Applies To:

Show Versions Show Versions

Release Note: BIG-IP PEM 11.3.0
Release Note

Original Publication Date: 08/29/2013

Summary:

This release note documents the version 11.3.0 release of BIG-IP Policy Enforcement Manager.

Contents:

- Supported hardware
- Configuration utility browser support
- User documentation for this release
- New in 11.3.0
- Supported high availability configuration for Policy Enforcement Manager
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Known issues
- Contacting F5 Networks
- Legal notices

Supported hardware

You can apply the software upgrade to systems running software versions 10.x or 11.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x and 9.x
  • Mozilla Firefox 15.0.x and 9.0.x
  • Google Chrome 21.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE 11.3.0 Documentation page.

New in 11.3.0

Application Subscriber Awareness

Application and subscriber awareness allows traffic classification, while mapping network traffic to the recognized applications and takes into account the source of traffic generation for a subscriber. This information can be further used for application and subscriber visibility, reporting, and policy enforcement.

Application Subscriber Visibility

The application subscriber visibility feature provides business intelligence with visibility into the applications that subscribers use and also monitors the usage consumption. Policy Enforcement Manager classifies traffic, and measures volume and bandwidth consumption (per subscriber and per application), so you can view statistics to understand the current situation on the network. This information might be processed by an external analytics solution, which presents various reports that can be used for trending analysis and system troubleshooting.

Policing

Policy Enforcement Manager enforces policies provisioned by the Policy and Charging Rules Function (PCRF, see 3GPP TS 23.203 version 9.6.0 Release 9) or policies that are manually configured on the BIG-IP system. Enforcement policies can filter traffic based on application type or flow information. iRules can be used for creation and termination of sessions, policy assignments, and report formatting. Policy enforcement actions can be applied to the traffic as well. This includes enforcing bandwidth control by limiting application use, and using DSCP and link quality of service (QoS) marking for delegating policy enforcement actions to other enforcing devices, such as routers. Bandwidth controller, which is another policy action, is the next generation QoS solution. It works with Policy Enforcement Manager to manage bandwidth per subscriber, per application, or per network egress link.

Intelligent Traffic Steering

Enforcement policies can be created to steer particular types of traffic to external components that provide expert services for that traffic. For example, video traffic from certain subscribers can be forwarded to video optimization servers so that the subscriber receives seamless and optimized video traffic flow. Traffic can also be directed to multiple locations that can provide a number of value-added services, such as antivirus, parental control, and web caching.

Reporting

The reporting functionality addresses application and subscriber visibility. It enables the service providers to control and report the type of traffic in their network. Policy Enforcement Manager implements the reporting functionality by delivering reporting data (usage monitoring) over Gx, and uses the BIG-IP high-speed logging (HSL) infrastructure. HSL logging can include flow-based or session-based information, and it might be sent to an external analytics system.

Supported high availability configuration for Policy Enforcement Manager

Policy Enforcement Manager is supported in an active-standby and active-active configuration with two BIG-IP systems only.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP System: Upgrading Active/Standby Systems and BIG-IP System: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.0.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running WAN Optimization Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP System: Upgrading Active/Standby Systems and BIG-IP System: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.
  5. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS Implementations Creating an Active/Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Known issues

ID Number Description
403592 Platforms with less than 6.5G memory cannot be upgraded to 11.3 if three or more modules are provisioned. Note that upgrades from 10.0.x display only an "upgrade failed" message as a software status. All other versions show a clear error message, guiding the users to SOL13988. Before upgrading, make sure you have only one or two modules provisioned if the BIG-IP system has less than 6.5G of memory.
397157 The service-option attribute of Policy Enforcement > Forwarding > Service Chains is configurable only in tmsh for the 11.3 release.
397397 When multiple static subscriber information is loaded from a .csv file, the subscriber information is lost if enter or CRLF is not entered at the end of each record line. To workaround this issue, press Enter or insert the CRLF character at the end of each row in the .csv file.
398922 Only a single instance of the diameter-endpoint profile is supported in this release: the system-supplied default "gx-endpoint" profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in tmsh.
398416 If Gx reporting is selected for a rule, the BIG-IP system does not process the thresholds specified. It is expected that PCRF over Gx interface specifies the thresholds for each subscriber. Even though the option exists to specify the threshold for Gx reporting, it will be ignored.
398666 In order to combine forwarding endpoints and LSNAT, configure the final egress network to the Internet using the egress-interfaces option on the LSNAT pool.
399119 If a policy matched with flow filters drop or redirect the traffic, that traffic will not match other policy rules which use classification filters.
400065 Active FTP over IPv6 data channel traffic is classified as unknown.
400370 The Gmail webmail traffic is identified as a standard Gmail application, even when the Gmail basic HTML view is opened.
400372 The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and earlier.
400385 When you create an IPv6 radius listener, you then modify the RADIUS virtual to use IPv4. The RADIUS virtual will not work until you do bigstart restart tmm. To work around this issue, do not try to reassign IPv6 RADIUS virtual server to IPv4. If you need an IPv4 RADIUS server, create an IPv4 RADIUS virtual server manually. Otherwise, if you have an IPv6 RADIUS virtual server and want to use it for IPv4 instead, you will have to do bigstart restart tmm from the command prompt in order for the change to take effect. Hence, a RADIUS virtual server will work only after you do bigstart restart tmm if you change its address from IPv6 to IPv4.
400799 The DIAMETER::state command is not implemented for the diameter-endpoint profile or any profiles derived from it (such as the gx-endpoint profile). iRule developers should avoid using the DIAMETER::state command in iRules assigned to diameter-endpoint virtuals.
400893 The .csv file for uploading static subscribers has multiple lines with Mac end of line. To work around this issue, convert the file into WIN file format and upload from the GUI or tmsh. This will solve the issue.
401739 Creation of a large number (>10000) of custom categories or applications could lead to memory exhaustion and possibly crash the BIG-IP system.
402868 The PEM Subscriber import feature does not properly handle importing files which include whitespace in the file's name. To work around this issue, rename such subscriber data files to remove whitespace before importing.
403374 On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported.
404107 A virtual server using the gx-endpoint profile will not disconnect from a pool member that is removed from the pool unless the service-down-action of the pool is set to either drop or reset. To work around this issue, configure the pool associated with the gx-endpoint virtual to have a service-down-action of either drop or reset.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, fill out the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email). To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you would like to subscribe with. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)