f5 problem
TRANSCRIPT
-
8/19/2019 f5 Problem
1/58
Overview
A monitor is an important BIG-IP feature that verifies connections to pool members or nodes. A
health monitor is designed to report the status of a pool, pool member, or node on an ongoing
basis, at a set interval. When a health monitor marks a pool, pool member, or node down, the
BIG-IP system stops sending traffic to the device.
A failing or misconfigured health monitor may cause traffic management issues similar, but not
limited, to the following:
• Connections to the virtual server are interrupted or fail.
• Web pages or applications fail to load or execute.
• Certain pool members or nodes receive more connections than others.
The previously-mentioned symptoms may indicate that a health monitor is marking a pool, pool
member, or node down indefinitely, or that a monitor is repeatedly marking a pool member or
node down and then back up (often referred to as a bouncing pool member or node). For
example, if a misconfigured health monitor constantly marks pool members down and then back
up, connections to the virtual server may be interrupted or fail altogether. You will then need to
determine whether the monitor is misconfigured, the device or application is failing, or some
other factor is occurring that is causing the monitor to fail (such as a network-related issue). The
troubleshooting steps you take will depend on the monitor type and the observed symptoms.
When experiencing health monitor issues, you can use the following troubleshooting steps:
• Identifying a failing health monitor
• Verifying monitor settings
• Troubleshooting monitor types
• Troubleshooting daemons related to health monitoring
• Related articles
Identifying a failing health monitor
The BIG-IP software includes utilities (such as the Configuration utility, command line, or
SNMP) that you can use to alert an administrator or help identify when a health monitor marks
down a pool, pool member, or node. The utilities are defined in the following sections.
Configuration utility
The following table lists Configuration utility pages where you can check the status of pools,
pool members, and nodes:
Configuration utility page   Description                                 Location
Network map                  Summary of pools, pool members, and nodes   Local Traffic > Network Map > Show Map
Pools                        Current status of pool/members              Local Traffic > Pools > Statistics
Pool members                 Current status of pool/members              Local Traffic > Pools > Statistics
Nodes                        Current status of nodes                     Local Traffic > Nodes > Statistics
Command line utilities
The following table lists command line utilities that allow you to monitor the status of pools,
pool members, and nodes:
CLI utility          Description                                                    Example commands
bigtop               Live statistics for pool members and nodes                     bigtop -n
bigpipe (10.x)       Statistical information about pools, pool members, and nodes   bigpipe pool show, bigpipe node show
tmsh (10.x - 11.x)   Statistical information about pools, pool members, and nodes   tmsh show /ltm pool <pool_name>
                                                                                    tmsh show /ltm node <node_IP>
Logs
The BIG-IP system logs messages related to the health monitor to the /var/log/ltm file.
Reviewing the log files is one way to determine the frequency with which the system is marking
down pool members and nodes. Logging related to monitor state changes is as follows:
• Pools
When a health monitor marks all members of a pool down or up, messages that appear
similar to the following example are logged to the /var/log/ltm file:
tmm err tmm[4779]: 01010028:3: No members available for pool <Pool_name>
tmm err tmm[4779]: 01010221:3: Pool <Pool_name> now has available members
• Pool members
When a health monitor marks pool members down or up, messages that appear similar to
the following example are logged to the /var/log/ltm file:
notice mcpd[2964]: 01070638:5: Pool member <ServerIP_port> monitor status down
notice mcpd[2964]: 01070727:5: Pool member <ServerIP_port> monitor status up.
• Nodes
When a health monitor marks a node down or up, messages that appear similar to the
following example are logged to the /var/log/ltm file:
notice mcpd[2964]: 01070640:5: Node <ServerIP> monitor status down.
notice mcpd[2964]: 01070728:5: Node <ServerIP> monitor status up.
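Added example (not part of the F5 article): one way to measure how often the system marks objects down is to replay the mcpd state-change messages per pool member or node and separate objects that stay down from objects that bounce. The log lines are constructed samples in the /var/log/ltm format described above; the host name bigip1, the pool name web_pool and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (host name "bigip1" and pool "web_pool" are assumed).
SAMPLE_LOG = """\
Jan 21 15:04:34 bigip1 notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:04:34 bigip1 notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:04:50 bigip1 notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:05:06 bigip1 notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:05:22 bigip1 notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:05:38 bigip1 notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:04:34 bigip1 notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor status down.
Jan 21 15:04:51 bigip1 notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status node down.
Jan 21 15:05:05 bigip1 notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
Jan 21 15:05:40 bigip1 err tmm[4779]: 01010028:3: No members available for pool web_pool
""".splitlines()

# Matches the mcpd "Pool member ... / Node ... monitor status ..." messages.
# The message ID is not pinned to one value so that down, up and unchecked
# messages are all captured; the trailing period is optional.
STATUS_RE = re.compile(
    r"mcpd\[\d+\]:\s+[0-9a-f]{8}:\d:\s+"
    r"(?P<kind>Pool member|Node)\s+(?P<target>\S+)\s+"
    r"monitor status (?P<status>.+?)\.?\s*$"
)


def parse_status_events(lines):
    """Yield (kind, target, state) for every monitor state-change line."""
    for line in lines:
        match = STATUS_RE.search(line)
        if not match:
            continue  # e.g. tmm pool-level messages
        status = match.group("status").lower()
        # "node down" (member down because its node is down) is still a down state.
        state = "down" if status.endswith("down") else status
        yield match.group("kind"), match.group("target"), state


def classify(lines, bounce_threshold=2):
    """Summarise each object: down episodes, recoveries, last state, verdict."""
    history = defaultdict(list)
    for kind, target, state in parse_status_events(lines):
        states = history[(kind, target)]
        if not states or states[-1] != state:  # collapse repeated identical states
            states.append(state)

    result = {}
    for key, states in history.items():
        downs = states.count("down")
        recoveries = sum(
            1 for a, b in zip(states, states[1:]) if (a, b) == ("down", "up")
        )
        if downs >= bounce_threshold and recoveries >= 1:
            verdict = "bouncing"   # repeatedly marked down and back up
        elif states[-1] == "down":
            verdict = "down"       # marked down and not back up
        else:
            verdict = states[-1]
        result[key] = {
            "downs": downs,
            "recoveries": recoveries,
            "last": states[-1],
            "verdict": verdict,
        }
    return result


def bouncing_targets(lines, bounce_threshold=2):
    """Return the sorted addresses of objects classified as bouncing."""
    summary = classify(lines, bounce_threshold)
    return sorted(t for (_, t), info in summary.items() if info["verdict"] == "bouncing")


if __name__ == "__main__":
    for (kind, target), info in sorted(classify(SAMPLE_LOG).items()):
        print(f"{kind:12} {target:18} {info}")
```

An object reported as bouncing points at the monitor settings or an intermittently slow application; an object reported as down points at connectivity or the service itself.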
SNMP
When the BIG-IP system is configured to send SNMP traps and a health monitor marks a pool
member or node down or up, the system sends the following traps:
• Pool members
alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.10"
}
alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.11"
}
• Nodes
alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12"
}
alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.13"
}
Verifying monitor settings
It is important to verify that monitor settings are properly defined for your environment. For
example, F5 recommends that you configure most monitors with a timeout value of three times
the interval value, plus one. This is to prevent the monitor from marking the node down before
the last check is sent.
Simple monitors
A simple monitor is used to verify the status of the destination node (or the path to the node
through a transparent device). Simple monitors do not monitor individual protocols, services, or
applications on a node, just the node address itself. The BIG-IP system provides the following
pre-configured simple monitor types: gateway_icmp, icmp, tcp_echo, tcp_half_open. If you
determine that a simple monitor is marking a node down, you can verify the following settings:
Note: There are other monitor settings that can be defined for simple monitors. For more
information, refer to the Configuration Guide for BIG-IP Local Traffic Management.
• Interval/timeout ratio
Configuring an appropriate interval/timeout ratio is important for simple monitors. In
most cases, the interval/timeout should have a timeout value of three times the interval,
plus one. For example, the default ratio is 5/16. Verify that the ratio is properly defined.
• Transparent
A transparent monitor uses a path through the associated node to monitor the aliased
destination. Verify that the destination target device is reachable and configured properly
for the monitor.
Extended Content Verification (ECV) monitors
ECV monitors use Send and Receive string settings to retrieve content from pool members or
nodes. The BIG-IP system provides the following pre-configured monitor types: tcp, http, https,
and https_443. If you determine that a simple monitor is marking a node down, you can verify
the following settings:
Note: There are other monitor settings that can be defined for ECV monitors. For more
information, refer to the Configuration Guide for BIG-IP Local Traffic Management.
• Interval/timeout ratio
As with simple monitors, configuring the interval/timeout ratio is important for ECV
monitors. In most cases, the interval/timeout should have a timeout value of three times
the interval, plus one. For example, the default ratio for ECV monitors is 5/16. Verify that
the ratio is properly defined.
• Send string
The Send string is a text string that the monitor sends to the pool member. The default
setting is GET /, which retrieves a default HTML file for a website. If the Send string is
not properly constructed, the server may send an unexpected response and be
subsequently marked down by the monitor. For example, if the server requires the
monitor request to be HTTP/1.1 compliant, you must adjust the monitor Send string.
Note: For information about modifying HTTP requests for use with HTTP or HTTPS
application health monitors, refer to the following articles:
SOL2167: Constructing HTTP requests for use with the HTTP or HTTPS application
health monitor
SOL3224: HTTP health checks may fail even though the node is responding correctly
SOL10655: CR/LF characters appended to the HTTP monitor Send string
• Receive string
The Receive string is the regular expression representing the text string that the monitor
looks for in the returned resource. ECV monitor requests may fail and mark the pool
member down if the Receive string is not configured properly. For example, if
the Receive string appears too late in the server response, or the server responds with a
redirect, the monitor marks the pool member down.
Note: For information about modifying the monitor to issue a request to a redirection
target, refer to SOL3224: HTTP health checks may fail even though the node is
responding correctly.
• User name and password
ECV monitors have User Name and Password settings, which can be used for resources
that require authentication. Verify whether the pool member requires authentication and
ensure that the fields contain valid credentials.
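Added example (not part of the F5 article, and not how the BIG-IP system implements its monitors): an offline model of the ECV settings above that computes the recommended timeout, builds an HTTP/1.1-compliant request, and explains why a captured response would or would not satisfy a Receive string. The responses are constructed samples; the function names are assumptions, and search_window is an assumed parameter standing in for "too late in the server response", for which the article gives no byte count.

```python
import re


def recommended_timeout(interval):
    """Timeout recommended for most monitors: three times the interval, plus one."""
    return 3 * interval + 1


def ratio_warning(interval, timeout):
    """Return a warning when the timeout is shorter than the recommended value."""
    needed = recommended_timeout(interval)
    if timeout < needed:
        return (f"timeout {timeout}s is below 3 x {interval} + 1 = {needed}s; "
                "the object may be marked down before the last check is sent")
    return None


def build_send_string(path="/", host=None):
    """'GET /' style request by default, or an HTTP/1.1 request with Host header."""
    if host is None:
        return f"GET {path}\r\n"
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


def evaluate_response(raw, receive_regex, search_window=None):
    """Return (state, reason) for a raw HTTP response and a Receive regex.

    search_window limits how many leading bytes are searched (assumed value).
    """
    text = raw.decode("latin-1")
    searched = text if search_window is None else text[:search_window]
    if re.search(receive_regex, searched):
        return ("up", "receive string matched")

    # No match: work out which of the failure modes in the article applies.
    status = re.match(r"HTTP/\d\.\d (\d{3})", text)
    code = int(status.group(1)) if status else None
    if code is not None and 300 <= code < 400:
        location = re.search(r"^Location:\s*(\S+)", text, re.I | re.M)
        target = location.group(1) if location else "unknown target"
        return ("down", f"server answered {code} redirect to {target}")
    if code == 401:
        return ("down", "server requires authentication (401)")
    if re.search(receive_regex, text):
        return ("down", f"receive string appears after the first {search_window} bytes")
    return ("down", "receive string not found in response")


# Constructed sample responses.
OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
      b"<html><body>Server is UP</body></html>")
REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"Location: https://www.yoursite.com/login\r\nContent-Length: 0\r\n\r\n")
LATE = b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 6000 + b"Server is UP"
AUTH = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"app\"\r\n\r\n"

if __name__ == "__main__":
    print(repr(build_send_string("/", "www.yoursite.com")))
    print(ratio_warning(5, 10))
    for name, raw in [("ok", OK), ("redirect", REDIRECT), ("late", LATE), ("auth", AUTH)]:
        print(name, evaluate_response(raw, r"Server is UP", search_window=5120))
```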
Troubleshooting monitor types
Simple monitors
Troubleshooting connectivity issues for a simple monitor is fairly straightforward. If you
determine that a monitor is marking a node down (or the node is bouncing), you can use the
following steps to troubleshoot the issue:
1. Determine the IP address of the nodes being marked down.
You can determine the IP address or the nodes that the monitor is marking down by using
the Configuration utility, command line utilities, or log files. You can quickly search the
/var/log/ltm file for node status messages using command syntax that appears similar to
the following example:
# cat /var/log/ltm |grep "Node" |grep "status"
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.1 monitor status down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 172.24.64.4 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.200 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.122 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 11.1.1.1 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.229 monitor status down.
Note: If a large number of nodes are being marked down (or bouncing), you can sort the
results by IP addresses.
For example:
cat /var/log/ltm |grep "Node" |grep "status" | sort -t . -k 3,3n -k 4,4n
2. Check connectivity to the node.
If there are occurrences of node addresses being marked down and not back up, or nodes
bouncing, check the connectivity to the nodes from the BIG-IP system, using commands
such as ping, traceroute (BIG-IP 10.x, 11.x) or tracepath (BIG-IP 9.x). For example, if
you have determined that a simple monitor is marking the node address 10.10.65.1 down,
you can attempt to ping the resource from the BIG-IP system as follows:
# ping -c 4 10.10.65.1
PING 10.10.65.1 (10.10.65.1) 56(84) bytes of data.
64 bytes from 10.10.65.1: icmp_seq=1 ttl=64 time=11.32 ms
64 bytes from 10.10.65.1: icmp_seq=2 ttl=64 time=8.989 ms
64 bytes from 10.10.65.1: icmp_seq=3 ttl=64 time=10.981 ms
64 bytes from 10.10.65.1: icmp_seq=4 ttl=64 time=9.985 ms
Note: The previous ping output shows high round trip times, which may indicate a
network issue or a slow responding node.
In addition, make sure that the node is configured to respond to the simple monitor. For
example, tcp_echo is a simple monitor type that requires that the TCP echo service is
enabled on the nodes being monitored. The BIG-IP sends a SYN segment with information
to be echoed by the receiving device.
3. Check the monitor settings.
Use the Configuration utility or command line utilities to verify that the monitor settings
(such as the interval/timeout ratio) are appropriate for the node.
For example, the following bigpipe command lists the configuration for the icmp_new
monitor:
bigpipe monitor icmp_new list
The following tmsh command lists the configuration for the icmp_new monitor:
tmsh list ltm monitor icmp_new
4. Create a custom monitor (if needed).
If you are using a default monitor and have determined that the settings are not
appropriate for your environment, consider creating and testing a new monitor with
custom settings.
5. Use the tcpdump command to capture monitor traffic.
If you are unable to determine the cause of a failing health monitor, it may be necessary
to perform packet captures on the BIG-IP system.
Note: For more information about running tcpdump, refer to SOL411: Overview of
packet tracing with the tcpdump utility.
ECV monitors
Troubleshooting issues for ECV monitors involves several steps. If you determine that an ECV
monitor is marking a pool member down (or the pool member is bouncing), you can use the
following steps to troubleshoot the issue:
1. Determine the IP address of the pool members that the monitor is marking
down by using the Configuration utility, command line utilities, or log files.
For example, search the /var/log/ltm file for pool member status messages as follows:
# cat /var/log/ltm |grep -i "pool member" |grep "status"
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:21 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status node down.
Jan 21 15:05:05 local/3400a notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status unchecked.
2. Check connectivity to the pool member.
As previously stated, check the connectivity to the pool members from the BIG-IP system
using the ping or traceroute commands.
3. Check the ECV monitor settings.
Use the Configuration utility or command line utilities to verify that the monitor settings
(such as the interval/timeout ratio) are appropriate for the pool members.
For example, the following bigpipe command lists the configuration for the http_new
monitor:
bigpipe monitor http_new list
The following tmsh command lists the configuration for the http_new monitor:
tmsh list ltm monitor http_new
4. Create a custom monitor (if needed).
If you are using a default monitor and have determined that the settings are not
appropriate for your environment, consider creating and testing a new monitor with
custom settings.
5. Test the response from the application.
Use a command line utility on the BIG-IP system to test the response from the web
application. For example, the following command uses the curl (and time) command and
attempts to transfer data from the web server while timing the response:
# time curl http://10.10.65.1
<html>
<head>
---
</body>
</html>
real 0m18.032s
user 0m0.030s
sys 0m0.060s
Note: If you want to test a specific HTTP request, including HTTP headers, you can use
the telnet command to connect to the pool member.
For example:
telnet <serverIP> <serverPort>
Next, at the prompt, enter an appropriate HTTP request line and HTTP headers, pressing
Enter once after each line.
For example:
GET / HTTP/1.1 <enter>
Host: www.yoursite.com <enter>
Connection: close <enter>
<enter>
6. Use the tcpdump command to capture monitor traffic.
Note: For more information about running tcpdump, refer to SOL411: Overview of
packet tracing with the tcpdump utility.
Troubleshooting daemons related to health monitoring
The bigd process manages health checking for pool members, nodes, and services on the BIG-IP
LTM system. The bigd process collects health checking status and communicates the status
information to the mcpd process, which stores the data in shared memory so that the TMM can
read it. If you are having monitoring issues, you can check the memory utilization of the bigd
process. If the %MEM is unusually high, or continually increases, the process may be leaking
memory.
For example, to check the current memory utilization of bigd, use the ps command:
# ps aux |grep bigd
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3020 0.0 0.6 28208 10488 ? S 2010 5:08 /usr/bin/bigd
Note: If the bigd process fails, the health check status of pool members, nodes, and services
remain in their current state until the bigd process is restarted. For more information, refer to
SOL6967: When the BIG-IP LTM bigd daemon fails, the health check status of pool members,
nodes, and services remain unchanged until the bigd daemon is restarted.
In addition, it is possible to run the bigd process in debug mode. Debug logging for the bigd
process is extremely verbose, as it logs multiple messages for every monitor attempt. For
information about running bigd in debug mode, contact F5 Technical Support.
Supplemental Information
• $:,553-8 Debug logging and ;ITT'$ health monitors
• $:,-5,78 :vervie" of ;I
• For more information about the bigtop utility, refer to SOL7318: Overview of the bigtop utility
• For more information about the bigpipe utility, refer to the ;I
40698 GUI Device Management Overview to display device_trust_group
535806 Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
534630 Upgrade BIND to address CVE-2015-5477
533458 Generate core file on HSB lockup
533257 The tmsh config file merge may fail when AFM security log profile is present in merged file
530122 Improvements in building "rolled up HF" images for hypervisors
529509 CVE-2015-4620 BIND vulnerability
527630 CVE-2015-1788 : OpenSSL Vulnerability
527021 BIG-IQ iApp statistics corrected for empty pool use cases
526419 Deleting an iApp service may fail
524326 Can delete last IP address on a BIG-IP GTM server but cannot load a config with a BIG-IP GTM server with no IPs
524126 The DB variable provision.tomcat.extramb is cleared on first boot
523863 istats help not clear for negative increment
523125 Disabling/enabling blades in cluster can result in inconsistent failover state
523032 qemu-kvm VENOM vulnerability CVE-2015-3456
520640 The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method
520466 Ability to edit iCall scripts is removed from resource administrator role
519877 External pluggable module interfaces not disabled correctly
519394 Sync when licensed for ASM/AFM fails to sync pool with "Load balancing feature not licensed" error
519068 Device trust setup can require restart of devmgmtd
518039 BIG-IQ iApp statistics corrected for partition use cases
517580 OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
516669 sod core caused failover
516618 CVE-2013-7424
516184 IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values
513974 Transaction validation errors on object references
513916 String iStat rollup not consistent with multiple blades
513649 Transaction validation errors on object references
513454 An snmpwalk with a large configuration can take too long
513382 Resolution of multiple OpenSSL vulnerabilities
510119 HSB performance can be suboptimal when transmitting TSO packets
509782 TSO packets can be dropped with low MTU
509504 Excessive time to save/list a firewall rule-list configuration
509503 The tmsh load sys config merge file "filename" takes significant time for firewall rulelist configuration
507575 An incorrectly formatted NAPTR creation by way of iControl can cause an error
507331 Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled
507327 Programs that read stats can leak memory on errors reading files
506041 Folders belonging to a device group can show up on devices not in the group
506034 NTP vulnerabilities (CVE-2014-9297, CVE-2014-9298)
502238 Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501517 A very large configuration can cause transaction timeouts on secondary blades
500091 CVE-2015-0204 : OpenSSL Vulnerability
499260 Deleting trust-domain fails when standby IP is in ha-order
497564 Improve High Speed Bridge diagnostic logging on transmit/receive failures
495335 BWC related TMM core
490537 Persistence Records display in GUI might cause system to become unresponsive with large number of records
486758 Management port unreachable after install
483683 MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
481696 Failover error message "sod out of shmem" in /var/log/ltm
479460 SessionDb may be trapped in wrong HA state during initialization
475647 VIPRION Host PIC firmware version 7.02 update
473348 hbInterval value not set to 300 sec after upgrade
472365 The vCMP worker-lite system occasionally stops due to timeouts
470184 In Configuration utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List
465009 VIPRION B2100-series LOP firmware version 2.10 update
464043 Integration of Firmware for the 2000 Series Blades
460456 FW RELEASE: Incorporate Whitethorne BIOS 2.06.214.0
460444 VIPRION B4300 BIOS version 2.03.052.0 update
460428 BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update
460422 FW RELEASE: Incorporate Treadstone BIOS 4.01.006.0
460406 VIPRION B2100-series BIOS version 1.06.043.0 update
460397 FW RELEASE: Incorporate Victoria 2 BIOS 1.26.012.0
455264 Error messages are not clear when adding member to device trust fails
451602 DPD packet drops with keyed VLAN connections
447075 CuSFP module plugged in during links-down state will cause remote link-up
443298 FW Release: Incorporate Victoria2 LOP firmware v1.20
441100 iApp partition behavior corrected
436682 SFP modules show a higher optical power output for disabled switch ports
420107 TMM could become unresponsive when modifying HTML profile configuration
410398 sys db tmrouted.rhifailoverdelay does not seem to work
405752 Monitors sourced from specific source ports can fail
364978 Active/standby system configured with unit 2 failover objects
362267 Configuring network failover on a VIPRION cluster using the blade management addresses results in "Cannot assign requested address" errors
359774 Pools in HA groups other than Common
355661 sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
531576 TMM memory leak in traffic handling
530963 BIG-IP TLS does not correctly verify Finished.verify_data on non-Cavium platforms
530829 UDP traffic sent to the host may leak memory under certain conditions
530795 In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number
530769 F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment
528432 Control plane CPU usage reported too high
527826 IP Intelligence update failed: Missing SSL certificate
527649 Upgrade will reset Ciphers field in clientssl or server ssl profiles to DEFAULT if the current cipherstring would have effectively contained no ciphersuites
524666 DNS licensed rate limits might be unintentionally activated
523079 Merged may stop responding when file descriptors exhausted
522784 After restart, system remains in the INOPERATIVE state
522147 "tmsh load sys config" fails after key conversion to FIPS using web GUI
521813 Cluster is removed from HA group on restart
521774 Traceroute and ICMP errors may be blocked by AFM policy
521548 System possibly stops responding in SPDY
521538 Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522 Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408 Incorrect configuration in BigTCP virtual servers can lead to TMM producing a core file
521336 pkcs11d initialization retry might post misleading error messages and eventually result in pkcs11d creating a core file
520540 HTTP Basic authentication may cause the TMM to stop responding if the header is too large
518086 Safenet HSM Traffic failure after system reboot/switchover
518020 Improved handling of certain HTTP types.
517556 DNSSEC unsigned referral response is improperly formatted
515759 Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
515139 Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
514729 10.2.1 system with SSL profile specifying ciphers "DEFAULT:HIGH:MEDIUM" fails to upgrade to 11.5.1
514604 Nexthop object can be freed while still referenced by another structure
512383 Hardware flow stats are not consistently cleared during fastl4 flow teardown
512062 A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
510638 [DNS] Config change in dns cache resolver does not take effect until TMM restart
507529 Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
507127 DNS cache resolver is inserted into a wrong list on creation
504899 Duplicated snat-translation addresses are possible (a named and an anonymous [created by snatpool] one)
504105 DAG enabled UDP ports may be used as source ports for locally originated traffic
503214 Under high load, crypto queues may become stuck
502443 After enabling a blade, pool members are marked down because monitoring starts too soon
501516 If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted
499422 An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm
497584 The RA bit on DNS response may not be set
496758 Monitor Parameters saved to config in a certain order may not construct parameters correctly
479682 TMM generates hundreds of ICMP packets in response to a single packet
478617 Do not include maximum TCP options length in calculating MSS on ICMP PMTU
478592 When using the SSL forward proxy feature, clients might be presented with expired certificates
478439 Unnecessary re-transmission of packets on higher ICMP PMTU
478257 Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
476097 TCP Server MSS option is ignored in verified accept mode
474601 FTP connections are being offloaded to ePVA
468472 Unexpected ordering of internal events can lead to TMM producing a core file
468375 TMM stops responding when MPTCP JOIN arrives in the middle of a flow
465590 Mirrored persistence information is not retained while flows are active
462714 Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
460627 SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
455762 DNS cache statistics no longer incremented improperly due to mirrored cache data
454018 Nexthop to tmm0 ref-count leakage could cause TMM core
452439 TMM may stop responding when enabling DOS sweep/flood if a TMM process has multiple threads
451960 HTTPS monitors do not work with FIPS keys
450814 Early HTTP response might cause rare "server drained" assertion
449848 Diameter Monitor not waiting for all fragments
443157 zxfrd might stop responding when the zone file (zxfrd.bin) is deleted from the directory /var/db
442686 DNSX Transfers occur on DNSX authoritative server change
431283 iRule binary scan may core TMM when the offset is large
422107 Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
422087 Low memory condition caused by Ram Cache may result in TMM producing a core file
420341 Connection Rate Limit Mode when limit is exceeded by one client also throttles others
419458 HTTP is more efficient in buffering data
402412 FastL4 tcp handshake timeout is not honored, connection lives for idle timeout
375887 Cluster member disable or reboot can leak a few cross blade trunk packets
374339 HTTP::respond/redirect might make TMM unresponsive under low-memory conditions
374067 Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
352925 Updating a suspended iRule and TMM process restart
342013 TCP filter does not send keepalives in FIN_WAIT_2
526699 TMM might stop responding if BIG-IP DNS iRule nodes_up references an invalid IP/Port
516685 ZoneRunner might fail to load valid zone files
516680 ZoneRunner might fail when loading valid zone files
515797 Using qos_score command in RULE_INIT event causes TMM to stop responding
515033 [ZRD] A memory leak in zrd
515030 [ZRD] A memory leak in Zrd
496775 [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the BIG-IP monitor
479084 ZoneRunner can fail to respond to commands after a VE resume
471819 The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system, and Common Criteria mode is enabled
465951 If net self description size C65K, gtmd restarts continuously
353556 big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed
225443 gtmparse fails to load if you add unsupported SIP monitor parameters to the config
532030 ASM REST: Custom signature set created by way of REST is different than when created from GUI
526856 "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
524428 Adding multiple signature sets concurrently by way of REST
524004 Adding multiple signatures concurrently by way of REST
523261 ASM REST: MCP Persistence is not triggered by way of REST actions
523260 Apply Policy finishes with coapi_query failure displayed
523201 Expired files are not cleaned up after receiving an ASM Manual Synchronization
520796 High ASCII characters availability for policy encoding
520585 Changing security policy application language is not validated or propagated properly
520280 Perl produces a core file after applying policy action
516523 Full ASM ConfigSync was happening too often in a Full Sync Auto-Sync Device Group
516522 After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty
514061 False positive scenario caused SMTP transactions to hang and eventually reset
512668 ASM REST: Unable to Configure Clickjacking Protection by way of REST
510499 Enforcer stops responding after Sync in an ASM-only Device Group
506407 Certain upgrade paths to 11.6.x would lose the redirect URL configuration for Alternate Response Pages
487420 BD stops responding upon stress on session tracking
533098 Traffic capture filter not catching all relevant transactions
531526 Missing entry in SQL table leads to misleading ASM reports
525708 AVR reports of last year are missing the last month data
519022 Upgrade process fails to convert ASM predefined scheduled-reports
539013 DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537000 Installation of Edge Client can cause Windows 10 to stop responding in some cases
534755 Deleting APM virtual server produces ERR_NOT_FOUND error
532522 CVE-2015-1793
532394 Client to log value of "SearchList" registry key
532096 Machine Certificate Checker is not backward compatible with 11.4.1 (and earlier) when MatchFQDN rule is used
531883 Windows 10 App Store VPN Client must be detected by BIG-IP APM
531483 Copy profile might end up with error
530697 Windows Phone 10 platform detection
529392 Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script
528726 AD/LDAP cache size reduced
528675 BIG-IP EDGE Client can indefinitely stay in a "disconnecting..." state when captive portal session expired
527799 OpenSSL library in APM clients updated to resolve multiple vulnerabilities
526833 Reverse Proxy produces JS error: 'is_firefox' is undefined
526754 F5unistaller.exe stops responding during uninstall
526617 TMM stops responding when logging a matched ACL entry with IP protocol set to 255
https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16937.html
526578 Network Access client proxy settings are not applied on German Windows
526492 DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275 VMware View RSA/RADIUS two factor authentication fails
526084 Windows 10 platform detection for BIG-IP EDGE Client
525920 VPE fails to display access policy
525562 Debug TMM stops responding during initialization
525429 DTLS renegotiation sequence number compatibility
525384 Networks Access PAC file now can be located on SMB share
524909 Windows info agent could not be passed from Windows 10
524756 APM log is filled with errors about failing to add/delete session entry
523431 Windows Cache and Session Control cannot support a period in the access profile name
523390 Minor memory leak on IdP when SLO is configured on bound SP connectors
523329 When BIG-IP is used as SAML Identity Provider (IdP), TMM may restart under certain conditions
523327 In very rare cases Machine Certificate service may fail to find private key
523222 Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending
521835 [Policy Sync] Connectivity profile with a customized logo fails
521773 Memory leak in Portal Access
521506 Network Access does not restore loopback route on multi-homed machine
520705 Edge client contains multiple duplicate entries in server list
520642 Rewrite plugin should check length of Flash files and tags
520390 Reuse existing option is ignored for smtp servers
520298 Java applet does not work
520205 Rewrite plugin could stop responding malformed ActionScript 3 block in Flash file
520145 [Policy Sync] OutOfMemoryError exception when syncing a big and complex APM policy
520118 Duplicate server entries in Server List
519966 APM "Session Variables" report shows user passwords in plain text
519864 Memory leak on L7 Dynamic ACL
519415 BIG-IP APM network access tunnel ephemeral listeners ignore iRules (related-rules from main virtual)
519198 [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
518981 RADIUS accounting STOP message may not include long class attributes
518260 Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988 TMM may stop responding if access profile is updated while connections are active
517872 Include proxy hostname in logs in case of name resolution failure
517564 APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
517441 apd may stop responding when RADIUS accounting message is greater than 2K
517146 Log ID 01490538 may be truncated
516839 Add client type detection for Microsoft Edge browser
516462 Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
516075 Linux command line client fails with on-demand cert
515943 "Session variables" report may show empty if session variable value contains non-English characters
514912 Portal Access scripts had not been inserted into HTML page in some cases
514220 New iOS-based VPN client may fail to create IPv6 VPN tunnels
513969 UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953 RADIUS Auth/Acct might fail if server response size is more than 2K
513706 Incorrect metric restoration on Network Access on disconnect (Windows)
513581 TMM occasionally stops responding when http payload is scanned through SWG
513283 Mac Edge Client does not send client data if access policy expired
513201 Edge client is missing localization of some English text in Japanese locale
513165 SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute
513098 localdb_mysql_restore.sh failed with exit code
512345 Dynamic user record removed from memcache but remains in MySQL
512245 Machine certificate agent on OS X 10.8 and OS X 10.9 uses local hostname instead of hostname
511961 BIG-IP Edge Client does not display logon page for FirePass
511854 Rewriting URLs at client side does not rewrite multi-line URLs
511648 On standby, TMM can produce a core file when active system sends leasepool HA commands to standby device
511441 Memory leak on request Cookie header is longer than 1024 bytes
510709 Websso start URI match fails if there are more than 2 start URIs in SSO configuration
510596 Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
510459 In some cases Access does not redirect client requests
509490 [IE10]: attachEvent does not work
507681 Window.postMessage() does not send objects in IE11
507321 JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
507116 Web-application issues and/or unexpected exceptions
506223 A URI in request to cab-archive in iNotes is rewritten incorrectly
505755 Some scripts on dynamically loaded html page could be not executed
504461 Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it
500938 Network Access can be interrupted if second NIC is disconnected
500450 ASM and APM on same virtual server caused Set-Cookie header modification done by ASM to be not honored by APM websso
498782 Config snapshots are deleted when failover happens
497627 TMM cores while using APM network Access and no leasepool is created on the BIG-IP system
497118 TMM may restart when SAML SLO is triggered
495702 Mac Edge Client cannot be downloaded sometimes from management UI
495336 Logon page is not displayed correctly when "force password change" is on for local users
494565 CSS patcher stops responding when a quoted value consists of spaces only
494189 Poor performance in clipboard channel when copying
493006 Export of huge policies might end up with 'too many pipes opened' error
492701 Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492305 Recurring file checker does not interrupt session if client machine has missing file
492149 Inline JavaScript with HTML entities may be handled incorrectly
490830 Protected Workspace is not supported on Windows 10
488736 Fixed problem with iNotes 9 Instant Messaging
488105 TMM may generate core file during certain config change
487399 VDI plugin stops responding when View client disconnects prematurely
483792 When iSession control channel is disabled, do not assign app tunnel, MSRDP, opt tunnel resources
483286 APM MySQL database full as log_session_details table keeps growing
482699 VPE displaying "Uncaught TypeError"
482269 APM support for Windows 10 out-of-the-box detection
482266 Network Access cannot be established for Windows 10
482251 Portal Access. Location.href(url) support is added
482241 Windows 10 cannot be properly detected
482145 Text in buttons are not centered correctly for higher DPI settings
480761 Fixed issue causing TunnelServer to stop responding during reconnect
479451 Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
478492 Incorrect handling of HTML entities in attribute values
478333 Edge-Client client shows an error about corrupted config file, when user's profile and temp folders located on different partitions
474779 EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails
474698 BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions
474058 When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
473255 Javascript submit() method could be rewritten incorrectly inside of 'with' statement
472256 The tmsh and tmctl report unusually high counter values
472062 Unmangled requests when form.submit with arguments is called in the page
471874 VDI plugin stops responding when trying to respond to the client after the client has disconnected
471117 iframe with JavaScript in 'src' attribute not handled correctly in IE11
468441 OWA2013 may work incorrectly by way of Portal Access in IE10/11
468433 OWA2013 may work incorrectly by way of Portal Access in IE10/11
468137 Network Access logs missing session ID
466745 Cannot set the value of a session variable with a leading hyphen
464547 Show proper error message when VMware View client sends invalid credentials to APM
461597 MAC edge client does not follow HTTP 302 redirect if new site has untrusted self-signed certificate
457902 No EAM- log stacktrace in /var/log/apm on EAM crash event.
457760 EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
457603 Cookies handling issue with Safari on iOS6, iOS7
457525 When DNS resolution for AppTunnel resource fails, the resource is removed
454784 in VPE xx symbols such as the variable assign agent might be invalidly decoded
454086 Portal Access issues with Firefox version 26.0.0 or later
453455 Added support of SAML Single Logout to Edgeclient
452527 Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode
452163 Cross-domain functionality is broken in AD Query
451469 APM User Identity daemon does not generate a core file
442528 Demangle filter stops responding
440841 sso and apm split tunneling log message is at notice level
438969 HTML5 VMware View Client does not work with APM when virtual server is on non-default route domain
437744 SAML SP service metadata exported from APM may fail to import
437670 Race condition in APM windows client on modifying DNS search suffix
425882 Windows EdgeClient's configuration file could be corrupted on system reboot/sleep
424936 apm_mobile_ppc.css has duplicate 1st line
423282 BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
420512 All Messages report does not display any data when the Log Levels are selected to filter data based on Log Levels
416115 Edge client continues to use old IP address even when server IP address changed
408851 Some Java applications do not work through BIG-IP server
402793 APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
522231 TMM may stop responding when a client resets a connection
521455 Images transcoded to WebP format delivered to Edge browser
514785 TMM stops responding when processing AAM-optimized video URLs
511534 A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load
476460 WAM Range HTTP header limited to eight ranges
421791 Out of Memory Error
497389 Extraneous dedup_admin core
461216 Cannot rename some files using CIFS optimization of the BIG-IP system
457568 Loading of configuration fails intermittently due to WOC Plug-in-related issues
521556 Assertion "valid pcb" in TCP4 with ICAP adaptation
516057 Assertion 'valid proxy' can occur after a configuration change with active IVS flows
512054 CGNAT SIP ALG - RTP connection not created after INVITE
511326 SIP SUBSCRIBE message not forwarded by the BIG-IP system when configured as SIP ALG with translation
503652 Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit
499701 SIP Filter drops UDP flow when ingress len limit is reached
480311 ADAPT should be able to work with OneConnect
448493 SIP response from the server to the client gets dropped
533808 Unable to create new rule for virtual server if order is set to "before"/"after"
533336 Display 'description' for port list members
530865 AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
524748 PCCD optimization for IP address range
523465 Log an error message when firewall rule serialization fails due to maximum blob limit being hit
515187 Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules
515112 Delayed ehash initialization causes crash when memory is fragmented
513565 AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept
510226 All descriptions for ports-list's members are flushed after the port-list was updated
509919 Customer may experience incorrect counter update for SelfIP traffic on cluster
497671 iApp GUI: Unable to add FW Policy/Rule to context by way of iApp
495432 Add new log messages for AFM rule blob load/activation in datapath
485880 Unable to apply ASM policy with forwarding CPM policy using the GUI, generic error
468688 Initial sync fails for upgraded pair (11.5.x to 11.6)
459024 Error L4 packets were hitting configured WL entries protocol was not being matched for them
526295 BIG-IP stops responding in debug mode when using PEM iRule to create a session with calling-station-id and called-station-id
511064 Repeated install/uninstall of policy with usage monitoring stops after second time
495913 TMM produces a core file when CCA-I policy received with uninstall
491771 Using catch to suppress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic
478399 PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-aware" profile is configured
464273 PEM: CCR-I for the Gx session has only one subscriber ID type, even if the session created has more than one type
450779 PEM source or destination flow filter attempts to match against both source and destination IPs of a flow
449643 Error message "Gx uninit failed" and "Gy unint failed" received during boot of the system
439249 PEM: Initial quota request in the rating group request is not as configured
438608 PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU)
438092 PEM: CCR-U triggered by RAR during Gy session will not have Requested Service Unit (RSU)
514236 [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses
525595 Fix memory leak of inbound sockets in restjavad
509273 hostagentd consumes memory over time
509120 BIG-IQ is unable to discover older BIG-IP versions due to over-zealous grooming
511651 CVE-2015-5058: Performance improvement in packet processing
11.5.3
HF1 511651 Performance improvement in packet processing
If an APM policy sync puts the new policy on a member of a sync-failover device group, the sync of the sync-failover group failed. This now succeeds.
https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17047.html
449100 Tunnel interfaces can be used by iRule nexthop/lasthop commands to set a flow's nexthop/lasthop behaviors. 1. To send traffic to the tunnel, use "nexthop tun0 ..." on CLIENT_ACCEPTED iRule event, or "lasthop tun0 ..." on SERVER_CONNECTED iRule event. 2. A point-to-point tunnel can be supplied with an IP address, although it does not have an effect. 3. A wild-card tunnel can be supplied with the IP address of the remote-point to build the tunnel on the fly.
455311 vCMP guest's access to the management network of the hypervisor has been restricted.
457166 An issue has been resolved that affected the ability to modify a vCMP guest's management network mode.
459155 Included the physdev netfilter module into the BIG-IP kernel package.
459694 vCMP guest's ability to interfere with the management network of the hypervisor has been restricted.
459753 "bigstart restart" on a secondary blade no longer causes clusterd to restart continuously.
459973 The Include Cluster option in the HA Group configuration cannot be disabled using the Configuration utility.
462315 Saving a single partition out of the configuration ('save sys config' with the 'partitions { p1 }' option) now writes the configuration file properly. It previously appended to the file but now overwrites it as it should.
462943 Resolved issue where rewrite CSS filter/parser may use stale iovs in declaration_state resulting in SIGSEGV.
470796 CVE-2014-4023.
471010 Non-administrative users cannot modify Client SSL profiles.
471704 The vcmpd process is no longer vulnerable to malicious data passed from a vCMP guest.
476157 Security patches applied to krb5 library.
477959 Internal structure improvements, no customer facing functionality changes have been made.
478922 Resolved issue that ICSA logging did not contain information that is required for certification.
481648 The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.
483436 Update to AWS License files.
484453 Harmless messages logged with LOP daemon registration.
484635 Update openssl to latest version.
487800 The guest-specific configuration information blocks are now isolated from each other and the hypervisor is protected against invalid data injected by a vCMP guest.
474805 Internal build improvement.
476521 Use true timeout instead of retries limit when initializing the FIPS device, and subsequently power cycle the unit to recover the FIPS device.
https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15297.html
https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15788.html
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15853.html
477611 Apply Round Robin DAG to icmp echo only.
477888 ICSA logging is no longer missing information that is required for certification.
479152 BIG-IP platform 10000s/10200v/10250v/B4300/B4340N is susceptible to parity error.
483762 MAC address conflicts no longer occur between vCMP guests.
484399 OVA will only create one slot and leave the remaining disk space free.
486514 The crash that happens in the AFM logging module, when the TCP connection to a log destination server is re-established, is fixed.
488461 Improve base build process and remove duplicate code.
492333 Resolved a sys-icheck bug that caused an auto_schema misconfiguration. This occurs on all platforms.
492460 This error message previously occurred intermittently when trying to delete a virtual server and use sFlow: 01070265:3: The Virtual Server () cannot be deleted because it is in use by a sflow http data source (). This no longer occurs.
226892 Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.
424931 Creation of a large file, such as a UCS archive is now handled correctly, and the csyncd process no longer causes high CPU utilization.
428864 Lowering the virtual server connection limit now works, even when traffic is already being processed.
433946 Benign rsync errors are no longer logged in /var/log/ltm and instead are tracked by way of stats in the 'csync_stat' table.
436097 When the TMM restarts, pkcs11d also must be restarted automatically if present.
436811 BIG-IP database monitors may report an incorrect pool member status.
437825 This spurious error message may have previously been displayed when the local user database feature was configured: 01071704:3: Not running command (/usr/libexec/localdb_mysql_restore.sh) because the request came from an untrusted connection. This error message has always been harmless, but now it no longer is displayed.
437906 WebSockets and the HTTP CONNECT method now work with OneConnect.
439424 SafeNet HSM install now needs to be done only on the primary slot on the BIG-IP cluster-mode chassis systems such as VIPRION. A single install on the primary slot will take care of installing SafeNet on all active slots. On any already-open sessions to the BIG-IP slots, the PATH environment variable will need to be reloaded by running 'source ~/.bash_profile' to be able to use SafeNet utilities. If at a later stage a new blade is added or a disabled, or a powered-off blade is made active or is powered-on, the user will have to run 'safenet-sync.sh -p ' *only* on the new secondary slot. If the new slot is made primary before running safenet-sync.sh on it, then the regular install procedure using nethsm-safenet-install.sh will be required on the new primary slot.
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15888.html
https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14862.html
439490 The BIG-IP system now reconnects to SafeNet HSM if the connection is interrupted, so connections continue as expected.
439513 NETHSM: Initial few connection drops after each TMM restart.
439540 Restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".
441894 Pkcs11d watchdog functionality avoids manual restart.
443098 The Proxy SSL feature no longer leaks memory.
447515 The TMM process may resume a suspended iRule on the wrong connection flow.
449798 The BIG-IP system may not correctly monitor pool members after the mcpd process restarts.
450031 The BIG-IP system may incorrectly log 'Limiting closed port RST response' messages.
450804 Improved TLS finish messages.
451218 Corrected Nitrox TLS padding.
452121 The BIG-IP system now supports multiple SafeNet network-HSMs configured in an HA group.
452628 Add a 4igd4 variable for the pkcs11d threads.
453358 Memory leak is fixed.
454465 Corrected TMM TLS padding.
454476 In the event of an invalid parameter in the clienthello, the correct TLS version will be set in the alert.
454636 The logging destination IP address only matches virtual servers, so no HSL logging is lost.
454692 Assigning 'after' object to a variable no longer causes memory leaks.
456859 Interface to hardware compression has improved allocation strategy.
458556 The TMM will no longer produce a core file on startup when traffic arrives before transitioning to cmp ready.
460868 The TMM no longer crashes if network HSM is improperly configured.
461578 Large session object handling is improved.
462163 Allow Non Blade 0 MPI communication even after congestion.
462649 The TMM no longer crashes under heavy load.
463902 Flat-buffer allocator for hardware compression tuned to be less greedy.
464163 Customized cert-key-chain of the child client-ssl profile is reverted to parent's profile cert-key-chain during config load.
467868 Ensured that monitor reason strings no longer leak.
469705 TMM will set a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.
471073 Now, when TMM is restarted, all HA connections are reestablished.
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15579.html
https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15255.html
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15647.html
474757 OpenSSL Security Advisory 8614 (1.0.1i Update).
477967 MPTCP component now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.
480113 FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.
480699 Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of TMMs, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.
483328 Virtual servers with Client SSL profiles may not respond to SSL handshakes after a ConfigSync.
485188 When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.
488208 Can properly upgrade to OpenSSL 1.0.1j without breaking RSA PKCS#1.5 decryption.
470394 The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.
470994 The TMM now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.
475055 Resolved core caused by accounting miscalculation of Nitrox IO flows.
477753 This change allows you to use immediate idle timeout on UDP serverside flows as a workaround for SIP message loss and/or connection failures if (and only if) the logic of the SIP processing does not expect any return traffic to match the serverside connections. Configuration that requires this workaround, but which expects return traffic to match the serverside flow, could not have worked correctly (without specific iRule based band-aids) even before the first affected version.
480299 The Virtual Address throttling delayed update mechanism has been made more robust, and will now send delayed updates (roughly 3 seconds after change) regardless of previous status, guaranteeing that Virtual Address status will reach all subscribers.
483974 Unrecognized options are now ignored.
484429 The TMM will still log critical-level messages, but the system continues to function properly.
486066 The TMM does not produce a core file.
477240 SSL will properly renegotiate rather than terminate connections when the session expires.
487808 Cost link load balancing software support has reached EOL.
248487 The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.
434461 Improved the system's integration with Guardium.
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15851.html
19>>75
&i'ed an issue that occasionall! stopped !ou from deleting an A* securit! polic! that
was created using a template after !ou rolled-forward the polic!Ms configuration from a
previous version.
1>1617 esolved intermittent @nforcer crash due to specific reuests.
1=6578 v)P" &i'ed an issue that caused the @nforcer to crash in a clustered environment.
126659
#here is a new internal parameter" Dignore;null;in;multipart;te'tD. When the internal
parameter is set, a null in reuest violation is not issued when a null appears in the
reuest. If the parameter is defined as file upload in the securit! polic!, no violation isissued. If the parameter is defined as something else, the violation Dnull in multipart
reuestD is issued. If the parameter is not defined in the securit! polic!, the violation
Dnull in reuestD is issued.
12=623
Brute force reporting" #he brute force reported operation mode $#ransparent or
Blocing% is now the same when the attac starts and ends. Previousl!, the s!stem
would occasionall! change the operation mode logged when the attac ended.
476191 To enable you to bypass unicode validation on XML and JSON profiles, we added two internal parameters:
- relax_unicode_in_xml: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce an XML malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's XML parser.
- relax_unicode_in_json: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce a JSON malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's JSON parser.
481572 Fixed an issue that caused the system to not report a navigation parameter that appeared in the POST data.
481792 Fixed an issue where specific requests occasionally caused the Enforcer to stop responding.
476621 Fixed an issue where Bot Detection in the Web Scraping feature created JavaScript errors in the web application using Internet Explorer.
483491 Fixed a memory corruption issue.
481541 Memory leak in the MonPD daemon that occurs in some situations has been resolved.
486327 Web Application Security Administrator added to the list of allowed administrators.
337178 BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used.
398657 Resolved on all platforms where the active session count might be significantly large, at times, likely due to a counter underflow.
403660 Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.
418850 AD may now be the last auth agent in the VMware view access policy. Username/password/domain preserved and then passed to the backend.
420989 When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.
420990 Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.
421091 showrestorebutton:i:0 can be specified in RDP Custom Parameters. Users will no longer see this 'Restore down' button.
422818 "Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.
426623 Improved PAC file download mechanisms.
427830 Network Access connection will not be established if PAC file specified in NA resource cannot be downloaded within 30 seconds.
429362 Edge Client properly reconnects when network connectivity is restored. Previously full reconnection was done in this case and the previous session was not removed.
430531 Computer group policy settings are updated after establishing VPN connection with Windows Logon Integration.
431810 Fix unexpected exceptions when using Kerberos auth agent in a multi-domain SSO configuration.
432333 Java Application Tunnels now work when Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to 127.0.0.1 due to limitations of this mode.
433243 BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.
436177 Fixed arbitrary commands execution: check cab file and webpage are located on same server.
436180 Edge Client will only install controls from trusted hosts.
436183 Check if critical section object was initialized before deleting it.
438292 Resolved issue of Web AppTunnel re-using wrong existing loopback for different backend server IP.
438730 Fixed BSOD caused by DNS relay filtering driver in a very specific condition on Windows XP SP3.
439280 BIG-IP Edge Client installation may trigger a Windows 8.1 system failure.
440792 Client proxy settings specified in a Network Access resource are applied without an occasional miss now.
441318 BIG-IP APM password updates may fail for user account names that contain a period character.
441355 Improved VMware View native client error reporting and prompting for the new password.
441507 SWF patcher now behaves properly.
441830 Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.
442598 Do not close session if session timeout check request fails.
447013 Browser detection JavaScript improved to support Internet Explorer 11.
447302 APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.
449141 Have improved notifications to the user when the BIG-IP Edge Client must reboot to complete updates.
450155 Fixed incorrect handling of component installer that resulted in an MSI installer to act as though installation had failed.
451213 Added logs to distinguish static IP allocation from dynamic IP allocation.
451864 Always preserve locally configured DNS suffixes when establishing VPN connection.
452614 Edge client now contains RSA SecurID software token support for OS X.
452618 LDAP servers in a pool will now timeout correctly if a node cannot be reached.
452621 Logon page changes for integrating RSA Soft token SDK with the edge client.
452625 Edge client cannot automatically retrieve RSA SecurID software token if configured on Logon page.
453188 Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled.
454322 When Allow Local DNS Servers option is enabled, DNS servers from interfaces that are down, will not be added to VPN exclusion list.
456911 A certain scenario in BIG-IP GTM deployment was fixed where access to certain corporate resource might be denied despite network access connection.
458167 Improve logging and error code checks for EAM OAM component.
459870 Now BIG-IP Edge Client in Always Connected mode properly processes cancelling captive portal detection.
459953 When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged.
460265 apmd crashes with null tcl interpreter object. This is now fixed.
462258 After fix, an ldap operation times out in 3 minutes, so a thread will not block any other operation, and service can recover as soon as connection to the backend is restored.
462481 OAM code is fixed with proper exception handling where Oracle API calls are made.
463505 Added factor authentication support for the Edge Client soft token integration.
463538 Edge Client now correctly sends PIN for RSA Soft Token clients while in New Pin mode.
463735 [SecurID SDK] In case of PIN change, user is prompted to input Passcode to PIN field.
463776 VMware View client does not freeze when APM PCoIP is used and user authentication fails against VCS 5.3.
464313 Now dynamically created forms with absolute action path are handled correctly, even with a non-empty BASE tag.
464319 [SHP2013][IE10-IE11]: Calendar widget does not work in Announcement edit page. This is now fixed.
466605 JavaScript: Portal Access variable 'r' is now a local variable.
466617 Now routes for Exclude Address Space are correctly removed when NA connection is terminated if the client was switched to another network.
466797 Now EdgeClient shows warning about session expiration when maximum session timeout is reached.
466898 Enterprise Manager now reports work correctly when accessed through Portal Access.
467287 Previously, Policy Sync would add whitespace to Forms-based SSO configuration objects, which prevented the configuration from running. Now Forms-based SSO configuration does not have whitespace added and the configuration runs as expected.
467597 InspectionHost plugin will now be installed to the "current user" profile (as opposed to all users) and, therefore, will no longer prompt for administrative password.
468478 When the 32 storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.
469960 Implemented a throttling mechanism, so that when the number of fds in the queue reaches a certain threshold, apd will stop accepting new requests, until the number of fds in the queue decreases to a defined level. We introduced three db-variables:
- to enable/disable throttling
- to define a high water mark beyond which release of any connection handle will be stopped, and
- a low water mark to allow further connection from TMM.
470225 Machine Certificate checker now correctly works in Internet Explorer 11.
471014 Openssl improvements.
471331 Fixed intermittent resets when access policy execution is in progress simultaneously from multiple browser tabs.
471452 When URLs from multiple browser tabs start access policy, the landing URL is set to the URL from the browser that finished the access policy execution.
471714 CRLF is used at the end of the header and as a separator between header and email body in emails generated by APM Email agent, conforming to RFC 5322.
471825 Emails sent by 'Email Action' agent, when received by certain SMTP servers, contain empty body. Email agent was updated to comply with RFC 5322 to include "Date:" header.
471893 A problem in which the BIG-IP system, when configured as a SAML IdP, might reboot TMM when running SLO protocol in certain conditions has been fixed.
472040 TMM with BZ 455113 no longer crashes when using the ACCESS::session iRule command.
472216 Fixed alignment of the connection duration counter for customized Edge Clients.
472825 Dashboard no longer displays a dip in active session count when primary blade comes back from a reboot.
478285 An issue with routing table not being restored correctly in multi-homed environment when server settings disallow local subnet access is now fixed.
479524 Portal Access no longer crashes if the URL in a "Refresh" header matches a Portal Access bypass list entry.
479715 The errant behavior is caused by an improper URL being presented by the error page. When APM checks the improper URL, the same error page is issued. This has now been corrected.
480047 BIG-IP EdgeClient can now generate CTU report.
480247 Edge client does not update its application directory anymore, instead it uses /Library/Application\ Support directory.
480360 MAC edge client was fixed so that it does not block textexpander's functionality.
480995 APM client components are now using extended logging by default.
481020 Resolved intermittent routing table issue that caused Traffic to not flow through tunnel if proxy server is load balanced.
481046 Wrapper for scriptTag.text='source script' is fixed to rewrite 'source script' for all browsers.
481203 While creating memcache entry, the username is normalized into utf8 lower case. This ensures that there is only one entry for all combinations of usernames.
481257 CTU report now includes information on "OPSWAT Integration Libraries V3".
481663 If the customer does not need optimized tunnels, app tunnels, or remote desktop, they can safely disable (run disable) the db variable "isession.ctrl.apm", which disables the isession. They would then run "bigstart restart tmm apd" so the db variable takes effect.
483113 A cosmetic issue with the server selection menu showing white background is now fixed.
483379 An issue with Edge Client consuming high CPU and having unresponsive menu icon is now fixed.
484315 Security patches applied to krb5 library.
485304 Fixed root cause of crash - improper memory management.
485465 Issue causing TMM core is fixed.
486661 This is an RFE feature.
487472 An issue with Java installer failing to install the InspectionHost plugin and creating a zero byte file under ~/Library/Internet Plug-Ins is fixed.
467633 Ensured extra spaces was not added to the minified CSS.
426482 The Octeon will now properly handle decompressing large files without any failures.
479889 Memory leaks on iSession + iControl setup have been resolved.
480305 Fixed iControl isession memory leak issue set proper log level to prevent log flooding.
472376 Drop processing the message if the ingress pcb is no longer present.
478442 Core in sip filter no longer occurs when sending HUDEVT message while processing of HUDCTL message.
429885 When operating in firewall (AFM) mode, for example, default deny, the BIG-IP system now counts and logs (if enabled) any traffic that does not match a Virtual or Self IP and is being dropped or rejected.
478816 An enhancement that allows logging the TCP events and errors on fastL4 virtual.
480194 Perform VS DWBL lookup after accept-decisive firewall rule matches at global level.
481189 The load factor controls the minimum percentage of fullness that needs to be reached before the table is expanded to a larger size. Setting the load factor to 25, by default, prevents the firewall rule compiler from growing the table size too aggressively and results in big firewall BLOB.
481706 Improved security logging to reduce incorrect messages.
484013 Fixes a memory leak when TMM is overloaded, and forwards flows to the peer, and packet classification is enabled with "log translation fields" in the logging.
478462 Whitelist counts now increment appropriately.
480125 100+ rules may now be displayed in the active rules page.
476904 Adjusted Logging levels to remove potentially confusing messages.
456963 Fixed NULL pointer dereference.
482442 State changes for wide IPs should be updated correctly when the "Update" button is clicked in the Configuration utility wide IP properties page.
11.5.1 HF5
365764 It is now possible to run a UCS load even if there are partitions still containing GTM objects.
376120 tmrouted no longer restarts when reconfiguring a previously deleted route domain.
404716 Decapsulated tunnel packets are correctly handled by packet filter.
405067 The BIG-IP system applies the active bonus value when the HA score is zero.
413689 Certain virtual server configurations may cause TMM to produce a core file.
421317 A virtual server may not be marked unavailable when the pool status is marked unavailable.
429871 F5 improvement of the integration of latest epsec packages.
438159 Users can now use pre-shared key with anonymous ike-peer for IKEv1 negotiation.
440179 Fixed memory leak in creating a wildcard DS-Lite tunnel.
441063 The DNS and NTP commands may cause the Traffic Management Shell to exit and produce a core file.
441174 Don't handle fragmented packets in Round Robin DAG.
445924 Changed code to allow IP multicast packets to be delivered to all blades so that OSPF failover can occur.
446352 IKE negotiation is now successful and the IPsec tunnel comes up properly and passes traffic with NAT-T and floating tunnel end point address.
447266 Took steps to ensure that MCP would not attempt to modify an object that has been both created and deleted in the same transaction.
448054 Secondary blades now are sent the sync status information from primary blades, so the sync status will not be reset if the primary blade fails over.
450089 Add diagnostic code to the request_group to abort when it is being deleted while actively processing.
450129 LOP (Lights Out Processor) firmware version 2.08 for VIPRION B2100, B2150 resolves the following issues:
(ID446907) Alarm LED may be Red upon powering up VIPRION B2100, B2150 blades
(ID434945) AOM Command Menu no longer reports failure when successfully powering up VIPRION B2100 or B2150 blades.
450458 Resolved build creation issue due to the dependency of various objects that need to be built before compiling sources that use them.
450684 Corrected an inter