Applies To:

Show Versions Show Versions

Release Note: BIG-IP GTM and BIG-IP Link Controller 11.2.1
Release Note

Original Publication Date: 08/30/2013

Summary:

This release note documents the version 11.2.1 release of BIG-IP Global Traffic Manager and BIG-IP Link Controller.

Contents:

- Supported hardware
- Configuration utility browser support
- User documentation for this release
- New in 11.2.1
- New in 11.2.0
- New in 11.1.0
- New in 11.0.0
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Upgrading from earlier versions
- Fixes in 11.2.1
- Fixes in 11.2.0
- Fixes in 11.1.0
- Fixes in 11.0.0
- Behavior changes in 11.2.1
- Behavior changes in 11.2.0
- Known issues
- Contacting F5 Networks
- Legal notices

Supported hardware

You can apply the software upgrade to systems running software versions 10.x or 11.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x and 9.x
  • Mozilla Firefox 15.0.x and 9.0.x
  • Google Chrome 21.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP GTM 11.2.1 Documentation page.

New in 11.2.1

There are no new features specific to Global Traffic Manager/Link Controller.

New in 11.2.0

Google Chrome support

This release provides full support for current releases of the Google Chrome browser.

DNS cache

In this release, you can configure a cache on the BIG-IP system to cache DNS responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache.

New in 11.1.0

New in 11.1.0

There are no new features specific to Global Traffic Manager/Link Controller.

New in 11.0.0

DNS Express

You can now configure DNS Express on BIG-IP Global Traffic Manager (GTM) to mitigate distributed denial-of-service attacks (DDoS) and improve performance of both the local BIND server on the BIG-IP system and any back-end DNS servers.

GTM on VIPRION

This release provides support for BIG-IP GTM on the VIPRION platforms.

Virtual Edition

BIG-IP GTM is now available as a Virtual Edition (VE).

IP Anycast

This release provides support for IP Anycast for DNS services on BIG-IP GTM. This configuration helps mitigate distributed denial-of-service attacks (DDoS), reduce DNS latency, improve the scalability of your network, and assist with global traffic management.

Device-specific Probing and Statistics Collection

With this release, you can configure BIG-IP Global Traffic Manager (GTM) to perform intelligent probing of your network resources to determine whether the resources are up or down. This allows you to specify which BIG-IP systems probe specific servers for health and performance data.

Life Span of Default System Certificates Extended

This release provides default system certificates with a ten year initial life span on BIG-IP GTM.

GTM Monitor Supports Route Domains

You can now deploy BIG-IP GTM on a network where BIG-IP Local Traffic Manager (LTM) systems are configured with route domains.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP System: Upgrading Active-Standby Systems and BIG-IP System: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.0.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running WAN Optimization Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP System: Upgrading Active-Standby Systems and BIG-IP System: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.
  5. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active/Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running. Software version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: BIG-IP software and platform support matrix.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.x or 11.x

When you upgrade from version 10.x or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.x software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Fixes in 11.2.1

ID Number Description
ID 387799 GTM pools using the ratio load balancing method with mixed IPv4 and IPv6 pool members now properly respect their member's ratios when generating responses to mixed A/AAAA queries

Fixes in 11.2.0

ID Number Description
ID 368721 An error that occurred during a config-sync has been corrected , specifically by synchronizing the GTM directory /var/named/config only, instead of /var/named.
ID 370962 The GTM search filter in the GUI now works correctly for Wide IPs and Servers.
ID 377453 DNS Express successful zone transfer statistics no longer continue to increment on failed transfers.
ID 377682 DNS Express zone transfer failures no longer cause the zxfrd.bin database file to indefinitely grow in size, or the zxfrd process to increase in memory.
ID 378182 TMM no longer leaks memory when GTM attempts to rewrite DNS responses.
ID 380814 A memory leak related to DNS Express zone transfers in the zxfrd process has been corrected.
ID 380767 The dnssec-on-miss flag makes the transparent cache always ask for DNSSEC (DO bit) when forwarding the query after a miss. All subsequent queries, w/ or w/o the DO bit will get the correct DNSSEC records. Note, the initial response will always contain DNSSEC data. The default of dnssec-on-miss is yes.
ID 381543 LTM is now provisioned as NOMINAL in an LTM/GTM combo when using DNS services such as DNS Express.
ID 383415 A defect which could cause some top-level zones to fail to load into DNS Express with large configurations has been corrected.
ID 384853 TMM no longer restarts with a SIGSEGV and the following log message while processing certain DNS Express traffic: xbuf_dma: Assertion 'valid magic' failed

Fixes in 11.1.0

Bug Description
ID 355937 This release fixes validation for pool members. They will now reference the pool member (rather than incorrectly referencing the backing VS).
ID 361548 After the first install on a cluster, an rndc reload may be necessary. This fix allows that to happen.
ID 364437 Link Controller GUI: removed the erroneous table columns from wideip member stats and wideip details stats tables.
ID 364918 Syncing configuration changes from a Link Controller to a Global Traffic Manager in the same sync group no longer causes the monitors to fail to load on the GTM.
ID 365582 A GTM iRule that refers to a pool without specifying the full path (e.g., [pool pool1]) will now work correctly when that pool is found in multiple folders. Correct behavior is to always choose the pool in the wideip's folder, and to dynamically switch if a pool (with the same name as in the iRule) is added/deleted in that folder.
ID 366165 Configuration changes to any/every GTM object now triggers the configuration file to be saved.
ID 367082 This release corrects an issue where gtmd could grow excessively.
ID 367836 This release corrects an issue involving excessive memory usage and crash/core when loading GTM configs with large numbers of virtual servers with topology records.
ID 368715 Corrected a condition where importing a ucs file generated from a previous release with depends_on in the configuration would fail.

Fixes in 11.0.0

Bug Description
226783 [Global Traffic Manager] Global Traffic Manager now correctly performs name resolution for the IPv6 addresses, and BIND responds correctly to DNS requests against IPv6 self IP addresses.
223590, CR130729 [Global Traffic Manager] This release provides the functionality for clearing link statistics.
343798 [Global Traffic Manager] This version of the software adds two read-only fields to gtm_dnssec_key_generation: creator and key_tag. The value of creator is a string representing the host name of the BIG-IP system that created the DNSSEC key generation. The value of key_tag is a hash calculated from the DNSKEY resource record (RR) for that generation. You can use these fields to help debug DNSSEC deployments. In addition, this release provides better constraint on which generations can rollover, which helps mitigate a potential race condition. Finally, this release provides additional debug logging.
348726 [Global Traffic Manager] The online help page for custom GTM SNMP monitors has been provided.

Behavior changes in 11.2.1

ID Number Description
ID 325241 If you set a value for the IPv6 NoError TTL property of a wide IP, when BIG-IP GTM returns a NOERROR DNS response for an IPv6 query, the response now contains an SOA record (with the negative caching TTL).
ID 387757 Added a new flag: -f, which forces the local big3d agent to be installed on the remote device regardless of versioning.
ID 408481 The default value for the global setting inactive-ldns-ttl has been changed from 2419200 to 2592000. If you have not changed from the default value, when you update from version 10.x, the system changes the default value to 2592000.

Behavior changes in 11.2.0

ID Number Description
ID 346551 BIG-IP Global Traffic Manager now includes BIND version 9.7.3. This version of BIND requires that when a zone is created with a name server (NS) record that is contained in the zone, that NS record must have a matching A record. With this release, when you create a wide IP that requires the creation of a zone, BIG-IP GTM automatically creates not only an NS record, but also an A record for the NS record that points to the local host. The NS and A records are given a time-to-live (TTL) of 0 (zero). The administrator should change the NS record to match the desired NS record.

