Original Publication Date: 04/22/2016
This release note documents the version 11.5.4 release of BIG-IP Policy Enforcement Manager (PEM).
This version of the software is supported on the following platforms:
|Platform name||Platform ID|
|BIG-IP 5000s, 5050s, 5200v, 5250v||C109|
|BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255||D110|
|BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1)||D112|
|BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255||D113|
|VIPRION B2100 Blade (for evaluation only)||A109|
|VIPRION B2150 Blade||A113|
|VIPRION B2250 Blade||A112|
|VIPRION B4200, B4200N Blade (for evaluation only)||A107, A111|
|VIPRION B4300, B4340N Blade||A108, A110|
|VIPRION C2200 Chassis||D114|
|VIPRION C2400 Chassis||F100|
|VIPRION C4400, C4400N Chassis||J100, J101|
|VIPRION C4480, C4480N Chassis||J102, J103|
|VIPRION C4800, C4800N Chassis||S100, S101|
|Virtual Edition (VE)||Z100|
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory.
The following guidelines apply to platforms, and to VE guests provisioned with less than 8 GB and more than 4 GB of memory.
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE guests provisioned with 4 GB or less of memory.
The BIG-IP Configuration Utility supports these browsers and versions:
SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE11.5.4 Documentation page.
|432950||The BIG-IP GUI and QoS model uses uplink, downlink, total terminology which corresponds to input, output and total terms respectively, defined by RFC 4006.|
Policy Enforcement Manager is supported in an active-standby and active-active configuration with two BIG-IP systems only.
Before you begin:
|Install to existing volume, migrate source configuration to destination||tmsh install sys software image [image name] volume [volume name]|
|Install from the browser-based Configuration utility||Use the Software Management screens in a web browser.|
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-188.8.131.526.0.iso volume HD1.3
|398922||Only a single instance of the diameter-endpoint profile is supported in this release, the system-supplied default "gx-endpoint" profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in TMSH. Workaround:|
|399119||If policy matched with flow filters 'drop' or 'redirect' the traffic, that traffic will not match other policy rules, which use classification filters. Workaround:|
|400372||The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and below. Workaround:|
|403374||On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported. Workaround:|
|412036||If a PEM enabled UDP virtual (i.e., a virtual that has SPM profile) was hit by DHCP broadcasting traffic, then SPM will create a subscriber session for address 0.0.0.0 Workaround: "Create a DHCP virtual that has subscriber discovery turned on. The subscriber discovery can be turned on via the DHCPv4 profile that is attached to the virtual. This way any DHCP broadcasting traffic should be handled by this virtual."|
|427844||"Any tunneling traffic such IPSEC, GRE and IPIP cannot be steered by BIG-IP to a different endpoint. This is due the fact of the traffic being encapsulated and targets only the destination endpoint." The tunnel has to be established. Otherwise, we can steer the entire tunnel before it has been established. No impact as we expected this behavior. Workaround:|
|441197||With PEM enabled, non-TCP,UDP or ICMP traffic is not forwarded by a NAT-enabled ipother virtual. "PEM is enabled SNAT is enabled on the ipother virtual" Workaround: Set snat.anyipprotocol to enable.|
|465937||If virtual server's port is specified as ANY for Gx/Gy(address is 0.0.0.0, MCP validation does not allow us to create it. A virtual-destination has to be unique. Workaround:|
|466162||If the destination address is set to be "::/0" in DHCPv6 relay mode, the multicasting traffic will not hit the DHCPv6 virtual. Workaround: Please use "ff02::1:2(IPv6 Default)" as destination address in DHCPv6 relay mode.|
|470890||While adding virtual servers from listener data plane page, in the GUI, only the first VLAN in the list is selected. Workaround: To workaround this, select all VLANs in the list or go to virtual server page and modify it there.|
|478399||If LTM virtual server has the RADIUS profile 'radiusLB-subscriber-awre' configured, the PEM subscriber session will be created, even if the BIG-IP system is not licensed for PEM, which can cause 100% TMM usage due to the overhead of processing RADIUS messages. The RADIUS profile 'radiusLB-subscriber-awre' is configured on the LTM virtual server for non-PEM configurations. 100% TMM usage due to PEM subscriber session being created, even when the BIG-IP system is not licensed for the PEM module. Workaround: The workaround is to avoid the misconfiguration by not associating the RADIUS profile 'radiusLB-subscriber-awre' to LTM virtual servers for non-PEM configurations, such as when there is no PEM license for the BIG-IP system.|
|503362||The PEM policy custom filter specifies iRules that evaluate to true or false. If the iRule command is asynchronous, the behavior is undefined. Workaround: Please make sure the iRule commands specified in the custom filter are not asynchronous.|
|507131||If the BIG-IP is updated with the latest software, then the custom TacDB will be lost. Workaround: To workaround this, please be sure to save a backup before upgrading the system.|
|563262||The "pem classify defer" and "pem classify" policy action logs an error when the application and protocol are not specified. Create an LTM policy which has classification rules for which the application and protocol have not been specified and this policy is attached to a virtual. The configuration processing returns an error which is logged in /var/log/ltm and the erroneous policy is not used. Workaround: Fix the policy by specifying the application/classification and protocol.|
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.