
Archived Release Note: BIG-IP, version 4.5 PTF-04
Release Note

Software Release Date: 04/29/2003
Updated Date: 03/05/2007

This article has been archived, and is no longer maintained.

Summary:

This product temporary fix (PTF) provides enhancements and fixes for the BIG-IP software, version 4.5. The PTF includes all fixes released since version 4.5, including fixes originally released in prior PTFs, and it is recommended only for those customers who want the enhancements and fixes listed below. You can apply the software upgrade to BIG-IP software, version 4.5 and later. For information about installing the PTF, please refer to the instructions below. If you have the 3-DNS module or Link Controller module installed on the BIG-IP system, refer to the 3-DNS or Link Controller release notes for information on fixes and known issues.

Contents:

- Supported platforms
- Configuring OCSP support
- Understanding the system_check script
- Configuring SYN Check
- New format for the SSLClientCertSerialNumber header
- Script to set up core capture
- SSL Proxy caches server-side SSL sessions per IP address
- Kernel selection for SSL proxy performance increase
- Enhancements and fixes released in prior PTFs

Minimum system requirements

This section describes the minimum system requirements for this release.

  • Intel® Pentium® III 550MHz processor
  • 256MB disk drive or CompactFlash® card (if you have the 3-DNS module, you need a 512MB disk drive or CompactFlash® card)
  • 256MB RAM
  • Supported browsers: Microsoft® Internet Explorer 5.0 or 5.5; Netscape® Navigator 4.7x


Note: The IM package for this PTF is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this PTF.


Supported platforms

This release supports these platforms:

  • F35
  • D25
  • D30
  • D35 (BIG-IP 520 and 540)
  • D39 (BIG-IP 1000)
  • D44 (BIG-IP 2400)
  • D45 (BIG-IP 2000)
  • D50 (BIG-IP 5000)
  • D51 (BIG-IP 5100 and 5110)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.


Installing the PTF

Important:  If you are upgrading a BIG-IP redundant system, both units must be upgraded. We do not support running different PTF versions on a BIG-IP redundant system.

Important:  If you are upgrading an IP Application Switch or a BIG-IP system that uses a CompactFlash® media drive, use the second installation procedure below (the one that creates a memory file system on /mnt).

Important:  You must complete the authorization and licensing process before you run the configuration utility to configure the unit. If you do not obtain a license before you run the configuration utility, the system may behave in an unexpected manner.

Apply the PTF to the BIG-IP software, version 4.5 using the following process.  The install script saves your current configuration.

  1. Connect to the F5 Networks FTP site (ftp.f5.com).

  2. Use FTP in passive mode from the BIG-IP unit to download the file.  To place FTP in passive mode, type pass at the command line before transferring the file. 

  3. Download the PTF file BIGIP_4.5PTF-04.im to the /var/tmp/ directory on the target BIG-IP unit.

  4. Change your directory to /var/tmp/ by typing:
    cd /var/tmp/

  5. To install this PTF, type the following command:
    im BIGIP_4.5PTF-04.im

    The BIG-IP system automatically reboots once it completes installation.


To upgrade an IP Application Switch or a CompactFlash® media drive, use the following process.

  1. Create a memory file system, by typing the following:
    mount_mfs -s 200000 /mnt

  2. Type the following command:
    cd /mnt

  3. Connect to the FTP site (ftp.f5.com).

  4. Download the PTF file BIGIP_4.5PTF-04.im from the /crypto/bigip/ptfs/bigip45ptf4/ directory.

  5. On the BIG-IP unit, run the im upgrade script, using the file name from the previous step as an argument:
    im /mnt/<file name>

    When the im script is finished, the BIG-IP system reboots automatically.

Note:  This procedure provides over 90MB of temporary space on /mnt.  The partition and the im package file are deleted upon rebooting.


Software enhancements and fixes

The following enhancements are included with this release. Because this PTF release contains many new features, we have created an additional BIG-IP New Features Guide for version 4.5 PTF-04. Each feature in the following section that is described in detail in that guide refers you to it.

Configuring OCSP support

A significant feature in this release is support for the Online Certificate Status Protocol (OCSP). OCSP provides an alternative to a certificate revocation list (CRL), which is used during certificate verification to determine whether an SSL certificate presented by a client has been revoked. Because CRLs are updated only at regular intervals, the information in a CRL can sometimes be outdated at the time that it is checked. Using OCSP instead of a CRL eliminates this problem by ensuring that the revocation status of a client certificate is always current. For more information about configuring OCSP, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

Understanding the system_check script

The system_check script is useful for displaying and logging hardware failures. For more information about the system_check script, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

Configuring SYN Check

The new SYN Check™ feature mitigates a particular type of denial-of-service attack known as a SYN flood. A SYN flood is an attack against a system for the purpose of exhausting that system's resources (in particular, the memory held for half-open connections). For more information about configuring the SYN Check feature, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.
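
The release note does not describe how SYN Check works internally. The following added example (not F5 code) shows the standard SYN-cookie technique for surviving a SYN flood: the listener encodes everything it needs into the SYN-ACK sequence number (a coarse time counter plus a keyed MAC over the 4-tuple and the client's ISN), keeps no half-open state at all, and validates the final ACK by recomputing the cookie. The secret, addresses, ports, and the `Listener` model are constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo secret; a real implementation rotates it periodically.
SECRET = b"constructed-demo-secret"
COUNTER_BITS = 5                      # top bits of the cookie: coarse time counter
MAC_BITS = 32 - COUNTER_BITS          # remaining bits: truncated MAC
MAC_MASK = (1 << MAC_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def _mac(flow, client_isn, counter):
    """Truncated HMAC over the 4-tuple, the client's ISN and the time counter."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = struct.pack("!4sH4sHII",
                      socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port,
                      client_isn, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(flow, client_isn, counter):
    """Server ISN for the SYN-ACK: all connection state lives in this value."""
    return ((counter & COUNTER_MASK) << MAC_BITS) | _mac(flow, client_isn, counter)


def check_cookie(flow, seq, ack, now_counter, max_age=1):
    """Validate the final ACK of the handshake without any stored state.

    The client acknowledges our ISN + 1 and sends its own ISN + 1, so both
    inputs to the cookie can be recovered from the ACK segment itself.
    Cookies older than max_age counter ticks are rejected (replay window).
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    for age in range(max_age + 1):
        counter = now_counter - age
        if counter < 0:
            break
        if (counter & COUNTER_MASK) != cookie >> MAC_BITS:
            continue
        expected = make_cookie(flow, client_isn, counter)
        if hmac.compare_digest(expected.to_bytes(4, "big"),
                               cookie.to_bytes(4, "big")):
            return True
    return False


class Listener:
    """Minimal model of a listener in SYN-cookie mode: there is no half-open queue."""

    def __init__(self):
        self.established = []     # only completed handshakes consume memory

    def on_syn(self, flow, client_isn, counter):
        # Reply with a SYN-ACK whose ISN is the cookie; nothing is remembered.
        return make_cookie(flow, client_isn, counter)

    def on_ack(self, flow, seq, ack, counter):
        if check_cookie(flow, seq, ack, counter):
            self.established.append(flow)
            return True
        return False


def demo():
    lst = Listener()
    # Constructed flood: 10,000 SYNs from spoofed sources that never complete
    # the handshake. The listener keeps no per-SYN state, so memory stays flat.
    for i in range(10_000):
        spoofed = ("10.%d.%d.%d" % (i >> 16 & 255, i >> 8 & 255, i & 255),
                   40000 + (i % 1000), "192.0.2.10", 443)
        lst.on_syn(spoofed, i * 7919, counter=7)
    after_flood = len(lst.established)            # 0: nothing was queued

    # A legitimate client completes the handshake inside the validity window.
    flow = ("198.51.100.23", 51515, "192.0.2.10", 443)
    client_isn = 0x11223344
    syn_ack_isn = lst.on_syn(flow, client_isn, counter=7)
    legit = lst.on_ack(flow, client_isn + 1, syn_ack_isn + 1, counter=7)

    # A corrupted or forged ACK (wrong acknowledgement number) is rejected.
    forged = lst.on_ack(flow, client_isn + 1, syn_ack_isn + 2, counter=7)
    # A valid ACK that arrives after the window closed is rejected as well.
    stale = lst.on_ack(flow, client_isn + 1, syn_ack_isn + 1, counter=9)
    return {"after_flood": after_flood, "legit": legit,
            "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The trade-off the model makes visible: because no state is kept, TCP options carried only in the SYN (window scaling, SACK) cannot be recovered on the ACK unless they are folded into the cookie, which is why real implementations usually switch to cookies only once the half-open queue is under pressure.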

New format for the SSLClientCertSerialNumber header

We have made an enhancement to the SSL Accelerator proxy. This change to the SSLClientCertSerialNumber header gives users who write rules based on certificate serial numbers a consistent format to write against, regardless of the length of the serial number. For more information about this new format, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

Script to set up core capture

We have added a new script to automate core capturing on a BIG-IP system. The script runs automatically after you install this PTF and reboot the system, if the system has a hard drive. It provides functionality to enable and disable core capture.

After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.

You can disable this functionality with the following command:
config_savecore -disable

You can re-enable the functionality with the following command:
config_savecore -enable

Important: As long as this functionality is enabled, you see the message "savecore: no core dump" at boot time.

SSL Proxy caches server-side SSL sessions per IP address

We have added a new global variable that controls whether the SSL proxy reuses server-side SSL session IDs across client IP addresses. If you want the SSL proxy to attempt to reuse the same session ID regardless of the client (source) IP address, leave the variable at its default setting, disable. To set the variable to disable, type the following command:
global sslproxy serverssl cache per client addr disable

When the variable is set to enable, the SSL proxy attempts to reuse a session ID only when the client (source) address is the same as it was in the original session with that ID. If you want the SSL proxy to reuse sessions this way, type the following command:
global sslproxy serverssl cache per client addr enable

Kernel selection for SSL proxy performance increase

In previous releases, two-processor appliances had one processor dedicated to network I/O and one processor dedicated to other system processes that perform functions like handling SSL traffic. In certain cases, you can switch to SMP mode and have both processors dedicated to processing SSL traffic. You can achieve a performance gain in SSL processing by using SMP mode, but only if your configuration meets the following requirements:

  • The system is a Dual CPU platform
  • The system is for processing SSL only
  • The system is not handling significant quantities of L2 or L4 traffic
  • You want an increase in the SSL proxy performance

If your BIG-IP is handling mixed network traffic, such as virtual addresses that only perform L2 traffic and virtual addresses that do SSL processing on the same box, leave the system configured the way it is; SMP mode will not help this configuration. SMP mode only helps the performance of systems that are exclusively using the BIG-IP for SSL traffic.

If you want the increased SSL proxy performance provided by the SMP mode, and are willing to sacrifice the processing of other types of network traffic, then you may want to consider switching your system to SMP mode. Type the following command to put the system in SMP mode:
b db set Local.Bigip.Boot.Kernel = SMP


After you change the kernel setting in the bigdb, type the following command to restart sod:
bigstart restart sod

After sod restarts, type the following command to reboot the system:
reboot

Type the following command if you want to switch back to ANIP mode:
b db set Local.Bigip.Boot.Kernel = ANIP


NOTE:   An alternative to putting the system in SMP mode is to create a scalable SSL configuration as described in the BIG-IP Controller Solutions Guide, Chapter 11, Configuring an SSL Accelerator.

CPU statistics reported correctly in multiprocessor mode (CR25018)
When the BIG-IP system is running in multiprocessor mode, CPU usage metrics are now reported correctly when you use the top utility.

Added bigpipe global broadcast command  (CR27622)
You can now use the bigpipe global broadcast command. This command provides the ability to accept or discard packets from the DELL kickstart installation utility. The following command has been converted to a global command:
bp internal set accept_broadcasts = 1

The new global commands for this setting are:
b global broadcast [ accept | discard | show ]

What’s fixed in this PTF

Removed the ability to change the CORBA port number in the Configuration Utility (CR19780)
We removed the ability to change the CORBA port number in the Configuration Utility. The CORBA IIOP port should only be set to the default setting of 683.

Raw ethernet packets in ANIP mode (CR20274)
We have corrected the way ANIP mode handles raw Ethernet packets. Previously, raw Ethernet packets would occasionally cause a race condition.

Removed limitations on the header insert and header erase attributes (CR21617)
There is no longer a 128-byte limitation on the header insert and header erase attributes.

Windows uploads (CR22043)
Delayed-acks no longer throttle Windows uploads at 40K per second.

Using the MGMT interface on units that include the Packet Velocity ASIC (CR22599)
It is important that you use the MGMT interface (3.1) on units that include the Packet Velocity ASIC for administration only. We recommend that you do not use the MGMT interface on a VLAN you plan to use for load balancing traffic.

Connection and packet display statistics with the bigtop utility (CR22709)
Connection and packet statistics now display correctly when you run the bigtop utility.

SIP persistence: two exact SIP UDP messages (CR24304)
The BIG-IP system no longer creates two connection table entries when two identical SIP UDP packets are received.

Using fallback persistence with SIP persistence (CR24306)
You can now use the simple_timeout simple persistence setting as a fallback for SIP persistence.

Using a VLAN group configuration in transparent or translucent mode (CR24409)
You can now configure the BIG-IP unit to bridge between two VLANs in either transparent or translucent mode without creating duplicate packets.

Corrected the process checking field in snmpd.conf (CR24450)
We have corrected the process checking field (proc) in the snmpd.conf. It now puts the correct information into the ucd prTable.

Remote authentication server responses (CR24487)
If you have remote authentication configured and you mistype a password or user login, the correct remote authentication server responds.

Audit logs now show the correct user name (CR24600)
The audit logs now show the correct user name when a user makes configuration changes.

SNMP virtualAddressEntry table and wildcard virtual servers (CR24647)
The SNMP virtualAddressEntry table can now handle wildcard virtual servers.

Name field on the Add VLAN Group and VLAN Group Properties page (CR24719)
The maximum number of characters for a VLAN group name is 15 characters.

Monitor names in the Configuration utility and from the command line (CR24864)
Monitor names typed in the Configuration utility and the command line are no longer limited to 31 characters.

Authorization: setting the user key to "user" (CR24880)
You can now set the authorization user key to user without causing a syntax error when you load the configuration.

Audit logs and resetting statistics for services (CR24923)
The audit logs now correctly show the services when you reset statistics with the command b global stats reset.

Resetting statistics for node server (CR24924)
The audit logs now display correctly when the statistics are reset for a node server.

Gratuitous ARPs with MAC masquerading and VLAN failsafe configured (CR24925)
Gratuitous ARPs are now handled correctly in an active/standby redundant scenario with MAC masquerading and VLAN failsafe configured. When the active unit detects no traffic on the VLAN, such as when the cable is unplugged, or the unit is rebooted, the other unit becomes active. When the unit that was demoted to standby reboots, it now sends a gratuitous ARP for its self IP addresses.

DELL: Large BSDi Partition and DOS in the FDISK table (CR24941)
We have corrected a problem that could have caused an error during installation on some DELL platforms.

SSH key generation now uses hardware random number generators when available (CR24955)
SSH key generation now uses hardware random number generators when available. This increases the security of the SSH DSA host keys and reduces the probability that the key can be guessed, or that a random key collision could occur.

Corrected the rule hierarchy for direct node selection and cookie insert (CR24957)
We have changed the rule hierarchy so that direct node selection occurs before cookie insert.

DELL: watchdog timeout resetting (CR24962)
We have corrected watchdog timeout reset problems with fixes from the Broadcom erratum for BCM5700 chips.

Reaper no longer sends RSTs for unaccepted, timed-out connection requests (CR24984)
We have corrected a problem that occurred when a SYN packet was sent from a client through a virtual server to a server, and the server did not answer before the connection timeout was reached. Previously, the reaper sent an RST in both directions.

TCP SYN packets to self IP that matches TIME_WAIT connection (CR24993)
We have corrected a problem with TCP SYN packets to a self IP address on the BIG-IP system that matches a connection with the same source and destination port and address, and exists in TIME_WAIT.

VLAN-keyed connections on the 2400 platform (CR25046)
We have corrected a problem with VLAN-keyed connections on the 2400 platform. The packet and byte statistics occasionally were not counted for pools and SNATs.

OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the correct object identifier (OID) associated with it.

SSL proxy was consuming all available file descriptors (CR25081)
We have corrected a problem that caused the SSL proxy to consume all available file descriptors.

Savecore captures on large hard drives (CR25083)
The savecore program now functions correctly on large hard drives.

Server FINs from early-closed late-bound connections do not return to client (CR25094)
Server FINs from early-closed late-bound connections are now returned properly to the client.

Pool::set_persist_mode() to type_expression through the iControl SDK without expression (CR25096)
You can now set up the Pool::set_persist_mode() to type_expression through the iControl SDK without an expression without causing system instability.

An error message displayed on shutdown (CR25110)
On switch platforms, we have corrected a situation that caused an error message to display as the system shut down to reboot.

Tcpdump on the 5000 series with mirror VLAN and mirror hash enabled (CR25129)
We have corrected a problem that prevented tcpdump from showing traffic on the 5000 series with mirror VLAN and mirror hash enabled.

Spanning Tree Protocol (STP) does not work properly if the BIG-IP Application Switch is the only active STP in the network (CR25162)
If the BIG-IP Application Switch is the only STP-enabled entity in the network, parallel ports go to a forwarding state because the switch ignores its returning bridge protocol data unit (BPDU) frames. This leaves the network open to bridge loops. To avoid this situation, we recommend that you disable STP if you only have one BIG-IP Application Switch in your network. Use the following command to disable STP on the BIG-IP system:

b stp <stp_name> disable

VLAN groups and non-IP traffic (CR25176)
VLAN groups can now forward non-IP traffic.

Connection table entry reaping for UDP packets with node address disabled (CR25186)
We have corrected a problem where, in rare circumstances, connection table entries were not reaped for UDP packets when the node address was disabled.

FIPS: nCipher driver no longer outputting debug messages (CR25308)
The FIPS nCipher driver no longer outputs debug messages.

E-Commerce Controller: Adding a virtual server with a wildcard port (CR25314)
When you add a virtual server with a wildcard port, port translation is now disabled by default in both the Configuration utility and from the command line.

Connection rebinding with members that have different priorities (CR25348)
Connection rebinding with members that have different priorities now works correctly.

Default VLANs on 5100 and 5110 platforms (CR25352)
The default VLANs on the 5100 and 5110 platforms are now mapped consistently in the following manner:

VLAN       Untagged interfaces
admin      3.1
external   2.1
internal   1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 2.2 2.3 2.4

Improved clean up of logs during upgrade on systems with the Packet Velocity ASIC (CR25405)
We have improved clean up of logs during the upgrade on systems with the Packet Velocity ASIC.

SNMP: data from globalAttr* has been updated (CR25429)
We have updated the data for the SNMP globalAttr*. Also, we have corrected the following spelling errors:

globalAttrMaintenceMode is now globalAttrMaintenanceMode.

globalAttrPersistAccrossVirtuals is now globalAttrPersistAcrossVirtuals.

Also, we have changed the globalAttrPersistTimerUsedAsLimit to use either timeout or limit rather than true or false. The default setting is timeout.

MAC masquerade addresses and forcing a system to standby (CR25453)
When you purposefully change the state on a BIG-IP unit in a redundant system from active to standby, the first octet of the MAC address for any self IPs that you have configured may change to 02. This happens only when your configuration meets all of the following conditions:

  • You are running BIG-IP HA software
  • You have VLANs that are not a part of a VLAN group
  • The self IPs for those VLANs have a MAC masquerade address configured
  • You force the active unit in a redundant system to standby, without rebooting


Hardware Acceleration of forwarding pools (CR25462)
The Packet Velocity ASIC now partially accelerates forwarding pools.

bigpipe interface show command returns data for interfaces (CR25470)
The bigpipe interface show command no longer incorrectly reports statistics for interfaces that are in a VLAN but not in use.

SNMP: enterprises.ucdavis.memory.* OID now returns valid information (CR25488)
The enterprises.ucdavis.memory.* now returns valid information.

SSL proxy bigdb keys listed in /config/default.txt (CR25502)
We have updated the SSL proxy bigdb keys listed in /config/default.txt.

Using the persist dump command (CR25520)
We have corrected a problem with the b persist dump command that caused the error message Name exceeds maximum length to be displayed. This message is no longer displayed.

Virtual server bound to VLAN after deletion (CR25524)
We have corrected a problem where a virtual server was bound to a VLAN that had two or more networks configured even after you attempted to delete it.

/var/log/bigd: shut down of checkd now logged with the correct message (CR25525)
When checkd shuts down, the correct message is now logged in /var/log/bigd. The message is now checkd: exiting.

Memory usage with IP rate filtering or SSL proxy re-encryption (CR25542)
We have corrected a problem where under certain memory overload conditions, using IP rate filters or SSL proxy re-encryption could cause system instability.

The bigpipe interface media show command (CR25544)
The b interface media show command now shows the media type for the specified interface.

SSL proxy rewriting redirects in 302 responses after the first one is received in a keep-alive stream (CR25550)
The SSL proxy now correctly rewrites redirects in 302 responses after the first one is received in a keep-alive stream.

Associating multiple monitors with the same service (CR25572)
You can now associate multiple monitors with the same service using the Configuration utility, and not receive the message Error 132 - Monitor template not found.

Connection reuse and Fast Flow (CR25595)
We have streamlined how the Fast Flow feature reuses certain connections. The connections are now handled more efficiently.

Certificate expiration dates on the Certificate List Screen (CR25610)
The certificate expiration dates on the Certificate List Screen now display the correct expiration dates.

Logging forced down to /var/log/bigd (CR25614)
When you force a node to the DOWN state using the Configuration utility, or from the command line, the forced down state is now logged in /var/log/bigd.

SSL proxy: HTTP/0.9 request produces message 'no space in response line' with redirect rewriting (CR25624)
We corrected a problem with redirect rewrites for HTTP/0.9 requests on the SSL proxy that produced the log message No space in response line.

Support failover when nCipher card fails (CR25629)
The BIG-IP system now fails over to the peer unit when an nCipher card fails.

SSL proxy HTTP header insert can mistakenly assume end of header received (CR25671)
We have corrected a problem where, in rare circumstances, an SSL proxy performing an HTTP header insert could assume it had received the end of the header.

Failover daemon: use the SMP kernel when dual processors detected with no GNIC (CR25694)
The SMP kernel is now used automatically in dual processor systems with no gigabit Ethernet NICs.

New proxy ARP exclusion class (CR25801)
You can now create a proxy ARP exclusion class on the BIG-IP system, proxy_arp_exclude. Use this class to prevent the BIG-IP system from generating gratuitous ARP requests to its peer unit when you have a redundant system using VLAN groups. To configure the proxy_arp_exclude class, in the navigation pane, click Classes, and then click the Add Class button. (For assistance with the settings, click the Help button.) You can also find information about the proxy_arp_exclude class in the BIG-IP Reference Guide, version 4.5.

Interrupt coalescing in the Intel wx driver (CR25823)
We have added an update from an errata for the Intel wx driver which caused an Intel gigabit network card to stop processing traffic. When the error occurred, the message "wx<n> device timeout" was logged. The fix is automatic for customers using the ANIP kernel. Please contact Support if you are running the SMP kernel on your system.

IP Application Switch: IS-IS multicast packets on the ingress port (CR25935)
IP Application Switch platforms no longer re-broadcast IS-IS multicast packets on the ingress port.

Dual processor system running in ANIP mode during core dump (CR25943)
Dual processor systems running in ANIP mode can now create core files that are more useful.

Command line and Configuration utility QoS values on pools (CR25944)
You can now only enter valid QoS values for pools. The valid range is 0 to 7.

Connection reaping if the client closes the connection without sending data (CR25983)
For late-binding connections, if the client negotiates a connection without sending any request, the connection is reaped.

Increased the swap partition to 2 Gigabytes (CR26010)
We have increased the swap partition size to 2 Gigabytes.

SSL proxy: 100 Continue responses (CR26034)
SSL Proxy now rewrites 302 redirects seen after a 100 Continue message (usually sent by the server after a POST operation).

Reboot of standby 2400 unit and connectivity with the active unit (CR26078)
We have corrected a problem where in certain cases, on the 2400 platform with network failover configured, rebooting the standby unit in an active/standby redundant configuration caused the active unit to lose existing connections. We recommend that if you require network failover, you configure the admin ports (port number 3.1) for failover.

Rules precedence problems (CR26097)
We have corrected a rules syntax precedence problem that could cause extra parenthesis to be added to rule syntax saved in the /config/bigip.conf.

Redirect rule and extra '/' (CR26107)
We have corrected a problem that added an extra forward slash (/) to redirect rule syntax.

Forwarding pool causes annunciator LED to flash yellow (CR26116)
If you configure a forwarding pool on any platform, the yellow alarm LED flashes yellow indicating a pool with zero active nodes. In this case, the yellow alarm LED is benign.

Connection rebinding for UDP with Fast Flow enabled (CR26135)
Connection rebinding now functions correctly with UDP packets when you have Fast Flow enabled.

Using the address 127.0.0.x as a member in a pool (CR26174)
The BIG-IP will no longer lose connectivity to the network when using the address 127.0.0.x (where x is the host number) as a member in a pool.

Handling of 'Connection: close' header from client in HTTP/1.1 (CR26177)
We have corrected how the system handles Connection: close header from client in HTTP/1.1.

Closing connections with One Connect enabled (CR26178)
With One Connect enabled, the FIN-ACK was not being sent through to the client. We have corrected this problem. If you see this problem, please contact support for the solution.

Failover: Synchronization of mirrored connections on a standby box (CR26197)
Mirrored connections from an active unit are now mirrored on the standby unit as soon as the standby unit is rebooted or restarted.

Packets with a TCP checksum of 0 (CR26202)
We have corrected a problem that caused packets with a TCP checksum of 0 to be transformed to a checksum of 0xFFFF by Fast Flow.
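
The release note does not say what caused CR26202. The added example below (not F5 code) shows the best-known way a device that rewrites packets and updates the checksum incrementally ends up with 0xFFFF where a full recomputation gives 0x0000: the RFC 1141 update formula, done with end-around-carry arithmetic, can never produce +0, while the RFC 1624 form can. It also shows why a standard receiver accepts both values, so the difference surfaces only where something compares checksums byte for byte. The two-word "segment" and the rewritten word are constructed; whether Fast Flow's bug was exactly this is an assumption.

```python
from typing import Iterable, List

MASK = 0xFFFF


def ones_add(a: int, b: int) -> int:
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & MASK) + (s >> 16)


def ones_sum(words: Iterable[int]) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w & MASK)
    return total


def full_checksum(words: Iterable[int]) -> int:
    """RFC 1071: the checksum is the one's complement of the one's-complement sum.
    A sum of 0xFFFF gives a transmitted checksum of 0x0000."""
    return (~ones_sum(words)) & MASK


def incremental_rfc1141(hc: int, m: int, m_new: int) -> int:
    """HC' = HC + m + ~m' (RFC 1141). End-around-carry addition of non-zero
    operands never yields 0x0000, so this form returns 0xFFFF where a full
    recomputation would return 0x0000."""
    return ones_add(ones_add(hc, m), (~m_new) & MASK)


def incremental_rfc1624(hc: int, m: int, m_new: int) -> int:
    """HC' = ~(~HC + ~m + m') (RFC 1624), which yields 0x0000 when that is correct."""
    inner = ones_add(ones_add((~hc) & MASK, (~m) & MASK), m_new)
    return (~inner) & MASK


def receiver_accepts(words: Iterable[int], checksum: int) -> bool:
    """RFC 1071 verification: the sum over data plus checksum must be 0xFFFF.
    Both 0x0000 and 0xFFFF pass, which is why an ordinary host does not notice
    the substitution but a strict byte-for-byte comparison does."""
    return ones_sum(list(words) + [checksum]) == MASK


# Constructed sample: two 16-bit words stand in for the pseudo-header, TCP
# header and payload. A NAT-style rewrite changes the first word from 0x1233
# to 0x1234 (think of a port rewrite), and the correct checksum of the
# rewritten segment happens to be 0x0000, which is the edge case.
OLD_WORDS: List[int] = [0x1233, 0xEDCB]
NEW_WORDS: List[int] = [0x1234, 0xEDCB]
OLD_WORD, NEW_WORD = 0x1233, 0x1234


def demo() -> dict:
    hc_old = full_checksum(OLD_WORDS)                                   # 0x0001
    return {
        "full": full_checksum(NEW_WORDS),                               # 0x0000
        "rfc1141": incremental_rfc1141(hc_old, OLD_WORD, NEW_WORD),     # 0xFFFF
        "rfc1624": incremental_rfc1624(hc_old, OLD_WORD, NEW_WORD),     # 0x0000
        "both_verify": receiver_accepts(NEW_WORDS, 0x0000)
                       and receiver_accepts(NEW_WORDS, 0xFFFF),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if isinstance(value, bool) else f"0x{value:04X}")
```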

Late-binding state can get out of synchronization with Keep-Alives (CR26221)
We have corrected a synchronization problem between the state of a connection handled by a late-binding virtual server and the keep-alive state of the connection on the server that could cause the connection to lock up or behave unpredictably. This problem affected the cookie insert feature, the hash cookie feature, and rules. One of the ways you could observe this problem was that a new connection could be paired with an existing connection and the existing content could be sent to the client requesting the new connection.

SSL proxy and error log messages when CRLs are out of date (CR26240)
The SSL proxy now logs an error message when a Certificate Revocation List (CRL) is out of date.

Multiple VLAN SNATs when virtual servers are fully accelerated (CR26242)
When you have multiple VLAN SNATs configured, they are now partially accelerated by the Packet Velocity™ ASIC when virtual servers are fully accelerated.

Advanced Routing Modules: OSPF module during an LSA update (CR26268)
We have corrected a problem during LSA updates that was destabilizing the OSPF module.

SIP persistence and virtual servers with address translation disabled (CR26278)
SIP persistence now works correctly with virtual servers that have address translation disabled.

The b load command and connection limits (CR26451)
The b load command no longer causes the connection count to be set to zero, which prevented connection limits from being honored.

bigpipe values allowed for ip_tos (CR26478)
The bigpipe command now limits the possible values for ip_tos to the correct value range (0 - 255).

SNMP: settings for virtualServerFailoverFlags (CR26509)
We have updated the values for virtualServerFailoverFlags. The appropriate values are nonmirroring and mirrorconnections.

Upgraded to OpenSSL 0.9.7a (CR26518)
We have upgraded OpenSSL to version 0.9.7a. This upgrade includes various security fixes and enhancements including the following:

  • Security: Important security-related bug fixes
  • Security: Support for OCSP, the Online Certificate Status Protocol
  • ENGINE: Can be built without the ENGINE framework
  • Assembler: IA32 assembler enhancements
  • Configuration: The no-err option now works properly
  • SSL/TLS: Now handles manual certificate chain building
  • SSL/TLS: Certain session ID malfunctions corrected


Port Translation default settings for the Configuration utility and command line (CR26543)
The following settings are the updated default port translation settings for both the Configuration utility and the command line:

Type of object    Port translation
net:*             disabled
ip:*              disabled
vlan:*            disabled
*:*               disabled
ip:port           enabled
net:port          enabled
vlan:port         enabled
*:port            disabled

URI with rule redirect using port (:p) when port is 80 (CR26618)
We have corrected a problem that was adding extra characters to the end of the URI redirected using the port 80.

Advanced Routing Modules: Configuration files not loaded when daemons are started up (CR26619)
The configuration files for the Advanced Routing Modules will now save and load correctly.

ITCM.log rotation (CR26781)
The ITCM.log is now rotated daily.

Advanced Routing Modules: full path for the log file (CR26783)
We have corrected a problem that was causing the Advanced Routing Modules to create a core file if the full path was not specified for the log file.

SSL proxy: certificate serial number consistency (CR26800)
The SSL proxy certificate serial numbers are now listed in a consistent format.

Authorization: adminpw value (CR26824)
The adminpw setting is now saved correctly when you load a configuration using the b config load command.

bge message on reboot (CR26827)
You no longer see the following unnecessary message when you reboot the 1000 and 5100 series platforms:
bge0: bge_wait_bit_clr timeout: reg=0x468 mask=0x2

bigpipe: imid parsing (CR26875)
We have corrected a problem that prevented the imid rule syntax from being parsed correctly, with or without braces.

wd0: lost interrupt message (CR26943)
You no longer see the following benign error message when you upgrade your system:
wd0: lost interrupt

RULES: Loading configuration with external classes (CR26952)
When the configuration loads, classes are now loaded before pools. This eliminates a problem with using external classes with mapclass2node option in the pool selection.

SSL: turn on RSA Blinding for software RSA private key operations (VU#997481) (CR26966)
We have turned on RSA Blinding for software RSA private key operations as noted in the CERT vulnerability note VU#997481. This may impact SSL performance to some degree.
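The countermeasure named above, RSA blinding, is worth seeing in arithmetic. The following is an added illustration, not BIG-IP or OpenSSL code: a toy RSA key built from two constructed small primes (far too small for real use) with the private-key operation performed both directly and with a random blinding factor. The blinded path exponentiates c * r^e for an r the caller picks fresh each time, then strips r again, so the secret-dependent computation never runs on a value the remote party chose. The helper names (toy_keypair, blind, unblind, rsa_private_blinded) are this example's own.

```python
import secrets
from math import gcd

# Constructed toy RSA parameters (assumption: not a real key). The primes are the
# 10,000th and 100,000th primes, chosen only to keep the numbers readable.
P, Q = 104729, 1299709
E = 65537


def toy_keypair():
    """Return (n, e, d) for the constructed toy key."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("e must be invertible mod phi(n)")
    d = pow(E, -1, phi)           # modular inverse (Python 3.8+)
    return n, E, d


def rsa_private_plain(c, n, d):
    """Unblinded private-key operation: the modexp base is the remote-chosen c,
    so its running time depends on secret steps applied to a known input."""
    return pow(c, d, n)


def blind(c, n, e, r):
    """Multiply c by r^e so the value fed to the secret exponentiation is random."""
    return (c * pow(r, e, n)) % n


def unblind(x, n, r):
    """Remove the blinding factor: (c * r^e)^d = m * r (mod n), so multiply by r^-1."""
    return (x * pow(r, -1, n)) % n


def random_blinding_factor(n):
    """Pick r uniformly in [2, n-1] with gcd(r, n) == 1 so r^-1 mod n exists."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def rsa_private_blinded(c, n, e, d):
    """Blinded private-key operation, the countermeasure VU#997481 recommends:
    timing is still observable, but it is the timing of an exponentiation on
    c * r^e for an r the observer does not know, which removes the correlation
    with the chosen ciphertext that a timing attack relies on."""
    r = random_blinding_factor(n)
    return unblind(pow(blind(c, n, e, r), d, n), n, r)


if __name__ == "__main__":
    n, e, d = toy_keypair()
    m = 19088743                       # constructed message, must be < n
    c = pow(m, e, n)
    print("plain  :", rsa_private_plain(c, n, d) == m)
    print("blinded:", rsa_private_blinded(c, n, e, d) == m)
```

The cost noted in the release note is visible here: each blinded operation adds one public-key exponentiation (r^e) and one modular inversion, which is why enabling it can reduce SSL throughput to some degree.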

T/TCP connection closing (CR26972)
We have corrected a problem that prevented some T/TCP connections from closing correctly.

Network virtual server loading in a particular order with others on the same subnetwork (CR26988)
We have corrected a problem that was preventing network virtual servers on the same subnetwork from working if they were not ordered in the /conf/bigip.conf file in a particular order. Now they work in any order.

SSL Proxy: handling BMP, IA5, and UTF8 certificate strings with LDAP authentication (CR27018)
The SSL proxy can now handle BMP, IA5, and UTF8 certificate strings with LDAP authentication. This increases the BIG-IP system's compatibility with Microsoft's SiteServer and Active Directory.

SSL proxy: CLOSED connections never freed on last hop pool (CR27040)
We have corrected a problem that could stop traffic through an SSL proxy virtual server configured with a last hop pool.

Transaction level on systems monitored by the iControl Services Manager (CR27192)
We have reduced the level of transactions generated on systems monitored by the iControl Services Manager.

Configuration Utility: display a warning if the product is licensed but the EULA has not been accepted (CR27215)
A warning is now displayed if the system is licensed but you have not accepted the EULA.

SSL proxy: a very long URI followed by header insert and another header value (CR27218)
The SSL proxy can now handle connections in situations where there is a very long URI and an inserted header with no client headers (just a bare request).

SSL proxy: 100 Continue responses (CR27234)
The SSL proxy now correctly handles 100 Continue responses that are up to 140 bytes. You can observe this activity only when the BIG-IP system and server have not made the three-way handshake by the time two halves of a POST are received by the BIG-IP system.

SSL proxy: session IDs rejected by the server (CR27274)
The SSL proxy no longer attempts to reuse session IDs rejected by the server.

Rotation of the /var/log/cron file (CR27355)
The /var/log/cron file is now rotated daily instead of weekly.

Enhancements and fixes released in prior PTFs

Version 4.5 PTF-03

HTTP requests through a Layer 7 virtual server with a specific size (CR25868)
We corrected a problem in version 4.5 of the BIG-IP software that could cause the system to become unstable when HTTP requests of certain specific sizes were received through a rule using a Layer 7 variable or through a pool with a Layer 7 attribute.

Version 4.5 PTF-02

Layer 7 Checksum Validation
A new global, l7_validate_checksums, is included in this release. We recommend that you do not change the value of this global variable unless you are instructed to by a support representative.

UDP checksums and TFTP packets (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.

Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.

iControl SOAP null nat_addr value for NAT::set_arp used with the iControlPortal (CR24914)
The iControlPortal no longer becomes unstable when it processes an iControl SOAP null nat_addr value for NAT::set_arp.

Zero length IP/UDP packets received by the system when forwarding (CR24931)
Zero length IP/UDP packets received when forwarding is enabled no longer destabilize the system.

Virtual server sending packets when TCP checksum incorrect (CR24983)
Virtual servers no longer send packets when the TCP checksum is incorrect. In order to implement this fix, please contact support.

Mid-stream SSL renegotiations with the SSL proxy (CR24989)
The SSL proxy can now handle mid-stream SSL renegotiations.

SSL proxy sending ACKs to clients with late binding (CR25015)
The SSL proxy now sends acknowledgement packets (ACKs) to clients correctly when handling late binding connections.

Connection statistics when you change the configuration under load (CR25044)
On the 2400 platform, the connection statistics are now correct even if you change the configuration under load.

Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.

Dual processor system without a gigabit interface (CR25104)
The BIG-IP 540 platform now supports two processors correctly if there is no gigabit Ethernet interface installed in the platform.

Strict string evaluation for cookie hash persistence (CR25122)
Improved the cookie name lookup and hash mode for cookie hash persistence.

SSL TPS performance with increasing concurrent clients (CR25164)
Optimized the SSL transaction per second (TPS) performance when there is an increasing number of concurrent clients.

SSL proxy forwarding unparsed server response to client (CR25168)
When rewriting of redirects is enabled, the SSL proxy no longer forwards an unparsed server response to the client.

Using a serial terminal as console on certain platforms (CR25183, CR25414, and CR25445)
You can now configure the serial terminal as the console on all platforms.

SNAT current connections after deleting a SNAT and re-adding it to the configuration (CR25198)
The SNAT current connections statistics are now correct after you delete a SNAT and then add it back to the configuration.

Configuring rules using contains against a class (CR25236)
You can now use the contains, starts_with, and ends_with operators to compare class values.

Rolling Upgrade: when licensing in the web-based Configuration utility, peer traffic can halt (CR25239)
Corrected a problem when licensing the standby unit through the web-based Configuration utility that could cause traffic to stop on the active unit.

Instability when using Universal Inspection Engine redirect (CR25358)
The Universal Inspection Engine redirect feature no longer causes instability in the system.

Unit ID with a SNAT translation (CR25372)
You can now include a unit number after the SNAT translation address.

Version 4.5 PTF-01

Added support for the 2400 platform
This release includes enhanced support for the F5 Networks 2400 platform.

Viewing licensing error log files from the Configuration utility (CR25055)
You can now view the log files for errors that occur during the licensing process using the Configuration utility. A View Log File button appears on the licensing screen when the licensing process generates errors.

Resets (RSTs) from aging-out connections can have incorrect sequence numbers (CR22219)
Resets (RSTs) from aging-out connections no longer cause some connections to hang due to incorrect sequence numbers for the resets.

CA-2002-31, Multiple Vulnerabilities in BIND (CR25085)
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.


Known issues

The following items are the known issues identified since the release of BIG-IP software, version 4.5.

Specified gig duplex setting fails on Cisco switches (CR27755)
If your BIG-IP system is using GIG interfaces and is plugged into a switch with a fixed duplex setting, you need to configure the BIG-IP GIG interface and the port on the switch to Auto before applying PTF-04. If the BIG-IP GIG interface and switch port are not set to Auto, the link between the BIG-IP and the switch will stop functioning after the upgrade.

Fan and temperature monitoring with SNMP
SNMP queries for fan speed, CPU temperature, and power supply status are functional for certain platforms. Currently, fan and temperature monitoring is supported only for the following platforms:

  • 1000
  • 2000
  • 2400
  • 5000
  • 5100
  • 5110

For these platforms, automatic periodic monitoring is enabled by default. However, the system_check script does affect performance. You can disable the system_check script by commenting out (adding a leading # sign to) the line in /etc/crontab that runs the system_check utility. This version does not support fan and temperature SNMP monitoring on the following platforms:

  • D25
  • D30
  • F35
  • D35 (520 and 540)

Wildcard certificates in the Cert Admin screen (CR17426)
The Cert Admin screen in the Configuration utility currently only allows "*.<domain_name>" for wildcard certificates. A domain name of "*.*.<domain_name>" is not supported on the Cert Admin screen.

Upgrading the software and the MindTerm SSH Console (CR18436)
When you upgrade the software for the BIG-IP system, you cannot use the MindTerm SSH Console, because the upgrade stops and restarts the SSH service. To upgrade the software, use a serial console instead.

The RADIUS port in /etc/services (CR20136)
Previous releases of this software use the RADIUS port 1645 as the default in /etc/services. This release uses the new IANA RADIUS port 1812.

L2 proxy ARP forwarding exclusion list (CR20647)
In order to prevent the active unit from forwarding ARP requests for the standby unit (or other hosts to which proxy ARP forwarding is not wanted), you can now define a proxy ARP exclusion list. To configure this feature, you can define a proxy_arp_exclude class, and add any self-IPs on the standby and active units to it. The BIG-IP units do not forward ARP requests from the hosts defined in this class.
For example, to create a proxy_arp_exclude class use the following syntax:
b class proxy_arp_exclude { host <self IP 1> host <self IP 2> ... host <self IP N> }

If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. We recommend that you configure this feature if you use VLAN groups with a BIG-IP redundant system. The reason is that both BIG-IP units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents traffic from being proxied through the active BIG-IP due to proxy ARP. This traffic needs to be sent directly to the destination, not proxied.

If you do not configure a proxy ARP exclusion group for systems configured with VLAN groups, you may see problems such as:

  • Nodes being marked down for a period of time after a failover
  • The inability to access resources through the active BIG-IP unit when there are multiple physical or logical connections to the same VLAN group (especially likely to be noticed when there are multiple connections between the active and standby BIG-IP units).


Default gateway pools are incompatible with SNAT automap (CR20801)
Default gateway pools are incompatible with SNAT automap. Configuring a default gateway pool with a forwarding virtual server or a forwarding pool is also incompatible. To work around this incompatibility, you can configure a network wildcard virtual server in front of the SNAT. The wildcard virtual server routes by connection, using the cached routes.

ICMP pings are not updating the MAC addresses for all nodes in the ARP table (CR21228)
ICMP pings are not updating the MAC addresses for all nodes in the ARP table. This does not have any effect on the functionality of the BIG-IP system. The only way these entries are visible is by typing the command arp -na to list the ARP table.

Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity ASIC does not generate a TCP reset.

Configuring the admin port for node connectivity (CR22599)
We recommend that you do not configure the admin port for node connectivity.

Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.

Default route missing after gated fails while you are creating node pools (CR23668)
In certain rare cases, the default route may be removed if you create a node pool at the same time gated fails. If this happens, run the Setup utility and add the default route back to the configuration. You can run the Setup utility from the command line by typing setup. You can access the Web-based Setup utility from the welcome page of the Web-based Configuration utility.

Changing IP addresses on VLANs does not change the administration web server settings (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.

FTP data connections have incorrect TOS or QoS values set (CR24644)
FTP data connections have incorrect TOS or QoS values set in the BIG-IP software. Both values are set to 0.

iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET framework's serialization. For nested structures within arrays, the framework cannot support an empty array represented as a single (self-closing) XML element.
For example, this return element does not serialize:
<return type='Array' ArrayType='tns:someType[0]'/>
This one does serialize:
<return type='Array' ArrayType='tns:someType[0]'></return>

Configuring a SNAT map with no virtual servers (CR24959)
On the 2400 platform, only connections that target a virtual server are accelerated by the Packet Velocity ASIC.

TCP SYN packet to self IP that matches TIME_WAIT connection not handled correctly (CR24993)
If a TCP SYN packet is received for a self IP, and it matches an old connection that is in TIME_WAIT state (same source and destination address and port), the system deletes the old connection and creates a new one.

SSL proxy processes with non-idle connections may never exit (CR25080)
Connections may not be timed-out as long as the SSL proxy continues to receive data within the idle connection timeout, and the server-side connection remains open.

Product Announcement: Content converter feature for Akamai (ARLs) removed from BIG-IP products for EOL (CR25082)
With this release, we are announcing the End-of-Life (EOL) of the content converter feature for converting Akamai ARLs. This applies to all fully licensed BIG-IP products running version 4.5 PTF-04 or later. As a result of this action, newly shipped or upgraded versions of the BIG-IP software no longer include this feature. If you want to continue using this functionality, do not upgrade to this version of the software. If you do plan to upgrade to this version of the software, we recommend that you remove all related configuration information from the bigip.conf file before you upgrade.

The conn dump verbose command values displayed for packet or byte counts (CR25119)
The command b conn dump verbose may show incorrect values for packet and byte counts.

Single default gateway member is not displayed as a default gateway pool (CR25141)
If you only configure a single default gateway member, that address is configured as the default route. It is not displayed as a default gateway pool.

Simple persistence timers and the 2400 platform (CR25182)
Simple persistence timeout global settings function slightly differently on the 2400 platform than on other BIG-IP platforms. With the 2400 platform, the global mode global persist timer timeout causes the persist timer to be updated every 30 seconds when a connection that references the persist entry is still alive. On other platforms, the persist timer is updated with every packet inbound from the client.

HTTP header inserts and proxies (CR25246)
If header insertion is enabled in the proxy, and the proxy receives only the HTTP command as the first SSL record, the proxy assumes that the entire header has been sent, inserts its headers, and terminates the HTTP header block.

E-Commerce Controller and setting port translation option for wildcard ports (CR25336)
On the E-Commerce Controller only, when you configure a virtual server with a wildcard port (*) using the Configuration utility, the default port translation setting is set to enable instead of disable. Note that this does not occur when you use the bigpipe utility. If you want to configure virtual servers with wildcard ports, and you want to disable the port translation, add the virtual server using the following bigpipe command (rather than using the Configuration utility):
bigpipe virtual <ip_address:0> use pool <pool_name>

Harmless startup bigstpd: (pid 169) already running message during configuration (CR25399)
You may see the message startup bigstpd: (pid 169) already running during configuration. This message is harmless.

SNMP: updated the globalAttr* values (CR25429)
This release includes revised globalAttr* values for SNMP. These values include globalAttrOpen3DNSPorts and globalAttrOpenCorbaPorts. For a complete list of the updated descriptions, refer to the MIB.

Disabling a virtual server that is under heavy traffic load may fill the /var partition (CR25538)
If you disable a virtual server that is under heavy traffic load, the BIG-IP log may fill the /var partition. To work around this problem, you can configure syslogd to log to a remote system, or you can shut off logging on local0.*. For alternative solutions, contact support.

Certain SNMP OIDs are only supported by switch platforms (CR25458)
The SNMP OIDs dot1*, dot3*, and limited rmon OIDs are only supported by switch platforms. These platforms include the 1000, 2000, and 5000 series.

SSH access host restrictions are now configured in /etc/hosts.allow (CR25530)
In previous versions, /etc/ssh2/sshd2_config and /etc/sshd_config controlled SSH access. This upgrade reverts to an SSH access level that allows all hosts to connect. Upgrading to this version ignores previously configured SSH access restrictions configured in /etc/ssh2/sshd2_config and /etc/sshd_config. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once the upgrade has been completed. To do this, type the following command to start the Setup utility and then press Enter:
config
Choose option S (Configure SSH) and set the restrictions you prefer.

Transparent VLAN group mode with Fast Flow acceleration (CR25727)
The transparent VLAN group mode is not accelerated by the Fast Flow feature.

Adding support access after initial setup does not add the IP addresses to hosts.allow (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the Setup utility (S) Configure SSH option to re-initialize the SSH information on the system.

VLAN names with "vlan" followed by any number of digits cause a syntax error (CR25890)
VLAN names consisting of the text "vlan" followed by any number of digits cause a syntax error. For example, vlan123 causes a syntax error.

Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see CR25890.

Late binding virtual server with 500 MTU router and large request (CR26025)
If a client sends a large request, greater than 500K, through a router set to 500 MTU, the BIG-IP system does not forward the request to the server.

Switching to a single route configuration if you have a gateway pool in use (CR26143)
If you create a default gateway pool, and then you decide to change to a single route, we recommend that you do not delete the gateway pool even if you change the router configuration so that there is only one router in the pool.

Using 127.0.0.x as a pool member locks up the system (CR26184)
If you add a node with an IP address of 127.0.0.x to a pool, the system loses connectivity to the network. The only way to reboot the system after this happens is to use the reboot switch. We recommend that you do not add nodes with this address to a pool.

Added CRL path files are checked after reloading configuration (CR26203)
If you replace an existing CRL file in /config/bigconfig/ssl.crl directory, you must then type the b load command to activate the new CRL.

Configuration utility: changing iControl settings does not restart CORBA (CR26384)
If you use the Configuration utility to change iControl settings, you must manually restart CORBA. To restart CORBA, type the following commands from the command line:

bigstart shutdown portal
bigstart startup

LDAP group authentication does not work if there are spaces in the group name (CR26418)
LDAP group authentication does not function correctly if you place a space in the LDAP group name.

Generating certificates with openSSL after upgrading the software (CR26456)
After you upgrade the software, you may run into issues when you use the openSSL command line utility to generate certificates or certificate signing requests (CSRs). If you experience difficulties with this task, run the genconf command to update the openssl.conf file.

SSL proxy: proxy is down however b proxy show shows enabled (CR26487)
If the SSL proxy is down due to an error condition, the b proxy show command still shows the proxy is enabled.

Proxies configured using the command line interface do not recognize the default CRL (CR26515)
When you use the command line interface to configure a proxy, if you do not specify a CRL path, the default CRL path is not used and all client certificates are accepted regardless of their status. In order for the proxy to validate certificates properly through CRL, you must define a specific CRL path or file in the proxy. The default CRL path is recognized when you use the Configuration utility to configure a proxy.

Error message is invalid for ip_tos values (CR26566)
The valid ip_tos values are 0 - 255 or 65536, which returns ip_tos to a blank state. If you type an invalid value, you see the following incorrect error message: The requested IP TOS value is invalid. [0..65535].

bigpipe creates a "mirror conn disable" virtual server with connection mirroring enabled (CR26601)
If you use the bigpipe attribute mirror conn enable or mirror conn disable when you create a virtual server, connection mirroring is enabled. To avoid enabling connection mirroring when you set up a virtual server, do not use the mirror conn disable attribute. If you define a virtual server without the mirror conn enable or mirror conn disable attribute, connection mirroring is disabled.

Configuration utility: authtrap enable disable does not set authtrap correctly (CR26610)
If you attempt to disable the authtrap enable setting in the Configuration utility, the /etc/snmpd.conf file is modified with the incorrect value 0 (zero). To correct this, you can manually edit the /etc/snmpd.conf file and change the authtrap enable value to 2 (enable).

Message from /etc/daily script in regards to beholder (CR26612)
When /etc/daily runs, it checks to see if there is a /var/run/beholder.pid file and if it exists, it attempts to rotate the /var/log/rmon.log file. When the rotate log function runs, the following message is logged to /var/log/daily.out for the beholder script:

bigstart: @293: start script beholder not found

Advanced Routing Modules: Terminal settings incorrect after exiting vtysh (CR26631)
With the Advanced Routing Modules, after you enter the vtysh router interface, your terminal settings are incorrect. If this problem occurs, type reset to correct the problem.

Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system, it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic cannot pass through the system.

Verbose log level 32 (Stat Reset Detail) does not log a message when you reset the statistics (CR26822)
The verbose log level 32 (Stat Reset Detail) does not log a message when you reset the statistics.

Wrong MSS advertised to backend servers on SSL proxy connections (CR26839)
The BIG-IP system advertises the wrong maximum segment size (MSS) to the backend server if your configuration has an SSL proxy connecting to a virtual server on the loopback device (lo0). The advertised MSS respects the MTU of lo0, which is 4352 by default (so the resulting MSS is 4312).

Upgrade installation adds node * monitor use icmp to e-Commerce Controller (CR26877)
The BIG-IP 4.5 scratch CD installation adds the following line to the bigip.conf file on the e-Commerce Controller:

node * monitor use icmp
This monitor type is not supported on the e-Commerce Controller.

Transparent monitors cannot be combined using an "and" rule (CR26915)
You cannot combine transparent monitors using an and rule.

The Setup utility does not preserve MAC masquerade settings (CR26922)
The Setup utility does not preserve MAC masquerade settings. We recommend that you use the bigpipe utility or the web-based Configuration utility to make configuration changes after you have completed your initial setup. However, if you want to use the Setup utility to make changes to the configuration, and you want to preserve the MAC masquerade settings, then after you finish your configuration changes, recreate your MAC masquerade settings with bigpipe or the Configuration utility before you reboot the unit.

CPU Temperature Readings on 2765 BIOS rev 111201 - Older motherboard revisions may incorrectly display 'CPU too hot' messages (CR26954)
Some older motherboard revisions may incorrectly display CPU too hot messages. For more information about this issue, please refer to SOL2116: Error message: CPU too hot!.

Get no data when access sticky persistence table through iControl (CR26957)
If you have a pool with sticky persistence turned on, and mask set to 255.255.255.0, with a network virtual server, you will not get any records when you attempt to access the data through the iControl methods get_sticky_connection_table or get_persistent_connection_table. To work around this problem, call get_sticky_mask before passing the traffic.

Regkey.license should not be synchronized or saved in the .ucs file (CR27020)
The regkey.license file is synchronized when you perform a configuration synchronization or save a .ucs file. You can avoid this problem by adding the file to the list of files that are ignored when generating .ucs files, and synchronizing the configuration in the bigdb. For example, you could type the following command to set this value:

b db set Common.Bigip.CS.save.120.ignore = "regkey.license"

Configuration utility: changing the system IP address does not change the CORBA address in bigdb (CR27037)
If you change the IP address of the system in the Configuration utility, the change is not made to the CORBA address for IIOP and FSSL in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility and choose the option (I) Initialize iControl portal.

Key management: displaying BMP and UTF8 strings (CR27049)
The key management system does not properly display BMP and UTF8 strings in certificates.

Resetting statistics on the Firewall, Cache, Load Balancer Controllers causes a core dump (CR27060)
The command b pool stats reset causes a core dump on the Firewall, Cache, Load Balancer Controllers. Resetting the statistics from the Configuration utility causes the same core dump.

5000 series with 256 MB Compact Flash and multiple .ucs files (CR27064)
Because of file system size limitations on the 256 MB drive, we recommend that you limit the number of .ucs files you save on the system.

The header erase feature only looks at the first header (CR27084)
The header erase feature only looks at the first header. Subsequent headers are not erased.

Changing the virtual server target under load (CR27090)
If you change the virtual server target from a pool to a rule, or a rule to a pool, under load, the system could core dump.

Misleading message 'proxyd[pid]: No proxies were successfully configured. Exiting.' (CR27091)
On scratch CD installs, you may see the misleading message in /var/log/proxyd:

'proxyd[pid]: No proxies were successfully configured. Exiting.'
This message is benign.

Adding a switch interface to the admin vlan causes large volumes of traffic (CR27103)
Adding a switch interface to the admin VLAN causes large volumes of traffic. We recommend that you do not add a switch interface to the admin VLAN.

Certain load balancing modes do not honor node connection limits (CR27124)
When using observed_member, predictive_member, predictive, or observed load balancing modes, the member and node addresses do not honor node connection limits.

CompactFlash® media drives and logging for named (CR27132)
When named is running, it generates status and usage messages as part of its normal behavior. If you are running named on a system with a CompactFlash media drive, these messages may fill up /var/log/messages. To avoid this, periodically delete the status and usage messages for named.

Configuration files with a large number of proxies (CR27159)
Configuration files with a large number of proxies may take a long time to load.

The BIG-IP system may not honor certain client MSS limits (CR27160)
Under certain circumstances the BIG-IP system may not honor certain client maximum segment size (MSS) limits. This problem is rare and happens only if multiple clients with different MSS limits access the BIG-IP from the same source address through address translation.

Setting the reaper hiwater and reaper lowater values (CR27169)
If you set the reaper hiwater and reaper lowater values to the same number, you do not receive an error message, but the bigip.conf file does not load. In order for the BIG-IP configuration to load properly, reaper hiwater and reaper lowater cannot be set to the same value.

Dynamic ratio load balancing and snmpdca with Counter32 OIDs (CR27202)
If you are using dynamic ratio load balancing with the snmpdca pinger for metrics collection, and you configure an OID that returns type Counter32 (that is, the Windows 2000 Server Enterprise OID), the returned data may not be interpreted correctly. As a result, dynamic ratio load balancing does not function properly.

Server-side proxy listening on port 80 with TCP half-close (CR27203)
When you have a proxy configured that is listening on port 80, and you are using server-side SSL, client TCP connections using half-close may not complete properly.

RADIUS server configuration and Netscape (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.

User administration for remote authentication using the Configuration utility (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you click Enter and then click the Done button. The user is added when you click Enter. When using local authorization, the Enter key is ignored and you must click the Done button in order to add a new user.

FIPS 140 with a very large configuration  (CR27237)
If you are using FIPS 140 with a very large configuration (greater than 400 configuration items such as pools, virtual servers, monitors, etc.), you may experience a compatibility issue. The BIG-IP system returns SSL handshake failures to clients connecting on proxies using FIPS-protected keys. To check if you have this issue, from the command line, type # enquiry. If the result is Server not running, then the issue is present. To resolve this issue, use the following workaround:

If you have one FIPS card, add the following lines to line 115 of /etc/bigstart/scripts/nfast-ctrl:

if [ -z "$NFP_DEVICES" ]; then
  NFP_DEVICES=/dev/nfp0
fi

If you have two FIPS cards, add the following lines to line 115 of /etc/bigstart/scripts/nfast-ctrl:

if [ -z "$NFP_DEVICES" ]; then
  NFP_DEVICES=/dev/nfp0:/dev/nfp1
fi

Incorrect UDP checksum generated if incoming request has 0 UDP checksum  (CR27240)
If an incoming UDP request has an initial checksum of 0, when the request is routed back through the BIG-IP system, the UDP checksum may be calculated incorrectly.
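A UDP checksum of 0 on the wire means "no checksum was computed" (RFC 768), and a device that rewrites addresses must preserve that rather than generate a fresh value, while a checksum that computes to 0 is transmitted as 0xFFFF. The following added example (not code from the release note or from the BIG-IP software) contrasts a naive address-rewrite that always recomputes the checksum with one that honors the zero-checksum case; the addresses, ports and payload are constructed sample values.

```python
import struct

# Constructed sample values for the example (not from the release note).
SRC = bytes([10, 0, 0, 1])          # original client address
DST = bytes([10, 0, 0, 2])          # server address
NAT_SRC = bytes([192, 0, 2, 10])    # address substituted by the translator
PAYLOAD = b"ping"
# UDP header: source port, destination port, length (header + payload), checksum 0
SEGMENT_NO_CSUM = struct.pack("!HHHH", 53000, 53, 8 + len(PAYLOAD), 0) + PAYLOAD


def _ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words, folding carries back into the low 16 bits."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the UDP segment (checksum field zeroed).

    Returns the on-wire value: a computed 0 is sent as 0xFFFF, since 0 means "absent".
    """
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum if csum != 0 else 0xFFFF


def fill_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """Return the segment with a freshly computed checksum written into bytes 6..8."""
    return segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + segment[8:]


def verify_udp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the segment carries no checksum (0) or its checksum matches."""
    field = struct.unpack("!H", segment[6:8])[0]
    if field == 0:
        return True
    return udp_checksum(src_ip, dst_ip, segment) == field


def rewrite_udp_naive(src_ip, dst_ip, new_src_ip, new_dst_ip, segment: bytes) -> bytes:
    """Address rewrite that always recomputes: turns an absent checksum into a
    real one, which is the kind of behaviour the issue above describes."""
    return fill_checksum(new_src_ip, new_dst_ip, segment)


def rewrite_udp(src_ip, dst_ip, new_src_ip, new_dst_ip, segment: bytes) -> bytes:
    """Address rewrite that leaves a zero (absent) checksum untouched and
    recomputes only when the sender actually supplied one."""
    if segment[6:8] == b"\x00\x00":
        return segment
    return fill_checksum(new_src_ip, new_dst_ip, segment)
```

Running `rewrite_udp` over `SEGMENT_NO_CSUM` returns the datagram unchanged, while `rewrite_udp_naive` stamps in a non-zero checksum that the receiver will now validate; for a datagram that did carry a checksum, both functions produce a value that verifies against the translated addresses.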

Condition in Fast Flow causes T/TCP packets to be out of order (CR27245)
A condition in Fast Flow can cause T/TCP packets to be out of order.

Deleting the default gateway pool using the Setup utility  (CR27260)
The command line Setup utility (setup) does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.

SSL: Oscillating performance when viewed with IxWeb (CR27297)
An enhancement added to increase SSL performance with large numbers of concurrent connections may cause some performance tools to exhibit fluctuations in the maximum TPS when you use them to perform benchmark tests. For example, when you check SSL performance using the IxWeb tool you may see oscillating SSL performance readings. These variations have very little effect on the actual metric performance.

open_telnet_port does not get set to its default value  (CR27331)
If you have a redundant configuration and you disable open_telnet_port on the active unit before you synchronize the configuration, the configuration file leaves open_telnet_port at its last state (enabled) rather than disabling it. After you load this type of configuration, we recommend that you check the state of the open_telnet_port setting.

SSL performance degradation when running in ANIP mode  (CR27333)
When you are running the BIG-IP system in ANIP mode, you may experience a 12-15% decrease in SSL performance. This decrease in performance is due to the addition of OpenSSL version 0.9.7a.

Unsupported system_check tool  (CR27354)
The system_check script is running on all BIG-IP platforms. The system_check script is supported only on IP Application Switch platforms. This script does not have any adverse effect on unsupported platforms.

SSL proxy : OCSP hang occurs on client certificate request  (CR27620)
The internal BIG-IP system clock and the responder clock must be synchronized. If they are not synchronized to within 5 minutes of each other, the SSL proxy may hang. In order to keep the clocks synchronized, you can use NTP on the BIG-IP system.
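The 5-minute tolerance above is the kind of skew allowance an OCSP client applies when it compares the responder's timestamps (producedAt, thisUpdate, nextUpdate, all ASN.1 GeneralizedTime) against its own clock. This added example (not code from the release note or the BIG-IP software) shows such a freshness check that reports which field fails, so a clock-skew problem can be spotted before it shows up as a hung proxy; the timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Tolerance stated in the release note: clocks must agree to within 5 minutes.
MAX_SKEW = timedelta(minutes=5)


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form of ASN.1 GeneralizedTime used in OCSP responses."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ocsp_freshness(produced_at: str, this_update: str, next_update: Optional[str],
                   now: datetime, skew: timedelta = MAX_SKEW) -> Tuple[bool, str]:
    """Check an OCSP response's time fields against the local clock with a skew allowance.

    Returns (ok, reason). Each rule is checked in the order a responder-clock
    problem would surface: a responder running ahead makes producedAt/thisUpdate
    look like the future; one running behind makes nextUpdate look already expired.
    """
    produced = parse_generalized_time(produced_at)
    this_upd = parse_generalized_time(this_update)

    if produced - now > skew:
        return False, "producedAt is more than %ds ahead of the local clock" % skew.total_seconds()
    if this_upd - now > skew:
        return False, "thisUpdate is in the future beyond the skew allowance"
    if next_update is not None:
        next_upd = parse_generalized_time(next_update)
        if next_upd < this_upd:
            return False, "nextUpdate precedes thisUpdate"
        if now - next_upd > skew:
            return False, "response has expired (nextUpdate passed)"
    return True, "ok"


# Constructed sample: local clock at noon UTC on the release date.
LOCAL_NOW = datetime(2003, 4, 29, 12, 0, 0, tzinfo=timezone.utc)
```

A response produced at 12:03 passes, while one produced at 12:07 from a responder whose clock is seven minutes ahead is rejected on producedAt; a response whose nextUpdate lies more than five minutes in the past is rejected as expired even if the responder's clock is fine.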

SSL proxy : OCSP status unclear  (CR27621)
The status returned from the inserted header ClientCertStatus may display the incorrect error code, error 1, when a certificate is revoked.

SSL proxy : OCSP has an effect on performance  (CR27622)
If you configure the OCSP feature, you may see an impact on SSL proxy performance.

Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
