeouts Component: Local Traffic Manager Symptoms:
The BIG-IP system might close a connection when the HTTP response payload is modified and sent without chunking encoding. If communication goes over an HTTP connection, the BIG-IP system closes a connection to tell a client that a response is served. With HTTP/2 connections, an unsized response is marked with the END_STREAM flag. This case is not accounted for, and the BIG-IP system closes HTTP communication with a server anyway. Conditions:
-- A virtual server has an http/2 profile configured on the client side.
-- There are other profiles configured which can modify the HTTP response payload. Impact:
The BIG-IP system wastes resources not reusing a server side HTTP connection when an unsized response is sent over an HTTP/2 connection to a client. Workaround:
None. Component: Access Policy Manager Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server. Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server. Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered. Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded. Component: Access Policy Manager Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications. Conditions:
APM is used as RDG proxy Impact:
Traffic disrupted while tmm restarts. Workaround:
None Component: TMOS Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not. Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs. Impact:
Multicast traffic does not pass through properly Workaround:
Clear the multicast entries in ZebOS manually:
\> clear ip mroute *
\> clear ip igmp group Component: Local Traffic Manager Symptoms:
If a connection that has a fully closed client-side, but a server-side still in FIN_WAIT_2, receives a SYN matching the same connflow, the idle time is reset. This can result in the fin-wait-2-timeout never being reached. The SYN will be responded to with a RST - 'TCP Closed' Conditions:
- Client side connection has been fully closed. This may occur if a client SSL profile is in use and an 'Encrypted Alert' has been received.
- Server side has sent a FIN which has been ACK'd, but no FIN has been received from the server.
- SYN received matching the existing connflow before the FIN-WAIT-2-timeout has been reached (300 default). Impact:
Connection may fail to be removed in a timely manner. New connection attempts are RST with 'TCP Closed' Workaround:
You can use either of the following:
-- Ensure servers are sending FIN's so as not to leave the connection in a FIN_WAIT_2 state. -- Mitigate the issue by lowering the FIN-WAIT-2-timeout to a smaller value, e.g., FIN-WAIT-2-timeout 10. Component: TMOS Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt Conditions:
-- Specific MRF configuration where all 500 session entries are owned by a single tmm. -- High rate of session lookups with a lot of entries returned. Note: This issue does not affect HTTP/2 MRF configurations. Impact:
TMM core: the program terminates with signal SIGSEGV, Segmentation fault. Traffic disrupted while tmm restarts. Workaround:
1. Change MRF configuration to spread session lookups across multiple tmms.
2. Reduce the sub-key entries to far below 500. Component: Global Traffic Manager (DNS) Symptoms:
Big3d cannot log the full XML buffer data: -- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = Conditions:
The gtm.debugprobelogging variable is enabled. Impact:
Not able to debug big3d monitoring issues efficiently. Workaround:
None. Component: Application Visibility and Reporting Symptoms:
AVRD can crash repeatedly when configured to send telemetry data externally. Conditions:
-- AVR is configured to send telemetry data to an external source (like connection with BIG-IQ).
-- Large number of config objects in the system, such as virtual servers and pool members. Impact:
AVRD process crashes, and telemetry data is not collected. Workaround:
Split the configuration updates into smaller batches Component: TMOS Symptoms:
Hertfordshire county is missing from Regions in the United Kingdom Country/State list. Conditions:
-- Creating a GTM region record.
-- Attempting to select Hertfordshire county for the United Kingdom. Impact:
Cannot select Hertfordshire county from United Kingdom Country/State list. Workaround:
None. Component: TMOS Symptoms:
When the tunnel count is high, tmm can crash. Conditions:
This issue was not reproducible and steps are unknown as it occurs randomly. Impact:
Traffic disrupted while tmm restarts. Workaround:
None Component: TMOS Symptoms:
MCP DB is not updated after loading a UCS file. Conditions:
1. Save UCS with 'flow-control' default value 'tx-rx'.
2. Modify the value from 'rx-tx' to 'none'.
3. Save another UCS with modified value.
4. Load the UCS with default value, everything works fine here.
5. Load the UCS with the modified value. Impact:
The 'flow-control' setting gets changed. The functionality does not work after the first UCS load as MCP DB is not getting updated. Workaround:
Load the same UCS again. The MCP DB gets updated properly. Component: Application Security Manager Symptoms:
When Bot Defense is used on the backend server that overrides request cookies, requests to non-HTML resources may fail, or may receive the whitepage JavaScript challenge. An example is when a back-end server responds with a Set-Cookie header containing empty values for each cookie request cookie it does not recognize. Conditions:
-- Bot Defense is enabled.
-- Backend server is overriding the Bot Defense cookies with the TS prefix. Impact:
Some URLs fail to load following the JavaScript challenge. Workaround:
Use an iRule to strip the TSPD_101 cookie from the request before forwarding it to the backend: when HTTP_REQUEST_RELEASE {
HTTP::cookie remove "TSPD_101"
} Component: TMOS Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt. Conditions:
This occurs under the following conditions: 1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
2. Reboot the BIG-IP system. Impact:
Status shown in the prompt does not change. Workaround:
Do not run 'promptstatusd -y' command manually. The db variable 'failover.state is a status-reporting variable. The system does not report status manually set to something other than the actual status. Note: 'promptstatusd' is not a BIG-IP user command, it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought. Component: Access Policy Manager Symptoms:
JSON payload is invalid since claims are generated without quotes(") Conditions:
BIG-IP creates JWT claim value without quotes when scope is not openid. Impact:
Token is invalid. Workaround:
Replace claim type 'string' with 'custom' adding quotes after backslash. apm oauth oauth-claim /Common/uid {
claim-name uid
claim-type custom
claim-value "\"%{session.custom.name:noconv}\""
} Component: Local Traffic Manager Symptoms:
In OneConnect environments, when the default pool is updated for the first time, active connections reconnect to new pool members. Further update to pool configuration has no impact on traffic. Conditions:
-- Virtual server configured with OneConnect profile.
-- Default pool is updated when active connections are present. Impact:
Active traffic disrupted. Workaround:
None. Component: TMOS Symptoms:
GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats may fail with error 404 Conditions:
This impacts pools which start with the letter 'm'. This because those endpoints contain objects with incorrect selflinks For example
1. Query to below pool (that starts with letter 'm') will work as it contains the right selflink
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x" 2. Query to below pool (that does NOT start with letter 'm') may not work as it contains the wrong selflink
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x" In above example you will notice the word 'members' shows up expectedly in selflink for case 2 Impact:
You may see errors with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats Workaround:
You may use the following workarounds 1. Use /mgmt/tm/ltm/pool/members/stats, which does return the pool member stats for every pool 2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for: /mgmt/tm/ltm/pool/ Component: TMOS Symptoms:
In reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred. Conditions:
Reboot the BIG-IP system. Impact:
Log messages appear out of order. It is difficult to tell whether service stop happened as part of reboot, or any error during the subsequent boot process. Workaround:
None. Component: Local Traffic Manager Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows. On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic. Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file. Conditions:
-- OneConnect configured. And one of the following: -- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'. Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops. The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs Workaround:
You can use any of the following workarounds: -- Remove the OneConnect profile from the Virtual Server. -- Do not use 'source-port preserve' setting on the Virtual Server. -- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'. Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts. Component: TMOS Symptoms:
SNMP queries to the BIG-IP system may take longer (up to 15% more time) to process on BIG-IP systems with large configurations. mcpd CPU usage increases by a small amount (up to 10%) during these queries. Conditions:
-- Large configuration.
-- Using SNMP to query statistics on the BIG-IP system. Impact:
A small increase in response time to SNMP requests to the BIG-IP. Some SNMP queries might fail due to timeouts. mcpd CPU usage is slightly elevated while processing these queries. Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics. Component: Local Traffic Manager Symptoms:
TMM crashes while changing settings. Conditions:
Seen on multi-blade chassis with either one of the options:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it. Impact:
Traffic disrupted while tmm restarts. Workaround:
None. Component: TMOS Symptoms:
VCMP host or guest is upgraded, and the vCMP guest is 'Inoperative', with messages similar to the following in /var/log/ltm: -- warning clusterd[1546]: 013a0005:4: Clusterd using /VERSION for SW specification.
-- info clusterd[1546]: 013a0023:6: Blade 1: No info received from slot: Starting up
-- err clusterd[1546]: 013a0004:3: result {
-- err clusterd[1546]: 013a0004:3: result.code 17237812
-- err clusterd[1546]: 013a0004:3: result.attribute float_mgmt2_ip
-- err clusterd[1546]: 013a0004:3: result.message 01070734:3: Configuration error: Cluster alt-address: 192.168.1.246 cannot be the same address family as cluster address: 192.168.1.246
-- err clusterd[1546]: 013a0004:3: }
-- err clusterd[1546]: 013a0004:3: Per-invocation log rate exceeded; throttling.
-- notice clusterd[1546]: 013a0006:5: Disconnecting from mcpd.
-- info clusterd[1546]: 013a0007:6: clusterd stopping... Conditions:
-- Isolated vCMP guest.
-- Both 'Address' and 'Alt-Address' are assigned the same IPv4 address.
-- Upgrade occurs. Impact:
Upon host/guest upgrade, vCMP guest is 'Inoperative'. Workaround:
-- For new vCMP guests, or prior to booting the vCMP guest to an affected version for the first time, assign it a management-ip from the vCMP host. This prevents the alt-address from being assigned and the issue from occurring on subsequent upgrades. tmsh modify vcmp -- For existing vCMP guests already on an affected version, but not currently experiencing the issue, assign a management-ip from the vCMP host and remove the alt-address from within the vCMP guest to prevent the issue from occurring in a future upgrade or reboot: host# tmsh modify vcmp guest guest# tmsh modify sys cluster default alt-address none -- When already upgraded and seeing the issue on a guest, set a management-ip from the vCMP host and run the following commands within the guest to remove the alternate address from the configuration file: host# tmsh modify vcmp guest guest# bigstart stop clusterd
guest# sed -i s/alt_addr=.*// -i /shared/db/cluster.conf
guest# bigstart start clusterd Component: Global Traffic Manager (DNS) Symptoms:
The GUI and REST API are unable to add virtual servers containing a space in the name to a pool. Conditions:
Virtual server name contains a space. Impact:
Unable to manage pool members if the virtual server contains a space in the name. Workaround:
Use tmsh. Component: Local Traffic Manager Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile. Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario: 1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile. Impact:
The configuration does not load if saved, and reports an error: 01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled. Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server. Component: Local Traffic Manager Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes. This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary. During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead. Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh. In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes. Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value. Component: Application Security Manager Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains. Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server. Impact:
TMM crash with core. Traffic disrupted while tmm restarts. Workaround:
None, Component: In-tmm monitors Symptoms:
The bigd.mgmtroutecheck db variable can be enabled to prevent monitor traffic from going through the management interface (for information, see K14549: Overview of the 'bigd.mgmtroutecheck' database key :: https://support.f5.com/csp/article/K14549); however, if in-tmm monitors are configured, the setting will be ignored after a bigstart restart. Conditions:
-- bigd.mgmtroutecheck is enabled
-- bigd.tmm is enabled (i.e., in-tmm monitors are configured).
-- tmm has a route configured to the management interface.
-- A pool member exists that matches a route through the management interface.
-- bigstart restart is performed. Impact:
In-tmm monitor traffic uses the management interface if there is a route to the pool member via the management interface, even when bigd.mgmtroutecheck indicates it is enabled. Workaround:
None Component: Local Traffic Manager Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices. Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed. Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning: [root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----- --- ------ - --- -- --
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 < Workaround:
You can add an explicit management IP firewall rule to allow this traffic: tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } } This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly. Component: TMOS Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string. Conditions:
Duplicate access records are created in TMSH. Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record. Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. (The GUI properly flags the error with the message:
The specified SNMP community already exists in the database. If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol. Component: TMOS Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted. As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again. The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration. Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted. Symptoms for this issue include: -- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted. -- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'. -- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1): qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img -- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests: info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2] Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it. -- Large configuration with many guests. -- The VIPRION chassis is rebooted. -- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades. Impact:
-- Loss of entire configuration on previously working vCMP guests. -- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start. -- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing. Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved. If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files. Component: Global Traffic Manager (DNS) Symptoms:
When a forward zone is configured in zonerunner, and a wideip is configured in the same zone, BIG-IP may delete the bind zone whenever the wide ip's pool members are modified. Subsequent modifications of the same zone will then result in a new primary zone being created in bind. Conditions:
- A forward zone is configured in bind (zonerunner)
- The pool members associated with a wideip are modified Impact:
Queries that do not match wideips are passed to bind for processing, and are no longer forwarded to the nameserver configured in the forward zone. Workaround:
- Recreate the zonerunner forward zone after modifying the wideip Component: Local Traffic Manager Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule. Conditions:
- iRule with LB_FAILED event
- server connection establishment fails Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted. Workaround:
No workaround available. Component: TMOS Symptoms:
Possible indications include the following: -- Errors such as the following may appear in ltm/log: - notice postgres[10872]: [466-1] WARNING: pgstat wait timeout.
- notice sod[27693]: 01140041:5: Killing /usr/bin/mcpd pid 7144.
- BD_CONF|ERR| ...failed to connect to mcpd after 5 retries, giving up...
- BD_CONF|ERR| ...can't read message from mcp conn, status:16908291.
- BD_MISC|CRIT| ...Received SIGABRT - terminating. -- Errors such as the following may appear in the dwbld/log: - Couldn't send BLOB notification - MCP err 16908291.
- Got a terminate/abort signal - terminating ...
- Terminating mcp_bridge thread. -- Processes may restart unexpectedly, including mcpd, bd, and postgresql. Conditions:
-- The 'mcpd' process attempts to read monitoring data from the PostgreSQL server, but no data is available. -- A contributing factor might be that the AFM module is licensed but not configured. Impact:
Failing to receive a monitoring response from the SQL server, MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal. Workaround:
The chance of occurrence can be minimized by making sure that control-plane processes have sufficient memory to run efficiently. Component: TMOS Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type. Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor. Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead. Component: TMOS Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration. Conditions:
-- User account configured as local user.
-- The user account is deleted later. (Note: The exact steps to produce this issue are not yet known). Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl. Workaround:
None. Component: Global Traffic Manager (DNS) Symptoms:
RESOLV::lookup returns empty string. Conditions:
Input bytes array is at length of 4, 16, or 20. For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]] Impact:
RESOLV::lookup returns empty string. Workaround:
Use lindex 0 to get the first element of the array. For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]] Component: TMOS Symptoms:
- Guests coming up with retries and
- Messages like below in the LTM log Guest (XXX): Killing VM process. Conditions:
- Clusters or discovery appliances host
- High number of vcmp guests being deployed Impact:
VCMP guests may become unable to pass traffic. Component: Advanced Firewall Manager Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work. Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block. Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port. Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions. # /sbin/iptables -N id760355 # /sbin/iptables -I INPUT 1 -j id760355 # /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP 760354-7 : Continual mcpd process restarts after removing big logs when /var/log is fullComponent: TMOS Symptoms: The BIG-IP device suddenly stops passing traffic. You might see errors similar to the following: err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting... Conditions: This might occur when when /var/log is full and then you remove big logs. Impact: The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up. Workaround: Empty the contents of big size log files under /var/log and reboot the BIG-IP system. 758491-5 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keysComponent: Local Traffic Manager Symptoms: For Thales: The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange): -- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607 -- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80) -- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel -- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error. After enabling pkcs11d debug, the pkcs11d.debug log shows: -- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS -- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches -- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID -- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <=== For Safenet: -- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80) -- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443 -- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error. Conditions: 1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later. 2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0. Impact: SSL handshake failures. Workaround: There are two workarounds: -- Re-create the keys using tmsh command. IMPORTANT: This workaround is suitable for deployments that are new and not in production. -- Re-import the keys from nethsm using:
tmsh install sys crypto key You can find the key_label here: -- The rightmost string in the output of the Thales command: nfkminfo -l -- The string after label= in the 'cmu list' command for Safenet. 757787-5 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.Component: TMOS Symptoms: When creating a new rule or modifying an existing rule in a LTM/AFM Policy policy using the WebUI, the operation fails and an error similar to the following example is returned: Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to (). Conditions: -- The LTM/AFM Policy belongs to an Application Service (iApp). -- The modification is attempted via the WebUI. Impact: Unable to make changes to existing LTM/AFM Policies. Workaround: Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule: tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } } 757486-2 : Errors in IE11 console appearing with Bot Defense profileComponent: Application Security Manager Symptoms: When Bot Defense profile is used and has Browser Verification enabled to either Verify Before Access, or Verify After Access, Microsoft Internet Explorer v11 (IE11) Browsers may display the following errors in the browser console: HTML1512: Unmatched end tag. a.html (26,1) HTML1514: Extra " " tag found. Only one "" tag should exist per document. a.html (28,1)Conditions: -- Bot Defense profile is enabled with Browser Verification. -- End user clients are using the IE11 browser. Impact: Cosmetic error messages appear in an end user's browser console. Workaround: In order to work around this issue, inject the scripts to the ' ' tag instead of the '' tag. This can be done using this tmsh command:tmsh mod sys db dosl7.parse_html_inject_tags value after,body,before,/body` 756830-6 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'Component: TMOS Symptoms: The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'. Conditions: Connections match a virtual server that has following settings: - Connection mirroring is enabled. - Source Port set to 'Preserve Strict'. In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'. Impact: Source translation may fail on BIG-IP system, leading to client connection failures. Workaround: You can try either of the following: -- Do not use the Source Port setting of 'Preserve Strict'. -- Disable connection mirroring on the virtual server. 755976-9 : ZebOS might miss kernel routes after mcpd deamon restartComponent: TMOS Symptoms: After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses). One of the most common scenario is a device reboot. Conditions: -- Dynamic routing is configured. -- Virtual address is created and Route Advertisement is configured: imish -e 'sh ip route kernel' -- mcpd daemon is restarted or device is rebooted. Impact: The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised. Workaround: There are several workarounds; here are two: -- Restart the tmrouted daemon: bigstart restart tmrouted -- Recreate the affected virtual address. 755061-1 : iRule audit logs may be written to separate filesComponent: Local Traffic Manager Symptoms: Only the first line of an iRule audit log is written into /var/log/audit. The rest of the iRule is logged to /var/log/messages. Conditions: This is encountered when iRule audit logging is enabled and iRule events are triggered. Impact: Snippets of iRules appear in unexpected locations. Workaround: Although there is no workaround, if you have sensitive information in your iRules and want to prevent it from appearing in audit logs, you can disable audit logging. 753712-4 : Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.Component: TMOS Symptoms: An incorrect warning message is given when the inline source/dest address is changed: -- warning mcpd[6927]: 01071859:4: Warning generated : Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family. Conditions: This occurs after you create a traffic-matching-criteria (port-list, address-list) with different source and destination addresses. Impact: An incorrect and confusing warning message is given. This warning does not affect traffic processing. It is inadvertently triggered when reading the configuration of the traffic matching profile. Virtual servers should continue to work, and the config should load as expected, despite the warning. Workaround: None 752077-4 : Kerberos replay cache leaks file descriptorsComponent: Access Policy Manager Symptoms: APMD reports 'too many open files' error when reading HTTP requests: -- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files]. -- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX: -- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write -- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write -- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write Conditions: This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks is unknown. Impact: APM end users experience intermittent log on issues. Workaround: None. 751451-4 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profilesComponent: Local Traffic Manager Symptoms: If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration. Conditions: -- Having HTTPS monitors configured in v12.x before upgrading. -- Directly upgrading from v12.x to v14.0.0 or later Impact: TLSv1.3 gets enabled on the server SSL profiles. Workaround: -- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later -- To mitigate this issue, modify the affected profile to disable TLSv1.3. 