Applies To:

Show Versions Show Versions

Release Note: BIG-IP PEM 11.4.0
Release Note

Original Publication Date: 05/21/2014

Summary:

This release note documents the version 11.4.0 release of BIG-IP Policy Enforcement Manager (PEM).

Contents:

- Supported platforms
- Configuration utility browser support
- User documentation for this release
- New in 11.4.0
- Supported high availability configuration for Policy Enforcement Manager
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Fixes in 11.4.0
- Known issues
- Contacting F5 Networks
- Legal notices

Supported platforms

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, BIG-IP 5200v C109
BIG-IP 7000s, BIG-IP 7200v D110
BIG-IP 10000s, BIG-IP 10200v D113
VIPRION B2100 Blade A109
VIPRION C2400 Chassis F100
VIPRION B4100 Blade A100, A105
VIPRION B4200 Blade A107, A111
VIPRION B4300 Blade A108
VIPRION B4340N Blade A110
VIPRION 4400 Chassis J100, J101
VIPRION 4480 Chassis J102, J103
VIPRION 4800 Chassis S100, S101

These platforms support various combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory on the platform or provisioned guest. For vCMP support and for Policy Enforcement Module (PEM) and Carrier-Grade NAT (CGNAT), the following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
  • PEM and CGNAT supported platforms
    • VIPRION B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition)
    • PEM and CGNAT may be provisioned on the VIPRION B4200 but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.

Memory: 12 GB or more

All module combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Note that GTM and LC do not count toward the module-combination limit.
  • New in 11.4.0, Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x and 9.x
  • Mozilla Firefox 15.0.x
  • Google Chrome 21.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE11.4.0 Documentation page.

New in 11.4.0

Debuggability and Troubleshooting

The Debuggability feature provides access to the BIG-IP system and subscriber statistics. The internal PEM information can be subscriber ID, sessions, and policies information. The statistical data provides more granular information, such as traffic statistics and number of flows. PEM supports both static and dynamic subscribers. For static subscribers, PEM conducts search only by subscriber ID, and not IP address. For dynamic subscribers, policy information is either a predefined PCC rule or dynamic PCC rule and the global policies are also applied to any type of subscriber.

Allow Policy Change

When a subscriber session policy is modified, the changes will be applied to the existing flows, as well to the new flows.

Direction Awareness

The Direction Awareness feature adds to the awareness of traffic direction (by Policy Enforcement Manager) about the level of certain policy actions of the QoS group. This feature uses the subscriber-network paradigm and downlink (from network to subscriber) as well as uplink (from subscriber to network) traffic direction, which involves mapping physical and virtual interfaces based on their connection to either a subscriber or network side.

CPM and PEM Integration

The Centralized Policy Matching (CPM) and Policy Enforcement Manager (PEM) integration features enables additional and internal classification engines to co-exist in a manner that gives PEM more classification abilities. This integration enables classification of HTTP-based traffic.

Session Inactivity Timer

The Session Inactivity Timer provides information about how long the session may stay idle, without any subscriber or network traffic encountered, after which the session is terminated. The transition timer is configurable through tmsh as sys db variables. The duration of time a session can stay in the idle state is controlled by the session inactivity timeout. The session inactivity timer can be configured either globally or per session.

Non-TCP and UDP Traffic

When configuring with TCP and UDP protocol, the BIG-IP system creates a new virtual server and adds it to the configuration. This new virtual sever enables forwarding of non-UDP and non-TCP traffic (only forwards traffic), and cannot be classified.

BIG-IP and TCP support

PEM supports fast L4 virtual server and all PEM actions are supported.

iControl

The 11.4.0 release now has iControl support with PEM.

IPv6

Since 11.3.0, there is IPv6 support.

Supported high availability configuration for Policy Enforcement Manager

Policy Enforcement Manager (PEM) is supported in an active-standby configuration with two BIG-IP systems only.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Fixes in 11.4.0

ID number Description
397157 Added Service Chain options configuration to Policy Enforcement > Forwarding > Service Chains screen in PEM.
398666 Added lsn-pool property to Forwarding Endpoint screen in PEM.
400065

New Classification Protocol Bundle provided with this version correctly classifies the active FTP over IPv6 data channel.

400799 The DIAMETER::state command is now implemented for the diameter-endpoint profile and any profiles derived from it (such as the gx-endpoint profile).
402868 Now the PEM susbscriber import feature properly imports files which include white space in the file's name.
400385 IPv6 RADIUS virtual servers no longer become unavailable when modified to use an IPv4 address.
404107 Now without restarting tmm when the Gx server IP is changed, the changes take effect and BIG-IP connects to the new PCRF.

Known issues

ID number Description
397397 When multiple static subscriber information is loaded from a .csv file, the subscriber information is lost if enter or CRLF is not entered at the end of each record line. To workaround this issue, press the Enter key or insert the CRLF character at the end of each row in the .csv file.
398416 If Gx reporting is selected for a rule, the BIG-IP system does not process the thresholds specified. It is expected that PCRF over Gx interface specifies the thresholds for each subscriber. Even though the option exists to specify the threshold for Gx reporting, it will be ignored.
398922 Only a single instance of the diameter-endpoint profile is supported in this release: the system-supplied default gx-endpoint profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in tmsh.
399119 If a policy matched with flow filters drop or redirect the traffic, that traffic will not match other policy rules that use classification filters.
400370 The Gmail webmail traffic is identified as a standard Gmail application, even when the Gmail basic HTML view is opened.
400372 The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and earlier.
400893 The .csv file for uploading static subscribers has multiple lines with Mac end of line. To work around this issue, convert the file into WIN file format and upload from the GUI or tmsh. This resolves the issue.
401739 Creation of a large number (>10000) of custom categories or applications could lead to memory exhaustion and possibly crash the BIG-IP system.
403154 When updating Qosmos signatures,/classification_base.conf needs to be manually updated from the tmsh.
403374 On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported.
404047 The BIG-IP system comes with a publisher called local-db-publisher. This publisher cannot be used as hsl endpoint, as reporting will not work.
404107 A virtual server using the gx-endpoint profile will not disconnect from a pool member that is removed from the pool unless the service-down-action of the pool is set to either drop or reset. To work around this issue, configure the pool associated with the gx-endpoint virtual to have a service-down-action of either drop or reset.
404594 All the intermediate flows of the w-steering action will have the same BWC action when non-referential BWC policy is applied. To workaround this issue, modify the db var tmm.pem.srdb.entry.step to 240 (max).
406311 If gate status disabled action is enforced while using profile FastL4, the client will see unwanted connection resets. To workaround this issue, set the srDB using the db var tmm.pem.srdb.entry.step to 240.
406349 If the dynamic_spm_bwc_policy is not created, dynamic PCC rules are not applied. To workaround this issue, ensure that the dynamic_spm_bwc_policy is configured with proper parameters prior to getting dynamic PCC rules from the PCRF.
408153 For diameter messages (CCR and RAA messages) generated by the BIG-IP system, the P bit (proxy-able) is not set.
409201 If you change the SPM (PEM) profile of a virtual during a certain flow, the flow will not get policy reevaluation. Instead, only new flows will be using the new policies that are attached to the profile.
410763 If the monitoring key is longer than 1053 characters, an error message is issued. To workaround this issue, use monitoring keys lesser than 1053 characters.
419729 If an appliance in a config sync group did not update, the appliance where the change was made may be in changes pending CMI state.
420504 The Configuration Utility becomes unresponsive when the search function on the subscriber list page in the GUI is used, due to a large number of static subscribers in the BIG-IP system. In addition, attempts to navigate from the PEM policy list page to the subscribers list page using the subscriber count hyperlink has the same consequence, since the navigation applies a search. To work around this issue, restart the Configuration Utility and this can be done by performing a bigstart restart tomcat on the tmsh.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)