Applies To:

Show Versions Show Versions

Release Note: BIG-IP LTM version 9.2.3
Release Note

Software Release Date: 05/22/2006
Updated Date: 12/11/2013

Summary:

This release note documents the version 9.2.3 feature release of BIG-IP® Local Traffic Manager, Load Balancer Limited, and Application Accelerator. To review the features in this release, see New features in this release. For existing customers, you can apply the software upgrade to systems running BIG-IP version 4.5 PTF-04 through version 4.5.13, and version 4.6 through version 4.6.4, and to systems running version 9.0 and later. For information about installing the upgrade, please refer to Installing the software.

Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.

Warning: This is a feature release, not a maintenance release. Unless you need specific features that are new to this feature release, please upgrade to the latest maintenance release instead.

Contents:

- Supported browsers
- Supported platforms
- Installing the software
- Performing a local installation
- Performing a PXE server installation
- Performing a remote installation
- Verifying the MD5 checksum of the upgrade file
- Re-activating the license on the BIG-IP system
- New features and fixes in this release
     - New features in this release
     - New fixes in this release
- Features and fixes in prior releases
     - Features from version 9.2.2
     - Fixes from version 9.2.2
     - New features from version 9.2.0
- Optional configuration changes
- Using SNMP read/write OIDs
- New SNMP OIDs
- Using the switchboot utility
- Known issues
- Acknowledgments


Supported browsers

The Configuration utility (graphical user interface) supports the following browsers:

  • Microsoft® Internet ExplorerTM, version 6.x and later
  • Netscape® NavigatorTM, version 7.1, and other browsers built on the same engine, such as MozillaTM, FirefoxTM, and CaminoTM.

We recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

[ Top ]

Supported platforms

This release applies only to the supported platforms listed below; each one provides all minimum system requirements. This release supports the following platforms:

  • BIG-IP 520 and 540 (D35), for more information, see 520/540 platform support.
  • BIG-IP 1000 (D39)
  • BIG-IP 1500 (C36)
  • BIG-IP 2400 (D44)
  • BIG-IP 3400 (C62)
  • BIG-IP 5100 and 5110 (D51)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)

If you are unsure of which platform you have, look at the sticker on the back of the chassis to find the platform number.

[ Top ]

Installing the software

There are several installation options to consider before you begin the version 9.2.3 software installation. Before you begin the installation process, you need to determine which installation option is appropriate: local, PXE server, or remote.

Warning:  A valid service contract is required to complete this upgrade.

Warning:  You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.

Warning:  You must turn off mirroring before you attempt to upgrade to version 9.2.3. Mirroring between units with previous versions of the BIG-IP software installed and version 9.2.3 is not supported.

Important: You are prompted to install the software on multiple boot images if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

Important: You must perform the installation logged in as root from the management interface (Management) on the BIG-IP system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.

Performing a local installation

Before performing a local installation, read the following information.

Performing a PXE server installation

The procedure for performing a PXE installation depends on the version of the BIG-IP system you area currently running, and whether you have the 520/540 platform.

Performing a remote installation

The procedure for performing a remote installation depends on the version of the BIG-IP system you area currently running.

[ Top ]

Verifying the MD5 checksum of the upgrade file

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the upgrade file. This verifies that you have downloaded a good copy of the upgrade ISO. To run the test, type the following commands, where Upgrade9.x.iso is the name of the upgrade file you downloaded.

md5sum Upgrade9.x.iso

Check the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.

[ Top ]

Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab, expand System and click License.

    The License screen opens.
     
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.

    For details about each screen, click the Help tab.
[ Top ]

New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

Secure password policy
With this release of the BIG-IP system, you can now create and implement a secure password policy. Implementing a secure password policy ensures that user-created passwords adhere to criteria such as minimum length, allowed character types, expiration periods, and so on. For more information see, SOL5962: Configuring a Secure Password Policy for the BIG-IP System.

New fixes in this release

This section lists and describes the fixes included in this release for issues found in BIG-IP system version 9.2.2.

New bigdb key Common.Bigip.Bigd.ReuseSocket (CR56494)
In some situations, a server taking a long time to respond to a BIG-IP system health check might not be marked up. If this occurs, you can configure a new bigdb key Common.Bigip.Bigd.ReuseSocket. When the key is set to 1 or it is not set, the behavior is still same as before. When the key is set to 0, the bigd function always closes the previous socket and opens a new socket at each ping interval for internal monitors, regardless of the result of the previous ping. Whenever you change the value of that bigdb key, the bigd function does not pick up that change automatically, and you must take these steps to make that key take effect:

  1. Restart bigd by running the bigstart restart bigd command
  2. Find the bigd process ID (using the command cat /var/run/bigd.pid or ps -ax | grep bigd)
  3. Send a USR1 signal to bigd by using the command kill -USR1 <bigds pid>)

Race condition after an mcpd/TMM disconnect/reconnect (CR56608)
An mcpd/TMM disconnect/reconnect action was causing a race condition in the pvad service. This race condition no longer occurs.

Build number on core file CR57206)
The pvad core file now shows the correct build number after you install an upgrade.

sysctl.conf setting net.ipv4.tcp_timestamps (CR57261)
The new sysctl.conf setting net.ipv4.tcp_timestamps = 0 is no longer dropped when rolling a UCS file forward from version 9.1.

Use of protocols that rely on IP multicast (CR57268)
IP multicast packets received by a VLAN group are now copied to the host, allowing proper communication for local daemons that use protocols relying on IP multicast (such as OSPF and RIPv2).

Missing certificate credential message (CR57483)
Previously, the authentication subsystem did not treat an empty certificate credential message as an indication that this credential was absent. Now, the authentication subsystem correctly recognizes an empty certificate credential message as a missing credential.

LDAP mandatoryattrs parameter (CR57524)
When the LDAP monitor parameter mandatoryattrs is set to yes and the monitor returns referrals only, the system no longer behaves as though attributes were returned.

Removal of authentication configuration object from profile (CR57531)
Removing a reference to an authentication configuration from a parent authentication profile no longer causes problems for other profiles that inherit from that parent.

Controllable rate limits for switch chips (CR57536)
The system includes three new bigdb variables for limiting packet rates: switchboard.max.DlfRate, switchboard.rmax.BcastRate, and switchboard.rmax.McastRate.

qkview error message(CR57558)
Running version 6.2.0 of qkview no longer produces an error message.

Premature termination of connections (CR57569)
During high congestion, the system flushes data and preserves the connection when the server begins transmitting a response before the request has been fully sent to the server.

SNAT use of SNAT pool members (CR57636)
When you have a SNAT pool in which all IP addresses are on the same VLAN and network (known as a homogeneous SNAT), the system no longer chooses the same SNAT pool member (IP address) for every SNAT that it creates.

Linux cURL vulnerability (CR57668)
The Linux cURL package no longer contains a local vulnerability that allowed a user to run arbitrary code on a client machine.

iRule domain command (CR57745)
The iRule domain command no longer truncates the domain name.

Configuration synchronization of bigdb SNMP keys (CR57788)
The BIG-IP system now handles SNMP-related bigdb keys properly during configuration synchronization.

SIP monitor acceptance of Call-ID and From lines (CR57997)
The SIP monitor now accepts alternate forms of the Call-ID: and From: lines from a server. Specifically, the monitor can now accept lines beginning with the alternate forms i: and f: for the Call-ID: and From: lines, respectively.

Checksum of first packet from Fast L4 flow (CR58164)
If the first packet from a Fast L4 flow fails the checksum test, the flow is removed. This removes a SYN flood vulnerability on accelerated virtual servers.

CPU usage by Linux interrupt handler and TMM service (CR58211)
Linux no longer handles interrupts on the same CPU as that used by the TMM service. This prevents certain network performance problems from occurring.

High availability connection for connection mirroring (CR58300)
Under high load, and in certain circumstances, a redundant system no longer loses connections in the HA channel.

Licensing BIG-IP system version 9.2.0 on the D44 platform (CR58368)
The licensing process now works correctly when you are licensing version 9.2.0 of the BIG-IP system on the D44 platform.

Truncated SSL session IDs (CR58395)
The iRules feature no longer truncates an SSL session ID containing null bytes.

Host header from SOAP monitor (CR58423)
The SOAP monitor no longer sends IPv4 addresses as IPv4-mapped IPv6 addresses (for example, ::ffff:192.0.2.128).

Persistence hash table and system performance (CR58487)
We have increased the size of the persistence hash table to ensure that system performance is satisfactory when you are using session persistence.

TMM hash table size (CR58494)
We have increased the size of the TMM hash table to ensure that system performance is satisfactory.

Installation of f5-webui package (CR58497)
When you install the f5-webui package, the BIG-IP system no longer displays warning messages.

Dependency of the bcm56xxd service on the Syslog-ng utility (CR58625)
The bcm56xxd service no longer depends on the starting of the Syslog-ng utility. Therefore, if the Syslog-ng utility cannot start for any reason, the bcm56xxd service still runs.

Information shown by the qkview utility (CR58718)
The qkview utility now shows more comprehensive information by no longer omitting core file and other types of information.

Memory use resulting from behavior of iControl SOAP interfaces(CR58774)
iControl SOAP interfaces no longer disrupt TMM traffic due to excessive memory use.

SCCP debug information from the qkview utility(CR58840)
The qkview utility now provides additional SCCP debug information.

pvad log messages on large configurations (CR58888)
On systems with more than either 16 VLANs or 32 network virtual servers, log messages that the pvad service generates are no longer as verbose.

PVA data transmission (CR59100)
For accelerated virtual servers, the Packet Velocity ASIC® (PVA) no longer transmits corrupted data to the TMM service.

SSL connections during mid-stream handshake (CR59167)
For SSL connections using a Cavium-supported suite, the system now correctly handles SSL connections during mid-stream handshake.

Alerts for closed SSL sessions (CR59210)
In certain circumstances where an SSL session has already been closed, the BIG-IP system now prevents the TMM service from sending an SSL alert.

Space limitations on Compact flash (CR59341)
There was a problem with space limitations when you installed hotfixes on certain 9.2.x platforms. There is now adequate space on the Compact flash to install hotfixes on all 9.2.x platforms.

Trunks and load balancing of egress traffic (CR59401)
On 8400 platforms with trunks implemented, the system is now load balancing egress traffic correctly.

SSL: determining the issuer of a certificate provided by a client during handshake (CR57959)
The BIG-IP system SSL filter can now determine the client certificate's issuer certificate in cases where the client sends this issuer in its Certificate handshake message. This was observed in a multi-level public key infrastructure (PKI) where only the root CA is trusted by BIG-IP and attempting to use [SSL::cert issuer 0] in a CLIENTSSL_CLIENTCERT rule.

System rebooting after power loss (CR61356)
The system now boots up correctly after power loss without user intervention on 3400, 6400, and 6800 platforms.

Features and fixes in prior releases

The current release includes the features and fixes that were distributed in prior feature releases, as listed below.

Features from version 9.2.2

8400 platform support
This release includes support for the new 8400 platform.

Global Traffic Manager (GTM)
You now have the option to license the TMOS integrated Global Traffic Manager (GTM). For more information about the Global Traffic Manager, see the Global Traffic Manager release notes.

Link Controller
You now have the option to license the TMOS integrated Link Controller (LC). For more information about the Global Traffic Manager, see the Global Traffic Manager release notes.

Using a literal carriage return in a monitor parameter string (CR43128)
The system can now interpret literal carriage returns in monitor strings that are created by pressing the Enter key. If the string you are creating requires a literal carriage return, press the Enter key.

Fixes from version 9.2.2

Redundant systems and assigning duplicate IP addresses (CR43330)
If you have a redundant system, and on both units you assign the same IP addresses on the internal and external VLANS, the system generates an error message. This is not a valid configuration.

Discard option during the upgrade process (CR44129)
The discard option now handles the boot entry for the discarded installation from the grub.conf file correctly. This means that installations that you have discarded do not appear as options on the grub.conf list at boot time.

HTTP: redirect rewrite and ports (CR45211)
The HTTP redirect rewrite feature now removes the port string from the redirect response if it is the node's port.

HTTP: Support for the CONNECT method (CR45526)
The system now supports the CONNECT method correctly.

L4 connection mirroring and fail-back (CR45480)
L4 connection mirroring now works correctly with the fail-back feature.

Benign error message when network booting from CD image (CR45998)
We have corrected the problem that caused the following benign error message when you boot the BIG-IP system from the CD image:

msg insmod e100: no module by that name found

You no longer see this message.

Forcing speed and duplex settings on the management interface (CR46765)
You can now force the speed and duplex settings on the management interface. Previously, if you tried to force the media settings of the management interface, bigpipe would fail silently.

bigpipe: syntax for adding a pool member (CR47907)
To add a member with a connection limit to an existing pool requires only one command. Use this command syntax to add the member and the connection limit, like this:

b pool poolname member 10.0.0.5:80 limit 5000 add

Configuration utility: Host Name on the Platform screen (CR50443)
The host name is now correctly validated on the Platform screen in the Configuration utility.

SCCP: log files and disk space (CR52506)
We have corrected a problem that could cause the SCCP log files to grow too large and take up disk space.

F5KM: Self-signed certificates missing NULL parameter in signature data (CR52590)
The self-signed certificates generated on the system are now encoded with an RFC-specified NULL parameter value.

Active-Active connection mirroring (CR52826)
The system now mirrors active-active secrets correctly.

Resetting ephemeral statistics (CR52968)
Ephemeral statistics are now reset when you reset statistics for a virtual server.

Mirrored connections for SIP persistence (CR53039)
Session Initiation Protocol (SIP) persistence works for mirrored connections when failover occurs.

Dropping the SX link for a fiber interface (CR53045)
The Configuration utility now reports the correct status for fiber interfaces.

Changing the terminal baud rate setting (CR53026)
When performing a PXE boot, the terminal baud speed setting is now set correctly.

Configuration utility: New Connections detail graph title (CR53308)
We have changed the title of the New ClientSSL Accepts/Connects graph to the correct title New Accepts/Connects.

Reciprocal ARP entries (CR53318)
The system now creates reciprocal ARP entries using the correct timeout value (arp.timeout).

Hardware acceleration: virtual servers with mixed software and hardware acceleration attributes (CR53440)
Virtual servers with software and hardware acceleration attributes now use hardware acceleration appropriately.

Log files and HTML/Javascript (CR53532)
Log files displayed in the Configuration utility no longer contain HTML or Javascript.

Configuration utility: STP configuration on list page (CR53628)
You can now save the STP configuration on the list page in the Configuration utility.

Erroneous HTTP profile setting for virtual servers (CR53645)
On the Configuration utility screen for creating a forwarding type of virtual server, the utility no longer displays the HTTP Profile setting.

OneConnect: detaching for HTTP/1.0 304 messages (CR53841)
OneConnect now handles HTTP/1.0 304 messages correctly.

End User Diagnostics menu item is available after installing version 9.1 (CR53894)
Installation of version 9.1.1 does not remove the End User Diagnostics (EUD) menu item.

Clone pools are not demoted (CR53948)
Clone pools are now handled correctly with hardware acceleration.

Virtual servers referencing multiple iRules (CR53976)
The system no longer experiences problems when a virtual server references more than one iRule.

Changing rule order or priority on virtual servers (CR54042)
Changing the order of two rules referenced by the same virtual server and reloading the configuration no longer destabilizes the system.

The option, Other External User Role is now synchronized across multiple systems (CR54207)
When you assign a value to the Other External User Role option to one system, that value overwrites the default value on another system if that system has remained with the default value, No access. You no longer have to log into the additional systems and modify the value manually.

Config sync user roles are no longer configurable (CR54267)
Users who are assigned as the ConfigSync user can no longer change their role unless they are unassigned as the ConfigSync user.

Configuration utility: application error on New Profile screen (CR54321)
We have corrected a major application error that occurred when you clicked the Next button on the Create New Profile screen.

Server profiles page and actual server profiles (CR54322)
The Server Profiles now displays all appropriate server profiles.

Swiftcurrent platforms: SSL handshake resume and OCSP and Client Certificate LDAP authentication (CR54511)
OCSP or Client Certificate LDAP authentication now works correctly on the following platforms.

  • BIG-IP 1000 (D39)
  • BIG-IP 2400 (D44)
  • BIG-IP 5100 and 5110 (D51)

SNMP trap ID ranges (CR54747)
The range of SNMP trap IDs that the BIG-IP system uses no longer overlaps the range of trap IDs that the 3-DNS product uses.

iRule LINK::qos command (CR54791)
The iRule LINK::qos command now behaves as expected.

Large configurations with several VLANs (CR54799)
When loading a large configuration (such as 257 VLANs) on the BIG-IP system, the system no longer generates PVA statistics errors regarding packet deserialization.

OpenSSL update (CR55070)
In response to various security advisories, we have updated the version of OpenSSL to version 0.9.7i.

TMM availability and NULL pool members (CR55251)
The TMM service no longer becomes unavailable due to a pool member being set to NULL.

Escape characters for send and receive strings in monitors (CR55366)
The Monitors chapter of the Configuration Guide for Local Traffic Management now explains how to use escape characters to specify multi-line Send String and Receive String values.

Modification of the StateMirror.^IPaddr bigdb key (CR55483)
The TMM service is no longer adversely affected when you modify the bigdb key StateMirror.^IPaddr.

Reselection of last hop gateway (CR55761)
The BIG-IP system now reselects the correct last hop gateway when a pool member is unavailable.

Enabling and disabling VLAN groups on a virtual server (CR56577)
When configuring the VLAN Traffic setting of a virtual server configuration, if you specify a VLAN group, hardware acceleration now demotes to Assisted mode. A way to avoid this is to separate the VLAN group into its VLAN members, specifying the individual members in the VLAN Traffic setting.

Returned From string and SIP monitor (CR56819)
The SIP monitor now accepts a returned From string regardless of whether the URI is encased in angle brackets (<>) or not.

Monitors: MSSQL monitor and send parameter (CR57045)
You can now use the MSSQL monitor without the send parameter configured.

[ Top ]

New features from version 9.2.0

Integrated Application Security Module (ASM)
You now have the option to license the TMOS integrated Application Security Module. For more information about the Application Security Module, see the Application Security Module release notes.

520/540 platform support
This release is supported on the 520/540 (D35) platforms.

End-user diagnostics for hardware
This release contains the end-user diagnostics (EUD) test suite. The EUD provides the ability to diagnose hardware related problems on the 1500 (C36), 3400 (C62), 6400 (D63), and 6800 (D68) platforms. For more information, see End-User Diagnostics: Field Testing Hardware.

Statistics Profile
The Statistics profile provides user-defined statistical counters. Each profile contains 32 fields (Field1 through Field32), which define named counters. Using a Tcl-based iRule command, you can use the names to manipulate the counters while processing traffic. For more information, see Chapter 5, Understanding Profiles, in the Configuration Guide for Local Traffic Management.

[ Top ]

Optional configuration changes

Once you have installed the software, you can use any of the following configuration options to update your configuration.

Using SNMP read/write OIDs

You can use the following SNMP OIDs in read/write mode. However, SNMP is not intended to be used as a general API for configuring the BIG-IP system. These SNMP OIDs are shown in this table.

OID Name OID Value
ltmVirtualServEnabled Enable/disable virtual server
ltmVirtualAddrEnabled Enable/disable virtual address
ltmNodeAddrNewSessionEnable Enable/disable node address
ltmNodeAddrMonitorState Force up/down node address
ltmPoolMemberNewSessionEnable Enable/disable pool member
ltmPoolMemberMonitorState Force up/down pool member
[ Top ]

New SNMP OIDs

The version 9.x releases often include SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

[ Top ]


Using the switchboot utility

Beginning with the version 9.0.2 release, functionality was added to install multiple versions of the BIG-IP software on different boot images on one unit. A boot image is a portion of a drive with adequate space required for an installation. If the hardware supports multiple boot images, you are prompted to install the software on multiple boot images during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

The switchboot utility is available to manage installations on different boot images. You can use the switchboot utility from the command line to select which installed image boots. To run the switchboot utility, type the following command:

switchboot

A list of boot images and their descriptions displays. Type the number of the boot image you want to boot at startup. When you reboot the system, it starts from the slot you specify.

If there is only one boot image available, the switchboot utility displays a message similar to this one and exits.
There is only one boot image to choose from: title BIG-IP 9.2.2 Build 167.4 - drive hda.1

Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.

To use switchboot in non-interactive mode

If you know which boot image you want to boot, you can type the following command and specify the boot image number for <bootimage_number>:
switchboot -s <bootimage_number>

To use switchboot to list available boot images and the currently active boot images.

If you want to list the available boot images without specifying a new boot image from which to boot, type the following command:
switchboot -l

To list options for switchboot

To list the options for the switchboot utility, type the following command:
switchboot -h

To view the contents of the boot configuration file using switchboot

You can view the complete contents of the boot configuration file (grub.conf) with the following command:
switchboot -d

This command is slightly different from switchboot -l in that -d only lists the boot image header lines, while -d displays the complete file.

[ Top ]

Known issues

The following items are known issues in the current release.

1500, 3400, and 6400 platforms: SSH session remains open after peer unit is rebooted (CR40503)
When you establish an SSH session between two units on the 1500, 3400, or 6400 platforms, and you reboot the unit to which you established the SSH session, the SSH session remains open until it reaches its timeout.

Trunks on a BIG-IP 2400 (D44) IP Application Switch (CR40507)
On a BIG-IP 2400 platform, if you connect multiple ports to one switch, you may form a bridging loop, which causes the TMM to restart repeatedly. To avoid this issue, enable spanning tree protocol if you connect multiple ports to one switch.

SIP persistence and persist iRule commands (CR40579)
In this release, the persist iRule commands do not support SIP persistence.

Client SSL and Server SSL profiles and time stamps on key or certificate files (CR40677)
The Client SSL and Server SSL profiles currently do not add time stamps to SSL certificate or SSL key files.

Default route specification for IPV6 (CR40808)
Because the default configuration settings for Network Routes is for IPV4, you must specify both a destination and netmask value to specify a default route for IPV6. To specify a IPV6 default route, you must first choose a type of route instead of default gateway. Then specify the destination as :: and the netmask as :: to set the appropriate IPV6 default route.

OTCU: Displaying monitors saved at pool level in the Configuration utility (CR40977)
After you run the OTCU to convert your 4.5.x or 4.6.x configuration to a 9.x configuration, you cannot view the monitors on pool members until after you run the bigpipe load command twice, from the command line. Alternately, you can reboot the system.

Configuration utility: Re-running the Setup Utility and VLAN configuration error messages (CR42790)
When you rerun the Setup Utility and use the Basic Configuration Wizard (which sets up the default internal and external VLANs), the configuration must follow the following guidelines. If the configuration violates one of these conditions, you see error messages, and cannot complete the configuration.

  • No more than one non-floating IP may be associated with VLANs named external or internal.
  • No more than one floating IP may be associated with VLANs named external or internal.
  • The self IP addresses associated with the VLANs internal and external must use one of the following port settings: Allow Default, Allow 443, Allow None.
  • The bigdb variable Statemirror.IPAddr must match the internal self IP.
  • A VLAN group may not be named external or internal.
  • A trunk may not be configured on VLAN external or internal. The default route must be of type Gateway.

Failover and virtual servers with a OneConnectTM profile, an HTTP profile, and connection mirroring enabled (CR43517)
In a redundant system, if the active unit fails over, and the configuration contains virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled, the failover process does not properly mirror the server-side OneConnect connections to the failover unit.

Link activity lights on the BIG-IP 3400 (C62) platform (CR43570)
On the BIG-IP 3400 platform, if you have trunks configured, the link activity lights on the front panel may not properly indicate link activity (turn green).

Configuration utility: Changing the refresh interval on the Preferences screen applies the change only to statistics screens not viewed yet (CR43613)
In the Configuration utility, on the System > Preferences screen, if you change the Default Statistics Refresh interval, view some statistics screens, and then change the Default Statistics Refresh interval again, the system applies the second update only to those statistics screens that you have not viewed yet.

bigipe command immediately following bigstart restart command (CR44091)
After you run the bigstart restart command, the BIG-IP system takes a minute to initialize. If you run this command, you should wait at least a minute for the system to re-initialize before running additional bigpipe commands.

BIG-IP system caches unreachable IPv6 destinations regardless of IPv6 route updates (CR44109)
A problem may occur where the BIG-IP system caches an unreachable IPv6 destination. This problem might occur if you add the wrong default route, delete it, and change to the correct route, only to find traffic fails to reach the destination.

FTP data channel with Layer 7 FTP connections and non-equal MTUs (CR44165)
Non-equal MTUs may cause Layer 7 FTP connections to stall. If you are using a switch to negotiate the MTU with the BIG-IP system, this is not likely to happen.

Fast L4 profile: Reset on timeout disable and the idle timeout value (CR44261)
Changing the Reset value on the timeout option to disable appears to change the idle timeout value. However, this affects only the value displayed by the system, not the system setting and the functionality of the system.

Configuration utility: Deleting floating IP addresses and non-floating IP addresses (CR44297)
In the Configuration utility, we recommend that you always delete floating IP addresses before you delete non-floating IP addresses.

IPv6: Transparent monitors(CR44388, CR44407, CR44408)
The current IPv6 implementation does not support transparent monitors.

Allowing specific UDP ports (CR44590)
You cannot add a specific UDP port to the allow list that includes the allow default setting. To add specific UDP ports to the allow list, remove the allow default setting and add each UDP port you want to add to the allow list.

Supported MTU for BIG-IP systems and IPv6 (CR44733)
The minimum supported MTU for BIG-IP system using IPv6 is 1280.

Error when swapping RADIUS server keys during a re-load after swapping the server IP addresses (CR44769)
You may see an error when you attempt to swap RADIUS server keys during a configuration reload. You can work around this problem by unconfiguring one of the servers before redefining the other.

Brackets in commented sections of rule syntax (CR44839)
Brackets in commented sections of rule syntax are counted in the bracket count. We recommend that you balance the brackets in the comments.

NAT and ICMP (CR44849)
Currently, NATs do not forward ICMP packets.

Configuration utility: Load Balancer Limited and the Fast L4 profile (CR44866)
The BIG-IP Load Balancer Limited product does not provide the ability to create or edit a Fast L4 profile.

Restoring a configuration and overwriting SSH keys (CR45173)
UCS files back up and restore host and root SSH keys, but there are many situations where these keys are stale, and break communications with the SCCP host subsystem.

Validating routes (CR45212)
Currently the system does not fully validate route configurations, and it is possible to add a route to the configuration for which the gateway router is on the destination network.

SNAT translation addresses and idle timeout values (CR45352)
If you create a SNAT that is not associated with a virtual server, and the idle timeout of the translation address is indefinite, the system uses the default timeout defined in the Fast L4 profile (300 seconds). Also, creating a default SNAT with an idle timeout value lower than the Fast L4 timeout value can cause problems.

Using automatic licensing and errors in the Configuration utility (CR45369)
In the Configuration utility, when you select Automatic option for licensing, if the system cannot communicate with the F5 Licensing Server, the system generates a major application error. To work around this issue, close the current browser session, open a new session, and select the Manual option instead. Note that this happens only in rare instances.

Configuration utility and bigpipe for SSL profile setting Display discrepancies (CR45537)
On the SSL Profile screen, select the Renegotiate Period option and leave it at the default setting, Indefinite. When you view the same setting in the bigip.conf file, you see this number, 138635524 (which equates to 4.396 years), instead of indefinite.

Application Accelerator: Logging options display for unavailable features (CR45546)
In the Configuration utility, on the System > Logs > Options screen, you see logging options for the Packet Velocity ASIC. This feature is not available on the Application Accelerator product.

Acceptable characters in SSL certificate names and common names (CR45721, CR45722)
If you create a certificate name or common name that uses invalid characters (for example asterisk, comma, question mark, exclamation, forward slash, ampersand), the system generates an error message that is incorrect. The error message states that these characters are valid, however the only acceptable characters are alphanumeric characters, hyphen, and underscore.

Generating SSL certificates and keys and Configuration utility errors (CR45725)
If you try to generate an archive file for SSL certificates and keys, and you do not type a name for the file, the system generates an error. If you then add a name and click the Generate and Download button, the system saves the file but the Configuration utility remains in the error state. Simply click Cancel after you have saved the file, which returns you to the SSL Certificate list screen.

Empty list notation in iRules in the Configuration utility (CR45767)
In the Configuration utility, on the iRules screen, you can currently specify an empty list with the following notation: {}. The configuration does not load properly with this syntax (no space between the braces). The correct syntax is as follows: { }. Note that the space is required.

Importing non-FIPS keys into a FIPS system (CR45853)
If you import non-FIPS keys to a FIPS system, and then convert the non-FIPS keys to FIPS keys, the system continues to use the non-FIPS keys until you restart the TMM process. You can perform this task from the command line, by typing bigstart restart.

radvd utility and restarting or rebooting the system (CR45882)
In rare circumstances, the radvd utility may start too early when you restart or reboot the system. As a result, the utility does not properly advertise routes. If you experience this issue, simply restart the radvd utility, on the System > Services screen in the Configuration utility.

IM upgrades and modprobe dependencies error messages (CR45885)
When you upgrade your system using the IM upgrade process, you may see the following error message when the system starts the automatic reboot, after the installation completes:

modprobe: Can't open dependencies file

You can ignore this error; it is benign.

IM upgrades and kernel journaling error messages (CR45970)
When you use the IM upgrade process, you may see kernel journaling error messages on the console after the installation completes. The error messages are benign and can be ignored.

Creating VLANs with period in the name (CR46028)
Using the sysctl -a command prints the /proc/sys file system. This command displays the information about each file under the tree as if it were a variable separated by period (.). It also translates the forward slash (/) into a period. When you create a VLAN with a period in the name, sysctl translates that into a forward slash (/), but then cannot read the file name it just created.

Configuration utility: white space in imported certificates (CR46150)
Currently, white space in imported certificates is not handled correctly. Certificates with extra whitespace after the begin certificate or before the end certificate statements are rejected.

Virtual Server - No Nodes Available trap and log message (CR46596)
The No Nodes Available trap and log message do not exist in BIG-IP version 9.x. Currently, when all nodes in a virtual server are marked down, a message is logged for each pool member of the virtual server. For example, you might see a message like this for each member of a pool on the virtual server:

Mar 24 09:01:00 bip6400 mcpd[864]: 01070638:3: Pool member 10.10.10.40:80 monitor status down.

BIG-IP system behavior when the product license expires (CR46636)
Currently, when the product license expires on the BIG-IP system, it does not fail over to a peer system with an active valid license.

Creating a wildcard virtual server without the virtual address entry (CR46657)
If you create a wildcard virtual server without a virtual address entry (0.0.0.0) with ARP disabled, ARP is set to enabled when the configuration is saved. After you create the wildcard virtual server, you can change the ARP setting back to disabled.

Changing an existing pool into a gateway failsafe pool (CR46870)
To change an existing pool into a gateway failsafe pool, you must first delete the existing pool and recreate it as a gateway pool type.

Preservation of Configuration Utility preferences through upgrades (CR46872)
If you have made any changes to the system settings of the Configuration Utility, you must re-implement those settings when you upgrade the system, as these settings are not carried through during the upgrade process.

bigtop utility and failover (CR47361)
If you are running the bigtop utility on an active unit, and then the system fails over, you need to restart bigtop to refresh the bigtop statistics.

Serial console messages during bootstrap (CR47395)
When booting up certain BIG-IP systems, you might see some corrupted messages on the serial console. This issue occurs rarely, and does not affect system usability or performance. You can ignore these messages.

SSL certificates: native serverssl stack does not support client-side certificates (CR47702)
When using Server SSL (SSL re-encryption) and the node requests a client certificate, the BIG-IP system does not send a client-side certificate. To work around this issue, specify ALL as the cipher in the server SSL profile.

SSL session ID persistence breaks on re-handshake (CR48114)
Session ID persistence is unaware of mid-connection renegotiations. This may cause new persistence entries not to be added for a new session ID if there are any negotiated in the middle of a connection.

Trailing whitespace on Tcl if statement and line continuation of else (CR48213)
Any trailing white space in a Tcl statement breaks the line continuation of the rule statement. To avoid this problem, remove any white space at the end of each line of the Tcl statement.

Cavium card and TMM traffic (CR48321)
If the Cavium card is not logged in, the TMM service does not pass traffic. To work around this issue, reboot the system. This runs the /etc/rc.d/init.d/cavium script, which logs in the Cavium card.

Deleting select ports from a multi-port mirror configuration (CR48376)
You cannot delete select ports from a multi-port mirror configuration. You must delete the entire multi-port mirror configuration and reconfigure it with a new port list.

LCD reports active while the command line prompt states the system is inoperative (CR48409)
The LCD can report only three types of system status: Active, Standby, or Standalone. If the system is in a different state, it may not be reported on the LCD screen.

RADIUS: white space in the client ID (CR48453)
Blank spaces in RADIUS client IDs are not supported by the system. Any part of the ID that appears after the blank space does not display correctly.

Configuring multiple RADIUS server objects that use the same server IP address and port (CR48464)
You cannot configure multiple radius server objects that share the same server IP address and port.

System unavailability due to low memory (CR48465)
In certain low-memory situations related to Packet Velocity ASIC (PVA), the system can become unavailable.

Loading large external classes (CR48489)
Loading an external class file with more than 100,000 kilobytes of data may cause the system to become unstable.

TCP::collect implicitly holds the accepted event (CR48592)
The TCP::collect command is not appropriate for some protocols where the server sends data first, such as banner protocols.

System unavailability due to memory depletion (CR48594)
When processing an extremely high number of connections per second (approximately 30,000), with very large window sizes for compression, the system can run out of memory, causing a system failure. Occurrence of this event is highly unlikely.

Support for link down time on failover (CR48728)
For BIG-IP 520/540 (D35) systems that make use of VLAN groups, the Link Down Time on Failover feature is unsupported

BIG-IP system now uses UTC time for hardware (CR48737)
After upgrading the system from BIG-IP version 9.1, you may receive timestamp errors when you install a saved BIG-IP version 9.1 UCS file. These errors are benign. The system clock will correct itself.

Using the base FastHTTP profile (CR49182)
Once you configure the BIG-IP system to use the base FastHTTP profile, the profile continues to prime server-side connections, even if there are no virtual servers currently configured to use the FastHTTP profile.

Misconfigured iRule can cause TMM to restart (CR49375)
If an iRule is not configured to use the variable name form to access the class or data group (matchclass or findclass), then TMM restarts.

Checking product version when licensing features. (CR49435)
When you request licensing for additional modules, the license server does not check that you are running a product version that supports those modules.

drop and reject commands for UDP traffic (CR49445)
When processing UDP traffic, the system does not always handle the iRule commands drop and reject properly.

ssldump utility on BIG-IP 1000 platforms (CR49446)
On BIG-IP system 1000 platforms only, the TMM service can become unavailable due to a problem with the ssldump utility.

Fast HTTP profile Header Insert option (CR49530)
The Fast HTTP profile's Header Insert option does not perform a variable expansion in its configured header insert. For example, [IP::client_addr] is inserted literally. Although this is inconsistent with the HTTP profile, this was done to increase HTTP performance. To configure the Fast HTTP profile to insert the original client IP address as a standard XForwarded-For header value, modify the Fast HTTP profile and enable the XForwarded-For header option. Additionally, Fast HTTP supports the HTTP_REQUEST iRule event as well as the HTTP::header insert iRule command, which you can use to insert arbitrary HTTP headers.

Configuration load message about VLANs (CR50019)
Loading a new configuration over an existing one can generate a message when the two configurations include a VLAN with the same name but different interfaces assigned to them.

FTP monitor in default mode does not query resources (CR50237)
The default mode for the FTP monitor is passive. This mode instructs the monitor to only determine if the resource attempts to communicate with the BIG-IP system, which is not an effective FTP test. We recommend you change the mode of the FTP monitor to a setting other than passive.

Mirroring data between units in a redundant pair (CR50330)
If the configurations for both units in a redundant system do not match, it can cause state mirroring to fail and result in general system instability.

Invalid configuration can result in inoperative system (CR50389)
If you create an invalid configuration (typically through the command-line interface), you can render the system inoperative. We recommend you back up your configuration prior to making changes, and then after changing the configuration, run the b load command to ensure the configuration is valid.

Deleting system authorization iRules (CR50407)
You cannot delete system authorization iRules. If you attempt to use the delete checkbox next to a system authorization iRule in the iRule List, you receive an error.

VLANs with dashes ( - ) in the name (CR50441)
The Linux router advertisement daemon (radvd) cannot process an interface name containing a dash ( - ). To avoid errors, verify that the VLAN name, on which radvd is enabled, does not contain dashes.

Exporting SSL Keys on a BIG-IP 6400 FIPS system (CR50553)
If you attempt to export a non-FIPS SSL Key on a BIG-IP 6400 FIPS system, BIG-IP system returns a Cannot export FIPS keys error. There is no workaround.

Installing BIG-IP version 9.2.3 on a system with an unformatted boot drive (CR50733)
When you install BIG-IP version 9.2.3 on a system that contains a boot drive that has not been formatted, or was formatted by an installation of BIG-IP version 4.x, the BIG-IP system returns the following error: 4.x upg : sfdisk: ERROR: sector 32164 does not have an msdos signature. This message is benign and has no affect on the installation.

Settings for tcp_timestamps (CR50852)
If you have previously turned off tcp_timestamps, you may have to re-disable tcp_timestamps by adding the following line to /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0

Loading a new BIG-IP system configuration (CR50872)
If you try to load a new configuration that eliminates a network object referenced by another network object in the previous (currently-loaded) configuration, the BIG-IP system returns an error. To work around this issue, remove from the previous configuration the reference to the object that is eliminated in the new configuration, and then load the new configuration. For example, if in the previous configuration a VLAN is referenced by a VLAN group, and that VLAN does not exist in the new configuration, you must remove from the VLAN group the reference to the eliminated VLAN, before you load the new configuration.

Maximum header size (CR50924)
The BIG-IP system resets a connection it receives in a packet with a segment size higher than the maximum header size, when the maximum header size is set to a value that is less than the maximum segment size (MSS). The BIG-IP system resets the connection under these conditions, even if the packet contains some or all of the body.

ICMP flows (CR51133)
The VLAN failsafe process generates multiple ICMP flows in a 300-second period. These ICMP flows are benign.

Interrupted TCP connections are aborted unnecessarily (CR51197)
If an ARP or NDP entry times out or the peer is not responding, the connection is interrupted. These connections should only end when the system is unable to establish a connection.

Reuse of HTTP client connections (CR51406)
Allowing infinite reuse of HTTP client connections can cause problems. To prevent this, verify that you have specified a value for the Maximum Requests setting in your HTTP profiles.

Licensing a system that was upgraded from BIG-IP system version 4.6.2 (CR51472)
After you upgrade the BIG-IP system from version 4.6.2 to 9.2.3 and open the Configuration utility to license the new system, the License screen fails to automatically display the 9.2.3 registration key. If this occurs, populate the registration key field manually.

Gratuitous ARP messages sent on disabled virtual server (CR51833)
The system sends a gratuitous ARP message during failover, when the virtual server is disabled.

Trunk statistics (CR51893)
Statistics for trunks do not display properly.

Preferred active status and long-lived mirrored connections (CR52003)
If you reboot a BIG-IP unit that has preferred active status enabled (Failover.ForceActive=enabled), the peer unit does not continue to mirror the existing long-lived mirrored connections while the preferred active unit is inactive. This results in dropped long-lived mirrored connections.

The b global stats reset command (CR52004)
The b global stats reset command does not reset the following statistics: PVA assisted connections, HTTP requests, OneConnectTM, and Stream replacements.

Remote RADIUS authentication (CR52073)
When you configure the system to use remote RADIUS authentication, the system also authenticates local users. This is by design.

Display of additional SSL TPS in Configuration utility (CR52164)
The License screen within the Configuration utility does not display the correct amount of additional SSL TPS licensed for that system.

Modification of destination address for custom transparent monitor (CR52255)
After creating a custom monitor with Transparent mode set to Yes, you cannot modify the Alias Address and Alias Service Port properties.

Inaccurate license error occurs on re-license (CR52277)
When re-licensing a 6400 system, the following message can appear: Warning: loading /lib/modules/2.4.21-9.2.0.142.0smp/kernel/drivers/crypto/vkd.o will taint the kernel: no license. See http://www.tux.org/lkml/#export-tainted for information about tainted modules. This message does not indicate a license issue and does not affect performance.

LDAP authentication configuration object (CR52300)
When you create an LDAP authentication configuration object, the User Template and Bind Password setting should be mutually exclusive. You should define one setting or the other, but not both.

Harmless progress messages during product installation (CR52337)
If you initiate the Installer application using a local-install IM package, some of the progress messages might incorrectly refer to a remote installation process, that is, one that requires an installation server. For example, the output of the boot loader application might temporarily list the entry remote-install-<x>. Although incorrect, these references to a remote installation are harmless.

TX/RX pause link negotiation (CR52459)
TX/RX pause negotiation of links is not available on 520/540 (D35) platforms.

Premature closing of HTTP connections (CR52482)
With a one-armed configuration, server-side HTTP connections sometimes close prematurely.

Error message regarding externally-stored classes when loading configuration data (CR52507)
If you are running the One-Time Conversion Utility (OTCU), and a UCS file includes an externally-stored class with a line containing an invalid netmask (such as 255.25.255.0), the bigpipe utility reports an error. In this case, you must find the external file, manually correct the error, and reload and save the configuration data.

Neighbor Discovery and global addresses (CR52573)
The timeout on global Neighbor Discovery (ND) v6 entries can block ND solicitation for received traffic.

Redefining routes when assigning a MAC masquerade address for a VLAN (CR52602)
When you assign a MAC masquerade address to an existing VLAN, Linux automatically drops any existing static routes pertaining to the interfaces associated with that VLAN. To correct this problem, redefine the static routes using the bigpipe route command, or run the bigstart restart command.

Slow Ramp Time setting for pools (CR52670)
When creating a load balancing pool, the Slow Ramp Time setting is required. Failing to specify a value causes automatic use of an incorrect value.

Mirroring connections to IPv6 nodes (CR52696)
When mirroring connections to a load balancing pool that contains both IPv4 and IPv6 pool members, only the connections to IPv4 nodes are mirrored. Connections to IPv6 nodes are not mirrored.

Forced interface speeds (CR52846)
Setting a forced interface speed on an SFP Fiber interface can falsely cause a link up condition.

Timeout values for SNAT pool members (CR53064)
When adding a member to a SNAT pool, the system removes the timeout values that are currently set for the other members of the SNAT pool.

Trunk destabilization when loading configuration data (CR53181)
Reloading configuration data can temporarily destabilize any existing trunks, causing random trunk messages to appear. The trunks eventually return to normal.

Display of SSL profile options Display (CR53196)
When using the Configuration utility to display an SSL profile, some settings do not appear when the certificate name has a .pem file name extension instead of a .crt extension.

trunk command on the BIG-IP 6800 platform (CR53254)
On a 6800 (D68) platform only, when using the bigpipe trunk command to create a trunk, the trunk can fail to pass traffic after you add the first interface to the trunk. To fix the problem, type the following command: bigstart restart bcm56xxd

Behavior when attempting to load a non-existent configuration file (CR53396)
When you type the command bigpipe load <filename>, the system reloads the full configuration if the specified file does not exist, and does not generate an error message.

SSL certificate and key names (CR53446)
SSL certificate and key file names that include square brackets ([]) remain in the configuration data even when excluded from an archive. You must use the command line interface, and not the Configuration utility, to remove these certificates and keys from the configuration.

Certificate revocation lists and Client SSL profiles (CR53837)
The TMM service becomes unavailable whenever a virtual server references a client SSL profile that specifies a certificate revocation list (CRL).

Encrypted ucs file installation when config.encryption flag set to off (CR54052)
If you disable encryption, you will be unable to install an encrypted ucs file into the system. This issue is resolved by activating the encryption option, and then installing the file.

RAM Cache: empty URI excludes list causes everything to be cached (CR54077)
If you have an empty URI excludes, the system will cache everything possible. You can work around this by creating an iRule that defines what items should be cached.

Log rotation and Tomcat service (CR54081)
In the event that the destination for Tomcat log files becomes full, the system automatically rotates log files to ensure that the most recent data is captured. However, Tomcat requires a restart each time it rotates a log file. This issue is resolved by ensuring there is adequate hard disk space for Tomcat, or by archiving log files on a scheduled basis.

User interface cannot install ucs files using special characters (CR54141)
When creating a ucs file, the command-line interface allows you to include special characters. However, these characters are not supported in by the Configuration utility, resulting in the Configuration utility being unable to install the ucs file. This issue is resolved by avoiding special characters when creating ucs files.

Connection limit for priority activation groups (CR54291)
When a priority group within a pool reaches its connection limit, the next connection does not move to the next-highest priority activation group.

Cookie persistence profile settings (CR54410)
For cookie persistence profiles in which the Cookie Method setting is not set to Cookie Hash, the system should not display the settings Mirror Persistence, Match Across Services, Match Across Virtual Server, and Match Across Pools, but does. You should ignore these settings.

User role for accounts on remote authentication servers (CR54412)
When you change the default user role for accounts that are authenticated remotely, the user role for user accounts labeled as Other External Users does not change accordingly.

ZebOS and MD5 interoperability (CR54440)
On systems running both the ZebOS module and MD5, a race condition can occur when using the MD5 signature settings within a TCP profile. We recommend that you refrain from using the MD5 signature settings within a TCP profile.

Error message on non-Cavium systems (CR54443)
During a local installation, the system erroneously inserts the error message modprobe: modprobe - Can't locate module char-major-240 in the var/log/daemon.log file. This occurs on non-Cavium systems only.

ConfigSync encryption enabling or disabling (CR54446)
If you previously enabled encryption of configuration synchronization data and want to disable it using the Configuration utility, make sure that you first disable encryption using the Encryption setting on the ConfigSync screen. Then use the Preferences screen to set the Archive Encryption setting to Off. Doing these steps in this order prevents the occurrence of unexpected encryption behavior.

ARP requests and the management port (CR54468)
On a 6800 platform, packets sent through the external management port become corrupted and the system can no longer send ARP requests.

iControl and configuration synchronization (CR54587)
iControl does not indicate an exception if configuration synchronization does not succeed.

10GB interface option cannot be set (CR54832)
In the Configuration utility, certain interfaces contain the option to select 10GB. However, this version does not support this setting.

Media type on the 8400 platform (CR54835)
On the 8400 platform, setting the media type on SFP fiber ports causes a brief loss of link. This can cause the upstream switch to flush its ARP entry for the BIG-IP system.

LTM responds incorrectly on 302 responses into http/compress profile (CR54923)
The local traffic management (LTM) system occasionally responds incorrectly when a 302 error is received into an http/compress profile. The exact behavior depends on the LTM configuration. To resolve this issue, add an iRule that avoids compression when a 302 error is received.

PVA: virtual servers with unmatched MTUs (CR55240)
If you have VLANs with different MTU sizes, you should manually demote virtual servers or set the db variable Pva.Acceleration to none. An alternative is to set acceleration on a per-virtual server basis using a Fast L4 profile.

tcpdump utility on Packet Velocity ASIC 10 systems (CR55498)
When using the Linux tcpdump utility to see TCP packets on a VLAN, the utility does not produce expected results on BIG-IP systems that include the Packet Velocity ASIC (PVA) 10 feature. Note that the tcpdump utility works on interfaces or external trunks on PVA10 systems.

Cipher List setting in HTTPS monitor (CR55875)
When users other than admin use the Configuration utility to display an HTTPS type of monitor, the value of the Cipher List setting is truncated.

L7 mirrored connections are not re-mirrored after reboot and failover (CR55926)
If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second reboot and failover. Also, this does not apply to Fast L4 profiles.

Image selection after discard (CR55997)
On a 6400 platform, when you boot an image and then select that image to be discarded, the system does not require you to select another image. To work around this issue, you can use the switchboot utility to specify the default image to which you want the system to boot during startup.

Loss of links on SFP modules (CR56019)
For D62/C62 systems, the system sometimes does not detect the loss of a link on SFP modules that are set for autonegotiation.

Partial acknowledgements can result in TMM issues (CR56110)
When a mirrored connection receives a partial acknowledgement (ACK) and the data being acknowledged has not passed through TCP4 yet, the TMM service might generate warnings, as there may be insufficient data in send queue to drop. There is no workaround for this issue.

