Release Notes : BIG-IP Controller 4.5

Applies To:

Show Versions Show Versions

BIG-IP versions 1.x - 4.x

  • 4.5.0
Release Notes
Software Release Date: 10/31/2002
Updated Date: 04/18/2019

Summary:

This release note documents version 4.5 of the BIG-IP software. You can apply the software upgrade to versions 4.1.1 and later. For information about installing the software upgrade, please refer to the instructions below.

Contents:

Minimum system requirements

This section describes the minimum system requirements for this release.

  • Intel® Pentium® III 550MHz processor
  • 256MB disk drive or CompactFlash® card (if you have the 3-DNS module, you need a 512MB disk drive or CompactFlash® card)
  • 256MB RAM
  • Supported browsers: Microsoft® Internet Explorer 5.0 or 5.5; Netscape® Navigator 4.7x

 

[ Top ]

Supported platforms

This release supports these platforms:

  • F35
  • D25
  • D30
  • D35 (BIG-IP 520 and 540)
  • D39 (BIG-IP 1000)
  • D44 (BIG-IP 2000)
  • D45 (BIG-IP 2400)
  • D50 (BIG-IP 5000)
  • D51 (BIG-IP 5100 and 5110)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

 

[ Top ]

Installing the upgrade

Important: We recommend that you apply the latest PTF after you upgrade to version 4.5 of the BIG-IP software. If you have already upgraded to version 4.5, or you are not sure which version level is installed on your system, you can check the version by typing b version from the command line. For more information about downloading the latest PTF, see SOL167: Downloading software from F5 Networks.

Use the following instructions to apply the upgrade to the BIG-IP software, version 4.1.1 and later. The installation script saves your current configuration.

Warning:  Before you install the software, you must have a valid registration key. If you do not have a valid registration key, DO NOT attempt to install the software. If you choose to continue without obtaining a registration key, the BIG-IP system will not be fully functional. If you do not have a registration key, please contact your vendor to obtain one.

Important:  If you have a valid license file from a previous version of the BIG-IP software, use the following site to obtain a new license key: http://tech.f5.com/license/license.html.

The latest version of the release note is available at http://tech.f5.com.

Important:  If you are upgrading an IP Application Switch or a BIG-IP system that uses a solid state disk (SSD), use the installation instructions here.

  1. Connect to the F5 Networks, Inc., FTP site (ftp.f5.com). You are provided access to this service as part of the maintenance agreement with F5 Networks. Contact your vendor if you do not have a user ID and password for the F5 FTP site.

  2. Download the following file and the corresponding MD5 file:
    BIGIP_4.5_Upgrade.im

    Note:  If you want to create a CD image of the upgrade, download the bigip45crypto.iso.

  3. Download the upgrade file to the /var/tmp/ directory on the target BIG-IP unit.

  4. On the BIG-IP unit, change to the /var/tmp/ directory by typing:
    cd /var/tmp/

  5. Type the following command to get the MD5 checksum of the upgrade file:
    md5 BIGIP_4.5_Upgrade.im
    Compare the number in the MD5 file with the number output by the md5 command. The numbers should match.
    • If they do not match, try downloading a new version of the file from the F5 Networks FTP site (ftp.f5.com).
    • If the MD5 sums match, continue with the installation.


  6. Type the following command to install this upgrade:
    im BIGIP_4.5_Upgrade.im

  7. You are prompted to enter your registration key. Enter the registration key and press Enter. If you do not have a registration key, please contact your vendor to obtain one.

    The BIG-IP unit automatically reboots multiple times as it completes installation.

To upgrade an IP Application Switch or a Compact Flash media drive (SSD), use the following process.

  1. Create a memory file system, by typing the following command:
    mount_mfs -s 200000 /mnt

  2. Type the following command:
    cd /mnt

  3. Connect to the FTP site (ftp.f5.com).

  4. Download the correct im package and the corresponding MD5 file from the F5 Networks, Inc., ftp site (ftp.f5.com).
    For this upgrade, the file name is BIGIP_4.5_Upgrade.im

  5. Type the following command to get the MD5 checksum of the upgrade file:
    md5 BIGIP_4.5_Upgrade.im
    Compare the number in the MD5 file with the number output by the md5 command. The numbers should match.
    • If they do not match, download a new file from the F5 Networks FTP site (ftp.f5.com).
    • If the MD5 sums match, continue with the installation.


  6. On the BIG-IP unit, run the im upgrade script, using the file name from the previous step as an argument:
    im /mnt/<file name>

  7. You are prompted to enter your registration key. Enter the registration key and press Enter. If you do not have a registration key, please contact your vendor to obtain one.

    When the im script is finished, the BIG-IP unit reboots automatically.

Note:  This procedure provides over 90MB of temporary space on /mnt.  The partition and the im package files are deleted upon rebooting.

[ Top ]

Activating the license

To activate the software, you need a valid license certificate. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.

The registration key is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license.

The dossier is obtained from the software, and is an encrypted list of key characteristics used to identify the platform.

You can obtain a license certificate using one of the following methods:

  • Automatic license activation
    You perform automatic license activation from the command line or from the web-based Configuration utility of an upgraded unit. This method automatically retrieves and submits the dossier to the F5 license server, as well as installs the signed license certificate. In order for you to use this method, the unit must be installed on a network with Internet access.
  • Manual license activation
    You perform manual license activation from the Configuration utility, which is the software user interface. With this method, you submit the dossier to, and retrieve the signed license file from, the F5 license server manually. In order for you to use this method, the administrative workstation must have Internet access.

Note:  You can open the Configuration utility with Netscape Navigator version 4.7, or Microsoft Internet Explorer version 5.0 or 5.5. The Configuration utility is not supported in Netscape Navigator version 6.0.

To automatically activate a license from the command line for first time installation

  1. Type the user name root and the password default at the log on prompt.

  2. At the prompt, type license. The following prompts display:
    IP:
    Netmask:
    Default Route:
    Select interface to use to retrieve license:

    The unit uses this information to make an Internet connection to the license server.

  3. After you type the Internet connection information, continue to the following prompt:
    The Registration Key should have been included with the software or given when the order was placed. Do you have your Registration Key? [Y/N]:

    Type Y, and the following prompt displays:
    Registration Key:

  4. Type the 25-character registration key you received. If you received more than one key, enter your primary key and then click Add to enter the additional add-on option registration keys.
    The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.

  5. You are asked to accept the End User License Agreement.
    The system is not fully functional until you accept this agreement.

  6. You are prompted to reboot the system. Press Enter to reboot.
    The system is not fully functional until you reboot.

To automatically activate a license from the command line for upgrades

  1. Type your user name and password at the log on prompt.

  2. At the prompt, type setup.

  3. Choose menu option L.

  4. The following prompt displays:
    Number of keys: 1
    If you have more than one registration key, enter the appropriate number.

  5. The following prompt displays:
    Registration Key:
    Type the 25-character registration key you received. If you received more than one key, enter all of the keys separated by blanks.
    The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.

  6. When you are finished with the licensing process, type the following command to restart the services on the system:
    bigstart restart

To manually activate a license using the Configuration utility

  1. Open the Configuration utility according to the type of BIG-IP unit you are licensing:
    • If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.

    • If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the units local area network.


  2. Type the user name and password, based on the type of BIG-IP unit you are licensing:
    • If you are licensing a previously configured BIG-IP unit, type your user name and password at the log on prompt.

    • If you are licensing a new BIG-IP system, type the user name root, and the password default at the log on prompt.

    The Configuration utility menu displays.

  3. Click License Utility to open the License Administration screen.

  4. In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Manual Authorization.

  5. At the Manual Authorization screen, retrieve the dossier using one of the following methods:

    • Copy the entire contents of the Product Dossier box.

    • Click Download Product Dossier, and save the dossier to the hard drive.

  6. Click the link in the License Server box.
    The Activate F5 License screen opens in a new browser window.

  7. From the Activate F5 License screen, submit the dossier using one of the following methods:

    • Paste the data you just copied into the Enter your dossier box, and click Activate.

    • At the Product Dossier box, click Browse to locate the dossier on the hard drive, and then click Activate.

    The screen returns a signed license file.

  8. Retrieve the license file using one of the following methods:

    • Copy the entire contents of the signed license file.

    • Click Download license, and save the license file to the hard drive.


  9. Return to the Manual Authorization screen, and click Continue.

  10. At the Install License screen, submit the license file using one of the following methods:

    • Paste the data you copied into the License Server Output box, and click Install License.

    • At the License File box, click Browse to locate the license file on the hard drive, and then click Install License.

    The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.

