Applies To:
Show VersionsLink Controller
- 4.5.9
Updated Date: 04/18/2019
Summary:
This release note documents version 4.5.9 of the Link Controller software. You can apply the software upgrade to version 4.5 and later. For information about installing the software, please refer to the instructions below.
F5 now offers both maintenance-only and new feature releases. Version 4.5.9 is a maintenance-only release which includes security updates and enhancements that stabilize the version 4.5 software, but it contains no major new features. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.
Version 4.5.9 is a release that addresses an error in the 4.5 PTF-08 code.
Contents:
Minimum system requirements
The minimum system requirements for this release are:
- Intel® Pentium® III 550MHz processor
- 512MB disk drive or CompactFlash® card
- 256MB RAM
- Supported browsers: Microsoft® Internet Explorer 5.0, 5.5, or 6.0; Netscape® Navigator 4.7x
Installing the software
Important: If you are upgrading a Link Controller redundant system, you must upgrade both units. We do not support running different versions on a Link Controller redundant system. Additionally, If you are updating the Link Controller module on a BIG-IP system, refer to the BIG-IP version 4.5 PTF-08 note for instructions on installing the PTF.
Important: If you are upgrading an IP Application Switch or a Link Controller unit that uses a CompactFlash® media drive, use the installation instructions here.
Note: If you have installed prior PTFs, this installation does not overwrite any configuration changes that you made for prior PTFs.
The following instructions explain how to install the BIG-IP Link Controller software version 4.5.9 onto existing systems running version 4.5 and later. The installation script saves your current configuration.
- Go to the Downloads site and locate the BIG-IP 4.5.9 upgrade file, BIGIP_4.5.9_Upgrade.im.
- Download the software image file.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
- If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.
- Install this PTF by typing the following command:
im BIGIP_4.5.9_Upgrade.im The Link Controller automatically reboots once it completes installation.
To upgrade an IP Application Switch or a CompactFlash media drive, use the following process.
- Create a memory file system, by typing the following:
mount_mfs -s 200000 /mnt - Go to the Downloads site and locate the BIG-IP 4.5.9 upgrade file, BIGIP_4.5.9_Upgrade.im.
- Download the software image file.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
- If you downloaded the image file to a directory other than /mnt, copy the image file to the /mnt directory on your BIG-IP system.
- On the BIG-IP unit, run the im upgrade script:
im /mnt/BIGIP_4.5.9_Upgrade.im The Link Controller automatically reboots once it completes installation.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
New features and fixes in this PTF
This PTF includes the following new features and fixes.
OneConnect issue in BIG-IP version 4.5 PTF-08 causes random sessions to time out (CR30588)
We have discovered a serious issue in BIG-IP version 4.5 PTF-08 that causes HTTP POST timeouts when delayed binding is configured. This issue may also prevent web pages from loading or displaying correctly. We have corrected this issue in this release.
BIND Vulnerability VU#734644, ISC BIND 8 vulnerable to cache poisoning via negative responses (CR30822)
This PTF addresses the BIND vulnerability that is described in Vulnerability Note VU#734644 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/734644.
Features and fixes released in prior PTFs
The current PTF includes the following features and fixes released in prior PTFs, as listed below. (Prior PTFs are listed with the most recent first.)
Version 4.5 PTF-08
Redundant systems and synchronizing the regkey.license file (CR27020)
When you save a .ucs file or run the b config sync command on a unit in a redundant system, the processes no longer synchronize the regkey.license file between the two units. Note that this issue affected only redundant systems.
New option to save UCS files without including private keys (CR27236)
You can now save a UCS file without including the private keys stored in the /config/bigconfig/ssl.key directory (only keys from this directory are excluded). To create a UCS file that does not include these private keys, use the following bigpipe command:
b config support save <filename>
Sync groups and the default wideip.conf file (CR27366)
If you manage your Link Controllers using a sync group, and on one of the sync group members you delete the wideip.conf file and then restart the 3dnsd daemon, the 3dnsd daemon creates a new default wideip.conf file that contains only basic system configuration information. The new wideip.conf file no longer causes the sync process to overwrite the wideip.conf file of the other sync group members with the newer file, effectively erasing the real configuration.
Viewing router and link status in the Configuration utility (CR27776)
The router status now displays correctly on the Metrics & Limits statistics screen, in the Configuration utility, when all the links for a router are down (red ball).
Parent object status and associated pools and virtual servers (CR27920)
If a link or pool has a status of gray (never available to the system for load balancing), any associated child objects, such as virtual servers, now inherit the status of the parent object and are not available for load balancing.
Using virtual servers associated with rules for outbound load balancing in wide IPs (CR28024)
When you associate a virtual server with a rule for inbound load balancing, that virtual server is now available for outbound load balancing also, in a wide IP. Previously, only virtual servers that were members of inbound load balancing pools were available for wide IPs.
Upgrades and overwriting the 3dns_snmptrap.conf file (CR28152)
When you upgrade to the current PTF, the upgrade no longer overwrites the existing 3dns_snmptrap.conf file during the upgrade process. If you have added custom traps to the file, you no longer need to create a backup file before you apply the upgrade.
The checktrap.pl script and the enterprise OID in traps (CR29481)
When the checktrap.pl script issues traps, it now sends the correct enterprise OID in the trap.
Timer error in BIND (CR29795)
A rare issue with timer updates in the BIND version 8 code has been fixed.
Version 4.5 PTF-07
Error messages in the Link Configuration screens in the Configuration utility (CR26851, CR27177)
The Link Controller no longer generates intermittent JSP 500 error messages when you change settings on the Link Configuration screens.
New CORBA Watchdog (CR27991)
This release contains a new monitor that checks the health of F5 CORBA and iControl related daemons. In order for CORBA and iControl to function properly, if any of these daemons fail, the monitor restarts all CORBA related daemons.
Version 4.5 PTF-06
There were no features or fixes for the BIG-IP Link Controller in version 4.5 PTF-06.
Version 4.5 PTF-05
The 4.5 PTF-05 release included the following features and fixes.
Specified gigabit duplex setting on switches with fixed duplex settings (CR27755)
If the BIG-IP system is using gigabit interfaces and is plugged into a switch with a fixed duplex setting, you no longer need to configure both the BIG-IP system's gigabit interface and the port on the switch to Auto before applying this PTF. The link between the BIG-IP system and the switch now functions correctly.
Router link status no longer displays incorrectly (CR27756)
Receiver 3-DNS Controllers in a sync group now correctly probe the state of the router links that are in their own data center. When the controller monitors virtual servers in the same data center, the virtual servers inherit the correct state of the router link.
Version 4.5 PTF-04
The 4.5 PTF-04 release included the following features and fixes.
SNMP trap sink (CR19769, CR24111)
The SNMP trap source is now an IP address that is routable to the trap sink.
Rebooting the system and lost interrupt error message (CR19813)
In certain circumstances when you reboot, you no longer receive the error message wd0: lost interrupt.
Changing the CORBA port number using the Configuration utility (CR19780)
You can no longer change the CORBA port number using the Configuration utility. The CORBA IIOP port should be set only to the default setting of 683.
SNMP checktrap (CR21701)
When the port for the node that is being marked up or down is any, checktrap now correctly identifies the port.
Windows uploads (CR22043)
Delayed acknowledgement packets (ACKs) no longer restrict Windows uploads at 40K per second.
Default wildcard ports (CR22191)
Default wildcard ports now can use ICMP monitoring.
Network virtual servers (CR22203)
You can now create more than 1024 network virtual servers without causing the BIG-IP system to become unstable.
Short-lived rapid connections from the same source IP (CR22232)
When dealing with short-lived rapid connections from the same source IP address, the BIG-IP system no longer arbitrarily resets some packets.
SNMP traffic and a VLAN that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled no longer passes SNMP traffic unless you have explicitly enabled the SNMP port using the open_snmp_port global setting.
Connection and packet display statistics with the bigtop utility (CR22709)
Connection and packet statistics now display correctly when you run the bigtop utility.
Upgrading from version 4.3 to version 4.5 and duplex billing status (CR23053, CR24773)
When you upgrade your Link Controller from version 4.3 to version 4.5, the upgrade process no longer enables duplex billing support, by default, for the links in your configuration.
Using a VLAN group configuration in transparent or translucent mode (CR24409)
You can now configure the BIG-IP system to bridge between two VLANs in either transparent or translucent mode without creating duplicate packets.
Upgrades and process checking in the snmpd.conf file (CR24450)
When you upgrade the software, the process checking entries (proc) in the snmpd.conf files are no longer populated with incorrect values.
Remote LDAP authentication and login errors (CR24487)
If you mistype the login name, and you are using remote LDAP authentication rather than RADIUS authentication, you no longer see a RADIUS error message.
Enabling one-time automatic discovery in the Setup utility (CR24565)
The Setup utility now includes an option to enable automatic discovery of the local system's configuration, and its peer's configuration, if applicable, when you run the Setup utility for the first time. This option is most useful if you are running the Link Controller module on a BIG-IP system.
Audit logs now show the correct user name (CR24600)
The audit logs now show the correct user name when a user makes configuration changes.
SNMP virtualAddressEntry table and wildcard virtual servers (CR24647)
The SNMP virtualAddressEntry table can now handle wildcard virtual servers.
Setting prepaid segments all to 0 (zero) and Over Prepaid setting on the Link Statistics screen (CR24680)
On the Link Statistics screen, in the Configuration utility, the Over Prepaid statistic now properly displays as No, under the following conditions:
- You do not set any bandwidth limits when you create the link
- You set the Prepaid Segment, on the Link Weighting screen, to 0 (zero)
Configuring the default gateway pool (CR24717, CR24740)
If you add only one default route when you run the Setup utility, the utility does not create a default gateway pool. If you then add a second link (and route) using the Link Configuration screen in the Configuration utility, the utility creates a default gateway pool and adds the second router to the pool. This process now automatically adds the first default route to the newly-created default gateway pool.
Name field on the Add VLAN Group and VLAN Group Properties pages (CR24719)
The maximum number of characters for a VLAN group name is 15 characters.
Monitor names in the Configuration utility and from the command line (CR24864)
Monitor names typed in the Configuration utility and the command line are no longer limited to 31 characters.
LDAP authentication and user names (CR24880)
If you use LDAP authentication, and you use the user name, user, the system no longer fails to update the configuration.
Audit logs and resetting statistics for services (CR24923)
The audit logs now correctly show the services when you reset statistics with the command b global stats reset.
Resetting statistics for node server (CR24924)
The audit logs now correctly show when you reset the statistics for a node server.
Gratuitous ARPs with MAC masquerading and VLAN failsafe configured (CR24925)
Gratuitous ARPs are now handled correctly in an active/standby redundant scenario with MAC masquerading and VLAN failsafe configured. When the active unit detects no traffic on the VLAN, such as when the cable is unplugged, or the unit is rebooted, the other unit becomes active. When the unit that was demoted to standby reboots, it now sends a gratuitous ARP for its self IP addresses.
