Applies To:

Show Versions Show Versions

Archived Release Note: BIG-IP Link Controller version 4.5.11 Release Note
Release Note

Software Release Date: 12/03/2004
Updated Date: 03/05/2007

This article has been archived, and is no longer maintained.

Summary:

This release note documents version 4.5.11 of the Link Controller® software. You can apply the software upgrade to version 4.2 and later. For information about installing the software, please refer to the instructions below.

F5 now offers both maintenance and new feature releases. Version 4.5.11 is a maintenance release which includes security updates and enhancements that stabilize the version 4.5 software, but it contains no major new features. For more information on our new release polices, please see New Versioning Schema for F5 Software Releases.

Note: As of 4/7/05, we have changed and renamed the IM packages to prevent the configuration synchronization issue, where, on rare occasions, when you upgrade your system to version 4.5.11, the local LDAP database becomes corrupt, and breaks the configuration synchronization from the failover unit.

The new IM package prevents this configuration synchronization problem from occurring on upgrade, but the package does not repair a corrupt LDAP database. For instructions on how to restore a corrupt LDAP database, see SOL2499: How do I recreate the LDAP database if slapd will not start or will not authenticate? on the AskF5 Technical Support Web Site.

Contents:

- Adding a Link Controller to a 3-DNS sync group
- Configuring the fallback method for inbound load balancing
     - Forwarding non-IP traffic through VLAN groups and redundant systems (CR29806, CR29334)
     - ICMP monitors for self IP addresses, wildcard virtual servers, and link status (CR27998)


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • Intel® Pentium® III 550MHz processor
  • 512MB disk drive or CompactFlash® card
  • 256MB RAM

The supported browsers for the Configuration utility are:

  • Microsoft® Internet Explorer 5.0, 5.5, and 6.0
  • Netscape® Navigator 4.7x
[ Top ]

Installing the software

Important:  If you are upgrading a Link Controller redundant system, you must upgrade both units. We do not support running different versions on a Link Controller redundant system. Additionally, If you are updating the Link Controller module on a BIG-IP system, refer to the BIG-IP version 4.5.11 note for instructions on installing the upgrade.

Important:  If you are upgrading an IP Application Switch or a Link Controller unit that uses a CompactFlash® media drive, use the installation instructions here.

Note:  If you have installed prior releases, this installation does not overwrite any configuration changes that you made for prior releases.

The following instructions explain how to install the BIG-IP Link Controller software version 4.5.11 onto existing systems running version 4.5 and later. The installation script saves your current configuration.

  1. Go to the Downloads site and locate the BIG-IP 4.5.11 upgrade file, BIGIP_4.5.11_Upgrade-a.im.

  2. Download the software image and the BIGIP_4.5.11_Upgrade-a.md5 file.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  3. If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your BIG-IP system.

  4. Install the IM by typing the following command:

    im BIGIP_4.5.11_Upgrade-a.im

    The Link Controller automatically reboots once it completes installation.

To upgrade an IP Application Switch or a CompactFlash media drive, use the following process.

  1. Create a memory file system, by typing the following:

    mount_mfs -s 200000 /mnt

  2. Go to the Downloads site and locate the BIG-IP 4.5.11 upgrade file, BIGIP_4.5.11_Upgrade-a.im.

  3. Download the software image and the BIGIP_4.5.11_Upgrade-a.md5 file.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  4. If you downloaded the image file to a directory other than /mnt, copy the image file to the /mnt directory on your BIG-IP system.

  5. On the BIG-IP unit, run the im upgrade script:

    im /mnt/BIGIP_4.5.11_Upgrade-a.im

    The Link Controller automatically reboots once it completes installation.

Note:  This procedure provides over 90MB of temporary space on /mnt.  The partition and the im package file are deleted upon rebooting.

[ Top ]

Activating the license

Once you install the upgrade and connect the unit to the network, you need a valid license certificate to activate the software. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.

The registration key  is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license.

The dossier  is obtained from the software, and is an encrypted list of key characteristics used to identify the platform.

You can obtain a license certificate using one of the following methods:

  • Automatic license activation

    You perform automatic license activation from the command line or from the web-based Configuration utility of an upgraded unit. This method automatically retrieves and submits the dossier to the F5 license server, as well as installs the signed license certificate. In order for you to use this method, the unit must be installed on a network with Internet access.

  • Manual license activation

    You perform manual license activation from the Configuration utility, which is the software user interface. With this method, you submit the dossier to, and retrieve the signed license file from, the F5 license server manually. In order for you to use this method, the administrative workstation must have Internet access.

Note:  You can open the Configuration utility with Netscape Navigator version 4.7x, or Microsoft Internet Explorer version 5.0, 5.5, or 6.0.

To automatically activate a license from the command line for first time installation

  1. Type the user name root and the password default at the logon prompt.

  2. At the prompt, type license. The following prompts display:

    IP:
    Netmask:
    Default Route:
    Select interface to use to retrieve license:


    The unit uses this information to make an Internet connection to the license server.

  3. After you type the Internet connection information, continue to the following prompt:

    The Registration Key should have been included with the software or given when the order was placed. Do you have your Registration Key? [Y/N]:

    Type Y, and the following prompt displays:

    Registration Key:

  4. Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.

    The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.

  5. You are asked to accept the End User License Agreement.

    The system is not fully functional until you accept this agreement.

  6. You are prompted to reboot the system. Press Enter to reboot.

    The system is not fully functional until you reboot.

To automatically activate a license from the command line for upgrades

  1. Type your user name and password at the logon prompt.

  2. At the prompt, type setup.

  3. Choose menu option L.

  4. The following prompt displays:

    Number of keys: 1

    If you have more than one registration key, enter the appropriate number.

  5. The following prompt displays:

    Registration Key:

    Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
    The dossier is retrieved and sent to the F5 license server, and a signed license file is returned and installed. A message displays indicating the process was successful.

  6. When you are finished with the licensing process, type the following command to restart the services on the system:

    bigstart restart

To manually activate a license using the Configuration utility

  1. Open the Configuration utility according to the type of BIG-IP unit you are licensing:

    • If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.

    • If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the units local area network.
  2. Type the user name and password, based on the type of BIG-IP unit you are licensing:

    • If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.

    • If you are licensing a new BIG-IP system, type the user name root, and the password default at the logon prompt.
    The Configuration utility menu displays.

  3. Click License Utility to open the License Administration screen.

  4. In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Manual Authorization.

  5. At the Manual Authorization screen, retrieve the dossier using one of the following methods:

    • Copy the entire contents of the Product Dossier box.

    • Click Download Product Dossier, and save the dossier to the hard drive.
  6. Click the link in the License Server box.

    The Activate F5 License screen opens in a new browser window.

  7. From the Activate F5 License screen, submit the dossier using one of the following methods:

    • Paste the data you just copied into the Enter your dossier box, and click Activate.

    • At the Product Dossier box, click Browse to locate the dossier on the hard drive, and then click Activate.
    The screen returns a signed license file.

  8. Retrieve the license file using one of the following methods:

    • Copy the entire contents of the signed license file.

    • Click Download license, and save the license file to the hard drive.
  9. Return to the Manual Authorization screen, and click Continue.

  10. At the Install License screen, submit the license file using one of the following methods:

    • Paste the data you copied into the License Server Output box, and click Install License.

    • At the License File box, click Browse to locate the license file on the hard drive, and then click Install License.
    The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.

  11. Click License Terms, review the EULA, and accept it. The system is not fully functional until you accept this agreement.

  12. At the Reboot Prompt screen, select when you want to reboot the platform.
    License activation is complete only after rebooting.

To automatically activate a license using the Configuration utility

  1. Open the Configuration utility according to the type of BIG-IP unit you are licensing:

    • If you are licensing a previously configured BIG-IP unit, open the Configuration utility using the configured address.

    • If you are licensing a new BIG-IP unit, from the administrative workstation, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the units local area network.
  2. Type the name and password, based on what type of BIG-IP unit you are licensing:

    • If you are licensing a previously configured BIG-IP unit, type your user name and password at the logon prompt.

    • If you are licensing a new BIG-IP unit, type the user name root, and the password default at the logon prompt.
    The Configuration utility menu displays.

  3. Click License Utility to open the License Administration screen.

  4. In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Automated Authorization.

    The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.

  5. Click License Terms, review the EULA, and accept it. The system is not fully functional until you accept this agreement.

  6. At the Reboot Prompt screen, select when you want to reboot the platform.

    License activation is complete only after rebooting.
[ Top ]

Fixes and enhancements in this release

This release includes the following fixes and enhancements.

Auto-discovery and 127.0.0.X addresses (CR27252)
The auto-discovery process now excludes any addresses on a BIG-IP system that are in a non-routable address space (for example 127.0.0.2).

User roles in a redundant system configuration  (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is copied over to the other unit correctly.

Hops calculations for Hops load balancing mode (CR27878)
In this release the 3-DNS Controller correctly calculates the number of hops for the Hops load balancing mode. In previous releases this issue caused all configured links to appear to use the same number of router hops.

The named-xfer command and transferring zone files (CR28497)
If you use the named-xfer command to transfer zone files from the command line, the command no longer incorrectly translates the ORIGIN address as the CNAME address.

Error message in Configuration utility and valid range for VLAN tags  (CR29793)
The allowable values for VLAN tags are 1 through 4094. If you inadvertently specify a value that is outside of the allowable range, the error message now indicates the correct set of allowable values.

Load balancing decisions that result in a tie  (CR30583)
The function that selects objects at random in cases where there is a load balancing decision that results in a tie works correctly in this release.

Viewing the Link Configuration options from the Configuration utility  (CR31005) (CR30560)
If you log in to the Link Controller system as one of the following user types: Web Read Only, Partial Web Read/Write, or CLI + Full Web Read Write, you no longer receive errors when you attempt to view any of the Link Controller-specific options under Link Configuration. In addition, if you log in to the system as a CLI + Full Web Read/Write user, you now have read/write access to this portion of the Configuration utility.

Disabling a data center with the Principal 3-DNS Controller  (CR31551)
The 3-DNS system now checks to make sure that the principal 3-DNS Controller is in a data center that is enabled. In previous releases, if you disabled a data center that included the principal 3-DNS Controller in a sync group, the 3-DNS Controller was disabled by inheritance. This disabled probing, which in turn caused all objects in the network to be marked as down.

One-time auto-discovery option  (CR32974) (CR32975)
In this release, the one-time auto-discovery option in the Setup utility runs only the first time you use the Setup utility. If you want to run this utility again, type the following:

b db set Local.Bigip.FTB.Autoconfig = Y

To apply this change, you must use the 3ndc restart command, or restart the 3dnsd daemon.

3dpipe syncgroup <syncgroup_name> show servers command  (CR34472)
If you use the 3dpipe syncgroup <syncgroup_name> show servers command, the system no longer incorrectly displays the principal 3-DNS system as a receiver.

Router probing using SNMP version 1  (CR36863)
The SNMP version 1 router and probing metrics for 64 bit integers are now calculated correctly.

Virtual server capacity load balancing  (CR36926)
When using the virtual server capacity load balancing mode, the Link Controller verifies that a virtual server is enabled before responding with the virtual server address.

Selecting links for probing  (CR36998)
If you have links defined, the 3dnsd utility now selects the best link to handle probing in all cases. In previous releases, the 3dnsd utility may have selected the best data center to handle probing instead of the best link.

Link traffic distribution using total traffic  (CR37131)
This release includes a new global variable, link_use_total_metrics, that allows you to configure traffic distribution for links using both egress and ingress traffic. By default, the system uses ingress traffic to control egress traffic, and the reverse.

Address translation for routers and link display  (CR37308)
If you have address translation configured for routers, links now display correctly in the BIG-IP Link Controller Configuration screen.

BIND root.hint file  (CR38838)
The BIND root.hint file is updated in this release.

libpng read security vulnerabilities  (CR39078)
The libpng read security issues described in the following CERT® vulnerability notes are addressed in this release:

  • VU#388984
  • VU#236656
  • VU#160448
  • VU#477512
  • VU#817368
  • VU#286464

For more information on the resolved security issues, see the CERT web site at http://www.cert.org.

[ Top ]

Fixes and enhancements in prior maintenance releases

The current release includes the fixes and enhancements that were distributed in prior maintenance releases, as listed below. (Prior releases are listed with the most recent first.)

Version 4.5.10

The auto-discovery process and obsolete self IP addresses  (CR29638)
The auto-discovery process now deletes obsolete self IP addresses.

LOAD-BAL-SYSTEM-MIB.txt file and service status object IDs  (CR30531)
The LOAD-BAL-SYSTEM-MIB.txt file now has object IDs (OIDs) defined for the up and down status of a service.

Configuration utility weathermap  (CR28023)
If you configure more than one link and create a wide IP that uses load balancing, when you view the Configuration utility weathermap, all configured links display data correctly.

File descriptors for named  (CR30283)
The maximum number of file descriptors used by the named process has been increased to 4096.

Default routes and specifying a router for path probing  (CR30310)
If you have not configured a default route, but you specify a router for path probing, the big3d agent now correctly uses the specified route instead of issuing an error message when the agent cannot find a default route.

The checktrap.pl script and the enterprise OID in traps  (CR31119)
When the checktrap.pl script issues traps, it sends the BIG-IP enterprise OID instead of the 3-DNS OID in the trap.

Version 4.5.9

OneConnect issue in BIG-IP version 4.5 PTF-08 causes random sessions to time out  (CR30588)
We have discovered a serious issue in BIG-IP version 4.5 PTF-08 that causes HTTP POST timeouts when delayed binding is configured. This issue may also prevent web pages from loading or displaying correctly. We have corrected this issue in this release.

BIND Vulnerability VU#734644, ISC BIND 8 vulnerable to cache poisoning via negative responses (CR30822)
This release includes BIND version 8.3.7. This version of BIND addresses the BIND vulnerability that is described in Vulnerability Note VU#734644 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/734644.

Version 4.5 PTF-08

Redundant systems and synchronizing the regkey.license file  (CR27020)
When you save a .ucs file or run the b config sync command on a unit in a redundant system, the processes no longer synchronize the regkey.license file between the two units. Note that this issue affected only redundant systems.

New option to save UCS files without including private keys  (CR27236)
You can now save a UCS file without including the private keys stored in the /config/bigconfig/ssl.key directory (only keys from this directory are excluded). To create a UCS file that does not include these private keys, use the following bigpipe command:

b config support save <filename>

Sync groups and the default wideip.conf file  (CR27366)
If you manage your Link Controllers using a sync group, and on one of the sync group members you delete the wideip.conf file and then restart the 3dnsd daemon, the 3dnsd daemon creates a new default wideip.conf file that contains only basic system configuration information. The new wideip.conf file no longer causes the sync process to overwrite the wideip.conf file of the other sync group members with the newer file, effectively erasing the real configuration.

Viewing router and link status in the Configuration utility  (CR27776)
The router status now displays correctly on the Metrics & Limits statistics screen, in the Configuration utility, when all the links for a router are down (red ball).

Parent object status and associated pools and virtual servers  (CR27920)
If a link or pool has a status of gray (never available to the system for load balancing), any associated child objects, such as virtual servers, now inherit the status of the parent object and are not available for load balancing.

Using virtual servers associated with rules for outbound load balancing in wide IPs  (CR28024)
When you associate a virtual server with a rule for inbound load balancing, that virtual server is now available for outbound load balancing also, in a wide IP. Previously, only virtual servers that were members of inbound load balancing pools were available for wide IPs.

Upgrades and overwriting the 3dns_snmptrap.conf file  (CR28152)
When you upgrade to the current PTF, the upgrade no longer overwrites the existing 3dns_snmptrap.conf file during the upgrade process. If you have added custom traps to the file, you no longer need to create a backup file before you apply the upgrade.

The checktrap.pl script and the enterprise OID in traps  (CR29481)
When the checktrap.pl script issues traps, it now sends the correct enterprise OID in the trap.

Timer error in BIND  (CR29795)
A rare issue with timer updates in the BIND version 8 code has been fixed.

Version 4.5 PTF-07

Error messages in the Link Configuration screens in the Configuration utility (CR26851, CR27177)
The Link Controller no longer generates intermittent JSP 500 error messages when you change settings on the Link Configuration screens.

New CORBA Watchdog  (CR27991)
This release contains a new monitor that checks the health of F5 CORBA and iControl related daemons. In order for CORBA and iControl to function properly, if any of these daemons fail, the monitor restarts all CORBA related daemons.

Version 4.5 PTF-06

There were no features or fixes for the BIG-IP Link Controller in version 4.5 PTF-06.

Version 4.5 PTF-05

The 4.5 PTF-05 release included the following features and fixes.

Specified gigabit duplex setting on switches with fixed duplex settings  (CR27755)
If the BIG-IP system is using gigabit interfaces and is plugged into a switch with a fixed duplex setting, you no longer need to configure both the BIG-IP system's gigabit interface and the port on the switch to Auto before applying this PTF. The link between the BIG-IP system and the switch now functions correctly.

Router link status no longer displays incorrectly  (CR27756)
Receiver 3-DNS Controllers in a sync group now correctly probe the state of the router links that are in their own data center. When the controller monitors virtual servers in the same data center, the virtual servers inherit the correct state of the router link.

Version 4.5 PTF-04

The 4.5 PTF-04 release included the following features and fixes.

SNMP trap sink  (CR19769, CR24111)
The SNMP trap source is now an IP address that is routable to the trap sink.

Rebooting the system and lost interrupt error message  (CR19813)
In certain circumstances when you reboot, you no longer receive the error message wd0: lost interrupt.

Changing the CORBA port number using the Configuration utility (CR19780)
You can no longer change the CORBA port number using the Configuration utility. The CORBA IIOP port should be set only to the default setting of 683.

SNMP checktrap  (CR21701)
When the port for the node that is being marked up or down is any, checktrap now correctly identifies the port.

Windows uploads (CR22043)
Delayed acknowledgement packets (ACKs) no longer restrict Windows uploads at 40K per second.

Default wildcard ports  (CR22191)
Default wildcard ports now can use ICMP monitoring.

Network virtual servers  (CR22203)
You can now create more than 1024 network virtual servers without causing the BIG-IP system to become unstable.

Short-lived rapid connections from the same source IP  (CR22232)
When dealing with short-lived rapid connections from the same source IP address, the BIG-IP system no longer arbitrarily resets some packets.

SNMP traffic and a VLAN that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled no longer passes SNMP traffic unless you have explicitly enabled the SNMP port using the open_snmp_port global setting.

Connection and packet display statistics with the bigtop utility (CR22709)
Connection and packet statistics now display correctly when you run the bigtop utility.

Upgrading from version 4.3 to version 4.5 and duplex billing status (CR23053, CR24773)
When you upgrade your Link Controller from version 4.3 to version 4.5, the upgrade process no longer enables duplex billing support, by default, for the links in your configuration.

Using a VLAN group configuration in transparent or translucent mode (CR24409)
You can now configure the BIG-IP system to bridge between two VLANs in either transparent or translucent mode without creating duplicate packets.

Upgrades and process checking in the snmpd.conf file (CR24450)
When you upgrade the software, the process checking entries (proc) in the snmpd.conf files are no longer populated with incorrect values.

Remote LDAP authentication and login errors (CR24487)
If you mistype the login name, and you are using remote LDAP authentication rather than RADIUS authentication, you no longer see a RADIUS error message.

Enabling one-time automatic discovery in the Setup utility (CR24565)
The Setup utility now includes an option to enable automatic discovery of the local system's configuration, and its peer's configuration, if applicable, when you run the Setup utility for the first time. This option is most useful if you are running the Link Controller module on a BIG-IP system.

Audit logs now show the correct user name (CR24600)
The audit logs now show the correct user name when a user makes configuration changes.

SNMP virtualAddressEntry table and wildcard virtual servers (CR24647)
The SNMP virtualAddressEntry table can now handle wildcard virtual servers.

Setting prepaid segments all to 0 (zero) and Over Prepaid setting on the Link Statistics screen (CR24680)
On the Link Statistics screen, in the Configuration utility, the Over Prepaid statistic now properly displays as No, under the following conditions:

  • You do not set any bandwidth limits when you create the link
  • You set the Prepaid Segment, on the Link Weighting screen, to 0 (zero)

Configuring the default gateway pool (CR24717, CR24740)
If you add only one default route when you run the Setup utility, the utility does not create a default gateway pool. If you then add a second link (and route) using the Link Configuration screen in the Configuration utility, the utility creates a default gateway pool and adds the second router to the pool. This process now automatically adds the first default route to the newly-created default gateway pool.

Name field on the Add VLAN Group and VLAN Group Properties pages (CR24719)
The maximum number of characters for a VLAN group name is 15 characters.

Monitor names in the Configuration utility and from the command line (CR24864)
Monitor names typed in the Configuration utility and the command line are no longer limited to 31 characters.

LDAP authentication and user names (CR24880)
If you use LDAP authentication, and you use the user name, user, the system no longer fails to update the configuration.

Audit logs and resetting statistics for services (CR24923)
The audit logs now correctly show the services when you reset statistics with the command b global stats reset.

Resetting statistics for node server (CR24924)
The audit logs now correctly show when you reset the statistics for a node server.

Gratuitous ARPs with MAC masquerading and VLAN failsafe configured (CR24925)
Gratuitous ARPs are now handled correctly in an active/standby redundant scenario with MAC masquerading and VLAN failsafe configured. When the active unit detects no traffic on the VLAN, such as when the cable is unplugged, or the unit is rebooted, the other unit becomes active. When the unit that was demoted to standby reboots, it now sends a gratuitous ARP for its self IP addresses.

SSH key generation now uses hardware random number generators when available (CR24955)
The BIG-IP system now uses hardware random number generators (when available) if you try to log in from an SSH client for which the BIG-IP system does not have a valid key. This increases the security of DSA host keys, and reduces the probability that the key can be guessed or that a random key collision could occur.

Reaper no longer sends RSTs for unaccepted, timed-out connection requests (CR24984)
We have corrected a problem that could be caused if a packet was sent from a client through a virtual server to a server, and the server did not answer before the connection timeout was reached, the reaper sent a reset packet (RST) in both directions.

TCP SYN packet to self IP that matches TIME_WAIT connection now handled correctly (CR24993)
If a TCP SYN packet is received for a self IP, and it matches an old connection that is in TIME_WAIT state (same source and destination address and port), the system no longer deletes the old connection and creates a new one.

Invalid OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the appropriate object identifier (OID) associated with it.

Connection table entry reaping for UDP packets with node address disabled (CR25186)
We have corrected a problem where in rare circumstances, connection table entries were not reaped for UDP packets when the node address was disabled.

MAC masquerade addresses and forcing a system to standby (CR25453)
When you purposefully change the state on a BIG-IP unit in a redundant system from active to standby, the first octet of the MAC address for any self IPs that you have configured no longer changes to 02. This happened only under certain conditions.

Turning off Total Traffic Limit after setting all limits (CR25466)
In the Configuration utility on the Link Configuration screen, you can now turn off the total traffic limit for a link once you have configured a limit for total traffic.

bigpipe interface show command returns data for interfaces (CR25470)
The bigpipe interface show command now returns data for interfaces that are passing traffic.

SNMP: enterprises.ucdavis.memory.* OID now returns valid information (CR25488)
The enterprises.ucdavis.memory.* now returns valid information.

Associating multiple monitors with the same service (CR25572)
You can now associate multiple monitors with the same service with the Configuration utility and not receive the message Error 132 - Monitor template not found.

Logging the forced down state for nodes (CR25614)
When you force a node to the DOWN state using the Configuration utility, or from the command line, the forced down state is now logged in the /var/log/bigd file.

Synchronizing Link Controllers with 3-DNS Controllers (CR25753)
If your network includes both 3-DNS Controllers and Link Controllers, you can add the Link Controllers to the 3-DNS sync group, if you have one configured. For details on adding a Link Controller to a 3-DNS sync group, see the Adding a Link Controller to a 3-DNS sync group section of this PTF note.

New proxy ARP exclusion class (CR25801)
You can now create a proxy ARP exclusion class on the Link Controller, proxy_arp_exclude. Use this class to prevent the Link Controller from generating gratuitous ARP requests to its peer unit when you have a redundant system. To configure the proxy_arp_exclude class, in the navigation pane, click Classes, and then click the Add Class button. (For assistance with the settings, click the Help button.) You can also find information about the proxy_arp_exclude class in the BIG-IP Reference Guide, version 4.5.

If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. We recommend that you configure this feature if you use VLAN groups with a BIG-IP redundant systems. The reason is that both BIG-IP units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents traffic from being proxied through the active BIG-IP due to proxy ARP. This traffic needs to be sent directly to the destination, not proxied.

If you do not configure a proxy ARP exclusion group for systems configured with VLAN groups, you may see problems such as:

  • Nodes being marked down for a period of time after a failover.
  • The inability to access resources through the active BIG-IP unit when there are multiple physical or logical connections to the same VLAN group (especially likely to be noticed when there are multiple connections between the active and standby BIG-IP units).

Reboot of standby 2400 unit and connectivity with the active unit (CR26078)
We have corrected a problem where in certain cases, on the 2400 platform with network failover configured, rebooting the standby unit in an active/standby redundant configuration caused the active unit to lose existing connections. We recommend that if you require network failover, you configure the admin ports (port number 3.1) for failover.

Multiple VLAN SNATs when virtual servers are fully accelerated (CR26242)
On a platform with the Packet Velocity ASIC, when you have multiple VLAN SNATs configured, they are now partially accelerated when virtual servers are fully accelerated.

The b load command and connection limits (CR26451)
The b load command no longer causes connection limits to break.

The bigpipe command and values for ip_tos (CR26478)
The bigpipe command now limits the possible values for ip_tos to the correct value range (0 - 255).

The OpenSSL package has been upgraded (CR26518)
The OpenSSL package has been upgraded to version 0.9.7a. This upgrade addresses several recent security issues with OpenSSL. For more information on the resolved security issues, see the CERT web site at http://www.cert.org.

Port translation default settings for the Configuration utility and command line (CR26543)
The following settings are the default port translation settings for both the Configuration utility and the command line:

Type of object Port Translation
net:* disabled
ip:* disabled
vlan:* disabled
*:* disabled
ip:port enabled
net:port enabled
vlan:port enabled
*:port disabled

Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic can not pass through the system.

Log rotation for the ITCM.log file (CR26781)
The frequency of the log rotation for the ITCM.log file has been increased from once every 7 days to once every 24 hours. This improves the system efficiency if you are monitoring the controller with the iControl Services Manager.

Admin password for authentication and updating the configuration (CR26824)
The adminpw setting is now saved correctly when you load a configuration using the b config load command.

bge message on reboot (CR26827)
You no longer see the following message when you reboot the 1000 and 5100 series platforms:

bge0: bge_wait_bit_clr timeout: reg=0x468 mask=0x2

Network virtual server loading in a particular order with others on the same subnet (CR26988)
We have corrected a problem that was preventing network virtual servers on the same subnet from working if they were not ordered in the /conf/bigip.conf file in a particular order.

Transaction level on systems monitored by the iControl™ Services Manager (CR27192)
We have reduced the quantity of transactions generated on systems monitored by the iControl Services Manager.

Configuration utility: display warning if product is licensed however the EULA has not been accepted (CR27215)
A warning is now displayed if the system is licensed but you have not accepted the EULA.

Understanding the system_check script
The system_check script is useful for displaying and logging hardware failures. For more information about the system_check script, please refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

Configuring SYN Check
The new SYN Check™ feature mitigates a particular type of denial-of-service attack known as a SYN flood. A SYN flood is an attack against a system for the purpose of exhausting that systems resources. For more information about configuring the SYN Check feature, refer to the BIG-IP New Features Guide for version 4.5 PTF-04.

Script to set up core capture
We have added a new script to automate core capturing on a BIG-IP system, if the system has a hard drive. The script runs automatically after you install this PTF and reboot the system. It provides functionality to enable and disable core capture.

After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.

You can disable this functionality with the following command:
config_savecore -disable

You can re-enable the functionality with the following command:
config_savecore -enable

Important: As long as this functionality is enabled, you see the message savecore: no core dump during boot time.

Version 4.5 PTF-03

There were no features or fixes for the BIG-IP Link Controller in version 4.5 PTF-03.

Version 4.5 PTF-02

The 4.5 PTF-02 release included the following features and fixes.

Enhancements to inbound load balancing
This PTF adds a new load balancing method, fallback, and two new load balancing modes for the fallback method, drop_packet and explicit_ip. The fallback method and load balancing modes are applicable to inbound load balancing only. The Link Controller uses the fallback method when the preferred and alternate load balancing modes do not provide an available virtual server to return as an answer to a query. When you specify the drop_packet mode, the Link Controller does nothing with the packet, and simply drops the request. (Note that a typical LDNS server iteratively queries other authoritative name servers when it times out on a query.) When you specify the explicit_ip mode, the 3-DNS Controller returns the IP address that you specify as the fallback IP as an answer to the query. Note that the IP address that you specify is not monitored for availability before being returned as an answer. When you use the explicit_ip mode, you can specify a disaster recovery site to return when no load balancing mode returns an available virtual server.

You can configure the fallback method only from the command line. For information on configuring the fallback method and load balancing mode, see the Configuring the fallback method for inbound load balancing section of this PTF note.

UDP checksums and TFTP packets  (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.

Resets (RSTs) with incorrect sequence numbers   (CR22219)
Resets (RSTs) from aging-out connections no longer cause some connections to hang due to incorrect sequence numbers for the resets.

Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.

iControl BaseServer::get_interfaces function and the 3dnsd process (CR24912)
The following iControl function, ITCMGlobalLB::BaseServer::get_interfaces, no longer causes the 3dnsd process to stop running when you specify an invalid type within the function.

Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.

Invalid metrics statistics and graphs for down remote links (CR25146)
The Link Statistics screen, in the Configuration utility, no longer displays very large, invalid values for remote links that are down (red ball). The link statistics graphs now accurately display the data for both the link that is down, and any available links.

Using a serial terminal as a console (CR25183)
This PTF fixes the serial terminal as the console functionality, as described in the 3-DNS Reference Guide, Chapter 6, Monitoring and Administration, so that it works with all 2U controller platforms.

Version 4.5 PTF-01

The 4.5 PTF-01 release included the following features and fixes.

CA-2002-31, Multiple Vulnerabilities in BIND
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.

Support for the 2400 platform
This release includes enhanced support for the F5 Networks 2400 platform.

Viewing licensing error log files from the Configuration utility (CR25055)
You can now view the log files for errors that occur during the licensing process using the Configuration utility. A View Log File button appears on the licensing screen when the licensing process generates errors.

[ Top ]

Optional configuration changes

Once the software is installed, you have the option of making any or all of the following configuration changes.

Adding a Link Controller to a 3-DNS sync group

If you have both 3-DNS Controllers and one or more Link Controllers in your network, you can add the Link Controllers to the 3-DNS Controllers' sync group, in a few simple steps. There are three tasks to adding a Link Controller to a 3-DNS sync group:

  • Run the merge_configs script on the sync group's principal controller.

  • Add the Link Controller to the sync group using the principal controller's Configuration utility.

  • Run the 3dns_add script on the Link Controller.

The following sections explain the specific steps for each of the previous tasks. You must perform these tasks in the order they are listed.

Important: Before you add the Link Controller to the 3-DNS sync group, we recommend that you back up both the 3-DNS configuration and the Link Controller configuration.

To run the merge_configs script

From the command line on the principal 3-DNS Controller, run the merge_configs script by typing the following command, where <ip_address>is the IP address of the Link Controller that you want to add to the sync group.

/usr/local/bin/merge_configs -peer <ip_address>

To make the sync group aware of the Link Controller

Using the Configuration utility on the principal 3-DNS Controller, add the Link Controller to the sync group.

  1. In the navigation pane, click 3-DNS Sync.

    The Synchronization screen opens.

  2. On the toolbar, click Add to Group.

    The Add a 3-DNS to a Sync Group screen opens.

  3. Check the box next to the controller that you want to add to the sync group, and click Add.

To add the Link Controller to the sync group and start synchronization

The final step in adding the Link Controller to a 3-DNS sync group is to run the 3dns_add script on the Link Controller. The script moves the synchronized configuration to the Link Controller, and finalizes the sync group setup.

  • From the command line of the Link Controller, run the 3dns_add script.

    3dns_add

    The script runs, and finalizes the setup of the sync group.
[ Top ]

Configuring the fallback method for inbound load balancing

You can configure the fallback method using the new load balancing modes either by using the Configuration utility, or by editing the wideip.conf file from the command line. You can specify either the Drop Packet load balancing mode, or the Explicit IP load balancing mode. Note that if you specify the Explicit IP mode, you also specify a fallback IP address.

To configure the fallback method with the Drop Packet mode using the Configuration utility

  1. In the navigation pane, expand the Link Configuration item, and then click Inbound LB.

    The Wide IP list screen opens.

  2. In the Wide IP column, click the name of the wide IP that you want to modify.

    The Wide IP Properties screen opens.

  3. Click the Wide IP Load Balancing tab.

    The Load Balancing Options screen opens.

  4. In the Fallback box, select Drop Packet.

  5. Click Apply.

    The Configuration utility updates the configuration with the changes.

To configure the fallback method using the drop_packet mode from the command line

  1. To ensure that the configuration files contain the same information as the memory cache, type the following command:

    3ndc dumpdb

  2. Open the /etc/wideip.conf file in a text editor (either vi or pico).

  3. Use the syntax highlighted in the sample below to configure the fallback method with the drop_packet mode.

  4. Save and close the file.

  5. Commit the changes to the configuration by typing:

    3ndc reload
Syntax example for the Drop Packet (drop_packet) load balancing mode.

wideip {
...
   pool {
      name     "Pool"
      dynamic_ratio     yes
      preferred     qos
      alternate     rr
      fallback     drop_packet
      address     <vs_ip_address>
      address     <vs_ip_address>

To configure the fallback method with the Explicit IP mode using the Configuration utility

  1. In the navigation pane, expand the Link Configuration item, and then click Inbound LB.
    The Wide IP list screen opens.

  2. In the Wide IP column, click the name of the wide IP that you want to modify.

    The Wide IP Properties screen opens.

  3. Click the Wide IP Load Balancing tab.

    The Load Balancing Options screen opens.

  4. In the Fallback box, select Explicit IP.

  5. In the Fallback IP box, type the IP address for the server or host to which you want the Link Controller to forward the packet.

  6. Click Apply.

    The Configuration utility updates the configuration with the changes.

To configure the fallback method with the explicit_ip mode from the command line

  1. To ensure that the configuration files contain the same information as the memory cache, type the following command:

    3ndc dumpdb

  2. Open the /etc/wideip.conf file in a text editor (either vi or pico).

  3. Use the syntax highlighted in the sample below to configure the fallback method with the explicit_ip mode.

  4. Save and close the file.

  5. Commit the changes to the configuration by typing:
    3ndc reload
Syntax example for the Explicit IP (explicit_ip) load balancing mode.

wideip {
...
   pool {
      name     "Pool"
      dynamic_ratio     yes
      preferred     qos
      alternate     rr
      fallback     explicit_ip
      fallback_ip     <ip_address>
      address     <vs_ip_address>
      address     <vs_ip_address>
[ Top ]

Known issues

The following items are known issues in the current release. Maintenance release known issues are cumulative, and include all known issues for a release.

Setting active-active mode using the web-based Configuration utility  (CR19794)
With network failover enabled, you cannot use the Configuration utility to configure active-active mode. When you have network failover enabled, use the command line interface to set active-active mode.

Values for Link Limits  (CR20744)
On the Modify Link screen in the Configuration utility, when you type values for bandwidth limits, and you type a number that is not divisible by 8, the Configuration utility rounds the value to the next lowest number that is divisible by 8.

Manually deleting connections handled by the Packet Velocity ASIC (CR22494)
Manually deleting connections that are handled by the Packet Velocity™ ASIC does not generate a TCP reset.

Using the MGMT interface on units that include the Packet Velocity ASIC (CR22599)
It is important that you use the MGMT interface (3.1) for system administration only on units that include the Packet Velocity ASIC. We recommend that you do not use the MGMT interface on a VLAN you plan to use for load balancing traffic.

Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.

Layer 2 (L2) forwarding two VLANs on one interface  (CR23460)
When a VLAN group is bridging across the internal and external VLANs with the same IP network on both sides of the BIG-IP system, and you configure only one interface, with VLAN tags for both internal and external VLANs, the network becomes unusable. In this type of configuration, you need to configure one interface for each VLAN in the VLAN group in order for the BIG-IP system to function correctly.

Titles for Billing Estimate graphs (CR23770)
When you change the date or time range on the Billing Estimate screen in the Link Statistics, the titles on the graphs do not update to reflect the changes. If you are using Internet Explorer, you can update the titles by holding down the Control key, right-clicking in the screen, and then clicking Refresh. If you are using Netscape Navigator, you can update the titles by holding down the Shift key, right-clicking in the screen, and then clicking Refresh.

Platforms using Broadcom 570x controllers (CR24388, CR25464)
On rare occasions, some platforms using Broadcom 570x controllers may experience short interruptions in network connectivity.

Changing IP addresses on VLANs and updating the administration web server settings (CR24468)
If you use the Setup utility to change the floating IP addresses on VLANs, the web server settings are not updated. To update the web server settings, choose the (W) Configure web server option.

Deleting the Default Gateway Pool using the Setup utility   (CR24519)
If you define a default gateway pool using the Setup utility, and then define a virtual server or other network objects on the pool, you will not be able to delete the pool using the Setup utility as long as the pool is in use. In order to delete the pool using the Setup utility, you must first remove all IP addresses and network objects associated with the pool.

TOS or QoS values in FTP data connections (CR24644)
FTP data connections have incorrect TOS or QoS values set. Both values are set to 0.

Viewing wide IPs created in the 3-DNS Controller module from the Link Controller module (CR24842)
Wide IPs that you create in the 3-DNS Controller module that contain more than one pool, display only the first pool of the wide IP in the Inbound LB screen in the Link Controller module. You may encounter this known issue only when you are running a BIG-IP system with both the 3-DNS Controller module and the Link Controller module.

iControl SOAPPortal: .NET serialization errors on several methods (CR24862)
The following methods do not serialize correctly under certain situations. This is due to a problem in the .NET frameworks serialization. For nested structures within arrays, the framework cannot support an empty array represented as a single XML element.

For example, this method does not serialize:
<return type='Array' ArrayType='tns:someType[0]/>

This method does serialize:
<return type='Array' ArrayType='tns:someType[0]></return>

The BIG-IP Link Controller Solutions Guide in the Configuration utility (CR24946)
The BIG-IP Link Controller Solutions Guide is not available from the Welcome screen in the Configuration utility. You can obtain this guide from the Software and Documentation CD by navigating to the /doc directory, and opening the lc_solutions.pdf file. You can also obtain the guide from the AskF5 web site (http://tech.f5.com).

SNAT automap and acceleration (CR24959)
On the 2400 platform, if you configure SNAT automap and do not associate the SNAT with a virtual server, the traffic is not accelerated by the Packet Velocity TM ASIC. Note that you can associate the SNAT with a wildcard virtual server to accelerate any SNAT automap traffic.

Changing the hardware acceleration mode and resetting connections (CR25009)
When you change the hardware acceleration mode for a pool, and there are current connections for the nodes in the pool, the connections do not reset when you use the b conn reset command. The connections do close when they reach their time-to-live (TTL) value.

The b conn dump verbose command and values for packet counts or byte counts (CR25119)
The bigpipe command, b conn dump verbose, displays incorrect values for packet counts and byte counts.

Microsoft® Internet Explorer security settings and the Link Configuration screens (CR25444)
If you are using a browser session in Internet Explorer to view the Configuration utility, and you have changed the security level for the browser to a setting higher than Medium (the default), then the Link Configuration screens do not work properly. The errors in the Link Configuration screens occur because the Link Controller's web server uses cookies. To avoid this error, set the security level for the browser session to Medium or lower.

Configuring SSH access host restrictions (CR25530)
In previous versions, the /etc/ssh2/sshd2_config and /etc/sshd_config files controlled SSH access. Upgrading to version 4.5 ignores previously-configured SSH access restrictions configured in the /etc/ssh2/sshd2_config and /etc/sshd_config files. This upgrade reverts to an SSH access level that allows all hosts to connect. If you require restricted SSH access to certain networks/IP addresses, you need to reconfigure these restrictions once you have completed the upgrade. To do this, type the following command to start the Setup utility, and then press Enter:

setup

Choose option (S) Configure SSH, and set the restrictions you prefer.

Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.

VLAN names and syntax errors (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text, vlan, as the initial portion of a VLAN name.

Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see (CR25890).

Using 127.0.0.x as a pool member and network connectivity (CR26184)
If you add a node with an IP address of 127.0.0.x to a pool, the system loses connectivity to the network. The only way to reboot the system after this happens is to use the reboot switch. We recommend that you do not add nodes with this address range to a pool.

Changing iControl settings and restarting the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:

bigstart shutdown portal
bigstart startup

LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do no use spaces in the group names.

Error message for ip_tos values (CR26566)
If you type an invalid value for the ip_tos setting, you see the following incorrect error message: The requested IP TOS value is invalid. [0..65535]. The valid ip_tos values are 0 - 255 or 65536, which returns ip_tos to a blank state.

Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:

"/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2

To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file, and change the authtrapenable value to 2, disable.

Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility, we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Before you reboot the system, it is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If the units are left in this state, traffic cannot pass through the system.

The Setup utility and MAC masquerade settings (CR26922)
The Setup utility, setup, does not preserve MAC masquerade settings. We recommend that you use the bigpipe utility or the web-based Configuration utility to make configuration changes after you have completed your initial setup. However, if you want to use the Setup utility to make changes to the configuration, and you want to preserve the MAC masquerade settings, then after you finish your configuration changes, recreate your MAC masquerade settings with bigpipe or the Configuration utility before you reboot the unit.

Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.

Adding a switch interface to the admin vlan (CR27103)
Adding a switch interface to the admin VLAN causes large volumes of traffic. We recommend that you do not add a switch interface to the admin VLAN.

Load balancing modes and honoring node connection limits  (CR27124)
When using the observed_member, predictive_member, predictive, or observed load balancing modes, the member and node addresses do not honor node connection limits.

CompactFlash® media drives and logging for the named daemon (CR27132)
When the named daemon is running, it generates status and usage messages as part of its normal behavior. If you are running the named daemon on a system with a CompactFlash media drive, these messages may fill up the /var/log/messages file. To avoid this, periodically delete the status and usage messages for the named daemon.

RADIUS server configuration and Netscape  (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.

User administration for remote authentication using the Configuration utility  (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter, and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored, and you must click the Done button in order to add a new user.

UDP packet checksum calculations  (CR27240)
The checksum deltas for UDP packets whose initial checksum is 0 (zero) are not calculated correctly, so the BIG-IP system may return traffic to the client with an invalid checksum.

Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility, (setup), does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.

Unsupported system_check tool  (CR27354)
Though the system_check script is running on all BIG-IP platforms, it is supported on the IP Application Switch platforms only. This script has no adverse effects on unsupported platforms.

User roles in a redundant system configuration  (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is not copied over to the other unit. In order to have the same user roles specified on both units, you must configure this setting on both units in the redundant system.

Configuring ratio as an alternate load balancing method  (CR27547)
If you use the Configuration utility to create a wide IP and you configure Ratio load balancing as the alternate method, when you click the Virtual Servers tab, there is currently no option available for setting the ratio value for each member of the wide IP pool. This option is available through the Configuration utility only when you select Ratio as the preferred method. If you have a configuration that uses Ratio as the alternate method, we recommend that you use the command line utility to configure these settings.

Redundant configurations in active/active mode  (CR27639)
When you have a BIG-IP redundant system, with both units in active/active mode, the Configuration utility in certain cases may incorrectly display the self IP as unit 1 when it should be unit 2. This issue does not affect the performance of the BIG-IP system.

Copper gigabit NICs and setting media speeds  (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the BIG-IP system and the connected switches.

Using the Setup utility to configure the media type for an interface  (CR27793)
When you use the Setup utility to configure the media type for an interface, the BIG-IP system does not save this setting when you rerun the Setup utility. You must configure this setting each time you run the Setup utility.

MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive, when all of the following conditions are met:

  • You have Java Virtual Machine enabled on a Windows® workstation

  • You are using the Configuration utility to configure the system

  • You open a MindTerm SSH console session from the navigation pane

  • You return to the Configuration utility without closing the MindTerm SSH console

If you experience this problem, you must use the Windows Task Manager to close both the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or close the MindTerm SSH console session before returning to the Configuration utility.

SNMP version and probing (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.

ICMP monitors and availability status for routers and links (CR27998)
When you configure an ICMP monitor for a link (which also monitors the link's router), and you enable the Any IP setting and the SNAT Automap setting for the wildcard virtual server, the Link Controller may incorrectly mark the availability status for the link (and its router) as down (red ball), and subsequently stop using the link for load balancing. This happens because the Link Controller is using the same self IP address for self traffic and any IP traffic. If you experience this known issue, refer to the ICMP monitors for self IP addresses, wildcard virtual servers, and link status workaround in the following section of this PTF note.

Setup utility and VLAN tag configuration  (CR28027)
If you use the Setup utility to configure VLAN tags or add new VLANs with tags and self IPs, and you use the command line utility to modify interfaces after VLAN tags are added, all of the tagged interfaces and associated data (self and shared IPs) are removed from the configuration files. You may need to reconfigure these settings, or use the backup file to restore these settings.

BIG-IP virtual server information and updates to the wideip.conf file (CR28057)
When you add or delete a BIG-IP virtual server, which specifies the same IP address but a different port than an existing virtual server, the Link Controller does not properly make the change in the wideip.conf file.

Deleting links and the Link Statistics screen  (CR28072)
In the Configuration utility, the Link Statistics screen incorrectly displays links that have been deleted from the configuration. This issue can occur if you are running the 3-DNS module on a BIG-IP sytem, and you have autoconf with no delete enabled on the 3-DNS Controller, and can affect system functionality as well as display. For instance, if you delete the link on the BIG-IP system/software and the 3-DNS Controller thinks a link exists, then the system does not function properly.

Reconfiguring a standalone system as a unit in a redundant system (CR28116)
If you have a standalone system that you later decide to reconfigure as a unit in a redundant system, the system may experience failures when you reconfigure the networking and IP addresses.

Incorrect product version in log files  (CR28133)
The BIG-IP system log files may report the incorrect version of the product. This has no effect on the functionality of the BIG-IP system. To view the correct product version, type cat /VERSION at the command line.

Changes to the checktrap.pl script  (28405)
This version of the BIG-IP software includes two changes in the behavior of the checktrap.pl script. First, rebuild events are no longer logged to the alarm_* files. Second, if the very first event is a clear, the BIG-IP system triggers a rebuild, and sends a corresponding "rebuild event" trap, and not a "clear" trap. (See the /etc/snmptrap.conf file for a list of clears.)

LDAP authentication  (CR28431)
If you use the Setup utility to configure remote LDAP authentication, and give an LDAP user full read/write and command line utility access, when you log in through the LDAP server as a full access user, certain portions of the Configuration utility may continue to show objects as having Read Only Access.

bigpipe commands that contain invalid trailing arguments  (CR28581)
If you type a bigpipe command that contains an invalid trailing argument, the bigpipe utility produces a syntax error, but may run the command anyway. In this situation, the command should fail.

Rerunning the Configure DNS option in the Setup utility and overwriting an existing named.conf file  (CR28614)
In the Setup utility (setup), when you rerun the Configure DNS (D) option, you overwrite the existing named.conf file with an empty named.conf file. To avoid this issue, before you rerun the Configure DNS (D) option in the Setup utility, we recommend that you create a backup copy of the named.conf file. Once you have rerun the Configure DNS (D) option, you can copy the contents of the backup copy of the named.conf file into the new named.conf file.

Configuration utility error messages  (CR29360)
In rare instances, when you modify the Link Configuration screens in the Configuration utility, you may experience errors. If you click Inbound LB, and then immediately click Links during the config sync process, you may receive the following error:

An error has occurred in the Configuration utility. You may need to restart one or more daemons, or the system, to resolve this error. Contact support for more information.

This type of error may also occur on the target BIG-IP system when you click the links described above, and then are prompted to re-authenticate while the config sync process is still running on the peer BIG-IP system.
In rare instances, a white HTML screen may display. If you experience any of these error conditions, you can safely restore the Configuration utility by clicking any of the links under Link Configuration.

The checktrap.pl script and the enterprise OID in traps  (CR29481) (CR35534)
When the checktrap.pl script issues traps, does not send the correct enterprise OID in the trap.

Error message in Configuration utility and valid range for VLAN tags  (CR29793)
The allowable values for VLAN tags are 1 through 4094. However, if you inadvertently specify a value that is outside of the allowable range, you see the following error message:

Error 335953 -- You have entered an invalid VLAN tag value. VLAN tags must be between 1 and 4096.

The error message incorrectly specifies a range of 1 through 4096, rather than 1 through 4094.

Forwarding non-IP traffic through VLAN groups and redundant systems  (CR29806, CR29334)
We introduced the ability to forward non-IP traffic through VLAN groups in BIG-IP version 4.5 PTF-04, and the functionality was enabled by default. When this functionality is enabled, the BIG-IP system also forwards non-IP traffic through both the active and standby units in a redundant system, which can result in a bridge loop. To mitigate this known issue, in this release (version 4.5 PTF-08), we are changing the default setting so that the functionality is disabled by default. If you understand the current limitations of this feature, and want to enable the feature, see Forwarding non-IP traffic through VLAN groups and redundant systems in the Workarounds for known issues section.

Dynamic ratio load balancing and IIS6.0 Windows 2003 Server  (CR30072) (CR30073) (CR30074)
If you need to use dynamic ratio load balancing, we recommend that you configure dynamic ratio through SNMP. Due to compatibility issues, you must configure redirection on the Microsoft® Windows® Internet Information Services (IIS) 6.0 webserver (which is part of Microsoft® Windows® 2003 server product) without the aid of F5 Networks software. The BIG-IP system does not currently support the following functionality on IIS 6.0 webserver:

  • Real Media monitor
  • Dynamic Ratio Load Balancing
  • SSL Redirect

Default setting for min_active_members  (CR30143)
The default value for min_active_members is incorrect and may cause the BIG-IP system to prioritize traffic incorrectly. The default value for min_active_members is currently set to 0. We recommend that you configure min_active_members to a value of 1 or greater.

bigpipe l2_aging_time setting  (CR30152)
When you reboot the Link Controller system, the bigpipe l2_aging_time setting in the bigip_base.conf file returns to the default setting (300).

automap default SNAT and VLAN configuration  (CR30153) (CR30585)
The automap default SNAT does not allow you to disable VLANs. If you attempt to disable VLANS on the automap default SNAT, you receive an error message.

Inaccurate log message for virtual server status  (CR30235)
When a virtual server is marked down (red), the Link Controller sends a log message that says no nodes up. Instead, the log message should indicate that the virtual server is down.

Default routes and specifying a router for path probing  (CR30310)
When you have not configured a default route, but you specify a router for path probing, the big3d agent ignores the specified route and issues an error message because the agent cannot find a default route. To work around this issue, we recommend that you configure a default route.

Redundant systems and software upgrades from BIG-IP version 4.2, to BIG-IP version 4.5 and later  (CR30500)
When you upgrade a standby unit from BIG-IP version 4.2, to BIG-IP version 4.5 and later, the unit is unlicensed for a brief time. During the time that the unit is unlicensed, it may change from standby to active.

Errors disabling VLANs for a default SNAT  (CR30585)
When you create a default SNAT using the automap option, and then later try to disable one or more of the default SNAT's enabled VLANs, the system generates an error and the VLANs are not disabled. Note that the error occurs when you make this change using either the Configuration utility or bigpipe.

bigpipe monitor command  (CR30600)
You receive a syntax error if you use both <ip addr>:<service> and <ip addr> in the IP list for the bigpipe monitor command <ip list> <enable | disable>.

Configuration utility statistics  (CR31009)
The Configuration utility statistics for Max Conn Deny and Memory Usage are inaccurate. We recommend that you use the command line utility to view these statistics.

Using the IP address 213.13.118.129:80  (CR31104)
If you add a pool with a member node with the IP address 213.13.118.129:80, when the address and port select a virtual server on the local system, it causes the BIG-IP system to panic and the configuration to be deleted. The issue occurs only when the address and service numbers are 213.13.118.129 and 80 respectively. If you want to avoid this issue, we recommend that you do not assign the IP address 213.13.118.129 to nodes on the BIG-IP system.

Principal Link Controller in a sync group  (CR31551)
If you disable a data center that includes the principal Link Controller in a sync group, the Link Controller is disabled by inheritance. This disables probing, which in turn causes all objects in the network to be marked as down.

sync groups and zone file configuration  (CR32148)
In rare instances, if you have a Link Controller configured in a sync group, when the system copies over the zone file configuration, the sync_zones utility may fail to start.

Random load balancing method  (CR32762)
If you configure a Wide IP and use Random as the load balancing method for pools, the load is incorrectly distributed in a way that is similar to Ratio load balancing.

External self IP address configuration  (CR32962)
When you remove an external self IP address from the configuration, the link to the external IP address may display in the Links screen up to several minutes after the address is removed. If you click on the link, you receive a JSP 500 error.

One-time auto-discovery option  (CR32974) (CR32975)
The one-time auto-discovery option in the Setup utility now runs only the first time you use the Setup utility. If you want to run this utility again, type the following:

Local.Bigip.FTB.Autoconfig = Y

Wide IP port numbers replaced by service names and configuration errors  (CR32977)
In the Configuration utility, the Link Controller is automatically replacing wide IP port numbers with service names. If you subsequently modify any settings for the wide IP, you see an invalid port error message when you click Update. To work around this issue, when you modify the wide IP, change the wide IP port setting back to the port number before you click Update.

Link Autoconf On/No Delete setting  (CR32989)
If you delete a self IP address that matches a link, the Link Controller Configuration utility does not display the associated self IP and VLAN. This issue does not affect the Link Controller configuration.

Autoconf and BIG-IP virtual servers  (CR33161)
Autoconf does not compile a complete list of BIG-IP virtual servers in all cases.

Incorrect pending values in the Configuration utility  (CR33666)
In certain circumstances when a link goes down, the Configuration displays an incorrect "Pending" value for the link. This value may display in the Configuration utility until you use the 3ndc restart command.

Static depends configuration  (CR33671)
If you enable or disable Static Depends, you must use the 3ndc restart command in order for the virtual server to be updated correctly.

Gray status icon for virtual servers  (CR34599)
If the status icon for a virtual server is gray on the Pool, Virtual Servers, or Virtual Server Statistics screens, this indicates that the Link Controller can not locate the virtual server in the network managed by the controller.

Creating virtual servers using the Configuration utility  (CR35019)
In order for virtual servers to display in the Link Statistics or Virtual Server screens, you must be add them to a wide IP.

Error messages logged in /var/log/3dns  (CR35714)
If you use the bigstart restart all command, the following error messages may be stored in the /var/log/3dns log:

sod-portal: One or more of the corba daemons has been incorrectly restarted.
sod-portal: Killing corba daemons in order to insure clean restart.
sod-portal: Restarting corba daemons.


You can disregard these error messages.

TTL settings for zones associated with wide-IPs  (CR35963)
If you are using NameSurfer and you add a wide-IP to a zone, the wide-IP time-to-live (TTL) setting is used instead of any previously configured TTL setting for that zone. If you add two wide-IPs with different TTL settings to the same zone, the second wide-IP TTL is used.

Modifying zones that are associated with wide-IPs  (CR35963)
If you use NameSurfer to add records to a zone associated with one or more wide-IPs, if you use the Configuration utility to modify one of the wide-IPs, the records may be overwritten. In addition, if you use the Configuration utility to change the TTL for a zone, the records will be overwritten.

NameSurfer and wide IP display  (CR36729)
If you use the Configuration utility to configure virtual servers and a wide IP, the Link Controller wide IP displays automatically in the 3-DNS wide IP list, but the wide IP (zone or host file) does not display in the NameSurfer UI.

NTP settings  (CR36782)
If you run the Setup utility and you re-configure the NTP settings, you must use the bigstart restart ntpd command in order for your changes to take effect.

Principal controllers in redundant systems  (CR36864)
If you have two Link Controllers in a redundant system configuration and you shut down the principal system (3ndc stop), the standby Link Controller does not become principal system.

Selecting links for probing  (CR36998)
If you have links defined, in certain cases the 3dnsd utility picks the best data center to handle probing instead of the best link. In most cases, the data center is adequate for probing.

Traps and logging (CR39325)
If you configure the system to send out traps, rapid logging may cause traps and log messages to be dropped. This type of rapid logging may occur when you load a configuration of several hundred nodes. At that time all of the nodes are checked and their status is logged. You can avoid this issue by adjusting the log levels for syslog configuration items. In addition, you may want to edit the /etc/snmptrap.conf files and comment out traps that are unimportant for your configuration.

Microsoft® Internet Explorer 6.x and link creation  (CR40319)
If you are using Microsoft® Internet Explorer 6.x, when you create a new link and are return to the Links list screen, if you refresh the screen, you may receive the following ITCM/jcapi error:

An error has occurred in the Configuration utility. You may need to restart one or more daemons, or the system, to resolve this error. Contact support for more information.

This error does not affect the functionality of the Link Controller system.

Round trip time and hops no longer work together, nor do UDP and ICMP (CR42529)
The round trip time (RTT) and latency (Hops) Quality of Service (QOS) coefficients no longer work together for QOS probing. If RTT and Hops are configured at the same time, the 3-DNS Controller uses RTT.

For local DNS (LDNS) probing, the 3-DNS Controller does not support using both UDP and ICMP. If you select UDP and ICMP, the 3-DNS Controller removes UDP from the list, and uses ICMP.

Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

[ Top ]

Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.


Forwarding non-IP traffic through VLAN groups and redundant systems (CR29806, CR29334)

We recommend that you enable this feature only if you fully understand its current limitations.

To forward non-IP traffic through VLAN groups

  1. Enable non-IP traffic forwarding by typing the following command:

    echo "b internal set vlangroup_nonip=1">>/config/routes

  2. If you have a redundant system, type the following command to update the peer unit:

    b configsync all

  3. Reboot the BIG-IP system.

The non-IP traffic forwarding feature is now enabled, and the BIG-IP system will forward non-IP traffic through VLAN groups, and through both the active and the standby units in redundant systems.


ICMP monitors for self IP addresses, wildcard virtual servers, and link status (CR27998)

If you experience the ICMP monitors and availability status for routers and links known issue, described in the previous section, then one of the two following workarounds may help you resolve the issue in your network.

One workaround is to use an additional self IP address in the interfaces list. The additional self IP address needs to have SNAT automap disabled, and needs to be listed before the self IP address that has SNAT automap enabled. If your network is limited by available IP addresses, then you may need to use the second workaround to address this known issue.

The second workaround is to disable the Any IP setting on the wildcard virtual server.

[ Top ]

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)