Original Publication Date: 10/09/2002
Use the following process to apply the PTF to the BIG-IP Link Controller, version 4.3. Note that the install script saves your current configuration.
When the im script is finished, the unit reboots automatically.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package file are deleted upon rebooting.
CERT Vulnerability Note VU#797201 against tcpdump (CR22051)
We have addressed the vulnerabilities detailed in the CERT Vulnerability Note VU#797201 against tcpdump.
EDNS0 requests from BIND 8.3.3 and BIND 9 name servers (CR22215)
The Link Controller can now process EDNS0 requests that originate from BIND 8.3.3 and BIND 9 name servers. When the Link Controller receives an EDNS0 request, the controller embeds the additional EDNS0 record in the DNS response packet.
Graphing link traffic for multiple links (CR23725)
We have added the ability to graph link traffic for more than four links on the Link Report graphs.
BIG3D problem with GetInterfaces() (CR23780)
The big3d no longer hangs or shuts down prematurely in certain configurations with a large number of self IP/virtual server address combinations configured.
CERT Advisory CA-2002-18, OpenSSH Vulnerabilities in Challenge Response Handling (CR23813)
The OpenSSH software running on the Link Controller has been upgraded to version 3.4p1 to address the security vulnerability that is outlined in CERT Advisory CA-2002-18.
CERT Advisory CA-2002-23, Multiple Vulnerabilities In OpenSSL (CR23814)
In this PTF, we have addressed the following vulnerabilities in the CERT release on OpenSSL: VU#102795, VU#258555, VU#561275, VU#308891, VU#748355.
CERT Advisory CA-2002-19, Buffer Overflows in Multiple DNS Resolver Libraries (VU#803539) (CR23815)
Vulnerability #803539 (DNS stub resolvers vulnerable to buffer overflow) has been addressed in this PTF. For more information on this vulnerability see http://www.kb.cert.org/vuls/id/803539.
BSDI security vulnerability (CR23816)
A potential denial of service vulnerability in the C library (libc) of BSDI has been addressed. For information about the vulnerability, see Vulnerability Note VU#808552 (Multiple ftpd implementations contain buffer overflows) which is available on the CERT website at http://www.cert.org.
CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability (CR23818)
The security vulnerability that is outlined in CERT Advisory CA-2002-17 (Apache Web Server Chunk Handling Vulnerability) has been fixed.
New Link Report statistics screens in the Configuration utility
On the Link Report statistics screens in the Configuration utility, you can now view a set of graphs that show link usage in relation to the bandwidth pricing information for the links in your configuration. The graphs cover the following time periods: the previous 30 minutes, the previous 6 hours, and the previous 24 hours. To view the Link Report screens, follow these steps:
BIG-IP is not adversely affected by broadcast pings originating from itself (CR19901)
BIG-IP is not adversely affected by broadcast pings originating from itself.
BIG-IP now sends a TCP RST when no routes are available (CR20114)
BIG-IP now sends a reset (RST) when auto-lasthop is enabled and no route is available. This enhances the performance of clients that do not resend TCP packets.
There are no required configuration changes in this PTF.
The following items are known issues in the current release.
Port mirroring on the IP Application Switch (CR18435)
Ports not configured in a VLAN are not mirrored on the IP Application Switch platform.
proxy_arp does not fail over on VLAN group (CR18928)
When the BIG-IP goes from active to standby and MAC masquerading is not configured, layer 2 forwarding VLAN groups continue to forward packets until the packets' source ARP cache times out.
Sequence number tracking (CR19392)
Out of order packets to a delayed binding virtual server may cause synchronization errors in sequence number tracking.
TCP 4-way close detection (CR19591)
When an upstream device drops packets, or sends packets out of order, TCP 4-way close may not be properly detected.
Syslog pinger requires changes for increased resilience (CR19874)
If you define, delete, and then redefine a monitor, without deleting the changes in the /etc/syslog.conf file, the monitor may not function properly.
Error message on Modify Wide IP screen (CR20204)
You may occasionally see an error message (# 331845) on the Modify Wide IP screen. This message is benign.
Unique self IP addresses with different masks are seen as being on the same network (CR20378)
The Link Controller does not support supernetting. You cannot define two networks on the Link Controller where one of the networks includes the other.
Viewing link statistics and internal system traffic (CR20689)
When you review the Link Statistics screen in the Configuration utility, the data transfer rates do not include internal system traffic.
Upgrading the software and the /etc/hosts.allow file (CR20715)
When you upgrade the BIG-IP Link Controller version 4.3 software, and you use the im --force <filename>.im command, the /etc/hosts.allow file is deleted. You can resolve this issue by adding the following line to the /etc/hosts.allow file after you perform the upgrade:
big3d : ALL.
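The workaround above as an idempotent shell function. This is an added example, not part of the original release note or F5's tooling; it assumes the rule to restore is `big3d : ALL` and that the period printed after it on this page is sentence punctuation. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: restore the big3d rule in hosts.allow after "im --force".
# Assumption: the rule is "big3d : ALL" (no trailing period).

RULE='big3d : ALL'

# has_big3d_rule FILE
# Succeeds only if FILE exists and holds an uncommented "big3d : ALL" rule
# (whitespace around the colon may vary).
has_big3d_rule() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*big3d[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# ensure_big3d_rule FILE
# Appends the rule when it is missing, creating FILE if the upgrade deleted
# it. Existing rules are left untouched. Prints "added" or "present".
ensure_big3d_rule() {
    file=$1
    if has_big3d_rule "$file"; then
        echo present
        return 0
    fi
    # If the last line has no newline, add one so the rule is not glued
    # onto the end of an existing entry.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file" || return 1
    fi
    printf '%s\n' "$RULE" >> "$file" || return 1
    echo added
}

# Usage on the unit after the upgrade:
#   ensure_big3d_rule /etc/hosts.allow
```

Running it a second time reports `present` and changes nothing, so it is safe to include in a post-upgrade checklist.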
Values for Link Limits (CR20744)
When you type values for bandwidth limits, on the Modify Link screen in the Configuration utility, and you type a number that is not divisible by 8, the Configuration utility rounds the value to the next lowest number that is divisible by 8.
SNMP and link statistics (CR20849)
When you switch from internal statistics to SNMP-gathered statistics, the metrics display a 10-second long Mbps incongruity. This may result in very large rate values. This data value may take some time to flush out of the history averages. However, it affects the load-balancing algorithm for only one 10-second period.
Redundant system failover behavior (CR20851)
If you synchronize the Link Controller configuration from the standby unit to the active unit, failover occurs, and the standby unit becomes active. If you synchronize the Link Controller configuration from the active unit to the standby unit, no failover occurs.
Undefined virtual server error message in the Configuration Checker (CR20873)
If you run the Configuration Checker before you have completely configured the Link Controller, you may see the following error message about an undefined virtual server:
ERROR: Virtual server 0.15.254.0:0 is not associated with a currently defined vlan.
The error is benign. To avoid this error, refrain from running the Configuration Checker until you have performed all of the configuration tasks. Review Chapter 3, Configuring Links for Simple ISP Load Balancing, in the BIG-IP Link Controller Solutions Guide, for details on the configuration tasks.
Disabling a link and outbound traffic (CR21078)
When you disable a link from the Link List screen in the Configuration utility, the Link Controller does not stop sending current outbound traffic.
Adding users in a redundant system (CR21118)
When you add users on one unit in a redundant system, you must manually add the same user information to the second unit in the redundant system. If you add users only to one unit, the config sync process fails.
Nodes unexpectedly disabled (CR21144)
If a configuration file contains a node disable command, followed by any number of node limit commands, the nodes listed in the node disable commands are errantly disabled. To work around this, enable the affected nodes using the node enable command. You can use the node enable command in the bigpipe utility, or you can insert the node enable command in the configuration file immediately following the node limit commands.
Using the prepaid segment cost variable and standby links (CR21202)
In the following situation, some traffic is not correctly distributed according to cost.
Note: You do not see this problem if all links have a prepaid segment defined, or if no links have a prepaid segment defined. The workaround for this problem is to add the link_prepaid_factor global variable, as explained in the following instructions.
The Link Controller now distributes all traffic to the first link, up to the traffic limit that you set for the prepaid segment.