Applies To:
BIG-IP versions 1.x - 4.x
- 4.5 PTF-07
Updated Date: 04/18/2019
Summary:
This product temporary fix (PTF) provides new features and fixes for BIG-IP software version 4.5. The PTF includes all fixes released since version 4.5, including features and fixes originally released in prior PTFs. We recommend this PTF only for those customers who want the new features and fixes listed below. You can apply the PTF to BIG-IP software, version 4.5 and later. For information about installing the PTF, please refer to the instructions below.
Contents:
Minimum system requirements
The minimum system requirements for this release are:
- Intel® Pentium® III 550MHz processor
- 256MB disk drive or CompactFlash® card (if you have the 3-DNS module, you need a 512MB disk drive or CompactFlash® card)
- 256MB RAM
- Supported browsers: Microsoft® Internet Explorer 5.0, 5.5, and 6.0; Netscape® Navigator 4.7x
Note: The IM package for this PTF is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this PTF.
Supported platforms
This release supports the following platforms:
- F35
- D25
- D30
- D35 (BIG-IP 520 and 540)
- D39 (BIG-IP 1000)
- D44 (BIG-IP 2400)
- D45 (BIG-IP 2000)
- D50 (BIG-IP 5000)
- D51 (BIG-IP 5100 and 5110)
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Installing the software
The following instructions explain how to install the BIG-IP software, version 4.5 PTF-07 onto existing systems running version 4.5 and later. The install script saves your current configuration.
Important: If you are upgrading a BIG-IP redundant system, you must upgrade both units. We do not support running different versions on a BIG-IP redundant system.
Important: Before you run the Configuration utility to configure the unit, you must complete the authorization and licensing process. (For details, see the Activating the license section of the BIG-IP version 4.5 Release Note.) If you do not obtain a license before you run the Configuration utility, the system may behave in an unexpected manner.
Important: If you are upgrading an IP Application Switch or a BIG-IP system that uses a CompactFlash® media drive, use the installation instructions here.
Note: In rare instances, using a network computer to perform PXE installations of BIG-IP software causes corruption on the network computer hard drive. If you are using a network computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you back up any important data stored on the network computer hard drive.
- Change your directory to /var/tmp/ by typing the following command:
cd /var/tmp/
- Connect to the F5 Networks FTP site (ftp.f5.com).
- Make sure the FTP client on the BIG-IP system is in passive mode before you download the file. If you are unsure which mode the client is in, at the command line, type pass. The system indicates which mode the client is in; if it is not in passive mode, type pass again, and the client will change to passive mode.
- Download the BIGIP_4.5PTF-07.im file from the /crypto/bigip/ptfs/bigip45ptf7/ directory to the /var/tmp directory on the target BIG-IP system by typing the following command:
get /crypto/bigip/ptfs/bigip45ptf7/BIGIP_4.5PTF-07.im /var/tmp/BIGIP_4.5PTF-07.im
- Install this PTF by typing the following command:
im BIGIP_4.5PTF-07.im
The BIG-IP system automatically reboots once it completes installation.
To upgrade an IP Application Switch or a CompactFlash® media drive, use the following process.
- Create a memory file system by typing the following command:
mount_mfs -s 200000 /mnt
- Change your directory to /mnt by typing the following command:
cd /mnt
- Connect to the F5 Networks FTP site (ftp.f5.com).
- Download the BIGIP_4.5PTF-07.im file from the /crypto/bigip/ptfs/bigip45ptf7/ directory to the /mnt directory on the target BIG-IP system by typing the following command:
get /crypto/bigip/ptfs/bigip45ptf7/BIGIP_4.5PTF-07.im /mnt/BIGIP_4.5PTF-07.im
- Install this PTF by typing the following command:
im /mnt/BIGIP_4.5PTF-07.im
The BIG-IP system automatically reboots once it completes installation.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
New features and fixes in this PTF
This PTF contains an important fix for BIG-IP Link Controller, and support for new BIG-IP Blade Controllers.
checktrap.pl changed in this release (CR29613)
The checktrap.pl script was changed in this release to accommodate new Nokia MIBs.
Features and fixes released in prior PTFs
The current PTF includes the following features and fixes released in prior PTFs, as listed below. (Prior PTFs are listed with the most recent first.)
Version 4.5 PTF-06
The 4.5 PTF-06 release included the following features and fixes.
Registration key display using Netscape version 4.72 on Linux (CR26820)
If you are using Netscape® version 4.72 with Linux® to add multiple registration keys, the License Administration screen now correctly displays the Current Registration Key list.
Load balancing modes and honoring node connection limits (CR27124)
When using observed_member, predictive_member, predictive, or observed load balancing modes, the member and node addresses now honor node connection limits.
FIPS 140 with a very large configuration (CR27237)
If you are using FIPS 140 with a very large configuration (greater than 400 configuration items such as pools, virtual servers and monitors), you no longer experience a compatibility issue.
UDP checksum when an incoming request has 0 UDP checksum (CR27240)
If an incoming UDP request has an initial checksum of 0, when the request is routed back through the BIG-IP system, the UDP checksum is now calculated correctly.
Condition in FastFlow (Fast Path) and order of T/TCP packets (CR27245)
The condition in FastFlow (Fast Path) that caused T/TCP packets to be out of order no longer exists. The T/TCP packets now arrive in proper order.
BIG-IP software now sends reset when all pool members are down with fallback disabled (CR27371)
The BIG-IP software now sends a reset when all members are down in a pool and fallback is disabled. In previous versions of the software, the packet was dropped.
Load balancing to disabled nodes (CR27422)
Pools now select nodes even when the nodes are disabled. The pool does not select a node if the node is down.
Using the Setup utility to configure the media type for an interface (CR27503)
When you use the Setup utility to configure the media type for an interface, the setting is now saved when you rerun the Setup utility.
Loading configurations with a large number of proxies (CR27555)
The BIG-IP software now supports loading configurations that have hundreds of proxies. Note that the number of keys and certificates should still remain small in order to guarantee fast load times.
imid persistence with pools and rules (CR27575) (CR27576)
Late-binding now functions correctly when you use the imid function to configure pool- and rule-based persistence.
OCSP configuration and protocol error logs (CR27600)
OCSP configuration and protocol errors are now logged to the SSL proxy log file /var/log/proxyd. OCSP revoked certificates are also logged with warnings on (proxyd -d 2).
OCSP with SSL proxy client certificate requests (CR27620) (CR27621)
OCSP is now supported in conjunction with the SSL proxy client certificate request feature. This allows client authorization using rules and the CertificateStatus header.
F5 Networks traps configuration (CR27664)
When you are using F5 Networks traps, the BIG-IP system uses the value you configure for the agent address. In previous releases, the host name address was used for the agent address.
Loading .ucs files with NTP running (CR27762)
If you have NTP enabled and you load the .ucs file using the Configuration utility, NTP now restarts properly.
FastFlow (Fast Path) with an out of order 4-way close (CR27859)
If you have FastFlow (Fast Path) configured, an out of order 4-way close no longer causes connections to close prematurely.
SIP persistence with virtual servers (CR27884)
With SIP persistence configured, when the BIG-IP system sends traffic to a server, and the traffic returns from a different virtual server to be sent out again, the traffic now persists to a node in the pool associated with the second virtual server.
Fixed string length limitations imposed by iRules relational operators (CR27906)
Rules using contains and ends_with operators now function correctly when the http_uri is greater than 64 characters.
OCSP: Web page displayed when OCSP response verify failure (CR27974)
Certain configuration error conditions, such as missing certificates in a trust chain, no longer cause revoked certificates to be granted access to the requested object.
Version 4.5 PTF-05
The 4.5 PTF-05 release included the following features and fixes.
Specified gigabit duplex setting on switches with fixed duplex settings (CR27755)
If the BIG-IP system is using gigabit interfaces and is plugged into a switch with a fixed duplex setting, you no longer need to configure the BIG-IP gigabit interface and the port on the switch to Auto before applying this PTF. The link between the BIG-IP system and the switch now functions correctly.
Version 4.5 PTF-04
The 4.5 PTF-04 release included the following features and fixes.
Because the PTF-04 release contained many new features, we have created an additional BIG-IP New Features Guide for version 4.5 PTF-04. In the following descriptions, you will find links to the New Features Guide, where we have described the features in more detail.
OCSP support
A significant feature in this release is support for the Online Certificate Status Protocol (OCSP). OCSP provides an alternative to a certificate revocation list (CRL), which is used during certificate verification to determine whether an SSL certificate presented by a client has been revoked. Because CRLs are updated only at regular intervals, the information in a CRL can sometimes be outdated at the time that it is checked. Using OCSP instead of a CRL eliminates this problem by ensuring that the revocation status of a client certificate is always current. For more information about configuring OCSP, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
The system_check script
The system_check script is useful for displaying and logging hardware failures. For more information about the system_check script, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
SYN Check
The new SYN Check™ feature mitigates a particular type of denial-of-service attack known as a SYN flood. A SYN flood is an attack against a system for the purpose of exhausting that system's resources. For more information about configuring the SYN Check feature, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
New format for the SSLClientCertSerialNumber header
We have made an enhancement to the SSL Accelerator proxy. This change to the SSLClientCertSerialNumber header gives users who write rules based on certificate serial numbers the ability to write to a consistent format, regardless of the length of the serial number. For more information about this new format, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
Script to set up core capture
We have added a new script to automate core capturing on a BIG-IP system. The script runs automatically after you install this PTF and reboot the system, if the system has a hard drive. It provides functionality to enable and disable core capture.
After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.
You can disable this functionality with the following command:
config_savecore -disable
You can re-enable the functionality with the following command:
config_savecore -enable
Important: As long as this functionality is enabled, you see the message savecore: no core dump during boot time.
SSL Proxy caches server-side SSL sessions per IP address
We have added a new global variable that provides the ability to change how the session ID is reused by server-side sessions for IP addresses. If you want the SSL proxy to attempt to re-use the same session ID no matter what the client (source) IP address is, set the global to the default setting disable. If you want the SSL proxy to reuse connection IDs this way, type the following command:
global sslproxy serverssl cache per client addr disable
When the variable is set to enable, the SSL proxy attempts to re-use a session ID only when the client (src) address is the same as it was in the original session with that ID. If you want the SSL proxy to reuse connections this way, type the following command:
global sslproxy serverssl cache per client addr enable
Performance gain in SSL processing
In previous releases, two-processor appliances had one processor dedicated to network I/O and one processor dedicated to other system processes that perform functions like handling SSL traffic. In certain cases, you can switch to SMP mode and have both processors dedicated to processing SSL traffic. You can achieve a performance gain in SSL processing by using SMP mode, but only if your configuration meets the following requirements:
- The system is a Dual CPU platform
- The system is for processing SSL only
- The system is not handling significant quantities of L2 or L4 traffic
- You want an increase in the SSL proxy performance
If your BIG-IP system is handling mixed network traffic, such as virtual addresses that only perform L2 traffic and virtual addresses that do SSL processing on the same box, you should leave the system configured the way it is; SMP mode will not help this configuration. SMP mode only helps the performance of systems that are exclusively using the BIG-IP for SSL traffic.
If you want the increased SSL proxy performance provided by the SMP mode, and are willing to sacrifice the processing of other types of network traffic, then you may want to consider switching your system to SMP mode. Type the following command to put the system in SMP mode:
b db set Local.Bigip.Boot.Kernel = SMP
After you change the kernel setting in the bigdb, type the following command to restart sod:
bigstart restart sod
After sod restarts, type the following command to reboot the system:
reboot
Type the following command if you want to switch back to ANIP mode:
b db set Local.Bigip.Boot.Kernel = ANIP
NOTE: An alternative to putting the system in SMP mode is to create a scalable SSL configuration as described in the BIG-IP Controller Solutions Guide, Chapter 11, Configuring an SSL Accelerator.
CORBA port number in the Configuration utility (CR19780)
We removed the ability to change the CORBA port number in the Configuration utility. The CORBA IIOP port should only be set to the default setting of 683.
Raw Ethernet packets in ANIP mode (CR20274)
We have corrected the way ANIP mode handles raw Ethernet packets. Previously, raw Ethernet packets would occasionally cause a race condition.
Header insert and header erase attributes (CR21617)
There is no longer a 128 byte limitation on the header insert and header erase attributes.
Windows uploads (CR22043)
Delayed acknowledgement packets (ACKs) no longer restrict Windows uploads at 40K per second.
Using the MGMT interface on units that include the Packet Velocity ASIC (CR22599)
It is important that you use the MGMT interface (3.1) on units that include the Packet Velocity ASIC for administration only. We recommend that you do not use the MGMT interface on a VLAN you plan to use for load balancing traffic.
Connection and packet statistics (CR22709)
Connection and packet statistics now display correctly when you run the bigtop utility.
SIP persistence: two exact SIP UDP messages (CR24304)
The BIG-IP system no longer creates two connection table entries when two identical SIP UDP packets are received.
Using fallback persistence with SIP persistence (CR24306)
You can now use the simple_timeout simple persistence setting as a fallback for SIP persistence.
Using a VLAN group configuration in transparent or translucent mode (CR24409)
You can now configure the BIG-IP unit to bridge between two VLANs in either transparent or translucent mode without creating duplicate packets.
Process-checking field in snmpd.conf (CR24450)
We have corrected the process checking field (proc) in the snmpd.conf. It now puts the correct information into the ucd prTable.
Remote authentication server responses (CR24487)
If you have remote authentication configured and you mistype a password or user login, the correct remote authentication server responds.
User name in audit logs (CR24600)
The audit logs now show the correct user name when a user makes configuration changes.
SNMP virtualAddressEntry table and wildcard virtual servers (CR24647)
The SNMP virtualAddressEntry table can now handle wildcard virtual servers.
Name field on the Add VLAN Group and VLAN Group Properties page (CR24719)
The maximum number of characters for a VLAN group name is 15 characters.
Monitor name limitations (CR24864)
Monitor names typed in the Configuration utility and the command line are no longer limited to 31 characters.
Authorization: setting the user key to "user" (CR24880)
You can now set the authorization user key to user without causing a syntax error when you load the configuration.
Audit logs and resetting statistics for services (CR24923)
The audit logs now correctly show the services when you reset statistics with the command b global stats reset.
Resetting statistics for node server (CR24924)
The audit logs now display correctly when the statistics are reset for a node server.
Gratuitous ARPs with MAC masquerading and VLAN failsafe configured (CR24925)
Gratuitous ARPs are now handled correctly in an active/standby redundant scenario with MAC masquerading and VLAN failsafe configured. When the active unit detects no traffic on the VLAN, such as when the cable is unplugged, or the unit is rebooted, the other unit becomes active. When the unit that was demoted to standby reboots, it now sends a gratuitous ARP for its self IP addresses.
DELL: Large BSDi Partition and DOS in the FDISK table (CR24941)
We have corrected a problem that could have caused an error during installation on some DELL platforms.
Increased SSH DSA host key security (CR24955)
SSH key generation now uses hardware random number generators when available. This increases the security of the SSH DSA host keys and reduces the probability that the key can be guessed, or that a random key collision could occur.
Rule hierarchy modification for direct node selection and cookie insert (CR24957)
We have changed the rule hierarchy so that direct node selection occurs before cookie insert.
DELL: watchdog timeout resetting (CR24962)
We have corrected watchdog timeout reset problems with fixes from the Broadcom erratum for BCM5700 chips.
Unaccepted, timed-out connection requests (CR24984)
We have corrected a problem that could be caused if a SYN packet was sent from a client through a virtual server to a server, and the server did not answer before the connection timeout was reached. Previously, the reaper sent an RST in both directions.
TCP SYN packets received for a self IP address that matches TIME_WAIT connection (CR24993)
If a TCP SYN packet is received for a self IP address, and it matches an old connection that is in TIME_WAIT state (same source and destination address and port), the system deletes the old connection and creates a new one.
CPU statistics reported correctly in multiprocessor mode (CR25018)
When the BIG-IP system is running in multiprocessor mode, CPU usage metrics are now reported correctly when you use the top utility.
VLAN-keyed connections on the 2400 platform (CR25046)
We have corrected a problem with VLAN-keyed connections on the 2400 platform. The packet and byte statistics occasionally were not counted for pools and SNATs.
OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the correct object identifier (OID) associated with it.
SSL proxy consuming all available file descriptors (CR25081)
We have corrected a problem that caused the SSL proxy to consume all available file descriptors.
Savecore captures on large hard drives (CR25083)
The savecore program now functions correctly on large hard drives.
Server FINs from early-closed late-bound connections (CR25094)
Server FINs from early-closed late-bound connections are now returned properly to the client.
Pool::set_persist_mode() to type_expression through the iControl SDK without expression (CR25096)
You can now set up the Pool::set_persist_mode() to type_expression through the iControl SDK without an expression without causing system instability.
Error message on shutdown (CR25110)
On switch platforms, we have corrected a situation that caused an error message to display as the system shut down to reboot.
Tcpdump on the 5000 series with mirror VLAN and mirror hash enabled (CR25129)
We have corrected a problem that prevented tcpdump from showing traffic on the 5000 series with mirror VLAN and mirror hash enabled.
BIG-IP Application Switch as the only active STP in the network (CR25162)
If the BIG-IP Application Switch is the only STP-enabled entity in the network, parallel ports go to a forwarding state because the switch ignores its returning bridge protocol data unit (BPDU) frames. This leaves the network open to bridge loops. To avoid this situation, we recommend that you disable STP if you only have one BIG-IP Application Switch in your network. Use the following command to disable STP on the BIG-IP system:
b stp <stp_name> disable
VLAN groups and non-IP traffic (CR25176)
VLAN groups can now forward non-IP traffic.
Connection table entry reaping for UDP packets with node address disabled (CR25186)
We have corrected a problem where, in rare circumstances, connection table entries were not reaped for UDP packets when the node address was disabled.
FIPS: nCipher driver debug messages (CR25308)
The FIPS nCipher driver no longer outputs debug messages.
E-Commerce Controller: Adding a virtual server with a wildcard port (CR25314)
When you add a virtual server with a wildcard port, port translation is now disabled by default in both the Configuration utility and from the command line.
Connection rebinding with members that have different priorities (CR25348)
Connection rebinding with members that have different priorities now works correctly.
Default VLANs on 5100 and 5110 platforms (CR25352)
The default VLANs on the 5100 and 5110 platforms are now mapped consistently in the following manner:
| VLAN | Untagged interfaces |
| --- | --- |
| admin | 3.1 |
| external | 2.1 |
| internal | 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 2.2 2.3 2.4 |
Clean up of logs during upgrade on systems with the Packet Velocity ASIC (CR25405)
We have improved clean up of logs during the upgrade on systems with the Packet Velocity ASIC.
SNMP: data from globalAttr* (CR25429)
We have updated the data for the SNMP globalAttr*. Also, we have corrected the following spelling errors:
globalAttrMaintenceMode is now globalAttrMaintenanceMode.
globalAttrPersistAccrossVirtuals is now globalAttrPersistAcrossVirtuals.
Also, we have changed the globalAttrPersistTimerUsedAsLimit to use either timeout or limit rather than true or false. The default setting is timeout.
MAC masquerade addresses and forcing a system to standby (CR25453)
When you purposefully change the state on a BIG-IP unit in a redundant system from active to standby, the first octet of the MAC address for any self IPs that you have configured may change to 02. This happens only when your configuration meets all of the following conditions:
- You are running BIG-IP HA software.
- You have VLANs that are not a part of a VLAN group.
- The self IPs for those VLANs have a MAC masquerade address configured.
- You force the active unit in a redundant system to standby, without rebooting.
Hardware Acceleration of forwarding pools (CR25462)
The Packet Velocity ASIC now partially accelerates forwarding pools.
Statistics for interfaces that are in a VLAN but not in use (CR25470)
The bigpipe interface show command no longer incorrectly reports statistics for interfaces that are in a VLAN but not in use.
SNMP: enterprises.ucdavis.memory.* OID (CR25488)
The enterprises.ucdavis.memory.* now returns valid information.
SSL proxy bigdb keys listed in /config/default.txt (CR25502)
We have updated the SSL proxy bigdb keys listed in /config/default.txt.
The persist dump command (CR25520)
We have corrected a problem with the b persist dump command that caused the error message Name exceeds maximum length to be displayed. This message is no longer displayed.
Virtual server bound to VLAN after deletion (CR25524)
We have corrected a problem where a virtual server was bound to a VLAN that had two or more networks configured even after you attempted to delete it.
/var/log/bigd: shut down of checkd (CR25525)
When checkd shuts down, the correct message is now logged in /var/log/bigd. The message is now checkd: exiting.
Memory usage with IP rate filtering or SSL proxy re-encryption (CR25542)
We have corrected a problem where under certain memory overload conditions, using IP rate filters or SSL proxy re-encryption could cause system instability.
The bigpipe interface media show command (CR25544)
The b interface media show command now shows the media type for the specified interface.
SSL proxy rewriting redirects in 302 responses (CR25550)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.
Associating multiple monitors with the same service (CR25572)
You can now associate multiple monitors with the same service using the Configuration utility, and not receive the message Error 132 - Monitor template not found.
Connection reuse and FastFlow (Fast Path) (CR25595)
We have streamlined how the FastFlow (Fast Path) feature reuses certain connections. The connections are now handled more efficiently.
Certificate expiration dates on the Certificate List Screen (CR25610)
The certificate expiration dates on the Certificate List Screen now display the correct expiration dates.
Logging forced down to /var/log/bigd (CR25614)
When you force a node to the DOWN state using the Configuration utility, or from the command line, the forced down state is now logged in /var/log/bigd.
Redirect rewrites for HTTP/0.9 requests on the SSL proxy (CR25624)
We corrected a problem with redirect rewrites for HTTP/0.9 requests on the SSL proxy that produced the log message No space in response line.
nCipher card failure (CR25629)
The BIG-IP system now fails over to the peer unit when an nCipher card fails.
SSL proxy performing an HTTP header insert (CR25671)
We have corrected a problem where, in rare circumstances, an SSL proxy performing an HTTP header insert could assume it had received the end of the header.
Dual processors detected with no GNIC (CR25694)
The SMP kernel is now used automatically in dual processor systems with no gigabit Ethernet NICs.
New proxy ARP exclusion class (CR25801)
You can now create a proxy ARP exclusion class on the BIG-IP system, proxy_arp_exclude. Use this class to prevent the BIG-IP system from generating gratuitous ARP requests to its peer unit when you have a redundant system using VLAN Groups. To configure the proxy_arp_exclude class, in the navigation pane, click Classes, and then click the Add Class button. (For assistance with the settings, click the Help button.) You can also find information about the proxy_arp_exclude class in the BIG-IP Reference Guide, version 4.5.
Interrupt coalescing in the Intel wx driver (CR25823)
We have added an update from an errata for the Intel wx driver which caused an Intel gigabit network card to stop processing traffic. When the error occurred, the message "wx<n> device timeout" was logged. The fix is automatic for customers using the ANIP kernel. Please contact Support if you are running the SMP kernel on your system.
IP Application Switch: IS-IS multicast packets on the ingress port (CR25935)
IP Application Switch platforms no longer re-broadcast IS-IS multicast packets on the ingress port.
Dual processor system running in ANIP mode during core dump (CR25943)
Dual processor systems running in ANIP mode can now create core files that are more useful.
Command line and Configuration utility QoS values on pools (CR25944)
You can now enter only valid QoS values for pools. The valid range is 0 to 7.
Connection reaping if the client closes the connection without sending data (CR25983)
For late-binding connections, if the client negotiates a connection without sending any request, the connection is reaped.
Swap partition size (CR26010)
We have increased the swap partition size to 2 Gigabytes.
SSL proxy: 100 Continue responses (CR26034)
SSL Proxy now rewrites 302 redirects seen after a 100 Continue message (usually sent by the server after a POST operation).
Reboot of standby 2400 unit and connectivity with the active unit (CR26078)
We have corrected a problem where in certain cases, on the 2400 platform with network failover configured, rebooting the standby unit in an active/standby redundant configuration caused the active unit to lose existing connections. We recommend that if you require network failover, you configure the admin ports (port number 3.1) for failover.
Rules precedence problems (CR26097)
We have corrected a rules syntax precedence problem that could cause extra parentheses to be added to rule syntax saved in the /config/bigip.conf.
Redirect rule and extra '/' (CR26107)
We have corrected a problem that added an extra forward slash (/) to redirect rule syntax.
Forwarding pool causes annunciator LED to flash yellow (CR26116)
If you configure a forwarding pool on any platform, the yellow alarm LED flashes yellow indicating a pool with zero active nodes. In this case, the yellow alarm LED is benign.
Connection rebinding for UDP with FastFlow (Fast Path) enabled (CR26135)
Connection rebinding now functions correctly with UDP packets when you have FastFlow (Fast Path) enabled.
Using the address 127.0.0.x as a member in a pool (CR26174)
Using the address 127.0.0.x (where x is the host number) as a member in a pool, no longer causes the BIG-IP system to hang.
Handling of 'Connection: close' header from client in HTTP/1.1 (CR26177)
We have corrected how the system handles Connection: close header from client in HTTP/1.1.
Closing connections with One Connect enabled (CR26178)
With One Connect enabled, the FIN-ACK was not being sent through to the client. We have corrected this problem. If you see this problem, please contact support for the solution.
Failover: Synchronization of mirrored connections on a standby box (CR26197)
Mirrored connections from an active unit are now mirrored on the standby unit as soon as the standby unit is rebooted or restarted.
Packets with a TCP checksum of 0 (CR26202)
We have corrected a problem that caused packets with a TCP checksum of 0 to be transformed to a checksum of 0xFFFF by FastFlow (Fast Path).
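CR27240 (an incoming UDP checksum of 0) and CR26202 (a TCP checksum of 0 rewritten to 0xFFFF) both hinge on one rule that differs between the two protocols: in UDP a checksum field of 0 means "no checksum" and a computed zero is transmitted as 0xFFFF (RFC 768), whereas in TCP 0x0000 is a legitimate checksum and must pass through unchanged. The Python below is an added illustration, not F5 code; it computes, verifies and repairs transport checksums the way a device that rewrites destination addresses must, using constructed addresses and packets.

```python
import struct

TCP, UDP = 6, 17


def ipv4(addr: str) -> bytes:
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that TCP and UDP both prepend before checksumming."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def transport_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """Value for the checksum field; `segment` is header+payload with that field zeroed."""
    total = ones_complement_sum(pseudo_header(src, dst, proto, len(segment)) + segment)
    raw = (~total) & 0xFFFF
    if proto == UDP and raw == 0:
        # RFC 768: UDP transmits a computed zero as 0xFFFF, because 0 means "no checksum".
        return 0xFFFF
    # TCP has no such rule: 0x0000 is a legitimate checksum and must not be rewritten.
    return raw


def checksum_offset(proto: int) -> int:
    """Byte offset of the checksum field: 6 in the UDP header, 16 in the TCP header."""
    return 6 if proto == UDP else 16


def set_checksum(proto: int, segment: bytes, value: int) -> bytes:
    off = checksum_offset(proto)
    return segment[:off] + struct.pack("!H", value) + segment[off + 2:]


def get_checksum(proto: int, segment: bytes) -> int:
    off = checksum_offset(proto)
    return struct.unpack("!H", segment[off:off + 2])[0]


def verify(src: str, dst: str, proto: int, segment: bytes) -> bool:
    """True when the checksum is valid. A UDP checksum of 0 means 'absent' and is accepted."""
    if proto == UDP and get_checksum(UDP, segment) == 0:
        return True
    total = ones_complement_sum(pseudo_header(ipv4(src), ipv4(dst), proto, len(segment)) + segment)
    return total == 0xFFFF


def translate_dst(src: str, new_dst: str, proto: int, segment: bytes) -> bytes:
    """Rewrite the destination (as a load balancer does toward a node) and repair the checksum.
    A UDP datagram that arrived without a checksum is forwarded without one; a TCP segment whose
    correct checksum is 0x0000 keeps that value instead of being turned into 0xFFFF."""
    if proto == UDP and get_checksum(UDP, segment) == 0:
        return segment
    zeroed = set_checksum(proto, segment, 0)
    return set_checksum(proto, zeroed, transport_checksum(ipv4(src), ipv4(new_dst), proto, zeroed))


def segment_with_zero_checksum(src: str, dst: str, proto: int, header: bytes) -> bytes:
    """Append a 2-byte payload chosen so that the correct checksum for `header` is exactly 0x0000.
    `header` must have its checksum field zeroed."""
    partial = ones_complement_sum(pseudo_header(ipv4(src), ipv4(dst), proto, len(header) + 2) + header)
    return header + struct.pack("!H", (0xFFFF - partial) & 0xFFFF)


def demo() -> dict:
    """Constructed traffic: client, virtual server address and back-end node (addresses are made up)."""
    src, vip, node = "10.0.0.5", "192.0.2.10", "10.1.1.20"
    # TCP SYN to port 443 built so that its correct checksum happens to be 0x0000.
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    tcp = segment_with_zero_checksum(src, vip, TCP, tcp_hdr)
    tcp = set_checksum(TCP, tcp, transport_checksum(ipv4(src), ipv4(vip), TCP, tcp))
    # UDP datagram in the same situation: the field must carry 0xFFFF, not 0.
    udp_hdr = struct.pack("!HHHH", 5060, 5060, 10, 0)
    udp = segment_with_zero_checksum(src, vip, UDP, udp_hdr)
    udp = set_checksum(UDP, udp, transport_checksum(ipv4(src), ipv4(vip), UDP, udp))
    # UDP datagram sent with no checksum at all (field 0), the case CR27240 describes.
    udp_none = struct.pack("!HHHH", 5060, 5060, 12, 0) + b"ping"
    fwd = {p: translate_dst(src, node, p, s) for p, s in ((TCP, tcp), (UDP, udp))}
    fwd_none = translate_dst(src, node, UDP, udp_none)
    return {
        "tcp_checksum": get_checksum(TCP, tcp),  # 0x0000, and that is correct for TCP
        "udp_checksum": get_checksum(UDP, udp),  # 0xFFFF
        "valid_in": verify(src, vip, TCP, tcp) and verify(src, vip, UDP, udp)
        and verify(src, vip, UDP, udp_none),
        "valid_out": verify(src, node, TCP, fwd[TCP]) and verify(src, node, UDP, fwd[UDP]),
        "no_checksum_kept": get_checksum(UDP, fwd_none) == 0 and verify(src, node, UDP, fwd_none),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```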
Late-binding state out of synchronization with Keep-Alives (CR26221)
We have corrected a synchronization problem between the state of a connection handled by a late-binding virtual server and the keep-alive state of the connection on the server that could cause the connection to lock up or behave unpredictably. This problem affected the cookie insert feature, the hash cookie feature, and rules. One of the ways you could observe this problem was that a new connection could be paired with an existing connection and the existing content could be sent to the client requesting the new connection.
SSL proxy and error log messages when CRLs are out of date (CR26240)
The SSL proxy now logs an error message when a Certificate Revocation List (CRL) is out of date.
Multiple VLAN SNATs when virtual servers are fully accelerated (CR26242)
When you have multiple VLAN SNATs configured, they are now partially accelerated by the Packet Velocity™ ASIC when virtual servers are fully accelerated.
Advanced Routing Modules: OSPF module during an LSA update (CR26268)
We have corrected a problem that was destabilizing the OSPF module during LSA updates.
SIP persistence and virtual servers with address translation disabled (CR26278)
SIP persistence now works correctly with virtual servers that have address translation disabled.
The b load command and connection limits (CR26451)
The b load command no longer causes the connection count to be set to zero, which prevented connection limits from being honored.
bigpipe values allowed for ip_tos (CR26478)
The bigpipe command now limits the possible values for ip_tos to the correct value range (0 - 255).
SNMP: settings for virtualServerFailoverFlags (CR26509)
We have updated the values for virtualServerFailoverFlags. The appropriate values are nonmirroring and mirrorconnections.
Upgraded OpenSSL (CR26518)
We have upgraded OpenSSL to version 0.9.7a. This upgrade includes various security fixes and enhancements including the following:
- Security: Important security-related bug fixes
- Security: Support for OCSP, the Online Certificate Status Protocol
- ENGINE: Can be built without the ENGINE framework
- Assembler: IA32 assembler enhancements
- Configuration: The no-err option now works properly
- SSL/TLS: Now handles manual certificate chain building
- SSL/TLS: Certain session ID malfunctions corrected
Port Translation default settings for the Configuration utility and command line (CR26543)
The following settings are the updated default port translation settings for both the Configuration utility and the command line:
Type of object | Port Translation
net:*          | disabled
ip:*           | disabled
vlan:*         | disabled
*:*            | disabled
ip:port        | enabled
net:port       | enabled
vlan:port      | enabled
*:port         | disabled
URI with rule redirect using port (:p) when port is 80 (CR26618)
We have corrected a problem that was adding extra characters to the end of a URI redirected using port 80.
Advanced Routing Modules configuration files (CR26619)
The configuration files for the Advanced Routing Modules now save and load correctly when daemons are started up.
ITCM.log rotation (CR26781)
The ITCM.log is now rotated daily.
Advanced Routing Modules creating a core file (CR26783)
We have corrected a problem that was causing the Advanced Routing Modules to create a core file if the full path was not specified for the log file.
SSL proxy certificate serial number consistency (CR26800)
The SSL proxy certificate serial numbers are now listed in a consistent format.
Authorization: adminpw value (CR26824)
The adminpw setting is now saved correctly when you load a configuration using the b config load command.
bge message on reboot (CR26827)
When you reboot the 1000 and 5100 series platforms, you no longer see this unnecessary message:
bge0: bge_wait_bit_clr timeout: reg=0x468 mask=0x2
bigpipe: imid parsing (CR26875)
We have corrected a problem that prevented the imid rule syntax from being parsed correctly, with or without braces.
wd0: lost interrupt message (CR26943)
You no longer see the following benign error message when you upgrade your system:
wd0: lost interrupt
RULES: Loading configuration with external classes (CR26952)
When the configuration loads, classes are now loaded before pools. This eliminates a problem with using external classes with the mapclass2node option in the pool selection.
SSL: turn on RSA Blinding for software RSA private key operations (VU#997481) (CR26966)
We have turned on RSA Blinding for software RSA private key operations as noted in the CERT vulnerability note VU#997481. This may impact SSL performance to some degree.
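The RSA blinding described above works by multiplying the ciphertext by a random r^e before the private-key exponentiation and removing r afterwards, so the secret-dependent computation never runs directly on attacker-chosen input. The following Python block is an added illustration of that technique; it is not BIG-IP or OpenSSL code. The key is a toy key constructed inline (p = 61, q = 53, far too small for real use) so the arithmetic is easy to follow.

```python
"""RSA private-key operation with and without blinding (added example).

Constructed toy key, NOT a real key: p = 61, q = 53, e = 17. Blinding
multiplies the ciphertext by r^e for a fresh random r, exponentiates, and
strips r, so the running time of the modular exponentiation no longer
correlates with the ciphertext an attacker supplied (the timing attack
in VU#997481). The result is identical to the unblinded operation.
"""
import secrets
from math import gcd

P, Q = 61, 53               # constructed toy primes
N = P * Q                   # modulus, 3233
PHI = (P - 1) * (Q - 1)     # 3120
E = 17                      # public exponent
D = pow(E, -1, PHI)         # private exponent, 2753 (Python 3.8+)


def rsa_public(m: int, e: int = E, n: int = N) -> int:
    """Encrypt or verify: m^e mod n."""
    return pow(m, e, n)


def rsa_private_unblinded(c: int, d: int = D, n: int = N) -> int:
    """Plain c^d mod n: its timing depends on both c and d."""
    return pow(c, d, n)


def rsa_private_blinded(c: int, d: int = D, n: int = N, e: int = E) -> int:
    """Same result as rsa_private_unblinded, but the secret exponentiation
    sees c * r^e for a random r invertible mod n, never c itself."""
    while True:
        r = secrets.randbelow(n - 2) + 2        # 2 <= r < n
        if gcd(r, n) == 1:                      # need r^-1 mod n to exist
            break
    r_inv = pow(r, -1, n)
    blinded_c = (c * pow(r, e, n)) % n          # c * r^e
    blinded_m = pow(blinded_c, d, n)            # (c r^e)^d = m * r mod n
    return (blinded_m * r_inv) % n              # remove r, leaving m


def roundtrip_ok(m: int) -> bool:
    """Check that both private-key paths recover m for the toy key."""
    c = rsa_public(m)
    return rsa_private_unblinded(c) == m == rsa_private_blinded(c)


if __name__ == "__main__":
    c = rsa_public(65)
    print("ciphertext:", c)
    print("unblinded:", rsa_private_unblinded(c), "blinded:", rsa_private_blinded(c))
```

Because r is chosen fresh for every operation, repeated decryptions of the same ciphertext take different code paths inside the exponentiation, which is what removes the timing signal; the extra cost is one public exponentiation plus one modular inverse per operation, the performance impact the note refers to.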
T/TCP connection closing (CR26972)
We have corrected a problem that prevented some T/TCP connections from closing correctly.
Network virtual server loading in a particular order with others on the same subnetwork (CR26988)
We have corrected a problem that was preventing network virtual servers on the same subnetwork from working if they were not ordered in the /conf/bigip.conf file in a particular order. Now they work in any order.
SSL Proxy: handling BMP, IA5, and UTF8 certificate strings with LDAP authentication (CR27018)
The SSL proxy can now handle BMP, IA5, and UTF8 certificate strings with LDAP authentication. This increases the BIG-IP system's compatibility with Microsoft's SiteServer and Active Directory.
SSL proxy virtual server configured with a last hop pool (CR27040)
We have corrected a problem that could stop traffic through an SSL proxy virtual server configured with a last hop pool.
Transaction level on systems monitored by the iControlTM Services Manager (CR27192)
We have reduced the level of transactions generated on systems monitored by the iControl™ Services Manager.
Licensed system without EULA acceptance (CR27215)
A warning is now displayed if the system is licensed but you have not accepted the EULA.
SSL proxy: a very long URI followed by header insert and another header value (CR27218)
The SSL proxy can now handle connections in situations where there is a very long URI and an inserted header with no client headers (just a bare request).
SSL proxy: 100 Continue responses (CR27234)
The SSL proxy now correctly handles 100 Continue responses that are up to 140 bytes. You can observe this activity only when the BIG-IP system and server have not made the three-way handshake by the time two halves of a POST are received by the BIG-IP system.
SSL proxy: session IDs rejected by the server (CR27274)
The SSL proxy no longer attempts to reuse session IDs rejected by the server.
Rotation of the /var/log/cron file (CR27355)
The /var/log/cron file is now rotated daily instead of weekly.
Version 4.5 PTF-03
The 4.5 PTF-03 release included the following fix.
HTTP requests through a Layer 7 virtual server with a specific size (CR25868)
We corrected a problem in version 4.5 of the BIG-IP software that could cause the system to become unstable when HTTP requests of certain specific sizes were received through a rule using a Layer 7 variable or through a pool with a Layer 7 attribute.
Version 4.5 PTF-02
The 4.5 PTF-02 release included the following features and fixes.
Layer 7 Checksum Validation
A new global, l7_validate_checksums, is included in this release. We recommend that you do not change the value of this global variable unless you are instructed to by a support representative.
UDP checksums and TFTP packets (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.
Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.
iControl SOAP null nat_addr value for NAT::set_arp used with the iControlPortal (CR24914)
The iControlPortal no longer becomes unstable when it processes an iControl SOAP null nat_addr value for NAT::set_arp.
Zero length IP/UDP packets received by the system when forwarding (CR24931)
Zero length IP/UDP packets received when forwarding is enabled no longer destabilize the system.
Incorrect TCP checksum causing virtual server to send packets (CR24983)
Virtual servers no longer send packets when the TCP checksum is incorrect. In order to implement this fix, please contact support.
Mid-stream SSL renegotiations with the SSL proxy (CR24989)
The SSL proxy can now handle mid-stream SSL renegotiations.
SSL proxy sending ACKs to clients with late binding (CR25015)
The SSL proxy now sends acknowledgement packets (ACKs) to clients correctly when handling late binding connections.
Connection statistics when you change the configuration under load (CR25044)
On the 2400 platform, the connection statistics are now correct even if you change the configuration under load.
Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.
Dual processor system without a gigabit interface (CR25104)
The BIG-IP 540 platform now supports two processors correctly if there is no gigabit Ethernet interface installed in the platform.
Strict string evaluation for cookie hash persistence (CR25122)
Improved the cookie name lookup and hash mode for cookie hash persistence.
SSL TPS performance with increasing concurrent clients (CR25164)
Optimized the SSL transaction per second (TPS) performance when there is an increasing number of concurrent clients.
SSL proxy forwarding unparsed server response to client (CR25168)
When rewriting of redirects is enabled, the SSL proxy no longer forwards an unparsed server response to the client.
Configuring serial terminal as console (CR25183, CR25414, and CR25445)
You can now configure the serial terminal as the console on all platforms.
Deleting a SNAT and re-adding it to the configuration (CR25198)
The SNAT current connections statistics are now correct after you delete a SNAT and then add it back to the configuration.
Comparing class values (CR25236)
You can now use the contains, starts_with, and ends_with operators to compare class values.
Licensing in the web-based Configuration utility (CR25239)
Corrected a problem when licensing the standby unit through the web-based Configuration utility that could cause traffic to stop on the active unit.
Instability when using Universal Inspection Engine redirect (CR25358)
The Universal Inspection Engine redirect feature no longer causes instability in the system.
Unit ID with a SNAT translation (CR25372)
You can now include a unit number after the SNAT translation address.
Version 4.5 PTF-01
The 4.5 PTF-01 release included the following features and fixes.
Added support for the 2400 platform
This release includes enhanced support for the F5 Networks 2400 platform.
Viewing licensing error log files from the Configuration utility (CR25055)
You can now view the log files for errors that occur during the licensing process using the Configuration utility. A View Log File button appears on the licensing screen when the licensing process generates errors.
Resets (RSTs) from aging-out connections (CR22219)
Resets (RSTs) from aging-out connections no longer cause some connections to hang due to incorrect sequence numbers for the resets.
CA-2002-31, Multiple Vulnerabilities in BIND (CR25085)
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.
Optional configuration changes
Once the software is installed, you have the option of making any or all of the following configuration changes.
Changes to trap syntax
If you are upgrading to version 4.5 PTF-07 from a previous version of the BIG-IP software, the traps syntax has been changed.
The new syntax is as follows:
local0.* /var/run/trapper
local1.* /var/run/trapper
local2.* /var/run/trapper
auth.* /var/run/trapper
Note: In order to start or restart trap throwing functionality, you need to reboot the BIG-IP system.
Known issues
The following items are known issues in the current release.
Fan and temperature monitoring with SNMP
SNMP queries for fan speed, CPU temperature, and power supply status are functional for certain platforms. Currently, fan and temperature monitoring is supported only for the following platforms:
- 2000
- 2400
- 5000
- 5100
- 5110
For these platforms, periodic monitoring is automatically enabled. However, the system_check script does affect performance. You can disable the system_check script by commenting out (adding a leading # sign to) the line in /etc/crontab that runs the system_check utility. This version does not support fan and temperature SNMP monitoring on the following platforms:
- D25
- D30
- F35
- D35 (520 and 540)
Wildcard certificates in the Cert Admin screen (CR17426)
The Cert Admin screen in the Configuration utility currently only allows *.<domain_name> for wildcard certificates. A domain name of *.*.<domain_name> is not supported on the Cert Admin screen.
Upgrading the software and the MindTerm SSH Console (CR18436)
When you upgrade the software for the BIG-IP system, you cannot use the MindTerm SSH Console, because the upgrade stops and restarts the SSH service. To upgrade the software, use a serial console instead.
The RADIUS port in /etc/services (CR20136)
Previous releases of this software use the RADIUS port 1645 as the default in /etc/services. This release uses the new IANA RADIUS port 1812.
L2 proxy ARP forwarding exclusion list (CR20647)
In order to prevent the active unit from forwarding ARP requests for the standby unit (or other hosts for which proxy ARP forwarding is not wanted), you can now define a proxy ARP exclusion list. To configure this feature, you define a proxy_arp_exclude class and add any self IPs on the standby and active units to it. The BIG-IP units do not forward ARP requests from the hosts defined in this class.
For example, to create a proxy_arp_exclude class use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }
If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. We recommend that you configure this feature if you use VLAN groups with a BIG-IP redundant system. The reason is that both BIG-IP units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents the original IP address of a packet from being translated by the BIG-IP system. The BIG-IP system forwards traffic directly to the destination.
If you do not configure a proxy ARP exclusion group for systems configured with VLAN groups, you may see problems such as:
- Nodes being marked down for a period of time after a failover
- The inability to access resources through the active BIG-IP unit when there are multiple physical or logical connections to the same VLAN group (especially likely to be noticed when there are multiple connections between the active and standby BIG-IP units)
SNAT automap incompatibilities (CR20801)
Default gateway pools, forwarding virtual servers, and forwarding pools are incompatible with SNAT automap. Configuring a default gateway pool with a forwarding virtual server or a forwarding pool is also incompatible. To work around this incompatibility, you can configure a network wildcard virtual server in front of the SNAT. The wildcard virtual server routes by connection, using the cached routes.
ICMP pings updating MAC addresses for nodes in the ARP table (CR21228)
ICMP pings are not updating the MAC addresses for all nodes in the ARP table. This has no effect on the functionality of the BIG-IP system. The only way to view these entries is to type the command arp -na, which lists the ARP table.
Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity™ ASIC does not generate a TCP reset.
Configuring the admin port for node connectivity (CR22599)
We recommend that you do not configure the admin port for node connectivity.
Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.
Creating node pools when gated fails (CR23668)
In rare cases, the default route may be removed if you create a node pool at the same time gated fails. If this happens, run the Setup utility and add the default route back to the configuration. You can run the Setup utility from the command line by typing setup. You can access the Web-based Setup utility from the welcome page of the Web-based Configuration utility.
Changing IP addresses on VLANs (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.
TOS or QoS values in FTP data connections (CR24644)
FTP data connections have incorrect TOS or QoS values set in the BIG-IP software. Both values are set to 0.
iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET framework's serialization: for nested structures within arrays, the framework cannot support an empty array represented as a single (self-closing) XML element.
For example, this form does not serialize:
<return type='Array' ArrayType='tns:someType[0]'/>
This form does serialize:
<return type='Array' ArrayType='tns:someType[0]'></return>
SNAT automap and acceleration (CR24959)
On the 2400 platform, if you configure SNAT automap and do not associate the SNAT with a virtual server, the traffic is not accelerated by the Packet Velocity™ ASIC. Note that you can associate the SNAT with a wildcard virtual server to accelerate any SNAT automap traffic.
SSL proxy processes with non-idle connections (CR25080)
Some idle connections may not be closed as long as the SSL proxy continues to receive data within the idle connection timeout, and the server-side connection remains open.
Product Announcement: Content converter feature for Akamai (ARLs) removed from BIG-IP products for EOL (CR25082)
With this release, we are announcing the End-of-Life (EOL) of the content converter feature for converting Akamai ARLs. This applies to all fully licensed BIG-IP products running version 4.5 PTF-04 or later. As a result of this action, newly shipped or upgraded versions of the BIG-IP software no longer include this feature. If you want to continue using this functionality, do not upgrade to this version of the software. If you do plan to upgrade to this version of the software, we recommend that you remove all related configuration information from the bigip.conf file before you upgrade.
The b conn dump verbose command and values for packet counts or byte counts (CR25119)
The bigpipe command, b conn dump verbose, displays incorrect values for packet counts and byte counts.
Configuring a single default gateway member (CR25141)
If you configure only a single default gateway member, that address is configured as the default route. It is not displayed as a default gateway pool.
Simple persistence timers and the 2400 platform (CR25182)
Simple persistence timeout global settings function slightly differently on the 2400 platform than on other BIG-IP platforms. On the 2400 platform, the global persist timer timeout causes the persist timer to be updated every 30 seconds while a connection that references the persist entry is still alive. On other platforms, the persist timer is updated with every packet inbound from the client.
E-Commerce Controller and setting port translation option for wildcard ports (CR25336)
On the E-Commerce Controller only, when you configure a virtual server with a wildcard port (*) using the Configuration utility, the default port translation setting is set to enable instead of disable. Note that this does not occur when you use the bigpipe utility. If you want to configure virtual servers with wildcard ports, and you want to disable the port translation, add the virtual server using the following bigpipe command (rather than using the Configuration utility):
bigpipe virtual <ip_address:0> use pool <pool_name>
Harmless message during configuration (CR25399)
You may see the message startup bigstpd: (pid 169) already running during configuration. This message is harmless.
SNMP: updated the globalAttr* values (CR25429)
This release includes revised globalAttr* values for SNMP. These values include globalAttrOpen3DNSPorts and globalAttrOpenCorbaPorts. For a complete list of the updated descriptions, refer to the MIB.
SNMP OIDs switch platform support (CR25458)
The SNMP OIDs dot1*, dot3*, and limited rmon OIDs are supported only on switch platforms. These platforms include the 1000, 2000, and 5000 series.
SSH access host restrictions configured in /etc/hosts.allow (CR25530)
In previous versions, /etc/ssh3/sshd2_config and /etc/sshd_config controlled SSH access. This upgrade reverts to an SSH access level that allows all hosts to connect. Upgrading to this version ignores previously configured SSH access restrictions configured in /etc/ssh3/sshd2_config and /etc/sshd_config. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once the upgrade has been completed. To do this, type the following command to start the Setup utility and then press Enter:
config
Choose option S (Configure SSH) and set the restrictions you prefer.
Disabling a virtual server that is under heavy traffic load (CR25538)
If you disable a virtual server that is under heavy traffic load, the BIG-IP log may fill the /var partition. To work around this problem, you can configure syslogd to log to a remote system, or you can shut off logging on local0.*. For alternative solutions, contact Support.
CPU temperature readings on Tyan 2765 motherboards (Application Switch platforms) (CR25641)
Some older motherboard revisions may incorrectly display CPU too hot messages. For more information about this issue, please read this solution: SOL2116: Error message: CPU too hot!
Transparent VLAN group mode with FastFlow (Fast Path) acceleration (CR25727)
The transparent VLAN group mode is not accelerated by the FastFlow (Fast Path) feature.
Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.
VLAN names with "vlan" followed by any number of digits cause a syntax error (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text, vlan, as the initial portion of a VLAN name.
Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see (CR25890).
Late binding virtual server with 500 MTU router and large request (CR26025)
If a client sends a large request, greater than 460 bytes, through a router set to 500 MTU, the BIG-IP system does not forward the request to the server.
Switching to a single route configuration if you have a gateway pool in use (CR26143)
If you create a default gateway pool, and then you decide to change to a single route, we recommend that you do not delete the gateway pool even if you change the router configuration so that there is only one router in the pool.
Using 127.0.0.x as a pool member causes the system to lose network connectivity (CR26184)
If you add a node with an IP address of 127.0.0.x to a pool, the system loses connectivity to the network. The only way to reboot the system after this happens is to use the reboot switch. We recommend that you do not add nodes with this address range to a pool.
Replacing existing CRL files (CR26203)
If you replace an existing CRL file in the /config/bigconfig/ssl.crl directory, you must then type the b load command to activate the new CRL.
Changing iControl settings does not restart the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:
bigstart shutdown portal
bigstart startup
LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do not use spaces in group names.
Generating certificates with openSSL after upgrading the software (CR26456)
After you upgrade the software, you may run into issues when you use the openSSL command line utility to generate certificates or certificate signing requests (CSRs). If you experience difficulties with this task, run the genconf command to update the openssl.conf file.
SSL proxy down due to error condition (CR26487)
If the SSL proxy is down due to an error condition, the b proxy show command still shows the proxy is enabled.
Proxies configured using the command line and default CRL recognition (CR26515)
When you use the command line interface to configure a proxy, if you do not specify a path for a certificate revocation list (CRL), the default CRL path is ignored and all client certificates are accepted regardless of their revocation status. In order for the proxy to validate certificates properly through a CRL, you must define a specific CRL path or file in the proxy. However, if you use the Configuration utility to configure a proxy, the default CRL path is recognized correctly.
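The failure mode above is a fail-open one: client-certificate authentication is on, but with no CRL the proxy never rejects a revoked certificate. The following Python block is an added example, not BIG-IP code, showing the contrast on a TLS server built with Python's ssl module (OpenSSL underneath): a context that requires client certificates but never performs a revocation check beside one that sets VERIFY_CRL_CHECK_LEAF, which per the Python ssl documentation makes verification fail if no CRL signed by the issuing CA has been loaded. The CA bundle and CRL paths are placeholders; when they are omitted the function only builds the context, which is what the check at the bottom inspects.

```python
"""Client-certificate verification with and without a CRL check (added example).

ca_bundle and crl_file are placeholder paths for a PEM CA bundle and a PEM
CRL issued by that CA; both are loaded with load_verify_locations(), which
accepts CRLs as well as certificates. With VERIFY_CRL_CHECK_LEAF set, the
handshake fails closed when no usable CRL is present, instead of silently
accepting every certificate the way the CR26515 behaviour does.
"""
import ssl
from typing import Optional


def build_client_auth_context(ca_bundle: Optional[str] = None,
                              crl_file: Optional[str] = None,
                              require_crl_check: bool = True) -> ssl.SSLContext:
    """Server-side context that demands a client certificate.

    require_crl_check=False reproduces the weak setting: the peer cert is
    chain-validated but revocation is never consulted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # no cert, no handshake
    if require_crl_check:
        # Revocation check on the leaf cert; fails if no CRL is loaded.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # placeholder path
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)    # placeholder path
    return ctx


def revocation_enforced(ctx: ssl.SSLContext) -> bool:
    """True only when client certs are mandatory AND a CRL check is armed.

    Use this as a configuration self-check before putting a listener into
    service: a context that passes chain validation alone is the fail-open
    configuration the note warns about.
    """
    wants_cert = ctx.verify_mode == ssl.CERT_REQUIRED
    checks_crl = bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)
    return wants_cert and checks_crl


if __name__ == "__main__":
    weak = build_client_auth_context(require_crl_check=False)
    strict = build_client_auth_context()
    print("weak context enforces revocation:", revocation_enforced(weak))
    print("strict context enforces revocation:", revocation_enforced(strict))
```

The design choice worth copying from the strict context is that a missing CRL is treated as an error rather than as "nothing revoked": an operator who forgets to point the proxy at a CRL finds out at the first handshake, not after a revoked certificate has been accepted.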
Error message for ip_tos values (CR26566)
The valid ip_tos values are 0 - 255 or 65536, which returns ip_tos to a blank state. If you type an invalid value, you see the following incorrect error message: The requested IP TOS value is invalid. [0..65535].
Setting up a virtual server using the command mirror conn disable (CR26601)
If you use the bigpipe command mirror conn disable when you create a virtual server, connection mirroring is enabled. To avoid enabling this setting when you set up a virtual server, do not use the mirror conn disable attribute. If you define a virtual server without the mirror conn enable or mirror conn disable attribute, connection mirroring is disabled.
Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:
/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2
To correct this error and disable the Auth Trap Enable setting, edit the /etc/snmpd.conf file and change the authtrapenable value to 2 (disable).
Message from /etc/daily script in regards to beholder (CR26612)
When /etc/daily runs, it checks to see if there is a /var/run/beholder.pid file and if it exists, it attempts to rotate the /var/log/rmon.log file. When the rotate log function runs, the following message is logged to /var/log/daily.out for the beholder script:
bigstart: @293: start script beholder not found
Advanced routing modules: terminal settings after exiting vtysh (CR26631)
With the advanced routing modules, after you enter the vtysh router interface, your terminal settings are incorrect. If this problem occurs, type reset to correct the problem.
Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system, it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic cannot pass through the system.
Resetting the statistics and verbose log level 32 (Stat Reset Detail) (CR26822)
The verbose log level 32 (Stat Reset Detail) does not log a message when you reset the statistics.
MSS advertised to backend servers on SSL proxy connections (CR26839)
The BIG-IP system advertises the wrong maximum segment size (MSS) to the backend server if your configuration has an SSL proxy connecting to a virtual server on the loopback device (lo0). The advertised MSS follows the MTU of lo0, which is 4352 by default (so the resulting MSS is 4312).
Upgrade installation adds node * monitor use icmp to e-Commerce Controller (CR26877)
The BIG-IP 4.5 scratch CD installation adds the following line to the bigip.conf file on the e-Commerce Controller:
node * monitor use icmp
This monitor type is not supported on the e-Commerce Controller.
Combining transparent monitors (CR26915)
You cannot combine transparent monitors using the and rule.
Setup utility does not preserve MAC masquerade settings (CR26922)
The Setup utility does not preserve MAC masquerade settings. We recommend that you use the bigpipe utility or the web-based Configuration utility to make configuration changes after you have completed your initial setup. However, if you want to use the Setup utility to make changes to the configuration, and you want to preserve the MAC masquerade settings, then after you finish your configuration changes, recreate your MAC masquerade settings with bigpipe or the Configuration utility before you reboot the unit.
Accessing sticky persistence table through iControl (CR26957)
If you have a pool with sticky persistence turned on, and mask set to 255.255.255.0, with a network virtual server, you will not get any records when you attempt to access the data through the iControl methods get_sticky_connection_table or get_persistent_connection_table. To work around this problem, call get_sticky_mask before passing the traffic.
regkey.license synchronization (CR27020)
The regkey.license file is synchronized when you perform a configuration synchronization or save a .ucs file. You can avoid this problem by adding the file to the list of files that are ignored when generating .ucs files, and synchronizing the configuration in the bigdb. For example, you could type the following command to set this value:
b db set Common.Bigip.CS.save.120.ignore = "regkey.license"
Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.
Key management: displaying BMP and UTF8 strings (CR27049)
The key management system does not properly display BMP and UTF8 strings in certificates.
Resetting statistics on the BIG-IP FireGuard, the BIG-IP Load Balancer, and the BIG-IP Cache Controller (CR27060)
If you use the bigpipe command, b pool stats reset, the BIG-IP FireGuard, the BIG-IP Load Balancer, and the BIG-IP Cache Controller will create a core file. If you use the Configuration utility to reset the statistics these BIG-IP systems may create the same core file.
5000 series with 256 MB Compact Flash and multiple .ucs files (CR27064)
Because of file system size limitations on the 256 MB drive, we recommend that you limit the number of .ucs files you save on the system.
The header erase feature (CR27084)
The header erase feature only looks at the first header. Subsequent headers are not erased.
Changing the virtual server target under load (CR27090)
If you change the virtual server target under load, from a pool to a rule, or a rule to a pool, the system could create a core file.
Misleading message on new installations (CR27091)
If you are installing the software for the first time, you may see the misleading message in /var/log/proxyd:
'proxyd[pid]: No proxies were successfully configured. Exiting.'
This message is benign.
Adding a switch interface to the admin vlan (CR27103)
Adding a switch interface to the admin VLAN causes large volumes of traffic. We recommend that you do not add a switch interface to the admin VLAN.
CompactFlash® media drives and logging for named (CR27132)
When named is running, it generates status and usage messages as part of its normal behavior. If you are running named on a system with a CompactFlash media drive, these messages may fill up the /var/log/messages file. To avoid this, periodically delete the status and usage messages for named.
Configuration files with a large number of proxies (CR27159)
Configuration files with a large number of proxies may take a long time to load.
Honoring certain client MSS limits (CR27160)
Under certain circumstances the BIG-IP system may not honor certain client maximum segment size (MSS) limits. This problem is rare and happens only if multiple clients with different MSS limits access the BIG-IP from the same source address through address translation.
Setting the reaper hiwater and reaper lowater values (CR27169)
If you set the reaper hiwater and reaper lowater values to the same number, you do not receive an error message, but the bigip.conf file does not load. In order for the BIG-IP configuration to load properly, reaper hiwater and reaper lowater cannot be set to the same value.
Dynamic ratio load balancing and snmpdca with Counter32 OIDs (CR27202)
If you are using dynamic ratio load balancing with the snmpdca pinger for metrics collection, and you configure an OID that returns type Counter32 (that is, the WindowsTM 2000 Server Enterprise OID), the returned data may not be interpreted correctly. As a result, dynamic ratio load balancing does not function properly.
Server-side proxy listening on port 80 with TCP half-close (CR27203)
When you have a proxy configured that is listening on port 80, and you are using server-side SSL, client TCP connections using half-close may not complete properly.
RADIUS server configuration and Netscape (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.
User administration for remote authentication using the Configuration utility (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored and you must click the Done button in order to add a new user.
Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility, (setup), does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.
Performance tools exhibit fluctuations in the maximum TPS (CR27297)
An enhancement added to increase SSL performance with large numbers of concurrent connections may cause some performance tools to exhibit fluctuations in the maximum TPS when you use them to perform benchmark tests. For example, when you check SSL performance using the IxWeb tool you may see oscillating SSL performance readings. These variations have very little effect on the actual metric performance.
Setting the open_telnet_port default value (CR27331)
If you have a redundant configuration and you disable open_telnet_port on the active unit before you synchronize the configuration, the configuration file leaves open_telnet_port at its last state (enabled) rather than disabling it. After you load this type of configuration, we recommend that you check the state of the open_telnet_port setting.
SSL performance when running in ANIP mode (CR27333)
When you are running the BIG-IP system in ANIP mode, you may experience a 12-15% decrease in SSL performance. This decrease in performance is due to the addition of OpenSSL version 0.9.7a.
Unsupported system_check tool (CR27354)
The system_check script is running on all BIG-IP platforms. The system_check script is supported only on IP Application Switch platforms. This script does not have any adverse effect on unsupported platforms.
SOAP::Lite Perl package removed (CR27468) (CR28174)
The SOAP::Lite Perl package has been removed in this release. Any iControl SDK scripts that are dependent on SOAP::Lite will not function after you upgrade to this PTF.
Keeping the system clock and responder clock synchronized (CR27620)
The internal BIG-IP system clock and the responder clock must be synchronized. If they are not synchronized to within 5 minutes of each other, the SSL proxy may hang. In order to keep the clocks synchronized, you can use NTP on the BIG-IP system.
SSL proxy : OCSP status (CR27621)
The status returned from the inserted header ClientCertStatus may display the incorrect error code, error 1, when a certificate is revoked.
SSL proxy : OCSP impact on SSL proxy performance (CR27622)
If you configure the OCSP feature, you may see an impact on SSL proxy performance.
Setting media speeds (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the BIG-IP system and the connected switches.
New rule syntax requirements for literal strings (CR27784)
The rules syntax has changed in version 4.5 PTF-04, and there is now a literal string limit of 63 characters. If you have previously configured rules that contain literal strings longer than 63 characters, these rules may fail to load after you upgrade to PTF-04. Rules that worked correctly in previous versions may now produce the following error message:
In rule test: String literal too long (max 63 chars)
If you have this type of rule configured, we recommend that you modify the rule syntax to use literal strings that are no longer than 63 characters. See New rule syntax requirements for literal strings in the Workarounds for known issues section for details.
Memory leak in bigapi (CR27821)
There is a memory leak in bigapi, found through bigsnmpd. The leak manifests when you perform any SNMP queries.
System IP address in snmpd.conf when performing configsync (CR27822)
When you run the configsync command, the system IP address in the configuration file may not match the IP address on the target system. To correct this problem, run /usr/local/lib/ucs_convert/02005000_snmpd.conf.
Adding virtual servers in the Configuration utility with Any IP Traffic enabled (CR27835)
When you use the Configuration utility to add a virtual server and you enable Any IP Traffic, each time you then add another virtual server on the same virtual address/net address, Any IP Traffic is disabled. To work around this issue, go to the Virtual Address Properties screen and enable Any IP Traffic for the new virtual server.
MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive when all of the following conditions are met:
- You have Java Virtual Machine enabled on a Windows® workstation
- You are using the Configuration utility to configure the system
- You open a MindTerm SSH console session from the navigation pane
- You return to the Configuration utility without closing the MindTerm SSH console
If you experience this problem, you must use the Windows Task Manager to close both the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or close the MindTerm SSH console session before returning to the Configuration utility.
Deleting a virtual server from same IP address as SSL Proxy (CR27915)
The SSL proxy may stop responding to ARPs if you delete a virtual server that resides on the same IP address as the proxy.
bigpipe global show system_type command (CR27921)
The bigpipe global show system_type command does not function correctly on the D39 platform.
Harmless timeout messages during reboot (CR27928)
When you reboot the BIG-IP system, you may see timeout messages for zebOS and ITCM portal. These messages are harmless and have no effect on the operation of the BIG-IP system.
Configuring virtual servers and nodes that share IP addresses (CR27931)
When you create a forwarding virtual server or a virtual server that has address translation disabled, if the virtual server shares an IP address with a node and you turn on ARP disable, the BIG-IP system may continue to respond to ARP requests. This configuration may cause the BIG-IP system to report duplicate IP addresses and block access to the node. If you want to use this type of configuration, we recommend that you configure a static ARP entry for the node.
Firewall sandwich configuration with FastFlow (Fast Path) and connection rebind enabled (CR27939)
In a firewall sandwich configuration connection, rebind may fail to rebind correctly to a new node when the initial node is taken down. This occurs only when FastFlow (Fast Path) is enabled on the virtual server with connection rebind enabled.
Server Appliance platform baud rates (CR27961)
For Server Appliance platforms, the baud rate for the serial console depends on whether version 4.2 or 4.5 of the BIG-IP software was initially installed on the platform. For version 4.2 and version 4.5 units that have been upgraded from version 4.2, the serial console baud rate is 9600. For new units with version 4.5 installed, that were not upgraded from version 4.2, the serial console baud rate matches the baud rate set by the BIOS.
Enabling svcdown_reset (CR27962)
If you enable svcdown_reset from either the command line interface or the Configuration utility, you must reload the configuration for your changes to take effect.
SNMP version and probing (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.
Disabling the memory_reboot_percent global (CR27975)
You cannot disable the memory_reboot_percent global by setting the variable to 0.
SIP persistence with address translation disabled (CR27979)
The BIG-IP system may not handle fragmented SIP packets correctly if address translation is disabled.
Loading configurations with hundreds of proxies defined (CR27997)
Loading a configuration with hundreds of proxies defined may cause the proxyd process to become unstable. Traffic is not disturbed, but a core file and error message occur. No user intervention is necessary.
The imid() function causes syntax errors (CR28008)
Using the imid() function in rules or universal persistence expressions produces a spurious syntax error message. The imid() function itself works correctly.
Status LED during power supply failure (CR28012)
The status LED may incorrectly remain green when the bottom power supply fails.
Transparent VLANs with a connection through a virtual server (CR28018)
If you have two transparent VLANs configured in a group with a connection through a virtual server, under certain circumstances the transparent VLAN group may use its own MAC address. If you encounter this issue, we recommend that you use opaque mode for VLAN groups, especially if you are using any type of delayed binding that requires the BIG-IP system to handle the return packet.
ICMP host unreachable messages (CR28021)
When a node is behind a routing device that returns ICMP host unreachable messages to the BIG-IP system, it may cause CPU usage to increase rapidly.
global sslhardware failover configuration load time (CR28031)
If you enable global sslhardware failover, the configuration load time may increase dramatically.
Using the Configuration utility to create external health monitors (CR28036)
When you create an external health monitor and include a variable where the value is a string with two variables separated by a comma, the Configuration utility does not set the value of the second variable. The Configuration utility separates the two variables at the comma and sets the value of the first variable in the string only. If you use the command line utility to create an external health monitor, values for variables separated with a comma in the string are set correctly.
Nokia NetAct feature (CR28039)
Please note that when you apply this upgrade, if you are using the Nokia NetAct feature, the old /etc/snmptrap.conf file is used. The Nokia NetAct feature uses an extended format of this file. If you want to use the Nokia NetAct feature, after you apply the upgrade you must modify the /etc/snmptrap.conf file. You should use /etc/snmptrap.conf.example as a template for modifying the snmptrap.conf file.
MSRDP persistence (CR28050)
You can not set MSRDP persistence using the Configuration utility. If you want to set MSRDP persistence, we recommend that you use the command line utility to configure this feature.
Reconfiguring the BIG-IP system using the Setup utility (CR28116)
If you use the Setup utility to configure multiple gateways or VLANs, we recommend that you reboot the BIG-IP system before you run the Setup utility a second time. Rerunning the Setup utility with multiple gateways or VLANs configured without rebooting, may cause the BIG-IP system to become unstable.
Duplicate node UP messages in the log table (CR28194)
In certain circumstances you may see duplicate node UP messages in the log table (/var/run/alarm_log_tbl). You can ignore these messages; they do not affect the function of the BIG-IP system.
Making changes to the proxy configuration (CR28234)
After you make changes to the proxy configuration, you need to reload the new configuration in order for the proxy to properly verify CA certificates.
SSL proxy rewriting redirects in 302 responses (CR28237)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.
Error message during boot sequence (CR28276)
When you start the BIG-IP system, you may see the error, WARNING: conflict at irq 12. You can ignore this message, as it has no effect on the function of the BIG-IP system.
PXE installation (CR28313)
In rare instances, using a network computer to perform PXE installations of BIG-IP software causes corruption on the network computer hard drive. If you are using a network computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you back up any important data stored on the network computer hard drive.
Self-IP addresses with 135 as the first octet (CR28316)
If you add a self-IP address with the number 135 as the first octet, duplicate VLANs display incorrectly when you type the bigpipe command vlan show. This has no effect on the actual VLAN configuration.
Adding a monitor using the Configuration utility (CR28333)
When you use the Configuration utility to add a monitor that contains the string Authorization: Basic {anything here}, the Configuration utility may not load the Authorization portion of the string.
Virtual server resets (CR28337)
In certain circumstances, resets (RSTs) may be sent out with the loopback address listed as the source address. In order for you to avoid this problem, we recommend that when you define a loopback virtual server, you assign a non-zero byte for either of the middle bytes of the address. For example, 127.0.1.x or 127.3.3.x instead of 127.0.0.x.
Logging parsing errors (CR28342)
In BIG-IP software version 4.2, the proxy, by default, logs parsing errors. In BIG-IP software version 4.5, parsing errors are logged only when you manually start the proxy with -d 4.
Very large cookies with rules (CR28354)
Very large cookies may cause the rules for testing content at the end of cookies to fail.
VLAN bridging with non-IP traffic (CR28356)
In certain cases when you use VLAN bridging, the BIG-IP system does not handle non-IP traffic correctly.
cpio command (CR28365)
The cpio command is not available in 4.5 versions of the BIG-IP software.
Using the == operator in a rule (CR28384)
In rare instances, using the == operator in a rule causes the BIG-IP system to become unstable.
NAT and out of order UDP fragments (CR28388)
When using NAT, the 4.5 versions of the BIG-IP software currently do not pass out-of-order UDP fragments.
checktrap.pl changes (CR28405)
This version of the BIG-IP software includes two changes in the behavior of the checktrap.pl utility. First, rebuild events are no longer logged to the alarm_* files. Second, if the very first event is a clear, the BIG-IP system triggers a rebuild and sends a corresponding "rebuild event" trap, not a "clear" trap. (See the /etc/snmptrap.conf file for a list of clears.)
WMI monitor (CR28424)
If WMI is not responding when queried, any information you are requesting will have a value of 0. In this case, the WMI monitor may return the message server too busy, and continue to mark the node as up; the WMI monitor should mark the node as down.
Packet floods on the D44 (CR28425)
When it experiences a packet flood, port 3.1 on the D44 (BIG-IP 2400) may flood ingress packets back to the 3.1 interface. This issue occurs only when PVA is active.
Creating VLANs using the command line utility (CR28429)
When you use the command line utility to create VLANs, the VLAN names cannot exceed 12 characters. The manual incorrectly states that VLAN names may be up to 15 characters in length.
bigtop utility delay setting (CR28435)
The bigtop utility accepts values of less than 1 second for the delay option, which causes the bigtop utility to refresh the screen as fast as possible. We recommend that you configure this option with a value of 1 second or longer.
Certain SNMP traps are not defined in the MIB file (CR28436)
The following SNMP traps defined in snmptrap.conf are not defined in the MIB file:
.1.3.6.1.4.1.3375.1.1.110.2.77 (fan .*? is failing) FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.76 (cpu .*? is too hot!) CPU_TOO_HOT
.1.3.6.1.4.1.3375.1.1.110.2.75 (cpu .*? fan is failing) CPU_FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.74 (power supply .*? has failed) POWER_FAILED
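The following Python script is an added illustration, not part of this release note and not F5 code. It parses the four snmptrap.conf entries listed above (the entry format, trap OID followed by a parenthesised pattern and a name, is assumed from those lines), matches a few constructed log lines against them the way a trap generator would, and reports which entries have no corresponding trap in a given set of MIB trap OIDs. The log lines and the first-match-in-file-order behavior are assumptions; the MIB OID set is passed in by the caller so that no OIDs beyond those on this page are invented.

```python
import re

# The four snmptrap.conf entries listed above, copied from the page. Entry format
# (assumed from those lines): <trap OID> (<regex matched against log lines>) <name>
SNMPTRAP_CONF = """\
# trap OID                       (pattern)                     name
.1.3.6.1.4.1.3375.1.1.110.2.77 (fan .*? is failing) FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.76 (cpu .*? is too hot!) CPU_TOO_HOT
.1.3.6.1.4.1.3375.1.1.110.2.75 (cpu .*? fan is failing) CPU_FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.74 (power supply .*? has failed) POWER_FAILED
"""

# Constructed log lines of the kind the patterns are meant to catch; the last
# one should match nothing.
SAMPLE_LOG = [
    "fan 2 is failing",
    "cpu 0 is too hot!",
    "cpu 0 fan is failing",
    "power supply 1 has failed",
    "node 10.0.0.1:80 is UP",
]

# OID, then the pattern between the outermost parentheses, then the trap name.
_ENTRY_RE = re.compile(r"^(\.[\d.]+)\s+\((.*)\)\s+(\S+)$")


def parse_snmptrap_conf(text):
    """Parse entries into (oid, compiled_regex, name) tuples in file order.
    Blank lines and '#' comments are skipped; an unparseable line is an error
    rather than being silently dropped, since a dropped entry means a lost trap."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError("snmptrap.conf line %d: cannot parse: %r" % (lineno, raw))
        oid, pattern, name = m.groups()
        entries.append((oid, re.compile(pattern), name))
    return entries


def match_log_line(entries, line):
    """Return (oid, name) of the first entry whose pattern matches `line`, or
    None. First match in file order is an assumption about checktrap.pl."""
    for oid, rx, name in entries:
        if rx.search(line):
            return oid, name
    return None


def undefined_traps(entries, mib_trap_oids):
    """Entries whose OID is absent from the set of trap OIDs the MIB defines."""
    return [(oid, name) for oid, _, name in entries if oid not in mib_trap_oids]


if __name__ == "__main__":
    entries = parse_snmptrap_conf(SNMPTRAP_CONF)
    for line in SAMPLE_LOG:
        print("%-28s -> %s" % (line, match_log_line(entries, line)))
    # Pass the trap OIDs extracted from your MIB file here; with the MIB shipped
    # in this PTF all four entries come back as undefined.
    for oid, name in undefined_traps(entries, set()):
        print("not in MIB: %s %s" % (name, oid))
```

Run the script against your own /etc/snmptrap.conf and a set of OIDs extracted from the shipped MIB to see which traps a manager cannot decode; extending the MIB or the manager's trap table for the undefined entries is the practical fix on the receiving side.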
Syncookies and communication between the proxy and the virtual server (CR28444)
If the total number of connections through a proxy exceeds the global syncookie threshold, any virtual server without a loopback address (127.0.0.0/8) cannot be accessed through the loopback. The BIG-IP system sends SYN acknowledgements directly to the client instead of through the loopback to the proxy. Replies are sent over the same interface that the client used to connect to the proxy. This problem does not occur if you have late binding configured. If you are experiencing this problem, we recommend that you disable syncookies on connections to virtual servers through loopback.
iSNAT with non-local members (CR28446)
iSNAT works only if the SNAT pool and load balancing pool have members on the same network.
Using the b verify command to check for errors (CR28451)
If you use the b verify command after editing the bigip.conf file, the b verify command does not properly detect misspellings or syntax errors. If you attempt to load a bigip.conf file that has a misspelling or syntax error, the BIG-IP system does not function until you correct the error and reload the bigip.conf file.
System statistics reset (CR28472)
On the System Statistics screen in the Configuration utility, when you click Reset All System Stats, the Max Connections field and the error fields are not reset.
Proxies that reference CRLs (CR28483)
If you are upgrading to version 4.5 PTF-06 or PTF-07 from a previous version of the BIG-IP software, proxies that reference CRLs may fail to load.
Possible tcpdump buffer overflow with badly formed NFS packets (CR28492)
Versions 3.7.1 and earlier of tcpdump contain a buffer overflow that may be triggered by badly formed NFS packets. Other types of packets may also trigger the buffer overflow.
Proxy connection limits (CR28498)
When you set the connection limit for proxyd, and the proxy connection limit is reached, the proxy incorrectly continues to accept new connections. Once the connection limit is reached, the proxy should stop accepting new connections. Connections do not successfully complete until the number of connections drops below the configured connection limit.
Active/Standby units configured with VLAN groups in transparent mode (CR28502)
If you have a pair of BIG-IP units in an active/standby redundant configuration with VLAN groups in transparent mode, monitors on the standby unit may occasionally fail. To avoid this problem, we recommend that you tune down the ARP timers and/or increase the number of monitor timeouts. This ensures that the ARP table data is correct when monitor packets are sent. You should set the monitor timeout to at least 35 seconds. Another way to avoid this issue is to configure static ARP and FDB entries for nodes that need to be monitored.
Route deletion for existing traffic (CR28503)
Manually deleting static routes while traffic is running through the BIG-IP system may cause the system to become unstable. If you want to delete a route, you must first delete the virtual servers and nodes that use that route.
Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
Workarounds for known issues
The following description provides a workaround for the corresponding known issue listed in the Known issues section.
New rule syntax requirements for literal strings (CR27784)
This workaround describes how to modify the rule syntax to use literal strings that are no longer than 63 characters.
The following is an example of a rule which will fail to load because of a literal string that is longer than 63 characters:
if (http_host == "portal.siterequest.com") {
    if (http_uri == "/" or http_uri == "") {
        redirect to "http://%h/portal/server.pt?space=MyPage&cached=true&parentname=Login&parentid=1&userid=2&control=SetPage&PageID=-2"
    }
    else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
        redirect to "http://www.siterequest.com/portalaccount/"
    }
    else {
        use pool Pool1
    }
}
else {
    use pool Pool1
}
For the rule to function correctly, you must change the syntax in the rule to the following, splitting the long literal into pieces joined with +, each no longer than 63 characters:
if (http_host == "portal.siterequest.com") {
    if (http_uri == "/" or http_uri == "") {
        redirect to "http://%h/portal/server.pt" + "?space=MyPage&cached=true&parentname=Login" + "&parentid=1&userid=2&control=SetPage&PageID=-2"
    }
    else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
        redirect to "http://www.siterequest.com/portalaccount/"
    }
    else {
        use pool Pool1
    }
}
else {
    use pool Pool1
}
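Because the load-time error only reports the first offending literal, it helps to scan a rule file for every over-long literal before upgrading. The following Python script is an added illustration, not part of this release note and not F5 code. It finds every double-quoted literal longer than 63 characters in rule text and rewrites each one as the + concatenation shown in the workaround above. It assumes literals do not span lines and that a backslash escapes the next character inside a literal; the sample rule is the one from the workaround.

```python
import re

# Limit enforced by the 4.5 PTF-04 rule parser ("String literal too long (max 63 chars)").
MAX_LITERAL = 63

# A double-quoted literal. Assumption: a backslash escapes the next character;
# drop the `|\\.` alternative if the rule parser has no escapes.
_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def split_literal(body, limit=MAX_LITERAL):
    """Cut a literal body into pieces of at most `limit` characters, never
    separating a backslash from the character it escapes. `limit` must be >= 2."""
    pieces = []
    i = 0
    while i < len(body):
        end = min(i + limit, len(body))
        if end < len(body):
            piece = body[i:end]
            trailing = len(piece) - len(piece.rstrip("\\"))
            if trailing % 2 == 1:   # odd run of backslashes: the last one escapes body[end]
                end -= 1
        pieces.append(body[i:end])
        i = end
    return pieces


def find_long_literals(rule_text, limit=MAX_LITERAL):
    """Return (line_number, literal_body) for every literal longer than `limit`.
    Literals are assumed not to span lines."""
    hits = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        for m in _STRING_RE.finditer(line):
            if len(m.group(1)) > limit:
                hits.append((lineno, m.group(1)))
    return hits


def rewrite_rule(rule_text, limit=MAX_LITERAL):
    """Rewrite each over-long literal as a `+` concatenation of short literals,
    the form the workaround uses; everything else is left untouched."""
    def repl(m):
        body = m.group(1)
        if len(body) <= limit:
            return m.group(0)
        return " + ".join('"%s"' % p for p in split_literal(body, limit))
    return _STRING_RE.sub(repl, rule_text)


# The failing rule from the workaround (constructed from the page's example).
SAMPLE_RULE = '''\
if (http_host == "portal.siterequest.com") {
    if (http_uri == "/" or http_uri == "") {
        redirect to "http://%h/portal/server.pt?space=MyPage&cached=true&parentname=Login&parentid=1&userid=2&control=SetPage&PageID=-2"
    }
    else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
        redirect to "http://www.siterequest.com/portalaccount/"
    }
    else {
        use pool Pool1
    }
}
else {
    use pool Pool1
}
'''

if __name__ == "__main__":
    for lineno, lit in find_long_literals(SAMPLE_RULE):
        print("line %d: literal of %d chars exceeds %d" % (lineno, len(lit), MAX_LITERAL))
    print(rewrite_rule(SAMPLE_RULE))
```

The rewrite splits at fixed offsets rather than at the hand-chosen boundaries in the workaround; the concatenated result is the same string, so either form loads once every piece is within the limit. Review the output before committing it to bigip.conf, since b verify does not catch syntax errors (CR28451).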