Applies To:Show Versions
BIG-IP versions 1.x - 4.x
- 4.1.1 PTF-06
Installing the PTF
Use the following instructions to apply the PTF to the BIG-IP, version 4.1.1.
Note: Applying this upgrade changes some of your configuration files. To restore your current configuration after the upgrade see Restoring the previous configuration after upgrade.
Important: If you are upgrading an IP Application Switch use the installation instructions here.
Apply the PTF to the BIG-IP, version 4.1.1 using the following process.
- Connect to the F5 Networks FTP site (ftp.f5.com).
Use FTP in passive mode from the BIG-IP to download the file. To place FTP in passive mode, type pass at the command line before transferring the file.
- Download the correct PTF file to the /var/tmp/ directory on the target BIG-IP.
- For crypto BIG-IP units, choose PTF-4.1.1-6-BSD_OS-4.1.im.
- For non-crypto units, choose NOCRYPTOPTF-4.1.1-6-BSD_OS-4.1.im.
- Change your directory to /var/tmp/ by typing:
- Enter the following command to install this PTF:
- For crypto, type: im PTF-4.1.1-6-BSD_OS-4.1.im
- For non-crypto, type: im NOCRYPTOPTF-4.1.1-6-BSD_OS-4.1.im
The BIG-IP automatically reboots once it completes installation.
To upgrade an IP Application Switch or a Compact Flash media drive (SSD), use the following process:
- Create a memory file system, by typing the following:
mount_mfs -s 200000 /mnt
- Type the following command:
- Connect to the FTP site (ftp.f5.com).
- If you are running the crypto version of the BIG-IP, download the file PTF-4.1.1-6-BSD_OS-4.1.im from the /crypto/bigip/ptfs/bigip411ptf6 directory.
If you are running the non-crypto version, download the file NOCRYPTOPTF-4.1.1-6-BSD_OS-4.1.im from the /nocrypto/bigip/ptfs/bigip411ptf6 directory.
- On the BIG-IP, run the im upgrade script, using the file name from the previous step as an argument:
im /mnt/<file name>
When the im script is finished, the BIG-IP reboots automatically.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
Software enhancements and fixes
What's new in this PTF (PTF-06)
VLAN headers for tagged interfaces (CR18623)
The BIG-IP no longer inserts random QoS values into 802.1Q VLAN headers.
bigpipe load verify (CR19550)
Running bigpipe load verify or bigpipe load verify path/file no longer creates monitor errors.
BIG-IP now sends a TCP RST when no routes are available (CR20114)
BIG-IP now sends a reset (RST) when auto-lasthop is enabled and no route is available. This enhances the performance of clients that do not resend TCP packets.
Default TCP timeout for SNATs (CR20271)
Loading a SNAT with a default TCP timeout no longer cause errors.
The standby unit in a redundant system no longer attempts L2 or L3 forwarding.
Late binding connections through fast path (CR20598)
The BIG-IP now closes late binding connections that go through fast path properly.
TOS values on delayed binding connections (CR20733)
The BIG-IP no longer sets illegal TOS values on delayed binding connections.
SSL proxy and pools (CR21319)
The BIG-IP no longer allows an SSL proxy to be a member of a pool.
Resets from a virtual server to a proxy (CR21445)
A reset (RST) from a virtual server due to a denial (such as port not enabled) now has last hop routing support. This means that a reset from a virtual server to a proxy goes through the proxy, instead of from the external interface to the client.
Allocating strings for internal VLAN names and checkd (CR21446)
checkd no longer exhausts system resources.
FTP port collision resolution through a SNAT (CR21447)
Active FTP port collision resolution through a SNAT now functions correctly.
SNAT automap with OneConnect (CR21449)
You can now use SNAT automap with OneConnect without slowing performance.
Additional requests on keep-alive connections (CR21452)
When a client makes an additional HTTP request on a keep-alive connection, the new request is now parsed to determine the HTTP version of the additional request.
Gateway failsafe (CR21454)
When you configure a node and an ICMP monitor with the same IP address as the default gateway and gateway failsafe is armed, BIG-IP now correctly updates both the gateway failsafe and the node status.
Sending packets on GVRP/GMRP (CR21455)
Sending packets on GVRP/GMRP no longer causes a multicast storm.
Network with hardwired failover (CR21458)
The active unit no longer goes into standby mode after its peer reboots and failover functions correctly when STP is in use
Server-side SSL proxy (CR21504)
Server-side SSL proxy no longer attempts to resume SSL sessions to servers when cache size is set to zero.
VLAN failsafe (CR21521)
Setting the VLAN failsafe timeout to less than 10 seconds no longer causes the file system to lock up.
Setup utility (CR21526)
The Setup utility no longer adds deleted icmp monitors.
