• Installing the upgrade

Installing the upgrade

You can apply this release to version 1.8.3, and version 2.0, as well as to version 2.0.1, v2.0.1PTF-01, v2.0.1PTF-02, v2.0.1PTF-03, and v2.0.1PTF-04. Note that you do not have to apply previous PTFs; they are already included in the current install.

Use the following process to install the software:

1. Click here and follow the instructions for using the F5 Networks FTP site.
   
   
2. Download the bigipv204domkit.tar file to the /var/tmp/ directory on the BIG/ip Controller.
   
   Customers who are using International versions of BIG/ip need to download the bigipv204intlkit.tar. Customers who are using LB versions of BIG/ip need to download the bigipv204lbdomkit.tar. To place FTP in passive mode, type pass from the command line before transferring the file.

3. Using the sum command, verify that the checksum numbers match the checksum numbers shown below for each file:
   
   bigipv204hadomkit.tar -----> 51162 15210
   bigipv204intlkit.tar  -----> 43075 7200
   bigipv204lbdomkit.tar -----> 44319 8730

4. Enter the following commands to install this PTF:

   cd /var/tmp
   tar -xpf bigipv204hadomkit.tar (Domestic HA and HA+)
   tar -xpf bigipv204lbdomkit.tar (Domestic LB)
   tar -xpf bigipv204intlkit.tar (International HA/LB)

5. From the root, enter the following command:

   /var/tmp/upgrade_install

6. Follow the on-screen instructions.

The install will automatically create a backup of the following files in /var/save/backupyymmdd_hhmm/ on your BIG/ip Controller and remove any old files that are no longer used. If you have made changes to the files in the following list, you may need to edit the file and retype your modifications:

/etc/rc.local
/etc/rc.sysctl
/etc/syslog.conf
/etc/daily
/etc/snmpd.conf
/etc/snmptrap.conf

Customers upgrading their LB or international versions of the BIG/ip Controller now have the opportunity to configure either a Telnet or FTP server during the upgrade, or at a later time. During the upgrade process, a window asks if you want to configure either Telnet or FTP if it is not already configured. Follow the instructions.

If you choose to configure Telnet or FTP at a later time, enter the appropriate command:

config_telnetd

config_ftpd

What's new in this version

Enhancements

• Upgrade support for Telnet and FTP server configuration in the LB and all international products.
  Upgrade configuration is now simplified and standardized for the upgrade process.

• First-Time Boot Utility now creates the failover file
  The First-Time Boot Utility now prompts you for information to create the /etc/bigip.failover file, which simplifies the process of synchronizing your BIG/ip Controller redundant system.

• Optimized Interrupt Handling increases performance
  

Fixes

• 1316:  httpd config/reconfig does not work as expected and instead creates a core file
  The upgrade now correctly installs the F5 Configuration utility and web server software, so that all scripts run as expected.

• 1989: A UDP packet sent to a wrong port in Transparent Node mode can cause a fault in the BIG/ip Controller.
  The BIG/ip Controller now responds to the UDP packet appropriately.

• 1999: When using Transparent Node mode, there is an unacceptable slow down in the BIG/ip Controller.
  The BIG/ip Controller no longer creates duplicate persistence entries that lead to slow downs.

• 2033: An attempt in FTP to retrieve a file that does not exist, makes the FTP session unusable.
  The BIG/ip Controller now processes subsequent PORT commands so the FTP sessions can recover from certain errors.

• 2038: BIG/ip Controller was not using the first persistence value that was specified for SSL.
  The BIG/ip Controller now uses the first persistence time value for SSL.

• 2059: The Macintosh Netscape browser times out when connection to a VIP with a SSL.
  The BIG/ip Controller now correctly handles SSL packets from the Macintosh Netscape browser.

Configuring and using the new software

When you install this release, the only special configuration issues you might need to address are related to the gateway failsafe feature. The gateway failsafe feature was originally released in BIG/ip Controller version 2.0.1PTF-03. If you previously installed 2.0.1PTF-03 and configured gateway failsafe at that time, you do not need to repeat the configuration process after installing the current PTF. If you never installed 2.0.1PTF-03 and you want to use the gateway failsafe feature, review the following section.

Configuring gateway failsafe on the BIG/ip Controller

Gateway failsafe is the ability for an active BIG/ip Controller to failover to the standby unit if it cannot communicate with a given router using an ICMP Echo Request to ping that router. Gateway failsafe periodically sends an ICMP Echo Request to the IP address you specify and then waits for an ICMP Echo Reply. In addition, after half the timeout duration expires, the BIG/ip Controller sends warnings to the console every second before the failover occurs. Use gateway failsafe when your BIG/ip Controller redundant system uses two different gateways to connect each unit to the Internet. If the primary gateway fails, the second BIG/ip Controller is still able to connect to the Internet through the second gateway.

In contrast to gateway failsafe, when the BIG/ip Controller uses the bigpipe interface command to set the failsafe mode, it broadcasts an ARP Request if no packets are detected on a given external interface. If that interface receives any Ethernet traffic at all, interface failsafe reports the site as up, and a failover does not occur. Gateway failsafe verifies that the actual path to the Internet is up or initiates a failover if the BIG/ip Controller does not receive the correct reply.

In order to configure this feature, you must specify the name or IP address of the router, the interval that ping packets are sent to the router, and the timeout duration for replies. The configuration information for gateway failsafe is stored in the /etc/bigd.conf file. The proper syntax for the entry is:

gateway <IP addr> <ping_interval> <timeout>
gateway <host name> <ping_interval> <timeout>

The <ping_interval> and <timeout> variables are in seconds. The <host name> variable refers to the name of a network device that resolves to an IP address. For example, either of the following lines in the /etc/bigdf.conf file ensure that the BIG/ip Controller pings the router on IP address 10.1.1.1 and that if a response is not received in 10 seconds, the BIG/ip fails over to the standby unit.

gateway 10.1.1.1 5 10
gateway router 5 10

Gateway failsafe can be armed or disarmed from the command line at any time without changing the configuration stored in the /etc/bigd.conf file. In order to arm failsafe on the gateway, enter the following command:

bigpipe gateway failsafe arm

To permanently arm the gateway, add the arm command to the end of your /etc/rc.local file. To disarm the gateway, enter the following command:

bigpipe gateway failsafe disarm

To see the current armed status for the gateway, enter the following command:

bigpipe gateway failsafe

Note:   The BIG/ip Controller supports pinging only one router using the ICMP protocol. The log messages are sent to the LOG_LOCAL1 facility and the level is LOG_EMERG. The standard syslog configuration (/etc/syslog.conf) directs these messages to the /var/log/bigd file. In addition to logging the message, each message is also written to the BIG/ip Controller console (/dev/console).

Enhancements and fixes released in prior versions

The current version includes enhancements and fixes from all versions released after BIG/ip Controller version 2.0. Those enhancements and fixes are summarized below.

BIG/ip Controller version 2.0.1 fixes

• 1226: Update FTPD for CERT Advisory 99.03
  The BIG/ip Controller now includes version 2.4.2 of WU-FTPD in accordance with CERT advisory 99.03.

• 1730: BIG/ip attempts ipforward of vip traffic under low memory
  The BIG/ip Controller now contains more specific error processing for packet errors and low memory conditions, so that the packets are correctly handled. One specific improvement is that under certain error conditions, the BIG/ip Controller may now drop a packet destined for a virtual address instead of incorrectly attempting to forward the packet. The BIG/ip Controller supports new error counters that record these unusual events. .

• 1753: ipfw filters allowed to block internal node status messages
  When a filter rejects packets by default, the internal traffic to and from the 127.0.0.1 IP address needs to be correctly processed, rather than filtered, so that certain internal communications related to service checking can occur. These packets are now processed correctly without having to explicitly accept the IP address in the ipfw filter.

• 756: Log rotation fails if sendmail.cf does not exist
  The daily log rotation, controlled by the /etc/daily script, verifies that the sendmail.cf file exists on the BIG/ip Controller before sending the results. If the sendmail.cf file does not exist on the unit, then sendmail is not used.

• 1486: Add rcp/rsh in the system to support 3DNS Systems
  The rcp and rsh programs have been added to the BIG/ip Controller software to support communications with international 3DNS Systems (available in 3DNS System, version 1.0.4).

• 1515: Netcat bug makes EAV fail and halts the process
  The BIG/ip Controller now accounts for the way Netcat calls for a range of file descriptors, so that EAV programs that use Netcat work correctly.

• 1641: Possible instability with multiple passive FTP connections
  The BIG/ip Controller now checks for unusual passive FTP connection scenarios and conflicts. It then takes steps to avoid or resolve the conflicts. The BIG/ip Controller also logs the problems for future analysis.

• 1649: Crc, alignment errors with full duplex bi-directional traffic through Intel NICs
  The BIG/ip Controller now supports full duplex bi-directional traffic through Intel NICs by disabling the DMA Maximum Byte Counters and thus eliminating contention for the bus.

• 1755: Treaper not deleting SSL connections as expected
  When using SSL persistence, the BIG/ip Controller now deletes connections from the connection table as expected.

• 1757: Traffic misdirected if multiple connections made from the same port
  The BIG/ip Controller contains improved handling of conflicts that arise when a client attempts multiple connections from the same client port.
  

• 1430: Y2K problem setting date to February 29, 2000
  The BIG/ip Controller now includes the BSDI patch, M310-023, which resolves this problem.

• 1434: Port rewrite not correct for TCP and UDP fragments
  When a packet fragment arrives, the BIG/ip Controller now saves the fragment number according to the user's IP address. The remaining fragment packets are then forwarded to the correct node for that user's connection.

• 1066: The BIG/ip Controller sends a reset when it receives a reset
  The BIG/ip Controller now discards the resets it receives, in accordance with RFC 793.

• 1346: Transparent Node Mode, UDP and ICMP not routed properly through firewalls
  UDP and ICMP packets are now routed through firewalls using the node route.

• 1350: Order of checking NATs and virtual servers reversed in Transparent Node Mode
  When working in Transparent Node Mode, NATs are now checked before virtual servers so that a wildcard virtual server does not mask the NATs. In Normal Mode, virtual servers are still checked first.

• 1387: ICMP need frag packets to a virtual server in Transparent Node Mode are not handled correctly
  The BIG/ip Controller kernel now handles ICMP packets so that the route MTU is adjusted and an ICMP need to fragment message is sent to the sender.

• 1388: ICMP need frag packets to a NAT external IP address are not handled correctly
  The BIG/ip Controller kernel now handles ICMP packets so that the route MTU is adjusted and an ICMP need to fragment message is sent to the sender.

• 1389: icmp_error receives a translated offending packet and calls icmp_reflect
  The BIG/ip Controller kernel now saves a portion of the original packet and retranslates the packet before passing it to the icmp_error function.

• 1390: BSD incorrectly sets icmp-nextmtu to if_mtu when generating an ICMP need frag packet
  If Path MTU discovery is on and the BIG/ip Controller receives a packet that is longer than its MTU, BSD sends an ICMP need to fragment message with the icmp_nextmtu variable set to the MTU of the route, so that the sender can reduce its MTU for that route. Otherwise, BSD sends an ICMP need to fragment message with the icmp_nextmtu variable set to if_mtu.
  

• 1398: Disabled nodes reject persistent connections
  The BIG/ip Controller now allows persistent connections to continue after you disable a node.

BIG/ip Controller version 2.0.1

• 624:  Persistent netmasks for virtual servers
  You can now set the persistence for netmasks for virtual servers. Similar to the persist_ignore_last_octet and persist_ignore_last_xxx setting with a netmask. There is new bigpipe vip command syntax to support this feature.
  
  
• 832:  Support for Telnet and FTP
  Provided for international customers, the Telnet and FTP applications allow for remote administration of the BIG/ip system, where SSL and SSH are not available.
  
  
• 882:  Support for more than two NICs in BIG/config
  The F5 Configuration utility supports configuring and monitoring of BIG/ip systems with more than two NICs. You can manage the additional interfaces via the Add VIP, Global VIP Properties, Add NAT, and Nat Properties screens. For more details about configuring network interface cards, see the online help for the F5 Configuration utility.
  
  
• 891:  Bind changes for DNS proxy shared aliases
  To enable NameD to recognize requests to the shared alias, you can now use the new /sbin/bigip_active script, which runs NameD when the BIG/ip Controller goes from standby to active status. For more details, see the 3DNS documentation.
  
  
• 1045:  Open up port 4353 for use by iQuery
  Port 4345 is now registered with the IANA as the standard port for the iQuery protocol. The BIG/ip kernel and 3DNS can now use port 4353 for iQuery requests. Note that port 245 is still supported for backwards compatibility. For more information about how this feature affects 3DNS functionality, see Using new iQuery options in the 3DNS System Release Notes, version 1.0.4.
  

• 840:  Statistic counter problem
  The statistics counter in the F5 Configuration utility now matches the results when you run the bigpipe vip command.

• 876:  UDP timeouts can delete TCP connections
  When you specify a timeout value for UDP persistence on a virtual port and you have also set persistence for TCP connections on that same virtual port, the UDP timeout previously caused the current TCP connection to be deleted. BIG/ip now provides more robust timeout support for both UDP and TCP persistence. The TCP persistence for the virtual port is no affected by the UDP persistence timeout value.M

• 895:  NAT definition can fail if the interface is not specified
  When defining a NAT, you now do not have to explicitly specify the interface.

• 912:  System statistics screen shows negative out bits
  The system statistics screen now shows the correct number of out bits.

• 913:  SNMP sysDescr doesn't get set
  The correct initialization routines are now setting sysDescr upon SNMP initialization.

• 921:  CERT Advisory CA-98.13 - TCP/IP Denial of Service
  BIG/ip is safe from the attacks described in this CERT advisory.

• 932:  SNMP sends 'hostname' as the trap source address
  The SNMP trap source is now set correctly by the BIG/ip Controller.

• 934:  FTP - BIG/ip rewrites the 227 reply to a PASV command
  The BIG/ip Controller now successfully translates the IP address reply for PASV commands from non-RFC compliant FTP clients.

• 940:  BIG/config memory leak when refreshing screens
  When using the Netscape browser with the F5 Configuration utility, poor performance due to refreshing the display has been greatly improved.

• 946:  SNMP - Now processes multiple lines of input from syslogd
  When syslogd sends more than one message down a pipe, the BIG/ip checktrap functionality can now process the multiple lines of input.

• 947:  UDP fragments trashed by BIG/ip
  The BIG/ip controller now adjusts the checksum on only the first fragment.

• 952:  SSL Persistence Crashes BIG/ip
  When using SSL persistence, BIG/ip now correctly handles older versions of the SSL handshake proxy.

• 1014:  BIG/config - bigip.persist_time_used_as_limit=0 does not work
  The bigip.persist_time_used_as_limit system control variable now correctly resets the persistence timer on each packet, so that, when this variable is set to zero, the connection does not expire as long as there is traffic.

• 1018:  Heavy SNMP activity precludes BIG/ip configuration
  The SNMP daemon, bigsnmpd, has been updated so that it uses the bigload domain instead of the bigpipe domain and no longer interferes with the BIG/ip configuration when SNMP activity is high.

• 1019:  persist_any_vip and persist_any_vip_same_port do not work with SSL plus non-SSL virtual servers
  The persistence records are now shared between virtual servers that are SSL and non-SSL so that when you move between the two types of virtual servers, the persistence is maintained.

• 1051:  Transparent Node Mode - BIG/ip resets half connection on reap
  When in Transparent Node Mode, the BIG/ip Controller was sending the server reset to the firewall's IP address instead of to the server. The BIG/ip Controller now sends the reset to the server on your firewall.

• 1071:  BIG/ip does not load balance UDP port 53
  The BIG/ip Controller now load balances UDP port 53.

• 1091:  Special SSL blocks round_robin for SSL traffic
  The Round Robin load balancing mode now functions correctly for special SSL traffic.

• 1101:  SNMP - snmptrap.conf has incorrect OIDs for traps
  This problem has been resolved. The OIDs in snmptrap.conf now match the MIB.