Applies To:

Show Versions Show Versions

Release Note: BIG-IP LTM version 9.1.3 and TMOS
Release Note

Software Release Date: 07/30/2007
Updated Date: 12/11/2013


This release note documents the version 9.1.3 maintenance release of BIG-IP® Local Traffic Manager, Load Balancer Limited, and Application Accelerator. To review the fixes in this release, see Fixes in this release. For existing customers, you can apply the software upgrade to systems running BIG-IP version 4.5 PTF-04 through version 4.5.12, and to systems running version 9.0 through 9.1.2. (Note that you cannot apply this upgrade to systems running BIG-IP version 4.6 software.) For information about installing the software, see Installing the software.

Note: F5 Networks offers both feature releases and maintenance releases. For more information on our release policies, please see Description of the F5 Networks software version number format.


- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Local installation
     - PXE installation
     - Remote installation
     - Verifying the MD5 checksum of the installation file
     - Verifying the BIG-IP software installation
     - Re-activating the license on the BIG-IP system
- Fixes and enhancements in this release
     - Enhancements in this release
     - Fixes in this release
- Fixes and enhancements in prior maintenance releases
     - Enhancements in version 9.1.2
     - Fixes in version 9.1.2
     - Enhancements in version 9.1.1
     - Fixes in version 9.1.1
     - Enhancements in version 9.1
     - Fixes in version 9.1
- Optional configuration changes
     - Using SNMP read/write OIDs
     - New SNMP OIDs
     - Using the switchboot utility
- Known issues
- Workarounds for known issues
     - Preventing premature connection closure (CR52482)
     - Adding nondefault management routes (CR55546)
     - Forcing the send of an extra certificate (CR58020)
     - Rewriting the redirect address when using a non-standard port (CR67241, CR67505)
     - Triggering certificate insert with an iRule (CR67515)
     - Rewriting long URIs in HTTP-to-HTTPS addresses (CR71317)
     - Preventing incorrect reset of monitor resource status (CR80980)
- Acknowledgments

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 Technical Support web site.

[ Top ]

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 512 MB RAM
  • 512 MB CompactFlash® media drive

The supported browsers for the BIG-IP Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x
  • Mozilla® Firefox®, version 1.5x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

[ Top ]

Supported platforms

This release supports the following platforms:

  • BIG-IP 1000 (D39)
  • BIG-IP 1500 (C36)
  • BIG-IP 2400 (D44)
  • BIG-IP 3400 (C62)
  • BIG-IP 5100 and 5110 (D51)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

[ Top ]

Installing the software

There are several installation options to consider before you begin the version 9.1.3 software installation. Before you begin the installation process, you need to determine which installation option is appropriate: local, PXE server, or remote.

Important: You are prompted to install the software on multiple boot images if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

Important: You must perform the installation from the management interface (MGMT or Management) on the BIG-IP system.

Important: We recommend that you run the MD5 checksum on any ISO image or installation manager (IM) package you download. For information about MD5 checksums, see Verifying the MD5 checksum of the installation file.

Local installation

PXE installation

Remote installation

  • Remote upgrade from version 9.0 through 9.1.2 to 9.1.3
    The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. The instructions for this upgrade option describe how upgrade a version 9.0 through 9.1.2 installation to version 9.1.3. For more information about this upgrade option, see Remote Installation: Upgrading from BIG-IP software versions 9.0 through 9.1.2 to BIG-IP software version 9.1.3.
  • Remote upgrade from version 4.5 PTF-04 through version 4.5.12 to 9.1.3
    The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. The instructions for this upgrade option describe how convert a version 4.5 PTF-04 through version 4.5.12 configuration and license for use on a 9.x system. For more information about this upgrade option, see Remote Installation: Upgrading from BIG-IP software versions 4.5 PTF-04 through 4.5.12 to BIG-IP software version 9.1.3. Note that you cannot upgrade to version 9.1.3 from versions 4.5.13 or 4.5.14, or any version 4.6.x. You must first upgrade to version 9.0 through 9.1.2.
[ Top ]

Verifying the MD5 checksum of the installation file

After you download the installation file and its associated MD5 checksum file, and before you perform the installation, we recommend you test the integrity of the install file. This verifies that you have downloaded a good copy of the file. To run the test, type the following commands, where is the name of the file you downloaded, and is the name of its associated MD5 checksum file.

If the output from both commands does not exactly match, download the file again. Repeat the download process until the MD5 checksum of the downloaded file exactly matches the text string in the associated .md5 file.

[ Top ]

Verifying the BIG-IP software installation

After you complete the installation of the software, you can verify the installation using the RPM database. For more information, type man rpm to view the RPM man page. Use the verify options to verify the installation.

[ Top ]

Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab, expand System and click License.
    The License screen opens.
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.
    For details about each screen, click the Help tab.
[ Top ]

Fixes and enhancements in this release

This release includes the following fixes and enhancements.

Enhancements in this release

BIG-IP version 9.1.3 comes with switch card control processor (SCCP) v12.0.4 and end-user diagnostics (EUD) v10.0.5.

Fixes in this release

This release includes the following fixes.

clientssl session cache resize (CR34771)
We increased the size of the global SSL session cache from 32 kilobytes to 256 kilobytes. Note this is a global cache that is shared among all SSL profiles, client and server. The total number of stored sessions between all profiles cannot exceed 256 kilobytes.

Client SSL and Server SSL profiles and time stamps on key or certificate files (CR40677)
In prior releases, certificates added to an already-existing Certificate Authority (CA) files were not picked up by subsequent load operations without restarting the system. In this release, the bigpipe utility always updates SSL certificates and key files.

Tcpdump and port mirroring (CR44574)
In previous releases, if you ran the tcpdump utility on mirrored ports, the system could cause problems in the bcm56xxd utility. Now when you run the tcpdump utility on mirrored ports, the system does not cause those problems.

System upgrade and benign messages (CR44783, CR44820)
Previously, you might have seen various benign error message when you upgraded the system. Now, the system always performs a restart, so these messages no longer occur.

Routes redefinition when assigning a MAC masquerade address for a VLAN (CR52602)
In previous releases, when you assigned a MAC masquerade address to an existing VLAN, Linux automatically dropped any existing static routes pertaining to the interfaces associated with that VLAN. Now, enabling MAC masquerading on an existing VLAN no longer drops attached routes in the Linux routing table.

Last file of key/certificate archive and importing (CR53534)
Previously, when you imported a key/certificate archive, the last file in the archive was missing. Now, the system correctly processes key/certificate archive import operations, and the process imports all files correctly.

IM upgrade package and synchronization (CR54980)
Previously, when you installed an installation manager (IM) upgrade package and immediately restarted the system, you could lose changes because the IM package was not synchronized with the system. Now, upgrading synchronizes with the system.

Authenticate Once option and session resumption when set to False (CR55371)
In previous releases, when you set the Authenticate option to Always, the system did not always force authentication. Now it does.

Partial ACKs and TMM issues (CR56110, CR56221)
Previously, when a mirrored connection received a partial acknowledgement (ACK) and the data being acknowledged had not passed through TCP yet, the Traffic Management Microkernel (TMM) service might have halted, generated warnings, and could not drop the send queue because it contained insufficient data. Now, the TMM does not halt or generate warnings, and correctly drops the send queue regardless of the amount of data it contains.

cURL local vulnerability (CR56208)
Previous releases reported a known issue of a cURL vulnerability in the code. We discovered that the vulnerability did not apply to the version of cURL used in the version 9.1.x release.

Continuous pvad restart (CR56464)
In previous releases, as a result of constraint handling, the Packet Velocity® ASIC (PVA) daemon (pvad) process could get into a recursion loop that caused the process to consume a large amount of system resources and slow down the processing of traffic. This release corrects the recursion loop so that the process consumes the correct amount of memory and does not slow the processing of traffic.

CVE-2004-0968, CVE-2004-1382, and CVE-2004-1453 glibc script vulnerability (CR56669)
This release contains a patch for the glibc library. The minor local vulnerability issue, which pertained to two scripts packaged with glibc, catchsegv and glibcbug, has been eliminated with this update. The Common Vulnerabilities and Exposures (CVE) project assigned the IDs CVE-2004-0968, CVE-2004-1382, and CVE-2004-1453 to the problem. For more information about the vulnerability, see CVE-2004-0968, CVE-2004-1382, and CVE-2004-1453, .

MSTP instance IDs allowed range (CR56690)
In previous releases, product documentation incorrectly reported the numeric range for Multiple Spanning Tree Protocol (MSTP) Instance IDs as 1 to 4095. We have corrected the documentation to report the correct range for these IDs: 1 to 255.

Pool members marked as active after restart (CR56704)
In this release, the system no longer marks forced-down pool members as active when you type the bigstart restart command. In previous releases, the system marked forced-down pool members as active upon startup.

Large class redefinition and the extremedb process (CR56743)
In this version, if you create a class or class list with many members, and then later redefine the contents of the class or class list, you no longer receive an invalid cursor error. Instead, the redefinition process completes successfully.

CVE-2005-3962, CVE-2005-0448, and CVE-2004-0976 Perl local vulnerabilities (CR57926)
This release contains updated Perl modules to resolve local vulnerabilities. The Common Vulnerabilities and Exposures (CVE) project assigned the IDs CVE-2005-3962, CVE-2005-0448, and CVE-2004-0976 to the problems. For more information about the vulnerability, see CVE-2005-3962, CVE-2005-0448, and CVE-2004-0976.

CVE-2005-3962, CVE-2005-0448, and CVE-2006-0225 OpenSSH local vulnerability (CR59238)
This release contains updated OpenSSH packages to resolve local vulnerabilities. The Common Vulnerabilities and Exposures (CVE) project assigned the IDs CVE-2005-3962, CVE-2005-0448, and CVE-2006-0225 to the problem. For more information about the vulnerabilities, see CVE-2005-3962, CVE-2005-0448, and CVE-2006-0225.

Linux kernel vulnerabilities (CR61681)
This release contains upgraded Linux kernel packages that resolve several vulnerabilities. The Common Vulnerabilities and Exposures (CVE) project assigned the IDs CVE-2002-2185, CVE-2005-0124, CVE-2005-1263, CVE-2005-2458, CVE-2005-2490, CVE-2005-2708, CVE-2005-2709, CVE-2005-2973, CVE-2005-3180, CVE-2005-3273, CVE-2005-3275, CVE-2005-3276, CVE-2005-3806, and CVE-2005-3857 to the problems. For more information about the vulnerabilities, see CVE-2002-2185, CVE-2005-0124, CVE-2005-1263, CVE-2005-2458, CVE-2005-2490, CVE-2005-2708, CVE-2005-2709, CVE-2005-2973, CVE-2005-3180, CVE-2005-3273, CVE-2005-3275, CVE-2005-3276, CVE-2005-3806, and CVE-2005-3857.

Certificates verification, revocation, and expiration and SSL alerts (CR62632, CR62974)
This release addresses several issues that involve SSL certificates. In this release, the system always sets the certificate verify result upon errors. In addition, the system provides the proper SSL alert for revoked and expired certificates. The previous releases did not.

HTTP requests with large SSL application data records (CR63474)
In previous releases, the combination of a small maximum segment size (MSS) and large SSL record size (16400 bytes) could cause SSL to stall. In this release, the system correctly processes large HTTP requests resulting in an SSL application data record size of 16400 bytes.

Time zone setting after upgrade (CR64081, CR64142)
Previously, if you upgraded a system and changed the time zone to anything other than Pacific Standard Time, the upgrade process reset the time zone to Pacific Standard Time. Now, upgrading the system does not reset the time zone.

All nodes down and resolving traffic (CR64514)
In previous releases, the system could get into a state in which traffic still resolved on Global Traffic Manager systems even when all nodes were down. Now, the system correctly reports status, so the system does not resolve traffic when all nodes are down.

SSL record containing exactly 33 fragments (CR64844)
In previous releases, an SSL record with exactly 33 fragments caused the connection to close. This release correctly handles SSL records containing exactly 33 fragments, so connections no longer close unexpectedly.

Virtual server status with no associated pool members enabled (CR65706)
Previously, when a virtual server had no associated pool members enabled, the system still showed the virtual server status as available and enabled. Now, when no associated pool members are enabled, the system shows the virtual server as unavailable.

Cipher lists in SSL cipher string (CR65841)
In this release, the list of existing ciphers matching unadorned cipher lists in an SSL cipher string is no longer moved to the end. SSL now enables and moves only disabled suites when performing the cipher suite add operation. The operation does not move cipher suites that were previously enabled.

Large POST data and Client SSL profile with EXPORT ciphers (CR67244)
In previous releases, the Client SSL profile did not transfer all POST data larger than 14336 bytes if you specified EXPORT ciphers in the Client SSL profile. Now, when you you specify EXPORT ciphers in the Client SSL profile, the system transfers all of the data.

CVE-2006-3747 HTTPD mod_rewrite module vulnerability (VU#395412) (CR67501)
Previous software versions shipped with the Apache mod_rewrite module, which contains an issue that a remote attacker might be able exploit to run arbitrary code in some circumstances. In previous versions, the mod_rewrite module was not configured or enabled, so the BIG-IP systems were not vulnerable to the attack. In this version, the module has been removed completely. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2006-3747 to the problem. For more information about the vulnerability, see CVE-2006-3747.

Connection reset and XML message processing (CR67747)
In earlier releases, a frequently resetting connection could cause the system to stop processing incoming XML messages. In this release, the system properly handles XML messages, even when connections reset frequently.

Incomplete connection and process halt (CR67748)
In earlier releases, when the system attempted to write to an incomplete connection, the process halted. Now, the system does not incorrectly write to an incomplete connection.

Max pending limit in Global Traffic Manager (CR67749)
In this release, Global Traffic Manager correctly enforces the maximum connections pending limit, so that no requests back up in the queue and cause the system to use too much memory.

Connection handling in Global Traffic Manager (CR67753)
In previous releases, a connection could get stuck in the unavailable state, which caused connection lock-ups in Global Traffic Manager. In this release, the connection does not get stuck in the unavailable state, so the connection lock-ups do not occur in Global Traffic Manager.

CVE-2006-3746 GnuPG local vulnerability (CR67834)
This release corrects a local vulnerability found in GnuPG. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2006-3746 to the problem. For more information about the vulnerability, see CVE-2006-3746.

Fast HTTP profile and packet sequence numbers (CR68526)
In this release, when the client issues an acknowledgement (ACK) for a packet sequence number that is greater than the sequence number of the finished and acknowledgment (FIN-ACK) packet, the system resets the connection as expected.

HTTP requests with leading return or line-feed characters (CR68832)
In this release, the HTTP filter correctly ignores return or line-feed characters preceding a new request, as specified in the HTTP RFC.

CVE-2005-2641 pam_ldap vulnerability (VU#778916) (CR68903)
This release corrects a vulnerability in the pam_ldap module. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2005-2641 to the problem. For more information about the vulnerability, see CVE-2005-2641.

Responses with loss of former client's request and acknowledgement (CR69272)
In previous releases, lost packets from client requests directed to a virtual server configured with a Fast HTTP profile resulted in responses being passed to the incorrect client. In this release, responses go to the correct client, regardless of packet loss.

SSL queue and memory and CPU cycle consumption (CR69478)
In previous releases, certain configurations, for example, specifying re-encryption data on an SSL connection, could cause data to be queued, which could result in excessive memory consumption and eventually excessive CPU cycle consumption. In this release, processing correctly prevents clients from consuming large amounts of memory and CPU cycles.

CVE-2006-4335, CVE-2006-4336, and CVE-2006-4337 gzip vulnerability (VU#381508, VU#554780, and VU#773548) (CR69560)
This release corrects vulnerabilities in the gzip program. The Common Vulnerabilities and Exposures (CVE) project assigned the IDs CVE-2006-4335, CVE-2006-4336, and CVE-2006-4337 to the problems. For more information about the vulnerabilities, see CVE-2006-4335, CVE-2006-4336, and CVE-2006-4337.

Pipelined HTTP request with congested client and shut-down server (CR69568)
Previously, the system sent a request after the client shut down, resulting in a system halt. Now, the system transitions from the shut-down state, so that after sending all packets from the client, the system sends a delayed shut-down request, and the connection halts correctly.

HTTP filter and headers containing leading tabs (CR69767)
Now, the system correctly handles a tab character following the colon that separates the header name and value, per RFC 2616. In addition, the system correctly trims the trailing whitespace in header names. In a prior release, the system did not forward the POST body in POST communications whose Content-Length header value was preceded by the Tab character, nor did the system correctly trim the trailing white space of header names.

CVE-2006-3738 and CVE-2006-4343 OpenSSL local vulnerabilities (VU#547300 and VU#386964) (CR69852)
This release corrects two local vulnerabilities in OpenSSL. The Common Vulnerabilities and Exposures (CVE) project assigned the IDs CVE-2006-3738 and CVE-2006-4343 to the problems. For more information about the vulnerabilities, see CVE-2006-3738 and CVE-2006-4343.

Server-side SSL session ID reuse percentage (CR70478)
This release contains performance improvements in the server-side SSL session ID reuse so that the SSL server cache percentage is higher.

Empty chunked HTTP response with headers (CR70761)
In previous releases, receiving a zero-length chunked HTTP response in the same packet as the response headers, a single empty xbuf is leaked. Over time, this could result in memory exhaustion in the TMM. Now, the system does not leak an empty xbuf.

Fast HTTP and out-of-order packet segments (CR70928)
Previously, out-of-sequence acknowledgements could result in monitors reporting incomplete requests. Now, the Fast HTTP profile operates correctly even if packets are acknowledged out of sequence.

Retransmission of packets by Fast HTTP profiles (CR71597)
In this release, the system ensures that Fast HTTP correctly sets the maximum segment size (MSS) on the server side of a connection.

HTTP request split across multiple packets and fast HTTP (CR72101)
In this release, HTTP headers that are split across multiple packets no longer cause the Traffic Management Microkernel (TMM) to restart when fast HTTP is enabled.

SSL profile modification and TMM halt (CR72320)
In previous releases, modifying an SSL profile while it was in use by active connections could cause the Traffic Management Microkernel (TMM) to halt unexpectedly. In this release, the system properly handles modifying an SSL profile while it is in use by active connections.

Fast HTTP SYN-ACK packets with new sequence numbers (CR72575)
Previously, if the connection entry in the synchronization (SYN) cookie cache was deleted due to overflow or timeout, the retransmitted synchronization and acknowledgment (SYN-ACK) packets carried a new sequence number. Now, all retransmitted SYN-ACK packets have the same sequence number as the first one.

Client access with no trusted certificate authorities (CR72799)
This release fixes the issue in which clients were denied access when SSL was configured to request client certificates, but there were no trusted certificate authorities (CAs) specified. Now, the system correctly allows self-signed certificates, and other unverifiable certificates, when using this configuration.

SSLv2 ciphers and iRules (CR72968)
The SSL filter determines which cipher suite is selected by checking for a cipher ID. Because SSLv2 does not support cipher IDs, an iRule attempting to get the SSLv2 cipher name could return random garbage, which could eventually cause Traffic Management Microkernel (TMM) to restart. Now, the system correctly identifies SSLv2 ciphers from cipher information provided by OpenSSL at handshake completion.

BIND 9.3.4 upgrade (CR73531)
This release contains the upgraded version 9.3.4 of BIND (Berkeley Internet Name Domain). This version contains resolutions to the vulnerabilities of previous versions of BIND.


eXtremeDB b-tree index corruption and MCP halt (CR74262)
In previous releases, index corruption within the eXtremeDB database could cause the Master Control Program (MCP) to halt unexpectedly. This issue has been corrected in this release.

Memory growth with repeated initialization calls (CR74557, CR74629)
In previous releases, memory growth occurred as a result of repeated initialization calls. Now, the system handles memory correctly during repeated initialization calls.

Outbound monitor packets and VLAN fail-safe (CR74652)
Outbound monitor packets no longer reset the VLAN timer, which prevented failover. Failover now occurs correctly.

Client ACK response to server reply to POST request and Fast HTTP (CR74825)
The system now accurately tracks the client-side sequence numbers when dealing with a PUT/POST body. Formerly, out-of-sequence sequence numbers caused the client to not respond to subsequent client packets, resulting eventually in a connection reset.

Unmonitored pool member status interpretation (CR76025)
Global Traffic Manager now interprets the status of Local Traffic Manager virtual servers correctly. Thus, unmonitored pool members associated with a Local Traffic Manager virtual server now result in available Global Traffic Manager virtual servers.

Network failover operation with long timeout (CR76122)
In earlier releases, if a long timeout was specified (20 seconds) and the peer system was not communicating, unit 2 alternated between active and standby states, holding each state for less than a minute. In this release, the system does not clear the network failover timeout count unless a valid response is received from the peer system.

Standby operation with long timeout (CR76191)
In earlier releases, if a long timeout was specified (20 seconds) and the peer system was not communicating, the active unit briefly became the standby unit before returning to the active state. In this release, the active unit remains active without toggling when its peer is stopped, or physically removed from the network.

ZoneRunner error in log file (CR76376)
After you install a hotfix, a zone that matches a Wide IP no longer generates an error in the Global Traffic Manager log file.

Empty xbuf with server-side HTTP::respond/redirect call (CR76613)
In previous releases, a server-side HTTP::respond/redirect call could leak an empty xbuf. Over time, this could result in memory exhaustion in the Traffic Management Microkernel (TMM). Now, the system does not leak an empty xbuf.

Midstream renegotiation and SSL session reference leak (CR76768)
This release no longer leaks an SSL session reference when the client attempts to locate a session for midstream renegotiation.

CVE-2007-2926 BIND ISC BIND 9.0 through 9.5.0a5 vulnerability (CR83397)
This releases fixes a flaw that was found in the way the Internet Systems Consortium, Inc. (ISC) Berkeley Internet Name Domain (BIND) software versions 9.0 through 9.5.0a5 generate outbound DNS query IDs. This vulnerability affects only BIND servers. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2007-2926 to the problem. For more information about the vulnerability, see CVE-2007-2926.

mod_jk2 module upgrade (CR83564)
This release fixes several stability issues in the mod_jk2 module the system uses.

[ Top ]

Fixes and enhancements in prior maintenance releases

The current release includes the fixes and enhancements that were distributed in prior maintenance releases, as listed below. (Prior releases are listed with the most recent first.)

Enhancements in version 9.1.2

Version 9.1.2 contained the following enhancements.

Added support for end-user diagnostics (EUD) (CR51185)
This release includes support for the end-user diagnostics (EUD). For more information, please refer to the technical note End-User Diagnostics: Field Testing Hardware.

Hotfix uninstall and versioning enhancements (CR56955 and CR57598)
This release includes enhancements to the hotfix process. For more information, please refer to the technical note SOL6845: Managing F5 Networks product hotfixes.

Changes in US and Canada Daylight Saving Time (CR58315)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

Certificate monitoring for expired or soon-to-be-expired certificates (CR59595)
The system now includes certificate monitoring to detect expired or soon-to-be expired certificates. Certificate status is now logged in /var/log/ltm, using the following format:

  • Certificate X in file Y expired on DATE
  • Certificate X in file Y will expire on DATE

This feature provides compatibility with BIG-IP 4.6 in this regard.

200-level part number added to output of platform show bigpipe command (CR61086)
When you use the bigpipe command, bigpipe platform show, the 200-level part number is included in the output.

Fixes in version 9.1.2

Version 9.1.2 contained the following fixes.

SSLv2 ciphers (CR50940)
The following ciphers now work in SSLv2:

  • DES-CBC3-MD5
  • EXP-RC4-MD5
  • RC2-CBC-MD5
  • RC4-64-MD5

Note that the ciphers DES-CBC-SHA and DES-CBC3-SHA are not supported by OpenSSL.

Multiple RADIUS authentication requests (CR53955)
When you are using external RADIUS authentication, the system no longer makes multiple authentication requests. This situation only applies to authentication through the Configuration utility.

Mirroring for cookie persistence (CR54086, CR54223)
We have removed the setting for enabling mirroring in a cookie persistence profile. You cannot mirror cookie persistence because cookie persistence maintains no state on the BIG-IP system.

Query for status of virtual servers (CR54302)
The Configuration utility can now successfully query for the status of virtual servers when the system has been running for a long period of time.

Cookie persistence settings (CR54411)
We have removed the settings Match Across Services, Match Across Pools, and Match Across Virtual Servers in a cookie persistence profile. These settings are not applicable for cookie persistence.

Excessive PVA log messages (CR54798)
We have revised the Packet Velocity® ASIC (PVA) daemon (pvad) service to eliminate excessive log messages when you have a large number of VLANs configured.

Hotfix installation (CR55099)
We have enhanced the installation manager (IM) script so that installing hotfixes out of order no longer requires you to reimage the BIG-IP system.

Installation of large hotfixes (CR55153)
For a D51 platform, there is now sufficient space on the BIG-IP system to install large hotfixes.

Extraneous error messages (CR55198)
You no longer see false error messages when performing an installation with a PXE server.

Selection of last hop gateway (CR55748, CR56001)
The system now reselects the last hop gateway correctly when a pool member is unavailable.

ICMP packet handling and memory leak (CR56002)
We have fixed an ICMP packet leak on systems running Packet Velocity® ASIC (PVA) chips.

Timestamps on log messages (CR56011)
The BIG-IP system now timestamps log messages sent to the file /var/log/tmm. This helps to correlate log messages with those sent to /var/log/ltm.

Media type options list (CR56018)
Typing the command bigpipe interface <interface_name> media show now displays the correct media type options.

bcm56xxd service after a BIG-IP system upgrade (CR56148)
We have modified the BIG-IP system so that, after you upgrade from a previous version on a D44 platform, the BIG-IP system only displays relevant error messages about the bcm56xxd service.

Mirrored connections and TMM service (CR56221)
With mirrored connections, the Traffic Management Microkernel (TMM) service remains available even when the send queue contains insufficient data.

Connection mirroring with firewall sandwich (CR56232)
With a firewall sandwich configuration, connection mirroring now works properly.

SSL crash during out-of-memory conditions (CR56278)
We have fixed an SSL crash during out-of-memory conditions.

VLAN group Bridge in Standby setting (CR56372)
The VLAN group configuration setting Bridge in Standby now works properly. When enabled, this setting ensures that the VLAN group can forward packets when the system is the standby unit of a redundant system. Note that this setting applies to non-IP and non-ARP frames only, such as Bridge Protocol Data Units (BPDUs).

Maximum number of records in persistence table (CR56374)
The maximum number of destination address affinity persistence records that the BIG-IP system allows in the persistence table now equals the value specified in the Maximum Entries setting of the Configuration utility. You can find this setting by expanding System on the navigation pane and clicking General Properties.

FastHTTP profile connection leak (CR56386)
We have fixed a connection leak in the FastHTTP profile.

HTTP processing and cookie persistence (CR56391)
If you are using cookie persistence and you disable HTTP processing (using the iRule command HTTP::disable), the Traffic Management Microkernel (TMM) service remains available.

ECV monitor behavior (CR56470)
Extended Content Verification (ECV) monitors now mark nodes up or down correctly.

LDAP monitor and LDAP referrals (CR56493)
LDAP monitors no longer consider references as returned messages with attributes.

nPath health monitors (CR56572)
In an nPath configuration, the system now forwards health monitor traffic to a pool member as expected, instead of to the virtual server load balancing the traffic.

Mcpd client event handling (CR56610)
We have fixed a library that made several daemons on the system susceptible to uncontrolled looping if they were disconnected from the mcpd.

Spanning tree protocol (STP) port blockage (CR56671)
Setting the interface media speed and type using the bigpipe interface command no longer blocks STP ports.

Pipelined requests and OneConnect (CR56685)
When a virtual server with OneConnect enabled receives a pipelined HTTP request containing the POST method, the Traffic Management Microkernel (TMM) service now remains available.

iControl: values and eventd (CR56710)
We have corrected a problem that caused certain iControl values to destabilize eventd or generate incorrect values. Serialization of certain data and pointer types no longer causes the eventd process to halt.

tm_daemon memory leak (CR56750)
We have fixed a memory leak in the tm_daemon.

Disabled monitor instances in configuration data (CR56868)
When you use the bigpipe save and bigpipe load commands, the BIG-IP system now saves a disabled monitor instance in the configuration data. F5 recommends, however, that you refrain from permanently disabling a monitor instance.

SNMP_DCA performance monitor (CR56879)
When an SNMP_DCA monitor returns a value of 0% for CPU usage, the system calculates the dynamic ratio weights correctly.

iRule session lookup command (CR56940)
When you create an iRule using the command session lookup ssl, the Traffic Management Microkernel (TMM) service now remains available.

Statistics for PVA connections (CR56942)
The bigpipe global stats show command now shows the total connection statistics for hardware-assisted Packet Velocity® ASIC (PVA) connections.

Installation and hotfixes (CR56950)
During installation, the BIG-IP system issues a warning about hotfixes on the system that do not correlate with the new release.

State mirroring and management interface (CR56968)
You cannot set MGMT interface addresses for these bigdb configuration keys: StateMirror.Ipaddr, StateMirror.PeerIpaddr, StateMirror.Secondary.Ipaddr, and StateMirror.Secondary.PeerIpaddr.

MSSQL/ORACLE monitors without send parameter marked nodes as down (CR57047)
If you configured a monitor without specifying an SQL statement that the monitor passed to the server, the functionality of the MSSQL monitor changed to correct an unintended behavior. In normal operation the monitor:

  • Authenticates only once
  • Utilizes a single long-lived connection to pass SQL parameters to ascertain the integrity of the database
  • Checks the database socket connection on each monitor interval to determine if the database is still listening for new connections; however this socket check does not pass any SQL parameters

The unintended behavior in previous releases was, without a send parameter, to close the connection every time. As a result, some servers never completed the connection before the monitor’s interval timed out, at which point the monitor marked the resource as down. With this release, the monitor no longer closes connections once obtained.

BIG-IP redundant system could fail to activate during time changes (CR57138)
Previously, conditions could exist where a redundant system would fail to activate due to a time change, such as moving from Daylight Saving Time to Standard Time. These systems now activate correctly under these circumstances.

Network Failover could occur too quickly (CR57155)
Situations could occur in which a redundant system configured to use network failover for high availability would have the secondary system become active too soon. Secondary systems in this configuration now wait until a timeout value is reached before becoming active.

Connection closed due to early server response (CR57199)
We have improved the handling of data transmissions between the BIG-IP system and its backend HTTP servers if the network is congested.

Local Traffic Manager virtual servers and Global Traffic Manager (CR57217)
big3d no longer marks down a virtual server that references an iRule but no default pool.

Authentication timeout value now set to 86400 seconds (24 hours) (CR57220)
Authentication cookies in previous versions timed out after 60 seconds. We have changed this value to 86400 seconds (24 hours).

b route mtu command works correctly (CR57243)
In previous versions, the b route mtu command did not perform as expected. This issue has been resolved for this release.

NULL values in SSL session ID do not affect iRules (CR57247)
The system no longer truncates an SSL session ID containing a null value when an iRule references it.

SIP monitor now accepts angle brackets when receiving data (CR57264)
Previously, the SIP monitor did not allow for angle brackets (< >) when receiving data. The monitor now accepts these characters.

serverssl does not leak SSL session when server session ID does not match (CR57374)
We have fixed a memory leak that occurred in situations where the server session ID did not match.

hud_msg_queue full crash resolved (CR57429)
We have fixed a crash which occurred when the system cleaned out expired entries in a connection table.

Selective ACK enabled on the TCP profile (CR57535)
We have corrected a rare condition where enabling Selective ACK on the TCP profile could cause the Traffic Management Microkernel (TMM) to loop until it receives a SIGABRT from the sod daemon.

Exa prefix is now correctly written as "E" (CR57599)
The bigpipe utility correctly displays exabytes.

IP multicast packets received in a VLAN group now copied to host (CR57712)
The system delivers dynamic routing messages (that is, OSPF) that use multicast when you use VLAN groups.

iRule domain command no longer truncates (CR57722)
The domain command in an iRule does not truncate the last character in the domain name.

ARP entries now use the database variable, arp.timeout. (CR57723)
Previously, ARP entries used a hard timeout of 120 seconds. These entries now use the value assigned to the database variable, arp.timeout.

SIP monitor now accepts different return values (CR57826)
In previous versions, the SIP monitor required that the SIP server return data in the same format sent by the monitor. This is not always the case. In this version, the SIP monitor now accepts different values. For example f: instead of From:.

Pool members validated correctly (CR57832)
In earlier versions the BIG-IP system would not validate certain pool members because a table was incorrect. The system now validates pool members correctly.

Linux handling interrupted BIG-IP system (CR57883)
If the system runs on a dual-processor system, host ISR (interrupt service routines) no longer increase latency of traffic management operations.

SNMP entries removed during configsync (CR57923)
Previously, deleted SNMP entries were not synchronized during a configsync operation, which caused errors on adding new SNMP entries. The system now removes SNMP entries correctly.

LACP diagnostics and TMM (CR57932)
In the event that the Link Aggregation Control Protocol (LACP) process panics, the system writes a stack trace to /var/log/tmm directory.

LACP diagnostics bcm56xxd (CR57951)
To help diagnose switchboard fail-safe issues, bcm56xxd can log statistics each time it exists. To enable the diagnostics, set the db variable log.bcm56xxd.debugmask to 1.

Characters + and ! in profile cipher no longer prevent profile updates (CR58016)
In earlier versions, the plus ( + ) and ( ! ) characters in a profile cipher prevented you from updating any child profiles unless you specified the cipher string. These characters no longer affect profile ciphers.

System supports matchclass iRule when source IP address is (CR58079)
In previous versions, iRules using the matchclass command could cause a system crash if the source IP address was This IP address no longer affects iRules using the matchclass command.

Access to classes/datagroups through Tcl list now available (CR58080)
In earlier versions, accessing a class or datagroup as a Tcl list would not work correctly. In this release, you can access classes or datagroups through a Tcl list.

FastL4 flow removed if checksum error occurs (CR58090)
If the first packet of a FastL4 fails, the system now removes the FastL4 flow. Previously, this flow was left for later removal, which could cause performance issues.

HTTP filter forwards body OPTIONS method (CR58142)
Previously, data sent with the OPTIONS method to a virtual server using an HTTP profile would result in the headers, but not the body of the message, being received. The body of the message is now sent correctly to the virtual server.

Install succeeds on unrecognized partition schemes (CR58168)
In previous versions, you could not install the software when the installer failed to recognize a partition scheme. The installer can now proceed even if it does not recognize the partition schemes of the system.

Switchboard fail-safe default timeout now 30 seconds (CR58174)
Previously, the switchboard fail-safe default timeout was 10 seconds. With this release, the value of this timeout is now 30 seconds.

Deleting management route from system now also removes it from operating system (CR58208)
In earlier versions, when you deleted a management route, the route persisted in the Linux system. In this version, when you delete the management route, the route is also removed from the Linux operating system.

Boot image order no longer stops installation (CR58213)
In previous releases, the boot image order could impact the success of an installation. In this release, the boot image order has no impact during local installations.

Performance issues resolved when virtual servers share same pool (CR58220)
Previously, combinations of virtual servers and pools could impact system performance. These combinations no longer affect the system.

FastL4 mirroring successful even when connection update fails (CR58299)
In earlier releases, mirroring on fastL4 flows would fail due to failure of connection updates. Mirroring now operates successfully in this scenario.

Zero-length MRH no longer causes performance degradation (CR58366)
Previously, bad hardware or other related issues could result in a zero-length MRH and would cause the system to perform slowly. This issue no longer impacts performance.

SOAP Monitor sends correct host tag (CR58422)
In previous versions, the SOAP Monitor included an incorrect host tag. The monitor now sends the correct tag.

Database timeout upgrade no longer requires manually running upgradedb utility (CR58465)
Previously, upgrading the database to include an improved timeout value (see CR58174) required manually running the upgradedb utility. With this release, the upgrade occurs automatically.

Persistent connections no longer impact performance (CR58486)
With this release, persistent connections no longer have as much of an impact on performance as with previous releases.

Interface statistics now reported (CR58489)
Starting with release 9.1.2, the system reports interface statistics.

GigCu media type correctly displayed as 1000BaseT (CR58528 and CR59158)
In earlier versions, the GigCu media type was incorrectly displayed as 1000BaseTX. The user interface now correctly displays this media type as 1000BaseT.

Maximum Header Size value calculated correctly (CR58529)
Previously, the Max Header Size value included the body of the packet in addition to the header. The system now calculates this value with just the contents of the header.

Small packet transmissions performance improvement (CR58541)
With this release, the system handles communications involving large numbers of small packets more efficiently. Previously, these types of communications could reduce the performance of the network interface card.

Fail-safe occurs within seconds (CR58614)
Previously, failover events could take several minutes, depending on network configuration. With this release, fail-safe events now occur within seconds.

BIG-IP system independent of syslog service (CR58627)
In earlier versions, certain BIG-IP functions required the syslog service to be operational. These functions are now independent from the syslog service.

Verbose log messages (CR58728)
For configurations with several network virtual servers, the log messages that the Packet Velocity® ASIC (PVA) daemon (pvad) service displays are no longer verbose.

Excessive memory allocation during failover (CR58756)
When failover occurs with a high number of concurrent connections, the system does not allocate excessive memory.

HTTP headers containing \r characters (CR58773)
The BIG-IP system now processes correctly any HTTP headers that contain multiple \r characters.

iControl SOAP interface memory utilization with enums (CR58794)
Retrieving node statistics through the iControl SOAP interface consumes significantly less memory.

iControl set_timeout method (CR58826)
Using a set_timeout within iControl for a persistence profile now works correctly.

SNAT traffic within VLAN group (CR58849)
For a forwarding virtual server with the IP Protocol attribute set to any, a VLAN within a VLAN group can now forward ICMP and UDP traffic to another VLAN in the group, when a SNAT is enabled on that traffic.

Remote LDAP authentication (CR58869)
A remote LDAP authentication server now successfully authenticates a user if the user makes a second attempt to type the user name correctly.

Upgrade with UCS and snmpd.conf (CR58897)
Upgrading no longer recreates the SNMP community public if it does not exist in the User Configuration Set (UCS) file that you roll forward.

Connection mirroring on redundant systems (CR58921)
Mirroring large numbers of Layer 4 connections mirrored to the peer unit no longer adversely affects connection mirroring.

Deleted SNMP v1 access records and UCS files (CR58930)
For SNMP v1, when you delete an access record such as community 1, create a User Configuration Set (UCS) archive, and roll it forward during an upgrade, the system no longer adds the deleted access record back into the configuration.

Connection mirroring on hard-wired failover (CR58975)
Connection mirroring now operates successfully under certain conditions such as when you have hard-wired failover and you unplug the failover cable. Previously, the system did not always handle hard-wired failover events correctly.

SSL connections using non-accelerated SSL (CR58976)
The Traffic Management Microkernel (TMM) service no longer becomes unavailable due to an SSL application sending data on an SSL connection that is using non-accelerated SSL.

Deletion of tech.out file with qkview (CR59004)
When using the browser utility, qkview, you can now delete a tech.out file.

Unhandled ICMP packets (CR59009)
We have fixed a memory leak that occurred when the Packet Velocity® ASIC (PVA) listener did not handle Internet Control Message Protocol (ICMP) packets.

Redirection of HTTP traffic (CR59067)
The BIG-IP system now correctly closes a connection after redirecting HTTP traffic to a fallback host.

Persistence and node availability (CR59068)
When a node is unavailable, the BIG-IP system correctly persists records across services.

iRules referenced by authentication profiles (CR59092)
When you update an iRule that is referenced by an authentication profile, the change takes effect even if you have not updated the profile referencing the iRule.

SYN flooding with a mirrored virtual server (CR59126)
We have fixed a crash that occurred when a SYN flood occurred against a mirrored virtual server.

Connection mirroring and the TMM service (CR59138)
Connection mirroring on a redundant system no longer causes the Traffic Management Microkernel (TMM) service to become unavailable when the mirroring software uses a freed flow.

ARP timeout function (CR59151)
The ARP timeout feature now works properly, thereby preventing monitors from failing due to incomplete ARP tables with higher expirations than the default timeout value of 300 seconds.

Changing of serial baud rate (CR59156)
The SCCP firmware now supports a method for changing the serial baud rate.

TMM service after failover (CR59160)
The Traffic Management Microkernel (TMM) service no longer becomes unavailable after failover, when you have a mirrored virtual server referencing a Fast L4 profile, with the Packet Velocity® ASIC (PVA) set to Assisted mode.

NextUpdate field in CRLs (CR59173)
The BIG-IP system no longer becomes unavailable when the NextUpdate file within a certificate revocation list (CRL) is empty.

Connection closing from PVA (CR59202)
The BIG-IP system now ignores connection closing from the Packet Velocity® ASIC (PVA) only if the connection is mirrored and inactive.

LCD screen and serial baud rate (CR59203)
You can now use the LCD screen to successfully change the serial baud rate.

Authenticate setting of SSL profile (CR59264)
The Authenticate Once and Authenticate Always settings of an SSL profile now work as expected.

SNMP_DCA_Base monitor and node weight (CR59278)
The SNMP_DCA_Base monitor now sets the node weight correctly.

SNMP OID and platform ID (CR59325)
The SNMP OID . now returns an OID that points to a platform ID.

Default bigdb key values and UCS files (CR59329)
If you change the value of one or more bigdb configuration keys and then install a User Configuration Set (UCS) file that contains default key values, the BIG-IP system does not reset the keys to those default values.

SSL certificates and Configuration utility (CR59440)
The Configuration utility now remains available after you use the SSL Certificate screen to import an SSL certificate.

eXtreme DB out-of-memory handling (CR59485)
When the eXtremeDBTM database produces an out-of-memory error, the BIG-IP system now provides more useful information to diagnose the cause of the error.

X509::serial_number command (CR59501)
The response that the iRule command X509::serial_number generates no longer contains an extraneous NULL byte.

Disk space in /var partition (CR59540)
For CF-only devices only, the space in the /var partition no longer fills to 100% when diskmonitor is running and rotating the log files.

Connections sent to disabled pool members (CR59547)
A virtual server no longer sends new connections to a disabled pool member.

Connections sent to disabled nodes (CR59548)
A virtual server no longer sends new connections to a disabled node.

pvad service availability (CR59589)
The Packet Velocity® ASIC (PVA) daemon (pvad) service remains available when a VLAN fail-safe action occurs.

Demotion of PVA mode (CR59616)
When a virtual server referencing a Fast L4 profile shares a pool with a Layer 7 virtual server, the BIG-IP system now demotes the Packet Velocity® ASIC (PVA) mode to Assisted instead of None.

bigpipe profile clientssl command (CR59646)
The command bigpipe profile clientssl <profile_name> defaults from clientssl renegotiate size <size> now works properly.

Core file removal (CR59713)
The clean_core mechanism in the BIG-IP system no longer removes core files automatically. This allows you to remove or retain the core files at will.

12v power supply labeled correctly (CR59752)
The voltage for the 12v power supply incorrectly stated the voltage at 4.87v. The power supply now has the correct label of 12v.

Hardware report easier to read (CR59792)
The hardware report includes carriage returns to make the output of the report easier to read.

Number of hard resets required reduced (CR59804)
Several situations in which hard resets were required have now been modified so that they only require software resets.

Memory leak in mcpd resolved (CR59899)
In previous versions, a memory leak existed in the mcpd. We have removed this leak.

bigpipe displays connection counts filtered by server IP address (CR60044)
Previously, bigpipe did not display connection counts when filtered by the IP address of the server. In this release, the system displays connection counts correctly.

Misleading add mgmt rule failure messages removed (CR60087)
In earlier versions, failure messages regarding the add mgmt rule would occur when the issue did not relate to it. These messages no longer display in this release.

Persistence across services when node is down (CR60115)
The persistence record for the downed node is now correctly removed from the persistence iRule.

Port mirroring option renamed Interface mirroring in license file (CR60308)
The port mirroring option was previously renamed Interface Mirroring; however, this name change did not appear in the license file. In this version, the new name appears both in the user interface and the license file.

Requests on persisted connections no longer cause RAM cache issues (CR60441)
In previous releases, requests on a persisted connection to a congested client could cause the RAM cache to crash. In this release, this situation no longer results in a RAM cache crash.

Audio and video compression statistics no longer show negative percentages (CR60444)
If you have data that is already compressed, and attempt to compress it again, the file size actually grows, because of the added header data related to the compression mechanism. This results in audio and video compression statistics moving to the negative. This issue is resolved by not compressing already-compressed data.

TMM path MTU enforcement (CR60456)
The bigdb variable, TM.EnforcePathMTU (enable|disable) allows the user to configure the Traffic Management Microkernel's (TMM) desired behavior. By default this database variable is enabled and TMM enforces the path Maximum Transfer Unit (MTU) on behalf of other devices.

Fast HTTP keeps current connection even if connection pool needs replenishing (CR60457)
Previously, the Fast HTTP profile dropped its current connection if the profile needed to replenish the connection pool. With this release, the profile keeps the connection.

GNUPG vulnerabilities resolved (CR60644)
We have removed certain security vulnerabilities in GNUPG in this release.

Initscripts vulnerability removed (CR60654)
The system now handles initscripts in a way that removes a security vulnerability from the system.

/var/log/daemon.log now rotates correctly (CR60712)
In earlier releases, the daemon.log file would not rotate as expected. This log file now rotates when necessary.

PVA daemon detects lockup and resets chip (CR60725)
In a previous release, the Packet Velocity® ASIC (PVA) daemon (pvad) could suspend operations when the LBDB locked up. In this release, the PVAD now detects the lockup and resets itself to resume operations.

bigpipe profile commands now operational (CR60739)
Previously, the following bigpipe commands did not function correctly: bp profile http ramcache max, bp profile ht tp ramcache dump, and bp profile http ramcache reset. These commands now perform as expected.

Cavium device no longer fails after card initialization (CR60832)
In earlier versions, the cavium device could fail after card initialization. In this release, these failures do not occur.

Persist timeout now configurable in dest addr profile (CR60834)
In previous releases, you could not set the persist timeout option in the dest addr profile. This issue has been resolved with this release.

Persist Timeout option now available in dest addr profile (CR60835)
In previous versions, the Persist Timeout option was not available in the dest addr profile. This option is now available.

File descriptor leak fixed for listeners (CR60916)
Previously, instances of tcpdump command would cause the chmand mechanism to leak file descriptors. When the limit for file descriptors was reached, the command ceased to function. We have removed this leak.

SSL monitor no longer sends inappropriate resets (CR61016)
The SSL monitor only send resets when instructed to do so.

System no longer crashes with client-connflow. (CR61055)
We have fixed a crash that occurred with client-connflow.

System would hang due to PVA2 (CR61225 and CR62636)
We have fixed a system hang that occurred with Packet Velocity® ASIC (PVA) version 2 (PVA2).

Connections no longer stall with large HTTP POST headers (CR61237)
In previous releases, HTTP POST headers greater than 16K would stall connections. The size of HTTP POST headers no longer affects connections.

Auth session timeout no longer shuts down connection (CR61320)
Previously, an auth session (SSL-based) timeout would shut down a connection after 300 seconds. With this release, these timeouts do not end the connection.

PVA2 does not demote virtual servers (CR61452)
In earlier releases, the Packet Velocity® ASIC (PVA) version 2 (PVA2) could demote a virtual server using round robin load balancing from FULL to ASSIST. With this release, the PVA2 cannot demote a virtual server in this situation.

RADIUS monitor now accept long passwords (CR61698)
In previous releases, the RADIUS monitor was restricted to passwords less than 20 characters in length. In this release, the monitor can accept password up to 128 characters in length.

Data Channel timeout now configurable (CR61702)
Previously, the value for the data channel timeout was 300 seconds and non-configurable. With this release, the value is user-configurable. Specifically, the timeout value is inherited from the TCP profile.

Removing power from 3400 does not affect system (CR61824)
Previously, if you removed the power cord from the 3400, it would stall at the LCD screen requesting user interaction. With this release, the system does not stall, and allows you to continue configuration changes.

302 redirect does not impact connection synchronization (CR61845)
In earlier releases, a 302 redirect for a POST request could cause data communications to go out of synch on a congested server. 302 redirects do not cause communication to go out of synch with this release.

System timer now more robust (CR61982)
Previously, a timer in the system could become corrupted and cause poor system performance. With this release, the timer is more robust and more resilient to these errors.

Full reboot command now implemented. (CR62068)
In previous versions, there were limited ways in which you could perform a full and complete system reboot. This release introduces the full reboot command, which allows you to reboot the system more efficiently.

OneConnect POST command with large headers now handled correctly (CR62211)
Previously, the system did not correctly handle OneConnect POST commands with headers above 16 kb. This release handles large headers correctly, eliminating this issue.