OneConnect state engine (CR21527)
The OneConnect state engine no longer incorrectly changes states when chunking.
Setting port 0 timeout (CR21528)
You can now set the port 0 timeout without causing SNAT connections to be reaped within that timeout.
Simple persistence with default mask (CR21529)
Simple persistence with a default mask no longer sends connections to the same node.
Nodes with connection limits (CR21576)
Nodes with specified connection limits are no longer incorrectly disabled when they are listed after a disabled node in the configuration file.
What's new from PTF-05
bigsnmpd Oulu test suite (CR20443)
bigsnmpd now passes the Oulu test suite. More information about this test suite can be found at: http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/ .
What's new from PTF-04
Resets from a virtual server (CR15745)
Resets from virtual servers which are due to denials (such as port not enabled) now have last hop routing support.
Nodes and bigsnmpd (CR18208)
nodesEntry no longer exhausts system resources.
First-Time Boot utility (CR18345)
The First-Time Boot utility now resets the default route correctly.
bigsnmpd (CR18659) (CR18569)
The bigsnmpd no longer exhausts system resources.
Pending FTP data channel connections (CR18596)
The BIG-IP now correctly removes pending FTP data channel connections from the FTP connection table placeholder list.
Single quotes in checktrap (CR18647)
Checktrap can now handle messages that contain single quotation marks.
bigsnmpd and NAT (CR18699)
The bigsnmpd and NAT no longer cause bigsnmpd to become unstable.
SSL proxy (CR18670)
The BIG-IP now reports the correct VLANs that have been disabled for the proxy.
IMAP monitor (CR18784)
The IMAP monitor no longer arbitrarily marks a node down or stops pinging a node after running for a period of time.
Failsafe ARP requests (CR18856)
Failsafe ARP requests are now correctly formatted.
SNAT automap (CR18809)
SNAT automap is now faster under heavy load.
Keep-alives are now correct with HTTP 1.0 requests to 1.1 servers without connection headers.
The 3dnsd no longer returns duplicate answers for certain LDNS systems.
Selectively disable restart of bigstpd for config sync (CR19126)
When using config sync, you can now selectively disable the restart of bigstpd.
ntpd now runs properly on boot up.
VLAN groups (CR19195)
VLAN groups can now bridge at layer 2 as well as layer 3.
Cookie hash mode now decodes escaped characters (CR19219)
L7 hashing and comparison is now HTTP escape-character aware.
Loading the bigip.conf file (CR19361)
Aliasing the health of a node list to a specific monitor instance no longer causes the bigip.conf file to load slowly.
Sequence number tracking (CR19392)
Out of order packets sent to a delayed binding virtual server no longer cause sequence number tracking to become out of sync.
SNAT automap (CR19534)
After extended amounts of time and traffic, SNAT automap no longer requires a reboot.
Setup utility (CR19546)
Using the Setup utility to configure only one VLAN no longer causes the Setup utility to hang.
TCP 4-way close (CR19591)
TCP 4-way close is now properly detected in all cases when packets are dropped or sent out of order by an upstream device.
Resets from a virtual server to a proxy (CR19667)
A reset from a virtual server due to a denial (such as port not enabled) now has last hop routing support. This means a RST from a virtual server to a proxy will go through the proxy instead of from the external interface to the client.
CERT advisory against UCD-snmpd (CR19824)
We have addressed vulnerabilities detailed in the CERT advisory against UCD-snmpd.
IP and UDP packets through lasthop pool (CR19863)
Node routes now function properly when IP or UDP packets pass through the lasthop pool.
syslog pinger modified for increased resilience (CR19874)
If you define, delete, and then re-define a monitor, the monitor now functions correctly.
Cookie persistence insert mode (CR19929)
Using cookie persistence insert mode when server responses are preceded by large HTTP 100 continue responses no longer causes the BIG-IP to become unstable.
What's new from PTF-03
iControl BIG-IP Corba portal (CR18076)
The iControl portal for BIG-IP is now automatically configured to listen on a default port.
Transparent monitor for wildcard port (CR18094)
Transparent monitors for the wildcard port are no longer problematic.
Pool members (CR18103)
Saving and restoring a configuration no longer reorders pool members.
Certain systems no longer hang on Disc Sync during VLAN failsafe failover.
Any IP through NAT (CR18131)
Any IP through NAT now functions independently of SNAT automap settings.
Layer 2 forwarding mode with proxy arping (CR18189)
Layer 2 forwarding mode with proxy arping is now compatible with Cisco HSRP.
Discard rule (CR18276)
Using the discard statement in a rule with UDP and Any IP no longer causes the BIG-IP to become unstable.
Deleting FTP data virtual server (CR18314)
Deleting the FTP data virtual server while traffic is flowing no longer causes the BIG-IP to become unstable.
