Archived Release Note: 3-DNS Controller, PTF Note 4.2 PTF-10
Release Note

Updated Date: 02/16/2005

This article has been archived, and is no longer maintained.

Summary:

This product temporary fix (PTF) provides enhancements and fixes for the 3-DNS Controller, version 4.2. The PTF includes all fixes released since version 4.2, including fixes originally released in prior PTFs.

Contents:

- Installing the PTF
     - Updating the big3d agent
- Software enhancements and fixes
     - What’s new in this PTF
     - What’s fixed in this PTF
     - Enhancements and fixes released in prior PTFs
- Configuration changes
     - Required configuration changes
     - Optional configuration changes
- Known issues
- Work-arounds for known issues
     - Allocating memory resources for the named daemon
     - Configuring bridge mode in version 4.2
     - Configuring RSH on non-crypto systems
     - Removing a controller from a sync group
     - Resetting the SSH key
     - Setting the Quality of Service load balancing mode
     - Using the Global Availability or Ratio load balancing mode within a pool
- Acknowledgement updates

Installing the PTF

The current PTF installs enhancements and fixes from all PTFs released after 3-DNS Controller, version 4.2. (For details, see the following section, Software enhancements and fixes.)

Apply the PTF to the 3-DNS Controller, version 4.2, using the following process. Note that the installation script saves your current configuration.

Important: If you are upgrading a 3-DNS Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the PTF. Failure to do so may cause irrevocable damage to the controllers in the sync group that are running older versions of the software. Once you have upgraded all controllers to the same version, you can then re-create the sync group. For details on removing a controller from a sync group, see Removing a controller from a sync group. Once you have removed the controller from the sync group, you can proceed with the PTF installation.

Note:  If you are updating the 3-DNS Controller module on a BIG-IP system, refer to the BIG-IP version 4.2 PTF-10 note for instructions on installing the PTF.

Note:  If you have installed prior PTFs, this installation does not overwrite any configuration changes that you made for prior PTFs.

  1. Change your directory to /var/tmp/ by typing the following command:
    cd /var/tmp/
  2. Connect to the F5 Networks FTP site (ftp.f5.com).
  3. Make sure the FTP client on the 3-DNS Controller is in passive mode before you download the file. If you are unsure which mode the client is in, at the command line, type pass. The system indicates which mode the client is in; if it is not in passive mode, type pass again, and the client will change to passive mode.
  4. Download the PTF-4.2-10-BSD_OS-4.1.im file from the /crypto/bigip/ptfs/bigip42ptf10/ directory on the FTP site to the /var/tmp directory on the target 3-DNS Controller by typing the following command:
    get /crypto/bigip/ptfs/bigip42ptf10/PTF-4.2-10-BSD_OS-4.1.im /var/tmp/PTF-4.2-10-BSD_OS-4.1.im
  5. Install this PTF by typing the following command:
    im PTF-4.2-10-BSD_OS-4.1.im

    The 3-DNS Controller automatically reboots once it completes installation.


Updating the big3d agent

After the PTF installation has completed, you need to install the new version of the big3d agent on all BIG-IP systems, EDGE-FX Caches, and GLOBAL-SITE systems known to the 3-DNS Controller, as follows:

  1. Log on to the 3-DNS Controller at the command line.
  2. Type 3dnsmaint to open the 3-DNS Maintenance menu.
  3. Select Install and Start big3d, and press Enter.
    The 3-DNS Controller detects all BIG-IP systems, EDGE-FX Caches, and GLOBAL-SITE systems in the network, and updates their big3d agents with the appropriate version of the agent.
  4. Press Enter to return to the 3-DNS Maintenance menu.
  5. Type Q to quit.

For more information about the big3d agent, see the 3-DNS Reference Guide, Chapter 3, The big3d Agent.

Software enhancements and fixes

What’s new in this PTF

Named and NameSurfer scripts added to bigstart (CR 26102)
You can now use the bigstart script to start, stop, restart, and get status on both the named daemon and the NameSurfer® application.

Enhancements to the big3d agent and service checks using the TCP protocol (CR26320)
You can now configure the big3d agent to fully close the connection when performing a service check (rather than having the agent just send a reset packet). For information on configuring this option, see Fully closing TCP connections.

What’s fixed in this PTF

Error messages for the checkd process on standalone 3-DNS Controllers (CR25477)
If you have a standalone 3-DNS Controller, the checkd process (which is not used by the 3-DNS Controller) no longer generates error messages in the /var/log/bigd file.

Setting all virtual server ratios in a pool to 0 (CR26397)
The 3-DNS Controller no longer becomes unstable when you set the ratios of all virtual servers in a pool to 0.

Virtual servers with disabled VLANs and memory leak (CR26536)
A virtual server with a disabled VLAN no longer causes the big3d agent to experience a slow memory leak.

Encryption key size and system errors on previous software versions (CR26572)
The encryption key size in versions prior to 4.5 PTF-04 could generate a key that causes the big3d agent to become unstable. 3-DNS Controller software, version 4.5 PTF-04 and later, is now backward-compatible with BIG-IP systems running previous software versions. The affected software versions are BIG-IP version 1.0.3 through BIG-IP version 4.2 PTF-09.

BIG-IP virtual server status display and node connections limit (CR26585)
The 3-DNS Controller no longer incorrectly displays a virtual server status as down (red ball) when you have configured, on the BIG-IP system itself, a node connections limit for that virtual server.

Limits for current connections on BIG-IP systems (CR26833)
When you set a limit on current connections for a BIG-IP system, and that connection limit has been exceeded, the 3-DNS Controller no longer uses a virtual server belonging to the BIG-IP system as a response to a query.

rand() function and receiving invalid memory location (CR26911)
The 3dnsd daemon no longer becomes unstable when the rand() function returns a value that receives an invalid memory location. This problem occurred only in rare instances.

CPU resources and large topology configurations (CR27465)
The 3dnsd daemon no longer consumes excessive CPU resources when you have a very large topology statement and you have not added the include geoloc netIana.inc statement into the wideip.conf file.

Fallback load balancing method and Round Robin load balancing mode (CR27589)
If you set the fallback load balancing method for a wide IP pool to Round Robin, and no virtual servers in the pool are available for load balancing, the 3-DNS Controller no longer returns only the first virtual server listed in the pool.

3dnsd updating iQuery version (CR27806)
When a BIG-IP system is updated to the same version as the 3-DNS Controller, the 3dnsd daemon now updates the iQuery version for the remote BIG-IP system without requiring a 3ndc restart on the 3-DNS Controller.

ECV service checks and requests that use GZIP compression (CR28192)
The 3-DNS Controller now correctly handles ECV service requests that use GZIP compression. The 3-DNS Controller no longer marks a virtual server down when a virtual server responds to a service check with a file that uses GZIP compression.

ECV service checks and FTP status code 125 (CR28296)
An ECV service check on the FTP service no longer incorrectly marks a virtual server as down (red ball) if that virtual server returns the FTP status code 125 in response to the ECV query.

Online help on Linux with Netscape 4.79 (CR28375)
The online help now correctly displays if you are using Netscape Navigator 4.79 with a Linux® operating system.

Enhancements and fixes released in prior PTFs

Version 4.2 PTF09

Updating the Return to DNS counter (CR20139)
The Return to DNS counter now updates properly when none of the specified load balancing methods for a wide IP is able to select a pool and virtual server to respond to a query.

Syntax errors on the big3d man page (CR22071)
The syntax has been corrected for the following arguments on the command line version of the big3d man page:

  • -max_active_scanners
  • -max_active_probers
  • -max_active_hops
  • -max_active_snmp

Resetting the base configuration before you run the Setup utility and fatal errors at the Configure Interfaces step (CR22331)
When you reset the base configuration (with the command bigpipe base reset), and then run the Setup utility (by typing setup), the controller no longer experiences fatal errors when you get to the Configure Interfaces step in the utility.

Setup utility and configuring the system’s broadcast address (CR22675)
When you configure the system's IP address and netmask, and you change the broadcast address so that it does not match the IP address/netmask combination, the Setup utility no longer experiences fatal errors when you enter the default route.

SNMP callbacks are now cleared when a session ends (CR22856)
The 3dnsd daemon no longer stops running when an SNMP session does not end gracefully.

Configuring network failover (CR23128)
In the Configuration utility, on the System - General screen, you can now configure the 3-DNS Controller to use network failover, in addition to, or instead of, hard-wired failover. Note that you use the failover options only if you have a redundant system. For details on configuring network failover using the Configuration utility, see Configuring network failover in the Optional configuration changes section of this PTF note.

Deleting objects using the Configuration utility and sync groups (CR24102)
When you delete an object using the Configuration utility for the principal controller in a sync group, the object no longer remains in the Configuration utility for any receiver controllers in the sync group.

Viewing the Probers statistics screen and Netscape Navigator (CR24844)
If you are using Netscape Navigator to view the Configuration utility, and you have probers in your configuration, the Probers statistics screen now displays properly.

Editing the license file and parsing errors (CR25309)
If you edit the license file (which is not supported), and you add spaces rather than tabs, the 3-DNS Controller no longer experiences parsing errors.

Changing the ratio setting for virtual servers in pools (CR25329)
When you modify the ratio setting (to a value other than 1) for a virtual server in a pool, you can now set the ratio back to 1.

BIND 9 EDNS0 requests (CR26218)
The 3-DNS Controller now properly processes EDNS0 requests from BIND servers running version 9.2.1 and later, by ignoring the Z field in the DNS message header. This behavior complies with RFC 2671, Extension Mechanisms for DNS (EDNS0).
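
The following is an added example, not F5 code, of a DNS message parser that behaves as CR26218 describes: it records the Z bits in the message header but never rejects a message because of them. It goes slightly beyond the note by also reading the 16-bit Z field that RFC 2671 places in the TTL of the OPT record; the function names and the sample query are constructed for illustration.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-record type (RFC 2671)


def skip_name(msg, off):
    """Return the offset just past the domain name that starts at `off`."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                      # root label terminates the name
            return off + 1
        if (length & 0xC0) == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def parse_message(msg):
    """Parse header flags and any OPT record; Z bits are reported, never enforced."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    header = {
        "id": ident,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "z": (flags >> 4) & 0x7,             # three header bits between RA and RCODE
        "rcode": flags & 0xF,
    }
    off = 12
    for _ in range(qd):                      # question: name + QTYPE + QCLASS
        off = skip_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        off += 4
    edns = None
    for _ in range(an + ns + ar):            # walk every resource record
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated record data")
        if rtype == OPT_TYPE:
            # OPT reuses CLASS as the sender's UDP payload size and TTL as
            # extended RCODE (8 bits), version (8 bits), Z (16 bits).
            edns = {
                "udp_size": rclass,
                "ext_rcode": ttl >> 24,
                "version": (ttl >> 16) & 0xFF,
                "z": ttl & 0xFFFF,
            }
        off += rdlen
    return header, edns


def build_query(name, header_z=0, opt_z=0, udp_size=4096, with_opt=True):
    """Build a constructed A/IN query for testing; not captured traffic."""
    flags = 0x0100 | ((header_z & 0x7) << 4)             # RD set, Z bits as requested
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1 if with_opt else 0)
    msg += qname + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN
    if with_opt:
        # Root owner name, TYPE=41, CLASS=payload size, TTL carries Z, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, opt_z & 0xFFFF, 0)
    return msg


if __name__ == "__main__":
    # Same query with and without Z bits set: every other field parses identically.
    for hz, oz in ((0, 0), (0b010, 0x8000)):
        print(parse_message(build_query("www.example.com", hz, oz)))
```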

Version 4.2PTF08

CA-2002-31, Multiple Vulnerabilities in BIND (CR25088)
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.

SNMP probes and host servers (CR19784)
The 3-DNS Controller now uses the version of SNMP that is appropriate for the host that the controller is probing, rather than always using SNMP, version 1.

The Tomcat package and the Java daemon (CR21652, CR22561)
The Tomcat package and the Java daemon (javad) have been removed from the software. The 3-DNS Controller does not currently use either of these components.

UDP checksums and TFTP packets (CR22113)
In rare instances, the checksums for TFTP packets were incorrect. This problem has been fixed.

SNMP traffic no longer passing through a VLAN that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled no longer allows SNMP traffic when you have not explicitly enabled the SNMP port using the open_snmp_port global setting.

Disabling SNMP and rebooting the controller (CR22762)
When you disable SNMP using the Configuration utility and you reboot the controller, the bigstart script no longer generates a new snmp.conf file.

Updating the big3d agent (CR23458)
The big3d agent in this PTF (PTF08) resolves the issues with the big3d agent for BIG-IP systems running version 4.2 and later. Be sure to update the big3d agent for all of your systems, as described in the Updating the big3d agent section of the PTF installation instructions.

Topology load balancing enhancement (CR24059)
When you set the load balancing mode to Topology, and no topology records match an incoming request, the 3-DNS Controller no longer randomly selects a virtual server for the response. Instead, the controller tries to use the alternate or fallback load balancing mode.

Enhancements to probing (CR24981)
The 3-DNS Controller now staggers the host probing and the ECV probing processes so that the controller resources are not overburdened. Additionally, if a host or a host virtual server is down for more than four sequential probing cycles, the polling period for that host or host virtual server is extended to three times the normal polling period.

big3d agent memory leak and probing large quantities of hosts (CR25007)
The big3d agent no longer experiences a memory leak when the 3-DNS Controller is probing a large number of hosts (for example, more than 500).

Root servers list for BIND (CR25063)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.

Version 4.2PTF07

CERT Advisory CA-2002-23, Multiple Vulnerabilities In OpenSSL
The security vulnerabilities that are outlined in CERT Advisory CA-2002-23, Multiple Vulnerabilities In OpenSSL, have been fixed.

CERT Advisory CA-2002-18, OpenSSH Vulnerabilities in Challenge Response Handling
The OpenSSH software running on the 3-DNS Controller has been upgraded to version 3.4p1 to address the security vulnerability that is outlined in CERT Advisory CA-2002-18.

BSDI security vulnerability (CR16430)
A potential denial of service vulnerability in the C library (libc) of BSDI has been addressed. For information about the vulnerability, see Vulnerability Note VU#808552, Multiple ftpd implementations contain buffer overflows, which is available on the CERT website at http://www.cert.org.

Manually re-enabling virtual servers when they change status from down to up (CR21894)
Previously, when a virtual server changed status from down to up, the virtual server was immediately available for load balancing. You can now choose to manually re-enable virtual servers for load balancing availability when their status changes from down to up by activating the Manual Resume setting. If you activate the Manual Resume setting, when a virtual server changes status from up to down, the controller also disables the virtual server. When the virtual server’s status changes back to up, you have to re-enable the virtual server before it is actually available for load balancing.

For details on configuring the Manual Resume setting, see the Optional configuration changes section of this PTF note.

The named daemon no longer experiences fatal errors when there are more than 500 IP addresses configured on a BIG-IP system running the 3-DNS Controller module (CR22075, CR22911)
The named daemon no longer experiences fatal errors under the following conditions:

  • You are running the 3-DNS module on a BIG-IP system, and
  • You have more than 500 IP addresses in the BIG-IP configuration

The 3dns_action script and deleting action commands on the local system (CR22108, CR22109)
The 3dns_action script now deletes action commands, which are generated by the local system’s 3dnsd daemon, from the /tmp/sync_wideip_cmds directory on the local system. There is also a cron job that deletes files and action commands that are older than one day from the /tmp directory.

Updating persistence records when the 3dnsd daemon restarts (CR22380)
In situations where the 3dnsd daemon restarts, for example, when you reboot the 3-DNS Controller, the controller now synchronizes any persistent connections with another controller in the sync group.

The Return to DNS load balancing mode and floating self IP addresses (CR22570)
The Return to DNS load balancing mode now works properly with floating self IP addresses. Previously, the 3-DNS Controller was unable to properly use the Return to DNS load balancing mode to route packets when the controller had a floating self IP address.

New SNMP OIDs for enable and disable actions (CR22631)
When you enable or disable an object in the 3-DNS Controller configuration, this action now generates an SNMP trap based on new object identifiers (OIDs) in the 3-DNS MIB. You can view the 3-DNS MIB from the home screen of the Configuration utility.

EDNS0 requests from BIND 8.3.3 and BIND 9 name servers (CR22697)
The 3-DNS Controller can now process EDNS0 requests that originate from BIND 8.3.3 and BIND 9 name servers. When the 3-DNS Controller receives an EDNS0 request, the controller embeds the additional EDNS0 record in the DNS response packet.

Synchronizing among sync group members when a controller reboots (CR22912)
When a 3-DNS Controller that is a member of a sync group reboots, the controller no longer loses the ability to synchronize with the other controllers in the sync group.

Version 4.2PTF06

CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability
The security vulnerability that is outlined in CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability, has been fixed.

Updated big3d agents (CR21360, CR21637)
The big3d agent has been updated. To ensure that the BIG-IP, EDGE-FX Cache, and GLOBAL-SITE systems in your network are running the most recent big3d agent, be sure to follow the instructions in the Updating the big3d agent section of this PTF note.

The named daemon and memory usage (CR21420)
The named daemon no longer stops running when it uses more than 16MB of RAM.

Unexpectedly closed TCP connections with outstanding path probes (CR21530)
When the TCP connection for a large number of active iQuery path probes is unexpectedly closed or dropped, the big3d agent no longer stops running.

SNMP trap IDs and 3-DNS MIB descriptions for server status changes (CR21590)
The descriptions in the 3-DNS MIB for changes in server status (for example, RED to GREEN, or GREEN to RED) now correspond correctly to the SNMP trap IDs.

SNMP traps for server status and virtual server status have been improved (CR21591)
The SNMP traps for server status and virtual server status now properly inherit their status from threednsTraps in the 3-DNS MIB.

big3d agent SNMP probing failures and misconfigured Alteon switches (CR21638)
On an Alteon switch that is misconfigured with a group that doesn't exist in the MIB, the big3d agent no longer fails when probing for virtual server status using SNMP.

Updated version of BIND (CR21639)
BIND has been updated from version 8.2.3 to version 8.3.1.

big3d argument with missing values and server errors (CR21647)
When a big3d argument requires a value, and you do not define a value, the 3-DNS Controller no longer experiences server errors.

Version 4.2PTF05

There are no fixes or enhancements for 3-DNS Controller in version 4.2PTF05.

Version 4.2PTF04

SNMP versions and host probing (CR19784, CR20916)
The 3-DNS Controller now uses the correct version of SNMP (1 or 2) depending on which version is supported by the SNMP agent on the host.

Support for iControl, version 2.1 (CR19847, CR20178)
This PTF includes support for iControl, version 2.1.

New command argument for 3ndc (CR19886)
You can now monitor DNS transactions without using tcpdump by using the 3ndc querylog command. For additional information, refer to the 3ndc man page.

Using snmpwalk and the 3-DNS MIB (CR19989, CR19994)
You no longer receive an OID error when you use snmpwalk on the 3-DNS MIB, and the following condition exists:  the string length (shorter to longer) and the lexicographic sort (a to z) of wide IP names and/or data center names in the MIB are in opposite order.

Denial of service (DOS) attacks and the UDP protocol for iQuery (CR20195, CR20199)
The 3dnsd daemon no longer marks the big3d agent (running on the same system) as down, under the following conditions:

  • The iQuery protocol is set to UDP (the default)
  • The DNS port experiences a DOS attack
  • The DNS attack generates more than 50,000 requests per second

Synchronization and viewing server status (CR20170)
When you make configuration changes on a receiver 3-DNS Controller in a sync group, and then view server and virtual server status on the principal 3-DNS Controller, the servers and virtual servers are no longer inaccurately marked as down (red ball).

IP Application Switch platform and probing hosts using TCP (CR20244)
Host probing no longer fails when you are running the 3-DNS Controller module on the IP Application Switch platform, and the big3d agent’s probe protocol is set to TCP.

Configuring default settings for SNMP (CR20258)
You can now reset the SNMP timeouts and retries to their default values.

Compilation errors in 3-DNS MIB (CR20466)
The 3-DNS MIB no longer causes compilation errors with some SNMP management tools.

Netmask on the public IP address when the 3-DNS Controller is behind a firewall (CR20792)
When the 3-DNS Controller is behind a firewall, and the public IP address is defined on the external VLAN, the netmask is now applied correctly; the public IP address is no longer improperly associated with the loopback device.

Removing virtual servers (CR20814)
Removing a virtual server that belongs to a pool that uses the Round Robin load balancing mode no longer causes server errors.

Getting up or down status for 3-DNS, GLOBAL-SITE, and EDGE-FX Cache systems from SNMP (CR21041)
You can now get the proper up or down status from the 3-DNS MIB for 3-DNS, BIG-IP, GLOBAL-SITE, and EDGE-FX Cache systems.

iQuery and backward compatibility for encryption (CR21270)
iQuery encryption between 3-DNS Controller, version 4.2 and 3-DNS Controller, version 4.0.1 now works properly.

Version 4.2PTF03

There are no fixes or enhancements for 3-DNS Controller in version 4.2PTF03.

Version 4.2PTF02

There are no fixes or enhancements for 3-DNS Controller in version 4.2PTF02.

Version 4.2PTF01

There are no fixes or enhancements for 3-DNS Controller in version 4.2PTF01.

Configuration changes

The following section provides information about both required and optional configuration changes.

Required configuration changes

There are no required configuration changes in this PTF.

Optional configuration changes

Configuring network failover

Use the following instructions to configure the 3-DNS redundant system for network failover. Note that you can use network failover in addition to, or instead of, hard-wired failover.

To activate network failover using the Configuration utility

  1. In the navigation pane, click System.
    The System - General screen opens.
  2. Check the Network Failover box to enable network failover on this unit.
  3. Click Update.
    The controller updates the configuration with the new settings.
  4. Repeat the previous steps on the peer unit in the redundant system.

Fully closing TCP connections

Use the following instructions to close TCP connections fully.

To configure the big3d agent to fully close TCP connections

From the command line, type big3d -use-tcp-connect.

For additional options:

  • For additional syntax information, type big3d -h.
  • To revert to the default behavior, type bigstart restart big3d.

Working with the Manual Resume setting

Use the following instructions to activate the Manual Resume setting. Note that this setting affects all of the virtual servers in a wide IP.

To activate the Manual Resume setting using the Configuration utility

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.
  2. In the Wide IP Name column, click the name of the wide IP that you want to modify.
    The Modify Wide IP screen opens.
  3. Check the Manual Resume box.
  4. Click Update.
    The Configuration utility updates the configuration with the changes.

When you activate the Manual Resume setting on a wide IP, all of the virtual servers in that wide IP’s pools are affected. When a virtual server changes status from up to down, the virtual server remains disabled even after it changes status from down to up. The following instructions describe how to determine whether a virtual server is disabled by the Manual Resume setting, and how to re-enable the virtual server.

To determine how a virtual server is disabled using the Configuration utility

  1. On the navigation pane, expand the Statistics item, and then click Disabled.
    The Disabled Objects screen opens.
  2. Using the Object Type and ID columns, locate the virtual server that you are reviewing.
  3. The Disabled By column for the virtual server that you want to review displays the method by which the virtual server was disabled. For example, if you see manual_resume, the virtual server is disabled by the Manual Resume setting, and will remain disabled indefinitely.

The following instructions describe how to re-enable a virtual server that has been disabled by the Manual Resume setting. Note that you re-enable the virtual server in the context of the pool and wide IP that it belongs to, not in the context of the server that it belongs to.

To re-enable a virtual server that is disabled by the Manual Resume setting using the Configuration utility

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.
  2. In the Pools column, click # Pools for the wide IP that disabled the virtual server you want to re-enable.
    The Modify Pools screen opens.
  3. In the Virtual Servers column, click # Virtual Servers for the pool that disabled the virtual server you want to re-enable.
    The Modify Virtual Servers screen opens.
  4. Click the Status button for the virtual server that you want to re-enable.
    A popup screen appears to confirm that you want to enable the virtual server.
  5. Click OK.
    The screen refreshes and the virtual server is enabled.

Known issues

The following items are known issues in the current release.

Statistics screens and viewing 3-DNS Controller status (CR9452)
When you disable a 3-DNS Controller that is a member of a sync group, the 3-DNS Statistics and Sync Group Statistics screens in the disabled system's Configuration utility display an inaccurate status (a red ball) for all of the other 3-DNS systems in the same sync group. You can see the correct status of the systems in the 3-DNS Statistics and Sync Group Statistics screens of any enabled 3-DNS Controller in the sync group.

Prober statistics and Internet Explorer 5.0 and later (CR10153)
When you are viewing Histograms or Metrics on the Prober Statistics screen, you might encounter errors if you are using Microsoft Internet Explorer 5.0 or later. We recommend using the following procedure to view the Histograms or Metrics.

  1. In the navigation pane, expand the Statistics item, and click Probers.
  2. In the Prober Statistics screen, click either Metrics or Histogram.
    A dialog box appears.
  3. Select Save this file to disk and click OK.

The browser saves the file, and you can now open the file using Microsoft Excel.

ArrowPoint CS150 and metrics collection (CR10361)
The 3-DNS Controller collects metrics on packets per second and kilobytes per second only for HTTP traffic on the current ArrowPoint CS150 server.

The kilobytes per second rate as displayed for the ArrowPoint CS150 is approximately 16 times smaller than it should be. The total byte count returned from the ArrowPoint MIB is 16 times smaller than the total byte count that was actually handled.

Java applets and the Configuration utility (CR10381)
Parts of the Configuration utility for the 3-DNS Controller use Java applets and require the presence of the Java Virtual Machine (JVM) on your local machine. However, some default installations of Internet Explorer do not contain the JVM. If your version of Internet Explorer does not contain a JVM, you can obtain a JVM by going to the Tools menu, choosing the Windows Update link, selecting PRODUCT UPDATES, and looking in the Additional Windows Features section. Alternately, you can go to the Internet Explorer section of Microsoft's web site.

Screen resolution and the Configuration utility (CR10518)
If the screen resolution on your monitor is set to less than 1024 x 768 pixels, you may not see the entire 3-DNS Controller toolbar in the Configuration utility. If your monitor allows it, we recommend that you set your screen resolution to 1024 x 768 pixels.

Netscape Navigator 6.0 (CR11008)
The Configuration utility does not currently support Netscape 6.0.

Non-crypto EDGE-FX Caches (CR11035)
When using an RSH session to connect to an EDGE-FX Cache that does not have SSH available (a non-crypto EDGE-FX Cache), you may get a connection refused error message.
To use an RSH session with a non-crypto EDGE-FX Cache

  1. Use Telnet or a terminal console to connect to the EDGE-FX Cache.
  2. In the /etc/inetd.conf file, remove the comment (#) character from the line:
    #shell stream tcp nowait root /usr/libexec/rshd rshd
  3. Type the following command:
    kill -HUP `cat /var/run/inetd.pid`
    This causes the inetd daemon to re-read its configuration.
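
The edit in step 2 can be made and checked programmatically. The following is an added example, not part of the original note: it uncomments only the exact service line named, is safe to run twice, and lists which inetd services end up enabled. The sample inetd.conf is constructed; only the shell line comes from the procedure above.

```python
import re

# Constructed sample file; only the "shell" line is taken from the procedure above.
SAMPLE_INETD_CONF = """\
# Internet server configuration database (constructed sample)
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
#shell stream tcp nowait root /usr/libexec/rshd rshd
#login stream tcp nowait root /usr/libexec/rlogind rlogind
"""

# service  socket-type  protocol  wait|nowait  user  server-program  [args...]
ENTRY = re.compile(
    r"^(?P<off>#\s*)?(?P<svc>[\w-]+)\s+(?:stream|dgram)\s+\S+\s+"
    r"(?:wait|nowait)\S*\s+(?P<user>\S+)\s+(?P<prog>\S+)"
)


def parse_entries(text):
    """Return (service, enabled, user, program) for each service line, commented or not."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m["svc"], m["off"] is None, m["user"], m["prog"]))
    return entries


def uncomment_service(text, service, program):
    """Remove the leading '#' from the line for `service` running `program`.

    Returns (new_text, changed). Lines for other services, and ordinary
    comments that merely mention the service, are left untouched.
    """
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        m = ENTRY.match(line)
        if m and m["off"] and m["svc"] == service and m["prog"] == program:
            line = line[len(m["off"]):]
            changed = True
        out.append(line)
    return "".join(out), changed


def enabled_services(text):
    """Names of the services inetd will start after re-reading this file."""
    return [svc for svc, enabled, _user, _prog in parse_entries(text) if enabled]


if __name__ == "__main__":
    new_conf, changed = uncomment_service(SAMPLE_INETD_CONF, "shell", "/usr/libexec/rshd")
    print("changed:", changed)
    print("enabled:", enabled_services(new_conf))
```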

Netscape Navigator and the Network Map (CR11161)
The Network Map does not display large configurations properly when you run Netscape on a UNIX or Linux platform. We recommend that you use a Windows-based browser to view large network configurations with the Network Map.

Network Map and multiple browser sessions (CR11173)
When you view the Network Map, you might get an error when you open additional browser sessions with Internet Explorer or Netscape. This error only occurs if the additional browser sessions use Java applets. We recommend that you close any additional browser sessions before viewing the Network Map.

Synchronization and prior 3-DNS Controller versions (CR11186)
3-DNS Controller version 4.2 does not synchronize with 3-DNS systems that are running versions prior to 4.2.

Wide IP production rules (CR11710)
When you create a wide IP production rule with a Date/Time time variable, the production rule action does not stop in the time frame that you specify in the Stop Time box. We recommend that you do not configure a production rule with the Date/Time time variable.

MindTerm SSH Client and multiple Netscape browser sessions (CR12121)
If you have more than one MindTerm SSH Client session open, and you are running Netscape, you can close only one session. We recommend that you open only one instance of the MindTerm SSH Client.

MindTerm SSH Client with Netscape Navigator on UNIX systems (CR12132)
If you are running Netscape on a UNIX (Linux, *BSD, Solaris) system, the MindTerm SSH Client item is not available in the navigation pane of the Configuration utility. Instead you can access the 3-DNS Controller command line utility using a standard SSH connection.

Global Availability or Ratio load balancing within a pool (CR13112)
When you create a pool for a new or for an existing wide IP, and you use the Global Availability or Ratio load balancing method, you may experience problems under the following circumstances:

  • You are using Internet Explorer 5.0 or 5.5.
  • You select Global Availability or Ratio in the Load Balancing Modes, Preferred list on the Configure Load Balancing for New Pool screen.
  • You have a large quantity of virtual servers in your configuration.

If you want to use the Global Availability or Ratio load balancing method, and you meet the previous criteria, see the Using the Global Availability or Ratio load balancing mode within a pool work-around later in this release note.

The 3-DNS Maintenance menu and new installations (CR14777)
When you are working with a new 3-DNS Controller, before you can use the Edit 3-DNS Configuration command on the 3-DNS Maintenance menu, you need to add a data center and a 3-DNS Controller to the configuration using the Configuration utility.

Non-crypto systems and RSH (CR14832)
If you have non-crypto systems, you must configure RSH from the command line to establish secure communications between the 3-DNS Controller and other F5 Networks systems. If you have a mixed environment, with crypto and non-crypto systems, you must configure RSH as well as SSH on the crypto systems, so that they can communicate with the non-crypto systems. For details on how to configure the rsh utility, see the Configuring RSH on non-crypto systems work-around.

BIG-IP systems with the 3-DNS module, and copying iQuery keys (CR14926)
When you use the Generate and Copy iQuery Encryption Key command on the 3-DNS Maintenance menu, the command sometimes fails to copy the key from a previously configured BIG-IP system on to a newly configured BIG-IP system with the 3-DNS module. The command may also copy the key to the local system and fail to copy the key to any remote system. If the copy fails (in either instance), re-run the command, and select either the Keep option (which retains the local system's key and copies it out to the other systems), or the Build option (which creates a new key and copies it out to the other systems). 

Sync group names in the Configuration utility (CR14955)
In the Configuration utility, you may get an internal server error, and you may not be able to delete the sync group, if you use special characters in the sync group names. To avoid this error, use only alphanumeric, space, underscore ( _ ), or hyphen ( - ) characters in the sync group names.

Data center names in the Configuration utility (CR14990)
In the Configuration utility, you may get an internal server error, and you may not be able to delete the data center, if you use special characters in the data center names. To avoid this error, use only alphanumeric, space, underscore ( _ ), or hyphen ( - ) characters in the data center names.

Opening PDF files from the 3-DNS Controller home screen (CR15901)
Occasionally, when you open any of the PDF files available on the home screen of the Configuration utility, the CPU usage for your work station may spike to 100%. To avoid this problem, right-click the name of the PDF file that you want to open, and choose Save Target As to save the PDF file on your workstation. You can then open the PDF file using Adobe® Acrobat® Reader, version 3.0 and later.

Adding servers using the Configuration utility and the Back button in Internet Explorer (CR17504)
Occasionally, when you add a new server to the 3-DNS Controller configuration using the Configuration utility, and you are using the Configuration utility in a Microsoft® Internet Explorer browser session, you may get an error when you use the Back button to return to a previous screen. The error is benign, and you can click any item in the navigation screen to clear the error.

Enabling the IP classifier (crypto systems only) (CR18264)
If you use the Topology load balancing feature, you must make the following change to the wideip.conf file so the 3-DNS Controller can classify continent and country of origin for local DNS servers.

  1. From the command line, open the 3-DNS Maintenance menu:
    3dnsmaint
  2. Using the arrow keys, choose Edit 3-DNS Configuration and press Enter.
  3. Add the following line to the include statement in the wideip.conf file.
    include geoloc "netIana.inc"
    The include statement loads the IP classifier so Topology load balancing can classify LDNS requests.

Using the 3-DNS Controller in bridge mode (CR18873)
In version 4.2, you cannot configure the 3-DNS Controller in bridge mode using a remote connection or using the Configuration utility. You must configure bridge mode using a local connection. For details on configuring bridge mode, see the Configuring bridge mode in version 4.2 section of this release note.

Using the web-based Setup utility to configure bridge or router mode (CR18892)
If you want to configure the 3-DNS Controller in bridge or router mode, you cannot use the web-based Setup utility. You can, however, use the Setup utility from the command line to configure bridge or router mode.

Deleting and renaming objects using the Configuration utility, and synchronization (CR19428, CR19443)
When you delete or rename objects (such as data centers and wide IPs) using the Configuration utility, the resulting changes are not properly synchronized to sync group members. Note that the synchronization feature works best if you make all configuration changes on one system, and then wait at least a minute before you verify the changes on the remaining sync group members.

Running the web-based Setup utility more than once (CR19627)
When you run the web-based Setup utility more than once, you may encounter runtime errors. The errors are benign. If you need to rerun the Setup utility, we recommend that you do so from the command line, by typing config.

Using the web-based Setup utility for initial configuration (CR19672)
When you use the web-based Setup utility for the initial configuration of the 3-DNS Controller, you use a default IP address in the URL to log in, for example, http://192.168.1.245. Once you have completed the configuration, refreshing the browser does not open the login screen for the 3-DNS Controller. Instead, you need to replace the default IP address in the URL with the IP address that you assigned to the 3-DNS Controller. If you are running a crypto 3-DNS Controller, you also need to change to the HTTPS protocol in the URL. For example, if you configure a crypto 3-DNS Controller with the 192.168.11.22 address, you would type https://192.168.11.22 in the address bar of the browser.

Configuring a single VLAN in the Setup utility (CR19705)
During the initial configuration (using the Setup utility), when you configure a single VLAN with a single interface, you get the following error message when the 3-DNS Controller reboots:

/config/bigip_base.conf: The requested VLAN was not found." in line 20

To avoid this error, you can do one of two things:

  • You can configure two VLANs on the 3-DNS Controller
  • You can remove the default vlan internal definition from the bigip_base.conf file, using the following bigpipe command:
    b vlan internal delete

Special characters in pool names and viewing the Network Map (CR19756)
When you use the colon character ( : ) in a pool name, and then try to view the Network Map, the Network Map does not display. To avoid this error, do not use the colon character in pool names.

The Dump 3-DNS Statistics command on the 3-DNS Maintenance menu and viewing EDGE-FX Cache statistics (CR20000)
When you use the Dump 3-DNS Statistics command on the 3-DNS Maintenance menu, and you choose EDGE-FX, the command exits without a warning when you have no EDGE-FX Caches defined in your configuration.

The Restore a 3-DNS from a backup command on the 3-DNS Maintenance menu and the 3dnsd daemon (CR20024)
When you use the Restore a 3-DNS from a backup command on the 3-DNS Maintenance menu, you must manually restart the 3dnsd daemon after the restore process has completed. To restart the 3dnsd daemon, type 3ndc restart from the command line.

The 3-DNS Maintenance menu: the Dump 3dnsd Statistics command and wide IP statistics (CR20140)
When you select Wide IPs on the Dump 3dnsd Statistics command in the 3-DNS Maintenance menu, the statistics you see are not the same as the statistics that you see on the Wide IP Statistics screen in the Configuration utility.

The 3dpipe utility and pool names (CR20182, CR20183)
The 3dpipe utility does not properly parse pool names that contain numbers only, or pool names that contain hyphens.

CPU usage statistics for EDGE-FX Caches (CR21325)
On the EDGE-FX Cache Statistics screen, in the Configuration utility, the 3-DNS Controller incorrectly reports the CPU usage statistic for the EDGE-FX Cache.

Modifying wide IPs and errors in the Configuration utility (CR22038)
When you modify a wide IP using the Configuration utility, you may see error 331845. The error is benign, and occurs only if the NameSurfer® application is not enabled. Note that this known issue is not applicable to the 3-DNS Controller module on a BIG-IP system.

Disabling Round Robin LDNS and synchronization (CR22324)
If you have 3-DNS Controllers in a sync group, and you disable Round Robin LDNS (RR LDNS) in a pool on one of the controllers, the disable operation does not synchronize properly to the other members of the sync group. To work around this issue, after you have disabled RR LDNS on one controller, type 3ndc restart from the command line on the remaining controllers in the sync group.

Login formatting for LDAP authentication using the Configuration utility (CR26108)
When you log into an LDAP database using the Configuration utility, the utility does not accept spaces as part of the login name. Note that this error does not occur if you log into the LDAP database from the command line. If you want to use LDAP authentication in the Configuration utility, you must create login names that do not contain spaces.

Setting the Quality of Service load balancing mode and the QOS coefficients (CR26154)
In the Configuration utility, when you change the load balancing mode within a pool to Quality of Service, occasionally the Configuration utility may not properly update the QOS coefficients. Instead, you may see very large values for some of the coefficients, or you may see new values for coefficients that you did not change. To work around this issue, see the Setting the Quality of Service load balancing mode section of this PTF note.

Invalid cache dump metrics (CR26204)
Occasionally, when you first configure the 3-DNS Controller, you may see invalid numbers in the Next Cache Dump box on the Summary Statistics screen in the Configuration utility. If you see this error, reboot the controller.

Large requests file or large LDNS file and filling the /tmp directory (CR26250)
If the 3-DNS Controller is simultaneously processing a very large number of requests, or you have a very large LDNS file (more than 1.5 million local DNS servers), then the /tmp directory may fill up and cause the controller to stop running.

Configuring production rules and error messages in the 3-DNS Log (CR26316)
When you add, delete, or modify a production rule using the Configuration utility, the controller may generate error messages in the 3-DNS log. The error messages are benign, and the production rules function as expected.

Network Map does not show proper disabled status for pool virtual servers (CR27924)
If you are using the Network Map in the Configuration utility to view the status of virtual servers in a pool, the status icons for virtual servers stay green even when all nodes are either disabled or down. When all nodes are disabled or down, the virtual server status icon should be red. Status icons for virtual servers that are not configured in a pool display correctly.

Creating user-defined regions using the Configuration utility (CR28102)
In the Configuration utility, when you create a user-defined region for Topology load balancing, you get a syntax error if you add more than 39 entries to the custom region. To avoid this error, if you are creating a large user-defined region (with more than 39 entries), we recommend that you create the custom region from the command line, by editing the wideip.conf file.

Displaying data centers with 1000 or more defined servers (CR28228)
If you have 1000 or more servers defined for a certain data center, the 3-DNS Controller Configuration utility may display an error when displaying the defined servers. Disregard this error, as the screen eventually displays all of the defined servers correctly.

Viewing toolbars in the Configuration utility and resizing the screen (CR28331)
If you resize the browser window when viewing the Configuration utility, you may not be able to see the entire toolbar on some of the screens. We recommend that, to avoid this problem, you maximize the browser window, and use a screen resolution of at least 1024 X 768.

Replacing 3-DNS systems and resetting the SSH key (CR28409)
Installing a replacement unit into your network breaks the trust relationship between the 3-DNS Controller and any devices with which it interacts. As a result, synchronization between the systems in the sync group stops, and you cannot update the big3d agent. You can correct this situation by removing the newer SSH key (on the replacement unit), and synchronizing the updated 3-DNS Controller with other 3-DNS Controllers or BIG-IP systems. Refer to the Resetting the SSH key work-around to reset the SSH key and synchronize the systems in your network. Note that you must reset the SSH key before you run the Configure SSH communication with remote devices command on the 3-DNS Maintenance menu.

The named-xfer command and transferring zone files (CR28496)
If you use the named-xfer command to transfer zone files from the command line, the command incorrectly translates the ORIGIN address as the CNAME address.

Cisco CSS series (formerly ArrowPoint) servers and metrics collection
The 3-DNS Controller cannot collect the packets per second and the kilobytes per second metrics on Cisco CSS series (formerly ArrowPoint) software versions prior to 4.0.

Crypto 3-DNS systems and CD upgrades
(This applies only to crypto 3-DNS systems.)  When you rebuild a 3-DNS Controller (or a BIG-IP system) using a CD, the SSH key is changed. This breaks the trust relationship between the updated 3-DNS Controller and any devices with which it interacts. As a result, synchronization between the systems in the sync group stops, and you cannot update the big3d agent. You can correct this situation by removing the newer SSH key and synchronizing the updated 3-DNS Controller with other 3-DNS Controllers or BIG-IP systems. Refer to the Resetting the SSH key work-around to reset the SSH key and synchronize the systems in your network.

Solstice SNMP agent and metrics collection
The Solstice SNMP agent, which runs on some Sun systems, delays the updating of some metrics for longer than 30 seconds. As a result, in the 3-DNS SNMP Statistics screen, the packet rates and kilobytes per second rates can fluctuate from a zero value to a real value. If you are polling Sun Solaris servers in your network, you may want to set the SNMP polling time on the 3-DNS Controller to an interval greater than 60 seconds.

Round trip time and hops no longer work together, nor do UDP and ICMP (CR42529)
The round trip time (RTT) and latency (Hops) Quality of Service (QOS) coefficients no longer work together for QOS probing. If RTT and Hops are configured at the same time, the 3-DNS Controller uses RTT.

For local DNS (LDNS) probing, the 3-DNS Controller does not support using both UDP and ICMP. If you select UDP and ICMP, the 3-DNS Controller removes UDP from the list, and uses ICMP.

Work-arounds for known issues

The following items are work-arounds for known issues in the previous section of the PTF note.

Allocating memory resources for the named daemon

You can allocate more memory resources for the named daemon using the following instructions.

  1. From the command line, open the /etc/named.conf file with the text editor of your choice (vi or pico).
  2. In the options statement, add the following line:
    datasize 128M;
  3. Save and close the /etc/named.conf file.
  4. Update the system with the changes.
    • If the named daemon is running, type this command:
      ndc reload
    • If the named daemon is not running, type this command:
      ndc start

The named daemon now can use up to 128MB of RAM if necessary.

Configuring bridge mode in version 4.2

If you want to configure the 3-DNS Controller to run in bridge mode, you need to do so using a local connection to the 3-DNS Controller. First, you create a VLAN group that includes both the internal and external VLANs. Next, you delete the self IP address for the 3-DNS Controller, and re-assign the IP address to the newly-created VLAN group. Finally, you save the configuration. The following instructions detail how to configure bridge mode for version 4.2.

To configure bridge mode in 3-DNS Controller version 4.2

  1. Open the Setup utility by typing config from the command line.
  2. Type D, and press Enter, to configure the 3-DNS mode.
  3. Using the arrow keys, choose Bridge, and press Enter.
  4. Type Q to close the Setup utility.
  5. To create a VLAN group, type the following command, where <vlan 1> and <vlan 2> are the names of the two networks you want to link with bridge mode:
    b vlangroup <vlan group name> vlans add <vlan 1> <vlan 2>
  6. To delete the self IP address of the 3-DNS Controller interface, type the following command, where <ip address> is the IP address that you want to assign to the newly-created VLAN group:
    b self <ip address> delete
  7. To assign the IP address that you deleted as the self IP address in the previous step to the VLAN group, type the following command:
    b self <ip address> vlan <group name> netmask <netmask>
  8. To save the changes you just made, type the following command:
    b save
  9. Last, to save the entire base network configuration, type the following command:
    b base save

The 3-DNS Controller saves the changes and you can now use the 3-DNS Controller in bridge mode.

Configuring RSH on non-crypto systems

The following instructions describe how to configure the rsh utility from the command line. You need to configure the rsh utility on all the non-crypto systems for which you want to establish secure communications, as well as crypto systems that communicate with non-crypto systems.

To set up the rsh utility from the command line

  1. Change to the /root directory.
  2. In the /root directory, create an .rhosts file.
  3. Add the IP address for the remote system to the newly-created .rhosts file.
  4. Save and close the file.
  5. For the .rhosts file, set the file permissions using the chmod 600 command.

You can now use the rsh utility to run commands on the remote system.
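
Because rsh grants access based on the entries in the .rhosts file, it is worth checking the file once the procedure is complete. The following script is an added example, not part of the original release note: the function names audit_rhosts and write_sample_rhosts are hypothetical, the sample entries are constructed, and treating '#' lines as comments is an assumption.

```shell
#!/bin/sh
# Audit an .rhosts file against the procedure above (added example).

# audit_rhosts FILE: print one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if FILE is missing.
audit_rhosts() {
    file=$1
    bad=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    # Step 5: chmod 600. Compare the ls permission string; cutting to ten
    # characters drops any trailing ACL marker.
    perms=$(ls -ld "$file" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        echo "mode: $perms (expected -rw-------)"
        bad=1
    fi

    n=0
    while read -r host user rest || [ -n "$host" ]; do
        n=$((n + 1))
        # Blank lines and '#' lines are skipped (assumed to be comments).
        case $host in ''|'#'*) continue ;; esac
        # '+' in either field is a wildcard: any host or any user is trusted.
        case "$host $user" in
            *+*) echo "line $n: wildcard entry"; bad=1; continue ;;
        esac
        # Step 3 asks for an IP address; a host name makes trust depend on DNS.
        if ! printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "line $n: not an IPv4 address: $host"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Constructed sample, not taken from a real system.
write_sample_rhosts() {
    printf '%s\n' '# peers for rsh' '192.168.11.22' \
        'ns1.example.net root' '+ +' > "$1"
    chmod 644 "$1"
}

# Demonstration on the constructed sample; on a controller, run
# audit_rhosts /root/.rhosts instead.
demo_dir=$(mktemp -d)
write_sample_rhosts "$demo_dir/.rhosts"
audit_rhosts "$demo_dir/.rhosts" || true
rm -rf "$demo_dir"
```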

Removing a controller from a sync group

If you are upgrading the software on 3-DNS Controllers that are in a sync group, you must remove the controllers from the sync group before you apply the software. This is because the synchronization process cannot synchronize controllers that are running different software versions, including different PTF versions.

Note: You can re-create the sync group once you have upgraded the software for all of the controllers that belong to the sync group.

To remove a controller from a sync group using the Configuration utility

  1. In the navigation pane, click 3-DNS Sync.
    The Synchronization screen opens.
  2. In the Remove column, next to the controller that you want to remove from the sync group, click the Remove button.
    A popup screen opens to confirm the removal of the controller.
  3. Click OK.
    The screen refreshes, and the controller is no longer listed as a member of the sync group.
  4. Repeat these tasks for any additional sync group members that you want to remove from the sync group.

Alternatively, you can remove the entire sync group, instead of removing the controllers one at a time.

To remove a sync group using the Configuration utility

  1. In the navigation pane, click 3-DNS Sync.
    The Synchronization screen opens.
  2. On the toolbar, click Remove this Group.
    A popup screen opens to confirm the removal of the sync group.
  3. Click OK.
    The screen refreshes, and the Add a New Sync Group screen opens, where you can re-create your sync group once you have upgraded the software on all of the controllers that belong to the sync group.

Resetting the SSH key

The following instructions describe how to reset the SSH key for a system that you have upgraded using a CD.

To reset the SSH key for an updated 3-DNS Controller

  1. From the command line of each 3-DNS Controller in the sync group that has not been upgraded, change to the /root/.ssh/ directory.
  2. In either the known_hosts file or the known_hosts2 file, remove the SSH key for the upgraded system. (The upgraded system's IP address is part of the key file name.)
  3. On the system that you upgraded, type 3dnsmaint at the command line to open the 3-DNS Maintenance menu.
  4. Choose Configure SSH communication with remote devices, and press Enter.
    The 3-DNS Controller updates all sync group members with the SSH key of the upgraded system.
  5. Press Enter to return to the 3-DNS Maintenance menu.
  6. Press Q to quit.
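
Step 2 can be scripted so that only the upgraded system's entry is removed and a backup copy is kept. The following script is an added example, not part of the original release note: the function names are hypothetical, the sample entries are constructed, and it assumes each entry begins with a comma-separated host list that includes the IP address.

```shell
#!/bin/sh
# Remove one host's entry from a known_hosts file (added example).

# remove_known_host IP FILE
# Drops every entry whose host list names IP exactly and keeps FILE.bak.
# Prints the number of entries removed; returns 1 if none matched,
# 2 if FILE is missing or no temporary file could be created.
remove_known_host() {
    ip=$1
    file=$2
    [ -f "$file" ] || return 2
    tmp=$(mktemp "$file.XXXXXX") || return 2
    removed=$(awk -v ip="$ip" -v out="$tmp" '
        NF == 0 || $1 ~ /^#/ { print > out; next }   # keep blanks, comments
        {
            # Compare each listed host as a whole string, so that
            # 192.168.11.22 never matches 192.168.11.2 or 192.168.11.220.
            hit = 0
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == ip) hit = 1
            if (hit) count++; else print > out
        }
        END { print count + 0 }
    ' "$file")
    if [ "$removed" -gt 0 ]; then
        # Back up first, then rewrite in place to keep owner and mode.
        cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    fi
    rm -f "$tmp"
    echo "$removed"
    [ "$removed" -gt 0 ]
}

# Constructed sample entries, not real keys.
write_sample_known_hosts() {
    printf '%s\n' \
        '# constructed sample entries' \
        '192.168.11.2 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-1' \
        'dns2.example.net,192.168.11.22 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-2' \
        '192.168.11.220 1024 35 1234567890' > "$1"
}

# Demonstration on the constructed sample; on a controller, the files are
# /root/.ssh/known_hosts and /root/.ssh/known_hosts2.
demo=$(mktemp -d)
write_sample_known_hosts "$demo/known_hosts"
remove_known_host 192.168.11.22 "$demo/known_hosts" || true
rm -rf "$demo"
```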

Setting the Quality of Service load balancing mode

In the Configuration utility, if you change the load balancing mode in a pool to Quality of Service and the values for the QOS coefficients do not maintain your settings, use the following instructions.

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.
  2. In the Wide IP Name column, select the wide IP that contains the pool that you want to modify.
    The Modify Wide IP screen opens.
  3. From the toolbar, click Modify Pool.
    The Modify Wide IP Pools screen opens.
  4. In the Pool Name column, click the pool that you want to modify.
    The Modify Load Balancing for [pool name] screen opens.
  5. In the Load Balancing Modes, Preferred box, select Quality of Service.
  6. Click Update.
    Note: Do not change the values of the QOS coefficients at this time.
  7. In the Quality of Service coefficients section of the screen, type the values that you want to set for the QOS coefficients.
  8. Click Update.
    The QOS coefficients should remain at the values that you typed.

Using the Global Availability or Ratio load balancing mode within a pool

The following instructions describe how to configure the Global Availability or Ratio load balancing mode within a pool. You need to use these instructions only if you meet the criteria listed in the Using the Global Availability or Ratio load balancing mode within a pool item in the Known Issues section.

To configure Global Availability or Ratio load balancing within a pool in a new wide IP

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.
  2. On the toolbar, click Add Wide IP.
    The Add a New Wide IP screen opens.
  3. Type the settings for the new wide IP, and click Next.
    The Configure Load Balancing for New Pool screen opens.
  4. Select a load balancing mode other than Global Availability in all of the following lists:
    • Load Balancing Modes, Preferred
    • Load Balancing Modes, Alternate
    • Load Balancing Modes, Fallback

    Note that you can accept the default settings, rather than changing the settings.
  5. Click Next.
    The Select Virtual Servers screen opens.
  6. Once you have finished configuring the virtual servers for the pool, click Finish to save your changes.
  7. On the Wide IP List screen, select the wide IP that you just created.
  8. On the toolbar, click Modify Pool.
    The Modify Wide IP Pools screen opens.
  9. Click the pool that you just created.
    The Modify Load Balancing for [pool name] screen opens.
  10. Select Global Availability, as appropriate, in the Load Balancing Modes, Preferred, or the Load Balancing Modes, Alternate, or the Load Balancing Modes, Fallback list, and click Update.
    The Modify Virtual Servers screen opens, where you can determine the order in which the 3-DNS Controller load balances to the virtual servers in the pool.

To configure Global Availability or Ratio load balancing within a pool in an existing wide IP

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.
  2. On the toolbar, click Add Pool.
    The Configure Load Balancing for New Pool screen opens.
  3. Select a load balancing mode other than Global Availability in the following lists:
    • Load Balancing Modes, Preferred
    • Load Balancing Modes, Alternate
    • Load Balancing Modes, Fallback

    Note that you can accept the default settings; you do not have to change the settings.
  4. Once you have finished configuring the pool, click Finish to save your changes.
    The Wide IP List screen opens.
  5. In the Pools column, select the pools for the wide IP that you just modified.
    The Modify Wide IP Pools screen opens.
  6. In the Pool Name column, click the name of the pool that you just created.
    The Modify Load Balancing for [pool name] screen opens.
  7. Select Global Availability, as appropriate, in the Load Balancing Modes, Preferred list, or the Load Balancing Modes, Alternate list, or the Load Balancing Modes, Fallback list, and click Update.
    The Modify Virtual Servers screen opens, where you can determine the order in which the 3-DNS Controller load balances to the virtual servers in the pool.

Acknowledgement updates

This product contains software based on oprofile, which is protected under the GNU Public License.
