BIG-IP Next Fixes and Known Issues¶
This list highlights known issues for this BIG-IP Next release.
Version: 20.2.0
Build: 20.2.0-2.375.1+0.0.43
Cumulative fixes from BIG-IP Next v20.2.0 that are included in this release
Known Issues in BIG-IP Next v20.2.0
Cumulative fixes from BIG-IP Next v20.2.0 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description |
1487969 | CVE-2023-47038 | K000138640 | CVE-2023-47038 on f5-csm-icb |
1486045 | CVE-2023-47038 | K000138640 | CVE-2023-47038 on f5-csm-bird |
1486329 | CVE-2023-47038 | K000138640 | CVE-2023-47038: Perl Vulnerability |
1483733-2 | CVE-2023-47038 | K000138640 | CVE-2023-47038 in perl-base on f5-access-apmd-egress-sidecar |
BIG-IP Next Fixes
ID Number | Severity | Links to More Info | Description |
1497709 | 1-Blocking | GSLB Sync Group does not reconnect at certificate rotation or reboot | |
1497549 | 1-Blocking | Manual or automatic failover of an instance results in unhealthy cluster after CM upgrade★ | |
1495485 | 1-Blocking | CA file reference for OCSP rule is incorrect. | |
1495481-1 | 1-Blocking | CRLDP Authentication rule does not work with valid certificates | |
1495469 | 1-Blocking | PUT /api/v1/systems/<system-id>/host-dns does not work | |
1469329 | 1-Blocking | Using L1-network with VLANs in VE PUT/onboard no longer generates default L2 and L3 networks. | |
1430281 | 1-Blocking | QKVIEW output not captured for resource-manager and platform-manager after factory reset | |
1411249 | 1-Blocking | During upgrade activity, TMM cores is found on HA DUT | |
1353565-2 | 1-Blocking | Certain extreme SSL traffic patterns may impact throughput | |
1538581 | 2-Critical | Next setup script may fail to create tmm interfaces if DHCP address assigned | |
1498497 | 2-Critical | Traffic disruption in upgraded BIG-IP Next Central Manager application service from 20.0.x to 20.1.0 | |
1497641 | 2-Critical | When no security policies are created, "create" button is enabled for Auditor role | |
1496457-4 | 2-Critical | TMM crash under certain traffic patterns when an HTTP/2 profile is applied. | |
1494509 | 2-Critical | Expression field is missing for few endpoints security agents. | |
1490089 | 2-Critical | Policy execution is denied with Antivirus check. | |
1488105-2 | 2-Critical | CVE-2022-48522 in perl-base on f5-access-renderer | |
1487777 | 2-Critical | CVE-2022-48522 Perl Vulnerability | |
1486365 | 2-Critical | CVE-2022-48522 Perl Vulnerability | |
1483777-2 | 2-Critical | CVE-2022-48522 in perl-base on f5-access-apmd-egress-sidecar | |
1472745-1 | 2-Critical | TMM container is restarted by kubernetes | |
1351325 | 2-Critical | Cannot delete a tagged VLAN and recreate an untagged VLAN with same name within ~10 minutes | |
1322973-8 | 2-Critical | A particular sequence of HTTP packets may cause TMM to crash | |
1576397 | 3-Major | BIG-IP Next Central Manager UI shows external storage as disabled even though it was enabled during setup | |
1574821 | 3-Major | BIG-IP Next Central Manager VM instances shutdown a in High availability cluster do not restart few of the Pods | |
1501461-1 | 3-Major | CVE-2014-10077: Crash in i18n Ruby Gem | |
1497365-1 | 3-Major | BIG-IP Monitor not utilised for Generic Hosts | |
1497361-1 | 3-Major | Global Resiliency Group creation time increases as number of non provisioned group members increases | |
1496901-1 | 3-Major | Name specified for "SPECIFY THE CERTIFICATES DETAILS FOR THIS APPLICATION" cannot contain special characters | |
1496897-1 | 3-Major | Inability to disable Global Resiliency in an application once enabled | |
1495141 | 3-Major | Unable to modify or add roles to an existing user | |
1495037-1 | 3-Major | Global Resiliency Group allows creation without validating empty entries for group name/DNS listener name | |
1495001-1 | 3-Major | Cannot edit Global Resiliency Group once created | |
1494993-1 | 3-Major | Cannot use the same group name again on same GSLB instance | |
1490853 | 3-Major | Setup script produces warnings "Netplan configuration should NOT be accessible by others." | |
1490525 | 3-Major | The execution of the Per Session Access policy is halting when the Linux FPC attempts to initiate a VPN connection | |
1481801 | 3-Major | Session.policy.result.policy_path variable is incorrect when multiple agents are used inside a macro policy | |
1474837 | 3-Major | Failed to load the webtop when advanced resource assign agent is added after endpoint security agents | |
1474733 | 3-Major | iRules are out of order after migraiton to BIG-IP Next Central Manager | |
1474121 | 3-Major | Deployment errors when Access policy is set to "Global" | |
1473477 | 3-Major | Access Webtop resource configuration is missing from migrated application service | |
1355649-2 | 3-Major | TMM may crash while processing ILX::call commands | |
1328709 | 3-Major | The coredns pod continuously logs warnings | |
1205029-3 | 3-Major | BT1205029 | WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application |
1574997 | 4-Minor | BIG-IP Next Central Manager HA node installation requires logout to add node★ | |
1571741 | 4-Minor | Inappropriate Per Request Branch Contexts & Expressions in Access Policy Editor | |
1495245 | 4-Minor | Unable to deploy an application service without pool using standard template in BIG-IP Next Central Manager | |
1494909 | 4-Minor | Application Manager cannot view WAF information in the Security Workspace | |
1494905 | 4-Minor | Home screen button to Security Workspace disabled for user with Application Manager user role | |
1474781-1 | 4-Minor | Updated policy with invalid Inspection Services is deployed to Next instance without any error | |
1474777-1 | 4-Minor | Security Policies displays "None" on Application Service UI dashboard after deploying the application with Security Policy | |
1346905-2 | 4-Minor | Application Location and Source details missing in the application panel from the security policy grid | |
1567737 | 5-Cosmetic | Confusing yellow sign occurs on the Access Policy Editor screen |
Cumulative fix details for BIG-IP Next v20.2.0 that are included in this release
1576397 : BIG-IP Next Central Manager UI shows external storage as disabled even though it was enabled during setup
Component: BIG-IP Next
Symptoms:
BIG-IP Next Central Manager User Interface(UI) shows external storage as disabled even though it was enabled during setup.
In a BIG-IP Next Central Manager HA deployment, the BIG-IP Next Central Manager UI will not show external storage as being enabled.
Conditions:
Install BIG-IP Next Central Manager and as part of the installation steps, configure the external storage.
In the BIG-IP Next Central Manager UI, external storage configuration is shown as disabled.
Impact:
BIG-IP Next Central Manager UI shows external storage as disabled even though it was enabled during setup.
1574997 : BIG-IP Next Central Manager HA node installation requires logout to add node★
Component: BIG-IP Next
Symptoms:
As part of a BIG-IP Next Central Manager HA installation, the you must log out of the User Interface (UI), when the first node is added to the cluster.
Conditions:
1. Create 3 VM instances on BIG-IP Next Central Manager
2. From UI, change the BIG-IP Next Central Manager password for all 3 instances
3. Login to node-1
4. Click Set up button
5. Fill out the form and click Add
Impact:
You must log out and then re log-in to successfully add the new node.
Workaround:
Wait for up to 5 minutes for the BIG-IP Next Central Manager cluster to be ready before re-logging in.
1574821 : BIG-IP Next Central Manager VM instances shutdown a in High availability cluster do not restart few of the Pods
Component: BIG-IP Next
Symptoms:
In a BIG-IP Next Central Manager HA deployment, if one of the nodes is shutdown; then certain pods such as statefulsets, mbiq-llm and mbiq-upgrade-manager-feature do not automatically reschedule on other active nodes and remain in Pending state. Also, it may take up to 5 minutes for pods to get rescheduled to other active nodes and during this time BIG-IP Next Central manager services may not be available.
Conditions:
As part of a multi-node BIG-IP Next Central Manager deployment (HA deployment), if one of the nodes might become unavailable due to explicit node deletion or power failure. When this occurs, one or more of the Pods scheduled on those nodes goes into a Pending state.
Impact:
Central Manager services are unavailable.
Workaround:
The workaround is to manually delete the node from the cluster using command 'kubectl delete node <node-name>' and delete the PVCs of Pending pods. This will ensure the Pods get rescheduled fresh on other available nodes.
1571741 : Inappropriate Per Request Branch Contexts & Expressions in Access Policy Editor
Component: BIG-IP Next
Symptoms:
For Per-Request Access policies, when configuring rule branches using a predefined branch, the context dropdown shows a whole list of options, including all Per-Session contexts.
If choosing one of the predefined contexts and switching to advanced mode by toggling the "Advanced" button, the expression shown is for per-session not per-request.
Conditions:
Create a policy with policy type "Per-Request Policy", drag and drop any per-request rule on the access policy editor screen and edit rule branches using predefined contexts.
Impact:
Confusion at the user end and traffic might fail due to invalid expression.
Workaround:
When editing rule branches for the per-request rule, switch to advanced mode by toggling the "Advanced" button, enter the desired per-request expression, and save.
Fix:
- Predefined context dropdown should only contain options for supported Per-Request rules.
- When switching to "Advanced" mode, the expression should be correct per-request expression accordingly.
1567737 : Confusing yellow sign occurs on the Access Policy Editor screen
Component: BIG-IP Next
Symptoms:
A warning banner remains fixed on top of the policy editor, persisting indefinitely.
A yellow icon with an exclamation mark in the middle comes on the top-right corner of all the rules and flows while adding a rule to the editor screen.
Conditions:
Drag and drop the required rule on the access policy editor screen.
Impact:
Confusion at the user end.
Workaround:
The yellow sign that comes on each rule/flow block disappears if you provide all the mandatory properties.
For those rules that do not require any change, saving the rule again removes the yellow sign.
The banner on top stays irrespective of even if there is no rule/flow with missing mandatory values.
Fix:
The yellow icon should only appear on rules/flows that require some mandatory values to be provided by the user and should disappear when all the mandatory values are provided.
The banner on top of the editor screen should be visible only if there is any rule/flow showing the yellow icon.
1538581 : Next setup script may fail to create tmm interfaces if DHCP address assigned
Component: BIG-IP Next
Symptoms:
If a BIG-IP Next VE instance is deployed and the instance receives a DHCP address at startup, it will immediately configure and form a Kubernetes cluster. If the setup script is run after that and if VLANs are configured by the script, TMM will not have the VLANs assigned to it.
The problem is not immediately obvious, because the API will return the configured state, showing VLANs assigned to interfaces.
Conditions:
- BIG-IP Next VE.
- Versions 20.0 or 20.1.
- DHCP assigns address to mgmt.
- The setup script is run and VLANs are configured by it.
Impact:
The BIG-IP Next instance will be unable to handle data-plane traffic.
Workaround:
Do not assign DHCP addresses to the Next instance.
Or, if an address is already assigned to mgmt, do not configure VLANs when running the setup script.
Fix:
Setup script completes.
1501461-1 : CVE-2014-10077: Crash in i18n Ruby Gem
Component: BIG-IP Next
Symptoms:
Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
The Ruby gem has been updated to a fixed version.
1498497 : Traffic disruption in upgraded BIG-IP Next Central Manager application service from 20.0.x to 20.1.0
Component: BIG-IP Next
Symptoms:
Upon upgrading BIG-IP Next Central Manager from 20.0.x to 20.1.0 and redeploying the existing application services, users may experience traffic disruption. This is attributed to conflicts with TMM validation for "allVlans: true" and Default L3-Network.
Conditions:
When both the BIG-IP Next Central Manager and BIG-IP Next Instance are upgraded from from 20.0.x to 20.1.0 , and the existing application service is redeployed.
Impact:
Traffic will not work for existing application
Workaround:
If traffic is not working for the existing application after redeployment, users should delete the application and redeploy it with the same configuration to the BIG-IP Next Instance.
1497709 : GSLB Sync Group does not reconnect at certificate rotation or reboot
Component: BIG-IP Next
Symptoms:
GSLB Engine loses connection to another GSLB Engine Peers in a GSLB Sync Group and fails to reconnect.
Conditions:
When a GSLB Engine gets a certificate rotation, reboots, or experiences a temporary network issue that causes disconnection to another GSLB Engine Peers in a GSLB Sync Group, that connection can be not restored.
Impact:
The affected connection appears in a "half-open" state where one peer considers the connection open, another peer considers the connection closed and disconnects it every 10 seconds. As a result, GSLB Engines in a GSLB Sync Group have states of connections completely unsynced which results in the inability to distribute monitoring resources between each other and share statuses of resources.
Workaround:
Once any GSLB Engine in a GSLB Sync Group gets certificate rotation or reboots, all GSLB Engines in the GSLB Sync Group need to have re-created configuration for all non-local GSLB Engine Instances.
Fix:
GSLB Engine of client-side of gRPC connection needs to send heartbeat message at reconnection.
1497641 : When no security policies are created, "create" button is enabled for Auditor role
Component: BIG-IP Next
Symptoms:
When there are no security policies created, the auditor user role has the option to click "create" and configure a security policy. However, the user cannot save the policy.
Conditions:
The option to create a policy for an Auditor role is enabled when there are no WAF, Access, or SSLO policies created.
Impact:
The auditor user is able to create a security policy when it is not within the permissions of the role.
1497549 : Manual or automatic failover of an instance results in unhealthy cluster after CM upgrade★
Component: BIG-IP Next
Symptoms:
When upgrading from Kiwi Next HA cluster to Mango using Kiwi Central Manager, and subsequently upgrading Central Manager to Mango, there's a potential issue where Central Manager may be unable to communicate with the HA Next cluster due to a different certificate presented by the floating IP.
Conditions:
After upgrading an HA Cluster, followed by a Central Manager upgrade, and then executing a failover of the cluster.
Impact:
Instances within the HA cluster will be marked as unhealthy in the instances grid.
Workaround:
Following a CM upgrade to Mango, users should use CM to discover the standby node and accept the presented fingerprint. In case of a discovery failure with the error message "Instance <IP> could not be added...", users should exit the discovery UI and proceed with their operations.
Fix:
HA cluster will be healthy after failover.
1497365-1 : BIG-IP Monitor not utilised for Generic Hosts
Component: BIG-IP Next
Symptoms:
The BIG-IP Monitor is not used for monitoring generic hosts, despite the option being present in the UI.
Conditions:
The issue occurs when selecting the only available monitor in the UI while creating generic host entries.
Impact:
Currently, monitoring relies on ICMP monitors.
Workaround:
None
Fix:
Able to select various health monitors.
1497361-1 : Global Resiliency Group creation time increases as number of non provisioned group members increases
Component: BIG-IP Next
Symptoms:
The creation time of a Global Resiliency group is influenced by the number of instances selected for group creation when using non-provisioned BIG-IP Next devices.
Conditions:
Using BIG-IP Instances, that are not provisioned for DNS.
Impact:
Creating the group takes a lot of time, approximately 4-5 minutes for provisioning each instance.
Workaround:
Provision the BIG-IP instance with DNS from BIG-IP Next Central Manager before incorporating it into group creation.
Fix:
Provisioning is done in parallel for all the BIG-IP Next instance, hence minimising the time required.
1496901-1 : Name specified for "SPECIFY THE CERTIFICATES DETAILS FOR THIS APPLICATION" cannot contain special characters
Component: BIG-IP Next
Symptoms:
Name field for a certificate block accepts invalid characters causing the application deployment to fail with different reasons.
Possible errors:
* Failed to submit declaration to AS3: declaration is invalid
* : FAST-0002: Internal Server Error: Failed to create application tenantOLLlCnuuQB90XnE6CrGN1cA:test on BIG-IP Next instance: The property /tenantOLLlCnuuQB90XnE6CrGN1cA/test/tlsserver_local_cert_vs_place between_test_rsa name must be valid.
Conditions:
The name specified for "SPECIFY THE CERTIFICATES DETAILS FOR THIS APPLICATION" cannot contain special characters.
Impact:
Application deployment will fail.
Workaround:
Use only the following characters:
* Allowed characters are: "-","_", 0 to 9 and alphabets
1496897-1 : Inability to disable Global Resiliency in an application once enabled
Component: BIG-IP Next
Symptoms:
Global Resiliency, once enabled, cannot be disabled for an application.
Conditions:
Global Resiliency is enabled.
Impact:
Cannot disable the Global Resiliency.
Workaround:
Delete and recreate the application, then redeploy without enabling Global Resiliency.
Fix:
Global Resiliency Group can be enabled/disabled after application creation.
1496457-4 : TMM crash under certain traffic patterns when an HTTP/2 profile is applied.
Component: BIG-IP Next
Symptoms:
A TMM crash.
Conditions:
An LTM virtual server with an HTTP/2 profile attached.
Impact:
A TMM crash.
Workaround:
Set up HA pairs when configuring your BIG-IP device.
Fix:
The issue no longer occurs.
1495485 : CA file reference for OCSP rule is incorrect.
Component: BIG-IP Next
Symptoms:
OCSP Authentication agent if configured using the BIG-IP Next Central Manager does not provide the correct file reference to the trusted CA certificates used to verify the signature on the OCSP response
Conditions:
Create a policy with OCSP within a flow. Test the traffic through the policy.
Impact:
OCSP agent will not be executed if included in the policy. Access Session will not be established.
1495481-1 : CRLDP Authentication rule does not work with valid certificates
Component: BIG-IP Next
Symptoms:
Crash observed with CRLDP Authentication rule in the per session policy, the policy execution gets denied. It is continuously
getting redirected to https://<VS_IP>/my.policy_nonce?nonce=<nonce_token>
Conditions:
Create a policy with CRLDP rule within a flow. Test the traffic through the policy.
Impact:
CRLDP rule will not be executed if included in the policy. Access Session will not be established.
Workaround:
None
1495469 : PUT /api/v1/systems/<system-id>/host-dns does not work
Component: BIG-IP Next
Symptoms:
Setting host DNS servers using PUT /api/v1/systems/<system-id>/host-dns does not change the host DNS servers
Conditions:
Send a PUT request to /api/v1/systems/<system-id>/host-dns
Impact:
The host DNS servers do not change
Workaround:
In VE, send a PUT request to /onboard instead
Fix:
In VE, send a PUT request to /onboard instead
1495245 : Unable to deploy an application service without pool using standard template in BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
When you create an application service without a pool the 'Review & Deploy' button is disabled.
Conditions:
1. Create an application service using a standard template.
2. Do not add a pool to the application service.
Impact:
The application service cannot be deployed when a pool is not attached.
Workaround:
When creating the application service, go to the Pools tab. Navigating to the Pools tab enables the'Review & deploy' button. You do not need to add pools.
1495141 : Unable to modify or add roles to an existing user
Component: BIG-IP Next
Symptoms:
Modifying a user's role or adding roles to a user is unavailable to users created without a display name or email.
Conditions:
1. Create user without adding a display name and email address.
2. Modify the assigned user roles.
3. Save your changes
Impact:
User role updates cannot be saved and an error is displayed.
Workaround:
Add a display name or email address to the changes and save. The recommendation is to create/modify a user by specifying Display Name or Email.
1495037-1 : Global Resiliency Group allows creation without validating empty entries for group name/DNS listener name
Component: BIG-IP Next
Symptoms:
Under specific circumstances, the UI allows the creation of a Global Resiliency Group without specifying a name and listener name.
Conditions:
Open the create group dialog and observe the "next" button is disabled; cancel out of it.
Reopen the dialog, and now the "next" button is enabled despite no entries are made in the required fields.
Impact:
This condition results in user being able to create a group without name which then cannot be deleted.
Workaround:
None
Fix:
Form validations for Global Resiliency Groups are fixed and working.
1495001-1 : Cannot edit Global Resiliency Group once created
Component: BIG-IP Next
Symptoms:
Once you create a Global Resiliency Group, it cannot be edited to add or delete group members.
Conditions:
Create a Global Resiliency Group.
Impact:
Cannot modify the Global Resiliency group details.
Workaround:
Delete the Global Resiliency group and recreate with different name and required parameters.
Fix:
Editing is allowed; user can add and delete instances.
1494993-1 : Cannot use the same group name again on same GSLB instance
Component: BIG-IP Next
Symptoms:
Global Resiliency Group creation fails.
Conditions:
Applying the same name of an existing, or previously existing, Global Resiliency Group on an instance.
Impact:
Global Resiliency Group creation will fail.
Workaround:
Use a different name for the creation of Global Resiliency Group.
Fix:
Global Resiliency Group name can be re-used after deleting the old one.
1494909 : Application Manager cannot view WAF information in the Security Workspace
Component: BIG-IP Next
Symptoms:
The Application Manager user role has view-only permissions to all modules within the security workspace. When an Access Manager logs in, they might not be able to view WAF information in the Security Workspace.
Conditions:
1. Log in to BIG-IP Next Central Manager as a user with an Application Manager role.
2. Go to the Security Workspace.
Impact:
No WAF visibility for Application Manager users.
Workaround:
Admin should add the user the role of 'Auditor' as well to have full view permission of the security workspace.
1494905 : Home screen button to Security Workspace disabled for user with Application Manager user role
Component: BIG-IP Next
Symptoms:
The 'Go to Security Workspace' shortcut button in BIG-IP Next Central Manager's home screen is disabled for users with an Application Manager role.
Conditions:
1. Log in to BIG-IP Next Central Manager with an Application Manager user role.
2. Go to the home screen and try to use the quick link to the Security Workspace.
Impact:
The 'Go to Security Workspace' button is disabled.
Workaround:
Use the Workspace icon to go to the Security Workspace. Users with an Application Manager role have view-only permission to this workspace.
1494509 : Expression field is missing for few endpoints security agents.
Component: BIG-IP Next
Symptoms:
Some of the endpoint security agents such as
Patch Management, Public File Sharing, Windows File check, Mac File check, Linux File Check, MAC
Process check does not contain the expression field.
Due to this issue, the application deployment is getting failed from CM to BIG-IP Next.
Conditions:
When they combine with other EPSEC agents.
Impact:
Policy/application deployment fails.
1490853 : Setup script produces warnings "Netplan configuration should NOT be accessible by others."
Component: BIG-IP Next
Symptoms:
On both Central Manager and Next instances, immediately after the "setup" script begins the activities, below error messages appears:
** (process:614): WARNING **: 17:47:14.483: Permissions for /etc/netplan/00-installer-config.yaml are too open. Netplan configuration should NOT be accessible by others.
Ubuntu (the base operating system) is creating the files with these permissions.
Conditions:
After the Central Manager or Next setup script begins to configure the system.
Impact:
None.
Workaround:
None.
Fix:
File permissions are set correctly.
1490525 : The execution of the Per Session Access policy is halting when the Linux FPC attempts to initiate a VPN connection
Component: BIG-IP Next
Symptoms:
Per Session Access policy execution is not working as expected whenever Linux FPC is trying to establish VPN.
Conditions:
This is observed for a per-session access policy which has Network Access Resource attached inside macro.
Impact:
Linux VPN tunnel cannot be established.
Workaround:
No work around available.
Fix:
Fix is not ready yet.
1490089 : Policy execution is denied with Antivirus check.
Component: BIG-IP Next
Symptoms:
If there is an antivirus check in the access policy, the policy always gets denied and the agent result is set to 0.
Conditions:
Antivirus check is included in the policy.
Impact:
The policy gets denied and does not proceed for further execution.
1488105-2 : CVE-2022-48522 in perl-base on f5-access-renderer
Component: BIG-IP Next
Symptoms:
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
Conditions:
N/A
Impact:
Although vulnerable code is present, we believe this vulnerability is not exploitable in any default, standard, or recommended configuration.
Workaround:
N/A
Fix:
Perl has been updated to a non-affected version.
1487969 : CVE-2023-47038 on f5-csm-icb
Links to More Info: K000138640
1487777 : CVE-2022-48522 Perl Vulnerability
Component: BIG-IP Next
Symptoms:
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
Perl has been updated to a non-vulnerable version.
1486365 : CVE-2022-48522 Perl Vulnerability
Component: BIG-IP Next
Symptoms:
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
Perl has been updated to a non-vulnerable version.
1486329 : CVE-2023-47038: Perl Vulnerability
Links to More Info: K000138640
1486045 : CVE-2023-47038 on f5-csm-bird
Links to More Info: K000138640
1483777-2 : CVE-2022-48522 in perl-base on f5-access-apmd-egress-sidecar
Component: BIG-IP Next
Symptoms:
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
Conditions:
N/A
Impact:
Although vulnerable code is present, we believe this vulnerability is not exploitable in any default, standard, or recommended configuration.
Workaround:
N/A
Fix:
Perl has been updated to a non-vulnerable version.
1483733-2 : CVE-2023-47038 in perl-base on f5-access-apmd-egress-sidecar
Links to More Info: K000138640
1481801 : Session.policy.result.policy_path variable is incorrect when multiple agents are used inside a macro policy
Component: BIG-IP Next
Symptoms:
When APM macro policy is configured with several agents, after policy execution session.policy.result.policy_path variable does not list some executed agents.
Conditions:
APM macro policy configured with several agents.
Impact:
Content of session.policy.result.policy_path variable is mostly used for troubleshooting, there is no end user impact.
Workaround:
N/A
Fix:
Correction for content of session.policy.result.policy_path has been made.
1474837 : Failed to load the webtop when advanced resource assign agent is added after endpoint security agents
Component: BIG-IP Next
Symptoms:
Failed to load the webtop when advanced resource assign agent is added after endpoint security agents.
Conditions:
If an Advanced resource assign Item is added after any VPN endpoint security Item such as "windows process check" or "Windows Info" then webtop is not publishing with the resources.
Impact:
Fails to load the webtop. An error is encountered on browser.
Workaround:
Add message box between Endpoint Security Item type and Resource Assign agent. Then policy item result properly carries forward and webtop will be published.
Fix:
Fix is not ready yet.
1474781-1 : Updated policy with invalid Inspection Services is deployed to Next instance without any error
Component: BIG-IP Next
Symptoms:
Updated policy is deployed to the BIG-IP Next instance without any error though Inspection Services that are attached through a service chain are not deployed to the next instance.
Conditions:
Deploying an updated policy to the BIG-IP Next instance with one or many inspection services that are not deployed on the specified next instance.
Impact:
Traffic processing may not happen as expected/Application would still use the old policy.
Workaround:
Deploy the inspection services to the instance.
1474777-1 : Security Policies displays "None" on Application Service UI dashboard after deploying the application with Security Policy
Component: BIG-IP Next
Symptoms:
Application Dashboard shows security policies as '0' though an SSL Orchestrator policy is attached to the application.
Conditions:
Deploy an application with an SSL Orchestrator policy.
Impact:
No functional impact.
Workaround:
None
1474733 : iRules are out of order after migraiton to BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
When migrating to BIG-IP Next Central Manager, the migration process might change the order of iRules, which can invalidate the application service.
Conditions:
1. Upload a UCS file to BIG-IP Next Central Manager's migration tool. The UCS includes iRules configured in a set order. For example:
{
/Common/b_irule_order_1st
/Common/c_irule_order_2nd
/Common/a_irule_order_3rd
}
2. Complete the application migration process.
3. Check the iRule order in the application service's declaration.
Impact:
The iRule list is out of order from the pre-migration configuration.
Workaround:
Verify the order of the iRules in the declaration post-migration:
Before deploying the application service, save the application service as a draft, and correct the order of the iRules in the declaration before you deploy to an instance.
1474121 : Deployment errors when Access policy is set to "Global"
Component: BIG-IP Next
Symptoms:
Deployment errors from BIG-IP Next Central Manager to an instance occur when deploying application services with the Access policy scope set to 'global'.
Conditions:
1. Create an Access policy with the "global" scope.
2. Attach that policy to either a FAST or AS3 application service.
3. Deploy the application service to an instance.
Impact:
Deployment fails with an error message from the AS3 feature (returning NATs error):
"The task failed, failure reason: AS3-0004: AS3 Unknown Error: Failed with unknown error: returned an unexpected response code 400 Deployment Failed: Code: 13158-00095, Detail: Failed to read request Query Param Error at: oneOf. Reason: value does not match any schema from "oneOf". "
Workaround:
Change the Access policy scope.
1473477 : Access Webtop resource configuration is missing from migrated application service
Component: BIG-IP Next
Symptoms:
When migrating an application service to BIG-IP Next Central Manager, the application service's Access policy Webtop resource configuration is missing.
Conditions:
1. Using the BIG-IP Next Central Manager migration tool, upload UCS file with resource assignment and webtop.
2. Complete the migration process
Impact:
Resource assignment agent has a reference to webtop resource, but the actual resource data is missing.
Workaround:
Once the Access policy is migrated to BIG-IP Next you can manually add the webtop resource to the policy.
1472745-1 : TMM container is restarted by kubernetes
Component: BIG-IP Next
Symptoms:
The sock driver experiences tx_errors sending out packets on the veth interface(tmctl -d blade -w 250 tmm/xnet/sock/stats), as shown below:
ifname q_id mmap_ring_drops rx_buf_err rx_io_err tx_err
------ ---- --------------- ---------- --------- --------
xeth0 0 0 0 0 70828320
Conditions:
- The TMM container's veth mtu uses a value less than 1500.
Impact:
- TMM stops processing traffic.
Fix:
- TMM no longer crashes.
1469329 : Using L1-network with VLANs in VE PUT/onboard no longer generates default L2 and L3 networks.
Component: BIG-IP Next
Symptoms:
On VE PUT /onboard with L1-network with VLANs no longer creates default L2 and L3 networks.
Conditions:
On VE send a PUT request to /onboard with L1-network with VLANs.
Impact:
Default L2 and L3 networks are no longer created.
Workaround:
You can manually create the L2 and L3 networks as needed.
Fix:
On VE PUT /onboard with L1-network with vlans no longer creates Default L2 and L3 networks.
1430281 : QKVIEW output not captured for resource-manager and platform-manager after factory reset
Component: BIG-IP Next
Symptoms:
QKVIEW output not getting captured for the resource-manager and platform-manager due to connection issues.
Conditions:
When the user generates a QKVIEW tarball after a factory reset operation.
Impact:
QKVIEW command output for resource-manager and platform-manager are not significant in terms of debugging. So user impact is very minimal.
Workaround:
Logs for resource-manager and platform-manager are already getting captured in the QKVIEW tarball which should be used for debugging.
1411249 : During upgrade activity, TMM cores is found on HA DUT
Component: BIG-IP Next
Symptoms:
TMM cores is found on one of the HA DUT during upgrade activity.
Conditions:
During run of "upgrade_ha_tests" suite in Stage5 ESXi.
Impact:
Traffic is impacted due to TMM crash.
Workaround:
None
Fix:
Properly remove the LUA item from the list before freeing it in SSM layer.
1355649-2 : TMM may crash while processing ILX::call commands
Component: BIG-IP Next
Symptoms:
Under certain conditions, TMM may crash while processing ILX::call commands.
Conditions:
-- iRule script including an ILX::call command in use.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes ILX::call commands as expected.
1353565-2 : Certain extreme SSL traffic patterns may impact throughput
Component: BIG-IP Next
Symptoms:
When high concurrent SSL traffic is sent to BIGIP, it causes peak high CPU usage. When CPU is busy, cryptographic functions are queued and deferred in a large amount which causes the system to unable to process traffic.
Conditions:
BIGIP system is under high CPU load due to a large number of concurrent SSL connections.
Impact:
SSL traffic performance may be impacted negatively.
Workaround:
The issue can be mitigated by putting an upper limit on the number of active SSL handshakes to a virtual server and/or entire BIGIP system. More information is available here - https://my.f5.com/manage/s/article/K83167850
Fix:
The TMM has better stability under extreme loads.
1351325 : Cannot delete a tagged VLAN and recreate an untagged VLAN with same name within ~10 minutes
Component: BIG-IP Next
Symptoms:
If you delete an existing tagged VLAN and attempt to create a new untagged VLAN with the same name within 10 minutes, the creation fails.
Conditions:
Delete an existing tagged VLAN then try to create a new untagged VLAN with the same name.
Impact:
Unable to create the new VLAN.
Workaround:
Try again in another 10 minutes.
1346905-2 : Application Location and Source details missing in the application panel from the security policy grid
Component: BIG-IP Next
Symptoms:
When clicking on the application counter in the WAF Policies list, a panel is opened with a list of the applications referencing the selected policy. The columns Source and Location are blank.
Conditions:
1. Create a WAF policy and attach to one or more application services.
2. Deploy application services with attached WAF policies.
3. Click the application counter from the WAF Policies list.
Impact:
The application service's location (BIG-IP Next instance) and source (name of template used) is not visible.
Workaround:
You can view the information about application service directly from the Applications workspace.
Go to the Applications workspace, and select the application service from My Application Services list. From the Application Service Topology, select the eye icon next to the application service tile to view the source and location details.
1328709 : The coredns pod continuously logs warnings
Component: BIG-IP Next
Symptoms:
The coredns pod in the kube-system namespace of the kubernetes cluster continuously logs the following warnings:
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.override
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.server
Conditions:
BIG-IP Next Central Manager VM has been created and assigned an IP address.
Impact:
There is no operational impact.
Fix:
The warnings are no longer logged.
1322973-8 : A particular sequence of HTTP packets may cause TMM to crash
Component: BIG-IP Next
Symptoms:
Tmm crashes and restarts
Conditions:
A basic http virtual server with rfc-compliance enabled in http profile and client sending the request with headers more than the max-header-count, results in crash under rare conditions
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Tmm does not crash anymore.
1205029-3 : WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Links to More Info: BT1205029
Component: BIG-IP Next
Symptoms:
In some cases of WEBSSO same token is sent to different sessions in the backend.
Conditions:
WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Impact:
Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.
Fix:
When sessions are different we are clearing the cache tokens so that new tokens are generated for different sessions.
Known Issues in BIG-IP Next v20.2.0
BIG-IP Next Issues
ID Number | Severity | Links to More Info | Description |
1353589 | 1-Blocking | Provisioning of BIG-IP Next Access modules is not supported on VELOS, but containers continue to run | |
1352969 | 1-Blocking | Upgrades with TLS configuration can cause TMM crash loop | |
1350285-1 | 1-Blocking | Traffic is not passing after the tenant is licensed and network is configured | |
1329853-1 | 1-Blocking | Application traffic is intermittent when more than one virtual server is configured | |
1324545-1 | 1-Blocking | L3 validation fails after a BIG-IP Next HA instance fails over | |
1321417-1 | 1-Blocking | BT1321417 | Cannot use WAF modules on VELOS on deploying tenant with 10 CPUs |
1280713 | 1-Blocking | VELOS high availability (HA) cluster goes into active/active after upgrade★ | |
1189933-1 | 1-Blocking | BIG-IP Next Central displays a BIG-IP Next Instance as 'IsHealthy': true even if traffic isn't passing | |
1162213-1 | 1-Blocking | Incorrect state when upgrading a BIG-IP Next HA instance★ | |
1104625 | 1-Blocking | The BIG-IP Next VE tmstat table does include stats for the management interface | |
1576277 | 2-Critical | Instance backup file creation fails after upgrade to v20.2.0 | |
1561053-1 | 2-Critical | Application status migration status incorrectly labeled as green when certain properties are removed | |
1560493-1 | 2-Critical | Inaccurate Reflection of Selfip Prefix Length in TMM Statistics and "ip addr" Output | |
1492705 | 2-Critical | During upgrading to BIG-IP Next 20.1.0, the BIG-IP Next 20.1.0 Central Manager failed to connect with BIG-IP Next 20.0.2 instance | |
1466305 | 2-Critical | Anomaly in factory reset behavior for DNS enabled BIG-IP Next deployment | |
1365005 | 2-Critical | Analytics data is not restored after upgrading to BIG-IP Next version 20.0.1 | |
1354265 | 2-Critical | The icb pod may restart during install phase | |
1294565 | 2-Critical | After upgrading, login api may return 401 with correct credentials | |
1283629-1 | 2-Critical | Deploying an application with the same name as another deployed application fails | |
1271477 | 2-Critical | BIG-IP Next instance on VELOS reports unhealthy status if upgrade fails★ | |
1268361 | 2-Critical | API GET /upgrade/systems/{system_id}/stats/{type} is VE specific only★ | |
1232993-1 | 2-Critical | Forced reboot during BIG-IP Next upgrade can cause instability★ | |
1162253 | 2-Critical | Monitors in an application cannot be removed from stacks and traffic stops running | |
1123381 | 2-Critical | Standby node in a BIG-IP Next HA instance loses it's license when HA is disassembled | |
1090205 | 2-Critical | Floating IP address for a BIG-IP Next HA instance is unavailable during an active node reboot | |
1087937 | 2-Critical | API endpoints do not support page query | |
1083205 | 2-Critical | Default network is the only supported network | |
1078013-1 | 2-Critical | BIG-IP Next HA instance fails when VLANs exist or invalid VLANs are submitted | |
1574685 | 3-Major | Generated WAF report can be loaded without text | |
1574681 | 3-Major | Dynamic Parameter Extract from allowed URLs doesn't show in the parameter in the WAF policy | |
1574573 | 3-Major | Global Resiliency Group status not reflecting correctly on update | |
1574565 | 3-Major | Inability to Edit Generic Host While Re-Enabling Global Resiliency | |
1572681-1 | 3-Major | Data Group Changes not getting reflected on BIG-IP after deployment when removing key-value pairs | |
1569969-1 | 3-Major | WAF policy with default DoS profile cannot be migrated | |
1569589-1 | 3-Major | Default values of Access policy are not migrated | |
1567129 | 3-Major | Unable to deploy Apps on BIG-IP Next v20.2.0 created using Instantiation from v20.1.x★ | |
1566745-1 | 3-Major | L3VirtualAddress set to ALWAYS advertise will not advertise if there is no associated Stack behind it | |
1560561 | 3-Major | Instance Manager and Security Manager roles are required to deploy Inspection Service with VLAN changes | |
1495017 | 3-Major | BIG-IP Next Hostname, Group Name and FQDN name should adhere to RFC 1123 specification | |
1495005 | 3-Major | Cannot create Global Resiliency Group with multiple instances if the DNS instances have same hostname | |
1494997 | 3-Major | Deleting a GSLB instance results in record creation of GR group in BIG-IP Next Central Manager | |
1491197 | 3-Major | Server Name (TLS ClientHello) Condition in policy shouldn't be allowed when "Enable UDP" option is selected in application under Protocols & Profiles | |
1491121 | 3-Major | Patching a new application service's parameters overwrites entire application service parameters | |
1489945 | 3-Major | HTTPS applications with self-signed certificates traffic is not working after upgrading BIG-IP Next instances to new version of BIG-IP Next Central Manager | |
1474801 | 3-Major | BIG-IP Next Central Manager creates a default VRF for all VLANS of the onboarded Next device | |
1472669 | 3-Major | idle timer in BIG-IP Next Central Manager can log out user during file uploads★ | |
1403861 | 3-Major | Data metrics and logs will not be migrated when upgrading BIG-IP Next Central Manager from 20.0.2 to a later release | |
1394945 | 3-Major | No Bot defense due to DNS resolving issue | |
1393389 | 3-Major | QKView creation for BIG-IP Next Central Manager might not complete | |
1366321-1 | 3-Major | BIG-IP Next Central Manager behind a forward-proxy | |
1365433 | 3-Major | Creating a BIG-IP Next instance on vSphere fails with "login failed with code 501" error message★ | |
1360121-1 | 3-Major | Unexpected virtual server behavior due to removal of objects unsupported by BIG-IP Next | |
1360097-1 | 3-Major | Migration highlights and marks "net address-list" as unsupported, but addresses are converted to AS3 format | |
1360093-1 | 3-Major | Abbreviated IPv6 destination address attached to a virtual server is not converted to AS3 format | |
1359209-1 | 3-Major | The health of application service shown as "Good" when deployment fails as a result of invalid iRule syntax | |
1358985-1 | 3-Major | Failed deployment of migrated application services to a BIG-IP Next instance | |
1355605 | 3-Major | "NO DATA" is displayed when setting names for appliction services, virtual servers and pools, that exceed max characters | |
1326385 | 3-Major | Floating self-IP address for a BIG-IP Next HA instance | |
1325297 | 3-Major | Metrics are missing for application services with names longer than 24 characters | |
1306317-1 | 3-Major | Telemetry services with invalid hostnames are not rejected by the API | |
1306229 | 3-Major | Updating a self-IP address on a BIG-IP Next instance that was created from BIG-IP Next Central Manager does not work | |
1296721 | 3-Major | App template default values can override configured properties for existing applications upon redeploy | |
1294081-1 | 3-Major | AS3 applications configured with HTTP2 and TLS do not function | |
1293901 | 3-Major | If pool member/endpoint name is omitted, app creation/edit screen might crash | |
1293137 | 3-Major | At least one toggle field on every page needs to be visited before the application can deploy successfully | |
1291621 | 3-Major | Cannot delete certificate after removing BIG-IP Next instance from BIG-IP Next Central Manager | |
1286181-1 | 3-Major | Add a service with Transport Layer Security (TLS), but one or more of the certs is missing or invalid | |
1286173-1 | 3-Major | Telemetry services that do not exist appear to have been deleted using an API call | |
1267981 | 3-Major | BIG-IP Next pool monitors use management network as fallback | |
1251181 | 3-Major | VLAN names longer than 15 characters can cause issues with troubleshooting | |
1235089 | 3-Major | Selected signatures for cookies are not added to overriden signature section | |
1234093 | 3-Major | BIG-IP Next Central Manager iRules do not support double quote characters | |
1233681 | 3-Major | Redeploying an application fails after you renew the certificates for an HTTPS application | |
1231089 | 3-Major | Multiple applications can be configured with duplicate values for virtualAddresses and virtualPort | |
1230993 | 3-Major | 'Mandatory request body is missing' violation in staging but request is unexpectedly blocked | |
1220077 | 3-Major | Failover for a BIG-IP Next HA instance between upgrades can time out★ | |
1216889 | 3-Major | Incorrect application count is displayed on BIG-IP Next Central Manager iRules page after a BIG-IP Next instance is removed | |
1195281-1 | 3-Major | Endpoint is down when sendString contains double escaped characters | |
1172933 | 3-Major | Stack name must be unique in an application regardless of types | |
1134225 | 3-Major | K000138849 | AS3 declarations with a SNAT configuration do not get removed from the underlying configuration as expected |
1122689-3 | 3-Major | Cannot modify DNS configuration for a BIG-IP Next VE instance through API | |
1120457-1 | 3-Major | Data interfaces for BIG-IP Next VE are not visible on the host after the interface configuration is sent to TMM | |
1120417 | 3-Major | Machine ID on the BIG-IP Next properties pages shows an error | |
1117817 | 3-Major | Interface assignments are unpredictable when more than 4 interfaces are configured | |
1117805 | 3-Major | Unable to determine the TMM interface for MAC addresses on BIG-IP Next VE from the API | |
1117765 | 3-Major | BIG-IP Next Central Manager displays empty network interface metrics for a BIG-IP Next instance | |
1112285 | 3-Major | Cannot update management IP address on BIG-IP Next HA instances | |
1110805 | 3-Major | Setup needs to be finished on the host OS before BIG-IP Next can function properly. | |
1109933-1 | 3-Major | Unexpected behavior when multiple routes with identical route configuration and different names are created | |
1107757-1 | 3-Major | Large numbers of AS3/API requests can trigger job timeout errors. | |
1107533-1 | 3-Major | Upgrading a BIG-IP Next instance endpoint does not accept file names★ | |
1106573 | 3-Major | If an application deployment fails due to BIG-IP Next instability, the policies referenced in the application cannot be deleted from BIG-IP Next Central Manager | |
1089201 | 3-Major | BIG-IP Next HA instance in an HA configuration fails when control plane IP address is configured incorrectly | |
1087881 | 3-Major | Network API endpoints reject Content-Type application/hal+json | |
1086221-1 | 3-Major | Content-Type response header does not match documented in BIG-IP Next OpenAPI spec | |
1085753 | 3-Major | Overwritten application deployments display in applications list | |
1079873 | 3-Major | Text in first column of a BIG-IP Next Central Manager grid might overlap with text in subsequent columns | |
1078533-1 | 3-Major | Cannot delete a BIG-IP Next instance from BIG-IP Next Central Manager | |
1060829 | 3-Major | Unable to delete template from BIG-IP Next Central Manager if it was used for the application deployment | |
1058837 | 3-Major | Incorrect item count following application deletion and subsequent deletions fail | |
1057493 | 3-Major | 'HTTP::header insert' command does not work under ASM iRule events | |
1053009-1 | 3-Major | Transaction in progress message and dropped connections using Files API to upload a cert/key | |
1576273 | 4-Minor | No L1-Networks in an instance causes BIG-IP Next Central Manager upgrade to v20.2.0 to fail★ | |
1575549 | 4-Minor | BIG-IP Next Central Manager discovery requires an instance to have both Default L2-Network and Default L3-Network if either one already exists | |
1564157 | 4-Minor | BIG-IP Next Central Manager requires VELOS/rSeries systems to use an SSL certificate containing the host IP address in the CN or SANs list. | |
1560605 | 4-Minor | Global Resiliency functionality fails to meet expectations on Safari browsers | |
1498421 | 4-Minor | Restoring Central Manager (VE) with KVM HA Next instance fails on a new BIG-IP Next Central Manager | |
1498121 | 4-Minor | BIG-IP Next Central Manager upgrade alerts not visible in global bell icon | |
1490381-1 | 4-Minor | Pagination for iRules page not supported with a large number of iRules | |
1394625-1 | 4-Minor | Application service failes to deploy even if marked as green (ready to deploy) | |
1365445 | 4-Minor | Creating a BIG-IP Next instance on vSphere fails with "login failed with code 401" error message★ | |
1365417 | 4-Minor | Creating a BIG-IP Next VE instance in vSphere fails when a backslash character is in the provider username★ | |
1360709 | 4-Minor | Application page can show an error alert that includes "FAST delete task failed for application" | |
1360621 | 4-Minor | Adding a Control Plane VLAN must be done only during BIG-IP Next HA instance creation | |
1354645 | 4-Minor | Error displays when clicking "Edit" on the Instance Properties panel | |
1350365 | 4-Minor | Performing licensing changes directly on a BIG-IP Next instance | |
1325769 | 4-Minor | VLANs with a blank tag cannot be used to create a BIG-IP Next instance | |
1325713-1 | 4-Minor | Monthly backup cannot be scheduled for the days 29, 30, or 31 | |
1325369 | 4-Minor | Saved JSON Web Token licenses do not appear after upgrade | |
1306997 | 4-Minor | Deselecting the Tagged Interface when creating a BIG-IP Next HA instance on VELOS causes an error | |
1305761 | 4-Minor | While configuring a BIG-IP Next HA instance, the "Next" button is enabled while the instance is still checking node state | |
1305757 | 4-Minor | Configuring a BIG-IP Next HA instance from BIG-IP Next Central Manager returns an error | |
1294393 | 4-Minor | Sorting and filtering create instance tasks on the My Instances page | |
1294137 | 4-Minor | BIG-IP Next HA instance creation fails | |
1291473 | 4-Minor | Creating a BIG-IP Next HA instance with instances that have deployed applications | |
1284665-1 | 4-Minor | When adding a new BIG-IP Next instance, the error message from an unsuccessful addition attempt is not cleared | |
1235105 | 4-Minor | Endpoint grid is shown only for applications that use the HTTPS-Load-Balancing-Service template | |
1209649-1 | 4-Minor | Load More' button reloads data already on the page for FAST Apps on BIG-IP Next Central Manager | |
1137869 | 4-Minor | Attempting to create an application from BIG-IP Next Central Manager sometimes fails | |
1114841-2 | 4-Minor | Creating a BIG-IP Next HA instance from BIG-IP Next Central Manager fails | |
1113593 | 4-Minor | BIG-IP Next Central Manager cannot deploy an application to an unhealthy BIG-IP Next instance | |
1109633 | 4-Minor | Creating a BIG-IP Next HA instance on VE from BIG-IP Next Central Manager | |
1106477 | 4-Minor | Cannot control the order of the fields generated from a BIG-IP Next Central Manager application template | |
1104397 | 4-Minor | When creating a new application from BIG-IP Next Central Manager, the form might show the deployment status of an application created previously in the same session | |
1104393 | 4-Minor | Testing an application deployment from BIG-IP Next Central Manager and copying to clipboard | |
1090405 | 4-Minor | Error messages in logs: pem block and tls failed to find PEM data | |
1082417 | 4-Minor | Application status displays as deployed before it has been created | |
1227605 | 5-Cosmetic | Item count on the BIG-IP Next Central Manager My Apps and Instances pages shows -1 items | |
1113045 | 5-Cosmetic | BIG-IP Next Central Manager displays No Data for mgmt network interface metrics |
Known Issue details for BIG-IP Next v20.2.0
1576277 : Instance backup file creation fails after upgrade to v20.2.0
Component: BIG-IP Next
Symptoms:
Instance backup fails on BIG-IP Next Central Manager version 20.2.0 with message:
'Backup file creation failed'
Conditions:
A BIG-IP Next Central Manager version 20.1.1 and BIG-IP Next version 20.1.0
1. Upgrade the BIG-IP Next instances to version 20.2.0.
2. In the BIG-IP Next Central Manager UI, go to Infrastructure > Instances.
3. Create a backup file for the instance by selecting the desired BIG-IP Next instance, select the Actions menu, select Back Up & Schedule and input the required information.
4. Create a backup file for the instance by selecting the desired BIG-IP Next instance, click Actions and select Back Up & Schedule and input the required information.
5. In the BIG-IP Next Central Manager UI, go to Infrastructure > Instances > Backup & Restore.
Impact:
Instance backup file generation fails with message:
'Backup file creation failed"
Workaround:
Once you have upgraded the BIG-IP Next instances to version 20.2.0, you need to delete large image files as they prevent the successful backup. In addition, you need to delete the failed backup file.
You must send API calls to the instance to remove the large upgrade files and failed backup files before the backup will succeed. This example uses Postman to send the API calls. The following is an example procedure with variables {{ }} around them. You can use variables or insert the actual value for each request:
1. Send a login request to BIG-IP Next Central Manager and record the “access_token” from the response. This is used to make all other API calls.
a. Use the command POST https://{{remote-CM-address}}/api/login, or if no variables are used, then use the command POST https://10.145.69.227/api/login
b. The body for the request is a JSON object with the credentials for the user.
{ "username": "username", "password": "password" }
2. Send a request to BIG-IP Next Central Manager's inventory and identify the instance that you want to delete the file from. Record the “id” from the response. The access_token from the previous step is used as the Bearer Token for the request. Repeat this for all other requests as well:
GET https://{{remote-CM-address}}/api/device/v1/inventory
3. Delete the large image files and failed backup files. Send a request for the files present on the instance. Note the instance ID from the previous step is used in the request URL. In the response, record the "id" for the "file name" or "description" in the response. Example files:
- The upgrade image file: BIG-IP Next 20.2.0....tgz
- The original backup file: backup and restore of the system
GET https://{{remote-CM-address}}/api/device/v1/proxy/{{remote-Big-IP-Next-ID}}?path=/files
4. Send a request to delete the file on the instance. The file ID from the previous step and paste it to the end of delete URL. For example:
DELETE https://{{remote-CM-address}}/api/device/v1/proxy/{{remote-Big-IP-Next-ID}}?path=/files/644fcd02-fa38-4383-ac1c-f67e0c899e0d
5.Wait at least 20 minutes after the deletion before initiating steps to create another instance backup.
IMPORTANT NOTE: The file deletion process can take up to 20 minutes to complete. If the files are not fully deleted, the new backup attempt will fail.
6. If required, repeat step 4 to delete any other large files, unrelated to upgrade, such as QKView or core files.
1576273 : No L1-Networks in an instance causes BIG-IP Next Central Manager upgrade to v20.2.0 to fail★
Component: BIG-IP Next
Symptoms:
Upgrade to of BIG-IP Next Central Manager v20.2.0 fails.
Conditions:
BIG-IP Next Central Manager has an instance with no L1-Networks.
Impact:
Cannot upgrade to v20.2.0.
Workaround:
Add a blank DefaultL1Network to each instance using instance editor.
1575549 : BIG-IP Next Central Manager discovery requires an instance to have both Default L2-Network and Default L3-Network if either one already exists
Component: BIG-IP Next
Symptoms:
Discovering an instance on BIG-IP Next Central Manager requires the instance only be discovered if it is configured with neither Default L2-Network or Default L3-Network, or has both of them, and Default L2-Network be under the Default L3-Network.
