Release Notes : BIG-IP Controller PTF Notes, version 4.2 PTF-02

Applies To:

BIG-IP versions 1.x - 4.x

  • 4.2 PTF-02
Release Notes
Original Publication Date: 10/07/2002 Updated Date: 04/18/2019

Summary:

This product temporary fix (PTF) provides enhancements and fixes for the BIG-IP, version 4.2.  The PTF includes all fixes released since version 4.2.

Installing the PTF

Use the following instructions to apply the PTF to the BIG-IP, version 4.2.

Important: If you are upgrading an IP Application Switch, use the installation instructions here.

Apply the PTF to the BIG-IP, version 4.2 using the following process. The install script saves your current configuration.

  1. Connect to the F5 Networks FTP site (ftp.f5.com).

    Use FTP in passive mode from the BIG-IP to download the file. To place FTP in passive mode, type pass at the command line before transferring the file.

  2. Download the correct PTF file to the /var/tmp/ directory on the target BIG-IP.
    • For crypto BIG-IP units, choose PTF-4.2-2-BSD_OS-4.1.im.
    • For non-crypto units, choose NOCRYPTOPTF-4.2-2-BSD_OS-4.1.im.
  3. Change your directory to /var/tmp/ by typing:

    cd /var/tmp/

    Enter the following command to install this PTF:

    • For crypto, type: im PTF-4.2-2-BSD_OS-4.1.im
    • For non-crypto, type: im NOCRYPTOPTF-4.2-2-BSD_OS-4.1.im

    The BIG-IP automatically reboots once it completes installation.

To upgrade an IP Application Switch or a Compact Flash media drive (SSD), use the following process:

  1. Create a memory file system, by typing the following:

    mount_mfs -s 200000 /mnt

  2. Type the following command:

    cd /mnt

  3. Connect to the FTP site (ftp.f5.com).
  4. If you are running the crypto version of the BIG-IP, download the file PTF-4.2-2-BSD_OS-4.1.im from the /crypto/bigip/ptfs/bigip42ptf2/ directory.
    If you are running the non-crypto version, download the file NOCRYPTOPTF-4.2-2-BSD_OS-4.1.im from the /crypto/bigip/ptfs/bigip42ptf2/ directory.
  5. On the BIG-IP, run the im upgrade script, using the file name from the previous step as an argument:

    im /mnt/<file name>

    When the im script is finished, the BIG-IP reboots automatically.

Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.



Software enhancements and fixes

What's new in this PTF (PTF-02)

Shell interpreted characters in monitors
Monitors can now pass shell interpreted characters, such as &, <, and > in parameters.

Port mirroring on the IP Application Switch  (CR18435)
Ports not configured in a VLAN are now mirrored on the IP Application Switch.

T/TCP session pass through to L4 virtual servers  (CR18792)
This version supports T/TCP session initiation to layer 4 (L4) virtual servers. If a session times out without a 4-way close, it will be removed from the connection table without sending a TCP reset (RST).

VLAN-keyed connections feature  (CR19388)
The BIG-IP now supports VLAN-keyed connections. VLAN-keyed connections are used when traffic for the same connection must pass through the BIG-IP several times, on multiple pairs of VLANs (or in different VLAN groups). This feature has several applications, including, but not limited to, firewall sandwiches where there is only one set of BIG-IP units and both sides of the firewall sandwich are connected to the units. The VLAN-keyed connections feature is enabled by default. To disable this feature, use the following bigpipe command:
b internal set honor_vlans = 0

Sequence number tracking  (CR19393)
Out of order packets sent to a delayed binding virtual server no longer cause sequence number tracking to become out of sync.

TCP 4-way close  (CR19591)
TCP 4-way close is now properly detected in all cases when packets are dropped or sent out of order by an upstream device.

Resets from a virtual server to a proxy  (CR19667)
A reset from a virtual server due to a denial (such as port not enabled) now has last hop routing support. This means a RST from a virtual server to a proxy will go through the proxy instead of from the external interface to the client.

iControl messages through ITCMSystemService  (CR19714)
Intermittent problems using the iControl ITCMSystem interfaces no longer cause instability.

iControl  (CR19809)
iControl SOAP mappings for IP address parameters are now correct.

iControl user access  (CR19892)
iControl user access is now consistent for BIG-IP CORBA and SOAP portals.

proxyd: 90%+ CPU utilization  (CR19896)
There are no longer issues with proxyd and high CPU utilization.

Insert cookie mode  (CR19930)
Insert cookie mode in certain circumstances no longer causes the BIG-IP to become unstable.

iControl LocalLB::Pool  (CR19967)
iControl LocalLB::Pool can now query the persistence table.

OneConnect state engine  (CR20010)
The OneConnect state engine no longer incorrectly changes states when chunking.

Setup utility  (CR20127)
The Setup utility now only writes VLANs which have associated interfaces to bigip_base.conf.

get_router_address  (CR20137)
The iControl get_router_address command can now return all strings.

iControl SOAP interface  (CR20237)
iControl can now connect to the SOAP interface on a shared address.

Sending packets on GVRP/GMRP  (CR20242)
Sending packets on GVRP/GMRP no longer causes a multicast storm.

iControl  (CR20243)
iControl ITCMSystem::enable_ntpd and get_ntpd_status commands now use bigstart.

Fallback host names without quotes  (CR20266)
bigpipe now handles fallback host names correctly in all circumstances.

Allocating strings for internal VLAN names and checkd  (CR20272)
checkd no longer exhausts system resources.

iQuery over UDP  (CR20287)
When using iQuery over UDP, messages are now routed over the correct interface and have the correct source address.

SSL-to-Server with late binding connections  (CR20408)
SSL-to-Server now functions correctly with late binding connections.

FTP port collision resolution through a SNAT  (CR20417)
Active FTP port collision resolution through a SNAT now functions correctly.

VLAN groups can now be configured to bridge at L2  (CR20467)
The BIG-IP now supports transparent L2 forwarding. For more information on configuring this feature see Layer 2 forwarding transparency in the Optional configuration changes section of this PTF note.

Standby unit  (CR20502)
The standby unit no longer attempts L2 or L3 forwarding.

L2 proxy ARP forwarding exclusion list  (CR20647)
To prevent the active unit from forwarding ARP requests for the standby unit (or other hosts for which proxy ARP forwarding is not desired), you can now define a proxy ARP exclusion list. To configure this feature, define a proxy_arp_exclude class and add any self-IPs on the standby and active units to it. The BIG-IP will not forward ARP requests to or from the hosts defined in this class.
For example, to create a proxy_arp_exclude class, use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }

VLAN group active/standby pair  (CR20648)
When a BIG-IP in a VLAN group switches from active to standby mode, it now drops the links on its interfaces. This ensures that any connected switches recognize that all proxy-ARPed MAC addresses are on the currently active BIG-IP, not on the standby.

This feature can be configured with a new BIG-IP internal variable, standby_link_down_time. This value specifies how long a unit that just went standby should keep all of its links down. The value is in tenths of a second, so a value of 50 is equivalent to 5 seconds. The default is 0, which disables the feature.
For example, to enable this feature and set the variable standby_link_down_time to 50, use the following syntax:
b internal set standby_link_down_time = 50

What's new from PTF-01

SSL Proxy: Improved traffic throttling  (CR20229)
The SSL Proxy is now much more efficient at handling the scenario when the bandwidth between the client and the proxy is significantly less than the bandwidth from the proxy to the server. This is done by limiting the server-to-proxy bandwidth to the bandwidth of the proxy-to-client.

Akamaizer Proxy performance  (CR20167)
Performance of the akamaizer proxy has been improved.

BIG-IP now sends a TCP RST when no routes are available   (CR20114)
BIG-IP now sends a reset (RST) when auto-lasthop is enabled and no route is available. This enhances the performance of clients that do not resend TCP packets.

SSL Proxy: 100% CPU utilization freezes existing connections   (CR19966)
Improved the way the SSL proxy handles prematurely disconnected clients.

Broadcast pings originating from the BIG-IP  (CR19901)
BIG-IP is not adversely affected by broadcast pings originating from itself.



Required configuration changes

Restoring the previous configuration after upgrade

When you install this PTF, the IM package may overwrite some configuration files in /etc.
For 4.1.1 versions and earlier, when you install an IM package for an upgrade or PTF, a UCS file is automatically created with a date-stamped file name. The UCS file is located in the UCS path: /usr/local/ucs/backupYYMMDD_HHMM.ucs

Example: /usr/local/ucs/backup020102_1345.ucs

To restore all configuration data saved in the UCS file, and make all necessary conversions to the restored configuration files, type the following bigpipe command:
bigpipe config install backup020102_1345

You will need to reboot the system for these changes to take effect.
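
The following added example is not part of the original release note and is not F5 code. It picks the newest install-time backup by its backupYYMMDD_HHMM.ucs stamp and prints the matching restore command for review before it is run. The function names and the temporary sample directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not F5 code): choose the newest install-time UCS backup
# and print the restore command in the form shown above.

# latest_ucs DIR
# Prints the base name (without .ucs) of the newest file in DIR named
# backupYYMMDD_HHMM.ucs. Returns 1 if no file matches that layout.
latest_ucs() {
    dir=$1
    newest=
    # The shell expands the glob in sorted order. The stamps are fixed
    # width, so the last valid name is the most recent one (assuming all
    # backups fall within the same century of the two-digit year).
    for f in "$dir"/backup*.ucs; do
        [ -f "$f" ] || continue
        name=${f##*/}
        name=${name%.ucs}
        # Accept only: backup + 6 digits + underscore + 4 digits.
        case $name in
            backup[0-9][0-9][0-9][0-9][0-9][0-9]_[0-9][0-9][0-9][0-9])
                newest=$name ;;
        esac
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# restore_command DIR
# Prints the bigpipe command for the newest backup without executing it,
# so the operator can confirm the file before restoring.
restore_command() {
    name=$(latest_ucs "$1") || {
        echo "no install-time UCS backup found in $1" >&2
        return 1
    }
    printf 'bigpipe config install %s\n' "$name"
}

# Constructed sample directory standing in for /usr/local/ucs.
demo=$(mktemp -d)
touch "$demo/backup020102_1345.ucs" "$demo/backup021007_0930.ucs" \
      "$demo/backup-manual.ucs" "$demo/backup021007_09.ucs"
restore_command "$demo"
rm -rf "$demo"
```

Files that do not match the stamp layout exactly, such as manually saved UCS files, are ignored rather than guessed at.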



Known Issues

The following items are known issues in the current release.

Permissions of .crt files (SSL proxy)  (CR19438)
CA files (.crt) or chain files (.chain) no longer fail to load in certain situations, because of file permission problems. These errors are presented in the /var/log/proxyd log file.

Setting active-active mode using the web-based Configuration utility  (CR19794)
With network failover enabled, you will not be able to configure active-active mode using the Configuration utility. When you have network failover enabled, use the command line interface to set active-active mode.

Loading the previous configuration after upgrade  (CR20616)
In some cases, after you upgrade to PTF-02, the previous configuration will not be loaded automatically. If this happens, you should load your configuration by typing /sbin/sod

SSL proxy under heavy load  (CR20276)
Running an SSL proxy under heavy load for extended periods of time may take up abnormal amounts of system resources. In very extreme circumstances this issue may exhaust system resources.

