Release Note: BIG-IP LTM and TMOS 11.6.

Original Publication Date: 01/13/2016

This release note documents the version 11.6.0 release of BIG-IP Local Traffic Manager and TMOS. You
can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x.
- Platform support
- Configuration utility browser support
- User documentation for this release
- New in 11.6.0
- Installation overview
- Installation checklist
- Installing the software
- Post-installation tasks
- Installation tips
- Upgrading from earlier versions
- Upgrading earlier configurations
- Fixes in 11.6.0
- Behavior changes in 11.6.0
- Known issues
- Contacting F5 Networks
- Legal notices

Platform support
This version of the software is supported on the following platforms:
PLATFORM NAME
BIG-IP 800 (LTM only)
BIG-IP 1600
BIG-IP 3600
BIG-IP 3900
BIG-IP 6900
BIG-IP 8900
BIG-IP 8950
BIG-IP 11000
BIG-IP 11050
BIG-IP 2000s, BIG-IP 2200s
BIG-IP 4000s, BIG-IP 4200v
BIG-IP 5000s, 5050s, 5200v, 5250v
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255
VIPRION B2100 Blade
VIPRION B2150 Blade

PLATFORM ID
C114
C102
C103
C106
D104
D106
D107
E101
E102
C112
C113
C109
D110
D113
A109
A113

PLATFORM NAME
VIPRION B2250 Blade
VIPRION B4100, B4100N Blade
VIPRION B4200, B4200N Blade
VIPRION B4300, B4340N Blade
VIPRION C2200 Chassis
VIPRION C2400 Chassis
VIPRION C4400, C4400N Chassis
VIPRION C4480, C4480N Chassis
VIPRION C4800, C4800N Chassis
Virtual Edition (VE)
vCMP Guest

PLATFORM ID
A112
A100, A105
A107, A111
A108, A110
D114
F100
J100, J101
J102, J103
S100, S101
Z100
Z101

These platforms support various licensable combinations of product modules. This section provides
general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:

o
o
o
o
o
o

vCMP supported platforms

VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
BIG-IP 5200v, 7200v, 10200v
PEM and CGNAT supported platforms
VIPRION B2100, B2150, B2250, B4300, B4340N
BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10
GB production and combination lab models)
PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended
for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not
recommended for production, only for evaluation. Use the B4300 or B4340N instead.
BIG-IP 800 platform support
The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other
modules.

Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE
and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all
modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP
license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100
and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned
with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this
category.)

No more than three modules should be provisioned together.

On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only
one other module.

In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may
be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB
and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of
memory actually available and thus fits in this category.)

No more than three modules (not including AAM) should be provisioned together.
Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can
only be provisioned standalone.
Analytics (AVR) counts towards the two module-combination limit (for platforms with less than
6.25 GB of memory).

Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests
provisioned with 4 GB or less of memory.

No more than two modules may be configured together.

AAM should not be provisioned, except as Dedicated.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula:
(platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5
GB.
For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a
single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only
the following products or product combinations for a single-core guest:

BIG-IP LTM standalone only

BIG-IP GTM standalone only
BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

Microsoft Internet Explorer 8.x, 11.x

Mozilla Firefox 27.x
Google Chrome 32.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE
11.6.0 Documentation page.

New in 11.6.0
Security
BIG-IP External Crypto-offload (early access)
This release provides early access to the ability to leverage SSL Crypto operations from one BIG-IP
system to other BIG-IP systems, offloading cryptographic operations to an external system (a crypto
provider). For example, this feature allows an LTM VE instance (the crypto client) to offload RSA
operations to an external BIG-IP system with RSA hardware acceleration (the crypto provider).

Latency compression selection strategy

This release introduces a new default compression selection strategy, Latency, which favors the latency of
compression providers and delays selection of a provider until data arrives. This strategy helps to better
distribute the workload placed on each provider. New installations of 11.6.0 have latency as the default
compression selection. Upgrading to 11.6.0 changes the default compression selection to latency. For
more information, see SOL15523: New latency compression strategy and compression provider selection
method.

OCSP stapling with certificate status caching

OCSP stapling is the process in which a TLS server (acting as the OCSP client) interfaces with the OCSP
server for a valid revocation status of its TLS certificate, and "staples" the signed OCSP response to the
TLS handshake. The TLS client receives the stapled OCSP response and verifies the signature,
validating the TLS server's certificate. This feature improves certification response time, and helps protect
the identity of the client.

SSL RSA Root Certificate support in hardware

Due to their ability to provide downstream validation of intermediate certificates, SSL Root Certificates
require extra protection. As a result, most new CA Root Certificates are moving to larger key length (4
KB); however this can results in a performance hit. Adding support for SSL RSA Certificates in hardware,
along with SSL Keys, provides protection and improves performance.

STARTTLS for LDAP

STARTTLS is an extension to plain text communication protocols. This feature offers a way to upgrade a
plain text LDAP connection to an encrypted (TLS or SSL) connection instead of using a separate port for
encrypted communication.

Appliance Mode improvements

Appliance Mode provides the ability to lock-down the BIG-IP system, reducing the attack surface and
points for exploit. This functionality can make it difficult for 3rd party components that are not fully
integrated into the BIG-IP system, for example, those that utilize TMSH commands. These commands are
now included to improve configuration, setup, and troubleshooting

Enhanced system authentication methods for LTM BIG-IP

Utilizing APM, this release provides enhanced LTM System Authentication for the different methods:
LDAP, RADIUS, Local User, TACACS+ to deliver a richer set of options such as AAA, fail-back, and dualauthentication.

IPFIX over TLS, over TCP

IPFIX over SSL/TLS provides the ability to encrypt the logging information that is sent offbox to a logging
destination.

Enhanced user access control

This release adds granularity to BIG-IP access control. For any BIG-IP user, a BIG-IP administrator with
the appropriate user role can now grant user access to multiple administrative partitions (instead of
access to one or all only), and can assign multiple user roles to the user, one for each partition to which
the user has access.

Hardware/platform support/maintenance
DSCP mapped to eight hardware CoS queues on egress
This release provides support for traffic being prioritized and dropped selectively using Differentiated
Services Code Point (DSCP), based on a limited number of traffic classes that are mapped to eight userconfigurable Class of Service (CoS) priorities on egress. This feature is supported only on these
platforms: VIPRION B2250 blade, VIPRION B2150 blade, VIPRION B2100 blade, VIPRION B4300 blade,
BIG-IP 10000 Series platform, BIG-IP 7000 Series platform, and BIG-IP 5000 Series platform.

Disk erase on SSD and HDD platforms

This release now provides end users with the ability to perform a single pass/zero write disk erase
operation of solid-state disk (SSDs) drives and hard disk drives (HDDs). For more information, see

SOL15521: Using the 'Security Erase Unit' ATA command to perform a disk erase for SSDs and HDDs,
available at support.f5.com/kb/en-us/solutions/public/15000/500/sol15521.html.

BIG-IP 2000/4000 Series appliance platforms L2 enhancements

This release introduces enhanced L2 support, including these features on the BIG-IP 2000/4000
appliance platforms: STP (Spanning Tree Protocol), LLDP (Link Layer Discovery Protocol), ARL (Address
Resolution Table), and enhanced Traffic Management Shell (tmsh) Layer 2 Forwarding table commands.

IPv6 support in ePVA (requires 11.6.0 HF5)

The 11.6.0 HF5 release features support for IPv6 in ePVA for the VIPRION B2250 blade.

UC-APL certification
This release includes features that support UC-APL (Unified Capabilities Approved Product List)
certification requirements, including: smart card (CAC) authentication to the management interface,
configurable banners for confidentiality, FIPS 140-2 compliance, SSL/TLS key requirements, and
Appliance mode for DISA/STIG.

System support for multiple hardware (FPGA bitstream) profiles

This release adds system support that enables users to choose from two different available hardware
(FPGA firmware) profiles based on provisioning: standard balanced performance profile and an L4optimized performance profile. This feature is currently available only on the VIPRION B2250 blade in a
C2200 chassis.