SSH key generation now uses hardware random number generators when available (CR24955)
The BIG-IP system now uses hardware random number generators (when available) if you try to log in from an SSH client for which the BIG-IP system does not have a valid key. This increases the security of DSA host keys, and reduces the probability that the key can be guessed or that a random key collision could occur.
Reaper no longer sends RSTs for unaccepted, timed-out connection requests (CR24984)
We have corrected a problem that could be caused if a packet was sent from a client through a virtual server to a server, and the server did not answer before the connection timeout was reached, the reaper sent a reset packet (RST) in both directions.
TCP SYN packet to self IP that matches TIME_WAIT connection now handled correctly (CR24993)
If a TCP SYN packet is received for a self IP, and it matches an old connection that is in TIME_WAIT state (same source and destination address and port), the system no longer deletes the old connection and creates a new one.
Invalid OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the appropriate object identifier (OID) associated with it.
Connection table entry reaping for UDP packets with node address disabled (CR25186)
We have corrected a problem where in rare circumstances, connection table entries were not reaped for UDP packets when the node address was disabled.
MAC masquerade addresses and forcing a system to standby (CR25453)
When you purposefully change the state on a BIG-IP unit in a redundant system from active to standby, the first octet of the MAC address for any self IPs that you have configured no longer changes to 02. This happened only under certain conditions.
Turning off Total Traffic Limit after setting all limits (CR25466)
In the Configuration utility on the Link Configuration screen, you can now turn off the total traffic limit for a link once you have configured a limit for total traffic.
bigpipe interface show command returns data for interfaces (CR25470)
The bigpipe interface show command now returns data for interfaces that are passing traffic.
SNMP: enterprises.ucdavis.memory.* OID now returns valid information (CR25488)
The enterprises.ucdavis.memory.* now returns valid information.
Associating multiple monitors with the same service (CR25572)
You can now associate multiple monitors with the same service with the Configuration utility and not receive the message Error 132 - Monitor template not found.
Logging the forced down state for nodes (CR25614)
When you force a node to the DOWN state using the Configuration utility, or from the command line, the forced down state is now logged in the /var/log/bigd file.
Synchronizing Link Controllers with 3-DNS Controllers (CR25753)
If your network includes both 3-DNS Controllers and Link Controllers, you can add the Link Controllers to the 3-DNS sync group, if you have one configured. For details on adding a Link Controller to a 3-DNS sync group, see the Adding a Link Controller to a 3-DNS sync group section of this PTF note.
New proxy ARP exclusion class (CR25801)
You can now create a proxy ARP exclusion class on the Link Controller, proxy_arp_exclude. Use this class to prevent the Link Controller from generating gratuitous ARP requests to its peer unit when you have a redundant system. To configure the proxy_arp_exclude class, in the navigation pane, click Classes, and then click the Add Class button. (For assistance with the settings, click the Help button.) You can also find information about the proxy_arp_exclude class in the BIG-IP Reference Guide, version 4.5.
If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. We recommend that you configure this feature if you use VLAN groups with a BIG-IP redundant systems. The reason is that both BIG-IP units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents traffic from being proxied through the active BIG-IP due to proxy ARP. This traffic needs to be sent directly to the destination, not proxied.
If you do not configure a proxy ARP exclusion group for systems configured with VLAN groups, you may see problems such as:
- Nodes being marked down for a period of time after a failover.
- The inability to access resources through the active BIG-IP unit when there are multiple physical or logical connections to the same VLAN group (especially likely to be noticed when there are multiple connections between the active and standby BIG-IP units).
Reboot of standby 2400 unit and connectivity with the active unit (CR26078)
We have corrected a problem where in certain cases, on the 2400 platform with network failover configured, rebooting the standby unit in an active/standby redundant configuration caused the active unit to lose existing connections. We recommend that if you require network failover, you configure the admin ports (port number 3.1) for failover.
Multiple VLAN SNATs when virtual servers are fully accelerated (CR26242)
On a platform with the Packet Velocity ASIC, when you have multiple VLAN SNATs configured, they are now partially accelerated when virtual servers are fully accelerated.
The b load command and connection limits (CR26451)
The b load command no longer causes connection limits to break.
The bigpipe command and values for ip_tos (CR26478)
The bigpipe command now limits the possible values for ip_tos to the correct value range (0 - 255).
The OpenSSL package has been upgraded (CR26518)
The OpenSSL package has been upgraded to version 0.9.7a. This upgrade addresses several recent security issues with OpenSSL. For more information on the resolved security issues, see the CERT web site at http://www.cert.org.
Port translation default settings for the Configuration utility and command line (CR26543)
The following settings are the default port translation settings for both the Configuration utility and the command line:
Type of object | Port Translation |
net:* | disabled |
ip:* | disabled |
vlan:* | disabled |
*:* | disabled |
ip:port | enabled |
net:port | enabled |
vlan:port | enabled |
*:port | disabled |
Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic can not pass through the system.
Log rotation for the ITCM.log file (CR26781)
The frequency of the log rotation for the ITCM.log file has been increased from once every 7 days to once every 24 hours. This improves the system efficiency if you are monitoring the controller with the iControl Services Manager.
Admin password for authentication and updating the configuration (CR26824)
The adminpw setting is now saved correctly when you load a configuration using the b config load command.
bge message on reboot (CR26827)
You no longer see the following message when you reboot the 1000 and 5100 series platforms:
bge0: bge_wait_bit_clr timeout: reg=0x468 mask=0x2
Network virtual server loading in a particular order with others on the same subnet (CR26988)
We have corrected a problem that was preventing network virtual servers on the same subnet from working if they were not ordered in the /conf/bigip.conf file in a particular order.
