Release Notes : BIG-IP Link Controller version 4.6.2 Release Note

Applies To:


Link Controller

  • 4.6.2
Release Notes
Software Release Date: 08/12/2004
Updated Date: 04/18/2019

Summary:

This release note documents version 4.6.2 of the Link Controller® software. You can apply the software upgrade to version 4.5 and later. For information about installing the software, please refer to the instructions below.

F5 now offers both maintenance-only and new feature releases. Version 4.6.2 is a feature release that is based on version 4.5.10 code. This release includes all features and fixes included in versions 4.5.10 and 4.6.1. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.

Warning: This is a feature release, not a maintenance release. Unless you need specific features that are new to this feature release, please upgrade to the latest maintenance release instead.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • Intel® Pentium® III 550MHz processor
  • 512MB disk drive or CompactFlash® card
  • 256MB RAM

The supported browsers for the Configuration utility are:

  • Microsoft® Internet Explorer 5.0, 5.5, and 6.0
  • Netscape® Navigator 4.7x

Installing the software

Important:  If you are upgrading a Link Controller redundant system, you must upgrade both units. We do not support running different versions on a Link Controller redundant system. Additionally, if you are updating the Link Controller module on a BIG-IP system, refer to the BIG-IP version 4.6.2 note for instructions on installing the upgrade.

Important:  If you are upgrading an IP Application Switch or a Link Controller unit that uses a CompactFlash® media drive, use the installation instructions here.

Note:  If you have installed prior releases, this installation does not overwrite any configuration changes that you made for prior releases.

The following instructions explain how to install the BIG-IP Link Controller software version 4.6.2 onto existing systems running version 4.5 and later. The installation script saves your current configuration.

  1. Go to the Downloads site and locate the BIG-IP 4.6.2 upgrade file, BIGIP_4.6.2_Upgrade.im.

  2. Download the software image and the BIGIP_4.6.2_Upgrade.md5 file.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  3. If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.

  4. Check the md5 of the upgrade file by typing the following commands:

    md5 BIGIP_4.6.2_Upgrade.im

    cat BIGIP_4.6.2_Upgrade.md5

    The two md5 values should be identical.

  5. Install the IM by typing the following command:

    im BIGIP_4.6.2_Upgrade.im

    The Link Controller automatically reboots once it completes installation.

To upgrade an IP Application Switch or a CompactFlash media drive, use the following process.

  1. Create a memory file system by typing the following command:

    mount_mfs -s 200000 /mnt

  2. Go to the Downloads site and locate the BIG-IP 4.6.2 upgrade file, BIGIP_4.6.2_Upgrade.im.

  3. Download the software image and the BIGIP_4.6.2_Upgrade.md5 file.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  4. If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.

  5. Check the md5 of the upgrade file by typing the following commands:

    md5 BIGIP_4.6.2_Upgrade.im
    cat BIGIP_4.6.2_Upgrade.md5

    The two md5 values should be identical.

  6. On the BIG-IP unit, run the im upgrade script:

    im /mnt/BIGIP_4.6.2_Upgrade.im

    The Link Controller automatically reboots once it completes installation.

Note:  This procedure provides over 90MB of temporary space on /mnt.  The partition and the im package file are deleted upon rebooting.


Activating the license

Once you install the upgrade and connect the unit to the network, you need a valid license certificate to activate the software. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.

The registration key is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license.

The dossier is obtained from the software, and is an encrypted list of key characteristics used to identify the platform.

You can obtain a license certificate using one of the following methods:

  • Automatic license activation

    You perform automatic license activation from the command line or from the web-based Configuration utility of an upgraded unit. This method automatically retrieves and submits the dossier to the F5 license server, as well as installs the signed license certificate. In order for you to use this method, the unit must be installed on a network with Internet access.

  • Manual license activation

    You perform manual license activation from the Configuration utility, which is the software user interface. With this method, you submit the dossier to, and retrieve the signed license file from, the F5 license server manually. In order for you to use this method, the administrative workstation must have Internet access.

Note:  You can open the Configuration utility with Netscape Navigator version 4.7x, or Microsoft Internet Explorer version 5.0, 5.5, or 6.0.

To automatically activate a license from the command line for first time installation

  1. Type the user name root and the password default at the logon prompt.

  2. At the prompt, type license. The following prompts display:

    IP:
    Netmask:
    Default Route:
    Select interface to use to retrieve license:


    The unit uses this information to make an Internet connection to the license server.

  3. After you type the Internet connection information, continue to the following prompt:

    The Registration Key should have been included with the software or given when the order was placed. Do you have your Registration Key? [Y/N]:

    Type Y, and the following prompt displays:

    Registration Key:

  4. Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.

    The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.

  5. You are asked to accept the End User License Agreement.

    The system is not fully functional until you accept this agreement.

  6. You are prompted to reboot the system. Press Enter to reboot.

    The system is not fully functional until you reboot.

To automatically activate a license from the command line for upgrades

  1. Type your user name and password at the logon prompt.

  2. At the prompt, type setup.

  3. Choose menu option L.

  4. The following prompt displays:

    Number of keys: 1

    If you have more than one registration key, enter the appropriate number.

  5. The following prompt displays:

    Registration Key:

    Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.

    The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.

  6. When you are finished with the licensing process, type the following command to restart the services on the system:

    bigstart restart

To manually activate a license using the Configuration utility

  1. Open the Configuration utility according to the type of BIG-IP unit you are licensing:

    • If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.

    • If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the unit's local area network.
  2. Type the user name and password, based on the type of BIG-IP unit you are licensing:

    • If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.

    • If you are licensing a new BIG-IP system, type the user name root, and the password default at the logon prompt.

    The Configuration utility menu displays.

  3. Click License Utility to open the License Administration screen.

  4. In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Manual Authorization.

  5. At the Manual Authorization screen, retrieve the dossier using one of the following methods:

    • Copy the entire contents of the Product Dossier box.

    • Click Download Product Dossier, and save the dossier to the hard drive.
  6. Click the link in the License Server box.

    The Activate F5 License screen opens in a new browser window.

  7. From the Activate F5 License screen, submit the dossier using one of the following methods:

    • Paste the data you just copied into the Enter your dossier box, and click Activate.

    • At the Product Dossier box, click Browse to locate the dossier on the hard drive, and then click Activate.
    The screen returns a signed license file.

  8. Retrieve the license file using one of the following methods:

    • Copy the entire contents of the signed license file.

    • Click Download license, and save the license file to the hard drive.
  9. Return to the Manual Authorization screen, and click Continue.

  10. At the Install License screen, submit the license file using one of the following methods:

    • Paste the data you copied into the License Server Output box, and click Install License.

    • At the License File box, click Browse to locate the license file on the hard drive, and then click Install License.
    The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.

  11. Click License Terms, review the EULA, and accept it.

  12. At the Reboot Prompt screen, select when you want to reboot the platform.

    License activation is complete only after rebooting.

To automatically activate a license using the Configuration utility

  1. Open the Configuration utility according to the type of BIG-IP unit you are licensing:

    • If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.

    • If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the unit's local area network.
  2. Type the name and password, based on what type of BIG-IP unit you are licensing:

    • If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.

    • If you are licensing a new BIG-IP unit, type the user name root, and the password default at the logon prompt.
    The Configuration utility menu displays.

  3. Click License Utility to open the License Administration screen.

  4. In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Automated Authorization.

    The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.

  5. Click License Terms, review the EULA, and accept it.

  6. At the Reboot Prompt screen, select when you want to reboot the platform.

    License activation is complete only after rebooting.

New features and fixes in this release

This release includes the following new features and fixes.

System statistics screen  (CR28085)
This release includes a System Graph Statistics screen in the Configuration utility that displays statistics about the BIG-IP system in a graphical format so that you can view changes and trends in statistics over time. The System Graph Statistics screen displays statistics including CPU usage, memory usage, throughput, connections per second, and packets per second.
To view the System Graph Statistics screen, in the left pane of the Configuration utility, click Statistics and then click System Graphs.

ARP requests with incorrect source protocol IP address  (CR34526)
The BIG-IP system no longer uses inactive floating self-IP addresses or virtual server addresses in the source protocol address field for ARP requests. If the system cannot generate an ARP request because there is no usable IP address available on a VLAN, the BIG-IP system logs the following warning message to /var/log/messages:

kernel: arpresolve: no usable src addr on iface: <interface_index>

The system may log this message during a config sync from active to standby or during a configuration load on the standby unit. The system may also log this message on BIG-IP systems that have a VLAN configured with only floating self-IP addresses; this type of configuration is not supported.

Support for BIND 9.2.2 
This version of the BIG-IP software includes the BIND DNS server version 9.2.2. This version of the BIND software contains security enhancements as well as DNS protocol enhancements. For added security, the named utility now runs in a chroot environment. This version of the Link Controller software does not support A6 or IPv6 (AAAA) records.

Important:  If you are currently using BIND version 8, be aware that the file system layout has changed and there are new executables and scripts in version 9.2.2. If you have named.conf or zone-files stored in non-standard locations, you need to move these files before you upgrade to this version of the software. For more information, see BIND 9 file system migration in the Required configuration changes section of this release note.

RSA SecurID authentication 
This version of the BIG-IP software includes support for RSA SecurID® authentication, the remote authentication protocol used by RSA ACE/Server® software. RSA SecurID authentication is a two-part authentication mechanism that requires both a user ID and a passcode that changes every 60 seconds. For more information on RSA SecurID authentication, please see http://www.rsasecurity.com/node.asp?id=1156. To configure RSA SecurID authentication, see Configuring RSA SecurID authentication in the Optional configuration changes section of this release note.

Version rollback script 
This release includes a rollback script that allows you to return to the previous version of the BIG-IP software after you upgrade. This script is designed to allow you to roll back the software version in instances where you upgrade before you discover that the new version of the software is incompatible with your specific network configuration. You can use the script to return only within the major version (see SOL4476: BIG-IP Software Lifecycle Policy) of the BIG-IP software that was installed on the system prior to the upgrade. Any configuration changes you make after the upgrade are lost when you run the rollback script.

To use the rollback feature you must create a rollback IM package before you upgrade to a different version of the software.

To create a rollback IM package in /var/tmp/rb using the version 4.6.3 mkrb file, use the following procedure:

  1. Change your directory to /var/tmp by typing the following command:

    cd /var/tmp

  2. Extract the mkrb file from the 4.6.2 upgrade package by typing the following command:

    tar -C / -xzf <version>_Upgrade.im usr/local/bin/mkrb

  3. Create the necessary rollback files by typing the following command:

    /usr/local/bin/mkrb <version>_Upgrade.im

This creates an IM package that you can run on the BIG-IP system if you want to return to the previous version of the software. The IM upgrade package you create is located in the /var/tmp/rb directory.
To install the rollback IM package, type the following commands:

cd /var/tmp/rb
im <rollback_im_package_name>.im

Note:  If you install the rollback package created by the script and decide that you want to upgrade to a later version of the software in the future, you will need to use the im -force /var/tmp/rb/<rollback_im_package_name>.im command to install the IM package.

named watchdog 
A new variable is included in this release that initiates a failover and restarts the named utility if the named utility fails for any reason. You can enable this variable using the command line utility. Use the following command to enable this feature:

bigpipe db set "Common.Bigip.Failover.OnNamedFail" = true

After you enable or disable this variable, we recommend that you start, stop, and restart the named utility using the following commands:

bigstart startup named
bigstart shutdown named
bigstart restart named

Support for TFTP 
This version of the BIG-IP software includes support for TFTP (Trivial File Transport Protocol rev 2, RFC 1350) traffic control. TFTP configuration objects must use TFTP port 69.

System health monitor timing 
The algorithm used by the BIG-IP system to perform health monitoring at offset intervals in order to prevent spikes in CPU consumption is improved in this release.

SNMP link up/down traps 
New SNMP traps are included in this release. Traps are now issued each time a link goes up or down. The new traps are loadBalTrapLinkUp and loadBalTrapLinkDown.


Features and fixes released in prior releases

The current release includes the features and fixes that were distributed in prior feature releases, as listed below.

Version 4.6.1

The OpenSSL package has been upgraded to version 0.9.7d (CR33306) (CR33755)
The OpenSSL package has been upgraded to version 0.9.7d. This upgrade addresses several recent security issues with OpenSSL described in Technical Cyber Security Alert TA04-078A. This version addresses CERT vulnerabilities VU#288574 and VU#484726. For more information on the resolved security issues, see http://www.us-cert.gov/cas/techalerts/TA04-078A.html.

Version 4.6

Passing ICMP packets through a SNAT  (CR25315)
This release includes improvements in the way the BIG-IP system handles ICMP echo replies through a SNAT.

When two clients each send an ICMP echo through a SNAT on the BIG-IP system, the system now routes the ICMP echo replies and the ICMP time exceeded message back to the correct client.

In addition, when the BIG-IP system is configured to perform ICMP monitoring, and a client sends an ICMP echo through SNAT automap on the BIG-IP system, the system now correctly routes replies to either the BIG-IP system or the client, as appropriate.


Required configuration changes

Once you have installed the software, you must make the following required configuration changes, if appropriate.

BIND 9 file system migration
If you are currently using BIND version 8, be aware that the file system layout has changed and there are new executables and scripts included in version 9. If you have named.conf or zone-files stored in non-standard locations, you need to move these files before you upgrade to this version of the software. If you have edited the named.conf or zone-files by hand, the named.conf files may not work properly when you upgrade. The BIG-IP system runs a check after upgrade to make sure that the named.conf and zone-files are working correctly. If the BIG-IP system detects problems converting these files, the system displays an error message in the Configuration utility, and logs error messages to the /var/named/etc/conversion.log log file. The table below lists the F5 standard file locations for BIND versions 8 and 9.

BIND 8             BIND 9                       File
/etc/named.conf    /var/named/etc/named.conf    Main configuration file
/etc/namedb        /var/named/etc/namedb        Zone files
ndc                rndc                         ndc utility

BIND 9 does not support the ndc utility. The ndc utility is replaced with the rndc utility in this release. You can use the rndc utility to stop or re-load the configuration. However, we do not recommend using the rndc utility to start named. You should use the bigstart named or sod-named commands to start named.


Removing a controller from a sync group

If you are upgrading a Link Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the upgrade. Once you have removed the controller from the sync group, you can proceed with the upgrade installation. Once you have upgraded all controllers to the same version, you can then re-create the sync group.

Note: You can remove the Link Controller from the sync group only from the Sync Group screen on a 3-DNS Controller. We recommend that you perform this task from the principal controller.

To remove a controller from a sync group using the Configuration utility

  1. In the navigation pane of the principal controller, click 3-DNS Sync.

    The Synchronization screen opens.

  2. In the Remove column, next to the controller that you want to remove from the sync group, click the Remove button.

    A popup screen opens to confirm the removal of the controller.

  3. Click OK.

    The screen refreshes, and the controller is no longer listed as a member of the sync group.

  4. Repeat these tasks for any additional sync group members that you want to remove from the sync group.

Alternately, you can remove the entire sync group, instead of removing the controllers one at a time.

To remove an entire sync group using the Configuration utility

  1. In the navigation pane of the principal controller, click 3-DNS Sync.

    The Synchronization screen opens.

  2. On the toolbar, click Remove this Group.

    A popup screen opens to confirm the removal of the sync group.

  3. Click OK.

    The screen refreshes, and the Add a New Sync Group screen opens, where you can re-create the sync group once you have upgraded the software on all of the 3-DNS Controllers and Link Controllers that belong to the sync group.

Optional configuration changes

Once you have installed the software, you can use any of the following new configuration options to update your configuration.

Configuring RSA SecurID authentication
You can now configure an external (remote) RSA SecurID authentication server to manage user authentication for the 3-DNS system. When you enable RSA SecurID authentication, all users subsequently attempting to log on to a 3-DNS system must enter a user ID and a PASSCODE that changes every 60 seconds, which are checked against user data stored on the RSA SecurID authentication server. If the user password and authenticator are found and verified on the RSA SecurID authentication server, the user is authenticated. In the event that authentication fails with an external RSA SecurID authentication server, you can log in with local accounts, such as the root and admin accounts.

Use the following procedure to configure RSA SecurID authentication on the BIG-IP system.

  1. At the command line utility, type config.

    The Initial Setup menu displays.

  2. Select C to configure remote authentication.

  3. When prompted whether you want to change your current configuration, type Y to continue.

  4. You are asked to select the type of remote authentication used on the system. Select SecurID and press Enter.

  5. Follow the prompts and type Q to quit the Setup utility.

  6. If you chose to configure RSA SecurID Authentication (Web UI) / RADIUS (CLI/iControl) then you need to type the following db key, at the command line:

    bigpipe db set Local.Bigip.FTB.authType = "SECURID"

  7. Once you enable RSA SecurID authentication on the 3-DNS system, you must use the Configuration utility to complete the configuration. Open a browser session, and in the left pane of the Configuration utility, click System Admin.

    The User Administration screen displays.

  8. Click the RSA SecurID® Authentication Configuration link. This link displays only if RSA SecurID authentication is enabled on the 3-DNS system.

    The SecurID Configuration screen displays.

  9. To configure remote RSA SecurID authentication, you need to install the RSA SecurID authentication sdconf.rec configuration file on the 3-DNS system. This file is generated on the RSA ACE/Server, and is usually called sdconf.rec. You need to transfer the sdconf.rec file to your Windows system before you can import it to the 3-DNS system.

    On the SecurID Configuration screen, click the Browse button to locate the sdconf.rec file, and click Install to config/ace/sdconf.rec to upload the configuration file. For information on generating the sdconf.rec file, please see the ACE/Server documentation included with the ACE/Server.

  10. Once you upload the sdconf.rec file to the 3-DNS system, you need to restart httpd from the command line. Restart httpd by typing the following command:

    bigstart restart httpd

  11. After you enable RSA SecurID authentication and upload the configuration file, you need to set the authorization level, or role, for each user you want to allow to access the 3-DNS system. Add an account and role for each user in the User Administration screen of the Configuration utility. Since the RSA SecurID authentication server handles the password authentication, you do not need to enter a password for these users. For detailed instructions on setting roles for users, see the 3-DNS Reference Guide.


Known issues

The following items are known issues in the current release. Maintenance release known issues are cumulative, and include all known issues for a release.

Setting active-active mode using the web-based Configuration utility  (CR19794)
With network failover enabled, you cannot use the Configuration utility to configure active-active mode. When you have network failover enabled, use the command line interface to set active-active mode.

Values for Link Limits  (CR20744)
On the Modify Link screen in the Configuration utility, when you type values for bandwidth limits, and you type a number that is not divisible by 8, the Configuration utility rounds the value to the next lowest number that is divisible by 8.

Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity™ ASIC does not generate a TCP reset.

Using the MGMT interface on units that include the Packet Velocity ASIC (CR22599)
It is important that you use the MGMT interface (3.1) for system administration only on units that include the Packet Velocity ASIC. We recommend that you do not use the MGMT interface on a VLAN you plan to use for load balancing traffic.

Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.

Layer 2 (L2) forwarding two VLANs on one interface  (CR23460)
When a VLAN group is bridging across the internal and external VLANs with the same IP network on both sides of the BIG-IP system, and you configure only one interface, with VLAN tags for both internal and external VLANs, the network becomes unusable. In this type of configuration, you need to configure one interface for each VLAN in the VLAN group in order for the BIG-IP system to function correctly.

Titles for Billing Estimate graphs (CR23770)
When you change the date or time range on the Billing Estimate screen in the Link Statistics, the titles on the graphs do not update to reflect the changes. If you are using Internet Explorer, you can update the titles by holding down the Control key, right-clicking in the screen, and then clicking Refresh. If you are using Netscape Navigator, you can update the titles by holding down the Shift key, right-clicking in the screen, and then clicking Refresh.

Platforms using Broadcom 570x controllers (CR24388, CR25464)
On rare occasions, some platforms using Broadcom 570x controllers may experience short interruptions in network connectivity.

Changing IP addresses on VLANs and updating the administration web server settings (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.

Deleting the Default Gateway Pool using the Setup utility   (CR24519)
If you define a default gateway pool using the Setup utility, and then define a virtual server or other network objects on the pool, you will not be able to delete the pool using the Setup utility as long as the pool is in use. In order to delete the pool using the Setup utility, you must first remove all IP addresses and network objects associated with the pool.

TOS or QoS values in FTP data connections (CR24644)
FTP data connections have incorrect TOS or QoS values set. Both values are set to 0.

Viewing wide IPs created in the 3-DNS Controller module from the Link Controller module (CR24842)
Wide IPs that you create in the 3-DNS Controller module that contain more than one pool, display only the first pool of the wide IP in the Inbound LB screen in the Link Controller module. You may encounter this known issue only when you are running a BIG-IP system with both the 3-DNS Controller module and the Link Controller module.

iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET framework's serialization. For nested structures within arrays, the framework cannot support an empty array represented as a single XML element.

For example, this method does not serialize:
<return type='Array' ArrayType='tns:someType[0]'/>

This method does serialize:
<return type='Array' ArrayType='tns:someType[0]'></return>

The BIG-IP Link Controller Solutions Guide in the Configuration utility (CR24946)
The BIG-IP Link Controller Solutions Guide is not available from the Welcome screen in the Configuration utility. You can obtain this guide from the Software and Documentation CD by navigating to the /doc directory, and opening the lc_solutions.pdf file. You can also obtain the guide from the AskF5 web site (http://tech.f5.com).

SNAT automap and acceleration (CR24959)
On the 2400 platform, if you configure SNAT automap and do not associate the SNAT with a virtual server, the traffic is not accelerated by the Packet Velocity™ ASIC. Note that you can associate the SNAT with a wildcard virtual server to accelerate any SNAT automap traffic.

Changing the hardware acceleration mode and resetting connections (CR25009)
When you change the hardware acceleration mode for a pool, and there are current connections for the nodes in the pool, the connections do not reset when you use the b conn reset command. The connections do close when they reach their time-to-live (TTL) value.

The b conn dump verbose command and values for packet counts or byte counts (CR25119)
The bigpipe command, b conn dump verbose, displays incorrect values for packet counts and byte counts.

Microsoft® Internet Explorer security settings and the Link Configuration screens (CR25444)
If you are using a browser session in Internet Explorer to view the Configuration utility, and you have changed the security level for the browser to a setting higher than Medium (the default), then the Link Configuration screens do not work properly. The errors in the Link Configuration screens occur because the Link Controller's web server uses cookies. To avoid this error, set the security level for the browser session to Medium or lower.

Configuring SSH access host restrictions (CR25530)
In previous versions, the /etc/ssh3/sshd2_config and /etc/sshd_config files controlled SSH access. Upgrading to version 4.5 ignores previously-configured SSH access restrictions configured in the /etc/ssh3/sshd2_config and /etc/sshd_config files. This upgrade reverts to an SSH access level that allows all hosts to connect. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once you have completed the upgrade. To do this, type the following command to start the Setup utility, and then press Enter:

setup

Choose option (S) Configure SSH, and set the restrictions you prefer.

Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.
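
A post-upgrade check for the two SSH issues above (CR25530 and CR25821), added here as an example and not taken from F5: it reads a copy of the hosts.allow file and reports SSH rules that admit every host, plus any expected support address that is not listed. It assumes standard TCP wrappers syntax and an SSH daemon name beginning with sshd; the sample file contents and addresses are constructed.

```python
import re

# Assumption: the SSH daemon appears in hosts.allow under a name starting
# with "sshd"; the wildcard ALL in the daemon list covers it as well.
SSH_DAEMON = re.compile(r"^(sshd\w*|ALL)(@.*)?$", re.IGNORECASE)


def logical_lines(text):
    """Yield (line_number, rule), joining backslash continuations and
    skipping blank lines and lines that begin with '#'."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        start = start or num
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        first, start = start, None
        if line and not line.startswith("#"):
            yield first, line


def split_list(field):
    """Return (granted, excepted) patterns from a daemon or client list."""
    tokens = [t for t in re.split(r"[,\s]+", field.strip()) if t]
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        cut = upper.index("EXCEPT")
        return tokens[:cut], tokens[cut + 1:]
    return tokens, []


def is_ssh(name):
    return bool(SSH_DAEMON.match(name))


def audit_ssh_access(text, required_clients=()):
    """Audit hosts.allow content (IPv4 rules only).

    open_to_all: line numbers of rules that admit every host to SSH
    allowed:     client patterns granted SSH access
    missing:     required_clients that no SSH rule lists explicitly
    """
    open_to_all, allowed = [], []
    for num, line in logical_lines(text):
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            continue  # not a daemon_list : client_list rule
        if len(fields) == 3 and fields[2].lower().startswith("deny"):
            continue  # extended option syntax: this rule denies access
        daemons, excepted = split_list(fields[0])
        if not any(is_ssh(d) for d in daemons):
            continue
        if any(is_ssh(d) and d.upper() != "ALL" for d in excepted):
            continue  # for example "ALL EXCEPT sshd"
        clients, _ = split_list(fields[1])
        allowed.extend(clients)
        if any(c.upper() == "ALL" for c in clients):
            open_to_all.append(num)
    missing = [c for c in required_clients if c not in allowed]
    return {"open_to_all": open_to_all, "allowed": allowed, "missing": missing}


# Constructed sample: SSH access reset to all hosts by the upgrade.
AFTER_UPGRADE = """\
# hosts.allow (constructed sample)
sshd : ALL
snmpd : 10.1.1.0/255.255.255.0
"""

# Constructed sample: restrictions re-applied with Setup option (S).
RESTRICTED = """\
sshd : 10.1.1.0/255.255.255.0, \\
       192.0.2.10
"""

if __name__ == "__main__":
    support = ["192.0.2.10"]  # constructed support address
    for name, text in (("after upgrade", AFTER_UPGRADE), ("restricted", RESTRICTED)):
        print(name, audit_ssh_access(text, support))
```

A non-empty open_to_all or missing list means option (S) Configure SSH in the Setup utility still needs to be run.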

VLAN names and syntax errors (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text, vlan, as the initial portion of a VLAN name.

Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see (CR25890).

Using 127.0.0.x as a pool member and network connectivity (CR26184)
If you add a node with an IP address of 127.0.0.x to a pool, the system loses connectivity to the network. The only way to reboot the system after this happens is to use the reboot switch. We recommend that you do not add nodes with this address range to a pool.

Changing iControl settings and restarting the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:

bigstart shutdown portal
bigstart startup

LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do not use spaces in the group names.

Error message for ip_tos values (CR26566)
If you type an invalid value for the ip_tos setting, you see the following incorrect error message: The requested IP TOS value is invalid. [0..65535]. The valid ip_tos values are 0 - 255 or 65536, which returns ip_tos to a blank state.

Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:

/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2

To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file, and change the authtrapenable value to 2 (disable).

Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Before you reboot the system, it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If the units are left in this state, traffic cannot pass through the system.

The Setup utility and MAC masquerade settings (CR26922)
The Setup utility, setup, does not preserve MAC masquerade settings. We recommend that you use the bigpipe utility or the web-based Configuration utility to make configuration changes after you have completed your initial setup. However, if you want to use the Setup utility to make changes to the configuration, and you want to preserve the MAC masquerade settings, then after you finish your configuration changes, recreate your MAC masquerade settings with bigpipe or the Configuration utility before you reboot the unit.

Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.

Adding a switch interface to the admin VLAN (CR27103)
Adding a switch interface to the admin VLAN causes large volumes of traffic. We recommend that you do not add a switch interface to the admin VLAN.

Load balancing modes and honoring node connection limits  (CR27124)
When using the observed_member, predictive_member, predictive, or observed load balancing modes, the member and node addresses do not honor node connection limits.

CompactFlash® media drives and logging for the named daemon (CR27132)
When the named daemon is running, it generates status and usage messages as part of its normal behavior. If you are running the named daemon on a system with a CompactFlash media drive, these messages may fill up the /var/log/messages file. To avoid this, periodically delete the status and usage messages for the named daemon.

RADIUS server configuration and Netscape  (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.

User administration for remote authentication using the Configuration utility  (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter, and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored, and you must click the Done button in order to add a new user.

UDP packet checksum calculations  (CR27240)
The checksum deltas for UDP packets whose initial checksum is 0 (zero) are not calculated correctly, so the BIG-IP system may return traffic to the client with an invalid checksum.
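
The failure mode behind this issue, shown as an added example that is not BIG-IP code: address translation normally patches the UDP checksum incrementally (RFC 1624), but a checksum field of 0 means the sender computed none (RFC 768), so a delta applied to it produces a value the receiver rejects. Addresses, ports and payload are constructed, and translate_naive is an assumed illustration of the defect, not F5's implementation.

```python
import ipaddress
import struct


def fold(total):
    """Fold carries back in: ones' complement 16-bit addition."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def words(data):
    """Split bytes into big-endian 16-bit words, zero-padding odd lengths."""
    if len(data) % 2:
        data += b"\x00"
    return struct.unpack("!%dH" % (len(data) // 2), data)


def packed(ip):
    return ipaddress.IPv4Address(ip).packed


def udp_checksum(src, dst, sport, dport, payload):
    """Full RFC 768 checksum over pseudo-header, UDP header and payload."""
    length = 8 + len(payload)
    pseudo = packed(src) + packed(dst) + struct.pack("!BBH", 0, 17, length)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ~fold(sum(words(pseudo + header + payload))) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 means "none"


def apply_delta(csum, old, new):
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), for each changed word."""
    total = ~csum & 0xFFFF
    for m, m_new in zip(words(old), words(new)):
        total += (~m & 0xFFFF) + m_new
    return (~fold(total) & 0xFFFF) or 0xFFFF


def translate_naive(csum, old_ip, new_ip):
    """Assumed defect: the delta is applied even when the field is 0."""
    return apply_delta(csum, packed(old_ip), packed(new_ip))


def translate(csum, old_ip, new_ip):
    """Correct handling: 0 means no checksum was computed, so keep 0."""
    return 0 if csum == 0 else translate_naive(csum, old_ip, new_ip)


def receiver_accepts(src, dst, sport, dport, payload, csum):
    """An IPv4 receiver skips verification when the field is 0."""
    return csum == 0 or csum == udp_checksum(src, dst, sport, dport, payload)


# Constructed flow: client -> virtual server, translated to a node address.
CLIENT, VIP, NODE = "198.51.100.7", "192.0.2.80", "10.1.1.20"
SPORT, DPORT, PAYLOAD = 40000, 53, b"constructed"

if __name__ == "__main__":
    sent = udp_checksum(CLIENT, VIP, SPORT, DPORT, PAYLOAD)
    for label, field in (("checksummed", sent), ("no checksum", 0)):
        for fn in (translate_naive, translate):
            out = fn(field, VIP, NODE)
            ok = receiver_accepts(CLIENT, NODE, SPORT, DPORT, PAYLOAD, out)
            print("%-12s %-16s 0x%04x accepted=%s" % (label, fn.__name__, out, ok))
```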

Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility (setup) does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.

Unsupported system_check tool  (CR27354)
Though the system_check script is running on all BIG-IP platforms, it is supported on the IP Application Switch platforms only. This script has no adverse effects on unsupported platforms.

User roles in a redundant system configuration  (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is not copied over to the other unit. In order to have the same user roles specified on both units, you must configure this setting on both units in the redundant system.

Configuring ratio as an alternate load balancing method  (CR27547)
If you use the Configuration utility to create a wide IP and you configure Ratio load balancing as the alternate method, when you click the Virtual Servers tab, there is currently no option available for setting the ratio value for each member of the wide IP pool. This option is available through the Configuration utility only when you select Ratio as the preferred method. If you have a configuration that uses Ratio as the alternate method, we recommend that you use the command line utility to configure these settings.

Redundant configurations in active/active mode  (CR27639)
When you have a BIG-IP redundant system, with both units in active/active mode, the Configuration utility in certain cases may incorrectly display the self IP as unit 1 when it should be unit 2. This issue does not affect the performance of the BIG-IP system.

Copper gigabit NICs and setting media speeds  (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the BIG-IP system and the connected switches.

Using the Setup utility to configure the media type for an interface  (CR27793)
When you use the Setup utility to configure the media type for an interface, the BIG-IP system does not save this setting when you rerun the Setup utility. You must configure this setting each time you run the Setup utility.

MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive, when all of the following conditions are met:

  • You have Java Virtual Machine enabled on a Windows® workstation

  • You are using the Configuration utility to configure the system

  • You open a MindTerm SSH console session from the navigation pane

  • You return to the Configuration utility without closing the MindTerm SSH console

If you experience this problem, you must use the Windows Task Manager to close both the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or close the MindTerm SSH console session before returning to the Configuration utility.

Hops calculations for Hops load balancing mode (CR27878)
The Link Controller is inaccurately calculating the number of hops for the Hops load balancing mode for inbound load balancing. This results in all configured links appearing to use the same number of router hops for inbound traffic. We recommend that you use one of the other load balancing modes for inbound load balancing. Note that this also affects the data for average router hops on the Internet Link Evaluator screen in the Configuration utility.

SNMP version and probing (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.

ICMP monitors and availability status for routers and links (CR27998)
When you configure an ICMP monitor for a link (which also monitors the link's router), and you enable the Any IP setting and the SNAT Automap setting for the wildcard virtual server, the Link Controller may incorrectly mark the availability status for the link (and its router) as down (red ball), and subsequently stop using the link for load balancing. This happens because the Link Controller is using the same self IP address for self traffic and any IP traffic. If you experience this known issue, refer to the ICMP monitors for self IP addresses, wildcard virtual servers, and link status workaround in the following section of this PTF note.

Setup utility and VLAN tag configuration  (CR28027)
If you use the Setup utility to configure VLAN tags or add new VLANs with tags and self IPs, and you use the command line utility to modify interfaces after VLAN tags are added, all of the tagged interfaces and associated data (self and shared IPs) are removed from the configuration files. You may need to reconfigure these settings, or use the backup file to restore these settings.

BIG-IP virtual server information and updates to the wideip.conf file (CR28057)
When you add or delete a BIG-IP virtual server, which specifies the same IP address but a different port than an existing virtual server, the Link Controller does not properly make the change in the wideip.conf file.

Deleting links and the Link Statistics screen  (CR28072)
In the Configuration utility, the Link Statistics screen incorrectly displays links that have been deleted from the configuration. This issue can occur if you are running the 3-DNS module on a BIG-IP system, and you have autoconf with no delete enabled on the 3-DNS Controller, and can affect system functionality as well as display. For instance, if you delete the link on the BIG-IP system/software and the 3-DNS Controller thinks a link exists, then the system does not function properly.

Reconfiguring a standalone system as a unit in a redundant system (CR28116)
If you have a standalone system that you later decide to reconfigure as a unit in a redundant system, the system may experience failures when you reconfigure the networking and IP addresses.

Incorrect product version in log files  (CR28133)
The BIG-IP system log files may report the incorrect version of the product. This has no effect on the functionality of the BIG-IP system. To view the correct product version, type cat /VERSION at the command line.

Changes to the checktrap.pl script  (28405)
This version of the BIG-IP software includes two changes in the behavior of the checktrap.pl script. First, rebuild events are no longer logged to the alarm_* files. Second, if the very first event is a clear, the BIG-IP system triggers a rebuild, and sends a corresponding "rebuild event" trap, and not a "clear" trap. (See the /etc/snmptrap.conf file for a list of clears.)

LDAP authentication  (CR28431)
If you use the Setup utility to configure remote LDAP authentication, and give an LDAP user full read/write and command line utility access, when you log in through the LDAP server as a full access user, certain portions of the Configuration utility may continue to show objects as having Read Only Access.

bigpipe commands that contain invalid trailing arguments  (CR28581)
If you type a bigpipe command that contains an invalid trailing argument, the bigpipe utility produces a syntax error, but may run the command anyway. In this situation, the command should fail.

Rerunning the Configure DNS option in the Setup utility and overwriting an existing named.conf file  (CR28614)
In the Setup utility (setup), when you rerun the Configure DNS (D) option, you overwrite the existing named.conf file with an empty named.conf file. To avoid this issue, before you rerun the Configure DNS (D) option in the Setup utility, we recommend that you create a backup copy of the named.conf file. Once you have rerun the Configure DNS (D) option, you can copy the contents of the backup copy of the named.conf file into the new named.conf file.

Configuration utility error messages  (CR29360)
In rare instances, when you modify the Link Configuration screens in the Configuration utility, you may experience errors. If you click Inbound LB, and then immediately click Links during the config sync process, you may receive the following error:

An error has occurred in the Configuration utility. You may need to restart one or more daemons, or the system, to resolve this error. Contact support for more information.

This type of error may also occur on the target BIG-IP system when you click the links described above, and then are prompted to re-authenticate while the config sync process is still running on the peer BIG-IP system.
In rare instances, a white HTML screen may display. If you experience any of these error conditions, you can safely restore the Configuration utility by clicking any of the links under Link Configuration.

The checktrap.pl script and the enterprise OID in traps  (CR29481) (CR35534)
When the checktrap.pl script issues traps, it does not send the correct enterprise OID in the trap.

Error message in Configuration utility and valid range for VLAN tags  (CR29793)
The allowable values for VLAN tags are 1 through 4094. However, if you inadvertently specify a value that is outside of the allowable range, you see the following error message:

Error 335953 -- You have entered an invalid VLAN tag value. VLAN tags must be between 1 and 4096.

The error message incorrectly specifies a range of 1 through 4096, rather than 1 through 4094.

Forwarding non-IP traffic through VLAN groups and redundant systems  (CR29806, CR29334)
We introduced the ability to forward non-IP traffic through VLAN groups in BIG-IP version 4.5 PTF-04, and the functionality was enabled by default. When this functionality is enabled, the BIG-IP system also forwards non-IP traffic through both the active and standby units in a redundant system, which can result in a bridge loop. To mitigate this known issue, in this release (version 4.5 PTF-08), we are changing the default setting so that the functionality is disabled by default. If you understand the current limitations of this feature, and want to enable the feature, see Forwarding non-IP traffic through VLAN groups and redundant systems in the Workarounds for known issues section.

Dynamic ratio load balancing and IIS6.0 Windows 2003 Server  (CR30072) (CR30073) (CR30074)
If you need to use dynamic ratio load balancing, we recommend that you configure dynamic ratio through SNMP. Due to compatibility issues, you must configure redirection on the Microsoft® Windows® Internet Information Services (IIS) 6.0 webserver (which is part of Microsoft® Windows® 2003 server product) without the aid of F5 Networks software. The BIG-IP system does not currently support the following functionality on IIS 6.0 webserver:

  • Real Media monitor
  • Dynamic Ratio Load Balancing
  • SSL Redirect

Default setting for min_active_members  (CR30143)
The default value for min_active_members is incorrect and may cause the BIG-IP system to prioritize traffic incorrectly. The default value for min_active_members is currently set to 0. We recommend that you configure min_active_members to a value of 1 or greater.

bigpipe l2_aging_time setting  (CR30152)
When you reboot the Link Controller system, the bigpipe l2_aging_time setting in the bigip_base.conf file returns to the default setting (300).

automap default SNAT and VLAN configuration  (CR30153) (CR30585)
The automap default SNAT does not allow you to disable VLANs. If you attempt to disable VLANs on the automap default SNAT, you receive an error message.

Inaccurate log message for virtual server status  (CR30235)
When a virtual server is marked down (red), the Link Controller sends a log message that says no nodes up. Instead, the log message should indicate that the virtual server is down.

Default routes and specifying a router for path probing  (CR30310)
When you have not configured a default route, but you specify a router for path probing, the big3d agent ignores the specified route and issues an error message because the agent cannot find a default route. To work around this issue, we recommend that you configure a default route.

Redundant systems and software upgrades from BIG-IP version 4.2, to BIG-IP version 4.5 and later  (CR30500)
When you upgrade a standby unit from BIG-IP version 4.2, to BIG-IP version 4.5 and later, the unit is unlicensed for a brief time. During the time that the unit is unlicensed, it may change from standby to active.

Errors disabling VLANs for a default SNAT  (CR30585)
When you create a default SNAT using the automap option, and then later try to disable one or more of the default SNAT's enabled VLANs, the system generates an error and the VLANs are not disabled. Note that the error occurs when you make this change using either the Configuration utility or bigpipe.

bigpipe monitor command  (CR30600)
You receive a syntax error if you use both <ip addr>:<service> and <ip addr> in the IP list for the bigpipe monitor command <ip list> <enable | disable>.

Configuration utility statistics  (CR31009)
The Configuration utility statistics for Max Conn Deny and Memory Usage are inaccurate. We recommend that you use the command line utility to view these statistics.

Viewing the Link Configuration options from the Configuration utility  (CR31005) (CR30560)
If you log in to the Link Controller system as one of the following user types: Web Read Only, Partial Web Read/Write, or CLI + Full Web Read Write, you may receive errors when you attempt to view any of the Link Controller-specific options under Link Configuration. In addition, if you log in to the system as a CLI + Full Read/Write user, you may have read-only access to this portion of the Configuration utility. In order for you to view the Link Configuration options from the Configuration utility, we recommend that you log in as a Full Web Read/Write or admin user.

Using the IP address 213.13.118.129:80  (CR31104)
If you add a pool with a member node with the IP address 213.13.118.129:80, when the address and port select a virtual server on the local system, it causes the BIG-IP system to panic and the configuration to be deleted. The issue occurs only when the address and service numbers are 213.13.118.129 and 80 respectively. If you want to avoid this issue, we recommend that you do not assign the IP address 213.13.118.129 to nodes on the BIG-IP system.

Principal Link Controller in a sync group  (CR31551)
If you disable a data center that includes the principal Link Controller in a sync group, the Link Controller is disabled by inheritance. This disables probing, which in turn causes all objects in the network to be marked as down.

sync groups and zone file configuration  (CR32148)
In rare instances, if you have a Link Controller configured in a sync group, when the system copies over the zone file configuration, the sync_zones utility may fail to start.

Random load balancing method  (CR32762)
If you configure a Wide IP and use Random as the load balancing method for pools, the load is incorrectly distributed in a way that is similar to Ratio load balancing.

External self IP address configuration  (CR32962)
When you remove an external self IP address from the configuration, the link to the external IP address may display in the Links screen up to several minutes after the address is removed. If you click on the link, you receive a JSP 500 error.

One-time auto-discovery option  (CR32975)
The one-time auto-discovery option in the Setup utility runs each time you use the Setup utility. This option also runs each time 3dnsd is restarted. This option should only run the first time the Setup utility is started.

Wide IP port numbers replaced by service names and configuration errors  (CR32977)
In the Configuration utility, the Link Controller is automatically replacing wide IP port numbers with service names. If you subsequently modify any settings for the wide IP, you see an invalid port error message when you click Update. To work around this issue, when you modify the wide IP, change the wide IP port setting back to the port number before you click Update.

Link Autoconf On/No Delete setting  (CR32989)
If you delete a self IP address that matches a link, the Link Controller Configuration utility does not display the associated self IP and VLAN. This issue does not affect the Link Controller configuration.

Autoconf and BIG-IP virtual servers  (CR33161)
Autoconf does not compile a complete list of BIG-IP virtual servers in all cases.

Incorrect pending values in the Configuration utility  (CR33666)
In certain circumstances when a link goes down, the Configuration utility displays an incorrect "Pending" value for the link. This value may display in the Configuration utility until you use the 3ndc restart command.

Static depends configuration  (CR33671)
If you enable or disable Static Depends, you must use the 3ndc restart command in order for the virtual server to be updated correctly.

Gray status icon for virtual servers  (CR34599)
If the status icon for a virtual server is gray on the Pool, Virtual Servers, or Virtual Server Statistics screens, this indicates that the Link Controller cannot locate the virtual server in the network managed by the controller.

Creating virtual servers using the Configuration utility  (CR35019)
In order for virtual servers to display in the Link Statistics or Virtual Server screens, you must add them to a wide IP.

Error messages logged in /var/log/3dns  (CR35714)
If you use the bigstart restart all command, the following error messages may be stored in the /var/log/3dns log:

sod-portal: One or more of the corba daemons has been incorrectly restarted.
sod-portal: Killing corba daemons in order to insure clean restart.
sod-portal: Restarting corba daemons.


You can disregard these error messages.

TTL settings for zones associated with wide-IPs  (CR35963)
If you are using NameSurfer and you add a wide-IP to a zone, the wide-IP time-to-live (TTL) setting is used instead of any previously configured TTL setting for that zone. If you add two wide-IPs with different TTL settings to the same zone, the second wide-IP TTL is used.

Modifying zones that are associated with wide-IPs  (CR35963)
If you use NameSurfer to add records to a zone associated with one or more wide-IPs, if you use the Configuration utility to modify one of the wide-IPs, the records may be overwritten. In addition, if you use the Configuration utility to change the TTL for a zone, the records will be overwritten.

NTP settings  (CR36782)
If you run the Setup utility and you re-configure the NTP settings, you must use the bigstart restart ntpd command in order for your changes to take effect.

Router probing using SNMP version 1  (CR36863)
In rare instances, the SNMP version 1 router metrics are calculated incorrectly. If you have this issue, we recommend that you use version 2 SNMP router metrics instead.

Principal controllers in redundant systems  (CR36864)
If you have two Link Controllers in a redundant configuration and you shut down the principal system (3ndc stop), the standby Link Controller does not become the principal system.

Virtual server capacity load balancing  (CR36926)
If you use virtual server capacity load balancing mode, the Link Controller does not check whether virtual servers are disabled and may load balance traffic to disabled virtual servers.

Selecting links for probing  (CR36998)
If you have links defined, in certain cases the 3dnsd utility picks the best data center to handle probing instead of the best link. In most cases, the data center is adequate for probing.

Traps and logging (CR39325)
If you configure the system to send out traps, rapid logging may cause traps and log messages to be dropped. This type of rapid logging may occur when you load a configuration of several hundred nodes. At that time all of the nodes are checked and their status is logged. You can avoid this issue by adjusting the log levels for syslog configuration items. In addition, you may want to edit the /etc/snmptrap.conf files and comment out traps that are unimportant for your configuration.

Round trip time and hops no longer work together, nor do UDP and ICMP (CR42529)
The round trip time (RTT) and latency (Hops) Quality of Service (QOS) coefficients no longer work together for QOS probing. If RTT and Hops are configured at the same time, the 3-DNS Controller uses RTT.

For local DNS (LDNS) probing, the 3-DNS Controller does not support using both UDP and ICMP. If you select UDP and ICMP, the 3-DNS Controller removes UDP from the list, and uses ICMP.

Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.


Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.


Forwarding non-IP traffic through VLAN groups and redundant systems (CR29806, CR29334)

We recommend that you enable this feature only if you fully understand its current limitations.

To forward non-IP traffic through VLAN groups

  1. Enable non-IP traffic forwarding by typing the following command:

    echo "b internal set vlangroup_nonip=1">>/config/routes

  2. If you have a redundant system, type the following command to update the peer unit:

    b configsync all

  3. Reboot the BIG-IP system.

The non-IP traffic forwarding feature is now enabled, and the BIG-IP system will forward non-IP traffic through VLAN groups, and through both the active and the standby units in redundant systems.


ICMP monitors for self IP addresses, wildcard virtual servers, and link status (CR27998)

If you experience the ICMP monitors and availability status for routers and links known issue, described in the previous section, then one of the two following workarounds may help you resolve the issue in your network.

One workaround is to use an additional self IP address in the interfaces list. The additional self IP address needs to have SNAT automap disabled, and needs to be listed before the self IP address that has SNAT automap enabled. If your network is limited by available IP addresses, then you may need to use the second workaround to address this known issue.

The second workaround is to disable the Any IP setting on the wildcard virtual server.
