Release Notes : BIG-IP LTM and TMOS version 10.2.0

Applies To:

Show Versions Show Versions


  • 10.2.0
Release Notes
Updated Date: 08/23/2013


This release note documents the version 10.2.0 release of BIG-IP Local Traffic Manager and TMOS.


Supported hardware

You can apply the software upgrade to systems running software versions 9.3.x, 9.4.x, 9.6.x, and 10.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 10.2.0 Documentation page.

New in 10.2.0

BIG-IP Local Traffic Manager Virtual Edition

You can now run the BIG-IP system in a virtual machine environment. BIG-IP Local Traffic Manager Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine, packaged to run with a VMware hypervisor on a machine running Microsoft Windows, or on a Linux-hosted machine. BIG-IP Local Traffic Manager Virtual Edition includes all features of BIG-IP Local Traffic Manager, running on the standard BIG-IP Traffic Management Operating System (TMOS).

EtherIP tunneling between data centers

The EtherIP tunnel is designed as a generic way of bridging two remote data centers. To configure an EtherIP tunnel, you use VLANs that span pairs of BIG-IP systems in separate data centers. This enables uninterrupted support for existing IP connections before and after a live migration event in which the application resource is moved from the local to the remote data center.

Application templates

This release includes additional application templates. An application template corresponds to a particular application, such as generic DNS traffic management, and provides a fast, efficient way to configure the BIG-IP system to process the associated traffic. The application templates added in this release are:
  • Generic DNS
  • Microsoft Exchange 2010 Client Access server (CAS), (formerly known as Outlook Web Access), which supports Outlook Anywhere, POP3, and IMAP4 virtual servers
  • VMware View

XML content-based routing

You can now route XML messages to different destinations based on specific content in a document. The system queries document content using an XML Path Language (XPath) expression, which assures fast, simple, and accurate operation. For example, you can specify a purchase-order (PO) routing scheme, in which the system routes a PO totaling less than $10k to one pool member, and a PO totaling more than $10k to another pool member.

Receive Disable String (RECV drain string) monitor option

In this release, you can configure the Receive String attribute and a new Receive Disable String attribute Receive Disable String for HTTP, HTTPS, TCP, and UDP monitors. When configured in certain combinations, these attributes cause all existing connections to be methodically drained from the server instead of being dropped suddenly. This feature is helpful when you are planning to perform maintenance on the server. For configuration information, see Configuring Receive Disable String (RECV drain string) monitor option.

Virtual Location monitor

The Virtual Location monitor optimizes end-user response time in environments with dynamic distribution of application resources across multiple data centers. When using the Virtual Location monitor, the BIG-IP sets the Priority Group value of all local pool members to 2 (a higher priority). When a member of a load balancing pool migrates to a remote data center the Virtual Location monitor lowers the members Priority Group value to 1 (a lower priority). This value adjustment results in subsequent connections being sent to local pool members only if available. If no local pool members are available, connections are sent to the remote pool member.

TCP persist timeout configuration (CR75559-8)

There is now a TCP profile option for specifying the length of time that the TCP connection can receive zero-length window probes before the system closes the connection. The Zero Window Length option has default value of 20000 milliseconds. If you set the value to 0 (zero), the system closes the connection immediately upon receiving a zero-length window probe. The timer starts when an effective window size becomes zero, and stops when the window size becomes greater than zero. When the interval reaches the value specified, the connection is terminated. This setting is useful for handling slow clients with small buffers, such as cell phones.

User authentication lockout

You can now deny access to a user after a configured number of failed authentication attempts. The administrator can then reset the lock to re-enable access for the user.

Public Key Infrastructure/Common Access Card (PKI/CAC) support

The BIG-IP Kerberos Delegation authentication module has been extended so that the system can now transition SSL certificates to Kerberos credentials. More specifically, the BIG-IP Advanced Client Authentication component can offload SSL processing and authenticate the identity of an end-user based on an attribute obtained from a Common Access Card (CAC) certificate.

BIG-IP Access Policy Manager on 3600, 3900, 6900, 6900 FIPS, 8900, 8950, and 11050 platforms

You can provision a free ten-concurrent-connection license of the BIG-IP Access Policy Manager module for web application access management on the following BIG-IP platforms: 3600 (C103), 3900 (C106), 6900 (D104), 6900 FIPS (D104), 8900 (D106), 8950 (D107), and 11050 (E102). The BIG-IP Access Policy Manager is a software component of the BIG-IP hardware platform that provides your users with secured connection to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. For provisioning details, see BIG-IP Systems: Getting Started Guide. For more information about BIG-IP Access Policy Manager and its associated documentation, see Release Note: BIG-IP Access Policy Manager version 10.2.0.

Module integration into the Configuration utility

In this release, the Application Security Manager module and Web Accelerator system are now fully integrated into the BIG-IP Configuration utility.

Support for two new platforms

This release provides support for the new 8950 and 11050 platforms, which are designed to provide superior performance. For more information, see Platform Guide: 8950 and Platform Guide: 11050, available in the AskF5 Knowledge Base.

Logging to RADIUS or TACACS+ accounting servers

When you configure the new logging to RADIUS or TACACS+ accounting servers feature, the BIG-IP system forwards audit log messages to remote Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) servers in appropriate logging format. For configuration information, see Configuring logging to RADIUS or TACACS+ accounting servers.

When you configure the new logging to RADIUS or TACACS+ accounting servers feature, the BIG-IP system forwards audit log messages to remote Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) servers in appropriate logging format. For configuration information, see Configuring logging to RADIUS or TACACS+ accounting servers.

Installation overview

This document lists only the very basic steps for installing the software. The BIG-IP Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

Installation checklist

Before you begin:

  • If using partitions, reformat for the 10.1.0 and later partition size, if needed (partitions created using version 9.x or 10.0.x do not accommodate the 10.1.0 and later software).
  • Reactivate the license and update the service contract.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are upgrading from version 9.3.x or 9.4.x, run im <downloaded_filename.iso> to copy over the new installation utility.
  • If you are running WAN Optimization Manager, set provisioning to Minimum.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

This document lists only the very basic steps for installing the software. The BIG-IP Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running. Software version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: BIG-IP software and platform support matrix.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 9.6.x or 10.x

When you upgrade from software version 9.6.x or 10.x, you can use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help, or the relevant chapters in the BIG-IP Systems: Getting Started Guide.

Important: Upgrading a version 9.6.x platform to version 10.x also performs a BIOS upgrade. (You can find more information in the following Solution: SOL10633: BIOS update may be required before installing BIG-IP version 10.1.0 or later on the VIPRION platform.) If you also apply a version 10.x hotfix when you attempt the software upgrade, the operation fails to install the new BIOS. This can cause additional issues. For more information, see SOL10548: The BIOS of the VIPRION platform is not upgraded when installing BIG-IP version 10.0.x and a hotfix in a single step and SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.x.

Upgrading from version 9.3.x or 9.4.x

If you plan to install this version of the software onto a system running 9.3.x or 9.4.x, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.3.x or 9.4.x to 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP Systems: Getting Started Guide.

Upgrading from versions earlier than 9.3.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x or from BIG-IP versions 9.0.x through 9.2.x. You must be running software version 9.3.x, 9.4.x, 9.6.x, or 10.x. For details about upgrading to those versions, see the release notes for the associated release.

Important: Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up correctly, but the system logs a message every ten minutes reminding you to configure the peer management addresses. To configure the failover peer management addresses, navigate to System > High Availability > Network Failover , and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the configuration. Once you specify both IP addresses, the system should operate as expected. For more information, see SOL9947: Change in Behavior: The Peer Management Address setting is required for BIG-IP version 10.x systems configured for network failover.

Fixes in 10.2.0

The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL11853: Overview of BIG-IP version 10.2.0 HF1 with the exception of the following Change Requests (CRs):

  • CR136629: The performance of queries for pool member and node address statistics.
  • CR139372: The High Speed Logging feature and logging binary data.

This release includes the following fix.

ID Number Description
CR134037 Corrected fixed-ratio calculations to improve performance and accuracy.
Note: After you have installed the software, you can use any of the following configuration options to update your configuration.

Configuring Receive Disable String (RECV drain string) monitor option

Receive Disable String (RECV drain string) monitor option: The Receive Disable String advanced configuration setting applies to HTTP, HTTPS, TCP, and UDP monitors. You can use a Receive String value together with a Receive Disable String value to match the value of a response from the origin web server and create one of three states for a pool member or node: Up (Enabled), Up (Disabled), or Down. When a pool member or node is Up (Enabled), a new connection can be made. When Up (Disabled), a new connection cannot be made, existing connections become depleted, and maintenance can be performed on the server. When Down, a new connection cannot be made, existing connections are immediately terminated, and maintenance can be performed on the server. Additionally, if you choose to set the Reverse setting to Yes, the Receive Disable String option becomes unavailable and the monitor marks the pool, pool member, or node Down when the test is successful.

Receive String matches Receive Disable String matches State of pool member or node
Yes No Up (Enabled)
No Yes Up (Disabled)
No No Down
Note: F5 Networks recommends using mutually exclusive values for Receive String and Receive Disable String. If a response matches both values, the monitor indicates the state as Up (Enabled).

Configuring logging to RADIUS or TACACS+ accounting servers

This release introduces RADIUS and TACACS+ accounting support, where syslog messages that are written to the /var/log/audit log are sent in encrypted form to either a RADIUS (port 1813) or TACACS+ (port 49) accounting server. You can use the Traffic Management shell (tmsh) to configure the RADIUS or TACACS+ components.

