Release Notes : BIG-IP PEM 11.5.4

Applies To:

Show Versions Show Versions

BIG-IP PEM

  • 11.5.4
Release Notes
Original Publication Date: 04/22/2016 Updated Date: 04/18/2019

Summary:

This release note documents the version 11.5.4 release of BIG-IP Policy Enforcement Manager (PEM).

Contents:

Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1) D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade (for evaluation only) A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade (for evaluation only) A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • PEM supported platforms
    • VIPRION B2100, B2150, B2250, B4300, B4340N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory.

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE guests provisioned with less than 8 GB and more than 4 GB of memory.

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE11.5.4 Documentation page.

Fixes in 11.5.4

There are no known fixes in this release.

Fixes in 11.5.3

There are no known fixes in this release.

Fixes in 11.5.2

There are no known fixes in this release.

Fixes in 11.5.1

ID number Description
432950 The BIG-IP GUI and QoS model uses uplink, downlink, total terminology which corresponds to input, output and total terms respectively, defined by RFC 4006.

New in 11.5.4

There are no new features specific to Policy Enforcement Manager.

New in 11.5.3

There are no new features specific to Policy Enforcement Manager.

New in 11.5.2

There are no new features specific to Policy Enforcement Manager.

New in 11.5.1

There are no new features specific to Policy Enforcement Manager.

Supported high availability configuration for Policy Enforcement Manager

Policy Enforcement Manager is supported in an active-standby and active-active configuration with two BIG-IP systems only.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in the following guides, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in the following guides, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.
After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Known issues

ID number Description
398922 Only a single instance of the diameter-endpoint profile is supported in this release, the system-supplied default "gx-endpoint" profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in TMSH. Workaround:
399119 If policy matched with flow filters 'drop' or 'redirect' the traffic, that traffic will not match other policy rules, which use classification filters. Workaround:
400372 The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and below. Workaround:
403374 On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported. Workaround:
412036 If a PEM enabled UDP virtual (i.e., a virtual that has SPM profile) was hit by DHCP broadcasting traffic, then SPM will create a subscriber session for address 0.0.0.0 Workaround: "Create a DHCP virtual that has subscriber discovery turned on. The subscriber discovery can be turned on via the DHCPv4 profile that is attached to the virtual. This way any DHCP broadcasting traffic should be handled by this virtual."
427844 "Any tunneling traffic such IPSEC, GRE and IPIP cannot be steered by BIG-IP to a different endpoint. This is due the fact of the traffic being encapsulated and targets only the destination endpoint." The tunnel has to be established. Otherwise, we can steer the entire tunnel before it has been established. No impact as we expected this behavior. Workaround:
441197 With PEM enabled, non-TCP,UDP or ICMP traffic is not forwarded by a NAT-enabled ipother virtual. "PEM is enabled SNAT is enabled on the ipother virtual" Workaround: Set snat.anyipprotocol to enable.
465937 If virtual server's port is specified as ANY for Gx/Gy(address is 0.0.0.0, MCP validation does not allow us to create it. A virtual-destination has to be unique. Workaround:
466162 If the destination address is set to be "::/0" in DHCPv6 relay mode, the multicasting traffic will not hit the DHCPv6 virtual. Workaround: Please use "ff02::1:2(IPv6 Default)" as destination address in DHCPv6 relay mode.
470890 While adding virtual servers from listener data plane page, in the GUI, only the first VLAN in the list is selected. Workaround: To workaround this, select all VLANs in the list or go to virtual server page and modify it there.
478399 If LTM virtual server has the RADIUS profile 'radiusLB-subscriber-awre' configured, the PEM subscriber session will be created, even if the BIG-IP system is not licensed for PEM, which can cause 100% TMM usage due to the overhead of processing RADIUS messages. The RADIUS profile 'radiusLB-subscriber-awre' is configured on the LTM virtual server for non-PEM configurations. 100% TMM usage due to PEM subscriber session being created, even when the BIG-IP system is not licensed for the PEM module. Workaround: The workaround is to avoid the misconfiguration by not associating the RADIUS profile 'radiusLB-subscriber-awre' to LTM virtual servers for non-PEM configurations, such as when there is no PEM license for the BIG-IP system.
503362 The PEM policy custom filter specifies iRules that evaluate to true or false. If the iRule command is asynchronous, the behavior is undefined. Workaround: Please make sure the iRule commands specified in the custom filter are not asynchronous.
507131 If the BIG-IP is updated with the latest software, then the custom TacDB will be lost. Workaround: To workaround this, please be sure to save a backup before upgrading the system.
563262 The "pem classify defer" and "pem classify" policy action logs an error when the application and protocol are not specified. Create an LTM policy which has classification rules for which the application and protocol have not been specified and this policy is attached to a virtual. The configuration processing returns an error which is logged in /var/log/ltm and the erroneous policy is not used. Workaround: Fix the policy by specifying the application/classification and protocol.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices