Applies To:
BIG-IP versions 1.x - 4.x
- 4.5.11
Updated Date: 04/18/2019
Summary:
This release note documents version 4.5.11 of the BIG-IP® software. You can apply the software upgrade to version 4.2 and later. For information about installing the software, please refer to the instructions below.
F5 now offers both maintenance and new feature releases. Version 4.5.11 is a maintenance release which includes security updates and enhancements that stabilize the version 4.5 software, but it contains no major new features. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.
Note: As of 4/7/05, we have changed and renamed the IM packages to prevent the configuration synchronization issue, where, on rare occasions, when you upgrade your system to version 4.5.11, the local LDAP database becomes corrupt, and breaks the configuration synchronization from the failover unit.
The new IM package prevents this configuration synchronization problem from occurring on upgrade, but the package does not repair a corrupt LDAP database. For instructions on how to restore a corrupt LDAP database, see SOL2499: How do I recreate the LDAP database if slapd will not start or will not authenticate? on the AskF5 Technical Support Web Site.
Minimum system requirements and supported browsers
The minimum system requirements for this release are:
- Intel® Pentium® III 550MHz processor
- 256MB disk drive or CompactFlash® card (if you have the 3-DNS module, you need a 512MB disk drive or CompactFlash® card)
- 256MB RAM
The supported browsers for the Configuration utility are:
- Microsoft® Internet Explorer 5.0, 5.5, and 6.0
- Netscape® Navigator 4.7x
Note: The IM package for this release is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this release.
Supported platforms
This release supports the following platforms:
- F35
- D25
- D30
- D35 (BIG-IP 520 and 540)
- D39 (BIG-IP 1000)
- D44 (BIG-IP 2400)
- D45 (BIG-IP 2000)
- D50 (BIG-IP 5000)
- D51 (BIG-IP 5100 and 5110)
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Installing the software
Important: Before you run the Configuration utility to configure the unit, you must complete the authorization and licensing process. If you do not obtain a license before you run the Configuration utility, the system may behave in an unexpected manner.
If you are upgrading from version 4.2, you must upgrade your registration key.
Important: If you are upgrading a BIG-IP redundant system, you must upgrade both units. We do not support running different versions on a BIG-IP redundant system.
Important: If you are upgrading an IP Application Switch or a BIG-IP system that uses a CompactFlash® media drive, use the installation instructions here.
Note: In rare instances, using a notebook computer to perform PXE installations of BIG-IP software causes corruption on the notebook computer hard drive. If you are using a notebook computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you first back up any important data stored on the notebook computer hard drive.
The following instructions explain how to install the BIG-IP software, version 4.5.11 onto existing systems running version 4.5 and later. The installation script saves your current configuration.
- Go to the Downloads site and locate the BIG-IP 4.5.11 upgrade file, BIGIP_4.5.11_Upgrade-a.im.
- Download the software image and the BIGIP_4.5.11_Upgrade-a.md5 file.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
- If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.
- Check the md5 of the upgrade file by typing the following command:
md5 BIGIP_4.5.11_Upgrade-a.im
cat BIGIP_4.5.11_Upgrade-a.md5
The two md5 values should be identical.
Note: If the sums do not match, download the BIGIP_4.5.11_Upgrade-a.im file again and recheck the md5 for the file.
- Install this PTF by typing the following command:
im BIGIP_4.5.11_Upgrade-a.im
The BIG-IP system automatically reboots once it completes installation.
To upgrade an IP Application Switch or a BIG-IP system that uses a CompactFlash media drive, use the following process.
- Create a memory file system by typing the following command:
mount_mfs -s 200000 /mnt
- Go to the Downloads site and locate the BIG-IP 4.5.11 upgrade file, BIGIP_4.5.11_Upgrade-a.im.
- Download the software image and the BIGIP_4.5.11_Upgrade-a.md5 file.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
- If you downloaded the image file to a directory other than /mnt, copy the image file to the /mnt directory on your BIG-IP system.
- Check the md5 of the upgrade file by typing the following command:
md5 BIGIP_4.5.11_Upgrade-a.im
cat BIGIP_4.5.11_Upgrade-a.md5
The two md5 values should be identical.
- Install this PTF by typing the following command:
im /mnt/BIGIP_4.5.11_Upgrade-a.im
The BIG-IP system automatically reboots once it completes installation.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
Activating the license
Once you install the upgrade and connect the unit to the network, you need a valid license certificate to activate the software. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.
The registration key is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license.
The dossier is obtained from the software, and is an encrypted list of key characteristics used to identify the platform.
You can obtain a license certificate using one of the following methods:
- Automatic license activation
You perform automatic license activation from the command line or from the web-based Configuration utility of an upgraded unit. This method automatically retrieves and submits the dossier to the F5 license server, as well as installs the signed license certificate. In order for you to use this method, the unit must be installed on a network with Internet access.
- Manual license activation
You perform manual license activation from the Configuration utility, which is the software user interface. With this method, you submit the dossier to, and retrieve the signed license file from, the F5 license server manually. In order for you to use this method, the administrative workstation must have Internet access.
Note: You can open the Configuration utility using either Netscape Navigator 4.7x, or Microsoft Internet Explorer 5.0, 5.5, or 6.0.
To automatically activate a license from the command line for first time installation
- Type the user name root and the password default at the login prompt.
- At the prompt, type license. The following prompts display:
IP:
Netmask:
Default Route:
Select interface to use to retrieve license:
The unit uses this information to make an Internet connection to the license server.
- After you type the Internet connection information, continue to the following prompt:
The Registration Key should have been included with the software or given
when the order was placed. Do you have your Registration Key? [Y/N]:
Type Y, and the following prompt displays:
Registration Key:
- Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.
- You are asked to accept the End User License Agreement.
The system is not fully functional until you accept this agreement.
- You are prompted to reboot the system. Press Enter to reboot.
The system is not fully functional until you reboot.
To automatically activate a license from the command line for upgrades
- Type your user name and password at the logon prompt.
- At the prompt, type setup.
- Choose menu option L.
- The following prompt displays:
Number of keys: 1
If you have more than one registration key, enter the appropriate number.
- The following prompt displays:
Registration Key:
Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.
- When you are finished with the licensing process, type the following command to restart the services on the system:
bigstart restart
To manually activate a license using the Configuration utility
- Open the Configuration utility according to the type of BIG-IP unit you are licensing:
  - If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.
  - If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the unit's local area network.
- Type the user name and password, based on the type of BIG-IP unit you are licensing:
  - If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.
  - If you are licensing a new BIG-IP system, type the user name root, and the password default at the logon prompt.
The Configuration utility menu displays.
- Click License Utility to open the License Administration screen.
- In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Manual Authorization.
- At the Manual Authorization screen, retrieve the dossier using one of the following methods:
  - Copy the entire contents of the Product Dossier box.
  - Click Download Product Dossier, and save the dossier to the hard drive.
- Click the link in the License Server box.
The Activate F5 License screen opens in a new browser window.
- From the Activate F5 License screen, submit the dossier using one of the following methods:
  - Paste the data you just copied into the Enter your dossier box, and click Activate.
  - At the Product Dossier box, click Browse to locate the dossier on the hard drive, and then click Activate.
The screen returns a signed license file.
- Retrieve the license file using one of the following methods:
  - Copy the entire contents of the signed license file.
  - Click Download license, and save the license file to the hard drive.
- Return to the Manual Authorization screen, and click Continue.
- At the Install License screen, submit the license file using one of the following methods:
  - Paste the data you copied into the License Server Output box, and click Install License.
  - At the License File box, click Browse to locate the license file on the hard drive, and then click Install License.
The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
- Click License Terms, review the EULA, and accept it. The system is not fully functional until you accept this agreement.
- At the Reboot Prompt screen, select when you want to reboot the platform.
License activation is complete only after rebooting.
To automatically activate a license using the Configuration utility
- Open the Configuration utility according to the type of BIG-IP unit you are licensing:
  - If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.
  - If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the unit's local area network.
- Type the name and password, based on what type of BIG-IP unit you are licensing:
  - If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.
  - If you are licensing a new BIG-IP unit, type the user name root, and the password default at the logon prompt.
The Configuration utility menu displays.
- Click License Utility to open the License Administration screen.
- In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Automated Authorization.
The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
- Click License Terms, review the EULA, and accept it. The system is not fully functional until you accept this agreement.
- At the Reboot Prompt screen, select when you want to reboot the platform.
License activation is complete only after rebooting.
Fixes and enhancements in this release
This release includes the following fixes and enhancements.
Log messages during failover (CR23634)
If you have a redundant system configuration, when the active unit fails over, the following message is no longer logged to /var/log/bigd: bigapi_unit_mask fails Invalid message received from kernel
Creating invalid interface names (CR25890) (CR25950)
The command line utility no longer allows you to create invalid VLAN names that begin with the keyword vlan immediately followed by a number (for example vlan123).
Loopback addresses and pools (CR26184)
The loopback address is not a valid pool member. The Configuration utility and command line utility now enforce this, and you receive an error message if you attempt to add the loopback address to a pool.
Static routes configuration (CR26795)
The /config/static_routes file replaces the /config/routes file in this release. The routes that are included in the /etc/netstart file are moved to the new /config/static_routes file. In addition, the system propagates changes to the static routes configuration from one unit to the peer unit during configuration synchronization. The system also updates static routes when you reload the configuration. For more information about configuring static routes, refer to SOL3687.
Sendmail version 8.12.11 (CR26810)
This version of the BIG-IP software includes sendmail™ version 8.12.11.
Resetting statistics on the BIG-IP FireGuard, the BIG-IP Load Balancer, and the BIG-IP Cache Controller (CR27060)
If you reset the statistics, the BIG-IP FireGuard, the BIG-IP Load Balancer, and the BIG-IP Cache Controller no longer create a core file.
Honoring client MSS (CR27160) (CR40193)
The BIG-IP system now honors client maximum segment size (MSS) in all cases. This change may affect the way existing web aggregation configurations work, by preventing web aggregation to servers that advertise MSS lower than MSS advertised by the client.
Restarting NTP after configuration load (CR27424) (CR41220)
The ntpd daemon now restarts correctly when the configuration loads.
imid processing corrected (CR27481) (CR27752)
When performing iRules processing, the BIG-IP system now extracts the correct value for imid from a version 2 format User-Agent header. The system previously extracted one or two characters more than it should have. Relational tests performed on imid now work correctly, and imid persistence is more accurate in this release.
Preventing lock-up due to user-level resource exhaustion (CR27568)
In rare instances, it is possible that the system may lock up due to user-level resource exhaustion. If user-level resource exhaustion occurs, the BIG-IP system is unable to start any new processes, and you are not able to log in either remotely or using the console. If this occurs, you must hard-reset or power-cycle the system in order to restore normal operation.
In order to avoid this issue, we have added a new feature that helps protect against system lock-up due to user-level resource exhaustion. When you enable this feature, if the BIG-IP system is unable to start any new processes for a specified amount of time, a panic message is triggered which causes the system to reboot and fail over to the redundant unit. This feature is disabled by default.
To enable this feature, type the following:
set_deadman_timer <timeout>
Where <timeout> is the amount of time in seconds that the system is unable to execute processes before it reboots. The recommended setting is 183 seconds.
To disable this feature, type the following:
set_deadman_timer 0
To display the current status of the set_deadman_timer utility, type the following:
set_deadman_timer
Note: We recommend that you disable the set_deadman_timer utility any time you upgrade the BIG-IP software. This utility may cause the system to reboot prematurely during the software installation process.
Passphrase encryption for private keys removed (CR27817)
In the BIG-IP system you can no longer select the encrypt option when you configure a passphrase for private keys. (In previous releases, the encrypt option may have caused the system to fail if the configuration loads with proxies pointing at encrypted keys.)
Adding virtual servers in the Configuration utility with Any IP Traffic enabled (CR27835)
If you use the Configuration utility to add more than one virtual server to the same virtual address/net address, the BIG-IP system no longer disables the Any IP Traffic setting.
Deleting a virtual server from same IP address as SSL Proxy (CR27915)
If you delete a virtual server that resides on the same IP address as the SSL proxy, the proxy no longer stops responding to ARPs.
D35 system and the halt command (CR28079)
If you use the halt command on a D35 system and then press the Enter key to reboot the system, the system no longer enters into a netboot cycle after it reboots.
Duplicate FDB entries on 520/540 platforms (CR28214)
On BIG-IP 520/540 platforms, when a link signal is lost on an interface, the system now correctly deletes all associated FDB entries.
Self-IP addresses with 135 as the first octet (CR28316)
If you add a self-IP address with the number 135 as the first octet, incorrect duplicate VLANs no longer display when you type the bigpipe command vlan show.
bigtop utility delay setting (CR28435)
The bigtop utility ignores values for the -delay option that are less than or equal to 0.
Traps not included in the MIB definition (CR28436)
Traps not included in the MIB definition have been added to the LOAD-BAL-SYSTEM-MIB.txt file.
.1.3.6.1.4.1.3375.1.1.110.2.77 (fan .*? is failing) FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.76 (cpu .*? is too hot!) CPU_TOO_HOT
.1.3.6.1.4.1.3375.1.1.110.2.75 (cpu .*? fan is failing) CPU_FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.74 (power supply has failed) POWER_FAILED
Load times for large configuration with many proxies (CR28452) (CR29316)
The bigpipe sslproxy skip keycheck feature available in version 4.2 PTF-10 is now available in this version of the BIG-IP software. If you have a very large configuration with many proxies (50+) and you must reduce the configuration load time, you have the option of reducing the load time by disabling key and certificate validation.
To disable key and certificate validation using the command line utility, type the following:
bigpipe global sslproxy skip keycheck enable
To disable key and certificate validation using the Configuration utility, check the sslproxy skip keychecks check box on the Advanced Properties screen.
Active/Standby units configured with VLAN groups in translucent mode (CR28502)
If you have an active/standby redundant configuration with VLAN groups in translucent mode, monitors on the standby unit no longer fail in certain instances.
Configuring a fallback host using the Configuration utility (CR28550)
If you use the Configuration utility to configure a fallback host that contains a second http or https in the URI, the configuration loads correctly.
bigpipe vlan fdb show command (CR28562)
The output from the bigpipe vlan fdb show command now includes the corresponding VLAN name and tag for each heading. This makes the output easier to read if you have a large number of VLANs configured. If you are parsing this output with automated tools, you may need to modify the tools to reflect this format change.
Certificate key files (CR28589)
You can no longer use the Configuration utility Proxy Properties screen to view or delete the default.key or default.crt files. In previous releases, deleting the default.key or default.crt files caused the local LDAP server to fail.
Serial number display command for IP Application Switch platforms (CR28808)
If you have an IP Application Switch platform, you can use the bigpipe serialnumber or bigpipe sn commands to display the serial number.
TCP half close (CR28904)
When a client closes a TCP connection, the BIG-IP system no longer closes the connection 15 seconds after it receives a FIN from the client if there is data going from the server to the client.
Redundant configurations with gateway failsafe enabled (CR29057)
In previous releases, if you had an active/standby configuration with gateway failsafe enabled, if the standby system was unable to reach the gateway, and the active system lost its connection to the gateway, both units went to a standby state. This issue is corrected in this release.
Out-of-order TCP segments (CR29158)
Out-of-order TCP segments no longer cause application processing (for example, header insert) to fail.
IP filter configuration (CR29196)
The Configuration utility no longer generates incorrect IP filter (ipfw) configurations for IP filter rules with specified source and/or destination service fields.
snmpdca monitor (CR29223)
If you use the snmpdca monitor to gather metric information, the dynamic ratio is now calculated correctly.
loadBalTrapPortString properties (CR29255)
The MIB description for loadBalTrapPortString is changed to correctly reflect the value returned.
SNAT limits (CR29349)
If you set a SNAT limit, you no longer have to set the value to 0 to remove the limit. In addition, if you load a bigip.conf file that does not have a SNAT limit configured, the previous SNAT limit value is no longer used incorrectly.
Network and hardware failover (CR29394)
If network and hardware failover are both running, and gateway failsafe is triggered, the current standby unit becomes active when the gateway becomes available.
Duplicate packets on 2400, 5100, and 5110 platforms (CR29456)
If you have a 2400, 5100, or 5110 BIG-IP platform, packets with an unknown destination coming in on an untagged 10/100 port no longer cause the BIG-IP system to send out duplicate packets.
SSL proxy failover configuration (CR29612)
The sslhardware failover setting no longer displays on the Redundant Properties screen in this release. To configure SSL proxy failover, use the sslproxy failover setting on the Advanced Properties screen.
Using the Configuration utility to change VLAN tags (CR29629)
If you use the Configuration utility to change the VLAN tag, it no longer incorrectly updates the network virtual address.
Add Proxy wizard (CR29631)
If you use the Configuration utility Add Proxy wizard to add a proxy and you do not specify a client CA from the list before you click Next, the wizard no longer uses the or choose text as the client CA file name.
mrad failure error messages (CR29660)
The mrad function is started only on the BIG-IP 2400 (D44) platform.
Secure mode for syslogd (CR29730)
By default, syslogd is now started in secure mode.
Error message in Configuration utility and valid range for VLAN tags (CR29793)
The allowable values for VLAN tags are 1 through 4094. If you inadvertently specify a value that is outside of the allowable range, you now see the correct error message.
Layer 7 traffic (CR29809)
If you have layer 7 traffic going through the BIG-IP system, and a server retransmits a packet that is larger than the original packet, the BIG-IP system no longer truncates the packet to the size of the original packet.
bigpipe l2_aging_time setting (CR30152)
When you reboot the BIG-IP system, the bigpipe l2_aging_time setting in the bigip_base.conf file no longer incorrectly returns to the default setting (300).
Base domain name limit for LDAP auth (authz) (CR30279) (CR41195)
The base domain name limit for LDAP auth (authz) has been increased from 64 to 2048 bytes in this release. In addition, if the owner attribute received from the LDAP server is 64 bytes or more, the BIG-IP system no longer adds extraneous characters to the search request.
Authenticate is now a reserved keyword (CR30733)
The word authenticate has been added to the reserved keywords list in this release. Reserved keywords should never be used for naming when you configure the BIG-IP system.
IP Application Switch interface output error statistics (CR30995)
The IP Application Switch platform no longer increments the output error counter incorrectly. This issue occurred only in rare instances, and does not affect the functionality of the BIG-IP system.
Version rollback script
This release includes a rollback script that allows you to return to the previous version of the BIG-IP software after you upgrade. This script is designed to allow you to roll back the software version in instances where you upgrade before you discover that the new version of the software is incompatible with your specific network configuration. You can use the script to return only within the major version (see SOL4476: BIG-IP Software Lifecycle Policy) of the BIG-IP software that was installed on the system prior to the upgrade. Any configuration changes you make after the upgrade are lost when you run the rollback script.
To use the rollback feature you must create a rollback IM package before you upgrade to a different version of the software.
To create a rollback IM package in /var/tmp/rb using the version 4.6.3 mkrb file, use the following procedure:
- Change your directory to /var/tmp by typing the following command:
cd /var/tmp
- Extract the mkrb file from the 4.5.11 upgrade package by typing the following command:
tar -C / -xzf BIGIP_4.5.11_Upgrade-a.im usr/local/bin/mkrb
- Create the necessary rollback files by typing the following command:
mkrb BIGIP_4.5.11_Upgrade-a.im
This creates an IM package that you can run on the BIG-IP system if you want to return to the previous version of the software. The IM upgrade package you create is located in the /var/tmp/rb directory.
To install the rollback IM package, type the following commands:
cd /var/tmp/rb
im <rollback_im_package_name>.im
Note: If you install the rollback package created by the script and decide that you want to upgrade to a later version of the software in the future, you need to use the im -force /var/tmp/rb/<rollback_im_package_name>.im command to install the IM package.
bigpipe global reaper hiwater (CR31393)
The BIG-IP system no longer allows you to configure invalid values for the bigpipe global reaper hiwater and reaper lowater settings. Valid values for these settings are between 65-100.
Redundant configurations with a large number of SSL proxies (CR31682)
If you have a redundant configuration with a very large number of SSL proxies configured, during config sync the LocalLBServer process no longer generates core files.
Low proxy TPS settings and large amounts of traffic (CR31907)
When you have a proxy that is licensed for a low TPS setting (100 TPS or similar) and the proxy receives a lot of traffic, connections over the TPS limit are queued up. If the quantity of connections in this queue reaches a significant number, the proxy no longer fails.
HTTP header rules (CR31944)
When the BIG-IP system has an HTTP header rule with a long matching URL, if the last line of the client's HTTP request header is short, it no longer causes the client connection to hang.
snmpdca monitor and CPU usage (CR32164)
The snmpdca monitor no longer performs an SNMP compile of MIBs for each instance of the monitor. In previous releases this caused increased CPU usage on the BIG-IP system.
Deleting pools (CR32258) (CR41502)
If you delete a pool that is receiving traffic, the BIG-IP system now works correctly. It no longer becomes unstable on reboot or during configsync.
VLAN group and members with the same MAC masquerade address (CR32362)
If you assign the same MAC masquerade address to a VLAN group and a VLAN in the VLAN group, the BIG-IP system now creates ARP table entries for replies to its own ARP requests.
IP Application Switch packet drop count reporting under heavy load (CR32375)
If you have an IP Application Switch platform running under heavy load, the packet drop count reported by the bigpipe interface show command no longer fluctuates incorrectly.
snmp_dca monitor (CR32410)
The snmp_dca monitor no longer incorrectly marks nodes as down in certain circumstances.
ARP replies through VLAN groups (CR32760)
The BIG-IP system now forwards gratuitous ARP replies through VLAN groups.
bigpipe pool show command output in software version 4.5x (CR32797)
This version of the BIG-IP software includes the option to change the output from the bigpipe pool show command to match the output of the bigpipe pool show command in 4.2x versions.
The 4.5 output is the same as the 4.2 output, with one exception -- in the 4.5 output, there is no space between PRIORITY and 5, and in the 4.2 output, there is a space between PRIORITY and 5. See the following examples of the output from the bigpipe pool show for both the 4.2x and 4.5x versions:
4.2 output:
POOL plain_pool LB_METHOD round_robin
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+-- MEMBER 10.10.99.12:http PRIORITY 5 ACTIVE,UNCHECKED
To change the output to the 4.2x version using the command line utility, type the following:
bigpipe db set Local.Bigip.BigPipe.ShowPriority = "true"
4.5 output:
POOL plain_pool LB_METHOD round_robin
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+-- MEMBER 10.10.99.12:http PRIORITY5 ACTIVE,UNCHECKED
To change the output to the 4.5x version using the command line utility, type the following:
bigpipe db set Local.Bigip.BigPipe.ShowPriority = "true"
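Monitoring or audit scripts that parse bigpipe pool show output break silently if they expect only one of the two PRIORITY layouts shown above. The following added example (not F5 code; the function names are hypothetical) normalizes both layouts to one record per pool member. The two sample inputs are copied from this release note, and printing "-" for a missing field is an assumption of the example.

```shell
#!/bin/sh
# Added example (not F5 code): parse `bigpipe pool show` member lines,
# accepting both the 4.2x layout ("PRIORITY 5") and the 4.5x layout
# ("PRIORITY5"). Output per member: pool member priority status

parse_pool_members() {
    awk '
        # Remember the pool name from the most recent POOL header line.
        $1 == "POOL" { pool = $2; next }

        # Member lines look like: +-- MEMBER addr:port PRIORITY[ ]N STATUS
        $1 == "+--" && $2 == "MEMBER" {
            member = $3; prio = "-"; status = "-"
            for (i = 4; i <= NF; i++) {
                if ($i == "PRIORITY" && i < NF) {
                    prio = $(i + 1); i++          # 4.2x: separate field
                } else if ($i ~ /^PRIORITY[0-9]+$/) {
                    prio = substr($i, 9)          # 4.5x: fused, strip label
                } else {
                    status = $i                   # e.g. ACTIVE,UNCHECKED
                }
            }
            print pool, member, prio, status
        }
    '
}

# Sample output in the 4.2x layout, as shown in the release note.
sample_42() {
    cat <<'EOF'
POOL plain_pool LB_METHOD round_robin
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+-- MEMBER 10.10.99.12:http PRIORITY 5 ACTIVE,UNCHECKED
EOF
}

# Sample output in the 4.5x layout, as shown in the release note.
sample_45() {
    cat <<'EOF'
POOL plain_pool LB_METHOD round_robin
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+-- MEMBER 10.10.99.12:http PRIORITY5 ACTIVE,UNCHECKED
EOF
}

# Both layouts yield the same normalized record.
sample_42 | parse_pool_members
sample_45 | parse_pool_members
```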
Cookie persistence (CR32815)
If the BIG-IP system receives a packet containing one or more CRLFs and then receives a packet containing a GET request with cookie persistence, the BIG-IP system no longer ignores the cookie.
Forwarding pools on systems under heavy load (CR32874)
If you have a forwarding pool configured and the BIG-IP system is running under very heavy load, if a syncookie threshold is triggered, the system remains stable.
SSL proxy with virtual server address and port translation disabled (CR32923)
If you configure an SSL proxy that directs traffic to a virtual server that has address and port translation disabled, traffic is handled correctly in this release.
Certificate check script (CR33118)
The certificate verification utility checkcert functions correctly in this release.
TCP and UDP timeouts on BIG-IP 2400 IP Application Switch platforms (CR33121)
For BIG-IP 2400 IP Application Switch platforms, if the TCP or UDP timeout for a service is less than the software reaper period, the BIG-IP system no longer incorrectly sets the virtual server hardware acceleration mode to software only.
Connections through a late-binding virtual server (CR33627)
If connection aggregation is enabled, connections through a late-binding virtual server no longer hang. When you enable web aggregation, connections handled by a late-binding virtual server no longer hang if a client closes a connection before acknowledging the entire reply from the server. This issue affected client requests that were aggregated to the server connection used by the client that decided to close early.
Connection mirroring for redundant systems (CR33664)
If you have a pair of BIG-IP units configured in a redundant system, and you have connection mirroring enabled, mirrored connections are now reaped properly after failover.
UDP virtual server (CR33713)
If you configure a UDP virtual server, the idle timeout is refreshed for each packet sent from the client to the server, and for each packet sent from the server to the client.
Large internal class definitions (CR33803)
If you load a large configuration that has a large internal class configured, and you use the Configuration utility to modify the internal class, the Configuration utility no longer fails.
bigpipe global vlangroups show command (CR34112)
If you use the bigpipe global vlangroups show command, you no longer receive a syntax error.
Deleting pools with active connections (CR34199)
We have added functionality in this release that protects against system instability if you delete a pool with active connections.
snmp_dca monitor (CR34228)
The snmp_dca monitor now returns correct values in all cases.
BGE NIC hardware issue (CR34446)
We have corrected an issue with the internal BGE network interfaces that caused some or all of the external interfaces to appear to have failed. The failure occurred infrequently under heavy load on BIG-IP 5000, 5100, and 5110 platforms and is accompanied by log messages containing the text: kernel: bge0: watchdog timeout resetting or kernel: bge1: watchdog timeout resetting. In addition, we have increased the amount of information recorded by BGE watchdog timeout log messages.
ARP requests with incorrect source protocol address (CR34525)
The BIG-IP system no longer uses inactive floating self-IP addresses or virtual server addresses in the source protocol address field for ARP requests. If the system cannot generate an ARP request because there is no usable IP address available on a VLAN, the BIG-IP system logs the following warning message to /var/log/messages:
kernel: arpresolve: no usable src addr on iface: <interface_index>
This message is logged on BIG-IP systems that have a VLAN configured with only floating self-IP addresses; this type of configuration is not supported.
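The two kernel messages quoted above (the BGE watchdog timeout and the arpresolve warning) can be counted per interface when triaging /var/log/messages. The following is an added example, not part of the original release note or F5 tooling; the function names and the sample log lines are constructed for illustration, and the patterns match only the message prefix because this release records additional detail after the watchdog text.

```shell
#!/bin/sh
# Added illustration: count the two kernel messages described in CR34446 and
# CR34525, grouped by interface. Function names are hypothetical.

# Constructed sample lines in /var/log/messages style (not from a real system).
sample_log() {
cat <<'EOF'
Apr  7 10:01:12 bigip1 kernel: bge0: watchdog timeout resetting
Apr  7 10:01:13 bigip1 kernel: arpresolve: no usable src addr on iface: 5
Apr  7 10:02:40 bigip1 kernel: bge1: watchdog timeout resetting
Apr  7 10:03:02 bigip1 kernel: arpresolve: no usable src addr on iface: 5
Apr  7 10:03:05 bigip1 sshd[412]: Accepted password for admin
Apr  7 10:04:55 bigip1 kernel: arpresolve: no usable src addr on iface: 7
Apr  7 10:05:10 bigip1 kernel: bge0: watchdog timeout resetting
EOF
}

# triage_kernel_log: read syslog lines on stdin and print one line per
# (event, interface) pair in the form "<event> <interface> <count>".
#   bge_watchdog <bgeN>   internal BGE NIC watchdog timeout (CR34446)
#   arp_no_src   <index>  VLAN with no usable source address for ARP (CR34525)
triage_kernel_log() {
    awk '
        # BGE watchdog: key on the interface name (bge0, bge1, ...).
        match($0, /kernel: bge[0-9]+: watchdog timeout/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^kernel: /, "", s)
            sub(/:.*/, "", s)
            n["bge_watchdog " s]++
            next
        }
        # ARP warning: key on the interface index reported by the kernel.
        match($0, /kernel: arpresolve: no usable src addr on iface: [0-9]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*iface: /, "", s)
            n["arp_no_src " s]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# Stand-alone run over the constructed sample.
sample_log | triage_kernel_log
```

On a live system, feed the function with the log file instead of the sample, for example `triage_kernel_log < /var/log/messages`. Any arp_no_src line points at a VLAN that has only floating self-IP addresses, which the note above describes as unsupported.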
The bigsnmpd agent (CR34608)
In previous releases, the bigsnmpd agent may have produced a core file when performing an snmpwalk on a switch. If this occurred, the snmpwalk ended at the interface portion of the MIB. This issue is corrected in this release.
Read-only users and the Pool Properties screen (CR34635)
If you log on as a Read-only user and you use the Configuration utility to view the Pool Properties screen, if you then click Sticky Connections and return to the Pool Properties screen, you no longer receive an error message.
BIG-IP 2400 IP Application Switch running under heavy load (CR34690)
If you have a BIG-IP 2400 IP Application Switch Packet Velocity ASIC (PVA) running under heavy load and you issue a bigpipe conn delete command, the system no longer hangs.
BIG-IP 2400 and FTP connections (CR34852)
If FTP data connections are accelerated by the BIG-IP 2400 IP Application Switch Packet Velocity ASIC (PVA) and the control connection is terminated, the system no longer hangs.
Large numbers of concurrent connections with the same SNAT address (CR34952) (CR35007) (CR38200)
The BIG-IP system no longer becomes unstable if more than 63,000 concurrent connections use the same SNAT translation address as their server-side client address.
stpd error message (CR35077)
If you receive an stpd error message, the error message no longer includes the pointer value instead of the error code.
BIG-IP 2400 IP Application Switch and SYN cookies (CR35078)
If you have a BIG-IP 2400 IP Application Switch, the SYN cookie default threshold is increased to 500k in this release.
PTF-04 and later: unacknowledged SSL shutdown alerts (CR35124)
This release corrects an issue in BIG-IP software version PTF-04 and later, where a connection may hang if the client does not acknowledge an SSL shutdown alert.
TCP connections (CR35216)
The BIG-IP system no longer resets connections if the syncookie threshold is triggered and the client acknowledges the SYN from the BIG-IP system.
SNMP trap utility (CR35371) (CR35372) (CR40063)
The BIG-IP system no longer allows arbitrary text to be processed in an insecure fashion by the SNMP trap utility.
Full hardware acceleration mode is no longer supported (CR35400) (CR40566)
Full hardware acceleration mode is no longer supported in this release. The bigpipe global hw_acceleration full command is removed. Partial acceleration mode is the maximum hardware acceleration level available in this release. Systems that have full hardware acceleration mode enabled are converted to partial acceleration mode during the upgrade.
URIs redirected from iRules (CR35407)
The BIG-IP system no longer truncates URIs redirected from iRules if they are too long to fit in a single packet.
ToS traffic through a forwarding virtual server (CR35420)
If you configure a forwarding virtual server or a SNAT (in a SNAT configuration forwarding traffic without using pools), when ToS traffic passes through the BIG-IP system, the system no longer resets the ToS value to zero.
Modifying the netmask for a network virtual server (CR35424)
If you use the Configuration utility to modify the netmask for a network virtual server, your changes take effect right away. You do not need to use the bigpipe load command.
bigsnmpd utility (CR35476)
The bigsnmpd utility no longer fails during probing.
VLAN failsafe on the BIG-IP 2400 IP Application Switch (CR35552)
VLAN failsafe now functions correctly on the BIG-IP 2400 IP Application Switch.
External classes and the bigpipe load verify command (CR35588)
If you have a configuration that includes an external class and you use the bigpipe load verify command, the BIG-IP system remains stable.
IP class kernel data structure performance improvements (CR35631) (CR40543)
This release provides improved performance of the IP class kernel data structure.
Configurations with a large number of proxies and certificates (CR35695)
Configurations with a large number of proxies (up to 200) and a large number of certificates (up to 200) no longer cause the Configuration utility Certificate Admin screen to fail, or display incorrectly.
SMTP monitor requirements (CR35745)
The SMTP monitor no longer requires that you specify a domain name. In previous releases, if a DNS server failed and no domain was specified, this requirement caused the BIG-IP system to incorrectly mark nodes DOWN.
Specifying bigd socket reuse behavior at internal monitor ping intervals (CR35956)
We have added a new bigdb variable in this release that allows you to specify the bigd socket reuse behavior at internal monitor ping intervals. The default behavior is the same as in previous releases, where bigd keeps the socket open for 3 ping intervals if the server does not respond. You can modify the default behavior by setting the new variable to 0. When the variable is set to 0, bigd shuts down the previous socket and opens a new socket connection at each ping interval. Type the following command to set the bigd socket reuse variable to 0:
b db set Common.Bigip.Bigd.ReuseSocket = 0
Premature failsafe warning messages (CR36046)
The BIG-IP system no longer generates premature failsafe warning messages when the network is idle.
Buffering application data and malformed packets (CR36158) (CR38198)
When the BIG-IP system is buffering application data, a very specific malformed packet no longer causes the BIG-IP system to become unstable.
Oracle pinger (CR36277)
The Oracle pinger no longer hangs on startup.
SSL proxy and HEAD requests that do not contain a body (CR36359) (CR37620)
The SSL proxy now correctly interprets server replies to HEAD requests that provide a content length but do not contain a body. The SSL proxy no longer issues a log message for this type of connection.
SSL proxy HTTP headers (CR36631)
If the client provides Range and If-Range HTTP headers, the SSL proxy preserves them correctly.
Partial PVA acceleration (CR36659) (CR36661)
In previous releases, if you used partial Packet Velocity ASIC (PVA) acceleration, when a very large amount of traffic travelled through the BIG-IP system, a flow search command from the BIG-IP kernel to the PVA may have caused the PVA to hang. This issue is resolved in this release.
BIG-IP 2400 IP Application Switch acceleration mode settings (CR36741)
If you have a BIG-IP 2400 IP Application Switch and you set the acceleration mode to none, the system no longer hangs under heavy load.
RADIUS_dictionary file format (CR37076)
The RADIUS_dictionary file is formatted correctly in this release.
Dual CPU platforms running in ANIP mode (CR37147)
If you have a dual CPU platform running in ANIP mode, using the tcp_half_open monitor to perform service checks no longer causes the system to become unstable.
BIG-IP 520 and 540 platforms under heavy load (CR37260)
We have corrected an issue with the DMA settings on BIG-IP 520 and 540 platforms that could result in data corruption errors in files written to the hard disk when the system is running under heavy load.
Pool header erase function (CR37627)
The pool header erase function is no longer case-sensitive.
Client certificate authentication using a Certificate Revocation List (CRL) (CR37729)
If you are using client certificate authentication with a CRL, if the CRL does not have a Next Update time specified, the proxy no longer produces a core file when it receives a client certificate.
Redundant systems and the stateful failover utility (CR37740)
If the stateful failover utility goes down, it comes back up automatically in this release.
Connection mirroring and large numbers of connections (CR37741)
We have improved the way in which the stateful failover utility handles large numbers of connections if you have a redundant configuration and you are using connection mirroring.
Using the mapclass2node operator in a rule (CR37770)
The BIG-IP system is now stable when using the mapclass2node operator in a rule.
Proxies and large request headers (CR37861) (CR40294)
Large request headers no longer cause the proxy to produce a core file.
VLAN groups in the Virtual Server Properties screen (CR38112)
The Configuration utility Virtual Server Properties screen now includes VLAN groups in the Existing and Disabled lists.
Web aggregation and persistent server-side connections (CR38205)
If you set web aggregation to none, the BIG-IP system now terminates persistent server-side connections correctly. In addition, persistent server-side connections are now terminated with a 4-way close (FIN) instead of a RESET. Please contact F5 support if you need to restore the previous behavior.
OneConnect and L7 processing during HTTP keepalives (CR38332)
When a client makes a second HTTP request before fully acknowledging the previous request (this can happen if packets from the client to the BIG-IP system are lost and a client retransmit occurs), the BIG-IP system now allows partial acknowledgements to be sent through in order to avoid a hung connection.
CERT VU#303448 (CR38372) (CR40106)
This release addresses the security issue described in CERT vulnerability note VU#303448, mod_ssl contains a format string vulnerability in the ssl_log() function. For more information on the resolved security issue, see http://www.kb.cert.org/vuls/id/303448.
Performance improvements for SNAT (CR38514)
In this release we have improved performance for systems with a large number of SNATs configured.
Long pool names (CR38873)
Pool names that contain more than 32 characters no longer cause the BIG-IP system to produce a core file.
Apache web server and CAN-2004-0492 (CR39069)
This release addresses the Apache web server vulnerability that is described in CAN-2004-0492, Apache Mod_Proxy Remote Buffer Overflow, on the CERT® Coordination Center Web site.
Race condition during failover (CR39088)
In previous releases, it was possible for a race condition during failover to cause both units to go to a standby state. This release corrects this issue.
Self IP address configuration (CR39129)
This release includes the following changes for the self-IP, if it is the only self-IP configured on the network:
- If the default gateway pool has a node on the self-IP, the Configuration utility does not allow you to delete the self-IP.
- The Configuration utility warns you if there are static routes on the network shared by the self-IP.
- If the VLAN attribute on the self-IP changes, the BIG-IP system deletes any static routes that use the self-IP and re-adds the static routes using the routing socket, so that the routes reflect the updated correct IP address.
STP and bridging loops during startup (CR39184)
STP is now disabled on all external ports and auto-forwarding is enabled on all non-STP ports during startup. This change prevents bridging loops during startup which can cause the BIG-IP system to hang or panic.
DNS proxy and UDP traffic (CR39266)
If you configure DNS proxy on the BIG-IP system, we have included a new global variable that allows you to specify how the system handles UDP traffic. When you enable open_dnsproxy_ports, the BIG-IP system allows UDP traffic with the source port 53 to go to destination port 53, or any ephemeral port >= 1024. When you disable open_dnsproxy_ports, traffic from source port 53 is blocked. The global variable open_dnsproxy_ports is enabled by default.
To configure the open_dnsproxy_ports setting using the command line utility, type the following:
bigpipe global open_dnsproxy_ports enable|disable
To disable the open_dnsproxy_ports setting from the Configuration utility, clear the open_dnsproxy_ports check box in the Service Access table.
Log statements in rules (CR39573)
Log statements in rules no longer cause the system to write unnecessary characters in the log.
Support for the Intel® PRO 1000 MT copper NIC (CR39756)
The BIG-IP software now supports the Intel® Pro 1000 MT single port copper NIC based on the 82545GM chip (device ID 0x1026).
NaN in the NTP drift file (CR39806)
We have corrected a problem that caused NaNs to occur in the NTP drift file.
FTP monitor temporary file storage (CR39890)
The FTP monitor now uses /var/run instead of /var/tmp for temporary file storage.
The installation process creates a backup of sshd.conf (CR39945)
The BIG-IP system now creates a backup of the /config/ssh/sshd.conf file during the software installation process. The backup file is saved as: /config/ssh/sshd.conf.backup.'date +"%Y-%m-%d"'.
Ethernet frames with multicast destination MAC addresses (CR39981)
The BIG-IP system no longer accepts Ethernet frames that have a multicast destination MAC address for load-balancing and/or address translation (NAT/SNAT). Please contact F5 support if you need to restore the previous behavior.
Header insertion for keep-alive requests (CR40015)
When the BIG-IP system receives a keep-alive request, it no longer reuses header_insert data from the previous header entry.
Configurations with a large number of proxies (CR40055)
Configurations with a large number of proxies (160+) no longer cause the Configuration utility to fail.
SNMP traps with a large number of virtual servers (CR40071)
If you configure a large number of virtual servers (300+), SNMP trap monitoring is no longer extremely slow.
Class configuration and the starts_with function (CR40141)
If you create a class that uses the starts_with function, it no longer performs a linear search instead of a binary search.
OSPF message-digest authentication (CR40172)
OSPF message-digest authentication works correctly in this release.
SSL Proxy queries multiple OCSP responders (CR40211)
The proxy now queries all qualifying OCSP responders, until one of them returns a yes or no answer for a certificate.
Class configuration and log files (CR40234)
If you modify a class configuration and you have logging enabled, the BIG-IP system no longer writes improperly formatted messages to syslog. In previous releases these messages caused syslog to fail.
Panic with message "system is not responding" (CR40266)
This release corrects an issue that, in certain instances, caused the BIG-IP system to panic, display the message system not responding, and reboot.
SIP persistence and Call-ID (CR40268)
SIP persistence now functions correctly with Call-ID identifiers.
IPV4 specifications enforced when configuring virtual server IP addresses (CR40286)
When you create a virtual server, the BIG-IP system now verifies that the byte values you specify for each component of the IPV4 IP address are between 0 and 255. If you specify a value outside of this range, you receive an error message. In previous releases, if you specified an invalid byte value such as b virtual 1192.168.1.100:80, it may have caused unexpected behavior.
snmpdca.log file rotation on BIG-IP 5000 platforms (CR40334)
If you have a BIG-IP 5000 platform, the system now rotates the snmpdca.log file daily if this file is in use.
Failure to limit number of TCP segments held in reassembly queue VU#395670 (CAN-2004-0171) (CR40389)
This release addresses the security vulnerability described in VU#395670 and CERT® advisory, CAN-2004-0171, Failure to limit number of TCP segments held in reassembly queue.
In addition, this release includes a new system configuration variable that allows you to specify the maximum length of the TCP re-assembly queue. The default value for this setting is 1024, which should be adequate for most configurations.
To configure this setting, use the following syntax:
sysctl -w net.inet.tcp.reass_maxqlen=<new_value>
To display the current value for this setting, type the following command:
sysctl net.inet.tcp.reass_maxqlen
Apache Web Server version 1.3.32 (CR40460)
This release includes version 1.3.32 of the Apache Web Server.
Using the Configuration utility to generate certificate requests (CR40468)
If you use the Configuration utility to generate certificate requests, the State list now populates the State field with the full state name, not just the two-letter abbreviation. If you want to continue to use the two-letter abbreviation, you can type the two-letter abbreviation into this field. However, we recommend that you use the full name of the state, because VeriSign® may reject certificate requests that use the short form.
CPU usage during failover (CR40589)
This release corrects an issue that caused an increase in CPU usage during failover.
ICMP messages and embedded IP header checksums (CR40715)
In this release the BIG-IP system correctly updates the ICMP message checksums including the embedded IP header checksum.
Redundant configurations with gateway failsafe enabled (CR40889)
In an active-standby configuration with gateway failsafe enabled, if the active system loses its connection to the gateway and switches to a standby state, it no longer remains in a standby state when its connection to the gateway is restored.
Trunking and multiple interfaces on the same VLAN (CR40923)
If you configure two interfaces on the same VLAN that is connected to an external switch, but you do not configure trunking for the interfaces, it no longer causes a kernel panic, nor does it halt the network.
FTP_pinger attributes (CR40954)
In this release you can configure the FTP_pinger as a file name, or as a relative or absolute path.
WTS persistence and connection mirroring (CR40980)
You can now configure WTS persistence on the BIG-IP system without causing connection mirroring to fail.
SNAT pools with 60+ members (CR41017)
Adding more than 60 members to a SNAT pool no longer causes the bigip.conf file to produce errors.
OpenBSD RADIUS Authentication Bypass Vulnerability (CR41076)
This release includes the patch that corrects the RADIUS security vulnerability described in BugTraq ID 11227. For more information on this vulnerability, see http://www.securityfocus.com/bid/11227.
System logging reliability enhancement (CR41113)
This release includes a new variable that you can configure in order to make system logging more reliable if you have a large number of log messages.
The following are examples of configurations that may benefit from this feature:
- The configuration contains a relatively large (> 200) number of nodes.
- An external monitoring system is using SNMP traps sent from the BIG-IP system to monitor node health.
In these types of configurations, it is possible for a flood of messages to fill the client's send buffer causing the message to be dropped after a single attempt. To avoid this issue, you can now assign a numeric value to the /etc/syslogretries.conf link. This prompts the syslog client to retry the message a specified number of times.
To configure this feature, use the following syntax:
ln -s <number of attempts> /etc/syslogretries.conf
For example, to specify 5000 attempts, type the following command:
ln -s 5000 /etc/syslogretries.conf
Note that if you have a redundant system configuration, you must configure this setting on both units.
To restore the default behavior, remove the /etc/syslogretries.conf link.
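Because the retry count is stored as the target of the /etc/syslogretries.conf symbolic link rather than as file contents, it has to be read back with readlink. The following is an added example, not part of the original release note or F5 tooling; the function names syslog_retries and compare_units are hypothetical, and how the peer unit's value is collected is left to the operator.

```shell
#!/bin/sh
# Added illustration: read back the syslog retry setting described in CR41113
# and compare it across a redundant pair. Function names are hypothetical.

# syslog_retries [link_path]
# Prints the configured number of attempts, or "default" when the link is
# absent. Returns 1 if the path exists but is not a symbolic link, or if the
# link target is not a whole number.
syslog_retries() {
    link=${1:-/etc/syslogretries.conf}

    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then
            echo "invalid: $link exists but is not a symbolic link" >&2
            return 1
        fi
        echo "default"
        return 0
    fi

    # The link normally dangles: its target is the number itself, not a file.
    target=$(readlink "$link")
    case $target in
        ''|*[!0-9]*)
            echo "invalid: link target '$target' is not a whole number" >&2
            return 1
            ;;
    esac
    echo "$target"
}

# compare_units <local_value> <peer_value>
# Both units of a redundant system must carry the same setting.
compare_units() {
    if [ "$1" = "$2" ]; then
        echo "match"
    else
        echo "mismatch: local=$1 peer=$2"
        return 1
    fi
}

# Stand-alone run against a scratch directory, so /etc is not touched.
demo_dir=$(mktemp -d)
ln -s 5000 "$demo_dir/syslogretries.conf"
syslog_retries "$demo_dir/syslogretries.conf"
rm -rf "$demo_dir"
```

Run syslog_retries with no argument on each unit and pass the two results to compare_units.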
iRules processing and HTTP 1.0 connections (CR41411)
In previous versions of the BIG-IP software, in certain rare circumstances, the BIG-IP system failed to perform iRules and other processing for transactions in the keep-alive HTTP stream. This issue occurred only when FastFlow (Fast Path) was enabled, the stream was HTTP version 1.0, and the GET request was broken up into two or more packets. This issue is corrected in this release.
SSL re-encryption and session re-use (CR41455)
If you are using SSL re-encryption and the server supplies empty session IDs, the SSL Proxy disables session re-use.
Removed limitations on the header insert and cookie insert attributes (CR41519)
The BIG-IP system no longer checks GET requests for binary characters when deciding whether to use cookie insertion. In versions 4.5 PTF-04 through 4.5.10 of the BIG-IP software, the BIG-IP system fails to perform cookie insertion for traffic with headers that include Chinese characters in the GET request.
Configurations with rules that use 63 character string literals (CR42397)
The system no longer experiences a user-space memory corruption issue if you configure rules that use 63 character string literals.
TCP checksum (CR42468)
We have corrected a problem that caused packets with a TCP checksum of 0 to be transformed to a checksum of 0xFFFF.
Fixes and enhancements in prior maintenance releases
The current release includes the fixes and enhancements that were distributed in prior maintenance releases, as listed below. (Prior releases are listed with the most recent first.)
Version 4.5.10
HTTP 1.1 HEAD requests (CR22070) (CR30255)
The BIG-IP system now correctly handles HTTP 1.1 HEAD requests on keep-alive connections.
BIG-IP 2400 IP Application Switch logging (CR28058)
The BIG-IP 2400 IP Application Switch Packet Velocity ASIC (PVA) no longer incorrectly logs configuration updates. In previous versions, this extra logging caused CPU utilization to increase.
ZebOS Advanced Routing Modules version 5.4 (CR28198) (CR30176) (CR30517) (CR30518) (CR30519) (CR30520) (CR30533) (CR32764)
This release of the BIG-IP software supports the ZebOS Advanced Routing Modules (ARM) version 5.4.
In addition, this release includes the following implementation fixes and enhancements for ZebOS Advanced Routing Modules:
- OSPF works correctly on VLANs with virtual servers
- All routing protocols can be configured to work correctly in active/standby configurations
- Default route origination works correctly for all supported protocols
- ZebOS now correctly tracks VLAN and IP address configuration changes
- Only relevant network interfaces and addresses are displayed in vtysh utility and saved in the configuration file
Default netmask for virtual addresses (CR28198)
The default netmask for virtual addresses configured on the loopback interface is changed to 255.255.255.255.
NAT and out of order UDP fragments (CR28388)
4.5x versions of the BIG-IP software do not pass out-of-order IP fragments, for security and performance reasons. In this release, we added additional options for handling out-of-order IP fragments. If your configuration requires this type of modification, please contact F5 support.
IP fragmentation (CR28456)
An issue involving IP fragmentation, which occurred only in very rare instances, no longer causes the BIG-IP system to become unstable.
Non-standard TCP connection streams can appear to cause issues with cookie insertion (CR28647)
TCP SYN packets matching an established connection may be forwarded to the back-end server even if they are received by the BIG-IP system during an established connection. In order to resolve this issue, we have added additional options for handling this type of mid-stream SYN packet. If your configuration requires this type of modification, please contact F5 support.
Clone pools with SSL proxy (CR28871)
The BIG-IP system no longer experiences a minor memory leak related to using clone pools in conjunction with an SSL proxy.
Default SNATs on the BIG-IP 2400 IP Application Switch platform (CR28994)
Default SNATs now work correctly when you use partial acceleration on the BIG-IP 2400 IP Application Switch platform.
Administrative web server changes (CR29422)
The BIG-IP administrative webserver has been modified to support only the necessary HTTP methods. HTTP methods that are not used by the Configuration utility have been removed from this version of the BIG-IP software.
Certificate issuer/subject names longer than 240 bytes (CR29430)
If a certificate has an issuer or subject name longer than 240 bytes, the name is no longer truncated when it is inserted into an HTTP header.
BIG-IP e-Commerce Controller TCP and ICMP echo service checks (CR29437)
In this release, you can configure TCP and ICMP echo service checks on the BIG-IP e-Commerce Controller.
Cookie insertion with XML packets (CR29461)
When a client sends an XML packet and a propfind request, and the server responds with a 401 Unauthorized error message, the BIG-IP system now properly inserts a cookie.
MAC masquerading on a VLAN and failover (CR29494)
When MAC masquerade is enabled, the BIG-IP system that is going to stand by issues two gratuitous ARPs for its unique, non-shared IP address. The first gratuitous ARP no longer broadcasts the MAC masquerade address.
Default gateway pool changes cause the BIG-IP 2400 IP Application Switch PVA configuration to be updated (CR29587)
The BIG-IP 2400 IP Application Switch no longer unnecessarily updates the Packet Velocity ASIC (PVA) configuration when there are changes to the default gateway pool.
The bigpipe load and bigpipe base load commands (CR29614)
We have added additional flexibility to the bigpipe load and bigpipe base load commands. The bigpipe utility now allows you to execute a shell script before or after the bigpipe load or bigpipe base load commands. You can use the following bigpipe db variables to configure this functionality:
Common.Bigip.Load.Pre (Executes before bigpipe load)
Common.Bigip.Load.Post (Executes after bigpipe load)
Common.Bigip.BaseLoad.Pre (Executes before bigpipe base load)
Common.Bigip.BaseLoad.Post (Executes after bigpipe base load)
For example, if you want to run a script before the bigpipe base load command is run, you would use the following syntax:
bigpipe db set Common.Bigip.BaseLoad.Pre = /root/base_pre.sh
In this example, the command runs the script /root/base_pre.sh before loading the base configuration.
NRF0 timeout messages on the BIG-IP 2400 IP Application switch (CR29617)
This release corrects a problem with the BIG-IP 2400 IP Application Switch platform that, in rare instances, caused NRF0 timeout messages to be logged in the pva.log file and caused packets to be dropped for several seconds.
Error messages in pva.log file (CR29634)
For BIG-IP 2400 IP Application Switch platforms, if you delete a node from a pool while the system is performing a health check, incorrect error messages are no longer logged in the pva.log file.
Global SNAT timeout setting with a wildcard virtual server (CR29639)
If you have configured a wildcard virtual server timeout and a global SNAT timeout setting, the reaper now differentiates between the two settings.
BIG-IP 2400 IP Application Switch platforms and ICMP traffic through VLAN groups (CR29663)
If you have a BIG-IP 2400 IP Application Switch platform and you configure a VLAN group, the VLAN group now passes ICMP type 3 code 4 packets correctly.
Header insertion buffer (CR29711)
This release corrects a condition associated with header inserts that caused the BIG-IP system to panic under certain circumstances.
fdb dump utility enhancement (CR29804)
To make debugging easier, the fdb dump utility now includes both software and hardware fdb entries.
Connection mirroring with port lockdown (CR29848)
Connection mirroring no longer fails when you have open_failover_ports and port lockdown enabled.
Connection mirroring and idle connections (CR29865)
If you are using connection mirroring, long-lived and idle connections are no longer reaped prematurely when the system fails over.
Configuring reaper lowater settings (CR29866) (CR38368) (CR38377)
Valid reaper lowater settings are no longer rejected.
SSL client key exchange (CR29951)
This release addresses an SSL key exchange issue that caused high latency, excessive CPU usage (100%) for up to twenty minutes at a time, and a high cancelled crypto operations value.
gated (CR29983)
GateD is no longer supported, and GateD functionality has been removed in this release. If you want to configure dynamic routing, we recommend that you use the ZebOS Advanced Routing Modules. For more information on dynamic routing please see the BIG-IP Reference Guide, Chapter 11, Advanced Routing Modules.
Current connection count for nodes (CR30001)
The BIG-IP system now checks the current connection count every time it is incremented/decremented for any node or node service. This ensures that no connections are dropped incorrectly when the connection limit for a node is reached.
IP Application Switch platform (5000, 5100) and IEEE 802.1 packets (CR30041)
When the IP Application Switch platform (5000, 5100) receives IEEE 802.1 packets from devices on the network, the BIG-IP system now correctly maps the device MAC address, and ARP replies from the BIG-IP system to the switches or routers are now sent correctly.
Multiple VLAN acceleration on the BIG-IP 2400 IP Application Switch platform (CR30044)
If you have a BIG-IP 2400 IP Application Switch platform, the system now accelerates multiple VLAN virtual servers correctly.
Default media speed (CR30132)
If you have BIG-IP PTF-08 or BIG-IP version 4.5.9 installed, in certain cases the Configuration utility incorrectly set the default media speed to 1000FX, Full Duplex instead of Auto. This issue is corrected in this release.
Route lookup caching (CR30176)
The BIG-IP system now updates routes to load-balanced objects correctly when the routing table changes. As a result, the BIG-IP system no longer checks the availability of nodes and SNAT/NAT origin IP addresses when loading the configuration.
Upgrading systems with large configurations (CR30280)
When you upgrade a BIG-IP system with a large configuration and a large number of proxies (100+), the upgrade script no longer takes up to several minutes to validate your configuration after the initial reboot has completed.
SSL session ID cache functionality and system resources (CR30362) (CR30940)
On systems with two processors in SMP mode, the SSL session ID cache functionality now works properly.
Connection state for late-binding connections and RST packets (CR30377)
If a client sends a reset (RST) packet for an open, established, late-binding connection, and the ACK number does not fully acknowledge data relayed from the BIG-IP system, the BIG-IP system no longer misinterprets that connection as open, when it is actually closed.
Large proxy quantity and fatal errors in the Configuration utility (CR30441)
The display limit for proxies and key/certificate pairs in the Configuration utility has been increased from 128 to 325.
SMBus error messages and BIG-IP D35 platforms (CR30468)
This release corrects an issue that caused BIG-IP D35 (520 and 540) platforms to log smbh_io_wait_ready Bus Busy Timeout - status: 01 error messages in the BIG-IP log file. These error messages are no longer displayed during normal operation.
Logging for the BIG-IP 2400 IP Application Switch platform (CR30478)
The BIG-IP 2400 IP Application Switch platform no longer generates change notifications for global variables when the setting for the global variable has not changed. In previous versions, this extra logging caused the Packet Velocity ASIC (PVA) log file /var/log/pva.log to fill up.
Disk usage calculation errors in the snmpdca utility (CR30499)
The snmpdca utility contained a disk usage calculation error that, in rare instances, caused the utility to fail. This issue has been corrected in this release.
vtysh command line shell settings (CR30520)
In previous versions of the BIG-IP software, when you exit from the ZebOS vtysh command line shell, the terminal settings are erased. We have corrected this issue in this release.
LOAD-BAL-SYSTEM-MIB.txt file and service status object IDs (CR30531)
The LOAD-BAL-SYSTEM-MIB.txt file now has object IDs (OIDs) defined for the up and down status of a service.
IP forwarding (CR30565)
If you enable IP forwarding, when the BIG-IP system receives an untagged packet on an interface that does not belong to a VLAN (tagged 802.1q trunk), the BIG-IP system no longer forwards the packet to the next hop according to the routing table. The BIG-IP system now discards all untagged packets received on tagged interfaces. If you experience problems with this change, please contact F5 support.
Errors disabling VLANs for a default SNAT (CR30585)
The BIG-IP system no longer reports an error if a VLAN with SNAT automap is disabled.
OneConnect and L7 processing during HTTP keepalives (CR30586)
When a client makes a second HTTP request before fully acknowledging the previous request (this could happen if packets from the client to the BIG-IP system are lost and a client retransmit occurs), subsequent requests are now processed correctly through OneConnect.
Default SNAT configuration on a BIG-IP 2400 IP Application Switch platform (CR30590)
If you configure a default SNAT with a VLAN disabled, it no longer causes the Packet Velocity ASIC (PVA) configuration to fail.
SSL proxy, node connection limits, and errors in the connection table (CR30597)
In previous versions of BIG-IP software, in very rare instances, a client connection may be incorrectly left open until the service timeout is reached. This release corrects this issue.
Rate limiting (CR30615)
An issue relating to rate limiting that caused the BIG-IP system to become unstable under certain conditions is fixed in this release.
Matching SNAT and virtual server addresses (CR30629)
If a SNAT address and a virtual server address are identical and the virtual server IP address changes, the SNAT is no longer incorrectly set to ARP disable.
BIG-IP 2400 IP Application Switch platforms (CR30645)
When the status of a node changes (for example, a node is detected as down by a BIG-IP health monitor) on the BIG-IP 2400 IP Application Switch platform, it no longer causes packet loss.
The BIG-IP system now allows mixed case FTP commands (CR30763)
The BIG-IP system now allows the use of mixed case FTP commands (PORT, port, pORt, etc.). Previously, when the BIG-IP system received FTP traffic containing mixed case PORT commands, the system handled the traffic incorrectly, resulting in 500 Illegal PORT Command errors.
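The mixed case handling described above, shown as an added Python example (not F5 code): a case-sensitive verb check beside a parser that follows RFC 959, which treats command verbs as case-insensitive. The function names and the sample control-channel lines are assumptions constructed for illustration.

```python
"""Case-insensitive handling of the FTP PORT command (added example)."""
import ipaddress
import re

# PORT argument: six comma-separated decimal fields, h1,h2,h3,h4,p1,p2.
_ARG_RE = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def naive_is_port(line: bytes) -> bool:
    """Case-sensitive verb match: misses 'port' and 'pORt' (hypothetical flawed check)."""
    return line.startswith(b"PORT ")


def parse_port(line: bytes):
    """Return (ip, port) for a PORT command, or None for any other command.

    Raises ValueError when the verb is PORT but the argument is malformed.
    """
    text = line.rstrip(b"\r\n")
    verb, _, arg = text.partition(b" ")
    # RFC 959 command verbs are case-insensitive, so normalise before comparing.
    if verb.upper() != b"PORT":
        return None
    match = _ARG_RE.fullmatch(arg.strip())
    if match is None:
        raise ValueError("malformed PORT argument")
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range 0-255")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def rewrite_port(line: bytes, new_ip: str, new_port: int) -> bytes:
    """Rewrite the endpoint in a PORT command; pass other commands through."""
    if parse_port(line) is None:
        return line
    if not 0 < new_port <= 65535:
        raise ValueError("translated port out of range")
    octets = str(ipaddress.IPv4Address(new_ip)).replace(".", ",").encode("ascii")
    # Emit the canonical upper-case verb regardless of how the client spelled it.
    return b"PORT %s,%d,%d\r\n" % (octets, new_port >> 8, new_port & 0xFF)


if __name__ == "__main__":
    # Constructed control-channel lines, not captured traffic.
    for sample in (b"PORT 192,168,1,10,19,137\r\n",
                   b"pORt 192,168,1,10,19,137\r\n",
                   b"RETR report.txt\r\n"):
        print(sample, naive_is_port(sample), parse_port(sample))
```

A device that translates addresses has to recognise every spelling of the verb, because a PORT command it fails to recognise goes out with the untranslated address.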
FTP connections through SNAT (CR30883)
The BIG-IP system no longer incorrectly reaps active FTP connections with long duration data transfers through a SNAT, when the SNAT timeout is reached on the control connection.
FastFlow (Fast Path) with address translation disabled (CR31033)
If FastFlow (Fast Path) is enabled (default) and you disable address translation, long running streams of UDP traffic no longer cause the system to send ARP requests to an incorrect target node, which breaks the connection.
tcpdump version 3.8.1 (CR31089)
This version of the software includes version 3.8.1 of the tcpdump software.
Using the TCP health monitor on FTP or SMTP servers (CR31099)
The BIG-IP system no longer incorrectly marks down FTP or SMTP nodes.
Upgrade changed setting on re-encrypting (serverssl) SSL proxy (CR31120)
Software upgrades for previous versions of the BIG-IP software added the server-side SSL configuration parameter serverssl server cert ignore to any SSL proxies with serverssl enabled. Now this change occurs only if you install .ucs files from BIG-IP software versions older than 4.2x.
Links on the autorun CD splash screen (CR31181)
The links on the autorun CD splash screen direct you to tech.f5.com instead of the autorun CD. This saves disk space and allows you to get the most updated version of the documentation from tech.f5.com.
BIG-IP 2400 IP Application Switch platforms with disabled virtual servers (CR31373)
If you have a BIG-IP 2400 IP Application Switch platform and you disable a virtual server, when the configuration is loaded or changed the disabled virtual server no longer prevents the configuration from being generated.
SSL proxy on the SMP kernel (CR31466)
This release corrects a memory allocation issue that caused connections to be closed prematurely if you configured an SSL proxy on the SMP kernel.
bigpipe bigstpd utility (CR31572)
The bigstpd utility no longer produces a core file when the BIG-IP system receives an STP packet on a port that is no longer part of an STP domain.
BIG-IP 2400 IP Application Switch bigpipe load (CR31691)
The BIG-IP 2400 IP Application Switch no longer unnecessarily updates the switch configuration when a node goes up or down right after the bigpipe load command is run.
Running the /etc/daily script (CR31845) (CR32856)
Running the /etc/daily script while the system is under high load no longer causes performance issues.
iRules and the starts_with function (CR31894)
If you are using iRules, the starts_with one of class rule now functions correctly in all cases.
BIG-IP 2400 IP Application Switch log level (CR31923)
The BIG-IP 2400 IP Application Switch no longer unnecessarily updates the entire switch configuration when the logging level is set to debug.
BIG-IP 2400 IP Application Switch platforms and node object updates (CR32103)
If you have a BIG-IP 2400 IP Application Switch platform, when node attributes change, the BIG-IP system no longer updates node objects in the Packet Velocity ASIC (PVA) for nodes used by partially accelerated virtual servers only.
Verbose logging removed for BIG-IP 2400 IP Application Switch platforms (CR32233)
If you have a BIG-IP 2400 IP Application Switch platform, several instances of verbose logging were changed to debug logging only, and these messages no longer display in the /var/log/pva.log file.
Support for the Intel® PRO 1000 MF Fiber NIC (CR32717) (CR32744)
The BIG-IP software now supports the Intel® PRO 1000 MF Fiber NIC based on the 82545GM chip (device ID 0x1027).
Configuration utility Persistent Connections screen (CR32804)
If you use the Configuration utility Persistent Connections screen to view the persistent connections for a client IP address, you no longer receive errors.
Upgrade enhanced to detect corrupt files (CR32967)
The im utility used for installing BIG-IP software upgrades now detects corrupt files at the time the files are extracted.
Redundant systems and networks with netmasks that match their address class (CR33056)
After a configuration synchronization, the BIG-IP system now properly re-installs static routes for networks with netmasks matching their address class.
Default scrub timer setting changed on IP Application Switch platforms (CR33081)
For BIG-IP 2400 IP Application Switch platforms in Full acceleration mode, the default pva scrub timer setting has been changed from 5000 to 8000 milliseconds. This change helps reduce the chance that the BIG-IP switch configuration will experience memory issues.
Default acceleration mode for BIG-IP 2400 IP Application Switch platforms (CR33185)
The default acceleration mode is changed in this release for the BIG-IP 2400 IP Application Switch platform. In this release, the default acceleration mode is Partial.
SSL proxy and Certificate map (CR33276)
The SSL proxy now works correctly when you use the Certificate map feature.
The OpenSSL package has been upgraded to version 0.9.7d (CR33306)
This OpenSSL version addresses CERT vulnerabilities VU#288574 and VU#484726, also described in Cyber Security Alert TA04-078A. For more information on the resolved security issues, see http://www.us-cert.gov/cas/techalerts/TA04-078A.html.
Version 4.5.9
OneConnect issue in BIG-IP version 4.5 PTF-08 causes random sessions to time out (CR30588) (CR30793)
We have discovered a serious issue in BIG-IP version 4.5 PTF-08 that causes HTTP POST timeouts when delayed binding is configured. This issue may also prevent web pages from loading or displaying correctly. We have corrected this issue in this release.
BIND Vulnerability VU#734644, ISC BIND 8 vulnerable to cache poisoning via negative responses (CR30822)
This release includes BIND version 8.3.7. This version of BIND addresses the BIND vulnerability that is described in Vulnerability Note VU#734644 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/734644.
Version 4.5 PTF-08
ipfwcisco, ipfwcircuit, and ipfwnat binary files (CR26473) (CR29717)
The ipfwcisco, ipfwcircuit, and ipfwnat binary files and man pages have been removed from this release.
SMTP, POP3, and NNTP monitors (CR26534)
You can now specify port numbers for the SMTP, POP3, and NNTP monitors.
Proxy configuration on a FIPS-equipped BIG-IP system (CR26799)
FIPS-equipped systems have no port listening process on TCP port 9004. Connecting to port 9004 no longer disables FIPS processing.
regkey.license synchronization (CR27020)
When you save a .ucs file on a unit in a redundant system, the save process no longer synchronizes the regkey.license file between the two units. Note that this issue affected only redundant systems.
Using the command line interface to view and configure persistence settings (CR27042)
The bigpipe persist command is no longer valid. Depending on what you want to do, you should use either the bigpipe global persist or bigpipe pool commands instead. You can use the b global persist command to configure global persistence settings. You can use the bigpipe pool command to view persistence information for a specific pool.
New option to save UCS files without including private keys (CR27236)
You can now save a UCS file without including the private keys stored in /config/bigconfig/ssl.key (only keys from this directory will be excluded). To create a UCS file that does not include these private keys, use the following bigpipe command:
b config support save <filename>
Using the Configuration utility to change the admin user password (CR27796)
When you use the Configuration utility to change the admin user password, you now receive the following correct message:
The password has been changed.
You must close this browser session and open a new browser session to authenticate using your new password.
Previous versions of the software displayed the inaccurate message:
The password has been changed.
Your old password will expire shortly. At that point, you will be prompted to log in again with your new password.
System IP address in snmpd.conf when performing configsync (CR27822)
When you run the configsync command, the /etc/snmpd.conf file on the target system now contains the correct IP address.
bigpipe global show system_type command (CR27921)
The bigpipe global show system_type command now functions correctly on the D39 platform.
Firewall sandwich configuration with FastFlow (Fast Path) and connection rebind enabled (CR27939)
In a firewall sandwich configuration connection, the connection rebind feature now functions correctly and rebinds to a new node when the initial node is taken down. This issue occurred only if FastFlow (Fast Path) was enabled on a virtual server with connection rebind enabled.
SIP persistence with address translation disabled (CR27979)
The BIG-IP system now handles fragmented SIP packets correctly when address translation is disabled.
OCSP: Web page displayed (CR28005)
Certain configuration error conditions, such as missing certificates in a trust chain, no longer cause revoked certificates to be granted access to the requested object.
ICMP destination host unreachable messages now handled properly by bigd (CR28021)
When a node is behind a routing device that returns ICMP destination host unreachable messages to the BIG-IP system in response to a service check, bigd no longer consumes large amounts of processor time.
Connection mirroring with a large number of virtual servers (CR28033)
Connection mirroring now works correctly when you have a large number of virtual servers with connection mirroring enabled.
SNMP trap configuration settings (CR28044)
The SNMP trap configuration settings used to map traps together now function correctly; the active and standby trap mappings are no longer reversed.
SSL proxy header (CR28064)
The SSL proxy header eol option now terminates certificates properly.
Client CRL paths and SSL proxy (CR28070)
The SSL proxy now works correctly when you specify a valid client CRL path for a proxy.
Failover with extremely high volumes of traffic (CR28096)
In rare situations involving extremely high volumes of traffic, the BIG-IP system previously stopped processing traffic and displayed a system is not responding message, causing the system to failover to the standby unit. This process works correctly in this release.
Cascading switch configuration (CR28097)
If you have a BIG-IP 1000, 2400 or 5100 with connectivity being handled through two cascading switches, one connected to the 10/100 ports and the other to the GIG ports, a host that is connected to one of the switches and then moved to the other switch no longer loses new traffic until the l2_aging_time expires. Previously, the fdb table would contain two entries for the host, one for the port connected to the original switch and one for the port to which the second switch is connected.
Nokia SSH and SNMP traps (CR28120)
In the case of an authentication failure, SNMP and SSH traps are now handled correctly.
Nokia NetAct NODE_DOWN traps (CR28121)
This release handles Nokia NetAct NODE_DOWN traps correctly. When a node that is in a down state comes back up, alarms are cleared in the alarm table.
Rules using starts_with operators (CR28129)
Rules using starts_with operators now function correctly when the http_uri is greater than 63 characters.
Cookie rewrite no longer inserts an extra CRLF for large cookies (CR28138)
When a server returns a cookie that has a large value, the BIG-IP system no longer inserts an additional CRLF when it rewrites the cookie for persistence information.
SNAT automap (CR28154)
SNAT automap no longer causes local ephemeral ports to cycle quickly.
SOAP::Lite Perl package added (CR27468) (CR28174)
The SOAP::Lite Perl package has been added to this release. iControl SDK scripts that are dependent on SOAP::Lite function correctly when you upgrade to this PTF.
SSL re-encryption connections (CR28184)
SSL re-encryption connections are now reaped properly.
nCipher FIPS software update (CR28187)
This release includes an updated version of the nCipher FIPS software.
BIG-IP syncookies and zero window sizes (CR28193)
Clients behind certain types of firewalls no longer reject BIG-IP system acknowledgements when a zero window is advertised.
Extremely high rates of incoming packets (CR28200)
When the BIG-IP system is subjected to extremely high rates of incoming packets for a sustained amount of time, the BIG-IP system no longer becomes unstable.
Making changes to the proxy configuration (CR28234)
After you make changes to the proxy configuration, you no longer need to reload the new configuration in order for the proxy to properly verify CA certificates.
SSL proxy rewriting redirects in 302 responses (CR28237)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.
Small mbufs overwritten during port translation (CR28244) (CR29683)
In some cases, small (128-byte) message buffers (mbufs) were overwritten during port translation. This problem occurred only when small IPs were translated to large IPs over active FTP connections. This issue is corrected in this release.
New script file executed during system boot (CR28247)
This release includes a startup script file, run during system startup, to which you can add scripts. If you add a file named startup to the /config directory, it is run on startup following the addition of static routes.
Interrupt coalescing in the Intel wx driver (CR28334)
We have added an update from an erratum for the Intel wx driver. The update addresses an issue that caused an Intel gigabit network card to stop processing traffic. When the error occurred, the message "wx<n> device timeout" was logged. The fix is automatic if you are using the ANIP or SMP kernels.
Virtual server resets (CR28337)
When you define a loopback virtual server with zero values for the middle bytes, the BIG-IP system no longer sends resets (RSTs) out with the loopback address listed as the source address.
Logging parsing errors (CR28342)
In this version of the BIG-IP software, the proxy, by default, logs parsing errors. In previous 4.5 versions of the BIG-IP software, parsing errors were logged only when you manually started the proxy with -d 4.
Very large cookies with rules (CR28354)
The rules for testing content at the end of cookies no longer fail when the system receives very large cookies.
VLAN bridging with non-IP traffic (CR28356)
When you use VLAN bridging, the BIG-IP system now handles all non-IP traffic correctly.
Using the == operator in a rule (CR28384)
The BIG-IP system is now stable when using the == operator in a rule.
BIG-IP system reboot involving HTTP cookies (CR28385)
Certain HTTP cookie usage no longer causes the BIG-IP system to reboot.
Core capturing facilities enabled on install (CR28396)
A script to enable core capturing is automatically run when you install this version of the BIG-IP software. If you want to disable core capture, you can use the config_savecore disable command.
checktrap.pl changes (CR28405) (CR28455)
This version of the BIG-IP software includes a change in the behavior of the checktrap.pl utility. If the very first event is a clear, the BIG-IP system triggers a rebuild, and sends a corresponding clear trap instead of a rebuild event trap. (See the /etc/snmptrap.conf file for a list of clears.)
SSL proxy with dual processor systems in SMP mode (CR28414)
If you have a dual CPU system using SMP mode and you configure an SSL proxy, the system no longer experiences a memory leak.
WMI monitor (CR28424)
If WMI is not responding when queried, any information you are requesting has a value of 0. In this release, the WMI monitor now interprets the message correctly and marks the node as down.
Packet floods on the D44 (CR28425)
When it experiences a packet flood, the 3.1 port on the D44 (BIG-IP 2000) no longer floods ingress packets back to the 3.1 interface. This issue occurred only if Packet Velocity ASIC (PVA) was active.
Syncookies and communication between the proxy and the virtual server (CR28444)
If the total number of connections through a proxy exceeds the global syncookie threshold, any virtual server without a loopback address (127.0.0.0/8) cannot be accessed through the loopback. If this occurs, the BIG-IP system now sends SYN acknowledgements correctly through the loopback to the proxy, and no longer sends replies over the same interface that the client used to connect to the proxy.
Invalid evaluation license (CR28448)
If you have an evaluation license for the BIG-IP software and you invalidate the license by adjusting the system time/date, you can now reset the evaluation license by obtaining a new license key from your F5 Networks Sales Representative.
System statistics reset (CR28472)
On the System Statistics screen in the Configuration utility, when you click Reset All System Stats, the Max Connections field and the error fields are now reset correctly.
NTP version 4.1.2 (CR28475)
This version of the BIG-IP software includes the latest version of NTP, version 4.1.2.
Incorrect fan failure errors (CR28482)
In certain cases, 4.5x versions of the BIG-IP software reported incorrect fan failure errors on some BIG-IP hardware platforms. This issue is fixed in this release.
Proxies that reference CRLs (CR28483)
If you are upgrading to version 4.5 PTF-06 or later from a previous version of the BIG-IP software, proxies that reference CRLs now load properly.
tcpdump upgrade (CR28492)
Versions 3.7.1 and earlier of tcpdump contain a buffer overflow that may be triggered by badly formed NFS packets. Other types of packets may also trigger the buffer overflow. We have corrected this issue in this release.
Route deletion for existing traffic (CR28503)
Manually deleting static routes while traffic is running through the BIG-IP system no longer causes the system to become unstable.
URI expansion in a rule with HTTP/1.0 requests (CR28523)
If you use URI expansion in a rule, when the system handles HTTP/1.0 requests it is no longer possible to have a blank URI as an outcome.
realpath(3) function contains off-by-one buffer overflow (VU#743092) (CR28546)
We have addressed the vulnerability that is outlined in VU#743092, realpath(3) function contains off-by-one buffer overflow, in this PTF. For details on the vulnerability, see http://www.cert.org.
L7 traffic and TCP half-close connections (CR28561)
When the BIG-IP system is processing L7 traffic and a client closes a connection, if this half-close is followed by data from the server, the BIG-IP system now sends correct acknowledgment numbers back to the client.
mapclass2node rule now handles non-matches gracefully (CR28564)
The mapclass2node function now functions correctly when the first argument is another function which fails. For example, in previous releases, the following rule caused the BIG-IP system to panic when findclass did not find a member of ClassA in http_uri:
select mapclass2node(findclass(http_uri, ClassA), ClassB, " ")
UDP connections with SNAT automap enabled (CR28574)
UDP packets are now sent through a network forwarding virtual server when SNAT automap is enabled.
HTTP virtual servers with connection mirroring enabled (CR28607)
If you configure an HTTP virtual server and enable connection mirroring, the system no longer creates a core file when presented with large numbers of connections per second.
Intel GIG Cu network interface card driver settings (CR28613)
If your system includes the Intel Gig Cu NIC driver, it no longer displays unsupported media type settings. Also, the auto-negotiation speed is now reported correctly.
SNMP memory handling optimization (CR28630)
This release includes changes that optimize memory handling for SNMP.
BIG-IP 2400 IP Application Switch platforms (CR28990)
Implementing major configuration changes on a BIG-IP 2400 IP Application Switch platform no longer causes packet loss.
Dell 82544EI NIC (CR29051)
The Dell 82544EI copper gig network card is no longer incorrectly detected as 10 Mbps.
ASIC no longer reconfigured after disabling a node on the BIG-IP 2400 IP Application Switch platform (CR29103)
If you disable a node on the BIG-IP 2400 IP Application Switch platform, this action no longer results in an ASIC reconfiguration.
4.2 software upgrades and the /etc/syslog.conf file (CR29125)
If you upgrade from a 4.2 version of the software to 4.5 PTF-08, the /etc/syslog.conf file is now updated correctly.
bigpipe fo -? command (CR29126)
The bigpipe fo -? command functions correctly in this release.
Command line certificate-generation using OpenSSL (CR29156)
Certificate generation now functions correctly when you use the OpenSSL command line.
OpenSSH contains buffer management errors (VU#333628) (CR29208)
This PTF addresses the vulnerability that is outlined in VU#333628, OpenSSH contains buffer management errors. For details on the vulnerability, see http://www.cert.org.
SSL to server proxies loading during 4.2 upgrade (CR29317)
SSL to server proxies now load correctly when you upgrade from BIG-IP software version 4.2 PTF-10.
Certificate Admin screen (CR29323)
The Certificate Admin screen now displays correctly even when you have over 60 keys and certificates configured.
OneConnect with cookie insert (CR29326)
When you have OneConnect configured, the cookie insert function now works correctly when requests contain extra CRLFs.
b node virtual and b node actual commands (CR29460) (CR29542)
We have removed the bigpipe commands b node virtual and b node actual from this version of the software.
OpenSSL security advisory (CR29464)
This PTF addresses the security vulnerabilities that are listed in OpenSSL® security advisory [30 September 2003], Vulnerabilities in ASN.1 parsing. This PTF upgrades the OpenSSL package to version 0.9.7c. For more information on the security advisory, see http://www.openssl.org/news/secadv_20030930.txt.
Simple persistence performance (CR29546)
This release includes code changes that improve simple persistence performance.
302 redirects (CR29553)
After 302 redirects that contain body entities, subsequent 302 redirects are now rewritten correctly.
Client HTTP requests resolved to nodes that are down (CR29557)
The BIG-IP system no longer panics if a client HTTP request is resolved by a Layer 7 rule to a node that is down at the same time as the client closes the connection.
Route lookup failures (CR29591)
Route lookup failures no longer occur when you make configuration changes or when the system is experiencing extensive memory utilization. In previous versions of the software, if the route allocation function failed to allocate a route, this issue caused the BIG-IP system to reboot and display a System is not responding message.
Loading configuration files while running server-side SSL proxy (CR29623)
If you have a server-side SSL proxy running when you reload the configuration file, the proxy process no longer shuts down.
SNMP OID behavior (CR30142)
An SNMP walk of the BIG-IP system MIB starting at system.sysObjectID.0 results in a response of enterprises.ucdavis.ucdSnmpAgent.bigip. This is the correct behavior. In older versions of the BIG-IP software, the OID responded with f5 Enterprise instead of ucdavis.
Version 4.5 PTF-07
The 4.5 PTF-07 release included the following features and fixes.
This PTF contains an important fix for BIG-IP Link Controller, and support for new BIG-IP Blade Controllers.
Version 4.5 PTF-06
The 4.5 PTF-06 release included the following features and fixes.
Registration key display using Netscape version 4.72 on Linux (CR26820)
If you are using Netscape® version 4.72 with Linux® to add multiple registration keys, the License Administration screen now correctly displays the Current Registration Key list.
Load balancing modes and honoring node connection limits (CR27124)
When using observed_member, predictive_member, predictive, or observed load balancing modes, the member and node addresses now honor node connection limits.
FIPS 140 with a very large configuration (CR27237)
If you are using FIPS 140 with a very large configuration (greater than 400 configuration items such as pools, virtual servers and monitors), you no longer experience a compatibility issue.
UDP checksum when an incoming request has 0 UDP checksum (CR27240)
If an incoming UDP request has an initial checksum of 0, when the request is routed back through the BIG-IP system, the UDP checksum is now calculated correctly.
Condition in FastFlow (Fast Path) and order of T/TCP packets (CR27245)
The condition in FastFlow (Fast Path) that caused T/TCP packets to be out of order no longer exists. The T/TCP packets now arrive in proper order.
BIG-IP software now sends reset when all pool members are down with fallback disabled (CR27371)
The BIG-IP software now sends a reset when all members are down in a pool and fallback is disabled. In previous versions of the software, the packet was dropped.
Load balancing to disabled nodes (CR27422)
Pools now select nodes even when the nodes are disabled. The pool does not select a node if the node is down.
Using the Setup utility to configure the media type for an interface (CR27503)
When you use the Setup utility to configure the media type for an interface, the setting is now saved when you rerun the Setup utility.
Loading configurations with a large number of proxies (CR27555)
The BIG-IP software now supports loading configurations that have hundreds of proxies. Note that the number of keys and certificates should still remain small in order to guarantee fast load times.
imid persistence with pools and rules (CR27575) (CR27576)
Late-binding now functions correctly when you use the imid function to configure pool- and rule-based persistence.
OCSP configuration and protocol error logs (CR27600)
OCSP configuration and protocol errors are now logged to the SSL proxy log file /var/log/proxyd. OCSP revoked certificates are also logged with warnings on (proxyd -d 2).
OCSP with SSL proxy client certificate requests (CR27620) (CR27621)
OCSP is now supported in conjunction with the SSL proxy client certificate request feature. This allows client authorization using rules and the CertificateStatus header.
F5 Networks traps configuration (CR27664)
When you are using F5 Networks traps, the BIG-IP system uses the value you configure for the agent address. In previous releases, the host name address was used for the agent address.
Loading .ucs files with NTP running (CR27762)
If you have NTP enabled and you load the .ucs file using the Configuration utility, NTP now restarts properly.
FastFlow (Fast Path) with an out of order 4-way close (CR27859)
If you have FastFlow (Fast Path) configured, an out of order 4-way close no longer causes connections to close prematurely.
SIP persistence with virtual servers (CR27884)
With SIP persistence configured, when the BIG-IP system sends traffic to a server, and the traffic returns from a different virtual server to be sent out again, the traffic now persists to a node in the pool associated with the second virtual server.
Fixed string length limitations imposed by iRules relational operators (CR27906)
Rules using contains and ends_with operators now function correctly when the http_uri is greater than 64 characters.
OCSP: Web page displayed when OCSP response verify failure (CR27974)
Certain configuration error conditions, such as missing certificates in a trust chain, no longer cause revoked certificates to be granted access to the requested object.
checktrap.pl changed in this release (CR29613)
The checktrap.pl script was changed in this release to accommodate new Nokia MIBs.
Version 4.5 PTF-05
The 4.5 PTF-05 release included the following features and fixes.
Specified gigabit duplex setting on switches with fixed duplex settings (CR27755)
If the BIG-IP system is using gigabit interfaces and is plugged into a switch with a fixed duplex setting, you no longer need to configure the BIG-IP gigabit interface and the port on the switch to Auto before applying this PTF. The link between the BIG-IP system and the switch now functions correctly.
Version 4.5 PTF-04
The 4.5 PTF-04 release included the following features and fixes.
Because the PTF-04 release contained many new features, we have created an additional BIG-IP New Features Guide for version 4.5 PTF-04. In the following descriptions, you will find links to the New Features Guide, where we have described the features in more detail.
OCSP support
A significant feature in this release is support for the Online Certificate Status Protocol (OCSP). OCSP provides an alternative to a certificate revocation list (CRL), which is used during certificate verification to determine whether an SSL certificate presented by a client has been revoked. Because CRLs are updated only at regular intervals, the information in a CRL can sometimes be outdated at the time that it is checked. Using OCSP instead of a CRL eliminates this problem by ensuring that the revocation status of a client certificate is always current. For more information about configuring OCSP, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
The system_check script
The system_check script is useful for displaying and logging hardware failures. For more information about the system_check script, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
SYN Check
The new SYN Check™ feature mitigates a particular type of denial-of-service attack known as a SYN flood. A SYN flood is an attack against a system for the purpose of exhausting that system's resources. For more information about configuring the SYN Check feature, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
New format for the SSLClientCertSerialNumber header
We have made an enhancement to the SSL Accelerator proxy. This change to the SSLClientCertSerialNumber header gives users who write rules based on certificate serial numbers the ability to write to a consistent format, regardless of the length of the serial number. For more information about this new format, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
Script to set up core capture
We have added a new script to automate core capturing on a BIG-IP system. The script runs automatically after you install this PTF and reboot the system, if the system has a hard drive. It provides functionality to enable and disable core capture.
After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.
You can disable this functionality with the following command:
config_savecore -disable
You can re-enable the functionality with the following command:
config_savecore -enable
Important: As long as this functionality is enabled, you see the message savecore: no core dump during boot time.
SSL Proxy caches server-side SSL sessions per IP address
We have added a new global variable that controls how the SSL proxy reuses server-side session IDs with respect to client IP addresses. If you want the SSL proxy to attempt to reuse the same session ID no matter what the client (source) IP address is, set the global to disable, which is the default setting. To have the SSL proxy reuse session IDs this way, type the following command:
global sslproxy serverssl cache per client addr disable
When the variable is set to enable, the SSL proxy attempts to reuse a session ID only when the client (source) address is the same as it was in the original session with that ID. To have the SSL proxy reuse session IDs this way, type the following command:
global sslproxy serverssl cache per client addr enable
Performance gain in SSL processing
In previous releases, two-processor appliances had one processor dedicated to network I/O and one processor dedicated to other system processes that perform functions like handling SSL traffic. In certain cases, you can switch to SMP mode and have both processors dedicated to processing SSL traffic. You can achieve a performance gain in SSL processing by using SMP mode, but only if your configuration meets the following requirements:
- The system is a Dual CPU platform
- The system is for processing SSL only
- The system is not handling significant quantities of L2 or L4 traffic
- You want an increase in the SSL proxy performance
If your BIG-IP system is handling mixed network traffic, such as virtual addresses that only perform L2 traffic and virtual addresses that do SSL processing on the same box, you should leave the system configured the way it is, because SMP mode will not help this configuration. SMP mode only helps the performance of systems that use the BIG-IP system exclusively for SSL traffic.
If you want the increased SSL proxy performance provided by the SMP mode, and are willing to sacrifice the processing of other types of network traffic, then you may want to consider switching your system to SMP mode. Type the following command to put the system in SMP mode:
b db set Local.Bigip.Boot.Kernel = SMP
After you change the kernel setting in the bigdb, type the following command to restart sod:
bigstart restart sod
After sod restarts, type the following command to reboot the system:
reboot
Type the following command if you want to switch back to ANIP mode:
b db set Local.Bigip.Boot.Kernel = ANIP
NOTE: An alternative to putting the system in SMP mode is to create a scalable SSL configuration as described in the BIG-IP Controller Solutions Guide, Chapter 11, Configuring an SSL Accelerator.
CORBA port number in the Configuration utility (CR19780)
We removed the ability to change the CORBA port number in the Configuration utility. The CORBA IIOP port should only be set to the default setting of 683.
Raw Ethernet packets in ANIP mode (CR20274)
We have corrected the way ANIP mode handles raw Ethernet packets. Previously, raw Ethernet packets would occasionally cause a race condition.
Header insert and header erase attributes (CR21617)
There is no longer a 128 byte limitation on the header insert and header erase attributes.
Windows uploads (CR22043)
Delayed acknowledgement packets (ACKs) no longer restrict Windows uploads at 40K per second.
Using the MGMT interface on units that include the Packet Velocity ASIC (CR22599)
It is important that you use the MGMT interface (3.1) on units that include the Packet Velocity ASIC for administration only. We recommend that you do not use the MGMT interface on a VLAN you plan to use for load balancing traffic.
Connection and packet statistics (CR22709)
Connection and packet statistics now display correctly when you run the bigtop utility.
SIP persistence: two exact SIP UDP messages (CR24304)
The BIG-IP system no longer creates two connection table entries when two identical SIP UDP packets are received.
Using fallback persistence with SIP persistence (CR24306)
You can now use the simple_timeout simple persistence setting as a fallback for SIP persistence.
Using a VLAN group configuration in transparent or translucent mode (CR24409)
You can now configure the BIG-IP unit to bridge between two VLANs in either transparent or translucent mode without creating duplicate packets.
Process-checking field in snmpd.conf (CR24450)
We have corrected the process checking field (proc) in the snmpd.conf. It now puts the correct information into the ucd prTable.
Remote authentication server responses (CR24487)
If you have remote authentication configured and you mistype a password or user login, the correct remote authentication server responds.
User name in audit logs (CR24600)
The audit logs now show the correct user name when a user makes configuration changes.
SNMP virtualAddressEntry table and wildcard virtual servers (CR24647)
The SNMP virtualAddressEntry table can now handle wildcard virtual servers.
Name field on the Add VLAN Group and VLAN Group Properties page (CR24719)
The maximum number of characters for a VLAN group name is 15 characters.
Monitor name limitations (CR24864)
Monitor names typed in the Configuration utility and the command line are no longer limited to 31 characters.
Authorization: setting the user key to "user" (CR24880)
You can now set the authorization user key to user without causing a syntax error when you load the configuration.
Audit logs and resetting statistics for services (CR24923)
The audit logs now correctly show the services when you reset statistics with the command b global stats reset.
Resetting statistics for node server (CR24924)
The audit logs now display correctly when the statistics are reset for a node server.
Gratuitous ARPs with MAC masquerading and VLAN failsafe configured (CR24925)
Gratuitous ARPs are now handled correctly in an active/standby redundant scenario with MAC masquerading and VLAN failsafe configured. When the active unit detects no traffic on the VLAN, such as when the cable is unplugged, or the unit is rebooted, the other unit becomes active. When the unit that was demoted to standby reboots, it now sends a gratuitous ARP for its self IP addresses.
DELL: Large BSDi Partition and DOS in the FDISK table (CR24941)
We have corrected a problem that could have caused an error during installation on some DELL platforms.
Increased SSH DSA host key security (CR24955)
SSH key generation now uses hardware random number generators when available. This increases the security of the SSH DSA host keys and reduces the probability that the key can be guessed, or that a random key collision could occur.
Rule hierarchy modification for direct node selection and cookie insert (CR24957)
We have changed the rule hierarchy so that direct node selection occurs before cookie insert.
DELL: watchdog timeout resetting (CR24962)
We have corrected watchdog timeout reset problems with fixes from the Broadcom erratum for BCM5700 chips.
Unaccepted, timed-out connection requests (CR24984)
We have corrected a problem that could be caused if a SYN packet was sent from a client through a virtual server to a server, and the server did not answer before the connection timeout was reached. Previously, the reaper sent an RST in both directions.
TCP SYN packets received for a self IP address that matches TIME_WAIT connection (CR24993)
If a TCP SYN packet is received for a self IP address, and it matches an old connection that is in TIME_WAIT state (same source and destination address and port), the system deletes the old connection and creates a new one.
CPU statistics reported correctly in multiprocessor mode (CR25018)
When the BIG-IP system is running in multiprocessor mode, CPU usage metrics are now reported correctly when you use the top utility.
VLAN-keyed connections on the 2400 platform (CR25046)
We have corrected a problem with VLAN-keyed connections on the 2400 platform. The packet and byte statistics occasionally were not counted for pools and SNATs.
OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the correct object identifier (OID) associated with it.
SSL proxy consuming all available file descriptors (CR25081)
We have corrected a problem that caused the SSL proxy to consume all available file descriptors.
Savecore captures on large hard drives (CR25083)
The savecore program now functions correctly on large hard drives.
Server FINs from early-closed late-bound connections (CR25094)
Server FINs from early-closed late-bound connections are now returned properly to the client.
Pool::set_persist_mode() to type_expression through the iControl SDK without expression (CR25096)
You can now set Pool::set_persist_mode() to type_expression through the iControl SDK without supplying an expression, and doing so no longer causes system instability.
Error message on shutdown (CR25110)
On switch platforms, we have corrected a situation that caused an error message to display as the system shut down to reboot.
Tcpdump on the 5000 series with mirror VLAN and mirror hash enabled (CR25129)
We have corrected a problem that prevented tcpdump from showing traffic on the 5000 series with mirror VLAN and mirror hash enabled.
BIG-IP Application Switch as the only active STP in the network (CR25162)
If the BIG-IP Application Switch is the only STP-enabled entity in the network, parallel ports go to a forwarding state because the switch ignores its returning bridge protocol data unit (BPDU) frames. This leaves the network open to bridge loops. To avoid this situation, we recommend that you disable STP if you only have one BIG-IP Application Switch in your network. Use the following command to disable STP on the BIG-IP system:
b stp <stp_name> disable
VLAN groups and non-IP traffic (CR25176)
VLAN groups can now forward non-IP traffic.
Connection table entry reaping for UDP packets with node address disabled (CR25186)
We have corrected a problem where, in rare circumstances, connection table entries were not reaped for UDP packets when the node address was disabled.
FIPS: nCipher driver debug messages (CR25308)
The FIPS nCipher driver no longer outputs debug messages.
E-Commerce Controller: Adding a virtual server with a wildcard port (CR25314)
When you add a virtual server with a wildcard port, port translation is now disabled by default in both the Configuration utility and from the command line.
Connection rebinding with members that have different priorities (CR25348)
Connection rebinding with members that have different priorities now works correctly.
Default VLANs on 5100 and 5110 platforms (CR25352)
The default VLANs on the 5100 and 5110 platforms are now mapped consistently in the following manner:
VLAN admin
untagged interfaces 3.1
VLAN external
untagged interfaces 2.1
VLAN internal
untagged interfaces 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 2.2 2.3 2.4
Clean up of logs during upgrade on systems with the Packet Velocity ASIC (CR25405)
We have improved clean up of logs during the upgrade on systems with the Packet Velocity ASIC.
SNMP: data from globalAttr* (CR25429)
We have updated the data for the SNMP globalAttr*. Also, we have corrected the following spelling errors:
globalAttrMaintenceMode is now globalAttrMaintenanceMode.
globalAttrPersistAccrossVirtuals is now globalAttrPersistAcrossVirtuals.
Also, we have changed the globalAttrPersistTimerUsedAsLimit to use either timeout or limit rather than true or false. The default setting is timeout.
MAC masquerade addresses and forcing a system to standby (CR25453)
When you purposefully change the state on a BIG-IP unit in a redundant system from active to standby, the first octet of the MAC address for any self IPs that you have configured may change to 02. This happens only when your configuration meets all of the following conditions:
- You are running BIG-IP HA software.
- You have VLANs that are not a part of a VLAN group.
- The self IPs for those VLANs have a MAC masquerade address configured.
- You force the active unit in a redundant system to standby, without rebooting.
Hardware Acceleration of forwarding pools (CR25462)
The Packet Velocity ASIC now partially accelerates forwarding pools.
Statistics for interfaces that are in a VLAN but not in use (CR25470)
The bigpipe interface show command no longer incorrectly reports statistics for interfaces that are in a VLAN but not in use.
SNMP: enterprises.ucdavis.memory.* OID (CR25488)
The enterprises.ucdavis.memory.* now returns valid information.
SSL proxy bigdb keys listed in /config/default.txt (CR25502)
We have updated the SSL proxy bigdb keys listed in /config/default.txt.
The persist dump command (CR25520)
We have corrected a problem with the b persist dump command that caused the error message Name exceeds maximum length to be displayed. This message is no longer displayed.
Virtual server bound to VLAN after deletion (CR25524)
We have corrected a problem where a virtual server was bound to a VLAN that had two or more networks configured even after you attempted to delete it.
/var/log/bigd: shut down of checkd (CR25525)
When checkd shuts down, the correct message is now logged in /var/log/bigd. The message is now checkd: exiting.
Memory usage with IP rate filtering or SSL proxy re-encryption (CR25542)
We have corrected a problem where under certain memory overload conditions, using IP rate filters or SSL proxy re-encryption could cause system instability.
The bigpipe interface media show command (CR25544)
The b interface media show command now shows the media type for the specified interface.
SSL proxy rewriting redirects in 302 responses (CR25550)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.
Associating multiple monitors with the same service (CR25572)
You can now associate multiple monitors with the same service using the Configuration utility, and not receive the message Error 132 - Monitor template not found.
Connection reuse and FastFlow (Fast Path) (CR25595)
We have streamlined how the FastFlow (Fast Path) feature reuses certain connections. The connections are now handled more efficiently.
Certificate expiration dates on the Certificate List Screen (CR25610)
The certificate expiration dates on the Certificate List Screen now display the correct expiration dates.
Logging forced down to /var/log/bigd (CR25614)
When you force a node to the DOWN state using the Configuration utility, or from the command line, the forced down state is now logged in /var/log/bigd.
Redirect rewrites for HTTP/0.9 requests on the SSL proxy (CR25624)
We corrected a problem with redirect rewrites for HTTP/0.9 requests on the SSL proxy that produced the log message No space in response line.
nCipher card failure (CR25629)
The BIG-IP system now fails over to the peer unit when an nCipher card fails.
SSL proxy performing an HTTP header insert (CR25671)
We have corrected a problem where, in rare circumstances, an SSL proxy performing an HTTP header insert could assume it had received the end of the header.
Dual processors detected with no GNIC (CR25694)
The SMP kernel is now used automatically in dual processor systems with no gigabit Ethernet NICs.
New proxy ARP exclusion class (CR25801)
You can now create a proxy ARP exclusion class on the BIG-IP system, proxy_arp_exclude. Use this class to prevent the BIG-IP system from generating gratuitous ARP requests to its peer unit when you have a redundant system using VLAN Groups. To configure the proxy_arp_exclude class, in the navigation pane, click Classes, and then click the Add Class button. (For assistance with the settings, click the Help button.) You can also find information about the proxy_arp_exclude class in the BIG-IP Reference Guide, version 4.5.
Interrupt coalescing in the Intel wx driver (CR25823)
We have applied an update from an erratum for the Intel wx driver to correct a problem that caused an Intel gigabit network card to stop processing traffic. When the error occurred, the message "wx<n> device timeout" was logged. The fix is automatic if you are using the ANIP or SMP kernels.
IP Application Switch: IS-IS multicast packets on the ingress port (CR25935)
IP Application Switch platforms no longer re-broadcast IS-IS multicast packets on the ingress port.
Dual processor system running in ANIP mode during core dump (CR25943)
Dual processor systems running in ANIP mode can now create core files that are more useful.
Command line and Configuration utility QoS values on pools (CR25944)
You can now enter only valid QoS values for pools. The valid range is 0 to 7.
Connection reaping if the client closes the connection without sending data (CR25983)
For late-binding connections, if the client negotiates a connection without sending any request, the connection is reaped.
Swap partition size (CR26010)
We have increased the swap partition size to 2 gigabytes.
SSL proxy: 100 Continue responses (CR26034)
SSL Proxy now rewrites 302 redirects seen after a 100 Continue message (usually sent by the server after a POST operation).
Reboot of standby 2400 unit and connectivity with the active unit (CR26078)
We have corrected a problem where in certain cases, on the 2400 platform with network failover configured, rebooting the standby unit in an active/standby redundant configuration caused the active unit to lose existing connections. We recommend that if you require network failover, you configure the admin ports (port number 3.1) for failover.
Rules precedence problems (CR26097)
We have corrected a rules syntax precedence problem that could cause extra parentheses to be added to rule syntax saved in the /config/bigip.conf.
Redirect rule and extra '/' (CR26107)
We have corrected a problem that added an extra forward slash (/) to redirect rule syntax.
Forwarding pool causes annunciator LED to flash yellow (CR26116)
If you configure a forwarding pool on any platform, the yellow alarm LED flashes yellow indicating a pool with zero active nodes. In this case, the yellow alarm LED is benign.
Connection rebinding for UDP with FastFlow (Fast Path) enabled (CR26135)
Connection rebinding now functions correctly with UDP packets when you have FastFlow (Fast Path) enabled.
Using the address 127.0.0.x as a member in a pool (CR26174)
Using the address 127.0.0.x (where x is the host number) as a member in a pool no longer causes the BIG-IP system to hang.
Handling of 'Connection: close' header from client in HTTP/1.1 (CR26177)
We have corrected how the system handles the Connection: close header from the client in HTTP/1.1.
Closing connections with One Connect enabled (CR26178)
With One Connect enabled, the FIN-ACK was not being sent through to the client. We have corrected this problem. If you see this problem, please contact Support for the solution.
Failover: Synchronization of mirrored connections on a standby box (CR26197)
Mirrored connections from an active unit are now mirrored on the standby unit as soon as the standby unit is rebooted or restarted.
Packets with a TCP checksum of 0 (CR26202)
We have corrected a problem that caused packets with a TCP checksum of 0 to be transformed to a checksum of 0xFFFF by FastFlow (Fast Path).
Late-binding state out of synchronization with Keep-Alives (CR26221)
We have corrected a synchronization problem between the state of a connection handled by a late-binding virtual server and the keep-alive state of the connection on the server that could cause the connection to lock up or behave unpredictably. This problem affected the cookie insert feature, the hash cookie feature, and rules. One of the ways you could observe this problem was that a new connection could be paired with an existing connection and the existing content could be sent to the client requesting the new connection.
SSL proxy and error log messages when CRLs are out of date (CR26240)
The SSL proxy now logs an error message when a Certificate Revocation List (CRL) is out of date.
Multiple VLAN SNATs when virtual servers are fully accelerated (CR26242)
When you have multiple VLAN SNATs configured, they are now partially accelerated by the Packet Velocity™ ASIC when virtual servers are fully accelerated.
Advanced Routing Modules: OSPF module during an LSA update (CR26268)
We have corrected a problem that was destabilizing the OSPF module during LSA updates.
SIP persistence and virtual servers with address translation disabled (CR26278)
SIP persistence now works correctly with virtual servers that have address translation disabled.
The b load command and connection limits (CR26451)
The b load command no longer causes the connection count to be set to zero, which prevented connection limits from being honored.
bigpipe values allowed for ip_tos (CR26478)
The bigpipe command now limits the possible values for ip_tos to the correct value range (0 - 255).
SNMP: settings for virtualServerFailoverFlags (CR26509)
We have updated the values for virtualServerFailoverFlags. The appropriate values are nonmirroring and mirrorconnections.
Upgraded OpenSSL (CR26518)
We have upgraded OpenSSL to version 0.9.7a. This upgrade includes various security fixes and enhancements including the following:
- Security: Important security-related bug fixes
- Security: Support for OCSP, the Online Certificate Status Protocol
- ENGINE: Can be built without the ENGINE framework
- Assembler: IA32 assembler enhancements
- Configuration: The no-err option now works properly
- SSL/TLS: Now handles manual certificate chain building
- SSL/TLS: Certain session ID malfunctions corrected
- RFC Compliance: emailAddress is the new established x509 attribute for certificates
Note: All certificate headers that contain an e-mail field such as Issuer or Subject now have the header emailAddress= . In previous releases this header was Email=.
Port Translation default settings for the Configuration utility and command line (CR26543)
The following settings are the updated default port translation settings for both the Configuration utility and the command line:
Type of object | Port Translation |
net:* | disabled |
ip:* | disabled |
vlan:* | disabled |
*:* | disabled |
ip:port | enabled |
net:port | enabled |
vlan:port | enabled |
*:port | disabled |
URI with rule redirect using port (:p) when port is 80 (CR26618)
We have corrected a problem that was adding extra characters to the end of the URI redirected using the port 80.
Advanced Routing Modules configuration files (CR26619)
The configuration files for the Advanced Routing Modules now save and load correctly when daemons are started up.
ITCM.log rotation (CR26781)
The ITCM.log is now rotated daily.
Advanced Routing Modules creating a core file (CR26783)
We have corrected a problem that was causing the Advanced Routing Modules to create a core file if the full path was not specified for the log file.
SSL proxy certificate serial number consistency (CR26800)
The SSL proxy certificate serial numbers are now listed in a consistent format.
Authorization: adminpw value (CR26824)
The adminpw setting is now saved correctly when you load a configuration using the b config load command.
bge message on reboot (CR26827)
When you reboot the 1000 and 5100 series platforms, you no longer see this unnecessary message:
bge0: bge_wait_bit_clr timeout: reg=0x468 mask=0x2
bigpipe: imid parsing (CR26875)
We have corrected a problem that prevented the imid rule syntax from being parsed correctly with or without braces.
wd0: lost interrupt message (CR26943)
You no longer see the following benign error message when you upgrade your system:
wd0: lost interrupt
RULES: Loading configuration with external classes (CR26952)
When the configuration loads, classes are now loaded before pools. This eliminates a problem with using external classes with the mapclass2node option in the pool selection.
SSL: turn on RSA Blinding for software RSA private key operations (VU#997481) (CR26966)
We have turned on RSA Blinding for software RSA private key operations as noted in the CERT vulnerability note VU#997481. This may impact SSL performance to some degree.
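The blinding countermeasure named above, as an added example in Python on a constructed toy key (not F5's or OpenSSL's code; the key values and function names are assumptions made for the illustration). The private-key operation runs on a randomly masked input and the mask is removed afterwards, which is also where the extra processing cost comes from.

```python
"""RSA blinding on a toy key (constructed values, illustration only)."""
import secrets
from math import gcd

# Constructed toy key built from two known Mersenne primes.
# Real deployments use 2048-bit or larger keys from a vetted library.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def private_op_unblinded(c):
    """Plain private-key operation.

    The exponentiation runs directly on the caller-supplied value c, so
    its running time can depend on both c and the private exponent.
    """
    return pow(c, D, N)


def blind(c):
    """Mask c with a fresh random factor.

    Returns (c * r^E mod N, r^-1 mod N) for a random r coprime to N.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2  # 2 <= r < N
        if gcd(r, N) == 1:
            break
    return (c * pow(r, E, N)) % N, pow(r, -1, N)


def private_op_blinded(c):
    """Private-key operation with blinding.

    The secret exponent is applied to a value the caller cannot predict,
    so timing no longer correlates with the caller's input. The cost is
    one extra public exponentiation, one modular inverse and two
    multiplications per operation.
    """
    blinded, r_inv = blind(c)
    # (c * r^E)^D = c^D * r^(E*D) = c^D * r  (mod N)
    masked_result = pow(blinded, D, N)
    # Remove the mask: c^D * r * r^-1 = c^D  (mod N)
    return (masked_result * r_inv) % N


if __name__ == "__main__":
    message = 0x1234567890ABCDEF          # constructed sample plaintext
    ciphertext = pow(message, E, N)       # what a peer would send

    assert private_op_unblinded(ciphertext) == message
    assert private_op_blinded(ciphertext) == message

    # The value fed to the secret exponentiation differs on every call.
    first, _ = blind(ciphertext)
    second, _ = blind(ciphertext)
    print("input seen by unblinded op :", hex(ciphertext))
    print("input seen by blinded op #1:", hex(first))
    print("input seen by blinded op #2:", hex(second))
```
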
T/TCP connection closing (CR26972)
We have corrected a problem that prevented some T/TCP connections from closing correctly.
Network virtual server loading in a particular order with others on the same subnetwork (CR26988)
We have corrected a problem that was preventing network virtual servers on the same subnetwork from working if they were not ordered in the /conf/bigip.conf file in a particular order. Now they work in any order.
SSL Proxy: handling BMP, IA5, and UTF8 certificate strings with LDAP authentication (CR27018)
The SSL proxy can now handle BMP, IA5, and UTF8 certificate strings with LDAP authentication. This increases the BIG-IP system's compatibility with Microsoft's SiteServer and Active Directory.
SSL proxy virtual server configured with a last hop pool (CR27040)
We have corrected a problem that could stop traffic through an SSL proxy virtual server configured with a last hop pool.
Transaction level on systems monitored by the iControl™ Services Manager (CR27192)
We have reduced the level of transactions generated on systems monitored by the iControl™ Services Manager.
Licensed system without EULA acceptance (CR27215)
A warning is now displayed if the system is licensed but you have not accepted the EULA.
SSL proxy: a very long URI followed by header insert and another header value (CR27218)
The SSL proxy can now handle connections in situations where there is a very long URI and an inserted header with no client headers (just a bare request).
SSL proxy: 100 Continue responses (CR27234)
The SSL proxy now correctly handles 100 Continue responses that are up to 140 bytes. You can observe this activity only when the BIG-IP system and server have not made the three-way handshake by the time two halves of a POST are received by the BIG-IP system.
SSL proxy: session IDs rejected by the server (CR27274)
The SSL proxy no longer attempts to reuse session IDs rejected by the server.
Rotation of the /var/log/cron file (CR27355)
The /var/log/cron file is now rotated daily instead of weekly.
Version 4.5 PTF-03
The 4.5 PTF-03 release included the following fix.
HTTP requests through a Layer 7 virtual server with a specific size (CR25868)
We corrected a problem in version 4.5 of the BIG-IP software that could cause the system to become unstable when HTTP requests of certain specific sizes were received through a rule using a Layer 7 variable or through a pool with a Layer 7 attribute.
Version 4.5 PTF-02
The 4.5 PTF-02 release included the following features and fixes.
Layer 7 Checksum Validation
A new global, l7_validate_checksums, is included in this release. We recommend that you do not change the value of this global variable unless you are instructed to by a support representative.
UDP checksums and TFTP packets (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.
Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.
iControl SOAP null nat_addr value for NAT::set_arp used with the iControlPortal (CR24914)
The iControlPortal no longer becomes unstable when it processes an iControl SOAP null nat_addr value for NAT::set_arp.
Zero length IP/UDP packets received by the system when forwarding is enabled (CR24931)
If you have forwarding enabled, zero length IP/UDP packets no longer destabilize the system.
Incorrect TCP checksum causing virtual server to send packets (CR24983)
Virtual servers no longer send packets when the TCP checksum is incorrect. In order to implement this fix, please contact Support.
Mid-stream SSL renegotiations with the SSL proxy (CR24989)
The SSL proxy can now handle mid-stream SSL renegotiations.
SSL proxy sending ACKs to clients with late binding (CR25015)
The SSL proxy now sends acknowledgement packets (ACKs) to clients correctly when handling late binding connections.
Connection statistics when you change the configuration under load (CR25044)
On the 2400 platform, the connection statistics are now correct even if you change the configuration under load.
Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.
Dual processor system without a gigabit interface (CR25104)
The BIG-IP 540 platform now supports two processors correctly if there is no gigabit Ethernet interface installed in the platform.
Strict string evaluation for cookie hash persistence (CR25122)
Improved the cookie name lookup and hash mode for cookie hash persistence.
SSL TPS performance with increasing concurrent clients (CR25164)
Optimized the SSL transaction per second (TPS) performance when there is an increasing number of concurrent clients.
SSL proxy forwarding unparsed server response to client (CR25168)
When rewriting of redirects is enabled, the SSL proxy no longer forwards an unparsed server response to the client.
Configuring serial terminal as console (CR25183, CR25414, and CR25445)
You can now configure the serial terminal as the console on all platforms.
Deleting a SNAT and re-adding it to the configuration (CR25198)
The SNAT current connections statistics are now correct after you delete a SNAT and then add it back to the configuration.
Comparing class values (CR25236)
You can now use the contains, starts_with, and ends_with operators to compare class values.
Licensing in the web-based Configuration utility (CR25239)
Corrected a problem when licensing the standby unit through the web-based Configuration utility that could cause traffic to stop on the active unit.
Instability when using Universal Inspection Engine redirect (CR25358)
The Universal Inspection Engine redirect feature no longer causes instability in the system.
Unit ID with a SNAT translation (CR25372)
You can now include a unit number after the SNAT translation address.
Version 4.5 PTF-01
The 4.5 PTF-01 release included the following features and fixes.
Added support for the 2400 platform
This release includes enhanced support for the F5 Networks 2400 platform.
Viewing licensing error log files from the Configuration utility (CR25055)
You can now view the log files for errors that occur during the licensing process using the Configuration utility. A View Log File button appears on the licensing screen when the licensing process generates errors.
Resets (RSTs) from aging-out connections (CR22219)
Resets (RSTs) from aging-out connections no longer cause some connections to hang due to incorrect sequence numbers for the resets.
CA-2002-31, Multiple Vulnerabilities in BIND (CR25085)
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.
Optional configuration changes
Once you have installed the software, you can use any of the following new configuration options to update your configuration. Note that these new configuration options are the result of one or more of the fixes or enhancements listed above.
Changes to trap syntax
If you are upgrading from a version of the BIG-IP software prior to 4.5 PTF-07, the traps syntax has been changed.
The new syntax is as follows:
local0.* /var/run/trapper
local1.* /var/run/trapper
local2.* /var/run/trapper
auth.* /var/run/trapper
Note: In order to start or restart trap throwing functionality, you need to reboot the BIG-IP system.
Known issues
The following items are known issues in the current release.
Fan and temperature monitoring with SNMP
SNMP queries for fan speed, CPU temperature, and power supply status are functional for certain platforms. Currently, fan and temperature monitoring is supported only for the following platforms:
- 2000
- 2400
- 5000
- 5100
- 5110
For these platforms, periodic monitoring is enabled automatically. However, the system_check script does affect performance. You can disable the system_check script by commenting out (adding a leading # sign to) the line in /etc/crontab that runs the system_check utility. This version does not support fan and temperature SNMP monitoring on the following platforms:
- D25
- D30
- F35
- D35 (520 and 540)
Cannot remove all monitors to create a monitorless state (CR15512)
A base ICMP monitor is always associated with each node. This monitor cannot be removed.
Wildcard certificates in the Cert Admin screen (CR17426)
The Cert Admin screen in the Configuration utility currently only allows *.<domain_name> for wildcard certificates. A domain name of *.*.<domain_name> is not supported on the Cert Admin screen.
Upgrading the software and the MindTerm SSH Console (CR18436)
When you upgrade the BIG-IP software from the MindTerm SSH Console, in some cases, MindTerm may hang. This has no effect on the upgrade procedure.
The RADIUS port in /etc/services (CR20136)
Previous releases of this software use the RADIUS port 1645 as the default in /etc/services. This release uses the new IANA RADIUS port 1812.
L2 proxy ARP forwarding exclusion list (CR20647)
In order to prevent the active unit from forwarding ARP requests for the standby unit (or other hosts to which proxy ARP forwarding is not wanted), you can now define a proxy ARP exclusion list. To configure this feature, you can define a proxy_arp_exclude class, and add any self-IPs on the standby and active units to it. The BIG-IP units do not forward ARP requests from the hosts defined in this class.
For example, to create a proxy_arp_exclude class use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }
If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. We recommend that you configure this feature if you use VLAN groups with a BIG-IP redundant system. The reason is that both BIG-IP units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents the original IP address of a packet from being translated by the BIG-IP system. The BIG-IP system forwards traffic directly to the destination.
If you do not configure a proxy ARP exclusion group for systems configured with VLAN groups, you may see problems such as:
- Nodes being marked down for a period of time after a failover
- The inability to access resources through the active BIG-IP unit when there are multiple physical or logical connections to the same VLAN group (especially likely to be noticed when there are multiple connections between the active and standby BIG-IP units)
SNAT automap incompatibilities (CR20801)
Default gateway pools, forwarding virtual servers, and forwarding pools are incompatible with SNAT automap. Configuring a default gateway pool with a forwarding virtual server or a forwarding pool is also incompatible. To work around this incompatibility, you can configure a network wildcard virtual server in front of the SNAT. The wildcard virtual server routes by connection, using the cached routes.
ICMP pings updating MAC addresses for nodes in the ARP table (CR21228)
ICMP pings are not updating the MAC addresses for all nodes in the ARP table. This has no effect on the functionality of the BIG-IP system. The only way to view these entries is to type the command arp -na, which lists the ARP table.
bigpipe proxy show command (CR21750)
The bigpipe proxy show command incorrectly displays accepted connections, as well as queued connections that have not yet been accepted.
Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity™ ASIC does not generate a TCP reset.
Configuring the admin port for node connectivity (CR22599)
We recommend that you do not configure the admin port for node connectivity.
Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.
Gateway failsafe and active-active configurations (CR22728) (CR33581)
The gateway failsafe feature is not currently supported for active-active configurations. If you want to use a similar configuration, we recommend that you configure the VLAN failsafe feature in combination with a default gateway pool.
Changing IP addresses on VLANs (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.
TOS or QoS values in FTP data connections (CR24644)
FTP data connections have incorrect TOS or QoS values set in the BIG-IP software. Both values are set to 0.
iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET framework's serialization. For nested structures within arrays, the framework cannot support an empty array represented as a single XML element.
For example, this method does not serialize:
<return type='Array' ArrayType='tns:someType[0]'/>
This method does serialize:
<return type='Array' ArrayType='tns:someType[0]'></return>
SNAT automap and acceleration (CR24959)
On the 2400 platform, if you configure SNAT automap and do not associate the SNAT with a virtual server, the traffic is not accelerated by the Packet Velocity™ ASIC. Note that you can associate the SNAT with a wildcard virtual server to accelerate any SNAT automap traffic.
SSL proxy processes with non-idle connections (CR25080)
Some idle connections may not be closed as long as the SSL proxy continues to receive data within the idle connection timeout, and the server-side connection remains open.
Product Announcement: Content converter feature for Akamai (ARLs) removed from BIG-IP products for EOL (CR25082)
With this release, we are announcing the End-of-Life (EOL) of the content converter feature for converting Akamai ARLs. This applies to all fully licensed BIG-IP products running version 4.5 PTF-04 or later. As a result of this action, newly shipped or upgraded versions of the BIG-IP software no longer include this feature. If you want to continue using this functionality, do not upgrade to this version of the software. If you do plan to upgrade to this version of the software, we recommend that you remove all related configuration information from the bigip.conf file before you upgrade.
The b conn dump verbose command and values for packet counts or byte counts (CR25119)
The bigpipe command, b conn dump verbose, displays incorrect values for packet counts and byte counts.
Configuring a single default gateway member (CR25141)
If you configure only a single default gateway member, that address is configured as the default route. It is not displayed as a default gateway pool.
Simple persistence timers and the 2400 platform (CR25182)
Simple persistence timeout global settings function slightly differently on the 2400 platform than on other BIG-IP platforms. With the 2400 platform, the global mode global persist timer timeout causes the persist timer to be updated every 30 seconds when a connection that references the persist entry is still alive. On other platforms, the persist timer is updated with every packet inbound from the client.
e-Commerce Controller and setting port translation option for wildcard ports (CR25336)
On the e-Commerce Controller only, when you configure a virtual server with a wildcard port (*) using the Configuration utility, the default port translation setting is set to enable instead of disable. Note that this does not occur when you use the bigpipe utility. If you want to configure virtual servers with wildcard ports, and you want to disable the port translation, add the virtual server using the following bigpipe command (rather than using the Configuration utility):
bigpipe virtual <ip_address:0> use pool <pool_name>
Harmless message during configuration (CR25399)
You may see the message startup bigstpd: (pid 169) already running during configuration. This message is harmless.
SNMP: updated the globalAttr* values (CR25429)
This release includes revised globalAttr* values for SNMP. These values include globalAttrOpen3DNSPorts and globalAttrOpenCorbaPorts. For a complete list of the updated descriptions, refer to the MIB.
SNMP OIDs switch platform support (CR25458)
The SNMP OIDs dot1*, dot3*, and limited rmon OIDs are supported by only switch platforms. These platforms include the 1000, 2000, and 5000 series.
SSH access host restrictions configured in /etc/hosts.allow (CR25530)
In previous versions, /etc/ssh2/sshd2_config and /etc/sshd_config controlled SSH access. This upgrade reverts to an SSH access level that allows all hosts to connect. Upgrading to this version ignores previously configured SSH access restrictions configured in /etc/ssh2/sshd2_config and /etc/sshd_config. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once the upgrade has been completed. To do this, type the following command to start the Setup utility and then press Enter:
config
Choose option S (Configure SSH) and set the restrictions you prefer.
Disabling a virtual server that is under heavy traffic load (CR25538)
If you disable a virtual server that is under heavy traffic load, the BIG-IP log may fill the /var partition. To work around this problem, you can configure syslogd to log to a remote system, or you can shut off logging on local0.*. For alternative solutions, contact Support.
CPU temperature readings on Tyan 2765 motherboards (Application Switch platforms) (CR25641)
Some older motherboard revisions may incorrectly display CPU too hot messages. For more information about this issue, please read SOL2116: Error message: CPU too hot!.
Transparent VLAN group mode with FastFlow (Fast Path) acceleration (CR25727)
The transparent VLAN group mode is not accelerated by the FastFlow (Fast Path) feature.
Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.
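A post-upgrade check for the two SSH access issues above (CR25530 and CR25821), as an added example that is not part of the F5 release notes: it parses TCP-wrappers rules in a hosts.allow file, reports SSH rules that are open to ALL, and tests whether a given address is listed. The daemon names sshd and sshd2, the function names, and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit TCP-wrappers rules for SSH in a hosts.allow file.
# ASSUMPTION: the SSH daemons appear as sshd or sshd2 in the file; adjust
# SSH_DAEMONS to match the daemon names your system actually uses.
SSH_DAEMONS="sshd sshd2"

# ssh_rules FILE
# Print "<first line number> <client patterns...>" for every rule whose daemon
# list names an SSH daemon or the ALL wildcard. Handles backslash continuation
# lines, comment lines, comma or space separators, and daemon@host entries.
# Limitation: bracketed IPv6 client patterns (they contain colons) are not parsed.
ssh_rules() {
    awk -v daemons="$SSH_DAEMONS" '
    BEGIN {
        n = split(daemons, d, " ")
        for (i = 1; i <= n; i++) want[d[i]] = 1
        want["ALL"] = 1
    }
    {
        if (!cont) start = NR              # remember where a rule begins
        line = $0
        if (line ~ /\\$/) {                # trailing backslash: rule continues
            sub(/\\$/, "", line); buf = buf line; cont = 1; next
        }
        rule = buf line; buf = ""; cont = 0
        if (rule ~ /^[ \t]*(#|$)/) next    # comment or blank line
        if (split(rule, f, ":") < 2) next  # no "daemons : clients" separator
        gsub(/,/, " ", f[1]); gsub(/,/, " ", f[2])
        hit = 0
        nd = split(f[1], dl, " ")
        for (i = 1; i <= nd; i++) {
            name = dl[i]; sub(/@.*/, "", name)
            if (name in want) hit = 1
        }
        if (!hit) next
        out = start
        nc = split(f[2], cl, " ")
        for (i = 1; i <= nc; i++) out = out " " cl[i]
        print out
    }' "$1"
}

# ssh_open_rules FILE
# Print the SSH rules whose client list contains the ALL wildcard before any
# EXCEPT operator, meaning every host not explicitly excepted may connect.
ssh_open_rules() {
    ssh_rules "$1" | awk '{
        for (i = 2; i <= NF; i++) {
            if ($i == "EXCEPT") break
            if ($i == "ALL") { print; break }
        }
    }'
}

# ssh_is_open FILE: succeed when at least one SSH rule is open to ALL.
ssh_is_open() {
    [ -n "$(ssh_open_rules "$1")" ]
}

# ssh_lists_client FILE PATTERN
# Succeed when PATTERN appears literally as an allowed client in an SSH rule.
# This is a text comparison only; it does not evaluate network/netmask matches.
ssh_lists_client() {
    ssh_rules "$1" | awk -v want="$2" '
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "EXCEPT") break
                if ($i == want) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# write_sample FILE: constructed sample rules, not taken from a BIG-IP system.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample for the audit functions
sshd2: 192.168.10.0/255.255.255.0, \
       10.20.30.40
ALL: 127.0.0.1
sshd: ALL EXCEPT 172.16.0.99
snmpd: ALL
EOF
}

# Demo on the constructed sample.
demo=$(mktemp) && write_sample "$demo"
echo "SSH rules:";   ssh_rules "$demo"
echo "Open to ALL:"; ssh_open_rules "$demo"
rm -f "$demo"
```

To audit a live system, call ssh_open_rules and ssh_lists_client on /etc/hosts.allow after the upgrade, and again after running the (S) Configure SSH option.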
Late binding virtual server with 500 MTU router and large request (CR26025)
If a client sends a large request, greater than 460 bytes, through a router set to 500 MTU, the BIG-IP system does not forward the request to the server.
Switching to a single route configuration if you have a gateway pool in use (CR26143)
If you create a default gateway pool, and then you decide to change to a single route, we recommend that you do not delete the gateway pool even if you change the router configuration so that there is only one router in the pool.
Changing iControl settings does not restart the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:
bigstart shutdown portal
bigstart startup
LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do not use spaces in the group names.
Generating certificates with openSSL after upgrading the software (CR26456)
After you upgrade the software, you may run into issues when you use the openSSL command line utility to generate certificates or certificate signing requests (CSRs). If you experience difficulties with this task, run the genconf command to update the openssl.conf file.
SSL proxy down due to error condition (CR26487)
If the SSL proxy is down due to an error condition, the b proxy show command still shows the proxy is enabled.
Proxies configured using the command line and default CRL recognition (CR26515)
When you use the command line interface to configure a proxy, if you do not specify a path for a certificate revocation list (CRL), the default CRL path is ignored and all client certificates are accepted regardless of their status. In order for the proxy to validate certificates properly through CRL, you must define a specific CRL path or file in the proxy. However, if you use the Configuration utility to configure a proxy, the default CRL path is recognized correctly.
Error message for ip_tos values (CR26566)
The valid ip_tos values are 0 - 255 or 65536, which returns ip_tos to a blank state. If you type an invalid value, you see the following incorrect error message: The requested IP TOS value is invalid. [0..65535].
Setting up a virtual server using the command mirror conn disable (CR26601)
If you use the bigpipe command mirror conn disable or mirror conn disable when you create a virtual server, connection mirroring is enabled. To avoid enabling this variable when you set up a virtual server, do not use the mirror conn disable attribute. If you define a virtual server without the mirror conn enable or mirror conn disable attribute, connection mirroring is disabled.
Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:
"/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2
To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file, and change the authtrapenable value to 2, disable.
Message from /etc/daily script in regards to beholder (CR26612)
When /etc/daily runs, it checks to see if there is a /var/run/beholder.pid file and if it exists, it attempts to rotate the /var/log/rmon.log file. When the rotate log function runs, the following message is logged to /var/log/daily.out for the beholder script:
bigstart: @293: start script beholder not found
Advanced routing modules: terminal settings after exiting vtysh (CR26631)
With the advanced routing modules, after you enter the vtysh router interface, your terminal settings are incorrect. If this problem occurs, type reset to correct the problem.
Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system, it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic cannot pass through the system.
Resetting the statistics and verbose log level 32 (Stat Reset Detail) (CR26822)
The verbose log level 32 (Stat Reset Detail) does not log a message when you reset the statistics.
MSS advertised to backend servers on SSL proxy connections (CR26839)
The BIG-IP system advertises the wrong maximum segment size (MSS) to the backend server if your configuration has an SSL proxy connecting to virtual server on the loopback device (lo0). The advertised MSS respects the MTU of lo0 which is, by default, 4352 (so the resulting MSS is 4312).
Upgrade installation adds node * monitor use icmp to e-Commerce Controller (CR26877)
The BIG-IP 4.5 scratch CD installation adds the following line to the bigip.conf file on the e-Commerce Controller:
node * monitor use icmp
This monitor type is not supported on the e-Commerce Controller.
Setup utility does not preserve MAC masquerade settings (CR26922)
The Setup utility does not preserve MAC masquerade settings. We recommend that you use the bigpipe utility or the web-based Configuration utility to make configuration changes after you have completed your initial setup. However, if you want to use the Setup utility to make changes to the configuration, and you want to preserve the MAC masquerade settings, then after you finish your configuration changes, recreate your MAC masquerade settings with bigpipe or the Configuration utility before you reboot the unit.
Accessing sticky persistence table through iControl (CR26957)
If you have a pool with sticky persistence turned on, and mask set to 255.255.255.0, with a network virtual server, you will not get any records when you attempt to access the data through the iControl methods get_sticky_connection_table or get_persistent_connection_table. To work around this problem, call get_sticky_mask before passing the traffic.
Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.
Key management: displaying BMP and UTF8 strings (CR27049)
The key management system does not properly display BMP and UTF8 strings in certificates.
5000 series with 256 MB Compact Flash and multiple .ucs files (CR27064)
Because of file system size limitations on the 256 MB drive, we recommend that you limit the number of .ucs files you save on the system.
The header erase feature (CR27084)
The header erase feature only looks at the first header. Subsequent headers are not erased.
Changing the virtual server target under load (CR27090)
If you change the virtual server target under load, from a pool to a rule, or a rule to a pool, the system could create a core file.
Misleading message on new installations (CR27091)
If you are installing the software for the first time, you may see the misleading message in /var/log/proxyd:
'proxyd[pid]: No proxies were successfully configured. Exiting.'
This message is benign.
Adding a switch interface to the admin vlan (CR27103)
Adding a switch interface to the admin VLAN causes large volumes of traffic. We recommend that you do not add a switch interface to the admin VLAN.
CompactFlash® media drives and logging for named (CR27132)
When named is running, it generates status and usage messages as part of its normal behavior. If you are running named on a system with a CompactFlash media drive, these messages may fill up the /var/log/ messages directory. To avoid this, periodically delete the status and usage messages for named.
Configuration files with a large number of proxies (CR27159)
Configuration files with a large number of proxies may take a long time to load.
Setting the reaper hiwater and reaper lowater values (CR27169)
If you set the reaper hiwater and reaper lowater values to the same number, you do not receive an error message, but the bigip.conf file does not load. In order for the BIG-IP configuration to load properly, reaper hiwater and reaper lowater cannot be set to the same value.
Dynamic ratio load balancing and snmpdca with Counter32 OIDs (CR27202)
If you are using dynamic ratio load balancing with the snmpdca pinger for metrics collection, and you configure an OID that returns type Counter32 (that is, the Windows™ 2000 Server Enterprise OID), the returned data may not be interpreted correctly. As a result, dynamic ratio load balancing does not function properly.
Server-side proxy listening on port 80 with TCP half-close (CR27203)
When you have a proxy configured that is listening on port 80, and you are using server-side SSL, client TCP connections using half-close may not complete properly.
RADIUS server configuration and Netscape (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.
User administration for remote authentication using the Configuration utility (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored and you must click the Done button in order to add a new user.
Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility, (setup), does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.
Performance tools exhibit fluctuations in the maximum TPS (CR27297)
An enhancement added to increase SSL performance with large numbers of concurrent connections may cause some performance tools to exhibit fluctuations in the maximum TPS when you use them to perform benchmark tests. For example, when you check SSL performance using the IxWeb tool you may see oscillating SSL performance readings. These variations have very little effect on the actual metric performance.
Setting the open_telnet_port default value (CR27331)
If you have a redundant configuration and you disable open_telnet_port on the active unit before you synchronize the configuration, the configuration file leaves open_telnet_port at its last state (enabled) rather than disabling it. After you load this type of configuration, we recommend that you check the state of the open_telnet_port setting.
SSL performance when running in ANIP mode (CR27333)
When you are running the BIG-IP system in ANIP mode, you may experience a 12-15% decrease in SSL performance. This decrease in performance is due to the addition of OpenSSL version 0.9.7a.
User roles in a redundant system configuration (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is not copied over to the other unit. In order to have the same user roles specified on both units, you must configure this setting on both units in the redundant system.
SIP persistence and NAT or SNAT (CR27515)
SIP persistence does not work correctly when you use NAT or SNAT.
iRules and logging (CR27574)
In rare instances when the BIG-IP system is using logging and variable substitution in iRules, the system may display one or two random characters at the end of the correctly displayed log text.
Keeping the system clock and responder clock synchronized (CR27620)
The internal BIG-IP system clock and the responder clock must be synchronized. If they are not synchronized to within 5 minutes of each other, the SSL proxy may hang. In order to keep the clocks synchronized, you can use NTP on the BIG-IP system.
SSL proxy: OCSP status (CR27621)
The status returned from the inserted header ClientCertStatus may display the incorrect error code, error 1, when a certificate is revoked.
SSL proxy: OCSP impact on SSL proxy performance (CR27622)
If you configure the OCSP feature, you may see an impact on SSL proxy performance.
Redundant configurations in active/active mode (CR27639)
When you have a BIG-IP redundant system, with both units in active/active mode, the Configuration utility in certain cases may incorrectly display the self IP as unit 1 when it should be unit 2. This issue does not affect the performance of the BIG-IP system.
Setting media speeds (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the BIG-IP system and the connected switches.
New rule syntax requirements for literal strings (CR27784)
The rules syntax has changed in version 4.5 PTF-04, and there is now a literal string limit of 63 characters. If you have previously configured rules that contain literal strings longer than 63 characters, these rules may fail to load after you upgrade to PTF-04. Rules that worked correctly in previous versions may now produce the following error message:
In rule test: String literal too long (max 63 chars)
If you have this type of rule configured, we recommend that you modify the rule syntax to use literal strings that are less than 63 characters in length. See New rule syntax requirements for literal strings in the Workarounds for known issues section for details.
Using the Setup utility to configure the media type for an interface (CR27793)
When you use the Setup utility to configure the media type for an interface, the BIG-IP system does not save this setting when you rerun the Setup utility. You must configure this setting each time you run the Setup utility.
Memory leak in bigapi (CR27821)
There is a memory leak in bigapi, found through bigsnmpd, which can occur during SNMP queries.
MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive when all of the following conditions are met:
- You have Java Virtual Machine enabled on a Windows® workstation
- You are using the Configuration utility to configure the system
- You open a MindTerm SSH console session from the navigation pane
- You return to the Configuration utility without closing the MindTerm SSH console
If you experience this problem, you must use the Windows Task Manager to close both the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or close the MindTerm SSH console session before returning to the Configuration utility.
Harmless timeout messages during reboot (CR27928)
When you reboot the BIG-IP system, you may see timeout messages for ZebOS and ITCM portal. These messages are harmless and have no effect on the operation of the BIG-IP system.
Configuring virtual servers and nodes that share IP addresses (CR27931)
When you create a forwarding virtual server or a virtual server that has address translation disabled, if the virtual server shares an IP address with a node and you turn on ARP disable, the BIG-IP system may continue to respond to ARP requests. This configuration may cause the BIG-IP system to report duplicate IP addresses and block access to the node. If you want to use this type of configuration, we recommend that you configure a static ARP entry for the node.
Server Appliance platform baud rates (CR27961)
For Server Appliance platforms, the baud rate for the serial console depends on whether version 4.2 or 4.5 of the BIG-IP software was initially installed on the platform. For version 4.2 and version 4.5 units that have been upgraded from version 4.2, the serial console baud rate is 9600. For new units with version 4.5 installed, that were not upgraded from version 4.2, the serial console baud rate matches the baud rate set by the BIOS.
Enabling svcdown_reset (CR27962)
If you enable svcdown_reset from either the command line interface or the Configuration utility, you must reload the configuration for your changes to take effect.
Disabling the memory_reboot_percent global (CR27975)
You cannot disable the memory_reboot_percent global by setting the variable to 0.
Loading configurations with hundreds of proxies defined (CR27997)
Loading a configuration with hundreds of proxies defined may cause the proxyd process to become unstable. Traffic is not disturbed, but a core file and error message occur. No user intervention is necessary.
The imid() function causes syntax errors (CR28008)
Using the imid() function in rules or universal persistence expressions causes a syntax error. The imid function works correctly.
Status LED during power supply failure (CR28012)
The status LED may incorrectly remain green when the bottom power supply fails.
Transparent VLANs with a connection through a virtual server (CR28018)
If you have two transparent VLANs configured in a group with a connection through a virtual server, under certain circumstances the transparent VLAN group may use its own MAC address. If you encounter this issue, we recommend that you use opaque mode for VLAN groups, especially if you are using any type of delayed binding that requires the BIG-IP system to handle the return packet.
Setup utility and VLAN tag configuration (CR28027)
If you use the Setup utility to configure VLAN tags or add new VLANs with tags and self IPs, and you use the command line utility to modify interfaces after VLAN tags are added, all of the tagged interfaces and associated data (self and shared IPs) are removed from the configuration files. You may need to reconfigure these settings, or use the backup file to restore these settings.
SSL Proxy client auth must use client certificate CA field (CR28028)
When using the Configuration utility to configure an SSL proxy, if you set the Client Certificate field to either request or require, you must also enter a value for the Client Cert CA file field. If you do not enter a value for this field, the Configuration utility does not produce an error message; however, you must enter a value in order for the configuration to work.
global sslhardware failover configuration load time (CR28031)
If you enable global sslhardware failover, the configuration load time may increase dramatically.
Using the Configuration utility to create external health monitors (CR28036)
When you create an external health monitor and include a variable where the value is a string with two variables separated by a comma, the Configuration utility does not set the value of the second variable. The Configuration utility separates the two variables at the comma and sets the value of the first variable in the string only. If you use the command line utility to create an external health monitor, values for variables separated with a comma in the string are set correctly.
Nokia NetAct feature (CR28039)
Please note that when you apply this upgrade, if you are using the Nokia NetAct feature, the old /etc/snmptrap.conf file is used. The Nokia NetAct feature uses an extended format of this file. If you want to use the Nokia NetAct feature, after you apply the upgrade you must modify the /etc/snmptrap.conf file. You should use /etc/snmptrap.conf.example as a template for modifying the snmptrap.conf file.
MSRDP persistence (CR28050)
You cannot set MSRDP persistence using the Configuration utility. If you want to set MSRDP persistence, we recommend that you use the command line utility to configure this feature.
Reconfiguring the BIG-IP system using the Setup utility (CR28116)
If you use the Setup utility to configure multiple gateways or VLANs, we recommend that you reboot the BIG-IP system before you run the Setup utility a second time. Rerunning the Setup utility without rebooting, when multiple gateways or VLANs are configured, may cause the BIG-IP system to become unstable.
Duplicate IP address issues on redundant pairs with floating self-IP addresses (CR28124)
If you have a pair of units in a BIG-IP redundant system, you may experience duplicate IP addresses on the active unit when you perform a config sync under the following conditions:
- You configure a floating self-IP address on an IP network where non-floating self-IP addresses have not yet been configured.
- You configure a monitor for a node on this new IP network.
If you are using this type of configuration, we recommend that you configure a non-floating self-IP address on both units for each network.
Incorrect product version in log files (CR28133)
The BIG-IP system log files may report the incorrect version of the product. This has no effect on the functionality of the BIG-IP system. To view the correct product version, type cat /VERSION at the command line.
ICMP pings through a SNAT (CR28148)
When a client pings ICMP through a SNAT, if another client behind the BIG-IP system pings ICMP through the same SNAT, the second client receives both ICMP replies.
Duplicate node UP messages in the log table (CR28194)
In certain circumstances you may see duplicate node UP messages in the log table (/var/run/alarm_log_tbl). You can ignore these messages; they do not affect the function of the BIG-IP system.
Error message during boot sequence (CR28276)
When you start the BIG-IP system, you may see the error, WARNING: conflict at irq 12. You can ignore this message, as it has no effect on the function of the BIG-IP system.
PXE installation (CR28313)
In rare instances, using a notebook computer to perform PXE installations of BIG-IP software causes corruption on the notebook computer hard drive. If you are using a notebook computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you back up any important data stored on the notebook computer hard drive.
Adding a monitor using the Configuration utility (CR28333)
When you use the Configuration utility to add a monitor that contains the string Authorization: Basic {anything here}, the Configuration utility may not load the Authorization portion of the string.
cpio command (CR28365)
The cpio command is not available in 4.5 versions of the BIG-IP software.
SSL proxy with delayed binding (CR28408)
When you are using SSL proxy with delayed binding enabled, the proxy may retransmit packets too quickly.
Creating VLANs using the command line utility (CR28429)
When you use the command line utility to create VLANs, the VLAN names cannot exceed 12 characters. The manual incorrectly states that VLAN names may be up to 15 characters in length.
Using the b verify command to check for errors (CR28451)
If you use the b verify command after editing the bigip.conf file, the b verify command does not properly detect misspellings or syntax errors. If you attempt to load a bigip.conf file that has a misspelling or syntax error, the BIG-IP system does not function until you correct the error and reload the bigip.conf file.
Possible tcpdump buffer overflow with badly formed NFS packets (CR28492)
Versions 3.7.1 and earlier of tcpdump contain a buffer overflow that may be triggered by badly formed NFS packets. Other types of packets may also trigger the buffer overflow.
Proxy connection limits (CR28498)
When you set the connection limit for proxyd, and the proxy connection limit is reached, the proxy incorrectly continues to accept new connections. Once the connection limit is reached, the proxy should stop accepting new connections. Connections do not successfully complete until the number of connections drops below the configured connection limit.
iRules with Windows Media9 connections (CR28543)
If you use an iRule to parse and persist Windows Media9 connections with the logging option enabled, log messages may be displayed on both the client's initial connection and on follow up connections for content from the Media Server.
bigpipe commands that contain invalid trailing arguments (CR28581)
If you type a bigpipe command that contains an invalid trailing argument, the bigpipe utility produces a syntax error, but may run the command anyway. In this situation, the command should fail.
Intel GIG Cu network interface card driver settings (CR28597)
The Intel Gig Cu NIC driver currently supports only auto negotiation. You cannot select the port media type setting.
Remote authentication configuration (CR28598)
In some cases, when you configure remote authentication, the config utility may fail to perform a standard IP address check. If this happens, httpd.conf may fail when the system restarts.
Self IP address configuration (CR28601)
When you configure a VLAN and a self IP address, the system allows you to use 255 as the last octet of the self IP address. We do not recommend that you use this value.
Configuring SIP persistence (CR28628)
If you use the command line utility to configure SIP persistence, you may receive a syntax error. Instead, we recommend that you use the Configuration utility to configure SIP persistence. Note: when you use the Configuration utility to configure SIP persistence, you must enter a valid timeout entry. Invalid timeout entries may cause the BIG-IP system to use an incorrect timeout value.
SIP persistence and out-of-order UDP fragments from Linux systems (CR28637)
If you have SIP persistence configured, the BIG-IP system does not handle out-of-order UDP fragments from Linux systems correctly.
Lock up during installation (CR28646)
In extremely rare instances, the BIG-IP system may lock up when you install an upgrade of the BIG-IP software. This issue occurred only on the SMP kernel.
BEA WebLogic Server support (CR28656)
The wlnode function does not currently work with BEA WebLogic Server™.
Duplicate inode allocation error messages (CR28659)
In rare instances, the BIG-IP system creates a core file when the ffs_valloc() function allocates an inode data structure in a file system that has already been allocated. The duplicate allocation error may cause the BIG-IP system to become unstable.
Media duplex settings (CR28823)
If you are upgrading to the BIG-IP software version 4.5x from software version 4.1.1, the syntax for media duplex settings is not updated correctly. It may be necessary for you to reconfigure these settings.
Self IP and VLAN configuration changes (CR28831)
Static routes are not updated automatically when the IP address or VLAN configuration changes, unless the configuration is reloaded. If you use the Configuration utility to make changes to the self IP or VLAN configuration, the default route and any static routes may become invalid. If this occurs you need to reload the static routes. To reload the static routes stored in the /config/routes file, use the b load command, or reboot the BIG-IP system. For more information, see AskF5 Solution 2317 on the AskF5 website, http://tech.f5.com.
bigpipe bigstat and bigpipe bigstat -bigip commands (CR29011)
The bigpipe bigstat and bigpipe bigstat -bigip commands do not function correctly in BIG-IP version 4.5x.
BIG-IP 2400 IP Application Switch platforms (CR29087)
If you use the bigpipe load command on the BIG-IP 2400 IP Application Switch platform, the system statistics return to zero and remain at zero.
sudo utility (CR29135)
The sudo utility allows a user with non-root permissions to execute root functions (as a superuser) from the command line. The sudo utility permissions are set incorrectly in 4.5x versions of the BIG-IP software. In order to use the sudo utility, you must set the permissions on the binary to 4011. For more information on how to configure the sudo utility, review Solution 519 (SOL519) on the AskF5 website, http://tech.f5.com.
Diffie-Hellman and proxyd (CR29193)
The DH (Diffie-Hellman) key exchange protocol does not currently work if you configure an SSL proxy.
nexthop network address (CR29265)
The BIG-IP system incorrectly calculates the nexthop network address by adding the nexthop address and the translation address netmask. It should be calculated by adding the nexthop address and the nexthop netmask.
VLAN configuration (CR29291)
If you use the Configuration utility to configure a VLAN, and you do not select an interface, the VLAN is not saved. You must select a VLAN interface in order for the VLAN to be saved.
BIG-IP 2400 IP Application Switch platforms (CR29312)
Statistics for BIG-IP 2400 IP Application Switch platforms may be incorrect.
Forwarding non-IP traffic through VLAN groups and redundant systems (CR29334) (CR29806)
We introduced the ability to forward non-IP traffic through VLAN groups in BIG-IP version 4.5 PTF-04, and the functionality was enabled by default. When this functionality is enabled, the BIG-IP system also forwards non-IP traffic through both the active and standby units in a redundant system, which can result in a bridge loop. To mitigate this known issue, in this release (version 4.5 PTF-08), we are changing the default setting so that the functionality is disabled by default. If you understand the current limitations of this feature, and want to enable the feature, see Forwarding non-IP traffic through VLAN groups and redundant systems in the Workarounds for known issues section.
User permissions and upgrading from 4.2x (CR29337)
If you are upgrading from a 4.2x version of the BIG-IP software, and you have added additional users to the BIG-IP system configuration using vipw, user permissions are reset to their default states.
SNAT pool statistic integers (CR29407)
SNAT pool statistic integers may be incorrect.
snmpdca command line utility help (CR29421)
The /usr/local/lib/pingers/snmpdca -h help command displays error messages for snmpget.
Naming pools (CR29470)
If you use the Configuration utility to create a pool, and you assign the new pool the same name as an existing pool, the existing pool is overwritten. You can avoid this issue by assigning a different name for each pool that you create.
Client-side cookie insertion (CR29475)
Client-side cookie insertion may fail if the BIG-IP system receives packets with missing segments on the server-side.
D51 interface media type (CR29602)
If you have a D51 BIG-IP system, the bigpipe interface 2.2 media command returns an inaccurate media type of 1000BaseTX for a fiber port. The media type should display as 1000BaseSX.
Interface MIB index error message (CR29606)
If you use SNMP lint or an MIB test tool to test the interface MIB, you may encounter an error message indicating that the ifRcvAddressAddress element has no size restriction.
Changing a host name using the Configuration utility (CR29611)
If you use the Configuration utility to change a host name, the httpd.conf file is not automatically updated.
Reboots and /var/log directory filesystem corruption (CR29630)
After 150 and up to 800 hard reboots, the /var/log/ directory may contain corrupt file data.
Reset segments and server-side connections (CR29709)
If a SYN packet was sent from a server through a virtual server to a client, and the client does not answer before the connection timeout is reached, the reaper sends an RST in both directions.
VLAN mirroring (CR29744)
If you are using VLAN mirroring, when you reboot you may notice error messages that indicate that the probe feature is not activated. These messages are incorrect, and have no effect on the BIG-IP system.
Optional OCSP responder values (CR29782)
If you create an OCSP responder definition and assign values to the optional respcert, signcert, and signkey fields, there is no command to delete these definitions. If you need to remove these definitions, you can delete the specific lines from the responder definition in the /config/bigip.conf file.
Connection mirroring on the BIG-IP 2400 platform with hw_acceleration enabled (CR29850)
If you have a BIG-IP 2400, connection mirroring does not work correctly with hw_acceleration enabled. In order for connection mirroring to work, we recommend that you set hw_acceleration to none.
Dynamic ratio load balancing and IIS6.0 Windows 2003 Server (CR30072) (CR30073) (CR30074)
If you need to use dynamic ratio load balancing, we recommend that you configure dynamic ratio through SNMP. Due to compatibility issues, you must configure redirection on the Microsoft® Windows® Internet Information Services (IIS) 6.0 webserver (which is part of the Microsoft® Windows® 2003 server product) without the aid of F5 Networks software. The BIG-IP system does not currently support the following functionality on IIS 6.0 webserver:
- Real Media monitor
- Dynamic Ratio Load Balancing
- SSL Redirect
Default setting for min_active_members (CR30143)
The default value for min_active_members is incorrect and may cause the BIG-IP system to prioritize traffic incorrectly. The default value for min_active_members is currently set to 0. We recommend that you configure min_active_members to a value of 1 or greater.
FTP data statistics for the origin address (CR30145)
If you configure SNAT for servers behind the BIG-IP system, and you use FTP from the server in order to transfer data, the statistics for the translation address are correct. However, the FTP data statistics for the origin address are incorrect.
Reset All SNATs control (CR30147)
If you are using the Configuration utility and you select Reset All SNATs on the SNAT Statistics screen, the statistics for the translation address are not cleared. You must clear the values for the translation address statistics separately.
automap default SNAT and VLAN configuration (CR30153) (CR30585)
The automap default SNAT does not allow you to disable VLANs. If you attempt to disable VLANs on the automap default SNAT, you receive an error message.
STP interfaces add all command (CR30259)
The bigpipe STP interfaces add all command adds all members of a trunk to the STP domain. This command should only add the controlling member of a trunk to an STP domain. In addition, if you manually add non-controlling members of a link-aggregated trunk to an STP domain, you do not receive a warning message.
Unlicensed system and error messages during boot cycle (CR30288)
You may see the following error message when you are booting a system that is not yet licensed:
Initialized Watchdog: TYAN SUPER I/O /config/bigip_base.conf: "Probe control features are not available." in line 262
The message is benign, and does not affect system functionality.
Memory usage statistics and the bigpipe ms command (CR30323)
The bigpipe ms command inaccurately reports the memory usage percent when you have also set high-water and low-water reaper values. The command reports a memory usage percent that is much lower than the actual memory usage percent.
BIG-IP web server resources and multiple simultaneous users (CR30327)
If a large number of users are logged into the Configuration utility at the same time, the Configuration utility may not function properly because the web server's resources are overextended. To avoid this issue, you can set the MaxClients option to 32 or lower, in the /config/bigconfig/httpd.conf file.
Generating key/cert pairs and domain name format (CR30343)
In the Configuration utility, when you try to generate a key/cert pair for a domain name that starts with an integer (for example, 222domain.com), the BIG-IP system generates an error, and does not create the key/cert pair. To work around this issue, you can import an existing certificate. Alternately, you can generate the key/cert pair from the command line. First, run the genconf command and provide the requested information. Next, run the genkey <cert filename> command, where <cert filename> is the name of the certificate that you are creating.
SSL persistence mirroring and the failback mechanism on a redundant system (CR30349)
When a redundant system experiences a failover and then a failback (the active unit goes to standby and then back to active), the system does not properly retain the SSL persistence record on the failback mechanism. Note that the system properly retains the SSL persistence record on the initial failover.
Viewing pool member statistics on BIG-IP 2400 IP Application Switch platforms (CR30498)
When you run the following bigpipe command, b virtual <address> show, on a BIG-IP system with full Packet Velocity ASIC (PVA) acceleration, the command does not display incremental updates to the virtual server's statistics. If you are running the BIG-IP system with full PVA acceleration, you can view the incremental updates either by viewing them in the Configuration utility or by using the following bigpipe command: b node <address> show.
Redundant systems and software upgrades from BIG-IP version 4.2 to BIG-IP version 4.5 and later (CR30500)
When you upgrade a standby unit from BIG-IP version 4.2 to BIG-IP version 4.5 and later, the unit is unlicensed for a brief time. During the time that the unit is unlicensed, it may change from standby to active.
The bigpipe pool modify fallback command and specifying URIs (CR30505)
When you specify a host and a URI path in the bigpipe pool <poolname> modify fallback command, the command fails. However, if you specify only a host and no URI path, the command works as it should. For example, the following syntax, which specifies only a host address (192.1.1.1), works:
bigpipe pool <poolname> modify { fallback http://192.1.1.1 }
The following syntax, which specifies both a host and a URI, does not work:
bigpipe pool <poolname> modify { fallback http://192.1.1.1/index.html }
Configuring port mirroring and using an interface that has traffic (CR30544)
If you are configuring port mirroring on your BIG-IP system, you cannot configure a port that has any traffic whatsoever on it as the mirror-to port.
bigpipe monitor command (CR30600)
You receive a syntax error if you use both <ip addr>:<service> and <ip addr> in the IP list for the bigpipe monitor command <ip list> <enable | disable>.
SSL proxy source IP address (CR30601)
If you configure a target server with SSL proxy, SNAT automap does not change the source IP address. In addition, if the BIG-IP proxy is not included in the return path, the original virtual server address is not substituted, causing the client to reject the response.
ICMP ping fragments (CR30731)
The BIG-IP system handles ICMP ping fragments inconsistently.
IP Application Switch statistics reporting (CR30917)
In an IP Application switch platform, the b interface show command does not show all input errors and dropped frames on the switch platforms.
Configuration utility statistics (CR31009)
The Configuration utility statistics for Max Conn Deny and Memory Usage are inaccurate. We recommend that you use the command line utility to view these statistics.
HTTPS monitor (CR31053)
In certain cases, when the BIG-IP system receives very large requests, the HTTPS monitor may fail to find the receive rule string.
Log message after upgrade (CR31058)
When you upgrade your BIG-IP system, and you reboot the system, you may see the following log message:
bigapi_unit_mask fails Specified unit mask incorrect
This log message is incorrect and has no effect on the BIG-IP system.
Using a certain virtual address/port combination (CR31104)
If you configure a certain IP address:port for a virtual server and the same IP address/port combination for a pool member in the virtual server, it may cause system instability.
Global health checking (CR31153) (CR28014)
Global health checks on the BIG-IP system have been increased. If your configuration requires more than 512 health checks, please contact support for assistance.
BIG-IP 2400 IP Application switch platforms (CR31605)
For BIG-IP 2400 IP Application switch platforms, if you make configuration changes and there is no self IP address configured, the BIG-IP system does not perform hardware load balancing.
Mapping requests to nodes using classes (CR31688)
If you create a class that has strings to map on the left and node specifications on the right, and you are using select mapclass2node to map requests to nodes, if the node specification has strings, the BIG-IP system will load balance the connection instead of selecting the node associated with the matched string.
Unreachable NAT address may cause errors (CR31893)
The BIG-IP system may generate ICMP unreachable messages containing the internal NAT origin address for packets that are sent to the NAT target address when the origin address cannot be reached.
64 bit SNMP counters (CR32179)
Only IP Application Switch platforms currently support 64 bit SNMP counters.
MAC addresses (CR32245)
When the bigpipe global auto_lasthop variable is enabled (default setting), the BIG-IP system does not respond to clients or servers with MAC addresses that match the pattern: xx:xx:00:00:00:00 and xx:xx:ff:ff:ff:ff.
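A check for the address patterns in CR32245, as an added example that is not F5 code: it normalizes hardware addresses from an inventory or ARP listing and reports the ones whose last four octets are all 00 or all ff. The function names and the sample hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code): find MAC addresses that match the
# xx:xx:00:00:00:00 or xx:xx:ff:ff:ff:ff patterns described in CR32245.

# normalize_mac MAC
# Prints the address as 12 lowercase hex digits, or returns 1 if it is malformed.
# Accepts ':' or '-' separated octets (with or without leading zeros, as some
# arp implementations print them), dotted groups of four digits, or 12 bare digits.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/-/:/g')
    out=""
    case "$mac" in
        ''|*[!0-9a-f:.]*|*:)
            return 1 ;;
        *:*)
            old_ifs=$IFS
            IFS=:
            set -- $mac            # split into octets on ':'
            IFS=$old_ifs
            [ "$#" -eq 6 ] || return 1
            for octet in "$@"; do
                case "$octet" in
                    [0-9a-f])          out="${out}0${octet}" ;;  # pad "b" to "0b"
                    [0-9a-f][0-9a-f])  out="${out}${octet}" ;;
                    *)                 return 1 ;;
                esac
            done ;;
        *.*)
            case "$mac" in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9a-f][0-9a-f][0-9a-f][0-9a-f])
                    out=$(printf '%s' "$mac" | tr -d '.') ;;
                *)
                    return 1 ;;
            esac ;;
        *)
            [ "${#mac}" -eq 12 ] || return 1
            out=$mac ;;
    esac
    printf '%s\n' "$out"
}

# lasthop_affected MAC
# Returns 0 if the last four octets are all 00 or all ff (any first two octets),
# 1 if the address does not match, 2 if the address cannot be parsed.
lasthop_affected() {
    norm=$(normalize_mac "$1") || return 2
    case "$norm" in
        ????00000000|????ffffffff) return 0 ;;
        *)                         return 1 ;;
    esac
}

# scan_hosts
# Reads "address mac" pairs on stdin. Prints one AFFECTED line per matching
# host and one UNPARSED line per entry that needs a manual look.
scan_hosts() {
    while read -r addr hwaddr _rest; do
        case "$addr" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        rc=0
        lasthop_affected "$hwaddr" || rc=$?
        case "$rc" in
            0) printf 'AFFECTED %s %s\n' "$addr" "$hwaddr" ;;
            2) printf 'UNPARSED %s %s\n' "$addr" "$hwaddr" ;;
        esac
    done
}

# Constructed sample inventory; the addresses are documentation values,
# not taken from the release note.
sample_hosts() {
    cat <<'EOF'
# address      hardware address
192.0.2.10     00:0b:00:00:00:00
192.0.2.11     0:b:ff:ff:ff:ff
192.0.2.12     00-0B-DB-12-34-56
192.0.2.13     000b.0000.0000
192.0.2.14     00:0b:00:00:00
192.0.2.15     02:00:00:00:00:01
EOF
}

sample_hosts | scan_hosts
```

Hosts reported as AFFECTED are the clients or servers that the system would not answer while auto_lasthop is enabled.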
bigpipe node <node_ip>[:<service>] command (CR32273)
If you use the bigpipe node <node_ip>[:<service>] command, the first node is the only node that displays the correct IP address and service.
ARP requests when the target hardware address is not set (CR32366)
When the BIG-IP system configures IP addresses on its interfaces, as it loads its configuration it sends ARP requests for each address to prompt other devices on the network to update their ARP tables for those addresses. If the target hardware address is not set, the BIG-IP system may send redundant information to some devices on the network. This may cause an issue if the network device does not ignore these redundant requests.
MIB walk for more than 12 hours (CR32378)
In certain circumstances, if you run a continuous MIB walk for 12 hours, the SNMP utility may fail.
Hewlett-Packard ProLiant DL380 G3 Server: scanpci does not correctly detect devices in the 100MHz PCI-x slots (CR32476)
The scanpci utility does not correctly detect cards installed in PCI expansion slots 2 and 3 of the Hewlett-Packard® ProLiant DL380 Generation 3 Server platform. The BIG-IP software functions correctly with devices in these slots.
Mirrored connections on a redundant system (CR32771)
When you have connection mirroring enabled on a redundant system, if the BIG-IP system fails over and immediately fails back, mirrored connections may be dropped intermittently during failover.
vlan unique_mac enable (CR32791)
The BIG-IP bigpipe global command vlan unique_mac enable does not work for multiple tagged VLANs that contain an identical tagged interface.
top command (CR32857)
The top command does not report system idle time properly for BIG-IP 2400 IP Application switch platforms in Partial acceleration mode. We recommend that you use the cpu bigip command to find the correct system idle time.
SNAT pool statistics are incorrect (CR32944)
When you use the bigpipe snatpool show command, it displays incorrect statistics.
Clone pools in a proxy configuration (CR33006)
Clone pools do not function correctly when you configure a proxy.
Incorrect node statement in bigip.conf (CR33129)
When you create a pool and associate a monitor with the address of any member of that pool, if you then delete the pool, an incorrect node statement may be saved in bigip.conf. This inaccurate node statement can cause the configuration to fail when loading.
global snat timeout setting (CR33621)
If you configure the global snat timeout setting, it has no effect on the SNAT timeout value.
Retransmitted packets from the server (CR33744)
Under certain very rare circumstances, the BIG-IP system may drop retransmitted packets from the server.
SNMP trap for standby unit during failover (CR33773)
The BIG-IP system no longer issues SNMP trap 40, STANDBY_BIGIP.
Extremely long key and certificate file names (CR33778)
There is currently no enforced limit on the length of key and certificate file names. However, if your certificate or key file names are extremely long, they may display incorrectly in the Configuration utility. In addition, you may receive the following error message, Error 196 -- unable to verify client-side key or cert file.
SNMP BIGIP REBOOT trap (CR33878)
The BIG-IP system does not issue SNMP trap number 44, BIGIP REBOOT.
NTP health monitor UDP source port (CR33920)
The BIG-IP default NTP health monitor uses ephemeral port selection to select the source UDP port. This may cause a source port conflict if the source UDP port is anything other than the RFC designated UDP port 123.
Memory statistics (CR33921)
The memory statistics reported by vmstat and SNMP UCD memAvailReal may not be identical. The SNMP UCD memAvailReal utility reports slightly higher memory statistics than the vmstat utility.
CPU temperature values (CR33922)
If the BIG-IP system is not able to obtain the CPU temperature value, an incorrect CPU temperature value of 255 is reported. This incorrect high value may cause the system to log false CPU temperature warning messages.
FastFlow (Fast Path) and auto_lasthop (CR34142)
If FastFlow (Fast Path) and bigpipe global auto_lasthop are both enabled, any changes you make to the node's MAC address may result in poor performance or hanging connections. If you have this issue, we recommend that you disable auto_lasthop or disable FastFlow (Fast Path) for any virtual servers that refer to pools that contain nodes whose MAC address may change.
Missing software connection table entries on BIG-IP 2400 IP Application Switch platforms (CR34165)
BIG-IP 2400 IP Application switch platforms in partial acceleration mode may prematurely remove software connection table entries for extremely long-lived idle connections, even if the connections still exist in the hardware connection table. Although the system removes the software connection table entry, the hardware still handles the connections correctly. However, these connections do not display when you perform a bigpipe conn dump.
Using the Setup utility to configure duplex settings (CR34267)
If you use the command line Setup utility to configure the duplex settings for BIG-IP system interfaces, the settings may not be saved correctly when you exit the Setup utility.
Unlicensed redundant configurations (CR34609)
If you have a redundant configuration and one of the BIG-IP units is not licensed, and you run the Setup utility on the unlicensed unit, the BIG-IP system automatically activates the shared self IP address.
Support is a reserved keyword (CR34832)
Support is now a reserved keyword. The Configuration utility does not produce an error message if you use the keyword support; however, reserved keywords should never be used for any naming in the BIG-IP system configuration.
MAC masquerade address (CR35223)
If you configure the same MAC masquerade address on two VLANs, when you load the configuration the BIG-IP system does not produce an error message. This configuration is not supported, however, and may cause problems with network devices.
SMP kernel and NIC wx: device timeout (CR35291)
In rare instances, if you have a large configuration and you are using the SMP kernel, the network card may stop processing traffic and a wx<n>: device timeout (where <n> is the number of the network interface card) is displayed. The interface appears as though it is down, or unplugged, and the BIG-IP software is unable to reset it. This issue can occur if you are using the SMP kernel on a D50 or D45 platform, or if your BIG-IP platform has specific Intel® Ethernet cards (all versions of Intel gigabit fiber and copper are affected). Network cards using Intel chips with the following part designations are affected:
82542
82543
82544
To find out whether the BIG-IP system is using the SMP kernel, type the following:
bigpipe summary
If the command returns BIG-IP Mode = UP MODE or SMP MODE, the system is using the SMP kernel.
If you are experiencing this issue, reboot the BIG-IP system to bring the interface down and back up. In most cases, this corrects the issue. If this does not resolve the issue or the issue occurs repeatedly, we recommend that you use the following procedure.
Important: This fix may impact performance.
Use the following steps to disable coalescing:
- Using vi or pico, edit the /etc/boot.default file.
- Add the following to the bottom of the file:
  -wxnointaggr
- Reboot the BIG-IP system.
Telnet and FTP ports (CR35320)
The Configuration utility Advanced Properties screen does not open the Telnet or FTP ports correctly. We recommend that you use the command line utility to open these ports.
bigpipe load command and large configurations (CR35418)
If you use the Configuration utility to make extensive changes to a large configuration, the configuration may fail to load properly when you use the bigpipe load command.
SNMP OID statistics (CR35527)
If you configure a forwarding virtual server, SNMP OID statistics may not work correctly.
The checktrap.pl script and the enterprise OID in traps (CR29481) (CR35534)
When the checktrap.pl script issues traps, it does not send the correct enterprise OID in the trap.
Next-hop selection for nodes (CR35554)
The BIG-IP system may incorrectly determine the next-hop address for nodes accessible only through a gateway.
Interface statistics (CR35606)
The interface statistics collected by the hardware may be cleared prematurely.
Gateway failsafe timeout value (CR35752)
If you configure gateway failsafe and the BIG-IP system does not locate the gateway, the system displays an unusually large negative timeout value.
Static routes on redundant systems (CR35761)
If you have a redundant system, static routes may not be updated properly when the system fails over or when the IP address changes. This may result in static routes that point to the wrong interface, and incorrect interface source addresses stored in routes.
Active/Standby configurations with VLAN groups configured (CR35955)
If you have an active/standby redundant system configuration with a VLAN group configured, broadcast and/or multicast packets bridged through the VLAN group on the active unit may cause the standby unit to dynamically learn MAC addresses on the incorrect ports. When the standby unit becomes active, this behavior can cause the system to drop frames with destination MAC addresses that match incorrectly learned port entries until they expire.
any_ip for virtual servers that share an IP address (CR36237)
If you enable any_ip on a virtual server that points to a pool or rule and then create a new virtual server that uses the same virtual IP address but has any_ip disabled, the BIG-IP system incorrectly disables any_ip on the original virtual server.
Self IP address configuration (CR36291)
In rare instances, the BIG-IP system can become unstable while loading a configuration with a large number of self IP addresses and static routes or when the ifconfig utility is used to configure a self IP address. The BIG-IP system does not support configuring IP addresses with ifconfig. We recommend that you use the bigpipe utility instead.
HTTP or HTTPS monitors (CR36548)
When you use the Configuration utility to create a monitor that inherits properties from either the HTTP or HTTPS monitor templates, and you enter a user name and password for the monitor, an extra \n is written before the HTTP version on the request line.
NTP settings (CR36782)
If you run the Setup utility and you re-configure the NTP settings, you must use the bigstart restart ntpd command in order for your changes to take effect.
Local time zone settings and config.ucs installation (CR36993)
The local time zone setting is not preserved when you install a configuration from a config.ucs file. We recommend that you update this setting using the Setup utility after you install a new configuration.
External monitors and reporting (CR37038)
External monitors may incorrectly list NODE DOWN instead of SERVICE DOWN. In addition, external monitors may incorrectly list the SERVICE DOWN status report instead of the ADDR DOWN status report for node addresses that are unresponsive. This issue does not affect load balancing.
Incorrectly formatted ARP messages (CR37097)
The BIG-IP system responds to incorrectly formatted ARP messages that have incorrect hard and prot sizes. The BIG-IP system should ignore these messages.
External service monitors (CR37118)
External monitors may cause an erroneous SERVICE UP message if they fail to time out prior to the monitor interval value. If you want to avoid this issue, we recommend that you configure an external monitor script timeout that is less than the interval time period in the monitor definition.
Netscape version 4.7.8 and proxy configuration (CR37281)
If you use the Configuration utility and Netscape version 4.7.8 to configure a proxy, you may receive an error. We recommend that you use a different version of Netscape, or a different browser, to configure proxies.
IMAP monitor message number parameter (CR37711)
When you configure an IMAP monitor, if you specify the optional message number (message_num) parameter, the monitor ignores this parameter.
SNAT automap configuration (CR37986)
SNAT automap does not allow unlimited concurrent connections through the SNAT. Instead, it allows the user to create a configuration where a single SNAT can translate to multiple translation addresses (which are also self IP addresses). Because of this, configurations that have only a few automap-enabled IP addresses available on the nexthop network can cause a SNAT to become saturated.
If you have this issue, we recommend that you create a SNAT pool with several IP addresses on the network, and change the default SNAT to reference the SNAT pool. For example, if you have only one automap self IP on the internal VLAN, the system actually saturates the SNAT faster than if you create a standard default SNAT with its own translation IP which is not shared with monitors.
It is important to add enough translation addresses to the SNAT pool to keep the number of concurrent connections per translation address below 32,000. If the number of concurrent connections per translation address goes above this saturation level, there may be a negative impact on performance.
Configuration utility Statistics screens (CR38685)
The Configuration utility Statistics screens incorrectly display 1k bits as 1024 bits, instead of 1000 bits.
Traps and logging (CR39325)
If you configure the system to send out traps, rapid logging may cause the system to drop traps and log messages. This type of rapid logging may occur when you load a configuration of several hundred nodes, at which time the system checks all of the nodes and logs their status. You can avoid this issue by adjusting the log levels for syslog configuration items. In addition, you may want to edit the /etc/snmptrap.conf files and comment out traps that are not important for your configuration.
Using the rule builder to create rules that contain not (CR39364)
The Configuration utility rule builder may incorrectly construct a not rule.
For example, the rule builder may construct the following rule:
if (not http_uri matches_regex "something") { use pool one } else { use pool two }
This syntax is incorrect, causing the rule to select pool two even when you make a query with the URI containing something.
In order for the rule to function correctly, you must edit the rule, including the extra parentheses (), as follows:
if (not (http_uri matches_regex "something")) { use pool one } else { use pool two }
RADIUS authentication log in (CR39371)
When you configure RADIUS authentication, the following sequence may occur:
- The authentication Java applet times out.
- You are prompted to log in again.
- When you enter your name and password, the login prompt displays again.
If this happens, we recommend that you cancel the Java login and continue without it, or close and reopen the browser.
DNS proxy feature (CR39489)
The DNS proxy feature works only if the system is licensed for 3-DNS Controller.
Character limitations when defining LDAP authz model Valid Group List (CR39932)
When you use the Configuration utility to create an LDAP authz model, you can enter invalid characters for the Valid Group List without receiving an error. These invalid characters may prevent the BIG-IP system from loading the configuration. For information on configuring a Valid Group List and the associated valid character set, see AskF5 Solution 3330 on the AskF5 website, http://tech.f5.com.
global auto lasthop and actual path MTU (CR40434)
If you have global auto lasthop enabled (default value), the BIG-IP system does not check the actual path MTU for the route to the host. If the client's path MTU is smaller than the size of the packet sent from the server (or vice versa), the BIG-IP system fails to generate an ICMP unreachable message with the new path MTU value to the server host. The server host uses this value to adjust its path MTU value on the route to the client. To avoid this issue you can disable global auto lasthop.
IP DF settings for layer 7 traffic (CR40435)
For layer 7 HTTP traffic, if the DF (Don't Fragment) bit of the first HTTP response packet is set, the BIG-IP system sets the bit to 0 when it forwards the packet to the client.
Using the Configuration utility to delete a virtual server netmask (CR40561)
If you create a virtual server and use the Virtual Server Advanced Properties screen in the Configuration utility to delete a netmask, the netmask is not deleted. If you want to delete the netmask for a virtual server, we recommend that you use the command line utility.
Header insertion and the GET line (CR40826)
If you configure header insertion and a client sends an HTTP GET line that is less than full, header insertion may fail. This issue is rare, and has been found to occur only with certain versions of Telnet during manual testing. If you experience this issue during manual testing, we recommend that you use a version of Telnet that includes the line by line mode or line mode options.
Network virtual server and proxy configuration (CR40861)
In this release, the system prevents you from incorrectly configuring the same address for a network virtual server and a proxy.
Modifying pools or rules with an active-active configuration (CR41969)
If you have an active-active configuration, and you use either the Configuration utility or the CLI to modify a pool or rule for a virtual server that is associated with unit 2, the system incorrectly changes the ID for unit 2 to unit 1.
UDP statistic counters (CR42917)
UDP statistic counters are not incrementing, and in some cases statistic counters are reset to zero.
Using the Configuration utility to disable network failover (CR43147)
If you use the Configuration utility to disable network failover, the database key is not deleted.
Passing traffic to a NAT or IP forwarding address (CR45527)
The BIG-IP system erroneously drops a packet when the packet matches a wildcard server, but does not match an existing flow, even if IP forwarding is enabled or an appropriate NAT exists.
Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
Workarounds for known issues
The following sections describe workarounds for the corresponding known issues listed in the previous section.
New rule syntax requirements for literal strings (CR27784)
This workaround describes how to modify the rule syntax to use literal strings that are less than 63 characters in length.
The following is an example of a rule which will fail to load because of a literal string that is longer than 63 characters:
if (http_host == "portal.siterequest.com") {
   if (http_uri == "/" or http_uri == "") {
      redirect to "http://%h/portal/server.pt?space=MyPage&cached=true&parentname=Login&parentid=1&userid=2&control=SetPage&PageID=-2"
   }
   else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
      redirect to "http://www.siterequest.com/portalaccount/"
   }
   else {
      use pool Pool1
   }
}
else {
   use pool Pool1
}
For the rule to function correctly, you must change the syntax in the rule to the following:
if (http_host == "portal.siterequest.com") {
   if (http_uri == "/" or http_uri == "") {
      redirect to "http://%h/portal/server.pt" + "?space=MyPage&cached=true&parentname=Login" + "&parentid=1&userid=2&control=SetPage&PageID=-2"
   }
   else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
      redirect to "http://www.siterequest.com/portalaccount/"
   }
   else {
      use pool Pool1
   }
}
else {
   use pool Pool1
}
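As an added example (not F5 code), the following Python script checks a version 4.x rule for the two rule problems described in these notes, the unparenthesized not from CR39364 and the over-long literal from CR27784, and rewrites long literals as concatenations. It assumes a limit of 62 characters per literal, literals without escaped quotes, and that a %h-style expansion should not be split; the sample rule is constructed.

```python
import re

LITERAL = re.compile(r'"([^"]*)"')          # assumes no escaped quotes in literals
BARE_NOT = re.compile(r'\bnot\b(?!\s*\()')  # "not" whose operand is not parenthesized
MAX_LITERAL = 62                            # assumption: "less than 63 characters"


def split_literal(text, limit=MAX_LITERAL):
    """Return text as a '+' concatenation of quoted chunks of at most limit chars."""
    chunks, i = [], 0
    while i < len(text):
        end = min(i + limit, len(text))
        # Precaution (assumption): never cut a %h-style expansion in half.
        if end < len(text) and text[end - 1] == "%" and end - 1 > i:
            end -= 1
        chunks.append(text[i:end])
        i = end
    return " + ".join('"%s"' % c for c in chunks)


def fix_long_literals(rule, limit=MAX_LITERAL):
    """Rewrite each over-long literal in rule as concatenated shorter literals."""
    def repl(m):
        return m.group(0) if len(m.group(1)) <= limit else split_literal(m.group(1), limit)
    return LITERAL.sub(repl, rule)


def lint_rule(rule, limit=MAX_LITERAL):
    """Return (line_number, message) findings for both rule problems."""
    findings = []
    for no, line in enumerate(rule.splitlines(), 1):
        # Blank out literals first so the word "not" inside a string is ignored.
        if BARE_NOT.search(LITERAL.sub('""', line)):
            findings.append((no, "'not' operand is not parenthesized"))
        for m in LITERAL.finditer(line):
            if len(m.group(1)) > limit:
                findings.append((no, "literal of %d characters" % len(m.group(1))))
    return findings


# Constructed sample rule; the pool name and URL are illustrative.
SAMPLE = '''if (not http_uri matches_regex "something") {
    redirect to "http://%h/portal/server.pt?space=MyPage&cached=true&parentname=Login&parentid=1"
}
else {
    use pool two
}'''

if __name__ == "__main__":
    for no, msg in lint_rule(SAMPLE):
        print("line %d: %s" % (no, msg))
    print(fix_long_literals(SAMPLE))
```

Run the check against a rule before loading it; the unparenthesized not is only reported, because adding the parentheses changes which pool is selected and should be reviewed by hand.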
Forwarding non-IP traffic through VLAN groups and redundant systems (CR29806, CR29334)
We recommend that you enable this feature only if you fully understand its current limitations.
To forward non-IP traffic through VLAN groups
- Enable non-IP traffic forwarding by typing the following command:
  echo "b internal set vlangroup_nonip = 1">>/config/routes
- If you have a redundant system, type the following command to update the peer unit:
  b configsync all
- Reboot the BIG-IP system.
The non-IP traffic forwarding feature is now enabled, and the BIG-IP system will forward non-IP traffic through VLAN groups, and through both the active and the standby units in redundant systems.