Receiver side SACK report can contain stale information (CR56169)
During normal operations, the receiver side SACK report can contain stale information. There is no workaround for this issue.

Non-existent last hop pool and virtual server (CR56234)
You should not be able to assign a pool of last hop routers to a virtual sever when that pool does not exist but currently the system allows it.

Non-existent clone pool and virtual server (CR56238)
You should not be able to assign a clone pool to a virtual server when that clone pool does not exist but currently the system allows it.

ConfigSync User passwords (CR56405)
When you use the command line interface to change the ConfigSync User password on a unit of a redundant system, the BIG-IP system should display a reminder to change the password on the peer unit. However, it currently does not. For configuration synchronization to succeed, the passwords on the two units must match.

Rule setting for authentication profiles (CR56510)
When the system displays the New Authentication Profile screen for a specific type of profile and you change the Type setting to a different profile type, the value of the Rule setting does not change accordingly. You must explicitly change the value of the Rule setting to match the newly-selected profile type.

Saving Syslog-ng data (CR56679)
When you create a .ucs file, the saved configuration data does not include the Syslog-ng configuration file, /etc/syslog-ng/syslog-ng.conf. Consequently, restoring the saved configuration does not restore any Syslog-ng configuration changes that you made prior to saving the data.

Stats profiles and the bigpipe utility (CR56708)
When using the bigpipe virtual to assign a Stats profile to a virtual server, the system does not automatically assign the necessary TCP profile. To work around this, either use the Configuration utility to create the virtual server and assign the Stats profile, or specify a TCP profile name on the bigpipe virtual command line.

Time zone specification after configuration synchronization (CR56739)
When you perform a configuration synchronization from one unit of a redundant system to another, the BIG-IP system assumes that the target unit is in the same time zone as its peer. The system therefore overwrites the time zone of the target unit with the time zone of the peer unit.

SSL connection on BIG-IP version 9.0.5-to-9.1.1 systems (CR56742)
For BIG-IP version 9.0.5 systems that have been upgraded to version 9.1.1 and include a FIPS card and a Client SSL profile assigned to a virtual server, the system inadvertently terminates client SSL connections.

Prefer Fixed setting on copper and fiber cables (CR56810)
When both a copper and SFP fiber connection are used between two similar combo ports of two BIG-IP 8400 platforms, and the Prefer Fixed copper medium is selected as preferred on both ends, the SFP fiber becomes and remains active following system initialization.

Virtual servers and SSL profiles (CR56817)
If you assign an SSL profile to a virtual server a message about an FTP profile may appear. This message is benign.

Performance and mirrored connections (CR56874)
On certain BIG-IP system platforms, a heavy traffic load (such as 100 megabytes of HTTP traffic) could adversely affect performance when the connections are being mirrored to the peer unit.

Media setting for management interface (CR56897)
If you set the media setting of the management interface to something other than auto (the default setting), and then save the configuration, remove the interface configuration data from the bigip_base.conf file, and reload the configuration data, the media setting for the interface does not reflect the default setting. The interface retains its previous media setting.

Passing traffic on newly-active system (CR56902)
After you configure the BIG-IP system, save the configuration, and restart the system using the bigstart restart command, the system indicates that it is active. However, you might experience a slight delay, from a few seconds to a minute, before the system begins to pass traffic.

Link status on peer system (CR56905)
When you disable a combo port, the link light turns off on the BIG-IP system. However, the link is not down on the peer system.

Online help for the Routes screen (CR56960)
The Configuration utility does not display the online help for the Routes screens.

Display of time zone in log messages (CR57033)
When you use the Configuration utility to change the time zone on the BIG-IP system, any log messages resulting from creating a pool or an archive show the previously-defined time zone. You can synchronize the new time zone and the subsequent log messages by using the bigstart restart command.

Configuration synchronization and remaining files (CR57245)
When configuration synchronization does not succeed, several files remain on the system in the /var/tmp directory instead of being automatically deleted.

The iRule SSL::session_id command (CR57248)
When you use the iRule command SSL::session_id to specify an SSL session ID, and that session ID includes a null character, the session ID is truncated.

TMM memory allocation restrictions and iRules (CR57252)
If an iRule attempts to buffer more than four megabytes of data into a TCL variable, the TMM service could become unavailable. This is due to a 4-megabyte TMM restriction on contiguous memory allocation.

Node status on removal of ICMP monitor (CR57256)
When you remove the ICMP monitor from a node, the node status should show that the node is not being checked.

OTCU does not check if passwords do not match (CR57259)
When running the One-Time Configuration Utility (OTCU), if you change the password, you are asked to type the new password twice. However, the OTCU does not check to make sure these two password entries match. The passwords are displayed on the screen. We recommend you verify that the passwords are correct before completing the password change. In the event that you mistype the password the second time, the first password is accepted.

False error occurs during bcm56xxd startup (CR57293)
When the bcm56xxd utility starts, you can get a false error message: bs_if_initialize_all: can't init . This error occurs unnecessarily and does not affect product performance.

Source and Target settings in Stream profiles (CR57307)
In a Stream profile, you cannot use the slash (/) character when specifying values for the Source and Target settings.

b pool show command lists inactive pools as active (CR57309)
In version 9.x, if you use the b pool show command, the system lists pools as active, even if they are inactive due to priority or load balancing settings. The status of the pool appears correctly in the Configuration Utility.

Upgrading from a newer to an older version (CR57354)
When using the im script to upgrade a local BIG-IP system installation from a newer version to an older version, you must specify the -force argument.

EUD does not adequately isolate external connections (CR57360, CR57362)
When the EUD runs, it assumes that there will be no external traffic in or out of the BIG-IP system, but external peers can still detect link connectivity and send traffic to the BIG-IP system. This can cause the EUD internal packet path test to fail.

Certain profile options are overwritten by Configuration Utility (CR57421)
You can configure the following Client SSL or Server SSL profile options using the command line, but not the Configuration utility: MICROSOFT_SESS_ID_BUG, NETSCAPE_CHALLENGE_BUG, PASSIVE_CLOSE, and SSLREF2_REUSE_CERT_TYPE_BUG. If you modify the profile in the Configuration utility, you disable these options. We recommend that, if you need to use these options, you do not use the Configuration utility to configure them.

FastL4 profile reset on timeout (CR57425)
When you disable the Reset on Timeout setting on a Fast L4 profile and specify an Idle Timeout value, the BIG-IP system still sends a reset (RST) packet and deletes the connection after the specified idle timeout value has expired.

RAM Cache performance degrades with Nagle enabled (CR57440)
The Nagle's Algorithm option in the TCP profile causes the system to copy the cached response. For larger cached responses, this can degrade performance. We recommend that you disable the Nagle's Algorithm option if RAM Cache is in use and performance is critical.

The domain command in iRules feature (CR57448)
The iRule domain command inadvertently truncates the domain name.

Counting of dropped packets (CR57456)
The drop count behavior for unicast packets with matching source and destination MAC addresses not associated with the receiving BIG-IP system differs between BIG-IP 1000 (D39), BIG-IP 2400 (D44), BIG-IP 5100 and 5110 (D51) and the BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), BIG-IP 8400 (D84) platforms due to switch hardware counter differences.

IPv6 lasthop pool node not chosen (CR57466)
When using IPv6, disabling the bigdb key connection.autolasthop sends the connection to the existing default route instead of a lasthop pool node.

Interface statistics and trunks (CR57478)
When you remove an interface from a VLAN and assign the interface to a trunk, the trunk inherits the statistics of the interface in the VLAN. The trunk should show new statistics rather than inheriting them from the interface.

Load sharing by 10-gigabit interfaces in a trunk (CR57479)
After you add a 10-gigabit interface to a working trunk that has another 10-gigabit interface, the load is not shared between both interfaces. Restart the lacpd service to fix the problem.

MCP validation improperly allows a virtual server to reference an incomplete base auth profile (CR57482)
Such profiles (for example, a stock ssl_ocsp profile without the config attribute set) should not be referenced by a virtual server.

Link transmission status for media types (CR57564)
A disabled 10 Gigabit Ethernet interface on a 8400 may still indicate link up to its partner switch, which results in the link down on failover feature not working properly.