Known issues

ID Number Description
ID 222220 Distributed application statistics shows requests passed only to its first wide IP. It does not add requests passed to other wide IPs - members of this distributed app to the total numbers.
ID 225759 When you upgrade a BIG-IP Global Traffic Manager synchronization group to version 10.1.0 or later, the master key is not synchronized to all members within the synchronization group. For step-by-step instructions to fix this known issue, see SOL11868 at AskF5 (http://support.f5.com).
ID 246920 Transparent IPv6 and routing domain monitors (that use IPv6) do not work.
ID 337824 "GTM UI: Modifying virtual server (VS) attributes strips trailing spaces from the server name, causing the following error: VS <name_you_entered> server <server_name_you_entered> does not exist."
ID 341722 Global Traffic Manager uses BIND 9.7.3. This version of BIND can log a complicated message about not being able to load managed keys from a master file. If you have not configured Global Traffic Manager for DNSSEC Lookaside Validation (DLV), you might receive this message. It is cosmetic and you can ignore it. This is a known issue in BIND.
ID 343030 "The named process might log the following error in daemon.log: ""Oct 22 09:44:24 local/localhost err named[8832]: 22-Oct-2010 09:44:24.278 general: error: managed-keys-zone ./IN/external: loading from master file 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys failed: file not found."" Although it reported the error, the daemon is up and running, so you can safely ignore the error."
ID 343467 Due to limitations in the firmware of the Cavium CN1620 FIPS 140 certified crypto accelerator, synchronization of FIPS security domains cannot be performed more than once every 5 minutes from the same device (using the device as the source for the synchronization).
ID 345930 "The ""IPv6 NoError Response"" and ""Enabled"" fields are missing input controls for Inbound Wide-IPs in the Link Controller UI. To workaround these problems: For IPv6 NoError Response: ""tmsh modify >wideip< ipv6-no-error-response enabled"" to enable/disable a Wide-IP: Either enable/disable through the Wide-IP List page: Link Controller > Inbound Wide-IPs > Wide-IP List Or, through tmsh: modify gtm wideip <Wide-IP> enabled"
ID 349621 "Drop to BIND performance has dropped in this release. The DNS Express feature in this release should alleviate the performance drop in BIND."
ID 354161 If a BIND zone that underlies a DNS Express zone expires, DNS Express will continue to handle queries for that zone. Disable or delete the DNS Express zone itself if you want DNS Express to stop answering queries.
ID 355018 GTM logging does not put the event name in the output. This is a widely known issue.
ID 355924 On DNS responses directly from a BIG-IP system (from GTM, DNSSEC, DNS Express) the edns0 nsid option len and data will be stripped. If the response is not modified by the BIG-IP system (from BIND or pool member), then it will not be stripped.
ID 356586 BIND v9.7, new in v11.0.0, requires an A (IP address) record for an in-zone nameserver (NS) entry in its configuration. In the past, an FQDN or CNAME for the NS was sufficient. This means that upgrades to v11.0.0 might fail to load if such an A record is not present (the symptom will be zrd stuck in a restart loop). The best solution is to create an A record for the NS before upgrading. Or you can create and disable a wideIP, which causes an A record to be created. (Note that this is for in-zone NS records only. An "out of zone" NS record should not have an A record, and if you add an A record for it, the named process generates a warning about "ignoring out of zone data".)
ID 357361 DNSSEC objects are owned by GTM (due to the need for wide-area sync). An LTM load only does a mark/sweep for LTM objects, not GTM. Therefore, an attempt (in the sweep) to delete the unsaved folder fails because the object unable to be swept, the DNSSEC object, still exists.
ID 361129 "To save memory and CPU processing, we only store the first 255 characters of an object name in the stats segment. All objects with matching names in the stats segments have their stats merged. If more than one object has a name that matches in the first 255 characters, the stats for those objects will be merged into one row."
ID 361330 Enabling longest match on the topology list will re-order the list. This will be problematic for larger lists and if the customer is making use of a unique ordering for their inbound LDNSs.
ID 361650 "Starting with 11.0.0, it takes minimum of 15 seconds to a maximum of 60 seconds for BIG-IP GTM to save any configuration change, regardless of whether it is made in the Configuration utility or in tmsh. The only way to speed up this process is to run the following command in tmsh: save sys config partitions all gtm-only No equivalent of this command exists in the Configuration utility."
ID 362142 Loading large geoip databases can cause tmm to miss its heartbeat timeout - SOD then sig aborts tmm.
ID 362356 When a device in a GTM device group restarts for any reason, and if the MCP database (/var/db/mcpdb.*) is missing, devices could lose configuration changes that happened during the restart.
ID 362413 If a monitor send or receive string contains a backslash character, this backslash will be escaped (prepended with another backslash) when the monitor is listed in tmsh. This causes no harm; the monitor still functions properly.
ID 363134 Links get auto-discovered when global Auto-Discovery is disabled and Link Discovery is on.
ID 363137 "When running an Active Directory (AD) auth access policy, the session might fail with the AD module, reporting a message such as: ""AD module: authentication with '...' failed: Cannot contact any KDC for realm ...""."
ID 363142 [Link Controller] global Auto-Discovery can be disabled while having a link with bigip_link monitor.
ID 365764 Loading a UCS with no custom partition in it fails on a system that has any GTM objects defined in a custom partition.
ID 367459 The BIG-IP Configuration utility might incorrectly allow you to assign certain health monitors to pools and server objects that are configured with a wildcard service port. For more information, see SOL12400 at http://support.f5.com/kb/en-us/solutions/public/12000/400/sol12400.html?sr=20262082.
ID 375574 iApps application service objects will not be synced to GTM devices.
ID 381036 Global Quality of Service (QoS) load-balancing factors were accessible only through the bigpipe script, which is no longer available, and were not available from tmsh.
ID 381433 Using sideband connections within iRules to recurse without limit will eventually cause a core due to OOM. If using sideband connections within an iRule to connect back to the virtual firing the event, ensure that the sideband request does not cause the same event and same condition.
ID 384630 If the matchregion command is given only one argument, the TMM (or GTM, for versions earlier than 11.0.0) will core.
ID 385229 In GTM iRules for 10.2.x, IP::addr will incorrectly always return FALSE when comparing addresses with different masks.
ID 395558 "When using tmsh tab expansion on the virtual server 'source-address-translation' attribute, the displayed list of pools include pools of both 'snat' and 'lsn' types. It is not restricted to the given type on the command line nor the current configured value. If a pool is selected that differs from the specified (or currently configured type), the command will fail."
ID 403125 [Global Traffic Manager] If GTM v11.x has LTM v10.x virtual servers auto-discovered and later LTM gets upgraded to 11.x, GTM auto-discovers a new set of virtual servers with their names in 11.x format (with partition path being added to their 10.x names). If virtual server discovery was enabled, LTM virtual servers get re-discovered with the new names effectively deleting their previous memberships in the GTM pools. If virtual server discovery was enabled with no delete option then the pre-existing set of LTM virtual servers and their pool memberships stay intact but a second set of LTM virtual servers with the new names gets auto-discovered by the GTM.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, fill out the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email). To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you would like to subscribe with. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)