Applies To:
Show Versions
BIG-IP versions 1.x - 4.x
- 4.2 PTF-10
Summary:
Contents:
Installing the PTF
Apply the PTF to the BIG-IP software, version 4.2 using the following process. The installation script saves your current configuration.
Important: If you are upgrading a BIG-IP redundant system, both units must be upgraded. We do not support running different PTF versions on the two units in a BIG-IP redundant system.
Important: If you are upgrading an IP Application Switch or a BIG-IP system that uses a CompactFlash® media drive, use the installation instructions at this link.
Note: This PTF upgrades the BIG-IP system and any additional modules you have installed, such as the 3-DNS or Link Controller modules.
- Change your directory to /var/tmp/ by typing the following command:
cd /var/tmp/ - Connect to the F5 Networks FTP site (ftp.f5.com).
- Make sure the FTP client on the BIG-IP system is in passive mode before you download the file. If you are unsure which mode the client is in, at the command line, type pass. The system indicates which mode the client is in; if it is not in passive mode, type pass again, and the client will change to passive mode.
- Download the PTF-4.2-10-BSD_OS-4.1.im file from the /crypto/bigip/ptfs/bigip42ptf10/ directory on the FTP site to the /var/tmp directory on the target BIG-IP system by typing the following command:
get /crypto/bigip/ptfs/bigip42ptf10/PTF-4.2-10-BSD_OS-4.1.im /var/tmp/PTF-4.2-10-BSD_OS-4.1.im - Install this PTF by typing the following command:
im PTF-4.2-10-BSD_OS-4.1.imThe BIG-IP system automatically reboots once it completes installation.
To upgrade an IP Application Switch or a CompactFlash® media drive, use the following process.
- Create a memory file system by typing the following command:
mount_mfs -s 200000 /mnt - Change your directory to /mnt by typing the following command:
cd /mnt - Connect to the F5 Networks FTP site (ftp.f5.com).
- Download the PTF-4.2-10-BSD_OS-4.1.im file from the /crypto/bigip/ptfs/bigip42ptf10/ directory on the FTP site to the /mnt directory on the target BIG-IP system by typing the following command:
get /crypto/bigip/ptfs/bigip42ptf10/PTF-4.2-10-BSD_OS-4.1.im /mnt/PTF-4.2-10-BSD_OS-4.1.im - Install this PTF by typing the following command:
im /mnt/PTF-4.2-10-BSD_OS-4.1.imThe BIG-IP system automatically reboots once it completes installation.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
Software enhancements and fixes
The following enhancement is included with this release
String comparisons in rules are no longer case sensitive (CR27580)
When you do string comparisons in rules, the string search is no longer case sensitive if the lowercase_uris internal is set and the rule is written with a lowercase string.
NTP version 4.1.2 (CR28474)
This version of the BIG-IP software includes the latest version of NTP, version 4.1.2.
What's fixed in this PTF
SMTP, POP3, and NNTP monitors (CR22815) (CR23568)
SMTP, POP3, and NNTP monitors now use the port number supplied.
Sending FIN Acknowledgments to client with OneConnect enabled (CR26099)
Client connections no longer hang, as OneConnectTM has been disabled for any connection which is expected to close at the end of the HTTP response.
Handling of Connection: close header from client in HTTP/1.1 (CR26110)
The connection to the server is no longer left in an idle state when the client sends a Connection: close header to the server.
tcpdump on a BIG-IP system running in ANIP mode (CR26111)
The tcpdump utility now functions correctly, no longer producing unexpected results on a BIG-IP system running in ANIP mode.
SYN flood no longer prevents some clients from connecting to SSL proxies (CR26230)
A SYN flood no longer prevents some clients from connecting to the SSL proxy.
SIP persistence and virtual servers with address translation disabled (CR26294)
SIP persistence now works correctly with virtual servers that have address translation disabled.
Upgrade installation (CR26442)
The BIG-IP software version 4.2 upgrade package no longer adds the following line to the bigip.conf file, thus, eliminating the undesired behavior caused by the line:
node * monitor use icmp.
Reading node_read_msg message (CR26613)
The BIG-IP system continues to function properly even when reading node_read_msg messages.
Link aggregation and STP (CR26923)
When the Tx or the Rx side of a fiber link goes down, the BIG-IP system no longer incorrectly reports the link as active.
RSA Blinding and software RSA private key operations, VU#997481 (CR26967)
We have turned on RSA Blinding for software RSA private key operations as noted in the Vulnerability Note VU#997481 on the CERT® Coordination Center website. This may impact SSL performance to some degree. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/997481.
The b load command and connection limits (CR27029)
The b load command no longer causes the connection count to be set to zero, so connection limits are honored.
SSL proxy virtual server configured with a last hop pool (CR27038)
We have corrected a problem that could stop traffic through an SSL proxy virtual server configured with a last hop pool.
Unsupported system_check tool (CR27052)
The system_check script is no longer running on all BIG-IP platforms. The system_check script was running on all platforms, but is supported only on IP Application Switch platforms. This script did not have any adverse effect on unsupported platforms.
Load balancing modes and honoring node connection limits (CR27125)
When using observed_member, predictive_member, predictive, or observed load balancing modes, the member and node addresses now honor node connection limits.
SSL proxy 100 Continue responses (CR27233)
The SSL proxy now correctly handles 100 Continue responses that span more then one packet. You can observe this activity only when the BIG-IP system and server have not made the three-way handshake by the time two halves of a POST are received by the BIG-IP system.
Condition in FastFlow (Fast Path) and order of T/TCP packets (CR27246)
The condition in FastFlow (Fast Path) that caused T/TCP packets to be out of order no longer exists. The T/TCP packets now arrive in proper order.
T/TCP connection closing (CR27253)
We have corrected a problem that prevented some T/TCP connections from closing correctly.
SSL proxy session IDs rejected by the server (CR27273)
If a server rejects a session ID from the SSL proxy, the proxy now discards the session ID and requests a new connection.
SSL proxy client-side connection close (CR27309)
If the server-side connection closes, the client-side connection is now closed using the correct timeout setting.
SSL proxy rewriting redirects in 302 responses (CR27436)
We have corrected a condition that may have caused the third redirect in a keep-alive session to be rewritten incorrectly.
CPU temperature readings for Application Switch platforms (CR27474)
The BIG-IP system system_check utility now reports CPU temperature readings for Application Switch platforms that support valid temperature sensing.
SSL proxy starting as a non-root user (CR27487)
We have resolved file access problems that occurred when the Configuration utility restarted the proxy process as a non-root user.
Using the Setup utility to configure the media type for an interface (CR27504)
When you use the Setup utility to configure the media type for an interface, the setting is now saved when you rerun the Setup utility.
Sending packets to default wildcard virtual servers (CR27517)
When you send a packet with a destination address of 0.0.0.0 to a default wildcard virtual server (0.0.0.0:0), the system no longer responds with unpredictable behavior.
Loading configurations with a large number of proxies (CR27557)
The BIG-IP software now supports loading configurations that have hundreds of proxies. Note that the number of keys and certificates should still remain small in order to guarantee fast load times.
F5 Networks traps configuration (CR27663)
When you are using F5 Networks SNMP traps, the BIG-IP system uses the value you configure for the agent address. In previous releases, the host name address was used for the agent address.
FIPS 140 with a very large configuration (CR27666)
If you are using FIPS 140 with a very large configuration (greater than 400 configuration items such as pools, virtual servers and monitors), you no longer experience a compatibility issue.
Loading .ucs files with NTP running (CR27763)
NTP now restarts properly when you have NTP enabled and you load the .ucs file using the Configuration utility.
Apache version 1.3.27 and mod_ssl version 2.8.14 (CR27827)
This version of the BIG-IP software includes Apache, version 1.3.27 and mod_ssl version 2.8.14.
Firewall sandwich configuration with FastFlow (Fast Path) and connection rebind enabled (CR27938)
When you enable FastFlow (Fast Path) on a virtual server with connection rebind enabled in a firewall sandwich configuration, connection rebind now rebinds correctly to a new node when the initial node is taken down.
SIP persistence with virtual servers (CR27977)
With SIP persistence configured, when the BIG-IP system sends traffic to a server, and the traffic returns from a different virtual server to be sent out again, the traffic now persists to a node on the correct server.
SIP persistence with address translation disabled (CR27978)
The BIG-IP system now handles fragmented SIP packets correctly when address translation is disabled.
ICMP host unreachable messages (CR28020)
When a node is behind a routing device that returns ICMP host unreachable messages to the BIG-IP system, it no longer causes BIG-IP system consume large amounts of the CPU.
Connection mirroring with a large number of virtual servers (CR28034)
Connection mirroring now works correctly when you have a large number of virtual servers with connection mirroring enabled.
Rules using starts_with operators (CR28128)
Rules using starts_with operators now function correctly when the http_uri is greater than 63 characters.
Cookie rewrite no longer inserts an extra CRLF for large cookies (CR28137)
When a server returns a cookie that has a large value, the BIG-IP system no longer inserts an additional CRLF when it rewrites the cookie for persistence information.
New option to save UCS files without including private keys (CR28235)
You can now save a UCS file without including private keys. To create a UCS file that does not include your private keys, use the following bigpipe command:
b config support save <filename>
Virtual server resets (CR28336)
In certain circumstances, resets (RSTs) are no longer sent out with the loopback address listed as the source address.
SSL proxy rewriting redirects in 302 responses (CR28343)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.
Process to create FIPS security world has changed (CR28355)
In this release of the BIG-IP software, the bigpipe commands sw-init and sw-rest have been replaced by the bigpipe command new-world. For information about the new-world command and FIPS configuration, see Configuring the FIPS 140 Hardware for the BIG-IP Software Version 4.2 PTF-10.
BIG-IP system reboot involving HTTP cookies (CR28363)
Certain use of HTTP cookies no longer causes the BIG-IP system to reboot.
Memory issue with SNAT (CR28390)
We fixed an issue with memory not being cleared for bigsnmp, which caused unexpected behavior with snmpd.
Load times for large configuration with many proxies (CR28452)
If you have a very large configuration with many proxies and you must reduce the configuration load time, you have the option of reducing the load time by disabling key and certificate validation. To disable key and certificate validation use the following bigpipe command:
bigpipe global sslproxy skip keycheck enable
Possible tcpdump buffer overflow with badly formed NFS packets (CR28491)
We have added a FreeBSD patch to fix a potential issue with buffer overflow that may have been triggered by badly-formed NFS packets.
Processing cookies that span a single packet (CR28955)
When the BIG-IP system connects to a virtual server with a request that contains a cookie larger than a single packet, rules now process correctly, load-balancing the connection to the proper server.
Enhancements and fixes released in prior PTFs
Version 4.2PTF09
Process additions to /etc/snmpd.conf (CR15241)
We have updated the process list in /etc/snmpd.conf by adding the following processes:
ITCMPortal
LocalLBServer
ITCMSystemServer
ITCMManagementServer
ITCMNetworkingServer
Sending a service down reset on attempted initiation (CR17555)
The BIG-IP software now sends a reset when all members are down in a pool and fallback is disabled. In previous version of the software, the packet was dropped.
Deprecated SNMP OIDs in the LOAD-BAL-SYSTEM-MIB (CR19767)
In the LOAD-BAL-SYSTEM-MIB.txt file, we marked the following OIDs as deprecated:
virtualServerSslNew
virtualServerSslHits
virtualServerSslTimouts
virtualServerSslMisses
virtualServerPersistTimeout
virtualServerPersistMask
virtualServerSticky
virtualServerStickyMask
virtualServerCookieMethod
Error message during reboot on some 5000 series (D5x) platforms (CR19813)
When you reboot, you no longer receive the benign error message wd0: lost interrupt on certain 5000 (D5x) platforms.
ntpdate functionality with a local DNS server (CR19940)
The ntpdate function now works correctly when you have a local DNS server configured.
Updated the LOAD-BAL-SYSTEM-MIB to correct certain reported errors (CR20454)
The LOAD-BAL-SYSTEM-MIB no longer returns certain errors when you check it with a MIB walking utility.
Updated the PLATFORM-MIB to correct certain reported errors (CR20462)
The PLATFORM-MIB no longer returns certain errors when you check it with a MIB walking utility.
Loading the previous configuration after upgrade (CR20616)
We have corrected a problem that could prevent the previous configuration (/config/bigip.conf) from loading automatically after the PTF upgrade is complete. After the initial reboot, the configuration is loaded and the unit is rebooted again.
Command line and Configuration utility QoS values on pools (CR21189)
You can now only enter QoS values for pools that are valid: 0 to 7.
SNMP checktrap (CR21701)
When the port for the node that is being marked up or down is any, the checktrap function now correctly identifies the state.
Failover on SSL accelerator hardware failure (CR21728)
The SSL proxy now responds correctly to the Configuration utility and command line interface configuration options for failover on SSL accelerator hardware failure.
iControl: add additional state mappings for get_[node_address]availability() (CR21772)
This release includes additional iControl state mappings for get_[node_address]availability().
Added the ITCMLocalLB.Failover.wsdl for SOAP (CR21833)
We added the ITCMLocalLB.Failover.wsdl to /usr/local/www/iControl/wsdl/.
Updated the predefined AOL Class (CR21950)
This release contains an updated version of the predefined AOL Class.
Using command to force failover in an active/standby redundant system with network failover configured (CR22013)
Previously, the system could become unstable if you issued a command to force failover in an active/standby redundant system with network failover configured. We have corrected that problem.
Windows file uploads through virtual servers and SSL accelerators (CR22043)
We corrected a problem that could cause delayed ACK packets to throttle Windows uploads to 40K per second.
Client requests to Layer 7 virtual server (CR22055)
We corrected a problem that caused connection shutdown to stall if a client sent no request to a Layer 7 virtual server and then attempted to close the connection.
The 5000 series automatic reboot (CR22117)
The 5000 series (D5x) now automatically reboots after creating a core diagnostic file.
iControl: Pool::get_persist_mode_cookie_mode (CR22126)
The iControl Pool::get_persist_mode_cookie_mode method now returns the correct result.
Loading a configuration with a large number of self IP addresses (CR22152)
You can now load configurations with a large number of self IP addresses without destabilizing named.
The VLAN group configuration and broadcast ARP replies (CR22235)
The VLAN group configuration no longer passes broadcast ARP replies.
Correct CPU count with SNMP (CR22255)
The globalAttrCPUCount, globalStatCPUCount, and platform.cpu.cpuCount SNMP OIDs now report the correct CPU count.
HTTPS monitor: reorganized the default cipher list provided to the pinger (CR22262)
We reorganized the default cipher list provided for the HTTPS monitor. This increases the chance the negotiated cipher will have a lower impact on performance.
User configured VLAN names in the VLAN fail-safe log messages (CR22290)
The VLAN fail-safe log messages now use the VLAN name you configured instead of the internal VLAN name.
bigsnmpd shut down and restart on an idle BIG-IP system (CR22325)
We reduced the impact on the CPU of bignsmpd shutting down and restarting on an idle BIG-IP system.
Resetting the base configuration before you run the Setup utility causes fatal errors at the Configure Interfaces step (CR22331)
When you reset the base configuration (with the command, bigpipe base reset), and then run the Setup utility (by typing setup), the BIG-IP system no longer experiences errors when you get to the Configure Interfaces step in the utility.
Node state changes in the bigip.conf file (CR22345)
When you set a node to a force down state, the information is now saved to the bigip.conf file whether you use either the Configuration utility or the command line interface.
FIPS hardserver (CR22389)
BIG-IP systems with FIPS cards no longer encounter errors when more than 200 concurrent connections are opened to the SSL proxy.
TCP, UCP, and IP denials (CR22472)
You can view TCP, UDP, and IP denials (if enabled through verbose log level) in the BIG-IP Log on the Logs screen.
memberEntry and wildcard virtual servers (CR22671)
The SNMP memberEntry OID now returns the values for wildcard virtual servers. To see the values for the other virtual servers in the table, use the snmpget command.
Setup utility when the system’s broadcast address is not compatible with the system’s IP address/netmask (CR22675)
When you configure the system's IP address and netmask, and you change the broadcast address so that it does not match the IP address/netmask combination, the Setup utility does not experience fatal errors when you enter a default route.
The proxy_arp_exclusion class (CR22695)
The proxy_arp_exclusion class is now available on all versions of the BIG-IP system.
SNMP nodesAddr (CR22704)
The SNMP nodesAddr object no longer adversely affects the ability of the RLX plugin to recognize pool membership.
Serial Number from License file on the Properties Page (CR22833)
The product serial number now appears in the correct format on the Properties Page.
Logging a node forced down (CR22850)
When you force a node down, an event is logged. When no monitor is associated with a node or node address that you force down, the message added to the log file when the node is marked up is Reverts to Unchecked.
Disabled nodes and erroneous log messages (CR22880)
When you disable a connection on the Node Properties screen in the Configuration utility, and sessions are still enabled, the process no longer writes the following messages to the /var/log/bigd file:
kernel: Node <ip:port> Enabled
kernel: Node <ip:port> Enabled
Invalid domain names (CR22895)
The fallback host in pools now accepts domain names that begin with a digit; for example, abc.123.net.
Condition in ANIP mode could destabilize the controller (CR22945)
We have corrected a condition in ANIP mode that could destabilize the controller.
SNMP: the sysObjectID OID when queried returns unknown for operating system portion (CR22954)
When queried, the SNMP sysObjectID returns the string OID: enterprise.ucdavis.ucdSnmpAgent.bigip.
corba server messages before syncing disks during normal reboot (CR22955)
You no longer see the following error messages when you reboot the system:
pid 274 (LocalLBServer), uid 0: exited on signal 6
pid 287 (ITCMSystemServer), uid 0: exited on signal 6
pid 297 (ITCMNetworkingSe), uid 0: exited on signal 6
Path MTU discovery through a SNAT automap (CR23017)
Path MTU discovery now works correctly through a SNAT automap.
SNMP: no shutdown trap message is generated on a monitoring client station (CR23037)
A shutdown trap message now generates when the snmpd shuts down.
SSL proxy logging of mismatched keys and certificates (CR23076)
If the SSL proxy exits when loading due to an incorrect key/certificate combination, a log message is generated.
Running the config command with no self IP addresses (CR23112)
You can now run the config command from the command line without having any self IP addresses configured.
SSL proxy nCipher FIPS card errors with more than 200 concurrent connections (CR23115)
BIG-IP systems with FIPS cards no longer encounter errors when more than 200 concurrent connections are opened to the proxy.
Host names not resolved by DNS during a bp load (CR23487)
Host names are now resolved properly when you use the bp load command.
Length limit for member addresses (CR23495)
The member address can now be any length to support long host names.
Changing tag on a VLAN in a SNAT automap duplicates listing (CR23505)
Changing the tag on a VLAN in a SNAT automap no longer creates a duplicate listing.
Prevent virtual address of 127.0.0.1 (CR23793)
You can no longer create a virtual address of 127.0.0.1. Creating a virtual server with this IP address could cause a conflict with the loopback device.
Modifying TCP timeout on service used by SSL proxy does not restart the SSL proxy (CR23811)
The SSL proxy is now restarted when its service timeouts change. This allows the new values to take effect for proxies.
The iControl Portal exits with SIGABRT when different credentials are passed (CR23826)
We corrected a problem that could cause the iControl Portal to exit (with SIGABRT) when different credentials were passed.
Interface down errors on failover with aggregated interfaces (CR23877)
The standby_link_down_time function now operates as expected. If one or more Intel 10/100 interfaces on the appliance is set to 100MB full duplex and you configure a standby_link_down_time, the interface is marked down (no link), for the amount of time specified as the standby_link_down_time before the link becomes active again. This link down time allows the switch connected to the BIG-IP system to update its bridging tables. Also, if the two or more interfaces are aggregated and the media is set to auto, the interfaces become active after failing over.
SNMP virtualAddressEntry table and wildcard virtual servers (CR24648)
The SNMP virtualAddressEntry table now lists virtual servers and wildcard virtual servers correctly.
GateD restarting during the configuration synchronization process (CR24805)
During the configuration synchronization process, GateD is now shut down and restarted.
MAC masquerading and VLAN failsafe on the failover interface (CR24926) (CR26002)
A unit that boots into standby mode does not send a gratuitous ARP for any self-IPs. This can be a problem when an active unit using MAC masquerading reboots into standby due to VLAN failsafe, because the "new" hardware address is not advertised to the LAN.
Broadcom chip no longer asserts on reboot if the Broadcom chip is in bad state (CR24958)
On an IP Application Switch, the BIG-IP system would assert while shutting down for a reboot command if the Broadcom chips were in a bad state. We have corrected this problem.
TCP SYN packet to self IP that matches TIME_WAIT connection is handled properly (CR24991)
If the BIG-IP system receives a TCP SYN packet for a self IP that matches an old connection that is in TIME_WAIT (same source and destination address and port), the connection is now handled properly.
Remove test NTP Mill Creek Time Server (CR24996)
We removed the Mill Creek Time Server that was included for testing purposes only.
Making configuration changes using the Configuration utility and the SSL proxy (CR25084)
When you make changes to the SSL proxy configuration using the browser-based Configuration utility, the BIG-IP system now properly restarts the SSL proxy.
Using a virtual server as a pool member (CR25116)
You can now add a virtual server as a member of a pool.
After upgrading the system, the kernel cannot find the root device (CR25142)
After you install the upgrade im package, the system kernel can now reliably find the root device.
Connection rebinding when pool members have different priorities (CR25165)
If you have a pool configured whose member nodes have different priorities, and you have enabled connection rebinding, when a node with a higher priority fails, connection rebinding now occurs as expected.
VLAN groups do not forward non-IP traffic (CR25174)
A VLAN group configuration now forwards non-IP traffic.
SSL accelerator driver outputting debug messages (CR25265)
We changed the debug level of some messages that were incorrect. This eliminates the display of debug messages.
BPDU frames through a tagged VLAN (CR25269)
Bridge protocol data unit (BPDU) frames can now pass through a tagged VLAN.
SSL proxy HTTP header insert can mistakenly assume end of header received (CR25289) (CR25170)
We have corrected a problem where, in rare circumstances, an SSL proxy performing an HTTP header insert could assume it had received the end of the header.
Provided the ability to enter a Universal Inspection Engine redirect without the %u variable (CR25359)
We provided the ability to enter a Universal Inspection Engine redirect without the %u variable
Access to the NTP documentation (CR25368)
You can now access the NTP documentation from the Welcome page of the Configuration utility.
SNMP: data from globalAttr* has been updated (CR25428)
We have updated the data for the SNMP globalAttr*. Also, we have corrected the following spelling errors:
globalAttrMaintenceMode is now globalAttrMaintenanceMode. globalAttrPersistAccrossVirtuals is now globalAttrPersistAcrossVirtuals.
Also, we have changed the globalAttrPersistTimerUsedAsLimit to use either timeout or limit rather than true or false. The default setting is timeout.
VLAN MAC can acquire local-mod bit on ACTIVE to STANDBY transition (CR25487)
When you are using MAC masquerading outside of a VLAN group, an active unit that becomes standby without rebooting switches back to the physical address. However, it also has the locally-modified bit set (bit 2 in the first octet). The locally-modified bit should normally be set only if the VLAN is part of a VLAN group.
The bigpipe pool show command and member priority (CR25518)
The bigpipe pool show command now shows the member priority.
Dual processor system without a gigabit interface (CR25532)
The BIG-IP 540 platform now supports two processors correctly even if there is no gigabit Ethernet interface installed in the platform.
SSL proxy rewriting redirects in 302 responses after the first one is received in a keep-alive stream (CR25549)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.
Persist mode none no longer persists even when a simple timeout is specified (CR25552)
The persist mode none no longer persists, even when simple timeout is set to a non-zero value.
SIP persistence: two exact sip messages establishing flows (CR25589)
SIP persistence now establishes only one flow for two exact SIP messages.
Using simple persistence as a fallback with SIP persistence (CR25590)
You can now configure a simple persistence timeout as a fallback for SIP persistence.
Connection reuse with Fast Flow (CR25594)
We have streamlined how the Fast Flow feature reuses certain connections.
Failover daemon: use the SMP kernel when dual processors detected with no GNIC (CR25693)
The SMP kernel is now used automatically in dual processor systems with no gigabit Ethernet NICs.
One SSL proxy in SMP mode with 2 processors (CR25717)
When the BIG-IP system is running in SMP mode with two processors, only one SSL proxy instance will run.
Error displayed on input of invalid format for ssl insert http header string (CR25735)
A warning error is returned by the Configuration utility if you do not use the correct name: value format when you create or add a header insert string.
bigpipe: entry of values for ip_tos (CR25742)
The bigpipe utility now returns an error if you attempt to enter an invalid ip_tos value for a pool.
The commands setup and config for the Setup utility (CR25750)
You can now start the Setup utility with the command setup or the command config.
Interrupt coalescing in the Intel wx driver (CR25824)
We have added an update from an errata for the Intel wx driver which caused an Intel gigabit network card to stop processing traffic. When the error occurred, the message "wx<n> device timeout" was logged. The fix is automatic for customers using the ANIP kernel. Please contact Support if you are running the SMP kernel on your system.
Turned system_check back on in /config/crontab (CR25826)
The system_check script now runs automatically.
Warning added when you enter a value for class greater than allowed (CR25854)
If you enter a value for class greater than should be allowed, you now see a warning message.
Virtual servers created with iControl and timeouts (CR25897)
Virtual servers created with iControl now have their timeout reset values enabled by default.
Script to setup core capture (CR25981)
We have added a new script to automate core capturing on a BIG-IP system. The script runs automatically after you install this PTF and reboot the system, if the system has a hard drive. It provides functionality to enable and disable core capture.
After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file but another unused partition is found to be, that partition is used for core capture.
You can disable this functionality with the following command:
config_savecore -disableYou can re-enable the functionality with the following command:
config_savecore -enableImportant: As long as this functionality is enabled, you will see the message savecore: no core dump during boot time.
SSL proxy 100 Continue responses (CR26035)
The SSL proxy now correctly handles 100 Continue messages.
iControl: LocalLBServer::Pool methods memory leak (CR26082)
We have corrected a problem with the LocalLBServer::Pool method that was leaking memory.
Last hop can return self UDP traffic with the wrong source address (CR26128)
We have corrected a problem that could cause the last hop to return self UDP traffic with the wrong source address.
E-Commerce Controller: SNAT statistics option (CR26175)
You can now find the SNAT Statistics option under Statistics in the navigation pane of the Configuration utility.
Late-binding state can get out of synchronization with Keep-Alives (CR26386)
We have corrected a synchronization problem between the state of a connection handled by a late-binding virtual server and the keep-alive state of the connection on the server that could cause the connection to lock up or behave unpredictably. This problem affected the cookie insert feature, the hash cookie feature, and rules. One of the ways you could observe this problem was that a new connection could be paired with an existing connection and the existing content could be sent to the client requesting the new connection.
Version 4.2PTF08
CA-2002-31, Multiple Vulnerabilities in BIND (CR25088) (CR24036)
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.
Mid-stream SSL renegotiations and SSL proxy hang (CR13168)
SSL proxy no longer hangs when it receives mid-stream SSL renegotiations.
SSL accelerator performance issues (CR21034)
SSL accelerator performance no longer drops off when you have more than 1000 concurrent connections.
The Tomcat package and the Java daemon (CR21652) (CR23023)
The Tomcat package and the Java daemon (javad) have been removed from the software. The BIG-IP system does not currently use either of these components.
Service check timing (CR21841)
Service checks of a given type are now staggered over time. Previously, service checks tended to cluster, that is, to run at the same time.
Enabling the interface card (CR22041)
The ifconfig up and bigpipe interface enable commands now properly enable the network interface.
The shutdown process and L7 virtual servers (CR22055)
The shutdown process no longer stalls if a client sends no request to a layer 7 (L7) virtual server, and just closes the connection.
SSL proxy memory leak (CR22065)
When the SSL proxy is configured to insert client certificate HTTP headers, this process no longer causes a memory leak.
Force Active/Force Standby commands and network failover (CR22093)
The force active and force standby commands now work properly with network failover.
UDP checksums and TFTP packets (CR22113)
In rare instances, the checksums for TFTP packets were incorrect. This problem has been fixed.
Mirroring SSL persistence (CR22142)
Mirroring SSL persistence no longer causes the BIG-IP system to become unstable.
The SSL proxy and client certificate format (CR22178)
When the SSL proxy inserts a client certificate into an HTTP request, the SSL proxy now appends a carriage return/line feed (CRLF) and a space to the end of each line in the client certificate.
Network virtual servers (CR22202)
Creating more than 1024 network virtual servers no longer causes the BIG-IP system to become unstable.
Short-lived rapid connections from the same source IP (CR22232)
When dealing with short-lived rapid connections from the same source IP address, the BIG-IP system no longer arbitrarily resets some packets.
Transparent VLAN groups (CR22235)
The BIG-IP system no longer passes broadcast ARP requests through transparent VLAN groups.
Creating an SSL proxy using iControl (CR22236)
After creating an SSL proxy using iControl, you no longer need to manually restart the SSL proxy in order for the newly created proxy to function properly.
SNMP ifTable (CR22257)
The SNMP ifTable now correctly lists VLANs.
Port translation (CR22320)
Port translation now functions properly for all ports.
SSL proxy redirect rewriting (CR22379)
HTTP requests with a body but no content-length no longer generate a log message.
Freed memory now released (CR22674)
Memory freed by a userland process is now released properly.
SNMP traffic no longer passing through a VLAN that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled no longer allows SNMP traffic, when you have not explicitly enabled the SNMP port using the open_snmp_port global setting.
Network failover in active-active mode and failback delay (CR22715)
When the rebooted BIG-IP unit comes up, the unit that remained active now waits for the amount of time specified by the failback delay setting before it returns connections to its peer unit.
Disabling SNMP and rebooting the controller (CR22762)
When you disable SNMP using the Configuration utility and you reboot the controller, the bigstart script no longer generates a new snmp.conf file.
VLAN mirroring (CR22976)
VLAN mirroring now forwards resets from IDS (intrusion detection system) devices.
Cookie insert mode with large POSTs (CR22980)
Cookie insert mode now functions properly with large client POST requests.
CPU resources and the SSL proxy (CR23019)
The shutdown behavior of closing connections no longer causes the SSL proxy to consume all CPU resources on a BIG-IP unit.
Server-SSL proxy and flushing data to clients (CR23101)
An SSL proxy configured with server-side SSL enabled no longer delays flushing all data received until the server-side connection is closed.
VLAN groups and ARP requests (CR23237)
When the BIG-IP system is configured with a VLAN group, and the FDB is full (512 MAC addresses on a VLAN), the BIG-IP system now sends an ARP reply to all the interfaces including the interface that it received the ARP request on.
SSL Proxy and large requests (CR23434)
When the SSL proxy is handling many large requests, the client connection no longer hangs.
Setting pool member priorities to zero (CR23464)
You can now set the priority for a pool member to zero.
VLAN groups, MAC masquerading, and redundant systems (CR23593)
When you have a VLAN group and are using MAC masquerading, the nodes on the standby unit no longer are marked down because the standby unit does not receive ARP replies.
Cookie persistence header formatting (CR23596)
When the cookie persistence header is missing a space after the colon (Cookie:), the BIG-IP system no longer drops the packet.
Cookie persist mode, small packets, and the no_http_one_connect variable (CR23612)
When you are using cookie persist mode, and the no_http_one_connect variable is set to yes, the BIG-IP system no longer splits the request when the response fits within one packet.
Windows Terminal Server persistence (CR23628)
Persistence to servers running the Windows Terminal Service no longer fails.
Visibility of loopback traffic (CR237754)
When a proxy is defined for a virtual server that points to a virtual server on the loopback network, and IP forwarding is enabled, you can no longer see loopback traffic on the wire from a BIG-IP system.
STP configuration (CR23822)
A Spanning Tree Protocol (STP) configuration is no longer deleted when the same STP domain is configured on both units.
The self_conn_timeout variable (CR24025)
The bigpipe save command now saves any non-default value assigned to the global variable self_conn_timeout.
SIP Call-ID persistence (CR24236)
The BIG-IP system no longer issues a panic when you define the Session Initiation Protocol (SIP) Call-ID persistence simple_timeout value.
Restarting the ntpd daemon (CR24260)
The ntpd daemon now starts after you run the bigpipe config sync command.
Rule operators and classes (CR24283)
Using an operator and specifying a class within a rule no longer causes the BIG-IP system to issue a panic.
Stateless traffic handling (CR24614)
The BIG-IP system now correctly handles stateless traffic.
Version of ntpd daemon (CR24620)
The BIG-IP system now includes the correct version of the ntpd daemon.
SOAP portal and incorrect schema type (CR24658)
With respect to the Easysoap toolkit, the SOAP portal no longer returns an empty scheme type for empty arrays.
Apache Tomcat vulnerability (CR24691)
Javascript can no longer be maliciously embedded into a .JSP file request and subsequently inserted into an error message.
Dual processor system without a gigabit interface (CR24758)
The BIG-IP 540 platform now supports two processors correctly if there is no gigabit Ethernet interface installed in the platform.
Cookie hash persistence mode (CR24853)
When the cookie hash persistence mode cannot find a string match, the BIG-IP system now uses the fallback load balancing mode, rather than continuing to perform the hash.
bigipprovider.cgi application and SEE-IT (CR24859)
When the BIG-IP system is configured for non-reachable DNS server, the bigipprovider.cgi application now returns results in a timely manner.
Forwarding zero-length IP/UDP packets (CR24929)
If IP forwarding or forwarding for a VLAN group is enabled, the BIG-IP system no longer issues a panic when a UDP packet contains no data.
Switch platforms and STP (CR24992)
Using the halt command to halt the system with Spanning Tree Protocol (STP) enabled and participating in a STP domain no longer creates a bridge loop on the switch platform.
Appearance of memory leak (CR25007)
A memory leak no longer appears when the big3d utility probes a large number of hosts.
The SSL proxy (CR25014)
When processing data from the loopback interface, the SSL proxy now parses data correctly, and returns complete acknowledgements to the client.
Root servers list for BIND (CR25063)
The root servers list file for BIND, root.hints, has been updated to include the most current list of root servers.
False-positive alarms (CR25159)
The config/crontab program no longer issues false-positive alarms.
ldconfig warning message (CR25297)
A ldconfig warning message no longer appears when running the Setup utility for the first time or after configuring DNS.
Version 4.2PTF07
BSDI security vulnerability (CR16430)
A potential denial of service vulnerability in the C library (libc) of BSDI has been addressed. For information about the vulnerability, see Vulnerability Note VU#808552, Multiple ftpd implementations contain buffer overflows, which is available on the CERT website at http://www.cert.org.
Mirroring connections (CR22064)
The standby unit no longer reports a lower number of connections than the active unit.
Deleting action commands and files from the /tmp directory on the local system (CR22109)
There is a new cron job that deletes files and action commands that are older than one day from the /tmp directory.
syslog (CR22192)
syslogd is now more tolerant of network errors, and now functions correctly after reboot.
No-handler denials (CR22206)
The BIG-IP system no longer sends resets (RSTs) on no-handler denials.
ICMP traffic through VLAN groups (CR22207)
When a SNAT is configured through two VLAN groups, ICMP traffic is now handled correctly in all cases.
Resets due to no handler and VIP initiation failures (CR22213)
Resets (RSTs) due to no handler and VIP initiation failures are now auto-lasthopped.
VU#803539 (CR22222)
Vulnerability #803539, DNS stub resolvers vulnerable to buffer overflow, has been addressed. For more information on this vulnerability see http://www.kb.cert.org/vuls/id/803539.
b load with VLAN groups (CR22224)
The b load command no longer fails intermittently with VLAN groups.
CERT Advisory CA-2002-18, OpenSSH Vulnerabilities in Challenge Response Handling (CR22227)
The OpenSSH software running on the BIG-IP system has been upgraded to version 3.4p1 to address the security vulnerability that is outlined in CERT Advisory CA-2002-18.
SSL proxy with large POSTs (CR22424)
The SSL proxy no longer prematurely closes client connections on large POSTs.
STP (CR22531)
In an active-standby configuration, when you configure more then nine interfaces in an STP domain and the active unit is rebooted, the standby (rebooted) unit is now able to acquire a root bridge.
VLAN failsafe rebooting (CR22579)
You can now configure the BIG-IP system to prevent the standby unit from VLAN failsafe rebooting. Use the bigpipe command b internal set standby_failsafe_reboot = 0 to disable VLAN failsafe rebooting. The default is 1, or enabled.
IP Forwarding disabled after upgrade (CR22636)
IP Forwarding is disabled when you upgrade to BIG-IP 4.2 from 4.0 or 4.1.1
OpenSSL CERT VU#102795 VU#258555 VU#561275 VU#308891 VU#748355 (CR22727)
We have addressed the CERT release on OpenSSL: VU#102795 VU#258555 VU#561275 VU#308891 VU#748355 in this release.
Periodic scans of compact flash media (CR22780)
The BIG-IP software now performs periodic scans of compact flash media, which allows soft errors in media to be corrected.
Version 4.2PTF06
Memory exhaustion under heavy load with the large packets (CR17982)
Fixed a problem that could cause memory to be exhausted when the unit is under heavy load of large packets.
Generating keys using the Configuration utility (CR19239)
The Configuration utility now generates keys/certificates correctly for the SSL proxy.
bigpipe load verify (CR19551)
Using bigpipe verify mode no longer causes unexpected errors.
SSL proxy under heavy load (CR20276)
Running an SSL proxy under heavy load for extended periods of time no longer takes up abnormal amounts of system resources.
bigsnmpd (CR20628)
bigsnmpd no longer becomes unstable when providing data for a large number of pools with a very large number of nodes defined to each pool.
Setup utility error messages (CR20711)
After you complete the VLAN and networking sections of the Setup utility, you no longer receive harmless config error messages.
Multicast traffic and auto-lasthop (CR20822)
Auto-lasthop is now disabled for multicast traffic.
X509 Configuration (CR20947)
If the BIG-IP configuration files are not specified, the default configuration values for X509 data are now set properly.
Occasional problem with SSL Proxy when dumping stats (CR21065)
The SSL proxy no longer experiences an occasional floating-point exception error when dumping stats (sending the SSL proxy a SIGUSR1).
SSL proxy redirect (CR21154)
SSL proxy redirect now functions correctly after a 304 Not Modified Since reply from the server.
Configuration utility (CR21166)
In an active-active redundant configuration, the SSL proxy is now accessible through the web-based Configuration utility after failover.
poolMemberPriority (CR21174)
poolMemberPriority can now be set to values other than -1.
Logging for VLAN specific wildcard virtual servers (CR21204)
The correct IP address is now logged for VLAN specific wildcard virtual servers.
Idle HTTP keep-alive hash (CR21205)
BIG-IP system performance is no longer adversely affected when keep-alives are enabled and a large number of idle HTTP connections are being used.
FTP listener hash table (CR21286)
The FTP listener hash table is now VLAN-aware so that FTP connections may pass through the BIG-IP system multiple times without SNATs.
VLAN-keyed connection table (CR21288)
When you establish a connection through a virtual server referencing a forwarding pool, which travels back out through a SNAT, the VLAN-keyed connection table now resolves the connection properly.
HTTP 304 response codes (CR21308)
HTTP 304 response codes now assume an implicit content length of 0.
Connections through a forwarding virtual server (CR21310)
The reaper now resets both ends of a connection through a forwarding virtual server.
SSL proxy and pools (CR21320)
The BIG-IP software no longer allows an SSL proxy to be a member of a pool.
CALL-ID (CR21338)
Matching of the SIP Call-ID field is no longer case-sensitive.
HTTP redirects (CR21356)
HTTP redirects now function properly when a client sends an MSS of 0.
bigsnmpd (CR21369)
The bigsnmpd now sends a valid trap OID when it sends a cold start trap.
Connection rebinding (CR21403)
Connection rebinding with no available nodes no longer causes the BIG-IP system to become unstable.
HTTP header insertion (CR21435)
HTTP header insertion no longer has buffer boundary check problems.
Mirror-to ports (CR21635)
When you define a port as a mirror-to port, and then delete the mirror, the port is now restored to its previous state and passes traffic correctly.
Multicast packets (CR21665)
Internal interfaces on switch appliances are now configured for promiscuous receipt of multicast packets.
SNAT timeout (CR21671)
The SNAT timeout setting no longer affects virtual server timeout.
Large HTTP requests (CR21715)
HTTP requests greater than 2K no longer cause the BIG-IP system parser to become unstable.
Unconnected ports (CR21721)
Unconnected fast ethernet ports on a VLAN receiving broadcast frames no longer display incorrect interface statistics.
SSH daemon log messages (CR21824)
Insufficient resources on some systems no longer prevent the SSH daemon from handling early connections.
Simple persistence (CR21929)
Simple persistence is now properly disabled by default.
Header insertion (CR21953)
Header insertion now functions properly with cookie persistence when using rules.
CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability
The security vulnerability that is outlined in CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability, has been fixed.
CERT Advisory VU#797201 against tcpdump (CR22049)
We have addressed vulnerabilities detailed in the CERT advisory against tcpdump.
Version 4.2PTF05
Support for the Dell PowerEdge 2650 platform
This release includes support for the Dell PowerEdge 2650 platform.
Version 4.2PTF04
MAC addresses for VLANs on IP Application Switch (CR15611)
On the IP Application Switch, VLANs may now use the first member interface's MAC address as the MAC address for the BIG-IP system on that VLAN. This duplicates the functionality on the server appliance.
Status lights (CR18605)
In an active-active configuration, the annunciator lights now show the correct status (active or standby) on each unit.
VLAN headers for tagged interfaces (CR18623)
The BIG-IP system no longer inserts random QoS values into 802.1Q VLAN headers.
Extra characters in log file (CR18879)
When UDP port * is enabled and UDP timeout is set to 0 (zero), extra characters are no longer entered in the log file.
RADIUS_pinger (CR19271)
The RADIUS_pinger no longer intermittently marks nodes down.
Dell 2650 ESM-4 support (CR19325) (CR20100) (CR21178) (CR21179) (CR21183) (CR21208) (CR21221) (CR21222)
The BIG-IP system now supports the Dell 2650 platform.
bigip.conf file (CR19361)
A large bigip.conf file now loads more quickly when aliasing is used for node monitors.
IMAP_pinger default folder (CR20043)
If you do not specify an IMAP_pinger folder when defining a monitor based on the IMAP_monitor, the default folder "INBOX" is used.
SNMP with wildcard virtual servers (CR20125)
The snmpwalk command now returns the correct values for virtual servers when a wildcard virtual server is defined.
Support for iControl v2.1 (CR20178)
This version supports iControl v2.1.
Apache+Mod_SSL on BIG-IP has a buffer overflow (CR20196)
We have addressed security issues regarding an Apache+Mod_SSL buffer overflow. For more information see http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html.
Windows Terminal Server (WTS) persistence (CR20241)
This release includes an updated version of the BIG-IP Windows Terminal Server (WTS) persistence feature. WTS persistence provides an efficient way of load balancing traffic to and maintaining persistent connections between Windows clients and servers that are running Microsoft's Terminal Services service. When BIG-IP WTS persistence is enabled, a Windows .NET Enterprise server participating in session sharing can redirect a mis-targeted connection to the BIG-IP system virtual server, instead of to another server directly. This ability to redirect connections to the BIG-IP system allows the BIG-IP system to assume responsibility for redirecting connections to the appropriate servers when necessary. Also, when WTS persistence is enabled on a BIG-IP system and the servers in the pool participate in session sharing, the BIG-IP system load balances a Terminal Services connection according to the way the user has configured the BIG-IP system for load balancing. Thus, the use of Windows .NET Enterprise servers and session sharing, combined with the BIG-IP system WTS persistence feature, provides more sophisticated load balancing and more reliable reconnection when servers become disconnected. For more information about this feature, see the technical note Configuring BIG-IP Windows Terminal Server Persistence .
The big3d agent and TCP (CR20244)
TCP now functions properly with the big3d agent on the IP Application Switch.
Obsolete VLAN commands (CR20254)
Using obsolete VLAN commands no longer causes errors when loading.
Default TCP timeout for SNATs (CR20270)
Loading a SNAT with a default TCP timeout no longer cause errors.
Active FTP port collision resolution (CR20417)
Active FTP port collision resolution through a SNAT now functions correctly.
Unsuccessful login reporting for SSH, RSH, RCP, and FTP (CR20435)
Previously the BIG-IP system recorded unsuccessful login attempts for Telnet only. The /var/log/secure file now shows unsuccessful login attempts for SSH, RSH ,RCP, and FTP.
Setting port 0 timeout (CR20469)
You can now set the port 0 timeout without causing SNAT connections to be reaped with that timeout.
bigip.conf entries (CR20483)
Extra entries are no longer logged in the bigip.conf file.
VLAN limits (CR20486)
The maximum number of VLANs is now set correctly for the IP Application Switch.
Setup utility (CR20543)
The Setup utility no longer adds deleted ICMP monitors.
Any-IP through SNAT initiation failure (CR20559)
With any_ip_through_snat disabled, when an any-IP packet originates from a member of a SNAT, the BIG-IP system now attempts to use IP forwarding for the packet instead of rejecting it.
HTTP chunking interprets carriage-return/line-feed (CRLF) when straddling packet boundary (CR20564)
The BIG-IP system now correctly interprets carriage-return/line-feed (CRLF) when it is split across two packets.
Sequence numbers on out of order packets (CR20567)
When in layer 7 (L7) forwarding mode, the BIG-IP software now checks to make sure that packets from the server are in the correct order before adjusting the sequence numbers.
Dynamic Ratio (CR20580)
Dynamic Ratio now functions correctly.
IM now accepts the + character (CR20595)
The IM now accepts the + character in file names for configuration installation.
Late-binding connections through fast path (CR20598)
The BIG-IP system now properly closes late-binding connections that go through fast path.
Node limits (CR20661)
Node limits are now enforced even if there is a short time between connections.
SNAT automap with OneConnect (CR20710)
You can now use SNAT automap with OneConnect without slowing performance.
Display address names for long host names (CR20712)
bigpipe no longer creates errors when displaying long host names.
The SSL proxy exiting incorrectly (CR20718)
The SSL proxy no longer sets its exit code incorrectly when daemonizing.
The SSL proxy and HTTP parsing (CR20722) (CR20726)
An SSL proxy performing HTTP parsing now uses normal amounts of system resources.
TOS values on delayed binding connections (CR20733)
The BIG-IP system no longer sets illegal TOS values on delayed binding connections.
Reserved keywords list (CR20747)
The word "cache" is now one of the reserved keywords in the Configuration utility. For more information about the reserved keywords, see the list of reserved keywords.
Setup utility (CR20752)
When you re-run the Setup utility and change your original configuration, all configuration data is rewritten properly.
Class strings is 64 bytes or longer (CR20772)
bigpipe no longer creates errors when a class string is 64 bytes or longer.
Occasional hang on reboot at syncing disks (CR20778)
The BIG-IP system no longer occasionally hangs when rebooted or halted during a period of file system activity.
Java on BIG-IP (CR20797)
Running a scanner against the BIG-IP system no longer causes the Java process to reach 99% CPU utilization.
FQDN and bigpipe virtual commands (CR20859)
Specifying a fully qualified domain name (FQDN) in a bigpipe virtual command no longer causes bigpipe to become unstable.
Network with hard-wired failover (CR20864)
The active unit no longer goes into standby mode after its peer reboots.
The SSL proxy under heavy load (CR20880)
The SSL proxy and TPS connection limits now function properly under heavy connection load.
VLAN/loopback information (CR20886)
The ifTable now includes VLAN and loopback information.
SSL Persistence (CR20995)
SSL Persistence now functions correctly.
gated OSPF routing protocol (CR20997)
The gated OSPF routing protocol now works with multiple IP addresses on the same IP network.
Server-side SSL proxy (CR21029)
Server-side SSL proxy no longer attempts to resume SSL sessions to servers when cache size is set to zero.
Outbound load balancing (CR21050)
When you use the default gateway pool for outbound load balancing, outbound requests are no longer routed out of the wrong interface.
OpenSSL (CR21073)
OpenSSL now uses the correct default path for the configuration files.
Deleting routes (CR21095)
Deleting routes no longer causes the BIG-IP system to become unstable when using VLAN-keyed connections.
Wild card virtual servers on VLANs (CR21107)
Using VLAN-based wild card virtual servers no longer exhausts system resources.
Keep-alives (CR21112)
The BIG-IP system no longer assumes keep-alives are on when a client makes a POST request.
Simple persistence with default mask (CR21117)
Simple persistence with a default mask, no longer sends connections to the same node.
Nodes with connection limits (CR21133)
Nodes with connection limits specified, listed after a disabled node in the configuration file, are no longer incorrectly disabled.
Interfaces MIB (CR21137)
The interfaces MIB no longer takes up abnormal amounts of system resources.
SSL To Server has been optimized (CR21151)
Large amounts of data through a re-encrypting SSL proxy no longer cause the SSL proxy to become unstable.
Broadcom BCM570x driver (CR20990, CR21155, CR21184)
The BIG-IP system now supports the Broadcom BCM570x family of Gigabit Ethernet NICs.
Additional requests on keep-alive connections (CR21197)
When a client makes an additional HTTP request on a keepalive connection, the BIG-IP software now parses the new request to determine the HTTP version of the additional request.
Gateway failsafe (CR21198)
When you configure a node and an ICMP monitor with the same IP address as the default gateway and gateway failsafe is armed, the BIG-IP system now correctly updates both the gateway failsafe and the node status.
Error message when you reboot (CR21215)
Upon rebooting, the BIG-IP system no longer displays an error message at the login prompt.
bigsnmp utility on BIG-IP system version 4.2 with PTF02 installed (CR21254)
On a stand-alone BIG-IP version 4.2 with PTF02 installed, keeping the BIG-IP system in an idle state for long periods of time no longer causes the bigsnmp utility to become unstable.
Version 4.2PTF03
Link down on standby failover feature (CR20821)
The link-down-on-standby failover feature now works properly on the IP application Switch when auto-negotiation is disabled.
L7 with large requests (CR20875) (CR20885)
The BIG-IP system now works properly with L7 features and large requests.
Version 4.2PTF02
Shell-interpreted characters in monitors
Monitors can now pass shell-interpreted characters, such as &, <, and >, in parameters.
Port mirroring on the IP Application Switch (CR18435)
Ports not configured in a VLAN are now mirrored on the IP Application Switch.
T/TCP session pass through to L4 virtual servers (CR18792)
This version supports T/TCP session initiation to layer 4 (L4) virtual servers. If a session times out without a four-way close, it is removed from the connection table without sending a TCP reset (RST).
VLAN-keyed connections feature (CR19388)
The BIG-IP system now supports VLAN-keyed connections. VLAN-keyed connections are used when traffic for the same connection must pass through the BIG-IP system several times, on multiple pairs of VLANs (or in different VLAN groups). This feature has several applications, including but not limited to, firewall sandwiches where there is only one set of BIG-IP units and both sides of the firewall sandwich are connected to the units. The VLAN-keyed connections feature is enabled by default. To disable this feature use the following bigpipe command:
b internal set honor_vlans = 0
Sequence number tracking (CR19393)
Out of order packets sent to a delayed binding virtual server no longer cause sequence number tracking to become out of sync.
TCP 4-way close (CR19591)
TCP 4-way close is now properly detected in all cases when packets are dropped or sent out of order by an upstream device.
Resets from a virtual server to a proxy (CR19667)
A reset from a virtual server due to a denial (such as port not enabled) now has last hop routing support. This means a RST from a virtual server to a proxy will go through the proxy instead of from the external interface to the client.
iControl messages through ITCMSystemService (CR19714)
Intermittent problems using the iControl ITCMSystem interfaces no longer cause instability.
iControl (CR19809)
iControl SOAP mappings for IP address parameters are now correct.
iControl user access (CR19892)
iControl user access is now consistent for BIG-IP system CORBA and SOAP portals.
The SSL proxy: 90%+ CPU utilization (CR19896)
There are no longer issues with the SSL proxy and high CPU utilization.
Insert cookie mode (CR19930)
Insert cookie mode in certain circumstances no longer causes the BIG-IP system to become unstable.
iControl LocalLB::Pool (CR19967)
iControl LocalLB::Pool can now query the persistence table.
OneConnect state engine (CR20010)
The OneConnect state engine no longer incorrectly changes states when chunking.
Setup utility (CR20127)
The Setup utility now only writes VLANs that have associated interfaces to the bigip_base.conf file.
get_router_address (CR20137)
The iControl get_router_address command can now return all strings.
iControl SOAP interface (CR20237)
iControl can now connect to the SOAP interface on a shared address.
Sending packets on GVRP/GMRP (CR20242)
Sending GVRP/GMRP packets no longer causes a multicast storm.
iControl (CR20243)
iControl ITCMSystem::enable_ntpd and get_ntpd_status commands now use bigstart.
Fallback host names without quotes (CR20266)
bigpipe now handles fallback host names correctly in all circumstances.
Allocating strings for internal VLAN names and checkd (CR20272)
checkd no longer exhausts system resources.
iQuery over UDP (CR20287)
When you are using iQuery over UDP, messages are now routed over the correct interface and have the correct source address.
SSL-to-Server with late binding connections (CR20408)
SSL-to-Server now functions correctly with late-binding connections.
FTP port collision resolution through a SNAT (CR20417)
Active FTP port collision resolution through a SNAT now functions correctly.
VLAN groups can now be configured to bridge at L2 (CR20467)
The BIG-IP system now supports transparent L2 forwarding. For more information on configuring this feature, see Layer 2 forwarding transparency in the Optional configuration changes section of this PTF note.
The standby unit no longer attempts L2 or L3 forwarding.
L2 proxy ARP forwarding exclusion list (CR20647)
In order to prevent the active unit from forwarding ARP requests for the standby unit (or other hosts to which proxy ARP forwarding is not desired), you can now define a proxy ARP exclusion list. To configure this feature, you can define a proxy_arp_exclude class, and add any self-IPs on the standby and active units to it. The BIG-IP units do not forward ARP requests from the hosts defined in this class.
For example, to create a proxy_arp_exclude class use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }
If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. We recommend that you configure this feature if you use VLAN groups with a BIG-IP redundant systems. The reason is that both BIG-IP units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents traffic from being proxied through the active BIG-IP unit due to proxy ARP. This traffic needs to be sent directly to the destination, not proxied.
If you do not configure a proxy ARP exclusion group for systems configured with VLAN groups, you may see problems such as:
- Nodes being marked down for a period of time after a failover
- The inability to access resources through the active BIG-IP unit when there are multiple physical or logical connections to the same VLAN group (especially likely to be noticed when there are multiple connections between the active and standby BIG-IP units).
VLAN group active/standby pair (CR20648)
When a BIG-IP unit in a VLAN group switches from active to standby mode, it now drops the links on its interfaces. This is so that any connected switches will recognize that all MAC addresses received through proxy ARP are on the currently active BIG-IP unit, not on the standby. This feature can be configured with a new internal variable standby_link_down_time. This value specifies how long a unit that just went into standby mode should keep all of its links down. The value is in tenths of a second, so a value of 50 would be equivalent to 5 seconds. The default is 0, which disables the feature.
For example, to enable this feature and set the variable standby_link_down_time to 50 use following syntax:
b internal set standby_link_down_time = 50
Version 4.2PTF01
SSL proxy and improved traffic throttling (CR20229)
The SSL Proxy is now much more efficient at handling the scenario when the bandwidth between the client and the proxy is significantly less than the bandwidth from the proxy to the server. This is done by limiting the server-to-proxy bandwidth to the bandwidth of the proxy-to-client.
Akamaizer Proxy performance (CR20167)
Performance of the akamaizer proxy has been improved.
BIG-IP now sends a TCP RST when no routes are available (CR20114)
The BIG-IP system now sends a reset (RST) when auto-lasthop is enabled and no route is available. This enhances the performance of clients that do not resend TCP packets.
SSL proxy: 100% CPU utilization freezes existing connections (CR19966)
We improved the way the SSL proxy handles prematurely disconnected clients.
Broadcast pings originating from the BIG-IP (CR19901)
The BIG-IP system is not adversely affected by broadcast pings originating from itself.
Required configuration changes
List of reserved keywords
With this version of the BIG-IP software, there is a list of keywords that are reserved. You cannot use any words in the list when you create configurations from either the web-based Configuration utility or the command line. For more information about the reserved keywords, see the list of reserved keywords.
Optional configuration changes
Layer 2 forwarding transparency
In previous releases, VLAN groups have been a hybrid of layer 2 (L2) proxy ARP with layer 3 (L3) forwarding. In this release, you can configure pure L2 operation for VLAN groups. To configure this, you can set the internal variable transparent_vlangroups to one of the following three values:
0 (default) - traditional proxy ARP with L3 forwarding
1 - L2 forwarding with locally unique bit toggled in ARP response across the VLANs
2 - L2 forwarding with original MAC address of remote system preserved across VLANs
For more information on configuring this feature, see solution brief 1541 at tech.f5.com.
Wildcard forwarding virtual server
If you are currently using IP forwarding for BIG-IP version 4.0 and higher, we strongly recommend that you use a wildcard forwarding virtual server instead of, or in addition to, IP forwarding. With the additional features in BIG-IP software version 4.x, using a wildcard forwarding virtual server is faster than using IP forwarding. A wildcard forwarding virtual server also allows you to get statistics on the exact amount of traffic flowing through the system.
If you want to configure a wildcard forwarding virtual server to handle IP forwarded traffic, use the following procedure on your 4.x system. You can perform this procedure on-the-fly without causing any interruption of service.
- To set up timeouts, type the following commands:
bigpipe service 0 tcp enable
bigpipe service 0 timeout tcp 30
bigpipe service 0 udp enable
bigpipe service 0 timeout udp 30 - Set up a wildcard forwarding virtual server by typing the following command:
bigpipe virtual 0.0.0.0:0 forward - If you want to allow protocols other than TCP and UDP through the forwarding virtual server, use the following command. The default timeout is 15 seconds.
bigpipe virtual 0.0.0.0 any_ip enable - If you want to change the default timeout for this setting, use this syntax:
bigpipe virtual 0.0.0.0 any_ip timeout <seconds>
For example, if you want to change the default timeout to 5 seconds, type this command:
bigpipe virtual 0.0.0.0 any_ip timeout 5 - To save your new configuration, type:
bigpipe save
For more information on wildcard forwarding virtual servers, see the BIG-IP Solutions Guide.
Changing the default log levels for the web server
When you install this PTF, the IM package overwrites the web server configuration file httpd.conf. The web server log level and SSL web server log level are reset to new default settings. The web server log level controls how much information about general web requests is logged. The SSL log level (ssl_log_level) applies only to SSL-enabled web servers, and controls how much information about SSL transactions is logged. The default log level for the web server is set to emerg. The default SSL log level is set to none. If you want to change these default log levels, you can use the command line interface to manually configure this setting. For a list of valid webserver log levels and SSL web server log levels, see the tables below.
Use the following set of steps to change the default log levels for the webserver.
- To manually configure the web server log level, use one or both of the following commands:
- To configure the logging level for standard messages, type:
bigpipe db set Common.Bigip.Webserver.log_level = <level> - To configure the logging level for SSL messages, type:
bigpipe db set Common.Bigip.Webserver.ssl_log_level = <level>
- To configure the logging level for standard messages, type:
- After you designate a log level, activate your changes by typing the following command:
/usr/sbin/first_time/tweak_httpd
Configure access logging for the web server using the following process:
- To enable or disable access logging, use one of the following commands:
- To enable access logging for the web server, type this command:
bigpipe db set Common.Bigip.Webserver.log_access = 1 - To disable access logging for the web server, type this command:
bigpipe db set Common.Bigip.Webserver.log_access = 0
- To enable access logging for the web server, type this command:
- Activate your changes by typing the following command:
/usr/sbin/first_time/tweak_httpd
| Level | Description | Example |
| none | No logging is written | |
| emerg | Emergencies - system is unusable | "Child cannot open lock file. Exiting" |
| alert | Action must be taken immediately | "getpwuid: couldn't determine user name from uid" |
| crit | Critical Conditions | "socket: Failed to get a socket, exiting child" |
| error | Error conditions | "Premature end of script headers" |
| warn | Warning conditions | "child process 1234 did not exit, sending another SIGHUP" |
| notice | Normal but significant condition | "httpd: caught SIGBUS, attempting to dump core in ..." |
| info | Informational | "Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..." |
| debug | Debug-level messages | "Opening config file ..." |
The following table contains a list of valid log levels for SSL messages.
| Level | Description | |
| none | No dedicated SSL logging is written, but messages of level error are written to the general Apache error log file. | |
| error | Logs messages of the error type only that is, messages that show fatal situations (processing is usually stopped). | |
| warn | Logs warning messages, which show non-fatal problems (processing is usually continued). | |
| info | Logs informational messages, which show major processing steps. | |
| trace | Logs trace messages, messages which show minor processing steps. | |
| debug | Logs debugging messages, which show development and low-level I/O information. |
Known issues
The following items are known issues in the current release.
Host names and SNMP trapsink messages (CR19769)
The host name provided in the SNMP trap messages may contain the host name of the system, rather than the host name that is routable in DNS.
Setting active-active mode using the web-based Configuration utility (CR19794)
With network failover enabled, you cannot use the Configuration utility to configure active-active mode. When you have network failover enabled, use the command line interface to set active-active mode.
Memory exhaustion side-effects (CR20496)
In certain circumstances, the SSL proxy and other userland processes may not respond when memory is exhausted.
Update snmptrap configuration file (CR21363)
When upgrading a previously upgraded 4.1.1 system, the /etc/snmptrap.conf file is not updated properly, which may cause some SNMP traps to fail. The /etc/snmptrap.conf.example file contains a listing of trap messages that are available.
Define nodes and VLANs before you start GateD (CR22007)
You should define nodes and VLANs before you start GateD. If you do not, GateD will become unstable.
Failover when the nCipher card fails (CR22172)
The BIG-IP system does not currently support failover if the nCipher card fails.
Error messages for the SSL proxy and NameSurfer in the BIG-IP log (CR22195)
When you reboot or run config from the command line, the BIG-IP log file may report that the SSL proxy and the NameSurfer® application exited abnormally. These log messages are benign warnings and do not indicate a serious error.
VLAN group with MAC masquerading (CR22558)
When you configure a VLAN group with MAC masquerading, nodes can go down on standby.
Cookie persistence may not work when Cookie: is missing a space after the colon (CR22651)
When the BIG-IP system receives a request with the space missing after the colon in the cookie header (Cookie:), the cookie may be missed and persistence is broken.
Setting the date (time) manually on a BIG-IP system (CR22684)
If you are running ntp, you should not have to adjust the time manually. However, if you have a situation where the clock on the BIG-IP system is more than a 1000 seconds off, you need to adjust the time manually. We recommend that you only change the date manually when the system is in standby mode.
Default route missing after gated fails while you are creating node pools (CR23668)
In certain rare cases, the default route may be removed if you create a node pool at the same time gated fails. If this happens, run the Setup utility and add the default route back to the configuration. You can run the Setup utility from the command line by typing setup. You can access the Web-based Setup utility from the welcome page of the Web-based Configuration utility.
bigpipe does not recognize host names which start with a digit (CR24132)
The bigpipe command line utility does not recognize host names that start with a digit. For example, the following command produces a syntax error:
b virtual 411.com:80 use pool pool-2
Changing IP addresses on VLANs does not change the administration web server settings (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.
Spanning Tree Protocol (STP) does not work properly if the BIG-IP Application Switch is the only active STP in the network (CR25128)
If the BIG-IP Application Switch is the only STP-enabled entity in the network, parallel ports go to a forwarding state because the switch ignores its returning BPDU frames. This leaves the network open to bridge loops. To avoid this situation, we recommend that you disable STP if you have only one BIG-IP Application Switch in your network.
Large client requests, cookie persistence, and proxy performance (CR25195)
When you have cookie persistence enabled, and the BIG-IP system receives a large request from a client, such as a POST request with a lot of data, the proxy performance degrades and the proxy may truncate the packet.
Certain SNMP OIDs are only supported by switch platforms (CR25458)
The SNMP OIDs dot1*, dot3*, and limited rmon OIDs are only supported by switch platforms. These platforms include the 1000, 2000, and 5000 series.
VLAN that has mac_masq enabled sends gratuitous ARPs for self IP addresses when properties change (CR25569)
When you make a change to a VLAN that has mac_masq enabled, all self IP addresses on the BIG-IP system send gratuitous ARPs.
The "w" command reports wrong time since login (CR25672)
The w command reports the incorrect amount of time that a user has been logged in.
Benign messages to STDOUT during upgrade (CR25682, CR26345)
It is normal to see the following benign messages during the installation of the PTF:
Extracting manifest: /PTF-4.2-10-BSD_OS-4.1.im
Installing new version of IM
Restarting install of package with new IM
Extracting manifest: /PTF-4.2-10-BSD_OS-4.1.im
Saving configuration to UCS file: /usr/local/ucs/backup_upgrade.ucs
Saving active configuration...
Creating UCS for config save request...
shutdown inetd: not running
cat: /usr/local/namesurfer/run/ns.pid: No such file or directory
cat: /usr/local/namesurfer/run/webui.pid: No such file or directory
usage: kill [-s signal_name] pid ...
kill -l [exit_status]
kill -signal_name pid ...
kill -signal_number pid ...
bigstart: namesurfer exited abnormally, status = 1
shutdown sod-3dnsd: not running
shutdown gated: not running
Installing files.
Forwarding pool causes annunciator LED to flash yellow (CR25939)
If you configure a forwarding pool on any platform, the yellow alarm LED will flash yellow indicating a pool with zero active nodes. In this case, the yellow alarm LED is benign.
Configuring MAC Masquerading on the VLAN handling network failover (CR26100)
We recommend that you do not configure MAC Masquerading on a VLAN configured for network failover. Create a separate VLAN for network failover that is not configured for MAC Masquerading.
Using the address 127.0.0.x as a member in a pool (CR26174)
We recommend that you do not use the address 127.0.0.x (where x is the host number) as a member in a pool. Creating a member in this IP range can cause a conflict with the loopback device.
SSL proxy and error log messages when CRLs are out of date (CR26241)
The SSL proxy is not logging an error message when a Certificate Revocation List (CRL) is out of date.
Config sync from two simultaneous sessions of the bigpipe utility (CR26314)
Running the config sync command simultaneously from two bigpipe sessions accessing the same controller can destabilize the BIG-IP system.
File left behind in /var/tmp after upgrade (CR26394)
There is one file left behind in /var/tmp after upgrading. You can safely remove this file. The file is:
update_libc4.tgz
Hardserver opens listening socket on TCP port 9004 (CR26798)
When the proxy hardserver on a FIPS-equipped BIG-IP system spins, it opens a listening socket on TCP port 9004 to communicate with proxyd. This listening socket opens up on all interfaces and VLANs. In this type of configuration, a normal TCP socket connect may cause the hardserver process to stop. Also, when running the NESSUS scanner, under certain circumstances this may cause the hardserver to fail. If you have this type of configuration, we recommend that you enable port lockdown to avoid this issue.
Incorrect NAT configuration message in the BIG-IP system log (CR26985)
When you have NATs configured and you perform a bigpipe load, for each NAT defined you may see the following messages in the BIG-IP system log:
The NAT specified is not defined.
NAT 10.10.10.1 to 192.168.102.1 **defined**
You can disregard the NAT specified is not defined. message, it is incorrect and has no effect on the NAT configuration.
Redirects using %u insert entire URL instead of URI (CR27228)
Redirects using %u may insert the entire URL instead of the URI.
Setting the open_telnet_port default value (CR27330)
If you have a redundant configuration and you disable open_telnet_port on the active unit before you synchronize the configuration, the configuration file leaves open_telnet_port at its last state (enabled) rather then disabling it. After you load this type of configuration, we recommend that you check the state of the open_telnet_port setting.
Issuing a bigpipe config load command from the Configuration utility (CR27423)
If you load a .ucs file from the Configuration utility using the bigpipe command page, the following daemons are not restarted properly: ntpd, httpd, snmpd, and NameSurfer®.
Adding virtual servers in the Configuration utility with Any IP Traffic enabled (CR27842)
When you use the Configuration utility to add a virtual server and you enable Any IP Traffic, each time you then add another virtual server on the same virtual address/net address, Any IP Traffic is disabled. To work around this issue, go to the Virtual Address Properties screen, and enable Any IP Traffic for the new virtual server.
Setup utility settings (CR27866)
When you run the Setup utility for the first time, most of the configuration options are not saved until you elect to save your changes at the end of the configuration process. The following three Setup utility options, however, are saved as soon as you configure the settings: the option where you accept the EULA, the option where you select whether the BIG-IP system is a redundant configuration, and the option where you select whether the product is activated.
Deleting a virtual server from same IP address as SSL Proxy (CR27914)
The SSL proxy may stop responding to ARPs if you delete a virtual server that resides on the same IP address as the proxy.
Disabling SNMP traps (CR28045)
If you disable SNMP traps, the following incorrect error message is logged in the /var/log/snmpd.log file:
/etc/snmpd.conf: line 23: Error: authtrapenable must be 1 or 2
This error message has no effect on the SNMP configuration.
Persistence entries are deleted once all connection limits have been reached (CR28061)
When you have enabled simple persistence for a pool and all of the members of that pool have connection limits associated with them, persistence entries are deleted, once all connection limits have been reached.
Duplicate IP address issues on redundant pairs with floating self-IP addresses (CR28123)
If you have a pair of units in a BIG-IP redundant system, you may experience duplicate IP addresses on the active unit when you perform a config sync under the following conditions:
- You configure a floating self-IP address on an IP network where non-floating self-IP addresses have not yet been configured.
- You configure a monitor for a node on this new IP network.
Global SNAT timeout setting with a wildcard virtual server (CR28149)
If you have configured a wildcard virtual server and a global SNAT timeout setting, the reaper intermittently honors the SNAT timeout setting.
Self-IP addresses with 135 as the first octet (CR28309)
If you add a self-IP address with the number 135 as the first octet, duplicate VLANs display incorrectly when you type the bigpipe command vlan show. This has no effect on the actual VLAN configuration.
PXE installation (CR28313)
In rare instances, using a network computer to perform PXE installations of BIG-IP software causes corruption on the network computer hard drive. If you are using a network computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you back up any important data stored on the network computer hard drive.
NTP (CR28332)
Occasionally an invalid floating point value (NaN) is placed into the ntp.drift file, causing ntpd to shut down.
Using the hardware platform's external alarm indicator light to track the status of nodes (CR28399)
If you are using the hardware platform's external alarm indicator light to track the status of nodes, when a node goes down, the alarm light illuminates as it should; however, a few seconds later, the alarm light incorrectly goes out even though the status of the downed node has not changed.
Platforms with SCSI hard drive interfaces may display error messages (CR28423)
Platforms with SCSI hard drive interfaces may display the following benign error message:
Serious error, trying to continue: Operating system call failed: open reply channel special file /dev/sg1, Device not configured
This error message is incorrect and has no effect on the functionality of the BIG-IP system.
bigtop utility delay setting (CR28434)
The bigtop utility accepts values less than -1 second for the delay option, which causes the bigtop utility to refresh the screen as fast as possible. We recommend that you configure this option with a value of 1 second or longer.
Creating new security world on system with existing security world (CR28445)
Due to a limitation with the new-world command, you may experience a problem while recreating or overwriting a security world system. To work around this limitation, complete the following steps:
- Remove or rename the directory /config/bigconfig/ssl.nfast/local.
# rm -rf /config/bigconfig/ssl.nfast/local - Recreate the directory /config/bigconfig/ssl.nfast/local.
# mkdir /config/bigconfig/ssl.nfast/local - Restart the computer.
- Create a new security world.
Configuration utility VLAN interfaces display issue (CR28478)
If you use the Configuration utility to re-arrange the interfaces on VLANs you may experience a display issue with certain browsers. If you add or remove interfaces from a VLAN and click Apply, the Current Interfaces box may not be resized properly.
Proxy connection limits (CR28499)
When you set the connection limit for proxyd, and the proxy connection limit is reached, the proxy incorrectly continues to accept new connections. Once the connection limit is reached, the proxy should stop accepting new connections. Connections do not successfully complete until the number of connections drops below the configured connection limit.
SIP persistence and out-of-order UDP fragments from Linux systems (CR28608)
If you have SIP persistence configured, the BIG-IP system does not handle out-of-order UDP fragments from Linux systems correctly.
Configuring SIP persistence (CR28627)
If you use the command line utility to configure SIP persistence, you may receive a syntax error. We recommend that you instead use the Configuration utility to configure SIP persistence. Note: when you use the Configuration utility to configure SIP persistence, you must enter a valid timeout entry. Invalid timeout entries may cause the BIG-IP system to use an incorrect timeout value.
Acknowledgement updates
This product contains software based on oprofile, which is protected under the GNU Public License.