Transaction level on systems monitored by the iControl™ Services Manager (CR27192)
We have reduced the quantity of transactions generated on systems monitored by the iControl Services Manager.
Configuration utility: display warning if product is licensed however the EULA has not been accepted (CR27215)
A warning is now displayed if the system is licensed but you have not accepted the EULA.
Understanding the system_check script
The system_check script is useful for displaying and logging hardware failures. For more information about the system_check script, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
Configuring SYN Check
The new SYN Check™ feature mitigates a particular type of denial-of-service attack known as a SYN flood. A SYN flood is an attack against a system for the purpose of exhausting that systems resources. For more information about configuring the SYN Check feature, refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
Script to set up core capture
We have added a new script to automate core capturing on a BIG-IP system, if the system has a hard drive. The script runs automatically after you install this PTF and reboot the system. It provides functionality to enable and disable core capture.
After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.
You can disable this functionality with the following command:
config_savecore -disable
You can re-enable the functionality with the following command:
config_savecore -enable
Important: As long as this functionality is enabled, you see the message savecore: no core dump during boot time.
Version 4.5 PTF-03
There were no features or fixes for the BIG-IP Link Controller in version 4.5 PTF-03.
Version 4.5 PTF-02
The 4.5 PTF-02 release included the following features and fixes.
Enhancements to inbound load balancing
This PTF adds a new load balancing method, fallback, and two new load balancing modes for the fallback method, drop_packet and explicit_ip. The fallback method and load balancing modes are applicable to inbound load balancing only. The Link Controller uses the fallback method when the preferred and alternate load balancing modes do not provide an available virtual server to return as an answer to a query. When you specify the drop_packet mode, the Link Controller does nothing with the packet, and simply drops the request. (Note that a typical LDNS server iteratively queries other authoritative name servers when it times out on a query.) When you specify the explicit_ip mode, the 3-DNS Controller returns the IP address that you specify as the fallback IP as an answer to the query. Note that the IP address that you specify is not monitored for availability before being returned as an answer. When you use the explicit_ip mode, you can specify a disaster recovery site to return when no load balancing mode returns an available virtual server.
You can configure the fallback method only from the command line. For information on configuring the fallback method and load balancing mode, see the Configuring the fallback method for inbound load balancing section of this PTF note.
UDP checksums and TFTP packets (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.
Resets (RSTs) with incorrect sequence numbers (CR22219)
Resets (RSTs) from aging-out connections no longer cause some connections to hang due to incorrect sequence numbers for the resets.
Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.
iControl BaseServer::get_interfaces function and the 3dnsd process (CR24912)
The following iControl function, ITCMGlobalLB::BaseServer::get_interfaces, no longer causes the 3dnsd process to stop running when you specify an invalid type within the function.
Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.
Invalid metrics statistics and graphs for down remote links (CR25146)
The Link Statistics screen, in the Configuration utility, no longer displays very large, invalid values for remote links that are down (red ball). The link statistics graphs now accurately display the data for both the link that is down, and any available links.
Using a serial terminal as a console (CR25183)
This PTF fixes the serial terminal as the console functionality, as described in the 3-DNS Reference Guide, Chapter 6, Monitoring and Administration, so that it works with all 2U controller platforms.
Version 4.5 PTF-01
The 4.5 PTF-01 release included the following features and fixes.
CA-2002-31, Multiple Vulnerabilities in BIND
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.
Support for the 2400 platform
This release includes enhanced support for the F5 Networks 2400 platform.
Viewing licensing error log files from the Configuration utility (CR25055)
You can now view the log files for errors that occur during the licensing process using the Configuration utility. A View Log File button appears on the licensing screen when the licensing process generates errors.
Optional configuration changes
Once the software is installed, you have the option of making any or all of the following configuration changes.
Adding a Link Controller to a 3-DNS sync group
If you have both 3-DNS Controllers and one or more Link Controllers in your network, you can add the Link Controllers to the 3-DNS Controllers' sync group, in a few simple steps. There are three tasks to adding a Link Controller to a 3-DNS sync group:
- Run the merge_configs script on the sync group's principal controller.
- Add the Link Controller to the sync group using the principal controller's Configuration utility.
- Run the 3dns_add script on the Link Controller.
The following sections explain the specific steps for each of the previous tasks. You must perform these tasks in the order they are listed.
Important: Before you add the Link Controller to the 3-DNS sync group, we recommend that you back up both the 3-DNS configuration and the Link Controller configuration.
To run the merge_configs script
From the command line on the principal 3-DNS Controller, run the merge_configs script by typing the following command, where <ip_address>is the IP address of the Link Controller that you want to add to the sync group.
/usr/local/bin/merge_configs -peer <ip_address>
To make the sync group aware of the Link Controller
Using the Configuration utility on the principal 3-DNS Controller, add the Link Controller to the sync group.
- In the navigation pane, click 3-DNS Sync.
The Synchronization screen opens. - On the toolbar, click Add to Group.
The Add a 3-DNS to a Sync Group screen opens. - Check the box next to the controller that you want to add to the sync group, and click Add.
To add the Link Controller to the sync group and start synchronization
The final step in adding the Link Controller to a 3-DNS sync group is to run the 3dns_add script on the Link Controller. The script moves the synchronized configuration to the Link Controller, and finalizes the sync group setup.
- From the command line of the Link Controller, run the 3dns_add script.
3dns_add
The script runs, and finalizes the setup of the sync group.
Configuring the fallback method for inbound load balancing
You can configure the fallback method using the new load balancing modes either by using the Configuration utility, or by editing the wideip.conf file from the command line. You can specify either the Drop Packet load balancing mode, or the Explicit IP load balancing mode. Note that if you specify the Explicit IP mode, you also specify a fallback IP address.
To configure the fallback method with the Drop Packet mode using the Configuration utility
- In the navigation pane, expand the Link Configuration item, and then click Inbound LB.
The Wide IP list screen opens. - In the Wide IP column, click the name of the wide IP that you want to modify.
The Wide IP Properties screen opens. - Click the Wide IP Load Balancing tab.
The Load Balancing Options screen opens. - In the Fallback box, select Drop Packet.
- Click Apply.
The Configuration utility updates the configuration with the changes.
To configure the fallback method using the drop_packet mode from the command line
- To ensure that the configuration files contain the same information as the memory cache, type the following command:
3ndc dumpdb - Open the /etc/wideip.conf file in a text editor (either vi or pico).
- Use the syntax highlighted in the sample below to configure the fallback method with the drop_packet mode.
- Save and close the file.
- Commit the changes to the configuration by typing:
3ndc reload
wideip { ... pool { name "Pool" dynamic_ratio yes preferred qos alternate rr fallback drop_packet address <vs_ip_address> address <vs_ip_address> |
To configure the fallback method with the Explicit IP mode using the Configuration utility
- In the navigation pane, expand the Link Configuration item, and then click Inbound LB.
The Wide IP list screen opens. - In the Wide IP column, click the name of the wide IP that you want to modify.
The Wide IP Properties screen opens. - Click the Wide IP Load Balancing tab.
The Load Balancing Options screen opens. - In the Fallback box, select Explicit IP.
- In the Fallback IP box, type the IP address for the server or host to which you want the Link Controller to forward the packet.
- Click Apply.
The Configuration utility updates the configuration with the changes.
To configure the fallback method with the explicit_ip mode from the command line
- To ensure that the configuration files contain the same information as the memory cache, type the following command:
3ndc dumpdb - Open the /etc/wideip.conf file in a text editor (either vi or pico).
- Use the syntax highlighted in the sample below to configure the fallback method with the explicit_ip mode.
- Save and close the file.
- Commit the changes to the configuration by typing:
3ndc reload
wideip { ... pool { name "Pool" dynamic_ratio yes preferred qos alternate rr fallback explicit_ip fallback_ip <ip_address> address <vs_ip_address> address <vs_ip_address> |
Known issues
The following items are known issues in the current release.
Setting active-active mode using the web-based Configuration utility (CR19794)
With network failover enabled, you cannot use the Configuration utility to configure active-active mode. When you have network failover enabled, use the command line interface to set active-active mode.
Values for Link Limits (CR20744)
On the Modify Link screen in the Configuration utility, when you type values for bandwidth limits, and you type a number that is not divisible by 8, the Configuration utility rounds the value to the next lowest number that is divisible by 8.
Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity™ ASIC does not generate a TCP reset.
Using the MGMT interface on units that include the Packet Velocity ASIC (CR22599)
It is important that you use the MGMT interface (3.1) for system administration only on units that include the Packet Velocity ASIC. We recommend that you do not use the MGMT interface on a VLAN you plan to use for load balancing traffic.
Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.
Layer 2 (L2) forwarding two VLANs on one interface (CR23460)
When a VLAN group is bridging across the internal and external VLANs with the same IP network on both sides of the BIG-IP system, and you configure only one interface, with VLAN tags for both internal and external VLANs, the network becomes unusable. In this type of configuration, you need to configure one interface for each VLAN in the VLAN group in order for the BIG-IP system to function correctly.
Default route, creating node pools, and gated failures (CR23668)
In rare cases, the default route may be removed if you create a node pool at the same time gated fails. If this happens, run the Setup utility and add the default route back to the configuration. You can run the Setup utility from the command line by typing setup. You can access the Web-based Setup utility from the welcome screen of the Web-based Configuration utility.
Titles for Billing Estimate graphs (CR23770)
When you change the date or time range on the Billing Estimate screen in the Link Statistics, the titles on the graphs do not update to reflect the changes. If you are using Internet Explorer, you can update the titles by holding down the Control key, right-clicking in the screen, and then clicking Refresh. If you are using Netscape Navigator, you can update the titles by holding down the Shift key, right-clicking in the screen, and then clicking Refresh.
Platforms using Broadcom 570x controllers (CR24388, CR25464)
On rare occasions, some platforms using Broadcom 570x controllers may experience short interruptions in network connectivity.
Changing IP addresses on VLANs and updating the administration web server settings (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.
Deleting the Default Gateway Pool using the Setup utility (CR24519)
If you define a default gateway pool using the Setup utility, and then define a virtual server or other network objects on the pool, you will not be able to delete the pool using the Setup utility as long as the pool is in use. In order to delete the pool using the Setup utility, you must first remove all IP addresses and network objects associated with the pool.
TOS or QoS values in FTP data connections (CR24644)
FTP data connections have incorrect TOS or QoS values set. Both values are set to 0.
Viewing wide IPs created in the 3-DNS Controller module from the Link Controller module (CR24842)
Wide IPs that you create in the 3-DNS Controller module that contain more than one pool, display only the first pool of the wide IP in the Inbound LB screen in the Link Controller module. You may encounter this known issue only when you are running a BIG-IP system with both the 3-DNS Controller module and the Link Controller module.
iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET frameworks serialization. For nested structures within arrays, the framework cannot support an empty array represented as a single XML element.
For example, this method does not serialize:
<return type='Array' ArrayType='tns:someType[0]/>
This method does serialize:
<return type='Array' ArrayType='tns:someType[0]></return>
The BIG-IP Link Controller Solutions Guide in the Configuration utility (CR24946)
The BIG-IP Link Controller Solutions Guide is not available from the Welcome screen in the Configuration utility. You can obtain this guide from the Software and Documentation CD by navigating to the /doc directory, and opening the lc_solutions.pdf file. You can also obtain the guide from the AskF5 web site (http://tech.f5.com).
