Release Note: BIG-IP LTM and TMOS version 10.2.3
Original Publication Date: 10/15/2013

Summary:

This release note documents the version 10.2.3 release of BIG-IP Local Traffic Manager and TMOS.

Supported hardware

You can apply the software upgrade to systems running software versions 9.3.x, 9.4.x, 9.6.x, and 10.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 10.2.3 Documentation page.

New in 10.2.3

TLS 1.2 Support

This release supports Transport Layer Security (TLS) 1.2, the SHA 2 Cipher, and SHA256 hash.

New in 10.2.2

VIPRION 2400

This release provides support for the new VIPRION 2400 platform, which is designed to provide superior performance. For more information, see Platform Guide: VIPRION 2400.

BIG-IP 8950S

This release provides support for the 8950S, which increases SSL acceleration capabilities (both bulk and handshake) by supporting a quad-processor acceleration card. For more information, see Platform Guide: 8950.

Hyper-V and XenServer hypervisors

BIG-IP Virtual Edition (VE), which runs as a virtual machine in specifically supported hypervisor environments, emulates a hardware-based BIG-IP system running a VE-compatible version of BIG-IP software. In addition to the VMware hypervisor support from earlier versions, this release supports additional hypervisors.

  • Microsoft Hyper-V Server 2008 R2 host using Hyper-V Manager management software
  • Citrix XenServer 5.6

New in 10.2.1

Application templates

This release includes one new application template and one upgraded application template. An application template corresponds to a particular application, such as email access, and provides a fast, efficient way to configure the BIG-IP system to process the associated traffic. The new and upgraded application templates provided in this release are:

  • Microsoft Exchange 2010
  • Citrix XenApp

NEBS support

This release adds support for the new Network Equipment-Building System (NEBS) compliant version of the BIG-IP 11050 platform, and a NEBS-compliant version of our latest high performance blade (PB200) for the VIPRION platforms. For a VIPRION system to be completely NEBS-compliant, you must use a NEBS-compliant chassis and blades. For more information, see the setup guides provided with the hardware, and the Platform Guide: 11050 and Platform Guide: VIPRION platform guides.

New in 10.2.0

BIG-IP Local Traffic Manager Virtual Edition

You can now run the BIG-IP system in a virtual machine environment. BIG-IP Local Traffic Manager Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine, packaged to run with a VMware hypervisor on a machine running Microsoft Windows, or on a Linux-hosted machine. BIG-IP Local Traffic Manager Virtual Edition includes all features of BIG-IP Local Traffic Manager, running on the standard BIG-IP Traffic Management Operating System (TMOS).

EtherIP tunneling between data centers

The EtherIP tunnel is designed as a generic way of bridging two remote data centers. To configure an EtherIP tunnel, you use VLANs that span pairs of BIG-IP systems in separate data centers. This enables uninterrupted support for existing IP connections before and after a live migration event in which the application resource is moved from the local to the remote data center.

Application templates

This release includes additional application templates. An application template corresponds to a particular application, such as generic DNS traffic management, and provides a fast, efficient way to configure the BIG-IP system to process the associated traffic. The application templates added in this release are:
  • Generic DNS
  • Microsoft Exchange 2010 Client Access server (CAS), (formerly known as Outlook Web Access), which supports Outlook Anywhere, POP3, and IMAP4 virtual servers
  • VMware View

XML content-based routing

You can now route XML messages to different destinations based on specific content in a document. The system queries document content using an XML Path Language (XPath) expression, which assures fast, simple, and accurate operation. For example, you can specify a purchase-order (PO) routing scheme, in which the system routes a PO totaling less than $10k to one pool member, and a PO totaling more than $10k to another pool member.

Receive Disable String (RECV drain string) monitor option

In this release, you can configure the Receive String attribute and a new Receive Disable String attribute for HTTP, HTTPS, TCP, and UDP monitors. When configured in certain combinations, these attributes cause all existing connections to be methodically drained from the server instead of being dropped suddenly. This feature is helpful when you are planning to perform maintenance on the server. For configuration information, see Configuring Receive Disable String (RECV drain string) monitor option.

Virtual Location monitor

The Virtual Location monitor optimizes end-user response time in environments with dynamic distribution of application resources across multiple data centers. When using the Virtual Location monitor, the BIG-IP sets the Priority Group value of all local pool members to 2 (a higher priority). When a member of a load balancing pool migrates to a remote data center, the Virtual Location monitor lowers the member's Priority Group value to 1 (a lower priority). This value adjustment results in subsequent connections being sent to local pool members only if available. If no local pool members are available, connections are sent to the remote pool member.

TCP persist timeout configuration (CR75559-8)

There is now a TCP profile option for specifying the length of time that the TCP connection can receive zero-length window probes before the system closes the connection. The Zero Window Length option has a default value of 20000 milliseconds. If you set the value to 0 (zero), the system closes the connection immediately upon receiving a zero-length window probe. The timer starts when an effective window size becomes zero, and stops when the window size becomes greater than zero. When the interval reaches the value specified, the connection is terminated. This setting is useful for handling slow clients with small buffers, such as cell phones.

User authentication lockout

You can now deny access to a user after a configured number of failed authentication attempts. The administrator can then reset the lock to re-enable access for the user.

Public Key Infrastructure/Common Access Card (PKI/CAC) support

The BIG-IP Kerberos Delegation authentication module has been extended so that the system can now transition SSL certificates to Kerberos credentials. More specifically, the BIG-IP Advanced Client Authentication component can offload SSL processing and authenticate the identity of an end-user based on an attribute obtained from a Common Access Card (CAC) certificate.

BIG-IP Access Policy Manager on 3600, 3900, 6900, 6900 FIPS, 8900, 8950, and 11050 platforms

You can provision a free ten-concurrent-connection license of the BIG-IP Access Policy Manager module for web application access management on the following BIG-IP platforms: 3600 (C103), 3900 (C106), 6900 (D104), 6900 FIPS (D104), 8900 (D106), 8950 (D107), and 11050 (E102). The BIG-IP Access Policy Manager is a software component of the BIG-IP hardware platform that provides your users with secured connection to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. For provisioning details, see BIG-IP Systems: Getting Started Guide. For more information about BIG-IP Access Policy Manager and its associated documentation, see Release Note: BIG-IP Access Policy Manager version 10.2.0.

Module integration into the Configuration utility

In this release, the Application Security Manager module and Web Accelerator system are now fully integrated into the BIG-IP Configuration utility.

Support for two new platforms

This release provides support for the new 8950 and 11050 platforms, which are designed to provide superior performance. For more information, see Platform Guide: 8950 and Platform Guide: 11050, available in the AskF5 Knowledge Base.

Logging to RADIUS or TACACS+ accounting servers

When you configure the new logging to RADIUS or TACACS+ accounting servers feature, the BIG-IP system forwards audit log messages to remote Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) servers in appropriate logging format. For configuration information, see Configuring logging to RADIUS or TACACS+ accounting servers.

Installation overview

This document lists only the very basic steps for installing the software. The BIG-IP Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

Installation checklist

Before you begin:

  • If using partitions, reformat for the 10.1.0 and later partition size, if needed (partitions created using version 9.x or 10.0.x do not accommodate the 10.1.0 and later software).
  • Reactivate the license and update the service contract.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are upgrading from version 9.3.x or 9.4.x, run im <downloaded_filename.iso> to copy over the new installation utility.
  • If you are running WAN Optimization Manager, set provisioning to Minimum.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.
 

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running. Software version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: BIG-IP software and platform support matrix.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 9.6.x or 10.x

When you upgrade from software version 9.6.x or 10.x, you can use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help, or the relevant chapters in the BIG-IP Systems: Getting Started Guide.

Important: Upgrading a version 9.6.x platform to version 10.x also performs a BIOS upgrade. (You can find more information in the following Solution: SOL10633: BIOS update may be required before installing BIG-IP version 10.1.0 or later on the VIPRION platform.) If you also apply a version 10.x hotfix when you attempt the software upgrade, the operation fails to install the new BIOS. This can cause additional issues. For more information, see SOL10548: The BIOS of the VIPRION platform is not upgraded when installing BIG-IP version 10.0.x and a hotfix in a single step and SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.x.

Upgrading from version 9.3.x or 9.4.x

If you plan to install this version of the software onto a system running 9.3.x or 9.4.x, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.3.x or 9.4.x to 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP Systems: Getting Started Guide.

Upgrading from versions earlier than 9.3.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x or from BIG-IP versions 9.0.x through 9.2.x. You must be running software version 9.3.x, 9.4.x, 9.6.x, or 10.x. For details about upgrading to those versions, see the release notes for the associated release.

Important: Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up correctly, but the system logs a message every ten minutes reminding you to configure the peer management addresses. To configure the failover peer management addresses, navigate to System > High Availability > Network Failover, and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the configuration. Once you specify both IP addresses, the system should operate as expected. For more information, see SOL9947: Change in Behavior: The Peer Management Address setting is required for BIG-IP version 10.x systems configured for network failover.

Fixes in 10.2.3

The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in 10.2.2 Hotfix 1, 10.2.2 Hotfix 2, and 10.2.2 Hotfix 3. For more information, see SOL13109: Overview of BIG-IP version 10.2.2 cumulative hotfixes.

ID Number Description
ID 221972 Previously, connection flow timers were calculated using a reference from the system time (seconds since epoch). In the event that system time changed, connection flows could be aged out prematurely or removed entirely. Connection flow timers are now calculated using a monotonic timer derived from the system uptime (seconds since boot), not the system time.
ID 223836, CR132172 Support for RFC5746 (SSL renegotiation) has been implemented.
ID 225328 As a tool for diagnosing the cause of TCP RST packets, the system may be globally configured to include a very brief explanation as the payload in each RST packet and/or to log this reason whenever sending a RST packet. This behavior is controlled by setting the corresponding DB variables TM.RstCause.Pkt and/or TM.RstCause.Log to "enable". The default for both is "disable", and this should be considered the correct setting in a production environment, since use of this functionality may impair stability.
ID 225540 The iRule "catch" command now correctly suspends and no longer causes the TMM to crash.
ID 338289 Log throttling is no longer on by default for node status.
ID 342860 The iRule command TMM::cmp_unit can now be used in the RULE_INIT event.
ID 347665 SSL profile names can no longer begin with invalid characters when creating from the GUI. This now correctly matches the validation behavior from the command line.
ID 351133 An iRule with a slash inside of a control statement followed by a return now correctly returns from the event.
ID 355501 The VLAN MTU default value is now correctly displayed in tmsh and in the GUI.
ID 357370 The TLS extension for secure renegotiation is now available from the GUI.
ID 357372 The TLS extension for secure renegotiation is now available within iControl.
ID 358609 The execution of an RTSP::respond command in an iRule no longer causes subsequent requests to the same virtual server to not be serviced.
ID 358811 HA pair partner's TMM no longer cores after a device trust has completed setup.
ID 359375 Errors no longer occur when using commands that suspend the iRule within the CLIENT_CLOSED and/or SERVER_CLOSED events.
ID 359771 New HSB v2.1.40.20 Bitstream for the 11000 and 11050 platforms.
ID 359853 Using mkdsk to create a USB thumbdrive installation disk now works correctly on all platforms.
ID 362284 SSL session entries now correctly expire after cache timeout has expired.
ID 362619 A memory leak in real-time statistics (rtstats) has been fixed.
ID 363504 A defect which could cause TMM to core with a SIGFPE and the following panic message has been fixed: "Request for segment from middle of queue"
ID 363532 LTM no longer drops ICMP unreachable packets received from clients to VIPs configured for nPath.
ID 363547 In this release, the failsafe action correctly occurs immediately when a VLAN group member triggers a failsafe condition, regardless of the state of other VLANs in the group.
ID 364037 "Use 'tmsh modify gtm server <server_name> expose-route-domains yes' to allow the GTM server <server_name> to auto-discover LTM virtual servers from all route domains. This requires that GTM auto-discovery be enabled and server-level virtual server auto-discovery be enabled for the GTM server <server_name>. Notes: * This may cause ip address and/or port conflicts between GTM virtual servers for that server. * This flag must remain set to 'yes' for bigip monitor probing to work for the GTM virtual servers which correspond to LTM virtual servers from other route domains."
ID 364130 Using iRules with session tables, you are now able to get the values from table keys -subtable on both the client-side and server-side.
ID 365395 SNMP traps are now correctly sent, with OID .1.3.6.1.4.1.3375.2.4.0.93, when any 6900 or 8900 platform sensors exceed the acceptable threshold.
ID 365507 The required character sets jar file has been included to allow the MSSQL monitor to support multiple language encodings.
ID 365840 The software is now tied to a license flag to enforce throughput limits.
ID 365893 TMM now correctly validates the sequence number on RST packets before removing connections on Virtual Servers using a FastL4 profile.
ID 366057 Mirrored connections on a standby unit can now be deleted when the channel is down.
ID 366419 Evaluate transfer-encoding headers in a case-insensitive manner to ensure proper interaction of compression and chunked encoding.
ID 366505 Byte Range requests sent to the Admin GUI or an APM login page are now limited to at most 5 byte range sets, to prevent the vulnerability described in CVE-2011-3192.
ID 366601 The marketing name for part number 200-0194-04 is no longer incorrectly identified as a 6600 platform.
ID 366643 RIPD v7.5 nexthop logic was corrected using code from ZebOS 7.8. This change causes the appropriate nexthops to be deleted from the list of nexthops for a prefix based on its metric.
ID 366831 Removed the DigiNotar CA certificate.
ID 366881 Previously, if a chassis had a blade present at some point and then that blade was permanently removed (or specifically if the TMMs on that blade were permanently stopped), the remaining blades in the chassis would incorrectly think the missing blade had returned after a 25 day period. Traffic is no longer sent to the missing blade, preventing lost traffic.
ID 366918 VIPRION 2400 blades now compute IPv6 checksums in hardware.
ID 367082 This release corrects an issue where gtmd could grow excessively.
ID 367297 TMM no longer leaks memory due to the usage of source address persistence with map proxies set to its default (enabled).
ID 368589 OPSWAT signatures have been updated to version 3.4.27.
ID 369337 The IP geolocation database was updated to a version dated 2011/10/06.
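
As an added illustration of the ID 366505 fix above (example code written for this page, not F5's implementation): a Python check that parses a Range header and flags requests carrying more than five byte-range sets. The function names, the "allow" / "ignore" / "over_limit" outcomes, and the sample requests are assumptions constructed for the example.

```python
import re

MAX_RANGE_SETS = 5  # cap stated in the ID 366505 fix note

# One byte-range-spec: "first-last", "first-" (open-ended) or "-length" (suffix).
_RANGE_SPEC = re.compile(r"(?:(\d+)-(\d*)|-(\d+))")


def parse_range_header(value):
    """Parse a Range header value into a list of (first, last) tuples.

    An open-ended range "N-" becomes (N, None); a suffix range "-N" becomes
    (None, N). Returns None when the header is not a well-formed bytes range.
    """
    unit, sep, spec_list = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for raw in spec_list.split(","):
        spec = raw.strip()
        if not spec:
            continue  # tolerate empty list elements such as "0-1,,2-3"
        match = _RANGE_SPEC.fullmatch(spec)
        if match is None:
            return None
        if match.group(3) is not None:
            ranges.append((None, int(match.group(3))))
            continue
        first = int(match.group(1))
        last = int(match.group(2)) if match.group(2) else None
        if last is not None and last < first:
            return None  # an inverted range invalidates the whole header
        ranges.append((first, last))
    return ranges or None


def check_range_request(value, max_sets=MAX_RANGE_SETS):
    """Classify a Range header value.

    "allow"      - well-formed and within the cap
    "ignore"     - malformed; treat the request as if it had no Range header
    "over_limit" - more range sets than the cap (what the caller does next,
                   for example refusing the request, is a policy assumption)
    """
    ranges = parse_range_header(value)
    if ranges is None:
        return "ignore"
    if len(ranges) > max_sets:
        return "over_limit"
    return "allow"


def over_limit_clients(requests, max_sets=MAX_RANGE_SETS):
    """Return the client labels whose Range header exceeds the cap."""
    return [client for client, header in requests
            if check_range_request(header, max_sets) == "over_limit"]


# Constructed sample requests: (client label, Range header value).
SAMPLE_REQUESTS = [
    ("client-a", "bytes=0-499"),
    ("client-b", "bytes=0-99, 200-299, -500"),
    ("client-c", "bytes=" + ",".join(f"{n}-{n + 9}" for n in range(0, 70, 10))),
    ("client-d", "pages=1-2"),
]

if __name__ == "__main__":
    for client, header in SAMPLE_REQUESTS:
        print(client, check_range_request(header))
```
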

Fixes in 10.2.2

The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1, SOL12778: Overview of BIG-IP version 10.2.1 HF2, and SOL12816: Overview of BIG-IP version 10.2.1 HF3.

ID Number Description
IPv6 trunk hashing IPv6 performance improvements for the BIG-IP 3900, 8900, and 8950 platforms, and VIPRION platforms using blade 4200 (also referred to as blade PB-200) by correcting the IPv6 trunk hashing issue.
UDP performance This release provides UDP performance improvements through use of the Stateless virtual server type.
ID 222455, CR119790 TMM previously queued only one packet per flow for a given destination when there was a pending neighbor ARP response. The default depth is four packets and can be configured by adding the bigdb variable tmm.nbr.pbqlen.
ID 224060, CR133759 On 1600, 3600, 3900, 6900, and 8900, and 8950 platforms, the values in the sysIfxStat portion of the F5-BIGIP-SYSTEM-MIB file are now updated properly.
ID 224966, CR138207 When the nameservers are changed using b db nameserver, the system restarts httpd service to reload the DNS configuration.
ID 227144, CR142802 When load balancing UDP datagrams, the flow table is properly checked in order to prevent a server-initiated flow from inadvertently using the same port as an in-progress client-initiated flow.
ID 339291 The default maximum size of the IPv6 routing table has been increased to 8192 entries.
ID 345944 BIND has been updated to mitigate two vulnerabilities, tracked by the Common Vulnerabilities and Exposures (CVE) project as CVE-2010-3613 and CVE-2010-3615.
ID 340336 The peer certificate mode auto is now the functional equivalent of ignore. The mode auto remains, but functions the same as ignore.
ID 341804 (ID 341276 duped to ID 341804) Predictive and observed load balancing methods now choose the expected pool member even when there are no other concurrent connections.
ID 346107 When using VLAN groups, egress traffic is correctly handled (no longer dropped) when the egress VLAN is the same as the ingress VLAN, when using a non-VLAN-group listener.
ID 346202 On the VIPRION system, the system_check utility now correctly checks the temperature on all blade types.
ID 346501 Clients can now connect with 4096-bit key/certificate pairs to virtual servers that utilize cryptographic acceleration hardware and require client certificate authentication.
ID 346901 The 8900 NEBS platform is now checked properly for timezone updates.
ID 347628 You can specify the netmask in an iRule in dotted quad format, for example, /255.255.255.0. In versions 10.0.0 through 10.2.1 of the software, this functionality was deprecated. In 10.2.2, the functionality has been restored.
ID 347838 This release corrects an issue that caused ICMPv6 traceroute to BIG-IP to always fail.
ID 349312 The firmware and bootloader versions for the 8900 platform are now correctly cached during system startup and no longer generate an error message.
ID 350434 In previous releases, certain iRule commands (for example, table and persist) might not complete when executed in the CLIENT_CLOSED event. In this release, commands of this type complete correctly.
ID 350218 Link Aggregation Control Protocol (LACP) now properly enforces the partner SysId match check to prevent aggregation of ports connected to different remote switches.
ID 353934 File and directory permissions for /shared/ssh/root now have the proper umask settings.
ID 355152 This release corrects a chmand process leak that occurred on the 1600, 3600, 3900, 6900, 8900, 8950, 11000, and 11050 platforms (more specifically, platforms with the Always-On Management (AOM) subsystem).
ID 356718 In appliance mode, running an edit command in tmsh invokes the nano editor instead of the vi editor.

Fixes in 10.2.1

The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1 and SOL12778: Overview of BIG-IP version 10.2.1 HF2.

ID Number Description
CR85137 The system now honors the Maximum Transmission Unit (MTU) value for VLANs.
ID 224391, CR135937 The system now correctly parses iRule if commands that contain an escape character previously described as a suspended command following an escaped newline character.
ID 224506 TCP connections on a FastL4 virtual server with mirroring enabled now have the handshake timeout set correctly.
ID 224726 Clustered multi-processing (CMP) enabled forward listeners no longer map ephemeral ports created for passive FTP clients to the incorrect VLAN when VLAN-keyed connections are disabled.
ID 224958 The CLIENTSSL_DATA event now fires correctly regardless of whether or not a pool or profile is configured.
ID 225257, CR138907 syscheck no longer causes cron to log the benign error message "chdir(HOME) failed: (No such file or directory)".
ID 225448, CR139406 The system now correctly supports 4096-bit SSL keys to configure Server SSL profiles.
ID 225618 Session Initiation Protocol (SIP) support is now more stable when using the iRule drop command.
ID 225747 Enhancements have been made to the Traffic Management Microkernel (TMM) with respect to iRules and clustered multi-processing (CMP).
ID 225930 When the Client SSL profile is configured to require a certificate, the client would reject the serverHello message due to excessive data, and the system logged a message Apr 26 16:31:56 local/tmm1 info tmm1[5208]: 01260013:6: SSL Handshake failed for TCP from 10.10.7.163:20000 to 10.10.1.0:35937. This has been corrected and clients no longer reject the serverHello message.
ID 225957 Previously, when a pool member or a node that was set to Forced Offline was set to Enabled by a user, the pool member or node's state would be set to checking. Now, when a pool member or node is set to Enabled from the Forced Offline state, its status is set to Down until the associated health monitors bring it back up.
ID 226188 On early 8400 and 8800 platforms, using the 10 Gig-E interfaces, frame sizes of 1514 and 1518 bytes no longer cause a connected switch to report frame check sequence (FCS) errors, due to a mismatch between the physical MTU and the reported MTU.
ID 226397 FastL4 connections using SYN cookies and a profile with tcp generate isn set now work correctly.
ID 226399, ID 248017, CR141404 VIPRION systems correctly handle traffic after configuring a wildcard virtual server or a virtual server listening on UDP port 62720.
ID 226531 The WMI and Real Server monitors are now compatible with route domains.
ID 226783 BIND now responds correctly to DNS requests against IPv6 self IP addresses.
ID 226818, ID 226920 Enhancements have been made to SSL client certificate handling in resumed sessions.
ID 226969 Fragmented Datagram Transport Layer Security (DTLS) requests are now handled properly.
ID 226971 The SSL filter now properly responds with a full SSL handshake when an SSL connection is renegotiated with Firefox and Safari browsers.
ID 227062 Diameter flows are now torn down more reliably.
ID 247801 When the static ARP entry is added while a dynamic entry exists for the same address, the static ARP entry takes precedence, and you no longer see two ARP entries for the same address.
ID 248342, CR85137 Attempting to delete a nonexistent NTP server no longer causes the server to be added.
ID 324272 Log messages for pool member status changes are no longer throttled, so that the system reports all pool member status changes.
ID 324276 Statistics query performance for pool members and node addresses has been improved.
ID 324283 The SNMP DCA monitor now sends the Community string properly to monitored nodes.
ID 324287 The bgpd service no longer intermittently sends corrupted route update messages to peers.
ID 324297 The High Speed Logging feature can now correctly log binary data.
ID 324299, ID 324310 Memory configuration issues on the 3900, 6900, and 8900 platforms with Local Traffic Manager, Application Security Manager, and WebAccelerator system modules have been resolved.
ID 324303 A memory leak and crash condition with SSL has been fixed.
ID 324325 Performance improvements have been made to the FIPS driver to enhance performance on platforms with CMP (Clustered Multi-Processing).
ID 324326 The BIG-IP system now supports pipelining for configured HTTP/1.0 clients.
ID 324329 Enhancements for Traffic Management Microkernel (TMM) stability now prevent a potential crash when an SSL renegotiation request is received after processing a shutdown event.
ID 324330 HTTP requests that did not specify the HTTP version (that is, HTTP version 0.9 requests) were erroneously reported as having a bad http version violation. This has been corrected.
ID 324334 An error with processing of packets smaller than 64 bytes and applying minimum size padding in hardware on platforms with HSB has been mitigated by switching to performing minimum size padding in software.
ID 324335 When using the ACCESS::session data get and ACCESS::respond combination in an iRule on systems with clustered multi-processing (CMP), the tmm service could have become unresponsive. This has been resolved.
ID 324337, ID 337159 Clicking the Update button on the Network Failover screen in the browser-based Configuration utility no longer triggers a failover operation, which caused the active unit to switch to standby.
ID 324345 This release fixes a kg_accept_krb5 function vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2010-1321 to the problem. For more information about the vulnerability, see CVE-2010-1321.
ID 324348 Memory allocation for WebAccelerator system can now be provisioned by administrators.
ID 324355 The Generic HTTP virtual server application template has been updated to contain the correct syntax for the HTTP monitor.
ID 324361 On platforms with Packet Velocity application-specific integrated circuit (PVA), a restart of the pvad service no longer produces UDP path probes with bad checksum values, which caused the system to drop the packets. This issue has been resolved.
ID 324362 Under certain conditions in which the mcpd service received a high volume of messages, a timer became accelerated and triggered an early scrub of the Link Aggregation Control Protocol (LACP) packet registry, which prevented forwarding of packets, and resulted in lacpd warning messages in the logs. This version of the software corrects this issue.
ID 324363 This release fixes a GhostScript 8.70 and 8.64 parser function vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2010-1869 to the problem. For more information about the vulnerability, see CVE-2010-1869.
ID 324364 Specifying GMT0 as the time zone no longer prevents the browser-based Configuration utility from updating the system configuration.
ID 324366 Users can now configure an SSL proxy between Enterprise Manager and a managed device.
ID 324368 Users who are not administrators or superusers (that is, users with the role of Manager) can now import/export on partitions for which they have access permissions.
ID 324372 Kerberos protocol transition now works with keep-alive settings.
ID 335621, CR140560 The mcpd process no longer restarts on secondary blades on the VIPRION system after resetting statistics on objects in administrative partitions other than the Common partition.
ID 336848 SSL certificates and their chain of authority certificates may now be contained in the same file.
ID 337378 Session tickets are now disabled for SSL sessions using COMPAT ciphers, which corrects an issue that occurred when session tickets were enabled.
ID 337382 Route domain selection is now honored properly for web applications with servers in route domains other than the default.
ID 338062 On 3400, 6400, 6800, 8400, and 8800 platforms, that is, platforms with Packet Velocity application-specific integrated circuit (PVA), the system now correctly sends ICMP Unreachable - Fragmentation Needed packets to FastL4 virtual servers set for PVA assist.
ID 338148 Inherited Client SSL profile attributes changed on the parent are no longer out of sync between the primary and secondary blades on a VIPRION system.
ID 338708 The mcpd process no longer leaks memory when changes are made to node monitors in non-common partitions.
ID 338827 IPv6 autoconfiguration now works across VLAN groups.
ID 338852 Full hardware acceleration is more accurately applied on 6800 platforms.
ID 339379 Traffic Management Microkernel (TMM) now responds correctly when the virtual server references an iRule with the HTTP::header sanitize command.
ID 339524 Improvements have been made to SSL offloading when processing requests with malformed SSL application data.
ID 339586 The pvad service now properly marks nodes as up to allow for full Packet Velocity application-specific integrated circuit (PVA) acceleration.
ID 339735 When attempting to configure Web Cache Communication Protocol (WCCP) between a BIG-IP system and a Cisco Nexus 7000 switch using the Layer-2 routing method, the Cisco switch would log errors stating that the WCCP packet length was invalid. This has been corrected, and WCCP in Layer-2 routing mode now functions properly between BIG-IP systems and the Cisco Nexus 7000.
ID 339744 This release corrects the condition that caused Traffic Management Microkernel (TMM) core events that produced a ** SIGSEGV ** and included the following notices: notice fault addr: 0x68 and notice fault code: 0x1.
ID 339847 The msktutil and domaintool utilities no longer crash when run by an unprivileged user, reporting the message glibc detected-msktutil: munmap_chunk: invalid pointer: 0xff920190. The output now correctly reports that the logged on user must be an administrator.
ID 339955 The Configuration utility now correctly updates the /config/bigip_sys.conf file so that ConfigSync or configuration reload does not disable initial network failover configuration.
ID 340407 Basic TCP monitors that are associated with a pool or pool member that is not listening on the monitored port no longer erroneously mark a node up when it is actually down.
ID 340651 This release corrects the condition on VIPRION platforms, in which setting the db variable vlan mac assignment to global resulted in some or all of the VLANs receiving a zero MAC assignment, which could cause no traffic to pass on a VLAN. You can now set db variable vlan mac assignment to global and there are no longer VLANs with MAC address of zero.
ID 340696 The system now correctly handles a large number of self IP addresses or VLANs when starting up the ntpd process, and no longer halts with a segmentation violation or related crash.
ID 341217 The system now correctly removes the trailing semicolon (;) and whitespace when removing an HTTP cookie from HTTP header data.
ID 341404 VLAN group Proxy Exclusion List now correctly loads on secondary blades in a VIPRION cluster.
ID 341414 The system no longer incorrectly uses the CompactFlash card as a swap partition. Now, the system correctly uses a swap partition on the system hard drive.
ID 341655 This release corrects a problem where ARP handling resulted in packet loss under certain packet-delay conditions.
ID 342010 Use of the table keys -subtable iRule command no longer causes a memory leak.
ID 342357 A defect in processing ActiveSync, clientless POST operations has been corrected.

Fixes in 10.2.0

The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL11853: Overview of BIG-IP version 10.2.0 HF1 with the exception of the following Change Requests (CRs):

  • CR136629: The performance of queries for pool member and node address statistics.
  • CR139372: The High Speed Logging feature and logging binary data.

This release includes the following fix.

ID Number Description
CR134037 Corrected fixed-ratio calculations to improve performance and accuracy.
Note: After you have installed the software, you can use any of the following configuration options to update your configuration.

Configuring Receive Disable String (RECV drain string) monitor option

Receive Disable String (RECV drain string) monitor option: The Receive Disable String advanced configuration setting applies to HTTP, HTTPS, TCP, and UDP monitors. You can use a Receive String value together with a Receive Disable String value to match the value of a response from the origin web server and create one of three states for a pool member or node: Up (Enabled), Up (Disabled), or Down. When a pool member or node is Up (Enabled), a new connection can be made. When Up (Disabled), a new connection cannot be made, existing connections become depleted, and maintenance can be performed on the server. When Down, a new connection cannot be made, existing connections are immediately terminated, and maintenance can be performed on the server. Additionally, if you choose to set the Reverse setting to Yes, the Receive Disable String option becomes unavailable and the monitor marks the pool, pool member, or node Down when the test is successful.

Receive String matches | Receive Disable String matches | State of pool member or node
Yes | No | Up (Enabled)
No | Yes | Up (Disabled)
No | No | Down
Note: F5 Networks recommends using mutually exclusive values for Receive String and Receive Disable String. If a response matches both values, the monitor indicates the state as Up (Enabled).

Configuring logging to RADIUS or TACACS+ accounting servers

This release introduces RADIUS and TACACS+ accounting support, where syslog messages that are written to the /var/log/audit log are sent in encrypted form to either a RADIUS (port 1813) or TACACS+ (port 49) accounting server. You can use the Traffic Management shell (tmsh) to configure the RADIUS or TACACS+ components.

To configure the BIG-IP system for logging to RADIUS or TACACS+ accounting servers

  1. In the browser-based Configuration utility, navigate to System > Logs > Options and select Enable from the bigpipe list in the Audit Logging section.
  2. Using the tmsh utility on the command line, navigate to the /sys module.
  3. Within the /sys module, modify the config.auditing.forward.destination component to use an IPv4 or IPv6 address for the destination. For example, to configure a destination IPv4 address of 192.168.10.1, use the following command: tmsh modify sys db config.auditing.forward.destination value 192.168.10.1
  4. Modify the config.auditing.forward.sharedsecret component to use a secret string. For example, to configure a secret string called mysecret, use the following command: tmsh modify sys db config.auditing.forward.sharedsecret value mysecret
  5. Modify the config.auditing.forward.type component to use either radius or tacacs+. For example, to configure tacacs+, use the following command: tmsh modify sys db config.auditing.forward.type value tacacs+

After you complete these steps to configure RADIUS or TACACS+ accounting support, the system automatically creates a log file in the destination specified.

Note: Here are some additional considerations for configuring RADIUS or TACACS+ accounting support:
  • If connectivity to the remote auditing server is lost, messages are not transmitted and there is no message-retransmission mechanism. You can still find those messages in the /var/log/audit log on the BIG-IP system, however.
  • All messages are fully written to the log file on the BIG-IP system; however, on the accounting server, messages are truncated to 255 characters.
  • When you set the variable type to radius or tacacs+ for config.auditing.forward.type, you must also specify a secret string for config.auditing.forward.sharedsecret.
  • You must use port 1813 for logging to RADIUS accounting servers, and port 49 for logging to TACACS+ accounting servers.

To disable logging to RADIUS or TACACS+ accounting servers

  1. Navigate to the /sys module.
  2. Within the /sys module, set the config.auditing.forward.type component to none using the following command: tmsh modify sys db config.auditing.forward.type value none

To customize messages from the audit log to the accounting servers

  1. Modify the Tcl procedure called Transform in /etc/syslog-ng/audit_forwarder.tcl. (You must use the exact procedure name Transform.)
  2. To have the change take effect, run the command bigstart restart syslog-ng at the tmsh command line.

Note: This feature gives you total control over what is sent to the accounting server. However, although you can modify the script in any way to change what is sent to an accounting server, F5 Networks supports only the unmodified script.
Note: Here are some additional considerations for customized messages:
  • A Transform procedure for a customized message must return a transformed string.
  • Default functionality for a customized message leaves the message unchanged when the Tcl procedure is omitted, the Tcl file does not exist, or an error occurs on evaluation.
  • This procedure does not modify messages written to the /var/log/audit file.

Tcl Transform procedure options for customized messages

You can also use the following additional Tcl procedures. These procedures are mutually exclusive, so uncomment only the one you want to use and comment out the other one.

  • To configure the /etc/syslog-ng/audit_forwarder.tcl script not to send variants of bigpipe show and bigpipe list commands, comment out the top procedure and uncomment the second procedure in the file.
  • To modify the Tcl script to skip the first 16 characters, comment out the second procedure, and uncomment the third procedure. This eliminates the date and time portion of the message. Since the accounting server truncates messages to 256 characters, this might be useful to include more relevant data from longer messages.
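
The timestamp-skipping option described above, written out as an added example (it is not F5's shipped script or code from this release note). It assumes that Transform receives the audit message as its single argument; the length cap uses the 255-character figure given earlier in this note, and the sample lines are constructed.

```tcl
# Added example for /etc/syslog-ng/audit_forwarder.tcl (not F5's shipped code).
# Assumption: the forwarder calls Transform with the audit message as its only
# argument and forwards the string that the procedure returns.

# Limit the release note gives for messages kept by the accounting server.
set ::AUDIT_MAX_LEN 255
# A classic syslog timestamp plus its trailing space, e.g. "Aug  5 17:25:09 ".
set ::SYSLOG_TS_LEN 16

proc Transform {message} {
    # Drop the timestamp only if the message really starts with one, so a line
    # in an unexpected format is never cut in the middle of a field.
    set ts_re {^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} }
    if {[regexp -- $ts_re $message]} {
        set message [string range $message $::SYSLOG_TS_LEN end]
    }

    # Collapse whitespace runs; padding would otherwise eat into the limit.
    regsub -all -- {\s+} $message { } message
    set message [string trim $message]

    # Truncate here, with a visible marker, instead of letting the accounting
    # server cut the record silently. The full text stays in /var/log/audit.
    set marker {...[cut]}
    if {[string length $message] > $::AUDIT_MAX_LEN} {
        set last [expr {$::AUDIT_MAX_LEN - [string length $marker] - 1}]
        set message "[string range $message 0 $last]$marker"
    }
    return $message
}

# Self-check on constructed sample lines. Runs only for: tclsh <file> selfcheck
proc transform_selfcheck {} {
    set short {Aug  5 17:25:09 bigip1 mcpd[4559]: AUDIT - user admin - modify pool web_pool}
    set long  "Aug  5 17:25:09 bigip1 mcpd\[4559\]: AUDIT - [string repeat x 400]"
    set odd   {no timestamp here, keep   as is}

    # Timestamp removed, rest of the record intact.
    set out [Transform $short]
    if {![string match {bigip1 mcpd*web_pool} $out]} {
        error "timestamp not removed cleanly: $out"
    }

    # Over-long record is cut to exactly the limit and carries the marker.
    set out [Transform $long]
    if {[string length $out] != $::AUDIT_MAX_LEN} {
        error "unexpected length: [string length $out]"
    }
    if {![string match {*...\[cut\]} $out]} {
        error "truncation marker missing"
    }

    # A line without a syslog timestamp is only whitespace-normalised.
    set out [Transform $odd]
    if {$out ne "no timestamp here, keep as is"} {
        error "unexpected rewrite of untimestamped line: $out"
    }
    return ok
}

if {[info exists ::argv] && [lindex $::argv 0] eq "selfcheck"} {
    puts [transform_selfcheck]
}
```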

Behavior changes in 10.2.3

There are no behavior changes specific to version 10.2.3.

Behavior changes in 10.2.2

ID Number Description
ID 226971, CR142479 In previous releases, the system reused client session IDs from previous sessions to reestablish SSL connections. Now, in situations where security changes in the BIG-IP configuration, for example, an iRule changes the security parameter to request or require client certificates, the system establishes a new SSL connection with the client and does not reuse the previously established session ID.
354518 The VIPRION 2400 has an RJ45-type connector for the Console port. Part of the updated functionality of the Always-On Management (AOM) serial port includes auto-baud, meaning that when you connect a cable to the Console port and issue a break from the keyboard, the system enables scrolling through baud rates using the return key. If you accidentally plug an active Ethernet cable (that is, a cable carrying network traffic rather than serial terminal data) into the Console port, when you power up the blade, the auto-baud functionality might engage, even though the cable is not connected to a valid serial terminal. This occurs because, depending on the traffic on the cable, network communications can simulate the effect of issuing a break, which initiates auto-baud. If you are already in this condition, after you remove the Ethernet cable and connect a valid serial cable, you will likely see garbled content on the serial terminal until you reset the AOM serial port’s baud rate to match the terminal’s baud rate. To synchronize AOM and terminal baud rates, follow these steps:
  1. Issue a break (using the <BREAK> key on the keyboard).
  2. Press return to have AOM cycle through the supported baud rates (115200, 57600, 38400, 19200, and 9600).
  3. When the baud rates are synchronized, the following prompt appears: --- Press <ESC>( for AOM Command Menu. You can then press Esc ( to access the AOM Command Menu.

Behavior changes in 10.2.1

ID Number Description
Commands for --instslot and --format in image2disk utility Beginning in BIG-IP version 10.2.1 and Enterprise Manager version 2.1.0, the image2disk utility --instslot and --format options are mutually exclusive. If you attempt to invoke the image2disk utility specifying both options, the system returns the following error message: Terminal error: You cannot specify the target location when using the format option. You can specify the --format option to perform the formatting and installation operation simultaneously on all platforms except the 1500 and 3400 platforms with 1 GB of memory. For more information, see SOL12561: Change in Behavior: The image2disk utility --instslot and --format options are now mutually exclusive. For information about the 1500 and 3400 platforms, see SOL11396: Error message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required.
ID 207411, CR120157 In versions prior to 10.1.0, a null response from an HTTPS service with no receive string would be marked as UP. This behavior changed in version 10.1.0 to require at least one byte of data after SSL negotiation to be considered UP. For more information, see SOL10904: An HTTPS monitor incorrectly marks a node as UP when no data was sent in the server response.
ID 242666 Local users are no longer authenticated when remote authentication fails. This is intended behavior that worked differently in previous releases.

Behavior changes in 10.2.0

ID Number Description
CR109429-1 The browser-based Configuration utility increments the total requests statistic for virtual servers only when the virtual server uses an HTTP profile, or when the virtual server is a Performance (HTTP) type.
CR110198, CR127136, CR134054-1 F5 Networks has changed the default behavior for SSL profiles that do not have customized cipher lists. The set of ciphers negotiable by default no longer includes DES-CBC-SHA and all MD5 cipher suites. You can re-enable these ciphers by customizing the SSL profiles' ciphers attribute with the desired ciphers explicitly enabled and/or selecting the appropriate clientssl-insecure-compatible or serverssl-insecure-compatible profile from which to inherit default settings that include the deprecated ciphers.
CR131461 In version 10.2.0 when you boot from a DVD, thumb drive, or Pre-boot Execution Environment (PXE) server, the system presents a menu. You can press Enter to initiate an installation operation. The system indicates that you can also use Ctrl+C to access the command line shell to perform additional installation operations. In version 10.2.0, however, when you use Ctrl+C at this point, the system leaves a boot partition mounted, which causes all subsequent installation operations to fail. For more information about the known issue and its workaround, see Manufacturing installation menu and Ctrl+C to enter Bash (CR138343). In previous releases, the system did not present the menu, but instead presented the command line shell immediately.
CR135199 The BIG-IP products support an extensive range of SSL ciphers. You can find an overview of the SSL ciphers BIG-IP systems support in SOL8802: Overview of SSL ciphers supported in BIG-IP systems, and an updated list of all SSL ciphers supported on the BIG-IP product in SOL6808: SSL Ciphers supported on the BIG-IP 1500,1600, 3400, 3600, 3900, 6400, 6800, 6900, 8400, 8800, and 8900 platforms.
CR135548-1 When you create a new TCP, HTTP, or HTTPS monitor in version 10.2.0, you must include \r\n at the end of a non-empty Send String, for example GET /\r\n instead of GET /. If you do not include \r\n at the end of the Send String, the TCP, HTTP, or HTTPS monitor fails.
Communication between BIG-IP or 3-DNS version 4.x and version 10.1.0 or later A 3-DNS Controller or BIG-IP system running version 4.x cannot communicate with BIG-IP systems configured with version 10.1.0 or later. For more information, see SOL11106: Change in Behavior: iQuery communication is not supported between BIG-IP or 3-DNS version 4.x and BIG-IP LTM or GTM version 10.1.0 or later.
VLAN failsafe timeout value behavior change In software versions 9.x, the system did not enforce a minimum value for the VLAN failsafe timeout value. Beginning in version 10.0.0, the minimum allowed VLAN failsafe timeout value is 10 seconds. Before you upgrade from version 9.x to version 10.x, F5 Networks recommends that you change your VLAN failsafe timeout value to 10 or greater in order to ensure a successful configuration load after the upgrade has been completed. For more information, see SOL7066: Overview of VLAN failsafe.
ID 226957 The bigpipe syntax for creating pools has changed. In version 10.0.1, the syntax was b pool [PoolName] members [IP:Port] session [disable|enable]. In version 10.2.0, the syntax is b pool [PoolName] members [IP:Port] session user [disabled|enabled]. Any monitors you have that use the old syntax should be modified before or after upgrading. Going forward, it is recommended that you use tmsh instead of bigpipe for scripting.

Known issues

ID Number Description
CR55926 If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.
CR79065, CR83552, ID 250921, ID 251174, ID 319551 When, due to time-to-live (TTL) exceeded, the BIG-IP system drops IPv6 traffic being sent through a network virtual server or SNAT, the BIG-IP system responds with a destination-unreachable ICMP6 message. The BIG-IP system's IP address should be listed as the source in the ICMP response, and the client IP address should be listed as the destination. However, the BIG-IP system incorrectly reports the dropped IPv6 packet's destination address as the source address of the ICMP6 response. The result, from the client's perspective, is that BIG-IP system does not show up as a hop; the server is seen in place of the BIG-IP system.
CR80191 In order to change the baud rate when you are using a serial terminal console server on the VIPRION platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system.
  1. On each blade in the system, run the following command:
     bigpipe baud rate <your_baud_rate_value>
     Make sure to complete this change on all blades in the system before proceeding to step 2.
  2. Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed.
  3. Finally, change the baud rate of your serial terminal server. The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information.
CR83207 If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status.
CR80078-1, CR128607 If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. The workaround is to issue a bigstart restart bcm56xxd command.
CR87863 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user.
CR90249, ID 227304 The Multiple Spanning Tree Protocol (MSTP) specifies that the system handles spanning tree packets in accordance with the MSTP protocol. When you create a new MSTP configuration on the system, the new MSTP configuration name is not retained following a system reboot or after running the bigstart restart command. For more information, see SOL8212: The BIG-IP LTM does not retain the MSTP configuration name following a reboot.
CR91719 If you have duplicate names for SNATs in the bigip.conf file, the pvad service restarts and writes out a core file. To work around this situation, make sure each SNAT in the configuration has a unique name.
CR92541 When RAM cache calculates the amount of memory available or allowed, it should take CMP into account. In this release, RAM cache does not take CMP into account.
CR93185, CR116200 Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.
CR94039 When the pvad service queries a very large number of objects (for example, 2000 nodes), the pvad service might use as much as 27% of CPU. This condition is intermittent, and might have other requisites. There is no workaround.
CR96888 Occasionally, a system restart might result in the system posting to the console messages of the following type: sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users.
CR97188 Running the command b persist show on a cluster might return incomplete results in certain avoidable situations. To ensure complete results, leave the bigpipe shell read partition at all, and log on as a user who is authorized to view all partitions.
CR97299-1 The Status LED briefly shows green on power up. The LED should be blank or amber. Early during initialization, the software sets the LED color to amber, and finally to green once cluster quorum is reached. You can safely ignore the transient green LED on power up.
CR98536 When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality.
CR100240 When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, which logs a Tcl error to the /var/log/ltm file. This is a benign error message that you can safely ignore.
CR102064 The b config check all command returns different results depending on whether you run the command on a chassis (such as a VIPRION system) or an appliance (such as a BIG-IP 6900). On a chassis, the system returns the message No reports have been received. On an appliance, the system returns a response similar to the following messages: DAEMON STATUS bcm56xxd Configuration OK at 14062d 21:07:29 Last error at 14062d 21:07:29 Message: Received remote heartbeat registration message: pid=8714, timeout=60
CR102918 When you click the Clear Performance Data button in any view, the operation clears data for all historical statistics, not just the data for the specific view you are in.
CR103199 When you specify the cluster management IP address, the netmask defaults to /32, or 255.255.255.255. In order to use cluster member addresses, the netmask must be no more than /30, or 255.255.255.252. Always specify the netmask when specifying the cluster management IP address if you plan ever to use cluster member addresses. That way, the address always gets set correctly, and you can configure the cluster member addresses on the same network.
CR103500 The 10.x installer creates four volumes by default, which differs from the two partitions that the 9.3.x and 9.4.x installer created.
CR104124 When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. There is no workaround for this issue.
CR104327, CR114895 If you install the 9.6.x version of the software on a volume that uses a nonstandard name (for example, HD.pc1 rather than HD1.1), you cannot access that volume using version 9.6.x of the software. To access volumes named in this manner, use version 10.x software.
CR104468, CR115056 The system does not prevent you from deleting all volumes, including the active volume, using the b software desired command. Doing so causes the system to boot into another location. To prevent potential system access problems, do not use the command line to delete the active volume.
CR104583, CR108667 Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands.
CR104647 On a VIPRION system with the active volume set above HD1.4, if you then add a blade that has 9.6.x installed and active, the system does not run the installation on the 9.6.x blade to bring it into the cluster. This occurs because 9.6.x is hardcoded to support volumes 1 through 4 and cannot dynamically create new volume sets. To work around this issue, make sure all blades you want to add are running 10.x, or use a volume set between 1 and 4.
CR105032 When you specify the host name for the b ntp servers add command, the system returns false positives when translating the host name to an IP address. The workaround is to add Network Time Protocol (NTP) servers using an IP address instead of a host name.
CR105101 If you use the high availability setup wizard and specify settings, when you click the Previous button, the system clears all the values you specified, so you must re-enter the values.
CR105216 When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again.
CR105234 When you have the dashboard window open, the browser session never times out. When you close the dashboard window, the timeout interval takes effect again.
CR105511 If you configure secondary self IP addresses for a vlan/domain, the system uses the wrong self IP address for monitoring. In a typical scenario, the system uses the IP address that you created first as the primary IP address for monitoring. However, IPv6 in the Linux kernel does not set a preferred source by default. Because Linux treats routing domains like it treats IPv6 addresses, the Linux kernel does not set a preferred source. There is no workaround for this issue.
CR105604 If you reset the Host on a platform that contains an SCCP after the system has completed initialization, the system attempts to PXE boot, making DHCP requests repeatedly and indefinitely. The workaround is to first use the SCCP Command Menu option 2 to put the SCCP into the proper state, and then reboot the system. You can also recover by powering the unit off and back on again.
CR105627 In a redundant system that has Local Traffic Manager provisioned on both units and Global Traffic Manager provisioned on only one unit, you must provision Global Traffic Manager on the second unit. Failure to do so risks Global Traffic Manager becoming unprovisioned or unconfigured after a ConfigSync operation.
CR105797, CR114073 When you use the Software Management screens in the Configuration utility or the b software commands on the command line to create a volume on a system hard drive that is formatted using the partitioning scheme, the system appears to try to create the volume, but the operation fails. The system should alert you immediately that you cannot create a volume on a partitioned system hard drive. In general, the software does not support use of the volume management screens on systems that use the partitioning drive-formatting scheme.
CR106378 The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround for this issue.
CR106750 When you reboot a system from the serial console, the system reports the following message during the shutdown sequence: modprobe: modprobe: Can't locate module tun6to4... This message is benign, and you can safely ignore it.
CR106828 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change.
CR106830 This release supports only network failover for chassis-to-chassis failover on the VIPRION platform. Do not configure hardwired failover using any failover cable included with the VIPRION platform you received.
CR107046 The system requires a user to log on again after changing a password to the same password as the one previously configured. There is no workaround for this issue.
CR107415 Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable.
CR107443 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server.
CR107852 On BIG-IP 8400 and 8800 platforms, IPv4 fragments of a large User Datagram Protocol (UDP) datagram will be incorrectly modified at offset 6 from the end of the IP header (the location that would be the UDP checksum if the fragment were a full UDP datagram) from 0xfff to 0x0000. Although there is no workaround for this issue, it is not a common case.
CR107874 The VIPRION platform may experience a kernel panic and reboot following an upgrade to BIG-IP version 10.0.0. This issue occurs if the system is running BIOS firmware earlier than build 461, and the VIPRION unit is upgraded to version 10.0.0 with the management interface connected to a subnet with live traffic. For more information and a workaround for this condition, see SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.0.0.
CR107883 This release does not support USB CD-ROM or DVD-ROM drives that exceed the high-power USB current specification of five unit loads (500mA) per port.
CR108728, CR113440 In the browser-based Configuration utility, if you try to set the provisioning level to Dedicated on a module when another module already has the Dedicated provisioning level, the system allows the change and sets the provisioning level to None on all other modules. When you use the command line for the same operation, the system presents an error: When a Dedicated provision level is set, all other module's provision levels must be set to None. To accomplish the change, you can use the Configuration utility, or you can use the command line to set the provisioning level to None for all other modules, and then set the Dedicated provisioning level on the module you want to configure. To do so, use the tmsh utility to issue the following commands (substituting your module names for <module-A> and <module-B>):
  (tmos)# create transaction
  [batch mode](tmos)# modify sys provision <module-A> level dedicated
  [batch mode](tmos)# modify sys provision <module-B> level none
  [batch mode](tmos)# submit transaction
CR108819 The BIG-IP 8800 platform supports a maximum of 30,000 monitors in a single configuration. If you create more than 30,000 monitors, the BIG-IP 8800 might halt in a switchboard-failsafe state when you load the configuration.
CR108965, CR114966 When a user is logged on, if you use the b config install <ucs file>, b import <ucs file>, or b config sync commands, or when performing a ConfigSync operation in the Configuration utility to load a configuration that contains the same user, but with a different password, the system does not log off that user. After that user logs off, or when that user's session times out, that user must use the password from the new configuration to log on.
CR109131 On a system whose drives are formatted as volumes, on the Resource Provisioning screen in the Current Resource Allocation area, there is a section that displays Disk provisioning; if the drives are formatted as partitions, there is no Disk provisioning section. However, if you issue the b provision command on the command line, the results show a column for disk provisioning information.
CR109230-1 If you attempt to mirror virtual servers that have RAM Cache enabled, depending on the cache state, the system leaks the connection on the standby unit when the connection is closed on the active unit.
CR109301 If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system posts messages such as the following until both systems are running the same version of the software: tmm tmm[1917]: 01340001:3: HA Connection with peer 10.60.10.3:1028 established. There is no workaround for this condition. Both units in a redundant system must be running the same version of the software.
CR109381 After a b import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade.
CR109472 Beginning with version 10.0.0, you no longer need the hotfix uninstall packages. Instead, you can use the b software commands to change the revision level of any 10.x image location to a higher or lower revision. For more information, see the man page for the b software command, available on the command line by typing man software.
CR109834 When a system timeout occurs, the system grays out the screen behind the timeout alert box. Although you can access the browser window scroll bars to view the contents of the grayed-out screen, none of the options are active.
CR109917 When you delete an interface that is configured for interface mirroring, the system halts mirroring on all other configured interfaces. To work around this issue, when you delete an interface-mirroring configuration, recreate the configuration using all interfaces. As an alternative, after deleting an interface, save the configuration and issue the command bigstart restart.
CR110014 The secondary blades in a chassis log messages using the user name mcpd-primary. That means that when the root user issues certain commands on the primary blade, such as one to disable a virtual server, the system logs messages similar to the following: Oct 21 13:29:39 slot4/prd-061 alert mcpd[2415]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'root'. Oct 21 13:29:39 slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'. Oct 21 13:29:39 slot1/prd-061 alert mcpd[27136]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'. These messages accurately represent the action taken and the origin of the command, and do not indicate an error condition.
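When reviewing audit logs, the attribution described in CR110014 can be automated. The following is an added example, not F5 code: it parses the messages quoted above and maps each 'mcpd-primary' entry from a secondary blade to the user recorded for the same action. The function names, the two-second skew tolerance, and the fourth sample line are assumptions made for this example.

```python
import re
from datetime import datetime

REPLICATION_USER = "mcpd-primary"  # name the secondary blades log under (per CR110014)
MAX_SKEW_SECONDS = 2               # assumption: tolerated timestamp skew between blades

# The three messages quoted in CR110014, plus one constructed line that has
# no matching entry from an originating user.
SAMPLE_LOG = """\
Oct 21 13:29:39 slot4/prd-061 alert mcpd[2415]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'root'.
Oct 21 13:29:39 slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'.
Oct 21 13:29:39 slot1/prd-061 alert mcpd[27136]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'.
Oct 21 13:31:02 slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'orphan_virtual' on partition 'Common' disabled by user 'mcpd-primary'.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<slot>slot\d+)/(?P<host>\S+)\s\w+\smcpd\[\d+\]:\s"
    r"(?P<code>[0-9a-f]{8}):\d:\s"
    r"(?P<action>.+)\sby user '(?P<user>[^']+)'\.$"
)


def parse(log_text):
    """Return one dict per mcpd message that names an acting user."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        # Syslog timestamps carry no year; a fixed leap year is assumed so
        # that only the time difference between entries matters.
        event["time"] = datetime.strptime("2000 " + event["ts"],
                                          "%Y %b %d %H:%M:%S")
        events.append(event)
    return events


def attribute(events):
    """Resolve each 'mcpd-primary' entry to the user who issued the command.

    An entry is resolved when exactly one non-replication user logged the
    same message code and action on the same chassis within the skew window.
    Unresolved entries get resolved_user=None and deserve a manual look.
    """
    origins = [e for e in events if e["user"] != REPLICATION_USER]
    report = []
    for event in events:
        if event["user"] != REPLICATION_USER:
            continue
        key = (event["host"], event["code"], event["action"])
        users = {
            o["user"] for o in origins
            if (o["host"], o["code"], o["action"]) == key
            and abs((o["time"] - event["time"]).total_seconds()) <= MAX_SKEW_SECONDS
        }
        report.append({
            "ts": event["ts"],
            "slot": event["slot"],
            "action": event["action"],
            "resolved_user": users.pop() if len(users) == 1 else None,
        })
    return report


if __name__ == "__main__":
    for row in attribute(parse(SAMPLE_LOG)):
        print(row["ts"], row["slot"], row["resolved_user"], "|", row["action"])
```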
CR110269 In version 10.0.0, when attaching a child class to a parent class, the system takes into account the rate of the parent class when verifying that the parent's rate ceiling is not exceeded. Now, the sum of a parent class' rate and child classes' rates cannot exceed the parent's rate ceiling. In previous releases, the system allowed the parent's rate to be, at most, equal to the rate ceiling, regardless of the rates of the child classes. This could have led to oversubscribing the configured rate ceiling in certain cases where traffic was assigned directly to a parent class. If you are rolling forward a configuration from a previous build, a quick workaround is to set the rates of all parent classes to 0bps by running the following command: bigpipe rate class <parent class name> rate 0bps. As a general rule, avoid assigning non-zero rates to parent rate classes.
CR110761, CR113485 There is a new iRules feature that provides support for suspending a running iRule (for example, with the after command). If you are running an indefinite collect operation (that is, the iRule is running a ::collect command with no arguments), and in response to a CLIENT_DATA event the iRule processes the payload to a certain point and then suspends iRule operation, when iRule operation resumes and the iRule issues a ::release command, the operation might release more data than the iRule processed. Specifically, data that arrives when the iRule is suspended does not trigger an additional CLIENT_DATA event. Here is an example of how to ensure that an iRule releases only the data that it has already processed: before running any command that suspends a running iRule, have the iRule save the ::payload length in a variable. When iRule operation resumes, have the iRule issue a ::release $payload_length command. You can find extensive information about iRules on the Dev Central web site, available at http://devcentral.f5.com/.
CR110791 If you deprovision a module, the system does not remove the configuration attributes associated with the module. Some configuration data, such as endpoint attribute definitions for the WAN Optimization Module, might interfere with Local Traffic Manager tunnel operations. In this case, when the definitions for endpoint advertised route, endpoint local, and endpoint remote remain in the configuration after deprovisioning WAN Optimization Module, the Local Traffic Manager tunnel resets connections that were established when you had the module provisioned. As a workaround, remove the definitions from the bigip.conf files on both BIG-IP systems.
CR111495 Version 10.0.0 of the software introduced new ha actions that the upgrade process cannot easily map to the previous version's ha actions for daemon heartbeats. If you changed the ha actions for a daemon heartbeat, the upgrade process returns the action to the default. After the upgrade installation finishes, you can configure the daemon heartbeat ha actions you want on the System > High Availability > Fail-safe screen in the Configuration utility.
CR111700 When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. These messages are benign, and you can safely ignore them.
CR112077 The system requires that you run the Setup utility in the browser-based Configuration utility, even if you have already configured the system using the command line. This occurs because there is a hard-coded requirement for the Setup utility to run at least once. You can prevent the Setup utility from running by running the following command: b db setup.run false.
CR112120 When you create a pool in one partition that includes a node from the Common partition, if the node has no associated screen name, when that node is referenced from a third partition, the system posts the error 01070726:3: A pool may only reference nodes in the same partition or the common partition (xyz_pool:1.1.1.1) and removes the node from the Common partition. The workaround is to add a screen name to the node. To do so, at the command line, issue a command similar to the following example: b node 1.1.1.1 { screen dontremove }
CR112128 The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. As a workaround, you can click the Launch button to view the full text.
CR112411-2 The version 10.1.0 release contains the new OpenSSH client and server, which addresses the vulnerability Plaintext Recovery Attack Against SSH, reported as CPNI-957037. When an older client connects to the new server, however, a vulnerability exists. If you are still using old SSH clients, you should manually set those clients' cipher lists to include only CTR ciphers. To use only CTR ciphers for the OpenSSH client, the command line must include the following option: -c aes128-ctr,aes192-ctr,aes256-ctr.
CR112953 When you start or stop the tcpdump utility on a VIPRION system, the system logs messages similar to the following entries in the /var/log/ltm file: slot1/tmm warning pu[24652]: 01230114:4: port movement detected for 00:01:23:45:67:10, vlan tmm_bp - 0.0 to 0.1 These messages are benign, and you can safely ignore them.
CR113055 If you issue the commands b cluster all ha state or b cluster default ha state, the system always returns the result offline. This is because there is no cluster ha state to report. To get the state of a system, you can use the browser-based Configuration utility. The system displays the state at the top of every screen.
CR113134-6 Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file: Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms) The workaround is to create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production to prevent the potential failure from affecting live traffic.
CR113322 On a system with a very large persistence table (millions of entries), running the command b persist show might cause the system to become unstable or fail over. To show an individual record, you can use the command b persist client <client_addr> show.
CR113601 The Templates and Wizards menu does not change even when templates are not available under the license.
CR113812 If you use wildcard characters to specify IP addresses in the b httpd allow command, the result is that the system forbids all access to the browser-based Configuration utility. The workaround is to use other forms of specifying IP addresses. For example, b httpd allow 10.10.*.* does not work; instead use a command similar to b httpd allow 10.10.0.0/255.255.0.0.
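Before applying an allow list, you can screen it for the wildcard form that CR113812 says locks out the Configuration utility. The following is an added example, not F5 code: it rewrites whole-octet trailing wildcards into the address/netmask form shown above and rejects patterns that have no equivalent netmask. The function names, the sample entries, and the decision to reject an all-wildcard entry are assumptions made for this example.

```python
import ipaddress

# Constructed sample entries for illustration.
SAMPLE_ENTRIES = ["10.10.*.*", "172.16.5.9", "10.*.3.*", "*.*.*.*"]


def wildcard_to_netmask(entry):
    """Convert a pattern such as 10.10.*.* to 10.10.0.0/255.255.0.0.

    Only whole-octet wildcards that run to the end of the address can be
    expressed as a contiguous netmask; anything else raises ValueError.
    """
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad pattern: {entry!r}")
    addr, mask, wildcard_seen = [], [], False
    for octet in octets:
        if octet == "*":
            wildcard_seen = True
            addr.append("0")
            mask.append("0")
        elif wildcard_seen:
            raise ValueError("fixed octet after a wildcard has no netmask form")
        elif octet.isascii() and octet.isdigit() and int(octet) <= 255:
            addr.append(str(int(octet)))
            mask.append("255")
        else:
            raise ValueError(f"invalid octet {octet!r}")
    if "255" not in mask:
        # Assumption for this example: an entry matching every source
        # address is treated as a mistake rather than rewritten.
        raise ValueError("pattern would allow every source address")
    network = ipaddress.IPv4Network(".".join(addr) + "/" + ".".join(mask))
    return f"{network.network_address}/{network.netmask}"


def review_allow_list(entries):
    """Split entries into unchanged, rewritten, and rejected groups."""
    unchanged, rewritten, rejected = [], {}, {}
    for entry in entries:
        if "*" not in entry:
            unchanged.append(entry)
            continue
        try:
            rewritten[entry] = wildcard_to_netmask(entry)
        except ValueError as exc:
            rejected[entry] = str(exc)
    return unchanged, rewritten, rejected


if __name__ == "__main__":
    unchanged, rewritten, rejected = review_allow_list(SAMPLE_ENTRIES)
    print("unchanged:", unchanged)
    print("rewritten:", rewritten)
    print("rejected: ", rejected)
```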
CR113919 If you are in a partition other than Common when you reactivate a license, the system automatically changes the partition to the Common partition. There is no workaround for this issue.
CR114167 Invoking a TCP::collect method from the SERVER_CONNECTED iRule event might cause associated connections to stall and timeout when running the tmm.debug daemon. This should not affect typical deployments since the tmm.default daemon behaves as expected in this configuration, and an administrator must explicitly configure the Traffic Management Microkernel (TMM) to use debug mode. Note that you should set TMM to debug mode only when requested to do so by an F5 Technical Support representative. The F5 Networks Technical Support representative will ensure that your system stays stabilized in this mode and will assist you in interpreting the debug output.
CR114381 Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain.
CR114766 When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.
CR115139, CR130414 Do not use the b software add | delete commands on a partitioned system. Doing so results in access errors on the partitions. For example, if you try to delete an existing partition using the b software delete command, the system posts a failed to delete volumeset error. In this case, run the command b software product none version none build none on the partition. This removes the installation from the partition, and you can install the software again. If you try to add a partition using the b software add command and see a failed to create volumeset error, run the command b software delete on the partition you tried to create. This removes the failed attempt from the Software Status table, so you can try your installation operation again.
CR115326, CR115328 You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event. This can result in a handshake failure, because the CLIENTSSL_CLIENTCERT event can fire before the connection is ready for the transmission of user data.
CR115670 If you add a user, either explicitly or by restoring a user configuration set (UCS) file that contains the user, and that user has different access or role settings, the system reports an error similar to the following: Nov 6 09:02:08 slot4/p4-019 err mcpd[3533]: 0107082a:3: Disconnecting user yyy2 on change of user role data (partition:Common->PartitionOne). This is a benign message, and you can safely ignore it.
CR115774 If you move blades between a chassis running software version 9.6.x and a chassis running 10.x, the 10.x system might report incorrect volume information about the blade that came from the 9.6.x chassis. F5 Networks does not recommend switching blades between chassis running differing versions of the software.
CR115916 There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record.
CR116108 USB1.1 CD-ROM Drives are not supported on the BIG-IP 8900 platform.
CR116929 Because the CompactFlash media drive is not a valid installation target, the system should prevent you from selecting it. However, this version of the software allows you to target a CompactFlash drive. If you accidentally installed to the CompactFlash drive, the system posts a failed to install state for the CompactFlash drive. The workaround to return to the original state is to issue the command b software CF1.x product none version none build none and then issue the command bigstart restart lind on the command line.
CR117427 In this version of the software, you cannot use Global Traffic Manager to monitor or send traffic to any virtual servers that are in a route domain. Therefore, Global Traffic Manager is not supported to run on a Local Traffic Manager system that is using route domains.
CR117428 If you are using the ZebOS advanced routing modules, it is important to consider the following:
  • Dynamic routing is supported on interfaces in the default route domain. The advanced routing modules cannot access interfaces, self IP and virtual addresses, and static routes in non-default route domains. A static route is considered as belonging to a non-default route domain if either the destination or the nexthop gateway address belongs to a route domain other than the default route domain.
  • All routes learned by way of dynamic routing protocols are inserted into the routing table for the default route domain only.
  • With respect to advertising routes, virtual addresses, or self IP addresses to other routers, the advanced routing modules advertise only those routes or addresses that are in the default route domain. As previously stated, the advanced routing modules are not aware of routes or addresses in other route domains.
CR117429 The route domains feature does not support IPv6-formatted IP addresses in this version of the software.
CR117430 Some command line diagnostic tools, such as curl and traceroute do not work with route domains.
CR117431 Custom monitors that are not IPv6 aware (for example, EAV (Extended Application Verification) monitors) do not work with route domains.
CR117480 There is the possibility of a failed version 9.4.7 installation when installing on a system that also contains version 10.x software. When the failure occurs, the last three lines in the /var/tmp/install/session.log file are: install.error: An installation error has occurred; code 130 install.debug: Session ended install.error: Critical failure; no fallback possible. To work around the issue, you can use the PXE or thumb-drive methods to install the software.
CR115798 The small form-factor pluggable (SFP) ports on BIG-IP 8900 platforms are 10Gbps-only ports. On a BIG-IP 8900 platform, an SFP plus can operate at 1Gbps speed in an SFP slot, but SFP modules do not operate at 1Gbps speeds in an SFP plus slot. This is a hardware constraint.
CR117359 Do not use the b sshd include parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk.
CR117809 If you run the grub_default -d command to view the boot configuration information of the grub.conf file, the initial arrow key press moves the menu selector highlight two spaces instead of one. After the initial key press, the arrow keys operate normally when maneuvering (meaning that if you press the arrow keys once, the highlight moves one space in the arrow direction).
CR118049 Enterprise Manager software versions 1.2, 1.4, 1.6, and 1.7 do not support BIG-IP system software version 10.0.0. There is no workaround for this issue.
CR119247-1 When you swap a blade to the same slot in a different VIPRION chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of.
CR120321 After installing, you might see a message similar to the following in the ltm log file. Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7 This message is benign, and you can safely ignore it.
CR120550 This version of the software supports systems with multiple drives using the RAID disk management operations. We have not removed the sparedisk utility, which was included in version 10.0.1 to support operations on multi-drive systems. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems. For related issues, see the known issue for CR120550, CR127003, and CR138582.
CR120190-2, CR127965-2 Do not use the --nomoveconfig option with the image2disk command (or the db variable LiveInstall.MoveConfig set to disabled) for systems with existing installations of Application Security Manager. Doing so removes all content from the associated database. Instead, you should ensure that the configuration on the installation source matches the one on the installation destination. To do so, save the UCS configuration file on the location you want to preserve, and apply that configuration to the destination before beginning the installation operation. Here are the steps to perform.
  1. Boot into the location containing the configuration and database you want to preserve.
  2. To save the existing configuration and database, run the command bigpipe config save <your_ucs_file>.
  3. Copy the .ucs file to a secure, remote location.
  4. Boot into the location you want to update.
  5. To move the configuration and database to the target installation location, run the command bigpipe config install <your_ucs_file>.
  6. Install or upgrade the software using procedures described in the section Installing the software.
CR120828 When you roll forward a 9.x user configuration set (UCS) file that is configured for Application Security Manager and Global Traffic Manager, provisioning for Global Traffic Manager is not enabled. To enable Global Traffic Manager using the browser-based Configuration utility, in the navigation pane, expand System, and click Resource Provisioning. In the Module Resource Provisioning section, select the provisioning level you want from the Global Traffic (GTM) and Link Controller (LC) drop-down lists.
CR120943 If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information about locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 Knowledge Base.
CR120550, CR127003, and CR138582 On 6900 and 8900 platforms, the RAID functionality supersedes the sparedisk utility, which was provided in version 10.0.1 to support operations on multi-drive systems. The 8950 and 11050 platforms do not support the sparedisk utility, although the utility is present on those platforms as well. In this version of the software, although you should not use the sparedisk utility for any operation, F5 Networks has not removed the utility. Running various commands (for example, making a disk active using the command sparedisk -m) can result in an unstable disk situation. Instead, you should use the RAID features for all multi-disk operations. You should use the sparedisk utility only on 6900 and 8900 platforms running version 10.0.1.
CR121134 The 8900 platform comes with a post-10.0.0 version of the software installed on both hard drives. If you decide to downgrade to version 10.0.0, the software installs correctly. However, the version 10.0.0 software management scheme was not designed to work with a second hard drive. If you downgrade to version 10.0.0 on the second hard drive, do not operate on the second hard drive using the b software commands or the Software Management screens in the browser-based Configuration utility.
CR122160 If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.
CR119132, CR125534, ID 222400 Depending on what processes run after restarting the system, you might see the following error message: warning process `<processname>' is using deprecated sysctl (syscall) net.ipv6.neigh.tmm0.base_reachable_time; Use net.ipv6.neigh.tmm0.base_reachable_time_ms instead This is a benign message, and you can safely ignore it.
CR125790 After deprovisioning modules, the system might run sluggishly or respond slowly to commands. The system returns to a normal operational state after approximately 1 minute if you leave the system to recover, or approximately three minutes if you run commands during this time. The slow response time occurs while the system recovers virtual memory after a deprovisioning operation.
CR125800 The iRule statistics counters inaccurately report an inflated number of iterations of an iRule when an iRule event suspends. There is no workaround for this issue.
CR126842-1 On platforms equipped with Packet Velocity application-specific integrated circuit (ASIC) version 10 (PVA10), specifically the BIG-IP 8400 and BIG-IP 8800 platforms, client-requested TCP maximum segment size (MSS) may not be honored if the PVA10 is in hardware syn-cookie mode. This can result in a larger-than-requested MSS being set with the back-end server, causing the server packets to be dropped before reaching the client. This problem occurs because of a problem in the PVA10 hardware. To avoid this problem, disable hardware syn cookies by setting the connection threshold to 0 (zero) by running the following command on the system command line: b db Pva.SynCookies.ConnectionThreshold = 0.
CR126976 If you run the tcpdump utility from a PB100 blade on a VIPRION chassis containing a mix of PB100 and PB200 blades, the process does not show packets from the PB200 blades. To work around this issue, run the tcpdump operation from the PB200 blade.
CR127003 Although you should not use the sparedisk utility in this version of the software (see known issue CR120550), the utility remains in the software. If you run the command sparedisk -m, the system marks an active disk as a spare disk without notice or warning. Changing the active disk to a spare can result in an unstable disk situation. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems.
CR127123 Every time you run a b load command on 1600, 6900, and 8900 platforms, the system posts a message similar to the following: local/tmm3 notice tmm3[19557]: 01010029:5: Clock advanced by 112 ticks. This message is a diagnostic message only, so you can safely ignore this message.
CR127332 As of version 10.1.0, the system no longer supports user accounts with custom home directories. If you upgrade a configuration containing user accounts with custom home directories, after reboot, the system becomes inoperative because it cannot load the configuration. You can prevent the issue before upgrading by running the following command to change the user's home directory, or you can run the following command after upgrading to recover from the error condition: tmsh modify auth user <name> home-dir /home/<name>
CR127435 When you run the image2disk utility from the Management Operating System (MOS) of a system, the process has no active configuration to use for installation, so the operation halts with an error: error: No configuration found in HD1.1 (location looks empty). Use '--nosaveconfig' if appropriate. To work around this issue, run the command again, and specify the --nosaveconfig option.
CR127754 When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. In this release, you must use the following process to accomplish this.
  1. Create a pool that uses the Weighted Least Connections (Node) load balancing method.
  2. Explicitly create the node entries for the pool members on the Local Traffic > Nodes > Node List (create) screen.
  3. For each node, specify a value other than 0 (zero) in the Connection Limit box.
  4. Return to the pool configuration screen by clicking its link in the Local Traffic > Pools > Pool List.
  5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step.
If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error.
CR127803 When you view the Software Management List screen or the result of the b software desired show command, you might see the CF designation that represents the CompactFlash drive listed as a possible installation destination. 10.x installation is not supported on the CompactFlash drive, so do not select it as an installation target. This happens only on systems with drives using the partitioning formatting scheme.
CR127971 When a drive is replicating or being added or removed in the Management Operating System (MOS), the md operation outputs all its status to the terminal, which can make it difficult to perform recovery operations, such as removing or adding a drive. The workaround is to wait for the replication operation to complete before performing recovery operations.
CR128272 When you specify any method other than Round Robin for load balancing traffic from virtual servers configured with RADIUS, Diameter, or SIP profiles, you can see unexpected results, such as the system sending most of the traffic to only one pool member. To work around this issue, use the Round Robin load balancing method with virtual servers configured with RADIUS, Diameter, or SIP profiles.
CR128600 Provisioning statistics shows the size on only one physical disk. To find the size of your datastor on a multi-disk system, review the output of running the command b datastor list all. As a general rule, if you have two disks installed, the cache is always double the size indicated in the provisioning statistics.
CR128875 If you perform an operation that requires loading the configuration on a volume that has insufficient disk space to contain it, the operation fails at the module-provisioning step. Depending on the modules you provision and the space available, the failure might occur when rolling forward a configuration at installation, running bigpipe config install <config.ucs>, or provisioning modules in a command line operation. When the provisioning failure occurs, the system logs a message in the /var/log/ltm file: 01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. <nnn> MB are required to provision these modules, but only <nnn> MB are available.' To recover, free up sufficient disk space by removing unneeded volumes using the command: bigpipe software desired HDn.n delete, and then try the operation again.
CR129216 We have changed from using a Linux 2.4 kernel to a Linux 2.6 kernel. This has resulted in a difference in how Linux accounting reports CPU usage. Linux accounting shows CPU spikes even when the Traffic Management Microkernel (TMM) is lightly loaded. These spikes represent artifacts, and you can safely ignore them.
CR129458 The output of the b platform command incorrectly refers to the 3600 and 3900 platforms as a blade. Specifically, the output reads BLADE TEMPERATURE (slot/sensor) instead of CHASSIS TEMPERATURE. The error is cosmetic only.
CR129674 When the Configuration Utility restarts, the system writes the following messages to catalina.out: log4j:ERROR A "org.apache.log4j.ConsoleAppender" object is not assignable to a "org.apache.log4j.Appender" variable. log4j:ERROR The class "org.apache.log4j.Appender" was loaded by log4j:ERROR [org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type log4j:ERROR "org.apache.log4j.ConsoleAppender" was loaded by [WebappClassLoader These messages are benign, and you can safely ignore them.
CR129698 When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example: err httpd[6246]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0 err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket) warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!? warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377) err httpd[6379]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0 warning httpd[3064]: [warn] long lost child came home! (pid 6239) These messages occur primarily as a result of the process restart, and you can safely ignore them.
CR129710 Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. Enabling MD5 signatures allows the MD5 signature to be validated when it is present.
CR129711 At system startup, you might see messages similar to the following: mdadm: Unrecognised md component device - /dev/mapper/vg--db--sda-mdm.app.wom.dat.datastor mdadm: Unrecognised md component device - /dev/mapper/vg--db--sdb-mdm.app.wom.dat.datastor This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. No adverse result occurs, and you can safely ignore these messages.
CR129786 When you enable Display Host Names when Possible in System :: Preferences, and then display objects whose addresses exist in a route domain other than 0, the address might display with the % notation on some screens in the browser-based Configuration utility. There is no workaround for this issue.
CR129836 There is no edit capability for the NTLM profile in the tmsh utility. There is no workaround for this issue.
CR130427 You cannot simply change the speed of an existing interface in a trunk; you must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it.
CR130468 In the ltm.log file, you might see mcpd warning messages similar to the following: warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually. When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them.
CR130582 When the following series of events happens, the client system can perceive the BIG-IP system as unresponsive, and eventually the connection times out as a result of reaching the TCP timeout interval. This is the series of events.
  • client1 sends a Capabilities-Exchange-Request (CER) command.
  • server1 responds with a Capabilities-Exchange-Answer (CEA) command.
  • client1 sends an Accounting-Request (ACR) command.
  • The BIG-IP system sends the connection to server2 (that is, the BIG-IP system sends a CER to server2 first, before it sends an ACR).
  • server2, however, responds with CEA result-code 5010 (that is, there are no common applications supported between the peers), so the BIG-IP system deletes the connection with server2.
  • client1 continues to wait for a response to its ACR.
  • The BIG-IP system has no response for client1, however.
  • Eventually, client1 connection may be closed because the connection reaches the TCP timeout.
CR130639 RAMCACHE, IPV6, and SSL Compression were added by default to the base Local Traffic Manager license in the version 10.0.0 software release. The feature flags are enabled and the system reports them when you run the b version command. However, on the 1500, 3400, and 6400 platforms, the system displays these features in the Optional Modules section of the License screen in the browser-based Configuration utility.
CR130662 In a multi-drive system, if a drive fails or is suddenly removed from the unit, the system retains knowledge of the drive so you might see messages like: info: /dev/vg-db-sdb/mdm.dat.share: read failed after 0 of 4096 at 0: Input/output error err kernel: scsi 1:0:0:0: rejecting I/O to dead device. These occur on the screen if you are connected using a serial console, or in the kernel log file if you are connected through SSH. To completely eliminate these messages, you can reboot to clear the system's knowledge of the removed drive.
CR130702 When you have versions 10.0.x and 10.1.x simultaneously installed on a multi-drive system, booting from a 10.1.x to a 10.0.x location sometimes fails. This is due to a constraint in logical volume management (LVM) for the version 10.0.x software. To prevent this issue, reduce the number of installation locations before rebooting to versions earlier than 10.1.0. You should have only two HDn.n installation locations or one MDn.n installation location in addition to the pre-10.1.0 installation location. To remove installation locations, run the command bigpipe software desired HD1.n delete.
CR130720 There is a duplicate MODULE-COMPLIANCE section in the F5-BIGIP-COMMON-MIB.txt file. You can correct this error by editing the file to remove the duplicate entry. This might be difficult, since the /usr file system is read only, making it difficult to edit /usr/share files. However, you can still edit the file by changing the fstab file and rebooting the system.
CR130798 On a multi-drive system, if the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. This is a cosmetic issue only, and has no effect on functionality.
CR130844 When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, all properties become custom; that is, profile properties no longer inherit parent settings. The workaround is to use the tmsh utility create and modify commands. When you do so, the system preserves the profile's property inheritance.
CR130846 If you have WAN Optimization Module provisioned on multi-drive systems, and you use the command array --remove or tmsh modify sys raid array MD1 remove to remove a drive, the system removes all but the datastor volume on the removed drive. If you then try to add the drive back, the operation fails. To work around this issue, deprovision the WAN Optimization Module, and then run the command array --add or tmsh modify sys raid array MD1 add to add the drive back. Then you can provision WAN Optimization Module back to its original setting.
CR130902 If you are in the tmsh utility, you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run util bigpipe arp <args...> at the tmsh command line.
CR131108, CR132835 The serial console baud rate of systems with Always-On Management (AOM) (1600, 3600, 3900, 6900, and 8900 platforms) can be corrupted if you install using a serial console baud rate other than 19200. When the corruption occurs, you see garbage characters on the serial console. To prevent this issue, change the baud rate to 19200 before installing. When the reboot after installation is complete, you can set a different baud rate.
CR131168 In this release, when you use the LCD to change from a higher baud rate down to 19200, the host serial console can become garbled, while Always-On Management (AOM) displays correctly. To recover, reboot the system. Note that you can successfully change baud rates for the host from low to high using the LCD, and output is not garbled.
CR131188 When you complete a new installation, the Firefox browser may not recognize the SSL certificate. When this occurs, the browser-based Configuration utility posts the message Please wait while this BIG-IP device reboots, shutting down device. This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. The issue happens only when doing a fresh install. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system.
CR131256 The text-display mode for the switchboot utility supports a maximum of six volume locations. To boot to a location higher than volume six, you can use the switchboot -b option on the command line.
CR131317 If you encounter an installation operation that fails with a final error failed to install because of a process lock, retry the operation.
CR131332 When you import a single configuration file (SCF file) that contains VLANs of the same name but in different administrative partitions, the operation fails with a BIGpipe unknown operation error. To work around this issue, before installing an SCF file, run the b import default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
CR131343 The version of the image2disk utility that shipped with version 9.4.5 does not support the --format option. You can install a new version of the image2disk utility from a version 10.x ISO. First, to uninstall the version of the utility that shipped with 9.4.5, run the command rpm -e tm_install-2-1.0.96.0. The command removes the utility, but posts no message at completion. Then, to install a new version of the utility, run the command im /var/tmp/<iso_file>. For more information, see SOL10702: The image2disk utility that shipped with BIG-IP version 9.4.5 does not support the --format option.
CR131470 Enabling TCP MD5 authentication of TCP connections for BGP on VIPRION systems might result in extended time required for BGP sessions to be established. It may also cause BGP failure of the graceful restart after changing the primary location due to the timeout condition causing temporary loss of BGP peering and deletion of routes learned and advertised through BGP, and resulting in temporary traffic disruption. We do not recommend using TCP MD5 authentication for BGP on the VIPRION system.
CR131475 If you create VLANs in an administrative partition other than Common, but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0. If you later change the default route domain of that partition, the VLAN stays in its existing route domain, unless the VLAN has a self IP address or virtual IP address assigned to it. In that case, the VLAN moves to the new default route domain.
CR131544 If you restart the mcpd process and try to create a FIPS key, the operation occasionally fails with the message Key generation failed: error 11 - Would overwrite file To work around this, restart mcpd and try the operation again.
CR131555 On a system using Packet Velocity application-specific integrated circuit (ASIC) version 2 (PVA2) and version 10 (PVA10), specifically the 3400, 6400, 6800, 8400, and 8800 platforms, if you configure an inband monitor on a virtual server configured for Fast L4 traffic, the Traffic Management Microkernel (TMM) never receives the traffic necessary to mark pool members up or down. You can work around this issue by setting Fast L4 Profile option PVA Acceleration to Assisted on these platforms.
CR131632 If you have 10.1.x installed on a 8400 or 8800 platform and plan to downgrade to 9.4.x, you must net-boot, or boot from removable media. Using the direct installation method results in a failed operation, and the system hangs at logon time.
CR131760 Using an iRule command that suspends operation (for example, after, table, and persist), in a NAME_RESOLVED event causes the iRule to never resume. The workaround is to use the RESOLV::lookup command that suspends operation until resolution, and then returns the lookup result inline.
CR131880 You might see an intermittent blank top banner in the browser-based configuration utility after an upgrade or installation operation. This might be especially likely when you use Microsoft Internet Explorer version 7 on a VIPRION system, and you leave the browser window open between the end of installation and the completion of the reboot operation. In this case, when you log on, the top banner is blank. You can use the browser refresh operation (F5 or Ctrl + F5) to redisplay the banner correctly.
CR131999 The software does not support running small form-factor pluggable (SFP)+ on SFP ports on VIPRION systems that contain PB100 blades, even if the ports are running at 1 GB. Although the system does not prevent you from doing so, and you might find such a configuration functional, we neither support nor recommend running in this configuration.
CR132270 When you run the command b software desired to install the software, and then view the output of bigpipe software status on the command line or watch the progress bar in the Configuration utility, you might notice that progress suspends for approximately three minutes when the operation reaches 10% complete, and again for approximately 1 minute at 100%. These pauses are part of the normal operation of the installation process, and you can safely ignore the suspended activity.
CR132382 If you use the nano command-line editor to edit a multi-line alias command, the operation fails unless you have enabled long line wrap in the nano editor. If the alias is only one line long, the operation works successfully. To enable long line wrap in nano, press Esc + l (the lowercase letter "L", not the number "one"). For more help, see the help for the nano editor. You can also use the vi editor to modify multi-line alias commands.
CR132465 Do not issue the command modify cli admin-partitions while the system is completing a batch mode transaction. If you do, you might encounter a problem that you can remedy by pressing Ctrl + C. Otherwise, the operation eventually times out. You can review content returned when running the command help cli transaction for information about how to remove the admin-partitions command from the transaction.
CR132482 A b load operation fails when pool members are configured with port numbers 63, 66, 172, 211, 564, and 629. The workaround is to use numbers other than these for pool member port configuration. You can also disable the bigpipe utility from converting service names by running the command bigpipe db bigpipe.displayservicenames false.
CR132580 If you set the import save value to 1 and import a single configuration file (SCF), the import operation halts and does not resume. To work around this issue, set the import save value to 2 or more.
CR132691 On the 1500, 3400, 3410, 4100, 6400, 6800, 8400, and 8800 platforms, you cannot establish an outgoing connection from the SCCP using SCCP version 12.0.8.4.0, the version of the SCCP that ships with the 10.1.0 software. To work around this issue, use SCCP version 12.0.6.5.0, the version that ships with version 9.4.8 software.
CR132782 If you modify your password and shell access at the same time, the system does not register the password change. To work around this issue, modify the password and the shell access separately.
CR132909 When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. To work around this issue, change the default to a different domain before the delete operation.
CR132974 Certain packet-size related events can result in messages similar to the following: crit tmm4[5689]: 01010025:2: Device error: hsb internal error PIM_RX_PORT_0_ERRS address 0x0000103c status 0x004e0100 These messages are benign, and you can safely ignore them.
CR132979 The system does not include the .tmshrc file in a ConfigSync operation. That means that each unit in a redundant system configuration has a different set of remote users. You can manually sync the two files by using a utility to copy the file from one system to another.
CR132985 This version of the software does not support monitoring of Microsoft SQL Server 2000 servers.
CR133035 You can create an external monitor that references an executable in the /usr/share/monitors directory. On a VIPRION system, when the system attempts to validate the monitor on a secondary blade (for example, when the primary blade loads a secondary blade), the system posts an error message similar to the following: emerg mcpd[2822]: 0107094e:0: File cache: fatal error (can't create backup file for (/usr/bin/monitors/builtins/SYSLOG_monitor), Read-only file system) (FileCache.cpp:1523) For the monitor to function properly and to prevent this error on VIPRION systems, copy any executable used by an external monitor to the /config/monitors directory.
CR133179 If you have previously run the image2disk utility to install the software, when you run the image2disk utility a subsequent time without specifying a --format style, the system posts the message: Terminal error: SVM (Software Volume Management) is available, and this is not a format request. Please use SVM. This occurs because the 10.0.1 and later software management scheme provides a more substantive set of installation methods: the Software Management screens in the browser-based Configuration utility, the command line use of tmsh install and b software commands, and support for automated and enterprise-level installation and upgrade management operations through Enterprise Manager and the F5 Management Pack using the iControl API. You should use the image2disk utility only for initial installation operations and for subsequent installation operations that also include formatting.
CR133844, ID 224073 Floating route domain self IP addresses do not respond to ping utility commands from the Linux host. If you need to access floating IP addresses using the ping utility, use an external source.
CR133981, CR135997 Currently shipping Federal Information Processing Standards (FIPS) hardware does not support 4096-bit keys. If you try to create a 4096-bit FIPS key, the system posts an error similar to the following: gencert generating 4096 bit FIPS key: error 18 - ERR_KEY_HANDLE_INVALID. This error indicates that the FIPS card cannot handle 4096 bit, in this context. If you try to use the converted key, the system restarts tmm and statsd services, posting emerg logger: Re-starting <service> messages and creating core files.
CR134115 The online help for SSL certificates lists an incorrect command for retrieving not-valid-before certificates. The correct command is openssl x509 -noout -text -in /config/httpd/conf/ssl.crt/server.crt.
CR134321 There is a pause negotiation mismatch in a trunk containing a mix of fiber and copper. To work around this issue, do not mix fiber and copper in the same trunk.
CR134694 The system does not prevent you from deleting a self IP address that an EtherIP tunnel uses, or from creating an EtherIP tunnel using a nonexistent IP address. Doing so, however, results in an inoperable tunnel. To ensure that an EtherIP tunnel operates as expected, do not delete any of the self IP addresses that are associated with VLAN "wan" and specified in the EtherIP tunnel object.
CR135422 The system does not support state mirroring with overlapping IP addresses. If you configure connection mirroring using route domain-compatible state mirror IP addresses, the system does not mirror the connections.
CR135745 When you are connected using the serial console to a multi-drive platform, you might see messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in /var/log/kern.log file. These messages appear during the time a drive is rebuilding, and you can safely ignore them. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH.
CR135992 When you specify a custom ConfigSync user (that is, an account other than admin), if you have specified a maximum number of password failures, the ConfigSync account is subject to the password lockout after the specified number of failures. To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out.
CR136646 The bcm56xxd service's small form-factor pluggable (SFP) plug check mechanism looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) since the check does not look at pluggable media type changes. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. In addition, the Inter-Integrated Circuit (I2C) SFP plug check currently does not update the media option list after detecting module status changes and prior to publishing the information. Media options are otherwise updated/published on link-UP events.
CR136763 After deleting an object, if you change partitions or refresh the screen, the system presents an error message similar to the following: General database error retrieving information. This occurs because the system is trying to display the properties screen for the now-deleted object. To work around this issue, refrain from changing partitions or refreshing the browser until the system correctly registers the delete operation, by navigating to a different location or re-selecting the same location from the navigation menu.
CR136848 When using two Open Shortest Path First (OSPF) router processes with ZebOS, changes on one routing process delete routes that still exist on the other. There is no workaround for this issue.
CR137220 VLAN groups are partitionable objects, so that a VLAN group created in one partition cannot be modified in another partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so results in issues for VLAN groups, so you should not attempt such a configuration.
CR137290 When you use the Wireshark program to view a packet from an EtherIP tunnel, the Wireshark program displays the EtherIP version as 0 rather than 3, as it should. This occurs because Wireshark evaluates the version based on the bottom four bits rather than the top. The Linux EtherIP implementation follows the same format used by coding developer David Kushi, which is correct according to RFC 3378 - EtherIP: Tunneling Ethernet Frames in IP Datagrams.
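The version placement described in CR137290 can be checked directly against captured bytes. The following parser is an added example, not F5 or Wireshark code: it reads the 16-bit EtherIP header as RFC 3378 defines it (version in the top four bits, twelve reserved bits that must be zero) and shows what a reader of the bottom four bits of the first octet would report instead. The sample payload and all function names are constructed for illustration, and requiring a full 14-byte inner Ethernet header is an assumption of this example.

```python
import struct

ETHERIP_VERSION = 3   # RFC 3378: the version field MUST be 3
ETHERIP_HDR_LEN = 2   # 16-bit EtherIP header
ETH_HDR_LEN = 14      # destination MAC + source MAC + EtherType

# Constructed sample: EtherIP header 0x3000, then a minimal inner Ethernet frame.
SAMPLE_PAYLOAD = bytes.fromhex(
    "3000"            # version 3 in the top nibble, reserved bits all zero
    "020000000002"    # inner destination MAC (locally administered, made up)
    "020000000001"    # inner source MAC (locally administered, made up)
    "0800"            # inner EtherType: IPv4
) + b"\x00" * 46      # padding standing in for the inner packet


class EtherIPError(ValueError):
    """Raised when a payload is not a well-formed EtherIP datagram."""


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_etherip(payload):
    """Parse the payload of an IP datagram carrying EtherIP (IP protocol 97)."""
    if len(payload) < ETHERIP_HDR_LEN + ETH_HDR_LEN:
        raise EtherIPError("payload too short for EtherIP and Ethernet headers")

    (header,) = struct.unpack("!H", payload[:ETHERIP_HDR_LEN])
    version = header >> 12        # bits 0-3 on the wire: the top nibble
    reserved = header & 0x0FFF    # bits 4-15: must be zero

    if version != ETHERIP_VERSION:
        raise EtherIPError(f"unexpected EtherIP version {version}")
    if reserved != 0:
        raise EtherIPError(f"reserved bits set: 0x{reserved:03x}")

    frame = payload[ETHERIP_HDR_LEN:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {
        "version": version,
        "dst": _mac(frame[0:6]),
        "src": _mac(frame[6:12]),
        "ethertype": ethertype,
        "inner_frame": frame,
    }


def low_nibble_of_first_octet(payload):
    """Value obtained when the version is read from the bottom four bits."""
    return payload[0] & 0x0F


if __name__ == "__main__":
    parsed = parse_etherip(SAMPLE_PAYLOAD)
    print("version (top nibble):   ", parsed["version"])
    print("version (bottom nibble):", low_nibble_of_first_octet(SAMPLE_PAYLOAD))
    print("inner frame:", parsed["src"], "->", parsed["dst"],
          f"ethertype=0x{parsed['ethertype']:04x}")
```
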
CR137376, CR138046, ID 342197 Installing or upgrading a system that has a full disk can fail. A disk might be full for several reasons, for example:
  • WAN Optimization Module is provisioned as Nominal, which does not allow the system to allocate enough space for the new Maintenance Operating System (MOS) or installation location
  • There are too many installation locations configured
  • Application Security Manager or WebAccelerator System is provisioned for multiple installation locations
  • You are installing/upgrading to version 10.1.0 or later on a version 10.0.x or 9.x partition, which is too small to hold the version 10.1.0 or later image
  • You are upgrading a 6900 or 6800 platform
There are several workarounds, depending on the cause of the disk-full condition. One option is to back up your existing configuration and perform a clean installation, another is to remove unneeded boot locations, another is to deprovision WAN Optimization Module and then save and reboot before upgrading, and there are others. For more information, see SOL10636: Upgrading to BIG-IP version 10.1.0 fails with a 'Disk full' error message.
CR137447-1 Although syslog remote server now supports IPv6 addresses, it does not support IPv6-resolvable hostnames. To use syslog on a remote server, you must use the IPv6 address, and not the hostname that resolves to the IPv6 address.
CR137680 Pagination does not work properly in the browser-based Configuration utility when using the Status filter. The workaround is to look through all pages when using that filter in order to determine the number of objects with the selected status.
CR137868 Occasionally during system startup, you might see an error message similar to the following: err : Could not make connection with MCP, err 16908360 The error is benign, and you can safely ignore it.
CR137877, CR139101 Occasionally during system startup, you might see multiple instances of an error message similar to one of the following: err mcpd[3980]: 01070994:3: tmstat_request: tmstat_subscribe failed: No such file or directory. err mcpd[3682]: 01070994:3: tmstat_request: tmstat_subscribe failed: Unknown error 4126537205. After the system fully initializes, the message disappears and the system runs as expected, so you can safely ignore this message.
CR138146, ID 247909, ID 321972 You might encounter an issue in which the NTP servers do not sync after a system reboot. You can recognize this by running the command ntpq -p to determine whether some of the NTP servers continue to have a refid of .INIT. You might find the issue more pronounced on the VIPRION platform because every blade is an NTP peer of every other blade. (Note that a refid of .INIT is normal for any system with no defined NTP server. F5 strongly recommends defining an NTP server.) This appears to occur only on networks accessible through VLANs, and does not occur with NTP servers serviced by the management port. The issue can be particularly problematic for IPv6 addresses because the system caches the unreachable destination information. To work around the issue, when tmm is up and servicing traffic, run the command bigstart restart ntpd to restart the ntpd process.
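The refid check described in CR138146 can be automated so that unsynchronized peers are caught after every reboot rather than when log timestamps start to drift. The following is an added example, not part of the BIG-IP software: it parses text in the column layout that ntpq -p prints and lists the peers whose refid is still .INIT. The sample output, addresses, and function names are constructed for illustration.

```python
# Characters ntpq prints in the first column to mark each peer's selection status.
TALLY_CODES = " x.-+#*o"

# Constructed sample in the layout printed by `ntpq -p` (addresses are made up).
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.1.5       .GPS.            1 u   41   64  377    0.412    0.031   0.008
 10.20.1.5       .INIT.          16 u    -   64    0    0.000    0.000   0.000
 2001:db8::123   .INIT.          16 u    -   64    0    0.000    0.000   0.000
+10.10.1.6       10.10.1.5        2 u   12   64  377    0.388   -0.120   0.015
"""


def parse_peers(text):
    """Return one dict per peer line; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("="):
            continue
        # The first column is the tally code. If the leading column was lost
        # (for example, by whitespace trimming), treat the whole line as fields.
        if line[0] in TALLY_CODES and not line[1:2].isspace():
            tally, fields = line[0], line[1:].split()
        else:
            tally, fields = " ", line.split()
        if fields[:2] == ["remote", "refid"] or len(fields) < 10:
            continue
        peers.append({
            "tally": tally,
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),   # reach is an octal shift register
        })
    return peers


def init_peers(text):
    """Peers whose refid is still .INIT, the symptom this issue describes."""
    return [p["remote"] for p in parse_peers(text)
            if p["refid"].strip(".") == "INIT"]


def has_selected_source(text):
    """True when some peer carries the '*' tally (the current sync source)."""
    return any(p["tally"] == "*" for p in parse_peers(text))


if __name__ == "__main__":
    stuck = init_peers(SAMPLE_NTPQ_OUTPUT)
    print("peers still at .INIT:", ", ".join(stuck) or "none")
    print("sync source selected:", has_selected_source(SAMPLE_NTPQ_OUTPUT))
```

A refid of .INIT on a system with no NTP server defined is expected, as the note above says, so a result from init_peers only indicates this issue when the listed peers are servers you configured.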
CR138343 If you halt an in-progress installation operation (for example, by pressing Ctrl + C in response to the manufacturing installation menu that appears when booting from a DVD, thumb drive, or Pre-boot Execution Environment (PXE) server) the system leaves a boot partition mounted, which causes all subsequent installation-related operations to fail. When this occurs, the system posts errors and messages similar to the following: info: Initializing partition table on disk: hda1 error: sfdisk failed; bc_ratio=504, total_KiB=8257032, total_cyl=16383 Can't save log permanently; no boot volume available. Log saved to /tmp/install.log To work around this issue, you can unmount the boot partition. To do so, run the following command, substituting the disk name listed in your error messages for /hda1: umount /dev/hda1. You can now proceed with other command-line installation tasks such as diskinit and image2disk operations.
CR138348 On the 11050 platform, if the system halts unexpectedly, or when you shut down the system using Always-On Management (AOM) menu option 3 (or other AOM shutdown options), the LCD does not reset. It simply freezes and shows whatever was on the LCD when the system went down. On other platforms, the LCD changes to show that the system is powered off or shutting down.
CR138432 HTTP Class profiles are prioritized alphabetically rather than in the order given. There is no workaround for this issue.
CR138442 On a system that is actively learning dynamic routes, if you run a b import default command, tmm asserts, and writes to the log file error messages similar to the following: 0x0050da4c in tmm_panic, 0x0050da81 in tmm_assert, 0x006fcdf3 in route_delete, and others. To work around this issue, do not run the b import default command while a system is actively learning dynamic routes.
CR138558 A Diameter origin-host attribute with 50 or more characters causes BIG-IP systems to fail on Device-Watchdog-Request (DWR). The workaround is to use origin-host attributes of fewer than 50 characters.
CR138780 On first boot after initial installation on VIPRION systems, occasionally the system needs to reboot. In these cases, during the shutdown preceding reboot, you may see warnings from bigstart about getdb failing. In this context, these messages are harmless and may be ignored.
CR139347 The installer allows you to install version 9.x software onto 8950 (D107) or 11050 (E102) platforms; however, version 9.x software does not support the 8950 or 11050 platform. Installing 9.x software onto 8950 or 11050 platforms might result in a nonfunctional system, so do not install version 9.x software onto 8950 or 11050 platforms.
CR131945, CR139352 Do not use the image2disk utility command --noarray option in conjunction with the --format=partitions option. Doing so can result in a nonfunctional system. Any command containing the --noarray option should always include the --format=volumes option. This essentially removes RAID and replaces it with a single disk that uses logical volume management (LVM).
CR139534 If you use the bigpipe or tmsh utilities to set the import save limit to 1 (one) (by using the tmsh command modify cli global-settings import-save 1 or the bigpipe command cli import save 1), the system appears to hang when you import a single configuration file (SCF). To work around this issue, set the import limit to a value greater than 1. The default value is 2.
CR139563 When a server is one hop away in a route domain configuration, after a bigstart restart operation, the BIG-IP system fails to communicate with that server. To enable communication, the system must first resolve the IP address for the gateway, so you can work around this issue by monitoring the gateway IP address.
CR139588 On a partitioned system, if a 9.x installation operation fails or halts for any reason, including being canceled by the customer, subsequent installation operations fail and post the following messages to the liveinstall.log file:
  info: /dev/sda5 is mounted; will not make a filesystem here!
  error: VolumeSet_rebuild_fs(sda, 1) failed
  Terminal error: Failed to install. See log file.
To work around this issue, always reboot the system after a failed installation operation, and then try the operation again. Note that this occurs only with halted version 9.x installation operations. Halted version 10.x installation operations do not exhibit the issue.
CR139591 When you run the command tmsh list ltm pool <pool_name> all-properties, the system does not display the status property for the pool member, unless you have forced the pool member down, in which case the system shows a status of down. To work around this issue, run the command tmsh show ltm pool <pool_name> detail.
CR139668 You should not use the tmsh utility commands session monitor-enabled | disabled or the equivalent bigpipe utility commands session mon enabled | disabled; however, the system does not prevent you from doing so. This type of status should be controlled by the monitor option Receive Disable String. Running these commands overrides the actual state of the pool member or node, so that the system reports a disabled state regardless of whether the monitor sets the pool member or node into the disabled state. The state remains disabled until you run the b load command, which returns you to the correct state. If you meant to enable or disable the pool members or nodes, you can use the tmsh utility commands session enabled | disabled or the bigpipe utility commands session user enabled | disabled.
CR139754 On the 1500 and 3400 platforms with 1 GB of memory, you cannot simultaneously format and upgrade to version 10.2.x. If you run the image2disk command with the --format=volumes or --format=partitions option on a 1 GB 1500 or 3400 platform formatted for partitions, the installation operation halts with the following message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required. This occurs because the system must move all of the product sources into memory so that the disk can be reformatted. This occurs only when formatting and upgrading to version 10.2.0 simultaneously. The workaround is to use a thumb drive or DVD USB drive as the installation source, or to use a PXE installation method. For more information, see SOL11396: Error message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required. Note that in all cases, when upgrading from 9.x, you must first run the im command against the 10.x.iso file to extract the 10.x installation utility. You can find specific instructions in Upgrading from earlier versions.
CR139782 The online help for pool member ratio states that the supported range is from 1 to 65535. The actual supported range is from 1 to 100.
CR139786 If you use special characters in a pool name, the system posts an error message stating that only the following characters are allowed .*/-:_?=@,&. In fact, pool names only accept period (.), underscore (_), and hyphen (-).
CR140154 This release does not support using a command that suspends iRule processing (session, persist add/lookup/delete, table, after) in the AUTH_RESULT event in an iRule. There is no workaround for this issue.
CR140238 When you apply a version 10.x hotfix, the base software ISO image must be present in the /shared/images directory, along with the hotfix image. If there is no base software ISO image, no hotfix update operation begins, and the system presents a message similar to the following: waiting for image (BIG-IP 10.0.1 402.16). This message is misleading. The system is actually waiting for the base image. For example, for version 10.0.1, the base image is BIGIP-10.0.1.283.0.iso. To work around this issue, copy the base ISO image BIGIP-10.x.x.xxx.x.iso file to the /shared/images directory, and try the hotfix update again.
ID 223787 On a back-end server that has a passive monitor assigned to it along with an active pool member or an active node monitor, when a monitor other than the passive monitor marks a pool member down, the system writes out a core file and posts the following message: notice panic: ../base/pool.c:3453: Assertion "Pool member is passive downed" failed. The workaround is to remove the passive monitor from the pool member.
ID 223959 A BIG-IP system has limits to the number of objects that may be configured when the configuration contains virtual servers for which Packet Velocity ASIC (PVA) acceleration is required. If more than the specified maximum number of objects is configured, virtual servers that otherwise qualify for PVA acceleration are demoted to wire mode (no PVA acceleration). For more information about the maximum number of objects allowed for the PVA, refer to SOL11038: Configuration sizing and PVA acceleration.
ID 339850 Although the system allows you to create a node whose name contains a leading digit, the bigpipe utility rejects service names with leading digits. This can cause bigip.conf to fail to load, including a bigip.conf file that you upgraded from version 9.x. For example, if you have a pool with a member named 3446, when you load the bigip.conf file, the system posts the error:
  BIGpipe parsing error: 012e0022:3: The requested value (10.0.0.1:3comfaxrpc }) is invalid (show | <pool member list> | none) [add | delete]) for 'members' in 'pool'
To work around this issue, run the command b cli service number to have bigpipe use service numbers instead of names.
ID 343150 When you specify Use Primary Connection Mirror Address as the ConfigSync Peer setting, and Network Mirroring is configured with IPv6 addresses, ConfigSync output contains the following strings:
  [root@ltm-61:Active] config # b config sync
  Checking configuration on local system and peer system...
  Peer's IP address: 2222::2
  Synchronizing Master Keys...Sync: No peer Address or invalid peer address
  Saving active configuration...
To work around this issue, you can use IPv4 addresses, or you can select the ConfigSync Peer setting Specify IP Address and specify the IPv6 address manually.
ID 345909 To halt a VIPRION 2400 blade, use the halt command rather than the shutdown command. If you use the shutdown -h now command, the system does not halt, but instead reboots.
ID 347605 During hardware power-up, you might observe diagnostic output similar to the following messages:
  BoardInit0
  HvmLoadStart
  CpuInit0
These messages represent diagnostic output from the BIOS that has no effect on the operation of the system. You can safely ignore these messages.
ID 349340 You cannot simultaneously move to logical volume management (LVM) and install a hotfix. If you run the image2disk command with both the --hotfix and --format=volumes options, the system completes the hotfix installation, but does not format the drives. To work around this issue, format the system for volumes first, and then install the hotfix update.
ID 350888 This version of the software does not support IPv6-formatted IP addresses on the management port. To work around this issue, you can use IPv4-formatted IP addresses for configuring the management port.
ID 351874 When importing an ISO image into the Software Management screens in the Configuration utility, some browsers (for example, Microsoft Internet Explorer and Google Chrome) show /fakepath/ instead of the actual file path. This is expected behavior for HTML5-compatible browsers. You can work around this by adding the site to trusted sites. In addition, in Internet Explorer, you can set the option Include local directory path when uploading files to a server on the Tools > Internet Options > Security > Custom level Security Settings - Internet Zone screen.
ID 354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart the tmm daemon.
ID 354518 The VIPRION 2400 has an RJ45-type connector for the Console port. Part of the updated functionality of the Always-On Management (AOM) serial port includes auto-baud, meaning that when you connect a cable to the Console port and issue a break from the keyboard, the system enables scrolling through baud rates using the return key. If you accidentally plug an active Ethernet cable (that is, a cable carrying network traffic rather than serial terminal data) into the Console port, when you power up the blade, the auto-baud functionality might engage, even though the cable is not connected to a valid serial terminal. This occurs because, depending on the traffic on the cable, network communications can simulate the effect of issuing a break, which initiates auto-baud. If you are already in this condition, after you remove the Ethernet cable and connect a valid serial cable, you will likely see garbled content on the serial terminal until you reset the AOM serial port’s baud rate to match the terminal’s baud rate. To synchronize AOM and terminal baud rates:
  1. Issue a break (using the <BREAK> key on the keyboard).
  2. Press return to have AOM cycle through the supported baud rates (115200, 57600, 38400, 19200, and 9600).
  3. When the baud rates are synchronized, the following prompt appears: --- Press <ESC>( for AOM Command Menu. You can then press Esc ( to access the AOM Command Menu.
ID 355294 On a cluster, installing a User Configuration Set (.ucs) file containing dynamic routing fails to assign IP addresses to the ZebOS Network Services Module (NSM) interface. As a result, dynamic routing does not work. The workaround is to restart the tmrouted daemon by running the following command: clsh bigstart restart tmrouted.
ID 355432 When a watchdog event happens, chmand logs false power-related failures. Here is the complete message from the ltm log related to the watchdog event:
  Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: CPLD indicates prior Host CPU subsystem reset
  Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: CPLD indicates prior System error
  Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: CPLD indicates prior Host CPU subsystem power-off
  Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: Host CPU subsystem reset - PCI reset asserted
  Mar 30 11:51:31 RackC641 notice chmand[3557]: 012a0005:5: Host CPU subsystem reset caused by a Southbridge system reset
  Mar 30 11:51:31 RackC641 warning chmand[3557]: 012a0004:4: System error caused by Host CPU(s) indicating thermal trip event
  Mar 30 11:51:31 RackC641 warning chmand[3557]: 012a0004:4: System error caused by DC-DC converter power output suspect
  Mar 30 11:51:31 RackC641 warning chmand[3557]: 012a0004:4: Mercury CPLD DC power error register = 0xff
  Mar 30 11:51:31 RackC641 warning chmand[3557]: 012a0004:4: Mercury CMOS Host Watchdog Reset Counter indicates 1 previous watchdog timer reset(s).
These messages are incorrect, and you can safely ignore them.
ID 355555 Virtual servers attached to a Fast HTTP profile sometimes send TCP resets after getting HTTP headers on the first few connections. This starts to clear up on its own after the first few connections.
ID 356467 IPv6 traffic is not evenly balanced across the links of a trunk. There is no workaround for this issue in this release.
ID 356611 You can invoke imish (the shell for configuring dynamic routing) from tmsh. When you subsequently press Ctrl + Z, sshd and imishd start consuming CPU until the imish shell times out. This occurs when tmsh is not the login shell. If the system is already in this state, run the fg command, and then exit imish.
ID 358685 You may see messages similar to the following on starting up the VIPRION 2400. These are innocuous and may be ignored:
  PCI: Cannot allocate resource region 2 of device 0000:0a:00.0
  PCI: Cannot allocate resource region 2 of device 0000:0a:00.1
  PCI: Cannot allocate resource region 2 of device 0000:0c:00.0
  PCI: Cannot allocate resource region 2 of device 0000:0c:00.1
ID 359864 If the power cord to the power supply unit (PSU) is removed, the primary blade alarm LED lights, but there might not be warning messages on the LCD or console until two minutes after power cord removal. When the message appears, you can clear the alarm LED/LCD by pressing the Check button on the LCD module. If the LCD is not plugged in when the power cord is removed, the warning message appears on the LCD screen within two minutes of plugging the LCD module into the primary blade USB port, at which time you can clear the message by pressing the Check button on the LCD module. If you want to see the warning immediately, you can run the command system_check -D after removing the power cord. If the PSU is removed during the two-minute interval after the power cord is removed, the PSU-removal warning message might not display on the LCD module or the console screen, although the blade alarm LED turns red right away. To clear the blade alarm LED, you must run the command clearlcd_emergency.
ID 360263 In this release, the VIPRION 2400 reports a CPU Count of 8 instead of the expected 4 on the Device Configuration screen in the browser-based Configuration utility. This occurs because the implementation of hyper-threading causes the system to report double the actual number of cores. There is no workaround for this issue.
ID 360673 Intermittently, a blade might not achieve active (green) status. When that occurs, there is an associated notice in the tmm log file: notice MPI stream: connection to node 127.10.4.5 lost. This occurs when a blade other than the primary blade comes up as blade 1 at start up. This issue does not occur when the blades are licensed. To work around the problem, license the blades before rebooting them.
ID 360677 Upon issuing the halt command the blade's LEDs immediately reflect the halt state. However, the blade is not truly halted for several more seconds. Make sure to wait until the halt process completes before removing a blade. You can tell the blade is halted by the message on the console: System Halted. If you are not on the console, you can tell a blade is halted when you can no longer ping the slot using the ping slot3 (or similar) command. You can also determine halt status by running the command tmsh show sys cluster. When the system returns unknown enabled false unknown shutdown for the blade, the blade is halted, and you can safely remove it.
ID 361028 In rare instances the bigpipe interface might show the management port (MGMT) as UP when there is no Ethernet physically connected to the port. The issue can usually be remedied with a blade reboot.
ID 361068 Very rarely, the system can panic on startup or during reboot with the following error: Kernel BUG at mm/slab.c:2650 invalid opcode: 0000 [1] SMP. This issue occurs on all platforms except on 2000s, 2200s, 4000s, and 4200v platforms, or on Virtual Edition and any vCMP Guest. For this error to occur, the system must be running one of the following versions: TMOS v10.2.3 (including HF1 and HF2), and TMOS v10.2.4 (including HF1, HF2, HF3, HF4, HF5, HF6, and HF7). The issue might be seen after a number of sequential reboot operations. When the issue occurs, the system posts the error and reboots the system. Although there is no workaround, after the error occurs, the system should reset itself and boot up normally.
ID 363331 The BIG-IP system might not allocate swap space after an upgrade or fresh install. This occurs on BIG-IP systems using the partitions disk formatting scheme. See SOL13061: The BIG-IP system may not allocate swap space after installation or upgrade. To work around this issue, you can enable the partition for swap space. To do so, perform the following procedure:
Important: The procedure requires the BIG-IP system to be rebooted, which might result in a service interruption.
  1. Log in to the BIG-IP system command line.
  2. Back up a copy of the /etc/sysconfig/init file by typing the command cp -p /etc/sysconfig/init /var/tmp/init.sol13061.
  3. Open the /etc/sysconfig/init file using a text editor.
  4. Change the option AUTOSWAP=no to AUTOSWAP=yes.
  5. Save the file, and exit the text editor.
  6. Activate the change by rebooting the BIG-IP system by typing the command reboot.
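
Steps 2 through 5 of the procedure above can also be scripted. The following is an added example, not part of the original release note or F5 tooling; the function names, exit codes, and sample file are assumptions made for illustration. It refuses to overwrite an earlier backup, does nothing if the option is already set, and does not reboot the system.

```shell
#!/bin/sh
# Added example: scripted form of steps 2-5 for ID 363331.
# Function names and exit codes are assumptions, not F5 tooling.

enable_autoswap() {
    init_file=${1:-/etc/sysconfig/init}
    backup=${2:-/var/tmp/init.sol13061}

    [ -f "$init_file" ] || { echo "not found: $init_file" >&2; return 2; }

    # Already set: nothing to change and no backup is written.
    if grep -q '^AUTOSWAP=yes[[:space:]]*$' "$init_file"; then
        return 0
    fi

    # Expect exactly one AUTOSWAP=no line; anything else needs a manual look.
    count=$(grep -c '^AUTOSWAP=no[[:space:]]*$' "$init_file" || true)
    [ "$count" -eq 1 ] || {
        echo "expected one AUTOSWAP=no line, found $count" >&2; return 3; }

    # Step 2: back up with mode and timestamps preserved; never clobber
    # an earlier backup, which may be the only copy of the original.
    [ ! -e "$backup" ] || { echo "backup exists: $backup" >&2; return 4; }
    cp -p "$init_file" "$backup" || return 5

    # Steps 3-5: build the edited file beside the original (cp -p first so
    # it inherits the mode), then rename it into place in one operation.
    tmp="$init_file.autoswap.$$"
    cp -p "$init_file" "$tmp" || return 5
    sed 's/^AUTOSWAP=no[[:space:]]*$/AUTOSWAP=yes/' "$backup" > "$tmp" \
        || { rm -f "$tmp"; return 5; }
    mv "$tmp" "$init_file" || { rm -f "$tmp"; return 5; }

    # Confirm the option now reads AUTOSWAP=yes.
    grep -q '^AUTOSWAP=yes$' "$init_file"
}

# Runs the function against a constructed sample file in a scratch
# directory (not a real BIG-IP file) and prints the resulting option line.
demo_autoswap() {
    dir=$(mktemp -d) || return 1
    printf 'BOOTUP=color\nAUTOSWAP=no\nPROMPT=yes\n' > "$dir/init"
    enable_autoswap "$dir/init" "$dir/init.sol13061" \
        || { rm -rf "$dir"; return 1; }
    grep '^AUTOSWAP=' "$dir/init"
    rm -rf "$dir"
}
```

Called with no arguments, enable_autoswap uses the file and backup paths given in the procedure; step 6 (the reboot) is left to the operator so that it can be scheduled around the service interruption.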

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.