Conditions:
A BIG-IP Next Central Manager user attempts to discover an instance they own. Before discovering this instance on BIG-IP Next Central Manager, the user configured it with an L2 Network named "Default L2-Network" and an L3 Network named something other than "Default L3-Network". When the user tries discovering the instance on CM, discovery failed noting that Default L2-Network was present, but no Default L3-Network.
Impact:
BIG-IP Next Central Manager cannot discover an instance if either one of "Default L2-Network" or "Default L3-Network" exist, but not both.
Workaround:
If a user configures an instance with an L2 Network named Default L2-Network, they should create an L3 network named Default L3-Network and have its L2 Network be the default L2. If neither exists, or both exist, and the Default L2 is under the Default L3, discovery succeeds.
1574685 : Generated WAF report can be loaded without text
Component: BIG-IP Next
Symptoms:
When generating a WAF report, the loaded print screen for PDF is displayed without text content.This issue is reported primarily on Mac OS and intermittently.
Conditions:
No specific conditions apply, it happens intermittently and mainly on Mac operating systems.
Impact:
The report doesn't contain text and is not usable.
Workaround:
Retry generating a WAF report.
1574681 : Dynamic Parameter Extract from allowed URLs doesn't show in the parameter in the WAF policy
Component: BIG-IP Next
Symptoms:
After successfully creating a dynamic parameter with its respective extract URLs, reentering the parameter settings won't show the saved extract URLs.
Conditions:
Configure a WAF policy parameter as 'Dynamic' with extract URLs.
Impact:
Inability to see configured extract URLs from the UI parameter configuration screen within the WAF policy.
Workaround:
Go to the WAF policy and select the Policy Editor from the Panel menu. Once in the policy editor, search for the key word "extractions": The JSON shows the parameter extraction with its respective extract URLs.
1574573 : Global Resiliency Group status not reflecting correctly on update
Component: BIG-IP Next
Symptoms:
After updating the Global Resiliency group, the group status may not immediately switch to "DEPLOYING," potentially causing the UI to inaccurately reflect the ongoing provisioning process, despite deployment being in progress.
Conditions:
During updates to the Global Resiliency group.
Impact:
Update Status of Global Resiliency Group is incorrect.
Workaround:
To mitigate this issue, wait for approximately 5 minutes after updating the Global Resiliency group. This will allow the DNS listener address to become available for the newly added instance.
1574565 : Inability to Edit Generic Host While Re-Enabling Global Resiliency
Component: BIG-IP Next
Symptoms:
Following the re-enabling of Global Resiliency from a previously disabled state, users are unable to simultaneously add or edit Generic Hosts.
Conditions:
During the re-enabling process of Global Resiliency.
Impact:
Unable to add or edit Generic Host information.
Workaround:
Refrain from making any changes to the Generic Host when re-enabling Global Resiliency from a previously disabled state.
After the application has been deployed, users can then proceed to add or modify Generic Hosts during the next application edit.
1572681-1 : Data Group Changes not getting reflected on BIG-IP after deployment when removing key-value pairs
Component: BIG-IP Next
Symptoms:
Once a Data Group is deployed to a BIG-IP instance as part of application deployment, upon changing the values. The data group is redeployed automatically to the BIG-IP instance. Now if a user adds a key or changes an existing key value those are getting re-deployed correctly but if the user is trying to delete a key that is not getting reflected in the BIG-IP instance.
Conditions:
A Data Group should be created and deployed to a BIG-IP instance and then the user tries to remove a row (key & value) from the Data Group.
Impact:
User will be able to add a key or change the value of an existing key but not remove an existing key.
Workaround:
If you want to remove a key-value pair, you must create a new Data Group, refer the new data group inside the SSL Orchestrator policy, and redeploy the SSL Orchestrator policy.
1569969-1 : WAF policy with default DoS profile cannot be migrated
Component: BIG-IP Next
Symptoms:
A WAF policy with a default L7 DoS profile cannot be imported/migration to BIG-IP Next Central Manager.
Conditions:
Migrate a virtual server containing a WAF policy and default DoS profile to BIG-IP Next Central Manager.
Impact:
During the application migration (application selection) step of the migration wizard:
- Application status is blue (application can be only saved as draft).
- WAF policy is underlined in yellow.
- WAF policy cannot be imported to BIG-IP Next Central Manager (skipped status).
1569589-1 : Default values of Access policy are not migrated
Component: BIG-IP Next
Symptoms:
Default values of an Access policy are not migrated to BIG-IP Next Central Manager.
Conditions:
Migrate a virtual server with an Access policy that contains default values.
Impact:
- Access Policy imported to BIG-IP Next Central Manager does not have default values populated.
- If the affected policy is deployed to a BIG-IP Next instance, it will use default values applied by BIG-IP Next.
Workaround:
From the BIG-IP Next Central Manager UI, you can edit Access policy values for property or leave it un-selected.
1567129 : Unable to deploy Apps on BIG-IP Next v20.2.0 created using Instantiation from v20.1.x★
Component: BIG-IP Next
Symptoms:
1. Install BIG-IP Next Central Manager with v20.1.x build BIG-IP-Next-CentralManager-20.1.1-0.0.1.
2. Deploy 2 tenants on rseries via IOD process with v20.1.x build(20.1.0-2.279.0+0.0.75) and 20.2.0 build(20.2.0-2.375.1+0.0.1). Configure L1-L3 during IOD process on both tenants.
3. Deploy FastL4 migrated app on the v20.2.0 tenant. Observed below error during deployment-
The task failed, failure reason: AS3-0007: AS3 Deploy Error: Failed to accept request on BIG-IP Next instance: {"code":422,"message":"At least one L3-network object must be configured before applying a declaration.","errors":[]}
Conditions:
If v20.2.0 BIG-IP Next was created using instantiation from BIG-IP Next Central Manager.
Impact:
Since there are no default objects created for v20.1.x BIG-IP Next Central Manager and v20.2.0 BIG-IP Next combination, the application creation will fail as it expects the presence of a VRF object.
Workaround:
1. Upgrade BIG-IP Next Central Manager to v20.2.0 and create VLANs by editing the BIG-IP instance and make sure to check the "Default VRF" check box.
1566745-1 : L3VirtualAddress set to ALWAYS advertise will not advertise if there is no associated Stack behind it
Component: BIG-IP Next
Symptoms:
L3VirtualAddress set to RHI Mode ALWAYS advertise will not advertise if there is no associated Application Stack behind it.
Conditions:
Configuration of RHI Mode to ALWAYS advertise on an L3VirtualAddress without an associated Application Stack.
Impact:
L3VirtualAddress will not be advertised as expected.
1564157 : BIG-IP Next Central Manager requires VELOS/rSeries systems to use an SSL certificate containing the host IP address in the CN or SANs list.
Component: BIG-IP Next
Symptoms:
BIG-IP Next Central Manager requires that virtualization providers use a valid SSL certificate. A self-signed certificate can also be explicitly accepted by BIG-IP Next Central Manager users, if the certificate otherwise passes SSL validation successfully.
When F5OS generates self-signed SSL certificates for its HTTPS services, it does not include the actual hostname or IP address in the Common Name or Subject Alternative Names (SANs) fields. As a result, this self-signed certificate will not pass SSL validation for strict TLS clients, because the HTTPS server name does not match any Subject names in the certificate.
Conditions:
A BIG-IP Next Central Manager user attempts to add a VELOS or rSeries system as a virtualization provider, when the VELOS or rSeries system is using the default self-signed certificate generated by the system.
Impact:
BIG-IP Next Central Manager cannot successfully add VELOS or rSeries systems as virtualization providers, and therefore cannot dynamically create new BIG-IP Next instances on VELOS or rSeries systems.
Workaround:
1. Create a self-signed SSL certificate that includes the F5OS system's actual IP address in the Subject Alternative Names (SANs) field. For example, the following steps can be used:
A. Save the following data into a file named “ip-san.cnf":
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = N/A
localityName = N/A
organizationName = Self-signed certificate
commonName = F5OS Self-signed certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = f5platform.host
B. Edit the file -- change the IP address at the end to be the IP address of the F5OS system. Optionally, other certificate fields may also be updated if the new cert should have specific values for them (e.g., commonName, organizationName, localityName, etc.).
C. Run the following command, to create the two certificate files "ip-san-cert.pem" and "ip-san-key.pem”:
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout ip-san-key.pem -out ip-san-cert.pem -config ip-san.cnf
2. In the VELOS Partition or rSerie s Hardware UI:
A. Navigate to the AUTHENTICATION & ACCESS -> TLS Configuration page.
B. Locate and update the "TLS Certificate" and "TLS Key" text boxes to the new Cert file & Key file, respectively.
C. The F5OS system will then use this new certificate with its HTTPS services.
1561053-1 : Application status migration status incorrectly labeled as green when certain properties are removed
Component: BIG-IP Next
Symptoms:
When migrating applications to BIG-IP Next, certain unsupported properties might be removed during the migration process, but the virtual server status is incorrectly labelled as "Ready for migration" (green status), rather than notify with a "Warning" (yellow status).
Conditions:
Migration of a UCS to BIG-IP Central Manager that contains application services with certain unsupported properties. Some examples are:
min-active-members
slow-ramp-time
Following migration, the following can be reviewed:
- Virtual server status is green ("Ready for migration")
- Virtual server contains configuration with tmsh objects that can be translated into AS3 classes supported in BIG-IP Next.
- tmsh objects that contain unsupported properties cannot be translated into configurable options for AS3 class.
AS3 Schema Reference: https://clouddocs.f5.com/bigip-next/latest/schemasupport/schema-reference.html
Impact:
Unsupported properties are silently dropped without logs and the status of the migration is incorrect (status is green, but should be yellow). The application service after migration might not be functional because of the missing properties.
1560605 : Global Resiliency functionality fails to meet expectations on Safari browsers
Component: BIG-IP Next
Symptoms:
Global Resiliency Group UI main pane goes under the left navigation in Safari browser.
Conditions:
When creating a Global Resiliency group in Safari browser.
Impact:
Not able to create Global Resiliency Group.
Workaround:
Use Chrome browser for creating Global Resiliency Group.
1560561 : Instance Manager and Security Manager roles are required to deploy Inspection Service with VLAN changes
Component: BIG-IP Next
Symptoms:
Security Manager alone cannot deploy the inspection service because inspection service depends on instance APIs.
Conditions:
When we navigate from inspection service to instance level screen, the instance API fails, and it does not show any instances in the grid as it does not meet the correct permissions required to access the API.
Impact:
Will not be able to deploy the inspection service.
Workaround:
Have security manager and instance manager as the roles.
1560493-1 : Inaccurate Reflection of Selfip Prefix Length in TMM Statistics and "ip addr" Output
Component: BIG-IP Next
Symptoms:
Changes to the prefix length of selfips are not reflected in TMM statistics or the "ip addr" output.
Conditions:
Configure an L1-network with VLAN and self-ip with a certain prefix, then altering the prefix length or subnet of the self-ip.
Impact:
The modifications made to the self-ip prefix length are not reflected in TMM statistics.
Workaround:
To address changes in self-ip subnets, it is necessary to delete the L1-network and subsequently re-add it.
1498421 : Restoring Central Manager (VE) with KVM HA Next instance fails on a new BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
The user cannot restore BIG-IP Next Central Manager for the first time.
Conditions:
BIG-IP Next Central Manager on VE managing instances which includes a KVM HA instance.
Impact:
For first time, user will not be able to restore the backup archive into a new BIG-IP Next Central Manager.
Workaround:
The user must perform a second restoration of the backup archive into a new BIG-IP Next Central Manager.
1498121 : BIG-IP Next Central Manager upgrade alerts not visible in global bell icon
Component: BIG-IP Next
Symptoms:
User of BIG-IP Next Central Manager not able to see the alerts sent by upgrade of BIG-IP Next Central Manager.
Conditions:
During upgrade of Central Manager from version 20.0.x to 20.1.x, it may encounter errors.
Impact:
Alerts does not reflect in the 'Global Bell Icon' if there are errors during BIG-IP Next Central Manager upgrade.
1495017 : BIG-IP Next Hostname, Group Name and FQDN name should adhere to RFC 1123 specification
Component: BIG-IP Next
Symptoms:
Hostname, Group Name and FQDN Name used in Global Resiliency feature should be lowercase.
Conditions:
Providing names for above mentioned fields with capital letters causes failure.
Impact:
Group creation or FQDN creation fails when capital letters are used in them.
Workaround:
Always create names with small letters and should adhere to RFC 1123 specification.
1495005 : Cannot create Global Resiliency Group with multiple instances if the DNS instances have same hostname
Component: BIG-IP Next
Symptoms:
The hostname is defaulted and cannot be modified when the hostname is not specified for the BIG-IP Next instances on BIG-IP Next Central Manager
Conditions:
Create a Global Resiliency Group with more than one BIG-IP Next instance with same name.
Impact:
Global Resiliency Group creation fails.
Workaround:
Make sure the hostname is set and unique for the BIG-IP Next instances going to be used in Global Resiliency Group creation.
1494997 : Deleting a GSLB instance results in record creation of GR group in BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
Deleting the BIG-IP instance from the "Infrastructure -> My Instances" will disrupt the Global Resiliency Configuration using those instances.
Conditions:
The issue occurs when an instance is deleted directly while it is being used in a Global Resiliency Configuration.
Impact:
Deleting the instance under these conditions will break the Global Resiliency feature, leading to DNS resolution failure for the GR Group.
Workaround:
Refrain from deleting the instances when they are currently being used in a Global Resiliency Group.
1492705 : During upgrading to BIG-IP Next 20.1.0, the BIG-IP Next 20.1.0 Central Manager failed to connect with BIG-IP Next 20.0.2 instance
Component: BIG-IP Next
Symptoms:
BIG IP Next 20.1.0 Central Manager is managing BIG-IP Next 20.0.2 instances.
When upgrading Next instance from BIG-IP 20.0.2 to BIG-IP 20.1.0, Central Manager failed to connect with the instance.
Conditions:
BIG IP Next 20.1.0 Central Manager managing BIG-IP Next 20.0.2 instances.
Impact:
Connection to BIG-IP Next instances fails.
Workaround:
Following is the workaround:
1. Start with BIG-IP Next Central Manager of 20.0.2 managing BIG-IP Next 20.0.2 instances
2. Upgrade Next instances of 20.0.2 version to 20.1.0 version
3. Upgrade Central Manager from 20.0.2 version to 20.1.0 version.
1491197 : Server Name (TLS ClientHello) Condition in policy shouldn't be allowed when "Enable UDP" option is selected in application under Protocols & Profiles
Component: BIG-IP Next
Symptoms:
Validation is not available in BIG-IP Next Central Manager for the mutually exclusive configurations "Enable UDP" in application and "TLS ClientHello" condition in SSL Orchestrator policies.
When we deploy Application with UDP enabled, then attach SSL Orchestrator policies to the application, it should not have "TLS Client Hello" condition based on "Server Name".
Conditions:
Below are the condition in sequence:
1. Create an application with UDP enabled
2. Create and Attach an sslo policy, to that application, which has "TLS ClientHello" condition based on "Server Name" and deployed to next instance.
Impact:
Traffic processing will not work as the configuration is not valid and will not be sent to TMM until fixed.
1491121 : Patching a new application service's parameters overwrites entire application service parameters
Component: BIG-IP Next
Symptoms:
When sending a PATCH API request to append an application service's parameters, all parameter are completely replaced with changes, rather than partially changing the parameters according to the PATCH request.
Conditions:
Use a PATCH API request to partially update application service parameters.
Deploy changes.
Impact:
If you send incomplete application service parameters, the changes will completely replace the existing parameters, and only partial parameters will be saved. This will lead to failed application service deployment as the parameters are incomplete.
Workaround:
When using the API request to change application service parameters, include in the body of the request full application service parameters, and not just partial changes.
1490381-1 : Pagination for iRules page not supported with a large number of iRules
Component: BIG-IP Next
Symptoms:
Pagination is not supported in the iRules data grid when 100s of iRules are configured to BIG-IP Next Central Manager.
Conditions:
This issue occurs when there are 100s of iRules on BIG-IP Next Central Manager, which do not fit in a single iRule view.
Impact:
If iRules data exceeds about 500, then all iRules data will be shown at once. So it will be difficult to find specific iRules.
Workaround:
Search for iRule name from the search bar to find a specific iRule.
1489945 : HTTPS applications with self-signed certificates traffic is not working after upgrading BIG-IP Next instances to new version of BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
HTTPS traffic is not working after upgrading the BIG-IP Next instances for the application service previously deployed using BIG-IP Next Central Manager version 20.0.x.
Conditions:
1. Install BIG-IP Next Central Manager version 20.0.x and add BIG-IP Next instance(s).
2. Deploy the HTTP application service with a self-signed certificate created on BIG-IP Next Central Manager to an instance.
3. Observed traffic is working fine.
4. Now upgrade from 20.0.x to the newest version and observe HTTPS had traffic stopped working.
Impact:
This impacts HTTPS application service traffic.
Workaround:
1. Upgrade BIG-IP Next Central Manager to latest version.
2. Create new self-signed certificates for the already deployed self-signed certificates through application services.
3. Replace the existing self-signed certificate in the application service with newly created self-signed certificate and re-deploy the application service.
4. After successfully re-deploying the application service, make sure traffic is working on the instance.
5. Delete the old self-signed certificate(s) created in the earlier versions of BIG-IP Next Central Manager.
1474801 : BIG-IP Next Central Manager creates a default VRF for all VLANS of the onboarded Next device
Component: BIG-IP Next
Symptoms:
BIG-IP Next Central Manager creates a default VRF for all VLANS of the onboarded Next device.
Conditions:
The user wants to use specific VLANS for application traffic.
Impact:
Users would not be able to select VLANS for an application.
Workaround:
1. User must create VLANs using /L1 Networks endpoint directly on BIG-IP Next, before adding the device to BIG-IP Next Central Manager.
