Software Release Date: 11/03/2004
Updated Date: 12/11/2013
This release note documents the version 9.0.2 feature release of BIG-IP® Local Traffic Manager and Load Balancer Limited. To review the features introduced in this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running BIG-IP version 4.5 PTF-04 through version 4.5.10, and to systems running version 9.0 and later. (Note that you cannot apply this upgrade to systems running BIG-IP version 4.6 software.) For information about installing the upgrade, please refer to Installing the software.
Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.
The Configuration utility (graphical user interface) supports the following browsers:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release applies only to the supported platforms listed below; each one provides all minimum system requirements. This release supports the following platforms:
If you are unsure of which platform you have, look at the sticker on the back of the chassis to find the platform number.
There are several installation options to consider before you begin the version 9.0.2 software installation.
Important: You are prompted to install the software on multiple slots if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), and BIG-IP 6400 (D63) platforms support this functionality. The IM upgrade does not add the multiple boot functionality. If you want this functionality on a supported platform, you must choose another installation method.
For information about how to download software images, refer to SOL167: Downloading software from F5 Networks.
This release includes the following new features and fixes.
Multiple boot installations (CR40912)
The version 9.0.2 release includes a new multiple boot capability. With this release, you can now install the software on multiple disk slots in the system. A slot is a portion of a drive with adequate space required for an installation. If the hardware supports multiple slots, you are prompted to install the software on multiple slots during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), and BIG-IP 6400 (D63) platforms support this functionality. There are several benefits of running a system with a multiple slot installation.
You can use this new feature if the unit contains a supported hardware configuration: more than one drive (for example, a CompactFlash® media drive and a hard disk drive), or a hard drive. After you have installed the software on multiple slots, you can change which slot boots when you start the system. For details about using this functionality, see Using the switchboot utility.
Important: The IM upgrade does not add the multiple boot functionality. If you want this functionality on a supported platform, you must choose another installation method.
High availability: New Restart All action (CR40406)
This release includes a new option for high availability, Restart All. When you select this option for a high availability setting, the system restarts all system services, not just the affected service. For additional information, review the online help for the configuration options on the System >> High Availability screens.
Local traffic pools: New Slow Ramp Time option (CR40590)
When you take a pool member offline, and then bring it back online, the pool member can become overloaded with connection requests, depending on the load balancing mode for the pool. For example, if you use the Least Connections load balancing mode, the system sends all new connections to the newly-enabled pool member (because technically it has the least amount of connections). When you configure the Slow Ramp Time option, the system sends less traffic to the newly-enabled pool member. The amount of traffic is based on the ratio of how long the pool member has been available compared to the slow ramp time. Once the pool member has been online for a time greater than the slow ramp time, the pool member receives a full proportion of the incoming traffic. To configure the slow ramp time option, review Configuring slow ramp time for a pool, in the Optional configuration changes section of this release note.
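A minimal model of the behaviour described above, as an added example (not F5 code and not the BIG-IP algorithm). It assumes Least Connections, connections that never close, and a re-enabled member whose connection count is divided by the ratio of online time to slow ramp time before it is compared; the member names, rates and scoring rule are assumptions made for illustration.

```python
def ramp_factor(online_for, slow_ramp_time):
    """Ratio of time online to the slow ramp time, capped at 1.0.

    A slow ramp time of 0 means the option is not configured.
    """
    if slow_ramp_time <= 0:
        return 1.0
    return min(1.0, online_for / slow_ramp_time)


def pick_member(conns, new_member, factor):
    """Least Connections, with the re-enabled member's count scaled up.

    Dividing by the ramp factor makes the new member look busier than it
    is while it is still ramping (assumed model, see lead-in).
    """
    def score(member):
        if member != new_member:
            return conns[member]
        return conns[member] / factor if factor > 0 else float("inf")
    return min(conns, key=score)


def simulate(slow_ramp_time, seconds, rate=10, established=100):
    """Return how many new connections member "c" receives each second.

    Members "a" and "b" already hold `established` connections; "c" has
    just been re-enabled with none. `rate` connections arrive per second.
    """
    conns = {"a": established, "b": established, "c": 0}
    per_second = []
    for t in range(seconds):
        factor = ramp_factor(t + 1, slow_ramp_time)
        got = 0
        for _ in range(rate):
            member = pick_member(conns, "c", factor)
            conns[member] += 1
            got += member == "c"
        per_second.append(got)
    return per_second


if __name__ == "__main__":
    print("no slow ramp :", simulate(0, 12))
    print("30 s ramp    :", simulate(30, 12))
```

Without the option, the re-enabled member absorbs every new connection until it catches up with its peers; with a 30-second ramp it takes only part of each second's arrivals.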
User authentication method now configurable for SSL client certificate LDAP authentication (CR37259)
If you use SSL client certificate LDAP (SSL CC LDAP) authentication, you can now specify a UserClass object, for client authorization. Previously, you could not configure the UserClass object. The default setting is StrongAuthenticationUser.
New options for iRules (CR40241, CR41153)
The following options have been added to the iRules syntax.
| HTTP_REQUEST_SEND | This server-side event is raised just before a request is sent to the server. |
| IP::ttl | This command reports the TTL for an inbound IPv4 or IPv6 packet. |
SNMP MIB updates (CR40526, CR40571, CR40849, CR40893)
This release includes the following SNMP OID updates related to new functionality.
|OID Name||OID Value|
HTTP profile: New Maximum Requests option (CR40859)
The HTTP profile now includes the Maximum Requests option. This setting specifies a maximum number of requests that can be made on a single keep-alive connection. When the limit is reached, the final response contains a Connection: close header, which closes the connection. The default behavior does not restrict the number of requests per connection.
Both units in a redundant system remain in active mode after initial configuration (CR34060)
When you configure a redundant system, the first unit now goes into standby mode after you configure the second unit.
Modifying properties of a route (CR36732)
In the Configuration utility, you can now modify the properties of a route, in the Network section. For additional information, see the online help for the route properties screen.
ISO image/CD now includes the source for building the Real Monitor plug-in for UNIX and Linux systems (CR39359)
The version 9.0.2 ISO image now includes the source code for compiling the Real Monitor for RealServer 8.0 on Linux and UNIX systems. If you are load balancing to RealServer 8.0 servers, you need to compile the source so that you can use the real_server monitor. For additional information, see Compiling the real_server monitor plug-in for UNIX and Linux systems, in the Optional configuration changes section of this release note.
Error message when resetting iRules statistics in the Configuration utility (CR39580)
You no longer see the error message Statistics not implemented when you reset the iRules statistics from the Overview > Statistics > iRules screen.
License activation and system time (CR39659)
When you are activating a license, and the hardware clock time is more than 24 hours different than the time on the F5 Licensing server, the system now generates an error and redirects you to the License Keys screen. Re-type the registration keys and continue with the licensing process. The system regenerates the dossier with a current timestamp.
SNMP trap configuration (CR39782)
In the Configuration utility, on the SNMP > Traps > Configuration screen, changing the Device setting now works properly.
Setting active-active or active-standby mode on a redundant system (CR39829)
You no longer need to run the bigstart restart command to get the units in a redundant system into the correct mode.
OTCU: Converting node attributes (CR39842)
The One Time Conversion Utility (OTCU) now explicitly indicates that it does not convert the node attributes virtual or actual, if they are present in a 4.5.X configuration.
Changing failover peer IP address in the Configuration utility (CR39845)
In the Configuration utility, if you change the IP address for the failover peer (in a redundant system), the change now takes effect without additional configuration.
Clearing the Nokia SNMP alarm log (CR39901)
The snmpget command now properly clears the contents of the Nokia SNMP alarm log.
iRules: Setting renegotiation on SSL Client Certificate requirement (CR39918)
The SSL::cert mode require command now properly requires a client certificate for all URLs.
Running Config Sync or restoring a .ucs file and node monitors (CR39923)
When you run the Config Sync operation, or restore a *.ucs file, the system no longer resets all monitor instances for nodes.
Errors in the bigip.conf file and the pvad utility (CR39929)
When you edit the bigip.conf file by hand, and you introduce configuration errors, the pvad utility no longer generates a core file when you try to load the configuration.
Creating VLANs with no interfaces in the Configuration utility (CR40035)
In the Configuration utility, if you create a VLAN and you do not associate any interfaces with it, the system no longer generates a page error.
Resetting interface statistics (CR40059)
In the Configuration utility, if you reset the interface statistics, you no longer see an error message.
Deleting records from the dynamic ARP list in the Configuration utility (CR40073)
Using the Configuration utility to delete records from the dynamic ARP list no longer causes problems.
Manually adding a configuration item in the bigip.conf file and syntax errors (CR40206)
In the bigip.conf file, manually adding a configuration object in front of another object that the system cannot load no longer destabilizes the system.
Certificate chains in SSL (CR40580)
The system now processes intermediate certificates properly, when you have a certificate chain configured.
iRules log messages over 1024 characters (CR40560)
The system no longer experiences fatal errors when log messages for iRules contain more than 1024 characters.
iControl: Loading the SystemServer.so module (CR40684)
The iControl portal now loads the ITCMSystemServer.so module and the SystemServer.so module in the proper order, so that both modules are loaded correctly.
Adding self IP addresses without netmasks (CR40693)
When you add a self IP address, you must also add a netmask. Previously, you could add a self IP without a netmask, which generated errors.
Forcing the 1000baseFX media option for fiber gigabit ports (CR40706)
You can now force the system to use the 1000baseFX media setting for fiber gigabit ports, rather than having the system auto-negotiate the media setting. Note that this does not apply to copper gigabit ports.
BIG-IP version 9.0 examples in the iControl SDK (CR40830)
In the iControl SDK, the examples for BIG-IP version 9.0 now show the correct conversion for 64-bit counters.
Starting the radvd service and ppp0 interface error messages (CR40894)
If you are using the IPv6 module on the BIG-IP system, and you start the route advertising service (radvd) using the instructions in the following file, /etc/radvd.conf.example, you no longer see error messages regarding the ppp0 interface.
iControl: return response to IP addresses that contain all zeros (CR40974)
When an IPv4 or IPv6 address is composed of all zeros, iControl now returns 0.0.0.0 (IPv4) or 0:0:0:0:0:0:0:0 (IPv6), instead of none.
SSL hardware accelerator and processing obscure ciphers in OpenSSL (CR41056)
When OpenSSL is processing some obscure ciphers, it no longer causes the SSL hardware accelerator to stop functioning. This issue affected the following platforms: BIG-IP 1000, BIG-IP 2400, BIG-IP 5100, BIG-IP 5110.
Changing HTTP profile settings and updating the system (CR41118)
When you make changes to the HTTP profile settings, the system now properly updates all affected processes with those changes.
HTTP profile: Using Tcl expansion in header insert and fatal system errors (CR41119)
The system no longer experiences fatal errors if you define an HTTP profile with a header insert that uses Tcl expansion, and the expansion fails.
512-bit keys and the SSL hardware accelerator (CR41172)
The system now properly handles 512-bit keys on the following platforms: BIG-IP 1000, BIG-IP 2400, BIG-IP 5100, BIG-IP 5110.
Cookie headers with empty value and cookie parsing (CR41176)
If a Cookie header contains an empty value, cookie parsing no longer fails.
Advanced routing module service (zebosd) now starts by default (CR41329)
The system service that runs the advanced routing modules, zebosd, now starts automatically. Note that the advanced routing modules are available as an add-on feature, and are not part of the system by default.
snmp_dca monitor (CR41400)
The snmp_dca monitor now works properly.
Using multiple LDAP servers and modifying the PAM SSL Client Certificate LDAP Authentication module (CR41590)
If you specify multiple LDAP servers in the SSL Client Certificate LDAP Authentication PAM module, the system now properly manages the server entries.
iControl: Class::add_string_class_member on external read/write class (CR41703)
In the iControl API, if you use the Class::add_string_class_member method on an external read/write class, you now get the proper response instead of Operation Failed.
BGE driver and soft resetting due to transmitter failure error messages (CR42178)
We have corrected the issues that caused the BGE driver for the network interfaces to report the following error message: soft resetting due to transmitter failure.
X509::serial_number option in iRules and large serial numbers (CR42282)
When you use the X509::serial_number option in an iRule, the iRule no longer returns -1 for large serial numbers.
ZLib compression library vulnerability (VU#238678)
We corrected a denial of service vulnerability that was found in the ZLib compression library versions 1.2.x. The problem arose from incorrect error handling in the inflate() and inflateBack() functions. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CAN-2004-0797 to the problem.
SSL client certificate LDAP authentication and start_tls failure (CR38967)
Client certificate LDAP authentication now correctly handles start_tls failures.
LACP support (CR39554, CR39872)
Link aggregation control protocol (LACP) is fully supported in this release.
Connection mirroring (CR39548, CR39779, CR39892, CR39894, CR39895, CR39905)
Connection mirroring is fully implemented in this release.
Truncated subscription ID in error messages and iControl applications (CR39987)
The system no longer truncates the subscription ID when it generates an error message.
bigpipe daemon overdog watchdog disable command writing to bigip.conf correctly (CR40117)
The bigpipe daemon overdog watchdog disable command now handles default settings correctly when writing to the bigip.conf file.
SSL records that straddle packets may destabilize the system (CR40119)
Overlapping SSL records no longer destabilize the system.
Once you have installed the software, you can use any of the following new configuration options to update your configuration.
The .iso image for the version 9.0.2 software now includes the source and makefiles for compiling the real_server monitor plug-in for UNIX and Linux systems. The following instructions explain how to access the files you need to compile the plug-in.
The following instructions explain how to configure the new slow ramp time option for local traffic pools, as described in the New features section of this release note. The slow ramp time option specifies a length of time during which a newly enabled pool member receives only a fraction of any new connections to the pool.
To configure slow ramp time using the Configuration utility
You can use the switchboot utility from the command line to select which installed image boots. To run the switchboot utility, type the following command:
A list of slots and their descriptions displays. Type the number of the slot you want to boot at startup. When you reboot the system, it boots from the slot you specify. The file /SLOT contains one line, where <n> is the slot number relative to zero from which you are currently booted:
If there is only one slot available, the switchboot utility displays a message similar to this one and exits.
There is only one slot to choose from: title BIG-IP 9.0.2 Build 18.0 - drive hda.1
Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.
To use switchboot in non-interactive mode
If you know which slot you want to boot, you can type the following command and specify the slot number for <slot_number>:
switchboot -s <slot_number>
To use switchboot to list available slots
If you want to list the available slots without specifying a new slot from which to boot, type the following command:
To list options for switchboot
To list the options for the switchboot utility, type the following command:
To view the contents of the boot configuration file using switchboot
You can view the complete contents of the boot configuration file (grub.conf) with the following command:
This command is slightly different from switchboot -l in that -l only lists the slot header lines, while -d displays the complete file.
The following items are known issues found in the 9.0.2 release. For a complete list of known issues in this release, refer to the BIG-IP version 9.0 Release Notes.
Manually copying a UCS file to a slot with a clean installation (CR41518)
We recommend that you use the installer functionality to install UCS files on installation slots. A UCS file copied manually to a slot with a clean install may not load properly. The reason for this is that the host name must be set prior to installing the UCS. The installer automatically picks up the host name when it rolls a UCS file forward.
Interface statistics tracking (CR40449)
The system may display erroneous statistics data for interfaces, for example, 4GB of dropped packets on a system that has been running for only an hour.
1500, 3400, and 6400 platforms: SSH session remains open after peer unit is rebooted (CR40503)
When you establish an SSH session between two units on the 1500, 3400, or 6400 platforms, and you reboot the unit to which you established the SSH session, the SSH session remains open until it reaches its timeout.
Using trunks on a BIG-IP 2400 (D44) IP Application Switch (CR40507)
On a BIG-IP 2400 platform, if you connect multiple ports to one switch you may form a bridging loop, which causes the TMM to restart repeatedly. To avoid this issue, enable spanning tree protocol if you connect multiple ports to one switch.
SIP persistence and persist iRule commands (CR40579)
In this release, the persist iRule commands do not support SIP persistence.
HTTPS monitor fails with EDH cipher (CR40629)
The HTTPS monitor does not work properly with the EDH cipher.
The bigpipe utility and cipher names with hyphens (CR40661)
The bigpipe utility does not properly recognize cipher names that contain hyphens, for example, AES128-SHA.
Client SSL and Server SSL profiles and time stamps on key or certificate files (CR40677)
The Client SSL and Server SSL profiles currently do not add time stamps to SSL certificate or SSL key files.
Deleting virtual servers and virtual addresses in the Configuration utility (CR40944)
In the Configuration utility, when you modify a property on a virtual address (change it from the default), and then delete the virtual server with which the virtual address is associated, the virtual address remains in the configuration and you cannot delete it. To work around this issue, you can edit the bigip.conf file from the command line, and then run the bigpipe load command to update the configuration file.
OTCU: Displaying monitors saved at pool level in the Configuration utility (CR40977)
After you run the OTCU to convert your 4.5.X configuration to a 9.0.X configuration, you cannot view the monitors on pool members until after you run the bigpipe load command twice, from the command line. Alternately, you can reboot the system.
Changing the system's time zone in the Configuration utility and logging time stamps (CR41149)
When you change the time zone for the system on the System: General Properties screen, the log file entries do not reflect the updated time until you run the bigstart restart command from the command line.
SCCP and errors after switching back to a slot with a 9.0.1 installation (CR42216)
On a multiple boot system, when you change to a slot with a 9.0.1 installation from a slot with a 9.0.2 installation, you may encounter errors with some system services. To avoid these errors, you must reboot the SCCP after you boot the 9.0.1 software. To reboot the SCCP, follow these instructions.
SSL client certificate LDAP authentication and using uppercase letters (CR41295)
In the Authentication profile for SSL client certificate LDAP authentication, you must use only lowercase letters in the name of the profile. The system does not recognize uppercase letters in this instance.
Obsolete MGMT route left in file after upgrade disables communications with peer (CR41382, CR42218)
When you upgrade to version 9.0.2, and apply an existing configuration (in a config.ucs file), if the rolled-forward configuration contains a MGMT route in the 192.168.*.* network, you must delete the route entry before the system can communicate with its peer.
Using a USB CD-ROM drive for software installation (CR41543)
When you use a USB CD-ROM drive to install the BIG-IP software, you are not prompted to remove the CD-ROM after the installation has finished. Note that you should remove the installation CD-ROM before you reboot the system.
SNMP OID ltmVirtualServPool and reporting pool names (CR41587)
A query of the ltmVirtualServPool OID never returns any data despite having pools associated with a virtual server through a rule.
Time zone inconsistency between system time and log files in the Configuration utility (CR41639)
Currently there is an inconsistency between the system time and the time displayed on the log file entries in the Configuration utility. The log file entries in the Configuration utility do not reflect the system's time. You can view the log files from the command line to see the correct time stamp on the log file entries.
Remote upgrades on version 4.5.X software (CR42160)
If you are performing a remote upgrade to version 9.0.2 on version 4.5.X software, you must use the HTTP protocol to transfer the upgrade files. The NFS protocol is not supported at this time.
Virtual server with Client SSL profile using SSLv2 and ALL ciphers does not complete SSLv2 connection (CR42211)
If you configure a virtual server which references a Client SSL profile that uses the ciphers SSLv2 and ALL, the SSLv2 connections for the virtual server never complete.
Creating an external data group may default to string type (CR42249)
If you do not specify a file path when you create an external data group, the system overrides the type setting and generates the data group as a string type.
Deleting external data groups and errors in the Configuration utility (CR42252)
In the Configuration utility, when you delete an external data group, the Configuration utility returns you to the iRules List screen instead of to the Data Group List screen.
Using the HTTP::release option in an iRule and system errors (CR42306)
If you use the HTTP::release option in an iRule, and you do not use the corresponding HTTP::collect option, you may cause the system to become unstable.
Configuration utility: case sensitivity in iRule names (CR42312)
In the Configuration utility, the names of iRules are not case-sensitive. If you create two iRules whose names are identical except for the case, the system overwrites the first rule with the second rule. To avoid this issue, use unique names for any iRules that you create.
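A pre-change check for the two iRule issues above (CR42306 and CR42312), as an added example that is not F5 tooling. It assumes iRules appear in the configuration text as top-level `rule <name> { ... }` blocks; the sample configuration and rule names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample. The "rule <name> { ... }" layout is an assumption
# about how the iRules are stored; adjust the pattern to your file.
SAMPLE_CONF = '''
rule Redirect_Login {
   when HTTP_REQUEST {
      HTTP::collect 512
   }
   when HTTP_REQUEST_DATA {
      HTTP::release
   }
}
rule redirect_login {
   when HTTP_REQUEST {
      log local0. "second definition"
   }
}
rule release_only {
   when HTTP_REQUEST {
      # HTTP::collect was removed during an edit
      HTTP::release
   }
}
'''


def extract_rules(conf):
    """Return [(name, body)] for each top-level 'rule <name> {' block.

    Braces are counted naively, so braces inside strings or comments
    would confuse it; good enough for a first-pass audit.
    """
    rules = []
    for m in re.finditer(r'^rule\s+(\S+)\s*\{', conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        rules.append((m.group(1), conf[m.end():i - 1]))
    return rules


def strip_comments(body):
    """Drop whole-line Tcl comments so commented-out commands do not count."""
    return "\n".join(line for line in body.splitlines()
                     if not line.lstrip().startswith("#"))


def lint(conf):
    """Flag HTTP::release without HTTP::collect, and case-only name clashes."""
    findings = []
    by_folded = defaultdict(list)
    for name, body in extract_rules(conf):
        by_folded[name.lower()].append(name)
        code = strip_comments(body)
        if "HTTP::release" in code and "HTTP::collect" not in code:
            findings.append(("CR42306", name))
    for names in by_folded.values():
        if len(set(names)) > 1:
            findings.append(("CR42312", tuple(sorted(names))))
    return sorted(findings)


if __name__ == "__main__":
    for issue, detail in lint(SAMPLE_CONF):
        print(issue, detail)
```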
IM package upgrades and the /SLOT file (CR42331)
When you update your software to version 9.0.2 using the IM package upgrade, the upgrade does not create the /SLOT file for the slots on the system.
Changes in US and Canada Daylight Saving Time (CR58315)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.