Release Notes : BIG-IP PEM 12.0.0

Applies To:

Show Versions Show Versions

BIG-IP PEM

  • 12.0.0
Release Notes
Original Publication Date: 05/27/2016 Updated Date: 04/18/2019

Summary:

This release note documents the version 12.0.0 release of BIG-IP Policy Enforcement Manager (PEM).

Contents:

Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 12250v D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1) D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade (for evaluation only) A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade (for evaluation only) A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • PEM supported platforms
    • VIPRION B2100, B2150, B2250, B4300, B4340N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory.

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE guests provisioned with less than 8 GB and more than 4 GB of memory.

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP Compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE12.0.0 Documentation page.

Fixes in 12.0.0

ID number Description
478399 A validation has been added to prevent the radius profile radiusLB-subscriber-awre from being mistakenly configured to the LTM virtual, when the BIG-IP system is not licensed to PEM.
465019 To ensure traffic is not blocked until quota bucket has been provisioned, make sure Gy session is created with RADIUS or send traffic initially that does not have any quota management needs.

Fixes in 11.6.0

ID number Description
404047 The BIG-IP system comes with a publisher called local-db-publisher. This publisher can now be used as an HSL endpoint for reporting.
406311 The client will not see any resets, when the gate status disabled action is enforced while using profile FastL4, after waiting for two or more flows for the connection.
406349 If the dynamic_spm_bwc_policy is not created, dynamic PCC rules are not applied. To work around this issue, ensure that the dynamic_spm_bwc_policy is configured with proper parameters prior to getting dynamic PCC rules from the PCRF.
409201 Currently, PEM does not support policy reevaluation for profile change in the middle of a flow.
454498 If you want to support broadcasting DHCP traffic, then the DHCP virtual has to be configured in relay mode rather than the forwarding mode.

Fixes in 11.5.1

ID number Description
432950 The BIG-IP GUI and QoS model uses uplink, downlink, total terminology which corresponds to input, output and total terms respectively, defined by RFC 4006.

New in 12.0.0

Extending support for RADIUS, DHCP and Gx AVPs

This release provides support for the capabilities in PEM to address enhancements of the subscriber discovery process, in order to obtain extended metadata belonging to subscriber identity and characteristics. It also provides the flexibility to pick AVPs as desired. Subscriber information is extracted from RADIUS, DHCP, and Gx messages, which in turn provides additional options for subscriber identification, policing, and reporting.

PEM Routing Domain Support

PEM provides the capability to handle overlapping IPs that are obtained from the RADIUS. The route domain for the RADIUS traffic is used for the incoming data traffic. This feature also supports the case where the RADIUS traffic is on a different route domain as the data traffic.

Detection of Mobile Device Type and OS

This feature includes further insight on the type of device and operating system (for example, IOS, Windows, and Android) that can be used to create service plans. This includes user agent, Type Allocation Code (TAC), which is the initial 8 digit part of the 15 digit IMEI to identify devices. It also includes other information like user agent, and TCP layer metrics that the can be used to determine if the subscriber may be tethering.

Gather and report on user-experience (QoE) as well as video usage characteristics

This feature provides support to specify policies based on video rate and offers insight into how much video for a subscriber is SD versus HD. This enables tailored plans or allows usage for network planning and business intelligence gathering purposes.

Add support for content insertion to enable in-browser notifications and ad-insertion

PEM provides support for service providers to configure insertion of content that includes in-browser notifications, ads, comments or some other content into HTML web-pages based on a PEM policy.

PEM Steering endpoint enhancement for CARP persistence

This feature ensures that CARP persistence is supported with PEM forwarding endpoints for use with service chaining action, when forwarding traffic to a pool. PEM persistence also supports load balancing.

AVR report of PEM subscribers

This feature provides insight on the usage patterns of the subscribers. This information can be used for business intelligence gathering, as well as for creating custom plans for subscribers based on their usage.

UDP proxy behavior enhancement for PEM virtual

UDP proxy behavior on the PEM virtual is enhanced (consistent with the UDP proxying behavior on the standard forwarding virtual), so that infinite loop on UDP packets can be avoided.

SCTP support for DIAMETER

Gx provides support over a secure reliable protocol like SCTP. This feature provides support for DIAMETER interfaces over Gx and Gy.

Tethering

This feature adds the capability to detect that traffic is coming from more than one device and polices, and allows for authorized Tethering. The tethering device acts as a default router for all tethered devices and is the only one that has a public and routable IP address.

PEM performance improvements

PEM provides a switch decision from standard or full proxy to BIG-IP TCP systems based on subscriber information, TCP/IP based classification (srDB), preliminary PEM policy evaluation and actions that are likely to match.

URLCAT support with webroot cloud DB lookup

PEM supports the webroot cloud DB lookup for customers, which requires better URL coverage. In case that URL still cannot be categorized, PEM reports such missing URL.

TCP Rate Pacing Enhancements

You can now limit the pace of the network flow before the first packet drop. This feature does not allow any single flow to be faster than the slowest network segment. Another key benefit of this feature is initiating rate pacing from the beginning of a flow, which leads to minimal packet loss. For example, the service provider can set a maximum flow rate in the TCP profile, under the Congestion Control section. Once a value other than 0 is set, rate pacing starts at the beginning of the flow at the rate set. This minimizes packet drops.

TMOS cMetrics Cache Aging

The congestion metrics, or cMetrics, cache includes information about network characteristics relevant to a specific subscriber, such as congestion window, round-trip time etc. You can change the maximum lifetime of cMetrics data from the default, based on how long your network characteristics are stable. Cache entries will expire after the configured period following their last update by a TCP connection to that subscriber.

TCP Fast Open

This feature minimizes the amount of time needed for the initial TCP handshake on small transmissions. TCP Fast Open is a standard that allows properly configured clients to transmit some of the data in the initial SYN portion of the handshake to open the connection. This standard saves some round trips, which speeds transmission.

TCP Profile Auto-Tuning Nagle

This implements the ability to toggle on and off an Auto setting for Nagle. Doing so leaves the decision of whether or not to use Nagle to the BIG-IP system based on client characteristics it detects.

Supported high availability configuration for Policy Enforcement Manager

Policy Enforcement Manager is supported in an active-standby and active-active configuration with two BIG-IP systems only.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Known issues

ID number Description
397397 When multiple static subscriber information is loaded from a .csv file, the subscriber information is lost if enter or CRLF is not entered at the end of each record line. To workaround this issue, press the Enter key or insert the CRLF character at the end of each row in the .csv file.
398416 In this release, volume threshold is supported. However, time threshold does not qualify for Gx reporting as it is not specified in the standard. To workaround this issue, do not use time threshold.
398922 Only a single instance of the diameter-endpoint profile is supported in this release: the system-supplied default gx-endpoint profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in tmsh.
399119 If a policy rule matched with flow filters drop or redirect the traffic, that traffic will not match other policy rules that use classification filters.
400372 The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and earlier.
400893 The .csv file for uploading static subscribers has multiple lines with Mac end-of-line. To work around this issue, convert the file into WIN file format and upload from the GUI or tmsh. This resolves the issue.
403374 On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported.
410763 If the monitoring key is longer than 1053 characters, an error message is issued. To work around this issue, use monitoring keys fewer than 1053 characters.
417139 Modifying Session state through iRules may cause issues over Gx. To work around this issue, do not modify the session state if session is active.
427429 No statistics are available for troubleshooting with the new "show pem irule" stats command.
428420 Some IP addresses are categorized as unknown on the BIG-IP system, even though they are categorized in the cloud database of webroot.
428456 Usage monitoring count received via CCA does not work. It will be always 0.
435596 The CEC hitless upgrade does not sync files between active-standby setup, using device group. To work around this issue, change standby to active to do CEC hitless upgrade.
438549 If you turn on the SNAT pool or SNAT Automap on IPOther virtual, no traffic passes through in most cases. In some cases, the traffic passes but the out stats (packets and bytes) is zero. To workaround this, do not turn on SNAT pool or SNAT Automap on IPOther virtual that processes IPsec traffic.
453959 The UDP virtual used by PEM treats TTL differently than the standard UDP forwarding virtual. The standard UDP forwarding virtual decrements TTL whereas the UDP virtual reinitializes TTL to 255. In the event that there is a routing loop in the network, which traverses a BIG-IP running PEM, this behavior would prevent TTL from expiring and thus exacerbate the effects of the loop.
461531 The tower column in the Active Sessions table (Policy Enforcement > Subscribers) is displayed incorrectly.
465937 If a virtual server's port is specified as ANY for Gx/Gy(address is 0.0.0.0, MCP validation does not allow us to create it. A virtual-destination has to be unique.
465946 If both DHCP and RADIUS protocol is used to discover subscriber, the subscriber discovery is unpredictable. Both methods cannot be used simultaneously for subscriber discovery.
466162 If the destination address is set to be ::/0 in DHCPv6 relay mode, the multicasting traffic will not hit the DHCPv6 virtual.
466891 If a classification profile is disabled in virtual server settings, the PEM policy Flow Reporting action and PEM policy Header Insert Action are not applied. To work around this issue, enable classification on the Virtual Server settings page.
470890 While adding virtual servers from the listener data plane page, (in the GUI) only the first VLAN in the list is selected. To work around this, select all VLANs from the list, or go to the virtual server page and modify there.
484245 Using the GUI to delete a network firewall rule causes a change to other rules that specify ports. This occurs when using the GUI to delete a firewall rule, and there are other rules that are limited to specific ports. The port changes to 'any' in all network firewall rules that specify ports. For example, any firewall rules that match traffic on port '80' change to match on port 'any' when this issue occurs. Use tmsh, iControl, and BIG-IQ to manage firewall rules. Use port lists instead of specifying ports. These could include lists with a single port.
501896 If a small piece of custom configuration is to be added in PEM GUI, in the existing built-in protocol profile for using it, a new protocol profile has to be manually created from the scratch. To workaround this, use tmsh's cp command: cp _sys_radius_proto_all CUSTOM_RADIUS_PP.
503362 The PEM policy custom filter specifies irules that evaluate to true or false. If the iRule command is asynchronous, the behavior is undefined. To workaround this, please make sure the iRule commands specified in the custom filter are not asynchronous.
507131 If the BIG-IP system is updated with the latest software, then the custom TacDB will be lost. To workaround this, please be sure to save a backup before upgrading the system.
509684 When CCR-U is not initiated by RADIUS Accounting, it does not contain configured custom AVPs.
522934 Some PCRF's require subscription ID in all CCR messages over Gx/Gy for easier session management. To workaround this, set sys db variable tmm.diameter.application.encode.subscriber.id.in.all.ccr to True to see Subscription ID in CCR-u and CCR-T messages as well. By default, it is set to true.
524339 Present design accepts Custom TAC-DB to be defined in specific format and fields. For example, TAC-ID, Make, Model, OS-info needs to be in same order. Change in order results in improper log messages and also affects the DTOS and Tethering functionality.
524350 TMSH command, create ltm tacdb customdb to import the custom TAC-DB through URL method only supports local file location.
525633 Currently if PEM sends CCR-U and PCRF responds with CCA-U (PCRF lost session), PEM ignores and sends CCR-U. PCRF session is lost, that implies reboot or failover and it responds to session update requests with unknown session id. To work around this, delete the session on PEM end (configurable) and also recreate the same session (configurable) so that PCRF can get the context back up. tmm.pem.diameter.application.trigger.delete.onPeerfailure should be set to TRUE if PEM should delete the session based when PCRF complains session ID unknown. tmm.pem.session.ppe.recreate.afterPeerFailure Should be set to true if PEM should recreate the session.
528787 If a session delete is initiated through tmsh or RADIUS when connection is down, the session delete does not seem to be complete. When the connection comes up and RAR is sent immediately with an empty policy, PEM responds with RAA with DIAMETER_SUCCESS code even though session has been deleted.
528238 If a same policy with quota management action is added multiple times to the session through RAR (or CCA-u) then after 32 installs, any flow for the session is reset.
534323 When PEM is configured to support dual stack, one IPv4 and one IPv6 address, and if the interim contains the first IP address along with the new or second IP address of the session then PEM deletes the existing session and creates a new session.
537034 CPU spike seen after during Stress Test.
533734 Packet traces show DHCPv6 packets arriving via IP6 IP4 tunnel, are forwarded to the VIP but the packet is not forwarded to the backend server on VIPRION.
535041 Any virtual server with UDP profile executing iRule using parking command such as table set. The BIG-IP drops all UDP packets received while waiting for iRule execution to be completed. To workaround this, enable datagram-load-balancing in UDP profile associated with the virtual server. It will aggregate flows and process them in parallel, based on the timeout setting.
540227 When a TCP virtual with a Gx profile listens on port 3868 (DIAMETER port#), the virtual picks up packets from the Internet targeting port 3868 since there is no source IP filter. These packets were found to be bogus with no valid DIAMETER content. This led to triggering ASSERTs in the DIAMETER code.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices