Applies To:
BIG-IP versions 1.x - 4.x
- 2.0.1 PTF-04
Summary:
This note describes a Product Temporary Fix (PTF) to the BIG/ip Controller version 2.0.1, and it is recommended only for those customers who want the enhancements and fixes listed below. This PTF incorporates all fixes included in all PTFs subsequent to version 2.0.1. For complete information about version 2.0.1, please refer to the Release Notes for version 2.0.1.
Contents:
Installing the PTF
You can apply this PTF to version 2.0.1 of the BIG/ip Controller, as well as to 2.0.1-PTF-01, 2.0.1-PTF-02, and 2.0.1-PTF-03. Note that you do not have to apply previous PTFs; they are already included in the current PTF install.
Use the following process to install the PTF software:
- Click here and follow the instructions for using the F5 Networks FTP site.
- Download the v201PTF4domkit.tar file to the /var/tmp/ directory on the target BIG/ip Controller system.
International customers need to use FTP in passive mode from the BIG/ip Controller to download the v201PTF4intlkit.tar file. To place FTP in passive mode, type pass from the command line before transferring the file.
- Enter the following commands to install this PTF:
cd /var/tmp
tar -xvpf /var/tmp/v201PTF4domkit.tar
- Run the following commands:
cd /var/tmp/upgrade_ptf
- Follow the on-screen instructions.
The install will automatically create a backup of your /etc/rc.local, /etc/inetd.conf and /etc/rc.sysctl files and remove any old files that are no longer used. If you have made changes to your /etc/rc.local file, you may need to edit the file and retype your modifications. Backups of the files are stored in /var/save/backupyymmdd.hhmm/ on your BIG/ip Controller.
Once you install the PTF software, refer to the Configuring and using the updated software section below.
Configuring and using the updated software
When you install this PTF, the only special configuration issues you might need to address are related to the gateway failsafe feature. The gateway failsafe feature was originally released in BIG/ip Controller version 2.0.1PTF-03. If you previously installed 2.0.1PTF-03 and configured gateway failsafe at that time, you do not need to repeat the configuration process after installing the current PTF. If you never installed 2.0.1PTF-03 and you want to use the gateway failsafe feature, review the following section.
Configuring gateway failsafe on the BIG/ip Controller
Gateway failsafe is the ability of an active BIG/ip Controller to fail over to the standby unit if it cannot communicate with a given router using an ICMP Echo Request to ping that router. Gateway failsafe periodically sends an ICMP Echo Request to the IP address you specify and then waits for an ICMP Echo Reply. In addition, after half the timeout duration expires, the BIG/ip Controller sends warnings to the console every second before the failover occurs. Use gateway failsafe when your BIG/ip Controller redundant system uses two different gateways to connect each unit to the Internet. If the primary gateway fails, the second BIG/ip Controller is still able to connect to the Internet through the second gateway.
In contrast to gateway failsafe, when the BIG/ip Controller uses the bigpipe interface command to set the failsafe mode, it broadcasts an ARP Request if no packets are detected on a given external interface. If that interface receives any Ethernet traffic at all, interface failsafe reports the site as up, and a failover does not occur. Gateway failsafe verifies that the actual path to the Internet is up or initiates a failover if the BIG/ip Controller does not receive the correct reply.
In order to configure this feature, you must specify the name or IP address of the router, the interval that ping packets are sent to the router, and the timeout duration for replies. The configuration information for gateway failsafe is stored in the /etc/bigd.conf file. The proper syntax for the entry is:
gateway <IP addr> <ping_interval> <timeout>
gateway <host name> <ping_interval> <timeout>
The <ping_interval> and <timeout> variables are in seconds. The <host name> variable refers to the name of a network device that resolves to an IP address. For example, either of the following lines, when added to the /etc/bigd.conf file, ensures that the BIG/ip Controller pings the router on IP address 10.1.1.1 and that if a response is not received in 10 seconds, the BIG/ip fails over to the standby unit.
gateway 10.1.1.1 5 10
gateway router 5 10
Gateway failsafe can be armed or disarmed from the command line at any time without changing the configuration stored in the /etc/bigd.conf file. In order to arm failsafe on the gateway, enter the following command:
bigpipe gateway failsafe arm
To permanently arm the gateway, add the arm command to the end of your /etc/rc.local file. To disarm the gateway, enter the following command:
bigpipe gateway failsafe disarm
To see the current armed status for the gateway, enter the following command:
bigpipe gateway failsafe
Note: The BIG/ip Controller supports pinging only one router using the ICMP protocol. The log messages are sent to the LOG_LOCAL1 facility and the level is LOG_EMERG. The standard syslog configuration (/etc/syslog.conf) directs these messages to the /var/log/bigd file. In addition to logging the message, each message is also written to the BIG/ip Controller console (/dev/console).
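A pre-flight check for the gateway entry syntax and the one-router limit described above, as an added example that is not part of the original release note or of the BIG/ip software. The function names, the constructed sample input, and the dotted-quad validation are assumptions of this example; host names are accepted without being resolved.

```shell
#!/bin/sh
# Added example (not F5 code): lint gateway failsafe entries read from stdin.
# Prints one line per entry or finding; returns 0 when clean, 1 otherwise.
lint_gateway() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    $1 != "gateway" { next }    # other bigd.conf entries are not examined
    {
        seen++
        before = errs + 0
        if (NF != 4) {
            bad("expected: gateway <IP addr or host name> <ping_interval> <timeout>")
            next
        }
        if ($3 !~ /^[0-9]+$/ || $3 + 0 == 0) bad("ping_interval must be a positive number of seconds")
        if ($4 !~ /^[0-9]+$/ || $4 + 0 == 0) bad("timeout must be a positive number of seconds")
        if ($2 ~ /^[0-9.]+$/) {             # looks like an IP address: check the octets
            ok = (split($2, o, ".") == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] == "" || o[i] + 0 > 255) ok = 0
            if (!ok) bad("malformed IP address " $2)
        }                                   # anything else is taken as a host name
        # The controller pings only one router, so a second entry is a finding.
        if (seen > 1) bad("extra gateway entry: only one router can be pinged")
        # Console warnings start once half the timeout has expired.
        if (errs + 0 == before)
            printf "line %d: ok: ping %s every %ss, console warnings after %ss, failover after %ss\n", NR, $2, $3, $4 / 2, $4
    }
    END { exit (errs > 0) }
    '
}

# Constructed sample input, not taken from a real controller.
sample_conf() {
    cat <<'EOF'
gateway 10.1.1.1 5 10
gateway 10.1.1.300 5 ten
EOF
}

sample_conf | lint_gateway || echo "fix the findings above before arming gateway failsafe"
```

To check a real configuration, run `lint_gateway < /etc/bigd.conf` before arming gateway failsafe.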
Fixes included in BIG/ip Controller version 2.0.1PTF-04
BIG/ip Controller version 2.0.1PTF-04 provides fixes for the following issues:
- Fix #1226: Update FTPD for CERT Advisory 99.03
The BIG/ip Controller now includes version 2.4.2 of WU-FTPD in accordance with CERT advisory 99.03.
- Fix #1730: BIG/ip attempts ipforward of vip traffic under low memory
The BIG/ip Controller now contains more specific error processing for packet errors and low memory conditions, so that the packets are correctly handled. One specific improvement is that under certain error conditions, the BIG/ip Controller may now drop a packet destined for a virtual address instead of incorrectly attempting to forward the packet. The BIG/ip Controller supports new error counters that record these unusual events.
- Fix #1753: ipfw filters allowed to block internal node status messages
When a filter rejects packets by default, the internal traffic to and from the 127.0.0.1 IP address needs to be correctly processed, rather than filtered, so that certain internal communications related to service checking can occur. These packets are now processed correctly without having to explicitly accept the IP address in the ipfw filter.
- Fix #1759: exportable versions of Telnet
The BIG/ip Controller now contains version BSD 4.4 of the Telnet and Telnetd utility files for export.
Enhancements and fixes released in prior PTFs
The current PTF includes enhancements and fixes from all PTFs released after BIG/ip Controller version 2.0.1. Those enhancements and fixes are summarized below.
BIG/ip Controller version 2.0.1PTF-03
- Enhancement: Support for highly redundant external network configuration
A new feature called Gateway Failsafe has been added to this release to support highly redundant external network configurations. For more information, refer to the Configuring gateway failsafe on the BIG/ip Controller section.
- Fix #756: Log rotation fails if sendmail.cf does not exist
The daily log rotation, controlled by the /etc/daily script, verifies that the sendmail.cf file exists on the BIG/ip Controller before sending the results. If the sendmail.cf file does not exist on the unit, then sendmail is not used.
- Fix #1486: Add rcp/rsh in the system to support 3DNS Systems
The rcp and rsh programs have been added to the BIG/ip Controller software to support communications with international 3DNS Systems (available in 3DNS System, version 1.0.4).
- Fix #1515: Netcat bug makes EAV fail and halts the process
The BIG/ip Controller now accounts for the way Netcat calls for a range of file descriptors, so that EAV works correctly.
- Fix #1641: Possible instability with multiple passive FTP connections
The BIG/ip Controller now checks for unusual passive FTP connection scenarios and conflicts. It then takes steps to avoid or resolve the conflicts. The BIG/ip Controller also logs the problems for future analysis.
- Fix #1649: CRC, alignment errors with full duplex bi-directional traffic through Intel NICs
The BIG/ip Controller now supports full duplex bi-directional traffic through Intel NICs by disabling the DMA Maximum Byte Counters and thus eliminating contention for the bus.
- Fix #1755: Treaper not deleting SSL connections as expected
When using SSL persistence, the BIG/ip Controller now deletes connections from the connection table as expected.
- Fix #1757: Traffic misdirected if multiple connections made from the same port
The BIG/ip Controller contains improved handling of conflicts that arise when a client attempts multiple connections from the same client port.
BIG/ip version 2.0.1PTF-02
- Fix #1395: TCP persistence does not work
TCP persistence now works properly with the persist_any_vip and persist_any_port_same_vip settings.
- Fix #1430: Y2K problem setting date to February 29, 2000
The BIG/ip Controller now includes the BSDI patch, M310-023, which resolves this problem.
- Fix #1434: Port rewrite not correct for TCP and UDP fragments
When a packet fragment arrives, the BIG/ip Controller now saves the fragment number according to the user's IP address. The remaining fragment packets are then forwarded to the correct node for that user's connection.
BIG/ip version 2.0.1PTF-01
- 1066: The BIG/ip Controller sends a reset when it receives a reset
The BIG/ip Controller now discards the resets it receives, in accordance with RFC 793.
- 1346: Transparent Node Mode, UDP and ICMP not routed properly through firewalls
UDP and ICMP packets are now routed through firewalls using the node route.
- 1350: Order of checking NATs and virtual servers reversed in Transparent Node Mode
When working in Transparent Node Mode, NATs are now checked before virtual servers so that a wildcard virtual server does not mask the NATs. In Normal Mode, virtual servers are still checked first.
- 1387: ICMP need frag packets to a virtual server in Transparent Node Mode are not handled correctly
The BIG/ip Controller kernel now handles ICMP packets so that the route MTU is adjusted and an ICMP need to fragment message is sent to the sender.
- 1388: ICMP need frag packets to a NAT external IP address are not handled correctly
The BIG/ip Controller kernel now handles ICMP packets so that the route MTU is adjusted and an ICMP need to fragment message is sent to the sender.
- 1389: icmp_error receives a translated offending packet and calls icmp_reflect
The BIG/ip Controller kernel now saves a portion of the original packet and retranslates the packet before passing it to the icmp_error function.
- 1390: BSD incorrectly sets icmp-nextmtu to if_mtu when generating an ICMP need frag packet
If Path MTU discovery is on and the BIG/ip Controller receives a packet that is longer than its MTU, BSD sends an ICMP need to fragment message with the icmp_nextmtu variable set to the MTU of the route, so that the sender can reduce its MTU for that route. Otherwise, BSD sends an ICMP need to fragment message with the icmp_nextmtu variable set to if_mtu.
- 1398: Disabled nodes reject persistent connections
The BIG/ip Controller now allows persistent connections to continue after you disable a node.