Forwarding of IP fragments (CR57638)
When the Fast L4 profile setting Reassemble IP Fragments is set to the default value of disable amd the size of the first fragment is less than 246 bytes, the system does not always forward egress fragments. To prevent this problem, make sure that the first fragment is greater than 246 bytes.

Syslog-ng: uninitialized interfaces after syslog-ng fails to start or if it has been manually configured(CR57698)
If syslog-ng does not start or if you have manually configured the syslog-ng daemon, the system interfaces may not initialize properly after you upgrade the system. For more information, see SOL5872: BIG-IP does not pass traffic and non-management interfaces are non-responsive after upgrading BIG-IP to version 9.1.1 or 9.2.3 and SOL5879: BIG-IP does not pass traffic and non-management interfaces are non-responsive if syslog-ng fails to start.

RIP version 1 non-functional on Local Traffic Manager version 9.0 or later (CR57708)
Certain advanced routing protocols (such as RIP v1) that depend on the BIG-IP system receiving directed IP broadcasts do not work on BIG-IP system version 9.x. This might affect the dynamic updating of the BIG-IP system's routing table.

bigpipe base list command output (CR57784)

When you type the command bigpipe base list, the output erroneously shows the default port lockdown value for the udp/520 protocol name as udp efs instead of the correct protocol name, router.

Excessive implementation of EXPORT ciphers degrades performance (CR57798)
The greater the number of EXPORT ciphers implemented in a configuration, the greater the chance of slower performance from the Local Traffic Manager. If the Local Traffic Manager is performing slower than expected, we recommend looking at the number of EXPORT ciphers in place and seeing if any of them can be removed or refactored.

Invalid user-modified variables (CR58128)
The BIG-IP system should not accept invalid values of user-modified variables that contain all zeroes. We therefore recommend that you do not use values containing all zeroes.

(CR58225)
If the BIG-IP system receives an HTTP response with a Accept-Encoding header value that includes the string gzip or deflate, the data is erroneously compressed using the corresponding gzip or deflate compression algorithm. For example, if the header value is deflatexxx, the system compresses the data using the deflate algorithm. This is incorrect. The system should only use the gzip or deflate algorithm when the header value matches the algorithm name exactly (that is, the header value is gzip or deflate).

Configuration synchronization password message (CR58256)
When you use the Allow Console Accesss check box on the Users screen to enable or disable console access, the system displays an unrelated message about the ConfigSync passsword. You can ignore this message.

User names in the ConfigSync User list (CR58267)
In the Configuration utility, for the ConfigSync User setting, user names for administrative users other than admin do not appear in the list of user names.

Command line support for Administrator-role users with remote accounts (CR58292)
If your user account has the Administrator role assigned to it and is stored on a remote authentication server, you do not have command line interface access to other remote user accounts. However, you can access remote user accounts through the Configuration utility.

Error message for invalid IP address error message (CR58431)
When you assign an invalid IP address to a pool member, the system displays the follow error message, which is not indicative of the actual problem:

BIGpipe: pool member creation error: 01070636:3: IP V6 not licensed (pool member 18d7:4308::)

Password expiration prompt (CR58444)
When your password is due to expire and the system prompts you to enter a new password, the New Password box is mistakenly populated with your old password. If you simply click Update, the system accepts the old password instead of requiring a new one.

User account removal (CR58498)
When you delete a user account from the BIG-IP system, the user entry in the file /etc/security/opasswd is not automatically deleted.

Secure password enforcement for root account (CR58544)
When a password expiration warning is displayed for the root account, the system erroneously applies the secure password enforcement settings to the new password. These settings should only be applied to non-Administrator user accounts.

VLAN assignment for virtual servers (CR58607)
In certain configurations, you can erroneously assign a virtual server to a VLAN other than the VLAN of the virtual server destination IP address. The system should perform data validation to prevent this from occurring.

References in authentication profiles to configuration objects (CR58629)
When you modify the default SSL Client Certificate LDAP profile to add a reference to an authentication configuration object, the system prevents you from removing that reference later. You cannot select None in the Configuration profile setting, and any custom profiles you create from that default profile continue to reference that same configuration object. We recommend that you create a custom profile instead of directly modifying the default profile.

Dynamic routes buffer size (CR58743)
When you are using the Advanced Routing Modules, the system does not distribute all dynamic routes to the Linux routing table, due to a buffer size being too small. This requires you to manually configure certain ZebOS settings to change the buffer sizes.

ConfigSync status in Configuration utility (CR58820)
After you perform a configuration synchronization from an active unit to a standby unit, the ConfigSync Status in the Configuration utility continues to recommend synchronizing the configuration. You can ignore this recommendation.

Warning message for password expiration (CR58828)
When a user's password is due to expire in less than 24 hours, the warning message states that the password will expire soon. If you see this warning message, change your password as soon as possible.

bigstart utility and Perl script error (CR58877)
Running the bigstart utility repeatedly on the BIG-IP system can trigger a Perl script error, causing the system to become inoperative and requiring you to reboot the system.

RAM cache maximum size (CR59037)
Using a zero value for the size of the RAM cache (0) erroneously disables the RAM Cache feature altogether. In previous versions, the system treated a zero value as an unlimited RAM cache size. This is no longer the case for BIG-IP version 9.2 systems.

Console baud rate on upgrade from 9.1.x to 9.2.3 (CR59186, CR59156)
During the upgrade from BIG-IP version 9.1.x to version 9.2.3, if console baud rate is set to a different value than 19200, you will lose the console connection to the system. We recommend that you reset the unit baud rate and console baud rate to 19200 before you begin the upgrade.

Illegal character in URL for OCSP responder configuration (CR59277)
You cannot use a tilde character (~) in the URL box on the New OCSP Responder screen of the Configuration utility. To work around this problem, you can use the %7E escape character.

Profile configurations in the bigip.conf file (CR59279)
Changes that you manually make to profile configurations in the bigip.conf file do not take effect until you issue a bigstart restart command.

Configuration utility options for Application Accelerator product (CR59307)
When you are using the Application Accelerator product, the Configuration utility displays certain profile and virtual-server types that are not valid for that product. If you select any of those types, the system displays an error message.

Parsing iRules syntax (CR59340)
The BIG-IP system cannot load an iRule when there is no extra space between a set of braces ( {} ). To work around this issue, add an extra space between a set of braces.

Output of bigpipe trunk command (CR59393)
If you have a trunk between two BIG-IP systems, and you stop the lacpd service on one system and disable link aggregation on the other system but retain the link, and then restart the lacpd service on the first system, when you type a b trunk show all command, the system erroneously reports that the links are still aggregated.

Using the alert system in this release (CR60829)
The alert system that controls the Alarm LED and triggers SNMP traps is not functional in this release. However, you can use the following procedure to work around the problem.

  1. Add the following entries to /etc/syslog-ng/syslog-ng.conf:

    # *.*          |/var/run/alert.pipe
    destination d_alertd {
       pipe("/var/run/alert.pipe");
    };

    log {
       source(local);
       destination(d_alertd);
       flags(catchall); #ignore the source, catch all messages
    };

  2. Restart syslog-ng by typing the following command:

    /etc/init.d/syslog-ng restart

  3. If you plan to use SNMP traps, configure the SNMP trap destination to receive traps.
     
  4. Restart alertd by typing the following command:

    bigtstart restart alertd

Benign error with SCCP reboot and the 8400-E platform (CR64063)
After the initial installation you may see the following benign error message on the console with the 8400-E platform.

Error:pfm_sccp_d84_ifmap fail: bus: 0, agent: 15, vendor: 14e4, device: 5673

Timezone setting does not persist (CR64143)
If you upgrade a system and have changed the time zone for that system to anything other than Pacific Standard Time, the upgrade process resets the time zone back to Pacific Standard Time. After you complete the upgrade, you must reset the time zone for the system.

Changes in US and Canada Daylight Saving Time (CR68781)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

[ Top ]

Acknowledgments

This section lists acknowledgments for software added in this release.

This product includes software developed by Balázs Scheidler <bazsi@balabit.hu>, which is protected under the GNU Public License.

This product includes software developed by Niels Müller <nisse@lysator.liu.se>, which is protected under the GNU Public License.

[ Top ]

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)