Applies To:
BIG-IP versions 1.x - 4.x
- 4.2 PTF-04
Installing the PTF
Important: If you are upgrading a redundant pair of BIG-IP units, both units must be upgraded. Running different PTF versions on a redundant pair of BIG-IP units is not supported.
Use the following instructions to apply the PTF to the BIG-IP, version 4.2.
Important: If you are upgrading an IP Application Switch use the installation instructions here.
Apply the PTF to the BIG-IP, version 4.2 using the following process. The install script saves your current configuration.
- Connect to the F5 Networks FTP site (ftp.f5.com).
Use FTP in passive mode from the BIG-IP to download the file. To place FTP in passive mode, type pass at the command line before transferring the file.
- Download the correct PTF file to the /var/tmp/ directory on the target BIG-IP.
- For crypto BIG-IP units, choose PTF-4.2-4-BSD_OS-4.1.im.
- For non-crypto units, choose NOCRYPTOPTF-4.2-4-BSD_OS-4.1.im.
- Change your directory to /var/tmp/ by typing:
cd /var/tmp/
- Enter the following command to install this PTF:
- For crypto, type: im PTF-4.2-4-BSD_OS-4.1.im
- For non-crypto, type: im NOCRYPTOPTF-4.2-4-BSD_OS-4.1.im
The BIG-IP automatically reboots once it completes installation.
To upgrade an IP Application Switch or a Compact Flash media drive (SSD), use the following process:
- Create a memory file system, by typing the following:
mount_mfs -s 200000 /mnt
- Type the following command:
cd /mnt
- Connect to the FTP site (ftp.f5.com).
- If you are running the crypto version of the BIG-IP, download the file PTF-4.2-4-BSD_OS-4.1.im from the /crypto/bigip/ptfs/bigip42ptf4/ directory.
If you are running the non-crypto version, download the file NOCRYPTOPTF-4.2-4-BSD_OS-4.1.im from the /crypto/bigip/ptfs/bigip42ptf4/ directory.
- On the BIG-IP, run the im upgrade script, using the file name from the previous step as an argument:
im /mnt/<file name>
When the im script is finished, the BIG-IP reboots automatically.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
Software enhancements and fixes
What's new in this PTF (PTF-04)
MAC addresses for VLANs on IP Application Switch (CR15611)
On the IP Application switch, VLANs may now use the first member interface's MAC address as the MAC address for the BIG-IP on that VLAN. This duplicates the functionality on the server appliance.
Status lights (CR18605)
In an active-active configuration the annunciator lights now show the correct status (active or standby) on each unit.
VLAN headers for tagged interfaces (CR18623)
The BIG-IP no longer inserts random QoS values into 802.1Q VLAN headers.
Extra characters in log file (CR18879)
When UDP port * is enabled and UDP timeout is set to 0 (zero), extra characters are no longer entered in the log file.
RADIUS_pinger (CR19271)
The RADIUS_pinger no longer intermittently marks nodes down.
Dell 2650 ESM-4 support (CR19325) (CR20100) (CR21178) (CR21179) (CR21183) (CR21208) (CR21221) (CR21222)
The BIG-IP now supports the Dell 2650 platform.
bigip.conf file (CR19361)
A large bigip.conf file now loads more quickly when aliasing is used for node monitors.
IMAP_pinger default folder (CR20043)
If you do not specify an IMAP_pinger folder when defining a monitor based on the IMAP_monitor, the default folder "INBOX" will be used.
SNMP with wildcard virtual servers (CR20125)
The snmpwalk command now returns the correct values for virtual servers when a wildcard virtual server is defined.
Support for iControl v2.1 (CR20178)
This version supports iControl v2.1.
Apache+Mod_SSL on BIG-IP has a buffer overflow (CR20196)
We have addressed security issues regarding an Apache+Mod_SSL buffer overflow. For more information see http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html.
Windows Terminal Server (WTS) persistence (CR20241)
This release includes an updated version of the BIG-IP Windows Terminal Server (WTS) persistence feature. WTS persistence provides an efficient way of load balancing traffic to and maintaining persistent connections between Windows clients and servers that are running Microsoft's Terminal Services service. When BIG-IP WTS persistence is enabled, a Windows .NET Enterprise server participating in session sharing can redirect a mis-targeted connection to the BIG-IP virtual server, instead of to another server directly. This ability to redirect connections to the BIG-IP allows the BIG-IP to assume responsibility for redirecting connections to the appropriate servers when necessary. Also, when WTS persistence is enabled on a BIG-IP and the servers in the pool participate in session sharing, the BIG-IP load balances a Terminal Services connection according to the way that the user has configured the BIG-IP for load balancing. Thus, the use of Windows .NET Enterprise servers and session sharing, combined with the BIG-IP WTS persistence feature, provides more sophisticated load balancing and more reliable reconnection when servers become disconnected. For more information about this feature, see the technical note Configuring BIG-IP Windows Terminal Server Persistence.
big3d and TCP (CR20244)
TCP now functions properly with big3d on the IP Application Switch.
Obsolete VLAN commands (CR20254)
Using obsolete VLAN commands no longer causes errors when loading.
Default TCP timeout for SNATs (CR20270)
Loading a SNAT with a default TCP timeout no longer causes errors.
Active FTP port collision resolution (CR20417)
Active FTP port collision resolution through a SNAT now functions correctly.
Unsuccessful login reporting for SSH, RSH, RCP, and FTP (CR20435)
Previously, the BIG-IP recorded unsuccessful login attempts for Telnet only. The /var/log/secure file now shows unsuccessful login attempts for SSH, RSH, RCP, and FTP.
Setting port 0 timeout (CR20469)
You can now set the port 0 timeout without causing SNAT connections to be reaped with that timeout.
bigip.conf entries (CR20483)
Extra entries will no longer be logged in bigip.conf.
VLAN limits (CR20486)
The maximum number of VLANs is now set correctly for the IP Application Switch.
Setup utility (CR20543)
The Setup utility no longer adds deleted ICMP monitors.
Any-IP through SNAT initiation failure (CR20559)
With any_ip_through_snat disabled, when an any-IP packet originates from a member of a SNAT, the BIG-IP now attempts to IP forward the packet instead of rejecting it.
HTTP chunking interprets carriage-return/line-feed (CRLF) when straddling packet boundary (CR20564)
The BIG-IP now correctly interprets carriage-return/line-feed (CRLF) when it is split across two packets.
Sequence numbers on out of order packets (CR20567)
When in layer 7 (L7) forwarding mode, the BIG-IP now checks to make sure that packets from the server are in the correct order before adjusting sequence numbers.
Dynamic Ratio (CR20580)
Dynamic Ratio now functions correctly.
IM now accepts the + character (CR20595)
The IM now accepts the + character in file names for configuration installation.
Late binding connections through fast path (CR20598)
Late binding connections that go through fast path are now closed properly by the BIG-IP.
Node limits (CR20661)
Node limits are now enforced even if there is a short time between connections.
SNAT automap with OneConnect (CR20710)
You can now use SNAT automap with OneConnect without slowing performance.
Display address names for long host names (CR20712)
bigpipe no longer creates errors when displaying long host names.
proxyd (CR20718)
proxyd no longer sets its exit code incorrectly when daemonizing.
proxyd HTTP parsing (CR20722) (CR20726)
proxyd HTTP parsing now uses normal amounts of system resources.
TOS values on delayed binding connections (CR20733)
The BIG-IP no longer sets illegal TOS values on delayed binding connections.
Reserved keywords list (CR20747)
The word "cache" is now one of the reserved keywords in the Configuration utility. For more information about the reserved keywords, see the list of reserved keywords.
Setup utility (CR20752)
When you re-run the Setup utility and change your original configuration, all configuration data is now rewritten properly.
Class string is 64 bytes or longer (CR20772)
bigpipe no longer creates errors when a class string is 64 bytes or longer.
Occasional hang on reboot at 'syncing disks...' (CR20778)
BIG-IP no longer occasionally hangs when rebooted or halted during a period of file system activity.
Java on BIG-IP (CR20797)
Running a scanner against BIG-IP no longer causes the Java process to reach 99%.
Multicast traffic and auto-lasthop (CR20822)
Auto-lasthop is now disabled for multicast traffic.
FQDN and bigpipe virtual commands (CR20859)
Specifying FQDN in a bigpipe virtual command no longer causes bigpipe to become unstable.
Network with Hardwired failover (CR20864)
The active unit no longer goes standby after peer reboots.
proxyd under heavy load (CR20880)
proxyd and TPS connection limits now function properly under heavy connection load.
VLAN/loopback information (CR20886)
The ifTable now includes VLAN and loopback information.
SSL Persistence (CR20995)
SSL Persistence now functions correctly.
gated OSPF routing protocol (CR20997)
The gated OSPF routing protocol now works with multiple IP addresses on the same IP network.
Server-side SSL proxy (CR21029)
Server-side SSL proxy no longer attempts to resume SSL sessions to servers when cache size is set to zero.
Outbound load balancing (CR21050)
When you use the default gateway pool for outbound load balancing, outbound requests are no longer routed out of the wrong interface.
OpenSSL (CR21073)
OpenSSL now uses the correct default path for the configuration files.
Deleting routes (CR21095)
Deleting routes no longer causes the BIG-IP to become unstable when using VLAN-keyed connections.
Wild card virtual servers on VLANs (CR21107)
Using VLAN-based wild card virtual servers no longer exhausts system resources.
/etc/crontab and /config/crontab files (CR21110)
The /etc/crontab and /config/crontab files are no longer empty.
Keep-alives (CR21112)
The BIG-IP no longer assumes keep-alives are on when a client makes a POST request.
Simple persistence with default mask (CR21117)
Simple persistence with a default mask no longer sends connections to the same node.
Nodes with connection limits (CR21133)
Nodes with connection limits specified, listed after a disabled node in the configuration file, are no longer incorrectly disabled.
Interfaces MIB (CR21137)
The interfaces MIB no longer takes up abnormal amounts of system resources.
SSL To Server has been optimized (CR21151)
In some cases, large amounts of data through a re-encrypting SSL proxy caused the proxy to become unstable. This has been fixed for this release.
Broadcom BCM570x driver (CR20990) (CR21155) (CR21184)
The BIG-IP now supports the Broadcom BCM570x family of Gigabit Ethernet NICs.
Additional requests on keep-alive connections (CR21197)
When a client makes an additional HTTP request on a keepalive connection, the new request is now parsed to determine the HTTP version of the additional request.
Gateway failsafe (CR21198)
When you configure a node and an ICMP monitor with the same IP address as the default gateway and gateway failsafe is armed, BIG-IP now correctly updates both the gateway failsafe and the node status.
Error message (CR21215)
Upon rebooting, the BIG-IP no longer displays an error message at the login prompt.
bigSNMP on BIG-IP version 4.2 with PTF02 installed (CR21254)
On a stand alone BIG-IP 4.2 with PTF02 installed, keeping the BIG-IP in an idle state for long periods of time may cause bigSNMP to become unstable.
What's new from PTF-03
Link down on standby failover feature (CR20821)
The link-down-on-standby failover feature now works properly on the IP application switch when auto-negotiation is disabled.
L7 with large requests (CR20875) (CR20885)
BIG-IP now works properly with L7 features and large requests.
What's new from PTF-02
Shell interpreted characters in monitors
Monitors can now pass shell interpreted characters, such as &, <, and > in parameters.
Port mirroring on the IP Application Switch (CR18435)
Ports not configured in a VLAN are now mirrored on the IP Application Switch.
T/TCP session pass through to L4 virtual servers (CR18792)
This version supports T/TCP session initiation to layer 4 (L4) virtual servers. If a session times out without a 4-way close, it is removed from the connection table without sending a TCP reset (RST).
VLAN-keyed connections feature (CR19388)
The BIG-IP now supports VLAN-keyed connections. VLAN-keyed connections are used when traffic for the same connection must pass through the BIG-IP several times, on multiple pairs of VLANs (or in different VLAN groups). This feature has several applications, including but not limited to, firewall sandwiches where there is only one set of BIG-IP units and both sides of the firewall sandwich are connected to the units. The VLAN-keyed connections feature is enabled by default. To disable this feature use the following bigpipe command:
b internal set honor_vlans = 0
Sequence number tracking (CR19393)
Out of order packets sent to a delayed binding virtual server no longer cause sequence number tracking to become out of sync.
bigpipe verify command (CR19551)
The bigpipe verify command now functions correctly.
TCP 4-way close (CR19591)
TCP 4-way close is now properly detected in all cases when packets are dropped or sent out of order by an upstream device.
Resets from a virtual server to a proxy (CR19667)
A reset from a virtual server due to a denial (such as port not enabled) now has last hop routing support. This means a RST from a virtual server to a proxy will go through the proxy instead of from the external interface to the client.
iControl messages through ITCMSystemService (CR19714)
Intermittent problems using the iControl ITCMSystem interfaces no longer cause instability.
iControl (CR19809)
iControl SOAP mappings for IP address parameters are now correct.
iControl user access (CR19892)
iControl user access is now consistent for BIG-IP CORBA and SOAP portals.
proxyd: 90%+ CPU utilization (CR19896)
There are no longer issues with proxyd and high CPU utilization.
Insert cookie mode (CR19930)
Insert cookie mode in certain circumstances no longer causes the BIG-IP to become unstable.
iControl LocalLB::Pool (CR19967)
iControl LocalLB::Pool can now query the persistence table.
OneConnect state engine (CR20010)
The OneConnect state engine no longer incorrectly changes states when chunking.
Setup utility (CR20127)
The Setup utility now only writes VLANs that have associated interfaces to bigip_base.conf.
get_router_address (CR20137)
The iControl get_router_address command can now return all strings.
iControl SOAP interface (CR20237)
iControl can now connect to the SOAP interface on a shared address.
Sending packets on GVRP/GMRP (CR20242)
Sending packets on GVRP/GMRP no longer causes a multicast storm.
iControl (CR20243)
iControl ITCMSystem::enable_ntpd and get_ntpd_status commands now use bigstart.
Fallback host names without quotes (CR20266)
bigpipe now handles fallback host names correctly in all circumstances.
Allocating strings for internal VLAN names and checkd (CR20272)
checkd no longer exhausts system resources.
iQuery over UDP (CR20287)
When you are using iQuery over UDP, messages are now routed over the correct interface and have the correct source address.
SSL-to-Server with late binding connections (CR20408)
SSL-to-Server now functions correctly with late binding connections.
FTP port collision resolution through a SNAT (CR20417)
Active FTP port collision resolution through a SNAT now functions correctly.
VLAN groups can now be configured to bridge at L2 (CR20467)
The BIG-IP now supports transparent L2 forwarding. For more information on configuring this feature, see Layer 2 forwarding transparency in the Optional configuration changes section of this PTF note.
The standby unit no longer attempts L2 or L3 forwarding.
L2 proxy ARP forwarding exclusion list (CR20647)
In order to prevent the active unit from forwarding ARP requests for the standby unit (or other hosts to which proxy ARP forwarding is not desired), you can now define a proxy arp exclusion list. To configure this feature, you can define a proxy_arp_exclude class and add any self-IPs on the standby and active units to it. BIG-IP will not forward ARP requests to or from the hosts defined in this class.
For example, to create a proxy_arp_exclude class use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }
VLAN group active/standby pair (CR20648)
When a BIG-IP in a VLAN group switches from active to standby mode, it now drops the links on its interfaces. This is so that any connected switches will recognize that all proxy arped MAC addresses are on the currently active BIG-IP, not on the standby. This feature can be configured with a new BIG-IP internal variable standby_link_down_time. This value specifies how long a unit that just went standby should keep all of its links down. The value is in tenths of a second, so a value of 50 would be equivalent to 5 seconds. The default is 0, and this disables the feature.
For example, to enable this feature and set the variable standby_link_down_time to 50, use the following syntax:
b internal set standby_link_down_time = 50
What's new from PTF-01
SSL Proxy: Improved traffic throttling (CR20229)
The SSL Proxy is now much more efficient at handling the scenario when the bandwidth between the client and the proxy is significantly less than the bandwidth from the proxy to the server. This is done by limiting the server-to-proxy bandwidth to the bandwidth of the proxy-to-client.
Akamaizer Proxy performance (CR20167)
Performance of the akamaizer proxy has been improved.
BIG-IP now sends a TCP RST when no routes are available (CR20114)
BIG-IP now sends a reset (RST) when auto-lasthop is enabled and no route is available. This enhances the performance of clients that do not resend TCP packets.
SSL Proxy: 100% CPU utilization freezes existing connections (CR19966)
We improved the way the SSL proxy handles prematurely disconnected clients.
Broadcast pings originating from the BIG-IP (CR19901)
BIG-IP is not adversely affected by broadcast pings originating from itself.
Required configuration changes
List of reserved keywords
With this version of the BIG-IP software, there is a list of keywords that are reserved. You cannot use any words in the list when you create configurations from the web-based Configuration utility, or from the command line. For more information about the reserved keywords, see the list of reserved keywords.
Optional configuration changes
Layer 2 forwarding transparency
In previous releases, VLAN groups have been a hybrid of layer 2 (L2) proxy ARP with layer 3 (L3) forwarding. In this release you can configure pure L2 operation for VLAN groups. To configure this, you can set the internal variable transparent_vlangroups to one of the following three values:
0 (default) - traditional proxy ARP with L3 forwarding
1 - L2 forwarding with locally unique bit toggled in ARP response across the VLANs
2 - L2 forwarding with original MAC address of remote system preserved across VLANs
For more information on configuring this feature, see solution brief 1541 at tech.f5.com.
Wildcard forwarding virtual server
If you are currently using IP forwarding, for BIG-IP version 4.0 and higher we strongly recommend that you use a wildcard forwarding virtual server instead of or in addition to IP forwarding. With the additional features in BIG-IP 4.x, using a wildcard forwarding virtual server is faster than using IP forwarding. A wildcard forwarding virtual server also allows you to get statistics on the exact amount of traffic flowing through the system.
If you want to configure a wildcard forwarding virtual server to handle IP forwarded traffic, use the following procedure on your 4.x system. You can perform this procedure on-the-fly without causing any interruption of service.
- To set up timeouts type the following commands:
bigpipe service 0 tcp enable
bigpipe service 0 timeout tcp 30
bigpipe service 0 udp enable
bigpipe service 0 timeout udp 30
- Set up a wildcard forwarding virtual server by typing the following command:
bigpipe virtual 0.0.0.0:0 forward
- If you want to allow protocols other than TCP and UDP through the forwarding virtual server, use the following command. The default timeout is 15 seconds.
bigpipe virtual 0.0.0.0 any_ip enable
If you want to change the default timeout for this setting, use this syntax:
bigpipe virtual 0.0.0.0 any_ip timeout <seconds>
For example, if you want to change the default timeout to 5 seconds, type this command:
bigpipe virtual 0.0.0.0 any_ip timeout 5
- To save your new configuration, type:
bigpipe save
For more information on wildcard forwarding virtual servers, see the BIG-IP Administrator Guide.
Known Issues
The following items are known issues in the current release.
Permissions of .crt files (SSL proxy) (CR19438)
CA files (.crt) or chain files (.chain) no longer fail to load in certain situations, because of file permission problems. These errors are presented in the /var/log/proxyd log file.
Setting active-active mode using the web-based Configuration utility (CR19794)
With network failover enabled, you will not be able to configure active-active mode using the Configuration utility. When you have network failover enabled, use the command line interface to set active-active mode.
Loading the previous configuration after upgrade (CR20616)
In some cases, after you upgrade to PTF-04, the previous configuration will not be loaded automatically. If this happens, you should load your configuration by typing /sbin/sod
SSL proxy under heavy load (CR20276)
Running an SSL proxy under heavy load for extended periods of time may take up abnormal amounts of system resources. In very extreme circumstances, this issue may exhaust system resources.