  11. Click License Terms, review the EULA, and accept it.

  12. At the Reboot Prompt screen, select when you want to reboot the platform.
    License activation is complete only after rebooting.

To automatically activate a license using the Configuration utility

  1. Open the Configuration utility according to the type of BIG-IP unit you are licensing:
    • If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.

    • If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the units local area network.

  2. Type the name and password, based on what type of BIG-IP unit you are licensing:
    • If you are licensing a previously configured BIG-IP unit, type your user name and password at the log on prompt.

    • If you are licensing a new BIG-IP unit, type the user name root, and the password default at the log on prompt.

    The Configuration utility menu displays.

  3. Click License Utility to open the License Administration screen.

  4. In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Automated Authorization.

    The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.

  5. Click License Terms, review the EULA, and accept it.

  6. At the Reboot Prompt screen, select when you want to reboot the platform.
    License activation is complete only after rebooting.
[ Top ]

New features and enhancements

Enhanced support for managing SSL connections
This release includes several new features designed to further simplify the administration of SSL connections. These features include extensive web-based screens for centralized key management, and support for certificate revocation lists (CRLs). Another new SSL feature is the ability for an SSL proxy to interoperate with an LDAP database to authorize users based on client certificates. This LDAP database can reside either locally on the BIG-IP system, or remotely on another server on your network. Lastly, you can now limit the number of connections coming into an SSL proxy, for security or load balancing reasons. For more information on managing SSL connections, see the BIG-IP Reference Guide, Chapter 7, SSL Accelerator Proxies.

Easy system account creation
With this release, the BIG-IP system now offers a centralized Setup screen to set the passwords for the three system accounts: root, admin, and support. For the support account, you can also specify whether to allow command line access, Web access, or both. For more information on managing user accounts, see the BIG-IP Reference Guide, Chapter 17, Administering the BIG-IP System.

Security enhancements
You can now use the Setup utility to configure a remote LDAP or RADIUS authentication server. With this feature, you no longer need to directly edit configuration files to set up your LDAP or RADIUS authentication server. For more information about configuring remote authentication, see the BIG-IP Reference Guide, Chapter 2, Using the Setup Utility.

Also, this release of the BIG-IP system expands the number of user roles that you can assign to user accounts for the purpose of user authorization. In addition to the standard Full Read/Write, Partial Read/Write, and Read-Only access levels, you can now choose from three additional access levels. These access levels define which of the three interfaces an administrator can use to access the BIG-IP system (the Configuration utility, the command line interface, or the iControl interface). These user authorization roles are stored in the local LDAP database on the BIG-IP system and are designed to operate in concert with centralized LDAP and RADIUS authentication. For more information on managing user accounts, see the BIG-IP Reference Guide, Chapter 17, Administering the BIG-IP System.

Other useful security features in this release are intrusion detection and protection from denial-of-service attacks. This release includes two new features to assist in detecting network intruders--VLAN mirroring and clone pools. By enabling a clone pool, any traffic directed to a pool is automatically sent to a node within a replicated pool. The release also includes two new global variables to define high-water and low-water marks, for the adaptive reaping of connections. For more information VLAN mirroring and clone pools, see the BIG-IP Reference Guide, Chapter 3, Post-Setup Tasks, VLANs, and Chapter 4, Pools.

Universal Inspection Engine The Universal Inspection Engine (UIE) allows you to apply business decisions to applications and web services, and provides granular control for switching, persistence, and application level security. The BIG-IP system version 4.5 has the ability to read all HTTP or TCP content.

  • Universal content switching
    Through a number of new rule elements, such as a set of functions and the variables http_content and tcp_content, you can now write expressions within rules that search not only HTTP headers, but also HTTP and TCP data content to make load balancing decisions. As part of the new iRules syntax, these new variables and functions significantly enhance your ability to select the pools that most suit your traffic management needs.

  • Universal persistence
    Universal persistence allows you to persist on any string within a packet, or persist directly on a specific pool member. You can enable universal persistence by including rules-syntax expressions within a pool definition. In this way, a pool can perform load-balancing operations such as sending traffic to a specific node within the pool, or load-balancing traffic based on any string or node that you define. Furthermore, the rules syntax has been expanded to allow rules to intelligently persist requests to cache servers based on more granular information in a request. Universal persistence is particularly useful for persisting HTTP or TCP content that is unique to your application. Examples of universal persistence are for i-mode phone users and for working with BEA Weblogic servers by creating persistence maps on BEA Weblogic identifiers. For more information about the Universal Inspection Engine and iRules, see the BIG-IP Reference Guide, Chapter 5, iRules.

Other rule enhancements
In addition to the new rule functions and variables designed for universal content switching, the rules syntax has been further expanded to include two new rule statements, log and accumulate. Furthermore, you can now store your class lists externally instead of within the bigip.conf file. Storing your class lists externally improves performance and allows for incremental updates to those lists. To support this feature, you can store external class lists using either the Configuration utility or the iControl interface. For more information about these new functions, see the BIG-IP Reference Guide, Chapter 5, iRules.

Enhanced support for global variables
A number of new global variables are included in this release, such as variables that define high-water and low-water marks for the adaptive reaping of connections to prevent denial-of-service attacks. Also, the Configuration utility now shows all global variables and presents them in categories, according to function. For more information about these global variables, see the BIG-IP Reference Guide, Appendix A, bigpipe Command Syntax.

RealServer plug-in for UNIX systems
With this release comes support for RealSystem® Server systems running on the UNIX operating system. This feature provides the ability to dynamically load balance and monitor UNIX systems that are running the RealSystem® Server application. Once you have compiled and installed the plug-in, you can set up your pool for dynamic load balancing, and create a health monitor to monitor the traffic load on the RealSystem® Server system. For more information about the RealSystem Server plug-in, see the BIG-IP Reference Guide, Chapter 11, Monitors.

New health monitor features
This release includes a new EAV health monitor, udp, which allows you to check the status of UDP connections. Also, the reverse attribute, which marks a node as down based on a received string, is now available for the https and https_443 monitors. For more information about these monitors, see the BIG-IP Reference Guide, Chapter 11, Monitors.

Other load balancing enhancements
This release includes several new load balancing features, including enhanced administration of load-balanced connections. For example, through the Configuration utility, bigpipe command, or bigapi, you can now dump connections verbosely, or configure a timeout for idle HTTP connections. Also, by writing rule-type expressions within pool definitions, you can cause a pool to send a connection directly to one of its pool members. For more information these features, see the BIG-IP Reference Guide, Chapter 5, iRules and Chapter 4, Pools.

Support for Link Controller
This release of the BIG-IP system includes an add-on Link Controller module for all BIG-IP HA systems. This module includes such features as support for single routers with multiple IP addresses and uplinks, full duplex billing support, and support for multiple outbound router pools. Also included is a significantly enhanced Web user interface, designed to ease basic link-controller configuration steps and provide more detailed statistics information.

[ Top ]

Configuring and using the new software

Required configuration changes

Licensing changes
All users installing this upgrade are required to obtain a new license. To obtain a new license, follow the instructions for Activating the license.

Important:  You must complete the authorization and licensing process before you run the configuration utility to configure the unit. If you do not obtain a license before you run the configuration utility, the system may behave in an unexpected manner.

Read mode classes cannot be changed by the BIG-IP software (CR23259)
The BIG-IP software does not change Read mode classes. This means that classes are not automatically reloaded when you change the underlying file. To reload the class data in the kernel, simply define the class again. The existing data for the class is deleted and the new data is loaded.

Changes to the admin account during an upgrade
When upgrading to BIG-IP version 4.5 from a previous version, the BIG-IP system manages the Configuration utility access level assigned to the admin account by retaining the same access level that was assigned to the account prior to the upgrade. Once the upgrade is completed, we recommend that you promote the access level on this account to CLI + Full Read/Write.

Using certificate revocation lists (CRLs)  (CR23468)
If you are using certificate revocation lists (CRLs), it is important to note that CRLs can become outdated. It is common for a CRL to require an update anywhere from every day to every 30 days. If a CRL becomes outdated, the BIG-IP system does not accept any certificates, revoked or valid. It is important to have a plan in place to ensure that updated CRL files are entered on your BIG-IP system as soon as they become available.
To find out when a CRL file is going to need to be updated, enter the following command from the /config/bigconfig/ssl.crl directory:
openssl crl -in <crl name> -text -noout

Configuring remote authentication after upgrade  (CR24544)
Use the following procedure to configure remote authentication after an upgrade:

  1. When configuring remote authentication after an upgrade you must first create an "admin" user with the User Administration screen in the Configuration utility. The admin user must have CLI + Full R/W authentication.

