Software Release Date: 12/02/2004
Updated Date: 03/05/2007
This release note documents version 4.5.11 of the 3-DNS® Controller software. You can apply the software upgrade to version 4.2 and later. For information about installing the software, please refer to the instructions below.
F5 now offers both maintenance and new feature releases. Version 4.5.11 is a maintenance release that includes security updates and enhancements that stabilize the version 4.5 software, but it contains no major new features. For more information on our new release policies, please see Description of the F5 Networks software version number format.
Note: As of 4/7/05, we have changed and renamed the IM packages to prevent a configuration synchronization issue in which, on rare occasions, upgrading your system to version 4.5.11 corrupts the local LDAP database and breaks the configuration synchronization from the failover unit.
The new IM package prevents this configuration synchronization problem from occurring on upgrade, but the package does not repair a corrupt LDAP database. For instructions on how to restore a corrupt LDAP database, see SOL2499: Recreating the LDAP database to correct problems with slapd authentication on the AskF5 Technical Support Web Site.
The minimum system requirements for this release are:
The supported browsers for the Configuration utility are:
Note: The IM package for this release is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this release.
Important: If you are upgrading a 3-DNS Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the release. Failure to do so may cause irrevocable damage to the controllers in the sync group that are running older versions of the software. Once you have upgraded all controllers to the same version, you can then re-create the sync group. For details on removing a controller from a sync group, see Removing a controller from a sync group. Once you have removed the controller from the sync group, you can proceed with the installation.
Note: If you are installing the 3-DNS Controller module on a BIG-IP system, refer to the BIG-IP version 4.5.11 note for instructions on installing the software. Installing the 4.5.11 software on BIG-IP version 4.5 also applies the upgrade to the 3-DNS module. The enhancements, fixes, and known issues for the 3-DNS Controller, however, are available only in the 3-DNS Controller version 4.5.11 release note.
Note: If you have installed prior releases, this installation does not overwrite any configuration changes that you made for the prior releases.
The following instructions explain how to install the 3-DNS Controller version 4.5.11 onto existing systems running version 4.2 and later. The installation script saves your current configuration.
Once you install and license the software, refer to the Required configuration changes section, which contains important information about changes you must make before using the new software.
3-DNS is not listed as a product line on the Downloads site; the image file is listed under the BIG-IP 4.x product line.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
The 3-DNS Controller automatically reboots once it completes installation.
After the installation has completed, you need to install the new version of the big3d agent on all BIG-IP systems and EDGE-FX systems known to the 3-DNS Controller, as follows:
For more information about the big3d agent, see the 3-DNS Reference Guide.
This release includes the following fixes and enhancements.
Auto-discovery and 127.0.0.X addresses (CR27252)
The auto-discovery process now excludes any addresses on a BIG-IP system that are in a non-routable address space (for example 127.0.0.2).
User roles in a redundant system configuration (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is copied over to the other unit correctly.
Hops calculations for Hops load balancing mode (CR27878)
In this release the 3-DNS Controller correctly calculates the number of hops for the Hops load balancing mode. In previous releases this issue caused all configured links to appear to use the same number of router hops.
D35 system with system halt command (CR28079)
If you use the system halt command on a D35 system and then press the Enter key to reboot the system, the system reboots, but it enters into a netboot cycle. If you have this issue, we recommend that you power cycle the system, or push the reset button.
Creating user-defined regions using the Configuration utility (CR28101)
In the Configuration utility, when you create a user-defined region for Topology load balancing, you no longer receive a syntax error if you add more than 39 entries to the custom region.
The named-xfer command and transferring zone files (CR28497)
If you use the named-xfer command to transfer zone files from the command line, the command no longer incorrectly translates the ORIGIN address as the CNAME address.
Rerunning the Configure DNS option in the Setup utility and overwriting an existing named.conf file (CR28614)
In the Setup utility (setup), when you rerun the Configure DNS (D) option, the system prompts you to confirm that you want to overwrite the existing named.conf file with an empty named.conf file.
Log message typo (CR29474)
We have corrected a typo in the log messages from 3dnsd.
Disabling the auto-discovery process and self IP addresses for servers (CR29599)
If you disable, or turn off, the auto-discovery process for a particular server, the auto-discovery process is now turned off correctly.
Error message in Configuration utility and valid range for VLAN tags (CR29793)
The allowable values for VLAN tags are 1 through 4094. If you inadvertently specify a value that is outside of the allowable range, the error message now indicates the correct set of allowable values.
Virtual server dependencies (CR29869)
In this release, if you enable or disable a virtual server, all virtual servers that are dependent on that virtual server are also enabled or disabled. For example, if you disable virtual server 1, and virtual server 2 is dependent on virtual server 1, then virtual server 2 is marked disabled by parent.
Inaccurate log message for host virtual server status (CR30235)
When a host virtual server is marked down (red), the 3-DNS Controller now sends a log message that indicates that the virtual server is down. In previous releases, the log message may have incorrectly reported no nodes up.
Load balancing decisions that result in a tie (CR30583)
The function that selects objects at random in cases where there is a load balancing decision that results in a tie works correctly in this release.
Disabling a data center with the Principal 3-DNS Controller (CR31551)
The 3-DNS system now checks to make sure that the principal 3-DNS Controller is in a data center that is enabled. In previous releases, if you disabled a data center that included the principal 3-DNS Controller in a sync group, the 3-DNS Controller was disabled by inheritance. This disabled probing, which in turn caused all objects in the network to be marked as down.
Sync groups and zone file configuration (CR32148)
In certain instances, in previous versions, if you had a 3-DNS Controller configured in a Sync group, when the system copied over the zone file configuration, the sync_zones utility failed to start. The sync_zones utility now starts correctly.
Configuring BIG-IP virtual servers (CR32250)
If you add a duplicate IP address when configuring a BIG-IP virtual server, you receive an error message that indicates that you have entered a duplicate IP address.
Select Data Center screen (CR32254)
When you add a new BIG-IP system to the configuration, if you make an invalid entry on the Select Data Center screen, you are now able to advance to the next screen after you correct the error.
One-time auto-discovery option (CR32974) (CR32975)
In this release, the one-time auto-discovery option in the Setup utility runs only the first time you use the Setup utility. If you want to run this utility again, type the following:
b db set Local.Bigip.FTB.Autoconfig = Y
To apply this change, you must use the 3ndc restart command, or restart the 3dnsd daemon.
Allow Fragmentation (CR33624)
The obsolete Allow Fragmentation variable is removed from the Probers Statistics screen in this release.
3dpipe syncgroup <syncgroup_name> show servers command (CR34472)
If you use the 3dpipe syncgroup <syncgroup_name> show servers command, the system no longer incorrectly displays the principal 3-DNS system as a receiver.
Virtual server dependency list (CR34786)
If you use the Configuration utility to edit the Virtual Server Dependency list, you no longer have to remove all of the virtual servers from the Virtual Server Dependency box before you can make changes to this list.
Prober Statistics screen and redundant information (CR35134)
In the Configuration utility, the Prober Statistics screen no longer contains the Prober Link. Information previously displayed on this screen is now displayed in the Prober Statistics screen.
Specifying a wide IP TTL setting (CR35161)
When you create a wide IP, the wide IP TTL setting is correctly changed to the number of seconds you specify. In previous releases, the wide IP TTL remained at the default setting of 30 seconds when a TTL of 0 was specified.
Log messages for dependent objects (CR35576)
The 3-DNS system no longer generates an extremely long log message in cases where a number of dependent objects (servers, links, virtual servers) all go down at the same time.
Router probing using SNMP version 1 (CR36863)
The SNMP version 1 router and probing metrics for 64 bit integers are now calculated correctly.
Virtual server capacity load balancing (CR36926)
When using the virtual server capacity load balancing mode, the 3-DNS Controller verifies that a virtual server is enabled before responding with the virtual server address.
Selecting links for probing (CR36998)
If you have links defined, the 3dnsd utility now selects the best link to handle probing in all cases. In previous releases, the 3dnsd utility may have selected the best data center to handle probing instead of the best link.
Link traffic distribution using total traffic (CR37131)
This release includes a new global variable, link_use_total_metrics, that allows you to configure traffic distribution for links using both egress and ingress traffic. By default, the system uses ingress traffic to control egress traffic, and the reverse.
Wide IP alias and NameSurfer (CR38552)
When you create a wide IP with an alias, the alias now displays correctly in the NameSurfer UI.
3dnsd core after config sync (CR38795)
In previous releases, in certain rare circumstances, 3dnsd cored after synchronizing its configuration. This issue is corrected in this release.
BIND root.hint file (CR38838)
The BIND root.hint file is updated in this release.
libpng read security vulnerabilities (CR39078)
The libpng read security issues described in the following CERT® vulnerability notes are addressed in this release:
For more information on the resolved security issues, see the CERT web site at http://www.cert.org.
Deleting User Defined Topology records (CR40149)
If you delete a User Defined Topology record that contains negation, the record is deleted correctly in this release.
3-DNS and BIG-IP traps (CR40428)
3-DNS traps and BIG-IP traps are now thrown with the correct base OID.
The base OID in previous releases:
The base OID in this release:
The current release includes the fixes and enhancements that were distributed in prior maintenance releases, as listed below. (Prior releases are listed with the most recent first.)
Log Message Filtering (CR26017) (CR28127)
If you use the Configuration utility to view the 3-DNS log file, the Configuration utility no longer filters out log messages when you select No Filter.
Virtual server addresses that are dependent on virtual servers that are disabled (CR28636)
The 3-DNS system no longer replies to Wide IP queries with a virtual server address when the address is dependent upon a virtual server that is disabled.
The auto-discovery process and obsolete self IP addresses (CR29638)
The auto-discovery process now deletes obsolete self IP addresses.
Enabling virtual servers from the Pool Virtual Servers screen (CR29931)
If you try to enable a virtual server from the Modify Virtual Servers screen, and then try to enable that virtual server from the Modify Pool Virtual Servers screen, the Configuration utility no longer experiences internal errors.
Wide IP port numbers replaced by service names and configuration errors (CR29967)
The Configuration utility now displays the port number in the virtual server and hosts port field. Previously, the Configuration utility displayed the service name instead.
Wide IP persistence (CR30241)
Enabling or disabling persistence for a Wide IP no longer causes the 3-DNS system to become unstable as it previously did in rare instances.
File descriptors for named (CR30283)
The maximum number of file descriptors used by the named process has been increased to 4096.
Default routes and specifying a router for path probing (CR30310)
If you have not configured a default route, but you specify a router for path probing, the big3d agent now correctly uses the specified route instead of issuing an error message when the agent cannot find a default route.
Encrypted status messages for virtual servers and the big3d agent (CR30445)
When you are using encryption with iQuery, the big3d agent no longer generates corrupted messages for virtual servers.
Load balancing for Wide IPs with disabled virtual servers (CR30864)
If the last pool in a Wide IP contains only blue status virtual servers, and both the alternate and fallback load balancing modes are set to null (meaning move to the next pool), the 3dnsd utility no longer uses the Return to DNS load balancing mode incorrectly.
Adding a second server type (CR31047)
If you add an additional server type to an existing server, the newly added server status no longer defaults to Disabled by Parent.
The checktrap.pl script and the enterprise OID in traps (CR31119)
When the checktrap.pl script issues traps, it sends the BIG-IP enterprise OID instead of the 3-DNS OID in the trap.
Users with Partial Read/Write permissions (CR31424)
Users with Partial Read/Write permissions can now disable pool virtual servers using the Configuration utility.
BIND Vulnerability VU#734644, ISC BIND 8 vulnerable to cache poisoning via negative responses (CR30822)
This release includes BIND version 8.3.7. This version of BIND addresses the BIND vulnerability that is described in Vulnerability Note VU#734644 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/734644.
Global Availability or Ratio load balancing within a pool (CR13112)
The 3-DNS Controller now properly handles larger configurations when you create a pool for a new or for an existing wide IP, and you use the Global Availability or Ratio load balancing methods.
Log messages for enabled objects (CR25809)
The 3-DNS Controller now generates a log entry when a disabled object is re-enabled, either by a user or by the system.
Changing the prober IP address for a host (CR26318)
In the Configuration utility, on the Modify Host screen, if you change the prober IP address to an address other than the default, you can now reset the prober IP address back to the default (which is 127.0.0.1) without editing the wideip.conf file.
Enhancements to the big3d agent and service checks using the TCP protocol (CR26325)
You can now configure the big3d agent to fully close the connection when performing a service check (rather than having the agent just send a reset packet). For information on configuring this option, see Fully closing TCP connections.
Redundant systems and synchronizing the regkey.license file (CR27020)
When you save a .ucs file on a unit in a redundant system, the save process no longer synchronizes the regkey.license file between the two units. Note that this issue affected only redundant systems.
BIG-IP version 3.3.1 and compatibility with 3-DNS Controller version 4.5 (CR27201)
The big3d agent that is shipped in 3-DNS Controller version 4.5 no longer causes fatal errors on a BIG-IP system version 3.3.1 if you update the big3d agent on the BIG-IP system to the newer big3d agent.
New option to save UCS files without including private keys (CR27236)
You can now save a UCS file without including the private keys stored in the /config/bigconfig/ssl.key directory (only keys from this directory are excluded). To create a UCS file that does not include these private keys, use the following bigpipe command:
b config support save <filename>
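A check a defender could run before sending such an archive to a third party, given as an added example that is not F5's code: it assumes the saved UCS file is a gzip-compressed tar archive, and the sample archive contents and file names are constructed. It flags any member under the excluded directory and, because only that directory is excluded, any other member that contains a PEM private-key header.

```python
import io
import posixpath
import tarfile

# Directory the release note names as excluded by "b config support save".
EXCLUDED_KEY_DIR = "config/bigconfig/ssl.key"
# Trailing part of the PEM header shared by RSA, DSA, EC and PKCS#8 private keys.
PEM_MARKER = b"PRIVATE KEY-----"
# Only the start of each file is read; PEM headers sit at the top of a key file.
MAX_SCAN_BYTES = 65536


def find_private_keys(archive_bytes):
    """Scan a tar archive (assumed UCS layout) for private key material.

    Returns a dict with two sorted lists of member names:
      by_path    - files stored under the excluded key directory
      by_content - files elsewhere whose content carries a PEM private-key header
    """
    by_path, by_content = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Normalise "./config/..." and "/config/..." to "config/...".
            name = posixpath.normpath(member.name).lstrip("/")
            if name.startswith(EXCLUDED_KEY_DIR + "/"):
                by_path.append(name)
                continue
            handle = tar.extractfile(member)
            head = handle.read(MAX_SCAN_BYTES) if handle else b""
            if PEM_MARKER in head:
                by_content.append(name)
    return {"by_path": sorted(by_path), "by_content": sorted(by_content)}


def build_sample_archive(files):
    """Build an in-memory .tar.gz from a {name: bytes} mapping (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed placeholder, not a real key.
FAKE_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"constructed-placeholder-not-a-real-key\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

# Constructed file set standing in for a full configuration archive.
FULL_FILES = {
    "config/bigconfig/ssl.key/www.example.com.key": FAKE_KEY,
    "config/bigconfig/ssl.crt/www.example.com.crt": b"constructed certificate\n",
    "config/wideip.conf": b"// constructed configuration\n",
    # A key copied outside the excluded directory stays in the archive.
    "root/backup/old-site.key": FAKE_KEY,
}
# The same set with the excluded directory left out, as the support save would.
SUPPORT_FILES = {
    name: data
    for name, data in FULL_FILES.items()
    if not name.startswith(EXCLUDED_KEY_DIR + "/")
}

SAMPLE_FULL = build_sample_archive(FULL_FILES)
SAMPLE_SUPPORT = build_sample_archive(SUPPORT_FILES)

if __name__ == "__main__":
    for label, blob in (("full", SAMPLE_FULL), ("support", SAMPLE_SUPPORT)):
        print(label, find_private_keys(blob))
```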
Sync groups and the default wideip.conf file (CR27366)
If you manage your 3-DNS Controllers using a sync group, and on one of the sync group members you delete the wideip.conf file and then restart the 3dnsd daemon, the 3dnsd daemon creates a new default wideip.conf file that contains only basic system configuration information. The new wideip.conf file no longer causes the sync process to overwrite the wideip.conf file of the other sync group members with the newer file, effectively erasing the real configuration.
Viewing router and link status in the Configuration utility (CR27776)
The router status now displays correctly on the Metrics & Limits statistics screen, in the Configuration utility, when all the links for a router are down (red ball).
New Link Discovery setting for BIG-IP systems and 3-DNS Controllers (CR27790)
You can now specify whether the 3-DNS Controller automatically adds (discovers) the default router and associated links, by using the Link Discovery option, for the following server types: BIG-IP and 3-DNS. If you want the 3-DNS Controller to discover only system settings and virtual servers for these server types, then you select OFF for the Link Discovery setting. Note that the Discovery option must be set to ON in order for the Link Discovery option to work. For details on configuring the Link Discovery setting, see Configuring Link Discovery, in the Optional configuration changes section of this note.
The Check Static Depends settings and load balancing virtual servers (CR27919)
When the Check Static Dependencies global setting and the Check Static Depends setting for a specific wide IP pool are different, the 3-DNS Controller no longer overrides the specific pool setting with the global setting.
The include geoloc "netIana.inc" directive and modifying the configuration using the Configuration utility (CR27929)
When you use the Configuration utility to modify your configuration, and you have added the include geoloc "netIana.inc" directive to the wideip.conf file, the Configuration utility no longer deletes the include directive when you make changes to the configuration.
Adding virtual servers to host configurations and Configuration utility errors (CR27930)
The Configuration utility no longer experiences errors when you add more than one virtual server to a host server configuration.
The all-ip option for the big3d agent and self IP addresses (CR28086)
When you enable the all-ip option for the big3d agent, the agent now uses all of the configured self IP addresses, including floating self IP addresses on redundant systems.
Upgrades and overwriting the 3dns_snmptrap.conf file (CR28152)
When you upgrade to the current PTF, the upgrade no longer overwrites the existing 3dns_snmptrap.conf file during the upgrade process. If you have added custom traps to the file, you no longer need to create a backup file before you apply the upgrade.
ECV service checks and FTP status code 125 (CR28295)
An ECV service check on the FTP service no longer causes the controller to incorrectly mark a virtual server as down (red ball) if that virtual server returns the FTP status code 125 in response to the ECV query. The 3-DNS Controller now recognizes the FTP status code 125.
ECV service monitors and setting the ECV scan level to None (CR28606)
When you configure ECV service monitors for a wide IP, and you set the scan level to None, those ECV service monitors are now recognized and probed by the 3dnsd process. Additionally, the ECV service monitors are now properly displayed on the ECV Statistics screen in the Configuration utility.
Configuring multiple router objects using the Configuration utility (CR29204)
Configuring multiple router objects no longer causes the Configuration utility to produce errors.
The Discovery setting and BIG-IP systems running the 3-DNS module (CR29270)
If you are running the 3-DNS module on a BIG-IP system, the options for the Discovery setting now display properly for both server types, in the Configuration utility.
The Restart big3d command in the 3-DNS Maintenance menu (CR29390)
The Restart big3d command, in the 3-DNS Maintenance menu, now restarts the big3d agent as expected.
Using a wildcard port in a wide IP port list and errors in the Configuration utility (CR29455)
The Configuration utility no longer experiences errors when you configure a wildcard port (port 0) in a wide IP port list.
The checktrap.pl script and the enterprise OID in traps (CR29481)
When the checktrap.pl script issues traps, it now sends the correct enterprise OID in the trap.
System errors and deleting paths that are in use by a peer sync group member (CR29682)
The 3-DNS Controller no longer experiences system errors when the system tries to delete a path that is in use by a peer sync group member. Note that this occurred in very rare circumstances, when the controller was under extreme load.
System errors and using the Round Robin LDNS option in a pool that has no virtual servers (CR29712)
The 3-DNS Controller no longer experiences system errors if you enable the Round Robin LDNS option on a pool that has no virtual servers configured.
Updating the big3d agent on BIG-IP systems running version 4.2PTF-01 through 4.2PTF-05 software (CR29783)
When you install the updated big3d agent on BIG-IP systems running the following software versions: 4.2PTF-01, 4.2PTF-02, 4.2PTF-03, 4.2PTF-04, 4.2PTF-05, the 3-DNS Controller now properly recognizes these software versions.
Timer error in BIND (CR29795)
A rare issue with timer updates in the BIND version 8 code has been fixed.
Adding disabled virtual servers to existing wide IPs and load balancing (CR29943)
When you add a virtual server to an existing wide IP, and the virtual server state is disabled or disabled by parent, the 3-DNS Controller no longer ignores the disabled status and uses the virtual server for load balancing.
The 4.5 PTF-07 release contained an important fix for BIG-IP Link Controller, and support for new BIG-IP Blade Controllers.
The 4.5 PTF-06 release included the following features and fixes.
Limits for current connections on BIG-IP systems (CR27048)
When you set a limit on current connections for a BIG-IP system, and that connection limit has been exceeded, the 3-DNS Controller no longer uses the virtual server belonging to the BIG-IP system as a response to a query.
Fallback load balancing method and Round Robin load balancing mode (CR27590)
If you set the fallback load balancing method for a wide IP pool to Round Robin, and no virtual servers in the pool are available for load balancing, the 3-DNS Controller no longer returns only the first virtual server listed in the pool.
Adding virtual servers to hosts and Configuration utility errors (CR27926)
The Configuration utility no longer experiences fatal errors when you add a virtual server to an existing host definition.
The 4.5 PTF-05 release included the following features and fixes.
Specified gigabit duplex setting on switches with fixed duplex settings (CR27755)
If your 3-DNS Controller is using gigabit interfaces and is plugged into a switch with a fixed duplex setting, you no longer need to configure the 3-DNS Controller gigabit interface and the port on the switch to Auto before applying this PTF. The link between the 3-DNS Controller and the switch now functions correctly.
Router link status no longer displays incorrectly (CR27756)
Receiver 3-DNS Controllers in a sync group now correctly probe the state of the router links that are in their own data center. When the controller monitors virtual servers in the same data center, the virtual servers inherit the correct state of the router link.
bigpipe system configuration commands now function properly (CR27759)
The bigpipe commands that write system configuration information (such as b save and b list) now function properly on the 3-DNS Controller.
The 4.5 PTF-04 release included the following features and fixes.
Changing the CORBA port number using the Configuration Utility (CR19780)
You can no longer change the CORBA port number using the Configuration Utility. The CORBA IIOP port should be set only to the default setting of 683.
SNMP traffic and a VLAN that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled no longer accepts SNMP traffic, unless you have explicitly enabled the SNMP port using the open_snmp_port global setting.
Disabling SNMP and rebooting the controller (CR22762)
When you disable SNMP using the Configuration utility and you reboot the controller, the bigstart script no longer generates a new snmp.conf file.
Network failover option (CR23127)
You can now configure network failover using the Configuration utility. You use either hard-wired failover or network failover when you have a redundant system. You configure network failover on the System - General screen, in the Configuration utility. For more information on the settings on this screen, click Help on the toolbar.
Address translation for host virtual servers (CR24370)
You can now configure address translations for host virtual servers. If firewall devices in your network separate the 3-DNS Controller from the host servers, you can use address translations to ensure that the 3-DNS Controller distributes the routable address for the virtual server, rather than the actual address. To configure address translations for host virtual servers, see the Configuring address translations for host virtual servers section of this PTF note.
Upgrades and process checking in the snmpd.conf file (CR24450)
When you upgrade the software, the process checking entries (proc) in the snmpd.conf file are no longer populated with incorrect values.
Obsolete script (CR24478)
The 3-DNS Controller no longer uses the sync_requests script. This script has been removed from the controller.
Remote LDAP authentication and login errors (CR24487)
If you mistype the login name while you are using remote LDAP authentication rather than RADIUS authentication, you no longer see a RADIUS error message.
Performance enhancements (CR24491)
The automatic discovery process, autoconf, has been improved so that it loads larger configurations more quickly.
Enabling one-time automatic discovery in the Setup utility (CR24565)
The Setup utility now includes an option to enable automatic discovery of the local system's configuration, and its peer's configuration, if applicable, when you run the Setup utility for the first time. Note that this option is most useful if you are running the 3-DNS Controller module on a BIG-IP system. You can find more information about automatic discovery (autoconf) in the 3-DNS Reference Guide, version 4.5.
Logging for synchronization (CR24598)
The synchronization process now generates informational and error log messages. You can view the synchronization log messages either by using the Configuration utility, or from the command line. To view the log messages using the Configuration utility, expand the Log Files item in the navigation pane, and then click 3-DNS.
Naming pools (CR24767)
When you create a new pool, and you use the name of a pool that already exists, the 3-DNS Controller no longer overwrites the original pool with the new pool's information.
LDAP authentication and user names (CR24880)
If you use LDAP authentication, and you use the user name, user, the system no longer fails to update the configuration.
Changing the iQuery protocol when you have a sync group configured (CR24927)
In the Configuration utility, on the System - General screen, when you change the iQuery Protocol setting from TCP to UDP, the synchronization process no longer breaks.
The OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the correct object identifier (OID) associated with it so this trap now functions properly.
Probing for host virtual servers and scalability (CR25153)
The service checks and probing for host virtual servers have been optimized so that the probing is more efficient. Host virtual server probes are better distributed throughout the probing interval, and require less system resources.
Broken links on the Configuration utility welcome screen (CR25249)
In the Configuration utility, under Additional Software Downloads on the welcome screen, the 3-DNS MIB and DNS MIB links now work properly.
The big3d agent for version 4.1.1 and version 4.1.1 PTFs (CR25251)
The big3d agent for products running version 4.1.1 software, or any version 4.1.1 PTF, is now included in this PTF. If you are running a version 4.1.1 system, be sure to update the big3d agent using the process in the Updating the big3d agent section of this PTF note.
Obsolete variables removed from system (CR25322, CR25325)
The following variables are now obsolete, and have been removed from the system:
| Configuration utility format | Command line format |
| Probe From Distance | probe_from_distance |
Several non-configurable variables no longer exposed in the Configuration utility (CR25324, CR25892)
The following non-configurable variables are no longer listed on the Global Statistics screen, in the Configuration utility:
dns_ttl, dump_regions, dump_topology, iquery_tag, link_compensate_inbound, link_compensate_outbound, link_compensation_history, link_limit_factor, link_prepaid_factor, lower_bound_pcnt_col, lower_bound_pcnt_row, max_link_over_limit_count, over_limit_link_limit_factor, paths_noclobber, persist_mask, probe_from_distance, resolver_rx_buf_size, resolver_tx_buf_size, rtt_allow_frag, rtt_retire_zero, rx_buf_size, tdapi_gap_ttl, tdapi_msg_ttl, timer_sync_state, traceroute_port, tx_buf_size.
The following settings were removed from the System - General screen, in the Configuration utility:
iQuery Settings, Transfer Buffer; iQuery Settings, Receive Buffer; Resolver Buffer Sizes, Transfer; Resolver Buffer Sizes, Receive.
Synchronization and removing the include geoloc "netIana.inc" directive (CR25402)
If you have a sync group configured, and you remove the include geoloc "netIana.inc" directive from one of the sync group members because you are not using Topology load balancing for any pool or wide IP, the synchronization process now removes the directive from the other members of the sync group.
Probing large configurations on BIG-IP systems and CPU usage (CR25407)
The big3d agent has been optimized so that it no longer consumes a large percentage of the CPU when the 3-DNS Controller is probing larger BIG-IP configurations.
BIG-IP virtual server status and node connection limits (CR25473)
When you have configured a node connection limit for a BIG-IP virtual server, the 3-DNS Controller no longer displays that virtual server as down (red ball) if the node connection limit is set to zero (0).
Error messages for the checkd process on standalone 3-DNS Controllers (CR25476)
If you have a standalone 3-DNS Controller, the checkd process (which is not used by the 3-DNS Controller) no longer generates error messages in the /var/log/bigd file.
Interoperating with SEE-IT® Network Manager (CR25573)
In 3-DNS Controller version 4.5, the format of the /VERSION file has been modified so that the version 4.5 software is now compatible with the SEE-IT Network Manager.
Synchronizing Link Controllers with 3-DNS Controllers (CR25753)
If your network includes both 3-DNS Controllers and Link Controllers, you can add the Link Controllers to the 3-DNS sync group, if you have one configured. For details on adding a Link Controller to a 3-DNS sync group, see the Adding a Link Controller to a 3-DNS sync group section of this PTF note.
New support for NetApp server (CR25847)
The 3-DNS Controller can now load balance to, and collect metrics from, the Network Appliance™ NetApp® server. In addition to load balancing to virtual servers on the NetApp server, the 3-DNS Controller can collect the following metrics: kilobytes per second throughput, packets per second throughput, current connections, disk usage percentage, memory usage percentage, CPU usage percentage.
You configure the NetApp server as a host server type. For more information on adding a NetApp server as a host server, see the Adding a NetApp server to the configuration section of this PTF note.
Errors in the 3dparse script and virtual server dependencies (CR26031)
If you configure a virtual server dependencies list for a virtual server that contains the virtual server itself, the 3dparse script no longer causes system errors.
Users with read-only or partial read/write permissions and deleting objects in the Configuration utility (CR26171)
Users who have read-only or partial read/write permissions for the Configuration utility can no longer delete self IPs for 3-DNS Controllers or for routers. By default, users with these permission levels are not able to delete any objects in the Configuration utility.
Loading large configurations and web server errors (CR26248)
When the 3-DNS Controller is loading a large configuration, you no longer see server errors in the Configuration utility.
Using the Hops load balancing method and CPU usage (CR26261)
The CPU usage no longer spikes under the following conditions:
The OpenSSL package has been upgraded (CR26518)
The OpenSSL package has been upgraded to version 0.9.7a. This upgrade addresses several recent security issues with OpenSSL. For more information on the resolved security issues, see the CERT web site at http://www.cert.org.
Virtual servers with disabled VLANs and memory leak (CR26535)
A virtual server with a disabled VLAN no longer causes the 3-DNS Controller to experience a slow memory leak.
Version 4.5 encryption key size and system errors on previous software versions (CR26550)
The encryption key size in version 4.5 software is now backward-compatible with BIG-IP systems running previous software versions. The affected software versions are BIG-IP version 3.1 through BIG-IP version 4.2 PTF-09.
Log rotation for the ITCM.log file (CR26781)
The frequency of the log rotation for the ITCM.log file has been increased from once every 7 days to once every 24 hours. This improves the system efficiency if you are monitoring the controller with the iControl Services Manager.
RADIUS authentication for the default role on the 3-DNS Controller module (CR26931)
If you are running the 3-DNS Controller module on a BIG-IP system, the module no longer ignores the RADIUS authentication parameters for the default user role.
OpenSSL timing attack vulnerability (VU#997481) (CR26966)
The vulnerability that is outlined in VU#997481, Cryptographic libraries and applications do not adequately defend against timing attacks, has been addressed in this PTF. For details on the vulnerability, see http://www.cert.org.
Memory leak in the 3dnsd daemon and large configurations (CR27015)
The 3dnsd daemon no longer experiences a memory leak if a BIG-IP definition in the configuration contains more than 50 virtual servers, and you are using automatic discovery (autoconf).
Script to set up core capture
We have added a new script to automate core capturing on a 3-DNS Controller, if the controller has a hard drive. The script runs automatically after you install this PTF and reboot the system. It provides functionality to enable and disable core capture.
After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.
You can disable this functionality with the following command:
You can re-enable the functionality with the following command:
Important: As long as this functionality is enabled, you see the message savecore: no core dump during boot time.
There were no features or fixes for 3-DNS Controller in version 4.5 PTF-03.
The 4.5 PTF-02 release included the following features and fixes.
Enhancements to load balancing
This PTF adds two new load balancing modes, Drop Packet and Explicit IP. We recommend that you use these new load balancing modes only for the fallback method. The 3-DNS Controller uses the fallback method when the preferred and alternate load balancing modes do not provide at least one virtual server to return as an answer to a query. When you specify the Drop Packet mode, the 3-DNS Controller does nothing with the packet, and simply drops the request. (Note that a typical LDNS server iteratively queries other authoritative name servers when it times out on a query.) When you specify the Explicit IP mode, the 3-DNS Controller returns the IP address that you specify as the fallback IP as an answer to the query. Note that the IP address that you specify is not monitored for availability before being returned as an answer. When you use the Explicit IP mode, you can specify a disaster recovery site to return when no load balancing mode returns an available virtual server.
You can configure the new load balancing modes for the fallback method either using the Configuration utility or from the command line. For information on configuring the fallback method with the new load balancing modes, see the Configuring the Drop Packet and Explicit IP load balancing modes section of this PTF note.
Large configurations and misleading error messages (CR19843)
When the 3dnsd process is loading a large configuration, you may now see a warning message instead of an error message.
Updated 3-DNS Reference Guide PDF (CR22017)
The 3-DNS Reference Guide has been updated to include Appendix A, 3-DNS Configuration File. The updates to this appendix include the revised data structures and the new configuration options for routers and links.
UDP checksums and TFTP packets (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.
Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.
Turning off automatic synchronization and persistent LDNS requests (CR24869)
If you turn off automatic synchronization on a 3-DNS Controller, and if the 3dnsd process on that controller loses network communications with the other 3dnsd processes in the network, the controller now synchronizes LDNS requests that occur during the time that the 3dnsd process is offline.
iControl BaseServer::get_interfaces function and the 3dnsd process (CR24912)
The following iControl function, ITCMGlobalLB::BaseServer::get_interfaces, no longer causes the 3dnsd process to stop running when you specify an invalid type within the function.
Synchronization and the netIana.inc file (CR24928)
The include geoloc "netIana.inc" directive is now synchronized between the members of a sync group.
Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.
Errors on the System - General screen in the Configuration utility (CR25143)
You can now change any of the settings on the System - General screen in the Configuration utility, and you no longer see error messages when you do so.
Invalid metrics statistics and graphs for down remote links (CR25146)
The Link Statistics screen, in the Configuration utility, no longer displays very large, invalid values for remote links that are down (red ball). The link statistics graphs now accurately display the data for both the link that is down, and any available links.
Path probing requests and data centers with no defined router (CR25155)
If a data center contains at least one 3-DNS Controller, BIG-IP system, or EDGE-FX system, the big3d agent now issues path probing requests to that data center, regardless of whether you have defined a router for the data center.
Using a serial terminal as a console (CR25183)
This PTF fixes the serial terminal as the console functionality, as described in the 3-DNS Reference Guide, Chapter 6, Monitoring and Administration, so that it works with all 2U controller platforms.
The 4.5 PTF-01 release included the following fix.
CA-2002-31, Multiple Vulnerabilities in BIND
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.
Updated big3d agent for version 4.5 and later (CR25255)
Once you have installed the software, you can use any of the following new configuration options to update your configuration. Note that these new configuration options are the result of one or more of the fixes or enhancements listed above.
If you have both 3-DNS Controllers and one or more Link Controllers in your network, you can add the Link Controllers to the 3-DNS Controllers' sync group in a few simple steps. Adding a Link Controller to a 3-DNS sync group involves three tasks:
Important: Before you add the Link Controller to the 3-DNS sync group, we recommend that you back up both the 3-DNS configuration and the Link Controller configuration.
To run the merge_configs script
From the command line on the principal 3-DNS Controller, run the merge_configs script by typing the following command, where <ip_address> is the IP address of the Link Controller that you want to add to the sync group.
/usr/local/bin/merge_configs -peer <ip_address>
To make the sync group aware of the Link Controller
Using the Configuration utility on the principal 3-DNS Controller, add the Link Controller to the sync group.
To add the Link Controller to the sync group and start synchronization
The final step in adding the Link Controller to a 3-DNS sync group is to run the 3dns_add script on the Link Controller. The script moves the synchronized configuration to the Link Controller, and finalizes the sync group setup.
You add a NetApp server to the 3-DNS configuration as a host.
To add a NetApp server using the Configuration utility
Note: For more information on any of the settings on the screens in the Configuration utility, click Help on the toolbar.
You can configure the fallback method using the new load balancing modes either by using the Configuration utility, or by editing the wideip.conf file from the command line. You can specify either the Drop Packet load balancing mode, or the Explicit IP load balancing mode. Note that if you specify the Explicit IP mode, you also specify a fallback IP address.
To configure the fallback method with the Drop Packet mode using the Configuration utility
To configure the fallback method with the drop_packet mode from the command line
To configure the fallback method with the Explicit IP mode using the Configuration utility
To configure the fallback method with the explicit_ip mode from the command line
You can now configure address translations for host virtual servers. This is beneficial when there is a firewall separating the 3-DNS Controller from the host.
To configure an address translation for a host virtual server using the Configuration utility
Note: For more information on any of the settings on the screens in the Configuration utility, click Help on the toolbar.
If you want the 3-DNS Controller to detect the links and associated routers for a BIG-IP system, you can configure the Link Discovery setting for that BIG-IP system. By default, the Link Discovery setting is not enabled. Additionally, you can configure the Link Discovery setting for any 3-DNS Controllers you have in the configuration.
To configure link discovery using the Configuration utility
Use the following instructions to configure the big3d agent so that the agent fully closes partial TCP connections. Note that the default behavior for the big3d agent is to issue a reset packet (RST) for partial TCP connections.
To configure the big3d agent to fully close TCP connections
From the command line, type big3d -use-tcp-connect, and press Enter.
The following additional options are available for the big3d agent:
The following items are known issues in the current release.
Multiple Configuration utility sessions and modifying a configuration (CR9333)
The 3-DNS Configuration utility does not refresh properly when you have multiple Configuration utility sessions open for more than one F5 system, and you make a change to the 3-DNS Controller's configuration. The Configuration utility for the controller that you are not modifying updates automatically, while the Configuration utility for the controller that you are modifying does not update automatically. Note that this happens only when you are either enabling or disabling objects, or setting limits for an object. You can avoid this issue by opening only one browser session at a time when you are modifying a configuration.
Statistics screens and viewing 3-DNS status (CR9452)
When you disable a 3-DNS Controller that is a member of a sync group, the 3-DNS Statistics and Sync Group Statistics screens (in the disabled system's Configuration utility only) display an inaccurate status (a red ball) for all of the other 3-DNS systems in the same sync group. You can see the correct status of the systems in the 3-DNS Statistics and Sync Group Statistics screens of any enabled 3-DNS Controller in the sync group.
Prober statistics and Internet Explorer 5.0 and later (CR10153)
When you are viewing Histograms or Metrics on the Prober Statistics screen, you might encounter errors if you are using Microsoft Internet Explorer 5.0 or later. We recommend using the following procedure to view the Histograms or Metrics.
The browser saves the file, and you can now open the file using Microsoft Excel.
ArrowPoint CS150 and metrics collection (CR10361)
The 3-DNS Controller collects metrics on packets per second and kilobytes per second only for HTTP traffic on the current ArrowPoint CS150 server.
The kilobytes per second rate as displayed for the ArrowPoint CS150 is approximately 16 times smaller than it should be. The total byte count returned from the ArrowPoint MIB is 16 times smaller than the total byte count that was actually handled.
Netscape Navigator and the Network Map (CR11161)
The Network Map does not display large configurations properly when you run Netscape on a UNIX or Linux platform. We recommend that you use a Windows-based browser to view large network configurations with the Network Map.
Network Map and multiple browser sessions (CR11173)
When you view the Network Map, you might get an error when you open additional browser sessions with Internet Explorer or Netscape Navigator. This error only occurs if the additional browser sessions use Java applets. We recommend that you close any additional browser sessions before viewing the Network Map.
Wide IP production rules (CR11710)
When you create a wide IP production rule with a Date/Time time variable, the production rule action does not stop in the time frame that you specify in the Stop Time box. We recommend that you do not configure a production rule with the Date/Time time variable.
Sync group names in the Configuration utility (CR14955)
In the Configuration utility, you may get an internal server error, and you may not be able to delete the sync group, if you use special characters in the sync group names. To avoid this error, use only alphanumeric, underscore ( _ ), hyphen ( - ) or space characters in the sync group names.
Adding servers using the Configuration utility and the Back button in Internet Explorer (CR15345)
Occasionally, when you add a new server to the 3-DNS configuration using the Configuration utility, and you are using the Configuration utility in a Microsoft® Internet Explorer browser session, you may get an error when you use the Back button to return to a previous screen. The error is benign, and you can click any item in the navigation screen to clear the error.
Opening PDF files from the 3-DNS Controller home screen (CR15901)
Occasionally, when you open any of the PDF files available on the home screen of the Configuration utility, the CPU usage for your workstation may spike to 100%. To avoid this problem, right-click the name of the PDF file that you want to open, and choose Save Target As to save the PDF file on your workstation. You can then open the PDF file using Adobe® Acrobat® Reader, version 3.0 and later.
Enabling the IP classifier (CR18264)
If you use the Topology load balancing feature, you must make the following change to the wideip.conf file so the 3-DNS Controller can classify continent and country of origin for local DNS servers.
Note: If you have a sync group configured, you must enable the IP classifier on each member of the sync group.
Upgrading the software and the MindTerm SSH Console (CR18436)
When you upgrade the software for 3-DNS Controller, you cannot use the MindTerm SSH Console, because the upgrade stops and restarts the SSH service. To upgrade the software, use a serial console instead.
Using the 3-DNS Controller in bridge mode (CR18873)
You cannot configure the 3-DNS Controller in bridge mode using a remote connection or using the Configuration utility. You must configure bridge mode using a local connection. For details on configuring bridge mode, see the Configuring bridge mode section of this release note.
Special characters in pool names and viewing the Network Map (CR19756)
When you use the colon character ( : ) in a pool name, and then try to view the Network Map, the Network Map does not display. To avoid this error, do not use the colon character in pool names.
The 3dpipe utility and pool names (CR20183)
The 3dpipe utility does not properly parse pool names that contain numbers only.
CPU usage statistics for EDGE-FX Caches (CR21325)
On the EDGE-FX Cache Statistics screen, in the Configuration utility, the 3-DNS Controller incorrectly reports the CPU usage statistic for the EDGE-FX Cache.
Time-to-live (TTL) values for resource records (CR22025)
If you set the pool TTL to a value that is different from the wide IP TTL, the dig command displays the wide IP TTL rather than the pool TTL in the answer packet. This occurs only when all the virtual servers in the pool are unavailable. Resource records in the DNS configuration are set with the wide IP TTL instead of the pool TTL. If you change the pool TTL, the TTL for the resource records does not change to the updated TTL. Therefore, when the 3-DNS Controller is unable to load balance a request, and returns the request to DNS, the resource record contains the wide IP TTL rather than the pool TTL.
Clean installations of the 3-DNS Controller software and the Default data center (CR23028)
When you install the 3-DNS Controller version 4.5 software, and you do not have a previous configuration file, the controller creates a default data center labeled Default. To move any objects that are in the Default data center to a data center that you create, see the Moving objects from the Default data center to a newly-created data center section of this release note. Note that this occurs only on a BIG-IP system with the 3-DNS module.
Renaming a wide IP that has aliases using the Configuration utility and synchronization (CR23224)
When you rename a wide IP, and the wide IP has aliases, the order of the wide IP name and alias may appear in reverse order when you look at the wide IP in the Configuration utility of another controller in the sync group. Note that this error does not affect domain name resolution.
Configuring production rules (CR23327)
In the Configuration utility, when you create a production rule, you cannot use the Description box to add a description of the production rule. If you type text into the Description box, the controller ignores it, and the text is not saved.
Upgrading the software and home screen errors in the Configuration utility (CR23710)
When you are upgrading a 3-DNS Controller from version 4.2 to version 4.5, you may see the BIG-IP system home screen instead of the 3-DNS home screen. This occurs only once: after you upgrade the software and before you upgrade the license file using the new licensing process. Note that this does not affect the 3-DNS Controller module on the BIG-IP system.
Graph titles on the P95 Billing Estimate statistics screen (CR23770)
When you change the date or time range on the P95 Billing Estimate statistics screen in the Link Statistics, the titles on the graphs do not update to reflect the changes. If you are using Internet Explorer, you can update the titles by holding down the Control key, right-clicking in the screen, and then clicking Refresh. If you are using Netscape Navigator, you can update the titles by holding down the Shift key, right-clicking in the screen, and then clicking Refresh.
Date ranges on the P95 statistics screen (CR23784)
The graphs on the P95 statistics screen do not check for dates in the future. If you enter a date that is later than the current date, you may get inaccurate graphs.
Synchronization and modifying the configuration (CR24081)
If you are updating a configuration using the Configuration utility, and another member of the sync group initiates the synchronization process, you get a notification screen that indicates that you cannot update the configuration. To work around this issue, wait for a minute, click the browser's Back button, and continue updating the configuration. Note that this issue is most likely to occur when you are using multiple browser sessions to update the sync group's configuration. We recommend that you use only one browser session (and controller) to update the sync group's configuration.
Unit ID numbers for a redundant system and the auto-configuration process (Discovery) (CR24734)
The auto-configuration process does not recognize the unit ID numbers for the units in a redundant system. The process does, however, properly add the configuration information for both units.
The Network Map and viewing wide IP information (CR24750)
In the Network Map, in the Configuration utility, when you highlight a wide IP, the information table displays an IP address for the wide IP. The IP address is not a valid IP address; rather it is a randomly generated number. Note that this error is benign because the 3-DNS Controller no longer associates an IP address with a wide IP.
The Network Map and viewing the enabled/disabled status of a virtual server (CR24751)
When you disable a virtual server that is in a wide IP that has manual resume enabled, the information table in the Network Map does not display the correct status for the virtual server. To view the correct status for the virtual server, in the navigation pane, expand the Statistics item, and then click Virtual Servers. The E/D column displays the correct status for the virtual server.
Viewing wide IPs created in the 3-DNS Controller module from the Link Controller module (CR24842)
Wide IPs that you create in the 3-DNS Controller module that contain more than one pool display only the first pool of the wide IP in the Inbound LB screen in the Link Controller module. You may encounter this known issue only when you are running a BIG-IP system with both the 3-DNS Controller module and the Link Controller module.
Single data center configuration and default gateway probing (CR25507, CR29281)
By default, the 3-DNS Controller, or another F5 product on behalf of a 3-DNS Controller, polls its default gateway with big3d using ICMP every two seconds. If no response is received from the default gateway, the 3-DNS Controller may mark all systems in the data center down. This behavior may be considered undesirable in a single data center configuration. If you have this type of configuration we recommend that you check to make sure that all 3-DNS Controllers, or F5 products probing on behalf of the 3-DNS Controller, are able to reach the default gateway through ICMP. If you are unable to configure all 3-DNS Controllers or F5 products probing on behalf of a 3-DNS Controller with ICMP access to the default gateway, we recommend that you limit probing to a single F5 product that is able to reach the default gateway through ICMP.
Configuring SSH access host restrictions (CR25530)
In previous versions, the /etc/ssh2/sshd2_config and /etc/sshd_config files controlled SSH access. When you upgrade to version 4.5, the system ignores any SSH access restrictions previously configured in the /etc/ssh2/sshd2_config and /etc/sshd_config files, and reverts to an SSH access level that allows all hosts to connect. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once you have completed the upgrade. To do this, type the following command to start the Setup utility, and then press Enter:
Choose option (S) Configure SSH, and set the restrictions you prefer.
Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.
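A post-upgrade check for the two SSH items above (CR25530 and CR25821), as an added example that is not F5 code: it reads a TCP-wrappers style hosts.allow file and reports rules that leave an SSH daemon open to ALL hosts. The daemon names sshd and sshd2, the file path you pass in, and the sample rules are assumptions; the release note names only the hosts.allow file.

```shell
#!/bin/sh
# Added example: flag hosts.allow rules that grant SSH access to all hosts.

# Constructed sample rules, not taken from a real controller.
sample_hosts_allow() {
cat <<'EOF'
# constructed sample hosts.allow
sshd: 192.0.2.0/255.255.255.0, \
      198.51.100.7
sshd2 : ALL
httpd, sshd: ALL EXCEPT 203.0.113.9
snmpd: 192.0.2.10
EOF
}

# audit_ssh_allow FILE [DAEMONS]
# Prints "line N: <rule>" for every rule that opens an SSH daemon to ALL.
# Returns 0 if none is found, 1 if at least one is found, 2 if FILE is unreadable.
audit_ssh_allow() {
    file=$1
    daemons=${2:-"sshd sshd2"}   # assumption: wrapper names used for SSH
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -v daemons="$daemons" '
    BEGIN { n = split(daemons, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
    {
        # Lines that begin with "#" are comments; remember where a rule starts.
        if (buf == "") { if ($0 ~ /^#/) next; start = NR }
        line = $0
        # A backslash before the newline continues the rule on the next line.
        if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line " "; next }
        rule = buf line; buf = ""
        gsub(/[ \t]+/, " ", rule); sub(/^ /, "", rule); sub(/ $/, "", rule)
        if (rule == "") next
        # Rule format: daemon_list : client_list [: option ...]
        if (split(rule, part, ":") < 2) next
        hit = 0
        m = split(part[1], dl, /[ ,]+/)
        for (i = 1; i <= m; i++) if (dl[i] in want || dl[i] == "ALL") hit = 1
        if (!hit) next
        # ALL in the client list is reported even when EXCEPT narrows it,
        # because the rule still admits nearly every host.
        wide = 0
        c = split(part[2], cl, /[ ,]+/)
        for (i = 1; i <= c; i++) if (cl[i] == "ALL") wide = 1
        if (wide) { printf "line %d: %s\n", start, rule; found = 1 }
    }
    END { exit (found ? 1 : 0) }
    ' "$file"
}

# Demo on the constructed sample.
demo=$(mktemp)
sample_hosts_allow > "$demo"
audit_ssh_allow "$demo" || echo "status $?: SSH is open to all hosts in the rules above"
rm -f "$demo"
```

Run it against the controller's hosts.allow after the upgrade and again after using the (S) Configure SSH option; a return status of 0 means no SSH rule admits all hosts.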
VLAN names and syntax errors (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text, vlan, as the initial portion of a VLAN name.
Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see CR25890.
Changing iControl settings and restarting the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:
bigstart shutdown portal
LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do not use spaces in the group names.
Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:
/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2
To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file, and change the authtrapenable value to 2 (disable).
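One way to detect and correct the invalid value described above, as an added example that is not F5 code: check_authtrapenable reports any authtrapenable line in an snmpd.conf file whose value is not 1 or 2, and fix_authtrapenable prints a copy with those lines set to 2 (disable). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and correct an invalid authtrapenable value (CR26610).

# Constructed sample file reproducing the incorrect setting of 0.
sample_snmpd_conf() {
cat <<'EOF'
# constructed sample snmpd.conf
syscontact admin@example.com
syslocation lab-rack-1
# authtrapenable 1
   authtrapenable 0
EOF
}

# check_authtrapenable FILE
# Prints one line per authtrapenable directive whose value is not 1 or 2.
# Returns 0 if every directive is valid (or none is present), 1 if an
# invalid value is found, 2 if FILE is unreadable.
check_authtrapenable() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # The directive name is matched case-insensitively (a lenient choice);
    # commented-out lines do not match because their first field starts with "#".
    awk '
    tolower($1) == "authtrapenable" && $2 != "1" && $2 != "2" {
        printf "line %d: authtrapenable %s (must be 1 or 2)\n", NR, ($2 == "" ? "<missing>" : $2)
        bad = 1
    }
    END { exit (bad ? 1 : 0) }
    ' "$file"
}

# fix_authtrapenable FILE
# Writes a corrected copy to standard output: invalid values become 2
# (disable), the correction the release note gives. Valid lines and all
# other directives pass through unchanged; FILE itself is not modified.
fix_authtrapenable() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
    tolower($1) == "authtrapenable" && $2 != "1" && $2 != "2" {
        print "authtrapenable 2"
        next
    }
    { print }
    ' "$file"
}

# Demo on the constructed sample: report the bad line, then show the fix.
demo=$(mktemp)
sample_snmpd_conf > "$demo"
check_authtrapenable "$demo" || fix_authtrapenable "$demo"
rm -f "$demo"
```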
Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility (setup), we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system, the unit is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic cannot pass through the system.
Sync groups and upgrading software versions (CR26784)
When you are upgrading the software on 3-DNS Controllers that belong to a sync group, you must temporarily remove the controller you are upgrading from the sync group before you apply the upgrade. This is because the synchronization process cannot synchronize controllers that are running different software versions, including different PTF versions. See the Removing a controller from a sync group work-around, following the Known issues section of this release note, for configuration details.
The 3dns_add script and mixed versions of the 3-DNS software (CR26884)
If you are adding a new 3-DNS Controller to an existing sync group, the new 3-DNS Controller must be running the same version of the 3-DNS software as the controllers that are already in the sync group. If the controllers are running mixed versions of the 3-DNS software (for example, 3-DNS Controller, version 4.2 PTF-09, and 3-DNS Controller, version 4.5 PTF-03), the 3dns_add script fails because the script does not check versions. For more information on working with the 3dns_add script, see the 3-DNS Administrator Guide, version 4.5.
Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.
CompactFlash® media drives and logging for the named daemon (CR27132)
When the named daemon is running, it generates status and usage messages as part of its normal behavior. If you are running the named daemon on a system with a CompactFlash media drive, these messages may fill up the /var/log/messages file. To avoid this, periodically delete the status and usage messages for the named daemon.
RADIUS server configuration and Netscape (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.
User administration for remote authentication using the Configuration utility (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter, and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored, and you must click the Done button in order to add a new user.
Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility (setup) does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.
Installing the PTF from CD and 3dnsd utility error messages (CR27501)
When you install the version 4.5 PTF-05 software from a CD, you may see the following error message just before you run the Setup utility:
ERR: An instance of 3dnsd (pid:xxx) is already running! Exiting.
The error message is benign and does not affect the software installation in any way.
SNMP probing with Foundry systems (CR27667)
If you configure a Foundry system as a host and then use SNMP probing to get virtual server information from the Foundry system, the 3-DNS Controller may report a non-existent virtual server on the Foundry system.
SNMP version 2 with Foundry systems (CR27758)
The 3-DNS Controller does not currently support using SNMP version 2 probing with Foundry systems.
Copper gigabit NICs and setting media speeds (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the 3-DNS Controller and the connected switches.
Using the Setup utility to configure the media type for an interface (CR27793)
When you use the Setup utility to configure the media type for an interface, the BIG-IP system does not save this setting when you rerun the Setup utility. You must configure this setting each time you run the Setup utility.
Installing iQuery keys and errors in the install-key script (CR27799)
The install-key script may display the following error message during the key exchange process:
ERROR: Cannot connect to any of the following selfIP(s) for a server:
This error message is incorrect and does not affect the iQuery key exchange process.
HTTP ECV service checks and file names (CR27823)
When you configure an HTTP ECV service check for a wide IP using the Configuration utility, the Configuration utility incorrectly adds a slash ( / ) to the beginning of the file name. To work around this issue, you can either configure the HTTP ECV service check in the wideip.conf file from the command line, or you can edit the wideip.conf file and remove the slash.
NameSurfer application and PTR records (CR27832)
The NameSurfer application deletes PTR records when you change the time-to-live (TTL) value.
MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive, when all of the following conditions are met:
Running 3-DNS Maintenance menu commands and 3dparse warning messages (CR27910)
If the wideip.conf file contains configuration errors (for example, you have a wide IP pool configured that does not contain any virtual servers), and you run one of the following commands in the 3-DNS Maintenance menu: Install and start big3d, Check remote versions of big3d, or Configure SSH communication with remote devices, you see 3dparse warning messages on the console. The warning messages are benign, and do not affect the functionality of the commands.
Network Map and the enabled or disabled status for pool virtual servers (CR27923)
The Network Map does not display the correct enabled or disabled status for virtual servers, in the context of a wide IP pool. To see the correct enabled or disabled status of the virtual servers, view the Disabled Objects statistics screen.
SNMP version and probing (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.
Setup utility and VLAN tag configuration (CR28027)
If you use the Setup utility to configure VLAN tags or add new VLANs with tags and self IPs, and you use the command line utility to modify interfaces after VLAN tags are added, all of the tagged interfaces and associated data (self and shared IPs) are removed from the configuration files. You may need to reconfigure these settings, or use the backup file to restore these settings.
Probing from the BIG-IP system (CR28099)
When a BIG-IP system is the only F5 system in a data center, and you disable all factories in the BIG-IP definition, the BIG-IP system continues to probe the router in its data center. To avoid this issue, you can create a prober access control list (ACL) and add the router to the ACL.
Reconfiguring a standalone system as a unit in a redundant system (CR28116)
If you have a standalone system that you later decide to reconfigure as a unit in a redundant system, the system may experience failures when you reconfigure the networking and IP addresses.
ECV check and SNMP traps (CR28210)
If you configure an ECV check and enable SNMP traps on a BIG-IP system with a 3-DNS module, and the ECV check fails, SNMP trap messages for ECV failures are logged in the 3-DNS log file, but not in the BIG-IP log file. The system logs trap messages for the failure of the associated virtual servers and wide IPs correctly.
Viewing toolbars in the Configuration utility and resizing the screen (CR28330)
If you resize the browser window when viewing the Configuration utility, you may not be able to see the entire toolbar on some of the screens. We recommend that, to avoid this problem, you maximize the browser window, and use a screen resolution of at least 1024 X 768.
Disabling the default data center (CR28348)
In the Configuration utility, you cannot disable the data center, Default. This data center is automatically created by the controller when you are running the 3-DNS Controller module on a BIG-IP system. We recommend that you create a new data center and move the servers from the data center, Default, to the newly-created data center. To do this, see the workaround Moving objects from the Default data center to a newly-created data center following this section of the release note.
Replacing 3-DNS systems and resetting the SSH key (CR28408)
Installing a replacement unit into your network breaks the trust relationship between the 3-DNS Controller and any devices with which it interacts. As a result, synchronization between the systems in the sync group stops, and you cannot update the big3d agent. You can correct this situation by removing the newer SSH key (on the replacement unit), and synchronizing the updated 3-DNS Controller with other 3-DNS Controllers or BIG-IP systems. Refer to the Resetting the SSH key work-around to reset the SSH key and synchronize the systems in your network. Note that you must reset the SSH key before you run the Configure SSH communication with remote devices command, on the 3-DNS Maintenance menu.
Modifying a data center configuration and memory errors (CR28459)
You may see a memory error in the Configuration utility, when all of the following conditions are met:
Displaying data centers with 1000 or more defined servers (CR28529)
If you have 1000 or more servers defined for a certain data center, the 3-DNS Controller Configuration utility may display an error when displaying the defined servers. Disregard this error, as the screen eventually displays all of the defined servers correctly.
bigpipe commands that contain invalid trailing arguments (CR28581)
If you type a bigpipe command that contains an invalid trailing argument, the bigpipe utility produces a syntax error, but may run the command anyway. In this situation, the command should fail.
The NameSurfer log file does not get rotated by the system (CR28615)
The NameSurfer™ application log file, /var/log/namesurfer.log, does not get rotated. This can result in the log file becoming large. If you find that the NameSurfer log file has become too large, you can remove the file from the system, and then run the bigstart restart namesurfer command.
Setting the length of time to disable a pool (CR28901)
In the Configuration utility, when you disable a pool, you can specify an unrealistic time for the Length of time to disable setting. The Configuration utility does not enforce an upper limit for this setting. We recommend that you use caution when you specify a length of time to disable a pool.
Using the Sun® Java® client and working with Topology (CR29626)
If you have the Sun Java client (version 1.4.x) installed on your workstation, and you are using the browser-based Configuration utility to modify the topology statement, you cannot delete topology records. To work around this issue, we recommend that you modify the topology statement from the command line.
Reporting state for a proxy on a BIG-IP system (CR30139)
When you have a proxy configured on a BIG-IP system, and the proxy is configured with a target server (rather than a target virtual server), the 3-DNS Controller reports the monitoring state of the proxy as unknown (a blue ball in the Configuration utility statistics screens).
Updating the big3d agent and BIG-IP version 3.1 systems (CR30242)
Updating the big3d agent fails if you have BIG-IP systems that meet both of the following conditions:
Viewing data on the BIG-IP Statistics screen (CR30464)
Occasionally, in the Configuration utility, the BIG-IP Statistics screen displays the BIG-IP data incorrectly.
LDNS statistics (CR31239)
If you use the Configuration utility to clear LDNS statistics from the LDNS Statistics screen, the LDNS statistics are not cleared correctly. We recommend that you use the command line utility to clear LDNS statistics.
Default gateway pools (CR31928)
You cannot configure a default gateway pool on the 3-DNS Controller.
Random load balancing method (CR32762)
If you configure a Wide IP and use Random as the load balancing method for pools, the load is incorrectly distributed in a way that is similar to Ratio load balancing.
Wide IP port numbers replaced by service names and configuration errors (CR32977)
In the Configuration utility, the Link Controller is automatically replacing wide IP port numbers with service names. If you subsequently modify any settings for the wide IP, you see an invalid port error message when you click Update. To work around this issue, when you modify the wide IP, change the wide IP port setting back to the port number before you click Update.
Autoconf and BIG-IP virtual servers (CR33161)
Autoconf does not compile a complete list of BIG-IP virtual servers in all cases.
NameSurfer and remote RADIUS authentication (CR33665)
If you are using NameSurfer with remote RADIUS authentication enabled, and you log in to the 3-DNS system using the Configuration utility, you must log in again in order to configure NameSurfer settings. If you want to return to the 3-DNS Configuration utility, you must close the browser, open a new browser, and log in again.
Incorrect pending values in the Configuration utility (CR33666)
In certain circumstances when a link goes down, the Configuration utility displays an incorrect "Pending" value for the link. This value may display in the Configuration utility until you use the 3ndc restart command.
Static depends configuration (CR33671)
If you enable or disable Static Depends, you must use the 3ndc restart command in order for the virtual server to be updated correctly.
Incorrect virtual server status icons (CR35061)
If you have Autoconf enabled and you use the Configuration utility to delete a BIG-IP system from the network configuration, in certain circumstances the virtual server status icons for the BIG-IP system display as gray. The icons may incorrectly remain in a gray state until you restart the 3dnsd utility.
Error messages logged in /var/log/3dns (CR35714)
If you use the bigstart restart all command, the following error messages may be stored in the /var/log/3dns log:
sod-portal: One or more of the corba daemons has been incorrectly restarted.
sod-portal: Killing corba daemons in order to insure clean restart.
sod-portal: Restarting corba daemons.
You can disregard these error messages.
TTL settings for zones associated with wide IPs (CR35963)
If you are using NameSurfer and you add a wide IP to a zone, the wide IP time-to-live (TTL) setting is used instead of any previously configured TTL setting for that zone. If you add two wide IPs with different TTL settings to the same zone, the second wide IP TTL is used.
Modifying zones that are associated with wide IPs (CR35963)
If you use NameSurfer to add records to a zone associated with one or more wide IPs, and you then use the Configuration utility to modify one of the wide IPs, the records may be overwritten. In addition, if you use the Configuration utility to change the TTL for a zone, the records will be overwritten.
NTP settings (CR36782)
If you run the Setup utility and you re-configure the NTP settings, you must use the bigstart restart ntpd command in order for your changes to take effect.
Principal controllers in redundant systems (CR36864)
If you have two 3-DNS Controllers or Link Controllers in a redundant configuration and you shut down the principal system (3ndc stop), the standby Link Controller or 3-DNS Controller does not become the principal system.
Load balancing method and fallback mode (CR38163)
When a query does not return a virtual server, the null result causes the load balancing method to fail over to the fallback mode.
Alternate load balancing method (CR38491)
The Explicit IP, None, Return to DNS, and Drop Packet load balancing modes may fail to select a virtual server. If you configure one of these load balancing modes, the virtual server is not selected and the system uses the next specified load balancing mode.
Traps and logging (CR39325)
If you configure the system to send out traps, rapid logging may cause traps and log messages to be dropped. This type of rapid logging may occur when you load a configuration of several hundred nodes. At that time all of the nodes are checked and their status is logged. You can avoid this issue by adjusting the log levels for syslog configuration items. In addition, you may want to edit the /etc/snmptrap.conf files and comment out traps that are unimportant for your configuration.
Concurrently running different versions of 3-DNS Controller causing 3dnsd daemons failure (CR39967)
Concurrently running old versions (4.0x and earlier) of 3-DNS Controller with newer versions (4.1 and later) may cause the 3dnsd daemons on the newer versions to fail. This failure happens only if the big3d daemons running on a shared prober (a BIG-IP system) are the old version (4.0x and earlier).
Note that we do not support concurrently running multiple 3-DNS systems of differing versions, and we highly recommend upgrading to the latest version of the big3d daemon as it becomes available.
Adding new 3-DNS Controllers to an existing Sync group (CR41715)
If you use the 3dns_add script to add a new 3-DNS Controller to a Sync group, the new 3-DNS Controller's named.conf file overwrites the existing Sync group's named.conf file, causing existing DNS services on the 3-DNS system to go down. To prevent the new 3-DNS Controller from overwriting the existing configuration, we recommend that you delete the named.conf file on the new 3-DNS Controller before you run the 3dns_add script. For more information, see Solution 3497 (SOL3497) on the AskF5 website, http://tech.f5.com.
Round trip time and hops no longer work together, nor do UDP and ICMP (CR42529)
The round trip time (RTT) and latency (Hops) Quality of Service (QOS) coefficients no longer work together for QOS probing. If RTT and Hops are configured at the same time, the 3-DNS Controller uses RTT.
For local DNS (LDNS) probing, the 3-DNS Controller does not support using both UDP and ICMP. If you select UDP and ICMP, the 3-DNS Controller removes UDP from the list, and uses ICMP.
Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
Cisco CSS series (formerly ArrowPoint) servers and metrics collection
The 3-DNS Controller cannot collect the packets per second and the kilobytes per second metrics on Cisco CSS series (formerly ArrowPoint) software versions prior to 4.0.
3-DNS Controllers and CD upgrades
When you rebuild a 3-DNS Controller (or a BIG-IP system) using a CD, the SSH key changes. This breaks the trust relationship between the updated 3-DNS Controller and any devices with which it interacts. As a result, synchronization between the systems in the sync group stops, and you cannot update the big3d agent. You can correct this situation by removing the newer SSH key and synchronizing the updated 3-DNS Controller with other 3-DNS Controllers or BIG-IP systems. Refer to the Resetting the SSH key work-around to reset the SSH key and synchronize the systems in your network.
Solstice SNMP agent and metrics collection
The Solstice SNMP agent, which runs on some Sun systems, delays the updating of some metrics for longer than 30 seconds. As a result, in the 3-DNS SNMP Statistics screen the packet rates and kilobytes per second rates can fluctuate from a zero value to a real value. If you are polling Sun Solaris servers in your network, you may want to set the SNMP polling time on the 3-DNS Controller to an interval greater than 60 seconds.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
If you want to configure the 3-DNS Controller to run in bridge mode, you need to do so using a local connection to the 3-DNS Controller. First, you create a VLAN group that includes both the internal and external VLANs. Next, you delete the self IP address for the 3-DNS Controller, and re-assign the IP address to the newly-created VLAN group. Finally, you save the configuration. The following instructions detail how to configure bridge mode.
To configure bridge mode
The 3-DNS Controller saves the changes and you can now use the 3-DNS Controller in bridge mode.
The following instructions describe how to move objects from the default data center to a data center that you create.
To move objects from the data center, Default, to a newly-created data center
If you are upgrading the software on 3-DNS Controllers that are in a sync group, you must remove the controllers from the sync group before you apply the software. This is because the synchronization process cannot synchronize controllers that are running different software versions, including different PTF versions.
Note: You can re-create the sync group once you have upgraded the software for all of the controllers that belong to the sync group.
To remove a controller from a sync group using the Configuration utility
Alternately, you can remove the entire sync group, instead of removing the controllers one at a time.
To remove a sync group using the Configuration utility
The following instructions describe how to reset the SSH key for a system that you have upgraded using a CD.
To reset the SSH key for an updated 3-DNS Controller
Before you can update the original big3d agent for a BIG-IP system, version 3.1, to the current version, you must stop all instances of the agent. Note that you can do this from the command line only.
To stop the big3d agent on the BIG-IP system