Original Publication Date: 10/01/2001
This product temporary fix (PTF) provides fixes for BIG-IP Controller, version 4.0, and it is recommended only for those customers who want the enhancements and fixes listed below. The PTF includes all fixes released since version 4.0, including fixes originally released in prior PTFs.
Note: If you have an unconfigured BIG-IP Controller version 4.0, install the PTF before you configure the controller.
Apply the PTF to BIG-IP, version 4.0 using the following process. The install script saves your current configuration.
Use FTP in passive mode from the BIG-IP Controller to download the file. To place FTP in passive mode, type pass from the command line before transferring the file.
After you install the PTF, please refer to Configuring and using the updated software.
BIG-IP is now stable under load (CR15119)
The BIG-IP is now stable under load. You no longer see the following error message: t_kill: connection node is NOT in bigip_table!
Telnetd security (CR15803)
Updated telnetd to improve security (CERT CA-2001-21).
Suppressed benign message (CR16703)
Suppressed benign message: parse_http: ignoring unexpected client data
SSL virtual servers (CR16593)
Using SSL connection mirroring and SSL persistence mirroring on virtual servers no longer causes the BIG-IP to become unstable.
Malformed packet instability (CR15940 and CR16336)
Malformed packets no longer cause the BIG-IP to become unstable.
L2 forwarding (CR15346)
Standby system in an L2 forwarding configuration no longer logs spurious ARP overwrite messages.
SNAT timeout (CR15629)
SNATs with virtual servers defined now time out connections properly.
VLANs and multicast packets (CR15737)
VLANs now accept multicast packets properly.
GateD and address or routing changes (CR15738)
GateD now applies address and routing changes correctly to VLANs.
FTP connection tracking ephemeral ports (CR15893)
Enhanced the tracking of FTP data connections on ephemeral ports.
Auto lasthop feature and active FTP (CR15911)
Auto lasthop now properly handles active FTP data connections.
Node/member without route (CR15975)
You now receive a warning when you attempt to add a member to a pool that does not have a route.
HTTP redirect (CR16012)
Added the ability to specify a protocol identifier for the HTTP redirect feature. For more information, see Configurable protocol identifier for HTTP redirection.
SNMP node statistics (CR16107)
Made node statistics available through SNMP.
Setting ARP disable (CR16171)
Disabling ARP on a network virtual server no longer destabilizes the BIG-IP.
Automap with SSL proxy (CR16312)
SNAT automap now works properly with the SSL proxy.
Network and wildcard virtual servers (CR16364)
You can now disable network and wildcard virtual servers on a VLAN.
Intermittent throughput with SSL/akamaizer gateway (CR16493)
You no longer have intermittent throughput with the SSL/akamaizer gateway.
FIN-PUSH on small responses (CR16646)
The FIN-PUSH for small responses is now propagated properly when you are using rules and cookie persistence.
memberStatus reports incorrectly (SNMP) (CR15885)
The memberStatus now reports member status correctly.
System information report (iControl) (CR15913)
System information is now reported properly through iControl IDL.
Interfaces get_version (iControl) (CR16360)
The interfaces get_version IDL now properly reports the iControl version.
Using b load under heavy traffic
You can now use the b load command while passing traffic. (CR15288)
Using simple persistence with any IP or UDP no longer causes the BIG-IP Controller to become unstable. (CR15404)
You now configure FTP and telnet support access with two separate check boxes in the web-based First-Time Boot utility. For more information, see Changes to support access configuration in the web-based First-Time Boot utility. (CR15057)
Using the web-based First-Time Boot utility now correctly sets the XLB version of the product. (CR15232)
NIC media types
Using the web-based First-Time Boot utility now correctly sets the media type for NICs. (CR15247)
You no longer see the following spurious error message during bigstart boot up.
bigstart: startup portal
bigstart: kill portal 10 seconds expired
If a solid state drive is detected, the installation process does not allow you to install the standard PTF. Please contact F5 Services to get the upgrade for SSD. (CR15402)
Improved the performance of the f5isapi.dll. (CR15465)
VLAN naming has been adjusted to accommodate multiple interface network cards. (CR15474)
bigpipe now permits you to save very large configuration files. (CR15477)
You no longer need to re-enter certificate information when you re-run the web-based First-Time Boot utility. (CR15056)
VLANs and VLAN groups
You can no longer delete a VLAN that is a member of a VLAN group. (CR15283)
You can now delete static routes manually once the controller is up and running. (CR15373)
Auto lasthop for non-TCP traffic on a firewall sandwich no longer leads to routing loops. (CR15088)
Configuration synchronization and IP addresses
Configuration synchronization is no longer dependent on a peer IP address and its hostname IP address. (CR15017)
Configuration synchronization and uptime
Configuration synchronization no longer fails after a week of uptime. (CR15383)
First-Time Boot utility (web-based)
The Properties page for VLANs in the web-based First-Time Boot utility now displays correctly in Internet Explorer version 4.0. (CR15052)
The gigabit NIC now functions with older systems (for example, Pentium II). (CR14994)
Layer 2 forwarding
Layer 2 forwarding can now forward packets to off-interface hosts. (CR15313)
Lasthop routes and the ipforward cached route
The timing issue that was affecting lasthop routes and the ipforward cached route is now fixed. (CR14012)
Existing monitors are now retained when a "Monitor instance already exists" error occurs. (CR14908)
A virtual server with a wildcard service and an HTTP pool with port translation is now enabled. (CR14922)
VLANs (maximum number)
The maximum number of VLANs allowed is now 256. (CR14798)
An error no longer appears when you rename a VLAN from the Configuration utility. (CR15053)
Web administrator user account
The default web administrator user account is no longer left available after configuration when using the web-based First-Time Boot Utility. (CR15054)
This section contains descriptions of new features and enhancements added with this release.
This release includes support for new syntax that allows you to configure a protocol identifier for the HTTP redirection feature. For example, if you want to specify an HTTPS site for www.yoursite.com, you would type fallback https://www.yoursite.com instead of the standard fallback syntax in the bigip.conf.
The following example defaults to redirect to an HTTP URL:
The following example overrides the protocol identifier with an HTTPS prefix:
The following example overrides the protocol identifier with an FTP prefix:
Use the following command to get a list of appropriate media types for an interface.
ifconfig -m <interface name>
Tips on setting the preferred controller in redundant BIG-IP Controller installations
If you are using the force_master flag to set a specific controller to be the preferred active unit, we recommend that you set the force_slave flag on the controller that you want to run primarily as a secondary controller. The force_slave flag must be set if you are using network fail-over. For more information about these flags, see the BIG-IP Reference Guide, v.4.0, Setting a specific controller to be the preferred active unit. (CR12279)
The following items are known issues in the current release.
SSL proxy header insertion with SEARCH method
Recent changes to the SSL Proxy HTTP header insertion mechanism require client requests to begin with one of GET, POST, or HEAD; if the client request does not begin with one of these methods, HTTP headers are not inserted by the proxy. Certain versions of Internet Explorer send the non-standard SEARCH method while communicating with Outlook Web Access. This results in browser warnings regarding mixed secure and insecure content. Other applications may be affected by this issue.
In future releases BIG-IP will support inserting HTTP headers in client requests with methods specified in RFC 2616, as well as SEARCH and any other non-standard methods of which we become aware.
For users of the combined BIG-IP Controller and 3-DNS Controller, if you add more than one interface IP address to IIOP HOST (no-crypto) or FSSL HOST (crypto) on the BIG-IP Controller, 3dnsd may become unstable. (CR15392)
VLAN and interface assignments
When you install the BIG-IP Controller from scratch, the default VLAN and interface assignments may not match what the web-based or command line First-Time Boot utility has as the assignments. Once you configure the BIG-IP Controller, the assignments will be correct. (CR15080)
Using the WMI ISAPI Data Gathering agent with the winmgmt service
In order to work around certain functions in the winmgmt service, the WMI ISAPI Data Gathering agent automatically restarts the winmgmt service every hour. You can customize this restart interval by editing the registry using the following steps:
Using NAT or SNAT with layer 2 forwarding
The layer 2 forwarding feature is not compatible for use with NATs or SNATs. (CR15342)
The OTCU does not migrate customizations to /etc/netstart
The OTCU does not migrate static route customizations to /etc/netstart. After you run the OTCU, you should add static route commands into /config/routes. (CR15528)
Web administrator password cannot contain a dollar sign ($)
The Web administrator password cannot contain a dollar sign ($). (CR15526)
Installing this release on an unsupported BIG-IP Controller platform
Do not install this release on an unsupported BIG-IP Controller platform. Installing this software on an unsupported platform may prevent the controller from booting up properly. (CR N/A)
cron jobs and sendmail configurations
After BIG-IP version 4.0 PTF-03 is installed, symbolic links in /config erroneously point to themselves. This prevents /config/weekly cron jobs and sendmail configurations from running successfully. If you see this error, either call F5 Networks Technical Support or install BIG-IP version 4.0 PTF-04 when it becomes available.
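A check for the condition described above, as an added example that is not F5's tooling: it lists symbolic links under a directory whose target is the link itself. It assumes readlink(1) is available on the system; the function name find_self_links is hypothetical.

```shell
#!/bin/sh
# Added example: report symlinks that point back at themselves.
# Only the /config path comes from the release note; the function name and
# the reliance on readlink(1) are assumptions of this sketch.
# Scope: detects a link whose target is itself, not longer cycles (a -> b -> a).

find_self_links() {
    dir=$1
    # -type l matches the links themselves, never what they point to.
    find "$dir" -type l -print | while IFS= read -r link; do
        target=$(readlink "$link") || continue
        case $target in
            /*) resolved=$target ;;                     # absolute target
            *)  resolved=$(dirname "$link")/$target ;;  # relative to the link's directory
        esac
        # Compare physical parent directory plus base name, so that
        # "name", "./name" and "../dir/name" are all recognised as the same path.
        ldir=$(cd "$(dirname "$link")" 2>/dev/null && pwd -P) || continue
        rdir=$(cd "$(dirname "$resolved")" 2>/dev/null && pwd -P) || continue
        if [ "$ldir/$(basename "$link")" = "$rdir/$(basename "$resolved")" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# Run only when a directory is given, for example: sh check_links.sh /config
if [ $# -gt 0 ]; then
    find_self_links "$1"
fi
```

Any path it prints is a link that can never resolve, which is the state that stops the /config/weekly cron jobs and sendmail configurations from running.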
Changes to support access configuration in the web-based First-Time Boot utility
The functionality of the web-based First-Time Boot utility now matches the command line version of the First-Time Boot utility. In the crypto controller, the controls to allow support access via telnet and FTP have been removed from the web-based First-Time Boot utility.
In the non-crypto version of the software, the checkbox to allow the support account FTP and telnet access to the controller has been split into two separate check boxes. If you had previously configured a telnet or FTP support account on the BIG-IP Controller, you should verify the support logon is functional after the upgrade. If you change these settings at a later date, use the same configuration tool you used when you set them.