  2. Run config to enable remote authentication.

  3. Set the Default Role and/or create new remote user roles. All web users besides admin will be converted to "remote user roles" and need to have passwords on the remote authentication server before they have access. Creating the admin account ensures that at least one user on the system will have Configuration utility access to configure the Default Role and other remote user roles.

 

[ Top ]

Known issues

The following items are known issues in the current release.

For the latest known issues for this release, please refer to AskF5 (http://tech.f5.com)

Fan and temperature monitoring with SNMP
SNMP queries for fan speed, CPU temperature, and power supply status are functional for certain platforms. Currently, fan and temperature monitoring is supported only for the following platforms:

520 and 540
1000
2000
2400
5000
5100
5110

For these platforms, automatic periodic monitoring is not automatically enabled. You can enable periodic monitoring by uncommenting the line in /config/crontab which runs system_check every two minutes. However, the system_check script does affect performance. Fan and temperature SNMP monitoring are not supported in the following platforms with this version of the BIG-IP software:
D25
D30
F35

SSH access host restrictions are now configured in /etc/hosts.allow (CR25530)
In previous versions /etc/ssh2/sshd2_config and /etc/sshd_config controlled SSH access. Upgrading to this version ignores previously configured SSH access restrictions configured in /etc/ssh2/sshd2_config and /etc/sshd_config. This upgrade reverts to an SSH access level that allows all hosts to connect. If you require restricted SSH access to certain networks/IP addresses you need to reconfigure these restrictions once the upgrade has been completed. To do this, type the following command to start the Setup utility and then press Enter:

config

Choose option S (Configure SSH) and set the restrictions you prefer.

The RADIUS port in /etc/services (CR20136)
Previous releases of this software use the RADIUS port 1645 as the default in /etc/services. This release uses the new IANA RADIUS port 1812.

Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.

Lower connection rate (CR23803)
In this release, BIG-IP platforms, such as the 520 and 2000, equipped with a single processor, are expected to have a maximum new connection rate approximately 10% lower than the version 4.2 release. This has no additional performance impact other than a reduction of the maximum connection rate. This does not affect the general performance of the single processor systems, and has no affect on dual processor systems.

b snat dump verbose  (CR3519)
The b snat dump verbose command does not show the target address of the SNAT connection.

Tagged VLAN members as members of an aggregate in another VLAN   (CR16353)
The configuration parser does not prevent you from adding tagged VLAN members as members of an aggregate in another VLAN. This configuration is not supported.

Error messages  (CR19543)
A timeout message may display when nothing is plugged into the Intel Gig ether card. This message is harmless and does not effect the operation of the BIG-IP system.

Setting active-active mode using the Configuration utility  (CR19794)
With network failover enabled, you cannot use the Configuration utility to configure active-active mode. When you have network failover enabled, use the command line interface to set active-active mode.

You must delete a SNAT before you can redefine it  (CR19798)
In the Configuration utility, before you can redefine a SNAT, you must delete it.

Link aggregation and STP  (CR20268)
When the Tx side of a fiber link goes down, the Rx link does not. This can cause problems when using link aggregation or STP.

Broadcom 582x driver error message  (CR20461)
Currently the Broadcom 582x driver does not return an error if the hardware operation times out.

Default gateway pools with SNAT automap  (CR20801)
Configuring a default gateway pool with SNAT automat causes packets in a single connection to be sent to multiple routers. In this case errant packets may not be re-SNATed. If you want to configure default gateway pools and SNAT automap, we recommend that you configure a wildcard network virtual server in front of the SNAT. The wildcard virtual server then routes by connection, using the cached node routes.

Header insert  (CR21617)
When you specify the header insert attribute for a pool, 128 bytes is the maximum allowable header length. If you exceed this length, the pool is configured without header insertion.

Interface show verbose  (CR21625)
When an interface has been added to a VLAN but the BIG-IP unit has not been rebooted, the interface show verbose command indicates that Intel Copper NIC has "No Carrier".

Windows uploads  (CR22043)
Delayed-acks may throttle Windows uploads to 40K per second.

Failover when the nCipher card fails  (CR22172)
The BIG-IP system does not currently support failover when the nCipher card fails.

Resets (RSTs) from aging out connections can have incorrect sequence numbers   (CR22219)
In certain cases, resets (RSTs) from aging out connections can have incorrect sequence numbers. This may cause some connections to hang.