2. The user can add the device to CM and choose the VLANs for SSL Orchestrator use cases.
Subsequently:
1. User should perform L1Network related operations on Next only.
1472669 : idle timer in BIG-IP Next Central Manager can log out user during file uploads★
Component: BIG-IP Next
Symptoms:
During a file upload, the UI idle timer will log out after ~ 20 minutes, possibly terminating the file upload, or making it appear as though the upload hasn't completed when it has.
Conditions:
Upload a file to BIG-IP Next Central Manager.
Impact:
File upload is incomplete.
Workaround:
Interact periodically with the UI by moving the mouse or pressing keys in the browser window during a file upload that takes longer than ~20 minutes. This will reset the idle timer and prevent the UI from terminating the user session.
1466305 : Anomaly in factory reset behavior for DNS enabled BIG-IP Next deployment
Component: BIG-IP Next
Symptoms:
Factory reset API does not bring TMM to default provisioned modules. DNS pods along with cne-proxy and cne-controller are not deleted.
Conditions:
BIG-IP Next cluster with DNS provisioned and WAF disabled.
Impact:
BIG-IP Next cluster with DNS provisioned will not go back to default deployment and user will have to deprovision DNS and re-provision WAF.
Workaround:
Deprovision DNS if cluster needs to go to factory defaults.
1403861 : Data metrics and logs will not be migrated when upgrading BIG-IP Next Central Manager from 20.0.2 to a later release
Component: BIG-IP Next
Symptoms:
In the version 20.1.0 of BIG-IP Next Central Manager, OpenSearch is replaced by Elasticsearch as the main storage for data metrics and logs.
Due to incompatibility between OpenSearch and Elasticsearch, metrics and logs that are stored on BIG-IP Next Central Manager in earlier versions will not be available after upgrading.
Conditions:
Upgrade BIG-IP Next Central Manager from a release version prior to 20.1.0.
Impact:
After the upgrade is complete, the data metrics and logs from the previous version will not be available on the upgraded BIG-IP Next Central Manager.
Workaround:
None.
1394945 : No Bot defense due to DNS resolving issue
Component: BIG-IP Next
Symptoms:
DNS name dynamic resolution issue in F5OS.
Conditions:
Specific to the rSeries/VELOS platforms.
Impact:
Bot reverse lookup is not working, and therefore no Bot defense enforcement.
Workaround:
None
1394625-1 : Application service failes to deploy even if marked as green (ready to deploy)
Component: BIG-IP Next
Symptoms:
Deployment fails for a migrated application service that is marked green (ready for deployment.
Conditions:
During application migration, upload a UCS with a virtual server that has clientssl profile attached that points to a cert/key pair with RSA 512 OR 1024 key (unsupported).
Complete the migration and pre-deployment process, and deploy the application service.
Impact:
The application service will not have a deployment location option and can only be saved as a draft.
1393389 : QKView creation for BIG-IP Next Central Manager might not complete
Component: BIG-IP Next
Symptoms:
When gathering a QKView from BIG-IP Next Central Manager it might not complete the process when one of executed sub-commands returns an error.
Conditions:
Execute QKView creation for BIG-IP Next Central Manager.
Impact:
Unable to gather a QKView from BIG-IP Next Central Manager.
Process returns error, see example:
"error: unable to upgrade connection: container not found ("fluentd")"
1366321-1 : BIG-IP Next Central Manager behind a forward-proxy
Component: BIG-IP Next
Symptoms:
Using "forward proxy" for external network calls from BIG-IP Next Central Manager fails.
Conditions:
When the network environment BIG-IP Next Central Manager is deployed in has a policy of routing all external calls through a forward proxy.
Impact:
BIG-IP Next Central Manager does not currently support proxy configurations, so you cannot deploy BIG-IP Next instances in that environment.
Workaround:
Allow BIG-IP Next Central Manager to connect to external endpoints by bypassing the "forward proxy" until BIG-IP Next Central Manager supports proxy configurations.
1365445 : Creating a BIG-IP Next instance on vSphere fails with "login failed with code 401" error message★
Component: BIG-IP Next
Symptoms:
Creating a BIG-IP Next VE instance in vShpere fails.
Conditions:
This happens when the randomly generated initial admin password contains an unsupported character.
Impact:
Creating a BIG-IP Next VE instance fails.
Workaround:
Try recreating the BIG-IP Next VE instance.
1365433 : Creating a BIG-IP Next instance on vSphere fails with "login failed with code 501" error message★
Component: BIG-IP Next
Symptoms:
Creating a BIG-IP Next VE instance fails and returns a code 503 error.
Conditions:
Attempting to create a BIG-IP Next VE instance from BIG-IP Next Central Manager when the vSphere environment has insufficient resources.
Impact:
Creating a BIG-IP Next VE instance fails.
Workaround:
Use one of the following workarounds.
- Retry creating the BIG-IP Next instance.
- Create the BIG-IP Next instance directly in the vSphere provider environment then add it to BIG-IP Next Central Manager.
1365417 : Creating a BIG-IP Next VE instance in vSphere fails when a backslash character is in the provider username★
Component: BIG-IP Next
Symptoms:
If you include a backslash character in the provider username when creating a BIG-IP Next VE instance creation fails because BIG-IP Next Central Manager parses it as an escape character.
Conditions:
Creating a BIG-IP Next VE instance that includes a backslash character in the provider username.
Impact:
Creation of the BIG-IP Next instance fails.
Workaround:
Do not use the backslash character in the provider username.
1365005 : Analytics data is not restored after upgrading to BIG-IP Next version 20.0.1
Component: BIG-IP Next
Symptoms:
After upgrading from BIG-IP Next version 20.0 to 20.0.1, analytic data is not restored.
Conditions:
After upgrading from BIG-IP Next version 20.0 to 20.0.1.
Impact:
Analytics data is not automatically restored after upgrading and cannot be restored manually.
1360709 : Application page can show an error alert that includes "FAST delete task failed for application"
Component: BIG-IP Next
Symptoms:
After you successfully delete a BIG-IP Next instance that has application services deployed to it, an alert banner on the Applications page states that the delete task failed even though it's successful.
Conditions:
Delete a BIG-IP Next instance and then navigate to the Applications page.
Impact:
This can cause confusion.
1360621 : Adding a Control Plane VLAN must be done only during BIG-IP Next HA instance creation
Component: BIG-IP Next
Symptoms:
If you attempt to edit a BIG-IP Next HA instance properties to add a Control Plane VLAN, it fails.
Conditions:
Editing the properties for an existing BIG-IP Next VE HA instance and attempting to add a Control Plane VLAN.
Impact:
The attempt to edit/add Control Plane VLAN fails.
Workaround:
Create the Control Plane VLAN when you initially create the BIG-IP Next HA instance.
1360121-1 : Unexpected virtual server behavior due to removal of objects unsupported by BIG-IP Next
Component: BIG-IP Next
Symptoms:
The migration process ensures that application services are supported by BIG-IP Next. If a property value is not currently supported by BIG-IP Next, it is removed and is not present in the AS3 declaration. If the object was a default value, the object is replaced by a default value that is supported by BIG-IP Next.
Conditions:
1. Migration a UCS archive from BIG-IP to BIG-IP Next Central Manager.
2. Review the AS3 declaration during the Pre Deployment staged.
Example for "cache-size" property of "web-acceleration" profile:
- BIG-IP config cache-size = 500mb OR 0mb
- AS3 schema supported range = 1-375mb
- BIG-IP Next stack (clientSide/caching/cacheSize) supported range 1-375mb
- AS3 output created by migration does not produce "cacheSize" property if cache-size is greater than 375mb or lower than 1mb.
- Deployment of AS3 declaration uses BIG-IP Next defaults in both cases (cache-size 375 or 0mb)
Impact:
Default values of virtual server's objects may change, impacting virtual server's behavior.
Workaround:
Although you cannot use values which are unsupported by BIG-IP Next, you can update the AS3 declaration with missing properties to specify values other than default ones added during the migration process.
To do so, read: https://clouddocs.f5.com/bigip-next/latest/schemasupport/schema-reference.html
to modify AS3 declaration by adding missing properties and specifying values within supported range.
1360097-1 : Migration highlights and marks "net address-list" as unsupported, but addresses are converted to AS3 format
Component: BIG-IP Next
Symptoms:
Objects of a type: "net address-list" are incorrectly marked as unsupported, while virtual servers in AS3 output contain the property "virtualAddresses".
Conditions:
If an address list is used to configure a virtual server, it will be highlighted as unsupported in the configuration editor even if it is properly translated to AS3 "virtualAddresses" property.
Example of the object:
net address-list /tenant3892a81b1f9e6/application_11/IPv6AddressList {
addresses {
fe80::1ff:fe23:4567:890a-fe80::1ff:fe23:4567:890b { }
fe80::1ff:fe23:4567:890c { }
fe80::1ff:fe23:4567:890d { }
}
description IPv6
}
Example of an AS3 property:
"virtualAddresses": [
"fe80::1ff:fe23:4567:890a-fe80::1ff:fe23:4567:890b",
"fe80::1ff:fe23:4567:890c",
"fe80::1ff:fe23:4567:890d"
],
Impact:
- The object is translated to virtualAddresses property in the AS3, but an application is marked as yellow.
- The object is translated, but one of the values from the address list is not supported on BIG-IP Next (IPv6 value range)
Workaround:
Verify that all addresses from 'net address-list' object are configured as "virtualAddresses" property value list in the AS3 output.
Verify that all addresses from 'net address-list' are supported on BIG-IP Next. Remove or modify virtualAddresses value list if needed.
1360093-1 : Abbreviated IPv6 destination address attached to a virtual server is not converted to AS3 format
Component: BIG-IP Next
Symptoms:
Service class in AS3 output does not have 'virtualAddresses' property, for example:
"Common_virtual_test": {
"snat": "none",
"class": "Service_TCP",
"profileTCP": {
"use": "/tenant017b16b41f5c7/application_9_SMtD/tcp_default_v14"
},
"persistenceMethods": []
}
Conditions:
Migrate an application service with abbreviated IPv6 address:
ltm virtual-address /tenant017b16b41f5c7/application_9_SMtD/aa::b {
address aa::b
arp enabled
traffic-group /Common/traffic-group-1
Impact:
Virtual server is misconfigured, no listener on a specific IP address is created.
Workaround:
All application services containing virtual servers configured with abbreviated IPv6 addresses should be updated once they are migrated to BIG-IP Next Central Manager.
Go to Applications -> My Application Services, find your application service name and edit it.
Find your virtual server name and update it with a property
"virtualAddresses": [
"aa::b",
]
like this:
"Common_virtual_test": {
"snat": "none",
"class": "Service_TCP",
"virtualAddresses": [
"aa::b",
],
"profileTCP": {
"use": "/tenant017b16b41f5c7/application_9_SMtD/tcp_default_v14"
},
"persistenceMethods": []
}
1359209-1 : The health of application service shown as "Good" when deployment fails as a result of invalid iRule syntax
Component: BIG-IP Next
Symptoms:
When an application servvice with an invalid iRule is deployed to an instance from BIG-IP Next Central Manager, deployment is shown as successful but the post deployment iRule validation failed on the instance. Health status should be changed to "Critical/Warning" but it is still shown as "good".
Conditions:
Deploy an application service with an invalid iRule.
Impact:
Incorrect status of the application service is shown in the My Application Services page.
Workaround:
Always try to use a valid iRule when deploying to BIG-IP Next.
1358985-1 : Failed deployment of migrated application services to a BIG-IP Next instance
Component: BIG-IP Next
Symptoms:
Deployment of a migrated application service to a BIG-IP Next instance might fail even if the declaration is valid. This can occur after the application service was successfully saved as draft on BIG-IP Next Central Manager
The following can appear in the deployment logs:
- No event with error code from deployment to instance in migration logs
- 202 response code "in progress" from deployment to instance in migration logs
- 503 response code "Configuration in progress" from deployment to instance in migration logs
Conditions:
1. Migrate an application service during a migration session
2. Select a deployment location and deploy the application service.
Review the migration log: the application service was successfully saved to BIG-IP Next Central Manager, but the deployment to the selected location failed with error.
Impact:
There are 3 different errors that can result in the deployment logs (Deployment Summary>View logs):
Reason 1:
Migration process started.
Application: <application name> saved as draft to BIG-IP Next Central Manager.
Migration process failed.
Reason 2:
Migration process started
Application: <application name> saved as draft to BIG-IP Next Central Manager.
Log Message: Deployment to <BIG-IP Next IP address> failed with the error: '{'code': 202, 'host': '<hostname>, 'message': 'in progress', 'runTime': 0, 'tenant': '<tenant name>'}'.
Migration process failed.
Reason 3:
If you are currently processing the same AS3 declaration sent from a different source or migration session:
Migration process started.
Application: <application name> saved as draft to BIG-IP Next Central Manager.
Log message: Deployment to <BIG-IP Next IP address> failed with the error: '{'code': 503, 'errors': [], 'message': 'Configuration operation in progress on device, please try again later.'}'.
Migration process failed.
Workaround:
The application service was successfully saved as a draft on BIG-IP Next Central Manager.
You can go to My Application Services, select the application service that failed to deploy, and deploy the application service to a selected instance location.
1355605 : "NO DATA" is displayed when setting names for appliction services, virtual servers and pools, that exceed max characters
Component: BIG-IP Next
Symptoms:
"NO DATA" is displayed in the application metrics charts when setting a name that exceeds 33 characters for an application service, pool, or virtual server.
Conditions:
1. Create an application service with a virtual server and a pool.
2. Set the name of each of the objects above to be 34 characters or longer.
3. Add an endpoint to the pool.
4. Deploy the application service, and wait for the application service to pass traffic.
Impact:
"NO DATA" is displayed in the application service, pool and virtual server data metrics charts.
Workaround:
When creating an application the names of the application services, pools and virtual servers cannot exceed 33 characters.
1354645 : Error displays when clicking "Edit" on the Instance Properties panel
Component: BIG-IP Next
Symptoms:
When editing the properties of a BIG-IP Next instances page, a "Error: unsupported platform type" displays.
Conditions:
When viewing the Instances page, the BIG-IP Next instance's hostname to view its properties. On the Instance Properties panel, click the Edit button.
Impact:
This can cause confusion.
Workaround:
Wait for the BIG-IP Next instance's hostname to load on Instance Properties panel before clicking the Edit button.
1354265 : The icb pod may restart during install phase
Component: BIG-IP Next
Symptoms:
The icb may generate a core during the install phase which will cause a restart of icb pod. However, we have observed icb to restart fine with no issues.
Conditions:
The issue is seen during the upgrade install.
Impact:
Post-first panic, icb restarts fine and no known bad impact is observed.
Workaround:
None
1353589 : Provisioning of BIG-IP Next Access modules is not supported on VELOS, but containers continue to run
Component: BIG-IP Next
Symptoms:
1) Containers that belong to the BIG-IP Next Access module keep running on BIG-IP Next all the time on VELOS & rSeries.
2) On VE, the containers run only if the BIG-IP Next Access module is provisioned using: /api/v1/systems/{systemID}/provisioning api
Conditions:
This is observed all the time when BIG-IP Next is deployed on VELOS/r-series.
Impact:
Containers that belong to the BIG-IP Next Access module keep running all the time and this can lead to wastage of resources on VELOS & rSeries.
Workaround:
If you do not want to run BIG-IP Next Access containers as part of a BIG-IP Next tenant deployment, you can use this workaround before installing the tenant:
1) Run the following command on the standby controller:
sed -i 's/access: true/access: false/g' /var/F5/partition<partition-ID>/SPEC/<IMAGE_VERSION>. yaml
2) Trigger failover from partition cli ->:
system redundancy go-standby
3) Install the tenant.
1352969 : Upgrades with TLS configuration can cause TMM crash loop
Component: BIG-IP Next
Symptoms:
After upgrading from a version prior to 20.0.1, connection is lost.
Conditions:
- Keys and certificates are configured as files in TLS configuration.
- Upgrading from a version prior to 20.0.1.
Impact:
An error similar to the following is logged: Failed to connect to <IP address port: xx> No route to host
Workaround:
After upgrading, reconfigure the private key files so that validation properly occurs.
Fix any existing mismatch keys and certificates.
1350365 : Performing licensing changes directly on a BIG-IP Next instance
Component: BIG-IP Next
Symptoms:
BIG-IP Next Central Manager will become out of sync with a managed BIG-IP Next instance if you perform licensing actions directly to the BIG-IP Next instance.
Conditions:
Add a BIG-IP Next instance to BIG-IP Next Central Manager. Perform licensing actions directly on the BIG-IP Next instance.
Impact:
BIG-IP Next Central Manager is no longer synchronized with its managed instance.
1350285-1 : Traffic is not passing after the tenant is licensed and network is configured
Component: BIG-IP Next
Symptoms:
After configuring and licensing the BIG-IP Next tenant, such as after an upgrade, traffic is not passing.
Conditions:
A BIG-IP Next tenant is configured without vlans, and a /PUT to create the L1 networking interface is performed; and then vlans are later allocated to the tenant. In this scenario, the (later-) allocated vlans will not take effect for the previously configured L1 network interface.
Impact:
Data traffic associated with the later-added vlans will not be processed.
Workaround:
Workaround is to allocate vlans to the BIG-IP Next tenant before the /PUT call to create the L1 network interface; at which point the L1 network interface will be associated with a vlan allocated to that BIG-IP Next instance.
1329853-1 : Application traffic is intermittent when more than one virtual server is configured
Component: BIG-IP Next
Symptoms:
After deploying an application containing multiple virtual servers, only one of the virtual servers responds to clients.
In the Central Manager GUI, one virtual server is marked as red and the other is marked as green, even though you can ping all of the pool members for each of the virtual servers.
