Release Notes :
BIG-IP Analytics 12.0.0
Applies To:
Show Versions
BIG-IP Analytics
- 12.0.0
Original Publication Date: 05/26/2016
Updated Date: 04/18/2019
Summary:
This release note documents the version 12.0.0 release of BIG-IP Analytics (AVR). You can apply the software upgrade to systems running software versions 10.1.0 (or later), or 11.x.
Contents:
- Platform support
- Configuration utility browser support
- BIG-IQ – BIG-IP Compatibility
- User documentation for this release
- New features introduced in 12.0.0
- Installation overview
- Upgrading from earlier versions
- Upgrading earlier configurations
- Changing the resource provisioning level of the Analytics Module
- Setting the Analytics Module resource provisioning level to Nominal from the command line
- Setting the Analytics Module resource provisioning level to Nominal using the Configuration utility
- Fixes in 12.0.0
- Known issues
- Contacting F5 Networks
- Legal notices
Platform support
This version of the software is supported on the following platforms:
| Platform name | Platform ID |
|---|---|
| BIG-IP 1600 | C102 |
| BIG-IP 3600 | C103 |
| BIG-IP 3900 | C106 |
| BIG-IP 6900 | D104 |
| BIG-IP 8900 | D106 |
| BIG-IP 8950 | D107 |
| BIG-IP 11050 | E102 |
| BIG-IP 2000s, BIG-IP 2200s | C112 |
| BIG-IP 4000s, BIG-IP 4200v | C113 |
| BIG-IP 5000s, 5050s, 5200v, 5250v | C109 |
| BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110 |
| BIG-IP 12250v | D111 |
| BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1) | D112 |
| BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113 |
| VIPRION B2100 Blade | A109 |
| VIPRION B2150 Blade | A113 |
| VIPRION B2250 Blade | A112 |
| VIPRION B4200, B4200N Blade | A107, A111 |
| VIPRION B4300, B4340N Blade | A108, A110 |
| VIPRION C2200 Chassis | D114 |
| VIPRION C2400 Chassis | F100 |
| VIPRION C4400, C4400N Chassis | J100, J101 |
| VIPRION C4480, C4480N Chassis | J102, J103 |
| VIPRION C4800, C4800N Chassis | S100, S101 |
| Virtual Edition (VE) | Z100 |
| vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
- vCMP supported platforms
- VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
- BIG-IP 5200v, 7200v, 10200v
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
- ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
- BIG-IP LTM standalone only
- BIG-IP GTM standalone only
- BIG-IP LTM and GTM combination only
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 8.x, 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
BIG-IQ – BIG-IP Compatibility
SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP Analytics / VE 12.0.0 Documentation page.
New features introduced in 12.0.0
This release includes the following new items.
ASM resources
The system now displays CPU usage of Application Security Manager (ASM) resources, system ASM bypass information, and the system memory usage of ASM resources. To view these statistics, navigate to .
vCMP reports
While each guest running over vCMP has full or partial visibility for different modules running within it (AVR, ASM, AFM, APM, and so on), in the past, the vCMP host had very limited visibility to different trends regarding resource consumption for each of the guests running within it. In this version, we added the following analytics data:
- Connection and traffic
- Hardware Acceleration
- Memory statistics
We added the following screens to the menu: Connection and Traffic, Hardware Acceleration, and Memory.
CGNAT statistics
If you enable CGNAT, you can view active large-scale NAT (LSN) pool statistics in graphical charts on the system. Several charts are available, and they show the following information:
- Translation endpoints for all active LSN pools.
- Logging attempts and failures for all LSN pools.
- Port block allocation (PBA) translations.
- Port Control Protocol (PCP) requests.
To view these statistics, navigate to .
Process CPU Utilization statistics
You can now view how much CPU (in percentage) is being used by each process running on your system. To view these statistics, navigate to .
AVR HTTP reports and DoS Application reports: Show Host name as part of URL by configuration
We enabled the option to display the hostname as part of the URL (for example, some_hostname/index.php). To enable this option, from tmsh, set the database variable Avr.IncludeServerInUri to enable. It is disabled by default (meaning, the hostname is not displayed by default as part of the URL).
Examples:
modify sys db avr.includeserverinuri value enable
modify sys db avr.includeserverinuri value disable
Exporting reports
You can now export data from the .
Overview screen enhancements
The DoS Overview screen () now displays the total number of attacks, and the number of attacks in progress, according to the following attack severities: high impact attacks, medium impact attacks, and low impact attacks. You can filter which data the system displays on the Overview screen according to DoS types: Application, DNS, SIP, and Network. The attacks table was moved from the DoS Application Attacks screen () to the DoS Overview screen ().
Analytics support for REST API
All Analytics data that is available to users today from the Configuration utility and tmsh commands is also available to query using F5 Network’s REST API. For more information regarding the REST API, read the REST API documentation, at https://devcentral.f5.com/.
Reports of PEM subscribers
Analytics now collects and reports information about Policy Enforcement Manager (PEM) subscribers. You can view statistics on the PEM Statistics screen () filtered by subscribers and the subscriber’s name. For more information about PEM, see the PEM documentation on https://support.f5.com.
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
| Installation method | Command |
|---|---|
| Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
| Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.
After the installation finishes, you must complete the following steps before the system can pass traffic.
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Upgrading from earlier versions
Your upgrade process differs depending on the version of software you are currently running.
Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.
Upgrading from version 10.1.0 (or later) or 11.x
When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 10.1.0
You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.
Upgrading earlier configurations
When you upgrade from an earlier versions of the software, you might need to know about or take care of these configuration-specific issues.
| ID Number | Description |
|---|---|
| ID 223704 | When you import a single configuration file (SCF file) that contain VLANs of the same name that exist in different administrative partitions, the operation fails with a unknown operation error. Upgrading configurations with VLANs of the same name in different administrative partitions. Upgrade operation fails with a unknown operation error. Workaround: Before installing an SCF file, run the tmsh load sys config default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected. |
| ID 401828 | The following configurations are invalid for a SIP virtual server: a) TCP virtual server with a UDP profile and a SIP profile. b) UDP virtual server with a TCP profile and a SIP profile. TCP virtual server with a UDP profile and a SIP profile, or a UDP virtual server with a TCP profile and a SIP profile. If such a configuration exists in previous versions, it loads in 11.3.x but may cause a core. Workaround: "Fix the configuration manually, as follows: a) A SIP TCP virtual server must have TCP as one of its profile type. b) A SIP UDP virtual server must have UDP as one of its profile type." |
| ID 415961 | Unused HTTP Class profiles are not rolled forward during upgrade or UCS restore. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring forward those profiles into the new configuration when you upgrade. No Policy is created from the HTTP Class profile and the profile does not appear in the new configuration. This occurs when upgrading a pre-v11.4.0 configuration with a HTTP Class profile not attached to a virtual server. You might lose unused HTTP Class profiles in the configuration. Workaround: Attach all HTTP Class profiles to a virtual server before upgrade or save of a UCS. |
| ID 434364 | "When upgrading from 10.x or installing a 10.x originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions which had been generated from files in the 10.x install. If the filename being upgraded to file-object starts with a '.', then on initial load, bigpipe will give an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key | show | list | help) for 'external monitor file object'" The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.' The UCS will not install properly, and/or the configuration on initial boot will not load. Workaround: Edit the name of the file-object in question which would be found in /config/bigpipe/bigip.conf to remove the leading '.' character from the object name, and make any references to the file-object match that change. |
| ID 435332 | If there are users defined on a version 10.2.1 BIG-IP system to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x. "Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common }" Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] } |
