Applies To:

Show Versions Show Versions

Release Note: BIG-IP LTM version 9.0.5
Release Note

Software Release Date: 03/24/2005
Updated Date: 12/11/2013

Summary:

This release note documents the version 9.0.5 feature release of BIG-IP® Local Traffic Manager and Load Balancer Limited. To review the features introduced in this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running BIG-IP version 4.5 PTF-04 through version 4.5.11, and to systems running version 9.0 and later. (Note that you cannot apply this upgrade to systems running BIG-IP version 4.6 software.) For information about installing the upgrade, please refer to Installing the software.
Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.

Contents:

- Supported browsers
- Supported platforms
- Installing the software
- Verifying the MD5 checksum of the upgrade file
     - Verifying the BIG-IP software installation
     - Re-activating the license on the BIG-IP system
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Optional configuration changes
     - Understanding the Fast HTTP profile
     - Using the Scripted monitor
     - Configuring the LDAP monitor
     - Configuring the WAP monitor
     - Using SNMP read/write OIDs
     - New SNMP OIDs
     - Compiling the real_server monitor plug-in for UNIX and Linux systems
     - Configuring slow ramp time for a pool
     - Using the switchboot utility
- Known issues
- Acknowledgments


Supported browsers

The Configuration utility (graphical user interface) supports the following browsers:

  • Microsoft® Internet ExplorerTM, version 6.X and later
  • Netscape® NavigatorTM, version 7.1, and other browsers built on the same engine, such as MozillaTM, FirefoxTM, and CaminoTM.

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

[ Top ]

Supported platforms

This release applies only to the supported platforms listed below; each one provides all minimum system requirements. This release supports the following platforms:

  • BIG-IP 1000 (D39)
  • BIG-IP 2400 (D44)
  • BIG-IP 5100 and 5110 (D51)
  • BIG-IP 1500 (C36)
  • BIG-IP 3400 (C62)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)

If you are unsure of which platform you have, look at the sticker on the back of the chassis to find the platform number.

[ Top ]

Installing the software

Warning: If you have installed or upgraded to version 9.0.5, do not install or upgrade the system to version 9.0.5-a. This may render the system inoperative.

Important: You must perform the installation through the management interface (MGMT) on the BIG-IP system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.

There are several installation options to consider before you begin the version 9.0.5 software installation.

Important: You are prompted to install the software on multiple slots if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), and BIG-IP 6400 (D63) platforms support this functionality. The IM upgrade does not add the multiple boot functionality. If you want this functionality on a supported platform, you must choose another installation method.

To install the version 9.0.5 upgrade on a platform with a CompactFlash® card
This procedure describes how to use an IM package to upgrade a BIG-IP platform that contains a CompactFlash®. The BIG-IP platforms that contain a CompactFlash® card are:
 

  • BIG-IP 1000 (D39)
  • BIG-IP 2400 (D44)
  • BIG-IP 5100 and 5110 (D51)
  1. Log on as root to the system to be upgraded.
     
  2. Save the current running configuration by typing the following command:
    bigpipe config save backup_upgrade
     
  3. Stop all the system daemons by typing the following command:
    bigstart shutdown
     
  4. Create a temporary read-only memory file system (RAMFS) directory, using the following command:
    mkdir /var/ramfs
     
  5. Mount the file system by typing the following command:
    mount -t ramfs none /var/ramfs
     
  6. Change to the /var/ramfs directory by typing the following command:
    cd /var/ramfs

     

  7. Go to Downloads site and locate the BIG-IP 9.0.5 upgrade file, Upgrade9.x-to-9.0.5.59.7-a.im.

     

  8. Download the software image.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  9. Install this upgrade by typing the following command:
    im /var/ramfs/Upgrade9.x-to-9.0.5.59.7-a.im

    Note:  The upgrade quits if you did not save the configuration. If the upgrade quits, and you want to create a new backup, you must reboot the system and restart the upgrade process. If the backup UCS found on the system is older than two hours, you are warned to create a new one. However, you can continue.

  10. Once the upgrade installation is complete, the system reboots. Rebooting the system finalizes the upgrade, and removes both the RAM file system and the upgrade package.

Note: You may see messages about clearing orphaned inodes during the upgrade process. These messages are benign.

Note: You may see messages about saving the configuration during the upgrade process. These messages are benign. See the known issue for CR44854 for more information.

To install the version 9.0.5 IM upgrade on a platform with a hard drive
This procedure describes how to use an IM package to upgrade a BIG-IP platform that contains a hard drive. The BIG-IP platforms that contain a hard drive are:
 

  • BIG-IP 1500 (C36)
  • BIG-IP 3400 (C62)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)

If you previously installed a version of the software that supports multiple boot functionality, this upgrade method supports the multiple boot configuration. If you are installing this IM upgrade on a system that does not support multiple boot functionality, such as version 9.0 and 9.0.1, the IM upgrade does not add this functionality. To add multiple boot functionality, you must perform a PXE install of the software. For more information about performing a clean install of the version 9.0.5 software, see Performing a clean installation of BIG-IP version 9.0.5 .

  1. Log on as root to the system to be upgraded.
     
  2. Save the current running configuration by typing the following command:
    bigpipe config save backup_upgrade
     
  3. Change to the /var/tmp directory by typing the following command:
    cd /var/tmp
     
  4. Go to Downloads site and locate the BIG-IP 9.0.5 upgrade file, Upgrade9.x-to-9.0.5.59.7-a.im.

     

  5. Download the software image.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  6. Stop all the system daemons by typing the following command:
    bigstart shutdown
     
  7. Install this upgrade by typing the following command:
    im /var/tmp/Upgrade9.x-to-9.0.5.59.7-a.im

    Note:The upgrade quits if you did not save the configuration. If the upgrade quits, and you want to create a new backup, you must reboot the system and restart the upgrade process. If the backup UCS found on the system is older than two hours, you are warned to create a new one. However, you can continue.

  8. Once the upgrade installation is complete, the system reboots. Rebooting the system finalizes the upgrade, and removes both the RAM file system and the upgrade package.

Note: You may see messages about clearing orphaned inodes during the upgrade process. These messages are benign.

Note: You may see messages about saving the configuration during the upgrade process. These messages are benign. See the known issue for CR44854 for more information.

[ Top ]

Verifying the MD5 checksum of the upgrade file

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the upgrade file. This verifies that you have downloaded a good copy of the upgrade file. To run the test, type the following command, where Upgrade9.x.im is the name of the upgrade file you downloaded.

md5sum Upgrade9.x.im

Check the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.

Verifying the BIG-IP software installation

After you complete the installation of the software, you can verify the the installation using the RPM database. For more information, type man rpm to view the RPM man page. Use the verify options to verify the installation.

[ Top ]

Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab, expand System and click License.
    The License screen opens.
     
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.
    For details about each screen, click the Help tab.
[ Top ]

New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

Configuring encrypted remote logging
This version of the BIG-IP software includes a new version of system logging software named syslog-ng. You can configure syslog-ng to send BIG-IP system log information to a remote logging host using an encrypted network connection. To implement this configuration, refer to Configuring Encrypted Remote Logging. To activate this feature, you must re-activate the software license on the BIG-IP system. To re-activate the license on the system, see Re-activating the license on the BIG-IP system.

Understanding RAM Caching
The RAM Cache feature is now available in the BIG-IP system. This feature is available as a module that you can purchase for the BIG-IP System. A RAM cache is a cache of HTTP objects stored in the BIG-IP system's RAM that are reused by subsequent connections to reduce the amount of load on the back-end servers. To implement this configuration, please refer to Understanding RAM Caching. To activate this feature, you must purchase a license key for the BIG-IP system. For more information about obtaining a license key, contact your F5 Networks Sales Representative.

SNMP MIB updates
This release includes SNMP OID updates related to new functionality. Refer to New SNMP OIDs added since the version 9.0 release .

Introducing the Application Accelerator product
This release includes a new product called the Application Accelerator. The Application Accelerator is designed to provide key features for accelerating application traffic at a lower price than the full BIG-IP version 9.0 system. For details about the features included in the Application Accelerator, see SOL4452: Overview of the BIG-IP Application Accelerator.

Fixes in this release

Loading monitors that get defaults from another monitor (CR46195)
Monitors that get their default values from a parent monitor now load the default values from the parent monitor correctly.

ICMP error messages from BIG-IP (CR46385)
An ICMP ECHO traceroute now works correctly through the BIG-IP system.

Serverssl session reuse (CR46391)
We have added Server SSL session reuse in this release.

big3d and SNMP probing (CR46403)
You can now use SNMP probing with the version of big3d on version 9.x.

Need to properly propagate MTU changes (CR46556)
The correct source address is set for ICMP packets destined for the host. If it is not destined for the host, the packet is dropped.

System can now perform Route Health Injection (RHI) (CR34067)
The system can now query the status of a virtual address. If the status is up, then the Advanced Routing Modules can advertise a route to the virtual address. Note that this functionality is available only if the Routing Modules bundle is licensed on your system.

Changing the system time zone in the Configuration utility and logging time stamps (CR41149)
When you change the time zone for the system on the System: General Properties screen, the log file entries now reflect the updated time immediately.

SSL client certificate LDAP authentication and using uppercase letters (CR41295)
In the Authentication profile for SSL client certificate LDAP authentication, the name of the profile is no longer case-sensitive.

Excessive Config Sync peer updated log messages (CR42332)
If you enable the Audit log options, and you have a redundant system, the system no longer generates an excessive amount of log messages related to the Config Sync process.

