Release Notes : BIG-IP Controller PTF note, version 4.0 PTF-03

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.0 PTF-03
Original Publication Date: 10/02/2001 Updated Date: 04/18/2019

Summary:

This product temporary fix (PTF) provides fixes for BIG-IP Controller, version 4.0, and it is recommended only for those customers who want the enhancements and fixes listed below. The PTF includes all fixes released since version 4.0, including fixes originally released in prior PTFs.

Note:  If you have an unconfigured BIG-IP Controller version 4.0, install the PTF before you configure the controller.


Installing the PTF

Apply the PTF to BIG-IP, version 4.0, using the following process. The install script saves your current configuration.

  1. Connect to the F5 FTP site (ftp.f5.com).

    Use FTP in passive mode from the BIG-IP Controller to download the file.  To place FTP in passive mode, type pass from the command line before transferring the file. 

  2. Download the correct PTF file to the /var/tmp/ directory on the target BIG-IP Controller.
    For crypto controllers, choose PTF-4.0-3-BSD_OS-4.1.im; for non-crypto controllers, choose NOCRYPTOPTF-4.0-3-BSD_OS-4.1.im.


  3. Change your directory to /var/tmp/ by typing:
    cd /var/tmp/


  4. Enter the following command to install this PTF:
    For crypto, type:  im PTF-4.0-3-BSD_OS-4.1.im
    For no-crypto, type:  im NOCRYPTOPTF-4.0-3-BSD_OS-4.1.im


  5. The BIG-IP Controller will automatically reboot once it completes installation.

After you install the PTF, please refer to the section Configuring and using the new software.



Fixes

What's fixed in this PTF (PTF-03)

BIG-IP is now stable under load (CR15119)
The BIG-IP is now stable under load. You no longer see the following error message: t_kill: connection node is NOT in bigip_table!

Telnetd security (CR15803)
Updated telnetd to improve security (CERT CA-2001-21).

Suppressed benign message (CR16703)
Suppressed benign message: parse_http: ignoring unexpected client data

SSL virtual servers (CR16593)
Using SSL connection mirroring and SSL persistence mirroring on virtual servers no longer causes the BIG-IP to become unstable.

Malformed packet instability (CR15940 and CR16336)
Malformed packets no longer cause the BIG-IP to become unstable.

L2 forwarding (CR15346)
Standby system in an L2 forwarding configuration no longer logs spurious ARP overwrite messages.

SNAT timeout (CR15629)
SNATs with virtual servers defined now time out connections properly.

VLANs and multicast packets (CR15737)
VLANs now accept multicast packets properly.

GateD and address or routing changes (CR15738)
GateD now applies address and routing changes correctly to VLANs.

FTP connection tracking ephemeral ports (CR15893)
Enhanced the tracking of FTP data connections on ephemeral ports.

Auto lasthop feature and active FTP (CR15911)
Auto lasthop now properly handles active FTP data connections.

Node/member without route (CR15975)
You now receive a warning when you attempt to add a member to a pool that does not have a route.

HTTP redirect (CR16012)
Added the ability to specify a protocol identifier for the HTTP redirect feature. For more information, see Configurable protocol identifier for HTTP redirection.

SNMP node statistics (CR16107)
Made node statistics available through SNMP.

Setting ARP disable (CR16171)
Disabling ARP on a network virtual server no longer destabilizes the BIG-IP.

Automap with SSL proxy (CR16312)
SNAT automap now works properly with the SSL proxy.

Network and wildcard virtual servers (CR16364)
You can now disable network and wildcard virtual servers on a VLAN.

Intermittent throughput with SSL/akamaizer gateway (CR16493)
You no longer have intermittent throughput with the SSL/akamaizer gateway.

FIN-PUSH on small responses (CR16646)
The FIN-PUSH for small responses is now propagated properly when you are using rules and cookie persistence.

memberStatus reports incorrectly (SNMP) (CR15885)
The memberStatus now reports member status correctly.

System information report (iControl) (CR15913)
System information is now reported properly through iControl IDL.

Interfaces get_version (iControl) (CR16360)
The interfaces get_version IDL now properly reports the iControl version.

What's fixed from PTF-02

Using b load under heavy traffic
You can now use the b load command while passing traffic. (CR15288)

Simple persistence
Using simple persistence with any IP or UDP no longer causes the BIG-IP Controller to become unstable. (CR15404)

Support access
You now configure FTP and telnet support access with two separate check boxes in the web-based First-Time Boot utility. For more information, see Changes to support access configuration in the web-based First-Time Boot utility. (CR15057)

Product versioning
Using the web-based First-Time Boot utility now correctly sets the XLB version of the product. (CR15232)

NIC media types
Using the web-based First-Time Boot utility now correctly sets the media type for NICs. (CR15247)

Portal startup
You no longer see the following spurious error message during bigstart boot up:
bigstart: startup portal
bigstart: kill portal 10 seconds expired
(CR15401)

SSD
If a solid state drive is detected, the installation process does not allow you to install the standard PTF.  Please contact F5 Services to get the upgrade for SSD. (CR15402)

f5isapi.dll improvements
Improved the performance of the f5isapi.dll. (CR15465)

VLAN naming
VLAN naming has been adjusted to accommodate multiple interface network cards. (CR15474)

Configuration files
bigpipe now permits you to save very large configuration files. (CR15477)

Certificate information
You no longer need to re-enter certificate information when you re-run the web-based First-Time Boot utility. (CR15056)

VLANs and VLAN groups
You can no longer delete a VLAN that is a member of a VLAN group. (CR15283) (CR15284)

Static routes
You can now delete static routes manually once the controller is up and running.  (CR15373)

What's fixed from PTF-01

Auto lasthop
Auto lasthop for non-TCP traffic on a firewall sandwich no longer leads to routing loops. (CR15088)

Configuration synchronization and IP addresses
Configuration synchronization is no longer dependent on a peer IP address and its hostname IP address. (CR15017)

Configuration synchronization and uptime
Configuration synchronization no longer fails after a week of uptime. (CR15383)

First-Time Boot utility (web-based)
The Properties page for VLANs in the web-based First-Time Boot utility now displays correctly in Internet Explorer version 4.0. (CR15052)

Gigabit NICs
The gigabit NIC now functions with older systems (for example, Pentium II). (CR14994)

Layer 2 forwarding
Layer 2 forwarding can now forward packets to off-interface hosts. (CR15313)

Lasthop routes and the ipforward cached route
The timing issue that was affecting lasthop routes and the ipforward cached route is now fixed. (CR14012)

Monitors
Existing monitors are now retained when a "Monitor instance already exists" error occurs. (CR14908)

Virtual servers
A virtual server with a wildcard service and an HTTP pool with port translation is now enabled. (CR14922)

VLANs (maximum number)
The maximum number of VLANs allowed is now 256. (CR14798)

VLAN renaming
An error no longer appears when you rename a VLAN from the Configuration utility. (CR15053)

Web administrator user account
The default web administrator user account is no longer left available after configuration when using the web-based First-Time Boot Utility. (CR15054)



New features and enhancements

This section contains descriptions of new features and enhancements added with this release.

Configurable protocol identifier for HTTP redirection

This release includes support for new syntax that allows you to configure a protocol identifier for the HTTP redirection feature. For example, if you want to specify an HTTPS site for www.yoursite.com, you would type fallback https://www.yoursite.com instead of the standard fallback syntax in the bigip.conf file.

The following example defaults to redirect to an HTTP URL:

fallback www.yoursite.com

The following example overrides the protocol identifier with an HTTPS prefix:

fallback https://www.yoursite.com

The following example overrides the protocol identifier with an FTP prefix:

fallback ftp://www.yoursite.com
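
A fallback entry without a protocol identifier redirects clients to an HTTP URL, so it is worth listing which scheme each entry resolves to. The following is an added example, not F5 code: it relies only on the fallback syntax shown above, and the function name and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not F5 code. Reports the scheme each "fallback" line redirects to.
# fallback_schemes FILE... prints: file:line scheme status url
fallback_schemes() {
    awk '
        $1 == "fallback" && NF >= 2 {
            url = $2
            if (url ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\//) {
                # Explicit protocol identifier, for example https:// or ftp://
                scheme = tolower(substr(url, 1, index(url, "://") - 1))
            } else {
                # No identifier: the redirect defaults to an HTTP URL
                scheme = "http"
            }
            status = (scheme == "https") ? "encrypted" : "cleartext"
            print FILENAME ":" FNR, scheme, status, url
        }
    ' "$@"
}

# Constructed sample holding the three fallback forms from this release note.
sample=$(mktemp)
cat > "$sample" <<'EOF'
fallback www.yoursite.com
fallback https://www.yoursite.com
fallback ftp://www.yoursite.com
EOF
fallback_schemes "$sample"
rm -f "$sample"
```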



Configuring and using the new software

Media types
Use the following command to get a list of appropriate media types for an interface.

ifconfig -m <interface name>

Tips on setting the preferred controller in redundant BIG-IP Controller installations
If you are using the force_master flag to set a specific controller to be the preferred active unit, we recommend that you set the force_slave flag on the controller that you want to run primarily as a secondary controller. The force_slave flag must be set if you are using network fail-over. For more information about these flags, see the BIG-IP Reference Guide, v.4.0, Setting a specific controller to be the preferred active unit. (CR12279)



Known issues

The following items are known issues in the current release.

SSL proxy header insertion with SEARCH method
Recent changes to the SSL Proxy HTTP header insertion mechanism require client requests to begin with one of GET, POST, or HEAD; if the client request does not begin with one of these methods, HTTP headers are not inserted by the proxy. Certain versions of Internet Explorer send the non-standard SEARCH method while communicating with Outlook Web Access. This results in browser warnings regarding mixed secure and insecure content. Other applications may be affected by this issue.

In future releases BIG-IP will support inserting HTTP headers in client requests with methods specified in RFC 2616, as well as SEARCH and any other non-standard methods of which we become aware.
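
To see which applications behind the SSL proxy are affected, you can tally the request methods that clients actually send. The following is an added example, not F5 code: it counts methods other than GET, POST, and HEAD in a web server access log, assumes Common Log Format, and uses a hypothetical function name and constructed log lines.

```shell
#!/bin/sh
# Added example, not F5 code. Counts request methods other than GET, POST and HEAD.
# unhandled_methods FILE... prints "METHOD COUNT", sorted by method name.
unhandled_methods() {
    awk -F'"' '
        NF >= 3 {
            split($2, req, " ")          # $2 is the quoted request line
            m = req[1]
            if (m == "") m = "(empty)"
            # HTTP method names are case-sensitive (RFC 2616), so compare exactly.
            if (m != "GET" && m != "POST" && m != "HEAD") count[m]++
        }
        END { for (m in count) print m, count[m] }
    ' "$@" | LC_ALL=C sort
}

# Constructed access log lines (Common Log Format) for demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.0.2.10 - - [02/Oct/2001:10:00:01 -0700] "GET /exchange/ HTTP/1.1" 200 5120
192.0.2.10 - - [02/Oct/2001:10:00:02 -0700] "SEARCH /exchange/user1/Inbox HTTP/1.1" 207 2210
192.0.2.11 - - [02/Oct/2001:10:00:05 -0700] "POST /exchange/logon HTTP/1.1" 302 0
192.0.2.12 - - [02/Oct/2001:10:00:09 -0700] "SEARCH /exchange/user2/Inbox HTTP/1.1" 207 1874
192.0.2.12 - - [02/Oct/2001:10:00:11 -0700] "PUT /exchange/user2/Drafts/note HTTP/1.1" 201 0
EOF
unhandled_methods "$sample"
rm -f "$sample"
```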

3dnsd
For users of the combined BIG-IP Controller and 3-DNS Controller, if you add more than one interface IP address to IIOP HOST (no-crypto) or FSSL HOST (crypto) on the BIG-IP Controller, 3dnsd may become unstable. (CR15392)

VLAN and interface assignments
When you install the BIG-IP Controller from scratch, the default VLAN and interface assignments may not match what the web-based or command line First-Time Boot utility has as the assignments.  Once you configure the BIG-IP Controller, the assignments will be correct. (CR15080)

Using the WMI ISAPI Data Gathering agent with the winmgmt service
In order to work around certain functions in the winmgmt service, the WMI ISAPI Data Gathering agent automatically restarts the winmgmt service every hour. You can customize this restart interval by editing the registry using the following steps:

  1. Open up the Registry Editor:
    You can either type regedit at the command line, or click the Start button, and click Run..., and then type regedit.
  2. Under HKEY_LOCAL_MACHINE\Software, create a key named "F5":
    1. Double-click the HKEY_LOCAL_MACHINE key.
    2. Right-click the Software key, and select New, then select Key.
    3. Type F5 for the new key name.
  3. Under the F5 key, create a new subkey named WMIServiceRestartInterval:
    1. Right-click the newly created F5 key, and select New, then select Key.
    2. Type WMIServiceRestartInterval for the new subkey name.
  4. Create registry settings for IntervalUnit and Interval for the WMIServiceRestartInterval subkey:
    1. Right-click the newly created WMIServiceRestartInterval key, select New and then select String Value.
    2. Change the name of the String Value to IntervalUnit, and specify an interval unit as the value data.  Valid values are: day, hour, minute, and second.
    3. Right-click the newly created WMIServiceRestartInterval key, select New, then select DWORD Value.
    4. Change the name of DWORD Value to Interval, and specify a numeric value.
  5. Close the Registry Editor to save the changes, and restart the IIS Admin Service.

Windows 2000 Service Pack 2 improves the handle leak in the winmgmt service, but in some cases the virtual memory usage of the winmgmt service can still be high due to some caching operations within the service. (CR14439)

Using NAT or SNAT with layer 2 forwarding
The layer 2 forwarding feature is not compatible with NATs or SNATs. (CR15342)

The OTCU does not migrate customizations to /etc/netstart
The OTCU does not migrate static route customizations to /etc/netstart. After you run the OTCU, you should add static route commands into /config/routes. (CR15528)

Web administrator password cannot contain a dollar sign ($)
The Web administrator password cannot contain a dollar sign ($). (CR15526)

Installing this release on an unsupported BIG-IP Controller platform
Do not install this release on an unsupported BIG-IP Controller platform. Installing this software on an unsupported platform may prevent the controller from booting up properly. (CR N/A)

cron jobs and sendmail configurations
After BIG-IP version 4.0 PTF-03 is installed, symbolic links in /config erroneously point to themselves. This prevents /config/weekly cron jobs and sendmail configurations from running successfully. If you see this error, either call F5 Networks Technical Support or install BIG-IP version 4.0 PTF-04 when it becomes available.
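
One way to check for this symptom is to list the symbolic links whose target resolves back to the link itself. The following is an added example, not F5 code: the function name is hypothetical, the demonstration runs on a constructed temporary directory, and it assumes find and readlink are available in the shell.

```shell
#!/bin/sh
# Added example, not F5 code. Lists symbolic links whose target is the link itself.
# find_self_links DIR prints one path per self-referencing link.
find_self_links() {
    find "$1" -type l -print | while IFS= read -r link; do
        target=$(readlink "$link") || continue
        case $target in
            /*) resolved=$target ;;                      # absolute target
            *)  resolved=$(dirname "$link")/$target ;;   # relative to the directory of the link
        esac
        # Compare physical directory plus name, so "weekly" and "./weekly" both match.
        ldir=$(cd "$(dirname "$link")" && pwd -P) || continue
        rdir=$(cd "$(dirname "$resolved")" 2>/dev/null && pwd -P) || continue
        if [ "$ldir/$(basename "$link")" = "$rdir/$(basename "$resolved")" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# Constructed demonstration tree; on a controller the argument would be /config.
demo_dir=$(mktemp -d)
ln -s weekly "$demo_dir/weekly"        # relative link that points to itself
ln -s /etc/hosts "$demo_dir/hosts"     # ordinary link, not reported
find_self_links "$demo_dir"
rm -rf "$demo_dir"
```

Only direct self-references are reported; a link that loops through a second link is not.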

Changes to support access configuration in the web-based First-Time Boot utility
The functionality of the web-based First-Time Boot utility now matches the command line version of the First-Time Boot utility. In the crypto controller, the controls to allow support access via telnet and FTP have been removed from the web-based First-Time Boot utility.

In the non-crypto version of the software, the checkbox to allow the support account FTP and telnet access to the controller has been split into two separate check boxes. If you had previously configured a telnet or FTP support account on the BIG-IP Controller, you should verify the support logon is functional after the upgrade. If you change these settings at a later date, use the same configuration tool you used when you set them.