Software Release Date: 01/23/2003
Updated Date: 03/05/2007
This product temporary fix (PTF) provides enhancements and fixes for the BIG-IP software, version 4.5. The PTF includes all fixes released since version 4.5, including fixes originally released in prior PTFs, and it is recommended only for those customers who want the enhancements and fixes listed below. You can apply the software upgrade to BIG-IP software, version 4.5 and later. For information about installing the PTF, please refer to the instructions below. If you have the 3-DNS module or Link Controller module installed on the BIG-IP system, refer to the 3-DNS or Link Controller release notes for information on fixes and known issues.
This release supports these platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
The installation method you choose depends upon the platform you are using. Choose the appropriate installation procedure below:
Important: We highly recommend that you apply this PTF to your system if you are currently running version 4.5, 4.5 PTF-01, or 4.5 PTF-02.
Note: If you are upgrading a BIG-IP redundant system, both units must be upgraded. We do not support running different PTF versions on the two units in a BIG-IP redundant system.
To upgrade a server appliance, use the following process.
The BIG-IP system automatically reboots once it completes installation.
To upgrade an IP Application Switch or a CompactFlash® media drive, use the following process.
When the im script is finished, the BIG-IP system reboots automatically.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
HTTP requests through a Layer 7 virtual server with a specific size (CR25868)
We corrected a problem in version 4.5 of the BIG-IP software that could cause the system to become unstable when HTTP requests of certain specific sizes were received through a rule using a Layer 7 variable or through a pool with a Layer 7 attribute.
Layer 7 Checksum Validation
A new global, l7_validate_checksums, is included in this release. We recommend that you do not change the value of this global variable unless you are instructed to do so by a support representative.
UDP checksums and TFTP packets (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.
Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center website. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.
iControl SOAP null nat_addr value for NAT::set_arp used with the iControlPortal (CR24914)
The iControlPortal no longer becomes unstable when it processes an iControl SOAP null nat_addr value for NAT::set_arp.
Zero length IP/UDP packets received by the system when forwarding (CR24931)
Zero length IP/UDP packets received when forwarding is enabled no longer destabilize the system.
Virtual server sending packets when TCP checksum incorrect (CR24983)
Virtual servers no longer send packets when the TCP checksum is incorrect. In order to implement this fix, please contact support.
Mid-stream SSL renegotiations with the SSL proxy (CR24989)
The SSL proxy can now handle mid-stream SSL renegotiations.
SSL proxy sending ACKs to clients with late binding (CR25015)
The SSL proxy now ACKs clients correctly when handling late binding connections.
Connection statistics when you change the configuration under load (CR25044)
On the 2400 platform, the connection statistics are now correct even if you change the configuration under load.
Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.
Dual processor system without a gigabit interface (CR25104)
The BIG-IP 540 platform now supports two processors correctly if there is no gigabit Ethernet interface installed in the platform.
Strict string evaluation for cookie hash persistence (CR25122)
Improved the cookie name lookup and hash mode for cookie hash persistence.
SSL TPS performance with increasing concurrent clients (CR25164)
Optimized the SSL transaction per second (TPS) performance when there is an increasing number of concurrent clients.
SSL proxy forwarding unparsed server response to client (CR25168)
When rewriting of redirects is enabled, the SSL proxy no longer forwards an unparsed server response to the client.
Using a serial terminal as console on certain platforms (CR25183, CR25414, and CR25445)
You can now configure the serial terminal as the console on all platforms.
SNAT current connections after deleting a SNAT and re-adding it to the configuration (CR25198)
The SNAT current connections statistics are now correct after you delete a SNAT and then add it back to the configuration.
Configuring rules using contains against a class (CR25236)
You can now use the contains, starts_with, and ends_with operators to compare class values.
Rolling Upgrade: when licensing in the web-based Configuration utility, peer traffic can halt (CR25239)
Corrected a problem when licensing the standby unit through the web-based Configuration utility that could cause traffic to stop on the active unit.
Instability when using Universal Inspection Engine redirect (CR25358)
The Universal Inspection Engine redirect feature no longer causes instability in the system.
Unit ID with a SNAT translation (CR25372)
You can now include a unit number after the SNAT translation address.
Added support for the 2400 platform
This release includes enhanced support for the F5 Networks 2400 platform.
Viewing licensing error log files from the Configuration utility (CR25055)
You can now view the log files for errors that occur during the licensing process using the Configuration utility. A View Log File button appears on the licensing screen when the licensing process generates errors.
Resets (RSTs) from aging-out connections can have incorrect sequence numbers (CR22219)
Resets (RSTs) from aging-out connections no longer cause some connections to hang due to incorrect sequence numbers for the resets.
CA-2002-31, Multiple Vulnerabilities in BIND (CR25085)
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.
The following items are the known issues identified since the release of BIG-IP software, version 4.5. For a list of the known issues in the 4.5 release, refer to the BIG-IP, version 4.5 Release Notes.
SSH access host restrictions are now configured in /etc/hosts.allow (C95236-2)
In previous versions, /etc/ssh3/sshd2_config and /etc/sshd_config controlled SSH access. This upgrade ignores any SSH access restrictions previously configured in those files and reverts to an SSH access level that allows all hosts to connect. If you require SSH access to be restricted to certain networks or IP addresses, you need to reconfigure these restrictions after the upgrade has completed. To do this, type the following command to start the Setup utility, and then press Enter:
Choose option S (Configure SSH) and set the restrictions you prefer.
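Because the upgrade silently reverts SSH to allow-all, a post-upgrade audit of the tcp_wrappers files is worth automating. The following Python check is an added example, not part of the release note or of F5's Setup utility; it assumes the daemon is named sshd, plain tcp_wrappers syntax in /etc/hosts.allow (optionally with the hosts_options allow/deny keywords) and /etc/hosts.deny, and the file contents in the demo are constructed.

```python
import re


def _split(field):
    # Daemon and client lists are separated by blanks and/or commas.
    return [t for t in re.split(r"[\s,]+", field) if t]


def parse_wrappers(text, source):
    """Parse tcp_wrappers rules of the form "daemons : clients [: option]".
    '#' starts a comment and a trailing backslash continues the rule on the
    next line. Returns (daemons, clients, option, source) tuples."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        rule, logical = (logical + line).strip(), ""
        fields = [f.strip() for f in rule.split(":")]
        if len(fields) >= 2:
            option = fields[2].lower() if len(fields) > 2 else ""
            rules.append((_split(fields[0].lower()), _split(fields[1].upper()), option, source))
    return rules


def ssh_is_restricted(hosts_allow, hosts_deny="", daemon="sshd"):
    """Return (restricted, reason) for one daemon. This summarises the effective
    policy; it does not model tcp_wrappers' first-match ordering or EXCEPT lists."""
    rules = parse_wrappers(hosts_allow, "allow") + parse_wrappers(hosts_deny, "deny")
    mine = [r for r in rules if daemon in r[0] or "all" in r[0]]
    # A rule grants access if it carries an explicit 'allow' option, or sits in
    # hosts.allow without a 'deny' option.
    grants = [c for d, c, opt, src in mine
              if opt == "allow" or (src == "allow" and opt != "deny")]
    deny_all = any(c == ["ALL"] and (opt == "deny" or (src == "deny" and opt != "allow"))
                   for d, c, opt, src in mine)
    if any(c == ["ALL"] for c in grants):
        return False, "an ALL entry grants every host access"
    if not grants:
        if deny_all:
            return True, "no host is granted access at all (locked out)"
        return False, "no entry for the daemon: tcp_wrappers allows everything by default"
    if not deny_all:
        return False, "hosts outside the list still fall through to the default allow"
    return True, "access limited to " + ", ".join(" ".join(c) for c in grants)


if __name__ == "__main__":
    # Constructed sample of a restricted configuration, then the post-upgrade state.
    sample = "sshd: 10.0.0.0/255.255.255.0, \\\n  192.168.1.5 : allow\nsshd: ALL : deny\n"
    print(ssh_is_restricted(sample))
    print(ssh_is_restricted(""))
```

Run it against the real files with `ssh_is_restricted(open("/etc/hosts.allow").read(), open("/etc/hosts.deny").read())` after every upgrade; a False result means the Setup utility restrictions still need to be re-applied.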
The RADIUS port in /etc/services (CR20136)
Previous releases of this software use the RADIUS port 1645 as the default in /etc/services. This release uses the new IANA RADIUS port 1812.
Fan and temperature monitoring with SNMP
SNMP queries for fan speed, CPU temperature, and power supply status are functional for certain platforms. Currently, fan and temperature monitoring is supported only for the following platforms:
On these platforms, periodic monitoring is not enabled by default. You can enable it by uncommenting the line in /config/crontab that runs system_check every two minutes. Note, however, that the system_check script affects performance. Fan and temperature SNMP monitoring is not supported on the following platforms with this version of the BIG-IP software:
Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity™ ASIC does not generate a TCP reset.
Configuring the admin port for node connectivity (CR22599)
We recommend that you do not configure the admin port for node connectivity.
Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.
Changing IP addresses on VLANs does not change the administration web server settings (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.
Platforms using Broadcom 570x controllers (CR24388 and CR25464)
On rare occasions, some platforms using Broadcom 570x controllers may experience short interruptions in network connectivity.
iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET framework's serialization: for nested structures within arrays, the framework cannot handle an empty array represented as a single, self-closing XML element.
For example, this return element does not serialize:
<return type='Array' ArrayType='tns:someType'/>
This return element does serialize:
<return type='Array' ArrayType='tns:someType'></return>
In certain configurations the BIG-IP system does not send gratuitous ARPs (CR24925)
In an active/standby redundant scenario with MAC masquerading and VLAN failsafe configured, when the active unit detects no traffic on the VLAN (such as when the cable is unplugged, or the unit is rebooted) the other unit becomes active. When the unit that was demoted to standby reboots, it does not send a gratuitous ARP. It is possible that a node, such as a management workstation, that has an ARP entry for the standby unit will not be able to connect to the BIG-IP system until the ARP table is refreshed. You can work around this problem by deleting the ARP entry for the standby unit on the node you are using to connect to the BIG-IP system.
Cookie insert overrides direct node selection (CR24957)
In systems with cookie insert and direct node selection configured, the cookie insert feature overrides the direct node selection feature.
Configuring a SNAT map with no virtual servers (CR24959)
On the 2400 platform, only connections that target a virtual server are accelerated by the Packet Velocity ASIC™.
TCP SYN packet to self IP that matches TIME_WAIT connection not handled correctly (CR24993)
If a TCP SYN packet is received for a self IP, and it matches an old connection that is in TIME_WAIT state (same source and destination address and port), the system deletes the old connection and creates a new one.
VLAN-keyed connections on the 2400 platform (CR25046)
With VLAN-keyed connections on the 2400 platform, packet and byte statistics may occasionally not be counted for pools and SNATs.
Invalid OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, has an invalid object identifier (OID) associated with it. Therefore, this trap does not function properly.
HTTP chunking when CRLF straddles boundary (CR25068)
The BIG-IP system incorrectly interprets a carriage-return/line-feed (CRLF) sequence in chunked HTTP traffic when the CR and the LF are split across two packets.
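The correct behaviour is to buffer an incomplete delimiter until the rest of it arrives rather than treating a lone CR or LF at a packet edge as a line end. The decoder below is an added illustration of that handling and is not BIG-IP code; it implements standard RFC 2616 chunked encoding and the packet boundaries in the test are constructed.

```python
class ChunkedDecoder:
    """Incremental HTTP/1.1 chunked-transfer decoder fed one packet at a time.
    An incomplete line, including a CRLF whose CR and LF arrive in different
    packets, stays buffered until the rest arrives."""

    def __init__(self):
        self.buf = b""        # received but not yet consumed
        self.body = b""       # de-chunked payload so far
        self.state = "size"   # size -> data -> crlf -> size ... -> trailer
        self.remaining = 0    # bytes still owed on the current chunk
        self.done = False

    def _line(self):
        # Pop one CRLF-terminated line, or None if its CRLF is not complete yet.
        idx = self.buf.find(b"\r\n")
        if idx < 0:
            return None
        line, self.buf = self.buf[:idx], self.buf[idx + 2:]
        return line

    def feed(self, packet):
        """Consume one packet; return the body decoded so far."""
        self.buf += packet
        while not self.done:
            if self.state == "size":
                line = self._line()
                if line is None:
                    break  # e.g. buffer holds b"5\r": wait for the b"\n"
                size = int(line.split(b";", 1)[0].strip().decode("ascii"), 16)
                self.state, self.remaining = ("trailer", 0) if size == 0 else ("data", size)
            elif self.state == "data":
                take = self.buf[:self.remaining]
                self.body, self.buf = self.body + take, self.buf[len(take):]
                self.remaining -= len(take)
                if self.remaining:
                    break  # chunk body continues in a later packet
                self.state = "crlf"
            elif self.state == "crlf":
                if len(self.buf) < 2:
                    break  # the CRLF after chunk data may itself be split
                if self.buf[:2] != b"\r\n":
                    raise ValueError("chunk data not terminated by CRLF")
                self.buf, self.state = self.buf[2:], "size"
            else:  # trailer section: header lines, ended by an empty line
                line = self._line()
                if line is None:
                    break
                self.done = (line == b"")
        return self.body

def decode_packets(packets):
    """Feed constructed packets in order; return (body, finished)."""
    dec = ChunkedDecoder()
    for packet in packets:
        dec.feed(packet)
    return dec.body, dec.done
```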
Direct node selection fails to fallback to persistence (CR25077)
If you have direct node selection configured and a connection fails, the BIG-IP system does not maintain simple persistence for the connection.
proxyd processes with non-idle connections may never exit (CR25080)
Connections may not be timed out as long as the proxyd continues to receive data within the idle connection timeout, and the server-side connection remains open.
Pool::set_persist_mode() to type_expression (CR25096)
If you call Pool::set_persist_mode() to persist_mode_expression using iControl, and you do not set the persist_expression variable, when a packet comes through that virtual server, the system may become unstable.
An error message may display on shutdown (CR25110)
On switch platforms, an error message may display as the system shuts down when you reboot. You can ignore this warning; the reboot corrects the error condition.
The conn dump verbose command values displayed for packet or byte counts (CR25119)
The command b conn dump verbose may show incorrect values for packet and byte counts.
The tcpdump utility on a switch platform with mirror VLAN and mirror hash enabled (CR25129)
When you use the tcpdump utility to view traffic on a switch platform that has mirror VLAN and mirror hash enabled, the utility does not properly display the traffic.
Single default gateway member is not displayed as a default gateway pool (CR25141)
If you only configure a single default gateway member, that address is configured as the default route. It is not displayed as a default gateway pool.
Spanning Tree Protocol (STP) does not work properly if the BIG-IP Application Switch is the only active STP in the network (CR25162)
If the BIG-IP Application Switch is the only STP-enabled device in the network, parallel ports go to a forwarding state because the switch ignores its returning BPDU frames. This leaves the network open to bridge loops. To avoid this situation, we recommend that you disable STP if you only have one STP-enabled device in your network.
Simple persistence timers and the 2400 platform (CR25182)
Simple persistence timeout global settings function slightly differently on the 2400 platform than on other BIG-IP platforms. With the 2400 platform, the global mode global persist timer timeout causes the persist timer to be updated every 30 seconds when a connection that references the persist entry is still alive. On other platforms, the persist timer is updated with every packet inbound from the client.
HTTP header inserts and proxies (CR25246)
If header insertion is enabled in the proxy, and the proxy receives only the HTTP command as the first SSL record, the proxy assumes that the entire header has been sent, inserts its headers, and terminates the HTTP header block.
E-Commerce Controller and setting port translation option for wildcard ports (CR25336)
On the E-Commerce Controller only, when you configure a virtual server with a wildcard port (*) using the Configuration utility, the default port translation setting is set to enable instead of disable. Note that this does not occur when you use the bigpipe utility. If you want to configure virtual servers with wildcard ports, and you want to disable the port translation, add the virtual server using the following bigpipe command (rather than using the Configuration utility):
bigpipe virtual <ip_address:0> use pool <pool_name>
Harmless startup bigstpd: (pid 169) already running message during configuration (CR25399)
You may see the message startup bigstpd: (pid 169) already running during configuration. This message is harmless.
SNMP: updated the globalAttr* values (CR25429)
This release includes revised globalAttr* values for SNMP. These values include globalAttrOpen3DNSPorts and globalAttrOpenCorbaPorts. For a complete list of the updated descriptions, refer to the MIB.
MAC masquerade addresses and forcing a system to standby (CR25453)
When you purposefully change the state on a BIG-IP unit in a redundant system from active to standby, the first octet of the MAC address (for any self IPs that you have configured) may change to 02. This happens only when your configuration meets all of the following conditions:
Certain SNMP OIDs are only supported by switch platforms (CR25458)
The SNMP OIDs dot1*, dot3*, and limited rmon OIDs are only supported by switch platforms. These platforms include the 1000, 2000, and 5000 series.
bigpipe interface show command returns data for interfaces (CR25470)
The bigpipe interface show command returns data for interfaces that are not passing traffic.
Disabling a virtual server that is under heavy traffic load may fill the /var partition (CR25538)
If you disable a virtual server that is under heavy traffic load, the BIG-IP log may fill the /var partition. To work around this problem, you can configure syslogd to log to a remote system, or you can shut off logging on local0.*. For alternative solutions, contact support.
Memory exhaustion with IP rate filtering or SSL proxy re-encryption (CR25542)
Under certain memory overload conditions, using IP rate filters or SSL proxy re-encryption can cause system instability.
Reboot of standby 2400 unit may cause loss of connectivity on the active unit (CR26078)
In certain cases on the 2400 platform with network failover configured, rebooting the standby unit in an active/standby redundant configuration may cause the active unit to lose existing connections. We recommend that if you require network failover, you configure the admin ports (port number 3.1) for failover.
Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.