- Installing the PTF
- What's fixed in this PTF
- Configuring and using the updated software
- Logging port denials
- Known issues
Installing the PTF
You can apply this release to version 2.0.4.
Use the following process to install the software:
- Click here and follow the instructions for using the F5 Networks FTP site.
- Download the v204ptf2domkit.tar file to the /var/tmp/ directory on the target BIG/ip Controller system.
International customers need to use FTP in passive mode from the BIG/ip Controller to download the v204ptf2intlkit.tar file. To place FTP in passive mode, type pass from the command line before transferring the file.
- Enter the following commands to install this PTF:
tar -xvpf v204ptf2domkit.tar (Domestic HA/HA+ and LB)
tar -xvpf v204ptf2intlkit.tar (International HA/LB)
- Run the following commands:
- Follow the on-screen instructions.
The install script will back up a copy of rc.sysctl and snmpd.conf from the /etc directory to /var/save before making any modifications to them.
The checksums for this PTF are available in a file called sums, which can be downloaded from the FTP site.
Once you have installed the PTF software, please refer to the Configuring and using the updated software section below.
What's fixed in this PTF
The BIG/ip Controller version 2.0.4PTF-02 provides fixes for the following issues.
- Fix 2253: NICs appear to timeout and not let any more traffic through the BIG/ip Controller.
Fixes problems that could cause a timeout error from a network card in some heavily loaded situations.
- Fix 2204: Watchdog Card inoperable with FDDI NICs.
Previously, a problem occurred when attempting to halt or reboot a BIG/ip Controller with multiple FDDI interface cards installed. The watchdog mechanism was hard-rebooting the controller before the halt or soft reboot was completed.
Fixes released in prior PTFs
BIG/ip Controller version 2.0.4PTF-01
- Fix 766: ECV default send string was "GET /".
Previously, if you did not specify a send string for ECV, the default send string "GET /" was used. Now, when no send string is specified, no send string will be sent. For details, see Known Issues.
- Fix 1818: bigtop was not showing VIPs or nodes.
The BIG/ip Controller now supports TELNET clients that do not support RFC 1073 (window size negotiation) by defaulting to 24 lines by 80 columns.
- Fix 1882: Unable to mount /dev/fd0 when memory is more than 512MB.
We have corrected the problem with mounting a floppy drive with over 512MB of memory.
- Fix 2144: Suppress the CMOS drive warning message at bootup.
An unnecessary warning message was removed from the startup sequence.
- Fix 2170: Add a switch to disable logging that is vulnerable to DoS (Denial-of-Service) attacks.
We have created a new system control variable, bigip.verbose_log_level, that allows customers to turn on logging of port denials when desired. This reverses the previous default of logging all messages. For details, see Logging port denials.
- Fix 2171: bigdnode should look up host names when logging.
Log messages that are related to service checking will now include host names.
- Fix 2181: Request to provide the ability to configure an alternate port for sending traps.
BIG/ip Controller now supports sending traps to different ports (other than port 162). Users can configure the port to which they send the authentication, cold start, and syslog-generated traps.
- Fix 2182: Variable Bindings (association between nodes and services) are needed for certain traps.
The BIG/ip Controller SNMP trap mechanism now supports variable bindings for the SNMP management applications that can distinguish between traps sent on the same OID to avoid writing over previously sent traps.
- Fix 2183: Modify SNMP so that it distinguishes between reset and reboot, and sends a different trap for each.
The BIG/ip Controller now sends different traps depending on whether the entire system was restarted or the configuration has been reloaded.
- Fix 2187: GNIC-II was dropping gratuitous ARP broadcasts.
If the BIG/ip Controller has GNIC cards, it now sends out ARP packets appropriately upon fail-over.
Configuring and using the updated software
There are no configuration changes required for this PTF.
Logging port denials
A customer is concerned that a Denial-of-Service attack could affect the BIG/ip Controller by causing it to log Port Denial messages constantly. A new system control variable was created to allow customers to turn on logging of port denials when desired. This variable reverses the way that logging of port denials works, changing the default from logging to no logging. This variable is bigip.verbose_log_level.
The variable defaults to zero, specifying no logging. Add any of the following values to affect logging:

| Command | Effect |
|---|---|
| sysctl -w bigip.verbose_log_level=0 | No logging (default). |
| sysctl -w bigip.verbose_log_level=1 | Log UDP port denials (to BIG/ip address). |
| sysctl -w bigip.verbose_log_level=2 | Log TCP port denials (to BIG/ip address). |
| sysctl -w bigip.verbose_log_level=4 | Log UDP port denials (to VIP address). |
| sysctl -w bigip.verbose_log_level=8 | Log TCP port denials (to VIP address). |
| sysctl -w bigip.verbose_log_level=15 | Log all of the above. |
In order to set the logging function permanently to other than the default setting, you must set that variable in the system control file.
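The values in the table are bit flags, so any combination can be enabled by adding them. The following helper is an added example, not part of the PTF or of F5's software; it composes and decodes a level and prints the matching sysctl command without running it. The category names (udp-self, tcp-self, udp-vip, tcp-vip) are labels invented for this sketch.

```shell
#!/bin/sh
# Added example: compose and decode bigip.verbose_log_level bit flags.
# Category names are hypothetical labels; only the numeric values
# (1, 2, 4, 8) come from the table above.

# Print the level that enables the named categories.
log_level_for() {
    level=0
    for name in "$@"; do
        case "$name" in
            udp-self) bit=1 ;;   # UDP port denials to the BIG/ip address
            tcp-self) bit=2 ;;   # TCP port denials to the BIG/ip address
            udp-vip)  bit=4 ;;   # UDP port denials to a VIP address
            tcp-vip)  bit=8 ;;   # TCP port denials to a VIP address
            *) echo "unknown category: $name" >&2; return 1 ;;
        esac
        level=$(( level | bit ))   # OR, so repeating a name is harmless
    done
    echo "$level"
}

# Print the categories a given level logs, one per line ("none" for 0).
describe_log_level() {
    case "$1" in
        # Reject empty input, non-digits, and leading zeros (octal in $(( ))).
        ''|*[!0-9]*|0?*) echo "not a valid level: $1" >&2; return 1 ;;
    esac
    [ "$1" -le 15 ] || { echo "out of range (0-15): $1" >&2; return 1; }
    [ "$1" -eq 0 ] && { echo "none"; return 0; }
    [ $(( $1 & 1 )) -ne 0 ] && echo "udp-self"
    [ $(( $1 & 2 )) -ne 0 ] && echo "tcp-self"
    [ $(( $1 & 4 )) -ne 0 ] && echo "udp-vip"
    [ $(( $1 & 8 )) -ne 0 ] && echo "tcp-vip"
    return 0
}

# Print (do not run) the sysctl command for the chosen categories.
sysctl_command_for() {
    level=$(log_level_for "$@") || return 1
    echo "sysctl -w bigip.verbose_log_level=$level"
}

# Log TCP denials only, to both the BIG/ip address and the VIPs.
sysctl_command_for tcp-self tcp-vip
# Show what the "log all" value from the table enables.
describe_log_level 15
```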
Known issues
A serious problem has been found with running tcpdump on this PTF version of the BIG/ip Controller. The problem has been isolated and will be fixed soon in an upcoming patch.
ECV null send string is not supported in the F5 Configuration utility
Fix 766 is not currently supported in the F5 Configuration utility. If you set up ECV in the F5 Configuration utility and leave the send string blank (null), the default send string that is issued is GET /. The F5 Configuration utility does not allow the send string to be null. If you require a null in the send string, you should set this up by manually editing the /etc/bigd.conf file.
If you have this set up to use null in the send string, and then use the Global Node Port Properties screen or the Node Properties screen to change any option on this screen (or if you just hit the Apply button), it updates the ECV service check, and will then generate a GET / in the send string.