To configure the BIG-IP system for logging to RADIUS or TACACS+ accounting servers

  1. In the browser-based Configuration utility, navigate to System > Logs > Options and select Enable from the bigpipe list in the Audit Logging section.
  2. Using the tmsh utility on the command line, navigate to the /sys module.
  3. Within the /sys module, modify the config.auditing.forward.destination component to use an IPv4 or IPv6 address for the destination. For example, to configure a destination IPv4 address of, use the following command: tmsh modify sys db config.auditing.forward.destination value
  4. Modify the config.auditing.forward.sharedsecret component to use a secret string. For example, to configure a secret string called mysecret, use the following command: tmsh modify sys db config.auditing.forward.sharedsecret value mysecret
  5. Modify the config.auditing.forward.type component to use either radius or tacacs+. For example, to configure tacacs+, use the following command: tmsh modify sys db config.auditing.forward.type value tacacs+

After you complete these steps to configure RADIUS or TACACS+ accounting support, the system automatically creates a log file in the destination specified.

Note: Here are some additional considerations for configuring RADIUS or TACACS+ accounting support:
  • If connectivity to the remote auditing server is lost, messages are not transmitted and there is no message-retransmission mechanism. You can still find those messages in the /var/log/audit log on the BIG-IP system, however.
  • All messages are fully written to the log file on the BIG-IP system; however, on the accounting server, messages are truncated to 255 characters.
  • When you set the variable type to radius or tacacs+ for config.auditing.forward.type, you must also specify a secret string for config.auditing.forward.sharedsecret.
  • You must use port 1813 for logging to RADIUS accounting servers, and port 49 for logging to TACACS+ accounting servers.
  • To disable logging to RADIUS or TACACS+ accounting servers
  1. Navigate to the /sys module.
  2. Within the /sys module, set the config.auditing.forward.type component to none using the following command: tmsh modify sys db config.auditing.forward.type value none
  • To customize messages from the audit log to the accounting servers
  1. Modify the Tcl procedure called Transform in /etc/syslog-ng/audit_forwarder.tcl. (You must use the exact procedure name Transform.)
  2. To have the change take effect, run the command bigstart restart syslog-ng at the tmsh command line.
Note: This feature gives you total control over what is sent to the accounting server. However, although you can modify the script in any way to change what is sent to an accounting server, F5 Networks supports only the unmodified script.
Note: Here are some additional considerations for customized messages:
  • A Transform procedure for a customized message must return a transformed string.
  • Default functionality for a customized message leaves the message unchanged when the Tcl procedure is omitted, the Tcl file does not exist, or an error occurs on evaluation.
  • This procedure does not modify messages written to the /var/log/audit file.

Tcl Transform procedure options for customized messages

You can also use the following additional Tcl procedures. These procedures are mutually exclusive, so uncomment only the one you want to use and comment out the other one.

  • To configure the /etc/syslog-ng/audit_forwarder.tcl script not to send variants of bigpipe show and bigpipe list commands, comment out the top procedure and uncomment the second procedure in the file.
  • To modify the Tcl script to skip the first 16 characters, comment out the second procedure, and uncomment the third procedure. This eliminates the date and time portion of the message. Since the accounting server truncates messages to 256 characters, this might be useful to include more relevant data from longer messages.

Behavior changes in 10.2.0

ID Number Description
CR109429-1 The browser-based Configuration utility increments the total requests statistic for virtual servers only when the virtual server uses an HTTP profile, or when the virtual server is a Performance (HTTP) type.
CR110198, CR127136, CR134054-1 F5 Networks has changed the default behavior for SSL profiles that do not have customized cipher lists. The set of ciphers negotiable by default no longer includes DES-CBC-SHA and all MD5 cipher suites. You can re-enable these ciphers by customizing the SSL profiles' ciphers attribute with the desired ciphers explicitly enabled and/or selecting the appropriate clientssl-insecure-compatible or serverssl-insecure-compatible profile from which to inherit default settings that include the deprecated ciphers.
CR131461 In version 10.2.0 when you boot from a DVD, thumb drive, or Pre-boot Execution Environment (PXE) server, the system presents a menu. You can press Enter to initiate an installation operation. The system indicates that you can also use Ctrl+C to access the command line shell to perform additional installation operations. In version 10.2.0, however, when you use Ctrl+C at this point, the system leaves a boot partition mounted, which causes all subsequent installation operations to fail. For more information about the known issue and its workaround, see Manufacturing installation menu and Ctrl+C to enter Bash (CR138343). In previous releases, the system did not present the menu, but instead presented the command line shell immediately.
CR135199 The BIG-IP products support an extensive range of SSL ciphers. You can find an overview of the SSL ciphers BIG-IP systems support in SOL8802: Overview of SSL ciphers supported in BIG-IP systems, and an updated list of all SSL ciphers supported on the BIG-IP product in SOL6808: SSL Ciphers supported on the BIG-IP 1500,1600, 3400, 3600, 3900, 6400, 6800, 6900, 8400, 8800, and 8900 platforms.
CR135548-1 When you create a new TCP, HTTP, or HTTPS monitor in version 10.2.0, you must include \r\n at the end of a non-empty Send String, for example GET /\r\n instead of GET /. If you do not include \r\n at the end of the Send String, the TCP, HTTP, or HTTPS monitor fails.
Communication between BIG-IP or 3-DNS version 4.x and version 10.1.0 or later A 3-DNS Controller or BIG-IP system running version 4.x cannot communicate with BIG-IP systems configured with version 10.1.0 or later. For more information, see SOL11106: Change in Behavior: iQuery communication is not supported between BIG-IP or 3-DNS version 4.x and BIG-IP LTM or GTM version 10.1.0 or later.
VLAN failsafe timeout value behavior change In software versions 9.x, the system did not enforce a minimum value for the VLAN failsafe timeout value. Beginning in version 10.0.0, the minimum allowed VLAN failsafe timeout value is 10 seconds. Before you upgrade from version 9.x to version 10.x, F5 Networks recommends that you change your VLAN failsafe timeout value to 10 or greater in order to ensure a successful configuration load after the upgrade has been completed. For more information, see SOL7066: Overview of VLAN failsafe.
ID 226957 The bigpipe syntax for creating pools has changed. In version 10.0.1, the syntax was b pool [PoolName] members [IP:Port] session [disable|enable]. In version 10.2.0, the syntax is b pool [PoolName] members [IP:Port] session user [disabled|enabled]. Any monitors you have that use the old syntax should be modified before or after upgrading. Going forward, it is recommended that you use tmsh instead of bigpipe for scripting.

Known issues

ID Number Description
CR55926 If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.
CR79065, CR83552, ID 250921, ID 251174, ID 319551 When, due to time-to-live (TTL) exceeded, the BIG-IP system drops IPv6 traffic being sent through a network virtual server or SNAT, the BIG-IP system responds with a destination-unreachable ICMP6 message. The BIG-IP system's IP address should be listed as the source in the ICMP response, and the client IP address should be listed as the destination. However, the BIG-IP system incorrectly reports the dropped IPv6 packet's destination address as the source address of the ICMP6 response. The result, from the client's perspective, is that BIG-IP system does not show up as a hop; the server is seen in place of the BIG-IP system.
CR80078-1, CR128607 If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. The workaround is to issue a bigstart restart bcm56xxd command.
CR80191 In order to change the baud rate when you are using a serial terminal console server on the VIPRION platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system.
  1. On each blade in the system, run the following command:
  2. bigpipe baud rate <your_baud_rate_value>
  3. Make sure to complete this change on all blades in the system before proceeding to step 2.
  4. Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed.
  5. Finally, change the baud rate of your serial terminal server.
  6. The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information.
CR83207 If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status.
CR85137 If you run the b ntp servers delete command when no such Network Time Protocol (NTP) server exists in the configuration, the system adds the server. The workaround is to make sure the server exists before trying to delete it.
CR86175, CR119480 Although the b <object> edit command is referenced in product documentation, the command is disabled in this release. If you run the b <object> edit command, the system presents a message indicating that the feature is not implemented.
CR87863 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user.
CR90249, ID 227304 The Multiple Spanning Tree Protocol (MSTP) specifies that the system handles spanning tree packets in accordance with the MSTP protocol. When you create a new MSTP configuration on the system, the new MSTP configuration name is not retained following a system reboot or after running the bigstart restart command. For more information, see SOL8212: The BIG-IP LTM does not retain the MSTP configuration name following a reboot.
CR91719 If you have duplicate names for SNATs in the bigip.conf file, the pvad service restarts and writes out a core file. To work around this situation, make sure each SNAT in the configuration has a unique name.
CR92541 When RAM cache calculates the amount of memory available or allowed, it should take CMP into account. In this release, RAM cache does not take CMP into account.
CR93185, CR116200 Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.
CR94039 When the pvad service queries a very large number of objects (for example, 2000 nodes), the pvad service might use as much as 27% of CPU. This condition is intermittent, and might have other requisites. There is no workaround.
CR96888 Occasionally, a system restart might result in the system posting to the console messages of the following type: sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host= attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host= attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users.
CR97188 Running the command b persist show on a cluster might return incomplete results in certain avoidable situations. To ensure complete results, leave the bigpipe shell read partition at all, and log on as a user who is authorized to view all partitions.
CR97299-1 The Status LED briefly shows green on power up. The LED should be blank or amber. Early during initialization, the software sets the LED color to amber, and finally to green once cluster quorum is reached. You can safely ignore the transient green LED on power up.
CR98536 When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality.
CR100240 When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, which logs a Tcl error to the /var/log/ltm file. This is a benign error message that you can safely ignore.
CR102064 The b config check all command returns different results depending on whether you run the command on a chassis (such as a VIPRION system) or an appliance (such as a BIG-IP 6900). On a chassis, the system returns the message No reports have been received. On an appliance, the system returns a response similar to the following messages: DAEMON STATUS bcm56xxd Configuration OK at 14062d 21:07:29 Last error at 14062d 21:07:29 Message: Received remote heartbeat registration message: pid=8714, timeout=60
CR102918 When you click the Clear Performance Data button in any view, the operation clears data for all historical statistics, not just the data for the specific view you are in.
CR103199 When you specify the cluster management IP address, the netmask defaults to /32, or In order to use cluster member addresses, the netmask must be no more than /30, or Always specify the netmask when specifying the cluster management IP address if you plan ever to use cluster member addresses. That way, the address always gets set correctly, and you can configure the cluster member addresses on the same network.
CR103500 The 10.x installer creates four volumes by default, which differs from the two partitions that the 9.3.x and 9.4.x installer created.
CR103956 If you have a Single Configuration File (SCF) that contains an snmpd element, you cannot automatically roll forward that configuration. Instead, you must first modify the entry in the SCF so that it conforms to the current format. In this case, you must add braces ( { and } ) around the snmpd entry.
CR103958 If you have a Single Configuration File (SCF) that contains elements or formats that the current version does not support (for example, an SCF that contains the element failsafe action failover restart tm as a failsafe action), you cannot automatically roll forward that configuration. Instead, you must first modify the entry in the SCF so that it conforms to the current format. In the case of failover restart, the system supports the following failsafe options: failsafe action go offline, failsafe action reboot, failsafe action restart all, and failsafe action go offline abort tm.
CR104124 When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. There is no workaround for this issue.
CR104327, CR114895 If you install the 9.6.x version of the software on a volume that uses a nonstandard name (for example, HD.pc1 rather than HD1.1), you cannot access that volume using version 9.6.x of the software. To access volumes named in this manner, use version 10.x software.
CR104468, CR115056 The system does not prevent you from deleting all volumes, including the active volume, using the b software desired command. Doing so causes the system to boot into another location. To prevent potential system access problems, do not use the command line to delete the active volume.
CR104583, CR108667 Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands.
CR104647 On a VIPRION system with the active volume set above HD1.4, if you then add a blade that has 9.6.x installed and active, the system does not run the installation on the 9.6.x blade to bring it into the cluster. This occurs because 9.6.x is hardcoded to support volumes 1 through 4 and cannot dynamically create new volume sets. To work around this issue, make sure all blades you want to add are running 10.x, or use a volume set between 1 and 4.
CR105032 When you specify the host name for the b ntp servers add command, the system returns false positives when translating the host name to an IP address. The workaround is to add Network Time Protocol (NTP) servers using an IP address instead of a host name.
CR105101 If you use the high availability setup wizard and specify settings, when you click the Previous button, the system clears all the values you specified, so you must re-enter the values.
CR105216 When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again.
CR105234 When you have the dashboard window open, the browser session never times out. When you close the dashboard window, the timeout interval takes effect again.
CR105511 If you configure secondary self IP addresses for a vlan/domain, the system uses the wrong self IP address for monitoring. In a typical scenario, the system uses the IP address that you created first as the primary IP address for monitoring. However, IPv6 in the Linux kernel does not set a preferred source by default. Because Linux treats routing domains like it treats IPv6 addresses, the Linux kernel does not set a preferred source. There is no workaround for this issue.
CR105604 If you reset the Host on a platform that contains an SCCP after the system has completed initialization, the system attempts to PXE boot, making DHCP requests repeatedly and indefinitely. The workaround is to first use the SCCP Command Menu option 2 to put the SCCP into the proper state, and then reboot the system. You can also recover by powering the unit off and back on again.
CR105627 In a redundant system that has Local Traffic Manager provisioned on both units and Global Traffic Manager provisioned on only one unit, you must provision Global Traffic Manager on the second unit. Failure to do so risks Global Traffic Manager becoming unprovisioned or unconfigured after a ConfigSync operation.
CR105797, CR114073 When you use the Software Management screens in the Configuration utility or the b software commands on the command line to create a volume on a system hard drive that is formatted using the partitioning scheme, the system appears to try to create the volume, but the operation fails. The system should alert you immediately that you cannot create a volume on a partitioned system hard drive. In general, the software does not support use of the volume management screens on systems that use the partitioning drive-formatting scheme.
CR106378 The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround for this issue.
CR106750 When you reboot a system from the serial console, the system reports the following message modprobe: modprobe: Can't locate module tun6to4... during the shutdown sequence. This message is benign, and you can safely ignore it.
CR106828 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change.
CR106830 This release supports only network failover for chassis-to-chassis failover on the VIPRION platform. Do not configure hardwired failover using any failover cable included with the VIPRION platform you received.
CR107046 The system requires a user to relogon after changing a password to the same password as the one previously configured. There is no workaround for this issue.
CR107415 Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable.
CR107443 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server.
CR107852 On BIG-IP 8400 and 8800 platforms, IPv4 fragments of a large User Datagram Protocol (UDP) datagram will be incorrectly modified at offset 6 from the end of the IP header (the location that would be the UDP checksum if the fragment were a full UDP datagram) from 0xfff to 0x0000. Although there is no workaround for this issue, it is not a common case.
CR107874 The VIPRION platform may experience a kernel panic and reboot following an upgrade to BIG-IP version 10.0.0. This issue occurs if the system is running BIOS firmware earlier than build 461, and the VIPRION unit is upgraded to version 10.0.0 with the management interface connected to a subnet with live traffic. For more information and a workaround for this condition, see SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.0.0.
CR107883 This release does not support USB CD-ROM or DVD-ROM drives devices that exceed the high-power USB current specification of five unit loads (500mA) per port.
CR107927, CR110084 Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address.
CR108728, CR113440 In the browser-based Configuration utility, if you try to set the provisioning level to Dedicated on a module when another module already has the Dedicated provisioning level, the system allows the change and sets the provisioning level to None on all other modules. When you use the command line for the same operation, the system presents an error: When a Dedicated provision level is set, all other module's provision levels must be set to None. To accomplish the change, you can use the Configuration utility, or you can use the command line to set the provisioning level to None for all other modules, and then set the Dedicated provisioning level on the module you want to configure. To do so, use the tmsh utility to issue the following commands (substituting your module names for <module-A> and <module-B>): (tmos)# create transaction batch mode](tmos)# modify sys provision <module-A> level dedicated batch mode](tmos)# modify sys provision <module-B> level none batch mode](tmos)# submit transaction
CR108819 The BIG-IP 8800 platform supports a maximum of 30,000 monitors in a single configuration. If you create more than 30,000 monitors, the BIG-IP 8800 might halt in a switchboard-failsafe state when you load the configuration.
CR108965, CR114966 When a user is logged on, if you use the b config install <ucs file>, b import <ucs file>, or b config sync commands, or when performing a ConfigSync operation in the Configuration utility to load a configuration that contains the same user, but with a different password, the system does not log off that user. After that user logs off, or when that user's session times out, that user must use the password from the new configuration to log on.
CR109131 On a system whose drives are formatted as volumes, on the Resource Provisioning screen in the Current Resource Allocation area, there is a section that displays Disk provisioning; if the drives are formatted as partitions, there is no Disk provisioning section. However, if you issue the b provision command on the command line, the results show a column for disk provisioning information.
CR109230-1 If you attempt to mirror virtual servers that have RAM Cache enabled, depending on the cache state, the system leaks the connection on the standby unit when the connection is closed on the active unit.
CR109301 If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system post messages until both systems are running the same version of the software. tmm tmm[1917]: 01340001:3: HA Connection with peer established. There is no workaround for this condition. Both units in a redundant system must be running the same version of the software.
CR109381 After a b import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade.
CR109472 Beginning with version 10.0.0, you no longer need the hotfix uninstall packages. Instead, you can use the b software commands to change the revision level of any 10.x image location to a higher or lower revision. For more information, see the man page for the b software command, available on the command line by typing man software.
CR109834 When a system timeout occurs, the system grays out the screen behind the timeout alert box. Although you can access the browser window scroll bars to view the contents of the grayed-out screen, none of the options are active.
CR109917 When you delete an interface that is configured for interface mirroring, the system halts mirroring on all other configured interfaces. To work around this issue, when you delete an interface-mirroring configuration, recreate the configuration using all interfaces. As an alternative, after deleting an interface, save the configuration and issue the command bigstart restart.
CR110014 The secondary blades in a chassis log messages using the user name mcpd-primary. That means that when the root user issues certain commands on the primary blade, such as one to disable a virtual server, the system logs messages similar to the following: Oct 21 13:29:39 slot4/prd-061 alert mcpd[2415]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'root'. Oct 21 13:29:39 slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'. Oct 21 13:29:39 slot1/prd-061 alert mcpd[27136]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'. These messages accurately represent the action taken and the origin of the command, and do not indicate an error condition.
CR110269 In version 10.0.0, when attaching a child class to a parent class, the system takes into account the rate of the parent class when verifying that the parent's rate ceiling is not exceeded. Now, the sum of a parent class' rate and child classes' rates cannot exceed the parent's rate ceiling. In previous releases, the system allowed the parent's rate to be, at most, equal to the rate ceiling, regardless of the rates of the child classes. This could have led to oversubscribing the configured rate ceiling in certain cases where traffic was assigned directly to a parent class. If you are rolling forward a configuration from a previous build, a quick workaround is to set the rates of all parent classes to 0bps by running the following command: bigpipe rate class <parent class name> rate 0bps. As a general rule, avoid assigning non-zero rates to parent rate classes.
CR110761, CR113485 There is a new iRules feature that provides support for suspending a running iRule (for example, with the after command). If you are running an indefinite collect operation (that is, the iRule is running a ::collect command with no arguments), and in response to a CLIENT_DATA event the iRule processes the payload to a certain point and then suspends iRule operation, when iRule operation resumes and the iRule issues a ::release command, the operation might release more data than the iRule processed. Specifically, data that arrives when the iRule is suspended does not trigger an additional CLIENT_DATA event. Here is an example of how to ensure that an iRule releases only the data that it has already processed: before running any command that suspends a running iRule, have the iRule save the ::payload length in a variable. When iRule operation resumes, have the iRule issue a ::release $payload_length command. You can find extensive information about iRules on the Dev Central web site, available at
CR110791 If you deprovision a module, the system does not remove the configuration attributes associated with the module. Some configuration data, such as endpoint attribute definitions for the WAN Optimization Module, might interfere with Local Traffic Manager tunnel operations. In this case, when the definitions for endpoint advertised route, endpoint local, and endpoint remote remain in the configuration after deprovisioning WAN Optimization Module, the Local Traffic Manager tunnel resets connections that were established when you had the module provisioned. As a workaround, remove the definitions from the bigip.conf files on both BIG-IP systems.
CR110984 If you have multiple sessions on a system and you change the active location to a different partition or volume, the first session you use to attempt a connection works to return you to the pre-10.0.0 version. The other browser sessions present different, unexpected results. As a workaround, when you change the active volume or partition and reboot the system, close all other active browser sessions, and reestablish the connection when the reboot finishes.
CR111081 Beginning with the 10.0.0 version of the software, there is a longer interval between the time you restart the system to when you can access the browser-based Configuration utility. For example, a typical interval on 9.4.5 software on a BIG-IP 1500 platform was 25 seconds. In 10.0.0, the interval is 95 seconds. This occurs because of the provisioning functionality, so each module must check its provisioning state during startup.
CR111495 Version 10.0.0 of the software introduced new ha actions that the upgrade process cannot easily map to previous version's ha actions for daemon heartbeats. If you changed the ha actions for a daemon heartbeat, the upgrade process returns the action to the default. After the upgrade installation finishes, you can configure the daemon heartbeat ha actions you want. (In the Configuration utility System > High Availability > Fail-safe screen.)
CR111700 When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as Error while reading message at. These messages are benign, and you can safely ignore them.
CR112077 The system requires that you run the Setup utility in the browser-based Configuration utility, even if you have already configured the system using the command line. This occurs because there is a hard-coded requirement for the Setup utility to run at least once. You can prevent the Setup utility from running by running the following command: b db false.
CR112120 When you create a pool in one partition that includes a node from the Common partition, if the node has no associated screen name, when that node is referenced from a third partition, the system posts the error 01070726:3: A pool may only reference nodes in the same partition or the common partition (xyz_pool: and removes the node from the Common partition. The workaround is to add a screen name to the node. To do so, at the command line, issue a command similar to the following example: b node { screen dontremove }
CR112128 The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. As a workaround, you can click the Launch button to view the full text.
CR112411-2 The version 10.1.0 release contains the new OpenSSH client and server, which addresses the vulnerability Plaintext Recovery Attack Against SSH, reported as CPNI-957037. When an older client connects to the new server, however, a vulnerability exists. If you are still using old SSH clients, you should manually set those client's cipher list to only include CTR ciphers. To use only CTR ciphers for the OpenSSH client, the command line must include the following option: -c aes128-ctr,aes192-ctr,aes256-ctr.
CR112953 When you start or stop the tcpdump utility on a VIPRION system, the system logs messages similar to the following entries in the /var/log/ltm file: slot1/tmm warning pu[24652]: 01230114:4: port movement detected for 00:01:23:45:67:10, vlan tmm_bp - 0.0 to 0.1 These messages are benign, and you can safely ignore them.
CR113055 If you issue the commands b cluster all ha state or b cluster default ha state, the system always returns the result offline. This is because there is no cluster ha state to report. To get the state of a system, you can use the browser-based Configuration utility. The system displays the state at the top of every screen.
CR113134-6 Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file: Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms) The workaround is to create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production to prevent the potential failure from affecting live traffic.
CR113322 On a system with a very large persistence table (millions of entries) running the command b persist show might cause the system to become unstable or fail over. To show an individual record, you can use the command b persist client <client_addr> show.
CR113601 The Templates and Wizards menu does not change even when templates are not available under the license.
CR113812 If you use wildcard characters to specify IP addresses in the b httpd allow command, the result is that the system forbids all access to the browser-based Configuration utility. The workaround is to use other forms of specifying IP addresses. For example, b httpd allow 10.10.*.* does not work; instead use a command similar to b httpd allow
CR113919 If you are in a partition other than Common when you reactivate a license, the system automatically changes the partition to the Common partition. There is no workaround for this issue.
CR114167 Invoking a TCP::collect method from the SERVER_CONNECTED iRule event might cause associated connections to stall and timeout when running the tmm.debug daemon. This should not affect typical deployments since the tmm.default daemon behaves as expected in this configuration, and an administrator must explicitly configure the Traffic Management Microkernel (TMM) to use debug mode. Note that you should set TMM to debug mode only when requested to do so by an F5 Technical Support representative. The F5 Networks Technical Support representative will ensure that your system stays stabilized in this mode and will assist you in interpreting the debug output.
CR114381 Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain.
CR114766 When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.
CR115139, CR130414 Do not use the b software add | delete commands on a partitioned system. Doing so results in the access errors on the partitions. For example, if you try to delete an existing partition using the b software delete command, the system posts a failed to delete volumeset error. In this case, run the command b software product none version none build none on the partition. This removes the installation from the partition, and you can install the software again. If you try to add a partition using the b software add command and see a failed to create volumeset error, in this case, run the command b software delete on the partition you tried to create. This removes the failed attempt from the Software Status table, so you can try your installation operation again.
CR115326, CR115328 You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event. This can result in a handshake failure, because the CLIENTSSL_CLIENTCERT event can fire before the connection is ready for the transmission of user data.
CR115670 If you add a user, either explicitly or by restoring a user configuration set (UCS) file that contains the user, and that user has different access or role settings, the system reports an error similar to the following: Nov 6 09:02:08 slot4/p4-019 err mcpd[3533]: 0107082a:3: Disconnecting user yyy2 on change of user role data (partition:Common->PartitionOne). This is a benign message, and you can safely ignore it.
CR115736 The system does not honor the Maximum Transmission Unit (MTU) value for VLANs. To get the value to persist, delete the VLAN first, then recreate it with the settings you want. After the configuration is saved, the settings persist. Otherwise, the system uses the default MTU value of 1500.
CR115774 If you move blades between a chassis running software version 9.6.x and a chassis running 10.x, the 10.x system might report incorrect volume information about the blade that came from the 9.6.x chassis. F5 Networks does not recommend switching blades between chassis running differing versions of the software.
CR115916 There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record.
CR116108 USB1.1 CD-ROM Drives are not supported on the BIG-IP 8900 platform.
CR116929 Because the CompactFlash media drive is not a valid installation target, the system should prevent you from selecting it. However, this version of the software allows you to target a CompactFlash drive. If you accidentally installed to the CompactFlash drive, the system posts a failed to install state for the CompactFlash drive. The workaround to return to the original state is to issue the command b software CF1.x product none version none build none and then issue the command bigstart restart lind on the command line.
CR117427 In this version of the software, you cannot use Global Traffic Manager to monitor or send traffic to any virtual servers that are in a route domain. Therefore, Global Traffic Manager is not supported to run on a Local Traffic Manager system that is using route domains.
CR117428 If you are using the ZebOS advanced routing modules, it is important to consider the following:
  • Dynamic routing is supported on interfaces in the default route domain. The advanced routing modules cannot access interfaces, self IP and virtual addresses, and static routes in non-default route domains. A static route is considered as belonging to a non-default route domain if either the destination or the nexthop gateway address belongs to a route domain other than the default route domain.
  • All routes learned by way of dynamic routing protocols are inserted into the routing table for the default route domain only.
  • With respect to advertising routes, virtual addresses, or self IP addresses to other routers, the advanced routing modules advertise only those routes or addresses that are in the default route domain. As previously stated, the advanced routing modules are not aware of routes or addresses in other route domains.
CR117429 The route domains feature does not support IPv6-formatted IP addresses in this version of the software.
CR117430 Some command line diagnostic tools, such as curl and traceroute do not work with route domains.
CR117431 Custom monitors that are not IPv6 aware (for example, EAV (Extended Application Verification) monitors) do not work with route domains.
CR117480 There is the possibility of a failed version 9.4.7 installation when installing on a system that also contains version 10.x software. When the failure occurs, the last three lines in the /var/tmp/install/session.log file are: install.error: An installation error has occurred; code 130 install.debug: Session ended install.error: Critical failure; no fallback possible. To work around the issue, you can use the PXE or thumb-drive methods to install the software.
CR115798 The small form-factor pluggable (SFP) ports on BIG-IP 8900 platforms are 10Gbps-only ports. On a BIG-IP 8900 platform, a SFP plus can operate at 1Gbps speed in an SFP slot, but SFP modules do not operate at 1Gbps speeds in an SFP plus slot. This is a hardware constraint.
CR117359 Do not use the b sshd include parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk.
CR117809 If you run the grub_default -d command to view the boot configuration information of the grub.conf file, the initial arrow key press moves the menu selector highlight two spaces instead of one. After, the initial key press, the arrow keys operate normally when maneuvering (meaning that if you press the arrow keys once, the highlight moves one space in the arrow direction).
CR118049 Enterprise Manager software versions 1.2, 1.4, 1.6, and 1.7 do not support BIG-IP system software version 10.0.0. There is no workaround for this issue.
CR119247-1 When you swap a blade to the same slot in a different VIPRION chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of.
CR120321 After installing, you might see a message similar to the following in the ltm log file. Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7 This message is benign, and you can safely ignore it.
CR120550 This version of the software supports systems with multiple drives using the RAID disk management operations. We have not removed the sparedisk utility, which was included in version 10.0.1 to support operations on multi-drive systems. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems. For related issues, see the known issue for CR120550, CR127003, and CR138582 .
CR120190-2, CR127965-2 Do not use the --nomoveconfig option with the image2disk command (or the db variable LiveInstall.MoveConfig set to disabled) for systems with existing installations of Application Security Manager. Doing so removes all content from the associated database. Instead, you should ensure that the configuration on the installation source matches the one on the installation destination. To do so, save the UCS configuration file on the location you want to preserve, and apply that configuration to the destination before beginning the installation operation. Here are the steps to perform.
  1. Boot into the location containing the configuration and database you want to preserve.
  2. To save the existing configuration and database, run the command bigpipe config save <your_ucs_file>.
  3. Copy the .ucs file to a secure, remote location.
  4. Boot into the location you want to update.
  5. To move the configuration and database to the target installation location, run the command bigpipe config install <your_ucs_file>.
  6. Install or upgrade the software using procedures described in the section Installing the software.
CR120828 When you roll forward a 9.x user configuration set (UCS) file that is configured for Application Security Manager and Global Traffic Manager, provisioning for Global Traffic Manager is not enabled. To enable Global Traffic Manager using the browser-based Configuration utility, in the navigation pane, expand System, and click Resource Provisioning. In the Module Resource Provisioning section, select the provisioning level you want from the Global Traffic (GTM) and Link Controller (LC) drop-down lists.
CR120943 If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information about locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 Knowledge Base.
CR120550, CR127003, and CR138582 On 6900 and 8900 platforms, the RAID functionality supersedes the sparedisk utility, which was provided in version 10.0.1 to support operations on multi-drive systems. The 8950 and 11050 platforms do not support the sparedisk utility, although the utility is present on those platforms as well. In this version of the software, although you should not use the sparedisk utility for any operation, F5 Networks has not removed the utility. Running various commands (for example, making a disk active using the command sparedisk -m) can result in an unstable disk situation. Instead, you should use the RAID features for all multi-disk operations. You should use the sparedisk utility only on 6900 and 8900 platforms running version 10.0.1.
CR121134 The 8900 platform comes with a post-10.0.0 version of the software installed both hard drives. If you decide to downgrade to version 10.0.0, the software installs correctly. However, the version 10.0.0 software management scheme was not designed to work with a second hard drive. If you downgrade to version 10.0.0 on the second hard drive, do not operate on the second hard drive using the b software commands or the Software Management screens in the browser-based Configuration utility.
CR122160 If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.
CR119132, CR125534, ID 222400 Depending on what processes run after restarting the system, you might see the following error message: warning process `<processname>' is using deprecated sysctl (syscall) net.ipv6.neigh.tmm0.base_reachable_time; Use net.ipv6.neigh.tmm0.base_reachable_time_ms instead This is a benign message, and you can safely ignore it.
CR125790 After deprovisioning modules, the system might run sluggishly or respond slowly to commands. The system returns to a normal operational state after approximately 1 minute if you leave the system to recover, or approximately three minutes if you run commands during this time. The slow response time occurs while the system recovers virtual memory after a deprovisioning operation.
CR125800 The iRule statistics counters inaccurately report an inflated number of iterations of an iRule when an iRule event suspends. There is no workaround for this issue.
CR126842-1 On platforms equipped with Packet Velocity application-specific integrated circuit (ASIC) version 10 (PVA10), specifically the BIG-IP 8400 and BIG-IP 8800 platforms, client-requested TCP maximum segment size (MSS) may not be honored if the PVA10 is in hardware syn-cookie mode. This can result in a larger-than-requested MSS being set with the back-end server, causing the server packets to be dropped before reaching the client. This problem occurs because of a problem in the PVA10 hardware. To avoid this problem, disable hardware syn cookies by setting the connection threshold to 0 (zero) by running the following command on the system command line: b db Pva.SynCookies.ConnectionThreshold = 0.
CR126976 If you run the tcpdump utility from a PB100 blade on a VIPRION chassis containing a mix of PB100 and PB200 blades, the process does not show packets from the PB200 blades. To work around this issue, run the tcpdump operation from the PB200 blade.
CR127003 Although you should not use the sparedisk utility in this version of the software (see known issue CR120550), the utility remains in the software. If you run the command sparedisk -m, the system marks an active disk as a spare disk without notice or warning. Changing the active disk to a spare can result in an unstable disk situation. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems.
CR127123 Every time you run a b load command on 1600, 6900, and 8900 platforms, the system posts a message similar to the following: local/tmm3 notice tmm3[19557]: 01010029:5: Clock advanced by 112 ticks. This message is a diagnostic message only, so you can safely ignore this message.
CR127332 As of version 10.1.0, the system no longer supports user accounts with custom home directories. If you upgrade a configuration containing user accounts with custom home directories, after reboot, the system becomes inoperative because it cannot load the configuration. You can prevent the issue before upgrading by running the following command to change the user's home directory, or you can run the following command after upgrading to recover from the error condition: tmsh modify auth user <name> home-dir /home/<name>
CR127435 When you run the image2disk utility from the Management Operating System (MOS) of a system, the process has no active configuration to use for installation, so the operation halts with an error: error: No configuration found in HD1.1 (location looks empty). Use '--nosaveconfig' if appropriate. To work around this issue, run the command again, and specify the --nosaveconfig option.
CR127754 When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. In this release, you must use the following process to accomplish this.
  1. Create a pool that uses the Weighted Least Connections (Node) load balancing method.
  2. Explicitly create the node entries for the pool members on the Local Traffic > Nodes > Node List (create) screen.
  3. For each node, specify a value other than 0 (zero) in the Connection Limit box.
  4. Return to the pool configuration screen by clicking its link in the Local Traffic > Pools > Pool List .
  5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step.
If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error.
CR127803 When you view the Software Management List screen or the result of the b software desired show command, you might see the CF designation that represents the CompactFlash drive listed as a possible installation destination. 10.x installation is not supported on the CompactFlash drive, so do not select it as an installation target. This happens only on systems with drives using the partitioning formatting scheme.
CR127971 When a drive is replicating or being added or removed in the Management Operating System (MOS), the md operation outputs all its status to the terminal, which can make it difficult to perform recovery operations, such as removing or adding a drive. The workaround is to wait for the replication operation to complete before performing recovery operations.
CR128272 When you specify any method other than Round Robin for load balancing traffic from virtual servers configured with RADIUS, Diameter, or SIP profiles, you can see unexpected results, such as the system sending most of the traffic to only one pool member. To work around this issue, use the Round Robin load balancing method with virtual servers configured with RADIUS, Diameter, or SIP profiles.
