Release Note: BIG-IP LTM and TMOS version 10.1.0

Software Release Date: 12/17/2009
Updated Date: 08/23/2013

Summary:

This release note documents the version 10.1.0 release of BIG-IP® Local Traffic Manager and TMOS®. To review what is new and fixed in this release, refer to New in version 10.1.0 and Fixed in version 10.1.0. For existing customers, you can apply the software upgrade to versions 9.3.x, 9.4.x, 9.6.x, and 10.x. For information about installing the software, refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available in the AskF5℠ Knowledge Base, http://support.f5.com.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
- Upgrading from earlier versions
- New in version 10.1.0
- Behavior changes in version 10.1.0
- Fixed in version 10.1.0
- Known issues
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database in the Ask F5 Knowledge Base.

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • System hard drive
  • 1 GB RAM

Important: You cannot run this software on a BIG-IP 1500 platform with 768 MB RAM. You must upgrade to 1 GB RAM.

Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.

You can work with the BIG-IP system Configuration utility using the following browsers:

  • Microsoft® Internet Explorer®, version 6.0x, and version 7.0x
  • Mozilla® Firefox®, version 3.0x

Note that we recommend that you leave the browser cache options at the default settings, and disable popup blockers and other browser add-ons or plug-ins.

Supported platforms

This release supports the following platforms:

  • BIG-IP 1500 (C36) - with 1 GB RAM
  • BIG-IP 1600 (C102)
  • BIG-IP 3400 (C62)
  • BIG-IP 3410 (C100)
  • BIG-IP 3600 (C103)
  • BIG-IP 3900 (C106)
  • BIG-IP 4100 (D46) - unit running Application Security Manager only
  • BIG-IP 4500 (D43) - unit running WebAccelerator System only
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 6900 (D104)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)
  • BIG-IP 8900 (D106)
  • VIPRION (J100, J101)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: The hardware and software for each unit in a redundant system configuration must match.

Installing the software

This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

Before you begin, ensure that you have completed the following:

  • Reformat for the new 10.1.x partition size (partitions created using version 9.x or 10.0.x do not accommodate the 10.1.x software).
  • Reactivate the license and update the service contract.
  • Download the .iso file from F5 Downloads to /shared/images on the source for the operation.
    (If you need to create this directory, use this exact name /shared/images.)
  • Check that the drives have at least minimal formatting.
  • Configure a management port.
  • Set the baud rate to 19200, if it is not already.
  • Log on using the management port of the system you want to upgrade.
  • Log on to an installation location other than the target for the installation.
  • Log on using an account with administrative rights.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location.
  • Log on to the standby unit, and upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are upgrading from 9.3.x or 9.4.x, run im <downloaded_filename.iso> to copy over the new installation utility.
  • If you are running WAN Optimization Module, set the module's provisioning to Minimum before upgrading.

Installation consists of the following steps.

  1. To copy the upgrade utility, run the command im (for first-time 9.x-to-10.x installation).
  2. To install the software and roll forward the configuration on the active installation location, use one of the following methods:

Warning: Do not use the --nomoveconfig option described in the following procedure on systems with existing, running installations of Application Security Manager. Doing so removes all content from the associated database. Instead, ensure that the configuration on the source installation location matches the one on the destination. To do so, save the UCS configuration on the location you want to preserve, and apply that configuration to the destination before or after the installation operation.

  • To format for volumes and migrate the configuration from the source to the destination (for fully 10.x environments), run the command:
    image2disk --instslot=HD<n.n> --format=volumes <downloaded_filename.iso>
  • To format for volumes and preserve the configuration on the destination (for fully 10.x environments), run the command:
    image2disk --instslot=HD<n.n> --nomoveconfig --format=volumes <downloaded_filename.iso>
  • To format for partitions (for mixed 9.x and 10.x environments), run the command:
    image2disk --instslot=HD<n.n> --format=partitions <downloaded_filename.iso>
  • To install from the command line without formatting (not for first-time 10.x installation), run the command:
    bigpipe software desired HD<n.n> version 10.x build <nnnn.n> product BIG-IP
  • To install from the version 10.x browser-based Configuration utility, use the Software Management screens.

After the installation finishes, you must complete the following steps before the system can pass traffic.

  1. Ensure the system rebooted to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility, if needed.
  4. Provision the modules.

Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we strongly recommend that you reference the guide to ensure successful completion of the installation process.

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.

To watch an in-progress installation operation, run the command watch b software status, which runs the b software status command every two seconds. Pressing Ctrl+C stops the watch feature.

If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

How you upgrade from earlier versions depends on the version of software you have.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Important: BIG-IP version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: Supported product module combinations by platform for the BIG-IP version 10.x software branch.

Upgrading from version 9.6.x or 10.x

When you upgrade from software version 9.6.x or 10.x, you can use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help, or the relevant chapters in the BIG-IP® Systems: Getting Started Guide.

Important: Upgrading a version 9.6.x platform to version 10.x also performs a BIOS upgrade. (You can find more information in the following Solution: SOL10633: BIOS update may be required before installing BIG-IP version 10.1.0 or later on the VIPRION platform.) If you also apply a version 10.x hotfix when you attempt the software upgrade, the operation fails to install the new BIOS. This can cause additional issues. For more information, see SOL10548: The BIOS of the VIPRION platform is not upgraded when installing BIG-IP version 10.0.x and a hotfix in a single step and SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.x.

Upgrading from version 9.3.x or 9.4.x

If you plan to install this version of the software onto a system running 9.3.x or 9.4.x, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.3.x or 9.4.x to 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.

Upgrading from versions earlier than 9.3.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x or from BIG-IP versions 9.0.x through 9.2.x. You must be running software version 9.3.x, 9.4.x, 9.6.x, or 10.x. For details about upgrading to those versions, see the release notes for the associated release.

Important: Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up correctly, but the system logs a message every ten minutes reminding you to configure the peer management addresses. To configure the failover peer management addresses, navigate to the Network Failover screen, available under High Availability on the System menu on the navigation pane, and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the redundant system. Once you specify both IP addresses, the system should operate as expected. For more information, see SOL9947: Change in Behavior: The Peer Management Address setting is required for BIG-IP version 10.x systems configured for network failover.

New in version 10.1.0

WAN application delivery Services
The base BIG-IP® Local Traffic Manager license includes a subset of features from the WAN Optimization Module. Using these features, you can configure one BIG-IP system to discover and connect to another, similarly configured BIG-IP system, and create iSession connections between them for optimization, encryption, and granular control of traffic over the WAN.

Access Policy Manager
This release includes the Access Policy Manager, which gives you access to remote resources over a secure connection. With this feature, system administrators can securely access BIG-IP systems from anywhere.

Edge Gateway platform
The BIG-IP® Edge Gateway platform provides application delivery tailored for the network edge. Edge Gateway is available on the 1600, 3600, 3900, 6900, and 8900 hardware platforms. The Edge Gateway product combines services from the WAN Optimization Module, the WebAccelerator, and Access Policy Manager. This combination provides secure, accelerated remote access to networks and applications. Features include credential caching and proxying (CCP) for single sign-on, a visual policy editor for creating access policies, HTTP forms-based authentication configuration, endpoint security, caching, compression, and asymmetric and symmetric network and application acceleration.

High availability
In this release, you can configure HA groups: a set of trunks, pools, clusters, or any combination of these, that the system uses to calculate overall health scores for units in redundant system configurations. Using HA groups, failover can occur more quickly, because failing over based on HA scores is faster than failing over based on failures in hardware or daemons.

Application templates
This release includes additional application templates. An application template corresponds to a particular application, such as Oracle® E-Business Suite, and provides a fast, efficient way to configure the BIG-IP system to process the associated traffic. The application templates added in this release are:

  • Generic nPath (Direct Server Return)
  • Microsoft® Exchange Outlook® Web App (OWA) and RPC Client Access
  • Microsoft Office Communications Server (OCS)
  • Oracle® E-Business Suite
  • PeopleSoft 9.0

Route domain
We have expanded the route domain feature in this release to include default route domain designation for administrative partitions. In addition, route domains now support enforcement of cross-routing restrictions.

New script component in tmsh
With this release, you can use the tmsh script component to build Tcl scripts to automate and customize management of the BIG-IP® system. This feature gives you the ability to extend tmsh to build commands that are customized to your environment.

Health monitors and profiles
In this release, we have added health monitors for the Diameter server and RADIUS Accounting server and profiles for the Diameter server and RADIUS load balancing.

PKCS#12 certificate import
We have included the Public-Key Cryptography Standards (PKCS) number 12 (PKCS#12) certificate import type for use with SSL certificates for clients, servers, and the BIG-IP device.

Weighted load balancing methods
This release introduces the Weighted Least Connections (member) and Weighted Least Connections (node) methods for load balancing connections. These methods use an algorithm that the system determines based on connection limits and number of active connections.

Behavior changes in version 10.1.0

Virtual server total statistics and HTTP (CR109429-1)
The browser-based Configuration utility increments the total requests statistic for virtual servers only when the virtual server uses an HTTP profile, or when the virtual server is a Performance (HTTP) type.

Communication between BIG-IP or 3-DNS version 4.x and version 10.1.0 or later
A 3-DNS® Controller or BIG-IP® system running version 4.x cannot communicate with BIG-IP® systems configured with version 10.1.0 or later. For more information, see SOL11106: Change in Behavior: iQuery communication is not supported between BIG-IP or 3-DNS version 4.x and BIG-IP LTM or GTM version 10.1.0 or later.

Cipher list changes in version 10.1.0 (CR110198, CR127136)
In version 10.1.0, F5 Networks added support for SSL Datagram Transport Layer Security version 1 (DTLS1) as native ciphers that can be hardware-accelerated. In addition, the Diffie Hellman (DH) ciphers were removed from the default SSL cipher lists. The DH ciphers are still available for use in the product, but they are no longer part of the default cipher lists.

License check behavior change (CR114586)
In previous releases, whether the system installed the license file from the user configuration set (UCS) depended on the Service check date and Licensed date values in the bigip.license file, both in the UCS and on the system. Now, when you install from the UCS onto the system, the system always installs the license file onto the system.

SIP headers and special characters (CR116361)
In this release, the system supports the use of all ASCII printable characters in SIP headers. Certain characters, such as quotation marks ( " ) and backslash ( \ ), need to be escaped with a backslash for the monitor to correctly parse the header. The command line adds an extra level of parsing, which requires that you increase the number of escape characters when using the command line to define a backslash compared with the number you specify in the browser-based Configuration utility definition. This is correct functionality. We cover it here because the behavior changed from earlier versions. In this release, you add one escape character in the Configuration utility, and three on the command line (for a total of two and four, respectively), to get one backslash. Note that this increased-escaping requirement is relevant only when the character you want is a literal backslash. For other characters that need escaping, you can use the normal number of backslashes for escaping SIP header special characters (one in the Configuration utility, and three on the command line).

SSL::cert iRule commands (CR116806)
The following iRule commands now apply to the lifetime of the SSL session, and not only to the connection in which the system receives the client certificate:

  SSL::cert <index> # GET_PEER_CERT
  SSL::cert issuer <index> # GET_PEERCERTISSUER
  SSL::cert count # GET_PEER_CERTCOUNT

With this change, the system stores the received peer certificate in the SSL session, so that the certificate is available to the specified iRule commands as long as the SSL session is valid. In previous releases, the CLIENTSSL_CLIENTCERT iRule event retrieved the peer certificate; now the stored certificate can also be retrieved inside the HTTP_REQUEST event.

Statistics reporting on LCD panel (CR116422, CR129776)
In this version of the software, we have removed statistics reporting on the LCD panel. The browser-based Configuration utility and the command line interface provide better reporting of statistics.

FIPS driver and bigstart restart tmm command (CR118391)
BIG-IP software versions 9.4.7, and later, and 10.1.x ship with an updated Federal Information Processing Standards (FIPS) driver. After initializing the FIPS card using the command fipsutil -f init, you must run the command bigstart restart tmm to restart the tmm process. Versions 9.3.x, 9.4.1 through 9.4.6, and 10.0.x ship with an older FIPS driver that does not require a restart of the tmm process after initializing the FIPS card.

tmsh and bash prompt and mcpd busy (CR118464)
In this version of the software, a tmsh prompt of status unknown or a bash prompt enclosed in question marks (?) indicates that the mcpd process is temporarily unavailable. This might occur when the mcpd daemon is busy handling a request that requires running external scripts. In previous releases, the system posted no message or indicator of an unknown or busy status.

Classes in configurations and upgrade (CR118866)
If you roll forward a version 9.4.x configuration that contains a defined class that does not exist, the resulting configuration fails to load. This is correct functionality. Previous versions did not validate whether defined classes existed before rolling forward a configuration. You can work around this issue by ensuring the external class file has been created on the system before loading a configuration that references it. If the external class is no longer required, you can remove the class definition that references the nonexistent class file. For more information, see SOL10139: A configuration referencing a nonexistent external class file fails to load.

SSL session cache and CMP (CR123255)
In this release, the SSL session cache is shared across multiple TMM instances on CMP systems (that is, SSL session cache is CMP-aware), so a returning client no longer needs to reestablish SSL key exchange parameters when the system distributes the connection to a different TMM instance.

Long user name and configuration installation (CR124040)
In this release, user names can be no longer than 31 characters. If you have an existing configuration that contains users with names longer than 31 characters, the installation roll-forward operation fails. The workaround is to change the user names in the configuration before you upgrade.

Multiple persistence profiles and the bigpipe and tmsh utilities (CR116612)
There is a difference in how the bigpipe and tmsh utilities handle default persistence profile selection. When you add multiple persistence profiles to a virtual server, the bigpipe utility stores the profiles in alphabetical order and selects the first one as the default. For bigpipe, therefore, there is always a default persistence profile. Using the tmsh utility, you can specify the attribute default no for every persistence profile, if you wish. In that case, there is no specific default, although bigpipe commands still designate the alphabetically first persistence profile as the default. In tmsh, if you specifically set a profile to default yes, bigpipe retains that profile as the default and lists that profile first in the list. Note that you cannot use bigpipe commands to change the profile bigpipe uses as the default.

No ksh support in 10.1.x (CR133351)
Beginning with version 10.1.0, the /bin/ksh binary is no longer available. If you are using ksh-based scripts, they will not work in 10.1.x, and upgrading will fail. To work around this change, you can rewrite your ksh-based Extended Application Verification (EAV) monitor scripts in bash.
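
A pre-upgrade check for this change can list every script whose interpreter line invokes ksh, so the scripts can be rewritten in bash first. The script below is an added example, not F5 code; the function names and sample files are constructed, and treating an "env ksh" interpreter line as affected is an assumption.

```shell
#!/bin/bash
# Added example (not F5 code): find scripts that are started through ksh.

# shebang_interpreter FILE
# Prints the basename of the interpreter named on the "#!" line, looking
# through "env" (assumption: "env ksh" also breaks once ksh is gone).
# Prints nothing when the file has no "#!" line.
shebang_interpreter() {
    LC_ALL=C head -n 1 "$1" 2>/dev/null | tr -d '\000' | awk '
        /^#!/ {
            sub(/^#![ \t]*/, "")
            n = split($1, p, "/"); name = p[n]
            if (name == "env") { n = split($2, p, "/"); name = p[n] }
            print name
        }'
}

# find_ksh_scripts DIR...
# Prints, sorted, each regular file under DIR whose interpreter is ksh.
# A script that only mentions ksh in a comment or body is not reported.
find_ksh_scripts() {
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do
        if [ "$(shebang_interpreter "$f")" = "ksh" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_monitors DIR
# Writes constructed sample files used to demonstrate the scan.
make_sample_monitors() {
    printf '#!/bin/ksh\necho UP\n'                > "$1/check_app"
    printf '#! /usr/bin/env ksh\necho UP\n'       > "$1/check_db"
    printf '#!/bin/bash\n# ported from ksh\n'     > "$1/check_web"
    printf 'notes about ksh, not a script\n'      > "$1/notes.txt"
}

# Demonstration on the constructed files; on a real system, pass the
# directories that hold your monitor scripts instead.
demo_dir=$(mktemp -d)
make_sample_monitors "$demo_dir"
find_ksh_scripts "$demo_dir"
rm -rf "$demo_dir"
```
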

iQuery communications with BIG-IP 4.x devices
As of this release, the Global Traffic Manager system no longer supports iQuery communications with BIG-IP version 4.x devices.

VLAN failsafe timeout value behavior change
In software versions 9.x, the system did not enforce a minimum value for the VLAN failsafe timeout value. Beginning in version 10.0.0, the minimum allowed VLAN failsafe timeout value is 10 seconds. Before you upgrade from version 9.x to version 10.x, F5 Networks recommends that you change your VLAN failsafe timeout value to 10 or greater in order to ensure a successful configuration load after the upgrade has been completed. For more information, see SOL7066: Overview of VLAN failsafe.

HTTPS monitor with no receive string and node status (ID 207411, CR120157)
In versions prior to 10.1.0, a null response from an HTTPS service with no receive string would be marked as UP. This behavior changed in version 10.1.0 to require at least one byte of data after SSL negotiation to be considered UP. For more information, see SOL10904: An HTTPS monitor incorrectly marks a node as UP when no data was sent in the server response.

Cross route domain after upgrade (ID 223709, CR131366)
In this release, there is a Strict Isolation option for route-domain configuration. The option is enabled by default, so existing configurations that direct traffic across route domain boundaries will no longer work after upgrading. When that happens, the system logs a message similar to the following in /var/log/ltm:

Oct 24 16:29:46 local/tmm1 warning tmm1[6636]: 01200011:4: Connection rejected from IP
10.20.20.12%2 port 33845 to IP 10.10.10.20%1 port 80: One of the route domains is strict.

To have traffic cross the route domain boundary, disable the Strict Isolation option in Network >> Route Domains for ingress and egress route domains.
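
Before disabling Strict Isolation, it helps to see which route-domain crossings the system is actually rejecting. The script below is an added example, not F5 code: it summarizes these log messages by source and destination route domain. The function names and sample log lines are constructed from the message shown above, and it assumes each message occupies a single line in the log and that an address without a %ID suffix belongs to route domain 0.

```shell
#!/bin/bash
# Added example (not F5 code): summarize Strict Isolation rejections so each
# blocked route-domain crossing can be reviewed before the option is disabled.

# summarize_strict_rejects [FILE...]
# Reads the named files (or stdin) and prints, most frequent first:
#   <count> rd<src>->rd<dst> <dst_ip> port <dst_port>
summarize_strict_rejects() {
    awk '
    # Route-domain ID after "%"; no suffix is reported as 0 (assumption).
    function rd(a,   p) { return (split(a, p, "%") > 1) ? p[2] : 0 }
    # Address with any "%ID" suffix removed.
    function ip(a,   p) { split(a, p, "%"); return p[1] }

    /01200011:/ && /One of the route domains is strict/ {
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from" && $(i + 1) == "IP") src = $(i + 2)
            if ($i == "to" && $(i + 1) == "IP") { dst = $(i + 2); dport = $(i + 4) }
        }
        if (src == "" || dst == "") next      # malformed or truncated line
        sub(/:$/, "", dport)                  # "80:" -> "80"
        seen["rd" rd(src) "->rd" rd(dst) " " ip(dst) " port " dport]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample input modeled on the message in this release note.
sample_ltm_log() {
    cat <<'EOF'
Oct 24 16:29:46 local/tmm1 warning tmm1[6636]: 01200011:4: Connection rejected from IP 10.20.20.12%2 port 33845 to IP 10.10.10.20%1 port 80: One of the route domains is strict.
Oct 24 16:29:47 local/tmm1 warning tmm1[6636]: 01200011:4: Connection rejected from IP 10.20.20.13%2 port 33901 to IP 10.10.10.20%1 port 80: One of the route domains is strict.
Oct 24 16:30:02 local/tmm warning tmm[6635]: 01200011:4: Connection rejected from IP 10.20.20.12%2 port 40112 to IP 10.30.30.5 port 443: One of the route domains is strict.
Oct 24 16:30:05 local/bigip notice constructed unrelated message
EOF
}

# Demonstration; on a real system run: summarize_strict_rejects /var/log/ltm
sample_ltm_log | summarize_strict_rejects
```

Each output line is one crossing to review: confirm the flow is intended before disabling Strict Isolation on the ingress and egress route domains it names.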

Fixed in version 10.1.0

Network failover and peer management address (CR108434, ID 212404, ID 247048)
Rolled forward configurations that do not contain peer management addresses defined now work correctly (although the system logs a message every ten minutes as a reminder to configure the addresses, if they are not already configured).

Known issues

This release contains the following known issues.

L7 mirrored connections after restart and failover (CR55926)
If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.

ICMP time exceeded on IPv6-addressed packets (CR79065, CR83552, ID 250921, ID 251174, ID 319551)
When, due to time-to-live (TTL) exceeded, the BIG-IP system drops IPv6 traffic being sent through a network virtual server or SNAT, the BIG-IP system responds with a destination-unreachable ICMP6 message. The BIG-IP system's IP address should be listed as the source in the ICMP response, and the client IP address should be listed as the destination. However, the BIG-IP system incorrectly reports the dropped IPv6 packet's destination address as the source address of the ICMP6 response. The result, from the client's perspective, is that the BIG-IP system does not show up as a hop; the server is seen in place of the BIG-IP system.

Link status after replacing tri-speed copper SFP with fiber SFP (CR83207)
If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status.

Copper SFP and fiber SFP swapping (CR80078-1, CR128607)
If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. The workaround is to issue a bigstart restart bcm56xxd command.

Baud rate setting and serial console access on VIPRION (CR80191)
In order to change the baud rate when you are using a serial terminal console server on the VIPRION® platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system.

  1. On each blade in the system, run the following command:
    bigpipe baud rate <your_baud_rate_value>
    Make sure to complete this change on all blades in the system before proceeding to step 2.
  2. Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed.
  3. Finally, change the baud rate of your serial terminal server.
    The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information.

NTP server delete and nonexistent servers (CR85137)
If you run the b ntp servers delete command when no such Network Time Protocol (NTP) server exists in the configuration, the system adds the server. The workaround is to make sure the server exists before trying to delete it.

b <object> edit command (CR86175, CR119480)
Although the b <object> edit command is referenced in product documentation, the command is disabled in this release. If you run the b <object> edit command, the system presents a message indicating that the feature is not implemented.

Command b profile http all ramcache entry all show and error message (CR86593-1)
When using the command line to query for RAM Cache entries, if you specify anything (for example, filtration parameters such as uri or an unnecessary all) after ramcache entry other than actions (for example, show), you must include a specific profile name. If you do not, the system posts an error message. For example, if you issue the command b profile http all ramcache entry all show, the system returns the following messages:

  config # b profile http all ramcache entry all show
  BIGpipe unknown operation error:
    Profile name must be specified.

UCS error and remote user logon operations (CR87863)
If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user.

MSTP configuration name following a reboot (CR90249, ID 227304)
The Multiple Spanning Tree Protocol (MSTP) specifies that the system handles spanning tree packets in accordance with the MSTP protocol. When you create a new MSTP configuration on the system, the new MSTP configuration name is not retained following a system reboot or after running the bigstart restart command. For more information, see SOL8212: The BIG-IP LTM does not retain the MSTP configuration name following a reboot.

Duplicate SNATs in bigip.conf file (CR91719)
If you have duplicate names for SNATs in the bigip.conf file, the pvad service restarts and writes out a core file. To work around this situation, make sure each SNAT in the configuration has a unique name.

RAM cache, CMP, and memory sizing calculations (CR92541)
When RAM cache calculates the amount of memory available or allowed, it should take CMP into account. In this release, RAM cache does not take CMP into account.

Load balancing methods and low connection limits with low numbers of connections on multiple TMM services (CR93185, CR116200)
Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.

CPU usage when pvad monitors many nodes (CR94039)
When the pvad service queries a very large number of objects (for example, 2000 nodes), the pvad service might use as much as 27% of CPU. This condition is intermittent, and might have other requisites. There is no workaround.

System restart and pam_audit messages on the console (CR96888)
Occasionally, a system restart might result in the system posting to the console messages of the following type:

  sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008".
  sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008".

These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users.

b persist show on cluster and incomplete results (CR97188)
Running the command b persist show on a cluster might return incomplete results in certain avoidable situations. To ensure complete results, leave the bigpipe shell read partition at all, and log on as a user who is authorized to view all partitions.

Status LED state after startup (CR97299-1)
The Status LED briefly shows green on power up. The LED should be blank or amber. Early during initialization, the software sets the LED color to amber, and finally to green once cluster quorum is reached. You can safely ignore the transient green LED on power up.

Resource Administrator and Administrator roles in partitions other than Common (CR98262)
In this release, only the Common partition can contain users with the Resource Administrator and Administrator roles. If you create users with these roles in other partitions, when you load the configuration, the system posts the error: BIGpipe user modification error: 01070821:3: User Restriction Error: The system user (admin-users) must be created in the Common partition, and the configuration does not load. In addition, a Resource Administrator cannot load a configuration that has users who are not in the Common partition. There is no workaround for this issue.

PVA acceleration and Mimic IP ToS (CR98536)
When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality.

bd restart and Tcl error messages (CR100240)
When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, which logs a Tcl error to the /var/log/ltm file. This is a benign error message that you can safely ignore.

SCF with different hostname value than system (CR102008)
If you have a Single Configuration File (SCF) that contains a different hostname value than the system, you cannot automatically roll forward that configuration. Instead, you must first modify the entry in the SCF so that the hostname matches the system.

b config check all command on chassis and appliance (CR102064)
The b config check all command returns different results depending on whether you run the command on a chassis (such as a VIPRION® system) or an appliance (such as a BIG-IP® 6900). On a chassis, the system returns the message: No reports have been received. On an appliance, the system returns a response similar to the following messages:

DAEMON STATUS bcm56xxd
   Configuration OK at 14062d 21:07:29
   Last error at 14062d 21:07:29
      Message: Received remote heartbeat registration message: pid=8714, timeout=60

Clear Performance Data button on detailed graphs (CR102918)
When you click the Clear Performance Data button in any view, the operation clears data for all historical statistics, not just the data for the specific view you are in.

Cluster member address and default netmask (CR103199)
When you specify the cluster management IP address, the netmask defaults to /32, or 255.255.255.255. In order to use cluster member addresses, the netmask must be no more than /30, or 255.255.255.252. Always specify the netmask when specifying the cluster management IP address if you plan ever to use cluster member addresses. That way, the address always gets set correctly, and you can configure the cluster member addresses on the same network.

Install and number of volumes behavior change (CR103500)
The 10.x installer creates four volumes by default, which differs from the two partitions that the 9.3.x and 9.4.x installer created.

System failover and b failover offline | online show commands (CR103596)
The command line help for the failover command indicates that the following commands are valid: b failover offline [show], b failover online [show]. Issuing either command without the optional show argument takes the system offline or online. Issuing the command with the show argument results in the following parsing error: 012e0051:3: The requested attribute (show) is invalid for 'failover'. These are invalid commands that you should not use; they should not appear in the help.

snmpd section in SCF (CR103956)
If you have a Single Configuration File (SCF) that contains an snmpd element, you cannot automatically roll forward that configuration. Instead, you must first modify the entry in the SCF so that it conforms to the current format. In this case, you must add braces ( { and } ) around the snmpd entry.

Unsupported SCF entries from earlier versions (CR103958)
If you have a Single Configuration File (SCF) that contains elements or formats that the current version does not support (for example, an SCF that contains the element failsafe action failover restart tm as a failsafe action), you cannot automatically roll forward that configuration. Instead, you must first modify the entry in the SCF so that it conforms to the current format. In the case of failover restart, the system supports the following failsafe options: failsafe action go offline, failsafe action reboot, failsafe action restart all, and failsafe action go offline abort tm.

Browser refresh on license properties page and user logon prompt (CR104124)
When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. There is no workaround for this issue.

err request_module messages at startup time (CR104325)
When you start up a system, you might see some of the following error messages. The messages are entirely benign, and you can safely ignore them.

Aug 4 11:16:34 slot4/RackB31 err request_module[net-pf-5]: waitpid(29047,...) failed, errno 512
Aug 4 11:18:56 slot1/RackB31 err request_module[net-pf-3]: waitpid(12541,...) failed, errno 512
Aug 4 11:22:01 slot4/RackB31 err request_module[block-major-43]: waitpid(31300,...) failed, errno 512

Extended volume names and 9.6.x (CR104327, CR114895)
If you install this version of the software on a volume that uses a nonstandard name (for example, HD.pc1 rather than HD1.1), you cannot access that volume using version 9.6.x of the software. To access volumes named in this manner, use version 10.x software.

Command line delete volumes (CR104468, CR115056)
The system does not prevent you from deleting all volumes, including the active volume, using the b software desired command. Doing so causes the system to boot into another location. To prevent potential system access problems, do not use the command line to delete the active volume.

Volume sets above HD1.4 and 9.6.x installation (CR104647)
On a VIPRION® system with the active volume set above HD1.4, if you then add a blade that has 9.6.x installed and active, the system does not run the installation on the 9.6.x blade to bring it into the cluster. This occurs because 9.6.x is hardcoded to support volumes 1-4 and cannot dynamically create new volume sets. To work around this issue, make sure all blades you want to add are running 10.x, or use a volume set between 1 and 4.

NTP server add and host name (CR105032)
When you specify the host name for the b ntp servers add command, the system returns false positives when translating the host name to an IP address. The workaround is to add Network Time Protocol (NTP) servers using an IP address instead of a host name.

High availability setup wizard settings and the Previous button (CR105101)
If you use the high availability setup wizard and specify settings, when you click the Previous button, the system clears all the values you specified, so you must re-enter the values.

Profile editing and system timeout (CR105105)
If you are editing a profile in the browser-based Configuration utility when the system times you out and requests a new logon operation, the system sends you to the Welcome screen instead of the screen of the profile you were editing when you were logged off.

Primary blade failover and user logon (CR105216)
When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again.

Dashboard window and browser session timeout (CR105234)
When you have the dashboard window open, the browser session never times out. When you close the dashboard window, the timeout interval takes effect again.

Secondary self IP addresses and monitoring (CR105511)
If you configure secondary self IP addresses for a vlan/domain, the system uses the wrong self IP address for monitoring. In a typical scenario, the system uses the IP address that you created first as the primary IP address for monitoring. However, IPv6 in the Linux kernel does not set a preferred source by default. Because Linux treats routing domains like it treats IPv6 addresses, the Linux kernel does not set a preferred source. There is no workaround for this issue.

Reboot during system initialization on systems with SCCP (CR105604)
If you reset the Host on a platform that contains an SCCP after the system has completed initialization, the system attempts to PXE boot, making DHCP requests repeatedly and indefinitely. The workaround is to first use the SCCP Command Menu option 2 to put the SCCP into the proper state, and then reboot the system. You can also recover by powering the unit off and back on again.

Global Traffic Manager not provisioned and ConfigSync (CR105627)
In a redundant system that has Local Traffic Manager provisioned on both units and Global Traffic Manager provisioned on only one unit, you must provision Global Traffic Manager on the second unit. Failure to do so risks Global Traffic Manager becoming unprovisioned or unconfigured after a ConfigSync operation.

Partitioned systems and creating volumes (CR105797, CR114073)
When you use the Software Management screens in the Configuration utility or the b software commands on the command line to create a volume on a system hard drive that is formatted using the partitioning scheme, the system appears to try to create the volume, but the operation fails. The system should alert you immediately that you cannot create a volume on a partitioned system hard drive. In general, the software does not support use of the volume management screens on systems that use the partitioning drive-formatting scheme.

Route domain health check traffic and IPv6 statistics (CR106378)
The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround for this issue.

Message modprobe: modprobe: Can't locate module tun6to4 (CR106750)
When you reboot a system from the serial console, the system reports the message modprobe: modprobe: Can't locate module tun6to4... during the shutdown sequence. This message is benign, and you can safely ignore it.

Availability of user controls after password change (CR106828)
A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change.

VIPRION and hardwired failover (CR106830)
This release supports only network failover for chassis-to-chassis failover on the VIPRION® platform. Do not configure hardwired failover using any failover cable included with the VIPRION platform you received.

User relogon after no password change (CR107046)
The system requires a user to log on again after changing a password to the same password as the one previously configured. There is no workaround for this issue.

SSL keys and certificates for HTTPS and SIP monitors (CR107415)
Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable.

SIP and HTTPS monitors and Intermediate CA signed certificates (CR107443)
If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server.

UDP checksum in IPv4 fragment (CR107852)
On BIG-IP 8400 and 8800 platforms, IPv4 fragments of a large User Datagram Protocol (UDP) datagram will be incorrectly modified at offset 6 from the end of the IP header (the location that would be the UDP checksum if the fragment were a full UDP datagram) from 0xfff to 0x0000. Although there is no workaround for this issue, it is not a common case.

VIPRION kernel panic and upgrade to version 10.0.0 (CR107874)
The VIPRION® platform may experience a kernel panic and reboot following an upgrade to BIG-IP version 10.0.0. This issue occurs if the system is running BIOS firmware earlier than build 461, and the VIPRION unit is upgraded to version 10.0.0 with the management interface connected to a subnet with live traffic. For more information and a workaround for this condition, see SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.0.0.

CD-ROM or DVD-ROM drives that exceed the USB current specification (CR107883)
This release does not support USB CD-ROM or DVD-ROM drives that exceed the high-power USB current specification of five unit loads (500mA) per port.

Long VLAN name in Linux and fetching interface (CR107927, CR110084)
Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address.

Memory report for modules (CR108667)
In this release, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands.

Module provisioning level set to Dedicated (CR108728, CR113440)
In the browser-based Configuration utility, if you try to set the provisioning level to Dedicated on a module when another module already has the Dedicated provisioning level, the system allows the change and sets the provisioning level to None on all other modules. When you use the command line for the same operation, the system presents an error: When a Dedicated provision level is set, all other module's provision levels must be set to None. To accomplish the change, you can use the Configuration utility, or you can use the command line to set the provisioning level to None for all other modules, and then set the Dedicated provisioning level on the module you want to configure. To do so, use the tmsh utility to issue the following commands (substituting your module names for <module-A> and <module-B>):

  (tmos)# create transaction
  [batch mode](tmos)# modify sys provision <module-A> level dedicated
  [batch mode](tmos)# modify sys provision <module-B> level none
  [batch mode](tmos)# submit transaction

Monitor limit on BIG-IP 8800 (CR108819)
The BIG-IP 8800 platform supports a maximum of 30,000 monitors in a single configuration. If you create more than 30,000 monitors, the BIG-IP 8800 might halt in a switchboard-failsafe state when you load the configuration.

Same user, different password (CR108965, CR114966)
When a user is logged on, if you use the b config install <ucs file>, b import <ucs file>, or b config sync commands, or when performing a ConfigSync operation in the Configuration utility to load a configuration that contains the same user, but with a different password, the system does not log off that user. After that user logs off, or when that user's session times out, that user must use the password from the new configuration to log on.

Default route domain information (CR108975)
In the browser-based Configuration utility, the Route Domain List screen shows the Default Route Domain information. However, the command line does not display the default route domain information in b route domain command results.

Disk provisioning information on partitioned system (CR109131)
On a system whose drives are formatted as volumes, on the Resource Provisioning screen in the Current Resource Allocation area, there is a section that displays Disk provisioning; if the drives are formatted as partitions, there is no Disk provisioning section. However, if you issue the b provision command on the command line, the results show a column for disk provisioning information.

RAM Cache-enabled virtual servers and connection leak on standby unit (CR109230-1)
If you attempt to mirror virtual servers that have RAM Cache enabled, depending on the cache state, the system leaks the connection on the standby unit when the connection is closed on the active unit.

HA Connection with peer established messages during upgrade (CR109301)
If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system posts messages such as the following until both systems are running the same version of the software: tmm tmm[1917]: 01340001:3: HA Connection with peer 10.60.10.3:1028 established. There is no workaround for this condition. Both units in a redundant system must be running the same version of the software.

Reboot on blades after b import operation (CR109381)
After a b import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade.

Hotfix uninstall package behavior change (CR109472)
In this release, you no longer need the hotfix uninstall packages. Instead, you can use the b software commands to change the revision level of any 10.x image location to a higher or lower revision. For more information, see the man page for the b software command, available on the command line by typing man software.

Screen visible after timeout (CR109834)
When a system timeout occurs, the system grays out the screen behind the timeout alert box. Although you can access the browser window scroll bars to view the contents of the grayed-out screen, none of the options are active.

Mirroring interface delete and mirroring halt (CR109917)
When you delete an interface that is configured for interface mirroring, the system halts mirroring on all other configured interfaces. To work around this issue, when you delete an interface-mirroring configuration, recreate the configuration using all interfaces. As an alternative, after deleting an interface, save the configuration and issue the command bigstart restart.

Secondary blades and mcpd-primary user messages (CR110014)
The secondary blades in a chassis log messages using the user name mcpd-primary. That means that when the root user issues certain commands on the primary blade, such as one to disable a virtual server, the system logs messages similar to the following:

Oct 21 13:29:39 slot4/prd-061 alert mcpd[2415]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'root'.
Oct 21 13:29:39 slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'.
Oct 21 13:29:39 slot1/prd-061 alert mcpd[27136]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'.

These messages accurately represent the action taken and the origin of the command, and do not indicate an error condition.
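When reviewing audit trails from a chassis, the mcpd-primary entries need to be tied back to the user named on the primary blade. The following is an added example, not F5 code, that groups the sample lines above and reports the real actor; the function names, the line layout in the regular expression, and the rule that replicas share the same timestamp, message ID and action text are assumptions drawn only from those sample lines.

```python
import re
from collections import defaultdict

# Sample input: the three log lines quoted in the release note above.
SAMPLE_LOG = """\
Oct 21 13:29:39 slot4/prd-061 alert mcpd[2415]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'root'.
Oct 21 13:29:39 slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'.
Oct 21 13:29:39 slot1/prd-061 alert mcpd[27136]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'.
"""

# Account name that secondary blades log for changes replicated from the primary.
REPLICATION_USER = "mcpd-primary"

# Assumed layout, inferred only from the sample lines:
#   <Mon DD HH:MM:SS> <slotN>/<host> <level> mcpd[<pid>]: <msgid>: <action> by user '<user>'.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+"
    r"(?P<slot>slot\d+)/(?P<host>\S+)\s+\w+\s+mcpd\[\d+\]:\s+"
    r"(?P<msgid>[0-9a-f]{8}:\d):\s+"
    r"(?P<action>.+) by user '(?P<user>[^']+)'\.\s*$"
)


def parse_mcpd_events(log_text):
    """Return one dict per mcpd log line that names an acting user."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def attribute_actions(events):
    """Group the same action across slots and name the user behind it.

    Assumption: primary and secondary blades log an identical timestamp,
    message ID and action text for one change, as in the sample lines.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["ts"], ev["host"], ev["msgid"], ev["action"])].append(ev)

    report = []
    for (ts, host, msgid, action), evs in groups.items():
        origins = [e for e in evs if e["user"] != REPLICATION_USER]
        replicas = [e for e in evs if e["user"] == REPLICATION_USER]
        attributed = len(origins) == 1
        report.append({
            "timestamp": ts,
            "chassis": host,
            "msgid": msgid,
            "action": action,
            "actor": origins[0]["user"] if attributed else None,
            "origin_slot": origins[0]["slot"] if attributed else None,
            "replicated_on": sorted(e["slot"] for e in replicas),
            # Replica entries without exactly one matching primary entry
            # cannot be attributed automatically and need a manual look.
            "needs_review": bool(replicas) and not attributed,
        })
    return report


if __name__ == "__main__":
    for row in attribute_actions(parse_mcpd_events(SAMPLE_LOG)):
        print(row)
```
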

Rate ceiling behavior change (CR110269)
In this release, when attaching a child class to a parent class, the system takes into account the rate of the parent class when verifying that the parent's rate ceiling is not exceeded. Now, the sum of a parent class' rate and child classes' rates cannot exceed the parent's rate ceiling. In previous releases, the system allowed the parent's rate to be, at most, equal to the rate ceiling, regardless of the rates of the child classes. This could have led to oversubscribing the configured rate ceiling in certain cases where traffic was assigned directly to a parent class. If you are rolling forward a configuration from a previous build, a quick workaround is to set the rates of all parent classes to 0bps by running the following command: bigpipe rate class <parent class name> rate 0bps. As a general rule, avoid assigning non-zero rates to parent rate classes.

iRule data collect and release (CR110761, CR113485)
There is a new iRules feature that provides support for suspending a running iRule (for example, with the after command). If you are running an indefinite collect operation (that is, the iRule is running a ::collect command with no arguments), and in response to a CLIENT_DATA event the iRule processes the payload to a certain point and then suspends iRule operation, when iRule operation resumes and the iRule issues a ::release command, the operation might release more data than the iRule processed. Specifically, data that arrives when the iRule is suspended does not trigger an additional CLIENT_DATA event. Here is an example of how to ensure that an iRule releases only the data that it has already processed: before running any command that suspends a running iRule, have the iRule save the ::payload length in a variable. When iRule operation resumes, have the iRule issue a ::release $payload_length command. You can find extensive information about iRules on the Dev Central web site, available at http://devcentral.f5.com/.

Configuration data and module deprovisioning (CR110791)
If you deprovision a module, the system does not remove the configuration attributes associated with the module. Some configuration data, such as endpoint attribute definitions for the WAN Optimization Module, might interfere with Local Traffic Manager tunnel operations. In this case, when the definitions for endpoint advertised route, endpoint local, and endpoint remote remain in the configuration after deprovisioning WAN Optimization Module, the Local Traffic Manager tunnel resets connections that were established when you had the module provisioned. As a workaround, remove the definitions from the bigip.conf files on both BIG-IP systems.

Multiple sessions and switchboot to previous version (CR110984)
If you have multiple sessions on a system and you change the active location to a different partition or volume, the first session you use to attempt a connection works to return you to the pre-10.0.0 version. The other browser sessions present different, unexpected results. As a workaround, when you change the active volume or partition and reboot the system, close all other active browser sessions, and reestablish the connection when the reboot finishes.

Configuration utility accessibility (CR111081)
On this version of the software, there is a longer interval between the time you restart the system and the time you can access the browser-based Configuration utility. For example, a typical interval on 9.4.5 software on a BIG-IP 1500 platform was 25 seconds. In 10.0.0, the interval is 95 seconds.

Upgrade and ha actions (CR111495)
This version of the software introduced new ha actions that the upgrade process cannot easily map to previous version's ha actions for daemon heartbeats. If you changed the ha action for a daemon heartbeat, the upgrade process returns the action to the default. After the upgrade installation finishes, you can configure the daemon heartbeat ha actions you want. (In the Configuration utility, you can find the Fail-safe settings on the High Availability screen, available on the System menu in the navigation pane.)

McpIOException exception catalina.out and changing user role in Configuration utility (CR111700)
When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. These messages are benign, and you can safely ignore them.

Password policy disabled and message in ltm log file (CR111848)
If you set the number of required numeric characters for a password, yet you disable password policy checking, when you create a password that is longer than six characters but contains no numbers, the system posts the following message in the ltm log file:

01070366:3: Bad password (operator_common): BAD PASSWORD: needs numeric characters

This message appears only in the log file; it is not presented to the user. This message is spurious, and you can safely ignore it.

Password policy message (CR112076)
When you enable password policy checking, if you create a password that does not meet the password-policy criteria, the system presents a message. The message indicates that the operation failed because the new password is based on a dictionary word, regardless of the reason for the failure. The functionality is correct; only the message is inaccurate.

Setup utility and already configured system (CR112077)
The system requires that you run the Setup utility in the browser-based Configuration utility, even if you have already configured the system using the command line. This occurs because there is a hardcoded requirement for the Setup utility to run at least once. You can prevent the Setup utility from running by running the following command: b db setup.run false.

Node use in partitions (CR112120)
When you create a pool in one partition that includes a node from the Common partition, if the node has no associated screen name, when that node is referenced from a third partition, the system posts the error 01070726:3: A pool may only reference nodes in the same partition or the common partition (xyz_pool:1.1.1.1) and removes the node from the Common partition. The workaround is to add a screen name to the node. To do so, at the command line, issue a command similar to the following example: b node 1.1.1.1 { screen dontremove }

Performance statistics formula display (CR112128)
The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. As a workaround, you can click the Launch button to view the full text.

System shell and mkdisk utility (CR112255)
The mkdisk utility functions only if the system shell, /bin/sh, is bash or a symbolic or hard link to bash.

OpenSSH vulnerability in old SSH clients (CR112411-2)
The version 10.1.0 release contains the new OpenSSH client and server, which addresses the vulnerability Plaintext Recovery Attack Against SSH, reported as CPNI-957037. When an older client connects to the new server, however, a vulnerability exists. If you are still using old SSH clients, you should manually set those clients' cipher lists to include only CTR ciphers. To use only CTR ciphers for the OpenSSH client, the command line must include the following option: -c aes128-ctr,aes192-ctr,aes256-ctr.
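For clients that read their cipher list from an OpenSSH client configuration file rather than the command line, the Ciphers keyword carries the same list. The following is an added example, not part of the release note or F5 tooling, that audits an ssh_config text per Host block against the CTR list above; the sample configuration is constructed, and the per-block check is a simplification that does not resolve how several matching blocks combine.

```python
import re

# CTR cipher list given in the release note for the -c option.
CTR_ONLY = ("aes128-ctr", "aes192-ctr", "aes256-ctr")
SSH_C_OPTION = "-c " + ",".join(CTR_ONLY)

# Constructed sample input (host names and addresses are made up).
SAMPLE_SSH_CONFIG = """\
# constructed sample
Host bigip-mgmt
    HostName 192.0.2.10
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Host legacy-jump
    HostName 192.0.2.20
    Ciphers aes128-cbc,3des-cbc,aes128-ctr

Host lab-*
    User admin
"""


def audit_ssh_config(text):
    """Classify each section of an ssh_config by its Ciphers setting.

    Returns a list of dicts with:
      host      - the Host/Match argument, or "(global)" for leading lines
      status    - "ctr-only", "non-ctr", or "unset" (no Ciphers line, so
                  the client's built-in default list applies)
      offending - ciphers present that are not in CTR_ONLY
    """
    current = {"host": "(global)", "ciphers": None}
    blocks = [current]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or an '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # ssh_config keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            current = {"host": arg, "ciphers": None}
            blocks.append(current)
        elif keyword == "ciphers" and current["ciphers"] is None:
            # First value obtained wins, as ssh does within a section.
            current["ciphers"] = [c.strip() for c in arg.split(",") if c.strip()]

    findings = []
    for block in blocks:
        if block["ciphers"] is None:
            status, offending = "unset", []
        else:
            offending = [c for c in block["ciphers"] if c not in CTR_ONLY]
            status = "non-ctr" if offending else "ctr-only"
        findings.append(
            {"host": block["host"], "status": status, "offending": offending}
        )
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_SSH_CONFIG):
        print(finding)
    print("command-line equivalent:", SSH_C_OPTION)
```

Sections reported as "unset" are the ones to check on old clients, because they fall back to whatever cipher order that client version ships with.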

Installation and message for ntpdate step time server offset (CR112464)
Occasionally during installation, you might see the message ntpdate[12549]: step time server 127.2.0.2 offset 0.474943 sec. The message is benign, and you can safely ignore it.

Firefox 2.x and system memory usage (CR112524)
You can use the Firefox 2.x browser to manage a BIG-IP system. Firefox 2.x has some well-documented memory usage growth-over-time variances, and using Firefox 2.x to access the BIG-IP system is no exception. The workaround is to use Firefox 3.x, or to periodically close the browser session and open a new one.

Port movement warning message and tcpdump on VIPRION (CR112953)
When you start or stop the tcpdump utility on a VIPRION® system, the system logs messages similar to the following entries in the /var/log/ltm file:

slot1/tmm warning pu[24652]: 01230114:4: port movement detected for 00:01:23:45:67:10, vlan tmm_bp - 0.0 to 0.1

These messages are benign, and you can safely ignore them.

Cluster ha state (CR113055)
If you issue the commands b cluster all ha state or b cluster default ha state, the system always returns the result offline. This is because there is no cluster ha state to report. To get the state of a system, you can use the browser-based Configuration utility. The system displays the state at the top of every screen.

Watchdog timeout reboot and copying large files to USB thumb drive (CR113134-6)
Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file:

Dec 10 10:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms)

The workaround is to create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP® Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production to prevent the potential failure from affecting live traffic.

Large number of persistent connections and b persist show (CR113322)
On a system with a very large persistence table (millions of entries), running the command b persist show might cause the system to become unstable or fail over. To obtain an accurate count of persistence entries, use the command tmctl --wrap=100 memory_usage_stat | grep persist. The last column shown represents the current number of persistence records. If you want to show an individual record, you can use the command b persist client <client_addr> show.

TCP profile congestion control settings (CR113431)
On a TCP profile, the Packet Loss Ignore Rate and Packet Loss Ignore Burst settings, which perform congestion control, are not operational for this release. Leave them set to the default value of 0.

Templates and Wizards menu (CR113601)
The Templates and Wizards menu does not change even when templates are not available under the license.

Wildcards in b httpd allow and Configuration utility access (CR113812)
If you use wildcard characters to specify IP addresses in the b httpd allow command, the result is that the system forbids all access to the browser-based Configuration utility. The workaround is to use other forms of specifying IP addresses. For example, b httpd allow 10.10.*.* does not work; instead use a command similar to b httpd allow 10.10.0.0/255.255.0.0.
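Because a wildcard entry locks everyone out of the Configuration utility, it helps to convert an existing allow list before applying it. The following is an added example, not F5 code, that rewrites trailing-wildcard entries into the address/netmask form shown above; the function names are hypothetical, and rejecting non-trailing wildcards and an all-wildcard entry is this example's own policy.

```python
import ipaddress


def wildcard_to_netmask(spec):
    """Convert a dotted IPv4 spec with trailing '*' octets to addr/netmask.

    "10.10.*.*" -> "10.10.0.0/255.255.0.0". Specs without a wildcard are
    returned as a plain address. Raises ValueError for anything that
    cannot be expressed as a contiguous netmask.
    """
    octets = spec.strip().split(".")
    if len(octets) != 4:
        raise ValueError("expected four dot-separated octets: %r" % spec)

    addr, mask, wildcard_seen = [], [], False
    for octet in octets:
        if octet == "*":
            wildcard_seen = True
            addr.append("0")
            mask.append("0")
            continue
        if wildcard_seen:
            # e.g. 10.*.1.* has no contiguous-netmask equivalent
            raise ValueError("wildcards must be trailing: %r" % spec)
        if not (octet.isascii() and octet.isdigit() and int(octet) <= 255):
            raise ValueError("invalid octet %r in %r" % (octet, spec))
        addr.append(str(int(octet)))
        mask.append("255")

    if not wildcard_seen:
        return ".".join(addr)
    if mask[0] == "0":
        # *.*.*.* would permit every source address; make that explicit
        raise ValueError("entry would allow all addresses: %r" % spec)

    result = ".".join(addr) + "/" + ".".join(mask)
    ipaddress.ip_network(result)  # sanity check: parses as a valid network
    return result


def rewrite_allow_list(entries):
    """Return (converted, rejected) for a list of allow entries.

    Entries without '*' pass through unchanged; rejected holds
    (entry, reason) pairs that need a manual decision.
    """
    converted, rejected = [], []
    for entry in entries:
        if "*" not in entry:
            converted.append(entry)
            continue
        try:
            converted.append(wildcard_to_netmask(entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return converted, rejected


if __name__ == "__main__":
    # Constructed sample allow list
    ok, bad = rewrite_allow_list(["10.10.*.*", "192.0.2.5", "10.*.1.*", "*.*.*.*"])
    print("converted:", ok)
    print("rejected:", bad)
```
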

License reactivation and partition setting (CR113919)
If you are in a partition other than Common when you reactivate a license, the system automatically changes the partition to the Common partition. There is no workaround for this issue.

tmm.debug and TCP::collect from SERVER_CONNECTED iRule (CR114167)
Invoking a TCP::collect method from the SERVER_CONNECTED iRule event might cause associated connections to stall and time out when running the tmm.debug daemon. This should not affect typical deployments since the tmm.default daemon behaves as expected in this configuration, and an administrator must explicitly configure the Traffic Management Microkernel (TMM) to use debug mode. Note that you should set TMM to debug mode only when requested to do so by an F5 Technical Support representative. The F5 Networks Technical Support representative will ensure that your system stays stabilized in this mode and will assist you in interpreting the debug output.

Cfm1F5Util error and multiple fipsutil monitor commands (CR114185)
Running the command fipsutil monitor multiple times, followed by a fipsutil reset or fipsutil crash command, leaves the FIPS card in a test-failed state and causes the system to issue messages such as Cfm1F5Util error (line 1335): Library Initialization : 0xffffffff : Undefined Error Code. As a workaround, make sure the system has time to completely process one fipsutil monitor command before issuing subsequent fipsutil reset or fipsutil crash commands. Note that in general, fipsutil reset or fipsutil crash commands are for testing purposes, and you should not use them in typical operations.

Multicast, virtual servers, and route domains (CR114381)
Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain.

License reactivation and the navigation pane License item (CR114587)
Intermittently, reactivating an existing or expired license can show only a License entry in the navigation pane in the browser-based Configuration utility. In most cases, invoking the browser's refresh or reload feature returns the proper content to the navigation pane.

License reactivation and changing partitions (CR114764)
After the system finishes reactivating a license when you are on the full License Summary screen, if you change to a partition other than Common, the system returns you to the Reactivate License property screen.

Reactivate button and partition selection (CR114766)
When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.

b software add and delete commands on partitioned systems (CR115139, CR130414)
Do not use the b software add | delete commands on a partitioned system. Doing so results in access errors on the partitions. For example, if you try to delete an existing partition using the b software delete command, the system posts a failed to delete volumeset error. In this case, run the command b software product none version none build none on the partition. This removes the installation from the partition, and you can install the software again. If you try to add a partition using the b software add command and see a failed to create volumeset error, run the command b software delete on the partition you tried to create. This removes the failed attempt from the Software Status table, so you can try your installation operation again.

Entitlement check failure during installation (CR115236)
If the system fails the entitlement check when you attempt an upgrade, the system posts the following message:

warning: License entitlement check failed. Please reactivate. Cannot continue (use --nvlicenseok to force).

If you then use the --nvlicenseok option to force the installation to continue, the resulting installation completes without a valid license, and you must relicense the system. The error message should actually read:

Software version not covered by service agreement. Reactivate license before continuing.

If you reactivate your license before installing, you can prevent the error.

SSL::respond and CLIENTSSL_CLIENTCERT iRules (CR115328)
You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event. This combination results in a handshake failure, because the CLIENTSSL_CLIENTCERT event happens before the connection is ready for the transmission of user data.

Authentication statistics (CR115521)
The system returns correct authentication profile statistics when profiles are queried individually. However, summaries, such as data returned on the Performance Statistics screen in the browser-based Configuration utility or values reported by the global option in Traffic Management Shell (the tmsh utility), do not properly summarize the cumulative statistics from those profiles, but instead return values of 0 (zero).

TCP Profile Verified Accept setting and optimized connections (CR115565)
On a TCP profile, the Verified Accept setting ensures that the system can communicate with the server before it establishes a client connection. In this release, this setting works fine on Local Traffic Management but has no effect on optimized traffic.

Duplicate users with different partition access and disconnecting user message (CR115670)
If you add a user, either explicitly or by restoring a user configuration set (UCS) file that contains the user, and that user has different access or role settings, the system reports an error similar to the following message:
Nov 6 09:02:08 slot4/p4-019 err mcpd[3533]: 0107082a:3: Disconnecting user yyy2 on change of user role data (partition:Common->PartitionOne).

This is a benign message, and you can safely ignore it.

MTU setting for VLANs (CR115736)
The system does not honor the Maximum Transmission Unit (MTU) value for VLANs. To get the value to persist, delete the VLAN first, then recreate it with the settings you want. After the configuration is saved, the settings persist. Otherwise, the system uses the default MTU value of 1500.

Blade changes between versions (CR115774)
If you move blades between a chassis running software version 9.6.x and a chassis running 10.x, the 10.x system might report incorrect volume information on the blade that came from the 9.6.x chassis. F5 Networks does not recommend switching blades between chassis running differing versions of the software.

Incorrectly expired persist entries on standby system (CR115916)
There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record.

USB1.1 CD-ROM Drives and the BIG-IP 8900 platform (CR116108)
USB1.1 CD-ROM Drives are not supported on the BIG-IP 8900 platform.

Verified Accept option in TCP profile help (CR116118)
The Verified Accept option is missing from the TCP profile online help. On a TCP profile, the Verified Accept setting ensures that the system can communicate with the server before it establishes a client connection.

Hash profile and http_wan-optimized-compression profile (CR116124)
When you use both the Hash Persistence profile and the http_wan-optimized-compression HTTP profile, operations fail if you set the Hash Length and Hash Buffer Limit values in the Hash profile to 1000. To work around this issue, set the Hash Length and Hash Buffer Limit values to 100. Note that this workaround does not correct the issue on VIPRION® systems. For this issue, do not combine these profiles in configurations on VIPRION platforms.

Pass-phrase-protected certificates on VIPRION platforms (CR116238)
This release does not support the use of pass-phrase-protected certificates on VIPRION® systems.

CompactFlash and failed to install message (CR116929)
Because the CompactFlash® media drive is not a valid installation target, the system should prevent you from selecting it. However, this version of the software allows you to target a CompactFlash drive. If you accidentally installed to the CompactFlash drive, the system posts a failed to install state for the CompactFlash drive. The workaround to return to the original state is to issue the command bigstart restart lind on the command line.

Route domains and Global Traffic Manager (CR117427)
In this version of the software, you cannot use Global Traffic Manager to monitor or send traffic to any virtual servers that are in a route domain. Therefore, Global Traffic Manager is not supported to run on a Local Traffic Manager system that is using route domains.

Route domains and the advanced routing modules (ZebOS) (CR117428)
If you are using the ZebOS® advanced routing modules, it is important to consider the following:

  • Dynamic routing is supported on interfaces in the default route domain. The advanced routing modules cannot access interfaces, self IP and virtual addresses, and static routes in non-default route domains. A static route is considered as belonging to a non-default route domain if either the destination or the nexthop gateway address belongs to a route domain other than the default route domain.
  • All routes learned by way of dynamic routing protocols are inserted into the routing table for the default route domain only.
  • With respect to advertising routes, virtual addresses, or self IP addresses to other routers, the advanced routing modules advertise only those routes or addresses that are in the default route domain. As previously stated, the advanced routing modules are not aware of routes or addresses in other route domains.

Route domains and IPv6 (CR117429)
The route domains feature does not support IPv6-formatted IP addresses in this version of the software.

Route domains and diagnostic utilities (CR117430)
Some command line diagnostic tools, such as curl and traceroute, do not work with route domains.

Route domains and custom monitors (CR117431)
Custom monitors that are not IPv6 aware (for example, EAV (Extended Application Verification) monitors) do not work with route domains.

Version 9.4.7 installation on system also containing 10.x (CR117480)
There is the possibility of a failed version 9.4.7 installation when installing on a system that also contains version 10.x software. When the failure occurs, the last three lines in the /var/tmp/install/session.log file are:

   install.error: An installation error has occurred; code 130
   install.debug: Session ended
   install.error: Critical failure; no fallback possible.

To work around the issue, you can install the software using the PXE or thumb drive methods.

SFP and SFP plus speeds (CR115798)
The small form-factor pluggable (SFP) ports on BIG-IP 8900 platforms are 10Gbps-only ports. On a BIG-IP 8900 platform, a SFP plus can operate at 1Gbps speed in an SFP slot, but SFP modules do not operate at 1Gbps speeds in an SFP plus slot.

sshd include and system access (CR117359)
Do not use the b sshd include parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk.

Highlight movement on initial key press (CR117809)
If you run the grub_default -d command to view the boot configuration information of the grub.conf file, the initial arrow key press moves the menu selector highlight two spaces instead of one. After the initial key press, the arrow keys operate normally (meaning that if you press an arrow key once, the highlight moves one space in the arrow direction).

Enterprise Manager and BIG-IP software version 10.0.0 (CR118049)
Enterprise Manager software versions 1.2, 1.4, 1.6, and 1.7 do not support BIG-IP system software version 10.0.0. There is no workaround for this issue.

Amber Alarm LED (CR118217)
The front panel Alarm LED turns amber within approximately 60 seconds after initialization on a TMOS®, BIG-IP® 6900, or BIG-IP 8900 system. This is the result of the system treating an informational message, Unit Going Active, as a warning. There is no error/warning condition present, and you can clear the Alarm LED by pressing the Check key twice on the LCD panel.

Blade swap and VLAN MAC addresses (CR119247-1)
When you swap a blade to the same slot in a different VIPRION® chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of.

Message err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7 (CR120321)
After installing, you might see a message similar to the following in the ltm log file: Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7. This message is benign, and you can safely ignore it.

Multi-drive systems and sparedisk (CR120550)
This version of the software supports systems with multiple drives using the RAID disk management operations. We have not removed the sparedisk utility, which was included in version 10.0.1 to support operations on multi-drive systems. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems. For related issues, see known issue Multiple disk drives and sparedisk -m (CR127003).

--nomoveconfig and loss of database configuration (CR120190-2, CR127965-2)
Do not use the --nomoveconfig option with the image2disk command (or the db variable LiveInstall.MoveConfig set to disabled) for systems with existing installations of Application Security Manager. Doing so removes all content from the associated database. Instead, you should ensure that the configuration on the installation source matches the one on the installation destination. To do so, save the UCS configuration file on the location you want to preserve, and apply that configuration to the destination before beginning the installation operation. Perform the following steps.

  1. Boot into the location containing the configuration and database you want to preserve.
  2. To save the existing configuration and database, run the command bigpipe config save <your_ucs_file>.
  3. Copy the .ucs file to a secure, remote location.
  4. Boot into the location you want to update.
  5. To move the configuration and database to the target installation location, run the command bigpipe config install <your_ucs_file>.
  6. Install or upgrade the software using procedures described in Installing the Software.

Roll forward from 9.x and Application Security Manager and Global Traffic Manager (CR120828)
When you roll forward a 9.x user configuration set (UCS) file that is configured for Application Security Manager and Global Traffic Manager, provisioning for Global Traffic Manager is not enabled. To enable Global Traffic Manager using the browser-based Configuration utility, in the navigation pane, expand System, and click Resource Provisioning. In the Module Resource Provisioning section, select the provisioning level you want from the Global Traffic (GTM) and Link Controller (LC) drop-down lists.

Neighbor Solicitation messages and IPv6-formatted addresses (CR120842)
When you have an IPv6-formatted IP address, and a node sends a Neighbor Solicitation message whose hop limit is not equal to 255, the system should ignore the message; however, it fails to ignore it. There is no workaround for this issue.

mysql database volume and deprovisioning (CR120943)
If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the Ask F5 Knowledge Base.

Second hard disk on the 8900 and version 10.0.0 (CR121134)
The 8900 platform comes with version 10.0.1 installed on both hard drives. If you decide to downgrade to version 10.0.0, the software installs correctly. However, the version 10.0.0 software management scheme was not designed to work with a second hard drive. If you downgrade to version 10.0.0 on the second hard drive, do not operate on the second hard drive using the b software commands or the Software Management screens in the browser-based Configuration utility.

Delete all VLANs using iControl and blade errors (CR121237)
Using iControl to delete all VLANs causes the primary blade on a VIPRION® system to go offline. To work around this condition, use the iControl Networking.VLAN.delete_vlan function to delete each individual VLAN. If your system is already in this condition, reboot the blade or issue a bigstart restart command on the affected blade.

Sensor check fan speed data (CR121475)
In this release, the command b platform may report fan speeds as high as 19 KB RPM on some BIG-IP 1600 and BIG-IP 3600 units. Also, if a fan is malfunctioning, the command system_check -D may report incorrectly that the fan is properly functioning. To get correct fan speed and temperature readings for these units, you can use the End User Diagnostics (EUD) software.

Static ARP entries and configuration load (CR122160)
If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.

warning process `<processname>' is using deprecated sysctl (syscall) (CR125534)
Depending on what processes run after restarting the system, you might see the following error message: warning process `<processname>' is using deprecated sysctl (syscall) net.ipv6.neigh.tmm0.base_reachable_time; Use net.ipv6.neigh.tmm0.base_reachable_time_ms instead. This is a benign message, and you can safely ignore it.

Deprovisioning modules and system performance (CR125790)
After deprovisioning modules, the system might run sluggishly or respond slowly to commands. The system returns to a normal operational state after approximately 1 minute if you leave the system to recover, or approximately three minutes if you run commands during this time. The slow response time occurs while the system recovers virtual memory after a deprovisioning operation.

Rule stats counters and iRule suspension (CR125800)
The iRule statistics counters inaccurately report an inflated number of iterations of an iRule when an iRule event suspends. There is no workaround for this issue.

Client requested TCP MSS and PVA10 hardware-syn-cookie enabled systems (CR126842-1)
On platforms equipped with Packet Velocity® application-specific integrated circuit (ASIC) version 10 (PVA10), specifically the BIG-IP 8400 and BIG-IP 8800 platforms, client-requested TCP maximum segment size (MSS) may not be honored if the PVA10 is in hardware syn-cookie mode. This can result in a larger-than-requested MSS being set with the back-end server, causing the server packets to be dropped before reaching the client. This problem occurs because of a problem in the PVA10 hardware. To avoid this problem, disable hardware syn cookies by setting the connection threshold to 0 (zero) by running the following command: b db Pva.SynCookies.ConnectionThreshold = 0 on the system command line.

MD5 and default SSL ciphersuites (CR126857)
The F5 Networks default set of SSL ciphersuites for negotiation with SSL-enabled virtual servers currently includes Message-Digest algorithm 5 (MD5). MD5 cipher weaknesses are documented widely, and use of the algorithm itself is not recommended (http://www.kb.cert.org/vuls/id/836068). In the future, F5 Networks might modify the set of SSL ciphersuites to exclude MD5. Until this occurs, however, you can proactively disable applicable SSL cipherlists by appending the text :!MD5 to the present value of an SSL profile's cipherlist attribute, for example, DEFAULT:!MD5.

tcpdump and packets on PB100 and PB200 (CR126976)
If you run the tcpdump utility from a PB100 blade on a VIPRION® chassis containing a mix of PB100 and PB200 blades, the process does not show packets from the PB200 blades. To work around this issue, run the tcpdump operation from the PB200 blade.

Multiple disk drives and sparedisk -m (CR127003)
Although you should not use the sparedisk utility in this version of the software (see known issue Multi-drive systems and sparedisk (CR120550)), we have not removed the utility from the software. If you run the command sparedisk -m, the system marks an active disk as a spare disk without notice or warning. Changing the active disk to a spare can result in an unstable disk situation. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems.

b load and clock advance on 1600, 6900, and 8900 platforms (CR127123)
Every time you run a b load command on 1600, 6900, and 8900 platforms, the system posts a message similar to the following example: local/tmm3 notice tmm3[19557]: 01010029:5: Clock advanced by 112 ticks. This message is a diagnostic message only, so you can safely ignore this message.

User accounts with custom home directories and upgrading (CR127332)
As of version 10.1.0, the system no longer supports user accounts with custom home directories. If you upgrade a configuration containing user accounts with custom home directories, after reboot, the system becomes inoperative because it cannot load the configuration. You can prevent the issue before upgrading by running the following command to change the user's home directory, or you can run the command after upgrading to recover from the error condition:

  tmsh modify auth user <name> home-dir /home/<name>

No configuration and running image2disk (CR127435)
When you run the image2disk utility from the Management Operating System (MOS) of a system, the process has no active configuration to use for installation, so the operation halts with an error:

  error: No configuration found in HD1.1 (location looks empty).
  Use '--nosaveconfig' if appropriate.


To work around this issue, run the command again, and specify the --nosaveconfig option.

Weighted Least Connections (Node) and connection limits (CR127754)
When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. In this release, you must use the following process to accomplish this.
 

  1. Create a pool that uses the Weighted Least Connections (Node) load balancing method.
  2. Navigate to the Local Traffic :: Nodes :: Node List (create) screen to explicitly create the node entries for the pool members.
  3. For each node, specify a value other than 0 (zero) in the Connection Limit box.
  4. Return to the pool configuration screen by clicking its link in the Local Traffic :: Pools :: Pool List.
  5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step.

If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error.

CF drive and 10.x installation (CR127803)
When you view the Software Management List screen or the result of the b software desired show command, you might see the CF designation that represents the CompactFlash® drive listed as a possible installation destination. 10.x installation is not supported on the CF drive, so do not select it as an installation target. This happens only on systems with drives using the partitioning formatting scheme.

Drive processing and recovery operations (CR127971)
When a drive is replicating or being added or removed in the Management Operating System (MOS), the md operation outputs all its status to the terminal, which can make it difficult to perform recovery operations, such as removing or adding a drive. The workaround is to wait for the replication operation to complete before performing recovery operations.

RADIUS, Diameter, or SIP virtual servers and load balancing (CR128272)
When you specify any method other than Round Robin for load balancing traffic from virtual servers configured with RADIUS, Diameter, or SIP profiles, you can see unexpected results, such as the system sending most of the traffic to only one pool member. To work around this issue, use the Round Robin load balancing method with virtual servers configured with RADIUS, Diameter, or SIP profiles.

Provisioning statistics on a multi-disk system (CR128600)
Provisioning statistics shows the size on only one physical disk. To find the size of your datastor on a multi-disk system, review the output of running the command b datastor list all. As a general rule, if you have two disks installed, the cache is always double the size indicated in the provisioning statistics.

Insufficient disk space and provisioning failure (CR128875)
If you perform an operation that requires loading the configuration on a volume that has insufficient disk space to contain it, the operation fails at the module-provisioning step. Depending on the modules you provision and the space available, the failure might occur when rolling forward a configuration at installation, running bigpipe config install <config.ucs>, or provisioning modules in a command line operation. When the provisioning failure occurs, the system logs a message in the /var/log/ltm file: 01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. <nnn> MB are required to provision these modules, but only <nnn> MB are available.' To recover, free up sufficient disk space by removing unneeded volumes using the command: bigpipe software desired HDn.n delete, and then try the operation again.

Linux accounting shows new TMM scheduler overhead (CR129216)
We have changed from using a Linux 2.4 kernel to a Linux 2.6 kernel. This has resulted in a difference in how Linux accounting reports CPU usage. Linux accounting shows CPU spikes even when the Traffic Management Microkernel (TMM) is lightly loaded. These spikes represent artifacts, and you can safely ignore them.

b platform temperature output on the 3600 and 3900 platforms (CR129458)
The output of the b platform command incorrectly refers to the 3600 and 3900 platforms as a blade. Specifically, the output reads BLADE TEMPERATURE (slot/sensor) instead of CHASSIS TEMPERATURE. The error is cosmetic only.

org.apache.log4j.Appender exception in catalina.out and dialog box display (CR129674)
When the Configuration Utility restarts, the system writes the following messages to catalina.out:

  log4j:ERROR A "org.apache.log4j.ConsoleAppender" object is not assignable to a "org.apache.log4j.Appender" variable.
  log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
  log4j:ERROR [org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type
  log4j:ERROR "org.apache.log4j.ConsoleAppender" was loaded by [WebappClassLoader


These messages are benign, and you can safely ignore them.

Idle timeout preference and httpd errors (CR129698)
When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example:

  err httpd[6246]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0
  err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket)
  warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!?
  warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377)
  err httpd[6379]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0
  warning httpd[3064]: [warn] long lost child came home! (pid 6239)


These messages occur primarily as a result of the process restart, and you can safely ignore them.

TCP and MD5 signatures (CR129710)
Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. Enabling MD5 signatures allows the MD5 signature to be validated when it is present.

Unrecognised md component device message (CR129711)
At system startup, you might see messages similar to the following examples:

  mdadm: Unrecognised md component device -
  /dev/mapper/vg--db--sda-mdm.app.wom.dat.datastor
  mdadm: Unrecognised md component device -
  /dev/mapper/vg--db--sdb-mdm.app.wom.dat.datastor


This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. No adverse result occurs, and you can safely ignore these messages.

Display Host Name option and route domain % notation (CR129786)
When you enable Display Host Names when Possible in System :: Preferences, and then display objects whose addresses exist in a route domain other than 0, the address might display with the % notation on some screens in the browser-based Configuration utility. There is no workaround for this issue.

tmsh and NTLM profile edit (CR129836)
There is no edit capability for the NTLM profile in the tmsh utility. There is no workaround for this issue.

Command line and Configuration utility handling of the diameter monitor origin host value (CR130058)
The command line allows you to specify a value such as www.f5.com for the diameter monitor's origin host attribute. The browser-based Configuration utility, however, expects this value to be in dotted-quad format (for example, 10.10.10.10). So that the configuration can load without error, specify the value in dotted-quad format.

mcpd warning messages and removing auth/pam.d files manually (CR130468)
In the ltm.log file, you might see mcpd warning messages similar to the following example: warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually. When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them.
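Several known issues in this release note identify log messages by message ID and state whether they are benign or need action. The sketch below filters log lines against those IDs so that the documented noise does not hide other errors. It is an added example, not F5 tooling: the function names, the matching rule (ID plus a fragment of the documented text) and the last two sample lines are assumptions constructed for illustration.

```python
import re

# Message IDs and dispositions taken from the known issues on this page.
# Each rule requires the ID *and* a fragment of the documented text, so a
# suppression never reaches further than the release note's own wording.
KNOWN_MESSAGES = {
    "0107082a": ("benign", "CR115670", "Disconnecting user"),
    "013a0004": ("benign", "CR120321", "Error deleting cluster mgmt addr"),
    "01010029": ("benign", "CR127123", "Clock advanced by"),
    "01070156": ("benign", "CR130468",
                 "Could not remove file /config/bigip/auth/pam.d/"),
    "01071008": ("action", "CR128875", "Provisioning failed"),
}

# <8 hex digits>:<severity digit>: <text>
MSG_ID = re.compile(r"(?<![0-9a-f])([0-9a-f]{8}):(\d):\s*(.*)$", re.IGNORECASE)


def classify(line):
    """Return (disposition, cr) where disposition is 'benign', 'action'
    or 'review'. Anything not documented on this page is 'review'."""
    match = MSG_ID.search(line.rstrip("\n"))
    if not match:
        return ("review", None)
    code, _severity, text = match.groups()
    rule = KNOWN_MESSAGES.get(code.lower())
    if rule and rule[2] in text:
        return (rule[0], rule[1])
    return ("review", None)


def triage_log(lines):
    """Group lines by disposition; each item is (cr, original_line)."""
    buckets = {"benign": [], "action": [], "review": []}
    for line in lines:
        disposition, cr = classify(line)
        buckets[disposition].append((cr, line))
    return buckets


SAMPLE_LINES = [
    # The first four lines are quoted from this release note.
    "Nov 6 09:02:08 slot4/p4-019 err mcpd[3533]: 0107082a:3: Disconnecting "
    "user yyy2 on change of user role data (partition:Common->PartitionOne).",
    "Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error "
    "deleting cluster mgmt addr, HAL error 7.",
    "local/tmm3 notice tmm3[19557]: 01010029:5: Clock advanced by 112 ticks.",
    "warning mcpd[3002]: 01070156:4: Could not remove file "
    "/config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually.",
    # Constructed: timestamp, host and sizes are placeholders.
    "Dec 1 10:00:00 local/bigip1 err mcpd[3002]: 01071008:3: Provisioning "
    "failed with error 1 - 'Disk limit exceeded. 2048 MB are required to "
    "provision these modules, but only 512 MB are available.'",
    # Constructed: same ID as CR130468 but a path the note does not cover.
    "Dec 1 10:00:05 local/bigip1 warning mcpd[3002]: 01070156:4: Could not "
    "remove file /config/example/placeholder. Please remove this file manually.",
]

if __name__ == "__main__":
    result = triage_log(SAMPLE_LINES)
    for disposition in ("action", "review"):
        for cr, line in result[disposition]:
            print(f"[{disposition}] {cr or '-'}: {line}")
    print(f"suppressed as documented-benign: {len(result['benign'])}")
```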

Client timeout when CER sent before ACR (CR130582)
When the following series of events happens, the client system can perceive the BIG-IP system as unresponsive, and eventually the connection times out as a result of reaching the TCP timeout interval. The series of events is as follows:

 - client1 sends a Capabilities-Exchange-Request (CER) command.
 - server1 responds with a Capabilities-Exchange-Answer (CEA) command.
 - client1 sends an Accounting-Request (ACR) command.
 - The BIG-IP system sends the connection to server2 (that is, the BIG-IP system sends a CER to server2 first, before it sends an ACR).
 - server2, however, responds with CEA result-code 5010 (that is, there are no common applications supported between the peers), so the BIG-IP system deletes the connection with server2.
 - client1 continues to wait for a response to its ACR.
 - The BIG-IP system has no response for client1, however.
 - Eventually, the client1 connection may be closed because the connection reaches the TCP timeout.

RAMCACHE, IPV6, and SSL Compression and Licenses screen placement (CR130639)
RAMCACHE, IPV6, and SSL Compression were added by default to the base Local Traffic Manager license in the version 10.0.0 software release. The feature flags are enabled and the system reports them when you run the b version command. However, on the 1500, 3400, and 6400 platforms, the system displays these features in the Optional Modules section of the License screen in the browser-based Configuration utility.

Command line messages and removed drives (CR130662)
In a multi-drive system, if a drive fails or is suddenly removed from the unit, the system retains knowledge of the drive, so you might see messages like:

  info: /dev/vg-db-sdb/mdm.dat.share: read failed after 0 of 4096 at 0: Input/output error
  err kernel: scsi 1:0:0:0: rejecting I/O to dead device.


These messages appear on the screen if you are connected using a serial console, or in the kernel log file if you are connected through SSH. To completely eliminate these messages, you can reboot to clear the system's knowledge of the removed drive.

Failure booting from 10.1.0 to pre-10.1.0 installation locations on multi-drive systems (CR130702)
When you have versions 10.0.x and 10.1.0 simultaneously installed on a multi-drive system, booting from a 10.1.0 to a 10.0.x location sometimes fails. This is due to a constraint in logical volume management (LVM) for the version 10.0.x software. To prevent this issue, reduce the number of installation locations before rebooting to versions earlier than 10.1. You should have only two HDn.n installation locations or one MDn.n installation location in addition to the pre-10.1.0 installation location. To remove installation locations, run the command bigpipe software desired HD1.n delete.

Duplicate MODULE-COMPLIANCE in F5-BIGIP-COMMON-MIB.txt (CR130720)
There is a duplicate MODULE-COMPLIANCE section in the F5-BIGIP-COMMON-MIB.txt file. You can correct this error by editing the file to remove the duplicate entry. This might be difficult, because the /usr file system is read-only, which makes /usr/share files hard to edit. However, you can still edit the file by changing the fstab and rebooting.

LED status change and replication (CR130798)
On a multi-drive system, if the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. This is a cosmetic issue only, and has no effect on functionality.

Profile create or edit and the all-properties option (CR130844)
When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, all properties become custom; that is, profile properties no longer inherit parent settings. The workaround is to use the tmsh utility create and modify command operations. When you do so, the system preserves the profile's property inheritance.

WAN Optimization Module on multi-drive systems (CR130846)
If you have WAN Optimization Module provisioned on multi-drive systems, and you use the command array --remove or tmsh modify sys raid array MD1 remove to remove a drive, the system removes all but the datastor volume on the removed drive. If you then try to add the drive back, the operation fails. To work around this issue, deprovision the WAN Optimization Module, and then run the array --add or tmsh modify sys raid array MD1 add to add the drive back. Then you can provision WAN Optimization Module back to its original setting.

Handle to cpmirror.dat.share and installation (CR130881)
On install completion to a multi-drive system, you might see these messages:

  error: close request on non-existent handle
  warning: boot entry st.eud does not exist
  info: Installation succeeded.
  Handle to cpmirror.dat.share was never released.


These messages are benign, and you can safely ignore them.

Dynamic ARP entries for different route domains (CR130902)
If you are in the tmsh utility, you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run util bigpipe arp <args...> at the tmsh command line.

Garbage characters on console with different baud rate on host and AOM (CR131108, CR132835)
The serial console baud rate of systems with Always-On Management (AOM) (1600, 3600, 3900, 6900, and 8900 platforms) can be corrupted if you install using a serial console baud rate other than 19200. When the corruption occurs, you see garbage characters on the serial console. To prevent this issue, change the baud rate to 19200 before installing. When the reboot after installation is complete, you can set a different baud rate.

LCD and baud rate changes (CR131168)
In this release, when you use the LCD to change from a higher baud rate down to 19200, the host serial console can become garbled, while Always-On Management (AOM) displays correctly. To recover, reboot the system. Note that you can successfully change baud rates for the host from low to high using the LCD, and output is not garbled.

Firefox and Internet Explorer behavior and new SSL certificate after installation or upgrade (CR131188)
When you complete a new installation, the Firefox browser may not recognize the SSL certificate. When this occurs, the browser-based Configuration utility posts the message Please wait while this BIG-IP device reboots, shutting down device. The page then spins indefinitely and never returns. This behavior is specific to the Firefox browser: when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. The issue happens only when doing a fresh install. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft® Internet Explorer® browser posts an accept-certificate dialog box when you restart the system.

switchboot operations with more than six volumes (CR131256)
The text-display mode for the switchboot utility supports a maximum of six volume locations. To boot to a location higher than volume six, you can use the switchboot -b option on the command line.

Multi-disk systems and redundancy (CR131293, CR132984)
If you remove a disk while the power is off, turn the system on and then off, replace that same disk, and then turn on the system, the software lists the disk as being part of the array, but none of the disk volumes are actually redundant. Instead of correctly marking the disk as failed, however, the system reports its status as ok. The indicator of this condition is an uneven t/s/r count for the disk, as reported in the output of the array command. Here is an example:

  [root@localhost:ACTIVE] config # array
  bay name t/s/r count state serial number
  --- ----- --------- --- -------------------
   1  HD2  14/14/0  ok  WD-WCAT19198978
   2  HD1  13/13/0  ok  WD-WCARW3483890


In this case, the disk in bay 1 is properly formed, but the disk in bay 2 is not a complete copy. For this example, you perform the following steps to recover the disk in bay 2:

  1. Run the command array --remove HD1 to remove the disk.
  2. Run the command array.
  3. When the system reports the disk in bay 2 as undefined, run the command array --add HD1 to add the drive.

The system builds the newly added disk in bay 2 as a mirror of the disk in bay 1.
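The check described above, scripted as an added example (not part of the release note or any F5 tooling): it reads text in the format of the array output shown and lists disks whose t/s/r count differs from the rest, then prints the three recovery commands without running them. It assumes the disk with the highest count is the complete copy, as in the example; the function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not F5 tooling.

# The `array` output from the release note example (bay 2 is incomplete).
page_example() {
    cat <<'EOF'
bay name t/s/r count state serial number
--- ----- --------- --- -------------------
 1  HD2  14/14/0  ok  WD-WCAT19198978
 2  HD1  13/13/0  ok  WD-WCARW3483890
EOF
}

# Constructed sample: both disks report the same count (placeholder serials).
healthy_example() {
    cat <<'EOF'
bay name t/s/r count state serial number
--- ----- --------- --- -------------------
 1  HD2  14/14/0  ok  SERIAL-PLACEHOLDER-1
 2  HD1  14/14/0  ok  SERIAL-PLACEHOLDER-2
EOF
}

# Read `array` output on stdin and print one line per disk whose t/s/r count
# differs from the reference disk. The state column is printed as well,
# because the issue is that an incomplete disk still reports "ok".
# Assumption: the reference is the disk with the highest count (first number,
# then second number), matching the single example in the release note.
find_uneven_disks() {
    awk '
        BEGIN { best = -1 }
        # Data rows: numeric bay in field 1, a/b/c count in field 3.
        # Prompt, header and separator lines do not match and are skipped.
        $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ {
            n++
            bay[n] = $1; name[n] = $2; tsr[n] = $3; state[n] = $4
            split($3, part, "/")
            rank = part[1] * 100000 + part[2]
            if (rank > best) { best = rank; ref = $3 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (tsr[i] != ref)
                    printf "%s bay=%s t/s/r=%s state=%s\n", name[i], bay[i], tsr[i], state[i]
        }
    '
}

# Print (never execute) the recovery steps from the release note for each
# flagged disk, so an operator can review them before typing them.
recovery_plan() {
    find_uneven_disks | while read -r name bay _rest; do
        printf 'array --remove %s\n' "$name"
        printf 'array    # repeat until bay %s is reported as undefined\n' "${bay#bay=}"
        printf 'array --add %s\n' "$name"
    done
}

# Demo on the embedded sample. On a BIG-IP system: array | find_uneven_disks
page_example | recovery_plan
```
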

Installation and process lock (CR131317)
If you encounter an installation operation that fails with a final error failed to install because of a process lock, retry the operation.

SCF file import and VLAN creation error (CR131332)
When you import a single configuration file (SCF file) that contains VLANs of the same name but in different administrative partitions, the operation fails with a BIGpipe unknown operation error. To work around this issue, before installing an SCF file, run the b import default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.

image2disk utility from version 9.4.5 (CR131343)
The version of the image2disk utility that shipped with version 9.4.5 does not support the --format option. You can install a new version of the image2disk utility from a version 10.x ISO. First, to uninstall the version of the utility that shipped with 9.4.5, run the command rpm -e tm_install-2-1.0.96.0. The command removes the utility, but posts no message at completion. Then, to install a new version of the utility, run the command im /var/tmp/<iso_file>. For more information, see SOL10702: The image2disk utility that shipped with BIG-IP version 9.4.5 does not support the --format option.

Multiple reboots starting a blade on clustered systems (CR131363)
Occasionally, when starting a blade, the clusterd process may request a reboot for time synchronization an additional one to three times in a row. This happens only to blades that have yet to fully join the cluster and so are not passing traffic. The net effect is to delay that blade joining the cluster for a few minutes.

diskinit and sfdisk error (CR131441)
If you run the diskinit utility with no arguments, and then run the diskinit utility again with options or run the image2disk utility without rebooting, the operation fails and posts an error similar to the following message:

error: sfdisk failed; bc_ratio=8032.58652549568, total_KiB=160836480, total_cyl=20023

To work around this error, you must have console access to the system, either through a console server or directly through the serial connection. Once you boot into the MOS, you lose connection with the system. At the command line, type mosreboot to reboot into the Maintenance Operating System (MOS). Once the reboot is complete, you can reformat the disk by typing diskinit --style [volumes|partitions], or you can install using the appropriate image2disk commands.

VIPRION source port mismatch between host and tmm for TCP MD5 authentication for BGP (CR131470)
Enabling TCP MD5 authentication of TCP connections for BGP on VIPRION® systems might extend the time required for BGP sessions to be established. It may also cause the BGP graceful restart to fail after the primary location changes, because of the timeout condition. This causes temporary loss of BGP peering and deletion of routes learned and advertised through BGP, and results in temporary traffic disruption. We do not recommend using TCP MD5 authentication for BGP on the VIPRION system.

VLANs and default route domains in administrative partitions (CR131475)
If you create VLANs in an administrative partition other than Common, but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0. If you later change the default route domain of that partition, the VLAN stays in its existing route domain, unless the VLAN has a self IP address or virtual IP address assigned to it. In that case, the VLAN moves to the new default route domain.

fipskey errors after mcpd startup (CR131544)
If you restart the mcpd process and try to create a FIPS key, the operation occasionally fails with the message Key generation failed: error 11 - Would overwrite file. To work around this, restart mcpd and try the operation again.

Inband monitors on Fast L4 virtual servers and PVA acceleration (CR131555)
On a system using Packet Velocity® application-specific integrated circuit (ASIC) version 2 (PVA2) and version 10 (PVA10), specifically the 3400, 6400, 6800, 8400, and 8800 platforms, if you configure an inband monitor on a virtual server configured for Fast L4 traffic, the Traffic Management Microkernel (TMM) never receives the traffic necessary to mark pool members up or down. You can work around this issue by setting Fast L4 Profile option PVA Acceleration to Assisted on these platforms.

iRule NAME_RESOLVED event and suspension (CR131760)
Using an iRule command that suspends operation (for example, after, table, and persist), in a NAME_RESOLVED event causes the iRule to never resume. The workaround is to use the RESOLV::lookup command that suspends operation until resolution, and then returns the lookup result inline.

10.1.x to 9.4.x downgrade on 8400 or 8800 platforms (CR131632)
If you have 10.1.x installed on an 8400 or 8800 platform and plan to downgrade to 9.4.x, you must net-boot, or boot from removable media. Using the direct installation method results in a failed operation, and the system hangs at logon time.

Top browser banner info blank and installation or upgrade (CR131880)
You might see an intermittent blank top banner in the browser-based configuration utility after an upgrade or installation operation. This might be especially likely when you use Microsoft® Internet Explorer® version 7 on a VIPRION® system, and you leave the browser window open between the end of installation and the completion of the reboot operation. In this case, when you log on, the top banner is blank. You can use the browser refresh operation (F5 or Ctrl+F5) to redisplay the banner correctly.

image2disk --format=partitions and --noarray options and system problems (CR131945)
Do not use the --noarray and --format=partitions options together in an image2disk operation. If you do, the system becomes nonfunctional. If you want partitions, use the --format=partitions option without the --noarray option. If you want volumes on a single disk of a multi-disk system, you can use image2disk with the --format=volumes and --noarray options to accomplish the result.

SFP+ on SFP ports on VIPRION systems with Puma I blades (CR131999)
The software does not support running small form-factor pluggable (SFP)+ on SFP ports on VIPRION® systems that contain PB100 blades, even if the ports are running at 1 GB. Although the system does not prevent you from doing so, and you might find such a configuration functional, we neither support nor recommend running in this configuration.

Operation suspension during installation (CR132270)
When you run the command b software desired to install the software and then watch the output of bigpipe software status on the command line, or the progress bar in the Configuration utility, you might notice that progress suspends for approximately three minutes when the operation reaches 10% complete, and again for approximately 1 minute at 100%. These pauses are part of the normal operation of the installation process, and you can safely ignore the suspended activity.

Edit of multi-line alias command with nano command line editor (CR132382)
If you use the nano command line editor to edit a multi-line alias command, the operation fails unless you have enabled long line wrap in the nano editor. If the alias is only one line long, the operation works successfully. To enable long line wrap in nano, press Esc+l (the lowercase letter "L," not the number "one"). For more help, see the help for the nano editor. You can also use the vi editor to edit multi-line alias commands.

UDP virtual server disable or enable and incompatible profiles (CR132444)
If you have a virtual server configured to use the UDP protocol and a Client SSL profile, when you try to disable or enable that virtual server from the Virtual Server List screen in the browser-based Configuration utility, the system posts the error message 01070095:3: Virtual server <vs_name> lists incompatible profiles and leaves the virtual server unchanged. To disable or enable a virtual server configured in this way, use the Virtual Address List instead. From the Virtual Server List screen, click the Virtual Address List tab, check the box associated with that virtual server, and then click Disable or Enable.

Batch transaction and modify cli admin-partitions command (CR132465)
Do not issue the command modify cli admin-partitions while the system is completing a batch mode transaction. If you do, you might encounter a problem that you can remedy by pressing Ctrl+C. Otherwise, the operation eventually times out. You can review content returned when running the command help cli transaction for information on how to remove the admin-partitions command from the transaction.

b load and pool members with port numbers of 63, 66, 172, 211, 564, and 629 (CR132482)
A b load operation fails when pool members are configured with port numbers 63, 66, 172, 211, 564, and 629. The workaround is to use numbers other than these for pool member port configuration. You can also disable the bigpipe utility from converting service names by running the command bigpipe db bigpipe.displayservicenames false.

Value 1 for import save and importing (CR132580)
If you set the import save value to 1 and import a single configuration file (SCF), the import operation halts and does not resume. To work around this issue, set the import save value to 2 or more.

Suspended iRule commands and changing iRule assignments on virtual servers (CR132598)
When you change assignments of iRules to a virtual server, if the iRule has any commands that might suspend operation (for example, after, table, and persist), those pending commands might evoke a system restart when the newly assigned iRule goes into effect.

External connections and SCCP version 12.0.8.4.0 on certain platforms (CR132691)
On the 1500, 3400, 3410, 4100, 6400, 6800, 8400, and 8800 platforms, you cannot establish an outgoing connection from the SCCP using SCCP version 12.0.8.4.0, the version of the SCCP that ships with the 10.1.0 software. To work around this issue, use SCCP version 12.0.6.5.0, the version that ships with version 9.4.8 software.

Upgrade to 10.1.0 and LCD on multi-drive systems (CR132778)
When you apply a pre-10.1.0-created user configuration set (UCS file) to a multi-disk system, the operation overwrites the existing configuration, including the LCD screens. The version 10.1.0 software provides access to multi-drive platforms using LCD screens. In this case, the UCS-apply operation restores the screens from the software version where you created the UCS file. That means that there is no RAID Status informational screen in the LCD. To determine multi-disk status information, you can use the operations provided on the command line and in the browser-based Configuration utility.

Simultaneous password and shell access change (CR132782)
If you modify your password and shell access at the same time, the system does not register the password change. To work around this issue, modify the password and the shell access separately.

Mixed blade types and unknown DS name messages (CR132859)
If the VIPRION® system has a mix of PB100 and PB200 blades, when the PB100 has become a primary blade and the PB200 a secondary and then they switch, you might see messages similar to the following in the log files: err statsd[16290]: 011b0600:3: Error 'unknown DS name 'S1C4user'' during rrd_update for rrd file '/var/rrd/bladescpu'. These messages are benign, and you can safely ignore them. You can prevent the error by ensuring that the PB200 is the primary blade. To do so, stop the clusterd process on all the blades except the PB200. Once the PB200 becomes primary, you can restart clusterd on the other blades.

domaintool delete of default domain (CR132909)
When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. To work around this issue, change the default to a different domain before the delete operation.

crit tmm4[5689]: 01010025:2: Device error: hsb internal error (CR132974)
Certain packet-size related events can result in messages similar to the following example: crit tmm4[5689]: 01010025:2: Device error: hsb internal error PIM_RX_PORT_0_ERRS address 0x0000103c status 0x004e0100. These messages are benign, and you can safely ignore them.

ConfigSync and .tmshrc files for remote users (CR132979)
The system does not include the .tmshrc file in a ConfigSync operation. That means that each unit in a redundant system configuration has a different set of remote users. You can manually sync the two files by using a utility to copy the file from one system to another.

MSSQL monitor and Microsoft SQL Server 2000 (CR132985)
This version of the software does not support monitoring of Microsoft® SQL Server® 2000 servers.

External monitors on VIPRION systems and file cache: fatal error messages (CR133035)
You can create an external monitor that references an executable in the /usr/share/monitors directory. On a VIPRION® system, when the system attempts to validate the monitor on a secondary blade (for example, when the primary blade loads a secondary blade), the system posts an error message similar to the following: emerg mcpd[2822]: 0107094e:0: File cache: fatal error (can't create backup file for (/usr/bin/monitors/builtins/SYSLOG_monitor), Read-only file system) (FileCache.cpp:1523). For the monitor to function properly and to prevent this error on VIPRION systems, copy any executable used by an external monitor to the /config/monitors directory.

APM limited (CR133057)
The Access Policy (APM) item on the Resource Provisioning screen contains the label Limited mode available without a license. This functionality is not available in this release.

Copper SFP interfaces and PB100 blades (CR133158)
Rarely, copper SFP interfaces on a PB100 blade might go offline and stay offline until the blade's power is cycled. Therefore, F5 recommends that you use the fixed copper (RJ45) or standard fiber SFP interfaces rather than the copper SFP interfaces in production.

Interactive mode and system hang at startup (CR134203)
When you boot up a BIG-IP® system, the system posts a message Press 'I' to enter interactive startup. If you press I or Shift+I, the system hangs indefinitely. You can exit the suspended state by pressing Ctrl+C, after which the system works as expected. Interactive mode is not supported in this version of the software.

Assertion "unlinked" failed and TMM core (CR134940)
When you are configured for SSL session caching on platforms that provide clustered multi-processing (CMP) capability, you might encounter a Traffic Management Microkernel (TMM) process issue indicated by the following assert message:

../modules/hudfilter/ssl/ssl_session.c:682: Assertion "unlinked" failed.

For more information about this issue, see SOL11161: Virtual servers using SSL session caching may experience TMM panic. You can work around the issue by disabling SSL session caching. Alternatively, there is a software hotfix available to address this issue. You can contact the F5 Support team at support@f5.com to ask for the hotfix available for CR134940.

AUTH_RESULT and suspend commands (CR140154)
This release does not support using a command that suspends iRule processing (session, persist add/lookup/delete, table, after) in the AUTH_RESULT event in an iRule. There is no workaround for this issue.

Installing hotfix and waiting for image message (CR140238)
When you apply a version 10.x hotfix, the base software ISO image must be present in the /shared/images directory, along with the hotfix image. If there is no base software ISO image, no hotfix update operation begins, and the system presents a message similar to the following: waiting for image (BIG-IP 10.0.1 402.16). This message is misleading. The system is actually waiting for the base image. For example, for version 10.0.1, the base image is BIGIP-10.0.1.283.0.iso. To work around this issue, copy the base ISO image BIGIP-10.x.x.xxx.x.iso file to the /shared/images directory, and try the hotfix update again.

Hotfix installation and formatting for volumes (ID 349340)
You cannot simultaneously move to logical volume management (LVM) and install a hotfix. If you run the image2disk command with both the --hotfix and --format=volumes options, the system completes the hotfix installation, but does not format the drives. To work around this issue, format the system for volumes first, and then install the hotfix update.

Predictive and observed load balancing behavior (ID 341804)
(ID 341276 duped to ID 341804) The predictive and observed load balancing methods always choose the same pool member when there are no other concurrent connections. For example, if you open 50 connections to the same virtual server, but you close each connection before opening the next one, the BIG-IP system will load balance all 50 connections to the same pool member (the last one in the pool).

Note: Both load balancing methods work as intended when the current connection count of the virtual server is greater than 1.

While this behavior is benign, it may generate some confusion when analyzing pool member statistics.

[ Top ]

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com

