Applies To:
Show Versions
BIG-IP versions 1.x - 4.x
- 4.2 PTF-07
Summary:
Contents:
Installing the PTF
Important: If you are upgrading a BIG-IP redundant system, both units must be upgraded. We do not support running different PTF versions on a BIG-IP redundant system.
Use the following instructions to apply the PTF to the BIG-IP system, version 4.2.
Important: If you are upgrading an IP Application Switch use the installation instructions here.
Apply the PTF to the BIG-IP software, version 4.2 using the following process. The install script saves your current configuration.
- Connect to the F5 Networks FTP site (ftp.f5.com).
For information about how to use the F5 Networks FTP site, refer to SOL167: Downloading software from F5 Networks.
- Use FTP in passive mode from the BIG-IP unit to download the file. To place FTP in passive mode, type pass at the command line before transferring the file.
- Download the correct PTF file to the /var/tmp/ directory on the target BIG-IP unit.
- For crypto BIG-IP systems, choose PTF-4.2-7-BSD_OS-4.1.im.
- For non-crypto systems, choose NOCRYPTOPTF-4.2-7-BSD_OS-4.1.im.
- Change your directory to /var/tmp/ by typing:
cd /var/tmp/ - Type the correct command to install this PTF:
- For crypto systems, type: im PTF-4.2-7-BSD_OS-4.1.im
- For non-crypto systems, type: im NOCRYPTOPTF-4.2-7-BSD_OS-4.1.im
To upgrade an IP Application Switch or a Compact Flash media drive (SSD), use the following process.
- Create a memory file system, by typing the following:
mount_mfs -s 200000 /mnt - Type the following command:
cd /mnt - Connect to the FTP site (ftp.f5.com).
- Download the correct file from the /crypto/bigip/ptfs/bigip42ptf7/ directory.
- For the crypto version of the BIG-IP software, choose PTF-4.2-7-BSD_OS-4.1.im
- For the non-crypto version, choose NOCRYPTOPTF-4.2-7-BSD_OS-4.1.im
- On the BIG-IP unit, run the im upgrade script, using the file name from the previous step as an argument:
im /mnt/<file name>When the im script is finished, the BIG-IP system reboots automatically.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
Software enhancements and fixes
What's fixed in this PTF
BSDI security vulnerability (CR16430)
A potential denial of service vulnerability in the C library (libc) of BSDI has been addressed. For information about the vulnerability, see Vulnerability Note VU#808552, Multiple ftpd implementations contain buffer overflows, which is available on the CERT website at http://www.cert.org.
Mirroring connections (CR22064)
The standby unit no longer reports a lower number of connections than the active unit.
Deleting action commands and files from the /tmp directory on the local system (CR22109)
There is a new cron job that deletes files and action commands that are older than one day from the /tmp directory.
syslog (CR22192)
syslogd is now more tolerant of network errors, and now functions correctly after reboot.
No-handler denials (CR22206)
The BIG-IP system no longer sends resets (RSTs) on no-handler denials.
ICMP traffic through VLAN groups (CR22207)
When a SNAT is configured through two VLAN groups, ICMP traffic is now handled correctly in all cases.
Resets due to no handler and VIP initiation failures (CR22213)
Resets (RSTs) due to no handler and VIP initiation failures are now auto-lasthopped.
VU#803539 (CR22222)
Vulnerability #803539, DNS stub resolvers vulnerable to buffer overflow, has been addressed. For more information on this vulnerability see http://www.kb.cert.org/vuls/id/803539.
b load with VLAN groups (CR22224)
b load no longer fails intermittently with VLAN groups.
CERT Advisory CA-2002-18, OpenSSH Vulnerabilities in Challenge Response Handling (CR22227)
The OpenSSH software running on the BIG-IP system has been upgraded to version 3.4p1 to address the security vulnerability that is outlined in CERT Advisory CA-2002-18.
SSL proxy with large POSTs (CR22424)
The SSL proxy no longer prematurely closes client connections on large POSTs.
STP (CR22531)
In an active-standby configuration, when you configure more then nine interfaces in an STP domain and the active unit is rebooted, the standby (rebooted) unit is now able to acquire a root bridge.
VLAN failsafe rebooting (CR22579)
You can now configure the BIG-IP system to prevent the standby unit from VLAN failsafe rebooting. Use the bigpipe command b internal set standby_failsafe_reboot = 0 to disable VLAN failsafe rebooting. The default is 1, or enabled.
IP Forwarding disabled after upgrade (CR22636)
IP Forwarding is disabled when you upgrade to BIG-IP 4.2 from 4.0 or 4.1.1
OpenSSL CERT VU#102795 VU#258555 VU#561275 VU#308891 VU#748355 (CR22727)
We have addressed the CERT release on OpenSSL: VU#102795 VU#258555 VU#561275 VU#308891 VU#748355 in this release.