Traffic group limit increased from 15 to 127

This release supports a maximum of 127 traffic groups that you can configure within a Sync-Failover
device group. Earlier releases supported a maximum of 15 traffic groups only.

General Functionality
Object move and rename (early access)
This release provides early access to the feature that enables move/rename of specific BIG-IP object
types, such as virtual servers, virtual addresses, pools (implicitly moves pool members), nodes, monitors,
profiles, iRules, iApps, device names, self IP addresses, iCall, and folders. Note that this functionality is
not provided for VLANs or Partitions.

L7 Policy Matching Enhancements

This release provides a variety of enhancements to L7 policy matching (CPM).

Cubic and Westwood+ congestion control

This release adds the Cubic and Westwood+ congestion control algorithms.

Early retransmit
This release introduces support for an experimental RFC to recover lost segments quickly.

Dynamic TCP tuning

Modification of TCP profile parameters via iRules.

Tail loss probe

This release contains an enhancement to reduce the impact of retransmission timeouts (RTO) on web
transactions.

TCP profile redesign

This release provides a redesign of the TCP profile page, to enhance usability.

FIX protocol-based routing together with low latency

FIX data that is available in the first 2144 bytes of a flow can be parsed and used in traffic management,
such as routing a flow to a specific backend server based on SenderCompID. Performance L4 virtual
servers can extract application data to make the traffic management decisions. Once the decision has
been made, the flow is moved to the ePVA for low-latency TCP-based data transfer.

Adaptive response time monitoring

This release provides Adaptive response time monitoring, which measures the amount of time between
when the BIG-IP system sends a probe to a resource and when the system receives a response from the
resource. It adds an extra dimension to existing monitor capabilities. Use adaptive response time
monitoring to enhance server utilization under heavy load and to optimize moderately configurable web
applications that are served by servers with limited capacity.

Populate pools by FQDN

This release includes the ability to configure a BIG-IP system with nodes and pool members that are
identified with fully-qualified domain names (FQDNs). When configuring pool members with FQDN,
addresses dynamically follow DNS changes. Fully dynamic DNS-managed pools may even be created.

Device Trust Group on the Device Management Overview page

The Device Management Overview page in the BIG-IP Configuration utility now reports the status of the
special trust device group, which contains all devices in the local trust domain. This new status on the

Overview page can help users troubleshoot and resolve sync issues, which are sometimes caused by
device trust not being properly established.

IPFIX support with iRules

Ability to use iRules to generate log messages encoded in IPFIX/NetFlow format, containing standard and
custom Information Elements.

Support Alert Functionality

The new alert system aligns with and is part of the Unified Logging Infrastructure, with its configuration
officially part of standard MCP schemas/CMI/DG, and so on, so that alerts can be raised for any message
that originated in the system that is potentially destined for any/all endpoints, including offbox
destinations.

Net-SNMP Upgraded to Version 5.7.2

The Net-SNMP software on the BIG-IP system is now upgraded to version 5.7.2.

Kernel Upgraded to RedHat 6.4 Version

The kernel on the BIG-IP system is now upgraded to RedHat 6.4 version 2.6.32-358.23.2.

HTTP 2.0 (experimental) Profile

Local Traffic functionality now includes an HTTP/2 profile type that you can use to manage HTTP/2 traffic,
improving the efficiency of network resources while reducing the perceived latency of requests and
responses. The Local Traffic HTTP/2 profile enables you to achieve these advantages by multiplexing
streams and compressing headers with Transport Layer Security (TLS) or Secure Sockets Layer (SSL)
security. Note that subsequent versions of the HTTP/2 protocol might be incompatible with this release.
The HTTP 2.0 specification is currently in a draft phase (draft 13).

SPDY 3.1
This release supports SPDY version 3.1 functionality.

iCheck functionality improves monitors scalability

In this release, the BIG-IP system includes new iCheck functionality, which improves scalability of FTP,
SMTP, POP3, and IMAP monitors. iCheck functionality supports more monitors, while reducing the load
on BIG-IP systems. For example, FTP monitoring provides a 600% improvement in sustained monitor
performance. Additionally, iCheck functionality provides smoother performance characteristics as
monitors approach full capacity. For example, F5 Networks tested 6,000 monitors showing smooth traffic
characteristics throughout the range.

High performance SIP proxy

In this release, you can use the BIG-IP system as a Session Initiation Protocol (SIP) proxy. When the
BIG-IP system is placed between your SIP routers, session border controllers, and soft switches, you can
configure the system to route and load balance SIP messages across the servers on your SIP network.

IPSec IKEv2 support

IPsec options on Big-IP systems now include support for IKEv2. When you configure IKE peers, you can
choose between IKEv1 and IKEv2. If you choose IKEv2, you have the additional benefit of using route
domains.

Bandwidth measurement per subscriber and/or flow

This release includes a mechanism for bandwidth measurement (rate or bytes) per subscriber, per
application, or per flow. Other elements in the network can use this information to dynamically apply
relevant services, for example, video encoding.

vCMP
802.1QinQ on switch enabled platforms
This release supports IEEE 802.1QinQ on switch-enabled platforms: 5000, 7000, 10000, B2100, B2200,
B4300 series platforms, which allows for overlapping VLAN IDs, particularly benefiting vCMP or Partitions
and route-domain deployments

vCMP virtual disk templates

You can speed up vCMP guest deployment by using virtual disk templates. On the first vCMP guest
installation, the vCMP system creates a virtual disk template for the specific initial-image (and, if present,
initial-hotfix). For subsequent guest installations of the same initial-image/hotfix, vCMP host
administrators can use the virtual disk template, which speeds up the deployment process.

vCMP guest data visible from host

This version provides a summary of vCMP guest data from within the vCMP host. This data facilitates
access to the current state of each guest. The BIG-IP Configuration utility shows the current active
software image, the provisioned modules, and HA status. You can access each guest for additional
information, such as Installed Images and Available Images, and other Resource Provisioned information
such as License Status, Required Disk and Required Memory. The Guest name link opens the guest's
Properties tab. The HA Status shows a Failed link when there is an HA Status failure. The link opens the
guest's HA Status tab.

vCMP guest access to ISO/hotfix images from hypervisor

vCMP now allows file access from within a vCMP guest to the images stored on the host (hypervisor)
side. This facilitates installation of ISO/hotfix images to guests and reduces storage space for those
images.

Historical vCMP Statistics

From the vCMP host, you can view detailed historical vCMP statistics in the Analytics section of the
Configuration utility. The statistics provide an overview of vCMP performance, network throughput, CPU
usage, and disk usage in graphical form. You can customize the information that is displayed, the time
periods, and what information you want to appear on the overview screen.

CGNAT
CGNAT: Improved compatibility of CGNAT ALG port selection
This release improves compatibility of application layer gateway (ALG) profiles with Carrier-Grade NAT
(CGNAT) port picking methods, including Deterministic NAT (DNAT) and Port Block Allocation (PBA)
translation modes. Improved CGNAT port selection compliance is now available in the FTP, SIP and
RTSP ALG profiles, allowing the ALGs to select the correct port based on the subscriber, and provide
reliable reverse mappings of translated addresses for all traffic.

CGNAT: Port Block Allocation support

Port block allocation (PBA) mode is an address-port translation mode option that reduces CGNAT
logging, by logging only the allocation and release of each block of ports. When a subscriber first
establishes a network connection, the BIG-IP system reserves a block of ports on a single IP address for
that subscriber, and logs the block allocation. The system releases the block when no more connections
are using it, and logs the block release. This functionality reduces the logging overhead, which
significantly decreases log storage and improves system performance when compared to NAPT logging,
because the CGNAT logs only the allocation and release of each block of ports once.

CGNAT: MAP Border Relay support

Mapping of Address and Port with Encapsulation, as defined by the IETF draft draft-ietf-softwire-map-10,
is a stateless IPv4 to IPv6 transition technology, which provides a scalable, high performance solution for
mapping private IPv4 addresses to public IPv4 addresses and transporting traffic over an IPv6
infrastructure. The BIG-IP system plays the role of the border relay (BR) in a MAP deployment, supporting
MAP deployments alongside stateful CGNAT solutions.

CGNAT: Configurable logging enhancements

This release provides configurable log profiles for ALG and LSN logging. It allows a user to control the
type of log messages generated, and also inclusion of optional log elements in the logged message. The

ALG (FTP,SIP, RTSP) logging profile allows for the configuration of logging options for various events that
apply to high-speed logging destinations. The LSN logging profile allows for the configuration of logging
options for various LSN events that apply to high-speed/IPFIX logging destinations.

Documentation
LTM Concepts and TMOS Concepts guides
The LTM Concepts and TMOS Concepts guides have been broken into smaller guides. This provides
more focused and easier-to-find relevant content. The following list details the guides that now contain
this content:
BIG-IP System: Essentials
BIG-IP System: Initial Configuration
BIG-IP Local Traffic Management Basics
BIG-IP System: User Account Administration
BIG-IP Digital Certificates: Administration
BIG-IP Folders: Administration
BIG-IP System: iRules Concepts
BIG-IP Local Traffic Management: Profiles Reference
BIG-IP System: Operations
BIG-IP TMOS: Routing Administration
BIG-IP System: SSL Administration

Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step
installation and upgrade instructions in the following guides, and we strongly recommend that you
reference these documents to ensure successful completion of the installation process.

Upgrade from 11.x configurations: BIG-IP Systems: Upgrading 11.x Software

Upgrade from 10.x Active-Standby configurations: BIG-IP Systems: Upgrading Active-Standby

Systems

Upgrade from 10.x Active-Active configurations: BIG-IP Systems: Upgrading Active-Active

Systems

Installation checklist
Before you begin:

Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878:
Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
Update/reactivate your system license, if needed, to ensure that you have a valid service check
date.
Ensure that your system is running version 10.1.0 or later and is using the volumes formatting
scheme.
Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for
the operation. (If you need to create this directory, use the exact name /shared/images.)
Configure a management port.
Set the console and system baud rate to 19200, if it is not already.
Log on as an administrator using the management port of the system you want to upgrade.
Boot into an installation location other than the target for the installation.
Save the user configuration set (UCS) in the /var/local/ucs directory on the source
installation location, and copy the UCS file to a safe place on another device.
Log on to the standby unit, and only upgrade the active unit after the standby upgrade is
satisfactory.
Turn off mirroring.
If you are running Application Acceleration Manager, set provisioning to Minimum.
If you are running Policy Enforcement Manager, set provisioning to Nominal.
If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the
browser-based Configuration utility using the Software Management screens, available in the System
menu. Choose the installation method that best suits your environment.
INSTALLATION METHOD

COMMAND

Install to existing volume, migrate

source configuration to destination

tmsh install sys software image [image name] volume

[volume name]

Install from the browser-based

Configuration utility

Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks
This document covers very basic steps for installing the software. You can find complete, step-by-step
installation and upgrade instructions in the following guides, and we strongly recommend that you
reference these documents to ensure successful completion of the installation process.

Upgrade from 11.x configurations: BIG-IP Systems: Upgrading 11.x Software

Upgrade from 10.x Active-Standby configurations: BIG-IP Systems: Upgrading Active-Standby

Systems

Upgrade from 10.x Active-Active configurations: BIG-IP Systems: Upgrading Active-Active

Systems
After the installation finishes, you must complete the following steps before the system can pass traffic.
1.
2.

Ensure the system rebooted to the new installation location.

Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878:
Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
3.
Log on to the browser-based Configuration utility.

4.
Run the Setup utility.
5.
Provision the modules.
6.
Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP
TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an
Active-Active Configuration Using the Setup Utility.

Installation tips

The upgrade process installs the software on the inactive installation location that you specify.
This process usually takes between three minutes and seven minutes. During the upgrade process,
you see messages posted on the screen. For example, you might see a prompt asking whether to
upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade
the EUD, type yes, otherwise, type no.
You can check the status of an active installation operation by running the command watch tmsh
show sys software, which runs the show sys software command every two seconds. Pressing Ctrl +
C stops the watch feature.
If installation fails, you can view the log file. The system stores the installation log file as
/var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.
Warning: Do not use the 10.x installation methods (the Software Management screens, the b software
or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or
operate on partitions. Depending on the operations you perform, doing so might render the system
unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format
the system for partitions, and then use a version 9.x installation method described in the version 9.x
release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management
screens in the Configuration utility to complete these steps. To open the Software Management screens,
in the navigation pane of the Configuration utility, expand System, and click Software Management. For
information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP
versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to
those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this
version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier versions of the software, you might need to know about or take care of
these configuration-specific issues.
ID NUMBER
ID 223704
ID 366172
ID 370964
ID 378430
ID 384569
ID 394873
ID 398067
ID 399013
ID 399510
ID 401367
ID 401828
ID 402528
ID 403592
ID 403667

DESCRIPTIO

When you imp

A pre-v11.x co
When upgradin
"When upgrad
"If an object is
{ addr 10.10.20
The upgrade p
As of version 1
identical.
On 10.x-to-11.
"On BIG-IP Vir
Version 11.x a
"Problem: The
There is now m
combinations a
Platforms with
In this release,
any configurat

Fixes in 11.6.0
ID NUMBER
ID 284330
ID 336255
ID 336601
ID 349680
ID 361094
ID 364302
ID 367759
ID 376894
ID 380290
ID 382606
ID 395894
ID 409732
ID 411101
ID 411723
ID 415946
ID 416250
ID 417006
ID 418685
ID 419664
ID 421964
ID 422085
ID 422094
ID 423061
ID 423482
ID 424698
ID 424931
ID 426087
ID 426600
ID 429011
ID 429365
ID 431239

DESCRIPT

"Beginning in
"This fix intro
the TCP conn
MTU set to m
Correct the p
This issue ha
The system p
On BIG-IP VE
External data
Benign agent
Fixed a TMM
HTTP::cookie
~/bin will only
Resolved an
There is now
The BIG-IP s
Added timeo
"Thales HSM
primary slot."
You can now
Performing m
BIG-IP system
sysL2Forwar
Data connect
Creating or m
Removing th
An LTM Polic
Minimize num
"After upgrad
tmm loop will
External link
FTP data con
RTSP establi

ID NUMBER
ID 431240
ID 431926
ID 431957
ID 431985
ID 432720
ID 434730
ID 436674
ID 436811
ID 437285
ID 437430
ID 437637
ID 437703
ID 437906
ID 438046
ID 438159
ID 438504
ID 438826
ID 438877
ID 439013
ID 439300
ID 439424
ID 439490
ID 439653
ID 440179
ID 440181
ID 440425
ID 440466
ID 440685
ID 440729
ID 440756
ID 440812
ID 440941
ID 441270
ID 441336
ID 441573
ID 441638
ID 442020
ID 442022
ID 442034
ID 442336
ID 442391
ID 442410
ID 442579
ID 442584
ID 442869
ID 442993
ID 443098
ID 444178
ID 445597
ID 445610
ID 445761
ID 445924
ID 446402
ID 446682
ID 447080
ID 447390
ID 448054
ID 448476
ID 448606

DESCRIPT

RTSP ALG w
The TCP pro
When a full lo
Monitor insta
The BIG-IP w
Automatic inc
The SNMPv3
Pool membe
Updated soc
Alertd now su
Log message
You can now
WebSockets
Unattached a
With the fix, n
The show sys
Eliminate rac
The SASP m
Validation no
Due to missin
"SafeNet HS
install.sh will
The BIG-IP s
Long-lived co
No memory l
The iRule CA
In this releas
A DNS name
"Fix memory
Fix involves s
'tmsh save sy
When a wildc
Fix issues dis
The fix involv
Before v11.5.
The ultimate
Keep the cac
Router bit is
"Upgrade to B
SSL persiste
Issued has b
DAD and uns
Resolved TM
Allow "DEFA
Making confi
The primary
Only the defa
The Proxy SS
The policy wi
LSN pool clie
VXLAN tunne
iRule FIX eve
Changed cod
Deterministic
the fix for this
VLAN tagged
Loose-close
Secondary b
Updated med
The listener r

