Release Notes : BIG-IP Controller Release Note, version 3.3.1

Applies To:

Show Versions Show Versions

BIG-IP versions 1.x - 4.x

  • 3.3.1
Release Notes
Original Publication Date: 01/04/2000 Updated Date: 04/18/2019


These release notes cover changes since version 3.3.  This release is a minor release.  This release applies to both global BIG-IP Controller releases and BIG-IP Controller releases that do not contain SSL cryptography technology (non-crypto). 


Installing the upgrade

You can apply this release to version 2.0 and later.  Do not apply previous PTFs; they are included in this installation. 

Note:  The installation procedure has changed slightly from the one you used with previous versions of the software.  With this version, you need only untar the install script upgrade_install.  When you run the install script, the script untars and installs only the files required to upgrade your installation.  If the BIG-IP Controller you are upgrading has a solid state drive (SSD), you must use the new procedure.  For more information on upgrading the BIG-IP Controller with a solid state drive, see Solid state drive installation notes in the Known issues section of this document.

Use the following process to install the software:

  1. Click here and follow the instructions for using the F5 Networks FTP site.
  2. Download bigipv331kit.f5.tar file to the /var/tmp/ directory on the BIG-IP Controller. 

    If you are using a non-crypto version restricted by cryptography export laws, you need to download the bigipv331nocryptokit.f5.tar.  To place FTP in passive mode, type pass from the command line before transferring the file. 
    • To install the global release of this software, type the following commands:

      cd /var/tmp
      tar -xvpf bigipv331kit.f5.tar upgrade_install

    • To install the non-crypto release of this software, type the following commands:

      cd /var/tmp
      tar -xvpf bigipv331nocryptokit.f5.tar upgrade_install

  3. From the root (/), enter the following command:


  4. Follow the on-screen instructions.

The installation automatically creates a backup of the following files in /var/save/backupyymmdd_hhmm/ on the BIG-IP Controller:


Note:  If you have made changes to a file in this list, you may need to edit that file and retype your modifications.

If you are upgrading a version of the BIG-IP Controller that does not contain SSL cryptography technology (non-crypto), you now have the option to configure either a Telnet or FTP server during the upgrade, or you can do the configuration at a later time.  The upgrade process prompts you to configure either Telnet or FTP if they have not been configured.  Follow the on-screen instructions. 

When you are ready to configure Telnet or FTP, type one of the following commands to start the appropriate configuration utility:



Note:  During an upgrade, you may see the error message "Bad interface name passed to the kernel" when the BIG-IP Controller starts to reboot.  This error is harmless.  It is a result of the unfamiliarity of the drivers with the new configuration files.  After the upgraded controller automatically reboots, the new drivers should correspond to the new configuration files correctly. 

The checksums for this release are available in a file called sums, which can be downloaded from the FTP site. 

What's new in this version


  • Upgraded to BIND-8.2.2-P7
    Upgraded the version of BIND installed on the BIG-IP Controller to 8.2.2 patch level 7.  This version contains enhanced security.  After you install this release, the BIG-IP Controller will be running BIND 8, regardless of previous configuration.
  • Network Map popup screen
    The Network Map opens in a new browser window instead of the main window of the configuration utility. For more information on this see the Network Map section under Configuring and using the updated software.
  • Improved SSL gateway performance
    With this upgrade of the BIG-IP Controller we have significant improvements in the SSL gateway performance.
  • Updated Network Interface Card drivers
    The BIG-IP Controller now supports the Adaptec Starfire interface NICs.  The driver name is SF, e.g., SF0, SF1, SF2, etc. The driver supports any mix of the 1 port, 2 port, or 4 port version.
  • SEE-IT compatibility
    With this upgrade of the BIG-IP Controller you can use the SEE-IT Network Manager once you install bigiplistener.

