- Upgrade installation instructions
- Upgrading from version 1.8.3
- Upgrading from version BETA2.0
- What's new in version 2.0 (since version 1.8.3)
- Bug fixes in version 2.0 (since version 1.8.3)
- Known issues in this release
- Special notes for international customers
- XBigPipe and BIG/load phase-out
Who should upgrade to 2.0?
This release is recommended, but not mandatory, for all customers. It contains significant new features and various bug fixes. When installing BIG/ip 2.0 before December 7, 1998, you will also need to install v2.0PTF-01, as it contains updates to the the F5 Configuration utility and bug fixes. Please refer to the PTF Note Version 2.0PTF-01 for information about updates to version 2.0.
Upgrade installation instructions
These installation instructions are also included in the main tarball.
- If you have any rate classes configured on the BIG/ip controller, you need to back up the /etc/rateclass.conf file before you install this version.
- Click here and follow the instructions for using the F5 Networks FTP site.
- Download the bigip.v2.0.domkit.tar file to the /var/tmp directory
on the target BIG/ip controller (International customers will need to download the bigip.v2.0.intlkit.tar file).
- Extract the bigip.v2.0.domkit.tar file in the /var/tmp directory (International customers will need to extract the bigip.v2.0.intlkit.tar file):
The following files are extracted:
/usr/contrib/bin/gtar -xvpUf bigip.v2.0.domkit.tar
|BIG/ip tar ball ( gzipped )
BIG/ip international tar ball (gzipped)
||List of files to be added for this upgrade
||List of files to be deleted in this upgrade
||List of customized files which will not be changed in this upgrade
- Execute the following command to upgrade to the 2.0 version:
- After the new files are installed, a configuration script for the new BIG/ip web server automatically runs. The setup program asks for an external host name and an internal host name. Two host names are required because the BIG/ip controller sits on two networks and has two IP addresses. If you enter the wrong host name or certificate information when configuring the BIG/ip web server, you can run the reconfig-httpd script to correct the problem.
- Reboot the BIG/ip controller.
- Be sure to review these Release Notes before you begin using the new BIG/ip software.
Warning: Be sure to review the following section, Upgrading from version 1.8.3. There are certain steps you need to do before you begin using the BIG/ip system.
Upgrading from version 1.8.3
- New syntax for SSL Session ID Persistence
The BIG/ip controller no longer supports the bigpipe ssl command. Instead, you set SSL Session ID Persistence when you define a virtual server using the bigpipe vip command with special parameters. When you use BIG/pipe, you can specify SSL settings only at the time you define the virtual server. In the F5 Configuration utility web application, however, you can change SSL settings on existing virtual servers at any time. You do not have to redefine the virtual server itself. For information on SSL Session ID persistence, refer to the section on working with persistence in Chapter 9 of the updated BIG/ip Installation and Users Guide.
- New switch for IP forwarding
Previous versions of the BIG/ip controller used the sysctl variable net.inet.ip.forwsrcrt to control whether packets that were not destined for a virtual server or a NAT were forwarded by the BIG/ip controller. This sysctl variable was being used incorrectly because the functionality that should be controlled by this variable is source-routing, not IP forwarding. Source routing is a relatively obscure IP feature that allows the source of a packet to dictate the specific route a packet would take to get to its destination. We generally recommend that this feature be turned off. This variable should not have been used to control IP forwarding, but it was done because the net.inet.ip.forwarding variable was permanently set to 1 so that the BIG/ip controller could forward traffic to virtual servers. Now, the BIG/ip controller no longer needs net.inet.ip.forwarding to be set to 1. The BIG/ip controller is able to send traffic to virtual servers whether or not IP forwarding is enabled.
IP forwarding is now controlled by the sysctl variable net.inet.ip.forwarding and source-routing is controlled by the sysctl variable net.inet.ip.forwsrcrt. If you have sysctl -w net.inet.ip.forwsrcrt=1 in the /etc/rc.sysctl file, you should replace the line with the lines sysctl -w net.inet.ip.forwsrcrt=0 and sysctl -w net.inet.ip.forwarding=1. This allows traffic to be forwarded through the BIG/ip controller that is not destined for a virtual server or a NAT. Note that the default setting for net.inet.ip.forwarding is now 0, and this default setting is suitable for the majority of BIG/ip controller installations.
- BIG/ip web server reconfiguration issues
If you change the administrative IP address or host name of the BIG/ip controller after installing version 2.0, we recommend that you run the reconfig-httpd command to reconfigure the BIG/ip web server, and regenerate the SSL server certificates (where applicable).
Working with nodes on different logical networks from the BIG/ip controller
- Changes to scp
The scp program included with F-Secure utilities has changed. The newest version displays a progress line that updates as a file is copied. Previously, the scp program did not display a status line. You can add the-q option to scp to disable the status line if desired.
- Enabling and disabling service checking
In the F5 Configuration utility, service checking is enabled by entering values other than 0 for the Service Check Frequency and Service Check Timeout options in the Global Node Port Properties screen. To disable service checking, set the values back to zero (the bigip.conf file is updated when you click Apply). However, if a port is shown as down in the Port Statistics list, then it remains in that state until you reload the bigip.conf file by using the following command:
bigpipe -f /etc/bigip.conf
This information also applies when you are using the command line to turn service checking on or off. You must explicitly save your changes to bigip.conf before reloading the file.
- Change to the rc.local file to support ip and rate filters
The rc.local file has been modified, so that after reboot, the ip and rate filters are automatically re-installed into memory. During the upgrade, rc.local is one of the files that is backed up and replaced with the latest version of the file. If you have previously made changes to your rc.local file (version1.8.3), you will need to modify the new file to reflect these changes.
Upgrading from version BETA2.0
What's new in version 2.0 (since version 1.8.3)
The following highlights the features available in BIG/ip Controller 2.0. These features are documented in detail in the updated BIG/ip Installation and User's Guide.
- BIG/ip Installation and Users Guide
The BIG/ip Installation and Users Guide is updated for BIG/ip controller version 2.0. All F5 customers will receive copies of the new manual. Electronic copies of the manual are also available in PDF and HTML formats. To view the electronic copy, you need to have the Acrobat Reader from Adobe Systems, Inc. You can download the Acrobat Reader from http://www.adobe.com/prodindex/acrobat/readstep.html.
- F5 Configuration utility application
The F5 Configuration utility web application provides a user interface for configuring and monitoring the BIG/ip controller.
- BIG/ip web Server
The BIG/ip platform now includes the BIG/ip web server, which hosts the F5 Configuration utility application, provides downloads including the SNMP MIB and the SSH client, and also provides documentation on third-party components, such as GateD. BIG/ip product packages distributed within the US support SSL connections to the BIG/ip web server, but international product packages do not. See Chapters 3 and 6 for BIG/ip web server configuration information in the BIG/ip Installation and Users Guide. To access the BIG/ip web server:
|For SSL-equipped BIG/ip:
|For non-SSL BIG/ip:
The BIG/ip controller now includes a private F5 MIB. Prior versions of BIG/ip controller supported a very minimal amount of SNMP functionality. In version 2.0, however, SNMP provides access to almost any type of information that is available from the BIG/pipe utility. See Chapter 6 in the BIG/ip Installation and Users Guide.
Note: The BIG/ip MIB has been tested and verified with the MGSoft compiler, as well as UNIX utilities for parsing and compiling MIBs. If you experience inconsistent results with other proprietary MIB compilers, please contact F5 Networks.
- Configuring the web server
When installing the web server, you are prompted for the fully qualified domain name (FQDN) as it would be entered into a browser connecting to your server. These names are used to create the certificates which are used for encrypting data between the browser and the BIG/ip web server. The name you enter for your web server is significant, because the name entered in the browser must match the name in the certificate received from the server. For example, if you enter an IP address in the browser, it will not match the name in the certificate. To avoid Certificate Name Check warnings, you can do one of several things:
- Set up DNS resolution to resolve the name conflict.
- Set up a host file that contains a table of names and their associated IP addresses. This file is stored on your local computer.
- When configuring the web server, use the IP address instead of a server name.
- Configure your browser to ignore the server name mismatch, if you want to allow users to enter an IP address in the browser without receiving a warning message.
- SSL session ID persistence improvements
This version contains a complete redesign of the SSL session ID persistence mechanism. You can enable SSL persistence and set a timeout on individual virtual servers. Using BIG/pipe, you can only set SSL persistence when you create a virtual server. In the F5 Configuration utility application, you can change or define SSL persistence on individual virtual servers at any time. See Chapter 9 in the BIG/ip Installation and Users Guide.
Warning: Do not use SSL persistence with wildcard virtual servers when Transparent Node Mode is enabled. In this situation, SSL persistence creates a conflict that could cause the BIG/ip controller to reboot.
- Additional persistence modes
The BIG/ip controller now allows you to set a persistence mode where multiple persistent connections from a single client always go to the same node. An additional persistence mode allows for multiple persistent connections going to the same virtual address, but to different virtual servers associated with the virtual address, to be sent to the same node. Each of these persistence modes is controlled by a separate system control variable. See Chapter 9 for information about persistence, and Appendix C for information about setting system control variables, in the BIG/ip Installation and Users Guide.
- Extended Application Verification (EAV)
The BIG/ip controller now provides support for modular external service check programs. This feature allows you to extend the BIG/ip controller to verify content in new ways, for new types of servers. External service check programs are developed by customers, or by customers in conjunction with F5 Networks. See Chapter 7 in the BIG/ip Installation and Users Guide.
- Support for 3DNS
The BIG/ip controller now ships with the big3d daemon required for sharing information with the 3DNS WAN High Availability System. Customers who purchase 3DNS systems do not have to copy the big3d daemon onto BIG/ip controllers version 2.0 and above.
- Gigabit Ethernet
Gigabit Ethernet interfaces are now offered as an option on the BIG/ip controller. Contact our Sales staff for information.
- MAC masquerade improvements
Prior versions of the BIG/ip platform implemented MAC masquerading in a way that interfered with the basic operation of Ethernet switches. In version 2.0, however, only the active BIG/ip controller sets its MAC address to the shared MAC address. The standby BIG/ip controller changes its MAC address to the shared MAC address at the moment it becomes active, much in the same way that the BIG/ip controller handles the shared IP alias in a redundant configuration.
- FTP allowed on nonstandard data ports
Changes to the special FTP protocol support now allow use of nonstandard data ports.
- FTP allowed in Transparent Node Mode
Changes to the special FTP protocol support now allow its use with Transparent Node Mode. See Chapter 7 in the BIG/ip Installation and Users Guide.
- Traceroute to a virtual address
The BIG/ip controller now responds to UDP packets for unreachable ports by generating an ICMP packet. This is the proper response to support the popular network test utility, traceroute, for virtual addresses.
- Notation for carriage returns and linefeeds in ECV send strings
In ECV send-strings in /etc/bigd.conf files, an \n is now interpreted as a carriage-return and linefeed when sending strings to servers under test. This makes it easier to compose more complex tests, such as HTTP requests with Authentication headers (see below).
- Support For ECV With Basic HTTP Authentication
The BIG/ip controller now includes a new command to assist in configuring ECV for testing web servers which require Basic HTTP Authentication (username and password). This works for both SSL and non-SSL servers. To run the new command, type auth_compose at the command line. The BIG/ip controller prompts you for the necessary information to automatically add an entry to the /etc/bigd.conf file.
- Termcap Entry For Linux Consoles
The terminal capability database is now updated to include information about Linux consoles.
Bug fixes in version 2.0 (since version 1.8.3)
Various bug fixes to the special FTP protocol support.
- Reliability improvements for ECV
The bug occurred when a search string arrived in the second packet of content.
- NAT for servers that are one or more router hops away from the BIG/ip controller
In 1.8.3, such configurations did not work. This problem is now corrected.
- XBigPipe may crash if a user presses the middle mouse button in a help screen
This problem is now corrected.
- IPFW logging
This corrects a deficiency in the way IPFW was originally integrated into BIG/ip controller kernel.
- BIG/top failure for unsupported terminal type
BIG/top automatically switches to -once mode on unsupported terminals.
- IP source check
Default setting for the sysctl variable, net.inet.ip.sourcecheck is changed to 0 in the /etc/rc.sysctl file.
Known issues in this release
- If you regenerate your certificates and then connect to the BIG/ip web server using a Netscape browser, you may receive the following message, "The server received bad data from the client." Netscape appears to use a cached version of the original certificate. To fix this problem:
- On the Navigation toolbar, click Security.
The Security Info dialog displays.
- Under Certificates, click Web Sites.
The dialog now displays all existing certificates in the list.
- Select the appropriate certificate. For example, bigip.external.net.
- Click Delete.
- Repeat steps 3 and 4, if necessary, for other certificates.
- Click OK.
- Close the Netscape browser.
- Restart the Netscape browser to continue working.
- If you run the F5 Configuration utility using a Netscape browser on a UNIX system, you may experience display anomalies when you resize the browser window.
- If you have any rate classes configured on the BIG/ip controller, you need to back up the /etc/rateclass.conf file before you install the upgrade.
- When setting up a network address translation (NAT), if you specify a NAT netmask without also specifying a NAT broadcast, the F5 Configuration utility generates an incorrect default broadcast address of >0.0.0.0. Once you reboot the BIG/ip controller, the NAT is no longer available. If you want to assign a netmask to a NAT, you must also specify a valid broadcast when using the F5 Configuration utility. This issue has been resolved in v.2.0PTF-01 . You can now define the netmask and broadcast when you create a virtual server on the Virtual Servers screen, as well as from the Virtual Address Properties screen.
- Instructions for configuring sendmail have been updated.
Special notes for international customers
The SSH secure shell is required to remotely administer the BIG/ip controller using command line utilities or X-Windows interfaces. This approach uses public-key cryptography to provide the highest level of security. Unfortunately, such a product is not exportable under the laws of the United States. Domestic versions of the BIG/ip platform include copies of a commercial version of SSH for Windows and UNIX, called F-Secure SSH. International customers should obtain their own copies of SSH.
F-Secure for Windows, Macintosh, and UNIX is available commercially from Data Fellows:
|Data Fellows Inc.
F-Secure SSH Sales
675 N. First Street, Suite 605
San Jose, CA 95112
tel (408) 938 6700
|Data Fellows Ltd.
F-Secure SSH Sales
tel +358-9-478 444
A free version of SSH for UNIX is available from: SSH Home Page.
The secure sockets layer is recommended for secure administration via the BIG/ip web server, and is necessary for performing extended content verification (ECV) on SSL servers behind the BIG/ip controller. Unfortunately, SSL implementations are not exportable under the laws of the United States. BIG/ip controller products distributed within the US include SSL pre-installed. International customers should obtain their own copies of SSL. Contact F5 Networks Support for information on obtaining SSL for the BIG/ip controller.
XBigPipe and BIG/load phase-out
- Version 2.0 is the last version of the BIG/ip platform that includes the X-Windows based tools, XBigPipe and BIG/load. XBigPipe is superseded by the new web based application, the F5 Configuration utility.