- Installing the PTF
- What's fixed in this PTF
- Configuring and using the updated software
- Logging port denials
- Known issues
Installing the PTF
Apply the PTF to BIG/ip Controller version 2.0.4, BIG/ip Controller 2.0.4PTF-01, or BIG/ip Controller 2.0.4PTF-02 using the following process:
- Click here and follow the instructions for using the F5 Networks FTP site.
Use FTP in passive mode from the BIG/ip Controller to download the file. To place FTP in passive mode, type pass from the command line before transferring the file.
- Download the appropriate file to the /var/tmp/ directory on the target BIG/ip Controller:
- For US BIG/ip Controllers, download the v204ptf3domkit.tar file.
- For international BIG/ip Controllers, download the v204ptf3intlkit.tar file.
- Enter the following commands to install this PTF:
tar -xvpf v204ptf3domkit.tar (Domestic HA/HA+ and LB)
tar -xvpf v204ptf3intlkit.tar (International HA/LB)
- Run the following commands:
- Follow the on-screen instructions.
The install script backs up a copy of rc.sysctl and snmpd.conf from the /etc directory to /var/save before making any modifications to them.
The checksums for this PTF are available in a file called sums, which can be downloaded from the FTP site.
Once you have installed the PTF software, please refer to the Configuring and using the updated software section below.
What's fixed in this PTF
The current PTF-03 includes the following fixes, and also includes fixes originally released in 2.0.4PTF-01 and 2.0.4PTF-02 as described below.
- Fix 2379: Tcpdump problem
Corrected a serious problem with running tcpdump on a BIG/ip Controller upgraded to version 2.0.4 PTF-02.
- Fix 2408: Bigsnmpd fails when attempting to walk the ISO and .1.3.6.1.4.1.3375 OIDs
Fixed a problem that would cause bigsnmpd to time out when attempting to walk the MIBs provided for the BIG/ip Controller.
- Fix 3087: Hard setting speed and duplex not working with 82259 Intel NIC
The speed and duplex settings on the 82259 version of the Intel NIC can now be manually configured. Previously, the speed and duplex settings could only be configured by auto-negotiation.
Fixes released in prior PTFs
BIG/ip Controller version 2.0.4PTF-02
- Fix 2253: NICs appear to timeout and not let any more traffic through the BIG/ip Controller
Fixes problems that could cause a timeout error from a network card in some heavily loaded situations.
- Fix 2204: Watchdog Card inoperable with FDDI NICs.
Previously, a problem occurred when attempting to halt or reboot a BIG/ip Controller with multiple FDDI interface cards installed. The watchdog mechanism was hard-rebooting the controller before the halt or soft reboot was completed.
BIG/ip Controller version 2.0.4PTF-01
- Fix 766: ECV default send string was "GET /".
Previously, if you did not specify a send string for ECV, the default send string "GET /" was used. Now, when no send string is specified, no send string will be sent. For details, see Known Issues.
- Fix 1818: bigtop was not showing VIPs or nodes.
The BIG/ip Controller now supports TELNET clients that do not support RFC 1073 (window size negotiation) by defaulting to 24 lines by 80 columns.
- Fix 1882: Unable to mount /dev/fd0 when memory is more than 512MB.
We have corrected the problem with mounting a floppy drive on systems with more than 512MB of memory.
- Fix 2144: Suppress the CMOS drive warning message at bootup.
An unnecessary warning message was removed from the startup sequence.
- Fix 2170: Add a switch to disable logging that is vulnerable to DoS (Denial-of-Service) attacks.
We have created a new system control variable, bigip.verbose_log_level, that allows customers to turn on logging of port denials when desired. This reverses the previous default of logging all messages. For details, see Logging port denials.
- Fix 2171: bigdnode should look up host names when logging.
Log messages that are related to service checking will now include host names.
- Fix 2181: Request to provide the ability to configure an alternate port for sending traps.
BIG/ip now supports sending traps to different ports (other than port 162). Users can configure the port to which they send the authentication, cold start, and syslog-generated traps.
- Fix 2182: Variable Bindings (association between nodes and services) are needed for certain traps.
The BIG/ip Controller SNMP trap mechanism now supports variable bindings for the SNMP management applications that can distinguish between traps sent on the same OID to avoid writing over previously sent traps.
- Fix 2183: Modify SNMP so that it distinguishes between reset and reboot, and sends a different trap for each.
The BIG/ip Controller now sends different traps depending on whether the entire system was restarted or the configuration has been reloaded.
- Fix 2187: GNIC-II was dropping gratuitous ARP broadcasts.
If the BIG/ip Controller has GNIC cards, it now sends out ARP packets appropriately upon fail-over.
Configuring and using the updated software
There are no configuration changes required for this PTF.
Logging port denials
A customer raised the concern that a Denial-of-Service attack could affect the BIG/ip Controller by causing it to log Port Denial messages constantly. A new system control variable was created to allow customers to turn on logging of port denials when desired. This variable reverses the way that logging of port denials works, changing the default from logging to no logging. This variable is bigip.verbose_log_level.
The variable defaults to zero, specifying no logging. Add any of the following values to affect logging:
| Command | Effect |
|---|---|
| sysctl -w bigip.verbose_log_level=0 | No logging (default). |
| sysctl -w bigip.verbose_log_level=1 | Log UDP port denials (to BIG/ip address). |
| sysctl -w bigip.verbose_log_level=2 | Log TCP port denials (to BIG/ip address). |
| sysctl -w bigip.verbose_log_level=4 | Log UDP port denials (to VIP address). |
| sysctl -w bigip.verbose_log_level=8 | Log TCP port denials (to VIP address). |
| sysctl -w bigip.verbose_log_level=15 | Log all of the above. |
In order to set the logging function permanently to other than the default setting, you must set that variable in the system control file.
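The values above are bit flags, so any subset can be combined into one setting. The following sh functions are an added example, not part of the F5 release notes: they build a bigip.verbose_log_level value from the categories you want logged and decode an existing value for review. The category names (udp-bigip, tcp-bigip, udp-vip, tcp-vip) and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compose and decode bigip.verbose_log_level bit flags.
# Bit meanings come from the table above; all names here are hypothetical.

# compose_level CATEGORY... -> prints the numeric value for those categories
compose_level() {
    level=0
    for name in "$@"; do
        case "$name" in
            udp-bigip) bit=1 ;;
            tcp-bigip) bit=2 ;;
            udp-vip)   bit=4 ;;
            tcp-vip)   bit=8 ;;
            *) echo "unknown category: $name" >&2; return 1 ;;
        esac
        # OR rather than add, so a repeated category is not counted twice
        level=$(( level | bit ))
    done
    echo "$level"
}

# decode_level VALUE -> prints the enabled categories, space separated
decode_level() {
    case "$1" in
        # reject empty input, non-digits, and leading zeros (octal in sh arithmetic)
        ''|*[!0-9]*|0?*) echo "not a plain decimal integer: $1" >&2; return 1 ;;
    esac
    if [ "$1" -gt 15 ]; then
        echo "value $1 sets bits outside the documented range 0-15" >&2
        return 1
    fi
    out=""
    [ $(( $1 & 1 )) -ne 0 ] && out="$out udp-bigip"
    [ $(( $1 & 2 )) -ne 0 ] && out="$out tcp-bigip"
    [ $(( $1 & 4 )) -ne 0 ] && out="$out udp-vip"
    [ $(( $1 & 8 )) -ne 0 ] && out="$out tcp-vip"
    [ -z "$out" ] && out=" none"
    echo "${out# }"
}

# Example: log only denials aimed at VIP addresses, then print the command to run.
echo "sysctl -w bigip.verbose_log_level=$(compose_level udp-vip tcp-vip)"
```
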
Known issues
ECV null send string is not supported in the F5 Configuration utility
Fix 766 is not currently supported in the F5 Configuration utility. If you set up ECV in the F5 Configuration utility and leave the send string blank (null), the default send string that is issued is GET /. The F5 Configuration utility does not allow the send string to be null. If you require a null in the send string, you should set this up by manually editing the /etc/bigd.conf file.
If you have ECV set up to use a null send string, and you make changes in the Global Node Port Properties screen or Node Properties screen and then click Apply, the utility updates the ECV service check and generates a GET / in the send string.