Original Publication Date: 08/30/2013
This release note documents the version 10.2.1 release of BIG-IP® Global Traffic Manager™ and BIG-IP® Link Controller™. To review what is new and fixed in this release, refer to New in version 10.2.1 and Fixed in version 10.2.1. For existing customers, you can apply the software upgrade to versions 9.3.x, 9.4.x, 9.6.x, and 10.x. For information about installing the software, refer to Installing the software.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database in the AskF5 Knowledge Base.
The minimum system requirements for this release are:
Important: Before you install this release on a BIG-IP 1500, 3400, or 3410 platform with the minimum 1 GB of RAM, you must read SOL11396: Error Message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required.
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
Note that we recommend that you leave the browser cache options at the default settings, and disable popup blockers and other browser add-ons or plug-ins.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: The hardware and software for each unit in a redundant system configuration must match.
This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.
Before you begin, ensure that you have completed the following:
Installation consists of the following steps.
Warning: Do not use the --nomoveconfig option described in the following procedure on systems with existing, running installations of Application Security Manager. Doing so removes all content from the associated database. Instead, ensure that the configuration on the source installation location matches the one on the destination. To do so, save the UCS configuration on the location you want to preserve, and apply that configuration to the destination before or after the installation operation.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we strongly recommend that you reference the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
To watch an in-progress installation operation, run the command watch b software status, which runs the b software status command every two seconds. Pressing Ctrl+C stops the watch feature.
If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
Your upgrade process differs depending on the version of software you are currently running.
Warning: Do not use the 10.x installation methods (the Software Management screens, the b software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.
Important: BIG-IP version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: Supported product module combinations by platform for the BIG-IP version 10.x software branch.
When you upgrade from software version 9.6.x or 10.x, you can use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help, or the relevant chapters in the BIG-IP® Systems: Getting Started Guide.
If you plan to install this version of the software onto a system running 9.3.x or 9.4.x, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.3.x or 9.4.x to 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.
You cannot roll forward a configuration directly to this version from BIG-IP version 4.x or from BIG-IP versions 9.0.x through 9.2.x. You must be running software version 9.3.x, 9.4.x, 9.6.x, or 10.x. For details about upgrading to those versions, see the release notes for the associated release.
Important: Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up in an offline state because each one needs a failover peer management address. To configure the failover peer management addresses, navigate to the Network Failover screen, available under High Availability on the System menu on the navigation pane, and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the redundant system. Once you specify both IP addresses, the system should operate as expected. For more information, see SOL9947: Change in Behavior: The Peer Management Address setting and communication using the management port is required for BIG-IP version 10.x systems configured for network failover.
There are no new Global Traffic Manager features specific to version 10.2.1.
New Wide IP Dependency Level for Distributed Applications (CR133521)
When you create a distributed application, you now have the option of setting the status of the distributed application to be dependent upon the status of a wide IP. When you configure a distributed application for wide IP dependency, the Global Traffic Manager™ considers all wide IPs that host that application to be unavailable, even if only one of the wide IPs is unavailable.
Global Traffic Manager listener and load balancing to a pool of DNS servers (CR131948)
You can now use a Global Traffic Manager system to seamlessly screen standard DNS BIND requests, and load balance those requests to a pool of external DNS servers instead of to the local BIND server running on the Global Traffic Manager system. First the system checks the incoming DNS query type. If the query is for an address record (A, AAAA, A6) or a CNAME, the system attempts to match the request against the list of configured wide IPs. If the query is for a wide IP, the system applies rules configured for the wide IP resource. Otherwise, if the request is for a non-address type, such as an MX record, or if the request is for an address that is not configured as a wide IP, the Global Traffic Manager system forwards the DNS query to one of the servers listed in the pool of DNS servers. The Global Traffic Manager system also inspects responses from the pool of external DNS servers, and if it finds a wide IP match for an address record embedded in a response, the Global Traffic Manager system intercepts and resolves the address record using normal Global Traffic Manager system functions. Finally, the Global Traffic Manager system rewrites the request as necessary before sending it back to the DNS client. Adding the DNSSEC module expands this capability to also allow standalone Global Traffic Manager systems to perform real-time DNSSEC signing as needed for any DNS response, including the standard BIND responses from the pool of DNS servers.
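The dispatch decision described above, as a simplified Python model. This is an added illustration, not F5 code; the class and method names, the sample names and addresses, and the round-robin choice of pool server are assumptions.

```python
# Simplified model of the listener's query dispatch and response inspection.
# All names and addresses are constructed for illustration.

ADDRESS_TYPES = {"A", "AAAA", "A6", "CNAME"}   # query types checked against wide IPs


def normalize(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()


class Listener:
    def __init__(self, wide_ips, dns_pool):
        # wide_ips: name -> {record type: rdata the wide IP logic would return}
        self.wide_ips = {normalize(n): recs for n, recs in wide_ips.items()}
        self.dns_pool = list(dns_pool)
        self._next = 0

    def route_query(self, qname, qtype):
        """Return ("wide_ip", name) or ("forward", pool_server)."""
        name = normalize(qname)
        if qtype.upper() in ADDRESS_TYPES and name in self.wide_ips:
            return ("wide_ip", name)
        # Non-address types (MX, TXT, ...) and names that are not wide IPs
        # go to the external pool. Round robin is an assumption.
        server = self.dns_pool[self._next % len(self.dns_pool)]
        self._next += 1
        return ("forward", server)

    def inspect_response(self, answers):
        """Rewrite address records in a pool server's response that match a wide IP.

        answers: list of (name, rtype, rdata) tuples.
        """
        rewritten = []
        for name, rtype, rdata in answers:
            records = self.wide_ips.get(normalize(name), {})
            if rtype.upper() in records:
                rdata = records[rtype.upper()]   # stand-in for wide IP resolution
            rewritten.append((name, rtype, rdata))
        return rewritten


# Constructed sample configuration.
WIDE_IPS = {
    "www.example.com": {"A": "192.0.2.10"},
    "Mail.Example.com": {"A": "192.0.2.25"},
}
DNS_POOL = ["198.51.100.53", "198.51.100.54"]

if __name__ == "__main__":
    listener = Listener(WIDE_IPS, DNS_POOL)
    print(listener.route_query("WWW.Example.COM.", "A"))
    print(listener.route_query("example.com", "MX"))
    # An MX response carrying an address record for a wide IP name:
    print(listener.inspect_response([
        ("example.com", "MX", "10 mail.example.com"),
        ("mail.example.com", "A", "203.0.113.7"),
    ]))
```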
Virtual Location monitor and Global Traffic Manager
The Local Traffic Manager™ Virtual Location monitor uses the higher Priority Group setting of local pool members to optimize end-user response time in environments with dynamic distribution of application resources across multiple data centers. When a configured Virtual Location monitor is used in conjunction with the Global Traffic Manager™, the total local pool member count is used to distribute new clients to data centers in a manner proportional to the percentage of available resources. For example, if data center 1's virtual server has 5 local pool members, and data center 2's has 10, then the Global Traffic Manager sends data center 2 twice the traffic as data center 1. As pool members migrate, the Global Traffic Manager adjusts traffic distribution.
Important: For platform-related or cross-product items, see Release Note: BIG-IP Local Traffic Manager and TMOS version 10.2.0.
[Global Traffic Manager] Discovery of multiple virtual servers with same IP:port (ID 222281)
A Global Traffic Manager™ system with virtual server discovery enabled now properly handles a Local Traffic Manager™ system configuration containing multiple virtual servers with the same IP address:Port combination, but with differing names/protocols. Now, the discovery operation returns only one virtual server for each unique IP address:Port combination, and no longer results in a configuration reload every 30 seconds.
[ZoneRunner] Zone names case sensitivity (ID 247684)
ZoneRunner now handles zone names in a completely case-insensitive manner. Previously, for example, with the zone example.com, if a wide IP was created as EXAmple.Com, ZoneRunner would attempt to create a new zone EXAmple.Com and then log the following error:
/var/log/gtm:Sep 3 16:15:47 local/d62 err zrd: 0115020b:3: Errors in config file named.conf:99: zone 'example.com': already exists previous definition: /tmp/named.conf.tmp.jOkxME:7
[ZoneRunner] Detailed view information (ID 247971)
Users using ZoneRunner with multiple views may now display a specific view's detailed information.
[Global Traffic Manager] Stability enhancements to gtmd (ID 328802)
Stability enhancements have been made to the gtmd service.
[Global Traffic Manager] Alternate load balancing method and corrupt configuration file (ID 336260)
The configuration file no longer gets corrupted when a pool's alternate load balancing method is different from the preferred method, the system uses the alternate method, and the query returns to DNS.
This release lists no specific fixes because it is a zero-level release.
This release contains the following known issues.
[Global Traffic Manager] Enable/disable object status (CR92216)
Occasionally, changes to object status (specifically, enable/disable) that you make using the browser-based Configuration utility are not immediately reflected in the Configuration utility. The corresponding config file (for example, wideip.conf) is correctly modified, but the object's visual status might remain in its previous state.
[Global Traffic Manager] Format of Unknown string behavior change (CR101680)
The system now returns a consistent Unknown string for continent and country tags for the IP Classifier or netIana.inc file. Previously, the system returned UNKNOWN for unknown country codes and unknown for unknown continent codes. This might impact you if you are using the whereis iRule command for the Global Traffic Manager™.
[Global Traffic Manager] Monitor timeout and changing timeout values (CR101679)
If you have a large configuration, and you change a monitor's timeout and interval values at the same time, the system might report hosts changing to a down state immediately followed by an up state. In general it is best to change either the timeout or interval, but not both simultaneously. If you plan to use bigger values, change the timeout first. If you plan to use smaller values, change the interval first. In each case, always allow for a full configuration propagation in between changes.
[Global Traffic Manager] ?Active? string in command line prompt (CR106291)
When you load a large configuration, the command line prompt might change to ?Active?. Pressing return resets the prompt to Active, as expected.
[Global Traffic Manager] Translated IP and Port (CR113989)
Using the Traffic Management Shell (tmsh), it is possible to add only a translated IP address or only a translated port, rather than specifying both values together. If you only specify one, the system does not save the configuration, and uses 0 (zero) as the port. The workaround is to change the port, define the IP address, and then set the port to the value you want to use.
[Global Traffic Manager] mprov logging errors in /var/log/gtm (CR112754)
When you use the bigpipe utility or the tmsh utility to set provisioning, make sure to wait a minimum of 30 seconds (more, if you are provisioning several modules) before issuing any other provisioning command. If you do not, the system could end up misconfigured, which requires a full reboot to correct.
[Global Traffic Manager] Operator role and enable/disable pool members (CR111032)
Users with the Operator role can now use the interactive command line to enable and disable pool members. However, users with the Operator role cannot use the edit command to perform the same functions, because there is no way to determine what part of the configuration is legitimate for the Operator user to edit.
[Global Traffic Manager] Data centers across gateways (CR110976)
If you configure two data centers, one with a default gateway pool and links to another subnet, and the other with no links to another subnet, the system might show incorrect status until it resolves all the input from the links. In that case, you might see the following error message in the /var/log/gtm log:
Nov 3 11:28:22 local/gtm3603 crit gtmd: 011a1002:2: Can not find GATEWAY target member 10.20.0.254:0 for pool default_gateway_pool
Although there is no workaround for this issue, the systems eventually sort out the conflicts and mark all objects up.
[Global Traffic Manager] Upgrade and sync groups (CR103265)
If you are upgrading from 9.2.x, and you have a Global Traffic Manager™ unit that belongs to a sync group, you must remove the unit from the sync group before you install the software or apply the upgrade. Failure to do so may cause irrevocable damage to the units in the sync group that are running older versions of the software. Once you have upgraded all units to the same version, you can then re-create the sync group. For details on removing a unit from a sync group, see the product documentation. Once you have removed the unit from the sync group, you can proceed with the installation or upgrade. Note that this is for upgrades from 9.2.x only.
[Global Traffic Manager] FTP monitor and multi-line responses (CR104562)
The Global Traffic Manager FTP monitor does not handle multi-line responses correctly. If an FTP server uses multi-line responses, you might encounter undefined behavior, which could include monitor flapping or consistent monitor failure.
[Global Traffic Manager/Link Controller] Licensing for Global Traffic Manager or Link Controller only (CR107158)
When you install the software for a Global Traffic Manager™ only or Link Controller™ only, the system reports provisioning only for Local Traffic Manager, even though the Global Traffic Manager and Link Controller menus are active. Before you can use Global Traffic Manager or Link Controller, you must open the Resource Provisioning screen on the System menu in the navigation pane, and provision Global Traffic Manager or Link Controller.
[Global Traffic Manager] Routing domains and Global Traffic Manager (CR107402)
Routing Domains are supported on internal interfaces only when there is a Global Traffic Manager™ system on the network and monitoring the Local Traffic Manager system. Routing Domains are supported on internal and external interfaces (virtual servers, self IP addresses, and so on) when there is Global Traffic Manager in the network or the operator decides not to monitor that Local Traffic Manager. Note that there is nothing in the software to prevent you from configuring Routing Domains on both the internal and external interfaces when there is a Global Traffic Manager system on the network. Therefore, it is the system administrators' responsibility to ensure the proper configuration for their network environment. Also note that Routing Domains are not supported on a Local Traffic Manager system that is also running the Global Traffic Manager product module.
[Global Traffic Manager/Link Controller] Roll forward from 9.x and Application Security Manager and Global Traffic Manager provisioning (CR120828)
When you roll forward a 9.x user configuration set (UCS) file that is configured for Application Security Manager™ and Global Traffic Manager™, provisioning for Global Traffic Manager is not enabled. To enable Global Traffic Manager using the browser-based Configuration utility, in the navigation pane, expand System, and click Resource Provisioning. In the Module Resource Provisioning section, select the provisioning level you want from the Global Traffic (GTM) and Link Controller (LC) drop-down lists.
[Global Traffic Manager/Link Controller] Object enable and disable and screen refresh (CR125781)
The system can encounter a race condition in which the screen does not correctly register the state when you enable and disable objects. The workaround is to manually refresh the page.
[DNSSEC] Repeat key create and sync (CR127441)
Using the Repeat button to create keys can cause a race condition in the syncing mechanism that results in the key not being created on the peer. The workaround is to add the next object once you see the generation object appear.
[DNSSEC] 4096 bit keys and FIPS (CR131190)
Federal Information Processing Standards (FIPS) does not support a key size of 4096. You can use FIPS with a smaller key size.
[DNSSEC] Intermittent err mcpd message (CR132153)
You might intermittently see the message err mcpd: 010712d7:3: DNSSEC Key Generation transaction failed with exception for [Can't save/checkpoint DB object, class:gtm_dnssec_key_generation status:13] in generation_create_cb. This error message is benign, and you can safely ignore it.
[Global Traffic Manager/Link Controller] Limit on length of object names (CR133288)
In order to display status or statistics for the following objects, their names can be no longer than 63 characters:
Objects whose names are longer than 63 characters remain in the unknown (blue) state. Additionally, you cannot view statistics for the object. Previous releases did not have this object name limit. For more information, see SOL10871: BIG-IP GTM reports a status of Unknown and is unable to retrieve statistics for objects configured with a name longer than 63 characters.
[Global Traffic Manager] Empty region string (CR138719)
If you create a Region that has no member criteria, the system matches every region. To work around this issue, always specify at least one Member Type for the Member List.