749757-4 : -s option in qkview help does not indicate maximum sizeComponent: TMOS Symptoms: When running qkview with the -h option to obtain help, the -s (size) option is incorrectly rendered. It should read: [ -s Conditions: -- Running qkview -h. -- Viewing the -s (size) option help. Impact: The measurement size, bytes, is missing, which might result in confusion. Workaround: Use the -s option as normal, but be advised that the number should be in bytes, and that the maximum number is 104857600. 749332-1 : Client-SSL Object's description can be updated using CLI and with REST PATCH operationComponent: TMOS Symptoms: REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error: SSL forward proxy RSA CA key is missing. Conditions: Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured. Impact: REST PUT operation cannot be used to update/modify the description. Workaround: You can use either of the following: -- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured. -- You can also use PATCH operation and send only the required field which need modification. 743950-6 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabledComponent: Local Traffic Manager Symptoms: TMM raises a segmentation violation and restarts. Conditions: -- Set up client-side and server-side SSL with: + Client Certificate Constrained Delegation (C3D) enabled. + OCSP enabled. -- Supply SSL traffic. Impact: Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts. Workaround: Disable C3D. 742753-8 : Accessing the BIG-IP system's WebUI via special proxy solutions may failComponent: TMOS Symptoms: If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail. Conditions: This issue is known to happen with special proxy solutions that do one of the following things: - Remove the Referer header. - Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another. Impact: Users cannot log on to the BIG-IP system's WebUI. Workaround: As a workaround, you can do any of the following things: - Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution). - Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header). - Modify the proxy solution so that it inserts compatible Referer and Host headers. 737739-4 : Bash shell still accessible for admin even if disabledComponent: TMOS Symptoms: With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted. Conditions: Use TMUI as the admin, or as a user with the administrator role, and either of the following: -- Disable terminal access. -- Restrict access to TMSH. Impact: Users with the Administrator role can obtain shell access via REST. With terminal access disabled: -- If you attempt to login using SSH, you will not be to do so. -- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run. With access to TMSH restricted: -- A POST request to the /mgmt/tm/util/bash endpoint that includes a body with a command to run will be run. Workaround: None. 737692-5 : Handle x520 PF DOWN/UP sequence automatically by VEComponent: TMOS Symptoms: When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface. Conditions: -- VE is using a VF from a PF. -- The PF is set down and then up. Impact: VE does not process any traffic on that VF. Workaround: Reboot VE. 724653-5 : In a device group, a non-empty partition can be deleted by a peer device during a config syncComponent: TMOS Symptoms: In a device cluster, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer). Conditions: -- Two or more devices in a device service cluster. -- Using partitions that contain only non-synced objects. -- Deleting the partition on a peer and syncing the changes to the other devices. Impact: The partition is deleted on the peer device, even though it still contains non-synced objects. 720610-4 : Updatecheck logs bogus 'Update Server unavailable' on every runComponent: TMOS Symptoms: The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not. Conditions: The BIG-IP system is configured to run the Automatic Update Check feature. Impact: Misleading messages in the log file, implying that the update server is not available. Workaround: None. 718291-4 : iHealth upload error does not clearComponent: TMOS Symptoms: If an error occurs that sets the iHealth error string, then this string is never cleared. Conditions: Setting an invalid hostname for db variable proxy.host. Impact: The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload. Workaround: To clear the error message, run the following command: /usr/bin/guishell -c "update diags_ihealth_request set error_str='';" 717806-8 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configuredComponent: Local Traffic Manager Symptoms: Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances. Conditions: When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically. Impact: No performance impact Workaround: None 717174-5 : WebUI shows error: Error getting auth token from login provider★Component: Device Management Symptoms: Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error: Error getting auth token from login provider. This occurs when the BIG-IP REST Daemon restjavad fails to start up properly. Conditions: This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors. Impact: TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly. Workaround: Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands: bigstart restart restjavad bigstart restart restnoded 713183-7 : Malformed JSON files may be present on vCMP hostComponent: TMOS Symptoms: Malformed JSON files may be present on vCMP host. Conditions: All needed conditions are not yet defined. - vCMP is provisioned. - Guests are deployed. - Software versions later than 11.6.0 for both guest/host may be affected. Impact: Some vCMP guests may not show up in the output of the command: tmsh show vcmp health In addition, there might be files present named using the following structure:
/var/run/vcmpd/ There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator. Workaround: None. 712241-8 : A vCMP guest may not provide guest health stats to the vCMP hostComponent: TMOS Symptoms: A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are: -- mgmt/tm/sys/ha-status -- mgmt/tm/sys/software/status -- mgmt/tm/sys/software/provision These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST. These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest Conditions: -- vCMP provisioned. -- Guests are deployed. -- Host vcmpd queries the guest over the vmchannel using REST. Impact: There is no functional impact to the guests or to the host, other than these lost tables. -- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/ Workaround: There is no workaround at this time. 708680-4 : TMUI is unable to change the Alias Address of DNS/GTM MonitorsComponent: Global Traffic Manager (DNS) Symptoms: TMUI (the GUI) is unable to change the Alias Address of DNS/GTM Monitors. Conditions: -- Using the GUI. -- DNS/GTM monitors with alias address. -- Attempting to change the Alias Address. Impact: Cannot change the Alias Address. Workaround: Use tmsh. 706782-6 : Inefficient APM processing in large configurations.Component: Access Policy Manager Symptoms: In configurations with large numbers of virtual servers or other entities, the apmd, oauth, and localdbmgr processes may consume large amounts of system resources. Conditions: -- Large configuration. -- APM provisioned. -- Multiple traffic groups exacerbate the effect. Impact: Heavy use of odd-numbered CPU cores may slow all control-plane operations, including user-interface response. Workaround: None known. 705869-1 : TMM crashes as a result of repeated loads of the GEOIP databaseComponent: Global Traffic Manager (DNS) Symptoms: TMM crashes. Conditions: Repeatedly loading the GeoIP database in rapid succession. Impact: Traffic disrupted while tmm restarts. Workaround: Don't do repeated load of GeoIP Database. 703226-3 : Failure when using transactions to create and publish policiesComponent: TMOS Symptoms: Use batch mode transactions to create Virtual Servers with Policies containing rules. Conditions: Create and publish in the same transaction a Policy containing rules. Impact: Operation fails. This occurs because the system is trying to look up a policy that does not exist because the 'create' operation is not yet complete. This might happen when the create and publish operations occur simultaneously, which might happen in response to scripts from iApps, batch mode creation of policies, UCS load, upgrade operation--all try to create domain trust, and all might include the policy create in the same operation. Workaround: Separate the create Policy and publish Policy operations into two transactions when the Policy contains rules. 696363-7 : Unable to create SNMP trap in the GUIComponent: TMOS Symptoms: Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request. Conditions: -- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address. -- Traps of the same destination address were previously created and deleted. Impact: GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session. Workaround: To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination. Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred. 690928-6 : System posts error message: 01010054:3: tmrouted connection closedComponent: TMOS Symptoms: Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality. System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed Conditions: This message occurs when all of the following conditions are met: -- You have configured the BIG-IP system to use dynamic routing. -- The BIG-IP system is in the process of shutting down or rebooting. Impact: This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process. Workaround: None. 689147-6 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groupsComponent: TMOS Symptoms: When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful. Errors similar to the following appear in /var/log/ltm: -- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. -- Input error: invalid remote user credentials, partition does not exist, broken-partition Errors similar to the following appear in /var/log/secure: tac_authen_pap_read: invalid reply content, incorrect key? Conditions: Using remote role groups to set user/role/partition information for remote users, and either of the following: -- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.) -- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system. Impact: The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure. Workaround: Check /var/log/ltm for more specific error messages. 686783-1 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.Component: Traffic Classification Engine Symptoms: If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried. Conditions: The UrlCat custom database feed list with URL containing www prefix or capital letters, Impact: Improper classification Workaround: Using an iRule can help classify the URL. 683534-2 : 'tmsh show sys connection' command prompt displaying 4 billion connections is misleadingComponent: Local Traffic Manager Symptoms: The 'tmsh show sys connection' may present a prompt asking you to confirm you want to display ~4 billion (4,294,967,295) connections: # show sys connection max-result-limit infinite Really display 4294967295 connections? (y/n) Conditions: -- The 'tmsh show sys connection' command is executed with max-result-limit option set to infinite. Impact: The value shown in the prompt (4294967295) is misleading, and does not reflect the actual number of connections being handled by the system. The 4294967295 number represents the maximum value the field can hold, not the number of actual connections. Workaround: None 674026-6 : iSeries AOM web UI update fails to complete.★Component: TMOS Symptoms: Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail. Conditions: This occurs when upgrading a BIG-IP system's software version on iSeries platforms. Impact: After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following: err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2 Workaround: At the bash prompt run: /etc/lcdui/bmcuiupdate This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting. 673573-8 : tmsh logs boost assertion when running child process and reaches idle-timeoutComponent: TMOS Symptoms: An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running. The errors in /var/log/ltm begin with the following text: 'boost assertion failed' Conditions: -- tmsh command reaches idle timeout. -- Spawned sub-process is still running. Impact: Although the wording indicates a failure, the message is benign and you can safely ignore it. Workaround: None. 672963-1 : MSSQL monitor fails against databases using non-native charsetComponent: Local Traffic Manager Symptoms: MSSQL monitor is fails against databases using non-native charset. Conditions: MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1). Impact: MSSQL monitoring always marks node / member down. Workaround: On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps: 1. Log in to the BIG-IP console into a bash prompt. 2. Run the following command: mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr 3. Restart bigd: bigstart restart bigd 663754-1 : Modifying the default management port can break internal functionalityComponent: Device Management Symptoms: Modifying the default management port for httpd 443 (ssl-port) to anything else via tmsh, will break the below functionality : 1. Gossip Framework : REST high availability (HA) sync framework will not work. 2. Licensing via BIG-IQ 3. selfLinks will be wrong Conditions: Changing the default management port of BIG-IP for httpd from 443 to anything else. Impact: BIG-IP will be unable to provide below functionality : 1. Gossip Framework : REST high availability (HA) sync framework will not work. 2. Licensing via BIG-IQ 3. selfLinks will be wrong 4. iAppLx, SSL Orchestrator, Access Guided Configuration, AS3 will be affected as these modules depends on Gossip Workaround: NA 662301-8 : 'Unlicensed objects' error message appears despite there being no unlicensed configComponent: TMOS Symptoms: An error message appears in the GUI: This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device. Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational. Conditions: The BIG-IP system is licensed and the configuration loaded. Impact: Error message appears in the GUI stating that the device is not operational. However, the device is operational. Workaround: On an appliance, restart mcpd by running the following command: bigstart restart mcpd On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command: clsh bigstart restart mcpd Note: This causes a system to go offline while services restart. Traffic disrupted while services restart. 659579-6 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system timeComponent: TMOS Symptoms: Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations. Conditions: Checking the icrd, restnoded, and restjavad logs timestamps. Impact: Difficult to troubleshoot as the logs are not aligned with system time. Workaround: None 658943-5 : Errors when platform-migrate loading UCS using trunks on vCMP guestComponent: TMOS Symptoms: During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages: 01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed. 01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed. Conditions: -- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration. -- The destination device is a vCMP guest. Impact: The platform migration fails and the configuration does not load. Workaround: You can use one of the following workarounds: -- Remove all trunks from the source configuration prior to generation of the UCS. -- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS. -- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration. 658850-6 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCPComponent: TMOS Symptoms: When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route. If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP. Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs Impact: Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access. Workaround: There are a few ways to avoid this issue: 1. Specify the "keep-current-management-ip" parameter to the "load sys ucs" command, for instance: tmsh load sys ucs Note: The "keep-current-management-ip" parameter is undocumented and will not appear in context help or tab completion. 2. If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command: tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip 646768-6 : VCMP Guest CM device name not set to hostname when deployedSolution Article: K71255118 Component: TMOS Symptoms: When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1. Conditions: This issue occurs when all of the following conditions are met: -- The BIG-IP system is running v11.6.0 or earlier. -- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later. -- You have configured the vCMP guest instance with a hostname other than bigip1. -- You deploy the vCMP guest instance. Impact: The vCMP guest does not use the configured hostname. Workaround: -- In tmsh, run the following commands, in sequence: mv cm device bigip1 HOSTNAME save sys config -- Rename the device name in the GUI. 574762-4 : Forwarding flows leak when a routing update changes the egress vlanComponent: Local Traffic Manager Symptoms: Forwarding flow doesn’t expire and leaks a connflow object. Conditions: Conditions to hit this are a route change on forwarded flows. Impact: Memory leak. Workaround: None 550526-3 : Some time zones prevent configuring trust with a peer device using the GUI.Solution Article: K84370515 Component: TMOS Symptoms: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI. Conditions: -- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT. -- Using the GUI to add a peer device to a trust configuration. Impact: Adding a peer device using the GUI fails. Workaround: You can use either of the following workarounds (you might find the first one easier): -- Temporarily set the device timezone to a non-affected timezone (e.g.; UTC), establish trust, and set it back: 1. Navigate to System :: Platform. 2. Under 'Time Zone', select 'UTC', and click 'Update' 3. Repeat steps one and two to change all devices that are to be part of the trust domain. 4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain. 5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone. -- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT. 547947-2 : Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged outComponent: Access Policy Manager Symptoms: Session logs out. No error messages or retry logon page. ----- Your session is finished. Logged out successfully. Thank you for using BIG-IP. To open a new session, please click here. ------ Conditions: Your environment has an access policy like the following Success Start -> Logon Page -> Radius Auth > Advanced resource assign (webtop) -> allow. | | failure -------> Deny. If you connect to the virtual server with this access policy and provide an empty username and password, you are logged out of the session and asked to open a new session page. Impact: Without providing proper username and password, user is shown the error "Logged out successfully.", which is improper. Workaround: No mitigation observed. 528894-5 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partitionComponent: TMOS Symptoms: Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects. Conditions: -- The system includes partitions other than Common. -- Configuration in a partition other than Common is modified. -- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }"). Impact:
/config/partitions/ /config/bigip_base.conf will no longer contain config stanzas that belong there. Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file. However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions. Workaround: If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device. Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group Note that neither workaround is permanent and the issue will reoccur. 499348-14 : System statistics may fail to update, or report negative deltas due to delayed stats mergingComponent: TMOS Symptoms: Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters. The system performance graphs will also appear to have gaps / be missing data at the times that this occurs. Conditions: This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions: -- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors). -- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis). Impact: Statistics fail to merge, which results in incorrect view of system behavior and operation. Workaround: This issue has two workarounds: 1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following: -- Reduce the frequency of configuration changes. -- Reduce the use of 'SSL::profile' in iRules. -- Reduce the number/frequency of processes being spawned by the system. 2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command: tmsh modify sys db merged.method value slow_merge. 464708-3 : DNS logging does not support Splunk format logComponent: Global Traffic Manager (DNS) Symptoms: DNS logging does not support Splunk format logging. It fails to log the events, instead logging err messages: hostname="XXXXXXXXXXXXX.XX",errdefs_msgno="01230140:3: Conditions: DNS logging configured for Splunk format. Impact: DNS logging does not log Splunk format to HSL. Workaround: Use an iRule to send Splunk-formatted messages to the Splunk server. For example: ltm rule dns_logging_to_splunk { when DNS_REQUEST { set ldns [IP::client_addr] set vs_name [virtual name] set q_name [DNS::question name] set q_type [DNS::question type] set hsl [HSL::open -proto UDP -pool splunk-servers] HSL::send $hsl "<190>,f5-dns-event=DNS_REQUEST,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type" } when DNS_RESPONSE { set ldns [IP::client_addr] set vs_name [virtual name] set q_name [DNS::question name] set q_type [DNS::question type] set answer [DNS::answer] set hsl [HSL::open -proto UDP -pool splunk-servers] HSL::send $hsl "<190>,f5-dns-event=DNS_RESPONSE,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type,answer=\"$answer\"" } } 382363-8 : min-up-members and using gateway-failsafe-device on the same pool.Solution Article: K30588577 Component: TMOS Symptoms: The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool. Conditions: A pool's min-up-members is 0 when gateway-failsafe-device is set. Impact: Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash. Workaround: Set min-up-members greater than 0 when using gateway-failsafe-device. 349706-4 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPNComponent: Access Policy Manager Symptoms: Network access sends 1.1.1.1 as X-VPN-serer-IP and Edge client reserves this IP for PPP communication with APM server. Conditions: -- VPN is configured on BIG-IP. -- Edge Client/webtop is used to connect to VPN. Impact: If VPN is connected: 1. The user may not access the 1.1.1.1 address from the client machine. 2. if 1.1.1.1 is used as a dns server ip in Network Access configuration, DNS resolution may fail on the client machine. Workaround: NA 1053741-4 : Bigd may exit and restart abnormally without logging a reasonComponent: Local Traffic Manager Symptoms: Certain fatal errors may cause the bigd daemon to exit abnormally and restart to recover. For many such fatal errors, bigd logs a message in the LTM log (/var/log/ltm) indicating the fatal error that occurred. For some causes, no message is logged to indicate what error occurred to cause big to exit abnormally and restart Conditions: This may occur when bigd encounters a fatal error when monitoring LTM pool members, particularly (although not exclusively) when using In-TMM monitor functionality (sys db bigd.tmm = enable). Impact: It may be difficult to diagnose the reason that caused bigd to exit abnormally and restart. Workaround: To enable logging of all fatal errors that cause bigd to exit abnormally and restart, enable bigd debug logging: tmsh modify sys db bigd.debug value enable With bigd debug logging enabled, bigd messages (including such fatal errors) will be logged to /var/log/bigdlog 1053149-1 : A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received.Component: Local Traffic Manager Symptoms: Depending on the software version running on the BIG-IP system, this issue can manifest in one of two ways: - Versions with the fix for ID1008077 will fail to forward the client's final ACK (from the TCP 3-way handshake) to the server. Eventually, once the TCP handshake timeout expires, the BIG-IP system will reset both sides of the connection. - Versions without the fix for ID1008077 will forward the traffic correctly, but will not advance the internal FastL4 state for the connection. Given enough traffic for the same 4-tuple, the connection may never expire. Traffic for subsequent connections will appear to be forwarded correctly, but no load-balancing will occur due to the original connection not having expired yet. Conditions: A FastL4 TCP connection not completing the TCP handshake correctly, and the client retrying with a new (different SEQ number) SYN. Impact: Traffic failures (intended as either connections failing to establish, or improper load-balancing occurring). 1053037-7 : MCP error on loading a UCS archive with a global flow eviction policyComponent: TMOS Symptoms: Attempting to load a UCS archive with a global flow eviction policy results in an error like the following. loaddb[3609]: 01080023:3: Error return while getting reply from mcpd: 0x1070911, 01070911:3: The requested flow_eviction_policy object (/Common/otters) does not exist for global_flow_eviction_policy in ltm (/Common/ltm) Error 0x1070911 occurred: 01070911:3: The requested flow_eviction_policy object (/Common/otters) does not exist for global_flow_eviction_policy in ltm (/Common/ltm) Despite this error, restoring the UCS archive continues on, and may succeed. Conditions: -- Loading a UCS archive with a non-default global-flow-eviction-policy configured. -- The existing configuration on the BIG-IP system does not define the same eviction policy. Impact: The above mentioned error message is printed to the logs. It should be safe to ignore the error if the UCS otherwise loads successfully. Workaround: Ignore the error message. 1051589-1 : Missing configuration after upgrade★Component: Application Security Manager Symptoms: After a successful UCS load, some parts of the security configuration are missing. Conditions: -- ASM provisioned -- Limited disk space in /shared -- Upgrade or create and then install a UCS Impact: A device after upgrade or UCS install is missing some of the security configuration. Workaround: Clear out disk space in /shared before attempting an upgrade or creating a UCS 1051237-1 : ASM initial configuration script fails after upgrade★Component: Application Security Manager Symptoms: After upgrading the system, the ASM initial configuration script fails with below error message: asm|INFO|Sep 23 22:34:07.480|16920|,,01070265:3: The ASM policy (/Common/test) cannot be deleted because it is in use by a API Protection Profile (/Common/test). asm|INFO|Sep 23 22:34:07.507|16920|,,failed to initialize Conditions: -- ASM security policy exists which is referenced by an API Protection Profile -- Upgrade or load a UCS with such a configuration onto a device where ASM is not yet provisioned Impact: UCS loading or upgrade fails Workaround: On a freshly installed device (installed with liveinstall.saveconfig and liveinstall.moveconfig disabled) Provision ASM, wait for the device to become Active Load (using TMSH) the UCS file 1051125-1 : GTM marks virtual servers offline even when LTM virtual servers are available.Component: Global Traffic Manager (DNS) Symptoms: GTM virtual servers have a status of offline when they should be marked as available. Conditions: -- Sync group of two GTM devices with a large number of virtual servers (2k). -- All the LTM virtual servers corresponding to GTM Virtual servers are available. -- Add a third GTM into the sync group. Impact: LTM virtual servers are marked offline. 1050697-4 : Traffic learning page counts Disabled signatures when they are ready to be enforcedComponent: Application Security Manager Symptoms: The traffic learning page counts Disabled signatures when they are ready to be enforced. Conditions: Policy has a disabled signature. Impact:
Traffic learning page shows different counts of "ready to be enforced" signatures compared to Security ›› Application Security : Security Policies : Policies List ›› Workaround: None 1050661-1 : Warning message with UDP on DOH server side.Component: Global Traffic Manager (DNS) Symptoms: DOH with server side flow using UDP results in a DoH server that is unable to deliver DNS replies larger than 4096 bytes to the DoH client (a truncated (TC) response will be sent instead). Conditions: 1. A DNS profile that has all the internal DNS resolution features turned off (gslb, cache, dns-express, local-bind), so that DNS requests are load balanced to the pool tmsh create ltm profile dns dns-pool-only enable-dns-express no enable-dnssec no enable-gtm no process-rd no use-local-bind no 2. A pool pointing to a DNS server tmsh create ltm pool dns-pool-only members add {x.x.x.x:53} 3. An LTM virtual server that has TCP on the clientside (DoH server) and UDP on the server-side flow. tmsh create ltm virtual vs-doh-server destination x.x.x.x:443 ip-protocol tcp profiles add {doh-server tcp { context clientside } udp_gtm_dns { context serverside } http2 http clientssl-secure dns-pool-only } Trigger by sending a DoH request to the virtual-server for a DNS resource record that is larger than 4096 bytes. A truncated response will be returned to the DoH client. Since the client is already using TCP (and HTTPS) to send the query, it can not retry the query using TCP like a traditional client could do. Impact: DNS responses with the TC (truncated) bit are received via the BIG-IP DoH virtual server. Note that this is correct behavior, per RFC8484, for this configuration. Workaround: 1. Use TCP on the server-side flow (this is the default if you don't specifically set the serverside to use UDP). The use of TCP will mean that each DNS request requires a TCP 3WHS and 4-way close. (or) 2. Instead of configuring DNS servers as pool members, configure them as forward-zone nameservers for dns-cache, and enable dns cache in the DNS profile. (or) 3. Ensure that the configuration is only used when you can be certain that no replies larger than 4096 bytes will ever be provided by the DNS server (pool member) 1050457-1 : The "Permitted Versions" field of "tmsh show sys license" only shows on first bootComponent: TMOS Symptoms: As of BIG-IP Virtual Edition version 15.0.0, running "tmsh show sys license" should show the Permitted Versions. After the system is rebooted, this information is no longer displayed by TMSH. Conditions: -- Running the 'tmsh show sys license' command after a reboot Impact: Unable to see the permitted versions for the license. Workaround: The list of permitted versions can be seen in the /config/bigip.license file, by looking for Exclusive_version: config # grep Exclusive_version /config/bigip.license Exclusive_version : 11.6.* Exclusive_version : 12.*.* Exclusive_version : 13.*.* Exclusive_version : 14.*.* Exclusive_version : 15.*.* Exclusive_version : 16.*.* Exclusive_version : 5.*.* Exclusive_version : 6.*.* Exclusive_version : 7.*.* 1050165 : APM - users end up with SSO disabled for their session, admin intervention required to clear sessionComponent: Access Policy Manager Symptoms: If a user is trying to access a webtop resource that is configured behind APM single sign-on (SSO) which has failed for some reason, then the SSO process for that user is disabled for the rest of that session's life time. Conditions: -- Configure Kerberos SSO -- Configure a network resource (a user's mail box configured on exchnage server, or an IIS based web service) Impact: BIG-IP Admin has to intervene to release the affected session manually. Workaround: None 1050153 : Unknown browscap value sent by the client.Component: Access Policy Manager Symptoms: APM logs 'Unknown browscap' messages: Unknown browscap value 'x86_64' sent by the client. Unknown browscap value 'MacOS' sent by the client. Conditions: -- An access policy implements different actions for different platforms -- Certain APM clients connect Impact: 'Unknown browscap' messages are logged and certain clients are not classified as expected. 1050089-5 : TMM crash in certain casesComponent: Application Security Manager Symptoms: TMM crash in certain cases Conditions: Bot defense profile is used in TMM Impact: Traffic disrupted while tmm restarts. Workaround: None 1049237-1 : Restjavad may fail to cleanup ucs file handles even with ID767613 fixComponent: Device Management Symptoms: Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download. Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output. Additionally, on a software version with ID767613 fix, you may see restjavad NullPointerException errors on /var/log/restjavad.*.log. [SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230) at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622) at java.lang.Thread.run(Thread.java:748) Conditions: -- Files restjavad makes available for download. -- The requesting client does not complete the download. Impact: Low disk space, items listed with '(deleted)' when listed using lsof. Workaround: To free the file handles, restart restjavad: # tmsh restart sys service restjavad Files that were deleted now have their space reclaimed. 1049229-1 : No Access Error While trying to create a sub-rule under the Network Firewall rule listComponent: Advanced Firewall Manager Symptoms: An authenticated administrative user is redirected to a 'No Access' error page while trying to create a sub-rule under the Network Firewall rule list from the GUI. Conditions: Create a sub-rule under the Network Firewall rule list. Impact: Cannot create a sub-rule under the Network Firewall rule list. 1049085-3 : Booting into a newly installed hotfix volume may stall on RAID-capable platforms★Component: TMOS Symptoms: Upon booting into a RAID volume containing a newly installed instance of BIG-IP system software which is an Engineering Hotfix, the following messages may appear, after which the boot process stalls: [...] [ 11.705219] dracut-initqueue[324]: mdadm: Duplicate MD device names in conf file were found. [ 133.844644] dracut-initqueue[324]: Warning: dracut-initqueue timeout - starting timeout scripts [ 133.932885] dracut-initqueue[324]: mdadm: Devices UUID-012345678:9abcdef0:12345678:9abcdef0 and UUID-abcdef01:23456789:abcdef01:23456789 have the same name: /dev/md4 [...] [ *** ] A start job is running for dev-disk... Conditions:
Impact: Impossible to boot into the volume of the new installation, it is necessary to physically reboot the device and revert to a previously working volume to rectify the problem. Workaround: Instead of installing the hotfix directly, first install the plain base version on which the hotfix is based and boot into it - this will resolve the problem with the duplicate entries in /etc/mdadm.conf. Then install the hotfix as normal. 1048949-1 : TMM xdata leak on websocket connection with asm policy without websocket profileComponent: Application Security Manager Symptoms: Excessive memory consumption, tmm core. Conditions: - ASM provisioned - ASM policy attached to a virtual server - Websocket profile isn't attached to the virtual server - Long lived websocket connection with messages Impact: Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts. Workaround: Attach the websocket profile to the virtual server 1048685-4 : Rare TMM crash when using Bot Defense ChallengeComponent: Application Security Manager Symptoms: When using the Bot Defense Profile on Blocking mode, TMM could crash on rare cases with a core dump. Conditions: Using the Bot Defense profile on blocking mode. Impact: Traffic disrupted while tmm restarts. Workaround: None 1048617-3 : Nice level BigDB paramter is not applied for BDComponent: Application Security Manager Symptoms: Nice level BigDB parameter is not applied for BD when BIG-IP is using split-planes Conditions: BIG-IP supports split-planes and nice level DB variable is set to non-zero. Impact: BD niceness level does not change. Workaround: None 1048541-1 : Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful.Component: TMOS Symptoms: A BIG-IP Administrator utilizing the 'Certificate Order Manager' feature is unable to renew SSL certificates issued by the Comodo (now Sectigo) certification authority. Conditions: Using the 'Certificate Order Manager' feature on BIG-IP to renew SSL certificates issued by the Comodo (now Sectigo) certification authority. Impact: The renew requests fail. 1048445-1 : Accept Request button is clickable for unlearnable violation illegal host nameComponent: Application Security Manager Symptoms: For the following violations: - VIOL_HOSTNAME (Hostname violation) - VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation) The accept button is clickable when it should not. Accept Request button should be disabled for this violations. Conditions: Generate an illegal host name or hostname mismatch violation. Impact: Request will not be accepted even though you have elected to accept the illegal request. Workaround: Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered. 1048425-4 : Packet tester crashes TMM when vlan external source-checking is enabledComponent: Advanced Firewall Manager Symptoms: TMM SIGFPE Core Assertion "packet must already have an ethernet header". Conditions: Run the AFM Packet Tracer when external source-checking is enabled on the VLAN. Impact: Traffic disrupted while tmm restarts. Workaround: Disable source checking on the vlan. 1048141-3 : Sorting pool members by 'Member' causes 'General database error'Component: TMOS Symptoms: The configuration utility (web UI) returns 'General database error' when sorting pool members. The pool member display does not work for the duration of the login. Conditions: Sorting the pool member list by member. Impact: A pool's pool member page cannot be displayed. Workaround: Clear site and cached data on browser and do not sort by pool member. 1048137-2 : IPsec IKEv1 intermittent but consistent tunnel setup failuresComponent: TMOS Symptoms: IKEv1 tunnels fail to start or re-key after an upgrade. Conditions: -- IPsec IKEv1 tunnels Impact: IPsec tunnels will not work as expected. Workaround: The only workaround is to switch to IKEv2. 1048033-1 : Server-speaks-first traffic might not work with SSL OrchestratorComponent: SSL Orchestrator Symptoms: Server-speaks-first traffic does not pass through BIG-IP SSL Orchestrator. BIG-IP does not do service chaining to the service that has port-remap enabled. Conditions: - Interception Rule has verified accept enabled. - Security policy is service chaining and port-remap is enabled on one of the security services Impact: Connection does not succeed, client sees a reset after timeout. Workaround: Disable port-remap on service and redeploy. 1047933-1 : Virtual server security policy - An error has occurred while trying to process your requestComponent: Advanced Firewall Manager Symptoms: While loading the security tab page in the virtual server configuration page, you see an error: "An error has occurred while trying to process your request" Conditions: This is encountered when clicking the security tab in the virtual server configuration page, when there are a large number of virtual servers on the BIG-IP system (~2500). Impact: Delay in security tab page loading times and possible page timeout. Workaround: None 1047581-3 : Ramcache can crash when serving files from the hot cacheComponent: Local Traffic Manager Symptoms: Under certain circumstances, TMM may crash when processing traffic for a virtual server that uses RAM Cache. Conditions: - RAM Cache configured - Document served not out of the hotcache - The server served with must-revalidate. - The server 304 contains a 0 byte gzip payload Impact: Traffic disrupted while tmm restarts. Workaround: None 1047377-1 : "Server-speak-first" traffic might not work with SSL OrchestratorComponent: SSL Orchestrator Symptoms: Server-speaks-first traffic does not pass through BIG-IP SSL Orchestrator. BIG-IP does not perform a TCP three-way handshake to the server. Conditions: SSL Orchestrator interception rule has an attached security policy that is service chaining and at-least one service has port-remap enabled. Impact: Connection does not succeed, client sees a reset after timeout. Workaround: Disable port-remap on service and redeploy. 1047169-1 : GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.Component: TMOS Symptoms: A BIG-IP Administrator is incorrectly able to delete a GTM AAAA pool from the configuration, despite this object being referenced in an iRule in use by an AAAA wideip. An error similar to the following example will be visible in the /var/log/gtm file should the iRule referencing the pool run after the pool has been deleted: err tmm[11410]: 011a7001:3: TCL error: Rule /Common/my_rule Note the error message incorrectly reports the pool as type A (it should report type AAAA). Conditions: -- Two GTM pools of type A and AAAA share the same exact name (which is legal). -- The pool name is referenced in an iRule by the 'pool' command. -- The iRule is in use by an AAAA wideip. -- A BIG-IP Administrator attempts to delete the AAAA pool. Impact: The system incorrectly allows the deletion of the AAAA pool from the configuration. Consequently, the next time the GTM configuration is reloaded from file, the operation will fail. Additionally, traffic which relied on the pool being present in the configuration will fail. 1046917-4 : In-TMM monitors do not work after TMM crashesComponent: In-tmm monitors Symptoms: After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down. Conditions: -- In-TMM monitors are enabled. -- TMM exits abnormally, as a result of one of the following: + TMM crashing and restarting + TMM being sent a termination signal (i.e. using 'pkill' to kill TMM) Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'. Impact: Monitored pool members are offline. Workaround: One of the following: 1. Do not use in-TMM monitors. 2. After TMM restarts, manually restart bigd: tmsh restart sys service bigd 3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up. alert id1046917 "Tmm ready - links up." { exec command="bigstart restart bigd" } Note: This change must be made separately on each device in a ConfigSync device group. 1046785-1 : Missing GTM probes when max synchronous probes are exceededComponent: Global Traffic Manager (DNS) Symptoms: GTM probes are missing, resources are marked down. Conditions: Max synchronous probes are exceeded. Impact: Resources are marked down. 1046693-4 : TMM with BFD confgured might crash under significant memory pressureComponent: TMOS Symptoms: TMM might crash when processing BFD traffic under high memory pressure. Conditions: - BFD in use. - TMM under high memory pressure. Impact: Traffic disrupted while tmm restarts. 1046669-1 : The audit forwarders may prematurely time out waiting for TACACS responsesComponent: TMOS Symptoms: If a TACACS server takes longer than five seconds to respond, the audit forwarder will reset the connection. Conditions: -- Using remote TACACS logging. -- TACACS server takes longer than 5 seconds to respond to logging requests. Impact: Misleading log messages. 1046261-1 : Asynchronous REST task IDs do not persist across process restartsComponent: TMOS Symptoms: If an asynchronous task is started via REST and the iControl REST process(es) restart, the task ID is lost and queries regarding its state will result in "Task not found" responses. Conditions: -- Starting an asynchronous process via REST. -- The iControl REST process(es) restart. Impact: Unable to get the status of an asynchronous task. If you are using iControl REST to load a UCS, you will be unable to determine the status of the UCS load. 1045913-1 : COMPRESS::disable/COMPRESS::enable don't work reliably for selective compressionComponent: Local Traffic Manager Symptoms: When using selective compression, COMPRESS::disable after a compressed response on the same connection will remove the Accept-Encoding header on the subsequent request and then correctly not compress the response. The Accept-Encoding header should be left in place to allow the server to compress the response, if able. Conditions: 1. Virtual server with HTTP profile and selective compression using conditional COMPRESS::disable/COMPRESS::enable iRules with a server capable of responding with compressed content. 2. A client requests compressed documents over a persistent connection Impact: Client may receive some uncompressed responses in cases where compression was expected. Workaround: An iRule that can insert an Accept-Encoding header at HTTP_REQUEST_RELEASE time which would allow the server to compress, if capable. 1045549-4 : BFD sessions remain DOWN after graceful TMM restartComponent: TMOS Symptoms: BFD sessions remain DOWN after graceful TMM restart Conditions: TMM is gracefully restarted, for example with 'bigstart restart tmm' command. Impact: BFD sessions remain DOWN after graceful TMM restart Workaround: After restarting TMM, restart tmrouted. 1045421-1 : No Access Error When Policy is applied to the Virtual ServerComponent: TMOS Symptoms: An authenticated administrative user is redirected to a 'No Access' error page while trying to apply a policy to a virtual server from the GUI. Conditions: Apply a policy to a virtual server. Impact: Cannot apply a policy to a virtual server. 1045277-4 : The /var partition may become 100% full requiring manual intervention to clear spaceComponent: TMOS Symptoms: The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following: 011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade. Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion. Conditions: Process traffic while DoS Dashboard is open Impact: The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition. Workaround: Important: This workaround is temporary, and may need to be periodically performed either manually or from a script. Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen. Run the following commands, in sequence: bigstart stop restjavad rm -rf /var/config/rest/storage*.zip rm -rf /var/config/rest/*.tmp bigstart start restjavad Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation. 1044893 : Kernel warnings from NIC driver Realtek 8139Component: TMOS Symptoms: Excessive kernel logs occur from the NIC driver Realtek 8139 Conditions: -- Realtek 8139 driver is used -- Packets with partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrives Impact: The Realtek 8139 driver logs excessive kernel warnings. 1044873-1 : Deleted GTM link is not removed from virtual server object and causes load failure.Component: Global Traffic Manager (DNS) Symptoms: The configuration fails to load with an error: 01070712:3: Values (/Common/Link_to_delete) specified for Virtual Server (/Common/vs1 /Common/HTTPP): foreign key index (explicit_link_FK) do not point at an item that exists in the database. Unexpected Error: Loading configuration process failed. Conditions: -- Create GTM link -- Assign specific link to any virtual server object -- Delete link object -- Run tmsh load sys config gtm-only (or create a sync group and the sync will fail) Impact: GTM config fails to load or config sync. Workaround: Remove any assigned virtual servers from the link prior to deleting it. 1044577-2 : TMM crash on BIG-IP Virtual Edition using DPDK and xnet driversComponent: TMOS Symptoms: TMM crashes Conditions: -- BIG-IP Virtual Edition using DPDK and xnet drivers -- More than one tmm Impact: Traffic disrupted while tmm restarts. Workaround: - Use only 1 TMM - Use some other driver combination other than DPDK-xnet 1044281-1 : In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeledComponent: TMOS Symptoms: Under certain circumstances, if a configuration is copied to a boot location that has has already been booted into, files restored by the UCS archive remain unlabeled. After booting to the target volume, the BIG-IP will not function and will have the status "INOPERATIVE". Conditions: -- APM is provisioned. -- Performing a cpcfg copy to another volume. Impact: -- APM localdbmgr restarts, and fails to restore configuration from UCS archive -- Spurious system permissions failures as a result of SELinux Workaround: After booting into the affected boot location, force an SELinux relabeling: # touch /.autorelabel && reboot 1044121-3 : APM logon page is not rendered if db variable "ipv6.enabled" is set to falseComponent: Access Policy Manager Symptoms: When accessing a Virtual Server with an access policy, users are redirected to the hangup page. Conditions: Db variable "ipv6.enabled" is set to false Impact: Users will not be able to access the virtual server and associated resources behind it. Workaround: Keep the value of db variable "ipv6.enabled" set to true. # setdb "ipv6.enabled" true 1044021-2 : Searching for IPv4 strings in statistics module does not work.Component: TMOS Symptoms: In Statistics :: Module statistics : Local Traffic : Pools, in "Display Options", if you choose "Statistics Type" as "Pools" and search for some IPv4 ip with partial words, the search will not return expected results. Conditions: Searching for an IPv4 address in the "Statistics" module. Impact: It is not possible to filter for IPv4 addresses. Workaround: None 1043805-3 : ICMP traffic over NAT does not work properly.Component: Local Traffic Manager Symptoms: ICMP traffic hitting a NAT translation address is dropped and not sent further to the originating address. Conditions: -- An LTM NAT is configured. -- ICMP traffic arrives. Impact: ICMP traffic fails to be forwarded over the NAT. 1043533-3 : Unable to pick up the properties of the parameters from audit reports.Component: Application Security Manager Symptoms: In the GUI under Security ›› Application Security : Audit : Reports, if you select "User-input parameters..." in the menu "Security Policy Audit Reports", then click on the parameter to retrieve the properties, you will see this error: " Could not retrieve parameter; Could not get the Parameter, No matching record was found." Conditions:
Impact: A page error occurs. Workaround: 1. Open in a separate tab the following screen: Security ›› Application Security : Parameters : Parameters List 2. Under "Parameter List" title, there is a filter dropdown with the "Parameter Contains" texting. 3. On the blank part (before "Go" button) type the name of the required parameter. 4. You will get the desired page with the desired parameter properties. 1043357-4 : SSL handshake may fail when using remote crypto clientComponent: Local Traffic Manager Symptoms: ServerSSL handshake fails when verifying ServerKeyExchange message. Conditions: Remote crypto client is configured and the ServerSSL profile connects using an ephemeral RSA cipher suite. Impact: The virtual server is unable to connect to the backend server. Workaround: Use non-ephemeral RSA or ECDSA cipher suite on ServerSSL. 1043277-4 : 'No access' error page displays for APM policy export and apply optionsSolution Article: K06520200 Component: TMOS Symptoms: An authenticated administrative user is redirected to a 'NO ACCESS' error page while exporting/applying an APM policy. Conditions: Authenticated administrative user makes a GUI request to apply/export an APM policy. Impact: Cannot export/apply an APM policy. Workaround: None 1043141-1 : Misleading 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IPComponent: TMOS Symptoms: Loading a UCS file from another BIG-IP results in an error message similar to: "/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure The error message is misleading as the issue is unrelated to master key decryption. Conditions: -- Loading a UCS archive from a different BIG-IP. -- The UCS archive does not contain a ".unitkey" file. -- The target system does have the correct master key value configured. -- There is some other MCPD validation issue in the configuration. Impact: Platform migration fails with a misleading error message. Workaround: Once the issue has happened, you can either: - Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s). OR: - Re-start MCPD. 1043017-4 : Virtual-wire with standard-virtual fragmentationComponent: Local Traffic Manager Symptoms: A standard virtual-server configured on top of a virtual-wire has unexpected handling of fragmented IP traffic. Conditions: Standard virtual-server configured on top of a virtual-wire handling fragmented IP traffic. Impact: - Fragments missing on egress. - Packet duplication on egress. Workaround: Use fastl4 virtual-server instead. 1043009 : TMM dump capture for compression engine hangComponent: Local Traffic Manager Symptoms: TMM crashes Conditions: The system detects a Nitrox hang and attempts to reset it. Impact: Traffic disrupted while tmm restarts. Workaround: Set Nitrox3.Compression.HangReset db variable to reset 1042993-3 : Provisioning high availability (HA) setup wizard fails to load, reports 'No Access'Solution Article: K19272127 Component: TMOS Symptoms: An authenticated administrative user is redirected to a 'NO ACCESS' error page while running the high availability (HA) setup wizard. Conditions: Authenticated administrative user makes a GUI request to Run Config Sync/HA setup wizard Impact: You are unable to run/finish the Config Sync/HA setup wizard to completion Workaround: None 1042913-2 : Pkcs11d CPU utilization jumps to 100%Component: Local Traffic Manager Symptoms: CPU utilization of pkcs11d increases to 100%. Conditions: This occurs when pkcs11d is disconnected from the external HSM. Impact: As the pkcs11d consumes most of the CPU, other processes are starved for CPU. Workaround: None. 1042737-4 : BGP sending malformed update missing Tot-attr-len of '0.Component: TMOS Symptoms: BIG-IP might send a malformed BGP update missing Tot-attr-len of '0 when performing a soft reset out. Conditions: -- Multiple traffic groups configured. -- A BGP soft reset occurs. Impact: BGP peering resets. 1042605-1 : ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above★Component: Application Security Manager Symptoms: Following an upgrade, an error occurs: ERROR: Failed during loading ASM configuration. An "ASM critical warning" banner is displayed in the ASM GUI. Conditions: -- ASM is upgraded to v15.1.0 or above -- The following query returns results prior to upgrading: SELECT policy_name_crc FROM DCC.ACCOUNTS accounts WHERE policy_name NOT IN (SELECT name FROM PLC.PL_POLICIES) Impact: ASM upgrade is aborted due to an exception: Can't call method "clear_traffic_data" on unblessed reference 1042589-1 : Wrong trunk_id is associated in bcm56xxd.Component: TMOS Symptoms: When a set of interfaces are moved from one trunk to another, the now empty trunk is left with a valid association in bcm56xxd, and deleting that trunk can cause a valid trunk to be removed in the BCM hardware. 'tmsh show net trunk MY_TRUNK' shows the trunk is UP, but in fact the trunk is unconfigured in hardware. Conditions: Moving the interfaces across trunks. i.e. tmsh modify net trunk MY_OLD_TRUNK interfaces none tmsh modify net trunk MY_NEW_TRUNK interfaces add { 1.1 1.2 } tmsh delete net trunk MY_OLD_TRUNK Impact: May cause an L2 traffic loop. 1042509-1 : On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST requestComponent: Local Traffic Manager Symptoms: On an HTTP2 gateway virtual server (HTTP/2 on clientside, no httprouter profile), TMM does not update the stream's window (i.e. acking data at the HTTP/2 stream layer). This causes large HTTP requests with payloads (i.e. POSTs) to stall and eventually time out. TMM does sometimes send WINDOW_UPDATE messages for the entire connection, but not for the stream. Since flow control is required at both the connection and stream levels, the client stalls out. Conditions: -- Virtual server with HTTP2 profile -- Configured as HTTP2 Gateway (HTTP2 profile on clientside and no 'httprouter' profile) -- Client sends large data transfer to the virtual server Impact: Client data transfer through HTTP/2 virtual server (POST / PUT / etc) fails. Workaround: Use an HTTP router profile (assign the 'httprouter' profile to the virtual server, or select the 'HTTP MRF Router' option in TMUI) 1042505-1 : Session variable "session.user.agent" does not get populated for edge clientsComponent: Access Policy Manager Symptoms: Access policy agents and iRules that depend on "session.user.agent" session variable fail to execute properly. Conditions: Access polices have agents that depend on the value of session variable "session.user.agent" for its execution. Impact: Any access policy agents that depend on this session variable will not be able to follow the rules. Workaround: An iRule can be used to generate a session variable. For example: # This event fires once per session when ACCESS_SESSION_STARTED { log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]" ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent] Use this variable in the VPE to make some decision} 1042009-1 : Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closesComponent: TMOS Symptoms: Mcpd does not reply to the request if the publisher's connection closes/fails, in this case when bcm56xxd is restarted. The perceivable signs of the failure are the snmpwalk failing with a timeout and the "MCPD query response exceeding" log messages Conditions:
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done Sample output: Sat Aug 21 00:57:23 PDT 2021 F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0 F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41 F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12 F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)
bigstart restart bcm56xxd 4a) the snmpwalk will continually report the following: Timeout: No Response from 127.0.0.1 And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm Impact: SNMP stopped responding to queries after upgrade Workaround: Snmpd restart 1041989-4 : APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaksComponent: Access Policy Manager Symptoms: If the Location header does not end with '/' in direct case, the rewritten URL misses the forward slash character '/'. APM does not add automatically the / after the URL encoded(after $$)? e.g https://website Is rewritten as https://apm/f5-w- If the caption URI is https://website without / at the end, APM will rewrite it as https://apm/f5-w- Conditions: -- APM Portal Access -- Redirect response Location header does not end with '/' - after the {scheme://host:port} Impact: Missing / after redirection - Page does not load Workaround: Add '/' through iRule in redirect response header. 1041985-1 : TMM memory utilization increases after upgrade★Component: Access Policy Manager Symptoms: TMM memory utilization increases after upgrading. The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting. Conditions: -- APM enabled and passing traffic -- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60 Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout. For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262 Impact: TMM memory may increase while passing traffic. Workaround: Change the tcp keep alive interval to the default setting of 1800 seconds. 1041889-2 : RRSIG missing for CNAME with RDATA in different zoneComponent: Global Traffic Manager (DNS) Symptoms: RRSIG missing for CNAME. Conditions: -- CNAME record with RDATA in different zone. -- One zone dynamically signed. -- The other zone in local BIND (ZoneRunner) with static DNSSEC records. Impact: DNSSEC validation failure. 1041865-4 : Correctable machine check errors [mce] should be suppressedComponent: TMOS Symptoms: Log emerg in kern.log similar to: emerg kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 10: cc003009000800c1 Conditions: Correctable errors can be identified by analyzing the 16‐bit value shown in bits [31:16] of the 64‐bit error from the /var/log/kern.log message. When bits [31:16] = 0008 this is a correctable error and not failing hardware. An example is shown below. Log error matches this pattern: Machine Check: 0 [bank number]: [cc003009][0008][00c1] bits [31:16] = 0008 Impact: Correctable errors are logged in kern.log and to the console. There is no functional impact. Workaround: None 1041801-1 : TMM crashes when handling Network DNS resolver Traffic.Component: Global Traffic Manager (DNS) Symptoms: TMM crashes and produces a core file. Conditions: -- The configuration involves a Network DNS resolver object and it receives traffic. Impact: Traffic disrupted while tmm restarts. 1041765-2 : Racoon may crash in rare casesComponent: TMOS Symptoms: Racoon may crash when NAT Traversal is on and passing IPsec traffic in IKEv1. Conditions: -- IKEv1 IPsec tunnel configured -- NAT Traversal is on in ike-peer configuration. Impact: Racoon will crash and any IKEv1 tunnels will restart Workaround: Use IKEv2 only. 1041657-1 : PEM and Analytics tabs are displayed when accessing DoH Proxy/Server profiles.Component: Global Traffic Manager (DNS) Symptoms: The BIG-IP GUI displays the PEM and Analytics tabs for DNS over HTTPS (DoH) Proxy/Server profiles. These tabs should not be present. Conditions: This occurs when viewing the DoH proxy or server profile. A PEM and analytics tab is visible when it should not be. Impact: Wrong display of PEM and Analytics profile tabs in the GUI. Workaround: None. 1041625-5 : Virtual server flapping when the active and standby devices have different configuration.Component: Global Traffic Manager (DNS) Symptoms: The virtual server status flaps. Conditions: 1. Virtual server auto discovery enabled. 