| ID 435482 | In versions prior to 11.4.0, the UCS does not save files containing spaces in the names. That means that any files that had spaces in the name would not be written to the UCS file and the UCS save would appear to succeed. When a UCS file which was saved in this manner is subsequently applied to 11.4.0 or greater, the configuration load will fail because the referenced file(s) (with spaces in their names) are not present in the UCS. "1. The UCS being applied was saved in a release prior to 11.4.0. 2. The configuration contained config objects with spaces in their names. 3. The UCS is being applied to 11.4.0 or greater." After upgrading into the newer release, the initial config load will fail. Alternatively, manually loading any UCS saved in this manner will result in a similar configuration load failure. Workaround: Boot back to the previous version and rename all the files in question so they don't have spaces in their names. Save the UCS again, and upgrade. |
| ID 436075 | Using syslog include field when the command 'syslog-ng -s' does not succeed before the upgrade. Using syslog include field. It is possible to roll forward an include field with invalid syntax. This will cause the configuration to fail to load. Workaround: When using the syslog include field, ensure that the command 'syslog-ng -s' succeeds before the upgrade. |
| ID 436212 | "If a copper SFP module is installed and a configuration is loaded which sets that module's speed and duplex, this configuration might fail to load. The /var/log/ltm file shows an error similar to the following and the config fails to load. 01070318:3: The requested media for interface 1.1 is invalid." "The system being upgraded needs to have a copper SFP module installed in order to encounter this issue. There are two ways to arrive at this state: when upgrading and at runtime. This runtime error and its workaround is covered in SOL14556, available at http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14556.html. When applying a UCS from a previous version of TMOS, this condition can also be triggered." The upgrade fails after booting into TMOS for the first time. Workaround: "To work around this issue, edit /config/bigip_base.conf so that the lines specifying the 'media-sfp' setting are set to 'auto', similar to the following example. Once all interfaces using a non-auto setting are changed, the configuration should load. net interface 1.1 { media-sfp auto }" |
| ID 436825 | Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. "All of these conditions must be true: - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1. Upgrading to 11.0 or 11.1 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0. - It has a partition that has its default route domain set to a nonzero route domain - That partition contains nodes with no route domain set (so the default is used) - That partition contains other nodes in route domain 0" Those objects may no longer be addressable or able to connect. Workaround: "Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane." |
| ID 448409 | The command 'load sys config verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect. This affects the ConfigSync communication channel if configured. The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted. Workaround: You can avoid this issue by using the 'load sys config verify' command 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the command: tmsh load sys config partitions all. |
| ID 449617 | If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when loading the configuration. Passphrase present in ssl-key file object Configuration fails to load Workaround: Remove passphrase line from the file object. |
| ID 450050 | "Following upgrade from 10.x to 11.x, the config file fails to load. An error similar to the following is logged: ""load_config_files: ""/usr/libexec/bigpipe load"" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line xxxx): 012e0020:3: The requested item (respondasm {) is invalid (<profile arg> | show | list | edit | delete | stats reset) for 'profile'.""" "- Upgrading from 10.x to 11.x - respondclass configuration directives were introduced into the customer's /config/bigip.conf profile respondclass XXXX { ... }" Configuration fails to load. Workaround: It is safe in version 11.0 onwards to manually delete a "profile respondclass XXXX {" block. |
| ID 488417 | Cannot load config after upgrade if the admin account is disabled and replaced with a custom user. The system posts the message: 01070829:5: Input error: can't create user, role partition mapping, user does not exist, username, Unexpected Error: Loading configuration process failed. This occurs when upgrading a system on which the root admin account is disabled and replaced with a custom admin user account. You cannot upgrade if the root admin account is disabled. Workaround: Switch back to the volume where you disabled the root admin account, and load the configuration from there. You can then disable root access and create a custom admin user account. |
| ID 489015 | An LTM request-log profile that references a non-existent pool can pass validation in 11.1, but fails beyond 11.2 with an error similar to "The requested Pool (/Common/poolname) was not found." This can cause a load failure when rolling forward the configuration. An invalid request-log profile referencing a non-existent pool, upgrading from 11.1. Failure to load config post-upgrade. Workaround: Correct the request-log profile in the config either prior to upgrade or by editing the config after. |
| ID 490139 | Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket. This occurs when loading an iRule file from versions prior to 11.5.1. Although the comments are removed, this does not affect iRule functionality. Workaround: Put comments in places other than immediately above the closing bracket. |
| ID 496663 | iRule object in non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x. This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software. The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'. Workaround: None. |
| ID 513239 | The configuration might fail to load upon upgrade from 10.x to 11.x if the configured SSL profile cache-size value exceeds the maximum supported value on 11.x. SSL profile exists with cache-size greater than 262144 (if upgrading to version 11.0.0 though version 11.4.1) or greater than 4194304 (if upgrading to version 11.5.0 and later). Upgrade from version 10.x to version 11.x fails. The system posts an version-specific error: -- If upgrading to version 11.0.0 through version 11.4.1: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 262144. -- If upgrading to version 11.5.0 and later: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 4194304. Workaround: Prior to upgrade, change the version 10.x cache-size to a value that is supported on the upgraded version. On versions 11.0.0 through 11.4.1, the supported range is from 0 to 262144; on version 11.5.0 and later, the supported range is from 0 to 4194304. |
| ID 513501 | "When upgrading from a version prior to 11.5 to 11.5 or newer, the configuration may fail to load with and error similar to: ""LSN pool is configured with a prefix address that overlaps with a prefix address on another LSN pool"" If the configuration contains an overlapping DNAT and NAPT lsn pool." "On versions prior to 11.5, tmsh would allow users to configure overlapping DNAT and NAPT pools despite this configuration being invalid and non functional. Fixes to the validation were added in 11.5. However when upgrading from previous versions, if a configuration contains overlapping DNAT and NAPT pools it will fail to load the configuration on versions newer than 11.5." Configuration will fail to load on upgrade. Workaround: Edit bigip.conf and find the overlapping LSN pools. Either remove one of the pools or change the mode on the DNAT pool to NAPT. |
| ID 523797 | The upgrade script failed to update the file path name for snmp.process_name, causing a validation error. Workaround: Edit the process name path to reflect the location. |
| ID 528881 | When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load. The BIG-IP system must be configured with NATs that have spaces in their names. The configuration does not load on the upgraded system. Workaround: Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ). |
| ID 530011 | Upgrading from 10.2.x to 11.x and see that iRule causes error when iRule event triggered: CLIENT_ACCEPTED - Illegal argument. TCP::option get on profile without tcp option setting (line 1) invoked from within 'TCP::option get 8'. Using rules.tcpoption.settings set specifying tcp option to collect. iRules that use TCP::option and depend on rules.tcpoption.settings do not work as expected when upgrading from 10.2.x to 11.x. Workaround: Configure TCP profile after upgrade that collects appropriate tcp option for iRule: create ltm profile tcp profile_name tcp-options "{8 last}". |
| ID 532559 | If the client-ssl profile is /Common/clientssl, its parent profile is itself. But the configuration uses 'defaults-from none'. Add 'defaults-from none' under client-ssl profile '/Common/clientssl'. The upgrade fails. This occurs because the script extracts the line 'defaults-from none' and treats 'none' is its parent profile. Workaround: None. |
Changing the resource provisioning level of the Analytics Module
After upgrading or installing a new version, before you can use the Analytics Module, you must set the Analytics Module resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.
Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Analytics Module. The system overrides all configuration changes that are made before this process is completed. When the process is not completed, the system informs you by displaying, in the Configuration utility, this message: AVR is not ready. The system informs you when the process is completed by indicating in the log (/var/log/avr) the following message: AVR started successfully.
Setting the Analytics Module resource provisioning level to Nominal from the command line
You can set the Analytics Module resource provisioning level to Nominal from the command line.
- Open the command-line interface utility.
- Type the command: tmsh modify sys provision avr level nominal .
- Type the command: tmsh save sys config.
The screen refreshes, and the resource provisioning level of the Analytics Module is set to Nominal.
Setting the Analytics Module resource provisioning level to Nominal using the Configuration utility
You can set the Analytics Module resource provisioning level to Nominal using the Configuration utility.
The screen refreshes, and the resource provisioning level of the Analytics Module is set to Nominal.
Fixes in 12.0.0
This release includes the following fixes.
| ID Number | Description |
|---|---|
| 428162 | AVR reporting now correctly displays VLAN Group names. |
| 446272 | The network DoS analytics report is no longer empty while the network DoS log has attack entries. |
| 461234 | If the system processes HTTP requests with malformed XFF, and the security policy's Accept XFF/Trust XFF Header option is enabled, the system now correctly identifies the real IP addresses that sent this traffic, and they are no longer shown as "::". |
| 467802 | If MySQL is down, monpd will go down without causing a core dump. |
| 467945 | We fixed an issue where the system had duplicated data, leading to display of the following warning message in the AVR monpd log: Some rows of load_stat_asm_http_ip_xxxxxxxxxx.x not loaded (xxxxx rows affected). |
| 470559-1 | We fixed a rare condition where TMM crashed due to traffic stress with rapid changes made to Traffic capturing profiles. |
| 471289 | If both ASM and Analytics are provisioned, and you have created an Analytics profile, you can use the tmsh command show analytics report view-by dosl7-profile to view analytics results even if a DoS profile is not configured for, and attached to, a virtual server. |
| 472117 | REST API: Now you can modify a scheduled-report type, and it will automatically reset the other type's attribute (predefinedReportName or multiLeveledReport). |
| 472782 | When a user configures a new filter on the screen using the Violation Rating field (for example, Violation Rating: At least 3), that filter now also works correctly on the screen. |
| 472969 | The maximum number of AVR profiles in the system is 264. If you try to create more than 264 AVR profiles, MCP now generates the following message: Can't generate more than 264 AVR profiles, and the system will not create the profiles. |
| 474251 | IP addresses are now properly cleaned from lookup tables, making room so new IP addresses can be collected. |
| 474465 | Average system CPU and busiest CPU calculation is now based on the critical data plane processing. |
| 474613 | Configuration upgrade from versions 11.2, 11.1 or 11.0 now succeeds and works correctly even when two analytics profiles on different partitions are configured with the same remote login server IP address. |
| 474814 | Advanced Filters on ASM Charts pages on custom reports are now saved when upgrading to a newer version. |
| 475439, 500457 | We fixed a synchronization problem in AVR lookups that sometimes caused TMM and other daemons, such as the Enforcer, to crash. |
| 478346 | We fixed an issue that sometimes caused the system to collect incorrect AVR statistics. |
| 480350 | We fixed an issue that intermittently caused TMM to crash when APM and AVR are provisioned together. |
| 481541 | Previously, a memory leak in the monpd daemon occurred in some situations. It no longer occurs. |
| 488713 | AVRD now handles an unhandled exception when using the Thrift server. |
| 489682 | If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs. |
| 496560 | We fixed an issue that intermittently caused TMM to crash when APM and AVR are provisioned together. This fix is additional to the one provided in ID 480350. |
| 496624 | This fix supports ID 496560 for the better handling of ingress events. |
| 497376 | The desired XFF header is taken as the one that represents the HTTP request IP address. |
| 499287 | When the global Security Policy is selected on the screen, exporting the page (either to a PDF or to e-mail) now works correctly. |
| 499315 | Added functionality to collect the full URL (with host name) to AVR statistics. |
| 503471 | We fixed a memory leak. |
| 504414 | We added these previously missing fields to the external report: DosL7ProfileName, TransactionOutcome, and DosL7AttackID. |
| 508544 | AVR injects CSPM JavaScript only when the payload contains an HTML tag. This is the correct behavior. |
| 518663 | If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will promise to the client a CSPM injection in the response by adding to the Content-length header. If no <html> tag is found in the response, the system now injects empty spaces to fill in the missing bytes in order to prevent the client from timing out. |
| 531526 | Aggregated activity is now reported even when there are many entities to report and some are aggregated. |
Known issues
The following items are known issues in the current release.
| ID Number | Description |
|---|---|
| 344054 | The system calculates statistics in the graphs differently than in the table. In the graphs, the system displays a snapshot of statistics recorded at a specific point in time, every five minutes. In the table, the system displays a cumulative number of statistics recorded. |
| 344763 | It may take a few minutes for graphs to display changes made to the Analytics configuration. |
| 346255 | Analytics does not collect page load time statistics for gzipped (compressed) responses. |
| 351257 | Health monitor requests for Global Traffic Manager (GTM) pools or servers are shown in Analytics statistics. (Note that GTM is BIG-IP DNS as of version 12.0.) |
| 368119 | AVR+APM: If an Analytics profile is assigned to a virtual server and an Access Profile is assigned to same virtual server, then statistics for pool members are not displayed for page load time. |
| 372174 | After changing the sampling ratio, you must restart the MD service by running the command: bigstart restart md. |
| 379479 | For chunked responses, the system reports the average HTTP response size in the Configuration utility and database as at least 25 bytes less than its actual size. This is because the system does not report the header "Transfer-Encoding:chunked" and the numbers that indicate the chunked size. |
| 396068 | Sometimes when you drill down on the screen, the system displays the following error message: Cannot drilldown into entity: %s . |
| 396131 | Although the system permits you to select options from the filter to view statistics by a client IP address and then drill down to view statistics for a custom domain-name ("query name"), you should not. This filter combination is invalid and does not produce results. |
| 397064 | If you stop and restart a "bigstart" daemon (for example, if you run the command bigstart restart mysql) afterward, you must also run the command bigstart start to restart dependent daemons. |
| 402353 | AVR concurrent session statistics available in iRules are not reset to zero when the traffic is completely stopped. So a later event that triggers iRules and checks for the concurrent number of active sessions does not acquire a value of zero. Instead, it acquires the number of active sessions for some time in the past when there was traffic activity. |
| 404106 | When sending HTTP traffic through a virtual server configured with AVR and Response-Adapt profiles, and the ICAP server modifies the response, AVR does not report any activity for the virtual server. |
| 407631 | There may be situations where the system's DOS mechanism detects a DoS attack, but the RAM-cache handles the attacking transactions instead of the module. In these cases, while the system detects the attack, the system does not report the attack unless AVR is also assigned to the virtual server. |
| 414273 | The results of a user-created filter on the screen may appear differently when using the same filter on the screen. |
| 415883 | On rare occasions, provisioning changes that involve the AVR, ASM or AFM modules can cause TMM to continuously restart after the machine is reactivated. A reboot to the machine solves the problem (by running the command "reboot"). |
| 419676 | When you define an alert on an Analytics profile that is assigned to multiple virtual servers, and that alert is defined for any maximum TPS, latency or throughput on an application or pool member, that alert will not be notified, and the LTM log (/var/log/ltm) will show an error message: could not find id or measure field in report .... |
| 441578 | If you use an iRule to disable AVR from collecting statistics for a specific URL, that URL does not receive Application Security DoS protection even if Application Security DoS protection is enabled on the virtual server. |
| 455027 | Application-level DoS reporting: If traffic runs through a virtual server that is not assigned to DoS profile, it is published as Aggregated instead of using a more descriptive value, as "Unknown" or "N/A". |
| 472291 | If AVR is provisioned, and statistics are produced while traffic is running through a virtual server assigned to an Analytics profile, the Configuration utility does not automatically log out after the logout period (configured in the Idle Time Before Automatic Logout setting in the screen) when any Analytics screen under the Statistics menu is opened. |
Contacting F5 Networks
| Phone: | (206) 272-6888 |
| Fax: | (206) 272-6802 |
| Web: | http://support.f5.com |
| Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.