Periodic scans of compact flash media (CR22780)
The BIG-IP software now performs periodic scans of compact flash media, which allows soft errors in media to be corrected.
Enhancements and fixes released in prior PTFs
Version 4.2PTF06
Memory exhaustion under heavy load with the large packets (CR17982)
Fixed a problem that could cause memory to be exhausted when the unit is under heavy load of large packets.
Generating keys using the Configuration utility (CR19239)
The Configuration utility now generates keys/certificates correctly for the SSL proxy.
bigpipe load verify (CR19551)
Using bigpipe verify mode no longer causes unexpected errors.
SSL proxy under heavy load (CR20276)
Running an SSL proxy under heavy load for extended periods of time no longer takes up abnormal amounts of system resources.
bigsnmpd (CR20628)
bigsnmpd no longer becomes unstable when providing data for a large number of pools with a very large number of nodes defined to each pool.
Setup utility error messages (CR20711)
After you complete the VLAN and networking sections of the Setup utility, you no longer receive harmless config error messages.
Multicast traffic and auto-lasthop (CR20822)
Auto-lasthop is now disabled for multicast traffic.
X509 Configuration (CR20947)
If the BIG-IP configuration files are not specified, the default configuration values for X509 data are now set properly.
Occasional problem with SSL Proxy when dumping stats (CR21065)
The SSL Proxy no longer experiences an occasional floating-point exception error when dumping stats (sending proxyd a SIGUSR1).
SSL proxy redirect (CR21154)
SSL proxy redirect now functions correctly after a 304 Not Modified Since reply from the server.
Configuration utility (CR21166)
In an active-active redundant configuration, the SSL proxy is now accessible through the web-based Configuration utility after failover.
poolMemberPriority (CR21174)
poolMemberPriority can now be set to values other than -1.
Logging for VLAN specific wildcard virtual servers (CR21204)
The correct IP address is now logged for VLAN specific wildcard virtual servers.
Idle HTTP keep-alive hash (CR21205)
BIG-IP system performance is no longer adversely affected when keep-alives are enabled and a large number of idle HTTP connections are being used.
FTP listener hash table (CR21286)
The FTP listener hash table is now VLAN-aware so that FTP connections may pass through the BIG-IP multiple times without SNATs.
VLAN-keyed connection table (CR21288)
When you establish a connection through a virtual server referencing a forwarding pool, which travels back out through a SNAT, the VLAN-keyed connection table now resolves the connection properly.
HTTP 304 response codes (CR21308)
HTTP 304 response codes now assume an implicit content length of 0.
Connections through a forwarding virtual server (CR21310)
The reaper now resets both ends of a connection through a forwarding virtual server.
SSL proxy and pools (CR21320)
The BIG-IP software no longer allows an SSL proxy to be a member of a pool.
CALL-ID (CR21338)
Matching of the SIP Call-ID field is no longer case-sensitive.
HTTP redirects (CR21356)
HTTP redirects now function properly when a client sends an MSS of 0.
bigsnmpd (CR21369)
bigsnmpd now sends a valid trap OID when it sends a cold start trap.
Connection rebinding (CR21403)
Connection rebinding with no available nodes no longer causes the BIG-IP system to become unstable.
HTTP header insertion (CR21435)
HTTP header insertion no longer has buffer boundary check problems.
Mirror-to ports (CR21635)
When you define a port as a mirror-to port, and then delete the mirror, the port is now restored to its previous state and passes traffic correctly.
Multicast packets (CR21665)
Internal interfaces on switch appliances are now configured for promiscuous receipt of multicast packets.
SNAT timeout (CR21671)
The SNAT timeout setting no longer affects virtual server timeout.
Large HTTP requests (CR21715)
HTTP requests greater than 2K no longer cause the BIG-IP parser to become unstable.
Unconnected ports (CR21721)
Unconnected fast ethernet ports on a VLAN receiving broadcast frames no longer display incorrect interface statistics.
SSH Daemon log messages (CR21824)
Insufficient resources on some systems no longer prevent the SSH daemon from handling early connections.
Header insertion (CR21953)
Header insertion now functions properly with cookie persistence when using rules.
CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability
The security vulnerability that is outlined in CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability, has been fixed.
CERT Advisory VU#797201 against tcpdump (CR22049)
We have addressed vulnerabilities detailed in the CERT advisory against tcpdump.
Version 4.2PTF05
Support for the Dell PowerEdge 2650 platform
This release includes support for the Dell PowerEdge 2650 platform.
Version 4.2PTF04
MAC addresses for VLANs on IP Application Switch (CR15611)
On the IP Application switch, VLANs may now use the first member interface's MAC address as the MAC address for the BIG-IP on that VLAN. This duplicates the functionality on the server appliance.
Status lights (CR18605)
In an active-active configuration, the annunciator lights now show the correct status (active or standby) on each unit.
VLAN headers for tagged interfaces (CR18623)
The BIG-IP system no longer inserts random QoS values into 802.1Q VLAN headers.
Extra characters in log file (CR18879)
When UDP port * is enabled and UDP timeout is set to 0 (zero), extra characters are no longer entered in the log file.
RADIUS_pinger (CR19271)
The RADIUS_pinger no longer intermittently marks nodes down.
Dell 2650 ESM-4 support (CR19325) (CR20100) (CR21178) (CR21179) (CR21183) (CR21208) (CR21221) (CR21222)
The BIG-IP system now supports the Dell 2650 platform.
bigip.conf file (CR19361)
A large bigip.conf file now loads more quickly when aliasing is used for node monitors.
IMAP_pinger default folder (CR20043)
If you do not specify an IMAP_pinger folder when defining a monitor based on the IMAP_monitor, the default folder "INBOX" is used.
SNMP with wildcard virtual servers (CR20125)
The snmpwalk command now returns the correct values for virtual servers when a wildcard virtual server is defined.
Support for iControl v2.1 (CR20178)
This version supports iControl v2.1.
Apache+Mod_SSL on BIG-IP has a buffer overflow (CR20196)
We have addressed security issues regarding an Apache+Mod_SSL buffer overflow. For more information see http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html.
Windows Terminal Server (WTS) persistence (CR20241)
This release includes an updated version of the BIG-IP Windows Terminal Server (WTS) persistence feature. WTS persistence provides an efficient way of load balancing traffic to and maintaining persistent connections between Windows clients and servers that are running Microsoft's Terminal Services service. When BIG-IP WTS persistence is enabled, a Windows .NET Enterprise server participating in session sharing can redirect a mis-targeted connection to the BIG-IP virtual server, instead of to another server directly. This ability to redirect connections to the BIG-IP allows the BIG-IP to assume responsibility for redirecting connections to the appropriate servers when necessary. Also, when WTS persistence is enabled on a BIG-IP and the servers in the pool participate in session sharing, the BIG-IP load balances a Terminal Services connection according to the way the user has configured the BIG-IP for load balancing. Thus, the use of Windows .NET Enterprise servers and session sharing, combined with the BIG-IP WTS persistence feature, provides more sophisticated load balancing and more reliable reconnection when servers become disconnected. For more information about this feature, see the technical note Configuring BIG-IP Windows Terminal Server Persistence .
big3d and TCP (CR20244)
TCP now functions properly with big3d on the IP Application Switch.
Obsolete VLAN commands (CR20254)
Using obsolete VLAN commands no longer causes errors when loading.
Default TCP timeout for SNATs (CR20270)
Loading a SNAT with a default TCP timeout no longer cause errors.
Active FTP port collision resolution (CR20417)
Active FTP port collision resolution through a SNAT now functions correctly.
Unsuccessful login reporting for SSH, RSH, RCP, and FTP (CR20435)
Previously the BIG-IP system recorded unsuccessful login attempts for Telnet only. The /var/log/secure file now shows unsuccessful login attempts for SSH, RSH ,RCP, and FTP.
Setting port 0 timeout (CR20469)
You can now set the port 0 timeout without causing SNAT connections to be reaped with that timeout.
bigip.conf entries (CR20483)
Extra entries are no longer logged in bigip.conf.
VLAN limits (CR20486)
The maximum number of VLANs is now set correctly for the IP Application Switch.
Setup utility (CR20543)
The Setup utility no longer adds deleted ICMP monitors.
Any-IP through SNAT initiation failure (CR20559)
With any_ip_through_snat disabled, when an any-IP packet originates from a member of a SNAT, the BIG-IP system now attempts to IP forward the packet instead of rejecting it.
HTTP chunking interprets carriage-return/line-feed (CRLF) when straddling packet boundary (CR20564)
The BIG-IP system now correctly interprets carriage-return/line-feed (CRLF) when it is split across two packets.
Sequence numbers on out of order packets (CR20567)
When in layer 7 (L7) forwarding mode, the BIG-IP software now checks to make sure that packets from the server are in the correct order before adjusting sequence numbers.
Dynamic Ratio (CR20580)
Dynamic Ratio now functions correctly.
IM now accepts the + character (CR20595)
The IM now accepts the + character in file names for configuration installation.
Late binding connections through fast path (CR20598)
The BIG-IP system now properly closes late binding connections that go through fast path.
Node limits (CR20661)
Node limits are now enforced even if there is a short time between connections.
SNAT automap with OneConnect (CR20710)
You can now use SNAT automap with OneConnect without slowing performance.
Display address names for long host names (CR20712)
bigpipe no longer creates errors when displaying long host names.
proxyd (CR20718)
proxyd no longer sets its exit code incorrectly when daemonizing.
proxyd HTTP parsing (CR20722) (CR20726)
proxyd HTTP parsing now uses normal amounts of system resources.
TOS values on delayed binding connections (CR20733)
The BIG-IP system no longer sets illegal TOS values on delayed binding connections.
Reserved keywords list (CR20747)
The word "cache" is now one of the reserved keywords in the Configuration utility. For more information about the reserved keywords, see the list of reserved keywords.
Setup utility (CR20752)
When you re-run the Setup utility and change your original configuration, all configuration data is rewritten properly.
Class strings is 64 bytes or longer (CR20772)
bigpipe no longer creates errors when a class string is 64 bytes or longer.
Occasional hang on reboot at 'syncing disks...' (CR20778)
The BIG-IP system no longer occasionally hangs when rebooted or halted during a period of file system activity.
Java on BIG-IP (CR20797)
Running a scanner against the BIG-IP system no longer causes the Java process to reach 99%.
FQDN and bigpipe virtual commands (CR20859)
Specifying FQDN in a bigpipe virtual command no longer causes bigpipe to become unstable.
Network with Hardwired failover (CR20864)
The active unit no longer goes standby after peer reboots.
proxyd under heavy load (CR20880)
proxyd and TPS connection limits now function properly under heavy connection load.
VLAN/loopback information (CR20886)
The ifTable now includes VLAN and loopback information.
SSL Persistence (CR20995)
SSL Persistence now functions correctly.
gated OSPF routing protocol (CR20997)
The gated OSPF routing protocol now works with multiple IP addresses on the same IP network.
Server-side SSL proxy (CR21029)
Server-side SSL proxy no longer attempts to resume SSL sessions to servers when cache size is set to zero.
Outbound load balancing (CR21050)
When you use the default gateway pool for outbound load balancing, outbound requests are no longer routed out of the wrong interface.
OpenSSL (CR21073)
OpenSSL now uses the correct default path for the configuration files.
Deleting routes (CR21095)
Deleting routes no longer causes the BIG-IP system to become unstable when using VLAN-keyed connections.
Wild card virtual servers on VLANs (CR21107)
Using VLAN-based wild card virtual servers no longer exhausts system resources.
Keep-alives (CR21112)
The BIG-IP system no longer assumes keep-alives are on when a client makes a POST request.
Simple persistence with default mask (CR21117)
Simple persistence with a default mask, no longer sends connections to the same node.
Nodes with connection limits (CR21133)
Nodes with connection limits specified, listed after a disabled node in the configuration file, are no longer incorrectly disabled.
Interfaces MIB (CR21137)
The interfaces MIB no longer takes up abnormal amounts of system resources.
SSL To Server has been optimized (CR21151)
Large amounts of data through a re-encrypting SSL proxy no longer cause proxyd to become unstable.
Broadcom BCM570x driver (CR20990) (CR21155) (CR21184)
The BIG-IP system now supports the Broadcom BCM570x family of Gigabit Ethernet NICs.
Additional requests on keep-alive connections (CR21197)
When a client makes an additional HTTP request on a keepalive connection, the BIG-IP software now parses the new request to determine the HTTP version of the additional request.
Gateway failsafe (CR21198)
When you configure a node and an ICMP monitor with the same IP address as the default gateway and gateway failsafe is armed, the BIG-IP system now correctly updates both the gateway failsafe and the node status.
Error message (CR21215)
Upon rebooting, the BIG-IP system no longer displays an error message at the login prompt.
bigSNMP on BIG-IP version 4.2 with PTF02 installed (CR21254)
On a stand-alone BIG-IP version 4.2 with PTF02 installed, keeping the BIG-IP system in an idle state for long periods of time no longer causes bigSNMP to become unstable.
Version 4.2PTF03
Link down on standby failover feature (CR20821)
The link-down-on-standby failover feature now works properly on the IP application switch when auto-negotiation is disabled.
L7 with large requests (CR20875) (CR20885)
The BIG-IP system now works properly with L7 features and large requests.
Version 4.2PTF02
Shell interpreted characters in monitors
Monitors can now pass shell interpreted characters, such as &, <, and > in parameters.
Port mirroring on the IP Application Switch (CR18435)
Ports not configured in a VLAN are now mirrored on the IP Application Switch.
T/TCP session pass through to L4 virtual servers (CR18792)
This version supports T/TCP session initiation to layer 4 (L4) virtual servers. If a session times out without a 4-way close, it is removed from the connection table without sending a TCP reset (RST).
VLAN-keyed connections feature (CR19388)
The BIG-IP system now supports VLAN-keyed connections. VLAN-keyed connections are used when traffic for the same connection must pass through the BIG-IP system several times, on multiple pairs of VLANs (or in different VLAN groups). This feature has several applications, including but not limited to, firewall sandwiches where there is only one set of BIG-IP units and both sides of the firewall sandwich are connected to the units. The VLAN-keyed connections feature is enabled by default. To disable this feature use the following bigpipe command:
b internal set honor_vlans = 0
Sequence number tracking (CR19393)
Out of order packets sent to a delayed binding virtual server no longer cause sequence number tracking to become out of sync.
TCP 4-way close (CR19591)
TCP 4-way close is now properly detected in all cases when packets are dropped or sent out of order by an upstream device.
Resets from a virtual server to a proxy (CR19667)
A reset from a virtual server due to a denial (such as port not enabled) now has last hop routing support. This means a RST from a virtual server to a proxy will go through the proxy instead of from the external interface to the client.
iControl messages through ITCMSystemService (CR19714)
Intermittent problems using the iControl ITCMSystem interfaces no longer cause instability.
iControl (CR19809)
iControl SOAP mappings for IP address parameters are now correct.
iControl user access (CR19892)
iControl user access is now consistent for BIG-IP CORBA and SOAP portals.
proxyd: 90%+ CPU utilization (CR19896)
There are no longer issues with proxyd and high CPU utilization.
Insert cookie mode (CR19930)
Insert cookie mode in certain circumstances no longer causes the BIG-IP system to become unstable.
iControl LocalLB::Pool (CR19967)
iControl LocalLB::Pool can now query the persistence table.
OneConnect state engine (CR20010)
The OneConnect state engine no longer incorrectly changes states when chunking.
Setup utility (CR20127)
The Setup utility now only writes VLANs that have associated interfaces to bigip_base.conf.
get_router_address (CR20137)
The iControl get_router_address command can now return all strings.
iControl SOAP interface (CR20237)
iControl can now connect to the SOAP interface on a shared address.
Sending packets on GVRP/GMRP (CR20242)
Sending packets on GVRP/GMRP no longer causes a multicast storm.
iControl (CR20243)
iControl ITCMSystem::enable_ntpd and get_ntpd_status commands now use bigstart.
Fallback host names without quotes (CR20266)
bigpipe now handles fallback host names correctly in all circumstances.
Allocating strings for internal VLAN names and checkd (CR20272)
checkd no longer exhausts system resources.
iQuery over UDP (CR20287)
When you are using iQuery over UDP, messages are now routed over the correct interface and have the correct source address.
SSL-to-Server with late binding connections (CR20408)
SSL-to-Server now functions correctly with late binding connections.
FTP port collision resolution through a SNAT (CR20417)
Active FTP port collision resolution through a SNAT now functions correctly.
VLAN groups can now be configured to bridge at L2 (CR20467)
The BIG-IP system now supports transparent L2 forwarding. For more information on configuring this feature, see Layer 2 forwarding transparency in the Optional configuration changes section of this PTF note.
The standby unit no longer attempts L2 or L3 forwarding.
L2 proxy ARP forwarding exclusion list (CR20647)
In order to prevent the active unit from forwarding ARP requests for the standby unit (or other hosts to which proxy ARP forwarding is not desired), you can now define a proxy arp exclusion list. To configure this feature, you can define a proxy_arp_exclude class and add any self-IPs on the standby and active units to it. The BIG-IP units will not forward ARP requests to or from the hosts defined in this class.
For example, to create a proxy_arp_exclude class use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }
VLAN group active/standby pair (CR20648)
When a BIG-IP unit in a VLAN group switches from active to standby mode, it now drops the links on its interfaces. This is so that any connected switches will recognize that all proxy arped MAC addresses are on the currently active BIG-IP unit, not on the standby. This feature can be configured with a new BIG-IP internal variable standby_link_down_time. This value specifies how long a unit that just went standby should keep all of its links down. The value is in tenths of a second, so a value of 50 would be equivalent to 5 seconds. The default is 0, and this disables the feature.
For example, to enable this feature and set the variable standby_link_down_time to 50 use following syntax:
b internal set standby_link_down_time = 50
Version 4.2PTF01
SSL Proxy: Improved traffic throttling (CR20229)
The SSL Proxy is now much more efficient at handling the scenario when the bandwidth between the client and the proxy is significantly less than the bandwidth from the proxy to the server. This is done by limiting the server-to-proxy bandwidth to the bandwidth of the proxy-to-client.
Akamaizer Proxy performance (CR20167)
Performance of the akamaizer proxy has been improved.
BIG-IP now sends a TCP RST when no routes are available (CR20114)
The BIG-IP system now sends a reset (RST) when auto-lasthop is enabled and no route is available. This enhances the performance of clients that do not resend TCP packets.
SSL Proxy: 100% CPU utilization freezes existing connections (CR19966)
We improved the way the SSL proxy handles prematurely disconnected clients.
Broadcast pings originating from the BIG-IP (CR19901)
The BIG-IP system is not adversely affected by broadcast pings originating from itself.
Required configuration changes
List of reserved keywords
With this version of the BIG-IP software, there is a list of keywords that are reserved. You cannot use any words in the list when you create configurations from the web-based Configuration utility, or from the command line. For more information about the reserved keywords, see the list of reserved keywords.
