A monitor is an important BIG-IP feature that verifies connections to pool members or nodes. A
health monitor is designed to report the status of a pool, pool member, or node on an ongoing
basis, at a set interval. When a health monitor marks a pool, pool member, or node down, the
BIG-IP system stops sending traffic to the device.
A failing or misconfigured health monitor may cause traffic management issues such as, but not
limited to, the following:
The previously-mentioned symptoms may indicate that a health monitor is marking a pool, pool
member, or node down indefinitely, or that a monitor is repeatedly marking a pool member or
node down and then back up (often referred to as a bouncing pool member or node). For
example, if a misconfigured health monitor constantly marks pool members down and then back
up, connections to the virtual server may be interrupted or fail altogether. You will then need to
determine whether the monitor is misconfigured, the device or application is failing, or some
other factor (such as a network-related issue) is causing the monitor to fail. The
troubleshooting steps you take will depend on the monitor type and the observed symptoms.
When experiencing health monitor issues, you can use the following troubleshooting steps:
Related articles
The following Configuration utility pages let you check the status of pools, pool members, and
nodes (table columns: Configuration utility page, Description, Location):
  Network map
  Pools
  Pool members
  Nodes
Command line utilities (table columns: Description, Example commands):
  bigtop: bigtop -n
  bigpipe (10.x)
Logs
The BIG-IP system logs messages related to the health monitor to the /var/log/ltm file.
Reviewing the log files is one way to determine the frequency with which the system is marking
down pool members and nodes. Logging related to monitor state changes is as follows:
Pools
When a health monitor marks all members of a pool down or up, messages that appear
similar to the following example are logged to the /var/log/ltm file:
tmm err tmm[4779]: 01010028:3: No members available for pool <Pool_name>
tmm err tmm[4779]: 01010221:3: Pool <Pool_name> now has available members
Pool members
When a health monitor marks pool members down or up, messages that appear similar to
the following example are logged to the /var/log/ltm file:
notice mcpd[2964]: 01070638:5: Pool member <ServerIP_port> monitor status down
notice mcpd[2964]: 01070727:5: Pool member <ServerIP_port> monitor status up.
Nodes
When a health monitor marks a node down or up, messages that appear similar to the
following example are logged to the /var/log/ltm file:
notice mcpd[2964]: 01070640:5: Node <ServerIP> monitor status down.
notice mcpd[2964]: 01070728:5: Node <ServerIP> monitor status up.
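As an added example (not part of the F5 article or its code), the following Python script applies the log messages above: it parses mcpd monitor status lines, distinguishes a target that goes down and stays down from one that is bouncing, and ignores states such as "unchecked". The log lines embedded in it are constructed to match the article's format; the addresses, host name and pool name are assumptions.

```python
"""Added example (not part of the F5 article): parse monitor status messages from
/var/log/ltm and separate targets that are stuck down from targets that are bouncing."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines shaped like the article's mcpd/tmm examples (host name,
# addresses and pool name are assumptions for this example, not real log data).
SAMPLE_LTM_LOG = """\
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:05:10 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:05:27 local/3400a notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:05:45 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
Jan 21 15:06:00 local/3400a err tmm[4779]: 01010028:3: No members available for pool web_pool
"""

# One mcpd status line: timestamp, host, level, process, message ID, target, state.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\w+\s+mcpd\[\d+\]:\s+'
    r'(?P<msgid>\d{8}):\d:\s+(?P<kind>Pool member|Node)\s+(?P<target>\S+)\s+'
    r'monitor status\s+(?P<state>[\w ]+?)\.?$'
)


def normalize(state):
    """Map 'down', 'node down', 'up', 'unchecked', ... onto up/down/other."""
    state = state.strip()
    if state.endswith('down'):
        return 'down'
    if state == 'up':
        return 'up'
    return 'other'


def parse_transitions(log_text):
    """Return {'<kind> <target>': [(timestamp, state), ...]} in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tmm pool messages and other non-monitor lines
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')  # syslog lines carry no year
        events[f"{m['kind']} {m['target']}"].append((ts, normalize(m['state'])))
    return dict(events)


def find_bouncing(events, min_flips=3, window_seconds=600):
    """Targets with at least min_flips up<->down transitions inside window_seconds.
    Returns {target: total flip count}."""
    bouncing = {}
    for target, history in events.items():
        flips, prev = [], None
        for ts, state in history:
            if state == 'other':
                continue
            if prev is not None and state != prev:
                flips.append(ts)
            prev = state
        for i, start in enumerate(flips):
            in_window = [t for t in flips[i:] if (t - start).total_seconds() <= window_seconds]
            if len(in_window) >= min_flips:
                bouncing[target] = len(flips)
                break
    return bouncing


def currently_down(events):
    """Targets whose most recent recorded monitor state is down."""
    return sorted(t for t, h in events.items() if h and h[-1][1] == 'down')


if __name__ == '__main__':
    ev = parse_transitions(SAMPLE_LTM_LOG)
    print('bouncing :', find_bouncing(ev))
    print('down now :', currently_down(ev))
```

Run it against the real file with parse_transitions(open('/var/log/ltm').read()). The flip threshold and window are parameters because what counts as bouncing depends on the monitor interval: with a 5-second interval, three flips in ten minutes is already a sign that the monitor, not the server, is the problem.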
SNMP
When the BIG-IP system is configured to send SNMP traps and a health monitor marks a pool
member or node down or up, the system sends the following traps:
Pool members
alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.10"
}
alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.11"
}
Nodes
alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12"
}
alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.13"
}
Verifying monitor settings
It is important to verify that monitor settings are properly defined for your environment. For
example, F5 recommends that you configure most monitors with a timeout value of three times
the interval value, plus one. This is to prevent the monitor from marking the node down before
the last check is sent.
Simple monitors
A simple monitor is used to verify the status of the destination node (or the path to the node
through a transparent device). Simple monitors do not monitor individual protocols, services, or
applications on a node; just the node address itself. The BIG-IP system provides the following
pre-configured simple monitor types: gateway_icmp, icmp, tcp_echo, tcp_half_open. If you
determine that a simple monitor is marking a node down, you can verify the following settings:
Note: There are other monitor settings that can be defined for simple monitors. For more
information, refer to the Configuration Guide for BIG-IP Local Traffic Management.
Interval/timeout ratio
Transparent
A transparent monitor uses a path through the associated node to monitor the aliased
destination. Verify that the destination target device is reachable and configured properly
for the monitor.
Extended Content Verification (ECV) monitors
ECV monitors use Send and Receive string settings to retrieve content from pool members or
nodes. The BIG-IP system provides the following pre-configured monitor types: tcp, http, https,
and https_443. If you determine that an ECV monitor is marking a pool member down, you can
verify the following settings:
Note: There are other monitor settings that can be defined for ECV monitors. For more
information, refer to the Configuration Guide for BIG-IP Local Traffic Management.
Interval/timeout ratio
As with simple monitors, configuring the interval/timeout ratio is important for ECV
monitors. In most cases, the interval/timeout should have a timeout value of three times
the interval, plus one. For example, the default ratio for ECV monitors is 5/16. Verify that
the ratio is properly defined.
Send string
The Send string is a text string that the monitor sends to the pool member. The default
setting is GET /, which retrieves a default HTML file for a website. If the Send string is
not properly constructed, the server may send an unexpected response and be
subsequently marked down by the monitor. For example, if the server requires the
monitor request to be HTTP/1.1 compliant, you must adjust the monitor Send string.
Note: For information about modifying HTTP requests for use with HTTP or HTTPS
application health monitors, refer to the following articles:
SOL2167: Constructing HTTP requests for use with the HTTP or HTTPS application
health monitor
SOL3224: HTTP health checks may fail even though the node is responding correctly
SOL10655: CR/LF characters appended to the HTTP monitor Send string
Receive string
The Receive string is the regular expression representing the text string that the monitor
looks for in the returned resource. ECV monitor requests may fail and mark the pool
member down if the Receive string is not configured properly. For example, if
the Receive string appears too late in the server response, or the server responds with a
redirect, the monitor marks the pool member down.
Note: For information about modifying the monitor to issue a request to a redirection
target, refer to SOL3224: HTTP health checks may fail even though the node is
responding correctly.
ECV monitors have User Name and Password settings, which can be used for resources
that require authentication. Verify whether the pool member requires authentication and
ensure that the fields contain valid credentials.
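The settings this section tells you to verify can be checked by script before a monitor is attached to a pool. The following Python checker is an added example, not F5 code: it parses a monitor definition in the shape of tmsh list ltm monitor http <name> output and reports a timeout below 3*interval+1, an HTTP/1.1 Send string with no Host header, a Send string that does not terminate the header block with an empty line, and a Receive string that is not a valid regular expression. The two stanzas, the monitor names, the /healthz path and the host name are constructed for the example.

```python
"""Added example (not from the F5 article): lint a monitor definition in the shape of
`tmsh list ltm monitor http <name>` output against the settings the article says to verify."""
import re

# Constructed sample stanzas; monitor names, path and host are assumptions.
BAD_MONITOR = r'''
ltm monitor http http_bad {
    defaults-from http
    interval 5
    recv "200 OK"
    send "GET /healthz HTTP/1.1\r\n"
    timeout 5
}
'''

GOOD_MONITOR = r'''
ltm monitor http http_good {
    defaults-from http
    interval 5
    recv "HTTP/1\.[01] 200"
    send "GET /healthz HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
    timeout 16
}
'''

HEADER_RE = re.compile(r'^ltm monitor (\S+) (\S+) \{$')
ATTR_RE = re.compile(r'^\s*([a-z][\w-]*)\s+(.*?)\s*$')


def parse_monitor(stanza):
    """Return (monitor_type, name, {attribute: value}); quotes around values are stripped."""
    kind = name = None
    attrs = {}
    for line in stanza.strip().splitlines():
        h = HEADER_RE.match(line)
        if h:
            kind, name = h.groups()
            continue
        if line.strip() == '}':
            continue
        m = ATTR_RE.match(line)
        if m:
            key, val = m.groups()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            attrs[key] = val
    return kind, name, attrs


def unescape_send(value):
    """tmsh shows CR/LF in the Send string as the two-character sequences \\r and \\n."""
    return value.replace('\\r', '\r').replace('\\n', '\n')


def check_monitor(stanza, default_interval=5, default_timeout=16):
    """Return a list of findings; an empty list means the stanza passed every check."""
    kind, name, a = parse_monitor(stanza)
    findings = []
    interval = int(a.get('interval', default_interval))   # 5/16 are the ECV defaults
    timeout = int(a.get('timeout', default_timeout))
    recommended = 3 * interval + 1
    if timeout < recommended:
        findings.append(f'{name}: timeout {timeout} is below 3*interval+1 = {recommended}; '
                        'fewer than three consecutive checks can fail before the member is marked down')
    send = unescape_send(a.get('send', 'GET /\r\n'))
    if kind in ('http', 'https'):
        request_line = send.split('\r\n', 1)[0]
        if 'HTTP/1.' in request_line and not send.endswith('\r\n\r\n'):
            findings.append(f'{name}: send string lacks the empty line that ends the HTTP headers; '
                            'the server waits for more headers until the monitor times out')
        if request_line.endswith('HTTP/1.1') and not re.search(r'^Host:', send, re.M):
            findings.append(f'{name}: HTTP/1.1 request without a Host header; '
                            'servers commonly answer 400, which never matches the Receive string')
    recv = a.get('recv', 'none')
    if recv not in ('', 'none'):
        try:
            re.compile(recv)
        except re.error as exc:
            findings.append(f'{name}: recv string is not a valid regular expression ({exc})')
    return findings


if __name__ == '__main__':
    for stanza in (BAD_MONITOR, GOOD_MONITOR):
        _, name, _ = parse_monitor(stanza)
        print(name, check_monitor(stanza) or 'OK')
```

Feed it the output of tmsh list ltm monitor http <name> (or the https equivalent) one stanza at a time. The Host and empty-line checks are plain HTTP/1.1 requirements rather than BIG-IP rules, which is why they only fire when the request line names an HTTP/1.x version.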
Troubleshooting monitor types
Simple monitors
Troubleshooting connectivity issues for a simple monitor is fairly straightforward. If you
determine that a monitor is marking a node down (or the node is bouncing), you can use the
following steps to troubleshoot the issue:
1. Determine the IP address of the nodes being marked down.
You can determine the IP address or the nodes that the monitor is marking down by using
the Configuration utility, command line utilities, or log files. You can quickly search the
/var/log/ltm file for node status messages using command syntax that appears similar to
the following example:
# grep 'Node' /var/log/ltm | grep 'status'
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.1 monitor
status down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 172.24.64.4 monitor
status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.200 monitor
status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.122
monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor
status unchecked.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 11.1.1.1 monitor
status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor
status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.229
monitor status down.
Note: If a large number of nodes are being marked down (or bouncing), you can sort the
results by IP addresses.
For example:
grep 'Node' /var/log/ltm | grep 'status' | sort -t . -k 3,3n -k 4,4n
2. Check connectivity to the node.
If there are occurrences of node addresses being marked down and not back up, or nodes
bouncing, check the connectivity to the nodes from the BIG-IP system, using commands
such as ping, traceroute (BIG-IP 10.x, 11.x) or tracepath (BIG-IP 9.x). For example, if
you have determined that a simple monitor is marking the node address 10.10.65.1 down,
you can attempt to ping the resource from the BIG-IP system as follows:
# ping -c 4 10.10.65.1
PING 10.10.65.1 (10.10.65.1) 56(84) bytes of data.
64 bytes from 10.10.65.1: icmp_seq=1 ttl=64 time=11.32 ms
64 bytes from 10.10.65.1: icmp_seq=2 ttl=64 time=8.989 ms
64 bytes from 10.10.65.1: icmp_seq=3 ttl=64 time=10.981 ms
64 bytes from 10.10.65.1: icmp_seq=4 ttl=64 time=9.985 ms
Note: The previous ping output shows high round trip times, which may indicate a
network issue or a slow responding node.
In addition, make sure that the node is configured to respond to the simple monitor. For
example, tcp_echo is a simple monitor type that requires the TCP echo service to be
enabled on the nodes being monitored. The BIG-IP system sends a SYN segment with information
to be echoed by the receiving device.
3. Check the monitor settings.
Use the Configuration utility or command line utilities to verify that the monitor settings
(such as the interval / timeout ratio) are appropriate for the node.
For example, the following bigpipe command lists the configuration for the icmp_new
monitor:
bigpipe monitor icmp_new list
The following tmsh command lists the configuration for the icmp_new monitor:
tmsh list /ltm monitor icmp_new
4. Create a custom monitor (if needed).
If you are using a default monitor and have determined that the settings are not
appropriate for your environment, consider creating and testing a new monitor with
custom settings.
5. Use the tcpdump command to capture monitor traffic.
If you are unable to determine the cause of a failing health monitor, it may be necessary
to perform packet captures on the BIG-IP system.
Note: For more information about running tcpdump, refer to SOL411: Overview of
packet tracing with the tcpdump utility.
ECV monitors
Troubleshooting issues for ECV monitors involves several steps. If you determine that an ECV
monitor is marking a pool member down (or the pool member is bouncing), you can use the
following steps to troubleshoot the issue:
1. Determine the IP address of the pool members that the monitor is marking
down by using the Configuration utility, command line utilities, or log files.
For example, search the /var/log/ltm file for pool member status messages as follows:
# grep -i 'pool member' /var/log/ltm | grep 'status'
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member
10.10.65.1:21 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member
10.10.65.1:80 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member
10.10.65.1:80 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member
10.10.65.1:80 monitor status node down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070638:5: Pool member
172.16.65.3:80 monitor status node down.
Jan 21 15:05:05 local/3400a notice mcpd[2964]: 01070638:5: Pool member
172.16.65.3:80 monitor status unchecked.
2. Check connectivity to the pool member.
As previously stated, check the connectivity to the pool members from the BIG-IP system
using the ping or traceroute commands.
3. Check the ECV monitor settings.
Use the Configuration utility or command line utilities to verify that the monitor settings
(such as the interval / timeout ratio) are appropriate for the pool members.
For example, the following bigpipe command lists the configuration for the http_new
monitor:
bigpipe monitor http_new list
The following tmsh command lists the configuration for the http_new monitor:
tmsh list /ltm monitor http_new
4. Create a custom monitor (if needed).
If you are using a default monitor and have determined that the settings are not
appropriate for your environment, consider creating and testing a new monitor with
custom settings.
5. Test the response from the application.
Use a command line utility on the BIG-IP system to test the response from the web
application. For example, the following command uses the curl (and time) command and
attempts to transfer data from the web server while timing the response:
# time curl http://10.10.65.1
<html>
<head>
--</body>
</html>
real 0m18.032s
user 0m0.030s
sys 0m0.060s
Note: If you want to test a specific HTTP request, including HTTP headers, you can use
the telnet command to connect to the pool member.
For example:
telnet <serverIP> <serverPort>
Next, at the prompt, enter an appropriate HTTP request line and HTTP headers, pressing
Enter once after each line.
For example:
GET / HTTP/1.1 <enter>
Host: www.yoursite.com <enter>
Connection: close <enter>
<enter>
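The curl and telnet tests above are manual and do not apply the monitor's own Receive string or timeout. The following Python script is an added example (not from the article): ecv_probe() does what an ECV monitor does, that is, opens a TCP connection, sends the Send string byte-for-byte, reads until the Receive string matches, the peer closes, a byte limit is reached, or the timeout expires, and reports the verdict and elapsed time. So that it runs offline, it includes a small local HTTP server standing in for a pool member whose / redirects and whose /healthz answers 200; the paths, Host header and byte limit are assumptions. Point ecv_probe() at a real member's address and port to reproduce the monitor's decision from the BIG-IP command line.

```python
"""Added example (not from the F5 article): reproduce an ECV monitor's decision against a
pool member and time it. A local stand-in HTTP server is included so the block runs offline."""
import re
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def ecv_probe(host, port, send_string, recv_regex, timeout=16.0, max_bytes=65536):
    """Connect, send the Send string verbatim, read until the Receive string matches,
    the peer closes, max_bytes arrive, or timeout elapses. Returns a dict with the verdict.
    max_bytes stands in for the monitor's response-size limit (SOL3451); it is an assumption."""
    pattern = re.compile(recv_regex.encode()) if recv_regex else None
    started = time.monotonic()
    data, error = b'', None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(send_string.encode())
            while len(data) < max_bytes:
                remaining = timeout - (time.monotonic() - started)
                if remaining <= 0:
                    error = 'timeout'
                    break
                sock.settimeout(remaining)
                chunk = sock.recv(4096)
                if not chunk:
                    break          # peer closed; everything it sent is in data
                data += chunk
                if pattern and pattern.search(data):
                    break          # the monitor succeeds as soon as the string is seen
    except OSError as exc:         # connection refused, reset, or recv timed out
        error = error or str(exc)
    elapsed = time.monotonic() - started
    matched = (pattern.search(data) is not None) if pattern else (error is None)
    return {
        'status': 'up' if matched and error is None else 'down',
        'elapsed': round(elapsed, 3),
        'error': error,
        'reply': data.split(b'\r\n', 1)[0].decode(errors='replace'),
    }


class _DemoHandler(BaseHTTPRequestHandler):
    """Stand-in pool member: /healthz answers 200, everything else redirects (constructed)."""

    def do_GET(self):
        if self.path == '/healthz':
            body = b'OK\n'
            self.send_response(200)
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header('Location', '/login')
            self.send_header('Content-Length', '0')
            self.end_headers()

    def log_message(self, *args):
        pass


SEND_HEALTHZ = 'GET /healthz HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n'
SEND_ROOT = 'GET / HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n'
RECV = r'HTTP/1\.[01] 200'


def demo():
    """Probe the local stand-in with both Send strings; returns (healthz_result, root_result)."""
    server = HTTPServer(('127.0.0.1', 0), _DemoHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        healthz = ecv_probe('127.0.0.1', port, SEND_HEALTHZ, RECV, timeout=16.0)
        root = ecv_probe('127.0.0.1', port, SEND_ROOT, RECV, timeout=16.0)
    finally:
        server.shutdown()
        server.server_close()
    return healthz, root


if __name__ == '__main__':
    for result in demo():
        print(result)
```

The root probe comes back down with reply HTTP/1.0 302 Found: a redirect never contains the 200 status the Receive string expects, which is the case SOL3224 describes. Compare the reported elapsed time with the monitor timeout; a member that answers correctly but slowly is marked down just as surely as one that answers wrongly.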
ps output (columns TTY, STAT, START, TIME) listing the health monitor daemon, /usr/bin/bigd.
Note: If the bigd process fails, the health check status of pool members, nodes, and services
remains in its current state until the bigd process is restarted. For more information, refer to
SOL6967: When the BIG-IP LTM bigd daemon fails, the health check status of pool members,
nodes, and services remain unchanged until the bigd daemon is restarted.
In addition, it is possible to run the bigd process in debug mode. Debug logging for the bigd
process is extremely verbose, as it logs multiple messages for every monitor attempt. For
information about running bigd in debug mode, contact F5 Technical Support.
Supplemental Information
SOL3451: Content length limits for HTTP and HTTPS health monitors
For more information about the bigtop utility, refer to SOL7318: Overview of
the bigtop utility
For more information about the bigpipe utility, refer to the BIG-IP Command
Line Interface Guide (9.4.x) and the Bigpipe Utility Reference Guide (10.x)
For more information about the tmsh utility, refer to the Traffic Management
Shell (tmsh) Reference Guide
Resolved issues in BIG-IP 11.5.3 HF2 (ID Number, Description):
The tmsh config file merge may fail when AFM security log profile is
present in merged file
524326
Can delete last IP address on a BIG-IP GTM server but cannot load a
config with a BIG-IP GTM server with no IPs
Sync when licensed for ASM/AFM fails to sync pool with "Load balancing
feature not licensed" error
IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default
values
The tmsh load sys config merge file 'filename' takes significant time for
firewall rulelist configuration
507575
507331
507327 Programs that read stats can leak memory on errors reading files
506041 Folders belonging to a device group can show up on devices not in the
group
501517
CuSFP module plugged in during links-down state will cause remote linkup
420107
530829 UDP traffic sent to the host may leak memory under certain conditions
530795
In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK
number
530769
521522
521408
521336 pkcs11d initialization retry might post misleading error messages and
eventually result in pkcs11d creating a core file
520540
HTTP Basic authentication may cause the TMM to stop responding if the
header is too large
Configuration objects with more than four vlans in vlan list may cause
memory utilization to increase over time
515139
Active FTP session with inherit profile and address translation disabled
may not decrement pool member current connections statistics
514729
514604 Nexthop object can be freed while still referenced by another structure
512383
Hardware flow stats are not consistently cleared during fastl4 flow
teardown
512062
510638
[DNS] Config change in dns cache resolver does not take effect until TMM
restart
507529
Active crash with assert: tmm failed assertion, non-zero ha_unit required
for mirrored flow
504105
RRDAG enabled UDP ports may be used as source ports for locally
originated traffic
501516
If a very large number of monitors is configured, bigd can run out of file
descriptors when it is restarted
499422
478592
When using the SSL forward proxy feature, clients might be presented with
expired certificates
468375 TMM stops responding when MPTCP JOIN arrives in the middle of a flow
465590 Mirrored persistence information is not retained while flows are active
462714
Source address persistence record times out even while traffic is flowing
on FastL4 profile virtual server
460627
455762
zxfrd might stop responding when the zone file (zxfrd.bin) is deleted from
the directory /var/db
Responses from DNS transparent cache will no longer contain RRSIG for
queries without DO bit set
422087
420341
Connection Rate Limit Mode when limit is exceeded by one client also
throttles others
FastL4 tcp handshake timeout is not honored, connection lives for idle
timeout
375887 Cluster member disable or reboot can leak a few cross blade trunk packets
374339 HTTP::respond/redirect might make TMM unresponsive under low-
memory conditions
374067
big3d https monitor is unable to correctly monitor the web server when
SSL protocol is changed
225443
532030
526856
516523
Full ASM ConfigSync was happening too often in a Full Sync Auto-Sync
Device Group
516522
After upgrade from any pre-11.4.x to 11.4.x (or later) the configured
redirect URL location is empty
514061
Certain upgrade paths to 11.6.x would lose the redirect URL configuration
for Alternate Response Pages
537000
531883 Windows 10 App Store VPN Client must be detected by BIG-IP APM
531483 Copy profile might end up with error
530697 Windows Phone 10 platform detection
529392
526578 Network Access client proxy settings are not applied on German Windows
526492 DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275 VMware View RSA/RADIUS two factor authentication fails
526084 Windows 10 platform detection for BIG-IP EDGE Client
525920 VPE fails to display access policy
525562 Debug TMM stops responding during initialization
525429 DTLS renegotiation sequence number compatibility
525384 Networks Access PAC file now can be located on SMB share
524909 Windows info agent could not be passed from Windows 10
524756 APM log is filled with errors about failing to add/delete session entry
523431
Windows Cache and Session Control cannot support a period in the access
profile name
523390
523329
523327 In very rare cases Machine Certificate service may fail to find private key
523222
520145
519198 [Policy Sync] UI General Exception Error when syncing a policy in a non-default partition as a non-default admin user
518981 RADIUS accounting STOP message may not include long class attributes
518260
517988
APM cannot get groups from an LDAP server, when LDAP server is
configured to use non-default port
517441
Gateways for excluded address space routes are not adjusted correctly
during roaming between networks on Windows machines
514912 Portal Access scripts had not been inserted into HTML page in some cases
514220 New iOS-based VPN client may fail to create IPv6 VPN tunnels
513969
UAC prompt is shown for machine cert check for non-limited users, even
if machine cert check service is running
513953 RADIUS Auth/Acct might fail if server response size is more than 2K
513706 Incorrect metric restoration on Network Access on disconnect (Windows)
513581
513283 Mac Edge Client does not send client data if access policy expired
513201 Edge client is missing localization of some English text in Japanese locale
513165
511961 BIG-IP Edge Client does not display logon page for FirePass
511854 Rewriting URLs at client side does not rewrite multi-line URLs
511648 On standby, TMM can produce a core file when active system sends
leasepool HA commands to standby device
511441 Memory leak on request Cookie header is longer than 1024 bytes
510709
Websso start URI match fails if there are more than 2 start URIs in SSO
configuration
510596
Logon Page agent gets empty user input in clientless mode 3 when a
Variable Assign agent resides in front of it
TMM cores while using APM network Access and no leasepool is created
on the BIG-IP system
494565 CSS patcher stops responding when a quoted value consists of spaces only
494189 Poor performance in clipboard channel when copying
493006 Export of huge policies might end up with 'too many pipes opened' error
492701
Resolved LSOs are overwritten by source device in new Policy Sync with
new LSO
492305
Recurring file checker does not interrupt session if client machine has
missing file
483792
Different Outlook users with same password and client IP are tied to a
single APM session when using Basic auth
Edge-Client client shows an error about corrupted config file, when user's
profile and temp folders located on different partitions
474779
EAM process fails to register channel threads (MPI channel) with TMM,
and subsequent system call fails
474698
BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests
under certain conditions
474058
473255
472256 The tmsh and tmctl report unusually high counter values
472062
471874
VDI plugin stops responding when trying to respond to the client after the
client has disconnected
471117 iframe with JavaScript in 'src' attribute not handled correctly in IE11
468441 OWA2013 may work incorrectly by way of Portal Access in IE10/11
468433 OWA2013 may work incorrectly by way of Portal Access in IE10/11
468137 Network Access logs missing session ID
466745 Cannot set the value of a session variable with a leading hyphen
464547
Show proper error message when VMware View client sends invalid
credentials to APM
461597 MAC edge client does not follow HTTP 302 redirect if new site has
untrusted self-signed certificate
454784
in VPE %xx symbols such as the variable assign agent might be invalidly
decoded
HTML5 VMware View Client does not work with APM when virtual
server is on non-default route domain
437744 SAML SP service metadata exported from APM may fail to import
437670 Race condition in APM windows client on modifying DNS search suffix
425882
420512
All Messages report does not display any data when the Log Levels are
selected to filter data based on Log Levels
416115
Edge client continues to use old IP address even when server IP address
changed
APM Network Access tunnel slows down and loses data in secure
renegotiation on Linux and Mac clients
Assertion 'valid proxy' can occur after a configuration change with active
IVS flows
512054 CGNAT SIP ALG - RTP connection not created after INVITE
511326
503652
Some SIP UDP connections are lost immediately after enabling a blade on
the Active HA unit
499701 SIP Filter drops UDP flow when ingressq len limit is reached
480311 ADAPT should be able to work with OneConnect
448493 SIP response from the server to the client gets dropped
533808
515187
Certain ICMP packets are evaluated twice against Global and Route
Domain ACL rules
All descriptions for ports-list's members are flushed after the port-list was
updated
509919
526295
BIG-IP stops responding in debug mode when using PEM iRule to create a
session with calling-station-id and called-station-id
511064
495913 TMM produces a core file when CCA-I policy received with uninstall
491771
Using catch to suppress 'invalid command' errors resulting from invalid use
of [] around a parking command in a proc can cause TMM to panic
478399
PEM subscriber sessions are created without PEM being licensed if the "radiusLB-subscriber-aware" profile is configured
464273
PEM: CCR-I for the Gx session has only one subscriber ID type, even if
the session created has more than one type
450779
PEM source or destination flow filter attempts to match against both source
and destination IPs of a flow
449643
Error message "Gx uninit failed!" and "Gy unint failed!" received during
boot of the system
439249 PEM:Initial quota request in the rating group request is not as configured
438608
PEM: CCR-U triggered during Gy session may not have Request Service
Unit (RSU)
438092
514236
If an APM policy sync puts the new policy on a member of a sync-failover device group, the
sync of the sync-failover group failed. This now succeeds.
An issue has been resolved that affected the ability to modify a vCMP guest's
management network mode.
459155 Included the physdev netfilter module into the BIG-IP kernel package.
459694
vCMP guest's ability to interfere with the management network of the hypervisor has
been restricted.
459753 "bigstart restart" on a secondary blade no longer causes clusterd to restart continuously.
459973
The Include Cluster option in the HA Group configuration cannot be disabled using the
Configuration utility.
462315
Saving a single partition out of the configuration ('save sys config' with the 'partitions
{ p1 }' option) now writes the configuration file properly. It previously appended to the
file but now overwrites it as it should.
462943
Resolved issue where rewrite CSS filter/parser may use stale iovs in declaration_state
resulting in SIGSEGV.
470796 CVE-2014-4023.
471070 Non-administrative users cannot modify Client SSL profiles.
471704
The vcmpd process is no longer vulnerable to malicious data passed from a vCMP
guest.
478922
Resolved issue that ICSA logging did not contain information that is required for
certification.
481648
The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the
same interface.
The guest-specific configuration information blocks are now isolated from each other
and the hypervisor is protected against invalid data injected by a vCMP guest.
Use true timeout instead of retries limit when initializing the FIPS device, and
subsequently power cycle the unit to recover the FIPS device.
The crash that happens in the AFM logging module, when the TCP connection to a log
destination server is re-established, is fixed.
492460
01070265:3: The Virtual Server () cannot be deleted because it is in use by a sflow http
data source (). This no longer occurs.
226892
Resolved intermittent issue when return packets were dropped after configuring packet
filters for DNS traffic or traffic with IP fragments.
424931
Creation of a large file, such as a UCS archive is now handled correctly, and the csyncd
process no longer causes high CPU utilization.
428864
Lowering the virtual server connection limit now works, even when traffic is already
being processed.
433946
Benign rsync errors are no longer logged in /var/log/ltm and instead are tracked by way
of stats in the 'csync_stat' table.
436097 When the TMM restarts, pkcs11d also must be restarted automatically if present.
436811 BIG-IP database monitors may report an incorrect pool member status.
This spurious error message may have previously been displayed when the local user
database feature was configured:
437875
437906 WebSockets and the HTTP CONNECT method now work with OneConnect.
439424
SafeNet HSM install now needs to be done only on the primary slot on BIG-IP
cluster-mode chassis systems such as VIPRION. A single install on the primary slot
installs SafeNet on all active slots. In any already-open sessions to the BIG-IP slots,
the PATH environment variable must be reloaded by running 'source ~/.bash_profile'
before the SafeNet utilities can be used. If at a later stage a new blade is added, or a
disabled or powered-off blade is made active or powered on, the user has to run
'safenet-sync.sh -p ' *only* on the new secondary slot. If the new slot is made primary
before running safenet-sync.sh on it, then the regular install procedure
The BIG-IP system now reconnects to SafeNet HSM if the connection is interrupted, so
connections continue as expected.
439513 NETHSM: Initial few connection drops after each TMM restart.
439540 Restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".
441894 Pkcs11d watchdog functionality avoids manual restart.
443098 The Proxy SSL feature no longer leaks memory.
447515 The TMM process may resume a suspended iRule on the wrong connection flow.
449798
The BIG-IP system may not correctly monitor pool members after the mcpd process
restarts.
450031 The BIG-IP system may incorrectly log 'Limiting closed port RST response' messages.
450804 Improved TLS finish messages.
451218 Corrected Nitrox TLS padding.
452121
In the event of an invalid parameter in the clienthello, the correct TLS version will be
set in the alert.
454636
The logging destination IP address only matches virtual servers, so no HSL logging is
lost.
The TMM will no longer produce a core file on startup when traffic arrives before
transitioning to cmp ready.
TMM will set a known route domain when processing SIP Requests to prevent panics
caused by an invalid route domain.
480113
FIPS exported keys can now be successfully installed in FIPS cards without causing
config-sync failure.
Virtual servers with Client SSL profiles may not respond to SSL handshakes after a
ConfigSync.
485188
When the SSL ClientHello contains the SCSV marker, if the client protocol offered is
not the latest that the virtual server supports, a fatal alert will be sent.
488208 Can properly upgrade to OpenSSL 1.0.1j without breaking RSA PKCS#1.5 decryption.
470394
The BIG-IP system calculates the correct number of members in the active priority
group when the slow ramp feature is triggered.
470994
The TMM now correctly applies TSO processing to outbound packets, so TMM no
longer segfaults.
The TMM will still log critical-level messages, but the system continues to function
properly.
SSL will properly renegotiate rather than terminate connections when the session
expires.
487808 Cost link load balancing software support has reached EOL.
248487
The enforcer does not convert parameter values into the web application language when
parameters are defined as "file upload" or "ignore value" in the security policy.
435520
Fixed an issue that occasionally stopped you from deleting an ASM security policy that
was created using a template after you rolled-forward the policy's configuration from a
previous version.
454142 Resolved intermittent Enforcer crash due to specific requests.
461028 vCMP: Fixed an issue that caused the Enforcer to crash in a clustered environment.
471103
There is a new internal parameter: "ignore_null_in_multipart_text". When the internal
parameter is set, a null in request violation is not issued when a null appears in the
request. If the parameter is defined as file upload in the security policy, no violation is
issued. If the parameter is defined as something else, the violation "null in multipart
request" is issued. If the parameter is not defined in the security policy, the violation
"null in request" is issued.
476179
Brute force reporting: The brute force reported operation mode (Transparent or
Blocking) is now the same when the attack starts and ends. Previously, the system
would occasionally change the operation mode logged when the attack ended.
476191
To enable you to bypass unicode validation on XML and JSON profiles, we added two
internal parameters:
- relax_unicode_in_xml: The default is 0, which is the current behavior. When the value
  is changed to 1, a "bad unicode character" does not produce an XML malformed
  violation. A "bad unicode character" might be a legal unicode character that does not
  appear in the mapping of the system's XML parser.
- relax_unicode_in_json: The default is 0, which is the current behavior. When the value
  is changed to 1, a "bad unicode character" does not produce a JSON malformed
  violation. A "bad unicode character" might be a legal unicode character that does not
  appear in the mapping of the system's JSON parser.
481572
Fixed an issue that caused the system to not report a navigation parameter that appeared
in the POST data.
481792
Fixed an issue where specific requests occasionally caused the Enforcer to stop
responding.
476621
Fixed an issue where Bot Detection in the Web Scraping feature created JavaScript
errors in the web application using Internet Explorer.
Resolved on all platforms where the active session count might be significantly large, at times, likely due to a counter underflow.
403660 Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.
418850 AD may now be the last auth agent in the VMware View access policy. Username/password/domain are preserved and then passed to the backend.
420989 When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.
420990 Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.
421901
"Store information about client software in session variables" setting is removed from
the Visual Policy Editor for these Endpoint Security (Client-Side) software checks:
422818
Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.
426623 Improved PAC file download mechanisms.
427830 Network Access connection will not be established if the PAC file specified in the NA resource cannot be downloaded within 30 seconds.
429362 Edge Client properly reconnects when network connectivity is restored. Previously a full reconnection was done in this case and the previous session was not removed.
430531 Computer group policy settings are updated after establishing a VPN connection with Windows Logon Integration.
431810 Fixed unexpected exceptions when using the Kerberos auth agent in a multi-domain SSO configuration.
432333 Java Application Tunnels now work when Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to 127.0.0.1 due to limitations of this mode.
433243 BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.
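An added example, not BIG-IP APM code, showing what the three-minute NotBefore adjustment above buys and what it does not: a Service Provider whose clock lags is tolerated, a Service Provider whose clock runs fast still rejects the assertion at NotOnOrAfter, and the relying party's own skew allowance is a separate knob. The issue time, validity window and skew values are constructed for the demo, and the function names are this example's own.

```python
"""Added example, not BIG-IP APM code: how an IdP's back-dated NotBefore and a
Service Provider's own skew tolerance interact when validating a SAML
assertion's Conditions. All timestamps and skew values below are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Tuple

BACKDATE = timedelta(minutes=3)  # the adjustment the entry above describes


def idp_conditions(issued_at: datetime, validity: timedelta,
                   backdate: timedelta = BACKDATE) -> Tuple[datetime, datetime]:
    """Issuer side. NotBefore is shifted back so an SP whose clock lags still
    accepts the assertion; NotOnOrAfter stays relative to the real issue time,
    so the far end of the window is not widened."""
    return issued_at - backdate, issued_at + validity


def sp_accepts(not_before: datetime, not_on_or_after: datetime,
               sp_now: datetime, allowed_skew: timedelta = timedelta(0)) -> bool:
    """Relying-party side. NotBefore is inclusive and NotOnOrAfter exclusive
    (SAML 2.0 Core, Conditions), each relaxed by the SP's own skew allowance."""
    return (sp_now + allowed_skew >= not_before
            and sp_now - allowed_skew < not_on_or_after)


def demo(sp_clock_lag: timedelta, backdate: timedelta = BACKDATE,
         sp_skew: timedelta = timedelta(0)) -> bool:
    """One scenario: the IdP issues at a fixed (constructed) instant with a
    5-minute validity; the SP clock lags by sp_clock_lag (negative = ahead)."""
    idp_now = datetime(2015, 3, 2, 12, 0, 0, tzinfo=timezone.utc)
    nb, noa = idp_conditions(idp_now, timedelta(minutes=5), backdate)
    return sp_accepts(nb, noa, idp_now - sp_clock_lag, sp_skew)


if __name__ == "__main__":
    print(demo(timedelta(minutes=2), backdate=timedelta(0)))  # False: SP 2 min slow, no back-dating
    print(demo(timedelta(minutes=2)))                          # True: covered by the 3-minute back-date
    print(demo(timedelta(minutes=4)))                          # False: lag exceeds the back-date
    print(demo(timedelta(minutes=4), sp_skew=timedelta(minutes=2)))  # True: SP's own skew closes the gap
    print(demo(timedelta(minutes=-6)))                         # False: SP 6 min fast, past NotOnOrAfter
```

Back-dating NotBefore is a compatibility measure, not a security one: it lengthens the interval during which a captured assertion is accepted, so the Service Provider should still enforce NotOnOrAfter strictly and reject reuse of an assertion ID it has already consumed.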
436177 Fixed arbitrary command execution: check that the cab file and webpage are located on the same server.
436180 Edge Client will only install controls from trusted hosts.
436183 Check if the critical section object was initialized before deleting it.
438292 Resolved issue of Web AppTunnel re-using the wrong existing loopback for a different backend server IP.
438730 Fixed BSOD caused by the DNS relay filtering driver in a very specific condition on Windows XP SP3.
439280 BIG-IP Edge Client installation may trigger a Windows 8.1 system failure.
440792 Client proxy settings specified in a Network Access resource are now applied without an occasional miss.
441318 BIG-IP APM password updates may fail for user account names that contain a period character.
441355 Improved VMware View native client error reporting and prompting for the new password.
APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.
449141 Improved notifications to the user when the BIG-IP Edge Client must reboot to complete updates.
450155 Fixed incorrect handling of the component installer that resulted in an MSI installer acting as though installation had failed.
Edge client cannot automatically retrieve the RSA SecurID software token if configured on the Logon page.
453188 Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled.
454322 When the Allow Local DNS Servers option is enabled, DNS servers from interfaces that are down will not be added to the VPN exclusion list.
456911 A certain scenario in a BIG-IP GTM deployment was fixed where access to certain corporate resources might be denied despite a network access connection.
458167 Improved logging and error code checks for the EAM / OAM component.
459870 BIG-IP Edge Client in Always Connected mode now properly processes cancelling captive portal detection.
459953 When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL ciphertext is no longer logged.
460265 apmd crashes with a null tcl interpreter object. This is now fixed.
462258 After the fix, an LDAP operation times out in 3 minutes, so a thread will not block any other operation, and the service can recover as soon as the connection to the backend is restored.
462481 OAM code is fixed with proper exception handling where Oracle API calls are made.
463505 Added factor authentication support for the Edge Client soft token integration.
463538 Edge Client now correctly sends the PIN for RSA Soft Token clients while in New PIN mode.
463735 [SecurID SDK] In case of a PIN change, the user is prompted to input the Passcode in the PIN field.
463776 VMware View client does not freeze when APM PCoIP is used and user authentication fails against VCS 5.3.
464313 Now dynamically created forms with absolute action path are handled correctly, even
Now routes for Exclude Address Space are correctly removed when the NA connection is terminated if the client was switched to another network.
466797 EdgeClient now shows a warning about session expiration when the maximum session timeout is reached.
466898 Enterprise Manager reports now work correctly when accessed through Portal Access.
467287 Previously, Policy Sync would add whitespace to Forms-based SSO configuration objects, which prevented the configuration from running. Now Forms-based SSO configuration does not have whitespace added and the configuration runs as expected.
467597 The InspectionHost plugin will now be installed to the "current user" profile (as opposed to all users) and, therefore, will no longer prompt for an administrative password.
468478 When the 32k storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.
469960 Implemented a throttling mechanism, so that when the number of fds in the queue reaches a certain threshold, apd stops accepting new requests until the number of fds in the queue decreases to a defined level. Three db variables were introduced: one to enable or disable throttling, one to define a high water mark beyond which release of any connection handle is stopped, and a low water mark to allow further connections from TMM.
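An added illustration of the high/low water-mark scheme the entry above describes. This is example code, not apd's implementation; the thresholds, the event model and the class and function names are assumptions made for the demo. The point it shows is the hysteresis: intake stops when the backlog reaches the high mark and resumes only once the backlog has drained to the low mark, so a backlog hovering around a single threshold does not flip the accept state on every request.

```python
"""Added example, not apd's code: a high/low water-mark admission throttle
with hysteresis. Thresholds, the queue model and all names are assumptions
made for this demo."""
from typing import List


class WaterMarkThrottle:
    """Stop taking new handles at `high` pending; resume once pending <= `low`."""

    def __init__(self, high: int, low: int, enabled: bool = True) -> None:
        if not 0 <= low < high:
            raise ValueError("need 0 <= low < high")
        self.high, self.low, self.enabled = high, low, enabled
        self.backlog = 0        # pending handles: the "fds in the queue"
        self.accepting = True

    def offer(self) -> bool:
        """A new connection handle arrives from TMM. True = queued."""
        if self.enabled and self.accepting and self.backlog >= self.high:
            self.accepting = False              # crossed the high water mark
        if self.enabled and not self.accepting:
            return False                        # refused until we drain to low
        self.backlog += 1
        return True

    def complete(self) -> None:
        """A queued handle has been processed."""
        self.backlog = max(0, self.backlog - 1)
        if not self.accepting and self.backlog <= self.low:
            self.accepting = True               # drained to the low water mark


def run(events: str, high: int = 4, low: int = 2, enabled: bool = True) -> str:
    """Replay a constructed event string ('o' = offer, 'c' = complete) and
    return a trace: 'A' accepted, 'R' refused, '.' completion."""
    throttle = WaterMarkThrottle(high, low, enabled)
    trace: List[str] = []
    for ev in events:
        if ev == "o":
            trace.append("A" if throttle.offer() else "R")
        elif ev == "c":
            throttle.complete()
            trace.append(".")
    return "".join(trace)


if __name__ == "__main__":
    # Four accepted, then refused at the high mark; one completion is not
    # enough to reopen (backlog 3 > low 2), two are.
    print(run("oooooocoocco"))           # AAAARR.RR..A
    print(run("oooooo", enabled=False))  # AAAAAA
```

With a single threshold the throttle would reopen after the first completion and close again on the next offer; the gap between the two marks is what lets the backlog drain before intake resumes.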
470225 Machine Certificate checker now works correctly in Internet Explorer 11.
471014 OpenSSL improvements.
471331 Fixed intermittent resets when access policy execution is in progress simultaneously from multiple browser tabs.
471452 When URLs from multiple browser tabs start an access policy, the landing URL is set to the URL from the browser tab that finished the access policy execution.
471714 CRLF is used at the end of the header and as the separator between the header and the email body in emails generated by the APM Email agent, conforming to RFC 5322.
471825 Emails sent by the 'Email Action' agent, when received by certain SMTP servers, contained an empty body. The Email agent was updated to comply with RFC 5322 by including a "Date:" header.
471893 A problem in which the BIG-IP system, when configured as a SAML IdP, might reboot TMM when running the SLO protocol in certain conditions has been fixed.
472040 TMM with BZ 455113 no longer crashes when using the ACCESS::session iRule command.
472216 Fixed alignment of the connection duration counter for customized Edge Clients.
472825 Dashboard no longer displays a dip in active session count when the primary blade comes back from a reboot.
HD Encryption check now provides a way to check the encryption status of all drives or the system drive only.
473728 The absolute action path for any form in an HTML page is now rewritten correctly at submit time.
474392 Code signing of executables (app, plugin and installer) has been updated to Apple's latest (v2) signature requirement.
474532 Proper validation was added to check that the correct messages were received on the proper URL. Logging was added for failing cases.
474730 Forms with an absolute action path and a tag with id=action inside are now handled correctly.
Resolved issue where, when APM is configured with a URL ("https://...."), Edge Client for Windows does not resolve the APM hostname while reconnecting.
475360 Resolved issue where Edge Client remembers a specific VS URI after it is redirected.
475650 Fixed an issue that caused TMM to occasionally restart when processing SLO messages.
475682 EAM used to send multiple Cookie headers in an HTTP message. Multiple HTTP headers like this are treated as comma-separated by some receivers. Now EAM adds a single Cookie header with the cookies delimited by a semicolon.
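An added example, not EAM code, of the failure the entry above fixes: a receiver that folds repeated header fields into one comma-joined value (which RFC 7230 permits only for fields defined as comma-separated lists) turns two Cookie headers into one mangled cookie, whereas the RFC 6265 form, a single Cookie header with pairs separated by "; ", parses correctly. The cookie names and values are constructed, and the helper names are this example's own.

```python
"""Added example, not EAM code: why a request carrying several Cookie headers
breaks at receivers that fold repeated headers, and the single-header form
that does not. Sample cookie names/values are constructed for the demo."""
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def fold_repeated_headers(headers: List[Header]) -> Dict[str, str]:
    """Generic RFC 7230 section 3.2.2 combining: same-name fields are joined
    with ", ". Correct for list-valued fields, wrong for Cookie."""
    folded: Dict[str, str] = {}
    for name, value in headers:
        key = name.lower()
        folded[key] = value if key not in folded else folded[key] + ", " + value
    return folded


def parse_cookie_header(value: str) -> Dict[str, str]:
    """RFC 6265 cookie-string: cookie-pairs are separated by ';' only, so a
    ',' inside a value is just part of that value."""
    cookies: Dict[str, str] = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, val = pair.partition("=")
        cookies[name.strip()] = val.strip() if sep else ""
    return cookies


def build_cookie_header(cookies: Dict[str, str]) -> Header:
    """The fixed behaviour: one Cookie header, pairs delimited by "; "."""
    return ("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))


def cookies_seen_by_receiver(headers: List[Header]) -> Dict[str, str]:
    """What a folding receiver ends up with after parsing the Cookie field."""
    return parse_cookie_header(fold_repeated_headers(headers).get("cookie", ""))


# Constructed sample: the pre-fix shape, one Cookie header per cookie.
MULTI_HEADER_REQUEST: List[Header] = [
    ("Host", "app.example.test"),
    ("Cookie", "sso_token=AbCdEf"),
    ("Cookie", "app_session=12345"),
]

# The post-fix shape for the same two cookies.
SINGLE_HEADER_REQUEST: List[Header] = [
    ("Host", "app.example.test"),
    build_cookie_header({"sso_token": "AbCdEf", "app_session": "12345"}),
]

if __name__ == "__main__":
    print(cookies_seen_by_receiver(MULTI_HEADER_REQUEST))
    # {'sso_token': 'AbCdEf, app_session=12345'}  <- one cookie, value mangled
    print(cookies_seen_by_receiver(SINGLE_HEADER_REQUEST))
    # {'sso_token': 'AbCdEf', 'app_session': '12345'}
```

The mangled form is worse than a missing cookie: the second cookie silently disappears and the first carries a value the backend will reject, which shows up as an SSO failure rather than a header error. RFC 6265 section 5.4 requires a user agent to attach at most one Cookie header, so anything emitting cookies on a client's behalf should merge them the same way.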
475770 Improved routing table management for 2 or more network interfaces.
475847 The tag end is now determined correctly in the case of dynamically created content.
476133
477445 Client modified to restore routing table state and select the active interface (on a system connected to the same network segment through multiple interfaces).
477474 HTML attributes with names using '-' are now handled correctly in Portal Access.
477540 apmd no longer crashes with a null tcl interpreter object when used with an ACCESS::policy evaluate iRule command.
477642
477841 Safari 8 will now properly use the admin-defined proxy settings, if available.
477966 User can restart the BIG-IP system to fix the custom report error. Make sure the table apm.log_param_metadata_ui is created in the mysql db.
478115 The action attribute value of a form HTML tag is now properly rewritten in Minimal Content Rewriting mode when it starts with a "/".
478222 Seven new categories and one changed category name in the URL Filter DB.
478285 An issue with the routing table not being restored correctly in a multi-homed environment when server settings disallow local subnet access is now fixed.
479524 Portal Access no longer crashes if the URL in a "Refresh" header matches a Portal Access bypass list entry.
479715 The errant behavior is caused by an improper URL being presented by the error page. When APM checks the improper URL, the same error page is issued. This has now been corrected.
480047 BIG-IP Edge Client can now generate a CTU report.
480247 Edge Client no longer updates its application directory; instead it uses the /Library/Application\ Support/ directory.
480360 Mac Edge Client was fixed so that it does not block TextExpander's functionality.
480995 APM client components now use extended logging by default.
481020 Resolved an intermittent routing table issue that caused traffic to not flow through the tunnel if the proxy server is load balanced.
481046 Wrapper for scriptTag.text='source script' is fixed to rewrite 'source script' for all browsers.
481203 While creating a memcache entry, the username is normalized into UTF-8 lower case. This ensures that there is only one entry for all combinations of usernames.
481257 CTU report now includes information on "OPSWAT Integration Libraries V3".
481663 If the customer does not need optimized tunnels, app tunnels, or remote desktop, they can safely disable (run disable) the db variable "isession.ctrl.apm", which disables iSession. They would then run "bigstart restart tmm apd" so the db variable takes effect. Note that restarting tmm interrupts traffic processing on that device, so do this in a maintenance window or after failing traffic over to the peer.
483113 A cosmetic issue with the server selection menu showing a white background is now fixed.
483379 An issue with Edge Client consuming high CPU and having an unresponsive menu icon is now fixed.
An issue with the Java installer failing to install the InspectionHost plugin and creating a zero byte file under ~/Library/Internet Plug-Ins/ is fixed.
467633 Ensured extra spaces were not added to the minified CSS.
426482 The Octeon will now properly handle decompressing large files without any failures.
479889 Memory leaks on an iSession + iControl setup have been resolved.
480305 Fixed iControl / iSession memory leak issue; set the proper log level to prevent log flooding.
472376 Drop processing the message if the ingress pcb is no longer present.
478442 Core in the SIP filter no longer occurs when sending a HUDEVT message while processing a HUDCTL message.
429885 When operating in firewall (AFM) mode, for example default deny, the BIG-IP system now counts and logs (if enabled) any traffic that does not match a Virtual or Self IP and is being dropped or rejected.
478816 An enhancement that allows logging TCP events and errors on a fastL4 virtual.
480194 Perform the VS DWBL lookup after an accept-decisive firewall rule matches at the global level.
481189 The load factor controls the minimum percentage of fullness that needs to be reached before the table is expanded to a larger size. Setting the load factor to 25 by default prevents the firewall rule compiler from growing the table too aggressively, which resulted in a large firewall BLOB.
481706 Improved security logging to reduce incorrect messages.
484013 Fixes a memory leak when TMM is overloaded and forwards flows to the peer, and packet classification is enabled with "log translation fields" in the logging.
State changes for wide IPs should be updated correctly when the "Update" button is clicked in the Configuration utility wide IP properties page.
11.5.1 HF5
365764, 376120, 404716, 405067, 413689, 421317, 429871, 438159, 440179, 441063, 441174, 445924, 446352, 447266, 448054, 450089, 450129, 450458, 450684, 450693, 450694, 450794, 451424, 451458, 451602, 453256, 453700, 453951, 455138, 456064, 456735, 456914, 456916, 457130, 457326, 458198, 459123, 460593, 461581, 461592, 462045, 463603, 464024, 466034, 466752, 468021, 471496, 472613, 474166, 474465, 477031, 479681, 480248, 480931
348194, 411101, 416250, 418889, 421964
enabled link.
435652, 439653, 439712, 442410, 442584, 445411, 445571, 446820, 447091, 447390, 448327, 448606, 449636, 449845, 450101, 450202, 450584, 450689, 450713, 451340, 451889, 452232, 452264, 452387, 452439, 452579, 454463, 454853, 455361, 455553, 456942, 458597, 459001, 460197
acceleration is reset.
465866, 466260, 467986, 470715, 472532, 475231, 476386
447250
439854, 440284, 442133, 451985, 463369
248487, 438809, 440057, 449946, 453568, 460514, 469798, 469825
225651, 398134, 419809, 425070, 425507, 425731, 431512, 436569, 437326, 437881, 438278, 439463, 439518, 440290, 440385, 441553, 441659, 441681, 442393, 442656, 445399, 445970, 448896, 450033, 450298, 450360, 450728, 450845, 451260, 451387, 451588, 452182, 452344, 453164, 453514, 453531, 453722, 454010, 454248, 454369, 454370, 454547, 454759, 454899, 455039, 455113, 455284, 455426, 455892, 456098, 456714, 457925, 458199, 458211, 458447, 458485, 459780, 459977, 460062, 460272, 460645, 460715, 460762, 460939, 460958, 461087, 461624, 462143, 462669, 463508, 464159, 464748, 465338, 465339, 466317, 466325, 466488, 466877, 467849, 468889, 469100, 469335, 469754, 470382, 470414, 470675, 471125, 473286, 474657
450030, 449988, 450001, 450019, 450055
When the HTTP server terminates its connection and the BIG-IP system receives an encrypted SSL alert along with a FIN from the server (SSL close from the server), the BIG-IP system completes the HTTP response before closing the client connection.
452440, 454348, 455006, 462266
441554, 442548, 444770, 449862, 453548, 460006
rule/policy names.
11.5.1 HF4
461089, 464841, 464850, 466002, 468123, 468809, 470690, 470850, 471867, 471910
DB variable Tmm.pem.diameter.application.silentDelete.prov.error.sessions is available. It should be set to enabled if sessions need to be silently deleted.
472860, 474638
448914, 449017, 453332, 457300, 458109, 463655
406649, 455733
432080, 439758, 440378, 441213, 450241, 455389, 455391, 459255
440763, 447693, 448585, 457982, 462561, 462968, 464238, 466922
464287
451777
421016, 440817, 442988, 443300, 453377, 453779, 454435, 454953, 455744, 456107, 459719, 459758, 461582, 462903, 464774, 464916, 464990, 465963, 468194, 469129, 469507
What are differences between IKEv1 and IKEv2? (IKEv1 vs. IKEv2)

Item | IKEv1 | IKEv2
 | IPsec SA | Child SA (changed)
Exchange modes | Main mode; Aggressive mode | 
 | Aggressive mode: 6 messages | Only 4 messages
Authentication methods | 4 methods | Only 2 methods: [...] authentication method
Traffic selector | Only a combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPsec SA | 
Rekeying | NOT defined | Defined
NAT Traversal | Defined as an extension | Supported by default
 | | Supported by default
Multi-homing | Basically, NOT supported | 
Mobile Clients | Basically, NOT supported | 
DoS protections | Basically, NOT supported | 
 | | More reliable

IKEv2/IPsec (RFC6311)" etc.
See the IETF ipsecme-WG's web page.
See also RFC 4303, 4306, 4718 and 5996 for more details. Note that RFC 5996 (which itself replaced RFC 4306 and RFC 4718) has since been obsoleted by RFC 7296, the current IKEv2 specification.