Accuracy for calculating CPU idle time improved (CR62281)
The algorithm used to calculate CPU idle-time was enhanced in 9.1.2 for better accuracy. As a result, some operations, such as SSL, may report a different CPU idle-time than with 9.1.1.

Additional HTTP status codes now supported (CR62431)
Previously, the number of status codes supported in the HTTP::response iRule command were limited to error code 500 and 501. This command can now accept any HTTP status code.

Software compression no longer fails with small gzip window size (CR62544)
In earlier versions, a small gzip window size could cause an error during software compression. The gzip window size does not cause this error in this release.

SSL peer certificate result code now set (CR62649)
In earlier versions, the system did not always set the SSL peer certificate code in verification. This issue is resolved with this release.

SSL session cache timeout user-configurable. (CR62761)
In previous releases, the SSL session cache timeout was pre-configured to 300 seconds. In this release, you can configure the SSL session cache timeout as needed.

Network failover wait time increased (CR62976)
Previously, a network failover could occur faster than the systems involved could handle. We have increased the network failover wait time to ensure that systems can handle failover events reliably.

Improved installer feedback and fault tolerance (CR64693)
BIG-IP installer now warns the user that file system integrity check failed and notifies the user to reboot the system, triggering a file system check, before attempting the installation again. The installation process now holds a copy of the upgrade packages in system memory prior to writing them to disk, ensuring the upgrade packages’ integrity is not compromised by a questionable file system.

[ Top ]

Enhancements in version 9.1.1

Version 9.1.1 contained the following enhancements.

Added support for Enterprise Manager (CR51185)
This release includes support for the Enterprise Manager product. For more information, please refer to the Enterprise Manager release note.

Added support for MD5-authenticated TCP (RFC2385) for the BGP routing module (CR49972)
The BGP routing module now supports MD5-authenticated TCP as described in RFC2385.

The SNMPClient utility
The SNMPClient utility is a command-line interface to manage SNMP v1 and v2c access records, as well as trap definitions. This utility does not handle SNMP v3 Access records.


--community <comm_string> --source <ipaddress> --iptype <ipv4 | ipv6>

--readtype <ro | rw> --oid <oid_string>
--community <comm_string> --destination <ipaddress>
--port <port> --version <v1 | v2c>

[--verbose] [--help]



Deletes the specified trap or access record

When the --access switch is specified, the following options are valid:

  • community
    Specifies the community string (password) for access to the MIB
  • source
    Specifies the source address for access to the MIB
  • iptype
    Indicates whether the access record applies to IPv4/IPv6 (that is, options are either "ipv4" or "ipv6")
  • readtype
    Specifies the user access level to the MIB, that is, options are either "ro" or "rw"
  • oid
    Specifies the current object identifier (OID) for the record

When the --trap switch is specified, the following options are valid:

  • community
    Specifies the community name for the trap destination
  • destination
    Specifies the address for the trap destination
  • port
    Specifies the port for the trap destination
  • version
    Specifies to which SNMP version the trap destination applies, for example, options are either "v1"or "v2c"
  • verbose
    Prints out extra messages -- debug mode
  • help
    Prints out this message

ConfigSync password automatically updated (CR54246)
When you use the passwd command to change a password, the system checks to see if the user is also a ConfigSync user. If so, the system automatically changes the ConfigSync password.

SSL: added support for NULL ciphers (CR51185)
This release includes support for the NULL-MD5 and NULL-SHA ciphers in OpenSSL.

Host name inclusion in F5 Enterprise SNMP traps (CR47226)
F5 Enterprise traps can now include the host name of the trap source.

The bigdb variable TM.TCPAckOnPush and the delayed ACK (CR49975)
The bigdb variable TM.TCPAckOnPush forces the delayed ACK feature to immediately ACK upon receiving a PUSH from the client/server. The default setting for this variable is disable. To enable this variable, type the following command:

b db TM.TCPAckOnPush enable

Fixes in version 9.1.1

Version 9.1.1 contained the following fixes.

Configuration utility: logs display one hour off (CR39674)
We have corrected a problem that caused timestamps in the Configuration utility to be off by one hour during daylight saving months.

Updates to SSL certificate files (CR40677)
If changes are made to an SSL certificate file that is referenced by a Client SSL or Server SSL profile, the BIG-IP system automatically re-loads the changes. Consequently, you no longer need to use the bigstart restart command for the changes to take effect.

Prompting of administrative passwords (CR44290)
The Configuration utility now prompts the user for the correct password after the password has been changed.

L2 forwarding/proxy ARP and original Ethernet frame source address (CR45910)
When in transparent mode, the L2 source addresses of ARP replies are now preserved so that Proxy ARP can use them across a non-opaque VLAN group. This provides the ability to support cases where the Layer 2 source address and the Layer 3 sender hardware address differ, for example, if you are using HSRP/VRRP.

Inheritance of default values for child monitors (CR46195)
A child monitor now inherits the correct set of default values from its parent monitor.

Monitor storage when using the Configuration utility (CR46468)
When you use the Configuration utility to create monitors, the system no longer produces an error resulting from the order in which child monitors are stored compared to their parent monitors.

HTTP: 304 responses that have content (CR47663)
If the server sends content back for responses such as 304 which is not supposed to contain a response, the system now forwards the response as it was received. This allows Sharepoint and NTLM challenge responses to complete.

Using hex in TCP::respond (CR47740)
The TCP::respond command now works with arguments constructed with a binary format.

SSL: SSLv3 and certificate verification (CR47778)
SSLv3 acceleration now works correctly with certificate verification.

Values for the profile persist timeout (CR47893)
The various values for timeouts in a profile persist configuration now function correctly.

Memory leaks in IPv6 neighbor cache (CR48407)
Various memory leaks in the IPv6 neighbor cache's error handling code were corrected.

tcpdump and long VLAN names (CR48659)
VLAN names longer than 15 characters no longer cause improper operation of tcpdump.

PAM module arguments containing spaces or square brackets and escape characters (CR48668)
PAM module arguments containing spaces or square brackets no longer require escape characters.

Response time for multiple and simultaneous SNMP queries (CR48760)
To avoid excessive delay when making simultaneous and identical SNMP queries, you can now configure the number of SNMP objects to be cached in the bignsmpd service. To configure this number, add the following line into the file/config/snmp/subagents.conf:

cacheObj #obj

The default value for #obj is 4.

Monitors: Performance monitors and dynamic ratios (CR48785)
Monitors updating dynamic ratios no longer trigger a configsync recommendation. Synchronizing configuration data in this case is not necessary.

Rate class and system stability (CR48796)
We have corrected a problem where using a rate class could cause system instability.

L7 connection mirroring when a window update is dropped (CR48844)
Layer 7 connection mirroring now functions correctly if a window update is dropped.

big3d stability (CR48889)
We have corrected a problem that caused instability in the big3d.

TMM: HA proxy sending down HUDCTL_TEARDOWN on an established flow (CR49193)
We have corrected several crashing issues in the Traffic Management Microkernel (TMM) HA subsystem.

Virtual server status (CR49297)
The status page for an IP forwarding wildcard virtual server now reports status correctly.

Active/standby systems going into the active-active state (CR49401)
Active/standby systems no longer go unintentionally into the active-active state when you remove the medium you are using for failover (wired or network).

Big3d: working with early 4.x 3-DNS systems (CR49431)
The big3d now handles translated addresses and ports correctly when communicating with early 4.x 3-DNS systems.

iRules: UDP traffic with drop and reject commands (CR49442)
UDP traffic is now handled correctly by iRules using the drop and reject commands.

Special characters within user names and passwords (CR49471)
The system now supports the use of special characters within the ConfigSync user name and passwords. The supported characters are:


The unsupported characters are:

` '

Certificate chain verification in SSL profiles (CR49528)
An error no longer exists in the certificate-chain verification routine for certain ciphers.

OpenSSL rehandshakes and updating of current cipher status (CR49762)
OpenSSL rehandshakes now update the current cipher status.

L2 forwarding packet flows (CR49812)
We have corrected a problem where L2 forwarding could forward traffic to inactive flows.

ARP and NDP errors and established connections (CR49537)
ARP and NDP errors no longer terminate established connections.

OneConnect transformation error with Proxy-Connection (CR49881)
Due to correction of a OneConnect transformation header error, valid HTTP requests made through a proxy connection are no longer blocked.

Big3d: pool validation (CR49971)
big3d queries to a virtual server now respond correctly if the virtual server references a rule.

OneConnect: Detaching connections for early post responses (CR50025)
The server-side connection no longer detaches if the system gets a response from the server but has not received all of the client data.

SSL: using server gated cryptography (SGC) (CR50051)
Server-gated cryptography (SGC) or step-up certificates require that the client initially handshake a weak cipher and then renegotiate with a stronger cipher later in the connection. This requires changing the current cipher in the middle of a connection. The system now supports changing the cipher in the middle of the connection.

Managing a system when a NAT is configured with the management IP address (CR50081)
You can now manage the system through a NAT with the same IP address as the management interface.

State of LACP-enabled trunks (CR50206)
LACP-enabled trunks no longer change state after you run the tcpdump utility.

CVE-2005-2177 NET-SNMP: a denial of service vulnerability when stream sockets have configured (CR50228)
We've fixed a remote denial-of-service for SNMP over stream sockets. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2005-2177 to the problem. For more information about the vulnerability, see CVE-2005-2177.

Autonegotiation with Extreme Summit 48si (CR50361)
We have corrected a problem where under some circumstances (mainly power-up) 1500, 3400, 6400, and 6800 platforms failed to properly autonegotiate with an Extreme Summit 48si switch.

SSL: Graphing and record processing (CR50414)
We have corrected a problem that could cause a graph spin error detected message to display under high traffic load.

TMM: connection mirroring and instability on standby system (CR50435)
We have corrected a problem that caused the standby system to become unstable if you changed a profile to the FastL4 profile while passing traffic.

LACP: switchboard fail-safe with heavy management traffic (CR50550)
Heavy management traffic no longer triggers the switchboard fail-safe mechanism.

IPv6: neighbor advertisements through the tap (CR50636)
False IPv6 neighbor advertisements are no longer passed through the tap.

Hardware acceleration: accelerating and MAC MASQ (CR50716)
Hardware acceleration now works correctly with MAC masquerading.

RAMcache: cookie handling (CR50770)
The RAMcache now handles cookies correctly.

fastHTTP: HTTP rule from CLIENT_ACCEPTED context may cause system instability (CR50798)
We have corrected a problem where an HTTP rule using the CLIENT_ACCEPTED command could cause the system to become unstable.

Platform interfaces data and the platform ID (CR50978)
Resolves a race condition when MCPd is reading platform interfaces data and prematurely receives an end_platform_id message on a separate TCP connection.

SSL: failed server-side certificate could cause system instability (CR50996)
SSL now gracefully handles the situation where the ciphers are compatible, peer cert mode is set, and unclean shutdown is disabled and a certificate fails on the server side.

SNMP: malformed SNMP polling and logging (CR51048)
We have corrected a problem where a malformed SNMP polling request could cause system instability. Rejected SNMP requests are now logged as debug messages to reduce logging volume.

VLAN fail-safe and memory (CR51065)
We have corrected a problem that could cause a lack of memory resulting in system instability.

SSL client certificate LDAP and long query filter strings (CR51120)
The SSL client certificate LDAP feature no longer truncates long query filter strings.

Big3d: with ECVs (CR51130)
ECVs now work correctly with big3d.

iRules: contains and matching characters (CR51314)
We have corrected a problem with the contains command where a rule would not match a substring when the first character of the substring occurred twice in succession and the end of the substring was the end of the string. For example, if you were searching for new in asdnnew.

MAC masquerade and the standby system (CR51387)
We have corrected a problem where the standby unit was continuing to respond to flows that it created when active, and was continuing to use the MAC masquerade address. This was confusing the upstream switch and causing new traffic to go to the standby unit instead.

SNMP: clients and recalculation of generic status (CR51391)
The system no longer calculates the generic status for node addresses, pool members, pools, virtual addresses, and virtual servers. This reduces overhead on the network.

Sending FastHTTP connections to unresponsive hosts (CR51451)
When using a Fast HTTP profile, connections now time out when sent to a unresponsive host.

Configuration utility: correct display of time (CR51475)
The web-based Configuration utility now displays time correctly.

HTTP: early response and pass-through mode (CR51483)
The system no longer enters pass-through mode if it receives an early response from the server.

ARP advertisements sent for non-local destinations (CR51538)
ARP advertisements are no longer sent out for virtual server addresses that have only a gateway route. Also, advertisements are no longer sent out VLANs which are disabled.

SSL: Graph spin error and the TMM log (CR51631)
We have corrected a problem that could cause a graph spin error detected message to display. The graph step counter is now reset upon receiving a new record, preventing the graph spin errors generated in /var/log/tmm:
tmm tmm[653]: 01260017:3: internal error: rx_record:930: graph spin detected

When vlan_group_output sends packet, clone the packet if necessary (CR51752)
When sending packets out through member VLANs in a VLAN group, the system always clones the packet except the last time the system sends a packet. Not cloning packets can cause an xbufcorruption.

TMM: improper regular expression compilation (CR51849)
We have corrected a problem that could allow an improper regular expression to destabilize the system in certain situations.

Persist across services (CR52069)
The persist across services now uses a pool member within the pool, not one from a different pool.

TMM: memory usage with profile fastHTTP (CR52146)
We have corrected a memory usage problem when using the fastHTTP profile under heavy load.

TMM: heartbeat on single-CPU platforms (CR52201)
Spurious Traffic Management Microkernel (TMM) heartbeat failures on single-CPU platforms resulting in an exit with a SIGABRT have been corrected for single-CPU platforms. This issue did not affect dual-CPU platforms.

SNMP: set up host name for a trap (CR52266)
You can now specify the host name for a trap.

Heavy link up and link down activities (CR52584)
Multiple, simultaneous link up and link down activities no longer cause the system could restart or the interface LED lights to turn off.

iRule string first command (CR52606)
iRules no longer break when using the iRule string first command.

Synchronous software compression drains queue from within the framework (CR52626)
Synchronous software compression drains queue from within the framework, resulting in the same message being dispatched twice.

Use of the drop command in iRules (CR52805)
Using the drop command with the CLIENT_ACCEPTED event in an iRule no longer causes the Traffic Management Microkernel (TMM) service to become unavailable.

Mirroring of syncookie secrets on active-active systems (CR52826)
Active-active systems now correctly mirror syncookie secrets from unit 2 to unit 1.

Multiple 3-DNS monitor requests (CR52956)
Problems with multiple monitor requests no longer occur when a 3-DNS system monitors the BIG-IP system.

Log file sizes on the SCCP (CR53029)
Memory allocation problems and full disk errors no longer occur due to the size of SCCP log files.

bcm56xxd remote restart detected - fail-safe (CR53030)
The BCM56CCD service is no longer remotely restarted under certain conditions, which caused fail-safe to occur.

Custom monitor names (CR53051)
You can now include the string min in the names of custom monitors.

Accounting of RAM Cache storage size (CR53052)
The system now correctly tracks the size of the RAM Cache storage, thereby preventing the RAM cache from becoming unavailable.

Fast L4 profiles and the Reset on Timeout setting (CR53168)
The value of the Fast L4 profile's Reset on Timeout setting is no longer ignored with respect to Packet Velocity® ASIC (PVA) acceleration.

Active-active state when TMM restarts (CR53172)
We have corrected a problem that could cause an active/standby system to go into the active-active state when the Traffic Management Microkernel (TMM) restarted.

Use of the SNMP DCA monitor (CR53307)
The calculation used in the snmp_dca_base utility have been fixed to avoid spurious negative results.

Labeling of New Connections graph in Configuration utility (CR53313)
In the Configuration utility, the detail performance graph New Accepts/Connects, available from the New Connections graph, is now labeled correctly.

PVA2 and ICMP error message erroneously logged (CR53324)
On a system with Packet Velocity® ASIC (PVA) version 2 (PVA2), running the tcpdump command no longer generates the message ERR at ../modules/hudproxy/bigproto/pva/pva_frames.c:862: got err 5 from xbuf_pullup.

Support for Step-Up (CR53327)
The system now supports Step-Up (server-gated cryptography)

Logging of parsing failures (CR53394)
Parsing failures are no longer logged to /var/log/ltm.

