Installing the PTF

Use the following instructions to apply the PTF to the BIG-IP, version 4.1.1. 

Important:  If you are upgrading an IP Application Switch use the installation instructions here.

Apply the PTF to the BIG-IP, version 4.1.1 using the following process.  The install script saves your current configuration. To restore your current configuration after the upgrade see Restoring the previous configuration after upgrade.

1. Connect to the F5 Networks FTP site (ftp.f5.com).

   Use FTP in passive mode from the BIG-IP to download the file.  To place FTP in passive mode, type pass at the command line before transferring the file. 

2. Download the correct PTF file to the /var/tmp/ directory on the target BIG-IP.
   
   • For crypto BIG-IP units, choose PTF-4.1.1-4-BSD_OS-4.1.im.
   • For non-crypto units, choose NOCRYPTOPTF-4.1.1-4-BSD_OS-4.1.im.
3. Change your directory to /var/tmp/ by typing:
   cd /var/tmp/
4. Enter the following command to install this PTF:
   
   • For crypto, type:  im PTF-4.1.1-4-BSD_OS-4.1.im
   • For non-crypto, type:  im NOCRYPTOPTF-4.1.1-4-BSD_OS-4.1.im
   
   The BIG-IP automatically reboots once it completes installation.

To upgrade an IP Application Switch or a Compact Flash media drive (SSD), use the following process:

1. Create a memory file system, by typing the following:
   mount_mfs -s 200000 /mnt
2. Type the following command:
   cd /mnt
3. Connect to the FTP site (ftp.f5.com).
4. If you are running the crypto version of the BIG-IP, download the file PTF-4.1.1-4-BSD_OS-4.1.im from the /crypto/bigip/bigip411 directory.
   If you are running the non-crypto version, download the file NOCRYPTOPTF-4.1.1-4-BSD_OS-4.1.im from the /nocrypto/bigip/bigip411nocrypto directory.
5. On the BIG-IP, run the im upgrade script, using the file name from the previous step as an argument:
   im /mnt/<file name>

   When the im script is finished, the BIG-IP reboots automatically.

Note:  This procedure provides over 90MB of temporary space on /mnt.  The partition and the im package file are deleted upon rebooting.

 

Software enhancements and fixes

What's new in this PTF (PTF-04)

Resets from a virtual server  (CR15745)
Resets from virtual servers which are due to denials (such as port not enabled) now have last hop routing support.

Nodes and bigsnmpd  (CR18208)
nodesEntry no longer exhausts system resources. First-Time Boot utility  (CR18345)
The First-Time Boot utility now resets the default route correctly. bigsnmpd  (CR18659) (CR18569)
The bigsnmpd no longer exhausts system resources. Pending FTP data channel connections  (CR18596)
The BIG-IP now correctly removes pending FTP data channel connections from the FTP connection table placeholder list. Single quotes in checktrap  (CR18647)
Checktrap can now handle messages that contain single quotation marks. bigsnmpd and NAT  (CR18699)
The bigsnmpd and NAT no longer cause bigsnmpd to become unstable. SSL proxy  (CR18670)
The BIG-IP now reports the correct VLANs that have been disabled for the proxy. IMAP monitor  (CR18784)
The IMAP monitor no longer arbitrarily marks a node down or stops pinging a node after running for a period of time. Failsafe ARP requests  (CR18856)
Failsafe ARP requests are now correctly formatted. SNAT automap  (CR18809)
SNAT automap is now faster under heavy load. Keep-alives  (CR18901)
Keep-alives are now correct with HTTP 1.0 requests to 1.1 servers without connection headers. 3dnsd  (CR19061)
The 3dnsd no longer returns duplicate answers for certain LDNS systems. BIG-IP FR: selectively disable restart of bigstpd for config sync  (CR19126)
When using config sync, you can now selectively disable the restart of bigstpd. ntpd   (CR19183)
ntpd now runs properly on boot up. VLAN groups  (CR19195)
VLAN groups can now bridge at layer 2 as well as layer 3. Cookie hash mode now decodes escaped characters  (CR19219)
L7 hashing and comparison is now HTTP escape-character aware.

Loading the bigip.conf file (CR19361)
Aliasing the health of a node list to a specific monitor instance no longer causes the bigip.conf file to load slowly.

Sequence number tracking  (CR19392)
Out of order packets sent to a delayed binding virtual server no longer cause sequence number tracking to become out of sync.

SNAT automap  (CR19534)
After extended amounts of time and traffic, SNAT automap no longer requires a reboot. Setup utility  (CR19546)
Using the Setup utility to configure only one VLAN no longer causes the Setup utility to hang.

TCP 4-way close  (CR19591)
TCP 4-way close is now properly detected in all cases when packets are dropped or sent out of order by an upstream device.

Resets from a virtual server to a proxy  (CR19667)
A reset from a virtual server due to a denial (such as port not enabled) now has last hop routing support. This means a RST from a virtual server to a proxy will go through the proxy instead of from the external interface to the client.

CERT advisory against UCD-snmpd  (CR19824)
We have addressed vulnerabilities detailed in the CERT advisory against UCD-snmpd. IP and UDP packets through lasthop pool  (CR19863)
Node routes now function properly when IP or UDP packets pass through the lasthop pool.

syslog pinger modified for increased resilience  (CR19874)
If you define, delete, and then re-define a monitor, the monitor now functions correctly.

Cookie persistence insert mode  (CR19929)
Using cookie persistence insert mode when server responses are preceded by large HTTP 100 continue responses no longer causes the BIG-IP to become unstable.

What's new from PTF-03

iControl BIG-IP Corba portal (CR18076)
The iControl portal for BIG-IP is now automatically configured to listen on a default port.

Transparent monitor for wildcard port (CR18094)
Transparent monitors for the wildcard port are no longer problematic.

Pool members (CR18103)
Saving and restoring a configuration no longer reorders pool members.

Failover (CR18110)
Certain systems no longer hang on Disc Sync during VLAN failsafe failover.

Any IP through NAT (CR18131)
Any IP through NAT now functions independently of SNAT automap settings.

Layer 2 forwarding mode with proxy arping (CR18189)
Layer 2 forwarding mode with proxy arping is now compatible with Cisco HSRP.

Discard rule (CR18276)
Using the discard statement in a rule with UDP and Any IP no longer causes the BIG-IP to become unstable.

Deleting FTP data virtual server (CR18314)
Deleting the FTP data virtual server while traffic is flowing no longer causes the BIG-IP to become unstable.

SNAT automap port check (CR18383)
The number of ports available for SNAT automap has been increased. The BIG-IP no longer runs out of ports as quickly on SNAT automapped addresses when SNAT automap is being used to aggregate all clients to one particular address.

Delayed binding (CR18439)
The rule and cookie features no longer miss SSL traffic when keep alives are enabled.

bigpipe help (CR18447)
bigpipe help now gives the correct syntax for bigpipe quiet_boot

IP forwarding between VLAN groups (CR18460)
The BIG-IP no longer allows forwarding between VLAN groups when IP forwarding is turned off.

Server-side SSL (CR18470)
Server-side SSL no longer causes proxyd to destabilize.

XML trunk metrics (CR18480)
The BIG-IP XML provider can now display trunk metrics.

VLAN failsafe with MAC masquerading (CR18506)
VLAN failsafe with MAC masquerading now sends the correct MAC address from the standby BIG-IP.

Defining pools (CR18512)
Redefining a pool that is referenced by a cache rule no longer causes the BIG-IP to hang.

What's new from PTF-02

SSL proxy (CR17829)
When clients prematurely disconnect from SSL proxy, the proxyd daemon no longer becomes unstable.

snmpdca (CR17836)
snmpdca now supports user-specifiable SNMP community names.

BIG-IP connection table (CR17911)
FTP proxies no longer cause duplicate connection table entries.

HTTP and HTTPS monitors (CR17926)
Authorization information for the HTTP and HTTPS monitors is now correct.

iControl SOAP portal .NET compatibility (CR17928)
The iControl SOAP portal is now compatible with Microsoft's .NET.

SEE-IT XML provider (CR17933)
The SEE-IT Network Manager can now collect statistics and performance information from the BIG-IP.

Cache rules (CR17960)
BIG-IP cache rules now function properly with non-transparent caches and Keep-Alives.

tcpdump (CR17964)
Running tcpdump on a VLAN under extremely heavy load no longer causes the BIG-IP to become unstable.

Cookie persistence (CR17972)
Cookie insert and cookie rewrite modes now function correctly with SSL-to-Server.

Port mirroring (CR17983)
Configuring port mirroring no longer causes traffic to be delayed.

iControl
The following CRs have been fixed for iControl: (CR17851) (CR17902) (CR17923) (CR17932) (CR17934) (CR17999) (CR18012)

What's new from PTF-01

SIP improvements (CR17599)
This PTF includes Session Initiation Protocol (SIP) improvements including load-balancing support and Call-ID persistence for proxy servers that receive SIP messages sent through UDP.

Translated connection rebinding feature (CR17600)
The BIG-IP now allows for rebinding of translated connections.

Stray interrupts from the SSL driver (CR17602)
The SSL driver no longer causes stray interrupts.

SEE-IT provider for BIG-IP (CR17605)
The SEE-IT provider for the BIG-IP is now reporting correct interface names.

svcdown_reset now sends RSTs (CR17617)
The svcdown_reset command now sends RSTs on attempted initiation.

Monitors: node address timeout (CR17655)
When using monitors, you can now adjust the node address timeout setting.

SIP and IP fragments (CR17598)
BIG-IP now correctly detects when all IP fragments of a datagram have been received.

Type of service (TOS) value on delayed binding connections (CR17614)
The BIG-IP now sets a correct type of service (TOS) value on delayed binding connections.

Web-based First-Time Boot utility intermittent issues (CR17660)
Web-based First-Time Boot utility issues with change webadmin userid and password are now fixed.

Keep-alives are now more robust (CR17671)
Keep-alives with problematic CGIs are now more robust.

iControl SOAP WSDL (CR17685)
iControl now works with the MSSOAP Toolkit

Web-based First-Time Boot utility (CR17697)
The web-based First-Time Boot utility can now assign port numbers to separate VLANs on dual port NICs.

VLAN creation (CR17700)
The maximum number of VLANs you can create on an IP Application Switch is 63. (The maximum for the Controller platform is 256)  If you create more then 63 VLANs, you receive an error message. 

bigsnmpd and system resources (CR17736)
The bigsnmpd no longer exhausts system resources.

SNAT Automap functionality (CR17779)
SNAT Automap now functions correctly.

SNAT port collision resolution (CR17798)
SNAT virtual server connections and non-TCP SNAT connections are now resolved properly.

Client POST with SSL proxy and client header insertion may time out (CR17894)
A Client POST with SSL proxy and client header insertion no longer times out.

Required configuration changes

Restoring the previous configuration after upgrade

When you install this PTF, the IM package may overwrite some configuration files in /etc.
For 4.1.1 versions and earlier, when you install an IM package for an upgrade or PTF, a UCS file is automatically created with a date stamped filename. The UCS file is located in the UCS path:  /usr/local/ucs/backupYYMMDD_HHMM.ucs

Example: /usr/local/ucs/backup020102_1345.ucs

To restore all configuration data saved in the UCS file, and make all necessary conversions to the restored configuration files, type the following bigpipe command:
bigpipe config install backup020102_1345

You will need to reboot the system for these changes to take effect.

Known Issues

The following items are known issues in the current release.

Saving configuration files  (CR16451)
If you use the config save command to backup the current BIG-IP configuration prior to installing a new configuration, in certain circumstances you may receive the warning message Error:config sync/save/install already in progress. This message is only a warning and does not affect the operation of BIG-IP.

Update status in the LOAD-BAL-MIB.txt (CR17864)
The return status for virtual server status is reversed for ready and disabled.

Installing the IM package  (CR19190) (CR20020)
When you install this PTF, it is possible that the IM package overwrites some configuration files in /etc. The procedure to recover these files is documented in the Required configuration changes section of this PTF note.

Installation warning message  (CR19990)
When you install this PTF, you may receive the following message:
Installing files.
/sbin/ldconfig: warning: can't open /shlib/libOB.so (no such file or directory), skipping.
This message is only a warning and does not affect the operation of BIG-IP.