Release Notes : BIG-IP version 4.5.9 Release Note

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.5.9
Release Notes
Software Release Date: 01/13/2004
Updated Date: 04/18/2019

Summary:

This release note documents version 4.5.9 of the BIG-IP software. You can apply the software upgrade to version 4.5 and later. For information about installing the software, please refer to the instructions below.

F5 now offers both maintenance-only and new feature releases. Version 4.5.9 is a maintenance-only release which includes security updates and enhancements that stabilize the version 4.5 software, but it contains no major new features. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.

Version 4.5.9 is a release that addresses an error in the 4.5 PTF-08 code.

Minimum system requirements

The minimum system requirements for this release are:

  • Intel® Pentium® III 550MHz processor
  • 256MB disk drive or CompactFlash® card (if you have the 3-DNS module, you need a 512MB disk drive or CompactFlash® card)
  • 256MB RAM
  • Supported browsers: Microsoft® Internet Explorer 5.0, 5.5, and 6.0; Netscape® Navigator 4.7x

Note: The IM package for this PTF is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this PTF.

Supported platforms

This release supports the following platforms:

  • F35
  • D25
  • D30
  • D35 (BIG-IP 520 and 540)
  • D39 (BIG-IP 1000)
  • D44 (BIG-IP 2400)
  • D45 (BIG-IP 2000)
  • D50 (BIG-IP 5000)
  • D51 (BIG-IP 5100 and 5110)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Installing the software

Important:  If you are upgrading a BIG-IP redundant system, you must upgrade both units. We do not support running different versions on a BIG-IP redundant system.

Important:  Before you run the Configuration utility to configure the unit, you must complete the authorization and licensing process. (For details, see the Activating the license  section of the BIG-IP version 4.5 Release Note.) If you do not obtain a license before you run the Configuration utility, the system may behave in an unexpected manner.

Important:  If you are upgrading an IP Application Switch or a BIG-IP system that uses a CompactFlash® media drive, use the installation instructions here.

Important:  When you upgrade a BIG-IP system with a large configuration and a large number of proxies (100+), the message Completing Upgrade... displays after the initial reboot has completed. Please note that this message may display for some time while the upgrade script validates your configuration.

Note:  In rare instances, using a network computer to perform PXE installations of BIG-IP software causes corruption on the network computer hard drive. If you are using a network computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you back up any important data stored on the network computer hard drive.

The following instructions explain how to install the BIG-IP software, version 4.5.9 onto existing systems running version 4.5 and later. The install script saves your current configuration.

  1. Go to the Downloads site and locate the BIG-IP 4.5.9 upgrade file, BIGIP_4.5.9_Upgrade.im.

     

  2. Download the software image file.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  3. If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.

     

  4. Install this PTF by typing the following command:
    im BIGIP_4.5.9_Upgrade.im

    The BIG-IP system automatically reboots once it completes installation.


To upgrade an IP Application Switch or a CompactFlash® media drive, use the following process.

  1. Create a memory file system by typing the following command:

    mount_mfs -s 200000 /mnt

  2. Go to the Downloads site and locate the BIG-IP 4.5.9 upgrade file, BIGIP_4.5.9_Upgrade.im.

     

  3. Download the software image file.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  4. If you downloaded the image file to a directory other than /mnt, copy the image file to the /mnt directory on your BIG-IP system.

     

  5. Install this PTF by typing the following command:
    im /mnt/BIGIP_4.5.9_Upgrade.im

    The BIG-IP system automatically reboots once it completes installation.

Note:  This procedure provides over 90MB of temporary space on /mnt.  The partition and the im package file are deleted upon rebooting.


New features and fixes in this PTF

This PTF includes the following new features and fixes.

OneConnect issue in BIG-IP version 4.5 PTF-08 causes random sessions to time out  (CR30588)
We have discovered a serious issue in BIG-IP version 4.5 PTF-08 that causes HTTP POST timeouts when delayed binding is configured. This issue may also prevent web pages from loading or displaying correctly. We have corrected this issue in this release.

BIND Vulnerability VU#734644, ISC BIND 8 vulnerable to cache poisoning via negative responses (CR30822)
This PTF addresses the BIND vulnerability that is described in Vulnerability Note VU#734644 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/734644.


Features and fixes released in prior PTFs

The current PTF includes the following features and fixes released in prior PTFs, as listed below. (Prior PTFs are listed with the most recent first.)

Version 4.5 PTF-08

ipfwcisco, ipfwcircuit, and ipfwnat binary files  (CR26473) (CR29717)
The ipfwcisco, ipfwcircuit, and ipfwnat binary files and man pages have been removed from this release.

SMTP, POP3, and NNTP monitors  (CR26534)
You can now specify port numbers for the SMTP, POP3, and NNTP monitors.

Proxy configuration on a FIPS-equipped BIG-IP system (CR26799)
FIPS-equipped systems have no port listening process on TCP port 9004. Connecting to port 9004 no longer disables FIPS processing.

regkey.license synchronization (CR27020)
When you save a .ucs file on a unit in a redundant system, the save process no longer synchronizes the regkey.license file between the two units. Note that this issue affected only redundant systems.

Using the command line interface to view and configure persistence settings  (CR27042)
The bigpipe persist command is no longer valid. Depending on what you want to do, you should use either the bigpipe global persist or bigpipe pool commands instead. You can use the b global persist command to configure global persistence settings. You can use the bigpipe pool command to view persistence information for a specific pool.

New option to save UCS files without including private keys  (CR27236)
You can now save a UCS file without including the private keys stored in /config/bigconfig/ssl.key (only keys from this directory will be excluded). To create a UCS file that does not include these private keys, use the following bigpipe command:
b config support save <filename>
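
One way to confirm, before a UCS file leaves the system, that it carries no private keys (an added example, not F5 code; it assumes a UCS file is a gzip-compressed tar archive with paths relative to /, and the function names and sample contents are constructed). Because the option excludes only keys in /config/bigconfig/ssl.key, the scan also flags PEM private keys stored anywhere else in the archive.

```python
import io
import posixpath
import re
import tarfile

# Directory that the release note says the support save excludes.
EXCLUDED_KEY_DIR = "config/bigconfig/ssl.key"
# PEM armor for RSA, DSA, PKCS#8 and encrypted private keys.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def audit_ucs(fileobj, max_scan_bytes=1 << 20):
    """Return sorted (member, reason) findings for private keys in an archive.

    Assumption: the UCS file is a (optionally gzip-compressed) tar archive.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            if not member.isfile():
                continue
            # Normalise "./config/..." and "/config/..." to "config/...".
            name = posixpath.normpath(member.name).lstrip("/")
            if name.startswith(EXCLUDED_KEY_DIR + "/"):
                findings.append((name, "inside excluded key directory"))
                continue
            # Keys copied elsewhere are not excluded, so inspect content too.
            head = archive.extractfile(member).read(max_scan_bytes)
            if PEM_PRIVATE_KEY.search(head):
                findings.append(
                    (name, "PEM private key outside excluded directory"))
    return sorted(findings)


def build_sample_ucs(members):
    """Build a constructed in-memory archive that stands in for a UCS file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed sample data: not a real key, certificate or configuration.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"CONSTRUCTED-SAMPLE-NOT-A-KEY\n"
            b"-----END RSA PRIVATE KEY-----\n")
FAKE_CERT = (b"-----BEGIN CERTIFICATE-----\n"
             b"CONSTRUCTED-SAMPLE\n"
             b"-----END CERTIFICATE-----\n")

# A full save: keys in the SSL key directory plus a stray copy elsewhere.
FULL_SAVE = {
    "config/bigip.conf": b"# constructed configuration\n",
    "config/bigconfig/ssl.key/www.example.com.key": FAKE_KEY,
    "config/bigconfig/ssl.crt/www.example.com.crt": FAKE_CERT,
    "root/backup/old-site.key": FAKE_KEY,
}
# A support save: the SSL key directory is gone, the stray copy is not.
SUPPORT_SAVE = {name: data for name, data in FULL_SAVE.items()
                if not name.startswith(EXCLUDED_KEY_DIR + "/")}


if __name__ == "__main__":
    for label, sample in (("full", FULL_SAVE), ("support", SUPPORT_SAVE)):
        for name, reason in audit_ucs(build_sample_ucs(sample)):
            print(f"{label}: {name}: {reason}")
```

On a real archive, pass an open binary file handle to audit_ucs and treat any finding as a reason not to send the file until the key is removed or relocated.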

Using the Configuration utility to change the admin user password  (CR27796)
When you use the Configuration utility to change the admin user password, you now receive the following correct message:
The password has been changed.
You must close this browser session and open a new browser session to authenticate using your new password.

Previous versions of the software displayed the inaccurate message:
The password has been changed.
Your old password will expire shortly. At that point, you will be prompted to log in again with your new password.

System IP address in snmpd.conf when performing configsync  (CR27822)
When you run the configsync command, the /etc/snmpd.conf file on the target system now contains the correct IP address.

bigpipe global show system_type command  (CR27921)
The bigpipe global show system_type command now functions correctly on the D39 platform.

Firewall sandwich configuration with FastFlow (Fast Path) and connection rebind enabled  (CR27939)
In a firewall sandwich configuration connection, the connection rebind feature now functions correctly and rebinds to a new node when the initial node is taken down. This issue occurred only if FastFlow (Fast Path) was enabled on a virtual server with connection rebind enabled.

SIP persistence with address translation disabled  (CR27979)
The BIG-IP system now handles fragmented SIP packets correctly when address translation is disabled.

OCSP: Web page displayed  (CR28005)
Certain configuration error conditions, such as missing certificates in a trust chain, no longer cause revoked certificates to be granted access to the requested object.

Global health checking  (CR28014)
You can now scale health checks on the BIG-IP system. The global default setting has been changed from 512 to 2048.

ICMP destination host unreachable messages now handled properly by bigd (CR28021)
When a node is behind a routing device that returns ICMP destination host unreachable messages to the BIG-IP system in response to a service check, bigd no longer consumes large amounts of the processor.

Connection mirroring with a large number of virtual servers   (CR28033)
Connection mirroring now works correctly when you have a large number of virtual servers with connection mirroring enabled.

SNMP trap configuration settings  (CR28044)
The SNMP trap configuration settings used to map traps together now function correctly; the active and standby trap mappings are no longer reversed.

SSL proxy header  (CR28064)
The SSL proxy header eol option now terminates certificates properly.

Client CRL paths and SSL proxy  (CR28070)
The SSL proxy now works correctly when you specify a valid client CRL path for a proxy.

Failover with extremely high volumes of traffic  (CR28096)
In rare situations involving extremely high volumes of traffic, the BIG-IP system previously stopped processing traffic and displayed a system is not responding message, causing the system to fail over to the standby unit. This process works correctly in this release.

Cascading switch configuration  (CR28097)
If you have a BIG-IP 1000, 2400 or 5100 with connectivity being handled through two cascading switches, one connected to the 10/100 ports and the other to the GIG ports, a host that is connected to one of the switches and then moved to the other switch no longer loses new traffic until the l2_aging_time expires. Previously, the fdb table would contain two entries for the host, one for the port connected to the original switch and one for the port to which the second switch is connected.

Nokia SSH and SNMP traps  (CR28120)
In the case of an authentication failure, SNMP and SSH traps are now handled correctly.

Nokia NetAct NODE_DOWN traps  (CR28121)
This release handles Nokia NetAct NODE_DOWN traps correctly. When a node that is in a down state comes back up, alarms are cleared in the alarm table.

Rules using starts_with operators  (CR28129)
Rules using starts_with operators now function correctly when the http_uri is greater than 63 characters.

Cookie rewrite no longer inserts an extra CRLF for large cookies  (CR28138)
When a server returns a cookie that has a large value, the BIG-IP system no longer inserts an additional CRLF when it rewrites the cookie for persistence information.

SNAT automap  (CR28154)
SNAT automap no longer causes local ephemeral ports to cycle quickly.

SOAP::Lite Perl package added  (CR27468) (CR28174)
The SOAP::Lite Perl package has been added to this release. iControl SDK scripts that are dependent on SOAP::Lite function correctly when you upgrade to this PTF.

SSL re-encryption connections  (CR28184)
SSL re-encryption connections are now reaped properly.

nCipher FIPS software update  (CR28187)
This release includes an updated version of the nCipher FIPS software.

BIG-IP syncookies and zero window sizes  (CR28193)
Clients behind certain types of firewalls no longer reject BIG-IP system acknowledgements when a zero window is advertised.

Extremely high rates of incoming packets  (CR28200)
When the BIG-IP system is subjected to extremely high rates of incoming packets for a sustained amount of time, the BIG-IP system no longer becomes unstable.

Making changes to the proxy configuration  (CR28234)
After you make changes to the proxy configuration, you no longer need to reload the new configuration in order for the proxy to properly verify CA certificates.

SSL proxy rewriting redirects in 302 responses (CR28237)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.

Small mbufs overwritten during port translation  (CR28244) (CR29683)
In some cases, small (128-byte) message buffers (mbufs) were overwritten during port translation. This problem occurred only when small IPs were translated to large IPs over active FTP connections. This issue is corrected in this release.

New script file executed during system boot  (CR28247)
This release adds support for a startup script file that runs during system startup and to which you can add your own scripts. If you add a file named startup to the /config directory, it is run on startup following the addition of static routes.

Interrupt coalescing in the Intel wx driver (CR28334)
We have added an update from an errata for the Intel wx driver which caused an Intel gigabit network card to stop processing traffic. When the error occurred, the message "wx<n> device timeout" was logged. The fix is automatic if you are using the ANIP or SMP kernels.

Virtual server resets  (CR28337)
When you define a loopback virtual server with zero values for the middle bytes, the BIG-IP system no longer sends resets (RSTs) out with the loopback address listed as the source address.

Logging parsing errors  (CR28342)
In this version of the BIG-IP software, the proxy, by default, logs parsing errors. In previous 4.5 versions of the BIG-IP software, parsing errors were logged only when you manually started the proxy with -d 4.

Very large cookies with rules  (CR28354)
The rules for testing content at the end of cookies no longer fail when the system receives very large cookies.

VLAN bridging with non-IP traffic  (CR28356)
When you use VLAN bridging, the BIG-IP system now handles all non-IP traffic correctly.

Using the == operator in a rule  (CR28384)
The BIG-IP system is now stable when using the == operator in a rule.

BIG-IP system reboot involving HTTP cookies  (CR28385)
Certain HTTP cookie usage no longer causes the BIG-IP system to reboot.

Core capturing facilities enabled on install  (CR28396)
A script to enable core capturing is automatically run when you install this version of the BIG-IP software. If you want to disable core capture, you can use the config_savecore disable command.

checktrap.pl changes  (CR28405) (CR28455)
This version of the BIG-IP software includes a change in the behavior of the checktrap.pl utility. If the very first event is a clear, the BIG-IP system triggers a rebuild, and sends a corresponding clear trap instead of a rebuild event trap. (See the /etc/snmptrap.conf file for a list of clears.)

SSL proxy with dual processor systems in SMP mode  (CR28414)
If you have a dual CPU system using SMP mode and you configure an SSL proxy, the system no longer experiences a memory leak.

WMI monitor  (CR28424)
If WMI is not responding when queried, any information you are requesting has a value of 0. In this release, the WMI monitor now interprets the message correctly and marks the node as down.

Packet floods on the D44  (CR28425)
When it experiences a packet flood, the 3.1 port on the D44 (BIG-IP 2000) no longer floods ingress packets back to the 3.1 interface. This issue occurred only if PVA was active.

Syncookies and communication between the proxy and the virtual server  (CR28444)
If the total number of connections through a proxy exceeds the global syncookie threshold, any virtual server without a loopback address (127.0.0.0/8) cannot be accessed through the loopback. If this occurs, the BIG-IP system now sends SYN acknowledgements correctly through the loopback to the proxy, and no longer sends replies over the same interface that the client used to connect to the proxy.

iSNAT with non-local members  (CR28446)
iSNAT now works correctly when a SNAT pool and load balancing pool have members that are not on the same network.

Invalid evaluation license  (CR28448)
If you have an evaluation license for the BIG-IP software and you invalidate the license by adjusting the system time/date, you can now reset the evaluation license by obtaining a new license key from your F5 Networks Sales Representative.

System statistics reset  (CR28472)
On the System Statistics screen in the Configuration utility, when you click Reset All System Stats, the Max Connections field and the error fields are now reset correctly.

NTP version 4.1.2  (CR28475)
This version of the BIG-IP software includes the latest version of NTP, version 4.1.2.

Incorrect fan failure errors  (CR28482)
In certain cases, 4.5x versions of the BIG-IP software reported incorrect fan failure errors on some BIG-IP hardware platforms. This issue is fixed in this release.

Proxies that reference CRLs  (CR28483)
If you are upgrading to version 4.5 PTF-06 or later from a previous version of the BIG-IP software, proxies that reference CRLs now load properly.

tcpdump upgrade  (CR28492)
Versions 3.7.1 and earlier of tcpdump contain a buffer overflow that may be triggered by badly formed NFS packets. Other types of packets may also trigger the buffer overflow. We have corrected this issue in this release.

Route deletion for existing traffic  (CR28503)
Manually deleting static routes while traffic is running through the BIG-IP system no longer causes the system to become unstable.

URI expansion in a rule with HTTP/1.0 requests  (CR28523)
If you use URI expansion in a rule, when the system handles HTTP/1.0 requests it is no longer possible to have a blank URI as an outcome.

realpath(3) function contains off-by-one buffer overflow (VU#743092) (CR28546)
We have addressed the vulnerability that is outlined in VU#743092, realpath(3) function contains off-by-one buffer overflow, in this PTF. For details on the vulnerability, see http://www.cert.org.

L7 traffic and TCP half-close connections  (CR28561)
When the BIG-IP system is processing L7 traffic and a client closes a connection, if this half-close is followed by data from the server, the BIG-IP system now sends correct acknowledgment numbers back to the client.

mapclass2node rule now handles non-matches gracefully (CR28564)
The mapclass2node function now functions correctly when the first argument is another function which fails. For example, in previous releases, the following rule caused the BIG-IP system to panic when findclass did not find a member of ClassA in http_uri:
select mapclass2node(findclass(http_uri, ClassA), ClassB, " ")

UDP connections with SNAT automap enabled  (CR28574)
UDP packets are now sent through a network forwarding virtual server when SNAT automap is enabled.

HTTP virtual servers with connection mirroring enabled  (CR28607)
If you configure an HTTP virtual server and enable connection mirroring, the system no longer creates a core file when presented with large numbers of connections per second.

Intel GIG Cu network interface card driver settings  (CR28613)
If your system includes the Intel Gig Cu NIC driver, it no longer displays unsupported media type settings. Also, the auto-negotiation speed is now reported correctly.

SNMP memory handling optimization  (CR28630)
This release includes changes that optimize memory handling for SNMP.

PVA-equipped systems  (CR28990)
Implementing major configuration changes on a PVA-equipped system no longer causes packet loss.

Dell 82544EI NIC  (CR29051)
The Dell 82544EI copper gig network card is no longer incorrectly detected as 10 Mbps.

ASIC no longer reconfigured after disabling a node on a PVA-equipped system  (CR29103)
If you disable a node on a PVA-equipped system, this action no longer results in an ASIC reconfiguration.

4.2 software upgrades and the /etc/syslog.conf file  (CR29125)
If you upgrade from a 4.2 version of the software to 4.5 PTF-08, the /etc/syslog.conf file is now updated correctly.

bigpipe fo -? command  (CR29126)
The bigpipe fo -? command functions correctly in this release.

Command line certificate-generation using OpenSSL (CR29156)
Certificate generation now functions correctly when you use the OpenSSL command line.

OpenSSH contains buffer management errors (VU#333628)  (CR29208)
This PTF addresses the vulnerability that is outlined in VU#333628, OpenSSH contains buffer management errors. For details on the vulnerability, see http://www.cert.org.

SSL to server proxies loading during 4.2 upgrade  (CR29317)
SSL to server proxies now load correctly when you upgrade from BIG-IP software version 4.2 PTF-10.

Certificate Admin screen  (CR29323)
The Certificate Admin screen now displays correctly even when you have over 60 keys and certificates configured.

OneConnect with cookie insert  (CR29326)
When you have OneConnect configured, the cookie insert function now works correctly when requests contain extra CRLFs.

b node virtual and b node actual commands  (CR29460) (CR29542)
We have removed the bigpipe commands b node virtual and b node actual from this version of the software.

OpenSSL security advisory  (CR29464)
This PTF addresses the security vulnerabilities that are listed in OpenSSL® security advisory [30 September 2003], Vulnerabilities in ASN.1 parsing. This PTF upgrades the OpenSSL package to version 0.9.7c. For more information on the security advisory, see http://www.openssl.org/news/secadv_20030930.txt.

Simple persistence performance  (CR29546)
This release includes code changes that improve simple persistence performance.

302 redirects  (CR29553)
After 302 redirects that contain body entities, subsequent 302 redirects are now rewritten correctly.

Client HTTP requests resolved to nodes that are down  (CR29557)
The BIG-IP system no longer panics if a client HTTP request is resolved by a Layer 7 rule to a node that is down at the same time as the client closes the connection.

Route lookup failures  (CR29591)
Route lookup failures no longer occur when you make configuration changes or when the system is experiencing extensive memory utilization. In previous versions of the software, if the route allocation function failed to allocate a route, this issue caused the BIG-IP system to reboot and display a System is not responding message.

Loading configuration files while running server-side SSL proxy  (CR29623)
If you have a server-side SSL proxy running when you reload the configuration file, the proxy process no longer shuts down.

SNMP OID behavior  (CR30142)
An SNMP walk of the BIG-IP system MIB starting at system.sysObjectID.0 results in a response of enterprises.ucdavis.ucdSnmpAgent.bigip. This is the correct behavior. In older versions of the BIG-IP software, the OID responded with f5 Enterprise instead of ucdavis.

Version 4.5 PTF-07

The 4.5 PTF-07 release included the following features and fixes.

This PTF contains an important fix for BIG-IP Link Controller, and support for new BIG-IP Blade Controllers.

Version 4.5 PTF-06

The 4.5 PTF-06 release included the following features and fixes.

Registration key display using Netscape version 4.72 on Linux  (CR26820)
If you are using Netscape® version 4.72 with Linux® to add multiple registration keys, the License Administration screen now correctly displays the Current Registration Key list.

Load balancing modes and honoring node connection limits  (CR27124)
When using observed_member, predictive_member, predictive, or observed load balancing modes, the member and node addresses now honor node connection limits.

FIPS 140 with a very large configuration  (CR27237)
If you are using FIPS 140 with a very large configuration (greater than 400 configuration items such as pools, virtual servers and monitors), you no longer experience a compatibility issue.

UDP checksum when an incoming request has 0 UDP checksum   (CR27240)
If an incoming UDP request has an initial checksum of 0, when the request is routed back through the BIG-IP system, the UDP checksum is now calculated correctly.

Condition in FastFlow (Fast Path) and order of T/TCP packets   (CR27245)
The condition in FastFlow (Fast Path) that caused T/TCP packets to be out of order no longer exists. The T/TCP packets now arrive in proper order.

BIG-IP software now sends reset when all pool members are down with fallback disabled (CR27371)
The BIG-IP software now sends a reset when all members are down in a pool and fallback is disabled. In previous versions of the software, the packet was dropped.

Load balancing to disabled nodes  (CR27422)
Pools now select nodes even when the nodes are disabled. The pool does not select a node if the node is down.

Using the Setup utility to configure the media type for an interface  (CR27503)
When you use the Setup utility to configure the media type for an interface, the setting is now saved when you rerun the Setup utility.

Loading configurations with a large number of proxies  (CR27555)
The BIG-IP software now supports loading configurations that have hundreds of proxies. Note that the number of keys and certificates should still remain small in order to guarantee fast load times.

imid persistence with pools and rules  (CR27575) (CR27576)
Late-binding now functions correctly when you use the imid function to configure pool- and rule-based persistence.

OCSP configuration and protocol error logs  (CR27600)
OCSP configuration and protocol errors are now logged to the SSL proxy log file /var/log/proxyd. OCSP revoked certificates are also logged with warnings on (proxyd -d 2).

OCSP with SSL proxy client certificate requests  (CR27620) (CR27621)
OCSP is now supported in conjunction with the SSL proxy client certificate request feature. This allows client authorization using rules and the CertificateStatus header.

F5 Networks traps configuration  (CR27664)
When you are using F5 Networks traps, the BIG-IP system uses the value you configure for the agent address. In previous releases, the host name address was used for the agent address.

Loading .ucs files with NTP running  (CR27762)
If you have NTP enabled and you load the .ucs file using the Configuration utility, NTP now restarts properly.

FastFlow (Fast Path) with an out of order 4-way close (CR27859)
If you have FastFlow (Fast Path) configured, an out of order 4-way close no longer causes connections to close prematurely.

SIP persistence with virtual servers (CR27884)
With SIP persistence configured, when the BIG-IP system sends traffic to a server, and the traffic returns from a different virtual server to be sent out again, the traffic now persists to a node in the pool associated with the second virtual server.

Fixed string length limitations imposed by iRules relational operators (CR27906)
Rules using contains and ends_with operators now function correctly when the http_uri is greater than 64 characters.

OCSP: Web page displayed when OCSP response verify failure  (CR27974)
Certain configuration error conditions, such as missing certificates in a trust chain, no longer cause revoked certificates to be granted access to the requested object.

checktrap.pl changed in this release  (CR29613)
The checktrap.pl utility was changed in this release in order to accommodate new Nokia MIBs.

Version 4.5 PTF-05

The 4.5 PTF-05 release included the following features and fixes.

Specified gigabit duplex setting on switches with fixed duplex settings  (CR27755)
If the BIG-IP system is using gigabit interfaces and is plugged into a switch with a fixed duplex setting, you no longer need to configure the BIG-IP gigabit interface and the port on the switch to Auto before applying this PTF. The link between the BIG-IP system and the switch now functions correctly.

Version 4.5 PTF-04

The 4.5 PTF-04 release included the following features and fixes.

Because the PTF-04 release contained many new features, we have created an additional BIG-IP New Features Guide for version 4.5 PTF-04. In the following descriptions, you will find links to the New Features Guide, where we have described the features in more detail.

OCSP support
A significant feature in this release is support for the Online Certificate Status Protocol (OCSP). OCSP provides an alternative to a certificate revocation list (CRL), which is used during certificate verification to determine whether an SSL certificate presented by a client has been revoked. Because CRLs are updated only at regular intervals, the information in a CRL can sometimes be outdated at the time that it is checked. Using OCSP instead of a CRL eliminates this problem by ensuring that the revocation status of a client certificate is always current. For more information about configuring OCSP, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

The system_check script
The system_check script is useful for displaying and logging hardware failures. For more information about the system_check script, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

SYN Check
The new SYN Check™ feature mitigates a particular type of denial-of-service attack known as a SYN flood. A SYN flood is an attack against a system for the purpose of exhausting that system's resources. For more information about configuring the SYN Check feature, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

New format for the SSLClientCertSerialNumber header
We have made an enhancement to the SSL Accelerator proxy. This change to the SSLClientCertSerialNumber header gives users who write rules based on certificate serial numbers the ability to write to a consistent format, regardless of the length of the serial number. For more information about this new format, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

Script to set up core capture
We have added a new script to automate core capturing on a BIG-IP system. The script runs automatically after you install this PTF and reboot the system, if the system has a hard drive. It provides functionality to enable and disable core capture.

After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.

You can disable this functionality with the following command:
config_savecore -disable

You can re-enable the functionality with the following command:
config_savecore -enable

Important: As long as this functionality is enabled, you see the message savecore: no core dump during boot time.

SSL Proxy caches server-side SSL sessions per IP address
We have added a new global variable that provides the ability to change how the session ID is reused by server-side sessions for IP addresses. If you want the SSL proxy to attempt to reuse the same session ID no matter what the client (source) IP address is, set the global to the default setting disable. If you want the SSL proxy to reuse connection IDs this way, type the following command:
global sslproxy serverssl cache per client addr disable

When the variable is set to enable, the SSL proxy attempts to reuse a session ID only when the client (src) address is the same as it was in the original session with that ID. If you want the SSL proxy to reuse connections this way, type the following command:
global sslproxy serverssl cache per client addr enable

Performance gain in SSL processing
In previous releases, two-processor appliances had one processor dedicated to network I/O and one processor dedicated to other system processes that perform functions like handling SSL traffic. In certain cases, you can switch to SMP mode and have both processors dedicated to processing SSL traffic. You can achieve a performance gain in SSL processing by using SMP mode, but only if your configuration meets the following requirements:

  • The system is a Dual CPU platform
  • The system is for processing SSL only
  • The system is not handling significant quantities of L2 or L4 traffic
  • You want an increase in the SSL proxy performance

If your BIG-IP system is handling mixed network traffic, such as Virtual Addresses that only perform L2 traffic and Virtual Addresses that do SSL processing on the same box, you should leave the system configured the way it is; SMP mode will not help this configuration. SMP mode only helps the performance of systems that are exclusively using the BIG-IP for SSL traffic.

If you want the increased SSL proxy performance provided by the SMP mode, and are willing to sacrifice the processing of other types of network traffic, then you may want to consider switching your system to SMP mode. Type the following command to put the system in SMP mode:
b db set Local.Bigip.Boot.Kernel = SMP

After you change the kernel setting in the bigdb, type the following command to restart sod:
bigstart restart sod

After sod restarts, type the following command to reboot the system:
reboot

Type the following command if you want to switch back to ANIP mode:
b db set Local.Bigip.Boot.Kernel = ANIP

NOTE:   An alternative to putting the system in SMP mode is to create a scalable SSL configuration as described in the BIG-IP Controller Solutions Guide, Chapter 11, Configuring an SSL Accelerator.

CORBA port number in the Configuration utility (CR19780)
We removed the ability to change the CORBA port number in the Configuration utility. The CORBA IIOP port should only be set to the default setting of 683.

Raw Ethernet packets in ANIP mode (CR20274)
We have corrected the way ANIP mode handles raw Ethernet packets. Previously, raw Ethernet packets would occasionally cause a race condition.

Header insert and header erase attributes (CR21617)
There is no longer a 128 byte limitation on the header insert and header erase attributes.

Windows uploads (CR22043)
Delayed acknowledgement packets (ACKs) no longer restrict Windows uploads at 40K per second.

Using the MGMT interface on units that include the Packet Velocity ASIC (CR22599)
It is important that you use the MGMT interface (3.1) on units that include the Packet Velocity ASIC for administration only. We recommend that you do not use the MGMT interface on a VLAN you plan to use for load balancing traffic.

Connection and packet statistics (CR22709)
Connection and packet statistics now display correctly when you run the bigtop utility.

SIP persistence: two exact SIP UDP messages (CR24304)
The BIG-IP system no longer creates two connection table entries when two identical SIP UDP packets are received.

Using fallback persistence with SIP persistence (CR24306)
You can now use the simple_timeout simple persistence setting as a fallback for SIP persistence.

Using a VLAN group configuration in transparent or translucent mode (CR24409)
You can now configure the BIG-IP unit to bridge between two VLANs in either transparent or translucent mode without creating duplicate packets.

Process-checking field in snmpd.conf (CR24450)
We have corrected the process-checking field (proc) in snmpd.conf. It now puts the correct information into the ucd prTable.

Remote authentication server responses (CR24487)
If you have remote authentication configured and you mistype a password or user login, the correct remote authentication server responds.

User name in audit logs (CR24600)
The audit logs now show the correct user name when a user makes configuration changes.

SNMP virtualAddressEntry table and wildcard virtual servers (CR24647)
The SNMP virtualAddressEntry table can now handle wildcard virtual servers.

Name field on the Add VLAN Group and VLAN Group Properties page (CR24719)
The maximum number of characters for a VLAN group name is 15 characters.

Monitor name limitations (CR24864)
Monitor names typed in the Configuration utility and the command line are no longer limited to 31 characters.

Authorization: setting the user key to "user" (CR24880)
You can now set the authorization user key to user without causing a syntax error when you load the configuration.

Audit logs and resetting statistics for services (CR24923)
The audit logs now correctly show the services when you reset statistics with the command b global stats reset.

Resetting statistics for node server (CR24924)
The audit logs now display correctly when the statistics are reset for a node server.

Gratuitous ARPs with MAC masquerading and VLAN failsafe configured (CR24925)
Gratuitous ARPs are now handled correctly in an active/standby redundant scenario with MAC masquerading and VLAN failsafe configured. When the active unit detects no traffic on the VLAN, such as when the cable is unplugged, or the unit is rebooted, the other unit becomes active. When the unit that was demoted to standby reboots, it now sends a gratuitous ARP for its self IP addresses.

DELL: Large BSDi Partition and DOS in the FDISK table (CR24941)
We have corrected a problem that could have caused an error during installation on some DELL platforms.

Increased SSH DSA host key security (CR24955)
SSH key generation now uses hardware random number generators when available. This increases the security of the SSH DSA host keys and reduces the probability that the key can be guessed, or that a random key collision could occur.

Rule hierarchy modification for direct node selection and cookie insert (CR24957)
We have changed the rule hierarchy so that direct node selection occurs before cookie insert.

DELL: watchdog timeout resetting (CR24962)
We have corrected watchdog timeout reset problems with fixes from the Broadcom erratum for BCM5700 chips.

Unaccepted, timed-out connection requests (CR24984)
We have corrected a problem that could be caused if a SYN packet was sent from a client through a virtual server to a server, and the server did not answer before the connection timeout was reached. Previously, the reaper sent an RST in both directions.

TCP SYN packets received for a self IP address that matches TIME_WAIT connection (CR24993)
If a TCP SYN packet is received for a self IP address, and it matches an old connection that is in TIME_WAIT state (same source and destination address and port), the system deletes the old connection and creates a new one.

CPU statistics reported correctly in multiprocessor mode (CR25018)
When the BIG-IP system is running in multiprocessor mode, CPU usage metrics are now reported correctly when you use the top utility.

VLAN-keyed connections on the 2400 platform (CR25046)
We have corrected a problem with VLAN-keyed connections on the 2400 platform. The packet and byte statistics occasionally were not counted for pools and SNATs.

OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the correct object identifier (OID) associated with it.

SSL proxy consuming all available file descriptors (CR25081)
We have corrected a problem that caused the SSL proxy to consume all available file descriptors.

Savecore captures on large hard drives (CR25083)
The savecore program now functions correctly on large hard drives.

Server FINs from early-closed late-bound connections (CR25094)
Server FINs from early-closed late-bound connections are now returned properly to the client.

Pool::set_persist_mode() to type_expression through the iControl SDK without expression (CR25096)
You can now set Pool::set_persist_mode() to type_expression through the iControl SDK without supplying an expression, and doing so no longer causes system instability.

Error message on shutdown (CR25110)
On switch platforms, we have corrected a situation that caused an error message to display as the system shut down to reboot.

Tcpdump on the 5000 series with mirror VLAN and mirror hash enabled (CR25129)
We have corrected a problem that prevented tcpdump from showing traffic on the 5000 series with mirror VLAN and mirror hash enabled.

BIG-IP Application Switch as the only active STP in the network (CR25162)
If the BIG-IP Application Switch is the only STP-enabled entity in the network, parallel ports go to a forwarding state because the switch ignores its returning bridge protocol data unit (BPDU) frames. This leaves the network open to bridge loops. To avoid this situation, we recommend that you disable STP if you only have one BIG-IP Application Switch in your network. Use the following command to disable STP on the BIG-IP system:

b stp <stp_name> disable

VLAN groups and non-IP traffic (CR25176)
VLAN groups can now forward non-IP traffic.

Connection table entry reaping for UDP packets with node address disabled (CR25186)
We have corrected a problem where, in rare circumstances, connection table entries were not reaped for UDP packets when the node address was disabled.

FIPS: nCipher driver debug messages (CR25308)
The FIPS nCipher driver no longer outputs debug messages.

E-Commerce Controller: Adding a virtual server with a wildcard port (CR25314)
When you add a virtual server with a wildcard port, port translation is now disabled by default in both the Configuration utility and from the command line.

Connection rebinding with members that have different priorities (CR25348)
Connection rebinding with members that have different priorities now works correctly.

Default VLANs on 5100 and 5110 platforms (CR25352)
The default VLANs on the 5100 and 5110 platforms are now mapped consistently in the following manner:
VLAN admin
untagged interfaces 3.1
VLAN external
untagged interfaces 2.1
VLAN internal
untagged interfaces 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 2.2 2.3 2.4

Clean up of logs during upgrade on systems with the Packet Velocity ASIC (CR25405)
We have improved clean up of logs during the upgrade on systems with the Packet Velocity ASIC.

SNMP: data from globalAttr* (CR25429)
We have updated the data for the SNMP globalAttr*. Also, we have corrected the following spelling errors:

globalAttrMaintenceMode is now globalAttrMaintenanceMode.

globalAttrPersistAccrossVirtuals is now globalAttrPersistAcrossVirtuals.

Also, we have changed the globalAttrPersistTimerUsedAsLimit to use either timeout or limit rather than true or false. The default setting is timeout.

MAC masquerade addresses and forcing a system to standby (CR25453)
When you purposefully change the state on a BIG-IP unit in a redundant system from active to standby, the first octet of the MAC address for any self IPs that you have configured may change to 02. This happens only when your configuration meets all of the following conditions:

  • You are running BIG-IP HA software.
  • You have VLANs that are not a part of a VLAN group.
  • The self IPs for those VLANs have a MAC masquerade address configured.
  • You force the active unit in a redundant system to standby, without rebooting.

Hardware Acceleration of forwarding pools (CR25462)
The Packet Velocity ASIC now partially accelerates forwarding pools.

Statistics for interfaces that are in a VLAN but not in use (CR25470)
The bigpipe interface show command no longer incorrectly reports statistics for interfaces that are in a VLAN but not in use.

SNMP: enterprises.ucdavis.memory.* OID (CR25488)
The enterprises.ucdavis.memory.* now returns valid information.

SSL proxy bigdb keys listed in /config/default.txt (CR25502)
We have updated the SSL proxy bigdb keys listed in /config/default.txt.

The persist dump command (CR25520)
We have corrected a problem with the b persist dump command that caused the error message Name exceeds maximum length to be displayed. This message is no longer displayed.

Virtual server bound to VLAN after deletion (CR25524)
We have corrected a problem where a virtual server was bound to a VLAN that had two or more networks configured even after you attempted to delete it.

/var/log/bigd: shut down of checkd (CR25525)
When checkd shuts down, the correct message is now logged in /var/log/bigd. The message is now checkd: exiting.

Memory usage with IP rate filtering or SSL proxy re-encryption (CR25542)
We have corrected a problem where under certain memory overload conditions, using IP rate filters or SSL proxy re-encryption could cause system instability.

The bigpipe interface media show command (CR25544)
The b interface media show command now shows the media type for the specified interface.

SSL proxy rewriting redirects in 302 responses (CR25550)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.

Associating multiple monitors with the same service (CR25572)
You can now associate multiple monitors with the same service using the Configuration utility, and not receive the message Error 132 - Monitor template not found.

Connection reuse and FastFlow (Fast Path) (CR25595)
We have streamlined how the FastFlow (Fast Path) feature reuses certain connections. The connections are now handled more efficiently.

Certificate expiration dates on the Certificate List Screen (CR25610)
The certificate expiration dates on the Certificate List Screen now display the correct expiration dates.

Logging forced down to /var/log/bigd (CR25614)
When you force a node to the DOWN state using the Configuration utility, or from the command line, the forced down state is now logged in /var/log/bigd.

Redirect rewrites for HTTP/0.9 requests on the SSL proxy (CR25624)
We corrected a problem with redirect rewrites for HTTP/0.9 requests on the SSL proxy that produced the log message No space in response line.

nCipher card failure (CR25629)
The BIG-IP system now fails over to the peer unit when an nCipher card fails.

SSL proxy performing an HTTP header insert (CR25671)
We have corrected a problem where, in rare circumstances, an SSL proxy performing an HTTP header insert could assume it had received the end of the header.

Dual processors detected with no GNIC (CR25694)
The SMP kernel is now used automatically in dual processor systems with no gigabit Ethernet NICs.

New proxy ARP exclusion class (CR25801)
You can now create a proxy ARP exclusion class on the BIG-IP system, proxy_arp_exclude. Use this class to prevent the BIG-IP system from generating gratuitous ARP requests to its peer unit when you have a redundant system using VLAN Groups. To configure the proxy_arp_exclude class, in the navigation pane, click Classes, and then click the Add Class button. (For assistance with the settings, click the Help button.) You can also find information about the proxy_arp_exclude class in the BIG-IP Reference Guide, version 4.5.

Interrupt coalescing in the Intel wx driver (CR25823)
We have applied an update from an Intel wx driver erratum to correct a problem that caused an Intel gigabit network card to stop processing traffic. When the error occurred, the message "wx<n> device timeout" was logged. The fix is automatic if you are using the ANIP or SMP kernel.

IP Application Switch: IS-IS multicast packets on the ingress port (CR25935)
IP Application Switch platforms no longer re-broadcast IS-IS multicast packets on the ingress port.

Dual processor system running in ANIP mode during core dump (CR25943)
Dual processor systems running in ANIP mode can now create core files that are more useful.

Command line and Configuration utility QoS values on pools (CR25944)
You can now enter only valid QoS values for pools. The valid range is 0 to 7.

Connection reaping if the client closes the connection without sending data (CR25983)
For late-binding connections, if the client negotiates a connection without sending any request, the connection is reaped.

Swap partition size (CR26010)
We have increased the swap partition size to 2 gigabytes.

SSL proxy: 100 Continue responses (CR26034)
SSL Proxy now rewrites 302 redirects seen after a 100 Continue message (usually sent by the server after a POST operation).

Reboot of standby 2400 unit and connectivity with the active unit (CR26078)
We have corrected a problem where in certain cases, on the 2400 platform with network failover configured, rebooting the standby unit in an active/standby redundant configuration caused the active unit to lose existing connections. We recommend that if you require network failover, you configure the admin ports (port number 3.1) for failover.

Rules precedence problems (CR26097)
We have corrected a rules syntax precedence problem that could cause extra parentheses to be added to rule syntax saved in the /config/bigip.conf.

Redirect rule and extra '/' (CR26107)
We have corrected a problem that added an extra forward slash (/) to redirect rule syntax.

Forwarding pool causes annunciator LED to flash yellow (CR26116)
If you configure a forwarding pool on any platform, the alarm LED flashes yellow, indicating a pool with zero active nodes. In this case, the flashing yellow alarm LED is benign.

Connection rebinding for UDP with FastFlow (Fast Path) enabled (CR26135)
Connection rebinding now functions correctly with UDP packets when you have FastFlow (Fast Path) enabled.

Using the address 127.0.0.x as a member in a pool (CR26174)
Using the address 127.0.0.x (where x is the host number) as a member in a pool no longer causes the BIG-IP system to hang.

Handling of 'Connection: close' header from client in HTTP/1.1 (CR26177)
We have corrected how the system handles the Connection: close header from the client in HTTP/1.1.

Closing connections with One Connect enabled (CR26178)
With One Connect enabled, the FIN-ACK was not being sent through to the client. We have corrected this problem. If you see this problem, please contact support for the solution.

Failover: Synchronization of mirrored connections on a standby box (CR26197)
Mirrored connections from an active unit are now mirrored on the standby unit as soon as the standby unit is rebooted or restarted.

Packets with a TCP checksum of 0 (CR26202)
We have corrected a problem that caused packets with a TCP checksum of 0 to be transformed to a checksum of 0xFFFF by FastFlow (Fast Path).

Late-binding state out of synchronization with Keep-Alives (CR26221)
We have corrected a synchronization problem between the state of a connection handled by a late-binding virtual server and the keep-alive state of the connection on the server that could cause the connection to lock up or behave unpredictably. This problem affected the cookie insert feature, the hash cookie feature, and rules. One of the ways you could observe this problem was that a new connection could be paired with an existing connection and the existing content could be sent to the client requesting the new connection.

SSL proxy and error log messages when CRLs are out of date (CR26240)
The SSL proxy now logs an error message when a Certificate Revocation List (CRL) is out of date.

Multiple VLAN SNATs when virtual servers are fully accelerated (CR26242)
When you have multiple VLAN SNATs configured, they are now partially accelerated by the Packet Velocity™ ASIC when virtual servers are fully accelerated.

Advanced Routing Modules: OSPF module during an LSA update (CR26268)
We have corrected a problem that was destabilizing the OSPF module during LSA updates.

SIP persistence and virtual servers with address translation disabled (CR26278)
SIP persistence now works correctly with virtual servers that have address translation disabled.

The b load command and connection limits (CR26451)
The b load command no longer causes the connection count to be set to zero, which prevented connection limits from being honored.

bigpipe values allowed for ip_tos (CR26478)
The bigpipe command now limits the possible values for ip_tos to the correct value range (0 - 255).

SNMP: settings for virtualServerFailoverFlags (CR26509)
We have updated the values for virtualServerFailoverFlags. The appropriate values are nonmirroring and mirrorconnections.

Upgraded OpenSSL (CR26518)
We have upgraded OpenSSL to version 0.9.7a. This upgrade includes various security fixes and enhancements including the following:

  • Security: Important security-related bug fixes
  • Security: Support for OCSP, the Online Certificate Status Protocol
  • ENGINE: Can be built without the ENGINE framework
  • Assembler: IA32 assembler enhancements
  • Configuration: The no-err option now works properly
  • SSL/TLS: Now handles manual certificate chain building
  • SSL/TLS: Certain session ID malfunctions corrected
  • RFC Compliance: emailAddress is the new established x509 attribute for certificates

    Note:  All certificate headers that contain an e-mail field such as Issuer or Subject now have the header emailAddress= . In previous releases this header was Email=.

Port Translation default settings for the Configuration utility and command line (CR26543)
The following settings are the updated default port translation settings for both the Configuration utility and the command line:

Type of object    Port Translation
net:*             disabled
ip:*              disabled
vlan:*            disabled
*:*               disabled
ip:port           enabled
net:port          enabled
vlan:port         enabled
*:port            disabled

URI with rule redirect using port (:p) when port is 80 (CR26618)
We have corrected a problem that was adding extra characters to the end of the URI redirected using the port 80.

Advanced Routing Modules configuration files (CR26619)
The configuration files for the Advanced Routing Modules now save and load correctly when daemons are started up.

ITCM.log rotation (CR26781)
The ITCM.log is now rotated daily.

Advanced Routing Modules creating a core file (CR26783)
We have corrected a problem that was causing the Advanced Routing Modules to create a core file if the full path was not specified for the log file.

SSL proxy certificate serial number consistency (CR26800)
The SSL proxy certificate serial numbers are now listed in a consistent format.

Authorization: adminpw value (CR26824)
The adminpw setting is now saved correctly when you load a configuration using the b config load command.

bge message on reboot (CR26827)
When you reboot the 1000 and 5100 series platforms, you no longer see this unnecessary message:
bge0: bge_wait_bit_clr timeout: reg=0x468 mask=0x2

bigpipe: imid parsing (CR26875)
We have corrected a problem that prevented the imid rule syntax from being parsed correctly with or without braces.

wd0: lost interrupt message (CR26943)
You no longer see the following benign error message when you upgrade your system:
wd0: lost interrupt

RULES: Loading configuration with external classes (CR26952)
When the configuration loads, classes are now loaded before pools. This eliminates a problem with using external classes with the mapclass2node option in the pool selection.

SSL: turn on RSA Blinding for software RSA private key operations (VU#997481) (CR26966)
We have turned on RSA Blinding for software RSA private key operations as noted in the CERT vulnerability note VU#997481. This may impact SSL performance to some degree.
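What blinding changes in an RSA private-key operation, as an added Python example (not F5's or OpenSSL's code). The toy key, the sample message and the function names are constructed for illustration, and textbook unpadded RSA is used so the arithmetic stays visible.

```python
"""RSA blinding on a textbook RSA private-key operation (illustration only)."""
import math
import secrets

# Constructed toy key built from two Mersenne primes; far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def private_op_plain(c):
    """Unblinded operation: the value exponentiated with D is exactly the
    value the peer sent, so the peer controls the input whose processing
    time it can measure."""
    return pow(c, D, N)


def private_op_blinded(c, trace=None):
    """Blinded operation.

    A fresh random r is mixed into the input before the private
    exponentiation and removed afterwards:

        (c * r^E)^D  =  c^D * r^(E*D)  =  c^D * r   (mod N)

    The value exponentiated with D is therefore unpredictable to the peer,
    while the final result is unchanged. The cost is one extra modular
    exponentiation (r^E) and one modular inverse per operation.
    If `trace` is a list, the blinded input is appended to it for inspection.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2          # 2 <= r < N
        if math.gcd(r, N) == 1:                   # r must be invertible mod N
            break
    blinded = (c * pow(r, E, N)) % N              # c * r^E
    if trace is not None:
        trace.append(blinded)
    m_times_r = pow(blinded, D, N)                # c^D * r
    return (m_times_r * pow(r, -1, N)) % N        # strip r


def demo():
    """Decrypt one constructed ciphertext three times with blinding."""
    message = int.from_bytes(b"premaster", "big")  # constructed sample value
    c = pow(message, E, N)
    trace = []
    results = [private_op_blinded(c, trace) for _ in range(3)]
    return message, c, results, trace


if __name__ == "__main__":
    message, c, results, trace = demo()
    print("plain result matches message:  ", private_op_plain(c) == message)
    print("blinded results match message: ", all(m == message for m in results))
    print("ciphertext from peer:          ", hex(c))
    for blinded in trace:
        print("value actually exponentiated:  ", hex(blinded))
```

The extra exponentiation and modular inverse on every private-key operation are where the performance cost noted above comes from.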

T/TCP connection closing (CR26972)
We have corrected a problem that prevented some T/TCP connections from closing correctly.

Network virtual server loading in a particular order with others on the same subnetwork (CR26988)
We have corrected a problem that was preventing network virtual servers on the same subnetwork from working if they were not ordered in the /conf/bigip.conf file in a particular order. Now they work in any order.

SSL Proxy: handling BMP, IA5, and UTF8 certificate strings with LDAP authentication (CR27018)
The SSL proxy can now handle BMP, IA5, and UTF8 certificate strings with LDAP authentication. This increases the BIG-IP system's compatibility with Microsoft's SiteServer and Active Directory.

SSL proxy virtual server configured with a last hop pool (CR27040)
We have corrected a problem that could stop traffic through an SSL proxy virtual server configured with a last hop pool.

Transaction level on systems monitored by the iControl™ Services Manager (CR27192)
We have reduced the level of transactions generated on systems monitored by the iControl™ Services Manager.

Licensed system without EULA acceptance (CR27215)
A warning is now displayed if the system is licensed but you have not accepted the EULA.

SSL proxy: a very long URI followed by header insert and another header value (CR27218)
The SSL proxy can now handle connections in situations where there is a very long URI and an inserted header with no client headers (just a bare request).

SSL proxy: 100 Continue responses (CR27234)
The SSL proxy now correctly handles 100 Continue responses that are up to 140 bytes. You can observe this activity only when the BIG-IP system and server have not made the three-way handshake by the time two halves of a POST are received by the BIG-IP system.

SSL proxy: session IDs rejected by the server (CR27274)
The SSL proxy no longer attempts to reuse session IDs rejected by the server.

Rotation of the /var/log/cron file (CR27355)
The /var/log/cron file is now rotated daily instead of weekly.

Version 4.5 PTF-03

The 4.5 PTF-03 release included the following fix.

HTTP requests through a Layer 7 virtual server with a specific size (CR25868)
We corrected a problem in version 4.5 of the BIG-IP software that could cause the system to become unstable when HTTP requests of certain specific sizes were received through a rule using a Layer 7 variable or through a pool with a Layer 7 attribute.

Version 4.5 PTF-02

The 4.5 PTF-02 release included the following features and fixes.

Layer 7 Checksum Validation
A new global, l7_validate_checksums, is included in this release. We recommend that you do not change the value of this global variable unless you are instructed to by a support representative.

UDP checksums and TFTP packets (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.

Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.

iControl SOAP null nat_addr value for NAT::set_arp used with the iControlPortal (CR24914)
The iControlPortal no longer becomes unstable when it processes an iControl SOAP null nat_addr value for NAT::set_arp.

Zero length IP/UDP packets received by the system when forwarding is enabled (CR24931)
If you have forwarding enabled, zero length IP/UDP packets no longer destabilize the system.

Incorrect TCP checksum causing virtual server to send packets (CR24983)
Virtual servers no longer send packets when the TCP checksum is incorrect. In order to implement this fix, please contact support.

Mid-stream SSL renegotiations with the SSL proxy (CR24989)
The SSL proxy can now handle mid-stream SSL renegotiations.

SSL proxy sending ACKs to clients with late binding (CR25015)
The SSL proxy now sends acknowledgement packets (ACKs) to clients correctly when handling late binding connections.

Connection statistics when you change the configuration under load (CR25044)
On the 2400 platform, the connection statistics are now correct even if you change the configuration under load.

Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.

Dual processor system without a gigabit interface (CR25104)
The BIG-IP 540 platform now supports two processors correctly if there is no gigabit Ethernet interface installed in the platform.

Strict string evaluation for cookie hash persistence (CR25122)
Improved the cookie name lookup and hash mode for cookie hash persistence.

SSL TPS performance with increasing concurrent clients (CR25164)
Optimized the SSL transaction per second (TPS) performance when there is an increasing number of concurrent clients.

SSL proxy forwarding unparsed server response to client (CR25168)
When rewriting of redirects is enabled, the SSL proxy no longer forwards an unparsed server response to the client.

Configuring serial terminal as console (CR25183, CR25414, and CR25445)
You can now configure the serial terminal as the console on all platforms.

Deleting a SNAT and re-adding it to the configuration (CR25198)
The SNAT current connections statistics are now correct after you delete a SNAT and then add it back to the configuration.

Comparing class values (CR25236)
You can now use the contains, starts_with, and ends_with operators to compare class values.

Licensing in the web-based Configuration utility (CR25239)
Corrected a problem when licensing the standby unit through the web-based Configuration utility that could cause traffic to stop on the active unit.

Instability when using Universal Inspection Engine redirect (CR25358)
The Universal Inspection Engine redirect feature no longer causes instability in the system.

Unit ID with a SNAT translation (CR25372)
You can now include a unit number after the SNAT translation address.

Version 4.5 PTF-01

The 4.5 PTF-01 release included the following features and fixes.

Added support for the 2400 platform
This release includes enhanced support for the F5 Networks 2400 platform.

Viewing licensing error log files from the Configuration utility (CR25055)
You can now view the log files for errors that occur during the licensing process using the Configuration utility. A View Log File button appears on the licensing screen when the licensing process generates errors.

Resets (RSTs) from aging-out connections (CR22219)
Resets (RSTs) from aging-out connections no longer cause some connections to hang due to incorrect sequence numbers for the resets.

CA-2002-31, Multiple Vulnerabilities in BIND (CR25085)
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.

Optional configuration changes

Once the software is installed, you have the option of making any or all of the following configuration changes.

Changes to trap syntax
If you are upgrading to version 4.5 PTF-07 from a previous version of the BIG-IP software, the traps syntax has been changed.

The new syntax is as follows:
local0.*     /var/run/trapper
local1.*     /var/run/trapper
local2.*     /var/run/trapper
auth.*       /var/run/trapper

Note: In order to start or restart trap throwing functionality, you need to reboot the BIG-IP system.

Known issues

The following items are known issues in the current release.

Fan and temperature monitoring with SNMP
SNMP queries for fan speed, CPU temperature, and power supply status are functional for certain platforms. Currently, fan and temperature monitoring is supported only for the following platforms:

  • 1000
  • 2000
  • 2400
  • 5000
  • 5100
  • 5110

For these platforms, periodic monitoring is enabled automatically. However, the system_check script does affect performance. You can disable the system_check script by commenting out (adding a leading # sign to) the line in /etc/crontab which runs the system_check utility. This version does not support fan and temperature SNMP monitoring on the following platforms:

  • D25
  • D30
  • F35
  • D35 (520 and 540)

Wildcard certificates in the Cert Admin screen (CR17426)
The Cert Admin screen in the Configuration utility currently only allows *.<domain_name> for wildcard certificates. A domain name of *.*.<domain_name> is not supported on the Cert Admin screen.

Upgrading the software and the MindTerm SSH Console (CR18436)
When you upgrade the software for the BIG-IP system, you cannot use the MindTerm SSH Console, because the upgrade stops and restarts the SSH service. To upgrade the software, use a serial console instead.

The RADIUS port in /etc/services (CR20136)
Previous releases of this software use the RADIUS port 1645 as the default in /etc/services. This release uses the new IANA RADIUS port 1812.

L2 proxy ARP forwarding exclusion list  (CR20647)
In order to prevent the active unit from forwarding ARP requests for the standby unit (or other hosts to which proxy ARP forwarding is not wanted), you can now define a proxy ARP exclusion list. To configure this feature, you can define a proxy_arp_exclude class, and add any self-IPs on the standby and active units to it. The BIG-IP units do not forward ARP requests from the hosts defined in this class.
For example, to create a proxy_arp_exclude class use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }

If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. We recommend that you configure this feature if you use VLAN groups with a BIG-IP redundant system. The reason is that both BIG-IP units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents the original IP address of a packet from being translated by the BIG-IP system. The BIG-IP system forwards traffic directly to the destination.

If you do not configure a proxy ARP exclusion group for systems configured with VLAN groups, you may see problems such as:

  • Nodes being marked down for a period of time after a failover
  • The inability to access resources through the active BIG-IP unit when there are multiple physical or logical connections to the same VLAN group (especially likely to be noticed when there are multiple connections between the active and standby BIG-IP units)

SNAT automap incompatibilities (CR20801)
Default gateway pools, forwarding virtual servers, and forwarding pools are incompatible with SNAT automap. Configuring a default gateway pool with a forwarding virtual server or a forwarding pool is also incompatible. To work around this incompatibility, you can configure a network wildcard virtual server in front of the SNAT. The wildcard virtual server routes by connection, using the cached routes.

ICMP pings updating MAC addresses for nodes in the ARP table (CR21228)
ICMP pings are not updating the MAC addresses for all nodes in the ARP table. This has no effect on the functionality of the BIG-IP system. The only way to view these entries is to type the command arp -na, which lists the ARP table.

bigpipe proxy show command  (CR21750)
The bigpipe proxy show command incorrectly displays accepted connections, as well as queued connections that have not yet been accepted.

HTTP 1.1 HEAD requests and cookie persistence  (CR22070) (CR30255)
If you configure a virtual server and a pool with cookie persistence enabled, when a client opens a keep alive connection and issues several HTTP 1.1 HEAD requests, the BIG-IP system may lose its connection state. If this occurs, the BIG-IP system may fail to insert cookies in most of the replies. Also, if the get command is issued for a relatively large file, the connection breaks after the first few packets of data are sent.

Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity™ ASIC does not generate a TCP reset.

Configuring the admin port for node connectivity (CR22599)
We recommend that you do not configure the admin port for node connectivity.

Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.

Log messages during failover  (CR23634)
If you have a redundant pair of BIG-IP units, when the BIG-IP system fails over, the following warning messages may be logged to /var/log/bigd:
bigapi_unit_mask fails Invalid message received from kernel
You can disregard these warning messages.

Creating node pools when gated fails (CR23668)
In rare cases, the default route may be removed if you create a node pool at the same time gated fails. If this happens, run the Setup utility and add the default route back to the configuration. You can run the Setup utility from the command line by typing setup. You can access the Web-based Setup utility from the welcome page of the Web-based Configuration utility.

Changing IP addresses on VLANs (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.

TOS or QoS values in FTP data connections (CR24644)
FTP data connections have incorrect TOS or QoS values set in the BIG-IP software. Both values are set to 0.

iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET framework's serialization. For nested structures within arrays, the framework cannot support an empty array represented as a single XML element.
For example, this method does not serialize:
<return type='Array' ArrayType='tns:someType[0]'/>

This method does serialize:
<return type='Array' ArrayType='tns:someType[0]'></return>

SNAT automap and acceleration (CR24959)
On the 2400 platform, if you configure SNAT automap and do not associate the SNAT with a virtual server, the traffic is not accelerated by the Packet Velocity™ ASIC. Note that you can associate the SNAT with a wildcard virtual server to accelerate any SNAT automap traffic.

SSL proxy processes with non-idle connections (CR25080)
Some idle connections may not be closed as long as the SSL proxy continues to receive data within the idle connection timeout, and the server-side connection remains open.

Product Announcement: Content converter feature for Akamai (ARLs) removed from BIG-IP products for EOL (CR25082)
With this release, we are announcing the End-of-Life (EOL) of the content converter feature for converting Akamai ARLs. This applies to all fully licensed BIG-IP products running version 4.5 PTF-04 or later. As a result of this action, newly shipped or upgraded versions of the BIG-IP software no longer include this feature. If you want to continue using this functionality, do not upgrade to this version of the software. If you do plan to upgrade to this version of the software, we recommend that you remove all related configuration information from the bigip.conf file before you upgrade.

The b conn dump verbose command and values for packet counts or byte counts (CR25119)
The bigpipe command, b conn dump verbose, displays incorrect values for packet counts and byte counts.

Configuring a single default gateway member (CR25141)
If you configure only a single default gateway member, that address is configured as the default route. It is not displayed as a default gateway pool.

Simple persistence timers and the 2400 platform (CR25182)
Simple persistence timeout global settings function slightly differently on the 2400 platform than on other BIG-IP platforms. With the 2400 platform, the global mode global persist timer timeout causes the persist timer to be updated every 30 seconds when a connection that references the persist entry is still alive. On other platforms, the persist timer is updated with every packet inbound from the client.

E-Commerce Controller and setting port translation option for wildcard ports (CR25336)
On the E-Commerce Controller only, when you configure a virtual server with a wildcard port (*) using the Configuration utility, the default port translation setting is set to enable instead of disable. Note that this does not occur when you use the bigpipe utility. If you want to configure virtual servers with wildcard ports, and you want to disable the port translation, add the virtual server using the following bigpipe command (rather than using the Configuration utility):
bigpipe virtual <ip_address:0> use pool <pool_name>

Harmless message during configuration (CR25399)
You may see the message startup bigstpd: (pid 169) already running during configuration. This message is harmless.

SNMP: updated the globalAttr* values (CR25429)
This release includes revised globalAttr* values for SNMP. These values include globalAttrOpen3DNSPorts and globalAttrOpenCorbaPorts. For a complete list of the updated descriptions, refer to the MIB.

SNMP OIDs switch platform support (CR25458)
The SNMP OIDs dot1*, dot3*, and limited rmon OIDs are supported only by switch platforms. These platforms include the 1000, 2000, and 5000 series.

SSH access host restrictions configured in /etc/hosts.allow (CR25530)
In previous versions, /etc/ssh3/sshd2_config and /etc/sshd_config controlled SSH access. This upgrade reverts to an SSH access level that allows all hosts to connect. Upgrading to this version ignores previously configured SSH access restrictions configured in /etc/ssh3/sshd2_config and /etc/sshd_config. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once the upgrade has been completed. To do this, type the following command to start the Setup utility and then press Enter:
config
Choose option S (Configure SSH) and set the restrictions you prefer.
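
A post-upgrade check for the situation described above, as an added example that is not F5 code: it parses a hosts.allow file in the standard hosts_access(5) format and flags rules that admit every host to an SSH daemon. The daemon names sshd and sshd2, the function names, and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code): audit hosts.allow for SSH rules that admit all hosts.
# Assumption: the SSH daemons appear as "sshd" and "sshd2"; adjust SSH_DAEMONS
# to match the names the Setup utility actually writes on your unit.
SSH_DAEMONS='sshd sshd2'

# audit_ssh_allow FILE
# Prints "OPEN|RESTRICTED line N: rule" for each rule that covers an SSH daemon.
# Exit status: 0 = only restricted rules, 1 = at least one rule admits ALL,
#              2 = no SSH rule at all (access then depends on hosts.deny).
audit_ssh_allow() {
    awk -v daemons="$SSH_DAEMONS" '
    BEGIN {
        n = split(daemons, d, " ")
        for (i = 1; i <= n; i++) want[d[i]] = 1
        want["ALL"] = 1              # the ALL daemon wildcard also covers SSH
        buf = ""; nopen = 0; seen = 0
    }
    {
        if (buf == "") first = NR    # remember where a (possibly continued) rule starts
        # A trailing backslash continues the rule on the next line.
        if ($0 ~ /\\$/) { buf = buf substr($0, 1, length($0) - 1) " "; next }
        rule = buf $0; buf = ""
        if (rule ~ /^#/ || rule ~ /^[ \t]*$/) next

        # Format: daemon_list : client_list [ : shell_command ]
        c = index(rule, ":")
        if (c == 0) next
        dl = substr(rule, 1, c - 1)
        rest = substr(rule, c + 1)
        c2 = index(rest, ":")
        if (c2 > 0) rest = substr(rest, 1, c2 - 1)

        nd = split(dl, dt, /[ \t,]+/)
        hit = 0
        for (i = 1; i <= nd; i++) if (dt[i] in want) hit = 1
        if (!hit) next

        # ALL in the client list (before any EXCEPT) means every host is admitted.
        nc = split(rest, ct, /[ \t,]+/)
        verdict = "RESTRICTED"
        for (i = 1; i <= nc; i++) {
            if (ct[i] == "EXCEPT") break
            if (ct[i] == "ALL") verdict = "OPEN"
        }
        if (verdict == "OPEN") nopen++
        seen++
        printf "%s line %d: %s\n", verdict, first, rule
    }
    END {
        if (seen == 0) exit 2
        if (nopen > 0) exit 1
        exit 0
    }
    ' "$1"
}

# Run the audit over a constructed sample (not taken from a real unit).
demo_hosts_allow() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample: one open rule, one restricted rule, one unrelated rule
sshd2 : ALL
sshd : 192.168.10. 10.1.1.5
ftpd : ALL
EOF
    audit_ssh_allow "$sample"
    status=$?
    rm -f "$sample"
    return $status
}

demo_hosts_allow || echo "audit exit status: $?"
```

On a unit, point audit_ssh_allow at /etc/hosts.allow after the upgrade and again after running the Configure SSH option; a non-zero status means the restrictions still need attention.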

Disabling a virtual server that is under heavy traffic load (CR25538)
If you disable a virtual server that is under heavy traffic load, the BIG-IP log may fill the /var partition. To work around this problem, you can configure syslogd to log to a remote system, or you can shut off logging on local0.*. For alternative solutions, contact support.

CPU temperature readings on Tyan 2765 motherboards (Application Switch platforms) (CR25641)
Some older motherboard revisions may incorrectly display CPU too hot messages. For more information about this issue, please read this solution: Error message: CPU too hot!.

Transparent VLAN group mode with FastFlow (Fast Path) acceleration (CR25727)
The transparent VLAN group mode is not accelerated by the FastFlow (Fast Path) feature.

Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.

VLAN names with "vlan" followed by any number of digits cause a syntax error  (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text, vlan, as the initial portion of a VLAN name.

Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see (CR25890).

Late binding virtual server with 500 MTU router and large request (CR26025)
If a client sends a large request, greater than 460 bytes, through a router set to 500 MTU, the BIG-IP system does not forward the request to the server.

Switching to a single route configuration if you have a gateway pool in use (CR26143)
If you create a default gateway pool, and then you decide to change to a single route, we recommend that you do not delete the gateway pool even if you change the router configuration so that there is only one router in the pool.

Using 127.0.0.x as a pool member causes the system to lose network connectivity (CR26184)
If you add a node with an IP address of 127.0.0.x to a pool, the system loses connectivity to the network. The only way to reboot the system after this happens is to use the reboot switch. We recommend that you do not add nodes with this address range to a pool.

Changing iControl settings does not restart the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:

bigstart shutdown portal
bigstart startup

LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do not use spaces in the group names.

Generating certificates with OpenSSL after upgrading the software (CR26456)
After you upgrade the software, you may run into issues when you use the OpenSSL command line utility to generate certificates or certificate signing requests (CSRs). If you experience difficulties with this task, run the genconf command to update the openssl.conf file.

SSL proxy down due to error condition (CR26487)
If the SSL proxy is down due to an error condition, the b proxy show command still shows the proxy is enabled.

Proxies configured using the command line and default CRL recognition  (CR26515)
When you use the command line interface to configure a proxy, if you do not specify a path for a certificate revocation list (CRL), the default CRL path is ignored and all client certificates are accepted regardless of their status. In order for the proxy to validate certificates properly through CRL, you must define a specific CRL path or file in the proxy. However, if you use the Configuration utility to configure a proxy, the default CRL path is recognized correctly.

Error message for ip_tos values (CR26566)
The valid ip_tos values are 0 - 255 or 65536, which returns ip_tos to a blank state. If you type an invalid value, you see the following incorrect error message: The requested IP TOS value is invalid. [0..65535].

Setting up a virtual server using the command mirror conn disable (CR26601)
If you use the bigpipe command mirror conn disable when you create a virtual server, connection mirroring is enabled. To avoid enabling this variable when you set up a virtual server, do not use the mirror conn disable attribute. If you define a virtual server without the mirror conn enable or mirror conn disable attribute, connection mirroring is disabled.

Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:
/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2

To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file and change the authtrapenable value to 2 (disable).

Message from /etc/daily script in regards to beholder (CR26612)
When /etc/daily runs, it checks to see if there is a /var/run/beholder.pid file and if it exists, it attempts to rotate the /var/log/rmon.log file. When the rotate log function runs, the following message is logged to /var/log/daily.out for the beholder script:

bigstart: @293: start script beholder not found

Advanced routing modules: terminal settings after exiting vtysh (CR26631)
With the advanced routing modules, after you enter the vtysh router interface, your terminal settings are incorrect. If this problem occurs, type reset to correct the problem.

Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system, it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic cannot pass through the system.

Resetting the statistics and verbose log level 32 (Stat Reset Detail) (CR26822)
The verbose log level 32 (Stat Reset Detail) does not log a message when you reset the statistics.

MSS advertised to backend servers on SSL proxy connections (CR26839)
The BIG-IP system advertises the wrong maximum segment size (MSS) to the backend server if your configuration has an SSL proxy connecting to a virtual server on the loopback device (lo0). The advertised MSS respects the MTU of lo0, which is, by default, 4352 (so the resulting MSS is 4312).

Upgrade installation adds node * monitor use icmp to e-Commerce Controller (CR26877)
The BIG-IP 4.5 scratch CD installation adds the following line to the bigip.conf file on the e-Commerce Controller:

node * monitor use icmp
This monitor type is not supported on the e-Commerce Controller.

Combining transparent monitors (CR26915)
You cannot combine transparent monitors using the and rule.

Setup utility does not preserve MAC masquerade settings (CR26922)
The Setup utility does not preserve MAC masquerade settings. We recommend that you use the bigpipe utility or the web-based Configuration utility to make configuration changes after you have completed your initial setup. However, if you want to use the Setup utility to make changes to the configuration, and you want to preserve the MAC masquerade settings, then after you finish your configuration changes, recreate your MAC masquerade settings with bigpipe or the Configuration utility before you reboot the unit.

Accessing sticky persistence table through iControl (CR26957)
If you have a pool with sticky persistence turned on, and mask set to 255.255.255.0, with a network virtual server, you will not get any records when you attempt to access the data through the iControl methods get_sticky_connection_table or get_persistent_connection_table. To work around this problem, call get_sticky_mask before passing the traffic.

Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.

Key management: displaying BMP and UTF8 strings (CR27049)
The key management system does not properly display BMP and UTF8 strings in certificates.

Resetting statistics on the BIG-IP FireGuard, the BIG-IP Load Balancer, and the BIG-IP Cache Controller (CR27060)
If you use the bigpipe command, b pool stats reset, the BIG-IP FireGuard, the BIG-IP Load Balancer, and the BIG-IP Cache Controller will create a core file. If you use the Configuration utility to reset the statistics, these BIG-IP systems may create the same core file.

5000 series with 256 MB Compact Flash and multiple .ucs files (CR27064)
Because of file system size limitations on the 256 MB drive, we recommend that you limit the number of .ucs files you save on the system.

The header erase feature (CR27084)
The header erase feature only looks at the first header. Subsequent headers are not erased.

Changing the virtual server target under load (CR27090)
If you change the virtual server target under load, from a pool to a rule, or a rule to a pool, the system could create a core file.

Misleading message on new installations (CR27091)
If you are installing the software for the first time, you may see the following misleading message in /var/log/proxyd:

'proxyd[pid]: No proxies were successfully configured. Exiting.'
This message is benign.

Adding a switch interface to the admin vlan (CR27103)
Adding a switch interface to the admin VLAN causes large volumes of traffic. We recommend that you do not add a switch interface to the admin VLAN.

CompactFlash® media drives and logging for named  (CR27132)
When named is running, it generates status and usage messages as part of its normal behavior. If you are running named on a system with a CompactFlash media drive, these messages may fill up the /var/log/messages directory. To avoid this, periodically delete the status and usage messages for named.

Configuration files with a large number of proxies   (CR27159)
Configuration files with a large number of proxies may take a long time to load.

Honoring certain client MSS limits  (CR27160)
Under certain circumstances the BIG-IP system may not honor certain client maximum segment size (MSS) limits. This problem is rare and happens only if multiple clients with different MSS limits access the BIG-IP from the same source address through address translation.

Setting the reaper hiwater and reaper lowater values  (CR27169)
If you set the reaper hiwater and reaper lowater values to the same number, you do not receive an error message, but the bigip.conf file does not load. In order for the BIG-IP configuration to load properly, reaper hiwater and reaper lowater cannot be set to the same value.

Dynamic ratio load balancing and snmpdca with Counter32 OIDs  (CR27202)
If you are using dynamic ratio load balancing with the snmpdca pinger for metrics collection, and you configure an OID that returns type Counter32 (that is, the Windows™ 2000 Server Enterprise OID), the returned data may not be interpreted correctly. As a result, dynamic ratio load balancing does not function properly.

Server-side proxy listening on port 80 with TCP half-close  (CR27203)
When you have a proxy configured that is listening on port 80, and you are using server-side SSL, client TCP connections using half-close may not complete properly.

RADIUS server configuration and Netscape  (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.

User administration for remote authentication using the Configuration utility  (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored and you must click the Done button in order to add a new user.

Deleting the default gateway pool using the Setup utility  (CR27260)
The command line Setup utility (setup) does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.

Performance tools exhibit fluctuations in the maximum TPS  (CR27297)
An enhancement added to increase SSL performance with large numbers of concurrent connections may cause some performance tools to exhibit fluctuations in the maximum TPS when you use them to perform benchmark tests. For example, when you check SSL performance using the IxWeb tool you may see oscillating SSL performance readings. These variations have very little effect on the actual metric performance.

Setting the open_telnet_port default value  (CR27331)
If you have a redundant configuration and you disable open_telnet_port on the active unit before you synchronize the configuration, the configuration file leaves open_telnet_port at its last state (enabled) rather than disabling it. After you load this type of configuration, we recommend that you check the state of the open_telnet_port setting.

SSL performance when running in ANIP mode  (CR27333)
When you are running the BIG-IP system in ANIP mode, you may experience a 12-15% decrease in SSL performance. This decrease in performance is due to the addition of OpenSSL version 0.9.7a.

Unsupported system_check tool  (CR27354)
The system_check script is running on all BIG-IP platforms. The system_check script is supported only on IP Application Switch platforms. This script does not have any adverse effect on unsupported platforms.

User roles in a redundant system configuration  (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is not copied over to the other unit. In order to have the same user roles specified on both units, you must configure this setting on both units in the redundant system.

DoCoMo 2.0 requests  (CR27481)
When the BIG-IP system receives a DoCoMo 2.0 request, the BIG-IP system includes everything in the request up to and including the \r in the persistence string. The BIG-IP system should not include the \r in the persistence string.
Also, when you use the bigpipe pool persist dump command, the command prints control characters.

SIP persistence and NAT or SNAT  (CR27515)
SIP persistence does not work correctly when you use NAT or SNAT.

iRules and logging  (CR27574)
In rare instances when the BIG-IP system is using logging and variable substitution in iRules, the system may display one or two random characters at the end of the correctly displayed log text.

Keeping the system clock and responder clock synchronized  (CR27620)
The internal BIG-IP system clock and the responder clock must be synchronized. If they are not synchronized to within 5 minutes of each other, the SSL proxy may hang. In order to keep the clocks synchronized, you can use NTP on the BIG-IP system.

SSL proxy : OCSP status  (CR27621)
The status returned from the inserted header ClientCertStatus may display the incorrect error code, error 1, when a certificate is revoked.

SSL proxy : OCSP impact on SSL proxy performance  (CR27622)
If you configure the OCSP feature, you may see an impact on SSL proxy performance.

Redundant configurations in active/active mode  (CR27639)
When you have a BIG-IP redundant system, with both units in active/active mode, the Configuration utility in certain cases may incorrectly display the self IP as unit 1 when it should be unit 2. This issue does not affect the performance of the BIG-IP system.

Setting media speeds  (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the BIG-IP system and the connected switches.

New rule syntax requirements for literal strings  (CR27784)
The rules syntax has changed in version 4.5 PTF-04, and there is now a literal string limit of 63 characters. If you have previously configured rules that contain literal strings longer than 63 characters, these rules may fail to load after you upgrade to PTF-04. Rules that worked correctly in previous versions may now produce the following error message:
In rule test: String literal too long (max 63 chars)
If you have this type of rule configured, we recommend that you modify the rule syntax to use literal strings that are less than 63 characters in length. See New rule syntax requirements for literal strings in the Workarounds for known issues section for details.

Using the Setup utility to configure the media type for an interface  (CR27793)
When you use the Setup utility to configure the media type for an interface, the BIG-IP system does not save this setting when you rerun the Setup utility. You must configure this setting each time you run the Setup utility.

Memory leak in bigapi  (CR27821)
There is a memory leak in bigapi, found through bigsnmpd, which can occur during SNMP queries.

Adding virtual servers in the Configuration utility with Any IP Traffic enabled  (CR27835)
When you use the Configuration utility to add a virtual server and you enable Any IP Traffic, each time you then add another virtual server on the same virtual address/net address, Any IP Traffic is disabled. To work around this issue, go to the Virtual Address Properties screen and enable Any IP Traffic for the new virtual server.

MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility  (CR27864)
The Configuration utility may become unresponsive when all of the following conditions are met:

  • You have Java Virtual Machine enabled on a Windows® workstation

  • You are using the Configuration utility to configure the system

  • You open a MindTerm SSH console session from the navigation pane

  • You return to the Configuration utility without closing the MindTerm SSH console

If you experience this problem, you must use the Windows Task Manager to close both the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or close the MindTerm SSH console session before returning to the Configuration utility.

Deleting a virtual server from same IP address as SSL Proxy  (CR27915)
The SSL proxy may stop responding to ARPs if you delete a virtual server that resides on the same IP address as the proxy.

Harmless timeout messages during reboot  (CR27928)
When you reboot the BIG-IP system, you may see timeout messages for ZebOS and ITCM portal. These messages are harmless and have no effect on the operation of the BIG-IP system.

Configuring virtual servers and nodes that share IP addresses  (CR27931)
When you create a forwarding virtual server or a virtual server that has address translation disabled, if the virtual server shares an IP address with a node and you turn on ARP disable, the BIG-IP system may continue to respond to ARP requests. This configuration may cause the BIG-IP system to report duplicate IP addresses and block access to the node. If you want to use this type of configuration, we recommend that you configure a static ARP entry for the node.

Server Appliance platform baud rates  (CR27961)
For Server Appliance platforms, the baud rate for the serial console depends on whether version 4.2 or 4.5 of the BIG-IP software was initially installed on the platform. For version 4.2 and version 4.5 units that have been upgraded from version 4.2, the serial console baud rate is 9600. For new units with version 4.5 installed, that were not upgraded from version 4.2, the serial console baud rate matches the baud rate set by the BIOS.

Enabling svcdown_reset  (CR27962)
If you enable svcdown_reset from either the command line interface or the Configuration utility, you must reload the configuration for your changes to take effect.

SNMP version and probing  (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.

Disabling the memory_reboot_percent global  (CR27975)
You cannot disable the memory_reboot_percent global by setting the variable to 0.

Loading configurations with hundreds of proxies defined  (CR27997)
Loading a configuration with hundreds of proxies defined may cause the proxyd process to become unstable. Traffic is not disturbed, but a core file and error message occur. No user intervention is necessary.

The imid() function causes syntax errors  (CR28008)
Using the imid() function in rules or universal persistence expressions causes a syntax error. The imid function works correctly.

Status LED during power supply failure  (CR28012)
The status LED may incorrectly remain green when the bottom power supply fails.

Transparent VLANs with a connection through a virtual server  (CR28018)
If you have two transparent VLANs configured in a group with a connection through a virtual server, under certain circumstances the transparent VLAN group may use its own MAC address. If you encounter this issue, we recommend that you use opaque mode for VLAN groups, especially if you are using any type of delayed binding that requires the BIG-IP system to handle the return packet.

Setup utility and VLAN tag configuration  (CR28027)
If you use the Setup utility to configure VLAN tags or add new VLANs with tags and self IPs, and you use the command line utility to modify interfaces after VLAN tags are added, all of the tagged interfaces and associated data (self and shared IPs) are removed from the configuration files. You may need to reconfigure these settings, or use the backup file to restore these settings.

SSL Proxy client auth must use client certificate CA field  (CR28028)
When using the Configuration utility to configure an SSL proxy, if you set the Client Certificate field to either request or require, you must also enter a value for the Client Cert CA file field. If you do not enter a value for this field, the Configuration utility does not produce an error message; however, you must enter a value in order for the configuration to work.

global sslhardware failover configuration load time  (CR28031)
If you enable global sslhardware failover, the configuration load time may increase dramatically.

Using the Configuration utility to create external health monitors  (CR28036)
When you create an external health monitor and include a variable where the value is a string with two variables separated by a comma, the Configuration utility does not set the value of the second variable. The Configuration utility separates the two variables at the comma and sets the value of the first variable in the string only. If you use the command line utility to create an external health monitor, values for variables separated with a comma in the string are set correctly.

Nokia NetAct feature  (CR28039)
Please note that when you apply this upgrade, if you are using the Nokia NetAct feature, the old /etc/snmptrap.conf file is used. The Nokia NetAct feature uses an extended format of this file. If you want to use the Nokia NetAct feature, after you apply the upgrade you must modify the /etc/snmptrap.conf file. You should use /etc/snmptrap.conf.example as a template for modifying the snmptrap.conf file.

MSRDP persistence  (CR28050)
You cannot set MSRDP persistence using the Configuration utility. If you want to set MSRDP persistence, we recommend that you use the command line utility to configure this feature.

D35 system with system halt command  (CR28079)
If you use the system halt command on a D35 system and then press the Enter key to reboot the system, the system reboots, but it enters into a netboot cycle. If you have this issue, we recommend that you power cycle the system, or push the reset button.

Reconfiguring the BIG-IP system using the Setup utility  (CR28116)
If you use the Setup utility to configure multiple gateways or VLANs, we recommend that you reboot the BIG-IP system before you run the Setup utility a second time. Rerunning the Setup utility without rebooting when multiple gateways or VLANs are configured may cause the BIG-IP system to become unstable.

Duplicate IP address issues on redundant pairs with floating self-IP addresses (CR28124)
If you have a pair of units in a BIG-IP redundant system, you may experience duplicate IP addresses on the active unit when you perform a config sync under the following conditions:

  • You configure a floating self-IP address on an IP network where non-floating self-IP addresses have not yet been configured.
  • You configure a monitor for a node on this new IP network.

If you are using this type of configuration, we recommend that you configure a non-floating self-IP address on both units for each network.

Incorrect product version in log files  (CR28133)
The BIG-IP system log files may report the incorrect version of the product. This has no effect on the functionality of the BIG-IP system. To view the correct product version, type cat /VERSION at the command line.

ICMP pings through a SNAT  (CR28148)
When a client pings ICMP through a SNAT, if another client behind the BIG-IP system pings ICMP through the same SNAT, the second client receives both ICMP replies.

Duplicate node UP messages in the log table  (CR28194)
In certain circumstances you may see duplicate node UP messages in the log table (/var/run/alarm_log_tbl). You can ignore these messages; they do not affect the function of the BIG-IP system.

Duplicate FDB entries on 520/540 platforms  (CR28214)
On the BIG-IP 520/540 platforms, when a link goes down, the system does not delete the FDB entry. If you are using VLAN groups, this can cause the system to create duplicate FDB entries with the same MAC address, but different ports. This can result in a loss of traffic until the entry is removed. The BIG-IP system should delete the FDB entries when a link goes down.

Error message during boot sequence  (CR28276)
When you start the BIG-IP system, you may see the error, WARNING: conflict at irq 12. You can ignore this message, as it has no effect on the function of the BIG-IP system.

PXE installation  (CR28313)
In rare instances, using a network computer to perform PXE installations of BIG-IP software causes corruption on the network computer hard drive. If you are using a network computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you back up any important data stored on the network computer hard drive.

Self-IP addresses with 135 as the first octet  (CR28316)
If you add a self-IP address with the number 135 as the first octet, duplicate VLANs display incorrectly when you type the bigpipe command vlan show. This has no effect on the actual VLAN configuration.

Adding a monitor using the Configuration utility  (CR28333)
When you use the Configuration utility to add a monitor that contains the string Authorization: Basic {anything here}, the Configuration utility may not load the Authorization portion of the string.

cpio command  (CR28365)
The cpio command is not available in 4.5 versions of the BIG-IP software.

NAT and out of order UDP fragments  (CR28388)
When using NAT, the 4.5 versions of the BIG-IP software currently do not pass out-of-order UDP fragments.

SSL proxy with delayed binding  (CR28408)
When you are using SSL proxy with delayed binding enabled, the proxy may retransmit packets too quickly.

Creating VLANs using the command line utility  (CR28429)
When you use the command line utility to create VLANs, the VLAN names cannot exceed 12 characters. The manual incorrectly states that VLAN names may be up to 15 characters in length.

bigtop utility delay setting  (CR28435)
The bigtop utility accepts values less than -1 second for the delay option, which causes the bigtop utility to refresh the screen as fast as possible. We recommend that you configure this option with a value of 1 second or longer.

Traps for the system_check utility not included in the MIB definition file  (CR28436)
The following system_check traps have been added to the default /etc/snmptrap.conf file; however, they have not been added to the LOAD-BAL-SYSTEM-MIB.txt file.
.1.3.6.1.4.1.3375.1.1.110.2.77 (fan .*? is failing)  FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.76 (cpu .*? is too hot!)  CPU_TOO_HOT
.1.3.6.1.4.1.3375.1.1.110.2.75 (cpu .*? fan is failing)  CPU_FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.74 (power supply has failed)  POWER_FAILED
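
Because these traps are missing from the MIB file, a trap receiver cannot resolve their OIDs to names on its own. The following is an added example, not part of the release note or of F5 code: it parses the four entries above and maps log text or a received OID to the trap name. It assumes each entry is "OID (regular expression) NAME" with the expression searched within the log message; the function names and sample messages are constructed for illustration.

```python
import re

# The four entries exactly as listed in the release note.
SNMPTRAP_ENTRIES = r"""
.1.3.6.1.4.1.3375.1.1.110.2.77 (fan .*? is failing)  FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.76 (cpu .*? is too hot!)  CPU_TOO_HOT
.1.3.6.1.4.1.3375.1.1.110.2.75 (cpu .*? fan is failing)  CPU_FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.74 (power supply has failed)  POWER_FAILED
"""

# Assumed entry layout: dotted OID, parenthesized regex, trap name.
ENTRY_RE = re.compile(
    r"^(?P<oid>\.\d+(?:\.\d+)*)\s+\((?P<pattern>.*)\)\s+(?P<name>[A-Z0-9_]+)$"
)


def load_trap_rules(text):
    """Parse entries into (oid, compiled_regex, name) tuples, in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Fail loudly: a silently skipped entry is a silently lost alert.
            raise ValueError("line %d: unrecognized entry: %r" % (lineno, raw))
        rules.append((m.group("oid"), re.compile(m.group("pattern")), m.group("name")))
    return rules


def classify(message, rules):
    """Return every (name, oid) whose regex is found in the log message."""
    return [(name, oid) for oid, rx, name in rules if rx.search(message)]


def resolve_oid(oid, rules):
    """Map a received trap OID (with or without leading dot) to its name."""
    wanted = "." + oid.lstrip(".")
    for rule_oid, _rx, name in rules:
        if rule_oid == wanted:
            return name
    return None


if __name__ == "__main__":
    rules = load_trap_rules(SNMPTRAP_ENTRIES)
    # Constructed sample messages; real system_check wording may differ.
    for msg in ("fan 2 is failing", "cpu 1 fan is failing",
                "cpu 0 is too hot!", "power supply has failed", "node up"):
        print(msg, "->", classify(msg, rules))
```
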

Using the b verify command to check for errors  (CR28451)
If you use the b verify command after editing the bigip.conf file, the b verify command does not properly detect misspellings or syntax errors. If you attempt to load a bigip.conf file that has a misspelling or syntax error, the BIG-IP system does not function until you correct the error and reload the bigip.conf file.

Possible tcpdump buffer overflow with badly formed NFS packets  (CR28492)
Versions 3.7.1 and earlier of tcpdump contain a buffer overflow that may be triggered by badly formed NFS packets. Other types of packets may also trigger the buffer overflow.

Proxy connection limits  (CR28498)
When you set the connection limit for proxyd, and the proxy connection limit is reached, the proxy incorrectly continues to accept new connections. Once the connection limit is reached, the proxy should stop accepting new connections. Connections do not successfully complete until the number of connections drops below the configured connection limit.

Active/Standby units configured with VLAN groups in transparent mode  (CR28502)
If you have a pair of BIG-IP units in an active/standby redundant configuration with VLAN groups in transparent mode, monitors on the standby unit may occasionally fail. To avoid this problem, we recommend that you tune down the ARP timers and/or increase the number of monitor timeouts. This ensures that the ARP table data is correct when monitor packets are sent. You should set the monitor timeout to at least 35 seconds. Another way to avoid this issue is to configure static ARP and FDB entries for nodes that need to be monitored.

iRules with Windows Media9 connections  (CR28543)
If you use an iRule to parse and persist Windows Media9 connections with the logging option enabled, log messages may be displayed on both the client's initial connection and on follow-up connections for content from the Media Server.

Configuring a fallback host using the Configuration utility  (CR28550)
If you use the Configuration utility to configure a fallback host that contains a second http or https in the URI, the configuration may fail to load. If you are using a fallback host that contains a second http or https, we recommend that you use the command line utility to configure this setting.

bigpipe commands that contain invalid trailing arguments  (CR28581)
If you type a bigpipe command that contains an invalid trailing argument, the bigpipe utility produces a syntax error, but may run the command anyway. In this situation, the command should fail.

Certificate key files  (CR28589)
If you are using the Configuration utility Cert Admin screen to configure proxies, you can select a proxy to view its properties. A list of certificates and keys displays. You can view and delete the default.key file from the list. If you delete the default.key file, it causes the local LDAP server to fail. We recommend that you do not delete the default.key file from the configuration.

Intel GIG Cu network interface card driver settings  (CR28597)
The Intel Gig Cu NIC driver currently supports only auto negotiation. You cannot select the port media type setting.

Remote authentication configuration  (CR28598)
In some cases, when you configure remote authentication, the config utility may fail to perform a standard IP address check. If this happens, httpd.conf may fail when the system restarts.

Self IP address configuration  (CR28601)
When you configure a VLAN and a self IP address, the system allows you to use 255 as the last octet of the self IP address. We do not recommend that you use this value.

Configuring SIP persistence  (CR28628)
If you use the command line utility to configure SIP persistence, you may receive a syntax error. Instead, we recommend that you use the Configuration utility to configure SIP persistence. Note: when you use the Configuration utility to configure SIP persistence, you must enter a valid timeout entry. Invalid timeout entries may cause the BIG-IP system to use an incorrect timeout value.

SIP persistence and out-of-order UDP fragments from Linux systems  (CR28637)
If you have SIP persistence configured, the BIG-IP system does not handle out-of-order UDP fragments from Linux systems correctly.

Lock up during installation  (CR28646)
In extremely rare cases, the BIG-IP system may lock up when you install an upgrade of the BIG-IP software. This issue happens only on the SMP kernel and may be file system related. If this occurs, the BIG-IP system panics and eventually reboots. You can restore the system by reinstalling the software, or by changing the running kernel from SMP to ANIP.

Flawed TCP connection streams can appear to cause issues with cookie insertion  (CR28647)
When the BIG-IP system receives a mid-stream SYN resulting from a flaw in the TCP client, the BIG-IP system forwards the SYN to the server. This behavior may cause it to appear as though the BIG-IP system is not performing cookie insertion when there is a flaw in the TCP client, but it is working correctly.

BEA WebLogic Server support  (CR28656)
The wlnode function does not currently work with BEA WebLogic Server™.

Duplicate inode allocation error messages  (CR28659)
In rare instances, the BIG-IP system creates a core file when the ffs_valloc() function allocates an inode data structure in a file system that has already been allocated. The duplicate allocation error may cause the BIG-IP system to become unstable.

Media duplex settings  (CR28823)
If you are upgrading to the BIG-IP software version 4.5x from software version 4.1.1, the syntax for media duplex settings is not updated correctly. It may be necessary for you to reconfigure these settings.

Self IP and VLAN configuration changes  (CR28831)
If you use the Configuration utility to make changes to the self IP or VLAN configuration, the default route and any static routes may be overwritten. You may need to reconfigure static routes using the command line utility.

Clone pools on SSL proxy virtual servers  (CR28871)
If you configure clone pools on an SSL proxy virtual server, the BIG-IP system may experience a slow memory leak.

TCP half close  (CR28904)
When a client closes a TCP connection, the BIG-IP system closes the connection 15 seconds after it receives a FIN from the client, even when there is still data going from the server to the client.

Default SNATs on PVA-equipped systems  (CR28994)
Default SNATs are not configured for partial acceleration. This can cause SNATs to function improperly on PVA-equipped systems. If you want to avoid this issue, we recommend that you configure partial acceleration using the following global bigpipe command: bigpipe global hw_acceleration enable.

SNMP logging  (CR29003)
The snmp_dca_base monitor does not currently perform any logging, even if you enable logging for SNMP.

bigpipe bigstat and bigpipe bigstat -bigip commands  (CR29011)
The bigpipe bigstat and bigpipe bigstat -bigip commands do not function correctly in BIG-IP version 4.5x.

Active-standby configuration with gateway failsafe enabled  (CR29057)
In an active-standby configuration with gateway failsafe enabled, if the standby system is unable to reach the gateway, and the active system loses its connection to the gateway, both units go to a standby state. If this happens, you can disable gateway failsafe, causing one unit to become active. Another way to avoid this issue is to enable the force active option on one of the systems.

PVA-equipped systems  (CR29087)
If you use the bigpipe load command on a PVA-equipped system, the system statistics return to zero and remain at zero.

sudo utility  (CR29135)
The sudo utility allows a user with non-root permissions to execute root functions (as a superuser) from the command line. The sudo utility permissions are set incorrectly in 4.5x versions of the BIG-IP software. In order to use the sudo utility, you must set the permissions on the binary to 4011. For more information on how to configure the sudo utility, review Solution 519 (SOL519) on the AskF5 website, http://tech.f5.com.

OneConnect with out-of-order segments in keep-alive connections  (CR29158)
If you are using OneConnect™, out-of-order segments in keep-alive connections may cause header insertion on subsequent transactions to fail.

Diffie-Hellman and proxyd  (CR29193)
The DH (Diffie-Hellman) key exchange protocol does not currently work if you configure an SSL proxy.

IP filter configuration  (CR29196)
The Configuration utility generates incorrect IP filter (ipfw) configurations for IP filter rules with specified source and/or destination service fields. Incorrect IP filter configurations are also generated if your configuration contains IP filter rules that match established TCP connections. This issue occurs because IP filter rules generated by the Configuration utility do not check whether the matching packets are TCP or UDP. This may cause the BIG-IP system to incorrectly drop or permit some non-TCP and non-UDP packets. If you want to configure IP filter rules, we recommend that you use the command line utility instead of the Configuration utility.

snmpdca monitor  (CR29223)
If you use the snmpdca monitor to gather metric information, the dynamic ratio is calculated incorrectly.

loadBalTrapPortString properties  (CR29255)
If you use the command line utility to view properties for loadBalTrapPortString, one of the properties does not correspond with its description. SYNTAX INTEGER should be SYNTAX DisplayString.

nexthop network address  (CR29265)
The BIG-IP system incorrectly calculates the nexthop network address by adding the nexthop address and the translation address netmask. It should be calculated by adding the nexthop address and the nexthop netmask.

VLAN configuration  (CR29291)
If you use the Configuration utility to configure a VLAN, and you do not select an interface, the VLAN is not saved. You must select a VLAN interface in order for the VLAN to be saved.

PVA-equipped systems  (CR29312)
Statistics for Packet Velocity ASIC (PVA)-equipped systems may be incorrect.

bigpipe sslproxy skip keycheck command  (CR29316)
The bigpipe sslproxy skip keycheck command available in version 4.2 PTF-10 is not available in 4.5x versions of the BIG-IP software.

Forwarding non-IP traffic through VLAN groups and redundant systems  (CR29334) (CR29806)
We introduced the ability to forward non-IP traffic through VLAN groups in BIG-IP version 4.5 PTF-04, and the functionality was enabled by default. When this functionality is enabled, the BIG-IP system also forwards non-IP traffic through both the active and standby units in a redundant system, which can result in a bridge loop. To mitigate this known issue, in this release (version 4.5 PTF-08), we are changing the default setting so that the functionality is disabled by default. If you understand the current limitations of this feature, and want to enable the feature, see Forwarding non-IP traffic through VLAN groups and redundant systems in the Workarounds for known issues section.

User permissions and upgrading from 4.2x  (CR29337)
If you are upgrading from a 4.2x version of the BIG-IP software, and you have added additional users to the BIG-IP system configuration using vipw, user permissions are reset to their default states.

SNAT limits  (CR29349)
If you set a SNAT limit, the only way to remove the limit is to assign a value of 0 to it. In addition, if you load a bigip.conf file that does not have a SNAT limit configured, the previous SNAT limit value is preserved.

Dual CPU license for the Dell 2650 platform  (CR29393)
Although the license server will grant a dual CPU license for the Dell PowerEdge server appliance, the BIG-IP software does not support dual CPU operation on the Dell 2650 platform.

Network and hardware failover  (CR29394)
If network and hardware failover are both running, and gateway failsafe is triggered, the current standby unit becomes active when the gateway becomes available.

SNAT pool statistic integers  (CR29407)
SNAT pool statistic integers may be incorrect.

snmpdca command line utility help  (CR29421)
The /usr/local/lib/pingers/snmpdca -h help command displays error messages for snmpget.

Certificate issuer/subject names longer than 240 bytes  (CR29430)
If a certificate has an issuer or subject name longer than 240 bytes, the name is truncated when it is inserted into the HTTP header.

BIG-IP E-Commerce Controller TCP and ICMP echo service checks  (CR29437)
The BIG-IP E-Commerce Controller Configuration utility does not currently support TCP and ICMP echo service checks. However, you can use the command line utility to configure ICMP echo service checks.

Duplicate packets on D44 and D51 platforms  (CR29456)
If you have a D44 or D51 BIG-IP platform, packets with an unknown destination coming in on an untagged 10/100 port may cause the BIG-IP system to send out duplicate packets.

Cookie insertion with XML packets  (CR29461)
In some cases, when a client sends an XML packet and a propfind request, and the server responds with a 401 Unauthorized error message, the BIG-IP system may fail to insert a cookie when the server responds.

Naming pools  (CR29470)
If you use the Configuration utility to create a pool, and you assign the new pool the same name as an existing pool, the existing pool is overwritten. You can avoid this issue by assigning a different name for each pool that you create.

Client-side cookie insertion  (CR29475)
Client-side cookie insertion may fail if the BIG-IP system receives packets with missing segments on the server-side.

MAC masquerading on a VLAN and failover  (CR29494)
If you have MAC masquerading enabled on a VLAN, after failover the standby box issues two gratuitous ARPs for its unique, non-shared IP address. The first gratuitous ARP is from the MAC masquerade MAC address, and the second is issued from the unique MAC address. The standby unit should not use the MAC masquerade address.

Default gateway pool changes cause the mrad configuration to be updated  (CR29587)
The BIG-IP system unnecessarily updates the mrad configuration when there are changes to the default gateway pool.

D51 interface media type  (CR29602)
If you have a D51 BIG-IP system, the bigpipe interface 2.2 media command returns an inaccurate media type of 1000BaseTX for a fiber port. The media type should display as 1000BaseSX.

Interface MIB index error message  (CR29606)
If you use SNMP lint or an MIB test tool to test the interface MIB, you may encounter an error message indicating that the ifRcvAddressAddress element has no size restriction.

Changing a host name using the Configuration utility  (CR29611)
If you use the Configuration utility to change a host name, the httpd.conf file is not automatically updated.

SSL proxy failover  (CR29612)
The sslproxy failover option on the Redundant Properties screen does not work correctly. If you use the Configuration utility to configure SSL failover, we recommend that you use the sslhardware failover check box on the Advanced Properties screen.

DNS configuration  (CR29628)
The Setup utility and the Configuration utility may produce different DNS configurations. When you configure the BIG-IP system using the Setup utility, the system is always configured to use DNS. If you use the Configuration utility to configure DNS, you can select whether you want the system to use DNS.

Using the Configuration utility to change VLAN tags  (CR29629)
If you use the Configuration utility to change the VLAN tag, it may incorrectly update the network virtual address. If the updated network virtual address is incorrect, you may need to reconfigure it. We recommend that you avoid this issue by using the command line utility to make changes to VLAN tags.

Reboots and /var/log directory filesystem corruption  (CR29630)
After 150 and up to 800 hard reboots, the /var/log/ directory may contain corrupt file data.

Add Proxy wizard  (CR29631)
If you use the Configuration utility Add Proxy wizard to add a proxy, and you do not specify a client CA from the list box before you click Next, the wizard uses the or choose text as the client CA file name and writes it to the configuration file. We recommend that you avoid this issue by selecting a valid file name for this field.

Error messages in pva.log file  (CR29634)
If you delete a node from a pool while PVA is performing a health check, incorrect error messages may be logged in the pva.log file. You can disregard these error messages.

Global SNAT timeout setting with a wildcard virtual server  (CR29639)
If you have configured a wildcard virtual server and a global SNAT timeout setting, the reaper intermittently honors the SNAT timeout setting.

mrad failure error messages  (CR29660)
The mrad function is currently started on all BIG-IP platforms. This function should run only on the BIG-IP 2400 (D44). This issue does not affect the functionality of the BIG-IP system, but in some cases you may notice mrad failure error messages. If you do not have a BIG-IP 2400, you can disregard these messages.

PVA-equipped systems and ICMP traffic through VLAN groups  (CR29663)
If you have a PVA-equipped system and you configure a VLAN group, the VLAN group may fail to pass ICMP type 3 code 4 packets.

Reset segments and server-side connections   (CR29709)
If a SYN packet was sent from a server through a virtual server to a client, and the client does not answer before the connection timeout is reached, the reaper sends an RST in both directions.

Header insertion buffer  (CR29711)
When the BIG-IP system processes a header insert and the original HTTP request is within the header insert size of the current buffer, the system may panic.

VLAN mirroring  (CR29744)
If you are using VLAN mirroring, when you reboot you may notice error messages that indicate that the probe feature is not activated. These messages are incorrect, and have no effect on the BIG-IP system.

Optional OCSP responder values  (CR29782)
If you create an OCSP responder definition and assign values to the optional respcert, signcert, signkey fields, there is no command to delete these definitions. If you need to remove these definitions, you can delete the specific lines from the responder definition in /config/bigip.conf file.

Error message in Configuration utility and valid range for VLAN tags  (CR29793)
The allowable values for VLAN tags are 1 through 4094. However, if you inadvertently specify a value that is outside of the allowable range, you see the following error message:
Error 335953 -- You have entered an invalid VLAN tag value. VLAN tags must be between 1 and 4096.
The error message incorrectly specifies a range of 1 through 4096, rather than 1 through 4094.

Layer 7 traffic  (CR29809)
If you have layer 7 traffic going through the BIG-IP system, and a server retransmits a packet that is larger than the original packet, the BIG-IP system truncates the packet to the size of the original packet.

Connection mirroring on the BIG-IP 2400 platform with hw_acceleration enabled  (CR29850)
If you have a BIG-IP 2400, connection mirroring does not work correctly with hw_acceleration enabled. In order for connection mirroring to work, we recommend that you set hw_acceleration to none.

Configuring reaper hiwater and reaper lowater settings  (CR29866)
When you configure both the reaper hiwater and reaper lowater settings, valid reaper lowater settings may be rejected when the original reaper hiwater setting conflicts with a new reaper lowater setting.

IIS6.0 Windows 2003 Server  (CR30072) (CR30073) (CR30074)
The BIG-IP system does not currently support the following functionality on the Internet Information Services (IIS) 6.0 web server, which is part of the Microsoft® Windows® 2003 Server product:

  • Real Media monitor
  • Dynamic Ratio Load Balancing
  • SSL Redirect

 

Default setting for min_active_members  (CR30143)
The default value for min_active_members is incorrect and may cause the BIG-IP system to prioritize traffic incorrectly. The default value for min_active_members is currently set to 0. We recommend that you configure min_active_members to a value of 1 or greater.

FTP data statistics for the origin address  (CR30145)
If you configure SNAT for servers behind the BIG-IP system, and you use FTP from the server in order to transfer data, the statistics for the translation address are correct. However, the FTP data statistics for the origin address are incorrect.

Reset All SNATs control  (CR30147)
If you are using the Configuration utility and you select Reset All SNATs on the SNAT Statistics screen, the statistics for the translation address are not cleared. You must clear the values for the translation address statistics separately.

bigpipe l2_aging_time setting  (CR30152)
When you reboot the BIG-IP system, the bigpipe l2_aging_time setting in the bigip_base.conf file returns to the default setting (300).

automap default SNAT and VLAN configuration  (CR30153) (CR30585)
The automap default SNAT does not allow you to disable VLANs. If you attempt to disable VLANs on the automap default SNAT, you receive an error message.

STP interfaces add all command  (CR30259)
The bigpipe STP interfaces add all command adds all members of a trunk to the STP domain. This command should only add the controlling member of a trunk to a STP domain. In addition, if you manually add non-controlling members of a link-aggregated trunk to a STP domain, you do not receive a warning message.

Upgrading systems with large configurations  (CR30280)
When upgrading a BIG-IP system with a large configuration and a large number of proxies (100+), and the initial reboot has completed, the message Completing Upgrade... displays. Please note that this message may display for some time while the upgrade script validates your configuration.

Unlicensed system and error messages during boot cycle  (CR30288)
You may see the following error message when you are booting a system that is not yet licensed:
Initialized Watchdog: TYAN SUPER I/O /config/bigip_base.conf: "Probe control features are not available." in line 262

The message is benign, and does not affect system functionality.

VLAN groups on IP Application Switch platforms and non-IP traffic  (CR30313)
The IP Application Switch platforms (5000, 5100) do not properly forward non-IP traffic through VLAN groups.

Memory usage statistics and the bigpipe ms command  (CR30323)
The bigpipe ms command inaccurately reports the memory usage percent when you have also set high-water and low-water reaper values. The command reports a memory usage percent that is much lower than the actual memory usage percent.

BIG-IP web server resources and multiple simultaneous users  (CR30327)
If a large number of users are logged into the Configuration utility at the same time, the Configuration utility may not function properly because the web server's resources are overextended. To avoid this issue, you can set the MaxClients option to 32 or lower, in the /config/bigconfig/httpd.conf file.

Generating key/cert pairs and domain name format  (CR30343)
In the Configuration utility, when you try to generate a key/cert pair for a domain name that starts with an integer (for example, 222domain.com), the BIG-IP system generates an error, and does not create the key/cert pair. To work around this issue, you can import an existing certificate. Alternately, you can generate the key/cert pair from the command line. First, run the genconf command and provide the requested information. Next, run the genkey <cert filename> command, where <cert filename> is the name of the certificate that you are creating.

SSL persistence mirroring and the failback mechanism on a redundant system  (CR30349)
When a redundant system experiences a failover and then a failback (the active unit goes to standby and then back to active), the system does not properly retain the SSL persistence record on the failback mechanism. Note that the system properly retains the SSL persistence record on the initial failover.

SSL session ID cache functionality and system resources  (CR30362)
In BIG-IP versions 4.5PTF-07 and 4.5PTF-08, on systems with two processors in SMP mode, the SSL session ID cache functionality is not working properly.

Connection state for late-binding connections and RST packets  (CR30377)
If a client sends a reset (RST) packet for an open, established, late-binding connection, and the ACK number does not fully acknowledge data relayed from the BIG-IP system, the BIG-IP system may discard the RST packet, and misinterpret that connection as open, when it is actually closed.

Large proxy quantity and fatal errors in the Configuration utility  (CR30441)
If you have a large number of proxies configured (more than 128), the Configuration utility experiences fatal errors when the system tries to list the proxies or the key/cert pairs on the Certificate Administration screen.

SMBus error messages and older BIG-IP appliance platforms  (CR30468)
In rare cases, after you apply the 4.5PTF-08 upgrade on older BIG-IP appliance platforms (D35), you may see the following error message in the BIG-IP log file:
smbh_io_wait_ready Bus Busy Timeout - status: 01

The error message is benign, as it does not apply to the D35 platform.

Excessive logging for Packet Velocity ASIC   (CR30478)
The Packet Velocity ASIC (PVA) is generating change notifications for global variables, even when the setting for the global variable has not actually changed. This extra logging may inadvertently fill up the PVA log file, /var/log/pva.log.

Viewing pool member statistics on systems with the Packet Velocity ASIC  (CR30498)
When you run the following bigpipe command, b virtual <address> show, on a BIG-IP system with full PVA acceleration, the command does not display incremental updates to the virtual server's statistics. If you are running the BIG-IP system with full PVA acceleration, you can view the incremental updates either by viewing them in the Configuration utility or by using the following bigpipe command: b node <address> show.

Disk usage calculation errors in the snmpdca utility  (CR30499)
The snmpdca utility contains a disk usage calculation error that, in rare instances, may cause the utility to fail.

Redundant systems and software upgrades from BIG-IP version 4.2, to BIG-IP version 4.5 and later  (CR30500)
When you upgrade a standby unit from BIG-IP version 4.2, to BIG-IP version 4.5 and later, the unit is unlicensed for a brief time. During the time that the unit is unlicensed, it may change from standby to active.

The bigpipe pool modify fallback command and specifying URIs  (CR30505)
When you specify a host and a URI path in the bigpipe pool <poolname> modify fallback command, the command fails. However, if you specify only a host and no URI path, the command works as it should. For example, the following syntax, which specifies only a host address (192.1.1.1), works:
bigpipe pool <poolname> modify { fallback http://192.1.1.1 }

The following syntax, which specifies both a host and a URI, does not work:
bigpipe pool <poolname> modify { fallback http://192.1.1.1/index.html }

Port mirroring syntax error in the BIG-IP Reference Guide, version 4.5  (CR30509)
In the BIG-IP Reference Guide, on page 3-46, the port mirror syntax example uses the admin port (3.1), which is not a valid port for a mirroring configuration. If you configure port mirroring on your system, do not use the admin port.

The LOAD-BAL-SYSTEM-MIB.txt file and service status object IDs  (CR30531)
The LOAD-BAL-SYSTEM-MIB.txt file currently does not have object IDs (OIDs) defined for the up or down status of a service.

Configuring port mirroring and using an interface that has traffic  (CR30544)
If you are configuring port mirroring on your BIG-IP system, you cannot configure a port that has any traffic whatsoever on it as the mirror-to port.

Errors disabling VLANs for a default SNAT  (CR30585)
When you create a default SNAT using the automap option, and then later try to disable one or more of the default SNAT's enabled VLANs, the system generates an error and the VLANs are not disabled. Note that the error occurs when you make this change using either the Configuration utility or bigpipe.

SSL proxy, node connection limits, and errors in the connection table  (CR30597)
If two clients connect to the BIG-IP at or near the same time, client one's connection may remain in the connection table after it makes its request. This can happen when all of the following conditions are met:

  • You use connection limits on nodes in conjunction with an SSL proxy.

  • You do not configure late-binding on the virtual server for those nodes.

  • The BIG-IP system reaps the client two connection before client one makes a request.

Note that this problem occurs whenever the retransmit interval and the keep-alive interval expire simultaneously, and resources become available during the last retransmission interval. You can avoid this problem by setting the keep-alive timeout to 75. To change the keep-alive timeout from the command line, open the etc/rc.sysctl file, locate the line sysctl -w net.inet.tcp.conntimeo=30, and change the value from 30 to 75. Save and close the file when you have finished.

Warning:  We strongly recommend that you make this change only if you are experiencing this known issue. Please contact support for assistance if you need it.

bigpipe monitor command  (CR30600)
You receive a syntax error if you use both <ip addr>:<service> and <ip addr> in the IP list for the bigpipe monitor command <ip list> <enable | disable>.

SSL proxy source IP address  (CR30601)
If you configure a target server with SSL proxy, SNAT automap does not change the source IP address. In addition, if the BIG-IP proxy is not included in the return path, the original virtual server address is not substituted, causing the client to reject the response.

IP Application Switch statistics reporting  (CR30917)
In an IP Application switch platform, the b interface show command does not show all input errors and dropped frames on the switch platforms.

SID reuse for SSL acceleration and the SMP kernel  (CR30940)
Session ID (SID) reuse does not currently work with the SMP kernel.

bigpipe quiet_boot disable command  (CR30956)
When you use the bigpipe bp save command, the system does not save the global quiet_boot disable setting in the configuration file.

IP Application Switch interface output error statistics  (CR30995)
In rare instances, the IP Application Switch platform may randomly increase the internal error counter. These errors are reported by Netstat® as Oerrs. These errors are incorrect, and do not affect the functionality of the BIG-IP system.

Configuration utility statistics  (CR31009)
The Configuration utility statistics for Max Conn Deny and Memory Usage are inaccurate. We recommend that you use the command line utility to view these statistics.

FastFlow (Fast Path) with address translation disabled  (CR31033)
If FastFlow (Fast Path) is enabled (default) and you disable address translation, long running streams of UDP traffic may cause the system to send ARP requests to an incorrect target node, which breaks the connection.

HTTPS monitor  (CR31053)
In certain cases, when the BIG-IP system receives very large requests, the HTTPS monitor may fail to find the receive rule string.

Log message after upgrade  (CR31058)
When you upgrade your BIG-IP system, and you reboot the system, you may see the following log message:
bigapi_unit_mask fails Specified unit mask incorrect

This log message is incorrect and has no effect on the BIG-IP system.

TCP node monitor and FTP  (CR31099)
The BIG-IP system may incorrectly mark FTP nodes down when the system is under load or when you have a large number of nodes configured.

Using the IP address 213.13.118.129:80  (CR31104)
If you add a pool with a member node with the IP address 213.13.118.129:80, when the address and port select a virtual server on the local system, it causes the BIG-IP system to panic and the configuration to be deleted. The issue occurs only when the address and service numbers are 213.13.118.129 and 80 respectively. If you want to avoid this issue, we recommend that you do not assign the IP address 213.13.118.129 to nodes on the BIG-IP system.

Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.


Workarounds for known issues

The following description provides a workaround for the corresponding known issue listed in the Known issues section.

New rule syntax requirements for literal strings (CR27784)

This workaround describes how to modify the rule syntax to use literal strings that are less than 63 characters in length.

The following is an example of a rule which will fail to load because of a literal string that is longer than 63 characters:

rule test {
   if (http_host == "portal.siterequest.com") {
      if (http_uri == "/" or http_uri == "") {
         redirect to "<http://%h/portal/server.pt?space=MyPage&cached=true&parentname=Login&parentid=1&userid=2&control=SetPage&PageID=-2>"
      }
      else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
         redirect to "<http://www.siterequest.com/portalaccount/>"
      }
      else {
         use pool Pool1
      }
   }
   else {
      use pool Pool1
   }
}

For the rule to function correctly, you must change the syntax in the rule to the following:

rule test {
   if (http_host == "portal.siterequest.com") {
      if (http_uri == "/" or http_uri == "") {
         redirect to "<http://%h/portal/server.pt" + "?space=MyPage&cached=true&parentname=Login" + "&parentid=1&userid=2&control=SetPage&PageID=-2>"
      }
      else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
         redirect to "<http://www.siterequest.com/portalaccount/>"
      }
      else {
         use pool Pool1
      }
   }
   else {
      use pool Pool1
   }
}
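
The following check is an added example, not part of the original release note or of the BIG-IP software: it scans rule text for literal strings that exceed the limit described above and rewrites them using the same "+" concatenation shown in the corrected rule. The function names, the sample rule (shortened from the one above), and the assumption that literals are double-quoted with no escaped quotes are all illustrative.

```python
import re

MAX_LITERAL = 62  # the note requires literals shorter than 63 characters
# Assumption: rule literals are double-quoted and contain no escaped quotes.
LITERAL_RE = re.compile(r'"([^"\n]*)"')

# Constructed sample, shortened from the failing rule in the release note.
SAMPLE_RULE = '''rule test {
   if (http_host == "portal.siterequest.com") {
      redirect to "<http://%h/portal/server.pt?space=MyPage&cached=true&parentname=Login&parentid=1&userid=2&control=SetPage&PageID=-2>"
   }
   else {
      use pool Pool1
   }
}'''


def find_long_literals(rule_text, limit=MAX_LITERAL):
    """Return (line_number, length, literal) for each literal over the limit."""
    return [(lineno, len(m.group(1)), m.group(1))
            for lineno, line in enumerate(rule_text.splitlines(), start=1)
            for m in LITERAL_RE.finditer(line)
            if len(m.group(1)) > limit]


def split_literal(literal, limit=MAX_LITERAL):
    """Split a literal into chunks of at most `limit` characters, breaking
    before a '?' or '&' where one is available."""
    chunks, rest = [], literal
    while len(rest) > limit:
        cut = max(rest.rfind("?", 1, limit + 1), rest.rfind("&", 1, limit + 1))
        if cut < 1:
            cut = limit  # no delimiter in range: hard split
        chunks.append(rest[:cut])
        rest = rest[cut:]
    chunks.append(rest)
    return chunks


def rewrite_rule(rule_text, limit=MAX_LITERAL):
    """Replace each over-long literal with "a" + "b" + ... concatenation."""
    def repl(match):
        parts = split_literal(match.group(1), limit)
        return " + ".join('"%s"' % part for part in parts)
    return LITERAL_RE.sub(repl, rule_text)


if __name__ == "__main__":
    for lineno, length, _ in find_long_literals(SAMPLE_RULE):
        print("line %d: literal of %d characters" % (lineno, length))
    print(rewrite_rule(SAMPLE_RULE))
```

Running the check over rule text before loading it identifies the lines that need to be split; short literals and empty strings pass through unchanged.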

Forwarding non-IP traffic through VLAN groups and redundant systems (CR29806, CR29334)

We recommend that you enable this feature only if you fully understand its current limitations.

To forward non-IP traffic through VLAN groups

  1. Enable non-IP traffic forwarding by typing the following command:
    echo "b internal set vlangroup_nonip = 1">>/config/routes

  2. If you have a redundant system, type the following command to update the peer unit:
    b configsync all

  3. Reboot the BIG-IP system.

The non-IP traffic forwarding feature is now enabled, and the BIG-IP system will forward non-IP traffic through VLAN groups, and through both the active and the standby units in redundant systems.


Acknowledgement updates

This product contains software based on oprofile, which is protected under the GNU Public License.