What's fixed in this version

  • CR 10835:  Evaluating a "discard" in a non-proxy rule can destabilize the BIG-IP Controller 
    The BIG-IP Controller evaluates a "discard" in a non-proxy rule without performance issues.
  • CR 10816:  Incorrect handling of rule error causing system to panic  
    If the BIG-IP Controller cannot resolve a rule, the session is discarded and the system no longer panics.
  • CR 10809:   Bigtop is incorrectly reporting node state (up or down) 
    Bigtop now correctly reports node state.
  • CR 10802:  Adaptec Starfire NIC performance issue  
    The auto-negotiation problem has been fixed and this improves performance.
  • CR 10700:  The BIG-IP Controller permits cookie-persistent connections to a downed node  
    Using bigpipe node <node> down now prevents clients with cookie-persistence from getting through to the downed node; instead the client is load balanced as if it were a new connection.
  • CR 10676:  Abnormal SSL traffic may cause memory fault and system reboot  
    The BIG-IP Controller can now run under the conditions that previously caused the memory fault and reboot.
  • CR 10588:   ICMPs originating from the BIG-IP Controller may use a virtual address as the source address
    ICMPs now use an administrative address as the source address.  
  • CR 10536:  Upon failover with MAC Masquerading, node address service check results may be incorrect  
    Gratuitous ARPs are now sent for administrative addresses, therefore node address service checks are marked correctly.
  • CR 10524:  After failover, snmpget returns incorrect status  
    The command snmpget was reporting failover status incorrectly. snmpget now returns the correct results after failover.
  • CR 10506:  Many concurrent connections to remote origin servers can destabilize the BIG-IP Controller
    The BIG-IP Controller now manages many concurrent connections without the performance issue. 
  • CR 10502:   A residual SNAT connection is left after a bounceback connection using FastFlow (FastPath) architecture
    The SNAT connection is now cleared after a bounceback connection using FastFlow architecture.  
  • CR 10434:  The watchdog card timer needs to be increased
    The increased watchdog card timer prevents hard drive corruption.  
  • CR 10375:   The command vmstat -m returns an error
    The command vmstat -m no longer returns incorrect data.  
  • CR 10359:  SNMP is missing a few of the UC Davis MIB entries
    The missing UC Davis MIB entries have been included. 
  • CR 10357:   Deleting a virtual server configured with a wildcard port deletes all other virtual servers with that IP address
    You can now delete a virtual server configured with a wildcard port without affecting other virtual servers that have the same IP address.  
  • CR 10311:  The command bigpipe -s may incorrectly calculate port display parameters  
    The port line can now be longer than 67 characters on a dual unit without causing configsync to fail and take the backup unit out of service on failover.
  • CR 10310:  Potential crash with FastFlow (FastPath) forwarding on under heavy use  
    Under tested circumstances, having FastFlow forwarding on should not cause the BIG-IP Controller to crash with heavy use.
  • CR 10286:  OID does not return the interface's physical address
    Fixed the UC Davis MIB so that it now returns the appropriate information.  
  • CR 10221:   SSL accelerator logs should be rotated
    SSL accelerator logs are now rotated.  
  • CR 10196:  The BIG-IP Controller SNMP agent may cause possible performance issues
    The BIG-IP SNMP agent has been updated. 
  • CR 10014:  OID not consistent with UC Davis OID  
    We have updated the OID to be consistent with traps defined in the UC Davis MIB.
  • CR 9975:  Resetting the stats for a virtual server specifying port 0 resets stats for all virtual servers with that IP address
    You can now reset a virtual server with port 0 without resetting the other virtual servers with that IP address. 

Configuring and using the updated software

This release provides the following configuration options. 

Network Map

You can now access the Network Map from an icon found in the title bar in the Configuration utility.  This icon opens a new browser window rather than opening the Network Map in the main browser window.  You can click on nodes, virtual servers, and node addresses on the Network Map popup screen to open the properties page for that item in the main browser window.  You can keep the Network Map popup screen open while working in the Configuration utility, and click the Refresh button to update the page. To use the Network Map
  1. Click the Network Map compass icon.
    The Network Map popup screen opens.
  2. Click a node address (or node or virtual server).
    The properties page for that node address opens in the Configuration utility main browser window.