ID NUMBER
ID 448787
ID 449017
ID 449636
ID 449798
ID 449872
ID 449896
ID 449920
ID 449989
ID 450031
ID 450058
ID 450091
ID 450202
ID 450377
ID 450584
ID 450652
ID 450698
ID 451041
ID 451059
ID 451319
ID 451479
ID 451544
ID 451843
ID 451917
ID 451960
ID 452090
ID 452121
ID 452232
ID 452315
ID 452387
ID 452454
ID 452487
ID 452689
ID 453200
ID 453328
ID 453332
ID 453798
ID 454053
ID 454562
ID 455138
ID 455267
ID 455361
ID 455553
ID 455980
ID 456753
ID 456859
ID 457109
ID 457130
ID 457221
ID 457293
ID 457300
ID 457330
ID 458563
ID 458597
ID 458600
ID 458676
ID 459001
ID 459052
ID 459195
ID 459211
ID 459723

DESCRIPT

Connection t
F5 found pot
'tmsh load sy
An issue has
Using a mix o
Deterministic
A memory lea
Can now sav
No more logs
Added chang
The logging w
Fix MSS calc
With this fix t
Safenet HA is
BIG-IP 5250v
Use a consis
The parsing o
clientssl profi
Honor Conte
Fixed the form
There are no
Bridge no lon
Prevented le
Monitors con
MCPD valida
BIG-IP now s
iRule no long
Connection r
HTTP::heade
Forward RST
The pool mem
Other tunnel
Improve gene
Log processi
Fixed an issu
A performanc
Improved sec
Prevented m
No memory l
When forwar
Fixed improp
No multiple r
This bug reso
Fix the UNIC
Interface to h
A range chec
Configuration
Now a "." is r
When the ori
Improved ICo
When doing
We no longer
Now there is
The condition
Possible inte
PVA statistics
The -f option
Before updat
Specify a dat
CMI rsync da

ID NUMBER
ID 459929
ID 459973
ID 460178
ID 460197
ID 460390
ID 460593
ID 461592
ID 462351
ID 462447
ID 463652
ID 464683
ID 464691
ID 465799
ID 465803
ID 465804
ID 465908
ID 466752
ID 467066
ID 467706
ID 467931
ID 468300
ID 469139
ID 469867
ID 470175
ID 470402
ID 470994
ID 471070
ID 471873
ID 472157
ID 489113

DESCRIPT

Support large
You can now
oamd shutdo
active_reque
Profile SMTP
The user can
The device c
Stats for polic
do not use an
Consider Clie
Upgrade from
The message
OpenSSL ha
OpenSSL is b
OpenSSL is b
BIG-IP TLS v
Monitor insta
Local-ip setti
Forward and
"A new comm
HTTP now w
Modify virtua
Removing su
dnatutil can p
Active FTP c
tmm now cor
Grant users w
Validation is a
Chrome will n
PVA status a

Behavior changes in 11.6.0

ID NUMBER
ID 226043
ID 284330
ID 325239
ID 343561
ID 345389
ID 395894
ID 418340
ID 421570
ID 422094
ID 427579
ID 431240
ID 431272
ID 436518
ID 437398
ID 437931
ID 439013
ID 440095
ID 446402
ID 451258
ID 458322
ID 461851
ID 466233

DESCRIPT

There is one
When it is se
Providing IP
"The user ""a
password for
Set-Cookie2
The HTTP::c
RQ-LTM-164
Beginning in
changed how
ALG now has
"HA-Group s
ALGs now ha
ALGs now ha
"Here is a de
source or the
When datagr
The persist c
It's no longer
The following
deterministic
Formerly, the
"The way http
"With the new
The following

ID NUMBER

DESCRIPT

0: 49

1: 49

2: 16

3: 15

5: 49

6: 49

7: 15

8: 49

9: 49

10: 1

11: 1

13: 4

14: 4

15: 1

Known issues
ID NUMBER
ID 221946
ID 221956
ID 221963
ID 222005
ID 222034
ID 222184
ID 222221
ID 222287
ID 222344
ID 223031
ID 223412

DESCRIPTION

01070950:3: Cluster Member IP address 10.0.0.1

Beginning with version 10.0.0, the system reports
When you are logged on to a cluster managemen
"On boot, the following message might be seen.
If HTTP::respond is called in LB_FAILED with lar
LB_FAILED event, perform a 302 Redirect to ano
When the license expires, if you are on the Licen
The BIG-IP system may fail to complete an SSL h
Protocol during the SSL handshake. To work arou
On multi-core platforms running in CMP mode, ra
If a route learned via any dynamic routing protoco
If you run the tcpdump utility from a B4100 blade
When configuring a ConfigSync peer IP address,

ID NUMBER
ID 223421
ID 223426
ID 223542
ID 223634
ID 223651
ID 223796
ID 223830
ID 223885
ID 223954
ID 224073
ID 224142
ID 224195
ID 224294
ID 224372
ID 224402
ID 224406
ID 224520
ID 224665
ID 224680
ID 224881
ID 225358
ID 225431
ID 225588
ID 225851
ID 226113
ID 226892
ID 226964
ID 227272
ID 227281
ID 227319
ID 227362
ID 227369
ID 246726
ID 246825
ID 246871
ID 246962
ID 246983
ID 247012
ID 247094
ID 247099
ID 247122
ID 247135
ID 247200
ID 247216
ID 247241
ID 247300
ID 247310
ID 247709

DESCRIPTION

assign requested address" ConfigSync operation

If a disk is removed from an array, the serial num
If you apply to a virtual server a TCP profile with
SOL12241: A virtual server with the MD5 signatu
You cannot simply change the speed of an existin
The Traffic Management Shell (tmsh) may not dis
the default (BIG-IP 10.x). The system is unable to
An SSH File Transfer Protocol (SFTP) client migh
When an SFP is not inserted in a VIPRION interf
It is possible that with increased throughput, SNM
If you apply a hash persistence profile to a FastL
profile instead of FastL4. If a hash persistence pr
The system does not include the .tmshrc file in a
Pinging the floating self-ip from the command line
There is a pause negotiation mismatch in a trunk
The system does not prevent you from deleting a
SASP monitor validates timeout and interval altho
When you are connected using the serial console
When you specify a custom configsync user (tha
The dashboard cannot handle numbers that exce
The bcm56xxd service's small form-factor plugga
The Proxy Exclusion List setting is not aware of a
http://support.f5.com/kb/en-us/solutions/public/12
When you use the Wireshark program to view a p
On AOM-equipped platforms, changing the mana
Both units probe both gateway fail-safe pools reg
Disabling the LCD System Menu does not persis
Error conditions such as unreachable IP address
tmsh cannot remove missing array members. Wh
"ACPI: Unable to locate RSDP ACPI Error: A vali
With packet filter enabled with a default action of
certain connections. This issue occurs when all o
information, see SOL12831: Using packet filters
Node marked down by a monitor that is waiting fo
for manual resume has marked a node as down,
If you replace a tri-speed copper small form-facto
When a full-proxy HTTP virtual with ramcache, fa
Ramcache configurations that approach the limit
When you are using Fast L4 profiles and the PVA
Generating a SIGINT or SIGQUIT on the serial co
A virtual address is defined as the IP address wit
servers after disabling the virtual address, availab
You might encounter unexpected behavior when
When you are on the license summary general p
The system counts route domain health check tra
A display issue in the browser-based Configuratio
even though it might appear that they are functio
If you use a SIP or HTTPS monitor on a server th
If you have state mirroring enabled, when you up
After an import default operation, the prompt is se
When a system timeout occurs, the system grays
Linux represents long VLAN names using the firs
When a user configured for one role is logged on
The help frame crops the right edge of some of th
Occasionally, when you create an installation rep
production to prevent the potential failure from af
"You should not use the SSL::respond method w
There is an extremely rare chance that, if the hig
respective messages. If the key matching the old
"When you change the idle timeout in System :: P

ID NUMBER
ID 247727
ID 247894
ID 248489
ID 248678
ID 248932
ID 249083
ID 284910
ID 291327
ID 291541
ID 291584
ID 291689
ID 291704
ID 291719
ID 291723
ID 291742
ID 291756
ID 291761
ID 291768
ID 291777
ID 291782
ID 291784
ID 291786
ID 305069
ID 305091
ID 305096
ID 305319
ID 305380
ID 336885
ID 336986
ID 338426
ID 338450
ID 342319
ID 342325
ID 342423
ID 344226
ID 345092
ID 345529
ID 347174
ID 348431
ID 348502
ID 348503
ID 349242
ID 349629
ID 351934
ID 352560
ID 352840
ID 352925
ID 352957

DESCRIPTION

and you can safely ignore them."

When you create a new profile or edit an existing
The iRule substr function cannot use a string with
If the user configuration set (UCS) file you roll for
In previous releases 'bridge_in_standby' for vlang
"During a system reboot, the BIG-IP system may
are logged on have logged off. The system posts
An address wildcard virtual server has to be dele
The BIG-IP system may continue to generate ser
HTTP virtual server configuration is removed. As
deleted , available here http://support.f5.com/kb/e
Configuring a virtual server for multicast commun
If there are static Address Resolution Protocol (A
ConfigSync operation. Procedure for BIG IP v11.
command: bigpipe arp static list 3.) Identify the o
When backslash is used to escape quote in exter
When you use the Weighted Least Connections (
screen by clicking its link in the Local Traffic Pool
If you replace a copper (Cu) small form-factor plu
When the Configuration utility restarts, system wr
At system startup, you might see messages abou
In the ltm.log file, you might see mcpd warning m
On a multi-drive system, when you remove a driv
When you complete a new installation, the Firefo
If you create VLANs in an administrative partition
any administrative partition where you create VLA
The software does not support running small form
Running tmsh load sys config operation (on versi
or "bigpipe db bigpipe.displayservicenames false
If you set the import save value to 1 (one) and im
When you use the domaintool utility to delete a d
Using the COMPRESS::disable call in an HTTP_
You can create duplicate virtual servers with sam
When using the vi editor to edit files on the BIG-I
SNMP queries for ltmUserStatProfileStat values
If you initialize the Federal Information Processin
fips key to fips load /sys"
There is a memory leak that affects Firefox 3.6 bu
If a hard drive is in the process of replicating and
Clusterd can core on shutdown under certain circ
On VIPRION blades, the BIG-IP system might log
When you add a Domain Name System (DNS) se
If username and password have not been configu
The statsd process computes the value for syste
happens at this time. -- Before the blade dropped
Trying to create a CRLDP server using a name th
"When a RAID system is booting, the system pos
The BIG-IP Configuration utility may incorrectly a
are configured with a wildcard service port, availa
When starting BIG-IP VE on a Hyper-V platform,
"If you cancel a qkview when it is being generate
Deleting or renaming a vdisk from the file system
"WMI monitor reports ""not found"" for LoadPerce
The load balancing method 'Ratio Least Connect
"The error is usually similar to : 01070257:3: Req
Booting with SSD installed, you will be able to se
Proxy SSL is incompatible with persistence profil
When using partition default route domains, an a
Updating a suspended iRule assigned via profile
Established flows via virtual servers with iRules u

ID NUMBER
ID 353249
ID 353621
ID 354467
ID 354972
ID 355299
ID 355564
ID 355616
ID 356611
ID 356658
ID 356705
ID 356938
ID 357262
ID 357391
ID 357656
ID 357822
ID 357852
ID 357874
ID 358063
ID 358099
ID 358191
ID 358575
ID 358615
ID 358655
ID 359393
ID 359395
ID 359491
ID 359774
ID 359873
ID 360122
ID 360134
ID 360485
ID 360675
ID 361181
ID 361315
ID 361470
ID 362225
ID 362405
ID 362874
ID 363216
ID 363284
ID 363541
ID 363756
ID 363912
ID 364407
ID 364522
ID 364588
ID 364717
ID 364978
ID 364994
ID 365006
ID 365219
ID 365555
ID 365756
ID 365757

DESCRIPTION

LTM Virtual Server Bytes in/out and Packets in/ou

You can get an error from tmsh when adding a de
When you create an opaque VLAN group before
In some cases, TMSH does not properly recogniz
PVA acceleration can be configured on a platform
"The Error message ""The requested unknown (/
ltm virtual-address objects are only shown in tms
You can invoke imish (the shell for configuring dy
"Message is logged when remote authenticated u
After completing the setup wizard in the Configur
Special characters (such as the Yen sign) in data
When a logging pool is not available, the system
The racoon IKE (ISAKMP/Oakley) key managem
When you use bigstart restart to restart all daemo
User can use "delete cm trust-domain all" to crea
If a device that is part of an established trust-dom
"Creating an overlapping route can cause an unc
If you issue the command 'restart sys service all'
If two devices have different provisioned modules
"If the user resets the trust and changes the host
The traditional ConfigSync mechanism has been
Because there is no 'add' option for unicast-addre
The system posts an error message 'No such file
In order to be compliant with the FIPS-140 stand
Invalid or empty SSL certificates, keys, or CRLs w
When a system's hostname is set by the user via
In v11.x, pools used in an HA group must be in C
LTM-initiated SSL renegotiation is not attempted
The iControl method System.Statistics.reset_all_
6400, 6800, 8400, and 8800 platforms with Caviu
Node statistics, especially after a statistics reset,
Creating a configuration object with a FIPS 140 k
You can run the command 'fipsutil -f init' to force
2097152 bytes, now using a total of 10485760 by
usage from profiles before resetting or re-initializi
if you go to the System : Preferences screen and
If a virtual server's destination address is entered
Disabling connection queuing via "tmsh edit" whi
If a vdisk migration occurs, the original copy is le
that slot but synchronizes the software, configura
There is a misleading Upgrading Device Trust ba
devmgmgtd. * Reset trust.
A virtual server might indicate 'vlans-disabled', bu
The cipher list 'DEFAULT:!NATIVE' is different on
You can create an 'and' rule for the default node
Simultaneous blade-to-blade migrations of guest
action. Executing 'vretry' one blade at a time and
In rare occasions, when there are no monitors as
When vCMP is provisioned and guests are create
A user with the app_editor role can create an app
Running the show cmd from /Common to display
There is an issue when using the node-port optio
If an active/standby system is misconfigured with
When OneConnect is in use, server-side flows ar
Installing a 10.x UCS on a "clean" 11.0 will cause
"Trust upgrade fails when upgrading from version
upgrade for version 10.x high availability configur
The DES ciphers have been deprecated for TLS
During the load of a bad SCF file, once an error o
Mixed mode is presented as an option for extra d

ID NUMBER
ID 365767
ID 365836
ID 366060
ID 367072
ID 367198
ID 367714
ID 367996
ID 368888
ID 369596
ID 369640
ID 371647
ID 372209
ID 373467
ID 374067
ID 374109
ID 374333
ID 375207
ID 375605
ID 375887
ID 376120
ID 376166
ID 376447
ID 377231
ID 378055
ID 378967
ID 379002
ID 380047
ID 380415
ID 381123
ID 381710
ID 382040
ID 382252
ID 382363
ID 382577
ID 382613
ID 383128
ID 383442
ID 384717
ID 385274
ID 385508
ID 385825
ID 385915
ID 386778
ID 387106
ID 387448
ID 388098
ID 388273
ID 389397
ID 389912
ID 389976
ID 390423
ID 390764
ID 392085
ID 393647
ID 395148
ID 395269