SSL: bulk encryption and small MTUs (CR53425)
We have corrected an issue with bulk SSL encryption and small MTUs.

Remote user accounts and setting passwords (CR53525)
Users with remote authentication accounts and CLI access can no longer set local passwords on the BIG-IP system.

Passing MSTP traffic on instances other than instance 0 (CR53536)
Multiple Spanning Tree Protocol (MSTP) can now pass internal traffic on instances other than instance 0.

CVE-2005-2728 Apache vulnerability (CR53547)
The version of Apache in the BIG-IP system has been upgraded to remove an Apache vulnerability and thus prevent a denial of service attack. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2005-2728 to the problem. For more information about the vulnerability, see CVE-2005-2728.

Installation system for Enterprise Management compatibility (CR53548)
The BIG-IP version 9.2 installation system has been merged into version 9.1.2 for Enterprise Management compatibility.

System performance when running the bigpipe config save command (CR53550)
The time required to run a bigpipe config save is substantially decreased for large configurations.

Honoring baud rates (CR53603)
The PXE kernel, Host, and SCCP now honor user-set baud rates.

Memory usage on standby unit (CR53604)
Standby unit no longer leaks packets when an ARP entry needs to be refreshed.

Querying for VAs by tmrouted service (CR53612)
The tmrouted service now gets up-to-date status when querying for VAs

Saving STP configurations (CR53627)
The Configuration utility now saves Spanning Tree Protocol (STP) configurations correctly.

pvad service failure (CR53669)
The system now checks the global acceleration value, to avoid failure of the Packet Velocity® ASIC (PVA) daemon (pvad) service.

CVE-2005-2491 PCRE vulnerability (CR53673)
The system is no longer subject to a Perl Compatible Regular Expressions (PCRE) vulnerability. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2005-2491 to the problem. For more information about the vulnerability, see CVE-2005-2491.

Bcm56xxd service causing traffic loops (CR53690)
Shutting down the bcm56xxd service now stops all layer 2 traffic to avoid potential bridging loops.

pvad service failure (CR53750)
The Packet Velocity® ASIC (PVA) daemon (pvad) service no longer fails with certain types of profiles, pools, or virtual servers.

Reset of virtual server statistics (CR53778)
Resetting statistics for virtual servers that use ephemeral listeners now produces expected results.

Load balancing requests after an HTTP/1.1 304 response (CR53841)
HTTP/1.0 clients that receive an HTTP/1.1 304 Not Modified response now detach from the server-side connections, allowing subsequent requests to be load balanced to the correct pool.

HTTP Redirect Rewrite feature (CR53844)
Using the Redirect Rewrite feature of an HTTP profile no longer causes the Traffic Management Microkernel (TMM) service to fail.

Incorrect generation of SNMP indices (CR53847)
Use of the snmpwalk command now generates the correct ipAdEntIfIndex indices.

Handling of IP snoop packets (CR53860)
The system no longer logs an error regarding IP snoop packets. Instead, the Traffic Management Microkernel (TMM) service silently discards those packets.

RAMcache: DoS attack messages on LCD (CR53971)
We have corrected a problem with the RAMcache feature that could cause the system to display DoS attack messages on the LCD panel.

HTTP compression statistics (CR53985)
In the Configuration utility, HTTP statistics for compression are no longer hidden.

Sending factory values to 3-DNS (CR53988)
big3dshim now sends back current factory values to 3-DNS.

Redirect rewrite feature and port specifications (CR53989)
The Redirect Rewrite feature now removes port specifications from HTTP Location headers.

Changing ciphers mid-connection (CR53991)
The system now rewrites the cipher-selection portion of the OpenSSL utility's shim layer.

TMM service and malformed Cache-Control headers (CR53994)
The Traffic Management Microkernel (TMM) service no longer fails when a curl request with a malformed Cache-Control header.

RAMcache: DoS attack messages on LCD (CR54321)
We have corrected a problem with the RAMcache feature that could cause the system to display DoS attack messages on the LCD panel.

Node unavailability (CR49744)
The INVALID flag is now set and unset correctly, preventing nodes from being unavailable.

Delay added for failover (CR54001)
For certain platforms, a delay has been added to account for a serial-line assertion when the system is powered up.

HUDEVT_EOF support in stream profile (CR54003)
The Stream profile includes support for an HUDEVT_EOF event.

TMM service becomes unavailable (CR54004)
The Traffic Management Microkernel (TMM) service no longer becomes unavailable when a wide traffic profile is assigned to a virtual server.

SSL: system destabilization while handling CertificateVerify message (CR52250)
We have corrected a problem that could destabilize the system while handling a CertificateVerify message.

CPU cycles and the big3d (CR53662)
Internal database lookups for IP addresses have been made significantly more efficient. This significantly reduced the mcpd CPU utilization when queried by big3d.

Virtual servers referencing multiple iRules (CR53976)
The system no longer experiences problems when a virtual server references more than one iRule.

Trunks and system reboot (CR54006)
A system reboot no longer fails after creating trunks.

ConfigSync failure with bad error codes (CR54048)
Configuration synchronization no longer fails and the system no longer displays bad error codes when performing a configuration synchronization.

Cavium-offloaded SSL requests and low memory (CR54055)
Cavium-offloaded SSL requests no longer cause the Traffic Management Microkernel (TMM) service to fail when memory is low.

Modification of RAM Cache settings (CR54071)
The Traffic Management Microkernel (TMM) service no longer fails after modifying RAM Cache settings in an HTTP profile.

Bootup message (CR54133)
The message md5sum: /etc/ssh/ssh_host_key: No such file or directory no longer appears when booting the system.

Internal link state and the 3400 platform (CR54258)
Link state changes on unpopulated internal link could cause bcm56xxd on a 3400 to core dump.

Header terminators in HTTP responses (CR54265)
The BIG-IP system now performs header insertion properly when an HTTP response contains more than one type of header terminator.

Line-rate traffic through management interface (CR54471)
Line-rate traffic that goes through the management interface no longer becomes corrupted.

SNMP: snmpd service response to SNMP queries (CR54531)
Cached SNMP query results are now accounted for properly ensuring that multiple, quick requests for the same OID are handled correctly.

Log message from SNMP (CR54535)
When using SNMP, the following log message no longer occurs: Maximum packet size exceeded in a request. or Received broken packet. Closing session.

RX receive queue in the BCM56XXD service (CR54536)
The bcm56xxd was modified to properly manage concurrent write access to the receive queue.

Potential memory corruption with non-cookie persistence (CR54728)
Memory no longer becomes corrupted when non-cookie persistence frees a pool, after switching pools within a connection.

Overlapping trap numbers (CR54731)
SNMP trap IDs in version 9.X no longer overlap with trap IDs in version 4.X.

Cleartext passwords for LDAP remote authentication (CR54732)
The Configuration utility no longer displays cleartext passwords for LDAP authentication. The LDAP-related authentication screens now display asterisks in place of an actual password.

Fast L4 feature and checksums (CR54740)
When the offloading of hardware checksums is enabled, the Fast L4 feature no longer corrects bad checksums.

Switchboard fail-safe due to interrupts being disabled (CR54740)
Interrupts are no longer permanently disabled. This prevents switchboard fail-safe from occurring.

LINK::qos and IP::tos iRule commands (CR54791)
The LINK::qos and IP::tos iRule commands now function correctly.

Interrupts causing unwanted switchboard fail-safe events (CR54819)
We have corrected an infrequent problem where a race condition of interrupt signals to the bcm56xxd could permanently disable interrupts causing a switchboard fail-safe event.

Response of TMM service (CR55011)
For systems with a BCM crypto card, the Traffic Management Microkernel (TMM) service no longer either receives a SIGABORT message or becomes un responsive.

OpenSSL update (CR55070)
In response to various security advisories, we have updated the critical portions of OpenSSL to sources from version 0.9.7i. The output generated by the command openssl version was not updated.

The switchboot utility is forward-compatible (CR55177)
The Switchboot utility is now forward-compatible.

Memory leaks with Client SSL profiles (CR55200)
Use of a Client SSL profile no longer causes memory leaks.

tcp_half_open monitor accessing nodes through gateways (CR55337)
The tcp_half_open monitor can now monitor a node that is accessed through a gateway.

Non-SSL connections configured on Client SSL profile (CR55342)
Enabling the Non-SSL Connections setting on a Client SSL profile no longer causes the system to become unavailable.

non-matching arguments for installation scripts (CR55415)
Configuration synchronization no longer fails due to User Configuration Set (UCS) installation arguments not matching im script arguments. The arguments for the two scripts now match.

Effect of wildcard virtual servers on unmatched packets (CR55456)
When the virtual server is a wildcard virtual server, the system now handles unmatched packets correctly.

Clearing settings for a discontinued installation (CR55490)
When you discontinue an installation prior to completion and re-run the script, all previously specified settings are now cleared.

String replacement with iRule commands (CR55530)
String replacement using certain iRule commands (such as TCP::payload replace) no longer truncates the data

Time zone shifts during upgrade from version 4.x (CR55557)
During an upgrade from version 4.x, the system now shifts the clock correctly for more time zones.

Auditing function during installation (CR55591)
Auditing during installation no longer generates an error message.

Serving installation images using HTTP (CR55640)
The PXE install program is now able to serve the installation image using HTTP.

bigpipe config sync command (CR55729)
The bigpipe config sync command no longer generates a too many arguments error.

New certificate for server-side SSL authentication (CR55758)
For server-side SSL authentication, the ca-bundle.crt file now includes an additional certificate, which is from a new VeriSign intermediate certificate authority (CA).

bigstart utility failure due to incorrect dates (CR55883)
After an upgrade, the bigstart utility no longer fails due to incorrect dates on newly installed files.

Memory leak when changing an SSL profile (CR55966)
Modifying the configuration of an SSL profile no longer causes a memory leak.

bigstart restart command and multiple bcm56xxd services (CR56138)
Running multiple bcm56xxd services in the foreground no longer causes the bigstart restart command to fail.

IPv6: neighbor cache entries (CR56199)
IPv6 neighbor cache entries now use 64-bit timers to prevent wrapping issues that may cause the neighbor cache to fill until the Traffic Management Microkernel (TMM) is restarted.

Reusing existing server-side connections (CR56215)
Issuing the iRule command HTTP::disable to reuse an existing server-side connection no longer causes Traffic Management Microkernel (TMM) problems.

session lookup command in iRules (CR56247)
The iRule command to look up a session now returns a value.

Upgrade of version 4.x configuration data (CR56252)
Upgrading configuration data from version 4.x now works correctly.

iRules session command (CR56253)
The iRules session command now works correctly when specifying a pool.

Switching from local time to UTC time (CR56247)
The hardware switch clock now adjusts from local time to UTC time when an NTP server is added.

FIPS installation (CR56321)
The FIPS packages are now installed correctly on the 6400 platform.

Error message after loading SSL certificate (CR56410)
After loading a User Configuration Set (UCS) file with SSL certificates, the system no longer displays the message Re-starting tmm ever five seconds.

Memory allocation when validating SNAT addresses (CR56590)
Validation of a SNAT original address no longer causes excessive memory allocation.

Size of records sent to a NITROX device (CR56753)
For records being sent to a NITROX device, the boundary for record sizes is now the NITROX device's upper limit, rather than an explicit 16K value. Consequently, the NITROX device no longer hangs indefinitely.

Authentication of ConfigSync users (CR56758)
For ConfigSync users with remote RADIUS accounts, the system is now able to successfully authenticate their accounts.

[ Top ]

Enhancements in version 9.1

Version 9.1 included no enhancements.

Fixes in version 9.1

Version 9.1 contained the following fixes.

CR Solution Description
CR39626 SOL4772 BIG-IP may become unresponsive after switchboard fail-safe is triggered
CR44500 SOL4760 When you disable NAT on a pool, SNAT is also disabled
CR44559 SOL4686 SNMP access methods may not be completely removed
CR44820 SOL4731 After SCCP upgrade, BIG-IP may not shut down cleanly
CR45071 SOL4742 TMM may restart when BIG-IP is subjected to the immediate creation of many connections
CR45173 SOL4732 Host system SSH keys are restored when a UCS archive is restored
CR45279 SOL4754 All idle SNAT connections time out at 300 seconds, regardless of the specified timeout
CR45539 SOL4734 slow_ramp does not work correctly with ratio load balancing
CR45693 SOL4604 It is not possible to disable VLAN keyed connections
CR45694 SOL4604 It is not possible to disable VLAN keyed connections
CR45918 SOL4732 Host system SSH keys are restored when a UCS archive is restored
CR45984 SOL4733 The system may fail to start after upgrade if the system time was set in the past
CR46110 SOL4734 slow_ramp does not work correctly with ratio load balancing
CR46186 SOL4604 It is not possible to disable VLAN keyed connections
CR46190 SOL4534 SNMP traps and LEDs are not triggered by node status changes
CR46460 SOL4735 Radius authentication does not send Calling Station ID or NAS IP Address
CR46662 SOL4736 Connections through a network virtual server cannot be mirrored
CR46721 SOL4737 Connection and Content-length headers may be omitted when compression is enabled
CR46756 SOL4738 TMM may crash when redirect rewrites are enabled
CR46771 SOL4740 When VLAN fail-safe is used on multiple VLANs, the wrong source address may be used
CR46798 SOL4741 TMM may crash under extreme load when receiving retransmitted acknowledgements
CR46827 SOL4742 TMM may restart when BIG-IP is subjected to the immediate creation of many connections
CR46832 SOL4743 Some versions of BIG-IP are vulnerable to VU#637934
CR46833 SOL4743 Some versions of BIG-IP are vulnerable to VU#637934
CR46834 SOL4743 Some versions of BIG-IP are vulnerable to VU#637934
CR46839 SOL4748 SNMP can still be accessed using the public community string, after changing it
CR46841 SOL4749 The config sync process may fail if the admin password contains the @ sign
CR46843 SOL4736 Connections through a network virtual server cannot be mirrored
CR46855 SOL4751 The Configuration utility may fail to display objects due to an MCP failure
CR46904 SOL4752 When using redirect rewrites, BIG-IP matches URLs exactly as specified
CR46944 SOL4754 All idle SNAT connections time out at 300 seconds, regardless of the specified timeout
CR47050 SOL4756 Trunks will not pass traffic if added to both tagged and untagged VLANs
CR47051 SOL4757 When redundant trunks are used with RSTP, all links may be blocked
CR47052 SOL4759 Trunks that include interfaces 1.1 through 1.8 may fail on BIG-IP 6400s and 6800s
CR47066 SOL4760 When you disable NAT on a pool, SNAT is also disabled
CR47181 SOL4761 Health monitors may not mark nodes down precisely when retransmitting TCP segments
CR47185 SOL4762 Link loss may not be detected when the cable is removed from an SFP fiber port
CR47187 SOL4763 BIG-IP cannot detect SFP modules in ports 2.3 and 2.4
CR47188 SOL4764 Virtual server LDAP sessions from the same may all fail if any one fails
CR47227 SOL4765 When BIG-IP is configured with a trunk included in STP, bcm56xxd may behave strangely
CR47228 SOL4766 TMM may crash if it parses a cookie that contains an invalid value
CR47230 SOL4765 When BIG-IP is configured with a trunk included in STP, bcm56xxd may behave strangely
CR47280 SOL4767 The use snat directive does not work within an LB_SELECTED event
CR47292 SOL4773 The system date and time may be incorrect on the SCCP
CR47296 SOL4583 The management interface is vulnerable to VU#222750
CR47305 SOL4769 The bigpipe commands to change STP interface and trunk path costs do not work
CR47318 SOL4770 BIG-IP does not flush stale entries from all ARL tables when STP topology changes
CR47366 SOL4771 Active FTP connections do not work through a SNAT
CR47416 SOL4772 BIG-IP may become unresponsive after switchboard fail-safe is triggered
CR47470 SOL4773 The system date and time may be incorrect on the SCCP
CR47523 SOL4774 Oracle and MS SQL health monitors may mark nodes down incorrectly
CR47609 SOL4776 Sessions hang when FastHTTP profile is used and the node doesn't allow keep-alives
CR47631 SOL4777 Connection mirroring does not work reliably
CR47676 SOL4778 Source MAC addresses are incorrectly preserved for inter-VLAN traffic
CR47681 SOL4779 Large numbers of new, concurrent SSL sessions may lead to SSL handshake failures
CR47690 SOL4769 The bigpipe commands to change STP interface and trunk path costs do not work
CR47714 SOL4790 System crashes, hangs, and reboots that were fixed in this release
CR47748 SOL4781 Incorrect data returned by big3dshim could cause 3-DNS 4.x systems to crash
CR47750 SOL4749 The config sync process may fail if the admin password contains the @ sign
CR47851 SOL4782 BIG-IP does not differentiate multiple destinations for ICMP gateway checks
CR47890 SOL4785 SSL connections may fail when client and node MSS do not match
CR47919 SOL4787 When an interface belongs to two VLANs, deleting either will remove it from both
CR47969 SOL4786 Routes on the standby are not disabled when using RHI
CR47980 SOL4788 The debug TMM may crash when processing significantly fragmented packets
CR48073 SOL4778 Source MAC addresses are incorrectly preserved for inter-VLAN traffic
CR48097 SOL4790 TMM will crash and restart when the substr directive is used in a rule
CR48119 SOL4791 BIG-IP may expire a permanent license installed after an evaluation license
CR48155 SOL4780 BIG-IP may crash when a buffered connection is subsequently aborted
CR48171 SOL4780 BIG-IP may crash when a buffered connection is subsequently aborted
CR48211 SOL4735 Radius authentication does not send Calling Station ID or NAS IP Address
CR48342 SOL4780 BIG-IP may crash when a buffered connection is subsequently aborted
CR48454 SOL4794 Connections through a non-translating virtual server cannot be mirrored
CR48478 SOL4795 The sequence {} cannot be used in a rule
CR49030 SOL4780 TMM may crash and restart due to internal buffer corruption
[ Top ]

Optional configuration changes

Once you have installed the software, you can use any of the following configuration options to update your configuration.

Note that these new configuration options are the result of one or more of the fixes or enhancements listed above.

Using SNMP read/write OIDs

You can use the following SNMP OIDs in read/write mode. However, SNMP is not intended to be used as a general API for configuring the BIG-IP system. These SNMP OIDs are shown in this table.

OID Name OID Value
ltmVirtualServEnabled Enable/disable virtual server
ltmVirtualAddrEnabled Enable/disable virtual address
ltmNodeAddrNewSessionEnable Enable/disable node address
ltmNodeAddrMonitorState Force up/down node address
ltmPoolMemberNewSessionEnable Enable/disable pool member
ltmPoolMemberMonitorState Force up/down pool member
[ Top ]


The version 9.x releases often include SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

[ Top ]

Using the switchboot utility

Beginning with the version 9.0.2 release, we added functionality to install multiple versions of the BIG-IP software on different boot images on one unit. A boot image is a portion of a drive with adequate space required for an installation. If the hardware supports multiple boot images, you are prompted to install the software on multiple boot images during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

The switchboot utility is available to manage installations on different boot images. You can use the switchboot utility from the command line to select which installed image boots.

To run the switchboot utility

  1. Type the following command:
    A list of boot images and their descriptions displays.
  2. Type the number of the boot image you want to boot at startup.
    When you reboot the system, it starts from the slot you specify.

If there is only one boot image available, the switchboot utility displays a message similar to this one and exits.
There is only one boot image to choose from: title BIG-IP <build_number>

Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.

To use switchboot in non-interactive mode

If you know which boot image you want to boot, you can type the following command and specify the boot image number for <bootimage_number>:
switchboot -s <bootimage_number>

To use switchboot to list available boot images and the currently active boot images.

If you want to list the available boot images without specifying a new boot image from which to boot, type the following command:
switchboot -l

To list options for switchboot

To list the options for the switchboot utility, type the following command:
switchboot -h

To view the contents of the boot configuration file using switchboot

You can view the complete contents of the boot configuration file (grub.conf) with the following command:
switchboot -d

This command is slightly different from switchboot -l in that -l only lists the boot image header lines, while -d displays the complete file.

[ Top ]

Known issues

The following items are known issues in the current release.

VLAN mirroring unsupported (CR39784)
In this release, the system does not support VLAN mirroring. The system does not display an error when VLAN mirroring is attempted. We recommend that you do not implement VLAN mirroring at this time.

1500, 3400, and 6400 platforms: SSH session remains open after peer reboot (CR40503)
When you establish an secure shell (SSH) session between two units on the 1500, 3400, or 6400 platforms, and you reboot the unit to which you established the SSH session, the SSH session remains open until it reaches its timeout.

Trunks on a BIG-IP 2400 (D44) IP Application Switch (CR40507)
On a BIG-IP 2400 platform, if you connect multiple ports to one switch, you might form a bridging loop, which causes Traffic Management Microkernel (TMM) to restart repeatedly. The best solution is to configure the network so no bridging loops exist. If this cannot be accomplished in your configuration, you can resolve the problem by enabling spanning tree protocol (STP) if you connect multiple ports to one switch.

SIP persistence and persist iRule commands (CR40579)
In this release, the persist iRule commands do not support SIP persistence.

Default route specification for IPv6 (CR40808)
Because the default configuration settings for Network Routes is for Internet Protocol version 4 (IPv4), you must specify both a destination and netmask value to specify a default route for Internet Protocol version 6 (IPv6). To specify a IPv6 default route, you must first choose a type of route instead of default gateway. Then specify the destination as :: and the netmask as :: to set the appropriate IPv6 default route.

OTCU and monitors saved at pool level in the Configuration utility (CR40977)
After you run the the One Time Conversion Utility (OTCU) to convert your 4.x configuration to a 9.x configuration, you cannot view the monitors on pool members until after you run the bigpipe load command twice, from the command line. Alternately, you can restart the system.

Force command support (CR41390)
The -force command for .im packages no longer operates because the installation procedures have changed.

Setup Utility and VLAN configuration (CR42790)
When you rerun the Setup Utility and use the Basic Configuration Wizard (which sets up the default internal and external VLANs), the configuration must meet certain guidelines. If the configuration violates one of these conditions, the system presents error messages, and does not complete the configuration. This is by design. The configuration must meet the following guidelines:

  • No more than one non-floating IP is associated with VLANs named external or internal.
  • No more than one floating IP is associated with VLANs named external or internal.
  • The self IP addresses associated with the VLANs internal and external must use one of the following port settings: Allow Default, Allow 443, Allow None.
  • The bigdb variable Statemirror.IPAddr must match the internal self IP.
  • A VLAN group cannot be named external or internal.
  • A trunk may cannot be configured on VLAN external or internal.
  • The default route must be of type Gateway.

Monitor parameter string containing literal carriage return (CR43128)
The system cannot interpret literal carriage returns in monitor strings that are created by pressing the Enter key. If the string you are creating requires a literal carriage return, type \n instead of pressing the Enter key.

Failover and virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled (CR43517)
In a redundant system, if the active unit fails over, and the configuration contains virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled, the failover process does not properly mirror the server-side OneConnect connections to the failover unit.

Link activity lights on the BIG-IP 3400 (C62) platform (CR43570)
On the BIG-IP 3400 platform, if you have trunks configured, the link activity lights on the front panel might not properly indicate link activity (turn green).

Configuration utility: Refresh interval and statistics screens not viewed yet (CR43613)
In the Configuration utility, on the System > Preferences screen, if you change the Default Statistics Refresh interval, view some statistics screens, and then change the Default Statistics Refresh interval again, the system applies the second update only to those statistics screens that you have not viewed yet.

bigpipe command immediately following bigstart restart command (CR44091)
After you run the bigstart restart command, the BIG-IP system takes a minute to initialize. If you run this command, you should wait at least a minute for the system to re-initialize before running additional bigpipe commands.

System caching of unreachable IPv6 destinations (CR44109)
A problem might occur where the BIG-IP system caches an unreachable IPv6 destination. This problem might occur if you add the wrong default route, delete it, and change to the correct route, only to find traffic fails to reach the destination.

Fast L4 profile: Reset on timeout disable and the idle timeout value (CR44261)
Changing the Reset value on the timeout option to disable appears to change the idle timeout value. However, this affects only the value displayed by the system, not the system setting and the functionality of the system.

Simultaneous delete of floating IP addresses and non-floating IP addresses (CR44297)
In the Configuration utility, we recommend that you delete floating IP addresses before you delete non-floating IP addresses to avoid the error 01070393:3: Cannot delete IP because it would leave a floating IP with no non-floating IP on this network.

IPv6 and Transparent monitors (CR44388, CR44407, CR44408)
The current IPv6 implementation does not support transparent monitors.

Allowing specific UDP ports (CR44590)
You cannot add a specific UDP port to the allow list that includes the allow default setting. To add specific UDP ports to the allow list, remove the allow default setting and add each UDP port you want to add to the allow list.

Supported MTU for BIG-IP systems and IPv6 (CR44733)
The minimum supported MTU for BIG-IP system using IPv6 is 1280.

SSH: If logged in as non-root user, cannot use SSH to connect to another system (CR44734)
You cannot use SSH to connect to another system unless you are logged into the BIG-IP system as a root user.

RADIUS server key swapped during re-load, after swapping the server IP addresses (CR44769)
You might see an error when you attempt to swap RADIUS server keys during a configuration reload. You can work around this problem by unconfiguring one of the servers before redefining the other.

Brackets in commented sections of rule syntax (CR44839)
Brackets in commented sections of rule syntax are counted in the bracket count. We recommend that you balance the brackets in the comments.

NAT and ICMP (CR44849)
Currently, Network Address Translation (NAT) tables do not forward Internet Control Message Protocol (ICMP) packets.

Configuration utility: Load Balancer Limited and the Fast L4 profile (CR44866)
The BIG-IP Load Balancer Limited product does not provide the ability to create or edit a Fast L4 profile.

Configuration restoration and overwriting SSH keys (CR45173)
User Configuration Set (UCS) files back up and restore host and root SSH keys, but there are many situations where these keys are stale, and break communications with the SCCP host subsystem. For more information about UCS files, see Solution ID: SOL4423 Overview of UCS archives.

Route validation of subnets and newly added routes (CR45212)
If you attempt to add a route and gateway that reside on the same subnet, the system considers the route to be invalid. If you separately add a supernet that encompasses both the new route and the gateway IP addresses, then the system accepts the new route.

Automatic licensing and Configuration utility errors (CR45369)
In the Configuration utility, when you select Automatic option for licensing, if the system cannot communicate with the F5 Licensing Server, the system generates a major application error. To work around this issue, close the current browser session, open a new session, and select the Manual option instead. Note that this happens only in rare instances.

Configuration utility and bigpipe for SSL profile setting display discrepancies (CR45537)
On the SSL Profile screen, select the Renegotiate Period option and leave it at the default setting, Indefinite. When you view the same setting in the bigip.conf file, you see this number, 138635524 (which equates to 4.396 years), instead of indefinite.

Application Accelerator: Logging options display for unavailable features (CR45546)
In the Configuration utility, on the System > Logs > Options screen, you see logging options for the Packet Velocity® ASIC. This feature is not available on the Application Accelerator product.

Acceptable characters in SSL certificate names and common names (CR45721, CR45722)
If you create a certificate name or common name that uses invalid characters (for example asterisk, comma, question mark, exclamation, forward slash, ampersand), the system generates an error message that is incorrect. The error message states that these characters are valid, however the only acceptable characters are alphanumeric characters, hyphen, and underscore.

SSL certificate and key generation and Configuration utility errors (CR45725)
If you try to generate an archive file for SSL certificates and keys, and you do not type a name for the file, the system generates an error. If you then add a name and click the Generate and Download button, the system saves the file but the Configuration utility remains in the error state. Simply click Cancel after you have saved the file, which returns you to the SSL Certificate list screen.

Duplicate virtual servers in bigip.conf file (CR45765)
If you manually edit the bigip.conf file and create duplicate entries of virtual servers, the /var/log/tmm directory becomes filled with error messages. We recommend that you edit the bigip.conf file with care.

iRules parsing syntax requirement (CR45767, CR59340)
The system cannot load an iRule when there is no space between a set of braces ( {} ). To work around this issue, add a space between the braces, as follows: { }. Note that the space is required.

Non-FIPS key import into FIPS system (CR45853)
If you import non-FIPS keys to a FIPS system, and then convert the non-FIPS keys to FIPS keys, the system continues to use the non-FIPS keys until you restart the Traffic Management Microkernel (TMM) process. You can perform this task from the command line, by typing bigstart restart.

radvd utility and restarting or rebooting the system (CR45882)
In rare circumstances, the radvd utility might start too early when you restart or reboot the system. As a result, the utility does not properly advertise routes. If you experience this issue, simply restart the radvd utility, on the System > Services screen in the Configuration utility.

IM upgrades and modprobe dependencies error messages (CR45885)
When you upgrade the system using the installation manager (IM) upgrade process, you might see the following error message when the system starts the automatic reboot, after the installation completes:
modprobe: Can't open dependencies file
You can ignore this error; it is benign.

IM upgrades and kernel journaling error messages (CR45970)
When you use the installation manager (IM) upgrade process, you might see kernel journaling error messages on the console after the installation completes. These error messages are benign and can be ignored.

b load after rate class and iRule rename (CR45981)
If you create an iRule that references a rate class, and then you rename the iRule and rate class, any attempt to load the configuration with the bigpipe load command fails. We recommend that you avoid renaming iRules and rate classes that you implement for rate shaping.

VLAN names containing period (CR46028)
Using the sysctl -a command prints the /proc/sys file system. This command displays the information about each file under the tree as if it were a variable separated by period (.). It also translates the forward slash (/) into a period. When you create a VLAN with a period in the name, sysctl translates that into a forward slash (/), but then cannot read the file name it just created. To work around this situation, do not use the period character in a VLAN name.

White space in imported certificates (CR46150)
Currently, white space in imported certificates is not handled correctly. Certificates with extra whitespace after the begin certificate or before the end certificate statements are rejected. To work around this condition, you can remove white space in imported certificates.

No Nodes Available trap and log message (CR46596)
The No Nodes Available trap and No Nodes Available log message do not exist in BIG-IP version 9.x. Currently, when all nodes in a virtual server are marked down, a message is logged for each pool member of the virtual server. For example, you might see a message like this for each member of a pool on the virtual server:
Mar 24 09:01:00 bip6400 mcpd[864]: 01070638:3: Pool member monitor status down.

BIG-IP system behavior when the product license expires (CR46636)
Currently, when the product license expires on the BIG-IP system, it does not fail over to a peer system with an active valid license.

Wildcard virtual server without the virtual address entry (CR46657)
If you create a wildcard virtual server without a virtual address entry ( with Address Resolution Protocol (ARP) disabled, ARP is set to enabled when the configuration is saved. After you create the wildcard virtual server, you can change the ARP setting back to disabled.

Pool change to gateway fail-safe pool and b load command requirement (CR46870)
When configuring the system, if you change a pool to become a gateway fail-safe pool, you must run a b load command to have the system accept the change.

Compression processes after compression disable (CR47329)
If you use a compression-enabled HTTP profile, the compression processes continue even after you disable the profile. For more information, see SOL6775: Known Issue: BIG-IP performance graphs report the CPU 0 usage at 100 percent if the BIG-IP system is licensed for hardware compression.

bigtop utility and failover (CR47361)
If you are running the bigtop utility on an active unit, and then the system fails over, you need to restart bigtop to refresh the bigtop statistics.

SSL certificates: native serverssl stack and client-side certificates (CR47702)
When using Server SSL (SSL re-encryption) and the node requests a client certificate, the BIG-IP system does not send a client-side certificate. To work around this issue, specify ALL as the cipher in the server SSL profile.

SNAT implementation and TCP port 21 listener (CR48055)
The SNAT implementation creates a TCP port 21 listener on all VLANs. This issue does not impact performance or functionality.

SSL session ID persistence and re-handshake (CR48114)
Session ID persistence is unaware of mid-connection renegotiations. This might cause new persistence entries not to be added for a new session ID if there are any negotiated in the middle of a connection.

SNMP v3 user access record removal (CR48190)
When you delete an SNMP v3 user access record, the system correctly removes the record from the file /config/snmpd.conf and from the BigDB database, but not from the file /config/net-snmpd/snmpd.conf.

User access record file permission (CR48191)
When you use the Configuration utility to create a new SNMP v1, v2c, or v3 user access record, the system incorrectly assigns a default permission of read/write (rw). The correct default permission for a new user access record is read-only (ro).

Trailing white space on Tcl if statement and line continuation of else (CR48213)
Any trailing white space in a Tcl statement breaks the line continuation of the rule statement. To avoid this problem, remove any white space at the end of each line of the Tcl statement.

Multi-interface mirror and interface delete (CR48376)
When more than one interface is mirrored to another interface, and you delete one of those mirrored interfaces, all mirrored interfaces are inadvertently deleted. For example, if interfaces 1.2 and 1.3 are mirrored to interface 1.1, and you delete interface mirror 1.2, then interface mirror 1.3 is also deleted.

LCD and command line status report (CR48409)
The LCD can report three types of system status: Active, Standby, or Standalone. If the system is in a different state, the command line might report the status, but the LCD might report a different status.

OneConnect and applications that use NT Challenge/Response (NTCR) (CR48426)
OneConnect does not support applications that use NT Challenge/Response (NTCR).

Multiple RADIUS server objects with the same server IP address and port (CR48464)
You cannot configure multiple RADIUS server objects that share the same server IP address and port. This might happen if you create a traffic authentication profile with a RADIUS server, and then set up system authentication, which uses its own RADIUS server object. In this case, the two collide and create an error condition. To work around this situation, set up system authentication first, and then use the system_auth_radius1 server in the traffic authentication profile configuration.

System unavailability due to low memory (CR48465)
In certain low-memory situations related to Packet Velocity® ASIC (PVA), the system can become unavailable.

Large external class file load and system performance (CR48489)
Loading external class file can negatively impact performance if too much data is loaded at the same time. We recommend that you load data in four-megabyte chunks or smaller.

TCP::collect implicitly holds the accepted event (CR48592)
The TCP::collect command is not appropriate for some protocols where the server sends data first, such as banner protocols.

System unavailability due to memory depletion (CR48594)
When processing an extremely high number of connections per second (approximately 30,000), with very large window sizes for compression, the system can run out of memory, causing a system failure. Occurrence of this event is highly unlikely.

Mirrored FTP connections and peer system restart (CR48663)
Restarting a peer to which FTP connections are mirrored prevents the FTP connections from being reincarnated on that peer. This issue exists because you cannot associate the Fast L4 profile with FTP virtual servers. There is no workaround for this condition.

Escape characters in PAM authentication configure files (CR48682)
Authentication configurations created by the Master Control Program (MCP) trigger the creation of Pluggable Authentication Module (PAM) service configuration files. Without proper escaping of spaces and square brackets, PAM module arguments listed in the service configuration file might be improperly parsed by the modules themselves. For more information on escape character rules, see Linux-PAM primary distribution site.

Profiles on IP forwarding virtual servers (CR48980)
The Configuration utility restricts to Fast L4 the types of profiles that can be set on IP forwarding virtual servers. The command line allows any type of profile to be added to a virtual server. There is no workaround for this.

Fast HTTP profile and server-side connection priming (CR49182)
Once you configure the system to use the base Fast HTTP profile, the profile continues to prime server-side connections, even if there are no virtual servers currently configured to use the Fast HTTP profile. We recommend that you create a custom Fast HTTP profile instead of using the default Fast HTTP profile.

iRule misconfiguration and TMM restart (CR49375)
If an iRule is not configured to use the variable name form (that is, including the $) of the matchclass or findclass commands to access the class or data group, Traffic Management Microkernel (TMM) restarts. To work around this issue, always use the variable name form of the matchclass or findclass commands in iRules.

drop and reject commands for UDP traffic (CR49445)
When processing UDP traffic, the system does not always handle the iRule commands drop and reject properly.

Management interface and TMM traffic (CR49456)
In certain cases, when no TMM default gateway is defined, network traffic that should use a TMM interface uses the management interface instead. Examples of cases when this can occur are when you are using a forwarding virtual server, or when traffic for a client on an internal VLAN is using a SNAT.

Fast HTTP profile Header Insert option (CR49530)
The Fast HTTP profile Header Insert option does not perform a variable expansion in its configured header insert. For example, [IP::client_addr] is inserted literally. Although this is inconsistent with the HTTP profile, this was done to increase HTTP performance. To configure the Fast HTTP profile to insert the original client IP address as a standard XForwarded-For header value, modify the Fast HTTP profile and enable the XForwarded-For header option. Additionally, Fast HTTP supports the HTTP_REQUEST iRule event as well as the HTTP::header insert iRule command, which you can use to insert arbitrary HTTP headers.

Interrupted TCP connections (CR51197)
If an Address Resolution Protocol (ARP) or Neighbor Discovery Protocol (NDP) entry times out or the peer is not responding, the connection is interrupted. These connections should only end when the system is unable to establish a connection.

Password configuration for BGP routing module's MD5 authentication (CR51590)
If the Border Gateway Protocol (BGP) MD5 authentication password is configured for a peer group, the authentication fails. As a workaround, you can configure MD5 authentication on a per-BGP-neighbor address basis rather than on a per-peer-group basis.

Class names and matchclass (CR51593)
If you use the matchclass command in an iRule that contains a malformed class name, the Traffic Management Microkernel (TMM) process restarts. The following iRule contains an example of a malformed class name used with the matchclass command.

class test {}
rule test { if { [matchclass ... equals $::test-rule] } ...

In this example, the failure occurs because the hyphen ( - ) character causes the variable name to be split. To work around this issue, always use valid class names.

Configuration utility and mod_jk messages (CR51705)
When you use the Configuration utility, certain mod_jk-related error messages are logged. These messages are extraneous and can be ignored. An example of such a message is [error] mod_jk child init 1 -2.

Gratuitous ARP messages on disabled virtual servers (CR51833)
The system sends a gratuitous Address Resolution Protocol (ARP) message during failover, when the virtual server is disabled.

Menu items in Configuration utility (CR52062)
In some cases, extraneous Configuration utility menu items appear on the Main tab of the navigation pane.

Total SSL TPS displayed by Configuration utility (CR52164)
The Configuration utility does not currently report the total amount of SSL transactions per second (TPS) for which the BIG-IP system is licensed. To determine this value, you can view the file bigip.license directly.

Node status during ConfigSync (CR52171)
During configuration synchronization, the system changes node status and logs those status changes, logging messages such as node up and node down, unchecked, checking, and so on. There is no way to prevent the system from logging those status change messages.

HTTP connection closure (CR52482)
With a one-armed configuration, server-side HTTP connections sometimes close prematurely after the first HTTP/1.1 200 response. For an iRule you can use to work around this situation, see Preventing premature connection closure.

Failover and sod service behavior (CR52499)
When you have defined a preferred active unit of a redundant system and failover occurs, the sod service starts too soon, before other resources (such as pools) are ready to accept traffic.

SNAT timeout values (CR52675)
The timeout values for SNAT translations have a default value of Indefinite. For SNAT-only configurations (that is, those not associated with a virtual server), this could result in too many connections, which in turn could result in unexpected closing of connections. To prevent this problem, set SNAT timeouts to a value other than Indefinite.

Remote RADIUS authentication (CR53068)
When a user who has been remotely authenticated by a RADIUS server closes the browser session and then opens a new session within a 24-hour period, the system requests the user's authentication information, but does not send the request to the RADIUS server for authentication. This is intentional. To minimize the number of authentication requests, the system caches the user's authentication information for 24 hours.

iRule performance (CR53569)
Including string operations in iRules can negatively impact performance. For example, when including string-related operations in an iRule in a Fast HTTP profile, each invocation of string first or string range cost approximately 5000 tps. The only workaround is not to include string operations in iRules .

mcpmsg_to_database messages and trunk modification (CR53608)
Certain conditions can cause the TMM and mcpd process databases to get out of sync. When that happens, the system issues mcpmsg_to_database messages. The messages might be associated with trying to modify a trunk that the system cannot locate in its database. These conditions are very rare, and are often resolved by restarting the system.

Data loss during failover with certain IP address configurations (CR53636)
If you configure a redundant system to use full proxy, and set the gateway IP address to a self IP address of one of the units in the redundant system, you might experience data loss for 2-3 seconds during a failover event. We recommend avoiding this configuration if at all possible.

SNMP service start or restart and traps sent (CR53741)
When SNMP service starts or restarts, it does not send the traps bigipAgentStart and bigipAgentRestart. Instead, the service only sends those traps on service shutdown.

RAM cache and empty URI (CR54077)
If you have an empty URI excludes list, the system caches everything possible. You can work around this by creating an iRule that defines what items should be cached.

FIPS card and memory reporting (CR54307)
When updating memory on a system with a FIPS card, the system might not show the correct amount of memory. This is a display issue only; the full amount of memory is available to the system.

SSL fields changes (CR54398)
To retain changes to fields in SSL profiles, you must first disable SSL and then click the Finished button. Then you can re-enable SSL, make the necessary modifications, and click the Finished button again. Without doing this, the changes you make do not persist.

UCS file and system license information (CR54418)
The User Configuration Set (UCS) contains the license file, which prevents using the UCS as a means of copying a configuration from one machine to another. If you need to migrate a configuration to another machine, please contact technical support. For more information about UCS files, see SOL4423: Overview of UCS archives and SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive.

VNC connections over secure win32 tunnel to client SSL profile (CR54579)
When you use Virtual Network Computing (VNC) over a win32 secure tunnel to a client SSL profile, the connection ends prematurely. To resolve this issue, use the OpenSSL stack instead of the native one, using the command: ciphers: 'ALL:!NATIVE'.

bge reset and firmware handshake failure (CR54590)
A bge reset can often result in a firmware handshake failure. There is no workaround for this issue.

Install kernel and SCCP MAC filter (CR54769)
Currently the install kernel does not enable the switch card control processor (SCCP) MAC filter. To enable this filter, run the sccp_bridge_mode script.

Log message severity level (CR54909)
The system might log the following messages when the mod_jk2 Apache module is initialized:
httpd[<PID>]: [error] jk2_init() Can't find child <PID> in scoreboard httpd[<PID>]: [error] mod_jk child init 1 -2 These messages are benign. They provide information about expected conditions that occur when the system is working correctly.

System response on 302 responses into http/compress profile (CR54923)
The system occasionally responds incorrectly when a 302 error is received into an http/compress profile. The exact behavior depends on system configuration. To resolve this issue, add an iRule that avoids compression when a 302 error is received.

Password utility and special characters (CR55171)
When you specify or change a password, the system does not prevent you from using the single quote ( ' ), slash ( / ), backslash ( \ ), and accent characters ( ` ). Those characters are not valid, however, and the resulting password does not work. To work around this issue, do not use those characters when creating or changing a password.

EXPORT ciphers and slow performance with SSL (CR55478)
When you implement EXPORT ciphers with SSL, performance is be slower than without the ciphers.

Nondefault management routes and GATEWAY entry in configuration file (CR55546)
When you add a nondefault management route at the BIG-IP command line, the system also adds an erroneous GATEWAY entry to the configuration file in the /etc/sysconfig/networks directory. If your configuration is loading correctly, the system should work as expected. If configuration load fails, however, system restart results in incorrect gateway settings, which can prevent you from remotely accessing the system. If your system is already in this state and you can reach the system through a serial console connection you can remove the nondefault route from the /config/bigip_base.conf file. You must also delete the extraneous GATEWAY entry in the configuration file in the /etc/sysconfig/networks directory. If you are using ZebOS®, this results in interference between nondefault management routes and default routes learned though dynamic routing protocols, which forces you to manually restart ZebOS after system restart. Note that the default management route still prevents dynamic protocols from learning any default routes. This is associated with the ZebOS dynamic routing capability. For a workaround for this issue, see Adding nondefault management routes.

Date on UCS file is always in Pacific Daylight Time (PDT) (CR55583)
The date assigned to a User Configuration Set (UCS) by the system is always in PDT format. There is no workaround for this issue.

Countdown of VLAN fail-safe and message logging (CR55593)
In this version of the software, the countdown message for VLAN fail-safe is not logged. There is no workaround for this issue.

HTTP::host accessor with Fast HTTP profile (CR55688)
When using a Fast HTTP profile and an iRule containing [HTTP::host], the system displays an error. To resolve this issue, use the accessor, [HTTP:header "host"], which is the equivalent of [HTTP::host].

L7 mirrored connections after restart and failover (CR55926)
If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.

Receiver side SACK report and stale information (CR56169)
During normal operations, the receiver side SACK report can contain stale information. There is no workaround for this issue.

[HTTP::uri] accessor in LB_Failed iRule with HTTP profile (CR56173)
The system currently does not allow the accessor [HTTP::uri] in an LB_FAILED iRule event with an HTTP profile. There is no workaround for this issue.

Preferred Method setting in HTTP profile (CR56196)
The set of HTTP profile settings in the Configuration utility does not display the Preferred Method setting for HTTP data compression when the Compression add-on is licensed. Although the setting does not show, the system uses Deflate as the default setting. This default value differs from the 9.2.x default value, which is Gzip.

HTTP::disable command and server responses (CR56257)
The HTTP::disable command logic assumes that the HTTP::disable command is always called with a client-side connection flow. This is incorrect, and can cause problems that lead to the system not passing the server response back to the client after the HTTP::disable command has been called on a connection. To work around this issue, when you are calling from the server side, use the client-side { HTTP::disable } command.

Persist records for IPv6 nodes (CR56375)
When you run the b persist show command to view pools that contain IPv6-formatted nodes, the system truncates the output to show only the last four bytes of the IPv6 address.

Archive of syslog-ng.conf file (CR56497)
When you create a User Configuration Set (UCS) archive, the file syslog-ng.conf is not included. For more information about UCS files, see SOL4423: Overview of UCS archives and SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive.

Media type for D51F platform (CR56557)
The Configuration utility incorrectly shows the media type for the D51F SX interfaces as being 100baseT. The correct value is 100baseSX.

Interrupting the remote install (CR57014)
Interrupting the remote install process on the BIG-IP 1000 (D39), BIG-IP 2400 (D44), BIG-IP 5100 and 5110 (D51) platforms may cause the install to fail when you attempt to restart the install process.

TMM memory allocation restrictions and iRules (CR57252)
If an iRule attempts to buffer more than four megabytes of data into a Tcl variable, the Traffic Management Microkernel (TMM) service could become unavailable. This is due to a four-megabyte TMM restriction on contiguous memory allocation.

EUD and external connections (CR57360, CR57362)
When the End User Diagnostics (EUD) software runs, it assumes that there is no external traffic in or out of the BIG-IP system, but external peers can still detect link connectivity and send traffic to the BIG-IP system. This can cause the EUD internal packet path test to fail. We recommend that you remove all external connections from the BIG-IP system before running the EUD.

ConfigSync saving syslog.conf instead of syslog-ng.conf (CR57597)
The ConfigSync operation does not include the the syslog file, syslog-ng.conf.

Syslog-ng: uninitialized interfaces after syslog-ng fails to start or if it has been manually configured (CR57698)
If the syslog-ng utility does not start or if you have manually configured the syslog-ng utility, the system interfaces might not initialize properly after you upgrade the system. For more information, see SOL5872: BIG-IP does not pass traffic and non-management interfaces are non-responsive after upgrading BIG-IP to version 9.1.1 or 9.2.2 and SOL5879: BIG-IP does not pass traffic and non-management interfaces are non-responsive if syslog-ng fails to start.

Chain certificate and client EXPORT cipher (CR58020)
You can use the chain attribute of the SSL profile to instruct the virtual IP address to send an extra certificate to the client. If the client connects with an EXPORT cipher, however, the virtual IP address does not send the extra certificate. You can force the virtual IP address to send the extra certificate by specifying that same certificate or the chain's issuer certificate in the ca file attribute. For an example of how to configure the ca file attribute, see Forcing the send of an extra certificate.

Console baud rate on upgrade from 9.x to 9.1.2 (CR59186, CR59156)
During the upgrade from BIG-IP version 9.x to version 9.1.2, if console baud rate is set to a different value than 19200, you will lose the console connection to the system. For more information about this situation, see SOL5916: Loss of console access after upgrading from v9.x to v9.1.2. For information about setting the serial console baud rate for BIG-IP version 9.1.2, see SOL5919: Setting the serial console baud rate for BIG-IP version 9.1.2.

Large number of items in a file to be merged (CR59487)
When a file you are merging contains over 30 items, running the b merge command to update pools from the command line produces the following error:

BIGpipe: pool member deletion error:
01030060:3: eXtremeDB - cursor is not valid

You might be able to prevent the error by issuing a b save command before the b merge command.

Detached client-side connections (CR59667)
The bigpipe conn command should report detached client-side connections as being detached, rather than showing statistics rolled over from server-side connections.

Renegotiate size command in SSL profile(CR60596)
Although you can specify a value for the Renegotiate Size option in the client and server SSL profiles, the system does not use the value for SSL renegotiation throughput size.

Client SSL and Server SSL profile statistic (CR61705)
For Client SSL and Server SSL profiles, the in value for the (in, out) = decrypt statistic always shows 0. This is a display issue and does not impact the functionality of the profile.

EXPORT ciphers in SSL profiles (CR61828)
When you use the EXPORT ciphers in an SSL profile, the BIG-IP system cannot resume an SSL session and therefore causes a client to request a reauthentication each time a new page is loaded.

Self-signed certificates and NULL parameter in signature data (CR61979)
The BIG-IP system-provided self-signed certificates are missing the NULL parameter in the signature data. For more information, see SOL5786: Known Issue: BIG-IP self-signed certificates may be formatted incorrectly.

4.x-to-9.1.x upgrade of SNAT pools (CR61983)
If you are upgrading from version 4.5 PTF-04 through version 4.5.12 to version 9.1.3 and your configuration contains SNAT pools, the One Time Conversion Utility (OTCU) halts when attempting to convert them. To work around this issue, remove any SNAT pools you have before running the OTCU. Then re-create the SNAT pools after upgrade to version 9.x is complete.

Baud rate change and logon requirement (CR62606)
When you change the baud rate, the system requires you to log in again. This is because the change to the baud rate necessitates stopping and restarting the processes associated with maintaining the status of logged on users.

SNAT mirroring when connections handled by another virtual server (CR62736)
In a way, SNATs are actually wildcard forwarding virtual servers that are active only for traffic sourced from certain addresses. However, the forwarding part of SNAT has very low priority, so as soon as there is any other virtual server matching the flow, SNATs turn into pure address manipulation, and all flows are created and managed by the virtual server matched based on destination (or VLAN). Since the forwarding virtual server might not have mirroring turned on, no flows are mirrored. To work around this situation, you must create a SNAT specifically for traffic that you want mirrored (using the origin and mask). You must then create a forwarding virtual server whose traffic does not match the SNAT (using destination address, or enabled on VLAN setting, or iRule), and turn on mirroring there.

SSL and method-switching in open session (CR63250)
The Secure Sockets Layer (SSL) filter can switch methods on OpenSSL after the session has opened, which can cause a system halt. This appears to be a problem in the OpenSSL stack.

Virtual address and ARP disable-enable (CR63429)
When you enable Address Resolution Protocol (ARP) on a virtual address and then synchronize the configuration to the peer unit, the ARP setting is not enabled properly in the running configuration on the peer unit. When this occurs, the peer unit sends erroneous service unavailable messages. To work around this issue, enable the ARP setting directly on the peer unit as well as on the running configuration.

Command line interface and deletion of active system authentication source definition (CR63575)
Using the command line interface, you can delete an active system authentication source definition. No validation check is being done.

ConfigSync and null responses (CR63857, CR63860)
Sometimes, when the system attempts a ConfigSync operation, the system receives a null response after issuing the command. This can happen for various reasons: for example, trying to start a ConfigSync operation to an IP address with no physical device attached. Although the operation fails, the system does not present an error message at the command line. In the browser-based interface, the system presents the message: Error executing shell command. However, because subsequent operations expect content on the screen instead of a message, the error condition causes the ConfigSync operation to fail. This condition occurs very intermittently; there is no reliable set of steps that reproduce the problem. You can work around this issue by running the ConfigSync command from the command line.

pool member iRule command when specified member is down (CR64173)
If a monitor marks a specific pool member down, and that member is specified in a pool member iRule command with a port number, the system directs the connection to that node. If you do not specify a port number, the system does not direct the connection to that node, and an LB_FAILED event occurs.

Fifth add-on key and license (CR64176)
In order to activate a fifth registration key, you must remove one of the existing add-on registration keys and then add the key you want. Then, you can add back the key that you previously removed, and all add-on registration keys will be enabled.

FIPS card after failed initialization (CR64530)
On systems containing Federal Information Processing Standard (FIPS) cards, if you ignore the warnings and create a password shorter than seven characters, the resultant installation does not work. If your system is already in this state, you can resolve the issue by installing a 9.2.x version of the software, reinitializing the FIPS card under that version, and then reloading under version 9.1.3.

Fastest (node) load balancing method for pools (CR65037)
In the Load Balancing Method list for pools, there is a Fastest (node) option. When you select the option, however, the system uses round-robin style load balancing instead.

Missing log entry after syslog-ng restart (CR67159)
The syslog-ng utility appears to miss the first message after restarting the syslog-ng process. The first event after restart is not written to the log, and the system does not send the message to the remote syslog server.

Redirect rewrite with non-standard port (CR67241, CR67505, CR67509)
When you set an HTTP profile Redirect Rewrite setting to All, if the HTTPS virtual server is running on a non-standard port, that port is not inserted into the rewritten location URL. The node sends an HTTP redirect whose URL uses the node's IP address. On the client side, the redirect URL is translated to HTTPS protocol and the virtual server's IP address, but no port is present. You can use an iRule to work around this. For an example of an iRule you can use to work around this situation, see the workaround Rewriting the redirect address when using a non-standard port.

Full or assisted acceleration in Fast L4 profile and RST packet (CR67454)
In virtual servers configured with a Fast L4 profile with PVA Acceleration set to Full or Assisted, the system does not send a reset packet (RST) after the connection times out even though Reset on Timeout is enabled.

Small client MTU and EXPORT cipher (CR67515)
When the cipher EXPORT40:HIGH:MEDIUM is set in the client SSL profile, and the client maximum transmission unit (MTU) size is small (for example, less than 640), the iRule fails to insert the certificate. For an example iRule you can use to work around this issue, see Triggering certificate insert with an iRule.

Indefinite SSL session cache timeout (CR68996)
Setting a client SSL profile cache timeout to Indefinite results in a timeout of five seconds. As a result, sessions are never resumed. In this release, the longest period you can set the cache timeout to is one day.

VLAN fail-safe timeout algorithm and low timeout values (CR69383)
When the VLAN fail-safe is set to a small value (for example, 10 seconds), a rounding error in the VLAN fail-safe algorithm can trigger VLAN fail-safe every four or eight hours under sustained load. To work around this issue, set the VLAN fail-safe Timeout to a value larger than 15 seconds

Interaction between SSL cipher settings and server key size in browser (CR69433)
When you set ciphers EXPORT in a client SSL profile, and the server public key length is less than or equal to 512 bits, Microsoft® Internet Explorer® terminates the SSL handshake. This does not occur when the key length is 1024 or longer.

Default SSL profile change propagation (CR70569)
Changes to the default client SSL profile do not automatically propagate to child profiles. The workaround is to create an intermediary profile from the default client SSL profile, and then use that profile as the parent.

ZebOS and other routing protocol (CR70610)
The ZebOS® Network Services Module (NSM) daemon might halt unexpectedly while trying to delete a route from its internal database. This problem occurs in configurations running Open Shortest Path First (OSPF) together with other routing protocols, for example, Routing Information Protocol (RIP) or Border Gateway Protocol (BGP).

HTTP redirect_rewrite and long destination addresses (CR71317)
The system stops processing an HTTPS connection when rewrites are enabled and the server sends a long destination URI. In this case, "long" is a URI approaching 1500 bytes. To work around this problem, disable the Redirect Rewrite setting in the HTTP profile. For an example of how to do this if you are rewriting HTTP-to-HTTPS addresses, see the workaround Rewriting long URIs in HTTP-to-HTTPS addresses.

UPN in x509v3 extensions SubjectAltName (CR72445)
The system does not successfully parse and return the Microsoft Universal Principal Name (UPN) from certificates.

Database variable using default value in UCS not restored over explicit value (CR73680)
If you have a User Configuration Set (UCS) that contains a bigdb database variable that uses a default value, the process of upgrading overwrites any explicitly set current value. That is, if you saved a UCS file, and then later changed a bigdb database variable to a value other than the default, rolling forward the old UCS retains the currently specified value. If you want to return bigdb database values to their default state after rolling forward such a configuration, you must explicitly reset the values.

Node status update (CR73808)
Once the system reaches the connection limit for the node, its status changes to Unavailable, and never returns to Available even though all remaining connections end. To correct the status, run the command bp load, or run both of the following commands: bp node <node_number> disable and bp node <node_number> enable.

ConfigSync with administrator password containing a space (CR73854)
The ConfigSync operation fails if the administrator password contains a space. To work around this issue, do not use the space character for administrator passwords.

TCP profile wait settings for immediate and indefinite (CR74242)
The system does not correctly handle the Immediate and Indefinite settings for the Time Wait, Fin Wait, or Close Wait options for a TCP profile. To work around this issue, use specific values. For example, use 2 or 3 seconds to approximate Immediate.

tmsnmpd and overwriting the OID sysObjectID (CR74893)
Under some situations when the sysObjectID OID gets overwritten, a system restart of the tmsnmpd process produces a core file named tmsnmpd.<bld#>.core.gz in /var/core.

Node status when node in multiple pools (CR76667)
When a node is a member of multiple pools (for example, pool_a and pool_b), if the node status is UP in pool_a, but the status is DOWN in pool_b, the system does not indicate that the node is in multiple states. Instead, the system uses the status from only one of the pools, the one whose status was most recently modified.

Very large number of VLANS, new bigip.conf, and host reboot during configuration restore (CR77562)
When you try to restore a configuration that contains a very large number of VLANS (more than 200), and you have a new configuration in the bigip.conf file, the system can spend too long parsing the configuration, which causes watchdog process failures and triggers a host reboot.

Gateway entry and deleting default management route (CR78167)
When you add a default management route, the system adds a corresponding GATEWAY entry to the /etc/sysconfig/network file. If you later remove the default management route, the system does not delete the GATEWAY entry. As a workaround, you can manually remove the GATEWAY statement from the /etc/sysconfig/networks file after deleting the default management route.

iRules with matchclass reference to nonexistent class or object (CR78914)
You can define iRules containing a matchclass statement with a reference to a class or object that does not exist. The iRule loads without error, but running the iRule fails when it attempts to access the missing class or object.

9.1.3 installation onto systems containing 9.3 or 9.4.x (CR79230)
If the system where you are installing already contains 9.3 or 9.4.x software on a slot and you try to install version 9.1.3, installation fails. To work around this issue, you can use the im –force local-install-<> command to force the local installer past the error that stops installation.

Leading asterisk in monitor recv string (CR79580)
In this release, when you specify a leading asterisk in a monitor recv string at the command line, the system returns a cryptic-and-non-critical command line interface error message that references the eXtreme DB tree, but says nothing about the asterisk character. You can prevent the error by specifying a period instead of an asterisk in the monitor definition, which avoids the ambiguous error when you run the bp load command.

System delays resetting monitored resource status to up (CR80980)
If a pool member becomes disconnected from the network, the system marks that pool member as down. If the network connection is restored to the pool member after approximately 48 seconds, the system does not mark the pool member as up until 96 seconds later. For an example of how to work around this issue, see Preventing incorrect reset of monitor resource status.

Report of compression rate limit being exceeded (CR82090)
Because rate-limiting occurs at Layer 7, it is possible for data to be queued up in TCP before it makes its way to the deflate filter for processing, and that could cause communications to spike to over 100Mb/s under the right conditions. This can cause the system to incorrectly report that the compression limit has been exceeded, even if traffic is lower than the license limit.

OneConnect and connection reuse Connection: Close for HTTP 1.0 client (CR82404)
On a virtual server enabled with OneConnect, the system might erroneously return server-side connections to the connection pool even after the client has been closed after sending the Connection: close request. Subsequent client requests might be sent to this server connection, which causes the server to close the connection and not service the associated request. You can work around this issue by using an iRule that disables OneConnect reuse in HTTP_RESPONSE using the command OneConnect::reuse disable. The system handles this condition internally for HTTP 1.1 clients.

UCS conversion and f5emsvr user (CR82704)
The user f5emsvr is created automatically in the /etc/passwd file on a clean installation of version 9.1.2 or 9.1.3. This enables communication between the F5 Networks Enterprise Manager and the BIG-IP system. The upgrade process removes the f5emsvr user if you roll forward a .ucs file that does not contain the user. For more information about User Configuration Set (UCS) archives, see SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive.

[ Top ]

Workarounds for known issues

This section describes the workaround for the corresponding known issue listed in the previous section.

Preventing premature connection closure (CR52482)

This workaround describes how to use an iRule to prevent premature closure of server-size HTTP connections in one-armed configurations. For a description of the known issue, see HTTP connection closure.

 rule xxx {
      if {[HTTP::status] == 200} {
         ONECONNECT::reuse enable
      } else if {[HTTP::status] == 401} {
         ONECONNECT::detach disable

Adding nondefault management routes (CR55546)

This workaround describes how to add nondefault management routes to the /etc/sysconfig/network-scripts/route-eth0 Linux routes configuration file directly. For information about the known issue, see Nondefault management routes and GATEWAY entry in configuration file. The following example shows a sample command in the BIG-IP command line interface.

mgmt route gateway

To create the equivalent route, you type the following entry in the /etc/sysconfig/network-scripts/route-eth0 Linux routes configuration file. via

Forcing the send of an extra certificate (CR58020)

This workaround describes how you can force the virtual IP address to send the extra certificate in the event of a client who connects with an EXPORT cipher. For information about the known issue, see Chain certificate and client EXPORT cipher. Here is an example you can follow to create a workaround specific to your configuration.

In the following example:
  server_mid.crt represents the server certificate signed by midca.crt
  midca.crt represents the intermediate Certificate Authority (CA) certificate
  super.crt represents the top-level CA certificate

  profile clientssl testssl {
    defaults from clientssl
    key "server_mid.key"
    cert "server_mid.crt"
    chain "midca.crt"
    ca file "super.crt"

Rewriting the redirect address when using a non-standard port (CR67241, CR67505)

This workaround describes how to use an iRule to rewrite the redirect address when using a non-standard port. For information about the known issue, see Redirect rewrite with non-standard port.

    if {[HTTP::header exists Location]} {
      set loc [HTTP::header value Location]
      clientside {
        set vhost [IP::local_addr]
        set vport [TCP::local_port]
      set uri "https://$vhost/"
      set len [expr [string length $uri] - 1]
      if {$loc starts_with $uri} {
        set loc [string replace $loc $len $len ":$vport/"]
        HTTP::header replace Location $loc

Triggering certificate insert with an iRule (CR67515)

This workaround describes an iRule you can use to insert a certificate because of a known issue. For information about the known issue, see Small client MTU and EXPORT cipher.

  rule cert_insertwa {
      set cur [SSL::sessionid]
      set ask [session lookup ssl $cur]
      if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0] }
    when HTTP_REQUEST {
      set id [SSL::sessionid]
      set the_cert [X509::whole [session lookup ssl $id]]
      if { $the_cert != "" } {
        regsub -all "\n" $the_cert "" client_cert_insert
        HTTP::header insert SSL_CLIENT_CERTIFICATE $client_cert_insert

Rewriting long URIs in HTTP-to-HTTPS addresses (CR71317)

This workaround describes how to rewrite long URIs in HTTP-to-HTTPS addresses. For information about the known issue, see HTTP redirect_rewrite and long destination addresses.

   rule do_redirection_rewrite {
      if {[HTTP::status] == 302} {
        set location [HTTP::header Location]
        if {$location contains "http:"} {
          set location [string replace $location 0 5 "https:"]
          HTTP::header replace Location $location

Preventing incorrect reset of monitor resource status (CR80980)

You can work around the issue of system delays incorrectly resetting monitored resource status by adding the following lines to the /etc/sysctl.conf file. For information about the known issue, see System delays resetting monitored resource status to up.

# Limit TCP connection initiation attempts to 2 SYN retransmissions
net.ipv4.tcp_syn_retries = 2

After you update this file, reboot the system. You can verify that the system implemented the change by running the following command:

cat /proc/sys/net/ipv4/tcp_syn_retires

If the system implemented the change, the result returned is 2. The system then marks pool members that had network connections removed and subsequently restored as up in fewer than 96 seconds.

[ Top ]


This section lists acknowledgments for software added in this release.

This product includes software developed by Balázs Scheidler <>, which is protected under the GNU Public License.

This product includes software developed by Niels Möller <>, which is protected under the GNU Public License.

[ Top ]

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)