Applies To:
Show Versions
BIG-IP versions 1.x - 4.x
- 4.6.3
Updated Date: 04/18/2019
Summary:
Important: BIG-IP software version 4.6.3 is no longer available for download. We have discovered an issue which, under certain circumstances, may result in the system becoming unresponsive if the header insert attribute is enabled on a pool or SSL proxy. This issue is only present in BIG-IP version 4.6.3, not versions 4.6.2 and earlier. If you currently have version 4.6.3 installed, please contact F5 Networks Technical Support for a hotfix to this issue. We will resolve the issue, and release version 4.6.4 in the near future.
This release note documents version 4.6.3 of the BIG-IP® software. You can apply the software upgrade to version 4.5 and later. For information about installing the software, please refer to the instructions below.
F5 now offers both maintenance-only and new feature releases. Version 4.6.3 is a feature release that is based on version 4.5.12 code. This release includes all features and fixes included in versions 4.5.12 and 4.6.2. For more information on our new release polices, please see New Versioning Schema for F5 Software Releases.
Warning: This is a feature release, not a maintenance release. Unless you need specific features that are new to this feature release, please upgrade to the latest maintenance release instead.
Contents:
Minimum system requirements and supported browsers
The minimum system requirements for this release are:
- Intel® Pentium® III 550MHz processor
- 256MB disk drive or CompactFlash® card (if you have the 3-DNS module, you need a 512MB disk drive or CompactFlash® card)
- 256MB RAM
The supported browsers for the Configuration utility are:
- Microsoft® Internet Explorer 5.0, 5.5, and 6.0
- Netscape® Navigator 4.7x
Note: The IM package for this release is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this release.
Supported platforms
This release supports the following platforms:
- D35 (BIG-IP 520 and 540)
- D39 (BIG-IP 1000)
- D44 (BIG-IP 2400)
- D45 (BIG-IP 2000)
- D50 (BIG-IP 5000)
- D51 (BIG-IP 5100 and 5110)
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Installing the software
Important: Before you run the Configuration utility to configure the unit, you must complete the authorization and licensing process. (For details, see the Activating the license section of the BIG-IP version 4.5 Release Note.) If you do not obtain a license before you run the Configuration utility, the system may behave in an unexpected manner.
Important: If you are upgrading a BIG-IP redundant system, you must upgrade both units. We do not support running different versions on a BIG-IP redundant system.
Important: If you are upgrading an IP Application Switch or a BIG-IP system that uses a CompactFlash® media drive, use the installation instructions here.
Note: In rare instances, using a notebook computer to perform PXE installations of BIG-IP software causes corruption on the notebook computer hard drive. If you are using a notebook computer as a PXE server to install BIG-IP software, we recommend, as a precaution, that you first back up any important data stored on the notebook computer hard drive.
The following instructions explain how to install the BIG-IP software, version 4.6.3 onto existing systems running version 4.5 and later. The installation script saves your current configuration.
- Go to the Downloads site and locate the BIG-IP 4.6.3 upgrade file, BIGIP_4.6.3_Upgrade.im.
- Download the software image and the BIGIP_4.6.4_Upgrade.md5 file.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
- If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.
- Install this PTF by typing the following command:
im BIGIP_4.6.3_Upgrade.imThe BIG-IP system automatically reboots once it completes installation.
To upgrade an IP Application Switch or a BIG-IP system that uses a CompactFlash media drive, use the following process.
- Create a memory file system by typing the following command:
mount_mfs -s 200000 /mnt
- Change your directory to /mnt by typing the following command:
cd /mnt
- Go to the Downloads site and locate the BIG-IP 4.6.3 upgrade file, BIGIP_4.6.3_Upgrade.im.
- If you downloaded the image file to a directory other than /mnt, copy the image file to the /mnt directory on your BIG-IP system.
- Install this PTF by typing the following command:
im /mnt/BIGIP_4.6.3_Upgrade.imThe BIG-IP system automatically reboots once it completes installation.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
Activating the license
Once you install the upgrade and connect the unit to the network, you need a valid license certificate to activate the software. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.
The registration key is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license.
The dossier is obtained from the software, and is an encrypted list of key characteristics used to identify the platform.
You can obtain a license certificate using one of the following methods:
- Automatic license activation
You perform automatic license activation from the command line or from the web-based Configuration utility of an upgraded unit. This method automatically retrieves and submits the dossier to the F5 license server, as well as installs the signed license certificate. In order for you to use this method, the unit must be installed on a network with Internet access. - Manual license activation
You perform manual license activation from the Configuration utility, which is the software user interface. With this method, you submit the dossier to, and retrieve the signed license file from, the F5 license server manually. In order for you to use this method, the administrative workstation must have Internet access.
Note: You can open the Configuration utility using either Netscape Navigator 4.7x, or Microsoft Internet Explorer 5.0, 5.5, or 6.0.
To automatically activate a license from the command line for first time installation
- Type the user name root and the password default at the logon prompt.
- At the prompt, type license. The following prompts display:
IP:
Netmask:
Default Route:
Select interface to use to retrieve license:
The unit uses this information to make an Internet connection to the license server.
- After you type the Internet connection information, continue to the following prompt:
The Registration Key should have been included with the software or given when the order was placed. Do you have your Registration Key? [Y/N]:
Type Y, and the following prompt displays:
Registration Key:
- Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.
- You are asked to accept the End User License Agreement.
The system is not fully functional until you accept this agreement.
- You are prompted to reboot the system. Press Enter to reboot.
The system is not fully functional until you reboot.
To automatically activate a license from the command line for upgrades
- Type your user name and password at the logon prompt.
- At the prompt, type setup.
- Choose menu option L.
- The following prompt displays:
Number of keys: 1
If you have more than one registration key, enter the appropriate number.
- The following prompt displays:
Registration Key:
Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.
- When you are finished with the licensing process, type the following command to restart the services on the system:
bigstart restart
To manually activate a license using the Configuration utility
- Open the Configuration utility according to the type of BIG-IP unit you are licensing:
- If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.
- If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the units local area network.
- If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.
- Type the user name and password, based on the type of BIG-IP unit you are licensing:
- If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.
- If you are licensing a new BIG-IP system, type the user name root, and the password default at the logon prompt.
The Configuration utility menu displays.
- If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.
- Click License Utility to open the License Administration screen.
- In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Manual Authorization.
- At the Manual Authorization screen, retrieve the dossier using one of the following methods:
- Copy the entire contents of the Product Dossier box.
- Click Download Product Dossier, and save the dossier to the hard drive.
- Copy the entire contents of the Product Dossier box.
- Click the link in the License Server box.
The Activate F5 License screen opens in a new browser window.
- From the Activate F5 License screen, submit the dossier using one of the following methods:
- Paste the data you just copied into the Enter your dossier box, and click Activate.
- At the Product Dossier box, click Browse to locate the dossier on the hard drive, and then click Activate.
The screen returns a signed license file.
- Paste the data you just copied into the Enter your dossier box, and click Activate.
- Retrieve the license file using one of the following methods:
- Copy the entire contents of the signed license file.
- Click Download license, and save the license file to the hard drive.
- Copy the entire contents of the signed license file.
- Return to the Manual Authorization screen, and click Continue.
- At the Install License screen, submit the license file using one of the following methods:
- Paste the data you copied into the License Server Output box, and click Install License.
- At the License File box, click Browse to locate the license file on the hard drive, and then click Install License.
The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
- Paste the data you copied into the License Server Output box, and click Install License.
- Click License Terms, review the EULA, and accept it.
- At the Reboot Prompt screen, select when you want to reboot the platform.
License activation is complete only after rebooting.
To automatically activate a license using the Configuration utility
- Open the Configuration utility according to the type of BIG-IP unit you are licensing:
- If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.
- If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the units local area network.
- If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.
- Type the name and password, based on what type of BIG-IP unit you are licensing:
- If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.
- If you are licensing a new BIG-IP unit, type the user name root, and the password default at the logon prompt.
The Configuration utility menu displays.
- If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.
- Click License Utility to open the License Administration screen.
- In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Automated Authorization.
The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
- Click License Terms, review the EULA, and accept it.
- At the Reboot Prompt screen, select when you want to reboot the platform.
License activation is complete only after rebooting.
Changes to existing features
This release includes the following changes in product behavior.
| Solution | Description |
| SOL739 | Versions of software packages used in this release |
| SOL1020 | Reserved words for this release |
| SOL3689 | Routes in /config/routes and /etc/netstart are removed |
| SOL3746 | The bigpipe vlan fdb command now displays entries arranged by VLAN |
| SOL3747 | The user is now prevented from deleting the LDAP default.key |
| SOL3813 | The performance of the certificate map feature was improved |
| SOL3893 | Error 331836 was made more descriptive |
| SOL3960 | The global syncookie threshold default was changed to 500,000 for PVA-equipped systems |
| SOL3962 | The full option was removed from hardware acceleration |
| SOL3996 | sfd will now respawn if it fails or is killed |
| SOL4011 | Routes are now reloaded when changes to VLANs, interfaces, or self addresses are made |
| SOL4366 | DNS proxy port now closed by default and a new global to open it |
| SOL4025 | sshd.conf is now backed up when an upgrade is run |
| SOL4037 | State mirroring has been redesigned in this version |
| SOL4045 | New checks on TCP header validity |
| SOL4048 | New check for valid FIN sequence number for delayed binding connections |
| SOL4071 | The snmpdca log now rotates |
| SOL4108 | Situations causing virtual server demotion to software acceleration have been reduced |
| SOL4179 | Hardware platforms supported by this release |
| SOL4180 | SEE-IT providers are no longer included in this release |
| SOL4192 | BIG-IP status window no longer uses Java |
| SOL4325 | Fragmented packets may not be handled correctly |
| SOL4338 | Checks are now performed to ensure that chunk header content complies with RFC2616 |
| SOL4366 | DNS proxy port can now be closed when not in use |
| SOL4379 | SNAT pools performance has been improved |
| SOL4402 | big3d will now log a message when it exits |
| SOL4551 | Any remaining components of the node virtual configuration have been removed |
| SOL4557 | The checktrap.pl script will now allow the question mark (?) character |
New features in this release
This release includes the following new features.
