
Overview

A monitor is an important BIG-IP feature that verifies connections to pool members or nodes. A
health monitor is designed to report the status of a pool, pool member, or node on an ongoing
basis, at a set interval. When a health monitor marks a pool, pool member, or node down, the
BIG-IP system stops sending traffic to the device.

A failing or misconfigured health monitor may cause traffic management issues similar, but not
limited, to the following:

• Connections to the virtual server are interrupted or fail.

• Web pages or applications fail to load or execute.

• Certain pool members or nodes receive more connections than others.

The previously mentioned symptoms may indicate that a health monitor is marking a pool, pool
member, or node down indefinitely, or that a monitor is repeatedly marking a pool member or
node down and then back up (often referred to as a bouncing pool member or node). For
example, if a misconfigured health monitor constantly marks pool members down and then back
up, connections to the virtual server may be interrupted or fail altogether. You will then need to
determine whether the monitor is misconfigured, the device or application is failing, or some
other factor is causing the monitor to fail (such as a network-related issue). The
troubleshooting steps you take will depend on the monitor type and the observed symptoms.

When experiencing health monitor issues, you can use the following troubleshooting steps:

• Identifying a failing health monitor

• Verifying monitor settings

• Troubleshooting monitor types

• Troubleshooting daemons related to health monitoring

• Related articles

Identifying a failing health monitor

The BIG-IP software includes utilities (such as the Configuration utility, command line, or
SNMP) that you can use to alert an administrator or help identify when a health monitor marks
down a pool, pool member, or node. The utilities are defined in the following sections.

Configuration utility

The following table lists Configuration utility pages where you can check the status of pools,
pool members, and nodes:

Configuration utility page   Description                                 Location
Network map                  Summary of pools, pool members, and nodes   Local Traffic > Network Map > Show Map
Pools                        Current status of pool/members              Local Traffic > Pools > Statistics
Pool members                 Current status of pool/members              Local Traffic > Pools > Statistics
Nodes                        Current status of nodes                     Local Traffic > Nodes > Statistics

Command line utilities

The following table lists command line utilities that allow you to monitor the status of pools,
pool members, and nodes:

CLI utility          Description                                                     Example commands
bigtop               Live statistics for pool members and nodes                      bigtop -n
bigpipe (10.x)       Statistical information about pools, pool members, and nodes    bigpipe pool show, bigpipe node show
tmsh (10.x - 11.x)   Statistical information about pools, pool members, and nodes    tmsh show /ltm pool <pool_name>, tmsh show /ltm node <node_IP>

Logs

The BIG-IP system logs messages related to the health monitor to the /var/log/ltm file.
Reviewing the log files is one way to determine the frequency with which the system is marking
down pool members and nodes. Logging related to monitor state changes is as follows:

• Pools

When a health monitor marks all members of a pool down or up, messages that appear
similar to the following example are logged to the /var/log/ltm file:

tmm err tmm[4779]: 01010028:3: No members available for pool <Pool_name>
tmm err tmm[4779]: 01010221:3: Pool <Pool_name> now has available members

• Pool members

When a health monitor marks pool members down or up, messages that appear similar to
the following example are logged to the /var/log/ltm file:

notice mcpd[2964]: 01070638:5: Pool member <ServerIP_port> monitor status down
notice mcpd[2964]: 01070727:5: Pool member <ServerIP_port> monitor status up.

• Nodes

When a health monitor marks a node down or up, messages that appear similar to the
following example are logged to the /var/log/ltm file:

notice mcpd[2964]: 01070640:5: Node <ServerIP> monitor status down.
notice mcpd[2964]: 01070728:5: Node <ServerIP> monitor status up.
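The log messages above are what you grep for in the troubleshooting steps later in this article; the script below is an added example (not part of the original article or F5's tooling) that parses those message formats from /var/log/ltm, counts down/up transitions per pool, pool member and node, and reports objects that are bouncing or that never came back up. The log lines it ships with are constructed to match the formats quoted above; pass a real log path as the first argument to run it on a system.

```python
import re

# Constructed sample of /var/log/ltm lines (not captured from a real system);
# the message IDs and wording follow the examples quoted in this article.
SAMPLE_LTM_LOG = """\
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 172.24.64.4 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
Jan 21 15:05:10 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:05:27 local/3400a notice mcpd[2964]: 01070727:5: Pool member 10.10.65.1:80 monitor status up.
Jan 21 15:06:00 local/3400a err tmm[4779]: 01010028:3: No members available for pool web_pool
Jan 21 15:06:30 local/3400a err tmm[4779]: 01010221:3: Pool web_pool now has available members
"""

# (object kind, pattern, fixed state). A fixed state is used where the message
# wording itself implies the state instead of carrying a "monitor status" word.
PATTERNS = [
    ("pool member", re.compile(r"Pool member (\S+) monitor status (.+?)\.?$"), None),
    ("node", re.compile(r"\bNode (\S+) monitor status (.+?)\.?$"), None),
    ("pool", re.compile(r"No members available for pool (\S+)"), "down"),
    ("pool", re.compile(r"Pool (\S+) now has available members"), "up"),
]


def normalize_state(status):
    """Map the status text to down/up/other. "node down" (a member marked down
    because its node is down) counts as down; "unchecked" is kept as-is."""
    if "down" in status:
        return "down"
    return status


def parse_line(line):
    """Return (timestamp, kind, name, state) for a monitor state-change line, else None."""
    for kind, rx, fixed in PATTERNS:
        m = rx.search(line)
        if m:
            state = fixed if fixed else normalize_state(m.group(2))
            return line[:15], kind, m.group(1), state   # syslog stamp is the first 15 chars
    return None


def summarize(log_text):
    """Count down/up events per object and the number of down->up bounces."""
    summary = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, name, state = parsed
        entry = summary.setdefault(
            (kind, name), {"down": 0, "up": 0, "bounces": 0, "last": None, "last_seen": None})
        if state == "down":
            entry["down"] += 1
        elif state == "up":
            entry["up"] += 1
            if entry["last"] == "down":      # a completed down -> up cycle
                entry["bounces"] += 1
        entry["last"] = state
        entry["last_seen"] = ts
    return summary


def flapping(summary, min_bounces=2):
    """Objects that went down and came back up at least min_bounces times."""
    return sorted(k for k, v in summary.items() if v["bounces"] >= min_bounces)


def stuck_down(summary):
    """Objects whose most recent state change in the log window was 'down'."""
    return sorted(k for k, v in summary.items() if v["last"] == "down")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LTM_LOG
    report = summarize(text)
    for (kind, name), v in sorted(report.items()):
        print(f"{kind:<11} {name:<20} down={v['down']} up={v['up']} "
              f"bounces={v['bounces']} last={v['last']} at {v['last_seen']}")
    print("flapping:", flapping(report))
    print("still down:", stuck_down(report))
```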

SNMP

When the BIG-IP system is configured to send SNMP traps and a health monitor marks a pool
member or node down or up, the system sends the following traps:

• Pool members

alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.10"
}
alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.11"
}

• Nodes

alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12"
}
alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.13"
}

Verifying monitor settings

It is important to verify that monitor settings are properly defined for your environment. For
example, F5 recommends that you configure most monitors with a timeout value of three times
the interval value, plus one. This is to prevent the monitor from marking the node down before
the last check is sent.

Simple monitors

A simple monitor is used to verify the status of the destination node (or the path to the node
through a transparent device). Simple monitors do not monitor individual protocols, services, or
applications on a node; just the node address itself. The BIG-IP system provides the following
pre-configured simple monitor types: gateway_icmp, icmp, tcp_echo, tcp_half_open. If you
determine that a simple monitor is marking a node down, you can verify the following settings:

Note: There are other monitor settings that can be defined for simple monitors. For more
information, refer to the Configuration Guide for BIG-IP Local Traffic Management.

• Interval/timeout ratio

Configuring an appropriate interval/timeout ratio is important for simple monitors. In
most cases, the interval/timeout should have a timeout value of three times the interval,
plus one. For example, the default ratio is 5/16. Verify that the ratio is properly defined.

• Transparent

A transparent monitor uses a path through the associated node to monitor the aliased
destination. Verify that the destination target device is reachable and configured properly
for the monitor.

Extended Content Verification (ECV) monitors

ECV monitors use Send and Receive string settings to retrieve content from pool members or
nodes. The BIG-IP system provides the following pre-configured monitor types: tcp, http, https,
and https_443. If you determine that an ECV monitor is marking a pool member or node down,
you can verify the following settings:

Note: There are other monitor settings that can be defined for ECV monitors. For more
information, refer to the Configuration Guide for BIG-IP Local Traffic Management.

• Interval/timeout ratio

As with simple monitors, configuring the interval/timeout ratio is important for ECV
monitors. In most cases, the interval/timeout should have a timeout value of three times
the interval, plus one. For example, the default ratio for ECV monitors is 5/16. Verify that
the ratio is properly defined.

• Send string

The Send string is a text string that the monitor sends to the pool member. The default
setting is GET /, which retrieves a default HTML file for a website. If the Send string is
not properly constructed, the server may send an unexpected response and be
subsequently marked down by the monitor. For example, if the server requires the
monitor request to be HTTP/1.1 compliant, you must adjust the monitor Send string.

Note: For information about modifying HTTP requests for use with HTTP or HTTPS
application health monitors, refer to the following articles:

SOL2167: Constructing HTTP requests for use with the HTTP or HTTPS application
health monitor
SOL3224: HTTP health checks may fail even though the node is responding correctly
SOL10655: CR/LF characters appended to the HTTP monitor Send string

• Receive string

The Receive string is the regular expression representing the text string that the monitor
looks for in the returned resource. ECV monitor requests may fail and mark the pool
member down if the Receive string is not configured properly. For example, if
the Receive string appears too late in the server response, or the server responds with a
redirect, the monitor marks the pool member down.

Note: For information about modifying the monitor to issue a request to a redirection
target, refer to SOL3224: HTTP health checks may fail even though the node is
responding correctly.

• User name and password

ECV monitors have User Name and Password settings, which can be used for resources
that require authentication. Verify whether the pool member requires authentication and
ensure that the fields contain valid credentials.

Troubleshooting monitor types

Simple monitors

Troubleshooting connectivity issues for a simple monitor is fairly straightforward. If you
determine that a monitor is marking a node down (or the node is bouncing), you can use the
following steps to troubleshoot the issue:

1. Determine the IP address of the nodes being marked down.

You can determine the IP addresses of the nodes that the monitor is marking down by using
the Configuration utility, command line utilities, or log files. You can quickly search the
/var/log/ltm file for node status messages using command syntax that appears similar to
the following example:

# cat /var/log/ltm |grep 'Node' |grep 'status'


Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.1 monitor status down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070640:5: Node 172.24.64.4 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.200 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.10.65.122 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 10.1.0.100 monitor status unchecked.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 11.1.1.1 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.3 monitor status down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070640:5: Node 172.16.65.229 monitor status down.

Note: If a large number of nodes are being marked down (or bouncing), you can sort the
results by IP addresses.

For example:

cat /var/log/ltm |grep 'Node' |grep 'status' | sort -t . -k 3,3n -k 4,4n

2. Check connectivity to the node.

If there are occurrences of node addresses being marked down and not back up, or nodes
bouncing, check the connectivity to the nodes from the BIG-IP system, using commands
such as ping, traceroute (BIG-IP 10.x, 11.x) or tracepath (BIG-IP 9.x). For example, if
you have determined that a simple monitor is marking the node address 10.10.65.1 down,
you can attempt to ping the resource from the BIG-IP system as follows:

# ping -c 4 10.10.65.1
PING 10.10.65.1 (10.10.65.1) 56(84) bytes of data.
64 bytes from 10.10.65.1: icmp_seq=1 ttl=64 time=11.32 ms
64 bytes from 10.10.65.1: icmp_seq=2 ttl=64 time=8.989 ms
64 bytes from 10.10.65.1: icmp_seq=3 ttl=64 time=10.981 ms
64 bytes from 10.10.65.1: icmp_seq=4 ttl=64 time=9.985 ms

Note: The previous ping output shows high round trip times, which may indicate a
network issue or a slow responding node.

In addition, make sure that the node is configured to respond to the simple monitor. For
example, tcp_echo is a simple monitor type that requires that the TCP echo service is
enabled on the nodes being monitored. The BIG-IP system sends a SYN segment with
information to be echoed by the receiving device.

3. Check the monitor settings.

Use the Configuration utility or command line utilities to verify that the monitor settings
(such as the interval / timeout ratio) are appropriate for the node.

For example, the following bigpipe command lists the configuration for the icmp_new
monitor:

bigpipe monitor icmp_new list

The following tmsh command lists the configuration for the icmp_new monitor:

tmsh list /ltm monitor icmp_new

4. Create a custom monitor (if needed).

If you are using a default monitor and have determined that the settings are not
appropriate for your environment, consider creating and testing a new monitor with
custom settings.

5. Use the tcpdump command to capture monitor traffic.

If you are unable to determine the cause of a failing health monitor, it may be necessary
to perform packet captures on the BIG-IP system.

Note: For more information about running tcpdump, refer to SOL411: Overview of
packet tracing with the tcpdump utility.
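Step 3 above lists a monitor with tmsh; checking the listed values against the three-times-interval-plus-one rule from the Verifying monitor settings section is easy to get wrong by hand when a custom monitor inherits its timeout from the parent named in defaults-from. The script below is an added example, not F5 code: it parses constructed output in the shape of tmsh list /ltm monitor (the stanza format and the defaults-from inheritance behaviour are assumptions), resolves each monitor's effective interval and timeout through the defaults-from chain, and flags monitors whose timeout is shorter than 3 * interval + 1.

```python
import re

# Constructed, abbreviated listing in the shape of `tmsh list /ltm monitor` output
# (assumed format: one "ltm monitor <type> <name> { ... }" stanza per monitor,
# one "key value" pair per indented line). Not captured from a real system.
SAMPLE_TMSH_OUTPUT = r"""
ltm monitor icmp icmp {
    defaults-from none
    interval 5
    timeout 16
}
ltm monitor icmp icmp_new {
    defaults-from icmp
    interval 10
}
ltm monitor http http {
    defaults-from none
    interval 5
    recv none
    send "GET /\r\n"
    timeout 16
}
ltm monitor http http_new {
    defaults-from http
    interval 10
    recv "200 OK"
    send "GET / HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
    timeout 12
}
"""

STANZA_RX = re.compile(r"^ltm monitor (\S+) (\S+) \{\s*$")
KV_RX = re.compile(r"^\s+(\S+)\s+(.*?)\s*$")


def parse_tmsh_monitors(text):
    """Return {monitor name: {setting: value, ...}} from the listing."""
    monitors, current = {}, None
    for line in text.splitlines():
        m = STANZA_RX.match(line)
        if m:
            current = {"type": m.group(1)}
            monitors[m.group(2)] = current
        elif line.strip() == "}":
            current = None
        elif current is not None:
            kv = KV_RX.match(line)
            if kv:
                current[kv.group(1)] = kv.group(2).strip('"')
    return monitors


def effective(monitors, name, key):
    """Resolve a setting through the defaults-from chain (assumed to behave like
    tmsh: a monitor without its own value inherits the parent's)."""
    seen = set()
    while name in monitors and name not in seen:
        seen.add(name)                      # guard against a cyclic chain
        mon = monitors[name]
        if key in mon:
            return mon[key]
        name = mon.get("defaults-from", "none")
    return None


def recommended_timeout(interval):
    """The rule this article gives: timeout = 3 * interval + 1 (5 -> 16)."""
    return 3 * interval + 1


def check_ratios(monitors):
    """Flag monitors whose effective timeout deviates from the recommended value.
    'short' is the dangerous case: the node can be marked down before the
    last check of the interval has been sent."""
    findings = {}
    for name in monitors:
        interval = effective(monitors, name, "interval")
        timeout = effective(monitors, name, "timeout")
        if interval is None or timeout is None:
            continue                        # parent not in the listing; cannot resolve
        interval, timeout = int(interval), int(timeout)
        rec = recommended_timeout(interval)
        findings[name] = {"interval": interval, "timeout": timeout, "recommended": rec,
                          "short": timeout < rec, "deviates": timeout != rec}
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TMSH_OUTPUT
    for name, f in sorted(check_ratios(parse_tmsh_monitors(text)).items()):
        flag = "TIMEOUT TOO SHORT" if f["short"] else ("deviates" if f["deviates"] else "ok")
        print(f"{name:<12} interval={f['interval']:<3} timeout={f['timeout']:<3} "
              f"recommended={f['recommended']:<3} {flag}")
```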

ECV monitors

Troubleshooting issues for ECV monitors involves several steps. If you determine that an ECV
monitor is marking a pool member down (or the pool member is bouncing), you can use the
following steps to troubleshoot the issue:

1. Determine the IP address of the pool members that the monitor is marking
down by using the Configuration utility, command line utilities, or log files.

For example, search the /var/log/ltm file for pool member status messages as follows:

# cat /var/log/ltm |grep -i 'pool member' |grep 'status'


Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:21 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:34 local/3400a notice mcpd[2964]: 01070638:5: Pool member 10.10.65.1:80 monitor status node down.
Jan 21 15:04:51 local/3400a notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status node down.
Jan 21 15:05:05 local/3400a notice mcpd[2964]: 01070638:5: Pool member 172.16.65.3:80 monitor status unchecked.

2. Check connectivity to the pool member.

As previously stated, check the connectivity to the pool members from the BIG-IP system
using the ping or traceroute commands.

3. Check the ECV monitor settings.

Use the Configuration utility or command line utilities to verify that the monitor settings
(such as the interval / timeout ratio) are appropriate for the pool members.

For example, the following bigpipe command lists the configuration for the http_new
monitor:

bigpipe monitor http_new list


The following tmsh command lists the configuration for the http_new monitor:

tmsh list /ltm monitor http_new

4. Create a custom monitor (if needed).

If you are using a default monitor and have determined that the settings are not
appropriate for your environment, consider creating and testing a new monitor with
custom settings.

5. Test the response from the application.

Use a command line utility on the BIG-IP system to test the response from the web
application. For example, the following command uses the curl (and time) command and
attempts to transfer data from the web server while timing the response:

# time curl http://10.10.65.1


<html>
<head>
---
</body>
</html>
real 0m18.032s
user 0m0.030s
sys 0m0.060s

Note: If you want to test a specific HTTP request, including HTTP headers, you can use
the telnet command to connect to the pool member.

For example:

telnet <serverIP> <serverPort>

Next, at the prompt, enter an appropriate HTTP request line and HTTP headers, pressing
Enter once after each line.

For example:

GET / HTTP/1.1 <enter>
Host: www.yoursite.com <enter>
Connection: close <enter>
<enter>

6. Use the tcpdump command to capture monitor traffic.

Note: For more information about running tcpdump, refer to SOL411: Overview of
packet tracing with the tcpdump utility.
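Step 5 above tests the application with curl or a hand-typed telnet request; the script below is an added example (not F5 code) that does the same thing the way the ECV monitor does, so a mismatch can be reproduced before reaching for tcpdump. It builds an HTTP/1.1 Send string like the telnet example, applies the Receive string as a regular expression, and shows the two failure modes named in the Receive string section: a redirect response that never contains the expected text, and expected text that appears too far into the response (the inspect_limit parameter is an assumption that models the monitor examining only the first N bytes). The server responses are constructed; ecv_probe() is the live version for a real pool member.

```python
import re
import socket
import time

# Constructed server responses (not captured from a real pool member).
OK_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><body>Application OK</body></html>")
REDIRECT_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: https://www.example.com/login\r\n\r\n"
# The text the monitor looks for appears only after about 3 KB of other content.
LATE_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n" + b"<!-- banner -->" * 200 + b"<p>Application OK</p>"


def build_http11_send_string(path="/", host="www.example.com"):
    """An HTTP/1.1 Send string with the Host and Connection headers the telnet
    example types by hand; each line ends in CR/LF, as the monitor sends it."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


def evaluate_receive(response, recv_string, inspect_limit=None):
    """Apply the Receive string (a regular expression) to the response.
    inspect_limit models the monitor only examining the first N bytes of the
    reply (an assumed parameter here; SOL3451, linked in this article, covers
    the real limit). With an empty Receive string any reply is assumed to count."""
    text = response.decode("latin-1")        # one byte -> one char, never raises
    if inspect_limit is not None:
        text = text[:inspect_limit]
    if not recv_string:
        return len(text) > 0
    return re.search(recv_string, text) is not None


def ecv_probe(host, port, send_string, recv_string, timeout=16, inspect_limit=None):
    """Do once what the monitor does every interval: connect, send, read until the
    server closes or the timeout expires, then evaluate the Receive string."""
    start = time.monotonic()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(send_string.encode())
            while time.monotonic() - start < timeout:
                sock.settimeout(max(0.1, timeout - (time.monotonic() - start)))
                data = sock.recv(4096)
                if not data:                 # server closed the connection
                    break
                chunks.append(data)
    except socket.timeout:
        pass                                 # evaluate whatever arrived before the deadline
    except OSError as exc:
        return {"state": "down", "reason": f"connect/receive error: {exc}",
                "elapsed": round(time.monotonic() - start, 3), "response": b""}
    response = b"".join(chunks)
    matched = evaluate_receive(response, recv_string, inspect_limit)
    return {"state": "up" if matched else "down",
            "reason": ("Receive string matched" if matched
                       else "Receive string not found before close/timeout"),
            "elapsed": round(time.monotonic() - start, 3),
            "response": response}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.65.1"   # address used in the article
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    result = ecv_probe(host, port, build_http11_send_string(host=host), "200 OK")
    print(result["state"], "-", result["reason"], f"({result['elapsed']}s)")
    print(result["response"][:200])
```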

Troubleshooting daemons related to health monitoring

The bigd process manages health checking for pool members, nodes, and services on the BIG-IP
LTM system. The bigd process collects health checking status and communicates the status
information to the mcpd process, which stores the data in shared memory so that the TMM can
read it. If you are having monitoring issues, you can check the memory utilization of the bigd
process. If the %MEM is unusually high, or continually increases, the process may be leaking
memory.

For example, to check the current memory utilization of bigd, use the ps command:

# ps aux |grep bigd

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3020 0.0 0.6 28208 10488 ? S 2010 5:08 /usr/bin/bigd

Note: If the bigd process fails, the health check status of pool members, nodes, and services
remain in their current state until the bigd process is restarted. For more information, refer to
SOL6967: When the BIG-IP LTM bigd daemon fails, the health check status of pool members,
nodes, and services remain unchanged until the bigd daemon is restarted.

In addition, it is possible to run the bigd process in debug mode. Debug logging for the bigd
process is extremely verbose, as it logs multiple messages for every monitor attempt. For
information about running bigd in debug mode, contact F5 Technical Support.

Supplemental Information

• SOL15530: Debug logging and BIG-IP system resource utilization

• SOL3451: Content length limits for HTTP and HTTPS health monitors

• SOL10516: Overview of BIG-IP pool status

• SOL10966: Determining which monitor triggered a change in the availability
of a node or pool member (9.x - 10.x)

• SOL15408: Troubleshooting BIG-IP GTM monitors

• For more information about the bigtop utility, refer to SOL7318: Overview of
the bigtop utility

• For more information about the bigpipe utility, refer to the BIG-IP Command
Line Interface Guide (9.4.x) and the Bigpipe Utility Reference Guide (10.x)

• For more information about the tmsh utility, refer to the Traffic Management
Shell (tmsh) Reference Guide

Original Publication Date: 06/25/2015


Updated Date: 09/29/2015

F5 has recently discovered and corrected a number of issues that affect customers running
BIG-IP 11.5.3. F5 recommends that all customers currently running BIG-IP 11.5.3 install the latest
cumulative rollup hotfix.

The following table lists the rollup hotfixes released for BIG-IP 11.5.3. The table lists each
hotfix, along with the ID numbers of issues that the corresponding hotfix resolves, and a
description of each issue. If an article exists for the issue, the ID number contains a link to a
corresponding article.

Note: These rollup hotfixes are cumulative; each hotfix contains all fixes included in the
previous hotfixes. For example, HF3 includes all IDs fixed in HF1 and HF2.

BIG-IP Version: 11.5.3 HF2

ID Number   Description
546410      Configuration may fail to load when upgrading from v10.X
542898      Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
540638      GUI Device Management Overview to display device_trust_group
535806      Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
534630      Upgrade BIND to address CVE-2015-5477
533458      Generate core file on HSB lockup
533257      The tmsh config file merge may fail when AFM security log profile is present in merged file
530122      Improvements in building "rolled up HF" images for hypervisors
529509      CVE-2015-4620 BIND vulnerability
527630      CVE-2015-1788 : OpenSSL Vulnerability
527021      BIG-IQ iApp statistics corrected for empty pool use cases
526419      Deleting an iApp service may fail
524326      Can delete last IP address on a BIG-IP GTM server but cannot load a config with a BIG-IP GTM server with no IPs
524126      The DB variable provision.tomcat.extramb is cleared on first boot
523863      istats help not clear for negative increment
523125      Disabling/enabling blades in cluster can result in inconsistent failover state
523032      qemu-kvm VENOM vulnerability CVE-2015-3456
520640      The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method
520466      Ability to edit iCall scripts is removed from resource administrator role
519877      External pluggable module interfaces not disabled correctly
519394      Sync when licensed for ASM/AFM fails to sync pool with "Load balancing feature not licensed" error
519068      Device trust setup can require restart of devmgmtd
518039      BIG-IQ iApp statistics corrected for partition use cases
517580      OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
516669      sod core caused failover
516618      CVE-2013-7424
516184      IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values
513974      Transaction validation errors on object references
513916      String iStat rollup not consistent with multiple blades
513649      Transaction validation errors on object references
513454      An snmpwalk with a large configuration can take too long
513382      Resolution of multiple OpenSSL vulnerabilities
510119      HSB performance can be suboptimal when transmitting TSO packets
509782      TSO packets can be dropped with low MTU
509504      Excessive time to save/list a firewall rule-list configuration
509503      The tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration
507575      An incorrectly formatted NAPTR creation by way of iControl can cause an error
507331      Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled
507327      Programs that read stats can leak memory on errors reading files
506041      Folders belonging to a device group can show up on devices not in the group
506034      NTP vulnerabilities (CVE-2014-9297, CVE-2014-9298)
502238      Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501517      A very large configuration can cause transaction timeouts on secondary blades
500091      CVE-2015-0204 : OpenSSL Vulnerability
499260      Deleting trust-domain fails when standby IP is in ha-order
497564      Improve High Speed Bridge diagnostic logging on transmit/receive failures
495335      BWC related TMM core
490537      Persistence Records display in GUI might cause system to become unresponsive with large number of records
486758      Management port unreachable after install
483683      MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
481696      Failover error message 'sod out of shmem' in /var/log/ltm
479460      SessionDb may be trapped in wrong HA state during initialization
475647      VIPRION Host PIC firmware version 7.02 update
473348      hbInterval value not set to 300 sec after upgrade
472365      The vCMP worker-lite system occasionally stops due to timeouts
470184      In Configuration utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List
465009      VIPRION B2100-series LOP firmware version 2.10 update
464043      Integration of Firmware for the 2000 Series Blades
460456      FW RELEASE: Incorporate Whitethorne BIOS 2.06.214.0
460444      VIPRION B4300 BIOS version 2.03.052.0 update
460428      BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update
460422      FW RELEASE: Incorporate Treadstone BIOS 4.01.006.0
460406      VIPRION B2100-series BIOS version 1.06.043.0 update
460397      FW RELEASE: Incorporate Victoria 2 BIOS 1.26.012.0
455264      Error messages are not clear when adding member to device trust fails
451602      DPD packet drops with keyed VLAN connections
447075      CuSFP module plugged in during links-down state will cause remote link-up
443298      FW Release: Incorporate Victoria2 LOP firmware v1.20
441100      iApp partition behavior corrected
436682      SFP modules show a higher optical power output for disabled switch ports
420107      TMM could become unresponsive when modifying HTML profile configuration
410398      sys db tmrouted.rhifailoverdelay does not seem to work
405752      Monitors sourced from specific source ports can fail
364978      Active/standby system configured with unit 2 failover objects
362267      Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
359774      Pools in HA groups other than Common
355661      sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
531576      TMM memory leak in traffic handling
530963      BIG-IP TLS does not correctly verify Finished.verify_data on non-Cavium platforms
530829      UDP traffic sent to the host may leak memory under certain conditions
530795      In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number
530769      F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment
528432      Control plane CPU usage reported too high
527826      IP Intelligence update failed: Missing SSL certificate
527649      Upgrade will reset Ciphers field in clientssl or server ssl profiles to DEFAULT if the current cipherstring would have effectively contained no ciphersuites
524666      DNS licensed rate limits might be unintentionally activated
523079      Merged may stop responding when file descriptors exhausted
522784      After restart, system remains in the INOPERATIVE state
522147      'tmsh load sys config' fails after key conversion to FIPS using web GUI
521813      Cluster is removed from HA group on restart
521774      Traceroute and ICMP errors may be blocked by AFM policy
521548      System possibly stops responding in SPDY
521538      Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522      Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408      Incorrect configuration in BigTCP virtual servers can lead to TMM producing a core file
521336      pkcs11d initialization retry might post misleading error messages and eventually result in pkcs11d creating a core file
520540      HTTP Basic authentication may cause the TMM to stop responding if the header is too large
518086      Safenet HSM Traffic failure after system reboot/switchover
518020      Improved handling of certain HTTP types.
517556      DNSSEC unsigned referral response is improperly formatted
515759      Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
515139      Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
514729      10.2.1 system with SSL profile specifying ciphers "DEFAULT:!HIGH:!MEDIUM" fails to upgrade to 11.5.1
514604      Nexthop object can be freed while still referenced by another structure
512383      Hardware flow stats are not consistently cleared during fastl4 flow teardown
512062      A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
510638      [DNS] Config change in dns cache resolver does not take effect until TMM restart
507529      Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
507127      DNS cache resolver is inserted into a wrong list on creation
504899      Duplicated snat-translation addresses are possible (a named and an anonymous [created by snatpool] one)
504105      RRDAG enabled UDP ports may be used as source ports for locally originated traffic
503214      Under high load, crypto queues may become stuck
502443      After enabling a blade, pool members are marked down because monitoring starts too soon
501516      If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted
499422      An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm
497584      The RA bit on DNS response may not be set
496758      Monitor Parameters saved to config in a certain order may not construct parameters correctly
479682      TMM generates hundreds of ICMP packets in response to a single packet
478617      Do not include maximum TCP options length in calculating MSS on ICMP PMTU
478592      When using the SSL forward proxy feature, clients might be presented with expired certificates
478439      Unnecessary re-transmission of packets on higher ICMP PMTU
478257      Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
476097      TCP Server MSS option is ignored in verified accept mode
474601      FTP connections are being offloaded to ePVA
468472      Unexpected ordering of internal events can lead to TMM producing a core file
468375      TMM stops responding when MPTCP JOIN arrives in the middle of a flow
465590      Mirrored persistence information is not retained while flows are active
462714      Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
460627      SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
455762      DNS cache statistics no longer incremented improperly due to mirrored cache data
454018      Nexthop to tmm0 ref-count leakage could cause TMM core
452439      TMM may stop responding when enabling DOS weep/flood if a TMM process has multiple threads
451960      HTTPS monitors do not work with FIPS keys
450814      Early HTTP response might cause rare 'server drained' assertion
449848      Diameter Monitor not waiting for all fragments
443157      zxfrd might stop responding when the zone file (zxfrd.bin) is deleted from the directory /var/db
442686      DNSX Transfers occur on DNSX authoritative server change
431283      iRule binary scan may core TMM when the offset is large
422107      Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
422087      Low memory condition caused by Ram Cache may result in TMM producing a core file
420341      Connection Rate Limit Mode when limit is exceeded by one client also throttles others
419458      HTTP is more efficient in buffering data
402412      FastL4 tcp handshake timeout is not honored, connection lives for idle timeout
375887      Cluster member disable or reboot can leak a few cross blade trunk packets
374339      HTTP::respond/redirect might make TMM unresponsive under low-memory conditions
374067      Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
352925      Updating a suspended iRule and TMM process restart
342013      TCP filter does not send keepalives in FIN_WAIT_2
526699      TMM might stop responding if BIG-IP DNS iRule nodes_up references an invalid IP/Port
516685      ZoneRunner might fail to load valid zone files
516680      ZoneRunner might fail when loading valid zone files
515797      Using qos_score command in RULE_INIT event causes TMM to stop responding
515033      [ZRD] A memory leak in zrd
515030      [ZRD] A memory leak in Zrd
496775      [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the BIG-IP monitor
479084      ZoneRunner can fail to respond to commands after a VE resume
471819      The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system, and Common Criteria mode is enabled
465951      If net self description size =65K, gtmd restarts continuously
353556      big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed
225443      gtmparse fails to load if you add unsupported SIP monitor parameters to the config
532030      ASM REST: Custom signature set created by way of REST is different than when created from GUI
526856      "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
524428      Adding multiple signature sets concurrently by way of REST
524004      Adding multiple signatures concurrently by way of REST
523261      ASM REST: MCP Persistence is not triggered by way of REST actions
523260      Apply Policy finishes with coapi_query failure displayed
523201      Expired files are not cleaned up after receiving an ASM Manual Synchronization
520796      High ASCII characters availability for policy encoding
520585      Changing security policy application language is not validated or propagated properly
520280      Perl produces a core file after applying policy action
516523      Full ASM ConfigSync was happening too often in a Full Sync Auto-Sync Device Group
516522      After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty
514061      False positive scenario caused SMTP transactions to hang and eventually reset
512668      ASM REST: Unable to Configure Clickjacking Protection by way of REST
510499      Enforcer stops responding after Sync in an ASM-only Device Group
506407      Certain upgrade paths to 11.6.x would lose the redirect URL configuration for Alternate Response Pages
487420      BD stops responding upon stress on session tracking
533098      Traffic capture filter not catching all relevant transactions
531526      Missing entry in SQL table leads to misleading ASM reports
525708      AVR reports of last year are missing the last month data
519022      Upgrade process fails to convert ASM predefined scheduled-reports
539013      DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537000      Installation of Edge Client can cause Windows 10 to stop responding in some cases
534755      Deleting APM virtual server produces ERR_NOT_FOUND error
532522      CVE-2015-1793
532394      Client to log value of "SearchList" registry key
532096      Machine Certificate Checker is not backward compatible with 11.4.1 (and earlier) when MatchFQDN rule is used
531883      Windows 10 App Store VPN Client must be detected by BIG-IP APM
531483      Copy profile might end up with error
530697      Windows Phone 10 platform detection
529392      Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script
528726      AD/LDAP cache size reduced
528675      BIG-IP EDGE Client can indefinitely stay in a "disconnecting..." state when captive portal session expired
527799      OpenSSL library in APM clients updated to resolve multiple vulnerabilities
526833      Reverse Proxy produces JS error: 'is_firefox' is undefined
526754      F5unistaller.exe stops responding during uninstall
526617      TMM stops responding when logging a matched ACL entry with IP protocol set to 255
526578      Network Access client proxy settings are not applied on German Windows
526492      DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275      VMware View RSA/RADIUS two factor authentication fails
526084      Windows 10 platform detection for BIG-IP EDGE Client
525920      VPE fails to display access policy
525562      Debug TMM stops responding during initialization
525429      DTLS renegotiation sequence number compatibility
525384      Networks Access PAC file now can be located on SMB share
524909 Windows info agent could not be passed from Windows 10
524756 APM log is filled with errors about failing to add/delete session entry
Windows Cache and Session Control cannot support a period in the access
523431
profile name
Minor memory leak on IdP when SLO is configured on bound SP
523390
connectors
When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart
523329
under certain conditions
523327 In very rare cases Machine Certificate service may fail to find private key
Citrix HTML5 client fails to start from Storefront in integration mode
523222
when Access Policy is configured with Redirect ending
521835 [Policy Sync] Connectivity profile with a customized logo fails
521773 Memory leak in Portal Access
521506 Network Access does not restore loopback route on multi-homed machine
520705 Edge client contains multiple duplicate entries in server list
520642 Rewrite plugin should check length of Flash files and tags
520390 Reuse existing option is ignored for smtp servers
520298 Java applet does not work
Rewrite plugin could stop responding malformed ActionScript 3 block in
520205
Flash file
[Policy Sync] OutOfMemoryError exception when syncing a big and
520145
complex APM policy
520118 Duplicate server entries in Server List
519966 APM "Session Variables" report shows user passwords in plain text
519864 Memory leak on L7 Dynamic ACL
BIG-IP APM network access tunnel ephemeral listeners ignore iRules
519415
(related-rules from main virtual )
519198 [Policy Sync] UI General Exception Error when sync a policy in non-
default partition as non-default admin user
518981 RADIUS accounting STOP message may not include long class attributes
Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE
518260
message
TMM may stop responding if access profile is updated while connections
517988
are active
517872 Include proxy hostname in logs in case of name resolution failure
APM cannot get groups from an LDAP server, when LDAP server is
517564
configured to use non-default port
apd may stop responding when RADIUS accounting message is greater
517441
than 2K
517146 Log ID 01490538 may be truncated
516839 Add client type detection for Microsoft Edge browser
Gateways for excluded address space routes are not adjusted correctly
516462
during roaming between networks on Windows machines
516075 Linux command line client fails with on-demand cert
"Session variables" report may show empty if session variable value
515943
contains non-English characters
514912 Portal Access scripts had not been inserted into HTML page in some cases
514220 New iOS-based VPN client may fail to create IPv6 VPN tunnels
UAC prompt is shown for machine cert check for non-limited users, even
513969
if machine cert check service is running
513953 RADIUS Auth/Acct might fail if server response size is more than 2K
513706 Incorrect metric restoration on Network Access on disconnect (Windows)
TMM occasionally stops responding when http payload is scanned through
513581
SWG
513283 Mac Edge Client does not send client data if access policy expired
513201 Edge client is missing localization of some English text in Japanese locale
SAML Service Provider generated SLO requests do not contain
513165
'SessionIndex' attribute
513098 localdb_mysql_restore.sh failed with exit code
512345 Dynamic user record removed from memcache but remains in MySQL
Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host
512245
name instead of hostname
511961 BIG-IP Edge Client does not display logon page for FirePass
511854 Rewriting URLs at client side does not rewrite multi-line URLs
511648 On standby, TMM can produce a core file when active system sends
leasepool HA commands to standby device
511441 Memory leak on request Cookie header is longer than 1024 bytes
Websso start URI match fails if there are more than 2 start URIs in SSO
510709
configuration
Broken DNS resolution on Linux client when "DNS Default Domain
510596
Suffix" is empty
510459 In some cases Access does not redirect client requests
509490 [IE10]: attachEvent does not work
507681 Window.postMessage() does not send objects in IE11
JavaScript error if user-defined object contains NULL values in 'origin'
507321
and/or 'data' fields
507116 Web-application issues and/or unexpected exceptions
506223 A URI in request to cab-archive in iNotes is rewritten incorrectly
505755 Some scripts on dynamically loaded html page could be not executed
Logon Page agent gets empty user input in clientless mode 3 when a
504461
Variable Assign agent resides in front of it
500938 Network Access can be interrupted if second NIC is disconnected
ASM and APM on same virtual server caused Set-Cookie header
500450
modification done by ASM to be not honored by APM websso
498782 Config snapshots are deleted when failover happens
TMM cores while using APM network Access and no leasepool is created
497627
on the BIG-IP system
497118 TMM may restart when SAML SLO is triggered
495702 Mac Edge Client cannot be downloaded sometimes from management UI
Logon page is not displayed correctly when "force password change" is on
495336
for local users
494565 CSS patcher stops responding when a quoted value consists of spaces only
494189 Poor performance in clipboard channel when copying
493006 Export of huge policies might end up with 'too many pipes opened' error
Resolved LSOs are overwritten by source device in new Policy Sync with
492701
new LSO
Recurring file checker does not interrupt session if client machine has
492305
missing file
492149 Inline JavaScript with HTML entities may be handled incorrectly
490830 Protected Workspace is not supported on Windows 10
488736 Fixed problem with iNotes 9 Instant Messaging
488105 TMM may generate core file during certain config change
487399 VDI plugin stops responding when View client disconnects prematurely
When iSession control channel is disabled, do not assign app tunnel,
483792
MSRDP, opt tunnel resources
483286 APM MySQL database full as log_session_details table keeps growing
482699 VPE displaying "Uncaught TypeError"
482269 APM support for Windows 10 out-of-the-box detection
482266 Network Access cannot be established for Windows 10
482251 Portal Access. Location.href(url) support is added
482241 Windows 10 cannot be properly detected
482145 Text in buttons are not centered correctly for higher DPI settings
480761 Fixed issue causing TunnelServer to stop responding during reconnect
Different Outlook users with same password and client IP are tied to a
479451
single APM session when using Basic auth
478492 Incorrect handling of HTML entities in attribute values
Edge-Client client shows an error about corrupted config file, when user's
478333
profile and temp folders located on different partitions
EAM process fails to register channel threads (MPI channel) with TMM,
474779
and subsequent system call fails
BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests
474698
under certain conditions
When the BIG-IP system is configured as Service Provider, APD may
474058
restart under certain conditions
Javascript sibmit() method could be rewritten incorrectly inside of 'with'
473255
statement
472256 The tmsh and tmctl report unusually high counter values
Unmangled requests when form.submit with arguments is called in the
472062
page
VDI plugin stops responding when trying to respond to the client after the
471874
client has disconnected
471117 iframe with JavaScript in 'src' attribute not handled correctly in IE11
468441 OWA2013 may work incorrectly by way of Portal Access in IE10/11
468433 OWA2013 may work incorrectly by way of Portal Access in IE10/11
468137 Network Access logs missing session ID
466745 Cannot set the value of a session variable with a leading hyphen
Show proper error message when VMware View client sends invalid
464547
credentials to APM
461597 MAC edge client does not follow HTTP 302 redirect if new site has
untrusted self-signed certificate
457902 No EAM- log stacktrace in /var/log/apm on EAM crash event.
457760 EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
457603 Cookies handling issue with Safari on iOS6, iOS7
When DNS resolution for AppTunnel resource fails, the resource is
457525
removed
in VPE %xx symbols such as the variable assign agent might be invalidly
454784
decoded
454086 Portal Access issues with Firefox version 26.0.0 or later
453455 Added support of SAML Single Logout to Edgeclient
Machine Certificate Checker Agent always works in "Match Subject CN to
452527
FQDN" mode
452163 Cross-domain functionality is broken in AD Query
451469 APM User Identity daemon does not generate a core file
442528 Demangle filter stops responding
440841 sso and apm split tunneling log message is at notice level
HTML5 VMware View Client does not work with APM when virtual
438969
server is on non-default route domain
437744 SAML SP service metadata exported from APM may fail to import
437670 Race condition in APM windows client on modifying DNS search suffix
Windows EdgeClient's configuration file could be corrupted on system
425882
reboot/sleep
424936 apm_mobile_ppc.css has duplicate 1st line
BIG-IP JavaScript includes can be improperly injected in case of
423282
conditional comment presence
All Messages report does not display any data when the Log Levels are
420512
selected to filter data based on Log Levels
Edge client continues to use old IP address even when server IP address
416115
changed
408851 Some Java applications do not work through BIG-IP server
APM Network Access tunnel slows down and loses data in secure
402793
renegotiation on Linux and Mac clients
522231 TMM may stop responding when a client resets a connection
521455 Images transcoded to WebP format delivered to Edge browser
514785 TMM stops responding when processing AAM-optimized video URLs
A large number of regular expressions in match rules on path-segments
511534
may cause an AAM policy to take too long to load
476460 WAM Range HTTP header limited to eight ranges
421791 Out of Memory Error
497389 Extraneous dedup_admin core
461216 Cannot rename some files using CIFS optimization of the BIG-IP system
Loading of configuration fails intermittently due to WOC Plug-in-related
457568
issues
521556 Assertion "valid pcb" in TCP4 with ICAP adaptation
Assertion 'valid proxy' can occur after a configuration change with active
516057
IVS flows
512054 CGNAT SIP ALG - RTP connection not created after INVITE
SIP SUBSCRIBE message not forwarded by the BIG-IP system when
511326
configured as SIP ALG with translation
Some SIP UDP connections are lost immediately after enabling a blade on
503652
the Active HA unit
499701 SIP Filter drops UDP flow when ingressq len limit is reached
480311 ADAPT should be able to work with OneConnect
448493 SIP response from the server to the client gets dropped
Unable to create new rule for virtual server if order is set to
533808
"before"/"after"
533336 Display 'description' for port list members
AFM Logging regression for Global/Route Domain Rules incorrectly using
530865
virtual server logging profile (if it exists)
524748 PCCD optimization for IP address range
Log an error message when firewall rule serialization fails due to
523465
maximum blob limit being hit
Certain ICMP packets are evaluated twice against Global and Route
515187
Domain ACL rules
515112 Delayed ehash initialization causes crash when memory is fragmented
AFM Kill-on-the-fly does not re-evaluate existing flows against any
513565 Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is
modified from Accept-Decisively to Accept
All descriptions for ports-list's members are flushed after the port-list was
510226
updated
Customer may experience incorrect counter update for SelfIP traffic on
509919
cluster
497671 iApp GUI: Unable to add FW Policy/Rule to context by way of iApp
495432 Add new log messages for AFM rule blob load/activation in datapath
485880 Unable to apply ASM policy with forwarding CPM policy using the GUI,
generic error
468688 Initial sync fails for upgraded pair (11.5.x to 11.6)
Error L4 packets were hitting configured WL entries; protocol was not
459024
being matched for them
BIG-IP stops responding in debug mode when using PEM iRule to create a
526295
session with calling-station-id and called-station-id
Repeated install/uninstall of policy with usage monitoring stops after
511064
second time
495913 TMM produces a core file when CCA-I policy received with uninstall
Using catch to suppress 'invalid command' errors resulting from invalid use
491771
of [] around a parking command in a proc can cause TMM to panic
PEM subscriber sessions are created without PEM licensed, if "radiusLB-
478399
subscriber-awre" profile is configured
PEM: CCR-I for the Gx session has only one subscriber ID type, even if
464273
the session created has more than one type
PEM source or destination flow filter attempts to match against both source
450779
and destination IPs of a flow
Error message "Gx uninit failed!" and "Gy unint failed!" received during
449643
boot of the system
439249 PEM:Initial quota request in the rating group request is not as configured
PEM: CCR-U triggered during Gy session may not have Request Service
438608
Unit (RSU)
PEM: CCR-U triggered by RAR during Gy session will not have
438092
Requested Service Unit (RSU)
[GUI][GTM] GUI does not prefix partition to device-name for BIG-IP
514236
DNS Server IP addresses
525595 Fix memory leak of inbound sockets in restjavad
509273 hostagentd consumes memory over time
BIG-IQ is unable to discover older BIG-IP versions due to over-zealous
509120
grooming
511651 CVE-2015-5058: Performance improvement in packet processing

11.5.3 HF1
511651 Performance improvement in packet processing

If an APM policy sync puts the new policy on a member of a sync-failover device group, the sync of the sync-failover group failed. This now succeeds.
449100 Tunnel interfaces can be used by iRule nexthop/lasthop commands to set a flow's nexthop/lasthop behaviors. 1. To send traffic to the tunnel, use "nexthop tun0 ..." on CLIENT_ACCEPTED iRule event, or "lasthop tun0 ..." on SERVER_CONNECTED iRule event. 2. A point-to-point tunnel can be supplied with an IP address, although it does not have an effect. 3. A wild-card tunnel can be supplied with the IP address of the remote-point to build the tunnel on the fly.
455311 vCMP guest's access to the management network of the hypervisor has been restricted.
457166 An issue has been resolved that affected the ability to modify a vCMP guest's management network mode.
459155 Included the physdev netfilter module into the BIG-IP kernel package.
459694 vCMP guest's ability to interfere with the management network of the hypervisor has been restricted.
459753 "bigstart restart" on a secondary blade no longer causes clusterd to restart continuously.
459973 The Include Cluster option in the HA Group configuration cannot be disabled using the Configuration utility.
462315 Saving a single partition out of the configuration ('save sys config' with the 'partitions { p1 }' option) now writes the configuration file properly. It previously appended to the file but now overwrites it as it should.
462943 Resolved issue where rewrite CSS filter/parser may use stale iovs in declaration_state resulting in SIGSEGV.
470796 CVE-2014-4023.
471070 Non-administrative users cannot modify Client SSL profiles.
471704 The vcmpd process is no longer vulnerable to malicious data passed from a vCMP guest.
476157 Security patches applied to krb5 library.
477959 Internal structure improvements; no customer facing functionality changes have been made.
478922 Resolved issue that ICSA logging did not contain information that is required for certification.
481648 The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.
483436 Update to AWS License files.
484453 Harmless messages logged with LOP daemon registration.
484635 Update openssl to latest version.
487800 The guest-specific configuration information blocks are now isolated from each other and the hypervisor is protected against invalid data injected by a vCMP guest.
474805 Internal build improvement.
476521 Use true timeout instead of retries limit when initializing the FIPS device, and subsequently power cycle the unit to recover the FIPS device.
477611 Apply Round Robin DAG to icmp echo only.
477888 ICSA logging is no longer missing information that is required for certification.
479152 BIG-IP platform 10000s/10200v/10250v/B4300/B4340N is susceptible to parity error.
483762 MAC address conflicts no longer occur between vCMP guests.
484399 OVA will only create one slot and leave the remaining disk space free.
486514 The crash that happens in the AFM logging module, when the TCP connection to a log destination server is re-established, is fixed.
488461 Improve base build process and remove duplicate code.
492333 Resolved a sys-icheck bug that caused an auto_schema misconfiguration. This occurs on all platforms.
492460 This error message previously occurred intermittently when trying to delete a virtual server and use sFlow: 01070265:3: The Virtual Server () cannot be deleted because it is in use by a sflow http data source (). This no longer occurs.
226892 Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.
424931 Creation of a large file, such as a UCS archive, is now handled correctly, and the csyncd process no longer causes high CPU utilization.
428864 Lowering the virtual server connection limit now works, even when traffic is already being processed.
433946 Benign rsync errors are no longer logged in /var/log/ltm and instead are tracked by way of stats in the 'csync_stat' table.
436097 When the TMM restarts, pkcs11d also must be restarted automatically if present.
436811 BIG-IP database monitors may report an incorrect pool member status.
437875 This spurious error message may have previously been displayed when the local user database feature was configured: 01071704:3: Not running command (/usr/libexec/localdb_mysql_restore.sh) because the request came from an untrusted connection. This error message has always been harmless, but now it is no longer displayed.
437906 WebSockets and the HTTP CONNECT method now work with OneConnect.
439424 SafeNet HSM install now needs to be done only on the primary slot on the BIG-IP cluster-mode chassis systems such as VIPRION. A single install on the primary slot will take care of installing SafeNet on all active slots. On any already-open sessions to the BIG-IP slots, the PATH environment variable will need to be reloaded by running 'source ~/.bash_profile' to be able to use SafeNet utilities. If at a later stage a new blade is added or a disabled, or a powered-off blade is made active or is powered-on, the user will have to run 'safenet-sync.sh -p ' *only* on the new secondary slot. If the new slot is made primary before running safenet-sync.sh on it, then the regular install procedure using nethsm-safenet-install.sh will be required on the new primary slot.
439490 The BIG-IP system now reconnects to SafeNet HSM if the connection is interrupted, so connections continue as expected.
439513 NETHSM: Initial few connection drops after each TMM restart.
439540 Restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".
441894 Pkcs11d watchdog functionality avoids manual restart.
443098 The Proxy SSL feature no longer leaks memory.
447515 The TMM process may resume a suspended iRule on the wrong connection flow.
449798 The BIG-IP system may not correctly monitor pool members after the mcpd process restarts.
450031 The BIG-IP system may incorrectly log 'Limiting closed port RST response' messages.
450804 Improved TLS finish messages.
451218 Corrected Nitrox TLS padding.
452121 The BIG-IP system now supports multiple SafeNet network-HSMs configured in an HA group.
452628 Add a bigdb variable for the pkcs11d threads.
453358 Memory leak is fixed.
454465 Corrected TMM TLS padding.
454476 In the event of an invalid parameter in the clienthello, the correct TLS version will be set in the alert.
454636 The logging destination IP address only matches virtual servers, so no HSL logging is lost.
454692 Assigning 'after' object to a variable no longer causes memory leaks.
456859 Interface to hardware compression has improved allocation strategy.
458556 The TMM will no longer produce a core file on startup when traffic arrives before transitioning to cmp ready.
460868 The TMM no longer crashes if network HSM is improperly configured.
461578 Large session object handling is improved.
462163 Allow Non Blade 0 MPI communication even after congestion.
462649 The TMM no longer crashes under heavy load.
463902 Flat-buffer allocator for hardware compression tuned to be less greedy.
464163 Customized cert-key-chain of the child client-ssl profile is reverted to parent's profile cert-key-chain during config load.
467868 Ensured that monitor reason strings no longer leak.
469705 TMM will set a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.
471073 Now, when TMM is restarted, all HA connections are reestablished.
474757 OpenSSL Security Advisory 8/6/14 (1.0.1i Update).
477967 MPTCP component now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.
480113 FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.
480699 Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of TMMs, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.
483328 Virtual servers with Client SSL profiles may not respond to SSL handshakes after a ConfigSync.
485188 When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.
488208 Can properly upgrade to OpenSSL 1.0.1j without breaking RSA PKCS#1.5 decryption.
470394 The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.
470994 The TMM now correctly applies TSO processing to outbound packets, so TMM no longer segfaults.
475055 Resolved core caused by accounting miscalculation of Nitrox I/O flows.
477753 This change allows you to use immediate idle timeout on UDP serverside flows as a workaround for SIP message loss and/or connection failures if (and only if) the logic of the SIP processing does not expect any return traffic to match the serverside connections. Configuration that requires this workaround, but which expects return traffic to match the serverside flow, could not have worked correctly (without specific iRule based band-aids) even before the first affected version.
480299 The Virtual Address throttling delayed update mechanism has been made more robust, and will now send delayed updates (roughly 3 seconds after change) regardless of previous status, guaranteeing that Virtual Address status will reach all subscribers.
483974 Unrecognized options are now ignored.
484429 The TMM will still log critical-level messages, but the system continues to function properly.
486066 The TMM does not produce a core file.
477240 SSL will properly renegotiate rather than terminate connections when the session expires.
487808 Cost link load balancing software support has reached EOL.
248487 The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.
434461 Improved the system's integration with Guardium.
435520 Fixed an issue that occasionally stopped you from deleting an ASM security policy that was created using a template after you rolled forward the policy's configuration from a previous version.
454142 Resolved intermittent Enforcer crash due to specific requests.
461028 vCMP: Fixed an issue that caused the Enforcer to crash in a clustered environment.
471103 There is a new internal parameter: "ignore_null_in_multipart_text". When the internal parameter is set, a "null in request" violation is not issued when a null appears in the request. If the parameter is defined as file upload in the security policy, no violation is issued. If the parameter is defined as something else, the violation "null in multipart request" is issued. If the parameter is not defined in the security policy, the violation "null in request" is issued.
476179 Brute force reporting: The brute force reported operation mode (Transparent or Blocking) is now the same when the attack starts and ends. Previously, the system would occasionally change the operation mode logged when the attack ended.
476191 To enable you to bypass unicode validation on XML and JSON profiles, we added two internal parameters. relax_unicode_in_xml: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce an XML malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's XML parser. relax_unicode_in_json: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce a JSON malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's JSON parser.
481572 Fixed an issue that caused the system to not report a navigation parameter that appeared in the POST data.
481792 Fixed an issue where specific requests occasionally caused the Enforcer to stop responding.
476621 Fixed an issue where Bot Detection in the Web Scraping feature created JavaScript errors in the web application using Internet Explorer.
483491 Fixed a memory corruption issue.
481541 Memory leak in the MonPD daemon that occurs in some situations has been resolved.
486327 Web Application Security Administrator added to the list of allowed administrators.
337178 BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used.
398657 Resolved on all platforms where the active session count might be significantly large, at times, likely due to a counter underflow.
403660 Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.
418850 AD may now be the last auth agent in the VMware View access policy. Username/password/domain are preserved and then passed to the backend.
420989 When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.
420990 Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.
421901 showrestorebutton:i:0 can be specified in RDP Custom Parameters. Users will no longer see this 'Restore down' button.
422818 "Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.
426623 Improved PAC file download mechanisms.
427830 Network Access connection will not be established if PAC file specified in NA resource cannot be downloaded within 30 seconds.
429362 Edge Client properly reconnects when network connectivity is restored. Previously full reconnection was done in this case and the previous session was not removed.
430531 Computer group policy settings are updated after establishing VPN connection with Windows Logon Integration.
431810 Fix unexpected exceptions when using Kerberos auth agent in a multi-domain SSO configuration.
432333 Java Application Tunnels now work when Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to 127.0.0.1 due to limitations of this mode.
433243 BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.
436177 Fixed arbitrary command execution: check that the cab file and webpage are located on the same server.
436180 Edge Client will only install controls from trusted hosts.
436183 Check if critical section object was initialized before deleting it.
438292 Resolved issue of Web AppTunnel re-using wrong existing loopback for different backend server IP.
438730 Fixed BSOD caused by DNS relay filtering driver in a very specific condition on Windows XP SP3.
439280 BIG-IP Edge Client installation may trigger a Windows 8.1 system failure.
440792 Client proxy settings specified in a Network Access resource are now applied without an occasional miss.
441318 BIG-IP APM password updates may fail for user account names that contain a period character.
441355 Improved VMware View native client error reporting and prompting for the new password.
441507 SWF patcher now behaves properly.
441830 Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.
442598 Do not close session if session timeout check request fails.
447013 Browser detection JavaScript improved to support Internet Explorer 11.
447302 APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.
449141 Improved notifications to the user when the BIG-IP Edge Client must reboot to complete updates.
450155 Fixed incorrect handling of component installer that resulted in an MSI installer acting as though installation had failed.
451213 Added logs to distinguish static IP allocation from dynamic IP allocation.
451864 Always preserve locally configured DNS suffixes when establishing VPN connection.
452614 Edge client now contains RSA SecurID software token support for OS X.
452618 LDAP servers in a pool will now time out correctly if a node cannot be reached.
452621 Logon page changes for integrating RSA Soft token SDK with the edge client.
452625 Edge client cannot automatically retrieve RSA SecurID software token if configured on Logon page.
453188 Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled.
454322 When Allow Local DNS Servers option is enabled, DNS servers from interfaces that are down will not be added to VPN exclusion list.
456911 A certain scenario in BIG-IP GTM deployment was fixed where access to certain corporate resources might be denied despite network access connection.
458167 Improve logging and error code checks for EAM / OAM component.
459870 Now BIG-IP Edge Client in Always Connected mode properly processes cancelling captive portal detection.
459953 When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged.
460265 apmd crashes with null tcl interpreter object. This is now fixed.
462258 After fix, an ldap operation times out in 3 minutes, so a thread will not block any other operation, and service can recover as soon as connection to the backend is restored.
462481 OAM code is fixed with proper exception handling where Oracle API calls are made.
463505 Added factor authentication support for the Edge Client soft token integration.
463538 Edge Client now correctly sends PIN for RSA Soft Token clients while in New Pin mode.
463735 [SecurID SDK] In case of PIN change, user is prompted to input Passcode to PIN field.
463776 VMware View client does not freeze when APM PCoIP is used and user authentication fails against VCS 5.3.
464313 Now dynamically created forms with absolute action path are handled correctly, even
with a non-empty BASE tag.
[SHP2013][IE10-IE11]: Calendar widget does not work in Announcement edit page.
464319
This is now fixed.
466605 JavaScript: Portal Access variable 'r' is now a local variable.
Now routes for Exclude Address Space are correctly removed when NA connection is
466617
terminated if the client was switched to another network.
Now EdgeClient shows warning about session expiration when maximum session
466797
timeout is reached.
466898 Enterprise Manager now reports work correctly when accessed through Portal Access.
Previously, Policy Sync would add whitespace to Forms-based SSO configuration
467287 objects, which prevented the configuration from running. Now Forms-based SSO
configuration does not have whitespace added and the configuration runs as expected.
InspectionHost plugin will now be installed to the "current user" profile (as opposed to
467597
all users) and, therefore, will no longer prompt for administrative password.
When the 32k storage limit is reached, the oldest application cookie is discarded,
468478
allowing the application to continue processing new data.
Implemented a throttling mechanism, so that when the number of fds in the queue
reaches a certain threshold, apd will stop accepting new requests, until the number of
fds in the queue decreases to a defined level. We introduced three db-variables; - to
469960
enable/disabling throttling - to define a high water mark beyond which release of any
connection handle will be stopped, and - a low water mark to allow further connection
from TMM.
470225 Machine Certificate checker now correctly works in Internet Explorer 11.
471014 Openssl improvements.
Fixed intermittent resets when access policy execution in progress simultaneously from
471331
multiple browser tabs.
When URLs from multiple browser tabs starts access policy, the landing URL is set to
471452
the URL from the browser that finished the access policy execution.
CRLF is used at the end of the header and as a separator between header and email
471714
body in emails generated by APM Email agent, conforming to RFC 5322.
Emails sent by 'Email Action' agent when received by certain SMTP servers contains
471825 empty body. Email agent was updated to comply with RFC 5322 to include "Date:"
header.
A problem in which the BIG-IP system when, configured as a SAML IdP , might reboot
471893
TMM when running SLO protocol in certain conditions has been fixed.
TMM with BZ 455113 no longer crashes when using the ACCESS::session iRule
472040
command.
472216 Fixed alignment of the connection duration counter for customized Edge Clients.
Dashboard no longer displays a dip in active session count when primary blade comes
472825
back from a reboot.
473377 Fixed to accept NameID format.
473386 Improved Machine Certificate Checker matching criteria for FQDN case.
HD Encryption check now provides a way to check encryption status of all drives or
473697
system drive only.
Now the absolute action path for any form in an HTML page is rewritten correctly at
473728
submit time.
Code signing of executables (app, plugin and installer) have been updated to Apple's
474392
latest (v2) signature requirement.
Proper validation was added to check that correct messages were received on the proper
474532
URL. Logging was added for failing cases.
Now forms with absolute action path and tag with id=action inside are handled
474730
correctly.
474757 OpenSSL Security Advisory 8/6/14 (1.0.1i Update).
475163 Now HTML forms without action attribute are handled correctly.
Resolved issue when APM configured with URL ("https://....") Edge Client for
475262
Windows does not resolve APM hostname while reconnecting.
475360 Resolved issue when Edge client remembers specific VS URI after it is redirected.
475650 Issue is fixed that caused TMM to occasionally restart when processing SLO messages.
EAM used to send multiple cookies headers in HTTP message. Multiple HTTP headers
475682 like this are treated as comma-separated by some receivers. Now EAM adds a single
Cookie header with the cookies delimited by a semi-colon.
475770 Improved routing table management for 2 and more network interfaces.
475847 Now tag end is determined correctly in case of dynamically created content.
_lastUseTime in OAM ObSSOCookie is updated on successful authentication and
476133
authorization process.
Client modified to restore routing table state and select active interface (on a system
477445
connected to the same network segment through multiple interfaces).
477474 HTML Attributes with names using '-' are now handled correctly in Portal Access.
apmd no longer crashes with null tcl interpreter object when used with an
477540
ACCESS::policy valuate iRule command.
In Portal Access, assignment of an empty string to location.hash property no longer
477642
causes page reload loop in Firefox.
477841 Safari 8 will now properly use the admin-defined proxy settings, if available.
User can restart the BIG-IP system to fix custom report error. Make sure the table
477966
apm.log_param_metadata_ui is created in mysql db.
The action attribute value of a form HTML tag is now properly rewritten in the
478115
Minimal Content Rewriting mode when it starts with a "/".
478222 Seven new categories and one category name changed category in URL Filter DB.
An issue with routing table not being restored correctly in multi-homed environment
478285
when server settings disallow local subnet access is now fixed.
Portal Access no longer crashes if the URL in a "Refresh" header matches a Portal
479524
Access bypass list entry.
The errant behavior is caused by an improper URL being presented by the error page.
479715 When APM checks the improper URL, the same error page is issued. This has now
been corrected.
480047 BIG-IP EdgeClient can now generate CTU report.
Edge client does not update its application directory anymore, instead it uses
480247
/Library/Application\ Support/ directory.
480360 MAC edge client was fixed so that it does not block textexpander's functionality.
480995 APM client components are now using extended logging by default.
Resolved intermittent routing table issue that caused Traffic to not flow through tunnel
481020
if proxy server is load balanced.
Wrapper for scriptTag.text='source script' is fixed to rewrite 'source script' for all
481046
browsers.
While creating memcache entry, the username is normalized into utf8 lower case. This
481203
ensures that there is only one entry for all combinations of usernames.
481257 CTU report now includes information on "OPSWAT Integration Libraries V3".
If the customer does not need optimized tunnels, app tunnels, or remote desktop, they
481663 can safely disable (run disable) the db variable "isession.ctrl.apm", which disables the
isession. They would then run "bigstart restart tmm apd" so the db variable takes effect.
A cosmetic issue with the server selection menu showing white background is now
483113
fixed.
An issue with Edge Client consuming high CPU and having unresponsive menu icon is
483379
now fixed.
484315 Security patches applied to krb5 library.
485304 Fixed root cause of crash - improper memory management.
485465 Issue causing TMM core is fixed.
486661 This is an RFE feature.
An issue with Java installer failing to install the InspectionHost plugin and creating a
487472
zero byte file under ~/Library/Internet Plug-Ins/ is fixed.
467633 Ensured extra spaces was not added to the minified CSS.
426482 The Octeon will now properly handle decompressing large files without any failures.
479889 Memory leaks on iSession + iControl setup have been resolved.
Fixed iControl / isession memory leak issue; set proper log level to prevent log
480305
flooding.
472376 Drop processing the message if the ingress pcb is no longer present.
Core in sip filter no longer occurs when sending HUDEVT message while processing
478442
of HUDCTL message.
When operating in firewall (AFM) mode, for example, default deny, the BIG-IP system
429885 now counts and logs (if enabled) any traffic that does not match a Virtual or Self IP and
is being dropped or rejected.
478816 An enhancement that allows logging the TCP events and errors on fastL4 virtual.
480194 Perform VS DWBL lookup after accept-decisive firewall rule matches at global level.
The load factor controls the minimum percentage of fullness that needs to be reached
before the table is expanded to a larger size. Setting the load factor to 25, by default,
481189
prevents the firewall rule compiler from growing the table size too aggressively and
results in big firewall BLOB.
481706 Improved security logging to reduce incorrect messages.
Fixes a memory leak when TMM is overloaded, and forwards flows to the peer, and
484013
packet classification is enabled with "log translation fields" in the logging.
478462 Whitelist counts now increment appropriately.
480125 100+ rules may now be displayed in the active rules page.
476904 Adjusted Logging levels to remove potentially confusing messages.
456963 Fixed NULL pointer dereference.
State changes for wide IPs should be updated correctly when the "Update" button is
482442
clicked in the Configuration utility wide IP properties page.

11.5.1 HF5

365764  It is now possible to run a UCS load even if there are partitions still containing GTM objects.
376120  tmrouted no longer restarts when reconfiguring a previously deleted route domain.
404716  Decapsulated tunnel packets are correctly handled by the packet filter.
405067  The BIG-IP system applies the active bonus value when the HA score is zero.
413689  Certain virtual server configurations may cause TMM to produce a core file.
421317  A virtual server may not be marked unavailable when the pool status is marked unavailable.
429871  F5 improvement of the integration of the latest epsec packages.
438159  Users can now use a pre-shared key with an anonymous ike-peer for IKEv1 negotiation.
440179  Fixed memory leak in creating a wildcard DS-Lite tunnel.
441063  The DNS and NTP commands may cause the Traffic Management Shell to exit and produce a core file.
441174  Don't handle fragmented packets in Round Robin DAG.
445924  Changed code to allow IP multicast packets to be delivered to all blades so that OSPF failover can occur.
446352  IKE negotiation is now successful and the IPsec tunnel comes up properly and passes traffic with NAT-T and a floating tunnel endpoint address.
447266  Took steps to ensure that MCP would not attempt to modify an object that has been both created and deleted in the same transaction.
448054  Secondary blades are now sent the sync status information from primary blades, so the sync status will not be reset if the primary blade fails over.
450089  Add diagnostic code to the request_group to abort when it is being deleted while actively processing.
450129  LOP (Lights Out Processor) firmware version 2.08 for VIPRION B2100, B2150 resolves the following issues: (ID446907) Alarm LED may be Red upon powering up VIPRION B2100, B2150 blades; (ID439435) AOM Command Menu no longer reports failure when successfully powering up VIPRION B2100 or B2150 blades.
450458  Resolved a build creation issue due to the dependency of various objects that need to be built before compiling sources that use them.
450684  Corrected an internal report used for QA/testing.
450693  F5 Internal: Correction to internal firmware report.
450694  F5 Internal: Correction to internal firmware report.
450794  An issue with handling DHCP information in virtual environments has been corrected.
451424  A connection timeout between snmpd and the SNMP subagent may produce a core file.
451458  Fixed leasepool stat to return data only for the primary blade.
451602  Changed the interface match to look up the host interface instead of the VLAN interface.
453256  The save mechanism in TMSH has been updated to save the monitor parameter fields in the correct format for a subsequent load.
453432  Fixed a number of NVGRE config cleanup issues that were causing the crash.
453700  Changed JVM default settings to use less memory and allow TMM to acquire needed memory during its startup.
453951  The sys db security.commoncriteria setting value no longer reverts.
455138  Fixed a memory leak that occurred when the route for the remote endpoint of a tunnel was misconfigured.
456064  Modifying the default stream profile may cause the mcpd process to enter a locked state.
456735  Tunnel objects are now properly freed after deletion.
456914  Resolved a potential crash found in improved automation testing.
456916  Fixed an issue with iControl REST calls timing out.
457130  Loading the BIG-IP configuration from the command line may incorrectly enable ICMP Echo for virtual addresses.
457326  Make the leasepool stats data structure consistent with the leasepool stats table definition.
458198  The BIG-IP system may fail to forward traffic through an ip6ip4 tunnel when the MTU is set to non-default values.
459123  Updated name validation to throw an error when invalid characters are included in the name.
460593  The user can create multiple VXLAN tunnels with the same local endpoint address when the flooding type is multipoint or none.
461581  In the existing behavior, tunnel objects are config synced automatically to a standby device. The DB variable "iptunnel.configsync" can be set to "disable" in order to disable the automatic config sync of tunnel objects. The default value of the DB variable is "enable". Please note that before creating any tunnel objects, the DB variable should be set accordingly if needed, and toggling its value subsequently could lead to unexpected behavior.
461592  The device can process inbound VXLAN packets even if it is in standby mode.
462045  Increase the timeout for activating the new HSB bitfile.
463603  IPv6 any address "::/0" is saved properly in the configuration file.
464024  Ensure that all pipes are closed when a TMSH command is completed.
466034  Treat VXLAN packets as UDP packets by default in HW.
466752  Monitor instance is now correctly enabled or disabled after an incremental sync.
468021  "wom-default-clientssl" and "clientssl-insecure-compatible" were added to two fixup scripts, and code to prevent infinite recursion was added to another script.
471496  Standby node sends the LSA summary for the default route with a value of 16777215. The OSPF routers in the stub area pick the active node as the gateway for the default route.
472613  Power supply status changes are now reported correctly on BIG-IP 5000/7000 Series platforms after power supply removal or insertion. LBH no longer watchdogs without a network address set.
474166  ConfigSync operations may rarely fail with an sFlow receiver object error reported.
474465  Average system CPU and busiest CPU calculation is now based on the critical data plane processing.
477031  No TMM restart when deleting multiple VXLAN tunnels with flooding type multipoint.
479681  Run rsync-cmi in the background so that we don't block (and slow down) mcpd.
480248  Resolved DB 13 error while uploading the UCS.
480931  Multiple GNU Bash vulnerabilities.
348194  Allow configuration of the FIN_WAIT2 timeout.
411101  Resolved an issue found in F5 testing for the ability to tcpdump mgmt_bp_* and loopback. Also added vm_tap_* for guests.
416250  Added timeout to cancel incomplete SSL handshakes and retry.
418889  A TMM crash bug has been fixed.
421964  BIG-IP system now correctly aggregates an LACP-enabled link.
435652  SSL acceleration card timing vulnerability CVE-2014-4024.
439653  The BIG-IP system may log an error message for every request when there are changes to a local traffic policy association.
439712  Single SSL transfers will perform much better on 4200/2200.
442410  Resolved TMM error message 'HUDEVT_EXPIRED (Connection expired) bad pcb magic (0x00585858)' and TMM core on the standby member of an HA configuration with connection mirroring and connection pooling (OneConnect) enabled.
442584  Making configuration changes, such as adding/removing a profile, to the targeted virtual server will not adversely affect policy execution.
445411  The Nitrox crypto accelerator will no longer hang when performing RSA verification.
445571  Support Connection Mirroring with BigTCP.
446820  TMM no longer crashes due to a poorly formatted log call.
447091  Users may be unable to delete packet filter rules from the BIG-IP system.
447390  FastL4 virtual servers with the Loose Close option enabled may intermittently fail to pass traffic.
448327  Prevent memory leak when an iRule suspends or stops a DNS command.
448606  A listener reference count overflow may cause the TMM process to restart and produce a core file.
449636  'tmsh load sys config' no longer makes some policy actions ineffective.
449845  The TMM process may produce a core file and restart when processing DNS iRule commands.
450101  Option code 0x0008 for the client-subnet of the EDNS0 record is now recognized.
450202  Fix MSS calculation when using FastL4.
450584  SafeNet HA is now supported.
450689  The statistic is now properly displayed.
450713  Out-of-order segments received after FIN will be forwarded as expected.
451340  Enable faster performing software client authentication and disable EC cert/keys.
451889  Made changes to once again allow the attr_type to be optional for all forms of RADIUS::avp.
452232  The DNS::question iRule command may return an incorrect value.
452264  A new iRule command [HTTP::proxy disable] has been added so (explicit) proxy request handling can be turned off and the request can be forwarded to another proxy.
452387  HTTP::header is_redirect now works correctly again.
452439  TMM will not crash when enabling the DoS sweep/flood detection feature regardless of threading.
452579  Corrected calculation of server-side MSS.
454463  A memory leak when executing a suspended DNS iRule many times has been fixed.
454853  An LTM policy with an incorrect http-header name or http-cookie name no longer causes a crash.
455361  Fixed improper handling of ICMP (Internet Control Message Protocol) 'Fragmentation Required' messages from routers. The bug resulted in extremely inefficient behavior by BIG-IP TCP segmentation offload if the path MTU (Maximum Transmission Unit) was smaller than what the TCP endpoints negotiated.
455553  No multiple retransmission of the entire send queue when the MSS size is improperly large.
456942  Using the DNS::name iRule command to modify the Resource Record name of a DNS message may cause TMM to produce a core file and restart.
458597  A memory leak may occur when transferring zone RRs to DNS Express.
459001  PVA statistics for each flow are tracked in hardware and software. The software copy of the hardware flow statistics was not correctly reset when flows were evicted from the PVA hardware and then subsequently reloaded back into the hardware. This eventually resulted in a numeric underflow in the statistics counters, which were then displayed with very large positive values.
460197  active_requests is updated when a flow using hw acceleration is reset.
465866  The current tag file only indexes the sources for TMM. This makes it difficult when debugging customer issues that reference code within libraries, primarily tmjail (xbuf/xfrags) and tmm_tcl. The fix is simple: index libraries that are commonly used, along with TMM.
466260  A crash bug where TMM asserts 'we always have room in tx ring.' has been fixed.
467986  TMM no longer cores when running the command 'tmsh show ltm dns cache records key cache myCache' on a cache with stored DNS key records.
470715  A new db variable vlan.backplane.mtu is added to configure the tmm_bp VLAN MTU size, defaulting to 1640.
472532  Cipher id 0x006b (dhe-rsa-aes256-sha256) has been added.
475231  Connection remains open after dispatching the CLIENTSSL_CLIENTCERT iRule event, which prevents accessing invalid memory.
476386  Resolved an issue found by F5 testing: DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 are supported for TLS 1. Removed a case, found in testing, where both TLS and DTLS renegotiation with client authentication would fail. Resolved a duplicate line issue found by F5 testing to ensure correct building of the release.

Performance Fixes

ID Number  Description
447250  A TMM crash bug involving PEM under high load has been fixed.

Global Traffic Manager Fixes

ID Number  Description
439854  The BIG-IP GTM system may mark down BIG-IP LTM 10.2.x virtual servers.
440284  The LTM big3d now correctly identifies and monitors 10.2.4 or earlier LTM virtual servers.
442133  Disabling Synchronize on one GTM no longer disables Sync on all GTMs in the sync group.
451985  We delay sending the configuration timestamp until the end transaction message has been received. This fixes the problem with sync becoming disabled.
463369  Fix for a problem found by F5 testing; the fix prevents GTM sync issues when changing configurations.

Application Security Manager Fixes

ID Number  Description
248487  The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.
438809  To improve brute force mitigation, we made the following changes: - We added a new internal parameter: bf_num_sec_per_value. This defines how many seconds make up a single measurement unit for a failed login. For example, if you want to configure 7 failed logins per 5 seconds, in the Configuration utility configure "7" as the threshold value (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen), and from the command line configure "5" as the value of this internal parameter. If this value is configured, the system will detect an attack only by the threshold (and not by the increase). If this value is configured, all traffic from suspicious IP addresses is blocked. The default value for the internal parameter is 1 second. - In the Configuration utility, we removed the validation for all the threshold and minimal values. You can now put very low values such as 1 or 2 in the detection and suspicious criteria.
440057  We corrected how the system logs requested URLs that contain navigation parameters configured in the security policy.
449946  The Enforcer correctly sends information to the Policy Builder about specific value and name meta characters that were previously mishandled.
453568  The client side challenge mechanism now correctly reconstructs the referrer header.
460514  To prevent the system from running out of memory, the system requests a configuration sync 5 minutes after a failed one, and not sooner.
469798  We prevented a deadlock that occurred when sending synchronization events.
469825  We fixed an issue where rarely the Enforcer crashed when trying to match signatures on the body of a reconstructed POST request.

Access Policy Manager Fixes

ID Number  Description
225651  The installation path for the BIG-IP Edge Client was updated to avoid collision with third-party software installations.
238350  The new network access setting, Use Local Proxy Settings, is introduced. When it is enabled, after the client establishes a network access connection, proxy settings configured on the client continue to be used.
398134  APM now supports non-ASCII usernames and passwords when performing NTLM Front-end Authentication and NTLM Back-end SSO.
419809  An error message formatting issue was fixed.
425070  The HTML profile code was improved for security reasons.
425507  An issue in which logd could start to consume 99% of CPU after table rotation has been fixed.
425731  A TCP reset is no longer sent to a client during access policy execution.
431512  APM now validates the Origin header of the WebSocket handshake and accepts connections with the correct origin only.
436569  Icons are now displayed for Citrix applications on an APM webtop when Kerberos SSO is used.
437326  APM now supports Citrix Receiver for HTML5 version 2.1.
437881  In an HA configuration, any users deleted from the localDB on the current unit are now deleted from the standby unit also.
438278  An Access Profile which is associated with one or more AAA server objects can now be deleted.
439463  Citrix Receiver for Mac and iOS now gets the correct config.xml file when working through a Wi-Fi router and APM is integrated with Citrix Web Interface.
439518  Users can now sync over changes to all location-specific configuration, such as optimized-app in network-access or a pool item in a pool, once 'Use Source Configuration on Target' is set to YES in the policy sync dialog.
440290  APM now prevents the retransmission of policy sync requests that caused status messages to fluctuate.
440385  Support for Internet Explorer 10 (without compatibility mode) for the machine certificate checker was added.
441210  The TMM process provides more robust handling for PCoIP traffic.
441553  A Network Access client can now connect successfully after one or more failovers.
441659  Fixed the user-mode installer service: it no longer requires admin rights for limited users.
441681  You can now use the Firefox browser to successfully edit these actions from the Visual Policy Editor: Advanced Resource Assign, LDAP Group Mapping, AD Group Mapping, and BWC Resource Assign.
442393  APM will now attempt to terminate the Citrix session when the user logs out of the APM Webtop.
442656  Fixed a race condition in which multiple establishments/teardowns of PPP tunnels led to loss of availability of leasepool addresses.
445399  Support was added for Network Access over PPPoE.
445970  [Java][Mac][NA][EPS] NA and EPS auto installation is now working with Java 7 update 51.
448896  An HTML page with a base URI (HREF attribute of the BASE tag) is rewritten correctly.
450033  Windows View client 2.3 can consistently launch desktops via APM.
450298  Logging on to Outlook Web App 2013 (SP1) using portal access with the Firefox browser now works without producing an error.
450360  Citrix Session Sharing now works correctly for any version of XenApp.
450728  APM now correctly handles VMware View client requests with an empty body.
450845  Under logging stress, logd no longer writes duplicate fd errors in the log.
451260  After upgrading directly from 11.4.0 to 11.6.0, the configuration now loads successfully even if it contains "citrix-client-package" files that were uploaded (and unzipped) using the GUI.
451387  Support for button-less logon pages is added to BIG-IP Edge Client.
451588  Portal access renders the data correctly when creating a new item on SharePoint 2013.
451777  If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message now displays.
452182  The Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../".
452344  HexToBinReverse() now correctly converts Unicode strings.
453164  Routes are restored after disconnecting from the Network Access connection.
453514  A problem in memcached causing intermittent failures was fixed.
453531  Multidomain SSO no longer resets on secondary authentication domains.
453722  Alleviate issues such as GUI unresponsiveness or even disconnects when policy sync is applied to a device group that contains 5 or more members.
454010  APM now recognizes Internet Explorer in compatibility mode on Windows 8.1 correctly.
454248  Fixed unnecessary localdbmgr messages logged in /var/log/apm every minute at the notice level.
454369  The URLDB plugin now comes up properly and traffic proceeds normally.
454370  The messages that communicate the status of PolicySync between devices can arrive unordered. This is now fixed.
454547  Forms - Client Initiated SSO authentication handles decryption failure correctly.
454759  APM now reports HTTP error 500 when the View Connection Server response is not 200 OK, and writes an error log message.
454899  A guest user will get an access denied response when using the token of an admin user to request creation/deletion/modification of a local db user.
455039  Citrix HTML5 Receiver v.1.3, available with StoreFront 2.5, can now be hosted in the APM Sandbox and launched from the APM Full Webtop.
455113  ACCESS::session data get has been extended to return configuration variables: ACCESS::session data get [-sid ] [-secure] [-config] [-ssid ].
455284  IPTables rules to protect the ANT server were refactored to eliminate interference with other protocols.
455426  A user with an apostrophe in the name can now log in with Citrix Receiver successfully.
455892  APM now supports AGEE SSO to new Citrix StoreFront 2.5 backends.
456098  Remove the logic for specific internal requestID in XUI.
456714  Fixed cases when the Assertion does not contain a SessionIndex and SLO is configured.
457925  When BIG-IP is a SAML SP, IdP-initiated authentication now works on the first attempt.
458199  The resource delete handler should check for the reference by psync-dynamic-resource.
458211  The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095.
458447  An issue in Network Access where the customer would see "IPv4 Addr collision" in logs has been fixed.
458485  The code is updated so that APD no longer crashes on certain VPE expressions, such as Date Time check or the 'encoding' command, due to a change introduced by fixing 424938.
459780  Added [APM] Network Access option: "Do not enforce IP scopes in Proxy-Auto-Configuration".
459977  If there is a space in the value for a radio or select type input, the logon page does not show the input elements. This is now fixed.
460062  Access policy export works correctly even when a resource with a long name has been assigned in the policy.
460272  Additional logging included for troubleshooting captive portal detection.
460645  Users can now close the logon window in "Locked Client" mode.
460715  Fixed use of the F5 captive portal probe URL in BIG-IP Edge Client for Windows instead of the default Microsoft captive portal detection URL.
460762  Citrix apps consistently start from the APM Webtop when using Kerberos SSO to XML Broker.
460939  Additional exception processing (for ObAccessException from the SDK) was added to the EAM module. The module now handles this exception by displaying an error.
460958  Cannot start the built-in PAC file server after connecting/disconnecting the Edge Client multiple times. This is now fixed.
461087  Fixed [APM] crash in ActiveXDialer if the proxy address is missing.
461624  A problem with APD in a chassis that resulted in the portal access connection terminating has been fixed.
462143  Show the main Edge Client UI when the user clicks the Connect, Disconnect or Auto-Connect button in the system tray.
462669  For Windows Phone clients in BIG-IP APM 11.6, the session.client.platform value changed from "WinP8" to "WindowsPhone".
463508  The slowness was due to an unnecessary sleep of 1 second even when creating the configuration snapshot is successful. The fix is to refactor the retry logic such that the sleep is performed only when creating the configuration snapshot has failed.
464159  JavaScript: Isolated submit() calls are now handled correctly and form action paths are rewritten at such calls. The situation when a submit() call refers to a separate function is also supported.
464748  In portal access, a cookie with an empty or wrong expires field no longer causes a JavaScript failure.
465338  The curl-apd component (curl 7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS; it is no longer affected by OpenSSL vulnerability CVE-2010-5298.
465339  The curl-apd component (curl 7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS and is no longer affected by OpenSSL vulnerability CVE-2014-0198.
466317  The following OpenSSL vulnerabilities have been addressed in APM clients: CVE-2014-0221, CVE-2014-0224, CVE-2014-0195, CVE-2014-3470.
466325  Continuous policy checks no longer kill the session if some configuration that is configured to be ignored changes on the client side.
466488  Under high load conditions when the HTTP auth agent is configured in the access policy, the access policy daemon (APD) now continues to respond.
466877  Issue with signature validation is fixed.
467849  Split tunnel is improved when connecting to a FirePass with an APM build of the Edge Client.
Issue is now fixed when AFM is enabled with
468889
Optimized Tunnel and traffic is no longer dropped.
JavaScript index expressions with list of values are
469100
now correctly rewritten by Portal Access.
Validation is improved to ensure that a custom URL
469335
category includes at least one URL.
User that is deleted from the local user database can
469754
no long log in regardless.
Location-specific objects display correctly in the
Policy Sync GUI whether the Location Specific
470382
check box is cleared or selected on the Static
Resources screen.
Portal Access no longer crashes when rewriting some
470414
incorrect flash files.
470675 Improved security found by internal F5 testing.
Resolved rare condition that causes Edge-Client to
471125 work improperly when Client uses proxy to connect
to BIG-IP.
Resolved error deleting folder: Cannot remove
473286
directory with symlink to sandbox for partition.
Edge-Client stops after authenticating thru Captive
Portal. OLH is now updated to reflect changes in
Machine Certificate Auth certificate selection
474657
criteria. [OLH] "APM Access Profile Log - 404
ERROR" added. WebAccelerator Fixes ID Number
Description.
The Vary on user-agent header is properly generated
450030 whenever WebP content is served. Enterprise
Manager Fixes ID Number Description.
Values returned by big3d are now escaped so special
449988 characters do not create parse errors. Service
Provider Fixes ID Number Description.
Flow control in SIPP filter no longer blocks flow
450001
improperly.
450019 LB::prime or mblb_connect now executes outside of
the TCL execution. Priming will actually happen
after one event cycle later.
When the HTTP terminates its connection, the BIG-
IP system receives an SSL encryption alert along
450055 with a FIN from the server (close SSL from the
server), the BIG-IP system completes the HTTP
response before closing the client connection.
TMM CPU/Memory grows in accordance with the
452440 connections. If the SIP connections remains steady
the resource utilization will be steady.
The BIG-IP system delays closing the internal
connection to the IVS after the final chuck of the
454348 ICAP response has been received, until all the
payload has been transmitted to the HTTP
destination.
Invalid UDP datagrams that interfered with SIP
455006 processing are now dropped. Advanced Firewall
Manager Fixes ID Number Description.
The issue is fixed now to clean up the memory
associated with the old AFM policy on a Self IP
context when the context is modified to have a new
AFM policy. This issue is now fixed so TMM will
462266 not be restarted if AFM is provisioned and 'tmsh load
sys conf default' is done. TMM crash (panic) is fixed
now and TMM no longer panics scenarios with
SPDY or HTTP Prefetching enabled. Policy
Enforcement Manager Fixes ID Number Description.
The issue is fixed so that PEM can handle large
441554 number of new subscribers even when Gx connection
is down.
A TMM crash bug has been fixed. BIG-IP/PEM will
442548 now work with PEM + fastL4 use cases with http
profile enabled.
This issue is fixed that a Rating Group can be
444770 assigned to different PEM rules without extra MSCC
in CCR.
Fixed a crash bug involving the handling of RAR
449862
messages.
A new PEM session will be created and replace any
453548 old existing session in an inconsistent state due to
fail-over.
460006 Added support of numeric characters in PEM
rule/policy names.
This issues is fixed now. All subscribers are loaded
461089
properly after TMM restart.
The max length of the Gy redirect address has been
increased from 64 bytes to 256 bytes to
464841
accommodate the majority of the use case in real
world.
The issue has been fixed that BIG-IP/PEM will
464850 handle a new flow that has no session created when
quota management is specified in global policy.
BIG-IP/PEM will now properly handle the case when
466002 2 or more policies from PCRF refer to the same
existing rating group.
Custom attributes will now be added and will be
468123
returned when session is queried.
TMM will no longer crash during subscriber
468809 provisioning testing with Gx connection re-
established.
Session cleaning priority has been lowered and CPU
470690 will not spike when sessions are deleted or replaced
with Gx enabled.
PEM will now clean up the session if CCA-T
470850
received with 5002 error code.
A memory leak when the CCR-I is dropped by iRule
471867
has been fixed.
DB variable
Tmm.pem.diameter.application.silentDelete.prov.erro
471910
r.sessions is available. It should be set to enabled if
sessions need to be silently deleted.
The session statistics for sessions created by
RADIUS will now get incremented whenever the
472860
user runs an iRule on the RADIUS virtual that
creates a new session.
Custom attribute create/update will no longer harm
474638
the policy list. DNS Fixes ID Number Description.
Object name field now has a correct input validation
448914
and escapes JavaScript.

11.5.1 HF4

ID Number  Description
449017  F5 found a potential data inconsistency between tmsh and icrd in date formats in testing, and resolved it to prevent customer issues.
453332  Fixed an issue with iControl REST calls timing out.
457300  Improved iControl REST resources to allow naming with spaces to meet customer requirements.
458109  Prevented an icrd crash on the BIG-IP system while the BIG-IQ system was discovering the BIG-IP system.
463655  Fixes MCPd crash during certain iControl REST transactions.
406649  Installing a hotfix will no longer cause apd to continuously restart.
455733  Fixed crash in dwbld daemon.
432080  Data-plane (traffic) performance for Application Security Manager workloads is significantly improved.
439758  We improved how the Policy Builder handles requests with multiple learning suggestions.
440378  Added tmctl stats for the dcc, bd_agent, and correlation daemons. This provides external visibility into the daemons' internal state/processing to assist diagnostics/debugging.
441213  You can now modify a security policy created from iApps (iApps > Application Services).
450241  The Enterprise Manager system can now discover ASM devices.
455389  We improved how the system decides on the content profile when there is a request with multiple content-type headers.
455391  We improved how the system parses query strings in absolute URLs.
459255  We raised the limit of the Explicit File Type Name length from 8 characters to 255 characters.
440763  We fixed an issue that caused TMM and avrd to produce a core file if you assign an Application Security policy, Analytics profile, and DoS Layer 7 Protection profile on a virtual server.
447693  We corrected an issue where some reports generated from the Configuration utility or from tmsh commands did not work.
448585  We fixed an issue where Throughput and Latency were reported incorrectly in cases of incomplete transactions when sampling is enabled.
457982  /var/avr/loader will no longer get filled with files that are written by avrd.
462561  We fixed a case that caused avrd to crash when external logging of traffic capturing is used.
462968  Subnet statistics are now migrated after a version upgrade.
464238  AVR profiles with identical names on different partitions can now be created.
466922  Max TPS and Throughput are now displayed properly in HTTP Analytics (if configured in the Analytics profile) when drilling down from virtual server to pool members.
464287  When an iRule with the HTTP::respond command and an Analytics profile are attached to the virtual server, HTTP responses from the BIG-IP system will no longer contain redundant chunk headers (at the end).
451777  When there is something wrong with the DB, connection issues arise the first time you create a custom report, and you see the following behavior when creating a custom report in the UI:
        1) An error popup is shown.
        2) The Available Fields pane no longer shows "Available Fields" indefinitely.
        3) The correct available list displays after the DB/connection issue is fixed. (No need to restart tomcat to get the correct list.)
421016  Issues with AFM + APM configurations no longer occur.
440817  The sweeper no longer reaps a flow that would have matched a rule in either the global or the corresponding route-domain classifier.
442988  Fixed the date format and removed focus for the Time field in the event logs page advanced search.
443300  A new field "Referencing Rule" displays the actual name of the rule that references a rule-list. If the rule is a regular, non-referencing rule, the same rule name is displayed in the "Referencing Rule" field.
453377  Resolved the error where, when a network firewall rule is configured on a Self IP context and an iRule is specified in the configuration, an error occurs and the rule does not correctly process traffic.
453779  place-before and place-after are now handled correctly in transactions that contain changes to multiple rules sub-collections.
454435  Setting an iRule in a firewall rule attached to the virtual server using the iControl method Local.VirtualServer.set_fw_rule_irule no longer fails when the iRule name does not start with the folder name. The framework automatically prepends the folder to the iRule name.
454953  The self-ip and virtual server FW rules cannot be converted from a regular rule, to a reference, to a rule-list with PUT.
455744  Fixed management IP firewall rules compilation failure.
456107  AFM rule matching action is now consistent with logging for EPHEMERAL connections.
459719  Pccd BF hash table changes were made to reduce pccd BLOB size.
459758  Restart pccd to avoid blob-size growth (pccd always starts from scratch).
461582  AFM will now do ACL and IP Intelligence match for the first TCP packet of a new flow if:
        a) it is SYN, or
        b) it is ACK and syncookie matched, or
        c) loose-initialization is enabled (for fastl4).
462903  TMM was getting stopped by SOD due to a heartbeat miss (when trying to load huge firewall policies); this issue is fixed.
464774  Added new db variable pccd.rule.debug to display micro-rules and the number of micro-rules for each firewall rule.
464916  Added another URL parameter indicating the type of policy (enforced or staged) so that the UI does not revert to the default policy type (enforced) when viewing the second page of the staged rules.
464990  Error no longer occurs when reordering a rule list.
465963  The Reset stats button is now fixed for policy rules made of a rule list.
468194  Fixed the regression issue introduced by the fix for BZ 461582.
469129  pccd no longer stops responding when compiling a firewall policy with a large number of IP addresses, but compiling such a policy can take several hours. To reduce compilation time, set the pccd.hash.load.factor variable value to 25.
469507  Management port rules are now cleaned up properly from Linux iptables when they are being removed from the configuration and the pccd.alwaysfromscratch db variable is set to true.
What are the differences between IKEv1 and IKEv2? (IKEv1 vs. IKEv2)

Each row gives the IKEv1 behaviour first and the IKEv2 (SIMPLE and RELIABLE!) behaviour second.

Per-connection SA:
 IKEv1: IPsec SA
 IKEv2: Child SA (Changed)

Exchange modes:
 IKEv1: Main mode; Aggressive mode.
 IKEv2: Only one exchange procedure is defined. Exchange modes were obsoleted.

Exchanged messages to establish VPN:
 IKEv1: Main mode: 9 messages; Aggressive mode: 6 messages.
 IKEv2: Only 4 messages.

Authentication methods:
 IKEv1 (4 methods): Pre-Shared Key (PSK); Digital Signature (RSA-Sig); Public Key Encryption; Revised Mode of Public Key Encryption. Both peers must use the same authentication method.
 IKEv2 (only 2 methods): Pre-Shared Key (PSK); Digital Signature (RSA-Sig). Each peer can use a different authentication method (asymmetrical authentication), e.g. Initiator: PSK and Responder: RSA-Sig.

Traffic selector:
 IKEv1: Only a combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPsec SA. Exact agreement of the traffic selector between peers is required.
 IKEv2: Multiple combinations of a source IP range, a destination IP range, a source port range and a destination port range are allowed per Child SA. Of course, IPv4 and IPv6 addresses can be configured for the same Child SA. Narrowing traffic selectors between peers is allowed.

Lifetime for SAs:
 IKEv1: Agreement between peers is required.
 IKEv2: NOT negotiated. Each peer can delete SAs anytime by exchanging DELETE payloads.

Multi-hosting:
 IKEv1: Basically, NOT supported.
 IKEv2: Supported by using multiple IDs on a single IP address and port pair.

Rekeying:
 IKEv1: NOT defined.
 IKEv2: Defined.

NAT Traversal:
 IKEv1: Defined as an extension.
 IKEv2: Supported by default.

Dead Peer Detection / Keep-alive for SAs:
 IKEv1: Defined as an extension.
 IKEv2: Supported by default.

Remote Access VPN:
 IKEv1: NOT defined. Supported by vendor-specific implementations: Mode config; XAUTH.
 IKEv2: Supported by default: Extensible Authentication Protocol (EAP); user authentication over EAP is associated with IKE's authentication; Configuration payload (CP).

Multi-homing:
 IKEv1: Basically, NOT supported.
 IKEv2: Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555).

Mobile Clients:
 IKEv1: Basically, NOT supported.
 IKEv2: Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555).

DoS protections:
 IKEv1: Basically, NOT supported.
 IKEv2: Anti-replay function is supported. 'Cookies' are supported for mitigating flooding attacks. Many vulnerabilities in IKEv1 were fixed.

Reliability:
 IKEv1: Less reliable than IKEv2.
 IKEv2: More reliable. All message types are defined as Request and Response pairs. A procedure to delete SAs is defined. A procedure to retransmit a message is defined.

Extensions:
 IKEv1: Extensions are very poor.
 IKEv2: Useful extensions in actual network environments:
  "Redirect Mechanism for IKEv2 (RFC5685)"
  "IKEv2 Session Resumption (RFC5723)"
  "An Extension for EAP-Only Authentication in IKEv2 (RFC5998)"
  "Protocol Support for High Availability of IKEv2/IPsec (RFC6311)"
  "A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) (RFC6290)"
  etc. See the IETF ipsecme-WG's web page.
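The traffic-selector row above contrasts IKEv1's exact-match requirement with IKEv2's narrowing. The following is an added example, not code from the original page: it models a responder that, under IKEv1 rules, must find the proposed selector verbatim in its policy, and under IKEv2 rules (RFC 7296, section 2.9) narrows each proposed selector to the overlap with its policy and can put IPv4 and IPv6 selectors into the same Child SA. The policy and proposal values are constructed sample data, and the ts() helper is this example's own.

```python
"""Traffic selector handling: IKEv1 exact match vs. IKEv2 narrowing.

Added example for the traffic-selector comparison; not code from the page.
Policies and proposals below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import List, Optional, Union

IPAddr = Union[IPv4Address, IPv6Address]
ANY_PROTO = 0   # IKEv2 encodes "any IP protocol" as protocol ID 0


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE / TS_IPV6_ADDR_RANGE entry."""
    proto: int
    start_port: int
    end_port: int
    start_addr: IPAddr
    end_addr: IPAddr

    def __post_init__(self) -> None:
        if type(self.start_addr) is not type(self.end_addr):
            raise ValueError("a selector covers a single address family")
        if self.start_addr > self.end_addr or self.start_port > self.end_port:
            raise ValueError("range start must not exceed range end")

    def narrow(self, other: "TrafficSelector") -> Optional["TrafficSelector"]:
        """Intersection with another selector, or None when they do not overlap."""
        if type(self.start_addr) is not type(other.start_addr):
            return None                       # IPv4 and IPv6 ranges never overlap
        if ANY_PROTO not in (self.proto, other.proto) and self.proto != other.proto:
            return None
        proto = self.proto or other.proto     # the specific protocol wins over "any"
        start_addr = max(self.start_addr, other.start_addr)
        end_addr = min(self.end_addr, other.end_addr)
        start_port = max(self.start_port, other.start_port)
        end_port = min(self.end_port, other.end_port)
        if start_addr > end_addr or start_port > end_port:
            return None
        return TrafficSelector(proto, start_port, end_port, start_addr, end_addr)


def ts(addrs: str, proto: int = ANY_PROTO, ports: str = "0-65535") -> TrafficSelector:
    """Example helper: build a selector from 'first-last' address and port strings."""
    a, b = (ip_address(x.strip()) for x in addrs.split("-"))
    p, q = (int(x) for x in ports.split("-"))
    return TrafficSelector(proto, p, q, a, b)


def ikev1_select(proposed: TrafficSelector,
                 policy: List[TrafficSelector]) -> Optional[TrafficSelector]:
    """IKEv1: the responder's policy must contain exactly the proposed selector."""
    return proposed if proposed in policy else None


def ikev2_select(proposed: List[TrafficSelector],
                 policy: List[TrafficSelector]) -> List[TrafficSelector]:
    """IKEv2: narrow each proposed selector against the policy; keep every overlap."""
    chosen: List[TrafficSelector] = []
    for want in proposed:
        for allowed in policy:
            narrowed = want.narrow(allowed)
            if narrowed is not None and narrowed not in chosen:
                chosen.append(narrowed)
    return chosen


if __name__ == "__main__":
    # Constructed responder policy: any TCP to one IPv4 /24, and HTTPS to a small IPv6 range.
    policy = [ts("10.0.0.0-10.0.0.255", proto=6),
              ts("2001:db8::-2001:db8::ffff", proto=6, ports="443-443")]
    # Constructed proposal: the initiator asks for far more, in both address families.
    proposal = [ts("10.0.0.0-10.0.255.255"),
                ts("2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff")]
    print("IKEv1 exact match:", ikev1_select(proposal[0], policy))
    for sel in ikev2_select(proposal, policy):
        print("IKEv2 narrowed:", sel)
```

The defender-relevant point is the last branch of ikev2_select: the responder never widens a proposal beyond its own policy, so an over-broad initiator selector is cut down to the permitted ranges rather than rejected or, worse, accepted as sent.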

See also RFC 4303, 4306, 4718 and 5996 for more details.
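The DoS protections row lists 'Cookies' as IKEv2's defence against flooding. The following is an added example, not code from the original page, of that stateless mechanism as specified in RFC 7296, section 2.6: a responder whose half-open SA table is full answers IKE_SA_INIT with N(COOKIE) computed from the initiator's nonce, source address and SPI plus a rotating secret, stores nothing, and only allocates state when the initiator echoes a valid cookie. The half-open limit, the message fields, and the use of HMAC (rather than a plain hash over the concatenation that includes the secret) are this example's own choices; the spoofed addresses are constructed sample data.

```python
"""Stateless IKEv2 COOKIE exchange for flood mitigation (added example, not page code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

COOKIE_LEN = 1 + hashlib.sha256().digest_size   # <VersionIDofSecret> | MAC


@dataclass
class IkeSaInit:
    """The IKE_SA_INIT request fields that the cookie binds together."""
    src_ip: str                      # IPi: source address as seen by the responder
    spi_i: bytes                     # SPIi: 8-byte initiator SPI
    nonce_i: bytes                   # Ni
    cookie: Optional[bytes] = None   # N(COOKIE) echoed by the initiator on retry


@dataclass
class Responder:
    half_open_limit: int = 2         # constructed threshold: demand cookies above it
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    prev_secret: Optional[bytes] = None
    version: int = 0                 # <VersionIDofSecret>, one byte
    half_open: Dict[bytes, IkeSaInit] = field(default_factory=dict)

    def rotate_secret(self) -> None:
        """Periodic rotation. The previous secret stays valid for one more period
        so an initiator that got a cookie just before rotation is not rejected."""
        self.prev_secret, self.secret = self.secret, os.urandom(32)
        self.version = (self.version + 1) % 256

    def _cookie(self, msg: IkeSaInit, secret: bytes, version: int) -> bytes:
        # RFC 7296: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
        # Keying an HMAC with the secret instead of appending it is this example's choice.
        mac = hmac.new(secret, msg.nonce_i + msg.src_ip.encode() + msg.spi_i,
                       hashlib.sha256).digest()
        return bytes([version]) + mac

    def cookie_valid(self, msg: IkeSaInit) -> bool:
        """Recompute the cookie from the message itself; no per-initiator state is needed."""
        if msg.cookie is None or len(msg.cookie) != COOKIE_LEN:
            return False
        ver = msg.cookie[0]
        if ver == self.version:
            secret = self.secret
        elif self.prev_secret is not None and ver == (self.version - 1) % 256:
            secret = self.prev_secret
        else:
            return False
        return hmac.compare_digest(msg.cookie, self._cookie(msg, secret, ver))

    def handle_ike_sa_init(self, msg: IkeSaInit) -> Tuple[str, Optional[bytes]]:
        """Return ("ACCEPT", None) once half-open state is allocated, or
        ("COOKIE", cookie) when the initiator must retry carrying the cookie."""
        under_load = len(self.half_open) >= self.half_open_limit
        if under_load and not self.cookie_valid(msg):
            # Stateless reply: nothing is stored for this request.
            return "COOKIE", self._cookie(msg, self.secret, self.version)
        self.half_open[msg.spi_i] = msg
        return "ACCEPT", None


def spoofed_flood(responder: Responder, count: int) -> int:
    """Constructed flood: IKE_SA_INIT from spoofed sources that never echo a cookie.
    Returns how many half-open SAs the responder holds afterwards."""
    for i in range(count):
        msg = IkeSaInit(src_ip=f"203.0.113.{i % 256}", spi_i=os.urandom(8),
                        nonce_i=os.urandom(16))
        responder.handle_ike_sa_init(msg)
    return len(responder.half_open)


def honest_handshake(responder: Responder, src_ip: str) -> bool:
    """A real initiator retries once with the cookie it was given."""
    msg = IkeSaInit(src_ip=src_ip, spi_i=os.urandom(8), nonce_i=os.urandom(16))
    status, cookie = responder.handle_ike_sa_init(msg)
    if status == "COOKIE":
        msg.cookie = cookie
        status, _ = responder.handle_ike_sa_init(msg)
    return status == "ACCEPT"


if __name__ == "__main__":
    r = Responder(half_open_limit=2)
    print("half-open SAs after a flood of 1000:", spoofed_flood(r, 1000))
    print("honest initiator accepted:", honest_handshake(r, "192.0.2.10"))
```

Two properties are worth checking in any implementation: the cookie is bound to the source address and SPI, so a cookie captured for one source is useless from another, and secret rotation must overlap by one period or legitimate initiators racing the rotation get bounced.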

Copyright © 2011 T.HANADA All Rights Reserved.