SNAT automap and acceleration (CR24959)
On the 2400 platform, if you configure SNAT automap and do not associate the SNAT with a virtual server, the traffic is not accelerated by the Packet Velocity TM ASIC. Note that you can associate the SNAT with a wildcard virtual server to accelerate any SNAT automap traffic.
Changing the hardware acceleration mode and resetting connections (CR25009)
When you change the hardware acceleration mode for a pool, and there are current connections for the nodes in the pool, the connections do not reset when you use the b conn reset command. The connections do close when they reach their time-to-live (TTL) value.
The b conn dump verbose command and values for packet counts or byte counts (CR25119)
The bigpipe command, b conn dump verbose, displays incorrect values for packet counts and byte counts.
Microsoft® Internet Explorer security settings and the Link Configuration screens (CR25444)
If you are using a browser session in Internet Explorer to view the Configuration utility, and you have changed the security level for the browser to a setting higher than Medium (the default), then the Link Configuration screens do not work properly. The errors in the Link Configuration screens occur because the Link Controller's web server uses cookies. To avoid this error, set the security level for the browser session to Medium or lower.
Configuring SSH access host restrictions (CR25530)
In previous versions, the /etc/ssh3/sshd2_config and /etc/sshd_config files controlled SSH access. Upgrading to version 4.5 ignores previously-configured SSH access restrictions configured in the /etc/ssh3/sshd2_config and /etc/sshd_config files. This upgrade reverts to an SSH access level that allows all hosts to connect. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once you have completed the upgrade. To do this, type the following command to start the Setup utility, and then press Enter:
setup
Choose option (S) Configure SSH, and set the restrictions you prefer.
Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.
VLAN names and syntax errors (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text, vlan, as the initial portion of a VLAN name.
Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see (CR25890).
Using 127.0.0.x as a pool member and network connectivity (CR26184)
If you add a node with an IP address of 127.0.0.x to a pool, the system loses connectivity to the network. The only way to reboot the system after this happens is to use the reboot switch. We recommend that you do not add nodes with this address range to a pool.
Changing iControl settings and restarting the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:
bigstart shutdown portal
bigstart startup
LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do no use spaces in the group names.
Error message for ip_tos values (CR26566)
If you type an invalid value for the ip_tos setting, you see the following incorrect error message: The requested IP TOS value is invalid. [0..65535]. The valid ip_tos values are 0 - 255 or 65536, which returns ip_tos to a blank state.
Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:
/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2
To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file, and change the authtrapenable value to 2, disable.
Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Before you reboot the system, it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If the units are left in this state, traffic cannot pass through the system.
The Setup utility and MAC masquerade settings (CR26922)
The Setup utility, setup, does not preserve MAC masquerade settings. We recommend that you use the bigpipe utility or the web-based Configuration utility to make configuration changes after you have completed your initial setup. However, if you want to use the Setup utility to make changes to the configuration, and you want to preserve the MAC masquerade settings, then after you finish your configuration changes, recreate your MAC masquerade settings with bigpipe or the Configuration utility before you reboot the unit.
Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.
Adding a switch interface to the admin vlan (CR27103)
Adding a switch interface to the admin VLAN causes large volumes of traffic. We recommend that you do not add a switch interface to the admin VLAN.
Load balancing modes and honoring node connection limits (CR27124)
When using the observed_member, predictive_member, predictive, or observed load balancing modes, the member and node addresses do not honor node connection limits.
CompactFlash® media drives and logging for the named daemon (CR27132)
When the named daemon is running, it generates status and usage messages as part of its normal behavior. If you are running the named daemon on a system with a CompactFlash media drive, these messages may fill up the /var/log/messages file. To avoid this, periodically delete the status and usage messages for the named daemon.
RADIUS server configuration and Netscape (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.
User administration for remote authentication using the Configuration utility (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter, and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored, and you must click the Done button in order to add a new user.
UDP packet checksum calculations (CR27240)
The checksum deltas for UDP packets whose initial checksum is 0 (zero) are not calculated correctly, so the BIG-IP system may return traffic to the client with an invalid checksum.
Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility, (setup), does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.
Unsupported system_check tool (CR27354)
Though the system_check script is running on all BIG-IP platforms, it is supported on the IP Application Switch platforms only. This script has no adverse effects on unsupported platforms.
User roles in a redundant system configuration (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is not copied over to the other unit. In order to have the same user roles specified on both units, you must configure this setting on both units in the redundant system.
Configuring ratio as an alternate load balancing method (CR27547)
If you use the Configuration utility to create a wide IP and you configure Ratio load balancing as the alternate method, when you click the Virtual Servers tab, there is currently no option available for setting the ratio value for each member of the wide IP pool. This option is available through the Configuration utility only when you select Ratio as the preferred method. If you have a configuration that uses Ratio as the alternate method, we recommend that you use the command line utility to configure these settings.
Redundant configurations in active/active mode (CR27639)
When you have a BIG-IP redundant system, with both units in active/active mode, the Configuration utility in certain cases may incorrectly display the self IP as unit 1 when it should be unit 2. This issue does not affect the performance of the BIG-IP system.
Copper gigabit NICs and setting media speeds (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the BIG-IP system and the connected switches.
Using the Setup utility to configure the media type for an interface (CR27793)
When you use the Setup utility to configure the media type for an interface, the BIG-IP system does not save this setting when you rerun the Setup utility. You must configure this setting each time you run the Setup utility.
MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive, when all of the following conditions are met:
- You have Java Virtual Machine enabled on a Windows® workstation
- You are using the Configuration utility to configure the system
- You open a MindTerm SSH console session from the navigation pane
- You return to the Configuration utility without closing the MindTerm SSH console
If you experience this problem, you must use the Windows Task Manager to close both the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or close the MindTerm SSH console session before returning to the Configuration utility.
Hops calculations for Hops load balancing mode (CR27878)
The Link Controller is inaccurately calculating the number of hops for the Hops load balancing mode for inbound load balancing. This results in all configured links appearing to use the same number of router hops for inbound traffic. We recommend that you use one of the other load balancing modes for inbound load balancing. Note that this also affects the data for average router hops on the Internet Link Evaluator screen in the Configuration utility.
SNMP version and probing (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.
ICMP monitors and availability status for routers and links (CR27998)
When you configure an ICMP monitor for a link (which also monitors the link's router), and you enable the Any IP setting and the SNAT Automap setting for the wildcard virtual server, the Link Controller may incorrectly mark the availability status for the link (and its router) as down (red ball), and subsequently stop using the link for load balancing. This happens because the Link Controller is using the same self IP address for self traffic and any IP traffic. If you experience this known issue, refer to the ICMP monitors for self IP addresses, wildcard virtual servers, and link status workaround in the following section of this PTF note.
Setup utility and VLAN tag configuration (CR28027)
If you use the Setup utility to configure VLAN tags or add new VLANs with tags and self IPs, and you use the command line utility to modify interfaces after VLAN tags are added, all of the tagged interfaces and associated data (self and shared IPs) are removed from the configuration files. You may need to reconfigure these settings, or use the backup file to restore these settings.
BIG-IP virtual server information and updates to the wideip.conf file (CR28057)
When you add or delete a BIG-IP virtual server, which specifies the same IP address but a different port than an existing virtual server, the Link Controller does not properly make the change in the wideip.conf file.
Deleting links and the Link Statistics screen (CR28072)
In the Configuration utility, the Link Statistics screen incorrectly displays links that have been deleted from the configuration. This issue can occur if you are running the 3-DNS module on a BIG-IP sytem, and you have autoconf with no delete enabled on the 3-DNS Controller, and can affect system functionality as well as display. For instance, if you delete the link on the BIG-IP system/software and the 3-DNS Controller thinks a link exists, then the system does not function properly.
Reconfiguring a standalone system as a unit in a redundant system (CR28116)
If you have a standalone system that you later decide to reconfigure as a unit in a redundant system, the system may experience failures when you reconfigure the networking and IP addresses.
Incorrect product version in log files (CR28133)
The BIG-IP system log files may report the incorrect version of the product. This has no effect on the functionality of the BIG-IP system. To view the correct product version, type cat /VERSION at the command line.
Changes to the checktrap.pl script (28405)
This version of the BIG-IP software includes two changes in the behavior of the checktrap.pl script. First, rebuild events are no longer logged to the alarm_* files. Second, if the very first event is a clear, the BIG-IP system triggers a rebuild, and sends a corresponding "rebuild event" trap, and not a "clear" trap. (See the /etc/snmptrap.conf file for a list of clears.)
LDAP authentication (CR28431)
If you use the Setup utility to configure remote LDAP authentication, and give an LDAP user full read/write and command line utility access, when you log in through the LDAP server as a full access user, certain portions of the Configuration utility may continue to show objects as having Read Only Access.
bigpipe commands that contain invalid trailing arguments (CR28581)
If you type a bigpipe command that contains an invalid trailing argument, the bigpipe utility produces a syntax error, but may run the command anyway. In this situation, the command should fail.
Rerunning the Configure DNS option in the Setup utility and overwriting an existing named.conf file (CR28614)
In the Setup utility (setup), when you rerun the Configure DNS (D) option, you overwrite the existing named.conf file with an empty named.conf file. To avoid this issue, before you rerun the Configure DNS (D) option in the Setup utility, we recommend that you create a backup copy of the named.conf file. Once you have rerun the Configure DNS (D) option, you can copy the contents of the backup copy of the named.conf file into the new named.conf file.
Configuration utility error messages (CR29360)
In rare instances, when you modify the Link Configuration screens in the Configuration utility, you may experience errors. If you click Inbound LB, and then immediately click Links during the config sync process, you may receive the following error:
An error has occurred in the Configuration utility. You may need to restart one or more daemons, or the system, to resolve this error. Contact support for more information.
This type of error may also occur on the target BIG-IP system when you click the links described above, and then are prompted to re-authenticate while the config sync process is still running on the peer BIG-IP system. In rare instances, a white HTML screen may display. If you experience any of these error conditions, you can safely restore the Configuration utility by clicking any of the links under Link Configuration.
Error message in Configuration utility and valid range for VLAN tags (CR29793)
The allowable values for VLAN tags are 1 through 4094. However, if you inadvertently specify a value that is outside of the allowable range, you see the following error message:
Error 335953 -- You have entered an invalid VLAN tag value. VLAN tags must be between 1 and 4096.
The error message incorrectly specifies a range of 1 through 4096, rather than 1 through 4094.
Forwarding non-IP traffic through VLAN groups and redundant systems (CR29806, CR29334)
We introduced the ability to forward non-IP traffic through VLAN groups in BIG-IP version 4.5 PTF-04, and the functionality was enabled by default. When this functionality is enabled, the BIG-IP system also forwards non-IP traffic through both the active and standby units in a redundant system, which can result in a bridge loop. To mitigate this known issue, in this release (version 4.5 PTF-08), we are changing the default setting so that the functionality is disabled by default. If you understand the current limitations of this feature, and want to enable the feature, see Forwarding non-IP traffic through VLAN groups and redundant systems in the Workarounds for known issues section.
IIS6.0 Windows 2003 Server (CR30072) (CR30073) (CR30074)
The BIG-IP system does not currently support the following functionality on Internet Information Services (IIS) 6.0 webserver, which is part of Microsoft® Windows® 2003 server product:
- Real Media monitor
- Dynamic Ratio Load Balancing
- SSL Redirect
Default setting for min_active_members (CR30143)
The default value for min_active_members is incorrect and may cause the BIG-IP system to prioritize traffic incorrectly. The default value for min_active_members is currently set to 0. We recommend that you configure min_active_members to a value of 1 or greater.
bigpipe l2_aging_time setting (CR30152)
When you reboot the Link Controller system, the bigpipe l2_aging_time setting in the bigip_base.conf file returns to the default setting (300).
automap default SNAT and VLAN configuration (CR30153) (CR30585)
The automap default SNAT does not allow you to disable VLANs. If you attempt to disable VLANS on the automap default SNAT, you receive an error message.
Default routes and specifying a router for path probing (CR30310)
When you have not configured a default route, but you specify a router for path probing, the big3d agent ignores the specified route and issues an error message because the agent cannot find a default route. To work around this issue, we recommend that you configure a default route.
Redundant systems and software upgrades from BIG-IP version 4.2, to BIG-IP version 4.5 and later (CR30500)
When you upgrade a standby unit from BIG-IP version 4.2, to BIG-IP version 4.5 and later, the unit is unlicensed for a brief time. During the time that the unit is unlicensed, it may change from standby to active.
The LOAD-BAL-SYSTEM-MIB.txt file and service status object IDs (CR30531)
The LOAD-BAL-SYSTEM-MIB.txt file currently does not have object IDs (OIDs) defined for the up or down status of a service.
Errors disabling VLANs for a default SNAT (CR30585)
When you create a default SNAT using the automap option, and then later try to disable one or more of the default SNAT's enabled VLANs, the system generates an error and the VLANs are not disabled. Note that the error occurs when you make this change using either the Configuration utility or bigpipe.
bigpipe monitor command (CR30600)
You receive a syntax error if you use both <ip addr>:<service> and <ip addr> in the IP list for the bigpipe monitor command <ip list> <enable | disable>.
bigpipe quiet_boot disable command (CR30956)
When you use the bigpipe bp save command, the system does not save the global quiet_boot disable setting in the configuration file.
Configuration utility statistics (CR31009)
The Configuration utility statistics for Max Conn Deny and Memory Usage are inaccurate. We recommend that you use the command line utility to view these statistics.
Viewing the Link Configuration options from the Configuration utility (CR31005) (CR30560)
If you log in to the Link Controller system as one of the following user types: Web Read Only, Partial Web Read/Write, or CLI + Full Web Read Write, you may receive errors when you attempt to view any of the Link Controller-specific options under Link Configuration. In addition, if you log in to the system as a CLI + Full Read/Write user, you may have read-only access to this portion of the Configuration utility. In order for you to view the Link Configuration options from the Configuration utility, we recommend that you log in as a Full Web Read/Write or admin user.
Using the IP address 213.13.118.129:80 (CR31104)
If you add a pool with a member node with the IP address 213.13.118.129:80, when the address and port select a virtual server on the local system, it causes the BIG-IP system to panic and the configuration to be deleted. The issue occurs only when the address and service numbers are 213.13.118.129 and 80 respectively. If you want to avoid this issue, we recommend that you do not assign the IP address 213.13.118.129 to nodes on the BIG-IP system.
The checktrap.pl script and the enterprise OID in traps (CR31119)
When the checktrap.pl script issues traps, it sends the BIG-IP enterprise OID instead of the 3-DNS OID in the trap.
Round trip time and hops no longer work together, nor do UDP and ICMP (CR42529)
The round trip time (RTT) and latency (Hops) Quality of Service (QOS) coefficients no longer work together for QOS probing. If RTT and Hops are configured at the same time, the 3-DNS Controller uses RTT.
For local DNS (LDNS) probing, the 3-DNS Controller does not support using both UDP and ICMP. If you select UDP and ICMP, the 3-DNS Controller removes UDP from the list, and uses ICMP.
Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
Workarounds for known issues
The following sections describe workarounds for some of the known issues listed in the previous section.
Forwarding non-IP traffic through VLAN groups and redundant systems (CR29806, CR29334)
We recommend that you enable this feature only if you fully understand its current limitations.
To forward non-IP traffic through VLAN groups
- Enable non-IP traffic forwarding by typing the following command:
echo "b internal set vlangroup_nonip=1">>/config/routes - If you have a redundant system, type the following command to update the peer unit:
b configsync all
- Reboot the BIG-IP system.
The non-IP traffic forwarding feature is now enabled, and the BIG-IP system will forward non-IP traffic through VLAN groups, and through both the active and the standby units in redundant systems.
ICMP monitors for self IP addresses, wildcard virtual servers, and link status (CR27998)
If you experience the ICMP monitors and availability status for routers and links known issue, described in the previous section, then one of the two following workarounds may help you resolve the issue in your network.
One workaround is to use an additional self IP address in the interfaces list. The additional self IP address needs to have SNAT automap disabled, and needs to be listed before the self IP address that has SNAT automap enabled. If your network is limited by available IP addresses, then you may need to use the second workaround to address this known issue.
The second workaround is to disable the Any IP setting on the wildcard virtual server.