
Overview

A monitor is an important BIG-IP feature that verifies connections to pool members or nodes. A
health monitor is designed to report the status of a pool, pool member, or node on an ongoing
basis, at a set interval. When a health monitor marks a pool, pool member, or node down, the
BIG-IP system stops sending traffic to the device.
A failing or misconfigured health monitor may cause traffic management issues similar, but not
limited, to the following:

Connections to the virtual server are interrupted or fail.

Web pages or applications fail to load or execute.

Certain pool members or nodes receive more connections than others.

The previously mentioned symptoms may indicate that a health monitor is marking a pool, pool
member, or node down indefinitely, or that a monitor is repeatedly marking a pool member or
node down and then back up (often referred to as a bouncing pool member or node). For
example, if a misconfigured health monitor constantly marks pool members down and then back
up, connections to the virtual server may be interrupted or fail altogether. You will then need to
determine whether the monitor is misconfigured, the device or application is failing, or some
other factor (such as a network-related issue) is causing the monitor to fail. The
troubleshooting steps you take will depend on the monitor type and the observed symptoms.
When experiencing health monitor issues, you can use the following troubleshooting steps:

Identifying a failing health monitor

Verifying monitor settings

Troubleshooting monitor types

Troubleshooting daemons related to health monitoring

Related articles

Identifying a failing health monitor


The BIG-IP software includes utilities (such as the Configuration utility, command line, or
SNMP) that you can use to alert an administrator or help identify when a health monitor marks
down a pool, pool member, or node. The utilities are defined in the following sections.
Configuration utility

The following table lists Configuration utility pages where you can check the status of pools,
pool members, and nodes:
Configuration utility page | Description | Location
Network map | Summary of pools, pool members, and nodes | Local Traffic > Network Map > Show Map
Pools | Current status of pool/members | Local Traffic > Pools > Statistics
Pool members | Current status of pool/members | Local Traffic > Pools > Statistics
Nodes | Current status of nodes | Local Traffic > Nodes > Statistics

Command line utilities


The following table lists command line utilities that allow you to monitor the status of pools,
pool members, and nodes:
CLI utility | Description | Example commands
bigtop | Live statistics for pool members and nodes | bigtop -n
bigpipe (10.x) | Statistical information about pools, pool members, and nodes | bigpipe pool show, bigpipe node show
tmsh (10.x - 11.x) | Statistical information about pools, pool members, and nodes | tmsh show /ltm pool <pool_name>, tmsh show /ltm node <node_IP>

Logs
The BIG-IP system logs messages related to the health monitor to the /var/log/ltm file.
Reviewing the log files is one way to determine the frequency with which the system is marking
down pool members and nodes. Logging related to monitor state changes is as follows:

Pools

When a health monitor marks all members of a pool down or up, messages that appear
similar to the following example are logged to the /var/log/ltm file:
tmm err tmm[4779]: 01010028:3: No members available for pool <Pool_name>
tmm err tmm[4779]: 01010221:3: Pool <Pool_name> now has available members

Pool members

When a health monitor marks pool members down or up, messages that appear similar to
the following example are logged to the /var/log/ltm file:
notice mcpd[2964]: 01070638:5: Pool member <ServerIP_port> monitor status down
notice mcpd[2964]: 01070727:5: Pool member <ServerIP_port> monitor status up.

Nodes

When a health monitor marks a node down or up, messages that appear similar to the
following example are logged to the /var/log/ltm file:
notice mcpd[2964]: 01070640:5: Node <ServerIP> monitor status down.
notice mcpd[2964]: 01070728:5: Node <ServerIP> monitor status up.
SNMP
When the BIG-IP system is configured to send SNMP traps and a health monitor marks a pool
member or node down or up, the system sends the following traps:

Pool members

alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.10"
}
alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.11"
}

Nodes

alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12"
}
alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.13"
}
Verifying monitor settings
It is important to verify that monitor settings are properly defined for your environment. For
example, F5 recommends that you configure most monitors with a timeout value of three times
the interval value, plus one. This is to prevent the monitor from marking the node down before
the last check is sent.
Simple monitors
A simple monitor is used to verify the status of the destination node (or the path to the node
through a transparent device). Simple monitors do not monitor individual protocols, services, or
applications on a node; just the node address itself. The BIG-IP system provides the following
pre-configured simple monitor types: gateway_icmp, icmp, tcp_echo, tcp_half_open. If you
determine that a simple monitor is marking a node down, you can verify the following settings:
Note: There are other monitor settings that can be defined for simple monitors. For more
information, refer to the Configuration Guide for BIG-IP Local Traffic Management.

Interval/timeout ratio

Configuring an appropriate interval/timeout ratio is important for simple monitors. In
most cases, the interval/timeout should have a timeout value of three times the interval,
plus one. For example, the default ratio is 5/16. Verify that the ratio is properly defined.

Transparent

A transparent monitor uses a path through the associated node to monitor the aliased
destination. Verify that the destination target device is reachable and configured properly
for the monitor.
Extended Content Verification (ECV) monitors
ECV monitors use Send and Receive string settings to retrieve content from pool members or
nodes. The BIG-IP system provides the following pre-configured monitor types: tcp, http, https,
and https_443. If you determine that an ECV monitor is marking a pool member or node down,
you can verify the following settings:
Note: There are other monitor settings that can be defined for ECV monitors. For more
information, refer to the Configuration Guide for BIG-IP Local Traffic Management.

Interval/timeout ratio

As with simple monitors, configuring the interval/timeout ratio is important for ECV
monitors. In most cases, the interval/timeout should have a timeout value of three times
the interval, plus one. For example, the default ratio for ECV monitors is 5/16. Verify that
the ratio is properly defined.
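As an added example (not from the F5 article), the script below parses the brace-style output that tmsh list /ltm monitor prints and applies the three-times-the-interval-plus-one rule described for both simple and ECV monitors. The monitor names and values are constructed, and the tmsh output layout is assumed from the tool's usual format; monitors that only inherit interval and timeout from their parent are reported rather than judged.

```python
import re

# Constructed sample of "tmsh list /ltm monitor" output. Without the
# all-properties option tmsh shows only values that differ from the parent
# monitor, so interval/timeout may be absent (see http_inherit below).
SAMPLE_TMSH = """\
ltm monitor icmp icmp_new {
    defaults-from icmp
    interval 5
    timeout 16
}
ltm monitor http http_new {
    defaults-from http
    interval 10
    recv "HTTP/1.1 200"
    send "GET / HTTP/1.1\\r\\nHost: www.example.com\\r\\nConnection: close\\r\\n\\r\\n"
    timeout 16
}
ltm monitor tcp tcp_tight {
    defaults-from tcp
    interval 5
    timeout 5
}
ltm monitor https https_slow {
    defaults-from https
    interval 5
    timeout 60
}
ltm monitor http http_inherit {
    defaults-from http
    recv "200 OK"
}
"""

BLOCK_RE = re.compile(r"^ltm monitor (?P<type>\S+) (?P<name>\S+) \{$")
PROP_RE = re.compile(r"^\s+(?P<key>[\w-]+)(?: (?P<value>.*))?$")


def parse_tmsh_monitors(text):
    """Return {monitor name: {property: value}} from tmsh list output."""
    monitors, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        head = BLOCK_RE.match(line)
        if head:
            current = {"type": head["type"]}
            monitors[head["name"]] = current
        elif line.strip() == "}":
            current = None
        elif current is not None:
            prop = PROP_RE.match(line)
            if prop:
                current[prop["key"]] = prop["value"]
    return monitors


def recommended_timeout(interval):
    """F5's rule of thumb from the article: timeout = 3 * interval + 1."""
    return 3 * interval + 1


def check_ratio(monitor):
    """Classify one monitor's interval/timeout pair against the 3n+1 rule."""
    if "interval" not in monitor or "timeout" not in monitor:
        parent = monitor.get("defaults-from", "its parent")
        return "inherited", f"interval/timeout inherited from {parent}; list with all-properties to see them"
    interval, timeout = int(monitor["interval"]), int(monitor["timeout"])
    want = recommended_timeout(interval)
    if timeout <= interval:
        return "critical", f"timeout {timeout} <= interval {interval}: one late reply marks the member down"
    if timeout < want:
        return "short", f"timeout {timeout} < {want}: fewer than three probes before a down mark"
    if timeout == want:
        return "ok", f"{interval}/{timeout} matches 3*interval+1"
    return "long", f"timeout {timeout} > {want}: a failed member stays in rotation longer than needed"


def audit(text):
    """Run check_ratio over every monitor found in the tmsh output."""
    return {name: check_ratio(mon) for name, mon in parse_tmsh_monitors(text).items()}


if __name__ == "__main__":
    for name, (verdict, detail) in audit(SAMPLE_TMSH).items():
        print(f"{name:14s} {verdict:9s} {detail}")
```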

Send string

The Send string is a text string that the monitor sends to the pool member. The default
setting is GET /, which retrieves a default HTML file for a website. If the Send string is
not properly constructed, the server may send an unexpected response and be
subsequently marked down by the monitor. For example, if the server requires the
monitor request to be HTTP/1.1 compliant, you must adjust the monitor Send string.
Note: For information about modifying HTTP requests for use with HTTP or HTTPS
application health monitors, refer to the following articles:
SOL2167: Constructing HTTP requests for use with the HTTP or HTTPS application
health monitor
SOL3224: HTTP health checks may fail even though the node is responding correctly
SOL10655: CR/LF characters appended to the HTTP monitor Send string

Receive string

The Receive string is the regular expression representing the text string that the monitor
looks for in the returned resource. ECV monitor requests may fail and mark the pool
member down if the Receive string is not configured properly. For example, if
the Receive string appears too late in the server response, or the server responds with a
redirect, the monitor marks the pool member down.
Note: For information about modifying the monitor to issue a request to a redirection
target, refer to SOL3224: HTTP health checks may fail even though the node is
responding correctly.

User name and password

ECV monitors have User Name and Password settings, which can be used for resources
that require authentication. Verify whether the pool member requires authentication and
ensure that the fields contain valid credentials.
Troubleshooting monitor types

Simple monitors
Troubleshooting connectivity issues for a simple monitor is fairly straightforward. If you
determine that a monitor is marking a node down (or the node is bouncing), you can use the
following steps to troubleshoot the issue:
1. Determine the IP address of the nodes being marked down.

You can determine the IP address or the nodes that the monitor is marking down by using
the Configuration utility, command line utilities, or log files. You can quickly search the
/var/log/ltm file for node status messages using command syntax that appears similar to
the following example:
# cat /var/log/ltm |grep 'Node' |grep 'status'
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.1 monitor status down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 172.24.64.4 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.200 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.122 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 11.1.1.1 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.229 monitor status down.
Note: If a large number of nodes are being marked down (or bouncing), you can sort the
results by IP addresses.
For example:
cat /var/log/ltm |grep 'Node' |grep 'status' | sort -t . -k 3,3n -k 4,4n
2. Check connectivity to the node.

If there are occurrences of node addresses being marked down and not back up, or nodes
bouncing, check the connectivity to the nodes from the BIG-IP system, using commands
such as ping, traceroute (BIG-IP 10.x, 11.x) or tracepath (BIG-IP 9.x). For example, if
you have determined that a simple monitor is marking the node address 10.10.65.1 down,
you can attempt to ping the resource from the BIG-IP system as follows:
# ping -c 4 10.10.65.1
PING 10.10.65.1 (10.10.65.1) 56(84) bytes of data.
64 bytes from 10.10.65.1: icmp_seq=1 ttl=64 time=11.32 ms
64 bytes from 10.10.65.1: icmp_seq=2 ttl=64 time=8.989 ms
64 bytes from 10.10.65.1: icmp_seq=3 ttl=64 time=10.981 ms
64 bytes from 10.10.65.1: icmp_seq=4 ttl=64 time=9.985 ms
Note: The previous ping output shows high round trip times, which may indicate a
network issue or a slow responding node.
In addition, make sure that the node is configured to respond to the simple monitor. For
example, tcp_echo is a simple monitor type that requires that the TCP echo service is
enabled on the nodes being monitored. The BIG-IP system sends a SYN segment with
information to be echoed by the receiving device.
3. Check the monitor settings.

Use the Configuration utility or command line utilities to verify that the monitor settings
(such as the interval / timeout ratio) are appropriate for the node.
For example, the following bigpipe command lists the configuration for the icmp_new
monitor:
bigpipe monitor icmp_new list
The following tmsh command lists the configuration for the icmp_new monitor:
tmsh list /ltm monitor icmp_new
4. Create a custom monitor (if needed).

If you are using a default monitor and have determined that the settings are not
appropriate for your environment, consider creating and testing a new monitor with
custom settings.
5. Use the tcpdump command to capture monitor traffic.

If you are unable to determine the cause of a failing health monitor, it may be necessary
to perform packet captures on the BIG-IP system.

Note: For more information about running tcpdump, refer to SOL411: Overview of
packet tracing with the tcpdump utility.
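Added here as an illustration, not as part of the F5 article: a small Python script that parses /var/log/ltm lines in the formats quoted in the Logs section and in step 1 above, then reports which pool members or nodes are bouncing (repeated down marks inside one window) and which are currently down. The log excerpt is constructed in the article's format, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message IDs the article lists for monitor state changes in /var/log/ltm,
# mapped to the kind of object each one describes.
MONITOR_MSGIDS = {
    "01070638": "pool member",  # Pool member <ip:port> monitor status down
    "01070727": "pool member",  # Pool member <ip:port> monitor status up
    "01070640": "node",         # Node <ip> monitor status down
    "01070728": "node",         # Node <ip> monitor status up
    "01010028": "pool",         # No members available for pool <name>
    "01010221": "pool",         # Pool <name> now has available members
}
# Syslog layout as quoted in the article: timestamp, host, severity,
# process[pid]:, then "msgid:level:" and the message text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \w+ "
    r"\w+\[\d+\]: (?P<msgid>[0-9a-f]{8}):\d+: (?P<text>.*)$"
)
OBJECT_RE = re.compile(r"(?:Pool member|Node|Pool|pool) (?P<obj>\S+)")
# mcpd sometimes writes "monitor status node down" (as in the article's
# pool-member excerpt), so an optional "node " is skipped before the state.
STATUS_RE = re.compile(r"monitor status (?:node )?(?P<state>\w+)")

# Constructed excerpt in the article's format; not a real capture.
SAMPLE_LOG = """\
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.1 monitor status down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:40 local/3400a err tmm[4779]: 01010028:3: No members available for pool web_pool
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor status down.
Jan 21 15:05:02 local/3400a notice mcpd[2964]: 01070728:5: Node 10.10.65.1 monitor status up.
Jan 21 15:05:02 local/3400a notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:05:03 local/3400a err tmm[4779]: 01010221:3: Pool web_pool now has available members
Jan 21 15:06:10 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:06:41 local/3400a notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:07:15 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
"""


def parse_events(lines, year=2015):
    """Return (timestamp, kind, object, state) for each monitor message.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["msgid"] not in MONITOR_MSGIDS:
            continue
        kind, obj = MONITOR_MSGIDS[m["msgid"]], OBJECT_RE.search(m["text"])
        status = STATUS_RE.search(m["text"])
        if not obj or (kind != "pool" and not status):
            continue
        if kind == "pool":
            state = "down" if m["msgid"] == "01010028" else "up"
        else:
            state = status["state"]
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, kind, obj["obj"], state))
    return events


def state_summary(events):
    """Per object: down/up counts and the last state the log shows."""
    summary = {}
    for ts, kind, obj, state in events:
        e = summary.setdefault((kind, obj), {"downs": 0, "ups": 0, "state": None, "last": None})
        if state in ("down", "up"):
            e[state + "s"] += 1
        e["state"], e["last"] = state, ts
    return summary


def find_bouncing(events, min_downs=2, window=timedelta(minutes=10)):
    """Objects marked down at least min_downs times within one window."""
    downs = defaultdict(list)
    for ts, kind, obj, state in events:
        if state == "down":
            downs[(kind, obj)].append(ts)
    bouncing = {}
    for key, times in downs.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_downs:
                bouncing[key] = count
                break
    return bouncing


def stuck_down(summary):
    """Objects whose most recent message is a down: never marked back up."""
    return sorted(k for k, e in summary.items() if e["state"] == "down")


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG.splitlines())
    print("bouncing:", find_bouncing(ev))
    print("currently down:", stuck_down(state_summary(ev)))
```

Run it against the real file with parse_events(open("/var/log/ltm").read().splitlines()) and the correct year.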
ECV monitors
Troubleshooting issues for ECV monitors involves several steps. If you determine that an ECV
monitor is marking a pool member down (or the pool member is bouncing), you can use the
following steps to troubleshoot the issue:
1. Determine the IP address of the pool members that the monitor is marking
down by using the Configuration utility, command line utilities, or log files.

For example, search the /var/log/ltm file for pool member status messages as follows:
# cat /var/log/ltm |grep -i 'pool member' |grep 'status'
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:21 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status node down.
Jan 21 15:05:05 local/3400a notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status unchecked.
2. Check connectivity to the pool member.

As previously stated, check the connectivity to the pool members from the BIG-IP system
using the ping or traceroute commands.
3. Check the ECV monitor settings.

Use the Configuration utility or command line utilities to verify that the monitor settings
(such as the interval / timeout ratio) are appropriate for the pool members.
For example, the following bigpipe command lists the configuration for the http_new
monitor:
bigpipe monitor http_new list

The following tmsh command lists the configuration for the http_new monitor:
tmsh list /ltm monitor http_new
4. Create a custom monitor (if needed).

If you are using a default monitor and have determined that the settings are not
appropriate for your environment, consider creating and testing a new monitor with
custom settings.
5. Test the response from the application.

Use a command line utility on the BIG-IP system to test the response from the web
application. For example, the following command uses the curl (and time) command and
attempts to transfer data from the web server while timing the response:
# time curl http://10.10.65.1
<html>
<head>
--</body>
</html>
real 0m18.032s
user 0m0.030s
sys 0m0.060s
Note: If you want to test a specific HTTP request, including HTTP headers, you can use
the telnet command to connect to the pool member.
For example:
telnet <serverIP> <serverPort>
Next, at the prompt, enter an appropriate HTTP request line and HTTP headers, pressing
Enter once after each line.
For example:
GET / HTTP/1.1 <enter>
Host: www.yoursite.com <enter>
Connection: close <enter>
<enter>

6. Use the tcpdump command to capture monitor traffic.

Note: For more information about running tcpdump, refer to SOL411: Overview of
packet tracing with the tcpdump utility.
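To put the Send and Receive string failure modes described above, and the request-line test in step 5, into working code, the following added example (not part of the F5 article) mimics one ECV probe against a local stand-in web server. The host name www.example.com, the paths, and the server behaviour are constructed; the probe itself is a plain socket exchange, not BIG-IP code.

```python
import re
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Send strings in the shape the article recommends for HTTP/1.1 servers:
# request line, Host header, Connection: close, CR/LF after every line.
HOST = "www.example.com"  # constructed placeholder, not a real pool member
SEND_ROOT = f"GET / HTTP/1.1\r\nHost: {HOST}\r\nConnection: close\r\n\r\n"
SEND_APP = f"GET /app/ HTTP/1.1\r\nHost: {HOST}\r\nConnection: close\r\n\r\n"
SEND_SLOW = f"GET /slow HTTP/1.1\r\nHost: {HOST}\r\nConnection: close\r\n\r\n"


def ecv_probe(host, port, send, recv, timeout=16):
    """Mimic one ECV attempt: connect, write the Send string, scan the reply for
    the Receive regex until it matches, the peer closes, or the timeout expires."""
    pattern = re.compile(recv.encode())
    deadline = time.monotonic() + timeout
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(send.encode())
            while True:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    raise socket.timeout
                s.settimeout(remaining)
                chunk = s.recv(4096)
                if not chunk:  # server closed without the string appearing
                    return "down", "receive string not found in response", reply
                reply += chunk
                if pattern.search(reply):
                    return "up", "receive string matched", reply
    except socket.timeout:
        return "down", "timeout before receive string seen", reply
    except OSError as exc:
        return "down", f"connection failed: {exc}", reply


class _PoolMember(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server: / redirects to /app/, /app/
    serves a login page, and /slow answers only after the monitor gives up."""
    def do_GET(self):
        if self.path == "/":
            self.send_response(302)
            self.send_header("Location", "/app/")
            self.end_headers()
        elif self.path == "/app/":
            body = b"<html><head><title>Login</title></head><body></body></html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/slow":
            time.sleep(3)
            self.send_response(200)
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo output clean
        pass


class _QuietServer(ThreadingHTTPServer):
    def handle_error(self, request, client_address):
        pass  # /slow writes to a socket the probe has already closed


def start_test_server():
    srv = _QuietServer(("127.0.0.1", 0), _PoolMember)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the article's Receive-string failure modes against the stand-in."""
    srv, port = start_test_server()
    try:
        return {
            # Expected page text, but the server redirects: marked down
            # although the application behind the redirect is fine.
            "redirect_unmatched": ecv_probe("127.0.0.1", port, SEND_ROOT, "Login", 5),
            # Accepting the redirect status line keeps the member up.
            "redirect_accepted": ecv_probe("127.0.0.1", port, SEND_ROOT, r"HTTP/1\.[01] 30[12]", 5),
            # Sending the request to the redirect target also keeps it up.
            "target_page": ecv_probe("127.0.0.1", port, SEND_APP, "Login", 5),
            # A member that answers after the timeout is marked down.
            "slow": ecv_probe("127.0.0.1", port, SEND_SLOW, "200", 1),
        }
    finally:
        srv.shutdown()


if __name__ == "__main__":
    for name, (status, reason, _) in demo().items():
        print(f"{name:20s} {status:5s} {reason}")
```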

Troubleshooting daemons related to health monitoring


The bigd process manages health checking for pool members, nodes, and services on the BIG-IP
LTM system. The bigd process collects health checking status and communicates the status
information to the mcpd process, which stores the data in shared memory so that the TMM can
read it. If you are having monitoring issues, you can check the memory utilization of the bigd
process. If the %MEM is unusually high, or continually increases, the process may be leaking
memory.
For example, to check the current memory utilization of bigd, use the ps command:
# ps aux |grep bigd
USER PID  %CPU %MEM VSZ   RSS   TTY STAT START TIME COMMAND
root 3020 0.0  0.6  28208 10488 ?        2010  5:08 /usr/bin/bigd

Note: If the bigd process fails, the health check status of pool members, nodes, and services
remain in their current state until the bigd process is restarted. For more information, refer to
SOL6967: When the BIG-IP LTM bigd daemon fails, the health check status of pool members,
nodes, and services remain unchanged until the bigd daemon is restarted.
In addition, it is possible to run the bigd process in debug mode. Debug logging for the bigd
process is extremely verbose, as it logs multiple messages for every monitor attempt. For
information about running bigd in debug mode, contact F5 Technical Support.
Supplemental Information

SOL15530: Debug logging and BIG-IP system resource utilization

SOL3451: Content length limits for HTTP and HTTPS health monitors

SOL10516: Overview of BIG-IP pool status

SOL10966: Determining which monitor triggered a change in the availability of a node or
pool member (9.x - 10.x)

SOL15408: Troubleshooting BIG-IP GTM monitors

For more information about the bigtop utility, refer to SOL7318: Overview of
the bigtop utility

For more information about the bigpipe utility, refer to the BIG-IP Command
Line Interface Guide (9.4.x) and the Bigpipe Utility Reference Guide (10.x)

For more information about the tmsh utility, refer to the Traffic Management
Shell (tmsh) Reference Guide

Original Publication Date: 06/25/2015


Updated Date: 09/29/2015
F5 has recently discovered and corrected a number of issues that affect customers running
BIG-IP 11.5.3. F5 recommends that all customers currently running BIG-IP 11.5.3 install the
latest cumulative rollup hotfix.
The following table lists the rollup hotfixes released for BIG-IP 11.5.3. The table lists each
hotfix, along with the ID numbers of issues that the corresponding hotfix resolves, and a
description of each issue. If an article exists for the issue, the ID number contains a link to a
corresponding article.
Note: These rollup hotfixes are cumulative; each hotfix contains all fixes included in the
previous hotfixes. For example, HF3 includes all IDs fixed in HF1 and HF2.
BIG-IP
Version

ID
Description
Number

11.5.3
HF2

546410 Configuration may fail to load when upgrading from v10.X


542898 Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
540638 GUI Device Management Overview to display device_trust_group
535806 Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
534630 Upgrade BIND to address CVE-2015-5477
533458 Generate core file on HSB lockup
533257

The tmsh config file merge may fail when AFM security log profile is
present in merged file

530122 Improvements in building "rolled up HF" images for hypervisors


529509 CVE-2015-4620 BIND vulnerability
527630 CVE-2015-1788 : OpenSSL Vulnerability
527021 BIG-IQ iApp statistics corrected for empty pool use cases
526419 Deleting an iApp service may fail

524326

Can delete last IP address on a BIG-IP GTM server but cannot load a
config with a BIG-IP GTM server with no IPs

524126 The DB variable provision.tomcat.extramb is cleared on first boot


523863 istats help not clear for negative increment
523125 Disabling/enabling blades in cluster can result in inconsistent failover state
523032 qemu-kvm VENOM vulnerability CVE-2015-3456
The iControl Management.Zone.get_zone() method can return zone
520640 options in a format inconsistent for use with the
Management.Zone.set_zone_option() method
520466 Ability to edit iCall scripts is removed from resource administrator role
519877 External pluggable module interfaces not disabled correctly
519394

Sync when licensed for ASM/AFM fails to sync pool with "Load balancing
feature not licensed" error

519068 Device trust setup can require restart of devmgmtd


518039 BIG-IQ iApp statistics corrected for partition use cases
517580 OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
516669 sod core caused failover
516618 CVE-2013-7424
516184

IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default
values

513974 Transaction validation errors on object references


513916 String iStat rollup not consistent with multiple blades
513649 Transaction validation errors on object references
513454 An snmpwalk with a large configuration can take too long
513382 Resolution of multiple OpenSSL vulnerabilities
510119 HSB performance can be suboptimal when transmitting TSO packets
509782 TSO packets can be dropped with low MTU
509504 Excessive time to save/list a firewall rule-list configuration
509503

The tmsh load sys config merge file 'filename' takes significant time for
firewall rulelist configuration

507575

An incorrectly formatted NAPTR creation by way of iControl can cause an


error

507331

Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be


enabled

507327 Programs that read stats can leak memory on errors reading files
506041 Folders belonging to a device group can show up on devices not in the
group

506034 NTP vulnerabilities (CVE-2014-9297, CVE-2014-9298)


502238

Connectivity and traffic interruption issues caused by a stuck HSB transmit


ring

501517

A very large configuration can cause transaction timeouts on secondary


blades

500091 CVE-2015-0204 : OpenSSL Vulnerability


499260 Deleting trust-domain fails when standby IP is in ha-order
497564 Improve High Speed Bridge diagnostic logging on transmit/receive failures
495335 BWC related TMM core
490537

Persistence Records display in GUI might cause system to become


unresponsive with large number of records

486758 Management port unreachable after install


483683

MCP continues running after "Unexpected exception caught in


MCPProcessor::rm_DBLowHighWide" error

481696 Failover error message 'sod out of shmem' in /var/log/ltm


479460 SessionDb may be trapped in wrong HA state during initialization
475647 VIPRION Host PIC firmware version 7.02 update
473348 hbInterval value not set to 300 sec after upgrade
472365 The vCMP worker-lite system occasionally stops due to timeouts
470184

In Configuration utility, unable to view or edit objects in Local Traffic ::


iRules :: Data Group List

465009 VIPRION B2100-series LOP firmware version 2.10 update


464043 Integration of Firmware for the 2000 Series Blades
460456 FW RELEASE: Incorporate Whitethorne BIOS 2.06.214.0
460444 VIPRION B4300 BIOS version 2.03.052.0 update
460428 BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update
460422 FW RELEASE: Incorporate Treadstone BIOS 4.01.006.0
460406 VIPRION B2100-series BIOS version 1.06.043.0 update
460397 FW RELEASE: Incorporate Victoria 2 BIOS 1.26.012.0
455264 Error messages are not clear when adding member to device trust fails
451602 DPD packet drops with keyed VLAN connections
447075

CuSFP module plugged in during links-down state will cause remote linkup

443298 FW Release: Incorporate Victoria2 LOP firmware v1.20


441100 iApp partition behavior corrected
436682 SFP modules show a higher optical power output for disabled switch ports

420107

TMM could become unresponsive when modifying HTML profile


configuration

410398 sys db tmrouted.rhifailoverdelay does not seem to work


405752 Monitors sourced from specific source ports can fail
364978 Active/standby system configured with unit 2 failover objects
362267

Configuring network failover on a VIPRION cluster using the blade


management addresses results in 'Cannot assign requested address' errors

359774 Pools in HA groups other than Common


355661

sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign


requested address

531576 TMM memory leak in traffic handling


530963

BIG-IP TLS does not correctly verify Finished.verify_data on non-Cavium


platforms

530829 UDP traffic sent to the host may leak memory under certain conditions
530795

In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK
number

530769

F5 SFP+ module becomes unpopulated after mcpd is restarted in a


clustered environment

528432 Control plane CPU usage reported too high


527826 IP Intelligence update failed: Missing SSL certificate
Upgrade will reset Ciphers field in clientssl or server ssl profiles to
527649 DEFAULT if the current cipherstring would have effectively contained no
ciphersuites
524666 DNS licensed rate limits might be unintentionally activated
523079 Merged may stop responding when file descriptors exhausted
522784 After restart, system remains in the INOPERATIVE state
522147 'tmsh load sys config' fails after key conversion to FIPS using web GUI
521813 Cluster is removed from HA group on restart
521774 Traceroute and ICMP errors may be blocked by AFM policy
521548 System possibly stops responding in SPDY
521538

Keep-alive transmissions do not resume after failover of flows on an L4


virtual, when the sequence number is known

521522

Traceroute through BIG-IP may display destination IP address at BIG-IP


hop

521408

Incorrect configuration in BigTCP virtual servers can lead to TMM


producing a core file

521336 pkcs11d initialization retry might post misleading error messages and
eventually result in pkcs11d creating a core file

520540

HTTP Basic authentication may cause the TMM to stop responding if the
header is too large

518086 Safenet HSM Traffic failure after system reboot/switchover


518020 Improved handling of certain HTTP types.
517556 DNSSEC unsigned referral response is improperly formatted
515759

Configuration objects with more than four vlans in vlan list may cause
memory utilization to increase over time

515139

Active FTP session with inherit profile and address translation disabled
may not decrement pool member current connections statistics

514729

10.2.1 system with SSL profile specifying ciphers "DEFAULT:!HIGH:!


MEDIUM" fails to upgrade to 11.5.1

514604 Nexthop object can be freed while still referenced by another structure
512383

Hardware flow stats are not consistently cleared during fastl4 flow
teardown

512062

A db variable to disable verification of SCTP checksum when ingress


packet checksum is zero

510638

[DNS] Config change in dns cache resolver does not take effect until TMM
restart

507529

Active crash with assert: tmm failed assertion, non-zero ha_unit required
for mirrored flow

507127 DNS cache resolver is inserted into a wrong list on creation


504899

Duplicated snat-translation addresses are possible (a named and an


anonymous [created by snatpool] one)

504105

RRDAG enabled UDP ports may be used as source ports for locally
originated traffic

503214 Under high load, crypto queues may become stuck


502443

After enabling a blade, pool members are marked down because


monitoring starts too soon

501516

If a very large number of monitors is configured, bigd can run out of file
descriptors when it is restarted

499422

An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK


packet results in a FIN/ACK storm

497584 The RA bit on DNS response may not be set


496758

Monitor Parameters saved to config in a certain order may not construct


parameters correctly

479682 TMM generates hundreds of ICMP packets in response to a single packet


478617 Do not include maximum TCP options length in calculating MSS on ICMP
PMTU

478592

When using the SSL forward proxy feature, clients might be presented with
expired certificates

478439 Unnecessary re-transmission of packets on higher ICMP PMTU


478257

Unnecessary re-transmission of packets on ICMP notifications even when


MTU is not changed

476097 TCP Server MSS option is ignored in verified accept mode


474601 FTP connections are being offloaded to ePVA
468472

Unexpected ordering of internal events can lead to TMM producing a core


file

468375 TMM stops responding when MPTCP JOIN arrives in the middle of a flow
465590 Mirrored persistence information is not retained while flows are active
462714

Source address persistence record times out even while traffic is flowing
on FastL4 profile virtual server

460627

SASP monitor starts a new connection to the Group Workload Manager


(GWM) server when a connection to it already exists

455762

DNS cache statistics no longer incremented improperly due to mirrored


cache data

454018 Nexthop to tmm0 ref-count leakage could cause TMM core


452439

TMM may stop responding when enabling DOS weep/flood if a TMM


process has multiple threads

451960 HTTPS monitors do not work with FIPS keys


450814 Early HTTP response might cause rare 'server drained' assertion
449848 Diameter Monitor not waiting for all fragments
443157

zxfrd might stop responding when the zone file (zxfrd.bin) is deleted from
the directory /var/db

442686 DNSX Transfers occur on DNSX authoritative server change


431283 iRule binary scan may core TMM when the offset is large
422107

Responses from DNS transparent cache will no longer contain RRSIG for
queries without DO bit set

422087

Low memory condition caused by Ram Cache may result in TMM


producing a core file

420341

Connection Rate Limit Mode when limit is exceeded by one client also
throttles others

419458 HTTP is more efficient in buffering data


402412

FastL4 tcp handshake timeout is not honored, connection lives for idle
timeout

375887 Cluster member disable or reboot can leak a few cross blade trunk packets
374339 HTTP::respond/redirect might make TMM unresponsive under low-

memory conditions
374067

Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect


virtual server interferes with keepalive connections

352925 Updating a suspended iRule and TMM process restart


342013 TCP filter does not send keepalives in FIN_WAIT_2
526699

TMM might stop responding if BIG-IP DNS iRule nodes_up references an


invalid IP/Port

516685 ZoneRunner might fail to load valid zone files
516680 ZoneRunner might fail when loading valid zone files
515797 Using qos_score command in RULE_INIT event causes TMM to stop responding
515033 [ZRD] A memory leak in zrd
515030 [ZRD] A memory leak in Zrd
496775 [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the BIG-IP monitor
479084 ZoneRunner can fail to respond to commands after a VE resume
471819 The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system, and Common Criteria mode is enabled
465951 If net self description size =65K, gtmd restarts continuously
353556 big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed
225443 gtmparse fails to load if you add unsupported SIP monitor parameters to the config
532030 ASM REST: Custom signature set created by way of REST is different than when created from GUI
526856 "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
524428 Adding multiple signature sets concurrently by way of REST
524004 Adding multiple signatures concurrently by way of REST
523261 ASM REST: MCP Persistence is not triggered by way of REST actions
523260 Apply Policy finishes with coapi_query failure displayed
523201 Expired files are not cleaned up after receiving an ASM Manual Synchronization
520796 High ASCII characters availability for policy encoding
520585 Changing security policy application language is not validated or propagated properly
520280 Perl produces a core file after applying policy action
516523 Full ASM ConfigSync was happening too often in a Full Sync Auto-Sync Device Group
516522 After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty
514061 False positive scenario caused SMTP transactions to hang and eventually reset
512668 ASM REST: Unable to Configure Clickjacking Protection by way of REST
510499 Enforcer stops responding after Sync in an ASM-only Device Group
506407 Certain upgrade paths to 11.6.x would lose the redirect URL configuration for Alternate Response Pages
487420 BD stops responding upon stress on session tracking
533098 Traffic capture filter not catching all relevant transactions
531526 Missing entry in SQL table leads to misleading ASM reports
525708 AVR reports of last year are missing the last month data
519022 Upgrade process fails to convert ASM predefined scheduled-reports
539013 DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537000 Installation of Edge Client can cause Windows 10 to stop responding in some cases
534755 Deleting APM virtual server produces ERR_NOT_FOUND error
532522 CVE-2015-1793
532394 Client to log value of "SearchList" registry key
532096 Machine Certificate Checker is not backward compatible with 11.4.1 (and earlier) when MatchFQDN rule is used
531883 Windows 10 App Store VPN Client must be detected by BIG-IP APM
531483 Copy profile might end up with error
530697 Windows Phone 10 platform detection
529392 Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script
528726 AD/LDAP cache size reduced
528675 BIG-IP EDGE Client can indefinitely stay in a "disconnecting..." state when captive portal session expired
527799 OpenSSL library in APM clients updated to resolve multiple vulnerabilities

526833 Reverse Proxy produces JS error: 'is_firefox' is undefined
526754 F5unistaller.exe stops responding during uninstall
526617 TMM stops responding when logging a matched ACL entry with IP protocol set to 255
526578 Network Access client proxy settings are not applied on German Windows
526492 DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275 VMware View RSA/RADIUS two factor authentication fails
526084 Windows 10 platform detection for BIG-IP EDGE Client
525920 VPE fails to display access policy
525562 Debug TMM stops responding during initialization
525429 DTLS renegotiation sequence number compatibility
525384 Network Access PAC file can now be located on SMB share
524909 Windows info agent could not be passed from Windows 10
524756 APM log is filled with errors about failing to add/delete session entry
523431 Windows Cache and Session Control cannot support a period in the access profile name
523390 Minor memory leak on IdP when SLO is configured on bound SP connectors
523329 When BIG-IP is used as SAML Identity Provider (IdP), TMM may restart under certain conditions
523327 In very rare cases Machine Certificate service may fail to find private key
523222 Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending
521835 [Policy Sync] Connectivity profile with a customized logo fails
521773 Memory leak in Portal Access
521506 Network Access does not restore loopback route on multi-homed machine
520705 Edge client contains multiple duplicate entries in server list
520642 Rewrite plugin should check length of Flash files and tags
520390 Reuse existing option is ignored for smtp servers
520298 Java applet does not work
520205 Rewrite plugin could stop responding on malformed ActionScript 3 block in Flash file
520145 [Policy Sync] OutOfMemoryError exception when syncing a big and complex APM policy
520118 Duplicate server entries in Server List
519966 APM "Session Variables" report shows user passwords in plain text
519864 Memory leak on L7 Dynamic ACL
519415 BIG-IP APM network access tunnel ephemeral listeners ignore iRules (related-rules from main virtual)
519198 [Policy Sync] UI General Exception Error when syncing a policy in non-default partition as non-default admin user
518981 RADIUS accounting STOP message may not include long class attributes
518260 Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988 TMM may stop responding if access profile is updated while connections are active
517872 Include proxy hostname in logs in case of name resolution failure
517564 APM cannot get groups from an LDAP server when LDAP server is configured to use non-default port
517441 apd may stop responding when RADIUS accounting message is greater than 2K
517146 Log ID 01490538 may be truncated
516839 Add client type detection for Microsoft Edge browser
516462 Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
516075 Linux command line client fails with on-demand cert
515943 "Session variables" report may show empty if session variable value contains non-English characters
514912 Portal Access scripts had not been inserted into HTML page in some cases
514220 New iOS-based VPN client may fail to create IPv6 VPN tunnels
513969 UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953 RADIUS Auth/Acct might fail if server response size is more than 2K
513706 Incorrect metric restoration on Network Access on disconnect (Windows)
513581 TMM occasionally stops responding when http payload is scanned through SWG
513283 Mac Edge Client does not send client data if access policy expired
513201 Edge client is missing localization of some English text in Japanese locale
513165 SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute
513098 localdb_mysql_restore.sh failed with exit code
512345 Dynamic user record removed from memcache but remains in MySQL
512245 Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
511961 BIG-IP Edge Client does not display logon page for FirePass
511854 Rewriting URLs at client side does not rewrite multi-line URLs
511648 On standby, TMM can produce a core file when active system sends leasepool HA commands to standby device
511441 Memory leak when request Cookie header is longer than 1024 bytes
510709 Websso start URI match fails if there are more than 2 start URIs in SSO configuration
510596 Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
510459 In some cases Access does not redirect client requests
509490 [IE10]: attachEvent does not work
507681 Window.postMessage() does not send objects in IE11
507321 JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
507116 Web-application issues and/or unexpected exceptions
506223 A URI in request to cab-archive in iNotes is rewritten incorrectly
505755 Some scripts on dynamically loaded html page could be not executed
504461 Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it
500938 Network Access can be interrupted if second NIC is disconnected
500450 ASM and APM on same virtual server caused Set-Cookie header modification done by ASM to be not honored by APM websso
498782 Config snapshots are deleted when failover happens
497627 TMM cores while using APM Network Access and no leasepool is created on the BIG-IP system
497118 TMM may restart when SAML SLO is triggered
495702 Mac Edge Client cannot be downloaded sometimes from management UI
495336 Logon page is not displayed correctly when "force password change" is on for local users
494565 CSS patcher stops responding when a quoted value consists of spaces only
494189 Poor performance in clipboard channel when copying
493006 Export of huge policies might end up with 'too many pipes opened' error
492701 Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492305 Recurring file checker does not interrupt session if client machine has missing file
492149 Inline JavaScript with HTML entities may be handled incorrectly
490830 Protected Workspace is not supported on Windows 10
488736 Fixed problem with iNotes 9 Instant Messaging
488105 TMM may generate core file during certain config change
487399 VDI plugin stops responding when View client disconnects prematurely
483792 When iSession control channel is disabled, do not assign app tunnel, MSRDP, opt tunnel resources
483286 APM MySQL database full as log_session_details table keeps growing
482699 VPE displaying "Uncaught TypeError"
482269 APM support for Windows 10 out-of-the-box detection
482266 Network Access cannot be established for Windows 10
482251 Portal Access: Location.href(url) support is added
482241 Windows 10 cannot be properly detected
482145 Text in buttons is not centered correctly for higher DPI settings
480761 Fixed issue causing TunnelServer to stop responding during reconnect
479451 Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
478492 Incorrect handling of HTML entities in attribute values
478333 Edge Client shows an error about corrupted config file when user's profile and temp folders are located on different partitions
474779 EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails
474698 BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions
474058 When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
473255 JavaScript submit() method could be rewritten incorrectly inside of 'with' statement
472256 The tmsh and tmctl report unusually high counter values
472062 Unmangled requests when form.submit with arguments is called in the page
471874 VDI plugin stops responding when trying to respond to the client after the client has disconnected
471117 iframe with JavaScript in 'src' attribute not handled correctly in IE11
468441 OWA2013 may work incorrectly by way of Portal Access in IE10/11
468433 OWA2013 may work incorrectly by way of Portal Access in IE10/11
468137 Network Access logs missing session ID
466745 Cannot set the value of a session variable with a leading hyphen
464547 Show proper error message when VMware View client sends invalid credentials to APM
461597 Mac Edge Client does not follow HTTP 302 redirect if new site has untrusted self-signed certificate
457902 No EAM log stacktrace in /var/log/apm on EAM crash event
457760 EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
457603 Cookie handling issue with Safari on iOS 6, iOS 7
457525 When DNS resolution for AppTunnel resource fails, the resource is removed
454784 In VPE, %xx symbols such as in the variable assign agent might be invalidly decoded
454086 Portal Access issues with Firefox version 26.0.0 or later
453455 Added support of SAML Single Logout to Edge Client
452527 Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode
452163 Cross-domain functionality is broken in AD Query
451469 APM User Identity daemon does not generate a core file
442528 Demangle filter stops responding
440841 sso and apm split tunneling log message is at notice level
438969 HTML5 VMware View Client does not work with APM when virtual server is on non-default route domain
437744 SAML SP service metadata exported from APM may fail to import
437670 Race condition in APM windows client on modifying DNS search suffix
425882 Windows EdgeClient's configuration file could be corrupted on system reboot/sleep
424936 apm_mobile_ppc.css has duplicate 1st line
423282 BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
420512 All Messages report does not display any data when Log Levels are selected to filter data based on Log Levels
416115 Edge client continues to use old IP address even when server IP address changed
408851 Some Java applications do not work through BIG-IP server
402793 APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
522231 TMM may stop responding when a client resets a connection
521455 Images transcoded to WebP format delivered to Edge browser
514785 TMM stops responding when processing AAM-optimized video URLs
511534 A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load
476460 WAM Range HTTP header limited to eight ranges
421791 Out of Memory Error
497389 Extraneous dedup_admin core
461216 Cannot rename some files using CIFS optimization of the BIG-IP system
457568 Loading of configuration fails intermittently due to WOC Plug-in-related issues
521556 Assertion "valid pcb" in TCP4 with ICAP adaptation
516057 Assertion 'valid proxy' can occur after a configuration change with active IVS flows
512054 CGNAT SIP ALG - RTP connection not created after INVITE
511326 SIP SUBSCRIBE message not forwarded by the BIG-IP system when configured as SIP ALG with translation
503652 Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit
499701 SIP Filter drops UDP flow when ingressq len limit is reached
480311 ADAPT should be able to work with OneConnect
448493 SIP response from the server to the client gets dropped
533808 Unable to create new rule for virtual server if order is set to "before"/"after"
533336 Display 'description' for port list members
530865 AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
524748 PCCD optimization for IP address range
523465 Log an error message when firewall rule serialization fails due to maximum blob limit being hit
515187 Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules
515112 Delayed ehash initialization causes crash when memory is fragmented
513565 AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept
510226 All descriptions for port-list's members are flushed after the port-list was updated
509919 Customer may experience incorrect counter update for SelfIP traffic on cluster
497671 iApp GUI: Unable to add FW Policy/Rule to context by way of iApp
495432 Add new log messages for AFM rule blob load/activation in datapath
485880 Unable to apply ASM policy with forwarding CPM policy using the GUI, generic error
468688 Initial sync fails for upgraded pair (11.5.x to 11.6)
459024 Error L4 packets were hitting configured WL entries; protocol was not being matched for them
526295 BIG-IP stops responding in debug mode when using PEM iRule to create a session with calling-station-id and called-station-id
511064 Repeated install/uninstall of policy with usage monitoring stops after second time
495913 TMM produces a core file when CCA-I policy received with uninstall
491771 Using catch to suppress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic
478399 PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-aware" profile is configured
464273 PEM: CCR-I for the Gx session has only one subscriber ID type, even if the session created has more than one type
450779 PEM source or destination flow filter attempts to match against both source and destination IPs of a flow
449643 Error message "Gx uninit failed!" and "Gy unint failed!" received during boot of the system
439249 PEM: Initial quota request in the rating group request is not as configured
438608 PEM: CCR-U triggered during Gy session may not have Requested Service Unit (RSU)
438092 PEM: CCR-U triggered by RAR during Gy session will not have Requested Service Unit (RSU)
514236 [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses
525595 Fix memory leak of inbound sockets in restjavad
509273 hostagentd consumes memory over time
509120 BIG-IQ is unable to discover older BIG-IP versions due to over-zealous grooming
511651 CVE-2015-5058: Performance improvement in packet processing

11.5.3 HF1

511651 Performance improvement in packet processing

If an APM policy sync puts the new policy on a member of a sync-failover device group, the sync of the sync-failover group failed. This now succeeds.
449100 Tunnel interfaces can be used by iRule nexthop/lasthop commands to set a flow's nexthop/lasthop behaviors. 1. To send traffic to the tunnel, use "nexthop tun0 ..." on CLIENT_ACCEPTED iRule event, or "lasthop tun0 ..." on SERVER_CONNECTED iRule event. 2. A point-to-point tunnel can be supplied with an IP address, although it does not have an effect. 3. A wild-card tunnel can be supplied with the IP address of the remote-point to build the tunnel on the fly.
455311 vCMP guest's access to the management network of the hypervisor has been restricted.
457166 An issue has been resolved that affected the ability to modify a vCMP guest's management network mode.
459155 Included the physdev netfilter module into the BIG-IP kernel package.
459694 vCMP guest's ability to interfere with the management network of the hypervisor has been restricted.
459753 "bigstart restart" on a secondary blade no longer causes clusterd to restart continuously.
459973 The Include Cluster option in the HA Group configuration cannot be disabled using the Configuration utility.
462315 Saving a single partition out of the configuration ('save sys config' with the 'partitions { p1 }' option) now writes the configuration file properly. It previously appended to the file but now overwrites it as it should.
462943 Resolved issue where rewrite CSS filter/parser may use stale iovs in declaration_state resulting in SIGSEGV.
470796 CVE-2014-4023.
471070 Non-administrative users cannot modify Client SSL profiles.
471704 The vcmpd process is no longer vulnerable to malicious data passed from a vCMP guest.
476157 Security patches applied to krb5 library.
477959 Internal structure improvements; no customer-facing functionality changes have been made.
478922 Resolved issue that ICSA logging did not contain information that is required for certification.
481648 The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.
483436 Update to AWS License files.
484453 Harmless messages logged with LOP daemon registration.
484635 Update openssl to latest version.
487800 The guest-specific configuration information blocks are now isolated from each other and the hypervisor is protected against invalid data injected by a vCMP guest.
474805 Internal build improvement.
476521 Use true timeout instead of retries limit when initializing the FIPS device, and subsequently power cycle the unit to recover the FIPS device.
477611 Apply Round Robin DAG to icmp echo only.
477888 ICSA logging is no longer missing information that is required for certification.
479152 BIG-IP platform 10000s/10200v/10250v/B4300/B4340N is susceptible to parity error.
483762 MAC address conflicts no longer occur between vCMP guests.
484399 OVA will only create one slot and leave the remaining disk space free.
486514 The crash that happens in the AFM logging module, when the TCP connection to a log destination server is re-established, is fixed.
488461 Improve base build process and remove duplicate code.
492333 Resolved a sys-icheck bug that caused an auto_schema misconfiguration. This occurs on all platforms.
492460 This error message previously occurred intermittently when trying to delete a virtual server and use sFlow: 01070265:3: The Virtual Server () cannot be deleted because it is in use by a sflow http data source (). This no longer occurs.
226892 Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.
424931 Creation of a large file, such as a UCS archive, is now handled correctly, and the csyncd process no longer causes high CPU utilization.
428864 Lowering the virtual server connection limit now works, even when traffic is already being processed.
433946 Benign rsync errors are no longer logged in /var/log/ltm and instead are tracked by way of stats in the 'csync_stat' table.
436097 When the TMM restarts, pkcs11d also must be restarted automatically if present.
436811 BIG-IP database monitors may report an incorrect pool member status.
437875 This spurious error message may have previously been displayed when the local user database feature was configured: 01071704:3: Not running command (/usr/libexec/localdb_mysql_restore.sh) because the request came from an untrusted connection. This error message has always been harmless, but now it is no longer displayed.

437906 WebSockets and the HTTP CONNECT method now work with OneConnect.
439424 SafeNet HSM install now needs to be done only on the primary slot on the BIG-IP cluster-mode chassis systems such as VIPRION. A single install on the primary slot will take care of installing SafeNet on all active slots. On any already-open sessions to the BIG-IP slots, the PATH environment variable will need to be reloaded by running 'source ~/.bash_profile' to be able to use SafeNet utilities. If at a later stage a new blade is added, or a disabled or powered-off blade is made active or is powered on, the user will have to run 'safenet-sync.sh -p ' *only* on the new secondary slot. If the new slot is made primary before running safenet-sync.sh on it, then the regular install procedure using nethsm-safenet-install.sh will be required on the new primary slot.
439490 The BIG-IP system now reconnects to SafeNet HSM if the connection is interrupted, so connections continue as expected.
439513 NETHSM: Initial few connection drops after each TMM restart.
439540 Restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".
441894 Pkcs11d watchdog functionality avoids manual restart.
443098 The Proxy SSL feature no longer leaks memory.
447515 The TMM process may resume a suspended iRule on the wrong connection flow.
449798 The BIG-IP system may not correctly monitor pool members after the mcpd process restarts.
450031 The BIG-IP system may incorrectly log 'Limiting closed port RST response' messages.
450804 Improved TLS finish messages.
451218 Corrected Nitrox TLS padding.
452121 The BIG-IP system now supports multiple SafeNet network-HSMs configured in an HA group.
452628 Add a bigdb variable for the pkcs11d threads.
453358 Memory leak is fixed.
454465 Corrected TMM TLS padding.
454476 In the event of an invalid parameter in the clienthello, the correct TLS version will be set in the alert.
454636 The logging destination IP address only matches virtual servers, so no HSL logging is lost.
454692 Assigning 'after' object to a variable no longer causes memory leaks.
456859 Interface to hardware compression has improved allocation strategy.
458556 The TMM will no longer produce a core file on startup when traffic arrives before transitioning to cmp ready.
460868 The TMM no longer crashes if network HSM is improperly configured.
461578 Large session object handling is improved.
462163 Allow Non Blade 0 MPI communication even after congestion.
462649 The TMM no longer crashes under heavy load.
463902 Flat-buffer allocator for hardware compression tuned to be less greedy.
464163 Customized cert-key-chain of the child client-ssl profile is reverted to parent's profile cert-key-chain during config load.
467868 Ensured that monitor reason strings no longer leak.
469705 TMM will set a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.
471073 Now, when TMM is restarted, all HA connections are reestablished.
474757 OpenSSL Security Advisory 8/6/14 (1.0.1i Update).
477967 MPTCP component now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.
480113 FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.
480699 Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of TMMs, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.
483328 Virtual servers with Client SSL profiles may not respond to SSL handshakes after a ConfigSync.
485188 When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.
488208 Can properly upgrade to OpenSSL 1.0.1j without breaking RSA PKCS#1.5 decryption.
470394 The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.
470994 The TMM now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.
475055 Resolved core caused by accounting miscalculation of Nitrox I/O flows.
477753 This change allows you to use immediate idle timeout on UDP serverside flows as a workaround for SIP message loss and/or connection failures if (and only if) the logic of the SIP processing does not expect any return traffic to match the serverside connections. Configuration that requires this workaround, but which expects return traffic to match the serverside flow, could not have worked correctly (without specific iRule based band-aids) even before the first affected version.
480299 The Virtual Address throttling delayed update mechanism has been made more robust, and will now send delayed updates (roughly 3 seconds after change) regardless of previous status, guaranteeing that Virtual Address status will reach all subscribers.
483974 Unrecognized options are now ignored.
484429 The TMM will still log critical-level messages, but the system continues to function properly.
486066 The TMM does not produce a core file.
477240 SSL will properly renegotiate rather than terminate connections when the session expires.
487808 Cost link load balancing software support has reached EOL.
248487 The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.
434461 Improved the system's integration with Guardium.
435520 Fixed an issue that occasionally stopped you from deleting an ASM security policy that was created using a template after you rolled forward the policy's configuration from a previous version.
454142 Resolved intermittent Enforcer crash due to specific requests.
461028 vCMP: Fixed an issue that caused the Enforcer to crash in a clustered environment.
471103 There is a new internal parameter: "ignore_null_in_multipart_text". When the internal parameter is set, a null in request violation is not issued when a null appears in the request. If the parameter is defined as file upload in the security policy, no violation is issued. If the parameter is defined as something else, the violation "null in multipart request" is issued. If the parameter is not defined in the security policy, the violation "null in request" is issued.
476179 Brute force reporting: The brute force reported operation mode (Transparent or Blocking) is now the same when the attack starts and ends. Previously, the system would occasionally change the operation mode logged when the attack ended.
476191 To enable you to bypass unicode validation on XML and JSON profiles, we added two internal parameters: - relax_unicode_in_xml: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce an XML malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's XML parser. - relax_unicode_in_json: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce a JSON malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's JSON parser.
481572 Fixed an issue that caused the system to not report a navigation parameter that appeared in the POST data.
481792 Fixed an issue where specific requests occasionally caused the Enforcer to stop responding.
476621 Fixed an issue where Bot Detection in the Web Scraping feature created JavaScript errors in the web application using Internet Explorer.
483491 Fixed a memory corruption issue.
481541 Memory leak in the MonPD daemon that occurs in some situations has been resolved.
486327 Web Application Security Administrator added to the list of allowed administrators.
337178 BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used.
398657 Resolved on all platforms where the active session count might be significantly large, at times, likely due to a counter underflow.
403660 Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.
418850 AD may now be the last auth agent in the VMware View access policy. Username/password/domain preserved and then passed to the backend.
420989 When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.
420990 Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.
421901 showrestorebutton:i:0 can be specified in RDP Custom Parameters. Users will no longer see this 'Restore down' button.
422818 "Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.
426623 Improved PAC file download mechanisms.
427830 Network Access connection will not be established if PAC file specified in NA resource cannot be downloaded within 30 seconds.
429362 Edge Client properly reconnects when network connectivity is restored. Previously full reconnection was done in this case and the previous session was not removed.
430531 Computer group policy settings are updated after establishing VPN connection with Windows Logon Integration.
431810 Fix unexpected exceptions when using Kerberos auth agent in a multi-domain SSO configuration.
432333 Java Application Tunnels now work when Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to 127.0.0.1 due to limitations of this mode.
433243 BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.
436177 Fixed arbitrary command execution: check that cab file and webpage are located on the same server.
436180 Edge Client will only install controls from trusted hosts.
436183 Check if critical section object was initialized before deleting it.
438292 Resolved issue of Web AppTunnel re-using wrong existing loopback for different backend server IP.
438730 Fixed BSOD caused by DNS relay filtering driver in a very specific condition on Windows XP SP3.
439280 BIG-IP Edge Client installation may trigger a Windows 8.1 system failure.
440792 Client proxy settings specified in a Network Access resource are now applied without an occasional miss.
441318 BIG-IP APM password updates may fail for user account names that contain a period character.
441355 Improved VMware View native client error reporting and prompting for the new password.
441507 SWF patcher now behaves properly.
441830 Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.
442598 Do not close session if session timeout check request fails.
447013 Browser detection JavaScript improved to support Internet Explorer 11.
447302 APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.
449141 Improved notifications to the user when the BIG-IP Edge Client must reboot to complete updates.
450155 Fixed incorrect handling of component installer that resulted in an MSI installer acting as though installation had failed.
451213 Added logs to distinguish static IP allocation from dynamic IP allocation.
451864 Always preserve locally configured DNS suffixes when establishing VPN connection.
452614 Edge client now contains RSA SecurID software token support for OS X.
452618 LDAP servers in a pool will now time out correctly if a node cannot be reached.
452621 Logon page changes for integrating RSA Soft token SDK with the edge client.
452625 Edge client cannot automatically retrieve RSA SecurID software token if configured on Logon page.
453188 Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled.
454322 When Allow Local DNS Servers option is enabled, DNS servers from interfaces that are down will not be added to VPN exclusion list.
456911 A certain scenario in BIG-IP GTM deployment was fixed where access to certain corporate resources might be denied despite network access connection.
458167 Improve logging and error code checks for EAM / OAM component.
459870 Now BIG-IP Edge Client in Always Connected mode properly processes cancelling captive portal detection.
459953 When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged.
460265 apmd crashes with null tcl interpreter object. This is now fixed.
462258 After fix, an ldap operation times out in 3 minutes, so a thread will not block any other
operation, and service can recover as soon as connection to the backend is restored.

462481 OAM code is fixed with proper exception handling where Oracle API calls are made.
463505 Added factor authentication support for the Edge Client soft token integration.
463538

Edge Client now correctly sends PIN for RSA Soft Token clients while in New Pin
mode.

463735 [SecurID SDK] In case of PIN change, user is prompted to input Passcode to PIN field.
463776

VMware View client does not freeze when APM PCoIP is used and user authentication
fails against VCS 5.3.

464313 Now dynamically created forms with absolute action path are handled correctly, even

with a non-empty BASE tag.


464319

[SHP2013][IE10-IE11]: Calendar widget does not work in Announcement edit page.


This is now fixed.

466605 JavaScript: Portal Access variable 'r' is now a local variable.


466617

Now routes for Exclude Address Space are correctly removed when NA connection is
terminated if the client was switched to another network.

466797

Now EdgeClient shows warning about session expiration when maximum session
timeout is reached.

466898 Enterprise Manager now reports work correctly when accessed through Portal Access.
Previously, Policy Sync would add whitespace to Forms-based SSO configuration
467287 objects, which prevented the configuration from running. Now Forms-based SSO
configuration does not have whitespace added and the configuration runs as expected.
467597

InspectionHost plugin will now be installed to the "current user" profile (as opposed to
all users) and, therefore, will no longer prompt for administrative password.

468478

When the 32k storage limit is reached, the oldest application cookie is discarded,
allowing the application to continue processing new data.

Implemented a throttling mechanism, so that when the number of fds in the queue
reaches a certain threshold, apd will stop accepting new requests, until the number of
fds in the queue decreases to a defined level. We introduced three db-variables; - to
469960
enable/disabling throttling - to define a high water mark beyond which release of any
connection handle will be stopped, and - a low water mark to allow further connection
from TMM.
470225 Machine Certificate checker now correctly works in Internet Explorer 11.
471014 Openssl improvements.
471331

Fixed intermittent resets when access policy execution in progress simultaneously from
multiple browser tabs.

471452

When URLs from multiple browser tabs starts access policy, the landing URL is set to
the URL from the browser that finished the access policy execution.

471714

CRLF is used at the end of the header and as a separator between header and email
body in emails generated by APM Email agent, conforming to RFC 5322.

Emails sent by 'Email Action' agent when received by certain SMTP servers contains
471825 empty body. Email agent was updated to comply with RFC 5322 to include "Date:"
header.
471893

A problem in which the BIG-IP system when, configured as a SAML IdP , might reboot
TMM when running SLO protocol in certain conditions has been fixed.

472040

TMM with BZ 455113 no longer crashes when using the ACCESS::session iRule
command.

472216 Fixed alignment of the connection duration counter for customized Edge Clients.
472825

Dashboard no longer displays a dip in active session count when primary blade comes
back from a reboot.

473377 Fixed to accept NameID format.


473386 Improved Machine Certificate Checker matching criteria for FQDN case.
473697

HD Encryption check now provides a way to check encryption status of all drives or
system drive only.

473728

Now the absolute action path for any form in an HTML page is rewritten correctly at
submit time.

474392

Code signing of executables (app, plugin and installer) have been updated to Apple's
latest (v2) signature requirement.

474532

Proper validation was added to check that correct messages were received on the proper
URL. Logging was added for failing cases.

474730

Now forms with absolute action path and tag with id=action inside are handled
correctly.

474757 OpenSSL Security Advisory 8/6/14 (1.0.1i Update).


475163 Now HTML forms without action attribute are handled correctly.
475262

Resolved issue when APM configured with URL ("https://....") Edge Client for
Windows does not resolve APM hostname while reconnecting.

475360 Resolved issue when Edge client remembers specific VS URI after it is redirected.
475650 Issue is fixed that caused TMM to occasionally restart when processing SLO messages.
EAM used to send multiple cookies headers in HTTP message. Multiple HTTP headers
475682 like this are treated as comma-separated by some receivers. Now EAM adds a single
Cookie header with the cookies delimited by a semi-colon.
475770 Improved routing table management for 2 and more network interfaces.
475847 Now tag end is determined correctly in case of dynamically created content.
476133

_lastUseTime in OAM ObSSOCookie is updated on successful authentication and


authorization process.

477445

Client modified to restore routing table state and select active interface (on a system
connected to the same network segment through multiple interfaces).

477474 HTML Attributes with names using '-' are now handled correctly in Portal Access.
477540

apmd no longer crashes with null tcl interpreter object when used with an
ACCESS::policy valuate iRule command.

477642

In Portal Access, assignment of an empty string to location.hash property no longer


causes page reload loop in Firefox.

477841 Safari 8 will now properly use the admin-defined proxy settings, if available.
477966

User can restart the BIG-IP system to fix custom report error. Make sure the table
apm.log_param_metadata_ui is created in mysql db.

478115

The action attribute value of a form HTML tag is now properly rewritten in the
Minimal Content Rewriting mode when it starts with a "/".

478222 Seven new categories and one category name changed category in URL Filter DB.

478285

An issue with routing table not being restored correctly in multi-homed environment
when server settings disallow local subnet access is now fixed.

479524

Portal Access no longer crashes if the URL in a "Refresh" header matches a Portal
Access bypass list entry.

The errant behavior is caused by an improper URL being presented by the error page.
479715 When APM checks the improper URL, the same error page is issued. This has now
been corrected.
480047 BIG-IP EdgeClient can now generate CTU report.
480247

Edge client does not update its application directory anymore, instead it uses
/Library/Application\ Support/ directory.

480360 MAC edge client was fixed so that it does not block textexpander's functionality.
480995 APM client components are now using extended logging by default.
481020

Resolved intermittent routing table issue that caused Traffic to not flow through tunnel
if proxy server is load balanced.

481046

Wrapper for scriptTag.text='source script' is fixed to rewrite 'source script' for all
browsers.

481203

While creating memcache entry, the username is normalized into utf8 lower case. This
ensures that there is only one entry for all combinations of usernames.

481257 CTU report now includes information on "OPSWAT Integration Libraries V3".
If the customer does not need optimized tunnels, app tunnels, or remote desktop, they
481663 can safely disable (run disable) the db variable "isession.ctrl.apm", which disables the
isession. They would then run "bigstart restart tmm apd" so the db variable takes effect.
483113

A cosmetic issue with the server selection menu showing white background is now
fixed.

483379

An issue with Edge Client consuming high CPU and having unresponsive menu icon is
now fixed.

484315 Security patches applied to krb5 library.


485304 Fixed root cause of crash - improper memory management.
485465 Issue causing TMM core is fixed.
486661 This is an RFE feature.
487472

An issue with Java installer failing to install the InspectionHost plugin and creating a
zero byte file under ~/Library/Internet Plug-Ins/ is fixed.

467633 Ensured extra spaces was not added to the minified CSS.
426482 The Octeon will now properly handle decompressing large files without any failures.
479889 Memory leaks on iSession + iControl setup have been resolved.
480305

Fixed iControl / isession memory leak issue; set proper log level to prevent log
flooding.

472376 Drop processing the message if the ingress pcb is no longer present.

478442

Core in sip filter no longer occurs when sending HUDEVT message while processing
of HUDCTL message.

When operating in firewall (AFM) mode, for example, default deny, the BIG-IP system
429885 now counts and logs (if enabled) any traffic that does not match a Virtual or Self IP and
is being dropped or rejected.
478816 An enhancement that allows logging the TCP events and errors on fastL4 virtual.
480194 Perform VS DWBL lookup after accept-decisive firewall rule matches at global level.
The load factor controls the minimum percentage of fullness that needs to be reached
before the table is expanded to a larger size. Setting the load factor to 25, by default,
481189
prevents the firewall rule compiler from growing the table size too aggressively and
results in big firewall BLOB.
481706 Improved security logging to reduce incorrect messages.
484013

Fixes a memory leak when TMM is overloaded, and forwards flows to the peer, and
packet classification is enabled with "log translation fields" in the logging.

478462 Whitelist counts now increment appropriately.


480125 100+ rules may now be displayed in the active rules page.
476904 Adjusted Logging levels to remove potentially confusing messages.
456963 Fixed NULL pointer dereference.
482442

State changes for wide IPs should be updated correctly when the "Update" button is
clicked in the Configuration utility wide IP properties page.

11.5.1 HF5
365764  It is now possible to run a UCS load even if there are partitions still containing GTM objects.
376120  tmrouted no longer restarts when reconfiguring a previously deleted route domain.
404716  Decapsulated tunnel packets are correctly handled by the packet filter.
405067  The BIG-IP system applies the active bonus value when the HA score is zero.
413689  Certain virtual server configurations may cause TMM to produce a core file.
421317  A virtual server may not be marked unavailable when the pool status is marked unavailable.
429871  F5 improvement of the integration of the latest epsec packages.
438159  Users can now use a pre-shared key with an anonymous ike-peer for IKEv1 negotiation.
440179  Fixed memory leak in creating a wildcard DS-Lite tunnel.
441063  The DNS and NTP commands may cause the Traffic Management Shell to exit and produce a core file.
441174  Don't handle fragmented packets in Round Robin DAG.
445924  Changed code to allow IP multicast packets to be delivered to all blades so that OSPF failover can occur.
446352  IKE negotiation is now successful and the IPsec tunnel comes up properly and passes traffic with NAT-T and a floating tunnel endpoint address.
447266  Took steps to ensure that MCP would not attempt to modify an object that has been both created and deleted in the same transaction.
448054  Secondary blades are now sent the sync status information from primary blades, so the sync status will not be reset if the primary blade fails over.
450089  Add diagnostic code to the request_group to abort when it is being deleted while actively processing.
450129  LOP (Lights Out Processor) firmware version 2.08 for VIPRION B2100, B2150 resolves the following issues: (ID446907) Alarm LED may be Red upon powering up VIPRION B2100, B2150 blades; (ID439435) AOM Command Menu no longer reports failure when successfully powering up VIPRION B2100 or B2150 blades.
450458  Resolved build creation issue due to the dependency of various objects that need to be built before compiling sources that use them.
450684  Corrected an internal report used for QA/testing.
450693  F5 Internal: Correction to internal firmware report.
450694  F5 Internal: Correction to internal firmware report.
450794  An issue with handling DHCP information in virtual environments has been corrected.
451424  A connection timeout between snmpd and the SNMP subagent may produce a core file.
451458  Fixed leasepool stat to return data only for the primary blade.
451602  Changed the interface match to look up the host interface instead of the vlan interface.
453256  The save mechanism in TMSH has been updated to save the monitor parameter fields in the correct format for a subsequent load.
453432  Fixed a number of NVGRE config cleanup issues that were causing the crash.
453700  Changed JVM default settings to use less memory and allow TMM to acquire needed memory during its startup.
453951  The sys db security.commoncriteria setting value no longer reverts.
455138  Fixed a memory leak that occurred when the route for the remote endpoint of a tunnel was misconfigured.
456064  Modifying the default stream profile may cause the mcpd process to enter a locked state.
456735  Tunnel objects are now properly freed after deletion.
456914  Resolved potential crash found in improved automation testing.
456916  Fixed an issue with iControl REST calls timing out.
457130  Loading the BIG-IP configuration from the command line may incorrectly enable ICMP Echo for virtual addresses.
457326  Make the leasepool stats data structure consistent with the leasepool stats table definition.
458198  The BIG-IP system may fail to forward traffic through an ip6ip4 tunnel when the MTU is set to non-default values.
459123  Updated name validation to throw an error when invalid characters are included in the name.
460593  The user can create multiple VXLAN tunnels with the same local endpoint address when the flooding type is multipoint or none.
461581  In the existing behavior, tunnel objects are config synced automatically to a standby device. The DB variable "iptunnel.configsync" can be set to "disable" in order to disable the automatic config sync of tunnel objects. The default value of the DB variable is "enable". Please note that before creating any tunnel objects, the DB variable should be set accordingly if needed, and toggling its value subsequently could lead to unexpected behavior.
461592  The device can process inbound VXLAN packets even if it is in standby mode.
462045  Increase the timeout for activating the new HSB bitfile.
463603  IPv6 any address "::/0" is saved properly in the configuration file.
464024  Ensure that all pipes are closed when a TMSH command is completed.
466034  Treat VXLAN packets as UDP packets by default in HW.
466752  Monitor instance is now correctly enabled or disabled after an incremental sync.
468021  "wom-default-clientssl" and "clientssl-insecure-compatible" were added to two fixup scripts, and code to prevent infinite recursion was added to another script.
471496  Standby node sends an LSA summary for the default route with a value of 16777215. The OSPF routers in the stub area pick the active node as the gateway for the default route.
472613  Power supply status changes are now reported correctly on BIG-IP 5000/7000 Series platforms after power supply removal or insertion. LBH no longer watchdogs without a network address set.
474166  ConfigSync operations may rarely fail with an sFlow receiver object error reported.
474465  Average system CPU and busiest CPU calculation is now based on the critical data plane processing.
477031  No TMM restart when deleting multiple VXLAN tunnels with flooding type multipoint.
479681  Run rsync-cmi in the background so that we don't block (and slow down) mcpd.
480248  Resolved DB 13 error while uploading the UCS.
480931  Multiple GNU Bash vulnerabilities.
348194  Allow configuration of the FIN_WAIT2 timeout.
411101  Resolved an issue found in F5 testing for the ability to tcpdump mgmt_bp_* and loopback. Also added vm_tap_* for guests.
416250  Added timeout to cancel incomplete SSL handshakes and retry.
418889  A TMM crash bug has been fixed.
421964  BIG-IP system now correctly aggregates an LACP-enabled link.
435652  SSL acceleration card timing vulnerability CVE-2014-4024.
439653  The BIG-IP system may log an error message for every request when there are changes to a local traffic policy association.
439712  Single SSL transfers will perform much better on 4200/2200.
442410  Resolved TMM error message 'HUDEVT_EXPIRED (Connection expired) bad pcb magic (0x00585858)' and TMM core on the standby member of an HA configuration with connection mirroring and connection pooling (OneConnect) enabled.
442584  Making configuration changes, such as adding/removing a profile, to the targeted virtual will not adversely affect policy execution.
445411  The Nitrox crypto accelerator will no longer hang when performing RSA verification.
445571  Support Connection Mirroring with BigTCP.
446820  TMM no longer crashes due to a poorly formatted log call.
447091  Users may be unable to delete packet filter rules from the BIG-IP system.
447390  FastL4 virtual servers with the Loose Close option enabled may intermittently fail to pass traffic.
448327  Prevent memory leak when an iRule suspends or stops a DNS command.
448606  A listener reference count overflow may cause the TMM process to restart and produce a core file.
449636  'tmsh load sys config' no longer makes some policy actions ineffective.
449845  The TMM process may produce a core file and restart when processing DNS iRule commands.
450101  Option code 0x0008 for the client-subnet of the EDNS0 record is now recognized.
450202  Fix MSS calculation when using FastL4.
450584  Safenet HA is now supported.
450689  The statistic is now properly displayed.
450713  Out-of-order segments received after FIN will be forwarded as expected.
451340  Enable faster performing software client authentication and disable EC certs/keys.
451889  Made changes to once again allow the attr_type to be optional for all forms of RADIUS::avp.
452232  The DNS::question iRule command may return an incorrect value.
452264  A new iRule command [HTTP::proxy disable] has been added so (explicit) proxy request handling can be turned off and the request can be forwarded to another proxy.
452387  HTTP::header is_redirect now works correctly again.
452439  TMM will not crash when enabling the DoS sweep/flood detection feature, regardless of threading.
452579  Corrected calculation of server-side MSS.
454463  A memory leak when executing a suspended DNS iRule many times has been fixed.
454853  An LTM policy with an incorrect http-header name or http-cookie name no longer causes a crash.
455361  Fixed improper handling of ICMP (Internet Control Message Protocol) 'Fragmentation Required' messages from routers. The bug resulted in extremely inefficient behavior by BIG-IP TCP segmentation offload if the path MTU (Maximum Transmission Unit) was smaller than what the TCP endpoints negotiated.
455553  No multiple retransmission of the entire send queue when the MSS size is improperly large.
456942  Using the DNS::name iRule command to modify the Resource Record name of a DNS message may cause TMM to produce a core file and restart.
458597  A memory leak may occur when transferring zone RRs to DNS Express.
459001  PVA statistics for each flow are tracked in hardware and software. The software copy of the hardware flow statistics was not correctly reset when flows were evicted from the PVA hardware and then subsequently reloaded back into the hardware. This eventually resulted in a numeric underflow in the statistics counters, which were then displayed with very large positive values.
460197  active_requests is updated when a flow using hw acceleration is reset.
465866  The current tag file only indexes the sources for TMM. This makes it difficult when debugging customer issues that reference code within libraries, primarily tmjail (xbuf/xfrags) and tmm_tcl. The fix is simple: index libraries that are commonly used, along with TMM.
466260  A crash bug where TMM asserts 'we always have room in tx ring.' has been fixed.
467986  TMM no longer cores when running the command 'tmsh show ltm dns cache records key cache myCache' on a cache with stored DNS key records.
470715  A new db variable vlan.backplane.mtu is added to configure the tmm_bp vlan MTU size, defaulting to 1640.
472532  cipher id 0x006b (dhe-rsa-aes256-sha256) has been added.
475231  Connection remains open after dispatching the CLIENTSSL_CLIENTCERT iRule event, which prevents accessing invalid memory.
476386  Resolved issue found by F5 testing: DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 are now supported for tls1. Removed a case, found in testing, where both TLS and DTLS renegotiation with client authentication would fail. Resolved duplicate line issue found by F5 testing to ensure correct building of the release.

Performance Fixes

ID Number  Description
447250  A TMM crash bug involving PEM under high load has been fixed.

Global Traffic Manager Fixes

ID Number  Description
439854  The BIG-IP GTM system may mark down BIG-IP LTM 10.2.x virtual servers.
440284  The LTM big3d now correctly identifies and monitors 10.2.4 or earlier LTM virtual servers.
442133  Disabling Synchronize on one GTM no longer disables Sync on all GTMs in the sync group.
451985  We delay sending the configuration timestamp until the end transaction message has been received. This fixes the problem with sync becoming disabled.
463369  Fix problem found by F5 testing that prevents GTM sync issues when changing configurations.

Application Security Manager Fixes

ID Number  Description
248487  The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.
438809  To improve brute force mitigation, we made the following changes: - We added a new internal parameter: bf_num_sec_per_value. This defines how many seconds make up a single measurement unit for a failed login. For example, if you want to configure 7 failed logins per 5 seconds, in the Configuration utility configure "7" as the threshold value (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen), and from the command line configure "5" as the value of this internal parameter. If this value is configured, the system will detect an attack only by the threshold (and not by the increase). If this value is configured, all traffic from suspicious IP addresses is blocked. The default value for the internal parameter is 1 second. - In the Configuration utility, we removed the validation for all the threshold and minimal values. You can now put very low values such as 1 or 2 in the detection and suspicious criteria.
440057  We corrected how the system logs requested URLs that contain navigation parameters configured in the security policy.
449946  The Enforcer correctly sends information to the Policy Builder about specific value and name meta characters that were previously mishandled.
453568  The client side challenge mechanism now correctly reconstructs the referrer header.
460514  To prevent the system from running out of memory, the system requests a configuration sync 5 minutes after a failed one, and not sooner.
469798  We prevented a deadlock that occurred when sending synchronization events.
469825  We fixed an issue where rarely the Enforcer crashed when trying to match signatures on the body of a reconstructed POST request.

Access Policy Manager Fixes

ID Number  Description
225651  The installation path for the BIG-IP Edge Client was updated to avoid collision with third-party software installations.
238350  The new network access setting, Use Local Proxy Settings, is introduced. When it is enabled, after the client establishes a network access connection, proxy settings configured on the client continue to be used.
398134  APM now supports non-ASCII usernames and passwords when performing NTLM Front-end Authentication and NTLM Back-end SSO.
419809  An error message formatting issue was fixed.
425070  The HTML profile code was improved for security reasons.
425507  An issue in which logd could start to consume 99% of CPU after table rotation has been fixed.
425731  A TCP reset is no longer sent to a client during access policy execution.
431512  APM now validates the Origin header of the WebSocket handshake and accepts connections with a correct origin only.
436569  Icons are now displayed for Citrix applications on an APM webtop when Kerberos SSO is used.
437326  APM now supports Citrix Receiver for HTML5 version 2.1.
437881  In an HA configuration, any users deleted from the localDB on the current unit are now deleted from the standby unit also.
438278  The Access Profile which is associated with one or more AAA server objects can be deleted with the fix provided.
439463  Citrix Receiver for Mac and iOS now gets the correct config.xml file when working through a WiFi router and APM is integrated with Citrix Web Interface.
439518  The user can now sync over the changes to all the location-specific configuration, such as optimized-app in network-access or a pool item in a pool, once 'Use Source Configuration on Target' is set to YES in the policy sync dialog.
440290  APM now prevents the retransmission of policy sync requests that caused status messages to fluctuate.
440385  Support of Internet Explorer 10 (without compatibility mode) for the machine certificate checker was added.
441210  The TMM process provides more robust handling for PCoIP traffic.
441553  A Network Access client can now connect successfully after one or more failovers.
441659  Fixed User-mode installer service: it does not require admin rights for limited users anymore.
441681  You can now use the Firefox browser to successfully edit these actions from the Visual Policy Editor: Advanced Resource Assign, LDAP Group Mapping, AD Group Mapping, and BWC Resource Assign.
442393  APM will now attempt to terminate the Citrix session when the user logs out of the APM Webtop.
442656  Fixed a race condition where multiple establishments/teardowns of PPP tunnels led to loss of availability of leasepool addresses.
445399  Support was added for Network Access over PPPoE.
445970  [Java][Mac][NA][EPS] NA and EPS auto installation is now working with Java 7 update 51.
448896  An HTML page with a base URI (HREF attribute of the BASE tag) is rewritten correctly.
450033  Windows View client 2.3 can consistently launch desktops via APM.
450298  Logging on to Outlook Web App 2013 (SP1) using portal access with the Firefox browser now works without producing an error.
450360  Citrix Session Sharing now works correctly for any version of XenApp.
450728  APM now correctly handles VMware View client requests with an empty body.
450845  Under logging stress, logd no longer writes duplicate fd errors in the log.
451260  After upgrading directly from 11.4.0 to 11.6.0, the configuration now loads successfully even if it contains "citrix-client-package" files that were uploaded (and unzipped) using the GUI.
451387  Support of button-less logon pages is added to BIG-IP Edge Client.
451588  Portal access renders the data correctly when creating a new item on SharePoint 2013.
451777  If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message now displays.
452182  Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../".
452344  HexToBinReverse() now incorrectly converts Unicode strings.
453164  Routes are restored after disconnecting from the Network Access connection.
453514  A problem in memcached causing intermittent failures was fixed.
453531  Multidomain SSO no longer resets on secondary authentication domains.
453722  Alleviate issues such as GUI unresponsiveness or even disconnect when policy sync is applied to a device group that contains 5 or more members.
454010  APM now recognizes Internet Explorer in compatibility mode on Windows 8.1 correctly.
454248  Fixed unnecessary localdbmgr messages logged in /var/log/apm every minute at the notice level.
454369  The URLDB plugin comes up properly now and traffic proceeds normally.
454370  The messages that communicate the status of PolicySync between devices could arrive unordered. This is now fixed.
454547  Forms - Client Initiated SSO authentication handles decryption failure correctly.
454759  APM now reports HTTP error 500 when the View Connection Server response is not 200 OK and writes an error log message.
454899  A guest user will get an access denied response when using the token of an admin user's request to create/delete/modify a local db user.
455039  Citrix HTML5 Receiver v.1.3 available with StoreFront 2.5 can now be hosted in the APM Sandbox and launched from the APM Full Webtop.
455113  ACCESS::session data get has been extended to return configuration variables: ACCESS::session data get [-sid ] [-secure] [-config] [-ssid ].
455284  IPTables rules to protect the ANT server were refactored to eliminate interference with other protocols.
455426  A user with an apostrophe in the name can now log in with Citrix Receiver successfully.
455892  APM now supports AGEE SSO to new Citrix StoreFront 2.5 backends.
456098  Remove the logic for a specific internal requestID in XUI.
456714  Fixed for cases when the Assertion does not contain a SessionIndex and SLO is configured.
457925  When BIG-IP is a SAML SP, IdP-initiated authentication now works on the first attempt.
458199  Resource delete handler should check for the reference by psync-dynamic-resource.
458211  The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095.
458447  An issue in Network Access where the customer would see "IPv4 Addr collision" in logs has been fixed.
458485  The code is updated so that APD no longer crashes on certain VPE expressions, such as Date Time check or the 'encoding' command, due to a change introduced by fixing 424938.
459780  Added [APM] Network Access option: "Do not enforce IP scopes in Proxy-Auto-Configuration".
459977  If there is a space in the value for a radio or select type input, the logon page does not show the input elements. This is now fixed.
460062  Access policy export works correctly even when a resource with a long name has been assigned in the policy.
460272  Additional logging included for troubleshooting captive portal detection.
460645  Users can now close the logon window in "Locked Client" mode.
460715  Fixed using the F5 captive portal probe URL in BIG-IP Edge Client for Windows instead of the default Microsoft captive portal detection URL.
460762  Citrix apps consistently start from the APM Webtop when using Kerberos SSO to the XML Broker.
460939  Additional exception processing (for ObAccessException from the SDK) was added to the EAM module. The module now handles this exception by displaying an error.
460958  Cannot start the built-in PAC file server after connecting/disconnecting the Edge Client multiple times. This is now fixed.
461087  Fixed [APM] crash in ActiveXDialer if the proxy address is missing.
461624  A problem with APD in chassis that resulted in the portal access connection terminating has been fixed.
462143  Show the main Edge Client UI when the user clicks on the Connect, Disconnect or Auto-Connect button in the system tray.
462669  For Windows Phone clients in BIG-IP APM 11.6 the session.client.platform value changed from "WinP8" to "WindowsPhone".
463508  The slowness is due to an unnecessary sleep of 1


second even when creating configuration snapshot is
successful. The fix is to re-factor the retry logic such
that sleep is performed when creating configuration
snapshot has failed.

464159

JavaScript: Now isolated submit() calls are handled


correctly and form action paths are rewritten at such
calls. The situation when a submit() call refers to a
separate function is also supported.

464748

In portal access, a cookie with an empty or wrong


expires field no longer causes a JavaScript failure.

465338

The curl-apd component (curl7.25.0) no longer


enables SSL_MODE_RELEASE_BUFFERS; it is no
longer affected by OpenSSL vulnerability CVE2010-5298.

465339

The curl-apd component (curl7.25.0) no longer


enables SSL_MODE_RELEASE_BUFFERS and is
no longer affected by OpenSSL vulnerability CVE2014-0198.

466317

The following OpenSSL vulnerabilities have been


addressed in APM clients: CVE-2014-0221, CVE2014-0224, CVE-2014-0195, CVE-2014-3470.

466325

Continuous policy checks now doesn't kill the


session if some configuration, configured to be
ignored, changes on client side.

466488

Under high load conditions when the HTTP auth


agent is configured in the access policy, now the
access policy daemon (APD) continues to respond.

466877

Issue with signature validation is fixed.

467849

Split tunnel is improved when connecting to a


FirePass with an APM build of the edge client.

468889

Issue is now fixed when AFM is enabled with


Optimized Tunnel and traffic is no longer dropped.

469100

JavaScript index expressions with list of values are


now correctly rewritten by Portal Access.

469335

Validation is improved to ensure that a custom URL


category includes at least one URL.

469754

User that is deleted from the local user database can


no long log in regardless.

470382

Location-specific objects display correctly in the


Policy Sync GUI whether the Location Specific
check box is cleared or selected on the Static
Resources screen.

470414

Portal Access no longer crashes when rewriting some


incorrect flash files.

470675

Improved security found by internal F5 testing.

471125

Resolved rare condition that causes Edge-Client to


work improperly when Client uses proxy to connect
to BIG-IP.

473286

Resolved error deleting folder: Cannot remove


directory with symlink to sandbox for partition.

474657

Edge-Client stops after authenticating thru Captive


Portal. OLH is now updated to reflect changes in
Machine Certificate Auth certificate selection
criteria. [OLH] "APM Access Profile Log - 404
ERROR" added. WebAccelerator Fixes ID Number
Description.

450030  The Vary on user-agent header is properly generated whenever WebP content is served.

Enterprise Manager Fixes

ID Number  Description

449988  Values returned by big3d are now escaped so special characters do not create parse errors.

Service Provider Fixes

ID Number  Description

450001  Flow control in the SIPP filter no longer blocks flow improperly.

450019  LB::prime or mblb_connect now executes outside of the TCL execution. Priming will actually happen one event cycle later.

450055  When the HTTP server terminates its connection and the BIG-IP system receives an SSL alert along with a FIN from the server (SSL close from the server), the BIG-IP system completes the HTTP response before closing the client connection.

452440  TMM CPU/memory grows in accordance with the connections. If the SIP connections remain steady, the resource utilization will be steady.

454348  The BIG-IP system delays closing the internal connection to the IVS after the final chunk of the ICAP response has been received, until all the payload has been transmitted to the HTTP destination.

455006  Invalid UDP datagrams that interfered with SIP processing are now dropped.

Advanced Firewall Manager Fixes

ID Number  Description

462266  The issue is fixed now to clean up the memory associated with the old AFM policy on a Self IP context when the context is modified to have a new AFM policy. This issue is now fixed so TMM will not be restarted if AFM is provisioned and 'tmsh load sys conf default' is done. TMM crash (panic) is fixed now and TMM no longer panics in scenarios with SPDY or HTTP Prefetching enabled.

Policy Enforcement Manager Fixes

ID Number  Description

441554  The issue is fixed so that PEM can handle a large number of new subscribers even when the Gx connection is down.

442548  A TMM crash bug has been fixed. BIG-IP/PEM will now work with PEM + FastL4 use cases with the HTTP profile enabled.

444770  The issue is fixed so that a Rating Group can be assigned to different PEM rules without an extra MSCC in the CCR.

449862  Fixed a crash bug involving the handling of RAR messages.

453548  A new PEM session will be created to replace any old existing session that is in an inconsistent state due to failover.

460006  Added support for numeric characters in PEM rule/policy names.
11.5.1 HF4

461089  This issue is fixed now. All subscribers are loaded properly after TMM restart.

464841  The max length of the Gy redirect address has been increased from 64 bytes to 256 bytes to accommodate the majority of real-world use cases.

464850  The issue has been fixed so that BIG-IP/PEM will handle a new flow that has no session created when quota management is specified in the global policy.

466002  BIG-IP/PEM will now properly handle the case when 2 or more policies from the PCRF refer to the same existing rating group.

468123  Custom attributes will now be added and will be returned when the session is queried.

468809  TMM will no longer crash during subscriber provisioning testing with the Gx connection re-established.

470690  Session cleaning priority has been lowered, and CPU will not spike when sessions are deleted or replaced with Gx enabled.

470850  PEM will now clean up the session if a CCA-T is received with error code 5002.

471867  A memory leak when the CCR-I is dropped by an iRule has been fixed.

471910  The DB variable Tmm.pem.diameter.application.silentDelete.prov.error.sessions is available. It should be set to enabled if sessions need to be silently deleted.

472860  The session statistics for sessions created by RADIUS will now be incremented whenever the user runs an iRule on the RADIUS virtual that creates a new session.

474638  Custom attribute create/update will no longer harm the policy list.

DNS Fixes

ID Number  Description

448914  The Object name field now has correct input validation and escapes JavaScript.

449017  F5 found a potential data inconsistency between tmsh and icrd in date formats during testing, and resolved it to prevent customer issues.

453332  Fixed an issue with iControl REST calls timing out.

457300  Improved iControl REST resources to allow naming with spaces to meet customer requirements.

458109  Prevented an icrd crash on the BIG-IP system while the BIG-IQ system was discovering the BIG-IP system.

463655  Fixes an MCPd crash during certain iControl REST transactions.

406649  Installing a hotfix will no longer cause apd to continuously restart.

455733  Fixed a crash in the dwbld daemon.

432080  Data-plane (traffic) performance for Application Security Manager workloads is significantly improved.

439758  We improved how the Policy Builder handles requests with multiple learning suggestions.

440378  Added tmctl stats for the dcc, bd_agent, and correlation daemons. This provides external visibility into the daemons' internal state/processing to assist diagnostics/debugging.

441213  You can now modify a security policy created from iApps (iApps > Application Services).

450241  The Enterprise Manager system can now discover ASM devices.

455389  We improved how the system decides on the content profile when there is a request with multiple Content-Type headers.

455391  We improved how the system parses query strings in absolute URLs.

459255  We raised the limit of the Explicit File Type Name length from 8 characters to 255 characters.

440763  We fixed an issue that caused TMM and avrd to produce a core file if you assign an Application Security policy, Analytics profile, and DoS Layer 7 Protection profile on a virtual server.

447693  We corrected an issue where some reports generated from the Configuration utility or from tmsh commands did not work.

448585  We fixed an issue where Throughput and Latency were reported incorrectly in cases of incomplete transactions when sampling is enabled.

457982  /var/avr/loader will no longer get filled with files that are written by avrd.

462561  We fixed a case that caused avrd to crash when external logging of traffic capturing is used.

462968  Subnet statistics are now migrated after a version upgrade.

464238  AVR profiles with identical names on different partitions can now be created.

466922  Max TPS and Throughput are now displayed properly in HTTP Analytics (if configured in the Analytics profile) when drilling down from virtual server to pool members.

464287  When an iRule with the HTTP::respond command and an Analytics profile are attached to the virtual server, HTTP responses from the BIG-IP system will no longer contain redundant chunk headers (at the end).

451777  When there is something wrong with the DB, connection issues arise the first time you create a custom report, and you see the following behavior when creating a custom report in the UI:
1) An error popup is shown.
2) The Available Fields pane no longer shows "Available Fields" indefinitely.
3) The correct available list displays after the DB/connection issue is fixed.
(No need to restart tomcat to get the correct list.)

421016  Issues with AFM + APM configurations no longer occur.

440817  The sweeper no longer reaps a flow that would have matched a rule in either the global or the corresponding route-domain classifier.

442988  Fixed the date format and removed focus for the Time field in the event logs page advanced search.

443300  A new field "Referencing Rule" displays the actual name of the rule that references a rule-list. If the rule is a regular, non-referencing rule, the same rule name is displayed in the "Referencing Rule" field.

453377  Resolved the error where, when a network firewall rule is configured on a Self IP context and an iRule is specified in the configuration, an error occurs and the rule does not correctly process traffic.

453779  place-before and place-after are now handled correctly in transactions that contain changes to multiple rules sub-collections.

454435  Setting an iRule in a firewall rule attached to the virtual server using the iControl method Local.VirtualServer.set_fw_rule_irule no longer fails when the iRule name does not start with the folder name. The framework automatically prepends the folder to the iRule name.

454953  The self-IP and virtual server FW rules cannot be converted from a regular rule, to a reference, to a rule-list with PUT.

455744  Fixed management IP firewall rules compilation failure.

456107  AFM rule matching action is now consistent with logging for EPHEMERAL connections.

459719  pccd BF hash table changes were made to reduce the pccd BLOB size.

459758  Restart pccd to avoid blob-size growth (pccd always starts from scratch).

461582  AFM will now do ACL and IP Intelligence matching for the first TCP packet of a new flow if:
a) it is a SYN, or
b) it is an ACK and a syncookie matched, or
c) loose-initialization is enabled (for FastL4).

462903  TMM was getting stopped by SOD due to a heartbeat miss (when trying to load huge firewall policies); this issue is fixed.

464774  Added new DB variable pccd.rule.debug to display the micro-rules and the number of micro-rules for each firewall rule.

464916  Added another URL parameter indicating the type of policy (enforced or staged) so that the UI does not revert to the default policy type (enforced) when viewing the second page of the staged rules.

464990  An error no longer occurs when reordering a rule list.

465963  The Reset stats button is now fixed for policy rules made of a rule list.

468194  Fixed the regression issue introduced by the fix for BZ 461582.

469129  pccd no longer stops responding when compiling a firewall policy with a large number of IP addresses, but compiling such a policy can take several hours. To reduce compilation time, set the variable pccd.hash.load.factor to 25.

469507  Management port rules are now cleaned up properly from Linux iptables when they are removed from the configuration and the pccd.alwaysfromscratch DB variable is set to true.

What are differences between IKEv1 and IKEv2? (IKEv1 vs. IKEv2)

IKEv1 vs. IKEv2 (SIMPLE and RELIABLE!)

Name of the negotiated data SA:
IKEv1: IPsec SA
IKEv2: Child SA (Changed)

Exchange modes:
IKEv1: Main mode; Aggressive mode
IKEv2: Only one exchange procedure is defined. Exchange modes were obsoleted.

Exchanged messages to establish a VPN:
IKEv1: Main mode: 9 messages; Aggressive mode: 6 messages
IKEv2: Only 4 messages.

Authentication methods:
IKEv1 (4 methods): Pre-Shared Key (PSK); Digital Signature (RSA-Sig); Public Key Encryption; Revised Mode of Public Key Encryption
IKEv2 (only 2 methods): Pre-Shared Key (PSK); Digital Signature (RSA-Sig)

Symmetry of authentication:
IKEv1: Both peers must use the same authentication method.
IKEv2: Each peer can use a different authentication method (asymmetrical authentication), e.g. Initiator: PSK and Responder: RSA-Sig.

Traffic selector:
IKEv1: Only one combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPsec SA. Exact agreement of the traffic selector between peers is required.
IKEv2: Multiple combinations of a source IP range, a destination IP range, a source port range and a destination port range are allowed per Child SA. IPv4 and IPv6 addresses can be configured for the same Child SA. Narrowing traffic selectors between peers is allowed.

Lifetime for SAs:
IKEv1: Agreement between peers is required.
IKEv2: NOT negotiated. Each peer can delete SAs at any time by exchanging DELETE payloads.

Multi-hosting:
IKEv1: Basically, NOT supported.
IKEv2: Supported by using multiple IDs on a single IP address and port pair.

Rekeying:
IKEv1: NOT defined.
IKEv2: Defined.

NAT Traversal:
IKEv1: Defined as an extension.
IKEv2: Supported by default.

Dead Peer Detection / Keep-alive for SAs:
IKEv1: Defined as an extension.
IKEv2: Supported by default.

Remote Access VPN:
IKEv1: NOT defined. Supported by vendor-specific implementations: Mode config; XAUTH.
IKEv2: Supported by default: Extensible Authentication Protocol (EAP), where user authentication over EAP is associated with IKE's authentication; Configuration payload (CP).

Multi-homing:
IKEv1: Basically, NOT supported.
IKEv2: Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555).

Mobile Clients:
IKEv1: Basically, NOT supported.
IKEv2: Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555).

DoS protections:
IKEv1: Basically, NOT supported.
IKEv2: Anti-replay function is supported. 'Cookies' are supported for mitigating flooding attacks.

Reliability:
IKEv1: Less reliable than IKEv2.
IKEv2: Many vulnerabilities in IKEv1 were fixed. More reliable. All message types are defined as Request and Response pairs. A procedure to delete SAs is defined. A procedure to retransmit a message is defined.

Extensions:
IKEv1: Extensions are very poor.
IKEv2: Useful extensions in actual network environments:
"Redirect Mechanism for IKEv2 (RFC5685)"
"IKEv2 Session Resumption (RFC5723)"
"An Extension for EAP-Only Authentication in IKEv2 (RFC5998)"
"Protocol Support for High Availability of IKEv2/IPsec (RFC6311)"
"A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) (RFC6290)"
etc. See the IETF ipsecme-WG's web page.

See also RFC 4303, 4306, 4718 and 5996 for more details.
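The "DoS protections" row above lists stateless cookies as the IKEv2 defence against IKE_SA_INIT flooding without explaining the mechanism. The following is an added example, not code from the page, from T.HANADA, or from any IKE implementation: it models the responder-side cookie of RFC 7296 section 2.6 (Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret)), where a loaded responder answers the first IKE_SA_INIT with a COOKIE notification instead of allocating state, and only creates state once the initiator repeats the request carrying a cookie that verifies under a current secret. Message layout (a Python dict), the HMAC-SHA256 hash choice, the 32-byte cookie length and the "keep the previous secret version" policy are assumptions for illustration, not IKEv2 wire format.

```python
"""Stateless IKEv2 cookie challenge (RFC 7296, section 2.6), added example.
Assumptions: HMAC-SHA256 as the hash, 1-byte secret version + 31-byte tag,
and the responder honouring cookies minted under the previous secret."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

COOKIE_LEN = 32  # version byte + truncated MAC (assumed size)


@dataclass
class Responder:
    """Responder: keeps only a rotating secret, never per-initiator state."""
    under_attack: bool = False          # set when half-open IKE SAs exceed a threshold
    version: int = 0
    secrets_by_version: dict = field(default_factory=dict)

    def __post_init__(self):
        self.rotate_secret()

    def rotate_secret(self):
        # The secret changes periodically; the version byte lets the responder
        # still accept cookies minted under the immediately previous secret.
        self.version = (self.version + 1) & 0xFF
        self.secrets_by_version[self.version] = secrets.token_bytes(32)
        keep = (self.version, (self.version - 1) & 0xFF)
        for v in [v for v in self.secrets_by_version if v not in keep]:
            del self.secrets_by_version[v]

    def _mac(self, version, ni, ip_i, spi_i):
        # Hash(Ni | IPi | SPIi | <secret>); the secret is the HMAC key.
        key = self.secrets_by_version[version]
        return hmac.new(key, ni + ip_i.encode() + spi_i, hashlib.sha256).digest()[:COOKIE_LEN - 1]

    def mint_cookie(self, ni, ip_i, spi_i):
        # Cookie = <VersionIDofSecret> | <Hash(Ni | IPi | SPIi | <secret>)>
        return bytes([self.version]) + self._mac(self.version, ni, ip_i, spi_i)

    def cookie_valid(self, cookie, ni, ip_i, spi_i):
        # Binds the cookie to the source address, SPI and nonce, so a spoofed
        # source cannot present a cookie minted for someone else.
        if len(cookie) != COOKIE_LEN or cookie[0] not in self.secrets_by_version:
            return False
        return hmac.compare_digest(cookie[1:], self._mac(cookie[0], ni, ip_i, spi_i))

    def handle_ike_sa_init(self, req):
        """Return ('COOKIE', cookie) to challenge, or ('SA_INIT_OK',) once state may be created."""
        ni, ip_i, spi_i = req["Ni"], req["IPi"], req["SPIi"]
        if self.under_attack:
            cookie = req.get("N_COOKIE")
            if cookie is None or not self.cookie_valid(cookie, ni, ip_i, spi_i):
                return ("COOKIE", self.mint_cookie(ni, ip_i, spi_i))  # no state allocated
        return ("SA_INIT_OK",)


def initiator_exchange(responder, ip_i):
    """Initiator: send IKE_SA_INIT; if challenged, resend the same SPIi and Ni with N(COOKIE)."""
    req = {"SPIi": os.urandom(8), "Ni": os.urandom(32), "IPi": ip_i}  # constructed sample request
    transcript = []
    resp = responder.handle_ike_sa_init(req)
    transcript.append(resp[0])
    if resp[0] == "COOKIE":
        req = dict(req, N_COOKIE=resp[1])
        resp = responder.handle_ike_sa_init(req)
        transcript.append(resp[0])
    return transcript, req


if __name__ == "__main__":
    r = Responder(under_attack=True)
    print(initiator_exchange(r, "192.0.2.10")[0])  # ['COOKIE', 'SA_INIT_OK']
```

The point a defender should take from the exchange is that the responder commits no memory until the initiator has proven it can receive packets at the claimed source address, and that the cookie stays valid across exactly one secret rotation, so a legitimate retry is not penalised while a replayed old cookie is.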

Copyright 2011 T.HANADA All Rights Reserved.