Configuration utility: Displaying virtual servers that use port 32768 or higher (CR42343)
The Configuration utility can now display virtual servers configured to listen on port 32768 or higher.

 

Explaining the :: notation (CR42431)
The online help for the redundancy settings has been updated to explain that the :: notation represents the IPv6 shorthand for all IP addresses. If you are configuring a redundant system, you must remove the ::, and replace it with a valid IP address.

MSRDP persistence for session directories bypasses load-balancing (CR42851)
The system now properly load balances session directory MSRDP persistence connections.

Using the tcpdump utility and VLANs with trunks (CR42908)
The tcpdump utility now properly reports traffic when you run the utility on a VLAN that has a trunk configured.

The bigpipe route command and self IP link routes (CR42981)
The b route <self_ip address> show command now displays the route for the self IP address, and you no longer see an Object not found error.

Remote authentication and the admin, root, and support users(CR43065)
We have restricted the admin, root, and support user accounts to have local authentication permissions only. You can no longer use these accounts over a remote connection.

Configuration utility: SSL Certificates screens (CR43155)
We have redesigned the SSL Certificates screens to make it easier to import and update SSL certificates.

Archiving SSL keys and certificates (CR43166)
When you are creating an archive (.tgz) file for SSL keys and certificates, if you do not type a name for the archive file, the system now generates an error .

Adding users from the command line (CR43250)
We have added the f5adduser command, which you can use to add users to the configuration from the command line. Previously, you could add users only using the Configuration utility.

Creating a read-only external data group (class) (CR43305)
You now can create an external data group (class) that has read-only access permissions.

Disabled interface continues to pass traffic (CR43355)
Disabled interfaces no longer pass traffic.

Using certain illegal characters in certificate names (CR43365)
When you create an SSL certificate, you can use certain special characters, and are warned when you use an illegal character. The system now warns you when you try to use an open or close parenthesis character ( or ), which are illegal characters. Previously, the system did not generate a warning for these particular characters.

The radvd utility and VLAN names with underscores and dashes (CR43654)
You can now specify VLAN names that contain underscores or dashes in the route advertisement (radvd) utility.

The bigpipe persist show command and the MSRDP persistence type (CR43699)
When you use the b persist show command to view persistent connections, the command now correctly lists the msrdp persistence type as uie.

Using IPv6 addresses and running ConfigSync (CR43832)
Config Sync now supports IPv6 addresses for ConfigSync communications.

SNMP UDP packets that arrive on the management port exit through a self IP on the system (CR43869)
We have corrected underlying architecture issues that prevented SNMP UDP packets from returning to the correct requesting address.

Authenticating the system (CR43891)
When the system is in the authentication phase, it no longer creates an erroneous PAM sym link, which was causing the system to effectively prevent all user access.

Gateway ICMP monitor and transparency setting (CR44039)
The Gateway ICMP monitor now has a transparency setting. Enable this setting when you are monitoring objects through a firewall.

Upgrading a version 9.0.2 configuration with priority groups to version 9.0.5 (CR44058)
The version 9.0.5 now supports upgrading configurations containing priority groups without adding the min up members enable setting. Previously this setting was required when upgrading from version 9.0.2 to version 9.0.3 or version 9.0.4.

System error on standby unit during a mirrored telnet session (CR44119)
The standby unit in a redundant system no longer experiences fatal system errors when the system is using a mirrored Telnet session.

Upgrading with an IM upgrade package and statistics on platforms with CompactFlash® drives only (CR44194) The location for the statsd utility backup data files changed in version 9.0.3. When you upgrade the system from version 9.0.2 to version 9.0.5 using the IM upgrade process, the system no longer generates error logs and the statistics in the Configuration utility no longer become unusable. This happened on platforms that contain a CompactFlash® drive only (no disk drive).

The bigstart add ntpd command and starting the ntpd utility (CR44221)
When you run the bigstart add ntpd command, the system now correctly starts the ntpd utility at system start time.

Online help for Interface Mirroring screen (CR44492)
In the Configuration utility, the Interfaces > Interface Mirroring screen now has online help available.

Terminating connections after an error is received (CR44704)
The system now correctly continues to reap expired connections even when it receives an error when terminating an individual flow.

Persistent TCP connections now handled properly (CR44792)
The system no longer attempts to send ACKs for existing persistent connections.

The big3d agent and corrupting translated addresses (CR44804)
3-DNS Controllers running version 4.X software no longer report an incorrect status for the virtual servers on a BIG-IP Local Traffic Manager version 9.X. This issue occurred because the big3d agent on the 3-DNS Controller was mishandling translated addresses from the BIG-IP system.

The big3d agent and gateway status probes (CR44805)
The big3d agent on 3-DNS Controllers running version 4.X software no longer changes gateway status probes into gateway probes.

Advertising CA list for acceptable client certificates (CR44834)
The system now properly advertises the certificate authority (CA) list, in the clientcertca file, for acceptable client certificates.

No valid configuration to save error messages during IM upgrade process (CR44854)
When you upgrade the software using the IM package, the system no longer generates the following error message:
BIGpipe: 010a0033:3: There is no valid configuration to save.

Key files that contain corrupt data and system errors (CR44916)
The system no longer experiences fatal errors if it tries to process key files that contain invalid or corrupt data.

Configuration utility and transparency for the gateway ICMP monitor (CR44956)
In the Configuration utility, the gateway ICMP monitor now includes a transparency setting. Use this setting when you are configuring communications through a firewall.

HTTP profiles and early server CLOSE packets (CR45004)
The system now properly sends HTTP headers to the client if the server closes the connection before it sends any of the HTTP payload.

TMM and bcm56xxd daemon and passing large amounts of traffic (CR45043)
Passing large amounts of traffic while running ssldump no longer causes the TMM and bcm56xxd daemon to restart.

VLAN names of 16 characters are truncated on the host side to 15 characters (CR45062)
The system host no longer truncates 16-character VLAN names to 15 characters.

Existing ICMP flow accepts the wrong identifier (CR45072)
The system now correctly maps ICMP flow identifiers to the right ICMP flow. It was previously mapping the identifiers to incorrect flows, which was causing ICMP pings to drop inappropriately.

SNMP and administrative address in traps (CR45182)
When the system sends an SNMP trap, it now configures the administrative address as a local host address.

Gateway pool members and overlapping routes (CR45213)
The system now properly checks for pools that contain members that use an address which is also the default route for the pool. This is not a valid configuration, and the system now rejects the configuration.

Extra CR/LF in HTTP response caused connection to terminate (CR45215)
When an HTTP response contains an extra carriage return/line feed (CR/LF), the system no longer erroneously terminates the connection.

Creating a wildcard IPv6 virtual server prevents creation of other virtual servers (CR45226)
Creating a wildcard IPv6 virtual server (any6:any) no longer prevents you from creating additional virtual servers.

Enhancements to SNATs and NATs (CR45279, 45345)
We have made several enhancements and fixes to NATs and SNATs, as follows:

  • NATs are no longer timing out, and the system no longer tracks the TCP state for NATs. This ensures that NATs are now stateless.
  • SNATs are no longer using the incorrect idle timeout if you have configured an idle timeout that is longer than the default 300 seconds.
  • On a pool, if you disable the Use NAT option, this action no longer disables the Use SNAT option, too.

 

Misleading error messages on 4.X 3-DNS Controllers managing 9.X systems (CR45293)
We have fixed a timing error that was generating the following error messages in the /var/log/3dns directory on 4.X 3-DNS Controllers that have 9.X systems in the configuration:

3dnsd: CFG:host_vs_put: could not find vs object
3dnsd: CFG:checkResources: Insufficient prober resources at <ip_address>. Can not dynamically increase the factory count as the maximum of 255 has been reached.:iqmaster.c:186

IPv4 default routes from ZebOS (CR45294)
The routing process now correctly handles IPv4 default routes generated by the Advanced Routing Modules (ZebOS).

WAP monitor and acceptable input for < RECEIVE string (CR45361)
The WAP monitor no longer erroneously accepts stderr data from the fakewap utility as input for an < RECEIVE string.

WAP monitor and upgraded fakewap utility (CR45362)
The fakewap utility, from kannel.org, has been upgraded to the gateway-1.4.0 version.

Slow ramp time and the Ratio load balancing mode (CR45531, CR45539)
The slow ramp time setting now works correctly when you are using the Ratio load balancing mode.

Cookie persistence not updated when load-balanced to a new node (CR45628)
The system now correctly updates the cookie persistence entry when the connection is directed to a new node.

Modifying an iRule referenced by a profile and fatal system errors (CR45681)
When you modify an iRule that is referenced by a profile, the system no longer experiences fatal errors.

SACK segments and the TCP stack (CR45686)
The BIG-IP system TCP stack now handles corrupt SACK packets correctly.

Monitors enabled on specific VLANs and reporting incorrect node status (CR45710)
When you enable a monitor on a specific VLAN, the system no longer reports the incorrect node status. Additionally, the monitor traffic is now properly restricted to the VLAN that you select.

Forwarding virtual server and the Packet Velocity ASIC (CR45806)
The Packet Velocity ASIC no longer restarts continuously when you have a forwarding virtual server configured.

