Applies To:
- 4.3 PTF-02
Installing the PTF
Use the following process to apply the PTF to the BIG-IP Link Controller, version 4.3. Note that the install script saves your current configuration.
- Create a memory file system by typing the following:
mount_mfs -s 200000 /mnt
- Type the following command:
- Connect to the FTP site (ftp.f5.com).
- Download the BIGIP_4.3-PTF02.im file from the /crypto/bigip/ptfs/bigip43ptf2 directory.
- On the BIG-IP Link Controller, run the im upgrade script, using the file name from the previous step as an argument:
im /mnt/<file name>
When the im script is finished, the unit reboots automatically.
Note: This procedure provides over 90 MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
Software enhancements and fixes
What's new in this PTF (PTF-02)
CERT Vulnerability Note VU#797201 against tcpdump (CR22051)
We have addressed the vulnerabilities detailed in the CERT Vulnerability Note VU#797201 against tcpdump.
EDNS0 requests from BIND 8.3.3 and BIND 9 name servers (CR22215)
The Link Controller can now process EDNS0 requests that originate from BIND 8.3.3 and BIND 9 name servers. When the Link Controller receives an EDNS0 request, the controller embeds the additional EDNS0 record in the DNS response packet.
Graphing link traffic for multiple links (CR23725)
We have added the ability to graph link traffic for more than four links on the Link Report graphs.
BIG3D problem with GetInterfaces() (CR23780)
The big3d no longer hangs or shuts down prematurely in certain configurations with a large number of self IP/virtual server address combinations configured.
CERT Advisory CA-2002-18, OpenSSH Vulnerabilities in Challenge Response Handling (CR23813)
The OpenSSH software running on the Link Controller has been upgraded to version 3.4p1 to address the security vulnerability that is outlined in CERT Advisory CA-2002-18.
CERT Advisory CA-2002-23, Multiple Vulnerabilities In OpenSSL (CR23814)
In this PTF, we have addressed the following vulnerabilities in the CERT release on OpenSSL: VU#102795, VU#258555, VU#561275, VU#308891, VU#748355.
CERT Advisory CA-2002-19, Buffer Overflows in Multiple DNS Resolver Libraries (VU#803539) (CR23815)
Vulnerability #803539 (DNS stub resolvers vulnerable to buffer overflow) has been addressed in this PTF. For more information on this vulnerability see http://www.kb.cert.org/vuls/id/803539.
BSDI security vulnerability (CR23816)
A potential denial of service vulnerability in the C library (libc) of BSDI has been addressed. For information about the vulnerability, see Vulnerability Note VU#808552 (Multiple ftpd implementations contain buffer overflows) which is available on the CERT website at http://www.cert.org.
CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability (CR23818)
The security vulnerability that is outlined in CERT Advisory CA-2002-17 (Apache Web Server Chunk Handling Vulnerability) has been fixed.
Enhancements and fixes released in prior PTFs
Version 4.3 PTF-01
New Link Report statistics screens in the Configuration utility
You can now view a set of graphs, on the Link Report statistics screens in the Configuration utility, that show the link usage information in relation to the bandwidth pricing information for the links in your configuration. The graphs cover the following time periods: the previous 30 minutes, the previous 6 hours, and the previous 24 hours. To view the Link Report screens, follow these steps:
- In the navigation pane, expand the Link Statistics item, and then click Links.
The Link Statistics screen opens.
- Click the Graph Link Summary button to view graphs that show the link usage information in relation to the bandwidth pricing information for all of the links in your configuration.
- Click the Graph Link Detail button to view graphs that show the link usage information in relation to the bandwidth pricing information for a specific link.
BIG-IP is not adversely affected by broadcast pings originating from itself (CR19901)
BIG-IP is not adversely affected by broadcast pings originating from itself.
BIG-IP now sends a TCP RST when no routes are available (CR20114)
BIG-IP now sends a reset (RST) when auto-lasthop is enabled and no route is available. This enhances the performance of clients that do not resend TCP packets.
Required configuration changes
There are no required configuration changes in this PTF.
The following items are known issues in the current release.
Port mirroring on the IP Application Switch (CR18435)
Ports not configured in a VLAN are not mirrored on the IP Application Switch platform.
proxy_arp does not fail over on VLAN group (CR18928)
When the BIG-IP goes from active to standby and MAC masquerading is not configured, layer 2 forwarding VLAN groups continue to forward packets until the packets' source ARP cache times out.
Sequence number tracking (CR19392)
Out of order packets to a delayed binding virtual server may cause synchronization errors in sequence number tracking.
TCP 4-way close detection (CR19591)
When an upstream device drops packets, or sends packets out of order, TCP 4-way close may not be properly detected.
Syslog pinger requires changes for increased resilience (CR19874)
If you define, delete, and then redefine a monitor, without deleting the changes in the /etc/syslog.conf file, the monitor may not function properly.
Error message on Modify Wide IP screen (CR20204)
You may occasionally see an error message (# 331845) on the Modify Wide IP screen. This message is benign.
Unique self IP addresses with different masks are seen as being on the same network (CR20378)
The Link Controller does not support supernetting. You cannot define two networks on the Link Controller where one of the networks includes the other.
Viewing link statistics and internal system traffic (CR20689)
When you review the Link Statistics screen in the Configuration utility, the data transfer rates do not include internal system traffic.
Upgrading the software and the /etc/hosts.allow file (CR20715)
When you upgrade the BIG-IP Link Controller version 4.3 software, and you use the im --force <filename>.im command, the /etc/hosts.allow file is deleted. You can resolve this issue by adding the following line to the /etc/hosts.allow file after you perform the upgrade:
big3d : ALL
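An added example, not part of the F5 release notes: an idempotent post-upgrade repair for the workaround above. It assumes the operator copied /etc/hosts.allow to a backup path before running im --force (the backup step and the function names are assumptions), and it writes the rule without the sentence-ending period.

```shell
#!/bin/sh
# Added example (not F5 code): repair hosts.allow after `im --force` (CR20715).
RULE='big3d : ALL'   # rule text from the release note

# has_big3d_rule FILE: succeeds if an uncommented rule in FILE names the
# big3d daemon in its daemon list (the text before the first colon).
has_big3d_rule() {
    [ -f "$1" ] || return 1
    sed 's/#.*//' "$1" | awk -F: '
        NF >= 2 { n = split($1, d, /[ \t,]+/)
                  for (i = 1; i <= n; i++) if (d[i] == "big3d") found = 1 }
        END { exit !found }'
}

# repair_hosts_allow FILE [BACKUP]
# Restores FILE from a pre-upgrade BACKUP (hypothetical path chosen by the
# operator) when FILE is gone, so other TCP wrapper rules are not lost,
# then appends the big3d rule only if it is missing.
# Prints: unchanged, added, restored, or restored+added.
repair_hosts_allow() {
    file=$1
    backup=${2:-}
    action=unchanged
    if [ ! -f "$file" ] && [ -n "$backup" ] && [ -f "$backup" ]; then
        cp -p "$backup" "$file" || return 1
        action=restored
    fi
    if ! has_big3d_rule "$file"; then
        # Keep the new rule on its own line if the file lacks a final newline.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            echo >> "$file"
        fi
        printf '%s\n' "$RULE" >> "$file" || return 1
        if [ "$action" = restored ]; then action='restored+added'; else action=added; fi
    fi
    echo "$action"
}

# Run only when given arguments, e.g. on a scratch copy first:
#   sh repair.sh /tmp/hosts.allow.test
if [ "$#" -gt 0 ]; then
    repair_hosts_allow "$@"
fi
```

Restoring the backup first matters because the upgrade removes the whole file, so any other TCP wrapper rules that restricted access to the unit are lost along with the big3d entry.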
Values for Link Limits (CR20744)
When you type values for bandwidth limits, on the Modify Link screen in the Configuration utility, and you type a number that is not divisible by 8, the Configuration utility rounds the value to the next lowest number that is divisible by 8.
SNMP and link statistics (CR20849)
When you switch from internal statistics to SNMP-gathered statistics, the metrics display a 10-second long Mbps incongruity. This may result in very large rate values. This data value may take some time to flush out of the history averages. However, it affects the load-balancing algorithm for only one 10-second period.
Redundant system failover behavior (CR20851)
If you synchronize the Link Controller configuration from the standby unit to the active unit, failover occurs, and the standby unit becomes active. If you synchronize the Link Controller configuration from the active unit to the standby unit, no failover occurs.
Undefined virtual server error message in the Configuration Checker (CR20873)
If you run the Configuration Checker before you have completely configured the Link Controller, you may see the following error message about an undefined virtual server:
ERROR: Virtual server 0.15.254.0:0 is not associated with a currently defined vlan.
The error is benign. To avoid this error, refrain from running the Configuration Checker until you have performed all of the configuration tasks. Review Chapter 3, Configuring Links for Simple ISP Load Balancing, in the BIG-IP Link Controller Solutions Guide, for details on the configuration tasks.
Disabling a link and outbound traffic (CR21078)
When you disable a link from the Link List screen in the Configuration utility, the Link Controller does not stop sending current outbound traffic.
Adding users in a redundant system (CR21118)
When you add users on one unit in a redundant system, you must manually add the same user information to the second unit in the redundant system. If you add users only to one unit, the config sync process fails.
Nodes unexpectedly disabled (CR21144)
If a configuration file contains a node disable command, followed by any number of node limit commands, the nodes listed in the node disable commands are errantly disabled. To work around this, enable the affected nodes using the node enable command. You can use the node enable command in the bigpipe utility, or you can insert the node enable command in the configuration file immediately following the node limit commands.
Using the prepaid segment cost variable and standby links (CR21202)
In the following situation, some traffic is not correctly distributed according to cost.
- One link has a prepaid segment for up to 2 Mbps. This link is the primary link and should receive all traffic up to 2 Mbps.
- A second link has no prepaid segment but does have an incremental segment. This link is the backup link and should receive traffic only if the primary link is completely saturated (using all available bandwidth).
Note: You do not see this problem if all links have a prepaid segment defined, or if no links have a prepaid segment defined.
The workaround for this problem is to add the link_prepaid_factor global variable, as explained in the following instructions.
To modify the link_prepaid_factor
- From the command line, open the wideip.conf file in the following directory, using either the vi or pico text editor:
- Locate the global variables section of the wideip.conf file (# GLOBALS), and add the link_prepaid_factor global variable with a value of 100:
- Save and close the file.
- Restart 3dnsd so that the Link Controller recognizes the changes, using the following command:
The Link Controller now distributes all traffic to the first link, up to the traffic limit that you set for the prepaid segment.