Release Notes : F5 SSL Orchestrator Release Notes version 16.0.0-8.0

Applies To:

F5 SSL Orchestrator

  • 16.0.0
Release Notes
Updated Date: 11/03/2021

Summary:

This release note documents the version 8.0 release of F5 SSL Orchestrator.

Contents:

Platform support

SSL Orchestrator standalone base license is supported on the following platforms:

Platform name                                   Platform ID
i2800                                           C120
i4800                                           C115
i5800                                           C121
i7800                                           C118
i10800                                          C122
i11800 (Discovery Extreme)                      C123
i15800 (Endeavour)                              D116
High Performance F5 SSL Orchestrator            Z100
Virtual Edition (VE) options:
  • 8 CPU
  • 16 CPU
  • 16 GB RAM or greater
Note: You must always set the management (MGMT) provisioning level to Large.

 

Chassis name                                    Platform ID
VPR-22XX, VPR-24XX, VPR-4480, VPR-4800          ---
C2100                                           ---
C2200                                           D114
C4400                                           J100
Note: SSL Orchestrator 8.0 requires BIG-IP version 16.0.0. Refer to the Installing and Upgrading SSL Orchestrator section for complete installation and upgrade information.
Note: The supported platform information applies to the most recent release version.
Note: If you know only the platform name, search the F5 support site for its corresponding Platform ID.

If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:

  • URL Filtering (URLF) (subscription)
  • IPI (subscription)
  • Network HSM
  • Access Policy Manager (APM)
  • Secure Web Gateway (SWG)
  • Advanced Routing

 

F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries, Bourne, and VIPRION platforms:

Platform name
2000, i2000
4000, i4000
5000, i5000
7000, i7000
10000, i10000
11000, i11000
12000 (Bourne)
i15000
Chassis name
VPR-22XX, VPR-24XX, VPR-4480, VPR-4800
Note: SSL Orchestrator 8.0 requires BIG-IP version 16.0.0. Refer to the Installing and Upgrading SSL Orchestrator section for complete installation and upgrade information.
Note: The supported platform information applies to the most recent release version.

Guided Configuration browser support

The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 55.x
  • Google Chrome 61.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.

Features in SSL Orchestrator

F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.

Note: The SSL Orchestrator upgrade workflow has changed. Review the release note section on Installing and Upgrading SSL Orchestrator for the details you need to fulfil the prerequisites and required steps that streamline the process.

Guided Configuration for SSL Orchestrator

Guided Configuration guides you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help during setup. The current version of Guided Configuration is displayed on the landing page. When a later version becomes available, use the link next to the version number to download it from downloads.f5.com, then upload and install Guided Configuration for SSL Orchestrator on the BIG-IP system. Before installing or upgrading to the latest version of SSL Orchestrator, read the release notes and setup guide for prerequisites, task details, and troubleshooting and recovery steps for installation or upgrade.

SSL Orchestrator High Availability (HA) behavior improvements

A streamlined upgrade procedure lets you upgrade SSL Orchestrator without breaking the HA pair.

Strict Update option (Protected/Unprotected Configurations) improvements

The SSL Orchestrator Protected/Unprotected Configurations improvements provide:

  • the ability to view the differences between the configuration SSL Orchestrator created and out-of-band (OOB) modifications;
  • the ability to preview configuration changes before applying them to the system;
  • the option to either overwrite the out-of-band changes or accept them before deployment.
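As an added example (not F5 code; the object names, attributes and edited values are constructed), the following Python models the three operations the feature describes: diff the last-deployed objects against the running ones, preview that diff, and then either overwrite the out-of-band edits or accept them into the desired state before the next deployment. Objects the orchestrator never created are left untouched in both cases, which is the behaviour a strict-update mode needs if it is to own only its own objects.

```python
"""Reconciliation of an orchestrator-managed configuration against out-of-band edits.

Added example, not F5 code. It models the Protected/Unprotected (strict-update)
workflow: compare what the orchestrator last deployed with the objects now on
the box, show the diff, and let the operator either overwrite the out-of-band
edits or accept them into the desired state. Object names and values are
constructed for illustration.
"""
from copy import deepcopy

# Constructed snapshot of what the orchestrator deployed last time.
DEPLOYED = {
    "ltm virtual /Common/sslo_out.app/sslo_out-xp-4": {
        "destination": "192.0.2.10:3128",
        "profiles": ["tcp", "http", "sslo_out-cssl"],
        "rules": ["sslo_out-in_t"],
    },
    "ltm pool /Common/ssloS_ips.app/ssloS_ips": {
        "members": ["198.51.100.20:0", "198.51.100.21:0"],
        "monitor": "gateway_icmp",
    },
}

# Constructed running state: an admin changed the pool monitor out of band,
# added an iRule to the virtual server, and created an unmanaged pool.
RUNNING = deepcopy(DEPLOYED)
RUNNING["ltm pool /Common/ssloS_ips.app/ssloS_ips"]["monitor"] = "tcp"
RUNNING["ltm virtual /Common/sslo_out.app/sslo_out-xp-4"]["rules"].append("debug_log")
RUNNING["ltm pool /Common/manual_pool"] = {"members": [], "monitor": "none"}


def diff_config(deployed, running):
    """Return a list of (object, attribute, deployed_value, running_value).

    attribute is None for whole objects that exist on only one side.
    """
    changes = []
    for obj in sorted(set(deployed) | set(running)):
        if obj not in running:
            changes.append((obj, None, deployed[obj], None))
        elif obj not in deployed:
            changes.append((obj, None, None, running[obj]))
        else:
            for attr in sorted(set(deployed[obj]) | set(running[obj])):
                d, r = deployed[obj].get(attr), running[obj].get(attr)
                if d != r:
                    changes.append((obj, attr, d, r))
    return changes


def preview(changes):
    """Render the diff the way an operator would review it before deploying."""
    lines = []
    for obj, attr, d, r in changes:
        if attr is None:
            lines.append(f"{'-' if r is None else '+'} {obj}")
        else:
            lines.append(f"~ {obj} :: {attr}: {d!r} -> {r!r}")
    return "\n".join(lines)


def reconcile(deployed, running, accept_oob):
    """Produce the configuration the next deployment will push.

    accept_oob=True  keeps the out-of-band edits (desired state is updated).
    accept_oob=False overwrites them with the orchestrator's own state.
    Objects the orchestrator never created are left alone either way.
    """
    result = deepcopy(running if accept_oob else deployed)
    if not accept_oob:
        # Strict mode only owns what it created; unmanaged objects survive.
        for obj in running:
            if obj not in deployed:
                result[obj] = deepcopy(running[obj])
    return result
```

Calling diff_config(DEPLOYED, RUNNING) lists the monitor change, the added iRule and the unmanaged pool; reconcile(..., accept_oob=False) restores the first two and keeps the pool, while accept_oob=True makes the running state the new desired state.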

Modify network objects through iAppLX

This feature allows you to change network objects through iAppLX. Network objects created for SSL Orchestrator services, such as IPs and VLANs, can now be modified after creation without deleting and recreating the service.

HA-Status monitoring and remediation dashboard

SSL Orchestrator upgrades, deployments, and synchronization can be painful if the HA pair is in a bad state. This feature shows the status of your HA pair before the upgrade and provides a remediation button to fix issues, so that you proceed with the HA upgrade only when the pair is in a good state. It also prevents unwanted configuration changes or modifications to an existing SSL Orchestrator configuration, minimizing discrepancies between the two HA devices and their configurations.

SSL Orchestrator HA diagnostics and sync-repair tool

SSL Orchestrator users with an HA setup can use the ha-sync tool and script to troubleshoot and fix HA setup issues (such as when gossip has gone out of sync, when some REST blocks are missing or out of sync, or when MCP data is out of sync between devices).

The ha-sync script includes the diagnostic capability to identify potential issues and can print out all of the issues found with the HA setup. The ha-sync script can then perform a sync-up, which should fix those issues, and ensure that both devices are fully in sync (both in MCP and REST). See the F5 Guided Configuration for SSL Orchestrator: High Availability Diagnostics and Sync-Repair Tool guide for detailed information.

Guided Configuration for SSL Orchestrator TLS 1.3 support

TLS 1.3 support is provided in Guided Configuration for SSL Orchestrator for inbound cases, both clientssl and serverssl, for enhanced performance and security.

SSL Orchestrator Topologies

SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings can be modified as needed without undeploying a configuration. They are complemented by SSL management settings that help you define inbound and outbound decryption, set your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services), and create your service policies by defining per-request and per-session policy settings, which can be managed through the Visual Policy Editor (VPE). The available topologies are:

  • Outbound transparent proxy
  • Outbound explicit proxy
  • Inbound reverse proxy
  • Outbound layer 2
  • Inbound layer 2

The Existing Application topology is an inbound topology that allows you to create services, service chains, and security policies and attach them to an existing reverse proxy BIG-IP application.

Licensing and Provisioning for SSL Orchestrator Access Integration

The SSL Orchestrator Setup Utility has been updated with resource provisioning capabilities for licensed and unlicensed modules.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Virtual Clustered Multiprocessing (vCMP)

SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.

Classification Engine

The Classification Engine provides a rich set of context-based methods to dynamically determine how best to route a flow through the security stack. At a minimum, context can come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
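As an added illustration (not F5's classification engine and not its policy syntax), the following Python evaluates a constructed security policy over the context items listed above: every populated condition on a rule must hold, the first matching rule decides the action and service chain, and a catch-all rule at the end supplies the default. The URL category, IP reputation and geolocation lookups are constructed stand-in tables for the subscription feeds.

```python
"""First-match security-policy evaluation over classifier context.

Added illustrative example, not F5's classification engine. Rules, category
tables, geolocation and IP-reputation lookups are constructed stand-ins for
the subscription feeds SSL Orchestrator consults; what the example shows is
the matching logic: every condition set on a rule must hold, the first
matching rule wins, and a final catch-all decides the default.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables standing in for URLF / IPI / geolocation feeds.
URL_CATEGORY = {"bank.example": "Financial_Data", "updates.example": "Software_Updates"}
IP_REPUTATION = {"203.0.113.5": "Botnets"}
GEO = {"198.51.100.0/24": "US", "203.0.113.0/24": "XX"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    sni: str = ""         # server name from the ClientHello, if any


@dataclass
class Rule:
    name: str
    action: str                     # "intercept" or "bypass"
    service_chain: str = ""         # empty means no inspection services
    src_net: str = ""
    dst_net: str = ""
    dport: Optional[int] = None
    proto: str = ""
    host_suffix: str = ""
    url_category: str = ""
    ip_reputation: str = ""
    geo: str = ""


def geolocate(ip):
    for net, country in GEO.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return country
    return "?"


def rule_matches(rule, flow):
    """All populated conditions on the rule must hold for the flow."""
    checks = [
        (rule.src_net, lambda: ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src_net)),
        (rule.dst_net, lambda: ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst_net)),
        (rule.dport is not None, lambda: flow.dport == rule.dport),
        (rule.proto, lambda: flow.proto == rule.proto),
        (rule.host_suffix, lambda: flow.sni == rule.host_suffix
                                   or flow.sni.endswith("." + rule.host_suffix)),
        (rule.url_category, lambda: URL_CATEGORY.get(flow.sni) == rule.url_category),
        (rule.ip_reputation, lambda: IP_REPUTATION.get(flow.dst) == rule.ip_reputation),
        (rule.geo, lambda: geolocate(flow.dst) == rule.geo),
    ]
    return all(check() for enabled, check in checks if enabled)


def classify(policy, flow):
    """Return (rule name, action, service chain) of the first matching rule."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.name, rule.action, rule.service_chain
    raise ValueError("policy has no catch-all rule")


# Constructed policy: bypass a regulated category, send known-bad reputations
# through an IPS-only chain, inspect guest-network web traffic fully,
# leave plain DNS alone, and inspect everything else.
POLICY = [
    Rule("Pinned_Finance", "bypass", url_category="Financial_Data"),
    Rule("Bad_Reputation", "intercept", service_chain="ips_only", ip_reputation="Botnets"),
    Rule("Guest_Wifi_Web", "intercept", service_chain="full",
         src_net="10.10.0.0/16", dport=443, proto="tcp"),
    Rule("Plain_DNS", "bypass", dport=53),
    Rule("All_Traffic", "intercept", service_chain="full"),
]
```

Rule order matters: moving All_Traffic above Plain_DNS would intercept DNS, which is the same ordering mistake a real per-request policy can make, so the catch-all belongs last.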

Deployment Modes

SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:
  • Single device mode
  • High availability (HA) active/standby mode

In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.

SSL Orchestrator Analytics

SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.

Statistics generated:

  • Hit Count
  • Client Bytes Out Per Second
  • Duration
  • Server Bytes In
  • Server Bytes In Per Second
  • Hit Count Per Second
  • Server Bytes Out Per Second
  • Client Bytes In
  • Client Bytes In Per Second
  • Client Bytes Out
  • Server Bytes Out

Statistics are generated for the following dimensions:

  • Client Cipher Names
  • Client Cipher Versions
  • Server Cipher Names
  • Server Cipher Versions
  • Virtual Servers
  • Site IP Addresses
  • Traffic Types
  • Decryption Status
  • Policy Actions
  • Service Paths
  • URL Categories
  • Applications
  • Application Families
  • IP Reputation
  • Destination Countries

L7 Application Protocol Settings

SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.

Fixes

Note: The following bugs are applicable to the SSL Orchestrator iAppLX (UI and BIG-IP configuration automation) and not BIG-IP (SSL Orchestrator traffic processing). Refer to the corresponding BIG-IP release notes for further detail about your version.

ID number Description
750663 Changes made in SSL Orchestrator Interception Rules may be overwritten, without warning, after the redeployment of the topology. Fix: A warning message is now displayed on the topology list page indicating that changes made in Interception Rules may be overwritten after the redeployment of topology.
760760 The Deploy button is greyed out after you attempt to rearrange the order of the Rules in the Security Policy topology. Impact: You cannot redeploy the edited Rules because the Deploy button remains greyed out. Fix: The form name is now set so that the deploy form, and therefore the button, is notified immediately when rules are reordered by drag and drop; the button becomes clickable and the edited Rules in the Security Policy can be redeployed.
822993 HTTP traffic passing through an L3 explicit proxy SSL Orchestrator deployment may fail under certain conditions when the deployment object name contains the '-' character (a dash). HTTP requests moving through an explicit proxy may suffer from a connection reset. Fix: SSL Orchestrator deployment names with the '-' character (a dash) now continue to pass HTTP traffic through an L3 explicit proxy deployment and will not result in a connection reset.
825065 Changes made in SSL Orchestrator Interception Rules may be overwritten after a redeployment of the topology. Fix: SSL Orchestrator now provides the ability to see configuration differences between created and non-strict modified changes.
832725 SSL Orchestrator L2 Outbound topology VLANs are not filtering correctly when editing an Interception Rule mini workflow, resulting in a list of all VLANs in place of a filtered list of VLANs. Fix: All SSL Orchestrator L2 Outbound topology VLANs filter as requested.
835469 When upgrading from any SSL Orchestrator 5.x or 6.0 version to 6.1 or higher, the Security Policy upgrade fails (ends in an error state) when any pending Orchestrator Block (OB) is carried forward into the new partition. Workaround: Before installing the new ISO, and before booting into the new partition, make sure there is no OB in the pending, deployed, or error state. If there is one, delete it from iApps > Application Services > Applications LX. Fix: An upgrade from 6.1 to a later version with a pending OB now carries the OB forward without error.
843345 The SSL Orchestrator configuration deployment fails in the HA environment when a deployment is triggered while the HA infrastructure replication mechanism is not in a good state. This results in different configuration revisions with data out of sync in both devices. Fix: Synchronization of the configuration revisions and data now occurs when they are out of sync. The HA infrastructure replication mechanism will result in a working (good) state.
851437 In SSL Orchestrator, when a deployment is triggered while the high availability (HA) infrastructure replication mechanism is not in a good state, the configuration revisions may differ and the data may be out of sync on the two HA devices, causing the deployment to fail. Fix: The configuration revisions and data are now synchronized when they are found to be out of sync. The HA infrastructure replication mechanism must, however, be in a good state.
852517 The TAP service deployment in the high availability (HA) environment fails while showing the following error message: Invalid ARP static entry, the IP address already exists. Fix: The deployment failure on TAP service no longer occurs.
856801 Deployment fails for an Explicit Proxy topology when the configuration name is 20 characters long, with the following error: Deployment failed for sslo_ob_TOPOLOGY_CREATE_sslo_This_is_a_long__name Error: transaction failed:01071529:3: The tunnel name (/Common/sslo_This_is_a_long__name.app/sslo_This_is_a_long__name-xp-tunnel) cannot be longer than 64 characters. The name appears twice in the derived tunnel name, so each extra character of the name costs two characters of the 64-character limit. Fix: An SSL Orchestrator UI validation now restricts the application name to 15 characters or fewer when the topology is an Explicit Proxy.
857533 The SSL Orchestrator deployment may fail with an error such as: (object) is already exist in the system. This occurs mostly in a high availability (HA) environment and is due to a previous deployment timing out, or to an HA deployment failing on only one device; SSL Orchestrator then fails to redeploy. Fix: The validation logic for deploying SSL Orchestrator after a failed deployment has been fixed.
857937 When viewing the Services page, data fails to display in the "Pool Member Status" column. This issue is often seen on the standby device and occasionally on the active device. Fix: The pool member status information will now always populate and the "Pool Member Status" column on the Service page will also properly populate.
858909 When using the Chrome browser, categories with long names cannot be deleted. After the category "Advanced Malware Command and Control" has been added to a policy list, and the list of rules is long enough to create a scroll bar, you are unable to delete the category "Advanced Malware Command and Control" because the element to delete it is behind the scrollbar. Workaround: Use a different browser such as Firefox or Edge. Fix: The window should be wide enough that the X is no longer hidden behind the scrollbar.
865105 Editing L2 Service To/From VLAN pairs so that the VLANs are interchanged and their interfaces are changed in the same edit, and then deploying, can leave the Service in a state that requires cleanup of related objects or a manual reboot. Combining the two actions in one edit of an L2 Service produces the error: 'Deployment failed for sslo_ob_SERVICE_MODIFY_ssloS_GENERIC Error: Error: transaction failed:01070712:3: Cannot set MAC address for ssloN_a1 - ioctl failed: No such device'. After this you cannot create services. The sequence that triggers it: 1. Swap the 'From' and 'To' VLANs. 2. Deploy. 3. Swap the 'From' and 'To' VLANs back and, in the same edit, change the interface assignment. 4. Deploy. The error appears, and you cannot change the service until you manually reset the affected service, VLAN and self IP, and reboot the device. Workaround: Do not combine swapping the To/From VLANs with changing their interfaces in one deployment; perform each action separately and deploy after each: 1. Swap the 'From' and 'To' VLANs. 2. Deploy. 3. Swap the 'From' and 'To' VLANs back. 4. Deploy. 5. Change an interface belonging to one of the switched-back VLANs. 6. Deploy. Fix: The other VLAN- and interface-related issues for L2 Services are fixed under this ID. The specific sequence described above is tracked separately in https://bugzilla.olympus.f5net.com/show_bug.cgi?id=877017 (see ID 877017 below).
869677 Resetting device trust triggers the pending upgrade process on high availability (HA) device. When SSL Orchestrator configuration upgrade is pending due to blade HA state and you reset the device trust, the upgrade process resumes and starts deployment of the SSL Orchestrator configuration. 1. HA environment. 2. Configuration upgrade is pending due to HA error after ISO or RPM upgrade. 3. Device trust is reset. SSL Orchestrator configuration gets upgraded on individual devices. Workaround: None. This is functioning as designed. If device trust is reset, the device becomes a standalone device and triggers the pending configuration upgrade.
872969 The Strictness icon is always shown as enabled in the Preview Merge Config step of a pending configuration. When a configuration's Strictness is disabled, the lock icon shows it as unlocked. If that configuration is then modified, the Preview Merge Config button is enabled, and clicking it shows the differences between the configuration outside SSL Orchestrator and within it. If the deployment is abandoned at that point (by clicking Cancel) and you return to the main page (grid view), the configuration is shown as pending with the Strictness button disabled, which is expected for a pending configuration; however, the icon shows Strictness as enabled even though it is disabled. There is no functional impact because the button is disabled, but the display is misleading because it does not reflect the true Strictness status. Workaround: None while the configuration is pending. The true status of Strictness is shown again once the pending configuration is either deployed or deleted. Fix: Deploy or delete the pending configuration to see the actual state of the Strictness field.
874929 During the SSL configuration of SSL Orchestrator, some SSL certificates are not displayed in the UI when the certificate list contains bundled certificates. As a result, you cannot use the UI to assign a certificate bundle as a certificate. Fix: All certificates, including bundled certificates, can now be selected in the SSL configuration of the SSL Orchestrator UI.
877017 Editing L2 Service To/From VLAN pairs so that the VLANs are interchanged and their interfaces are changed in the same edit, and then deploying, can leave the Service in a state that requires cleanup of related objects or a manual reboot. If you combine the two actions (swap the From VLAN and To VLAN entries, change their respective interfaces, and deploy), MCP returns an error similar to: 'Deployment failed for sslo_ob_SERVICE_MODIFY_ssloS_GENERIC Error: Error: transaction failed:01070712:3: Cannot set MAC address for ssloN_a1 to 'fa:16:3e:f4:9d:ae' in rd65000 - ioctl failed: No such device'. You must then clean up all related service, VLAN and self IP objects, or reboot the system, before you can create or edit any services. To reproduce, after creating an L2 Service: 1. Interchange the From and To VLANs. 2. Deploy. 3. Switch the From and To VLANs back and change an interface belonging to one of the switched-back VLANs. 4. Deploy. The cause is that the 'from' IP address of an L2 Service is set in route domain 0 and the 'to' IP address is set in route domain 65xxx; when you swap the 'From' and 'To' IP addresses and change the interface at the same time, the objects cannot find each other because they are in different route domains. Mitigation: Do not combine swapping the To/From VLANs with changing their interfaces before deploying. Do each action separately and deploy after each: 1. Interchange the From and To VLANs. 2. Deploy. 3. Switch the From and To VLANs back. 4. Deploy. 5. Change an interface belonging to one of the switched-back VLANs. 6. Deploy. Workaround (recovery): An app cleanup will not work. In a high availability (HA) setup, carry out the following step on each device: 1. Run load sys config, then bigstart restart (note that bigstart restart restarts all BIG-IP daemons and interrupts traffic on that device). Fix: To keep you from getting into this situation, a message instructs you to perform the task in two steps (instead of one) and the buttons are disabled.
887109 Upgrading from SSL Orchestrator 5.6+ (5.6, 5.7, 5.8) or 6.3 to 7.0 or 7.1 leads to redeployment error "HAAwareICRDeployProcessor: Error: transaction failed:"0.0.0.0%0%0/0" Invalid route domain". Workaround: Go to the topology with the error and manually fix the error from the Interception Rule screen and then redeploy. Fix: Fixed the double injection of the %0 to make sure the upgrade path succeeds.
889621 HA UCS restore for SSL Orchestrator. When you restore the SSL Orchestrator UCS on only one device in a high availability (HA) configuration and then try to sync the configuration, the operation does not complete: the configuration does not sync to the peer device. Workaround: Restore the UCS on both units, each from its own UCS file. Note: Do not use the same UCS file on both units unless the UCS was generated using the RMA procedure. Fix: This is functioning as designed, because SSL Orchestrator HA sync does not cover REST storage.
890645 Rebooting the BIG-IP system or restnoded leads to the “existing application” topology to disappear from the SSL Orchestrator topology list and there is nowhere to retrieve the configuration. Fix: Rebooting SSL Orchestrator no longer removes the topology.
891101 A user is able to deploy a topology without completing the topology workflow. Before deploying an SSL Orchestrator topology, all steps must be completed; however, the application could be deployed with steps incomplete, and the deployment then fails. This happens when creating a new topology with the network flow. Workaround: Make sure all steps are completed before deployment. Fix: The Deploy button is now disabled when any step is incomplete.
892273 SSL Orchestrator deployment after app cleanup fails in HA setup. After app clean up is performed, deploying any config fails in the HA setup. After performing app clean up/delete all (the Delete button on the top-right corner of the landing/tabs view page), you are unable to deploy any new configuration. Workaround: 1. Wait until the system posts the 'Deployment failed' message. 2. Deploy the same config again. The config deploys without any error message (if the configuration is valid). Fix: Fixed an issue with being unable to deploy new configuration after app cleanup.
894689 SSL Orchestrator high availability (HA): Deleting any configuration reports an error in the log. Deleting any configuration in an HA setup logs the message: severe: [ErrorHandlingModule] RestOperation failed: "/shared/iapp/f5-iappslx-ssl-orchestrator/objValidate". There is no impact; the intended object is deleted and only the message is erroneous. Fix: In an HA setup, deletion no longer produces the error messages in the logs.
897109 SSL Orchestrator topology deployment fails with a "URI path not registered" error. During certain transitory conditions involving the REST framework (for example, UCS backup/restore), while the REST framework is restarting, the BIG-IP SSL Orchestrator user interface may be temporarily unavailable or have limited functionality; attempting to deploy an SSL Orchestrator topology at that time may fail with "URI path not registered". Conditions: Using the SSL Orchestrator user interface while the BIG-IP REST framework is starting or restarting, such as during a UCS backup/restore. Impact: Temporarily limited SSL Orchestrator user interface functionality, for example a failed topology deployment. Workaround: Refresh the SSL Orchestrator configuration page in the BIG-IP user interface, or leave the SSL Orchestrator configuration page and open it again, before attempting to deploy.
897117 When editing an existing topology in SSL Orchestrator Interception Rule, no indication of what has been modified is provided and changes may be overwritten after the redeployment of the topology. Fix: A warning message is now displayed on the Interception Rule and summary page if changes made may be overwritten after the redeployment of topology.
903805 After upgrade, the f5-iappslx-ssl-orchestrator RPM versions differ on vCMP guests in HA mode. After upgrading a vCMP host configured in high availability (HA) mode, one of the vCMP guests still has the previous version of the f5-iappslx-ssl-orchestrator RPM, and the related iAppLX SSL Orchestrator configuration is lost. This problem may surface on vCMP hosts configured in HA mode after upgrade. The affected vCMP guest loses the SSL Orchestrator iAppLX configuration and so cannot steer SSL Orchestrator traffic. Workaround: 1. On a successfully configured vCMP guest where the upgrade resulted in a consistent state, ensure that the correct version of the f5-iappslx-ssl-orchestrator RPM is present. 2. Use the ha-sync script to restore a consistent REST framework state across the HA peers by running the following command in a terminal: ha-sync -f -t rest -H <HA_PEER> (where <HA_PEER> is the IP address of the vCMP guest that exhibits the issue). Fix: After upgrade, the f5-iappslx-ssl-orchestrator RPM versions now match on vCMP guests in HA mode.
904141 SSL Orchestrator: On a vCMP chassis, a blade failover during an SSL Orchestrator RPM upgrade or configuration deployment may cause the upgrade or deployment to fail. The upgrade may fail, leaving the configuration in an error or non-upgraded state, and a deployment in progress may end in an error state. Workaround: Redeploy the non-upgraded configuration or the configuration in the error state to resolve the problem.
905141 In SSL Orchestrator, deploying a custom inbound topology in Advanced Mode may not attach the Security Policy to the virtual server. This issue occurs when you toggle between 'None' and any other value in the Access Profiles dropdown in the Interception Rules step of the topology workflow. Fix: When toggling between values in the Access Profiles dropdown, the correct Security Policy is now attached to the virtual server.
906017 The SSL Orchestrator high availability (HA) pair is in an incorrect state after license reactivation. When the licenses on both HA peers expire and are reactivated, the Active unit reports an error: One or more SSL Orchestrator configurations are in an incorrect state. Look for errors in /var/log/restnoded/restnoded.log for corrective action to those configurations before making additional changes to avoid further errors. Conditions: SSL Orchestrator HA configuration; deployed topologies; licenses expire and are reactivated. Impact: The HA configuration does not function properly. Workaround: Run the following command: restcurl -X POST -d '{"resetDevices": true}' /mgmt/shared/iapp/f5-iappslx-ssl-orchestrator/ha-remediation. Note: If this does not correct the issue, you must delete and rebuild the device group.
906329 In SSL Orchestrator, the strict-update (strictness) option icon is shown for Existing Application topologies in the topology tab view. However, strict-update is not applicable for Existing Application topologies and should not be shown. The strictness icon should be available only in the Services and Security Policies tab view for services and security policies created as part of an Existing Application topology. Fix: The strictness icon is no longer shown for Existing Application topologies in the topology tab view.
906953 After upgrading SSL Orchestrator from 14.1, Rules are missing for all security policies. When upgrading with an Existing Application topology, the upgrade sequence fails and the configuration is not upgraded, causing additional issues and may result in a deployment failure. Fix: When upgrading with an Existing Application topology, the upgrade sequence now succeeds with the configuration properly upgraded.
907197 When enabling strict-update on a security policy, the message shows the security policy as undefined. When Strictness is enabled for a Security Policy, a warning on the page indicates that there is a pending object. The warning should show the name of the pending object (the security policy), but instead of the name it says Undefined. To reproduce, click the Strictness icon to enable it for a Security Policy. There is no functional impact; the object is created. Only the warning is unclear, because the name of the pending object is not displayed. Fix: The name of the security policy configuration is now appended to the warning message.
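The 15-character limit introduced for ID 856801 follows from the tunnel name the error message shows being derived from the topology name. As an added example (not F5 code; the name template is taken from that error message, the 64-character ceiling is the one it quotes, and the partition is assumed to be /Common), the following Python rebuilds the derived tunnel name, checks it against the limit and computes the longest usable topology name for a given partition, so the check can be run before a deployment rather than discovered from a failed transaction.

```python
"""Why the Explicit Proxy topology name is capped at 15 characters.

Added example, not F5 code. It rebuilds the tunnel name that the error
message for ID 856801 shows being generated, and checks it against the
64-character limit quoted in that message. Partition and template are
taken from the message; treat both as assumptions for other deployments.
"""

MAX_OBJECT_NAME = 64          # limit quoted in the transaction error
PARTITION = "/Common"         # assumed partition; the error shows /Common


def explicit_proxy_tunnel_name(app_name, partition=PARTITION):
    """Name derived for the explicit-proxy tunnel object (per the error text)."""
    return f"{partition}/sslo_{app_name}.app/sslo_{app_name}-xp-tunnel"


def fits(app_name, partition=PARTITION):
    """True when the derived tunnel name stays within the object-name limit."""
    return len(explicit_proxy_tunnel_name(app_name, partition)) <= MAX_OBJECT_NAME


def max_app_name_length(partition=PARTITION):
    """Longest topology name whose derived tunnel name stays within the limit.

    The name appears twice in the template, so each extra character costs two.
    """
    fixed = len(explicit_proxy_tunnel_name("", partition))
    return (MAX_OBJECT_NAME - fixed) // 2


def validate_topology_name(app_name, explicit_proxy, partition=PARTITION):
    """Mirror the UI validation described in the fix: return an error string or None."""
    if explicit_proxy and not fits(app_name, partition):
        limit = max_app_name_length(partition)
        derived = len(explicit_proxy_tunnel_name(app_name, partition))
        return (f"name '{app_name}' is {len(app_name)} characters; explicit proxy "
                f"topologies in {partition} must use {limit} characters or fewer "
                f"(derived tunnel name would be {derived} characters)")
    return None
```

For /Common the fixed part of the template is 33 characters, which leaves (64 - 33) // 2 = 15 characters for the name; the 20-character name in the error message produces a 73-character tunnel name. The partition is a parameter because a longer partition name lowers the usable length further.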

Known Issues

ID number Description
873173 SSL Forward Proxy does not mirror the forged Online Certificate Status Protocol (OCSP) responses to the session database on the standby high availability (HA) device. As a result, immediately after a failover and before the new active device performs an SSL handshake with the backend server, the OCSP Responder on the BIG-IP system cannot answer out-of-band OCSP requests. Workaround: OCSP responses succeed after the new active device performs an SSL handshake to the backend server, which re-forges and caches the server certificate and its status.
876585 Modifying an iRule on a virtual server in TMUI does not trigger the proper reconciliation for SSL Orchestrator. Modifying only the iRule on a virtual server through TMUI does not reconcile the change to the SSL Orchestrator UI's Interception Rule page or the topology page. Workaround: Click the Update button for the virtual server in TMUI, which triggers a quick reconciliation.
892489 Deployment or upgrade failure when restnoded and restjavad restart during the process. The SSL Orchestrator deployed configuration ends up in an error state after deployment, or the SSL Orchestrator configuration ends up in an error state after upgrade, if restnoded or restjavad restarts during the process. Restnoded or restjavad restarts during the upgrade and deployment process. The deployed SSL Orchestrator configuration will be in an error state after upgrade, deployment, delete, or update. Workaround: Re-deploying the errored-out configuration can end in a successful state if there is no error in the configuration itself.
892497 SSL Orchestrator deployment failure and timeout due to high CPU usage. SSL Orchestrator fails to deploy if a deployment is created when CPU usage is very high. Often this ends in a deployment timeout. CPU spikes at the time of deployment. The SSL Orchestrator configuration will end up in an error state. Workaround: Re-deploy the configuration.
903465 REST database replication time period. If there is an intermittent static state of any iAppLX application, it will take 2 minutes for REST storage to get replicated on the secondary blade. If you modify SSL Orchestrator or any iAppLX application during that time, the configuration changes are lost. You may also get an error: [OrchestratorConfigProcessor] Deployment failed for Error: Unable to PATCH block from BINDING to BINDING state. Saved configuration and failover events occur before REST can replicate the state to a secondary blade. You must make your changes again. Workaround: None.
907605 Upgrading a non-strict SSL Orchestrator application to 8.0 does not trigger out-of-band change reconciliation. In v8.0, certain out-of-band changes that are reconcilable to the SSL Orchestrator GUI are reconciled, but that does not happen for applications that were non-strict before upgrade. Modifying such configurations using the SSL Orchestrator GUI might overwrite the out-of-band change. Workaround: Click the Update button in the GUI for each object in the non-strict application that has an out-of-band change on it. As an alternative, to be sure you get every object, you can review each object that is created (primarily virtual servers, pools, and SSL profiles, which have a greater impact).

Install and upgrade SSL Orchestrator

If you previously installed SSL Orchestrator 16.0.0-8.0 (build 16) and encountered bug 898065, F5 recommends you upgrade to the latest 16.0.0-8.0 build (build 18.0) and then delete and reconfigure the specific service configured in SSL Orchestrator 16.0.0-8.0 (build 16) described in bug 898065. In bug 898065, the service generated the same non-floating self IP address across all high availability (HA) devices, so the non-floating self IP addresses conflicted and traffic was intermittently dropped.

Note: To verify, check both HA devices by selecting Network > Self IPs and review whether the non-floating self IP addresses across both devices are duplicated. If they are, follow the above procedure to fix.

If you previously installed SSL Orchestrator 16.0.0-8.0 (build 16) but did not encounter bug 898065, F5 recommends you upgrade to the latest 16.0.0-8.0 build (build 18.0). SSL Orchestrator build 18.0 contains the non-floating self IP address conflict issue fix (898065) from build 16.0 and an additional HA issue fix (898137).

If you did not previously install SSL Orchestrator 16.0.0-8.0 and you currently have a version of SSL Orchestrator prior to 5.0, or are installing SSL Orchestrator for the first time, refer to the complete installation and upgrade instructions for F5 SSL Orchestrator in the SSL Orchestrator: Setup version 16.0.0-8.0 guide.

To install F5 SSL Orchestrator 8.0 when you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide.

To upgrade to the newest version of SSL Orchestrator from a previous version prior to 5.0, or if you have an existing add-on license, follow the recommended upgrade steps found in the SSL Orchestrator recommended upgrade procedure section in the SSL Orchestrator: Setup guide. This procedure walks you through the uninstallation and deletion of existing SSL Orchestrator applications and the RPM before installing the new ISO image.

If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the Upgrade from previous SSL Orchestrator versions using the recovery procedure task steps in the SSL Orchestrator: Setup guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.

These upgrade steps are required because previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures prepares your system for a clean installation.

Note: If you are implementing a high availability environment for SSL Orchestrator, review the Setting up SSL Orchestrator in a High Availability Environment section in the SSL Orchestrator: Setup guide for more detailed information.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.