DESCRIPTION

The verify option during a load .scf file operation

Changing provisioning using two commands in se
vcmp level dedicated;submit cli transaction;quit"|
There is an issue that is rarely encountered in FT
Running the command 'tmsh show sys hardware
Running 'tmsh show sys hardware' on appliances
When accessing the serial console on some BIG
functionality. The BIG-IP system can be accessed
Chunked HTTP responses might not be unchunk
The system allows you to create a virtual server (
'tmsh show ltm pool' command doesn't show the
If an iRule is assigned to two different virtuals in d
When using ACA kerberos delegation, users mus
When the certificate used to verify a signed iRule
MD5 certificate do not work with TLS 1.2. This oc
Using the 'snatpool' command in the CLIENT_AC
The radvd config is not migrated to tmsh syntax d
When the rate of new connections (CPS) is extre
On rare occasions, tmsh writes an innocuous err
Management IP addresses that are not saved in
Using the cluster member 'disable' command with
When a non-default route domain is configured fo
QSFP+ module ports do not allow a media capab
If a VLAN group member is used in the configura
member (that is, in this case, the group is already
VIPRION B4300 blades only support 9600 and 1
The serial console on the B2100 blade in a VIPR
Users in partitions attached to sync-only device g
MSRDP persistence fails when pool members ar
Listing objects that exist in partitions other than /C
TMM CPU utilization statistics reported by sFlow
Enabling more than 10 sFlow receivers may impa
The test-monitor and test-pool-monitor command
Config sync fails after changing IP address of a p
On 11.4.0 and up this only happens if a full load i
If TMM cores, the High Speed Bridge (HSB) drive
The system does not require min-up-members of
When you run the imish 'terminal monitor' comma
On VIPRION 4400 chassis containing B4100 bla
While upgrading or booting between versions on
If a packet is split into multiple fragments and the
While viewing 'watch-trafficgroup-device', if devic
This issue shows when an IPsec flow is routed vi
Loading a pre-11.0.0 UCS onto a system running
The CMI watch_* scripts (such as watch-deviceg
When using the tmsh command 'list net interface
IPsec in HA deployment cannot use anonymous
Ramcache statistics are associated with only one
Monitoring device group status from a device from
Running dmesg can report hda cable detect erro
On a VIPRION, the failover daemon does not com
On 12050/12250 (D111) and 10350N (D112) plat
A chassis uses a yellow Secondary LED on seco
There is a memory leak in the kerberos delegatio
Performing a 'sync from group' causes a mismatc
BFD session may not show the correct session "U
On a standalone BIG-IP system, on the propertie
The availability status for objects configured with
When setting the baud rate for the front panel se
Reapplying a template to reconfigure an Applicat

ID NUMBER
ID 395720
ID 396122
ID 396273
ID 396278
ID 396293
ID 396294
ID 396831
ID 398947
ID 399073
ID 399470
ID 399726
ID 400078
ID 400346
ID 400584
ID 400778
ID 402115
ID 402455
ID 402855
ID 402873
ID 403002
ID 403613
ID 403688
ID 403764
ID 404398
ID 404588
ID 405255
ID 405356
ID 405539
ID 406071
ID 406238
ID 406500
ID 406878
ID 408599
ID 408810
ID 409059
ID 410036
ID 410114
ID 410223
ID 411636
ID 411875
ID 412458
ID 414018
ID 414160
ID 414454
ID 415483
ID 415961
ID 416727
ID 417045
ID 417526
ID 417548
ID 417720
ID 417899
ID 418509

DESCRIPTION

On the BIG-IP 4000 platform, sometimes on boot

In a non-homogeneous cluster, validation on a se
When running dmesg, you might see errors simil
If you set MGMT IP address using the LCD modu
that is reporting a non-existent error condition.
SNAT bounceback does not work when the non-d
At startup, the BIG-IP 4000 logs a message 'SwE
Provisioning Virtual Clustered Multiprocessing (v
It is possible that the text 'serial8250: too much w
You might encounter the error 'err ntpd[5766]: Fre
Switch based platforms incorrectly identify Fiber
"tmm restarted during license or config loading. N
When removing a pluggable module from some s
A DHCP option field populated with a properly for
installation time.
lsn-pool object can be created without any memb
On a VIPRION system during failover in which th
Using the command 'tmsh show sys memory' dis
Before attempting synchronization using the GUI
If a config is created with route domains and a co
Source IP address for SNMP traps is inconsisten
address (10.x.x.y): sys snmp { traps { my_trap { c
It is not possible to set up configuration synchron
The drop counters for the 1.x interfaces on the 20
Hardware syncookies currently require both clien
If a log message is not matched by any filter, then
Using tmsh merge to update route-domains does
LSN iRules persistence-entry get/set and inboun
Issuing a 'reset-stats net interface' command in tm
Hot swapping hard drives at a rate of approximat
| grep -i sata Example Output: ata1: SATA link do
Id: 00 Lun: 00 Vendor: ATA Model: WDC WD1000
When you disable an interface, the state shows D
The command [clock -clicks milliseconds] on 32 b
FTP active mode data connection does not work
Applying a self-ip to a tunnel type vlan will conne
If you have a version of TMOS on multiple device
iRule node command does not work under LB_S
BIG-IP with Vyatta neighbor on a single link may
Hairpin connections are not supported for NAT64
"If a client and server attempt to resume a TLS co
When OSPF protocol running on BIG-IP system
For a virtual with a SIP profile configured as an A
/Common/test { defaults-from /Common/mblb iso
The LCD System is enhanced with a new menu f
The persist command generates an erroneous in
It is possible to misconfigure a SIP ALG virtual by
Hairpin connections between different subscriber
Configuring the VLAN used for inter-device mirro
When you update an iRule and replace an event
A license activated on 11.2.1, or later, is not back
Unused HTTP Class profiles are not rolled forwa
"Under rare conditions, a BIG-IP appliance may e
Upon shutdown, the system posts the message '
"When a power cable is reconnected to a power
hardware sensor notice: Power Supply 2 GPIO s
The FIPS key object contains an encrypted copy
"If a power supply fan unit becomes jammed or e
If you run the command 'service network restart'
It is not possible to match a literal ( in the stream

ID NUMBER
ID 418709
ID 418890
ID 418924
ID 418967
ID 419345
ID 419621
ID 419623
ID 419733
ID 419741
ID 420053
ID 420184
ID 420213
ID 420344
ID 420689
ID 421092
ID 421311
ID 421702
ID 421718
ID 421851
ID 421971
ID 422087
ID 422259
ID 422292
ID 422315
ID 423304
ID 423392
ID 424228
ID 424568
ID 424649
ID 425017
ID 425018
ID 425347
ID 425817
ID 425826
ID 425992
ID 426128
ID 426129
ID 427260
ID 427580
ID 427924
ID 428752
ID 428976
ID 429013
ID 429075
ID 429096
ID 429213
ID 429613
ID 430265
ID 430354
ID 430915
ID 431283
ID 431411
ID 431480
ID 431936

DESCRIPTION

The LCD module might report the error 'Low fan

When trying to upgrade from version 10.x to vers
Secondary blades in a cluster go into swap when
If two iRules in HTTP_RESPOND events are pre
Changing Master Key on the standby of an HA co
After a blade failover, an existing inbound session
If a command that needs to suspend processing
BIG-IP systems configured with additional non-de
TMM can crash and dump core. Core analysis is
Although the IPFIX Logging Destination accepts
A transaction fails when you create a new folder
The system posts an error message during trust
When BFD is configured between the HA pair ne
A single configuration file (SCF) as generated by
The maximum number of named variables in an
'user_disabled unchecked' node becomes 'user_
The BIG-IP system publishes the mgmt MAC add
"Resetting the log.bcm56xxd.level variable in tms
When iRules are saved into bigip.conf, the first lin
Renewing an existing certificate fails in UI if a use
"As a result of this issue, you may encounter the
"An IPFIX logging destination is configured with a
successful, the BIG IP will not be able to establis
"When a BIG-IP IPFIX logging destination uses th
failure to be detected quickly. The BIG-IP system
When trying to remove certain interfaces from lis
Objects may display extra parameters that don't b
In previous versions of iRules, the variable tcl_pla
information, see SOL14544: The tcl_platform iRu
If a virtual server is created without an assigned p
When a certificate contains multiple/nested OUs,
Blades will continually fail over with a large enoug
For Thales HSM clients, the tmm and pkcs11d da
Loading a SCF after modifying self IP may cause
http://support.f5.com/kb/en-us/solutions/public/14
vCMP guests report 'unknown' as platform type. T
The boot_marker entries found in system logs mi
"Unit in HA configuration constantly cored until th
If the BIG-IP mgmt interface is connected to a sw
If the passphrase for the pkcs12 file being installe
CGNAT translation logs sent to ArcSight HSL des
Type tmsh show sys pptp and it shows the identic
When a PSU is absent from the system, LCD wa
When inserting a new blade in a VIPRION C2400
with the correct hash type).
Occasionally, on shutdown/reboot of a platform, d
If a self IP is configured for advertisement in OSP
Log file permissions for one specific log file were
Unable to use the WMI monitor to monitor a pool
Various tools, including the Dashboard, display a
"A race condition may occur in which a monitor in
to monitor 2 different nodes which have the same
TACACS+ accounting packets are only sent to th
If an iRule runs a periodic after{} command conta
When an alarm light is present on the primary bla
When a power supply or fan tray FRU is inserted
"Binary command does not check if the offset arg
"Multicast NTP received by BIG-IP systems from
Occasionally, you might encounter a situation in w
The SASP monitor does not mark pool members