Changing the support user role using the Setup utility  (CR22593)
If you want to change the support user role using the Setup utility, you must remove the support user and then re-add the support user with the desired role.

IpInfusion OSPF routing  (CR22751)
If you are using the IpInfusion OSPF routing daemon in an active-standby configuration, the OSPF daemon on the standby unit does not participate in the routing process until the standby unit becomes active. If the unit is active and running OSPF when fail-over occurs, the OSPF daemon stops participating in the routing process and routes then timeout according to the configured OSPF intervals.

Partial Read/Write and Read Only users cannot synchronize passwords to other unit  (CR22774)
Partial Read/Write and Read Only users can change their passwords, however; these users cannot run configsync to synchronize the changed passwords to the other unit. We recommend these users change their passwords manually on both units.

Configsync  (CR22778)
When you run configsync, you may have to re-login to the target BIG-IP unit.

The ftpd and user authentication  (CR22894)
The ftpd only authenticates users that are in /etc/passwd.

Very large configurations and bigtop  (CR22982)
Very large configurations, for example 260K with 2500 virtual servers, may slow bigtop down significantly.

Defining default VLANs in the Web-based Setup utility  (CR23048)
The Web-based Setup utility does not prevent you from adding the same interface to different VLANs. When you save the configuration, the interface is assigned to the last VLAN to which you added it.

SSL Proxy: Feature to rewrite redirects not compatible with the plain text proxy   (CR23059)
Configuring rewrite redirects with a proxy where client-side SSL is disabled (and server-side SSL enabled) is not supported.

Viewing port denial warnings using the Configuration utility  (CR23108)
The Illegal Attempts screen has been removed from the Configuration utility in this release. To view port denial warnings that have been logged in the Configuration utility, click Log Files in the navigation pane, and select the BIG-IP Log tab.

Configuration utility: Enable reset on service down and connection rebind features not compatible  (CR23202)
Attempting to set the enable reset on service down and connection rebind features on a virtual server returns an error message that states these features are not compatible. However, the Configuration utility creates the virtual server.

The ARP table next hop is not updated if all node pings and health checks are removed  (CR23504)
In certain situations, the ARP table next hop is not updated if all node pings and health checks are removed.

ARP replies to the virtual server node  (CR23460)
The BIG-IP system does not forward ARP replies to the virtual server node.

bigpipe proxy show  (CR23848)
bigpipe proxy show may display current and max connection statistics which exceed the limit. This is because the current connection count includes connections that the proxy has not yet accepted and has already closed, but for which the kernel is holding a connection data structure.

Error message when attempting to delete base monitors  (CR24073)
If you attempt to delete the TCP or UDP base monitors, you receive the following inaccurate error message: syntax error, refer to extended help for assistance. This error message should read: Root monitor templates may not be deleted.

Host names that begin with a digit  (CR24133)
bigpipe does not recognize host names that start with a digit.

Kernel message: unexpected chip or driver state  (CR24149)
If you are passing large amounts of traffic through an aggregated link, and one or all of the connections on the link go down, you may see a kernel message similar to the following:
Error: LinkScan: Unit 1 Port 21: bcm_port_update failed: Unexpected chip or driver state
This message is harmless and has no effect on the operation of the Big-IP system.

memory_reboot_percent and dumptftp combination may lead to delayed recovery  (CR24295)
If you surpass the value set for the memory_reboot_percent, and have dumptftp configured, there may be a small delay before a unit can fail-over.

Errant STP message in the BIG-IP system log  (CR24300)
A message may be logged that the STP daemon has started on a system where you are not using STP. This message is harmless.

Netmask with a trailing .  (CR24323)
If you configure a netmask with a trailing "." for example (255.255.255.0.), you may receive a load error.

Configuration utility: Key ID and certificate ID lengths  (CR24372)
The Configuration utility does not warn you if you create a key ID or certificate ID that is over the maximum number of characters allowed. The maximum key ID length allowed is 58 characters. The maximum certificate ID length allowed is 59 characters.

VLAN group in non-opaque mode  (CR24409)
When you configure the BIG-IP system to bridge between two VLANs in either transparent or translucent mode, packets that are destined to the same VLAN as they were received on are transmitted back to the segment, causing duplicate packets. To fix this problem, set the bridge mode to opaque, or use a switch instead of a hub.

Creating .ucs file names  (CR24425)
You are currently able to create .ucs file names that contain invalid characters. If you attempt to install these files, you receive an invalid character error message, and the .ucs files do not install.

Mismatched certificates prevent archive importing  (CR24437)
Keys and certificates that have the same name but are not logically paired (public key does not match private key) prevents the successful import of new archives. These files must be deleted or renamed.

VLAN mirroring is not available for LB, FLB, and CLB products  (CR24465)
The command line interface allows you to set up VLAN mirroring for the LB, FLB, and CLB products; however, this feature is not supported on these platforms and VLAN mirroring does not work. If you want to use VLAN mirroring, you must have a license for the HA product, or a Switch Appliance.

Configuring FTP  (CR24479)
When you run the Setup utility, the external VLAN has port lockdown enabled by default. If you are configuring FTP, remember that the only VLANs that will be accessible through FTP are VLANs with port lockdown disabled.

Deleting the Default Gateway Pool using the Setup utility   (CR24519)
If you define a default gateway pool using the Setup utility, and then define a virtual server or other network objects on the pool, you will not be able to delete the pool using the Setup utility as long as the pool is in use. In order to delete the pool using the Setup utility, you must first remove all IP addresses and network objects associated with the pool.

Upgrade error messages  (CR24534)
During upgrade, bigpipe load may display error messages during the first load. These error messages are harmless and do not affect the upgrade process.

globalStatMaxConn SNMP OID  (CR24553)
The globalStatMaxConn SNMP OID's description says "Maximum number of active connections allowed." The correct meaning of this OID is "The maximum number of connections this load balancer has serviced at one time."

Invalid BIG-IP e-Commerce Controller config options  (CR24566)
When you run config for the BIG-IP e-Commerce Controller, the invalid redundant system option is listed in the menu. Redundant options are not available for the standalone BIG-IP e-Commerce Controller.

Logging  (CR24600)
Users may be incorrectly logged as the root user.

FTP data connection does not set TOS or QOS  (CR24644)
FTP does not currently set the QOS and TOS bits on the data connection.

Apache Tomcat VU#672683  (CR24689)
The BIG-IP system is vulnerable to VU#672683.

Configuration utility: VLAN Group and VLAN Group Properties pages name box  (CR24719)
The VLAN Group and VLAN Group Properties pages in the Configuration utility allow you to type 31-character names in the name box. However, the maximum name length supported is 15 characters.

Upgrade error messages  (CR24744)
If you upgrade from a BIG-IP 4.2 product with a previously running configuration, after the first time you reboot you may receive error messages. These error messages are harmless and do not effect the operation of the BIG-IP system.

ANIP kernel on a dual-processor machine  (CR24758) (CR23640)
Configuring or booting the ANIP kernel on a dual-processor machine that does not have any ANIP-capable (gigabit) interfaces may cause the system to become unstable. If the kernel is not in ANIP mode (see the cpu anip command to determine this), we recommend that you change to the SMP kernel for better utilization of the second processor.

iControl and remote authentication  (CR24868)
If an iControl client (such as configsync) connects to the portal with remote authentication enabled and soon afterward the system is changed to use local authentication, subsequent iControl requests into the portal are rejected with the InvalidUser exception. To prevent this, we recommend that you shut down and restart the portal using the following commands:

      bigstart shutdown portal
      bigstart startup

The bigip.conf retains Certificate Map information  (CR24769)
In the Configuration utility, if you set up the authorization model to use Certificate Map, and then change the authorization model to just use Certificate, the bigip.conf retains the Certificate Map information. However, the authorization model switches to Certificate without affecting the functionality.

Network failover with gateway failsafe  (CR24870)
When using network failover and gateway failsafe, you must use the force active and force standby failover feature

authz user key  (CR24880)
If you enter "user" for the authz user key your configuration will not load properly.

Rebooting the controller and mra.config.log.[nn] files in the /var/log directory (CR24922)
When you reboot the BIG-IP system, you may see the following file, mra.config.log.[nn] in the /var/log directory. These files and their output are not relevant to the BIG-IP server appliance, and are, therefore, benign.

Memory exhaustion side-effects  (CR24940)
In certain circumstances, proxyd and other user processes may not respond when memory is exhausted.

Switch platforms and STP  (CR25113)
Using the halt command to halt the system with Spanning Tree Protocol (STP) enabled and participating in a STP domain may create a bridge loop on the switch platform.

Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

[ Top ]