Installing the upgrade

You can apply this release to version 1.8.3, as well as to v2.0, v2.0PTF-01, v2.0PTF-02, and v2.0PTF-03. Note that you do not have to apply previous PTFs; they are already included in the current install.

Use the following process to install the software:

1. Click here and follow the instructions for using the F5 Networks FTP site.
2. Download bigipv201domkit.tar file to the /var/tmp/ directory on the BIG/ip Controller.
   
   International customers need use FTP in passive mode from the BIG/ip Controller to download the bigipv201intlkit.tar file. To place FTP in passive mode, type pass from the command line before transfering the file.
3. Enter the following commands to install this PTF:

   cd /var/tmp
   tar -xpf /var/tmp/bigipv201domkit.tar

4. From the root, execute the following command:

   /var/tmp/upgrade_install

5. Follow the on-screen instructions.

The install will automatically create a backup of your /etc/rc.local and /etc/rc.sysctl files and remove any old files that are no longer used. If you have made changes to your /etc/rc.local file, you may need to edit the file and retype your modifications. Backups of the files are stored in /var/save/backupyymmdd.hhmm/ on your BIG/ip Controller.

Once you install the software, refer to the Configuring and using the updated software section below, which contains important information about changing parameter settings in the bigip.conf file.

What's new in this version

New features and enhancements

• 624:  Persistent netmasks for virtual servers
  You can now set the persistence for netmasks for virtual servers. Similar to the persist_ignore_last_octet and persist_ignore_last_xxx setting with a netmask. There is new bigpipe vip command syntax to support this feature. For details, see Using the new BIG/pipe command syntax.
• 832:  Support for Telnet and FTP
  Provided for international customers, the Telnet and FTP applications allow for remote administration of the BIG/ip system, where SSL and SSH are not available. For details, see Configuring the BIG/ip Controller for remote administration via Telnet and FTP.
• 882:  Support for more than two NICS in the F5 Configuration utility
  The F5 Configuration utility supports configuring and monitoring of BIG/ip systems with more than two NICs. You can manage the additional interfaces via the Add VIP, Global VIP Properties, Add NAT, and Nat Properties screens. For more details about configuring network interface cards, see the online help for the F5 Configuration utility.
• 891:  Bind changes for DNS proxy shared aliases
  To enable NameD to recognize requests to the shared alias, you can now use the new /sbin/bigip_active script, which runs NameD when the BIG/ip Controller goes from standby to active status. For more details, see the 3DNS documentation.
• 1045:  Open up port 4353 for use by iQuery
  Port 4345 is now registered with the IANA as the standard port for the iQuery protocol. The BIG/ip kernel and 3DNS can now use port 4353 for iQuery requests. Note that port 245 is still supported for backwards compatibility. For more information about how this feature affects 3DNS functionality, see Using new iQuery options in the 3DNS System Release Notes, version 1.0.4.
  

Fixes

• 840:  Statistic counter problem
  The statistics counter in the F5 Configuration utility now matches the results when you run the bigpipe vip command.
• 876:  UDP timeouts can delete TCP connections
  When you specify a timeout value for UDP persistence on a virtual port and you have also set persistence for TCP connections on that same virtual port, the UDP timeout previously caused the current TCP connection to be deleted. BIG/ip now provides more robust timeout support for both UDP and TCP persistence. The TCP persistance for the virtual port is no affected by the UDP persistence timeout value.

• 895:  NAT definition can fail if the interface is not specified
  When defining a NAT, you now do not have to explicitly specify the interface.

• 912:  System statistics screen shows negative out bits
  The system statistics screen now shows the correct number of out bits.

• 913:  SNMP sysDescr doesn't get set
  The correct initialization routines are now setting sysDescr upon SNMP initialization.
  
  921:  CERT Advisory CA-98.13 - TCP/IP Denial of Service
  BIG/ip is safe from the attacks described in this CERT advisory.
• 932:  SNMP sends 'hostname' as the trap source address
  The SNMP trap source is now set correctly by the BIG/ip Controller.
• 934:  FTP - BIG/ip rewrites the 227 reply to a PASV command
  The BIG/ip Controller now successfully translates the IP address reply for PASV commands from non-RFC compliant FTP clients.
• 940:  the F5 Configuration utility memory leak when refreshing screens
  When using the Netscape browser with the F5 Configuration utility, poor performance due to refreshing the display has been greatly improved. See the Known issues section for more information.
• 946:  SNMP - Now processes multiple lines of input from SyslogD
  When SyslogD sends more than one message down a pipe, the BIG/ip checktrap functionality can now process the multiple lines of input.
• 947:  UDP fragments trashed by BIG/ip
  The BIG/ip controller now adjusts the checksum on only the first fragment.
• 952:  SSL Persistence Crashes BIG/ip
  When using SSL persistence, BIG/ip now correctly handles older versions of the SSL handshake proxy.
• 1014:  BIG/config - bigip.persist_time_used_as_limit=0 does not work
  The bigip.persist_time_used_as_limit system control variable now correctly resets the persistence timer on each packet, so that, when this variable is set to zero, the connection does not expire as long as there is traffic.
• 1018:  Heavy SNMP activity precludes BIG/ip configuration
  The SNMP daemon, bigsnmpd, has been updated so that it uses the bigload domain instead of the bigpipe domain and no longer interferes with the BIG/ip configuration when SNMP activity is high.
• 1019: persist_any_vip and persist_any_vip_same_port do not work with SSL plus non-SSL virtual servers
  The persistence records are now shared between virtual servers that are SSL and non-SSL so that when you move between the two types of virtual servers, the persistence is maintained.
• 1051:  Transparent Node Mode - BIG/ip resets half connection on reap
  When in Transparent Node Mode, the BIG/ip Controller was sending the server reset to the firewall's IP address instead of to the server. The BIG/ip Controller now sends the reset to the server on your firewall.
• 1071:  BIG/ip does not load balance UDP port 53
  The BIG/ip Controller now load balances UDP port 53.
• 1091:  Special SSL blocks round_robin for SSL traffic
  The Round Robin load balancing mode now functions correctly for special SSL traffic.
• 1101:  SNMP - snmptrap.conf has incorrect OIDs for traps
  This problem has been resolved. The OIDs in snmptrap.conf now match the MIB.

Configuring and using the new software

Changes you must make to the configuration if you are running GateD

When using the BIG/ip Controller in a redundant system, and you are running GateD, you may need to edit the /sbin/bigip_active and the /sbin/bigip_standby files on both units. For example, if your network is configured with OSPF running on the external network and RDP on the internal network, when the BIG/ip Controller fails over, there can only be one RDP server. To ensure that the BIG/ip Controller, when it fails over, reconfigures the standby unit to become the RDP server upon going active, edit the /sbin/bigip_active and the /sbin/bigip_standby files on both units and remove the comment character (#) from the following lines.

if [ -f /etc/gated.conf]
then
     /usr/sbin/gated_go_active
fi

Configuring the BIG/ip Controller for remote administration via Telnet and FTP

International users can now perform remote administration of the BIG/ip Controller with Telnet and transfer files with FTP. Telnet and FTP are installed and ready to use. Note that, when connecting for command line administration with bigpipe, you must enter the user name and password that you specified for remote administration. However, when using the F5 Configuration utility, you enter the web administrator's user name and password that you specified for the F5 web server.

When synchronizing redundant systems with the F5 Configuration utility, you must specify the web administrator's user name and password for the second BIG/ip Controller in the Synchronize Configuration screen, in order to establish a connection and ensure that the second unit accepts the updated files. Note that this is not the same user name and password that you specified during the First Time Boot Utility for remote administration, but rather it is the user name and password required to start the web administration session.

To synchronize configurations with the F5 Configuration utility:

1. From the see/IT homepage, click BIG/config.
2. From the BIG/ip System Properties screen, click Sync Configurations on the toolbar.
3. On the Synchronize Configuration screen in the Failover Access (Web admin) section, enter the web administration user name and password for the second machine.
4. Click Synchronize Configurations to transfer your current configuration to the second machine.

Using the new BIG/pipe command syntax

The BIG/pipe command line utility contains new syntax related to persistence for virtual servers.

Specifying persistence timeouts for virtual servers and ports

The bigpipe persist command defines a persistence timeout at the port level. Now, you can also set a persistence timeout for individual virtual servers, using the new persist argument for the bigpipe vip command, which overrides the persistence timeout set at the port level.

bigpipe vip <virt addr:port> persist <persistence timeout>

The <persistence timeout> variable is specified in seconds. By defining persistence at the port and virtual server level, you can customize the traffic patterns for your virtual servers. For example, if you want all traffic through port 80 to persist for 60 seconds, but traffic for port 80 on one particular virtual server to persist for 100 seconds, use the following sequence of commands:

bigpipe vip 210.11.140.11:80 define 20.10.10.1:80 define 20.10.10.2:80
bigpipe vip 210.11.140.12:80 define 20.10.10.3:80 define 20.10.10.4:80
bigpipe vip 210.11.140.13:80 define 20.10.10.5:80 define 20.10.10.6:80
bigpipe persist 80 60
bigpipe vip 210.11.140.11:80 persist 100

With these settings, all traffic through port 80 for virtual servers in general persists for 60 seconds, while only the traffic through 210.11.140.11:80 persists for 100 seconds.

Specifying persistence masks for virtual servers

You can set a persistence mask for virtual servers, using the new persistmask argument for the bigpipe vip command. The persistence mask determines persistence based on the portion of the client's IP address that is specified in the mask. The persistence mask method provides a means to deal with dynamic IP addresses, where a firewall protects the client's IP address by altering it. For more information about dynamic IP addresses, see SSL persistence and dynamic IP addresses in Chapter 9, Load Balancing, in the BIG/ip Installation and Users Guide.

This method can be used with both SSL and non-SSL virtual servers. When used with SSL virtual servers, the persistence timeout acts as a backup to the session ID persistence. For more information, see Using SSL persistence with simple persistence in Chapter 9, Load Balancing, in the BIG/ip Installation and Users Guide.

bigpipe vip <virt addr:port> persistmask <persistence mask>

The <persistence mask> variable is specified in the format of a network mask. To share persistence records for all clients coming from the same network, use the following sequence of commands:

bigpipe vip 210.11.140.11:80 persist 100
bigpipe vip 210.11.140.11:80 persistmask 255.255.255.0

Given this scenario, all clients who have the same first three numbers in their IP address will be considered to be the same client according to the BIG/ip persistence record in the lookup table. All connections from those clients will be sent to the same node, when the second client connects within 100 seconds of the first. To remove a persistence mask, specify a full mask as follows:

bigpipe vip 210.11.140.11:80 persistmask 255.255.255.255

If you are sharing persistence across virtual servers by setting the sysctl variables persist_on_any_vip_same_port or persist_on_any_vip (see Appendix C, BIG/ip System Control Variables in the BIG/ip Installation and Users Guide), and you set a persist mask on one or more of the virtual servers, you must set the same persist mask for each virtual server that will share persistence records.

Known issues

• For international versions of this release, incoming connections that are in FTP passive mode cannot be accepted by the BIG/ip Controller. In effect, this means that BIG/ip Controllers cannot directly communicate with each other via FTP mode. You can use the default FTP active mode to communicate with the BIG/ip Controller. To enable the BIG/ip Controller to accept FTP passive mode communications, set the sysctl variable bigip.open_3dns_lockdown_ports to 1 (on) to unlock the ports.
• Some users may experience slow performance due to potential memory leaks when using Netscape to view the Statistics screen in the F5 Configuration utility. We recommend that you set the refresh rate to a lower value and that you periodically close and restart your browser in order to reset the memory allocation.
• When adding a virtual server or NAT, you do not need to choose an external interface, as default is already selected. Default refers to the external interface whose IP address relates to the IP address of the virtual server or NAT. If no match is found, the F5 Configuration utility selects the first interface name. To determine which external interface is the first one, use the Unix command ifconfig -a from the command line of the BIG/ip Controller. If you have more than two interfaces, you may see additional external interfaces in the list. site. The F5 Configuration utility may display the external interface as default instead of the actual interface name you selected. This situation occurs if you select an external interface that is also the default interface when creating the virtual server from the Add Virtual Server screen or NAT from the Add NAT screen.