Release Notes : BIG-IP PEM 11.5.0

Applies To:

Show Versions Show Versions

BIG-IP PEM

  • 11.5.0
Release Notes
Original Publication Date: 05/21/2014 Updated Date: 04/18/2019

Summary:

This release note documents the version 11.5.0 release of BIG-IP Policy Enforcement Manager (PEM).

Contents:

Supported platforms

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 800 (LTM only) C114
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, BIG-IP 5200v

BIG-IP 5050 (requires 11.4.1 HF3)

C109
BIG-IP 7000s, BIG-IP 7200v

BIG-IP 7050 (requires 11.4.1 HF3)

D110
BIG-IP 10000s, BIG-IP 10200v D113
BIG-IP 10050 (requires 11.4.1 HF3) D112
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION B4100, B4100N Blade A100, A105
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory on the platform or provisioned guest. For vCMP support and for Policy Enforcement Module (PEM), Carrier-Grade NAT (CGNAT), and the BIG-IP 800 platform, the following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
  • PEM and CGNAT supported platforms
    • VIPRION B2150, B2250, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition)
    • PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
  • BIG-IP 800 platform support
    • The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category).

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Note that GTM and LC do not count toward the module-combination limit.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x and 9.x
  • Mozilla Firefox 15.0.x
  • Google Chrome 21.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE11.5.0 Documentation page.

Fixes in 11.5.0

ID number Description
403154 When updating signatures,/classification_base.conf is now manually updated from the tmsh.
404047 The BIG-IP system comes with a publisher called local-db-publisher. This publisher can now be used as hsl endpoint for reporting.
406311 Wait for 2 or more flows for the connection to not reset while dropping. After that, the user will not see any resets on that specific connection.
408153 Now, diameter messages (CCR and RAA messages) generated by the BIG-IP system, have the P bit (proxy-able) set.
419729 The auto-sync works for syncing the custom-created SPM (PEM) profiles with PEM policies.
422993 PEM is now listed as a module and can be provisioned in platform B4340N.
425821 No crash occurs when invalid classification ID is skipped.

Fixes in 11.4.1

ID number Description
408153 Now, diameter messages (CCR and RAA messages) generated by the BIG-IP system, have the P bit (proxy-able) set.
419729 The auto-sync works for syncing the custom created SPM (PEM) profiles with PEM policies.
422993 PEM is now listed as a module and can be provisioned.
425821 No crash occurs when invalid classification ID is skipped.

Fixes in 11.4.0

ID number Description
397157 Added Service Chain options configuration to Policy Enforcement > Forwarding > Service Chains screen in PEM.
398666 Added lsn-pool property to Forwarding Endpoint screen in PEM.
400065

New Classification Protocol Bundle provided with this version correctly classifies the active FTP over IPv6 data channel.

400799 The DIAMETER::state command is now implemented for the diameter-endpoint profile and any profiles derived from it (such as the gx-endpoint profile).
402868 Now the PEM susbscriber import feature properly imports files which include white space in the file's name.
400385 IPv6 RADIUS virtual servers no longer become unavailable when modified to use an IPv4 address.
404107 Now without restarting tmm when the Gx server IP is changed, the changes take effect and BIG-IP connects to the new PCRF.

New in 11.5.0

Gy Support and Quota Management

This release provides support for quota management and prepaid charging per subscriber, or application with PEM and communication with the OCS in the mobile network using the 3GPP Gy interface. This is a license-based feature.

Dynamic Service Chaining

The dynamic service chaining feature makes the service chain intelligent and flexible with these abilities:
  • The ability to add/skip different VAS endpoints through policy-based, forwarding endpoint selection.
  • Perform header insertion/removal per leg of the VAS chain depending on the policy.
  • The ability to include a sideband VAS in the service chain using ICAP as the protocol (multiple ICAP sideband connection per service chain).

Classify IP protocols

This feature includes support for several non-TCP/non-UDP protocols like IPsec, GRE, IPinIP, ICMP and SCTP. When upgrading from a previous release, the virtual server for all protocols does not include the IPOther profile.

