Release Notes : ARX 6.4.0

Applies To:

Show Versions Show Versions


  • 6.4.0
Release Notes
Original Publication Date: 08/29/2013


These release notes document the version 6.4.0 release of the ARX software. We recommend this release for those customers who want the features and fixes listed in Features and Fixes in This Release.

This release is cumulative and includes all features and fixes released since version 5.0.1. You can apply the software upgrade to 5.0.0 and later.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software life-cycle policy.


User Documentation for This Release

In addition to these release notes, the following user documentation is relevant to this release.

  • Site Planning
  • ARX Compatibility Matrix
  • Installation and Maintenance:
    • ARX-VE Installation Guide
    • ARX-VE Installation Card
    • ARX-500 Hardware Installation Guide
    • ARX-500 Installation Card
    • ARX-1500 Hardware Installation Guide
    • ARX-1500 Installation Card
    • ARX-2000 Hardware Installation Guide
    • ARX-2000 Installation Card
    • ARX-2500 Hardware Installation Guide
    • ARX-2500 Installation Card
    • ARX-4000 Hardware Installation Guide
    • ARX-4000 Installation Card
    • Hardware Reference Guide
  • Graphical-User Interface (GUI) Manuals:
    • GUI Quick Start: Network
    • GUI Quick Start: NFS Storage
    • GUI Quick Start: CIFS Storage
    • ARX Manager Storage Guide (Online Help)
  • Command-Line Interface (CLI) Manuals:
    • CLI Network Guide
    • CLI Storage Guide
    • CLI Maintenance Guide
    • CLI Reference
  • SNMP Reference
  • Log Catalog
  • Secure Agent Installation
  • Master Glossary
  • Master Index
  • License Agreement

These manuals are available from the ARX GUI or CLI. From the GUI, click on the Documentation link in the navigation panel. From the CLI, use the show software command for a complete listing of the ARX manuals, then use the following command to upload the manual from the ARX:

copy software manual-name destination-url

You can also find the product documentation on the ARX version 6.4.0 Documentation page of the F5 Online-Knowledge Base web site, along with an extensive solutions database.

[ Top ]

Minimum System Requirements and Supported Browsers

The minimum supported browsers for the ARX Manager GUI are:

  • Microsoft® Internet Explorer® (IE), version 6.0
  • Mozilla® Firefox® 1.5, and other browsers that use the Mozilla engine

Later versions are also supported. IE 9 is not supported in native mode, and must be run using Compatibility View.

[ Top ]

Supported Platforms

This release supports the following ARX platforms:

  • ARX-VE
  • ARX-500
  • ARX-1500
  • ARX-2000
  • ARX-2500
  • ARX-4000

To review the ARX platform life cycle solution, see: sol4309: The F5 platform life cycle support policy.

Supported Vendor Equipment

Refer to the ARX Compatibility Matrix for a complete list of vendor equipment that is certified for use with this release. Refer to AskF5 solution 10909.

Third-Party Software Versions for Security Scans

The following third-party software packages are relevant to SCAP-compliant security scans of the ARX, from products like Retina:

  • Apache HTTP server, version 2.2.3-4
  • Apache Tomcat, version 6.0.36
  • OpenSSL, version 0.9.8n
  • OpenSSH, version 4.9p1
  • Telnet, version 0.17-34
  • SNMP, version 5.2.3-7etch4
  • NFS Kernel Server, version 1:1.0.10-6+etch.1
  • NFS Portmapper, version 5-26
  • Apache 2 Authentication Module, version 3.2.4-2
    This is for authentications with the ARX API.
[ Top ]

Installing the Software

For an existing installation, you can upgrade to 6.4.0 from any of the following releases:

  • 6.3.0
  • 6.2.0
  • 6.1.1
  • 6.1.0
  • 6.0.0
  • 5.3.1 (ARX-VE only)
  • 5.2.2
  • 5.2.0
  • 5.1.9
  • 5.1.7
  • 5.1.5
  • 5.1.0
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.1
  • 5.0.0

For installation instructions, refer to the Upgrading Software chapter of the CLI Maintenance Guide. If you are upgrading an ARX-1500 or ARX-2500, you must also perform a firmware upgrade. For upgrade instructions, refer to the Upgrading Firmware section in the Upgrading Software chapter of the CLI Maintenance Guide. This firmware includes new BIOS firmware, which requires 30 minutes to install.

If you must upgrade from an earlier Release (such as 4.1.3) or an interim release (such as 5.2.2), upgrade both peers to one of the above 5.x releases before upgrading them both to the current release.

In a redundant pair, you must invoke an additional failover after both peers have been upgraded. The final failover, with both peers at 6.4.0, makes it possible to perform the final upgrade of internal databases and enable the dependent features.

When upgrading an ARX 1500 or ARX 2500 from a release prior to Release 6.2.0, a metalog latency trap may be raised during the upgrade process. The trap should clear within minutes of completing the rolling upgrade.

To install a new ARX system, refer to the ARX's installation manual. A hard copy is included with each hardware platform, and an online copy of the ARX-VE Installation Guide is available with its OVF file.

To review the ARX software support solution, see: sol8466: ARX software support policy.

Configuration Changes

Release 6.2.0 introduced support for large-file migrations that are not vulnerable to interruptions from snapshots and network issues (see Large File Migration for details). After you upgraded to 6.2.x or 6.3.x, the new behavior (staged migrations) became the default for all managed volumes. Release 6.4.0 changes the default back to the pre-6.2.0 behavior, direct migrations. If you want any of your managed volumes to use staged migrations, you must use the gbl-ns-vol policy migrate-method staged CLI command (or its GUI equivalent) to explicitly reset the migration method. Run this in every volume that should use staged migrations.

This applies to running global-config scripts as well as upgrades; if you run a global-config script from a 6.2.x or 6.3.x system where policy migrate-method staged is the correct setting for a given volume, you must explicitly set the volume that way after the script has finished running.

If you upgraded from a release prior to 6.3.0, refer to the Required Configuration Changes section, which contains important information about activating your license. You must do this before using the new software.

If you upgraded an ARX-2500 chassis from a release prior to 6.2.0, we also recommend that you use the no resource-profile legacy CLI command to take advantage of the performance improvements in Release 6.2.0. Refer to Improved ARX-2500 Performance with New Resource Profile for details about this feature.

Downgrading to an Earlier Release

Downgrades are not recommended. Contact F5 Support if you feel you need to downgrade to an earlier software release. For detailed instructions, refer to the Upgrading Software chapter in the CLI Maintenance Guide; this contains a section specific to downgrades.

Warning If you downgrade to Release 5.0.5 or earlier, do not downgrade the firmware with it. Earlier firmware could render the ARX unresponsive.

[ Top ]

Features and Fixes in This Release


Release 6.4.0 includes the following new features:


Release 6.4.0 includes support for SMB2, a new version of the original SMB protocol. SMB2 performs all of the functions of the SMB (CIFS) protocol with a smaller command set, and offers potential performance improvements.

NOTE: Performance improvements from the use of SMB2 are a network level phenomenon; they would only be a result of more efficient interactions between SMB2 clients and the ARX device. Testing has not detected any significant performance degradation or improvement on the ARX system itself. The most significant performance improvements observed with SMB2 occurred in pure Windows environments, with Windows 7 (and later) clients.

F5 Networks recommends using only SMB2 filers that have been tested for SMB2 support at F5. The F5 Data Solutions Compatibility Matrix (included with this doc set) lists all filers that have been fully qualified for SMB2 support behind the ARX.

You must use the gbl smb2-allowed CLI command or its GUI equivalent to enable SMB2. For CLI-configuration details, refer to the ARX CLI Reference entry for the smb2-allowed command.

Support added for use of native Windows NT information levels

The ARX has been enhanced to support use of native Windows NT information levels in some queries. This is known in CIFS as NT infolevel passthrough. This enhancement aligns the ARX more closely with current Windows use.


Release 6.4.0 adds the following fixes to the ARX:

The volume software wrote innocuous TRANFS-1-NOTE-INVOCTL messages into the syslog. The software no longer logs these messages.

The VLAN configuration in the CLI behaved inconsistently, depending on the order in which you specified a tag and a member interface for the VLAN.

If you marked an interface with tag enabled for a VLAN, and then identified that same interface as a non-tagged member of that VLAN, the interface appeared twice in the output of show vlan summary and show running-config, both as a "tag" and a "member." This misconfiguration is no longer possible.

Issues where some place rules were not starting and some were not working/progressing have been resolved.

For a channel to support LACP, you must provide the same LACP-configuration settings at both ends of the channel. Incompatible LACP settings can lead to unpredictable ARX behavior.

The traps lacpConfigMismatchRaise (301) and lacpConfigMismatchClear (302) indicate the raising and clearing of incompatible or mismatched LACP configuration settings. Note that these traps are supported on the ARX-2000 and ARX-4000 only. For details, see the ARX SNMP Reference.

pepd rapid IPC handle create/destroy when ipc_dnas_pepi fails to respond. pepd needs to recreate the IPC handle rather than destroy/create so that the same client socket gets reused. This issue has been fixed.

If the VIP is configured to use the parameter source-ip, then an interface VLAN must be configured as well.

Some installations have a firewall between the ARX and its clients, and require VIPs on multiple client VLANs. In those situations, the ARX’s single default route (created with the ip route command) causes the ARX to send all response packets over the default route’s VLAN. If that VLAN is not the same as the VIP’s VLAN, the firewall typically drops the response packet.

To solve this specific problem on an ARX-1500 or ARX-2500, you can use the ip route...source-ip command to make a separate default route for each VIP. Any packet received at the VIP uses this default route with the same VIP as its source IP.

For details, see the ARX CLI Reference for the ip route...source-ip command and, in particular the second paragraph of the guidelines for that command.

414314, 416416, 416739, 418602
During a rename operation if the new filename were to collide with the alternate name (the 8.3 name) of an existing file, a memory allocation problem could cause dNAS to core repeatedly. This problem has been fixed.

SMTP behaved incorrectly by sending reports to (the default) regardless of the email address specified as the target.

This behavior has been fixed and SMTP now sends reports (and emails with attachments) to the target email address.

In cases of MPNS (multi-protocol namespace) and with clients using NFS2 to mount to a NetApp filer where a qtree exists inside a volume, a destructive rename operation that occurs in the qtree could cause dNAS to core and the unit to reload. This problem has been fixed.

An issue with SPN not being updated after an SPN change has been fixed.

Copying various files through the ARX using SMB2 caused issues. NSM timed out (failed to respond to VCIFS). These issues occurred only in early previews of the 6.4.0 software and have been addressed in the released version.

The default value for 'policy migrate-mode' has reverted to 'direct'.

Customers that desire 'staged' operation must set the policy migrate-mode appropriately after upgrading to 6.4.0.

[ Top ]

Features and Fixes in Prior Releases

The current release includes the features and fixes that were distributed in prior releases, as listed below. (Prior releases are listed with the most recent first.)

Release 6.3.0

Release 6.3.0 included several new features and fixes, described in the sections below.


Release 6.3.0 included the following new features, also included in this release:

Support Added for Offline Access/Client-Side Caching

Support had been added for the case when a Windows client uses offline access for a file on a remote CIFS share and Windows creates a local copy of the file for the client. The client can use that local copy whenever the client machine is disconnected from the CIFS share, and can later sync the local copy with the original whenever the CIFS-share connection is up.

By default, clients can select directories and files for offline access manually. You can use the export offline-access command to also automatically enable offline access for any file the client opens (with or without network optimization), or to disable all offline access.

To accommodate the CIFS offline access/client-side caching feature, the section, Controlling Access to Offline Shares has been added to the ARX CLI Storage-Management Guide. Consult also the ARX CLI Reference Guide entry for the export offline-access command.

CIFS Altname Collision Management

Volumes that support CIFS have additional possible naming-collision obstacles, caused by back-end servers keeping an extra name for some files and directories. Support has been added for the ARX to handle these naming collisions transparently.

This ability was added in response to bug 383020.

For supporting details on this issue, consult the ARX CLI Maintenance Guide. Specifically, see Managing Collisions With CIFS 8.3 Names.

Hitachi HNAS (powered by BlueArc) Platform Support for ARX Snapshots

Snapshot support has been added for Hitachi HNAS (powered by BlueArc) platforms. ARX volumes can now coordinate snapshots (point-in-time copies) of all back-end shares on this platform (CIFS only).

Snapshot browsing is also supported on this platform.

SNMP Traps for LACP Mismatches

An enhancement was made to a pre-existing ARX daemon to periodically poll and compare peer LACP configuration with the local ARX. The enhancement includes raise and clear traps specific to an ARX channel number as well as channel-specific warning logs containing the details of the LACP mismatch.

Support for Filesets Based on the CIFS Offline Attribute

You can now use the offline command to choose files based on the setting for the CIFS offline attribute.

You can use such a fileset to identify all files with this CIFS attribute and migrate them (or avoid migrating them) accordingly.

The offline setting is the only supported CIFS attribute in a CIFS-attribute fileset. This type of fileset is available to all namespaces and volumes that support CIFS. It is not available in an NFS-only namespace.

This ability was added in response to bug 376364.


Release 6.3.0 added the following fixes to the ARX:

AS the "show interface" command was displaying the MAC addresses for the management ports on a pair of HA ARXs, they did not appear unique. In fact, from the shell, the MAC addresses were unique. The issue causing the incorrect command output has been fixed.

The "no report" option is the default for snapshot rules. However, when a snapshot archive location was configured, where a snapshot is automatically deleted following a successful copy to the archive, a remove report would always be generated. This behavior has been modified so that the remove report is generated only when a report prefix is configured.

The setting of policy-cifs-attributes-fileset was not recorded correctly in the global-config. This has been fixed.

386426, 364892
(RFE) SNMPD has been made restartable

An issue was reported where the software versions as displayed on the local and remote (HA paired) switches were swapped. This has been fixed.

Fixed a problem where a policy-cifs-attributes-fileset setting cannot be removed via the GUI.

The NSMD on ARX 1500/2500 could generate cores due to an internal packet buffer being exhausted.

A problem encountered when entering proxy ip addresses through the GUI has been fixed.

386300, 394382
An open transactions leak caused by calling a third-party utility too frequently has been fixed.

Some Solaris clients can specify size limitations for NFS RPCs. When this happens and filers respond with RPCs larger than this limitation, the ARX does not "trim" the RPC, resulting in the Solaris client not receiving the RPC response. This happens only on ARX-1500 and ARX-2500 on releases after 6.0.0.

Windows snapshots may fail when multiple external-filer objects are created with the same IP address and they are used by the metadata share and the data share(s) in the same volume.

NFS snapshots do not support the behavior set with the offline-behavior ... deny-access command. The deny-access behavior is to return an NFS error for each file that is offline (that is, for each file on a back-end filer that is unreachable). The command has no effect when an NFS client is browsing snapshots; the ARX never returns an error (or any response) for snapshot queries to offline filers, possibly causing an NFS-client application to hang.

A problem where the active switch was receiving excessive metalog-latency-raise traps has been fixed.

The corner case where a customer attempts to replace an ARX, neglects to activate its license, and allows the ARX to continue running in the unlicensed state has been fixed in this release. Note that connecting an unlicensed ARX device with a running-configuration to the network could significantly impact client performance.

Formerly, the ARX code allowed the state of the metadata-only share to be changed to "importing." It has been fixed to ignore the state of the metadata-only share when importing.

If a saved running-config was executed on an ARX that was recently upgraded from a pre-5.3.0 release to higher-versioned release, an additional configuration record would be created that was associated with the snmp- server traps command.

Because only one record was expected by the ARX software, unpredictable behavior resulted when sending traps. The code was modified to work only with the record having a certain primary key. If another record exists, it is ignored.

An issue where incomplete configuration of a filer's secondary IP addresses could cause connection failure between the ARX and the filer and, eventually, cause the ARX to run out of Radix resource for file server transaction IDs has been fixed.

An issue has been fixed where after deleting a large report via the GUI, the report disappeared from the listing, but disk space was not freed up.

An issue where the Policy engine had failed to detect stale mount points and completed without migrating shares has been fixed.

An issue where a read-only domain controller (RODC) with big RID numbers does not work with the ARX CIFS service has been fixed.

A problem in which the configuration of LACP on the ARX was described incorrectly in the ARX CLI Network-Management Guide has been fixed.

To establish LACP on a channel for ARX-500, ARX-2000, and ARX-4000, use lacp passive on the ARX and lacp active on the peer. If you connect two ARX peers over a channel in a redundant configuration, use lacp passive on both ARX peers to establish LACP. One of them assumes the active LACP role automatically.

To establish LACP on a channel for ARX-1500 and ARX-2500, use lacp active on the ARX and lacp passive on the peer. If you connect two ARX peers over a channel in a redundant configuration, use lacp active on both ARX peers to establish LACP. One of them assumes the passive LACP role automatically.

On the ARX-1500 and the ARX-2500, an SNMP walk shows incorrect usage statistics for the ARX processors. Specifically, the numbers for "usageLast1minute" and "usageLast5minutes" are incorrect for each processor.

Workaround: Use the show processors CLI command to find the correct usage numbers for ARX-1500 and ARX-2500 processors.

An issue with an inability to import a new share has been fixed. The reason the new share would not import is that an import of a previous share failed and that share was removed from the volume after it failed to import.

ARX subshare synchronization is now more resilient in cases where an administrator places a back-end share "myshare" to coincide with an existing ARX-generated share, say "_acopia_myshare_42$". This unexpected back-end filer change formerly caused a subshrmgtd core; now the daemon can effectively recover from this situation.

The code path that was logging a message containing the following and returning an incorrect error has been fixed:

FP_LOOKUP_ERROR: "Unknown Ecode Type"

Messages of this type can safely be ignored.

The inability to cancel an import if the ARX has a long running full directory fault-in has been fixed.

386678, 393615
Idle CIFS client connections were not properly terminated on all post-6.0.0 ARX-1500, ARX-2500, and ARX-VE platforms.

Other platforms (ARX-2000, ARX-4000, etc) have always idled out CIFS client connections after 15 minutes of inactivity. Now ARX-1500, ARX-2500, and ARX-VE platforms will do the same.

Workaround: This could potentially exhaust client connections if there are a lot of idle connections that don't terminate themselves. There is a workaround to identify those idle connections and terminate them manually.

NFS snapshot management is distinct from NFS snapshot browsing. You can manage NFS snapshots on EMC, NETAPP, Data Domain, and Blue Arc filers.

Snapshot browsing is supported for EMC, NETAPP, and Data Domain filers.

Adding DR configuration on an ARX which already has a namespace with a CIFS sam-reference config option creates a spurious entry in the configuration database.

This isn't a problem until the user wants to remove the namespace with the remove service command. The command fails with the error EXT_FILER_IN_USE.

Workaround: If the DR cluster reporting EXT_FILER_IN_USE is the disabled cluster, the clear global-config command can be used to remove all global configuration. Otherwise, all except the external filer reported in the EXT_FILER_IN_USE error can be removed with step- by step removal of the service in the following order: CIFS service, global server, namespace, and associated external filers.

Release 6.2.0

Release 6.2.0 included several new features and fixes, described in the sections below.


Release 6.2.0 included the following new features, also included in this release:

Support for New ARX-1500 and ARX-2500 Platforms

ARX v6.2.0 provided support for new ARX-1500 and ARX-2500 platforms; specifically new disk drive trays. The new platforms also include fans that run at a faster speed. You may notice that the units run louder and produce a greater air flow.

The new platforms are functionally equivalent to existing ARX-1500 and ARX-2500 platforms.

If your installation has upgraded existing ARX-1500 or ARX-2500 systems instead of installing the new platform, the hardware documentation for 6.4.0 contains some information that does not apply to your model. For former versions of the ARX-1500 or ARX-2500 chassis, consult:

  • Rev C of the ARX-1500 Hardware Installation Guide
  • Rev B of the ARX-1500 Quick Installation card
  • Rev C of the ARX-2500 Hardware Installation Guide
  • Rev B of the ARX-2500 Quick Installation card
  • Rev C ARX-1500/2500 Hard Drive FRU

These are included in the current software release; you can retrieve these earlier versions from the GUI or download them from the CLI.

Volume Migrations

Volume software shares memory and other resources with other volumes in the same volume group. Each volume group is a failure domain; a catastrophic failure in one volume may affect other volumes in the same group, but volumes in other groups are insulated from any such failure. Release 6.2.0 allows you to migrate a volume from one volume group to another.

Changing IP Addresses for Back-End Filers and Servers

Release 6.2 offers an operation for designating a new IP address for a back-end filer/server. You can use the ip address ... change-to command to specify one or more IP addresses for your external-filers, then use the ext-filer-ip-addrs activate command to reboot the ARX and activate all the address changes. If the ARX has a redundant peer, this command reboots both peers. This causes a service outage, so you should run the command during non-busy hours. The CLI prompts for confirmation before rebooting; type yes to proceed.

Immediately Synchronizing the CIFS-Service Delegation Settings with AD Settings

After the delegation settings for a CIFS service change at a domain controller (DC), the ARX software can take up to 10 minutes to synchronize with the change. Delegation settings determine whether or not the ARX CIFS service is allowed to authenticate a client once on behalf of all CIFS servers behind it, unconstrained (to any other CIFS server) or constrained to a specific set of CIFS servers. Release 6.2.0 introduces an operation to synchronize the ARX immediately with these Active-Directory changes. You can use the sync cifs delegation CLI command or its GUI equivalent to invoke this operation.

Improved ARX-2500 Performance with New Resource Profile

Release 6.2.0 contains performance improvements for the ARX-2500 with the new resource profile feature. This feature dedicates three separate hardware cores to network processing. The former resource profile divided the processing among four virtual cores, but these cores shared their hardware resources. Upgraded ARX-2500 devices retain their pre-6.2.0 "legacy" profile. You can use the no resource-profile legacy CLI command to upgrade to the new profile. This is recommended as a best practice.

It is necessary to reboot the ARX-2500 after executing the resource-profile command in order for it to take effect. (For a redundant pair, you must make certain to reboot both ARX-2500s; use the dual -reboot command to do this.) This is true also when replaying a saved configuration.

Improved Data Domain Snapshot Support

The ARX software now supports virtual snapshots for Data Domain filers running Data Domain OS 5.

Large File Migration

The ARX now supports the migration of very large files while snapshots are being executed on the containing volume. Previously, in-process file migrations were cancelled when it was time to execute a snapshot.

The policy migrate-method CLI command has been made available to enable you to control the method the ARX uses to migrate files. It has two options: staged (the default and recommended behavior) and direct.

The default behavior, staged, makes the policy engine migrate each file to a hidden staging area at the destination share, and then move the file to its final name and location. This method succeeds while the volume is taking snapshots, with a modest performance penalty.

An alternative method, direct, is also available. Direct migration makes the policy engine migrate all of its files directly to their destinations. If a snapshot occurs in the middle of a direct migration, the migration is cancelled and must be restarted from the beginning on any later migration attempt. If the file is large enough to require a very long migration time, regular snapshots could prevent the file from ever fully migrating. However, direct migrations may be faster than staged migrations sometimes, especially in a volume that migrates large numbers of small files.

NFS Snapshot Browsing

The ARX now supports the presentation of NFS snapshots and the ability to browse them via the ARX's virtual IP address.

