Applies To: BIG-IP PEM
- 12.1.0
Summary:
This release note documents the version 12.1.0 release of BIG-IP Policy Enforcement Manager (PEM).
Contents:
- Platform support
- Configuration utility browser support
- BIG-IQ – BIG-IP compatibility
- User documentation for this release
- New in 12.1.0
- Known issues
- Fixes in 12.1.0
- Supported high availability configuration for Policy Enforcement Manager
- Installation overview
- Contacting F5 Networks
- Legal notices
Platform support
This version of the software is supported on the following platforms:
Platform name | Platform ID |
---|---|
BIG-IP 800 (LTM only) | C114 |
BIG-IP 1600 | C102 |
BIG-IP 3600 | C103 |
BIG-IP 3900 | C106 |
BIG-IP 6900 | D104 |
BIG-IP 8900 | D106 |
BIG-IP 8950 | D107 |
BIG-IP 11000 | E101 |
BIG-IP 11050 | E102 |
BIG-IP 2000s, BIG-IP 2200s | C112 |
BIG-IP 4000s, BIG-IP 4200v | C113 |
BIG-IP 5000s, 5050s, 5200v, 5250v | C109 |
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110 |
BIG-IP 12250v | D111 |
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1) | D112 |
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113 |
VIPRION B2100 Blade (for evaluation only) | A109 |
VIPRION B2150 Blade | A113 |
VIPRION B2250 Blade | A112 |
VIPRION B4200, B4200N Blade (for evaluation only) | A107, A111 |
VIPRION B4450 Blade | A114 |
VIPRION B4300, B4340N Blade | A108, A110 |
VIPRION C2200 Chassis | D114 |
VIPRION C2400 Chassis | F100 |
VIPRION C4400, C4400N Chassis | J100, J101 |
VIPRION C4480, C4480N Chassis | J102, J103 |
VIPRION C4800, C4800N Chassis | S100, S101 |
Virtual Edition (VE) | Z100 |
vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
- PEM supported platforms:
  - VIPRION B2100, B2150, B2250, B4300, B4340N
  - BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
  - BIG-IP Virtual Edition (VE), not including the Amazon Web Services Virtual Edition (3 GB and 10 GB production models and combination lab models)
- PEM may be provisioned on the VIPRION B4200 and on the VIPRION B2100, but this is recommended only for evaluation, not for production. Use the B4300 or B4340N instead.
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
- ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.
VIPRION and vCMP caching and deduplication requirements
Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.
- AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
- AAM supports disk-based caching functionality on VIPRION chassis or blades.
- AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16 - 3) x (2 / 4) ~= 6.5 GB.
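As an added example (not F5's code or any published tool), the following Python script applies the vCMP guest memory formula above together with the module-combination guidelines from the memory tiers in this section, including the caveat that a vCMP guest provisioned with exactly 8 GB has less than 8 GB actually available and therefore falls into the "less than 8 GB and more than 4 GB" tier. The function and parameter names are my own, and the check covers only the guidelines stated in this section, not the licensing rules that also limit which modules may be provisioned.

```python
"""Constructed pre-provisioning check based on the memory guidelines in the
BIG-IP 12.1.0 PEM release note. Not F5 code; function names are assumptions."""


def vcmp_guest_memory_gb(platform_memory_gb, cpus_assigned, total_cpus):
    """Memory provisioned to a vCMP guest, per the release note's formula:
    (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus)."""
    if total_cpus <= 0 or cpus_assigned <= 0 or cpus_assigned > total_cpus:
        raise ValueError("cpus_assigned must be between 1 and total_cpus")
    return (platform_memory_gb - 3) * (cpus_assigned / total_cpus)


def memory_tier(memory_gb, vcmp_guest=False):
    """Map a memory figure to the guideline tier used in the release note."""
    if memory_gb >= 12:
        return "12+"
    if memory_gb == 8 and not vcmp_guest:
        # Hardware or VE with exactly 8 GB: the "8 GB" tier.
        return "8"
    if 4 < memory_gb <= 8:
        # A vCMP guest "provisioned with 8 GB" lands here, as the note says.
        return "4-8"
    return "<=4"


def provisioning_issues(modules, memory_gb, vcmp_guest=False,
                        platform=None, aam_dedicated=False, ltm_level="nominal"):
    """Return the list of guideline violations for a requested module set.
    An empty list means the combination is within the stated guidelines."""
    mods = {m.upper() for m in modules}
    tier = memory_tier(memory_gb, vcmp_guest)
    issues = []
    if tier == "12+":
        # All licensable combinations allowed; only the license limits it.
        return issues
    if tier == "8":
        if len(mods) > 3:
            issues.append("no more than three modules should be provisioned together")
        if platform in ("2000s", "2200s") and "AAM" in mods and len(mods) > 2:
            issues.append("on the 2000s/2200s, AAM can be provisioned with only one other module")
        if {"APM", "SWG"} <= mods and (mods - {"APM", "SWG", "LTM"} or ltm_level != "none"):
            issues.append("APM with SWG allows only LTM, and LTM provisioning must be None")
    elif tier == "4-8":
        if "AAM" in mods and len(mods) > 1:
            issues.append("AAM cannot be provisioned with any other module")
        if len(mods - {"AAM"}) > 3:
            issues.append("no more than three modules (not including AAM) should be provisioned together")
        if "AVR" in mods and memory_gb < 6.25:
            issues.append("AVR counts towards the module-combination limit below 6.25 GB")
    else:
        if len(mods) > 2:
            issues.append("no more than two modules may be configured together")
        if "AAM" in mods and not aam_dedicated:
            issues.append("AAM should not be provisioned, except as Dedicated")
        if "ASM" in mods:
            issues.append("ASM needs a sizing exercise at this memory level")
    return issues


if __name__ == "__main__":
    # The B2100 example from the note: two guests on a 16 GB, 4-CPU blade.
    guest_gb = vcmp_guest_memory_gb(16, 2, 4)
    print(guest_gb, memory_tier(guest_gb, vcmp_guest=True))
    print(provisioning_issues(["LTM", "PEM", "AAM"], guest_gb, vcmp_guest=True))
```

The sizing step is worth automating because the failure mode is silent: a guest that is nominally "8 GB" is treated by the guidelines as a sub-8 GB guest, and a combination that looks fine on paper can end up over the module limit once it boots.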
- BIG-IP LTM standalone only
- BIG-IP GTM standalone only
- BIG-IP LTM and GTM combination only
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
BIG-IQ – BIG-IP compatibility
SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE 12.1.0 Documentation page.
New in 12.1.0
Hitless TAC DB upgrade support
This release provides support for manual trigger download of licensed or custom TAC DB from a configured or pre-defined location. The activation of the DB is hitless.
Ability to detect RAN congestion
This feature allows the system to detect congestion in the Radio Access Network (RAN) and decide what protective action needs to be applied to the traffic. It allows the administrator to configure a threshold that defines the expected bandwidth for a subscriber.
Dissociate Custom DB support
Prior to this release, the URL filtering license included the ability to query both the Webroot DB and a custom DB. With this feature, the license enables only the Webroot DB, because the custom DB is enabled by default with the PEM license.
Ability to preserve the DF flag in the IP header on PEM UDP listener
This feature adds a UDP profile setting that controls whether the proxy's server-side connection sets, clears, or preserves the Don't Fragment (DF) flag.
Tethering Detection based on TCP fingerprints
The feature detects if a subscriber is tethering. It is included as a PEM action and can be enabled or disabled. A reporting destination can also be specified to which reports can be sent out whenever a subscriber goes from non-tethering state to tethering state and vice versa.
Usability and Statistics enhancement
This feature adds support for subscriber snapshots with flexible criteria such as subnet, subscriber ID, and AVP. It also adds selective purging of the Session DB and new RADIUS, Gx, and Gy statistics.
Support for Sd/TDF interface
This feature provides support for the Sd interface towards the PCRF, as defined in 3GPP Release 11.
Debugability and visibility enhancement
This feature adds functionality for performing operations on multiple subscriber sessions and for taking subscriber snapshots with flexible criteria such as subnet, subscriber ID, and AVP.
Enhancement of URL filtering to support multiple custom DBs
URL categorization has the ability to support flexible URL filtering policies for blacklisting or whitelisting purposes. There is also support for multiple custom DBs (up to 8) with the ability to support custom DB without Webroot DB.
Known issues
ID number | Description |
---|---|
397397 | When multiple static subscriber records are loaded from a .csv file, the subscriber information is lost if Enter or CRLF is not entered at the end of each record line. To work around this issue, press the Enter key or insert the CRLF characters at the end of each row in the .csv file. |
398416 | In this release, volume threshold is supported. However, time threshold does not qualify for Gx reporting because it is not specified in the standard. To work around this issue, do not use time threshold. |
398922 | Only a single instance of the diameter-endpoint profile is supported in this release: the system-supplied default gx-endpoint profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in tmsh. |
399119 | If a policy rule matched by flow filters drops or redirects the traffic, that traffic will not match other policy rules that use classification filters. |
400372 | The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and earlier. |
400893 | The .csv file for uploading static subscribers has multiple lines with Mac end-of-line. To work around this issue, convert the file into WIN file format and upload from the GUI or tmsh. This resolves the issue. |
403374 | On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported. |
410763 | If the monitoring key is longer than 1053 characters, an error message is issued. To work around this issue, use monitoring keys fewer than 1053 characters. |
417139 | Modifying Session state through iRules may cause issues over Gx. To work around this issue, do not modify the session state if session is active. |
427429 | No statistics are available for troubleshooting with the new "show pem irule" stats command. |
428420 | Some IP addresses are categorized as unknown on the BIG-IP system, even though they are categorized in the cloud database of webroot. |
428456 | Usage monitoring count received via CCA does not work; it is always 0. |
430344 | A URL categorization limitation is that a small set of URLs are categorized as unknown on the BIG-IP system, even though they may be categorized in the Webroot cloud database. |
435596 | The CEC hitless upgrade does not sync files between active-standby setup, using device group. To work around this issue, change standby to active to do CEC hitless upgrade. |
438549 | If you turn on the SNAT pool or SNAT Automap on an IPOther virtual, no traffic passes through in most cases. In some cases, the traffic passes but the out stats (packets and bytes) are zero. To work around this, do not turn on SNAT pool or SNAT Automap on an IPOther virtual that processes IPsec traffic. |
453959 | The UDP virtual used by PEM treats TTL differently than the standard UDP forwarding virtual. The standard UDP forwarding virtual decrements TTL whereas the UDP virtual reinitializes TTL to 255. In the event that there is a routing loop in the network, which traverses a BIG-IP running PEM, this behavior would prevent TTL from expiring and thus exacerbate the effects of the loop. |
461531 | The tower column in the Active Sessions table (Policy Enforcement > Subscribers) is displayed incorrectly. |
465937 | If a virtual server's port is specified as ANY for Gx/Gy (with address 0.0.0.0), MCP validation does not allow it to be created. A virtual-destination has to be unique. |
465946 | If both the DHCP and RADIUS protocols are used to discover subscribers, subscriber discovery is unpredictable. Both methods cannot be used simultaneously for subscriber discovery. |
466162 | If the destination address is set to be ::/0 in DHCPv6 relay mode, the multicasting traffic will not hit the DHCPv6 virtual. |
466891 | If a classification profile is disabled in virtual server settings, the PEM policy Flow Reporting action and PEM policy Header Insert Action are not applied. To work around this issue, enable classification on the Virtual Server settings page. |
470890 | While adding virtual servers from the listener data plane page, (in the GUI) only the first VLAN in the list is selected. To work around this, select all VLANs from the list, or go to the virtual server page and modify there. |
472713 | Sometimes, in IE8, while searching for particular active session by session IP an error message appears. The error message says that the system is trying to process your request. |
484245 | Using the GUI to delete a network firewall rule causes a change to other rules that specify ports. This occurs when using the GUI to delete a firewall rule, and there are other rules that are limited to specific ports. The port changes to 'any' in all network firewall rules that specify ports. For example, any firewall rules that match traffic on port '80' change to match on port 'any' when this issue occurs. Use tmsh, iControl, and BIG-IQ to manage firewall rules. Use port lists instead of specifying ports. These could include lists with a single port. |
501896 | To add a small piece of custom configuration to an existing built-in protocol profile in the PEM GUI, a new protocol profile has to be created manually from scratch. To work around this, use the tmsh cp command: cp _sys_radius_proto_all CUSTOM_RADIUS_PP. |
503362 | The PEM policy custom filter specifies iRules that evaluate to true or false. If the iRule command is asynchronous, the behavior is undefined. To work around this, make sure the iRule commands specified in the custom filter are not asynchronous. |
507131 | If the BIG-IP system is updated with the latest software, the custom TacDB is lost. To work around this, save a backup before upgrading the system. |
509684 | When CCR-U is not initiated by RADIUS Accounting, it does not contain configured custom AVPs. |
520081 | TMSH command to import custom TAC-DB displays attributes that are not supported. For example, poll-interval, user, password and app-service options. |
524351 | When CCR-U is not initiated by RADIUS Accounting, it does not contain configured custom AVPs. |
522934 | Some PCRFs require the Subscription ID in all CCR messages over Gx/Gy for easier session management. To work around this, set the sys db variable tmm.diameter.application.encode.subscriber.id.in.all.ccr to true so that the Subscription ID is included in CCR-U and CCR-T messages as well. By default, it is set to true. |
524339 | Present design accepts Custom TAC-DB to be defined in specific format and fields. For example, TAC-ID, Make, Model, OS-info needs to be in same order. Change in order results in improper log messages and also affects the DTOS and Tethering functionality. |
524350 | TMSH command, create ltm tacdb customdb to import the custom TAC-DB through URL method only supports local file location. |
525633 | Currently, if PEM sends a CCR-U and the PCRF responds with a CCA-U indicating that it lost the session, PEM ignores the response and sends the CCR-U again. A lost PCRF session implies a reboot or failover, after which the PCRF responds to session update requests with an unknown session ID. To work around this, PEM can delete the session on its end (configurable) and also recreate the same session (configurable) so that the PCRF can get the context back: set tmm.pem.diameter.application.trigger.delete.onPeerfailure to TRUE if PEM should delete the session when the PCRF reports the session ID as unknown, and set tmm.pem.session.ppe.recreate.afterPeerFailure to true if PEM should recreate the session. |
528787 | If a session delete is initiated through tmsh or RADIUS when connection is down, the session delete does not seem to be complete. When the connection comes up and RAR is sent immediately with an empty policy, PEM responds with RAA with DIAMETER_SUCCESS code even though session has been deleted. |
528238 | If a same policy with quota management action is added multiple times to the session through RAR (or CCA-u) then after 32 installs, any flow for the session is reset. |
534323 | When PEM is configured to support dual stack, one IPv4 and one IPv6 address, and if the interim contains the first IP address along with the new or second IP address of the session then PEM deletes the existing session and creates a new session. |
537034 | A CPU spike is seen during stress testing. |
533734 | Packet traces show DHCPv6 packets arriving via IP6 IP4 tunnel, are forwarded to the VIP but the packet is not forwarded to the backend server on VIPRION. |
535041 | On any virtual server with a UDP profile that executes an iRule using a parking command such as table set, the BIG-IP drops all UDP packets received while waiting for iRule execution to complete. To work around this, enable datagram-load-balancing in the UDP profile associated with the virtual server. It aggregates flows and processes them in parallel, based on the timeout setting. |
540227 | When a TCP virtual with a Gx profile listens on port 3868 (DIAMETER port#), the virtual picks up packets from the Internet targeting port 3868 since there is no source IP filter. These packets were found to be bogus with no valid DIAMETER content. This led to triggering ASSERTs in the DIAMETER code. |
546680 | When the system boots up, the number of sessions created by PEM may not match the number of static subscribers configured on the device. Subsequent traffic for the absent sessions triggers creation of the sessions; however, these sessions are marked as belonging to dynamic subscribers rather than static subscribers. To work around this, increase the SPM initialization delay to 60s through the sysDB variable tmm.pem.ssp.init.delay. |
546213 | When mapping a custom TACDB with more than 300K entries, a 7% degradation of throughput is seen for about 10 seconds. |
556785 | Not all HTTP transactions make it through; this is credited to iRule failures when FastL4 is enabled. To work around this, do not enable FastL4 when iRules are present in this scenario. |
561805 | If failover happens during bulk deletion as a result of receiving Radius accounting on or off message, not all sessions are marked for deletion. As a result, after failover, some should-be-deleted PEM sessions remain. |
564619 | When the IPv6 prefix length is set to a value other than default value 128, and vlan cmp hash is set to either src-ip or dst-ip, the IP prefix DAG is activated for IPv6 traffic instead of SPDAG. The IP prefix DAG solely relies on SW DAG redirects, which will impact IPv6 performance. |
564281 | When using the debug version of tmm, an HA failover may cause tmm to assert when Gy is configured. When this occurs, the tmm (debug version) may core and restart, resetting all connections. |
564431 | Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail. |
568722 | Gy quota and end-of-session reports are not sent for a session under certain conditions: classification is disabled on the virtual that handles the session; classification is enabled but the session's policy has no actions or classification filters; or classification is enabled and there is no policy against the session. To work around the first two conditions, disable the optimization that removes certain HUD nodes based on the policies or actions present. |
588456 | PEM deletes the existing PEM subscriber session after the lease time expires because DHCP renewal is not processed: the BIG-IP DHCP module does not process the ACK sent from the DHCP server and does not update the lease time, which causes the PEM subscriber session to age out. |
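Three of the known issues above (397397, 400893 and 464431) come down to line endings in the static-subscriber .csv file: records without a trailing EOL are dropped, and classic Mac CR-only files must be converted to Windows (CRLF) format before import. The following Python script is an added example, not F5's code, of a pre-flight check and normalizer to run on the file before "tmsh load pem subscriber file" or the GUI import. The function names are my own, and the column layout of the constructed sample data is a placeholder, not the documented import format.

```python
"""Constructed pre-flight check for a static-subscriber .csv (not F5 code).
Flags and repairs the line-ending defects described in known issues
397397, 400893 and 464431 of the BIG-IP 12.1.0 PEM release note."""
import re

CRLF = b"\r\n"


def csv_line_ending_problems(data: bytes) -> list:
    """Report line-ending defects that the PEM importer is known to reject."""
    problems = []
    if not data:
        return ["file is empty"]
    # Remove well-formed CRLF terminators first; any CR or LF left over is a
    # lone (classic Mac or Unix) line ending, which the importer mishandles.
    leftover = data.replace(CRLF, b"")
    if b"\r" in leftover:
        problems.append("classic Mac CR-only line endings present")
    if b"\n" in leftover:
        problems.append("Unix LF-only line endings present")
    if not data.endswith(CRLF):
        problems.append("last record has no CRLF terminator")
    return problems


def normalize_subscriber_csv(data: bytes) -> bytes:
    """Rewrite every record to end in CRLF, including the final one
    (the "WIN file format" the workaround for 400893 asks for)."""
    # Collapse any of CRLF, lone CR, or lone LF into a single CRLF.
    unified = re.sub(rb"\r\n|\r|\n", CRLF, data)
    if unified and not unified.endswith(CRLF):
        unified += CRLF
    return unified


def records(data: bytes) -> list:
    """Split a normalized file into its non-empty records."""
    return [line for line in data.split(CRLF) if line]


# Constructed sample: three records saved by a classic Mac editor (CR only),
# with the last record unterminated. Column layout is a placeholder.
SAMPLE_MAC_CSV = (
    b"10.0.0.1,sub-0001,static\r"
    b"10.0.0.2,sub-0002,static\r"
    b"10.0.0.3,sub-0003,static"
)

if __name__ == "__main__":
    print("before:", csv_line_ending_problems(SAMPLE_MAC_CSV))
    fixed = normalize_subscriber_csv(SAMPLE_MAC_CSV)
    print("after:", csv_line_ending_problems(fixed), "records:", len(records(fixed)))
```

Running the check before import is cheaper than discovering afterwards that a subset of subscribers never got a static session and were silently treated as dynamic subscribers on first traffic.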
Fixes in 12.1.0
ID number | Description |
---|---|
406311 | The client does not see any resets when the gate status disabled action is enforced. The enforcement happens while using profile FastL4 and after waiting for two or more flows for the connection. |
412036 | If a PEM enabled UDP virtual is hit by DHCP broadcasting traffic, you can define a DHCP virtual that has an enabled subscriber discovery feature on its DHCPv4 profile. |
454498 | If the DHCP virtual was configured to work in forwarding mode, it drops all broadcast DHCP traffic (coming from source 0.0.0.0 and going to 255.255.255.255). This applies to both DHCPv4 and DHCPv6. To support broadcast DHCP traffic, the DHCP virtual has to be configured in Relay mode rather than Forwarding mode. |
469519 | BigTCP clears the NOREASSEMBLY flag on vip creation forcing reassemble of IP fragments. |
493067 | When using the PEM::subscriber irule commands, the subscriber-type field is required but it can be any valid type, which does not have to match the subscriber session. |
504627 | Alive or Valid sessions will not be deleted before the timeout any more due to a lack of traffic. |
528787 | PEM sends an RAA with UNABLE_TO_COMPLY code if the session is marked for deletion. |
549283 | A log message has been added to indicate the state transitions for Gx and Gy sessions. |
557675 | A small number of PEM sessions can be looked up by their session-ip and their subscriber-id. |
563262 | The error is due to missing classification information. Make sure the classification information is specified. |
577863 | Fix the DHCP server routing table, so that DHCP server can deliver DHCP reply packet back to client successfully. |
Supported high availability configuration for Policy Enforcement Manager
Policy Enforcement Manager is supported in an active-standby and active-active configuration with two BIG-IP systems only.
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
Installation method | Command |
---|---|
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Contacting F5 Networks
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
How to Contact F5 Support or the Anti-Fraud SOC
- By phone in the U.S. (accessible 24x7): 888-88askf5 (888-882-7535).
- International contact numbers: http://www.f5.com/training-support/customer-support/contact/.
- The Support Coordinator can contact the SOC as needed.
You can manage cases online at F5 WebSupport (registration required). To register, email CSP@F5.com with your F5 hardware serial numbers and contact information.
You can contact the Anti-Fraud SOC as follows:
- By phone in the U.S. (accessible 24x7): 866-329-4253 (Option #3 for Anti-Fraud)
- International contact numbers: https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.