Release Notes : BIG-IP PEM 12.1.0

Applies To:

Show Versions Show Versions

BIG-IP PEM

  • 12.1.0
Release Notes
Original Publication Date: 04/20/2017 Updated Date: 04/18/2019

Summary:

This release note documents the version 12.1.0 release of BIG-IP Policy Enforcement Manager (PEM).

Contents:

Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 800 (LTM only) C114
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 12250v D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1) D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade (for evaluation only) A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade (for evaluation only) A107, A111
VIPRION B4450 Blade A114
VIPRION B4300, B4340N Blade A108, A110
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • PEM supported platforms
    • VIPRION B2100, B2150, B2250, B4300, B4340N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE12.1.0 Documentation page.

New in 12.1.0

Hitless TAC DB upgrade support

This release provides support for manual trigger download of licensed or custom TAC DB from a configured or pre-defined location. The activation of the DB is hitless.

Ability to detect RAN congestion

This feature allows to detect congestion in the Radio Access Network (RAN) and decide what protective action needs to be applied to the traffic. It allows to configure a threshold configuration so that the administrator can define the expected bandwidth for a subscriber.

Dissociate Custom DB support

Prior to this release URL filtering license included the ability to query on Webroot DB and on custom DB. With this feature the license enables only Webroot DB, because the Custom DB is enabled by default with the PEM license.

Ability to preserve the DF flag in the IP header on PEM UDP listener

This feature provides support in UDP profile to allow or configure behavior, which affects server side connection of the proxy to set and unset or preserve the Don’t Fragment (DF) flag.

Tethering Detection based on TCP fingerprints

The feature detects if a subscriber is tethering. It is included as a PEM action and can be enabled or disabled. A reporting destination can also be specified to which reports can be sent out whenever a subscriber goes from non-tethering state to tethering state and vice versa.

Usability and Statistics enhancement

This feature has support for subscriber snapshot with flexible criteria like subnet, subscriber ID and AVP. There is also selective purging of Session DB and a new Radius, Gx and Gy statistics.

Support for Sd/TDF interface

This feature provides support of 3GPP Release 11 defined Sd interface towards the PCRF.

Debugability and visibility enhancement

This feature provides added functionality for performing operations on multiple subscriber sessions and subscriber snapshot with flexible criteria like subnet, subscriber ID, AVP etc.

Enhancement of URL filtering to support multiple custom DBs

URL categorization has the ability to support flexible URL filtering policies for blacklisting or whitelisting purposes. There is also support for multiple custom DBs (up to 8) with the ability to support custom DB without Webroot DB.