Optional configuration changes
Layer 2 forwarding transparency
In previous releases, VLAN groups have been a hybrid of layer 2 (L2) proxy ARP with layer 3 (L3) forwarding. In this release, you can configure pure L2 operation for VLAN groups. To configure this, you can set the internal variable transparent_vlangroups to one of the following three values:
0 (default) - traditional proxy ARP with L3 forwarding
1 - L2 forwarding with locally unique bit toggled in ARP response across the VLANs
2 - L2 forwarding with original MAC address of remote system preserved across VLANs
For more information on configuring this feature, see solution brief 1541 at tech.f5.com.
Wildcard forwarding virtual server
If you are currently using IP forwarding for BIG-IP version 4.0 and higher, we strongly recommend that you use a wildcard forwarding virtual server instead of or in addition to IP forwarding. With the additional features in BIG-IP 4.x, using a wildcard forwarding virtual server is faster than using IP forwarding. A wildcard forwarding virtual server also allows you to get statistics on the exact amount of traffic flowing through the system.
If you want to configure a wildcard forwarding virtual server to handle IP forwarded traffic, use the following procedure on your 4.x system. You can perform this procedure on-the-fly without causing any interruption of service.
- To set up timeouts type the following commands:
bigpipe service 0 tcp enable
bigpipe service 0 timeout tcp 30
bigpipe service 0 udp enable
bigpipe service 0 timeout udp 30 - Set up a wildcard forwarding virtual server by typing the following command:
bigpipe virtual 0.0.0.0:0 forward - If you want to allow protocols other than TCP and UDP through the forwarding virtual server, use the following command. The default timeout is 15 seconds.
bigpipe virtual 0.0.0.0 any_ip enable
If you want to change the default timeout for this setting, use this syntax:
bigpipe virtual 0.0.0.0 any_ip timeout <seconds>
For example, if you want to change the default timeout to 5 seconds, type this command:
bigpipe virtual 0.0.0.0 any_ip timeout 5 - To save your new configuration, type:
bigpipe save
For more information on wildcard forwarding virtual servers, see the BIG-IP Solutions Guide.
Changing the default log levels for the webserver (CR21656) (CR21746)
When you install this PTF, the IM package overwrites the webserver configuration file httpd.conf. The webserver log level and SSL webserver log level are reset to new default settings. The webserver log level controls how much information about general web requests is logged. The SSL log level (ssl_log_level) applies only to SSL-enabled web servers, and controls how much information about SSL transactions is logged. The default log level for the webserver is set to emerg. The default SSL log level is set to none. If you want to change these default log levels, you can use the command line interface to manually configure this setting. For a list of valid webserver log levels and SSL webserver log levels, see the tables below.
Use the following set of steps to change the default log levels for the webserver.
- To manually configure the webserver log level, use one or both of the following commands:
- To configure the logging level for standard messages, type:
bigpipe db set Common.Bigip.Webserver.log_level = <level> - To configure the logging level for SSL messages, type:
bigpipe db set Common.Bigip.Webserver.ssl_log_level = <level>
- To configure the logging level for standard messages, type:
- After you designate a log level, activate your changes by typing the following command:
/usr/sbin/first_time/tweak_httpd
Configure access logging for the webserver using the following process:
- To enable or disable access logging use one of the following commands:
- To enable access logging for the webserver, type this command:
bigpipe db set Common.Bigip.Webserver.log_access = 1 - To disable access logging for the webserver, type this command:
bigpipe db set Common.Bigip.Webserver.log_access = 0
- To enable access logging for the webserver, type this command:
- Activate your changes by typing the following command:
/usr/sbin/first_time/tweak_httpd
| Level | Description | Example |
| none | No logging is written | |
| emerg | Emergencies - system is unusable | "Child cannot open lock file. Exiting" |
| alert | Action must be taken immediately | "getpwuid: couldn't determine user name from uid" |
| crit | Critical Conditions | "socket: Failed to get a socket, exiting child" |
| error | Error conditions | "Premature end of script headers" |
| warn | Warning conditions | "child process 1234 did not exit, sending another SIGHUP" |
| notice | Normal but significant condition | "httpd: caught SIGBUS, attempting to dump core in ..." |
| info | Informational | "Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..." |
| debug | Debug-level messages | "Opening config file ..." |
The following table contains a list of valid log levels for SSL messages.
| Level | Description | |
| none | No dedicated SSL logging is written, but messages of level error are written to the general Apache error log file. | |
| error | Logs messages of the error type only that is, messages that show fatal situations (processing is usually stopped). | |
| warn | Logs warning messages, which show non-fatal problems (processing is usually continued). | |
| info | Logs informational messages, which show major processing steps. | |
| trace | Logs trace messages, messages which show minor processing steps. | |
| debug | Logs debugging messages, which show development and low-level I/O information. |
Known Issues
The following items are known issues in the current release.
Running config with no self IP addresses (CR23112)
If you run config from the command line without having any self IP addresses configured, config does not function properly. If there are no self IP addresses configured on the BIG-IP system, you must add a self IP address before running config.
Compact Flash drive errors (CR21375) (CR21376) (CR21397) (CR21657) (CR21659) (CR21660) (CR21663)
In some cases, D4x/D5x compact flash drives may exhibit hard read errors. These error messages are logged in both the console and to /var/log/messages. The following is an example of the type of error message you may receive:
Apr 12 15:55:41 bip2 kernel: wd0g: hard error reading fsbn 34624 of 34624-34655 (wd0 bn 449344; cn 624 tn 1 sn 16) status 51 error 4
Apr 12 15:55:41 bip2 kernel: wd0: resetting controller
If you are experiencing this type of error, please see the Compact Flash Recovery technical note on tech.f5.com.
Permissions of .crt files (SSL proxy) (CR19438)
CA files (.crt) or chain files (.chain) no longer fail to load, in certain situations, because of file permission problems. These errors are presented in the /var/log/proxyd log file.
SNMP trap sink (CR19769)
Currently the SNMP trap source is the hostname of the BIG-IP that it is coming from. It should be from an IP address that is routable to the trap sink.
Setting active-active mode using the web-based Configuration utility (CR19794)
With network failover enabled, you cannot use the Configuration utility to configure active-active mode. When you have network failover enabled, use the command line interface to set active-active mode.
Error message (CR19813)
When you reboot, in certain circumstances you may receive the error message wd0: lost interrupt. This message is only a warning, and does not affect the operation of the BIG-IP unit.
Broadcom 582x driver error message (CR20461)
Currently the Broadcom 582x driver does not return an error if the hardware operation times out.
Memory exhaustion side-effects (CR20496)
In certain circumstances, proxyd and other userland processes may not respond when memory is exhausted.
Loading the previous configuration after upgrade (CR20616)
In some cases, after you upgrade to PTF-07, the previous configuration is not loaded automatically. If this happens, you should load your configuration by typing /sbin/sod
Update snmptrap configuration file (CR21363)
When upgrading a previously upgraded 4.1.1 system, the /etc/snmptrap.conf file is not updated properly which may cause some snmptraps to fail.
The Tomcat package is binding to multiple ports (CR21652)
The Tomcat package is binding to *:8080 as well as to 127.0.0.1:8007. To work around this issue, open the following file, /usr/local/tomcat/conf/server.xml, and comment out the <Connector> ... "8080"...</Connector> statement.
snmp checktrap (CR21701)
When the port for the node that is being marked up or down is any, checktrap may not correctly identify it.
Failover on SSL accelerator hardware failure (CR21728)
The SSL proxy silently ignores the Configuration utility and command line interface configuration options for this feature, and observes only the corresponding, deprecated bigdb key. Fro more information, refer to SOL1997: Known Issue: The Configuration utility appears to allow SSL proxy hardware failover to be configured, but this setting does not actually work.
Force Active/Force Standby incorrect with Network Failover (CR22013) (CR22093)
Performing force active/force standby commands can result in the force standby box being and staying active while the force master box remains standby.
Enabling the interface card (CR22041)
The ifconfig up and bigpipe interface enable commands may not enable the interface card properly in some cases.
Windows uploads (CR22043)
Delayed-acks may throttle Windows uploads to 40K per second.
L7 VIP (CR22055)
If a client sends no request to a Layer 7 VIP and just the closes connection, shutdown may stall.
UDP checksums and TFTP packets (CR22113)
In rare instances, the checksums for TFTP packets are incorrect.
iControl: Pool::get_persist_mode_cookie_mode (CR22126)
iControl Pool::get_persist_mode_cookie_mode may return the incorrect result.
Mirroring SSL persistence (CR22142)
Mirroring SSL persistence may cause the BIG-IP system to become unstable.
Failover when the nCipher card fails (CR22172)
The BIG-IP system does not currently support failover when the nCipher card fails.
Default wildcard ports (CR22191)
Default wildcard ports do not use ICMP monitoring.
BIG-IP log (CR22195)
When you reboot or run config from the command line interface, the BIG-IP log file may report that proxyd and namesurfer exited abnormally. These log messages are benign warnings and do not indicate a serious error.
Network virtual servers (CR22202)
Creating more than 1024 network virtual servers may cause the BIG-IP system to become unstable.
b load with VLAN groups (CR22224)
When you create multiple VLANs, and then create a VLAN group with a single self IP address, the configuration may not load properly. If your configuration fails to load during bootup, you can restore your previous configuration from backup.
Short-lived rapid connections from the same source IP (CR22232)
When dealing with short-lived rapid connections from the same source IP address, the BIG-IP system may arbitrarily reset some packets.
Transparent VLAN groups (CR22235)
The BIG-IP system passes broadcast ARP requests through transparent VLAN groups.
Creating an SSL proxy using iControl (CR22236)
After creating an SSL proxy using iControl, you must manually restart proxyd in order for the newly created proxy to function properly. To start proxyd, log on to the BIG-IP system and run /sbin/proxyd.
ifTable (CR22257)
The ifTable function may not list VLANs.
Fail-safe log messages (CR22290)
Fixed fail-safe log messages use default internal VLAN names instead of the user-configured VLAN names.
Server-SSL proxy may delay flushing data to clients (CR23101)
An SSL proxy configured with server-side SSL enabled may delay flushing all data received until the server-side connection is closed.
4.2 upgrades (CR22303)
BIG-IP version 4.2 upgrades add the node * monitor use icmp line to bigip.conf.
Port translation (CR22320)
In some instances, port translation may not function properly for certain ports.
Resetting the base configuration before you run the Setup utility causes fatal errors at the Configure Interfaces step (CR22331)
When you reset the base configuration (with the command, bigpipe base reset), and then run the Setup utility (by typing setup), the controller experiences fatal errors when you get to the Configure Interfaces step in the utility. To avoid the errors, do not reset the base configuration before you run the Setup utility.
Node state changes in the bigip.conf file (CR22345)
If you use either the Configuration utility or the command line interface to configure a node to a force down state, this information may not be saved to the bigip.conf file.
SSL proxy redirect rewriting (CR22379)
HTTP requests with a body but no content-length generate the following spurious log message: parse error: ran out on spaces. These log messages are benign warnings and do not indicate a serious error.
FIPS hardserver (CR22389)
More than 120 concurrent connections may cause the FIPS hardserver to become unstable.
Illegal attempts statistics (CR22472)
Illegal attempts statistics do not display in the Configuration utility. Illegal attempts display correctly in the bigip log file.
VLAN group with MAC masquerading (CR22558)
When you configure a VLAN group with MAC masquerading, nodes can go down on standby.
Spikes in the system’s CPU usage (CR22561)
The Java daemon, javad, may cause the CPU usage for the 3-DNS Controller to occasionally spike to 90%. Note that the 3-DNS Controller does not currently use the javad daemon. To disable the javad daemon, review Solution 1895 (SOL1895) on the AskF5 website, http://tech.f5.com.
Cookie persistence may not work when Cookie: is missing a space after the colon (CR22651)
When the BIG-IP receives a request with the space missing from the cookie header, the cookie may be missed and persistence is broken.
snmpwalk: memberEntry (CR22671)
snmpwalk: memberEntry is not returning values for wildcard virtual servers.
Freed memory not released (CR22674)
Memory freed by a userland process is not released until the process exits.
Setup utility may fail when the system’s broadcast address is not compatible with the system’s IP address/netmask (CR22675)
When you configure the system's IP address and netmask, and you change the broadcast address so that it does not match the IP address/netmask combination, the Setup utility may experience fatal errors when you enter a default route. To avoid this error, we recommend that you accept the default broadcast address.
SNMP traffic is passing through a vlan that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled allows SNMP traffic regardless of whether you have explicitly enabled the SNMP port using the open_snmp_port global setting.
proxy_arp_exclusion (CR22695)
proxy_arp_exclusion class may not be available on all versions of the BIG-IP system.
SNMP nodesAddr (CR22704)
The SNMP nodesAddr object displays an empty string which adversely affects the ability of the plugin to recognize pool membership.
Network Failover in Active-Active Mode - Failback Delay (CR22715)
When the rebooted BIG-IP unit comes up, the single active unit delays for Common.Bigip.Failover.FailbackDelay seconds (default 60) before handing over the unit number to the recently rebooted machine. This feature is not working correctly, there is no delay at all, when using network failover.
Disabling SNMP and rebooting the controller (CR22762)
When you disable SNMP using the Configuration utility, the utility renames the SNMP configuration file, snmpd.conf, to /etc/snmpd.conf.disabled. When you reboot the controller, the bigstart script checks for the snmpd.conf file before trying to start the SNMP daemon. Because the file has been renamed, however, the bigstart script assumes that the file does not exist and generates a new snmp.conf file.
SMTP, POP3 and NNTP monitors (CR22815)
SMTP, POP3 and NNTP monitors may not use the port number supplied.
Log messages (CR22880)
You may receive confusing log messages when a node is marked down. When you disable a node from the Configuration utility a node is marked down, but an enabled message is written to /var/log/bigd.
Invalid domain names (CR22895)
The fallback host in pools does not accept domain names that begin with a digit instead of an alpha character.
VLAN mirroring (CR22976)
VLAN mirroring does not forward reset from an IDS device.
Cookie insert mode with large POSTs (CR22980)
Cookie insert mode may not function properly with large client POST requests.
proxyd (CR23019)
Under rare circumstances, the shutdown behavior of closing connections can cause proxyd to consume all CPU resources on a BIG-IP unit. This can occur when a connection has data waiting and there is no available socket, or an unexpected return code fails to notify proxyd of the closed socket.
proxyd logging (CR23063)
Currently, if proxyd exits when loading due to an incorrect key/certificate combination, it does not generate any log messages.
