Release Note: BIG-IP LTM and TMOS version 11.0.0

Original Publication Date: 04/17/2014

Summary:

This release note documents the version 11.0.0 release of BIG-IP Local Traffic Manager and TMOS.

Contents:

- Supported hardware
- User documentation for this release
- New in 11.0.0
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Upgrading from earlier versions
- Fixes in 11.0.0
- Behavior changes in 11.0.0
- Known issues
- Contacting F5 Networks
- Legal notices

Supported hardware

You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 11.0.0 Documentation page.

New in 11.0.0

Device Service Clustering

In this release, the Traffic Management Operating System (TMOS) within the BIG-IP system includes an underlying architecture that allows you to create an N+1 redundant system configuration, known as device service clustering (DSC). This redundant system architecture provides both synchronization of multiple BIG-IP configuration data and high availability at user-defined levels of granularity.

iApps

In this release, you can create customized templates to quickly and easily deploy applications on your network. iApps allow creation of application-centric configuration interfaces on BIG-IP systems, reducing configuration time and increasing accuracy of complex traffic management configurations.

Analytics

This release provides Analytics, a module that provides application visibility and reporting capabilities. Using this module, you can analyze performance of web applications by viewing detailed metrics for applications, virtual servers, pool members, URLs, and specific countries. You can also view detailed statistics about application traffic running through the BIG-IP system.

Diameter Enhancements

In this release, BIG-IP Local Traffic Manager (LTM) load balances and persists requests that applications send to servers running Diameter services. The BIG-IP system can also monitor each server to ensure that the Diameter service remains up and running.

IPv4-to-IPv6 Gateway

In this release, BIG-IP LTM functions as an IPv4-to-IPv6 gateway. You configure the radvd service to send out ICMPv6 routing advisory messages, and to respond to ICMPv6 route solicitation messages. This allows the BIG-IP system to support auto-configuration of downstream nodes, and the downstream nodes to automatically discover that the BIG-IP system is their router. Note that in version 11.1.0 and later, the radvd daemon has been removed and its functionality moved into TMOS. That means that instead of configuring the radvd daemon, you configure route advertisements using tmsh. See the 'net router-advertisement' section of the tmsh manual or the tmsh command-line help for information.

TCP Request Queuing in Pools

In this release, TCP request queuing provides the ability to queue connection requests that exceed the capacity of connections for a pool, pool member, or node, as determined by the connection limit. Consequently, instead of dropping connection requests that exceed the capacity of a pool, pool member, or node, TCP request queuing enables those connection requests to reside within a queue in accordance with defined conditions until capacity becomes available.

Certificate Administrator Role

This release provides a Certificate Administrator Role. A user that is assigned this role can only manage SSL certificates.

Per Module Statistics

In this release, you can view "real-time" CPU and memory usage statistics for individual modules.

Per Virtual Server Statistics

In this release, you can view "real-time" profile and CPU usage statistics for individual virtual servers.

Out of Band TCP Connections

This release provides the ability to establish out of band TCP Connections from an iRule.

Read and Write Access to TCP Options

This release provides read and write access to the TCP options field using iRules.

You can find extensive information about iRules on the F5 DevCentral web site.

SNMP Support for Dynamic Routing Protocols

This release provides SNMP support for ZebOS dynamic routing protocols.

tmsh Description Field for Configurable Components

In this release, there is a Description field available for configurable tmsh components.

TLS 1.2 Support

This release supports Transport Layer Security (TLS) 1.2, the SHA 2 Cipher, and SHA256 hash.

Request Logging Profile

The new Request Logging profile enables configuration of log entries to be reported when requests/responses are received, supports audit logging of HTTP/decrypted HTTPS requests/responses, and enables specification of a response to be issued when specific requests/responses occur. For example, the system uses this response when you enable Respond On Error to suggest a retry, or to redirect the browser to an alternate page. Although there are no specific examples in the online help that describe how to craft Template and Error Template entries, you can find a table of supported parameters in the BIG-IP WebAccelerator System: Implementations guide on AskF5.

Version 11.0.0 Documentation

This release provides an enhanced documentation paradigm for Local Traffic Manager, Global Traffic Manager, and Link Controller. Concept guides and implementation guides replace the former configuration guides. This change helps make information more accessible and more task-focused, which improves the user experience and enhances usability.

Proxy SSL Support

This release provides Proxy SSL support in Client SSL and Server SSL profiles, which enables direct client-server authentication. You can find information about Proxy SSL in the BIG-IP Local Traffic Manager: Implementations guide on AskF5.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Fixes in 11.0.0

ID Number Description
ID 221972 Previously, connection flow timers were calculated using a reference from the system time (seconds since epoch). In the event that system time changed, connection flows could be aged out prematurely or removed entirely. Connection flow timers are now calculated using a monotonic timer derived from the system uptime (seconds since boot), not the system time.
ID 222455 TMM previously queued only one packet per flow for a given destination when there was a pending neighbor ARP response. The default depth is four packets and can be configured by adding the bigdb variable tmm.nbr.pbqlen.
ID 222533 Using HTTP::Respond and LB::Reselect together within the LB_FAILED event no longer causes tmm to crash.
ID 222626 BIG-IP 11.0 supports 4-byte ASN in BGP as defined in RFC4893.
ID 222635 The TCP transmit window scale is now set properly in the event that the server sends data before the client does.
ID 222888 Previously, persistence record timers were calculated using a reference from the system time (seconds since epoch). In the event that system time changed, persistence records could be aged out prematurely or removed entirely. Persistence record timers are now calculated using a monotonic timer derived from the system uptime (seconds since boot), not the system time.
ID 223587 A condition where mcpd could potentially leak memory has been corrected.
ID 223625 A condition where tmm could crash when using SSL:renegotiate within the HTTP_REQUEST context has been corrected.
ID 223667 Inband health monitors no longer mark a node down when a client request is split into two or more segments with a delay of 20ms or greater between segments.
ID 223766 HTTP GET requests including a message body, combined with RamCache usage and an HTTP::respond command in an LB_FAILED event no longer cause connections to stall and avoid the configured idle timeout.
ID 223787 This release corrects the race condition that caused the system to write out a core file and post the panic notice "Pool member is passive downed" failed when, in a specific configuration, a monitor other than the passive monitor marks a pool member down.
ID 223836 (CR132172) In server SSL profiles, Renegotiation is now enabled by default.
ID 223883 TMM no longer crashes when you change the assignment of an iRule to a virtual server when the iRule contains any commands that may suspend execution (such as after, table, and persist).
ID 224060 On 1600, 3600, 3900, 6900, 8900, and 8950 platforms, the values in sysIfxStat portion of the F5-BIGIP-SYSTEM-MIB file are now updated properly.
ID 224085 On VIPRION systems with PUMA II blades, erroneous blade power down/up messages sent from clusterd when no power up or down event has happened have been eliminated.
ID 224111 snmpd no longer fails and cores when executing snmpwalk with certain command-line parameters.
ID 224391 The system now correctly parses an iRule whose commands contain an escape character (previously described as a suspended command following an escaped newline character).
ID 224966 When the nameservers are changed using tmsh modify dns name-servers, the system restarts the httpd service to reload the DNS configuration.
ID 224993 On a partitioned system, a virtual server could not be deleted that had an http class with WebAccelerator set to Accelerate at creation time. This issue has been resolved.
ID 225190 The root account home directory (/root) permissions have been modified so as to be only user readable, writable, and executable.
ID 225257 The syscheck and oprofile users have the home directory properly set to ‘/’.
ID 225328 As a tool for diagnosing the cause of TCP RST packets, the system may be globally configured to include a very brief explanation as the payload in each RST packet and/or to log this reason whenever sending a RST packet. This behavior is controlled by setting the corresponding DB variables TM.RstCause.Pkt and/or TM.RstCause.Log to "enable". The default for both is "disable", and this should be considered the correct setting in a production environment, since use of this functionality may impair stability.
ID 225448 4096-bit SSL keys in Server SSL profiles (ID 225448, CR139406): The system now correctly supports 4096-bit SSL keys to configure Server SSL profiles.
ID 225514 A bug has been fixed where in certain circumstances, TMM could leak memory in CMP mode while handling internal SSL certificate chain structures.
ID 225824 A memory leak observed in tamd when using a RADIUS authentication profile has been corrected.
ID 225863 Previously, if you set the timeout value for insert, passive or rewrite cookie persistence profiles in bigip.conf (as this value is not exposed in the web GUI), if you updated other settings for those profiles via the web GUI, the timeout setting would be lost and would revert to the system default of 180 seconds. This has been resolved and the system now preserves the setting manually added in bigip.conf.
ID 226027 Statistics of FTP virtual servers for ACTIVE connections now properly include PVA and ephemeral traffic on the correct side/direction of the connection.
ID 226119 The use of "foreach" in an iRule now properly iterates over a paired index.
ID 226399 Wildcard virtual server/virtual server listening on UDP port 62720 (ID 226399, ID 248017, CR141404): VIPRION systems correctly handle traffic after configuring a wildcard virtual server or a virtual server listening on UDP port 62720.
ID 226458 TMM no longer cores and restarts when an iRule command executes causing the rule engine to suspend, and a subsequent, malformed UDP packet arrives on the same connection. The following log message is an indication that this bug has been encountered: Assertion "validate up->pkt" failed.
ID 226475 tmsh now displays stp bridge information and stp state.
ID 226828 The SNMP object ltmPoolMemberStatAddr now contains the correct IP address information for pool members with route domain.
ID 226972 In previous releases, the system reused client IDs from previous sessions to reestablish SSL connections. Now, in situations where security changes in the BIG-IP configuration, for example, an iRule changes the security parameter to request or require client certificates, the system establishes a new SSL connection with the client and does not reuse the previously established session ID.
ID 227123 When an iRule uses HTTP::path to modify the path in a URI that also contains a query string, the query string is properly preserved.
ID 227144 When load balancing UDP datagrams, the flow table is properly checked in order to prevent a server-initiated flow from inadvertently using the same port as an in-progress client-initiated flow.
ID 227148 Adds the ability to import and export partial text configuration in TMSH.
ID 227179 The htpasswd utility has been removed from the system.
ID 227180 Ownership and permissions for the web server configuration files have been fixed.
ID 227220 Prior to 11.0, the caching system would treat a request as cacheable by default, and would then check the specified URI regexes (exclude, pinned, include) to modify the cacheability. This left no easy way to specify that only a given list of URIs was to be cached. Starting in 11.0, the previous "include" regex has been renamed to "include-override"; existing configurations are automatically changed by the upgrade process. Further, the default is now to consider a URI non-cacheable, and a new "include" regex has been added, which defaults to match all URIs. In this way, any configuration from a previous release should behave exactly as it has in previous releases, but new configurations can easily specify that only a given list of URIs should be cached. Just as before, the exclude and pinned regexes take precedence over (what is now in v11 known as) the include-override regex. Also, the exclude, pinned, and include-override regex will all take precedence over the include regex.
ID 227221 TMM no longer cores under certain conditions when the internal interfaces are reset.
ID 246935 The SOAP monitor now correctly takes into account the protocol setting in the monitor configuration. Regardless of the destination port, a setting of "https" will result in the SOAP monitor connecting to the server over SSL/TLS, while a setting of "http" will result in an unencrypted connection.
ID 247643 The boot process no longer hangs if the syslog-ng process is not running while Apache is initializing.
ID 247801 When the static ARP entry is added while a dynamic entry exists for the same address, the static ARP entry takes precedence, and you no longer see two ARP entries for the same address.
ID 247972 TMM no longer immediately reuses source ports for server-side connections when the same TMM handles multiple consecutive connections from a single client with CMP enabled.
ID 291695 The system now load balances messages as expected for the ratio load balancing method, for virtual servers configured with RADIUS, Diameter, or SIP profiles.
ID 293854 NTLM connection pool variables are now correctly initialized and ntlmconnpool no longer crashes during SharePoint transactions.
ID 325315 SNMP support has been added to Advanced Routing.
ID 330791 The PVA-TMM I/O channel is no longer reset after a pvad synchronization on systems with a PVA2. This condition previously caused the following messages to be logged very close to one another:
  • pvad[2064]: 01130003:6: PVA2 incoherency detected; synchronization required.
  • pvad[2064]: 01130003:6: Resetting PVA i/o channel after 0 failed retries.
  • pvad[2064]: 01130003:6: PVA2 synchronization complete
ID 336355 The "tomcat" user no longer has access to a shell.
ID 336817 TMM now correctly converts TCP timestamps for SYN-ACK replies from remote servers before sending them on to the Linux host when more than one initial SYN was transmitted. This avoids, for instance, monitoring connections periodically being reset when remote servers are slow to acknowledge the initial SYN.
ID 337175 Fixed issue where fragmented IP packets from the Linux host (such as large SNMP responses) are delivered with incorrect port or dropped.
ID 337562 URI::decode now properly handles strings that do not convert well to UTF-8.
ID 338062 On 3400, 6400, 6800, 8400, and 8800 platforms, that is, platforms with Packet Velocity application-specific integrated circuit (PVA), the system now correctly sends ICMP Unreachable - Fragmentation Needed packets to FastL4 virtual servers set for PVA assist.
ID 338150 For the HTTPS monitor, mid-stream SSL renegotiation has been enabled in order to handle monitoring servers that do not request the client certificate until after application data starts flowing, specifically, Microsoft Internet Information Services (IIS) versions 6 and IIS 7.
ID 339291 The default maximum size of the IPv6 routing table has been increased to 8192 entries.
ID 339379 TMM and HTTP::header sanitize command (ID 339379): Traffic Management Microkernel (TMM) now responds correctly when the virtual server references an iRule with the HTTP::header sanitize command.
ID 339461 When using copper SFPs to connect 10M or 100M hosts, the interface is correctly configured and comes up properly.
ID 339744 This release corrects the condition that caused the Traffic Management Microkernel (TMM) core events, which produced a ** SIGSEGV ** that included the following notices: notice fault addr: 0x68 and notice fault code: 0x1.
ID 339847 msktutil and domaintool utilities and unprivileged users (ID 339847): The msktutil and domaintool utilities no longer crash when run by an unprivileged user, reporting the message glibc detected-msktutil: munmap_chunk(): invalid pointer: 0xff920190. The output now correctly reports that the logged on user must be an administrator.
ID 339955 The Configuration utility now correctly updates the /config/bigip_sys.conf file so that ConfigSync or configuration reload does not disable initial network failover configuration.
ID 340081 A crash no longer occurs when an iRule suspends then returns from suspension after the connection closes.
ID 340274 BIG-IP LTM no longer prefers a client-offered SSL cipher when using COMPAT mode.
ID 340336 The peer certificate mode auto is now the functional equivalent of ignore. The mode auto remains, but functions the same as ignore.
ID 340407 Basic TCP monitors that are associated with a pool or pool member that is not listening on the monitored port, no longer erroneously mark a node up when it is actually down.
ID 340651 This release corrects the condition on VIPRION platforms, in which setting the db variable vlan mac assignment to global resulted in some or all of the VLANs receiving a zero MAC assignment, which could cause no traffic to pass on a VLAN. You can now set db variable vlan mac assignment to global and there are no longer VLANs with MAC address of zero.
ID 340659 RESOLV::lookup -ptr now properly returns PTR records.
ID 340696 The system now correctly handles a large number of self IP addresses or VLANs when starting up the ntpd process, and no longer halts with a segmentation violation or related crash.
ID 340718 sod no longer crashes when failover debugging is enabled and the log file grows beyond 2 GB in size.
ID 341217 Trailing semicolon and whitespace and removing HTTP cookie (ID 341217): The system now correctly removes the trailing semicolon ( ; ) and whitespace when removing an HTTP cookie from the HTTP header data.
ID 341329 Routing Modules have been officially added in VADC.
ID 341404 VLAN group Proxy Exclusion List now correctly loads on secondary blades in a VIPRION cluster.
ID 341414 CompactFlash and swap partition (ID 341414): The system no longer incorrectly uses the CompactFlash® card as a swap partition. Now, the system correctly uses a swap partition on the system hard drive.
ID 341663 Persistence table additions and lookups on CMP systems no longer assume there will only be one entry per connection, allowing for persistence to be maintained when the server-side connection is switched to a different pool.
ID 342010 iRule command table keys -subtable (ID 342010): Use of the table keys -subtable iRule command no longer causes a memory leak.
ID 342044 Now monitors are able to provide correct server status when the server sends more than one response per monitor probe.
ID 342976 On VIPRION, clusterd no longer miscalculates the clock skew of a secondary blade, which caused a reboot to be issued when ntpd moves the clock forward.
ID 343037 snmpd now functions properly with IPv6 and with route domains.
ID 343150 IPv4 and IPv6 addressing may be used for Config Sync operations.
ID 343610 An issue causing snmpget and snmpwalk to perform slowly on the 6400/6800/8400/8800 platforms has been fixed.
ID 344159 TMM no longer leaks memory when using the "after" command in an iRule under certain circumstances.
ID 345047 The handling of large numbers of virtual servers has been improved, and the CPU usage for the pvad process should no longer be adversely affected in such situations.
ID 345057 When a VLAN group has a self IP, but none of the member VLANs have self IPs, enabling VLAN failsafe on any of the VLANs in the group no longer results in the failsafe triggering without cause.
ID 345266 TMM no longer reverts the datagram_lb setting when configured in a UDP profile along with a message-based load balancing configuration.
ID 345300 If an iRule returns from a suspended state to a flow that is dying, execution is discontinued.
ID 345314 A condition where the LB_FAILED event could fire twice leading to a tmm crash has been resolved.
ID 345634 RESOLV::lookup now properly resolves IPv6 PTR records.
ID 345712 TMM no longer crashes when an iRule calls the TCP::notify command multiple times during the lifetime of a connection.
ID 345873 A condition causing connection to get stuck in "Authenticating...." when using the iOS (iPhone/iPad) Edge Client has been corrected.
ID 345944 BIND update (ID 345944): BIND has been updated to mitigate two vulnerabilities, tracked by the Common Vulnerabilities and Exposures (CVE) project as CVE-2010-3613 and CVE-2010-3615.
ID 346107 When using VLAN groups, egress traffic is correctly handled (no longer dropped) when the egress VLAN is the same as the ingress VLAN, when using a non-VLAN-group listener.
ID 346202 On the VIPRION system, the system_check utility now correctly checks the temperature on all blade types.
ID 346580 With certain configurations that include reselect on service down with pool members that are at least one hop away, tmm no longer crashes if a configuration file is loaded while traffic is flowing to the virtual.
ID 346901 The 8900 NEBS platform is now checked properly for timezone updates.
ID 347053 Stability enhancements have been made to mcpd when using node monitors.
ID 347628 You can specify the netmask in an iRule in dotted quad format, for example, /255.255.255.0. In versions 10.0.0 through 10.2.1 of the software, this functionality was deprecated. In 10.2.2, the functionality has been restored.
ID 347838 This release corrects an issue that caused ICMPv6 traceroute to BIG-IP to always fail.
ID 347858 A condition under which mcpd could potentially leak memory has been corrected.
ID 347898 Enabling "Verified Accept" on a TCP profile assigned to an IPv6 virtual server no longer produces a switchboard failsafe and a tmm core.
ID 347921 The tm.rejectunmatched db key setting is now honored properly on virtual servers using FastL4 profiles.
ID 347973 Intermittent failures of mcpd to subscribe to stats segments should no longer cause an exit and core file to be generated.
ID 348141 VIPRION 2400 platforms no longer display "invalid trunk" entries in the forwarding database when self-IPs are added or deleted from the system.
ID 348225 A condition where tmm could loop trying to send the same SACK hole packet has been resolved.
ID 348368 The RFC1997 restrictions on BGP community strings imposed by ZebOS 7.5 and newer have been removed to restore the ZebOS 5.4 ability for users to set community strings to any value.
ID 348529 The STREAM filter no longer misses some matches when the target string is smaller than the source string.
ID 348660 An RST sent by a client connected to a virtual server using a TCP profile with "Verified Accept" no longer leaves that virtual server in a hung state.
ID 349216 A condition where tmm cores when a ramcache proxy lookup is done on an aborted request has been fixed.
ID 349312 The firmware and bootloader versions for the 8900 platform are now correctly cached during system startup and no longer generate an error message.
ID 349373 A defect has been addressed which could cause TMM to core and restart under some conditions when an iRule command causes the TCL interpreter to suspend and resume. The failure condition could be accompanied by a variety of log messages in /var/log/tmm, including the following:
  • Assertion "valid tclconn for cf" failed.
ID 349481 TMM no longer crashes under circumstances when an MTU update is done on a connection flow that already has an existing mss value, even if mss = 0.
ID 349872 A condition that could cause clusterd to leak memory has been fixed.
ID 349964 Logging from mcpd has been enhanced.
ID 350080 Stability enhancements to mcpd have been made.
ID 350218 Link Aggregation Control Protocol (LACP) now properly enforces the partner SysId match check to prevent aggregation of ports connected to different remote switches.
ID 350434 In previous releases, certain iRule commands (for example, table and persist) might not complete when executed in the CLIENT_CLOSED event. In this release, commands of this type complete correctly.
ID 350652 A defect has been addressed which could cause TMM to core and restart in certain connection teardown conditions when using ramcache.
ID 350982 A condition that could cause clusterd on VIPRION systems to leak memory has been corrected.
ID 351579 Moving a virtual server from one server definition to another in the wideip.conf configuration file will no longer cause stale monitor configurations to remain in operation.
ID 352552 The HA group percent score is now updated correctly after reboot.
ID 353505 In the absence of a default route, an LTM monitor might start probing a node on a non-local subnet via the management interface. Previously, after a default route was added, the monitor kept sending the probes with the management IP as the source address. This issue has been fixed.
ID 353871 Fixed an issue where certain certificates would be displayed with an invalid expiration date (an extra 1900 years was mistakenly added).
ID 353934 File and directory permissions for /shared/ssh/root now have the proper umask settings.
ID 354398 TMM will no longer forward packets originating from the host when a routing loop is configured elsewhere in the network that sends the packets back to the LTM on the vlan they were originally sent out on.
ID 354597 The tmm process no longer cores and restarts when an empty input string is passed to any of the URI:: iRule commands.
ID 354998 Persistence profiles using the map proxies feature now correctly map IPv4 addresses with the data group configured by the Persist.WellKnownProxyClass bigdb variable.
ID 355152 This release corrects a chmand process leak that occurred on the 1600, 3600, 3900, 6900, 8900, 8950, 11000, and 11050 platforms (more specifically, platforms with the Always-On Management (AOM) subsystem).
ID 356287 Connections to FastL4 virtual servers are no longer incorrectly reset when they receive invalid ICMP messages.
ID 356655 The BIG-IP Dashboard now correctly displays platform limits for the VIPRION 2400.
ID 356718 In Appliance mode, running an edit command in tmsh invokes the nano editor instead of the vi editor.
ID 356849 The /var/log/tmm file now shows the correct OCTEON revision number.
ID 357324 PVAD no longer writes duplicate MAC addresses to the limited (size of 16) PVA2 L2 table, avoiding a situation where the table could fill up unnecessarily. The following log message is an indication that the L2 table has filled up:
  • 01130001:4: PVA memory constraint : can have no more than 16 vlans in unique MAC mode
ID 357841 The following VIPRION blade powered up and down messages should no longer be erroneously logged:
  • Apr 15 23:37:07 slot1/host1 err clusterd[4638]: 013a0009:3: Blade 1: blade 3 powered DOWN.
  • Apr 15 23:37:07 slot1/host1 err clusterd[4638]: 013a0009:3: Blade 1: blade 4 powered DOWN.
  • Apr 15 23:37:08 slot1/host1 notice clusterd[4638]: 013a0010:5: Blade 1: blade 3 powered up.
  • Apr 15 23:37:08 slot1/host1 notice clusterd[4638]: 013a0010:5: Blade 1: blade 4 powered up.
ID 358180 There are new statistics measures to support secure SSL connection renegotiation:
  • secure_handshakes: The number of handshakes, including mid-stream re-negotiations, performed with peers supporting SSL secure renegotiation.
  • insecure_handshake_accepts: The number of handshakes, including mid-stream re-negotiations, performed with peers not supporting SSL secure renegotiation.
  • insecure_handshake_rejects: The number of rejected initial handshakes with peers not supporting SSL secure renegotiation.
  • insecure_renegotiation_rejects: The number of rejected renegotiation attempts by peers not supporting SSL secure renegotiation.
ID 358623 The SIP protocol now correctly handles expired flows when an iRule is suspended while executing a SIP iRule event.
ID 358625 A defect causing TMM SIGFPE cores due to an improper handling of certain iRule commands (for example, "persist") has been fixed. A panic log message such as the following is a possible indication that this bug has been encountered:
  • panic: Tcl Object bdba8dc is currently on free list
ID 358684 A defect has been corrected, which could cause interfaces on a VIPRION 2400 blade to occasionally show as missing (MS).
ID 358774 The following benign log messages no longer appear on non-cluster systems at startup and shutdown:
  • 012a0004:4: halGetChassisAllSlots: error 1
  • May 9 06:16:33 localhost err fpdd[4375]: 00010038:3: Unknown HAL API error, returned (1) for request halGetChassisAllSlots
ID 358788 TMM no longer crashes when the TMM is restarted on the standby machine in a high-availability configuration that includes connection mirroring. Making configuration changes to an HA channel configuration that includes connection mirroring no longer causes TMM to core.
ID 358865 TMM no longer exits with a SIGFPE in certain situations when a Standard virtual server is targeting a FastL4 virtual server. The following panic string is an indication that this issue was encountered:
  • Assertion "flow in use" failed.
ID 359466 Connections are now correctly re-mirrored after a failover event, regardless of when the alternative HA mirror link state has been marked as "down".
ID 359620 Stale mirroring entries on the switch chip no longer cause LACP packets to be dropped.
ID 359730 "SSL::cert" iRule commands can now correctly be called during a SERVERSSL_HANDSHAKE event on virtual servers that have serverssl profiles. Rather than returning empty results, accurate server certificate information is now returned.
ID 360515 BIND has been updated to mitigate the vulnerabilities in CVE-2011-1910.
ID 361121 Rather than having no effect, the TCP::respond iRule command now sends a TCP packet with no payload when called with an empty string.
ID 361300 When upgrading from a previous release, all blades in a chassis now correctly initialize the base MAC address.
ID 361562 The pvad process handling of large numbers of virtual servers and other objects has been improved.
ID 361676 6900, 8900, 8950, and 11050 platforms using hard drives greater than 500 GB no longer fail to create a logical volume for datastor when provisioning WOM. To determine what size disk you have, log on to the command-line interface using the root account, and run the command pvscan.
ID 361741 Authentication to a BIG-IP system via iControl should no longer fail due to corrupt PAM tallylog files. The following log messages are an indication that this problem has occurred:
  • PAM Couldn't write /var/log/pam/tallylog, -138170000 bytes : Resource temporarily unavailable
ID 361777 The VIPRION 2400 platform no longer fails to perform a thermal shutdown of blades. Previously, blades would occasionally fail to shut down.
ID 361782 When an iRule command that causes a suspension to occur (for example, the "table" command) is executed on a FastL4 virtual server, the following error message is no longer logged, and rule execution will not be prematurely terminated:
  • Attempted to resume iRule for closed flow (listener virtual_server)
ID 361839 The stream filter now correctly forwards iRule events that it is unaware of (for example, ASM::violation_data), rather than silently dropping them and thus potentially causing connections to stall.
ID 361864 The hardware information for LOP and BUC devices is now reported correctly.
ID 361952 An issue causing the PVAD daemon to core no longer occurs on the 6800 platform.
ID 362109 SNAT and Automap now work correctly for additional protocols. The flow key's local port is not adjusted to 0 unless the protocol is TCP, UDP, or SCTP.
ID 362175 TMM's connection flow table is no longer corrupted by the ungraceful shutdown of any TMM.
ID 362436 The following log message is no longer erroneously displayed during normal system startup:
  • Jun 22 05:53:49 tmm warning tmm[30894]: 01010031:4: Device warning: hsb 0.1 - 1 hw watchdog timeouts
ID 362851 The Dashboard utility now displays platform limits for all VIPRION systems as the maximum value for a fully-loaded chassis.
ID 363027 Fixed a delete permissions issue with locally authenticated users.
ID 363030 If the DB variable tmrouted.queryperiod is set to a value that requires querying virtual servers more than once per second, the system now queries correctly and no longer drives up CPU usage.
ID 363082 The correct product category ("VIPRION") is now provided when calling the iControl function System::get_system_information() against PB200 and PB200-NEBS VIPRION blades.
ID 363310 BIND has been updated to mitigate the vulnerabilities in CVE-2011-2464.
ID 363988 The following log messages are no longer erroneously printed to /var/log/tmm on VIPRION 2400 systems: Skip potential RQM forward pkts read error and Skip potential RQM drop pkts read error.
ID 364024 1 GB SFPs now correctly establish an "up" state on B2100 (VIPRION 2400 blade).
ID 364112 VIPRION 2400 blades now correctly take the chassis MAC address as their base when they are inserted into a new chassis.
ID 364699 ClientHello SSL messages greater than 256 bytes in length no longer cause connections to clientssl virtual servers to stall, or re-negotiations to fail.
ID 365295 Heavy session table usage no longer results in connection stalls on 11000/11050.

Behavior changes in 11.0.0

ID Number Description
ID 208624 The default value for slow ramp time was changed from 0 (disabled) to 10 seconds.
ID 222483 bigd monitoring that used SSL previously sent an "SSLv2 Client Hello" to establish secure connections. This version turns off the use of the SSLv2 Hello in favor of a TLS Hello.
ID 223709 Cross route domain after upgrade (ID 223709, CR131366). In this release, there is a Strict Isolation option for route-domain configuration. The option is enabled by default, so existing configurations that direct traffic across route domain boundaries will no longer work after upgrading. When that happens, the system logs in /var/log/ltm a message similar to the following:
  • Oct 24 16:29:46 local/tmm1 warning tmm1[6636]: 01200011:4: Connection rejected from IP 10.20.20.12%2 port 33845 to IP 10.10.10.20%1 port 80: One of the route domains is strict.
To have traffic cross the route domain boundary, disable the Strict Isolation option in Network > Route Domains for ingress and egress route domains.
ID 224579 Oracle JDBC monitor syntax change. The Database field is renamed to Connection string, and uses new syntax. When upgrading, the old database string is converted to the new connection string syntax.
  • The old database syntax is: %node_ip%:%node_port%:<db name>
  • An example of the new database syntax is: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=%node_ip%)(PORT=%node_port%)) (CONNECT_DATA=(SID=<db name>)) (SERVER=dedicated))
ID 336820 This release does not support the use of bigpipe or tmsh to add a software ISO image to the system. Supported methods include using the Import procedure by clicking the Import button on the System:Software Management:Image List page within the web management interface or using scp to copy the ISO image to the /shared/images directory prior to installation.
ID 340221 The Create button has been removed from the volume-creation portion of the Software Management screen. Instead, you specify a new name to create a volume when you initiate an installation operation.
ID 342790 COMPAT ciphers used to be displayed for server cipher strings such as ALL, HIGH, LOW, MEDIUM, etc. Now, COMPAT ciphers are displayed only if you explicitly indicate in the cipher string that the COMPAT ciphers be shown. For example, cipher strings such as ALL and LOW display only Native ciphers. LOW:COMPAT displays all LOW ciphers including Native and COMPAT. HIGH+COMPAT displays the HIGH ciphers that are COMPAT; Native ones are not displayed.
ID 348217 The system no longer counts pool members that are still ramping up (because of a slow ramp setting) against the minimum-up member requirement for subsequent priority group activation.
ID 351457 This release provides new TCP profile attributes: Initial Congestion Window Size, Initial Receive Window Size, Initial Retransmission Timeout Base Multiplier for SYN Retransmission, and Delay Window Control. Based on RFC3390, the initial window size is set to 3 * MSS. The new TCP profile settings allow configuration of a larger base multiplier (n * MSS) for the initial window size, which can help deliver applications faster and improve response time. Descriptions of the controls appear in the online help for the TCP profile.
ID 353344 Previous versions of the BIG-IP system installed two software slots as part of a clean installation. The current version of BIG-IP now installs only one software slot as part of a clean installation. For the live install feature to work correctly, customers should ensure that at least two software slots are installed on each blade in the system.
ID 354518 The VIPRION 2400 has an RJ45-type connector for the Console port. Part of the updated functionality of the Always-On Management (AOM) serial port includes auto-baud, meaning that when you connect a cable to the Console port and issue a break from the keyboard, the system enables scrolling through baud rates using the return key. If you accidentally plug an active Ethernet cable (that is, a cable carrying network traffic rather than serial terminal data) into the Console port, when you power up the blade, the auto-baud functionality might engage, even though the cable is not connected to a valid serial terminal. This occurs because, depending on the traffic on the cable, network communications can simulate the effect of issuing a break, which initiates auto-baud. If you are already in this condition, after you remove the Ethernet cable and connect a valid serial cable, you will likely see garbled content on the serial terminal until you reset the AOM serial port’s baud rate to match the terminal’s baud rate. To synchronize AOM and terminal baud rates, follow these steps:
  1. Issue a break (using the <BREAK> key on the keyboard).
  2. Press return to have AOM cycle through the supported baud rates (115200, 57600, 38400, 19200, and 9600).
  3. When the baud rates are synchronized, the following prompt appears --- Press <ESC>( for AOM Command Menu. You can then press Esc ( to access the AOM Command Menu.
ID 356804 There is a new way of handling files with external data group definitions: before assigning it to external class, a file must be imported using System :: File Management :: Data Group File List. For example, to import an iRule file and use it:
  1. Go to System :: File Management :: Data Group File List.
  2. Click Import.
  3. Specify the file you want to use, or use Browse to find it.
  4. Click Import.
  5. Go to Local Traffic :: iRules :: Data Group List.
  6. Click Create.
  7. In Name, type the name of the file.
  8. From the Type list, select (External File).
  9. From the File Name list, select the Data Group File you imported earlier.
  10. Click Finished.
ID 357725 The cli-settings ip-addr setting has been removed. The command is relevant only to bigpipe, which has been removed in version 11.0.0.
ID 361252 As a result of various bugs identified from customers, we have changed how persisted connections apply against ratio and fixed ratio load balancing behavior to better conform to what customers expect.
ID 362117 Provisioning settings are no longer included in ConfigSync operations. To completely sync all objects, all systems must be provisioned similarly.
ID 364288 Some objects that were accessible from any context in system versions prior to v11.0 are no longer accessible with the same scope. A user might receive an inappropriate error message during a list or modify command. If the system gives the incorrect error message, change context to /Common and attempt the command again.
ID 365635 The ssldump utility does not decode data when protocol is TLS v1.2. There is no workaround for this issue in this release. For information about the ssldump utility, see SOL10209: Overview of packet tracing with the ssldump utility, available in the AskF5 Knowledge Base.
ID 367753 In this release, the software uses ssmtp to perform mail forwarding to a mail host for locally generated email messages from the BIG-IP system. The Postfix mail transfer agent has been removed. You can find information on how to configure ssmtp in SOL13182: Change in Behavior: Postfix has been removed from BIG-IP software and SOL13180: Configuring the BIG-IP system to deliver locally generated email messages (11.x) in the AskF5 Knowledge Base.
TMM move to 64-bit. As memory density increases, F5 Networks has made the strategic decision to move TMM to 64 bit with the version 11.0 release. In moving to 64 bits, the Traffic Management Operation System (TMOS) provides performance benefits in areas such as the ability to address all the physical address space. For example, we can utilize the full 48 GB of memory on the new 11000 platform. We can now build systems that can address an almost infinite amount of RAM with enhanced algorithm performance. The move from 32-bit to 64-bit TMM does increase the number of pointers and memory used per connection; therefore, with version 11.0, for each platform, the number of concurrent connections will be less. This is not specific to F5 Networks: every ADC vendor that uses a 64-bit OS also has a lower concurrent-connection capacity than it would have on a 32-bit OS.

Known issues

ID Number Description
ID 222005 On boot, the following message might be seen. It is innocuous and can be ignored:
  • err ti_usb_3410_5052.c: ti_interrupt_callback - DATA ERROR, port 0, data 0x6C
ID 222034 If HTTP::respond is called in LB_FAILED with large headers and/or body, the response may be truncated. TCP congestion-control state determines the threshold. For example, with slow-start enabled, and no data having yet been sent to the client, the response will be truncated after two packets.
ID 222041 If a blade is pulled from a chassis without shutting it down, it will be marked as failed (RED) until a new blade is put into that slot or a cluster-wide reboot. To avoid this problem, shut down a blade before removing it from the chassis. To fix the problem if it occurs, either do a cluster-wide reboot (when this cluster is not in use) or place a spare blade in the slot, wait until it goes non-red, and then shut it down before removing it.
ID 222051 iRule data collect and release (CR110761, CR113485). There is a new iRules feature that provides support for suspending a running iRule (for example, with the after command). If you are running an indefinite collect operation (that is, the iRule is running a ::collect command with no arguments), and in response to a CLIENT_DATA event the iRule processes the payload to a certain point and then suspends iRule operation, when iRule operation resumes and the iRule issues a ::release command, the operation might release more data than the iRule processed. Specifically, data that arrives when the iRule is suspended does not trigger an additional CLIENT_DATA event. Here is an example of how to ensure that an iRule releases only the data that it has already processed: before running any command that suspends a running iRule, have the iRule save the ::payload length in a variable. When iRule operation resumes, have the iRule issue a ::release $payload_length command. You can find extensive information about iRules on the Dev Central web site, available at http://devcentral.f5.com/.
ID 222131 iRule data collect and release (CR110761, CR113485). There is a new iRules feature that provides support for suspending a running iRule (for example, with the after command). If you are running an indefinite collect operation (that is, the iRule is running a ::collect command with no arguments), and in response to a CLIENT_DATA event the iRule processes the payload to a certain point and then suspends iRule operation, when iRule operation resumes and the iRule issues a ::release command, the operation might release more data than the iRule processed. Specifically, data that arrives when the iRule is suspended does not trigger an additional CLIENT_DATA event. Here is an example of how to ensure that an iRule releases only the data that it has already processed: before running any command that suspends a running iRule, have the iRule save the ::payload length in a variable. When iRule operation resumes, have the iRule issue a ::release $payload_length command. You can find extensive information about iRules on the Dev Central web site, available at http://devcentral.f5.com/.
ID 222149 AOM-based appliance platforms do not currently support blinking LEDs for Host alarm conditions.
ID 222221 TCP::close doesn't work properly with SSL-related iRules. To work around this, remove TCP::close from the iRule. Although the SSL connection works, it will not be closed until a timeout.
ID 222344 Dynamic routes might override static management routes. If a route learned via any dynamic routing protocol exactly matches a management static route, traffic from the Linux host will follow the dynamic route. NOTE: Regarding affected modules, the problem affects any module provisioned in TMOS as the root cause is in the core functionality shared by all modules.
ID 222438 PVA2 might return corrupted data in response to a virtual server stats query. When this happens, you might see messages in /var/log/ltm such as:
  • pvad[2099]: mra_lbdb_vxo_basic_::deserialize(): wrong type 1
  • pvad[2099]: 01130004:4: ../Pva2AsicFactory.cpp:724 - Dropping stats msg. VSO deserialize failed.
This can usually be fixed by running the command "bigstart restart pvad". Note that doing so will disrupt traffic for a short interval.
ID 222666 If using the auto-failback feature of a traffic group, set the auto-failback delay to at least 60 seconds to allow for the state mirroring information to be re-mirrored.
ID 222806 If an httpclass selects a pool other than the default pool associated with the virtual, and the subsequent request on the same connection matches no httpclass, then the default pool is not applied; the previously selected pool continues to be used. Enabling OneConnect is a workaround for the base scenario. However, a similar issue resurfaces if RamCache is used in conjunction with OC. Either of the following should work, regardless of whether OC or RC are in use.
  1. At the end of the httpclass list, include a catch-all httpclass (all selectors set to "none") which selects the desired default pool.
  2. Configure the default in the virtual, as usual, but add the following iRule:
       when CLIENT_ACCEPTED priority 900 {
           set default_pool [LB::server pool]
       }
       when HTTP_CLASS_FAILED priority 100 {
           pool $default_pool
       }
ID 223031 tcpdump and packets on Puma I and Puma II (CR126976). If you run the tcpdump utility from a Puma I blade on a VIPRION chassis containing a mix of Puma I and Puma II blades, the process does not show packets from the Puma II blades. To work around this issue, run the tcpdump operation from the Puma II blade.
ID 223355 If you are using ldap auth or ldap system-auth in an Active Directory environment, we recommend that you add a workaround line to ldap.conf that stops the chasing of all referrals. To do so, add the line "REFERRALS no" to the /etc/openldap/ldap.conf file.
ID 223412 When configuring a ConfigSync peer IP address, the IP address must reside in the default route domain. The default route domain has an implicit value of zero (0). ConfigSync operations will fail if you configure a peer address that contains an explicit route domain ID. For example: 192.168.20.100%10. When a ConfigSync operation fails due to this issue, the BIG-IP system returns error messages that appear similar to the following example:
  • Checking configuration on local system and peer system...
  • Peer's IP address: 192.168.20.100%10
  • Caught SOAP exception: Error calling getaddrinfo for 192.168.20.100%10 (Temporary failure in name resolution)
  • Error: There is a problem accessing the peer system.
  • BIGpipe parsing error: 01110034:3: The configuration for running config-sync is incorrect.
ID 223421 (CR 129602) If a disk is removed from an array, the serial number of the disk persists in the system until it is removed. There is no workaround for this issue.
ID 223651 An SFTP client may emit an error message containing "Received message too long" when the user is unprivileged and may not use sftp.
ID 223724 On a system using Packet Velocity application-specific integrated circuit (ASIC) version 2 (PVA2) and version 10 (PVA10), specifically the 3400, 6400, 6800, 8400, and 8800 platforms, if you configure an inband monitor on a virtual server configured for FastL4 traffic, the Traffic Management Microkernel (TMM) never receives the traffic necessary to mark pool members up or down. You can work around this issue by setting Fast L4 Profile option PVA Acceleration to Assisted on these platforms.
ID 223787 On a back-end server that has a passive monitor assigned to it along with an active pool member or an active node monitor, when a monitor other than the passive monitor marks a pool member down, the system writes out a core file and posts the following message: notice panic: ../base/pool.c:3453: Assertion "Pool member is passive downed" failed. The workaround is to remove the passive monitor from the pool member.
ID 223796 When an SFP is not inserted in a VIPRION interface socket, the interface status should show "MS" (missing); instead the interface status might show "DN" (down).
ID 223830 It is possible that with increased throughput, SNMP stats might report lower TMM CPU usage values than top.
ID 223836 In server SSL profiles, when Strict Resume is enabled, the system fails to renegotiate with unpatched SSL servers. Although you can work around this by disabling Renegotiation on the associated server SSL profiles, the recommended remedy is to patch the vulnerable servers.
ID 223885 The hash persist profile was extended in 10.0 with new options, but is no longer supported in combination with FastL4 virtuals.
ID 223890 In v10.0, LB-related ratio values of up to 65535 were allowed in configs and via iControl. Currently, validation prevents any value greater than 100.
ID 223944 Under certain conditions, a given clusterd can start logging to /var/log/ltm at level "info" saying "Timer late 0.001999696 seconds" continually. This has been observed as frequently as every 20-30 seconds on primaries only. If the timer is late on the order of milliseconds, as it is in this example, this message can be safely ignored.
ID 223951 Redundancy State Preference can cause APM sessions to break in the event of failover. If the active unit fails and comes back up quickly, APM session information can get lost causing sessions to display inconsistently between active and standby units, or even completely fail. It is recommended to keep Redundancy State Preference set to None when using APM.
ID 223959 A BIG-IP system has limits to the number of objects that might be configured when the configuration contains virtual servers for which Packet Velocity ASIC (PVA) acceleration is required. If more than the specified maximum number of objects is configured, virtual servers that otherwise qualify for PVA acceleration are demoted to wire mode (no PVA acceleration). In wire mode, traffic will not be distributed among multiple links of a trunk and instead will all be sent down a default link. This can limit traffic throughput.
ID 224069 Hardware accelerated flows are timed out by software if there is no activity observed during a configurable period, which was recommended to be 60 seconds in a previous solution. Under the worst case, BIG-IP software probably can't receive flow status reports for both hardware flows in less than 88 seconds, therefore it is recommended to use 90 seconds as the configuration value.
ID 224195 The system does not prevent you from deleting a self IP address that an EtherIP tunnel uses, or from creating an EtherIP tunnel using nonexistent IP addresses. Doing so, however, results in an inoperable tunnel. To ensure that an EtherIP tunnel operates as expected, do not delete any of the self IP addresses that are associated with VLAN "wan" and specified in the EtherIP tunnel object.
ID 224249 When executing any of the following events: ASM_REQUEST_BLOCKING, ASM_REQUEST_VIOLATION, ASM_RESPONSE_VIOLATION, REWRITE_RESPONSE_DONE, REWRITE_REQUEST_DONE, and when executing any of the commands that could suspend the iRule interpreter, including but not limited to "after" or "ASM::violation_data", if the connection is closed by any means, it is possible to get an iRule execution error.
ID 224294 SASP monitor validates timeout and interval although these values are not used by the monitor.
ID 224406 The dashboard cannot handle numbers that exceed 32 bits. If a statistic goes above that number, dashboard values will be incorrect.
ID 224507 When BIG-IP Virtual Edition (VE) is deployed on VMware®, the management port might not correctly reflect the uplink port speed of the vSwitch that it is connected to. This should have no adverse effects on actual management port traffic.
ID 224520 bcm56xxd service and SFP module type swaps (CR136646). The bcm56xxd service's small form-factor pluggable (SFP) plug_check mechanism (for example, bs_i2c_sfp_plug_check()) looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) since the check does not look at pluggable media type changes. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module.
ID 224599 When using iControl's Management.Provision.set_level() to provision modules, you must also call System.ConfigSync.save_config(); otherwise, the provisioning state will not persist across a reboot.
ID 224698 Plugin-initiated connections do not use the SNAT pool, if configured (formerly CR 137381).
ID 224781 Virtual server Status filter and pagination (CR137680). Pagination does not work properly in the browser-based Configuration utility when using the Status filter. The workaround is to look through all pages when using that filter in order to determine the number of objects with the selected status.
ID 224881 On AOM-equipped platforms, changing the management IP via the front-panel LCD multiple times might result in fields on the LCD being displayed with a value of 0.0.0.0.
ID 225242 The nodes are not marked up until after the timeout has elapsed for default UDP monitors.
ID 225431 Disabling the LCD display is not persistent across system restarts. This is for diagnostic purposes.
ID 225550 Nodes and pool members forced offline by the user start being monitored if the configuration is reloaded (but they are still down or offline).
ID 225588 Error conditions such as unreachable IP addresses, and unavailable TACACS+/RADIUS services, are not logged to /var/log/ltm for the TACACS+ RADIUS audit forwarding accounting feature.
ID 225851 tmsh does not have a facility for removing "missing" array members. When an array member is physically removed from a system, the serial number will remain on the system, listed as a "missing" disk. If you need to remove this serial number from the list, you will have to use the GUI or the "array" command on the CLI.
ID 225915 Some LCD warning messages might not be displayed on LCD (such as "unit going standby") due to a race condition between the creation of these screens by the fpdd daemon and the arrival of the LCD warning messages to the fpdd daemon.
ID 225971 When route health injection is configured, advertised virtual addresses might be erroneously advertised by the LTM that is not active for the traffic group (formerly unit id) that the virtual address is assigned to.
ID 226158 This release disallows installation to 1500, 3400, or 3410 platforms.
ID 226303 For ICMP or HTTP monitors, the total shown in the page advance drop-down can be misleading if you have more than one page of instances. (This occurs only when the system is configured to display fewer than the number of available instances.) The Show all of (number) corresponds to the number of available instances for the monitor, not to the number of instances.
ID 226490 If an iRule parks the Tcl interpreter, then the STREAM profile incorrectly continues to pass through events, which may result in a TMM crash.
ID 226564 The LTM Statistics and GTM Statistics dashboard components might perform very slowly and/or cause out of memory errors when used in environments with large configurations (e.g., thousands of LTM and/or GTM objects).
ID 226791 Due to screen limitations, the BIG-IP system LCD cannot display serial numbers larger than 16 characters. To see larger serial numbers, use the GUI or a tmsh command.
ID 226882 The iControl validation prevents creation of a SASP monitor (Formerly CR 142320). Instead, create the SASP monitor on the command line (tmsh) or in the web browser.
ID 226923 If data is stored in the session cache containing UTF-8 multi-byte sequences in the range c080 through c0bf, then the retrieved data will be corrupted by unintended character-set conversion.
ID 226964 Node marked down by a monitor that is waiting for a manual resume mistakenly displays Enabled State in its GUI properties while it stays down. In 11.0.0 the workaround is to simply click on 'Update' button which truly enables the node.
ID 227189 When all evals have expired, the web browser shows All Evaluations have Ended warning only if one or more evaluated modules is provisioned. The command line shows EvalExpired regardless of what modules are provisioned. The web browser behavior is new in this release. The command-line behavior is as it was in version 10.x.
ID 227272 Link status after replacing tri-speed copper SFP with fiber SFP (ID227272, CR83207). If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status.
ID 227276 GTM FTP monitors always mark IPv6 FTP servers down regardless of their true operational state.
ID 227281 When a full-proxy HTTP virtual with ramcache, fallback, and deferred accept configured executes the reject command in the CLIENT_ACCEPTED event, TMM restarts.
ID 227319 Ramcache configurations which approach the limit of total memory allowed for use by ramcache might cause caching to be disabled for one or more virtual servers.
ID 227358 Using the source port preserve strict option requires special considerations to ensure proper traffic flow and distribution.
ID 227369 Generating a SIGINT or SIGQUIT on the serial console during login causes all services to die and restart. Further, SIGQUIT may cause chmand to get caught in a loop of failed restarts, requiring a host reboot. This was fixed in 9.x and 10.0.x, but that fix had to be reverted in 10.1.0 and after.
ID 243799 Media speed messages in log file (CR137973). When starting the BIG-IP system or when removing an interface from a VLAN, the system logs media-related messages to the file /var/log/ltm. You can ignore these messages.
ID 247011 SSL keys and certificates for HTTPS and SIP monitors (CR107415). Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable.
ID 247559
    --nosaveconfig: Do not save and restore config
    --nomoveconfig: Save/restore in same location; the installation location
    tmsh modify db liveinstall.moveconfig value disable
    tmsh modify db liveinstall.movelicense value disable
    tmsh modify db liveinstall.saveconfig value disable
    tmsh modify db liveinstall.savelicense value disable
These db variables are currently documented in Solution 11267.
ID 247894 iRule substr function is not able to use a string with a number in it as a terminating string. Instead it converts that string to integer and mistakenly uses it as a substring length.
ID 248489 UCS error and remote user logon operations (ID248489, CR87863). If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user.
ID 248550 For a group name that contains spaces, the LDAP valid_group attribute is not properly escaped with square brackets (Formerly CR 88837-1). The workaround is not to use spaces in valid groups.
ID 249083 An address wildcard virtual server has to be deleted and re-created when changed from IPv6 to IPv4. Without the intervening deletion, neither IPv6 nor IPv4 traffic matches the virtual. It works as expected when changing from IPv4 to IPv6 (Formerly CR 98831).
ID 283445 Encrypted key-to-FIPS conversion (CR98760). When you convert an encrypted key to a Federal Information Processing Standards (FIPS) key, the system presents the error: Certificate/Key mismatch and does not perform the conversion. To perform a successful conversion in this case, you must use the command-line utility to decrypt the key, and then convert the key to a FIPS-type key.
ID 284753 Transparent IPv6 monitors do not work.
ID 291373 The small form-factor pluggable (SFP) ports on BIG-IP 8900 platforms are 10Gbps-only ports. On a BIG-IP 8900 platform, a SFP plus can operate at 1Gbps speed in an SFP slot, but SFP modules do not operate at 1Gbps speeds in an SFP plus slot. This is a hardware constraint.
ID 319551 traceroute6 to an IPv6 host incorrectly displays the hostname and IP address of the destination as that of the intermediate hops. The timing values reflect each hop in order, not the destination as indicated.
ID 336885 There is a memory leak that affects Firefox 3.6 but not Internet Explorer 8. The leak occurs because of an interaction between the dashboard and the web browser. The workaround is to use Internet Explorer to view the dashboard.
ID 336986 If a hard drive is in the process of replicating and an install to a non-existent volume set is started, the array status for the replicating drive will transition to "failed" while the volume sets are created. They are created at the very beginning of the installation, so this failed status should last no more than a minute. After the volume set is created, the status will go back to "replicating", as expected.
ID 337222 When creating an IP-based datagroup/class, any route domain information that is specified as part of the datagroup entries will be ignored by the iRule class, matchclass and findclass commands.
ID 337401 The behavior of the installer has changed with regard to the creation of new volume sets. In previous releases, an empty volume set could be created without a product installed to it. In 11.0, it is no longer possible to create an empty volume set. The creation of a new volume set is now done at install-time using TMSH or the GUI.
ID 337583 When using the percent up cluster members feature of ha-groups, the cluster member portion of the ha-group is not loaded correctly after a reboot (or mcpd restart).
ID 337774 When you tab-complete the command "tmsh show sys raid bay", the results show eight bays. This only affects platforms in the Apollo family, which have 4 bays.
ID 337824 GTM UI: Modifying VS attributes strips trailing spaces from server name causing the following error: VS <name_you_entered> server <server_name_you_entered> does not exist
ID 338426 Clusterd can core on shutdown under certain circumstances, seen only so far with vCMP. It only happens when clusterd is shutting down, after it has taken care of all notifications to other system components, so the core can be safely ignored.
ID 338450 On VIPRION blades, the BIG-IP system might log error messages about kernel-owned interfaces similar to the following messages (these are innocuous and can be ignored):
    slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc error: MiiNic: failed to send cmd to driver: readPseMii ioctl on: eth2Phy & Reg:1e:1a returns:Invalid argument
    slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc error: MiiNic: failed to send cmd to driver: getStatusReg: timeout wait for result
ID 338799 If a pool has all members down/disabled but is enabled itself, it shows up as green with an error message. The child pool member(s) might be disabled. There is no workaround for this issue.
ID 339681 tmsh does not support multiple .iso file installation with one command. This feature was part of bigpipe utility command set, but has yet to be introduced to tmsh. To work around this, issue each .iso file installation separately in a script or transaction.
ID 340696 NTPD fails to start when a large number of VLANs and/or self-IP addresses are configured.
ID 341019 Dashboard does not show connections that are generated when the type of virtual server is performance HTTP.
ID 342319 The parameters "recursion yes" and "forward only" are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI.
ID 342325 If username and password have not been configured for a RADIUS accounting monitor, it will try to connect with a <NULL> username-password.
ID 342423 The statsd process computes the value for system-wide CPU usage using a formula: process "A" CPU usage divided by the number of CPUs on the chassis. Assuming a chassis fully populated with PUMA I blades, the average is divided by 16. If a blade drops out, the number of CPUs is now 12, so while that blade is out of circulation, the data is divided by 12. However, even for the 5-second window, it is possible that the average might be calculated incorrectly.
Example: From time1 to time4, there are 16 CPUs on the box, and processA is using 96% of its CPU. At time5, one of the blades drops out. The calculation to compute CPU and system usage happens at this time. Before the blade dropped out, the system-wide average was 96/16 = 6. When the blade drops out, the system-wide average is 96/12 = 8. That is a small difference. Although blades going down should not happen often, when it does happen, it is only the first 5-second system-wide average that is affected. The next average will be correct.
ID 342670 Some disk management interfaces show the shelves with letters and some use numbers. For now, shelf 1 == a and shelf 2 == b between interfaces.
ID 342734 The AOM is not reset under normal conditions, but if it should reboot, it is possible that the Host management interface traffic could be interrupted for as long as 10 seconds.
ID 343030 The named process might log the following error in daemon.log:
    Oct 22 09:44:24 local/localhost err named[8832]: 22-Oct-2010 09:44:24.278 general: error: managed-keys-zone ./IN/external: loading from master file 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys failed: file not found
Although it reported the error, the daemon is up and running, so you can safely ignore the error.
ID 343405 For the ToS property on all three protocol profiles (tcp/udp/sctp), the range of valid values is: 0-255, 65534 (Mimic), and 65535 (Pass Through). For the QoS property on all three protocol profiles (tcp/udp/sctp), the range of valid values is: 0-7 and 65535 (Pass Through).
The ToS property of all profiles (tcp, udp and sctp) can be set to Mimic and Pass Through, and can also be set to these values by their numeric equivalents (65534 and 65535). The QoS property of all profiles (tcp, udp and sctp) can be set to Pass Through and its numeric equivalent (65535). Also verify that it looks good in tmsh too.
ID 343467 Due to limitations in the firmware of the Cavium CN1620 FIPS 140 certified crypto accelerator, synchronization of FIPS security domains cannot be performed more than once every 5 minutes from the same device (i.e., using the device as the source for the synchronization).
ID 344132 Application Presentation Language (APL) "editchoice" elements within APL tables are rendered as "choice" elements without the ability to provide free-form edits.
ID 344226 Trying to create a CRLDP server using a name that already exists fails with the message "An error has occurred while trying to process your request." A more accurate message is "The requested CRLDP server (<crldp_server_name>) already exists in <partition_name>.".
ID 344231 The "Name" and "Address" fields for CRLDP Servers are required attributes even though they are not indicated as such in the GUI.
ID 344698 The provisioning level for vCMP should only be set to "dedicated" or to "none". Other levels are not supported and might not work.
ID 345092 When a RAID system is booting, the system posts the message: Press <CTRL-I> to enter Configuration Utility... However, pressing Ctrl+I has no effect. It is not possible to enter the Configuration utility this way. This is a hardware constraint. Instead, you can configure RAID parameters through TMOS.
ID 345529 If you follow these steps, the system allows you to create the following invalid configuration.
    1. Create a pool with wildcard members.
    2. Assign member-specific health monitors to each member.
    3. Assign a TCP health monitor to the pool.
Instead, you should perform step 3 before step 2 to prevent the invalid configuration.
ID 345909 To halt a VIPRION 2400 blade, use the halt command rather than the shutdown command. If you use the shutdown -h now command, the system does not halt, but instead reboots.
ID 345930 The "IPv6 NoError Response" and "Enabled" fields are missing input controls for Inbound Wide-IPs in the Link Controller UI.
ID 345940 MSM v1.0 and v1.1 are not compatible with BIG-IP v11.0.0 and will not install properly.
ID 346072 An issue where a connection could be processed through a set of active modules in the wrong order has been corrected.
ID 346354 The cli admin-partitions update-partition is still available, though it should have been removed. The only available option shown with tab complete is none and this gives an error.
ID 346875 Even though the vg-reserved attribute is shown via the "tmsh list sys disk" command, it is not supported on SSDs, and does not reserve the 1024 that is shown.
ID 347070 When configuring a BIG-IP to BIG-IP IPsec tunnel with the topology Client -> bigip A -> bigip B -> Server, the ike-peer on bigip B (the server-side BIG-IP) that corresponds to <bigip A> should be set to "passive true". In short, the server-side BIG-IP should act as a passive ike-peer and should not initiate ISAKMP negotiation. To work around this, on the server-side BIG-IP, set the corresponding ike-peer to "passive true".
ID 347073 Configuration changes to objects are not immediately reflected in the LTM Statistics and GTM Statistics widgets in the dashboard.
ID 347077 When you create an application template that has Application Security Manager enabled, the system also creates an ASM application object. However, if you delete this application template, the system does not delete the ASM application object. To correctly delete an application template that has Application Security Manager enabled, perform the following actions in the following order:
    1. Delete the virtual server.
    2. Delete the HTTP Class.
    3. Delete the ASM application object.
    4. Delete the application template that has Application Security Manager enabled.
ID 347265 Additional configuration information: HTTP classes and traffic bypassing module processing (ID 347265). Depending on your configuration of the HTTP class profile and the traffic on your system, some requests might bypass module processing by the Application Security Manager™ and the WebAccelerator™. We recommend you read SOL8018: Overview of the BIG-IP HTTP class traffic flow and SOL12268: Successive HTTP requests that do not match HTTP class may bypass the BIG-IP ASM in the AskF5 Knowledge Base. These solutions contain important configuration information needed to prevent traffic from bypassing Application Security Manager and the WebAccelerator module processing.
ID 348214 The openssl s_client command defaults to secure renegotiation. To support servers unpatched for secure renegotiation, use the -legacy_renegotiation option instead.
ID 348502 It is highly recommended to only use tmsh commands or iControl to delete vdisks. Deleting a vdisk from the file system (e.g., using bash), can lead to unexpected behavior if the system later attempts to use the vdisk.
ID 348503 WMI monitor reports "not found" for LoadPercentage, CurrentConnection, GETRequestsPerSec and POSTRequestsPerSec when probing IIS 7.5 on Windows® 7.
ID 349062 In this release, we removed the SSL peer certification mode "auto" from all BIG-IP interfaces. The upgrade script contains logic to change "auto" to "ignore" in configuration files. However, we have not made a similar conversion for iRules because it is our policy not to alter iRules during upgrade. If you have iRules that use SSL peer certification mode "auto", you must change them to use "ignore". Otherwise, they will not work. There is no functional change incurred by doing so.
ID 349242 The load balancing method 'Ratio Least Connections (node)' does not perform correctly with 'Performance (Layer 4)' virtuals.
ID 349621 Drop-to-BIND performance has dropped in this release. The DNS Express feature in this release should alleviate the performance drop in BIND.
ID 349753 An empty sub-folder, even after saving, might not properly load during the tmsh command "load sys config partitions all".
ID 350109 It is strongly recommended to remove the "dont-insert-empty-fragments" option from the SSL profiles when enabling Proxy SSL. This will be performed automatically when creating a profile through the GUI, but might require a manual step when the profile is created from the command-line interface.
ID 350249 Only 8 TMMs are shown with "tmstat cpu" on platforms which have more than 8 CPUs.
ID 350652 A defect has been addressed which could cause TMM to core and restart in certain connection teardown conditions when using ramcache.
ID 350888 This version of the software does not support IPv6-formatted IP addresses on the management port. To work around this issue, you can use IPv4-formatted IP addresses for configuring the management port.
ID 351519 The configuration files used by pam and tamd are changing names between 10.2.x and this release. The files are currently being saved and then restored on upgrade, and in addition, the new files are being created when the associated mcp objects are created, which results in both the old and new versions of the files being present after upgrade.
ID 351614 Creating or modifying applications based on the f5.microsoft_exchange_2010 template can take several minutes when the template form is submitted using some versions of Internet Explorer®.
ID 351650 On 11000 platforms with SSD drives, the LCD incorrectly shows the SSD drives in bay 3 and 4 as part of its RAID status. As the SSDs are not part of RAID, they display a status of Unknown or Undefined for the SSD sled bays 3 and 4. A more accurate status is Not part of RAID.
ID 351874 When importing an ISO image into the Software Management screens in the Configuration utility, some browsers (for example, Microsoft Internet Explorer and Google Chrome) show /fakepath/ instead of the actual file path. This is expected behavior for HTML5-compatible browsers. You can work around this by adding the site to Trusted Sites. In addition, in Internet Explorer, you can work around this by setting the option "Include local directory path when uploading files to a server" in Internet Explorer :: Tools :: Internet Option :: Security :: Custom properties.
ID 351934 Booting with SSD installed, you will be able to see the SSD sled activity light blinking while the other spinning media sleds do not. This is normal.
ID 351959 The message "error on subcontainer 'ia_addr' insert (-1)" happens on all the platforms. The interface refreshing period is 30 seconds. So, the error is shown every 30 seconds. In most cases, this is "harmless". (http://sourceforge.net/tracker/index.php?func=detail&aid=1693039&group_id=12694&atid=112694) This message does not seem to affect our platform performance.
ID 352560 SplitSSL is incompatible with persistence profiles.
ID 352772 When using the percent up pool members feature of ha scoring, after a reboot an incorrect score is created for the pool members and an incorrect failover may occur.
ID 352835 Whenever a profile is created, an associated row is created in the profile stats table with the default listener name _listener. When a profile is associated with a virtual IP, another row is created with the listener name set to the virtual IP name, for example, httpcompression_listener. These rows are used to track the statistics and do not impact the ability to pass traffic.
ID 352848 If an HTTP client sends a request with a body, and there is a pipelined request following it, and there is an iRule performing an HTTP::collect, then the HTTP::payload command may include data from the following request(s).
ID 352925 Updating a suspended iRule assigned via profile causes the TMM process to restart when trying to return to the suspended iRule. To work around this, assign the iRule to the virtual server instead of assigning it to the profile.
ID 352957 Established flows via virtual servers with iRules using the "node <addr>" command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail (due to mis-routing of packets) after a route table change, even if the change does not affect any of the addresses used in the flow. New flows established after the route table change will work as expected. There is no workaround for the problem.
ID 353101 The SQL monitor hangs with a <NULL> receive string. The workaround is to substitute the probable <NULL> receive strings with <substitute-value> strings using constructs like ifnull(<column-name>, <substitute-value>).
ID 353154 Creating an instance of an ltcfg object from iControl might fail with a field validation error.
ID 353249 LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected on PVA platforms, when using FastL4 profile with PVA in 'Assisted' mode.
ID 353374 Some ASM settings that are owned by an iApp Application Service may be writable even if strict-updates are enabled for the application. This may allow inadvertent changes that may affect the functionality of the application. The changes may be overwritten the next time the application is updated.
ID 353621 You can get an error from tmsh when adding a device to the trust-domain that says the device cannot be found: "The requested device (10.10.20.30) was not found." This error actually indicates the "name" parameter was not specified in the command.
ID 353623 In SNMP, the average MaxConns in sysGlobalStat always reports 0: F5-BIGIP-SYSTEM-MIB::sysStat{Client,Server}MaxConns{5s,1m,5m}.0
ID 353686 You cannot delete devices from the trust-domain using their IP addresses, even though that is how they are added. You need to use the device object name to delete devices from the trust-domain.
ID 353812 There is no way to show/modify global VLAN Group Proxy Exclusion List via tmsh. If you have config objects named all, you must rename them before upgrade.
ID 353837 The expression builder now spits out IPv4 and IPv6 code for the selected protocols. Additional syntax can be found by looking at the man page for tcpdump.
ID 353853 On the VIPRION platform, clusterd sometimes erroneously reports "Error adding cluster mgmt addr, HAL error 7". If the operation of a unit that has given this error is in question, check the IP addresses on each blade to verify that the floating cluster management address appears on only one interface of one blade.
ID 353944 Warning: You cannot simultaneously upgrade to version 10.1.0 or later and perform a formatting operation. Version 10.1.0 introduced the larger partition scheme, so upgrading from 9.x system requires a formatting operation. In addition, users who plan to migrate to logical volume management (LVM), the disk-management scheme introduced in 10.x, must also format the drive. However, the 1500, 3400, and 3410 platforms with the minimum 1 GB of RAM cannot accommodate a simultaneous upgrade and format operation. For information about upgrading and formatting for the larger partition size, see the related solution.
ID 354149 tmsh tab complete feature incorrectly adds a space to the command line when finishing a folder name for property items inside a single command.
ID 354161 If a BIND zone that underlies a DNS-Express zone expires, DNS-Express will continue to handle queries for that zone. Disable or delete the DNS-Express zone itself if you want DNS-Express to stop answering queries.
ID 354188 Connection mirroring for three or more devices will not be supported in this release.
ID 354221 LTM + ASM + WAM + AVR cannot be provisioned on 3600s.
ID 354386 References to ltcfg-based profiles do not properly disambiguate in context from given basenames.
ID 354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart tmm.
ID 354972 In some cases, tmsh will not properly recognize hostnames as an item reference for commands.
ID 354986 We allow virtual server configurations where the server-side profile does not match the virtual server's protocol type. This type of configuration is supported via tmsh, but is not supported in the GUI.
ID 354993 When loading a UCS, the following message may appear in the ltm log:
    debug bigd[3980]: External program not found in monitor /Common/external @528, file conv_to_service.cpp
This message is benign and it can be ignored.
ID 355018 GTM logging does not put the event name in the output. This has always been the case, so it is a widely known issue.
ID 355211 If mcpd is restarted on the lowest numbered blade in a cluster when that blade is primary, two primary changes will happen instead of one.
ID 355299 PVA acceleration can be configured on a platform without a physical Packet Velocity ASIC present. The setting has no actual effect and is harmless.
ID 355432 When a watchdog event happens, chmand logs false power-related failures. Here is the complete message from the ltm log related to the watchdog event:
    Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: CPLD indicates prior Host CPU subsystem reset
    Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: CPLD indicates prior System error
    Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: CPLD indicates prior Host CPU subsystem power-off
    Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: Host CPU subsystem reset - PCI reset asserted
    Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: Host CPU subsystem reset caused by a Southbridge system reset
    Mar 30 11:51:31 RackC641 warning chmand[3557]: 012a0004:4: System error caused by Host CPU(s) indicating thermal trip event
    Mar 30 11:51:31 RackC641 warning chmand[3557]: 012a0004:4: System error caused by DC-DC converter power output suspect
    Mar 30 11:51:31 RackC641 warning chmand[3557]: 012a0004:4: Mercury CPLD DC power error register = 0xff
    Mar 30 11:51:31 RackC641 warning chmand[3557]: 012a0004:4: Mercury CMOS Host Watchdog Reset Counter indicates 1 previous watchdog timer reset(s).
These messages are incorrect, and you can safely ignore them.
ID 355555 Virtual servers attached to a FastHTTP profile sometimes send TCP resets after getting HTTP headers on the first few connections.
ID 355564 The Error message "The requested unknown (/Common/traffic-group-1 /Common/bigip1) was not found." might appear in the log during startup. This message does not indicate a problem, and can be ignored in this situation.
ID 355616 ltm virtual-address objects are only shown in tmsh list output when specifically requested, as in "list ltm virtual-address", not in commands such as "list ltm".
ID 355622 tmsh "list" output most commonly shows only user-specified settings, unless the "all-properties" argument is given, in which case both default and user-configured settings are shown. In this release, some default settings are shown in the "list" output, even when "all-properties" was not requested.
ID 355924 On DNS responses directly from a BIGIP (from gtm, dnssec, dns-express) the edns0 nsid option len and data will be stripped. If the response is not modified by the BIGIP (from BIND or pool member), then it will not be stripped.
ID 355937 GTM validation for pool members will currently reference the backing VS instead of the pool member. Also, the syntax for specifying a VS in an iRule is as follows: server_name vs_name This can be with or without a folder on the server name. The only issue is that tmsh uses a ":" to separate a pool member's server/vs_name, whereas iRules commands which reference a pool member expect the vs format as specified here.
ID 355973 Some non-CMI file object names can't start with an alphanumeric character.
ID 356073 Every part of the iApp template's presentation section is run every time, even the hidden parts. This means that anything that might crash, if something isn't provisioned, needs to be enclosed in a TCL block that is protected with a catch.
ID 356147 Version 11.0 added a new setting to the persistence profile for controlling the proxy map settings (proxy map class, mask, and mapped address attributes). However, TMUI support was not added for those. So, if you set them on a persistence profile using tmsh or iControl, the TMUI might unset them when viewing that profile.
ID 356287 The issue was that a FastL4 connection used by a virtual server could be reset/closed by a forged ICMP "Destination Unreachable" message, thus disrupting existing flows on a BIG-IP system.
ID 356319 You cannot reset the management port statistics (those that appear under Network: Interfaces: Statistics). The system does not report an error, but also does not reset statistics.
ID 356340 Additional virtual servers can be added to an AVR profile that is owned by an iApp Application Service even if strict-updates are enabled for the application. This may allow inadvertent changes that may affect the functionality of the application. These changes may be overwritten the next time the application is updated.
ID 356348 iApps application service objects will not be synced to GTM devices.
ID 356586 BIND v9.7, new in v11.0.0, requires an A (IP address) record for a Nameserver (NS) entry in its configuration. In the past, a FQDN or CNAME for the NS was sufficient. This means that upgrades of BIND configurations to v11.0.0 might fail to load if such an A record is not present (the symptom will be zrd stuck in a restart loop). The best solution is to create an A record for the NS *before* upgrading.
ID 356705 After completing the setup wizard in the configuration utility, the user is redirected to the welcome screen. The menu on the left should also change from the restricted setup menu to the full menu, but occasionally it does not. In this case, the workaround is to log out/in or refresh the browser.
ID 356718 In Appliance mode, all users get the nano editor.
ID 356814 Merging interval is controlled by a db variable merged.merge.interval. It is set, by default, to 1 second. To decrease cpu usage by the process "merged", this value may be changed with:
    tmsh modify sys db merged.merge.interval value N
"0" will turn off merging of statistics. NOTE: This means that statistics will not be updated and all statistical data will be stale. The recommended range is between 1 and 10. Setting the value larger than 10 will mean that the statistics in the graphs will be unreliable as it is expected that the data will be updated at least once every 10 seconds.
Another db variable for merged is: merged.nice.level. By default this is ZERO. The range of allowed values is 0 to 19. This sets the Linux nice level of the merged process priority. The higher the number, the lower the priority of the process. This is another knob to tweak the performance impact of large configs and the merging of their stats.
ID 356849 On VIPRION 2400 platforms, /var/log/tmm shows the OCTEON revision as pass1 regardless of revision number. The log entry appears similar to the following: Cavium Octeon (0x1.10GHz 63xx rev pass1) 1024MB The pass1 designation is incorrect and should be the actual revision number.
ID 356862 Due to the migration from bigpipe to tmsh we no longer support bigpipe commands. If a bigpipe command is issued on a BIG-IP system running version 11.0.0, a core file can be produced. No interruption of service has been observed.
ID 356938 Special characters (such as the Yen sign) in data group names generate garbage characters. Do not use special characters of this type for data groups.
ID 357132 For disk usage modules capable of using a datastor, deploy all additional disks and provision them as type "datastor" prior to provisioning the module.
ID 357262 As a workaround, reqlog now closes the connection whenever it serves an HTTP response on a logging error. Ideally, it would keep the connection open when the protocol is HTTP/1.1 or higher.
ID 357656 When you use "bigstart restart" to restart a guest, the system logs the message: Apr 25 15:43:27 slot1/vcmp1 notice chmand[7975]: 012a0005:5: Chmand cleanup: Slot:Led:Color (1:3:0) not succeed: virtual void Hal::NullAnnunSvc::ledSet(Hal::LedFunction&, Hal::LedColor&, uint32_t&, uint32_t&, uint32_t&) This is a benign message and you can safely ignore it.
ID 357705 Loading the default configuration may cause the system to go offline before resuming the active status.
ID 357708 The script GTMPARSE is no longer needed or supported in v11.0.
ID 357728 The cli-settings hostname-lookup setting has been deprecated. The command is relevant only to bigpipe, which has been removed in version 11.0.0.
ID 357822 User can use "delete cm trust-domain all" to create or fix trust-domain when loading a blank or inconsistent SCF.
ID 357852 If a device is part of an established trust-domain but is added into a second, separate trust-domain, the devices in the original trust-domain will still have references to the device. It is recommended that you delete the device from the trust-domain from a certificate authority before adding it to a different trust-domain.
ID 357874 Creating an overlapping route can cause an unclear configuration exception message, such as: 1. [root@ltm-56:Active] config # tmsh create net route test_route_ipv6 network 2002::1/128 gw 2002::3 2. [root@ltm-56:Active] config # tmsh create net route default-inet6 { gw 2002::1 } 01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -113 (for static route create: ::/0 gw 2002::1 in vlan '') - net/validation/routing.cpp, line 332.
ID 358019 NATs require a translation-address, but the error message does not indicate this. Instead, when you create the NAT, the message posted is 01020059:3: IP Address :: is invalid, must not be all zeros. To work around this, make sure to include a translation-address.
ID 358063 If you do a "restart sys service all" from tmsh shell, the next command you issue will result in the error message "The connection to mcpd has been lost, try again.".
ID 358099 If two devices have different provisioned modules, then the application with those modules configured in one device might not be able to sync to the other device. The two devices will be out of sync and cannot recover in this situation. For sync to occur correctly, both devices must have the same provisioning.
ID 358112 When adding an active device to a device group that already has an active device, it is non-deterministic which will remain the single active device after the add.
ID 358191 If the user resets the trust and changes the host name of the device, the other devices in the trust domain still show the unchanged, former host name and show the device as still attached.
ID 358268 The TMUI currently allows the DNS64 Prefix to be up to 128 bits (a full IPv6 address), but actually, a valid prefix is only the first 96 bits. Thus, the last 32 bits (last 2 hex tuples) should be all zeros (e.g., 64:ff9b:0:0:0:0:0:0).
ID 358413 TM shell replaces bigpipe shell as the primary command-line interface in version 11. Prior to upgrading your environment, please ensure that bigpipe scripts have been converted to TM shell.
ID 358575 The traditional ConfigSync mechanism has been antiquated and replaced with a more robust MCP-to-MCP communication mechanism. As a result, UCS files now load the full configuration in all cases, and no longer have the concept or ability to only load the "shared" portion. Loading of UCS files created on a different device is no longer supported.
ID 358615 When modifying failover unicast addresses via tmsh, user should be aware that all addresses must be specified even if the intention is to remove or add a single address to/from the list. For example, given a device with two existing unicast addresses, this command will replace both addresses with a single address: modify cm device centmgmt1.f5net.com unicast-address { { ip 10.10.10.1 } }
ID 358654 The dashboard "History" button might not successfully return a CSV file. Instead, the text might contain "invalid parameters". The dashboard history export function is currently broken. Users will not be able to export the dashboard history. We will look to fix this in HF1.
ID 358655 The No such file or directory error always shows up around kernel installation, but it does not negatively impact the installation itself.
ID 358698 The WebAccelerator module is not supported on 2 GB systems.
ID 358703 The dashboard includes UDP connections in the Open Connections window, but the help file states that only TCP connections are included.
ID 358725 6400, 6800, 8400, and 8800 platforms do not have sufficient disk space for AVR to be provisioned in conjunction with other supported module combinations.
ID 358855 Only the array command makes a drive with a failed SMART self-test visible to an end-user. We have a new feature in this release which automatically checks every new drive for SMART-type errors. If it finds any, the self-test fails and the drive can't be put into service. The results of this test are only seen when viewing the output of the "array" command.
ID 358996 With BIG-IP VE systems, a hypervisor's Layer 2 bridging device might remove quality of service (QoS) classification from packets.
ID 359075 After provisioning wom level none from a prior state of wom level dedicated, tomcat continuously restarts. If you reboot the system or do a tmsh restart sys service all, and wom is re-provisioned, tomcat no longer restarts.
ID 359089 If you configure a Web Acceleration profile for a virtual server without enabling a WebAccelerator application, an INFLATE hudfilter is unavailable, which will cause DECOMPRESS:: commands to fail.
ID 359393 In order to be compliant with the FIPS-140 standard, keys cannot be exported from a FIPS card in plain text; hence they can only be exported by encrypting them with the master key on the FIPS card. If the master key on the FIPS card has changed since the keys were exported, it will not be possible to import the keys back into the card.
ID 359395 Invalid or empty SSL certificates, keys, or CRLs will not be rolled forward on upgrade to v11.0.0.
ID 359491 When a system's hostname is set by the user via the tmsh setting "modify sys global-settings hostname new-hostname.example.com" only the local copy of the self device is set. Remote copies of the hostname are not updated accordingly. Thus, running the command "list cm device name-of-device hostname" would have the hostname "new-hostname.example.com" on the local machine and "old-hostname.example.com" on other machines in the trust domain.
ID 359774 In v11.0.0, any pools used in an HA group must be in /Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.0.0 will fail.
ID 359776 The command tmsh modify does not properly parse multiple items in the same command for the cm module. To work around this, only modify one cm configuration item per command.
ID 359815 Dashboard can show random WAN optimization throughput spikes as approximately two times the actual bandwidth.
ID 359894 When creating a CLI transaction for the BIG-IP system ("batch commands"), an attempt to create a sys folder and modify that new folder in the same batch will fail.
ID 359978 LTM Throughput statistics might not match when comparing the Dashboard against other interfaces. The Dashboard throughput statistic includes traffic observed on all physical interfaces, layers 2-7. Throughput statistics in other interfaces are based on traffic passing through tmm.
ID 360097 vCMP guest names (and most TMOS configuration object names) must start with a letter, "/" or "_" and thereafter consist of letters and numbers. They also cannot conflict with keywords and parameters for the command.
ID 360122 The iControl method System.Statistics.reset_all_statistics() does not reset iStats.
ID 360134 6400, 6800, 8400, and 8800 platforms with Cavium NITROX Federal Information Processing Standards (FIPS) cards do not support secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail when SSL secure renegotiation is negotiated. You can work around this by disabling SSL renegotiation or RC4 ciphers. Platforms with Cavium NITROX-PX FIPS cards are unaffected.
ID 360241 The strict-negotiation option, which was added as a default option on the SSL profile, might cause negotiation failure after upgrading. This is relevant when upgrading configurations containing SSL profiles from versions prior to 11.0.0. This means that when a WOM device on one side is upgraded, the SSL negotiation with the other WOM fails. To work around this, you can do either of the following: -- Disable strict-negotiation on the upgraded SSL profile. -- Upgrade the other WOM to this release.
ID 360263 In this release, the VIPRION 2400 reports a CPU Count of 8 instead of the expected 4 on the Device Configuration screen in the browser-based Configuration utility. This occurs because the implementation of hyper-threading causes the system to report double the actual number of cores. There is no workaround for this issue.
ID 360270 Resolv::lookup -ptr and Name::lookup -ptr are not caching returned records, so the tmm must perform a query each time. This could result in slower than expected performance.
ID 360290 If a guest's VM fails to deploy with the error message "Invalid vCMP configuration- no interfaces allocated.", then there could be a problem with a blade's interfaces. Run "tmsh show net interface" and, if any blade has interfaces in the "miss" state that should be in the "up" or "down" state, it is recommended to reboot that blade to recover from the error state.
ID 360477 Converting a single-slot guest in the deployed state to all-slot while the single-slot guest is performing a virtual disk migration will result in a VM booting up on the slot from which the virtual disk is being copied. This VM will use the virtual disk being copied, which can cause file system corruption on the newly copied virtual disk.
ID 360566 Do not partition VLANs that are to be used by a vCMP guest.
ID 360581 If you change a vCMP timeout bigdb variable (vcmp.timeout.starting, vcmp.timeout.installing, or vcmp.timeout.migrating) while a VM is starting, installing, or migrating, respectively, the new timeout value won't be used until the next attempt. However, if the current attempt times out, the new timeout value will be shown in the error message despite the old timeout value having been used. For example, if a timeout value of 600 seconds is changed to 1000, the operation will still time out after 600 seconds, but the error message will say "Timed out after 1000 seconds."
ID 360613 Before initiating trust after doing a restart (or bigstart), you need to make sure that devmgmtd is up. This takes a few seconds after reboot or bigstart restart.
ID 360675 Creating a configuration object with a FIPS 140 key will always create a key in the FIPS 140 device even when the configuration objects are not saved. Configuration objects that are not saved will require the user to delete FIPS 140 keys manually from the device.
ID 361016 When trying to add a vdisk, the error: "Insufficient disk space on /shared/vmdisksvdisks" can occur. To alleviate this error, the vmdisks in /shared/vmdisks should be deleted via tmsh or the GUI until the indicated amount of space has been freed. The number should update once per second, so deleting the vdisk(s) will automatically show you how much additional space needs to be freed.
ID 361027 Continuation lines in HTTP headers now are parsed correctly.
ID 361035 Trust-domain members are overwritten when discovering an existing pair. There is no workaround for this issue.
ID 361036 When the AOM powers down the Host for cause (e.g., over temp) it abruptly stops the Host, bypassing a normal graceful power-down sequence. Because of this, some log messages being sent from the AOM to the Host might be lost.
ID 361094 The im command gives an error if the im package is in the root directory. (Formerly CR 100844)
ID 361124 The App Editor role will be able to run any iApp template, but most of the iApp templates will not work for them because of permissions issues.
ID 361129 To save memory and CPU processing, we only store the first 255 characters of an object name in the stats segment. All objects with matching names in the stats segments have their stats merged. If more than one object has a name that matches in the first 255 characters, the stats for those objects will be merged into one row.
ID 361148 Under disk management, the hover over SSD lifetime estimate will always show "No remaining life estimate available" on new drives, until an SSD is used enough to have a media wearout value of at least 98% or lower.
ID 361181 A "fipsutil reset" resets the FIPS card and deletes all keys in the card but it does not delete the configuration objects representing those keys. It also does not modify SSL profiles using those keys. This results in the system failing to load the configuration on reboot. An error like this will be generated: Jun 6 06:02:30 RackC6-6900-1 notice mcpd[5816]: 01390002:5: The size of the configuration DB has been extended by 2097152 bytes, now using a total of 10485760 bytes Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(e1:fb:55...ef:89:b3), FIPS:ERR_HSM_NOT_INITIALIZED. Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: fips_insert_masked_object error on import, ERR_HSM_NOT_INITIALIZED. Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 01070712:3: Caught configuration exception (0), unable to import FIPS 140 key (/Common/zzFIPSTest) from key file.) - sys/validation/FileObject.cpp, line 4714. Jun 6 06:02:32 RackC6-6900-1 err tmsh[6948]: 01420006:3: Loading configuration process failed.
ID 361268 Mcpd validation will allow rate-shaping and packet-filter policies to be created in any context. This is inconsistent with system versions before v11.0; the objects were considered usable from any context.
ID 361315 If you go to the System: Preferences screen and simply push the Update button without editing any values, the system incorrectly posts a Changes pending notice, that is, a recommendation for synchronization. Many values on this screen are not even synchronized across BIG-IP devices.
ID 361318 If you want to turn on connection mirroring in iApps, turn off the strict update. Enable connection mirroring on all virtual servers that belong to the iApp. Then turn the strict update back on.
ID 361330 Enabling longest match on the topology list will re-order the list. This will be problematic for larger lists and if the customer is making use of a unique ordering for their inbound LDNSs.
ID 361397 Under extremely rare circumstances, on startup of clusterd, if it cannot communicate with mcpd, it will repeatedly state being out of shmem. When mcpd is up and stable, and the other daemons are waiting for it to release its running semaphore, restarting clusterd will clear this condition.
ID 361470 If a virtual server's destination address is entered into tmsh with invalid IPv4 or IPv6 numbering or a hostname, the error message "The requested virtual address (</PATH/ADDRESS>) was not found." will be displayed.
ID 361650 Starting with 11.0.0, it takes no less than 15 seconds for BIG-IP GTM to save any configuration change, regardless of whether it is made in the Configuration utility or in tmsh.
ID 361744 FTP EPRT does not accept IPv6-mapped-IPv4 address in hybrid format. There is no workaround for this issue.
ID 361758 tmsh will fail to complete the configuration item name for profiles eam, mblb, html, ntlm, pluginclass, rba, sso, and smtp when the user presses <tab>.
ID 361784 To add virtual servers to GTM pools, at minimum the user will need to provide this level of information: modify poolxyz members add {<hostname>:<partition>/<vsname>} (specifying the partition for the hostname is not necessary). NOTE: There is NO autocomplete help for any of this. You will need to do this completely and accurately or risk getting a message like this: 01070226:3: Pool Member VS9eleven6 references a nonexistent Virtual Server
ID 361790 iControl System::Statistics::reset_all_statistics hangs and eventually gets a timeout error. As a possible workaround, try bigstart stop zrd, if you don't depend on that daemon.
ID 361793 Config-sync from a devicegroup does not work in this release. iControl System::ConfigSync::synchronize_from_group does not work in this release.
ID 361976 If an iso file is removed from the filesystem, either by a user in bash or another unexpected problem, guests relying on that iso will display confusing error messages when being re-deployed. The workaround/fix is to locate the iso being used for the guest(s) and place it back in /shared/images.
ID 362054 In version 11.0.0, you cannot associate a statistics profile with a GTM listener. You associate statistics profiles with a listener via the LTM virtuals page, but in this case, you will receive an error.
ID 362142 Loading large geoip databases can cause tmm to miss its heartbeat timeout - SOD then sig aborts tmm.
ID 362163 If the user needs to change the rndc.key file in /var/named/config, the user must first run "bigstart stop named zrd", change the key file, and then run "bigstart start named zrd". NOTE: If one were to run named on a non-BIG-IP system and change the keys, the user would have to manually restart named in that case as well.
ID 362225 Disabling connection queuing via "tmsh edit" while connections are queued will cause the queued connections to become stuck.
ID 362267 If a user configures network failover on a VIPRION that uses a blade's management address as the unicast address, the other blades will not be able to use this address and will issue an error message. This is correct operation.
ID 362299 You cannot enable/disable virtual servers owned by an application service with strict updates enabled from the virtual server properties page. A strict updates error results.
ID 362405 If a vdisk migration occurs, the original disk copy is left unchanged on the initial blade. The copy will not be synchronized with the migrated disk on the new blade. After migration is successful, the older disk image can be safely deleted.
ID 362406 The command "tmsh show sys failover cable" no longer shows the peer cable status, due to changes in the configsync process.
ID 362413 If a monitor send or receive string contains a backslash character, this backslash will be escaped (prepended with another backslash) when the monitor is listed in tmsh. This causes no harm; the monitor still functions properly.
ID 362734 The iRule events AUTH_ERROR, AUTH_FAILURE, AUTH_SUCCESS, and AUTH_WANTCREDENTIAL have been deprecated since version 9.4.0.
ID 362802 If the server closes the connection after sending a 401 response, websso in the APM module may not work for a portal access application.
ID 362874 After upgrading, the following message was posted on the Configuration utility browser window for several hours. "Upgrading Device Trust Device trust is still being upgraded. Please do not make modifications to Device Management or Traffic Groups pages while this message is displayed." This occurs when a device that is configured to be in a redundant pair is upgraded to 11.0, but its peer device cannot be contacted. The banner indicates that the device is waiting for its peer to be contacted. If the peer device is no longer in use, the workaround should be used to remove the banner message.
ID 362984 The console displays a message indicating the DHCP can be adjusted on a VIPRION system. Performing this command will have no effect on the configuration.
ID 362985 Displaying the configured syslog server with tmsh might require prepending the /Common/ path.
ID 363059 Renaming a top-level policy node may cause an unintended re-ordering of policy nodes, resulting in a different prioritization of matching criteria.
ID 363214 For any virtual that is configured with proxy-ssl, if during the handshake, the compression method is negotiated to anything other than NULL (no compression), such as client hello offers NULL and DEFLATE and server accepts DEFLATE, then the SSL handshake will not succeed.
ID 363216 A virtual server might say 'vlans-disabled', but does not include a list of which ones are disabled if that list is empty. For example, this means that the virtual is disabled for no VLAN entries, the default setting: ltm virtual sample_vs { destination any:any profiles { fastL4 { } } vlans-disabled } This is harmless. Use the command "list ltm virtual all-properties" to see the (empty) list of VLAN entries.
ID 363277 The persistent non-oc asm connection should get aborted on the second request, but it does not. We are working on this issue.
ID 363284 The cipher list 'DEFAULT:!NATIVE' is different on v10.2.2 (valid) and v11.0.0 (invalid, empty). This can cause upgraded configurations to fail loading on v11.0.0. The failure occurs because ciphers "ALL" in the Client SSL profile only includes "NATIVE" ciphers. That means that "COMPAT" must be specified to include "COMPAT" ciphers (e.g., EXP, EDH). As all SSLv2 ciphers are COMPAT ciphers, this also means that "ALL:SSLv2" no longer includes SSLv2 ciphers. Note that this change impacts upgrade. So if your configuration uses COMPAT ciphers, it requires a configuration change (to specifically include COMPAT ciphers) for upgrade to complete successfully.
ID 363309 The max length for a pathed/folderized name is 255 characters.
ID 363332 After removing a device from the trust-domain, the other devices believe the removed peer is unreachable, instead of removed from the trust-domain.
ID 363361 The matchclass command is deprecated in favor of class match command, to compare the content of a datagroup as a global variable.
ID 363405 When canceling a guest's install/migrate process(es) by setting its state to Configured, the system deletes the partial virtual disk image from the file system but does not delete the virtual-disk object. If you run the command tmsh list sys vcmp virtual-disk and see the remaining object, it is highly recommended that you manually delete the virtual disk. To do so, run the command tmsh delete sys vcmp virtual-disk <name>. Failure to do so can cause unexpected validation errors in the future when configuring vCMP guests.
ID 363467 Authentication profile objects (TMSH namespace 'ltm auth profile') require that the defaults-from property be specified. This was required but not enforced in TMOS 10.x.
ID 363500 The system logs of a BIG-IP vCMP guest might show /dev/hdc DriveReady Errors or an AbortedCommand. These are innocuous and may be ignored.
ID 363541 If a user creates an "and" rule for the default node monitor that includes the monitor "/Common/none" the state of the node will not be reported correctly.
ID 363756 Simultaneous blade-to-blade migrations of guests might occur. In rare instances, it's possible that multiple migration tasks will take longer than the allocated interval and as such migrating guests might encounter a timeout. If this happens three times, the guest will be placed in the "failed" state. To recover a guest from this condition, wait until all guest migration tasks complete successfully or fail after three timed-out attempts. Then on any blade with a guest in the "failed" state, execute the "vretry" command. This will cause any guests in the failed state on that blade to retry the failed action. Executing "vretry" one blade at a time and waiting until all migration tasks on that blade are complete will avoid these failsafe timeouts. If a guest's retry attempts also fail, re-provisioning the guest might resolve the issue. To do this, change the guest's state to "configured" and then subsequently back to "provisioned" or "deployed", as preferred. Note that this might cause the guest to be allocated to a different blade.
ID 363912 On rare occasions, when there are no monitors assigned as the default node monitor, an entry "none" may appear in the Active select box on the "Default Monitor" page in the Configuration Utility. This still represents the fact that no monitors are selected as the default node monitor and the BIG-IP will operate as such.
ID 363988 The following log messages are erroneously printed to /var/log/tmm on VIPRION 2400 systems: Skip potential RQM forward pkts read error and Skip potential RQM drop pkts read error. These are benign, and you can safely ignore them.
ID 364031 When you are in a folder other than /Common, attempting to add or delete a remote-server for syslog gives the error: 01020036:3: The requested configuration item ( /Common/foo/syslog syslog) was not found. Navigate to the /Common folder and try the operation again.
ID 364042 The contents of the /var/named and /config/big3d directories are not synced between high availability configurations in this release.
ID 364165 Synchronize FROM Group button does not work in version 11.0.0. There is no workaround for this issue.
ID 364227 The system reports 'assertion "completed request is in ring" failed' during system shutdown/restart. LTM log file indicates this with messages such as "Failover event detected." This is not a failover event and you can safely ignore the assertion and log message.
ID 364292 Stateless non-UDP virtual servers are not supported in this release.
ID 364324 On the System : Users: Remote Role Groups page, the remote-role group with the largest line order number cannot be deleted. Instead, you can delete the group within its Properties page.
ID 364378 Configuring remote role groups from the command line allows use of variable names for values (denoted with %). The GUI does not support this type of configuration, and any remote role configuration updates performed from the GUI will wipe any variable configuration that was previously configured from the command line.
ID 364432 UDP monitors do not work on Gemini when db var udp.hash = ipport.
ID 364437 Link Controller GUI: wideip member stats and wideip details stats tables don't line up properly and contain erroneous table columns.
ID 364467 You cannot save sysconfig after the license expires, but this should not cause larger issues.
ID 364522 A user with the app_editor role can create an app service; however, because app_editor users cannot create objects (they can only update and enable/disable them), app_editor users actually cannot create an app service.
ID 364526 Ramcache report for iControl should report slot, tmm, and rank. Ramcache records should show the slot as 1-based.
ID 364588 If you run the show command from /Common partition to display the details of a pool in another partition, the monitor instance line is missing. To work around this, navigate to the partition first. Then the show command presents the expected results.
ID 364645 If the sum of the cache sizes for the Web Acceleration profiles is set to the maximum allowed, the BIG-IP system will stop caching.
ID 364704 When taking a snapshot of a BIG-IP VE system running in VMware, do not include the virtual machine's memory in the snapshot. Taking a snapshot of the virtual machine's memory often pauses the virtual machine and produces undesired results.
ID 364717 When using the node-port option with delete command for persistence persist-records, entries with the specified node-port should be deleted. Instead, the system deletes all the persist table entries irrespective of the port specified. Also, the show command with nonexistent port displays all the entries irrespective of the port specified.
ID 364774 You have to create a redundant-bigip server object via tmsh for LC by hand.
ID 364776 The system does not prevent you from including pools from partitions other than Common in an HA-group. However, this configuration is not supported, and those pools will be removed from the HA-group when you modify pool settings.
ID 364812 The error message "Command (lsof /shared/vmdisks/Test-V1-15.img) failed: Child exited with non-zero exit code: 1" reported by vcmpd in /var/log/ltm is benign and should be ignored. It is part of normal operation for vcmpd.
ID 364825 Keys that are stored on a FIPS card are incorrectly not included during device group synchronization. The encrypted key (.exp) files must be manually copied to other devices and installed with tmsh: tmsh install sys crypto key <desired-keyname> from-local-file <path-and-keyname> security-type fips
ID 364831 When snmpd is restarted, you might get this warning message in the log file: /config/snmp/subagents.conf: line 9: Warning: Unknown token: agentxPingInterval.
ID 364918 If GTM and Link Controller are configured in the same sync group, then syncing configuration changes from Link Controller breaks those monitors on GTM that are not licensed on a Link Controller. To recover from this issue, reload the configuration on GTM. Make all configuration changes on GTM to avoid this issue.
ID 364923 A full path must be used when modifying an iApp Application Service via iControl.
ID 364941 The reboot button will reboot all blades in the cluster. The reboot button can be found here: System ›› Configuration : Device : General
ID 364978 If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2. For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair. To work around this, modify the default device to point to the unit 1 box, using a command similar to the following: tmsh modify /cm traffic-group traffic-group-2 default-device <unit 1 device name>
ID 364981 On the System : Preferences screen, changing Idle time before automatic logout to any non-default value causes the CPU usage to increase.
ID 365006 Installing a 10.x UCS on a "clean" 11.0 will cause daemons on secondary blades to restart.
ID 365106 Using a version 11.0.0 user configuration set (UCS) file to upgrade a system results in the following message: WARNING: Configsync.password value is invalid in the UCS. This data will not be rolled forward. Actually, the data is rolled forward, so you can ignore this message.
ID 365110 If you find you cannot change the device's mirror ip address or secondary mirror ip address, change the mirror ip address using the db variable StateMirror.Ipaddr and the secondary mirror ip address using the db variable StateMirror.Secondary.Ipaddr.
ID 365141 BIND Vulnerability: [CVE-2011-1910]. A remote, unauthenticated attacker can cause the named daemon to crash, creating a denial of service (DoS) condition (assertion failure and daemon exit), via a negative response containing large RRSIG RRsets.
ID 365153 If you find you cannot change the device's mirror ip address or secondary mirror ip address, change the mirror ip address using the db variable StateMirror.Ipaddr and the secondary mirror ip address using the db variable StateMirror.Secondary.Ipaddr.
ID 365164 Occasionally, the command to create and install vCMP guests times out. You can use the following command to extend the timeout period so that the process completes: tmsh modify sys db vcmp.timeout.installing value 1800
ID 365219 If you roll forward a user configuration set (UCS) file that contains the default admin password (that is, you never changed the admin password before upgrading to version 11.0.0), the system posts the following message: Config sync password is invalid. The UCS file loads correctly, and you can safely ignore this error.
ID 365224 Right after configuring a sync-failover device group, all devices might come up with In-Sync status, in which case the config-sync command will not push the configuration to other devices.
ID 365255 Don't do a load on specific partitions; do a load all.
ID 365256 N+M failover algorithm is based on Management IP, and does not distribute Traffic Groups as evenly as needed.
ID 365261 There is a known defect in the way configuration is loaded for a single partition. The workaround is to load all partitions, using "tmsh load sys config partitions all".
ID 365342 Forwarding IP virtual server stops working after a request logging profile is added.
ID 365370 On the 6900, 6900S, 11000, and VIPRION 2400 platforms, 10-20 seconds after the system boots up, the Alarm LED might light up yellow. This occurs because of two informational messages and does not indicate an error condition. To clear the alarm condition, run the command "clearlcd_warning". The Alarm LED will function normally thereafter. Notes: This command must be invoked each time the unit is powered on. Also, in this particular scenario, you cannot clear the Alarm LED using the LCD buttons.
ID 365375 DNS response packet is dropped when "DNS::edns0" command is used with nsid option and there is no edns0 resource record in the packet.
ID 365384 MAC Masquerade Address: Specifies a unique, floating Media Access Control (MAC) address that you create and assign to each traffic group, which indirectly associates that address with any floating IP addresses associated with that traffic group. This ensures that any traffic destined for the relevant traffic group reaches an available device after failover has occurred, because the MAC masquerade address floats to the available device along with the traffic group. Without a MAC masquerade address, on failover the sending host must relearn the MAC address for the newly active device, either by sending an ARP request for the IP address for the traffic or by relying on the gratuitous ARP from the newly active device to refresh its stale ARP entry. When you assign a MAC masquerade address to a traffic group, the BIG-IP system sends a gratuitous ARP to notify other hosts on the network of the new address. If you intend to use a MAC masquerade address, you must first create the address using an industry-standard method for creating a locally administered MAC address.
Auto Failback: Indicates that a traffic group that has failed over to another device fails back to its default device whenever that default device is available, even when other devices in the group are more available. If Auto Failback is not enabled, when the traffic group fails over to another device, the traffic group runs on that device until failover occurs again. In this case, the traffic group only fails over to its default device when the availability of the default device equals or exceeds the availability of other devices in the group.
Auto Failback Timeout: Specifies the number of seconds after which auto-failback expires.
Floating: Indicates whether the traffic group floats to another device (that is,
When you initially run the Setup utility, the system creates two traffic groups:
- A default traffic group named traffic-group-1, which contains the floating self IP addresses that you configured for VLANs internal and external, as well as any configured iApps application services, virtual IP addresses, NATs, or SNAT translation addresses.
- A default non-floating traffic group named traffic-group-local-only, which contains the static self IP addresses that you configured for VLANs internal and external. Because the device is not a member of device group, the traffic group never fails over to another device.
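The MAC Masquerade Address description above calls for a locally administered MAC address. The following is an added example, not part of the F5 release note or F5 tooling: it derives such an address from an existing one by setting the locally administered bit (0x02) and clearing the multicast bit (0x01) of the first octet, and checks candidate addresses. Deriving from an existing interface MAC is an assumption (the note names no specific method), the function names are hypothetical, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example: derive and check locally administered MAC addresses.
# Function names are hypothetical; sample addresses are constructed.

# Normalize to lowercase, colon-separated form; fail on malformed input.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Set the locally administered (U/L) bit, 0x02, and clear the
# multicast (I/G) bit, 0x01, in the first octet. Other octets are kept.
laa_from_mac() {
    mac=$(normalize_mac "$1") || return 1
    first=${mac%%:*}
    rest=${mac#*:}
    printf '%02x:%s\n' $(( (0x$first | 0x02) & 0xfe )) "$rest"
}

# Succeed only if the address is locally administered and unicast,
# that is, the low two bits of the first octet are binary 10.
is_laa_unicast() {
    mac=$(normalize_mac "$1") || return 1
    [ $(( 0x${mac%%:*} & 0x03 )) -eq 2 ]
}

# Constructed sample: prints 02:01:d7:aa:bb:cc
laa_from_mac "00:01:D7:AA:BB:CC"
```

The result must still be unique on every VLAN where the traffic group's floating addresses live; the bit pattern alone does not guarantee that.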
ID 365545 Due to known problems in the current Cavium firmware, CN16XX cards will occasionally cease to function after performing a large number of key management operations (such as creation, deletion, conversion). To resolve this issue, reboot the BIG-IP system, and FIPS functionality should be restored.
ID 365555 The DES ciphers have been deprecated for TLS v1.2, but TMM still includes them. These ciphers are supported on earlier versions of SSL/TLS, such as SSLv3 and TLS v1.0, which are widely used. TLS v1.2 deprecates them in a move to higher standards. F5 recommends that you do not use these ciphers.
ID 365639 If tmm has no self IP on a vlangroup, or a self IP in a different subnet than some nodes, proxy ARP for those nodes will only succeed if there are no routes in tmm that match the ARP target IP.
ID 365665 If your clustered BIG-IP runs in VCMP mode and you disable a slot on the hypervisor, the VCMP guests on that slot will repeatedly log messages similar to the following into their ltm log file: "Blade 1: blade 1 powered DOWN." (your blade number may differ) The messages won't stop until you enable the slot on the hypervisor.
ID 365756 On error, the partition folder has changed at the command line. Change it back to /Common to attempt to load the SCF again after the fix.
ID 365757 Mixed mode is presented as an option for extra disks. When applied, this configuration option will present an error message similar to "01071372:3: Cannot change the mode for logical disk (HD2) from (NONE) to (MIXED). Disks cannot be changed to MIXED or CONTROL modes." For this release of BIG-IP software, only None and Datastor are functional modes for extra disks.
ID 365764 Loading a UCS with no custom partition in it fails on a system that has any GTM objects defined in a custom partition.
ID 365767 The verify option during a load .scf file operation from tmsh on the VIPRION system will cause mcpd to restart.
ID 365836 When using tmsh to switch to a vCMP provisioned system, a transaction should be used. The commands to do this are:

# tmsh
> create cli transaction
> modify sys provision ltm none
# All modules must be set to none. Add any other commands here to do so following the previous ltm example.
> modify sys provision vcmp dedicated
> submit cli transaction

Secondary blades will likely reboot automatically due to this operation. There are conditions where the primary will reboot automatically as well. If the primary does not reboot and the status is REBOOT_REQUIRED, you should wait two full minutes before rebooting the primary blade. This is to ensure that provisioning completes, the secondaries have rebooted, vcmpd starts and the system enters a quiescent state. This only needs to be done when changing provisioning.
ID 365900 The GTM Listeners list page times out on an LTM/GTM combo box if there are large numbers of LTM virtual servers configured (>5000). You can use tmsh to list/search GTM listeners.
ID 365921 When saving a single configuration file (scf) with the tmsh command that uses the time-stamp option, i.e., "save sys config file <mytest.scf> time-stamp" the file is created on the primary blade only. An error is written out to the /var/log/ltm file every couple of minutes that this file failed to sync to the secondaries. To correct this, the file needs to be manually synced to the secondary blades, and the full path of the file is required when copying to the secondary blades. The colons in the file name should be escaped as well.
ID 365976 In rare circumstances, it is possible for gtmd to SIGSEGV when topology records are deleted from GTM configuration.
ID 365979 After creating a new folder from tmsh the "tmsh save sys config partitions all" command should be run.
ID 366060 FTP mirroring occasionally fails when connections come from tmm0. When it does fail the idle timer on the standby is not updated and the connection is reaped in the 30-50 second range.
ID 366165 Configuration changes to topology records do not get saved automatically to the configuration file.
ID 366172 A pre-version-11.x configuration that was created with the bigpipe cli ip addr option set to name may cause configuration load failure on upgrade, because resolved names rather than IP addresses were saved to the bigip.conf file. The workaround is to change the cli setting to cli ip addr number, save the config on the pre-version-11.x unit, and then run the upgrade.
ID 366185 When viewing the Diameter Application Template online help file, the browser displays a warning message that references the template's help content. This is due to an error in the HTML for the application template help, and does not indicate any functional problem with the template. You can eliminate the error by creating a copy of the Diameter template, deleting the string <a name="vs_tls_offload"></a> in the HTML Help section, and clicking Finish. The help for the copy of the template loads without error.
ID 366325 The online help contains two occurrences of the b command: Network : Self IPs : New Self IP for Port Lockdown and Overview : Performance for Rewrite Transaction Data. These commands appear in the online help in error: version 11.x no longer supports the bigpipe utility. The command tmsh list net self-allow replaces b self allow list and tmsh show apm profile rewrite replaces b rewrite or b profile rewrite.
ID 366331 The Cookie Persistence profile online help should contain the following description for Always Send Cookie: Specifies that the BIG-IP system returns the persistence cookie with every response, instead of only the first response on a connection.
ID 366403 After modifying the BIG-IP system configuration by adding or removing Network Interfaces, the interface numbering might appear out of order and NICs may appear that are no longer present. If you change the number of virtual interfaces on the BIG-IP VE system after a binary MCPD database has been created, the system does not detect the change when subsequently rebooted. To ensure that the system properly detects the new or removed interfaces, type the command rm /var/db/mcpd* at the BIG-IP VE command prompt, and reboot the system. To view the actual TMM-to-vSwitch interface mapping, compare the MAC addresses of the interfaces displayed in the BIG-IP Configuration utility to those displayed in the hypervisor's configuration. They may need a simple adjustment to map to the correct networks.
ID 366934 On 11000 and 11050 platforms, if you enter the Always-On Management (AOM) Menu and press 'P,' AOM reboots. Although this does not affect host operation, you can avoid this problem by not using the 'P' command on the AOM Menu.
ID 367072 Running the command 'tmsh show sys hardware' on an appliance-based system shows a Registration Key field with a -- value, even on licensed systems. This field is designed only for chassis-based systems, so you can ignore the value.
ID 366934 The online help for the Request Logging profile contains no specific examples that describe how to craft Template and Error Template entries. However, you can find a table of supported parameters in the BIG-IP WebAccelerator System: Implementations guide on AskF5. See http://support.f5.com/kb/en-us/products/wa/manuals/product/wa_implementations_11_0_0.html.
ID 371961 There is a new way of handling files with external data group definitions. Before assigning it to an external class, the file must be imported using options on the System > File Management > Data Group File List screen. The online help incorrectly indicates that files must exist in a specific subdirectory.
ID 401367 Version 11.x added validation around the use of CACHE:: commands on virtual servers with RAM cache enabled. The result is that upgrading from version 10.x to 11.x fails under certain configuration conditions, for example, if the configuration contains a CACHE_RESPONSE event in an iRule, and there is not an associated Web Acceleration profile applied to that virtual server. To work around the upgrade failure, locate and remove the applicable iRules and virtual servers in the configuration, and try loading the configuration again.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices
