Applies To:

Show Versions Show Versions

Release Note: ARX version 5.1.0
Release Note

Software Release Date: 12/30/2009
Updated Date: 08/29/2013

Summary:

This release note documents the version 5.1.0 release of the ARX software. We recommend this release for those customers who want the fixes and enhancements listed in Fixes and Enhancements in This Release.

This release is cumulative, and includes all fixes and enhancements released since version 3.2.3. You can apply the software upgrade to 3.2.3 and later. For information about installing the software, please refer to Installing the Software.

Note: F5 offers both feature releases and maintenance releases. For more information on our release policies, please see Description of the F5 Networks software version number formats.

Contents:

- User Documentation for This Release
- Minimum System Requirements and Supported Browsers
- Supported Platforms
     - New/Updated Certifications
- Installing the Software
     - Configuration Changes
- Fixes and Enhancements in This Release
     - Features
     - Fixes
- Fixes and Enhancements in Prior Releases
     - Version 5.0.6
     - Version 5.0.5
     - Version 5.0.1
     - Version 5.0.0
     - Version 4.1.3
     - Version 4.1.1
     - Version 4.1.0
     - Version 4.0.1
     - Version 4.0.0
- Required Configuration Changes
     - Upgrading the Secure Agent for NTLMv2 Support
     - CIFS Symlinks: New Scan for Existing Volumes
     - Verify that All Proxy Users Use an FQDN Domain
     - Windows 2003 Clusters
     - For Upgrades from Before 5.0.1
     - For Upgrades from Before 5.0.0
- Known Issues
- Workarounds for Known Issues
- Contacting F5 Networks


User Documentation for This Release

In addition to these release notes, the following user documentation is relevant to this release.

These manuals are available from the ARX® GUI or CLI. From the GUI, click on the Documentation link in the navigation panel. From the CLI, use the show software command for a complete listing of the ARX manuals, then use the following command to upload the manual from the ARX:

copy software manual-name destination-url

You can also find the product documentation on the F5 Online-Knowledge Base web site, along with an extensive solutions database.

[ Top ]

Minimum System Requirements and Supported Browsers

The minimum supported browsers for the ARX GUI are:

  • Microsoft® Internet Explorer® (IE), version 6.0
  • Mozilla® Firefox® 1.5, and other browsers that use the Mozilla engine

Later versions are also supported, such as IE 7 and Firefox 3.x.

[ Top ]

Supported Platforms

This release supports the following hardware platforms:

  • ARX®500
  • ARX®1000
  • ARX®2000
  • ARX®4000
  • ARX®6000

New/Updated Certifications

Windows 2008 has been certified as a Domain Controller (DC) in the ARX's Domain. This includes all variations of Writable DCs (WDCs), but does not include Read-Only DCs (RODCs). The ARX does not discover any RODCs in your Active-Directory forest, nor does it use RODCs to obtain Kerberos tickets. However, the ARX does honor tickets that clients have obtained from RODCs.

Windows 2008 clusters have been certified as file servers behind the ARX. A Windows Server 2008 R2 requires a configuration change for this usage; see Windows Server 2008 R2 for details.

Data Domain systems have been certified as file servers behind the ARX.

Windows 7 machines have been certified as clients for ARX services.

For a complete list of vendor equipment that is useable with this release, refer to the ARX Compatibility Matrix.

New/Updated Certifications in Release 5.0.5

In Release 5.0.5, F5 Data Solutions certified Storwize STN-series appliances for use file servers behind the ARX. Specifically, the certification was for Version 3.5.2.03 with NetApp Data ONTAP Release 7.3.1.1.

New/Updated Certifications in Release 5.0.0

In Release 5.0.0, F5 Data Solutions certified Windows 2008 for use as both a file server (behind the ARX) and as a client machine (in front of the ARX).

Windows Filer Servers that Support ARX Snapshots

The following Windows file servers have been certified for use with ARX snapshots:

  • Windows Server 2003
  • Windows Server 2008

The ARX manages snapshots on these file servers through Windows Remote Management (WinRM). This is included with Windows Server 2008, but you must install it on a 2003 server. After installation, create at least one WinRM listener, listening on HTTP port 80 (encrypted or unencrypted). Whether or not the HTTP connection is encrypted, the ARX authenticates through Kerberos.

You must use WinRM v1.1 or later

New/Updated Certifications in Release 4.1.0

In Release 4.1.0, F5 Data Solutions certified the following file servers and client machines for use with the ARX.

Filers and File Servers

F5 has tested and qualified Data ONTAP Release 7.3 and 7.3.1 for use on the following back-end filers:

  • NetApp, and
  • IBM N Series.

F5 has also tested and qualified EMC DART 5.6 for use as a back-end file server.

Client Machines

F5 has tested and confirmed the interoperability of the following client software with the ARX:

  • Mac OS X 10.5.5 with
  • Thursby DAVE 7.1.2.

Release 4.1.0 also supports photocopier/scanners as CIFS clients. These scanners can use their "Save As" feature to save a scanned image to a file on an ARX share. The ARX namespace must have a security setting disabled through the CLI (with the new cifs anonymous-access command) or the GUI to support this option.

F5 Data Solutions has tested and qualified the following Kyocera photocopiers/scanners:

  • KM-C2525
  • KM-C3232
  • KM-C3232E
  • KM-C4035E

New/Updated Certifications in Release 4.0.0

For Release 4.0.0, F5 Data Solutions tested and qualified the following 10-gigabit-networking devices with the ARX®4000:

  • F5 BigIP
    10GBASE-SR JDS Uniphase XFP F529937700F4
  • Cisco 4948
    Cisco X2 SR 10-gig Module
  • Force 10 S50N
    10-gig SR Module
  • SMC 8708L2
  • Chelsio NIC
    10GBASE-SR Intel XFP MYBG69N90U
  • Extreme 10G4Xa
    10GBASE-SR Intel SR XFP MYBG71G81W
  • Intel NIC
    10GBASE-SR Infineon XPAK 01564948
  • Netgear GSM7328S
    10GBASE-SR Netgear XFP SR AXM751
  • Netirion NIC
    10GBASE-SR Infineon XPAK 01564948
  • Nortel 5530-24TFD
    10GBASE-SR Intel SR XFP MYBG71G81W
  • Nortel 4526GTX-PWR
    10GBASE-SR Intel SR XFP MYBG71G81W
  • HP Procurve 2900
    10GBASE-SR Procurve X2 DE523RQ001
  • HP Procurve 3400
    10GBASE-SR Procurve X2 DE523RQ001
  • HP Procurve 3500
    10GBASE-SR Procurve X2 DE523RQ001
  • HP Procurve 4205
    10GBASE-SR Procurve X2 DE523RQ001
  • HP Procurve 5400
    10GBASE-SR Procurve X2 DE523RQ001
  • HP Procurve 8100
    10GBASE-SR Procurve X2 DE523RQ001

New/Updated Certifications in Release 3.2.1

In Release 3.2.1, F5 Data Solutions certified the following file-server operating systems for use with the ARX:

  • NetApp Data ONTAP Release 7.2.4 for CIFS-only, NFS-only and Multi-protocol
  • NetApp Data ONTAP Release 7.2.5 for CIFS-only, NFS-only and Multi-protocol
  • EMC Celerra 5.5 and 5.6 for CIFS-only, NFS-only and Multi-protocol
[ Top ]

Installing the Software

For an existing installation, you can upgrade to 5.1.0 from any of the following releases:

  • 5.0.6
  • 4.1.1
  • 4.0.1
  • 3.2.3

For installation instructions, refer to the Upgrading Software chapter in the CLI Maintenance Guide. If you must upgrade from an earlier Release (such as 2.7.1) or an interim release (such as 4.1.0), upgrade both peers to one of the above 3.x or 4.x releases before upgrading them both to the current release.

For systems with complex presentation (or direct) volumes, we recommend waiting 30 minutes between failovers to avoid Issue 34512.

NOTE: This release also includes a new version of firmware. You can upgrade the firmware during the software upgrade; the instructions in the above manual explain how and when to upgrade the firmware.
The firmware upgrade is required for the ARX4000 and the ARX2000 to function properly.

Configuration Changes

Once you install the software, refer to the Required configuration changes section, which contains important information about changes you must make before using the new software.

[ Top ]

Fixes and Enhancements in This Release

Release 5.1.0 includes the following fixes and enhancements:

Features

Release 5.1.0 adds the following new features to the ARX:

ARX®2000
Release 5.1.0 supports the new ARX®2000 hardware platform, which is a 2U device with 12 1Gbps interfaces.

A Multi-Protocol Volume Supports NFS Symbolic Links (Symlinks) for its CIFS Clients
As of Release 5.1.0, a multi-protocol (NFS and CIFS) volume can display NFS symlinks to its CIFS clients, and allow its CIFS clients to traverse those symlinks. For example, if an NFS client creates a symlink named "pointerDir" that points to "randomDir," any CIFS client can cd to the "pointerDir" symlink to access the "randomDir" directory.

After an upgrade, this feature is disabled in any multi-protocol volume that existed before the upgrade. You must enable the feature for the volume's CIFS clients to see or access NFS symlinks. Refer to the Required configuration changes section for instructions on enabling this feature. Any new multi-protocol volumes, created after the upgrade to 5.1.0, support CIFS symlinks by default.

This feature does not support absolute symlinks (such as a link to "/vol/vol2/myDir"). It supports relative symlinks, such as a link to "../myDir" from the current directory.

Limiting CIFS Connections To Tier 2 Filer Servers
Some Tier-2 file servers cannot tolerate a large number of simultaneous CIFS connections. Release 5.1.0 accommodates those file servers with a feature that allows you to set a maximum number of CIFS connections to such a filer. You can use a CLI command, cifs connection-limit, or its GUI equivalent to set this maximum.

Policy Enhancements
The policy engine offers a number of enhancements as of Release 5.1.0, including the following.

  • Finer Control Over Share Free Space
    Release 5.1.0 adds per-share controls over free space. For each share, you can establish a volume or percentage of free space to maintain. All policy rules, including share-farm directives, avoid consuming this free space. If a rule attempts to migrate any file to any share, it first verifies that the file will not reduce the share's free space below this level. If the file would violate this free-space limit, the rule pauses and monitors the share's free space. Once the share's free space rises to a higher level (perhaps because of other rules), the rule can resume migrating to the share.
    For any given share, you can control the amount of free space to maintain and the amount of free space required for the share to resume accepting file migrations.
  • Regular Reports on Inline Migrations
    A file-placement rule migrates files between volume scans. This occurs inline, whenever a client changes the file so that it no longer belongs on its current back-end share. For example, if a client changes the name of a file so that it fits a new fileset, a placement rule for that fileset migrates the file as needed. As of Release 5.1.0, you can create hourly or daily reports that show the number of migrated files, their combined size, the number of failed migrations, and other useful statistics.
  • Scheduling Enhancements
    One or more file-placement rules, snapshot rules, or other rules can use a schedule to run on a regular basis. Release 5.1.0 adds more options to the schedule, such as options to run on the first or last Tuesday of the month, or to run on the 1st and 15th of every month.

Support for NTLMv2
The Release 5.1.0 software supports NTLMv2 authentication for its CIFS clients.

NOTE: The 5.1.0 release of the ARX Secure Agent (ASA) also supports NTLMv2, and is required for the NTLMv2 implementation. Upgrade all ASAs to the 5.1.0 release after you upgrade the ARX to 5.1.0. Refer to the Required configuration changes section for instructions on upgrading the ASA software.

Kerberos Enhancements
Release 5.1.0 offers two enhancements for CIFS clients that authenticate with Kerberos:

  • Better Reliability in Lossy Networks
    The Kerberos software now uses TCP for its network communication instead of defaulting to UDP first.
  • Support for Forest-to-Forest Trusts with "Selective Authentication"
    In a Windows network, you can design a forest-to-forest trust with "Selective Authentication," where a specific list of Windows users in Forest A are allowed to access any services in Forest B. In previous releases of ARX software, Kerberos clients in Forest A could not use ARX services in Forest B. As of Release 5.1.0, you can configure the ARX software to use a special algorithm, auto-realm traversal, to fully support clients from the other side of a selective-authentication trust. From the CLI, you can use the Kerberos auto-realm-traversal command to use this algorithm.

Share-Import Priority
Release 5.1.0 introduces the import priority command to make a managed volume's file and directory mastership deterministic. A master directory is a directory in a managed volume that has duplicates on multiple back-end shares; one share has the master instance of the directory and the other shares have stripes with the same name, permissions, ACLs, and other attributes. A master file keeps its name, whereas matching files on other shares must change their names. You can use the new import priority command to set some shares to priority 1, so that they win mastership for all of their files and directories. This mastership is deterministic; higher-priority shares win mastership on every import and re-import.

Together with Seamless Import, which imports multiple shares while allowing full client access, this feature is a stepping stone toward a full DR solution. An import at Site A can now yield the same file/directory mastership as an import of the same data at DR Site B.

Fixes

Release 5.1.0 adds the following fixes to the ARX:

39032
Large file copies sometimes failed with "Error code 64: Network name is no longer specified."

38854
Active Directory domain controllers would go into reboot cycle after installing Secure Agent 5.1.5 HF1.

37904
Newly created snapshot entries now can be browsed as expected. Previously, the snapshots were not accessible in some cases.

39019
ARX 4000 units were erroneously raising traps indicating the nvram battery had failed. Implemented fix to raise the temperature threshold to appropriate level, thereby eliminating message.

34772
A particular race condition during a managed-volume import could trigger an unnecessary auto-sync operation. The race condition occurred when one ARX client attempted to remove a file while another attempted to rename it. The auto-sync operation, designed to refresh a volume's metadata after import, had no effect.

27125
The ARX policy engine never recognized that a previously-full target share now had free space. If a placement rule's target share filled to capacity, the rule never resumed after someone added free space.

35856
If a non-critical process failed to start properly, the ARX rebooted and created a core-memory file. Now a reboot (and failover) only occurs if a critical process fails to start.

36053
The file-tracking daemon sometimes failed to start after an ARX reboot.

26015
GUI did not sort cells correctly when they contained both alpha and numeric characters.

35944
The no shadow operation did not properly remove the shadow-copy database from the volume's file servers.

32521
The policy pause namespace volume operation, followed by a no policy pause, inappropriately caused a volume scan to start.

33470
The output from show load-balancing sometimes displayed the incorrect slot/port number.

34445
The output from show policy sometimes showed a volume as 'offline' when it was not.

34526
The show ip route command on an ARX4000 did not display "Mgmt" for the out-of-band management routes. It showed a VLAN instead.

34663
This release resolves some Open-SSH vulnerabilities in previous ARX releases.

35470
The ARX UI allowed a CIFS export with an illegal CIFS character, such as ":". It now blocks a name with any illegal CIFS character.

35542
The ARX did not adequately support the removal of multiple shares from a single volume. Now it allows you to remove multiple shares from the same volume without any errors.

35614
The CLI failed and created a core-memory file if an administrator entered the critical route command with an invalid subnet mask (such as "1.1.1.1").

35876
An internal metadata inconsistency caused a share removal to fail. (From the CLI, you can use remove-share migrate and similar commands to remove a share from a managed volume.) Managed-volume software can now successfully remove a share with these inconsistencies.

35925
The online help was inaccurate for the windows-mgmt-auth CLI command, and it appeared next to the incorrect option.

35426
If an administrator used an incorrect syntax for the copy command, the administrator's SSH connection hung.

36368
The no wins command did not allow optional arguments for ease of use. Now it does.

36545
When a managed-volume import failed due to a slow metadata share, there were no syslog messages indicating the cause of the failure. Now, syslog messages appear to describe the problem with the metadata share, and to associate the metadata-share issue with the failing import.

36186
When a CIFS namespace had an NFS export and someone invoked the GUI's Virtual Services page, the GUI failed. The current release does not allow a CIFS-only namespace to offer any NFS exports.

32574
The virtual server arx-name ? command should list the single valid VIP for the server, but it listed all the VIPs on the ARX. Now it only lists the correct VIP.

35502
The show snmp-server command displayed no output unless there was at least one host to receive SNMP traps. (The snmp-server host command adds a host to receive traps.) Now the command displays the current SNMP configuration under any circumstances.

36111
Kerberos was causing failure errors in DC logs.

36581
NFS write throughput to Data Domain dropped to zero. This issue has been fixed.

35282
The ARX was in a "too many open files" condition. This issue has been fixed.

35704
The ARX is persistently stuck due to metadata inconsistencies. This issue has been fixed.

30999
Reboot required after running config applied in order to get NTP to work. This issue has been fixed by by moving ntp server config to the end in running-config, so that ntpd starts polling the ntp server after running-config is done, without additional reboot or reset ntp server.

31365
A CIFS client could not traverse an NFS symlink to a directory. Release 5.1.0 introduces CIFS-Symlink Support to address this issue.

35738
The serial number was truncated in the GUI. This issue has been solved by adding the 2-digit manufacturer code before the serial number.

35541
Adding SNMP server information with a port number created two entries. This issue has been fixed.

35596
Managed Volume went offline after an upgrade. This issue has been fixed.

36609
A Data Domain filer behind a managed volume caused the volume to advertise "FAT32" as its file system. Now there is a CLI command that you can use to set the advertised file-system name.

36841
The ARX boot-config file was lost after a software upgrade. This problem has been fixed.

34454
Asymmetric network reboots, even when not joined back in the pair. This issue is now fixed.

36566
A VIP Created in the GUI was offline, but was online when created in the CLI. This issue has been fixed with a fix to netbiosd.

36421
A shadow copy from a pre-5.0.0 site to a post-5.0.0 site caused a failover at the source site. The current release allows a shadow copy to cross between these releases without causing a reboot.

35006
The GUI's Status page reported an incorrect value for available Files Allocated. This issue was fixed in the GUI by calculating the remaining files based on hardware type not configured VPUs.

36568
The GUI displayed a working CIFS service as disabled. This issue has now been fixed.

35025
The GUI and CLI warning When disabling a share, have GUI and CLI warning messages match. The GUI warning has been updated to reflect the warning.

35040
MPNS namespaces had poor CIFS performance, due to using UDP. The default now is for Kerberos to request TCP.

36110
Asymmetric read-only enabled by default on new share config. This issue has been fixed. As of 5.0.1, we support NetApp environments where the cifs.ntfs_ignore_unix_security_ops option is set to "on."

35185
Forest to Forest Trust did not work with selective authentication. Now there is a CLI command, kerberos auto-realm-traversal, that can configure the ARX to function with selective authentication.

36499
Accessing GUI through IE took a very long time. This issue is fixed in this release and the pages no longer take a long time to load.

36656
NTLM authentication server incorrectly shows offline if the IP address cannot be resolved by the ARX. This was fixed by adding 60 seconds before starting NTLM Secure-Agent monitoring during system startup.

37356
In a redundant pair where one ARX is upgraded to 5.1.0 and its peer is manufactured with 5.1.0, an administrator experienced a delay in logging in after a reboot. A login was not possible until the ARX reached global scope (that is, until it was possible to enter gbl mode in the CLI).

35757
Kerberos clients were unable to connect after an update 4.0.1. This issue is fixed and the ARX no longer advertises NTLMSSP in Kerberos namespaces unless they also have NTLM[v2] or else have anon-access enabled

35151
A customer experienced a failure to replicate a subshare. This issue is fixed and now the ARX deletes all subshare mapping records instead of generated only records.

34871
Full tree walks were happening after database rebuild, which was caused by the lack of synchronization in the shadow receiver. This issue was fixed by enabling the path lock at the right time and on right paths.

37047
An internal error caused the show chassis command to hang, and it caused the ARX to send fanFail traps.

35278
Watchdog reboots of slot 3 on both ARXes after upgrade. The fix prevents a possible reset of an ARX due to watchdog timeout for ARX6000s that are not directly connected on the redundancy link.

32631
The ARX 1000 failed to send a Linkup trap after channel configuration. Linkup traps for each physical interface and the channel now work.

34961
LIP_LIB & L2SW_LVL7 messages kept appearing every 5 minutes. The problem is cause because the ARX asks for Slot 2 processor 2 on an ARX 500, which does not exist this problem has been fixed.

35497
On an ARX 500, the GSMD cored during ARX startup. This problem has been resolved as reported in bug 35521.

35737
On an ARX 1000, the OOB mgmt no shutdown command did not work until reload. This problem has been fixed and it now works without a reload.

35872
Smtp server names did not allow digits as their first characters. The ARX now complies with RFC1123 section 2.1, which allow smtp servers to have a hostname that starts with a digit.

36868
The managed-volume software failed and generated a core-memory file during import. This problem has been fixed.

35527
The ARX MIB was not compliant with RFC 2578. Now, the ARX MIB is compliant.

25983
The Remove Share report did not indicate shares that had an "access denied" problem. The software now indicates in the remove report whether the error came from the share being removed or he relocate-dirs share.

36587
The ARX would sometimes experience an NSM crash when processing CIFS traffic from previously disconnected trees. The ARX now properly drops this traffic.

25054
GUI: Added new status icons to the Exports page. These now include all of the following: Offline (red star), Degraded (yellow triangle), Online (green circle),Read Only (yellow triangle), Not Found (red star), Unavailable (red Star), and Snapshot (green circle).

34913
If power is lost to the ARX during the firmware upgrade process, the ACM processor gets stuck in downloading while booting up. This was due to a software change and the software has been fixed.

36179
The ARX2000 Hardware Installation Guide now cites the unit's typical power consumption.

35892
The "arp" command now works correctly and as expected; previously, there were several cases in which it did not behave as documented.

35941
The "no arp" command now works correctly and as expected; previously, there were several cases in which it did not behave as documented.

37433
An error in the power-supply numbering has been corrected in the ARX4000 Hardware Installation Guide.

36398
ARX 4000 data plane power supplies now are recognized correctly. Previously, there was a problem in which the power supplies were not being recognized by the chassis.

33927
Dynamic DNS can be configured now using the GUI.

35915
A note has been added to the Managed Volume Wizard indicating that volumes are created read-only.

36181, 36075
SNMP traps now reflect changes that have been made to the ARX's temperature thresholds.

36067, 36035
The handling of log rotation and compression has been enhanced to provide better performance.

36178
A display error in the output of the "show mac-address-table" command has been corrected.

36659
A problem in which the ARX erroneously advanced the day of the week by one when setting the time on CIFS clients using NET TIME has been fixed.

34709
Case sensitivity in dynamic-dns configuration.

36109
Policies appear stuck or hung.

36259
Snapshot policy is failing to stop when the namespace is disabled.

26747
"show statistics" migration history displays internal names in mpns migrations.

36853
Discovered SPN does not work for Kerberos Authentication making files unreachable.

37922
Documentation needs to account for new Secure Agent need pop-up.

35251, 37697
Cannot copy to namespace via NFS, but CIFS works in MP namespace.

37892
"per-vlan" not helping overcome asymmetric routing issues.

37455
ARX4000 SNMP CPU statistics don't work for processor higher than 2.3.

24904, 29418
Add option to filer export based on global-server NAME\\IP ADDRESS.

34468
GUI cores while attempting to import C$ share.

36114, 36010
If ARX4000 internal temperature exceeds 45 degrees C, box will not reload properly unless fully power cycled.

38307
Timeouts pertaining to certain internal operations occasionally caused volumes to go offline, preventing the ARX from acquiring the free space of targets. This has been corrected.

38000
A problem in which Mac OS X 10.6.3 clients were not able to access direct volumes correctly has been fixed..

34842
Make share remove force option more clear.

37512, 34517
NFS volume inaccessible until failover.

31861, 36682
ARX500+ V 5.0.5 quorum disk encrypted-password fails due to length.

36693
NSM core during HA configuration.

37229
ARX issuing STATUS_ACCESS_DENIED on SET_PATH_INFO.

32979
OpenSSL DSA client certificate vulnerability.

35311
Cache invalidations due to writes from same client.

37285
ADJOIN_PWCHANGE error during domain-join.

36161
Provide access to the virtual power button press without having to drop to shell.

35296, 35230
Directory not showing through the VIP.

27894
backup-operator group is missing default role.

37121, 37945
NSM core in 5.1.0.

37818
"show server-mapping" consumes all the memory.

38279
A problem that caused an outage during the import of shares has been fixed. Now, if a higher priority share fails to import its root directory, any lower priority shares will fail to import as well.

34941
Report what metadata filer/share was being accessed when a DFMDB error occurs.

36896, 37932
Shadow volume was stuck.

37815, 37939
SV rule stuck.

36473
SV needs a script to test mismatched shadow source and target versions.

37899
Secure Agent need pop-up warning of virus scanner issues.

37868
Issues writing to CIFS share after upgrade to 5.1.0.

36417
Steps to replace a failed data plane need to be streamlined.

37482
ARX500 v5.0.5.11742 snapshot unable to be viewed from the Previous Versions tab.

37522, 38337
XSDD cores.

34320
Users shouldn't be allowed to type in volume names that will prevent policies from working.

34511
Windows snapshot creation fails when the share name is multi-byte.

30574
Request ability to use NTLM version 2.

36393, 37033
Adding proxy addresses using "count 12" can cause mac / proc skew.

35810
Annotate debug configuration options with a comment in show running/global.

36184
cli_show.log file is missing line breaks.

36674
cli_show.log line termination issues.

35093, 32148
Combine multi-part captures into single file for ease of handling.

34968
Core in capture.

35477, 34500
New ARX4000s show NVRAM ECC error until NVRAM cleared.

24835, 32683
Need a string to tie the broken DR cast together.

37113
Possibly false ARX 4000+ control plane power supply absent traps raised.

29279
"show cifs-service kerberos-tickets" "Renew Till".

36716
"snmp-server" command allows you to specify a non-default port to send traps on but always sends on 162 anyway.

35186
"share-logon-failure-raise" not providing reason for logon failure.

34856, 37003
Stuck place rules.

35959, 36180
CSE-demo cores in afnnetd.

[ Top ]

Fixes and Enhancements in Prior Releases

The current release includes the fixes and enhancements that were distributed in prior releases, as listed below. (Prior releases are listed with the most recent first.)

Version 5.0.6

This was a Maintenance Release for the 5.00.nnn series of software releases. It did not include any new features or enhancements beyond those of Release 5.0.5. It contained the following fixes:

36812
Policy rules were stuck in a "Migrating" state after all selected files moved.

37382
A snapshot remove operation for a particular back-end share would always time out after 50 seconds. This was insufficient for some back-end servers. After your ARX gets the fix for this issue, F5 Support can set a higher timeout for snapshot-related commands if required for your site.

Version 5.0.5

Release 5.0.5 included the following fixes and enhancements:

Features

Release 5.0.5 is functionally equivalent to Release 5.0.1.

ARX 5.0.5 is a maintenance update that provides support for new ARX4000 hardware; specifically a new control plane with new power supplies.

You can identify whether or not you have the new hardware by a physical examination. The original version of the ARX4000 used a control plane containing six 3 1/2 inch disk drives. (The serial numbers of these commodity servers start with BZDS.) The new ARX4000 uses a control plane that contains two 2 1/2 inch disk drives. (The serial numbers of the new chassis start with 0700.)

If your installation has upgraded existing ARX4000 systems instead of upgrading to the new platform, the ARX4000 documentation for 5.0.5 contains some information that does not apply to your model. For former versions of the ARX4000 chassis, consult:

  • Rev E of the ARX4000 Hardware Installation Guide
  • Rev C of the ARX4000 Installation Card

These are included in your 5.0.5 release; you can retrieve these earlier versions from the GUI or download them from the CLI.

Fixes

36233
DNAS core and continuous reboots of cluster. This issue has been fixed.

Release 5.0.5 added the following fixes to the ARX:

36573
Snapshots fail with a managed volume with a share farm with two shares. Timeouts for the snapshots have been increased and this fixes the problem.

34347
If you issue a Snapshot Remove command, then all of the contents of the virtual snapshot you are removing will be removed regardless of the current snapshot contents settings.

35115
Spurious battery temperature values were being reported.

35243
There was an error in CPU speed calculation logic. Now the CPU speed is correctly reported.

35245
Previously, deleting a report would only unlink the report name from the file system. The disk space for the report file would only be freed when all references to that report were removed (unlinked). Other references to a report could include being opened for copying or collection, and so on.

Now, when a report is deleted, it is first truncated meaning that the report is terminated. There can be no remaining references to the report. After that, when the report file is removed, not only will its name be removed from the file system but its disk space will be freed immediately. Therefore, there can now be no discrepancy between the amount of disk space that is reported for /acopia/reports before and after the switch is reloaded.

35266
The ARX Manager can take a null pointer exception while editing an Export due to Back button use. Do not use the Back button in releases prior to 5.0.5. You can use the back button in 5.0.5 and higher.

35313
The no ip address command for the NTLM authentication server was not fully implemented. This operation is now allowed as long as the NTLM authentication server is not in use by a namespace.

35314
Previously, the maximum snmp-server entry limit was being checked prior to adding and deleting an entry. If the maximum snmp-server entry limit had already been reached, the operation failed. The fix was to only check the limit when adding a new entry.

35493
ARX4000+ Control plane power supply LEDs do not change to amber (or otherwise indicate failure).

It is difficult to detect a power supply fan failure on the new ARX4000 control plane. The control plane power supply LEDs do not change color or indicate failure in any way that you can detect visually. However, if you think a fan failure has occurred, you can inspect each power supply fan to determine if the fan is dead and to detect air movement (or the lack of air movement).

If you have access to the CLI, enter the show chassis chassinfo command which shows the status of all 4 power supplies. It is best not to rely on the LEDs because the LED states are different for each power supply manufacturer.

35505
Prior to release 5.0.5 the ARX4000 power supply numbering was inconsistent between the data plane and control plane.

Prior to 5.0.5, when facing the back of the ARX4000, the control plane power supplies were designated 1/1 (top) and 1/2 (bottom). The data plane power supplies were designated left-to-right as 2/2 and 2/1, respectively.

Starting with 5.0.5, the ARX4000 includes a new control plane (with new power supplies) and a re-numbering of the data plane power supplies. When facing the back of the box, the control plane power supplies are designated left-to-right as 1/1 and 1/2, respectively. The data plane power supplies are designated left-to-right as 2/1 and 2/2, respectively.

When upgrading an existing ARX4000 to 5.0.5, take note of these changes. If you experience a data plane power supply failure and consult the output of the show chassis chassinfo, it reflects the new designations. For example, the following output indicates a failure of the left-hand data plane power supply.

minturnA# show chassis chassinfo

 Identification:
 Hostname                             UUID
 ------------------------------------ --------------------------------------
 minturnA                             3d17e8ce-571e-11dc-9852-ef323fbb290f

 Chassis:
 Chassis Type  Model Number                          HW Ver.  Serial
 ------------  ------------------------------------  -------  -------------
 ARX-4000      SR2500ALLXR-F5                                 0700000006

 Chassis Environment:
 Base MAC Address    Power            Fan(setting)    Temperature
 -----------------   --------------   -------------   -------------
 00:0a:49:17:84:00   Online           Online          Normal(<45 C)

 Power Details:
 Supply   State
 ------   -----
 1/1      Online
 1/2      Online
 2/1      Failed
 2/2      Online

35727
An ARX cored during the import of share, due to an uninitialized structure. Import now correctly initializes this structure and this problem has been fixed.

Version 5.0.1

Release 5.0.1 included the following fixes and enhancements, also included in this release.

Features

Release 5.0.1 is functionally equivalent to Release 5.0.0.

Fixes

Release 5.0.1 adds the following fixes to the ARX:

36061
The CIFS security-id/name translation daemon was incorrectly handling cached information on untranslatable security-ids, causing assertion failures. This issue has been fixed.

36116
After an upgrade from 3.2.2 to 5.0.1 some MAC OSX users were not being able to login or they experienced degradation in network response. This issue has been fixed.

36122
Older snapshots were not being deleted by an ARX volume. This issue has been fixed.

36158
Mac users were getting significant performance hits through the ARX. This issue has now been fixed.

36965
If a managed volume already imported a share from an NTFS qtree, it was unable to import another share from an NTFS qtree with the "ntfs_ignore_unix_security_ops" option. The new share stayed indefinitely in the "Pending Import" state. This only occurred if the first share was imported before an upgrade and the remaining shares were imported after an upgrade.

36943
When CIFS clients unexpectedly cancelled their connections in the middle of a "find" operation (such as Transaction2FindFirst), NSM software allocated memory without freeing it. If this happened often enough, the ARX sent nsmResourceThreshold traps for the "cifsSidBitmap" resource. Eventually, some CIFS clients were unable to connect. The problem is resolved in this Release.

35721
A client could send a non-Latin 1 character sequence file name to a Latin 1 namespace during an import. We now restrict and deny non-Latin 1 sequence files during an import to a Latin 1 namespace.

34771
A direct (or presentation) volume could not attach to an NFSv3/UDP export unless the export also supported NFSv2. Direct volumes can now attach to NFSv3/UDP exports whether or not the exports also support NFSv2.

35679
An integer overflow prevented the shadow volume copy from copying files over 4G. In addition, there was the large memory consumption by shadow receiver. A fix was put in place to prevent integer overflow when the file size is over 4G. A throttle was implemented to prevent the potential large memory consumption by the shadow receiver.

36003
The NSM was generating a core when the NSM failed to handle an error reply from a file server for a transaction of snapshot. The issue occurred when multiple transactions were done at the same time while the ARX was waiting for response from the file server, the ARX deleted the cache information incorrectly, then caused an NSM core. This issue has been fixed.

35128
Mac OS X clients using SMB file sharing components that are part of the OS were unable to mount shares hosted on the ARX. This was caused by a crash of the NetAuthAgent component on Mac OS X. ARX software in this release works around this problem.

35210
Administrators were unable to change the quorum disk location when the quorum disk was offline. Administrators now can change the location of the quorum disk when it is offline.

35969
Previously, shadow volumes encountered sharing violations in .acopia_shadow and then cored. This has been fixed.

Version 5.0.0

Release 5.0.0 included the following fixes and enhancements, also included in this release.

Features

Release 5.0.0 adds the following features to the ARX:

File Tracking
An ARX managed volume moves files through tiers of back-end storage as time passes. Some installations use data-protection systems that perform backups and restores directly on their back-end filers. If a backup occurs on Filer A before an ARX volume migrates some files to Filer B, it is unclear which files should be restored to which filer. The new file tracking application resolves this issue.

You can configure an external file server as a file-history archive and configure a volume's snapshot rules so that they regularly store their file locations in that archive. Later, you can make queries about current file locations as well as their locations as they moved from tier to tier in the past. From the GUI, access the File History Query option from the navigation pane. From the CLI, use the commands described in the chapter, Tracking Files on your Back-End Storage in the CLI Maintenance Guide.

Seamless Managed-Volume Import
Previous ARX-software Releases blocked certain client operations, such as renaming directories, while a managed volume imported storage from its file servers. Release 5.000.000 lifts all client restrictions during a managed-volume import, so that clients can access the managed volume's storage as soon as it is enabled.

Kerberos Authentication for the ARX Proxy User
An ARX proxy user is a set of Windows credentials (a username, Windows domain, and password) that a managed volume can use as its identity for autonomous operations. A proxy user in previous releases always authenticated with back-end file servers using NTLM; as of Release 5.0.0, it can use Kerberos as well.

Copying Files Between ARX Maintenance Directories and ARX Volumes
Release 5.0.0 offers a new option for transporting maintenance files: you can transfer them to and from ARX volumes. This is designed for sites that do not permit FTP access (or other Internet access) to their data centers. You can use the copy {nfs | cifs} CLI command, or its GUI equivalent, to copy software-release files, diagnostic files, logs, or other maintenance-related files. Refer to the CLI Reference for detailed instructions on using the CLI command.

New Online Help in the GUI
The 5.0.0 GUI now offers extensive online help, with indexing, book marking, and a search interface. These new navigation tools give administrators the opportunity to pursue any given topic and learn more as needed.

Fixes

Release 5.0.0 fixes the following software issues:

35114
When clients repeatedly performed a metadata modifying operation (create, delete, or rename) on the same file or a permission/attribute modification on the same directory during import, the import software unnecessarily rescanned the modified object's directory. The import software no longer performs these redundant scans.

31073
The ARX CLI failed if you entered multi-byte characters (such as Japanese characters) through a terminal emulator that did not support UTF-8.

32636
The output from collect was inaccessible unless you explicitly specified a .tgz extension. The CLI and GUI formerly accepted this directive without the proper extension; the current release prompts for the .tgz extension if it is missing.

25487
The management address for an external filer, set with the ip address a.b.c.d management CLI command, could not be on the out-of-band (OOB) management subnet for the ARX. That restriction is now lifted.

31029
The show ntlm-auth-server status CLI command got an OPEN_SSL_ERROR string if the NTLM-server password was longer than 22 characters. It now allows up to 64 characters, as indicated by the documentation and online help.

32728
If you incorporated a non-existent filer snapshot into an ARX-snapshot rule (with the snapshot manage CLI command), the ARX erroneously created an empty ARX snapshot.

18135
Under rare circumstances, an nsck ... rebuild on a shadow volume made the volume stall in "importing" state.

30634
The ntp server command allowed v1 and v2 of the NTP protocol, two versions that were not supported. The command no longer offers those options.

32570
An ill-timed filer error sometimes resulted in a spurious "Completed" state for a file-placement rule. In the current release, all reports correctly show a failed migration whenever a filer issue causes a failure.

32609
The report for a failed file-placement rule may terminate with the RULE_INTERRUPTED error. This error is designed for rules that were interrupted by configuration changes and reboots. In former releases, it was also inappropriately used for filer errors and connection issues.

32468
The 'Files in Fileset' counter was incorrect in a File-Placement report and the 'show policy' (detailed) output. The counter for 'Files in Fileset' was higher than the actual number of files when it was incorrect. The counter is accurate in the current release.

32473
Incorrect "Snapshot State" appeared in snapshot reports and the output of the "show snapshot" CLI command. The "Snapshot State" of a sparse snapshot should appear as "Sparse" if any of the volume's shares are excluded for any reason. The snapshot state appeared as "Complete" when shares are excluded because of filer configuration. In this release, the snapshot state correctly appears as "Sparse."

30406
Shadow Volume sync performance for ARX4000 was poor compared to that of the ARX6000. Sync performance in the current Release is equivalent between the two hardware platforms.

34528
The output of the show global-config command displayed reserve file settings for direct volumes.

30414
Could not attach directory to . for a Windows file server.

28709
Conflicting place rules caused a deadlock when simultaneously migrating files between two separate share-farms. Each rule was asking the other rule for a particular share's index while holding a lock preventing simultaneous access.

31457
Dual switch reboot fixed by ignoring a latent disk heartbeat, which caused the junior switch to reboot.

31774
Too many alerts sent due to a transaction leak.

27986
Users could not log on due to authentication errors which were fixed with health check and load balancing improvements.

31083
A standard NFS error resulted in extra "DFM_FILE_ASSERT" messages in the syslog. The ARX no longer logs these unnecessary messages.

30753
When the dncd tried to send message with too many entries it cored. The NSM can only support up to 64K attach points. When processing a directory with a large number of sub directories, break up the request into multiple messages, which will keep dncd from coring.

33403
Previously, there was a problem display the Japanese character set in a share using a MAC 10.4 GUI on an ARX. This issues is resolved now in the handling of the RPC.

33676
Previously, the LED link light did not come on for 100Mbps setting for the 500+. This issue has been resolved.

31513
Removing an empty direct/presentation volume will cause disruption to all clients that are attached to that volume. A message now warns the user when the volume is still in use by an active global service (Virtual Service in ARX Manager) and asks if they want to destage anyway.

29292
Previously, log messages contained the use of forward and back slashes for path names. They used to use forward slashes in some cases and now they are consistent.

33057
Previously, If a file server was very busy, it was slow to respond to CIFS file close messages. Some clients would resend the close if they don't receive a response after some period of time. Multiple closes on the same file identifier would cause the internal state in the ARX to become corrupted resulting in a failure in an NSM processor. This is now resolved.

31779
A shadow-copy rule produced ambiguous errors when its target volume had no more file credits. The errors appeared in the shadow-copy report in the Target Information section, similar to this error:

% ERROR:  (38):
  Read source file attribute data failed; Unable to read file attributes;
File[share-name:file-path]
Open failed; STATUS_SHARING_VIOLATION
File: partial-file-path

Now the report includes a clearer message:

Shadow volume target has no free files

28482
The copy ... ftp CLI command (and its GUI equivalent) occasionally failed with the following error:

FTP Put error: 'remote file appears to be the same as the local file, 
upload is not necessary'.

This rare failure no longer occurs.

30970
The redundancy software did not send an SNMP trap when the heartbeat directory was restricted to read-only access. The heartbeat directory is on the external filer used as a quorum-disk. Now the redundancy software raises the haPairQDiskOffline trap whenever this write failure occurs.

31854
The ARX had insufficient algorithms for checking the health of its remote Domain Controllers (DCs) and for quickly switching to a healthy redundant DC. As of Release 5.0.0, the ARX began using an LDAP query for its health checks, and offers an option to declare a set of "preferred" DCs in a given Windows Domain. The CLI Storage Guide contains instructions for setting DC preferences and changing the timeout for DC health-check queries.

32565
The ARX kept two copies of each core-memory file. Core files contain important diagnostic information for processes that failed; they typically consume large amounts of space on the internal disks. The ARX now keeps only a single copy of each core file.

30293
User access issues resolved by adding a separate auth queue to vcifs. This is used for incoming NEGOTIATE and SESSION SETUP requests.

32534
The Mibs.tgz file, available in the "software" directory, contained the Secure Agent code as well as the MIBs. The Secure Agent packages have been removed from the Mibs.tgz file. They are still available on the ARX, in the "software" directory alongside the Mibs.tgz file.

32080
A file-placement rule kept trying and failing to migrate files after its target share ran out of space.

33058
A syslog message from the policy engine, RULE_UPDATE_INLINE_FAILED, contained cryptic references to internal processes.

30303
If a file server behind an ARX volume ran out of space, directory renames locked out all other client access for 10 to 15 seconds. The directory renames now fail immediately, without locking out clients.

Workaround: Disable the rule that is scanning.

31258
The clear statistics cifs-auth CLI command did not clear all of the CIFS-authentication statistics. The Failure Reason Table at the end of the show statistics cifs-auth output retained its error strings. Now the clear command clears the full contents of the corresponding show command.

29951
The cancel import CLI command (or its GUI equivalent) failed for a share that had not yet started its import scan. This failure made it impossible to cancel the share import. It also prevented future import cancellations and volume controls in the share's volume.

31227
The POLICY_PEP logging component wrote misleading messages to the syslog during normal tiering operation:

DPRulePlaceTag::ValidateTarget(EvaluateFileContext*)[file-path]
        - no target specified.

These messages appeared when the POLICY_PEP component was at a logging level of "debug." They were not errors. We have rewritten these log messages to be less confusing in the current release.

 

30841
This redundancy configuration caused a dual reboot:

  • The quorum disk and a managed volume's metadata share are on the same back-end file server,
  • the metadata share is configured as a "critical resource" on the ARX, and
  • file server goes offline.

In the current release, no reboot or failover occurs.

 

30784
Share discovery used to not preserve back-end share descriptions. When creating ARX exports by scanning back-end storage, the ARX now initializes the ARX export description from the back end. ** Subsequent changes to the ARX export description will NOT be propagated to existing back-end shares or subshares.** .

34180
If a multi-protocol volume had a non-latin1 character (such as a Japanese character) in its name, the volume software sometimes failed and produced a core file. The failure only occurred if the namespace's NFS-side character encoding was set to "iso-8859-1;" from the CLI, you can set this with the character-encoding command.

31292
A reboot issue had no immediately client-visible effects, but had the potential to take services offline at a later time. An NSCK destage of one of the affected volumes could trigger the service loss. (From the CLI, you use the nsck ... destage command to destage a volume.) At the time of the destage, all of the volume's front-end services went offline. The root cause of this outage has been corrected.

27621
The show namespace CLI command and the GUI's Managed Volume Details screen both display the number of files used and files available on a volume's shares. The number in the CLI output was different from that of the GUI; one was rounded and the other was exact. In the current release, the numbers match in both interfaces.

31528
The option to ignore a back-end file/directory name was applied to directories during import, and it was applied to both files and directories after import. The CLI command was named ignore-directory, and its GUI equivalent had a similar name. As a result of this inconsistent treatment of ignored names, a file could successfully import into a managed volume and then be ignored by volume software, making it inaccessible to clients. The CLI command (and function) has been renamed to ignore-name: this command and its GUI equivalent now ignores all directory and file names that it matches.

Version 4.1.3

Release 4.1.3 was a maintenance release that fixed the following software issue:

37329
A file-placement rule sometimes stopped migrating with 199 files in a "pending migration" state. This was due to an internal resource-contention issue that is resolved in this release.

Version 4.1.1

Release 4.1.1 was a maintenance release that fixed the following software issues:

35416, 35648
A failed CIFS directory rename to the volume root of a multi-protocol namespace used to result in the retry operation failing. The solution was to specify a NFS protocol when updating the parents filehandles.

35786
Policy migrations were failing due to a rare internal failure. The internal failure has been corrected.

36187
If a back-end server stopped responding to an open CIFS session, and the NSM processor with the CIFS session had an increasing number of client queries for the server, the NSM processor sometimes failed.

36818
If you enabled a managed volume on an ARX500, failed over to its redundant peer, and then enabled the volume's CIFS service on the peer, the CIFS service sometimes got stuck in the 'starting' state.

36643
Mac OS X 10.4 & 10.5 "DAVE" CIFS clients were losing sight of files and/or folders exported from an ARX service.

35521
The internal hard drives supplied to F5 Networks, Inc. for some ARX500s and ARX1000s had a firmware issue. The issue sometimes caused the drives to be remounted as read-only, thereby taking the chassis offline. F5 issued letters to all customers known to have this issue, and replaced the faulty drives.

35947
Previously, when a user is tried to find a previous version of a file or directory using the Previous Versions tab in the Properties dialog box from Windows Explorer, previous versions of the file or directory that were part of at least one snapshot of the managed volume did not appear in the list of previous versions. In this case, the snapshots were available by browsing the available snapshots in the snapshot directory (whose name is configurable, but is "~snapshot" by default) on the managed volume. This has been fixed.

35140
After the maximum amount of NTP servers were configured, someone attempted to move one and it failed. This command now works as expected, and moving an NTP server is successful.

35486
Previously, a forced storage remove left old replica filehandles around with storage IDs that no longer existed in the volume. This problem has been fixed and old replica filehandles are no longer left behind.

45140
After the maximum amount of NTP servers were configured, someone attempted to move one and it failed. The command now works as expected.

33694
Two administrative operations often resulted in omTransactionsRaise traps from the ARX: those invoked by the collect and remove-share ... migrate CLI commands, or their GUI equivalents.

34855
If a managed volume with browsing enabled was importing when a process requested the volume's free space, the import slowed noticeably.

31748
UPN support. Added UPN support for NTLM.

29219
The cancel sync files CLI command had an issue with command completion. The syntax below showed all volumes on the ARX instead of the set of volumes in namespace:

cancel sync files namespace volume ?

Now the command shows only the list of volumes from the specified namespace.

 

32965
An ARX-snapshot removal is designed to remove each component snapshot from the ARX volume's file servers. If any file server failed to delete its snapshot, the ARX noted the failure and then removed all records of the ARX snapshot from its database. This made it impossible to delete the file-server snapshot from the ARX. Now the delete-snapshot operation keeps the ARX snapshot as a "sparse" snapshot; the sparse snapshot only includes the file-server snapshot(s) where the delete failed.

30951
EMC Checkpoints fail with error "Unable to find file system ID <FSID #>." It is possible that the query can fail to find the file system ID. The usual cause of this problem is that the management IP address set for the external-filer object does not identify the correct EMC Control Station for the file system. To view a list of file system IDs and names, run the command 'nas_fs -list' on the EMC Control Station's management console. If the file system ID reported in the error message is not in the list, then it is likely that the wrong Control Station IP address is configured for the external-filer.

33126, 33676
Previously, the LED link light did not come on for 100Mbps setting. This issue has been resolved.

33024
In a particular VPU configuration, a share-removal operation could cause volume software to restart and produce a core file. The restart occurred for a volume that shared its VPU domain with 63 other volumes. (You can remove a share with the remove-share CLI command or its GUI equivalent.)

32595
A shadow volume sometimes failed if it was backed by an NTFS qtree. The problem was that the shadow-copy rule was using NFS to write its database to the qtree. This release uses CIFS to write the shadow-copy database to an NTFS qtree.

33023
The policy engine failed to detect a rare metadata failure that made it impossible to operate successfully. File-placement rules continued to take CPU cycles without successfully migrating any files. The place rules added many messages to the syslog with this statement: "(No policy queue exists for this volume.)." In the current release, all rule processing stops for a managed volume with this failure.

33706
The snapshot manage CLI command had an unclear error message. The error message is clearer in this release.

33194
An NSM-core processor could fail with a rare combination of NLM transactions (from NFS clients) and file-server outages. These combinations no longer cause an NSM failure.

33312
The snapshot manage CLI command (or its GUI equivalent) failed unless it was preceded by a snapshot create operation in the same managed volume.

33217
When a CIFS-only volume on the ARX attempted to import a CIFS share from a NetApp filer, the import could fail due to an NFS security setting on the filer. The failure occurred only for an ARX volume configured for CIFS subshares, and for a NetApp share backed by a Unix qtree. The NetApp's Unix-security setting is now properly ignored by the CIFS-import process.

Version 4.1.0

Release 4.1.0 included the following fixes and enhancements, also included in this release.

Features

Release 4.1.0 added the following features to the ARX:

CIFS Access-Based Enumeration (ABE) Support
Release 4.1.0 adds CIFS support for Access-Based Enumeration (ABE). If an ARX volume has ABE enabled, its CIFS clients can only see the files that they have permission to read. That is, inaccessible files and directories do not appear in directory listings. This feature is designed to eliminate client curiosity about files and directories that they do not have permission to view.

The following ABE-supporting filers have been qualified for use behind ABE-supporting volumes:

  • EMC Celerra, software version 5.5.
  • NetApp, software versions 7.2.3 and 7.2.5.
  • Windows 2003 R2 SP2.
  • Windows 2003 SP1.

NOTE: For any ABE-supporting volume backed with NetApp filers, the volume's namespace requires a proxy-user with new access privileges. The proxy-user account must belong to the "Administrators" group on each ABE-supporting NetApp share. This is a higher level of access than the "Backup Operator" privileges required for file migrations.

Support for Maximum Age for Kerberos-Machine-Account Passwords
Some Domain Controllers (DCs) support a "Maximum Age" option that you can set for Machine-Account passwords. This is a secret password exchanged between a machine account (such as an ARX-CIFS service) and the DC when the machine/service first joins the Active-Directory domain. By default, the password lasts indefinitely. Administrators have an option on some DCs to set an expiration period, called a "maximum age." If the machine-account password expires for an ARX-CIFS service, the service can no longer use Kerberos to authenticate its CIFS clients.

Release 4.1.0 adds an operation to resolve this issue. For a site where the maximum age is set and about to expire, you can use the cifs rekey CLI command (or its GUI equivalent) to regenerate the key(s) for your ARX-CIFS service(s).

Fixes

Release 4.1.0 fixed the following software issues, also fixed in this release:

35421
On an ARX 6000 system, certain types of network control packets could exhaust all internal memory associated with the networking hardware in the system. No further network communication can occur on this port until an ARX failover is performed. This problem is fixed with this release.

35373
The FILER_CREATE_FILE_FAILED message caused an NSM core. We fixed memory corruption occurring in the NSM logging subsystem when formatting a log message longer than 130 bytes.

30623
A reboot failed to recover an ARX4000 in SSB-degraded mode. SSB-degraded mode means that the PCI connection has failed between the DP and the CP. In this release, the connection recovers after a CLI reload or its GUI equivalent.

32330
The snapshot timeout client-tolerance command is unsupportable in some file-server topologies. The solution to this issue is to automatically generate a suitable timeout value for ARX snapshots, and to remove the command.

32086
When an NSM fails in an ARX6000, certain CLI commands and GUI operations hang without ever completing.

31713
When removing a back-end share from a managed volume, a transient connectivity problem with the share's filer can stop the share-removal operation. The share-removal operation now retries for a longer period of time before canceling. (You can invoke a share-removal operation with the no share, no filer, or remove-share CLI commands, or their GUI equivalents.)

32161
Share-removal reports may contain spurious FF ("Found File") entries.

The solution to this problem is to issue a new CLI command, expect change-mfg-date.scr serial-number, where the serial-number is the one on the chassis label. This changes the output of show chassis chassinfo.

32323
Some processes on the SCM or ACM use progressively-more memory, causing the ARX to eventually refuse administrative logins and offer progressively-slower service to its clients.

31240
The ARX supports a single default route; this may be a problem in a multi-VLAN network with a certain firewall configuration.
The new ip route ... per-vlan CLI command allows an administrator to work around this issue. Refer to the CLI Reference for details on this command.

31674
An alarming syslog message, "xsdd_aipc_task: IPC service error 3...," may appear repeatedly on an ARX, often when the ARX is processing a large number of SID translations. This message does not typically indicate a service-affecting problem, so its severity has been downgraded.

31549
The CLI online help does not line up its options with the correct descriptions. For example, the description below should line up with the generic "Text" option instead of the specific "arx.testlab.sg" choice:

my-arx(gbl)# cifs ?
arx.testlab.sg      - Specify the global server hosting this CIFS service.
cifs.arxsg.com      -
nfs1.test.lab       -
Text<1-128>         -

my-arx(gbl)# 

30912
If an ARX with two internal disks (an ARX1000, ARX2000, ARX4000, or ARX6000) loses both of them, it fails to reboot so that its redundant peer can take over its storage services. The resolution to this issue is a proper reboot and a faster failover.

31805
An NSM processor fails and produces a core-memory file if it receives a particular error from a back-end-CIFS filer. This only occurs in a presentation (or "direct") volume.

32224
The following circumstances lead to progressively-more memory consumption on the SCM or ACM processor, 1.1:

  • a presentation (or "direct") volume uses a managed volume as one of its "filers", and
  • that managed volume is deleted.

The bespd daemon uses up progressively-more memory until it fails and restarts. This daemon's memory consumption is visible in the output of the show system task CLI command.

 

31488
If an ARX4000 NSM experiences certain driver issues, the driver writes an excessive number of repetitive log messages to the serial Console. This slows the performance of the network drivers, and masks useful driver logs.

32089
A DAVE 7.x client application can create an issue when opening directories in an ARX volume: if the ARX has a particular failure while opening the directory, the directory remains open after the DAVE client has left it. A directory in this state cannot be deleted or renamed by other clients.

31804
A pair of NSM processors can unexpectedly fail, causing a failover in a redundant pair of ARXes. This is due to the NSM software's incorrect assertion that an internal-memory buffer (for log messages) has overflowed.

31692
The ARX4000 does not reliably process jumbo frames. (You can enable or disable jumbo frames with the [no] jumbo mtu CLI command.)

Version 4.0.1

Release 4.0.1 included the following fixes and enhancements, also included in this release.

Features

Release 4.0.1 is functionally equivalent to Release 4.0.0. Unlike Release 4.0.0, this release has been fully qualified for use on the ARX®6000 as well as all the other ARX platforms.

Fixes

Release 4.0.1 fixed the following software issues. These fixes are also included in the current release:

32049
The ARX does not re-create its error.log or fastpath files if an administrator deletes one of them. (You can delete these files with the delete logs error.log or delete logs fastpath CLI commands, or their GUI equivalents.)

30720
If an ARX runs active VPUs on both redundant peers (configurable only on earlier versions of ARX software), the CLI or GUI may show incorrect used-file credits for those VPU(s).

31162
An NFS-access list with more than 128 IP addresses can cause the ARX to repetitively reboot if it is used in a presentation (or "direct") volume's attach point.

31255
The ARX4000 allows the Control Plane to power up when the Data Plane is powered off and/or disconnected. This is an unsupported configuration that causes a software loop and prevents the ARX from fully booting.

31483
If a client reads or writes a file with a particular byte sequence through an ARX4000 VIP, the ARX stops processing client traffic.

Version 4.0.0

This section describes the features and fixes from Release 4.0.0. Sites that upgrade from Release 3.2.0 and earlier get the benefit of all the features and fixes described here, in addition to the features and fixes described above.

Features

Release 4.0.0 adds the following features:

ARX®4000
Release 4.0.0 supports the new ARX®4000 hardware platform, which is a 4U device with 10-gigabit interfaces. The ARX®4000 has storage capabilities equal to an ARX®6000 with 2 ASMs and 2 NSMs. This platform supports a total of 10Gbps throughput.

Passive LACP
The Link Aggregation Control Protocol (LACP, defined in IEEE 802.3ad) dynamically manages the member ports in a channel. For example, if a configuration change disqualifies a port for channel membership, LACP processes automatically detect the change and stop using the port in the channel. Release 4.0.0 supports passive LACP, which you can configure with the lacp passive CLI command. Refer to the Layer-2 chapter in the CLI Network Guide for details on LACP and LACP configuration.

Fixes

Release 4.0.0 fixes the following software issues:

30441
The policy status showed scan complete/migration complete but the metadata report showed files left on source share.

27757
Deploying switches via template doesn't work with configuration order.

28613
Major inconsistencies revolving around the volume hosting home directories.

28647
When l2 failed on the senior switch, it detected a remote metalog error and causes the junior switch to fail. Since the senior is already rebooting due to the l2 failure, this causes a dual reboot.

29154
Cannot identify volumes using namespace-level metadata.

29416
CIFS AD forest names and Windows domain names are case-sensitive and should not be.

29417
GUI virtual services page does not display "joined" when no exports exist.

29450
A planned ARX reload during a large NTP-time skew can result in an unplanned reboot later.

29454
Remove-share nomigrate incorrectly requires "force" on failed import share. The "remove-share nomigrate" command used by the GUI and from priv-exec at the CLI required the "force" option to remove a share that failed import.

29565
A global server that references only disabled volumes can consume 99% of the CPU.

29667
Scripted creation of a VLAN in the ARX4000 CLI may fail.

29704
Policy is unable to move files from one share to another. When looking at the shares in the managed volume, freespace is being reported correctly, yet when a place rule is enabled, policy is unable to move files.

30269
Can't find active partition in config file.

30454
On the ARX4000, if the data plane is powered up after the control plane, the reload CLI command reboots the control plane but not the data plane.

30296
Cryptic error message needs to be more helpful. Superfluous text removed.

30301
Under cifs-service, the vol-path in the exports command is case-sensitive.

30343
If an NSM core has failed, nsm recovery is disabled, and you create a new CIFS service, the service cannot get past the "Starting" state.

[ Top ]

Required Configuration Changes

After the upgrade to 5.1.0, you require the following configuration changes to support all of the release's new features.

Upgrading the Secure Agent for NTLMv2 Support

The ARX cannot support NTLMv2 until all of its ARX Secure Agents (ASAs) are upgraded to 5.1.0, too. After you upgrade the ARX to this release, you must also upgrade at least one ASA. We recommend upgrading all of them. There is a 32-bit and a 64-bit version of the ASA kit available from the ARX. You can access these kits from the GUI (in the Documentation screen) or the CLI (with the show software and copy commands). Refer to the ARX Secure Agent Installation Guide for detailed ASA-installation instructions.

NOTE: The ASA formerly used pwdump to access a database on the DC; the 5.1.0 release of the ASA software uses other means instead. Please update any anti-virus (AV) application running on your DCs before you use the new ASA version. Refer to Solution Note 10026 for detailed instructions.

CIFS Symlinks: New Scan for Existing Volumes

If your system contained any multi-protocol (CIFS and NFS) volumes before the upgrade to Release 5.1.0, the volumes require a configuration change to take advantage of a software feature. The feature is symlink support for CIFS clients, described above. To activate CIFS symlinks for a multi-protocol volume, use the no cifs deny-symlinks CLI command. You can run this command from gbl-ns-vol mode for the multi-protocol volume. Once you allow CIFS symlinks, the volume must scan its back-end servers for NFS symlinks and record them in its metadata. A CLI prompt allows you to run the scan as a background process; enter yes to proceed with the scan.

For example, this command sequence adds CIFS symlinks support to the "insur~/claims" volume. The prompt indicates that a back-end scan is required, and offers the opportunity to run it in the background:

bstnA(gbl)# namespace insur volume /claims

bstnA(gbl-ns-vol[insur~/claims])# no cifs deny-symlinks

This volume's configuration has been upgraded from a prior software release.
If symlinks exist in the volume, the volume's metadata must be synchronized
before CIFS clients can take advantage of this feature. You can synchronize
the metadata at any time. User access is not affected by this process but it
may run for hours or days if the volume contains hundreds of millions of files.

Synchronize the metadata for the '/claims' volume now? [yes/no] yes
bstnA(gbl-ns-vol[insur~/claims])# ...

To perform the scan (and fully-activate CIFS symlinks) later, you can run the sync files namespace-name volume vol-name command on the volume's namespace. You can run this at any time.

The ARX Manager UI also provides an interface for running the no cifs deny-symlinks and/or the sync files operations.

This operation is not necessary for any multi-protocol volume created after the upgrade to 5.1.0. By default, new volumes allow CIFS clients to use symlinks, and the symlink scan is performed during the initial import of the volume's back-end shares.

NTLM Encryption Setting on Windows Server 2008 R2
 

By default, Windows 2008 R2 servers require 128-bit encryption for their NTLM SSP sessions. To use a Windows 2008 R2 server behind the ARX, you must disable this default requirement. From the Windows secpol.msc UI, under Local Policies -> Security Options, set the following option to "No minimum:"

Network security: Minimum session security for NTLM SSP based 
(including secure RPC) servers

Verify that All Proxy Users Use an FQDN Domain

Any namespace that supports CIFS access has a proxy user that it uses as its identity. The proxy-user configuration is a username, password, and Windows domain that is valid in your Windows network. The proxy user's Domain should always be an FQDN (such as "mysrvr.myco.com") instead of a short name (such as "mysrvr"). This ensures that the ARX can authenticate with Kerberos, which can be vitally important in some situations.

  1. Use show namespace namespace-name to find the name of the "proxy-user" for a given namespace.
  2. Use show proxy-user proxy-user-name to see the configured Windows Domain for the proxy user.
  3. If the Windows Domain is a short name, you can use the windows-domain command in gbl-proxy-user mode to change it to an FQDN. (Use the pre-win2k-name argument if you need to specify both the FQDN and a short name that is completely different from the FQDN.)

Windows 2003 Clusters

If you previously used a Windows 2003 cluster behind a managed volume, you require one of two configurations to continue using the cluster. The first is recommended as a best practice, and the second is for sites where the cluster does not have a shared Service-Principal Name (SPN):

  1. Add the cluster's shared SPN to its configuration on the ARX. From the CLI, you can use the gbl-ext-filer spn command to set this. For example, spn vsrvr@myco.com. This must be a virtual SPN, one that persists after a cluster failover.
    This implies that the cluster's virtual-CIFS service must join the local AD domain. For sites where this is not possible, use the option below.
  2. Do not configure any SPN for the Windows 2003 cluster. This is contrary to the user documentation, which states that an SPN is recommended for any Windows cluster or Kerberos-supporting server.
    From the CLI, you can use the gbl-ext-filer no spn command to remove the SPN configuration.

In either case, you can use the show external-filer command to map the Windows 2003 cluster's VIP to an "external filer" name on the ARX. Then use external-filer filer-name to enter the CLI mode for that filer, and then the spn or no spn command as needed.

For example, the following command sequence finds the external-filer name for a Windows 2003 cluster and sets its SPN:

gffstnA# show external-filer
  Name                       IP Address      Description
  ------------------------   -------------   ----------------------------
  ch-wd-win1                 192.168.158.93  Windows Server 1, back room
  ch-wd-win2                 192.168.158.106 Windows Server 2, cluster next to Win1
  ch-wd-nas                  192.168.158.94  NAS filer in computer lab
gffstnA# global

gffstnA(gbl)# external-filer ch-wd-win2
gffstnA(gbl-filer[ch-wd-win2])# spn fs2k8c95@GGH.MEDARCH.ORG
gffstnA(gbl-filer[ch-wd-win2])# ... 

For Upgrades from Before 5.0.1

This section only applies to installations that upgrade from Release 5.0.0 or earlier.

Once you have installed the software, you must make the following required configuration change(s).

Unicode Upgrade

This section is for administrators who need to upgrade from releases prior to 5.0.0. The 5.0.0 Release includes a new Unicode library that may have an effect on client files and/or directories. The new version of Unicode adds 168 lower-case versions of characters that were uppercase-only in the previous version. The characters derive from the following languages:

  • Native-American languages from modern-day Canada, including SENĆOŦEN.
  • Greek symbols for editorial markings.
  • Cyrillic letters that may not be current.
  • Georgian letters from an ancient ecclesiastical alphabet.
  • Glagolitic letters; Glagolitic is a historical Slavic alphabet.
  • Coptic letters, used by the original Christians in Egypt.

After the upgrade to Release 5.0.0, clients cannot open any files or directories with any of these rare characters in their names. This problem should be very rare. The symptoms are different for files than they are for directories, as explained below. If you see these symptoms on any of your files or directories, escalate the problem to F5 Support.

Files

If a Windows client attempts to open a file with one of these characters in its name, an error similar to this appears in Windows Explorer:

Cannot find the \\VIP\unicode/dir1/file%c8%ba.txt
Directories

Windows Explorer returns the following error if it attempts to open a directory with one of these characters in its name:

Refers to location that is unavailable

For Upgrades from Before 5.0.0

This section only applies to installations that upgrade from Release 4.1.1 or earlier.

Release 5.0.0 introduced two new maintenance features for shadow-copy rules. If your site uses shadow-copy rules, F5 recommends that you use these features after the upgrade to 5.0.0.

  • Moving the Shadow-Copy Database to the Metadata Share
    You can now place a rule's shadow-copy database on the target volume's metadata share. In previous releases, the shadow-copy database resided on the same back-end filers that held the target volume's copied files. As the set of copied files expanded, it became possible to run out of space on the target filer(s), thereby possibly corrupting the database. The shadow volume's metadata does not grow as fast as its user data, and there are SNMP traps to alert you of free-space issues on that share, so the metadata share is typically a better candidate for this database. From the CLI, you can go to gbl-ns-vol-shdwcp mode and use the database-location metadata-share command to move the shadow-volume database the next time the rule runs.
    This is only necessary for a shadow-copy rule from before the 5.0.0 upgrade. The next time the rule runs, it migrates the database to the metadata share.
  • Shadow Copying Names that Match the CIFS "8.3" Pattern
    This option only applies to an ARX volume that supports CIFS. CIFS-supporting filers typically create an alternate name for any file or directory whose name is longer than eight characters, or whose extension is longer than three characters. The alternate name matches the old-style "8.3" pattern, with up to eight characters that are optionally followed by a "." and up to three more characters. Typically, filers include a tilde (~) in this alternate name. If a real name on the source volume matches one of these alternate names in the shadow volume, the shadow-copy rule refuses to copy the file by default. This is a rare circumstance, but it is possible in any CIFS volume.
    You can change this with a new feature in 5.0.0. From the CLI, you can go to gbl-ns-vol-shdwcp mode and use the cifs-8dot3-resolution command to make the copy possible without overwriting the file with the alternate name.

Refer to the CLI Reference Guide for details on both of these commands.

NOTE: These are not strictly-required configuration changes, but F5 strongly recommends them for customers that use shadow-copy rules on the ARX.

[ Top ]

Known Issues

The following items are known issues in the current release.

The ARX4000 Data Plane (NSM side) cannot recover from a power failure until the Control Plane (ASM and SCM side) reboots. (29444)
If the Data Plane (the lower half of the chassis with the network ports) loses power independently of the Control Plane, the Data Plane cannot recover by itself. If both halves of the chassis lose power at the same time (a more-likely event), both halves reboot normally.

Best Practice: The Data Plane and Control Plane each have two power supplies. Connect one power supply from each Plane to one power source, and the other power supply from each Plane to an alternate power source.

Recovery: Stop and restart power on the Control Plane (the upper half of the ARX). This causes both modules to power up in the proper sequence.

The 'login-banner ... configs msg-file' operation does not persist after a reboot. (37006)
You can use the login-banner post-auth configs msg-file command (or its GUI equivalent) to create a login message from the named file. If the ARX reboots, this login message no longer appears when administrators log in.

Workaround: Enter the message text at the command line or directly into the GUI. Do not use a text file for this input.

File History Query Requires either File or Path name. (34523)
If you are on the File History Query page, and you leave the Path and File fields empty, and then press Query, it won't work and no error returns.

Workaround: Enter a Path or a File name, or both.

In the CLI and in the ARX Manager GUI, the "collect all" target file for nfs on VIP multi-protocol volume fails. (34695)
In a multi-protocol environment, if you specify an nfs target for the "collect all" command or the "copy" command, the target file will not be created.

Workaround: In a multi-protocol environment, specify a cifs target for the "collect all" command or the "copy" command. The target file will then be created.

The copy namespace command does not work on direct (presentation) mapped volumes. (34692 )
The interface that copy namespace uses to copy to cifs file servers does not support direct (presentation) mapped volumes.

Workaround: None.

On the ARX 4000, CoreCollector code has been change and may display old cores that were never collected and reported. (34722)
The new CoreCollector code now correctly reports all cores from the current release and previous releases. It may find cores that were never collected and reported.

Workaround: Take the time to notate the creation date of any new core files reported after upgrade, prior to contacting F5 Customer Support.

Workaround: If you're going to change the contents to include volume-config and metadata for a snapshot rule that already has managed snapshots, then remove the existing managed snapshots before adding the new contents.

When using "copy to a namespace" from a backup (peer) switch an incorrect error message displays. (34817)
The message you see is:% ERROR: CIFS_CONNECT_BADPATH_COPY_NAMESPACE (40960205): Unable to create file 'procdat' in volume '/max1-VOL1' in namespace 'max1'. Reason:Unable to establish a network connection.

Workaround: None. Copying to a namespace from a backup switch is not supported.

The GUI process uses 100% of CPU 1.1 on an ARX with thousands of reports. (31068)

The no monitor module CLI command does not completely disengage its network ports from their port-mirroring roles. (30435)
After you stop port mirroring from one network port to another, the ports retain some of their internal "mirroring" state. This prevents you from performing valid actions on the ports, such as adding them to a channel.

Workaround: Reboot the ARX after you use the no monitor module CLI command. You can use the priv-exec reload command to reboot the ARX from the CLI.

UTF-8 Chinese characters are truncated in namespace name. (30941)
If a user enters Chinese characters that exceed the GUI's limit for any input field, the GUI will not issue an error message but instead simply truncates the input.

The GUI input fields limit input based on characters and not bytes. When entering multi-byte characters, the input may be truncated if the total number of bytes representing the characters exceed the internal byte limit.

The CLI "show clock" output does not always show the correct time after a time-zone change. (24526)
You can use the clock timezone CLI command to set the time zone of the ARX. On rare occasions, the output from the show clock command does not show the correct time after this change. For example:

ARXa500# clock set 14:43:00 01/11/2007
ARXa500# show clock
        Local time:  Thu Jan 11 14:43:02 2007 EST -0500 America New_York
    Universal time:  Thu Jan 11 19:43:02 2007 UTC
ARXa500# config
ARXa500(cfg)# clock timezone America Denver
ARXa500(cfg)# show clock

        Local time:  Thu Jan 11 14:43:13 2007 EST -0500 America Denver
    Universal time:  Thu Jan 11 19:43:13 2007 UTC

The time does not conform to the new time zone, though the correct new time zone (America Denver) does appear in the output.

Workaround: Log out of the CLI and log back in.

During the hour of transition from daylight-savings time to standard time, the clock set CLI command incorrectly interprets times in some time zones. (24709)
Times are ambiguous in the hour when daylight-savings time reverts to standard time, once per year. Suppose the transition occurs at 3 AM on the day of the daylight-savings change: time passes from 3 to 4 AM in daylight-savings time, then the clock goes back to 3 AM for standard time, and then time passes from 3 to 4 AM again. In some time zones, if you reset the clock to a time between 3 and 4 AM, the clock set command may not interpret your time correctly. If this occurs, the ARX assumes that the transition to standard time has already occurred.

This only occurs in time zones that are East of the Prime Meridian, with positive offsets from UTC.

Workaround: Avoid the clock set command during the day and hour of transition.

The CLI displays unintended errors if you interrupt the copy CLI command (with <Ctrl-C>) during the file transfer. (32531)
The CLI copy command prints the following messages while it transfers a large file to or from the ARX:

% INFO: Transferred nnn of total megabytes; still copying . . .

If you press <Ctrl-C> while the CLI is printing these messages, some internal processes continue after the overall copy process halts. After 20-30 seconds, the CLI displays the following errors from those sub-processes:

gunzip: stdin: unexpected end of file
acrypt: Error, uncompress failed(256).

No output appears for the show statistics namespace fastpath CLI command. (34834)
This CLI command is designed to print statistics for every namespace on the ARX. It only prints statistics for specific namespaces. The CLI Maintenance Guide and the CLI Reference Guide incorrectly document the full, intended output for the command.

An ARX4000 does not support jumbo frames with 4.1.0 software and older firmware. (32103)
On an ARX4000 that is running 4.1.0 or later software with an earlier version of firmware, NSM cores fail if they are configured for jumbo frames. (You can enable or disable jumbo frames with the [no] jumbo mtu CLI command.)

Workaround: A workaround is only necessary if you upgrade an ARX4000 from Release 4.0.0 or earlier. In this case, upgrade the ARX4000 with the latest firmware as part of the installation process. For installation instructions, including the method for upgrading firmware, refer to the Upgrading Software chapter in the CLI Maintenance Guide.

The ARX cannot send E-mail messages through the out-of-band (OOB) management interface. NTP, DNS, RADIUS, and snapshot-management services (SSH and RSH) are also unsupported through the OOB interface. (24595)
All e-mail notifications from the ARX go out through an in-band (VLAN) management interface, configured with the interface vlan CLI command. At least one in-band-management interface must have a route to the E-mail server for E-mail notifications to function. The same applies to NTP, DNS, and RADIUS services, as well as SSH and RSH for managing filer snapshots.

Workaround: Use the cfg-mode ip route command (without the mgmt flag) to add a static IP route to the E-mail server(s), NTP server(s), DNS server(s), and/or RADIUS servers. All filers and file servers must have a route to be useable by the ARX at all, so this is less likely to be an issue for SSH and RSH.

Spurious errors appear in the syslog after an NSM failover. (25782)
NSM processors have redundant peers, even in an ARX that is not configured for overall redundancy. If an NSM processor fails, its peer processes packets for both. If nsm recovery is enabled, the failed processor comes back online and waits to take over for the running processor. The failed processor may repeatedly put the following message in the syslog:

 NAT rule TCP/ip-address:port for remote action ip-address-2:port-2 type 3 not found.

This syslog message is spurious.

Under very rare circumstances, the ARX may block administrative logins after a reboot. (32537)
An ARX in the F5-Development laboratory did not allow administrative logins after a reboot. Logins to the serial-Console port always timed out after entering the administrative password, and logins to the Out-of-Band Management port (typically labelled "MGMT") were rejected with this error message:

ssh_exchange_identification: Connection closed by remote host

F5 Development has been unable to reproduce this problem, despite hundreds of reboots. We note it here until the problem is proven to be unreproducible at any customer site.

Recovery: Power cycle the ARX.

The uninstall of the ARX Secure Agent may fail to reboot the DC. (35754)
The uninstall of the Secure Agent must reboot the host machine (typically a DC) to finish. The uninstall process has failed to reboot the host DC on some occasions, but the failure is rare.

Recovery: Manually reboot the DC if the uninstall process fails to reboot it automatically.

The show statistics cifs-auth command has incomplete statistics for unsupported protocols. (36608)
If a client attempts to authenticate with an unsupported CIFS protocol, the resulting failure is not counted in the main output of show statistics cifs-auth. The top two tables of that output show "n/a" for any protocol (Kerberos, NTLM, or NTLMv2) that is unsupported by the ARX service. The Kerberos Failure Reason Table at the bottom of the output counts these failures as "AUTH_PROT_NOT_ENAB".

The show exports command requires an external-filer object to examine a Windows cluster. (36728)
The CLI show exports command is designed to examine the shares on a filer or server before you define the server in the ARX database. However, the ARX requires a Service-Principal Name (SPN) to examine a Windows 2008 cluster, and the show exports command does not support an SPN option.

Workaround: Define an external-filer object for the cluster, set the correct spn in the external-filer object, and then use that external-filer object in the show exports command. The CLI Storage Guide provides detailed instructions on creating an external filer, setting its SPN, and using it in the show exports command.

The ARX erroneously allows you to assign the same secondary-IP address to multiple file-server configurations. (33211)
Two different file-servers (called "filers" in the CLI) cannot use the same IP address, but the ARX permits this mis-configuration.

You must separately export a CIFS managed volume if you use it as a "managed volume" in a CIFS presentation volume. (21231, 24359)
If a CIFS-managed volume is used as a managed volume in a CIFS-presentation volume, its CIFS front-end service must export the managed volume separately. This is in addition to the export for the presentation (or direct) volume. (The same CIFS service must export both volumes.)

An ARX takes a long time to restore attach points to service after a failover. (34512)
A background process configures all attach points (in presentation, or direct, volumes) after a failover. In a system with a large number of attach points, this can require several minutes. If another failover occurs before the process is finished, that failover may require nearly one hour to complete.

Workaround: Whenever a failover occurs on a system with many attach points, wait at least 30 minutes before invoking another failover. This is important for a software-upgrade scenario, which involves two or more failovers.

A client IP address remains in the output of show nfs-service mounts after the client unmounts. (24478)
The output of the show nfs-service mounts command is a table of NFS mounts from client machines. For each currently-active client mount, the table displays the Global Server, the mount point, the VIP, and the client IP address.

When the client is unmounted, there may be a slight lag in the update of table information, and a repeat of the show nfs-service mounts command may show the client still mounted.

Workaround: Retry the show nfs-service mounts command.

The active-directory alias operation fails for an ARX VIP unless the VIP's CIFS service has joined the "COMPUTERS" OU. (37048)
You use the active-directory alias command (or its GUI equivalent) to establish a service-principal name (SPN) for an ARX VIP. This operation fails unless the CIFS service for the VIP joined the "COMPUTERS" OU. From the CLI, the domain join command in gbl-cifs mode joins a CIFS service to a domain. By default, this operation joins the "COMPUTERS" OU at the domain's root.

Workaround: When you enter the domain-join command or its GUI equivalent, use only the default OU.

Snapshot rule spuriously reports that it failed when it gets a minor communication error. (32814)
A snapshot rule pauses a volume's policy migrations while it runs. When the rule completes its filer snapshots, it tells the policy engine to resume its standard migrations. The snapshot rule erroneously reports that it failed if the policy engine fails to respond to this "resume" request. The failure appears in the snapshot report, along with the following message at the bottom of the report:

Unable to notify policy engine to resume any active migrations.

The policyRuleRunSuspend trap does not indicate the cause of the policy suspension. (32756)
An ARX rule may be suspended manually, through a CLI or GUI instruction, or because its schedule has a limited duration that has expired. The trap does not currently indicate whether the suspension is manual or scheduled.

A shadow-copy rule runs indefinitely (instead of terminating immediately) when the RON connection to the target share fails. (32110)
A shadow-copy rule should fail as soon as the RON connection to the target filer fails. Instead, it continues indefinitely, waiting for the RON connection to return.

A Windows 7 client cannot see any ARX snapshots in the "Previous Versions" tab. (37195)
 

NSCK reports do not identify "marked" multi-protocol directories where you should run a sync files operation. (23891)
Some multi-protocol (NFS and CIFS) directories are "marked" for special processing. These directories contain files and/or subdirectories one of these naming issues:

  • the name resembles a Filer-Generated Name (FGN, such as "myfile~1.txt"), or
  • the name produces an FGN on its back-end filers (such as "my:file.txt," or "MYFILE" in the same directory as "myfile").

If a directory is marked with one of these naming issues, the volume performs extra processing whenever a client tries to introduce an entry with the other naming issue. Depending on the outcome of the processing, the new client entry could become NFS-only (inaccessible to CIFS clients). Refer to the CLI Maintenance Guide for details.

Clients can resolve these issues by accessing the volume through its VIP and renaming the directory's entries. However, the directory mark persists after all of its child entries have been correctly renamed; you use the sync files CLI command to remove the mark.

The issue is that there are no reports that identify a directory as "marked" after its entries have been correctly renamed.

Workaround: Use sync files to clear the directory mark immediately after renaming its entries.

Contacting F5 Networks

  F5 Online Knowledge Base: http://support.f5.com/
F5 Services Support Online: http://www.f5.com/training-support/customer-support/
F5 Online-Request Form: https://login.f5.com/resource/login.jsp
Email: support@f5.com
Telephone: http://www.f5.com/training-support/customer-support/contact/

For additional information, please visit http://www.f5.com.


Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)