The SEE-IT Network Manager

You can now use the SEE-IT Network Manager with the BIG-IP Controller. The SEE-IT Network Manager that includes content delivery network functionality only works with the BIG-IP Controller version 3.3.1.  Install bigiplistener on the BIG-IP Controller by doing the following:

Note: The bigiplistener cannot be installed on a BIG-IP Controller that has a solid state drive (SSD) due to space limitations of the drive.

To install the bigiplistener331
  1. Click here and follow the instructions for using the F5 Networks FTP site.
  2. Download the bigiplistener331.tar file to the /var/tmp directory of the BIG-IP Controller.
  3. To install the bigiplistener, type the following commands: cd /
    tar -xvf /var/tmp/bigiplistener331.tar
  4. Open the Corba port using the following command: sysctl -w bigip.open_corba_ports=1
  5. When you add the BIG-IP Controller to the content delivery network via the SEE-IT Network Manager, the user name and password you enter must already be configured on the BIG-IP Controller's web server.

Known issues

The following are known issues with the BIG-IP Controller, version 3.3.1 as of the release date.  For known issues subsequent to the release date, please go to AskF5.  Once you have logged in, type "known issues" and click Ask.  Select the correct version number and click Ask again.

  • Forward proxy caching
    If a cache rule is not required, you achieve better performance with your BIG-IP Controller and your cache servers by using a layer 4 configuration with Destination Address Affinity (sticky persistence) to stripe content across the cache servers.

  • Cache rule
    Numeric expressions do not work in the cache rule, e.g., 'cache ( 0 ) {}' or 'cache ( 1 ) {}'.

  • Content_hash_size
    Depending on BIG-IP Controller memory and configuration, you should use a content_hash_size no greater than 4 million.  This is based on having 128 MB on the BIG-IP Controller, with 32 MB of that free.  A content_hash_size greater than this may destabilize the BIG-IP Controller.

  • Intelligent hot cache population
    Hot_pool members must be in the cache_pool for intelligent hot cache population to work correctly.

  • Node statistics
    The Total connections statistic from the Network Map Virtual Servers and Nodes section is the total number of connections for all virtual servers using that node (the same as the bigpipe node command). It is not the number of connections attributable to a single virtual server (the same as the bigpipe vip command).

  • JavaScript errors
    When using Internet Explorer, if you click the Network Map icon when the Network Map popup screen is already open, you may get a JavaScript error.  Click Yes to dismiss the error message.  The Network Map popup screen is already open, and you can navigate to it in the same manner in which you would go to any other open browser window. 

    When using Internet Explorer 4.02 only, when you click Apply on the ECV Properties page, you may get a Javascript error.  Click Yes to dismiss the error message.  The error message does not affect any changes made on the ECV screen, your changes have been applied.


  • Mirroring connections
    Connections resulting from cookie persistence or late binding rules cannot be mirrored.
  • Using Internet Explorer 5.5 with this version of the Configuration utility
    If you use Internet Explorer 5.5, there are certain instances that cause a Security Information dialog box to open.  For example, if you navigate to the Tool Options page and select the color palette icon (to open the color palette and select a color).  The Security Information dialog box states:  "This page contains both secure and nonsecure items.  Do you want to display the nonsecure items?"  The button choices are Yes, No, and More Information.  You should click Yes in response to this dialog box as this is an erroneous error message, your secure connection to the BIG-IP Controller is intact. 

    If you select No, access is blocked to other areas of the tool.  If this happens, restart Internet Explorer, reinitiate the HTTPS session to the BIG-IP Controller, and click Yes to the security warning.  You should only have to answer Yes to this warning once per session.

  • Allowing TCP access on SNMP port 161
    Please note:  We do not recommend allowing TCP access on SNMP port 161 on an external interface; it may open up the BIG-IP Controller to security problems.

    To allow TCP access on the SNMP port 161, it is necessary to type the following command:

    bigpipe interface <interface_name> adminport open

    You will also need to edit the /etc/rc.local file by adding -T TCP.

    Change this setting:

    # BIG/ip SNMP Agent
    if [ -f /etc/snmpd.conf ]; then
         /sbin/bigsnmpd -c /etc/snmpd.conf -P /var/run/

    To this:

    # BIG/ip SNMP Agent
    if [ -f /etc/snmpd.conf ]; then
         /sbin/bigsnmpd -c /etc/snmpd.conf -P /var/run/ -T TCP

    We have added a fix for a problem in the UC Davis utilities that prevented TCP queries from working.

  • Issues with the SSL Accelerator feature
    An SSL Accelerator connection has a fixed reap time of 300 seconds.  An SSL Accelerator connection that targets a virtual server connection is terminated when the virtual server connection is terminated.  A virtual server connection targeted by an SSL Accelerator connection is terminated when the SSL Accelerator connection is terminated.
  • Restart the proxyd after overwriting keys and certificates
    If you overwrite existing keys or certificates in the SSL gateway configuration using the Configuration utility or from the command line, you must restart the proxyd from the command line in order for the changes to take effect.  Restart the proxyd by typing the following command on both units:

  • Advisory message: Accepting host < IP address of other controller > key without checking
    This message appears the first time you run the configsync command between two BIG-IP Controllers that you have not synchronized before.  This warning advises you that no DNS or other authentication was performed to guarantee the identity of the remote system. 
  • Interface selected inconsistently
    Some versions of the BIG-IP Controller are not consistent in how they choose the interface for state mirroring and other controller-to-controller communication.  Newer versions ask you which interface to use.  This can result in two BIG-IP Controllers with different interface choices for state mirroring.  This can cause state mirroring to fail and make it impossible to enable active-active mode.  You can use the following command to check which interface is set on each BIG-IP Controller (sample output is also shown):

    b1:/etc# bigdba -d - 2>&1 | grep -i statemirror.ipaddr
    Local.Bigip.Statemirror.IPAddr = ""
    b2:/etc# bigdba -d - 2>&1 | grep -i statemirror.ipaddr
    Local.Bigip.Statemirror.IPAddr = ""

    Make sure that the IP addresses shown are on the same internal subnet.  If they are not, then the BIG/db needs to be changed manually to correct the problem.  To fix the problem, follow this procedure:

    1. To open the database, run the command:

      bigdba /var/f5/bigdb/user.db

    2. Within the database, type the following commands:

      > Local.Bigip.Statemirror.IPAddr="<correct_ip_addr>"
      > quit

    3. After you are finished, reboot the BIG-IP Controller.
  • Persist mask default is
    The simple persistence mask is < by default.  The mask may be reset to the < state by setting its value to either or
  • The default SNAT and NATs from the BIG-IP Controller versions 2.1.x
    If your configuration contains a default SNAT and NATs, you receive an error as the BIG-IP Controller reads the configuration file.  This configuration is not supported in BIG-IP Controller version 3.1.1 or later.  To fix this error, you must remove either the default SNAT or the NATs from the /etc/bigip.conf file. 
  • Issues with the BIG-IP Controller NAT bounceback
    The NAT bounceback feature allows a node on the internal network to access a virtual server and be load balanced to another set of internal servers (nodes).  In versions prior to 3.0, NAT bounceback is enabled automatically when you create a NAT or SNAT.  In BIG-IP Controller versions 3.0 and later, this feature is disabled by the upgrade process.  To avoid a possible site interruption when using NAT bounceback

    After you apply the BIG-IP Controller version 3.0 upgrade (or later), follow these steps on the command line:

    1. First, turn on destination address processing for the internal interface with the following command:

      bigpipe interface exp1 dest enable

    2. Synchronize the configuration with the other BIG-IP Controller version 3.0 or later. 

      bigpipe configsync

    Enable destination address processing on the internal interface with the Configuration utility

    1. In the navigation pane, click NICs.
      The Network Interface Cards screen opens.  You can view the current settings for each interface in the Network Interface Card table. 
    2. In the Network Interface Card table, click the name of the internal interface you want to configure.
      The Network Interface Card Properties screen opens.
    3. To enable destination processing for the interface, click the Enable Destination Processing check box.
    4. Click the Apply button.

    After you configure destination processing on the internal interface, synchronize the configuration of the redundant BIG-IP Controller system.

    1. In the toolbar, click the Sync Configuration button.
      The Synchronize Configuration screen opens.
    2. Click the Synchronize button.
  • BIG-IP Controller, version 3.3.x, compatibility with the 3-DNS Controller
    The BIG-IP Controller, version 3.3.x, is compatible with the 3-DNS Controller, version 2.x.  Previous versions of the 3-DNS Controller are not supported with this release.
  • Interface configuration
    The /etc/bigip.interfaces file is being phased out.  Interface settings are now stored in BIG/db.
  • State mirroring in the BIG-IP Controller
    In order for state mirroring to work properly after a configuration change, you must follow these general guidelines:
    1. Make your configuration changes.
    2. Synchronize the configuration between the two controllers.  You can run the bigpipe configsync all command, or use the Configuration utility Config Sync feature.
  • Certificate error with Netscape Navigator 4.61 and 4.7
    Although it is very unlikely, you can receive the error "Netscape has encountered bad data from the server" when attempting to connect to the Configuration utility with Netscape Navigator versions 4.61 and 4.7.  This error may occur if you have a new BIG-IP Controller installed and a cached certificate is present in the copy of Netscape you use to access the Configuration utility.  If you see this error message, use this procedure to get a new certificate:
    1. Select the Netscape Security icon.
    2. Navigate to Certificates and then click Web Sites.
      Delete the existing certificate for the BIG-IP Controller.
    3. Connect to the BIG-IP Controller and accept the new certificate.
  • Using the browser back button is discouraged
    The Configuration utility is a CGI application that does forms processing.  We strongly recommend you do not use the browser back button after clicking the Apply button multiple times.  This can, with supported versions of Netscape (4.5 and later), result in the display of historical data.  Clicking the Apply button at this point overwrites the new data with the historical data.
  • Active-active unit auto-recovery delay
    The fail-over daemon (sod) now calculates a delay that is used to wait before an active unit returns an ID to a recovered unit.  This delay is based on timeout_node, timeout_svc, interface failsafe timeout, and gateway pinger timeout settings.  This delay might last up to several minutes.  This delay is not used in manual failback mode.
  • The pingnode alias option does not work with node port "any:0"
    The pingnode alias option does not work if you assign the node port any:0 to nodes.  You cannot assign a wildcard port in this instance, you must use a defined port number for pingnode.
  • You cannot reset individual pool statistics from the command line
    Currently, you cannot reset statistics for individual pools from the command line.  You can reset the statistics for an entire pool from the Configuration utility.  You cannot reset the statistics for an individual pool member.
    1. From the Navigation pane, click Statistics and the Pool.
    2. Click the Reset button in the Reset Stats column.
  • Solid state drive installation notes
    By following the directions in Installing the upgrade in this document, you should be able to install the upgrade without issue.  To ensure a smooth upgrade:
    • Make sure you do not have a directory in /tmp called /tmp/ramdisk.  The install script will create /tmp/ramdisk, but the script will not be able to proceed if /tmp/ramdisk exists prior to installation.
    • Make sure you have at least 40 MB of memory free.  If you do not have at least 40 MB of memory free, the script will be unable to mount ramdisk and will quit the installation without making any changes to your system.
    • Delete any rotating logs from /var/log.