Symptoms ... Firewall rules intended to restrict access to an APM daemon running on the BIG-IP system might incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321. ... Impact ... This may result in monitors incorrectly failing, and pool members incorrectly marked down. ... A packet capture of the monitor traffic will show the BIG-IP system receive a SYN/ACK from a pool member, and respond with an ICMP port unreachable error. ... Conditions ... This can occur even if a BIG-IP system is not provisioned for APM or SWG. ... As a workaround, add these iptables commands to the '/config/startup' script, and reboot the BIG-IP system (or manually run these commands once). ... Fix Information ... Firewall rules no longer incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321. ... Behavior Change