Software Release Date: 06/24/2003
Updated Date: 03/05/2007
This product temporary fix (PTF) provides new features and fixes for 3-DNS Controller version 4.5. The PTF includes all fixes released since version 4.5, including fixes released in prior PTFs. We recommend this PTF only for those customers who want the new features and fixes listed below. You can apply the PTF to 3-DNS Controller version 4.5 and later. For information about installing the PTF, please refer to the instructions below.
This section describes the minimum system requirements for this release.
Note: The IM package for this PTF is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this PTF.
The following instructions explain how to install the 3-DNS Controller version 4.5 PTF-06 onto existing systems running version 4.5 and later. The installation script saves your current configuration.
Important: If you are upgrading a 3-DNS Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the PTF. Failure to do so may cause irrevocable damage to the controllers in the sync group that are running older versions of the software. Once you have upgraded all controllers to the same version, you can then re-create the sync group. For details on removing a controller from a sync group, see Removing a controller from a sync group. Once you have removed the controller from the sync group, you can proceed with the PTF installation.
Note: If you are updating the 3-DNS Controller module on a BIG-IP system, refer to the BIG-IP version 4.5 PTF-06 note for instructions on installing the PTF. Applying the PTF for BIG-IP version 4.5 also applies the PTF to the 3-DNS module. The enhancements, fixes, and known issues for the 3-DNS Controller, however, are available only in the 3-DNS Controller version 4.5 PTF-06 PTF note.
Note: If you have installed prior PTFs, this installation does not overwrite any configuration changes that you made for prior PTFs.
Once you install and license the software, refer to the Required configuration changes section, which contains important information about changes you must make before using the new software.
Note: This upgrade overwrites the 3dns_snmptrap.conf file. If you are running the 3-DNS software and you have added traps to the 3dns_snmptrap.conf file, before you apply the upgrade, we recommend that you make a copy of the 3dns_snmptrap.conf file.
To copy the 3dns_snmptrap.conf file, use the following command:
cp /etc/3dns_snmptrap.conf /etc/3dns_snmptrap.conf.save
After you apply the upgrade, edit the /etc/3dns_snmptrap.conf file and add your company's traps.
get /crypto/bigip/ptfs/bigip45ptf6/BIGIP_4.5-PTF06.im /var/tmp/BIGIP_4.5PTF-06.im
After the PTF installation has completed, you need to install the new version of the big3d agent on all BIG-IP systems and EDGE-FX Cache systems known to the 3-DNS Controller, as follows:
For more information about the big3d agent, see the 3-DNS Reference Guide.
The following features and fixes are new in the current release.
Limits for current connections on BIG-IP systems (CR27048)
When you set a limit on current connections for a BIG-IP system, the 3-DNS Controller no longer uses the virtual server belonging to the BIG-IP system as a response to a query if the current connection limit has been surpassed.
Fallback load balancing method and Round Robin load balancing mode (CR27590)
If you set the fallback load balancing method for a wide IP pool to Round Robin, and no virtual servers in the pool are available for load balancing, the 3-DNS Controller no longer returns only the first virtual server listed in the pool.
Adding virtual servers to hosts and Configuration utility errors (CR27926)
The Configuration utility no longer experiences fatal errors when you add a virtual server to an existing host definition.
The current PTF includes the following features and fixes, which were released in prior PTFs, as listed below. (Prior PTFs are listed with the most recent first.)
The following issues were resolved in the 4.5 PTF-05 release.
Specified gigabit duplex setting on switches with fixed duplex settings (CR27755)
If your 3-DNS Controller is using gigabit interfaces and is plugged into a switch with a fixed duplex setting, you no longer need to configure the 3-DNS Controller gigabit interface and the port on the switch to Auto before applying this PTF. The link between the 3-DNS Controller and the switch now functions correctly.
Router link status no longer displays incorrectly (CR27756)
Receiver 3-DNS Controllers in a sync group now correctly probe the state of the router links that are in their own data center. When the controller monitors virtual servers in the same data center, the virtual servers inherit the correct state of the router link.
bigpipe system configuration commands now function properly (CR27759)
The bigpipe commands that write system configuration information (such as b save and b list) now function properly on the 3-DNS Controller.
The following issues were resolved in the 4.5 PTF-04 release.
Changing the CORBA port number using the Configuration Utility (CR19780)
You can no longer change the CORBA port number using the Configuration Utility. The CORBA IIOP port should be set only to the default setting of 683.
SNMP traffic and a VLAN that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled no longer accepts SNMP traffic, unless you have explicitly enabled the SNMP port using the open_snmp_port global setting.
Disabling SNMP and rebooting the controller (CR22762)
When you disable SNMP using the Configuration utility and you reboot the controller, the bigstart script no longer generates a new snmp.conf file.
Network failover option (CR23127)
You can now configure network failover using the Configuration utility. You use either hard-wired failover or network failover when you have a redundant system. You configure network failover on the System - General screen, in the Configuration utility. For more information on the settings on this screen, click Help on the toolbar.
Address translation for host virtual servers (CR24370)
You can now configure address translations for host virtual servers. If firewall devices in your network separate the 3-DNS Controller from the host servers, you can use address translations to ensure that the 3-DNS Controller distributes the routable address for the virtual server, rather than the actual address. To configure address translations for host virtual servers, see the Configuring address translations for host virtual servers section of this PTF note.
Upgrades and process checking in the snmpd.conf file (CR24450)
When you upgrade the software, the process checking entries (proc) in the snmpd.conf file are no longer populated with incorrect values.
Obsolete script (CR24478)
The 3-DNS Controller no longer uses the sync_requests script. This script has been removed from the controller.
Remote LDAP authentication and login errors (CR24487)
If you mistype the login name while using remote LDAP authentication rather than RADIUS authentication, you no longer see a RADIUS error message.
Performance enhancements (CR24491)
The automatic discovery process, autoconf, has been improved so that it loads larger configurations more quickly.
Enabling one-time automatic discovery in the Setup utility (CR24565)
The Setup utility now includes an option to enable automatic discovery of the local system's configuration, and its peer's configuration, if applicable, when you run the Setup utility for the first time. Note that this option is most useful if you are running the 3-DNS Controller module on a BIG-IP system. You can find more information about automatic discovery (autoconf) in the 3-DNS Reference Guide, version 4.5.
Logging for synchronization (CR24598)
The synchronization process now generates informational and error log messages. You can view the synchronization log messages either by using the Configuration utility, or from the command line. To view the log messages using the Configuration utility, expand the Log Files item in the navigation pane, and then click 3-DNS.
Naming pools (CR24767)
When you create a new pool, and you use the name of a pool that already exists, the 3-DNS Controller no longer overwrites the original pool with the new pool's information.
LDAP authentication and user names (CR24880)
If you use LDAP authentication, and you use the user name "user", the system no longer fails to update the configuration.
Changing the iQuery protocol when you have a sync group configured (CR24927)
In the Configuration utility, on the System - General screen, when you change the iQuery Protocol setting from TCP to UDP, the synchronization process no longer breaks.
The OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the correct object identifier (OID) associated with it so this trap now functions properly.
Probing for host virtual servers and scalability (CR25153)
The service checks and probing for host virtual servers have been optimized so that the probing is more efficient. Host virtual server probes are better distributed throughout the probing interval, and require less system resources.
Broken links on the Configuration utility welcome screen (CR25249)
In the Configuration utility, under Additional Software Downloads on the welcome screen, the 3-DNS MIB and DNS MIB links now work properly.
The big3d agent for version 4.1.1 and version 4.1.1 PTFs (CR25251)
The big3d agent for products running version 4.1.1 software, or any version 4.1.1 PTF, is now included in this PTF. If you are running a version 4.1.1 system, be sure to update the big3d agent using the process in the Updating the big3d agent section of this PTF note.
Obsolete variables removed from system (CR25322, CR25325)
The following variables are now obsolete, and have been removed from the system:
| Configuration utility format | Command line format |
| Probe From Distance | probe_from_distance |
Several non-configurable variables no longer exposed in the Configuration utility (CR25324, CR25892)
The following non-configurable variables are no longer listed on the Global Statistics screen, in the Configuration utility:
dns_ttl, dump_regions, dump_topology, iquery_tag, link_compensate_inbound, link_compensate_outbound, link_compensation_history, link_limit_factor, link_prepaid_factor, lower_bound_pcnt_col, lower_bound_pcnt_row, max_link_over_limit_count, over_limit_link_limit_factor, paths_noclobber, persist_mask, probe_from_distance, resolver_rx_buf_size, resolver_tx_buf_size, rtt_allow_frag, rtt_retire_zero, rx_buf_size, tdapi_gap_ttl, tdapi_msg_ttl, timer_sync_state, traceroute_port, tx_buf_size.
The following settings were removed from the System - General screen, in the Configuration utility:
iQuery Settings, Transfer Buffer; iQuery Settings, Receive Buffer; Resolver Buffer Sizes, Transfer; Resolver Buffer Sizes, Receive.
Synchronization and removing the include geoloc "netIana.inc" directive (CR25402)
If you have a sync group configured, and you remove the include geoloc "netIana.inc" directive from one of the sync group members because you are not using Topology load balancing for any pool or wide IP, the synchronization process now removes the directive from the other members of the sync group.
Probing large configurations on BIG-IP systems and CPU usage (CR25407)
The big3d agent has been optimized so that it no longer consumes a large percentage of the CPU when the 3-DNS Controller is probing larger BIG-IP configurations.
BIG-IP virtual server status and node connection limits (CR25473)
When you have configured a node connection limit for a BIG-IP virtual server, the 3-DNS Controller no longer displays that virtual server as down (red ball) if the node connection limit is set to zero (0).
Error messages for the checkd process on standalone 3-DNS Controllers (CR25476)
If you have a standalone 3-DNS Controller, the checkd process (which is not used by the 3-DNS Controller) no longer generates error messages in the /var/log/bigd file.
Interoperating with SEE-IT® Network Manager (CR25573)
In 3-DNS Controller version 4.5, the format of the /VERSION file has been modified so that the version 4.5 software is now compatible with the SEE-IT Network Manager.
Synchronizing Link Controllers with 3-DNS Controllers (CR25753)
If your network includes both 3-DNS Controllers and Link Controllers, you can add the Link Controllers to the 3-DNS sync group, if you have one configured. For details on adding a Link Controller to a 3-DNS sync group, see the Adding a Link Controller to a 3-DNS sync group section of this PTF note.
New support for NetApp server (CR25847)
The 3-DNS Controller can now load balance to, and collect metrics from, the Network Appliance™ NetApp® server. In addition to load balancing to virtual servers on the NetApp server, the 3-DNS Controller can collect the following metrics: kilobytes per second throughput, packets per second throughput, current connections, disk usage percentage, memory usage percentage, CPU usage percentage.
You configure the NetApp server as a host server type. For more information on adding a NetApp server as a host server, see the Adding a NetApp server to the configuration section of this PTF note.
Errors in the 3dparse script and virtual server dependencies (CR26031)
If you configure a virtual server dependencies list for a virtual server that contains the virtual server itself, the 3dparse script no longer causes system errors.
Users with read-only or partial read/write permissions and deleting objects in the Configuration utility (CR26171)
Users who have read-only or partial read/write permissions for the Configuration utility can no longer delete self IPs for 3-DNS Controllers or for routers. By default, users with these permission levels are not able to delete any objects in the Configuration utility.
Loading large configurations and web server errors (CR26248)
When the 3-DNS Controller is loading a large configuration, you no longer see server errors in the Configuration utility.
Using the Hops load balancing method and CPU usage (CR26261)
The CPU usage no longer spikes under the following conditions:
The OpenSSL package has been upgraded (CR26518)
The OpenSSL package has been upgraded to version 0.9.7a. This upgrade addresses several recent security issues with OpenSSL. For more information on the resolved security issues, see the CERT web site at http://www.cert.org.
Virtual servers with disabled VLANs and memory leak (CR26535)
A virtual server with a disabled VLAN no longer causes the 3-DNS Controller to experience a slow memory leak.
Version 4.5 encryption key size and system errors on previous software versions (CR26550)
The encryption key size in version 4.5 software is now backward-compatible with BIG-IP systems running previous software versions. The affected software versions are BIG-IP version 3.1 through BIG-IP version 4.2 PTF-09.
Log rotation for the ITCM.log file (CR26781)
The frequency of the log rotation for the ITCM.log file has been increased from once every 7 days to once every 24 hours. This improves the system efficiency if you are monitoring the controller with the iControl Services Manager.
RADIUS authentication for the default role on the 3-DNS Controller module (CR26931)
If you are running the 3-DNS Controller module on a BIG-IP system, the module no longer ignores the RADIUS authentication parameters for the default user role.
OpenSSL timing attack vulnerability (VU#997481) (CR26966)
The vulnerability that is outlined in VU#997481, Cryptographic libraries and applications do not adequately defend against timing attacks, has been addressed in this PTF. For details on the vulnerability, see http://www.cert.org.
Memory leak in the 3dnsd daemon and large configurations (CR27015)
The 3dnsd daemon no longer experiences a memory leak if a BIG-IP definition in the configuration contains more than 50 virtual servers, and you are using automatic discovery (autoconf).
Script to set up core capture
We have added a new script to automate core capturing on a 3-DNS Controller, if the controller has a hard drive. The script runs automatically after you install this PTF and reboot the system. It provides functionality to enable and disable core capture.
After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.
You can disable this functionality with the following command:
You can re-enable the functionality with the following command:
Important: As long as this functionality is enabled, you see the message savecore: no core dump during boot time.
There are no fixes or enhancements for 3-DNS Controller in version 4.5 PTF-03.
The following issues were resolved in the 4.5 PTF-02 release.
Enhancements to load balancing
This PTF adds two new load balancing modes, Drop Packet and Explicit IP. We recommend that you use these new load balancing modes only for the fallback method. The 3-DNS Controller uses the fallback method when the preferred and alternate load balancing modes do not provide at least one virtual server to return as an answer to a query. When you specify the Drop Packet mode, the 3-DNS Controller does nothing with the packet, and simply drops the request. (Note that a typical LDNS server iteratively queries other authoritative name servers when it times out on a query.) When you specify the Explicit IP mode, the 3-DNS Controller returns the IP address that you specify as the fallback IP as an answer to the query. Note that the IP address that you specify is not monitored for availability before being returned as an answer. When you use the Explicit IP mode, you can specify a disaster recovery site to return when no load balancing mode returns an available virtual server.
You can configure the new load balancing modes for the fallback method either using the Configuration utility or from the command line. For information on configuring the fallback method with the new load balancing modes, see the Configuring the Drop Packet and Explicit IP load balancing modes section of this PTF note.
Large configurations and misleading error messages (CR19843)
When the 3dnsd process is loading a large configuration, you may see a warning message now, instead of an error message.
Updated 3-DNS Reference Guide PDF (CR22017)
The 3-DNS Reference Guide has been updated to include Appendix A, 3-DNS Configuration File. The updates to this appendix include the revised data structures and the new configuration options for routers and links.
UDP checksums and TFTP packets (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.
Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.
Turning off automatic synchronization and persistent LDNS requests (CR24869)
If you turn off automatic synchronization on a 3-DNS Controller, and if the 3dnsd process on that controller loses network communications with the other 3dnsd processes in the network, the controller now synchronizes LDNS requests that occur during the time that the 3dnsd process is offline.
iControl BaseServer::get_interfaces function and the 3dnsd process (CR24912)
The following iControl function, ITCMGlobalLB::BaseServer::get_interfaces, no longer causes the 3dnsd process to stop running when you specify an invalid type within the function.
Synchronization and the netIana.inc file (CR24928)
The include geoloc "netIana.inc" directive is now synchronized between the members of a sync group.
Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.
Errors on the System - General screen in the Configuration utility (CR25143)
You can now change any of the settings on the System - General screen in the Configuration utility, and you no longer see error messages when you do so.
Invalid metrics statistics and graphs for down remote links (CR25146)
The Link Statistics screen, in the Configuration utility, no longer displays very large, invalid values for remote links that are down (red ball). The link statistics graphs now accurately display the data for both the link that is down, and any available links.
Path probing requests and data centers with no defined router (CR25155)
If a data center contains at least one 3-DNS Controller, BIG-IP system, or EDGE-FX system, the big3d agent now issues path probing requests to that data center, regardless of whether you have defined a router for the data center.
Using a serial terminal as a console (CR25183)
This PTF fixes the functionality for using a serial terminal as the console, as described in the 3-DNS Reference Guide, Chapter 6, Monitoring and Administration, so that it works with all 2U controller platforms.
The following issue was resolved in the 4.5 PTF-01 release.
CA-2002-31, Multiple Vulnerabilities in BIND
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.
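An added example, not part of the original PTF note or of F5's tooling: a post-upgrade check that compares collected version banners against the OpenSSL 0.9.7a (CR26518) and BIND 8.3.4 (CA-2002-31) versions stated in this note. The host names and banner strings are constructed samples, and reading a lower version as "PTF not applied" is an assumption.

```python
import re

# Package versions this PTF note states (OpenSSL: CR26518, BIND: CA-2002-31).
PTF_OPENSSL = "0.9.7a"
PTF_BIND = "8.3.4"

# OpenSSL 0.9.x style: three numbers, optional patch letters, optional -dev/-beta.
_OPENSSL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:dev|beta\d*))?")
# BIND 8 style: three numbers, optional -P<n> patch level (e.g. 8.2.2-P5).
_BIND_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def openssl_key(text):
    """Sortable key for an OpenSSL version found anywhere in a banner string."""
    m = _OPENSSL_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letters = m.group(4)
    # Patch letters sort '' < 'a' < ... < 'z' < 'za', so compare length first.
    # A -dev or -beta build sorts below the release of the same name.
    released = 0 if m.group(5) else 1
    return (major, minor, fix, len(letters), letters, released)


def bind_key(text):
    """Sortable key for a BIND version found anywhere in a banner string."""
    m = _BIND_RE.search(text)
    if m is None:
        raise ValueError("no BIND version in %r" % text)
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    return (major, minor, fix, int(m.group(4) or 0))


def check_host(openssl_banner, bind_banner):
    """Return a list of findings for one host; an empty list means both pass."""
    findings = []
    checks = (
        ("openssl", openssl_banner, openssl_key, PTF_OPENSSL),
        ("bind", bind_banner, bind_key, PTF_BIND),
    )
    for name, banner, key, floor in checks:
        try:
            if key(banner) < key(floor):
                findings.append("%s below %s" % (name, floor))
        except ValueError:
            # An unreadable banner is reported, never silently passed.
            findings.append("%s version unreadable" % name)
    return findings


def audit(inventory):
    """Map each host name to its findings list."""
    return {host: check_host(*banners) for host, banners in inventory.items()}


# Constructed sample inventory: host -> (OpenSSL banner, BIND banner).
SAMPLE_INVENTORY = {
    "3dns-a": ("OpenSSL 0.9.7a Feb 19 2003", "named 8.3.4-REL"),
    "3dns-b": ("OpenSSL 0.9.6g 9 Aug 2002", "named 8.3.3-REL"),
    "3dns-c": ("OpenSSL 0.9.7 31 Dec 2002", "named 8.3.4-REL"),
    "3dns-d": ("", "named 8.2.2-P5"),
}

if __name__ == "__main__":
    for host, findings in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, "OK" if not findings else "; ".join(findings))
```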
Once you have installed the software, you must make the following required configuration changes.
Updated big3d agent for version 4.5 and later (CR25255)
The big3d agent has been updated, and is not compatible with the previously-released big3d agents. Therefore, you must distribute the updated big3d agent to the BIG-IP systems in your network so that the metrics collection on the 3-DNS Controller functions properly. For details on distributing the updated big3d agent, see the Updating the big3d agent section of the installation instructions for this PTF.
The following sections provide details on configuring the features that are new in this release.
If you have both 3-DNS Controllers and one or more Link Controllers in your network, you can add the Link Controllers to the 3-DNS Controllers' sync group in a few simple steps. There are three tasks to adding a Link Controller to a 3-DNS sync group:
The following sections explain the specific steps for each of the previous tasks. You must perform these tasks in the order they are listed.
Important: Before you add the Link Controller to the 3-DNS sync group, we recommend that you back up both the 3-DNS configuration and the Link Controller configuration.
To run the merge_configs script
From the command line on the principal 3-DNS Controller, run the merge_configs script by typing the following command, where <ip_address> is the IP address of the Link Controller that you want to add to the sync group.
/usr/local/bin/merge_configs -peer <ip_address>
To make the sync group aware of the Link Controller
Using the Configuration utility on the principal 3-DNS Controller, add the Link Controller to the sync group.
To add the Link Controller to the sync group and start synchronization
The final step in adding the Link Controller to a 3-DNS sync group is to run the 3dns_add script on the Link Controller. The script moves the synchronized configuration to the Link Controller, and finalizes the sync group setup.
You add a NetApp server to the 3-DNS configuration as a host.
To add a NetApp server using the Configuration utility
Note: For more information on any of the settings on the screens in the Configuration utility, click Help on the toolbar.
You can configure the fallback method using the new load balancing modes either by using the Configuration utility, or by editing the wideip.conf file from the command line. You can specify either the Drop Packet load balancing mode, or the Explicit IP load balancing mode. Note that if you specify the Explicit IP mode, you also specify a fallback IP address.
To configure the fallback method with the Drop Packet mode using the Configuration utility
To configure the fallback method with the drop_packet mode from the command line
To configure the fallback method with the Explicit IP mode using the Configuration utility
To configure the fallback method with the explicit_ip mode from the command line
You can now configure address translations for host virtual servers. This is beneficial when there is a firewall separating the 3-DNS Controller from the host.
To configure an address translation for a host virtual server using the Configuration utility
Note: For more information on any of the settings on the screens in the Configuration utility, click Help on the toolbar.
The following items are known issues in the current release.
Statistics screens and viewing 3-DNS status (CR9452)
When you disable a 3-DNS Controller that is a member of a sync group, the 3-DNS Statistics and Sync Group Statistics screens (in the disabled system's Configuration utility only) display an inaccurate status (a red ball) for all of the other 3-DNS systems in the same sync group. You can see the correct status of the systems in the 3-DNS Statistics and Sync Group Statistics screens of any enabled 3-DNS Controller in the sync group.
Prober statistics and Internet Explorer 5.0 and later (CR10153)
When you are viewing Histograms or Metrics on the Prober Statistics screen, you might encounter errors if you are using Microsoft Internet Explorer 5.0 or later. We recommend using the following procedure to view the Histograms or Metrics.
The browser saves the file, and you can now open the file using Microsoft Excel.
ArrowPoint CS150 and metrics collection (CR10361)
The 3-DNS Controller collects metrics on packets per second and kilobytes per second only for HTTP traffic on the current ArrowPoint CS150 server.
The kilobytes per second rate as displayed for the ArrowPoint CS150 is approximately 16 times smaller than it should be. The total byte count returned from the ArrowPoint MIB is 16 times smaller than the total byte count that was actually handled.
Netscape Navigator and the Network Map (CR11161)
The Network Map does not display large configurations properly when you run Netscape on a UNIX or Linux platform. We recommend that you use a Windows-based browser to view large network configurations with the Network Map.
Network Map and multiple browser sessions (CR11173)
When you view the Network Map, you might get an error when you open additional browser sessions with Internet Explorer or Netscape Navigator. This error only occurs if the additional browser sessions use Java applets. We recommend that you close any additional browser sessions before viewing the Network Map.
Wide IP production rules (CR11710)
When you create a wide IP production rule with a Date/Time time variable, the production rule action does not stop in the time frame that you specify in the Stop Time box. We recommend that you do not configure a production rule with the Date/Time time variable.
Global Availability or Ratio load balancing within a pool (CR13112)
When you create a pool for a new or for an existing wide IP, and you use the Global Availability or Ratio load balancing method, you may experience problems when all of the following circumstances are met:
If you want to use the Global Availability or Ratio load balancing method, and you meet the previous criteria, please see the Using the Global Availability or Ratio load balancing mode within a wide IP pool work-around following this section.
Sync group names in the Configuration utility (CR14955)
In the Configuration utility, you may get an internal server error, and you may not be able to delete the sync group, if you use special characters in the sync group names. To avoid this error, use only alphanumeric, underscore ( _ ), hyphen ( - ) or space characters in the sync group names.
Adding servers using the Configuration utility and the Back button in Internet Explorer (CR15345)
Occasionally, when you add a new server to the 3-DNS configuration using the Configuration utility, and you are using the Configuration utility in a Microsoft® Internet Explorer browser session, you may get an error when you use the Back button to return to a previous screen. The error is benign, and you can click any item in the navigation screen to clear the error.
Opening PDF files from the 3-DNS Controller home screen (CR15901)
Occasionally, when you open any of the PDF files available on the home screen of the Configuration utility, the CPU usage for your workstation may spike to 100%. To avoid this problem, right-click the name of the PDF file that you want to open, and choose Save Target As to save the PDF file on your workstation. You can then open the PDF file using Adobe® Acrobat® Reader, version 3.0 and later.
Enabling the IP classifier (CR18264)
If you use the Topology load balancing feature, you must make the following change to the wideip.conf file so the 3-DNS Controller can classify continent and country of origin for local DNS servers.
Note: If you have a sync group configured, you must enable the IP classifier on each member of the sync group.
Upgrading the software and the MindTerm SSH Console (CR18436)
When you upgrade the software for 3-DNS Controller, you cannot use the MindTerm SSH Console, because the upgrade stops and restarts the SSH service. To upgrade the software, use a serial console instead.
Using the 3-DNS Controller in bridge mode (CR18873)
You cannot configure the 3-DNS Controller in bridge mode using a remote connection or using the Configuration utility. You must configure bridge mode using a local connection. For details on configuring bridge mode, see the Configuring bridge mode section of this release note.
Special characters in pool names and viewing the Network Map (CR19756)
When you use the colon character ( : ) in a pool name, and then try to view the Network Map, the Network Map does not display. To avoid this error, do not use the colon character in pool names.
The 3dpipe utility and pool names (CR20183)
The 3dpipe utility does not properly parse pool names that contain numbers only.
CPU usage statistics for EDGE-FX Caches (CR21325)
On the EDGE-FX Cache Statistics screen, in the Configuration utility, the 3-DNS Controller incorrectly reports the CPU usage statistic for the EDGE-FX Cache.
Time-to-live (TTL) values for resource records (CR22025)
If you set the pool TTL to a value that is different from the wide IP TTL, the dig command displays the wide IP TTL rather than the pool TTL in the answer packet. This occurs only when all the virtual servers in the pool are unavailable. Resource records in the DNS configuration are set with the wide IP TTL instead of the pool TTL. If you change the pool TTL, the TTL for the resource records does not change to the updated TTL. Therefore, when the 3-DNS Controller is unable to load balance a request, and returns the request to DNS, the resource record contains the wide IP TTL rather than the pool TTL.
Clean installations of the 3-DNS Controller software and the Default data center (CR23028)
When you install the 3-DNS Controller version 4.5 software, and you do not have a previous configuration file, the controller creates a default data center labeled Default. To move any objects that are in the Default data center to a data center that you create, see the Moving objects from the Default data center to a newly-created data center section of this release note. Note that this occurs only on a BIG-IP system with the 3-DNS module.
Renaming a wide IP that has aliases using the Configuration utility and synchronization (CR23224)
When you rename a wide IP, and the wide IP has aliases, the order of the wide IP name and alias may appear in reverse order when you look at the wide IP in the Configuration utility of another controller in the sync group. Note that this error does not affect domain name resolution.
Configuring production rules (CR23327)
In the Configuration utility, when you create a production rule, you cannot use the Description box to add a description of the production rule. If you type text into the Description box, the controller ignores it, and the text is not saved.
Upgrading the software and home screen errors in the Configuration utility (CR23710)
When you are upgrading a 3-DNS Controller from version 4.2 to version 4.5, you may see the BIG-IP system home screen instead of the 3-DNS home screen. This occurs only once: after you upgrade the software and before you upgrade the license file using the new licensing process. Refer to the Activating the license section of this release note for details on upgrading your license file to the new version. Note that this does not affect the 3-DNS Controller module on the BIG-IP system.
Graph titles on the P95 Billing Estimate statistics screen (CR23770)
When you change the date or time range on the P95 Billing Estimate statistics screen in the Link Statistics, the titles on the graphs do not update to reflect the changes. If you are using Internet Explorer, you can update the titles by holding down the Control key, right-clicking in the screen, and then clicking Refresh. If you are using Netscape Navigator, you can update the titles by holding down the Shift key, right-clicking in the screen, and then clicking Refresh.
Date ranges on the P95 statistics screen (CR23784)
The graphs on the P95 statistics screen do not check for dates in the future. If you enter a date that is later than the current date, you may get inaccurate graphs.
Synchronization and modifying the configuration (CR24081)
If you are updating a configuration using the Configuration utility, and another member of the sync group initiates the synchronization process, you get a notification screen that indicates that you cannot update the configuration. To work around this issue, wait for a minute, click the browser's Back button, and continue updating the configuration. Note that this issue is most likely to occur when you are using multiple browser sessions to update the sync group's configuration. We recommend that you use only one browser session (and controller) to update the sync group's configuration.
Unit ID numbers for a redundant system and the auto-configuration process (Discovery) (CR24734)
The auto-configuration process does not recognize the unit ID numbers for the units in a redundant system. The process does, however, properly add the configuration information for both units.
The Network Map and viewing wide IP information (CR24750)
In the Network Map, in the Configuration utility, when you highlight a wide IP, the information table displays an IP address for the wide IP. The IP address is not a valid IP address; rather it is a randomly generated number. Note that this error is benign because the 3-DNS Controller no longer associates an IP address with a wide IP.
The Network Map and viewing the enabled/disabled status of a virtual server (CR24751)
When you disable a virtual server that is in a wide IP that has manual resume enabled, the information table in the Network Map does not display the correct status for the virtual server. To view the correct status for the virtual server, in the navigation pane, expand the Statistics item, and then click Virtual Servers. The E/D column displays the correct status for the virtual server.
Viewing wide IPs created in the 3-DNS Controller module from the Link Controller module (CR24842)
Wide IPs that you create in the 3-DNS Controller module that contain more than one pool display only the first pool of the wide IP in the Inbound LB screen in the Link Controller module. You may encounter this known issue only when you are running a BIG-IP system with both the 3-DNS Controller module and the Link Controller module.
Configuring SSH access host restrictions (CR25530)
In previous versions, the /etc/ssh3/sshd2_config and /etc/sshd_config files controlled SSH access. When you upgrade to version 4.5, the system ignores SSH access restrictions that were previously configured in the /etc/ssh3/sshd2_config and /etc/sshd_config files, and reverts to an SSH access level that allows all hosts to connect. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once you have completed the upgrade. To do this, type the following command to start the Setup utility, and then press Enter:
Choose option (S) Configure SSH, and set the restrictions you prefer.
Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.
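A post-upgrade check for the two SSH issues above (CR25530 and CR25821), added here as an example and not part of the F5 release note or software: it reads a hosts.allow file, reports SSH rules that admit all hosts, and optionally reports a support address that is missing. The daemon names sshd and sshd2, the TCP Wrappers line format, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: TCP Wrappers syntax ("daemons : clients"),
# daemon names sshd/sshd2, and a hosts.allow path supplied by the caller.

# write_sample_hosts_allow PATH
#   Writes a constructed sample file (not taken from a real controller).
write_sample_hosts_allow() {
    cat > "$1" <<'EOF'
# constructed sample hosts.allow
ALL: 127.0.0.1
sshd, sshd2: ALL
snmpd: 192.0.2.0/255.255.255.0
EOF
}

# audit_ssh_wrappers FILE [REQUIRED_ADDR]
#   Prints "OPEN line N: <rule>" for every rule that covers an SSH daemon
#   and lists ALL as a client (ALL EXCEPT lists are reported for review too).
#   Prints "MISSING <addr>" when REQUIRED_ADDR is given and no SSH rule
#   lists it (exact string match; prefixes and netmasks are not expanded).
#   Backslash-continued lines are not joined.
#   Returns 0 when there are no findings, 1 otherwise.
audit_ssh_wrappers() {
    awk -v need="${2:-}" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            n = split($0, f, ":")
            if (n < 2) next                # not a "daemons : clients" rule
            daemons = f[1]; clients = f[2]
            gsub(/,/, " ", daemons); gsub(/,/, " ", clients)

            # Does this rule apply to an SSH daemon (or to every daemon)?
            nd = split(daemons, d, " "); ssh = 0
            for (i = 1; i <= nd; i++)
                if (d[i] == "sshd" || d[i] == "sshd2" || d[i] == "ALL") ssh = 1
            if (!ssh) next

            nc = split(clients, c, " ")
            for (i = 1; i <= nc; i++) {
                if (c[i] == "ALL") {
                    printf "OPEN line %d: %s\n", NR, $0
                    wide = 1
                }
                if (need != "" && c[i] == need) found = 1
            }
        }
        END {
            if (need != "" && !found) {
                printf "MISSING %s\n", need
                miss = 1
            }
            exit ((wide || miss) ? 1 : 0)
        }
    ' "$1"
}
```

Run it against a copy of the hosts.allow file after the upgrade, and again after you run the (S) Configure SSH option; a non-zero exit status means at least one finding.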
VLAN names and syntax errors (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text vlan as the initial portion of a VLAN name.
Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see VLAN names and syntax errors (CR25890).
Changing the prober IP address for a host (CR26318)
In the Configuration utility, on the Modify Host screen, you can successfully change the prober IP address to an address other than the default (which is 127.0.0.1); however, you cannot subsequently change the prober IP address back to the default. You can edit the wideip.conf file to work around this issue, as explained in the Setting the host prober IP address to the default section following these known issues.
Changing iControl settings and restarting the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:
bigstart shutdown portal
LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do not use spaces in the group names.
Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:
"/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2"
To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file, and change the authtrapenable value to 2 (disable).
Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility (setup), we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system, the unit is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic cannot pass through the system.
Sync groups and upgrading software versions (CR26784)
When you are upgrading the software on 3-DNS Controllers that belong to a sync group, you must temporarily remove the controller you are upgrading from the sync group before you apply the upgrade. This is because the synchronization process cannot synchronize controllers that are running different software versions, including different PTF versions. See the Removing a controller from a sync group work-around, following the Known issues section of this release note, for configuration details.
The 3dns_add script and mixed versions of the 3-DNS software (CR26884)
If you are adding a new 3-DNS Controller to an existing sync group, the new 3-DNS Controller must be running the same version of the 3-DNS software as the controllers that are already in the sync group. If the controllers are running mixed versions of the 3-DNS software (for example, 3-DNS Controller, version 4.2 PTF-09, and 3-DNS Controller, version 4.5 PTF-03), the 3dns_add script fails because the script does not check versions. For more information on working with the 3dns_add script, see the 3-DNS Administrator Guide, version 4.5.
The regkey.license file, synchronization, and system backup files (CR27020)
In a redundant system, the regkey.license file is synchronized, both when you synchronize the configuration (using the b config sync command), and when you create a system backup file (*.ucs), and it should not be. To avoid this issue, you can add the regkey.license file to the list of files in the bigdb database that are ignored when you either synchronize the system or create a backup file. To add the regkey.license file to the list of files that are ignored, type the following command:
b db set Common.Bigip.CS.save.120.ignore = "regkey.license"
Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.
CompactFlash® media drives and logging for the named daemon (CR27132)
When the named daemon is running, it generates status and usage messages as part of its normal behavior. If you are running the named daemon on a system with a CompactFlash media drive, these messages may fill up the /var/log/messages file. To avoid this, periodically delete the status and usage messages for the named daemon.
BIG-IP version 3.3.1 and compatibility with 3-DNS Controller version 4.5 (CR27201)
The big3d agent that is shipped in 3-DNS Controller version 4.5 may cause fatal errors on a BIG-IP system version 3.3.1 if you update the big3d agent on the BIG-IP system to the newer big3d agent. To avoid this issue, do not update the big3d agent on BIG-IP systems running version 3.3.1 software.
RADIUS server configuration and Netscape (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.
User administration for remote authentication using the Configuration utility (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter, and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored, and you must click the Done button in order to add a new user.
Auto-discovery and 127.0.0.X addresses (CR27252)
The auto-discovery process discovers all addresses on a BIG-IP system, even those in a non-routable address space (for example 127.0.0.X). This may cause the 3dnsd daemon to stop running. To avoid this issue, turn off auto-discovery for the BIG-IP systems that manage resources on a non-routable subnet, as detailed in the Turning off the auto-discovery process for a BIG-IP system work-around, which follows the Known issues section of this release note.
Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility (setup) does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.
Sync groups and the default wideip.conf file (CR27366)
If you manage your 3-DNS Controllers using a sync group, and on one of the sync group members, you delete the wideip.conf file and then restart the 3dnsd daemon, the 3dnsd daemon creates a new default wideip.conf file that contains only basic system configuration information. The new wideip.conf file has the most recent time stamp, so the sync process overwrites the wideip.conf file of the other sync group members with the newer file, effectively erasing the real configuration. We recommend that you do not remove the wideip.conf file, and then restart the 3dnsd daemon, on a controller that is a sync group member. Remove the controller from the sync group first.
Installing the PTF from CD and 3dnsd error messages (CR27501)
When you install the version 4.5 PTF-05 software from a CD, you may see the following error message just before you run the Setup utility:
ERR: An instance of 3dnsd (pid:xxx) is already running! Exiting.
The error message is benign and does not affect the software installation in any way.
The NameSurfer log file does not get rotated by the system (CR27542)
The NameSurfer™ application does not use the syslog utility to rotate its log file, /var/log/namesurfer.log, so the file does not get rotated on a regular basis. This can result in the log file becoming large. If you find that the NameSurfer log file has become too large, you can remove the file from the system, and then run the bigstart restart namesurfer command.
Copper gigabit NICs and setting media speeds (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the 3-DNS Controller and the connected switches.
Viewing router and link status in the Configuration utility (CR27776)
In the Configuration utility, on the Metrics & Limits statistics screen, when all the links for a router are down (red ball), the router status may not be updated or display correctly. The incorrect router status display does not affect load balancing.
HTTP ECV service checks and file names (CR27823)
When you configure an HTTP ECV service check for a wide IP using the Configuration utility, the Configuration utility incorrectly adds a slash ( / ) to the beginning of the file name. To work around this issue, you can either configure the HTTP ECV service check in the wideip.conf file from the command line, or you can edit the wideip.conf file and remove the slash.
NameSurfer application and PTR records (CR27832)
The NameSurfer application deletes PTR records when you change the time-to-live (TTL) value.
MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive when all of the following conditions are met:
If you experience this problem, you must use the Windows Task Manager to close the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or that you close the MindTerm SSH console session before returning to the Configuration utility.
Hops calculations for Hops load balancing mode (CR27878)
The 3-DNS Controller is inaccurately calculating the number of hops for the Hops load balancing mode for inbound load balancing. This results in all configured links appearing to use the same number of router hops for inbound traffic. We recommend that you use one of the other load balancing modes for inbound load balancing. Note that this also affects the data for average router hops on the Internet Weather Map screen, in the Configuration utility.
Running 3-DNS Maintenance menu commands and 3dparse warning messages (CR27910)
If the wideip.conf file contains configuration errors (for example, you have a wide IP pool configured that does not contain any virtual servers), and you run one of the following commands in the 3-DNS Maintenance menu: Install and start big3d, Check remote versions of big3d, or Configure SSH communication with remote devices, you see 3dparse warning messages on the console. The warning messages are benign, and do not affect the functionality of the commands.
The Check Static Depends settings and load balancing virtual servers (CR27919)
When the Check Static Dependencies global setting and the Check Static Depends setting for a specific wide IP pool are different, the 3-DNS Controller may load balance to unavailable virtual servers in the pool. This is because the controller is bypassing the wide IP pool setting, and using only the global setting, for load balancing calculations.
Network Map and the enabled or disabled status for pool virtual servers (CR27923)
The Network Map does not display the correct enabled or disabled status for virtual servers, in the context of a wide IP pool. To see the correct enabled or disabled status of the virtual servers, view the Disabled Objects statistics screen.
The include geoloc "netIana.inc" directive and modifying the configuration using the Configuration utility (CR27929)
When you use the Configuration utility to modify your configuration, and you have added the include geoloc "netIana.inc" directive to the wideip.conf file, the Configuration utility deletes the include directive when you make any changes to the configuration.
SNMP version and probing (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.
Creating user-defined regions using the Configuration utility (CR28101)
In the Configuration utility, when you create a user-defined region for Topology load balancing, you get a syntax error if you add more than 39 entries to the custom region. To avoid this error if you are creating a large user-defined region (with more than 39 entries), we recommend that you create the custom region from the command line, by editing the wideip.conf file.
Reconfiguring a standalone system as a unit in a redundant system (CR28116)
If you have a standalone system that you later decide to reconfigure as a unit in a redundant system, the system may experience failures when you reconfigure the networking and IP addresses.
Duplicate node UP messages in the log table (CR28194)
In certain circumstances you may see duplicate node UP messages in the log table (/var/run/alarm_log_tbl). You can ignore these messages; they do not affect the function of the BIG-IP system.
Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
Cisco CSS series (formerly ArrowPoint) servers and metrics collection
The 3-DNS Controller cannot collect the packets per second and the kilobytes per second metrics on Cisco CSS series (formerly ArrowPoint) software versions prior to 4.0.
3-DNS Controllers and CD upgrades
When you rebuild a 3-DNS Controller (or a BIG-IP system) using a CD, the SSH key changes. This breaks the trust relationship between the updated 3-DNS Controller and any devices with which it interacts. As a result, synchronization between the systems in the sync group stops, and you cannot update the big3d agent. You can correct this situation by removing the newer SSH key and synchronizing the updated 3-DNS Controller with other 3-DNS Controllers or BIG-IP systems. Refer to the Resetting the SSH key work-around to reset the SSH key and synchronize the systems in your network.
Solstice SNMP agent and metrics collection
The Solstice SNMP agent, which runs on some Sun systems, delays the updating of some metrics for longer than 30 seconds. As a result, in the 3-DNS SNMP Statistics screen, the packet rates and kilobytes per second rates can fluctuate from a zero value to a real value. If you are polling Sun Solaris servers in your network, you may want to set the SNMP polling time on the 3-DNS Controller to an interval greater than 60 seconds.
The following sections describe work-arounds for some of the known issues listed in the previous section.
If you want to configure the 3-DNS Controller to run in bridge mode, you need to do so using a local connection to the 3-DNS Controller. First, you create a VLAN group that includes both the internal and external VLANs. Next, you delete the self IP address for the 3-DNS Controller, and re-assign the IP address to the newly-created VLAN group. Finally, you save the configuration. The following instructions detail how to configure bridge mode.
To configure bridge mode
The 3-DNS Controller saves the changes and you can now use the 3-DNS Controller in bridge mode.
The following instructions describe how to move objects from the default data center to a data center that you create.
To move objects from the data center, Default, to a newly-created data center
If you are upgrading the software on 3-DNS Controllers that are in a sync group, you must remove the controllers from the sync group before you apply the software. This is because the synchronization process cannot synchronize controllers that are running different software versions, including different PTF versions.
Note: You can re-create the sync group once you have upgraded the software for all of the controllers that belong to the sync group.
To remove a controller from a sync group using the Configuration utility
Alternately, you can remove the entire sync group, instead of removing the controllers one at a time.
To remove a sync group using the Configuration utility
The following instructions describe how to reset the SSH key for a system that you have upgraded using a CD.
To reset the SSH key for an updated 3-DNS Controller
In the Configuration utility, on the Modify Host screen, when you change the prober IP address to a value other than the default, and later try to change it back to the default, 127.0.0.1, the change does not take effect. If you have modified the prober IP address, and you now want to return it to the default setting, you can do so using the following process.
To return the host prober IP address to the default setting
You can turn off auto-discovery for a BIG-IP system using the following process. We recommend that you do not use auto-discovery when you are managing a non-routable address space with the BIG-IP system.
To turn off auto-discovery for a BIG-IP system
The following instructions describe how to configure the Global Availability or Ratio load balancing mode within a pool. You need to use these instructions only if you meet the criteria listed in the Using the Global Availability or Ratio load balancing mode within a pool item in the Known Issues section.
To configure Global Availability or Ratio load balancing within a pool in a new wide IP
To configure Global Availability or Ratio load balancing within a pool in an existing wide IP