Release Note: BIG-IP LTM and TMOS 11.3.0

Original Publication Date: 06/05/2014

Summary:

This release note documents the version 11.3.0 release of BIG-IP Local Traffic Manager and TMOS.

Contents:

- Supported hardware
- Configuration utility browser support
- User documentation for this release
- New in 11.3.0
- New in 11.2.1
- New in 11.2.0
- New in 11.1.0
- New in 11.0.0
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Upgrading from earlier versions
- Upgrading earlier configurations
- Upgrading vCMP guests from version 11.x
- Fixes in 11.3.0
- Fixes in 11.2.1
- Fixes in 11.2.0
- Fixes in 11.1.0
- Fixes in 11.0.0
- Behavior changes in 11.3.0
- Behavior changes in 11.2.1
- Behavior changes in 11.2.0
- Behavior changes in 11.1.0
- Behavior changes in 11.0.0
- Known issues
- Contacting F5 Networks
- Legal notices

Supported hardware

You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x and 9.x
  • Mozilla Firefox 15.0.x
  • Google Chrome 21.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 11.3.0 Documentation page.

New in 11.3.0

CGNAT infrastructure

The Carrier-Grade Network Address Translation (CGNAT) product builds upon functionality in BIG-IP systems, and addresses the IPv4 address depletion problem by extending IPv4 address space and providing an evolutionary transition to IPv6. CGNAT capabilities in the BIG-IP system provide an application-aware, high-performance, flexible, and highly scalable solution to IPv4-to-IPv6 transition and interoperability.

Advanced Routing Module support for ECMP

Equal-cost multi-path routing (ECMP) is a routing mechanism for routing traffic flow along multiple paths of equal cost, with the goal of achieving equally-distributed link load sharing. By load balancing traffic over multiple paths, ECMP offers potential increases in bandwidth, as well as some level of fault tolerance when a path on the network becomes unavailable.

Bidirectional Forwarding Detection (BFD)

With Bidirectional Forwarding Detection (BFD), an administrator can use a single method to check for failure over any media, even those which lack failure detection. The centralized, consistent method facilitates network planning and profiling.

HTTP content adaptation

The BIG-IP system now includes support for HTTP content adaptation, using the industry-standard Internet Content Adaptation Protocol (ICAP). When you add a new Internal type of virtual server, along with some content adaptation profiles and a pool of ICAP servers, to your configuration, the BIG-IP system can adapt the content of any HTTP request or response before forwarding the request or response to its destination. Sample uses of HTTP content adaptation are to perform virus scanning or content filtering.

SPDY profile

With a special Early Access license, this release provides a Local Traffic Manager SPDY profile that you can use for evaluation and testing. This version of the SPDY profile is not intended for production use. Documentation for the options and settings of this profile can be found in the respective Traffic Management Shell (tmsh) man pages, the Traffic Management Shell (tmsh) Reference Guide, and the accompanying SPDY Implementations reference. Should you encounter any problems with this functionality, please contact your F5 Networks representative. Resolution of any software defects found in this version may appear in a future release. To acquire an Early Access license and the SPDY Implementations reference, please contact your F5 Networks account executive.

SSL Forward Proxy

By enabling the BIG-IP system to act as an SSL Forward Proxy, the BIG-IP system can decrypt outgoing SSL traffic, analyze and log the contents, manage traffic, and make use of web acceleration. Added benefits include default-deny SSL-certificate handling, CA white lists, and web certificate decision making. (Note: Taking advantage of the additional benefits requires third-party subscription services, as well as the use of iRules or configuration of ICAP support.)

Unified logging framework extensions

With the new unified logging feature, you can send logs from all BIG-IP products to a central location. The logs can be stored on the BIG-IP system and accessed using MySQL, or sent to remote high-speed log servers, such as Remote Syslog, ArcSight, or Splunk.

Bandwidth Controller (BWC)

Assign a bandwidth ceiling and enforcement to applications, interfaces, subscribers, and subscriber groups with the bandwidth controller (BWC). With BWC, a large number of session bandwidths can be managed fairly, while maintaining quality of service (throughput, number of connections, number of sessions).

Bandwidth limits per route domain

The Bandwidth Controller added in 11.3.0 provides the ability to set granular bandwidth levels on a number of attributes including route domain. This provides the ability to define quality of service to ensure service-level agreements (SLAs) can be defined and met.

ICMP response configuration on a per-virtual server basis

You can now configure whether or not a virtual server responds to ping commands. Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP response. With this functionality, you can control the network visibility of your applications.

Mgmt interface support for DHCP

Deploying Dynamic Host Configuration Protocol (DHCP) on the management port allows automatic IP address configuration and connection, enabling automation of BIG-IP deployment.

IP Tunnel support per route domain

Tunnel endpoint addresses can be configured with a route domain beyond the default. Additionally, the interface representing the tunnel can be added to a route domain. The route domain of the interface need not match that of the tunnel endpoint addresses. This allows inner traffic and outer traffic to belong each to a different route domain. This change only applies to IPIP, GRE, and EtherIP tunnels.

Transparent tunneling support

Transparent tunnels give the BIG-IP system the ability to inspect and/or manipulate encapsulated traffic that is flowing through a BIG-IP system, while presenting the illusion that the traffic flows through the device undisturbed.

Ratio based load balancing with CARP persistence

Cache Array Routing Protocol (CARP) Persistence now leverages pool member ratio to enhance traffic distribution to heterogeneous server pools. Administrators can direct more traffic to more capable servers. The pool member's ratio is considered when calculating the hash value in the CARP mode of hash persistence.

2000s/2200s/10200v Platforms

This release features support for the 2000s, 2200s and the 10200v platforms, appliance platforms which are key to F5's Intelligent Services Platform delivering industry leading application level performance and flexible scale to enable organizations of all sizes to deploy and consolidate advanced application delivery services. For more information, see Platform Guide: 2000s / 2200s and Platform Guide: 10200v.

VIPRION C4800 Platform

This release features support for the VIPRION C4800 Chassis Platform, which is a new 8-blade chassis supporting the recently announced B4300 blades. The C4800 doubles the intelligent on-demand scale of the previous VIPRION C4480 chassis. For more information, see Platform Guide: VIPRION 4800.

Hyper-V hypervisor support

This release provides full support for Hyper-V, a native hypervisor that enables platform virtualization on x86-64 systems.

KVM hypervisor support

This release provides full support for Kernel-based Virtual Machine (KVM), a virtualization infrastructure for the Linux kernel.

New in 11.2.1

BIG-IP 4000 platform

This release provides support for the new BIG-IP 4000 platform. The 4000 platform is a new design providing leading price/performance, as well as leading performance/watt-saving on datacenter power and cooling costs in a 1U form factor. For more information, see Platform Guide: BIG-IP 4000 platform.

Consolidated sync status for Device Service Clustering (DSC)

This release provides a single BIG-IP Configuration utility Overview screen to quickly view sync status for all device groups defined on the BIG-IP system. For each device group, you can determine whether a config sync is required, view the recommended sync action, and sync the BIG-IP configuration among device group members. In general, you can easily manage config sync tasks for all device groups at a glance, from a single location in the BIG-IP Configuration utility.

Connection rate limit per virtual server, pool member, or node

In this release, you can configure a connection rate limit per virtual server, pool member, or node. A virtual server, pool member, or node can prevent an excessive number of connection requests during events such as a Denial of Service (DoS) attack or a high-demand shopping event. When you specify a connection rate limit, the system controls the number of allowed new connections per second, thus providing a manageable increase in connections without compromising availability. You can find the options: Connection Rate Limit, Connection Rate Limit Mode, Connection Rate Limit Source Mask, and Connection Rate Limit Destination Mask on the configuration and properties screens for Virtual Servers, and the Connection Rate Limit option on a pool member's properties screen, as well as the configuration and properties screens for Nodes. Online help provides additional information about functionality.

Diffie-Hellman SSL key exchange cipher

The Diffie-Hellman SSL key exchange cipher, which provides perfect forward secrecy (PFS), is now included natively. This provides better performance for configurations using Diffie-Hellman, especially on physical platforms that have hardware SSL acceleration.

Serial output logging

Always-On Management (AOM) version 10.1.13 now saves the recent contents of serial output from the host across host reboots, even when no serial console is attached. The system writes contents to log files on both the AOM and the host, either after a host reboot/power event or at a user's request. Note that this feature is not enabled by default. To enable it, you must manually change and restart the hostconsh script.

New in 11.2.0

Google Chrome support

This release provides full support for current releases of the Google Chrome browser.

SPDY profile

With a special Early Access license, this release provides a Local Traffic Manager SPDY profile that you can use for evaluation and testing. This version of the SPDY profile is not intended for production use. Documentation for the options and settings of this profile can be found in the respective Traffic Management Shell (tmsh) man pages, the Traffic Management Shell (tmsh) Reference Guide, and the accompanying SPDY Implementations reference. Should you encounter any problems with this functionality, please contact your F5 Networks representative. Resolution of any software defects found in this version may appear in a future release. To acquire an Early Access license and the SPDY Implementations reference, please contact your F5 Networks account executive.

BEAST Exploit protection

In this release, TLS 1.1 support in hardware provides additional protection against the BEAST Exploit vulnerability found in SSL 3.0/TLS 1.0.

IPv6 standards compliance

In this release, the BIG-IP IPv6 standards compliance has been improved.

DSC debugging tools

In this release, the cm module of tmsh includes a number of powerful tools for viewing information and statistics about the BIG-IP system and the traffic and device groups you have configured.

Transitioning between IP infrastructure supported

In this release, for L3 encapsulation tunnels, the BIG-IP system now supports mixed address types, that is, IPv6-in-IPv4 and IPv4-in-IPv6 encapsulations for transitioning between IP infrastructure. These mechanisms are represented by RFC4213 and RFC2473, respectively.

Terminating IPIP encapsulation tunnels supported

In this release, the BIG-IP system can now terminate encapsulation tunnels originating from third party devices, without you having to specify the IP address for every device.

DNS cache

In this release, you can configure a cache on the BIG-IP system to cache DNS responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache.

Customized SNMP MIBs

In this release, the BIG-IP system supports the creation of customized MIB entries using TCL commands to provide visibility to statistics and information that are not available through standard MIBs.

DHCP Relay renewal forwarding

In this release, DHCP Relay renewal traffic is handled by the DHCP Relay profile.

sFlow support

In this release, you can configure the BIG-IP system to poll internal data sources and send data samples to an sFlow receiver. (Currently, the BIG-IP system supports only counter sampling on only VLANs and interfaces.) You can use the collected data to analyze the performance of the BIG-IP system.

Provisioning and device version requirements for iApp templates

iApp templates can now check for installed BIG-IP modules, as well as set minimum and maximum BIG-IP versions, and warn users of missing modules and incompatible version use before deploying the template as an application service. Template authors can specify the required BIG-IP modules and the minimum and maximum BIG-IP versions in the Template Properties screen of the Configuration utility. Template validity is also indicated in the Validity column of the Template List.

Diameter monitor enhanced

In this release, enhancements have been made to improve Diameter monitor operation. To support graceful shutdown of a Diameter monitor session, a DPR is now sent after a CEA is received. If a CEA is not received, the BIG-IP system tears down the connection and does not send a DPR. From the BIG-IP system's point of view, the server is down. To resolve conflicts between active and standby units if the end-user configured origin-host creates conflicts, the BIG-IP system now adds the local box host name according to user configuration. The unique origin-host prevents detecting the wrong status caused by two units using the same origin-host because the server may accept only one connection from a single origin-host.

SCTP remote multi-homing

In this release, BIG-IP software supports SCTP remote multi-homing with multiple IP addresses for a single connection.

TCL packages for iApps and tmsh scripts

In this release, the BIG-IP system includes some common TCL packages. The iApps and tmsh scripts are now extensible through the standard TCL mechanisms. Note that these libraries are not available for use in iRules.

LDAP authorization enhanced to search for group membership

In this release, you can use LDAP membership as a part of remote role determination when you are assigning a role to a user of the BIG-IP system.

IPv6 support for the management port

In this release, you can use IPv6 addresses for the BIG-IP system management interface.

Private per-object metadata

In this release, using tmsh or iControl, you can define metadata and retrieve user-defined metadata for certain BIG-IP LTM and GTM configuration objects, including virtual addresses and iApp application services. This metadata is in the form of a string key-value pair, as well as a Boolean value that indicates whether the key should be persisted or is ephemeral.

Memory usage improvement

In this release, the BIG-IP system Configuration utility memory usage has been improved.

SCTP support

In this release, the BIG-IP system supports SCTP per RFC 2960.

B4300 enhancement

In this release, vCMP Guest access to hardware SSL and compression resources has been enhanced on the B4300 blades.

HTTP to HTTPS redirect option for the Configuration utility

In this release, you can configure the BIG-IP system to redirect HTTP requests for the BIG-IP system Configuration utility to HTTPS.

BIG-IP IPsec certification

For this release, BIG-IP IPsec was certified by ICSA. iControl now supports IPsec.

VMware vCloud Director support

In this release, BIG-IP Virtual Edition supports VMware vCloud Director.

% notation hiding on default RD-enabled

The BIG-IP route domains feature includes the concept of default route domains, to minimize the need for you to specify the %<ID> notation. When you designate a route domain as the default route domain in a partition, any BIG-IP system objects (such as node addresses) in that partition that do not include the %<ID> notation in their IP addresses are automatically associated with the default route domain.

iRules support for protocols with separate data channel

In this release, you can specify existing iRules that you want the virtual server to apply to the data channel of FTP or RTSP traffic. Additionally, this feature can provide byte counts for all of the supported protocols (FTP, RTSP, and so on) that have either separate data channels or hierarchically organized data channels. This feature is available when you have assigned an FTP or RTSP profile to a virtual server.

Targeted traffic group failover

When you force a traffic group into a standby state, you can choose the specific device to which the traffic group fails over, if the device group has more than two members. Forcing a traffic group into a standby state causes the traffic group to become active on the selected device.

Multiple route domains for Advanced Routing Modules supported

In this release, for each route domain on the BIG-IP system (including route domain 0), you can enable one or more dynamic routing protocols. For example, you can enable BGP4 and OSPFv3 on a specific route domain. When you enable dynamic routing on a specific route domain, the BIG-IP system creates a dynamic routing instance. This dynamic routing instance is made up of the core dynamic routing daemons (imi and nsm), as well as each relevant dynamic routing protocol daemon.

SIP OneConnect

In this release, the SIP OneConnect feature allows connection flow reuse between inbound and outbound virtual servers for UDP connections. This feature addresses common SIP client behavior where source and destination ports are both 5060. See the BIG-IP LTM Concepts Guide for more details about how to implement SIP OneConnect.

IP intelligence

In this release, you can use iRules to determine the reputation of an IP address and operate based on that reputation. The IP reputation database is regularly updated, and contains the following categories:

  • Windows Exploits: IP addresses that have exercised various exploits against Windows resources using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.
  • Web Attacks: IP addresses that have launched web attacks of various forms.
  • Botnets: IP addresses representing compromised computers on the Internet that are now part of a botnet (machines that send spam messages, launch various attacks, or behave in other unpredictable ways).
  • Scanners: IP addresses that have been observed to scan ports or networks, typically to identify vulnerabilities for subsequent exploits.
  • Denial of Service: IP addresses that have launched denial of service attacks, often requests for legitimate services, but which occur at such a fast rate that targeted systems cannot respond and become overloaded or unable to service legitimate clients.
  • Reputation: IP addresses that issue HTTP requests with a low average reputation, or that request only known malware sites.
  • Phishing: IP addresses associated with phishing websites (sources that attempt to acquire information such as user names, passwords, and credit card details by masquerading as a trustworthy entity).
  • Proxy: IP addresses associated with web proxies, which can be used to conceal an attacker's identity.
  • Network: Networks (/24) in which the majority of IP addresses have exhibited suspicious behavior.

You can configure the system to reject a request from IP addresses in a specific reputation category. To enable this feature, run the command tmsh modify sys db iprep.autoupdate value enable. To disable this feature, run the command tmsh modify sys db iprep.autoupdate value disable. To look up the reputation of a specific IP address, run the command iprep_lookup <IP address>. For this release, only IPv4-formatted IP addresses are supported. A free 30-day evaluation of the IP intelligence service is available.

New in 11.1.0

IPv6 to IPv4

In this release, you can configure the BIG-IP Local Traffic Manager (LTM) to load balance IPv6-only client connection requests to IPv4-only servers on your network by returning an AAAA record response to the client.

Route Domains for IPv6

In this release, Route Domains support IPv6, providing the same capabilities of IPv4, including strict isolation between route domains and overlapping IP addresses, as well as support of a single route domain for both IPv4 and IPv6 virtual servers in the same route domain.

Analytics Enhancements

In this release, analytics:
  • Support IPv6
  • Support VIPRION platforms
  • Work in vCMP
  • Support statistics in TMSH
  • Store AVR statistics in the iStats library
  • Support configuration through iControl
  • Support iRule hooks

Virtual Edition

This release adds Microsoft Hyper-V (Lab only) and Citrix XenServer support in addition to VMware vSphere for all BIG-IP Virtual Editions (Local Traffic Manager, Access Policy Manager, Application Security Manager, Edge Gateway, Global Traffic Manager, WebAccelerator, and WAN Optimization Manager).

iRule Commands Referencing External Files (iFiles)

In this release, you can use an iRule to get external content or files and present the results.

Digitally Signed iRules

In this release, you can digitally sign iRules, providing the ability to verify that an iRule has not changed since it was signed by the author. You can now verify downloaded and imported iRules, as well as iRules that are deployed across an organization. If the verification test fails, the iRule will not load, thus protecting the user from any unknown changes. If necessary, a user can override this option and load the iRule even if verification fails.

iRule Editor Role

In this release, an iRule Editor Role provides the ability to create and modify new iRules, while preventing the ability to assign an iRule to a new virtual server unless that iRule was previously assigned.

Cryptographic Operations for iRules

In this release, iRules support encryption and decryption of data that is compatible with external devices. iRules support includes the following ciphers:

  • RC4
  • DES
  • 3DES
  • AES

Additionally, iRules support includes the following encryption modes:
  • ECB
  • CBC
  • CTR

DNS iRules

DNS iRules provide fully customizable intelligent DNS. The new DNS iRules commands are applied to the DNS listener and triggered by the DNS_REQUEST and DNS_RESPONSE events. They require a DNS profile and are enabled as part of the Global Traffic Manager module or the new DNS add-on bundle for Local Traffic Manager. DNS iRules adds commands useful for modifying and inspecting DNS packets. Capabilities include: manipulating (read/modify) DNS queries, DNS resource records (RR), and DNS responses. Additional commands provide the ability to control DNS flow by dynamically enabling and disabling DNS features. DNS iRules make it easy to implement DNS filtering, query logging, and other DNS firewall use cases.

You can find extensive information about iRules on the F5 DevCentral web site.

Link Layer Discovery Protocol

In this release, Network Management Systems use Link Layer Discovery Protocol (LLDP) to identify and map the physical topology of a network, which is useful in the troubleshooting and orchestration of the network. The BIG-IP system can provide the following information by using LLDP:
  • Chassis ID
  • Port ID
  • TTL
  • Port Description
  • System Name
  • System Description
  • System Capabilities
  • Management Address
  • Port VLAN ID (untagged VLAN ID)
  • Port and Protocol VLAN ID
  • VLAN Name (complete list of tagged/untagged VLANs)
  • Protocol Identity
  • MAC/PHY
  • Link Aggregation
  • Maximum Frame Size
  • Product Model

SSL SAN Certificates

In this release, you can manage SSL Certificates by means of TMSH and the BIG-IP Configuration utility.

Transport Layer Security Server Name Indication

This release supports Transport Layer Security (TLS) Server Name Indication (SNI) in the SSL Stack.

TMSH Shared Alias File

In this release, aliases are stored in the configuration, making content accessible to other users on the BIG-IP system. You can create aliases for scripts or define a standard for consistent use.

BIG-IP nPath Encapsulation Tunneling to Pool Members

In this release, you can establish encapsulation tunnels from a BIG-IP system to backend pool members. This is an enhancement to nPath. We now offer IP Tunnel (L3) Encapsulation in nPath to pool members. This functionality supports IPv4 and IPv6 addresses. You can configure BIG-IP Encapsulation Tunneling by means of TMSH and iControl, enabling encapsulation for a pool and disabling encapsulation by pool member.

Dynamic Host Configuration Protocol Relay

In this release, the BIG-IP system introduces the Dynamic Host Configuration Protocol (DHCP) Relay virtual server, providing the ability to proxy DHCP requests between VLANs.

Jumbo Frame Support

This release provides 1800-byte frame support on: BIG-IP 3900, 6900, 89x0, and 110x0 platforms, and on B4100 (PB100) and B4200 (PB200) blades. This release also provides 9198-byte frame support on B2100-bladed BIG-IP 2400 chassis.

NTLM/NTLMv2 Authentication Support for HTTP/HTTPS Monitors

For an HTTP/HTTPS monitor to successfully use NTLM or NTLMv2 authentication, a monitor must meet the following configuration requirements:
  • The monitor must have a send string. Because it is necessary to use HTTP version 1.1, the send string must be, at minimum: "GET /<optional file name/path> HTTP/1.1\r\nHost: <host name of website>"
  • The monitor must have a receive string.
  • The monitor cannot be a reverse monitor.
  • The monitor must have a username. The user name may be either a simple username or it can be the domain/username. Both '\' and '/' are recognized.
  • The monitor must have a password.
Once this monitor is associated with a pool or pool member, it only enacts NTLM if the request with Basic Auth gets a 401 response with a WWW-Authenticate header set to NTLM. At this point the NTLM handshake should commence. Here is an example monitor:

    ltm monitor http /Common/http_testauth {
        defaults-from /Common/http
        destination *:*
        interval 5
        password default
        recv 200 OK
        send "GET / HTTP/1.1\\r\\nHost: portal.authtest.tc.requestsite.com"
        time-until-up 0
        timeout 16
        username AUTHTEST/administrator
    }

Note that the domain, in this case AUTHTEST, must be capitalized for authentication to be successful.
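
The requirements listed above can be checked against a monitor stanza before it is deployed. The following is an added example, not F5 code: the `KEYS` set, the function names, and the `http_legacy` stanza are assumptions made for illustration, and the first sample is the flattened monitor as published in this release note.

```python
import re

# Properties this check understands: those in the release note's example stanza,
# plus "reverse" (assumed to appear as "reverse enabled" when set).
KEYS = {"defaults-from", "destination", "interval", "password", "recv",
        "reverse", "send", "time-until-up", "timeout", "username"}

STANZA = re.compile(r"ltm\s+monitor\s+(https?)\s+(\S+)\s*\{(.*)\}", re.S)
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([^\s{}]+)')
HOST_LINE = re.compile(r"(?:\\+n|\n)Host:\s*\S+")  # escaped or literal newline

# The example monitor from the release note, flattened as published.
PAGE_EXAMPLE = r'''ltm monitor http /Common/http_testauth { defaults-from /Common/http destination *:* interval 5 password default recv 200 OK send "GET / HTTP/1.1\\r\\nHost: portal.authtest.tc.requestsite.com" time-until-up 0 timeout 16 username AUTHTEST/administrator }'''

# Constructed counter-example that breaks every listed requirement.
CONSTRUCTED_BAD = r'''ltm monitor http /Common/http_legacy {
    defaults-from /Common/http
    reverse enabled
    send "GET /status HTTP/1.0\\r\\n"
    username authtest\administrator
}'''


def parse_monitor(stanza):
    """Return (type, name, {property: value}) for a flattened or multi-line stanza."""
    m = STANZA.search(stanza)
    if not m:
        raise ValueError("not an ltm monitor http/https stanza")
    props, key = {}, None
    for quoted, bare in TOKEN.findall(m.group(3)):
        if bare in KEYS:            # only an unquoted word can start a property
            key = bare
            props[key] = []
        elif key is not None:       # unquoted values may span words ("200 OK")
            props[key].append(bare if bare else quoted)
    return m.group(1), m.group(2), {k: " ".join(v) for k, v in props.items()}


def ntlm_findings(stanza):
    """List the requirements from the release note that the monitor fails."""
    _type, _name, p = parse_monitor(stanza)
    findings = []

    send = p.get("send", "")
    if not send:
        findings.append("no send string")
    elif "HTTP/1.1" not in send or not HOST_LINE.search(send):
        findings.append("send string is not an HTTP/1.1 request with a Host header")

    if not p.get("recv"):
        findings.append("no receive string")

    if p.get("reverse", "disabled") == "enabled":
        findings.append("reverse monitor")

    user = p.get("username", "")
    if not user:
        findings.append("no username")
    else:
        # Both '\' and '/' separate domain from user; the domain must be upper case.
        parts = re.split(r"[\\/]+", user, maxsplit=1)
        if len(parts) == 2 and parts[0] != parts[0].upper():
            findings.append("domain %r is not upper case" % parts[0])

    if not p.get("password"):
        findings.append("no password")
    return findings


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        _, name, _ = parse_monitor(sample)
        problems = ntlm_findings(sample)
        print(name, "->", "OK" if not problems else "; ".join(problems))
```
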

New in 11.0.0

Device Service Clustering

In this release, the Traffic Management Operating System (TMOS) within the BIG-IP system includes an underlying architecture that allows you to create an N+1 redundant system configuration, known as device service clustering (DSC). This redundant system architecture provides both synchronization of multiple BIG-IP configuration data and high availability at user-defined levels of granularity.

iApps

In this release, you can create customized templates to quickly and easily deploy applications on your network. iApps allow creation of application-centric configuration interfaces on BIG-IP systems, reducing configuration time and increasing accuracy of complex traffic management configurations.

Analytics

This release provides Analytics, a module that provides application visibility and reporting capabilities. Using this module, you can analyze performance of web applications by viewing detailed metrics for applications, virtual servers, pool members, URLs, and specific countries. You can also view detailed statistics about application traffic running through the BIG-IP system.

Diameter Enhancements

In this release, BIG-IP Local Traffic Manager (LTM) load balances and persists requests that applications send to servers running Diameter services. The BIG-IP system can also monitor each server to ensure that the Diameter service remains up and running.

IPv4-to-IPv6 Gateway

In this release, BIG-IP LTM functions as an IPv4-to-IPv6 gateway. You configure the radvd service to send out ICMPv6 routing advisory messages, and to respond to ICMPv6 route solicitation messages. This allows the BIG-IP system to support auto-configuration of downstream nodes, and the downstream nodes to automatically discover that the BIG-IP system is their router. Note that in version 11.1.0 and later, the radvd daemon has been removed and its functionality moved into TMOS. That means that instead of configuring the radvd daemon, you configure route advertisements using tmsh. See the 'net router-advertisement' section of the tmsh manual or the tmsh command-line help for information.

TCP Request Queuing in Pools

In this release, TCP request queuing provides the ability to queue connection requests that exceed the capacity of connections for a pool, pool member, or node, as determined by the connection limit. Consequently, instead of dropping connection requests that exceed the capacity of a pool, pool member, or node, TCP request queuing enables those connection requests to reside within a queue in accordance with defined conditions until capacity becomes available.

Certificate Administrator Role

This release provides a Certificate Administrator Role. A user that is assigned this role can only manage SSL certificates.

Per Module Statistics

In this release, you can view "real-time" CPU and memory usage statistics for individual modules.

Per Virtual Server Statistics

In this release, you can view "real-time" profile and CPU usage statistics for individual virtual servers.

Out of Band TCP Connections

This release provides the ability to establish out of band TCP Connections from an iRule.

Read and Write Access to TCP Options

This release provides read and write access to the TCP options field using iRules.

You can find extensive information about iRules on the F5 DevCentral web site.

SNMP Support for Dynamic Routing Protocols

This release provides SNMP support for ZebOS dynamic routing protocols.

tmsh Description Field for Configurable Components

In this release, there is a Description field available for configurable tmsh components.

TLS 1.2 Support

This release supports Transport Layer Security (TLS) 1.2, the SHA 2 Cipher, and SHA256 hash.

Request Logging Profile

The new Request Logging profile enables configuration log entries to be reported when requests/responses are received, supports audit logging of HTTP/decrypted HTTPS requests/responses, and enables specification of a response to be issued when specific requests/responses occur. For example, the system uses this response when you enable Respond On Error to suggest a retry, or to redirect the browser to an alternate page. Although there are no specific examples in the online help that describe how to craft Template and Error Template entries, you can find a table of supported parameters in the BIG-IP WebAccelerator System: Implementations guide on AskF5.

Version 11.0.0 Documentation

This release provides an enhanced documentation paradigm for Local Traffic Manager, Global Traffic Manager, and Link Controller. Concept guides and implementation guides replace the former configuration guides. This change helps make information more accessible and more task-focused, which improves the user experience and enhances usability.

Proxy SSL Support

This release provides Proxy SSL support in Client SSL and Server SSL profiles, which enables direct client-server authentication. You can find information about Proxy SSL in the BIG-IP Local Traffic Manager: Implementations guide on AskF5.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
ID 223704 When you import a single configuration file (SCF file) that contains VLANs of the same name that exist in different administrative partitions, the operation fails with an unknown operation error. To work around this issue, before installing an SCF file, run the tmsh load sys config default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
ID 366172 A pre-v11.x configuration that was created with the bigpipe cli ip addr option set to name may cause configuration load failure on upgrade due to resolved names saved to the bigip.conf file rather than IP addresses. The workaround is to change the cli setting to 'cli ip addr number', save the config on the pre-v11.x unit, and then run the upgrade.
ID 370964 When upgrading a 10.x standard active/standby pair, the recommendation is to start with the device with the numerically highest management IP address. There is a change in behavior in 11.1.0 that automatically selects the system with the highest management IP address as the active member of the device group. Depending on your configuration, an upgrade could result in lost traffic.
ID 378430 When upgrading to version 11.x, with a WAM policy containing no nodes, the upgrade fails with the following error message: Tmsh load failed: 01071419:3: Published policy (/Common/empty_policy) must have at least one node. Unexpected Error: Loading configuration process failed. There are two options for working around this problem:
  1. Before upgrading, add a new node to the empty policy with the default settings. Publish the policy. Then upgrade.
  2. Before upgrading, remove the empty policy from any applications and delete the policy. You may create a copy of the policy before deleting, as long as you do not publish the copied policy. Then upgrade.
ID 384569 If an object is in a partition with the default route domain set, and that object refers to an object with an IP address in /Common, a config rolled forward from a previous release might not load. When using the default route domain for a partition, all objects with addresses should be in that partition. To work around this issue, move objects into /Common or edit the config file and for all conflicting objects in common, append %0 to the name/address. For example, if a pool in partition_1 references a member in route-domain 0:

    ...
    shell write partition Common
    node 10.10.20.1 { addr 10.10.20.1 }
    ...
    shell write partition partition_1
    pool rd0-pool1 { members 10.10.20.1:any {} }
    ...

change it to:

    ...
    shell write partition Common
    node 10.10.20.1%0 { addr 10.10.20.1 }
    ...
    shell write partition partition_1
    pool rd0-pool1 { members 10.10.20.1%0:any {} }
    ...

ID 394873 The upgrade process does not update Tcl scripts (such as iRules) in the configuration. This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.
ID 398067 As of version 11.0 a check is performed to ensure a failover unicast address actually exists. In configurations using the management port for failover, the management IP and unicast failover IP must be identical for failover to function properly. They must also be identical before upgrading. Releases preceding and including 11.3.0 do not automatically modify the unicast failover IP when the management IP is changed or vice-versa. This can cause failures when loading the config after an upgrade. This is an example error: 0107146f:3: Self-device unicast source address cannot reference the non-existent Self IP (a failover IP); Create it in the /Common folder first. Before upgrading, ensure that the management IP and unicast failover IP are identical.
ID 399013 On 10.x-to-11.x upgrade, the UCS restore lowers the cache size by 25% for all web-acceleration profiles.
ID 399510 On BIG-IP Virtual Edition systems running software prior to 11.3.0 with statically configured management port IP addresses only, disable the DHCP service with the command "tmsh modify sys global-setting mgmt-dhcp disabled" prior to upgrading to this release of BIG-IP software. Disabling the DHCP service prior to upgrading will preserve the static IP address configuration as part of the installation. Statically configured management port IP addresses on BIG-IP hardware platforms are not required to have this configuration change prior to upgrading.
ID 401367 Version 11.x added validation around the use of CACHE:: commands on virtual servers with RAM cache enabled. The result is that upgrading from version 10.x to 11.x fails under certain configuration conditions, for example, if the configuration contains a CACHE_RESPONSE event in an iRule, and there is not an associated Web Acceleration profile applied to that virtual server. To work around the upgrade failure, locate and remove the applicable iRules and virtual servers in the configuration, and try loading the configuration again.
ID 401828 Problem: The following configurations are invalid for a SIP virtual server: a) a TCP virtual with a UDP profile + SIP profile; b) a UDP virtual with a TCP profile + SIP profile. Result: If such a configuration exists in previous versions, it will load in 11.3 but may cause a core. Solution: You must fix the configuration manually: a) a SIP TCP virtual must have TCP as one of its profile types; b) a SIP UDP virtual must have UDP as one of its profile types.
ID 402528 There is now more stringent validation on protocol profile combinations. You cannot configure UDP, TCP, and SCTP protocol profiles for handling the same client-side or server-side traffic. In addition, the following profiles are mutually exclusive: SIP, RTSP, HTTP, Diameter, RADIUS, FTP, and DNS. If one of these profiles is assigned to a virtual server, you cannot assign another one. In the past, the BIG-IP system did not prevent such invalid combinations; now it does. If you have previous configurations containing this invalid combination of profiles, you must correct the configuration before the upgrade can succeed. When you upgrade from pre-11.3.x versions, if you see such an error message during configuration load, fix those invalid combinations and try the upgrade again.
ID 403592 Platforms with less than 6.5 GB memory cannot be upgraded to version 11.3.0 if three or more modules are provisioned. Note that upgrades from version 10.0.x display only an "upgrade failed" message as a software status. All other versions show a clear error message, guiding the users to SOL13988. Before upgrading, make sure you have only one or two modules provisioned if the BIG-IP system has less than 6.5 GB of memory.
ID 403667 In this release, improved validation does not allow users to upgrade or configure VLANs with names greater than 64 characters. This mitigates system instability found when this validation was not present. During upgrade from 10.x to 11.x, this new validation code prevents VLANs with names longer than 64 characters from passing validation. The problem is complicated by the fact that the BIG-IP system prefixes partition_path to vlan_name. That means that a VLAN named vlan_site6 in the Common partition is actually named /Common/vlan_site6. If you have VLANs with names longer than 64 characters, upgrade fails. To work around this, change the VLAN names before upgrading. This involves changing the VLAN name as well as any configuration objects that refer to that VLAN.
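
A pre-upgrade check for the ID 403667 condition above, as an added example that is not F5 code: it computes each VLAN's post-upgrade name (/partition/vlan_name) from a 10.x-style configuration and lists the lines that reference any VLAN over the 64-character limit. The stanza layout, the sample configuration and the function names are assumptions constructed for illustration, following the "shell write partition" style shown in ID 384569.

```python
import re

# Limit stated in ID 403667. It applies to the full name, partition path included.
MAX_VLAN_NAME = 64

# Constructed sample, not taken from a real system. Assumed layout: a
# "shell write partition <name>" directive sets the partition for the
# unindented "<type> <name> {" stanzas that follow it.
SAMPLE_CONFIG = """\
shell write partition Common
vlan vlan_site6 {
   tag 4093
   interfaces 1.1
}
shell write partition customer_edge_partition_01
vlan vlan_datacenter_east_rack_42_uplink_to_core_a {
   tag 120
   interfaces 1.2
}
self 10.10.30.1 {
   netmask 255.255.255.0
   vlan vlan_datacenter_east_rack_42_uplink_to_core_a
}
"""

PARTITION_RE = re.compile(r"^shell write partition (\S+)\s*$")
# Only unindented lines open a VLAN stanza; an indented "vlan <name>" line
# inside another object is a reference, not a definition.
VLAN_RE = re.compile(r"^vlan (\S+) \{\s*$")


def find_long_vlans(config_text, limit=MAX_VLAN_NAME):
    """Return VLANs whose /partition/name path is longer than `limit`."""
    partition = "Common"  # assumption: objects before any directive are in Common
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = PARTITION_RE.match(line)
        if match:
            partition = match.group(1)
            continue
        match = VLAN_RE.match(line)
        if match:
            name = match.group(1)
            full_path = "/%s/%s" % (partition, name)
            if len(full_path) > limit:
                findings.append({
                    "line": lineno,
                    "partition": partition,
                    "name": name,
                    "full_path": full_path,
                    "length": len(full_path),
                })
    return findings


def find_references(config_text, vlan_name, defined_at):
    """List (line number, text) pairs that mention vlan_name as a whole token.

    The match is by name only and is not scoped to a partition, so the result
    is a list to review before renaming, not a list to rewrite blindly.
    """
    token = re.compile(r"(?<![\w.-])" + re.escape(vlan_name) + r"(?![\w.-])")
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(config_text.splitlines(), 1)
        if lineno != defined_at and token.search(line)
    ]


def report(config_text):
    """Build a readable report: one block per VLAN that would fail validation."""
    lines = []
    for item in find_long_vlans(config_text):
        lines.append("%s is %d characters (limit %d), defined at line %d"
                     % (item["full_path"], item["length"], MAX_VLAN_NAME, item["line"]))
        for lineno, text in find_references(config_text, item["name"], item["line"]):
            lines.append("    referenced at line %d: %s" % (lineno, text))
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_CONFIG) or ["No VLAN names exceed the limit."]:
        print(entry)
```

In the sample, the second VLAN name is within the limit on its own and exceeds it only once the partition path is prefixed, which is the case the release note warns about.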

Upgrading vCMP guests from version 11.x

Warning: Upgrading to version 11.3.0 fails on Virtual Clustered Multiprocessing (vCMP) guests. Resolution of this issue is available in hotfixes for versions 11.x (Hotfix-BIGIP-11.1.0-2438.0-HF6 (or later), Hotfix-BIGIP-11.2.0-2747.0-HF4 (or later), and Hotfix-BIGIP-11.2.1-1042.0-HF3 (or later), and other hotfixes published after 12/17/2012), as well as with a patch fix file (available immediately). If there is a hotfix version available published after 12/17/2012, apply that hotfix before upgrading to version 11.3.0. If there is no hotfix available after that date, you must download the patch file.
Note: This is only on the vCMP guest (Z101 platform) and not the hypervisor. The hypervisor is unaffected.

You have two options to successfully upgrade vCMP guests to 11.3.0:

Upgrade to a hotfixed version 11.x

First apply a hotfix published after 12/17/2012 to the existing vCMP guest. To download a hotfix:

  1. Navigate to the F5 Downloads site (https://downloads.f5.com).
  2. Select the hotfix file (published after 12/17/2012) for your configuration.
  3. Apply the hotfix using the System > System Management > Hotfix List screen.
  4. Retry the version 11.3.0 installation.

Get an IM patch file

If there is no applicable hotfixed version in which this problem is resolved, you can download a fix. The patch fix file name is patch.406748.im. To apply the patch:

  1. Navigate to the F5 Downloads site (https://downloads.f5.com).
  2. Download the fix file to the BIG-IP system.
  3. In a shell on the BIG-IP system, run the command im patch.406748.im.
  4. Reboot the BIG-IP system.
  5. Retry the version 11.3.0 installation operation.

Fixes in 11.3.0

ID Number Description
ID 225019 BIG-IP Virtual Edition Network interfaces no longer process network traffic if they are disabled using BIG-IP software commands (although they might retain link state).
ID 226303 The Monitor Instance List now displays correct totals.
ID 227236 A log message was added to indicate when a rate ceiling limit is reached. Added a new DB variable 'rateshaper.logratelimit' which defines the time interval at which to log the rate ceiling limit reached message. A value of 0 for this db variable means that the logging is disabled. For example, a value of 3 means that, after the first instance of log ceiling limit reached is logged, wait for at least 3 seconds to verify if the ceiling limit is reached or not. Here is a sample log message: Sep 7 14:22:50 8900_83 notice rateshaper_input/1513: Rate ceiling limit triggered for rate class: /Common/testRateClass.
ID 246920 Transparent IPv6 monitors in LTM and GTM now work correctly.
ID 248139 Messages logged from TMM to syslog now correctly contain the hostname for the BIG-IP they are logged from, rather than the generic hostname "tmm".
ID 337583 When using the percent up cluster members feature of ha-groups, the cluster member portion of the ha-group is now loaded after a reboot.
ID 344231 The "Name" and "Address" fields for CRLDP Servers are now indicated as required fields.
ID 358362 Previously, object names beginning with 'default' or 'any' were forbidden by overly-restrictive validation. Object names may now begin with 'default' or 'any'. For example, "default_6" is accepted as a valid name.
ID 358442 HSB firmware version 1.4.2.0 provides internal stability and performance improvements for PB100 blades.
ID 361790 iControl System::Statistics::reset_all_statistics no longer hangs and produces a timeout error. Various daemons processing unexpected stats reset messages now remain stable.
ID 364825 Keys that are stored on a FIPS card are now correctly included during device group synchronization.
ID 366831 Removed the DigiNotar CA certificate.
ID 373278 The source-address persistence failure issue has been fixed.
ID 374969 A defect has been fixed which could cause master key decryption failures upon syncing configuration between devices. The following message in /var/log/ltm indicates such a failure condition: "Master Key decrypt failure - decrypt failure - final"
ID 376568 When the aggressive sweeper is called and connections are reaped, a log entry is now written stating how many connections were killed.
ID 376995 "tmsh create sys crypto key gen-csr" now properly includes any specified subject alternative name in the generated CSR.
ID 378043 Modifying a single GTM pool object in the GUI should no longer cause all pools to update with the same changes.
ID 378990 The SSL Certificate Common Name is now parsed correctly as the first CN listed in RFC2253 format.
ID 380036 tcpdump has been enhanced to handle peer flows via a :p interface parameter. For details, please refer to the BIG-IP section of the tcpdump manpage.
ID 380417 The new behavior does not require serverssl at the client side.
ID 380880 Database monitors now support multiple route domains.
ID 382366 An issue was corrected that could cause IPv6 port numbers or route domains to be misformatted in persistence cookies.
ID 383405 If a Copper SFP interface is administratively disabled when the BIG-IP system is rebooted, the Copper SFP interface will once again be able to pass traffic after the interface is re-enabled.
ID 383692 SSL monitors no longer use SSL ticket extensions, which works more reliably with older versions of SSL.
ID 383793 Load balancing information that was lost when using OneConnect is now preserved and available for logging.
ID 383906 Under certain circumstances, random memory may be zeroed out when OneConnect and HTTP::enable/disable are used together. This defect has been corrected.
ID 384634 In previous versions of BIG-IP after 11.1.0, there were conditions under which both the text of an iRule script and its priority (or order in application to the virtual) were changed and caused a core. This could also happen during configsync. These conditions have been addressed, and the core no longer occurs.
ID 384752 A guest deployed to a disabled blade should remain offline. Once the blade is re-enabled, the deployed guest successfully initializes itself and goes online.
ID 385333 A regression from v10's match-across-virtual persistence behavior in the case where the pools in question do not contain the same members has been corrected.
ID 385579 A condition that could lead to a TMM core during persistence-record mirroring when the standby device comes online has been corrected.
ID 385585 A condition that could lead to a TMM core due to other internal data inconsistencies has been corrected.
ID 385748 A defect was addressed which could cause CMI connections to occasionally fail to establish.
ID 386078 Fixed a defect which could cause TMM to core and restart when servers send responses with invalid 'Location' headers and redirect rewrite is enabled on the virtual server's HTTP profile.
ID 386769 The pool member's ratio is now considered when calculating the hash value in the CARP mode of hash persistence. Note that if you have pool member ratios set and are upgrading, this will result in some connections going to different pool members than in the previous version (due to the ratio now being taken into account).
ID 386880 FastL4 virtual servers now correctly send reset on idle timeout when PVA acceleration is enabled on VIPRION blades.
ID 386991 DHCPv6 pool members are no longer required to have a persistent route to prevent a tmm crash.
ID 387107 The Geolocation IP database has been updated.
ID 387227 The ability to specify the IPv6 NoError TTL was added as an advanced configuration to GTM wide IPs.
ID 387342 For a virtual with a TCP profile and using a pool with queue-on-connection-limit enabled, if the client begins to close a queued connection, BIGIP now immediately resets that connection.
ID 387471 Previously, when the CSS parser attempted to parse a CSS selector property value that is a quoted string and the string terminated unexpectedly (without a closing quote, and/or reaching EOF), the CSS parser could loop infinitely. Now the CSS parser correctly recovers from an unexpected end of string in a property value.
ID 387625 TMM no longer leaks memory when an iRule "b64decode" call fails.
ID 387686 ISAKMP now consistently uses its source IP address based on the configured policy.
ID 387843 BIND has been updated to address CVE-2012-1667.
ID 387891 The GTM iRule should be URL encoding the iRule text properly, so using various characters such as &, ?, and + should work now.
ID 388084 When using large memory-only documents (greater than 7.9 mebibytes), datastor would leak storage. This has been fixed.
ID 388130 Corrected a problem where changing vlan tags when provisioned for vCMP would cause the host TMM to crash under certain conditions.
ID 388222 Some memory handling issues have been corrected.
ID 388460 HSB bitstream v2.1.46.1 for PB200 resolves Machine Check Exception ba00002000010c0f under low traffic and high CPU utilization.
ID 388625 HSBe firmware version 1.0.17.0 prevents silent reboots of BIG-IP 3900 systems that might occur under rare conditions when a specific pattern of writes occurs, and improves handling of oversize and truncated packets that occasionally resulted in corrupted ring buffer statistics.
ID 388646 If you disable "Process Recursion Desired" and the BIG-IP system receives a query with the RD flag set, the BIG-IP system now properly handles it through the configured Unhandled Query Action.
ID 388734 The geoip_lookup tool still accepts a "-f <file>" argument, but will now attempt to use the current database if no -f argument is specified. It first attempts to open /shared/GeoIP/F5GeoIP.dat and, if that file does not exist, attempts to open /usr/share/GeoIP/F5GeoIP.dat.
ID 389078 An issue that causes an iRule hang in the following circumstances has been corrected:
  • The virtual server has no default pool and is cmp-enabled.
  • You have an iRule that issues a [persist lookup uie {$value any pool}] before a pool is selected.
  • A request comes in that is handled by a TMM other than tmm0.
ID 389269 A defect involving validation errors on gateway_icmp objects on secondary slots causing mcpd restart loops has been corrected.
ID 389278 ICMP monitors no longer erroneously mark down IPv6 nodes that are also configured with a transparent gateway ICMP monitor.
ID 389280 An issue where insufficient validation could cause a connection to receive internal events belonging to another connection has been corrected.
ID 389324 Fixed a defect which could cause TMM to core and restart under certain conditions.
ID 389345 All vCMP guests are now correctly assigned trunk virtual members after a reboot of a chassis.
ID 389409 Modifying the connection limit on a pool member with a priority group configuration no longer causes the BIG-IP to fail to load-balance to pool members that are otherwise below the configured connection limit.
ID 389698 Packet filter with default action set to discard or reject no longer discards or drops ICMP monitor replies.
ID 390520 DSR tunnels and tunneled transparent monitors now correctly select an active gateway when the currently selected gateway is detected to be down.
ID 390569 The dependency issue between App Template TCL script and TMSH CLI script has been fixed.
ID 390768 Fixed a defect which could cause snmpd to restart and leave a core file.
ID 391073 Request logging with configurations using OneConnect, SSL, and WebAccelerator no longer omit IP address and port.
ID 391451 IP tunnels now support route domains.
ID 391607 The 'after' iRules command now requires a nonzero timeout in all cases. Previously, the validator would allow a zero timeout for a periodic command, which would trigger an assertion failure upon iRule execution.
ID 391874 The management port of BIGIP now correctly connects to a peer at 100Mbps. This resolves a previous issue where if a management port was disconnected during load of BIGIP, it would fail to connect at 100Mbps when the port was reconnected.
ID 391986 A code defect that causes CMP persistence lookups to fail after the first request returns has been corrected.
ID 392029 Statsd no longer leaks if ASM is configured.
ID 392037 Virtual servers with profile configured IPv6 to IPv4 mode as Secondary now respond with the correct AAAA resource records for AAAA queries, rather than responding with rewritten A resource records.
ID 392100 Fixed a TMM core caused by the lookup of persistence entries.
ID 392361 BIND has been updated to address CVE-2012-3817.
ID 392817 Multipath routing (ECMP) does not support interface routes.
ID 393046 Kerberos delegation no longer causes stray files to consume excessive disk space or memory utilization.
ID 393294 Refreshing the browser page in GTM no longer throws an error.
ID 393408 Fixed a defect which could cause connections to stall while using fallback persistence.
ID 393530 HA groups can now use pools outside of the /Common partition.
ID 393671 SNMP traps are now correctly sent from the system when the primary blade in the cluster fails and a secondary blade takes over.
ID 393986 On the slave blade in a chassis, bgpd will no longer spin and consume excessive CPU.
ID 394066 A TMM crash in a cryptography routine has been fixed.
ID 394104 Enhanced content-type detection to no longer assume type binary upon reading one or more initial NUL characters.
ID 394484 This release fixes a bug in LTM that sometimes returned an ETAG header with a 'NUL' (or 0) in the header.
ID 394488 Increased selectivity of files is now included in QkViews for enhanced speed and security.
ID 394580 The configuration in the Common partition is now loaded before that of others, to avoid a variety of post-upgrade configuration load issues.
ID 394725 Fixed a defect that could cause TMM to core and restart while handling connection persistence entries.
ID 394738 When the VCMP host assigns a VLAN to a guest, the guest now takes into account the default-route-domain for the associated partition.
ID 394743 IP-fragmented packets going through VIP-targeting-VIP are now handled properly.
ID 394789 On a VLAN with VLAN failsafe configured, the system now prevents the currently active vCMP guest from sending itself a probe to which it responds (which might have prevented the VLAN failsafe from triggering).
ID 395272 HSB bitstream v2.1.47.1 update resolves a Super I/O watchdog timeout reboot on BIG-IP 11050 systems.
ID 395360 A regression was fixed which could cause valid LDAP system users to not authenticate.
ID 395582 Fixed a defect which could cause TMM to hold excessive amounts of memory while processing APM or ASM traffic.
ID 395767 Fixed a regression which could cause VLAN failsafes to intermittently not function.
ID 396158 Users are now able to delete 'send', 'receive' and 'disable' parameters from configured monitors in the GUI.
ID 396308 SNMP ifSpeed OID now correctly reports the interface's current bandwidth in bits per second.
ID 396492 TMM no longer consumes excessive memory when a DNSCache resolver is configured and handles large amounts of concurrent traffic.
ID 397152 Fixed a TMM crash that occurred when a failover happens for FTP, a lasthop pool is configured for the FTP virtual server, and the failover action is reselect.
ID 397435 The product has been updated to a version of BIND to deal with CERT http://www.isc.org/software/bind/advisories/cve-2012-4244
ID 397836 Removing an operational PSU from a 4000 platform now operates correctly, and no longer results in spurious "Fan speed too low," "hardware sensor critical alarm," "Power supply #2 fan-1: fan speed (0) is too low," or "localhost emerg system_check" messages on the console. In addition, removing an operational PSU from a 4000 platform correctly results in a red Alarm LED and a CRITICAL error on the LCD screen, however, when you clear the alarm from the LCD module, the error does not return.
ID 397981 Resolves an issue where a host power on command issued from the AOM menu may fail the first time after an AOM host power off command on BIG-IP 4000 platforms.
ID 398084 Metastor recovery has been disabled, which fixes a rarely encountered core dump on shutdown.
ID 398102 Fixed an issue which could cause traffic disruptions when running v11.2.0 or later vCMP guests on vCMP 11.1.0 or earlier host.
ID 398482 Fixed a TMM core caused by usage of Web Accelerator and RAMCache.
ID 398593 Fixed a problem where route pool failover did not work for FTP.
ID 398594 Fixed a rare issue when changing passwords.
ID 398974 In this release, there is a VIPRION 2000 Series-specific change in the clock interrupt initialization to correct CPU-utilization imbalance.
ID 399213 IPv6 trunking now works on 4000 platforms and will distribute well across trunk members provided there are two, four, or eight members in your trunk.
ID 399661 On the 2000s / 2200s and 4200v platforms in 11.2.1, the first time you inserted an SFP in interface 2.1 or 2.2 after booting with no SFP inserted, the SFP would not be recognized. This release corrects this issue.
ID 399825 Passive FTP now works when a no-translate virtual server and a gateway pool are configured. Previously, the client received a RST with cause "NO ROUTE to host".
ID 400775 The maximum number of trunk members on the 2000, 2200 and 4000 platforms is now correctly set to 8.
ID 400780 UI user may get a message 'The log publisher <name_of_publisher> is referenced by one or more configuration objects' when they try to delete the log publisher. This happens when they have set up a Log Filter or an AFM Network Event log that uses the log publisher. They need to find and remove those items before they can delete the publisher.
ID 400789 This fixes BIND vulnerability CVE-2012-5166: Specially crafted DNS data can cause a lockup in named.
ID 401193 A self IP can be created within a partition which has a default route domain set.
ID 402164 Interfaces 2.1 and 2.2 on the 2000s / 2200s and 4200v platforms did not correctly account for dropped packets due to full rings. These packets now show up as drops in the interface stats.
ID 402394 The / and /Common folders now have a trafficgroup assigned after upgrade.
ID 402457 Fixed a memory leak that occurred when executing Tcl commands such as "connect".
ID 402801 This issue has been fixed to handle packets with an MTU size larger than 1500 to avoid unnecessary fragmentation that may lead to data corruption.
ID 402999 BIG-IP no longer transmits Destination Lookup Failure packets for addresses that it is not Active for.
ID 403306 Fixed a TMM core that could be caused by iSession and FTP traffic.
ID 403564 Changed logic to wait for the request to complete before sending the response.
ID 403604 Fixed a potential memory leak in ServerSSL when authenticate-name is used.

Fixes in 11.2.1

ID Number Description
ID 315196 When vlangroups are deployed in an HA pair, non-gratuitous ARPs by hosts on child VLANs will not update the ARP entry on the standby LTM.
ID 337583 When using the percent up cluster members feature of ha-groups, the cluster member portion of the ha-group is now loaded after a reboot.
ID 342185 This release corrects a crash that occasionally occurred when an incorrect packet arrived in loop-back i/f (VIP to VIP) and the corresponding flow was in TIME-WAIT state.
ID 358442 HSB firmware version 1.4.2.0 provides internal stability and performance improvements for PB100 blades.
ID 364825 Keys that are stored on a FIPS card are now correctly included during device group synchronization.
ID 371934 This release exposes pluggable module serial numbers using the tmsh list net interface command.
ID 376387 The fpga_state utility successfully connects to the FPGA loader device on platforms supported by BIG-IP v11.2.x, accepts only platform IDs to identify the platform type, and no longer supports the "update" functionality implemented by "bladectl -u" and "chmand -u".
ID 381613 The system now reports the chassis fan status correctly.
ID 382366 An issue was corrected that could cause IPv6 port numbers or route domains to be misformatted in persistence cookies.
ID 383793 Load balancing information that was lost when using OneConnect is now preserved and available for logging.
ID 384514 3900 platforms occasionally experienced intermittent blinking LEDs on the front panel at power up. This issue no longer exists.
ID 384515 1600 and 3600 platforms occasionally experienced intermittent blinking LEDs on the front panel at power up. This issue no longer exists.
ID 384797 RARP packets proxied across a vlangroup are now subject to proxy exclusion lists and are not erroneously bridged by a standby unit.
ID 385457 IPSec traffic now works correctly over IPv6.
ID 385493 The system now logs the correct tmm notice: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:568, when running tcpdump on a TMM-owned hidden interface, and does not log the halGEtChassisAllSlots warning.
ID 387227 The ability to specify the IPv6 NoError TTL was added as an advanced configuration to GTM wide IPs.
ID 387471 Previously, when the CSS parser attempted to parse a CSS selector property value that was a quoted string and the string terminated unexpectedly (without a closing quote, and/or on reaching EOF), the CSS parser could loop infinitely. The CSS parser now recovers correctly from an unexpected end of string in a property value.
ID 387686 ISAKMP now consistently uses its source IP address based on the configured policy.
ID 387843 BIND has been updated to address CVE-2012-1667.
ID 387917 On secondary blades, mcpd no longer exits when persist records are deleted outside /Common on cluster-enabled systems.
ID 388130 Corrected a problem where changing vlan tags when provisioned for vCMP would cause the host TMM to crash under certain conditions.
ID 388222 Some memory handling issues have been corrected.
ID 388460 HSB bitstream v2.1.46.1 for PB200 resolves Machine Check Exception ba00002000010c0f under low traffic and high CPU utilization.
ID 388474 Qkview now correctly captures information from all blades in a VIPRION 4400 chassis.
ID 388625 HSBe firmware version 1.0.17.0 prevents silent reboots of BIG-IP 3900 systems that might occur under rare conditions when a specific pattern of writes occurs, and improves handling of oversize and truncated packets that occasionally resulted in corrupted ring buffer statistics.
ID 388646 If you disable "Process Recursion Desired" and the BIG-IP system receives a query with the RD flag set, the BIG-IP system now properly handles it through the configured Unhandled Query Action.
ID 388786 A performance problem when using certain IP:port combinations has been corrected.
ID 389269 A defect involving validation errors on gateway_icmp objects on secondary slots causing mcpd restart loops has been corrected.
ID 389345 All vCMP guests are now correctly assigned trunk virtual members after a reboot of a chassis.
ID 389944 DNSX no longer returns the parent NS of CNAME target zone.
ID 391073 Request logging with configurations using OneConnect, SSL, and WebAccelerator no longer omits the IP address and port.
ID 392100 Fixed a TMM core caused by the lookup of persistence entries.
ID 392159 On chassis-based platforms (VIPRIONs), the Access Policy Manager module's apd service incorrectly used floating self-IP addresses to communicate with host daemons instead of an internal TMM IP address (127.20.x.x). This is no longer an issue.
ID 392361 BIND has been updated to address CVE-2012-3817.
ID 394488 QkViews now select the files they include more narrowly, for enhanced speed and security.

Fixes in 11.2.0

ID Number Description
ID 223810 Moved Records Per Screen, Start Screen, Default System Settings, Display Hostnames When Possible, Statistics Format, and Screen Refresh Interval fields to BigDB, allowing them to be saved and restored via UCS actions.
ID 223904 The BIG-IP provides AES encryption via HTTP profile settings and iRules commands. Besides encryption, the feature handles authentication and tamper-detection. There are important fixes and performance improvements to those features in this version.
ID 224113 The BIG-IP provides AES encryption via HTTP profile settings and iRules commands. Besides encryption, the feature handles authentication and tamper-detection. There are important fixes and performance improvements to those features in this version.
ID 225445 SSL handshakes with large, but RFC-compliant, messages (for example, large certificate chains) are now correctly handled by the BIG-IP.
ID 225550 When a pool member or node address that has been forced down (user-down) is loaded from the config file, health checks for that pool member or node address will be disabled. This will not be true for pool members if the same pool member is present in another pool that has the same monitor. In that case, health checks will be enabled.
ID 226185 The sod process is now more resilient to malformed traffic on the High Availability channel connection.
ID 226923 Binary data stored in the session cache is now encoded and decoded correctly.
ID 247192 SNMP Version 3 trap configuration objects will not roll forward from a previous software version. You will need to recreate those objects after the upgrade is completed.
ID 248019 The system no longer posts the benign error 'Internal error, duplicate configuration elements refer to the same persistent config' in response to syslog remote server logs during log rotation.
ID 249012 With this bug fixed, the log command can now take either an IP address or a facility as its argument. Examples: log 127.0.0.1 "Hello" and log local0. "Hi"
ID 347070 When you are using IPsec between a BIG-IP pair, it is no longer necessary to enable the Passive setting for the IKE peer on the server-side BIG-IP device.
ID 350888 Either IPv4 or IPv6 addresses are accepted for the management port. Netmask may be entered either as part of the IP address using a prefix or by selecting a prefix or a netmask or by typing in a netmask.
ID 352153 Two new flags have been introduced to the HTTP::cookie iRule command: 1. When "-detected" is used, it will return a string describing the actual cookie version as detected by BIG-IP. Some possible values are: Netscape, RFC2109 and RFC2965. 2. When "-declared" is used, the existing behavior is maintained, which is to return the version as declared by the cookie header itself.
ID 354014 HTTP HEAD requests to virtual servers with OneConnect profiles no longer fail to load-balance subsequent HTTP requests on the same TCP connection.
ID 355754 The syslog include command now validates configuration changes before they're added to the syslog-ng.conf. An invalid configuration change is prevented from being added.
ID 355813 The BIG-IP provides AES encryption via HTTP profile settings and iRules commands. Besides encryption, the feature handles authentication and tamper-detection. There are important fixes and performance improvements to those features in this version.
ID 359867 You can now flush Security Associations (SAs) using tmsh.
ID 361911 The BIG-IP provides AES encryption via HTTP profile settings and iRules commands. Besides encryption, the feature handles authentication and tamper-detection. There are important fixes and performance improvements to those features in this version.
ID 361912 The BIG-IP provides AES encryption via HTTP profile settings and iRules commands. Besides encryption, the feature handles authentication and tamper-detection. There are important fixes and performance improvements to those features in this version.
ID 361914 The BIG-IP provides AES encryption via HTTP profile settings and iRules commands. Besides encryption, the feature handles authentication and tamper-detection. There are important fixes and performance improvements to those features in this version.
ID 363467 The defaults-from property is now specified, if it was not specified on an authentication profile in the 10.x configuration.
ID 363483 Deletion of the tmsh component 'net ipsec ike-daemon' is no longer allowed.
ID 364378 Properties with substitution variables are no longer overwritten via the GUI. An 'Other..' selection now exists in the drop-down box.
ID 365106 Invalid Configsync.password message no longer occurs when loading a saved UCS file.
ID 366090 The HTTP compression profile now correctly determines how to compress content (that is, it uses "compress text content"). In addition, the system no longer inserts a superfluous Vary: Accept-Encoding HTTP header of responses when compression is not configured.
ID 366918 VIPRION 2400 blades now compute IPv6 checksums in hardware.
ID 368308 The failover daemon (sod) no longer triggers the link-down-on-standby feature when resolving the situation where more than one device is active.
ID 369163 Previously, when a SASP monitor had marked pool members and the parent pool as UP, and then the backend GWM goes away, the /var/tmp/saspd.log and /var/log/ltm log show the GWM is unavailable, but the pool and its members remain UP. The pool members are now correctly marked down if the GWM is unreachable.
ID 369257 TMM no longer leaks memory for Content Revocation List data structures when system configuration loads occur.
ID 369293 Remotely authenticated admin users are now able to save configurations and run commands such as tcpdump and qkview without errors.
ID 369615 There is no longer a limitation on the number of traffic selectors.
ID 369841 In this release, the system first uses the configured DNS when resolving the licensing server, which resolves issues related to Automatic activation using a list of root name servers that might be blocked.
ID 370007 Additional information is now logged when MPI connections are lost in a chassis, which can help in debugging MPI problems.
ID 370406 A previous issue that was triggered when BGP was restarted has been corrected. Aggregation is applied only after all route-maps are loaded.
ID 370525 Device group sync validation errors will now be correctly reported.
ID 370572 Profile search now follows the conventional object search methodology which is used on pool, virtual server, rule, etc.
ID 370787 TMM no longer leaks "ssl(variable)" memory when iRules select SSL profiles that are not directly attached to any virtual server.
ID 371298 clientssl profiles with Client Cert set to "require" and Frequency set to "always" no longer cause incorrect SSL session IDs to be sent to the client.
ID 371369 The kernel clock source has been adjusted to eliminate jitter encountered with periodic alarms.
ID 371677 The system no longer goes into an inoperative state when restarting only the mcpd daemon in certain circumstances.
ID 371793 Removing a SASP monitor from a pool and shutting down the GWM no longer allows the saspd daemon to continuously retry connection attempts.
ID 371832 SASPD no longer cores after stopping the GWM, removing the monitor, adding the monitor back, and re-starting the GWM.
ID 371862 While the SASP GWM is running and pool members are up, removing the monitor no longer causes continuous "err mcpd: monitor instance not found" log messages.
ID 371881 When SASP GWM loses connection then reconnects, the pool members that are being monitored are now correctly polled upon reconnection.
ID 371940 The config-sync operation on one side of the HA pair no longer incorrectly resets the interface configuration on the remote side. The customized interface configuration is now left intact and the configuration is not included in the config sync operation.
ID 371949 Black-hole routes inserted to the TMOS route table by dynamic routing protocols (Advanced Routing Modules) are no longer ignored by TMMs. The ignored routes were being correctly inserted to the host (Linux) route table and were correctly displayed in tmsh, but had no effect on traffic passing through TMMs. This has been corrected.
ID 371952 Dynamically learned blackhole routes are now correctly deleted from the TMOS route table.
ID 372061 Remote role definitions created from the GUI are now properly saved to a configuration file.
ID 372140 When BGP dynamic routing is configured and a route-map not setting route next-hop is used for outbound filtering, the BGP Advanced Routing Module no longer sends an incorrect (all zeroes) next-hop in route updates.
ID 372237 The TMM no longer crashes when attempting to reselect after a node failure. This was previously occurring on a virtual server configured with a FastL4 profile and a pool configured with the option "action-on-service-down" set to reselect.
ID 372238 The TMM will no longer experience occasional restarts when an RTSP or FTP data connection happens to be initiated first by the server.
ID 372241 An error no longer occurs when rolling forward a configuration from a pre-v11.x system that contains a route domain configured with a parent id. The configuration was previously and incorrectly converting the "parent id" variable to a "parent name" variable, which caused a configuration load failure on initial startup.
ID 372275 The active/standby determination for an HA group no longer incorrectly results in all devices in standby state. Additional adjustments have been made to prevent a tie in the HA status.
ID 372590 BIND has been updated to 9.6-ESV-R5-P1 to mitigate CVE-2011-4313.
ID 372618 The virtual-disk parameter vdisk now can be specified without the ".img" extension. If vdisk is given without ".img" extension, the system automatically appends the extension to the file name. If there exists a vdisk with this name, the system correctly posts an alert.
ID 372667 Iterating headers in requests for policy matching now passes negative numbers correctly, so policy node matching can complete successfully.
ID 372679 Corrections have been made to prevent the TMM from coring during DTLS renegotiation.
ID 372726 Memory and packets are no longer leaked if there is an internal error sending a packet through a tunnel. This was only known to happen when using IPsec with jumbo Ethernet frames.
ID 372804 The internal High Speed Bridge interfaces on the BIG-IP 2400 platform no longer cease to pass traffic under certain conditions.
ID 372864 A processing error for SSL-enabled virtual servers, which could cause TMM to core and restart under certain conditions, has been fixed.
ID 373174 Users may now paste configuration list output in TMSH and successfully load the configuration.
ID 373222 Adjustments have been made in the ProxySSL and SNI hash handling code to prevent occasional memory leaks.
ID 373250 Fixed an issue with Proxy SSL. We now correctly scan multiple messages in the same record during handshake and process each one.
ID 373315 Adjustments have been made in the ProxySSL and SNI hash handling code to prevent aborted flows and tmm crashes.
ID 373388 When a SASP monitor is removed from pool, and the GWM is stopped, adding the monitor back and restarting the GWM now correctly begins continuous polling.
ID 373404 Opening the Dashboard in the GUI no longer causes excessive logging to /tmp/rrdstats.log and a potential to fill up the host filesystem.
ID 373469 The LCD now displays the correct status when an active unit is rebooted.
ID 373486 Stopping and restarting the SASP GWM no longer generates cores.
ID 373513 Previously, when renewing or importing an SSL certificate associated with one SSL virtual, all other SSL virtuals were using the updated certificate. This incorrect behavior has been fixed.
ID 373747 TMM no longer cores and restarts under certain conditions while processing specific HTTP::header or CACHE::header iRule commands.
ID 373827 With multiple devices in a device group, the saspd daemon no longer generates cores in any of the devices in the device group when a SASP monitor is removed from a pool and replaced.
ID 374025 The tmm periodically receives traffic stats from HSB hardware for each ePVA-assisted connection and updates its traffic volume by comparing with the previously received traffic stats. In previous releases, tmm did not properly save the previous traffic stats, thus causing the wrong traffic volume computation. In this release, the traffic statistics from HSB hardware for each ePVA-assisted connection are correctly calculated.
ID 374065 High CPU utilization for Big3d no longer occurs during a device group sync between an HA pair whose configuration contains a large number of objects while EM is collecting statistics.
ID 374176 CPU utilization no longer spikes when a sync-failover device group and a large datagroup file are configured.
ID 374185 TMM no longer leaks memory when an iRule issues "SSL::cert issuer" commands.
ID 374305 Creating self IPs with IPv6 and route domains configured is now less restrictive and no longer restricts tmm-only listeners configured for use on the backplane, as was the behavior in prior releases.
ID 374347 When importing an iApp template, the user-configurable option to overwrite an existing template or not is now correctly honored.
ID 374390 HTTP_RESPONSE iRules that access HTTP::status caused a Tcl exception when executed on an early response. An early response is an HTTP response that arrives before the request has finished; this is something that can happen on requests with a body (e.g. POST requests).
ID 374428 A previous CPU statistics issue has been corrected by introducing a new method for calculating the CPU idle time.
ID 374457 When viewing the pools for a configured wideip in the GUI that contains a wildcard character (such as *.f5.com), the pools for that wideip now display correctly.
ID 374603 You can now use the db variable IPsec.ICSAForceIPFrag to configure IPsec in networks that require an MTU size that is smaller than regular IP packets.
ID 374609 IPsec now logs sufficient details to describe the reason for packet rejection.
ID 374685 Virtual servers with clientssl profiles now correctly accept client certificates signed with SHA2-based hash algorithms for TLS1.2 sessions.
ID 375089 An iRule using the table command in a DIAMETER_EGRESS event now works correctly. Essentially, the Diameter core protocol is peer based so the semantic for server has been adjusted.
ID 375335 Local Traffic Manager and Global Traffic Manager https monitors no longer cause the bigd or big3d processes to leak memory when configured to send client certificates to their target servers.
ID 375490 The following messages no longer appear in the console when PXE booting some blades:
  • /etc/rc.sysinit: line 8: /sbin/klogd: No such file or directory
  • rm: cannot remove '/workspace.reservation.bin': No such file or directory
ID 375590 Intermittent routing failures with an IPsec deployment in a redundant or HA configuration have been fixed.
ID 375992 Configuration validation has been added to protect against deleting tunnel objects that are referenced by virtual servers.
ID 376116 Installing a FIPS key into a device using the "tmsh install sys crypto" command no longer produces the error message "The requested unknown (/Common/fips117.key) already exists in partition Common." when the key object already exists in the configuration.
ID 376227 Route advertisement now works for Virtual Addresses that are assigned to a traffic group of "none".
ID 376433 Configurations which contain VLANs with an MTU of more than 1500 now correctly load and handle jumbo frames after an upgrade from an earlier release.
ID 376538 The LCD panel now works correctly after performing a bigstart restart.
ID 376554 The sod process is now more resilient to malformed traffic on the High Availability channel connection.
ID 376758 SNMP traps for bigipNotifyObjMsg events from the F5-BIGIP-COMMON-MIB no longer omit the values for bigipNotifyObjNode and bigipNotifyObjPort. For example, pool member monitor status traps now correctly display the affected user-assigned name or IP address and port of the pool member.
ID 376984 The following messages are no longer erroneously logged to /var/log/racoon.log under normal circumstances:
  • ERROR: failed to recv from pfkey (Inappropriate ioctl for device)
  • ERROR: failed to recv from pfkey (Resource temporarily unavailable)
  • INFO: socket # hung up or read error. Close socket
  • ERROR: invalid policy type.
  • ERROR: libipsec failed pfkey open: Success
  • ERROR: unknown AF: 0
  • ERROR: no socket matches address family 2
ID 377006 A memory leak which would occur while mirroring traffic from a Standard (L7) virtual server has been corrected.
ID 377175 TMM no longer restarts with the following log messages when mistakenly using a TCP iRule command on an SCTP virtual server, or under certain conditions when executing a TCP::release command in a CLIENT_DATA event:
  • Assertion "Neither pending nor enqueued." failed.
  • Assertion "tclrule ctx not in progress" failed.
ID 377230 The watchdog mechanism no longer experiences false-positives and now applies to all platforms. The message in /var/log/tmm has been changed to "Octeon watchdog timeout at <n> ticks: no new work accepted since <m> ticks." This message indicates a genuine h/w or s/w failure that locks up the device or driver. The consequent consumer messages "provider not responding" will still occur, but the message in the tmm0 log gives an earlier indication closer to the source of the problem. The providers are all TMMs in the hypervisor on vCMP and all TMMs on LTM, but the watchdog and message are only active in the lowest numbered TMM that attaches each octeon device (tmm0 on most platforms). The consumers are in the guest on vCMP and all tmms on LTM.
ID 377359 Added a new DB variable, ipsec.disablepfs, to allow disabling of PFS in phase 2.
ID 377400 The performance of saving or listing large Global Traffic Manager configurations has been improved.
ID 377449 Content Based Routing iRule now returns the correct values.
ID 377505 When enabling timing for iRules that execute commands that temporarily suspend execution (such as 'after', 'table', 'persist'), the iRule's CPU cycle statistics will no longer report excessively large and incorrect values.
ID 377540 A new version of fipskey export has been added to allow customers to recover .exp files from the FIPS device.
ID 377842 HTTP Redirect Rewrite now correctly handles the case where the server-side Location: header is shorter than the URI to be rewritten. This avoids the following panic: 'Assertion "size maps to buffer cache of equal or greater buffer size" failed'.
ID 378093 tmsh no longer displays incorrect values for historical performance statistics. For example, the following command should display accurate numbers for current and historical data:
  • tmsh show sys performance throughput historical
ID 378172 Dashboard CPU usage was incorrect on multi-blade systems. It would spike to 100% because stats from all blades were added together before the rates were calculated.
ID 378487 Virtual servers of type DHCP Relay now correctly work with Clustered Multi-Processing.
ID 378505 The rsyncd daemon no longer attempts reverse-lookup on config-sync IP addresses during the config-sync process, thus avoiding possible timeouts during name resolution.
ID 378743 An invalid assumption in the HTTP parser where attributes precede cookie names has been corrected. Previously, certain legal cookies could lead to a core.
ID 378990 The SSL Certificate Common Name is now parsed correctly as the first CN listed in RFC2253 format.
ID 379000 Remotely authenticated users are now able to set cli preferences and create private aliases. Prior to this, errors such as the following would have been seen: bigip@(p4-019)(cfg-sync Standalone)(/S4-green-P:Active (/Partition One)(tmos)# modify cli preference stat-units raw 01071507:3: User, testuser, doesn't exist for for cli preference.
ID 379236 TMM no longer restarts with a SIGSEGV when handling traffic on a virtual server with a compression-enabled HTTP profile and an iRule with the COMPRESS::nodelay command.
ID 379237 This release fixes an issue in which enabling VLAN failsafe could cause system restarts.
ID 379412 The sod process is now more resilient to malformed traffic on the High Availability channel connection.
ID 379537 IKE now consistently succeeds in renegotiation when recovering from a link failure.
ID 379600 A defect resulting from an SSH misconfiguration on certain platforms has been resolved.
ID 379633 Fixed an issue where TMM would crash if there was an error in a SERVER_CLOSED iRule on a FastL4 virtual.
ID 379920 Enabling list-all-properties for cli preferences no longer unexpectedly changes interface settings when saving and loading the system configuration.
ID 379995 A remote user whose name contains a "\" can now log in correctly. MCP validation of remote user names has been adjusted to allow backslashes.
ID 380267 This release fixes the imish cmd handling for 'log file.'
ID 380802 When using HA scoring, a restarted system could momentarily have a greater score than its peer and cause a temporary failover to itself. This occurred if the user used the percent up pool members feature. When a system starts, pool members are marked "checking", which is considered up. A system with down pool members would have a higher score until the pool members were determined to be really down. This problem has been fixed.
ID 381119 When redistributing routes into BGP, all redistribute statements are correctly loaded.
ID 381224 HTTP header parsing has been made more resilient, avoiding potential restarts when iterating over all HTTP headers in iRules.
ID 381230 A defect which could cause virtual servers with SIP profiles and Source Port set to Preserve Strict to drop packets has been corrected.
ID 381347 A defect which could cause Local Traffic Manager pool or node monitors to fail intermittently due to a faulty internal clock source has been corrected.
ID 381703 Debug log messages are no longer redirected to /var/log/snmpd.log, unless snmpd is started in debug mode.
ID 382078 Fix for list being modified while being traversed.
ID 382165 IPIP encapsulated monitors can now correctly use gateway pools as routes.
ID 382292 The TMM no longer crashes when black-hole route makes gateway or gateway pool member unreachable.
ID 382353 WA safely supports datastor restarts in all cases.
ID 382830 The default alert-timeout and handshake-timeout value has been decreased from 60 seconds to 10 seconds. This is a security improvement for protecting against potential denial-of-service (DoS) attacks. The value can be changed to a longer one in each custom SSL profile if needed.
ID 382855 Upgrading standalone systems with a failover unit ID of 2 in a single configuration file no longer causes a failure to load the system configuration after upgrade.
ID 383333 EtherIP-encapsulated fragments now correctly go through the EtherIP tunnel, and are correctly decapsulated and reassembled.
ID 384174 TMM no longer leaks SSL-related memory due to the existence of, among other things, Application Visibility and Reporting profiles enabled for large configurations.
ID 384392 A condition that could cause snmpd to leak node names has been fixed.
ID 384720 A defect which could cause TMM to restart with a SIGSEGV while processing IPIP encapsulated transparent monitors has been corrected.
ID 384818 Using tmsh to edit a GTM or LTM pool, or a GTM server, now correctly issues a modify command instead of a create command.
ID 385576 Fixed in 11.1.0-hf3.
ID 385694 A defect which could cause the B4300 blade to negotiate to an incorrect backplane speed in the VIPRION 4400 chassis has been corrected.
ID 385975 The WebAccelerator module is no longer susceptible to issues described in CVE-2012-0247 and CVE-2012-0248.
ID 387107 The Geolocation IP database has been updated.

Fixes in 11.1.0

ID Number Description
ID 222666 The auto-failback delay is now set to 60 seconds by default, to allow for the state mirroring information to be re-mirrored for traffic groups.
ID 224446 DNSSEC now supports SHA-2 per RFC 5702.
ID 226490 This release corrects an issue that could cause TMM to crash when an iRule parks the Tcl interpreter, then the STREAM profile incorrectly continues to pass through events.
ID 291261 When multiple self IPs are configured on a VLAN or VLANGROUP that is not part of the default route domain, traffic from the host, including monitors, now consistently uses the first configured self IP as the source address.
ID 315596 The AUTH_RESULT, AUTH_SUCCESS, AUTH_FAILURE, AUTH_WANTCREDENTIAL, and AUTH_ERROR iRule events can now support iRule commands that temporarily suspend execution to get their result (for example, the commands "after", "table", "RESOLV::lookup").
ID 342860 The iRule command TMM::cmp_unit can now be used in the RULE_INIT event.
ID 344132 Application Presentation Language (APL) "editchoice" elements are now rendered as ComboBox controls.
ID 349658 The system presents an alert with a warning message when AVR is selected to be un-provisioned and has a virtual server with an Analytics profile assigned to it.
ID 351614 This release fixes a delay that occurred when creating applications based on the built-in Exchange 2010 template. The creation process is now significantly faster.
ID 353788 An alert with a warning message now appears when ASM is selected to be un-provisioned but has an HTTP Class, with Application Security enabled, assigned to the virtual server.
ID 354386 You no longer need to use the full path to specify the default-from property when creating an NTLM profile from tmsh.
ID 354605 Leveraging the dynamic load method in net-snmp to load and execute the F5 MIB module in snmpd results in less CPU utilization.
ID 355676 SSL Close Notify alerts are now consistently sent by clientssl and serverssl virtual servers before a FIN is sent to the client or server when the unclean shutdown setting is "disable".
ID 355996 IP Tunneling now works when using Direct Server Return.
ID 357507 Clientside ssl connections are no longer reset when a session resumes. Previously, after completing the handshake, the client sent application data and received an alert from the server before the client was ready.
ID 358654 You can now download CSV files containing valid data from the Dashboard.
ID 359597 Fixed an issue with TMM internal clock calibration that could cause a few dropped persistent connections on disabled blades.
ID 360213 Exposed additional description fields for the following objects in the web administrative interface: vlans, vlan groups, monitors, route domains, wide ip, datacenter, distributed applications, listeners.
ID 360581 The actual vCMP timeout value used for a given VM start/install/migrate attempt is shown correctly in the output of the show command, even if a timeout value is changed during an attempt.
ID 361268 In this release, the system correctly constrains rate-shaping objects to be created only in /Common.
ID 361744 IPv6-mapped-IPv4 addresses in hybrid format are now supported in any context where an IPv6 address is supported, including the FTP EPRT command.
ID 363232 TMM no longer fails with the following log messages on 6900 platforms due to internal interface errors:
  • Assertion "buffer is valid" failed.
  • *** TMM 0 - PDE 0 - super jumbo frame ***
  • *** TMM 1 - PDE 1 - shorter than crc ***
ID 363444 Configuration files under /etc/alertd/ can now be copied to and from the BIG-IP system, using scp, when appliance mode is configured, allowing administrators to customize SNMP traps and email alerts for specific log messages.
ID 363547 In this release, the failsafe action correctly occurs immediately when a VLAN group member triggers a failsafe condition, regardless of the state of other VLANs in the group.
ID 364227 The assertion 'assertion "completed request is in ring" failed' no longer occurs.
ID 364276 Fixed an issue where trying to automatically license a Virtual BIG-IP would fail when using temporary network settings.
ID 364324 On the System : Users: Remote Role Groups page, you can now delete the remote-role group with the largest line order number.
ID 364437 Link Controller GUI: removed the erroneous table columns from wideip member stats and wideip details stats tables.
ID 364626 Multiple session table lookup commands no longer cause erroneous results to be returned for Network Access virtual servers.
ID 364685 Previously the sync status message of a sync group always showed Standalone if there were only subordinate non-authority devices in the trust group. Now the status properly reflects the sync status with the other devices.
ID 364918 Syncing configuration changes from a Link Controller to a Global Traffic Manager in the same sync group no longer causes the monitors to fail to load on the GTM.
ID 364923 You no longer have to use the full path when modifying an iApp Application Service via iControl.
ID 364941 This release provides an additional button that allows the chassis to reboot the current active blade without rebooting the secondary.
ID 364961 The IP tunnel interface no longer toggles up and down when the tunnel attributes are changed via TMSH.
ID 365173 This release provides support for monitor traffic to traverse any tunnel configured on a pool or pool member. When encapsulation is configured, monitor traffic sent to a pool member is encapsulated (according to the profile); monitor traffic returned to the BIG-IP (from the server pool member) is not encapsulated (by the server pool member).
ID 365256 Traffic groups are now load balanced. When a failover occurs, the traffic group becomes active on the device with the least load. If two devices have the same load, the traffic group becomes active on the device with the greatest traffic group score. A load of one unit means the device is active for one traffic group, two for two traffic groups, and so on.
ID 365261 This fixes a known defect in the way configuration is loaded for a single partition. Loading a single partition configuration no longer shows this error.
ID 365370 The Alarm LED no longer turns yellow on boot-up on the 6900, 6900S, 11000, and VIPRION 2400 platforms.
ID 365507 The required character sets jar file has been included to allow the MSSQL monitor to support multiple language encodings.
ID 365582 A GTM iRule that refers to a pool without specifying the full path (e.g., [pool pool1]) will now work correctly when that pool is found in multiple folders. Correct behavior is to always choose the pool in the wideip's folder, and to dynamically switch if a pool (with the same name as in the iRule) is added/deleted in that folder.
ID 365771 The system now correctly constrains the cache size so that it cannot be zero.
ID 365917 When modifying an iApps application service using iControl, the implementation script is now correctly executed to update the objects owned by the application.
ID 365921 The system now correctly restricts a file name to not allow special characters. This enables a file saved to the primary blade to be synced to secondary blades.
ID 366185 Diameter Application Template online help now displays correctly.
ID 366325 Online help no longer references bigpipe commands.
ID 366419 The system now evaluates transfer-encoding headers in a case-insensitive manner to ensure proper interaction of compression and chunked encoding.
ID 366505 Byte Range requests sent to the Admin GUI or an APM login page are now limited to at most 5 byte range sets, to prevent the vulnerability described in CVE-2011-3192.
ID 366601 The marketing name for part number 200-0194-04 is no longer incorrectly identified as a 6600 platform.
ID 366831 Removed the DigiNotar CA certificate.
ID 366881 Previously, if a chassis had a blade present at some point and then that blade was permanently removed (or specifically if the TMMs on that blade were permanently stopped), the remaining blades in the chassis would incorrectly think the missing blade had returned after a 25 day period. Traffic is no longer sent to the missing blade, preventing lost traffic.
ID 367476 The Unit ID reference has been removed from the online help.
ID 367836 This release corrects an issue involving excessive memory usage and crash/core when loading GTM configs with large numbers of virtual servers with topology records.

Fixes in 11.0.0

ID Number Description
ID 221972 Previously, connection flow timers were calculated using a reference from the system time (seconds since epoch). In the event that system time changed, connection flows could be aged out prematurely or removed entirely. Connection flow timers are now calculated using a monotonic timer derived from the system uptime (seconds since boot), not the system time.
ID 222455 TMM previously queued only one packet per flow for a given destination when there was a pending neighbor ARP response. The default depth is four packets and can be configured by adding the bigdb variable tmm.nbr.pbqlen.
ID 222533 Using HTTP::Respond and LB::Reselect together within the LB_FAILED event no longer causes tmm to crash.
ID 222626 BIG-IP 11.0 supports 4-byte ASN in BGP as defined in RFC4893.
ID 222635 The TCP transmit window scale is now set properly in the event that the server sends data before the client does.
ID 222888 Previously, persistence record timers were calculated using a reference from the system time (seconds since epoch). In the event that system time changed, persistence records could be aged out prematurely or removed entirely. Persistence record timers are now calculated using a monotonic timer derived from the system uptime (seconds since boot), not the system time.
ID 223587 A condition where mcpd could potentially leak memory has been corrected.
ID 223625 A condition where tmm could crash when using SSL:renegotiate within the HTTP_REQUEST context has been corrected.
ID 223667 Inband health monitors no longer mark a node down when a client request is split into two or more segments with a delay of 20ms or greater between segments.
ID 223766 HTTP GET requests including a message body, combined with RamCache usage and an HTTP::respond command in an LB_FAILED event no longer cause connections to stall and avoid the configured idle timeout.
ID 223787 This release corrects the race condition that caused the system to write out a core file and post the panic notice "Pool member is passive downed" failed when, in a specific configuration, a monitor other than the passive monitor marks a pool member down.
ID 223836 (CR132172) In server SSL profiles, Renegotiation is now enabled by default.
ID 223883 TMM no longer crashes when you change the assignment of an iRule to a virtual server when the iRule contains any commands that may suspend execution (such as after, table, and persist).
ID 224060 On 1600, 3600, 3900, 6900, and 8900, and 8950 platforms, the values in sysIfxStat portion of the F5-BIGIP-SYSTEM-MIB file are now updated properly.
ID 224085 On VIPRION systems with PUMA II blades, erroneous blade power down/up messages sent from clusterd when no power up or down event has happened have been eliminated.
ID 224111 snmpd no longer fails and cores when executing snmpwalk with certain command-line parameters.
ID 224391 The system now correctly parses iRule if commands that contain an escape character (previously described as a suspended command following an escaped newline character).
ID 224966 When the nameservers are changed using tmsh modify dns name-servers, the system restarts the httpd service to reload the DNS configuration.
ID 224993 On a partitioned system, a virtual server could not be deleted that had an http class with WebAccelerator set to Accelerate at creation time. This issue has been resolved.
ID 225190 The root account home directory (/root) permissions have been modified so as to be only user readable, writable, and executable.
ID 225257 The syscheck and oprofile users have the home directory properly set to ‘/’.
ID 225328 As a tool for diagnosing the cause of TCP RST packets, the system may be globally configured to include a very brief explanation as the payload in each RST packet and/or to log this reason whenever sending a RST packet. This behavior is controlled by setting the corresponding DB variables TM.RstCause.Pkt and/or TM.RstCause.Log to "enable". The default for both is "disable", and this should be considered the correct setting in a production environment, since use of this functionality may impair stability.
ID 225448 4096-bit SSL keys in Server SSL profiles (ID 225448, CR139406): The system now correctly supports 4096-bit SSL keys to configure Server SSL profiles.
ID 225514 A bug has been fixed where in certain circumstances, TMM could leak memory in CMP mode while handling internal SSL certificate chain structures.
ID 225824 A memory leak observed in tamd when using a RADIUS authentication profile has been corrected.
ID 225863 Previously, if you set the timeout value for insert, passive or rewrite cookie persistence profiles in bigip.conf (as this value is not exposed in the web GUI) and then updated other settings for those profiles via the web GUI, the timeout setting would be lost and would revert to the system default of 180 seconds. This has been resolved and the system now preserves the setting manually added in bigip.conf.
ID 226027 Statistics of FTP virtual servers for ACTIVE connections now properly include PVA and ephemeral traffic on the correct side/direction of the connection.
ID 226119 The use of "foreach" in an iRule now properly iterates over a paired index.
ID 226399 Wildcard virtual server/virtual server listening on UDP port 62720 (ID 226399, ID 248017, CR141404): VIPRION systems correctly handle traffic after configuring a wildcard virtual server or a virtual server listening on UDP port 62720.
ID 226458 TMM no longer cores and restarts when an iRule command executes causing the rule engine to suspend, and a subsequent, malformed UDP packet arrives on the same connection. The following log message is an indication that this bug has been encountered: Assertion "validate up->pkt" failed.
ID 226475 tmsh now displays stp bridge information and stp state.
ID 226828 The SNMP object ltmPoolMemberStatAddr now contains the correct IP address information for pool members with route domain.
ID 226972 In previous releases, the system reused client IDs from previous sessions to reestablish SSL connections. Now, in situations where security changes in the BIG-IP configuration, for example, an iRule changes the security parameter to request or require client certificates, the system establishes a new SSL connection with the client and does not reuse the previously established session ID.
ID 227123 When an iRule uses HTTP::path to modify the path in a URI that also contains a query string, the query string is properly preserved.
ID 227144 When load balancing UDP datagrams, the flow table is properly checked in order to prevent a server-initiated flow from inadvertently using the same port as an in-progress client-initiated flow.
ID 227148 Adds the ability to import and export partial text configuration in TMSH.
ID 227179 The htpasswd utility has been removed from the system.
ID 227180 Ownership and permissions for the web server configuration files have been fixed.
ID 227220 Prior to 11.0, the caching system would treat a request as cacheable by default, and would then check the specified URI regexes (exclude, pinned, include) to modify the cacheability. This left no easy way to specify that only a given list of URIs was to be cached. Starting in 11.0, the previous "include" regex has been renamed to "include-override"; existing configurations are automatically changed by the upgrade process. Further, the default is now to consider a URI non-cacheable, and a new "include" regex has been added, which defaults to match all URIs. In this way, any configuration from a previous release should behave exactly as it has in previous releases, but new configurations can easily specify that only a given list of URIs should be cached. Just as before, the exclude and pinned regexes take precedence over (what is now in v11 known as) the include-override regex. Also, the exclude, pinned, and include-override regex will all take precedence over the include regex.
ID 227221 TMM no longer cores under certain conditions when the internal interfaces are reset.
ID 246935 The SOAP monitor now correctly takes into account the protocol setting in the monitor configuration. Regardless of the destination port, a setting of "https" will result in the SOAP monitor connecting to the server over SSL/TLS, while a setting of "http" will result in an unencrypted connection.
ID 247643 The boot process no longer hangs if the syslog-ng process is not running while Apache is initializing.
ID 247801 When the static ARP entry is added while a dynamic entry exists for the same address, the static ARP entry takes precedence, and you no longer see two ARP entries for the same address.
ID 247972 TMM no longer immediately reuses source ports for server-side connections when the same TMM handles multiple consecutive connections from a single client with CMP enabled.
ID 291695 The system now load balances messages as expected for the ratio load balancing method, for virtual servers configured with RADIUS, Diameter, or SIP profiles.
ID 293854 NTLM connection pool variables are now correctly initialized and ntlmconnpool no longer crashes during SharePoint transactions.
ID 325315 SNMP support has been added to Advanced Routing.
ID 330791 The PVA-TMM I/O channel is no longer reset after a pvad synchronization on systems with a PVA2. This condition previously caused the following messages to be logged very close to one another:
  • pvad[2064]: 01130003:6: PVA2 incoherency detected; synchronization required.
  • pvad[2064]: 01130003:6: Resetting PVA i/o channel after 0 failed retries.
  • pvad[2064]: 01130003:6: PVA2 synchronization complete
ID 336355 The "tomcat" user no longer has access to a shell.
ID 336817 TMM now correctly converts TCP timestamps for SYN-ACK replies from remote servers before sending them on to the Linux host when more than one initial SYN was transmitted. This avoids, for instance, monitoring connections periodically being reset when remote servers are slow to acknowledge the initial SYN.
ID 337175 Fixed an issue where fragmented IP packets from the Linux host (such as large SNMP responses) were delivered with an incorrect port or dropped.
ID 337562 URI::decode now properly handles strings that do not convert well to UTF-8.
ID 338062 On 3400, 6400, 6800, 8400, and 8800 platforms, that is, platforms with Packet Velocity application-specific integrated circuit (PVA), the system now correctly sends ICMP Unreachable - Fragmentation Needed packets to FastL4 virtual servers set for PVA assist.
ID 338150 For the HTTPS monitor, mid-stream SSL renegotiation has been enabled in order to handle monitoring servers that do not request the client certificate until after application data starts flowing, specifically, Microsoft Internet Information Services (IIS) versions 6 and IIS 7.
ID 339291 The default maximum size of the IPv6 routing table has been increased to 8192 entries.
ID 339379 TMM and HTTP::header sanitize command (ID 339379): Traffic Management Microkernel (TMM) now responds correctly when the virtual server references an iRule with the HTTP::header sanitize command.
ID 339461 When using copper SFPs to connect 10M or 100M hosts, the interface is correctly configured and comes up properly.
ID 339744 This release corrects the condition that caused the Traffic Management Microkernel (TMM) core events, which produced a ** SIGSEGV ** that included the following notices: notice fault addr: 0x68 and notice fault code: 0x1.
ID 339847 msktutil and domaintool utilities and unprivileged users (ID 339847): The msktutil and domaintool utilities no longer crash when run by an unprivileged user, reporting the message glibc detected-msktutil: munmap_chunk(): invalid pointer: 0xff920190. The output now correctly reports that the logged-on user must be an administrator.
ID 339955 The Configuration utility now correctly updates the /config/bigip_sys.conf file so that ConfigSync or configuration reload does not disable initial network failover configuration.
ID 340081 A crash no longer occurs when an iRule suspends then returns from suspension after the connection closes.
ID 340274 BIG-IP LTM no longer prefers a client-offered SSL cipher when using COMPAT mode.
ID 340336 The peer certificate mode auto is now the functional equivalent of ignore. The mode auto remains, but functions the same as ignore.
ID 340407 Basic TCP monitors that are associated with a pool or pool member that is not listening on the monitored port no longer erroneously mark a node up when it is actually down.
ID 340651 This release corrects the condition on VIPRION platforms, in which setting the db variable vlan mac assignment to global resulted in some or all of the VLANs receiving a zero MAC assignment, which could cause no traffic to pass on a VLAN. You can now set db variable vlan mac assignment to global and there are no longer VLANs with MAC address of zero.
ID 340659 RESOLV::lookup -ptr now properly returns PTR records.
ID 340696 The system now correctly handles a large number of self IP addresses or VLANs when starting up the ntpd process, and no longer halts with a segmentation violation or related crash.
ID 340718 sod no longer crashes when failover debugging is enabled and the log file grows beyond 2 GB in size.
ID 341217 Trailing semicolon and whitespace and removing HTTP cookie (ID 341217): The system now correctly removes the trailing semicolon ( ; ) and whitespace when removing an HTTP cookie from the HTTP header data.
ID 341329 Routing Modules have been officially added in VADC.
ID 341404 VLAN group Proxy Exclusion List now correctly loads on secondary blades in a VIPRION cluster.
ID 341414 CompactFlash and swap partition (ID 341414): The system no longer incorrectly uses the CompactFlash® card as a swap partition. Now, the system correctly uses a swap partition on the system hard drive.
ID 341663 Persistence table additions and lookups on CMP systems no longer assume there will only be one entry per connection, allowing for persistence to be maintained when the server-side connection is switched to a different pool.
ID 342010 iRule command table keys -subtable (ID 342010): Use of the table keys -subtable iRule command no longer causes a memory leak.
ID 342044 Now monitors are able to provide correct server status when the server sends more than one response per monitor probe.
ID 342976 On VIPRION, clusterd no longer miscalculates the clock skew of a secondary blade, which caused a reboot to be issued when ntpd moves the clock forward.
ID 343037 snmpd now functions properly with IPv6 and with route domains.
ID 343150 IPv4 and IPv6 addressing may be used for Config Sync operations.
ID 343610 An issue causing snmpget and snmpwalk to perform slowly on the 6400/6800/8400/8800 platforms has been fixed.
ID 344159 TMM no longer leaks memory when using the "after" command in an iRule under certain circumstances.
ID 345047 The handling of large numbers of virtual servers has been improved, and the CPU usage for the pvad process should no longer be adversely affected in such situations.
ID 345057 When a VLAN group has a self IP, but none of the member VLANs have self IPs, enabling VLAN failsafe on any of the VLANs in the group no longer results in the failsafe triggering without cause.
ID 345266 TMM no longer reverts the datagram_lb setting when configured in a UDP profile along with a message-based load balancing configuration.
ID 345300 If an iRule returns from a suspended state to a flow that is dying, execution is discontinued.
ID 345314 A condition where the LB_FAILED event could fire twice leading to a tmm crash has been resolved.
ID 345634 RESOLV::lookup now properly resolves IPv6 PTR records.
ID 345712 TMM no longer crashes when an iRule calls the TCP::notify command multiple times during the lifetime of a connection.
ID 345873 A condition causing connection to get stuck in "Authenticating...." when using the iOS (iPhone/iPad) Edge Client has been corrected.
ID 345944 BIND update (ID 345944): BIND has been updated to mitigate two vulnerabilities, tracked by the Common Vulnerabilities and Exposures (CVE) project as CVE-2010-3613 and CVE-2010-3615.
ID 346107 When using VLAN groups, egress traffic is correctly handled (no longer dropped) when the egress VLAN is the same as the ingress VLAN, when using a non-VLAN-group listener.
ID 346202 On the VIPRION system, the system_check utility now correctly checks the temperature on all blade types.
ID 346580 With certain configurations that include reselect on service down with pool members that are at least one hop away, tmm no longer crashes if a configuration file is loaded while traffic is flowing to the virtual.
ID 346901 The 8900 NEBS platform is now checked properly for timezone updates.
ID 347053 Stability enhancements have been made to mcpd when using node monitors.
ID 347628 You can specify the netmask in an iRule in dotted quad format, for example, /255.255.255.0. In versions 10.0.0 through 10.2.1 of the software, this functionality was deprecated. In 10.2.2, the functionality has been restored.
ID 347838 This release corrects an issue that caused ICMPv6 traceroute to BIG-IP to always fail.
ID 347858 A condition under which mcpd could potentially leak memory has been corrected.
ID 347898 Enabling "Verified Accept" on a TCP profile assigned to an IPv6 virtual server no longer produces a switchboard failsafe and a tmm core.
ID 347921 The tm.rejectunmatched db key setting is now honored properly on virtual servers using FastL4 profiles.
ID 347973 Intermittent failures of mcpd to subscribe to stats segments should no longer cause an exit and core file to be generated.
ID 348141 VIPRION 2400 platforms no longer display "invalid trunk" entries in the forwarding database when self-IPs are added or deleted from the system.
ID 348225 A condition where tmm could loop trying to send the same SACK hole packet has been resolved.
ID 348368 The RFC1997 restrictions on BGP community strings imposed by ZebOS 7.5 and newer have been removed to restore the ZebOS 5.4 ability for users to set community strings to any value.
ID 348529 The STREAM filter no longer misses some matches when the target string is smaller than the source string.
ID 348660 An RST sent by a client connected to a virtual server using a TCP profile with "Verified Accept" no longer leaves that virtual server in a hung state.
ID 349216 A condition where tmm cores when a ramcache proxy lookup is done on an aborted request has been fixed.
ID 349312 The firmware and bootloader versions for the 8900 platform are now correctly cached during system startup and no longer generate an error message.
ID 349373 A defect has been addressed which could cause TMM to core and restart under some conditions when an iRule command causes the TCL interpreter to suspend and resume. The failure condition could be accompanied by a variety of log messages in /var/log/tmm, including the following:
  • Assertion "valid tclconn for cf" failed.
ID 349481 TMM no longer crashes under circumstances when an MTU update is done on a connection flow that already has an existing mss value, even if mss = 0.
ID 349872 A condition that could cause clusterd to leak memory has been fixed.
ID 349964 Logging from mcpd has been enhanced.
ID 350080 Stability enhancements to mcpd have been made.
ID 350218 Link Aggregation Control Protocol (LACP) now properly enforces the partner SysId match check to prevent aggregation of ports connected to different remote switches.
ID 350434 In previous releases, certain iRule commands (for example, table and persist) might not complete when executed in the CLIENT_CLOSED event. In this release, commands of this type complete correctly.
ID 350652 A defect has been addressed which could cause TMM to core and restart in certain connection teardown conditions when using ramcache.
ID 350982 A condition that could cause clusterd on VIPRION systems to leak memory has been corrected.
ID 351579 Moving a virtual server from one server definition to another in the wideip.conf configuration file will no longer cause stale monitor configurations to remain in operation.
ID 352552 The HA group percent score is now updated correctly after reboot.
ID 353505 In the absence of a default route, an LTM monitor could start probing a node on a non-local subnet via the management interface. After a default route was added, the monitor kept sending the probes with the management IP as the source address. This issue has been fixed.
ID 353871 Fixed an issue where certain certificates would be displayed with an invalid expiration date (an extra 1900 years was mistakenly added).
ID 353934 File and directory permissions for /shared/ssh/root now have the proper umask settings.
ID 354398 TMM will no longer forward packets originating from the host when a routing loop is configured elsewhere in the network that sends the packets back to the LTM on the vlan they were originally sent out on.
ID 354597 The tmm process no longer cores and restarts when an empty input string is passed to any of the URI:: iRule commands.
ID 354998 Persistence profiles using the map proxies feature now correctly map IPv4 addresses with the data group configured by the Persist.WellKnownProxyClass bigdb variable.
ID 355152 This release corrects a chmand process leak that occurred on the 1600, 3600, 3900, 6900, 8900, 8950, 11000, and 11050 platforms (more specifically, platforms with the Always-On Management (AOM) subsystem).
ID 356287 Connections to FastL4 virtual servers are no longer incorrectly reset when they receive invalid ICMP messages.
ID 356655 The BIG-IP Dashboard now correctly displays platform limits for the VIPRION 2400.
ID 356718 In Appliance mode, running an edit command in tmsh invokes the nano editor instead of the vi editor.
ID 356849 The /var/log/tmm now shows the correct OCTEON revision number.
ID 357324 PVAD no longer writes duplicate MAC addresses to the limited (size of 16) PVA2 L2 table, avoiding a situation where the table could fill up unnecessarily. The following log message is an indication that the L2 table has filled up: 01130001:4: PVA memory constraint : can have no more than 16 vlans in unique MAC mode
ID 357841 The following VIPRION blade powered up and down messages should no longer be erroneously logged:
  • Apr 15 23:37:07 slot1/host1 err clusterd[4638]: 013a0009:3: Blade 1: blade 3 powered DOWN.
  • Apr 15 23:37:07 slot1/host1 err clusterd[4638]: 013a0009:3: Blade 1: blade 4 powered DOWN.
  • Apr 15 23:37:08 slot1/host1 notice clusterd[4638]: 013a0010:5: Blade 1: blade 3 powered up.
  • Apr 15 23:37:08 slot1/host1 notice clusterd[4638]: 013a0010:5: Blade 1: blade 4 powered up.
ID 358180 There are new statistics measures to support secure SSL connection renegotiation:
  • secure_handshakes: The number of handshakes, including mid-stream re-negotiations, performed with peers supporting SSL secure renegotiation.
  • insecure_handshake_accepts: The number of handshakes, including mid-stream re-negotiations, performed with peers not supporting SSL secure renegotiation.
  • insecure_handshake_rejects: The number of rejected initial handshakes with peers not supporting SSL secure renegotiation.
  • insecure_renegotiation_rejects: The number of rejected renegotiation attempts by peers not supporting SSL secure renegotiation.
ID 358623 The SIP protocol now correctly handles expired flows when an iRule is suspended while executing a SIP iRule event.
ID 358625 A defect causing TMM SIGFPE cores due to an improper handling of certain iRule commands (for example, "persist") has been fixed. A panic log message such as the following is a possible indication that this bug has been encountered:
  • panic: Tcl Object bdba8dc is currently on free list
ID 358684 A defect has been corrected, which could cause interfaces on a VIPRION 2400 blade to occasionally show as missing (MS).
ID 358774 The following benign log message no longer appears on non-cluster systems at startup and shutdown:
  • 012a0004:4: halGetChassisAllSlots: error 1
  • May 9 06:16:33 localhost err fpdd[4375]: 00010038:3: Unknown HAL API error, returned (1) for request halGetChassisAllSlots
ID 358788 TMM no longer crashes when the TMM is restarted on the standby machine in a high-availability configuration that includes connection mirroring. Making configuration changes to an HA channel configuration that includes connection mirroring no longer causes TMM to core.
ID 358865 TMM no longer exits with a SIGFPE in certain situations when a Standard virtual server is targeting a FastL4 virtual server. The following panic string is an indication that this issue was encountered: Assertion "flow in use" failed.
ID 359466 Connections are now correctly re-mirrored after a failover event, regardless of when the alternative HA mirror link state has been marked as "down".
ID 359620 Stale mirroring entries on the switch chip no longer cause LACP packets to be dropped.
ID 359730 "SSL::cert" iRule commands can now correctly be called during a SERVERSSL_HANDSHAKE event on virtual servers that have serverssl profiles. Rather than returning empty results, accurate server certificate information is now returned.
ID 360515 BIND has been updated to mitigate the vulnerabilities in CVE-2011-1910.
ID 361121 Rather than having no effect, the TCP::respond iRule command now sends a TCP packet with no payload when called with an empty string.
ID 361300 When upgrading from a previous release, all blades in a chassis now correctly initialize the base MAC address.
ID 361562 The pvad process handling of large numbers of virtual servers and other objects has been improved.
ID 361676 6900, 8900, 8950, and 11050 platforms using hard drives greater than 500 GB no longer fail to create a logical volume for datastor when provisioning WOM. To determine what size disk you have, log on to the command-line interface using the root account, and run the command pvscan.
ID 361741 Authentication to a BIG-IP system via iControl should no longer fail due to corrupt PAM tallylog files. The following log messages are an indication that this problem has occurred:
  • PAM Couldn't write /var/log/pam/tallylog, -138170000 bytes : Resource temporarily unavailable
ID 361777 The VIPRION 2400 platform no longer fails to perform a thermal shutdown of blades. Previously, blades would occasionally fail to shut down.
ID 361782 When an iRule command that causes a suspension to occur (for example, the "table" command) is executed on a FastL4 virtual server, the following error message is no longer logged, and rule execution will not be prematurely terminated:
  • Attempted to resume iRule for closed flow (listener virtual_server)
ID 361839 The stream filter now correctly forwards iRule events that it is unaware of (for example, ASM::violation_data), rather than silently dropping them and thus potentially causing connections to stall.
ID 361864 The hardware information for LOP and BUC devices is now reported correctly.
ID 361952 An issue causing the PVAD daemon to core no longer occurs on the 6800 platform.
ID 362109 SNAT and Automap now work correctly for additional protocols. The flow key's local port is not adjusted to 0 unless the protocol is TCP, UDP, or SCTP.
ID 362175 TMM's connection flow table is no longer corrupted by the ungraceful shutdown of any TMM.
ID 362436 The following log message is no longer erroneously displayed during normal system startup: Jun 22 05:53:49 tmm warning tmm[30894]: 01010031:4: Device warning: hsb 0.1 - 1 hw watchdog timeouts
ID 362851 The Dashboard utility now displays platform limits for all VIPRION systems as the maximum value for a fully-loaded chassis.
ID 363027 Fixed a delete permissions issue with locally authenticated users.
ID 363030 If the DB variable tmrouted.queryperiod is set to a value that requires querying virtual servers more than once per second, the system now queries correctly and no longer drives up CPU usage.
ID 363082 The correct product category ("VIPRION") is now provided when calling the iControl function System::get_system_information() against PB200 and PB200-NEBS VIPRION blades.
ID 363310 BIND has been updated to mitigate the vulnerabilities in CVE-2011-2464.
ID 363988 The following log messages are no longer erroneously printed to /var/log/tmm on VIPRION 2400 systems: Skip potential RQM forward pkts read error and Skip potential RQM drop pkts read error.
ID 364024 1 GB SFPs now correctly establish an "up" state on B2100 (VIPRION 2400 blade).
ID 364112 VIPRION 2400 blades now correctly take the chassis MAC address as their base when they are inserted into a new chassis.
ID 364699 ClientHello SSL messages greater than 256 bytes in length no longer cause connections to clientssl virtual servers to stall, or re-negotiations to fail.
ID 365295 Heavy session table usage no longer results in connection stalls on 11000/11050.

Behavior changes in 11.3.0

ID Number Description
ID 354986 You can use tmsh to create virtual server configurations where the server-side profile does not match the virtual server's protocol type. This type of configuration, however, is no longer supported in the GUI.
ID 379978 You can now set a score for a virtual server in the Configuration utility. You must select the Advanced option from the Configuration list for this setting to display. The BIG-IP GTM uses this score to load balance traffic using the Quality of Service (QoS) load balancing method.
ID 382225 The following platforms have reached End of New Software Development and therefore do not support v11.2: 6400, 6800, 8400, and 8800. These platforms are still supported by F5 Networks. For more information, refer to SOL9412: The BIG-IP release matrix.
ID 384509 When configuring Full Webtop Popup Window Settings (through Advanced Customization), changing the Show Statistics Table setting now affects the application tunnel popup as well as the network access popup.
ID 387135 This feature makes the following tmsh attributes obsolete: ltm virtual 'snat' and ltm virtual 'snatpool'. They are replaced by (merged into) the 'source-address-translation' attribute, with the sub-attributes 'type' and 'pool'. Also note that 'type' is now required when setting 'pool'. This was not the case with 'snatpool'.
  • OBSOLETE: tmsh create ltm virtual v snat none
    USE INSTEAD: tmsh create ltm virtual v source-address-translation { type none }
  • OBSOLETE: tmsh create ltm virtual v snat automap
    USE INSTEAD: tmsh create ltm virtual v source-address-translation { type automap }
  • OBSOLETE: tmsh create ltm virtual v snatpool sp
    USE INSTEAD: tmsh create ltm virtual v source-address-translation { type snat pool sp }
ID 387342 For a virtual server with a TCP profile that uses a pool with queue-on-connection-limit enabled, if a client begins to close a connection while it is still queued, the BIG-IP system now resets the connection immediately. Previously, BIG-IP behavior varied depending on several factors (clientssl, buffered request data) and under some circumstances resulted in lingering connections.
ID 391451 IP tunnels now support route domains. Tunnel endpoint addresses can be configured with a route domain other than the default. Additionally, the interface representing the tunnel can be added to a route domain. The route domain of the interface need not match that of the tunnel endpoint addresses. This allows inner traffic and outer traffic to belong each to a different route domain. This change only applies to IPIP, GRE, and EtherIP tunnels.
ID 393382 HSL::open will now take -publisher <logging publisher> as arguments.
ID 394309 In F5-BIGIP-SYSTEM-MIB, sysSystemUptimeInSec (.1.3.6.1.4.1.3375.2.1.6.7.0) OID has been added under sysSystem to provide the uptime of the system in seconds.
ID 394728 Before this change, "tmsh save/load sys config" saved or loaded configuration in the current partition only. With this change, "tmsh save/load sys config" saves or loads configuration in all partitions; it is equivalent to "tmsh save/load sys config partitions all". To get the previous default behavior, use either of the following: (1) "tmsh save/load sys config partitions { <current_partition_name> }" or (2) "tmsh save/load sys config current-partition" (the current-partition option is newly added in this release). For example, if you are in the /Common partition, use "tmsh save/load sys config current-partition" or "tmsh save/load sys config partitions { Common }". Either command saves or loads everything in the "/Common" partition.
ID 397258 DHCP is enabled by default for this release of BIG-IP software. Live installation will preserve the previous settings if DHCP was enabled or disabled. SCF files with static management port addressing should have the command "modify sys global-settings mgmt-dhcp disable" inserted prior to any "sys management-ip" or "sys management-route" commands.
ID 397975 The TMM can address more than 4GB of memory in BIG-IP Virtual Edition for this release of software.
ID 403442 ePVA with jumbo frames has reduced throughput in this release. This is a regression from prior releases.
ID 404282 Less than 4 gigabytes of assigned virtual machine memory will result in a BIG-IP that boots with a single TMM and will not be CMP enabled. For CMP workloads, assign at least 4 gigabytes of memory in this release of BIG-IP software.
Analytics Profile Properties changes Due to system changes, we made the following changes to the Analytics Profile Properties screen:
  • Removed the collected metrics Server Latency and Throughput because they are now automatically collected
  • Removed the setting Transaction Sampling Ratio. You can enable or disable sampling, but you cannot set the sampling ratio. If sampling is disabled, the system learns information from every transaction, while if sampling is enabled, the system learns information from a sample of the total number of transactions.
  • Removed the Trust XFF check box. You now configure the system to trust XFF from the HTTP profile configuration of the LTM module. Navigate to Local Traffic > Profiles > Services > HTTP, open the properties of an HTTP service, and enable the Accept XFF check box.
ID 453981 In versions earlier than 11.3.0, the system allowed configuration of /31 IPv4 addresses as self-IP addresses, even though they are nominally allowed only in point-to-point links (RFC 3021). In version 11.3.0, the handling of /31 IPv4 addresses was strengthened to match the RFC. That means that, on configurations upgraded to 11.3.0 or later, GTM sync operations cannot succeed if the upgraded configuration contains /31 IPv4 addresses defined as self-IP addresses. If you encounter unexpected sync failures after upgrade to 11.3.0 or later, change any self-IP addresses to /32 IPv4 addresses.
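
The attribute change in ID 387135, worked through as an added example (not F5 code): a Python helper that rewrites one-line tmsh commands from the obsolete 'snat' and 'snatpool' attributes to the 'source-address-translation' form given in that entry, and flags lines that set 'pool' without 'type'. The function names, the sample script, and the handling of 'modify' alongside 'create' are assumptions made for the illustration.

```python
import re

# Command head: optional "tmsh", verb, "ltm virtual", then the virtual server
# name. Matching the name here keeps a virtual server that happens to be
# called "snat" or "snatpool" from being mistaken for an attribute.
# Assumption: 'modify' is treated like the 'create' form shown in ID 387135.
_VIRTUAL_CMD = re.compile(r"^\s*(?:tmsh\s+)?(?:create|modify)\s+ltm\s+virtual\s+\S+")
_SNAT = re.compile(r"(?<![\w-])snat\s+(none|automap)(?![\w-])")
_SNATPOOL = re.compile(r"(?<![\w-])snatpool\s+([^\s{}]+)")
_SAT_BLOCK = re.compile(r"source-address-translation\s*\{([^}]*)\}")


def migrate_line(line):
    """Rewrite one command line.

    Returns (new_line, status), where status is one of:
      'unchanged' - not an 'ltm virtual' command, or nothing obsolete in it
      'rewritten' - an obsolete attribute was replaced
      'review'    - left as-is because a person has to decide
    """
    m = _VIRTUAL_CMD.match(line)
    if m is None:
        return line, "unchanged"
    head, attrs = line[:m.end()], line[m.end():]

    # ID 387135: 'type' is now required when setting 'pool'.
    for block in _SAT_BLOCK.finditer(attrs):
        words = block.group(1).split()
        if "pool" in words and "type" not in words:
            return line, "review"

    has_snat = _SNAT.search(attrs) is not None
    has_pool = _SNATPOOL.search(attrs) is not None
    if has_snat and has_pool:
        # Two obsolete attributes would merge into one new attribute;
        # do not guess which one the author meant.
        return line, "review"
    if has_snat:
        attrs = _SNAT.sub(r"source-address-translation { type \1 }", attrs)
    elif has_pool:
        attrs = _SNATPOOL.sub(
            r"source-address-translation { type snat pool \1 }", attrs)
    else:
        return line, "unchanged"
    return head + attrs, "rewritten"


def migrate_script(text):
    """Rewrite every line of a tmsh command script.

    Returns (new_text, findings); findings lists
    (line_number, status, original_line) for each line that was
    rewritten or needs review.
    """
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        new_line, status = migrate_line(line)
        out.append(new_line)
        if status != "unchanged":
            findings.append((number, status, line.strip()))
    return "\n".join(out), findings


# Constructed sample: a provisioning script written before 11.3.0.
SAMPLE = """\
# constructed sample, pre-11.3.0 provisioning script
tmsh create ltm virtual v snat none
tmsh create ltm virtual v2 destination 10.0.0.10:80 snat automap
tmsh create ltm virtual snatpool snatpool sp
tmsh create ltm virtual v4 source-address-translation { pool sp }
tmsh create ltm virtual v5 source-address-translation { type snat pool sp }
tmsh create ltm pool p members add { 10.0.0.20:80 }
"""

if __name__ == "__main__":
    new_text, findings = migrate_script(SAMPLE)
    print(new_text)
    for number, status, original in findings:
        print(f"line {number}: {status}: {original}")
```

Running the helper a second time over its own output changes nothing, so it can be applied repeatedly to a script that is only partly converted.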

Behavior changes in 11.2.1

ID Number Description
ID 391989 In F5-BIGIP-LOCAL-MIB, ltmNodeAddrStatCurrentConnsPerSec (.1.3.6.1.4.1.3375.2.2.4.2.3.1.22) and ltmNodeAddrStatDurationRateExceeded (.1.3.6.1.4.1.3375.2.2.4.2.3.1.23) OIDs have been added under ltmNodeAddrStatTable; ltmPoolMemberStatCurrentConnsPerSec (.1.3.6.1.4.1.3375.2.2.5.4.3.1.30) and ltmPoolMemberStatDurationRateExceeded (.1.3.6.1.4.1.3375.2.2.5.4.3.1.31) OIDs have been added under ltmPoolMemberStatTable; ltmVirtualServStatCurrentConnsPerSec (.1.3.6.1.4.1.3375.2.2.10.2.3.1.34) and ltmVirtualServStatDurationRateExceeded (.1.3.6.1.4.1.3375.2.2.10.2.3.1.35) OIDs have been added under ltmVirtualServStatTable.

Behavior changes in 11.2.0

ID Number Description
ID 224369 A new DNS monitor for LTM has been implemented in this release. See the product documentation and online help for further information.
ID 240593 While all other naming conventions remain the same, BIG-IP now allows user names to start with numeric characters (0-9), including purely-numeric user names.
ID 247789 In this release, SNMP traps, RADIUS log messages, and Syslog log messages are sourced from the VIPRION cluster management IP address. Therefore, the route you define to the BIG-IP system on the SNMP manager must be the route to the VIPRION system's cluster management IP address. In addition, you must ensure that firewalls and other internal software can accommodate SNMP traps, RADIUS log messages, and Syslog log messages sourced from the VIPRION cluster management IP address. If you configured these traps and log messages to be sourced from the blade management IP addresses, the operations may not function as expected after upgrading.
ID 345907 In F5-BIGIP-SYSTEM-MIB, arx1500 (.1.3.6.1.4.1.3375.2.1.3.4.49), arx2500 (.1.3.6.1.4.1.3375.2.1.3.4.50), bigip11000F (.1.3.6.1.4.1.3375.2.1.3.4.51), bigip11050F (.1.3.6.1.4.1.3375.2.1.3.4.52), bigip6900F (.1.3.6.1.4.1.3375.2.1.3.4.53), bigip6900N (.1.3.6.1.4.1.3375.2.1.3.4.54), bigip6900S (.1.3.6.1.4.1.3375.2.1.3.4.55), bigip8900F (.1.3.6.1.4.1.3375.2.1.3.4.56), bigip8950S (.1.3.6.1.4.1.3375.2.1.3.4.57), and bigipPb200N (.1.3.6.1.4.1.3375.2.1.3.4.58) OIDs have been added under sysDeviceModelOIDs.
ID 361222 TCP MD5 authentication support has been added for IPv6 BGP neighbors.
ID 365123 New options are available for configuration of the command line prompt to display the fully qualified domain name, mcp phase and last configuration load status of a BIG-IP. Instructions for modifying the environmental variable PS1 can be found in the file /etc/bashrc, which can be modified for all users. For individual users, the PS1 variable may be configured via a .bashrc file in the user's home directory.
ID 365635 The ssldump utility might not decode data for protocol TLS v1.1 or v1.2. There is no workaround for this issue in this release. For information about the ssldump utility, see SOL10209: Overview of packet tracing with the ssldump utility, available in the AskF5 Knowledge Base.
ID 367620 Persist profiles based on source_addr and dest_addr, in which CARP has also been selected as the hash algorithm, can be toggled to include the corresponding port number in the hash calculation. This behavior is controlled on a global basis by two new DB variables: Persist.SrcAddrCarpIpPort and Persist.DestAddrCarpIpPort. Both take values 'enable' and 'disable', with 'disable' as the default.
ID 368299 In F5-BIGIP-LOCAL-MIB, a new ltmDnsProfileStat (.1.3.6.1.4.1.3375.2.2.6.14.2) object has been added to provide statistics information for DNS profiles. Additionally, ltmDnsProfileDns64Mode (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.5), ltmDnsProfileDns64PrefixType (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.6), ltmDnsProfileDns64Prefix (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.7), ltmDnsProfileDns64AdditionalRewrite (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.8), ltmDnsProfileDnsLastAction (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.9), ltmDnsProfileUseLocalBind (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.10), ltmDnsProfileDnsExpressEnabled (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.11), ltmDnsProfileDnssecEnabled (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.12), ltmDnsProfileCacheEnabled (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.13), ltmDnsProfileDnsCache (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.14), and ltmDnsProfileProcessRd (.1.3.6.1.4.1.3375.2.2.6.14.1.2.1.15) OIDs have been added under ltmDnsProfileTable.
ID 369628 There is no longer a MAX LIMIT for a rate class set at 2 G. The rate limit is now 20 G.
ID 369943 The DHCPrelay proxy now supports DHCPv6.
ID 370519 Tunnel interfaces are now propagated to dynamic routing protocols. This allows networks connected to or reachable via tunnels to be advertised via dynamic routing. NOTE: IGP dynamic routing protocols such as OSPF, IS-IS and RIP cannot establish adjacency over tunnel interfaces.
ID 371131 User authentication on BIG-IP through LDAP server may now use LDAP membership as a part of remote role determination when assigning a role to a user of the BIG-IP system.
ID 371946 TLS version 1.1 (RFC 4346) is now supported.
ID 374447 The DHCPrelay proxy now supports multi-hop DHCP requests. A BIG-IP DHCPrelay virtual server can now handle both requests sent directly from a client and requests relayed from another DHCP relay agent.
ID 375096 IPv6 router-advertisement functionality has now moved to the TMM and can be configured via iControl. Refer to the iControl documentation for more information.
ID 375283 BIG-IP added support for user customizable MIB. Custom MIB entries can be configured in an optional config file /config/snmp/custom_mib.tcl.
ID 375639 In F5-BIGIP-SYSTEM-MIB, the sysAttrConfigsyncState (.1.3.6.1.4.1.3375.2.1.1.1.1.6.0) object has been deprecated and replaced by the sysCmSyncStatus (.1.3.6.1.4.1.3375.2.1.14.1) and sysCmSyncStatusDetails (.1.3.6.1.4.1.3375.2.1.14.2) objects.
ID 375918 In F5-BIGIP-SYSTEM-MIB, a new sysCmTrafficGroupStatus (.1.3.6.1.4.1.3375.2.1.14.5) object has been added to provide information about status of the traffic group(s) on the BIG-IP system.
ID 376350 In F5-BIGIP-SYSTEM-MIB, sysAttrFailoverActiveMode (.1.3.6.1.4.1.3375.2.1.1.1.1.10.0), sysAttrFailoverForceActive (.1.3.6.1.4.1.3375.2.1.1.1.1.11.0), sysAttrFailoverForceStandby (.1.3.6.1.4.1.3375.2.1.1.1.1.12.0), sysAttrFailoverUnitMask (.1.3.6.1.4.1.3375.2.1.1.1.1.19.0), and sysAttrFailoverUnitId (.1.3.6.1.4.1.3375.2.1.1.1.1.20.0) objects have been deprecated, and new sysCmFailoverStatus (.1.3.6.1.4.1.3375.2.1.14.3) and sysCmFailoverStatusDetails (.1.3.6.1.4.1.3375.2.1.14.4) objects have been added to provide information about failover status on the BIG-IP system.
ID 376751 During upgrade, you might see the following messages: "notice chmand[14978]: 012a0005:5: FANTRAY PIC boot loader (v1.14) is not supported", "notice chmand[14978]: 012a0005:5: FANTRAY PIC boot loader v1.20 or later is required to upgrade the firmware to v3.01." These are non-critical messages about boot-loader version support for upgrading fan-tray firmware to v3.01. An associated issue, which happens rarely, occurs when multiple blades make fan-speed requests. Software versions earlier than v3.01 do not aggregate fan-speed requests, and because the fan tray immediately acts on the requests, if different blades request different fan speeds, the fans could oscillate. This is an unlikely occurrence because the blades check the same temperatures and should send similar fan-speed requests. Even if the fan speeds oscillate, however, the system maintains chassis cooling.
ID 382225 The following platforms have reached End of New Software Development and therefore do not support v11.2: 6400, 6800, 8400, and 8800. These platforms are still supported by F5 Networks. For more information, refer to SOL9412: The BIG-IP release matrix.
ID 382308 When specifying a unicast address for network failover only, you must use self IP addresses from the default routing domain.
ID 382882 A mgmt interface configured by DHCP (Dynamic Host Configuration Protocol automatic addressing) has the comment "configured by dhcp" associated with it. This comment persists with a statically addressed configuration and can be safely removed if desired.
ID 383987 SSL renegotiation is now enabled by default. In previous versions, SSL renegotiation was disabled by default.

Behavior changes in 11.1.0

ID Number Description
ID 227306 The radvd service is now fully and completely incorporated within TMOS. The configuration that was used by radvd (specified in the /etc/radvd.conf file) is now part of the BIG-IP system configuration and can now be set using tmsh. For more information, see the 'net router-advertisement' section of the tmsh manual or the tmsh command-line help.
ID 367753, ID 371627 In this release, the software uses ssmtp to perform mail forwarding to a mail host for locally generated email messages from the BIG-IP system. The Postfix mail transfer agent has been removed. You can find information on how to configure ssmtp in SOL13182: Change in Behavior: Postfix has been removed from BIG-IP software and SOL13180: Configuring the BIG-IP system to deliver locally generated email messages (11.x) in the AskF5 Knowledge Base.
ID 368186 The sysCpuNumber and sysCpuTable OIDs (under sysCpu) have been deprecated and replaced by sysCpuSensorNumber and sysCpuSensorTable OIDs (under sysCpuSensor).
ID 370927 In this release, there is a new option, lifetime, for the create key command (sys crypto key). Lifetime specifies the number of days the certificate will be valid for, and is useful in conjunction with the gen-certificate option when generating a key as well as a certificate.
ID 370964 When upgrading a 10.x standard active/standby pair, the recommendation is to start with the device with the numerically highest management IP address. There is a change in behavior in 11.1.0 that automatically selects the system with the highest management IP address as the active member of the HA group. Depending on your configuration, an upgrade could result in lost traffic.

Behavior changes in 11.0.0

ID Number Description
ID 208624 The default value for slow ramp time was changed from 0 (disabled) to 10 seconds.
ID 222483 bigd monitoring that used SSL had previously sent "SSLv2 Client Hello" to establish secure connections. This version turns off the use of SSLv2 Hello in favor of a TLS Hello.
ID 223709 Cross route domain after upgrade (ID 223709, CR131366) In this release, there is a Strict Isolation option for route-domain configuration. The option is enabled by default. So existing configurations that direct traffic across route domain boundaries will no longer work after upgrading. When that happens, the system logs in /var/log/ltm a message similar to the following: Oct 24 16:29:46 local/tmm1 warning tmm1[6636]: 01200011:4: Connection rejected from IP 10.20.20.12%2 port 33845 to IP 10.10.10.20%1 port 80: One of the route domains is strict. To have traffic cross the route domain boundary, disable the Strict Isolation option in Network > Route Domains for ingress and egress route domains.
ID 224579 Oracle JDBC monitor syntax change. The Database field is renamed to Connection string, and uses new syntax. The old database syntax is: %node_ip%:%node_port%:<db name> An example of the new database syntax is: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=%node_ip%)(PORT=%node_port%)) (CONNECT_DATA=(SID=<db name>)) (SERVER=dedicated)) When upgrading, the old database string is converted to the new connection string syntax.
ID 336820 This release does not support the use of bigpipe or tmsh to add a software ISO image to the system. Supported methods include using the Import procedure by clicking the Import button on the System:Software Management:Image List page within the web management interface or using scp to copy the ISO image to the /shared/images directory prior to installation.
ID 340221 The Create button has been removed from the volume-creation portion of the Software Management screen. Instead, you specify a new name to create a volume when you initiate an installation operation.
ID 342790 COMPAT ciphers used to be displayed for server cipher strings such as ALL, HIGH, LOW, MEDIUM, etc. Now, COMPAT ciphers are displayed only if you explicitly indicate in the cipher string that the COMPAT ciphers be shown. For example, cipher strings such as ALL and LOW display only Native ciphers. LOW:COMPAT displays all LOW ciphers including Native and COMPAT. HIGH+COMPAT displays the HIGH ciphers that are COMPAT; Native ones are not displayed.
ID 348217 The system no longer counts pool members that are still ramping up (because of a slow ramp setting) against the minimum-up member requirement for subsequent priority group activation.
ID 351457 This release provides new TCP profile attributes: Initial Congestion Window Size, Initial Receive Window Size, Initial Retransmission Timeout Base Multiplier for SYN Retransmission, and Delay Window Control. Based on RFC3390, the initial window size is set to 3 * MSS. The new TCP profile settings allow configuration of a larger base multiplier (n * MSS) for the initial window size, which can help deliver applications faster and improve response time. Descriptions of the controls appear in the online help for the TCP profile.
ID 353344 Previous versions of the BIG-IP system installed two software slots as part of a clean installation. The current version of BIG-IP now installs only one software slot as part of a clean installation. For the live install feature to work correctly, customers should ensure that at least two software slots are installed on each blade in the system.
ID 354518 The VIPRION 2400 has an RJ45-type connector for the Console port. Part of the updated functionality of the Always-On Management (AOM) serial port includes auto-baud, meaning that when you connect a cable to the Console port and issue a break from the keyboard, the system enables scrolling through baud rates using the return key. If you accidentally plug an active Ethernet cable (that is, a cable carrying network traffic rather than serial terminal data) into the Console port, when you power up the blade, the auto-baud functionality might engage, even though the cable is not connected to a valid serial terminal. This occurs because, depending on the traffic on the cable, network communications can simulate the effect of issuing a break, which initiates auto-baud. If you are already in this condition, after you remove the Ethernet cable and connect a valid serial cable, you will likely see garbled content on the serial terminal until you reset the AOM serial port’s baud rate to match the terminal’s baud rate. To synchronize AOM and terminal baud rates, follow these steps:
  1. Issue a break (using the <BREAK> key on the keyboard).
  2. Press return to have AOM cycle through the supported baud rates (115200, 57600, 38400, 19200, and 9600)
  3. When the baud rates are synchronized, the following prompt appears --- Press <ESC>( for AOM Command Menu. You can then press Esc ( to access the AOM Command Menu.
ID 356804 There is a new way of handling files with external data group definitions: before assigning it to external class, a file must be imported using System :: File Management :: Data Group File List. For example, to import an iRule file and use it:
  1. Go to System :: File Management :: Data Group File List.
  2. Click Import.
  3. Specify the file you want to use, or use Browse to find it.
  4. Click Import.
  5. Go to Local Traffic :: iRules :: Data Group List.
  6. Click Create.
  7. In Name, type the name of the file.
  8. From the Type list, select (External File).
  9. From the File Name list, select the Data Group File you imported earlier.
  10. Click Finished.
ID 357725 The cli-settings ip-addr setting has been removed. The command is relevant only to bigpipe, which has been removed in version 11.0.0.
ID 361252 As a result of various bugs identified from customers, we have changed how persisted connections apply against ratio and fixed ratio load balancing behavior to better conform to what customers expect.
ID 362117 Provisioning settings are no longer included in ConfigSync operations. To completely sync all objects, all systems must be provisioned similarly.
ID 364288 Some objects that were accessible from any context in system versions prior to v11.0 are no longer accessible with the same scope. A user might receive an inappropriate error message during a list or modify command. If the system gives the incorrect error message, change context to /Common and attempt the command again.
ID 365635 The ssldump utility does not decode data when protocol is TLS v1.2. There is no workaround for this issue in this release. For information about the ssldump utility, see SOL10209: Overview of packet tracing with the ssldump utility, available in the AskF5 Knowledge Base.
ID 367753 In this release, the software uses ssmtp to perform mail forwarding to a mail host for locally generated email messages from the BIG-IP system. The Postfix mail transfer agent has been removed. You can find information on how to configure ssmtp in SOL13182: Change in Behavior: Postfix has been removed from BIG-IP software and SOL13180: Configuring the BIG-IP system to deliver locally generated email messages (11.x) in the AskF5 Knowledge Base.
TMM move to 64-bit As memory density increases, F5 Networks has made the strategic decision to move TMM to 64 bit with the version 11.0 release. In moving to 64 bits, the Traffic Management Operating System (TMOS) provides performance benefits in areas such as the ability to address all the physical address space. For example, we can utilize the full 48 GB of memory on the new 11000 platform. We can now build systems that can address an almost infinite amount of RAM with enhanced algorithm performance. The move from 32-bit to 64-bit TMM does increase the number of pointers and memory used per connection; therefore, with version 11.0, for each platform, the number of concurrent connections will be less. This is not specific to F5 Networks: every ADC vendor that uses a 64-bit OS also has a lower concurrent-connection capacity than on a 32-bit OS.

Known issues

ID Number Description
ID 403592 Platforms with less than 6.5 GB memory cannot be upgraded to version 11.3.0 if three or more modules are provisioned. Note that upgrades from version 10.0.x display only an "upgrade failed" message as a software status. All other versions show a clear error message, guiding the users to SOL13988. Before upgrading, make sure you have only one or two modules provisioned if the BIG-IP system has less than 6.5 GB of memory.
ID 221917 When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, which logs a Tcl error to the /var/log/ltm file. This is a benign error message that you can safely ignore.
ID 221946 When you specify the cluster management IP address, the netmask defaults to /32, or 255.255.255.255. In order to use cluster member addresses, the netmask must be no more than /30, or 255.255.255.252. Always specify the netmask when specifying the cluster management IP address if you plan ever to use cluster member addresses. That way, the address always gets set correctly, and you can configure the cluster member addresses on the same network.
ID 221956 Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands.
ID 221963 When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again.
ID 222005 On boot, the following message might be seen. It is innocuous and can be ignored: err ti_usb_3410_5052.c: ti_interrupt_callback - DATA ERROR, port 0, data 0x6C
ID 222034 If HTTP::respond is called in LB_FAILED with large headers and/or body, the response may be truncated. TCP congestion-control state determines the threshold. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets.
ID 222112 When you start or stop the tcpdump utility on a VIPRION system, the system logs messages similar to the following entries in the /var/log/ltm file: slot1/tmm warning pu[24652]: 01230114:4: port movement detected for 00:01:23:45:67:10, vlan tmm_bp - 0.0 to 0.1 These messages are benign, and you can safely ignore them.
ID 222184 When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.
ID 222221 TCP::close doesn't work properly with SSL-related iRules. To work around this, remove tcp::close from the iRule. Although the SSL connection works, it will not be closed until a timeout.
ID 222273 Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.
ID 222287 On multi-core platforms running in CMP mode, rates configured in a rate class are internally divided between the active TMM instances. As a result, each flow is restricted to bandwidth equal to the configured rate divided by the number of active TMM instances. In order to achieve the actual rate set on the rate class, the system must be processing at least one flow on each active TMM instance. For more information, see SOL10858: Rate classes on CMP systems are divided among active TMM instances.
ID 222344 Dynamic routes might override static management routes. If a route learned via any dynamic routing protocol exactly matches a management static route, traffic from the Linux host will follow the dynamic route. NOTE: Regarding affected modules, the problem affects any module provisioned in TMOS as the root cause is in the core functionality shared by all modules.
ID 222438 PVA2 might return corrupted data in response to a virtual server stats query. When this happens, you might see messages in /var/log/ltm such as: pvad[2099]: mra_lbdb_vxo_basic_::deserialize(): wrong type 1 pvad[2099]: 01130004:4: ../Pva2AsicFactory.cpp:724 - Dropping stats msg. VSO deserialize failed. This can usually be fixed by running the command "bigstart restart pvad". Note that doing so will disrupt traffic for a short interval.
ID 222806 If an httpclass selects a pool other than the default pool associated with the virtual, and the subsequent request on the same connection matches no httpclass, then the default pool is not applied; the previously selected pool continues to be used. Enabling OneConnect is a workaround for the base scenario. However, a similar issue resurfaces if RamCache is used in conjunction with OC. Either of the following should work, regardless of whether OC or RC are in use.
  1. At the end of the httpclass list, include a catch-all httpclass (all selectors set to "none") which selects the desired default pool.
  2. Configure the default in the virtual, as usual, but add the following iRule:
     when CLIENT_ACCEPTED priority 900 {
         set default_pool [LB::server pool]
     }
     when HTTP_CLASS_FAILED priority 100 {
         pool $default_pool
     }
ID 223031 If you run the tcpdump utility from a Puma I blade on a VIPRION chassis containing a mix of Puma I and Puma II blades, the process does not show packets from the Puma II blades. To work around this issue, run the tcpdump operation from the Puma II blade.
ID 223412 When configuring a ConfigSync peer IP address, the IP address must reside in the default route domain. The default route domain has an implicit value of zero (0). ConfigSync operations will fail if you configure a peer address that contains an explicit route domain ID. For example:
    192.168.20.100%10
When a ConfigSync operation fails due to this issue, the BIG-IP system returns error messages that appear similar to the following example (in older versions of the software):
    Checking configuration on local system and peer system...
    Peer's IP address: 192.168.20.100%10
    Caught SOAP exception: Error calling getaddrinfo for 192.168.20.100%10 (Temporary failure in name resolution)
    Error: There is a problem accessing the peer system.
    BIGpipe parsing error: 01110034:3: The configuration for running config-sync is incorrect.
Or, for versions 11.0 and beyond:
    Apr 19 14:15:04 beaker-vm2 err mcpd[5766]: 01071430:3: Cannot create CMI listener socket on address 10.20.222.2%10, port 6699, Cannot assign requested address
ID 223421 If a disk is removed from an array, the serial number of the disk persists in the system until it is removed. There is no workaround for this issue.
ID 223426 Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. Enabling MD5 signatures allows the MD5 signature to be validated when it is present. Note that the problem does not affect TCP connections established from the host (for example, BGP connections).
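For ID 223426: because connections without an MD5 signature are still accepted, a capture-side check of TCP headers shows which segments actually carry the option. The Python below is an added example, not F5 code; the option kind (19) and length (18) come from RFC 2385 rather than this release note, and the sample segments are constructed.

```python
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19      # RFC 2385 TCP MD5 Signature option (assumption: not stated on the page)
MD5_DIGEST_LEN = 16     # option length 18 = kind + length + 16-byte digest


def build_tcp_header(sport, dport, flags, options=b""):
    """Build a TCP header for the constructed samples (checksum left at 0)."""
    padded = options + b"\x00" * (-len(options) % 4)   # pad with EOL to a 32-bit boundary
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + padded


def iter_tcp_options(segment):
    """Yield (kind, data) for each option in a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    opts = segment[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the header")
        yield kind, opts[i + 2:i + length]
        i += length


def has_md5_signature(segment):
    """True if the segment carries a well-formed MD5 signature option.

    Presence only: verifying the digest needs the shared key and the
    pseudo-header, which a passive check does not have.
    """
    return any(kind == TCPOPT_MD5SIG and len(data) == MD5_DIGEST_LEN
               for kind, data in iter_tcp_options(segment))


def unsigned_segments(segments):
    """Return the labels of segments that lack the MD5 signature option."""
    return [label for label, seg in segments if not has_md5_signature(seg)]


# Constructed samples: two SYNs to port 179, one signed and one not.
MSS = b"\x02\x04\x05\xb4"
SIGNED_SYN = build_tcp_header(40001, 179, 0x02,
                              MSS + bytes([TCPOPT_MD5SIG, 18]) + bytes(MD5_DIGEST_LEN))
UNSIGNED_SYN = build_tcp_header(40002, 179, 0x02, MSS + b"\x01\x01\x04\x02")
SAMPLES = [("syn-with-md5", SIGNED_SYN), ("syn-without-md5", UNSIGNED_SYN)]

if __name__ == "__main__":
    for label in unsigned_segments(SAMPLES):
        print("no MD5 signature option:", label)
```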
ID 223542 You cannot simply change the speed of an existing interface in a trunk. You must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it.
ID 223634 If you are in the tmsh utility, you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run util bigpipe arp <args...> at the tmsh command line.
ID 223651 An SSH File Transfer Protocol (SFTP) client may emit an error message containing "Received message too long" when the user is unprivileged and may not use SFTP.
ID 223720 If you restart the mcpd process and try to create a FIPS key, the operation occasionally fails with the message "Key generation failed: error 11 - Would overwrite file". To work around this, restart mcpd and try the operation again.
ID 223724 On a system using Packet Velocity application-specific integrated circuit (ASIC) version 2 (PVA2) and version 10 (PVA10), specifically the 3400, 6400, 6800, 8400, and 8800 platforms, if you configure an inband monitor on a virtual server configured for FastL4 traffic, the Traffic Management Microkernel (TMM) never receives the traffic necessary to mark pool members up or down. You can work around this issue by setting Fast L4 Profile option PVA Acceleration to Assisted on these platforms.
ID 223796 When an SFP is not inserted in a VIPRION interface socket, the interface status should show "MS" (missing); instead, the interface status might show "DN" (down).
ID 223830 It is possible that with increased throughput, SNMP stats might report lower TMM CPU usage values than top.
ID 223885 The hash persist profile was extended in 10.0 with new options, but is no longer supported in combination with FastL4 virtuals. The workaround is to use universal persist instead. You can also use the TCP or UDP profile instead of FastL4.
ID 223890 In v10.0, LB-related ratio values of up to 65535 were allowed in configs and via iControl. Currently, validation prevents any value greater than 100.
ID 223954 The system does not include the .tmshrc file in a ConfigSync operation. That means that each unit in a high availability configuration might have a different set of remote users. You can manually sync the files by using a utility to copy the file from one system to the others.
ID 223959 A BIG-IP system has limits to the number of objects that may be configured when the configuration contains virtual servers for which Packet Velocity ASIC (PVA) acceleration is required. If more than the specified maximum number of objects is configured, virtual servers that otherwise qualify for PVA acceleration are demoted to wire mode (no PVA acceleration). For more information about the maximum number of objects allowed for the PVA, refer to SOL11038: Configuration sizing and PVA acceleration.
ID 223961 You can create an external monitor that references an executable in the /usr/share/monitors directory. On a VIPRION system, when the system attempts to validate the monitor on a secondary blade (for example, when the primary blade loads a secondary blade), the system posts an error message similar to the following:
    emerg mcpd[2822]: 0107094e:0: File cache: fatal error (can't create backup file for (/usr/bin/monitors/builtins/SYSLOG_monitor), Read-only file system) (FileCache.cpp:1523)
For the monitor to function properly and to prevent this error on VIPRION systems, copy any executable used by an external monitor to the /config/monitors directory.
ID 224069 Hardware accelerated flows are timed out by software if there is no activity observed during a configurable period, which was recommended to be 60 seconds in a previous solution. In the worst case scenario, BIG-IP software probably can't receive flow status reports for both hardware flows in less than 88 seconds. Therefore, it is recommended to use 90 seconds as the configuration value.
ID 224073 Floating route domain self IP addresses do not respond to ping utility commands from the Linux host. If you need to access floating IP addresses using the ping utility, use an external source.
ID 224142 There is a pause negotiation mismatch in a trunk containing a mix of fiber and copper. To work around this issue, do not mix fiber and copper in the same trunk.
ID 224195 The system does not prevent you from deleting a self IP address that an EtherIP tunnel uses, or from creating an EtherIP tunnel using nonexistent IP addresses. Doing so, however, results in an inoperable tunnel. To ensure that an EtherIP tunnel operates as expected, do not delete any of the self IP addresses that are associated with VLAN "wan" and specified in the EtherIP tunnel object.
ID 224294 SASP monitor validates timeout and interval although these values are not used by the monitor.
ID 224313 The system does not support state mirroring with overlapping IP addresses. If you configure connection mirroring using route domain-compatible state mirror IP addresses, the system does not mirror the connections.
ID 224372 When you are connected using the serial console to a multi-drive platform, you might see messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in /var/log/kern.log file. These messages appear during the time a drive is rebuilding, and you can safely ignore them. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH.
ID 224402 When you specify a custom ConfigSync user (that is, an account other than admin), if you have specified a maximum number of password failures, the ConfigSync account is subject to the password lockout after the specified number of failures. To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out.
ID 224406 The dashboard cannot handle numbers that exceed 32 bits. If a statistic goes above that number, dashboard values will be incorrect.
ID 224520 The bcm56xxd service's small form-factor pluggable (SFP) plug_check mechanism (for example, bs_i2c_sfp_plug_check()) looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) because the check does not look at pluggable media type changes. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module.
ID 224665 VLAN groups are partitionable objects, so that a VLAN group created in one partition cannot be modified in another partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so results in issues for VLAN groups, so you should not attempt such a configuration.
ID 224680 When you use the Wireshark program to view a packet from an EtherIP tunnel, the Wireshark program displays the EtherIP version as 0 rather than 3, as it should. This occurs because Wireshark evaluates the version based on the bottom four bits rather than the top. The Linux EtherIP implementation follows the same format used by coding developer David Kushi, which is correct according to RFC 3378 - EtherIP: Tunneling Ethernet Frames in IP Datagrams.
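For ID 224680: the two readings of the EtherIP version field, side by side, with a parser that validates the 16-bit header as RFC 3378 lays it out (4-bit version of 3 in the top bits, 12 reserved bits of zero). This Python is an added example, not F5 or Wireshark code; the function names and the sample datagram are constructed for illustration.

```python
import struct

ETHERIP_VERSION = 3        # RFC 3378: the version field MUST be 3
ETHERIP_HEADER_LEN = 2     # 4-bit version followed by a 12-bit reserved field
ETHERNET_HEADER_LEN = 14   # destination MAC + source MAC + EtherType


class EtherIPError(ValueError):
    """Raised when a payload is not a well-formed EtherIP datagram."""


def version_top_nibble(payload):
    """RFC 3378 reading: the version is the top four bits of the first octet."""
    return payload[0] >> 4


def version_bottom_nibble(payload):
    """The reading described in ID 224680: the bottom four bits of the first octet."""
    return payload[0] & 0x0F


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_etherip(payload):
    """Parse the payload of an IP protocol 97 datagram into its Ethernet frame."""
    if len(payload) < ETHERIP_HEADER_LEN + ETHERNET_HEADER_LEN:
        raise EtherIPError("payload too short for EtherIP plus Ethernet headers")
    (word,) = struct.unpack("!H", payload[:ETHERIP_HEADER_LEN])
    version, reserved = word >> 12, word & 0x0FFF
    if version != ETHERIP_VERSION:
        raise EtherIPError(f"unexpected EtherIP version {version}")
    if reserved != 0:
        raise EtherIPError(f"reserved bits not zero: 0x{reserved:03x}")
    frame = payload[ETHERIP_HEADER_LEN:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {
        "version": version,
        "dst": format_mac(frame[0:6]),
        "src": format_mac(frame[6:12]),
        "ethertype": ethertype,
        "frame": frame,
    }


# Constructed sample: header 0x3000, then an Ethernet frame with a dummy
# 20-byte IPv4 payload (locally administered MAC addresses).
SAMPLE_FRAME = (bytes.fromhex("020000000002" "020000000001" "0800")
                + b"\x45" + b"\x00" * 19)
SAMPLE_PAYLOAD = b"\x30\x00" + SAMPLE_FRAME

if __name__ == "__main__":
    print("top nibble   :", version_top_nibble(SAMPLE_PAYLOAD))
    print("bottom nibble:", version_bottom_nibble(SAMPLE_PAYLOAD))
    print(parse_etherip(SAMPLE_PAYLOAD))
```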
ID 224698 Plugin-initiated connections do not use a SNAT pool, if configured (formerly CR 137381).
ID 224881 On AOM-equipped platforms, changing the management IP via the front-panel LCD multiple times might result in fields on the LCD being displayed with a value of 0.0.0.0. The correct values will be displayed after a system restart.
ID 225242 The nodes are not marked up until after the timeout has elapsed for default UDP monitors.
ID 225358 Both units probe both gateway fail-safe pools regardless of their unit IDs.
ID 225417 The installer allows you to install version 9.x software onto 8950 (D107) or 11050 (E102) platforms; however, version 9.x software does not support the 8950 or 11050 platform. Installing 9.x software onto 8950 or 11050 platforms might result in a nonfunctional system, so do not install version 9.x software onto 8950 or 11050 platforms.
ID 225431 Disabling the LCD display is not persistent across system restarts. This is for diagnostic purposes.
ID 225521 On a partitioned system, if a 9.x installation operation fails or halts for any reason, including being canceled by the customer, subsequent installation operations fail and post the following messages to the liveinstall.log file:
    info: /dev/sda5 is mounted; will not make a filesystem here!
    error: VolumeSet_rebuild_fs(sda, 1) failed
    Terminal error: Failed to install. See log file.
To work around this issue, always reboot the system after a failed installation operation, and then try the operation again. Note that this occurs only with halted version 9.x installation operations. Halted version 10.x installation operations do not exhibit the issue.
ID 225588 Error conditions such as unreachable IP addresses, and unavailable TACACS+/RADIUS services, are not logged to /var/log/ltm for the TACACS+ RADIUS audit forwarding accounting feature.
ID 225851 tmsh does not have a facility for removing "missing" array members. When an array member is physically removed from a system, the serial number will remain on the system, listed as a "missing" disk. If you need to remove this serial number from the list, you will have to use the GUI or the "array" command on the CLI. On the CLI, use array, as follows:
    array --erase <serial number>
The GUI also has the option to remove missing disk serial numbers in System > Disk Management. The missing array member is listed just as it was before, but only the serial number is shown. Remove that from the array just as you would with an installed array disk, and the system forgets that missing serial number.
ID 226564 The LTM Statistics and GTM Statistics dashboard components might perform very slowly and/or cause out of memory errors when used in environments with large configurations (e.g., thousands of LTM and/or GTM objects).
ID 226791 Due to screen limitations, the BIG-IP system LCD cannot display serial numbers larger than 16 characters. To see larger serial numbers, use the GUI or a tmsh command.
ID 226892 With the packet filter enabled and its default action set to discard or reject, IP fragments matching an established connection may be dropped.
ID 226964 Node marked down by a monitor that is waiting for a manual resume mistakenly displays "Enabled" state in its GUI properties while it stays down. In v11.0.0, the workaround is to click the Update button, which truly enables the node.
ID 227272 If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status. To work around this, remove and reseat the fiber SFP module.
ID 227281 When a full-proxy HTTP virtual with ramcache, fallback, and deferred accept configured executes reject command in CLIENT_ACCEPTED event, TMM restarts.
ID 227319 Ramcache configurations which approach the limit of total memory allowed for use by ramcache might cause caching to be disabled for one or more virtual servers.
ID 227358 Using the source port preserve strict option requires special considerations to ensure proper traffic flow and distribution.
ID 227362 When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality.
ID 227368 Connections stall indefinitely beyond their timeout when clients send pipelined HTTP requests to virtual servers with fallback hosts configured, half-closing their connections and triggering a load balancing failure.
ID 227369 Generating a SIGINT or SIGQUIT on the serial console during login causes all services to die and restart. Further, SIGQUIT may cause chmand to get caught in a loop of failed restarts, requiring a host reboot. This was fixed in 9.x and 10.0.x, but that fix had to be reverted in 10.1.0 and after. The issue no longer occurs after the first successful login from the console.
ID 246825 When you click the Clear Performance Data button in any view, the operation clears data for all historical statistics, not just the data for the specific view you are in.
ID 246871 When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. There is no workaround for this issue.
ID 246890 The system does not prevent you from using the command line to delete all volumes, including the active volume. Doing so causes the system to boot into another location. To prevent potential system access problems, do not use the command line to delete the active volume.
ID 246943 In a redundant configuration that has Global Traffic Manager provisioned on only one unit, you must provision Global Traffic Manager on all units. Failure to do so risks Global Traffic Manager becoming unprovisioned or unconfigured after a ConfigSync operation.
ID 246962 The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround for this issue.
ID 246978 When you reboot a system from the serial console, the system reports the following message modprobe: modprobe: Can't locate module tun6to4... during the shutdown sequence. This message is benign, and you can safely ignore it.
ID 246983 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change.
ID 246984 This release supports only network failover for chassis-to-chassis failover on the VIPRION platform. Do not configure hardwired failover using any failover cable included with the VIPRION platform you received.
ID 247011 Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable.
ID 247012 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server.
ID 247076 The BIG-IP 8800 platform supports a maximum of 30,000 monitors in a single configuration. If you create more than 30,000 monitors, the BIG-IP 8800 might halt in a switchboard-failsafe state when you load the configuration.
ID 247094 If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system posts messages such as the following until all systems are running the same version of the software:
    tmm tmm[1917]: 01340001:3: HA Connection with peer 10.60.10.3:1028 established.
There is no workaround for this condition. All units in a redundant system must be running the same version of the software.
ID 247099 After an import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade.
ID 247156 If you deprovision a module, the system does not remove the configuration attributes associated with the module. Some configuration data, such as endpoint attribute definitions for the WAN Optimization Manager, might interfere with Local Traffic Manager tunnel operations. In this case, when the definitions for endpoint advertised route, endpoint local, and endpoint remote remain in the configuration after deprovisioning WAN Optimization Manager, the Local Traffic Manager tunnel resets connections that were established when you had the module provisioned. As a workaround, remove the definitions from the bigip.conf files on both BIG-IP systems.
ID 247200 When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. These messages are benign, and you can safely ignore them.
ID 247216 The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. As a workaround, you can click the Launch button to view the full text.
ID 247241 Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file:
    Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms)
The workaround is to create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production to prevent the potential failure from affecting live traffic.
ID 247247 In the browser-based Configuration utility, if you try to set the provisioning level to Dedicated on a module when another module already has the Dedicated provisioning level, the system allows the change and sets the provisioning level to None on all other modules. When you use the command line for the same operation, the system presents an error: When a Dedicated provision level is set, all other module's provision levels must be set to None. To accomplish the change, you can use the Configuration utility, or you can use the command line to set the provisioning level to None for all other modules, and then set the Dedicated provisioning level on the module you want to configure. To do so, use the tmsh utility to issue the following commands (substituting your module names for <module-A> and <module-B>):
    (tmos)# create transaction
    [batch mode](tmos)# modify sys provision <module-A> level dedicated
    [batch mode](tmos)# modify sys provision <module-B> level none
    [batch mode](tmos)# submit transaction
ID 247300 You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher, as it can result in a handshake failure.
ID 247310 There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record.
ID 247709 When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example:
    err httpd[6246]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0
    err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket)
    warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!?
    warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377)
    err httpd[6379]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0
    warning httpd[3064]: [warn] long lost child came home! (pid 6239)
These messages occur primarily as a result of the process restart, and you can safely ignore them.
ID 247727 When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, all properties become custom; that is, profile properties no longer inherit parent settings. The workaround is to use the tmsh utility's create and modify commands. When you do so, the system preserves the profile's properties inheritance.
ID 247742 Using an iRule command that suspends operation (for example, after, table, and persist), in a NAME_RESOLVED event causes the iRule to never resume. The workaround is to use the RESOLV::lookup command that suspends operation until resolution, and then returns the lookup result inline.
ID 247894 iRule substr function is not able to use a string with a number in it as a terminating string. Instead it converts that string to integer and mistakenly uses it as a substring length.
ID 247909 You might encounter an issue in which the NTP servers do not sync after a system reboot. You can recognize this by running the command ntpq -p to determine whether some of the NTP servers continue to have a refid of .INIT. You might find the issue more pronounced on the VIPRION platform because every blade is an NTP peer of every other blade. (Note that a refid of .INIT is normal for any system with no defined NTP server. F5 strongly recommends defining an NTP server.) This appears to occur only on networks accessible through VLANs, and does not occur with NTP servers serviced by the management port. The issue can be particularly problematic for IPv6 addresses because the system caches the unreachable destination information. To work around the issue, when tmm is up and servicing traffic, run the command bigstart restart ntpd to restart the ntpd process.
ID 247918 TMM might crash if you run the commands b import default or tmsh load sys config default on a BIG-IP system with dynamic routing configured and active. Removal of a self-IP address on a VLAN with dynamic routing peers also might trigger the same problem. The system indicates the problem by presenting TMM panic messages containing the following text: Assertion "link route present" failed. In order to avoid the problem, do not run the commands b import default or tmsh load sys config default if dynamic routing is configured and active on the BIG-IP system, and do not remove self-IP addresses on VLANs with dynamic routing peers.
ID 248489 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user.
ID 248550 For a group name that contains spaces, the LDAP valid_group attribute is not properly escaped with square brackets (formerly CR 88837-1). The workaround is to not use spaces in valid groups.
ID 248750 Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.
ID 248932 Occasionally, a system restart might result in the system posting to the console messages of the following type:
    sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008".
    sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008".
These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users.
ID 248958 Running the tmsh or bigpipe command persist show on a cluster might return incomplete results in certain avoidable situations. To ensure complete results, leave the tmsh or bigpipe shell read partition set to "all", and log on as a user who is authorized to view all partitions.
ID 249083 Address wildcard virtual server has to be deleted and re-created when changed from IPv6 to IPv4. Without the intervening deletion, neither IPv6 nor IPv4 traffic matches the virtual. It works as expected when changing from IPv4 to IPv6 (formerly CR 98831).
ID 249311 (CR118392, CR118496) If you initialize the Federal Information Processing Standards (FIPS) card and convert non-FIPS keys to FIPS keys, you must restart the tmm process before the system starts using the keys. Assuming you have an SSL profile that uses the newly converted FIPS key, here is the command sequence to run:
    fipsutil -f init
    convert non fips key to fips
    b load
If you try to run the system without restarting the tmm process, the system issues the following errors:
    01260009:7: Connection error: ssl_hs_vfy_pms:2128: invalid pre-master secret (80)
    Connection error: ssl_basic_rx:232: mac miscompare (20)
ID 283445 (CR98760) When you convert an encrypted key to a Federal Information Processing Standards (FIPS) key, the system presents the error "Unsupported key size", and does not perform the conversion. To perform a successful conversion in this case, you must use the command-line utility to decrypt the key, and then convert the key to a FIPS-type key.
ID 284910 Once you configure the BIG-IP system to use the base FastHTTP profile, the profile continues to prime server-side connections, even if there are no virtual servers currently configured to use the FastHTTP profile.
ID 285008 If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.
ID 291260 If you are viewing a statistics screen, the user session logged in to the system does not time out as it does when viewing other screens. If you need to maintain the regular timeout interval for logged in users, then navigate away from a statistics screen.
ID 291272 If you attempt to mirror virtual servers that have RAM Cache enabled, depending on the cache state, the system leaks the connection on the standby unit when the connection is closed on the active unit.
ID 291327 Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain.
ID 291373 The small form-factor pluggable (SFP) ports on BIG-IP 8900 platforms are 10Gbps-only ports. On a BIG-IP 8900 platform, an SFP plus can operate at 1Gbps speed in an SFP slot, but SFP modules do not operate at 1Gbps speeds in an SFP plus slot. This is a hardware constraint.
ID 291541 If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.
ID 291689 "When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. In this release, you must use the following process to accomplish this. 1. Create a pool that uses the Weighted Least Connections (Node) load balancing method. 2. Explicitly create the node entries for the pool members on the Local Traffic Nodes Node List (create) screen. 3. For each node, specify a value other than 0 (zero) in the Connection Limit box. 4. Return to the pool configuration screen by clicking its link in the Local Traffic Pools Pool List. 5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step. If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error."
ID 291704 If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. The workaround is to run the following command from the command line: bigstart restart bcm56xxd
ID 291719 When the Configuration Utility restarts, the system writes the following messages to catalina.out:
log4j:ERROR A "org.apache.log4j.ConsoleAppender" object is not assignable to a "org.apache.log4j.Appender" variable.
log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
log4j:ERROR [org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type
log4j:ERROR "org.apache.log4j.ConsoleAppender" was loaded by [WebappClassLoader
These messages are benign, and you can safely ignore them.
ID 291723 At system startup, you might see messages similar to the following:
mdadm: Unrecognised md component device - /dev/mapper/vg--db--sda-mdm.app.wom.dat.datastor
mdadm: Unrecognised md component device - /dev/mapper/vg--db--sdb-mdm.app.wom.dat.datastor
This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. No adverse result occurs, and you can safely ignore these messages.
ID 291742 In the ltm.log file, you might see mcpd warning messages similar to the following:
warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually.
When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them.
ID 291756 On a multi-drive system, if the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. This is a cosmetic issue only, and has no effect on functionality.
ID 291761 When you complete a new installation, the Firefox browser may not recognize the SSL certificate. When this occurs, the browser-based Configuration utility posts the message Please wait while this BIG-IP device reboots, shutting down device. This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. The issue happens only when doing a fresh install. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system.
ID 291767 The version of the image2disk utility that shipped with version 9.4.5 does not support the --format option. You can install a new version of the image2disk utility from a version 10.x ISO. First, to uninstall the version of the utility that shipped with 9.4.5, run the command rpm -e tm_install-2-1.0.96.0. The command removes the utility, but posts no message at completion. Then, to install a new version of the utility, run the command im /var/tmp/<iso_file>. For more information, see SOL10702: The image2disk utility that shipped with BIG-IP version 9.4.5 does not support the --format option.
ID 291768 If you create VLANs in an administrative partition other than Common, but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0. If you later change the default route domain of that partition, the VLAN stays in its existing route domain, unless the VLAN has a self IP address or virtual IP address assigned to it. In that case, the VLAN moves to the new default route domain.
ID 291776 You might see an intermittent blank top banner in the browser-based configuration utility after an upgrade or installation operation. This might be especially likely when you use Microsoft Internet Explorer version 7 on a VIPRION system, and you leave the browser window open between the end of installation and the completion of the reboot operation. In this case, when you log on, the top banner is blank. You can use the browser refresh operation (F5 or Ctrl + F5) to redisplay the banner correctly.
ID 291777 The software does not support running small form-factor pluggable (SFP)+ on SFP ports on VIPRION systems that contain PB100 blades, even if the ports are running at 1 GB. Although the system does not prevent you from doing so, and you might find such a configuration functional, we do not support nor recommend running in this configuration.
ID 291782 Running the tmsh load sys config operation (on version 11.0.0 and 11.1.0), or b load (on version 10.x), fails when pool members are configured with port numbers 63, 66, 172, 211, 564, and 629. In version 11.2.0, although the tmsh load operation completes for such configurations, the command "tmsh list ltm pool members" fails. The workaround is to use numbers other than these for pool member port configuration. If you want to use those ports, you can disable the utility from converting service names by running the command "tmsh modify sys db bigpipe.displayservicenames value false" (on version 11.x), or "bigpipe db bigpipe.displayservicenames false" (on version 10.x).
ID 291784 If you set the import save value to 1 and import a single configuration file (SCF), the import operation halts and does not resume. To work around this issue, set the import save value to 2 or more.
ID 291786 When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. To work around this issue, change the default to a different domain before the delete operation.
ID 291788 Certain packet-size related events can result in messages similar to the following:
crit tmm4[5689]: 01010025:2: Device error: hsb internal error PIM_RX_PORT_0_ERRS address 0x0000103c status 0x004e0100
These messages are benign, and you can safely ignore them.
ID 305069 Using the COMPRESS::disable call in an HTTP_REQUEST event in an iRule does not work. As a workaround, use the COMPRESS::disable call in an HTTP_RESPONSE event instead.
ID 305091 You can create duplicate virtual servers with the same address space that are enabled on different VLANs in the same partition. However, you cannot create duplicate virtual servers with the same address space enabled on different VLANs if the VLANs are in different partitions.
ID 305096 When using the vi editor to edit files on the BIG-IP 6900, you might have to enter as many as three escapes to return to command mode from insert mode.
ID 305319 SNMP queries for ltmUserStatProfileStat values do not return accurate values for user stat profile fields. Instead, the system returns a 0 (zero) or a negative number as the value. There is no workaround for this issue.
ID 305320 Thumb drive installation fails when the drive contains two product installation images. To work around this issue, use thumb drives that contain only one image for installation.
ID 305380 If you initialize the Federal Information Processing Standards (FIPS) card and convert non-FIPS keys to FIPS keys, you must reload the configuration (using the tmsh load command) or restart the tmm process (using the bigstart restart command) before the system starts using the keys. Assuming you have an SSL profile that uses the newly converted FIPS key and you plan to reload the configuration, here is the command sequence to run:
fipsutil -f init
convert non fips key to fips
load /sys
If you try to run the system without reloading the configuration or restarting the tmm process, the system issues the following errors:
01260009:7: Connection error: ssl_hs_vfy_pms:2128: invalid pre-master secret (80)
Connection error: ssl_basic_rx:232: mac miscompare (20)
ID 307982 Which platform you are using determines how the system calculates the hash to distribute packets to the trunk. On the VIPRION platform, the BIG-IP 6900, and the BIG-IP 8900, the system includes the port in the hash. On the other systems, the system calculates the hash using only the IP address. So when you specify source/destination IP address for the trunk distribution command, if the platform is one of the ones listed previously, the system creates the hash from the source/destination IP address and the TCP/UDP port. Otherwise, the system creates the hash from the source/destination IP address only.
ID 315650 In order to change the baud rate when you are using a serial terminal console server on the VIPRION platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system.
1. On each blade in the system, run the following command: bigpipe baud rate <your_baud_rate_value> Make sure to complete this change on all blades in the system before proceeding to step 2.
2. Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed.
3. Finally, change the baud rate of your serial terminal server. The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information.
ID 315763 When the pvad service queries a very large number of objects (for example, 2000 nodes), the pvad service might use as much as 27% of CPU. This condition is intermittent, and might have other requisites. There is no workaround.
ID 317544 After installing, you might see a message similar to the following in the ltm log file:
Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7
This message is benign, and you can safely ignore it.
ID 323632 When you delete an interface that is configured for interface mirroring, the system halts mirroring on all other configured interfaces. To work around this issue, when you delete an interface-mirroring configuration, recreate the configuration using all interfaces. As an alternative, after deleting an interface, save the configuration and issue the command bigstart restart.
ID 324960 big3d daemon on Services screen (CR134045): The big3d daemon appears on the Services screen of the BIG-IP Configuration utility even though the daemon is not installed on the system.
ID 326906 When you swap a blade to the same slot in a different VIPRION chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of.
ID 333357 On first boot after initial installation on VIPRION systems, occasionally the system needs to reboot. In these cases, during the shutdown preceding reboot, you may see warnings from bigstart about getdb failing. In this context, these messages are harmless and may be ignored.
ID 335619 Occasionally during system startup, you might see an error message similar to the following: err : Could not make connection with MCP, err 16908360 The error is benign, and you can safely ignore it.
ID 336885 There is a memory leak that affects Firefox 3.6 but not Internet Explorer 8. The leak occurs because of an interaction between the dashboard and the web browser. The workaround is to use Internet Explorer to view the dashboard. If running the dashboard for a long time, use Internet Explorer instead of Firefox.
ID 336986 If a hard drive is in the process of replicating and an install to a non-existent volume set is started, the array status for the replicating drive will transition to "failed" while the volume sets are created. They are created at the very beginning of the installation, so this failed status should last no more than 1 minute. After the volume set is created, the status will go back to "replicating", as expected.
ID 337222 When creating an IP-based datagroup/class, any route domain information that is specified as part of the datagroup entries will be ignored by the iRule class, matchclass and findclass commands.
ID 337774 When you tab-complete the command "tmsh show sys raid bay", the results show eight bays. This only affects platforms in the Apollo family, which have 4 bays.
ID 338390 If a user creates a new monitor ("inherits") from an existing user-created monitor on the system, then the enable/disable values will not inherit properly. All of the binary values will be set to disable despite user command-line input for the creation of the item. A user may modify the values after creation with no errors.
ID 338426 Clusterd can core on shutdown under certain circumstances, seen only so far with vCMP. It only happens when clusterd is shutting down, after it has taken care of all notifications to other system components, so the core can be safely ignored.
ID 338450 On VIPRION blades, the BIG-IP system might log error messages about kernel-owned interfaces similar to the following messages (these are innocuous and can be ignored):
slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc error: MiiNic: failed to send cmd to driver: readPseMii ioctl on: eth2Phy & Reg:1e:1a returns:Invalid argument
slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc error: MiiNic: failed to send cmd to driver: getStatusReg: timeout wait for result
ID 338799 If a pool has all members down/disabled but is enabled itself, it shows up as green with the error message "The children pool members(s) might be disabled." There is no workaround for this issue.
ID 341928 A CMP redirected looped virtual (i.e., VIP targeting VIP on a different cluster node) can crash TMM.
ID 342319 The parameters "recursion yes" and "forward only" are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file, http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html.
ID 342325 If username and password have not been configured for a RADIUS accounting monitor, it will try to connect with a <NULL> username-password.
ID 342423 The statsd process computes the value for system-wide CPU usage using a formula: process "A" CPU usage divided by the number of CPUs on the chassis. Assuming a chassis is fully populated with PUMA I blades, the average is divided by 16. If a blade drops out, the number of CPUs is now 12, so while that blade is out of circulation, the data is divided by 12. However, even for the 5-second window, it is possible that the average might be calculated incorrectly.
Example: From time1 to time4, there are 16 CPUs on the box, and processA is using 96% of its CPU. At time5, one of the blades drops out. The calculation to compute CPU and system usage happens at this time. Before the blade dropped out, the system-wide average was 96/16 = 6. When the blade drops out, the system-wide average is 96/12 = 8. That is a small difference. Although blades going down should not happen often, when it does happen, it is only the first 5-second system-wide average that is affected. The next average will be correct.
ID 342670 Some disk management interfaces show the shelves with letters and some use numbers. For now, shelf 1 == a and shelf 2 == b between interfaces.
ID 344226 Trying to create a CRLDP server using a name that already exists fails with the message "An error has occurred while trying to process your request." A more accurate message is "The requested CRLDP server (<crldp_server_name>) already exists in <partition_name>.".
ID 344698 The provisioning level for vCMP should only be set to "dedicated" or to "none". Other levels are not supported and might not work.
ID 345092 When a RAID system is booting, the system posts the message: Press <CTRL-I> to enter Configuration Utility... However, pressing Ctrl+I has no effect. It is not possible to enter the Configuration utility this way. This is a hardware constraint. Instead, you can configure RAID parameters through TMOS.
ID 345529 The BIG-IP Configuration utility may incorrectly allow you to assign certain health monitors to pools while their pool members are configured with a wildcard service port. To work around this issue, make sure to specify an Alias Port on a monitor when it needs to probe a specific service port on wildcard pool members. For more information, see SOL12400 at http://support.f5.com/kb/en-us/solutions/public/12000/400/sol12400.html.
ID 347073 Configuration changes to objects are not immediately reflected in the LTM Statistics and GTM Statistics widgets in the dashboard. To work around this issue, relaunch the dashboard.
ID 348214 The openssl s_client command defaults to secure renegotiation. To support servers unpatched for secure renegotiation, use the -legacy_renegotiation option instead.
ID 348502 It is highly recommended to only use tmsh commands or iControl to delete vdisks. Deleting or renaming a vdisk from the file system (e.g., using bash) will not be detected by vcmpd and can lead to unexpected behavior if the system later attempts to use that vdisk.
ID 348503 WMI monitor reports "not found" for LoadPercentage, CurrentConnection, GETRequestsPerSec, and POSTRequestsPerSec when probing IIS 7.5 on Windows 7.
ID 349062 In this release, we removed the SSL peer certification mode "auto" from all BIG-IP interfaces. The upgrade script contains logic to change "auto" to "ignore" in configuration files. However, we have not made a similar conversion for iRules because it is our policy not to alter iRules during upgrade. If you have iRules that use SSL peer certification mode "auto", you must change them to use "ignore". Otherwise, they will not work. There is no functional change incurred by doing so.
ID 349242 The load balancing method 'Ratio Least Connections (node)' does not perform correctly with 'Performance (Layer 4)' virtuals.
ID 349340 Hotfix installation and formatting for volumes: You cannot simultaneously move to logical volume management (LVM) and install a hotfix. If you run the image2disk command with both the --hotfix and --format=volumes options, the system completes the hotfix installation, but does not format the drives. To work around this issue, format the system for volumes first, and then install the hotfix update.
ID 349753 An empty sub-folder, even after saving, might not properly load during the tmsh command "load sys config partitions all". If you delete an empty folder and then load the sys config, please create the folder again.
ID 350109 It is strongly recommended to remove the "dont-insert-empty-fragments" option from the SSL profiles when enabling Proxy SSL. This is done automatically when creating a profile through the GUI, but might require a manual step when the profile is created from the command-line interface.
ID 350249 Only 8 TMMs are shown with "tmstat cpu" on platforms which have more than 8 CPUs.
ID 351519 The configuration files used by pam and tamd are changing names between 10.2.x and this release. The files are currently being saved and then restored on upgrade, and in addition, the new files are being created when the associated mcp objects are created, which results in both the old and new versions of the files being present after upgrade.
ID 351650 On 11000 platforms with SSD drives, the LCD incorrectly shows the SSD drives in bay 3 and 4 as part of its RAID status. As the SSDs are not part of RAID, they display a status of "Unknown" or "Undefined" for the SSD sled bays 3 and 4. A more accurate status is "Not part of RAID."
ID 351874 When importing an ISO image into the Software Management screens in the Configuration utility, some browsers (for example, Microsoft Internet Explorer and Google Chrome) show /fakepath/ instead of the actual file path. This is expected behavior for HTML5-compatible browsers. You can work around this by adding the site to Trusted Sites. In addition, in Internet Explorer, you can set the option "Include local directory path when uploading files to a server" under Internet Explorer :: Tools :: Internet Option :: Security :: Custom properties.
ID 351934 Booting with SSD installed, you will be able to see the SSD sled activity light blinking while the other spinning media sleds do not. This is normal.
ID 352560 SplitSSL is incompatible with persistence profiles.
ID 352840 When using partition default route domains, an attempt to load a previously saved configuration which had a different default route domain on a VIPRION may result in the secondary daemons restarting. To work around this, load the default configuration before loading a config that has a different default route domain on any partition.
ID 352848 If an HTTP client sends a request with a body, and there is a pipelined request following it, and there is an iRule performing an HTTP::collect, then the HTTP::payload command may include data from the following request(s).
ID 352925 Updating a suspended iRule assigned via profile causes the TMM process to restart when trying to return to the suspended iRule. To work around this, assign the iRule to the virtual server instead of assigning it to the profile.
ID 352957 Established flows via virtual servers with iRules using the "node <addr>" command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail (due to mis-routing of packets) after a route table change, even if the change does not affect any of the addresses used in the flow. New flows established after the route table change will work as expected. There is no workaround for the problem.
ID 353101 SQL monitor hangs with <NULL> receive string. The workaround is to substitute the probable <NULL> receive strings by <substitute-value> strings using constructs such as: ifnull(<column-name>, <substitute-value>).
ID 353154 Creating an instance of an ltcfg object from iControl might fail with a field validation error. The workaround is to create the new class instance using a transaction.
ID 353249 LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected on PVA platforms, when using FastL4 profile with PVA in 'Assisted' mode.
ID 353621 You can get an error from tmsh when adding a device to the trust-domain that says the device cannot be found: "The requested device (10.10.20.30) was not found." This error actually indicates the "name" parameter was not specified in the command.
ID 353623 In SNMP, the average MaxConns in sysGlobalStat always reports 0: F5-BIGIP-SYSTEM-MIB::sysStat{Client,Server}MaxConns{5s,1m,5m}.0
ID 353686 You cannot delete devices from the trust-domain using their IP addresses, even though that is how they are added. You need to use the device object name to delete devices from the trust-domain.
ID 353812 There is no way to show/modify the global VLAN Group Proxy Exclusion List via tmsh. If you have config objects named "all", you must rename them before upgrade.
ID 353853 On the VIPRION platform, clusterd sometimes erroneously reports "Error adding cluster mgmt addr, HAL error 7". If the operation of a unit that has given this error is in question, check the IP addresses on each blade to verify that the floating cluster management address appears on only one interface of one blade. The workaround is to restart clusterd on the errant blade or change the floating management IP address temporarily.
ID 354149 The tmsh tab complete feature incorrectly adds a space to the command line when finishing a folder name for property items inside a single command.
ID 354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart tmm.
ID 354518 The VIPRION 2400 has an RJ45-type connector for the Console port. Part of the updated functionality of the Always-On Management (AOM) serial port includes auto-baud, meaning that when you connect a cable to the Console port and issue a break from the keyboard, the system enables scrolling through baud rates using the return key. If you accidentally plug an active Ethernet cable (that is, a cable carrying network traffic rather than serial terminal data) into the Console port, when you power up the blade, the auto-baud functionality might engage, even though the cable is not connected to a valid serial terminal. This occurs because, depending on the traffic on the cable, network communications can simulate the effect of issuing a break, which initiates auto-baud. If you are already in this condition, after you remove the Ethernet cable and connect a valid serial cable, you will likely see garbled content on the serial terminal until you reset the AOM serial port's baud rate to match the terminal's baud rate.
To synchronize AOM and terminal baud rates:
1. Issue a break (using the <BREAK> key on the keyboard).
2. Press return to have AOM cycle through the supported baud rates (115200, 57600, 38400, 19200, and 9600).
3. When the baud rates are synchronized, the following prompt appears --- Press <ESC>( for AOM Command Menu. You can then press Esc ( to access the AOM Command Menu.
ID 354972 In some cases, tmsh will not properly recognize hostnames as an item reference for commands. Use IP addresses instead of hostnames when creating addresses with tmsh in this release.
ID 354993 When loading a UCS, the following message may appear in the ltm log:
debug bigd[3980]: External program not found in monitor /Common/external @528, file conv_to_service.cpp
This message is benign and it can be ignored.
ID 355299 PVA acceleration can be configured on a platform without a physical Packet Velocity ASIC present. The setting has no actual effect and is harmless.
ID 355564 The error message "The requested unknown (/Common/traffic-group-1 /Common/bigip1) was not found." might appear in the log during startup. This message does not indicate a problem, and can be ignored in this situation.
ID 355616 ltm virtual-address objects are only shown in tmsh list output when specifically requested, as in "list ltm virtual-address", not in commands such as "list ltm".
ID 355622 tmsh "list" output most commonly shows only user-specified settings, unless the "all-properties" argument is given, in which case both default and user-configured settings are shown. In this release, some default settings are shown in the "list" output, even when "all-properties" was not requested.
ID 355973 Some file object names cannot start with numeric characters.
ID 356069 If no route to the client exists and tmm uses autolasthop to direct return traffic to the client, FTP or RTSP data connections might fail. To work around this issue, add a viable route to FTP and RTSP client addresses.
ID 356073 Every part of the iApp template's presentation section is run every time, even the hidden parts. This means that anything that might crash (if something isn't provisioned) needs to be enclosed in a TCL block that is protected with a catch.
ID 356147 Version 11.0 added a new setting to the persistence profile for controlling the proxy map settings (proxy map class, mask, and mapped address attributes). However, TMUI support was not added for those. So, if you set them on a persistence profile using tmsh or iControl, the TMUI might unset them when viewing that profile.
ID 356319 You cannot reset the management port statistics (those that appear under Network: Interfaces: Statistics). The system does not report an error, but also does not reset statistics.
ID 356340 Additional virtual servers can be added to an AVR profile that is owned by an iApps Application Service even if strict-updates are enabled for the application. This may allow inadvertent changes that may affect the functionality of the application. These changes may be overwritten the next time the application is updated.
ID 356611 You can invoke imish (the shell for configuring dynamic routing) from tmsh. When you subsequently press Ctrl + Z, sshd and imishd start consuming CPU until the imish shell times out. This occurs when tmsh is not the login shell. If the system is already in this state, run the fg command, and then exit imish.
ID 356705 After completing the setup wizard in the Configuration utility, the user is redirected to the Welcome screen. The menu at left should also change from the restricted setup menu to the full menu, but occasionally it does not. In this case, the workaround is to log out/in or refresh the browser.
ID 356804 There is a new way of handling files with external data group definitions: before assigning it to external class, a file must be imported using System :: File Management :: Data Group File List. For example, to import an iRule file and use it:
1. Go to System :: File Management :: Data Group File List.
2. Click Import.
3. Specify the file you want to use, or use Browse to find it.
4. Click Import.
5. Go to Local Traffic :: iRules :: Data Group List.
6. Click Create.
7. In Name, type the name of the file.
8. From the Type list, select (External File).
9. Click Finished.
ID 356938 Special characters (such as the Yen sign) in data group names generate garbage characters. Do not use special characters of this type for data groups.
ID 357262 As a workaround, reqlog now closes the connection whenever it serves an http response on logging error. Ideally, it would keep the connection open when the protocol is HTTP 1.1 or higher.
ID 357283 If creating a new device group out of devices that have pre-existing config objects, the GUI will inaccurately report that the device group is "in sync". To work around this, either make a configuration change to the device group, or force a config-sync by issuing the following command in the tmsh shell from device 'foo':
modify cm device-group [device group name] devices modify { foo { set-sync-leader } }
ID 357391 The first connection started prior to racoon being initialized fails. You must wait for racoon to initialize before the first traffic is fired/processed. You can determine whether racoon is initialized by looking at /var/log/racoon.log. After configuring IPsec objects, /var/log/racoon.log reports that it has loaded the configuration and there is no error after it in a message similar to the following:
2011-04-27 11:03:35: INFO: Reloading configuration from "/etc/racoon/racoon.conf"
ID 357656 When you use bigstart restart to restart all daemons on a guest, the system logs the message:
Apr 25 15:43:27 slot1/vcmp1 notice chmand[7975]: 012a0005:5: Chmand cleanup: Slot:Led:Color (1:3:0) not succeed: virtual void Hal::NullAnnunSvc::ledSet(Hal::LedFunction&, Hal::LedColor&, uint32_t&, uint32_t&, uint32_t&)
This is a benign message and you can safely ignore it.
ID 357705 Loading the default configuration may cause the system to go offline before resuming the active status.
ID 357822 User can use "delete cm trust-domain all" to create or fix trust-domain when loading a blank or inconsistent SCF.
ID 357852 If a device is part of an established trust-domain but is added into a second, separate trust-domain, the devices in the original trust-domain will still have references to the device. It is recommended that you delete the device from the trust-domain from a certificate authority before adding it to a different trust-domain.
ID 357874 "Creating an overlapping route can cause an unclear configuration exception message, such as: 1. [root@ltm-56:Active] config # tmsh create net route test_route_ipv6 network 2002::1/128 gw 2002::3 2. [root@ltm-56:Active] config # tmsh create net route default-inet6 { gw 2002::1 } 01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -113 (for static route create: ::/0 gw 2002::1 in vlan '') - net/validation/routing.cpp, line 332."
ID 358019 NATs require a translation-address, but the error message does not indicate this. Instead, when you create the NAT, the message posted is: 01020059:3: IP Address :: is invalid, must not be all zeros. To work around this, make sure to include a translation-address.
ID 358063 If you do a "restart sys service all" from tmsh shell, the next command you issue will result in the error message: "The connection to mcpd has been lost, try again."
ID 358099 If two devices have different provisioned modules, then the application with those modules configured in one device might not be able to sync to the other device. The two devices will be out of sync and cannot recover in this situation. For sync to occur correctly, both devices must have the same provisioning.
ID 358191 If the user resets the trust and changes the host name of the device, the other devices in the trust domain still show the unchanged, former host name and show the device as still attached.
ID 358268 The TMUI currently allows the DNS64 Prefix to be up to 128 bits (a full IPv6 address), but actually, a valid prefix is only the first 96 bits. Thus, the last 32 bits (last 2 hex tuples) should be all zeros (e.g., 64:ff9b:0:0:0:0:0:0).
ID 358575 The traditional ConfigSync mechanism has been replaced with a more robust MCP-to-MCP communication mechanism. As a result, UCS files now load the full configuration in all cases, and no longer have the concept or ability to only load the "shared" portion. Loading of UCS files created on a different device is no longer supported.
ID 358615 When modifying failover unicast addresses via tmsh, the user should be aware that all addresses must be specified even if the intention is to remove or add a single address to/from the list. For example, given a device with two existing unicast addresses, this command will replace both addresses with a single address: modify cm device centmgmt1.f5net.com unicast-address { { ip 10.10.10.1 } }
ID 358655 The "No such file or directory" error always shows up around kernel installation, but it does not negatively impact the installation itself.
ID 358685 You might see messages similar to the following when booting the VIPRION 2400. These can be ignored: "PCI: Cannot allocate resource region 2 of device 0000:0a:00.0 PCI: Cannot allocate resource region 2 of device 0000:0a:00.1 PCI: Cannot allocate resource region 2 of device 0000:0c:00.0 PCI: Cannot allocate resource region 2 of device 0000:0c:00.1"
ID 358855 Only the array command makes a drive with a failed SMART self-test visible to an end-user. We have a new feature in this release which automatically checks every new drive for SMART-type errors. If it finds any, the self-test fails and the drive can't be put into service. The results of this test are only seen when viewing the output of the "array" command.
ID 359393 To comply with the FIPS-140 standard, keys cannot be exported from a FIPS card in plain text; they can only be exported by encrypting them with the master key on the FIPS card. If the master key on the FIPS card has changed since the keys were exported, it will not be possible to import the keys back into the card.
ID 359395 Invalid or empty SSL certificates, keys, or CRLs will not be rolled forward on upgrade to v11.0.0.
ID 359491 When a system's hostname is set by the user via the tmsh setting "modify sys global-settings hostname new-hostname.example.com" only the local copy of the self device is set. Remote copies of the hostname are not updated accordingly. Thus, running the command "list cm device name-of-device hostname" would have the hostname "new-hostname.example.com" on the local machine and "old-hostname.example.com" on other machines in the trust domain.
ID 359703 Zone transfers are made via a self-IP due to the global nature of the DNS Express database.
ID 359774 In v11.0.0, pools used in an HA group must be in /Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.0.0 will fail.
ID 359873 LTM-initiated SSL renegotiation will not be attempted when secure renegotiation is configured as required and the peer is unpatched (does not support SSL secure renegotiation). This applies both to configuration-based (e.g., renegotiate-period), as well as iRules-based attempts to renegotiate.
ID 359894 When creating a CLI transaction for the BIG-IP system ("batch commands"), an attempt to create a sys folder and modify that new folder in the same batch will fail. Any iControl app that creates a partition with the Management::Partition interface will need to be rewritten to use the Management::Folder interface.
ID 359978 LTM Throughput statistics might not match when comparing the Dashboard against other interfaces. The Dashboard throughput statistic includes traffic observed on all physical interfaces, layers 2-7. Throughput statistics in other interfaces are based on traffic passing through tmm.
ID 360097 vCMP guest names (and most TMOS configuration object names) must start with a letter, "/" or "_" and thereafter, consist of letters and numbers. They also cannot conflict with keywords and parameters for the command.
ID 360122 The iControl method System.Statistics.reset_all_statistics() does not reset iStats. To work around this, do the following: 1. bigstart stop 2. Remove all files (not directories) in /var/tmstat2 3. bigstart start
ID 360137 After bringing up a BIG-IP newly licensed for Appliance Mode, the in-memory configuration is updated to change any user shell specifications set to bash to tmsh. However, if the configuration is not saved, those changes are lost and subsequent boot of the BIG-IP will fail to load the configuration file bigip_sys.conf. The workaround is to save the configuration after the first boot in Appliance Mode. Save the configuration via either the tmsh /sys save config command or by changing something in the GUI.
ID 360263 In this release, the VIPRION 2400 reports a CPU Count of 8 instead of the expected 4 on the Device Configuration screen in the browser-based Configuration utility. This occurs because the implementation of hyper-threading causes the system to report double the actual number of cores. There is no workaround for this issue.
ID 360477 Converting a single-slot guest in the deployed state to all-slot while the single-slot guest is performing a virtual disk migration will result in a VM booting up on the slot from which the virtual disk is being copied. This VM will use the virtual disk being copied, which can cause file system corruption on the newly copied virtual disk.
ID 360675 Creating a configuration object with a FIPS 140 key will always create a key in the FIPS 140 device even when the configuration objects are not saved. Configuration objects that are not saved will require the user to delete FIPS 140 keys manually from the device. Keys can be deleted manually with "tmsh delete sys crypto fips by-handle". Key handles can be listed with "tmsh show sys crypto fips".
ID 361028 In rare instances the bigpipe interface might show the management port (MGMT) as UP when there is no Ethernet physically connected to the port. The issue can usually be remedied with a blade reboot.
ID 361035 Trust-domain members are overwritten when discovering an existing pair. There is no workaround for this issue.
ID 361036 When the AOM powers down the Host for cause (for example, over temp) it abruptly stops the Host, bypassing a normal graceful power-down sequence. Because of this, some log messages sent from the AOM to the Host might be lost.
ID 361094 The im command gives an error if the im package is in the root directory (formerly CR 100844).
ID 361124 The App Editor role will be able to run any iApps template, but most of the iApps templates will not work for them because of permissions issues.
ID 361148 Under disk management, the hover over SSD lifetime estimate will always show "No remaining life estimate available" on new drives, until an SSD is used enough to have a media wearout value of at least 98% or lower.
ID 361181 A "fipsutil reset" resets the FIPS card and deletes all keys in the card but it does not delete the configuration objects representing those keys. It also does not modify SSL profiles using those keys. This results in the system failing to load the configuration on reboot. An error like this will be generated:
    Jun 6 06:02:30 RackC6-6900-1 notice mcpd[5816]: 01390002:5: The size of the configuration DB has been extended by 2097152 bytes, now using a total of 10485760 bytes
    Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(e1:fb:55...ef:89:b3), FIPS:ERR_HSM_NOT_INITIALIZED.
    Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: fips_insert_masked_object error on import, ERR_HSM_NOT_INITIALIZED.
    Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 01070712:3: Caught configuration exception (0), unable to import FIPS 140 key (/Common/zzFIPSTest) from key file.) - sys/validation/FileObject.cpp, line 4714.
    Jun 6 06:02:32 RackC6-6900-1 err tmsh[6948]: 01420006:3: Loading configuration process failed.
To avoid this situation, delete the FIPS keys and remove the usage from profiles before resetting the FIPS device. If the system gets into the failure condition as shown previously, do the following:
1. Edit the bigip.conf file where the FIPS key is referenced. Delete all occurrences of the key.
2. Delete the key from /config/ssl/ssl.cavfips
3. Find and delete the key from filestore/files_d/<partition-name>/certificate_key_d/
4. Run "tmsh load sys config partitions all" to make sure the config loads.
After this point, the config should load without issue after a reboot.
ID 361315 If you go to the System > Preferences screen and simply click the Update button without editing any values, the system incorrectly posts a Changes pending notice (that is, a recommendation for synchronization). Many values on this screen are not even synchronized across BIG-IP devices.
ID 361318 If you want to turn on connection mirroring in iApps, turn off the strict update. Enable connection mirroring on all virtual servers that belong to the iApp. Then turn the strict update back on.
ID 361470 If a virtual server's destination address is entered into tmsh with invalid IPv4 or IPv6 numbering or a hostname, the error message "The requested virtual address (</PATH/ADDRESS>) was not found." will be displayed.
ID 361758 tmsh will fail to complete the configuration item name for profiles eam, mblb, html, ntlm, pluginclass, rba, sso, and smtp when the user presses <tab>.
ID 361784 To add virtual servers to GTM pools, at minimum the user will need to provide this level of information: modify poolxyz members add {<hostname>:<partition>/<vsname>} (specifying the partition for the hostname is not necessary). NOTE: There is NO autocomplete help for any of this. You will need to do this completely and accurately or risk receiving a message such as: 01070226:3: Pool Member VS9eleven6 references a nonexistent Virtual Server
ID 362225 Disabling connection queuing via "tmsh edit" while connections are queued will cause the queued connections to become stuck. The workaround is to use tmsh modify command instead of edit.
ID 362267 If a user configures network failover on a VIPRION that uses a blade's management address as the unicast address, the other blades will not be able to use this address and will issue an error message. This is correct operation.
ID 362299 You cannot enable/disable virtual servers owned by an application service, with strict updates enabled from the virtual server properties page. A "strict updates" error results. The workaround is to enable/disable the virtual server from virtual server list page.
ID 362405 If a vdisk migration occurs, the original copy is left unchanged on the source slot. The copy will not ever be synchronized with the new vdisk copy on the destination slot. After the migration is successful, the original vdisk can be safely deleted but can also be kept as a valuable backup. However, note that if the guest is once again allocated to the slot containing the old vdisk, then that old vdisk will be used without it first synchronizing with any other vdisk. If that slot is the only one the guest is allocated to, it will boot up with the old software, configuration, and license that existed on the guest at the time the guest was migrated to another slot. If, however, the guest is already deployed on other slots, the guest will use the old vdisk on that slot but will synchronize the software, configuration, and license from the guest's primary slot, per normal clustering behavior.
ID 362406 The "tmsh show sys failover cable" command no longer shows the peer cable status, due to changes in the configsync process.
ID 362874 After upgrading, the following message was posted on the Configuration utility browser window for several hours: "Upgrading Device Trust Device trust is still being upgraded. Please do not make modifications to Device Management or Traffic Groups pages while this message is displayed." This occurs when a device that is configured to be in a redundant pair is upgraded to version 11.0, but its peer device cannot be contacted. The banner indicates that the device is waiting for its peer to be contacted. If the peer device is no longer in use, the following workaround should be used to remove the banner message:
* Set the trust.configupdatedone db variable to "true".
* Set the failover.isredundant db variable to "false".
* Restart devmgmtd.
* Reset trust.
ID 362984 The console displays a message indicating that DHCP can be adjusted on a VIPRION system. Performing this command will have no effect on the configuration.
ID 362985 Displaying the configured syslog server with tmsh might require prepending the /Common/ path.
ID 363214 For any virtual server that is configured with proxy-ssl, if during the handshake, the compression method is negotiated to anything other than NULL (no compression), for example, if client hello offers NULL and DEFLATE and the server accepts DEFLATE, then the SSL handshake does not succeed. To prevent this, the client or server must be configured not to offer/select compression, where possible.
ID 363216 A virtual server might say 'vlans-disabled', but does not include a list of which ones are disabled if that list is empty. For example, this means that the virtual server is disabled for no VLAN entries, which is the default setting: ltm virtual sample_vs { destination any:any profiles { fastL4 { } } vlans-disabled } This is harmless. Use the command "list ltm virtual all-properties" to see the (empty) list of VLAN entries.
ID 363284 The cipher list 'DEFAULT:!NATIVE' is different on v10.2.2 (valid) and v11.0.0 (invalid, empty). This can cause configurations to fail loading on v11.0.0 during the upgrade. This occurs because ciphers "ALL" in the Client SSL profile only includes "NATIVE" ciphers. That means that "COMPAT" must be specified to include "COMPAT" ciphers (e.g., EXP, EDH). As all SSLv2 ciphers are COMPAT ciphers, this also means that "ALL:SSLv2" no longer includes SSLv2 ciphers. Note that this change impacts upgrade. So if your configuration uses COMPAT ciphers, it requires a configuration change (to specifically include COMPAT ciphers) for upgrade to complete successfully.
ID 363309 The max length for a pathed/folderized name is 255 characters.
ID 363332 After removing a device from the trust domain, the other devices believe the removed peer is unreachable, instead of removed from the trust domain. Removing a device from a trust domain is a two step process. You must update the trust domain on the device that is being removed and one other device that is still in the trust domain.
ID 363361 The matchclass command is deprecated in favor of class match command. Do not specify a datagroup name as if it were a global variable.
ID 363405 If you run the command 'tmsh list sys vcmp virtual-disk' and see the remaining object, it is highly recommended that you manually delete it. To do so, run the command 'tmsh delete sys vcmp virtual_disk <name>'. Failure to do so can cause unexpected validation errors in the future when configuring vCMP guests.
ID 363500 The system logs of a BIG-IP vCMP guest might show DriveReady Errors or an AbortedCommand in relation to /dev/hdc. These kernel warnings are innocuous and may be ignored.
ID 363541 If a user creates an "and" rule for the default node monitor that includes the monitor "/Common/none", the state of the node will not be reported correctly.
ID 363756 Simultaneous blade-to-blade migrations of guests might occur. In rare instances, it's possible that multiple migration tasks will take longer than the allocated interval and as such migrating guests might encounter a timeout. If this happens three times, the guest will be placed in the "failed" state. To recover a guest from this condition, wait until all guest migration tasks complete successfully or fail after three timed-out attempts. Then on any blade with a guest in the "failed" state, execute the "vretry" command. This will cause any guests in the failed state on that blade to retry the failed action. Executing "vretry" one blade at a time and waiting until all migration tasks on that blade are complete will avoid these failsafe timeouts. If a guest's retry attempts also fail, re-provisioning the guest might resolve the issue. To do this, change the guest's state to "configured" and then subsequently back to "provisioned" or "deployed", as preferred. Note that this might cause the guest to be allocated to a different blade.
ID 363912 On rare occasions, when there are no monitors assigned as the default node monitor, an entry "none" may appear in the Active select box on the "Default Monitor" page in the Configuration Utility. This still represents the fact that no monitors are selected as the default node monitor and the BIG-IP will operate as such.
ID 364031 When you are in a folder other than /Common, attempting to add or delete a remote-server for syslog gives the error: "01020036:3: The requested configuration item ( /Common/foo/syslog syslog) was not found." To work around this, navigate to the /Common folder and try the operation again.
ID 364407 Even after vCMP is deprovisioned, VLAN deletion/modification is incurring a verification check that prevents VLAN from being deleted/modified. To work around this, reprovision vCMP, delete/modify the guest, delete/modify the VLANs, and then deprovision vCMP (reboot required).
ID 364467 You cannot save sysconfig after the license expires, so make sure to save before the license expires.
ID 364522 A user with the app_editor role can create an app service; however, because app_editor users cannot create objects (they can only update and enable/disable them), app_editor users actually cannot create an app service. There are two workarounds: 1. Use the new add_member_v2 method, which does not have this constraint (the add_member command is deprecated). 2. Have a user with the appropriate role create/manage the node address prior to using add_member.
ID 364588 If you run the show command from /Common partition to display the details of a pool in another partition, the monitor instance line is missing. To work around this, navigate to the partition first. Then the show command presents the expected results.
ID 364717 When using the node-port option with delete command for persistence persist-records, entries with the specified node-port should be deleted. Instead, the system deletes all the persist table entries irrespective of the port specified. Also, the show command with nonexistent port displays all the entries irrespective of the port specified.
ID 364776 The system does not prevent you from including pools from partitions other than Common in an HA-group. However, this configuration is not supported, and those pools will be removed from the HA-group when you modify pool settings.
ID 364831 When snmpd is restarted, you might get this warning message in the log file: "/config/snmp/subagents.conf: line 9: Warning: Unknown token: agentxPingInterval." This message is benign and can safely be ignored.
ID 364939 When a BIG-IP system has been configured as part of a trust domain for the purpose of config sync, and the configuration has been saved to the configuration files (tmsh save sys config partitions all), the following sequence of commands will incorrectly remove the BIG-IP system from the trust domain and config sync will not work: tmsh load sys config default (set the config back to factory defaults) tmsh load sys config partitions all (load the configuration from config files in /config/...)
ID 364978 If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2. For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair. To work around this, modify the default device to point to the unit 1 box, using a command similar to the following: tmsh modify /cm traffic-group traffic-group-2 default-device <unit 1 device name>
ID 365006 Installing a 10.x UCS on a "clean" 11.0 will cause daemons on secondary blades to restart.
ID 365219 If you roll forward a user configuration set (UCS) file that contains the default admin password (that is, you never changed the admin password before upgrading to version 11.0.0), the system posts the following message: "Config sync password is invalid." The UCS file loads correctly, so you can safely ignore this error.
ID 365224 Immediately after configuring a sync-failover device group, all devices might come up with In-Sync status in which case config-sync command will not push the configuration to other devices. The workaround is to make any simple configuration change prior to running a config-sync command.
ID 365342 The forwarding IP virtual server stops working after a request logging profile is added.
ID 365375 A DNS response packet is dropped when the "DNS::edns0" command is used with the nsid option and there is no edns0 resource record in the packet. To work around this issue, always use "DNS::edns0 exist" and "DNS::edns0 exist nsid" to make sure the packet contains the edns0 RR.
ID 365545 Due to known interaction problems between the BIG-IP 11050 and Cavium firmware, NG FIPS cards occasionally cease to function after performing a large number of key management operations (such as creation, deletion, conversion). To resolve this issue, reboot the BIG-IP system, and FIPS functionality should be restored.
ID 365555 The DES ciphers have been deprecated for TLS v1.2, but TMM is including them. These ciphers are supported on earlier versions of SSL/TLS, such as SSLv3 and TLS v1.0, which are widely used. TLS v1.2 is trying to deprecate them and move to higher standards. F5 recommends that you do not use these ciphers.
ID 365756 On error, partition folder has changed at the command line. Change it back to /Common and attempt to reload SCF after the fix.
ID 365757 Mixed mode is presented as an option for extra disks. When applied, this configuration option will present an error message similar to "01071372:3: Cannot change the mode for logical disk (HD2) from (NONE) to (MIXED). Disks cannot be changed to MIXED or CONTROL modes." For this release of BIG-IP software, only None and Datastor are functional modes for extra disks.
ID 365767 The verify option during a load .scf file operation from tmsh on the VIPRION system will cause mcpd to restart. To work around this issue, do not use the verify option on VIPRION.
ID 365836 When using tmsh to switch to a vCMP provisioned system, a transaction should be used. The commands to do this are:
    # tmsh
    > create cli transaction
    > modify sys provision ltm level none
    # All modules must be set to none. Add any other commands here to do so following the previous ltm example.
    > modify sys provision vcmp level dedicated
    > submit cli transaction
Secondary blades will likely reboot automatically due to this operation. There are conditions where the primary will reboot automatically as well. If the primary does not reboot and the status is REBOOT_REQUIRED, you should wait two full minutes before rebooting the primary blade. This is to ensure that provisioning completes, the secondaries have rebooted, vcmpd starts and the system enters a quiescent state. This only needs to be done when changing provisioning.
ID 365979 After creating a new folder from tmsh the "tmsh save sys config partitions all" command should be run.
ID 366060 FTP mirroring occasionally fails when connections come from tmm0. When it does fail, the idle timer on the standby is not updated and the connection is reaped in the 30-50 second range.
ID 367072 Running the command 'tmsh show sys hardware' on an appliance-based system shows a Registration Key field with a -- value, even on licensed systems. This field is designed only for chassis-based systems, so you can ignore the value.
ID 367198 Running 'tmsh show sys hardware' on appliances shows a blank Registration Key field. This is by design; this field is intended for VIPRION chassis only.
ID 367216 There are no specific examples in the online help for the Request Logging profile that describe how to craft Template and Error Template entries. However, you can find a table of supported parameters in the BIG-IP WebAccelerator System: Implementations Guide on AskF5. http://support.f5.com/content/kb/en-us/products/wa/manuals/product/wa_implementations_11_0_0/_jcr_content/pdfAttach/download/file.res/wa_implementations_11_0_0.pdf
ID 368389 IPsec cannot be used with jumbo Ethernet frames.
ID 368512 Some actions [in the GUI] may result in a "Changes Pending" sync status, even though no configuration was modified. Manually syncing the devicegroup will fix the status.
ID 368853 The web interfaces for F5 products rely on HTML style sheets and JavaScript to display graphics and other objects. If you are using a web browser that does not support style sheets or JavaScript, or have these features disabled in the web browser you are using, some items may not display correctly or function properly on the browser screen. For example, you cannot create a Device Group in Microsoft Internet Explorer Compatibility View. To create a Device Group, turn off Compatibility View by clicking the Compatibility View button in the Internet Explorer 8 address bar.
ID 369607 You can set ignore signature for a specified rule through the GUI and iControl, but there is no similar tmsh command to set a specified rule to ignore a signature.
ID 369841 In versions 10.2.x and 11.0.x, TMOS no longer has a hardcoded DNS set to resolve the licensing server. It instead uses a list of root name servers. If access to those servers is blocked, the automated license-reactivation process stalls in the browser-based Configuration utility. If the reactivation request does not time out, it eventually posts the reactivate screen, but offers only the Manual activation option. (The browser-based Configuration utility does not use any configured DNS for resolving the license server, which is necessary for Automatic activation.) You can configure automatic activation using the bash command line with the SOAPLicenseClient utility, as long as a configured DNS can resolve the F5 license server.
ID 370189 If you upgrade from BIG-IP v10.x and have a virtual server with more than one httpclass attached, the compression profiles will not be updated. Remove all but one httpclass from your virtual servers.
ID 370225 After a pool member is disabled from a DHCP Relay virtual server, connection flow data for the disabled pool member will persist until it times out.
ID 370272 A DHCP Relay Virtual Server can point at a pool with Priority Group Activation configured. The Priority Group Activation configuration will be ignored, wherein relayed requests are sent to all Active pool members.
ID 370941 Only DNS names are accepted for subject alternative name, not EMAIL, URI, IP, or Other.
ID 370991 The Logs Local Traffic option under the system menu is not visible on systems provisioned WAM dedicated as of version 11. Version 10 displayed this menu option inadvertently.
ID 372209 When the certificate used to verify a signed iRule expires, the iRule verification status will still remain "Verified" as long as the certificate exists on the device. To avoid the misleading status, the signature for rules signed with an expired certificate should be modified to have the 'ignore verification' property set to true, or edited to remove the signature (edit the rule and remove the 'definition-signature' line).
ID 372295 LACP can enter a state in which ports in a trunk that have been moved or re-ordered do not fully function as a reference port when there is another, actual, functioning port in trunk. There is no workaround for this issue.
ID 372979 When using the config utility to configure a static IP address, it works correctly. But when using the config utility to select an automatic or DHCP address, the operation does not complete, and returns to the prompt without error. The workaround is to configure a static IP address.
ID 373467 An MD5 certificate will not work with TLS 1.2. A client will not be able to authenticate with certificates that are signed with rsa-md5.
ID 374109 The radvd config is not migrated to tmsh syntax during a UCS restore. The workaround is to create the config manually with tmsh.
ID 374259 BIG-IP allows clientssl profiles to be associated with certificates that aren't imported in BIG-IP. This does not affect v11.x.
ID 374455 SNMP for the dynamic routing subsystem is only supported in the default route domain. For dynamic routing instances in other route domains, no SNMP information is available.
ID 374792 Added the global DB variable ARP.ReapTimeout, analogous to IPv6.Nbr.ReapTimeout, to control expiration of ARP table entries. Note the default value remains the current 20 seconds, which is substantially smaller than the IPv6 default of 3600 seconds.
ID 374976 When verified accept is enabled, there are two exposures: 1. When the three way handshake is completed with a FIN/ACK rather than an ACK, there is an accounting issue which can prevent subsequent connections to that virtual from completing. 2. The sequence number on the final ACK of the three way handshake is not validated and an invalid sequence number is accepted which can lead to a TMM core.
ID 375207 On rare occasions, tmsh will write an innocuous error message to /var/log/ltm based on a query to mcpd. The error appears as: 01070734:3: Configuration error: Invalid wildcard query, invalid or missing class ID
ID 375605 Management IP addresses which are not saved in the configuration can remain on the interface after a reboot. Rebooting again or removing the unwanted address manually will solve the issue.
ID 375887 Using the cluster member 'disable' command with a trunk that spans blades can cause a brief period where received broadcast and multicast packets will egress out the enabled trunk members of the cluster. To an external device running spanning tree protocol or variant, this can look like a loop.
ID 376166 If you set the media capability of the 10 GbE port to 1 GbE, the system fails to turn the Link LED to amber. There is no workaround for this issue.
ID 376421 While blades boot up, the system posts the following benign message: "i8042.c: No controller found." This is a cosmetic issue and can be ignored.
ID 376447 When using tmsh or iControl and the VLAN group feature, if a VLAN group member is used in the configuration of another object, an error may result similar to the following: 01070712:3: Caught configuration exception (0), Cannot create vlan 'vlanx' in rd0 - ioctl failed: File exists - net/validation/routing.cpp, line 395. To avoid the problem, when using tmsh and the VLAN group feature, only use the VLAN groups, never their members, when configuring other objects. Furthermore, it is not necessary to work with the VLAN group member (that is, in this case, the group is already in the route domain, so adding the VLAN itself is not even necessary).
ID 377231 VIPRION B4300 blades only support 9600 and 19200 baud, even though other baud rates are accepted.
ID 378055 The serial console on the B2100 blade in a VIPRION C2400 chassis cannot be set to 38400 using the tmsh command "tmsh mod sys console baud-rate 38400", but can be set using the AOM Command Menu. After setting it to 38400 via the AOM Command Menu, you can use the tmsh command to see that the baud rate has been set to 38400.
ID 378305 Because the first phase of the BIOS operates at a fixed baud rate of 19200, if you change the baud rate to any other speed, you do not see the BIOS splash screen, nor are you able to access BIOS setup while rebooting the B4200 blade. To see the splash screen or access BIOS setup, change the baud rate to 19200.
ID 378394 The command "tmsh list ltm" displays a used pool twice, once with its members, once with pool properties. To work around this, use the command "tmsh list ltm pool" instead.
ID 379111 An upgraded configuration may fail to load after UCS install or software upgrade because, during UCS creation, files with spaces in their filenames are skipped for inclusion in the UCS.
ID 379213 If a guest provision or deployment stalls on 'waiting for other disk activity to finish', wait for all disk activity to finish. Once complete, bring the guest back to a configured state before attempting to provision or deploy again.
ID 379536 If you register a new category in the iRule for the FLOW_CLASSIFIED event using the command CLASSIFICATION::register, you must restart the TMM service in order to classify that event as the newly registered event.
ID 379633 TMM crashes if there is an error in a SERVER_CLOSED iRule on a FastL4 virtual server. To work around this, ensure there are never any errors in SERVER_CLOSED iRules on FastL4 virtual servers.
ID 379656 The VIPRION B4400 chassis is cooled via side to side air flow. If multiple chassis are aligned in adjacent racks, the heated output air from one chassis becomes the input air to the next chassis and this can cause blade overheating. The workaround is to stagger the chassis vertically in adjacent racks so their cooling paths are not aligned.
ID 379738 If a BIG-IP system has both an 11.x install and a 10.x install, in some cases falling back to 10.x will result in these error messages in /var/log/ltm: Error 'unknown DS name 'rchits'' during rrd_update for rrd file '/var/rrd/ramcache If so, do the following: run "bigstart stop statsd", then either "rm -f /var/rrd/ramcache*" or cp /var/rrd/ramcache* to some permanent location (see the note), then run "bigstart start statsd". statsd will then regenerate the rrd file. Note: this will result in the loss of RAMCACHE historical statistics. If that is unacceptable, create a directory on /shared to hold the files. For example, while still running the 11.x partition, run "bigstart stop statsd", "mkdir -p /shared/rrd11/ramcache", and "mv /var/rrd/ramcache* /shared/rrd11/ramcache". Then reboot to 10.x. If you wish to restore these when switching back to 11.x, run the following once rebooted to 11.x: "bigstart stop statsd", "cp /shared/rrd11/ramcache/* /var/rrd/", and "bigstart start statsd".
ID 380047 Listing certain objects in subfolders of the current folder (e.g. 'list ltm profile ntlm my_subfolder/my_ntlm_profile') may not show any output. As a workaround, you can change into the subfolder ('cd my_subfolder') and then list the object: 'list ltm profile ntlm my_ntlm_profile'.
ID 380415 TMM CPU utilization statistics reported by sFlow or by running "tmsh show sys tmm-info" are less than actual TMM CPU utilization. TMM CPU utilization stats can be found by running "tmsh show sys proc-info tmm".
ID 381123 Enabling more than 10 sFlow receivers may impact the performance of the BIG-IP system and, therefore, is not recommended.
ID 381710 The test-monitor and test-pool-monitor commands require the monitor or pool argument to include its partition; e.g. /Common/pool1. Tab completion from inside a partition will cause the partition name to be omitted. To work around this, run these commands from the root partition, or manually type the full pool or monitor argument including the partition.
ID 381977 On a chassis, if the IP is set to DHCP, the GUI cannot get past the setup page. To avoid this issue, set the IP option to manual and not DHCP.
ID 382109 When a power supply is removed, there is no warning or alert message on the console. PSU changes can still be detected from "tmsh show sys hardware", and when there is insufficient power from the PSUs plugged in, there will be NOTICE log messages in /var/log/ltm.
ID 382335 When particular combinations of modules are provisioned, it's possible for the Memory graph on the System > Resource Provisioning page to show a small white rectangle at the end of the Management Memory Allocation. This is due to a rounding error and does not reflect a problem with the system.
ID 382577 The imish "terminal monitor" command has no effect in TMOS. The workaround is to configure a log file (under /var/log) and use the tail command to monitor it in real time. The workaround unfortunately does not work for users without access to bash.
ID 382613 On VIPRION 4400 chassis containing B4100 blades, the Speed LED stays solid yellow when at 10Mb. This is not an indication of a problem with the system, even though the Platform Guide: VIPRION 4400 Series indicates that the Speed LED should blink yellow.
ID 382804 There is a difference in time zone adjustment between VPE and tmsh. When a date and time is entered in tmsh, it is interpreted as local time. The input time is adjusted and stored as GMT time. However, when a date and time is entered in the VPE, there is no time zone adjustment. For this reason, the timestamp entered through tmsh will be different than the one entered through the VPE for the same date and time. As a result, pre-logon inspection will fail when using tmsh to configure the agent for endpoint Linux check file. The recommended workaround is to use the VPE to configure the agent for endpoint Linux check file. If tmsh must be used, then subtract or add the difference from your time zone with respect to GMT. PST time zone is -8:00hr from GMT. The date and time for the agent must be -8:00hr from PST.
ID 383128 While upgrading or booting between versions on the VIPRION B2400, B4200, and B4300 Blade Series, it should be expected that firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes.
ID 383531 Changing the management address for a vCMP guest BIG-IP system that is part of an HA pair might cause both members of the HA group to become active. To change the management address of a vCMP guest, the device certificates must be updated within the guest manually. Use the following procedure: The cm device unicast-address ip/effective-ip fields must be corrected on each device to be used in the device group: "tmsh modify cm device <device> unicast-address { { <dataplane address> } { <new management address> } }". After this, remove the remote peer from the peer trust list on each machine and re-add it. The config sync group should resync and be back in order.
ID 383590 When upgrading multiple machines that are members of the same trust domain, it is possible during mid-upgrade that there will be inconsistent sync status messages across the trust domain. Once the upgrades are complete, and all machines are in running state on the same version, the sync status should return to a consistent status across the domain.
ID 383649 After reprovisioning a chassis from vCMP-dedicated to non-vCMP, a manual system reboot is required. Not performing this manual reboot might result in reduced SSL performance, as well as log messages indicating "using sw-based crypto/auth".
ID 383737 Ha-group and other ha methods are incompatible. The ha-group must either be enabled on all devices in the failover device group or it must be disabled on all devices in the failover device group. It is important to disable ha-groups before adding additional devices to the device trust.
ID 383763 If enough disk space has been reserved for virtual disk images, the system might prevent creation of additional virtual disks, even though there is currently enough disk space. The error message is "Insufficient disk space on /shared/vmdisks." If the error condition is encountered, remove unused virtual disk images from /shared/vmdisks. The system will recognize when enough space is available and begin any pending installations automatically.
ID 383767 The Thales generatekey command requires a pkcs11d and tmm restart. On the Standby BIG-IP-1: 1. Run the generatekey utility on the Standby machine OR run rfs-sync --update to copy new keys from the RFS. 2. If the generatekey command was run, run the command rfs-sync --commit. 3. Run 'tmsh restart sys service pkcs11d'. 4. Run 'tmsh restart sys service tmm'. 5. Install the Certificate(s) and Key(s) to Filestore using tmsh. 6. Optional: Create the clientssl profile to use the new key. On the Active BIG-IP-2: 1. Run 'tmsh run sys failover standby'. 2. Ensure the new key is working appropriately on BIG-IP-1. 3. Run 'tmsh restart sys service pkcs11d'. 4. Run 'tmsh restart sys service tmm'. 5. Run rfs-sync --update. 6. Run 'tmsh run cm config-sync from-group <device-group>'.
ID 384103 Intra-chassis connection mirroring may drop connections on trunks with LACP disabled. Enabling LACP is a best practice on all trunks and improves the reliability and speed of connection mirroring. Note that you will need to enable LACP on all devices that are members of the trunk.
ID 384356 MCPD is too permissive in the validation of file-object names, and it allows for the creation of file-objects with names which may be considered invalid in other contexts. For instance a file-object with a name which includes spaces may not be properly included in the UCS file. Best practice is to create object names of fewer than 63 characters (including the partition name), that do not begin with numbers (except Self IP addresses), and that contain no spaces or special characters other than underscore ( _ ), or hyphen ( - ).
ID 384463 If the UI reports "synchronize to group /Common/device_trust_group", this may be a result of devices in the trust domain whose system time is more than 5 minutes out of sync.
ID 384717 While viewing "watch-trafficgroup-device", if the devices in the device group change, the "watch-trafficgroup-device" can sometimes become non-responsive. Killing the tool and restarting after the device group membership stops changing will keep the "watch-trafficgroup-device" running stable.
ID 385328 Relaying DHCP requests that must be sent from the VLAN and/or interface on which they were received is not supported in this release of BIG-IP software.
ID 385340 The DHCP Relay LTM Profile will not function correctly when deployed on VIPRION BIG-IP systems.
ID 385345 Automatically configuring the management port IP address via DHCP is not supported on VIPRION platforms in BIG-IP software versions 10, 11.0, 11.1 and 11.2.
ID 385508 Loading a pre-11.0 UCS onto a system running 11.0 or later will reset the device trust group, and should be avoided after the original migration. Save a new 11.0 UCS immediately after migration to 11.0 is complete and use this one going forward.
ID 385656 Upon provisioning, deployment or disabling of a guest, administrative users logged into the vCMP host GUI may be logged out prematurely. Logs detailing an invalid password change will be present and should be considered innocuous: err mcpd[8153]: 01070366:3: Bad password (admin): BAD PASSWORD: it is too short err mcpd[8153] 01070366:3: Bad password (root): BAD PASSWORD: it is based on a dictionary word
ID 385796 The load status of the MCP daemon as shown by "tmsh show sys mcp-state" can become "config-load-in-progress" very infrequently. The other accompanying symptom is the lack of any error messages in the log files. This can be remedied by running "tmsh load sys config partitions all".
ID 385825 The CMI watch_* scripts (like watch_devicegroup_device) should not be allowed to run indefinitely as they may adversely affect performance of the box after a few hours.
ID 385849 On a chassis, if the /shared/db/cluster.conf file has a different number of members listed than there are slots in the chassis, clusterd can restart continuously. Sometimes this occurs when moving blades between chassis, but it can also occur because of direct modification to the cluster.conf file (cluster.conf is not intended to be modified, other than by the system). If there is another blade in the chassis that is working normally, stop clusterd using bigstart stop, remove the /shared/db/cluster.conf file and restart clusterd using bigstart start. The blade will get the correct cluster.conf from another member of the cluster.
ID 386032 Auto-MDIX stays enabled even when the management port settings are forced.
ID 386419 11.2.x has an updated version date. This means all users installing 11.2.x on vCMP guests first need to renew their license on the hypervisor. This helps ensure uninterrupted service on the guest as it starts up for the first time.
ID 386778 IPsec in an HA deployment cannot use an anonymous ike-peer. Create a new ike-peer with the required remote IP field holding the remote peer's IP address. If using PSK, you are OK. If using RSA (the default), uncheck the verify certificate field. Change the presented ID and verified ID fields to "address".
ID 387070 Using remote authentication, a remotely authenticated user can use ssh to login, but console login is denied. There is no workaround for this issue.
ID 387106 Ramcache statistics will be associated with only one vip per profile. The statistics for all of the vips that use this profile will be reflected in the ramcache statistics for that vip. The workaround is to create a copy of the Web Acceleration profile for each vip if the individual statistics are desired. However, this adds complexity to the configuration and should only be done when necessary.
ID 387361 If a device is rebooted and it comes up with a sync status of 'not all devices synced' and the other devices report a sync status of 'in sync', then the force sync command must be run to correct this situation. To sync the group, run the following command on the device whose config you want to sync: "tmsh modify cm device-group device-group-failover devices modify {This.Device {set-sync-leader}}"
ID 387448 When monitoring a device group status from a device that does not belong to that group, the config sync status reported could be inconsistent with the device-level status. For example, the sync status for device A is 'Changes Pending,' but the device-group to which device A belongs shows a status of 'In sync.' The workaround is to view the sync status from a device in the device group.
ID 387692 On a BIG-IP system, the IKE daemon racoon may post vague messages such as the following in its log file, /var/log/racoon.log: "racoon: WARNING: listening to wildcard address, broadcast IKE packet may kill you." The message is only shown if the IKE daemon's log-level is set to "warning", and is common among IKE daemon implementations that are based on the open-source RACOON package. The implication is minor.
ID 388098 dmesg may display a message similar to the following: "localhost warning kernel: hda: host side 80-wire cable detection failed, limiting max speed to UDMA33". This is expected and does not indicate any problem with the hardware or software.
ID 388273 On a VIPRION, the failover daemon will not be able to communicate correctly with the peer chassis unless the customer configures the management port on each blade.
ID 389642 The "route" command will not display multiple nexthops for a route. If you have routes with multiple nexthops, use the "ip route show" or "ip -6 route show" command to view them, instead.
ID 389912 When a single blade chassis is in the standby mode, there is no blade LED indication that the chassis is in standby mode.
ID 389924 If multiple nexthops to a destination prefix are learned via dynamic routing (ECMP), traffic originated from the Linux host will only use one nexthop for all traffic to that prefix. Traffic passing through tmm will use all available nexthops.
ID 389976 There is a memory leak in the Kerberos delegation feature. There is no current workaround.
ID 390248 Devices outside of a device group but in the trust domain may have an out-of-date Commit ID (CID) or Last-Successful-Sync (LSS) ID, causing configsync status to be displayed incorrectly on some devices and not others.
ID 390423 Performing a 'sync from group' currently causes a mismatch in LSS "Last Successful Sync" IDs such that viewing configsync status will be incorrect on some devices and not others.
ID 390764 A BFD session may not show the correct session "Up Time" value when the user displays BFD session information using the IMI shell command 'show bfd session detail'. This is due to a known issue in the current implementation where any innocuous session parameter update resets the session Up Time value. The actual BFD session itself functions correctly.
ID 391822 dhclient will always retry at a five minute interval in this release of BIG-IP software.
ID 392085 On a standalone BIG-IP, on the Device Management ›› Devices ›› Properties page, the "Force to Standby" button may become available. Since this is a standalone unit and there is no Active/Standby pair, this button is not valid and it should not be clicked.
ID 392702 Modifying the traffic-group of a configuration object with "floating" set to "disabled" will silently fail. To work around this, set "floating" to "enabled" before modifying the traffic-group.
ID 393136 The power supply information in the output of 'tmsh show sys hardware' reflects only the power supplies that were present when the system started up. If a power supply is added after the system is running, 'tmsh show sys hardware' shows that the added power supply is active, but it does not show detailed information for the supply.
ID 393149 BFD Echo functionality is not currently enabled in this version of TMOS. The BFD Echo function is an adjunct to the two modes in BFD, namely Asynchronous mode and Demand mode, that enables validating full forwarding plane connectivity. At this time, BFD is supported in Asynchronous mode without the BFD Echo function.
ID 393150 When loading a configuration with 42,000 items or more on a system with 8 GB of memory, you may experience up to 45 seconds of extra load time. To avoid this extra time, you can issue the following command before loading: "tmsh modify sys db provision.extramb 512".
ID 393647 The availability status for objects configured with a connection rate-limit can remain yellow even if the object is available to handle traffic. Once the connection rate falls below the configured value, the object's status will continue to show unavailable until the object receives additional traffic. This is a cosmetic issue and is limited to testing scenarios where the test tool stops sending traffic upon receiving a reset packet. ApacheBench is one such tool. In real world scenarios, continued traffic processing will automatically restore the correct status.
ID 394117 When using a default route domain on a partition, if a virtual server is created with tmsh using a destination address that does not already exist, it may not be possible to modify the destination address. STEPS TO REPRODUCE: Run "tmsh create auth partition partition1", "tmsh create net route-domain /partition1/rd1 id 1", "tmsh modify auth partition partition1 default-route-domain 1", "tmsh create ltm virtual /partition1/my_vip destination 1.2.3.4:0", and "tmsh modify ltm virtual-address /partition1/1.2.3.4 arp disabled". The system then reports: 01070734:3: Configuration error: Invalid virtual address modification. An address change from 1.2.3.4 to 1.2.3.4%1 is not supported. Workaround 1: Explicitly create the virtual address before creating the virtual server. For example, issue this command before issuing the 'tmsh create ltm virtual ...' command: tmsh create ltm virtual-address 1.2.3.4 Workaround 2: Use an explicit route-domain in the address in the tmsh command to create the virtual. For instance, use 1.2.3.4%1:0 in the previous example.
ID 395208 On the BIG-IP 4000 family of platforms, messages like 'subscriber(%pfmand): Snapshot for req_id(XX) getting removed due to timeout.' will appear in the ltm log. These messages are innocuous and should be ignored.
ID 395269 Reapplying a template to reconfigure an Application Service Object will delete any firewall rules that have been created through the Security screen. To retain a set of firewall rules, include creation of the desired firewall rules in the template itself.
ID 395720 On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7. To work around this issue, reboot the device.
ID 395882 Using liveinstall with the save and transfer config options enabled to install another image of unlicensed 11.2.1 can cause the second volume's install to take extremely long to reach active status.
ID 396064 Occasionally, if one of an In Sync failover pair is rebooted, the rebooted member comes up in a state other than "In Sync", and, since the other member of the pair is in the "In Sync" state, the tmsh "run cm config-sync" command fails to rectify the situation. If the device group in question is called DG1, pick a machine to be the config source, we'll call it SRC, and do a "modify cm device-group DG1 devices modify { SRC { set-sync-leader } }" in tmsh to fix the problem.
ID 396122 In a non-homogeneous cluster, validation on a secondary blade may fail if the module is not allowed or resources are not available. Make sure the primary member of a cluster is the blade with the least available resources (Puma1).
ID 396278 If you set MGMT IP address using the LCD module, the ltm log contains a message stating the management route was not found. This is the message: Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found. This is a benign logging message, which is reporting a non-existent error condition.
ID 396293 SNAT bounceback does not work when the non-default CMP hash is used on a vlan carrying that kind of traffic.
ID 396294 At startup, the BIG-IP 4000 logs a message "SwEdge Error: No core edge found" in /var/log/ltm. This message is benign and reports a non-existent error condition.
ID 396729 If you have configured two mirroring connections (both a primary and secondary pair), when the inactive mirror connection is dropped and then re-established, fastL4 connections expire on the standby after the timeout. To work around this issue, configure only one mirroring connection.
ID 396831 Provisioning Virtual Clustered Multiprocessing (vCMP) on the 4000 platform can cause a kernel panic. vCMP is not supported on the 4000 platform and the UI should not permit it to be provisioned. Please check the AskF5 website for a list of platforms supporting vCMP.
ID 397146 DNS Services/DNSSEC/GTM licensing is required in order to use the DNS firewall.
ID 397637 Fixed an issue in which lasthop pool failover does not work for FTP, both upload and download, especially when failover involves two different networks (in this case, connection.vlankeyed must be set to disabled).
ID 397939 When a 4200v box is powered up, there will be a log message like this for each PSU plugged in: "Sep 11 15:13:43 localhost crit chmand[7680]: 012a0013:2: Blade 0 hardware sensor critical alarm: : Bad" This message is a false negative and just indicates a power-on event.
ID 398084 Recovery has been deprecated for some time now, and this capability has now been disabled in preparation for removal. The removal of the restart capability recovers some disk I/O and speeds up datastor shutdown and restart.
ID 398947 It is possible that the text "serial8250: too much work for irq4" may be seen on the host serial console. These messages are extremely rare. The cause of the message is a temporary overload of the serial port. However, once the serial port has recovered from the overload, it continues to operate normally. No character loss on the console has been observed when this condition is encountered.
ID 399203 Do not use 'src-ip' as the hash mode on an internet side interface vlan. This will result in poor performance and unexpected behavior.
ID 399213 On 11.2.1, IPv6 traffic passing over trunks on a 4000 platform does not get hashed by IP address, but rather by MAC address. This often ends up mainly using one link of the trunk.
ID 399464 HAL publishes a superset of possible media properties for SFP pluggable modules, which allows forced 10/100 media options for CuSFP pluggable modules.
ID 399470 Switch-based platforms do not support Fibre Channel SFP modules.
ID 399622 Mcpd validation will fail and cause daemons to restart if the volume sizes on a cluster are not the same on all blades and the web-acceleration profile cache size or the sum of the cache sizes is set higher than the datastor volume size on a secondary blade. Make sure all volume sizes on a cluster are the same on all the blades. Alternatively, make sure the web-acceleration profile cache size or the sum of the cache sizes is smaller than the smallest datastor volume.
ID 399837 When the management IP address is switched between IPv4 and IPv6 addresses, the existing (old) management port ACL rules need to be cleaned up before the switch and re-applied after the switch.
ID 400008 On chassis systems, if a dynamic routing protocol is configured via imish and that config is saved, and then BFD is configured but NOT saved, subsequent blade failover can cause TMM to keep the BFD session up and running even though the BFD session should be dropped. After configuring BFD, save the configuration in imish by issuing the write command.
ID 400078 When removing a pluggable module from some specific Centaur or Treadstone ports, it is possible for the adjoining ports to lose link briefly, e.g. removing a pluggable module from Centaur ports 1.1 or 1.5 may cause established link on ports 1.2 or 1.6, respectively, to drop briefly.
ID 400346 A server_name field populated with a properly formatted URL in a DHCP response may cause the dhclient process to generate an error in daemon.log. The error message "err dhclient: suspect value in server_name option - discarded" is innocuous and can safely be ignored.
ID 400584 The TMSH command "ltm lsn-pool" allows you to create a pool with an empty member list. However, the lsn-pool will not be functional until a member list is configured.
ID 400778 On a VIPRION, you may see the following log messages: Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete These messages should not show up on the platform and are harmless.
ID 400945 If there is a problem with vCMP guests, consult the log file /var/log/vcmp* (along with /var/log/ltm).
ID 400973 The BIG-IP system creates a log entry when a CPLD read fails. This is a cosmetic issue that occurs infrequently. The read event of a CPLD register may be initiated by "tmsh show sys hardware", and the log entry appears as follows: Oct 3 17:08:41 localhost warning chmand[6513]: 012a0004:4: getLopCpldInfo read CPLD register 0x27 error: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=e sub_obj=1b slot_id=ff result=e len=0 crc=21fb payload= (error code:0xe)
ID 401220 LTM::LSN statistics Translation Mapping Request Count currently only shows successful translations. It should show total requests.
ID 401329 Connections established by clients through a DSLite tunnel and LSN may lose their connection if BIG-IP experiences a blade failure or a blade is removed from the chassis or failover occurs between units in a traffic group. The failure can be mitigated by enabling translation for the lsn-pool persistence=address-port, and loose connection initiation in FastL4 profile associated with the virtual server handling the traffic.
ID 401412 The default dhclient request elements can be displayed with the command "tmsh list sys management-dhcp sys-mgmt-dhcp-config". These elements can be managed by using add/delete statements under the management-dhcp object. This example disables updates to the system hostname from DHCP: tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { host-name }
ID 401739 Creation of a large number (>10000) of custom categories or applications could lead to memory exhaustion and possibly crash the BIG-IP system.
ID 401917 When disk space is available on the primary blade of a chassis, but not available on one or more of the secondary blades, mcpd validation will fail on the secondary blade(s) and cause mcpd to restart. Use the GUI or tmsh to remove any unused application volumes from secondary blades.
ID 402004 When the persistence mode or address range of a LSN pool is changed and there are active persistence mappings, the “Total Active Persistence Mappings” statistic will not immediately reflect the change. Any currently active persistence mappings that are invalidated by the change will continue to be counted until they expire.
ID 402319 It is possible to create a publisher without any attached destinations. The preferred method to create a logging setup that discards messages is to not add a publisher to the relevant filter. It is also possible to create a publisher with no destinations and attach it to a filter, but this method may result in the inability to move your configuration on to a future release.
ID 402455 Before attempting synchronization using the GUI setup wizard, clocks of the BIG-IP devices must be synchronized. It is recommended to use an NTP server for this.
ID 402551 On 4000-series platforms, any trunk which does not consist of 1, 2, 4, or 8 members will have imbalanced traffic. On 4000-series platforms, use trunks with 1, 2, 4, or 8 ports in order to balance traffic evenly across links. Non-power-of-two configurations will work, but traffic will not be balanced.
ID 402743 In a rare case after upgrade, the BIG-IP system will fail to create a new ClientSSL profile. Restarting mcpd will fix this issue.
ID 402850 ArcSight formatting is only available for logs coming from the Network Firewall Module or the Application Security Module.
ID 402855 If a config is created with route domains and a config is created that is identical except without any route domains, then while one config is loaded, a load of a UCS of the other config may fail. Clear the current config by loading defaults before loading the UCS, i.e.: tmsh load sys config default ; tmsh load sys ucs <ucs_name>
ID 402864 If /var/tmp is full, MySQL queries can fail. For example, during an event logs report generation (under Security -> Event Logs), the error shows up in the GUI and /var/log/avr/monpd.log contains the following line: Because : Error writing file '/var/tmp/......' (Errcode: 28) Workaround: Free some space under /shared disk partition.
ID 403042 The DNS Security profile and DNS settings of the DoS profile are available when either PSM or ASM are provisioned but require base DNS support to function. This is provided by the GTM, LC, and DR modules or one of the following add-on modules: DNS Services; AWS Add-on: DNS; DNS Services, Virtual Edition; VIPRION ADD-ON: DNS License
ID 403440 The system may encounter memory problems when attempting to display the entire connection table during peak traffic. To prevent system problems, please use filters to display only specific parts of the table per query.
ID 403560 HSL works only if the remote syslog server is configured on a VLAN with "default" hash.
ID 403613 The drop counters for the 1.x interfaces on the 2000s / 2200s and 4200v platforms currently do not work in LTM mode due to a hardware issue.
ID 403688 Hardware syncookies currently require both client side and server side profile context to have hardware syncookies enabled in order to function.
ID 403758 BFD does not work with IS-IS when it is configured only for IPv6.
ID 403764 If a log message is not matched by any filter, then the log will be processed by the syslog-ng daemon. To disable log processing by the syslog-ng daemon, create a filter with source equal to "all" and level equal to "debug" then route as desired.
ID 403829 When editing the configuration of a SNAT, changing the Translation type from IP Address to SNAT Pool will result in an error. The workaround is to use tmsh to modify the SNAT pool with the following command: tmsh modify ltm snat my_snat { snatpool /Common/my_snat_pool }
ID 403894 If the /shared/db/cluster.conf.<chassis_id> file gets linked to another chassis backup config file, this can cause the initial cluster formation to fail in various ways, especially if the chassis backup config files are from different types of chassis. To verify that this condition exists, type this command to the shell "ls -l /shared/db". There should be exactly two files with a link count of two, one of which is /shared/db/cluster.conf, and all the other files should have a link count of 1. To work around this, save all the cluster parameters that matter to your operation, as there is always the potential to lose this information, especially if this is the only functional blade in the chassis. You may find it generally useful to keep independent records of all the cluster parameters of all your chassis. Delete all the files in /shared/db that have an excessive link count. You can delete all the files in /shared/db as long as you have independent records of the cluster parameters or can regenerate the information. Touch the file /service/clusterd/forceload and do "bigstart restart clusterd" in the shell.
ID 404157 NAT 1:1 handles packets as expected, however NAT 1:1 statistics will not increment beyond zero in this release of software.
ID 404182 To avoid the issue, use a filter with the show sys conn command that reduces the result set to below one million results. You can check the number of connections currently running on the system by issuing the command "tmsh show sys performance conn".
ID 404398 Using tmsh merge to update route-domains will not work. A workaround is to manually merge the changes to /config/bigip_base.conf (or /config/partitions/<partition_name>/bigip_base.conf) and load.
ID 404443 The VIPRION 4800 chassis only supports blades running 11.3.0 software. If you attempt to add a blade running older versions, it will be unable to join the cluster and some daemons on that blade might begin restarting repeatedly.
ID 404537 FTP active mode may not work with service provider DAG in the following cases:
  • Virtual with automap or SNAT.
  • Virtual with LSN pool that contains very few translation addresses.
  • In a cluster environment for a virtual with LSN pool that has persistence enabled, FTP active mode may stop working if blades are added or removed from the cluster. The workaround for this case is to delete all the persistence entries (using tmsh lsndb util - run util lsndb delete persist) after a change to the cluster.
  • LSN::address iRule or snat iRule is used to select the translation address.
ID 404545 It is not necessary to run the eud_log command on the 10200v platform because the eud.log file is already in the /shared/log directory.
ID 404548 LSN iRule LSN::port and source-port=preserve-strict setting in virtual server configuration might fail if inbound connections are enabled on the LSN pool.
ID 404588 LSN iRules persistence-entry get/set and inbound-entry get/set may not work properly for RTSP if the "after" command is used.
ID 404598 CGNAT: iRule commands for persistence/inbound-entry get commands might not work in events after LB_SELECTED.
ID 404659 State mirroring within the eight-blade VIPRION 4800 chassis is not supported for this release. To work around this, mirror between two separate chassis.
ID 404668 Device sync can be lost between a device with GTM and LTM licensed and provisioned, and a device with LTM licensed and GTM provisioned but not licensed. This can arise when loading scf files even if they reflect the current configuration. To work around this, after you load back the scf files and then save them, run a tmsh load cmd. This 'activates' the trust and requests a sync for the device group.
ID 404679 The F5-VPR-LTM-B4340N blade is not supported with vCMP with v11.3.0.
ID 404711 To prevent config sync issues, you should ensure that if you assign a tunnel to a non-floating self-IP, the tunnel should be placed in a folder that does not sync (the devicegroup setting is set to 'none').
ID 404819 If a primary blade is successful at disk provisioning, a secondary blade that fails can remain in a state where the recovery steps are not obvious. This can arise if the secondary blade was provisioned with an application volume on another chassis and has less available disk space than the primary blade. The workaround is to bring the secondary blade up, and if mcpd is running, deprovision vcmp and delete the vmdisk application volume. If mcpd is not running, issue the following command: lvremove -f /dev/mapper/<name of disk volume with 'vmdisk' in name>
ID 404852 Local syslog logs may be concatenated when logging connections are unexpectedly closed. This results in logs of the form: syslog_header ... Msg1 <###>syslog_header ... Msg2 Where <###> is the syslog facility/priority code for Msg2 (also present for Msg1 but normally stripped when the log is written to a file). Note that msg2 may actually belong in a different file, but because it was appended to msg1, it will always end up in the same file as msg1.
ID 404858 If you have wccp configured, you can ignore all synchronization failures related to wccp, but pay attention to any other errors that might occur.
ID 405000 SessionDB mirroring between blades in an 8 blade chassis will lose approximately 10%-20% of entries when a blade fails.
ID 405255 Issuing a 'reset-stats net interface' command in tmsh does not clear the stats for an interface with status 'disabled'. Enabling the interface with 'modify net interface x.y enabled' before resetting stats causes the stats to correctly clear. The interface can be disabled again afterwards if desired.
ID 405281 On 2000s / 2200s platform and the VIPRION 4200v blade, manually configuring the 1 Gigabit interfaces (interfaces 1.1 through 1.8), to 1 Gigabit, is currently not supported (for example, running the command 'modify net interface 1.1 media 1000T-FD' does not set the interface speed to 1 Gigabit). In these cases, to support 1 Gigabit copper interfaces at 1 Gigabit speeds, set the interface to auto.
ID 405284 Inserting and removing SSD sleds from a running BIG-IP 11000 appliance may result in the system detecting and reporting the disks incorrectly on the Disk Management page of the Traffic Management User Interface. To work around this issue, after inserting or removing SSD sleds from the BIG-IP 11000 appliance, reboot the device.
ID 405366 IPsec may stop handling incoming ESP packets after rekey. There is no workaround for this issue.
ID 405435 When integrating with Thales network HSM and the configuration is not correct, the netHSM driver could crash TMM.
ID 405758 In v11.1.x, large SNMP responses cannot be delivered from the BIG-IP system. To work around this, run the command 'echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc' and then restart snmpd.
ID 406141 For all hardware platforms that are in an unlicensed state, LED behavior is undefined.
ID 406585 The BIG-IP system reboots when monitoring a large number of nodes that are on a non-zero route domain.
ID 406590 While performing DC hotswap the power supply alarm LED turns red. This is benign and may be ignored.
ID 410998 After rapid removal/insertion of the VIPRION C4400/C4480 DC power supplies, the power supply does not return to its normal operational state. Instead, both power supply LEDs (DC_OK_IN, DC_OK_OUT) remain off, and within 2 minutes, the BIG-IP system asserts an alarm on the command line and the blade (ALARM_LED=FLASH_RED). While a chassis is operating, it's acceptable to remove/reinsert a power supply; the system continues to operate without interruption. However, if a power supply is removed and immediately reinserted (e.g., within 2 seconds), that power supply's LEDs may remain "OFF", and TMOS reports that power supply as "down". Conditions: Rapid removal/insertion of a power supply, at approximately 2 second intervals or less. Impact: Minimal; it is highly unlikely that a customer would perform this type of rapid removal/insertion. Such a scenario can be resolved by removing the affected power supply, waiting 5 seconds, and then reinserting it. The alarms can then be cleared using standard processes. Note that this issue occurs only rarely. To avoid the issue altogether, remove the power supply and wait 5 seconds before re-installing the power supply.
ID 416496 Cancelling tmsh during a show command might restart TMMs. The TMM processes, and possibly mcpd, may restart because the process runs out of memory if the command 'show sys connection' from tmsh is interrupted while processing. This intermittent issue occurs when the system has a large number of active connections in the TMM processes (number varies by platform), and tmsh is formatting the connection table for output. System restarts cause all connections to be lost, and the appliance is unusable for a short time while the processes begin again. Workaround: None, but you can prevent the issue from occurring by waiting for tmsh to complete the collection and formatting of connection table information. Specifically, do not interrupt the operation from the command 'show sys connection'.
ID 430728 The tmm process may crash when a connection is reset, typically with a panic message such as 'freed invalid pcb magic'. This occurs when the following conditions are met: -- A TCP iRule event other than CLIENT_CLOSED or SERVER_CLOSED is suspended. -- The peer sends a RST packet on the connection. -- There is an error in the suspended iRule, possibly as a side-effect of the RST packet being received. -- Code for a CLIENT_CLOSED or SERVER_CLOSED iRule event does exist. The BIG-IP system reboots or fails over. Workaround: Remove CLIENT_CLOSED and SERVER_CLOSED event, or run tmm.debug.
ID 445911 tmm fast forwarded flows are offloaded to ePVA, which is incorrect behavior. This occurs on ePVA. Workaround: For versions 11.3.x and 11.4.0, there is no workaround. On version 11.4.1 or later, you can use the following command to turn off tmm fast forward when using the guaranteed hardware acceleration mode: 'tmsh modify sys db tmm.ffwd.enable value false'.
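
For ID 404852 above, one way to find concatenated local syslog lines and recover the facility and severity of the appended message from its embedded <###> code, so you can tell which file it should have gone to. This is an added example, not F5 code; the BSD-style timestamp expected after the code, the hostname bigip1 and the sample lines are assumptions constructed for illustration.

```python
import re

# PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# An embedded PRI only counts when a BSD-style timestamp follows it, so message
# bodies that merely contain "<12>" are not split (assumed header shape).
EMBEDDED = re.compile(r"<(\d{1,3})>(?=[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} )")

def decode_pri(pri):
    """Map a PRI value to (facility, severity); None if out of range."""
    if not 0 <= pri <= 191:
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def split_line(line):
    """Split one file line into records: [(pri_or_None, text), ...]."""
    records, start, pri = [], 0, None
    for m in EMBEDDED.finditer(line):
        if decode_pri(int(m.group(1))) is None:
            continue  # not a valid PRI, leave it inside the message
        records.append((pri, line[start:m.start()].rstrip()))
        pri, start = int(m.group(1)), m.end()
    records.append((pri, line[start:].rstrip()))
    return records

def report(lines):
    """Return (line_no, facility, severity, text) for every appended message."""
    hits = []
    for no, line in enumerate(lines, 1):
        for pri, text in split_line(line)[1:]:
            facility, severity = decode_pri(pri)
            hits.append((no, facility, severity, text))
    return hits

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "Jan  5 10:00:01 bigip1 notice mcpd[5795]: first message <86>Jan  5 10:00:01 bigip1 info sshd[912]: second message",
    "Jan  5 10:00:02 bigip1 info tmm[1201]: value <12> seen in payload",
    "Jan  5 10:00:03 bigip1 err tmm[1201]: a <999>Jan  5 10:00:03 bigip1 x",
]

if __name__ == "__main__":
    for hit in report(SAMPLE):
        print(hit)
```

Only the first sample line is reported: the second contains a bracketed number with no header after it, and the third carries a value outside the valid PRI range of 0 to 191.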

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices
