f5 problem

Upload: binodkumarsatapathy

Post on 07-Jul-2018


TRANSCRIPT

  • 8/19/2019 f5 Problem

    1/58

    Overview

    A monitor is an important BIG-IP feature that verifies connections to pool members or nodes. A health monitor is designed to report the status of a pool, pool member, or node on an ongoing basis, at a set interval. When a health monitor marks a pool, pool member, or node down, the BIG-IP system stops sending traffic to the device.

    A failing or misconfigured health monitor may cause traffic management issues similar, but not limited, to the following:

    • Connections to the virtual server are interrupted or fail.

    • Web pages or applications fail to load or execute.

    • Certain pool members or nodes receive more connections than others.

    The previously-mentioned symptoms may indicate that a health monitor is marking a pool, pool member, or node down indefinitely, or that a monitor is repeatedly marking a pool member or node down and then back up (often referred to as a bouncing pool member or node). For example, if a misconfigured health monitor constantly marks pool members down and then back up, connections to the virtual server may be interrupted or fail altogether. You will then need to determine whether the monitor is misconfigured, the device or application is failing, or some other factor is occurring that is causing the monitor to fail (such as a network-related issue). The troubleshooting steps you take will depend on the monitor type and the observed symptoms.

    When experiencing health monitor issues, you can use the following troubleshooting steps:

    • Identifying a failing health monitor

    • Verifying monitor settings

    •  Troubleshooting monitor types

    •  Troubleshooting daemons related to health monitoring

    • Related articles

    Identifying a failing health monitor

    The BIG-IP software includes utilities (such as the Configuration utility, command line, or SNMP) that you can use to alert an administrator or help identify when a health monitor marks down a pool, pool member, or node. The utilities are defined in the following sections.

    Configuration utility


    The following table lists Configuration utility pages where you can check the status of pools, pool members, and nodes:

    Configuration utility page | Description | Location
    Network map | Summary of pools, pool members, and nodes | Local Traffic > Network Map > Show Map
    Pools | Current status of pool/members | Local Traffic > Pools > Statistics
    Pool members | Current status of pool/members | Local Traffic > Pools > Statistics
    Nodes | Current status of nodes | Local Traffic > Nodes > Statistics

    Command line utilities

    The following table lists command line utilities that allow you to monitor the status of pools, pool members, and nodes:

    CLI utility | Description | Example commands
    bigtop | Live statistics for pool members and nodes | bigtop -n
    bigpipe (10.x) | Statistical information about pools, pool members, and nodes | bigpipe pool show, bigpipe node show
    tmsh (10.x - 11.x) | Statistical information about pools, pool members, and nodes | tmsh show /ltm pool <pool_name>, tmsh show /ltm node <node_IP>

    Logs

    The BIG-IP system logs messages related to the health monitor to the /var/log/ltm file. Reviewing the log files is one way to determine the frequency with which the system is marking down pool members and nodes. Logging related to monitor state changes is as follows:

    • Pools

    When a health monitor marks all members of a pool down or up, messages that appear similar to the following example are logged to the /var/log/ltm file:

    tmm err tmm[4779]: 01010028:3: No members available for pool <Pool_name>
    tmm err tmm[4779]: 01010221:3: Pool <Pool_name> now has available members

    • Pool members

    When a health monitor marks pool members down or up, messages that appear similar to the following example are logged to the /var/log/ltm file:

    notice mcpd[2964]: 01070638:5: Pool member <ServerIP_port> monitor status down
    notice mcpd[2964]: 01070727:5: Pool member <ServerIP_port> monitor status up.

    • Nodes

    When a health monitor marks a node down or up, messages that appear similar to the following example are logged to the /var/log/ltm file:

    notice mcpd[2964]: 01070640:5: Node <ServerIP> monitor status down.
    notice mcpd[2964]: 01070728:5: Node <ServerIP> monitor status up.
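
    One way to measure how often each node or pool member changes state from these messages, and to flag the ones that bounce. This is an added example, not part of the F5 article; the function name, the threshold argument and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the F5 article): summarise monitor state changes per
# node / pool member from /var/log/ltm-style lines and flag bouncing targets.

# Constructed sample lines in the message formats quoted above (not real logs).
SAMPLE_LTM_LOG='Jan 21 15:04:43 local/bigip1 notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:04:43 local/bigip1 notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor status down.
Jan 21 15:04:48 local/bigip1 notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:04:51 local/bigip1 notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
Jan 21 15:04:59 local/bigip1 notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:05:04 local/bigip1 notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:05:05 local/bigip1 notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:21 monitor status node down.
Jan 21 15:05:30 local/bigip1 notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:21 monitor status up.'

# ltm_flap_report [MIN_FLIPS]
# Reads log lines on stdin and prints one line per target:
#   <kind> <target> downs=N ups=N flips=N last=<state> <verdict>
# A target with at least MIN_FLIPS (default 2) state changes is BOUNCING;
# one that went down and stayed down is DOWN.
ltm_flap_report() {
    awk -v min="${1:-2}" '
    {
        # Find the "monitor status" phrase; the target address precedes it.
        m = 0
        for (i = 2; i < NF; i++)
            if ($i == "monitor" && $(i + 1) == "status") { m = i; break }
        if (m < 3) next

        if ($(m - 2) == "Node") { kind = "node" }
        else if (m > 3 && $(m - 3) == "Pool" && $(m - 2) == "member") { kind = "member" }
        else { next }

        state = $(m + 2)
        if (state == "node") state = $(m + 3)      # "node down" on a pool member
        sub(/\.$/, "", state)
        if (state != "up" && state != "down") next  # skip "unchecked" and similar

        key = kind " " $(m - 1)
        if (state == "down") { downs[key]++ } else { ups[key]++ }
        if ((key in last) && last[key] != state) flips[key]++
        last[key] = state
    }
    END {
        for (key in last) {
            verdict = "OK"
            if (flips[key] + 0 >= min + 0) verdict = "BOUNCING"
            else if (last[key] == "down") verdict = "DOWN"
            printf "%s downs=%d ups=%d flips=%d last=%s %s\n",
                   key, downs[key], ups[key], flips[key], last[key], verdict
        }
    }' | sort
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_LTM_LOG" | ltm_flap_report 2
```

    On a BIG-IP system the same function can read the live file: ltm_flap_report 2 < /var/log/ltm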

    SNMP

    When the BIG-IP system is configured to send SNMP traps and a health monitor marks a pool member or node down or up, the system sends the following traps:

    • Pool members

    alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS {
       snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.10"
    }
    alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS_UP {
       snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.11"
    }

    • Nodes

    alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS {
       snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12"
    }
    alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS_UP {
       snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.13"
    }

    Verifying monitor settings

    It is important to verify that monitor settings are properly defined for your environment. For example, F5 recommends that you configure most monitors with a timeout value of three times the interval value, plus one. This is to prevent the monitor from marking the node down before the last check is sent.

    Simple monitors

    A simple monitor is used to verify the status of the destination node (or the path to the node through a transparent device). Simple monitors do not monitor individual protocols, services, or applications on a node, just the node address itself. The BIG-IP system provides the following pre-configured simple monitor types: gateway_icmp, icmp, tcp_echo, tcp_half_open. If you determine that a simple monitor is marking a node down, you can verify the following settings:

    Note: There are other monitor settings that can be defined for simple monitors. For more information, refer to the Configuration Guide for BIG-IP Local Traffic Management.

    • Interval/timeout ratio

    Configuring an appropriate interval/timeout ratio is important for simple monitors. In most cases, the interval/timeout should have a timeout value of three times the interval, plus one. For example, the default ratio is 5/16. Verify that the ratio is properly defined.

    • Transparent

    A transparent monitor uses a path through the associated node to monitor the aliased destination. Verify that the destination target device is reachable and configured properly for the monitor.

    Extended Content Verification (ECV) monitors

    ECV monitors use Send and Receive string settings to retrieve content from pool members or nodes. The BIG-IP system provides the following pre-configured monitor types: tcp, http, https, and https_443. If you determine that a simple monitor is marking a node down, you can verify the following settings:

    Note: There are other monitor settings that can be defined for ECV monitors. For more information, refer to the Configuration Guide for BIG-IP Local Traffic Management.


    • Interval/timeout ratio

    As with simple monitors, configuring the interval/timeout ratio is important for ECV monitors. In most cases, the interval/timeout should have a timeout value of three times the interval, plus one. For example, the default ratio for ECV monitors is 5/16. Verify that the ratio is properly defined.

    • Send string

    The Send string is a text string that the monitor sends to the pool member. The default setting is GET /, which retrieves a default HTML file for a website. If the Send string is not properly constructed, the server may send an unexpected response and be subsequently marked down by the monitor. For example, if the server requires the monitor request to be HTTP/1.1 compliant, you must adjust the monitor Send string.

    Note: For information about modifying HTTP requests for use with HTTP or HTTPS application health monitors, refer to the following articles:

    SOL2167: Constructing HTTP requests for use with the HTTP or HTTPS application health monitor
    SOL3224: HTTP health checks may fail even though the node is responding correctly
    SOL10655: CR/LF characters appended to the HTTP monitor Send string

    • Receive string

    The Receive string is the regular expression representing the text string that the monitor looks for in the returned resource. ECV monitor requests may fail and mark the pool member down if the Receive string is not configured properly. For example, if the Receive string appears too late in the server response, or the server responds with a redirect, the monitor marks the pool member down.

    Note: For information about modifying the monitor to issue a request to a redirection target, refer to SOL3224: HTTP health checks may fail even though the node is responding correctly.

    • User name and password

    ECV monitors have User Name and Password settings, which can be used for resources that require authentication. Verify whether the pool member requires authentication and ensure that the fields contain valid credentials.

    Troubleshooting monitor types

    Simple monitors

    Troubleshooting connectivity issues for a simple monitor is fairly straightforward. If you determine that a monitor is marking a node down (or the node is bouncing), you can use the following steps to troubleshoot the issue:

    1. Determine the IP address of the nodes being marked down.

    You can determine the IP address of the nodes that the monitor is marking down by using the Configuration utility, command line utilities, or log files. You can quickly search the /var/log/ltm file for node status messages using command syntax that appears similar to the following example:

    # cat /var/log/ltm |grep "Node" |grep "status"
    Jan 21 15:04:43 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.1 monitor status down.
    Jan 21 15:04:43 local/3400a notice mcpd[2964]: 01070640:5: Node 172.24.64.4 monitor status down.
    Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.200 monitor status down.
    Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.122 monitor status down.
    Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
    Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 11.1.1.1 monitor status down.
    Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor status down.
    Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.229 monitor status down.

    Note: If a large number of nodes are being marked down (or bouncing), you can sort the results by IP addresses.

    For example:

    cat /var/log/ltm |grep "Node" |grep "status" | sort -t . -k 3,3n -k 4,4n

    2. Check connectivity to the node.

    If there are occurrences of node addresses being marked down and not back up, or nodes bouncing, check the connectivity to the nodes from the BIG-IP system, using commands such as ping, traceroute (BIG-IP 10.x, 11.x) or tracepath (BIG-IP 9.x). For example, if you have determined that a simple monitor is marking the node address 10.10.65.1 down, you can attempt to ping the resource from the BIG-IP system as follows:

    # ping -c 4 10.10.65.1
    PING 10.10.65.1 (10.10.65.1) 56(84) bytes of data.
    64 bytes from 10.10.65.1: icmp_seq=1 ttl=64 time=11.32 ms
    64 bytes from 10.10.65.1: icmp_seq=2 ttl=64 time=8.989 ms
    64 bytes from 10.10.65.1: icmp_seq=3 ttl=64 time=10.981 ms
    64 bytes from 10.10.65.1: icmp_seq=4 ttl=64 time=9.985 ms

    Note: The previous ping output shows high round trip times, which may indicate a network issue or a slow responding node.

    In addition, make sure that the node is configured to respond to the simple monitor. For example, tcp_echo is a simple monitor type that requires that the TCP echo service is enabled on the nodes being monitored. The BIG-IP sends a SYN segment with information to be echoed by the receiving device.

    3. Check the monitor settings.

    Use the Configuration utility or command line utilities to verify that the monitor settings (such as the interval/timeout ratio) are appropriate for the node.

    For example, the following bigpipe command lists the configuration for the icmp_new monitor:

    bigpipe monitor icmp_new list

    The following tmsh command lists the configuration for the icmp_new monitor:

    tmsh list ltm monitor icmp_new

    4. Create a custom monitor (if needed).

    If you are using a default monitor and have determined that the settings are not appropriate for your environment, consider creating and testing a new monitor with custom settings.

    5. Use the tcpdump command to capture monitor traffic.

    If you are unable to determine the cause of a failing health monitor, it may be necessary to perform packet captures on the BIG-IP system.

    Note: For more information about running tcpdump, refer to SOL411: Overview of packet tracing with the tcpdump utility.

    ECV monitors

    Troubleshooting issues for ECV monitors involves several steps. If you determine that an ECV monitor is marking a pool member down (or the pool member is bouncing), you can use the following steps to troubleshoot the issue:

    1. Determine the IP address of the pool members that the monitor is marking down by using the Configuration utility, command line utilities, or log files.

    For example, search the /var/log/ltm file for pool member status messages as follows:

    # cat /var/log/ltm |grep -i "pool member" |grep "status"
    Jan 21 15:04:43 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:21 monitor status node down.
    Jan 21 15:04:43 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
    Jan 21 15:04:43 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
    Jan 21 15:04:43 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
    Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status node down.
    Jan 21 15:05:05 local/3400a notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status unchecked.

    2. Check connectivity to the pool member.

    As previously stated, check the connectivity to the pool members from the BIG-IP system using the ping or traceroute commands.

    3. Check the ECV monitor settings.

    Use the Configuration utility or command line utilities to verify that the monitor settings (such as the interval/timeout ratio) are appropriate for the pool members.

    For example, the following bigpipe command lists the configuration for the http_new monitor:

    bigpipe monitor http_new list


    The following tmsh command lists the configuration for the http_new monitor:

    tmsh list ltm monitor http_new

    4. Create a custom monitor (if needed).

    If you are using a default monitor and have determined that the settings are not appropriate for your environment, consider creating and testing a new monitor with custom settings.

    5. Test the response from the application.

    Use a command line utility on the BIG-IP system to test the response from the web application. For example, the following command uses the curl (and time) command and attempts to transfer data from the web server while timing the response:

    # time curl http://10.10.65.1
    <html>
    <head>
    ---
    </body>
    </html>

    real 0m18.032s
    user 0m0.030s
    sys 0m0.060s

    Note: If you want to test a specific HTTP request, including HTTP headers, you can use the telnet command to connect to the pool member.

    For example:

    telnet <serverIP> <serverPort>

    Next, at the prompt, enter an appropriate HTTP request line and HTTP headers, pressing Enter once after each line.

    For example:

    GET / HTTP/1.1 <enter>
    Host: www.yoursite.com <enter>
    Connection: close <enter>
    <enter>

    6. Use the tcpdump command to capture monitor traffic.

    Note: For more information about running tcpdump, refer to SOL411: Overview of packet tracing with the tcpdump utility.
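
    The Receive string failure cases described earlier (a redirect, or a match that appears too late in the response) can be checked offline against a response saved from the curl or telnet test in step 5. This is an added example, not part of the F5 article; the function names, the sample responses and the 5120-byte default search window are assumptions, and grep -E stands in for the monitor's regular-expression matching.

```shell
#!/bin/sh
# Added example (not from the F5 article): classify a saved HTTP response the
# way a Receive string check would, and report why a match fails.

# ecv_verdict RECEIVE_REGEX [WINDOW_BYTES]      (raw response on stdin)
# WINDOW_BYTES is an assumption: how much of the response is searched for the
# Receive string. Set it to the value documented for your BIG-IP version.
ecv_verdict() {
    recv=$1
    window=${2:-5120}
    resp=$(cat)
    # Status code is the second field of the status line ("HTTP/1.1 200 OK").
    status=$(printf '%s\n' "$resp" | head -n 1 | tr -d '\r' | awk '{ print $2 }')

    if printf '%s' "$resp" | head -c "$window" | grep -E -q -- "$recv"; then
        verdict="UP status=$status"
    elif printf '%s' "$resp" | grep -E -q -- "$recv"; then
        # The string is present, but only beyond the searched window.
        verdict="DOWN status=$status reason=receive-string-after-${window}-bytes"
    else
        case $status in
            3[0-9][0-9]) verdict="DOWN status=$status reason=redirect-not-followed" ;;
            *)           verdict="DOWN status=$status reason=receive-string-absent" ;;
        esac
    fi
    printf '%s\n' "$verdict"
}

# Constructed sample responses (not captured from a real server).
sample_ok() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
    printf '<html><body>Server is UP</body></html>\n'
}
sample_redirect() {
    printf 'HTTP/1.1 302 Found\r\nLocation: https://www.yoursite.com/login\r\n'
    printf 'Content-Length: 0\r\n\r\n'
}
sample_late() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>'
    # 600 x 12 bytes of padding pushes the marker past a 5120-byte window.
    awk 'BEGIN { for (i = 0; i < 600; i++) printf "<!-- pad -->" }'
    printf 'Server is UP</body></html>\n'
}

# Run against the constructed samples.
sample_ok       | ecv_verdict 'Server is UP'
sample_redirect | ecv_verdict 'Server is UP'
sample_late     | ecv_verdict 'Server is UP'
```

    To check a real pool member, pipe a saved response into the function with the monitor's own Receive string, for example: curl -s -i http://10.10.65.1/ | ecv_verdict '<Receive string>'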

    Troubleshooting daemons related to health monitoring

    The bigd process manages health checking for pool members, nodes, and services on the BIG-IP LTM system. The bigd process collects health checking status and communicates the status information to the mcpd process, which stores the data in shared memory so that the TMM can read it. If you are having monitoring issues, you can check the memory utilization of the bigd process. If the %MEM is unusually high, or continually increases, the process may be leaking memory.

    For example, to check the current memory utilization of bigd, use the ps command:

    # ps aux |grep bigd
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 3020 0.0 0.6 28208 10488 ? S 2010 5:08 /usr/bin/bigd

    Note: If the bigd process fails, the health check status of pool members, nodes, and services remain in their current state until the bigd process is restarted. For more information, refer to SOL6967: When the BIG-IP LTM bigd daemon fails, the health check status of pool members, nodes, and services remain unchanged until the bigd daemon is restarted.

    In addition, it is possible to run the bigd process in debug mode. Debug logging for the bigd process is extremely verbose, as it logs multiple messages for every monitor attempt. For information about running bigd in debug mode, contact F5 Technical Support.

    Supplemental Information

    • $:,553-8 Debug logging and ;ITT'$ health monitors

    • $:,-5,78 :vervie" of ;I

    • For more information about the bigtop utility, refer to SOL7318: Overview of the bigtop utility

    • 9or more information about the bigpipe utility% refer to the ;I15=98 GI ?evice anagement Overview to displa! device;trust;group

    535806 Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
    534630 Upgrade BIND to address CVE-2015-5477
    533458 Generate core file on HSB lockup
    533257 The tmsh config file merge may fail when AFM security log profile is present in merged file
    530122 Improvements in building "rolled up HF" images for hypervisors
    529509 CVE-2015-4620 BIND vulnerability
    527630 CVE-2015-1788 : OpenSSL Vulnerability
    527021 BIG-IQ iApp statistics corrected for empty pool use cases
    526419 Deleting an iApp service may fail


    524326 Can delete last IP address on a BIG-IP GTM server but cannot load a config with a BIG-IP GTM server with no IPs
    524126 The DB variable provision.tomcat.extramb is cleared on first boot
    523863 istats help not clear for negative increment
    523125 Disabling/enabling blades in cluster can result in inconsistent failover state
    523032 qemu-kvm VENOM vulnerability CVE-2015-3456
    520640 The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method
    520466 Ability to edit iCall scripts is removed from resource administrator role
    519877 External pluggable module interfaces not disabled correctly
    519394 Sync when licensed for ASM/AFM fails to sync pool with "Load balancing feature not licensed" error
    519068 Device trust setup can require restart of devmgmtd
    518039 BIG-IQ iApp statistics corrected for partition use cases
    517580 OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
    516669 sod core caused failover
    516618 CVE-2013-7424
    516184 IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values
    513974 Transaction validation errors on object references
    513916 String iStat rollup not consistent with multiple blades
    513649 Transaction validation errors on object references
    513454 An snmpwalk with a large configuration can take too long
    513382 Resolution of multiple OpenSSL vulnerabilities
    510119 HSB performance can be suboptimal when transmitting TSO packets
    509782 TSO packets can be dropped with low MTU
    509504 Excessive time to save/list a firewall rule-list configuration
    509503 The tmsh load sys config merge file "filename" takes significant time for firewall rulelist configuration
    507575 An incorrectly formatted NAPTR creation by way of iControl can cause an error
    507331 Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled
    507327 Programs that read stats can leak memory on errors reading files
    506041 Folders belonging to a device group can show up on devices not in the group


    506034 NTP vulnerabilities (CVE-2014-9297, CVE-2014-9298)
    502238 Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
    501517 A very large configuration can cause transaction timeouts on secondary blades
    500091 CVE-2015-0204 : OpenSSL Vulnerability
    499260 Deleting trust-domain fails when standby IP is in ha-order
    497564 Improve High Speed Bridge diagnostic logging on transmit/receive failures
    495335 BWC related TMM core
    490537 Persistence Records display in GUI might cause system to become unresponsive with large number of records
    486758 Management port unreachable after install
    483683 MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
    481696 Failover error message "sod out of shmem" in /var/log/ltm
    479460 SessionDb may be trapped in wrong HA state during initialization
    475647 VIPRION Host PIC firmware version 7.02 update
    473348 hbInterval value not set to 300 sec after upgrade
    472365 The vCMP worker-lite system occasionally stops due to timeouts
    470184 In Configuration utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List
    465009 VIPRION B2100-series LOP firmware version 2.10 update
    464043 Integration of Firmware for the 2000 Series Blades
    460456 FW RELEASE: Incorporate Whitethorne BIOS 2.06.214.0
    460444 VIPRION B4300 BIOS version 2.03.052.0 update
    460428 BIG-IP 2000-4000-series BIOS version 2.02.171.0 update
    460422 FW RELEASE: Incorporate Treadstone BIOS 4.01.006.0
    460406 VIPRION B2100-series BIOS version 1.06.043.0 update
    460397 FW RELEASE: Incorporate Victoria 2 BIOS 1.26.012.0
    455264 Error messages are not clear when adding member to device trust fails
    451602 DPD packet drops with keyed VLAN connections
    447075 CuSFP module plugged in during links-down state will cause remote link-up
    443298 FW Release: Incorporate Victoria2 LOP firmware v1.20
    441100 iApp partition behavior corrected
    436682 SFP modules show a higher optical power output for disabled switch ports


    420107 TMM could become unresponsive when modifying HTML profile configuration
    410398 sys db tmrouted.rhifailoverdelay does not seem to work
    405752 Monitors sourced from specific source ports can fail
    364978 Active/standby system configured with unit 2 failover objects
    362267 Configuring network failover on a VIPRION cluster using the blade management addresses results in "Cannot assign requested address" errors
    359774 Pools in HA groups other than Common
    355661 sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
    531576 TMM memory leak in traffic handling
    530963 BIG-IP TLS does not correctly verify Finished.verify_data on non-Cavium platforms
    530829 UDP traffic sent to the host may leak memory under certain conditions
    530795 In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number
    530769 F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment
    528432 Control plane CPU usage reported too high
    527826 IP Intelligence update failed: Missing SSL certificate
    527649 Upgrade will reset Ciphers field in clientssl or server ssl profiles to DEFAULT if the current cipherstring would have effectively contained no ciphersuites
    524666 DNS licensed rate limits might be unintentionally activated
    523079 Merged may stop responding when file descriptors exhausted
    522784 After restart, system remains in the INOPERATIVE state
    522147 "tmsh load sys config" fails after key conversion to FIPS using web GUI
    521813 Cluster is removed from HA group on restart
    521774 Traceroute and ICMP errors may be blocked by AFM policy
    521548 System possibly stops responding in SPDY
    521538 Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
    521522 Traceroute through BIG-IP may display destination IP address at BIG-IP hop
    521408 Incorrect configuration in BigTCP virtual servers can lead to TMM producing a core file
    521336 pkcs11d initialization retry might post misleading error messages and eventually result in pkcs11d creating a core file


    520540 HTTP Basic authentication may cause the TMM to stop responding if the header is too large
    518086 Safenet HSM Traffic failure after system reboot/switchover
    518020 Improved handling of certain HTTP types.
    517556 DNSSEC unsigned referral response is improperly formatted
    515759 Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
    515139 Active P session with inherit profile and address translation disabled may not decrement pool member current connections statistics
    514729 10.2.1 system with SSL profile specifying ciphers "DEFAULT:HIGH:MEDIUM" fails to upgrade to 11.5.1
    514604 Nexthop object can be freed while still referenced by another structure
    512383 Hardware flow stats are not consistently cleared during fastl4 flow teardown
    512062 A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
    510638 [DNS] Config change in dns cache resolver does not take effect until TMM restart
    507529 Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
    507127 DNS cache resolver is inserted into a wrong list on creation
    504899 Duplicated snat-translation addresses are possible (a named and an anonymous [created by snatpool] one)
    504105 DAG enabled UDP ports may be used as source ports for locally originated traffic
    503214 Under high load, crypto queues may become stuck
    502443 After enabling a blade, pool members are marked down because monitoring starts too soon
    501516 If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted
    499422 An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm
    497584 The RA bit on DNS response may not be set
    496758 Monitor Parameters saved to config in a certain order may not construct parameters correctly
    479682 TMM generates hundreds of ICMP packets in response to a single packet
    478617 Do not include maximum TCP options length in calculating MSS on ICMP PMTU

    478592 When using the SSL forward proxy feature, clients might be presented with expired certificates

    478439 Unnecessary re-transmission of packets on higher ICMP PMTU

    478257 Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed

    476097 TCP Server MSS option is ignored in verified accept mode

    474601 FTP connections are being offloaded to ePVA

    468472 Unexpected ordering of internal events can lead to TMM producing a core file

    468375 TMM stops responding when MPTCP JOIN arrives in the middle of a flow

    465590 Mirrored persistence information is not retained while flows are active

    462714 Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

    460627 SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists

    455762 DNS cache statistics no longer incremented improperly due to mirrored cache data

    454018 Nexthop to tmm0 ref-count leakage could cause TMM core

    452439 TMM may stop responding when enabling DOS sweep/flood if a TMM process has multiple threads

    451960 HTTPS monitors do not work with FIPS keys

    450814 Early HTTP response might cause rare 'server drained' assertion

    449848 Diameter Monitor not waiting for all fragments

    443157 zxfrd might stop responding when the zone file (zxfrd.bin) is deleted from the directory /var/db

    442686 DNSX Transfers occur on DNSX authoritative server change

    431283 iRule binary scan may core TMM when the offset is large

    422107 Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set

    422087 Low memory condition caused by Ram Cache may result in TMM producing a core file

    420341 Connection Rate Limit Mode when limit is exceeded by one client also throttles others

    419458 HTTP is more efficient in buffering data

    402412 FastL4 tcp handshake timeout is not honored, connection lives for idle timeout

    375887 Cluster member disable or reboot can leak a few cross blade trunk packets

    374339 HTTP::respond/redirect might make TMM unresponsive under low-memory conditions

    374067 Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

    352925 Updating a suspended iRule and TMM process restart

    342013 TCP filter does not send keepalives in FIN_WAIT_2

    526699 TMM might stop responding if BIG-IP DNS iRule nodes_up references an invalid IP/Port

    516685 ZoneRunner might fail to load valid zone files

    516680 ZoneRunner might fail when loading valid zone files

    515797 Using qos_score command in RULE_INIT event causes TMM to stop responding

    515033 [ZRD] A memory leak in zrd

    515030 [ZRD] A memory leak in Zrd

    496775 [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the BIG-IP monitor

    479084 ZoneRunner can fail to respond to commands after a VE resume

    471819 The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system, and Common Criteria mode is enabled

    465951 If net self description size >65K, gtmd restarts continuously

    353556 big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed

    225443 gtmparse fails to load if you add unsupported SIP monitor parameters to the config

    532030 ASM REST: Custom signature set created by way of REST is different than when created from GUI

    526856 "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency

    524428 Adding multiple signature sets concurrently by way of REST

    524004 Adding multiple signatures concurrently by way of REST

    523261 ASM REST: MCP Persistence is not triggered by way of REST actions

    523260 Apply Policy finishes with coapi_query failure displayed

    523201 Expired files are not cleaned up after receiving an ASM Manual Synchronization

    520796 High ASCII characters availability for policy encoding

    520585 Changing security policy application language is not validated or propagated properly

    520280 Perl produces a core file after applying policy action

    516523 Full ASM ConfigSync was happening too often in a Full Sync Auto-Sync Device Group

    516522 After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty

    514061 False positive scenario caused SMTP transactions to hang and eventually reset

    512668 ASM REST: Unable to Configure Clickjacking Protection by way of REST

    510499 Enforcer stops responding after Sync in an ASM-only Device Group

    506407 Certain upgrade paths to 11.6.x would lose the redirect URL configuration for Alternate Response Pages

    487420 BD stops responding upon stress on session tracking

    533098 Traffic capture filter not catching all relevant transactions

    531526 Missing entry in SQL table leads to misleading ASM reports

    525708 AVR reports of last year are missing the last month data

    519022 Upgrade process fails to convert ASM predefined scheduled-reports

    539013 DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

    537000 Installation of Edge Client can cause Windows 10 to stop responding in some cases

    534755 Deleting APM virtual server produces ERR_NOT_FOUND error

    532522 CVE-2015-1793

    532394 Client to log value of "SearchList" registry key

    532096 Machine Certificate Checker is not backward compatible with 11.4.1 (and earlier) when MatchFQDN rule is used

    531883 Windows 10 App Store VPN Client must be detected by BIG-IP APM

    531483 Copy profile might end up with error

    530697 Windows Phone 10 platform detection

    529392 Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script

    528726 AD/LDAP cache size reduced

    528675 BIG-IP EDGE Client can indefinitely stay in a "disconnecting..." state when captive portal session expired

    527799 OpenSSL library in APM clients updated to resolve multiple vulnerabilities

    526833 Reverse Proxy produces JS error: 'is_firefox' is undefined

    526754 F5unistaller.exe stops responding during uninstall

    526617 TMM stops responding when logging a matched ACL entry with IP protocol set to 255

    https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16937.html

    526578 Network Access client proxy settings are not applied on German Windows

    526492 DNS resolution fails for Static and Optimized Tunnels on Windows 10

    526275 VMware View RSA/RADIUS two factor authentication fails

    526084 Windows 10 platform detection for BIG-IP EDGE Client

    525920 VPE fails to display access policy

    525562 Debug TMM stops responding during initialization

    525429 DTLS renegotiation sequence number compatibility

    525384 Networks Access PAC file now can be located on SMB share

    524909 Windows info agent could not be passed from Windows 10

    524756 APM log is filled with errors about failing to add/delete session entry

    523431 Windows Cache and Session Control cannot support a period in the access profile name

    523390 Minor memory leak on IdP when SLO is configured on bound SP connectors

    523329 When BIG-IP is used as SAML Identity Provider (IdP), TMM may restart under certain conditions

    523327 In very rare cases Machine Certificate service may fail to find private key

    523222 Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending

    521835 [Policy Sync] Connectivity profile with a customized logo fails

    521773 Memory leak in Portal Access

    521506 Network Access does not restore loopback route on multi-homed machine

    520705 Edge client contains multiple duplicate entries in server list

    520642 Rewrite plugin should check length of Flash files and tags

    520390 Reuse existing option is ignored for smtp servers

    520298 Java applet does not work

    520205 Rewrite plugin could stop responding on malformed ActionScript 3 block in Flash file

    520145 [Policy Sync] OutOfMemoryError exception when syncing a big and complex APM policy

    520118 Duplicate server entries in Server List

    519966 APM "Session Variables" report shows user passwords in plain text

    519864 Memory leak on L7 Dynamic ACL

    519415 BIG-IP APM network access tunnel ephemeral listeners ignore iRules (related-rules from main virtual)

    519198 [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user

    518981 RADIUS accounting STOP message may not include long class attributes

    518260 Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message

    517988 TMM may stop responding if access profile is updated while connections are active

    517872 Include proxy hostname in logs in case of name resolution failure

    517564 APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port

    517441 apd may stop responding when RADIUS accounting message is greater than 2K

    517146 Log ID 01490538 may be truncated

    516839 Add client type detection for Microsoft Edge browser

    516462 Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines

    516075 Linux command line client fails with on-demand cert

    515943 "Session variables" report may show empty if session variable value contains non-English characters

    514912 Portal Access scripts had not been inserted into HTML page in some cases

    514220 New iOS-based VPN client may fail to create IPv6 VPN tunnels

    513969 UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running

    513953 RADIUS Auth/Acct might fail if server response size is more than 2K

    513706 Incorrect metric restoration on Network Access on disconnect (Windows)

    513581 TMM occasionally stops responding when http payload is scanned through SWG

    513283 Mac Edge Client does not send client data if access policy expired

    513201 Edge client is missing localization of some English text in Japanese locale

    513165 SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute

    513098 localdb_mysql_restore.sh failed with exit code

    512345 Dynamic user record removed from memcache but remains in MySQL

    512245 Machine certificate agent on OS X 10.8 and OS X 10.9 uses local hostname instead of hostname

    511961 BIG-IP Edge Client does not display logon page for FirePass

    511854 Rewriting URLs at client side does not rewrite multi-line URLs

    511648 On standby, TMM can produce a core file when active system sends leasepool HA commands to standby device

    511441 Memory leak on request Cookie header is longer than 1024 bytes

    510709 Websso start URI match fails if there are more than 2 start URIs in SSO configuration

    510596 Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty

    510459 In some cases Access does not redirect client requests

    509490 [IE10]: attachEvent does not work

    507681 Window.postMessage() does not send objects in IE11

    507321 JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields

    507116 Web-application issues and/or unexpected exceptions

    506223 A URI in request to cab-archive in iNotes is rewritten incorrectly

    505755 Some scripts on dynamically loaded html page could be not executed

    504461 Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it

    500938 Network Access can be interrupted if second NIC is disconnected

    500450 ASM and APM on same virtual server caused Set-Cookie header modification done by ASM to be not honored by APM websso

    498782 Config snapshots are deleted when failover happens

    497627 TMM cores while using APM network Access and no leasepool is created on the BIG-IP system

    497118 TMM may restart when SAML SLO is triggered

    495702 Mac Edge Client cannot be downloaded sometimes from management UI

    495336 Logon page is not displayed correctly when "force password change" is on for local users

    494565 CSS patcher stops responding when a quoted value consists of spaces only

    494189 Poor performance in clipboard channel when copying

    493006 Export of huge policies might end up with 'too many pipes opened' error

    492701 Resolved LSOs are overwritten by source device in new Policy Sync with new LSO

    492305 Recurring file checker does not interrupt session if client machine has missing file

    492149 Inline JavaScript with HTML entities may be handled incorrectly

    490830 Protected Workspace is not supported on Windows 10

    488736 Fixed problem with iNotes 9 Instant Messaging

    488105 TMM may generate core file during certain config change

    487399 VDI plugin stops responding when View client disconnects prematurely

    483792 When iSession control channel is disabled, do not assign app tunnel, MSRDP, opt tunnel resources

    483286 APM MySQL database full as log_session_details table keeps growing

    482699 VPE displaying "Uncaught TypeError"

    482269 APM support for Windows 10 out-of-the-box detection

    482266 Network Access cannot be established for Windows 10

    482251 Portal Access. Location.href(url) support is added

    482241 Windows 10 cannot be properly detected

    482145 Text in buttons are not centered correctly for higher DPI settings

    480761 Fixed issue causing TunnelServer to stop responding during reconnect

    479451 Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth

    478492 Incorrect handling of HTML entities in attribute values

    478333 Edge-Client client shows an error about corrupted config file, when user's profile and temp folders located on different partitions

    474779 EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails

    474698 BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions

    474058 When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions

    473255 Javascript submit() method could be rewritten incorrectly inside of 'with' statement

    472256 The tmsh and tmctl report unusually high counter values

    472062 Unmangled requests when form.submit with arguments is called in the page

    471874 VDI plugin stops responding when trying to respond to the client after the client has disconnected

    471117 iframe with JavaScript in 'src' attribute not handled correctly in IE11

    468441 OWA2013 may work incorrectly by way of Portal Access in IE10/11

    468433 OWA2013 may work incorrectly by way of Portal Access in IE10/11

    468137 Network Access logs missing session ID

    466745 Cannot set the value of a session variable with a leading hyphen

    464547 Show proper error message when VMware View client sends invalid credentials to APM

    461597 MAC edge client does not follow HTTP 302 redirect if new site has untrusted self-signed certificate

    457902 No EAM- log stacktrace in /var/log/apm on EAM crash event.

    457760 EAM not redirecting stdout/stderr from standard libraries to /var/log/apm

    457603 Cookies handling issue with Safari on iOS6, iOS7

    457525 When DNS resolution for AppTunnel resource fails, the resource is removed

    454784 in VPE %xx symbols such as the variable assign agent might be invalidly decoded

    454086 Portal Access issues with Firefox version 26.0.0 or later

    453455 Added support of SAML Single Logout to Edgeclient

    452527 Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode

    452163 Cross-domain functionality is broken in AD Query

    451469 APM User Identity daemon does not generate a core file

    442528 Demangle filter stops responding

    440841 sso and apm split tunneling log message is at notice level

    438969 HTML5 VMware View Client does not work with APM when virtual server is on non-default route domain

    437744 SAML SP service metadata exported from APM may fail to import

    437670 Race condition in APM windows client on modifying DNS search suffix

    425882 Windows EdgeClient's configuration file could be corrupted on system reboot/sleep

    424936 apm_mobile_ppc.css has duplicate 1st line

    423282 BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence

    420512 All Messages report does not display any data when the Log Levels are selected to filter data based on Log Levels

    416115 Edge client continues to use old IP address even when server IP address changed

    408851 Some Java applications do not work through BIG-IP server

    402793 APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients

    522231 TMM may stop responding when a client resets a connection

    521455 Images transcoded to WebP format delivered to Edge browser

    514785 TMM stops responding when processing AAM-optimized video URLs

    511534 A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load

    476460 WAM Range HTTP header limited to eight ranges

    421791 Out of Memory Error

    497389 Extraneous dedup_admin core

    461216 Cannot rename some files using CIFS optimization of the BIG-IP system

    457568 Loading of configuration fails intermittently due to WOC Plug-in-related issues

    521556 Assertion "valid pcb" in TCP4 with ICAP adaptation

    516057 Assertion 'valid proxy' can occur after a configuration change with active IVS flows

    512054 CGNAT SIP ALG - RTP connection not created after INVITE

    511326 SIP SUBSCRIBE message not forwarded by the BIG-IP system when configured as SIP ALG with translation

    503652 Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit

    499701 SIP Filter drops UDP flow when ingress len limit is reached

    480311 ADAPT should be able to work with OneConnect

    448493 SIP response from the server to the client gets dropped

    533808 Unable to create new rule for virtual server if order is set to "before"/"after"

    533336 Display 'description' for port list members

    530865 AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)

    524748 PCCD optimization for IP address range

    523465 Log an error message when firewall rule serialization fails due to maximum blob limit being hit

    515187 Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules

    515112 Delayed ehash initialization causes crash when memory is fragmented

    513565 AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept

    510226 All descriptions for ports-list's members are flushed after the port-list was updated

    509919 Customer may experience incorrect counter update for SelfIP traffic on cluster

    497671 iApp GUI: Unable to add FW Policy/Rule to context by way of iApp

    495432 Add new log messages for AFM rule blob load/activation in datapath

    485880 Unable to apply ASM policy with forwarding CPM policy using the GUI, generic error

    468688 Initial sync fails for upgraded pair (11.5.x to 11.6)

    459024 Error L4 packets were hitting configured WL entries protocol was not being matched for them

    526295 BIG-IP stops responding in debug mode when using PEM iRule to create a session with calling-station-id and called-station-id

    511064 Repeated install/uninstall of policy with usage monitoring stops after second time

    495913 TMM produces a core file when CCA-I policy received with uninstall

    491771 Using catch to suppress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic

    478399 PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-aware" profile is configured

    464273 PEM: CCR-I for the Gx session has only one subscriber ID type, even if the session created has more than one type

    450779 PEM source or destination flow filter attempts to match against both source and destination IPs of a flow

    449643 Error message "Gx uninit failed" and "Gy unint failed" received during boot of the system

    439249 PEM: Initial quota request in the rating group request is not as configured

    438608 PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU)

    438092 PEM: CCR-U triggered by RAR during Gy session will not have Requested Service Unit (RSU)

    514236 [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses

    525595 Fix memory leak of inbound sockets in restjavad

    509273 hostagentd consumes memory over time

    509120 BIG-IQ is unable to discover older BIG-IP versions due to over-zealous grooming

    511651 CVE-2015-5058: Performance improvement in packet processing

    11.5.3

    HF1 511651 Performance improvement in packet processing

    If an APM policy sync puts the new policy on a member of a sync-failover device group, the sync of the sync-failover group failed. This now succeeds.

    https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17047.html

    449100 Tunnel interfaces can be used by iRule nexthop/lasthop commands to set a flow's nexthop/lasthop behaviors. 1. To send traffic to the tunnel, use "nexthop tun0 ..." on CLIENT_ACCEPTED iRule event, or "lasthop tun0 ..." on SERVER_CONNECTED iRule event. 2. A point-to-point tunnel can be supplied with an IP address, although it does not have an effect. 3. A wild-card tunnel can be supplied with the IP address of the remote-point to build the tunnel on the fly.

    455311 vCMP guest's access to the management network of the hypervisor has been restricted.

    457166 An issue has been resolved that affected the ability to modify a vCMP guest's management network mode.

    459155 Included the physdev netfilter module into the BIG-IP kernel package.

    459694 vCMP guest's ability to interfere with the management network of the hypervisor has been restricted.

    459753 "bigstart restart" on a secondary blade no longer causes clusterd to restart continuously.

    459973 The Include Cluster option in the HA Group configuration cannot be disabled using the Configuration utility.

    462315 Saving a single partition out of the configuration ('save sys config' with the 'partitions { p1 }' option) now writes the configuration file properly. It previously appended to the file but now overwrites it as it should.

    462493 Resolved issue where rewrite CSS filter/parser may use stale iovs in declaration_state resulting in SIGSEGV.

    470796 CVE-2014-4023.

    471020 Non-administrative users cannot modify Client SSL profiles.

    471704 The vcmpd process is no longer vulnerable to malicious data passed from a vCMP guest.

    476157 Security patches applied to krb5 library.

    477959 Internal structure improvements, no customer facing functionality changes have been made.

    478922 Resolved issue that ICSA logging did not contain information that is required for certification.

    481648 The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.

    483436 Update to AWS License files.

    484453 Harmless messages logged with LOP daemon registration.

    484635 Update openssl to latest version.

    487800 The guest-specific configuration information blocks are now isolated from each other and the hypervisor is protected against invalid data injected by a vCMP guest.

    474805 Internal build improvement.

    476521 Use true timeout instead of retries limit when initializing the FIPS device, and subsequently power cycle the unit to recover the FIPS device.

    https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15297.html
    https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15788.html
    https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15853.html

    477611 Apply Round Robin DAG to icmp echo only.

    477888 ICSA logging is no longer missing information that is required for certification.

    479157 BIG-IP platform 10000s/10200v/10250v/B4300/B4340N is susceptible to parity error.

    483767 MAC address conflicts no longer occur between vCMP guests.

    484399 OVA will only create one slot and leave the remaining disk space free.

    486514 The crash that happens in the AFM logging module, when the TCP connection to a log destination server is re-established, is fixed.

    488461 Improve base build process and remove duplicate code.

    492333 Resolved a sys-icheck bug that caused an auto_schema misconfiguration. This occurs on all platforms.

    492460 This error message previously occurred intermittently when trying to delete a virtual server and use sFlow: 01070265:3: The Virtual Server () cannot be deleted because it is in use by a sflow http data source (). This no longer occurs.

    226892 Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.

    424931 Creation of a large file, such as a UCS archive is now handled correctly, and the csyncd process no longer causes high CPU utilization.

    428864 Lowering the virtual server connection limit now works, even when traffic is already being processed.

    433946 Benign rsync errors are no longer logged in /var/log/ltm and instead are tracked by way of stats in the 'csync_stat' table.

    436097 When the TMM restarts, pkcs11d also must be restarted automatically if present.

    436811 BIG-IP database monitors may report an incorrect pool member status.

    437825 This spurious error message may have previously been displayed when the local user database feature was configured: 01071704:3: Not running command (/usr/libexec/localdb_mysql_restore.sh) because the request came from an untrusted connection. This error message has always been harmless, but now it no longer is displayed.

    437906 WebSockets and the HTTP CONNECT method now work with OneConnect.

    439424 SafeNet HSM install now needs to be done only on the primary slot on the BIG-IP cluster-mode chassis systems such as VIPRION. A single install on the primary slot will take care of installing SafeNet on all active slots. On any already-open sessions to the BIG-IP slots, the PATH environment variable will need to be reloaded by running 'source ~/.bash_profile' to be able to use SafeNet utilities. If at a later stage a new blade is added or a disabled, or a powered-off blade is made active or is powered-on, the user will have to run 'safenet-sync.sh -p ' *only* on the new secondary slot. If the new slot is made primary before running safenet-sync.sh on it, then the regular install procedure using nethsm-safenet-install.sh will be required on the new primary slot.

    https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15888.html
    https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14862.html

    439490 The BIG-IP system now reconnects to SafeNet HSM if the connection is interrupted, so connections continue as expected.

    439513 NETHSM: Initial few connection drops after each TMM restart.

    439540 Restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".

    441894 Pkcs11d watchdog functionality avoids manual restart.

    443098 The Proxy SSL feature no longer leaks memory.

    447515 The TMM process may resume a suspended iRule on the wrong connection flow.

    449798 The BIG-IP system may not correctly monitor pool members after the mcpd process restarts.

    450031 The BIG-IP system may incorrectly log 'Limiting closed port RST response' messages.

    450804 Improved TLS finish messages.

    451218 Corrected Nitrox TLS padding.

    452121 The BIG-IP system now supports multiple SafeNet network-HSMs configured in an HA group.

    452628 Add a bigdb variable for the pkcs11d threads.

    453358 Memory leak is fixed.

    454465 Corrected TMM TLS padding.

    454476 In the event of an invalid parameter in the clienthello, the correct TLS version will be set in the alert.

    454636 The logging destination IP address only matches virtual servers, so no HSL logging is lost.

    454692 Assigning 'after' object to a variable no longer causes memory leaks.

    456859 Interface to hardware compression has improved allocation strategy.

    458556 The TMM will no longer produce a core file on startup when traffic arrives before transitioning to cmp ready.

    460868 The TMM no longer crashes if network HSM is improperly configured.

    461578 Large session object handling is improved.

    462163 Allow Non Blade 0 MPI communication even after congestion.

    462649 The TMM no longer crashes under heavy load.

    463902 Flat-buffer allocator for hardware compression tuned to be less greedy.

    464163 Customized cert-key-chain of the child client-ssl profile is reverted to parent's profile cert-key-chain during config load.

    467868 Ensured that monitor reason strings no longer leak.

    469705 TMM will set a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.

    471073 Now, when TMM is restarted, all HA connections are reestablished.

    https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15579.html
    https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15255.html
    https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15647.html

  • 8/19/2019 f5 Problem

    29/58

    474757 OpenSSL Security Advisory 8/6/14 (1.0.1i Update).

    477967 MPTCP component now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.

    480113 FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.

    480699 Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of TMMs, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.

    483328 Virtual servers with Client SSL profiles may not respond to SSL handshakes after a ConfigSync.

    485188 When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.

    488208 Can properly upgrade to OpenSSL 1.0.1j without breaking RSA PKCS#1.5 decryption.

    470394 The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.

    470994 The TMM now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.

    475055 Resolved core caused by accounting miscalculation of Nitrox IO flows.

    477753 This change allows you to use immediate idle timeout on UDP serverside flows as a workaround for SIP message loss and/or connection failures if (and only if) the logic of the SIP processing does not expect any return traffic to match the serverside connections. Configuration that requires this workaround, but which expects return traffic to match the serverside flow, could not have worked correctly (without specific iRule based band-aids) even before the first affected version.

    480299 The Virtual Address throttling delayed update mechanism has been made more robust, and will now send delayed updates (roughly 3 seconds after change) regardless of previous status, guaranteeing that Virtual Address status will reach all subscribers.

    483974 Unrecognized options are now ignored.

    484429 The TMM will still log critical-level messages, but the system continues to function properly.

    486066 The TMM does not produce a core file.

    477240 SSL will properly renegotiate rather than terminate connections when the session expires.

    487808 Cost link load balancing software support has reached EOL.

    248487 The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.

    434461 Improved the system's integration with Guardium.

    https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15851.html

    435520 Fixed an issue that occasionally stopped you from deleting an ASM security policy that was created using a template after you rolled-forward the policy's configuration from a previous version.

    454142 Resolved intermittent Enforcer crash due to specific requests.

    461028 vCMP: Fixed an issue that caused the Enforcer to crash in a clustered environment.

    471103 There is a new internal parameter: "ignore_null_in_multipart_text". When the internal parameter is set, a null in request violation is not issued when a null appears in the request. If the parameter is defined as file upload in the security policy, no violation is issued. If the parameter is defined as something else, the violation "null in multipart request" is issued. If the parameter is not defined in the security policy, the violation "null in request" is issued.

    476179 Brute force reporting: The brute force reported operation mode (Transparent or Blocking) is now the same when the attack starts and ends. Previously, the system would occasionally change the operation mode logged when the attack ended.

    476191 To enable you to bypass unicode validation on XML and JSON profiles, we added two internal parameters:
    - relax_unicode_in_xml: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce an XML malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's XML parser.
    - relax_unicode_in_json: The default is 0 which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce a JSON malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's JSON parser.

    481572 Fixed an issue that caused the system to not report a navigation parameter that appeared in the POST data.

    481792 Fixed an issue where specific requests occasionally caused the Enforcer to stop responding.

    476621 Fixed an issue where Bot Detection in the Web Scraping feature created JavaScript errors in the web application using Internet Explorer.

    483491 Fixed a memory corruption issue.

    481541 Memory leak in the MonPD daemon that occurs in some situations has been resolved.

    486327 Web Application Security Administrator added to the list of allowed administrators.

    337178 BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used.

    398657 Resolved on all platforms where the active session count might be significantly large, at times, likely due to a counter underflow.

    403660 Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.

    418850 AD may now be the last auth agent in the VMware view access policy. Username/password/domain preserved and then passed to the backend.

    420989 When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.

    420990 Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.

    421901 showrestorebutton:i:0 can be specified in RDP Custom Parameters. Users will no longer see this 'Restore down' button.

    422818 "Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.

    426623 Improved PAC file download mechanisms.

    427830 Network Access connection will not be established if PAC file specified in NA resource cannot be downloaded within 30 seconds.

    429362 Edge Client properly reconnects when network connectivity is restored. Previously full reconnection was done in this case and the previous session was not removed.

    430531 Computer group policy settings are updated after establishing VPN connection with Windows Logon Integration.

    431810 Fix unexpected exceptions when using Kerberos auth agent in a multi-domain SSO configuration.

    432333 Java Application Tunnels now work when Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to 127.0.0.1 due to limitations of this mode.

    433243 BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.

    436177 Fixed arbitrary commands execution: check cab file and webpage are located on same server.

    436180 Edge Client will only install controls from trusted hosts.

    436183 Check if critical section object was initialized before deleting it.

    438292 Resolved issue of Web AppTunnel re-using wrong existing loopback for different backend server IP.

    438730 Fixed BSOD caused by DNS relay filtering driver in a very specific condition on Windows XP SP3.

    439280 BIG-IP Edge Client installation may trigger a Windows 8.1 system failure.

    440792 Client proxy settings specified in a Network Access resource are applied without an occasional miss now.

    441318 BIG-IP APM password updates may fail for user account names that contain a period character.

    441355 Improved VMware View native client error reporting and prompting for the new password.

    441507 SWF patcher now behaves properly.

    441830 Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.

    https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15776.html
    https://support.f5.com/kb/en-us/solutions/public/15000/300/sol15370.html

    442598 Do not close session if session timeout check request fails.

    447013 Browser detection JavaScript improved to support Internet Explorer 11.

    447302 APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.

    449141 Have improved notifications to the user when the BIG-IP Edge Client must reboot to complete updates.

    450155 Fixed incorrect handling of component installer that resulted in an MSI installer to act as though installation had failed.

    451213 Added logs to distinguish static IP allocation from dynamic IP allocation.

    451864 Always preserve locally configured DNS suffixes when establishing VPN connection.

    452614 Edge client now contains RSA SecurID software token support for OS X.

    452618 LDAP servers in a pool will now timeout correctly if a node cannot be reached.

    452621 Logon page changes for integrating RSA Soft token SDK with the edge client.

    452625 Edge client cannot automatically retrieve RSA SecurID software token if configured on Logon page.

    453188 Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled.

    454322 When Allow Local DNS Servers option is enabled, DNS servers from interfaces that are down, will not be added to VPN exclusion list.

    456911 A certain scenario in BIG-IP GTM deployment was fixed where access to certain corporate resource might be denied despite network access connection.

    458167 Improve logging and error code checks for EAM OAM component.

    459870 Now BIG-IP Edge Client in Always Connected mode properly processes cancelling captive portal detection.

    459953 When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged.

    460265 apmd crashes with null tcl interpreter object. This is now fixed.

    462258 After fix, an ldap operation times out in 3 minutes, so a thread will not block any other operation, and service can recover as soon as connection to the backend is restored.

    462481 OAM code is fixed with proper exception handling where Oracle API calls are made.

    463505 Added factor authentication support for the Edge Client soft token integration.

    463538 Edge Client now correctly sends PIN for RSA Soft Token clients while in New Pin mode.

    463735 [SecurID SDK] In case of PIN change, user is prompted to input Passcode to PIN field.

    463776 VMware View client does not freeze when APM PCoIP is used and user authentication fails against VCS 5.3.

    464313 Now dynamically created forms with absolute action path are handled correctly, even with a non-empty BASE tag.

    464319 [SHP2013][IE10-IE11]: Calendar widget does not work in Announcement edit page. This is now fixed.

    466605 JavaScript: Portal Access variable 'r' is now a local variable.

    466617 Now routes for Exclude Address Space are correctly removed when NA connection is terminated if the client was switched to another network.

    466797 Now EdgeClient shows warning about session expiration when maximum session timeout is reached.

    466898 Enterprise Manager now reports work correctly when accessed through Portal Access.

    467287 Previously, Policy Sync would add whitespace to Forms-based SSO configuration objects, which prevented the configuration from running. Now Forms-based SSO configuration does not have whitespace added and the configuration runs as expected.

    467597 InspectionHost plugin will now be installed to the "current user" profile (as opposed to all users) and, therefore, will no longer prompt for administrative password.

    468478 When the 32 storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.

    469960 Implemented a throttling mechanism, so that when the number of fds in the queue reaches a certain threshold, apd will stop accepting new requests, until the number of fds in the queue decreases to a defined level. We introduced three db-variables - to enable/disabling throttling - to define a high water mark beyond which release of any connection handle will be stopped, and - a low water mark to allow further connection from TMM.

    470225 Machine Certificate checker now correctly works in Internet Explorer 11.

    471014 Openssl improvements.

    471331 Fixed intermittent resets when access policy execution in progress simultaneously from multiple browser tabs.

    471452 When URLs from multiple browser tabs starts access policy, the landing URL is set to the URL from the browser that finished the access policy execution.

    471714 CRLF is used at the end of the header and as a separator between header and email body in emails generated by APM Email agent, conforming to RFC 5322.

    471825 Emails sent by 'Email Action' agent when received by certain SMTP servers contains empty body. Email agent was updated to comply with RFC 5322 to include "Date:" header.

    471893 A problem in which the BIG-IP system, when configured as a SAML IdP, might reboot TMM when running SLO protocol in certain conditions has been fixed.

    472040 TMM with BZ 455113 no longer crashes when using the ACCESS::session iRule command.

    472216 Fixed alignment of the connection duration counter for customized Edge Clients.

    472825 Dashboard no longer displays a dip in active session count when primary blade comes back from a reboot.

    478285 An issue with routing table not being restored correctly in multi-homed environment when server settings disallow local subnet access is now fixed.

    479524 Portal Access no longer crashes if the URL in a "Refresh" header matches a Portal Access bypass list entry.

    479715 The errant behavior is caused by an improper URL being presented by the error page. When APM checks the improper URL, the same error page is issued. This has now been corrected.

    480047 BIG-IP EdgeClient can now generate CTU report.

    480247 Edge client does not update its application directory anymore, instead it uses Library/Application\ Support directory.

    480360 MAC edge client was fixed so that it does not block textexpander's functionality.

    480995 APM client components are now using extended logging by default.

    481020 Resolved intermittent routing table issue that caused Traffic to not flow through tunnel if proxy server is load balanced.

    481046 Wrapper for scriptTag.text='source script' is fixed to rewrite 'source script' for all browsers.

    481203 While creating memcache entry, the username is normalized into utf8 lower case. This ensures that there is only one entry for all combinations of usernames.

    481257 CTU report now includes information on "OPSWAT Integration Libraries V3".

    481663 If the customer does not need optimized tunnels, app tunnels, or remote desktop, they can safely disable (run disable) the db variable "isession.ctrl.apm", which disables the isession. They would then run "bigstart restart tmm apd" so the db variable takes effect.

    483113 A cosmetic issue with the server selection menu showing white background is now fixed.

    483379 An issue with Edge Client consuming high CPU and having unresponsive menu icon is now fixed.

    484315 Security patches applied to krb5 library.

    485304 Fixed root cause of crash - improper memory management.

    485465 Issue causing TMM core is fixed.

    486661 This is an RFE feature.

    487472 An issue with Java installer failing to install the InspectionHost plugin and creating a zero byte file under ~/Library/Internet Plug-Ins is fixed.

    467633 Ensured extra spaces was not added to the minified CSS.

    426482 The Octeon will now properly handle decompressing large files without any failures.

    479889 Memory leaks on iSession + iControl setup have been resolved.

    480305 Fixed iControl isession memory leak issue set proper log level to prevent log flooding.

    472376 Drop processing the message if the ingress pcb is no longer present.

    478442 Core in sip filter no longer occurs when sending HUDEVT message while processing of HUDCTL message.

    429885 When operating in firewall (AFM) mode, for example, default deny, the BIG-IP system now counts and logs (if enabled) any traffic that does not match a Virtual or Self IP and is being dropped or rejected.

    478816 An enhancement that allows logging the TCP events and errors on fastL4 virtual.

    480194 Perform VS DWBL lookup after accept-decisive firewall rule matches at global level.

    481189 The load factor controls the minimum percentage of fullness that needs to be reached before the table is expanded to a larger size. Setting the load factor to 25, by default, prevents the firewall rule compiler from growing the table size too aggressively and results in big firewall BLOB.

    481706 Improved security logging to reduce incorrect messages.

    484013 Fixes a memory leak when TMM is overloaded, and forwards flows to the peer, and packet classification is enabled with "log translation fields" in the logging.

    478462 Whitelist counts now increment appropriately.

    480125 100+ rules may now be displayed in the active rules page.

    476904 Adjusted Logging levels to remove potentially confusing messages.

    456963 Fixed NULL pointer dereference.

    482442 State changes for wide IPs should be updated correctly when the "Update" button is clicked in the Configuration utility wide IP properties page.

     

    11.5.1 HF5

    365764 It is now possible to run a UCS load even if there are partitions still containing GTM objects.

    376120 tmrouted no longer restarts when reconfiguring a previously deleted route domain.

    404716 Decapsulated tunnel packets are correctly handled by packet filter.

    405067 The BIG-IP system applies the active bonus value when the HA score is zero.

    413689 Certain virtual server configurations may cause TMM to produce a core file.

    421317 A virtual server may not be marked unavailable when the pool status is marked unavailable.

    429871 F5 improvement of the integration of latest epsec packages.

    438159 Users can now use pre-shared key with anonymous ike-peer for IKEv1 negotiation.

    440179 Fixed memory leak in creating a wildcard DS-Lite tunnel.

    https://support.f5.com/kb/en-us/solutions/public/14000/100/sol14155.html
    https://support.f5.com/kb/en-us/solutions/public/14000/200/sol14286.html
    https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14463.html

    441063 The DNS and NTP commands may cause the Traffic Management Shell to exit and produce a core file.

    441174 Don't handle fragmented packets in Round Robin DAG.

    445924 Changed code to allow IP multicast packets to be delivered to all blades so that OSPF failover can occur.

    446352 IKE negotiation is now successful and the IPsec tunnel comes up properly and passes traffic with NAT-T and floating tunnel end point address.

    447266 Took steps to ensure that MCP would not attempt to modify an object that has been both created and deleted in the same transaction.

    448054 Secondary blades now are sent the sync status information from primary blades, so the sync status will not be reset if the primary blade fails over.

    450089 Add diagnostic code to the request_group to abort when it is being deleted while actively processing.

    450129 LOP (Lights Out Processor) firmware version 2.08 for VIPRION B2100, B2150 resolves the following issues: (ID446907) Alarm LED may be Red upon powering up VIPRION B2100, B2150 blades (ID439395) AOM Command Menu no longer reports failure when successfully powering up VIPRION B2100 or B2150 blades.

    450458 Resolved build creation issue due to the dependency of various objects that need to be built before compiling sources that use them.

    450684 Corrected an inter