Release Notes : BIG-IP Controller PTF note version, version 2.1.2 PTF-01

Applies To:

BIG-IP versions 1.x - 4.x

  • 2.1.2 PTF-01
Release Notes
Original Publication Date: 11/05/1999 Updated Date: 04/18/2019

Summary:

This product temporary fix (PTF) provides fixes for BIG/ip Controller, version 2.1.2.  The PTF includes all fixes released since version 2.1.2, including fixes originally released in prior PTFs.

Contents:

Installing the PTF

Apply the PTF to BIG/ip Controller version 2.1.2 using the following process:

  1. Follow the F5 Networks instructions for using the F5 Networks FTP site.

    Use FTP in passive mode from the BIG/ip Controller to download the file. To place FTP in passive mode, type pass from the command line before transferring the file.

  2. Download the appropriate file to the /var/tmp/ directory on the target BIG/ip Controller:
    • For US BIG/ip Controllers, download the v212ptf1domkit.tar file.
    • For international BIG/ip Controllers, download the v212ptf1intlkit.tar file.
  3. Enter the following commands to install this PTF:

    cd /var/tmp
    tar -xvpf v212ptf1domkit.tar    (Domestic HA/HA+ and LB)
    tar -xvpf v212ptf1intlkit.tar   (International HA/LB)

  4. Run the following commands:

    cd /
    var/tmp/upgrade_ptf

  5. Follow the on-screen instructions.

The install automatically creates a backup of the /etc/syslog.conf file in /var/save/backupyymmdd_hhmm/ on the BIG/ip Controller and removes any old files that are no longer used. If you have made changes to the /etc/syslog.conf file, you may need to edit that file and retype your modifications.

The checksums for this PTF are available in a file called sums, which can be downloaded from the FTP site.

Once you have installed the PTF software, please refer to the Configuring and using the updated software section below.


Enhancements in this release

  • Added support for a new type of Gigabit Ethernet adapter
    Added support for a new type of Gigabit Ethernet adapter. The new interfaces are named sk0 or sk1, where the number, 0 or 1 in this case, is the interface number.
  • Mapping proxies for persistence
    Added a rule to support mapping source IP addresses to nodes with support for a mask. This makes certain proxies look the same for persistence. By default, this feature is on. For more information, see Mapping proxies for persistence.
  • Upgrade to BIND Version 8
    The BIG/ip Controllers that were originally shipped with version 2.1 or later already have BIND 8 pre-installed. Older BIG/ip Controllers, even if they have been upgraded to version 2.1, 2.1.1, or 2.1.2, still run BIND 4. After installing this PTF, BIG/ip will be running BIND 8, regardless of previous configuration. For more information, see Configuring the BIG/ip Controller version 2.1.x as a DNS forwarding proxy.

What's fixed in this PTF

  • CR 2002:  Problem with service checking a large number of nodes
    Fixed a problem with service checking a large number of nodes that could consume a large amount of CPU cycles.
  • CR 4649:  bigpipe incorrectly rejecting 0 and 255 in IP addresses
    Fixed a problem that caused bigpipe to reject IP addresses ending in 0 or 255. As long as the host portion of the IP address is not entirely zero bits or entirely one bits, it is valid.
  • CR 4757:  Line sending auth.* to checktrap.pl says auth* in syslog.conf
    Fixed the line piping auth.* to checktrap.pl.
  • CR 4780:  SNAT, passive ftp, to a vip fails
    Fixed a problem that would cause an FTP passive connection to another virtual server to fail.
  • CR 4782:  F5 Configuration utility breaks bigd.conf whenever there are \n\n in the send string
    Fixed a problem that would cause the F5 Configuration utility to break the bigd.conf file.
  • CR 4860:  Node down command missing
    This update adds the node <node> up/down command back into bigpipe. Those using persistence must use the bigpipe node <node> down to take down a node. This command is recommended to prevent persisting connections from coming through.
  • CR 4866:  hostname MIB entry returning unknown
    Fixed a problem with the hostname MIB-II entry that prevented it from returning the proper host information.
  • CR 4894:  FTP conflicts lead to inflated connection counts
    Fixed a problem that would cause certain FTP port conflicts to delete existing connections when a client creates a new data connection.
  • CR 4904:  Removal of node from vip can inflate nodehead connection counts
    Fixed a problem with connection counts when a node was removed from a virtual server.
  • CR 4907:  VLAN ID wrap-around problem
    Fixed a problem with VLAN tags over 256.
  • CR 4946:  Removing SNAT with UDP connections
    Fixed a problem that occurred when removing a SNAT that had UDP connections.
  • CR 4953:  Added the ability to enable host name lookup for service checking logs
    A new -lookup command line option has been added to bigdnode. By default, the host name lookups are disabled. To enable host name lookups you must specify -lookup on the command line that starts bigdnode in the /etc/rc.local file. For more information, see Enable host name lookup for service checking logs.
  • CR 4955:  Increase window size for proxied connections
    Increased the window size for proxied connections from 512 to 8760.
  • CR 5009:  Incorrect reporting of global current connection count
    Fixed a problem that could cause incorrect global connection statistics to be reported.

Configuring and using the updated software

This section includes configuration information for new features in this PTF.

Enable host name lookup for service checking logs

A new -lookup command line option has been added to bigdnode. By default, the host name lookups are disabled. To enable host name lookups you must specify -lookup on the command line that starts bigdnode.

For example, here is the entry in the /etc/rc.local:

# BIG/ip failover daemon
if [ -x /sbin/sod ]; then
      echo " sod (and bigd)."; /sbin/sod -- bigd ${bigdflags} -- -lookup 2> /dev/null
fi

Mapping proxies for persistence

By default, the map proxies for persistence feature is turned on. The AOL proxy addresses are hardcoded in this release. This enables you to use client IP address persistence with a simple persistmask, but forces all AOL clients to persist to the same server. All AOL clients will persist to the node that was picked for the first AOL client connection received.

The class B networks, 195.93 and 205.188, are mapped to 152.163 for persistence. For example, client 195.93.3.4 would map to 152.163.3.4 for persistence records only. This mapping is done prior to applying the persist mask. Use bigpipe vip persist dump to verify the mapping is working.

To turn this feature off, set the following sysctl variable to 0. From the command line, type the following command:

sysctl -w bigip.persist_map_proxies=0
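The mapping described above, modelled as an added example (constructed from this note's description, not the controller's own code): the proxy /16 prefix is swapped before the persist mask is applied, so two AOL clients on different proxy networks produce one persistence key and land on the node chosen for the first of them. The node list, persistence table and the simplified round-robin pick are assumptions for illustration.

```python
import ipaddress

# Proxy /16 networks the PTF folds into 152.163.0.0/16 for persistence records.
# Constructed from the release note's description, not the controller's code.
PROXY_MAP = {
    ipaddress.IPv4Network("195.93.0.0/16"): ipaddress.IPv4Network("152.163.0.0/16"),
    ipaddress.IPv4Network("205.188.0.0/16"): ipaddress.IPv4Network("152.163.0.0/16"),
}

def map_proxy(client_ip, persist_map_proxies=True):
    """Rewrite a client address to its mapped network for persistence only.
    The host part (low 16 bits) is kept; only the /16 prefix changes.
    persist_map_proxies=False models sysctl bigip.persist_map_proxies=0."""
    ip = ipaddress.IPv4Address(client_ip)
    if persist_map_proxies:
        for src, dst in PROXY_MAP.items():
            if ip in src:
                host_bits = int(ip) & int(src.hostmask)
                return str(ipaddress.IPv4Address(int(dst.network_address) | host_bits))
    return str(ip)

def persist_key(client_ip, persist_mask, persist_map_proxies=True):
    """Persistence record key: proxy mapping first, then the persist mask."""
    mapped = int(ipaddress.IPv4Address(map_proxy(client_ip, persist_map_proxies)))
    return str(ipaddress.IPv4Address(mapped & int(ipaddress.IPv4Address(persist_mask))))

def select_node(table, client_ip, persist_mask, nodes, persist_map_proxies=True):
    """Return the node persisted for this client's key, choosing the next node
    in rotation (simplified round-robin, an assumption) and recording it on
    first sight, as the note describes for the first AOL client connection."""
    key = persist_key(client_ip, persist_mask, persist_map_proxies)
    if key not in table:
        table[key] = nodes[len(table) % len(nodes)]
    return table[key]
```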

Configuring BIG/ip Controller version 2.1 and the 2.1.2 upgrade as a DNS forwarding proxy

The BIG/ip Controller version 2.1 and the 2.1.2 upgrade upgraded the version of BIND on the controller from BIND 4 to BIND 8. The section Configuring DNS proxy, page 4-55, in the BIG/ip Controller Administrator Guide for version 2.1 describes how to configure BIND 4 as a DNS forwarding proxy.

This section of the PTF note describes how to configure BIG/ip Controllers with BIND 8 (version 2.1 and the 2.1.2 upgrade) as a DNS forwarding proxy. This provides DNS for nodes behind the BIG/ip Controller without using IP forwarding, secure network address translation (SNAT), or network address translation (NAT).

Typically when internal nodes need DNS, you implement SNAT, NAT, or IP forwarding on the BIG/ip Controller to provide a path for the internal nodes to get to the DNS server directly. NATs and IP forwarding also open up the internal network. Setting up the BIG/ip Controller as a DNS forwarding proxy tightens up the security for connections going to the internal network on the BIG/ip Controller. Virtual servers on the BIG/ip Controller are already relatively secure. Only the ports specifically allowed in the bigip.conf file are open. So the goal is to eliminate the use of NATs or IP forwarding to close up the inside network.

Note:   If the internal nodes require the ability to accept or originate connections that are not virtual server services, and the BIG/ip Controller is the route used for these connections, then disabling SNATs, NATs, or IP forwarding is not an option.

Only the active BIG/ip Controller should be configured as a DNS proxy with named running. The /sbin/bigip_active script is called when the BIG/ip Controller becomes active. The first step you must take to implement the BIG/ip Controller as a forwarding proxy is to put the external shared IP address alias into DNS. You must have a fully qualified domain name (FQDN) and reverse name lookup in the primary DNS for your site.

To set up the BIG/ip Controller as a forwarding proxy, follow these instructions:

1. Comment out the named section in /etc/rc file:

      echo -n 'starting network daemons:'
      #if [ -f /etc/named.conf ]; then
      # echo -n ' named'; named
      #fi

Note:  The BIG/ip Controller version 2.1.2 upgraded from BIND 4 to BIND 8. BIND 4 uses named.boot and BIND 8 uses named.conf. If you find references to named.boot, change them to named.conf.

2. Add the following entry to the /sbin/bigip_active file:

      if [ -f /etc/named.conf ]
      then
       named
      fi

3. Make sure it is executable:

      chmod 755 /sbin/bigip_active

4. Create or modify the /etc/named.conf file. Modify x.x.x.x; y.y.y.y; with the proper name server addresses. Make sure you keep the trailing semi-colon (;).

   options {
      forward only;
      forwarders {
            x.x.x.x; y.y.y.y;
      };
      /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below. Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */
      // query-source address * port 53;
   };

   zone "localhost" IN {
      type master;
      file "/etc/namedb/localhost.zone";
   };
   zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "/etc/namedb/127.0.0.zone";
   };

   zone "." IN {
      type hint;
      file "/etc/namedb/root.hint";
   };

5. If there is an /etc/named.boot file, delete it.

6. Modify the /etc/namedb/localhost.zone file. Modify the name.domain and serial line for your network.

      $ORIGIN localhost.
      @ 1D IN SOA bigipname.domain.com. root.bigipname.domain.com. (
      1999102801 ; serial ( yyyymmddrr rr=revision)
      3H ; refresh
      15M ; retry
      1W ; expire
      1D ) ; minimum

      1D IN NS @
      1D IN A 127.0.0.1

7. Create the /etc/namedb/127.0.0.zone file. Modify the serial line for your network.

   @ 1D IN SOA localhost. root.localhost. (
      1999102801 ; serial ( yyyymmddrr rr=revision)
      3H ; refresh
      15M ; retry
      1W ; expire
      1D ) ; minimum

      1D IN NS localhost.
   1 1D IN PTR localhost.

8. Create the /etc/namedb/root.hint file. You can cut and paste this example with no modification.

; <<>> DiG 2.2 <<>> @192.5.5.241
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 9
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107

;; Total query time: 8 msec
;; FROM: wisdom.home.vix.com to SERVER: 192.5.5.241
;; WHEN: Fri Nov 22 00:08:05 1996
;; MSG SIZE sent: 17 rcvd: 312

9. Point the resolv.conf on the node at the BIG/ip Controller external shared IP alias.

10. Point the resolv.conf on BIG/ip Controller at localhost.

     nameserver localhost

11. Verify the /etc/hosts file has localhost on the 127.1 line.

12. The BIG/ip Controller external shared alias IP address must have an FQDN and reverse name lookup in DNS.

13. Restart the named service if this is the active controller. named should only be set to run on the active BIG/ip Controller.

     ndc restart

If you can do an nslookup from the internal node without IP forwarding, NATs, or SNATs configured on the BIG/ip Controller, then the BIG/ip Controller is now a DNS forwarding proxy.
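An added check, not part of this PTF note or the BIG/ip software, that parses a named.conf of the shape used in step 4 and reports whether it matches the forwarding-proxy recipe: "forward only" present and the x.x.x.x; y.y.y.y; placeholders replaced with real addresses. The embedded sample is constructed, with RFC 5737 documentation addresses standing in for the site's name servers.

```python
import re
# Constructed sample: the step 4 named.conf with x.x.x.x; y.y.y.y; replaced
# by RFC 5737 documentation addresses.
SAMPLE_NAMED_CONF = """
options {
   forward only;
   forwarders { 192.0.2.53; 192.0.2.54; };
   // query-source address * port 53;
};
zone "localhost" IN { type master; file "/etc/namedb/localhost.zone"; };
"""

def parse_blocks(text):
    """Parse BIND 8 syntax into nested dicts: 'name value;' maps name -> value,
    'name { ... };' maps name -> dict. /* */, // and # comments are dropped."""
    text = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", text, flags=re.S)
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    pos = 0
    def block():
        nonlocal pos
        out, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok == "{":
                out[" ".join(words)] = block()
                words = []
                if pos < len(tokens) and tokens[pos] == ";":
                    pos += 1  # the ';' that terminates a block
            elif tok == ";":
                out[words[0]] = " ".join(words[1:])
                words = []
            else:
                words.append(tok)
        return out
    return block()

def check_forwarding_proxy(text):
    # Findings against the PTF recipe; an empty list means the file matches.
    opts = parse_blocks(text).get("options", {})
    findings = []
    if opts.get("forward") != "only":
        findings.append("options lacks 'forward only;'")
    forwarders = list(opts.get("forwarders", {}))
    if not forwarders:
        findings.append("no forwarders configured")
    for f in forwarders:
        if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", f):
            findings.append(f"forwarder placeholder not replaced: {f}")
    return findings
```

Run it against /etc/named.conf on the controller before ndc restart; a placeholder left in forwarders is reported by name.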


Known Issues

The F5 Configuration utility does not handle virtual servers configured with 0 or 255 in the last octet. If a virtual server is configured with 0 or 255 in the last octet, no virtual servers are displayed in the F5 Configuration utility.