Conditions:
-- The application contains multiple virtual servers
-- The virtual addresses for each of the virtual servers is identical and the port is identical
Alternatively, you could encounter this by deploying two different applications where the virtual address and port are identical.
Impact:
The application will deploy without error even if an IP address/port conflict occurs, and traffic will be disrupted to one or both of the virtual addresses.
Workaround:
Assign different virtual addresses and/or virtual ports for different application services. If any two existing applications has same listeners defined, you can change the data by adding unique listeners and re-deploy.
1326385 : Floating self-IP address for a BIG-IP Next HA instance
Component: BIG-IP Next
Symptoms:
Traffic does not pass to a newly-created BIG-IP Next HA instance.
Conditions:
When you do not use the existing floating self IP address when creating a BIG-IP Next HA instance and instead specifying the existing floating self-IP in the "Active Node IP Address" or "Standby Node IP Address" fields.
Impact:
Creation of the BIG-IP Next HA instance appears successful, but traffic does not flow.
Workaround:
Always assign the existing floating self IP as the "Floating IP Address".
1325769 : VLANs with a blank tag cannot be used to create a BIG-IP Next instance
Component: BIG-IP Next
Symptoms:
Creation of a BIG-IP Next HA instance fails.
Conditions:
1. From BIG-IP Next Central Manager, navigate to Infrastructure > My Instances > Start adding instances > Create a new instance
2. When you reach the Networking page add VLANs but leave the tags blank.
5. Continue creating the instance then Deploy.
Impact:
Creation fails with an error saying the tag must be an integer.
Workaround:
Instead of leaving the tag blank, use the number 0 to represent an untagged VLAN.
1325713-1 : Monthly backup cannot be scheduled for the days 29, 30, or 31
Component: BIG-IP Next
Symptoms:
You cannot schedule a monthly backup on the last 3 days of the month (29, 30, or 31) because some months do not contain these days (for example, February).
Conditions:
Creating a monthly backup schedule from BIG-IP Next Central Manager that contains the days 29, 30, or 31.
Impact:
If you select these days for your schedule, BIG-IP Next Central Manager returns a 500 error.
1325369 : Saved JSON Web Token licenses do not appear after upgrade
Component: BIG-IP Next
Symptoms:
After upgrading BIG-IP Next Central Manager using the backup and restore feature, saved JWT licenses do not appear.
Conditions:
Upgrading BIG-IP Next Central Managing using the backup and restore feature.
Impact:
Saved JWT license tokens are missing.
Workaround:
Re-add the JWT licenses to BIG-IP Next Central Manager.
1325297 : Metrics are missing for application services with names longer than 24 characters
Component: BIG-IP Next
Symptoms:
When viewing data metrics for an application service with a name longer than 24 characters, no data is displayed in the charts.
Conditions:
1. Create an application service with a name that uses more than 24 characters.
2. Deploy the application service and collect traffic data.
3. View the application service's data metrics.
Impact:
No data metrics are displayed in the application service's charts.
Workaround:
When you create an application service, do not use more than 24 characters for the application service name.
1324545-1 : L3 validation fails after a BIG-IP Next HA instance fails over
Component: BIG-IP Next
Symptoms:
After a BIG-IP Next HA instance fails over to the standby node, L3 network validation fails with the following error:
Validating L3 networks failed due to VLAN duplication.
Conditions:
BIG-IP Next HA instance fails over to the standby node.
Impact:
You cannot send a new config due to a configuration error.
1321417-1 : Cannot use WAF modules on VELOS on deploying tenant with 10 CPUs
Links to More Info: BT1321417
Component: BIG-IP Next
Symptoms:
Cannot use WAF functionality on a BIG-IP Next tenant installed on VELOS when the number of CPUs assigned to tenant is not one of these values: 4, 8, 12, 18, 22.
Conditions:
Install a BIGIP-Next tenant on VELOS with an unsupported CPU core count. Supported CPU values are [4, 8, 12, 18, 22].
Impact:
Cannot configure WAF policies for a BIG-IP Next tenant.
Workaround:
Install a BIG-IP Next tenant with CPUs of the following values: [4, 8, 12, 18, 22 ]
1306997 : Deselecting the Tagged Interface when creating a BIG-IP Next HA instance on VELOS causes an error
Component: BIG-IP Next
Symptoms:
If you deselect the Tagged Interface for the Data Plan VLAN when creating a BIG-IP Next HA instance on VELOS, you get an error.
Conditions:
Configure a BIG-IP Next HA instance on VELOS and deselect the Tagged Interface for the Data Plane VLAN.
Impact:
Submitting this invalid task will result in an error.
Workaround:
Always select the Tagged Interface when creating a BIG-IP Next HA instance on VELOS.
1306317-1 : Telemetry services with invalid hostnames are not rejected by the API
Component: BIG-IP Next
Symptoms:
Add services with invalid hostnames, the API response is 202, but it should be 400 Bad Request.
Conditions:
Add services with bad hostnames, for example "host name" or ".10.10.10".
Impact:
BIG-IP Next did not successfully set up the logging destination, so the customer will not see their logs getting streamed to the third-party destination.
The services are not added in the otel config but will show up in the BIG-IP Next config. The service creation failed messages can be found in the debug log.
1306229 : Updating a self-IP address on a BIG-IP Next instance that was created from BIG-IP Next Central Manager does not work
Component: BIG-IP Next
Symptoms:
If you create a BIG-IP Next instance from BIG-IP Next Central Manager and then later update the instance's self-IP address, the update does not return an error, but the self-IP address is not updated as expected.
Conditions:
1. Create an instance from BIG-IP Next Central Manager with VLANs.
2. Edit the BIG-IP Next instance with a new self-IP Address.
3. Deploy the edit request.
Impact:
The self-IP address is not updated.
Workaround:
Create a new instance with the updated self-IP address and delete the old instance.
1305761 : While configuring a BIG-IP Next HA instance, the "Next" button is enabled while the instance is still checking node state
Component: BIG-IP Next
Symptoms:
When creating a BIG-IP Next HA instance, you're not prevented from advancing through the process by clicking the Next button even when the standby node's health has not yet been verified. If the standby node has important data, such as running apps, you may not see a warning and may overwrite that data unintentionally.
Conditions:
Creating a BIG-IP Next HA instance from BIG-IP Next Central Manager.
Impact:
You're allowed to navigate past this step without seeing warning messages if the secondary node has critical data, including apps.
Workaround:
Wait for the check to complete.
1305757 : Configuring a BIG-IP Next HA instance from BIG-IP Next Central Manager returns an error
Component: BIG-IP Next
Symptoms:
While configuring a BIG-IP Next HA instance, the VLANs page might display green check marks indicating a valid configuration even though self-IP addresses have not yet been entered.
Conditions:
Attempting to configure a BIG-IP Next HA instance.
Impact:
An error is returned.
Workaround:
Enter self-IP addresses when configuring a BIG-IP Next HA instance.
1296721 : App template default values can override configured properties for existing applications upon redeploy
Component: BIG-IP Next
Symptoms:
The app wizard is incorrectly loading default values from app templates. When the application is re-deployed, the configured settings are overridden by the default settings.
Conditions:
An application has been created and values other than default the values have been configured. When the application is redeployed it uses default values.
Impact:
User may deploy incorrect values when redeploying an app.
Workaround:
Re-enter expected values before re-deploying. Check the Summary page to confirm that the values are correct.
1294565 : After upgrading, login api may return 401 with correct credentials
Component: BIG-IP Next
Symptoms:
After upgrading a BIG-IP Next HA instance from version 0.12.0 to version 0.13.0, you might get 401 authentication error.
Conditions:
Upgrading BIG-IP Next HA instance from version 0.12.0 to 0.13.0.
Impact:
Traffic is not passed.
Workaround:
N/A
1294393 : Sorting and filtering create instance tasks on the My Instances page
Component: BIG-IP Next
Symptoms:
Unable to filter or sort create instance tasks on the My Instances page.
Conditions:
Navigate to Infrastructure > Instances screen. Create instance tasks that were performed in the last 15 minutes display.
Impact:
Running/failed create instance tasks from the last 15 minutes always appear at the bottom of the My Instances page.
1294137 : BIG-IP Next HA instance creation fails
Component: BIG-IP Next
Symptoms:
BIG-IP Next HA instance creation fails if you select more than one floating IP address for a Traffic VLAN.
Conditions:
Selecting more than one floating IP address for a Traffic VLAN when creating a BIG-IP Next HA instance.
Impact:
BIG-IP Next HA creation fails.
Workaround:
Select only one floating IP address for a Traffic VLAN when creating a BIG-IP Next HA instance.
1294081-1 : AS3 applications configured with HTTP2 and TLS do not function
Component: BIG-IP Next
Symptoms:
AS3 incorrectly configures the application object (/api/v1/applications) with the TLS setting enabled. This setting causes a TMM validation error and the HTTP2 application is not functional.
Conditions:
Application object (/api/v1/applications) properties:
- serverSide.http2.enforceTLSRequirements is set to "true"
- missing "serverSide.tls" property
Impact:
You cannot use AS3 to setup an HTTP2 application with TLS enabled.
1293901 : If pool member/endpoint name is omitted, app creation/edit screen might crash
Component: BIG-IP Next
Symptoms:
When creating apps that include Endpoints (pool members), users must enter a name for each pool member even though the field is not marked as required. If there is more than one pool member and at least one pool member does not have a name, the page crashes and shows a white screen until the user navigates away or refreshes the page.
Conditions:
There is more than one pool member in the app and at least one pool member does not have a name.
Impact:
Users are unable to safely create pool members with no name.
Workaround:
Add a name to every pool member.
1293137 : At least one toggle field on every page needs to be visited before the application can deploy successfully
Component: BIG-IP Next
Symptoms:
When you create an application using the `http` template in the Examples set, you will need to edit at least one toggle on every page for the application to be deployed. The page needs to have been edited for the deploy to be enabled.
Conditions:
Deploying an app using `http` template under `Examples`
Impact:
In the summary page, you may see that some modules are not set to true or false and deploy may not be enabled.
Workaround:
Edit at least one of the toggle fields on each page in the workflow before attempting to deploy the application.
1291621 : Cannot delete certificate after removing BIG-IP Next instance from BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
After removing a BIG-IP Next instance from BIG-IP Next Central manager, certificates found on applications associated with the deleted instance cannot be removed successfully from BIG-IP Next Central Manager.
Conditions:
1.Install the certificate on BIG-IP Next Central Manager.
2.Create application with template that supports certificates.
3.Deploy the application to a BIG-IP Next instance.
4.Remove the BIG-IP Next instance from BIG-IP Next Central Manager (associated applications are removed from the My Apps page on the BIG-IP Next Central Manager, but still exist on the BIG-IP Next instance).
5.Try to remove the deleted certificate directly from the BIG-IP Next Central Manager.
Impact:
Trying to delete a certificate used by an application hosted on a BIG-IP Next instance and then deleted from the BIG-IP Next Central Manager will not be successful.
1291473 : Creating a BIG-IP Next HA instance with instances that have deployed applications
Component: BIG-IP Next
Symptoms:
If you create a BIG-IP Next HA instance from existing BIG-IP Next instances with deployed applications, BIG-IP Next Central Manager removes the applications from the standby BIG-IP Next instance with or without a warning message. In addition, BIG-IP Next Central Manager might not display previously configured VLANs for selection.
Conditions:
Create a BIG-IP Next HA instance with existing instances that have deployed applications.
Impact:
BIG-IP Next Central Manager deletes the applications to the standby BIG-IP Next instance in the BIG-IP Next HA configuration and does not display previously configured VLANs for selection.
Workaround:
To work around this, click "Previous" during the workflow to create a BIG-IP Next HA instance to return to the previous step, then press "Next" again. The VLANs display properly, allowing you to select them.
1286181-1 : Add a service with Transport Layer Security (TLS), but one or more of the certs is missing or invalid
Component: BIG-IP Next
Symptoms:
Successfully add a new service to the BIG-IP Next configuration, but no logs are created.
Conditions:
Add a service that includes TLS, but the certificate, private key, or root certificate authority is missing or invalid.
Impact:
Users might be confused with the newly added service, because it appears to have been added to the BIG-IP Next configuration. But the service is not added to the otel config and no otel telemetry service is created. Therefore no logs are exported.
1286173-1 : Telemetry services that do not exist appear to have been deleted using an API call
Component: BIG-IP Next
Symptoms:
Attempt to delete a service UUID that does not exist. BIG-IP Next returns "SUCCEEDED" even though the delete task fails.
Conditions:
Delete a service that does not exist in the BIG-IP Next configuration. (for example DELETE https://{{SERVER}}/api/v1/services/00000000-0000-0000-0000-000000000000)
Impact:
The services are not deleted but no error is returned.
1284665-1 : When adding a new BIG-IP Next instance, the error message from an unsuccessful addition attempt is not cleared
Component: BIG-IP Next
Symptoms:
If you use an incorrect username for BIG-IP Next Central Manager and try to add a new BIG-IP Next instance, an error is returned.
If you fix BIG-IP Next Central Manager user name, you can successfully add an instance but the error still displays.
Conditions:
Add a new BIG-IP Next instance when there is an error from the previous instance discovery process.
Impact:
BIG-IP Next Central Manager displays an error that could cause confusion.
Workaround:
When the alert for the error shows up while adding a BIG-IP Next instance, dismiss the error alert.
1283629-1 : Deploying an application with the same name as another deployed application fails
Component: BIG-IP Next
Symptoms:
When attempting to deploy an application that has been validated, it fails.
Conditions:
Attempting to deploy a valid application that has the same name as another deployed application.
Impact:
Unable to deploy application even though it appears to have validated successfully.
Workaround:
All applications must have unique names. Do not create an application with the same name as an application that is already deployed.
1280713 : VELOS high availability (HA) cluster goes into active/active after upgrade★
Component: BIG-IP Next
Symptoms:
VELOS high availability (HA) cluster goes into active/active after upgrade and can put the nodes/tenants can be in an unhealthy state.
Conditions:
After First Upgrade: Always
After Second Upgrade: Not Always
Impact:
As the two nodes are in active/active, a failover cannot be performed and both nodes might try to behave as primary.
Workaround:
Take the BIG-IP Next instances out of the HA configuration, upgrade each standalone BIG-IP Next instance, and recreate the BIG-IP Next HA instance on VELOS.
1271477 : BIG-IP Next instance on VELOS reports unhealthy status if upgrade fails★
Component: BIG-IP Next
Symptoms:
If the operation fails when upgrading from BIG-IP Next software version 0.10.0 to 0.11.0 or 0.12.0, the VELOS tenant is marked as unhealthy.
Conditions:
-- BIG-IP Next instance is running software version 0.10.0.
-- You upgrade to software version 0.11.0 or 0.12.0.
-- The upgrade operation fails.
Impact:
The BIG-IP Next VELOS tenant is reported as unhealthy.
Workaround:
You can work around this issue by retrying BIG-IP Next tenant upgrade to version 0.11.0 or 0.12.0 using these steps:
1. Initiate upgrade from version 0.10.0 to 0.11.0 or 0.12.0.
2. SSH into the active member of the high availability (HA) configuration.
3. If upgrade is successful (i.e., version 0.11.0 or 0.12.0 is marked 'deployed' in helm history), nothing needs to be done:
watch "helm history <tenant_name> -n <partition_number>"
4. If upgrade fails for some reason, the operation automatically triggers rollback to version 0.10.0 (i.e., the last release is marked 'pending rollback' in helm history). At this point, perform the following procedure:
4.1. Stop the FCDN service on the tenant:
oc scale deployment <tenant_name>-f5-fcdn-sync -n <partition_number> --replicas=0
4.2. SSH into the partition's blade.
4.3. Check whether the FCDN backup is available:
ls /mnt/disks/<partition_number>/f5-upgrade-hooks/backup/f5-fcdn-config.tar
4.4 If f5-fcdn-config.tar is not available, the upgrade failed due to a different reason.
Important: This workaround is intended for use only with this specific failure. It is not applicable to any other type of failure, so you should stop here if the .tar is not available.
4.5. If f5-fcdn-config.tar is available, back up existing FCDN config files and clear them:
cd /mnt/disks/<partition_number>/f5-fcdn-config
tar -cf ../f5-fcdn-config.tar *
rm -rf *
4.6. Restore the FCDN config backup:
tar -xf /mnt/disks/<partition_number>/f5-upgrade-hooks/backup/f5-fcdn-config.tar -C /mnt/disks/<partition_number>/f5-fcdn-config
4.7. Restart the FCDN service:
oc scale deployment <tenant_name>-f5-fcdn-sync -n <partition_number> --replicas=1
4.8. Wait for FCDN to come up:
oc get pods -n <partition_number> | grep <tenant_name>-f5-fcdn-sync
6. Monitor rollback progress:
watch "helm history <tenant_name> -n <partition_number>"
7. Once rollback is completed (i.e., the last release is marked 'deployed' in helm history), the system should be back up and running BIG-IP Next software version 0.10.0.
1268361 : API GET /upgrade/systems/{system_id}/stats/{type} is VE specific only★
Component: BIG-IP Next
Symptoms:
The upgrade statistics API is not available for BIG-IP Next instances on VELOS; invoking this API results in an error.
Conditions:
Attempting to get upgrade statistics for VELOS BIG-IP Next tenants.
Impact:
You cannot get upgrade stats like you can for BIG-IP Next VE.
Workaround:
For BIG-IP Next instances on VELOS, use the VELOS tenant APIs to receive upgrade status.
1267981 : BIG-IP Next pool monitors use management network as fallback
Component: BIG-IP Next
Symptoms:
Monitor traffic goes across the management network.
Conditions:
When no data-plane route is found, the pool monitor will use the management network.
Impact:
F5 strongly discourages you to configure a health monitor to send probes using the management network because the management network is not intended for production traffic. F5 recommends that the pool members/nodes reside on a network that is reachable through TMM interfaces so health monitor probes are sent through TMM interfaces.
Workaround:
Ensure a data-plane route is configured before configuring the application.
1251181 : VLAN names longer than 15 characters can cause issues with troubleshooting
Component: BIG-IP Next
Symptoms:
If the VLAN name is longer than 15 characters, traffic originating from the debug-sidecar will not work correctly and can cause issues with troubleshooting.
Conditions:
The user creates an L1 network with a VLAN that has a name longer than 15 characters.
Impact:
Traffic that originates from the debug sidecar will not work correctly.
For example, if an internal VLAN is configured with a long name, the name in the output from 'ip addr' and 'ip route' on the debug sidecar will show a truncated name. Additionally, if a ping is attempted to a destination that is connected using this VLAN, the ping packets will be dropped and ping will fail.
Workaround:
Use VLAN names less than 16 characters long.
1235105 : Endpoint grid is shown only for applications that use the HTTPS-Load-Balancing-Service template
Component: BIG-IP Next
Symptoms:
When you open the application properties screen and select the Endpoints (Pool Members) tab, the Endpoints grid does not appear.
Note that the grid appears correctly when you open the application properties screen for an application that uses the HTTPS-Load-Balancing-Service template.
Conditions:
Create an application on BIG-IP Next Central Manager using any template other than HTTPS-Load-Balancing-Service.
Impact:
The endpoints grid is not shown under "Endpoints (Pool Members)" section for the application's details.
1235089 : Selected signatures for cookies are not added to overriden signature section
Component: BIG-IP Next
Symptoms:
When creating a cookie with overridden signatures from BIG-IP Next Central Manager, the signatures are not included in the overridden signatures list when the cookie is created.
Conditions:
Create a WAF policy cookie with an override signature list from BIG-IP Next Central Manager.
Impact:
The overridden signature list for the cookie are not included.
Workaround:
1) From BIG-IP Next Central Manager, create a cookie without the signature override. After the cookie is created, edit the cookie to add signatures.
2) Manually create a cookie with signature overrides.
1234093 : BIG-IP Next Central Manager iRules do not support double quote characters
Component: BIG-IP Next
Symptoms:
Deploying an iRule using a BIG-IP Next Central Manager FAST Application template fails.
Conditions:
iRule scripts that contain double quote characters cannot be deployed to a BIG-IP Next instance using BIG-IP Next Central Manager. For example:
when HTTP_REQUEST {
if { [HTTP::uri] eq "/test"} {
HTTP::header insert X-Forwarded-For [IP::remote_addr]
}
}
Impact:
iRules that use double quote characters cannot be deployed to a BIG-IP Next instance.
1233681 : Redeploying an application fails after you renew the certificates for an HTTPS application
Component: BIG-IP Next
Symptoms:
If a certificate for an HTTPS application is renewed after deploying the application from BIG-IP Next Central Manager to a BIG-IP Next instance, subsequent attempts to redeploy that application fail.
Conditions:
1. Deploy an application that uses a certificate.
2. Renew the certificate.
3. Attempt to deploy the application again.
4. Re-deployment fails.
Impact:
You cannot re-deploy the application after its certificate is renewed.
Workaround:
1. After you renew the certificate, deploy the application using a different certificate (not the renewed one).
2. After the deployment is successful, use the renewed certificate to re-deploy the application.
1232993-1 : Forced reboot during BIG-IP Next upgrade can cause instability★
Component: BIG-IP Next
Symptoms:
A forced reboot of a BIG-IP Next instance while an upgrade is in progress can make the instance unstable.
Conditions:
An upgrade is in progress and you manually reboot the BIG-IP Next instance.
Impact:
Manually rebooting a BIG-IP Next instance during an upgrade can instability and might result in configuration loss.
Do not manually reboot BIG-IP Next while an upgrade is in progress. Only automatic reboots triggered by the upgrade process itself are allowed.
Workaround:
Add and configure another BIG-IP Next instance with the newer version.
1231089 : Multiple applications can be configured with duplicate values for virtualAddresses and virtualPort
Component: BIG-IP Next
Symptoms:
It is possible to configure multiple applications that share the same IP address and port numbers.
Conditions:
You create two or more applications that share the same IP:port pairing.
Impact:
Unclear. Possible disruption of traffic.
Workaround:
Configure applications with unique IP:port pairings.
1230993 : 'Mandatory request body is missing' violation in staging but request is unexpectedly blocked
Component: BIG-IP Next
Symptoms:
Request is blocked on a staged URL for the violation 'Mandatory request body is missing'.
Conditions:
- 'Mandatory request body is missing' violation is set for blocking
- The URL is in staging
- 'Mandatory request body is missing' is enabled on the URL
Impact:
Requests are blocked unexpectedly. The expected behavior is for the requests to pass with staging violation.
Workaround:
None
1227605 : Item count on the BIG-IP Next Central Manager My Apps and Instances pages shows -1 items
Component: BIG-IP Next
Symptoms:
The item count on the lower corner of the BIG-IP Next Central Manager My Apps and Instances pages displays as -1.
Conditions:
When viewing items on the My Apps and Instance pages.
Impact:
You cannot determine the number of items on these screens using that metric.
1220077 : Failover for a BIG-IP Next HA instance between upgrades can time out★
Component: BIG-IP Next
Symptoms:
When you upgrade the standby node in a BIG-IP Next HA instance then upgrade the previously active node, failover times out.
Conditions:
Upgrading a BIG-IP Next HA instance.
Impact:
This can cause confusion.
Workaround:
Monitor the /health endpoint to find the nodes that have switched to the high availability (HA) state and proceed with the second upgrade.
1216889 : Incorrect application count is displayed on BIG-IP Next Central Manager iRules page after a BIG-IP Next instance is removed
Component: BIG-IP Next
Symptoms:
When you delete a BIG-IP Next instance from BIG-IP Next Central Manager, the corresponding applications deployed to that instance are deleted. However, the iRules do not remove their associations to those applications. This leads to:
1. Incorrect application count is shown in the iRules grid.
2. The iRule cannot be deleted because the application association still exists.
Conditions:
This happens only when applications are deleted as a result of removing a BIG-IP Next instance.
Impact:
1. An incorrect application count is shown in the iRules grid.
2. You cannot delete the iRule because the association with the application still exists.
1209649-1 : Load More' button reloads data already on the page for FAST Apps on BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
When you click the Load More button from the BIG-IP Next Central Manager FAST Apps page, it reloads the last page of data repeatedly.
Conditions:
Click the 'Load More' button on the BIG-IP Next Central Manager FAST Apps page after data is loaded.
Impact:
The last page is again added to the table, even though that data is already present. This occurs for each subsequent press of 'Load More'.
Workaround:
None
1195281-1 : Endpoint is down when sendString contains double escaped characters
Component: BIG-IP Next
Symptoms:
Endpoints (pool members) are down if HTTP monitor's "sendString" includes double escaped characters.
Conditions:
Configure HTTP monitor in Next native API with a sendString that has double escaped characters.
Example:
"sendString": "GET / HTTP/1.1\\r\\nHost:demo.local\\r\\nConnection: Close\\r\\n\\r\\n"
Impact:
Monitor marks Endpoints (Pool members) down.
Endpoint returns "400 Bad request" for monitor probe.
1189933-1 : BIG-IP Next Central displays a BIG-IP Next Instance as 'IsHealthy': true even if traffic isn't passing
Component: BIG-IP Next
Symptoms:
BIG-IP Next Central Manager displays a BIG-IP Next instance as 'IsHealthy' when it is not.
Conditions:
This happens if the BIG-IP Next instance's internal network configuration is missing. The configuration requires VLANs/proper network configuration needs to pass traffic. Even though the configuration is invalid, the status is reported as healthy.
Impact:
This status can cause confusion.
Workaround:
Correctly configure the BIG-IP Next instance's internal network so it can pass traffic properly.
1172933 : Stack name must be unique in an application regardless of types
Component: BIG-IP Next
Symptoms:
Multiple stacks can be included in an application. The name should only need to be unique for a specific type in that application. However, if the name is not unique in that application (regardless of the type), it triggers application errors.
Conditions:
Send PUT request to the /applications endpoint to create an application with two stacks of same name but different types:
{
"name": "App_1",
"description": "web server for f5-2",
"domainName": "www.f5-2.com",
"stacks":[
{
"stackType": "HttpRevProxy",
"name": "st1"
},
{
"stackType": "HttpSimpleProxy",
"name": "st1"
}
]
}
Impact:
The request is rejected.
1162253 : Monitors in an application cannot be removed from stacks and traffic stops running
Component: BIG-IP Next
Symptoms:
Monitors in an application cannot be removed from stacks and traffic stops running.
Conditions:
1. Create an application (with or without monitors).
2. Test to see if traffic is passing. It should pass for TCP monitors, but if you add http2 monitor traffic, traffic will not pass.
3. Try to update the stacks by removing the monitors.
4. Traffic stops, and the stacks also do not get updated.
Impact:
Traffic stops, and stacks also do not get updated
1162213-1 : Incorrect state when upgrading a BIG-IP Next HA instance★
Component: BIG-IP Next
Symptoms:
While upgrading a BIG-IP Next HA instance, when the configuration is partially upgraded, the state remains STANDALONE/NOT_READY instead of ACTIVE/STANDBY.
Conditions:
When only one of the nodes in a BIG-IP Next HA instance is upgraded.
Impact:
The /health endpoint reports an incorrect subsystem HA state for the data-store subsystem.
Workaround:
You can safely ignore the HA state during an upgrade and proceed with failover after a successful upgrade of the standby node.
1137869 : Attempting to create an application from BIG-IP Next Central Manager sometimes fails
Component: BIG-IP Next
Symptoms:
When attempting to create an application using FAST templates from BIG-IP Next Central Manager, it might fail with the following message:
max retries, please try again later
Conditions:
This issue occurs intermittently.
Impact:
Unable to create an application.
Workaround:
Try to create the application again. Application creation should succeed.
1134225 : AS3 declarations with a SNAT configuration do not get removed from the underlying configuration as expected
Links to More Info: K000138849
Component: BIG-IP Next
Symptoms:
AS3-configured L4-serversides object contains a SNAT property when it should not, given that SNAT was previously configured in the declaration and then subsequently removed.
Conditions:
SNAT configuration was specified in the AS3 declaration and then subsequently removed.
Impact:
A SNAT cannot be removed once it has been added.
Workaround:
Remove the L4-serversides object, either by removing the relevant configuration from the AS3 declaration or by using DELETE /api/v1/L4-serversides, and then re-POST the AS3 declaration without the SNAT.
1123381 : Standby node in a BIG-IP Next HA instance loses it's license when HA is disassembled
Component: BIG-IP Next
Symptoms:
When you disassemble a BIG-IP Next HA instance, the previous standby node loses its license.
Conditions:
After creating a BIG-IP Next HA instance, disassemble.
Impact:
Standby node loses its License.
Workaround:
Reapply the license to the previous standby node and recreate the BIG-IP Next HA instance again.
1122689-3 : Cannot modify DNS configuration for a BIG-IP Next VE instance through API
Component: BIG-IP Next
Symptoms:
Making updates to BIG-IP Next Virtual Edition (VE) DNS configuration through onboarding or the API does not update the DNS configuration as expected.
Conditions:
Making updates to a BIG-IP Next DNS configuration through the API.
Impact:
The BIG-IP Next instance continues to use the DNS servers supplied by DHCP on the interface by default.
Workaround:
Prior to updating the BIG-IP Next DNS configuration through the API, issue the following commands.
$ rm -f /etc/resolv.conf; touch /etc/resolv.conf
This removes all DNS configurations. DNS can then be managed through the BIG-IP Next instance's API, and the DNS provided by DHCP is ignored.
1120457-1 : Data interfaces for BIG-IP Next VE are not visible on the host after the interface configuration is sent to TMM
Component: BIG-IP Next
Symptoms:
Data interfaces for BIG-IP Next Virtual Edition (VE) are not visible on the host when running any tool that returns a list of interfaces. Data interfaces are not visible on the host after the interface configuration is sent to TMM.
Conditions:
L1-network configuration is sent to TMM using the REST API that specifies the interface details.
Impact:
The physical interfaces can be seen only from inside the TMM Pod and not on the host, which makes debugging network issues difficult.
Workaround:
To perform debug actions, into the debug sidecar Pod, use the following command:
kubectl exec -it deploy/f5-fsm-tmm -c f5-fsm-debug-sidecar -- bash
1120417 : Machine ID on the BIG-IP Next properties pages shows an error
Component: BIG-IP Next
Symptoms:
This occurs because the validation for machineID is invalid. This causes issues in the user interface of the BIG-IP Next instance, preventing you from updating other information on the Systems properties page.
Conditions:
BIG-IP Next is onboarded, and you visit the Systems properties page on the local BIG-IP Next instance.
Impact:
/system 'machineID' enforces validation but it cannot be updated
Workaround:
None
1117817 : Interface assignments are unpredictable when more than 4 interfaces are configured
Component: BIG-IP Next
Symptoms:
After booting BIG-IP Next Virtual Edition (VE) in a VMware EXSi environment using five or more interfaces, TMM does not order the interfaces in the same order that they were added in EXSi.
Conditions:
Configure BIG-IP Next VE in a VMware ESXi environment with five or more assigned interfaces.
Impact:
The traffic-passing tmm interfaces might not be connected to the VMware interfaces in the order that they were expected.
Workaround:
If you do not need more than four network adapters, remove the extra network adapters in VMware.
If you need more than four network adapters, log into the VM console and manually edit /etc/mbip/conf/ethmap to order the MAC addresses according to the network adapter ordering in VMware using the following procedure.
To obtain the network adapter ordering supplied by VMware, you can run the following command:
$ vmtoolsd --cmd "info-get guestinfo.ovfEnv" | grep "ve:Adapter" | awk -F '"' '{print $2}'
00:50:56:9d:36:50
00:50:56:9d:20:ba
00:50:56:9d:44:05
00:50:56:9d:bc:24
00:50:56:9d:e6:b8
Compare the interface ordering with the contents of /etc/mbip/conf/ethmap:
$ cat /etc/mbip/conf/ethmap
00:50:56:9d:36:50
00:50:56:9d:e6:b8 <=== incorrect order, it should have been the last interface
00:50:56:9d:20:ba
00:50:56:9d:44:05
00:50:56:9d:bc:24
In /etc/mbip/conf/ethmap, the first interface listed is the management (mgmt) interface in BIG-IP Next. The tmm will label subsequent interfaces as 1.1, 1.2, etc. Therefore the interface numbering would work this way:
00:50:56:9d:36:50 (mgmt)
00:50:56:9d:e6:b8 (1.1)
00:50:56:9d:20:ba (1.2)
00:50:56:9d:44:05 (1.3)
00:50:56:9d:bc:24 (1.4)
Since this ordering does not match the network interface order in VMware, you can fix it by editing /etc/mbip/conf/ethmap.
Using sudo to make the change to the file, change the interface ordering in /etc/mbip/conf/ethmap manually using a text editor. Or you can avoid using a text editor by using the following three commands:
sudo -i
vmtoolsd --cmd "info-get guestinfo.ovfEnv" | grep "ve:Adapter" | awk -F '"' '{print $2}' > /etc/mbip/conf/ethmap
exit
Confirm that the interface ordering in /etc/mbip/conf/ethmap is the same as what VMware reports
$ cat /etc/mbip/conf/ethmap
00:50:56:9d:36:50
00:50:56:9d:20:ba
00:50:56:9d:44:05
00:50:56:9d:bc:24
00:50:56:9d:e6:b8
$ vmtoolsd --cmd "info-get guestinfo.ovfEnv" | grep "ve:Adapter" | awk -F '"' '{print $2}'
00:50:56:9d:36:50
00:50:56:9d:20:ba
00:50:56:9d:44:05
00:50:56:9d:bc:24
00:50:56:9d:e6:b8
Note: If the vmtoolsd command does not work for some reason, you can go to vCenter and manually look at the MAC addresses of the interfaces and the order that they are in, and then ensure that /etc/mbip/conf/ethmap has the same ordering.
After editing the file, reboot BIG-IP Next. If L1-networking was already configured, you will need to reset and re-configure BIG-IP Next.
1117805 : Unable to determine the TMM interface for MAC addresses on BIG-IP Next VE from the API
Component: BIG-IP Next
Symptoms:
You are unable to use the API to determine the MAC addresses for TMM interfaces on BIG-IP Next Virtual Edition (VE).
Conditions:
From the API, you attempt to confirm the TMM interfaces (for example, 1.1 or 1.2) for your BIG-IP Next instance are in the same order as they are configured on the VMware ESXi environment.
Impact:
It is not possible to use the API to confirm the order of the TMM interface.
Workaround:
If you need to confirm the interface ordering, view the /etc/mbip/conf/ethmap file.
# cat /etc/mbip/conf/ethmap
00:50:56:ba:cc:18
00:50:56:ba:d8:b8
00:50:56:ba:ca:ce
The first interface listed is always the management (mgmt) interface. The tmm will label subsequent interfaces as 1.1, 1.2, etc. Therefore:
00:50:56:ba:cc:18 (mgmt)
00:50:56:ba:d8:b8 (1.1)
00:50:56:ba:ca:ce (1.2)
1117765 : BIG-IP Next Central Manager displays empty network interface metrics for a BIG-IP Next instance
Component: BIG-IP Next
Symptoms:
If network interface data is unavailable or incomplete (for example, in the event of a network error) for a managed BIG-IP Next instance, the Throughput In/Out graph might appear empty or display "No Data" when viewing the Network Interface for the BIG-IP Next instance's properties.
Conditions:
From BIG-IP Next Central Manager, select a managed BIG-IP Next instance. Click Network Interface. The page displays "No Data".
This occurs when some error prevents the retrieval of the metrics data.
Impact:
There is no functional impact; this is a cosmetic issue.
Workaround:
None
1114841-2 : Creating a BIG-IP Next HA instance from BIG-IP Next Central Manager fails
Component: BIG-IP Next
Symptoms:
If the task for creating a BIG-IP Next HA instance from BIG-IP Next Central Manager fails, the node specified as standby might display in an unknown state and might be unreachable or might not be discovered by BIG-IP Next Central Manager.
Conditions:
1. Add two BIG-IP Next standalone instances.
2. Create a BIG-IP Next HA instance using one as the active node and the other as a standby node.
Impact:
The standby node in the BIG-IP Next HA instance might be unreachable or not discoverable by BIG-IP Next Central Manager.
Workaround:
Reconfigure the standby node or recreate the BIG-IP Next HA instance.
1113593 : BIG-IP Next Central Manager cannot deploy an application to an unhealthy BIG-IP Next instance
Component: BIG-IP Next
Symptoms:
Attempting to deploy an application to an unhealthy BIG-IP Next instance fails with the following message:
invalid character 'h' after object key:value pair
Conditions:
From BIG-IP Next Central Manager, create an application, select a BIG-IP Next instance in an unhealthy state, and click the Test Deployment button.
Impact:
Application deployment fails.
Workaround:
None
1113045 : BIG-IP Next Central Manager displays No Data for mgmt network interface metrics
Component: BIG-IP Next
Symptoms:
When viewing the network interface stats for a managed BIG-IP Next instance from BIG-IP Next Central Manager, the interface selection drop-down includes an interface named 'mgmt'. Selecting this will show 'No Data' for all graphs.
Conditions:
Selecting the interface dropdown menu item 'mgmt' to view the network interface stats for a managed BIG-IP Next instance
Impact:
No functional impact. This interface can be ignored.
Workaround:
None
1112285 : Cannot update management IP address on BIG-IP Next HA instances
Component: BIG-IP Next
Symptoms:
Changing the management IP address of a BIG-IP Next high availability (HA) instance fails.
For a standalone BIG-IP Next instance, although the REST endpoints can be accessed using the new management IP address, the default system's object is not updated with the new management IP address.
Conditions:
1) Update the management IP address of a BIG-IP Next HA instance.
2) Reboot the BIG-IP Next HA instance.
Impact:
The new management IP address change is not preserved. You cannot change the management IP addresses on a BIG-IP Next HA instance.
Workaround:
None
1110805 : Setup needs to be finished on the host OS before BIG-IP Next can function properly.
Component: BIG-IP Next
Symptoms:
High availability (HA) state of the TMM container is in NOT-READY on both active and standby nodes.
There may also be errors about missing interfaces:
01010007:3: Config error: interface not found: 1.1
Conditions:
The network device(s) are not set up on the host OS.
Impact:
Cannot pass traffic on BIG-IP Next.
Workaround:
Make sure the network is properly set up on the host OS before you install BIG-IP Next.
1109933-1 : Unexpected behavior when multiple routes with identical route configuration and different names are created
Component: BIG-IP Next
Symptoms:
If you create multiple routes with identical route configurations but with different names, these are treated as a single entry in TMM. As a result, deletion of one of the routes using the external API results in a mismatch between the external API database and the TMM route table.
Conditions:
-- Create two static routes with different names but an identical route configuration.
-- List the routes using the external API so that you see two routes in the list.
-- Delete either route.
Impact:
-- The list queried using the external API now shows one remaining route.
-- In TMM, both routes with identical route configuration are treated as a single route entry.
-- This gets deleted when one of the route is deleted.
-- The external API lists a route entry which internally does not exist in TMM.
Workaround:
Use the same name when creating multiple routes with identical route configurations.
1109633 : Creating a BIG-IP Next HA instance on VE from BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
When creating a BIG-IP Next HA instance on VE, BIG-IP Next Central Manager might return alerts that make it appear the BIG-IP Next HA creation failed.
Conditions:
This can happen when there is latency with the network and the "Yes, Add HA Node" button is clicked more than once.
Impact:
This could cause confusion as it might appear the BIG-IP Next HA creation failed.
Workaround:
Click the "Yes, Add HA Node" button only once.
1107757-1 : Large numbers of AS3/API requests can trigger job timeout errors.
Component: BIG-IP Next
Symptoms:
When sending a large number of requests using AS3 or the API over a short period of time, TIMEOUT errors occur, leading to job failure.
Conditions:
When repeated (100+) job calls are performed using AS3.
Impact:
The ICB module will temporarily lose its connection to the database. This will self correct given time.
Workaround:
Increase the period of time when AS3/API requests are performed.
1107533-1 : Upgrading a BIG-IP Next instance endpoint does not accept file names★
Component: BIG-IP Next
Symptoms:
When upgrading BIG-IP Next software, you must use the UUID of the file that is returned by file upload API (step 1 of the upgrade process), instead of the actual name of file uploaded.
Conditions:
Upgrading a BIG-IP Next instance using the PUT PUT /upgrade endpoint.
Impact:
Do not use the actual file name. Use the name returned by the upload file's API.
Workaround:
In the PUT /upgrade API, for the field 'fileName' use the name returned by upload file's API.
1106573 : If an application deployment fails due to BIG-IP Next instability, the policies referenced in the application cannot be deleted from BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
If the BIG-IP Next Central Manager application deployment fails due to the instability of a BIG-IP Next instance, the failure is not properly communicated to the dependent features, so you can't delete the policies (for example, WAF, Access, and so forth) that are referenced in the application template from BIG-IP Next Central Manager.
Conditions:
An application deployment fails because the target BIG-IP Next instance is unstable or unhealthy.
Impact:
The policies (for example, WAF, Access, and so forth) that are referenced in the application template cannot be deleted from BIG-IP Next Central Manager when an application deployment fails.
1106477 : Cannot control the order of the fields generated from a BIG-IP Next Central Manager application template
Component: BIG-IP Next
Symptoms:
For application templates containing additional policy definitions (for example: WAFPolicyName, ClonedWAFPolicyName), the auto-generated fields on the BIG-IP Next Central Manager application management page are not ordered as expected.
Conditions:
When an application template contains additional policy definitions.
Impact:
The auto-generated form is not ordered properly.
Workaround:
N/A
1104625 : The BIG-IP Next VE tmstat table does include stats for the management interface
Component: BIG-IP Next
Symptoms:
On a BIG-IP Next Virtual Edition (VE), the API call to api/v1/systems/<sys-id>/interfaces returns the interface name "mgmt". But when executed, the API query api/v1/metrics/systems/<sys-id> does not have the mgmt stats in response.
Conditions:
-- BIG-IP Next has the mgmt interface configured.
-- API GET query to api/v1/metrics/systems/<sys-id>
Impact:
The management interface is in the list of interfaces but statistics are not available.
Workaround:
None
1104397 : When creating a new application from BIG-IP Next Central Manager, the form might show the deployment status of an application created previously in the same session
Component: BIG-IP Next
Symptoms:
When creating multiple applications in the same session, the form might show the deployment status of an application that was created previously in the same session.
Conditions:
Attempt to deploy multiple applications in the same session.
Impact:
Until you attempt to deploy the application, the displayed status will be incorrect.
Workaround:
Refresh the BIG-IP Next Central Manager browser to update the status.
1104393 : Testing an application deployment from BIG-IP Next Central Manager and copying to clipboard
Component: BIG-IP Next
Symptoms:
When testing an application deployment from BIG-IP Next Central Manager and clicking the button to copy content to the clipboard, the content is not consistently copied.
Conditions:
When testing an application deployment from BIG-IP Next Central Manager.
Impact:
The content isn't copied to the clipboard.
Workaround:
Manually select and copy the JSON text instead of using the clipboard button.
1090405 : Error messages in logs: pem block and tls failed to find PEM data
Component: BIG-IP Next
Symptoms:
When viewing logs, multiple error messages similar to the following might display:
pem block of Certificate Authority was empty
error loading Certificate: tls: failed to find any PEM data in certificate input
Conditions:
Viewing logs.
Impact:
These are benign messages that have no impact on BIG-IP Next functionality.
Workaround:
None
1090205 : Floating IP address for a BIG-IP Next HA instance is unavailable during an active node reboot
Component: BIG-IP Next
Symptoms:
When rebooting the active node in a BIG-IP Next HA instance, the floating IP address is unreachable until the active node has completed the reboot (about 2 to 4 minutes).
Conditions:
After creating a BIG-IP Next HA instance and rebooting the active node through the API.
Impact:
The floating IP address for the active node is unavailable while it's rebooting.
During this, traffic passes and rules, and other policies operate on the newly active node as expected. Only the BIG-IP Next HA instance's management IP address is unavailable.
Using the BIG-IP Next HA instance's management IP address does not return a response during the reboot operation. The management IP address becomes available once the newly active node back in a healthy state.
Workaround:
Although there is no workaround to prevent this issue, the new active node fully functions as active within seconds after failover and traffic is passed as expected.
APIs are accessible using the newly active node's management IP address.
You can use the BIG-IP Next floating IP address again after rebooting the active node.
1089201 : BIG-IP Next HA instance in an HA configuration fails when control plane IP address is configured incorrectly
Component: BIG-IP Next
Symptoms:
When creating a BIG-IP Next HA instance with the incorrect control plane IP address, it fails with a message similar to the following and you cannot revise the control plane IP address.
Job status: FAILED
Error message: Unable to start https server on peer node (w.x.y.z).
State of second node in the health check response from first node: UNREACHABLE
State of second node in the health check response from second node: STANDALONE
Conditions:
Creating a BIG-IP Next HA next configuration with an incorrect control plane IP address.
Impact:
BIG-IP Next HA instance configuration fails.
Workaround:
Delete the existing BIG-IP Next HA instance and recreate using the correct control plane IP address.
1087937 : API endpoints do not support page query
Component: BIG-IP Next
Symptoms:
The 'page' query is not supported.
Conditions:
This issue is seen when the API is called directly. There is no impact on the functionality if BIG-IP Next Central Manager or AS3 is used.
Impact:
Pagination of results does not function correctly.
Workaround:
Remove 'limit' parameter. This causes all objects to be returned in the response.
1087881 : Network API endpoints reject Content-Type application/hal+json
Component: BIG-IP Next
Symptoms:
The Network API endpoints respond to HTTP PUT requests containing the header 'Content-Type: application/hal+json' with an HTTP 415 'Unsupported Media Type' error.
Conditions:
Send an HTTP PUT request with the header "Content-Type: application/hal+json' to any of the following endpoints:
/L1-networks
/L2-networks
/L2-forwards
/L3-networks
/L3-forwards
/L4-clientsides
/L4-serversides
Impact:
A 415 'Unsupported Media Type" response occurs and changes are not made.
Workaround:
Send an HTTP PUT request with the header 'Content-Type: application/json' and a request body of type application/json.
1086221-1 : Content-Type response header does not match documented in BIG-IP Next OpenAPI spec
Component: BIG-IP Next
Symptoms:
The value of the Content-Type response header does not match those documented in the OpenAPI spec for BIG-IP Next:
The defined content-types for responses to GET /metrics/systems/{systemId} are:
application/json and application/hal+json
Conditions:
Requesting Content-Type response header with the command GET /metrics/systems/{systemId}.
Impact:
Response does not contain the expected application/json and application/hal+json type. Instead, it contains 'Content-Type: text/plain'.
Workaround:
None
1085753 : Overwritten application deployments display in applications list
Component: BIG-IP Next
Symptoms:
If you deploy an application from BIG-IP Next Central Manager to a BIG-IP Next instance that has the same tenant and application name as a previous deployment on that instance, the previous deployment still appears in the applications list.
Conditions:
Deploying an application with the same tenant and application name does not remove the previous application from the list.
Impact:
Applications that have been overwritten still display in the application list, but don't actually exist. This doesn't cause an issue, but might cause confusion and a cluttered application list.
Workaround:
To work around this issue, do not deploy to the same tenant, application, and BIG-IP Next instance in multiple deployments.
1083205 : Default network is the only supported network
Component: BIG-IP Next
Symptoms:
The default network created is the only supported network object under /L1-Networks. Deleting this default network, or creating additional L1-Networks, might operate partially, but that configuration is not supported.
Conditions:
A new L1-Network is created, or the 'Default Network' is deleted from the OpenAPI.
Impact:
Traffic could unexpectedly stop.
Workaround:
Do not use L1-Network objects other than the default network.
Note: If traffic unexpectedly stops through use of custom networks, deleting any VLANs whose vlan-tag is repeated across other existing L1-Networks might restore functionality, but this is not guaranteed.
1082417 : Application status displays as deployed before it has been created
Component: BIG-IP Next
Symptoms:
Before an application has been created, its status incorrectly displays as "Completed deployment successfully".
Conditions:
Click the '+ Create' button to create a new Application; then scroll down to the Status field.
Impact:
The information is incorrect and confusing.
Workaround:
None
1079873 : Text in first column of a BIG-IP Next Central Manager grid might overlap with text in subsequent columns
Component: BIG-IP Next
Symptoms:
Text in first column of a BIG-IP Next Central Manager grid overlaps with text in subsequent columns if the item in the first column (for example, an object's name) is very long.
Conditions:
Text in the BIG-IP Next Central Manager's first column (for example, an object's name) is very long. This can also occur if the browser window is very small.
Impact:
Text in the first column of a grid overlaps with text in subsequent columns, making it difficult to read.
Workaround:
Expand the size of your browser window. This will only help to a certain extent.
1078533-1 : Cannot delete a BIG-IP Next instance from BIG-IP Next Central Manager
Component: BIG-IP Next
Symptoms:
Cannot delete a managed BIG-IP Next instance that was reset to factory defaults or has been powered off because BIG-IP Next Central Manager cannot reach the instance for authentication.
Conditions:
Attempt to delete a managed BIG-IP Next instance that has been reset to factory defaults or has been powered off.
Impact:
You cannot delete it from BIG-IP Next Central Manager's inventory. You cannot reach another instance with the same IP address.
1078013-1 : BIG-IP Next HA instance fails when VLANs exist or invalid VLANs are submitted
Component: BIG-IP Next
Symptoms:
If you create a BIG-IP Next HA instance with an invalid VLAN, it might appear as if it were successfully created even though it is not correctly configured at the platform level.
Conditions:
This happens when a configuration is submitted to /services/{id}/cluster to initiate an HA configuration, and that configuration contains a VLAN that is either not assigned to the tenant, or assigned but in use by the dataplane.
Impact:
BIG-IP Next HA instance configuration fails. The tenant does not operate as expected.
Workaround:
Perform a factory reset on any node entering this state, as various issues arise from a node incorrectly behaving as if it were part of a pair. At worst, the 'paired' peer device may also be affected.
Ensure the VLAN being submitted in the HA request payload is assigned to the tenant by the VELOS admin, and that the VLAN is not already configured for use by the dataplane (i.e., there are no references to that VLAN by name or ID in other OpenAPI objects).
1060829 : Unable to delete template from BIG-IP Next Central Manager if it was used for the application deployment
Component: BIG-IP Next
Symptoms:
Deleting a template from the template screen of BIG-IP Next Central Manager fails if the template was previously used for an application deployment.
Conditions:
Attempting to delete a template from BIG-IP Next Central Manager that was previously used for an application deployment.
Impact:
You cannot delete the template.
Workaround:
From the API, use the following procedures to remove the template parameters.
1. Get the ID of the template that failed to be removed
Send a GET request to API https://BIGIP-NEXT-CM-IP/api/as3-workflow/v1/templates?filter=name eq 'template-name'
2. Find the template parameters item that's referring to the template.
Send a GET request to API https://BIGIP-NEXT-CM-IP/api/as3-workflow/v1/parameters?filter=templateID eq 'template ID'
3. Remove the template parameters
Send a DELETE request to API https://BIGIP-NEXT-CM-IP/api/as3-workflow/v1/parameters/<parameters ID>
4. The template can be removed now either through the API call or the BIG-IP NEXT Central Manager user interface.
1058837 : Incorrect item count following application deletion and subsequent deletions fail
Component: BIG-IP Next
Symptoms:
BIG-IP Next Central Manager displays an incorrect selected item count after a delete operation, after which you cannot delete additional items.
Conditions:
This occurs in the following scenario:
-- Create several applications.
-- Click the checkbox next to one in the application services list and delete it.
-- Attempt to delete another one.
Impact:
The number of items selected is incorrect, reflecting a higher number than you actually have selected. When in this state, you cannot delete additional items.
Workaround:
Navigate to a different page and return, or refresh the page.
1057493 : 'HTTP::header insert' command does not work under ASM iRule events
Component: BIG-IP Next
Symptoms:
The iRule command 'HTTP::header insert' does not add the new header to the request sent to the server.
Conditions:
Under iRule events ASM_REQUEST_DONE and ASM_REQUEST_VIOLATION
Impact:
'HTTP::header insert' command cannot be used in the ASM_REQUEST_DONE and ASM_REQUEST_VIOLATION iRule events.
Workaround:
Insert headers in another event like ASM_REQUEST_BLOCKING
1053009-1 : Transaction in progress message and dropped connections using Files API to upload a cert/key
Component: BIG-IP Next
Symptoms:
Using Files API to upload a cert/key pair that references the key/cert pair in an application results in a log message followed by dropped HTTPS connections:
tmm1[7]: 01260000:2: Profile 56f16812-264c-11ec-9d63-02420a03010b: transaction in progress, profile not reloaded.
Conditions:
Use Files API to upload a cert/key pair that references an application.
Impact:
Application does not work. Connections are dropped.
Workaround:
Reconfigure the application with the certificate and key as an inline blob rather than referencing the cert/key uploaded using Files API.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://devcentral.f5.com/