ID NUMBER
ID 432242
ID 432407
ID 432998
ID 433223
ID 433323
ID 433466
ID 433572
ID 433897
ID 434356
ID 434364
ID 434517
ID 434573
ID 435022
ID 435332
ID 435385
ID 435494
ID 435646
ID 435670
ID 435814
ID 435946
ID 436813
ID 436825
ID 437226
ID 437586
ID 437768
ID 437905
ID 438048
ID 438177
ID 438324
ID 438666
ID 438674
ID 439507
ID 439628
ID 440199
ID 440215
ID 440346
ID 440365
ID 440431
ID 440959
ID 441013
ID 441146
ID 441297
ID 441482
ID 441719
ID 441789
ID 441796

DESCRIPTION

reached.
Active device incorrectly marks pool members do
The GUI becomes inaccessible after the system
system is already in this unresponsive state, issu
The mssql monitor marks one pool member down
looking at the customer's response, they are runn
"On a VIPRION B4300 blade, VIPRION B2250 b
retrieve stats from the Broadcom switch chip, the
When a client request contains no-cache directiv
When the bundled interface (e.g., 2.1) is disabled
DTLS does not work with rfcdtls cipher on the B2
If a datagroup contains entries that are longer tha
When an internal/external data-group configuratio
"When upgrading from 10.x or installing a 10.x or
not install properly, and/or the configuration on in
If a HTTP_RESPONSE event fires due to the ser
"While running a version of BIG-IP older than the
automation scripts which depend on correctly ma
TMM might crash if an ICMP packet refers to a cl
If there are users defined on a version 10.2.1 BIG
[All] }
Unable to access the GUI. This occurs with frequ
DTLS handshake may fail when UDP messages
lsn-pool inbound setting does not work when not
If the DB variable Persist.WellKnownProxyClass
CGNAT connections for a single client might exce
"TMSH incorrectly allows a user to configure two
Messages for sync statuses differ when there is a
Under certain conditions, nodes (or any other obj
domain ID to 0 before upgrading, then set it back
The SERVER_CLOSED execution counter is inc
When running lspci -vv (or -vvv) on blades contai
ignore this output from dmesg and in kern.log.
Do not use 'bigip1' as a device name. The BIG-IP
Both ltm and/or tmm logs may show buffer overfl
quickassist.compression.buffsize_multiplier (curr
You might encounter a tmm core when the iRule
RSA key/cert pair must be configured as a defau
Virtual servers configured with Fast HTTP profile
iControl/REST relies on automatic parsing of tms
The log filter functionality in TMOS allows users t
Running the qkview utility might take a very long
Updating the Dynamic Ratio of a node or pool me
administrator's pending changes to the configura
node_name='/Common/10.50.5.251' and port='25
Using the LCD buttons to change the console ba
When setting the Ethernet ports on BIG-IP 5000
If devices are in a failover device group, and this
At upgrade or UCS installation time, one or more
any references to them in the configuration befor
The hud_http_method_respond() does not work w
"Symptoms: - within the threshold of configured t
monitor: --------------------------------- tmsh create sy
"When you change root password in single user m
Flooding on forwarding ports are being delayed d
When you restart mcpd on 2000/4000 series plat
Although there is a tmsh provision command sho
GB of memory, LTM provisioning must be set to N
The CRYTPO command can trigger a core when
If provisioning is changed too quickly some proce
"When you run hsb_snapshot or qkview from the

ID NUMBER
ID 441888
ID 442227
ID 442409
ID 442477
ID 442489
ID 442569
ID 442613
ID 442647
ID 442961
ID 445430
ID 445800
ID 446712
ID 446713
ID 446717
ID 446963
ID 447043
ID 447874
ID 447958
ID 448409
ID 448493
ID 449158
ID 449502
ID 449596
ID 449747
ID 451549
ID 452683
ID 452837
ID 453232
ID 453362
ID 454209
ID 454640
ID 454671
ID 454672
ID 455090
ID 455284

ID 455467
ID 455525
ID 456024
ID 456378
ID 456508
ID 456837
ID 456854
ID 457149
ID 457799
ID 457934
ID 458526
ID 458527
ID 458528
ID 458822
ID 459382
ID 459471
ID 459596
ID 459671

DESCRIPTION

Hardware syn cookies are not supported on nonWhen using tmsh, a user can set the start time o
"The panic results in log messages in ltm log: 13
The admin of a vCMP system performs a softwar
time. Thus, the next action that requires additiona
reserved attribute directly such that it is less than
The values when viewing the licensed SSL and c
There are some SELinux errors that can occur in
After user modifies tag map data group content, t
Due to a mistaken internal object-size conversion
When more packets per second than defined in T
While nominal and minimum are not supported in
BIG-IP configurations fail to load after upgrading
up 0 dest *:* } pool poolA { monitor all smtp-defau
When FTP is used with LSN pool, the data conne
1st boot to v11.5.0 causes daemon restarts and e
When running 'tmsh show sys hardware' on the P
When messages are queued after processing of
"Ltm policies have operands that can be matched
HTTP pipeline request might cause TCP window
"A slow clientside SSL connection may result in a
The 'verify' option on the 'load sys config' comma
SIP response is not forwarded to the client. They
"Http request to a vs:80 with a default pool and a
Diameter monitor script doesn't allow custom gro
At the command line, when you issue the 'show b
All of the self links and reference links in iControl
If a fan tray is removed and replaced with anothe
The one-line option does not work for some confi
It is not possible to add a device in the ca-device
The double-tagging packet stats counters are on
SSL forward proxy does not work with OneConne
TMM crash with a backtrace including dns_dev_p
"Secondary blades' mcpd instances may restart o
When SIP is used with LSN pool, the media conn
When RTSP is used with LSN pool, the media co
"#" is TCL comment command which causes the
Firewall rules intended to restrict access to an AP

'/sbin/iptables -D INPUT -p tcp --dport 5

'/sbin/iptables -D INPUT -p tcp -m tcp -

'/sbin/iptables -A INPUT -p tcp -m tcp -.
QinQ VLAN functionality requires supported vers
"If for some special reasons, the role and partition
When vCMP is not provisioned, and you load vC
When using ipother profile, if there's an iRule tha
Deleting persistence entries via iRules in PBA mo
For double vlan tagged packets when a switch po
You might see error messages indicating that a s
If a local password policy with password expiry is
Configuration validation disallows creation of a st
Some connections through a virtual server using
When a BIG-IP device is running the spanning tre
When running spanning tree, a BIG-IP device se
When a BIG-IP product is configured to use STP
"tmsh show sys cluster all-properties Availability o
The GWM server can reset the TCP connection t
ssl-ocsp and ssl-cc-ldap auth profiles can contain
"Packets leaking onto network Memory leak appe
iRules source different procs from different partiti

