Installing the PTF

Apply the PTF to BIG-IP Controller version 3.0 using the following process:

1. Click here and follow the instructions for using the F5 Networks FTP site.

   Use FTP in passive mode from the BIG-IP Controller to download the file. To place FTP in passive mode, type pass from the command line before transferring the file.

2. Download the appropriate file to the /var/tmp/ directory on the target BIG-IP Controller:
   • For US BIG-IP Controllers, download the v30ptf4domkit.tar file.
   • For international BIG-IP Controllers, download the v30ptf4intlkit.tar file.
3. Enter the following commands to install this PTF:

   cd /var/tmp
   tar -xvpf v30ptf4domkit.tar (Domestic HA/HA+ and LB)
   tar -xvpf v30ptf4intlkit.tar (International HA/LB)

4. Run the following commands:
   

   cd /
   var/tmp/upgrade_ptf

5. Follow the on-screen instructions.

The install automatically creates a backup of the /etc/syslog.conf file in /var/save/backupyymmdd_hhmm/ on the BIG-IP Controller and removes any old files that are no longer used. If you have made changes to the /etc/syslog.conf file, you may need to edit that file and retype your modifications.

The checksums for this PTF are available in a file called sums, which can be downloaded from the FTP site.

Once you have installed the PTF software, please refer to the Configuring and using the updated software.

---

What's fixed in this PTF

• CR 7482:  Cookie persistence could destabilize the BIG-IP Controller under certain conditions
  Fixed a problem that could allow a malformed TCP packet in the payload to a cookie virtual server to destabilize the BIG-IP Controller.
• CR 7412:  Rules that use cookies could destabilize the BIG-IP Controller in certain situations
  Fixed a problem that in certain cases could cause rules that use cookies to destabilize the BIG-IP Controller.
• CR 7409:  Regular and cookie persistence can hang new connections
  Fixed a problem that could cause new connections to hang when persistence was configured on the BIG-IP Controller.
• CR 7336:  Added large hard drive support
  Added support for large IDE hard drives.
• CR 7259:  The BIG-IP Controller does not support %2E encoding of periods in cookies
  Added support for %2E encoding of periods in cookies.
• CR 6076:  The BIG-IP Controller does not support cookies that expire when the browser is closed
  Added support for cookies that expire when the browser is closed. You can configure cookie persistence to expire when the browser closes. To set the cookie to expire when the browser closes, set the cookie timeout to zero: 0d 00:00:00. For more information, see Setting cookies to expire when the browser closes.

Released in prior PTFs

BIG-IP Controller version 3.0PTF-03

• CR 7131:  Connections fail with persist_on_any_vip or persist_on_any_port_same_vip
  Fixed a problem with the sysctl variables persist_on_any_vip and persist_on_any_port_same_vip that could cause the connection to persist to the wrong port.
• CR 7007:  String "cookie:" not identified correctly by cookie persistence
  Fixed a problem that could cause a string with a different case to be ignored by cookie persistence. The string search is no longer case sensitive.
• CR 5873:  An empty configuration file is loaded in the BIG-IP Controller
  Fixed a problem that could allow you to load a blank configuration file on the BIG-IP Controller.
• CR 5335:  Problem with FTP pinger marks nodes down
  Fixed a problem with the FTP pinger that could cause the BIG-IP Controller to mark nodes down.

BIG-IP Controller version 3.0PTF-02

• CR 6588:  Forwarding virtual servers do not support FTP
  Added support for FTP through forwarding virtual servers.

• CR 4849:  Network virtual servers
  Added support for network virtual servers. For more information, see Configuring a network virtual server.

BIG-IP Controller version 3.0PTF-01

• CR 6122:  Encryption for big3d conversations is not turned off on international controllers
  3DNS Controllers now automatically disable encryption on big3d agents residing on international controllers.
• CR 6249:  ICMP port unavailable messages return a corrupt encapsulated IP header
  When sending a UDP packet to a BIG-IP Controller through an unavailable port, the returned message you receive now contains the original IP header that was sent out with the UDP packet.
• CR 6358:  International missing some of the new help files
  Online help for the international version of the BIG-IP System Properties page and Virtual Server Properties page is now current.
• CR 6391:  FTP data connections do not utilize lasthop routing feature
  FTP data connections now use the lasthop routing feature.
• CR 6394:  BIG/top crashes if DNS names are longer than 22 bytes
  When performing a DNS name lookup, BIG/top now uses a buffer that exceeds 22 bytes.
• CR 6399: Virtual servers outbound UDP blocked through source and destination interface
  Outbound UDP packets are no longer blocked when source and destination processing are simultaneously enabled.
• CR 6400:  Reverse ECV service checks fail
  Bignode reverse service ping now correctly handles responses larger than one packet.

---

Configuring and using the updated software

The following configuration options are available with this PTF.

Setting cookies to expire when the browser closes

Set the cookie timeout to 0d 00:00:00 if you want cookies persistence cookies to expire when the browser closes. You can change this timeout in the F5 Configuration utility or from the command line.

To set the cookie timeout to zero in the F5 Configuration utility

1. In the navigation pane, click Pools.
   The Pool screen opens
2. In the Pool list, click the pool you want configure.
   The Pool Properties screen opens.
3. In the toolbar, click the Persistence button.
   The Pool Persistence screen opens.
4. In the Persistence Type Active Cookie section of the table, change all timeout values to zero (0).
5. Click the Apply button.

To set the cookie timeout to zero in from the command line
Use the following syntax to change the cookie timeout to zero.

bigpipe vip <virt_addr>:<port> define <node_addr>:<port> special cookie <insert | rewrite> 0d 00:00:00

For example, the command might look like this for the virtual server 10.10.10.101:80 that uses insert cookie mode: bigpipe vip 10.10.10.101:80 define 10.10.10.56 10.10.10.57 10.10.10.57 special cookie insert 0d 00:00:00

Configuring a network virtual server

You can configure a network virtual server with this release. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address, or all IP addresses (wildcard virtual servers). For example, the following virtual server handles all traffic addresses in the 192.168.1.0 network:

bigpipe vip 192.168.1.0:0 none {
    netmask 255.255.255.0 broadcast 192.168.1.255
    use pool ingress_firewalls
}

Note:  Network virtual servers should be assigned to interface none.

A network virtual server is a virtual server that has no bits set in the host portion of the IP address. In other words, the host portion is zero. You must specify a network mask to indicate which portion of the address is the network address and which portion is the host address. In the previous example, since the network mask is 255.255.255.0, the network portion of the address is 192.168.1 and the host portion is .0. The previous example would direct all traffic destined to the subnet 192.168.1.0/24 through BIG-IP Controller to the ingress_firewalls pool.

Another way you can use this feature is to create a catch-all webserver for an entire subnet. For example, you could create the following network virtual server:

bigpipe vip 192.168.1.0:http none {
    netmask 255.255.255.0 broadcast 192.168.1.255
    use pool default_webservers
}

This configuration directs a web connection destined to any address within the subnet 192.168.1.0/24 to the default_webservers pool.

---

Known issues

Issues with the BIG-IP NAT bounceback
The NAT bounceback feature allows a node on the internal network to access a virtual server and be load balanced to another set of internal servers (nodes). In versions prior to 3.0, NAT bounceback is enabled automatically when you create a NAT or SNAT. In BIG-IP Controller versions 3.0 and later this feature is disabled by the upgrade process.

To avoid a possible site interruption when using NAT bounceback, after you apply the BIG-IP Controller version 3.0 upgrade (or later), follow these steps on the command line:

1. First, turn on destination address processing on the internal interface with the following command:

   bigpipe interface exp1 dest enable

2. Synchronize the configuration with the other BIG-IP Controller version 3.0 or later.

   bigpipe configsync

If you configure the BIG-IP Controller with the F5 Configuration utility, follow these steps:

Enable destination address processing on the internal interface with the F5 Configuration utility

1. In the navigation pane, click NICs.
   The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
2. In the Network Interface Card table, click the name of the internal interface you want to configure.
   The Network Interface Card Properties screen opens.
3. To enable destination processing for this interface, click the Enable Destination Processing check box.
4. Click the Apply button.

After you configure destination processing on the internal interface, synchronize the configuration of the redundant BIG-IP Controller system.

1. In the navigation pane, click the BIG-IP logo.
   The BIG-IP Properties screen opens.
2. In the toolbar, click the Sync Configuration button.
   The Synchronize Configuration screen opens.
3. Click the Synchronize button.

---

---