Stretch Cluster Support

F5 Networks now explicitly supports "stretch clusters." Stretch clusters are redundant ARX pairs in which the two chassis in the cluster are separated geographically, but in which the redundancy interface is a direct connection between the two ARX chassis without an intervening network switch. For the ARX-2500, long-reach optical connectors and short-reach copper connectors are available for supporting low-latency direct connections over the switch's 10-Gigabit Ethernet interfaces.

Administrators must recognize that ARX performance for stretch clusters degrades very significantly as latency between the ARX peers increases. The actual performance that you witness will vary according to the ARX models that you use, the geographical distance between them, the protocol in use, the nature of the files and directories that are managed, and the operations that are performed on those files and directories. During our own testing of this feature, F5 Networks observed typical performance degradation of about 30% for 0.2 ms latency between peers, degradation of about 90% for 1 ms latency between peers, and degradation of about 95% for 2 ms latency between peers.

The show redundancy metalog CLI command is useful for monitoring the connection between redundant peers that are separated by long distances. The output from this command includes the latency between the two peers, measured in microseconds.

Pre-Windows 2000 Domain Name Support Enhancement

If a pre-win2k domain name, used when the environment does not use Active Directory or does not support Kerberos authentication, is not configured explicitly, the pre-win2k domain name now is discovered automatically during AD configuration and/or AD discovery. In the unlikely event that a pre-win2k domain name is not identified at that time, the ARX will derive a pre-win2k domain name as a last resort. This is done by truncating the FQDN to the first 15 characters before the first period.

Domain Controller Load-Balancing

Kerberos authentication requests now are distributed (load-balanced) across all of the online DCs in a domain. The set of domain controllers across which the requests are load-balanced is the set of all DCs that are preferred and online, or, if no preferred DCs are online, the set of all DCs that are non-preferred and online.

Hard-Link Migration

It is now possible to migrate hard links off of a share, using the source command without any fileset to drain all of the files and directories off of the share, or, alternatively, you can use the new migrate hard-links CLI command to enable migration of files that match a fileset and have hard links.

Hard link migration is disabled by default, and is configured as "no migrate hard-links".

This feature is for NFS services only.

Directory Structure Reporting

You can now display a summary of a managed volume's directory structure without having to run an actual metadata report, using the new CLI command nsck report dir-structure". This command generates a directory structure report that you can view later.

SSL Certificate Installation

It is possible now to manage SSL certificates from the ARX Manager GUI, and support for this function is provided now in the ARX CLI as well. This includes the ability to regenerate a self-signed SSL certificate, import a CA-signed certificate and CA certificate chain, and modify the SSL cipher suite used by the ARX to negotiate SSL connection parameters.

Uploading Release Files via HTTP and HTTPS

Software release files now can be uploaded to the ARX using HTTP and HTTPS via ARX Manager.

Offline Shares

The ARX now enables you to configure behavior for offline NFS filesystems. The new CLI command, offline-behavior, enables you to specify a "deny-access" setting that allows offline NFS exports to return an access error, causing the NFS client to mark the export with "Permission denied". The NFS request will continue its operation, accessing those NFS exports that are online, without the request hanging while it awaits a response from the offline NFS file system.

The default setting for the command, offline-behavior retry, configures the same behavior that was exhibited at all times in earlier releases, in which the the client keeps retrying the request and waiting for that export to respond. This may result in the the request hanging indefinitely.

ARX Manager Common Operations Enhancements

The Common Operations page in the ARX Manager GUI, as well as its constituent tabs, has been revised and enhanced to provide more streamlined access to a variety of frequently-used configuration tasks.


Release 6.2.0 added the following fixes to the ARX:

A problem with a snapshot process starting in the middle of a switch replacement rendezvous and causing a failure to rejoin has been fixed.

This release contains an upgrade to the latest version of Apache Tomcat (6.0.36). The upgrade resolves security vulnerabilities found by a vulnerability scan run against the ARX platform.

When a large packet was fragmented into many frames and the number of frames exceeded an internal limit, the packet was not processed correctly. This issue has been fixed.

A problem where the OK button was not available in the ARX Manager's Edit NFS Access Control List page, preventing the user from saving changes to an ACL has been fixed.

A share farm's constrain-files setting was ignored by place rules when promoting directories into the share farm without constrain-directories set.

Files now stay on the same share as the parent directory, but the directories are placed round-robin in the farm.

389913, 390417
In ARX Manager, the WinRm port and the Windows cluster check box can now be changed without having to change the File Server Type.

NFS snapshot browsing may need to combine the results from multiple back-end shares to present the readdir results to a client.

If any of the shares are offline, then no results should be returned or we risk returning partial results. If the client's cache contains partial results, then the client will not recover correctly when the share comes back online.

The definition of host switch included in the description of the show namespace command in the ARX CLI Reference has been clarified as, "typically the ARX peer where the volume was originally created."

The F5 Data Solutions Compatibility Matrix now lists supported copiers and scanners in the Client Host Interoperability section.

The ARX CLI Reference had an inaccurate example for the auto-migrate command.

The ARX software was updated to improve resiliency in the event of internal metadata inconsistency.

Fixed a CIFS issue where message ids used to send RPCs within the ARX were incorrectly being returned to the pool that tracked client message ids. This would cause an assertion in the NSM code and a subsequent crash.

382346, 382284
The ARX software now collects export usage statistics more efficiently when a client requests that usage information, reducing delays when other clients access files or folders in the share.

Improved logging when subshare access is denied due to 'nsck rebuild.'

ARX trap processing behavior has been revised to correct a problem that could result in core file generation.

The ARX's handling of CIFS file handles has been improved to reduce the likelihood of core file generation when writing to files.

In rare situations, using the remove-share offline command to remove a share caused namespace software to fail. This fix prevents that failure.

A problem that caused samrefoffline traps to be sent following an upgrade of the ARX software has been fixed. The standby ARX no longer performs SAM filer probes, and the SNMP trap will be sent now only after four consecutive failures.

The ARX Manager GUI now executes snapshots correctly when the snapshot interval is changed. Previously, changing the snapshot interval from, for example, every four hours to every six hours, caused the next snapshot to be executed six hours from the time the interval was changed rather than six hours from the previous snapshot.

The description of collision handling with CIFS "8.3" filer-generated names in the ARX CLI Maintenance Guide has been clarified to emphasize that the ARX does not support 8.3 FGNs, and 8.3 FGN creation should be disabled on back- end filers.

A problem that caused a crash due to an inability to write to a full metalog partition has been fixed.

The command snmp-server trap is no longer deleted from the running configuration when snmp-server trap private is executed subsequently.

A problem that caused metadata inconsistency for folders created via the ARX has been fixed. A folder created via the ARX and subsequently renamed via the ARX to use an "8.3" name was not renamed on the back-end filer itself, resulting in a metadata inconsistency.

The ARX user guides and online help have been updated to cite the number of volume groups supported by ARX-1500 as 6. Previously, the user documentation cited an incorrect number of 12.

379716, 368265
A problem in the exchange of hardware information between two ARX-2500s that prevented them from re-pairing after downgrading their software has been fixed.

A problem that caused a licensing error message to appear when two ARXes could not communicate to form a redundant pair has been fixed.

The show exports operation generally needs admin-level credentials to read ABE settings for filer shares. If run under lesser credentials, ABE was always reported as not set. Now it is reported as not available, to distinguish this from the actual state of not being set. '?' in the attributes table identifies the not-reported state.

The description of the Role, the type of process that typically runs on one processor core or another, now appears correctly in appropriate topics in the ARX Manager online help. Previously, this description was absent.

The ARX Manager Share Summary page now displays the text "[root-backing]" under the name of the share that is the volume root backing share.

A problem with close requests and CIFS behavior that caused the creation of core files has been fixed.

The ARX Manager GUI now displays file credit allocation information accurately on the Status page. Previously, this page often showed that 0 file credits had been allocated.

370672, 370784
A problem that caused a core file to be created when a second 10-Gigabit Ethernet port was added to channel 1 on an ARX-4000 has been fixed.

373813, 378148
An internal problem that caused spurious SMXIP inconsistency traps to be sent has been fixed.

A problem that could prevent redundant pairs from forming following a software upgrade has been fixed.

A problem that caused the loading of configurations to fail during disaster recovery as a result of an unavailable domain controller has been fixed.

372463, 32531
A problem that caused copy FTP sessions to continue running in the background after the command to cancel the copy had been executed has been fixed.

A problem that caused the ARX Manager GUI to display an error message if a policy schedule that had been displayed previously was deleted using the CLI has been fixed.

A problem that prevented HA pairing of two ARXes in a cluster following a reload executed shortly after an upgrade has been fixed.

The ARX CLI Network-Management Guide has been revised to emphasize the need to enable LACP on both sides of the redundancy link when configuring a redundant ARX pair.

When redundant ARX pairs are in use, F5 Networks recommends strongly that you configure a link-aggregation channel for the redundancy link to ensure resilient and optimized performance.

The execution of the clear global-config command on a replacement ARX during the replacement rendezvous caused a problem in which IP addresses in that previous configuration might be marked incorrectly as not in use when they still were in use, resulting in new services not starting correctly. This problem has been fixed.

The ARX software now ignores the ".clusterConfig" directory exposed by Dell Fluid File System software.

The ARX Manager GUI Initial Setup wizard now requires only two proxy IP addresses for configuration of an ARX-1500. Previously, this wizard incorrectly required you to provide four proxy IP addresses for an ARX-1500.

A problem with the timing of requests to access CIFS shares that caused core files to be created has been fixed.

A problem that caused the creation of core files during the system shutdown process has been fixed.

Shares with names ending in the character "$" are no longer allowed to be exported with the "filer-subshare hidden" setting. Previously, attempts to do this caused the creation of core files.

The creation of an export is prevented now if it uses the same hidden back end share as another export.

378089, 35528
A problem that caused the ARX to generate a core file when the VIP received an excessive stream of ICMP ECHO requests with many small fragments has been fixed.

A change was made to the handling of debug messages for ARX policy behavior to reduce an excessive number of metalog latency traps that were being raised.

A problem that caused snapshot rules with identical names to fail when the proxy user was not configured properly has been fixed.

A problem that caused the ARX to to respond incorrectly to SNMP get requests with a proxy IP address rather than the correct IP address for the interface has been fixed.

371714, 371713
The ARX now allows users to join domains using all username formats supported by Windows. Previously, the ARX did not support the use of usernames registered in different domains, or of full Kerberos names in the same domain.

The show redundancy history CLI command now displays the "WRONG_PASSWORD" error message when appropriate when an attempt is made to access a CIFS quorum disk using an incorrect password.

NSMs now restart correctly if multiple NSMs exhibit warm-restarts in succession, and it is no longer necessary to execute a failover to restore correct NSM behavior.

The ARX now displays an error message if an attempt is made to add a VLAN to a redundancy channel.

The CLI move command works correctly now, removing the local report file upon completion of the copy process.

A problem that prevented the creation of a new share because of a discrepancy in permission modes between the ARX and the back-end filer has been fixed.

When converting a managed volume to a direct volume, the ARX now warns you of the presence of metadata, and instructs you to remove the metadata prior to converting to a direct volume.

With SMB signing on, one rare error path would cause the NSM to experience a crash in its statistics processing. This error condition has been found and fixed.

A software problem that caused a warm start to be logged incorrectly as a power failure has been fixed.

A problem that caused a policy schedule end time to be displayed as prior to the policy schedule start time has been fixed.

In the example shown for the show master-key command in the ARX CLI Reference, an invalid password was shown previously. This has been corrected in the most recent version of the guide.

The entry for the import priority command in the ARX CLI Reference now states explicitly that the first-configured share is assigned the master for the volume.s root directory, and the import priority does not change this. Read the complete entry in the ARX CLI Reference for detailed guidelines.

A problem in instrumentation functionality for the ARX-500 that caused the creation of a core file when IPC connection problems occurred has been fixed.

ARX error messages have been improved to provide better notification if an attempt is made to replace an ARX in a pair in which the replacement switch and its peer have a software version mismatch.

The section titled, "Replacing a Redundant Peer" that is present in all ARX Hardware Installation guides has been revised to describe more clearly all considerations involved in the replacement of an ARX in a redundant pair configuration.

A problem that caused the generation of a core file as a result of handling a bad SMB packet has been fixed.

An extraneous space character in the "" file that caused trouble in some MIB compilers has been removed.

Adding, removing, or changing a VLAN interface description no longer causes the corresponding port and SSH sessions to reset.

Upgrading a configuration from V5.1.9 no longer causes the policy debug minimum-free-space 1024 setting to be exposed in the global configuration.

Executing the show processors command on an ARX-500 that has reached its bounce limit no longer results in the generation of a core file.

The policy stop command now works correctly, passing the volume group instance ID rather than the volume ID.

ARX-1500 and ARX-2500 did not support Redhat Enterprise Linux 3 (taroon) as an NFS filer. This was due to an incompatibility in NFS security, which is now resolved.

The ARX-1500 and ARX-2500 formerly failed to send the SNMP trap, ramMissingRaise, when a memory module was missing. Now these platforms both support the ramMissingRaise trap.

For the ARX-VE, the ARX-1500, and the ARX-2500, an snmpwalk operation on the ifTable returned internal interfaces (such as "dummy," "bond," and "loopback") along with relevant interfaces. Now the same snmpwalk returns only the interfaces that are visible with the show interface summary CLI command.

372571, 361417
In a namespace in which both NFS2 and NFS3-TCP are configured, NFS3-UDP is configured automatically by the ARX, and cannot be removed.

Version 6.1.1

Release 6.1.1 was a maintenance release including a number of new fixes, described below:

413272, 411625
An error that was occurring in the kernel that caused NFS metadata and NFS imports to fail on some configurations has been fixed. The fix targets the ARX-1500, ARX-2500, and ARX-VM platforms.

A design limitation on the number of outstanding notify-change requests could cause syslog to be flooded with 'No available message id for notify-change request' messages. The excessive logging has been curtailed. Consideration is being given to addressing the limitation in a future ARX release.

An error in handling TREE_DISCONNECT SMBs from Windows Server 2003 clients could cause CLIENT_CONN_TEARDOWN errors to be written to syslog. This has now been fixed.

A failure of the stats daemon caused the ARX to core. This failure has been addressed.

When the client establishes more than one user session in a connection and SMB signing is required, the subsequent tree connect operation will fail due to a parsing issue. This problem has been fixed.

CIFS file cache backend collision handling has been improved. After detecting the collision and failing the client, the file on the backend filer is closed and a response sent to VCIFS.

A problem that caused the NSM to core because of memory exhaustion due to flow control issues on the filer has been fixed.

A watchdog timeout issue caused the NSM to core. This has been fixed.

NLAD could core due to memory exhaustion in a large configuration where there are multiple Domain Controllers and tens of virtual services.

There was a problem in the NSM logic where responses from DNAS are processed. This problem, which could cause NSM to core, has been fixed.

Various commands that are intended to modify an existing configuration object erroneously create an invalid partially-initialized object if applied to a non-existing object. This can happen if an object (namespace, volume, or share) is deleted in one session, while there is a CLI session currently in that configuration mode. The result is an invalid global-config that cannot be repaired or modified. This problem has been fixed.

watchdog reset after installing 6.01.001-14126-EHF1.rel

The "show interface..." command for 2/13 and 2/14 are now included in the collect-diag information.

389590, 397554, 385098, 401777, 390537, 390990, 402930, 392501, 394518, 395540, 396431, 396847
Loss of HA and service/backend links in same second

The error handling in the subshare demon has been enhanced to prevent network instability from causing a subshare sync to fail.

A problem where an NFS client could hang due to a timeout while waiting for a message from the server is fixed.

During an ARX rolling upgrade from a release prior to 6.0.0, the "CIFS browsing" portion of the upgrade sometimes triggers GSMD (Global Service Manager) to enter a tight loop on the backup ARX.

This issue was preceded by numerous transaction conflicts on the Exports table and was related to ARX configurations containing a large number of CIFS exports. Conditions were added to assure that only the active ARX will perform the CIFS browsing upgrade and for it to do so prior to starting services.

Some power supplies were spuriously displayed as "Absent" in the output of the show chassis command.

A problem with NLMD coring after a restart of the GUI has been fixed.

The ARX API logging daemon may create a core dump file when the ARX API receives HTTP requests that are not related to API functions.

3877224, 388817
During an ARX rolling upgrade from a release prior to 6.0.0, the "CIFS browsing" portion of the upgrade sometimes triggers GSMD (Global Service Manager) to enter a tight loop on the backup ARX.

This issue was preceded by numerous transaction conflicts on the Exports table and was related to ARX configurations containing a large number of CIFS exports. Conditions were added to assure that only the active ARX will perform the CIFS browsing upgrade and for it to do so prior to starting services.

The issue of an NSM crash caused by watchdog timeout while Connection Manager tries to add presto packets into a blocked list has been fixed.

386798, 389168
In large subshare configurations, the subshare management daemon's remote procedure call (RPC) response thread could cease to service RPC requests during periodic OMDB cleanup activities.

This cleanup work has now been moved to a separate thread, so that RPCs can always be serviced in a timely manner.

A metadata corruption problem that caused core files to be generated has been fixed. The problem occurred when a single filesystem was exported via multiple nodes and exported as metadata shares and subsequently destaged.

A problem that caused a lock timeout issue and a 30-second delay when opening Excel files on an Isilon filer with Microsoft Office has been fixed.

The description of the SUBSHRMGT-0-WARN-SSHR_MISSING_PATH_PREVENTS_SYNC logging message has been revised with clearer details.

A double NSM fault and failover has been fixed.

The severity of the "xiplip-inconsistency-raise" event has been lowered to Warning from Critical, and its associated description has been clarified to describe the event's possible causes more explicitly.

Added sysstat_historical script to parse statsmon data files on the switch and from collects.

A problem with Kerberos cache utilization that caused the system partition to be filled completely has been fixed.

A problem that caused access via the ARX to be slow in the wake of DCslow and DCtransitions errors has been fixed.

The ARX now clears FILE_ATTRIBUTE_COMPRESSED bits prior to their being sent to an Isilon filer, avoiding any complications with moving compressed files to an Isilon filer.

The show metalog usage command now displays the correct month in its output.

381139, 382545
The software thresholds for fan log messages have been adjusted to avoid excessive and spurious logging of fan activity messages.

The ARX's logging has been improved to provide better notification if the directory underlying a subshare is removed from the back-end filer, rendering the subshare unusable.

Large Kerberos tickets resulting from users with large numbers of group memberships no longer cause error messages to be generated.

A spurious error message, WMI-0-ERR-WMI_DESTINATION_UNREACHABLE_FAULT, has been removed from the software, and no longer will appear in logs. Previously, this message appeared unnecessarily for some file server configurations.

379086, 376874
Multiple snapshot rules associated with a common schedule now create the corresponding snapshots correctly. Previously, some of the snapshots may have been of the wrong share.

The show fastpath resources command produced truncated output on the ARX-1500 and ARX-2500.

The snapshotOpFail trap no longer refers to an "unknown rule."

Upgrading the ARX software to Release 6.1.0 no longer causes a "filer-type windows" entry to be removed from an external filer definition.

In some circumstances, the ARX sent a WINS registration packet with the domain name tagged as "unique" rather than as "group". This has been corrected.

If you removed an ARX share with more than 38 characters in its name, the ARX created a place rule (to drain the share) with a name length greater than 64 characters. This exceeded the maximum length for a rule name, thereby making it impossible to delete the rule through the CLI. Now rule names can be up to 1024 characters.

A problem that caused a core file to be generated by a race condition between the beginning of a share import and the import of a new share ha been fixed.

366074, 372790
Certain database corruptions cause progressively slower database-response times, and an internal database-cleanup process was timing out before it cleaned the database. In one case, the progressively-slower database resulted in virtual-service outages after an upgrade. The timeout for the database-cleanup process is now long enough to work around this issue and repair database corruptions.

368594, 371493
A problem with the count form of the ip proxy-0 command that caused proxy IP address assignments to be created out of order, and resulting subsequently in the creation of core files, has been fixed.

A problem in which the deletion of a share farm containing shares caused those shares to not appear in the Tiered Storage wizard has been fixed.

Auto negotiation now works correctly on out-of-band management ports.

The ARX 1500 and ARX 2500 no longer exhibit problems with configurations that use VLAN 1 and in which all interfaces are used as members of channels.

A problem that caused a single logical IP address to be associated with multiple proxy IP addresses has been fixed. In addition, the SNMP trap that was raised when this occurred has been corrected to refer to logical IP addresses rather than external IP addresses.

370246, 370024
Complete support for the Status and Alert LEDs on the ARX 1500 and ARX 2500 is provided now. Complete descriptions of the LED behavior are provided in the ARX Hardware Reference Guide.

Version 6.1.0

Release 6.1.0 included several new features and fixes, described in the sections below.


Release 6.1.0 added the following features to the ARX:

Statistics Monitoring

A new stats-monitor process now runs in the ARX software, monitoring the time taken for requests to filers, requests to clients, requests to other external devices, and internal processing. If the times increase by a wide-enough margin over a long-enough time, the stats-monitor places an alert message into the ARX syslog file. You can use the stats-monitor CLI command to enter a new CLI mode, where you can enable SNMP traps for each of these alerts. You can also change the alert thresholds from this mode. These statistics are logged in corresponding files, and their running histories can be displayed.

The ARX collects all of the statistics by default, but no analysis is performed until the stats-monitor is configured. As such, the corresponding alerts are not displayed in the syslog by default.

The stats-monitor command and its sub modes are beta-level software in Release 6.1.0. They have not been tested as rigorously as other 6.1.0 features. You use the terminal beta command to reveal all beta-level commands, including this one.

NetApp Volume Level Import

Support has been added for multi-protocol configurations in which ARX managed volume shares are imported from NetApp filers at the NetApp volume level (as opposed to at the Qtree level).

In previous releases, migrations would fail in such configurations. This increased support does not entail any command changes or additions.

Enhanced Volume Free Space Reporting For CIFS

It is possible now to display the free space for a volume in the context of the user account and path used to access the volume. This enhancement supports path-based quotas. The freespace cifs-quota CLI command has been added to gbl-ns-vol mode, enabling volume free space to be displayed based on the credentials of the user executing the command and the path by which the volume is accessed.

This behavior is disabled by default (no freespace cifs-quota), causing the system-wide free space algorithm to be used, as was the case in previous releases. Use the filer-subshares CLI command to enable CIFS subshares prior to using this feature; refer to the ARX CLI Storage-Management Guide for complete instructions.

Note that this command pertains specifically to CIFS clients, and has no effect upon NFS queries.

Enhanced Free Space Reporting By Directory Master Only

The functionality for reporting volume size and free space has been enhanced so that it is possible to display the free space only for the back-end file system that is being accessed, rather than for the entire managed volume. This is useful in cases such as file migration, in which the temporary existence of two filesystems for the one in migration could otherwise distort the results of volume size and free space reporting. This is accomplished via a new argument for the existing freespace calculation CLI command, dir-master-only, which causes the share in question to be queried only on the storage resource at which its master instance resides.

In addition, the freespace apparent-size CLI command has been added to gbl-ns-vol-shr mode, enabling an administrator to configure an artificial capacity value for the volume that is less than or equal to its actual capacity. This command is accessible only in dir-master-only mode.

This functionality has no effect on policies and shadow volumes, for which actual free space, not apparent size and free space, is in use at all times.

NSM Warm Restart

NSM warm restart now is supported on older ARX platforms with multiple cores (ARX-1000, ARX-2000, ARX-4000, and ARX-6000). This feature improves behavior associated with the older processor designs used by those platforms, and is not relevant to the newer ARX-1500 and ARX-2500 models.

One aspect of NSM recovery is that once an NSM reanimates, not all cores within the same processor can be Up again without reloading; this is inherent to the design of the NSM.s internal failover behavior. The system functions at a reduced level when this occurs. NSM warm restart functionality addresses this situation by restarting only the NSM core that failed. The other cores within the same processor remain unaffected. When restarted, the NSM comes back Up (not in Standby) and resumes its normal traffic load.

NSM warm restart functionality is disabled by default.

Execute the nsm warm-restart CLI command in config mode to enable NSM warm restart. The no nsm warm-restart CLI command disables the functionality.


Release 6.1.0 adds the following fixes to the ARX:

On an ARX 1500 or ARX 2500, there may be a connection refused error immediately following the enabling of a share or during the failure of a share to import. In the first case, simply execute the enable command a second time. In the second case, remove the share and re-enable it.

359768, 358779
A problem that prevented namespace-software instances from restarting correctly following ARX reboot has been fixed.

365480, 377081
A problem with the handling of proxy IP addresses that caused them to be displayed out of order following execution of the show health command has been fixed.

358440, 367861
A problem that caused an active ARX to not come back up after a failover has been corrected with a non-user-visible change to the redundancy software.

364072, 372846
A problem that prevented users from accessing other volumes when they had a destaged volume mounted has been fixed.

A problem that caused the show processor command to report erroneously low memory values for the ARX 1500 and ARX 2500 has been fixed.

A problem that caused snapshot creation to fail on Windows servers using UTC as their timezone has been fixed.

369688, 370792
A problem that caused virtual services to take four to five minutes to restart following a failover has been fixed by changing the ARX's management of TCP connections to metadata filers.

369319, 372385
A performance degradation problem caused by file descriptors not being released at the appropriate times has been fixed.

A problem that caused the ARX to send port mapper requests to a client from virtual IP addresses other than the virtual IP address to which the client was connected has been fixed.

The CIFS protocol specification requires that filer-assigned tree connection identifiers be unique across a single tree connection. The Sun filer violated this rule, causing the ARX to be unable to connect more than one user session to any given share. The ARX has been changed to be less sensitive to strict protocol adherence in this regard.

A problem that caused snapshot creation to fail due to replica-snap shares being included in the snapshot has been fixed.

In Release 6.0.0, RAID verification runs automatically every five minutes, which affects Metalog performance on ARX 1500 and ARX 2500. Once Release 6.1.0 is installed on ARX 1500 or ARX 2500, RAID verification runs once per day at 23:00, beginning the day after Release 6.1.0 is installed. On other ARX platforms, the RAID verification behavior will not change after Release 6.1.0 is installed. If the RAID verification mode is manual, and RAID verification has not been run on ARX 1500 or ARX 2500 in the last 24 hours, the traplog will show an entry reminding the user to execute RAID verification.

365373, 367709
A problem existed that when volume configuration was edited via the GUI, the metadata shares in ARX disaster recovery clusters would become mis-configured. This problem manifested only in disaster recovery clusters and is fixed now.

An internal timing issue that previously caused a core during shutdown of the metalog daemon has been addressed.

If users activate the licenses on switches in the same redundant switch pair at different dates, the expiration times for these licenses will be different. License keys with different expiration dates that are used in a redundant ARX pair now cause a trap to be raised only if the difference in the expiration dates is greater than one day.

The software now checks more closely to prevent multiple users in concurrent configuration sessions from creating overlapping global servers.

The ARX now provides an appropriate error message if the client attempts to perform a destructive rename of a file system object that is not supported.

EMC servers support 3 or more colon (:) characters in their named-stream names. This naming convention is unsupported by other CIFS servers, so previous ARX releases could not migrate these named streams from an EMC server to another vendor's server.

Now, whenever an ARX migrates an EMC named stream with this naming issue, it renames the stream so that the migration can succeed. The ARX software keeps the first and last colon, and replaces each intermediate colon with '~'. For example, the ARX changes




at the target file server. The name remains the same at the EMC server.

The show statistics filer CLI command now displays round trip times for CIFS and NFS responses, providing more data about filer performance.

In releases before 5.02.000, a CIFS-only managed volume occasionally included user- based and path-based storage quotas in its free-space calculations. For example, if a CIFS client had a quota of 5G on a back-end Windows share with 500G of actual space, the CIFS client only saw 5G for that Windows share. If filer subshares were configured in the ARX volume, path-based quotas were also taken into account on some occasions.

These quota-based free-space calculations were inconsistent, so they were eliminated in Release 5.02.000. Following that Release, all CIFS clients saw the full free space on all back-end shares behind their ARX volumes, regardless of any space quotas those clients may have had on the back-end Windows Servers.

The current release introduces the freespace cifs- quota CLI command, providing reliable support for the original behavior. With this option enabled, clients see the sum of the quota-based free space on the volume's back-end shares, not the sum of the full free space. Thus, CIFS clients with a 1G quota see only 1G of space, and connections to a CIFS subshare with a 5G quota see only 5G of space.

346315, 365990
A problem that caused ARX clients to disconnect when the standby ARX in a redundant pair had its software reloaded has been fixed.

The remove-share command no longer fails due to an excessively short timeout value for obtaining free space information for the shares it is used to remove. The corresponding timeout value has been increased to prevent this from happening.

When a remote syslog is configured for an ARX, the syslog file no longer uses "localhost" as the ARX hostname.

An internal change has been made in the NSM software to prevent the NSM from crashing when it attempts to log a catalog message.

28837, 359460
On ARX HA pairs, changes in global configuration data are synchronized to each ARX database with a two-phase commit, starting with the standby. A small time window exists where if the standby ARX reboots in the middle of a two-phase transaction, the active ARX might hold the transaction open (in limbo) due to uncertainty of the remote commit.

Limbo transactions now are rolled back on the active ARX if the standby is known to be down. In this case, it doesn't matter if the transaction was committed on the standby, because, when it pairs up with the active again, all of its global data will be resynchronized.

A problem related to the at schedule command and automatic retries caused by DB transaction conflicts has been fixed. The at schedule command now handles transaction retries independently of the automatic retry mechanism used by the rest of the CLI.

352585, 351662
Snapshot creation no longer holds open filer share records for long periods of time, reducing the corresponding transaction conflicts.

Shares are no longer marked as "Pending Import" when a recursive sync is performed on a volume that is in the same instance in which another volume is imported after the beginning of the sync operation.

Previously, if the state of a share changed in the process of a failover, it was possible that the share was not marked online on the new active switch. This has been fixed.

When using the show redundancy quorum-disk command, the fractional part of a minute is no longer included in the most current interval. For example, if the most recent interval is 10:00 - 10:33, but the current time is 10:33:45, the last 45 seconds of data will no longer be included. This rectifies a problem in which heartbeat latency counts were not consistent.

Enabling a virtual service using ARX Manager when the virtual service has been configured with a cluster name now works correctly.

Place rules no longer return a "Target full" message if the target is a share farm that includes only a single share.

The filer type windows cluster command has been added to configure a Windows Server 2008 (or later) file server explicitly as a cluster node. This fixes a problem in which the disabling of NetBIOS on Windows Server 2008 (or later) cluster nodes caused ARX snapshots to identify cluster nodes incorrectly as non-cluster nodes, and fail to create snapshots. The command also adds the capability to discover the Windows Server 2008 (or later) cluster through WinRM when the cluster is not set explicitly through the CLI.

The "STALLED" trap now appears for directory import operations only if a single directory has failed to complete import for over 60 seconds.

A check is made now to see if the client connection state referenced by a transaction is still valid before error statistics are accessed and incremented. This fixes a crash that was caused by disconnection from the front end and subsequent attempts to increment error statistics associated with that client connection state.

An internal issue that sometimes caused namespace creation using the GUI to generate a Java core dump has been corrected.

A problem that prevented configuration of more than six channels on an ARX has been corrected. The ARX now allows configuration of up to eight channels, as described in the ARX user documentation.

360963, 364660, 365759, 365760
A problem in which a network outage caused corruption in the NSM's packet buffer and a subsequent double free of memory that resulted in a core file has been fixed.

To avoid network capture file data loss when merging large capture files (> 2GB) on an ARX-4000, use the no-merge option in the no capture session command.

The ARX now provides faster snapshot creation on slow Windows file servers hosting large numbers of snapshots.

357345, 357155
Shadow volume functionality now creates the .acopia directory on Samba filers differently, creating the directory without specifying a security descriptor, and making and applying an appropriate ACL. This fixes a problem that caused shadow volume creation to fail when running SUSE Enterprise Linux 11 and Samba Version 3.4.3-1.19.1-2426-SUSE-CODE11.

357895, 365739
The ARX software now checks to make sure that an IP address assigned to an interface on an ARX 1500 or ARX 2500 is not in use on the switch already.

Executing the clear statistics migration command for a specified volume now clears statistics for that volume only, and does not affect other volumes.

The maximum number of snapshots that are identified with instance numbers now matches the maximum number of snapshots retained per rule. This maximum number is 1024.

A problem that caused place-rules to run after reload rather than according to their configured scheduled has been fixed.

You can use the domain-join operation to join an Organizational Unit (OU) within a Windows domain. The documentation and online help indicate that you should use a backslash character (\\) to separate the layers in a nested OU, but the domain-join previously failed with this separator. Now the domain-join succeeds with a backslash in the OU.

Support for multi-protocol namespaces in NFS services no longer allows exporting from different namespaces with inconsistent protocols. For example, exporting from namespace A with protocol NFS2 and exporting from namespace B with protocol NFS3 is not allowed now.

NFS TCP connections no longer get stuck in the RETRYING state and cause the service to hang if an NSM on ARX-2000 or ARX-4000 crashes and the switch fails over to its redundant peer.

Executing the show exports external -filer no longer displays the string, "64: Bad Source:" for the Ping output. This was a cosmetic issue that did not affect the rest of the command output.

363569, 358069
The Tiered Storage wizard in the ARX GUI now displays existing namespaces and volumes the first time it is invoked. Previously, existing namespaces and volumes did not appear in the wizard until it had been invoked a second time.

A series of proxy IP addresses ( through that are allocated for use on older ARX platforms are included in the command output when show ip proxy-addresses is executed on ARX-1500, ARX-2500, and ARX-VE. The output for this command on ARX-1500, ARX-2500, and ARX-VE now indicates that the corresponding MAC address for each proxy IP address as "Unresolved"; previously, an unused MAC address was shown for each.

Enabling a port on VLAN 4009 on the ARX-1500 and ARX-2500 no longer causes the unit to reboot.

The F5-proprietary traplog SNMP MIB now is supported for ARX 1500 and ARX 2500.

Version 6.0.0

Release 6.0.0 included the following features and fixes, also included in this release.


ARX-1500 and ARX-2500

Release 6.0.0 supports two new hardware platforms: the ARX-1500 and the ARX-2500. These are 1U devices. The ARX-1500 has eight 1-Gigabit interfaces, and the ARX-2500 has four 1-Gigabit interfaces and two 10-Gigabit interfaces.

Multiple Namespaces Behind a Single VIP

Clients can now access multiple namespaces through a single Virtual IP (VIP) address.

ARX Feature Licensing

As of Release 6.0.0, ARX feature functionality is controlled on each ARX by a license file that determines which features are active and which are disabled, according to the terms of the license agreement associated with that specific ARX. An ARX cannot be used without a valid license, and any customer upgrading to Release 6.0.0+ must obtain and activate a license in order to use the features and functions of the ARX.

Improved Performance For File System Enumeration

Performance of certain directory enumeration operations for NFS clients has been enhanced by reducing the client-to-ARX network traffic by 50:1. This is noticeable especially if the NFS client's network path to the ARX is low bandwidth, high latency, or both.

Probes and Windows Domain Authentication Enhancements

Release 6.0.0 provides a number of supportability enhancements and improvements of the CIFS subsystem, including new probe commands and configuration enforcement.

Support for EUC-JP Character Encoding for NFS

NFS character encoding is the numeric encoding for the characters used in human language. In former releases, the ARX supported two character encodings for its NFS services: ISO 8859-1 and UTF8. As of Release 6.0.0, NFS on the ARX also supports EUC-JP and Shift-JIS, two encodings for Japanese, along with KSC5601.

Terminology Change: VPU Domains Become Volume Groups

Each ARX volume resides in a volume group, in which the group has a finite amount of memory and processing power to be shared among its volumes. Volume groups are a means of isolating namespaces in the ARX's memory so that the failure of one or more namespaces in one volume group does not affect the performance of namespaces in other volume groups.

In previous releases, volume groups were known as "VPU domains." The terms "VPU" and "VPU domain" are no longer valid as of Release 5.3.0. This change in terminology has been made to reflect more accurately the use of dynamic, virtualized resources in newer ARX models.


Release 6.0.0 adds the following fixes to the ARX:

As of this release, there is a minor change to the Adaptec 5405z RAID controllers which requires an updated version of firmware for proper functionality of CLI RAID commands.

The current controllers use firmware version "5.2-0[17945]"

The new controllers use firmware version "5.2-0[19203]".

The output from the ARX CLI command show chassis disk will show the firmware version and can be used to determine which controller the chassis is using.

There are downgrade limitations that should be considered because using releases or hotfix releases which are "unaware" of this new firmware version will not work properly with the new RAID controllers.

Before downgrading from this release, please consult F5 support for further guidance if your chassis has the new RAID controller.

385203, 384491
A problem with the handling of internal logical IP addresses for redundant pairs of ARX-1500s and ARX-2500s that caused Mac OS clients to be unable to use their desktops has been fixed.

382020, 380783
A problem that caused exhaustion of the database connection pool and resulting in high CPU load and ARX Manager running extremely slowly has been fixed.

A transaction leak that caused the junior ARX in a redundant pair to reboot unexpectedly has been fixed.

A problem with the handling of share counts that could prevent the association of volumes with volume groups has been fixed.

A problem with a drastically inflated packet size that caused the ARX parser buffer to overflow has been fixed.

Policy stalling with FASTPATH_RPC_FAILED

A problem with the handling of volume groups in NVRAM that resulted in access being denied to back-end shares has been fixed.

376528, 377631, 379572
A problem with the snapshot functionality that caused it to raise a VIP fence all the time, even when snapshot consistency was not set, has been fixed.

371405, 374824
A problem in the ARX CLI caused some IP routes to be displayed with /16 subnets when they were in fact configured with subnets of other lengths. This has been fixed.

A problem that caused Windows 2003 clients to enumerate shares very slowly when connected to an ARX has been fixed.

Internal changes were made to the ARX's CIFS configuration functionality to avoid delays when synching subshares.

The copy ftp and copy scp commands now support the use of the license keyword when specifying a destination for copied license files.

An internal change has been made to the ARX's NFS file caching so that an error occurs rather than a fault if the cache is missed.

The ARX 1500 and ARX 2500 now properly reject HTTP requests to the ARX VIP.

A problem that caused a paired NSM core when a replacement ARX re-establishes redundancy has been fixed.

The ARX 1500 and ARX 2500 no longer exhibit problems with configurations that use VLAN 1 and in which all interfaces are used as members of channels.

356566, 362646
In the ARX GUI, it is now possible to select a volume and run a metadata report for it. Previously, you were required to select a share.

It is no longer necessary to clear an expired ARX software evaluation license before activating a new evaluation license.

354991, 362808
When disabling "email-event tech-support", "no enable" now is added to the running configuration explicitly. Previously, "enable" was simply removed from the configuration.

Automatic license activation now works correctly regardless of whether an in-band management interface is configured or not.

The show filer connections CLI command now works correctly on ARX-1500, ARX-2500, and ARX-VE.

359470, 360509
A problem that caused DNAS to generate a core file during a read-only share import has been fixed.

When you use the ARX Manager (GUI) to add a new file server to the configuration, you can click a check box labeled Supports Snapshots. In previous releases, the following sequence failed:

  1. check that box,
  2. click Save,
  3. go back and uncheck the Supports Snapshots box.

Now the operation succeeds after the above sequence.

352357, 356190
If the backup ARX rebooted while the active ARX was processing a configuration change, the internal database process held open a transaction indefinitely. This open transaction resulted in a growing set of syslog messages, indicating that "Object Manager transaction id ... is now time-period seconds old." This also slowed the performance of other processes on the ARX.

A poorly-timed reboot of the backup ARX no-longer triggers these issues.

During a disk replacement in an ARX-2000 or ARX-4000, it was possible for the ARX to misinterpret the state of the failed disk and its replacement. When this occurred, the incorrect disk state blocked the raid rebuild operation. This prevented the overall disk replacement from succeeding.

The ARX-2000 or ARX-4000 occasionally recorded an incorrect battery temperature, and then sent spurious nvramBatteryFail traps.

The CLI Reference and CLI Storage Guide described an incorrect syntax for nested OUs. The context of this documentation is the domain-join operation, which joins an ARX CIFS service to a Windows Domain (or an OU within a domain). The documentation stated that you should separate each OU layer with a backslash (\) character; the CLI documentation now shows the correct forward slash (/).

The ARX SNMP Reference has been updated to reflect that internal disk usage is monitored via the systemResourceThresholdRaise and systemResourceThresholdClear traps.

Some ARX 500 units were released to the field without programmed serial numbers that should be displayed when the show chassis command is executed. The process of acquiring a base registration key for ARX software license activation has been modified to accommodate these units.

After a software upgrade from a pre-5.2.0 Release to a post-5.2.0 Release, the show policy command failed with a POLICY_UPGRADING error. Now the command succeeds after the upgrade.

It is possible, but generally inadvisable, to make changes in the ARX global configuration under these circumstances:

  • there are two ARX devices, joined in a redundant pair,
  • one has upgraded to a new software release, but the other has not, yet, and
  • the peer with the lower release is active.

In former releases, there was no warning in the CLI or the ARX manager (GUI) when you entered the gbl CLI mode or otherwise started to edit the global configuration. Now there is an appropriate warning.

An ARX-VE disconnected a CIFS client that tried to copy a file to an ARX service with a particular configuration issue. This failure occurred when SMB signatures were enabled on only the back-end server and not the front-end CIFS service on the ARX.

When a redundant pair is unable to form due to a "Peer synchronization failure", the collect, show namespace, or show virtual service operations often took excessive time. This only occurred on the initial rendezvous for the redundant pair. Now these operations are slowed by only 1 to 4 minutes by these circumstances, as opposed to hours.

The ARX VIP PORTMAP service did not respond correctly for non-supported RPC service versions, which prevented the use of common RPC-query tools. For example, rpcinfo -t arx-vip 100003 (NFS) and rpcinfo -t arx-vip 100021 (NLM) both failed. Now, both of those commands succeed for any ARX VIP running an NFS service.

In a multi-protocol (CIFS and NFS) ARX volume with "euc-jp" character encoding, the ARX software arbitrarily changed filenames with tilde (~) characters. CIFS clients saw the name correctly, but NFS clients saw a different name. In this release, NFS clients and CIFS clients see tilde characters correctly in all filenames.

37389, 356436
An issue that caused a core dump when a service began to exit but had not completed has been fixed.

Previously, all 'filer-subshare' exports that shared out a single CIFS volume (or a multi-protocol volume supporting CIFS) were required to have unique names, even when the subshare exports were configured in different CIFS services. This restriction no longer exists.

The Tiered Storage wizard under the Policy > Place Rules menu has been modified so that it handles optional filesets and intersection filesets correctly.

Previously, the wizard included a selection that corresponded to a deprecated CLI command that the ARX software no longer recognized.

343058, 342994, 342941, 342994
An issue that had caused problems with switch replacement under a specific set of circumstances has been fixed.

The circumstances were:

  • The export path in an external-filer configuration was greater than 900 bytes, or the description for a policy schedule was greater than 255 bytes.
  • You upgraded the ARX cluster from Release 5.0.6 or earlier.
  • One of the peers in the cluster irrevocably failed, and you replaced it.

If all of the above conditions were met, the replaced peer (in the Backup role) was not able to rejoin the cluster.

The policy engine logged a syslog message whenever it refused to migrate a file to a share that was too full. (A share is considered too full when it has dropped to its minimum free space, set with the policy freespace command or its GUI equivalent.) These messages were correct, but excessive. Now the syslog only includes a summary message for many migrations at a time.

Mac running 10.5.8 and DAVE 7.1.2 was unable to access a direct share through the ARX

The NSM now will refuse Transaction2 requests and responses that appear to use a segmentation protocol that the NSM does not currently support.

A log error message has been added to warn users when they access a CIFS service that uses a different name in DNS than it does in Active Directory.

A problem that caused the CLI to generate a core file when the ssh-host-key rsa encrypted-hostkey command was invoked with command completion (i.e., ssh-host- key rsa encrypted-hostkey ?) has been fixed.

Erroneous log messages reporting internal errors are no longer written when an attempt to create a snapshot fails because the filer is at capacity already.

A problem with ARX-VE evaluation license keys that caused spurious CIFS browsing upgrade messages to appear has been fixed.

343244, 344331
The ARX sometimes exceeded 2,048 simultaneous tree connections in a single TCP connection. Some back-end file servers cannot tolerate this number of tree connections per TCP connection.

An ARX-CIFS service issued a STATUS_INVALID_PARAMETER response whenever a client tried to copy an EFS encrypted file to the service. This resulted in an unclear error at the Windows-client application. Now the CIFS service returns a STATUS_ACCESS_DENIED error, which is more likely to be interpreted into an understandable error by client applications.

The initial-boot script contained an unclear directive at the end:

"press yes to continue, or r to restart"

This could be misinterpreted as a command for rebooting the ARX. Now the interview clearly states that "r" only restarts the interview script.

Management of Active Directory using the active-directory commands now requires only storage-engineer privilege, rather than crypto-officer privilege.

A maximum of 30 snapshot rules can be associated with a single schedule.

A problem that caused virtual services to to get stuck at "Starting" has been fixed.

A problem has been fixed in which deleted folders would re-appear empty when performed by a Windows 7 client accessing a home directory via DFS and the ARX.

348789, 348355
The NSM no longer crashes when a backup ARX takes over for an ARX that has rebooted following an excessive number of connections.

338795, 338143
A problem that prevented the addition of Active Directory accounts when changing folder or file level security permissions through the ARX VIP has been fixed.

An ambiguous NOTE-type message has been clarified to describe the corresponding issue more explicitly.

An error message informing users that the same name cannot be configured for WINS name and WINS alias has been clarified.

The show redundancy CLI command no longer sends DNS PTR queries to name servers.

A problem that occasionally caused the show policy CLI command to return a spurious POLICY_INTERNAL_ERROR message has fixed.

A problem that prevented MacOS 10.4 and 10.5 clients from copying files in multi-protocol namespaces via CIFS has been fixed.

The ARX-2000 no longer gets stuck at the GRUB menu during the boot process.

Version 5.3.1

Release 5.3.1 included the following features and fixes, also included in this release.


ARX-VE Production Release

Release 5.3.1 introduced a production version of the new ARX Virtual Edition (VE) platform, which runs as a VM guest on hypervisor hardware. This is a software-only platform for the storage services of the ARX, with production-grade limits for maximum number of volumes, file-server shares, files, and so on. Release 5.3.0 was the trial version of the ARX-VE, which is also supported in the current release.

Minimum system requirements:

The ARX-VE requires the following resources from the hypervisor:

  • 2 CPU cores, 64-bit
  • 4 GB of memory
  • 1 Virtual NIC (VNIC) interface
  • 40 GB or more of disk space

These are defined in the OVF template. Please contact F5 technical support prior to making any change to the settings in the OVF template.

Converting from the trial version to the production version: Converting an ARX-VE running Release 5.3.1 from a trial version to a production version requires you to purchase an ARX-VE production license from F5 Networks. Clear the evaluation license and enable the production license. You will be warned to increase the memory allocated to the ARX-VE to 4GB, and to provision a second CPU core. You will then need to reload the ARX-VE instance.

The ARX-VE supports a single interface (a VNIC on its hypervisor host), which is used for management as well as client/server traffic. It differs from other ARX platforms in the following general ways:

  • The ARX-VE uses standard hypervisor clustering for redundancy. Therefore, none of the ARX-specific CLI commands or GUI operations for redundancy appear on the ARX-VE.
  • The ARX-VE does not support VLAN tagging. Its interface is only on VLAN 1, the default VLAN.
  • The ARX-VE can only be deployed in a single-arm network configuration, as described in the Site Planning manual.
  • The ARX-VE cannot support channels.
  • The ARX-VE does not have an out-of-band (OOB) management interface. You manage the ARX-VE with its in-band (VLAN) management IP on VLAN 1.
  • The ARX-VE does not manage its RAID array, so there are no RAID commands or operations in its management interfaces.
  • The ARX-VE system disk and metalog VMDK must be stored outside the VMhost if you want to use VMware high availability functionality. If VMware HA is required, the metalog VMDK must be stored on an NFS NAS, iSCSI SAN, or Fibre Channel SAN accessible by all members of the VMware cluster.
  • The ARX-VE does not support firmware upgrades.
  • The VMware console does not support copy and paste from outside applications, so you cannot copy an ARX running-config or global-config from an external file to the ARX-VE's CLI prompt. You can instead use the CLI copy command to upload a running-config and/or global-config file to the ARX, then use the run command to run the configuration commands in the ARX CLI. Alternatively, you can copy and paste using an SSH/telnet connection to the ARX's in-band IP address.

In addition, observe the following practices when operating the ARX-VE:

  • Do not use VMware Fault Tolerance in conjunction with ARX-VE.
  • Perform live migration of ARX-VE virtual machines (using VMware VMotion) only when the ARX-VE is idle or lightly loaded (e.g.,during off-hours). Live migration of ARX-VE while the virtual machine is processing traffic could produce unexpected results.
  • Similarly, in DRS environments, perform live migration of ARX-VE virtual machines (using VMware VMotion) only when the ARX-VE is idle or lightly loaded (e.g., during off-hours). Live migration of ARX-VE while the virtual machine is processing traffic could produce unexpected results. Disable automatic migrations by adjusting the VMware VMotion DRS Automation Level to Partially Automated, Manual or Disabled on a per-ARX-VE basis.


Release 5.3.1 added the following fixes to the ARX:

A problem with network mask handling that caused virtual services to fail to come online has been fixed.

When a managed volume's metadata share was offline, thereby disabling the managed volume, the ARX Manager's Namespace screen spuriously indicated that the volume was healthy.

A problem that caused core file creation due to a difference in the ARX-VE's handling of SMB signatures between the front end and the back end has been fixed.

Version 5.3.0

Release 5.3.0 included the following features and fixes, also included in this release.



Release 5.3.0 supports the new ARX Virtual Edition (VE) platform, which runs as a VM guest on hypervisor hardware. This is a software-only platform for the storage services of the ARX, useful for demonstrations of ARX storage as well as for pre-staging for one of the ARX hardware platforms.

The ARX-VE supports a single interface (a VNIC on its hypervisor host), which is used for management as well as client/server traffic. It differs from other ARX platforms in the following general ways:

  • The ARX-VE uses standard hypervisor clustering for redundancy. Therefore, none of the ARX-specific CLI commands or GUI operations for redundancy appear on the ARX-VE.
  • The ARX-VE does not support VLAN tagging. Its interface is only on VLAN 1, the default VLAN.
  • The ARX-VE can only be deployed in a single-arm network configuration, as described in the Site Planning manual.
  • The ARX-VE cannot support channels.
  • The ARX-VE does not have an out-of-band (OOB) management interface. You manage the ARX-VE with its in-band (VLAN) management IP on VLAN 1.
  • The ARX-VE does not manage its RAID array, so there are no RAID commands or operations in its management interfaces.
  • The ARX-VE metalog VMDK must be stored outside the VMserver if you want to use VMware high availability functionality. If VMware HA is required, the metalog VMDK must be stored on an NFS NAS, iSCSI SAN, or Fibre Channel SAN accessible by all members of the VMware cluster.
  • The ARX-VE does not support firmware upgrades.
  • The VMware console does not support copy and paste from outside applications, so you cannot copy an ARX running-config or global-config from an external file to the ARX-VE's CLI prompt. You can instead use the CLI copy command to upload a running-config and/or global-config file to the ARX, then use the run command to run the configuration commands in the ARX CLI.

NOTE: You cannot apply upgrade releases or hotfix updates to this version of ARX-VE.


Release 5.3.0 added the following fixes to the ARX:

As a result of updates to the ARX Linux kernel, the file tracking copy of metadata to an NFS share no longer causes user processes to hang. It is no longer necessary to use a CIFS share when copying metadata to the file tracking archive.

Executing the show exports command on a Windows filer that does not have Services For Unix installed no longer returns the 'STATUS_BAD_NETWORK_PATH' error message.

The Temporary file attribute for files and directories now is ignored.

A problem that prevented users from deleting directories from home drives when using Windows 7 and DFS has been fixed.

Displaying the security for an NFS mount from a client no longer causes the ARX to show the security for the mount incorrectly as "none".

A problem with TCP port allocation by the ARX that caused an NFS server to be unresponsive after ARX failover has been fixed.

A problem in the ARX HA functionality that prevented clients from accessing mounted directories has been fixed.

Windows 2008 R2 snapshots no longer fail when the Windows filer has more than 20 mount points.

343813, 347086
Changing a metadata share for an existing managed volume no longer causes an unexpected exit of the ARX GUI.

Version 5.2.2

This was a Maintenance Release for the 5.02.nnn series of software releases. It did not include any new features or enhancements. It contained the following fixes:

NetApp negative vfiler response not recognized by ARX

A problem with NetApp negative vfiler responses not being recognized by the ARX has been fixed.

The ARX was making unnecessary "vfiler status" query retries because it did not recognize the response "Use of vfilers requires a multistore license."

408318, 408158, 409258
Due to a bug in the kernel scheduler, 2 CPUs on the control plane could get into a race and block clock interrupts, causing the ARX to lock. The watchdog timer would time out and disable the links on the switch ports. This issue has been fixed.

During HA rendezvous, when redundancy is first enabled, it is possible to "no enable" redundancy on the ARX that will become the backup switch before it is fully established. As part of rolling back redundancy, all global scope data is removed from the joining ARX. Previously, it was possible for a database transaction conflict to prevent removal of this data. This would cause numerous split-brain conditions when the joining ARX resumed stand-alone function. In this situation, the joining ARX now reboots on failure to clear all global scope data. The data is then automatically removed during restart.

398376, 404364
A race condition between NSM and DNAS for file close can cause NSM to core. The problem has been fixed.

393763, 402634
An internal NSM data structure could get freed twice and cause NSM to core. The problem has been fixed.

A problem that caused NSM to core when the filer uses 64-byte NFS file handles has been fixed.

This issue applied to a disaster-recovery (DR) scenario, where the global configuration from a failed "active" ARX cluster was loaded onto a "backup" ARX cluster. If the active cluster had any wins-alias in its configuration, the load command failed on the backup cluster. Specifically, the load failed with an OM_RECORD_INSERT_FAILED error.

390045, 389340, 389341, 392518
NSM crashed due to a non-maskable interrupt (NMI) with an exception code. The NMI fired because the NSM failed to switch tasks within a certain amount of time.

For further root cause analysis, code has been changed to collect additional debug information if the issue arises again.

Users in a Windows-Management-Authorization (WMA) group were not granted appropriate permissions when a namespace had 2 or more WMA groups configured per namespace.

If only a single user is assigned to the namespace, then the permissions act correctly.

385244, 386858
A problem with the ARX's handling of multiple sessions using SMB signing that was recognized initially during offline file use has been fixed.

Windows Explorer and other applications can poll an ARX CIFS service for changes in a given directory and its subtree. The ARX response to each poll is called a change notification. The ARX service must poll all of the CIFS servers behind it, so a poll of a full subtree significantly increases network traffic. By default, the ARX CIFS service therefore only responds with changes in the root of the directory. Under the following circumstances, the ARX CIFS service sometimes returned empty responses:

  • The default was changed (with the cifs notify-change- mode CLI command, or its GUI equivalent) to include the full subtree on request,
  • the CIFS-client applications asked for full subtrees, and
  • the responses included long directory paths.

Copying an ARX release file from a namespace resulted in a spurious error, and the copy failed. The error was named FILE_COPY_SRC_NOT_REL, and it stated that the file requires a ".rel" extension. The error and failure occurred even when the file had the correct extension.

The snapshot remove and snapshot verify operations failed under the following circumstances:

  1. A snapshot was created in an ARX volume with multiple shares.
  2. Someone removed or added at least one share from the ARX volume.
  3. You ran either the snapshot remove or snapshot verify operation on the snapshot created in the first step.

The snapshot operations failed due to the changed volume state.

Replacing a failed hard disk in an ARX-4000 occasionally resulted in a system crash that produced a core-memory file. The core was produced by /acopia/bin/chassnew, as shown by the show cores core- file backtrace CLI command. This release corrects the software fault that caused the crash.

The text of the DCSLOW syslog message required some clarification.

374686, 375143
The ARX software declared the wrong DC was "slow" and stopped using it for Kerberos under the following circumstances:

  • a CIFS client tried to authenticate from a remote Windows domain, and
  • a DC was very slow to respond in an intermediate domain, between the client's domain and the ARX domain.

In this case, the ARX changed the DC in the client's domain from "Active" to "Backup" status. Now it demotes the correct DC, from the intermediate domain.

A CIFS volume with the filer-subshares feature occasionally failed when multiple offline shares came back online together. The failure occurred when:

  • one of those shares had a directory with two ARX-generated subshare names (_acopia_subshare-name_id, where the subshare-name is the same for both subshares), and
  • the volume chooses a different share first for subshare probing, a process that prepares all subshares for synchronization.

370677, 379209
Malformed NFS RPCs caused NSM cores to fail when they indicated a drastically inflated RPC size. Now, the ARX disconnects the ARX client instead of failing one of its NSM cores.

The auto-migrate feature is supposed to migrate files off of one share in a share farm when the share is above a "maintain-free-space" threshold, and it is supposed to stop migrating off the share after its free space rises to its "resume-migrate" threshold. When the policy engine performed a free-space probe at the wrong time, it canceled the auto-migrate operation before the share dropped down to its "resume-migrate" threshold. Now the free-space probe does not cancel the auto-migrate operation.

375408, 375786, 376495, 375083
The reports from the nsck ... report inconsistencies operation included non-existent metadata inconsistencies, and the nsck ... rebuild operation created metadata inconsistencies between the ARX volume and its back-end shares. Both of these issues stemmed from the same software problem, which is now resolved.

A problem that caused the copying of files 2GB and larger in size to time out on Mac OS X 10.7 (Lion) has been fixed.

A problem with hardware profile exchange between the two ARXes in a redundant pair that sometimes caused HA pairing to fail has been fixed.

A problem with subshare synching not working for Data Domain filers was caused by poor handling of case-sensitive path names and has been fixed.

375366, 377336, 377342, 377486, 377527
A problem that caused files marked as "delete-on-close" to be deleted prior to being closed has been fixed.

An invalid SSH keytype that caused the CLI to crash has been corrected.

unable to access vip after adding an export

When an ARX virtual snapshot takes longer than two minutes, the WinRM connection from ARX to the Windows file server may be reset by the Windows file server, causing the snapshot operation to fail. The ARX now re-establishes the WinRM connection and completes the snapshot operation with the new connection.

expect command to gather data needed for CCN licensing

bad value for last-name-offset in find-files results

Import failure with 112 or more user entries in the Security Tab

373157, 373574
NSM cored, 4 NSMs went standby

Global configs not propagating to jr switch

subshrmgtd cored when performing share removal

8.3 name collision causes file access disable/removal

A problem with start date tracking for place rules that prevented a scheduled place rule from running at its first scheduled time has been fixed.

367924, 372206
client unable to get directory listing

A problem that caused file history queries to return no files in the report has been fixed.

369794, 368478, 369209
An internal locking problem was corrected in a rarely encountered error path. Prior to this correction, if the error path was triggered, tasks within the ARX software could block indefinitely, leading to severely degraded user access to ARX-virtualized file systems.

366235, 367033, 368978
A problem that caused storage resources to become inaccessible to users has been corrected by changing the handling of timeouts in the ARX's path caching functionality.

Performing a shadow copy operation for a directory no longer fails with error code 26 ["Stage file failed"].

A metadata database problem that caused DNAS forced recoveries to occur has been fixed.

A problem that caused NFS TCP connections to back end filers to get stuck in the "Retrying" state, preventing access to the back end file systems, has been fixed.

346213, 364071, 365052
Adding user security through the VIP now works correctly, after a problem involving source ID mapping and domain strings was fixed.

A problem with report file permissions set by the ARX GUI that prevented such report files from being copied off of the ARX using the CLI has been fixed.

The timeout for connecting to a domain controller, for NTLM/NTLMv2 authentication when constrained delegation is used, has been increased from 10-20ms to about 10 seconds. This will allow the authentication mechanisms to work as expected when ARX is configured with domain controllers that are slower than normal.

Share-farms that are configured to constrain directories below a depth greater than 1 now behave correctly. Previously, constraints below a depth of 1 did not work.

A problem in which multiple place-rules targeted the same share-farm and caused the removal of each other's pending directory promotes has been fixed.

Using the quorum-disk command with the spn argument no longer changes the user's domain to that of the quorum disk SPN domain.

A problem that caused snapshots to fail on Windows 2003 filers due to erroneous handling of the drive letter and drive type has been fixed.

A problem in the software upgrade process that prevented the show policy command from displaying policy rules after the upgrade has been fixed.

A problem that caused the mounting of a TCP port using NFS v3 to fail has been fixed.

location broker cores.

Remove share failed, dncd failed assert.

361975, 363221
A problem that caused the NSM to generate core files due to a back-end connection aging out while an uncleared pending transaction was present has been fixed.

File history queries are no longer limited to 20,480 files.

A problem that caused share import reports with more than 1,000 entries to be incomplete has been fixed.

File tracking reports no longer fail when initiated after another file tracking report that had been canceled before being able to complete.

Internal timing errors that caused stale NFS file handles to occur during du and ls operations have been corrected.

A problem that caused managed volume snapshots to be in a permanent "requested" state following an extended period of filer down time has been fixed.

The prompt that appears upon execution of the nsck destage and nsck rebuild commands now requires you to type an explicit response, either yes or no. Previously, this prompt was not clear.

A problem that caused the NSM to produce a core file when the path cache was enabled has been fixed.

A case mismatch issue which caused a core file to be created when the case of the path for a subshare export did not match the case of the path for the back-end share has been fixed.

A problem that caused Active Directory users to be locked out of the ARX after a single failed login attempt has been fixed.

A case mismatch issue that prevented the removal of CIFS shares and generated a core file has been fixed.

Portable Apple devices (such as the iPad and iPhone) could not access ARX shares with the FileBrowser and NetPortal apps.

354569, 357049
An SNMP get operation sometimes caused the ARX software to fail, produce a core-memory file, and reboot. The failure occurred only if there was at least one CIFS-authentication failure in the database, the failure was one of a small set of failures, and CIFS-authentication statistics were included in the returned data.

351863, 349196, 349933
NSM processors on the ARX-4000 sometimes failed to boot after an upgrade to 5.2.0 (or later) firmware. This was only an issue on an ARX-4000 in a redundant pair. Now the processors boot successfully after a firmware upgrade.

ARX performance was slower than it should have been in lossy networks. When network retransmits occurred due to external network issues, the retransmit algorithm caused extra time to be lost. The retransmit algorithm has been improved so that it stops exacerbating ARX-performance problems in lossy networks.

Some upgrades of redundant pairs failed with an error on the upgraded (backup) peer, visible in the show redundancy output. The error prevented the redundant pair from forming. The error cleared when both peers were upgraded. Now, the error no longer occurs on upgrade.

Erroneous syslog messages are no longer generated when navigating a filer for which streams are disabled.

Log messages related to the mounting and connection of quorum disks have been improved to facilitate the troubleshooting process when access to the quorum disk is interrupted.

Displaying chassis information using the GUI sometimes displayed Disk Status as Good when the actual status was, in fact, Degraded. The criteria used to determine Disk Status has been modified to characterize that status more accurately as Optimal or Degraded.

The ARX supports the creation of VLAN IDs ranging from 1 to 4009, and now provides adequate warning against creating a VLAN with an ID higher than that.

341077, 344350, 348438
The no redundancy protocol CLI command now removes only external member ports from the private VLAN, and will not remove the internal ports assigned to that VLAN. In addition, the layer 2 software has been changed so that any attempt to delete the private VLAN is rejected. Also, the layer 2 software now includes additional instrumentation for diagnosing failures with IPC timeouts on SCM to NSM internal ports.

347303, 345679
A problem that occurred when an attempt to mount a CIFS quorum disk failed has been fixed, and the corresponding logging has been improved to translate the CIFS error/status code to a text string.

340643, 35742
The ARX now sends out all varbinds for all SNMP traps.

A problem that caused firmware mismatch error messages to be displayed even after a successful firmware upgrade has been fixed.

A problem that caused OMDB transactions to stay open for extended periods of time has been fixed.

When executing the quorum disk command for CIFS and using the optional spn argument, it is no longer necessary to capitalize the fully-qualified domain name.

The collect diag-info command now collects state information and core files correctly for NFS.

Previously, adding a tagged VLAN using the vlan-tag CLI command erroneously added an untagged VLAN entry using the same VLAN ID to the running configuration as well. This has been corrected.

Auto-migration now works correctly when the no volume scan option is used with the place rule.

A problem that caused error messages to indicate that SMB signing was not enabled, when, in fact, it was, has been fixed.

The size limit of the banner.txt file has been increased from 768 B to 1.5 kB.

Version 5.2.0

Release 5.2.0 included the following features and fixes, also included in this release.


Release 5.2.0 contained several supportability enhancements, CIFS enhancements and some other options designed to take advantage of popular file-server features. These are all described in the subsections below.

CIFS Service Enhancements

Release 5.2.0 contains several enhancements for CIFS front-end services. These are designed to tighten security and to improve ease-of-use for administrators.

Constrained Delegation

An ARX-CIFS service delegates its storage services to the filers behind it. Release 5.2.0 supports constrained delegation, so that you can constrain the CIFS service to delegate only to the file servers it uses. (Former software releases allowed the ARX to delegate its services to any filer.) If you use constrained delegation, the namespace behind the service no longer requires an NTLM-authentication server to support NTLM or NTLMv2, and you no-longer need to install an ARX Secure Agent (ASA) on any of the CIFS service's DCs.

Constrained delegation is only possible for a domain if the Domain's functional level is Windows 2003 or later.

A domain administrator can upgrade an ARX-CIFS service to constrained delegation at a Windows Domain Controller (DC). On the DC, the administrator invokes the Active Directory Users and Computers application, finds the machine account for the ARX service, trusts the account for "delegation to specified services only," and identifies all of the CIFS servers behind the ARX. On the ARX, the probe delegate-to command provides a list of all CIFS servers behind a particular ARX service, and confirms that they are properly configured at the DC.

After upgrading a CIFS service to use constrained delegation, it is possible for the service to require a configuration change. Refer to Required Configuration Changes for instructions.

NOTE: Constrained delegation is more secure than unconstrained delegation, and requires that all of the CIFS service's filers be joined to the same Windows domain as the CIFS service itself. Also, all of the filers must support Kerberos authentication.

SMB Signatures

ARX CIFS services and namespaces can now support SMB signing. SMB signing is the process of adding digital signatures to every Server Message Block (SMB) between a CIFS server and its clients. This protects against man-in-the-middle attacks, but creates a performance penalty.

If you implement SMB signing at your site, the ARX can support it as needed. You can enable SMB signing between CIFS clients and one of your CIFS services, and you can enable SMB signing between an ARX namespace and all of its filers.

Active-Directory Site Awareness

The ARX software uses its Active-Directory (AD) site to calculate its preferred Domain Controllers (DCs). In large AD deployments with multiple sites, the AD administrator can identify the sites and assign DCs and subnets to each site. The AD administrator performs this site configuration externally, on a DC. When the ARX automatically discovers the AD configuration (with the active-directory update seed-domain CLI command, or its GUI equivalent), it "prefers" DCs in the same site as its proxy-IP subnet. This removes the administrative burden of manually setting DC preferences on the ARX.

The subnet for the proxy-IP addresses must be assigned to an AD site for the automatic discovery to function properly. You assign a subnet to an AD site at the DC. Use the show ip proxy-addresses CLI command to find the subnet for your proxy-IP addresses.

CIFS-Subshare Enhancements

This release includes several enhancements for the CIFS subshare feature. A CIFS subshare is any CIFS share that exists in the directory tree of an imported CIFS share. Given the correct configuration, a client connecting to an ARX subshare also connects directly to the corresponding file-server subshare, instead of connecting to the import share above it. This ensures that the file server uses the subshare ACL instead of the root-share ACL.

This release enhances the subshare feature by making it easier to manage, especially in large configurations:

  • Subshare replication between back-end filers is now automatic, and no-longer requires the replicate flag in the filer subshare operation.
  • Former releases replicated all subshares discovered on the first-imported share. The ARX ignored any subshares on the second or subsequent imported shares. This release discovers all subshares on all back-end shares, and fully replicates them.
  • Formerly, subshare replication generated new share names in the format, "_acopia_native-name_id$," where the native-name was the name of the subshare that was being duplicated. Now the ARX only generates these names when a naming collision makes it necessary. In most cases, the native-name is duplicated on all back-end shares.
  • The new sync subshares from-namespace operation synchronizes all filer subshares behind a volume and then exports them through a CIFS service. This is done with a single CLI command or GUI operation.
  • A reverse operation, sync subshares from-service, takes all subshare definitions from a front-end CIFS service and replicates them on all the filers behind it. This provides a method for repairing a front-end subshare that is not fully backed by its back-end counterparts.
  • When you export a filer subshare, the ARX automatically replicates all subshare and ACL information on all required back-end subshares.

Two former CLI commands, sync shares and cifs export-subshares, are now obsolete. They have been removed from the CLI, and their GUI counterparts have been adapted to the new operations.

In releases prior to 5.2.0, in ARX Manager, there was a Discover button for subshares in the Create Virtual Service Wizard. In 5.2.0, the subshare "discovery" mechanism was changed/enhanced to include an asynchronous operation that changes the back-end file server configuration by adding subshares to any shares that don't include them already. This enhancement was deemed too heavy to be done as part of a wizard, so the button was removed. The new work flow is to create your virtual service, then edit your managed volume, click the share tab, and click the Sync button. This will sync all back-end subshares and export the sub-shares out the virtual service.

Managed-Volume Shares Dedicated to Snapshot Repositories

The 5.2.0 release now supports replica-snapshot shares in managed volumes. A replica-snapshot share is a constantly-updated duplicate of one of the volume's standard shares. You use standard file-server-replication tools to copy the primary share's files to the replica-snapshot share, then the managed volume can snapshot the data at the replica-snapshot share. This allows you to keep a much smaller number of snapshots on the primary share. The managed volume's CIFS clients can access these snapshots through standard means (such as the "Previous Versions" tab in some Windows releases).

Disaster-Recovery (DR) Support for ARX Sites

A redundant pair of ARXes, called an ARX cluster, can now be used as a backup for an ARX cluster at a primary site. This feature is designed for sites where the back-end file servers independently synchronize data between the two sites. To prepare an ARX cluster for a disaster, you can copy the ARX's global configuration to its backup cluster on a regular schedule, so that the backup cluster always has an updated copy of the active cluster's configuration. In the event of a disaster at the active site, an administrator at the backup site can load and activate the configuration there. ARX clients can then connect to their services and storage at the backup site. The client-side names of all services and shares remain consistent after the site failover.

You can also fail over individual services from one site to another, so that some services run on one ARX cluster and other services run on the second cluster.

Active-Directory Authentication for ARX Administrators

ARX administrators can now use their Windows credentials to log into the CLI or GUI. This requires some minimal configuration to provide one or more Windows groups (such as "Domain Admins") with administrative privileges on the ARX, and to allow Active-Directory authentication into various access points (such as SSH for the CLI or HTTPS for the GUI). Use the authentication CLI command to allow AD authentication, and use the group CLI command to start provisioning a Windows group for ARX administration. For detailed instructions on these commands, refer to the CLI Reference.


This release also contains the auto-diagnostics feature, which can regularly collect usage statistics from your ARX and send them (through email, encrypted) to F5 Support. The engineers at F5 Support can analyze this data over time, watching for trends and, if necessary, contacting you about preventative actions. The feature is recommended, but it is optional; you can use the gbl-mode auto-diagnostics command (or its GUI equivalent) to activate the feature.

More Logs in "collect state" Payload

The collect state command (and its GUI equivalent) now includes important log files to aid with problem diagnosis, but still produces a zip file that is small enough to be portable. The collect state file requires a much shorter upload time than the zip file from collect all or collect diag-info. You can use collect state for an initial diagnosis, and possibly follow up with a later collect all if further diagnosis is required.


Release 5.2.0 supports a SOAP-based API for monitoring ARX configuration and file changes in its managed volumes. You can use third-party software that acts as a client for this API.


Release 5.2.0 included the following fixes, which are also included in this release:

A problem that caused share farms to be duplicated upon creation has been fixed.

A problem that prevented policies from being viewed or changed after upgrading the ARX software to Release 5.2 or higher has been fixed.

343205, 348017
Domain join operations failed when the ARX could not find a domain controller.

351078, 351352
Clients using Mac OSX 10.4.11 now can copy files via their mapped drives while using the GUI finder without receiving an error.

The problem had been caused by client PIDs being sent to the filer with values of 0 rather than with their correct values.

File pathnames now can be renamed to consist of more than 256 characters. previously, pathnames longer than 256 characters in length caused the ARX session to terminate unexpectedly.

File tracking archive searches no longer hang and cause OMDB transactions to be held open for extended periods of time.

A customer requested we add Sync Share functionality to the ARX Manager. You can locate this functionality now in the ARX Manager on the Managed Volumes Details Share Tab, with the Sync Shares button.

Previously, there were policy free space issues after a failover. The event processor now waits for the volume to be up and getting free space before events are processed.

Automatic Volume Sizing (AVS) was running too slow. When Automatic Volume Sizing was disabled, the AVS_NEAR_MAX_CAPACITY trap would trigger too early on small capacity volumes. It now traps when there is either 10 percent or 2M files free in the volume, whichever is smaller

The ARX lost contact with a back-end CIFS file server and when the ARX lost contact with the file server, it locked out all user access to all volumes/shares. This issue was fixed by adjusting the fault injection timeout path and updating the setup script to create shares more quickly.

After removing the smtp configuration, the box continued to send emails. This has been fixed in the software by reissuing some commands, including the exit command.

The software raised fan failure traps as a result of running a collect. This was remedied with a simple FPGA fix.

Constrained Delegation on the ARX did not function for multiple-tier authentications where an SFTP server was tier 1. That is, if an SFTP server delegated to the ARX-CIFS service, and the ARX-CIFS service in turn delegated to a CIFS server behind it, the SFTP clients could not get directory listings.

32938, 39223
If you have a router between the metadata file and the ARX, its possible that the ARX will receive an an ICMP unreachable from the router causing a service interruption(DNAS crashing and restarting). The ARX now handles ICMP unreachable from NFS metadata filers or routers in between.

By default, Windows 2008 R2 servers require 128-bit encryption for their NTLM SSP sessions. This encryption was not supported for filers behind the ARX. Now the ARX supports 128-bit encryption for NTLM SSP sessions.

Samba-based filers are implemented without "Domain Admin" privilege configured within the proxy-user. The samba server privilege probe now verifies that the proxy user is properly mapped to root.

The source IP in a message should be the ARX proxy-IP address, but for some reason, it's was the file server's IP. The fix was to correctly log the ARX proxy-IP address as the source IP address in the log message (instead of whatever information was left over in the buffer).

The interface was not removed from the vlan that had just been deleted. The code now removes the dangling interface.

The first issue is that it is possible to re-scan directories that make the files scanned counter larger than the total number of files in the volume. If that happens, we no longer display the % complete. The second issue is that the queue counters (first time migrates and the re queued migrates) used to get out of sync, causing the first time migrates to become 4294967295, this no longer happens.

The ARX previously considered a domain controller (DC) in another Active-Directory forest to be "unusable" if it had a particular security setting. (This status appeared in the output of the show active-directory status CLI command, or its GUI equivalent.) The DC security setting was "Minimum session security for NTLM SSP based (including secure RPC) clients", set to require 128 bit encryption. Now, you can enable this security setting on a Windows 2003+ DC in another forest and the ARX recognizes it as useable.

34630, 31831
All operations are now queued and executed asynchronously. Furthermore, TCMD does not reorder operations and always insert new operations at the end of the programming queue.

An NSM cored after a customer failed over its peer. This was due to a rare race condition and we implemented a solid reference counting scheme for this affected object.

We added a configurable parameter (maxResilverMinutes) to extend the timeout used for re silvering NVRAM to its peer for hardware redundancy.

A customer experienced repeated cores over a period of times. Now the code requires a new transaction to be used in a retry, at which point a new DB connection is established.

Previously, no warning was provided when a reload was issued and startup-config was deleted. One is now provided.

An ARX-4000 became unresponsive until it was rebooted and logging failed. This was fixed by a firmware upgrade for mid-plane raid controllers.

show firmware upgrade now indicates the correct status messages.

After issuing a reset, the box took too long to respond to pings. The fix was to make the raid status reporting software do the right thing when one of the physical raid drives is either physically missing or behaving as if it is physically missing.

Due to an atypical configuration, a customer experienced a dual NSM core when restarting the ARX Manager. The fix consisted of cleaning up state when a user removes a file server whose connection is down. Previously, this left over state prevented a user from reusing the IP address.

The ARX had HA synchronization issues and now the ARX now has improved HA capabilities.

There was a display issue with show channel stats with Good Oversize Frames = 0. Now you can see Good Oversize Frames value increase as you send jumbo frames.

The ARX-4000 display is counting frames that have a size between 1519 and 1521 bytes in the 1522-2047 bucket. The display correctly counts frames in the 1522-2017 range.

A tier1 rule got reset because it could not put a notification on the notification queue. The notification was the result of a rename. Renames will no longer cause the rule to reset.

A customer experienced errors in the show system status output due to incorrect CPU data. The code now uses CPU scaling and CPU data now displays correctly.

A policy appeared to be aborted. The code has been fixed so that we will not exempt internal admin client connections from tearing down file server connections/sessions. As long as policy releases all the connections, the file server sessions should get refreshed and any credential change in the back end should take effect. In addition, there is a new option to terminate all outbound file server connections used by the internal admin service.

The ARX filer-subshares feature sometimes creates shares on back-end file servers that begin with the prefix "_acopia_". Such share names have a well-defined syntax, and the ARX assumes that it is free to manipulate these shares. With this fix, the ARX is now more robust in its handling of "_acopia_" shares that do not follow the correct syntax (for example, shares created manually by a curious and inquisitive admin user). F5 strongly discourages manual creation of back-end shares whose names begin with the string "_acopia_".

In some cases, a busy file server and a busy ARX can cause the login process from the ARX to the file server to be altered - changing the timing of messages. In some rare cases, when authorization fails on the first attempt to the file server, the NSM that initiated the login would crash. This condition is now handled and the second authorization attempt will proceed normally.

21759, 36546
There were issues found with parent rename and directory renaming. Windows file servers will not allow the manipulation of directories that look like DOS device names (for example: COM1, LPT1, AUX). Unfortunately, Windows doesn't prevent the creation of such directory names. The ARX has to prevent the creation of directory names that would cause offense on file severs that won't accept them. These restrictions are enforced dynamically, and only happen if there are Windows filers in the volume. If a pathname includes a DOS device name as a pathname component, files/directories underneath that directory cannot be placed or migrated to a Windows file server. Also, a rename that would create such a pathname on a Windows file server is not allowed. Additionally, if such a name is discovered to exist on a Windows filer, the ARX will not import it. sync/import/inconsistency reports note the reserved names when they are encountered. Client-initiated proxy operations fail with ACCESS_DENIED and a log message. The corrective action is to rename the directory to something acceptable.

The number of supported attach points was not clearly define or enforced. We now count and enforce the maximum number of attach points that are allowed to be configured. Second, we now restrict the length of the front-end and back-end paths. This reduces memory consumption.

A customer was reloading the primary switch in an HA pair to recover from an NSM core. During the shutdown, the secondary switch lost access to the quorum disk. This caused the secondary switch to reboot per design because it cannot access the quorum and does not have heartbeat from the primary. The code has been fixed to keep the switch from losing access to the quorum disk.

A customer experienced CPU spikes and a performance degradation due to subtree notify changes. We now have a default ignore-subtree-flag setting that fixes this issue.

The ACLs are not migrated when tiering data to T2. We now treat oversize ACLs correctly.

A customer experienced a state where no "cifs auth stats" information could be retrieved with an SNMP "get" command. Code changes were made to provide this information.

Syslog messages were coming every 5 seconds instead of once. Now we only report if the state has changed.

When doing a show global server, the WINS aliases did not appear. Now the code displays the WINs aliases.

37858, 36483, 37793
A customer experienced an NSM core. We modified the NSM watchdog mechanism to improve our chances to diagnose these types of issues.

A user outage was caused by a share import. The code has been fixed so this won't happen.

When a share was enabled for the first time, from the GUI or CLI, and that share had no free space, it used to return an error that needed to be either more clear or changed entirely. This error message has been updated and known results of the write test be returned to the user.

A customer experienced a failover event that took 15 minutes for the VIPs on switch A to become accessible. Whereas the two VIPs on switch B are accessible instantly. This was due to a MAC addressing issue and this issue has been fixed.

Some clients who ran Excel macros at the end of the day said that the macros took a lot longer to complete than expected. We have fixed the software to no longer require OMDB access and no longer require a listener.

The software has been enhanced to include a new feature on the import report. When an import fails, for "Pathname not found during lookup" an entry now displays the actual path name.

We have enhanced the software to help define disaster recovery terms more clearly. We removed the force argument from the remove-share nomigrate command. We now say remove-share offline instead of remove-share nomigrate force. For the global namespace volume share no filer command the force argument has been changed to offline. And lastly, for the global namespace volume, the optional force argument was also changed to offline.

The ARX Manager became inaccessible after a core. The software has been fixed to restart automatically.

On a customer cluster, the ARX Manager is very slow to respond to listing request. We have restructured the way we store the policy configuration information in the ARX so that we can more efficiently retrieve the information when the CLI or GUI request it.

The ARX did not allow RADIUS authentication of users when RADIUS network device filters were turned on. We made fixes to the radius client code on the switch and the NAS-IP-Address is now returned.

When "haPairQDiskFreespaceWarningRaise" trap was created, it did not list in "show health". The code has been fixed to display this trap under show health.

The code was enhanced to move this message to LOG_DEBUG: "Could not properly determine the "active LIP" PIP; the SCM LIP address defaults to INADDR_ANY"

The ARX Manager has been enhanced to allow setting the WinRM port. This setting is now configurable from the File Server Add page or when you configure managed volumes using the wizard.

Occasionally, a shadow copy had failed during target volume rebuild. We change the way that the shadow volume receiver decides database rebuild by making the shadow volume receiver less sensitive to a single not found error.

The ARX Manager now displays the Place Rules report on the Place Rules Details page Current Scan Stats and Last Scan Stats.

Polling to a configured time server would continuously fail transmit and/or receive if it was configured on the ARX prior to an ARX network interface change. This sometimes happen when executing a saved running-config script, where numerous configuration commands are executed in rapid succession. The ntpd daemon was modified to automatically reconfigure its association with a time server after a maximum number of transmit/receive failures.

When a back-end share filled up behind a managed volume, and one of its CIFS clients attempted to change permissions on one of that share's directories, all of that managed volume's CIFS sessions hung. An administrator needed to increase the size of the share (or, in some cases, the NetApp quota) to restore CIFS service to the managed volume.

The ARX now detects disk-full conditions on its back-end filers, blocks client operations that could result in a widespread loss of service, and allows CIFS clients to resolve the problem by removing files. The ARX also sends SNMP traps to alert you of any directories or shares that are adversely affected by an out-of-space share. (See the SNMP Reference for full documentation on all SNMP traps.)

When an SNMP trap raises an alarm condition, the alarm appears in the output of the show health CLI command until it is cleared by another trap. In previous releases, there was no manual method for clearing these alarms. Release 5.2.0 introduced the clear health CLI command for this purpose.

In a filename fileset, recursion did not function when matching directory paths.

Snapshot delete operations on NetApp filers now retry when the snapshot is busy due to a snapmirror operation.

The /acopia/var/log/raidupgrade.log file now includes an entry for each time that the upgrade script was executed.

A problem that caused user-defined login banners set from a file to not survive reboots has been fixed.

The output of the collect state CLI command now includes syslog, procdat, and traplog output. For more details, see More Logs in "collect state" Payload.

Only the single cluster name is displayed now in the GUI when configuring disaster recovery and only one cluster has been configured.

A problem in which the renaming of a file on one share failed because a file with the new name existed already on another share has been fixed.

A firmware upgrade failure that caused the software upgrade process to fail when migrating to Release 5.2.0 has been fixed.

The show cifs-service client-activity CLI command has been improved to display the accurate number of user sessions per client.

The show cifs-sessions open-files CLI command now displays virtual pathnames accurately.

An internal error that caused errors accessing data on managed volumes, along with insufficient resource error messages, has been fixed.

A problem that caused age-based filesets to be displayed incorrectly has been fixed.

An internal problem that caused the creation of a core file has been fixed.

Many attempts to find files across directories with very large numbers of files no longer result in stranded or unresolved searches.

An issue in which performance degradation was caused by an excess of notification messages when a volume was accessed has been fixed.

A background process configures all attach points (in presentation, or direct, volumes) after a failover. In a system with a large number of attach points, this sometimes required several minutes. If another failover occurred before the process was finished, that failover sometimes required nearly one hour to complete. This fix dramatically increases the speed of attach-point configuration and failovers: the same configuration now takes approximately 1 minute.

Version 5.1.9

This was a Maintenance Release for the 5.01.nnn series of software releases. It did not include any new features or enhancements. It contained the following fixes:

A result of null during an LDAP search no longer causes a core file to be generated.

A problem that caused storage jobs to pause indefinitely following the execution of a cancel import command has been fixed. The problem was caused by an internal import lock that was not being released at the appropriate time.

Executing the nsck destage or nsck rebuild command now lists the affected services much more rapidly than before. Previously, it took a very long time for these commands to list all of the affected services before returning a prompt for the user to confirm the action.

The no inline-notify command now affects policy rule behavior only when the rule's schedule executes, and not when a volume pause policy schedule executes.

Need ability to gain disk/raid/ps diagnostic data without going to the shell

Previously, a TCP connection could not be established between the active ARX and backup ARX in an HA pair when each ARX had a local peer core in the Failed state. This has been fixed.

When a managed volume imported its shares using NFSv2, some files and directories were occasionally missed. The import succeeded, but the missed files/directories appeared as inconsistencies. Now an NFSv2 import captures all back-end files reliably.

Back-end snapshots went to the wrong NetApp volume when the NetApp volume met the following criteria:

  • it had a physical path that was different from its "masqueraded" NFS-export path,
  • the "masqueraded" path matched the path of a different physical volume,
  • the "masqueraded" path started with "/vol", and
  • the "masqueraded" path was imported into an ARX volume that supports snapshots.

Now the ARX takes snapshots of the correct (physical) NetApp path.

At some customer installations, two Microsoft Windows Server 2003 hot fixes (KB2478971 and KB2478960) were causing the ARX to mark the server's shares as "offline."

348799, 39560, 348979
Previously, when an NTLM server was removed while thousands of NAT rule actions were installed and in the initial state, the NSM watchdog could expire because the removal of the rules took longer than the watchdog allowed. Now, the watchdog continues to be serviced while the removal of NAT rule actions completes.

A rare race condition between a CIFS-client disconnect and an internal cancel- search command could potentially cause a software failure. The software failure produced a core-memory file. The race condition has been corrected.

Many CIFS clients were unable to connect to ARX storage during failovers and failbacks between NSM cores. The client outages sometimes lasted for several minutes. This fix addresses issues in the control plane that contributed to the outages.

When a switch replacement in a redundant pair repeatedly failed, clients had difficulty accessing the active ARX's front-end services.

The Network Services Module no longer generates a core file when bad server message blocks are received from the network.

351553, 350947
A problem in the NSMs memory allocation could cause the NSM to be shut down by the control plane. This has been fixed by ensuring that the internal watchdog is serviced in the memory heap management routines.

Temp files that are created in /acopia/reports/tmp during report copy operations now are deleted properly following execution, and no longer prevent the generation of new reports.

A problem that caused slow performance and WORKSLOW messages to be displayed has been fixed.

347298, 347192, 348800, 350191, 350964
The Network Services Module could generate core files when it receives multiple client requests that need to be sent to a filer, but the authorization credentials to that filer generate a failure (for example, a LOGON_FAILURE). This issue has been corrected.

Some operations (in particular metadata migration) failed to use the configured SPN as they should have. This prevented the operations from working when using a clustered Windows file server. This has been fixed to use the configured SPN.

344676, 342783
This fix involves changes made to assure Db-scope garbage collection is set to every 10,000 transactions after creating a new database.

A problem in which a report of space running out on one share caused loss of access to other virtual IP addresses and exports has been fixed.

341991, 342263, 343348
NSM cored due to taking too long when reassembling a long packet when there are many fragments. This issue has been addressed and fixed.

When a presentation (or direct) volume has an attach point into a managed volume with snapshots, the "~snapshot" directory was not always visible in the attach point. This only occurred if the attach point attached to one of the managed volume's subdirectories. For example, suppose a presentation volume, "/pvol", attaches one of its directories ("/pvol/attachDir") to a managed volume, "/mvol", at "/mvol/dir1/dir2." A client's directory listing of "/pvol/attachDir" did not include a "~snapshots" directory before this fix; now it does.

When a CIFS client's password expired in the middle of a connection to an ARX service, the ARX network software failed and created a core-memory file.

The show file-history archive ... contents operation failed for volumes with very large numbers of files (20 million or more).

When a file migrates to the ARX Cloud Extender (ARX-CE), the ARX-CE compresses the file and sets its "sparse file" attribute. Formerly, a file that migrated to the ARX-CE, then to an EMC Celerra, and back to the ARX-CE would be corrupted on the final migration. This is a file-server issue, caused by different uses of the "sparse file" attribute. Now the ARX works around this issue, so this migration path does not corrupt files.

Version 5.1.7

Release 5.1.7 included the following fixes, also included in this release:

In environments with Active Directory contents comprising hundreds of thousands of user accounts, the v5.1.7 HF2 Secure Agent sometimes failed to scan the entire user database, resulting in some users failing authentication. This has been addressed by changing the Secure Agent's default timeout to 60 minutes, allowing more time for the user database to be read.

A customer experienced a problem after performing a "shutdown" as part of DR test. When the box was powered back up, there was an error with the object manager database (which was then renamed), and the box came up without a configuration. This problem has been fixed.

A customer's performance data showed that the find_first2 requests seem to be up to 40X slower than the file server response time. The software has been fixed and performance has been significantly improved.

An NSM crash could happen in cases where there are connectivity/networking issues with a domain controller. While waiting for an authorization response from the control plane, the back-end file sever could tear down the TCP connection, causing memory corruption when the domain controller finally responds. Now, the NSM detects and corrects this situation to properly return an error to the client.

Under load, a CIFS client may issue multiple close requests to close a file (since there can be a delay in the response to the first close). When this happens, it was possible for the NSM to crash upon receipt of the response to the second close request since the NSM would access a freed object. This situation has been fixed to account for this possibility.

A customer experienced an NSM core. We fixed the assumption that the transaction2 operation responses always come from the file server. Transaction2 operation responses also come from the control plane. This log parameter mismatch was fixed.

338421, 38914, 39044, 337650, 339138
Under heavy load, it was possible for the NSM periodic cleanup functions to be starved and not run to completion and return filer connections that have gone down to the free pool. This could cause the NSM to run out of connections and be unable to service more clients. The periodic cleanup functions were changed so that this situation no longer happens.

There was a corner case where DNAS and the NSM lost communications of the DT message path and the NSM began to reconnect. In the meantime, the NSM was still processing NFS requests and attempted to send a lookup to DNAS, which failed. As part of the cleanup processing there was an attempt to release a DT message that was never allocated. This resulted in the NSM coring. We now check that the DT message path is in the connected stated before attempting release any DT resources.

A customer added an NFS list and experienced a core. This was fixed by fixing a lock around a call record.

When an NFSv2 client used the chmod, chown, or chgrp command on an ARX-volume directory, future ls -l commands erroneously showed a time stamp of December 31, 1969. The time-stamp display issue has been corrected in this release.

Shortly after a failover, the ls command hung in one of the ARX's NFS exports. This was due to a rare race condition in one of the network processors. The race condition is resolved in this release.

338082, 338250
A customer experienced a core because a file request timed-out. Now we do an extra look up for the object and rely on the file server response and not the object for the valid response.

A customer experienced a frequent pop up message concerning ARX Secure Agent. This was caused by a race-condition in the code between use of an object and freeing the object and this conflict has been fixed.

Database (DB) access through an ARX-CIFS volume failed when several DB-access commands were run in a macro. The ARX volume sometimes returned a "Disk or Network Error" message to the CIFS client running the macro.

An NSM crash could occur during network outages - specifically when back-end file servers tear down TCP connections to the ARX. This was fixed by more properly handling internal objects when this happens and not cause memory corruption in the NSM.

If an NFS client issued a /bin/ln command in a direct (or presentation) volume, the ARX volume sometimes responded with a spurious ESTALE error.

Previously, the client never cached any directory information, so it was forced to always run ls to ask the ARX for all the information. Using ls would always appear to be uniformly slow. A user would not see this with NFS clients & servers, since there is always some locality of reference. Now, repeated references to the same directories can be satisfied (almost) completely from the client's local directory cache, so it is much faster.

In NFS, a duplicate request sent by a client can, in very rare cases, receive two different replies from the file server: the first response yielding an error and the second response yielding a success. The NSM did not deal with this sequence properly (the verifiers did not match), which caused a crash. The ARX now handles this situation properly.

37422, 37992
During an upgrade, a virtual server hung in the starting state until browsing was disabled and then the global server went to enabled. Browsing could then be enabled again without incident. Now the volumes are enabled and assigned to an instance, which fixes this problem.

When trying to setup a trust between two domains, a customer got errors back that one of the DCs are offline, while the AD status shows them online. The ARX now checks the forest function level from any reachable DC and it only checks in the forest-trust configuration (Windows Active Directory ensures that only Windows 2003/Windows 2008 servers are used as DCs, checks to see if the forest function level is 2003 or above, and the forest function level can NOT be downgraded.

38789, 38233, 39336, and 39818
The ARX failed to reboot and fail over after an internal-disk (RAID) failure.

A problem that caused filename collisions during the use of the nsck rebuild CLI command has been fixed.

During a forest-to-forest trust configuration the Win2K8 R2 DC was not accepted. This is now fixed, but you must not configure the forest trust, but instead configure the kerberos-auto-realm-transversal.

37048, 337568
The active-directory alias operation failed for an ARX VIP unless the VIP's CIFS service was joined the "COMPUTERS" OU.

336269, 35475, 342748
An NSM core happened due to a double free of a presto packet in an NFS path coupled with a network outage,which resulted in a buffer corruption. The NSM can now send traffic to a file server in this situation without corrupting the buffer.

A customer experienced an NSM core on an HA pair, for twice on each, and a total of 4 times. We no longer process TCP ACKs for RON packets which have not finished being transmitted.

341263, 341478, 341975, 342147
An internal problem that caused the creation of a core file has been fixed.

Two new CIFS shares were added, one to the /data volume and one to the /data directory, which resulted in a core. The boxes ping-ponged until they reached the bounce limit. This was caused by a piece of code that was used to protect us from a volume name of "/". We now double check for the volume name and avoid this issue.

Version 5.1.5

Release 5.1.5 included the following fixes, also included in this release:

37677, 336690
Previously, when the "count" form of "ip proxy-address" was used after the hardware was set up, then the resultant EIP records were delivered in non-ascending order of EIP address. If the EIPs are processed out of order, then the LIPs for XIPLIP assignments were also out of order (and incorrect). The code has been modified to so that any out-of-order processing of EIP listener events won't cause any problems.

Previously, when the Shadow Copy Rule Edit page was accessed, the Publishing Mode drop-down was set to "Individual" regardless of the active shadow copy rule configuration on the ARX. The Publishing Mode drop-down box now sticks and matches the global-config.

Fix to ensure "no modify" import failures continue for non-mappable directories.

etch bash had a memory leak in the built-in read function.

Linux kernel bug that caused services to be unavailable after aborting a CLI "copy" when using NFS.

Apple and Kerberos compatibility improvements.

Fix to improve share removal function by making retries more robust.

Fix to prevent DME from crashing and triggering a reboot.

Packet capture using the "proxy-all" option was not capturing all packets.

MAC OS 10.6.X clients were unable to see sub folders.

ARX was unable to sync folder attributes. We made a change code so we log an internal error instead of sending a back packet. Debug logging now shows the exact type (MSGX_TOOBIG == 5).

Fix to preserve the "Modify" time when doing a migration.

A share that failed import and subsequently removed from ARX configuration left remnants in DNAS system which then prevented the share from being imported later.

If an ARX file system erroneously mounts a partition as read-only, the ARX now triggers a reboot to restore function.

An attempt to use a connection to a filer to add a share failed after a previous failed attempt did not delete the failed connection.

Small IP fragments were being handled incorrectly.

Fix to ensure that when you press the <Enter> key on the no enable namespace command, you drop back to the CLI with no action taken.

A software change to help identify who has open files on system mount point when an un-mount fails.

39645, 39394
A fix to prevent an NSM core by ensuring disconnect cleanup.

Device nodes in a multi protocol share that have case collisions could not be transferred.

An import missed files because a failed import share was re-enabled before the other shares had finished importing.

Multi protocol import was very slow due to volume being locked. Lock type changed to improve performance.

Delayed acknowledgement methodology caused NFS migration performance problems.

The Prune Target check box in the GUI's Edit Shadow-Copy Rule screen was persistently checked. If the prune-target feature was disabled previously, either from the GUI or the CLI, the GUI always displayed it as "enabled."

The migrate close-files failed with "access not permitted". Now, in a multi-protocol namespace that contains ntfs-qtrees, the ARX will check if the file is open before trying to migrate it.

The SNMP trap, dnsServerOffline, did not include the failed server's IP address in its message text. The CLI show health command, which shows only the name and the message text of each active trap, therefore did not show which DNS server had failed.

Reports from a file-placement rule did not include the rule's namespace or volume names.

When calculating internal mappings for a subshare in a particular CIFS service to back-end shares in a volume, the ARX is no longer confused by like-named subshares that point to other volumes.

An ARX Manager error report option was confusing as it was different between Edit Place Rules and Edit Snapshot. It now reads "Auto delete if no errors" in both places.

The CLI help text for the cifs authentication command neglected to mention NTLM. Now it mentions NTLM.

The reporting of no modify import for directories that are DFS links was incorrect. Now, the report should list an error of 'DF' which indicates that a DFS was found. In addition, the report should lists the directories that failed.

A failed import of a higher priority share in one volume no longer impacts the scheduling of an import of a lower priority share in another volume contained in the same VPU.

The start-time option for collect logs was not adhering to the specified time constraint. Now the CLI help spells out the correct time formats to use for collect logs.

If an import of a share with no-modify enabled resulted in a case-blind directory name collision the process failed with a -70 internal error. A -70 internal error will no longer be returned for import reports or in syslog.

After entering start (without a date/time) for a schedule, the place rule moved the wrong files. This has been fixed by removing the auto-adjust start time.

A core was generated by a race condition and memory leak.

The ARX Manager was not displaying proxy-user in the file history archive. The proxy-user now displays correctly.

The snapshot reconstitution script is not working with reports generated by ARX. The reconstitution script now works correctly.

The kernel.log file contained an excessive number of the following messages:

EDAC i5000 MC0: NON-FATAL ERRORS Found!!! 1st NON-FATAL Err Reg= 0x80000
EDAC i5000: THERMAL Error, bits= 0x80000

The ARX kernel now logs an appropriate number of these messages whenever the issue occurs.

The ARX code spuriously declared its Domain Controllers (DCs) to be "slow" if its DNS server required more than 2 seconds to respond. Most of the DNS queries from the ARX were unnecessary, and this caused the ARX-Kerberos processes to repeatedly switch from one redundant DC to another. The ARX Kerberos processes no-longer send out unnecessary DNS queries.

The domain-join operation resulted in an ADJOIN_PWCHANGE error for some network configurations. This occurred when an external routing device allowed traffic from the ARX's proxy-IP addresses to the domain controllers (DCs), but dropped traffic from the ARX's management-IP address. An internal ARX issue caused the ARX to incorrectly send some domain-join packets from the management-IP address instead of a proxy-IP address. As of this release, the ARX sends all of its domain-join packets from its proxy-IP addresses.

Disk drive numbering in the ARX-2000 Installation Guide has been corrected to identify Bay 1 as the top drive and Bay 2 as the bottom drive. This numbering matches the CLI drive designation and the labeling on the switch. The LED documentation has been updated to indicate that flicker indicates drive activity.

There was a problem with the default route in NSM, which caused several NSM cores around pro_arpcache.

Member itemization was not right in an error message. The correct variable now displays in the error message.

If a volume had a connection failure with its CIFS-metadata share, and then someone attempted a metadata migration before any client accessed the volume, the metadata migration failed with a VOL_MDMIGRATE_FILER_PROBE_FAILED error.

37067, 37331
An NSM-core processor, on rare occasions, failed when a CIFS client performed a FIND operation.

The GUI screen for setting a schedule (Policy -> Schedules -> Add...) sometimes created schedules that never fired. The check boxes under Interval -> Weekdays were ineffective.

The GUI field for editing a Place Rule's report prefix had no effect. The specific field was Policy -> Place Rules -> rule-name -> Edit -> Reports -> Prefix.

The GUI did not allow a storage-engineer to delete or verify snapshots. (A "storage-engineer" is an administrator's login account where the assigned admin role is "storage-engineer.")

A drop-down menu was malfunctioning in the GUI. The malfunctioning menu was at the following path: Policy -> Snapshots -> rule-name -> Rule. Whenever you used the drop-down menu, it reverted back to the first snapshot rule in the volume instead of the selected rule. Now it stays set to the selected rule.

When importing a volume in no-modify mode with multiple shares that are expected to merge, and you have "no import sync" and "no import rename-dir," and when the import hits a Case Collision or potentially some other variables, instead of continuing and doing a delayed fail as it should, the import fails immediately. There are two solutions. If you have run an import with "no modify", "no import rename-directory" and "no import sync-attributes", then with an attributes collision during import the report will show the directory which has attribute condition is marked as "skipped." If you do an import with "no modify", "no import rename-directory", with "import sync-attributes", then if you have an attributes collision it will log the inconsistency, stripe the directory, and continue to descend into that directory.

If you ran the show policy details on a volume with a rule that never ran before, the show operation reported an XSL transformation error. This error also appeared for collect diag-info, which invoked the show policy details command.

A file-placement rule failed at volume-scan time whenever a higher-priority rule with no volume-scan matched any the same files or directories. A no volume-scan rule can now co-exist with any other rule, without causing the other rule(s) to fail.

After removing an active-directory alias that was never accepted by any DC, the ARX software did not send an spnAliasUpdateClear trap. This left a persistent alarm condition, spnAliasUpdateRaise, on the ARX.

The no active-directory alias spn CLI command did not remove the SPN from the ARX database until the local DC removed it from the Active Directory DB. Now the ARX DB removes the SPN immediately, and the ARX software continues a background process to delete it from the Active Directory.

When the spnAliasUpdateRaise alarm appeared in the output of the show health CLI command, its Description field started with a "." character.

The following spurious message kept repeating in the error.log file;

SnapshotOp::setupSnapshotCreateGroup: Waiting for 'n' - 'm' more ckpt config records.

The ARX software no longer generates this log message.

The following unclear message appeared in the syslog whenever a volume lost its connection to its metadata share:

bdb_get_metadata_size(): cifs_shim_fstat on fd=134217738 failed [-1].

This message has been suppressed in favor of clearer log messages.

If a client renamed a file to a similar name during a managed-volume import, such as "file.doc" to "FILE.doc," the import could hang indefinitely. This also caused hangs for client operations during the import. Renames no longer cause these import issues.

The show statistics cifs-auth command had incomplete statistics for unsupported protocols. If a client attempted to authenticate with an unsupported CIFS protocol, the resulting failure was not counted in the main output of show statistics cifs-auth. Now it is.

The ARX's Network Services Module (NSM) terminated abruptly if a filer responded with a different SMB command code than the one that the ARX had sent. The ARX now compares the filer reply with the request and drops the reply in the event that they do not match.

On the ARX-500, when an IP address was added to an interface that was on VLAN 1, the IP address could not be removed completely, because it remained in the ARP cache. VLAN 1 was being re-mapped to the primary interface when the IP address was added to the interface. The functionality for removing IP addresses was changed to correct this.

An issue with the ARX's file-tracking functionality that caused failures in some cases has been fixed.

Mac OS X 10.6.3 clients were timing out when copying large directories into direct volumes.

Mac OS X clients were timing out when copying large directories into an ARX managed volume.

Long role names were causing SNMP traps to be sent to an email address after that address had been removed from the trap-recipient list.

Version 5.1.0

Release 5.1.0 included the following features and fixes, also included in this release:


Release 5.1.0 added the following new features to the ARX:

Release 5.1.0 supports the new ARX-2000 hardware platform, which is a 2U device with 12 1Gbps interfaces.

A Multi-Protocol Volume Supports NFS Symbolic Links (Symlinks) for its CIFS Clients
As of Release 5.1.0, a multi-protocol (NFS and CIFS) volume can display NFS symlinks to its CIFS clients, and allow its CIFS clients to traverse those symlinks. For example, if an NFS client creates a symlink named "pointerDir" that points to "randomDir," any CIFS client can cd to the "pointerDir" symlink to access the "randomDir" directory.

This feature does not support absolute symlinks (such as a link to "/vol/vol2/myDir"). It supports relative symlinks, such as a link to "../myDir" from the current directory.

Limiting CIFS Connections To Tier 2 Filer Servers
Some Tier-2 file servers cannot tolerate a large number of simultaneous CIFS connections. Release 5.1.0 accommodated those file servers with a feature that allows you to set a maximum number of CIFS connections to such a filer. You can use a CLI command, cifs connection-limit, or its GUI equivalent to set this maximum.

Policy Enhancements
The policy engine offers a number of enhancements as of Release 5.1.0, including the following.

  • Finer Control Over Share Free Space
    Release 5.1.0 added per-share controls over free space. For each share, you can establish a volume or percentage of free space to maintain. All policy rules, including share-farm directives, avoid consuming this free space. If a rule attempts to migrate any file to any share, it first verifies that the file will not reduce the share's free space below this level. If the file would violate this free-space limit, the rule pauses and monitors the share's free space. Once the share's free space rises to a higher level (perhaps because of other rules), the rule can resume migrating to the share.
    For any given share, you can control the amount of free space to maintain and the amount of free space required for the share to resume accepting file migrations.
  • Regular Reports on Inline Migrations
    A file-placement rule migrates files between volume scans. This occurs inline, whenever a client changes the file so that it no longer belongs on its current back-end share. For example, if a client changes the name of a file so that it fits a new fileset, a placement rule for that fileset migrates the file as needed. As of Release 5.1.0, you can create hourly or daily reports that show the number of migrated files, their combined size, the number of failed migrations, and other useful statistics.
  • Scheduling Enhancements
    One or more file-placement rules, snapshot rules, or other rules can use a schedule to run on a regular basis. Release 5.1.0 added more options to the schedule, such as options to run on the first or last Tuesday of the month, or to run on the 1st and 15th of every month.

Support for NTLMv2
The Release 5.1.0 software supports NTLMv2 authentication for its CIFS clients.

Kerberos Enhancements
Release 5.1.0 offered two enhancements for CIFS clients that authenticate with Kerberos:

  • Better Reliability in Lossy Networks
    The Kerberos software now uses TCP for its network communication instead of defaulting to UDP first.
  • Support for Forest-to-Forest Trusts with "Selective Authentication"
    In a Windows network, you can design a forest-to-forest trust with "Selective Authentication," where a specific list of Windows users in Forest A are allowed to access any services in Forest B. In previous releases of ARX software, Kerberos clients in Forest A could not use ARX services in Forest B. As of Release 5.1.0, you can configure the ARX software to use a special algorithm, auto-realm traversal, to fully support clients from the other side of a selective-authentication trust. From the CLI, you can use the Kerberos auto-realm-traversal command to use this algorithm.

Share-Import Priority
Release 5.1.0 introduced the import priority command to make a managed volume's file and directory mastership deterministic. A master directory is a directory in a managed volume that has duplicates on multiple back-end shares; one share has the master instance of the directory and the other shares have stripes with the same name, permissions, ACLs, and other attributes. A master file keeps its name, whereas matching files on other shares must change their names. You can use the new import priority command to set some shares to priority 1, so that they win mastership for all of their files and directories. This mastership is deterministic; higher-priority shares win mastership on every import and re-import.

Together with Seamless Import, which imports multiple shares while allowing full client access, this feature is a stepping stone toward a full DR solution. An import at Site A can now yield the same file/directory mastership as an import of the same data at DR Site B.


Release 5.1.0 added the following fixes to the ARX:

The CLI show exports command is intended to examine the shares on a filer or server before you define the server in the ARX database. However, the ARX requires a Service-Principal Name (SPN) to examine a Windows 2008 cluster, and the show exports command did not support an SPN option. Now it does.

An anti-virus (AV) scanner on a DC can potentially block the ARX Secure Agent (ASA) installation. Now a pop-up appears during the installation, prompting the installer to re-configure AV scans as needed.

An error in the power-supply numbering has been corrected in the ARX-4000 Hardware Installation Guide.

Previously, there were issues with how objects were handled by Active Directory. An optimization in the code path was made to improve the way internal communication is done between Secure Agent components.

Previously, the ARX Secure Agent, using fgdump, was stopping and restarting the anti-virus software. Now, the SA won't stop and restart anti-virus software during its scan phase.

A customer running ARX Secure Agent saw that temporary services were not removed and that the anti-virus software was not restarting. This was fixed by adding a hot fix to this release.

38854, 39204
Active Directory domain controllers would go into reboot cycle after installing Secure Agent 5.1.5 HF1.

39147, 39154
Disallow importing admin shares such as C$.

Customers requested that ARX Secure Agent not use windows temp directories. The new version of ARX Secure Agent now uses regular directories within the Secure Agent folder instead.

39032, 39125, 39138, 39247
Large file copies sometimes failed with "Error code 64: Network name is no longer specified."

38307, 38819
Timeouts pertaining to certain internal operations occasionally caused volumes to go offline, preventing the ARX from acquiring the free space of targets. This has been corrected.

Since upgrading, a customer got warning messages in the ASA log and Application section of the event log. We now include the secure agent kit that fixes the problem in the ARX software

Some clients were facing "user known" when authenticating via NTLM. The code now includes a fix to remedy this issue.

ARX-4000 units were erroneously raising traps indicating the nvram battery had failed. Implemented fix to raise the temperature threshold to appropriate level, thereby eliminating message.

37121, 37945, 38883
Previously, in the presence of authentication failures (typically due to mis-configuration), the NSM would crash while attempting to properly logoff in-progress CIFS sessions on a file server.

In a redundant pair where one ARX is upgraded to 5.1.0 and its peer is manufactured with 5.1.0, an administrator experienced a delay in logging in after a reboot. A login was not possible until the ARX reached global scope (that is, until it was possible to enter gbl mode in the CLI).

In an ARX with thousands of direct-mapped shares, with at least one CIFS export per share, the GUI operation to show their mappings consumed all system memory.

A problem that caused an outage during the import of shares has been fixed. Now, if a higher priority share fails to import its root directory, any lower priority shares will fail to import as well.

The ARX was mishandling incoming 'Query Path Info' requests that were fragmented over more than one TCP segment.This is a regression that was introduced in 5.1.0 and is now fixed.

The ARX Secure Agent was causing excessive logging. The code has been fixed to squelch excessive health checking.

A particular race condition during a managed-volume import could trigger an unnecessary auto-sync operation. The race condition occurred when one ARX client attempted to remove a file while another attempted to rename it. The auto-sync operation, designed to refresh a volume's metadata after import, had no effect.

The ARX policy engine never recognized that a previously-full target share now had free space. If a placement rule's target share filled to capacity, the rule never resumed after someone added free space.

When the Path and File fields where left blank in the GUI's File History Query page, the query failed without specifying the entry problem. Now the GUI prompts for the missing fields.

In the CLI and in the ARX Manager GUI, the collect operation failed whenever you attempted an NFS-copy to a multi-protocol volume. Now, you can use both NFS and CIFS to send a collect file to one of the ARX's multi-protocol volumes.

The copy nfs|cifs operation, which copies files to an ARX volume, is not supported from the backup ARX. Former releases did not include an explicit error message to explain this; an error message in the current release explains the issue clearly.

If a non-critical process failed to start properly, the ARX rebooted and created a core-memory file. Now a reboot (and failover) only occurs if a critical process fails to start.

The file-tracking daemon sometimes failed to start after an ARX reboot.

GUI did not sort cells correctly when they contained both alpha and numeric characters.

The no shadow operation did not properly remove the shadow-copy database from the volume's file servers.

The policy pause namespace volume operation, followed by a no policy pause, inappropriately caused a volume scan to start.

The output from show load-balancing sometimes displayed the incorrect slot/port number.

The output from show policy sometimes showed a volume as 'offline' when it was not.

The show ip route command on an ARX-4000 did not display "Mgmt" for the out-of-band management routes. It showed a VLAN instead.

This release resolves some Open-SSH vulnerabilities in previous ARX releases.

The ARX UI allowed a CIFS export with an illegal CIFS character, such as ":". It now blocks a name with any illegal CIFS character.

The ARX did not adequately support the removal of multiple shares from a single volume. Now it allows you to remove multiple shares from the same volume without any errors.

The CLI failed and created a core-memory file if an administrator entered the critical route command with an invalid subnet mask (such as "").

An internal metadata inconsistency caused a share removal to fail. (From the CLI, you can use remove-share migrate and similar commands to remove a share from a managed volume.) Managed-volume software can now successfully remove a share with these inconsistencies.

The online help was inaccurate for the windows-mgmt-auth CLI command, and it appeared next to the incorrect option.

If an administrator used an incorrect syntax for the copy command, the administrator's SSH connection hung.

The no wins command did not allow optional arguments for ease of use. Now it does.

When a managed-volume import failed due to a slow metadata share, there were no syslog messages indicating the cause of the failure. Now, syslog messages appear to describe the problem with the metadata share, and to associate the metadata-share issue with the failing import.

When a CIFS namespace had an NFS export and someone invoked the GUI's Virtual Services page, the GUI failed. The current release does not allow a CIFS-only namespace to offer any NFS exports.

The virtual server arx-name ? command should list the single valid VIP for the server, but it listed all the VIPs on the ARX. Now it only lists the correct VIP.

The show snmp-server command displayed no output unless there was at least one host to receive SNMP traps. (The snmp-server host command adds a host to receive traps.) Now the command displays the current SNMP configuration under any circumstances.

NFS write throughput to Data Domain dropped to zero.

Neither the ARX-4000 or the ARX-2000 were fully supported for SNMP walks.

The ARX was in a "too many open files" condition.

The ARX was persistently stuck due to metadata inconsistencies.

Reboot required after running config applied in order to get NTP to work. This issue has been fixed by by moving ntp server config to the end in running-config, so that ntpd starts polling the ntp server after running-config is done, without additional reboot or reset ntp server.

A CIFS client could not traverse an NFS symlink to a directory. Release 5.1.0 introduced CIFS-Symlink Support to address this issue.

The serial number was truncated in the GUI. This issue has been solved by adding the 2-digit manufacturer code before the serial number.

Adding SNMP server information with a port number created two entries. Now it does not create two entries.

Managed Volume went offline after an upgrade. This no longer happens.

A Data Domain filer behind a managed volume caused the volume to advertise "FAT32" as its file system. Now there is a CLI command that you can use to set the advertised file-system name.

The ARX boot-config file was lost after a software upgrade. This problem has been fixed.

Asymmetric network reboots, even when not joined back in the pair. This issue is now fixed.

A VIP Created in the GUI was offline, but was online when created in the CLI. Netbiosd has been fixed.

A shadow copy from a pre-5.0.0 site to a post-5.0.0 site caused a failover at the source site. The current release allows a shadow copy to cross between these releases without causing a reboot.

The GUI's Status page reported an incorrect value for available Files Allocated. This issue was fixed in the GUI by calculating the remaining files based on hardware type not configured VPUs.

The GUI displayed a working CIFS service as disabled. This issue has now been fixed.

The GUI and CLI warning When disabling a share, have GUI and CLI warning messages match. The GUI warning has been updated to reflect the warning.

MPNS namespaces had poor CIFS performance, due to using UDP. The default now is for Kerberos to request TCP.

Asymmetric read-only enabled by default on new share config. As of 5.0.1, we support NetApp environments where the cifs.ntfs_ignore_unix_security_ops option is set to "on."

Forest to Forest Trust did not work with selective authentication. Now there is a CLI command, kerberos auto-realm-traversal, that can configure the ARX to function with selective authentication.

Accessing GUI through IE took a very long time.This issue is fixed in this release and the pages no longer take a long time to load.

NTLM authentication server incorrectly shows offline if the IP address cannot be resolved by the ARX. This was fixed by adding 60 seconds before starting NTLM Secure-Agent monitoring during system startup.

Kerberos clients were unable to connect after an update to 4.0.1. This issue is fixed and the ARX no longer advertises NTLMSSP in Kerberos namespaces unless they also have NTLM[v2] or else have anon-access enabled

A customer experienced a failure to replicate a subshare. This issue is fixed and now the ARX deletes all subshare mapping records instead of generated only records.

Full tree walks were happening after database rebuild, which was caused by the lack of synchronization in the shadow receiver. This issue was fixed by enabling the path lock at the right time and on right paths.

An internal error caused the show chassis command to hang, and it caused the ARX to send fanFail traps.

LIP_LIB & L2SW_LVL7 messages kept appearing every 5 minutes. The problem is cause because the ARX asks for Slot 2 processor 2 on an ARX-500, which does not exist this problem has been fixed.

On an ARX-500, GSMD (an internal software process) occasionally cored during ARX startup.

Smtp server names did not allow digits as their first characters. The ARX now complies with RFC1123 section 2.1, which allow smtp servers to have a hostname that starts with a digit.

The managed-volume software failed and generated a core-memory file during import. This problem has been fixed.

The ARX MIB was not compliant with RFC 2578. Now, the ARX MIB is compliant.

The Remove Share report did not indicate shares that had an "access denied" problem. The software now indicates in the remove report whether the error came from the share being removed or he relocate-dirs share.

The ARX would sometimes experience an NSM crash when processing CIFS traffic from previously disconnected trees. The ARX now properly drops this traffic.

GUI: Added new status icons to the Exports page. These now include all of the following: Offline (red star), Degraded (yellow triangle), Online (green circle),Read Only (yellow triangle), Not Found (red star), Unavailable (red Star), and Snapshot (green circle).

If power is lost to the ARX during the firmware upgrade process, the ACM processor gets stuck in downloading while booting up. This was due to a software change and the software has been fixed.

A Windows 7 client could not see any ARX snapshots in the "Previous Versions" tab. This tab now displays snapshots for Windows 7 clients.

Version 5.0.7

This was a Maintenance Release for the 5.00.nnn series of software releases. It did not include any new features or enhancements beyond those of Release 5.0.5. It contained the following fixes:

The ARX now reports correctly when a directory imported for multiple protocols uses the same name with different case characters.

346648, 346301
A bug in the NFSv3 TCP proxy code caused a buffer overflow, which resulted in memory corruption and crashes when a 64K WRITE was forwarded to the control plane by the NSM. This forwarding happens only when a client sends a WRITE request with a stale file handle as all other WRITEs are handled completely in the NSM. This has been fixed.

Version 5.0.6

This was a Maintenance Release for the 5.00.nnn series of software releases. It did not include any new features or enhancements beyond those of Release 5.0.5. It contained the following fixes:

An NFS service occasionally created a very large database file, and that file caused reboots to take a very long time. The file grew at a fast rate for NFS clients that mounted, unmounted, and remounted the NFS service at a high frequency. Now, the database file grows at a slower rate for constant NFS mount and unmount operations.

Policy rules were stuck in a "Migrating" state after all selected files moved.

A customer noted six cores. This was fixed by adjusting the loop count to 10000.

The CLI daemon now correctly reports that no transactions are left after completing CLI commands.

The file tracking archive behavior was holding database transactions open for too long. We now we use a separate transaction for each rule. This limits the time a transaction is open to one set of archive operations.

38544, 38346, 38587, 38588
An NSM crash could happen in cases where there are connectivity/networking issues with a domain controller. While waiting for an authorization response from the control plane, the back-end file server could tear down the TCP connection, causing memory corruption when the domain controller finally responds. The NSM now detects and corrects this situation to properly return an error to the client.

Fix to address SSB read failures and falsely indicating fan failures.

38493, 38615
A problem in which the deletion of a snapshot rule for which there were snapshots present prevented the browsing of other snapshots has been fixed.

An NFS volume sometimes encountered an error, NSM_PRESTO_PKT_MUTEX_ERROR, when a file-history-archive rule took snapshots on back-end filers. This stopped all NFS access to the volume, and required a restart of its front-end NFS service(s).

The snapshot-create reports from a file-history-archive rule contained incorrect file-server information for the metadata share. The incorrect information was the filer name and NFS-export name.

When shares in a presentation volume have multiple attach points to managed volumes, the 'show host... path' used to display wrong path information. The fix was to use additional qualifier for the attach name when querying the OMDB for path information.

A customer with an unusual VLAN configuration experienced asymmetric routing issues. This was fixed with a patch.

The ARX didn't do symmetric routing w.r.t. VIP when NFS clients were on locally attached VLANs. The code change was to give precedence to the per-vlan default route if available.

Setting the nfs-param rsize or wsize failed for direct (presentation) volumes.

Erroneous error message (SSRM-0-ERR-SSRM_TOO_MANY_VSRECS) has been removed. This only manifested if multiple volumes used the same metadata share.

Added CLI command to optionally change the LACP timeout from "short" to "long".

38041, 37765, 38209, 38864
Using the CLI to copy files within a CIFS namespace sometimes caused an internal database failure.

The ARX now has increased capacity for NFS ACLs from 512 to 1024.

If the Active-Directory (AD) forests were configured manually on the ARX, it was possible to create a CIFS-access problem. The problem was that CIFS clients from trusted domains could not connect to front-end CIFS shares on the ARX.

There was inconsistent output between the global-config and namespace.

38714, 38511, 37020, 336329
The CLI daemon no longer crashes\cores when running "show reports".

A Linux client with cifsvfs could not copy one file over another. The error was "Permission denied."

If a CIFS-client application sends a packet with a pass-through Information Level, the ARX (which does not support pass-through levels) should reject it with a STATUS_INVALID_PARAMETER response. Before this fix, it was incorrectly responding with STATUS_SUCCESS. This created unpredictable results for the client application.

When DCs in the local Active Directory gave repetitively slow responses to Kerberos/UDP queries, the ARX's network processors sometimes ran out of UDP ports.

When changes are made in a directory, the wrong number of files is returned when doing a directory listing.

System wouldn't boot with long host name. Host names now limited to 32 characters.

The capture session operation unnecessarily duplicates internal TCP-ACK packets, and continues to duplicate them after you stop the capture session. (This duplication does not occur for an ARX-500 chassis, or for any capture session that captures packets to/from all proxy-IP addresses.) Now the no capture session operation stops the internal packet duplication.

Large numbers of TCP duplicate packets were being generated and were visible in network traces. This has been corrected.

39599, 338787, 339803
Watchdog timeouts caused two NSM cores. The code was fixed by changing the timer from 32bit to 64bits.

A snapshot remove operation for a particular back-end share would always time out after 50 seconds. This was insufficient for some back-end servers. After your ARX gets the fix for this issue, F5 Support can set a higher timeout for snapshot-related commands if required for your site.

37387, 38238
When a shadow-copy operation copied a file over 4 Gigabytes, it occasionally failed and produced a large core-memory file. This issue was related to issue 35679.

Users were unable to view the contents of the snapshots from the previous version tab. When they clicked on the snapshot, it produced an error.

37522, 38337
A customer experienced an XSDD core.

A crash resulting from race condition during file attributes update no longer occurs.

There was a bug in the ARX-500 Macau FPGA upgrade handling.

A fix to ensure a user can browse into a newly created snapshot entry.

38536, 38574
Enhancement to provide CLI option to change the Minimum Retransmit Timeout (RTO Min) in effort to better manager packet retransmissions.

Version 5.0.5

Release 5.0.5 included the following features and fixes:


Release 5.0.5 is functionally equivalent to Release 5.0.1.

ARX Release 5.0.5 is a maintenance update that provides support for new ARX-4000 hardware; specifically a new control plane with new power supplies.

You can identify whether or not you have the new hardware by a physical examination. The original version of the ARX-4000 used a control plane containing six 3 1/2 inch disk drives. (The serial numbers of these commodity servers start with BZDS.) The new ARX-4000 uses a control plane that contains two 2 1/2 inch disk drives. (The serial numbers of the new chassis start with 0700.)

If your installation has upgraded existing ARX-4000 systems instead of upgrading to the new platform, the ARX-4000 documentation for 5.0.5 contains some information that does not apply to your model. For former versions of the ARX-4000 chassis, consult:

  • Rev E of the ARX-4000 Hardware Installation Guide
  • Rev C of the ARX-4000 Installation Card

These are included in your 5.0.5 release; you can retrieve these earlier versions from the GUI or download them from the CLI.


There was a DNAS core and continuous reboots of cluster.

Release 5.0.5 added the following fixes to the ARX:

Snapshots fail with a managed volume with a share farm with two shares. Timeouts for the snapshots have been increased and this fixes the problem.

If you issue a Snapshot Remove command, then all of the contents of the virtual snapshot you are removing will be removed regardless of the current snapshot contents settings.

Spurious battery temperature values were being reported.

There was an error in CPU speed calculation logic. Now the CPU speed is correctly reported.

Previously, deleting a report would only unlink the report name from the file system. The disk space for the report file would only be freed when all references to that report were removed (unlinked). Other references to a report could include being opened for copying or collection, and so on.

Now, when a report is deleted, it is first truncated meaning that the report is terminated. There can be no remaining references to the report. After that, when the report file is removed, not only will its name be removed from the file system but its disk space will be freed immediately. Therefore, there can now be no discrepancy between the amount of disk space that is reported for /acopia/reports before and after the switch is reloaded.

The ARX Manager can take a null pointer exception while editing an Export due to Back button use. Do not use the Back button in releases prior to 5.0.5. You can use the back button in 5.0.5 and higher.

The no ip address command for the NTLM authentication server was not fully implemented. This operation is now allowed as long as the NTLM authentication server is not in use by a namespace.

Previously, the maximum snmp-server entry limit was being checked prior to adding and deleting an entry. If the maximum snmp-server entry limit had already been reached, the operation failed. The fix was to only check the limit when adding a new entry.

ARX-4000+ Control plane power supply LEDs do not change to amber (or otherwise indicate failure).

It is difficult to detect a power supply fan failure on the new ARX-4000 control plane. The control plane power supply LEDs do not change color or indicate failure in any way that you can detect visually. However, if you think a fan failure has occurred, you can inspect each power supply fan to determine if the fan is dead and to detect air movement (or the lack of air movement).

If you have access to the CLI, enter the show chassis chassinfo command which shows the status of all 4 power supplies. It is best not to rely on the LEDs because the LED states are different for each power supply manufacturer.

Prior to release 5.0.5 the ARX-4000 power supply numbering was inconsistent between the data plane and control plane.

Prior to 5.0.5, when facing the back of the ARX-4000, the control plane power supplies were designated 1/1 (top) and 1/2 (bottom). The data plane power supplies were designated left-to-right as 2/2 and 2/1, respectively.

Starting with 5.0.5, the ARX-4000 includes a new control plane (with new power supplies) and a re-numbering of the data plane power supplies. When facing the back of the box, the control plane power supplies are designated left-to-right as 1/1 and 1/2, respectively. The data plane power supplies are designated left-to-right as 2/1 and 2/2, respectively.

When upgrading an existing ARX-4000 to 5.0.5, take note of these changes. If you experience a data plane power supply failure and consult the output of the show chassis chassinfo, it reflects the new designations. For example, the following output indicates a failure of the left-hand data plane power supply.

bstnA# show chassis chassinfo

Hostname UUID
------------------------------------ --------------------------------------
bstnA d9bdece8-9866-11d8-91e3-f48e42637d58

Chassis Type Model Number HW Ver. Serial
------------ ------------------------------------ ------- -------------
ARX-4000 SR2500ALLX-F5 0700000006

Chassis Environment:
Base MAC Address Power Fan(setting) Temperature
----------------- -------------- ------------- -------------
00:0a:49:17:78:00 Online Online Normal(<62 C)

Power Details:
Supply State
------ -----
1/1 Online
1/2 Online
2/1 Failed
2/2 Online

An ARX cored during the import of share, due to an uninitialized structure. Import now correctly initializes this structure and this problem has been fixed.

Version 5.0.1

Release 5.0.1 included the following features and fixes, also included in this release.


Release 5.0.1 is functionally equivalent to Release 5.0.0.


Release 5.0.1 adds the following fixes to the ARX:

The CIFS security-id/name translation daemon was incorrectly handling cached information on untranslatable security-ids, causing assertion failures.

Kerberos was causing failure errors in DC logs.

After an upgrade from 3.2.2 to 5.0.1 some MAC OSX users were not being able to login or they experienced degradation in network response.

Older snapshots were not being deleted by an ARX volume. Now older snapshots are being deleted correctly.

Mac users were getting significant performance hits through the ARX. This issue has now been fixed.

If a managed volume already imported a share from an NTFS qtree, it was unable to import another share from an NTFS qtree with the "ntfs_ignore_unix_security_ops" option. The new share stayed indefinitely in the "Pending Import" state. This only occurred if the first share was imported before an upgrade and the remaining shares were imported after an upgrade.

When CIFS clients unexpectedly cancelled their connections in the middle of a "find" operation (such as Transaction2FindFirst), NSM software allocated memory without freeing it. If this happened often enough, the ARX sent nsmResourceThreshold traps for the "cifsSidBitmap" resource. Eventually, some CIFS clients were unable to connect. The problem is resolved in this Release.

A client could send a non-Latin 1 character sequence file name to a Latin 1 namespace during an import. We now restrict and deny non-Latin 1 sequence files during an import to a Latin 1 namespace.

A direct (or presentation) volume could not attach to an NFSv3/UDP export unless the export also supported NFSv2. Direct volumes can now attach to NFSv3/UDP exports whether or not the exports also support NFSv2.

An integer overflow prevented the shadow volume copy from copying files over 4G. In addition, there was the large memory consumption by shadow receiver. A fix was put in place to prevent integer overflow when the file size is over 4G. A throttle was implemented to prevent the potential large memory consumption by the shadow receiver.

The NSM was generating a core when the NSM failed to handle an error reply from a file server for a transaction of snapshot. The issue occurred when multiple transactions were done at the same time while the ARX was waiting for response from the file server, the ARX deleted the cache information incorrectly, then caused an NSM core.

Mac OS X clients using SMB file sharing components that are part of the OS were unable to mount shares hosted on the ARX. This was caused by a crash of the NetAuthAgent component on Mac OS X. ARX software in this release works around this problem.

Administrators were unable to change the quorum disk location when the quorum disk was offline. Administrators now can change the location of the quorum disk when it is offline.

Previously, shadow volumes encountered sharing violations in .acopia_shadow and then cored. This has been fixed.

The ARX erroneously allowed you to assign the same secondary-IP address to multiple external-filer configurations. Now the CLI and GUI prevent this mis-configuration.

[ Top ]

Required Configuration Changes

Release 6.2.0 introduced support for large-file migrations that are not vulnerable to interruptions from snapshots and network issues (recall Large File Migration, above). After you upgraded to 6.2.x or 6.3.x, the new behavior (staged migrations) became the default for all managed volumes. Release 6.4.0 changes the default back to the pre-6.2.0 behavior, direct migrations. If you want any of your managed volumes to use staged migrations, you must use the gbl-ns-vol policy migrate-method staged CLI command (or its GUI equivalent) to explicitly reset the migration method. Run this in every volume that should use staged migrations.

This applies to running global-config scripts as well as upgrades; if you run a global-config script from a 6.2.x or 6.3.x system where policy migrate-method staged is the correct setting for a given volume, you must explicitly set the volume that way after the script has finished running.

For Upgrades from Older Releases

If you are upgrading from an earlier release, you may require additional configuration changes based on the features you use. The subsections below explain the configuration changes required for various upgrade paths.

For Upgrades from Release 6.2.0 or 6.3.0

As mentioned above, Release 6.2.0 introduced support for large-file migrations that are not vulnerable to interruptions from snapshots and network issues. (recall Large File Migration, above). After you upgraded to 6.2.x or 6.3.x, the new behavior (staged migrations) became the default for all managed volumes. Release 6.4.0 changes the default back to the pre-6.2.0 behavior, direct migrations. If you want any of your managed volumes to use staged migrations, you must use the gbl-ns-vol policy migrate-method staged CLI command (or its GUI equivalent) to explicitly reset the migration method. Run this in every volume that should use staged migrations.

This applies to running global-config scripts as well as upgrades; if you run a global-config script from a 6.2.x or 6.3.x system where policy migrate-method staged is the correct setting for a given volume, you must explicitly set the volume that way after the script has finished running.

For Upgrades from Before 6.0.0


Starting with Release 5.3.0, the ARX supported licensing of its software on the new ARX-VE. Release 6.0.0+ supports licensing on all ARX platforms.

Before you can use or configure storage services on the ARX, you must activate a valid license. If the ARX has a network connection to the F5 license server at, you can automatically activate the license with the license activate command or its GUI equivalent Otherwise, you can use a manual activation process. Automatic and manual activation are described in the following documents:

  • ARX Manager Storage Guide (Online Help)
  • CLI Network Guide
  • CLI Reference

SAM-Reference Requirements

Release 6.0.0 introduced an option to place multiple namespaces behind a single VIP; for CIFS namespaces, this places new constraints on the sam-reference file server. When CIFS clients ask for available groups to assign to a given file or directory, they invoke a query to the sam-reference file server. If the VIP hosts a single namespace, the sam-reference file server requires all local groups defined in its that namespace. If the VIP hosts multiple namespaces, the sam-reference server must define all local groups from all file servers behind all of those namespaces.

The "character-encoding cifs" CLI Command

The CLI command, character-encoding cifs no longer exists as of Release 6.0.0. It has been superseded by the wins-name-encoding command in gbl-cifs mode. The former command was in gbl-ns mode. If you run an older global-config script with the gbl-ns command, the command does not function.

For Upgrades from Before 5.2.0

Release 5.2.0 introduced constrained delegation for its CIFS services, and we strongly recommend implementing it for your existing CIFS services. A member of the "Domain Admins" group can implement this at a domain controller (DC). Constrained delegation is a more secure method for running your CIFS services than the unconstrained delegation that was previously available on the ARX. Additionally, clients can use NTLM or NTLMv2 to authenticate to a CIFS service without the aid of an ARX Secure Agent. This is not a required change, but it is strongly recommended.

Rejoining a CIFS Service to its Domain

A CIFS service with a long name may need to rejoin its domain after the change to constrained delegation. If the CIFS service has a name longer than 15 bytes, DCs will reject NTLM or NTLMv2 authentications from the service's clients. (The service name is the first part of the service's FQDN; for example, "myco" would be the name of the service at "") The CIFS-service software raises an SNMP trap if it detects this condition. See the SNMP Reference for details on SNMP traps.

To correct this condition, use the domain-join CLI command or its GUI equivalent. This operation truncates the CIFS-service name and creates a new machine account at the DCs with the shorter name. The CLI or GUI displays the shorter name after you invoke the domain-join operation.

Verify that All Proxy Users Use an FQDN Domain

Any namespace that supports CIFS access has a proxy user that it uses as its identity. The proxy-user configuration is a username, password, and Windows domain that is valid in your Windows network. The proxy user's Domain should always be an FQDN (such as "") instead of a short name (such as "mysrvr"). This ensures that the ARX can authenticate with Kerberos, which can be vitally important in some situations. This is required to support Constrained Delegation.

  1. Use show namespace namespace-name to find the name of the "proxy-user" for a given namespace.
  2. Use show proxy-user proxy-user-name to see the configured Windows Domain for the proxy user.
  3. If the Windows Domain is a short name, you can use the windows-domain command in gbl-proxy-user mode to change it to an FQDN. (Use the pre-win2k-name argument if you need to specify both the FQDN and a short name that is completely different from the FQDN.)
  4. If the DNS domain name is different than the Active Directory domain name (disjoint domain), the Active Directory FQDN should be used for the global server name. If the DNS FQDN is configured in this type of environment, Kerberos authentication will not work, and enumerating Active Directory groups though the ARX VIP may not be possible.
Rediscovering the AD Forest

The ARX database now keeps the pre-Windows-2000 names for every domain in its active-directory (AD) forest. If your AD forest has a domain with a pre-Windows-2000 name that is not the first component of the full domain name, you must re-discover the AD forest. For example, if a domain in the forest is named "" but its pre-Windows-2000 name is "COMPANY" instead of "myco," the ARX software needs to know that some CIFS clients may use "COMPANY" as their domain name. Otherwise, those clients cannot authenticate. You can use the active-directory update CLI command or its GUI equivalent to re-discover the AD forest, including all pre-Windows-2000 domain names.

For Upgrades from Before 5.0.6

This section only applies to installations that upgrade from Release 5.0.6 or earlier. After the upgrade beyond Release 5.1.0, you require the following configuration changes to support all of the release's new features.

Upgrading the Secure Agent for NTLMv2 Support

The ARX cannot support NTLMv2 until all of its ARX Secure Agents (ASAs) are upgraded beyond 5.1.0, too. After you upgrade the ARX to this release, you must also upgrade at least one ASA. We recommend upgrading all of them. There are two versions of the ASA kit: a 32-bit version and a 64-bit version. Refer to the ARX Secure Agent Installation Guide for detailed ASA-download and upgrade instructions.

NOTE: The ASA formerly used pwdump to access a database on the DC; the 5.1.0 release of the ASA software uses other means instead. Please update any anti-virus (AV) application running on your DCs before you use the new ASA version. Refer to Solution Note 10026 for detailed instructions.

CIFS Symlinks: New Scan for Existing Volumes

If your system contained any multi-protocol (CIFS and NFS) volumes before the upgrade to this release, the volumes require a configuration change to take advantage of a software feature. The feature is symlink support for CIFS clients, described above. To activate CIFS symlinks for a multi-protocol volume, use the no cifs deny-symlinks CLI command. You can run this command from gbl-ns-vol mode for the multi-protocol volume. Once you allow CIFS symlinks, the volume must scan its back-end servers for NFS symlinks and record them in its metadata. A CLI prompt allows you to run the scan as a background process; enter yes to proceed with the scan.

For example, this command sequence adds CIFS symlinks support to the "insur~/claims" volume. The prompt indicates that a back-end scan is required, and offers the opportunity to run it in the background:

bstnA(gbl)# namespace insur volume /claims
bstnA(gbl-ns-vol[insur~/claims])# no cifs deny-symlinks

This volume's configuration has been upgraded from a prior software release.
If symlinks exist in the volume, the volume's metadata must be synchronized
before CIFS clients can take advantage of this feature. You can synchronize
the metadata at any time. User access is not affected by this process but it
may run for hours or days if the volume contains hundreds of millions of files.

Synchronize the metadata for the '/claims' volume now? [yes/no] yes
bstnA(gbl-ns-vol[insur~/claims])# ...

To perform the scan (and fully-activate CIFS symlinks) later, you can run the sync files namespace-name volume vol-name command on the volume's namespace. You can run this at any time.

The ARX Manager UI also provides an interface for running the no cifs deny-symlinks and/or the sync files operations.

This operation is not necessary for any multi-protocol volume created after the upgrade to 5.1.0. By default, new volumes allow CIFS clients to use symlinks, and the symlink scan is performed during the initial import of the volume's back-end shares.

Windows 2003 Clusters

If you previously used a Windows 2003 cluster behind a managed volume, you require one of two configurations to continue using the cluster. The first is recommended as a best practice, and the second is for sites where the cluster does not have a shared Service-Principal Name (SPN):

  1. Add the cluster's shared SPN to its configuration on the ARX. From the CLI, you can use the gbl-ext-filer spn command to set this. For example, spn This must be a virtual SPN, one that persists after a cluster failover.
    This implies that the cluster's virtual-CIFS service must join the local AD domain. For sites where this is not possible, use the option below.
  2. Do not configure any SPN for the Windows 2003 cluster. This is contrary to the user documentation, which states that an SPN is recommended for any Windows cluster or Kerberos-supporting server.
    From the CLI, you can use the gbl-ext-filer no spn command to remove the SPN configuration.

In either case, you can use the show external-filer command to map the Windows 2003 cluster's VIP to an "external filer" name on the ARX. Then use external-filer filer-name to enter the CLI mode for that filer, and then the spn or no spn command as needed.

For example, the following command sequence finds the external-filer name for a Windows 2003 cluster and sets its SPN:

gffstnA# show external-filer
Name IP Address Description
ch-wd-win1 Windows Server 1, back room
ch-wd-win2 Windows Server 2, cluster next to Win1
ch-wd-nas NAS filer in computer lab
gffstnA# global
gffstnA(gbl)# external-filer ch-wd-win2
gffstnA(gbl-filer[ch-wd-win2])# spn fs2k8c95@GGH.MEDARCH.ORG
gffstnA(gbl-filer[ch-wd-win2])# ...

For Upgrades from Before 5.0.1

This section only applies to installations that upgrade from Release 5.0.0 or earlier.

Once you have installed the software, you must make the following required configuration change(s).

Unicode Upgrade

This section is for administrators who need to upgrade from releases prior to 5.0.0. The 5.0.0 Release includes a new Unicode library that may have an effect on client files and/or directories. The new version of Unicode adds 168 lower-case versions of characters that were uppercase-only in the previous version. The characters derive from the following languages:

  • Native-American languages from modern-day Canada, including SENĆOŦEN.
  • Greek symbols for editorial markings.
  • Cyrillic letters that may not be current.
  • Georgian letters from an ancient ecclesiastical alphabet.
  • Glagolitic letters; Glagolitic is a historical Slavic alphabet.
  • Coptic letters, used by the original Christians in Egypt.

After the upgrade to Release 5.0.0, clients cannot open any files or directories with any of these rare characters in their names. This problem should be very rare. The symptoms are different for files than they are for directories, as explained below. If you see these symptoms on any of your files or directories, escalate the problem to F5 Support.


If a Windows client attempts to open a file with one of these characters in its name, an error similar to this appears in Windows Explorer:

Cannot find the \\VIP\unicode/dir1/file%c8%ba.txt

You can resolve this by synchronizing the volume's metadata with the filenames on the filer. From the GUI, go to the Managed Volume Details screen for the volume and click the Sync... button. From the CLI, you can use the sync files command on the ARX volume. This resolves all such file-naming issues in the volume.


Windows Explorer returns the following error if it attempts to open a directory with one of these characters in its name:

Refers to location that is unavailable

You must rebuild the managed volume if it contains such a directory. From the GUI, go to the Managed Volume Details screen for the volume and click the Rebuild... button. From the CLI, use the nsck ... rebuild command.

[ Top ]

Known Issues

The following items are known issues in the current release.


Getting rampart errors in api_error.log. (339710)
A large number of API calls in a short period of time may cause rampart errors to be written to the log.

This issue was identified during pre-release stress testing.

First found in Software Release 5.2.0.

The ARX API does not accept digest authentication in its SOAP requests. (340615)
The ARX API only accepts basic authentication in its SOAP requests.

Workaround: To ensure that passwords are sent in encrypted form, use HTTPS (instead of HTTP) to connect to the ARX API.

First found in Software Release 5.2.0.

Authentication statistics are not updated when the API caller is authenticated by Active Directory. (341266)
Authentication statistics are not updated when the API caller is authenticated by Active Directory.

First found in Software Release 5.2.0.

Authentication and Security

The uninstall of the ARX Secure Agent may fail to reboot the DC. (35754)
The uninstall of the Secure Agent must reboot the host machine (typically a DC) to finish. The uninstall process has failed to reboot the host DC on some occasions, but the failure is rare.

First found in Software Release 5.1.0.

Recovery: Manually reboot the DC if the uninstall process fails to reboot it automatically.

Chassis Management

On a few occasions we've found that it is necessary to shutdown/startup a newly built ESX-based vARX For Networking To work properly. (366744)
First found in Software Release 6.1.0.

LEDs remain on/lit continuously after chassis power switch has been toggled to the off position. (372477)
The Status and Alarm LEDs on the ARX 2500 remain lit continuously even after the unit's power switch has been set to the Off position.

The LEDs remain lit as long as the power cord is plugged in. If the power cord is unplugged after the power switch has been turned off, the LEDs will turn off, and the LEDs will remain off if the power cord is plugged back in subsequently. When the unit is turned on again, the LEDs will update normally, in the expected sequence.

This functionality is controlled by non-F5 component vendor firmware.

First found in Software Release 6.1.1.

LED Status and Trap can take up to ~5 minutes to occur after power supply status change - consider configurable polling interval. (372495)
It can take up to five minutes for a power supply interruption to be indicated by the ARX's Alarm and Status LEDs, or by SNMP trap.

First found in Software Release 6.1.1.

"downgrade available" still showing after firmware downgrade on an ARX-500. (387943)

First found in Software Release 5.2.2.

CIFS Proxy/Virtualization

Windows "reparse points" are not supported by the ARX. (359438)

First found in Software Release 5.3.1.

MMC management for sessions unusable with unresolvable IP Addresses. (26343)
If a client uses MMC to display active ARX sessions, and the local name service (such as DNS) cannot resolve the IP addresses of ARX clients, the MMC interface becomes sluggish.

First found in Software Release 2.5.1.

Workaround: Add all ARX clients to the local name service.

False detection of metadata skew in multiprotocol namespaces with SMB2. Metadata skew is reported, but the synchronization job fails to find any skew to repair. (423565)

This issue occurs only when SMB2 is used in a multiprotocol namespace and with directories containing NFS symbolic links.

The issue results in many false reports of skews, both in syslog and in autosync reports. The targets of the symbolic links are not visible to SMB2 users.

First found in Software Release 6.4.0.

Workaround: None.

CLI Infrastructure

Leading 2 digits missing from NSM serial # 'show chassis' output. (387525)

First found in Software Release 5.1.9.

config replay fails due to DB schema changes. (27866)
Some upgrades result in database-schema changes. If this upgrade includes a database change, do not use previously-saved configuration scripts because these scripts will not implement the changes properly. Use the 'copy global-config' command to copy (and save) the switch's new global configuration.

See the section, Installing the Software, to determine whether or not this release contains a database change.

First found in Software Release 3.0.0.

Workaround: After upgrading to the new release, use the 'copy global- config' command to copy (and save) the switch's global configuration to a local file, a remote server, or an E-mail recipient.

Under very rare circumstances, the ARX may block administrative logins after a reboot. (32537)
An ARX in the F5-Development laboratory did not allow administrative logins after a reboot. Logins to the serial-Console port always timed out after entering the administrative password, and logins to the Out-of-Band Management port (typically labeled "MGMT") were rejected with this error message:

ssh_exchange_identification: Connection closed by remote host

F5 Development has been unable to reproduce this problem, despite hundreds of reboots. We note it here until the problem is proven to be unreproducible at any customer site.

First found in Software Release 4.1.0.

Recovery: Power cycle the ARX.

The copy namespace command does not work on direct (presentation) mapped volumes. (34692)
The copy namespace operation cannot copy a file to a CIFS file server behind a direct (presentation) volume.

First found in Software Release 5.0.0.

Inconsistent check for zero-length files with "collect logs". (372220)
The check for zero-length files is not applied consistently when the "collect logs" command is executed. The results will vary depending on whether a date range is used with the command or not.

First found in Software Release 6.1.0.

Using the show file-history command with the path argument and no other options displays only those paths that contain files. (384976)

The command will not show directories that are empty or that contain only other directories.

First found in Software Release 6.1.1.

Common Driver Code

When upgrading an ARX 1500 or ARX 2500 to a new software release, volume software may slow down and a metalog latency trap may be raised. (365401)
The trap should clear within minutes of completing the rolling upgrade. If possible, perform a software upgrade only during low-traffic hours. This applies to a stand-alone ARX, an active ARX (in a redundant pair), and a standby ARX.

First found in Software Release 6.1.0.


The collect logs command does not overwrite data to an existing file correctly when placing the output on a remote host via FTP. (372138)
Instead, garbage data is appended to the original data in the existing file.

First found in Software Release 6.1.0.

Disaster Recovery

Load Cfg - conflict resolution doesn't allow remote cluster specific entries. (340060)
Once a configuration is up and running on a switch, loading a config file that has cluster-specific commands for the remote cluster will be ignored due to the conflict resolution rules.

This has a significant effect on failover/failback behavior between ARX clusters.

First found in Software Release 5.2.0.

dr load will fail if archive is not available. (410493)

First found in Software Release 6.2.0.HFRU-4.


UTF-8 Chinese characters are truncated in namespace name. (30941)
If a user enters Chinese characters that exceed the GUI's limit for any input field, the GUI will not issue an error message but instead simply truncates the input.

The GUI input fields limit input based on characters and not bytes. When entering multi-byte characters, the input may be truncated if the total number of bytes representing the characters exceed the internal byte limit.

First found in Software Release 3.2.0.

The GUI process uses 100% of CPU 1.1 on an ARX with thousands of reports. (31068)

First found in Software Release 2.7.1.

SSH Applet for CLI freezes when pressing <TAB> key. (340230)
This phenomenon occurs as a result of the interaction between a third-party applet and the web browser in use.

First found in Software Release 5.2.0.

Make ARX GUI compatible with IE 9. (374020)
IE 9 is not supported in native mode, and must be run using Compatibility View.

When using ARX Manager with IE9 Compatibility View enabled, the Active License Information on the Licenses page appears far to the right-hand side of the page.

First found in Software Release 6.0.0.

High Availability

Certain ARX platforms may experience multiple failovers under the following circumstances: (375102)

  • the platform is an ARX-1000, ARX-2000, ARX-4000, or ARX-6000,
  • a client and/or server subnet is carried on VLAN 1, and
  • channels are in use.

This issue is still under close investigation, as a large number of installations meet the above criteria without experiencing this issue. The issue has only occurred at a single site at press time.

First found in Software Release 6.1.0.

Workaround: Move all of your client and server subnets to a VLAN other than VLAN 1. Contact F5 Support if you need assistance with this procedure.

Kernel Mode

A RAID rebuild never completes for a drive if you remove it and replace it during the rebuild operation (354351)
If you remove an ARX-1500 or ARX-2500 hard disk during a raid rebuild operation, the rebuild may never complete after you replace the disk.

First found in Software Release 6.0.0.

Workaround: Allow a raid rebuild operation to complete before removing the disk that you are rebuilding.

L2 Software

NSB ARX in-band interface link down if configuration hardwired for 100 Mb/s. (385320)
The ARX-1500 and ARX-2500 do not support configuration of 100 Mb/s speed on an in- band management interface.

First found in Software Release 6.4.0.

Interface remains Down after change speed from 100Mb/s to 1Gb/s (ARX-500+). (386208)
On an ARX-500+, an interface will remain down after changing the speed from 100Mb/s to 1Gb/s.

Workaround: Execute shutdown and no shutdown on the interface to bring it back up.

First found in Software Release 6.2.0.


Email Home, DNS, and NTP do not work with OOB management. (24595)
The ARX cannot send email messages through the out-of-band (OOB) management interface. NTP, DNS, RADIUS, and snapshot-management services (SSH and RSH) are also unsupported through the OOB interface.

All email notifications from the ARX go out through an in-band (VLAN) management interface, configured with the interface vlan CLI command. At least one in-band-management interface must have a route to the email server for email notifications to function. The same applies to NTP, DNS, and RADIUS services, as well as SSH and RSH for managing filer snapshots.

First found in Software Release 2.4.1.

Workaround: Use the cfg-mode ip route command (without the mgmt flag) to add a static IP route to the email server(s), NTP server(s), DNS server(s), and/or RADIUS servers. All filers and file servers must have a route to be useable by the ARX at all, so this is less likely to be an issue for SSH and RSH.

Linux Infrastructure

The ARX-VE does not support the use of virtual machine snapshots. (344833)

First found in Software Release 5.3.0.

Namespace Software

Solaris 8 clients cannot access data after upgrade from 6.1.1 to 6.3.0. (416147)

First found in Software Release 6.3.0.

Workaround: Use submount configuration where the clients mount vip:/export/directory.

NSCK reports do not identify "marked" multi-protocol directories where you should run a sync files operation. (23891)

Some multi-protocol (NFS and CIFS) directories are "marked" for special processing. These directories contain files and/or subdirectories one of these naming issues:

  • the name resembles a Filer-Generated Name (FGN, such as "myfile~1.txt"), or
  • the name produces an FGN on its back-end filers (such as "my:file.txt," or "MYFILE" in the same directory as "myfile").

If a directory is marked with one of these naming issues, the volume performs extra processing whenever a client tries to introduce an entry with the other naming issue. Depending on the outcome of the processing, the new client entry could become NFS-only (inaccessible to CIFS clients). Refer to the CLI Maintenance Guide for details.

Clients can resolve these issues by accessing the volume through its VIP and renaming the directory's entries. However, the directory mark persists after all of its child entries have been correctly renamed; you use the sync files CLI command to remove the mark.

The issue is that there are no reports that identify a directory as "marked" after its entries have been correctly renamed.

First found in Software Release 2.5.0.

Workaround: Use 'sync files' to clear the directory mark immediately after renaming its entries.

Spurious metadata inconsistency in CIFS presentation volumes. (354538)
If you run a metadata-inconsistency report on a CIFS-only presentation (or direct) volume, all of the attach points appear as inconsistencies in the report. (You can invoke the metadata-inconsistency report with the nsck ... report inconsistencies CLI command or its GUI equivalent.).

First found in Software Release 6.0.0.

Share removal operations may fail if the share path is greater than 4,096 characters in length. (364533)

First found in Software Release 5.1.7.

An NFS service may become suspended if an nsck rebuild of a volume does not complete. (367641)
The volume that does not complete the rebuild is not exported.

First found in Software Release 5.2.0.

The published direct share limit of 8192 is unsupportable with current ARX software architecture. (375265)
The ARX license limits for direct shares are too high; configuring an ARX up to the system limit (i.e. direct_shares_per_system) is usually possible, but leaves the ARX in an unusable state, with commands such as 'show namespace' taking a long time to execute. F5 has decided against lowering these license limits for now. it is recommended to limit the number of direct shares per system to around 1024.

First found in Software Release 6.2.0.

Need to work around MD inconsistency on storage remove. (377220)
A remove-share operation can fail if a directory is missing on the share you are trying to remove, and therefore cannot be promoted to the remaining shares. This error should not prevent the successful completion of the share removal.

First found in Software Release 6.2.0.


Customer outages caused by adding new IP interfaces to NetApp, Isilon, and Dell-FFS. (341951)
The NetApp filer responds to portmap requests from the ARX with an IP address that is different than that sent by the ARX. The ARX declines the portmap response and the corresponding NFS service goes offline.

Workaround: Add secondary IP addresses to the external filer definition.

First found in Software Release 5.1.7.

NSM Software

Fastpath latency number is very large. (419966)

Incorrect average latency will be observed from fastpath statistics. SMBv2 only. Affected CLI commands include:

  • show statistics namespace X fastpath
  • show statistics namespace X volume Y fastpath

where X and Y denote the namespace and volume being queried.

First found in Software Release 6.4.0.

Solaris clients hang when issuing an ls on any share within a PNS direct attached volume.
Some Solaris clients can specify size limitations for NFS RPCs. When this happens and filers respond with RPCs larger than this limitation, the ARX does not "trim" the RPC, resulting in the Solaris client not receiving the RPC response. This happens only on ARX-1500 and ARX-2500 on releases after 6.0.0.

Spurious errors appear in the syslog after an NSM failover. (25782)
NSM processors have redundant peers, even in an ARX that is not configured for overall redundancy. If an NSM processor fails, its peer processes packets for both. If nsm recovery is enabled, the failed processor comes back online and waits to take over for the running processor. The failed processor may repeatedly put the following message in the syslog:

NAT rule TCP/ip-address:port for remote action ip-address-2:port-2 type 3 not found.

This syslog message is spurious.

First found in Software Release 2.5.1.

On the ARX 4000, CoreCollector code has been changed and may display old cores that were never collected and reported. (34722)

The new CoreCollector code now correctly reports all cores from the current release and previous releases. It may find cores that were never previously collected and reported.

First found in Software Release 5.0.0.

Workaround: Please find and note the creation date of any new core files reported after upgrade, prior to contacting F5 Customer Support.

NTP Client/Service

Timezone Change: Fabs500 not updating timezone correctly. (24526)
The CLI "show clock" output does not always show the correct time after a time-zone change.

You can use the 'clock timezone' CLI command to set the time zone of the ARX. On rare occasions, the output from the 'show clock' command does not show the correct time after this change. For example:

ARXa500# clock set 14:43:00 01/11/2007 ARXa500# show clock Local time: Thu Jan 11 14:43:02 2007 EST -0500 America New_York Universal time: Thu Jan 11 19:43:02 2007 UTC ARXa500# config ARXa500(cfg)# clock timezone America Denver ARXa500(cfg)# show clock Local time: Thu Jan 11 14:43:13 2007 EST -0500 America Denver Universal time: Thu Jan 11 19:43:13 2007 UTC

The time does not conform to the new time zone, though the correct new time zone (America Denver) does appear in the output.

First found in Software Release 2.4.3.

Workaround: Log out of the CLI and log back in.

During the hour of transition from daylight-savings time to standard time, the clock set CLI command incorrectly interprets times in some time zones. (24709)

Times are ambiguous in the hour when daylight-savings time reverts to standard time, once per year. Suppose the transition occurs at 3 AM on the day of the daylight-savings change: time passes from 3 to 4 AM in daylight-savings time, then the clock goes back to 3 AM for standard time, and then time passes from 3 to 4 AM again. In some time zones, if you reset the clock to a time between 3 and 4 AM, the clock set command may not interpret your time correctly. If this occurs, the ARX assumes that the transition to standard time has already occurred.

This only occurs in time zones that are East of the Prime Meridian, with positive offsets from UTC.

First found in Software Release 2.4.3.

Workaround: Avoid the clock set command during the day and hour of transition.


Policy schedule fails and uses incorrect time when configured for 11pm on Saturday. (343985)
A file-placement rule with an age-based fileset can function incorrectly when it uses a schedule with the following settings:

  • a start time in the 11 O'Clock hour, and
  • set to run every Saturday.

The time calculation can fail on the night before the fall DST change. This causes the file-placement rule to run with an invalid time stamp and migrate the wrong files.

First found in Software Release 5.1.7.

Policy can loop when executing a rule in an ARX that uses SMB2. Fastpath CPU use is near 100% for an extended period. Volume-group CPU use is also high. (423667)

This condition can occur if a directory is removed at the same time that policy is evaluating a rule against it.

As a result, users may see slow responses and no progress on application of policies.

First found in Software Release 6.4.0.

Workaround: Reload the ARX system.

Shadow Volume

Shadow Copy Rule hangs indefinitely (instead of terminating immediately) when the RON connection to the target share fails. (32110)
A shadow-copy rule should fail as soon as the RON connection to the target filer fails. Instead, it continues indefinitely, waiting for the RON connection to return.

First found in Software Release 5.0.0.

Shadow-copy fails for invalid named stream on EMC filer. (366633)
The ARX makes its best effort when performing shadow-copy of streams that have invalid names on an EMC filer to a Windows shadow volume. As a result, the shadow-copy operation may be unsuccessful.

First found in Software Release 6.1.0.

SNMP Infrastructure

Incorrect values in snmpwalk output. (376742)
If you take a managed volume offline with nsck ... destage and then remove its shares, the removed shares remain visible in an SNMP walk of the volume. The counters for these non-existent shares never change. The next time the ARX reboots, the removed shares no longer appear in the SNMP view of the volume.

First found in Software Release 6.2.0.


ARX-500, ARX-2000, and ARX-4000 do not send 'nsmResourceThreshold' traps until the NSM resource is >100%. (356176)
The ARX monitors its NSM resources and should send an nsmResourceThreshold SNMP trap whenever an NSM process attempts to exceed 80%, 90%, or 100% of any of these resources. The issue is that the ARX does not send any nsmResourceThreshold trap until a process tries to exceed 100% of an NSM resource. It does not send traps when an NSM resource exceeds 80% or 90% of its capacity.

This does not apply to the ARX-VE, ARX-1500, or ARX-2500 platforms.

First found in Software Release 3.2.2.

If you replay a 5.2.0+ global-config on a system with an earlier release, domain-join fails for CIFS services. (39767)
The run configs global-config-file CLI command "plays" the global-config-file on the ARX, so that the ARX takes the full storage and policy configuration in that file. Every global-config file contains a special CLI command, kerberos-creds, to keep its CIFS services joined to their Windows Domains during this operation. The 5.2.0 version of this hidden command has changed, so the command fails if played on an ARX running an older release. Therefore, the CIFS services are unjoined to their domains after you use run configs global-config-file.

First found in Software Release 5.2.0.

Workaround: Manually edit the 5.2.0+ global config file so that the kerberos-creds command conforms to earlier releases. Specifically, remove the last three entries from the command. For example, if you find an entry like this in the 5.2.0+ global-config file:

ac1.MEDARCH.ORG MEDARCH.ORG 1Fkua3z04b6mvQrB4K4/+Q== ac1$ HOST/ac1.MEDARCH.ORG 2

You remove the last three entries:

ac1.MEDARCH.ORG MEDARCH.ORG 1Fkua3z04b6mvQrB4K4/+Q==

The above command can play back on an ARX running a pre-5.2.0 release.

Systems Management

IPC error when attempting to remove an offline share. (409274)

First found in Software Release 6.4.0.

Workaround: Removing an offline share using the GUI will result in the following error IPC_CALL_ERROR: RPC call to 'slmConfd::slm_migrate_share_1' failed: RPC: Can't encode arguments [1]. To remove this share, please use the CLI without the async flag.

Contacting F5 Networks

F5 Online Knowledge Base:
F5 Services Support Online:
F5 Software Trial Support:

For additional information, please visit