Connection Rate Limit settings (CR24840)
This release of the BIG-IP system includes new Connection Rate and Rate Limit settings with which you can measure the number of connections per second. You can then use this statistic to limit the number of connections to a node address. This feature is useful if there are times when you expect to have insufficient resources to service all requests, but you also want to ensure that all available servers are performing at maximum capacity. For example, if you have a data center that has enough capacity to handle the load when all the servers are functional, but you need to bring down half of the servers at a certain time in order to update the content. In this instance, the load may exceed the capacity of the remaining servers and cause the servers to become overloaded and unable to function at their maximum sustainable capacity. To avoid this situation, you can configure the BIG-IP system node connection rate limits to the maximum sustainable rate for each server. This prevents the servers from becoming over-burdened, and thus fewer requests are discarded.
In addition, if you are using the 3-DNS Controller to load balance traffic between data centers, you can use the virtual server rate limit in conjunction with global Available Connection Rate or Quality of Service load balancing to shift the load from the degraded data center to a data center with sufficient capacity.
For more information on configuring the Connection Rate and Rate Limit settings, see SOL4183: Can BIG-IP limit connections to a node based on the rate of requests rather than the number of concurrent requests?
Static routes configuration (CR26795)
The /config/static_routes file replaces the /config/routes file in this release. In addition, the system propagates changes to the static routes configuration from one unit to the peer unit during configuration synchronization. The system also updates static routes when you reload the configuration (bigpipe load or bigpipe base load).
You can also reload static routes by typing the following:
bigstart reinit static-routes
To modify the /config/static_routes file from the command line utility, enter one static route per line using the following syntax:
destination gateway [options]
where:
- destination is the target of the route entered as IP address (for example, 1.2.3.4) or CIDR prefix (1.2.3.0/24)
- gateway is IP address of the next hop
- options are any other options accepted by the route command (see man route for details)
The system ignores blank lines and/or lines beginning with a hash mark (#).
Note: The syntax for the new configuration file differs from the old file (/config/routes).
For more information, see solutions SOL3687, SOL4011, and SOL3691.
Load times for large configuration with many proxies (CR28452) (CR29316)
The bigpipe sslproxy skip keycheck feature available in version 4.2 PTF-10 is now available in this version of the BIG-IP software. If you have a very large configuration with many proxies (50+) and you must reduce the configuration load time, you have the option of reducing the load time by disabling key and certificate validation.
To disable key and certificate validation using the command line utility, type the following:
bigpipe global sslproxy skip keycheck enable
To disable key and certificate validation using the Configuration utility, check the sslproxy skip keychecks check box on the Advanced Properties screen.
For more information, see solutions SOL3742.
Including non-printable characters in send and receive strings (CR42161)
This release of the BIG-IP software allows you to insert non-printable characters in send and receive strings. This feature allows you to monitor node status more accurately using escape sequences in the send and recv strings. The BIG-IP system currently supports the following sequences:
| Escape sequence | Meaning |
| \a | alert (bell) |
| \b | backspace |
| \e | escape |
| \f | formfeed |
| \n | new line |
| \r | carriage return |
| \t | tab |
| \v | vertical tab |
| \\ | back slash |
| \' | single quote |
| \xHH | hex ASCII code (H = hex digit) |
| \xONN | octal ASCII code (N = octal digit) |
Note that the NUL character ASCII 0 is not allowed.
For more information on including non-printable characters in send and receive strings, see SOL4186: How do I enter escape sequences in an ECV health monitor's send and receive strings?
Configuration load time settings (CR43629)
In this release you can configure the amount of time that the BIG-IP system waits for the configuration to load before it the system begins load balancing traffic. The default setting is 15 seconds, and this should be adequate for most configurations. However, in instances where the configuration takes longer than 15 seconds to load, the BIG-IP system may begin load balancing based on a partially-loaded configuration. This situation can occur if you have an older platform and are loading a very large configuration. If you experience this issue, we recommend that you increase the default timeout for configuration load time. For more information, see SOL4322: How do I configure the configuration load timeout?
Log message reliability improvements (CR43835)
In this release, the BIG-IP system delivers log messages more reliably in cases where there is a burst of logging activity.
For more information, see SOL3563.
New fixes in this release
In the 4.6.3 release, on a trial basis, we have modified the format for displaying CRs for fixes and known issues. The CRs are now listed in a table format, with the corresponding solution listed next to the CR. Clicking the solution link directs you to the more detailed solution document that is posted on the AskF5 Technical Support Web Site. We continually update these solution documents on AskF5 as new details become available. If additional known issues are discovered after we release version 4.6.3, we will update the known issues table with the new CR and solution numbers, with the goal of keeping you current on our known issues.
If you encounter a solution that does not have an active link, it is likely that we have not yet had a chance to get the solution posted on AskF5, but please continue to check this table for new content or links.
This release includes the following new fixes.
| CR | Solution | Description |
| CR17426 | SOL274 | BIG-IP won't allow a wildcard certificate that contains multiple wildcards |
| CR22419 | SOL4408 | Inability to delete files during an upgrade can result in unallocated iNodes |
| CR22954 | SOL3805 | sysObjectID is not correctly mapped in the MIB |
| CR23634 | SOL3678 | sod reports unnecessary bigapi_unit_mask errors |
| CR24041 | SOL4325 | Fragmented packets might not be handled correctly |
| CR24720 | SOL274 | BIG-IP won't allow a wildcard certificate that contains multiple wildcards |
| CR26184 | SOL3679 | Adding a member on the loopback network drops network connectivity |
| CR26184 | SOL3732 | Server appliances do not delete FDB entries when a link goes down |
| CR26515 | SOL4406 | CRLs fail if installed at the command line, using the default path |
| CR26564 | SOL3684 | Help for bigpipe monitor did not exist |
| CR27060 | SOL3694 | bigpipe pool stats reset command can cause a core dump |
| CR27160 | SOL3696 | Aggregation might not work properly when client connections have small MSS |
| CR27161 | SOL3701 | Help for bigpipe class did not exist |
| CR27161 | SOL3703 | Help for bigpipe interface did not exist |
| CR27161 | SOL3705 | Help for bigpipe reset did not exist |
| CR27161 | SOL3707 | Help for bigpipe list did not exist |
| CR27161 | SOL3710 | Help for bigpipe merge did not exist |
| CR27161 | SOL3711 | Help for bigpipe base save did not exist |
| CR27161 | SOL3712 | Help for bigpipe base list did not exist |
| CR27161 | SOL3713 | Help for bigpipe save did not exist |
| CR27205 | SOL3715 | Syslog listens on UDP port 514 |
| CR27271 | SOL4315 | Ingress rate filters might trigger a memory leak or cause the system to become unstable |
| CR27335 | SOL4315 | Ingress rate filters might trigger a memory leak or cause the system to become unstable |
| CR27424 | SOL3717 | NTP no longer fails after loading the configuration using the Configuration utility |
| CR27752 | SOL3720 | The iRule imid() function returns an extra character |
| CR27817 | SOL3723 | The genkey utility no longer prompts for a passphrase |
| CR27821 | SOL4317 | SNMP walks against bigsnmpd might trigger a memory leak |
| CR27835 | SOL3725 | Creating new virtual servers for an existing address removes any_ip |
| CR27915 | SOL3728 | Deleting virtual server, proxy, or SNAT with common address stops ARP response |
| CR27978 | SOL4325 | Fragmented packets might not be handled correctly |
| CR28079 | SOL3729 | Server appliances enter a netboot loop after the system issues a halt |
| CR28316 | SOL1660 | Zombie processes may be generated when a terminal server is attached |
| CR28316 | SOL3733 | Duplicate VLANs appear when a self IP address on the 135./8 network is configured |
| CR28388 | SOL4325 | Fragmented packets might not be handled correctly |
| CR28434 | SOL3736 | Running bigtop with a negative delay locks the console |
| CR28435 | SOL3736 | Running bigtop with a negative delay locks the console |
| CR28436 | SOL3737 | The FAN_FAILING, CPU_TOO_HOT, CPU_FAN_FAILING, and POWER_FAILED SNMP traps do not work |
| CR28502 | SOL2758 | Nodes might be marked down incorrectly when translucent VLAN groups are used |
| CR28543 | SOL2729 | Messages might be printed to the console when rules are used |
| CR28549 | SOL3745 | The Configuration utility rejects a fallback host that contains another http:// |
| CR28550 | SOL3745 | The Configuration utility rejects a fallback host that contains another http:// |
| CR28608 | SOL4325 | Fragmented packets might not be handled correctly |
| CR28637 | SOL4325 | Fragmented packets might not be handled correctly |
| CR28904 | SOL3749 | Half-closed connections might be terminated while data is still being transferred |
| CR29158 | SOL3750 | Out of order, zero length packets might cause header insert functions to fail |
| CR29196 | SOL3751 | Random non-TCP, non-UDP protocol packets are blocked when IP filters are enabled |
| CR29218 | SOL3803 | SNAT connections and health monitors might experience overlapping connections |
| CR29223 | SOL3767 | The snmp_dca monitor does not work properly with very large coefficients |
| CR29255 | SOL3768 | The description of the OID loadBalTrapPortString is incorrect |
| CR29282 | SOL3803 | SNAT connections and health monitors might experience overlapping connections |
| CR29349 | SOL3769 | SNAT connection limits can only be removed by setting them to zero |
| CR29456 | SOL3770 | Duplicate ARPs might be sent when determining the destination of a packet |
| CR29612 | SOL3778 | SSL proxy hardware failover can be configured in multiple places |
| CR29629 | SOL3779 | Changing a VLAN tag might change the IP address of network virtual servers |
| CR29631 | SOL3780 | The SSL proxy Advanced Properties page accepts the value "Or choose..." |
| CR29660 | SOL3781 | mrad might become unstable and produce core files on platforms that do not contain a PVA |
| CR29751 | SOL3783 | The bigpipe verify load command rejects configurations using SNAT connection mirroring |
| CR29730 | SOL3715 | Syslog listens on UDP port 514 |
| CR29793 | SOL3785 | Inaccurate VLAN tag error message exists in the Configuration utility |
| CR29809 | SOL3786 | Retransmitted packets larger than the original are not accepted in some cases |
| CR29843 | SOL3787 | BIG-IP 2400, 5000, and 5100 units might lock up during reboot |
| CR30142 | SOL3805 | sysObjectID is not correctly mapped in the MIB |
| CR30152 | SOL3806 | The global l2_aging_time might be saved in the wrong location |
| CR30152 | SOL3808 | The global VLANs unique_mac might be saved in the wrong location |
| CR30235 | SOL3809 | Spurious "No nodes up" messages are logged |
| CR30279 | SOL3810 | SSL proxies truncate domain name information at 64 bytes |
| CR30349 | SOL142 | SSL persistence will not mirror successfully after a failover and then a fail back |
| CR30722 | SOL3750 | Out of order, zero-length packets might cause header insert functions to fail |
| CR30995 | SOL3815 | Fiber gigabit ports show output errors on switch appliances |
| CR31150 | SOL206 | The state mirroring daemon may crash during configsync |
| CR31251 | SOL3805 | sysObjectID is not correctly mapped in the MIB |
| CR31393 | SOL3821 | The global reaper setting can be set to zero |
| CR31907 | SOL3823 | proxyd can become unstable when enforcing licensing limits |
| CR31944 | SOL3824 | If an HTTP header match string is longer than the HTTP headers, a hang can result |
| CR32164 | SOL3892 | The snmp_dca monitor might load the CPU excessively |
| CR32164 | SOL3897 | The snmp_dca monitor is able to mark nodes down |
| CR32258 | SOL4094 | If pools or members are removed from an active configuration the system might become unstable |
| CR32362 | SOL3895 | ARP responses might be ignored if a VLAN and VLAN group share the same MAC address |
| CR32375 | SOL3896 | Dropped packet counters in netstat and bigpipe interface might be inconsistent |
| CR32410 | SOL3897 | The snmp_dca monitor is able to mark nodes down |
| CR32759 | SOL754 | dot1dStaticEntry OID value does not have a bounded range, although a range is required |
| CR32760 | SOL3898 | Gratuitous ARP responses are not passed by VLAN groups |
| CR32797 | SOL3899 | The output from bigpipe pool show has omitted priority and ratio information |
| CR32815 | SOL3901 | Packets containing a CRLF before the headers do not have a cookie inserted |
| CR32874 | SOL3902 | Use of a forwarding pool with syn cookies can result in the system becoming unstable |
| CR32923 | SOL3903 | Proxy connections hang when target virtual server has translation disabled |
| CR33118 | SOL3905 | The checkcert command have the wrong directories hard coded |
| CR33286 | SOL3906 | The /etc/syslog.conf comments indicate the wrong location of checktrap.pl |
| CR33627 | SOL3909 | The BIG-IP system attempts to re-use connections to servers that did not close their side |
| CR33664 | SOL3910 | Connections might be reset with a 0 sequence number after a failover |
| CR33713 | SOL3911 | Packets sent from node to client do not reset the connection timer |
| CR33803 | SOL3912 | Unintended limit is placed on the size of input from text boxes using POST |
| CR34199 | SOL3913 | Unstable condition can occur during connection setup with syncookies enabled |
| CR34228 | SOL3914 | The snmp_dca monitor incorrectly reports disk usage over 4GB |
| CR34446 | SOL3915 | Problems with internal interface drivers might make the BIG-IP system unresponsive |
| CR34525 | SOL3917 | The standby may send a gratuitous ARP using the floating IP address |
| CR34608 | SOL3919 | The bigsnmpd might cause the system to become unstable if all interface statistics are read |
| CR34635 | SOL3920 | Error 331789 can occur in the Configuration utility |
| CR34786 | SOL3921 | Dependencies can only be removed in the same multiples they were added |
| CR34837 | SOL142 | SSL persistence will not mirror successfully after a failover and then a fail back |
| CR34852 | SOL3922 | The PVA can become unresponsive if directed to delete connections |
| CR34952 | SOL3957 | System can hang when subjected to a syn flood with SNAT enabled |
| CR35007 | SOL3958 | SNAT can take a long time to find a source port |
| CR35124 | SOL4109 | SSL connections that are not cleanly shutdown are reaped at 1005 seconds |
| CR35216 | SOL3961 | Connections sending data after zero receive window was requested are reset |
| CR35407 | SOL3963 | Maximum accepted URI length in a redirect rule is 1280 bytes |
| CR35420 | SOL3965 | Packets passing through a forwarding virtual server have their TOS bit set to zero |
| CR35424 | SOL3966 | Changing the netmask of a network virtual server does not work |
| CR35476 | SOL3967 | Querying the OID .1.3.6.1.2.1.17.1.1 when FDB has many entries can cause bigsnmpd to become unstable |
| CR35525 | SOL4318 | The system does not send a reset when an established but unused connection is timed out |
| CR35552 | SOL3968 | VLAN failsafe does not always work properly on PVA-equipped systems |
| CR35572 | SOL4404 | Adding too many members to a class can cause the Configuration utility to become unstable |
| CR35588 | SOL3184 | The bigpipe verify never passes a configuration that contains external classes |
| CR35631 | SOL3971 | Use of very large classes is inefficient and could make the BIG-IP system unresponsive |
| CR35745 | SOL3972 | SMTP health checks can fail if a DNS server is not available |
| CR36046 | SOL3973 | VLAN failsafe begins countdown before traffic generation begins |
| CR36158 | SOL3974 | Incorrectly formatted packets sent to a rule can cause the system to become unstable |
| CR36275 | SOL3975 | Oracle pinger might fail to start |
| CR36277 | SOL3975 | Oracle pinger might hang on start-up |
| CR36329 | SOL3976 | HTTP HEAD requests cause the SSL proxy to truncate message bodies |
| CR36359 | SOL3976 | HTTP HEAD requests cause the SSL proxy to truncate message bodies |
| CR36377 | SOL4405 | High speed interface statistics are reported in the wrong units |
| CR36548 | SOL4107 | Monitors created in the Configuration utility might have an additional carriage return |
| CR36630 | SOL3977 | SSL proxies incorrectly translate the Range header |
| CR36631 | SOL3977 | SSL proxies incorrectly translate the Range header |
| CR36659 | SOL3922 | Internal commands might cause the PVA to become unresponsive |
| CR36661 | SOL3922 | Internal commands might cause the PVA to become unresponsive |
| CR37076 | SOL3235 | The radius pinger contains ^M characters |
| CR37147 | SOL3987 | The system might become unstable when running the ANIP kernel and using the bpf device |
| CR37260 | SOL3988 | DMA support is disabled on the D35 platform |
| CR37281 | SOL4024 | The Add Proxy pages do not work correctly with the Netscape Navigator browser. |
| CR37620 | SOL3990 | SSL proxies assume that a missing content length header means no body follows |
| CR37627 | SOL3991 | Header erase feature is case sensitive |
| CR37627 | SOL3992 | Header erase feature can modify header names |
| CR37729 | SOL3993 | SSL proxies cannot handle CRLs that use "nextUpdate=NONE" |
| CR37741 | SOL3997 | SFD might queue more messages than it can transmit, and might transmit at bad times |
| CR37770 | SOL3998 | Buffer mismatch in mapclass2node might cause the system to become unstable |
| CR37861 | SOL3999 | SSL proxy might become unstable when it cannot find a place to insert a header |
| CR38259 | SOL3805 | sysObjectID is not correctly mapped in the MIB |
| CR38330 | SOL3277 | mod_ssl is subject to the vulnerability described in CERT VU#303448 |
| CR38332 | SOL4002 | OneConnect drops client acknowledgements while in split pending state |
| CR38368 | SOL4003 | Both reaper water marks are not written when either one is configured |
| CR38372 | SOL3277 | mod_ssl was subject to the vulnerability described in CERT VU#303448 |
| CR38377 | SOL4003 | Both reaper water marks are not written when either one is configured |
| CR38514 | SOL4004 | SNAT processing is inefficient and could cause instability |
| CR38873 | SOL4008 | bigipprovider.cgi can not read pool names longer than 32 characters |
| CR39078 | SOL4009 | libpng version 1.0.9 contain security vulnerabilities |
| CR39088 | SOL4010 | Reboot of the active system might result in a failback after reboot |
| CR39184 | SOL4016 | External ports are set to forwarding rather than blocking mode during start-up |
| CR39211 | SOL4073 | An unstable system might result from inadequate pre-allocated memory pages |
| CR39371 | SOL147 | The java status window requires RADIUS and Secure ID login after one hour, but fails |
| CR39573 | SOL4018 | iRule log function might add extra characters if a small string is used |
| CR39890 | SOL4022 | FTP health check writes file to /var/tmp |
| CR39932 | SOL3330 | Authorization group names no longer allow invalid characters |
| CR39936 | SOL4370 | e-Commerce Controllers cannot display system graphs |
| CR39978 | SOL4046 | Timeout on SYN retransmission to nodes is reset by client traffic |
| CR39978 | SOL4047 | FIN wait timeout is set based on the time the FIN is received from the client |
| CR39978 | SOL4050 | Lost FIN packets are not retransmitted when closing node-side connections |
| CR39978 | SOL4051 | Client FIN packets are honored while a delayed binding connection is being set up |
| CR39981 | SOL4052 | Multicast traffic is processed, but should be passed unmodified |
| CR40010 | SOL4046 | Timeout on SYN retransmission to nodes is reset by client traffic |
| CR40010 | SOL4047 | FIN wait timeout is set based on the time the FIN is received from the client |
| CR40010 | SOL4050 | Lost FIN packets are not retransmitted when closing node-side connections |
| CR40010 | SOL4051 | Client FIN packets are honored while a delayed binding connection is being set up |
| CR40011 | SOL4053 | Patch for VU#303448 breaks interaction between config and genkey |
| CR40015 | SOL4055 | Header and cookie insertion is tied to connections, rather than pools |
| CR40034 | SOL4056 | The openssl command might become unstable with ca or ocsp options |
| CR40049 | SOL4046 | Timeout on SYN retransmission to nodes is reset by client traffic |
| CR40049 | SOL4047 | FIN wait timeout is set based on the time the FIN is received from the client |
| CR40049 | SOL4050 | Lost FIN packets are not retransmitted when closing node-side connections |
| CR40049 | SOL4051 | Client FIN packets are honored while a delayed binding connection is being set up |
| CR40055 | SOL4057 | The Configuration utility can become unstable when you define more than 160 SSL proxies |
| CR40106 | SOL4053 | The patch for VU#303448 breaks the interaction between config and genkey |
| CR40135 | SOL4053 | The patch for VU#303448 breaks the interaction between config and genkey |
| CR40141 | SOL4059 | Rules that use starts_with and a class with overlapping entries might fail |
| CR40172 | SOL4061 | The OSPF module does not work with MD5 message digesting |
| CR40389 | SOL3369 | The BIG-IP system and the 3-DNS Controller are vulnerable to VU#395670 / CAN-2004-0171 |
| CR40193 | SOL4062 | The final FIN acknowledgement is sent with an incorrect sequence number |
| CR40211 | SOL4064 | You can define multiple OCSP responders, but only the first is used |
| CR40234 | SOL4065 | If you modify or delete a class member, it causes the system to become unstable |
| CR40266 | SOL4066 | The BIG-IP system might become unstable when an SSL proxy and virtual server member have the same address |
| CR40268 | SOL4067 | SIP persistence does not correctly handle spaces in the Call-ID field |
| CR40286 | SOL4068 | Creating a virtual server with an invalid address creates a wildcard virtual |
| CR40294 | SOL4070 | POST requests beginning with a byte value greater than 128 might cause proxyd to become unstable |
| CR40389 | SOL4371 | It is now possible to set the size of the TCP reassembly queue |
| CR40390 | SOL3369 | The BIG-IP system and the 3-DNS Controller are vulnerable to VU#395670 / CAN-2004-0171 |
| CR40428 | SOL3372 | SNMP traps are sent using the wrong OID base |
| CR40433 | SOL4073 | An unstable system might result from an inadequate number of pre-allocated memory pages |
| CR40468 | SOL4074 | CSRs are created with US state abbreviations, rather than full names |
| CR40589 | SOL4075 | SFD might enter a loop and cause high CPU utilization |
| CR40715 | SOL4077 | ICMP checksums are not always updated when changes are made to ICMP messages |
| CR40815 | SOL4076 | UDP packets that lack a checksum have one inserted |
| CR40889 | SOL4083 | Gateway failsafe does not recover when a gateway responds after countdown begins |
| CR40923 | SOL4084 | Bridging storms can cause the system to become unstable |
| CR40980 | SOL4085 | Connection mirroring does not work correctly for MSRDP |
| CR41017 | SOL4086 | Creating large SNAT pools can cause the system to become unstable |
| CR41076 | SOL3456 | OpenBSD RADIUS authentication bypass vulnerability |
| CR41099 | SOL4087 | The qkview utility might enter an infinite loop and produce a large output file |
| CR41113 | SOL4088 | The syslog utility does not attempt enough retries when logging many simultaneous messages |
| CR41220 | SOL3717 | NTP fails when you load the configuration using the Configuration utility |
| CR41267 | SOL4378 | The man page for the dig command is omitted |
| CR41279 | SOL4090 | Deleting all self IP addresses associated with a route might cause the system to become unstable |
| CR41411 | SOL4092 | HTTP version 1.0 keep-alive sessions might not be properly identified |
| CR41450 | SOL3720 | The iRule imid() function returns an extra character |
| CR41473 | SOL4320 | The unit ID of a virtual server may be changed when a rule or pool is modified |
| CR41474 | SOL4409 | Classes that are in use can be deleted |
| CR41491 | SOL3751 | Random non-TCP, non-UDP protocol packets are blocked when IP filters are enabled |
| CR41502 | SOL4094 | If pools or members are removed from an active configuration the BIG-IP system might become unstable |
| CR41519 | SOL4095 | The BIG-IP system rejects HTTP GET requests containing characters with values greater than 128 |
| CR41567 | SOL4380 | Large TCP and UDP timeout values are displayed incorrectly |
| CR41599 | SOL2884 | SNMP VLAN input packet statistics display only bridged packets |
| CR41599 | SOL3024 | The netstat utility does not display VLAN MAC addresses correctlys |
| CR41687 | SOL4398 | Using the bigpipe node command to assign a monitor can cause the BIG-IP system to become unstable |
| CR41690 | SOL4400 | A memory leak in the bigd utility is triggered when nodes are assigned to the HTTPS monitor |
| CR41765 | SOL206 | The state mirroring daemon may crash during configsync |
| CR41770 | SOL4318 | A reset is not sent when an established but unused connection is timed out |
| CR41778 | SOL4325 | Fragmented packets might not be handled correctly |
| CR41874 | SOL754 | dot1dStaticEntry OID value does not have a bounded range, although a range is required |
| CR41880 | SOL4404 | Adding too many members to a class can cause the Configuration utility to become unstable |
| CR41881 | SOL4405 | High speed interface statistics are reported in the wrong units |
| CR41906 | SOL4317 | SNMP walks against bigsnmpd might trigger a memory leak |
| CR41929 | SOL4406 | CRLs fail if installed at the command line, using the default path |
| CR41942 | SOL4407 | Header insert displays error 331903 if the header is too long |
| CR41943 | SOL142 | SSL persistence will not mirror successfully after a failover and then a fail back |
| CR41948 | SOL4408 | Inability to delete files during an upgrade can result in unallocated iNodes |
| CR41952 | SOL3965 | Packets passing through a forwarding virtual server causes the TOS bit to be set to zero |
| CR41969 | SOL4320 | The unit ID of a virtual server might be changed when a rule or pool is modified |
| CR41970 | SOL4409 | Classes that are in use can be deleted |
| CR41971 | SOL3024 | The netstat utility does not display VLAN MAC addresses correctly |
| CR42016 | SOL4107 | Monitors created in the Configuration utility might have an additional carriage return |
| CR42055 | SOL4076 | UDP packets that lack a checksum have one inserted |
| CR42074 | SOL4317 | SNMP walks against bigsnmpd might trigger a memory leak |
| CR42134 | SOL2729 | Messages might be printed to the console when rules are used |
| CR42140 | SOL3975 | The Oracle pinger might fail to start |
| CR42156 | SOL4020 | The SSL pinger is too aggressive in marking down nodes |
| CR42168 | SOL4000 | The default certificate and key are no longer presented as options for SSL proxies |
| CR42209 | SOL3810 | SSL proxies truncate domain name information at 64 bytes |
| CR42215 | SOL3694 | The bigpipe pool stats reset command can cause a core dump |
| CR42216 | SOL3694 | The bigpipe pool stats reset command can cause a core dump |
| CR42321 | SOL4205 | The proxyd might become unstable during shutdown |
| CR42397 | SOL4097 | The Configuration utility might become unstable |
| CR42428 | SOL4097 | The Configuration utility might become unstable |
| CR42429 | SOL4207 | Apache mod_include vulnerability CAN-2004-0940 |
| CR42468 | SOL4099 | Apache mod_include vulnerability CAN-2004-0940 |
| CR42575 | SOL4325 | Fragmented packets might not be handled correctly |
| CR42763 | SOL4208 | The string "--" cannot be used in certificate names |
| CR42842 | SOL4322 | You can now configure the timeout period for loading the configuration |
| CR42843 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
| CR42898 | SOL4102 | IP forwarding fails if return traffic matches a SNAT |
| CR43312 | SOL4315 | Ingress rate filters might trigger a memory leak or cause the system to become unstable |
| CR43320 | SOL4035 | Web aggregation fails if the server does not advertise MSS |
| CR43392 | SOL4323 | An unnecessary DNS lookup can cause loading of static routes to fail |
| CR43463 | SOL4328 | The ntpd daemon fails to run when more than 128 VLANs exist |
| CR43575 | SOL4325 | Fragmented packets might not be handled correctly |
| CR43577 | SOL4325 | Fragmented packets might not be handled correctly |
| CR43583 | SOL4328 | The ntpd daemon fails to run when more than 128 VLANs exist |
| CR43589 | SOL4329 | The SSL proxy cannot insert fields from client certificates encoded BMPString or UTF8String |
| CR43590 | SOL4329 | The SSL proxy cannot insert fields from client certificates encoded BMPString or UTF8String |
| CR43600 | SOL3740 | The SSL proxy cannot insert fields from client certificates encoded BMPString or UTF8String |
| CR43601 | SOL3740 | The SSL proxy cannot insert fields from client certificates encoded BMPString or UTF8String |
| CR43628 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
| CR43629 | SOL4322 | You can now configure the timeout period for loading the configuration |
| CR43633 | SOL4323 | An unnecessary DNS lookup can cause loading of static routes to fail |
| CR43637 | SOL4318 | A reset is not sent when an established but unused connection is timed out |
| CR43643 | SOL4328 | The ntpd daemon fails to run when more than 128 VLANs exist |
| CR43645 | SOL4330 | HTTP HEAD requests might not work with rules, cookie persistence, or web aggregation |
| CR43647 | SOL4330 | HTTP HEAD requests might not work with rules, cookie persistence, or web aggregation |
| CR43681 | SOL4409 | Classes that are in use can be deleted |
| CR43682 | SOL4409 | You can configure BIG-IP to use a class that does not exist |
| CR43683 | SOL4208 | You can configure BIG-IP to use a class that does not exist |
| CR43718 | SOL3633 | Dynamic ratio can select a node that is down |
| CR43810 | SOL3737 | FThe FAN_FAILING, CPU_TOO_HOT, CPU_FAN_FAILING, and POWER_FAILED SNMP traps do not work |
| CR43927 | SOL4331 | A reset sent due to a discard statement in an L7 rule does not use last hop routing |
| CR43927 | SOL4332 | A reset is not sent when an L4 rule results in a discard statement |
| CR43928 | SOL4331 | A reset sent due to a discard statement in an L7 rule does not use last hop routing |
| CR43928 | SOL4332 | A reset is not sent when an L4 rule results in a discard statement |
| CR44028 | SOL3325 | The system can become unstable when FTP data connections are reaped |
| CR44029 | SOL4333 | HTTP POSTs fail to pass an SSL proxy when redirect rewrites are enabled |
| CR44030 | SOL4333 | HTTP POSTs fail to pass an SSL proxy when redirect rewrites are enabled |
| CR44246 | SOL4152 | Critical security flaw in the BIG-IP system when OneConnect is enabled |
| CR44247 | SOL4152 | Critical security flaw in the BIG-IP system when OneConnect is enabled |
| CR44248 | SOL4152 | Critical security flaw in the BIG-IP system when OneConnect is enabled |
| CR44301 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
| CR44302 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
| CR44372 | SOL4351 | BIND VU#938617 |
| CR44375 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
| CR44376 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
| CR44557 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
| CR44610 | SOL4317 | SNMP walks against bigsnmpd might trigger a memory leak |
| CR44712 | SOL4326 | 3dnsd might become unstable due to internal mishandling of long error messages |
| CR44807 | SOL4326 | 3dnsd might become unstable due to internal mishandling of long error messages |
| CR44994 | SOL4550 | The bigpipe man page references incorrect locations for the named.conf and named.boot files |
| CR45015 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
| CR45051 | SOL4341 | Connections might be persisted to a down node when any_ip is enabled |
| CR45110 | SOL4341 | Connections might be persisted to a down node when any_ip is enabled |
| CR45187 | SOL4550 | The bigpipe man page references incorrect locations for the named.conf and named.boot files |
| CR45207 | SOL4397 | Virtual servers that match a network virtual server might be demoted to software |
| CR45302 | SOL4347 | A specific type of security scan can cause a panic and reboot |
| CR45303 | SOL4347 | A specific type of security scan can cause a panic and reboot |
| CR45349 | SOL3325 | The system can become unstable when FTP data connections are reaped |
| CR45359 | SOL4551 | Any remaining components of the node virtual configuration have been removed |
| CR45383 | SOL4381 | Connections might hang when content length in the response is missing or incorrect |
| CR45383 | SOL4381 | Connections might hang when content length in the response is missing or incorrect |
| CR45386 | SOL4553 | Adding a rate filter causes an error |
| CR45417 | SOL4553 | Adding a rate filter causes an error |
| CR45476 | SOL4555 | The configsync process might not be able to locate required executables |
| CR45477 | SOL4555 | The configsync process might not be able to locate required executables |
| CR45926 | SOL4542 | Walking the dot1dTpFdbAddress table does not generate any data |
| CR47021 | SOL4551 | Any remaining components of the node virtual configuration have been removed |
Features and fixes in prior releases
The current release includes the features and fixes that were distributed in prior feature releases, as listed below. (Prior releases are listed with the most recent first.)
Version 4.6.2
Monitor instances with identical destinations and different templates (CR14311)
In previous releases it was not possible to create multiple monitor instances with the same destination. (The destination of a monitor instance is derived from the destination address and port of the associated monitor template. If destination address is not specified in the monitor template, the associated node address and port are used.) In this release you can create multiple monitor instances with the same destination, as long as the monitor instances are associated with different monitor templates.
You can use this feature in conjunction with the "port translation on a per-pool basis" functionality to configure monitoring and load balancing to different applications on the same port. For more information, see Monitoring and load balancing to different applications on the same port in the Optional configuration changes section of this release note.
Combining transparent monitors (CR26915)
You can now combine transparent monitors using the logical AND operation.
The system_check tool for IP Application Switch platforms (CR27354)
The system_check script for IP Application Switch platforms is disabled by default in this release. This change does not affect existing configurations. If system_check is enabled, the script remains in an enabled state when you upgrade to this version of the BIG-IP software.
System statistics screen (CR28085)
This release includes a System Graph Statistics screen in the Configuration utility that displays statistics about the BIG-IP system in a graphical format so that you can view changes and trends in statistics over time. The System Graph Statistics screen displays statistics including CPU usage, memory usage, throughput, connections per second, and packets per second.
To view the System Graph Statistics screen, in the left pane of the Configuration utility, click Statistics and then click System Graphs.
In addition, this release includes new SNMP OIDs including SSL proxy TPS and throughput. The new SNMP OIDs improve performance monitoring for the BIG-IP system using network management software. The new SNMP OIDs replace proxydstats for SSL proxy monitoring.
SNMP version 2c traps (CR28909)
The BIG-IP system now supports SNMP version 2c traps. You can enable this feature using the command line utility. Use the following command to enable this feature:
bigpipe db set Common.Bigip.SNMP.UseV1 = "false"
After you enable or disable this variable, you must stop and restart the checktrap.pl and syslogd utilities. It is important that you start the checktrap.pl utility before you start the syslogd utility.
Note: This release does not support using Nokia traps in conjunction with SNMP version 2c traps. If you enable SNMP version 2c traps and Nokia NetAct, you receive Nokia NetAct version 1 traps only.
Header insertion with selective re-encryption (CR31960)
If you configure a proxy and you have header insertion and selective re-encryption enabled, 206 "partial response" messages no longer cause application load errors.
ARP requests with incorrect source protocol address (CR34526)
The BIG-IP system no longer uses inactive floating self-IP addresses or virtual server addresses in the source protocol address field for ARP requests. If the system cannot generate an ARP request because there is no usable IP address available on a VLAN, the BIG-IP system logs the following warning message to /var/log/messages:
kernel: arpresolve: no usable src addr on iface: <interface_index>
The system log this message on BIG-IP systems that have a VLAN configured with only floating self-IP addresses; this type of configuration is not supported.
IBM HS20 Model Type 8832 : Watchdog no longer fails to trigger  (CR34882)
IBM has issued a firmware update for the IBM eServer BladeCenter HS20 Type 8832 (2.8GHz and up) that resolves the issue that deactivated the watchdog timer in previous releases. The link to the IBM firmware update is: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-45486 . The firmware version is 1.07. While it states compatibility with BIOS revision 1.0, we have used only BIOS 1.04 and later in our testing.
Large numbers of concurrent connections with the same SNAT address (CR34952) (CR35007) (CR38200)
The BIG-IP system no longer becomes unstable if more than 63,000 concurrent connections use the same SNAT translation address as their server-side client address.
SNMP trap utility (CR35371) (CR35372)
The BIG-IP system no longer allows arbitrary text to be processed in an insecure fashion by the SNMP trap utility.
Buffering application data and malformed packets (CR36158) (CR38198)
When the BIG-IP system is buffering application data, a very specific malformed packet no longer causes the BIG-IP system to become unstable.
CERT VU#303448 (CR38331)
This release addresses the security issue described in CERT vulnerability note VU#303448, mod_ssl contains a format string vulnerability in the ssl_log() function. For more information on the resolved security issue, see http://www.kb.cert.org/vuls/id/303448
global reaper hiwater and global reaper lowater settings (CR38433)
If you use the command line utility to configure the global reaper hiwater or global reaper lowater settings, the configuration now loads correctly.
RSA SecurID authentication using the Configuration utility
The Configuration utility now includes support for RSA SecurID® authentication, the remote authentication protocol used by RSA ACE/Server® software. RSA SecurID authentication is a two-part authentication mechanism that requires both a user ID and a passcode that changes every 60 seconds. For more information on RSA SecurID authentication, please see http://www.rsasecurity.com/node.asp?id=1156. To configure RSA SecurID authentication, see Configuring RSA SecurID authentication in the Optional configuration changes section of this release note.
Version rollback script
This release includes a rollback script that allows you to return to the previous version of the BIG-IP software, after you upgrade. This script is designed to allow you to rollback the software version in instances where you upgrade before you discover that the new version of the software is incompatible with your specific network configuration. You can use the script to return only within the major version (see SOL4476: BIG-IP Software Lifecycle Policy) of the BIG-IP software that was installed on the system prior to the upgrade. Any configuration changes you make after the upgrade are lost when you run the rollback script.
To use the rollback feature you must create a rollback IM package before you upgrade to a different version of the software.
Important: The mkrb file for version 4.6.2 contains a defect. If you install a rollback package created by the version 4.6.2 mkrb file, the rollback procedure will fail. If you are running version 4.6.2 and you want to create a rollback IM package, we recommend that you use the mkrb file included with version 4.6.3 to create the package.
To create a rollback IM package in /var/tmp/rb using the version 4.6.3 mkrb file, use the following procedure:
- Change your directory to /var/tmp by typing the following command:
cd /var/tmp
- Extract the mkrb file from the 4.6.3 upgrade package by typing the following command:
tar -C / -xzf BIGIP_4.6.3_Upgrade.im usr/local/bin/mkrb
- Create the necessary rollback files by typing the following command:
mkrb BIGIP_4.6.3_Upgrade.im
This creates an IM package that you can run on the BIG-IP system if you want to return to the previous version of the software. The IM upgrade package you create is located in the /var/tmp/rb directory.
To install the rollback IM package, type the following commands:
cd /var/tmp/rb
im <rollback_im_package_name>.im
Note: If you install the rollback package created by the script and decide that you want to upgrade to a later version of the software in the future, you will need to use the im -force /var/tmp/rb/<rollback_im_package_name>.im command to install the IM package.
SSL Proxy support for non-HTTP protocols
SSL proxy now supports non-HTTP protocols including LDAP over SSL (LDAPS) and Telnet over SSL (TELNETS). You can enable SSL proxy support for these protocols using either the command line utility or the Configuration utility.
To enable support for non-HTTP protocols using the command line, type the following commands:
b global sslproxy serverssl nonhttp enable
b save
To enable support for non-HTTP protocols using the Configuration utility, use the following procedure:
- Click System and then click the Advanced Properties tab.
The Advanced Properties screen displays. - In the SSL Proxy table, check the serverssl nonhttp enable box.
Clear the box to disable this feature.
Note: The BIG-IP system does not support FTPS.
SSL node monitoring performance enhancements
In previous releases SSL node monitoring had a significant impact on SSL proxy performance. This release includes several SSL node monitoring enhancements which greatly reduce the impact on SSL proxy performance. In addition, there are three new parameters that you can configure in order to increase SSL proxy performance. For information on how to configure the new parameters, see SSL node monitoring performance enhancements in the Optional configuration changes section of this release note.
Persistent connections through nodes at connection limit
In this release you can configure the BIG-IP system to allow persistent connections to continue to be load balanced through a node after the connection limit for the node has been reached. The Persist Override Limit setting is disabled by default. To enable this setting using the command line utility, type the following:
node <node_ip>[:<service>] persist_override_limit enable
To enable this setting using the Configuration utility, check the Persist Override Limit box on the Node Properties screen.
SSL persistence session ID
The bigpipe <pool> persist dump command now displays the SSL session ID along with client connections and their ages.
LDAP monitor security
You can now configure a security attribute for the LDAP monitor. You have the option of selecting SSL, TLS, or none. If you select TLS or SSL, connections to the remote LDAP database are sent over a secure TLS or SSL connection. If you select none, the system connects to the remote LDAP database using an unencrypted connection. To configure this option using the command line utility, specify a security attribute and give it one of three values: ssl, tls, or none. The following is an example of an LDAP monitor with SSL security configured.
monitor ldap {
# type ldap
interval 10
timeout 31
dest *:*
username ""
password ""
base ""
filter ""
security "ssl"
}
To configure this option using the Configuration utility, select ssl, tls, or none from the Security list on the Add Monitor or Monitor Properties screen.
If you have any external LDAPS_pingers in your existing configuration, we recommend that you replace the external LDAPS_pinger instances with LDAP monitors with a TLS or SSL security attribute enabled.
Support for TFTP
This version of the BIG-IP software includes support for TFTP (Trivial File Transport Protocol rev 2 - rfc1350) traffic control. TFTP configuration objects must use TFTP port 69.
System health monitor timing
In this release we have improved the algorithm that the BIG-IP system uses to perform health monitoring at offset intervals in order to prevent spikes in CPU consumption.
snmp_dca_base monitor port configuration
The snmp_dca_base monitor now correctly uses the specified port.
SNMP link up/down traps
New SNMP traps are included in this release. Traps are now issued each time a link goes up or down. The new traps are loadBalTrapLinkUp and loadBalTrapLinkDown.
SSL certificate expiration check
This release includes a new utility that checks weekly for SSL certificates that are expired or are about to expire, and logs warning messages in /var/log/bigip. In addition, the system issues two new SNMP traps, loadBalTrapCertExpired and loadBalTrapCertExpiring, for SSL certificates that are expired or are about to expire.
Port translation on a per-pool basis
In this release we have added a configuration option that allows you to enable or disable port translation for specific pools. Port translation uses an alias port that identifies to the external network a specific node managed by the BIG-IP system. In previous releases, the disable port translation option was only available at virtual server level. Port translation for pools is enabled by default.
- To configure port translation at the pool level using the command line utility, use the following syntax:
bigpipe pool <pool_name> translate port [enable|disable]
- To configure port translation at the pool level using the Configuration utility, check the Enable Port Translation box on the Add Pool or Pool Properties screens.
You can use this feature in conjunction with the monitor instances with identical destinations and different templates functionality to configure monitoring and load balancing to different applications on the same port. For more information, Monitoring and load balancing to different applications on the same port in the Optional configuration changes section of this release note.
Version 4.6.1
The OpenSSL package has been upgraded to version 0.9.7d (CR33306) (CR33755)
The OpenSSL package has been upgraded to version 0.9.7d. This upgrade addresses several recent security issues with OpenSSL described in Technical Cyber Security Alert TA04-078A. This version addresses CERT vulnerabilities VU#288574 and VU#484726. For more information on the resolved security issues, see http://www.us-cert.gov/cas/techalerts/TA04-078A.html.
The system_check utility (CR34596) (CR34745)
When you run the system_check utility, it no longer incorrectly reports version is incorrect.
String comparisons in rules (CR8717)
When you use a string comparison in a rule, it is case insensitive if you enclose the string expression in a tolower() function and compare it with a lowercase string literal. For example, in the comparison (tolower(http_uri) ends_with "jpg"), where http_uri is the string expression, and "jpg" is the lowercase string literal, the http_uri values JPG, JpG, or jpg, all return a comparison value of true.
Version 4.6
SSL proxy selective encryption (CR23920)
This release provides the option of configuring SSL re-encryption at the pool level. For more information, see the BIG-IP New Features Guide for version 4.6, Chapter 2, SSL Proxy Selective Re-encryption.
Passing ICMP packets through a SNAT (CR25315)
This release includes improvements in the way the BIG-IP system handles ICMP echo replies through a SNAT.
When two clients each send an ICMP echo through a SNAT on the BIG-IP system, the system now routes the ICMP echo replies and the ICMP time exceeded message back to the correct client.
In addition, when the BIG-IP system is configured to perform ICMP monitoring, and a client sends an ICMP echo through SNAT automap on the BIG-IP system, the system now correctly routes replies to either the BIG-IP system or the client, as appropriate.
CRL authentication enhancements (CR27421)
This release includes enhancements to Certificate Revocation List (CRL) functionality, including the addition of CRL management using distribution points, and a configurable update interval that refreshes CRLs at a specified interval. For more information, see the BIG-IP New Features Guide for version 4.6, Chapter 4, CRL Authentication Enhancements.
Node counting (CR28476)
This release includes the active_nodes function, which indicates how many nodes in the pool are available for load balancing. The active_nodes function is useful for configuring rules that send traffic to a particular pool, based on how many nodes are available in that pool. For more information, see the BIG-IP New Features Guide for version 4.6, Chapter 3, Node Counting Rule Function.
SID reuse (CR30941)
SID reuse now works correctly with the SMP kernel.
Known issues
| CR | Solution | Description |
| CR571 | SOL808 | Reverse ECV monitors mark nodes up only as frequently as the timeout period |
| CR14962 | SOL4539 | Connecting to the standby system may result in an address conflict warning message |
| CR15998 | SOL4539 | Connecting to the standby system may result in an address conflict warning message |
| CR20647 | SOL4539 | Connecting to the standby system may result in an address conflict warning message |
| CR20801 | SOL213 | SNATs route by packet, rather than by connection as virtual servers do |
| CR21228 | SOL216 | Auto-lasthop prevents update of ARP information for self address traffic |
| CR21750 | SOL497 | The bigpipe proxy show command may not display the correct values for current and max connections |
| CR22494 | SOL507 | For connections accelerated by the PVA, BIG-IP does not send a reset to the client or the node |
| CR22728 | SOL837 | Failover does not occur when gateway failsafe is triggered for active-active units in a redundant pair. |
| CR23564 | SOL783 | Saved a new copies of snmptrap.conf can conflict after an upgrade |
| CR24772 | SOL5131 | HTTP POSTs are slow when cookie persistence is enabled |
| CR25821 | SOL816 | F5 source addresses are not added to hosts.allow when the support account is enabled |
| CR25874 | SOL271 | BIG-IP will not work correctly with administrative user names longer than 15 characters |
| CR26137 | SOL4111 | It is not possible to set cookie attributes when using cookie persistence |
| CR26567 | SOL222 | Client MSS is not provided to the node when syncookies are in use |
| CR26610 | SOL336 | Disabling SNMP traps using the configuration utility causes an error |
| CR26612 | SOL848 | The beholder-ctrl bigstart script does not include the stop and start command functions, which results in an error |
| CR26843 | SOL359 | It is not possible to configure a URI path for a fallback host using the command line |
| CR26953 | SOL4148 | The bigpipe snatpool show command displays incorrect values for a new SNAT pool |
| CR27049 | SOL4301 | Subject and Issuer data is not displayed correctly for certificates encoded using BMPSTRING or UTF8STRING |
| CR27061 | SOL4148 | The bigpipe snatpool show command displays incorrect values for a new SNAT pool |
| CR27090 | SOL226 | The system may crash when the target of a virtual server is changed |
| CR27158 | SOL494 | BIG-IP disables ARP for all of virtual servers even though it is disabled for only a single virtual server |
| CR27202 | SOL727 | The SNMPDCA monitor is not fully compatible with the Microsoft http_server MIB |
| CR27229 | SOL363 | Changes to bigdb keys are not saved unless the configuration is saved |
| CR27260 | SOL371 | Default gateway pools cannot be changed using the config command |
| CR27515 | SOL236 | SIP persistence does not key connections to a particular virtual server |
| CR27515 | SOL239 | SIP persistence does not work correctly when the SIP connection is handled by a SNAT |
| CR27547 | SOL298 | Ratio settings are not available when ratio is used as the alternate load balancing mode |
| CR27607 | SOL4252 | The bigpipe pool command does not display SIP persistence records |
| CR27635 | SOL151 | The vlangroups global setting only applies to the first configured VLAN group |
| CR27639 | SOL428 | The unit ID of a self address local to unit 2 is reported as unit 1 in active-active pairs |
| CR27650 | SOL433 | Hops factories must be configured by hand before hops LB will work on a Link Controller |
| CR27975 | SOL240 | It is not possible to set the global memory_reboot_percent to 0 |
| CR28012 | SOL250 | The status LED incorrectly displays green on a standby unit when a power supply has failed |
| CR28035 | SOL4120 | Java error is reported when you assign the Oracle health monitor to an invalid node |
| CR28057 | SOL461 | Changing the port of a virtual server will result in multiple virtual server statements |
| CR28072 | SOL467 | It is possible to partially remove a link by deleting its self address and VLAN |
| CR28099 | SOL486 | BIG-IP will continue to probe any routers that are defined for a datacenter, even if you have deleted all of the BIG-IP prober factories |
| CR28124 | SOL241 | The standby unit will configure a floating self address if it does not have its own self address |
| CR28217 | SOL1435 | The Configuration utility allows a maximum of 15 characters for an Auth Model role in the Valid Roles list. |
| CR28333 | SOL184 | The Configuration utility will not create an ECV monitor that includes an Authorization: header |
| CR28346 | SOL251 | BIG-IP cannot be configured to pass bootp traffic |
| CR28421 | SOL3734 | SSL proxies may retransmit multiple packets from a connection |
| CR28429 | SOL1566 | Setup utility does not allow VLAN names with more than 12 characters |
| CR28451 | SOL1643 | The bigpipe verify command does not detect misspelled monitor names or monitors that do not exist. |
| CR28533 | SOL5143 | Web aggregation may fail when a default SNAT automap is enabled |
| CR28656 | SOL520 | The wlnode() function does not work with BEA Web Logic 7.0 and later versions |
| CR29394 | SOL5135 | BIG-IP may fail back to a previous failover state in a very specific and unusual configuration |
| CR29395 | SOL5135 | BIG-IP may fail back to a previous failover state in a very specific and unusual configuration |
| CR29407 | SOL4148 | The bigpipe snatpool show command displays incorrect values for a new SNAT pool |
| CR29421 | SOL1863 | When attempting to print the snmpget help screen, the snmp_dca health monitor enters a loop |
| CR29475 | SOL200 | Insert mode cookie persistence may fail very rarely due to node-side packet loss |
| CR29602 | SOL249 | The bigpipe interface command incorrectly reports the media type of fiber ports as 1000BaseTX |
| CR29606 | SOL1864 | SNMP monitoring software reports an error when it attempts to query the ifRcvAddressAddress OID entry in the ifRcvAddressEntry table |
| CR29709 | SOL242 | BIG-IP will send a reset to the node when deleting a connection that was never fully established |
| CR29744 | SOL256 | BIG-IP reports that "Probe control features are not available" when VLAN mirroring is enabled |
| CR29751 | SOL3783 | The verify command rejects configurations using SNAT connection mirroring |
| CR29801 | SOL4407 | An unhelpful error message is provided when a header insert is entered that is too long |
| CR29988 | SOL243 | Connections may be deleted as much as 30 seconds after they are timed out |
| CR30143 | SOL244 | Priority load balancing does not work when minimum active members is set to 0 |
| CR30493 | SOL4149 | ITCMPortal may crash when using large amounts of memory |
| CR30731 | SOL4154 | Fragmented ICMP ping requests may not be passed by BIG-IP |
| CR30783 | SOL2942 | Default gateway entry is converted to a default gateway pool |
| CR30877 | SOL4242 | The im -Q command does not always report the correct versions for installed packages |
| CR31044 | SOL245 | In rare circumstances, BIG-IP may crash during configsync |
| CR31182 | SOL207 | Virtual server performance is lower on virtual servers that have not processed L7 traffic |
| CR31994 | SOL246 | BigAPI may not free memory successfully in some circumstances |
| CR32179 | SOL2100 | The maximum value for 32-bit counters is 4,194,302 |
| CR32242 | SOL4391 | Node select expressions can be configured with invalid classes |
| CR32791 | SOL4040 | The global vlans unique_mac may not work when VLANs contain the same tagged interface |
| CR32826 | SOL208 | The header insert and erase features may not work when requests contain carriage returns before the command |
| CR32944 | SOL4148 | The bigpipe snatpool show command displays incorrect values for a new SNAT pool |
| CR33116 | SOL4032 | The system may crash if you configure a header insert on traffic that is not decrypted |
| CR33223 | SOL4407 | An unhelpful error message is provided when a header insert is entered that is too long |
| CR33581 | SOL837 | Failover does not occur when gateway failsafe is triggered for active-active units in a redundant pair. |
| CR33583 | SOL3344 | SNMP statistics for the loopback interface are not collected |
| CR33584 | SOL3344 | SNMP statistics for the loopback interface are not collected |
| CR33774 | SOL5141 | Retransmissions from node to client may be dropped after packet loss between client and BIG-IP |
| CR33815 | SOL761 | The table that contains Nokia NetAct SNMP traps may grow very large and use disk space |
| CR33878 | SOL3566 | When you restore the archived snmptrap.conf file after an upgrade, BIG-IP uses the previous version of the snmptrap.conf file. |
| CR33921 | SOL3657 | Available memory reported by the "memAvailReal" OID and the "vmstat" command differs |
| CR33922 | SOL258 | BIG-IP may report the CPU temperature as 255 degrees when it cannot determine the CPU temperature |
| CR34022 | SOL654 | Nodes that are monitored with a monitor rule are reported as unchecked |
| CR34056 | SOL658 | The symbolic link generation page does not provide scroll bars when output exceeds one screen |
| CR34267 | SOL4717 | BIG-IP changes the interface media settings after running the Setup utility |
| CR34409 | SOL209 | In very rare circumstances, BIG-IP may crash repeatly |
| CR35320 | SOL309 | The telnet and FTP servers are not started when you enable telnet and FTP |
| CR35527 | SOL3775 | BIG-IP doesn't provide data for existing pool members in the "PoolMemberEntry" OID table |
| CR35752 | SOL5080 | Gateway failsafe can cause a failover immediately after it is enabled |
| CR35906 | SOL144 | Internal, hidden interfaces may be displayed by bigpipe vlan fdb show |
| CR36811 | SOL310 | Link statistics are not displayed correctly after links are added or removed |
| CR36993 | SOL265 | Time zone information is not restored after system software is reinstalled |
| CR37500 | SOL808 | Reverse ECV monitors mark nodes up only as frequently as the timeout period |
| CR37746 | SOL808 | Reverse ECV monitors mark nodes up only as frequently as the timeout period |
| CR37847 | SOL4149 | ITCMPortal may crash when using large amounts of memory |
| CR37915 | SOL4149 | ITCMPortal may crash when using large amounts of memory |
| CR37986 | SOL5142 | Health monitors may attempt to use source ports that are already in use |
| CR38085 | SOL800 | The SSL ECV monitor cannot negotiate an SSLv2 connection |
| CR38086 | SOL145 | Copper gigabit switch ports should not allow manual media settings |
| CR38087 | SOL145 | Copper gigabit switch ports should not allow manual media settings |
| CR40319 | SOL694 | An error is displayed if you refresh the Configuration utility after creating a link |
| CR40826 | SOL247 | Header insert will not work when the full HTTP command is not received at once |
| CR40861 | SOL699 | SSL proxy address and port information is not checked for invalid addresses or characters |
| CR40884 | SOL715 | The Configuration utility prompts for a netmask for individual virtual servers |
| CR41694 | SOL5144 | ZebOS routing may not work correctly when SSL proxy target virtual servers are bound to loopback |
| CR41762 | SOL151 | The vlangroups global setting only applies to the first configured VLAN group |
| CR41763 | SOL184 | The Configuration utility will not create an ECV monitor that includes an Authorization: header |
| CR41764 | SOL200 | Insert mode cookie persistence may fail very rarely due to node-side packet loss |
| CR41766 | SOL207 | Virtual server performance is lower on virtual servers that have not processed L7 traffic |
| CR41767 | SOL208 | The header insert and erase features may not work when requests contain carriage returns before the command |
| CR41768 | SOL4148 | The bigpipe snatpool show command displays incorrect values for a new SNAT pool |
| CR41769 | SOL209 | In very rare circumstances, BIG-IP may crash repeatly |
| CR41771 | SOL213 | SNATs route by packet, rather than by connection as virtual servers do |
| CR41772 | SOL216 | Auto-lasthop prevents update of ARP information for self address traffic |
| CR41773 | SOL222 | Client MSS is not provided to the node when syncookies are in use |
| CR41774 | SOL226 | The system may crash when the target of a virtual server is changed |
| CR41775 | SOL236 | SIP persistence does not key connections to a particular virtual server |
| CR41775 | SOL239 | SIP persistence does not work correctly when the SIP connection is handled by a SNAT |
| CR41776 | SOL240 | It is not possible to set the global memory_reboot_percent to 0 |
| CR41777 | SOL241 | The standby unit will configure a floating self address if it does not have its own self address |
| CR41779 | SOL242 | BIG-IP will send a reset to the node when deleting a connection that was never fully established |
| CR41780 | SOL243 | Connections may be deleted as much as 30 seconds after they are timed out |
| CR41781 | SOL244 | Priority load balancing does not work when minimum active members is set to 0 |
| CR41782 | SOL245 | In rare circumstances, BIG-IP may crash during configsync |
| CR41783 | SOL246 | BigAPI may not free memory successfully in some circumstances |
| CR41784 | SOL808 | Reverse ECV monitors mark nodes up only as frequently as the timeout period |
| CR41785 | SOL247 | Header insert will not work when the full HTTP command is not received at once |
| CR41786 | SOL249 | The bigpipe interface command incorrectly reports the media type of fiber ports as 1000BaseTX |
| CR41788 | SOL250 | The status LED incorrectly displays green on a standby unit when a power supply has failed |
| CR41790 | SOL251 | BIG-IP cannot be configured to pass bootp traffic |
| CR41792 | SOL256 | BIG-IP reports that "Probe control features are not available" when VLAN mirroring is enabled |
| CR41793 | SOL258 | BIG-IP may report the CPU temperature as 255 degrees when it cannot determine the CPU temperature |
| CR41795 | SOL265 | Time zone information is not restored after system software is reinstalled |
| CR41798 | SOL271 | BIG-IP will not work correctly with administrative user names longer than 15 characters |
| CR41799 | SOL298 | Ratio settings are not available when ratio is used as the alternate load balancing mode |
| CR41803 | SOL2942 | Default gateway entry is converted to a default gateway pool |
| CR41805 | SOL309 | The telnet and FTP servers are not started when you enable telnet and FTP |
| CR41807 | SOL310 | Link statistics are not displayed correctly after links are added or removed |
| CR41819 | SOL336 | Disabling SNMP traps using the configuration utility causes an error |
| CR41820 | SOL336 | Disabling SNMP traps using the configuration utility causes an error |
| CR41822 | SOL359 | It is not possible to configure a URI path for a fallback host using the command line |
| CR41823 | SOL363 | Changes to bigdb keys are not saved unless the configuration is saved |
| CR41824 | SOL371 | Default gateway pools cannot be changed using the config command |
| CR41827 | SOL428 | The unit ID of a self address local to unit 2 is reported as unit 1 in active-active pairs |
| CR41832 | SOL461 | Changing the port of a virtual server will result in multiple virtual server statements |
| CR41833 | SOL467 | It is possible to partially remove a link by deleting its self address and VLAN |
| CR41834 | SOL486 | BIG-IP will continue to probe any routers that are defined for a datacenter, even if you have deleted all of the BIG-IP prober factories |
| CR41838 | SOL520 | The wlnode() function does not work with BEA Web Logic 7.0 and later versions |
| CR41848 | SOL4407 | An unhelpful error message is provided when a header insert is entered that is too long |
| CR41850 | SOL654 | Nodes that are monitored with a monitor rule are reported as unchecked |
| CR41851 | SOL658 | The symbolic link generation page does not provide scroll bars when output exceeds one screen |
| CR41860 | SOL694 | An error is displayed if you refresh the Configuration utility after creating a link |
| CR41861 | SOL699 | SSL proxy address and port information is not checked for invalid addresses or characters |
| CR41862 | SOL715 | The Configuration utility prompts for a netmask for individual virtual servers |
| CR41873 | SOL727 | The SNMPDCA monitor is not fully compatible with the Microsoft http_server MIB |
| CR41877 | SOL761 | The table that contains Nokia NetAct SNMP traps may grow very large and use disk space |
| CR41889 | SOL783 | Saved a new copies of snmptrap.conf can conflict after an upgrade |
| CR41891 | SOL816 | F5 source addresses are not added to hosts.allow when the support account is enabled |
| CR41892 | SOL848 | The beholder-ctrl bigstart script does not include the stop and start command functions, which results in an error |
| CR41895 | SOL494 | BIG-IP disables ARP for all of virtual servers even though it is disabled for only a single virtual server |
| CR41898 | SOL1435 | The Configuration utility allows a maximum of 15 characters for an Auth Model role in the Valid Roles list. |
| CR41900 | SOL1566 | Setup utility does not allow VLAN names with more than 12 characters |
| CR41901 | SOL1643 | The bigpipe verify command does not detect misspelled monitor names or monitors that do not exist. |
| CR41904 | SOL1863 | When attempting to print the snmpget help screen, the snmp_dca health monitor enters a loop |
| CR41905 | SOL1864 | SNMP monitoring software reports an error when it attempts to query the ifRcvAddressAddress OID entry in the ifRcvAddressEntry table |
| CR41913 | SOL2100 | The maximum value for 32-bit counters is 4,194,302 |
| CR41915 | SOL3344 | SNMP statistics for the loopback interface are not collected |
| CR41916 | SOL3344 | SNMP statistics for the loopback interface are not collected |
| CR41918 | SOL3566 | When you restore the archived snmptrap.conf file after an upgrade, BIG-IP uses the previous version of the snmptrap.conf file. |
| CR41919 | SOL3657 | Available memory reported by the "memAvailReal" OID and the "vmstat" command differs |
| CR41921 | SOL3775 | BIG-IP doesn't provide data for existing pool members in the "PoolMemberEntry" OID table |
| CR41923 | SOL4024 | The Add Proxy pages do not work correctly with the Netscape Navigator browser. |
| CR41930 | SOL5080 | Gateway failsafe can cause a failover immediately after it is enabled |
| CR41936 | SOL4301 | Subject and Issuer data is not displayed correctly for certificates encoded using BMPSTRING or UTF8STRING |
| CR41942 | SOL4407 | An unhelpful error message is provided when a header insert is entered that is too long |
| CR41985 | SOL5135 | BIG-IP may fail back to a previous failover state in a very specific and unusual configuration |
| CR42010 | SOL5141 | Retransmissions from node to client may be dropped after packet loss between client and BIG-IP |
| CR42057 | SOL497 | The bigpipe proxy show command may not display the correct values for current and max connections |
| CR42114 | SOL5142 | Health monitors may attempt to use source ports that are already in use |
| CR42119 | SOL5143 | Web aggregation may fail when a default SNAT automap is enabled |
| CR42147 | SOL4717 | BIG-IP changes the interface media settings after running the Setup utility |
| CR42150 | SOL5144 | ZebOS routing may not work correctly when SSL proxy target virtual servers are bound to loopback |
| CR42907 | SOL5023 | BIG-IP can run out of memory when loading very large configurations |
| CR43900 | SOL4252 | The bigpipe pool command does not display SIP persistence records |
| CR45017 | SOL5040 | The PVA will reconfigure itself if it detects duplicate SSL proxy addresses |
| CR46405 | SOL4810 | BIG-IP and 3-DNS may report "date not found" during installation |
| CR46407 | SOL4810 | BIG-IP and 3-DNS may report "date not found" during installation |
| CR46509 | SOL4497 | Switch appliances do not send an SNMP trap when booting because the switch ports are disabled |
| CR46515 | SOL5039 | The Configuration utility cannot successfully import FIPS keys |
| CR46516 | SOL5039 | The Configuration utility cannot successfully import FIPS keys |
| CR46624 | SOL5074 | BIG-IP ignores the first data packet when syn cookie processing is active |
| CR46624 | SOL5074 | BIG-IP ignores the first data packet when syn cookie processing is active |
| CR46706 | SOL5149 | BIG-IP will disable ARP for SNAT automap if ARP is disabled on a wildcard virtual server |
| CR46975 | SOL4596 | iRules that contain a large number of decode_uri functions may fail |
| CR46976 | SOL4596 | iRules that contain a large number of decode_uri functions may fail |
| CR47153 | SOL4579 | Connection mirroring does not work on virtual servers that use cookie persistence |
| CR47221 | SOL4575 | BIG-IP will silently remove asterisks from auth model group names |
| CR47235 | SOL4572 | The login.conf file may be overwritten during an upgrade |
| CR47236 | SOL4572 | The login.conf file may be overwritten during an upgrade |
| CR47237 | SOL4583 | The BIG-IP system is vulnerable to VU#222750 |
| CR47261 | SOL4583 | The BIG-IP system is vulnerable to VU#222750 |
| CR47262 | SOL4583 | The BIG-IP system is vulnerable to VU#222750 |
| CR47276 | SOL4574 | BIG-IP and 3-DNS will not prevent you from installing unsupported versions on older hardware |
| CR47296 | SOL4583 | The BIG-IP system is vulnerable to VU#222750 |
| CR47719 | SOL4819 | The BIG-IP system might become unresponsive when performing delayed binding operations |
| CR47829 | SOL4821 | The BIG-IP system might reset HTTP connections that contain a retransmitted response |
| CR47830 | SOL4821 | The BIG-IP system might reset HTTP connections that contain a retransmitted response |
| CR47979 | SOL4665 | Editing IP filters and ICMP packet denial |
| CR48148 | SOL5040 | The PVA will reconfigure itself if it detects duplicate SSL proxy addresses |
| CR48152 | SOL4809 | BIG-IP and 3-DNS are vulnerable to CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280 |
| CR48153 | SOL4809 | BIG-IP and 3-DNS are vulnerable to CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280 |
| CR48262 | SOL4583 | The BIG-IP system is vulnerable to VU#222750 |
| CR48301 | SOL4718 | When configured to perform header insertion, a buffer overrun can cause BIG-IP to behave unpredictably |
| CR48313 | SOL4583 | The BIG-IP system is vulnerable to VU#222750 |
| CR48563 | SOL4821 | The BIG-IP system might reset HTTP connections that contain a retransmitted response |
| CR48598 | SOL5052 | An SSL proxy will not attempt to reconnect to an LDAP server after failing three attempts |
| CR48599 | SOL5052 | An SSL proxy will not attempt to reconnect to an LDAP server after failing three attempts |
| CR48750 | SOL4853 | When running more than 400 SSL health monitors, the bigd process may run out of memory |
| CR48759 | SOL4854 | Rule operations that match content will fail if the text ends in a duplicated character followed by an underscore |
| CR48761 | SOL4854 | Rule operations that match content will fail if the text ends in a duplicated character followed by an underscore |
| CR49272 | SOL4532 | The BIG-IP system and 3-DNS Controller are vulnerable to CAN-2005-0758, CAN-2005-0988, and CAN-2005-1228 |
| CR49273 | SOL4532 | The BIG-IP system and 3-DNS Controller are vulnerable to CAN-2005-0758, CAN-2005-0988, and CAN-2005-1228 |
| CR49295 | SOL5023 | BIG-IP can run out of memory when loading very large configurations |
| CR49336 | SOL4616 | BIG-IP and 3-DNS are vulnerable to CAN-2005-0488 |
| CR49337 | SOL4616 | BIG-IP and 3-DNS are vulnerable to CAN-2005-0488 |
| CR49454 | SOL5070 | BIG-IP does not delete mirrored SSL session ID persistence records |
| CR49455 | SOL5070 | BIG-IP does not delete mirrored SSL session ID persistence records |
| CR49457 | SOL5045 | The active unit may crash after failover when mirroring is enabled |
| CR49458 | SOL5045 | The active unit may crash after failover when mirroring is enabled |
| CR49691 | SOL4326 | BIG-IP may panic when mirroring large numbers of SSL session ID persistence records |
| CR49692 | SOL4326 | BIG-IP may panic when mirroring large numbers of SSL session ID persistence records |
| CR49695 | SOL5069 | The SNMP daemon may become unresponsive or crash when sending data |
| CR49696 | SOL5069 | The SNMP daemon may become unresponsive or crash when sending data |
| CR49773 | SOL5083 | Connections may not be rebound to a new node after all nodes became unavailable |
| CR49774 | SOL5083 | Connections may not be rebound to a new node after all nodes became unavailable |
| CR50382 | SOL4331 | BIG-IP may send a reset to the wrong VLAN when a rule results in a discard statement |
| CR50383 | SOL4331 | BIG-IP may send a reset to the wrong VLAN when a rule results in a discard statement |
| CR50387 | SOL4808 | NTLM authentication may fail when a site is accessed through a delayed binding virtual server |
| CR50712 | SOL4808 | NTLM authentication may fail when a site is accessed through a delayed binding virtual server |
| CR51441 | SOL144 | Internal, hidden interfaces might be displayed by bigpipe vlan fdb show command |
| CR58321 | SOL6551 | Changes in US and Canada Daylight Saving Time |
| N/A | SOL4001 | The checktrap.pl script will now allow the question mark (?) character |