ID NUMBER
ID 459753
ID 460500
ID 460627
ID 460751
ID 460834
ID 461140
ID 461157
ID 461199
ID 461375
ID 461776
ID 462507
ID 462523
ID 462524
ID 462714
ID 463970
ID 464489
ID 465052
ID 465197
ID 466285
ID 466570
ID 466719
ID 466837
ID 466875
ID 467043
ID 467181
ID 467589
ID 467646
ID 467868
ID 468021
ID 468323
ID 468472
ID 468505
ID 468542
ID 469035
ID 469366
ID 469549
ID 469705
ID 470191
ID 470203
ID 470756
ID 470807
ID 471059
ID 471288
ID 471324
ID 471393
ID 471843
ID 472308
ID 472573
ID 472867
ID 472944
ID 473105
ID 473200
ID 473213
ID 473724

DESCRIPTION

When including cluster as a component of HA Gr

"When loading the config containing signed iRule
When the SASP monitor starts up, it can attempt
The RTP and RTCP conn flows get setup in resp
TMM asserts with tx_hist full during high rate of n
You cannot configure High Availability (HA) using
VLAN (VLAN on which each device can commun
There is no stats to indicate that the standby box
Memory increases when using certain iRule meth
The dhcp-enabled property was removed becaus
"Regardless of the setting of the DB variable 'qin
If CGNAT PBA is configured for block lifetimes, w
"installations of block-device-image or block-devi
"When a User-Agent identifies a browser which h
A source address persistence record created on
"When using ""LB::reselect pool <current pool>""
"User is unable to create or modify SSL profiles,
TMM cores when executing an HTTP::cookie com
The OData $filter is implemented only for filtering
"When certain users switch partitions, their displa
When grandchild (child of a child) monitor is view
The wrong address is used for BGP routing. "SEL
Using the GUI to modify a virtual server with mult
Egress packets have a source address that is no
Modifying banner and banner-text while sshd ser
The TMM can core if forced to shutdown while lo
"The /usr/share/mysql/purge_mysql_logs.pl scrip
and change the original check: unless( $provision
If the device experiences an IDE DMA timeout, s
The mcpd memory steadily increases until it runs
"When attempting to upgrade to 11.5.0 or later fro
files in the UCS archive.
bdpd has one occurrence of a SIGSEGV in bgp_
"TCP4 asserts if it receives spurious internal eve
tmsh crypto commands will fail when executed in
Virtual server with SPDY profile ignores SNAT 'N
"If the configuration included encrypted items -- li
A config sync operation might fail with a parent-p
receiving the configsync (to do so, save the confi
"Upon reviewing the log file in /var/log/ltm, a user
TMM panics with following string: "domain != RT_
Virtual with FastL4 with loose initiation and close
Setting a remote syslog destination to a localhos
Prior to sod restarting snmpd due to a heartbeat
When an iRule specifies a data-group that is not
An HTTP Cookie value containing a space appea
tmm might crash with session-related commands
"SNAT translation happens though SNAT list is co
all vlans to be disabled.
Saving very large files in /config results in failure
If a user is logged into the GUI, and that user's ac
When the management address changes (either
Cannot set a password of 14 characters --the ma
Using Firefox version 31 or later cannot connect
reinstall the version 30 Firefox browser.
"After STARTTLS handshake, SMTP communica
With 'pva-acceleration' set to 'guaranteed', the BI
Manually renaming a virtual server causes unexp
Failed system fan emergency alert is exhibited as
If a DC PSU hotswap is performed on BIG-IP 100

ID NUMBER
ID 474149
ID 474179
ID 474226
ID 474358
ID 474388
ID 474797
ID 474983
ID 475525
ID 475584
ID 475791
ID 475896
ID 476136
ID 476218
ID 476398
ID 476544
ID 476708
ID 476920
ID 477232
ID 477375
ID 477705
ID 477742
ID 477786
ID 477992
ID 478920
ID 478922
ID 478986
ID 479176
ID 479262
ID 479670
ID 480686
ID 481001
ID 481082
ID 481089
ID 481138
ID 481162
ID 481647
ID 481696
ID 482204
ID 483228
ID 483257
ID 483353
ID 483539
ID 483953
ID 484245
ID 485189
ID 485232
ID 485244
ID 485327
ID 485432
ID 485714
ID 486512
ID 486722
ID 487625
ID 487660
ID 487798
ID 488188

DESCRIPTION

that the appliance is left in a non-redundant PSU

SOD posts benign error message: Config digest
SOAP monitors configured with a leading ':' in the
LB_FAILED may not be triggered if persistence m
When saving/loading a configuration, a child mon
Certain conditions might produce error messages
"If malformed SSL packets are sent to Big-IP, the
"This issue occurs when issuing the 'tmsh show l
Connections fail to pass data and may be reset u
"Ingress packet count will differ from egress pack
tmm_panic occurs ("valid pcb") when a connectio
"Running the following command does not work:
On VIPRION B2250 and B4300/B4340N blades,
If the ePVA drops an evict command, then a flow
The TCP profile options Receive Window and Se
mcpd runs out of memory when a connection's se
In a very specific mesh network configuration as
RESOLV::lookup does not resolve if route domain
When using a LSN pool with persistence mode a
Rarely, the SASP monitor cores. This occurs whe
The 'untrusted-cert-response-control=drop' comm
The DTLS message sequence number is incorre
Depending on the release, sending a SYN packe
The log is never created. Error messages in /var/
SIP::discard is invoked only for the first 2 request
"Attempting to turn on ICSA logging for non-ESP
When power is removed from the PSU but the PS
The TMM attempts a DNS db load while starting.
The 'readPowerSupplyRegister error' is logged in
If a licensing operation happens when the VCMP
On an active VIPRION or vCMP guest with a VLA
and packet drops. The Self IP on the affected VL
Software auto update settings are not synced be
After performing a full sync, the auto update setti
After performing a full sync, sometimes the BIG-I
duplicate IS-IS routes in router IS-IS routing dupl
The vs-index field on virtual servers should be th
The OSPF daemon might assert if receiving a Lin
You might see a failover error message 'sod out o
Attempts to modify the ssh daemon logging level
A race condition in the terminate handler of the ic
Cannot delete keys without extension .key (and c
TMM may crash in HTTP compression in low-me
"Due to the incorrect MSS value, TMM might core
MSS option. If this issue occurs, then TMM will c
When traffic has an apparent path MTU of less th
Using the GUI to delete a network firewall rule ca
TMM might crash and generate a core if unable t
After re-enabling a blade, it does not go active ev
The 'halt' command will now power off various pla
"By default the tmsh cli global settings service va
when the mgmt port's subnet is changed, existing
"Notice the below log message in /var/log/ltm, Oc
Forwarded auditing messages contain the wrong
The default config-sync timeout is 300 seconds. T
Manually corrupting the filestore will cause qkview
"Oct 29 10:31:00 slot1/Smart debug tmm9[25268
Racoon core and connections issue with IPsec b
a result of the IPsec SA re-key attempt failures. T
qkview removes its temporary files on exit. If qkv

ID NUMBER
ID 488581
ID 489013
ID 489015
ID 489089
ID 489153
ID 489732
ID 490121
ID 490139
ID 490329
ID 491791
ID 493117
ID 493950
ID 494019
ID 494452
ID 494815
ID 494987
ID 495215
ID 495242
ID 495588
ID 495862
ID 495875
ID 500407

DESCRIPTION

'SSL::disable clientside' inside HTTP_REQUEST

SSD LCD RAID status menu shows incorrect me
"An LTM request-log profile that references a non
The BIG-IP system cannot detect the PSU state
corrective action. Plug the power cable into the P
"The log entry similar to the following appears in
With a 4300/4340 blade, 40 GB bundled interface
PVA current and maximum stats are incorrectly re
Loading iRules from the iRules file deletes last fe
Front panel LED status of a SFP+ pluggable mod
Performing a GET on nonexistent pool members
After changing the netmask of an advertised virtu
Virtual Server with unmatched context settings in
context, and then saving the UCS file. 2: After a f
System matches to previous Diameter Route App
When a response-adapt profile is applied to a vir
"Some iControl REST DELETE calls fail. These a
If `dont-insert-empty-fragments' is removed from
"Attempting to add a Device Management Peer r
The system posts the following message in the m
Configuration fails with Syntax Error after upgrad
"Virtual monitor status becomes yellow and get c
tmm might experience an infinite loop when selec
The following features are not supported on nondue to performance issues.