2. Configured GTM server is configured for high availability (HA). 3. The active and standby devices have different IP addresses for the same virtual server. Impact: The virtual server status flaps and traffic might be interrupted. Workaround: Make the active and standby devices have the same configuration. 1041317-1 : MCPD delay in processing a query_all message if the update_status bit is setComponent: TMOS Symptoms: When there are a significant number of virtual servers or pools, mcpd can take a several seconds to respond to query_all messages, if the update_status is set to 1 in the message. Conditions: Update_status is set to 1 in the message. This could occur, for example, with the following snmp command snmpget -v2c -c public localhost ltmVsStatusNumber.0 Impact: While mcpd is busy updating the status for each virtual server or pool, mcpd will not able to to respond to any messages. Control plane operations might timeout. 1041225-4 : Missing SHA-384 cipher suites in outgoing LDAP TLS ClientHelloComponent: Local Traffic Manager Symptoms: BIG-IP does not send SHA-384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). Conditions: You have LDAP servers which support SHA-384 ciphers only for LDAP/TLS authentication. Impact: Servers requiring SHA-384 for LDAP/TLS authentication will not be able to authenticate. 1041149-1 : Staging of URL does not affect apply value signaturesComponent: Application Security Manager Symptoms: When a URL is staged and a value content signature is detected, the matched request is blocked. Conditions: -- URL is set to staging; -- Only default ("Any") content profile is present, set to apply value signatures (all other content profiles deleted); -- Request matches attack signature Impact: The request for staged URL is blocked Workaround: Configure relevant content profiles or leave the default content profiles configuration. 1041113 : BIG-IP Admin role credentials are not usable for getting device discovered by BIG-IQComponent: Device Management Symptoms: BIG-IQ is unable to discover BIG-IP with admin role user (not default admin user). Conditions: The admin of BIG-IQ is attempting to add a BIG-IP using its an account with admin role (that is not the default admin account). Impact: BIG-IQ fails to discover BIG-IP. Workaround: Restart the restjavad process on BIG-IP and reattempt device discovery from BIG-IQ. 1040957-1 : The ipother profile can be used with incompatible profiles in a virtual serverComponent: Local Traffic Manager Symptoms: The BIG-IP system does not prevent the ipother profile from being used with incompatible profiles in a virtual server. -- Log messages such as the following in the LTM log file: err tmm[28670]: 01010008:3: Proxy initialization failed for /Common/example_vs. Defaulting to DENY. err tmm[28670]: 01010008:3: Listener config update failed for /Common/example_vs: ERR:ERR_ARG -- Log messages such as the following in TMM's log file: notice hudchain contains precluded clientside filter: IPOTHER Conditions: Creating or modifying a virtual server to use the ipother profile with an incompatible profile. Impact: Invalid configuration. TMM traffic passing does not behave the way virtual server configuration dictates it should. Workaround: Remove the incompatible profile(s) from the virtual server. 1040829-4 : Errno=(Invalid cross-device link) after SCF mergeComponent: Access Policy Manager Symptoms: A single config file (SCF) merge fails with the following error: 01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link) Conditions: A customization group with the same name is present in both the SCF file and the BIG-IP device. Impact: SCF merge fails Workaround: None 1040685-4 : Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier)Component: Advanced Firewall Manager Symptoms: Tmm crashes after reboot. Conditions: This is encountered intermittently after rebooting a blade. Impact: Slot usable until manual intervention. Traffic disrupted while tmm restarts. Note: this issue happened only once and no further occurrence was reported. 1040573-4 : REST operation takes a long time when two different users perform tasks in parallelComponent: TMOS Symptoms: It takes excessive time to execute multiple REST(icr) requests in parallel by different users. Conditions: Multiple iControl REST operations are performed by different users in parallel. Impact: BIG-IP system performance is impacted. Workaround: Use only one user to process the multiple requests. OR Use an iControl REST transaction containing multiple requests. 1040361-1 : TMM crashes during its startup when TMC destination port list attached/deleted to virtual serverComponent: Local Traffic Manager Symptoms: -- Log message written to TMM log file: panic: ../kern/page_alloc.c:736: Assertion "vmem_hashlist_remove not found" failed. Conditions: -- Virtual Server using a traffic-matching-criteria (TMC) with a destination-port-list, with multiple distinct ranges of ports. Impact: Traffic disrupted while tmm restarts. Workaround: Do not use Traffic Matching Criteria with destination port lists. 1040153-1 : Topology region returns narrowest scope netmask without matchingComponent: Global Traffic Manager (DNS) Symptoms: BIG-IP returns malformed packets or the narrowest scope not matching the request. Conditions: Mixed sub networks with different mask length. Impact: Malformed packets. Workaround: Do not put mixed subnets in one region. 1040117-2 : BIG-IP Virtual Edition drops UDP packetsComponent: TMOS Symptoms: BIG-IP Virtual Edition drops padded UDP packets when the hardware will accept and forward these same packets. Conditions: -- BIG-IP Virtual Edition -- Padded UDP packets are sent Impact: UDP packets are dropped, potentially disrupted traffic 1040045-3 : Unable to delete trunk member on a VCMP guestComponent: Local Traffic Manager Symptoms: After deleting a trunk member on a VCMP hypervisor, the change may not propagate to the guest. Conditions: -- VCMP guest -- A trunk member that is UP -- The trunk member is deleted on the hypervisor Impact: The guest does not have the current trunk information Workaround: Down the interface on the VCMP hypervisor before removing it (tmos)# modify net interface 2/3.1 disabled (tmos)# modify net trunk trunk_1 interfaces del { 2/3.1 } 1040017-5 : Final ACK validation during flow accept might fail with hardware SYN CookieComponent: Local Traffic Manager Symptoms: With hardware SYN cookie mode enabled, final ACK validation during flow accept fails and ACK packets are dropped. Such error messages are being logged in LTM logs : "An Enforced Device DOS attack start was detected for vector TCP half-open" Conditions: -- Hardware SYN Cookie is enabled -- BIG-IP is under TCP half-open attack and packet hits a CMP forwarding flow Impact: ACK packets are wrongly dropped, causing traffic interruption. Workaround: Disable hardware SYN Cookie 1039725-1 : Reverse proxy traffic fails when a per-request policy is attached to a virtual server.Component: Access Policy Manager Symptoms: Reverse proxy or inbound traffic fails during SSL renegotiation when a per-request policy is attached to the virtual server. Conditions: -- SSL Orchestrator is licensed and provisioned. -- Per-request policy is attached to virtual server. -- Client or backend server initiates SSL renegotiation. Impact: Reverse proxy traffic fails during SSL renegotiation. Workaround: If renegotiation is not required then it can be disabled on BIG-IP. The client SSL and server SSL profiles have 'Renegotiation' settings. If it is set to disabled, BIG-IP or SSL Orchestrator does not do SSL renegotiation. 1039609-1 : Unable to poll Dynamic routing protocols SNMP OID's on non-default route domainComponent: TMOS Symptoms: You are unable to extract the dynamic routing protocols configuration information via an SNMP walk. Conditions: Example taken below is for BGP: -- Create BGP config in non-default route-domain, establish peer with some router. -- Create snmp community in non-default route domain -- Run snmp walk for BGP4 mib (1.3.6.1.2.1.15). Certain key MIB OIDs from the BGP configuration like bgpPeerRemoteAddr,bgp4PathAttrIpAddrPrefixLen are missing. Impact: Dynamic routing protocols SNMP OID polling not working when they are in a non-default route-domain. 1039553-1 : Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitorsComponent: Global Traffic Manager (DNS) Symptoms: GTM virtual servers have the wrong status (up when they should be down, or down when they should be up, depending on the monitor's configuration). Conditions: -- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching. -- The monitor tries to match an HTTP status code other than 200 (for example, 301). -- The monitor uses HTTP version 1.0 or 1.1 for the request (the default is 0.9). Impact: The system incorrectly considers all non-200 responses a failed monitor attempt, despite what the user specified as acceptable status codes in the monitor's configuration. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions. Workaround: You can work around this issue in any of the following ways: -- Use HTTP version 0.9 for the monitor requests. -- Match on the 200 HTTP status code. -- Do not use HTTP status matching altogether. 1039349-1 : HTTP statistics not updatedComponent: Local Traffic Manager Symptoms: HTTP redirect stats are not incremented when a redirect occurs. Conditions: The virtual server to which the client will be connecting is configured with "fallback" setting on http profile and pool member is intentionally disabled to get the traffic redirect to another virtual. Impact: HTTP statistics are not updated 1039329-2 : MRF per peer mode is not working in vCMP guest.Component: Service Provider Symptoms: MRF diameter setup, in peer profile "auto-initialization" and "per peer" mode are enabled, but no connection attempts towards the pool member occur. When the mode is switched to "per tmm" or "per blade", connections are established. Conditions: The peer connection mode in the peer profile is set to "per peer". Impact: The "per peer" setting does not work. Workaround: Switch the connection mode to "per tmm" or "per blade" 1039277-4 : TMM coreComponent: Local Traffic Manager Symptoms: Tmm crashes while passing traffic Conditions: - http virtual server - httprouter - http2 profile Impact: Traffic disrupted while tmm restarts. 1039245-2 : Policy Properties screen does not load and displayComponent: Application Security Manager Symptoms: On the Security ›› Application Security : Security Policies : Policies List page, if you click one of the policies, the page gets stuck in " Loading policy general settings... " Conditions: This occurs if you try to view a policy that has no template associated Impact: Unable to use the GUI for the affected ASM policies. Workaround: # cp /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js /shared/TsuiAngularPoliciesScripts.min.js.bk # chmod 644 /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js # sed -i -e 's/"POLICY_TEMPLATE_GRAPHQL/p.policy.template\&\&"POLICY_TEMPLATE_GRAPHQL/' /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js # chmod 444 /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js # bigstart restart httpd 1039145-1 : Tenant mirroring channel disconnects with peer and never reconnects after failoverComponent: Local Traffic Manager Symptoms: `tmctl -d blade ha_stat` shows missing mirroring connections Conditions: This occurs with high availability (HA) pairs. Impact: HA mirroring does not function correctly Workaround: None 1039049-2 : Installing EHF on particular platforms fails with error "RPM transaction failure"Component: TMOS Symptoms: -- Installing an EHF fails with the error "RPM transaction failure" -- Errors similar to the following are seen in the liveinstall.log file: info: RPM: /var/tmp/rpm-tmp.LooFVF: line 11: syntax error: unexpected end of file info: RPM: error: %preun(fpga-tools-atlantis-15.1.3-0.0.11.i686) scriptlet failed, exit status 2 Conditions: -- Installing an EHF that contains the 'fpga-tools-atlantis' package -- Using the following platforms: + BIG-IP i4600 / i4800 + BIG-IP i2600 / i2800 + BIG-IP i850 Impact: EHF installation fails. Workaround: None 1039041 : Log Message: Clock advanced by |