Release Note: BIG-IP LTM version 9.1.2

Software Release Date: 05/17/2006
Updated Date: 12/11/2013

Summary:

This release note documents the version 9.1.2 maintenance release of BIG-IP® Local Traffic Manager, Load Balancer Limited, and Application Accelerator. To review the fixes in this release, see Fixes in this release. For existing customers, you can apply the software upgrade to systems running BIG-IP version 4.5 PTF-04 through version 4.5.12, and to systems running version 9.0 and later. (Note that you cannot apply this upgrade to systems running BIG-IP version 4.6 software.) For information about installing the upgrade, please refer to Installing the software.

Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see Description of the F5 Networks software version number format.

Contents:

- Supported browsers
- Supported platforms
- Installing the software
     - Verifying the MD5 checksum of the upgrade ISO
     - Verifying the BIG-IP software installation
     - Re-activating the license on the BIG-IP system
- Fixes and enhancements in this release
     - Enhancements in this release
     - Fixes in this release
- Optional configuration changes
     - Understanding the Fast HTTP profile
     - Using the Scripted monitor
     - Configuring the LDAP monitor
     - Configuring the WAP monitor
     - Using SNMP read/write OIDs
     - New SNMP OIDs
     - Compiling the real_server monitor plug-in for UNIX and Linux systems
     - Configuring slow ramp time for a pool
     - Using the switchboot utility
- Known issues
- Acknowledgments


Supported browsers

The Configuration utility (graphical user interface) supports the following browsers:

  • Microsoft® Internet Explorer™, version 6.X and later
  • Netscape® Navigator™, version 7.1, and other browsers built on the same engine, such as Mozilla™, Firefox™, and Camino™.

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

Supported platforms

This release applies only to the supported platforms listed below; each one provides all minimum system requirements. This release supports the following platforms:

  • BIG-IP 1000 (D39)
  • BIG-IP 2400 (D44)
  • BIG-IP 5100 and 5110 (D51)
  • BIG-IP 1500 (C36)
  • BIG-IP 3400 (C62)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)

If you are unsure of which platform you have, look at the sticker on the back of the chassis to find the platform number.

Installing the software

There are several installation options to consider before you begin the version 9.1.2 software installation.

Important: You are prompted to install the software on multiple slots if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), and BIG-IP 6800 (D68) platforms support this functionality. If you want this functionality on a supported platform, you must choose another installation method. The IM upgrade does not add the multiple boot functionality; however, you can boot up a slot, copy the IM file onto the system, and install it on the system.

Important: You must perform the installation from the management interface (MGMT) on the BIG-IP system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.

Local Installation

PXE Installation

Remote Installation

Verifying the MD5 checksum of the upgrade ISO

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the upgrade file. This verifies that you have downloaded a good copy of the upgrade file. To run the test, type the following command, where Upgrade9.x.im is the name of the upgrade file you downloaded.

md5sum Upgrade9.x.im

Check the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.
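
The comparison described above can be scripted so that a mismatch or a malformed MD5 file stops the installation. This is an added example, not part of the original release note or F5 tooling; the function names, the .md5 file name, and the assumption that the MD5 file contains the 32-hex-digit digest in md5sum output format are illustrative.

```shell
#!/bin/sh
# Added example (not F5 tooling): compare the digest of a downloaded upgrade
# file with the digest published in its matching MD5 file.
# Assumption: the MD5 file holds the 32-hex-digit digest, optionally followed
# by a file name, in the format md5sum itself prints.

# verify_md5 FILE MD5FILE
#   returns 0 = digests match (install the file)
#           1 = digests differ (download the file again)
#           2 = a file is unreadable, or the MD5 file holds no digest
verify_md5() {
    vm_file=$1
    vm_sumfile=$2
    [ -r "$vm_file" ] || return 2
    [ -r "$vm_sumfile" ] || return 2

    # First 32-hex-digit token in the MD5 file, lower-cased for comparison.
    vm_expected=$(tr 'A-F' 'a-f' < "$vm_sumfile" | grep -Eo '[0-9a-f]{32}' | head -n 1)
    [ -n "$vm_expected" ] || return 2

    vm_actual=$(md5sum "$vm_file" | cut -d ' ' -f 1)
    [ "$vm_actual" = "$vm_expected" ]
}

# Constructed demonstration: build a stand-in upgrade file, publish its
# digest, then check a good copy, a damaged copy, and a malformed MD5 file.
# Prints the three return codes on one line.
demo_verify_md5() {
    dm_dir=$(mktemp -d) || return 2
    printf 'constructed stand-in for Upgrade9.x.im\n' > "$dm_dir/Upgrade9.x.im"
    (cd "$dm_dir" && md5sum Upgrade9.x.im > Upgrade9.x.im.md5)

    dm_good=0
    verify_md5 "$dm_dir/Upgrade9.x.im" "$dm_dir/Upgrade9.x.im.md5" || dm_good=$?

    # Simulate a corrupted download by changing the file content.
    printf 'x' >> "$dm_dir/Upgrade9.x.im"
    dm_bad=0
    verify_md5 "$dm_dir/Upgrade9.x.im" "$dm_dir/Upgrade9.x.im.md5" || dm_bad=$?

    # Simulate an MD5 file that was saved as an error page instead of a digest.
    printf 'not a digest\n' > "$dm_dir/Upgrade9.x.im.md5"
    dm_malformed=0
    verify_md5 "$dm_dir/Upgrade9.x.im" "$dm_dir/Upgrade9.x.im.md5" || dm_malformed=$?

    rm -rf "$dm_dir"
    echo "$dm_good $dm_bad $dm_malformed"
}

# Typical use before installing:
#   verify_md5 Upgrade9.x.im Upgrade9.x.im.md5 && echo "checksum OK"
demo_verify_md5   # prints: 0 1 2
```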

Verifying the BIG-IP software installation

After you complete the installation of the software, you can verify the installation using the RPM database. For more information, type man rpm to view the RPM man page. Use the verify options to verify the installation.

Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab, expand System and click License.
    The License screen opens.
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.
    For details about each screen, click the Help tab.

Fixes and enhancements in this release

This release includes the following fixes and enhancements.

Enhancements in this release

Added support for end-user diagnostics (EUD) (CR51185)
This release includes support for the end-user diagnostics (EUD). For more information, please refer to the technical note End-User Diagnostics: Field Testing Hardware.

Hotfix uninstall and versioning enhancements (CR56955 and CR57598)
This release includes enhancements to the hotfix process. For more information, please refer to SOL6845: Managing F5 Networks product hotfixes.

Changes in US and Canada Daylight Saving Time (CR58315)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

Certificate monitoring for expired or soon-to-be-expired certificates (CR59595)
The system now includes certificate monitoring to detect expired or soon-to-be expired certificates. Certificate status is now logged in /var/log/ltm, using the following format:

Certificate X in file Y expired on DATE

Certificate X in file Y will expire on DATE

This feature provides compatibility with BIG-IP 4.6 in this regard.
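
The two message formats above lend themselves to a scheduled check that reports certificates needing attention. This is an added example, not F5 code: the function names are illustrative, and the syslog prefix, certificate names, file paths and date format in the sample are constructed, since the release note specifies only the message wording.

```shell
#!/bin/sh
# Added example (not F5 code): turn the certificate status messages logged in
# /var/log/ltm into a monitoring check. Only the message wording
# ("Certificate X in file Y expired on DATE" / "... will expire on DATE")
# comes from the release note; everything else here is constructed.

# Constructed sample of log content, including a repeat and an unrelated line.
sample_ltm_log() {
    cat <<'EOF'
May 17 03:00:01 bigip1 example: Certificate www.example.test in file /example/ssl/www.crt expired on May 1 00:00:00 2006 GMT
May 17 03:00:01 bigip1 example: Certificate api.example.test in file /example/ssl/api.crt will expire on Jun 1 00:00:00 2006 GMT
May 17 03:00:02 bigip1 example: constructed unrelated message
May 18 03:00:01 bigip1 example: Certificate www.example.test in file /example/ssl/www.crt expired on May 1 00:00:00 2006 GMT
EOF
}

# parse_cert_status: reads log lines on stdin and writes one unique record per
# finding as STATUS|certificate|file|date. The date is kept as an opaque
# string because the release note does not define its format.
parse_cert_status() {
    sed -nE \
        -e 's/^.*Certificate (.+) in file (.+) expired on (.+)$/EXPIRED|\1|\2|\3/p' \
        -e 's/^.*Certificate (.+) in file (.+) will expire on (.+)$/EXPIRING|\1|\2|\3/p' |
        sort -u
}

# cert_check: reads log lines on stdin, prints the findings, and returns
#   0 = no certificate messages
#   1 = only soon-to-expire certificates
#   2 = at least one expired certificate
cert_check() {
    cc_findings=$(parse_cert_status)
    if [ -z "$cc_findings" ]; then
        return 0
    fi
    printf '%s\n' "$cc_findings"
    if printf '%s\n' "$cc_findings" | grep -q '^EXPIRED|'; then
        return 2
    fi
    return 1
}

# On a live system the input would be the log itself:
#   cert_check < /var/log/ltm
sample_ltm_log | cert_check || echo "cert_check exit status: $?"
```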

200-level part number added to output of "platform show" bigpipe command (CR61086)
When you use the bigpipe command, bigpipe platform show, the 200-level part number is included in the output.

Fixes in this release

Improved installer feedback and fault tolerance (CR64693)
The BIG-IP installer now warns the user that the file system integrity check failed and notifies the user to reboot the system, triggering a file system check, before attempting the installation again. The installation process now holds a copy of the upgrade packages in system memory prior to writing them to disk, ensuring the upgrade packages’ integrity is not compromised by a questionable file system.

SSLv2 ciphers (CR50940)
The following ciphers now work in SSLv2:

  • DES-CBC3-MD5
  • EXP-RC2-CBC-MD5
  • EXP-RC4-MD5
  • RC2-CBC-MD5
  • RC4-64-MD5

Note that the ciphers DES-CBC-SHA and DES-CBC3-SHA are not supported by OpenSSL.

Multiple RADIUS authentication requests (CR53955)
When you are using external RADIUS authentication, the system no longer makes multiple authentication requests. This situation only applies to authentication through the Configuration utility.

Mirroring for cookie persistence (CR54086)
We have removed the setting for enabling mirroring in a cookie persistence profile. You cannot mirror cookie persistence because cookie persistence maintains no state on the BIG-IP system.

Query for status of virtual servers (CR54302)
The Configuration utility can now successfully query for the status of virtual servers when the system has been running for a long period of time.

Cookie persistence settings (CR54411)
We have removed the settings Match Across Services, Match Across Pools, and Match Across Virtual Servers in a cookie persistence profile. These settings are not applicable for cookie persistence.

Excessive PVA log messages (CR54798)
We have revised the pvad service to eliminate excessive log messages when you have a large number of VLANs configured.

Log message severity level (CR54909)
We have downgraded messages from the mod_jk2 Apache module from Error to Info.

Hotfix installation (CR55099)
We have enhanced the IM script so that installing hotfixes out of order no longer requires you to reimage the BIG-IP system.

Installation of large hotfixes (CR55153)
For a D51 platform, there is now sufficient space on the BIG-IP system to install large hotfixes.

Extraneous error messages (CR55198)
You no longer see false error messages when performing an installation with a PXE server.

Selection of lasthop gateway (CR56001)
The BIG-IP system now reselects the lasthop gateway correctly when a pool member is unavailable.

ICMP packet handling and memory leak (CR56002)
We have fixed an ICMP packet leak on systems running PVA chips.

Timestamps on log messages (CR56011)
The BIG-IP system now timestamps log messages sent to the file /var/log/tmm. This helps to correlate log messages with those sent to /var/log/ltm.

Media type options list (CR56018)
Typing the command bigpipe interface <interface_name> media show now displays the correct media type options.

bcm56xxd service after a BIG-IP system upgrade (CR56148)
We have modified the BIG-IP system so that, after you upgrade from a previous version on a D44 platform, the BIG-IP system only displays relevant error messages about the bcm56xxd service.

Mirrored connections and TMM service (CR56221)
With mirrored connections, the TMM service remains available even when the send queue contains insufficient data.

Connection mirroring with firewall sandwich (CR56232)
With a firewall sandwich configuration, connection mirroring now works properly.

SSL crash during out-of-memory conditions (CR56278)
We have fixed an SSL crash during out-of-memory conditions.

VLAN group Bridge in Standby setting (CR56372)
The VLAN group configuration setting Bridge in Standby now works properly. When enabled, this setting ensures that the VLAN group can forward packets when the system is the standby unit of a redundant system. Note that this setting applies to non-IP and non-ARP frames only, such as Bridge Protocol Data Units (BPDUs).

Maximum number of records in persistence table (CR56374)
The maximum number of destination address affinity persistence records that the BIG-IP system allows in the persistence table now equals the value specified in the Maximum Entries setting of the Configuration utility. You can find this setting by expanding System on the navigation pane and clicking General Properties.

FastHTTP profile connection leak (CR56386)
We have fixed a connection leak in the FastHTTP profile.

HTTP processing and cookie persistence (CR56391)
If you are using cookie persistence and you disable HTTP processing (using the iRule command HTTP::disable), the TMM service remains available.

ECV monitor behavior (CR56470)
Extended Content Verification (ECV) monitors now mark nodes up or down correctly.

LDAP monitor and LDAP referrals (CR56493)
LDAP monitors no longer consider references as returned messages with attributes.

Archive of syslog-ng.conf file (CR56497)
When you create a User Configuration Set (UCS) archive, the file syslog-ng.conf is now included in that archive.

nPath health monitors (CR56572)
In an nPath configuration, the system forwards health monitor traffic to a pool member as expected, instead of the virtual server load balancing the traffic.

Mcpd client event handling (CR56610)
We have fixed a library that made several daemons on the system susceptible to uncontrolled looping if they were disconnected from the mcpd.

Spanning Tree Protocol (STP) port blockage (CR56671)
Setting the interface media speed and type using the bigpipe interface command no longer blocks STP ports.

Pipelined requests and OneConnect (CR56685)
When a virtual server with OneConnect enabled receives a pipelined HTTP request containing the POST method, the TMM service remains available.

Documentation for allowed range of MSTP instance IDs (CR56690)
We have changed the product documentation that describes the numeric range allowed for Multiple Spanning Tree Protocol (MSTP) Instance IDs. The correct range for these IDs is 1 to 255.

Pool members marked as active after restart (CR56704)
After you type the bigstart restart command, the BIG-IP system no longer marks forced-down pool members as active.

iControl: values and eventd (CR56710)
We have corrected a problem that caused certain iControl values to destabilize eventd or generate incorrect values. Serialization of certain data and pointer types no longer causes eventd to core.

tm_daemon memory leak (CR56750)
We have fixed a memory leak in the tm_daemon.

Disabled monitor instances in configuration data (CR56868)
When you use the bigpipe save and bigpipe load commands, the BIG-IP system now saves a disabled monitor instance in the configuration data. F5 recommends, however, that you refrain from permanently disabling a monitor instance.

SNMP_DCA performance monitor (CR56879)
When an SNMP_DCA monitor returns a value of 0% for CPU usage, the system calculates the dynamic ratio weights correctly.

iRule session lookup command (CR56940)
When you create an iRule using the command session lookup ssl, the TMM service now remains available.

Statistics for PVA connections (CR56942)
The bigpipe global stats show command now shows the total connection statistics for hardware-assisted PVA connections.

Installation and hotfixes (CR56950)
During installation, the BIG-IP system issues a warning about hotfixes on the system that do not correlate with the new release.

State mirroring and management interface (CR56968)
You cannot set MGMT interface addresses for these bigdb configuration keys: StateMirror.IPaddr, StateMirror.PeerIPaddr, StateMirror.Secondary.IPaddr, and StateMirror.Secondary.PeerIPaddr.

MSSQL/ORACLE monitors without send parameter marked nodes as down (CR57047)
If you configured a monitor without specifying an SQL statement that the monitor passed to the server, the functionality of the MSSQL monitor changed to correct an unintended behavior. In normal operation the monitor:

  • authenticates only once,
  • utilizes a single long-lived connection to pass SQL parameters to ascertain the integrity of the database,
  • checks the database socket connection on each monitor interval to determine if the database is still listening for new connections; however this socket check does not pass any SQL parameters

The unintended behavior in previous releases was, without a send parameter, to close the connection every time. As a result, some servers never completed the connection before the monitor’s interval timed out, at which point the monitor marked the resource as down. With this release, the monitor no longer closes connections once obtained.

BIG-IP redundant system could fail to activate during time changes (CR57138)
Previously, conditions could exist where a redundant system would fail to activate due to a time change, such as moving from Daylight Saving Time to Standard Time. These systems now activate correctly under these circumstances.

Network Failover could occur too quickly (CR57155)
Situations could occur in which a redundant system configured to use network failover for high availability would have the secondary system become active too soon. Secondary systems in this configuration now wait until a timeout value is reached before becoming active.

Connection closed due to early server response (CR57199)
We have improved the handling of data transmissions between the BIG-IP system and its backend HTTP servers if the network is congested.

LTM virtual servers and GTM (CR57217)
big3d no longer marks down a virtual server that references an iRule but no default pool.

Authentication timeout value now set to 86400 seconds (24 hours) (CR57220)
Authentication cookies in previous versions timed out after 60 seconds. We have changed this value to 86400 seconds (24 hours).

b route mtu command works correctly (CR57243)
In previous versions, the b route mtu command did not perform as expected. This issue has been resolved for this release.

NULL values in SSL session ID do not affect iRules (CR57247)
The system no longer truncates an SSL session ID containing a null value when an iRule references it.

SIP monitor now accepts angle brackets when receiving data (CR57264)
Previously, the SIP monitor did not allow for angle brackets (< >) when receiving data. The monitor now accepts these characters.

serverssl does not leak SSL session when server session ID does not match (CR57374)
We have fixed a memory leak that occurred in situations where the server session ID did not match.

hud_msg_queue full crash resolved (CR57429)
We have fixed a crash which occurred when the system cleaned out expired entries in a connection table.

Selective ACK enabled on the TCP profile (CR57535)
We have corrected a rare condition where enabling Selective ACK on the TCP profile could cause the TMM to loop until it receives a SIGABRT from the sod daemon.

Exa prefix is now correctly written as "E". (CR57599)
The bigpipe utility correctly displays exabytes.

IP multicast packets received in a VLAN group now copied to host (CR57712)
The system delivers dynamic routing messages (that is, OSPF) that use multicast when you use VLAN groups.

iRule domain command no longer truncates (CR57722)
The domain command in an iRule does not truncate the last character in the domain name.

ARP entries now use the database variable, arp.timeout. (CR57723)
Previously, ARP entries used a hard timeout of 120 seconds. These entries now use the value assigned to the database variable, arp.timeout.

SIP monitor now accepts different return values (CR57826)
In previous versions, the SIP monitor required that the SIP server return data in the same format sent by the monitor. This is not always the case. In this version, the SIP monitor now accepts different values, for example, f: instead of From:.

Pool members validated correctly (CR57832)
In earlier versions the BIG-IP system would not validate certain pool members because a table was incorrect. The system now validates pool members correctly.

Linux handling interrupted BIG-IP system (CR57883)
If the system runs on a dual-processor system, host ISR (interrupt service routines) no longer increase latency of traffic management operations.

SNMP entries removed during configsync (CR57923)
Previously, deleted SNMP entries were not synchronized during a configsync operation, which caused errors on adding new SNMP entries. The system now removes SNMP entries correctly.

LACP diagnostics and TMM (CR57932)
In the event that the LACP process panics, the system writes a stack trace to the /var/log/tmm directory.

LACP diagnostics bcm56xxd (CR57951)
To help diagnose switchboard failsafe issues, bcm56xxd can log statistics each time it exits. To enable the diagnostics, set the db variable log.bcm56xxd.debugmask to 1.

Characters + and ! in profile cipher no longer prevent profile updates (CR58016)
In earlier versions, the + and ! characters in a profile cipher prevented you from updating any child profiles unless you specified the cipher string. These characters no longer affect profile ciphers.

System supports matchclass iRule when source IP address is 0.0.0.0 (CR58079)
In previous versions, iRules using matchclass could cause a system crash if the source IP address was 0.0.0.0. This IP address no longer affects iRules using matchclass.

Access to classes/datagroups through Tcl list now available (CR58080)
In earlier versions, accessing a class or datagroup as a Tcl list would not work correctly. In this release, you can access classes or datagroups through a Tcl list.

FastL4 flow removed if checksum error occurs (CR58090)
If the first packet of a FastL4 fails, the system now removes the FastL4 flow. Previously, this flow was left for later removal, which could cause performance issues.

HTTP filter forwards body OPTIONS method (CR58142)
Previously, data sent with the OPTIONS method to a virtual server using an HTTP profile would result in the headers, but not the body of the message, being received. The body of the message is now sent correctly to the virtual server.

Install succeeds on unrecognized partition schemes (CR58168)
In previous versions, you could not install the software when the installer failed to recognize a partition scheme. The installer can now proceed even if it does not recognize the partition schemes of the system.

Switchboard Failsafe default timeout now 30 seconds (CR58174)
Previously, the switchboard Failsafe default timeout was 10 seconds. With this release, the value of this timeout is now 30 seconds.

Deleting management route from system now also removes it from operating system (CR58208)
In earlier versions, when you deleted a management route, the route persisted in the Linux system. In this version, when you delete the management route, the route is also removed from the Linux operating system.

Boot image order no longer stops installation (CR58213)
In previous releases, the boot image order could impact the success of an installation. In this release, the boot image order has no impact during local installations.

Performance issues resolved when virtual servers share same pool (CR58220)
Previously, combinations of virtual servers and pools could impact system performance. These combinations no longer affect the system.

FastL4 mirroring successful even when connection update fails (CR58299)
In earlier releases, mirroring on fastL4 flows would fail due to failure of connection updates. Mirroring now operates successfully in this scenario.

Zero-length MRH no longer causes performance degradation (CR58366)
Previously, bad hardware or other related issues could result in a zero-length MRH and would cause the system to perform slowly. This issue no longer impacts performance.

SOAP Monitor sends correct host tag (CR58422)
In previous versions, the SOAP Monitor included an incorrect host tag. The monitor now sends the correct tag.

Database timeout upgrade no longer requires manually running upgradedb utility (CR58465)
Previously, upgrading the database to include an improved timeout value (see CR58174) required manually running the upgradedb utility. With this release, the upgrade occurs automatically.

Persistent connections no longer impact performance (CR58486)
With this release, persistent connections no longer have as much of an impact on performance as with previous releases.

Interface statistics now reported (CR58489)
Starting with release 9.1.2, the system reports interface statistics.

GigCu media type correctly displayed as 1000BaseT (CR58528 and CR59158)
In earlier versions, the GigCu media type was incorrectly displayed as 1000BaseTX. The user interface now correctly displays this media type as 1000BaseT.

Maximum Header Size value calculated correctly (CR58529)
Previously, the Max Header Size value included the body of the packet in addition to the header. The system now calculates this value with just the contents of the header.

Small packet transmissions performance improvement (CR58541)
With this release, the system handles communications involving large numbers of small packets more efficiently. Previously, these types of communications could reduce the performance of the network interface card.

Failsafe occurs within seconds (CR58614)
Previously, fail-over events could take several minutes, depending on network configuration. With this release, failsafe events now occur within seconds.

BIG-IP system independent of syslog service (CR58627)
In earlier versions, certain BIG-IP functions required the syslog service to be operational. These functions are now independent from the syslog service.

Verbose log messages (CR58728)
For configurations with several network virtual servers, the log messages that the pvad service displays are no longer verbose.

Excessive memory allocation during failover (CR58756)
When failover occurs with a high number of concurrent connections, the system does not allocate excessive memory.

HTTP headers containing \r characters (CR58773)
The BIG-IP system now processes correctly any HTTP headers that contain multiple \r characters.

iControl SOAP interface memory utilization with enums (CR58794)
Retrieving node statistics through the iControl SOAP interface consumes significantly less memory.

iControl set_timeout method (CR58826)
Using a set_timeout within iControl for a persistence profile now works correctly.

SNAT traffic within VLAN group (CR58849)
For a forwarding virtual server with the IP protocol attribute set to any, a VLAN within a VLAN group can now forward ICMP and UDP traffic to another VLAN in the group, when a SNAT is enabled on that traffic.

Remote LDAP authentication (CR58869)
A remote LDAP authentication server now successfully authenticates a user if the user makes a second attempt to type the user name correctly.

Upgrade with UCS and snmpd.conf (CR58897)
Upgrading no longer recreates the SNMP community "public" if it does not exist in the UCS file that you roll forward.

Connection mirroring on redundant systems (CR58921)
Mirroring large numbers of Layer 4 connections to the peer unit no longer adversely affects connection mirroring.

Deleted SNMP v1 access records and UCS files (CR58930)
For SNMP v1, when you delete an access record such as community 1, create a UCS archive, and roll it forward during an upgrade, the system no longer adds the deleted access record back into the configuration.

Connection mirroring on hard-wired failover (CR58975)
Connection mirroring now operates successfully under certain conditions such as when you have hard-wired failover and you unplug the failover cable. Previously, the system did not always handle hard-wired failover events correctly.

SSL connections using non-accelerated SSL (CR58976)
The TMM service no longer becomes unavailable due to an SSL application sending data on an SSL connection that is using non-accelerated SSL.

Deletion of tech.out file with qkview (CR59004)
When using the browser utility, qkview, you can now delete a tech.out file.

Unhandled ICMP packets (CR59009)
We have fixed a memory leak that occurred when the PVA listener did not handle ICMP packets.

Redirection of HTTP traffic (CR59067)
The BIG-IP system now correctly closes a connection after redirecting HTTP traffic to a fallback host.

Persistence and node availability (CR59068)
When a node is unavailable, the BIG-IP system correctly persists records across services.

iRules referenced by authentication profiles (CR59092)
When you update an iRule that is referenced by an authentication profile, the change takes effect even if you have not updated the profile referencing the iRule.

SYN flooding with a mirrored virtual server (CR59126)
We have fixed a crash that occurred when a SYN flood occurred against a mirrored virtual server.

Connection mirroring and the TMM service (CR59138)
Connection mirroring on a redundant system no longer causes the TMM service to become unavailable when the mirroring software uses a freed flow.

ARP timeout function (CR59151)
The ARP timeout feature now works properly, thereby preventing monitors from failing due to incomplete ARP tables with higher expirations than the default timeout value of 300 seconds.

Changing of serial baud rate (CR59156)
The SCCP firmware now supports a method for changing the serial baud rate.

TMM service after failover (CR59160)
The TMM service no longer becomes unavailable after failover, when you have a mirrored virtual server referencing a Fast L4 profile, with the PVA set to Assisted mode.

NextUpdate field in CRLs (CR59173)
The BIG-IP system no longer becomes unavailable when the NextUpdate field within a certificate revocation list (CRL) is empty.

Connection closing from PVA (CR59202)
The BIG-IP system now ignores connection closing from the PVA only if the connection is mirrored and inactive.

LCD screen and serial baud rate (CR59203)
You can now use the LCD screen to successfully change the serial baud rate.

Authenticate setting of SSL profile (CR59264)
The Authenticate Once and Authenticate Always settings of an SSL profile now work as expected.

SNMP_DCA_Base monitor and node weight (CR59278)
The SNMP_DCA_Base monitor now sets the node weight correctly.

SNMP OID and platform ID (CR59325)
The SNMP OID .1.3.6.1.2.1.1.2 now returns an OID that points to a platform ID.

Default bigdb key values and UCS files (CR59329)
If you change the value of one or more bigdb configuration keys and then install a UCS file that contains default key values, the BIG-IP system does not reset the keys to those default values.

SSL certificates and Configuration utility (CR59440)
The Configuration utility now remains available after you use the SSL Certificate screen to import an SSL certificate.

eXtreme DB out-of-memory handling (CR59485)
When the eXtremeDB™ database produces an out-of-memory error, the BIG-IP system now provides more useful information to diagnose the cause of the error.

X509::serial_number command (CR59501)
The response that the iRule command X509::serial_number generates no longer contains an extraneous NULL byte.

Disk space in /var partition (CR59540)
For CF-only devices only, the space in the /var partition no longer fills to 100% when diskmonitor is running and rotating the log files.

Connections sent to disabled pool members (CR59547)
A virtual server no longer sends new connections to a disabled pool member.

Connections sent to disabled nodes (CR59548)
A virtual server no longer sends new connections to a disabled node.

pvad service availability (CR59589)
The pvad service remains available when a VLAN failsafe action occurs.

Demotion of PVA mode (CR59616)
When a virtual server referencing a Fast L4 profile shares a pool with a Layer 7 virtual server, the BIG-IP system now demotes the PVA mode to Assisted instead of None.

bigpipe profile clientssl command (CR59646)
The command bigpipe profile clientssl <profile_name> defaults from clientssl renegotiate size <size> now works properly.

Core file removal (CR59713)
The clean_core mechanism in the BIG-IP system no longer removes core files automatically. This allows you to remove or retain the core files at will.

12v power supply labeled correctly (CR59752)
The voltage for the 12v power supply incorrectly stated the voltage at 4.87v. The power supply now has the correct label of 12v.

Hardware report easier to read (CR59792)
The hardware report includes carriage returns to make the output of the report easier to read.

Number of hard resets required reduced (CR59804)
Several situations in which hard resets were required have now been modified so that they only require software resets.

Memory leak in mcpd resolved (CR59899)
In previous versions, a memory leak existed in the mcpd. We have removed this leak.

bigpipe displays connection counts filtered by server IP address (CR60044)
Previously, bigpipe did not display connection counts when filtered by the IP address of the server. In this release, the system displays connection counts correctly.

Misleading add mgmt rule failure messages removed (CR60087)
In earlier versions, failure messages regarding the add mgmt rule would occur when the issue did not relate to it. These messages no longer display in this release.

Persistence across services when node is down (CR60115)
The persistence record for the downed node is now correctly removed from the persistence iRule.

Port mirroring option renamed Interface mirroring in license file (CR60308)
The port mirroring option was previously renamed Interface Mirroring; however, this name change did not appear in the license file. In this version, the new name appears both in the user interface and the license file.

Requests on persisted connections no longer cause RAM cache issues (CR60441)
In previous releases, requests on a persisted connection to a congested client could cause the RAM cache to crash. In this release, this situation no longer results in a RAM cache crash.

Audio and video compression statistics no longer show negative percentages (CR60444)
If you have data that is already compressed, and attempt to compress it again, the file size actually grows, because of the added header data related to the compression mechanism. This results in audio and video compression statistics moving to the negative. This issue is resolved by not compressing already-compressed data.

TMM path MTU enforcement (CR60456)
The bigdb variable TM.EnforcePathMTU (enable|disable) allows the user to configure the TMM's desired behavior. By default, this db variable is enabled and the TMM enforces the path MTU on behalf of other devices.

Fast HTTP keeps current connection even if connection pool needs replenishing (CR60457)
Previously, the Fast HTTP profile dropped its current connection if the profile needed to replenish the connection pool. With this release, the profile keeps the connection.

GnuPG vulnerabilities resolved (CR60644)
We have removed certain security vulnerabilities in GnuPG in this release.

Initscripts vulnerability removed (CR60654)
The system now handles initscripts in a way that removes a security vulnerability from the system.

/var/log/daemon.log now rotates correctly (CR60712)
In earlier releases, the daemon.log file would not rotate as expected. This log file now rotates when necessary.

PVAD detects lockup and resets chip (CR60725)
In a previous release, the PVAD could suspend operations when the LBDB locked up. In this release, the PVAD now detects the lockup and resets itself to resume operations.

bigpipe profile commands now operational (CR60739)
Previously, the following bigpipe commands did not function correctly: bp profile http ramcache max, bp profile http ramcache dump, and bp profile http ramcache reset. These commands now perform as expected.

Cavium device no longer fails after card initialization (CR60832)
In earlier versions, the cavium device could fail after card initialization. In this release, these failures do not occur.

Persist timeout now configurable in dest addr profile (CR60834)
In previous releases, you could not set the persist timeout option in the dest addr profile. This issue has been resolved with this release.

Persist Timeout option now available in dest addr profile (CR60835)
In previous versions, the Persist Timeout option was not available in the dest addr profile. This option is now available.

File descriptor leak fixed for listeners (CR60916)
Previously, instances of the tcpdump command would cause the chmand mechanism to leak file descriptors. When the limit for file descriptors was reached, the command ceased to function. We have removed this leak.

SSL monitor no longer sends inappropriate resets (CR61016)
The SSL monitor only sends resets when instructed to do so.

System no longer crashes with client-connflow. (CR61055)
We have fixed a crash that occurred with client-connflow.

System would hang due to PVA2 (CR61225 and CR62636)
We have fixed a system hang that occurred with PVA2.

Connections no longer stall with large HTTP POST headers (CR61237)
In previous releases, HTTP POST headers greater than 16K would stall connections. The size of HTTP POST headers no longer affects connections.

Auth session timeout no longer shuts down connection (CR61320)
Previously, an auth session (SSL-based) timeout would shut down a connection after 300 seconds. With this release, these timeouts do not end the connection.

PVA2 does not demote virtual servers (CR61452)
In earlier releases, the PVA2 could demote a virtual server using round robin load balancing from FULL to ASSIST. With this release, the PVA2 cannot demote a virtual server in this situation.

RADIUS monitor now accepts long passwords (CR61698)
In previous releases, the RADIUS monitor was restricted to passwords less than 20 characters in length. In this release, the monitor can accept passwords up to 128 characters in length.

Data Channel timeout now configurable (CR61702)
Previously, the value for the data channel timeout was 300 seconds and non-configurable. With this release, the value is user-configurable. Specifically, the timeout value is inherited from the TCP profile.

Removing power from 3400 does not affect system (CR61824)
Previously, if you removed the power cord from the 3400, it would stall at the LCD screen requesting user interaction. With this release, the system does not stall, and allows you to continue configuration changes.

302 redirect does not impact connection synchronization (CR61845)
In earlier releases, a 302 redirect for a POST request could cause data communications to go out of synch on a congested server. 302 redirects do not cause communication to go out of synch with this release.

System timer now more robust (CR61982)
Previously, a timer in the system could become corrupted and cause poor system performance. With this release, the timer is more robust and more resilient to these errors.

Full reboot command now implemented. (CR62068)
In previous versions, there were limited ways in which you could perform a full and complete system reboot. This release introduces the full reboot command, which allows you to reboot the system more efficiently.

OneConnect POST command with large headers now handled correctly (CR62211)
Previously, the system did not correctly handle OneConnect POST commands with headers above 16k. This release handles large headers correctly, eliminating this issue.

Accuracy for calculating CPU idle time improved (CR62281)
The algorithm used to calculate CPU idle-time was enhanced in 9.1.2 for better accuracy. As a result, some operations, such as SSL, may report a different CPU idle-time than with 9.1.1.

Additional HTTP status codes now supported (CR62431)
Previously, the status codes supported in the HTTP::response iRule command were limited to error codes 500 and 501. This command can now accept any HTTP status code.

Software compression no longer fails with small gzip window size (CR62544)
In earlier versions, a small gzip window size could cause an error during software compression. The gzip window size does not cause this error in this release.

SSL peer certificate result code now set (CR62649)
In earlier versions, the system did not always set the SSL peer certificate code in verification. This issue is resolved with this release.

SSL session cache timeout user-configurable. (CR62761)
In previous releases, the SSL session cache timeout was pre-configured to 300 seconds. In this release, you can configure the SSL session cache timeout as needed.

Network failover wait time increased (CR62976)
Previously, a network failover could occur faster than the systems involved could handle. We have increased the network failover wait time to ensure that systems can handle failover events reliably.

Version 9.1.1 features

Added support for Enterprise Manager (CR51185)
This release includes support for the Enterprise Manager product. For more information, please refer to the Enterprise Manager release note.

Added support for MD5-authenticated TCP (RFC2385) for the BGP routing module (CR49972)
The BGP routing module now supports MD5-authenticated TCP as described in RFC2385.

The SNMPClient utility
The SNMPClient utility is a command-line interface to manage SNMP v1 and v2c access records, as well as trap definitions. This utility does not handle SNMP v3 Access records.

Usage:

SNMPClient
    --delete
    --access
        --community <comm_string> --source <ipaddress> --iptype <ipv4 | ipv6>
        --readtype <ro | rw> --oid <oid_string>
    --trap
        --community <comm_string> --destination <ipaddress>
        --port <port> --version <v1 | v2c>
    [--verbose] [--help]

Options:

delete
Deletes the specified trap or access record

When the --access switch is specified, the following options are valid:

  • community
    Specifies the community string (password) for access to the MIB
  • source
    Specifies the source address for access to the MIB
  • iptype
    Indicates whether the access record applies to IPv4/IPv6 (that is, options are either "ipv4" or "ipv6")
  • readtype
    Specifies the user access level to the MIB, that is, options are either "ro" or "rw"
  • oid
    Specifies the current object identifier (OID) for the record

When the --trap switch is specified, the following options are valid:

  • community
    Specifies the community name for the trap destination
  • destination
    Specifies the address for the trap destination
  • port
    Specifies the port for the trap destination
  • version
    Specifies to which SNMP version the trap destination applies, for example, options are either "v1" or "v2c"
  • verbose
    Prints out extra messages -- debug mode
  • help
    Prints out this message

ConfigSync password automatically updated (CR54246)
When you use the passwd command to change a password, the system checks to see if the user is also a ConfigSync user. If so, the system automatically changes the ConfigSync password.

SSL: added support for NULL ciphers (CR51185)
This release includes support for the NULL-MD5 and NULL-SHA ciphers in OpenSSL.

Host name inclusion in F5 Enterprise SNMP traps (CR47226)
F5 Enterprise traps can now include the host name of the trap source.

The bigdb variable TM.TCPAckOnPush and the delayed ACK (CR49975)
The bigdb variable TM.TCPAckOnPush forces the delayed ACK feature to immediately ACK upon receiving a PUSH from the client/server. The default setting for this variable is disable. To enable this variable, type the following command:

b db TM.TCPAckOnPush enable

Version 9.1.1 fixes

Configuration utility: logs display one hour off (CR39674)
We have corrected a problem that caused timestamps in the Configuration utility to be off by one hour during daylight saving months.

Updates to SSL certificate files (CR40677)
If changes are made to an SSL certificate file that is referenced by a Client SSL or Server SSL profile, the BIG-IP system automatically re-loads the changes. Consequently, you no longer need to use the bigstart restart command for the changes to take effect.

Prompting of administrative passwords (CR44290)
The Configuration utility now prompts the user for the correct password after the password has been changed.

L2 forwarding/proxy ARP and original Ethernet frame source address (CR45910)
When in transparent mode, the L2 source addresses of ARP replies are now preserved so that proxy ARP can use them across a non-opaque VLAN group. This provides the ability to support cases where the Layer 2 source address and the Layer 3 sender hardware address differ, for example, if you are using HSRP/VRRP.

Inheritance of default values for child monitors (CR46195)
A child monitor now inherits the correct set of default values from its parent monitor.

Monitor storage when using the Configuration utility (CR46468)
When you use the Configuration utility to create monitors, the system no longer produces an error resulting from the order in which child monitors are stored compared to their parent monitors.

HTTP: 304 responses that have content (CR47663)
If the server sends content with a response such as a 304, which is not supposed to contain content, the system now forwards the response as it was received. This allows SharePoint and NTLM challenge responses to complete.

Using hex in TCP::respond (CR47740)
The TCP::respond command now works with arguments constructed with a binary format.

SSL: SSLv3 and certificate verification (CR47778)
SSLv3 acceleration now works correctly with certificate verification.

Values for the profile persist timeout (CR47893)
The various values for timeouts in a profile persist configuration now function correctly.

Memory leaks in IPv6 neighbor cache (CR48407)
Various memory leaks in the IPv6 neighbor cache's error handling code were corrected.

tcpdump and long VLAN names (CR48659)
VLAN names longer than 15 characters no longer cause improper operation of tcpdump.

PAM module arguments containing spaces or square brackets and escape characters (CR48668)
PAM module arguments containing spaces or square brackets no longer require escape characters.

Response time for multiple and simultaneous SNMP queries (CR48760)
To avoid excessive delay when making simultaneous and identical SNMP queries, you can now configure the number of SNMP objects to be cached in the bigsnmpd service. To configure this number, add the following line into the file /config/snmp/subagents.conf:

cacheObj #obj

The default value for #obj is 4.

Monitors: performance monitors and dynamic ratios (CR48785)
Monitors updating dynamic ratios no longer trigger a configsync recommendation. Synchronizing configuration data in this case is not necessary.

Rate class and system stability (CR48796)
We have corrected a problem where using a rate class could cause system instability.

L7 connection mirroring when a window update is dropped (CR48844)
Layer 7 connection mirroring now functions correctly if a window update is dropped.

big3d stability (CR48889)
We have corrected a problem that caused instability in the big3d.

TMM: HA proxy sending down HUDCTL_TEARDOWN on an established flow (CR49193)
We have corrected several crashing issues in the TMM HA subsystem.

Virtual server status (CR49297)
The status page for an IP forwarding wildcard virtual server now reports status correctly.

Active/standby systems going into the active-active state (CR49401)
Active/standby systems no longer go unintentionally into the active-active state when you remove the medium you are using for failover (wired or network).

Big3d: working with early 4.x 3-DNS systems (CR49431)
The big3d now handles translated addresses and ports correctly when communicating with early 4.x 3-DNS systems.

iRules: UDP traffic with drop and reject commands (CR49442)
UDP traffic is now handled correctly by iRules using the drop and reject commands.

Special characters within user names and passwords (CR49471)
The system now supports the use of special characters within the ConfigSync user name and passwords. The supported characters are:

~!@#$%^&*()-+={[]}|\:;",<>\.?/.

The unsupported characters are:

` '

Certificate chain verification in SSL profiles (CR49528)
An error no longer exists in the certificate-chain verification routine for certain ciphers.

OpenSSL rehandshakes and updating of current cipher status (CR49762)
OpenSSL rehandshakes now update the current cipher status.

L2 forwarding packet flows (CR49812)
We have corrected a problem where L2 forwarding could forward traffic to inactive flows.

ARP and NDP errors and established connections (CR49537)
ARP and NDP errors no longer terminate established connections.

OneConnect transformation error with Proxy-Connection (CR49881)
Due to correction of a OneConnect transformation header error, valid HTTP requests made through a proxy connection are no longer blocked.

Big3d: pool validation (CR49971)
big3d queries to a virtual server now respond correctly if the virtual server references a rule.

OneConnect: Detaching connections for early post responses (CR50025)
The server side connection no longer detaches if the system gets a response from the server but has not received all of the client data.

SSL: using server gated cryptography (SGC) (CR50051)
Server-gated cryptography (SGC) or step-up certificates require that the client initially handshake a weak cipher and then renegotiate with a stronger cipher later in the connection. This requires changing the current cipher in the middle of a connection. The system now supports changing the cipher in the middle of the connection.

Managing a system when a NAT is configured with the management Ip address (CR50081)
You can now manage the system through a NAT with the same Ip address as the management interface.

State of LACP-enabled trunks (CR50206)
LACP-enabled trunks no longer change state after you run the tcpdump utility.

NET-SNMP: a denial of service vulnerability when stream sockets are configured (CR50228)
We have fixed a remote denial-of-service vulnerability for SNMP over stream sockets. Further information can be found at the following URL: Common Vulnerabilities and Exposures.

Autonegotiation with Extreme Summit 48si (CR50361)
We have corrected a problem where under some circumstances (mainly power-up) 1500, 3400, 6400, and 6800 platforms failed to properly autonegotiate with an Extreme Summit 48si switch.

SSL: Graphing and record processing (CR50414)
We have corrected a problem that could cause a graph spin error detected message to display under high traffic load.

TMM: connection mirroring and instability on standby system (CR50435)
We have corrected a problem that caused the standby system to become unstable if you changed a profile to the FastL4 profile while passing traffic.

LACP: switchboard failsafe with heavy management traffic (CR50550)
Heavy management traffic no longer triggers the switchboard failsafe mechanism.

IPv6: neighbor advertisements through the tap (CR50636)
False IPv6 neighbor advertisements are no longer passed through the tap.

Hardware acceleration: accelerating and MAC MASQ (CR50716)
Hardware acceleration now works correctly with MAC masquerading.

RAMcache: cookie handling (CR50770)
The RAMcache now handles cookies correctly.

fastHTTP: HTTP rule from CLIENT_ACCEPTED context may cause system instability (CR50798)
We have corrected a problem where an HTTP rule using the CLIENT_ACCEPTED command could cause the system to become unstable.

Platform interfaces data and the platform ID (CR50978)
Resolves a race condition when MCPd is reading platform interfaces data and prematurely receives an end_platform_id message on a separate TCP connection.

SSL: failed server side certificate could cause system instability (CR50996)
SSL now gracefully handles the situation where the ciphers are compatible, peer cert mode is set, and unclean shutdown is disabled and a certificate fails on the server side.

SNMP: malformed SNMP polling and logging (CR51048)
We have corrected a problem where a malformed SNMP polling request could cause system instability. Rejected SNMP requests are now logged as debug messages to reduce logging volume.

VLAN failsafe and memory (CR51065)
We have corrected a problem that could cause a lack of memory resulting in system instability.

SSL client certificate LDAP and long query filter strings (CR51120)
The SSL client certificate LDAP feature no longer truncates long query filter strings.

Big3d: with ECVs (CR51130)
ECVs now work correctly with big3d.

iRules: contains and matching characters (CR51314)
We have corrected a problem with the contains command where a rule would not match a substring when the first character of the substring occurred twice in succession and the end of the substring was the end of the string. For example, if you were searching for new in asdnnew.
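
The contains fix above (CR51314) is the kind of matcher defect worth keeping a regression input for, since rules that route or block on a substring silently miss traffic when it occurs. The Python sketch below is an added example, not F5 code: the release note gives only the symptom, so flawed_contains is an assumed, classic matcher mistake that misses the note's own case, shown beside a corrected matcher; every function name and sample string other than new and asdnnew is constructed for illustration.

```python
# Added illustration; not F5 code. The cause of CR51314 is not described in
# the release note. flawed_contains models one well-known mistake that fails
# on the note's example ("new" in "asdnnew").


def flawed_contains(haystack: str, needle: str) -> bool:
    """Single-pass matcher that never re-examines a character after a mismatch."""
    if not needle:
        return True
    matched = 0  # number of needle characters matched so far
    for ch in haystack:
        if ch == needle[matched]:
            matched += 1
            if matched == len(needle):
                return True
        else:
            # Defect: the partial match is thrown away, but `ch` itself may
            # start a new match ("n" followed by "n" in "asdnnew").
            matched = 0
    return False


def failure_table(needle: str) -> list:
    """Knuth-Morris-Pratt table: longest proper prefix that is also a suffix."""
    table = [0] * len(needle)
    k = 0
    for i in range(1, len(needle)):
        while k and needle[i] != needle[k]:
            k = table[k - 1]
        if needle[i] == needle[k]:
            k += 1
        table[i] = k
    return table


def contains(haystack: str, needle: str) -> bool:
    """Corrected single-pass matcher: on mismatch, fall back instead of resetting."""
    if not needle:
        return True
    table = failure_table(needle)
    matched = 0
    for ch in haystack:
        while matched and ch != needle[matched]:
            matched = table[matched - 1]
        if ch == needle[matched]:
            matched += 1
            if matched == len(needle):
                return True
    return False


# Constructed regression inputs. The first is the example from the release
# note; the rest probe the same pattern (a repeated or overlapping prefix).
# Note that this assumed defect also misses "asdnnewx", so it is broader than
# the end-of-string condition the note describes.
CASES = [
    ("asdnnew", "new"),
    ("asdnew", "new"),
    ("asdnnewx", "new"),
    ("nnew", "new"),
    ("aab", "ab"),
    ("ababac", "abac"),
    ("asdnnev", "new"),
]


def missed_by_flawed(cases):
    """Return the cases where a real match exists but flawed_contains misses it."""
    return [(h, n) for h, n in cases if n in h and not flawed_contains(h, n)]


if __name__ == "__main__":
    for h, n in CASES:
        print(f"{n!r} in {h!r}: flawed={flawed_contains(h, n)} "
              f"fixed={contains(h, n)}")
```

The same input list can be replayed against any rule that relies on substring matching after an upgrade to confirm the behavior described in the fix.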

MAC masquerade and the standby system (CR51387)
We have corrected a problem where the standby unit was continuing to respond to flows that it created when active, and was continuing to use the MAC masquerade address. This was confusing the upstream switch and causing new traffic to go to the standby unit instead.

SNMP: clients and recalculation of generic status (CR51391)
The system no longer calculates the generic status for node addresses, pool members, pools, virtual addresses, and virtual servers. This reduces overhead on the network.

Sending FastHTTP connections to unresponsive hosts (CR51451)
When using a Fast HTTP profile, connections now time out when sent to an unresponsive host.

Configuration utility: correct display of time (CR51475)
The web-based Configuration utility now displays time correctly.

HTTP: early response and pass-through mode (CR51483)
The system no longer enters pass-through mode if it receives an early response from the server.

ARP advertisements sent for non-local destinations (CR51538)
ARP advertisements are no longer sent out for virtual server addresses that have only a gateway route. Also, advertisements are no longer sent out on VLANs that are disabled.

SSL: Graph spin error and the TMM log (CR51631)
We have corrected a problem that could cause a graph spin error detected message to display. The graph step counter is now reset upon receiving a new record, preventing the graph spin errors generated in /var/log/tmm:
tmm tmm[653]: 01260017:3: internal error: rx_record:930: graph spin detected

When vlan_group_output sends packet, clone the packet if necessary (CR51752)
When sending packets out through member VLANs in a VLAN group, the system always clones the packet except the last time the system sends a packet. Not cloning packets can cause an xbuf corruption.

TMM: improper regular expression compilation (CR51849)
We have corrected a problem that could allow an improper regular expression to destabilize the system in certain situations.

Persist across services (CR52069)
The persist across services now uses a pool member within the pool, not one from a different pool.

TMM: memory usage with profile fastHTTP (CR52146)
We have corrected a memory usage problem when using the fastHTTP profile under heavy load.

TMM: heartbeat on single-CPU platforms (CR52201)
Spurious TMM heartbeat failures on single-CPU platforms, which resulted in an exit with a SIGABRT, have been corrected. This issue did not affect dual-CPU platforms.

SNMP: set up host name for a trap (CR52266)
You can now specify the host name for a trap.

Heavy link up and link down activities (CR52584)
Multiple, simultaneous link up and link down activities no longer cause the system to restart or the interface LED lights to turn off.

iRule string first command (CR52606)
iRules no longer break when using the iRule string first command.

Synchronous software compression drains queue from within the framework (CR52626)
Synchronous software compression drains queue from within the framework, resulting in the same message being dispatched twice.

Use of the drop command in iRules (CR52805)
Using the drop command with the CLIENT_ACCEPTED event in an iRule no longer causes the TMM service to become unavailable.

Mirroring of syncookie secrets on active-active systems (CR52826)
Active-active systems now correctly mirror syncookie secrets from unit 2 to unit 1.

Multiple 3-DNS monitor requests (CR52956)
Problems with multiple monitor requests no longer occur when a 3-DNS system monitors the BIG-IP system.

Log file sizes on the SCCP (CR53029)
Memory allocation problems and full disk errors no longer occur due to the size of SCCP log files.

bcm56xxd remote restart detected - failsafe (CR53030)
The BCM56XXD service is no longer remotely restarted under certain conditions, which caused failsafe to occur.

Custom monitor names (CR53051)
You can now include the string min in the names of custom monitors.

Accounting of RAM Cache storage size (CR53052)
The system now correctly tracks the size of the RAM Cache storage, thereby preventing the RAM cache from becoming unavailable.

Fast L4 profiles and the Reset on Timeout setting (CR53168)
The value of the Fast L4 profile's Reset on Timeout setting is no longer ignored with respect to PVA acceleration.

Active-active state when TMM restarts (CR53172)
We have corrected a problem that could cause an active/standby system to go into the active-active state when the TMM restarted.

Use of the SNMP DCA monitor (CR53307)
The calculations used in the snmp_dca_base utility have been fixed to avoid spurious negative results.

Labeling of New Connections graph in Configuration utility (CR53313)
In the Configuration utility, the detail performance graph New Accepts/Connects, available from the New Connections graph, is now labeled correctly.

PVA2 and ICMP error message erroneously logged (CR53324)
On a system with PVA2, running the tcpdump command no longer generates the message ERR at ../modules/hudproxy/bigproto/pva/pva_frames.c:862: got err 5 from xbuf_pullup.

Support for Step-Up (CR53327)
The system now supports Step-Up (server-gated cryptography).

Logging of parsing failures (CR53394)
Parsing failures are no longer logged to /var/log/ltm.

SSL: bulk encryption and small MTUs (CR53425)
We have corrected an issue with bulk SSL encryption and small MTUs.

Remote user accounts and setting passwords (CR53525)
Users with remote authentication accounts and CLI access can no longer set local passwords on the BIG-IP system.

Passing MSTP traffic on instances other than instance 0 (CR53536)
Multiple Spanning Tree Protocol (MSTP) can now pass internal traffic on instances other than instance 0.

Apache vulnerability (CR53547)
The version of Apache in the BIG-IP system has been upgraded to remove an Apache vulnerability and thus prevent a denial of service attack. For more information on this Apache vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728.

Installation system for Enterprise Management compatibility (CR53548)
The BIG-IP version 9.2 installation system has been merged into version 9.1.2 for Enterprise Management compatibility.

System performance when running the bigpipe config save command (CR53550)
The time required to run a bigpipe config save is substantially decreased for large configurations.

Honoring baud rates (CR53603)
The PXE kernel, Host, and SCCP now honor user-set baud rates.

Memory usage on standby unit (CR53604)
Standby unit no longer leaks packets when an ARP entry needs to be refreshed.

Querying for VAs by tmrouted service (CR53612)
The tmrouted service now gets up-to-date status when querying for VAs.

Saving STP configurations (CR53627)
The Configuration utility now saves Spanning Tree Protocol (STP) configurations correctly.

pvad service failure (CR53669)
The system now checks the global acceleration value, to avoid failure of the pvad service.

PCRE vulnerability (CR53673)
The system is no longer subject to a Perl Compatible Regular Expressions (PCRE) vulnerability. For more information on this vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491.

Bcm56xxd service causing traffic loops (CR53690)
Shutting down the bcm56xxd service now stops all layer 2 traffic to avoid potential bridging loops.

pvad service failure (CR53750)
The pvad service no longer fails with certain types of profiles, pools, or virtual servers.

Reset of virtual server statistics (CR53778)
Resetting statistics for virtual servers that use ephemeral listeners now produces expected results.

Load balancing requests after an HTTP/1.1 304 response (CR53841)
HTTP/1.0 clients that receive an HTTP/1.1 304 Not Modified response now detach from the server side connections, allowing subsequent requests to be load balanced to the correct pool.

HTTP Redirect Rewrite feature (CR53844)
Using the Redirect Rewrite feature of an HTTP profile no longer causes the TMM service to fail.

Incorrect generation of SNMP indices (CR53847)
Use of the snmpwalk command now generates the correct ipAdEntIfIndex indices.

Handling of IP snoop packets (CR53860)
The system no longer logs an error regarding IP snoop packets. Instead, the TMM service silently discards those packets.

RAMcache: DoS attack messages on LCD (CR53971)
We have corrected a problem with the RAMcache feature that could cause the system to display DoS attack messages on the LCD panel.

HTTP compression statistics (CR53985)
In the Configuration utility, HTTP statistics for compression are no longer hidden.

Sending factory values to 3-DNS (CR53988)
big3dshim now sends back current factory values to 3-DNS.

Redirect rewrite feature and port specifications (CR53989)
The Redirect Rewrite feature now removes port specifications from HTTP Location headers.

Changing ciphers mid-connection (CR53991)
The system now rewrites the cipher-selection portion of the OpenSSL utility's shim layer.

TMM service and malformed Cache-Control headers (CR53994)
The TMM service no longer fails when it receives a curl request with a malformed Cache-Control header.

RAMcache: DoS attack messages on LCD (CR54321)
We have corrected a problem with the RAMcache feature that could cause the system to display DoS attack messages on the LCD panel.

Node unavailability (CR49744)
The INVALID flag is now set and unset correctly, preventing nodes from being unavailable.

Delay added for failover (CR54001)
For certain platforms, a delay has been added to account for a serial-line assertion when the system is powered up.

HUDEVT_EOF support in stream profile (CR54003)
The Stream profile includes support for an HUDEVT_EOF event.

TMM service becomes unavailable (CR54004)
The TMM service no longer becomes unavailable when a wide traffic profile is assigned to a virtual server.

SSL: system destabilization while handling CertificateVerify message (CR52250)
We have corrected a problem that could destabilize the system while handling a CertificateVerify message.

CPU cycles and the big3d (CR53662)
Internal database lookups for IP addresses have been made significantly more efficient. This significantly reduced the mcpd CPU utilization when queried by big3d.

Virtual servers referencing multiple iRules (CR53976)
The system no longer experiences problems when a virtual server references more than one iRule.

Trunks and system reboot (CR54006)
A system reboot no longer fails after creating trunks.

ConfigSync failure with bad error codes (CR54048)
Configuration synchronization no longer fails and the system no longer displays bad error codes when performing a configuration synchronization.

Cavium-offloaded SSL requests and low memory (CR54055)
Cavium-offloaded SSL requests no longer cause the TMM service to fail when memory is low.

Modification of RAM Cache settings (CR54071)
The TMM service no longer fails after modifying RAM Cache settings in an HTTP profile.

Bootup message (CR54133)
The message md5sum: /etc/ssh/ssh_host_key: No such file or directory no longer appears when booting the system.

Internal link state and the 3400 platform (CR54258)
Link state changes on unpopulated internal link could cause bcm56xxd on a 3400 to core dump.

Header terminators in HTTP responses (CR54265)
The BIG-IP system now performs header insertion properly when an HTTP response contains more than one type of header terminator.

Line-rate traffic through management interface (CR54471)
Line-rate traffic that goes through the management interface no longer becomes corrupted.

SNMP: snmpd service response to SNMP queries (CR54531)
Cached SNMP query results are now accounted for properly, ensuring that multiple, quick requests for the same OID are handled correctly.

Log message from SNMP (CR54535)
When using SNMP, the following log message no longer occurs: Maximum packet size exceeded in a request. or Received broken packet. Closing session.

RX receive queue in the BCM56XXD service (CR54536)
The bcm56xxd was modified to properly manage concurrent write access to the receive queue.

Potential memory corruption with non-cookie persistence (CR54728)
Memory no longer becomes corrupted when non-cookie persistence frees a pool, after switching pools within a connection.

Overlapping trap numbers (CR54731)
SNMP trap IDs in version 9.X no longer overlap with trap IDs in version 4.X.

Cleartext passwords for LDAP remote authentication (CR54732)
The Configuration utility no longer displays cleartext passwords for LDAP authentication. The LDAP-related authentication screens now display asterisks in place of an actual password.

Fast L4 feature and checksums (CR54740)
When the offloading of hardware checksums is enabled, the Fast L4 feature no longer corrects bad checksums.

Switchboard failsafe due to interrupts being disabled (CR54740)
Interrupts are no longer permanently disabled. This prevents switchboard failsafe from occurring.

LINK::qos and IP::tos iRule commands (CR54791)
The LINK::qos and IP::tos iRule commands now function correctly.

Interrupts causing unwanted switchboard failsafe events (CR54819)
We have corrected an infrequent problem where a race condition of interrupt signals to the bcm56xxd could permanently disable interrupts, causing a switchboard failsafe event.

Response of TMM service (CR55011)
For systems with a BCM crypto card, the TMM service no longer either receives a SIGABORT message or becomes unresponsive.

OpenSSL update (CR55070)
In response to various security advisories, we have updated the critical portions of OpenSSL to sources from version 0.9.7i. The output generated by the command openssl version was not updated.

The switchboot utility is forward-compatible (CR55177)
The Switchboot utility is now forward-compatible.

Memory leaks with Client SSL profiles (CR55200)
Use of a Client SSL profile no longer causes memory leaks.

tcp_half_open monitor accessing nodes through gateways (CR55337)
The tcp_half_open monitor can now monitor a node that is accessed through a gateway.

Non-SSL connections configured on Client SSL profile (CR55342)
Enabling the Non-SSL Connections setting on a Client SSL profile no longer causes the system to become unavailable.

Non-matching arguments for installation scripts (CR55415)
Configuration synchronization no longer fails due to UCS installation arguments not matching im script arguments. The arguments for the two scripts now match.

Effect of wildcard virtual servers on unmatched packets (CR55456)
When the virtual server is a wildcard virtual server, the system now handles unmatched packets correctly.

Clearing settings for a discontinued installation (CR55490)
When you discontinue an installation prior to completion and re-run the script, all previously-specified settings are now cleared.

String replacement with iRule commands (CR55530)
String replacement using certain iRule commands (such as TCP::payload replace) no longer truncates the data.

Timezone shifts during upgrade from version 4.X (CR55557)
During an upgrade from version 4.X, the system now shifts the clock correctly for more timezones.

Auditing function during installation (CR55591)
Auditing during installation no longer generates an error message.

Serving installation images using HTTP (CR55640)
The PXE install program is now able to serve the installation image using HTTP.

bigpipe config sync command (CR55729)
The bigpipe config sync command no longer generates a too many arguments error.

New certificate for server-side SSL authentication (CR55758)
For server-side SSL authentication, the ca-bundle.crt file now includes an additional certificate, which is from a new VeriSign intermediate certificate authority (CA).

bigstart utility failure due to incorrect dates (CR55883)
After an upgrade, the bigstart utility no longer fails due to incorrect dates on newly-installed files.

Memory leak when changing an SSL profile (CR55966)
Modifying the configuration of an SSL profile no longer causes a memory leak.

bigstart restart command and multiple bcm56xxd services (CR56138)
Running multiple bcm56xxd services in the foreground no longer causes the bigstart restart command to fail.

IPv6: neighbor cache entries (CR56199)
IPv6 neighbor cache entries now use 64-bit timers to prevent wrapping issues that may cause the neighbor cache to fill until the TMM is restarted.

Reusing existing server-side connections (CR56215)
Issuing the iRule command HTTP::disable to reuse an existing server-side connection no longer causes TMM problems.

session lookup command in iRules (CR56247)
The iRule command to look up a session now returns a value.

Upgrade of version 4.x configuration data (CR56252)
Upgrading configuration data from version 4.x now works correctly.

iRules session command (CR56253)
The iRules session command now works correctly when specifying a pool.

Switching from local time to UTC time (CR56247)
The hardware switch clock now adjusts from local time to UTC time when an NTP server is added.

FIPS installation (CR56321)
The FIPS packages are now installed correctly on the 6400 platform.

Error message after loading SSL certificate (CR56410)
After loading a UCS file with SSL certificates, the system no longer displays the message Re-starting tmm ever five seconds.

Memory allocation when validating SNAT addresses (CR56590)
Validation of a SNAT original address no longer causes excessive memory allocation.

Size of records sent to a NITROX device (CR56753)
For records being sent to a NITROX device, the boundary for record sizes is now the NITROX device's upper limit, rather than an explicit 16K value. Consequently, the NITROX device no longer hangs indefinitely.

Authentication of ConfigSync users (CR56758)
For ConfigSync users with remote RADIUS accounts, the system is now able to successfully authenticate their accounts.

Version 9.1 fixes

CR Solution Description
CR39626 SOL4772 BIG-IP may become unresponsive after switchboard failsafe is triggered
CR44500 SOL4760 When you disable NAT on a pool, SNAT is also disabled
CR44559 SOL4686 SNMP access methods may not be completely removed
CR44820 SOL4731 After SCCP upgrade, BIG-IP may not shut down cleanly
CR45071 SOL4742 TMM may restart when BIG-IP is subjected to the immediate creation of many connections
CR45173 SOL4732 Host system SSH keys are restored when a UCS archive is restored
CR45279 SOL4754 All idle SNAT connections time out at 300 seconds, regardless of the specified timeout
CR45539 SOL4734 slow_ramp does not work correctly with ratio load balancing
CR45693 SOL4604 It is not possible to disable VLAN keyed connections
CR45694 SOL4604 It is not possible to disable VLAN keyed connections
CR45918 SOL4732 Host system SSH keys are restored when a UCS archive is restored
CR45984 SOL4733 The system may fail to start after upgrade if the system time was set in the past
CR46110 SOL4734 slow_ramp does not work correctly with ratio load balancing
CR46186 SOL4604 It is not possible to disable VLAN keyed connections
CR46190 SOL4534 SNMP traps and LEDs are not triggered by node status changes
CR46460 SOL4735 Radius authentication does not send Calling Station ID or NAS IP Address
CR46662 SOL4736 Connections through a network virtual server cannot be mirrored
CR46721 SOL4737 Connection and Content-length headers may be omitted when compression is enabled
CR46756 SOL4738 TMM may crash when redirect rewrites are enabled
CR46771 SOL4740 When VLAN failsafe is used on multiple VLANs, the wrong source address may be used
CR46798 SOL4741 TMM may crash under extreme load when receiving retransmitted acknowledgements
CR46827 SOL4742 TMM may restart when BIG-IP is subjected to the immediate creation of many connections
CR46832 SOL4743 Some versions of BIG-IP are vulnerable to VU#637934
CR46833 SOL4743 Some versions of BIG-IP are vulnerable to VU#637934
CR46834 SOL4743 Some versions of BIG-IP are vulnerable to VU#637934
CR46839 SOL4748 SNMP can still be accessed using the public community string, after changing it
CR46841 SOL4749 The config sync process may fail if the admin password contains the @ sign
CR46843 SOL4736 Connections through a network virtual server cannot be mirrored
CR46855 SOL4751 The Configuration utility may fail to display objects due to an MCP failure
CR46904 SOL4752 When using redirect rewrites, BIG-IP matches URLs exactly as specified
CR46944 SOL4754 All idle SNAT connections time out at 300 seconds, regardless of the specified timeout
CR47050 SOL4756 Trunks will not pass traffic if added to both tagged and untagged VLANs
CR47051 SOL4757 When redundant trunks are used with RSTP, all links may be blocked
CR47052 SOL4759 Trunks that include interfaces 1.1 through 1.8 may fail on BIG-IP 6400s and 6800s
CR47066 SOL4760 When you disable NAT on a pool, SNAT is also disabled
CR47181 SOL4761 Health monitors may not mark nodes down precisely when retransmitting TCP segments
CR47185 SOL4762 Link loss may not be detected when the cable is removed from an SFP fiber port
CR47187 SOL4763 BIG-IP cannot detect SFP modules in ports 2.3 and 2.4
CR47188 SOL4764 Virtual server LDAP sessions from the same may all fail if any one fails
CR47227 SOL4765 When BIG-IP is configured with a trunk included in STP, bcm56xxd may behave strangely
CR47228 SOL4766 TMM may crash if it parses a cookie that contains an invalid value
CR47230 SOL4765 When BIG-IP is configured with a trunk included in STP, bcm56xxd may behave strangely
CR47280 SOL4767 The use snat directive does not work within an LB_SELECTED event
CR47292 SOL4773 The system date and time may be incorrect on the SCCP
CR47305 SOL4769 The bigpipe commands to change STP interface and trunk path costs do not work
CR47318 SOL4770 BIG-IP does not flush stale entries from all ARL tables when STP topology changes
CR47366 SOL4771 Active FTP connections do not work through a SNAT
CR47416 SOL4772 BIG-IP may become unresponsive after switchboard failsafe is triggered
CR47470 SOL4773 The system date and time may be incorrect on the SCCP
CR47523 SOL4774 Oracle and MS SQL health monitors may mark nodes down incorrectly
CR47609 SOL4776 Sessions hang when FastHTTP profile is used and the node doesn't allow keep-alives
CR47631 SOL4777 Connection mirroring does not work reliably
CR47676 SOL4778 Source MAC addresses are incorrectly preserved for inter-VLAN traffic
CR47681 SOL4779 Large numbers of new, concurrent SSL sessions may lead to SSL handshake failures
CR47690 SOL4769 The bigpipe commands to change STP interface and trunk path costs do not work
CR47714 SOL4790 System crashes, hangs, and reboots that were fixed in this release
CR47748 SOL4781 Incorrect data returned by big3dshim could cause 3-DNS 4.x systems to crash
CR47750 SOL4749 The config sync process may fail if the admin password contains the @ sign
CR47851 SOL4782 BIG-IP does not differentiate multiple destinations for ICMP gateway checks
CR47890 SOL4785 SSL connections may fail when client and node MSS do not match
CR47919 SOL4787 When an interface belongs to two VLANs, deleting either will remove it from both
CR47969 SOL4786 Routes on the standby are not disabled when using RHI
CR47980 SOL4788 The debug TMM may crash when processing significantly fragmented packets
CR48073 SOL4778 Source MAC addresses are incorrectly preserved for inter-VLAN traffic
CR48097 SOL4790 TMM will crash and restart when the substr directive is used in a rule
CR48119 SOL4791 BIG-IP may expire a permanent license installed after an evaluation license
CR48155 SOL4780 BIG-IP may crash when a buffered connection is subsequently aborted
CR48171 SOL4780 BIG-IP may crash when a buffered connection is subsequently aborted
CR48211 SOL4735 Radius authentication does not send Calling Station ID or NAS IP Address
CR48342 SOL4780 BIG-IP may crash when a buffered connection is subsequently aborted
CR48454 SOL4794 Connections through a non-translating virtual server cannot be mirrored
CR48478 SOL4795 The sequence {} cannot be used in a rule
CR49030 SOL4780 TMM may crash and restart due to internal buffer corruption

Features and fixes from previous releases

The current release includes the features and fixes that were distributed in prior releases, as listed below. (Prior releases are listed with the most recent first.)

Version 9.0.5

Configuring encrypted remote logging
This version of the BIG-IP software includes a new version of system logging software named syslog-ng. You can configure syslog-ng to send BIG-IP system log information to a remote logging host using an encrypted network connection. To implement this configuration, please refer to Configuring Encrypted Remote Logging. To activate this feature, you must re-activate the software license on the BIG-IP system. To re-activate the license on the system, see Re-activating the license on the BIG-IP system.

Understanding RAM Caching
The RAM Cache feature is now available in the BIG-IP system. This feature is available as a module that you can purchase for the BIG-IP system. A RAM cache is a cache of HTTP objects stored in the BIG-IP system's RAM that are reused by subsequent connections to reduce the amount of load on the back-end servers. To implement this configuration, please refer to Understanding RAM Caching. To activate this feature, you must purchase a license key for the BIG-IP system. For more information about obtaining a license key, contact your F5 Networks Sales Representative.

SNMP MIB updates
This release includes SNMP OID updates related to new functionality. See the solution, SOL4447: Have any new OIDs been added to BIG-IP since the release of version 9.0?.

Introducing the Application Accelerator product
This release includes a new product called the Application Accelerator. The Application Accelerator is designed to provide key features for accelerating application traffic at a lower price than the full BIG-IP version 9.0 system. For details about the features included in the Application Accelerator, see SOL4452: What is the BIG-IP Application Accelerator?.

Version 9.0.5 fixes

TMM and bcm56xxd daemon and passing large amounts of traffic (CR45043)
Passing large amounts of traffic while running ssldump no longer causes the TMM and bcm56xxd daemon to restart.

SACK segments and the TCP stack (CR45686)
The BIG-IP system TCP stack now handles corrupt SACK packets correctly.

Upgrading a version 9.0.2 configuration with priority groups to version 9.0.5 (CR44058)
Version 9.0.5 now supports upgrading configurations containing priority groups without adding the min up members enable setting. Previously this setting was required when upgrading from version 9.0.2 to version 9.0.3 or version 9.0.4.

Loading monitors that get defaults from another monitor (CR46195)
Monitors that get their default values from a parent monitor now load the default values from the parent monitor correctly.

ICMP error messages from BIG-IP (CR46385)
An ICMP ECHO traceroute now works correctly through the BIG-IP system.

Serverssl session reuse (CR46391)
We have added Server SSL session reuse in this release.

big3d and SNMP probing (CR46403)
You can now use SNMP probing with the version of big3d on version 9.x.

Need to properly propagate MTU changes (CR46556)
The correct source address is set for ICMP packets destined for the host. If it is not destined for the host, the packet is dropped.

System can now perform Route Health Injection (RHI) (CR34067)
The system can now query the status of a virtual address. If the status is up, then the Advanced Routing Modules can advertise a route to the virtual address. Note that this functionality is available only if the Routing Modules bundle is licensed on your system.

Changing the system time zone in the Configuration utility and logging time stamps (CR41149)
When you change the time zone for the system on the System: General properties screen, the log file entries now reflect the updated time immediately.

SSL client certificate LDAP authentication and using uppercase letters (CR41295)
In the Authentication profile for SSL client certificate LDAP authentication, the name of the profile is no longer case-sensitive.

Excessive Config Sync peer updated log messages (CR42332)
If you enable the Audit log options, and you have a redundant system, the system no longer generates an excessive amount of log messages related to the Config Sync process.

Configuration utility: Displaying virtual servers that use port 32768 or higher (CR42343)
The Configuration utility can now display virtual servers configured to listen on port 32768 or higher.

Explaining the :: notation (CR42431)
The online help for the redundancy settings has been updated to explain that the :: notation represents the IPv6 shorthand for all IP addresses. If you are configuring a redundant system, you must remove the ::, and replace it with a valid IP address.

MSRDP persistence for session directories bypasses load-balancing (CR42851)
The system now properly load balances session directory MSRDP persistence connections.

Using the tcpdump utility and VLANs with trunks (CR42908)
The tcpdump utility now properly reports traffic when you run the utility on a VLAN that has a trunk configured.

The bigpipe route command and self IP link routes (CR42981)
The b route <self_ip address> show command now displays the route for the self IP address, and you no longer see an Object not found error.

Remote authentication and the admin, root, and support users (CR43065)
We have restricted the admin, root, and support user accounts to have local authentication permissions only. You can no longer use these accounts over a remote connection.

Configuration utility: SSL Certificates screens (CR43155)
We have redesigned the SSL Certificates screens to make it easier to import and update SSL certificates.

Archiving SSL keys and certificates (CR43166)
When you are creating an archive (.tgz) file for SSL keys and certificates, if you do not type a name for the archive file, the system now generates an error.

Adding users from the command line (CR43250)
We have added the f5adduser command, which you can use to add users to the configuration from the command line. Previously, you could add users only using the Configuration utility.

Creating a read-only external data group (class) (CR43305)
You now can create an external data group (class) that has read-only access permissions.

Disabled interface continues to pass traffic (CR43355)
Disabled interfaces no longer pass traffic.

Using certain illegal characters in certificate names (CR43365)
When you create an SSL certificate, you can use certain special characters, and are warned when you use an illegal character. The system now warns you when you try to use an open or close parenthesis character ( or ), which are illegal characters. Previously, the system did not generate a warning for these particular characters.

The radvd utility and VLAN names with underscores and dashes (CR43654)
You can now specify VLAN names that contain underscores or dashes in the route advertisement (radvd) utility.

The bigpipe persist show command and the MSRDP persistence type (CR43699)
When you use the b persist show command to view persistent connections, the command now correctly lists the msrdp persistence type as uie.

Using IPv6 addresses and running ConfigSync (CR43832)
Config Sync now supports IPv6 addresses for ConfigSync communications.

SNMP UDP packets that arrive on the management port exit through a self IP on the system (CR43869)
We have corrected underlying architecture issues that prevented SNMP UDP packets from returning to the correct requesting address.

Authenticating the system (CR43891)
When the system is in the authentication phase, it no longer creates an erroneous PAM symlink, which was causing the system to effectively prevent all user access.

Gateway ICMP monitor and transparency setting (CR44039)
The Gateway ICMP monitor now has a transparency setting. Enable this setting when you are monitoring objects through a firewall.

System error on standby unit during a mirrored telnet session (CR44119)
The standby unit in a redundant system no longer experiences fatal system errors when the system is using a mirrored Telnet session.

Upgrading with an IM upgrade package and statistics on platforms with CompactFlash® drives only (CR44194)
The location for the statsd utility backup data files changed in version 9.0.3. When you upgrade the system from version 9.0.2 to version 9.0.5 using the IM upgrade process, the system no longer generates error logs and the statistics in the Configuration utility no longer become unusable. This happened on platforms that contain a CompactFlash® drive only (no disk drive).

The bigstart add ntpd command and starting the ntpd utility (CR44221)
When you run the bigstart add ntpd command, the system now correctly starts the ntpd utility at system start time.

Online help for Interface Mirroring screen (CR44492)
In the Configuration utility, the Interfaces > Interface Mirroring screen now has online help available.

Terminating connections after an error is received (CR44704)
The system now correctly continues to reap expired connections even when it receives an error when terminating an individual flow.

Persistent TCP connections now handled properly (CR44792)
The system no longer attempts to send ACKs for existing persistent connections.

The big3d agent and corrupting translated addresses (CR44804)
3-DNS Controllers running version 4.X software no longer report an incorrect status for the virtual servers on a BIG-IP Local Traffic Manager version 9.X. This issue occurred because the big3d agent on the 3-DNS Controller was mishandling translated addresses from the BIG-IP system.

The big3d agent and gateway status probes (CR44805)
The big3d agent on 3-DNS Controllers running version 4.X software no longer changes gateway status probes into gateway probes.

Advertising CA list for acceptable client certificates (CR44834)
The system now properly advertises the certificate authority (CA) list, in the clientcertca file, for acceptable client certificates.

No valid configuration to save error messages during IM upgrade process (CR44854)
When you upgrade the software using the IM package, the system no longer generates the following error message:
BIGpipe: 010a0033:3: There is no valid configuration to save.

Key files that contain corrupt data and system errors (CR44916)
The system no longer experiences fatal errors if it tries to process key files that contain invalid or corrupt data.

Configuration utility and transparency for the gateway ICMP monitor (CR44956)
In the Configuration utility, the gateway ICMP monitor now includes a transparency setting. Use this setting when you are configuring communications through a firewall.

HTTP profiles and early server CLOSE packets (CR45004)
The system now properly sends HTTP headers to the client if the server closes the connection before it sends any of the HTTP payload.

VLAN names of 16 characters are truncated on the host side to 15 characters (CR45062)
The system host no longer truncates 16-character VLAN names to 15 characters.

Existing ICMP flow accepts the wrong identifier (CR45072)
The system now correctly maps ICMP flow identifiers to the right ICMP flow. It was previously mapping the identifiers to incorrect flows, which was causing ICMP pings to drop inappropriately.

SNMP and administrative address in traps (CR45182)
When the system sends an SNMP trap, it now configures the administrative address as a local host address.

Gateway pool members and overlapping routes (CR45213)
The system now properly checks for pools that contain members that use an address which is also the default route for the pool. This is not a valid configuration, and the system now rejects the configuration.

Extra CR/LF in HTTP response caused connection to terminate (CR45215)
When an HTTP response contains an extra carriage return/line feed (CR/LF), the system no longer erroneously terminates the connection.

Creating a wildcard IPv6 virtual server prevents creation of other virtual servers (CR45226)
Creating a wildcard IPv6 virtual server (any6:any) no longer prevents you from creating additional virtual servers.

Enhancements to SNATs and NATs (CR45279, 45345)
We have made several enhancements and fixes to NATs and SNATs, as follows:

  • NATs are no longer timing out, and the system no longer tracks the TCP state for NATs. This ensures that NATs are now stateless.
  • SNATs are no longer using the incorrect idle timeout if you have configured an idle timeout that is longer than the default 300 seconds.
  • On a pool, if you disable the Use NAT option, this action no longer disables the Use SNAT option, too.

Misleading error messages on 4.X 3-DNS Controllers managing 9.X systems (CR45293)
We have fixed a timing error that was generating the following error messages in the /var/log/3dns directory on 4.X 3-DNS Controllers that have 9.X systems in the configuration:

3dnsd: CFG:host_vs_put: could not find vs object
3dnsd: CFG:checkResources: Insufficient prober resources at <ip_address>. Can not dynamically increase the factory count as the maximum of 255 has been reached.:iqmaster.c:186

IPv4 default routes from ZebOS (CR45294)
The routing process now correctly handles IPv4 default routes generated by the Advanced Routing Modules (ZebOS).

WAP monitor and acceptable input for < RECEIVE string (CR45361)
The WAP monitor no longer erroneously accepts stderr data from the fakewap utility as input for an < RECEIVE string.

WAP monitor and upgraded fakewap utility (CR45362)
The fakewap utility, from kannel.org, has been upgraded to the gateway-1.4.0 version.

Slow ramp time and the Ratio load balancing mode (CR45531, 45539)
The slow ramp time setting now works correctly when you are using the Ratio load balancing mode.

Cookie persistence not updated when load-balanced to a new node (CR45628)
The system now correctly updates the cookie persistence entry when the connection is directed to a new node.

Modifying an iRule referenced by a profile and fatal system errors (CR45681)
When you modify an iRule that is referenced by a profile, the system no longer experiences fatal errors.

Monitors enabled on specific VLANs and reporting incorrect node status (CR45710)
When you enable a monitor on a specific VLAN, the system no longer reports the incorrect node status. Additionally, the monitor traffic is now properly restricted to the VLAN that you select.

Forwarding virtual server and the Packet Velocity ASIC (CR45806)
The Packet Velocity ASIC no longer restarts continuously when you have a forwarding virtual server configured.

Saving UCS files and excluding private keys (CR45854)
We have added a new command, bigpipe config support save <file_name>, which you can use to save a UCS configuration file that does not contain your system's private keys. This command is best used when you need to send a configuration file to Technical Support. Note that because this command removes the private keys, you cannot restore a UCS file created with this command. Use the bigpipe config save command if you need to create a UCS file that will be restored at some point.

Proxy ARP and overriding the ethernet frame source address (CR45909)
We have added a new bigdb variable, Arp.proxyArpUsesSelfMac, that causes all proxied ARP packets to have the ethernet frame source address rewritten with the egress MAC address of the VLAN. The default setting for this variable is disabled. If you enable the new variable, this resolves an issue with using VRRP/HSRP in a VLAN group configuration, where a multicast ARP sender hardware address would otherwise be used as the Ethernet frame source address and be blocked by the switch.

Launching a process or sending an email with log messages (CR43698)
Added the ability to launch a process or send a log message in an email. To create a configuration that launches an email, you must configure the /etc/syslog-ng/syslog-ng.conf file. This configuration file contains the following settings.

  • filter
    The filter section of the configuration file matches the log messages that have a priority level of debug.

  • destination
    The destination section executes /usr/sbin/log2mail (a binary supplied by F5 Networks) by passing it the email address you want to use as the destination for the log messages.

  • log
    The log section of the configuration file simply combines the configuration parameters together.

This is an example of a configuration in the /etc/syslog-ng/syslog-ng.conf file. Type the destination email address for <your e-mail address>.

filter f_maildebug {
   level(debug);
};
destination d_maillog {
   program("/usr/sbin/log2mail <your e-mail address>");
};
log {
   source(local);
   filter(f_maildebug);
   destination(d_maillog);
};

Node and service messages and SNMP alerts (CR44436)
The BIG-IP system does not trigger node up/down and service up/down alerts on the following events:

Feb 28 09:22:23 fs27lbe000 bigd: 01060002:4: Node address detected UP for 3ffe:81cc:630:2::b monitor icmp.
Feb 28 09:23:09 fs27lbe000 bigd: 01060002:4: Node address detected DOWN for 3ffe:81cc:630:2::b monitor icmp.
Feb 28 09:23:14 fs27lbe000 bigd: 01060001:4: Service detected DOWN for 3ffe:81cc:630:2::b:80 monitor tcp.
Feb 28 09:23:53 fs27lbe000 bigd: 01060001:4: Service detected UP for 3ffe:81cc:630:2::b:80 monitor tcp.

If you want to generate alerts for these events, you must configure custom alerts. For information about configuring custom alerts, contact an F5 Networks support representative.
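
Any custom handling of these events starts with recognizing the messages. The following is an added example, not F5 code: a Python parser for the four bigd lines quoted above that separates the IPv6 address from the service port and reports which targets are currently down. The names parse_line and currently_down and the unrelated sshd line are constructed for illustration, and the UP/DOWN match is case-insensitive.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional, Tuple

# The four bigd messages quoted in this release note (CR44436), plus one
# constructed, unrelated line that the parser must ignore.
SAMPLE_LINES = [
    "Feb 28 09:22:23 fs27lbe000 bigd: 01060002:4: Node address detected UP for 3ffe:81cc:630:2::b monitor icmp.",
    "Feb 28 09:23:09 fs27lbe000 bigd: 01060002:4: Node address detected DOWN for 3ffe:81cc:630:2::b monitor icmp.",
    "Feb 28 09:23:14 fs27lbe000 bigd: 01060001:4: Service detected DOWN for 3ffe:81cc:630:2::b:80 monitor tcp.",
    "Feb 28 09:23:53 fs27lbe000 bigd: 01060001:4: Service detected UP for 3ffe:81cc:630:2::b:80 monitor tcp.",
    "Feb 28 09:24:00 fs27lbe000 sshd: constructed example line",
]

BIGD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+bigd:\s+"
    r"(?P<msgid>0106000[12]):\d:\s+"
    r"(?P<kind>Node address|Service)\s+detected\s+(?P<state>UP|DOWN)\s+for\s+"
    r"(?P<target>\S+)\s+monitor\s+(?P<monitor>\S+?)\.?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class MonitorEvent:
    timestamp: str
    host: str
    kind: str             # "node" or "service"
    state: str            # "UP" or "DOWN"
    address: str          # normalized IPv4/IPv6 address
    port: Optional[int]   # None for node-address events
    monitor: str


def parse_line(line: str) -> Optional[MonitorEvent]:
    """Return a MonitorEvent for a bigd node/service message, else None."""
    m = BIGD_RE.match(line.strip())
    if m is None:
        return None
    kind = "node" if m["kind"].lower().startswith("node") else "service"
    target, port = m["target"], None
    if kind == "service":
        # A service target is <address>:<port>. With an IPv6 address the
        # port is whatever follows the LAST colon, so split from the right.
        target, _, port_text = target.rpartition(":")
        if not port_text.isdigit() or not 0 < int(port_text) <= 65535:
            return None
        port = int(port_text)
    try:
        address = str(ip_address(target))
    except ValueError:
        return None  # malformed address: do not alert on garbage
    return MonitorEvent(m["ts"], m["host"], kind, m["state"].upper(),
                        address, port, m["monitor"])


def currently_down(lines: Iterable[str]) -> List[Tuple[str, Optional[int]]]:
    """Replay the log in order and return the targets whose last state is DOWN."""
    last_state = {}
    for event in filter(None, map(parse_line, lines)):
        last_state[(event.address, event.port)] = event.state
    return [target for target, state in last_state.items() if state == "DOWN"]


if __name__ == "__main__":
    for target in currently_down(SAMPLE_LINES):
        print("DOWN:", target)
```
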

Version 9.0.4

Configuring the BIG-IP system to respond to ARPs from multicast MAC addresses
In certain cases, the BIG-IP system ignores ARP requests from certain firewalls. When configured as a cluster, some firewalls use a multicast MAC address as their source address. The BIG-IP system does not answer ARP requests from multicast MAC addresses. A new feature in this release provides the ability to configure the BIG-IP system to answer ARPs with multicast source addresses. To enable this feature, set the following bigdb key:

bigpipe db TM.AllowEthernetSourceType unicast-multicast

UDP datagram by datagram load balancing (CR40787)
Normally, the BIG-IP system treats UDP packets coming from the same IP address and port as part of a connection and sends those packets to the same node as long as the connection lives. In some cases, it is preferable to ensure packet-by-packet UDP load balancing.

You can now configure the BIG-IP system to accept these packets. To enable this feature, add the parameter datagram lb enable to the UDP profile.

To configure datagram by datagram load balancing

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The Profiles screen opens.
  3. Click the UDP profile you want to configure.
  4. For Datagram LB, check the box.
  5. Click Finished.

SSL version 2 connections to Virtual Servers with clientssl profiles (CR42211)
SSL virtual servers with Client SSL profiles now accept SSL version 2 connections.

iRules: HTTP::release command (CR42306)
iRules that use the HTTP::release command no longer destabilize the BIG-IP system.

iRules: x509::cert_fields and segmentation faults (CR42500)
We have corrected a problem that destabilized the BIG-IP system when an HTTP header was inserted using the X509::cert_fields command.

iRules: payload replace commands and binary data (CR42507)
The payload replace command now accepts typical binary values. In previous releases, this command only accepted small binary values.

IPv6 connection mirroring and the HTTP profile (CR42551)
The BIG-IP system can now mirror IPv6 connections successfully when using TCP or HTTP profiles.

The IPv6 routing table and health checks (CR42666)
The IPv6 destination route cache is now managed properly.

Virtual Servers configured with OneConnect and SSL profiles (CR42946)
OneConnect can now handle SSL connections correctly.

Memory leak in HTTP profile when HTTP requests are rejected for exceeding the configured Maximum Header Size value (CR42967)
We have corrected a problem that caused memory utilization on the BIG-IP system to increase consistently under high HTTP traffic load when the header size exceeded the configured Maximum Header Size.

IP fragmentation handling and TMM stability (CR42979)
The system no longer becomes unstable when IP fragmentation is necessary, such as when handling large UDP packets, or when there is an MTU mismatch between client and server networks.

HTTP pipelining between two pools may cause TMM to become unstable (CR43000)
The TMM no longer becomes unstable when a rule attempts to change the pool to which it is sending a pipelined HTTP request.

Data beyond a single request or use of a fallback host in an iRule and system stability (CR43780)
The fallback host now functions correctly.

Insufficient user space memory may cause lack of response from programs other than TMM (CR43812, CR43825, CR44092)
Sufficient memory is now allocated for user space programs.

Compression and truncated packets (CR44037)
We have corrected a problem where compression was truncating packets, causing the system to resend the packets. The correct packets were resent; however, system performance was impacted.

Compression and CPU usage (CR44042)
The system no longer drops packets when compression is enabled and it is handling a high traffic load.

Error messages when a node responds to a POST before data transfer is completed (CR44110, CR44128)
The system no longer generates an error in the following situation:

  1. A client sends a POST or a PUT.
  2. The server replies before the client transmits the declared content length.
  3. The client closes the connection.
  4. The BIG-IP system sees the FIN from the client and resets the connection.

The iRule COMPRESS:: commands (CR44116)
The COMPRESS:: commands now work properly.

The HTTP::header remove command (CR44134)
The HTTP::header remove command now removes all instances of the specified header.

BIG-IP system and partial acknowledgements (CR44149)
We have corrected a problem where an incorrect response by the BIG-IP system caused large data transfers to fail.

Client window scaling and slow connections (CR44159)
The BIG-IP system no longer ignores client window scaling.

HTTP::respond rules may cause a crash when OneConnect transformations are disabled (CR44161)
The HTTP::respond rule now functions correctly with OneConnect transformations disabled.

TCP keep-alive probes may not be passed to the client (CR44178)
TCP keep-alives now time out properly.

Packet length and selective acknowledgements (CR44330)
The selective acknowledgement feature now handles packet lengths correctly.

Certain mis-formatted HTTP packets (CR44669)
We have corrected a problem where certain types of mis-formatted HTTP packets caused the TMM to become unstable.

Version 9.0.3

Using the Fast HTTP profile (CR41444)
The features provided in the Fast HTTP profile are designed to speed up certain types of HTTP connections. This profile provides the ability to tune these connections for the best possible network performance. When you use this profile with a virtual server, the virtual server processes traffic packet-by-packet and at a significantly higher speed. For more information about the Fast HTTP profile, see Understanding the Fast HTTP profile.

Configuring the FIPS hardware security module (CR40827)
A FIPS hardware security module (HSM) is available for creating and maintaining secure keys for SSL transactions. Currently, the FIPS HSM is available in the BIG-IP 6400 platform. For more information about configuring the FIPS HSM, refer to Configuring and Maintaining a FIPS Security World.

Using the Scripted monitor (CR42585)
The Scripted monitor provides the ability to write a simple script to monitor a server in the network. The Scripted monitor opens a TCP socket and, from the file you specify with the filename parameter, reads send lines to be sent over the socket and expect lines to be expected from the socket. To activate this feature, you must re-activate the software license on the BIG-IP system. To re-activate the license on the system, see Re-activating the license on the BIG-IP system. For details about using this monitor, see Using the Scripted monitor.

LDAP monitor enhancements
The LDAP monitor contains a new option, Mandatory Attributes. This option causes the LDAP monitor to behave differently if the value is yes or no. It is also important to note that this monitor no longer requires an entry in /etc/hosts for the LDAP servers. For details about using this monitor, see Configuring the LDAP monitor.

Using the WAP monitor (CR34093)
The WAP monitor is a health monitor for Wireless Application Protocol servers. This monitor provides the ability to check the status of a WAP server by checking for various types of information. To re-activate the license on the system, see Re-activating the license on the BIG-IP system. For details about using this monitor, see Configuring the WAP monitor.

SNMP: Read/Write SNMP OIDs for enabling and disabling the state of objects (CR42845)
With this release, you can now use SNMP to enable or disable the state of nodes, virtual servers, virtual addresses, and pool members. This provides the ability to use SNMP for certain management functions. For details about using the read/write SNMP OIDs, see Using SNMP read/write OIDs.

SNMP: MIB updates (CR41457, CR42698, CR43036)
This release includes SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

Version 9.0.3 fixes

The tcpdump utility and viewing MGMT interface traffic (CR33009)
The tcpdump utility now accepts the mgmt argument if you want to view the traffic on the MGMT interface.

CPU performance graph and displaying data on unit with single processor (CR37236)
If you have a platform that has only one processor (CPU) in it, the CPU usage graph on the Overview > Performance screen displays the CPU usage of all processes.

Log messages on a pre-licensed system (CR39523)
Before a system is licensed, you no longer see excessive warning log messages for features that are not yet available.

Running configuration synchronization between units with different time settings (CR39562)
The configuration synchronization process now verifies the time on the peer unit before attempting to run. If the time difference is greater than 600 seconds, the process stops, and you need to synchronize the times before continuing.

Configuring port mirroring and debug messages on the console (CR39711)
When you configure port mirroring for an interface using the Configuration utility, you no longer see debug messages on the console.

Configuring monitors for wildcard virtual servers (CR39808)
Monitors with a default port of * (any), when paired with a pool member with a destination port of *, now properly use the default port for the particular monitor/service type.

SNMP and multi-word community strings (CR39871)
Creating access records with multi-word community strings corrupts the snmpd.conf file. To avoid this problem, limit community strings to a single word.

Using the Server SSL profile and RSA keys larger than 2048 bits (CR39886)
If your configuration meets all of the following conditions, the system no longer resets server-side connections during the handshake operation:

  • The configuration contains a virtual server whose resource members are servers with RSA keys larger than 2048 bits.
  • The virtual server has a Server SSL profile associated with it.
  • In the Server SSL profile, the Server Certificate authentication option is set to ignore.

Link down on standby functionality (CR39902)
The failover link down on standby functionality is implemented in this release.

OTCU: Detecting gigabit fiber port media settings (CR39914)
The OTCU now properly detects the media settings for gigabit fiber ports.

HTTPS monitor no longer fails with EDH cipher (CR40629)
The HTTPS monitor now works properly with the EDH cipher.

The bigpipe utility and cipher names with hyphens (CR40661)
The bigpipe utility now properly recognizes cipher names that contain hyphens, for example, AES128-SHA.

Deleting virtual servers and virtual addresses in the Configuration utility (CR40944)
In the Configuration utility, when you modify a property on a virtual address (change it from the default), and then delete the virtual server with which the virtual address is associated, the system now properly removes the virtual address also.

Changing the system's time zone in the Configuration utility and logging time stamps (CR41149)
When you change the time zone for the system on the System: General properties screen, the log file entries now properly reflect the updated time.

Obsolete MGMT route and upgrades (CR41382, CR42218)
When you upgrade to version 9.0.3, and apply an existing configuration (in a config.ucs file), if the rolled-forward configuration contains a MGMT route in the 192.168.*.* network, the system now properly deletes the route entry.

Using a USB CD-ROM drive for software installation (CR41543)
When you use a USB CD-ROM drive to install the BIG-IP software, you are now prompted to remove the CD-ROM after the installation has finished.

Cookie hash values are now properly stored in the persistence tables (CR41681)
When you use the Cookie Hash method for Cookie persistence, the system now correctly stores the persist values.

Virtual server with Client SSL profile using SSLv2 and ALL ciphers (CR42211)
If you configure a virtual server that references a Client SSL profile which uses the ciphers SSLv2 and ALL, the SSLv2 connections for the virtual server now complete properly.

Creating an external data group and data group type (CR42249)
If you do not specify a file path when you create an external data group, the system no longer overrides the type setting.

Deleting external data groups and errors in the Configuration utility (CR42252)
In the Configuration utility, when you delete an external data group, the Configuration utility now properly returns you to the Data Group List screen.

Using the HTTP::release option in an iRule and system errors (CR42306)
If you use the HTTP::release option in an iRule, and you do not use the corresponding HTTP::collect option, the system no longer becomes unstable.

IM package upgrades and the /SLOT file (CR42331)
When you update your software to version 9.0.3 using the IM package upgrade, the upgrade now creates the /SLOT file for the slots on the system.

Routing on the management interface (CR 42381)
We have corrected a problem with chmand. Chmand should now handle IPv4 routing correctly for the management interface.

MSRDP hash values are now properly stored in the persistence tables (CR42822)
When you enable Microsoft Remote Desktop Protocol persistence, the system now correctly stores the persist values.

Upgrading to version 9.0.3 and name changes to MSRDP persistence profile attribute (CR42972)
The msrdp no session dir <enable | disable> attribute has been renamed to msrdp session directory <enable | disable>. When you upgrade to version 9.0.3 from version 9.0 through 9.0.2, and you roll forward a UCS file that contains an MSRDP persistence profile, the system automatically converts the session directory attribute to the new format.

Upgrading to version 9.0.3 and rolling forward UCS files with SSL iRules (CR43252)
When you upgrade to version 9.0.3 from version 9.0 through 9.0.2, and you roll forward a UCS file that contains one or more SSL iRules, the system no longer generates rule parsing syntax errors.

Upgrading to version 9.0.3 and new configuration requirements for cookie persistence profile (CR43253)
When you upgrade to version 9.0.3, the system now requires that, in a cookie persistence profile, the persistence mode must be cookie hash if the persist mirroring setting is enabled. When you roll forward a UCS file that contains a cookie persistence profile, the system automatically disables the persist mirror setting if the mode is not cookie hash.

Excessive logging for SNAT ANY-IP denials (CR43257)
The system no longer generates excessive log entries for routine ICMP pings when you have SNAT ANY-IP configured.

Log file rotation for the tomcat utility (CR43266)
The system now properly performs log file rotation for the tomcat utility. For the log rotation to function correctly, the tomcat utility restarts every 24 hours.

Data group string classes no longer limited to a 64-character length (CR43414)
If you use the Configuration utility to add a string class to a data group, the string value is no longer truncated to a 64-character string.

Persistence tables are now mirrored properly for sticky persistence (CR43423)
We fixed an issue where persistence tables for a destination address affinity persistence (or sticky persistence) may not mirror properly in a failover.

SSL cipher selection errors (CR43658)
Previously, the system improperly handled SSLv2 cipher suite descriptors, which caused conflicts with Microsoft PCT extended option encodings and other SSLv2 applications. We corrected the issue to resolve these conflicts.

HTTP profile now supports certain unrecognized HTTP methods (CR43447)
Previously, the HTTP profile did not support the unrecognized HTTP method "SEARCH" to post XML to an Exchange server. The HTTP profile now supports these and other unrecognized HTTP methods that contain Content-Length or Transfer-Encoding headers.

The TCP::notify response command no longer causes a system crash (CR43585)
We corrected an issue where the system did not process the TCP::notify response command correctly and caused a system crash.

The Least Connections (node) load balancing method is fixed (CR43644)
Previously, when you selected Least Connections (node) for your load balancing method, this method did not work properly. We corrected this issue so that the Least Connections (node) load balancing works properly.

Version 9.0.2

Multiple boot installations (CR40912)
The version 9.0.2 release includes a new multiple boot capability. With this release, you can now install the software on multiple disk slots in the system. A slot is a portion of a drive with adequate space required for an installation. If the hardware supports multiple slots, you are prompted to install the software on multiple slots during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), and BIG-IP 6400 (D63) platforms support this functionality. There are several benefits of running a system with a multiple slot installation.

  • The ability to select a different version of the software during boot time from the boot menu.
  • The ability to install a new version of the software on a slot without losing a previous installation on a different slot.
  • The ability to revert back to an old installation without having to re-install, roll back, or lose new installations.

You can use this new feature if the unit contains a supported hardware configuration: more than one drive (for example, a CompactFlash® media drive and a hard disk drive), or a hard drive. After you have installed the software on multiple slots, you can change which slot boots when you start the system. For details about using this functionality, see Using the switchboot utility.

Important:  The IM upgrade does not add the multiple boot functionality. If you want this functionality on a supported platform, you must choose another installation method.

High availability: New Restart All action (CR40406)
This release includes a new option for high availability, Restart All. When you select this option for a high availability setting, the system restarts all system services, not just the affected service. For additional information, review the online help for the configuration options on the System >> High Availability screens.

Local traffic pools: New Slow Ramp Time option (CR40590)
When you take a pool member offline, and then bring it back online, the pool member can become overloaded with connection requests, depending on the load balancing mode for the pool. For example, if you use the Least Connections load balancing mode, the system sends all new connections to the newly-enabled pool member (because technically it has the least amount of connections). When you configure the Slow Ramp Time option, the system sends less traffic to the newly-enabled pool member. The amount of traffic is based on the ratio of how long the pool member has been available compared to the slow ramp time. Once the pool member has been online for a time greater than the slow ramp time, the pool member receives a full proportion of the incoming traffic. To configure the slow ramp time option, review Configuring slow ramp time for a pool, in the Optional configuration changes section of this release note.

User authentication method now configurable for SSL client certificate LDAP authentication (CR37259)
If you use SSL client certificate LDAP (SSL CC LDAP) authentication, you can now specify a UserClass object, for client authorization. Previously, you could not configure the UserClass object. The default setting is StrongAuthenticationUser.

New options for iRules (CR40241, CR41153)
The following options have been added to the iRules syntax.

Option Description
HTTP_REQUEST_SEND This server-side event gets raised just before a request is sent to the server.
IP::ttl This command reports the TTL for an inbound IPv4 or IPv6 packet.

SNMP MIB updates (CR40526, CR40571, CR40849, CR40893)
This release includes SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

HTTP profile: New Maximum Requests option (CR40859)
The HTTP profile now includes the Maximum Requests option. This setting specifies a maximum number of requests that can be made on a single keep-alive connection. When the limit is reached, the final response contains a Connection: close header, which closes the connection. The default behavior does not restrict the number of requests per connection.

Version 9.0.2 fixes

Both units in a redundant system remain in active mode after initial configuration (CR34060)
When you configure a redundant system, the first unit now goes into standby mode after you configure the second unit.

Modifying properties of a route (CR36732)
In the Configuration utility, you can now modify the properties of a route, in the Network section. For additional information, see the online help for the route properties screen.

ISO image/CD now includes the source for building the Real Monitor plug-in for UNIX and Linux systems (CR39359)
The version 9.0.2 ISO image now includes the source code for compiling the Real Monitor for RealServer 8.0 on Linux and UNIX systems. If you are load balancing to RealServer 8.0 servers, you need to compile the source so that you can use the real_server monitor. For additional information, see Compiling the real_server monitor plug-in for UNIX and Linux systems, in the Optional configuration changes section of this release note.

Error message when resetting iRules statistics in the Configuration utility (CR39580)
You no longer see the error message Statistics not implemented when you reset the iRules statistics from the Overview > Statistics > iRules screen.

License activation and system time (CR39659)
When you are activating a license, and the hardware clock time is more than 24 hours different than the time on the F5 Licensing server, the system now generates an error and redirects you to the License Keys screen. Re-type the registration keys and continue with the licensing process. The system regenerates the dossier with a current timestamp.

SNMP trap configuration (CR39782)
In the Configuration utility, on the SNMP > Traps > Configuration screen, changing the Device setting now works properly.

Setting active-active or active-standby mode on a redundant system (CR39829)
You no longer need to run the bigstart restart command to get the units in a redundant system into the correct mode.

OTCU: Converting node attributes (CR39842)
The One Time Conversion Utility (OTCU) now explicitly indicates that it does not convert the node attributes virtual or actual, if they are present in a 4.5.X configuration.

Changing failover peer IP address in the Configuration utility (CR39845)
In the Configuration utility, if you change the IP address for the failover peer (in a redundant system), the change now takes effect without additional configuration.

Clearing the Nokia SNMP alarm log (CR39901)
The snmpget command now properly clears the contents of the Nokia SNMP alarm log.

iRules: Setting renegotiation on SSL Client Certificate requirement (CR39918)
The SSL::cert mode require command now properly requires a client certificate for all URLs.

Running Config Sync or restoring a .ucs file and node monitors (CR39923)
When you run the Config Sync operation, or restore a *.ucs file, the system no longer resets all monitor instances for nodes.

Errors in the bigip.conf file and the pvad utility (CR39929)
When you edit the bigip.conf file by hand, and you introduce configuration errors, the pvad utility no longer generates a core file when you try to load the configuration.

Creating VLANs with no interfaces in the Configuration utility (CR40035)
In the Configuration utility, if you create a VLAN and you do not associate any interfaces with it, the system no longer generates a page error.

Resetting interface statistics (CR40059)
In the Configuration utility, if you reset the interface statistics, you no longer see an error message.

Deleting records from the dynamic ARP list in the Configuration utility (CR40073)
Using the Configuration utility to delete records from the dynamic ARP list no longer causes problems.

Manually adding a configuration item in the bigip.conf file and syntax errors (CR40206)
In the bigip.conf file, manually adding a configuration object in front of another object that the system cannot load no longer destabilizes the system.

Certificate chains in SSL (CR40580)
The system now processes intermediate certificates properly, when you have a certificate chain configured.

iRules log messages over 1024 characters (CR40560)
The system no longer experiences fatal errors when log messages for iRules contain more than 1024 characters.

iControl: Loading the SystemServer.so module (CR40684)
The iControl portal now loads the ITCMSystemServer.so module and the SystemServer.so module in the proper order, so that both modules are loaded correctly.

Adding self IP addresses without netmasks (CR40693)
When you add a self IP address, you must also add a netmask. Previously, you could add a self IP without a netmask, which generated errors.

Forcing the 1000baseFX media option for fiber gigabit ports (CR40706)
You can now force the system to use the 1000baseFX media setting for fiber gigabit ports, rather than having the system auto-negotiate the media setting. Note that this does not apply to copper gigabit ports.

BIG-IP version 9.0 examples in the iControl SDK (CR40830)
In the iControl SDK, the examples for BIG-IP version 9.0 now show the correct conversion for 64-bit counters.

Starting the radvd service and ppp0 interface error messages (CR40894)
If you are using the IPv6 module on the BIG-IP system, and you start the route advertising service (radvd) using the instructions in the following file, /etc/radvd.conf.example, you no longer see error messages regarding the ppp0 interface.

iControl: return response to IP addresses that contain all zeros (CR40974)
When an IPv4 or IPv6 address is composed of all zeros, iControl now returns 0.0.0.0 (IPv4) or 0:0:0:0:0:0:0:0 (IPv6), instead of none.

SSL hardware accelerator and processing obscure ciphers in OpenSSL (CR41056)
When OpenSSL is processing some obscure ciphers, it no longer causes the SSL hardware accelerator to stop functioning. This issue affected the following platforms: BIG-IP 1000, BIG-IP 2400, BIG-IP 5100, BIG-IP 5110.

Changing HTTP profile settings and updating the system (CR41118)
When you make changes to the HTTP profile settings, the system now properly updates all affected processes with those changes.

HTTP profile: Using Tcl expansion in header insert and fatal system errors (CR41119)
The system no longer experiences fatal errors if you define an HTTP profile with a header insert that uses Tcl expansion, and the expansion fails.

512-bit keys and the SSL hardware accelerator (CR41172)
The system now properly handles 512-bit keys on the following platforms: BIG-IP 1000, BIG-IP 2400, BIG-IP 5100, BIG-IP 5110.

Cookie headers with empty value and cookie parsing (CR41176)
If a Cookie header contains an empty value, cookie parsing no longer fails.

Advanced routing module service (zebosd) now starts by default (CR41329)
The system service that runs the advanced routing modules, zebosd, now starts automatically. Note that the advanced routing modules are available as an add-on feature, and are not part of the system by default.

snmp_dca monitor (CR41400)
The snmp_dca monitor now works properly.

Using multiple LDAP servers and modifying the PAM SSL Client Certificate LDAP Authentication module (CR41590)
If you specify multiple LDAP servers in the SSL Client Certificate LDAP Authentication PAM module, the system now properly manages the server entries.

iControl: Class::add_string_class_member on external read/write class (CR41703)
In the iControl API, if you use the Class::add_string_class_member method on an external read/write class, you now get the proper response instead of Operation Failed.

BGE driver and soft resetting due to transmitter failure error messages (CR42178)
We have corrected the issues that caused the BGE driver for the network interfaces to report the following error message: soft resetting due to transmitter failure.

X509::serial_number option in iRules and large serial numbers (CR42282)
When you use the X509::serial_number option in an iRule, the iRule no longer returns -1 for large serial numbers.

Version 9.0.1

ZLib compression library vulnerability (VU#238678)
We corrected a denial of service vulnerability that was found in the ZLib compression library versions 1.2.x. The problem arose from incorrect error handling in the inflate() and inflateBack() functions. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CAN-2004-0797 to the problem.

SSL client certificate LDAP authentication and start_tls failure (CR38967)
Client certificate LDAP authentication now correctly handles start_tls failures.

LACP support (CR39554, CR39872)
Link Aggregation Control Protocol (LACP) is fully supported in this release.

Connection mirroring (CR39548, CR39779, CR39892, CR39894, CR39895, CR39905)
Connection mirroring is fully implemented in this release.

Truncated subscription ID in error messages and iControl applications (CR39987)
The system no longer truncates the subscription ID when it generates an error message.

bigpipe daemon overdog watchdog disable command writing to bigip.conf correctly (CR40117)
The bigpipe daemon overdog watchdog disable command now handles default settings correctly when writing to the bigip.conf file.

SSL records that straddle packets may destabilize the system (CR40119)
Overlapping SSL records no longer destabilize the system.

TMM: buffer and HTTPS request (CR53260)
We have corrected a problem with the TMM buffer when a client sends a packet and the MTU value is less than 128.


Optional configuration changes

Once you have installed the software, you can use any of the following new configuration options to update your configuration.


Understanding the Fast HTTP profile

The Fast HTTP profile is a fast implementation of OneConnect™ and simple HTTP content-switching. It cannot be used in conjunction with Session persistence, SSL, Deflate, RAM Cache, IPv6, or VLAN groups. It can be used with SNATs. You can associate the Fast HTTP profile with a virtual server. When you assign the Fast HTTP profile to a virtual server, it processes traffic packet-by-packet and at a significantly higher speed than the typical virtual server. This profile is incompatible with all other profiles. This profile has the following attributes:

  • client close timeout
    Specifies the number of seconds after which the system closes a client connection, when the system either receives a client FIN packet or sends a FIN packet. This setting overrides the idle timeout setting. The default setting is 5.
  • conn pool idle timeout override
    Specifies the number of seconds after which a server-side connection in a OneConnect pool is eligible for deletion, when the connection has no traffic. This setting overrides the idle timeout that you specify. The default is 0 seconds, which disables the override setting.
  • conn pool max reuse
    Specifies the maximum number of times that the system can re-use a current connection. The default setting is 0.
  • conn pool max size
    Specifies the maximum number of connections to a load balancing pool. A setting of 0 specifies that a pool can accept an unlimited number of connections. The default setting is 2048.
  • conn pool min size
    Specifies the minimum number of connections to a load balancing pool. A setting of 0 specifies that there is no minimum. The default setting is 10.
  • conn pool step
    Specifies the increment in which the system makes additional connections available, when all available connections are in use. The default setting is 4.
  • header insert
    Specifies a string that the system inserts as a header in an HTTP request. If the header exists already, the system does not replace it.
  • http11 close workarounds
    Specifies whether to enable or disable HTTP 1.1 close workarounds.
  • idle timeout
    Specifies the number of seconds after which a connection is eligible for deletion, when the connection has no traffic.
  • insert xforwarded for
    Specifies whether the system inserts the XForwarded For: header in an HTTP request with the client IP address, to use with connection pooling.
    • Enabled: Specifies that the system inserts the XForwarded For: header with the client IP address.
    • Disabled: Specifies that the system does not insert the XForwarded For: header.
  • max header size
    Specifies the maximum amount of HTTp header data that the system buffers before making a load balancing decision. The default setting is 32768.
  • max requests
    Specifies the maximum number of requests that the system can receive on a client-side connection, before the system closes the connection. A setting of 0 specifies that requests are not limited. The default setting is 10.
  • mss override
    Specifies a maximum segment size (MSS) override for server-side connections. The default setting is 0, which corresponds to an MSS of 1450. You can specify any integer between 536 and 1450.
  • reset on timeout
    Specifies, when enabled, that the system sends a TCP RESET packet when a connection times out, and deletes the connection.
  • server close timeout
    Specifies the number of seconds after which the system closes a client connection, when the system either receives a client FIN packet or sends a FIN packet. This setting overrides the idle timeout setting. The default setting is 5.

Using rules with the Fast HTTP profile

The following rule events are supported by the Fast HTTP profile:

  • CLIENT_ACCEPTED
  • SERVER_CONNECTED
  • HTTP_REQUEST

The following HTTP rule commands are supported by the Fast HTTP profile:

  • HTTP::method
  • HTTP::uri
  • HTTP::version
  • HTTP::header exists
  • HTTP::header value
  • HTTP::header insert

Additional rule commands supported by the Fast HTTP profile

All layer 3 through layer 4 rule commands are supported. For example, IP::remote_addr, TCP::local_port, pool, snat, and others. In addition to the layer 3 and layer 4 rule commands, all global rule commands are supported. For example, md5, sha1, b64encode, and built-in TCL commands such as string -length, regexp, and others.

Statistics available with the Fast HTTP profile

The following statistics are available with the Fast HTTP profile. You can view statistics for requests, responses, and OneConnect™.

Request statistic Description
Get Requests The total number of get requests.
Post Requests The total number of post requests.
Version 0.9 The total number of HTTP version 0.9 requests.
Version 1.0 The total number of HTTP version 1.0 requests.
Version 1.1 The total number of HTTP version 1.1 requests.
Unbuffered The total number of unbuffered requests.
Pipelined The number of pipelined HTTP requests detected.
Requests The total number of HTTP requests.
Parse Errors The total number of request parse errors.

Response statistic Description
Successful The number of 200-206 (success) server-side responses.
Redirection The number of 300-307 (redirect) server-side responses.
Client Errors The number of 400-417 (client error) server-side responses.
Server Errors The number of 500-505 (server errors) server-side responses.
Parse Errors Number of response parse errors.

OneConnect statistic Description
Currently Idle The number of available server-side flows in the reuse pool.
Maximum The maximum number of server-side flows in the reuse pool.
Total Reuses The number of times a server-side flow was reused.
Exhausted The number of times the reuse pool was exhausted.

Miscellaneous statistic Description
Client SYNs Total number of client SYN cookies generated.
Client Accepts Total number of client TCP accepts.
Server Connects Total number of server TCP connects.
Client Receive Failures The number of bad TCP segments dropped from the client.
Server Receive Failures The number of bad TCP segments dropped from the server.


Using the Scripted monitor

With the Scripted monitor, you can write a simple script to monitor a server in the network. The Scripted monitor opens a TCP socket and reads, from the file you specify with the filename parameter, send lines to be sent over the socket and expect lines to be expected from the socket. These lines should appear in the file in the sequence you want. For example, a simple SMTP sequence might be:

expect 220
send "HELO bigip1.somecompany.net\r\n"
expect "250"
send "quit\r\n"

Translation consists of first stripping off the leading send or expect, after determining which one of the two it is. Next, the leading and trailing spaces are stripped off. If there are no enclosing " " (double quotes), the line is not translated any further and is sent as is (note that for a send this means no new line is sent). If the line to be sent is enclosed with double quotes, then the quotes are stripped off and the line is examined for escaped characters, each of which is properly translated.

If the line is to be sent, it is now sent as translated. If the line is expected, then the socket is read until it either receives a line beginning with the expected sequence of characters or it times out. This means it could receive several lines before receiving the one that contains the expected sequence of characters at the beginning of the line. There may be other characters in the received line. The expect sequence of characters may not be the complete line, which can vary from one computer to another, but the first characters must match the expected sequence. The filename should be the name of a file contained in the directory /config/eav. Keeping these files under this directory allows them to be saved with the configuration.
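The translation and matching rules described above, modelled offline as an added example (not F5's code), so a monitor script can be checked before it is placed in /config/eav. The escape set, the function names, and the server transcripts are assumptions constructed for illustration; the script is the SMTP sequence from this section.

```python
# Added example: offline model of the Scripted monitor's send/expect handling.
# Assumption: the release note does not list the supported escapes; this
# sketch translates \r, \n, \t, \\ and \" and keeps anything else literally.
ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\", '"': '"'}


def unescape(text):
    """Translate backslash escapes inside a quoted payload."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(ESCAPES.get(text[i + 1], text[i:i + 2]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def translate(line):
    """Return (verb, payload) for one script line."""
    stripped = line.strip()
    for verb in ("send", "expect"):
        rest = stripped[len(verb):]
        if stripped.startswith(verb) and (rest == "" or rest[0].isspace()):
            break
    else:
        raise ValueError("line must start with send or expect: %r" % line)
    rest = rest.strip()
    # Only a payload enclosed in double quotes is translated further;
    # an unquoted payload is used exactly as written.
    if len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
        rest = unescape(rest[1:-1])
    return verb, rest


def parse_script(text):
    """Translate every non-blank line of a script, in file order."""
    return [translate(line) for line in text.splitlines() if line.strip()]


def lint(steps):
    """Flag steps whose effect under the translation rules is probably unintended."""
    findings = []
    for number, (verb, payload) in enumerate(steps, 1):
        if verb == "send" and not payload.endswith("\n"):
            findings.append(
                "step %d: send has no line terminator; quote it and end with \\r\\n" % number)
        if verb == "expect" and payload == "":
            findings.append("step %d: empty expect matches any line" % number)
    return findings


def run_script(steps, server_lines):
    """Replay steps against canned server lines; return (up, payloads_sent).

    The transcript is consumed in order and is not driven by what was sent,
    so this checks the script's matching logic, not the server's behaviour.
    """
    incoming = iter(server_lines)
    sent = []
    for verb, payload in steps:
        if verb == "send":
            sent.append(payload)
            continue
        # expect: keep reading until a line begins with the payload; running
        # out of lines stands in for the monitor's timeout.
        for received in incoming:
            if received.startswith(payload):
                break
        else:
            return False, sent
    return True, sent


# The SMTP sequence from this section (raw string: backslashes are literal).
SMTP_SCRIPT = r'''
expect 220
send "HELO bigip1.somecompany.net\r\n"
expect "250"
send "quit\r\n"
'''

# Constructed server transcripts, not captured from a real system.
HEALTHY = ["* constructed notice line", "220 mail.example.test ESMTP",
           "250 mail.example.test"]
BROKEN = ["554 mail.example.test no service"]

if __name__ == "__main__":
    steps = parse_script(SMTP_SCRIPT)
    print(steps)
    print(lint(steps))
    print(run_script(steps, HEALTHY))
    print(run_script(steps, BROKEN))
```

The lint check on unquoted send lines reflects the rule above that an unquoted line is sent as is, with no new line.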


Configuring the LDAP monitor

The LDAP monitor contains a new option: Mandatory Attributes. This option causes the LDAP monitor to behave differently depending on whether it is set to yes or no. It is also important to note that this monitor no longer requires an entry in /etc/hosts for the LDAP servers.

  • When the Mandatory Attributes option is set to yes, the LDAP filter search is a sub tree search (as opposed to the normal one-level search), and if no attributes are returned as a result of the search, the monitor does not report the node as up.
  • When the Mandatory Attributes option is set to no, to some other value, or is absent, the LDAP monitor performs a one-level search and does not require any attributes to be returned. For example, if the return indicates zero attributes for this filter, the service is still functioning and the node is considered up. This was the standard behavior of the LDAP monitor in previous versions of the BIG-IP software.

Configuring the WAP monitor

The common usage for the WAP monitor is to specify the send and recv parameters only. The WAP monitor functions by requesting a URL (the send parameter) and finding the string in the receive (recv) parameter somewhere in the data returned by the URL response.

RADIUS accounting is optional. To implement RADIUS accounting, you must set the accounting port to a non-zero value. If the accounting port is set to a non-zero value, then the monitor assumes that RADIUS accounting is needed, and an accounting request is sent to the accounting node/port to Start accounting. This is done before the URL is requested. After the successful retrieval of the URL with the correct data, an accounting request is sent to Stop accounting.


Using SNMP read/write OIDs

You can use the following SNMP OIDs in read/write mode. However, SNMP is not intended to be used as a general API for configuring the BIG-IP system.

| OID Name | OID Value |
|---|---|
| ltmVirtualServEnabled | Enable/disable virtual server |
| ltmVirtualAddrEnabled | Enable/disable virtual address |
| ltmNodeAddrNewSessionEnable | Enable/disable node address |
| ltmNodeAddrMonitorState | Force up/down node address |
| ltmPoolMemberNewSessionEnable | Enable/disable pool member |
| ltmPoolMemberMonitorState | Force up/down pool member |

New SNMP OIDs

The version 9.0.X releases often include SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.



Compiling the real_server monitor plug-in for UNIX and Linux systems

The .iso image for the version 9.0.2 software now includes the source and makefiles for compiling the real_server monitor plug-in for UNIX and Linux systems. The following instructions explain how to access the files you need to compile the plug-in.

  1. Using the .iso image, burn a CD-ROM of the version 9.0.2 software.
  2. On the CD, navigate to the /downloads/rsplug-ins directory.
  3. Copy the F5RealMon.src.tar.gz tarball to the /var/tmp directory on the BIG-IP system.
  4. On the BIG-IP system, change to the /var/tmp directory.
    cd /var/tmp
  5. Untar the F5RealMon.src.tar.gz tarball.
    tar xvzf F5RealMon.src.tar.gz
  6. Change to the F5RealMon.src directory.
    cd F5RealMon.src
  7. To compile the source, use the instructions in the build_unix_note file, in the F5RealMon.src directory. Type ls to view the directory contents.

Configuring slow ramp time for a pool

The following instructions explain how to configure the new slow ramp time option for local traffic pools, as described in the New features section of this release note. The slow ramp time option specifies a length of time during which a newly enabled pool member receives only a fraction of any new connections to the pool.

To configure slow ramp time using the Configuration utility

  1. In the Main tab, click Local Traffic, and then click Pools.
    The Pools List screen opens.
  2. Click a pool name.
    The Properties screen for that pool opens.
  3. In the Configuration box, select Advanced.
    The configuration options expand.
  4. In the Slow Ramp Time box, type the number of seconds.
  5. Click the Update button.
    The system saves the change to the configuration file.

Using the switchboot utility

Beginning with the version 9.0.2 release, functionality was added to install multiple boot images of the BIG-IP software on one unit. A boot image is a portion of a drive with adequate space required for an installation. If the hardware supports multiple boot images, you are prompted to install the software on multiple boot images during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), and BIG-IP 6800 (D68) platforms support this functionality.

The switchboot utility is available to manage installations on different slots. You can use the switchboot utility from the command line to select which installed image boots. To run the switchboot utility, type the following command:
switchboot

A list of boot images and their descriptions displays. Type the number of the boot image you want to boot at startup. When you reboot the system, it starts from the boot image you specify.

If there is only one boot image available, the switchboot utility displays a message similar to this one and exits.
There is only one boot image to choose from: title BIG-IP 9.0.2 Build 18.0 - drive hda.1

Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.

To use switchboot in non-interactive mode

If you know which boot image you want to boot, you can type the following command and specify the slot number for <slot_number>:
switchboot -s <slot_number>

To use switchboot to list available boot images and the currently active boot image

If you want to list the available boot images without specifying a new boot image from which to boot, type the following command:
switchboot -l

To list options for switchboot

To list the options for the switchboot utility, type the following command:
switchboot -h

To view the contents of the boot configuration file using switchboot

You can view the complete contents of the boot configuration file (grub.conf) with the following command:
switchboot -d

This command is slightly different from switchboot -l in that -l only lists the boot image header lines, while -d displays the complete file.


Known issues

The following items are known issues in the current release.

VLAN mirroring unsupported (CR39784)
In this release, the system does not support VLAN mirroring. The system does not display an error when VLAN mirroring is attempted. We recommend that you do not implement VLAN mirroring at this time.

1500, 3400, and 6400 platforms: SSH session remains open after peer unit is rebooted (CR40503)
When you establish an SSH session between two units on the 1500, 3400, or 6400 platforms, and you reboot the unit to which you established the SSH session, the SSH session remains open until it reaches its timeout.

Using trunks on a BIG-IP 2400 (D44) IP Application Switch (CR40507)
On a BIG-IP 2400 platform, if you connect multiple ports to one switch you may form a bridging loop, which causes the TMM to restart repeatedly. To avoid this issue, enable spanning tree protocol if you connect multiple ports to one switch.

SIP persistence and persist iRule commands (CR40579)
In this release, the persist iRule commands do not support SIP persistence.

Client SSL and Server SSL profiles and time stamps on key or certificate files (CR40677)
The Client SSL and Server SSL profiles currently do not add time stamps to SSL certificate or SSL key files.

When specifying a default route for IPv6, you must specify a destination and netmask (CR40808)
Because the default configuration settings for Network Routes are for IPv4, you must specify both a destination and a netmask value to specify a default route for IPv6. To specify an IPv6 default route, you must first choose a type of route instead of default gateway. Then specify the destination as :: and the netmask as :: to set the appropriate IPv6 default route.

OTCU: Displaying monitors saved at pool level in the Configuration utility (CR40977)
After you run the OTCU to convert your 4.5.X configuration to a 9.0.X configuration, you cannot view the monitors on pool members until after you run the bigpipe load command twice, from the command line. Alternately, you can reboot the system.

Force command no longer supported (CR41390)
The -force command for im packages no longer operates, because the installation procedures have changed.

Configuration utility: Re-running the Setup Utility and VLAN configuration error messages (CR42790)
When you rerun the Setup Utility and use the Basic Configuration Wizard (which sets up the default internal and external VLANs), the configuration must follow these guidelines. If the configuration violates one of these conditions, you see error messages, and cannot complete the configuration.

  • No more than one non-floating IP may be associated with VLANs named external or internal.
  • No more than one floating IP may be associated with VLANs named external or internal.
  • The self IP addresses associated with the VLANs internal and external must use one of the following port settings: Allow Default, Allow 443, Allow None.
  • The bigdb variable Statemirror.IPAddr must match the internal self IP.
  • A VLAN group may not be named external or internal.
  • A trunk may not be configured on VLAN external or internal.
  • The default route must be of type Gateway.

Using a literal carriage return in a monitor parameter string (CR43128)
The system cannot interpret literal carriage returns in monitor strings that are created by pressing the Enter key. If the string you are creating requires a literal carriage return, type \r\n instead of pressing the Enter key.

Failover and virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled (CR43517)
In a redundant system, if the active unit fails over, and the configuration contains virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled, the failover process does not properly mirror the server-side OneConnect connections to the failover unit.

Link activity lights on the BIG-IP 3400 (C62) platform (CR43570)
On the BIG-IP 3400 platform, if you have trunks configured, the link activity lights on the front panel may not properly indicate link activity (turn green).

Configuration utility: Changing the refresh interval on the Preferences screen applies the change only to statistics screens not viewed yet (CR43613)
In the Configuration utility, on the System > Preferences screen, if you change the Default Statistics Refresh interval, view some statistics screens, and then change the Default Statistics Refresh interval again, the system applies the second update only to those statistics screens that you have not viewed yet.

Attempting to use bigpipe immediately following the bigstart restart (CR44091)
After you run the bigstart restart command, the BIG-IP system takes a minute to initialize. If you run this command, you should wait at least a minute for the system to re-initialize before running additional bigpipe commands.

The BIG-IP system caches unreachable IPv6 destinations regardless of IPv6 route updates (CR44109)
A problem may occur where the BIG-IP system caches an unreachable IPv6 destination. This problem might occur if you add the wrong default route, delete it, and change to the correct route, only to find traffic fails to reach the destination.

FTP data channel with layer 7 FTP connections and non-equal MTUs (CR44165)
Non-equal MTUs may cause layer 7 FTP connections to stall. If you are using a switch to negotiate the MTU with the BIG-IP system, this is not likely to happen.

Fast L4 profile: Reset on timeout disable and the idle timeout value (CR44261)
Changing the Reset value on the timeout option to disable appears to change the idle timeout value. However, this affects only the value displayed by the system, not the system setting and the functionality of the system.

Validation error: Cannot delete IP address (CR44297)
When deleting IP addresses, you must delete any floating IP addresses before deleting any non-floating IP addresses. If you do not, the system displays a validation error.

IPv6: Transparent monitors (CR44388, CR44407, CR44408)
The current IPv6 implementation does not support transparent monitors.

Tcpdump and port mirroring (CR44574)
We recommend that you turn off port mirroring before you run the tcpdump utility on a port.

Allowing specific UDP ports (CR44590)
You cannot add a specific UDP port to the allow list that includes the allow default setting. To add specific UDP ports to the allow list, remove the allow default setting and add each UDP port you want to add to the allow list.

Supported MTU for BIG-IP systems and IPv6 (CR44733)
The minimum supported MTU for a BIG-IP system using IPv6 is 1280.

SSH: If logged in as non-root user, cannot use SSH to connect to another system (CR44734)
You cannot use SSH to connect to another system unless you are logged into the BIG-IP system as a root user.

Error when swapping RADIUS server keys during a re-load after swapping the server IP addresses (CR44769)
You may see an error when you attempt to swap RADIUS server keys during a configuration reload. You can work around this problem by unconfiguring one of the servers before redefining the other.

Various benign error messages on system during an upgrade (CR44783, CR44820)
You may see various benign error messages when you upgrade the system. These errors are harmless.

Commented iRules that contain brace characters ( { } ) result in parsing error (CR44839)
When creating iRules, if you comment out a line that contains a brace character ( like { or } ), the system displays a parsing error. We recommend that you delete either the line or the brace character before updating the iRule.

NAT and ICMP (CR44849)
Currently, NATs do not forward ICMP packets.

Configuration utility: Load Balancer Light and the Fast L4 profile (CR44866)
The BIG-IP Load Balancer Light product does not provide the ability to create or edit a Fast L4 profile.

Restoring a configuration and overwriting SSH keys (CR45173)
UCS files back up and restore host and root SSH keys, but there are many situations where these keys are stale, and break communications with the SCCP host subsystem.

Route validation of subnets does not include newly-added route (CR45212)
If you attempt to add a route and gateway that reside on the same subnet, the system considers the route to be invalid. If you separately add a supernet that encompasses both the new route and the gateway IP addresses, then the system accepts the new route.

Using automatic licensing and errors in the Configuration utility (CR45369)
In the Configuration utility, when you select the Automatic option for licensing, if the system cannot communicate with the F5 Licensing Server, the system generates a major application error. To work around this issue, close the current browser session, open a new session, and select the Manual option instead. Note that this happens only in rare instances.

Display discrepancies between Configuration utility and bigpipe for SSL profile setting (CR45537)
On the SSL profile screen, select the Renegotiate period option and leave it at the default setting, Indefinite. When you view the same setting in the bigip.conf file, you see this number, 138635524 (which equates to 4.396 years), instead of indefinite.

Application Accelerator: Logging options display for unavailable features (CR45546)
In the Configuration utility, on the System > Logs > Options screen, you see logging options for the Packet Velocity ASIC. This feature is not available on the Application Accelerator product.

Acceptable characters in SSL certificate names and common names (CR45721, CR45722)
If you create a certificate name or common name that uses invalid characters (for example asterisk, comma, question mark, exclamation, forward slash, ampersand), the system generates an error message that is incorrect. The error message states that these characters are valid, however the only acceptable characters are alphanumeric characters, hyphen, and underscore.

Generating SSL certificates and keys and Configuration utility errors (CR45725)
If you try to generate an archive file for SSL certificates and keys, and you do not type a name for the file, the system generates an error. If you then add a name and click the Generate and Download button, the system saves the file but the Configuration utility remains in the error state. Simply click Cancel after you have saved the file, which returns you to the SSL Certificate list screen.

Duplicating virtual servers in bigip.conf file generates errors (CR45765)
If you manually edit the bigip.conf file and create duplicate entries of virtual servers, the /var/log/tmm directory becomes filled with error messages. We recommend that you edit the bigip.conf file with care.

Empty list notation in iRules in the Configuration utility (CR45767)
In the Configuration utility, on the iRules screen, you can currently specify an empty list with the following notation: {}. The configuration does not load properly with this syntax (no space between the braces). The correct syntax is as follows: { }. Note that the space is required.

Importing non-FIPS keys into a FIPS system (CR45853)
If you import non-FIPS keys to a FIPS system, and then convert the non-FIPS keys to FIPS keys, the system continues to use the non-FIPS keys until you restart the TMM process. You can perform this task from the command line, by typing bigstart restart.

The radvd utility and restarting or rebooting the system (CR45882)
In rare circumstances, the radvd utility may start too early when you restart or reboot the system. As a result, the utility does not properly advertise routes. If you experience this issue, simply restart the radvd utility, on the System > Services screen in the Configuration utility.

IM upgrades and modprobe dependencies error messages (CR45885)
When you upgrade your system using the IM upgrade process, you may see the following error message when the system starts the automatic reboot, after the installation completes:
modprobe: Can't open dependencies file
The error is benign, and can be ignored.

IM upgrades and kernel journalling error messages (CR45970)
When you use the IM upgrade process, you may see kernel journalling error messages on the console after the installation completes. The error messages are benign and can be ignored.

b load failed after rename rate class and rule (CR45981)
If you create an iRule that references a rate class, and then you rename the iRule and rate class, any attempt to load the configuration with the bigpipe load command fails. We recommend that you avoid renaming iRules and rate classes that you implement for rate shaping.

Creating a wildcard virtual server without the virtual address entry (CR46657)
If you create a wildcard virtual server without a virtual address entry (0.0.0.0) with ARP disabled, ARP is set to enabled when the configuration is saved. After you create the wildcard virtual server, you can change the ARP setting back to disabled.

Creating VLANs with a period in the name (CR46028)
The sysctl -a command prints each file under the /proc/sys filesystem tree as if it were a variable whose name is separated by periods (.); it translates each forward slash (/) into a period. When you create a VLAN with a period in the name, sysctl translates that period into a forward slash (/), but then cannot read the filename it just created.

Base-64 certificates rejected if they contain whitespace (CR46150)
If a base-64 certificate includes extra whitespace, the system rejects the certificate. We recommend that you remove this whitespace when adding new certificates to the system.

Virtual Server - No Nodes Available trap and log message (CR46596)
The No Nodes Available trap and log message do not exist in BIG-IP version 9.x. Currently, when all nodes in a virtual server are marked down, a message is logged for each pool member of the virtual server. For example, you might see a message like this for each member of a pool on the virtual server:

Mar 24 09:01:00 bip6400 mcpd[864]: 01070638:3: pool member 10.10.10.40:80 monitor status down.

Product licensing and BIG-IP system behavior (CR46636)
Currently, when the product license expires on the BIG-IP system, it does not fail over to a peer system with an active valid license.

Setting a pool to be a gateway failsafe pool requires b load command (CR46870)
When configuring the system, if you change a pool to become a gateway failsafe pool, you must run a b load command to have the system accept the change.

Compression workers do not stop even when compression disabled (CR47329)
If you use a compression-enabled HTTP profile, the compression workers continue to operate even after you disable the profile. We recommend that you activate a compression profile only if you fully intend to implement it within your network.

bigtop command does not update after failover occurs (CR47361)
If you are running a redundant system, the bigtop command is not updated when a failover event occurs.

SSL certificates: native serverssl stack does not support client-side certificates (CR47702)
When using Server SSL (SSL re-encryption) and the node requests a client certificate, the BIG-IP system does not send a client-side certificate. To work around this issue, specify ALL as the cipher in the server SSL profile.

SNAT implementation runs full proxy (CR48055)
The SNAT implementation creates a TCP port 21 listener on all VLANs. This issue does not impact performance or functionality.

SSL session ID persistence breaks on re-handshake (CR 48114)
Session ID persistence is unaware of mid-connection renegotiations. This may cause new persistence entries not to be added for a new session ID if there are any negotiated in the middle of a connection.

Removal of SNMP v3 user access records (CR48190)
When you delete an SNMP v3 user access record, the system correctly removes the record from the file /config/snmpd.conf and from the BigDB database, but not from the file /config/net-snmpd/snmpd.conf.

Incorrect permission assigned to user access records (CR48191)
When you use the Configuration utility to create a new SNMP v1, v2c, or v3 user access record, the system incorrectly assigns a default permission of read/write (rw). The correct default permission for a new user access record is read-only (ro).

Trailing whitespace on Tcl if statement and line continuation of else (CR 48213)
Any trailing whitespace in a Tcl statement breaks the line continuation of the rule statement. To avoid this problem, remove any whitespace at the end of each line of the Tcl statement.

Removal of interface (port) mirrors (CR48376)
When more than one interface is mirrored to another interface, and you delete one of those mirrored interfaces, all mirrored interfaces are inadvertently deleted. For example, if interfaces 1.2 and 1.3 are mirrored to interface 1.1, and you delete interface mirror 1.2, then interface mirror 1.3 is also deleted.

LCD reports active while the command line prompt states the system is inoperative (CR 48409)
The LCD can report only three types of system status: Active, Standby, or Standalone. If the system is in a different state, it may not be reported on the LCD screen.

OneConnect and applications that use NT Challenge/Response (NTCR) (CR48426)
OneConnect does not support applications that use NT Challenge/Response (NTCR).

Configuring multiple RADIUS server objects that use the same server IP address and port (CR 48464)
You cannot configure multiple radius server objects that share the same server IP address and port. This happens when you create a traffic auth profile with a radius server and then set up the system authentication (which uses its own radius server object). The two collide and create an error. To work around this situation, set up the system auth first and then use the system_auth_radius1 server in the traffic auth profile configuration.

System unavailability due to low memory (CR48465)
In certain low-memory situations related to Packet Velocity ASIC (PVA), the system can become unavailable.

Large external classes can degrade system performance (CR48489)
When loading external classes, the system can suffer performance degradation if too much data is loaded in at the same time. We recommend that you load data in chunks 4MB or smaller.

TCP::collect implicitly holds the accepted event (CR 48592)
The TCP::collect command is not appropriate for some protocols where the server sends data first, such as banner protocols.

System unavailability due to memory depletion (CR48594)
When processing an extremely high number of connections per second (approximately 30,000), with very large window sizes for compression, the system can run out of memory, causing a system failure. Occurrence of this event is highly unlikely.

Mirrored FTP connections dropped on peer reboot (CR48663)
Rebooting a peer to which FTP connections are mirrored prevents the FTP connections from being reincarnated on that peer, due to FTP virtual servers being incompatible with Fast L4 profiles.

Use of escape characters in PAM authentication configure files (CR48682)
Creating auth configurations via MCP triggers the creation of PAM service configuration files. Without proper escaping of spaces and square brackets, PAM module arguments listed in the service configuration may be improperly parsed by the modules themselves. For more information on escape character rules, see http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html#ss4.

FastL4 profiles restricted on IP forwarding virtual servers (CR48980)
When using the Configuration utility, you cannot add FastL4 profiles to IP forwarding virtual servers.

Use of the default fasthttp profile (CR49182)
Using the default Fast HTTP profile (fasthttp) might attempt to pool server-side connections indefinitely, even if no virtual server references the profile. We recommend that you create a custom Fast HTTP profile instead of using the default fasthttp profile.

Tcl commands matchclass and findclass do not handle non-variable class name (CR49375)
The system currently does not support non-variable class names for the matchclass and findclass commands.

drop and reject commands for UDP traffic (CR49445)
When processing UDP traffic, the system does not always handle the iRule commands drop and reject properly.

Using the management interface for TMM traffic (CR49456)
In certain cases, when no TMM default gateway is defined, network traffic that should use a TMM interface uses the management interface instead. Examples of cases when this can occur are when you are using a forwarding virtual server, or when traffic for a client on an internal VLAN is using a SNAT.

Header Insert setting in Fast HTTP profile (CR49530)
When configuring a Fast HTTP profile, any TCL command that you specify for the Header Insert setting will not expand to an actual value. For example, if you specify the value IP::client_addr, the command will not resolve to the actual client IP address. An alternative approach is either to write an iRule that is triggered by the HTTP_REQUEST event and specifies an HTTP::header insert command, or to use the X-Forwarded-For profile setting.

Interrupted TCP connections are aborted unnecessarily (CR51197)
If an ARP or NDP entry times out or the peer is not responding, the connection aborts. These connections should only abort when the system is unable to establish a connection.

Password configuration for the BGP routing module's MD5 authentication (CR51590)
If the BGP MD5 authentication password is configured for a peer group, the authentication fails.

Extraneous mod_jk messages and the Configuration Utility (CR51705)
When you use the Configuration utility, certain mod_jk-related error messages are logged. These messages are extraneous and can be ignored. An example of such a message is [error] mod_jk child init 1 -2.

Gratuitous ARP messages sent on disabled virtual server (CR51833)
The system sends a gratuitous ARP message during failover, when the virtual server is disabled.

Extraneous menu items in Configuration utility (CR52062)
In some cases, Configuration utility menu items should not appear on the Main tab of the navigation pane.

Total SSL TpS displayed by Configuration utility (CR52164)
The Configuration utility does not currently report the total amount of SSL transactions per second (TpS) for which the BIG-Ip system is licensed. To determine this value, you can view the file bigip.license directly.

Node status during ConfigSync (CR52171)
The BIG-Ip system currently changes node status, such as logging up and down status messages, during configuration synchronization.

Premature closing of HTTP connections (CR52482)
With a one-armed configuration, server-side HTTP connections sometimes close prematurely.

Behavior of sod service after failover (CR52499)
When you have defined a preferred active unit of a redundant system and failover occurs, the sod service starts too soon, before other resources (such as pools) are ready to accept traffic.

Configuring a MAC masquerade address (CR52602)
Enabling MAC masquerading on an existing VLAN no longer drops attached routes in the Linux routing table.

SNAT timeout values (CR52675)
The timeout values for SNAT translations should not have a default value of Indefinite. For SNAT-only configurations (that is, those not associated with a virtual server), this could result in too many connections, which in turn could result in unexpected closing of connections. To prevent this problem, set SNAT timeouts to a value other than Indefinite.

Remote RADIUS authentication (CR53068)
When a user who has been remotely authenticated by a RADIUS server closes the browser session and then opens a new session within a 24-hour period, the BIG-IP system does not reauthenticate the user.

iRule performance (CR53569)
Performance of an iRule can be degraded when the iRule includes string operations.

mcpmsg_to_database error in regards to trunks (CR53608)
Certain conditions can cause the TMM and mcpd to become out of sync with each other. These conditions are very rare, and are often resolved through rebooting the system.

Significant data loss for 2-3 seconds during failover in specific configurations (CR53636)
If you configure your LTM systems to use full proxy and the server gateway IP address is the same as the self IP of one of the LTMs, you may experience data loss for 2-3 seconds during a failover event. We recommend avoiding this configuration if at all possible.

SNMP traps, bigipAgentStart and bigipAgentRestart, are not sent (CR53741)
When SNMP service starts or restarts, it does not send traps. Instead, it only sends a trap on shutdown.

RAMCACHE: empty URI excludes list causes everything to be cached (CR54077)
If you have an empty URI excludes list, the system will cache everything possible. You can work around this by creating an iRule that defines what items should be cached.

System allows configuration mirroring with cookie persistence (CR54086 and CR54223)
In version 9.1.2, you can enable mirroring on an HTTP profile with cookie persistence. This is not a valid configuration. Do not enable mirroring with cookie persistence.

Generic status update runs out of database memory (CR54302)
If you have a large configuration for LTM, the status update process may result in consuming all of the available memory for the database. To resolve this issue, increase the allowed database memory size.

Full memory not reported with FIPS card installed (CR54307)
When updating memory on a system with a FIPS card, the correct amount of memory may not appear on the display. This is a display issue only; the full amount of memory is available to the system.

Remote Authorization/LDAP and AD/SSL fields do not persist in the Configuration utility (CR54398)
When modifying SSL fields, you must disable SSL, click the Finished button, and then re-enable SSL and make the modifications. Otherwise changes do not persist.

UCS includes license file (CR54418)
The UCS contains the license file, which prevents using the UCS as a means of copying one configuration from one machine to another. If you need to migrate a configuration to another machine, please contact technical support.

VNC over win32 stunnel to clientssl profile causes connection to drop (CR54579)
When you use VNC over a win32 tunnel to a clientssl profile, the connection ends prematurely. To resolve this issue, use the OpenSSL stack instead of the native one, using the command: ciphers: 'ALL:!NATIVE'.

bge reset is not resilient to preemption (CR54590)
A bge reset can often result in a firmware handshake failure. There is no workaround for this issue.

Install kernel should enable SCCP MAC Filter (CR54769)
Currently the install kernel does not enable the SCCP MAC filter. To enable this filter, run the sccp_bridge_mode script.

Configurations with greater than 16 VLANs causes pvad stats packet deserialization error (CR54798)
Large configurations (more than 16 VLANs) cause a pvad stats pkt deserialization error. To resolve this issue, set the db variable, pva.Acceleration, to none.

LTM responds incorrectly on 302 responses (CR54923)
The LTM occasionally responds incorrectly when a VIP using an http/compress profile returns a 302 error. The exact behavior depends on the LTM configuration. To resolve this issue, only use compression for 200 error server responses.

IM upgrade package does not force synchronization (CR54980)
When you install an IM upgrade package and immediately reboot, you can lose changes because the IM package is not synchronized with the system. Avoid rebooting the system immediately after installing an IM upgrade package.

"Authenticate Once" option does not disable session resumption when set to False (CR55371)
When you set the "Authenticate Once" option to false, the system does not disable session resumption. To resolve this issue, disable the session cache explicitly with the command: cache size 0.

EXPORT ciphers can slow performance with SSL (CR55478)
When you implement EXPORT ciphers with SSL, performance will be slower than without the ciphers.

Changing GATEWAY in /etc/sysconfig/network can adversely affect routes (CR55546)
When you are adding and modifying management routes, you must not assign it a GATEWAY role in the /etc/sysconfig/network config file. Doing so will force you to manually restart the ZebOS after reboot.

Date on UCS file is always in Pacific Daylight Time (PDT) (CR55583)
The date assigned to a UCS by the system is always in PDT format. There is no workaround for this issue.

File, syslog-ng.conf, is not included in UCS file (CR55584)
When you create a UCS file, it does not include the syslog-ng.conf file. If you edit the syslog-ng.conf file, you should back it up to another system.

Countdown message of VLAN failsafe is not logged (CR55593)
In this version of the software, the countdown message for VLAN failsafe is not logged. There is no workaround for this issue.

BIG-IP system incorrectly rejects HTTP::host accessor with Fast HTTP profile (CR55688)
When using a Fast HTTP profile and a rule containing [HTTP::host], the system displays an error. To resolve this issue, use the accessor, [HTTP::header "host"], which is the equivalent of [HTTP::host].

Selecting a nulled pool member could result in TMM crash (CR55748)
An intermittent issue exists in which selecting a nulled pool member may cause the system to become unstable. The occurrence of this issue is very rare; consequently, no workaround is available.

Layer 7 connection mirroring (CR55926)
After failover has occurred, the BIG-IP system does not re-mirror any Layer 7 connections that were mirrored prior to failover.

Lasthop gateway reselection occurs during proxy ingress only (CR56001)
When you conduct a lasthop gateway reselection, the system implements the reselection during proxy ingress only. There is no workaround for this issue.

ICMP packets unhandled by PVA listener in TMM can cause packet leak (CR56002)
The system is configured to treat all packets as handled by the PVA, even though the PVA might not handle the packets under certain circumstances. This could result in packet leak. To resolve this issue, ensure that the PVA is configured to handle all packets.

Receiver side SACK report can contain stale information (CR56169)
During normal operations, the receiver side SACK report can contain stale information. There is no workaround for this issue.

Accessor, [HTTP::uri] not allowed in LB_Failed iRule with HTTP profile (CR56173)
The system currently does not allow the accessor [HTTP::uri] in an LB_Failed iRule with an HTTP profile. There is no workaround for this issue.

cURL local vulnerability (CR56208)
A vulnerability was found in the code used for this version of the software. This vulnerability is from one of the libraries used to create LTM. The vulnerability is only accessible if the user types specific command-line parameters.

Partial acks can result in TMM issues (CR56110)
When a mirrored connection receives a partial ack, a TCP congestion window underflow may occur, resulting in a TMM core. There is no workaround for this issue.

TMM: partial acks on mirrored connection (CR56221)
Partial acks on a mirrored connection can cause TMM to panic.

Connections can fail under certain firewall conditions (CR56232)
If you have a configuration in which the system has firewalls on either side of it, you must ensure that you assign the correct port values on both sides of the system; otherwise, connections can fail.

HTTP data present failure (CR56257)
An HTTP data present failure can occur in HUDCTL_HTTP_RESPONSE. This issue occurs rarely; there is no workaround.

pvad pool constraints do not recurse to virtual servers correctly (CR56464)
Under certain conditions, the pool constraints options can cause the pvad to spin. There is no workaround for this issue.

Monitors: nPath health monitor (CR56572)
In an nPath configuration, the nPath health monitor appears to work on the active box, but the monitor is actually load-balanced by virtual, rather than being forwarded on to the pool member being monitored. On the standby box, the monitor requests are dropped by the TMM.

glibc vulnerability (CR56669)
A minor vulnerability exists in the glibc included with this release. This issue pertains to two scripts packaged with glibc, catchsegv and glibcbug, which have been reported to have symlink timing errors that could result in a local user overwriting crucial system files. The vulnerability is local; there is no workaround.

Hard setting interface media speed/duplex blocks STP ports permanently (CR56671)
When you use both STP and hard set interfaces, you can block STP ports permanently. To resolve this issue, do not use STP with hard set interface speeds.

Online help gives mstp range 1-4095, should be 1-255 (CR56690)
The online help for Multiple Spanning Tree Protocol (MSTP) shows an incorrect range of numbers allowed for instance IDs. The correct range is 1 through 255.

Marking a pool down and issuing the bigstart restart command (CR56704)
If you mark a pool member down, and then save the configuration and use the bigstart restart command, the pool member will remain active. A subsequent b load command forces the pool member down as marked. This issue also affects the session disable on a pool member and both down and disabled on a node.

Redefining a large class fails with extremedb error (CR56743)
When you create a single class in LTM, and add a large number of members, you can get an invalid cursor error. To resolve this issue, either delete the class and re-create it, or remove the members of the class from /config/bigip.conf and then reload it.

Monitor instance enable/disable setting not saved (CR56868)
If you disable a monitor instance, and then use the b save and then b load commands, the monitor instance disable or enable setting is not saved in the configuration file.

Interrupting the remote install (CR57014)
Interrupting the remote install process on the BIG-IP 1000 (D39), BIG-IP 2400 (D44), BIG-IP 5100 and 5110 (D51) platforms may cause the install to fail when you attempt to restart the install process.

Memory allocation for TCL variable (CR57252)
The TMM service can become unavailable if an iRule attempts to place more than 4 megabytes of memory into a TCL variable.

EUD does not adequately isolate external connections (CR57360, CR57362)
When the EUD runs, it requires that there is no external traffic in or out of the BIG-IP system, but external peers can still detect link connectivity and send traffic to the BIG-IP system, causing the EUD internal packet path test to fail. We recommend that you remove all external connections from the BIG-IP system before running EUD.

ConfigSync saving syslog.conf instead of syslog-ng.conf (CR57597)
The ConfigSync operation does not include the syslog file, syslog-ng.conf.

Syslog-ng: uninitialized interfaces after syslog-ng fails to start or if it has been manually configured (CR57698)
If syslog-ng does not start or if you have manually configured the syslog-ng daemon, the system interfaces may not initialize properly after you upgrade the system. For more information, see SOL5872: BIG-IP does not pass traffic and non-management interfaces are non-responsive after upgrading BIG-IP to version 9.1.2 or 9.2.2 and SOL5879: BIG-IP does not pass traffic and non-management interfaces are non-responsive if syslog-ng fails to start.

Console baud rate on upgrade from 9.x to 9.1.2 (CR59186, CR59156)
During the upgrade from BIG-IP version 9.x to version 9.1.2, if console baud rate is set to a different value than 19200, you will lose the console connection to the system. For more information about this situation, see SOL5916: Loss of console access after upgrading from v9.x to v9.1.2. For information about setting the serial console baud rate for BIG-IP version 9.1.2, see SOL5919: Setting the serial console baud rate for BIG-IP version 9.1.2.

Preferred Method setting in HTTP profile (CR56196)
The set of HTTP profile settings in the Configuration utility does not display the Preferred Method setting for HTTP data compression when the Compression add-on is licensed. The default value for this setting for BIG-IP system version 9.1.2 is Deflate. This default value differs from the 9.2.x default value, which is gzip.

Media type for D51F platform (CR56557)
The Configuration utility incorrectly shows the media type for the D51F SX interfaces as being 100baseT. The correct value is 100baseSX.

Detached client-side connections (CR59667)
The bigpipe conn command should report detached client-side connections as being detached, rather than showing statistics rolled over from server-side connections.

Client SSL and Server SSL profile statistic (CR61705)
For Client SSL and Server SSL profiles, the in value for the (in, out) = decrypt statistic always shows 0.

EXPORT ciphers in SSL profiles (CR61828)
When you use the EXPORT ciphers in an SSL profile, the BIG-IP system cannot resume an SSL session and therefore causes a client to request a reauthentication each time a new page is loaded.

Timezone setting does not persist (CR64081 and CR64142)
If you upgrade a system and have changed the time zone for that system to anything other than Pacific Standard Time, the upgrade process resets the time zone back to Pacific Standard Time. After you complete the upgrade, you must reset the time zone for the system.

Pool member iRule command might fail if specified member is down (CR64173)
If a monitor marks a specific pool member down, and that member is specified in a pool member iRule command with a port number, the system directs the connection to that node. If you do not specify a port number, the system does not direct the connection to that node, and an LB_FAILED event occurs.

 


Acknowledgments

This section lists acknowledgments for software added in this release.

This product includes software developed by Balázs Scheidler <bazsi@balabit.hu>, which is protected under the GNU Public License.

This product includes software developed by Niels Möller <nisse@lysator.liu.se>, which is protected under the GNU Public License.
