Applies To:
BIG-IP versions 1.x - 4.x
- 4.6.2
Updated Date: 04/18/2019
Summary:
This release note documents version 4.6.2 of the BIG-IP® software. You can apply the software upgrade to version 4.5 and later. For information about installing the software, please refer to the instructions below.
F5 now offers both maintenance-only and new feature releases. Version 4.6.2 is a feature release that is based on version 4.5.10 code. This release includes all features and fixes included in versions 4.5.10 and 4.6.1. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.
Warning: This is a feature release, not a maintenance release. Unless you need specific features that are new to this feature release, please upgrade to the latest maintenance release instead.
Minimum system requirements and supported browsers
The minimum system requirements for this release are:
- Intel® Pentium® III 550MHz processor
- 256MB disk drive or CompactFlash® card (if you have the 3-DNS module, you need a 512MB disk drive or CompactFlash® card)
- 256MB RAM
The supported browsers for the Configuration utility are:
- Microsoft® Internet Explorer 5.0, 5.5, and 6.0
- Netscape® Navigator 4.7x
Note: The IM package for this release is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this release.
Supported platforms
This release supports the following platforms:
- F35
- D25
- D30
- D35 (BIG-IP 520 and 540)
- D39 (BIG-IP 1000)
- D44 (BIG-IP 2400)
- D45 (BIG-IP 2000)
- D50 (BIG-IP 5000)
- D51 (BIG-IP 5100 and 5110)
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Installing the software
Important: Before you run the Configuration utility to configure the unit, you must complete the authorization and licensing process. (For details, see the Activating the license section of the BIG-IP version 4.5 Release Note.) If you do not obtain a license before you run the Configuration utility, the system may behave in an unexpected manner.
Important: If you are upgrading a BIG-IP redundant system, you must upgrade both units. We do not support running different versions on a BIG-IP redundant system.
Important: If you are upgrading an IP Application Switch or a BIG-IP system that uses a CompactFlash® media drive, use the installation instructions here.
Note: In rare instances, using a notebook computer to perform PXE installations of BIG-IP software causes corruption on the notebook computer hard drive. If you are using a notebook computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you first back up any important data stored on the notebook computer hard drive.
The following instructions explain how to install the BIG-IP software, version 4.6.2 onto existing systems running version 4.5 and later. The installation script saves your current configuration.
- Go to the Downloads site and locate the BIG-IP 4.6.2 upgrade file, BIGIP_4.6.2_Upgrade.im.
- Download the software image and the BIGIP_4.6.2_Upgrade.md5 file.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
- If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.
- Check the md5 of the upgrade file by typing the following command:
md5 BIGIP_4.6.2_Upgrade.im
cat BIGIP_4.6.2_Upgrade.md5
The two md5 values should be identical.
- Install this PTF by typing the following command:
im BIGIP_4.6.2_Upgrade.im
The BIG-IP system automatically reboots once it completes installation.
To upgrade an IP Application Switch or a BIG-IP system that uses a CompactFlash media drive, use the following process.
- Create a memory file system by typing the following command:
mount_mfs -s 200000 /mnt
- Change your directory to /mnt by typing the following command:
cd /mnt
- Go to the Downloads site and locate the BIG-IP 4.6.2 upgrade file, BIGIP_4.6.2_Upgrade.im.
- Download the software image and the BIGIP_4.6.2_Upgrade.md5 file.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
- If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.
- Check the md5 of the upgrade file by typing the following command:
md5 BIGIP_4.6.2_Upgrade.im
cat BIGIP_4.6.2_Upgrade.md5
The two md5 values should be identical.
- Install this PTF by typing the following command:
im /mnt/BIGIP_4.6.2_Upgrade.im
The BIG-IP system automatically reboots once it completes installation.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
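The md5 comparison from the two installation procedures above, scripted so that the shell compares the values instead of the operator. This is an added example, not part of the F5 release note: the function names and the script name are illustrative, and it assumes the .md5 file contains the digest as a 32-character hex string in either BSD or GNU layout.

```shell
#!/bin/sh
# Added example (not F5 code): verify an upgrade image against its .md5 file
# before running im. Hypothetical script name: verify_image.sh
# Assumption: the .md5 file carries the digest as a 32-hex-character field,
# e.g. "MD5 (file) = <hex>" (BSD md5) or "<hex>  file" (GNU md5sum).

# Print the first whitespace-separated field on stdin that is exactly
# 32 hex digits, lower-cased. Prints nothing if no such field exists.
extract_md5() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (length($i) == 32 && $i ~ /^[0-9A-Fa-f]+$/) {
                print tolower($i)
                exit
            }
    }'
}

# Compute the MD5 digest of a file with whichever tool the host provides.
compute_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 "$1" 2>/dev/null | extract_md5
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" 2>/dev/null | extract_md5
    else
        return 127
    fi
}

# verify_image <image> <md5 file>
# Returns 0 on match, 1 on mismatch, 2 when a digest cannot be obtained.
verify_image() {
    image=$1
    sumfile=$2
    if [ ! -r "$image" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $image or $sumfile" >&2
        return 2
    fi
    expected=$(extract_md5 < "$sumfile") || expected=""
    actual=$(compute_md5 "$image") || actual=""
    if [ -z "$expected" ] || [ -z "$actual" ]; then
        echo "could not obtain both digests" >&2
        return 2
    fi
    if [ "$expected" = "$actual" ]; then
        echo "OK: $image matches $sumfile ($actual)"
        return 0
    fi
    echo "MISMATCH: $sumfile says $expected, computed $actual" >&2
    return 1
}

# Run the check only when called with an image and an .md5 file, e.g.
#   sh verify_image.sh BIGIP_4.6.2_Upgrade.im BIGIP_4.6.2_Upgrade.md5
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2" || exit $?
fi
```

Run im only when the script exits 0. A match confirms the file reached the BIG-IP system intact; because the .md5 file is fetched from the same site as the image, it does not by itself authenticate the image.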
Activating the license
Once you install the upgrade and connect the unit to the network, you need a valid license certificate to activate the software. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.
The registration key is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license.
The dossier is obtained from the software, and is an encrypted list of key characteristics used to identify the platform.
You can obtain a license certificate using one of the following methods:
- Automatic license activation
You perform automatic license activation from the command line or from the web-based Configuration utility of an upgraded unit. This method automatically retrieves and submits the dossier to the F5 license server, as well as installs the signed license certificate. In order for you to use this method, the unit must be installed on a network with Internet access.
- Manual license activation
You perform manual license activation from the Configuration utility, which is the software user interface. With this method, you submit the dossier to, and retrieve the signed license file from, the F5 license server manually. In order for you to use this method, the administrative workstation must have Internet access.
Note: You can open the Configuration utility using either Netscape Navigator 4.7x, or Microsoft Internet Explorer 5.0, 5.5, or 6.0.
To automatically activate a license from the command line for first time installation
- Type the user name root and the password default at the logon prompt.
- At the prompt, type license. The following prompts display:
IP:
Netmask:
Default Route:
Select interface to use to retrieve license:
The unit uses this information to make an Internet connection to the license server.
- After you type the Internet connection information, continue to the following prompt:
The Registration Key should have been included with the software or given when the order was placed. Do you have your Registration Key? [Y/N]:
Type Y, and the following prompt displays:
Registration Key:
- Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.
- You are asked to accept the End User License Agreement.
The system is not fully functional until you accept this agreement.
- You are prompted to reboot the system. Press Enter to reboot.
The system is not fully functional until you reboot.
To automatically activate a license from the command line for upgrades
- Type your user name and password at the logon prompt.
- At the prompt, type setup.
- Choose menu option L.
- The following prompt displays:
Number of keys: 1
If you have more than one registration key, enter the appropriate number.
- The following prompt displays:
Registration Key:
Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.
- When you are finished with the licensing process, type the following command to restart the services on the system:
bigstart restart
To manually activate a license using the Configuration utility
- Open the Configuration utility according to the type of BIG-IP unit you are licensing:
- If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.
- If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the unit's local area network.
- Type the user name and password, based on the type of BIG-IP unit you are licensing:
- If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.
- If you are licensing a new BIG-IP system, type the user name root, and the password default at the logon prompt.
The Configuration utility menu displays.
- Click License Utility to open the License Administration screen.
- In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Manual Authorization.
- At the Manual Authorization screen, retrieve the dossier using one of the following methods:
- Copy the entire contents of the Product Dossier box.
- Click Download Product Dossier, and save the dossier to the hard drive.
- Click the link in the License Server box.
The Activate F5 License screen opens in a new browser window.
- From the Activate F5 License screen, submit the dossier using one of the following methods:
- Paste the data you just copied into the Enter your dossier box, and click Activate.
- At the Product Dossier box, click Browse to locate the dossier on the hard drive, and then click Activate.
The screen returns a signed license file.
- Retrieve the license file using one of the following methods:
- Copy the entire contents of the signed license file.
- Click Download license, and save the license file to the hard drive.
- Return to the Manual Authorization screen, and click Continue.
- At the Install License screen, submit the license file using one of the following methods:
- Paste the data you copied into the License Server Output box, and click Install License.
- At the License File box, click Browse to locate the license file on the hard drive, and then click Install License.
The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
- Click License Terms, review the EULA, and accept it.
- At the Reboot Prompt screen, select when you want to reboot the platform.
License activation is complete only after rebooting.
To automatically activate a license using the Configuration utility
- Open the Configuration utility according to the type of BIG-IP unit you are licensing:
- If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.
- If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the unit's local area network.
- Type the name and password, based on what type of BIG-IP unit you are licensing:
- If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.
- If you are licensing a new BIG-IP unit, type the user name root, and the password default at the logon prompt.
The Configuration utility menu displays.
- Click License Utility to open the License Administration screen.
- In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Automated Authorization.
The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
- Click License Terms, review the EULA, and accept it.
- At the Reboot Prompt screen, select when you want to reboot the platform.
License activation is complete only after rebooting.
New features and fixes in this release
This release includes the following new features and fixes.
Monitor instances with identical destinations and different templates (CR14311)
In previous releases it was not possible to create multiple monitor instances with the same destination. (The destination of a monitor instance is derived from the destination address and port of the associated monitor template. If destination address is not specified in the monitor template, the associated node address and port are used.) In this release you can create multiple monitor instances with the same destination, as long as the monitor instances are associated with different monitor templates.
You can use this feature in conjunction with the "port translation on a per-pool basis" functionality to configure monitoring and load balancing to different applications on the same port. For more information, see Monitoring and load balancing to different applications on the same port in the Optional configuration changes section of this release note.
Combining transparent monitors (CR26915)
You can now combine transparent monitors using the logical AND operation.
The system_check tool for IP Application Switch platforms (CR27354)
The system_check script for IP Application Switch platforms is disabled by default in this release. This change does not affect existing configurations. If system_check is enabled, the script remains in an enabled state when you upgrade to this version of the BIG-IP software.
System statistics screen (CR28085)
This release includes a System Graph Statistics screen in the Configuration utility that displays statistics about the BIG-IP system in a graphical format so that you can view changes and trends in statistics over time. The System Graph Statistics screen displays statistics including CPU usage, memory usage, throughput, connections per second, and packets per second.
To view the System Graph Statistics screen, in the left pane of the Configuration utility, click Statistics and then click System Graphs. (The System Graphs are not available on the E-Commerce Controller.)
In addition, this release includes new SNMP OIDs including SSL proxy TPS and throughput. The new SNMP OIDs improve performance monitoring for the BIG-IP system using network management software. The new SNMP OIDs replace proxydstats for SSL proxy monitoring.
SNMP version 2c traps (CR28909)
The BIG-IP system now supports SNMP version 2c traps. You can enable this feature using the command line utility. Use the following command to enable this feature:
bigpipe db set Common.Bigip.SNMP.UseV1 = "false"
After you enable or disable this variable, you must stop and restart the checktrap.pl and syslogd utilities. It is important that you start the checktrap.pl utility before you start the syslogd utility.
Note: This release does not support using Nokia traps in conjunction with SNMP version 2c traps. If you enable SNMP version 2c traps and Nokia NetAct, you receive Nokia NetAct version 1 traps only.
Header insertion with selective re-encryption (CR31960)
If you configure a proxy and you have header insertion and selective re-encryption enabled, 206 partial response messages no longer cause application load errors.
ARP requests with incorrect source protocol address (CR34526)
The BIG-IP system no longer uses inactive floating self-IP addresses or virtual server addresses in the source protocol address field for ARP requests. If the system cannot generate an ARP request because there is no usable IP address available on a VLAN, the BIG-IP system logs the following warning message to /var/log/messages:
kernel: arpresolve: no usable src addr on iface: <interface_index>
The system logs this message on BIG-IP systems that have a VLAN configured with only floating self-IP addresses; this type of configuration is not supported.
IBM HS20 Model Type 8832: Watchdog no longer fails to trigger (CR34882)
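To find which interfaces are affected, the warning can be summarised per interface index. The following is an added example, not part of the release note: the function names are illustrative, the sample log lines are constructed, and the timestamp and host prefix assume ordinary syslog layout in front of the message text quoted above.

```shell
#!/bin/sh
# Added example (not F5 code): summarise the arpresolve warning quoted in
# this release note, grouped by interface index.
# Assumption: each line starts with the usual syslog "Mon DD HH:MM:SS host".

# Read syslog lines from the named files (or stdin) and print one line per
# interface index: how often the warning fired and when it was first and
# last seen, in order of first appearance.
arp_src_warnings() {
    awk '
        /kernel: arpresolve: no usable src addr on iface: / {
            idx = $NF                        # interface index is the last field
            stamp = $1 " " $2 " " $3         # syslog timestamp
            if (!(idx in count)) {
                first[idx] = stamp
                order[++n] = idx
            }
            count[idx]++
            last[idx] = stamp
        }
        END {
            for (i = 1; i <= n; i++) {
                idx = order[i]
                printf "iface=%s count=%d first=\"%s\" last=\"%s\"\n",
                    idx, count[idx], first[idx], last[idx]
            }
        }
    ' "$@"
}

# Constructed sample input; host name and the unrelated line are made up.
sample_log() {
    cat <<'EOF'
Apr 18 10:02:11 bigip1 kernel: arpresolve: no usable src addr on iface: 3
Apr 18 10:02:12 bigip1 kernel: unrelated constructed message
Apr 18 10:07:40 bigip1 kernel: arpresolve: no usable src addr on iface: 5
Apr 18 10:15:03 bigip1 kernel: arpresolve: no usable src addr on iface: 3
EOF
}

# Demonstration on the constructed sample. On a BIG-IP system the input
# would be the log file named above: arp_src_warnings /var/log/messages
sample_log | arp_src_warnings
```

Each interface index reported belongs to a VLAN that had no usable source address when the ARP request was attempted, which is the condition the release note describes for VLANs configured with only floating self-IP addresses.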
IBM has issued a firmware update for the IBM eServer BladeCenter HS20 Type 8832 (2.8GHz and up) that resolves the issue that deactivated the watchdog timer in previous releases. The link to the IBM firmware update is: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-45486. The firmware version is 1.07. While it states compatibility with BIOS revision 1.0, we have used only BIOS 1.04 and later in our testing.
Large numbers of concurrent connections with the same SNAT address (CR34952) (CR35007) (CR38200)
The BIG-IP system no longer becomes unstable if more than 63,000 concurrent connections use the same SNAT translation address as their server-side client address.
SNMP trap utility (CR35371) (CR35372)
The BIG-IP system no longer allows arbitrary text to be processed in an insecure fashion by the SNMP trap utility.
Buffering application data and malformed packets (CR36158) (CR38198)
When the BIG-IP system is buffering application data, a very specific malformed packet no longer causes the BIG-IP system to become unstable.
CERT VU#303448 (CR38331)
This release addresses the security issue described in CERT vulnerability note VU#303448, mod_ssl contains a format string vulnerability in the ssl_log() function. For more information on the resolved security issue, see http://www.kb.cert.org/vuls/id/303448
global reaper hiwater and global reaper lowater settings (CR38433)
If you use the command line utility to configure the global reaper hiwater or global reaper lowater settings, the configuration now loads correctly.
RSA SecurID authentication using the Configuration utility
The Configuration utility now includes support for RSA SecurID® authentication, the remote authentication protocol used by RSA ACE/Server® software. RSA SecurID authentication is a two-part authentication mechanism that requires both a user ID and a passcode that changes every 60 seconds. For more information on RSA SecurID authentication, please see http://www.rsasecurity.com/node.asp?id=1156. To configure RSA SecurID authentication, see Configuring RSA SecurID authentication in the Optional configuration changes section of this release note.
Version rollback script
This release includes a rollback script that allows you to return to the previous version of the BIG-IP software after you upgrade. This script is designed to allow you to roll back the software version in instances where you upgrade before you discover that the new version of the software is incompatible with your specific network configuration. You can use the script to return only within the major version (see SOL4476: BIG-IP Software Lifecycle Policy) of the BIG-IP software that was installed on the system prior to the upgrade. Any configuration changes you make after the upgrade are lost when you run the rollback script.
To use the rollback feature you must create a rollback IM package before you upgrade to a different version of the software.
To create a rollback IM package in /var/tmp/rb using the version 4.6.3 mkrb file, use the following procedure:
- Change your directory to /var/tmp by typing the following command:
cd /var/tmp
- Extract the mkrb file from the 4.6.2 upgrade package by typing the following command:
tar C / -xzf BIGIP_4.6.2_Upgrade.im usr/local/bin/mkrb
- Create the necessary rollback files by typing the following command:
/usr/local/bin/mkrb BIGIP_4.6.2_Upgrade.im
This creates an IM package that you can run on the BIG-IP system if you want to return to the previous version of the software. The IM upgrade package you create is located in the /var/tmp/rb directory.
To install the rollback IM package, type the following commands:
cd /var/tmp/rb
im <rollback_im_package_name>.im
Note: If you install the rollback package created by the script and decide that you want to upgrade to a later version of the software in the future, you will need to use the im -force /var/tmp/rb/<rollback_im_package_name>.im command to install the IM package.
SSL Proxy support for non-HTTP protocols
SSL proxy now supports non-HTTP protocols including LDAP over SSL (LDAPS) and Telnet over SSL (TELNETS). You can enable SSL proxy support for these protocols using either the command line utility or the Configuration utility.
To enable support for non-HTTP protocols using the command line, type the following commands:
b global sslproxy serverssl nonhttp enable
b save
To enable support for non-HTTP protocols using the Configuration utility, use the following procedure:
- Click System and then click the Advanced Properties tab.
The Advanced Properties screen displays.
- In the SSL Proxy table, check the serverssl nonhttp enable box.
Clear the box to disable this feature.
Note: The BIG-IP system does not support FTPS.
SSL node monitoring performance enhancements
In previous releases SSL node monitoring had a significant impact on SSL proxy performance. This release includes several SSL node monitoring enhancements which greatly reduce the impact on SSL proxy performance. In addition, there are three new parameters that you can configure in order to increase SSL proxy performance. For information on how to configure the new parameters, see SSL node monitoring performance enhancements in the Optional configuration changes section of this release note.
Persistent connections through nodes at connection limit
In this release you can configure the BIG-IP system to allow persistent connections to continue to be load balanced through a node after the connection limit for the node has been reached. The Persist Override Limit setting is disabled by default. To enable this setting using the command line utility, type the following:
node <node_ip>[:<service>] persist_override_limit enable
To enable this setting using the Configuration utility, check the Persist Override Limit box on the Node Properties screen.
SSL persistence session ID
The bigpipe <pool> persist dump command now displays the SSL session ID along with client connections and their ages.
LDAP monitor security
You can now configure a security attribute for the LDAP monitor. You have the option of selecting SSL, TLS, or none. If you select TLS or SSL, connections to the remote LDAP database are sent over a secure TLS or SSL connection. If you select none, the system connects to the remote LDAP database using an unencrypted connection. To configure this option using the command line utility, specify a security attribute and give it one of three values: ssl, tls, or none. The following is an example of an LDAP monitor with SSL security configured.
monitor ldap {
# type ldap
interval 10
timeout 31
dest *:*
username ""
password ""
base ""
filter ""
security "ssl"
}
To configure this option using the Configuration utility, select ssl, tls, or none from the Security list on the Add Monitor or Monitor Properties screen.
If you have any external LDAPS_pingers in your existing configuration, we recommend that you replace the external LDAPS_pinger instances with LDAP monitors with a TLS or SSL security attribute enabled.
Support for TFTP
This version of the BIG-IP software includes support for TFTP (Trivial File Transfer Protocol, revision 2, RFC 1350) traffic control. TFTP configuration objects must use TFTP port 69.
System health monitor timing
In this release we have improved the algorithm that the BIG-IP system uses to perform health monitoring at offset intervals in order to prevent spikes in CPU consumption.
snmp_dca_base monitor port configuration
The snmp_dca_base monitor now correctly uses the specified port.
SNMP link up/down traps
New SNMP traps are included in this release. Traps are now issued each time a link goes up or down. The new traps are loadBalTrapLinkUp and loadBalTrapLinkDown.
SSL certificate expiration check
This release includes a new utility that checks weekly for SSL certificates that are expired or are about to expire, and logs warning messages in /var/log/bigip. In addition, the system issues two new SNMP traps, loadBalTrapCertExpired and loadBalTrapCertExpiring, for SSL certificates that are expired or are about to expire.
Port translation on a per-pool basis
In this release we have added a configuration option that allows you to enable or disable port translation for specific pools. Port translation uses an alias port that identifies to the external network a specific node managed by the BIG-IP system. In previous releases, the disable port translation option was only available at virtual server level. Port translation for pools is enabled by default.
- To configure port translation at the pool level using the command line utility, use the following syntax:
bigpipe pool <pool_name> translate port [enable|disable]
- To configure port translation at the pool level using the Configuration utility, check the Enable Port Translation box on the Add Pool or Pool Properties screens.
You can use this feature in conjunction with the monitor instances with identical destinations and different templates functionality to configure monitoring and load balancing to different applications on the same port. For more information, see Monitoring and load balancing to different applications on the same port in the Optional configuration changes section of this release note.
Features and fixes released in prior releases
The current release includes the features and fixes that were distributed in prior releases, as listed below. (Prior releases are listed with the most recent first.)
Version 4.6.1
The OpenSSL package has been upgraded to version 0.9.7d (CR33306) (CR33755)
The OpenSSL package has been upgraded to version 0.9.7d. This upgrade addresses several recent security issues with OpenSSL described in Technical Cyber Security Alert TA04-078A. This version addresses CERT vulnerabilities VU#288574 and VU#484726. For more information on the resolved security issues, see http://www.us-cert.gov/cas/techalerts/TA04-078A.html.
The system_check utility (CR34596) (CR34745)
When you run the system_check utility, it no longer incorrectly reports version is incorrect.
String comparisons in rules (CR8717)
When you use a string comparison in a rule, it is case insensitive if you enclose the string expression in a tolower() function and compare it with a lowercase string literal. For example, in the comparison (tolower(http_uri) ends_with "jpg"), where http_uri is the string expression, and "jpg" is the lowercase string literal, the http_uri values JPG, JpG, or jpg, all return a comparison value of true.
Version 4.6
SSL proxy selective encryption (CR23920)
This release provides the option of configuring SSL re-encryption at the pool level. For more information, see the BIG-IP New Features Guide for version 4.6, Chapter 2, SSL Proxy Selective Re-encryption.
Passing ICMP packets through a SNAT (CR25315)
This release includes improvements in the way the BIG-IP system handles ICMP echo replies through a SNAT.
When two clients each send an ICMP echo through a SNAT on the BIG-IP system, the system now routes the ICMP echo replies and the ICMP time exceeded message back to the correct client.
In addition, when the BIG-IP system is configured to perform ICMP monitoring, and a client sends an ICMP echo through SNAT automap on the BIG-IP system, the system now correctly routes replies to either the BIG-IP system or the client, as appropriate.
CRL authentication enhancements (CR27421)
This release includes enhancements to Certificate Revocation List (CRL) functionality, including the addition of CRL management using distribution points, and a configurable update interval that refreshes CRLs at a specified interval. For more information, see the BIG-IP New Features Guide for version 4.6, Chapter 4, CRL Authentication Enhancements.
Node counting (CR28476)
This release includes the active_nodes function, which indicates how many nodes in the pool are available for load balancing. The active_nodes function is useful for configuring rules that send traffic to a particular pool, based on how many nodes are available in that pool. For more information, see the BIG-IP New Features Guide for version 4.6, Chapter 3, Node Counting Rule Function.
SID reuse (CR30941)
SID reuse now works correctly with the SMP kernel.
Optional configuration changes
Once you have installed the software, you can use any of the following new configuration options to update your configuration.
Configuring RSA SecurID authentication
You can now configure an external (remote) RSA SecurID® authentication server to manage user authentication for the BIG-IP system. When you enable RSA SecurID authentication, all users subsequently attempting to log on to a BIG-IP system must enter a user ID and PASSCODE that changes every 60 seconds, which are checked against user data stored on the RSA SecurID authentication server. If the user password and authenticator are found and verified on the RSA SecurID authentication server, the user is authenticated. In the event that authentication fails with an external RSA SecurID authentication server, you can log in with local accounts, such as the root and admin accounts.
Use the following procedure to configure RSA SecurID authentication on the BIG-IP system.
- At the command line utility, type config.
The Initial Setup menu displays.
- Select C to configure remote authentication.
- When prompted whether you want to change your current configuration, type Y to continue.
- You are asked to select the type of remote authentication used on the system. Select either RSA SecurID Authentication (Web UI only) or RSA SecurID Authentication (Web UI) / RADIUS (CLI/iControl) and press Enter.
- Follow the prompts and type Q to quit the Setup utility.
- If you chose to configure RSA SecurID Authentication (Web UI) / RADIUS (CLI/iControl), then you need to type the following db key at the command line:
bigpipe db set Local.Bigip.FTB.authType = "SECURID"
- Once you enable RSA SecurID authentication on the BIG-IP system, you must use the Configuration utility to complete the configuration. Open a browser session, and in the left pane of the Configuration utility, click System Admin.
The User Administration screen displays.
- Click the RSA SecurID® Authentication Configuration link. This link displays only if RSA SecurID authentication is enabled on the BIG-IP system.
The RSA SecurID authentication Configuration screen displays.
- To configure remote RSA SecurID authentication, you need to install the RSA SecurID authentication configuration file on the BIG-IP system. This file is generated on the RSA ACE/Server, and is usually called sdconf.rec. You need to transfer the sdconf.rec file to your Windows system before you can import it to the BIG-IP system.
On the SecurID Configuration screen, click the Browse button to locate the sdconf.rec file, and click Install to config/ace/sdconf.rec to upload the configuration file. For information on generating the sdconf.rec file, please see the ACE/Server documentation included with the ACE/Server.
- Once you upload the sdconf.rec file to the BIG-IP system, you need to restart httpd from the command line. Restart httpd by typing the following command:
bigstart restart httpd
- After you enable RSA SecurID authentication and upload the configuration file, you need to set the authorization level, or role, for each user you want to allow to access the BIG-IP system. Add an account and role for each user in the User Administration screen of the Configuration utility. Since the RSA SecurID authentication server handles the password authentication, you do not need to enter a password for these users. For detailed instructions on setting roles for users, see Chapter 18, Administering the BIG-IP System, in the BIG-IP Reference Guide.
SSL node monitoring performance enhancements
This release includes several SSL node monitoring enhancements which greatly reduce the performance impact on SSL. In addition, there are three new parameters that you can configure in order to increase SSL monitor performance. The following sections describe how to configure the new parameters.
Compatibility mode setting
This release includes a compatibility mode setting that enables multiple workarounds for known issues in the implementation of SSL and TLS. This setting enables the following workarounds:
SSL_OP_MICROSOFT_SESS_ID_BUG
SSL_OP_NETSCAPE_CHALLENGE_BUG
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
SSL_OP_MSIE_SSLV2_RSA_PADDING
SSL_OP_SSLEAY_080_CLIENT_DH_BUG
SSL_OP_TLS_D5_BUG
SSL_OP_TLS_BLOCK_PADDING_BUG
SSL_OP_TLS_ROLLBACK_BUG
SSL_OP_SINGLE_DH_USE
SSL_OP_EPHEMERAL_RSA
SSL_OP_PKCS1_CHECK_1
SSL_OP_PKCS1_CHECK_2
SSL_OP_NETSCAPE_CA_DN_BUG
SSL_OP_NON_EXPORT_FIRST
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
This setting may be required to connect to certain web servers; however, compatibility mode is less secure than normal mode. Compatibility mode is off by default. To enable compatibility mode, include the keyword ssl_compat in the node monitor. The following is a sample node monitor with this feature enabled:
monitor mymonitor {
    # type https
    use "https"
    send "GET /"
    recv "^Ciphers"
    cipherlist "DEFAULT:!3DES"
    clientcert "sslnode.crt"
    ssl_compat
}
Cipher list
The cipher list parameter allows you to specify a customized cipher list for each node monitor. You can use this feature to disable insecure protocols such as SSL2 or expensive symmetric ciphers such as 3DES.
For example, if the client cipher list is "DEFAULT:+SHA:+3DES:!DH", then RC4 and MD5 are given priority over the more expensive 3DES and SHA algorithms. (Diffie-Hellman (DH, ADH and EDH) is not supported by the node monitor in this version of the software.)
To customize the cipher list for a node monitor, include the new cipherlist tuple in the node monitor parameters. The following is a sample node monitor with this feature configured:
monitor mymonitor {
    # type https
    use "https"
    send "GET /"
    recv "^Ciphers"
    cipherlist "DEFAULT:!3DES"
    clientcert "sslnode.crt"
    ssl_compat
}
Client certificate
With this release you can specify a customized client certificate that the BIG-IP system presents during the connection. The client certificate allows you to monitor SSL nodes that require client authentication. The client certificate parameter is the file name or path to the file that contains both a client certificate and the corresponding private key. You can combine existing file pairs in a single file. For example:
# cat cli1.crt cli1.key >> /config/bigconfig/ssl.crt/thecli.crt
Important: Enabling the client certificate feature may negatively impact proxy performance. The client certificate option may cause a potential security issue if you are using the BIG-IP system in an ISP or ASP network where multiple, unrelated customers share the BIG-IP system.
To configure the client certificate parameter, include the clientcert tuple in the monitor. The value can be a full path to a certificate. If you do not specify the full path, the BIG-IP system uses the default path, /config/bigconfig/ssl.crt. The following is a sample node monitor with this feature configured:
monitor mymonitor {
    # type https
    use "https"
    send "GET /"
    recv "^Ciphers"
    cipherlist "DEFAULT:!3DES"
    clientcert "ssl.crt"
    ssl_compat
}
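The three SSL monitor parameters above can be reviewed together across a configuration. The following is an added example, not F5 code: a small Python audit that parses monitor stanzas in the syntax shown above and reports the settings this release note flags. It assumes the cipherlist value follows OpenSSL cipher-string syntax (so that !SSLv2 excludes SSL2 suites); the finding codes, function names and sample stanzas are constructed for illustration.

```python
import re

# Constructed sample in the monitor syntax shown above; not from a real system.
SAMPLE_CONF = """
monitor mymonitor {
    # type https
    use "https"
    send "GET /"
    recv "^Ciphers"
    cipherlist "DEFAULT:!3DES"
    clientcert "sslnode.crt"
    ssl_compat
}
monitor strict_https {
    use "https"
    send "GET /"
    recv "200 OK"
    cipherlist "DEFAULT:!SSLv2:!3DES"
}
monitor plain_https {
    use "https"
    send "GET /"
    recv "200 OK"
}
monitor web {
    use "http"
    send "GET /"
    recv "200 OK"
}
"""

# Default certificate directory stated in the release note.
DEFAULT_CERT_DIR = "/config/bigconfig/ssl.crt"
STANZA_RE = re.compile(r"^monitor\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)


def parse_monitors(text):
    """Return {monitor name: {keyword: value, or True for a bare keyword}}."""
    monitors = {}
    for name, body in STANZA_RE.findall(text):
        attrs = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            attrs[parts[0]] = parts[1].strip('"') if len(parts) > 1 else True
        monitors[name] = attrs
    return monitors


def resolve_clientcert(value):
    """A relative clientcert name is looked up in the default directory."""
    return value if value.startswith("/") else f"{DEFAULT_CERT_DIR}/{value}"


def audit_ssl_monitors(text):
    """Return {monitor name: [(code, detail), ...]} for https monitors only."""
    report = {}
    for name, attrs in parse_monitors(text).items():
        if attrs.get("use") != "https":
            continue
        findings = []
        if attrs.get("ssl_compat") is True:
            findings.append(("SSL_COMPAT",
                             "compatibility mode is less secure than normal mode"))
        cipherlist = attrs.get("cipherlist")
        if cipherlist is None:
            findings.append(("NO_CIPHERLIST", "no customized cipher list is set"))
        elif "!SSLv2" not in cipherlist.split(":"):
            # Assumption: OpenSSL cipher-string syntax, where !SSLv2 removes SSL2 suites.
            findings.append(("SSLV2_NOT_EXCLUDED",
                             f"cipher list {cipherlist!r} does not exclude SSL2"))
        cert = attrs.get("clientcert")
        if isinstance(cert, str):
            findings.append(("CLIENTCERT_KEY_FILE",
                             "file holds a certificate and its private key: "
                             + resolve_clientcert(cert)))
        report[name] = findings
    return report


if __name__ == "__main__":
    for monitor, findings in audit_ssl_monitors(SAMPLE_CONF).items():
        for code, detail in findings:
            print(f"{monitor}: {code}: {detail}")
```
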
Monitoring and load balancing to different applications on the same port
Using the new port translation and monitor enhancements included in this release, the BIG-IP system can now monitor and load balance different applications on the same port. For example, requests for cgi, asp and HTML pages can all be serviced through port 80. However, you may want to monitor the health and limit connections for each of these three applications separately.
You can configure a virtual server that references a rule that directs requests to three different pools. This allows the BIG-IP system to collect separate statistics at the pool and pool member level. With port translation enabled, however, all pool members must reference a node on port 80, and pool members in different pools all point to the same node. Because health monitoring is performed at the node level, and the pool members refer to the same node, members in different pools share the same health state. The same is true of node connection limits.
However, because the virtual port and the actual port on the servers are the same, port translation is no longer necessary. If you disable port translation for each pool you want to monitor, you can change the port of the members in these pools even though traffic through the box continues to have a client destination port of 80. If you change the port for members of some of the pools, separate nodes are created for each pool member. You can select any port numbers: the port numbers that you specify are not important. Once separate nodes are created, it is possible to have separate health states and connection limits.
Using the ability to create monitor instances with the same destination and different monitor templates, you can create monitor instances that monitor port 80, but use three different methods specific to the applications. These monitor instances then set the health state of the nodes which are specific to the application. For example, if the cgi monitor instance with the identifier (1.1.1.2:80:http_cgi) does not receive the expected response to a request, the health state of the associated node with identifier (1.1.1.2:81) is set to DOWN. This causes the BIG-IP system to direct traffic away from the cgi_pool pool member with the identifier (1.1.1.2:81) while regular_pool and asp_pool load balancing remain the same.
Note that the identifier of the monitor instance is derived from its destination and the name of the associated monitor template. The monitor instance destination is derived from the associated template destination. If the template destination is incomplete, the monitor instance destination is derived from the associated node. In the following example, the http_cgi monitor destination is *:80 and the node is 1.1.1.2:81 resulting in a monitor instance destination of 1.1.1.2:80.
Example:
#pools
pool regular_pool {
    member 1.1.1.1:80
    member 1.1.1.2:80
}
pool cgi_pool {
    translate port disable
    member 1.1.1.1:81
    member 1.1.1.2:81
}
pool asp_pool {
    translate port disable
    member 1.1.1.1:82
    member 1.1.1.2:82
}
#rules
rule app_switch {
    if (http_uri ends_with "cgi") {
        use pool cgi_pool
    }
    else if (http_uri ends_with "asp") {
        use pool asp_pool
    }
    else {
        use pool regular_pool
    }
}
#monitors
monitor http_cgi {
    # type http
    use "http"
    interval 5
    timeout 16
    dest *:80
    send "GET /index.cgi"
    recv "200 OK"
    username ""
    password ""
}
monitor http_asp {
    # type http
    use "http"
    interval 5
    timeout 16
    dest *:80
    send "GET /index.asp"
    recv "200 OK"
    username ""
    password ""
}
node 1.1.1.1:80 1.1.1.2:80 use monitor http
node 1.1.1.1:81 1.1.1.2:81 use monitor http_cgi
node 1.1.1.1:82 1.1.1.2:82 use monitor http_asp
virtual 5.5.5.5:80 use rule app_switch
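The identifier derivation described above can be traced in code. The following is an added example, not F5 code: it derives each monitor instance identifier from the template destination and the node, then shows which pool members a failed instance marks down, both for the configuration above and for the shared-node case where port translation is left enabled. The *:* destination for the built-in http template is an assumption (the page does not show it), and the function names are hypothetical.

```python
import re

# Template destinations from the example above. The built-in "http" template's
# destination of *:* is an assumption; the release note does not show it.
TEMPLATE_DEST = {"http": "*:*", "http_cgi": "*:80", "http_asp": "*:80"}

# Node associations and pools copied from the example (port translation disabled).
NODE_LINES = """
node 1.1.1.1:80 1.1.1.2:80 use monitor http
node 1.1.1.1:81 1.1.1.2:81 use monitor http_cgi
node 1.1.1.1:82 1.1.1.2:82 use monitor http_asp
"""
POOLS = {
    "regular_pool": ["1.1.1.1:80", "1.1.1.2:80"],
    "cgi_pool": ["1.1.1.1:81", "1.1.1.2:81"],
    "asp_pool": ["1.1.1.1:82", "1.1.1.2:82"],
}

# Constructed contrast case: port translation left enabled, so every pool
# member refers to the same node on port 80.
SHARED_NODE_LINES = "node 1.1.1.1:80 1.1.1.2:80 use monitor http_cgi"
SHARED_POOLS = {name: ["1.1.1.1:80", "1.1.1.2:80"] for name in POOLS}


def instance_destination(template_dest, node):
    """Fill the incomplete parts of a template destination from the node."""
    t_addr, _, t_port = template_dest.partition(":")
    n_addr, _, n_port = node.rpartition(":")
    addr = n_addr if t_addr == "*" else t_addr
    port = n_port if t_port in ("*", "") else t_port
    return f"{addr}:{port}"


def build_instances(node_lines, template_dest):
    """Map monitor instance identifier -> node whose health state it sets."""
    instances = {}
    for line in node_lines.splitlines():
        match = re.match(r"node\s+(.+?)\s+use monitor\s+(\S+)$", line.strip())
        if not match:
            continue
        template = match.group(2)
        for node in match.group(1).split():
            dest = instance_destination(template_dest[template], node)
            instances[f"{dest}:{template}"] = node
    return instances


def members_marked_down(failed_instance, instances, pools):
    """Pool members that go DOWN when the given monitor instance fails."""
    node = instances[failed_instance]
    return sorted((pool, member)
                  for pool, members in pools.items()
                  for member in members if member == node)


if __name__ == "__main__":
    separate = build_instances(NODE_LINES, TEMPLATE_DEST)
    shared = build_instances(SHARED_NODE_LINES, TEMPLATE_DEST)
    failed = "1.1.1.2:80:http_cgi"
    print("separate nodes:", members_marked_down(failed, separate, POOLS))
    print("shared nodes:  ", members_marked_down(failed, shared, SHARED_POOLS))
```
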
Known issues
The following items are known issues in the current release.
Fan and temperature monitoring with SNMP
SNMP queries for fan speed, CPU temperature, and power supply status are functional for certain platforms. Currently, fan and temperature monitoring is supported only for the following platforms:
- 2000
- 2400
- 5000
- 5100
- 5110
For these platforms, periodic monitoring is enabled automatically. However, the system_check script does affect performance. You can disable the system_check script by commenting out (adding a leading # sign to) the line in /etc/crontab that runs the system_check utility.
This version does not support fan and temperature SNMP monitoring on the following platforms:
- D25
- D30
- F35
- D35 (520 and 540)
Wildcard certificates in the Cert Admin screen (CR17426)
The Cert Admin screen in the Configuration utility currently only allows *.<domain_name> for wildcard certificates. A domain name of *.*.<domain_name> is not supported on the Cert Admin screen.
Upgrading the software and the MindTerm SSH Console (CR18436)
When you upgrade the BIG-IP software from the MindTerm SSH Console, in some cases, MindTerm may hang. This has no effect on the upgrade procedure.
The RADIUS port in /etc/services (CR20136)
Previous releases of this software use the RADIUS port 1645 as the default in /etc/services. This release uses the new IANA RADIUS port 1812.
L2 proxy ARP forwarding exclusion list (CR20647)
In order to prevent the active unit from forwarding ARP requests for the standby unit (or other hosts to which proxy ARP forwarding is not wanted), you can now define a proxy ARP exclusion list. To configure this feature, you can define a proxy_arp_exclude class, and add any self-IPs on the standby and active units to it. The BIG-IP units do not forward ARP requests from the hosts defined in this class.
For example, to create a proxy_arp_exclude class use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }
If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. We recommend that you configure this feature if you use VLAN groups with a BIG-IP redundant system. The reason is that both BIG-IP units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents the original IP address of a packet from being translated by the BIG-IP system. The BIG-IP system forwards traffic directly to the destination.
If you do not configure a proxy ARP exclusion group for systems configured with VLAN groups, you may see problems such as:
- Nodes being marked down for a period of time after a failover
- The inability to access resources through the active BIG-IP unit when there are multiple physical or logical connections to the same VLAN group (especially likely to be noticed when there are multiple connections between the active and standby BIG-IP units)
SNAT automap incompatibilities (CR20801)
Default gateway pools, forwarding virtual servers, and forwarding pools are incompatible with SNAT automap. Configuring a default gateway pool with a forwarding virtual server or a forwarding pool is also incompatible. To work around this incompatibility, you can configure a network wildcard virtual server in front of the SNAT. The wildcard virtual server routes by connection, using the cached routes.
ICMP pings updating MAC addresses for nodes in the ARP table (CR21228)
ICMP pings are not updating the MAC addresses for all nodes in the ARP table. This has no effect on the functionality of the BIG-IP system. The only way to view these entries is to type the command arp -na, which lists the ARP table.
bigpipe proxy show command (CR21750)
The bigpipe proxy show command incorrectly displays accepted connections, as well as queued connections that have not yet been accepted.
Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity™ ASIC does not generate a TCP reset.
Configuring the admin port for node connectivity (CR22599)
We recommend that you do not configure the admin port for node connectivity.
Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.
Gateway failsafe and active-active configurations (CR22728) (CR33581)
The gateway failsafe feature is not currently supported for active-active configurations. If you want to use a similar configuration, we recommend that you configure the VLAN failsafe feature in combination with a default gateway pool.
Log messages during failover (CR23634)
If you have a pair of BIG-IP redundant units, when the BIG-IP system fails over, the following warning messages may be logged to /var/log/bigd.
bigapi_unit_mask fails Invalid message received from kernel
You can disregard these warning messages.
Changing IP addresses on VLANs (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.
TOS or QoS values in FTP data connections (CR24644)
FTP data connections have incorrect TOS or QoS values set in the BIG-IP software. Both values are set to 0.
iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET framework's serialization. For nested structures within arrays, the framework cannot support an empty array represented as a single XML element.
For example, this method does not serialize:
<return type='Array' ArrayType='tns:someType[0]'/>
This method does serialize:
<return type='Array' ArrayType='tns:someType[0]'></return>
SNAT automap and acceleration (CR24959)
On the 2400 platform, if you configure SNAT automap and do not associate the SNAT with a virtual server, the traffic is not accelerated by the Packet Velocity™ ASIC. Note that you can associate the SNAT with a wildcard virtual server to accelerate any SNAT automap traffic.
SSL proxy processes with non-idle connections (CR25080)
Some idle connections may not be closed as long as the SSL proxy continues to receive data within the idle connection timeout, and the server-side connection remains open.
Product Announcement: Content converter feature for Akamai (ARLs) removed from BIG-IP products for EOL (CR25082)
With this release, we are announcing the End-of-Life (EOL) of the content converter feature for converting Akamai ARLs. This applies to all fully licensed BIG-IP products running version 4.5 PTF-04 or later. As a result of this action, newly shipped or upgraded versions of the BIG-IP software no longer include this feature. If you want to continue using this functionality, do not upgrade to this version of the software. If you do plan to upgrade to this version of the software, we recommend that you remove all related configuration information from the bigip.conf file before you upgrade.
The b conn dump verbose command and values for packet counts or byte counts (CR25119)
The bigpipe command, b conn dump verbose, displays incorrect values for packet counts and byte counts.
Configuring a single default gateway member (CR25141)
If you configure only a single default gateway member, that address is configured as the default route. It is not displayed as a default gateway pool.
Simple persistence timers and the 2400 platform (CR25182)
Simple persistence timeout global settings function slightly differently on the 2400 platform than on other BIG-IP platforms. With the 2400 platform, the global mode global persist timer timeout causes the persist timer to be updated every 30 seconds when a connection that references the persist entry is still alive. On other platforms, the persist timer is updated with every packet inbound from the client.
e-Commerce Controller and setting port translation option for wildcard ports (CR25336)
On the e-Commerce Controller only, when you configure a virtual server with a wildcard port (*) using the Configuration utility, the default port translation setting is set to enable instead of disable. Note that this does not occur when you use the bigpipe utility. If you want to configure virtual servers with wildcard ports, and you want to disable the port translation, add the virtual server using the following bigpipe command (rather than using the Configuration utility):
bigpipe virtual <ip_address:0> use pool <pool_name>
Harmless message during configuration (CR25399)
You may see the message startup bigstpd: (pid 169) already running during configuration. This message is harmless.
SNMP: updated the globalAttr* values (CR25429)
This release includes revised globalAttr* values for SNMP. These values include globalAttrOpen3DNSPorts and globalAttrOpenCorbaPorts. For a complete list of the updated descriptions, refer to the MIB.
SNMP OIDs switch platform support (CR25458)
The SNMP OIDs dot1*, dot3*, and limited rmon OIDs are supported only by switch platforms. These platforms include the 1000, 2000, and 5000 series.
SSH access host restrictions configured in /etc/hosts.allow (CR25530)
In previous versions, /etc/ssh3/sshd2_config and /etc/sshd_config controlled SSH access. This upgrade reverts to an SSH access level that allows all hosts to connect. Upgrading to this version ignores previously configured SSH access restrictions configured in /etc/ssh3/sshd2_config and /etc/sshd_config. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once the upgrade has been completed. To do this, type the following command to start the Setup utility and then press Enter:
config
Choose option S (Configure SSH) and set the restrictions you prefer.
Disabling a virtual server that is under heavy traffic load (CR25538)
If you disable a virtual server that is under heavy traffic load, the BIG-IP log may fill the /var partition. To work around this problem, you can configure syslogd to log to a remote system, or you can shut off logging on local0.*. For alternative solutions, contact support.
CPU temperature readings on Tyan 2765 motherboards (Application Switch platforms) (CR25641)
Some older motherboard revisions may incorrectly display CPU too hot messages. For more information about this issue, refer to SOL2116: Error message: CPU too hot!.
Transparent VLAN group mode with FastFlow (Fast Path) acceleration (CR25727)
The transparent VLAN group mode is not accelerated by the FastFlow (Fast Path) feature.
Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.
VLAN names with "vlan" followed by any number of digits cause a syntax error (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text, vlan, as the initial portion of a VLAN name.
Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see (CR25890).
Late binding virtual server with 500 MTU router and large request (CR26025)
If a client sends a large request, greater than 460 bytes, through a router set to 500 MTU, the BIG-IP system does not forward the request to the server.
Switching to a single route configuration if you have a gateway pool in use (CR26143)
If you create a default gateway pool, and then you decide to change to a single route, we recommend that you do not delete the gateway pool even if you change the router configuration so that there is only one router in the pool.
Using 127.0.0.x as a pool member causes the system to lose network connectivity (CR26184)
If you add a node with an IP address of 127.0.0.x to a pool, the system loses connectivity to the network. The only way to reboot the system after this happens is to use the reboot switch. We recommend that you do not add nodes with this address range to a pool.
Changing iControl settings does not restart the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:
bigstart shutdown portal
bigstart startup
LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do not use spaces in the group names.
Generating certificates with OpenSSL after upgrading the software (CR26456)
After you upgrade the software, you may run into issues when you use the OpenSSL command line utility to generate certificates or certificate signing requests (CSRs). If you experience difficulties with this task, run the genconf command to update the openssl.conf file.
SSL proxy down due to error condition (CR26487)
If the SSL proxy is down due to an error condition, the b proxy show command still shows the proxy is enabled.
Proxies configured using the command line and default CRL recognition (CR26515)
When you use the command line interface to configure a proxy, if you do not specify a path for a certificate revocation list (CRL), the default CRL path is ignored and all client certificates are accepted regardless of their status. In order for the proxy to validate certificates properly through CRL, you must define a specific CRL path or file in the proxy. However, if you use the Configuration utility to configure a proxy, the default CRL path is recognized correctly.
Error message for ip_tos values (CR26566)
The valid ip_tos values are 0 - 255 or 65536, which returns ip_tos to a blank state. If you type an invalid value, you see the following incorrect error message: The requested IP TOS value is invalid. [0..65535].
Setting up a virtual server using the command mirror conn disable (CR26601)
If you use the bigpipe command mirror conn disable when you create a virtual server, connection mirroring is enabled. To avoid enabling this variable when you set up a virtual server, do not use the mirror conn disable attribute. If you define a virtual server without the mirror conn enable or mirror conn disable attribute, connection mirroring is disabled.
Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:
/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2
To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file, and change the authtrapenable value to 2 (disable).
Message from /etc/daily script in regards to beholder (CR26612)
When /etc/daily runs, it checks to see if there is a /var/run/beholder.pid file and if it exists, it attempts to rotate the /var/log/rmon.log file. When the rotate log function runs, the following message is logged to /var/log/daily.out for the beholder script:
bigstart: @293: start script beholder not found
Advanced routing modules: terminal settings after exiting vtysh (CR26631)
With the advanced routing modules, after you enter the vtysh router interface, your terminal settings are incorrect. If this problem occurs, type reset to correct the problem.
Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system, it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic cannot pass through the system.
Resetting the statistics and verbose log level 32 (Stat Reset Detail) (CR26822)
The verbose log level 32 (Stat Reset Detail) does not log a message when you reset the statistics.
MSS advertised to backend servers on SSL proxy connections (CR26839)
The BIG-IP system advertises the wrong maximum segment size (MSS) to the backend server if your configuration has an SSL proxy connecting to virtual server on the loopback device (lo0). The advertised MSS respects the MTU of lo0 which is, by default, 4352 (so the resulting MSS is 4312).
Upgrade installation adds node * monitor use icmp to e-Commerce Controller (CR26877)
The BIG-IP 4.5 scratch CD installation adds the following line to the bigip.conf file on the e-Commerce Controller:
node * monitor use icmp
This monitor type is not supported on the e-Commerce Controller.
Setup utility does not preserve MAC masquerade settings (CR26922)
The Setup utility does not preserve MAC masquerade settings. We recommend that you use the bigpipe utility or the web-based Configuration utility to make configuration changes after you have completed your initial setup. However, if you want to use the Setup utility to make changes to the configuration, and you want to preserve the MAC masquerade settings, then after you finish your configuration changes, recreate your MAC masquerade settings with bigpipe or the Configuration utility before you reboot the unit.
Accessing sticky persistence table through iControl (CR26957)
If you have a pool with sticky persistence turned on, and mask set to 255.255.255.0, with a network virtual server, you will not get any records when you attempt to access the data through the iControl methods get_sticky_connection_table or get_persistent_connection_table. To work around this problem, call get_sticky_mask before passing the traffic.
Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.
Key management: displaying BMP and UTF8 strings (CR27049)
The key management system does not properly display BMP and UTF8 strings in certificates.
Resetting statistics on the BIG-IP FireGuard, the BIG-IP Load Balancer, and the BIG-IP Cache Controller (CR27060)
If you use the bigpipe command, b pool stats reset, the BIG-IP FireGuard, the BIG-IP Load Balancer, and the BIG-IP Cache Controller will create a core file. If you use the Configuration utility to reset the statistics these BIG-IP systems may create the same core file.
5000 series with 256 MB Compact Flash and multiple .ucs files (CR27064)
Because of file system size limitations on the 256 MB drive, we recommend that you limit the number of .ucs files you save on the system.
The header erase feature (CR27084)
The header erase feature only looks at the first header. Subsequent headers are not erased.
Changing the virtual server target under load (CR27090)
If you change the virtual server target under load, from a pool to a rule, or a rule to a pool, the system could create a core file.
Misleading message on new installations (CR27091)
If you are installing the software for the first time, you may see the misleading message in /var/log/proxyd:
'proxyd[pid]: No proxies were successfully configured. Exiting.'
This message is benign.
Adding a switch interface to the admin vlan (CR27103)
Adding a switch interface to the admin VLAN causes large volumes of traffic. We recommend that you do not add a switch interface to the admin VLAN.
CompactFlash® media drives and logging for named (CR27132)
When named is running, it generates status and usage messages as part of its normal behavior. If you are running named on a system with a CompactFlash media drive, these messages may fill up the /var/log/ messages directory. To avoid this, periodically delete the status and usage messages for named.
Configuration files with a large number of proxies (CR27159)
Configuration files with a large number of proxies may take a long time to load.
Honoring certain client MSS limits (CR27160)
Under certain circumstances the BIG-IP system may not honor certain client maximum segment size (MSS) limits. This problem is rare and happens only if multiple clients with different MSS limits access the BIG-IP from the same source address through address translation.
Setting the reaper hiwater and reaper lowater values (CR27169)
If you set the reaper hiwater and reaper lowater values to the same number, you do not receive an error message, but the bigip.conf file does not load. In order for the BIG-IP configuration to load properly, reaper hiwater and reaper lowater cannot be set to the same value.
Dynamic ratio load balancing and snmpdca with Counter32 OIDs (CR27202)
If you are using dynamic ratio load balancing with the snmpdca pinger for metrics collection, and you configure an OID that returns type Counter32 (that is, the Windows™ 2000 Server Enterprise OID), the returned data may not be interpreted correctly. As a result, dynamic ratio load balancing does not function properly.
Server-side proxy listening on port 80 with TCP half-close (CR27203)
When you have a proxy configured that is listening on port 80, and you are using server-side SSL, client TCP connections using half-close may not complete properly.
RADIUS server configuration and Netscape (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.
User administration for remote authentication using the Configuration utility (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored and you must click the Done button in order to add a new user.
Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility (setup) does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.
Performance tools exhibit fluctuations in the maximum TPS (CR27297)
An enhancement added to increase SSL performance with large numbers of concurrent connections may cause some performance tools to exhibit fluctuations in the maximum TPS when you use them to perform benchmark tests. For example, when you check SSL performance using the IxWeb tool you may see oscillating SSL performance readings. These variations have very little effect on the actual metric performance.
Setting the open_telnet_port default value (CR27331)
If you have a redundant configuration and you disable open_telnet_port on the active unit before you synchronize the configuration, the configuration file leaves open_telnet_port at its last state (enabled) rather than disabling it. After you load this type of configuration, we recommend that you check the state of the open_telnet_port setting.
SSL performance when running in ANIP mode (CR27333)
When you are running the BIG-IP system in ANIP mode, you may experience a 12-15% decrease in SSL performance. This decrease in performance is due to the addition of OpenSSL version 0.9.7a.
User roles in a redundant system configuration (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is not copied over to the other unit. In order to have the same user roles specified on both units, you must configure this setting on both units in the redundant system.
DoCoMo 2.0 requests (CR27481)
When the BIG-IP system receives a DoCoMo 2.0 request, the BIG-IP system includes everything in the request up to and including the \r in the persistence string. The BIG-IP system should not include the \r in the persistence string.
Also, when you use the bigpipe pool persist dump command, the command prints control characters.
SIP persistence and NAT or SNAT (CR27515)
SIP persistence does not work correctly when you use NAT or SNAT.
iRules and logging (CR27574)
In rare instances when the BIG-IP system is using logging and variable substitution in iRules, the system may display one or two random characters at the end of the correctly displayed log text.
Keeping the system clock and responder clock synchronized (CR27620)
The internal BIG-IP system clock and the responder clock must be synchronized. If they are not synchronized to within 5 minutes of each other, the SSL proxy may hang. In order to keep the clocks synchronized, you can use NTP on the BIG-IP system.
SSL proxy: OCSP status (CR27621)
The status returned from the inserted header ClientCertStatus may display the incorrect error code, error 1, when a certificate is revoked.
SSL proxy: OCSP impact on SSL proxy performance (CR27622)
If you configure the OCSP feature, you may see an impact on SSL proxy performance.
Redundant configurations in active/active mode (CR27639)
When you have a BIG-IP redundant system, with both units in active/active mode, the Configuration utility in certain cases may incorrectly display the self IP as unit 1 when it should be unit 2. This issue does not affect the performance of the BIG-IP system.
Setting media speeds (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the BIG-IP system and the connected switches.
New rule syntax requirements for literal strings (CR27784)
The rules syntax has changed in version 4.5 PTF-04, and there is now a literal string limit of 63 characters. If you have previously configured rules that contain literal strings longer than 63 characters, these rules may fail to load after you upgrade to PTF-04. Rules that worked correctly in previous versions may now produce the following error message:
In rule test: String literal too long (max 63 chars)
If you have this type of rule configured, we recommend that you modify the rule syntax to use literal strings that are less than 63 characters in length. See New rule syntax requirements for literal strings in the Workarounds for known issues section for details.
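A pre-upgrade check for the 63-character literal limit described above, as an added example (not F5 code and not part of the original release note). The rule syntax in the sample configuration is a constructed approximation of a bigip.conf rule block; the script assumes that literals are double-quoted and that length is counted over the characters as written.

```python
"""Find rule string literals longer than 63 characters before upgrading.

Added example. SAMPLE_CONF is constructed; adjust RULE_START if your
configuration file writes rule blocks differently.
"""
import re

# Limit quoted in the error "String literal too long (max 63 chars)".
MAX_LITERAL = 63

# Assumption: a rule block opens with "rule <name> {" at the start of a line.
RULE_START = re.compile(r'^\s*rule\s+(\S+)\s*\{', re.MULTILINE)
# A double-quoted literal, allowing backslash-escaped characters inside it.
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.DOTALL)


def rule_bodies(conf):
    """Yield (rule_name, body, body_offset) for each rule block.

    Braces are matched to find the end of the block, and braces that sit
    inside a quoted literal are ignored so they cannot end the block early.
    """
    for m in RULE_START.finditer(conf):
        depth, i, in_str = 1, m.end(), False
        while i < len(conf) and depth:
            ch = conf[i]
            if in_str:
                if ch == '\\':
                    i += 1            # skip the escaped character
                elif ch == '"':
                    in_str = False
            elif ch == '"':
                in_str = True
            elif ch == '{':
                depth += 1
            elif ch == '}':
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else i   # unterminated block: take the rest
        yield m.group(1), conf[m.end():end], m.end()


def long_literals(conf, limit=MAX_LITERAL):
    """Return (rule_name, line_number, length, literal) for each literal
    inside a rule block that is longer than `limit` characters."""
    findings = []
    for name, body, offset in rule_bodies(conf):
        for m in LITERAL.finditer(body):
            text = m.group(1)
            if len(text) > limit:
                line = conf.count('\n', 0, offset + m.start()) + 1
                findings.append((name, line, len(text), text))
    return findings


# Constructed sample: one literal of exactly 63 characters (loads), one
# literal containing braces, and one literal of 74 characters (fails to load).
SAMPLE_CONF = r'''pool web_pool {
   member 10.0.0.10:80
}
rule short_rule {
   if (http_uri starts_with "/catalog/products/electronics/audio/headphones/wireless/reviews") {
      use pool web_pool
   }
}
rule brace_rule {
   if (http_uri contains "}{") {
      discard
   }
}
rule long_rule {
   if (http_uri ends_with "/catalog/products/electronics/audio/headphones/wireless/reviews/index.html") {
      use pool web_pool
   }
}
'''

if __name__ == "__main__":
    for name, line, length, text in long_literals(SAMPLE_CONF):
        print(f"rule {name}, line {line}: literal is {length} chars "
              f"(max {MAX_LITERAL}): {text[:40]}...")
```

Run it against a copy of the configuration file before upgrading; each reported rule needs its literal shortened before the configuration will load.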
Using the Setup utility to configure the media type for an interface (CR27793)
When you use the Setup utility to configure the media type for an interface, the BIG-IP system does not save this setting when you rerun the Setup utility. You must configure this setting each time you run the Setup utility.
Memory leak in bigapi (CR27821)
There is a memory leak in bigapi, found through bigsnmpd, which can occur during SNMP queries.
Adding virtual servers in the Configuration utility with Any IP Traffic enabled (CR27835)
When you use the Configuration utility to add a virtual server and you enable Any IP Traffic, each time you then add another virtual server on the same virtual address/net address, Any IP Traffic is disabled. To work around this issue, go to the Virtual Address Properties screen and enable Any IP Traffic for the new virtual server.
MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive when all of the following conditions are met:
- You have Java Virtual Machine enabled on a Windows® workstation
- You are using the Configuration utility to configure the system
- You open a MindTerm SSH console session from the navigation pane
- You return to the Configuration utility without closing the MindTerm SSH console
If you experience this problem, you must use the Windows Task Manager to close both the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or close the MindTerm SSH console session before returning to the Configuration utility.
Deleting a virtual server from same IP address as SSL Proxy (CR27915)
The SSL proxy may stop responding to ARPs if you delete a virtual server that resides on the same IP address as the proxy.
Harmless timeout messages during reboot (CR27928)
When you reboot the BIG-IP system, you may see timeout messages for ZebOS and ITCM portal. These messages are harmless and have no effect on the operation of the BIG-IP system.
Configuring virtual servers and nodes that share IP addresses (CR27931)
When you create a forwarding virtual server or a virtual server that has address translation disabled, if the virtual server shares an IP address with a node and you turn on ARP disable, the BIG-IP system may continue to respond to ARP requests. This configuration may cause the BIG-IP system to report duplicate IP addresses and block access to the node. If you want to use this type of configuration, we recommend that you configure a static ARP entry for the node.
Server Appliance platform baud rates (CR27961)
For Server Appliance platforms, the baud rate for the serial console depends on whether version 4.2 or 4.5 of the BIG-IP software was initially installed on the platform. For version 4.2 and version 4.5 units that have been upgraded from version 4.2, the serial console baud rate is 9600. For new units with version 4.5 installed, that were not upgraded from version 4.2, the serial console baud rate matches the baud rate set by the BIOS.
Enabling svcdown_reset (CR27962)
If you enable svcdown_reset from either the command line interface or the Configuration utility, you must reload the configuration for your changes to take effect.
SNMP version and probing (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.
Disabling the memory_reboot_percent global (CR27975)
You cannot disable the memory_reboot_percent global by setting the variable to 0.
Loading configurations with hundreds of proxies defined (CR27997)
Loading a configuration with hundreds of proxies defined may cause the proxyd process to become unstable. Traffic is not disturbed, but a core file and error message occur. No user intervention is necessary.
The imid() function causes syntax errors (CR28008)
Using the imid() function in rules or universal persistence expressions causes a syntax error. The imid function works correctly.
Status LED during power supply failure (CR28012)
The status LED may incorrectly remain green when the bottom power supply fails.
Transparent VLANs with a connection through a virtual server (CR28018)
If you have two transparent VLANs configured in a group with a connection through a virtual server, under certain circumstances the transparent VLAN group may use its own MAC address. If you encounter this issue, we recommend that you use opaque mode for VLAN groups, especially if you are using any type of delayed binding that requires the BIG-IP system to handle the return packet.
Setup utility and VLAN tag configuration (CR28027)
If you use the Setup utility to configure VLAN tags or add new VLANs with tags and self IPs, and you use the command line utility to modify interfaces after VLAN tags are added, all of the tagged interfaces and associated data (self and shared IPs) are removed from the configuration files. You may need to reconfigure these settings, or use the backup file to restore these settings.
SSL Proxy client auth must use client certificate CA field (CR28028)
When using the Configuration utility to configure an SSL proxy, if you set the Client Certificate field to either request or require, you must also enter a value for the Client Cert CA file field. If you do not enter a value for this field, the Configuration utility does not produce an error message; however, you must enter a value in order for the configuration to work.
global sslhardware failover configuration load time (CR28031)
If you enable global sslhardware failover, the configuration load time may increase dramatically.
Using the Configuration utility to create external health monitors (CR28036)
When you create an external health monitor and include a variable where the value is a string with two variables separated by a comma, the Configuration utility does not set the value of the second variable. The Configuration utility separates the two variables at the comma and sets the value of the first variable in the string only. If you use the command line utility to create an external health monitor, values for variables separated with a comma in the string are set correctly.
Nokia NetAct feature (CR28039)
Please note that when you apply this upgrade, if you are using the Nokia NetAct feature, the old /etc/snmptrap.conf file is used. The Nokia NetAct feature uses an extended format of this file. If you want to use the Nokia NetAct feature, after you apply the upgrade you must modify the /etc/snmptrap.conf file. You should use /etc/snmptrap.conf.example as a template for modifying the snmptrap.conf file.
MSRDP persistence (CR28050)
You cannot set MSRDP persistence using the Configuration utility. If you want to set MSRDP persistence, we recommend that you use the command line utility to configure this feature.
D35 system with system halt command (CR28079)
If you use the system halt command on a D35 system and then press the Enter key to reboot the system, the system reboots, but it enters into a netboot cycle. If you have this issue, we recommend that you power cycle the system, or push the reset button.
Reconfiguring the BIG-IP system using the Setup utility (CR28116)
If you use the Setup utility to configure multiple gateways or VLANs, we recommend that you reboot the BIG-IP system before you run the Setup utility a second time. Rerunning the Setup utility with multiple gateways or VLANs configured without rebooting may cause the BIG-IP system to become unstable.
Duplicate IP address issues on redundant pairs with floating self-IP addresses (CR28124)
If you have a pair of units in a BIG-IP redundant system, you may experience duplicate IP addresses on the active unit when you perform a config sync under the following conditions:
- You configure a floating self-IP address on an IP network where non-floating self-IP addresses have not yet been configured.
- You configure a monitor for a node on this new IP network.
If you are using this type of configuration, we recommend that you configure a non-floating self-IP address on both units for each network.
Incorrect product version in log files (CR28133)
The BIG-IP system log files may report the incorrect version of the product. This has no effect on the functionality of the BIG-IP system. To view the correct product version, type cat /VERSION at the command line.
ICMP pings through a SNAT (CR28148)
When a client pings ICMP through a SNAT, if another client behind the BIG-IP system pings ICMP through the same SNAT, the second client receives both ICMP replies.
Duplicate node UP messages in the log table (CR28194)
In certain circumstances you may see duplicate node UP messages in the log table (/var/run/alarm_log_tbl). You can ignore these messages; they do not affect the function of the BIG-IP system.
SSL node monitor (CR28211)
If you configure an SSL node monitor, and a node you are monitoring goes down and then comes back up, the SSL node monitor may continue to report the node as down. If you restart the proxy, the node status is refreshed and the monitor reports the correct node status.
Duplicate fdb entries on 520/540 platforms (CR28214)
On the BIG-IP 520/540 platforms, when a link goes down, the system does not delete the fdb entry. If you are using VLAN groups, this can cause the system to create duplicate FDB entries with the same MAC address, but different ports. This can result in a loss of traffic until the entry is removed. The BIG-IP system should delete the FDB entries when a link goes down.
Error message during boot sequence (CR28276)
When you start the BIG-IP system, you may see the error, WARNING: conflict at irq 12. You can ignore this message, as it has no effect on the function of the BIG-IP system.
PXE installation (CR28313)
In rare instances, using a notebook computer to perform PXE installations of BIG-IP software causes corruption on the notebook computer hard drive. If you are using a notebook computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you back up any important data stored on the notebook computer hard drive.
Self-IP addresses with 135 as the first octet (CR28316)
If you add a self-IP address with the number 135 as the first octet, duplicate VLANs display incorrectly when you type the bigpipe command vlan show. This has no effect on the actual VLAN configuration.
Adding a monitor using the Configuration utility (CR28333)
When you use the Configuration utility to add a monitor that contains the string Authorization: Basic {anything here}, the Configuration utility may not load the Authorization portion of the string.
cpio command (CR28365)
The cpio command is not available in 4.5 versions of the BIG-IP software.
SSL proxy with delayed binding (CR28408)
When you are using SSL proxy with delayed binding enabled, the proxy may retransmit packets too quickly.
Creating VLANs using the command line utility (CR28429)
When you use the command line utility to create VLANs, the VLAN names cannot exceed 12 characters. The manual incorrectly states that VLAN names may be up to 15 characters in length.
bigtop utility delay setting (CR28435)
The bigtop utility accepts values less than -1 second for the delay option, which causes the bigtop utility to refresh the screen as fast as possible. We recommend that you configure this option with a value of 1 second or longer.
Traps for the system_check utility not included in the MIB definition file (CR28436)
The following system_check traps have been added to the default /etc/snmptrap.conf file; however, they have not been added to the LOAD-BAL-SYSTEM-MIB.txt file.
.1.3.6.1.4.1.3375.1.1.110.2.77 (fan .*? is failing) FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.76 (cpu .*? is too hot!) CPU_TOO_HOT
.1.3.6.1.4.1.3375.1.1.110.2.75 (cpu .*? fan is failing) CPU_FAN_FAILING
.1.3.6.1.4.1.3375.1.1.110.2.74 (power supply has failed) POWER_FAILED
Using the b verify command to check for errors (CR28451)
If you use the b verify command after editing the bigip.conf file, the b verify command does not properly detect misspellings or syntax errors. If you attempt to load a bigip.conf file that has a misspelling or syntax error, the BIG-IP system does not function until you correct the error and reload the bigip.conf file.
Possible tcpdump buffer overflow with badly formed NFS packets (CR28492)
Versions 3.7.1 and earlier of tcpdump contain a buffer overflow that may be triggered by badly formed NFS packets. Other types of packets may also trigger the buffer overflow.
Proxy connection limits (CR28498)
When you set the connection limit for proxyd, and the proxy connection limit is reached, the proxy incorrectly continues to accept new connections. Once the connection limit is reached, the proxy should stop accepting new connections. Connections do not successfully complete until the number of connections drops below the configured connection limit.
Active/Standby units configured with VLAN groups in transparent mode (CR28502)
If you have a pair of BIG-IP units in an active/standby redundant configuration with VLAN groups in transparent mode, monitors on the standby unit may occasionally fail. To avoid this problem, we recommend that you tune down the ARP timers and/or increase the number of monitor timeouts. This ensures that the ARP table data is correct when monitor packets are sent. You should set the monitor timeout to at least 35 seconds. Another way to avoid this issue is to configure static ARP and FDB entries for nodes that need to be monitored.
iRules with Windows Media9 connections (CR28543)
If you use an iRule to parse and persist Windows Media9 connections with the logging option enabled, log messages may be displayed on both the client's initial connection and on follow-up connections for content from the Media Server.
Configuring a fallback host using the Configuration utility (CR28550)
If you use the Configuration utility to configure a fallback host that contains a second http or https in the URI, the configuration may fail to load. If you are using a fallback host that contains a second http or https, we recommend that you use the command line utility to configure this setting.
bigpipe commands that contain invalid trailing arguments (CR28581)
If you type a bigpipe command that contains an invalid trailing argument, the bigpipe utility produces a syntax error, but may run the command anyway. In this situation, the command should fail.
Certificate key files (CR28589)
If you are using the Configuration utility Cert Admin screen to configure proxies, you can select a proxy to view its properties. A list of certificates and keys displays. You can view and delete the default.key file from the list. If you delete the default.key file, it causes the local LDAP server to fail. We recommend that you do not delete the default.key file from the configuration.
Intel GIG Cu network interface card driver settings (CR28597)
The Intel Gig Cu NIC driver currently supports only auto negotiation. You cannot select the port media type setting.
Remote authentication configuration (CR28598)
In some cases, when you configure remote authentication, the config utility may fail to perform a standard IP address check. If this happens, httpd.conf may fail when the system restarts.
Self IP address configuration (CR28601)
When you configure a VLAN and a self IP address, the system allows you to use 255 as the last octet of the self IP address. We do not recommend that you use this value.
Configuring SIP persistence (CR28628)
If you use the command line utility to configure SIP persistence, you may receive a syntax error. Instead, we recommend that you use the Configuration utility to configure SIP persistence. Note: when you use the Configuration utility to configure SIP persistence, you must enter a valid timeout entry. Invalid timeout entries may cause the BIG-IP system to use an incorrect timeout value.
SIP persistence and out-of-order UDP fragments from Linux systems (CR28637)
If you have SIP persistence configured, the BIG-IP system does not handle out-of-order UDP fragments from Linux systems correctly.
Lock up during installation (CR28646)
In extremely rare cases, the BIG-IP system may lock up when you install an upgrade of the BIG-IP software. This issue happens only on the SMP kernel and may be file system related. If this occurs, the BIG-IP system panics and eventually reboots. You can restore the system by reinstalling the software, or by changing the running kernel from SMP to ANIP.
BEA WebLogic Server support (CR28656)
The wlnode function does not currently work with BEA WebLogic Server™.
Duplicate inode allocation error messages (CR28659)
In rare instances, the BIG-IP system creates a core file when the ffs_valloc() function allocates an inode data structure in a file system that has already been allocated. The duplicate allocation error may cause the BIG-IP system to become unstable.
Media duplex settings (CR28823)
If you are upgrading to the BIG-IP software version 4.5x from software version 4.1.1, the syntax for media duplex settings is not updated correctly. It may be necessary for you to reconfigure these settings.
Self IP and VLAN configuration changes (CR28831)
If you use the Configuration utility to make changes to the self IP or VLAN configuration, the default route and any static routes may be overwritten. You may need to reconfigure static routes using the command line utility.
TCP half close (CR28904)
When a client closes a TCP connection, the BIG-IP system closes the connection 15 seconds after it receives a FIN from the client, even when there is still data going from the server to the client.
bigpipe bigstat and bigpipe bigstat -bigip commands (CR29011)
The bigpipe bigstat and bigpipe bigstat -bigip commands do not function correctly in BIG-IP version 4.5x.
Active-standby configuration with gateway failsafe enabled (CR29057)
In an active-standby configuration with gateway failsafe enabled, if the standby system is unable to reach the gateway, and the active system loses its connection to the gateway, both units go to a standby state. If this happens, you can disable gateway failsafe, causing one unit to become active. Another way to avoid this issue is to enable the force active option on one of the systems.
BIG-IP 2400 IP Application Switch platforms (CR29087)
If you use the bigpipe load command on the BIG-IP 2400 IP Application Switch platform, the system statistics return to zero and remain at zero.
sudo utility (CR29135)
The sudo utility allows a user with non-root permissions to execute root functions (as a superuser) from the command line. The sudo utility permissions are set incorrectly in 4.5x versions of the BIG-IP software. In order to use the sudo utility, you must set the permissions on the binary to 4011. For more information on how to configure the sudo utility, refer to SOL519: Configuring sudo to allow non-root users to execute root level commands.
OneConnect with out-of-order segments in keep-alive connections (CR29158)
If you are using OneConnect™, out-of-order segments in keep-alive connections may cause header insertion on subsequent transactions to fail.
Diffie-Hellman and proxyd (CR29193)
The DH (Diffie-Hellman) key exchange protocol does not currently work if you configure an SSL proxy.
IP filter configuration (CR29196)
The Configuration utility generates incorrect IP filter (ipfw) configurations for IP filter rules with specified source and/or destination service fields. Incorrect IP filter configurations are also generated if your configuration contains IP filter rules that match established TCP connections. This issue occurs because IP filter rules generated by the Configuration utility do not check whether the matching packets are TCP or UDP. This may cause the BIG-IP system to incorrectly drop or permit some non-TCP and non-UDP packets. If you want to configure IP filter rules, we recommend that you use the command line utility instead of the Configuration utility.
snmpdca monitor (CR29223)
If you use the snmpdca monitor to gather metric information, the dynamic ratio is calculated incorrectly.
loadBalTrapPortString properties (CR29255)
If you use the command line utility to view properties for loadBalTrapPortString, one of the properties does not correspond with its description. SYNTAX INTEGER should be SYNTAX DisplayString.
nexthop network address (CR29265)
The BIG-IP system incorrectly calculates the nexthop network address by adding the nexthop address and the translation address netmask. It should be calculated by adding the nexthop address and the nexthop netmask.
VLAN configuration (CR29291)
If you use the Configuration utility to configure a VLAN, and you do not select an interface, the VLAN is not saved. You must select a VLAN interface in order for the VLAN to be saved.
BIG-IP 2400 IP Application Switch platforms (CR29312)
Statistics for BIG-IP 2400 IP Application Switch platforms may be incorrect.
bigpipe sslproxy skip keycheck command (CR29316)
The bigpipe sslproxy skip keycheck command available in version 4.2 PTF-10 is not available in 4.5x versions of the BIG-IP software.
Forwarding non-IP traffic through VLAN groups and redundant systems (CR29334) (CR29806)
We introduced the ability to forward non-IP traffic through VLAN groups in BIG-IP version 4.5 PTF-04, and the functionality was enabled by default. When this functionality is enabled, the BIG-IP system also forwards non-IP traffic through both the active and standby units in a redundant system, which can result in a bridge loop. To mitigate this known issue, in this release (version 4.5 PTF-08), we are changing the default setting so that the functionality is disabled by default. If you understand the current limitations of this feature, and want to enable the feature, see Forwarding non-IP traffic through VLAN groups and redundant systems in the Workarounds for known issues section.
User permissions and upgrading from 4.2x (CR29337)
If you are upgrading from a 4.2x version of the BIG-IP software, and you have added additional users to the BIG-IP system configuration using vipw, user permissions are reset to their default states.
SNAT limits (CR29349)
If you set a SNAT limit, the only way to remove the limit is to assign a value of 0 to it. In addition, if you load a bigip.conf file that does not have a SNAT limit configured, the previous SNAT limit value is preserved.
Network and hardware failover (CR29394)
If network and hardware failover are both running, and gateway failsafe is triggered, the current standby unit becomes active when the gateway becomes available.
SNAT pool statistic integers (CR29407)
SNAT pool statistic integers may be incorrect.
snmpdca command line utility help (CR29421)
The /usr/local/lib/pingers/snmpdca -h help command displays error messages for snmpget.
Duplicate packets on D44 and D51 platforms (CR29456)
If you have a D44 or D51 BIG-IP platform, packets with an unknown destination coming in on an untagged 10/100 port may cause the BIG-IP system to send out duplicate packets.
Naming pools (CR29470)
If you use the Configuration utility to create a pool, and you assign the new pool the same name as an existing pool, the existing pool is overwritten. You can avoid this issue by assigning a different name for each pool that you create.
Client-side cookie insertion (CR29475)
Client-side cookie insertion may fail if the BIG-IP system receives packets with missing segments on the server-side.
D51 interface media type (CR29602)
If you have a D51 BIG-IP system, the bigpipe interface 2.2 media command returns an inaccurate media type of 1000BaseTX for a fiber port. The media type should display as 1000BaseSX.
Interface MIB index error message (CR29606)
If you use SNMP lint or an MIB test tool to test the interface MIB, you may encounter an error message indicating that the ifRcvAddressAddress element has no size restriction.
Changing a host name using the Configuration utility (CR29611)
If you use the Configuration utility to change a host name, the httpd.conf file is not automatically updated.
SSL proxy failover (CR29612)
The sslproxy failover option on the Redundant Properties screen does not work correctly. If you use the Configuration utility to configure SSL failover, we recommend that you use the sslhardware failover check box on the Advanced Properties screen.
DNS configuration (CR29628)
The Setup utility and the Configuration utility may produce different DNS configurations. When you configure the BIG-IP system using the Setup utility, the system is always configured to use DNS. If you use the Configuration utility to configure DNS, you can select whether you want the system to use DNS.
Using the Configuration utility to change VLAN tags (CR29629)
If you use the Configuration utility to change the VLAN tag, it may incorrectly update the network virtual address. If the updated network virtual address is incorrect, you may need to reconfigure it. We recommend that you avoid this issue by using the command line utility to make changes to VLAN tags.
Reboots and /var/log directory filesystem corruption (CR29630)
After 150 and up to 800 hard reboots, the /var/log/ directory may contain corrupt file data.
Add Proxy wizard (CR29631)
If you use the Configuration utility Add Proxy wizard to add a proxy, and you do not specify a client CA from the list box before you click Next, the wizard uses the "or choose" text as the client CA file name and writes it to the configuration file. We recommend that you avoid this issue by selecting a valid file name for this field.
mrad failure error messages (CR29660)
The mrad function is currently started on all BIG-IP platforms. This function should run only on the BIG-IP 2400 (D44). This issue does not affect the functionality of the BIG-IP system, but in some cases you may notice mrad failure error messages. If you do not have a BIG-IP 2400, you can disregard these messages.
Reset segments and server-side connections (CR29709)
If a SYN packet was sent from a server through a virtual server to a client, and the client does not answer before the connection timeout is reached, the reaper sends an RST in both directions.
VLAN mirroring (CR29744)
If you are using VLAN mirroring, when you reboot you may notice error messages that indicate that the probe feature is not activated. These messages are incorrect, and have no effect on the BIG-IP system.
Optional OCSP responder values (CR29782)
If you create an OCSP responder definition and assign values to the optional respcert, signcert, signkey fields, there is no command to delete these definitions. If you need to remove these definitions, you can delete the specific lines from the responder definition in /config/bigip.conf file.
Error message in Configuration utility and valid range for VLAN tags (CR29793)
The allowable values for VLAN tags are 1 through 4094. However, if you inadvertently specify a value that is outside of the allowable range, you see the following error message:
Error 335953 -- You have entered an invalid VLAN tag value. VLAN tags must be between 1 and 4096.
The error message incorrectly specifies a range of 1 through 4096, rather than 1 through 4094.
Layer 7 traffic (CR29809)
If you have layer 7 traffic going through the BIG-IP system, and a server retransmits a packet that is larger than the original packet, the BIG-IP system truncates the packet to the size of the original packet.
Connection mirroring on the BIG-IP 2400 platform with hw_acceleration enabled (CR29850)
If you have a BIG-IP 2400, connection mirroring does not work correctly with hw_acceleration enabled. In order for connection mirroring to work, we recommend that you set hw_acceleration to none.
Dynamic ratio load balancing and IIS6.0 Windows 2003 Server (CR30072) (CR30073) (CR30074)
If you need to use dynamic ratio load balancing, we recommend that you configure dynamic ratio through SNMP. Due to compatibility issues, you must configure redirection on the Microsoft® Windows® Internet Information Services (IIS) 6.0 webserver (which is part of Microsoft® Windows® 2003 server product) without the aid of F5 Networks software. The BIG-IP system does not currently support the following functionality on IIS 6.0 webserver:
- Real Media monitor
- Dynamic Ratio Load Balancing
- SSL Redirect
Default setting for min_active_members (CR30143)
The default value for min_active_members is incorrect and may cause the BIG-IP system to prioritize traffic incorrectly. The default value for min_active_members is currently set to 0. We recommend that you configure min_active_members to a value of 1 or greater.
FTP data statistics for the origin address (CR30145)
If you configure SNAT for servers behind the BIG-IP system, and you use FTP from the server in order to transfer data, the statistics for the translation address are correct. However, the FTP data statistics for the origin address are incorrect.
Reset All SNATs control (CR30147)
If you are using the Configuration utility and you select Reset All SNATs on the SNAT Statistics screen, the statistics for the translation address are not cleared. You must clear the values for the translation address statistics separately.
bigpipe l2_aging_time setting (CR30152)
When you reboot the BIG-IP system, the bigpipe l2_aging_time setting in the bigip_base.conf file returns to the default setting (300).
automap default SNAT and VLAN configuration (CR30153) (CR30585)
The automap default SNAT does not allow you to disable VLANs. If you attempt to disable VLANs on the automap default SNAT, you receive an error message.
STP interfaces add all command (CR30259)
The bigpipe STP interfaces add all command adds all members of a trunk to the STP domain. This command should only add the controlling member of a trunk to an STP domain. In addition, if you manually add non-controlling members of a link-aggregated trunk to an STP domain, you do not receive a warning message.
Unlicensed system and error messages during boot cycle (CR30288)
You may see the following error message when you are booting a system that is not yet licensed:
Initialized Watchdog: TYAN SUPER I/O /config/bigip_base.conf: "Probe control features are not available." in line 262
The message is benign, and does not affect system functionality.
Memory usage statistics and the bigpipe ms command (CR30323)
The bigpipe ms command inaccurately reports the memory usage percent when you have also set high-water and low-water reaper values. The command reports a memory usage percent that is much lower than the actual memory usage percent.
BIG-IP web server resources and multiple simultaneous users (CR30327)
If a large number of users are logged into the Configuration utility at the same time, the Configuration utility may not function properly because the web server's resources are overextended. To avoid this issue, you can set the MaxClients option to 32 or lower, in the /config/bigconfig/httpd.conf file.
Generating key/cert pairs and domain name format (CR30343)
In the Configuration utility, when you try to generate a key/cert pair for a domain name that starts with an integer (for example, 222domain.com), the BIG-IP system generates an error, and does not create the key/cert pair. To work around this issue, you can import an existing certificate. Alternately, you can generate the key/cert pair from the command line. First, run the genconf command and provide the requested information. Next, run the genkey <cert filename> command, where <cert filename> is the name of the certificate that you are creating.
SSL persistence mirroring and the failback mechanism on a redundant system (CR30349)
When a redundant system experiences a failover and then a failback (the active unit goes to standby and then back to active), the system does not properly retain the SSL persistence record on the failback mechanism. Note that the system properly retains the SSL persistence record on the initial failover.
Viewing pool member statistics on BIG-IP 2400 IP Application Switch platforms (CR30498)
When you run the following bigpipe command, b virtual <address> show, on a BIG-IP system with full Packet Velocity ASIC (PVA) acceleration, the command does not display incremental updates to the virtual server's statistics. If you are running the BIG-IP system with full PVA acceleration, you can view the incremental updates either by viewing them in the Configuration utility or by using the following bigpipe command: b node <address> show.
Redundant systems and software upgrades from BIG-IP version 4.2, to BIG-IP version 4.5 and later (CR30500)
When you upgrade a standby unit from BIG-IP version 4.2, to BIG-IP version 4.5 and later, the unit is unlicensed for a brief time. During the time that the unit is unlicensed, it may change from standby to active.
The bigpipe pool modify fallback command and specifying URIs (CR30505)
When you specify a host and a URI path in the bigpipe pool <poolname> modify fallback command, the command fails. However, if you specify only a host and no URI path, the command works as it should. For example, the following syntax, which specifies only a host address (192.1.1.1), works:
bigpipe pool <poolname> modify { fallback http://192.1.1.1 }
The following syntax, which specifies both a host and a URI, does not work:
bigpipe pool <poolname> modify { fallback http://192.1.1.1/index.html }
Configuring port mirroring and using an interface that has traffic (CR30544)
If you are configuring port mirroring on your BIG-IP system, you cannot configure a port that has any traffic whatsoever on it as the mirror-to port.
bigpipe monitor command (CR30600)
You receive a syntax error if you use both <ip addr>:<service> and <ip addr> in the IP list for the bigpipe monitor command <ip list> <enable | disable>.
SSL proxy source IP address (CR30601)
If you configure a target server with SSL proxy, SNAT automap does not change the source IP address. In addition, if the BIG-IP proxy is not included in the return path, the original virtual server address is not substituted, causing the client to reject the response.
ICMP ping fragments (CR30731)
The BIG-IP system handles ICMP ping fragments inconsistently.
IP Application Switch statistics reporting (CR30917)
In an IP Application switch platform, the b interface show command does not show all input errors and dropped frames on the switch platforms.
IP Application Switch interface output error statistics (CR30995)
In rare instances, the IP Application Switch platform may randomly increase the internal error counter. These errors are reported by Netstat® as Oerrs. These errors are incorrect, and do not affect the functionality of the BIG-IP system.
Configuration utility statistics (CR31009)
The Configuration utility statistics for Max Conn Deny and Memory Usage are inaccurate. We recommend that you use the command line utility to view these statistics.
HTTPS monitor (CR31053)
In certain cases, when the BIG-IP system receives very large requests, the HTTPS monitor may fail to find the receive rule string.
Log message after upgrade (CR31058)
When you upgrade your BIG-IP system, and you reboot the system, you may see the following log message:
bigapi_unit_mask fails Specified unit mask incorrect
This log message is incorrect and has no effect on the BIG-IP system.
Using a certain virtual address/port combination (CR31104)
If you configure a certain IP address:port for a virtual server and the same IP address/port combination for a pool member in the virtual server, it may cause system instability.
Global health checking (CR31153) (CR28014)
Global health checks on the BIG-IP system have been increased. If your configuration requires more than 512 health checks, please contact support for assistance.
bigpipe global reaper hiwater (CR31393)
You should configure the bigpipe global reaper hiwater and reaper lowater settings to values between 65-100. If you set the reaper hiwater or reaper lowater to the invalid value 0, you do not receive an error message, but this command blocks all connections to the BIG-IP system.
BIG-IP 2400 IP Application switch platforms (CR31605)
For BIG-IP 2400 IP Application switch platforms, if you make configuration changes and there is no self IP address configured, the BIG-IP system does not perform hardware load balancing.
Mapping requests to nodes using classes (CR31688)
If you create a class that has strings to map on the left and node specifications on the right, and you are using select mapclass2node to map requests to nodes, if the node specification has strings, the BIG-IP system will load balance the connection instead of selecting the node associated with the matched string.
Unreachable NAT address may cause errors (CR31893)
The BIG-IP system may generate ICMP unreachable messages containing the internal NAT origin address for packets that are sent to the NAT target address when the origin address cannot be reached.
Low proxy TPS settings and large amounts of traffic (CR31907)
When you have a proxy that is licensed for a low TPS setting (100 TPS or similar) and the proxy receives a lot of traffic, connections over the TPS limit are queued up. If the quantity of connections in this queue reaches a significant number, it may cause the proxy to fail.
HTTP header rules (CR31944)
When the BIG-IP system has an HTTP header rule with a long matching URL, if the last line of the client's HTTP request header is short, it may cause the client connection to hang.
D25 and D30 systems with Intel 82542 NICs (CR32147)
If you have a D25 or D30 with a Recortec motherboard and Intel 82542 NICs, the BIG-IP system may not pass traffic if the system runs under HTTP load for 1-30 minutes. BIG-IP systems with Intel 82553 NICs do not experience this issue.
snmpdca monitor and CPU usage (CR32164)
The snmpdca monitor performs an SNMP compile of the MIBs for each instance of the monitor. This causes increased CPU usage on the BIG-IP system.
64 bit SNMP counters (CR32179)
Only IP Application Switch platforms currently support 64 bit SNMP counters.
MAC addresses (CR32245)
When the bigpipe global auto_lasthop variable is enabled (default setting), the BIG-IP system does not respond to clients or servers with MAC addresses that match the patterns xx:xx:00:00:00:00 and xx:xx:ff:ff:ff:ff.
Deleting pools that are receiving traffic (CR32258)
In rare instances, if you delete pools that are receiving traffic, the BIG-IP system panics on reboot or during configsync.
bigpipe node <node_ip>[:<service>] command (CR32273)
If you use the bigpipe node <node_ip>[:<service>] command, the first node is the only node that displays the correct IP address and service.
VLAN group and members with the same MAC masquerade address (CR32362)
If you assign the same MAC masquerade address to a VLAN group and a VLAN in the VLAN group, the BIG-IP system fails to make ARP table entries for replies to its own ARP requests.
ARP requests when the target hardware address is not set (CR32366)
When the BIG-IP system configures IP addresses on its interfaces, as it loads its configuration it sends ARP requests for each address to prompt other devices on the network to update their ARP tables for those addresses. If the target hardware address is not set, the BIG-IP system may send redundant information to some devices on the network. This may cause an issue if the network device does not ignore these redundant requests.
IP Application Switch packet drop count reporting under heavy load (CR32375)
If you have an IP Application Switch platform running under heavy load, the packet drop count reported by the bigpipe interface show command may go up and down incorrectly.
MIB walk for more than 12 hours (CR32378)
In certain circumstances, if you run a continuous MIB walk for 12 hours, the SNMP utility may fail.
snmp_dca monitor (CR32410)
In certain circumstances, the snmp_dca monitor may incorrectly mark nodes as down.
Hewlett-Packard ProLiant DL380 G3 Server: scanpci does not correctly detect devices in the 100MHz PCI-x slots (CR32476)
The scanpci utility does not correctly detect cards installed in PCI expansion slots 2 and 3 of the Hewlett-Packard® ProLiant DL380 Generation 3 Server platform. The BIG-IP software functions correctly with devices in these slots.
ARP replies through VLAN groups (CR32760)
The BIG-IP system does not currently forward gratuitous ARP replies through VLAN groups. In some network configurations, this may create compatibility issues with Cisco devices.
Mirrored connections on a redundant system (CR32771)
When you have connection mirroring enabled on a redundant system, if the BIG-IP system fails over and immediately fails back, mirrored connections may be dropped intermittently during failover.
vlan unique_mac enable (CR32791)
The BIG-IP bigpipe global command vlan unique_mac enable does not work for multiple tagged VLANs that contain an identical tagged interface.
bigpipe pool show command output in software version 4.5x (CR32797)
4.5x versions of the BIG-IP software do not include the option to change the output from bigpipe pool show command to match the output of the bigpipe pool show command in 4.2x versions. The following are examples of the output from the bigpipe pool show for 4.2x and 4.5x versions:
4.2 output:
POOL plain_pool LB_METHOD round_robin
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+-- MEMBER 10.10.99.12:http PRIORITY 5 ACTIVE,UNCHECKED
4.5 output:
POOL plain_pool LB_METHOD round_robin
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+-- MEMBER 10.10.99.12:http ACTIVE,UNCHECKED
Cookie persistence (CR32815)
If the BIG-IP system receives a packet containing one or more CRLFs and then receives a packet containing a GET request with cookie persistence, the BIG-IP system ignores the cookie and load balances the GET request.
top command (CR32857)
The top command does not report system idle time properly for BIG-IP 2400 IP Application switch platforms in Partial acceleration mode. We recommend that you use the cpu bigip command to find the correct system idle time.
SNAT pool statistics are incorrect (CR32944)
When you use the bigpipe snatpool show command, it displays incorrect statistics.
Clone pools in a proxy configuration (CR33006)
Clone pools do not function correctly when you configure a proxy.
TCP and UDP timeouts on the BIG-IP 2400 IP Application Switch platform (CR33121)
For BIG-IP 2400 IP Application Switch platforms, if the TCP or UDP timeout for a service is less than the software reaper period, the BIG-IP system incorrectly sets the virtual server hardware acceleration mode to software only.
Incorrect node statement in bigip.conf (CR33129)
When you create a pool and associate a monitor with the address of any member of that pool, if you then delete the pool, an incorrect node statement may be saved in bigip.conf. This inaccurate node statement can cause the configuration to fail when loading.
global snat timeout setting (CR33621)
If you configure the global snat timeout setting, it has no effect on the SNAT timeout value.
Connections through a late-binding virtual server (CR33627)
If connection aggregation is enabled, connections through a late-binding virtual server may hang.
UDP virtual server (CR33713)
If you configure a UDP virtual server, the idle timeout is refreshed for each packet sent from the client to the server. The idle timeout is not refreshed, however, for each packet sent from the server to the client. This issue may cause the BIG-IP system to reap connections prematurely if a long transfer of (server-to-client) data occurs.
Retransmitted packets from the server (CR33744)
Under certain very rare circumstances, the BIG-IP system may drop retransmitted packets from the server.
SNMP trap for standby unit during failover (CR33773)
The BIG-IP system no longer issues SNMP trap 40, STANDBY_BIGIP.
Extremely long key and certificate file names (CR33778)
There is currently no enforced limit on the length of key and certificate file names. However, if your certificate or key file names are extremely long, they may display incorrectly in the Configuration utility. In addition, you may receive the following error message, Error 196 -- unable to verify client-side key or cert file.
Large internal class definitions (CR33803)
If you load a large configuration that has a large internal class configured, and you use the Configuration utility to modify the internal class, the Configuration utility may fail. If you experience this issue we recommend that you use the command line utility to modify the internal class.
SNMP BIGIP REBOOT trap (CR33878)
The BIG-IP system does not issue SNMP trap number 44, BIGIP REBOOT.
NTP health monitor UDP source port (CR33920)
The BIG-IP default NTP health monitor uses ephemeral port selection to select the source UDP port. This may cause a source port conflict if the source UDP port is anything other than the RFC designated UDP port 123.
Memory statistics (CR33921)
The memory statistics reported by vmstat and SNMP UCD memAvailReal may not be identical. The SNMP UCD memAvailReal utility reports slightly higher memory statistics than the vmstat utility.
CPU temperature values (CR33922)
If the BIG-IP system is not able to obtain the CPU temperature value, an incorrect CPU temperature value of 255 is reported. This incorrect high value may cause the system to log false CPU temperature warning messages.
bigpipe global vlangroups show command (CR34112)
If you use the bigpipe global vlangroups show command, you receive a syntax error.
FastFlow (Fast Path) and auto_lasthop (CR34142)
If FastFlow (Fast Path) and bigpipe global auto_lasthop are both enabled, any changes you make to the node's MAC address may result in poor performance or hanging connections. If you have this issue, we recommend that you disable auto_lasthop or disable FastFlow (Fast Path) for any virtual servers that refer to pools that contain nodes whose MAC address may change.
Missing software connection table entries on BIG-IP 2400 IP Application Switch platforms (34165)
BIG-IP 2400 IP Application switch platforms in partial acceleration mode may prematurely remove software connection table entries for extremely long-lived idle connections, even if the connections still exist in the hardware connection table. Although the system removes the software connection table entry, the hardware still handles the connections correctly. However, these connections do not display when you perform a bigpipe conn dump.
snmp_dca monitor (CR34228)
The snmp_dca monitor may return incorrect values.
Using the Setup utility to configure duplex settings (CR34267)
If you use the command line Setup utility to configure the duplex settings for BIG-IP system interfaces, the settings may not be saved correctly when you exit the Setup utility.
Unlicensed redundant configurations (CR34609)
If you have a redundant configuration and one of the BIG-IP units is not licensed, and you run the Setup utility on the unlicensed unit, the BIG-IP system automatically activates the shared self IP address.
Read-only users and the Pool Properties screen (CR34635)
If you log on as a Read-only user and you use the Configuration utility to view the Pool Properties screen, if you then click Sticky Connections and return to the Pool Properties screen, you may receive an error message. You can ignore this message.
BIG-IP 2400 IP Application Switch running under heavy load (CR34690)
If you have a BIG-IP 2400 IP Application Switch Packet Velocity ASIC (PVA) running under heavy load and you issue a bigpipe conn delete command, the system may hang.
Support is a reserved keyword (CR34832)
Support is now a reserved keyword. The Configuration utility does not produce an error message if you use the keyword support; however, reserved keywords should never be used for any naming in the BIG-IP system configuration.
BIG-IP 2400 and FTP connections (CR34852)
If FTP data connections are accelerated by the BIG-IP 2400 IP Application Switch Packet Velocity ASIC (PVA) and the control connection is terminated, under certain circumstances the system may hang.
BIG-IP 2400 IP Application Switch and SYN cookies (CR35078)
If you have a BIG-IP 2400 IP Application Switch handling a large number of connections per second, and the SYN cookie default threshold of 150k is reached, it may adversely affect performance. If the Packet Velocity ASIC (PVA) is accelerating connections, the BIG-IP system should not use SYN cookies until the PVA's connection limit is reached.
TCP connections (CR35216)
During TCP connections, certain clients send data along with the final acknowledgement. If this occurs, the BIG-IP system sends a reset, instead of a zero acknowledgment, back to the client.
MAC masquerade address (CR35223)
If you configure the same MAC masquerade address on two VLANs, when you load the configuration the BIG-IP system does not produce an error message. This configuration is not supported, however, and may cause problems with network devices.
Telnet and FTP ports (CR35320)
The Configuration utility Advanced Properties screen does not open the Telnet or FTP ports correctly. We recommend that you use the command line utility to open these ports.
URIs redirected from iRules (CR35407)
The BIG-IP system truncates URIs redirected from iRules if they are too long to fit in a single packet.
bigpipe load command and large configurations (CR35418)
If you use the Configuration utility to make extensive changes to a large configuration, the configuration may fail to load properly when you use the bigpipe load command.
ToS traffic through a forwarding virtual server (CR35420)
If you configure a forwarding virtual server, when ToS traffic passes through the BIG-IP system, the system resets the ToS value to zero.
Modifying the netmask for a network virtual server (CR35424)
If you use the Configuration utility to modify the netmask for a network virtual server, your changes do not take effect until you load the configuration using the bigpipe load command.
SNMP OID statistics (CR35527)
If you configure a forwarding virtual server, SNMP OID statistics may not work correctly.
The checktrap.pl script and the enterprise OID in traps (CR29481) (CR35534)
When the checktrap.pl script issues traps, it does not send the correct enterprise OID in the trap.
VLAN failsafe (CR35552)
VLAN failsafe does not function correctly on the BIG-IP 2400.
Next-hop selection for nodes (CR35554)
The BIG-IP system may incorrectly determine the next-hop address for nodes accessible only through a gateway.
External classes and the bigpipe load verify command (CR35588)
If you have a configuration that includes an external class and you use the bigpipe load verify command, it may cause the BIG-IP system to become unstable.
Interface statistics (CR35606)
The interface statistics collected by the hardware may be cleared prematurely.
Gateway failsafe timeout value (CR35752)
If you configure gateway failsafe and the BIG-IP system does not locate the gateway, the system displays an unusually large negative timeout value.
Static routes on redundant systems (CR35761)
If you have a redundant system, static routes may not be updated properly when the system fails over or when the IP address changes. This may result in static routes that point to the wrong interface, and incorrect interface source addresses stored in routes.
Rollback script and named files (CR35809)
If you upgrade from a 4.5.x version of the BIG-IP software to version 4.6.2, and you use the rollback script to return to the 4.5.x version previously installed on the BIG-IP system, the named files for version 4.6.2 remain on the system in /var/named/etc. Only the file in /etc/named.conf is valid. BIG-IP version 4.6.2 named files located in /var/named/etc are valid only for version 4.6.2. These files do not affect the functionality of BIG-IP systems running software prior to version 4.6.2.
any_ip for virtual servers that share an IP address (CR36237)
If you enable any_ip on a virtual server that points to a pool or rule and then create a new virtual server that uses the same virtual IP address but has any_ip disabled, the BIG-IP system incorrectly disables any_ip on the original virtual server.
Self IP address configuration (CR36291)
In rare instances, the BIG-IP system can become unstable while loading a configuration with a large number of self IP addresses and static routes or when the ifconfig utility is used to configure a self IP address. The BIG-IP system does not support configuring IP addresses with ifconfig. We recommend that you use the bigpipe utility instead.
SSL proxy and HEAD requests that do not contain a body (CR36359)
The SSL proxy may incorrectly interpret server replies to HEAD requests that provide a content length but do not contain a body.
HTTP or HTTPS monitors (CR36548)
When you use the Configuration utility to create a monitor that inherits properties from either the HTTP or HTTPS monitor templates, when you enter a user name and password for the monitor, an extra \n is written before the HTTP version on the request line.
SSL proxy HTTP headers (CR36631)
The SSL proxy does not preserve the Range and If-Range HTTP headers if the client provides them.
Partial PVA acceleration (CR36659) (CR36661)
If you have a BIG-IP system using partial Packet Velocity ASIC (PVA) acceleration, in rare instances, when there is a very large amount of traffic going through the BIG-IP system, a flow search command from the BIG-IP kernel to the PVA could cause the PVA to hang.
Acceleration mode settings (CR36741)
If you have a BIG-IP 2400 and you set the acceleration mode to none, the system may hang under heavy load.
NTP settings (CR36782)
If you run the Setup utility and you re-configure the NTP settings, you must use the bigstart restart ntpd command in order for your changes to take effect.
Traps and logging (CR39325)
If you configure the system to send out traps, rapid logging may cause the system to drop traps and log messages. This type of rapid logging may occur when you load a configuration of several hundred nodes, at which time the system checks all of the nodes and logs their status. You can avoid this issue by adjusting the log levels for syslog configuration items. In addition, you may want to edit the /etc/snmptrap.conf files and comment out traps that are not important for your configuration.
RADIUS authentication log in (CR39371)
If the following happens when you configure RADIUS authentication:
- the authentication java applet times out
- you are prompted to log in again
- when you enter your name and password, the log in prompt displays again
then we recommend that you cancel the java login and continue without it, or close and reopen the browser.
Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
Workarounds for known issues
The following sections describe workarounds for the corresponding known issues listed in the previous section.
New rule syntax requirements for literal strings (CR27784)
This workaround describes how to modify the rule syntax to use literal strings that are less than 63 characters in length.
The following is an example of a rule which will fail to load because of a literal string that is longer than 63 characters:
if (http_host == "portal.siterequest.com") {
   if (http_uri == "/" or http_uri == "") {
      redirect to "http://%h/portal/server.pt?space=MyPage&cached=true&parentname=Login&parentid=1&userid=2&control=SetPage&PageID=-2"
   }
   else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
      redirect to "http://www.siterequest.com/portalaccount/"
   }
   else {
      use pool Pool1
   }
}
else {
   use pool Pool1
}
For the rule to function correctly, you must change the syntax in the rule to the following:
if (http_host == "portal.siterequest.com") {
   if (http_uri == "/" or http_uri == "") {
      redirect to "http://%h/portal/server.pt" + "?space=MyPage&cached=true&parentname=Login" + "&parentid=1&userid=2&control=SetPage&PageID=-2"
   }
   else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
      redirect to "http://www.siterequest.com/portalaccount/"
   }
   else {
      use pool Pool1
   }
}
else {
   use pool Pool1
}
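The check and the rewrite described in this workaround can be scripted before a rule is loaded. The following Python is an added example, not part of the F5 release note or the BIG-IP software; the function names are hypothetical, and it assumes double-quoted, single-line literals without escaped quotes and a chunk cap of 62 characters (from "less than 63 characters").

```python
import re

# Assumption: the release note says literals must be "less than 63
# characters", so each emitted chunk is capped at 62 characters.
MAX_LITERAL = 62

# Assumption: literals are double-quoted, stay on one line, and contain no
# escaped quotes (the rules shown in the release note meet all three).
LITERAL_RE = re.compile(r'"([^"\n]*)"')

# Prefer to break a URL before these characters so the pieces stay readable,
# as the corrected rule in the release note does.
BREAK_CHARS = "?&/"

# Constructed sample: the failing rule from the release note.
SAMPLE_RULE = '''\
if (http_host == "portal.siterequest.com") {
   if (http_uri == "/" or http_uri == "") {
      redirect to "http://%h/portal/server.pt?space=MyPage&cached=true&parentname=Login&parentid=1&userid=2&control=SetPage&PageID=-2"
   }
   else if (http_uri contains "portal/HTTPServlet?space=CreateAccountAS") {
      redirect to "http://www.siterequest.com/portalaccount/"
   }
   else {
      use pool Pool1
   }
}
else {
   use pool Pool1
}
'''


def find_long_literals(rule_text, limit=MAX_LITERAL):
    """Return (line_number, length, literal) for every literal over `limit`."""
    hits = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        for match in LITERAL_RE.finditer(line):
            literal = match.group(1)
            if len(literal) > limit:
                hits.append((lineno, len(literal), literal))
    return hits


def split_literal(text, limit=MAX_LITERAL):
    """Split `text` into chunks of at most `limit` characters.

    Each cut is placed just before the last '?', '&' or '/' that still fits;
    if none fits, the chunk is cut at exactly `limit` characters.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    chunks = []
    while len(text) > limit:
        # Search indexes 1..limit so a chunk is never empty or over-long.
        cut = max(text.rfind(ch, 1, limit + 1) for ch in BREAK_CHARS)
        if cut <= 0:
            cut = limit
        chunks.append(text[:cut])
        text = text[cut:]
    chunks.append(text)
    return chunks


def rewrite_rule(rule_text, limit=MAX_LITERAL):
    """Replace each over-long literal with "a" + "b" + ... concatenation."""
    def replace(match):
        literal = match.group(1)
        if len(literal) <= limit:
            return match.group(0)
        return " + ".join('"%s"' % part for part in split_literal(literal, limit))
    return LITERAL_RE.sub(replace, rule_text)


if __name__ == "__main__":
    for lineno, length, literal in find_long_literals(SAMPLE_RULE):
        print("line %d: literal of %d characters: %s" % (lineno, length, literal))
    print(rewrite_rule(SAMPLE_RULE))
```

Review the rewritten rule before loading it; the script changes only how the literal is written, not the rule logic.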
Forwarding non-IP traffic through VLAN groups and redundant systems (CR29806, CR29334)
We recommend that you enable this feature only if you fully understand its current limitations.
To forward non-IP traffic through VLAN groups
- Enable non-IP traffic forwarding by typing the following command:
echo "b internal set vlangroup_nonip = 1">>/config/routes
- If you have a redundant system, type the following command to update the peer unit:
b configsync all
- Reboot the BIG-IP system.
The non-IP traffic forwarding feature is now enabled, and the BIG-IP system will forward non-IP traffic through VLAN groups, and through both the active and the standby units in redundant systems.