CR128600 Provisioning statistics shows the size on only one physical disk. To find the size of your datastor on a multi-disk system, review the output of running the command b datastor list all. As a general rule, if you have two disks installed, the cache is always double the size indicated in the provisioning statistics.
CR128875 If you perform an operation that requires loading the configuration on a volume that has insufficient disk space to contain it, the operation fails at the module-provisioning step. Depending on the modules you provision and the space available, the failure might occur when rolling forward a configuration at installation, running bigpipe config install <config.ucs>, or provisioning modules in a command line operation. When the provisioning failure occurs, the system logs a message in the /var/log/ltm file: 01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. <nnn> MB are required to provision these modules, but only <nnn> MB are available.' To recover, free up sufficient disk space by removing unneeded volumes using the command: bigpipe software desired HDn.n delete, and then try the operation again.
CR129216 We have changed from using a Linux 2.4 kernel to a Linux 2.6 kernel. This has resulted in a difference in how Linux accounting reports CPU usage. Linux accounting shows CPU spikes even when the Traffic Management Microkernel (TMM) is lightly loaded. These spikes represent artifacts, and you can safely ignore them.
CR129458 The output of the b platform command incorrectly refers to the 3600 and 3900 platforms as a blade. Specifically, the output reads BLADE TEMPERATURE (slot/sensor) instead of CHASSIS TEMPERATURE. The error is cosmetic only.
CR129674 When the Configuration Utility restarts, the system writes the following messages to catalina.out: log4j:ERROR A "org.apache.log4j.ConsoleAppender" object is not assignable to a "org.apache.log4j.Appender" variable. log4j:ERROR The class "org.apache.log4j.Appender" was loaded by log4j:ERROR [org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type log4j:ERROR "org.apache.log4j.ConsoleAppender" was loaded by [WebappClassLoader These messages are benign, and you can safely ignore them.
CR129698 When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example: err httpd[6246]: [error] [client] Invalid method in request OPTIONS * HTTP/1.0 err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket) warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!? warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377) err httpd[6379]: [error] [client] Invalid method in request OPTIONS * HTTP/1.0 warning httpd[3064]: [warn] long lost child came home! (pid 6239) These messages occur primarily as a result of the process restart, and you can safely ignore them.
CR129710 Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. Enabling MD5 signatures allows the MD5 signature to be validated when it is present.
CR129711 At system startup, you might see messages similar to the following: mdadm: Unrecognised md component device - /dev/mapper/ mdadm: Unrecognised md component device - /dev/mapper/ This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. No adverse result occurs, and you can safely ignore these messages.
CR129786 When you enable Display Host Names when Possible in System :: Preferences, and then display objects whose addresses exist in a route domain other than 0, the address might display with the % notation on some screens in the browser-based Configuration utility. There is no workaround for this issue.
CR129836 There is no edit capability for the NTLM profile in the tmsh utility. There is no workaround for this issue.
CR130427 You cannot simply change the speed of an existing interface in a trunk, you must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it.
CR130468 In the ltm.log file, you might see mcpd warning messages similar to the following: warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually. When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them.
CR130582 When the following series of events happen, the client system can perceive the BIG-IP system as unresponsive, and eventually the connection times out as a results of reaching the TCP timeout interval. This is the series of events.
  • client1 sends a Capabilities-Exchange-Request (CER) command.
  • server1 responds with a Capabilities-Exchange-Answer (CEA) command.
  • client1 sends an Accounting-Request (ACR) command.
  • The BIG-IP system sends the connection to server2 (that is, the BIG-IP system sends a CER to server2 first, before it sends an ACR).
  • server2, however, responds with CEA result-code 5010 (that is, there are no common applications supported between the peers), so the BIG-IP system deletes the connection with server2.
  • client1 continues to wait for a response to its ACR.
  • The BIG-IP system has no response forclient1, however.
  • Eventually, client1 connection may be closed because the connection reaches the TCP timeout.
CR130639 RAMCACHE, IPV6, and SSL Compression were added by default to the base Local Traffic Manager license in the version 10.0.0 software release. The feature flags are enabled and the system reports them when you run the b version command. However, on the 1500, 3400, and 6400 platforms, the system displays these features in the Optional Modules section of the License screen in the browser-based Configuration utility.
CR130662 In a multi-drive system, if a drive fails or it suddenly removed from the unit, the system retains knowledge of the drive so you might see messages like: info: /dev/vg-db-sdb/mdm.dat.share: read failed after 0 of 4096 at 0: Input/output error err kernel: scsi 1:0:0:0: rejecting I/O to dead device. These occur on the screen if you are connected using a serial console, or in the kernel log file if you are through SSH. To completely eliminate these messages, you can reboot to clear the system's knowledge of the removed drive.
CR130702 When you have versions 10.0.x and 10.1.x simultaneously installed on a multi-drive system, booting from a 10.1.x to a 10.0.x location sometimes fails. This is due to a constraint in logical volume management (LVM) for the version 10.0.x software. To prevent this issue, reduce the number of installation locations before rebooting to versions earlier than 10.1.0. You should have only two HDn.n installation locations or one MDn.n installation location in addition to the pre-10.1.0 installation location. To remove installation locations, run the command bigpipe software desired HD1.n delete.
CR130720 There is a duplicate MODULE-COMPLIANCE section in the F5-BIGIP-COMMON-MIB.txt file. You can correct this error by editing the file to remove the duplicate entry. This might be difficult, since the /usr file system is read only, making it difficult to edit /usr/share files. However, you can still edit the file by changing the fstab file and rebooting the system.
CR130798 On a multi-drive system, if the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. This is a cosmetic issue only, and has no effect on functionality.
CR130844 When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, all properties become custom; that is, profile properties no longer inherit parent settings. The workaround is to use the tmsh utility create and modify commands operations. When you do so, the system preserves the profile's properties inheritance.
CR130846 If you have WAN Optimization Module provisioned on multi-drive systems, and you use the command array --remove or tmsh modify sys raid array MD1 remove to remove a drive, the system removes all but the datastor volume on the removed drive. If you then try to add the drive back, the operation fails. To work around this issue, deprovision the WAN Optimization Module, and then run the command array --add or tmsh modify sys raid array MD1 add to add the drive back. Then you can provision WAN Optimization Module back to its original setting.
CR130902 If you are in the tmsh utility, you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run util bigpipe arp <args...> at the tmsh command line.
CR131108, CR132835 The serial console baud rate of systems with Always-On Management (AOM) (1600, 3600, 3900, 6900, and 8900 platforms) can be corrupted if you install using a serial console baud rate other than 19200. When the corruption occurs, you see garbage characters on the serial console. To prevent this issue, change the baud rate to 19200 before installing. When reboot after installation is complete, you can set a different baud rate.
CR131168 In this release, when you use the LCD to change from a higher baud rate down to 19200, the host serial console can become garbled, while Always-On Management (AOM) displays correctly. To recover, reboot the system. Note that you can successfully change baud rates for the host from low to high using the LCD, and output is not garbled.
CR131188 When you complete a new installation, the Firefox browser may not recognize the SSL certificate. When this occurs, the browser-cased Configuration utility posts the message Please wait while this BIG-IP device reboots, shutting down device. This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. The issue happens only when doing a fresh install. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system.
CR131256 The text-display mode for the switchboot utility supports a maximum of six volume locations. To boot to a location higher than volume six, you can use the switchboot -b option on the command line.
CR131317 If you encounter an installation operation that fails with a final error failed to install because of a process lock, retry the operation.
CR131332 When you import a single configuration file (SCF file) that contain VLANs of the same name but in different administrative partitions, the operation fails with a BIGpipe unknown operation error. To work around this issue, before installing an SCF file, run the b import default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
CR131343 The version of the image2disk utility that shipped with version 9.4.5 does not support the -format option. You can install a new version of the image2disk utility from a version 10.x ISO. First, to uninstall the version of the utility that shipped with 9.4.5, run the command rpm -e tm_install-2- The command removes the utility, but posts no message at completion. Then, to install a new version of the utility, run the command im /var/tmp/<iso_file>. For more information, see SOL10702: The image2disk utility that shipped with BIG-IP version 9.4.5 does not support the --format option.
CR131470 Enabling TCP MD5 authentication of TCP connections for BGP on VIPRION systems might result in extended time required for BGP sessions to be established. It may also cause BGP failure of the graceful restart after changing the primary location due to the timeout condition causing temporary loss of BGP peering and deletion of routes learned and advertised through BGP, and resulting in temporary traffic disruption. We do not recommend using TCP MD5 authentication for BGP on the VIPRION system.
CR131475 If you create VLANs in an administrative partition other than Common, but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0. If you later change the default route domain of that partition, the VLAN stays in its existing route domain, unless the VLAN has a self IP address or virtual IP address assigned to it. In that case, the VLAN moves to the new default route domain.
CR131544 If you restart the mcpd process and try to create a FIPS key, the operation occasionally fails with the message Key generation failed: error 11 - Would overwrite file To work around this, restart mcpd and try the operation again.
CR131555 On a system using Packet Velocity application-specific integrated circuit (ASIC) version 2 (PVA2) and version 10 (PVA10), specifically the 3400, 6400, 6800, 8400, and 8800 platforms, if you configure an inband monitor on a virtual server configured for Fast L4 traffic, the Traffic Management Microkernel (TMM) never receives the traffic necessary to mark pool members up or down. You can work around this issue by setting Fast L4 Profile option PVA Acceleration to Assisted on these platforms.
CR131632 If you have 10.1.x installed on a 8400 or 8800 platform and plan to downgrade to 9.4.x, you must net-boot, or boot from removable media. Using the direct installation method results in a failed operation, and the system hangs at logon time.
CR131760 Using an iRule command that suspends operation (for example, after, table, and persist), in a NAME_RESOLVED event causes the iRule to never resume. The workaround is to use the RESOLV::lookup command that suspends operation until resolution, and then returns the lookup result inline.
CR131880 You might see an intermittent blank top banner in the browser-based configuration utility after an upgrade or installation operation. This might be especially likely when you use Microsoft Internet Explorer version 7 on a VIPRION system, and you leave the browser window open between the end of installation and the completion of the reboot operation. In this case, when you log on, the top banner is blank. You can use the browser refresh operation (F5 or Ctrl + F5) to redisplay the banner correctly.
CR131999 The software does not support running small form-factor pluggable (SFP)+ on SFP ports on VIPRION systems that contain PB100 blades, even if the ports are running at 1 GB. Although the system does not prevent you from doing so, and you might find such a configuration functional, we do not support nor recommend running in this configuration.
CR132270 When you run the command b software desired to install the software, when you look at the output of bigpipe software status on the command line or looking at the progress bar in the Configuration utility, you might notice that progress suspends for approximately three minutes when the operation reaches 10% complete, and again for approximately 1 minute at 100%. These are part of the normal operation of the installation process, and you can safely ignore the suspended activity.
CR132382 If you use the nano command-line editor to edit a multi-line alias command, the operation fails unless you have enabled long line wrap in the nano editor. If the alias is only one line long, the operation works successfully. To enable long line wrap in nano press Esc + l (the lowercase letter "L," not the number "one.") For more help, see the help for the nano editor. You can also use the vi editor to modify multi-line alias commands.
CR132465 Do not issue the command modify cli admin-partitions while the system is completing a batch mode transaction. If you do, you might encounter a problem that you can remedy by pressing Ctrl + C. Otherwise, the operation eventually times out. You can review content returned when running the command help cli transaction for information about how to remove the admin-partitions command from the transaction.
CR132482 A b load operation fails when pool member are configured with port numbers 63, 66, 172, 211, 564, and 629. The workaround is to use numbers other than these for pool member port configuration. You can also disable the bigpipe utility from converting service names by running the command bigpipe db bigpipe.displayservicenames false.
R132580 If you set the import save value to 1 and import a single configuration file (SCF), the import operation halts and does not resume. To work around this issue, set the import save value to 2 or more.
CR132598 When you change assignments of iRules to a virtual server, if the iRule has any commands that might suspend operation (for example, after, table, and persist), those pending commands might evoke a system restart when the newly assigned iRule goes into effect.
CR132691 On the 1500, 3400, 3410, 4100, 6400, 6800, 8400, and 8800 platforms, you cannot establish an outgoing connection from the SCCP using SCCP version, the version of the SCCP that ships with the 10.1.0 software. To work around this issue, use SCCP version, the version that ships with version 9.4.8 software.
CR132782 If you modify your password and shell access at the same time, the system does not register the password change. To work around this issue, modify the password and the shell access separately.
CR132909 When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. To work around this issue, change the default to a different domain before the delete operation.
CR132974 Certain packet-size related events can result in messages similar to the following: crit tmm4[5689]: 01010025:2: Device error: hsb internal error PIM_RX_PORT_0_ERRS address 0x0000103c status 0x004e0100 These messages are benign, and you can safely ignore them.
CR132979 The system does not include the .tmshrc file in a ConfigSync operation. That means that the each unit in a redundant system configuration has a different set of remote users. You can manually sync the two files by using a utility to copy the file from one system to another.
CR132985 This version of the software does not support monitoring of Microsoft SQL Server 2000 servers.
CR133035 You can create an external monitor that references an executable in the /usr/share/monitors directory. On a VIPRION system, when the system attempts to validate the monitor on a secondary blade (for example, when the primary blade loads a secondary blade), the system posts an error message similar to the following: emerg mcpd[2822]: 0107094e:0: File cache: fatal error (can't create backup file for (/usr/bin/monitors/builtins/SYSLOG_monitor), Read-only file system) (FileCache.cpp:1523) For the monitor to function properly and to prevent this error on VIPRION systems, copy any executable used by an external monitor to the /config/monitors directory.
CR133179 If you have previously run the image2disk utility to install the software, when you run the image2disk utility a subsequent time without specifying a --format style, the system posts the message: Terminal error: SVM (Software Volume Management) is available, and this is not a format request. Please use SVM. This occurs because the 10.0.1 and later software management scheme provides a more substantive set of installation methods: the Software Management screens in the browser-based Configuration utility, the command line use of tmsh install and b software commands, and support for automated and enterprise-level installation and upgrade management operations through Enterprise Manager and the F5 Management Pack using the iControl API. You should use the image2disk utility only for initial installation operations and for subsequent installation operations that also include formatting.
CR133844, ID 224073 Floating route domain self IP addresses do not respond to ping utility commands from the Linux host. If you need to access floating IP addresses using the ping utility, use an external source.
CR133981, CR135997 Currently shipping Federal Information Processing Standards (FIPS) hardware does not support 4096-bit keys. If you try to create a 4096-bit FIPS key, the system posts an error similar to the following: gencert generating 4096 bit FIPS key: error 18 - ERR_KEY_HANDLE_INVALID. This error indicates that the FIPS card cannot handle 4096 bit, in this context. If you try to use the converted key, the system restarts tmm and statsd services, posting emerg logger: Re-starting <service> messages and creating core files.
CR134115 The online help for SSL certificates lists an incorrect command for retrieving not-valid-before certificates. The correct command is openssl x509 -noout -text -in /config/httpd/conf/ssl.crt/server.crt.
CR134321 There is a pause negotiation mismatch in a trunk containing a mix of fiber and copper. To work around this issue, do not mix fiber and copper in the same trunk.
CR134694 The system does not prevent you from deleting a self IP address that an EtherIP tunnel uses, or from creating an EtherIP tunnel using a nonexistent IP addresses. Doing so, however, results in an inoperable tunnel. To ensure that an EtherIP tunnel operates as expected, do not delete any of the self IP addresses that are associated with VLAN "wan" and specified in the EtherIP tunnel object.
CR135422 The system does not support state mirroring with overlapping IP addresses. If you configure connection mirroring using route domain-compatible state mirror IP addresses, the system does not mirror the connections.
CR135745 When you are connected using the serial console to a multi-drive platform, you might see messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in /var/log/kern.log file. These messages appear during the time a drive is rebuilding, and you can safely ignore them. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH.
CR135992 When you specify a custom ConfigSync user (that is, an account other than admin), if you have specified a maximum number of password failures, the ConfigSync account is subject to the password lockout after the specified number of failures. To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out.
CR136646 The bcm56xxd service's small form-factor pluggable (SFP) plug check mechanism looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) since the check does not look at pluggable media type changes. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. In addition, the Inter-Integrated Circuit (I2C) SFP plug check currently does not update the media option list after detecting module status changes and prior to publishing the information. Media options are otherwise updated/published on link-UP events.
CR136763 After deleting an object, if you change partitions or refresh the screen, the system presents an error message similar to the following: General database error retrieving information. This occurs because the system is trying to display the properties screen for the now-deleted object. To work around this issue, refrain from changing partitions or refreshing the browser until the system correctly registers the delete operation, by navigating to a different location or re-selecting the same location from the navigation menu.
CR136848 When using two Open Shortest Path First (OSPF) router processes with ZebOS, changes on one routing process deletes routes that still exist on the other. There is no workaround for this issue.
CR137220 VLAN groups are partitionable objects, so that a VLAN group created in one partition cannot be modified in another partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so results in issues for VLAN groups, so you should not attempt such a configuration.
CR137290 When you use the Wireshark program to view a packet from an EtherIP tunnel, the Wireshark program displays the EtherIP version as 0 rather than 3, as it should. This occurs because Wireshark evaluates the version based on the bottom four bits rather than the top. The Linux EtherIP implementation follows the same format used by coding developer David Kushi, which is correct according to RFC 3378 - EtherIP: Tunneling Ethernet Frames in IP Datagrams.
CR137376, CR138046, ID 342197 Installing or upgrading a system that has a full disk can fail. A disk might be full for several reasons, for example:
  • WAN Optimization Module is provisioned as Nominal, which does not allow the system to allocate enough space for the new Maintenance Operating System (MOS) or installation location
  • There are too many installation locations configured
  • Application Security Manager or WebAccelerator System is provisioned for multiple installation locations
  • You are installing/upgrading to version 10.1.0 or later on a version 10.0.x or 9.x partition, which is too small to hold the version 10.1.0 or later image
  • You are upgrading a 6900 or 6800 platform
There are several workarounds, depending on the cause of the disk-full condition. One option is to back up your existing configuration and perform a clean installation, another is to remove unneeded boot locations, another is to deprovision WAN Optimization Module and then save and reboot before upgrading, and there are others. For more information, see SOL10636: Upgrading to BIG-IP version 10.1.0 fails with a 'Disk full' error message.
CR137447-1 Although syslog remote server now supports IPv6 addresses, it does not support IPv6-resolvable hostnames. To use syslog on a remote server, you must use the IPv6 address, and not the hostname that resolves to the IPv6 address.
CR137680 Pagination does not work properly in the browser-based Configuration utility when using the Status filter. The workaround is to look through all pages when using that filter in order to determine the number of objects with the selected status.
CR137868 Occasionally during system startup, you might see an error message similar to the following: err : Could not make connection with MCP, err 16908360 The error is benign, and you can safely ignore it.
CR137877, CR139101 Occasionally during system startup, you might see multiple instances of error message similar to one of the following: err mcpd[3980]: 01070994:3: tmstat_request: tmstat_subscribe failed: No such file or directory. err mcpd[3682]: 01070994:3: tmstat_request: tmstat_subscribe failed: Unknown error 4126537205. After the system fully initializes, the message disappears and the system runs as expected, so you can safely ignore this message.
CR138146 You might encounter an issue in which the NTP servers do not sync after a system reboot. You can recognize this by running the command ntpq -p to determine whether some of the NTP servers continue to have a refid of .INIT. You might find the issue more pronounced on the VIPRION platform because every blade is an NTP peer of every other blade. (Note that a refid of .INIT is normal for any system with no defined NTP server. F5 strongly recommends defining an NTP server.) This appears to occur only on networks accessible through VLANs, and does not occur with NTP servers serviced by the management port. The issue can be particularly problematic for IPv6 addresses because the system caches the unreachable destination information. To work around the issue, when tmm is up and servicing traffic, run the command bigstart restart ntpd to restart the ntpd process.
CR138343 If you halt an in-progress installation operation (for example, by pressing Ctrl + C in response to the manufacturing installation menu that appears when booting from a DVD, thumb drive, or Pre-boot Execution Environment (PXE) server) the system leaves a boot partition mounted, which causes all subsequent installation-related operations to fail. When this occurs, the system posts errors and messages similar to the following: info: Initializing partition table on disk: hda1 error: sfdisk failed; bc_ratio=504, total_KiB=8257032, total_cyl=16383 Can't save log permanently; no boot volume available. Log saved to /tmp/install.log To work around this issue, you can unmount the boot partition. To do so, run the following command, substituting the disk name listed in your error messages for /hda1: umount /dev/hda1. You can now proceed with other command-line installation tasks such as diskinit and image2disk operations.
CR138345 The physmem utility is obsolete. To determine accurate platform memory, use the b platform command, or if the b platform command is not available, use the operating system command free. The physmem utility does not correctly calculate memory for recent releases. For example, running the physmem command on a 11050 (E102) platform with 32 GB of memory, physmem reports only 3 GB.
CR138348 On the 11050 platform, if the system halts unexpectedly, or when you shut down the system using Always-On Management (AOM) menu option 3 (or other AOM shutdown options), the LCD does not reset. It simply freezes and shows whatever was on the LCD when the system went down. On other platforms, the LCD changes to show that the system is powered off or shutting down.
CR138432 HTTP Class profiles are prioritized alphabetically rather than in the order given. There is no workaround for this issue.
CR138442 On a system that is actively learning dynamic routes, if you run a b import default command, tmm asserts, and writes to the log file error messages similar to the following: 0x0050da4c in tmm_panic, 0x0050da81 in tmm_assert, 0x006fcdf3 in route_delete, and others. To work around this issue, do not run the b import default command while a system is actively learning dynamic routes.
CR138558 A Diameter origin-host attribute with 50 or more characters causes BIG-IP systems to fail on Device-Watchdog-Request (DWR). The workaround is to use origin-host attributes of fewer than 50 characters.
CR138780 On first boot after initial installation on VIPRION systems, occasionally the system needs to reboot. In these cases, during the shutdown preceding reboot, you may see warnings from bigstart about getdb failing. In this context, these messages are harmless and may be ignored.
CR139347 The installer allows you to install version 9.x software onto 8950 (D107) or 11050 (E102) platforms; however, version 9.x software does not support the 8950 or 11050 platform. Installing 9.x software onto 8950 or 11050 platforms might result in a nonfunctional system, so do not install version 9.x software onto 8950 or 11050 platforms.
CR131945, CR139352 Do not use the image2disk utility command --noarray option in conjunction with the --format=partitions option. Doing so can result in a nonfunctional system. Any command containing the --noarray option should always include the --format=volumes option. This essentially removes RAID and replaces it with a single disk that uses logical volume management (LVM).
CR139534 If you use the bigpipe or tmsh utilities to set the import save limit to 1 (one) (by using the tmsh command modify cli global-settings import-save 1 or the bigpipe command cli import save 1), the system appears to hang when you import a single configuration file (SCF). To work around this issue, set the import limit to a value greater than 1. The default value is 2.
CR139563 When a server is one hop away in a route domain configuration, after a bigstart restart operation, the BIG-IP system fails to communicate with that server. To enable communication, the system must first resolve the IP address for the gateway, so you can work around this issue by monitoring the gateway IP address.
CR139588 On a partitioned system, if a 9.x installation operation fails or halts for any reason, including being canceled by the customer, subsequent installation operations fail and post the following messages to the liveinstall.log file: info: /dev/sda5 is mounted; will not make a filesystem here! error: VolumeSet_rebuild_fs(sda, 1) failed Terminal error: Failed to install. See log file. To work around this issue, always reboot the system after a failed installation operation, and then try the operation again. Note that this occurs only with halted version 9.x installation operations. Halted version 10.x installation operations do not exhibit the issue.
CR139591 When you run the command tmsh list ltm pool <pool_name> all-properties, the system does not display the status property for the pool member, unless you have forced the pool member down, in which case the system shows a status of down. To work around this issue, run the command tmsh show ltm pool <pool_name> detail.
CR139668 You should not use the tmsh utility commands session monitor-enabled | disabled or the equivalent bigpipe utility commands session mon enabled | disabled; however, the system does not prevent you from doing so. This type of status should be controlled by the monitor option Receive Disable String. Running these commands overrides the actual state of the pool member or node, so that the system reports a disabled state regardless of whether the monitor sets the pool member or node into the disabled state. The state remains disabled until you run the b load command, which returns you to the correct state. If you meant to enable or disable the pool members or nodes, you can use the tmsh utility commands session enabled | disabled or the bigpipe utility commands session user enabled | disabled.
CR139754 On the 1500 and 3400 platforms with 1 GB of memory, you cannot simultaneously format and upgrade to version 10.2.x. If you run the image2disk command with the --format=volumes or --format=partitions option on a 1 GB 1500 and 3400 platform formatted for partitions, the installation operation halts with the following message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required This occurs because the system must move into memory all of the product sources so that the disk can be reformatted. This occurs only when formatting and upgrading to version 10.2.0 simultaneously. The workaround is to use a thumb drive or DVD USB drive as the installation source, or to use a PXE installation method. For more information, see SOL11396: Error message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required. Note that in all cases, when upgrading from 9.x, you must first run the im command against the 10.x.iso file to extract the 10.x installation utility. You can find specific instructions in Upgrading from earlier versions.
CR139782 The online help for pool member ratio states that the supported range is from 1 to 65535. The actual supported range is from 1 to 100.
CR139786 If you use special characters in a pool name, the system posts an error message stating that only the following characters are allowed .*/-:_?=@,&. In fact, pool names only accept period (.), underscore (_), and hyphen (-).
CR140154 This release does not support using a command that suspends iRule processing (session, persist add/lookup/delete, table, after) in the AUTH_RESULT event in an iRule. There is no workaround for this issue.
CR140238 When you apply a version 10.x hotfix, the base software ISO image must be present in the /shared/images directory, along with the hotfix image. If there is no base software ISO image, no hotfix update operation begins, and the system presents a message similar to the following: waiting for image (BIG-IP 10.0.1 402.16). This message is misleading. The system is actually waiting for the base image. For example, for version 10.0.1, the base image is BIGIP- To work around this issue, copy the base ISO image BIGIP-10. file to the /shared/images directory, and try the hotfix update again.
ID 223787 On a back-end server that has a passive monitor assigned to it along with an active pool member or an active node monitor, when a monitor other than the passive monitor marks a pool member down, the system writes out a core file and posts the following message: notice panic: ../base/pool.c:3453: Assertion "Pool member is passive downed" failed. The workaround is to remove the passive monitor from the pool member.
ID 223959 A BIG-IP system has limits to the number of objects that may be configured when the configuration contains virtual servers for which Packet Velocity ASIC (PVA) acceleration is required. If more than the specified maximum number of objects is configured, virtual servers that otherwise qualify for PVA acceleration are demoted to wire mode (no PVA acceleration). For more information about the maximum number of objects allowed for the PVA, refer to SOL11038: Configuration sizing and PVA acceleration.
ID 339850 Although the system allows you to create a node whose name contains a leading digit, the bigpipe utility rejects service names with leading digits. This can cause bigip.conf to fail to load, including a bigip.conf file that you upgraded from version 9.x. For example, if you have a pool with a member named 3446, when you load the bigip.conf file, the system posts the error: BIGpipe parsing error: 012e0022:3: The requested value ( }) is invalid (show | <pool member list> | none) [add | delete]) for 'members' in 'pool' To work around this issue, run the command b cli service number to have bigpipe use service numbers instead of names.
ID 340651 On VIPRION platforms, setting the db variable vlan mac assignment to global results in some or all of the VLANs receiving a zero MAC assignment, which can cause no traffic to pass on a VLAN. The workaround is to set the vlan mac assignment db variable to a value other than global.
ID 341804 (ID 341276 duped to ID 341804) The predictive and observed load balancing methods always choose the same pool member when there are no other concurrent connections. For example, if you open 50 connections to the same virtual server, but you close each connection before opening the next one, the BIG-IP system will load balance all 50 connections to the same pool member (the last one in the pool). Note that both load balancing methods work as intended when the current connection count of the virtual server is greater than 1. While this behavior is benign, it may generate some confusion when analyzing pool member statistics.
ID 343150 When you specify Use Primary Connection Mirror Address as the ConfigSync Peer setting, and Network Mirroring is configured with IPv6 addresses, ConfigSync output contain following strings: [root@ltm-61:Active] config # b config sync Checking configuration on local system and peer system... Peer's IP address: 2222::2 Synchronizing Master Keys...Sync: No peer Address or invalid peer address Saving active configuration... To work around this issue, you can use IPv4 addresses, or you can select the ConfigSync Peer setting Specify IP Address and specify the IPv6 address manually.
ID 347605 During hardware power-up, you might observe diagnostic output similar to the following messages: BoardInit0 HvmLoadStart CpuInit0 These messages represent diagnostic output from the BIOS that has no effect on the operation of the system. You can safely ignore these messages.
ID 349340 You cannot simultaneously move to logical volume management (LVM) and install a hotfix. If you run the image2disk command with both the --hotfix and --format=volumes options, the system completes the hotfix installation, but does not format the drives. To work around this issue, format the system for volumes first, and then install the hotfix update.
ID 350888 This version of the software does not support IPv6-formatted IP addresses on the management port. To work around this issue, you can use IPv4-formatted IP addresses for configuring the management port.
ID 351874 When importing an ISO image into the Software Management screens in the Configuration utility, some browsers (for example, Microsoft Internet Explorer and Google Chrome), show /fakepath/ instead of the actual file path. This is expected behavior for HTML5-compatible browsers. You can work around this by adding the site to trusted sites. In addition, in Internet Explorer by setting the option Include local directory path when uploading files to a server in Internet Explorer Tools > Internet Option > Security > Custom level Security Settings - Internet Zone screen.
ID 354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart the tmm daemon.
ID 355152 On the 1600, 3600, 3900, 6900, 8900, 8950, 11000, and 11050 platforms (more specifically, platforms with the Always-On Management (AOM) subsystem), you might see increasing chmand consumption of memory space. For more information, see SOL12941: The chmand process leaks memory on BIG-IP platforms containing the AOM subsystem.
ID 355294 On a cluster, installing a User Configuration Set (.ucs) file containing dynamic routing fails to assign IP addresses to the ZebOS Network Services Module (NSM) interface. As a result, dynamic routing does not work. The workaround is to restart the tmrouted daemon by running the following command: clsh bigstart restart tmrouted.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Legal notices