BIG-IP versions 1.x - 4.x
These release notes cover changes since version 2.0. This release is recommended, but not mandatory, for all customers. It contains significant new features and various bug fixes. This release applies to both US and International versions of BIG/ip HA and BIG/ip LB.
Installing the upgrade
You can apply this release to version 1.8.3, and version 2.0, as well as to version 2.0.1, v2.0.1PTF-01, v2.0.1PTF-02, v2.0.1PTF-03, and v2.0.1PTF-04. Note that you do not have to apply previous PTFs; they are already included in the current install.
Use the following process to install the software:
- Click here and follow the instructions for using the F5 Networks FTP site.
- Download the bigipv204domkit.tar file to the /var/tmp/ directory on the BIG/ip Controller.
Customers who are using International versions of BIG/ip need to download the bigipv204intlkit.tar. Customers who are using LB versions of BIG/ip need to download the bigipv204lbdomkit.tar. To place FTP in passive mode, type pass from the command line before transferring the file.
- Using the sum command, verify that the checksum numbers match the checksum numbers shown below for each file:
bigipv204hadomkit.tar -----> 51162 15210
bigipv204intlkit.tar -----> 43075 7200
bigipv204lbdomkit.tar -----> 44319 8730
- Enter the following commands to install this PTF:
tar -xpf bigipv204hadomkit.tar (Domestic HA and HA+)
tar -xpf bigipv204lbdomkit.tar (Domestic LB)
tar -xpf bigipv204intlkit.tar (International HA/LB)
- From the root, enter the following command:
- Follow the on-screen instructions.
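The verify-then-extract steps above as a script. This is an added example, not part of the original release notes or the F5 installer: the function names are made up here, and the expected values are copied from the checksum list. Run it on the Controller itself, since sum on other systems can use a different algorithm or block size; sum is a 16-bit checksum, so a match rules out a damaged transfer, not a modified file.

```sh
#!/bin/sh
# Added example: check a kit against the published sum(1) values, then extract.

# expected_sum NAME -> "<checksum> <blocks>" copied from the list above
expected_sum() {
    case "$1" in
        bigipv204hadomkit.tar) echo "51162 15210" ;;
        bigipv204intlkit.tar)  echo "43075 7200" ;;
        bigipv204lbdomkit.tar) echo "44319 8730" ;;
        *) return 1 ;;
    esac
}

# actual_sum FILE -> "<checksum> <blocks>" as computed by the local sum(1).
# Reading stdin keeps the file name out of the output; awk strips padding.
actual_sum() {
    sum < "$1" | awk '{ print $1 + 0, $2 + 0 }'
}

# verify_kit FILE [EXPECTED] -> 0 match, 1 mismatch, 2 unknown or unreadable.
# EXPECTED overrides the table (for kits that are not in the list above).
verify_kit() {
    kit=$1
    if [ -n "$2" ]; then
        want=$2
    else
        want=$(expected_sum "$(basename "$kit")") ||
            { echo "no published checksum for $kit" >&2; return 2; }
    fi
    [ -r "$kit" ] || { echo "cannot read $kit" >&2; return 2; }
    got=$(actual_sum "$kit")
    if [ "$got" = "$want" ]; then
        echo "OK $kit ($got)"
    else
        echo "MISMATCH $kit: expected $want, got $got" >&2
        return 1
    fi
}

# extract_kit FILE [EXPECTED] -> runs tar only after the checksum matches
extract_kit() {
    verify_kit "$1" "$2" && tar -xpf "$1"
}

# Usage: sh verify_kit.sh /var/tmp/bigipv204hadomkit.tar
if [ "$#" -gt 0 ]; then
    for arg in "$@"; do
        extract_kit "$arg" || exit 1
    done
fi
```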
The install will automatically create a backup of the following files in /var/save/backupyymmdd_hhmm/ on your BIG/ip Controller and remove any old files that are no longer used. If you have made changes to the files in the following list, you may need to edit the file and retype your modifications:
Customers upgrading their LB or international versions of the BIG/ip Controller now have the opportunity to configure either a Telnet or FTP server during the upgrade, or at a later time. During the upgrade process, a window asks if you want to configure either Telnet or FTP if it is not already configured. Follow the instructions.
If you choose to configure Telnet or FTP at a later time, enter the appropriate command:
- Upgrade support for Telnet and FTP server configuration in the LB and all international products.
Upgrade configuration is now simplified and standardized for the upgrade process.
- First-Time Boot Utility now creates the failover file
The First-Time Boot Utility now prompts you for information to create the /etc/bigip.failover file, which simplifies the process of synchronizing your BIG/ip Controller redundant system.
- Optimized Interrupt Handling increases performance
- 1316: httpd config/reconfig does not work as expected and instead creates a core file
The upgrade now correctly installs the F5 Configuration utility and web server software, so that all scripts run as expected.
- 1989: A UDP packet sent to a wrong port in Transparent Node mode can cause a fault in the BIG/ip Controller.
The BIG/ip Controller now responds to the UDP packet appropriately.
- 1999: When using Transparent Node mode, there is an unacceptable slowdown in the BIG/ip Controller.
The BIG/ip Controller no longer creates duplicate persistence entries that lead to slowdowns.
- 2033: An attempt in FTP to retrieve a file that does not exist makes the FTP session unusable.
The BIG/ip Controller now processes subsequent PORT commands so the FTP sessions can recover from certain errors.
- 2038: BIG/ip Controller was not using the first persistence value that was specified for SSL.
The BIG/ip Controller now uses the first persistence time value for SSL.
- 2059: The Macintosh Netscape browser times out when connection to a VIP with a SSL.
The BIG/ip Controller now correctly handles SSL packets from the Macintosh Netscape browser.
When you install this release, the only special configuration issues you might need to address are related to the gateway failsafe feature. The gateway failsafe feature was originally released in BIG/ip Controller version 2.0.1PTF-03. If you previously installed 2.0.1PTF-03 and configured gateway failsafe at that time, you do not need to repeat the configuration process after installing the current PTF. If you never installed 2.0.1PTF-03 and you want to use the gateway failsafe feature, review the following section.
Gateway failsafe is the ability of an active BIG/ip Controller to fail over to the standby unit if it cannot communicate with a given router, which it tests by pinging that router with an ICMP Echo Request. Gateway failsafe periodically sends an ICMP Echo Request to the IP address you specify and then waits for an ICMP Echo Reply. In addition, after half the timeout duration expires, the BIG/ip Controller sends warnings to the console every second before the failover occurs. Use gateway failsafe when your BIG/ip Controller redundant system uses two different gateways to connect each unit to the Internet. If the primary gateway fails, the second BIG/ip Controller is still able to connect to the Internet through the second gateway.
In contrast to gateway failsafe, when the BIG/ip Controller uses the bigpipe interface command to set the failsafe mode, it broadcasts an ARP Request if no packets are detected on a given external interface. If that interface receives any Ethernet traffic at all, interface failsafe reports the site as up, and a failover does not occur. Gateway failsafe verifies that the actual path to the Internet is up or initiates a failover if the BIG/ip Controller does not receive the correct reply.
In order to configure this feature, you must specify the name or IP address of the router, the interval that ping packets are sent to the router, and the timeout duration for replies. The configuration information for gateway failsafe is stored in the /etc/bigd.conf file. The proper syntax for the entry is:
gateway <IP addr> <ping_interval> <timeout>
gateway <host name> <ping_interval> <timeout>
The <ping_interval> and <timeout> variables are in seconds. The <host name> variable refers to the name of a network device that resolves to an IP address. For example, either of the following lines in the /etc/bigd.conf file ensures that the BIG/ip Controller pings the router on IP address 10.1.1.1 and that, if a response is not received in 10 seconds, the BIG/ip Controller fails over to the standby unit.
gateway 10.1.1.1 5 10
gateway router 5 10
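A lint for the gateway entry described above, added here as an example (not F5 tooling; the function name check_gateway_conf is made up). It enforces only what the text states: three values after the gateway keyword, interval and timeout in seconds, and a single router. Treating the two values as positive whole numbers is an assumption.

```sh
#!/bin/sh
# Added example: lint the gateway failsafe entry in a bigd.conf-style file.

# check_gateway_conf FILE -> 0 if there is exactly one well-formed gateway
# entry, 1 otherwise. Pass "-" to read standard input.
check_gateway_conf() {
    awk '
        $1 != "gateway" { next }    # other lines in the file are not checked
        { seen++ }
        NF != 4 {
            printf "line %d: expected gateway <host> <ping_interval> <timeout>\n", NR
            bad = 1; next
        }
        # Assumption: both values are positive whole numbers of seconds.
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ || $3 == 0 || $4 == 0 {
            printf "line %d: interval and timeout must be positive integers\n", NR
            bad = 1; next
        }
        {
            # Console warnings start once half the timeout has expired.
            printf "line %d: ping %s every %ss, warn from %gs, fail over at %ss\n",
                   NR, $2, $3, $4 * 0.5, $4
        }
        END {
            if (seen == 0) { print "no gateway entry found"; bad = 1 }
            if (seen > 1)  { print "only one router can be pinged, found " seen; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the example entry from the text above.
check_gateway_conf - <<'EOF'
gateway 10.1.1.1 5 10
EOF
```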
Gateway failsafe can be armed or disarmed from the command line at any time without changing the configuration stored in the /etc/bigd.conf file. In order to arm failsafe on the gateway, enter the following command:
bigpipe gateway failsafe arm
To permanently arm the gateway, add the arm command to the end of your /etc/rc.local file. To disarm the gateway, enter the following command:
bigpipe gateway failsafe disarm
To see the current armed status for the gateway, enter the following command:
bigpipe gateway failsafe
Note: The BIG/ip Controller supports pinging only one router using the ICMP protocol. The log messages are sent to the LOG_LOCAL1 facility and the level is LOG_EMERG. The standard syslog configuration (/etc/syslog.conf) directs these messages to the /var/log/bigd file. In addition to logging the message, each message is also written to the BIG/ip Controller console (/dev/console).
The current version includes enhancements and fixes from all versions released after BIG/ip Controller version 2.0. Those enhancements and fixes are summarized below.
BIG/ip Controller version 2.0.1 fixes
- 1226: Update FTPD for CERT Advisory 99.03
The BIG/ip Controller now includes version 2.4.2 of WU-FTPD in accordance with CERT advisory 99.03.
- 1730: BIG/ip attempts ipforward of vip traffic under low memory
The BIG/ip Controller now contains more specific error processing for packet errors and low memory conditions, so that the packets are correctly handled. One specific improvement is that under certain error conditions, the BIG/ip Controller may now drop a packet destined for a virtual address instead of incorrectly attempting to forward the packet. The BIG/ip Controller supports new error counters that record these unusual events.
- 1753: ipfw filters allowed to block internal node status messages
When a filter rejects packets by default, the internal traffic to and from the 127.0.0.1 IP address needs to be correctly processed, rather than filtered, so that certain internal communications related to service checking can occur. These packets are now processed correctly without having to explicitly accept the IP address in the ipfw filter.
- 756: Log rotation fails if sendmail.cf does not exist
The daily log rotation, controlled by the /etc/daily script, verifies that the sendmail.cf file exists on the BIG/ip Controller before sending the results. If the sendmail.cf file does not exist on the unit, then sendmail is not used.
- 1486: Add rcp/rsh in the system to support 3DNS Systems
The rcp and rsh programs have been added to the BIG/ip Controller software to support communications with international 3DNS Systems (available in 3DNS System, version 1.0.4).
- 1515: Netcat bug makes EAV fail and halts the process
The BIG/ip Controller now accounts for the way Netcat calls for a range of file descriptors, so that EAV programs that use Netcat work correctly.
- 1641: Possible instability with multiple passive FTP connections
The BIG/ip Controller now checks for unusual passive FTP connection scenarios and conflicts. It then takes steps to avoid or resolve the conflicts. The BIG/ip Controller also logs the problems for future analysis.
- 1649: Crc, alignment errors with full duplex bi-directional traffic through
The BIG/ip Controller now supports full duplex bi-directional traffic through Intel NICs by disabling the DMA Maximum Byte Counters and thus eliminating contention for the bus.
- 1755: Treaper not deleting SSL connections as expected
When using SSL persistence, the BIG/ip Controller now deletes connections from the connection table as expected.
- 1757: Traffic misdirected if multiple connections made from the same
The BIG/ip Controller contains improved handling of conflicts that arise when a client attempts multiple connections from the same client port.
- 1430: Y2K problem setting date to February 29, 2000
The BIG/ip Controller now includes the BSDI patch, M310-023, which resolves this problem.
- 1434: Port rewrite not correct for TCP and UDP fragments
When a packet fragment arrives, the BIG/ip Controller now saves the fragment number according to the user's IP address. The remaining fragment packets are then forwarded to the correct node for that user's connection.
- 1066: The BIG/ip Controller sends a reset when it receives a reset
The BIG/ip Controller now discards the resets it receives, in accordance with RFC 793.
- 1346: Transparent Node Mode, UDP and ICMP not routed properly through
UDP and ICMP packets are now routed through firewalls using the node route.
- 1350: Order of checking NATs and virtual servers reversed in Transparent
When working in Transparent Node Mode, NATs are now checked before virtual servers so that a wildcard virtual server does not mask the NATs. In Normal Mode, virtual servers are still checked first.
- 1387: ICMP need frag packets to a virtual server in Transparent Node Mode are not handled correctly
The BIG/ip Controller kernel now handles ICMP packets so that the route MTU is adjusted and an ICMP need to fragment message is sent to the sender.
- 1388: ICMP need frag packets to a NAT external IP address are not handled correctly
The BIG/ip Controller kernel now handles ICMP packets so that the route MTU is adjusted and an ICMP need to fragment message is sent to the sender.
- 1389: icmp_error receives a translated offending packet and calls icmp_reflect
The BIG/ip Controller kernel now saves a portion of the original packet and retranslates the packet before passing it to the icmp_error function.
- 1390: BSD incorrectly sets icmp-nextmtu to if_mtu when generating an ICMP need frag packet
If Path MTU discovery is on and the BIG/ip Controller receives a packet that is longer than its MTU, BSD sends an ICMP need to fragment message with the icmp_nextmtu variable set to the MTU of the route, so that the sender can reduce its MTU for that route. Otherwise, BSD sends an ICMP need to fragment message with the icmp_nextmtu variable set to if_mtu.
- 1398: Disabled nodes reject persistent connections
The BIG/ip Controller now allows persistent connections to continue after you disable a node.
BIG/ip Controller version 2.0.1 New features and enhancements
- 624: Persistent netmasks for virtual servers
You can now set the persistence for netmasks for virtual servers. This is similar to the persist_ignore_last_octet and persist_ignore_last_xxx settings, with a netmask. There is new bigpipe vip command syntax to support this feature.
- 832: Support for Telnet and FTP
Provided for international customers, the Telnet and FTP applications allow for remote administration of the BIG/ip system, where SSL and SSH are not available.
- 882: Support for more than two NICs in BIG/config
The F5 Configuration utility supports configuring and monitoring of BIG/ip systems with more than two NICs. You can manage the additional interfaces via the Add VIP, Global VIP Properties, Add NAT, and Nat Properties screens. For more details about configuring network interface cards, see the online help for the F5 Configuration utility.
- 891: Bind changes for DNS proxy shared aliases
To enable NameD to recognize requests to the shared alias, you can now use the new /sbin/bigip_active script, which runs NameD when the BIG/ip Controller goes from standby to active status. For more details, see the 3DNS documentation.
- 1045: Open up port 4353 for use by iQuery
Port 4353 is now registered with the IANA as the standard port for the iQuery protocol. The BIG/ip kernel and 3DNS can now use port 4353 for iQuery requests. Note that port 245 is still supported for backwards compatibility. For more information about how this feature affects 3DNS functionality, see Using new iQuery options in the 3DNS System Release Notes, version 1.0.4.
- 840: Statistic counter problem
The statistics counter in the F5 Configuration utility now matches the results when you run the bigpipe vip command.
- 876: UDP timeouts can delete TCP connections
When you specify a timeout value for UDP persistence on a virtual port and you have also set persistence for TCP connections on that same virtual port, the UDP timeout previously caused the current TCP connection to be deleted. BIG/ip now provides more robust timeout support for both UDP and TCP persistence. The TCP persistence for the virtual port is not affected by the UDP persistence timeout value.
- 895: NAT definition can fail if the interface is not specified
When defining a NAT, you now do not have to explicitly specify the interface.
- 912: System statistics screen shows negative out bits
The system statistics screen now shows the correct number of out bits.
- 913: SNMP sysDescr doesn't get set
The correct initialization routines are now setting sysDescr upon SNMP initialization.
- 921: CERT Advisory CA-98.13 - TCP/IP Denial of Service
BIG/ip is safe from the attacks described in this CERT advisory.
- 932: SNMP sends 'hostname' as the trap source address
The SNMP trap source is now set correctly by the BIG/ip Controller.
- 934: FTP - BIG/ip rewrites the 227 reply to a PASV command
The BIG/ip Controller now successfully translates the IP address reply for PASV commands from non-RFC compliant FTP clients.
- 940: BIG/config memory leak when refreshing screens
When using the Netscape browser with the F5 Configuration utility, poor performance due to refreshing the display has been greatly improved.
- 946: SNMP - Now processes multiple lines of input from syslogd
When syslogd sends more than one message down a pipe, the BIG/ip checktrap functionality can now process the multiple lines of input.
- 947: UDP fragments trashed by BIG/ip
The BIG/ip Controller now adjusts the checksum on only the first fragment.
- 952: SSL Persistence Crashes BIG/ip
When using SSL persistence, BIG/ip now correctly handles older versions of the SSL handshake proxy.
- 1014: BIG/config - bigip.persist_time_used_as_limit=0 does not
The bigip.persist_time_used_as_limit system control variable now correctly resets the persistence timer on each packet, so that, when this variable is set to zero, the connection does not expire as long as there is traffic.
- 1018: Heavy SNMP activity precludes BIG/ip configuration
The SNMP daemon, bigsnmpd, has been updated so that it uses the bigload domain instead of the bigpipe domain and no longer interferes with the BIG/ip configuration when SNMP activity is high.
- 1019: persist_any_vip do not work with SSL plus non-SSL virtual servers
The persistence records are now shared between virtual servers that are SSL and non-SSL so that when you move between the two types of virtual servers, the persistence is maintained.
- 1051: Transparent Node Mode - BIG/ip resets half connection on
When in Transparent Node Mode, the BIG/ip Controller was sending the server reset to the firewall's IP address instead of to the server. The BIG/ip Controller now sends the reset to the server on your firewall.
- 1071: BIG/ip does not load balance UDP port 53
The BIG/ip Controller now load balances UDP port 53.
- 1091: Special SSL blocks round_robin for SSL traffic
The Round Robin load balancing mode now functions correctly for special SSL traffic.
- 1101: SNMP - snmptrap.conf has incorrect OIDs for traps
This problem has been resolved. The OIDs in snmptrap.conf now match the MIB.