Applies To:

Show Versions Show Versions

Release Note: BIG-IP GTM and BIG-IP Link Controller version 10.2.2
Release Note

Original Publication Date: 08/30/2013


This release note documents the version 10.2.2 release of BIG-IP Global Traffic Manager and BIG-IP Link Controller. To review what is new and fixed in this release, refer to New in 10.2.2 and Fixes in 10.2.2. For existing customers, you can apply the software upgrade to versions 9.3.x, 9.4.x, 9.6.x, and 10.x. For information about installing the software, refer to Installing the software.


- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
- Upgrading from earlier versions
- New in 10.2.2
- New in 10.2.1
- New in 10.2.0
- Behavior changes in 10.2.2
- Fixes in 10.2.2
- Fixes in 10.2.1
- Fixes in 10.2.0
- Known issues
- Contacting F5 Networks
- Legal notices

[ Top ]

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP 10.2.2 GTM Documentation page.

[ Top ]

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • System hard drive
  • 1 GB RAM

Important: Before you install this release on a BIG-IP 1500, 3400, or 3410 platform with the minimum 1 GB of RAM, you must read SOL11396: Error Message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required.

Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.

You can work with the BIG-IP system Configuration utility using the following browsers:

  • Microsoft® Internet Explorer®, version 6.0x, and version 7.0x
  • Mozilla® Firefox®, version 3.0x

Note that we recommend that you leave the browser cache options at the default settings, and disable popup blockers and other browser add-ons or plug-ins.

[ Top ]

Supported platforms

This release supports the following platforms:

  • BIG-IP 1500 (C36) - minimum of 1 GB RAM
  • BIG-IP 1600 (C102)
  • BIG-IP 3400 (C62) - minimum of 1 GB RAM
  • BIG-IP 3410 (C100) - minimum of 1 GB RAM
  • BIG-IP 3600 (C103)
  • BIG-IP 3900 (C106)
  • BIG-IP 4100 (D46) - unit running Application Security Manager only
  • BIG-IP 4500 (D43) - unit running WebAccelerator System only
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 6900 (D104)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)
  • BIG-IP 8900 (D106)
  • BIG-IP 8950 (D107)
  • BIG-IP 11050 (E102)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: The hardware and software for each unit in a redundant system configuration must match.

[ Top ]

Installing the software

This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

Before you begin, ensure that you have completed the following:

  • Reformat for the 10.1.x and later partition size, if needed (partitions created using version 9.x or 10.0.x do not accommodate the 10.1.x and later software).
  • Reactivate the license and update the service contract.
  • Download the .iso file from F5 Downloads to /shared/images on the source for the operation.
    (If you need to create this directory, use this exact name /shared/images.)
  • Confirm that the drives have at least minimal formatting.
  • Configure a management port.
  • Set the baud rate to 19200, if it is not already.
  • Log on using the management port of the system you want to upgrade.
  • Log on to an installation location other than the target for the installation.
  • Log on using an account with administrative rights.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location.
  • Log on to the standby unit, and upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are upgrading from 9.3.x or 9.4.x, run im <downloaded_filename.iso> to copy over the new installation utility.
  • If you are running WAN Optimization Module, set the module's provisioning to Minimum before upgrading.

Installation consists of the following steps.

  1. To copy the upgrade utility, run the command im (for first-time 9.x-to-10.x installation).
  2. To install the software and roll forward the configuration on the active installation location, use one of the following methods:

Warning: Do not use the --nomoveconfig option described in the following procedure on systems with existing, running installations of Application Security Manager. Doing so removes all content from the associated database. Instead, ensure that the configuration on the source installation location matches the one on the destination. To do so, save the UCS configuration on the location you want to preserve, and apply that configuration to the destination before or after the installation operation.

  • To format for volumes and migrate the configuration from the source to the destination (for fully 10.x environments), run the command:
    image2disk --format=volumes <downloaded_filename.iso>
  • To format for volumes and preserve the configuration on the destination (for fully 10.x environments), run the command:
    image2disk --nomoveconfig --format=volumes <downloaded_filename.iso>
  • To format for partitions (for mixed 9.x and 10.x environments), run the command:
    image2disk --format=partitions <downloaded_filename.iso>
  • To install from the command line without formatting (not for first-time 10.x installation), run the command:
    bigpipe software desired HD<n.n>version 10.x build <nnnn.n> product BIG-IP
  • To install from the version 10.x browser-based Configuration utility, use the Software Management screens.

After the installation finishes, you must complete the following steps before the system can pass traffic.

  1. Ensure the system rebooted to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility, if needed.
  4. Provision the modules.

Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we strongly recommend that you reference the guide to ensure successful completion of the installation process.

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.

To watch an in-progress installation operation, run the command watch b software status, which runs the b software status command every two seconds. Pressing Ctrl+C stops the watch feature.

If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.

[ Top ]

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Important: BIG-IP version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: Supported product module combinations by platform for the BIG-IP version 10.x software branch.

Upgrading from version 9.6.x or 10.x

When you upgrade from software version 9.6.x or 10.x, you can use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help, or the relevant chapters in the BIG-IP® Systems: Getting Started Guide.

Upgrading from version 9.3.x or 9.4.x

If you plan to install this version of the software onto a system running 9.3.x or 9.4.x, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.3.x or 9.4.x to 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.

Upgrading from versions earlier than 9.3.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x or from BIG-IP versions 9.0.x through 9.2.x. You must be running software version 9.3.x, 9.4.x, 9.6.x, or 10.x. For details about upgrading to those versions, see the release notes for the associated release.

Important: Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up in an offline state because each one needs a failover peer management address. To configure the failover peer management addresses, navigate to the Network Failover screen, available under High Availability on the System menu on the navigation pane, and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the redundant system. Once you specify both IP addresses, the system should operate as expected. For more information, see SOL9947: Change in Behavior: The Peer Management Address setting and communication using the management port is required for BIG-IP version 10.x systems configured for network failover.

[ Top ]

New in 10.2.2

DNSSEC key creation and rollover improvements (ID 343798)
This version of the software adds two read-only fields to gtm_dnssec_key_generation: creator and key_tag. The value of creator is a string representing the host name of the BIG-IP system that created the DNSSEC key generation. The value of key_tag is a hash calculated from the DNSKEY resource record (RR) for that generation. You can use these fields to help debug DNSSEC deployments. In addition, this release provides better constraint on which generations can rollover, which helps mitigate a potential race condition. Finally, this release provides additional debug logging.

New in 10.2.1

There are no new Global Traffic Manager features specific to version 10.2.1.

New in 10.2.0

New Wide IP Dependency Level for Distributed Applications (CR133521)
When you create a distributed application, you now have the option of setting the status of the distributed application to be dependent upon the status of a wide IP. When you configure a distributed application for wide IP dependency, the Global Traffic Manager considers all wide IPs that host that application to be unavailable, even if only one of the wide IPs is unavailable.

Global Traffic Manager listener and load balancing to a pool of DNS servers (CR131948)
You can now use a Global Traffic Manager system to seamlessly screen standard DNS BIND requests, and load balance those requests to a pool of external DNS servers instead of to the local BIND server running on the Global Traffic Manager system. First the system checks the incoming DNS query type. If the query is for an address record (A, AAAA, A6) or a CNAME, the system attempts to match the request against the list of configured wide IPs. If the query is for a wide IP, the system applies rules configured for the wide IP resource. Otherwise, if the request is for a non-address type, such as an MX record, or if the request is for an address that is not configured as a wide IP, the Global Traffic Manager system forwards the DNS query to one of the servers listed in the pool of DNS servers. The Global Traffic Manager system also inspects responses from the pool of external DNS servers, and if it finds a wide IP match for an address record embedded in a response, the Global Traffic Manager system intercepts and resolves the address record using normal Global Traffic Manager system functions. Finally, the Global Traffic Manager system rewrites the request as necessary before sending it back to the DNS client. Adding the DNSSEC module expands this capability to also allow standalone Global Traffic Manager systems to perform real-time DNSSEC signing as needed for any DNS response, including the standard BIND responses from the pool of DNS servers.

Virtual Location monitor and Global Traffic Manager
The Local Traffic Manager Virtual Location monitor uses the higher Priority Group setting of local pool members to optimize end-user response time in environments with dynamic distribution of application resources across multiple data centers. When a configured Virtual Location monitor is used in conjunction with the Global Traffic Manager, the total local pool member count is used to distribute new clients to data centers in a manner proportional to the percentage of available resources. For example, if data center 1's virtual server has 5 local pool members, and data center 2's has 10, then the Global Traffic Manager sends data center 2 twice the traffic as data center 1. As pool members migrate, the Global Traffic Manager adjusts traffic distribution.

Behavior changes in 10.2.2

[Global Traffic Manager] Constraint calculation for DNSSEC keys (ID 343798)
In previous releases, the value of the Rollover Period for a DNSSEC key had to be equal to or greater than one third the value of the Expiration Period of the key, and less than the Expiration Period. In this release, the value of the Rollover Period must be equal to or greater than one half the value of the Expiration Period, and less than the Expiration Period. If your DNSSEC keys do not meet this criteria, before you upgrade to this version, change the value of the Rollover Period for each DNSSEC key.

Fixes in 10.2.2

The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1, SOL12778: Overview of BIG-IP version 10.2.1 HF2, and SOL12816: Overview of BIG-IP version 10.2.1 HF3.

[Global Traffic Manager] Option to clear link statistics (ID 223590, CR130729)
This release provides the functionality for clearing link statistics.

Fixes in 10.2.1

[Global Traffic Manager] Discovery of multiple virtual servers with same IP:port (ID 222281)
A Global Traffic Manager system with virtual server discovery enabled now properly handles a Local Traffic Manager system configuration containing multiple virtual servers with the same IP address:Port combination, but with differing names/protocols. Now, the discovery operation returns only one virtual server for each unique IP address:Port combination, and no longer results in a configuration reload every 30 seconds.

[ZoneRunner] Zone names case sensitivity (ID 247684)
ZoneRunner now handles zone names in a completely case-insensitive manner. For example, with the zone, if a WideIP was created as EXAmple.Com, Zone Runner would attempt to create a new zone EXAmple.Com then log the following error: /var/log/gtm:Sep 3 16:15:47 local/d62 err zrd[19048]: 0115020b:3: Errors in config file named.conf:99: zone '': already exists previous definition: /tmp/named.conf.tmp.jOkxME:7

[ZoneRunner] Detailed view information (ID 247971)
Users using ZoneRunner with multiple views may now display a specific view's detailed information.

[Global Traffic Manager] Stability enhancements to gtmd (ID 328802)
Stability enhancements have been made to the gtmd service.

[Global Traffic Manager] Alternate load balancing method and corrupt configuration file (ID 336260)
When the pool's alternate load balancing method is different from the preferred method, and the system uses the alternate method, when the query returns to DNS, the configuration file no longer gets corrupted.

Fixes in 10.2.0

This release lists no specific fixes because it is a zero-level release.

Important: For platform-related or cross-product items, see Release Note: BIG-IP Local Traffic Manager and TMOS version 10.2.2.

[ Top ]

Known issues

This release contains the following known issues.

[Global Traffic Manager] Enable/disable object status (CR92216)
Occasionally, changes to object status (specifically, enable/disable) you make using the browser-based Configuration utility do not always immediately reflect in the Configuration utility. The corresponding config file (for example, wideip.conf) is correctly modified, but the object's visual status might remain in its previous state.

[Global Traffic Manager] Format of Unknown string behavior change (CR101680)
The system now returns a consistent Unknown string for continent and country tags for the IP Classifier or file. Previously, the system returned UNKNOWN for unknown country codes and unknown for unknown continent codes. This might impact you if you are using the whereis iRule command for the Global Traffic Manager.

[Global Traffic Manager] Monitor timeout and changing timeout values (CR101679)
If you have a large configuration, and you change a monitor's timeout and interval values at the same time, the system might report hosts changing to a down state immediately followed by an up state. In general it is best to change either the timeout or interval, but not both simultaneously. If you plan to use bigger values, change the timeout first. If you plan to use smaller values, change the interval first. In each case, always allow for a full configuration propagation in between changes.

[Global Traffic Manager] ?Active? string in command line prompt (CR106291)
When you load a large configuration, the command line prompt might change to ?Active?. Pressing return resets the prompt to Active, as expected.

[Global Traffic Manager] Translated IP and Port (CR113989)
Using the Traffic Management Shell (tmsh), it is possible to add only a translated IP address or only a translated port, rather than specifying both values together. If you only specify one, the system does not save the configuration, and uses 0 (zero) as the port. The workaround is to change the port, define the IP address, and then set the port to the value you want to use.

[Global Traffic Manager] mprov logging errors in /var/log/gtm (CR112754)
When you use the bigpipe utility or the tmsh utility to set provisioning, make sure to wait a minimum of 30 seconds (more, if you are provisioning several modules) before issuing any other provisioning command. If you do not, the system could end up misconfigured, which requires a full reboot to correct.

[Global Traffic Manager] Operator role and enable/disable pool members (CR111032)
Users with the Operator role can now use the interactive command line to enable and disable pool members. However, users with the Operator role cannot use the edit command to perform the same functions, because there is no way to determine what part of the configuration is legitimate for the Operator user to edit.

[Global Traffic Manager] Data centers across gateways (CR110976)
If you configure two data centers, one with a default gateway pool and links to another subnet, and the other with no links to another subnet, the system might show incorrect status until it resolves all the input from the links. In that case, you might see the following error message in the /var/log/gtm log:

Nov 3 11:28:22 local/gtm3603 crit gtmd: 011a1002:2: Can not find GATEWAY target member for pool default_gateway_pool

Although there is no workaround for this issue, the systems eventually sort out the conflicts and mark all objects up.

[Global Traffic Manager] Upgrade and sync groups (CR103265)
If you are upgrading from 9.2.x, and you have a Global Traffic Manager unit that belongs to a sync group, you must remove the unit from the sync group before you install the software or apply the upgrade. Failure to do so may cause irrevocable damage to the units in the sync group that are running older versions of the software. Once you have upgraded all units to the same version, you can then re-create the sync group. For details on removing a unit from a sync group, see the product documentation. Once you have removed the unit from the sync group, you can proceed with the installation or upgrade. Note that this is for upgrades from 9.2.x only.

[Global Traffic Manager] FTP monitor and multi-line responses (CR104562)
The Global Traffic Manager FTP monitor does not handle multi-line responses correctly. If an FTP server uses multi-line responses, you might encounter undefined behavior, which could include monitor flapping or consistent monitor failure.

[Global Traffic Manager/Link Controller] Licensing for Global Traffic Manager or Link Controller only (CR107158)
When you install the software for a Global Traffic Manager only or Link Controller only, the system reports provisioning only for Local Traffic Manager, even though the Global Traffic Manager and Link Controller menus are active. Before you can use Global Traffic Manager or Link Controller, you must open the Resource Provisioning screen on the System menu in the navigation pane, and provision Global Traffic Manager or Link Controller.

[Global Traffic Manager] Routing domains and Global Traffic Manager (CR107402)
Routing Domains are supported on internal interfaces only when there is a Global Traffic Manager system on the network and monitoring the Local Traffic Manager system. Routing Domains are supported on internal and external interfaces (virtual servers, self IP addresses, and so on) when there is Global Traffic Manager in the network or the operator decides not to monitor that Local Traffic Manager. Note that there is nothing in the software to prevent you from configuring Routing Domains on both the internal and external interfaces when there is a Global Traffic Manager system on the network. Therefore, it is the system administrators' responsibility to ensure the proper configuration for their network environment. Also note that Routing Domains are not supported on a Local Traffic Monitor system that is also running the Global Traffic Monitor product module.

[Global Traffic Manager/Link Controller] Roll forward from 9.x and Application Security Manager and Global Traffic Manager provisioning (CR120828)
When you roll forward a 9.x user configuration set (UCS) file that is configured for Application Security Manager and Global Traffic Manager, provisioning for Global Traffic Manager is not enabled. To enable Global Traffic Manager using the browser-based Configuration utility, in the navigation pane, expand System, and click Resource Provisioning. In the Module Resource Provisioning section, select the provisioning level you want from the Global Traffic (GTM) and Link Controller (LC) drop-down lists.

[Global Traffic Manager/Link Controller] Object enable and disable and screen refresh (CR125781)
The system can encounter a race condition in which the screen does not correctly register the state when you enable and disable objects. The work around is to manually refresh the page.

[DNSSEC] Repeat key create and sync (CR127441)
Using the Repeat button to create keys can cause a race condition in the syncing mechanism that results in the key not being created on the peer. The workaround is to add the next object once you see the generation object appear.

[DNSSEC] 4096 bit keys and FIPS (CR131190)
Federal Information Processing Standards (FIPS) does not support a key size of 4096. You can use FIPS with a smaller key size.

[DNSSEC] Intermittent err mcpd[3259] message (CR132153)
You might intermittently see the message err mcpd[3259]: 010712d7:3: DNSSEC Key Generation transaction failed with exception for [Can't save/checkpoint DB object, class:gtm_dnssec_key_generation status:13] in generation_create_cb. This error message is benign, and you can safely ignore it.

[Global Traffic Manager/Link Controller] Limit on length of object names (CR133288)
In order to display status or statistics for the following objects, their names can be no longer than 63 characters:

  • Data centers
  • Servers
  • Pools
  • Pool members
  • Links

Objects whose names are longer than 63 characters remain in the unknown (blue) state. Additionally, you cannot view statistics for the object. Previous releases did not have this object name limit. For more information, see SOL10871: BIG-IP GTM reports a status of Unknown and is unable to retrieve statistics for objects configured with a name longer than 63 characters.

[Global Traffic Manager] Empty region string (CR138719)
If you create a Region that has no member criteria, the system matches every region. To work around this issue, always specify at least one Member Type for the Member List.

[ Top ]

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

[ Top ]

Legal notices

Copyright ® 2010-2011, F5 Networks, Inc. All rights reserved.

For a current list of F5's trademarks and service marks, click here. All other product and company names herein may be trademarks of their respective owners.

This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of 5/25/2010.

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)