SNAT automap port check (CR18383)
The number of ports available for SNAT automap has been increased. The BIG-IP no longer runs out of ports as quickly on SNAT automapped addresses when SNAT automap is being used to aggregate all clients to one particular address.
Delayed binding (CR18439)
The rule and cookie features no longer miss SSL traffic when keep alives are enabled.
bigpipe help (CR18447)
bigpipe help now gives the correct syntax for bigpipe quiet_boot
IP forwarding between VLAN groups (CR18460)
The BIG-IP no longer allows forwarding between VLAN groups when IP forwarding is turned off.
Server-side SSL (CR18470)
Server-side SSL no longer causes proxyd to destabilize.
XML trunk metrics (CR18480)
The BIG-IP XML provider can now display trunk metrics.
VLAN failsafe with MAC masquerading (CR18506)
VLAN failsafe with MAC masquerading now sends the correct MAC address from the standby BIG-IP.
Defining pools (CR18512)
Redefining a pool that is referenced by a cache rule no longer causes the BIG-IP to hang.
What's new from PTF-02
SSL proxy (CR17829)
When clients prematurely disconnect from SSL proxy, the proxyd daemon no longer becomes unstable.
snmpdca now supports user-specifiable SNMP community names.
BIG-IP connection table (CR17911)
FTP proxies no longer cause duplicate connection table entries.
HTTP and HTTPS monitors (CR17926)
Authorization information for the HTTP and HTTPS monitors is now correct.
iControl SOAP portal .NET compatibility (CR17928)
The iControl SOAP portal is now compatible with Microsoft's .NET.
SEE-IT XML provider (CR17933)
The SEE-IT Network Manager can now collect statistics and performance information from the BIG-IP.
Cache rules (CR17960)
BIG-IP cache rules now function properly with non-transparent caches and Keep-Alives.
Running tcpdump on a VLAN under extremely heavy load no longer causes the BIG-IP to become unstable.
Cookie persistence (CR17972)
Cookie insert and cookie rewrite modes now function correctly with SSL-to-Server.
Port mirroring (CR17983)
Configuring port mirroring no longer causes traffic to be delayed.
The following CRs have been fixed for iControl: (CR17851) (CR17902) (CR17923) (CR17932) (CR17934) (CR17999) (CR18012)
What's new from PTF-01
SIP improvements (CR17599)
This PTF includes Session Initiation Protocol (SIP) improvements including load-balancing support and Call-ID persistence for proxy servers that receive SIP messages sent through UDP.
Translated connection rebinding feature (CR17600)
The BIG-IP now allows for rebinding of translated connections.
Stray interrupts from the SSL driver (CR17602)
The SSL driver no longer causes stray interrupts.
SEE-IT provider for BIG-IP (CR17605)
The SEE-IT provider for the BIG-IP is now reporting correct interface names.
svcdown_reset now sends RSTs (CR17617)
The svcdown_reset command now sends RSTs on attempted initiation.
Monitors: node address timeout (CR17655)
When using monitors, you can now adjust the node address timeout setting.
SIP and IP fragments (CR17598)
BIG-IP now correctly detects when all IP fragments of a datagram have been received.
Type of service (TOS) value on delayed binding connections (CR17614)
The BIG-IP now sets a correct type of service (TOS) value on delayed binding connections.
Web-based First-Time Boot utility intermittent issues (CR17660)
Web-based First-Time Boot utility issues with change webadmin userid and password are now fixed.
Keep-alives are now more robust (CR17671)
Keep-alives with problematic CGIs are now more robust.
iControl SOAP WSDL (CR17685)
iControl now works with the MSSOAP Toolkit
Web-based First-Time Boot utility (CR17697)
The web-based First-Time Boot utility can now assign port numbers to separate VLANs on dual port NICs.
VLAN creation (CR17700)
The maximum number of VLANs you can create on an IP Application Switch is 63. (The maximum for the Controller platform is 256) If you create more then 63 VLANs, you receive an error message.
bigsnmpd and system resources (CR17736)
The bigsnmpd no longer exhausts system resources.
SNAT Automap functionality (CR17779)
SNAT Automap now functions correctly.
SNAT port collision resolution (CR17798)
SNAT virtual server connections and non-TCP SNAT connections are now resolved properly.
Client POST with SSL proxy and client header insertion may time out (CR17894)
A Client POST with SSL proxy and client header insertion no longer times out.
Required configuration changes
Restoring the previous configuration after upgrade
When you install this PTF, the IM package may overwrite some configuration files in /etc.
For 4.1.1 versions and earlier, when you install an IM package for an upgrade or PTF, a UCS file is automatically created with a date stamped filename. The UCS file is located in the UCS path: /usr/local/ucs/backupYYMMDD_HHMM.ucs
To restore all configuration data saved in the UCS file, and make all necessary conversions to the restored configuration files, type the following bigpipe command:
bigpipe config install backup020102_1345.ucs
You will need to reboot the system for these changes to take effect.
Maximum number of characters for hostnames
For BIG-IP hostnames the maximum number of characters in the hostname segment of a FQDN is 39 characters. The maximum number of characters in the label of a FQDN is 20 characters. For example:
Optional configuration changes
Changing the default log levels for the webserver (CR21656) (CR21746)
When you install this PTF, the IM package will overwrite the webserver configuration file httpd.conf. The webserver log level and SSL webserver log level will be reset to new default settings. The webserver log level controls how much information about general web requests is logged. The SSL log level (ssl_log_level) applies only to SSL-enabled web servers, and controls how much information about SSL transactions is logged. The default log level for the webserver will be set to emerg. The default SSL log level will be set to none. If you want to change these default log levels you can use the command line interface to manually configure this setting. For a list of valid webserver log levels and SSL webserver log levels see the tables below.
Use the following set of steps to change the default log levels for the webserver.
- To manually configure the webserver log level use one or both of the following commands:
- To configure the logging level for standard messages, type:
bigpipe db set Common.Bigip.Webserver.log_level = <level>
- To configure the logging level for SSL messages, type:
bigpipe db set Common.Bigip.Webserver.ssl_log_level = <level>
- To configure the logging level for standard messages, type:
- After you designate a log level, activate your changes by typing the following command:
Configure access logging for the webserver using the following process:
- To enable or disable access logging use one of the following commands:
- To enable access logging for the webserver, type this command:
bigpipe db set Common.Bigip.Webserver.log_access = 1
- To disable access logging for the webserver, type this command:
bigpipe db set Common.Bigip.Webserver.log_access = 0
- To enable access logging for the webserver, type this command:
- Activate your changes by typing the following command:
|none||No logging is written|
|emerg||Emergencies - system is unusable.||"Child cannot open lock file. Exiting"|
|alert||Action must be taken immediately.||"getpwuid: couldn't determine user name from uid"|
|crit||Critical Conditions.||"socket: Failed to get a socket, exiting child"|
|error||Error conditions.||"Premature end of script headers"|
|warn||Warning conditions.||"child process 1234 did not exit, sending another SIGHUP"|
|notice||Normal but significant condition.||"httpd: caught SIGBUS, attempting to dump core in ..."|
|info||Informational.||"Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..."|
|debug||Debug-level messages.||"Opening config file ..."|
This table contains a list of valid log levels for SSL messages:
|none||no dedicated SSL logging is written, but messages of level error are written to the general Apache error log file|
|error||logs messages of the error type only that is, messages that show fatal situations (processing is usually stopped)|
|warn||logs warning messages, which show non-fatal problems (processing is usually continued)|
|info||logs informational messages, which show major processing steps|
|trace||logs trace messages, messages which show minor processing steps|
|debug||logs debugging messages, which show development and low-level I/O information.|
The following items are known issues in the current release.
Saving configuration files (CR16451)
If you use the config save command to backup the current BIG-IP configuration prior to installing a new configuration, in certain circumstances you may receive the warning message Error:config sync/save/install already in progress. This message is only a warning and does not affect the operation of BIG-IP.
Update status in the LOAD-BAL-MIB.txt (CR17864)
The return status for virtual server status is reversed for ready and disabled.
Installing the IM package (CR19190) (CR20020)
When you install this PTF, it is possible that the IM package overwrites some configuration files in /etc. The procedure to recover these files is documented in the Required configuration changes section of this PTF note.
Installation warning message (CR19990)
When you install this PTF, you may receive the following message:
/sbin/ldconfig: warning: can't open /shlib/libOB.so (no such file or directory), skipping.
This message is only a warning and does not affect the operation of BIG-IP.
Compact Flash drive errors (CR21649) (CR21654) (CR21655) (CR21658) (CR21661) (CR21662)
In some cases D4x/D5x compact flash drives may exhibit hard read errors. These error messages are logged in both the console and to /var/log/messages. The following is an example of the type of error message you may receive:
Apr 12 15:55:41 bip2 kernel: wd0g: hard error reading fsbn 34624 of 34624-34655 (wd0 bn 449344; cn 624 tn 1 sn 16) status 51 error 4
Apr 12 15:55:41 bip2 kernel: wd0: resetting controller
If you are experiencing this type of error please see the Compact Flash Recovery technical note on ask.f5.com.
SMBIOS message during startup (CR21881)
The System Management BIOS (SMBIOS) message during startup, may incorrectly report the D45 platform as D50.
Connection mirroring of short-lived connections (CR21883)
We do not recommend using connection mirroring on short-lived connections on the BIG-IP. This may lead to instability when SSL-proxied connections are mirrored in active-active configurations.