Saving UCS files and excluding private keys (CR45854)
We have added a new command, bigpipe config support save <file_name>, which you can use to save a UCS configuration file that does not contain your system's private keys. This command is best used when you need to send a configuration file to Technical Support. Note that because this command removes the private keys, you cannot restore a UCS file created with this command. Use the bigpipe config save command if you need to create a UCS file that will be restored at some point.

Proxy ARP and overriding the ethernet frame source address (CR45909)
We have added a new bigdb variable, Arp.ProxyArpUsesSelfMac, that causes all proxied ARP packets to have the ethernet frame source address rewritten with the egress MAC address of the VLAN. The default setting for this variable is disabled. If you enable the new variable, this resolves an issue with using VRRP/HSRP in a VLAN group configuration, where a multicast ARP sender hardware address would otherwise be used as the Ethernet frame source address and be blocked by the switch.

Launching a process or sending an email with log messages (CR43698)
Added the ability to launch a process or send a log message in an email. To create a configuration that launches an email, you must configure the /etc/syslog-ng/syslog-ng.conf file. This configuration file contains the following settings.

  • filter
    The filter section of the configuration file matches the log messages that have a priority level of debug.

  • destination
    The destination section executes /usr/sbin/log2mail (a binary supplied by F5 Networks) by passing it the email address you want to use as the destination for the log messages.

  • log
    The log section of the configuration file simply combines the configuration parameters together.

This is an example of a configuration in the /etc/syslog-ng/syslog-ng.conf file. Type the destination email address for <your e-mail address>.

filter f_maildebug {
   level(debug);
};
destination d_maillog {
   program("/usr/sbin/log2mail <your e-mail address>");
};
log {
   source(local);
   filter(f_maildebug);
   destination(d_maillog);
};

[ Top ]

Features and fixes from previous releases

The current release includes the features and fixes that were distributed in prior releases, as listed below. (Prior releases are listed with the most recent first.)

Version 9.0.4

Configuring the BIG-IP system to respond to ARPs from multicast MAC addresses
In certain cases, the BIG-IP system ignores ARP requests from certain firewalls. When configured as a cluster, some firewalls use a multicast MAC address as their source address. The BIG-IP system does not answer ARP requests from multicast MAC addresses. A new feature in this release provides the ability to configure the BIG-IP system to answer ARPs with multicast source addresses. To enable this feature, set the following bigdb key:

bigpipe db TM.AllowEthernetSourceType unicast-multicast

UDP datagram by datagram load balancing (CR40787)
Normally, the BIG-IP system treats UDP packets coming from the same IP address and port as part of a connection and sends those packets to the same node as long as the connection lives. In some cases, it is preferable to ensure packet-by-packet UDP load balancing.

You can now configure the BIG-IP system to accept these packets. To configure this feature and enable the feature, add the parameter datagram lb enable to the UDP Profile.

 

To configure datagram by datagram load balancing

  1. On the Main tab, expand Local Traffic.
     
  2. Click Profiles.
    The Profiles screen opens.
     
  3. Click the UDP profile you want to configure.
     
  4. For Datagram LB, click a check in the box.
     
  5. Click Finished.

SSL version 2 connections to Virtual Servers with clientssl profiles (CR42211)
SSL virtual servers with Client SSL profiles now accept SSL version 2 connections.

iRules: HTTP::release command (CR42306)
iRules that use the HTTP::release command no longer destabilize the BIG-IP system.

iRules: x509::cert_fields and segmentation faults (CR42500)
We have corrected a problem that destabilized the BIG-IP system when an HTTP header was inserted using the X509::cert_fields command.

iRules: payload replace commands and binary data (CR42507)
The payload replace command now accepts typical binary values. In previous releases, this command only accepted small binary values.

IPv6 connection mirroring and the HTTP profile (CR42551)
The BIG-IP system can now mirror IPv6 connections successfully when using TCP or HTTP profiles.

Virtual Servers configured with OneConnect and SSL profiles (CR42946)
OneConnect can now handle SSL connections correctly.

Memory leak in HTTP profile when HTTP requests are rejected for exceeding the configured Maximum Header Size value (CR42967)
We have corrected a problem that caused memory utilization on the BIG-IP system to increase consistently under high HTTP traffic load when the header size exceeded the configured Maximum Header Size.

IP fragmentation handling and TMM stability (CR42979)
The system no longer becomes unstable when IP fragmentation is necessary, such as when handling large UDP packets, or when there is an MTU mismatch between client and server networks.

HTTP Pipelining between two pools may cause TMM to become unstable (CR43000)
The TMM no longer becomes unstable when a rule attempts to change the pool to which it is sending a pipelined HTTP request.

Data beyond a single request or use of a fallback host in an iRule and system stability (CR43780)
The fallback host now functions correctly.

Insufficient user space memory may cause lack of response from programs other than TMM (CR43812, CR43825, CR44092)
Sufficient memory is now allocated for user space programs.

Compression and truncated packets (CR44037)
We have corrected a problem where compression was truncating packets causing the system to resend the packets. The correct packets were resent, however, system performance was impacted.

Compression and CPU usage (CR44042)
The system no longer drops packets when compression is enabled and it is handling a high traffic load.

Error messages when a node responds to a POST before data transfer is completed (CR44110, CR44128)
The system no longer generates an error in the following situation:

  1. A client sends a POST or a PUT.
  2. The server replies before the client transmits the declared content length.
  3. The client closes the connection.
  4. The BIG-IP sees the FIN from the client, it resets the connection.

The iRule COMPRESS:: commands (CR44116)
The COMPRESS:: commands now work properly.

The HTTP::header remove command (CR44134)
The HTTP::header remove command now removes all instances of the specified header.

BIG-IP system and partial acknowledgements(CR44149)
We have corrected a problem where an incorrect response by the BIG-IP system caused large data transfers to fail.

Client window scaling and slow connections (CR44159)
The BIG-IP system no longer ignores client window scaling.

HTTP::respond rules may cause a crash when OneConnect transformations are disabled (CR44161)
The HTTP::respond rule now functions correctly with OneConnect transformations disabled

TCP keep-alive probes may not be passed to the client (CR44178)
TCP keep-alives now time out properly.

Packet length and selective acknowledgements (CR44330)
The selective acknowledgement feature now handles packet lengths correctly.

The IPv6 routing table and health checks (CR42666)
The IPv6 destination route cache is now managed properly.

Certain mis-formatted HTTP packets (CR44669)
We have corrected a problem where certain types of mis-formatted HTTP packets caused the TMM the system to become unstable.

Version 9.0.3

Using the Fast HTTP profile(CR41444)
The features provided in the Fast HTTP profile are designed to speed up certain types of HTTP connections. This profile provides the ability to tune these connections for the best possible network performance. When you use this profile with a virtual server, the virtual server processes traffic packet-by-packet and at a significantly higher speed. For more information about the Fast HTTP profile, see Understanding the Fast HTTP profile.

Configuring the FIPS hardware security module (CR40827)
A FIPS hardware security module (HSM) is available for creating and maintaining secure keys for SSL transactions. Currently, the FIPS HSM is available in the BIG-IP 6400 platform. For more information about configuring the FIPS HSM, refer to Configuring and Maintaining a FIPS Security Domain .

Using the Scripted monitor (CR42585)
The Scripted monitor provides the ability to write a simple script to monitor a server in the network. The Scripted monitor opens a TCP socket and from the file you specify by the filename parameter, reads send lines to be sent over the socket and expect lines to be expected from the socket. To activate this feature, you must re-activate the software license on the BIG-IP system. To re-activate the license on the system, see Re-activating the license on the BIG-IP system. For details about using this monitor, see Using the Scripted monitor.

LDAP monitor enhancements
The LDAP monitor contains a new option Mandatory Attributes. This option causes the LDAP monitor to behave differently if the value is yes or no. It is also important to note that this monitor no longer requires an entry in /etc/hosts for the LDAP servers. For details about using this monitor, see Configuring the LDAP monitor.

Using the WAP monitor (CR34093)
The WAP monitor is a health monitor for Wireless Application Protocol servers. This monitor provides the ability to check the status of a WAP server by checking for various types of information. To re-activate the license on the system, see Re-activating the license on the BIG-IP system. For details about using this monitor, see Configuring the WAP monitor.

SNMP: Read/Write SNMP OIDs for enabling and disabling the state of objects (CR42845)
With this release, you can now use SNMP to enable or disable the state of nodes, virtual servers, virtual addresses, and pool members. This provides the ability to use SNMP for certain management functions. For details about using the read/write SNMP OIDs, see Using SNMP read/write OIDs.

SNMP: MIB updates (CR41457, CR42698, CR43036)
This release includes SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

Version 9.0.3 fixes

The tcpdump utility and viewing MGMT interface traffic (CR33009)
The tcpdump utility now accepts the mgmt argument if you want to view the traffic on the MGMT interface.

CPU performance graph and displaying data on unit with single processor (CR37236)
If you have a platform that has only one processor (CPU) in it, the CPU usage graph, on the Overview > Performance screen displays the CPU usage of all processes.

Log messages on a pre-licensed system (CR39523)
Before a system is licensed, you no longer see excessive warning log messages for features that are not yet available.

Running configuration synchronization between units with different time settings (CR39562)
The configuration synchronization process now verifies the time on the peer unit before attempting to run. If the time difference is greater than 600 seconds, the process stops, and you need to synchronize the times before continuing.

Configuring port mirroring and debug messages on the console (CR39711)
When you configure port mirroring for an interface using the Configuration utility, you no longer see debug messages on the console.

Configuring monitors for wildcard virtual servers (CR39808)
Monitors with a default port of * (any), when paired with a pool member with a destination port of *, now properly use the default port for the particular monitor/service type.

SNMP and multi-word community strings (CR39871)
Creating access records with multi-word community strings corrupts the snmpd.conf file. To avoid this problem, limit community strings to a single word.

Using the Server SSL profile and RSA keys larger than 2048 bits (CR39886)
If your configuration meets all of the following conditions, the system no longer resets server-side connections during the handshake operation:

  • The configuration contains a virtual server whose resource members are servers with RSA keys larger than 2048 bits.
  • The virtual server has a Server SSL profile associated with it.
  • In the Server SSL profile, the Server Certificate authentication option is set to ignore.

 

Link down on standby functionality (CR39902)
The failover link down on standby functionality is implemented in this release.

OTCU: Detecting gigabit fiber port media settings (CR39914)
The OTCU now properly detects the media settings for gigabit fiber ports.

HTTPS monitor no longer fails with EDH cipher (CR40629)
The HTTPS monitor now works properly with the EDH cipher.

The bigpipe utility and cipher names with hyphens (CR40661)
The bigpipe utility now properly recognizes cipher names that contain hyphens, for example, AES128-SHA.

Deleting virtual servers and virtual addresses in the Configuration utility (CR40944)
In the Configuration utility, when you modify a property on a virtual address (change it from the default), and then delete the virtual server with which the virtual address is associated, the system now properly removes the virtual address also.

Changing the system's time zone in the Configuration utility and logging time stamps (CR41149)
When you change the time zone for the system on the System: General Properties screen, the log file entries now properly reflect the updated time.

Obsolete MGMT route and upgrades (CR41382, CR42218)
When you upgrade to version 9.0.3, and apply an existing configuration (in a config.ucs file), if the rolled-forward configuration contains a MGMT route in the 192.168.*.* network, the system now properly deletes the route entry.

Using a USB CD-ROM drive for software installation (CR41543)
When you use a USB CD-ROM drive to install the BIG-IP software, you are now prompted to remove the CD-ROM after the installation has finished.

Cookie hash values are now properly stored in the persistence tables (CR41681)
When you use the Cookie Hash method for Cookie persistence, the system now correctly stores the persist values.

Virtual server with Client SSL profile using SSLv2 and ALL ciphers (CR42211)
If you configure a virtual server that references a Client SSL profile which uses the ciphers SSLv2 and ALL, the SSLv2 connections for the virtual server now complete properly.

Creating an external data group and data group type (CR42249)
If you do not specify a file path when you create an external data group, the system no longer overrides the type setting.

Deleting external data groups and errors in the Configuration utility (CR42252)
In the Configuration utility, when you delete an external data group, the Configuration utility now properly returns you to the Data Group List screen.

Using the HTTP::release option in an iRule and system errors (CR42306)
If you use the HTTP::release option in an iRule, and you do not use the corresponding HTTP::collect option, the system no longer becomes unstable.

IM package upgrades and the /SLOT file (CR42331)
When you update your software to version 9.0.3 using the IM package upgrade, the upgrade now creates the /SLOT file for the slots on the system.

Routing on the management interface (CR 42381)
We have corrected a problem with chmand. Chmand should now handle IPv4 routing correctly for the management interface.

MSRDP hash values are now properly stored in the persistence tables (CR42822)
When you enable Microsoft Remote Desktop Protocol persistence, the system now correctly stores the persist values.

Upgrading to version 9.0.3 and name changes to MSRDP persistence profile attribute (CR42972)
The msrdp no session dir <enable | disable> attribute has been renamed to msrdp session directory <enable | disable>. When you upgrade to version 9.0.3 from version 9.0 through 9.0.2, and you roll forward a UCS file that contains an MSRDP persistence profile, the system automatically converts the session directory attribute to the new format.

Upgrading to version 9.0.3 and rolling forward UCS files with SSL iRules (CR43252)
When you upgrade to version 9.0.3 from version 9.0 through 9.0.2, and you roll forward a UCS file that contains one or more SSL iRules, the system no longer generates rule parsing syntax errors.

Upgrading to version 9.0.3 and new configuration requirements for cookie persistence profile (CR43253)
When you upgrade to version 9.0.3, the system now requires that, in a cookie persistence profile, the persistence mode must be cookie hash if the persist mirroring setting is enabled. When you roll forward a UCS file that contains a cookie persistence profile, the system automatically disables the persist mirror setting if the mode is not cookie hash.

Excessive logging for SNAT ANY-IP denials (CR43257)
The system no longer generates excessive log entries for routine ICMP pings when you have SNAT ANY-IP configured.

Log file rotation for the tomcat utility (CR43266)
The system now properly performs log file rotation for the tomcat utility. For the log rotation to function correctly, the tomcat utility restarts every 24 hours.

Data group string classes no longer limited to a 64-character length (CR43414)
If you use the Configuration utility to add a string class to a data group, the string value is no longer truncated to a 64-character string.

Persistence tables are now mirrored properly for sticky persistence (CR43423)
We fixed an issue where persistence tables for a destination address affinity persistence (or sticky persistence) may not mirror properly in a failover.

HTTP profile now supports certain unrecognized HTTP methods (CR43477)
Previously, the HTTP profile did not support the unrecognized http method "SEARCH" to post XML to an Exchange server. The HTTP profile now supports these and other unrecognized HTTP methods that contain Content-Length or Transfer-Encoding headers.

The TCP::notify response command no longer causes a system crash (CR43585)
We corrected an issue where the system did not process the TCP::notify response command correctly and caused a system crash.

The Least Connections (node) load balancing method is fixed (CR43644)
Previously when you selected Least Connections (node) for your load balancing method, this method did not work properly. We corrected this issue so that the Least Connections (node) load balancing works properly.

SSL cipher selection errors (CR43658)
Previously, the system improperly handled SSLv2 cipher suite descriptors, which caused conflicts with Microsoft PCT extended option encodings and other SSLv2 applications. We corrected the issue to resolve these conflicts.

Version 9.0.2

Multiple boot installations (CR40912)
The version 9.0.2 release includes a new multiple boot capability. With this release, you can now install the software on multiple disk slots in the system. A slot is a portion of a drive with adequate space required for an installation. If the hardware supports multiple slots, you are prompted to install the software on multiple slots during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), and BIG-IP 6400 (D63) platforms support this functionality. There are several benefits of running a system with a multiple slot installation.

  • The ability to select a different version of the software during boot time from the boot menu.
  • The ability to install a new version of the software on a slot without losing a previous installation on a different slot.
  • The ability to revert back to an old installation without having to re-install, roll back, or lose new installations.

You can use this new feature if the unit contains a supported hardware configuration. more than one drive (for example, a CompactFlash® media drive and a hard disk drive), or a hard drive. After you have installed the software on multiple slots, you can change which slot boots when you start the system. For details about using this functionality, see Using the switchboot utility.

Important:  The IM upgrade does not add the multiple boot functionality. If you want this functionality on a supported platform, you must choose another installation method.

 

High availability: New Restart All action (CR40406)
This release includes a new option for high availability, Restart All. When you select this option for a high availability setting, the system restarts all system services, not just the affected service. For additional information, review the online help for the configuration options on the System >> High Availability screens.

Local traffic pools: New Slow Ramp Time option (CR40590)
When you take a pool member offline, and then bring it back online, the pool member can become overloaded with connection requests, depending on the load balancing mode for the pool. For example, if you use the Least Connections load balancing mode, the system sends all new connections to the newly-enabled pool member (because technically it has the least amount of connections). When you configure the Slow Ramp Time option, the system sends less traffic to the newly-enabled pool member. The amount of traffic is based on the ratio of how long the pool member has been available compared to the slow ramp time. Once the pool member has been online for a time greater than the slow ramp time, the pool member receives a full proportion of the incoming traffic. To configure the slow ramp time option, review Configuring slow ramp time for a pool, in the Optional configuration changes section of this release note.

User authentication method now configurable for SSL client certificate LDAP authentication (CR37259)
If you use SSL client certificate LDAP (SSL CC LDAP) authentication, you can now specify a UserClass object, for client authorization. Previously, you could not configure the UserClass object. The default setting is StrongAuthenticationUser.

New options for iRules (CR40241, CR41153)
The following options have been added to the iRules syntax.

Option Description
HTTP_REQUEST_SEND This server-side event gets raised just before a request is sent to the server.
IP::ttl This command reports the TTL for an inbound IPv4 or IPv6 packet.

 

SNMP MIB updates (CR40526, CR40571, CR40849, CR40893)
This release includes SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

 

HTTP profile: New Maximum Requests option (CR40859)
The HTTP profile now includes the Maximum Requests option. This setting specifies a maximum number of requests that can be made on a single keep-alive connection. When the limit is reached, the final response contains a Connection: close header, which closes the connection. The default behavior does not restrict the number of requests per connection.

Version 9.0.2 fixes

Both units in a redundant system remain in active mode after initial configuration (CR34060)
When you configure a redundant system, the first unit now goes into standby mode after you configure the second unit.

Modifying properties of a route (CR36732)
In the Configuration utility, you can now modify the properties of a route, in the Network section. For additional information, see the online help for the route properties screen.

ISO image/CD now includes the source for building the Real Monitor plug-in for UNIX and Linux systems (CR39359)
The version 9.0.2 ISO image now includes the source code for compiling the Real Monitor for RealServer 8.0 on Linux and UNIX systems. If you are load balancing to RealServer 8.0 servers, you need to compile the source so that you can use the real_server monitor. For additional information, see Compiling the real_server monitor plug-in for UNIX and Linux systems, in the Optional configuration changes section of this release note.

Error message when resetting iRules statistics in the Configuration utility (CR39580)
You no longer see the error message Statistics not implemented when you reset the iRules statistics from the Overview > Statistics > iRules screen.

License activation and system time (CR39659)
When you are activating a license, and the hardware clock time is more than 24 hours different than the time on the F5 Licensing server, the system now generates an error and redirects you to the License Keys screen. Re-type the registration keys and continue with the licensing process. The system regenerates the dossier with a current timestamp.

SNMP trap configuration (CR39782)
In the Configuration utility, on the SNMP > Traps > Configuration screen, changing the Device setting now works properly.

Setting active-active or active-standby mode on a redundant system (CR39829)
You no longer need to run the bigstart restart command to get the units in a redundant system into the correct mode.

OTCU: Converting node attributes (CR39842)
The One Time Conversion Utility (OTCU) now explicitly indicates that it does not convert the node attributes virtual or actual, if they are present in a 4.5.X configuration.

Changing failover peer IP address in the Configuration utility (CR39845)
In the Configuration utility, if you change the IP address for the failover peer (in a redundant system), the change now takes effect without additional configuration.

Clearing the Nokia SNMP alarm log (CR39901)
The snmpget command now properly clears the contents of the Nokia SNMP alarm log.

iRules: Setting renegotiation on SSL Client Certificate requirement (CR39918)
The SSL::cert mode require command now properly requires a client certificate for all URLs.

Running Config Sync or restoring a .ucs file and node monitors (CR39923)
When you run the Config Sync operation, or restore a *.ucs file, the system no longer resets all monitor instances for nodes.

Errors in the bigip.conf file and the pvad utility (CR39929)
When you edit the bigip.conf file by hand, and you introduce configuration errors, the pvad utility no longer generates a core file when you try to load the configuration.

Creating VLANs with no interfaces in the Configuration utility (CR40035)
In the Configuration utility, if you create a VLAN and you do not associate any interfaces with it, the system no longer generates a page error.

Resetting interface statistics (CR40059)
In the Configuration utility, if you reset the interface statistics, you no longer see an error message.

Deleting records from the dynamic ARP list in the Configuration utility (CR40073)
Using the Configuration utility to delete records from the dynamic ARP list no longer causes problems.

Manually adding a configuration item in the bigip.conf file and syntax errors (CR40206)
In the bigip.conf file, manually adding a configuration object in front of another object that the system cannot load no longer destabilizes the system.

Certificate chains in SSL (CR40580)
The system now processes intermediate certificates properly, when you have a certificate chain configured.

iRules log messages over 1024 characters (CR40560)
The system no longer experiences fatal errors when log messages for iRules contain more than 1024 characters.

iControl: Loading the SystemServer.so module (CR40684)
The iControl portal now loads the ITCMSystemServer.so module and the SystemServer.so module in the proper order, so that both modules are loaded correctly.

Adding self IP addresses without netmasks (CR40693)
When you add a self IP address, you must also add a netmask. Previously, you could add a self IP without a netmask, which generated errors.

Forcing the 1000baseFX media option for fiber gigabit ports (CR40706)
You can now force the system to use the 1000baseFX media setting for fiber gigabit ports, rather than having the system auto-negotiate the media setting. Note that this does not apply to copper gigabit ports.

BIG-IP version 9.0 examples in the iControl SDK (CR40830)
In the iControl SDK, the examples for BIG-IP version 9.0 now show the correct conversion for 64-bit counters.

Starting the radvd service and ppp0 interface error messages (CR40894)
If you are using the IPv6 module on the BIG-IP system, and you start the route advertising service (radvd) using the instructions in the following file, /etc/radvd.conf.example, you no longer see error messages regarding the ppp0 interface.

iControl: return response to IP addresses that contain all zeros (CR40974)
When an IPv4 or IPv6 address is composed of all zeros, iControl now returns returns 0.0.0.0 (IPv4) or 0:0:0:0:0:0:0:0 (IPv6), instead of none.

SSL hardware accelerator and processing obscure ciphers in OpenSSL (CR41056)
When OpenSSL is processing some obscure ciphers, it no longer causes the SSL hardware accelerator to stop functioning. This issue affected the following platforms: BIG-IP 1000, BIG-IP 2400, BIG-IP 5100, BIG-IP 5110.

Changing HTTP profile settings and updating the system (CR41118)
When you make changes to the HTTP profile settings, the system now properly updates all affected processes with those changes.

HTTP profile: Using Tcl expansion in header insert and fatal system errors (CR41119)
The system no longer experiences fatal errors if you define an HTTP profile with a header insert that uses Tcl expansion, and the expansion fails.

512-bit keys and the SSL hardware accelerator (CR41172)
The system now properly handles 512-bit keys on the following platforms: BIG-IP 1000, BIG-IP 2400, BIG-IP 5100, BIG-IP 5110.

Cookie headers with empty value and cookie parsing (CR41176)
If a Cookie header contains an empty value, cookie parsing no longer fails.

Advanced routing module service (zebosd) now starts by default (CR41329)
The system service that runs the advanced routing modules, zebosd, now starts automatically. Note that the advanced routing modules are available as an add-on feature, and are not part of the system by default.

snmp_dca monitor (CR41400)
The snmp_dca monitor now works properly.

Using multiple LDAP servers and modifying the PAM SSL Client Certificate LDAP Authentication module (CR41590)
If you specify multiple LDAP servers in the SSL Client Certificate LDAP Authentication PAM module, the system now properly manages the server entries.

iControl: Class::add_string_class_member on external read/write class (CR41703)
In the iControl API, if you use the Class::add_string_class_member method on an external read/write class, you now get the proper response instead of Operation Failed.

BGE driver and soft resetting due to transmitter failure error messages (CR42178)
We have corrected the issues that caused the BGE driver for the network interfaces to report the following error message: soft resetting due to transmitter failure.

X509::serial_number option in iRules and large serial numbers (CR42282)
When you use the X509::serial_number option in an iRule, the iRule no longer returns -1 for large serial numbers.

Version 9.0.1

ZLib compression library vulnerability (VU#238678)
We corrected a denial of service vulnerability that was found in the ZLib compression library versions 1.2.x. The problem arose from incorrect error handling in the inflate() and inflateBack() functions. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CAN-2004-0797 to the problem.

SSL client certificate LDAP authentication and start_tls failure (CR38967)
Client certificate LDAP authentication now correctly handles start_tls failures.

LACP support (CR39554, CR39872)
Link aggregation control protocol (LACP) is fully supported in this release.

Connection mirroring (CR39548, CR39779, CR39892, CR39894, CR39895, CR39905)
Connection mirroring is fully implemented in this release.

Truncated subscription ID in error messages and iControl applications (CR39987)
The system no longer truncates the subscription ID when it generates an error message.

bigpipe daemon overdog watchdog disable command writing to bigip.conf correctly (CR40117)
The bigpipe daemon overdog watchdog disable command now handles default settings correctly when writing to the bigip.conf file.

SSL records that straddle packets may destabilize the system (CR40119)
Overlapping SSL records no longer destabilize the system.

[ Top ]

Optional configuration changes

Once you have installed the software, you can use any of the following new configuration options to update your configuration.

[ Top ]

Understanding the Fast HTTP profile

The Fast HTTP profile is a fast implementation of OneConnectTM and simple HTTP content-switching. It cannot be used in conjunction with Session Persistence, SSL, Deflate, RAM Cache, IPv6, or VLAN groups. It can be used with SNATs. You can associate the Fast HTTP profile with a virtual server. When you assign the Fast HTTP profile to a virtual server, it processes traffic packet-by-packet and at a significantly higher speed than the typical virtual server. This profile is incompatible with all other profiles. This profile has the following attributes:

  • client close timeout
    Specifies the number of seconds after which the system closes a client connection, when the system either receives a client FIN packet or sends a FIN packet. This setting overrides the idle timeout setting. The default setting is 5.
     
  • conn pool idle timeout override
    Specifies the number of seconds after which a server-side connection in a OneConnect pool is eligible for deletion, when the connection has no traffic. This setting overrides the idle timeout that you specify. The default is 0 seconds, which disables the override setting.
     
  • conn pool max reuse
    Specifies the maximum number of times that the system can re-use a current connection. The default setting is 0.
     
  • conn pool max size
    Specifies the maximum number of connections to a load balancing pool. A setting of 0 specifies that a pool can accept an unlimited number of connections. The default setting is 2048.
     
  • conn pool min size
    Specifies the minimum number of connections to a load balancing pool. A setting of 0 specifies that there is no minimum. The default setting is 10.
     
  • conn pool step
    Specifies the increment in which the system makes additional connections available, when all available connections are in use. The default setting is 4.
     
  • header insert
    Specifies a string that the system inserts as a header in an HTTP request. If the header exists already, the system does not replace it.
     
  • http11 close workarounds
    Specifies whether to enable or disable HTTP 1.1 close workarounds.
     
  • idle timeout
    Specifies the number of seconds after which a connection is eligible for deletion, when the connection has no traffic.
     
  • insert xforwarded for
    Specifies whether the system inserts the XForwarded For: header in an HTTP request with the client IP address, to use with connection pooling.
    • Enabled: Specifies that the system inserts the XForwarded For: header with the client IP address.
    • Disabled: Specifies that the system does not insert the XForwarded For: header

     
  • max header size
    Specifies the maximum amount of HTTP header data that the system buffers before making a load balancing decision. The default setting is 32768.
     
  • max requests
    Specifies the maximum number of requests that the system can receive on a client-side connection, before the system closes the connection. A setting of 0 specifies that requests are not limited. The default setting is 10.
     
  • mss override
    Specifies a maximum segment size (MSS) override for server-side connections. The default setting is 0, which corresponds to an MSS of 1450. You can specify any integer between 536 and 1450.
     
  • reset on timeout
    Specifies, when enabled, that the system sends a TCP RESET packet when a connection times out, and deletes the connection.
     
  • server close timeout
    Specifies the number of seconds after which the system closes a client connection, when the system either receives a client FIN packet or sends a FIN packet. This setting overrides the idle timeout setting. The default setting is 5.

Using rules with the Fast HTTP profile

The following rule events are supported by the Fast HTTP profile:

  • CLIENT_ACCEPTED
  • SERVER_CONNECTED
  • HTTP_REQUEST

The following HTTP rule commands are supported by the Fast HTTP profile:

  • HTTP::method
  • HTTP::uri
  • HTTP::version
  • HTTP::header exists
  • HTTP::header value
  • HTTP::header insert

Additional rule commands supported by the Fast HTTP profile

All layer 3 through layer 4 rule commands are supported. For example, IP::remote_addr, TCP::local_port, pool, snat, and others. In addition to the layer 3 and layer 4 rule commands, all global rule commands are supported. For example, md5, sha1, b64encode, and built-in TCL commands such as string -length, regexp, and others.

Statistics available with the Fast HTTP profile

The following statistics are available with the Fast HTTP profile. You can view statistics for requests, responses, and OneConnectTM.

Request statistic Description
Get Requests The total number of get requests.
Post Requests The total number of post requests.
Version 0.9 The total number of HTTP version 0.9 requests.
Version 1.0 The total number of HTTP version 1.0 requests.
Version 1.1 The total number of HTTP version 1.1 requests.
Unbuffered The total number of unbuffered requests.
Pipelined The number of pipelined HTTP requests detected.
Requests The total number of HTTP requests.
Parse Errors The total number of request parse errors.

 

Response statistic Description
Successful The number of 200-206 (success) server-side responses.
Redirection The number of 300-307 (redirect) server-side responses.
Client Errors The number of 400-417 (client error) server-side responses.
Server Errors The number of 500-505 (server errors) server-side responses.
Parse Errors Number of response parse errors.

 

OneConnect statistic Description
Currently Idle The number of available server-side flows in the reuse pool.
Maximum The maximum number of server-side flows in the reuse pool.
Total Reuses The number of times a server-side flow was reused.
Exhausted The number of times the reuse pool was exhausted.

 

Miscellaneous statistic Description
Client SYNs Total number of client SYN cookies generated.
Client Accepts Total number of client TCP accepts.
Server Connects Total number of server TCP connects.
Client Receive Failures The number of bad TCP segments dropped from the client.
Server Receive Failures The number of bad TCP segments dropped from the server.

 

[ Top ]

Using the Scripted monitor

With the scripted monitor, you can write a simple script to monitor a server in the network. The Scripted monitor opens a TCP socket and from the file you specify by the filename parameter, reads send lines to be sent over the socket and expect lines to be expected from the socket. These lines should be in the file in the sequence you want. For example, a simple SMTP sequence might be:
expect 220
send "HELO bigip1.somecompany.net\r\n"
expect "250"
send "quit\r\n"

 

Translation consists of first stripping off the leading send or expect, after determining which one of the two it is. Next, the leading and trailing spaces are stripped off. If there are no enclosing " " (double quotes), the line is not translated any further and is sent as is (note that for a send this means no new line is sent). If the line to be sent is enclosed with double quotes, then the quotes are stripped off and the line is examined for escaped characters, each of which is properly translated.

If the line is to be sent, it is now sent as translated. If the line is expected, then the socket is read until it either receives a line beginning with the expected sequence of characters or it times out. This means it could receive several lines before receiving the one that contains the expected sequence of characters at the beginning of the line. There may be other characters in the received line. The expect sequence of characters may not be the complete line, which can vary from one computer to another, but the first characters must match the expected sequence. The filename should be the name of a file contained in the directory /config/eav. Keeping these files under this directory allows them to be saved with the configuration.

[ Top ]

Configuring the LDAP monitor

The LDAP monitor contains a new option: Mandatory Attributes. This option causes the LDAP monitor to behave differently depending on if is is set to yes or no. It is also important to note that this monitor no longer requires an entry in /etc/hosts for the LDAP servers.

  • When the Mandatory Attributes option is set to yes, the LDAP filter search is a sub tree search (as opposed to the normal one-level search), and if no attributes are returned as a result of the search, the monitor does not report the node as up.
     
  • When the Mandatory Attributes option is set to no, to some other value, or is absent, the LDAP monitor performs a one-level search and does not require any attributes to be returned. For example, if the return indicates zero attributes for this filter, the service is still functioning and the node is considered up. This was the standard behavior of the LDAP monitor in previous versions of the BIG-IP software.

 

[ Top ]

Configuring the WAP monitor

The common usage for the WAP monitor is to specify the send and recv parameters only. The WAP monitor functions by requesting a URL (the send parameter) and finding the string in the receive (recv) parameter somewhere in the data returned by the URL response.

RADIUS accounting is optional. To implement RADIUS accounting, you must set the accounting port to a non-zero value. If the accounting port is set to a non-zero value, then the monitor assumes that RADIUS accounting is needed, and an accounting request is sent to the accounting node/port to Start accounting. This is done before the URL is requested. After the successful retrieval of the URL with the correct data, an accounting request is sent to Stop accounting.

[ Top ]

Using SNMP read/write OIDs

You can use the following SNMP OIDs in read/write mode. However, SNMP is not intended to be used as a general API for configuring the BIG-IP system. You can use the following SNMP OIDs in read/write mode.

OID Name OID Value
ltmVirtualServEnabled Enable/disable virtual server
ltmVirtualAddrEnabled Enable/disable virtual address
ltmNodeAddrNewSessionEnable Enable/disable node address
ltmNodeAddrMonitorState Force up/down node address
ltmPoolMemberNewSessionEnable Enable/disable pool member
ltmPoolMemberMonitorState Force up/down pool member

 

[ Top ]

New SNMP OIDs

The version 9.0.X releases often include SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

[ Top ]


Compiling the real_server monitor plug-in for UNIX and Linux systems

The .iso image for the version 9.0.2 software now includes the source and makefiles for compiling the real_server monitor plug-in for UNIX and Linux systems. The following instructions explain how to access the files you need to compile the plug-in.

  1. Using the .iso image, burn a CD-ROM of the version 9.0.2 software.
     
  2. On the CD, navigate to the /downloads/rsplug-ins directory.
     
  3. Copy the F5RealMon.src.tar.gz tarball to the /var/tmp directory on the BIG-IP system.
     
  4. On the BIG-IP system, change to the /var/tmp directory.
    cd /var/tmp
     
  5. Untar the F5RealMon.src.tar.gz tarball.
    tar xvzf F5RealMon.src.tar.gz
     
  6. Change to the F5RealMon.src directory.
    cd F5RealMon.src
     
  7. To compile the source, use the instructions in the build_unix_note file, in the F5RealMon.src directory. Type ls to view the directory contents.
[ Top ]

Configuring slow ramp time for a pool

The following instructions explain how to configure the new slow ramp time option for local traffic pools, as described in the New features section of this release note. The slow ramp time option specifies a length of time during which a newly enabled pool member receives only a fraction of any new connections to the pool.

To configure slow ramp time using the Configuration utility

  1. In the Main tab, click Local Traffic, and then click Pools.
    The Pools List screen opens.
     
  2. Click a pool name.
    The properties screen for that pool opens.
     
  3. In the Configuration box, select Advanced.
    The configuration options expand.
     
  4. In the Slow Ramp Time box, type the number of seconds.
     
  5. Click the Update button.
    The system saves the change to the configuration file.
[ Top ]

Using the switchboot utility

Beginning with the version 9.0.2 release, functionality was added to install multiple versions of the BIG-IP software on different slots on one unit. A slot is a portion of a drive with adequate space required for an installation. If the hardware supports multiple slots, you are prompted to install the software on multiple slots during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), and BIG-IP 6400 (D63) platforms support this functionality.

The switchboot utility is available to manage installations on different slots. You can use the switchboot utility from the command line to select which installed image boots. To run the switchboot utility, type the following command:
switchboot

A list of slots and their descriptions displays. Type the number of the slot you want to boot at startup. When you reboot the system, it starts from the slot you specify.

If there is only one slot available, the switchboot utility displays a message similar to this one and exits.
There is only one slot to choose from: title BIG-IP 9.0.2 Build 18.0 - drive hda.1

Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.

To use switchboot in non-interactive mode

If you know which slot you want to boot, you can type the following command and specify the slot number for <slot_number>:
switchboot -s <slot_number>

To use switchboot to list available slots and the currently active slot

If you want to list the available slots without specifying a new slot from which to boot, type the following command:
switchboot -l

To list options for switchboot

To list the options for the switchboot utility, type the following command:
switchboot -h

To view the contents of the boot configuration file using switchboot

You can view the complete contents of the boot configuration file (grub.conf) with the following command:
switchboot d

This command is slightly different from switchboot l in that l only lists the slot header lines, whiled displays the complete file.

[ Top ]

Known issues

The following items are known issues found since the 9.0 release. For a complete list of known issues in this release, refer to the BIG-IP version 9.0 Release Notes .

Improper shutdown of BIG-IP 2400 system and system startup (CR46618)
If the BIG-IP 2400 system (D44) is not shut down correctly, in very rare circumstances, the system may boot into an inoperable state and not pass traffic. If you log into the system, you may see messages similar to this one:

Mar 24 15:07:30 D44TTT root: Re-starting bcm56xxd

To correct this problem, reboot the system.

Configuration utility: wildcard virtual server setting and address translation setting (CR46645)
In the Configuration utility, when you create a wildcard virtual server with the Host button checked, address translation is enabled. We do not recommend enabling address translation for wildcard virtual servers. After you create a wildcard virtual server, change this setting to disabled.

Creating a wildcard virtual server without the virtual address entry (CR46657)
If you create a wildcard virtual server without a virtual address entry (0.0.0.0) with ARP disabled, ARP is set to enabled when the configuration is saved. After you create the wildcard virtual server, you can change the ARP setting back to disabled.

Benign error message when network booting from CD image (CR45998)
You may see the following benign error message when you boot the BIG-IP system from the CD image:

msg insmod e100: no module by that name found

Creating vlans with period in the name (CR46028)
Using the sysctl -a command prints the /proc/sys filesystem out about each file under the tree as if it were a variable separated by period (.), it translates the forward slash (/) into a period. When you create a vlan with a period in the name, sysctl translates that into a forward slash (/), but then cannot read the filename it just created.

The snmpdca monitor and the /var/agentx/client.info file (CR46111)
Using the snmpdca monitor causes the /var/agentx/client.info file to grow unrestricted. If this file grows too large, you may have to delete it.

Bigpipe: profile clientssl renegotiate size (CR46147)
The bigpipe command b profile clientssl <name> renegotiate size <NN> causes a syntax error.

Configuration utility: white space in imported certificates (CR46150)
Currently, white space in imported certificates is not handled correctly. Certificates with extra whitespace after the begin certificate or before the end certificate statements are rejected.

Configuration synchronization: existing temporary im files and the config save command (CR46374)
Existing temporary im files in /var/tmp may prevent the b config save command from saving the configuration. These temporary files may exist if you have stopped the configuration synchronization process in the middle of its operation. You can avoid this problem by deleting the temporary im files located in /var/tmp.

Non-IP traffic does not bridge through VLAN groups (CR46564)
Non-IP traffic, such as MPLS and CDP traffic, does not bridge through VLAN groups.

Virtual Server - No Nodes Available trap and log message (CR46596)
The No Nodes Available trap and log message do not exist in BIG-IP version 9.x. Currently, when all nodes in a virtual server are marked down, a message is logged for each pool member of the virtual server. For example, you might see a message like this for each member of a pool on the virtual server:

Mar 24 09:01:00 bip6400 mcpd[864]: 01070638:3: Pool member 10.10.10.40:80 monitor status down.

Attempting to use bigpipe immediately following the bigstart restart (CR44091)
After you run the bigstart restart command, the BIG-IP system takes a minute to initialize. If you run this command, you should wait at least a minute for the system to re-initialize before running additional bigpipe commands.

Creating client-side or server-side SSL profiles with certain SHA keys (CR44106)
You cannot create a client-side or server-side SSL profile with the SHA ciphers named DHE-RSA-AES128-SHA or DHE-RSA-AES128-SHA.

The BIG-IP system caches unreachable IPv6 destinations regardless of IPv6 route updates (CR44109)
A problem may occur where the BIG-IP system caches an unreachable IPv6 destination. This problem might occur if you add the wrong default route, delete it, and change to the correct route, only to find traffic fails to reach the destination.

fipsutil and using the Ctrl C key combination while initializing a FIPS card (CR44123)
If you press the Ctrl C key combination while using the fipsutil command to initialize a FIPS card, the card may not initialize properly.

Using the discard option during the upgrade process (CR44129)
The discard option does not remove the boot entry for the discarded installation from the grub.conf file. This means that installations that you have discarded may appear as options on the grub.conf list at boot time. The system cannot boot to a discarded installation, even if it appears on the grub.conf list at boot time.

Removing the default management IP address at boot time creates failure messages (CR44142)
Two benign log messages may be logged in the system log during boot time as the system removes the non-existent default IP route. You can ignore these messages.

Dec 27 18:40:08 D62 chmand[716]: 012a0003:3: sys_host_rule: netlink error = -3: No such process
Dec 27 18:40:08 D62 chmand[716]: 012a0003:3: sys_host_ip_addr: failed to add mgmt rule

FTP data channel with layer 7 FTP connections and non-equal MTUs (CR44165)
Non-equal MTUs may cause layer 7 FTP connections to stall. If you are using a switch to negotiate the MTU with the BIG-IP system, this is not likely to happen.

Fast L4 profile: Reset on timeout disable and the idle timeout value (CR44261)
Changing the Reset value on the timeout option to disable appears to change the idle timeout value. However, this affects only the value displayed by the system, not the system setting and the functionality of the system.

Configuration utility: Deleting floating IP addresses and non-floating IP addresses (CR44297)
In the Configuration utility, we recommend that you always delete floating IP addresses before you delete non-floating IP addresses.

IPv6: Transparent monitors(CR44388, CR44407, CR44408)
The current IPv6 implementation does not support transparent monitors.

Viewing connections on the BIG-IP system (CR44554)
Using the bigpipe conn show command to view connections on a heavily loaded system may have a detrimental affect the performance of user applications on the BIG-IP system.

Configuration utility: Deleting SNMP access control (CR44559)
In the Configuration utility, you may not be able to delete SNMP access control.

Tcpdump and port mirroring (CR44574)
We recommend that you turn off port mirroring before you run the tcpdump utility on a port.

Allowing specific UDP ports (CR44590)
You cannot add a specific UDP port to the allow list that includes the allow default setting. To add specific UDP ports to the allow list, remove the allow default setting and add each UDP port you want to add to the allow list.

User set serial speed and installing the software (CR44686, CR43722)
The installation distribution is hard-coded to use the serial settings 19200,N,1. If you have manually changed the serial settings on the BIG-IP system, you may see random characters during the installation.

Supported MTU for BIG-IP systems and IPv6 (CR44733)
The minimum supported MTU for BIG-IP system using IPv6 is 1280.

SSH: If logged in as non-root user, cannot use SSH to connect to another system (CR44734)
You cannot use SSH to connect to another system unless you are logged into the BIG-IP system as a root user.

Error when swapping RADIUS server keys during a re-load after swapping the server IP addresses (CR44769)
You may see an error when you attempt to swap RADIUS server keys during a configuration reload. You can work around this problem by unconfiguring one of the servers before redefining the other.

Various benign error messages on system during an upgrade (CR44783, CR44820)
You may see various benign error message when you upgrade the system. These errors are harmless.

Configuration utility: using tcpdump with unlimited setting (CR44819)
In the Configuration utility support screen, we recommend that you do not use the unlimited setting when you perform a tcpdump. Using this setting may destabilize the system.

Brackets in commented sections of rule syntax (CR44839)
Brackets in commented sections of rule syntax are counted in the bracket count. We recommend that you balance the brackets in the comments.

NAT and ICMP (CR44849) Currently, NATs do not forward ICMP packets.

Configuration utility: Load Balancer Light and the Fast L4 profile (CR44866)
The BIG-IP Load Balancer Light product does not provide the ability to create or edit a Fast L4 profile.

iRules: the lb_failed event and HTTP::redirect (CR45112)
The lb_failed event does not function with the HTTP::redirect rule.

Cookie hash persistence does not persist to the original pool member (CR45125)
The cookie hash persistence mode does not allow connections to persist to the original pool member.

Interface statistics tracking (CR40449)
The system may display erroneous statistics data for interfaces, for example, 4GB of dropped packets on a system that has been running for only an hour.

1500, 3400, and 6400 platforms: SSH session remains open after peer unit is rebooted (CR40503)
When you establish an SSH session between two units on the 1500, 3400, or 6400 platforms, and you reboot the unit to which you established the SSH session, the SSH session remains open until it reaches its timeout.

Using trunks on a BIG-IP 2400 (D44) IP Application Switch (CR40507)
On a BIG-IP 2400 platform, if you connect multiple ports to one switch you may form a bridging loop, which causes the TMM to restart repeatedly. To avoid this issue, enable spanning tree protocol if you connect multiple ports to one switch.

SIP persistence and persist iRule commands (CR40579)
In this release, the persist iRule commands do not support SIP persistence.

Client SSL and Server SSL profiles and time stamps on key or certificate files (CR40677)
The Client SSL and Server SSL profiles currently do not add time stamps to SSL certificate or SSL key files.

When specifying a default route for IPV6, you must specify a destination and netmask (CR40808)
Because the default configuration settings for Network Routes is for IPV4, you must specify both a destination and netmask value if to specify a default route for IPV6. To specify a IPV6 default route, you must first choose a type of route instead of default gateway. Then specify the destination as :: and the netmask as :: to set the appropriate IPV6 default route.

OTCU: Displaying monitors saved at pool level in the Configuration utility (CR40977)
After you run the OTCU to convert your 4.5.X configuration to a 9.0.X configuration, you cannot view the monitors on pool members until after you run the bigpipe load command twice, from the command line. Alternately, you can reboot the system.

SNMP OID ltmVirtualServPool and reporting pool names (CR41587)
A query of the ltmVirtualServPool OID never returns any data despite having pools associated with a virtual server through a rule.

Time zone inconsistency between system time and log files in the Configuration utility (CR41639)
Currently there is an inconsistency between the system time and the time displayed on the log file entries in the Configuration utility. The log file entries in the Configuration utility do not reflect the system's time. You can view the log files from the command line to see the correct time stamp on the log file entries.

Configuration utility: case sensitivity in iRule names (CR42312)
In the Configuration utility, the names of iRules are not case-sensitive. If you create two iRules whose names are identical except for the case, the system overwrites the first rule with the second rule. To avoid this issue, use unique names for any iRules that you create.

Installing the software using a PXE server (CR42592)
When you are performing a clean installation of the BIG-IP software using a PXE server, you may see RPM package errors during the installation process. The errors are benign and can be ignored.

Configuration utility: Re-running the Setup Utility and VLAN configuration error messages (CR42790)
When you rerun the Setup Utility and use the Basic Configuration Wizard (which sets up the default internal and external VLANs, the configuration must follow these guidelines. If the configuration violates one of these conditions, you see error messages, and cannot complete the configuration.

  • No more than one non-floating IP may be associated with VLANs named external or internal.
  • No more than one floating IP may be associated with VLANs named external or internal.
  • The self IP addresses associated with the VLANs internal and external must use one of the following port settings: Allow Default, Allow 443, Allow None.
  • If The bigdb variable Statemirror.IPAddr must match the internal self IP.
  • A VLAN group may not be named external or internal.
  • A trunk may not be configured on VLAN external or internal. The default route must be of type Gateway.

Using a literal carriage return in a monitor parameter string (CR43128)
The system cannot interpret literal carriage returns in monitor strings that are created by pressing the Enter key. If the string you are creating requires a literal carriage return, type \r\n instead of pressing the Enter key.

Redundant systems and assigning duplicate IP addresses (CR43330)
If you have a redundant system, and on both units you assign the same IP addresses on the internal and external VLANS, the system does not generate an error message, and should. This is not a valid configuration.

The system does not preserve license files during a clean installation (CR43489)
If you perform a clean installation of the BIG-IP system, the license files do not carry over to the new installation. You must re-license the system after a clean installation.

Failover and virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled (CR43517)
In a redundant system, if the active unit fails over, and the configuration contains virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled, the failover process does not properly mirror the server-side OneConnect connections to the failover unit.

Changing the virtual server type (CR43546)
If you modify the virtual server type using the bigpipe utility, the Configuration utility may not always display the updated type.

Link activity lights on the BIG-IP 3400 (C62) platform (CR43570)
On the BIG-IP 3400 platform, if you have trunks configured, the link activity lights on the front panel may not properly indicate link activity (turn green).

Configuration utility: Changing the refresh interval on the Preferences screen applies the change only to statistics screens not viewed yet (CR43613)
In the Configuration utility, on the System > Preferences screen, if you change the Default Statistics Refresh interval, view some statistics screens, and then change the Default Statistics Refresh interval again, the system applies the second update only to those statistics screens that you have not viewed yet.

Configuration Guide for Local Traffic Management: error in iRules syntax example (CR43689)
In Figure 13.16, on page 13-37, the example syntax for matchclass ($::) is incorrect. The correct syntax is as follows:
if { [matchclass [IP::remote_addr] equals $::aol] } { ... }

Node and service messages and SNMP alerts (CR44436)
The BIG-IP system does not trigger node up/down and service up/down alerts on the following events:

Feb 28 09:22:23 fs27lbe000 bigd: 01060002:4: Node address detected UP for 3ffe:81cc:630:2::b monitor icmp.
Feb 28 09:23:09 fs27lbe000 bigd: 01060002:4: Node address detected DOWN for 3ffe:81cc:630:2::b monitor icmp.
Feb 28 09:23:14 fs27lbe000 bigd: 01060001:4: Service detected DOWN for 3ffe:81cc:630:2::b:80 monitor tcp.
Feb 28 09:23:53 fs27lbe000 bigd: 01060001:4: Service detected UP for 3ffe:81cc:630:2::b:80 monitor tcp.

Restoring a configuration and overwriting SSH keys (CR45173)
UCS files back up and restore host and root SSH keys, but there are many situations where these keys are stale, and break communications with the SCCP host subsystem.

Validating routes (CR45212)
Currently the system does not fully validate route configurations, and it is possible to add a route to the configuration for which the gateway router is on the destination network.

D39 platform and lock-ups of the host subsystem when transferring large files (CR45269)
On certain D39 platforms, the host subsystem locks up when the system is processing large file transfers. This is a result of a bad BIOS on the motherboard. To verify that your platform is affected, and to update the BIOS, contact Technical Support.

Viewing virtual address status (CR45307)
When you disable a virtual address, the system displays the wrong status of available (green circle) rather than unavailable (yellow triangle).

Using automatic licensing and errors in the Configuration utility (CR45369)
In the Configuration utility, when you select Automatic option for licensing, if the system cannot communicate with the F5 Licensing Server, the system generates a major application error. To work around this issue, close the current browser session, open a new session, and select the Manual option instead. Note that this happens only in rare instances.

L4 connection mirroring broken for fail-back (CR45480)
If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not synchronize the state for the mirrored connections. The means that the mirrored connections are lost in a subsequent failure or a forced fail-back.

Display discrepancies between Configuration utility and bigpipe for SSL profile setting (CR45537)
On the SSL Profile screen, select the Renegotiate Period option and leave it at the default setting, Indefinite. When you view the same setting in the bigip.conf file, you see this number, 138635524 (which equates to 4.396 years), instead of indefinite.

Application Accelerator: Logging options display for unavailable features (CR45546)
In the Configuration utility, on the System > Logs > Options screen, you see logging options for the Packet Velocity ASIC. This feature is not available on the Application Accelerator product.

Set-Cookie header insertions statistics not updated (CR45578)
The system is not updating the Set-Cookie header insertion statistics, and is reporting the statistic as 0 (zero).

VLAN-keyed connections not implemented (CR45693, CR45694)
The system does not currently support VLAN-keyed connections.

Renaming user-defined profiles from the command line and database synchronization errors (CR45706)
If you rename a user-defined profile from the command line (by editing the bigip.conf file), and do not update the name of the referenced profile in the virtual server configuration, you see MCP error messages due to database synchronization issues. To avoid this issue, if you need to rename a user-defined profile, we recommend that you do so from the Configuration utility.

Acceptable characters in SSL certificate names and common names (CR45721, CR45722)
If you create a certificate name or common name that uses invalid characters (for example asterisk, comma, question mark, exclamation, forward slash, ampersand), the system generates an error message that is incorrect. The error message states that these characters are valid, however the only acceptable characters are alphanumeric characters, hyphen, and underscore.

Generating SSL certificates and keys and Configuration utility errors (CR45725)
If you try to generate an archive file for SSL certificates and keys, and you do not type a name for the file, the system generates an error. If you then add a name and click the Generate and Download button, the system saves the file but the Configuration utility remains in the error state. Simply click Cancel after you have saved the file, which returns you to the SSL Certificate list screen.

Empty list notation in iRules in the Configuration utility (CR45767)
In the Configuration utility, on the iRules screen, you can currently specify an empty list with the following notation: {}. The configuration does not load properly with this syntax (no space between the braces). The correct syntax is as follows: { }. Note that the space is required.

Importing non-FIPS keys into a FIPS system (CR45853)
If you import non-FIPS keys to a FIPS system, and then convert the non-FIPS keys to FIPS keys, the system continues to use the non-FIPS keys until you restart the TMM process. You can perform this task from the command line, by typing bigstart restart.

The radvd utility and restarting or rebooting the system (CR45882)
In rare circumstances, the radvd utility may start too early when you restart or reboot the system. As a result, the utility does not properly advertise routes. If you experience this issue, simply restart the radvd utility, on the System > Services screen in the Configuration utility.

IM upgrades and modprobe dependencies error messages (CR45885)
When you upgrade your system using the IM upgrade process, you may see the following error message when the system starts the automatic reboot, after the installation completes:
modprobe: Can't open dependencies file
The error is benign, and can be ignored.

Invalid iRules commands for querying Keep-Alive headers and Redirect headers cause runtime errors (CR45939, CR45941)
In the Configuration Guide for Local Traffic Management, on page 13-18, Table 13.9 lists incorrect commands for querying Keep-Alive headers and Redirect headers.
The correct syntax for querying Keep-Alive headers is HTTP::header is_keepalive, not HTTP::is_keepalive.
The correct syntax for querying Redirect headers is HTTP::header is_redirect, not HTTP::is_redirect.

IM upgrades and kernel journalling error messages (CR45970)
When you use the IM upgrade process, you may see kernel journalling error messages on the console after the installation completes. The error messages are benign and can be ignored.

Changes in US and Canada Daylight Saving Time (CR58315)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

[ Top ]

Acknowledgments

This section lists acknowledgments for software added in this release.

This product includes software developed by Balázs Scheidler <bazsi@balabit.hu>, which is protected under the GNU Public License.

This product includes software developed by Niels Möller <nisse@lysator.liu.se>, which is protected under the GNU Public License.

[ Top ]

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)