Steering on Response

This feature supports the ability to analyse the response message and apply steering policy action for the flow, or for transaction when the policy decision cannot be made based on only the request message, and it requires both the request and response messages.

Statistics and Debuggability

This feature adds improvements to the debuggability, health monitoring, and troubleshooting features in previous releases. This release includes subscriber-level stats, more Gx stats, Gy stats, RADIUS stats, and HSL stats. Statistics for specific subscribers is available for detailed troubleshooting to show flows, classification results, policy, and action.

Transactional Classification and Policy Enforcement

The transactional classification feature enables moving from flow-based classification to transaction-based classification. The traffic is classified after the first transaction; a policy action is assigned each time the classification result changes and matches a different policy. This increases granularity of traffic policing and visibility.
Note:
This feature is only applicable to HTTP applications.

URL Categorization

This feature provides the ability to enforce policies configured as part of the subscriber profile based on the URL category type. The URL categorization is obtained by querying an internal repository. Also, the URL categorization is transaction-aware and is a licensed feature.

Behavior changes in 11.4.0

ID umber Description
ID 424209 The default bandwidth control policy is not created automatically when the first bandwidth control policy is created, and is not deleted by default when the last bwc policy is deleted. The default-bwc-policy is treated similarly to other bandwidth control policies. You can create a bandwidth control policy by this name and use it as required.

Known issues

ID number Description
397397 When multiple static subscriber information is loaded from a .csv file, the subscriber information is lost if enter or CRLF is not entered at the end of each record line. To workaround this issue, press the Enter key or insert the CRLF character at the end of each row in the .csv file.
398416 In this release, volume threshold is supported. However, time threshold does not qualify for Gx reporting as it is not specified in the standard. To workaround this issue, do not use time threshold.
398922 Only a single instance of the diameter-endpoint profile is supported in this release: the system-supplied default gx-endpoint profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in tmsh.
399119 If a policy rule matched with flow filters drop or redirect the traffic, that traffic will not match other policy rules that use classification filters.
400372 The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and earlier.
400893 The .csv file for uploading static subscribers has multiple lines with Mac end-of-line. To work around this issue, convert the file into WIN file format and upload from the GUI or tmsh. This resolves the issue.
403374 On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported.
406311 If gate status disabled action is enforced while using profile FastL4, the client will see unwanted connection resets. To work around this issue, set the srDB using the db var tmm.pem.srdb.entry.step to 240.
406349 If the dynamic_spm_bwc_policy is not created, dynamic PCC rules are not applied. To work around this issue, ensure that the dynamic_spm_bwc_policy is configured with proper parameters prior to getting dynamic PCC rules from the PCRF.
409201 If you change the SPM (PEM) profile of a virtual during a certain flow, the flow will not get policy reevaluation. Instead, only new flows will be using the new policies that are attached to the profile.
410763 If the monitoring key is longer than 1053 characters, an error message is issued. To work around this issue, use monitoring keys fewer than 1053 characters.
417139 Modifying Session state through iRules may cause issues over Gx. To work around this issue, do not modify the session state if session is active.
427429 No statistics are available for troubleshooting with the new "show pem irule" stats command.
427844 Any tunneling traffic such IPsec, GRE, and IPIP cannot be steered by the BIG-IP system to a different endpoint. This is because the traffic is encapsulated and targets only the destination endpoint.
428178 All IP addresses that are identified as frequent are not stored in the database, and thus are not categorized.
428420 Some IP addresses are categorized as unknown on the BIG-IP system, even though they are categorized in the cloud database of webroot.
430344 A URL categorization limitation is that a small set of URLs are categorized as unknown on the BIG-IP system, even though they may get categorized in the cloud database of webroot.
435596 The CEC hitless upgrade does not sync files between active-standby setup, using device group. To work around this issue, change standby to active to do CEC hitless upgrade.
438549 If you turn on the SNAT pool or SNAT Automap on IPOther virtual, no traffic passes through in most cases. In some cases, the traffic passes but the out stats (packets and bytes) is zero. To workaround this, do not turn on SNAT pool or SNAT Automap on IPOther virtual that processes IPsec traffic.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices