Release Notes : BIG-IP Controller Release Note, version 2.1.3

Applies To:

BIG-IP versions 1.x - 4.x

  • 2.1.3
Release Notes
Original Publication Date: 11/22/1999 Updated Date: 04/18/2019

Summary:

These release notes cover changes since version 2.1.2. This release is recommended, but not mandatory, for all customers. It contains significant new features. This release applies to both US and International versions of BIG/ip HA and BIG/ip LB.

Installing the upgrade

You can apply this release to version 1.8.3 and later. Do not apply previous PTFs; they are already included in the current installation.

Use the following process to install the software:

  1. Click here and follow the instructions for using the F5 Networks FTP site.
  2. Download the bigipv213domkit.f5.tar file to the /var/tmp/ directory on the BIG/ip Controller.

    Customers with International versions of the BIG/ip Controller need to download the bigipv213intlkit.f5.tar. Customers who are using LB versions of the BIG/ip Controller need to download the bigipv213lbdomkit.f5.tar. To place FTP in passive mode, type pass from the command line before transferring the file.
  3. Enter the following commands to install this software:

    cd /var/tmp
    # Run only the tar command that matches the kit you downloaded:
    tar -xpf bigipv213domkit.f5.tar      # Domestic HA and HA+
    tar -xpf bigipv213lbdomkit.f5.tar    # Domestic LB
    tar -xpf bigipv213intlkit.f5.tar     # International HA/LB

  4. From the root, enter the following command:

    /var/tmp/upgrade_install

  5. Follow the on-screen instructions.

The installation automatically creates a backup of the following files in /var/save/backupyymmdd_hhmm/ on the BIG/ip Controller and removes any old files that are no longer used. If you have made changes to a file in the following list, you may need to edit that file and retype your modifications:

/etc/rc.local
/etc/rc.sysctl
/etc/syslog.conf
/etc/daily
/etc/snmpd.conf
/etc/snmptrap.conf

Customers upgrading LB or International versions of the BIG/ip Controller now have the opportunity to configure either a Telnet or FTP server during the upgrade, or they can do the configuration at a later time. During the upgrade process, you are prompted to configure either Telnet or FTP if they have not been configured. Follow the instructions.

If you choose to configure Telnet or FTP at a later time, type the appropriate command:

config_telnetd

config_ftpd

During the final step in an International upgrade, you are prompted for the type of system you are upgrading:  single or redundant. If you choose redundant, you are prompted to type in the user ID and password for accessing the BIG/ip web server. This information is used when synchronizing configurations (configsync).

Note:  During an upgrade, you may see the error message "Bad interface name passed to the kernel" when the BIG/ip Controller starts to reboot. This error is harmless. It is a result of the drivers' unfamiliarity with the new configuration files. After the upgrade automatically reboots, the new drivers should correspond with the new configuration files correctly.

The checksums for this release are available in a file called sums, which can be downloaded from the FTP site.


What's new in this version

  • Enhancement:  Upgrade version of BIND
    Upgraded the version of BIND installed on the BIG/ip Controller to BIND 8.2.2 patch level 4. This version contains enhanced security. After you install this release, the BIG/ip Controller will be running BIND 8, regardless of previous configuration. For more information, see Configuring the BIG/ip Controller version 2.1.x as a DNS forwarding proxy.

From PTF-01 and PTF-02

The following enhancements are included in this release from previous PTFs.

  • Enhancement:  Added support for a new type of Gigabit Ethernet adapter
    Added support for a new type of Gigabit Ethernet adapter. The new interfaces are named sk0 or sk1, where the number, 0 or 1 in this case, is the interface number.
  • Enhancement:  Mapping proxies for persistence
    Added a rule to support mapping source IP addresses to nodes with support for a mask. This makes certain proxies look the same for persistence. By default, this feature is on. For more information, see Mapping proxies for persistence.
  • Enhancement:  Added a new script for updating and creating F5 support accounts
    Added a new script for updating and creating F5 support accounts. This script allows you to configure a new password for F5 support accounts or disable the accounts. After you install this release, the script automatically prompts you to either disable the F5 support user account, or change the password used to access that account.

Fixes for this release

  • CR 5380:  big3d does not probe host VS using ICMP
    Changed big3d to allow probing of host virtual servers using the ICMP protocol.
  • CR 5296:  Cookie persistence problem with multiple cookies on one line
    Fixed a problem where a browser submitting multiple cookies could keep the BIG/ip Controller from recognizing its own cookie.
  • CR 5250:  First-Time Boot utility support account access
    Updated the First-Time Boot utility to make it possible to change the support account password or disable it completely.
  • CR 5342:  Rebuild the password database
    Rebuilt the password database to fix a problem when running whoami logged in as the root user. The user support would display instead of the user root.
  • CR 5327:  Updated Intel NIC driver
    Updated the network interface driver to fix a problem that could cause the BIG/ip Controller to crash under load.

From BIG/ip Controller 2.1.2. PTF-01 and PTF-02

The following fixes are included in this release from BIG/ip Controller 2.1.2 PTF-01 and PTF-02.

  • CR 5242:  Read-only user can view any text file
    Fixed a problem in the F5 Configuration utility that could allow a read-only user to view the contents of text files on the BIG/ip Controller.
  • CR 5232:  SSL and external service checks can cause other service checks to timeout
    Fixed a problem with SSL and external service checks that could cause other service checks to timeout.
  • CR 5009:  Incorrect reporting of global current connection count
    Fixed a problem that could cause incorrect global connection statistics to be reported.
  • CR 4955:  Increase window size for proxied connections
    Increased the window size for proxied connections from 512 to 8760.
  • CR 4953:  Added the ability to enable host name lookup for service checking logs
    A new -lookup command line option has been added to bigdnode. By default, the host name lookups are disabled. To enable host name lookups, you must specify -lookup on the command line that starts bigdnode in the /etc/rc.local file. For more information, see Enable host name lookup for service checking logs.
  • CR 4946:  Removing SNAT with UDP connections
    Fixed a problem that occurred when removing a SNAT that had UDP connections.
  • CR 4907:  VLAN ID wrap-around problem
    Fixed a problem with VLAN ID tags higher than 256.
  • CR 4904:  Removal of node from vip can inflate nodehead connection counts
    Fixed a problem with connection counts when a node was removed from a virtual server.
  • CR 4894:  FTP conflicts lead to inflated connection counts
    Fixed a problem that would cause certain FTP port conflicts to delete existing connections when a client creates a new data connection.
  • CR 4866:  hostname MIB entry returning unknown
    Fixed a problem with the host name MIB-II entry that prevented it from returning the proper host information.
  • CR 4860:  Node down command missing
    This update adds the node <node> up/down command back into bigpipe. Those using persistence must use the bigpipe node <node> down command to take down a node. This command is recommended to prevent persisting connections from coming through.
  • CR 4782:  F5 Configuration utility breaks bigd.conf whenever there are \n\n in the send string
    Fixed a problem that would cause the F5 Configuration utility to break the bigd.conf file.
  • CR 4780:  SNAT, passive ftp, to a vip fails
    Fixed a problem that would cause an FTP passive connection to another virtual server to fail.
  • CR 4757:  Line sending auth.* to checktrap.pl says auth* in syslog.conf
    Fixed the line piping auth.* to the checktrap.pl script.
  • CR 4649:  bigpipe incorrectly rejecting 0 and 255 in IP addresses
    Fixed a problem that caused bigpipe to reject IP addresses ending in 0 or 255. As long as the host portion of the IP address is not entirely zero bits or entirely one bits, it is valid.
  • CR 2002:  Problem with service checking a large number of nodes
    Fixed a problem with service checking a large number of nodes that could consume a large amount of CPU cycles.

Configuring and using the new software

This section includes configuration information for features in this release.

Enable host name lookup for service checking logs

A new -lookup command line option has been added to bigdnode. By default, the host name lookups are disabled. To enable host name lookups, you must specify -lookup on the command line that starts bigdnode.

For example, here is the entry in the /etc/rc.local:

# BIG/ip failover daemon
if [ -x /sbin/sod ]; then
      echo " sod (and bigd)."; /sbin/sod -- bigd ${bigdflags} -- -lookup 2> /dev/null
fi

Mapping proxies for persistence

By default, the map proxies for persistence feature is turned on. The AOL proxy addresses are hard-coded in this release. This enables you to use client IP address persistence with a simple persistmask, but forces all AOL clients to persist to the same server. All AOL clients will persist to the node that was picked for the first AOL client connection received.

The class B networks, 195.93 and 205.188, are mapped to 152.163 for persistence. For example, client 195.93.3.4 would map to 152.163.3.4 for persistence records only. This mapping is done prior to applying the persist mask. Use bigpipe vip persist dump to verify that the mapping is working.

To turn this feature off, set the following sysctl variable to 0. From the command line, type the following command:

sysctl -w bigip.persist_map_proxies=0
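
The order of operations described in this section (map the proxy networks first, then apply the persist mask), modelled as an added example that is not F5 code. The function names, client addresses and persist mask values are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not F5 code: models the persistence key described above.
# The proxy mapping is applied first, then the persist mask.

# map_proxy IP -> IP with 195.93.x.x / 205.188.x.x rewritten to 152.163.x.x
map_proxy() {
    case "$1" in
        195.93.*.*|205.188.*.*)
            rest=${1#*.}; rest=${rest#*.}     # keep the last two octets
            printf '152.163.%s\n' "$rest" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# apply_mask IP MASK -> bitwise AND of IP and MASK, octet by octet
apply_mask() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2                              # split both values into 8 octets
    IFS=$old_ifs
    printf '%d.%d.%d.%d\n' $(( $1 & $5 )) $(( $2 & $6 )) $(( $3 & $7 )) $(( $4 & $8 ))
}

# persist_key IP MASK -> address a persistence record would be keyed on
persist_key() {
    apply_mask "$(map_proxy "$1")" "$2"
}

# Constructed sample clients, with a constructed persist mask of 255.255.0.0
for ip in 195.93.3.4 205.188.3.4 205.188.77.9 10.1.2.3; do
    printf '%-14s -> %s\n' "$ip" "$(persist_key "$ip" 255.255.0.0)"
done
```

With a class B mask every client from either mapped network produces the same key, which is why all of those clients land on one node.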

Configuring BIG/ip Controller version 2.1 and the 2.1.2 upgrade as a DNS forwarding proxy

The BIG/ip Controller version 2.1 and the 2.1.2 upgrade updated the version of BIND on the controller from BIND 4 to BIND 8. The section Configuring DNS proxy, page 4-55, in the BIG/ip Controller Administrator Guide for version 2.1, describes how to configure BIND 4 as a DNS forwarding proxy.

This section of the PTF note describes how to configure BIG/ip Controllers with BIND 8 (version 2.1 and the 2.1.2 upgrade) as a DNS forwarding proxy. This provides DNS for nodes behind the BIG/ip Controller without using IP forwarding, secure network address translation (SNAT), or network address translation (NAT).

Typically when internal nodes need DNS, you implement SNAT, NAT, or IP forwarding on the BIG/ip Controller to provide a path for the internal nodes to get to the DNS server directly. NATs and IP forwarding also open up the internal network. Setting up the BIG/ip Controller as a DNS forwarding proxy tightens up the security for connections going to the internal network on the BIG/ip Controller. Virtual servers on the BIG/ip Controller are already relatively secure. Only the ports specifically allowed in the bigip.conf file are open. So the goal is to eliminate the use of NATs or IP forwarding to close up the inside network.

Note:   If the internal nodes require the ability to accept or originate connections that are not virtual server services, and the BIG/ip Controller is the route used for these connections, then disabling SNATs, NATs, or IP forwarding is not an option.

Only the active BIG/ip Controller should be configured as a DNS proxy with named running. The /sbin/bigip_active script is called when the BIG/ip Controller becomes active. The first step you must take to implement the BIG/ip Controller as a forwarding proxy is to put the external shared IP address alias into DNS. You must have a fully qualified domain name (FQDN) and reverse name lookup in the primary DNS for your site.

To set up the BIG/ip Controller as a forwarding proxy, follow these instructions:

1.  Comment out the named section in /etc/rc file:

      echo -n 'starting network daemons:'
      #if [ -f /etc/named.conf ]; then
      # echo -n ' named'; named
      #fi

Note:  The BIG/ip Controller version 2.1.2 upgraded from BIND 4 to BIND 8. Remember, BIND 4 uses named.boot and BIND 8 uses named.conf. If you find references to named.boot, change them to named.conf.

2.  Add the following entry to the /sbin/bigip_active file:

      if [ -f /etc/named.conf ]
      then
       named
      fi

3.  Add the following entry to the /sbin/bigip_standby file:

      if [ -f /var/run/named.pid ] ; then
       kill `cat /var/run/named.pid` > /dev/null 2>&1
      fi

4.  Make sure both scripts are executable.

      chmod 755 /sbin/bigip_active

      chmod 755 /sbin/bigip_standby

5.  Create or modify the /etc/named.conf file. Replace x.x.x.x; y.y.y.y; with the proper name server addresses. Make sure you keep the trailing semicolon (;).

   options {
      forward only;
      forwarders {
            x.x.x.x; y.y.y.y;
      };
      /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below. Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */
      // query-source address * port 53;
   };

   zone "localhost" IN {
      type master;
      file "/etc/namedb/localhost.zone";
   };
   zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "/etc/namedb/127.0.0.zone";
   };

   zone "." IN {
      type hint;
      file "/etc/namedb/root.hint";
   };

6.  If there is an /etc/named.boot file, delete it.

7.  Modify the /etc/namedb/localhost.zone file. Modify the name.domain and serial line for your network.

      $ORIGIN localhost.
      @ 1D IN SOA bigipname.domain.com. root.bigipname.domain.com. (
            1999102801 ; serial ( yyyymmddrr rr=revision)
            3H ; refresh
            15M ; retry
            1W ; expire
            1D ) ; minimum

            1D IN NS @
            1D IN A 127.0.0.1

8.  Create the /etc/namedb/127.0.0.zone file. Modify the serial line for your network.

   @ 1D IN SOA localhost. root.localhost. (
      1999102801 ; serial ( yyyymmddrr rr=revision)
      3H ; refresh
      15M ; retry
      1W ; expire
      1D ) ; minimum

      1D IN NS localhost.
   1 1D IN PTR localhost.

9.  Create the /etc/namedb/root.hint file. You can cut and paste this entire example with no modification.

; <<>> DiG 2.2 <<>> @192.5.5.241
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; -<<HEADER>>- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 9
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107

;; Total query time: 8 msec
;; FROM: wisdom.home.vix.com to SERVER: 192.5.5.241
;; WHEN: Fri Nov 22 00:08:05 1996
;; MSG SIZE sent: 17 rcvd: 312

10.  Point the resolv.conf on the node at the BIG/ip Controller internal shared IP alias.

11.  Point the resolv.conf on BIG/ip Controller at localhost.

     nameserver 127.0.0.1

12.  Verify that the /etc/hosts file has localhost on the 127.1 line.

13.  The BIG/ip Controller external shared alias IP address must have an FQDN and reverse name lookup in DNS.

14.   Restart the named service if this is the active controller. named should be set to run only on the active BIG/ip Controller.

     ndc restart

If you can do an nslookup from the internal node without IP forwarding, NATs, or SNATs configured on the BIG/ip Controller, then the BIG/ip Controller is now a DNS forwarding proxy.
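
A check for the file edits made in the steps above, as an added example that is not an F5 tool. It audits a copy of the controller's files under a hypothetical ROOT prefix; the function names and the sample tree are constructed.

```shell
#!/bin/sh
# Added example, not an F5 tool. check_dns_proxy ROOT audits a copy of the
# controller's files under ROOT (a hypothetical prefix) against steps 1-11.

check_dns_proxy() {
    root=$1; fail=0
    bad() { echo "FAIL: $*"; fail=$((fail + 1)); }

    # Step 5: forward-only, with the placeholder forwarders replaced
    grep -Eq '^[[:space:]]*forward[[:space:]]+only;' "$root/etc/named.conf" 2>/dev/null \
        || bad "named.conf lacks 'forward only;'"
    if grep -Eq '[xy]\.[xy]\.[xy]\.[xy]' "$root/etc/named.conf" 2>/dev/null; then
        bad "forwarders still hold the x.x.x.x / y.y.y.y placeholders"
    fi
    # Step 6: no leftover BIND 4 boot file
    [ ! -e "$root/etc/named.boot" ] || bad "/etc/named.boot still exists"
    # Step 1: /etc/rc must not start named on every boot (uncommented line)
    if grep -Eq '^[^#]*[;[:space:]]named[[:space:]]*$' "$root/etc/rc" 2>/dev/null; then
        bad "/etc/rc still starts named unconditionally"
    fi
    # Steps 2-4: failover scripts start/stop named and are executable
    grep -Eq '^[[:space:]]*named[[:space:]]*$' "$root/sbin/bigip_active" 2>/dev/null \
        || bad "bigip_active does not start named"
    grep -q 'named\.pid' "$root/sbin/bigip_standby" 2>/dev/null \
        || bad "bigip_standby does not stop named"
    for f in bigip_active bigip_standby; do
        [ -x "$root/sbin/$f" ] || bad "/sbin/$f is not executable"
    done
    # Step 11: the controller resolves through its own named
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1' "$root/etc/resolv.conf" 2>/dev/null \
        || bad "resolv.conf does not point at 127.0.0.1"
    echo "$fail problem(s) found"
    return "$fail"
}

# Constructed sample tree: placeholders left in, bigip_standby not executable.
make_sample() {
    mkdir -p "$1/etc" "$1/sbin"
    printf 'options {\n  forward only;\n  forwarders { x.x.x.x; y.y.y.y; };\n};\n' > "$1/etc/named.conf"
    printf 'nameserver 127.0.0.1\n' > "$1/etc/resolv.conf"
    printf "#if [ -f /etc/named.conf ]; then\n# echo -n ' named'; named\n#fi\n" > "$1/etc/rc"
    printf 'if [ -f /etc/named.conf ]\nthen\n named\nfi\n' > "$1/sbin/bigip_active"
    printf 'kill `cat /var/run/named.pid`\n' > "$1/sbin/bigip_standby"
    chmod 755 "$1/sbin/bigip_active"; chmod 644 "$1/sbin/bigip_standby"
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_dns_proxy "$tmp" || true    # reports 2 problems for the sample
rm -rf "$tmp"
```

The return status is the number of problems found, so a zero status means every checked step is in place.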


Known Issues

The F5 Configuration utility does not handle virtual servers configured with 0 or 255 in the last octet. If a virtual server is configured with 0 or 255 in the last octet, no virtual servers are displayed in the F5 Configuration utility.