Known issues

ID number Description
397397 When multiple static subscriber information is loaded from a .csv file, the subscriber information is lost if enter or CRLF is not entered at the end of each record line. To workaround this issue, press the Enter key or insert the CRLF character at the end of each row in the .csv file.
398416 In this release, volume threshold is supported. However, time threshold does not qualify for Gx reporting as it is not specified in the standard. To workaround this issue, do not use time threshold.
398922 Only a single instance of the diameter-endpoint profile is supported in this release: the system-supplied default gx-endpoint profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in tmsh.
399119 If a policy rule matched with flow filters drop or redirect the traffic, that traffic will not match other policy rules that use classification filters.
400372 The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and earlier.
400893 The .csv file for uploading static subscribers has multiple lines with Mac end-of-line. To work around this issue, convert the file into WIN file format and upload from the GUI or tmsh. This resolves the issue.
403374 On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported.
410763 If the monitoring key is longer than 1053 characters, an error message is issued. To work around this issue, use monitoring keys fewer than 1053 characters.
417139 Modifying Session state through iRules may cause issues over Gx. To work around this issue, do not modify the session state if session is active.
427429 No statistics are available for troubleshooting with the new "show pem irule" stats command.
428420 Some IP addresses are categorized as unknown on the BIG-IP system, even though they are categorized in the cloud database of webroot.
428456 Usage monitoring count received via CCA does not work. It will be always 0.
430344 An URL categorization limitation is that a small set of URLs are categorized as unknown on the BIG-IP, even though they may get categorized in the cloud database of webroot.
435596 The CEC hitless upgrade does not sync files between active-standby setup, using device group. To work around this issue, change standby to active to do CEC hitless upgrade.
438549 If you turn on the SNAT pool or SNAT Automap on IPOther virtual, no traffic passes through in most cases. In some cases, the traffic passes but the out stats (packets and bytes) is zero. To workaround this, do not turn on SNAT pool or SNAT Automap on IPOther virtual that processes IPsec traffic.
453959 The UDP virtual used by PEM treats TTL differently than the standard UDP forwarding virtual. The standard UDP forwarding virtual decrements TTL whereas the UDP virtual reinitializes TTL to 255. In the event that there is a routing loop in the network, which traverses a BIG-IP running PEM, this behavior would prevent TTL from expiring and thus exacerbate the effects of the loop.
461531 The tower column in the Active Sessions table (Policy Enforcement > Subscribers) is displayed incorrectly.
465937 If a virtual server's port is specified as ANY for Gx/Gy(address is 0.0.0.0, MCP validation does not allow us to create it. A virtual-destination has to be unique.
465946 If both DHCP and RADIUS protocol is used to discover subscriber, the subscriber discovery is unpredictable. Both methods cannot be used simultaneously for subscriber discovery.
466162 If the destination address is set to be ::/0 in DHCPv6 relay mode, the multicasting traffic will not hit the DHCPv6 virtual.
466891 If a classification profile is disabled in virtual server settings, the PEM policy Flow Reporting action and PEM policy Header Insert Action are not applied. To work around this issue, enable classification on the Virtual Server settings page.
470890 While adding virtual servers from the listener data plane page, (in the GUI) only the first VLAN in the list is selected. To work around this, select all VLANs from the list, or go to the virtual server page and modify there.
472713 Sometimes, in IE8, while searching for particular active session by session IP an error message appears. The error message says that the system is trying to process your request.
484245 Using the GUI to delete a network firewall rule causes a change to other rules that specify ports. This occurs when using the GUI to delete a firewall rule, and there are other rules that are limited to specific ports. The port changes to 'any' in all network firewall rules that specify ports. For example, any firewall rules that match traffic on port '80' change to match on port 'any' when this issue occurs. Use tmsh, iControl, and BIG-IQ to manage firewall rules. Use port lists instead of specifying ports. These could include lists with a single port.
501896 If a small piece of custom configuration is to be added in PEM GUI, in the existing built-in protocol profile for using it, a new protocol profile has to be manually created from the scratch. To workaround this, use tmsh's cp command: cp _sys_radius_proto_all CUSTOM_RADIUS_PP.
503362 The PEM policy custom filter specifies irules that evaluate to true or false. If the iRule command is asynchronous, the behavior is undefined. To workaround this, please make sure the iRule commands specified in the custom filter are not asynchronous.
507131 If the BIG-IP system is updated with the latest software, then the custom TacDB will be lost. To workaround this, please be sure to save a backup before upgrading the system.
509684 When CCR-U is not initiated by RADIUS Accounting, it does not contain configured custom AVPs.
520081 TMSH command to import custom TAC-DB displays attributes that are not supported. For example, poll-interval, user, password and app-service options.
524351 When CCR-U is not initiated by RADIUS Accounting, it does not contain configured custom AVPs.
522934 Some PCRF's require subscription ID in all CCR messages over Gx/Gy for easier session management. To workaround this, set sys db variable tmm.diameter.application.encode.subscriber.id.in.all.ccr to True to see Subscription ID in CCR-u and CCR-T messages as well. By default, it is set to true.
524339 Present design accepts Custom TAC-DB to be defined in specific format and fields. For example, TAC-ID, Make, Model, OS-info needs to be in same order. Change in order results in improper log messages and also affects the DTOS and Tethering functionality.
524350 TMSH command, create ltm tacdb customdb to import the custom TAC-DB through URL method only supports local file location.
525633 Currently if PEM sends CCR-U and PCRF responds with CCA-U (PCRF lost session), PEM ignores and sends CCR-U. PCRF session is lost, that implies reboot or failover and it responds to session update requests with unknown session id. To work around this, delete the session on PEM end (configurable) and also recreate the same session (configurable) so that PCRF can get the context back up. tmm.pem.diameter.application.trigger.delete.onPeerfailure should be set to TRUE if PEM should delete the session based when PCRF complains session ID unknown. tmm.pem.session.ppe.recreate.afterPeerFailure Should be set to true if PEM should recreate the session.
528787 If a session delete is initiated through tmsh or RADIUS when connection is down, the session delete does not seem to be complete. When the connection comes up and RAR is sent immediately with an empty policy, PEM responds with RAA with DIAMETER_SUCCESS code even though session has been deleted.
528238 If a same policy with quota management action is added multiple times to the session through RAR (or CCA-u) then after 32 installs, any flow for the session is reset.
534323 When PEM is configured to support dual stack, one IPv4 and one IPv6 address, and if the interim contains the first IP address along with the new or second IP address of the session then PEM deletes the existing session and creates a new session.
537034 CPU spike seen after during Stress Test.
533734 Packet traces show DHCPv6 packets arriving via IP6 IP4 tunnel, are forwarded to the VIP but the packet is not forwarded to the backend server on VIPRION.
535041 Any virtual server with UDP profile executing iRule using parking command such as table set. The BIG-IP drops all UDP packets received while waiting for iRule execution to be completed. To workaround this, enable datagram-load-balancing in UDP profile associated with the virtual server. It will aggregate flows and process them in parallel, based on the timeout setting.
540227 When a TCP virtual with a Gx profile listens on port 3868 (DIAMETER port#), the virtual picks up packets from the Internet targeting port 3868 since there is no source IP filter. These packets were found to be bogus with no valid DIAMETER content. This led to triggering ASSERTs in the DIAMETER code.
546680 When the system boots up, the number of sessions created by PEM may not match the number of static subscribers configured on the device. Subsequent traffic for the absent sessions triggers creation of the sessions. However, these sessions are marked as belonging to dynamic subscribers as opposed to static subscribers. To workaround this, increase the SPM initialization delay to 60s through the sysDB variable tmm.pem.ssp.init.delay.
546213 When mapping a custom TACDB with more than 300K entries, 7% performance degradation of throughput is seen for about 10 seconds..
556785 Not all HTTP transactions make it through credits to iRule failures when FastL4 is enabled. To workaround this, issue can be avoided by not enabling FastL4 when iRules are present in this scenario.
561805 If failover happens during bulk deletion as a result of receiving Radius accounting on or off message, not all sessions are marked for deletion. As a result, after failover, some should-be-deleted PEM sessions remain.
564619 When the IPv6 prefix length is set to a value other than default value 128, and vlan cmp hash is set to either src-ip or dst-ip, the IP prefix DAG is activated for IPv6 traffic instead of SPDAG. The IP prefix DAG solely relies on SW DAG redirects, which will impact IPv6 performance.
564281 When using the debug version of the tmm, HA fail over may cause the tmm to assert when Gy is configured. To workaround this, the TMM (debug version) may core and restart resetting all connections.
564431 Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail.
568722 Gy quota and end of session reports are not sent for a session under certain conditions. The conditions include scenarios when classification is disabled on the virtual that handles the session or classification is enabled and no actions or classification filters under a session's policy. The other condition can be that classification is Enabled and there is no policy against a session. To workaround this, for the first two conditions, disable optimization where based on policies or actions and certain HUD nodes are removed.
588456 PEM deletes existing PEM Subscriber Session after lease time expires. DHCP renewal is not processed. BigIP DHCP module does not process the ACK, sent from the DHCP server, and update the lease time, which causes PEM subscriber session to be aged out.

Fixes in 12.1.0

ID number Description
406311 The client does not see any resets when the gate status disabled action is enforced. The enforcement happens while using profile FastL4 and after waiting for two or more flows for the connection.
412036 If a PEM enabled UDP virtual is hit by DHCP broadcasting traffic, you can define a DHCP virtual that has an enabled subscriber discovery feature on its DHCPv4 profile.
454498 If DHCP virtual was configured to work in forwarding mode, it drops all broadcasting ( coming from source 0.0.0.0 and going to 255.255.255.255) DHCP traffic. This applies on both protocols DHCPv4 and DHCPv6. If you want to support broadcasting DHCP traffic, then the DHCP virtual has to be configured in Relay mode rather than Forwarding mode.
469519 BigTCP clears the NOREASSEMBLY flag on vip creation forcing reassemble of IP fragments.
493067 When using the PEM::subscriber irule commands, the subscriber-type field is required but it can be any valid type, which does not have to match the subscriber session.
504627 Alive or Valid sessions will not be deleted before the timeout any more due to a lack of traffic.
528787 PEM sends RAA with UNABLE_TO_COMPLY code if session is marked for deleted.
549283 A log message has been added to indicate the state transitions for Gx and Gy sessions.
557675 A small number of PEM sessions can be looked up by their session-ip and their subscriber-id.
563262 The error is due to missing classification information. Please make sure the classification information is specified.
577863 Fix the DHCP server routing table, so that DHCP server can deliver DHCP reply packet back to client successfully.

Supported high availability configuration for Policy Enforcement Manager

Policy Enforcement Manager is supported in an active-standby and active-active configuration with two BIG-IP systems only.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage cases online at F5 WebSupport (registration required). To register email CSP@F5.com with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices