Release Note: BIG-IP LTM version 9.2.5 and TMOS

Software Release Date: 01/22/2007
Updated Date: 12/11/2013

Summary:

This release note documents the version 9.2.5 feature release of the BIG-IP® Local Traffic Manager and TMOS™. To review the features in this release, see New features and fixes in this release. This release is cumulative, and includes all fixes and enhancements released since version 9.2. Existing customers can apply the software upgrade to systems running BIG-IP version 4.5 PTF-04 through version 4.5.13, and version 4.6 through version 4.6.4, and to systems running version 9.0 and later. For information about installing the software, please refer to Installing the software.

Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see SOL2965: New Versioning Schema for F5 Software Releases.

Warning: This is a feature release, not a maintenance release. Unless you need specific features that are new to this feature release, please upgrade to the latest maintenance release instead.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Performing a local installation
     - Performing a PXE server installation
     - Performing a remote installation
     - Verifying the MD5 checksum of the upgrade file
     - Re-activating the license on the BIG-IP system
- New features and fixes in this release
     - New features in this release
     - New fixes in this release
- Features and fixes in prior releases
     - Features from version 9.2
- Optional configuration changes
     - Using SNMP read/write OIDs
     - New SNMP OIDs
     - Using the switchboot utility
- Known issues
- Workarounds for known issues


User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the Ask F5 Technical Support web site.

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 512MB RAM (if installed as a stand-alone Local Traffic Manager or Global Traffic Manager product)
  • 768MB RAM (if installed as a combination of BIG-IP systems, such as a Local Traffic Manager/Global Traffic Manager installation, or as a Link Controller installation)
  • 512MB CompactFlash® media drive

Note: The 520/540 platform must meet certain requirements in order to support this version of the BIG-IP software. For more information, including memory requirements, see 520/540 Platform: Installing BIG-IP version 9.2.5.

The supported browsers for the BIG-IP Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x
  • Mozilla® Firefox®, version 1.5x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

Supported platforms

This release supports the following platforms:

  • BIG-IP 520 and 540 (D35). For more information, see 520/540 platform support.
  • BIG-IP 1000 (D39)
  • BIG-IP 1500 (C36)
  • BIG-IP 2400 (D44)
  • BIG-IP 3400 (C62)
  • BIG-IP 5100 and 5110 (D51)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)

Warning:  If you plan to upgrade a system licensed for Link Controller, Global Traffic Manager, or a combination Local Traffic Manager and Global Traffic Manager system, the BIG-IP unit you intend to upgrade must have a minimum of 768 MB of RAM. Originally, the BIG-IP 1000 (D39) and BIG-IP 2400 (D44) platforms were shipped with 512 MB of memory only.

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Installing the software

There are several installation options to consider before you begin the version 9.2.5 software installation. Before you begin the installation process, you need to determine which installation option is appropriate: local, PXE server, or remote.

Warning:  A valid service contract is required to complete this upgrade.

Warning:  You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.

Warning:  You must turn off mirroring before you attempt to upgrade to version 9.2.5. We do not support mirroring between units that are not running the same version of the software.

Important: You are prompted to install the software on multiple boot images if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

Important: You must perform the installation from the management interface (Management) on the BIG-IP system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.

Performing a local installation

Before performing a local installation, read the following information.

Performing a PXE server installation

The procedure for performing a PXE installation depends on the version of the BIG-IP system you are currently running, and whether you have the 520/540 platform.

Performing a remote installation

The procedure for performing a remote installation depends on the version of the BIG-IP system you are currently running. The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade.

Verifying the MD5 checksum of the upgrade file

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the install file. This verifies that you have downloaded a good copy of the file. To run the test, type the following command, where local-install-9.2.5.5.1.im is the name of the file you downloaded.

    md5sum local-install-9.2.5.5.1.im

Compare the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.

Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab, expand System and click License.
    The License screen opens.
     
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.
    For details about each screen, click the Help tab.

New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

This release contains the following new features.

Cavium RoHS FIPS card support
System drivers in this release work with Cavium Restriction of Hazardous Substances Directive (RoHS) Federal Information Processing Standard (FIPS) cards.

New fixes in this release

This release contains the following fixes.

Note: For features and fixes in earlier releases, see Features and fixes in prior releases.

RADIUS log on without password then with password (CR52340)
Previously, when RADIUS authentication validated a user who first logged on without specifying a password and then specified one, the result was multiple logon attempts and slow system response. Now, the system correctly handles logon attempts.

RTSP filter rule commands and events (CR53957)
The Real Time Streaming Protocol (RTSP) filter now supports the RTSP::collect, RTSP::release, RTSP::payload length, and RTSP::payload replace rule commands, as well as the RTSP_REQUEST_DATA and RTSP_RESPONSE_DATA events.

Partial match size limit enforcement (CR55382)
In previous releases, certain matches caused the stream filter to accumulate too much data, resulting in a system halt. This release addresses the situation by having the stream filter correctly halt connections that accumulate too much data.

Console baud rate on upgrade from 9.1.x to 9.2.3 (CR59186, CR59156, CR59242)
During previous upgrades from BIG-IP version 9.1.x to version 9.2.3, if the console baud rate was a value other than 19200, you lost the console connection to the system after reboot. Now, the upgrade handles baud rate differences correctly.

HTTP Class matching in iRules (CR59261)
This release disables HTTP Class matching for the current request, if you configure iRules™ to redirect or respond to the request. This allows HTTP Classes and Application Security Manager more straightforward use of HTTP::redirect and HTTP::respond commands.

Display of imported SSL certificates containing special characters (CR60884)
In previous releases, when importing an SSL Certificate containing special characters, such as the accented e or the apostrophe character, the system presented the following error: ! General database error retrieving information in webui.log. Now, the system correctly imports certificates containing special characters, and displays the name properly.

File system errors during local installation (CR64693)
This release handles file system errors encountered during local installation. Now, if the share disk fails the disk integrity test, the process moves the install packages to RAM so that the system can repartition the disk, and presents a warning before proceeding.

HTTP::respond command and binary payload (CR64809, CR64834)
This release corrects a Tcl encoding issue that prevented using the HTTP::respond command for binary payload data. Now, you can use the HTTP::respond command with binary payload data.

Floating point support in iRules (CR68915)
Use of floating point equations in iRules™ in previous releases did not return expected results. This release supports floating point operations in iRules.

Responses with loss of former client's request and ACK (CR69272, CR69459)
In previous releases, lost packets from client requests directed to a virtual server configured with a Fast HTTP profile resulted in responses being passed to the incorrect client. This release corrects that condition, so responses go to the correct client, regardless of packet loss.

OneConnect™ transformations and 4xx server responses (CR66220)
Previously, when the OneConnect Transformations setting was enabled in the HTTP profile and the server sent an HTTP 4xx response, the system did not transform the connection header in an HTTP request to a Keep-Alive header. Now the system does perform the transformation.

System response after clearing the configuration (CR68540)
This release addresses an issue in which the Packet Velocity® ASIC (PVA) daemon created a core file while clearing the configuration after a Traffic Management Microkernel (TMM) disconnect. The system now clears the configuration correctly, and no core file is created.

HTTP requests with leading return or line-feed characters (CR68832, CR69642)
In this release, the HTTP filter correctly ignores return or line-feed characters preceding a new request, as specified in the HTTP RFC.

Pipelined HTTP request with congested client and shut-down server (CR69568, CR69723)
This release corrects a condition where the system sent a request after the client shut down, resulting in a system halt. Now, the system transitions from the shut-down state, so that after sending all packets from the client, the system sends a delayed shut-down request, and the connection halts correctly.

Mirrored passive FTP connections (CR69705)
This release addresses the failure of the system to mirror PASV (passive) and EPSV (extended passive) FTP (File Transfer Protocol) connections. Now, the system correctly mirrors these to the standby unit.

HTTP filter treatment of leading tabs when determining header value (CR69767, CR69924)
Now, the system correctly handles a tab character following the colon that separates the header name and value, per RFC 2616. In addition, the system correctly trims the trailing whitespace in header names.

Persist information and Tcl string object leak (CR70058, CR70119)
This release corrects a Tcl string object leak condition when persistence is specified in an iRule (UIE persistence, for instance), so that the leak no longer occurs.

HTTP requests spanning multiple TCP frames (CR70394, CR70631)
In previous releases, the system occasionally failed to transmit the initial segment of an HTTP request on a server-side flow that spanned multiple TCP frames. Now, the system always correctly transmits when data is present.

HTTP cookie removal (CR70528)
This release corrects an iRule behavior with the HTTP cookie where, if the cookie was at the end of a list of cookies, the HTTP::cookie remove command resulted in all cookies being removed. Now, only the HTTP cookie is removed with this command.

PVA and timeout values (CR70547)
In previous releases, the FastL4 profile did not restrict a maximum timeout value; however, the Packet Velocity® ASIC (PVA) daemon could not handle timeout values over certain amounts. (The exact timeout value depends on the PVA version.) When the PVA timeout value was exceeded, idle connections could close prematurely. With this release, if the maximum timeout is exceeded, the system demotes the PVA to Assisted mode, which allows the system to control the timeout value.

Extra characters added to IP and MAC addresses (CR70635)
This release corrects an issue in which the xbuf_scanf could add extra characters and append them to an IP address or MAC address.

Memory leak with HTTP responses (CR70761)
This release corrects a memory leak caused by HTTP responses with chunked header and no data.

Small MSS size and NITROX queues (CR70819)
Previously, if an incoming record had more than 32 records, it could fail to clear the SSL filter, causing the NITROX® queue to stall. With this release, the SSL filter is cleared appropriately.

Fast HTTP and out-of-sequence packet segments (CR70928)
Now, the Fast HTTP profile operates correctly even if packets are acknowledged out of sequence.

Core files after failover (CR71129)
Previously, a failover event could cause the two 8400 units in a redundant system to retain their core files. The failover process now removes these files correctly.

System driver state information (CR71568)
This release fixes an issue in which a system driver could send outdated compression state information. The system no longer sends outdated compression state information.

System driver and TMM interoperation (CR71826)
This release resolves an issue in which a system driver was out of sync with the TMM, resulting in the system reading invalid data. Now, the system driver remains synchronized and reads data correctly.

Persistent HTTP connections with TMM (CR71953)
Now, the system correctly handles persistent HTTP connections on a OneConnect™ virtual server using secure network address translation (SNAT).

Cavium RoHS FIPS card operation (CR72826)
System drivers in this release work with Cavium Restriction of Hazardous Substances Directive (RoHS) Federal Information Processing Standard (FIPS) cards.

NITROX chip driver performance (CR72837)
With this release, NITROX® chip drivers successfully operate during initialization.

Version 9.2.5 local installation of version 9.4 (CR73598)
In this release, you cannot roll forward a 9.4 UCS file into an installation of version 9.2.5.

End-User Diagnostics version upgrade (CR73599)
This release contains an upgraded version of the End-User Diagnostics (EUD).

Version 9.1.2 UCS files and rolling forward (CR73600)
In this release, rolling forward the UCS file completes as expected.

Features and fixes in prior releases

The current release includes the fixes and enhancements that were distributed in prior releases, as listed below. (Prior releases are listed with the most recent first.)

Version 9.2.4 features and fixes

The 9.2.4 release included the following features and fixes.

Features from version 9.2.4

Switch card control processor
This release provides an updated switch card control processor (SCCP), the component that provides hardware control over the whole unit.

End-user diagnostics for hardware
This release contains an updated end-user diagnostics (EUD) test suite. The EUD provides the ability to diagnose hardware-related problems on the 1500 (C36), 3400 (C62), 6400 (D63), 6800 (D68), and 8400 (D84) platforms. For more information, see End-User Diagnostics: Field Testing Hardware.

Fixes from version 9.2.4

Adding certificate not picked up (CR40677)
This release corrects an issue where certificates added to an already-existing Certificate Authority (CA) file were not picked up by subsequent load operations without restarting the system. In this release, bigpipe always updates SSL certificates and key files.

MSS and maximum header size mismatch resets connection (CR50924)
This release fixes a problem where the system reset a connection if the maximum segment size (MSS) was less than the maximum header size.

SSL sends unnecessary resets after connection ends (CR67974)
In previous releases, SSL monitors sent an unnecessary reset after the connection ended. In this release, SSL monitors cleanly shut down the SSL session, and no longer just reset the connection.

Management interface media set to none (CR68007)
In previous releases, the system set the management interface media to none when the management interface went down. In this release, the management interface remains properly configured, even when the interface goes down.

Renegotiation does not pick up mode changes (CR68008)
In previous releases, the renegotiation driver did not pick up peer certificate mode changes. In this release, the renegotiation driver correctly requests a certificate from the client, when certificates are required.

Loss of persistence-across-services connections (CR68122)
In previous releases, when persist across services was enabled, the system lost persistence connections when a node went down. In this release, the system retains and handles persistence-across-services connections when a node goes down.

Persistence connections and node availability (CR68123)
In previous releases, the system sent persistence connections to the wrong node after a node went down and came back up. In this release, the system sends persistence connections to the correct node. The resolution of this CR also results in the deletion of the persistence connection that was established with the other virtual server.

Translating virtual server and validation reports on pool connections (CR68131)
In releases 9.1.1, 9.1.2, and 9.2.3, validation falsely reported pools as not being directly connected when there was any translating virtual IP address. In this release, users can add pool members without seeing any error message.

System propagation of enabled VLANs to deleted/recreated listeners (CR68132, CR70506)
In previous releases, if you added a SNAT with VLANs enabled, and then modified the origin address, the update did not propagate the enabled VLANs to the deleted/recreated listeners. In this release, the system propagates the enabled VLANs to the deleted/recreated listeners.

System handling of unadorned cipherlists in SSL cipher string (CR68151)
In previous releases, the system moved existing unadorned cipherlists in the SSL cipher string to end of list. In this release, SSL enables/moves only disabled suites when performing the cipher suite add operation (unadorned cipherlist). Previously enabled suites are left in their current location.

Back-end connections from FastHTTP (CR68152)
This release addresses a problem with back-end connections from FastHTTP, which continued to send SYN messages when there was no server present. This release limits the maximum number of SYN messages to three, when there is no server present.

Mirrored Layer 4 connection expiration (CR68185)
This release corrects a problem with mirrored Layer 4 connections, which expired on the standby system if you set the service-down action to reject. In this release, connections are mirrored correctly.

Profile count limitation (CR68188)
In previous releases, the system was limited to a profile count of 16. In this release, a virtual server can have any number of profiles.

Virtual server IP address combinations cause system restart (CR68191)
In previous releases, certain sets of network virtual server IP address combinations could cause system restart. The Packet Velocity® ASIC daemon (pvad) no longer restarts with certain configurations.

Requests on persistent connection by congested client and RAM cache restart (CR68193)
In previous releases, requests on the persistent connection by a congested client could cause RAM cache restart. In this release, the system works as expected, regardless of client congestion.

Mirroring undetected and unhandled virtual servers and TMM restart (CR68200)
In previous releases, Traffic Management Microkernel (TMM) restarted when mirroring Layer 4 and Layer 7 connections that were not detected or handled by the UDP-based virtual server. In this release, the system prevents Layer 4 mirroring to Layer 7 connections on the standby system from Layer 4 connections on the active system, so TMM no longer restarts.

System restart and active-active redundant system status (CR68219)
In previous releases, system restart could cause an active-active redundant system status. In this release, the system waits a sufficient length of time to prevent the active-active condition from occurring.

Caching of responses containing HTTP::retry or HTTP::respond command (CR68263)
In previous releases, caching an HTTP_RESPONSE containing HTTP::retry or HTTP::respond commands caused a system halt. In this release, the system disables caching of HTTP_RESPONSE when the server issues an HTTP::retry or HTTP::respond command.

Status codes used in HTTP::respond (CR68264)
In previous releases, the HTTP::respond command in an iRule did not allow responses to a 503 status code. This has been corrected.

MSS and SSL record size mismatch (CR68270)
In previous releases, certain combinations of small maximum segment size (MSS) and large SSL record sizes could cause connection problems. In this release, the combination no longer causes a connection leak.

Invalid session ID logged when receiving SSLv3 handshake (CR68273)
In previous releases, the system could log an invalid session ID when receiving the SSLv3 handshake. In this release, the system logs a valid session ID when receiving SSLv3 handshake.

FTP connections with persistence (CR68289)
In previous releases, active FTP data connections from control client flow with persistence set caused Traffic Management Microkernel (TMM) to halt. In this release, the system inherits SNAT pool members from the originating flow only when the flow actually originates from the server.

Invalid key in iRule (CR68290)
In previous releases, an invalid key in an iRule caused a system halt. In this release, the system presents an error message for an invalid key, and the system proceeds without a system halt.

Connection failure on redundant system when requiring Client Certificate (CR68371)
In previous releases, setting the Client Certificate setting to require on a redundant system could time out, resulting in connection failure. In this release, the SSL processing queue is large enough to handle the condition of establishing a connection when client certificates are required.

Changes in US and Canada Daylight Saving Time (CR68781)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

System halt with load-balancing database-busy messages (CR69117)
In previous releases, the system halted, posting messages to the /var/log/ltm logs: "Pva2AsicFactory.cpp:726 - Dropping stat msg. LDBD was busy." This is a message from the Packet Velocity™ application-specific integrated circuit (ASIC) daemon that indicates a busy status for the load-balancing database. The resulting dropped packets caused a switchboard failsafe condition. In this release, the system detects the condition, and resets the system after receiving more than five contiguous messages of this type.

MSS size of zero (CR69126)
In previous releases, a specific combination of maximum segment size (MSS) and specific path maximum transmission unit (MTU) could result in a connection flow object with an MSS of zero. In this release, no combination results in an MSS of zero.

Autonegotiation enabled when forcing speed on the management port (CR69151)
In previous releases, autonegotiation was enabled when forcing speed on the management port. In this release, the system checks the autonegotiation value, and only returns without forcing the speed if autonegotiation is disabled.

TMM memory use determination (CR69158)
In previous releases, Traffic Management Microkernel (TMM) could use the incorrect amount of memory. In this release, the TMM startup script correctly determines how much extra memory it needs, based on its licensing scheme.

VLAN failsafe timer reset (CR69309)
In previous releases, the VLAN failsafe timer was reset incorrectly. In this release, the system has a flag, ResetTimerOnAnyFrame, that, when set to true, resets the failsafe timer on any frame received. The flag is off by default.

Version 9.2.3 features and fixes

The 9.2.3 release included the following features and fixes.

Features from version 9.2.3

Secure password policy
With this release of the BIG-IP system, you can create and implement a secure password policy. Implementing a secure password policy ensures that user-created passwords adhere to criteria such as minimum length, allowed character types, expiration periods, and so on. For more information, see SOL5962: Configuring a Secure Password Policy for the BIG-IP System.

Fixes from version 9.2.3

System rebooting after power loss (CR61356)
In this release, the system boots up correctly after power loss without user intervention on 3400, 6400, and 6800 platforms.

New bigdb key Common.Bigip.Bigd.ReuseSocket (CR56494)
In some situations, a server taking a long time to respond to a BIG-IP system health check might not be marked up. If this occurs, you can configure a new bigdb key Common.Bigip.Bigd.ReuseSocket. When the key is set to 1, or when it is not set, the behavior is as it was before. When the key is set to 0, the bigd function always closes the previous socket and opens a new socket at each ping interval for internal monitors, regardless of the result of the previous ping. Whenever you change the value of that bigdb key, the bigd function does not pick up that change automatically, and you must take these steps to make the key take effect:

  1. Restart bigd by running the bigstart restart bigd command.
  2. Find the bigd process ID (using the command cat "/var/run/bigd.pid" or "ps -ax | grep bigd").
  3. Send a USR1 signal to bigd by using the command kill -USR1 <bigd's pid>.

Race condition after mcpd/TMM disconnect/reconnect (CR56608)
A disconnect/reconnect action from the Master Control Program (MCPD)/Traffic Management Microkernel (TMM) daemon was causing a race condition in the Packet Velocity™ service. This race condition no longer occurs.

Build number on core file (CR57206)
In this release, the pvad core file shows the correct build number after you install an upgrade.

sysctl.conf setting net.ipv4.tcp_timestamps (CR57261)
The new sysctl.conf setting net.ipv4.tcp_timestamps = 0 is no longer dropped when rolling a UCS file forward from version 9.1.

Use of protocols that rely on IP multicast (CR57268)
In this release, IP multicast packets received by a VLAN group are copied to the host, allowing proper communication for local daemons that use protocols relying on IP multicast (such as OSPF and RIPv2).

Missing certificate credential message (CR57483)
In previous releases, the authentication subsystem did not treat an empty certificate credential message as an indication that this credential was absent. In this release, the authentication subsystem correctly recognizes an empty certificate credential message as a missing credential.

LDAP mandatoryattrs parameter (CR57524)
When the LDAP monitor parameter mandatoryattrs is set to yes and the monitor returns referrals only, the system no longer behaves as though attributes were returned.

Removal of authentication configuration object from profile (CR57531)
Removing a reference to an authentication configuration from a parent authentication profile no longer causes problems for other profiles that inherit from that parent.

Controllable rate limits for switch chips (CR57536)
The system includes three new bigdb variables for limiting packet rates: switchboard.max.DlfRate, switchboard.rmax.BcastRate, and switchboard.rmax.McastRate.

qkview error message (CR57558)
Running version 6.2.0 of qkview no longer produces an error message.

Premature termination of connections (CR57569)
During high congestion, the system flushes data and preserves the connection when the server begins transmitting a response before the request has been fully sent to the server.

SNAT use of SNAT pool members (CR57636)
When you have a SNAT pool in which all IP addresses are on the same VLAN and network (known as a homogeneous SNAT), the system no longer chooses the same SNAT pool member (IP address) for every SNAT that it creates.

Linux cURL vulnerability (CR57668)
The Linux cURL package no longer contains a local vulnerability that allowed a user to run arbitrary code on a client machine.

iRule domain command (CR57745)
The iRule domain command no longer truncates the domain name.

Configuration synchronization of bigdb SNMP keys (CR57788)
In this release, the BIG-IP system handles SNMP-related bigdb keys properly during configuration synchronization.

SSL: determining the issuer of a certificate provided by a client during handshake (CR57959)
In this release, the BIG-IP system SSL filter can determine the client certificate's issuer certificate in cases where the client sends this issuer in its Certificate handshake message. This was observed in a multi-level public key infrastructure (PKI) where only the root CA is trusted by the BIG-IP system and attempting to use [SSL::cert issuer 0] in a CLIENTSSL_CLIENTCERT rule.

SIP monitor acceptance of Call-ID and From lines (CR57997)
In this release, the SIP monitor accepts alternate forms of the Call-ID: and From: lines from a server. Specifically, the monitor can accept lines beginning with the alternate forms i: and f: for the Call-ID: and From: lines, respectively.

Checksum of first packet from connections controlled by Fast L4 profiles (CR58164)
If the first packet from connections controlled by Fast L4 profiles fails the checksum test, the connection is halted. This eliminates a denial of service attack known as a SYN flood vulnerability on accelerated virtual servers.

CPU usage by Linux interrupt handler and TMM service (CR58211)
Linux no longer handles interrupts on the same CPU as that used by the Traffic Management Microkernel (TMM) service. This prevents certain network performance problems from occurring.

High availability connection for connection mirroring (CR58300)
Under high load, and in certain circumstances, a redundant system no longer loses connections in the HA channel.

Licensing BIG-IP system version 9.2 on the D44 platform (CR58368)
In this release, the licensing process works correctly when you are licensing version 9.2 of the BIG-IP system on the D44 platform.

Truncated SSL session IDs (CR58395)
The iRules™ feature no longer truncates an SSL session ID containing null bytes.

Host header from SOAP monitor (CR58423)
The SOAP monitor no longer sends IPv4 addresses as IPv4-mapped IPv6 addresses (for example, ::ffff:192.0.2.128).

Persistence hash table and system performance (CR58487)
We have increased the size of the persistence hash table to ensure that system performance is satisfactory when you are using session persistence.

TMM hash table size (CR58494)
We have increased the size of the Traffic Management Microkernel (TMM) hash table to ensure that system performance is satisfactory.

Installation of f5-webui package (CR58497)
When you install the f5-webui package, the BIG-IP system no longer displays warning messages.

Dependency of the bcm56xxd service on the Syslog-ng utility (CR58625)
The bcm56xxd service no longer depends on the starting of the Syslog-ng utility. Therefore, if the Syslog-ng utility cannot start for any reason, the bcm56xxd service still runs.

Information shown by the qkview utility (CR58718)
In this release, the qkview utility shows more comprehensive information by no longer omitting core file and other types of information.

Memory use resulting from behavior of iControl SOAP interfaces (CR58774)
iControl SOAP interfaces no longer disrupt Traffic Management Microkernel (TMM) traffic due to excessive memory use.

SCCP debug information from the qkview utility (CR58840)
In this release, the qkview utility provides additional SCCP debug information.

pvad log messages on large configurations (CR58888)
On systems with more than either 16 VLANs or 32 network virtual servers, log messages that the pvad service generates are no longer as verbose.

PVA data transmission (CR59100)
For accelerated virtual servers, the Packet Velocity ASIC® (PVA) no longer transmits corrupted data to the Traffic Management Microkernel (TMM) service.

SSL connections during mid-stream handshake (CR59167)
For SSL connections using a Cavium-supported suite, the system correctly handles SSL connections during mid-stream handshake.

Alerts for closed SSL sessions (CR59210)
In certain circumstances where an SSL session has already been closed, the BIG-IP system prevents the Traffic Management Microkernel (TMM) service from sending an SSL alert.

Space limitations on Compact flash (CR59341)
This release corrects a problem with space limitations when you installed hotfixes on certain 9.2.x platforms. In this release, there is adequate space on the Compact flash to install hotfixes on all 9.2.x platforms.

Trunks and load balancing of egress traffic (CR59401)
In this release, on 8400 platforms with trunks implemented, the system is load balancing egress traffic correctly.

Version 9.2.2 features and fixes

The 9.2.2 maintenance release included the following features and fixes.

Features from version 9.2.2

8400 platform support
This release includes support for the new 8400 platform.

Global Traffic Manager
In this release, you have the option to license the TMOS integrated Global Traffic Manager. For more information about the Global Traffic Manager, see the Global Traffic Manager release notes.

Link Controller
In this release, you have the option to license the TMOS integrated Link Controller. For more information about the Link Controller, see the Link Controller release notes.

Using a literal carriage return in a monitor parameter string (CR43128)
In this release, the system can interpret literal carriage returns in monitor strings that are created by pressing the Enter key. If the string you are creating requires a literal carriage return, press the Enter key.

Fixes from version 9.2.2

Redundant systems and assigning duplicate IP addresses (CR43330)
If you have a redundant system, and on both units you assign the same IP addresses on the internal and external VLANs, the system generates an error message. This is not a valid configuration.

Discard option during the upgrade process (CR44129)
In this release, the discard option handles the boot entry for the discarded installation from the grub.conf file correctly. This means that installations that you have discarded do not appear as options on the grub.conf list at boot time.

HTTP: redirect rewrite and ports (CR45211)
In this release, the HTTP redirect rewrite feature removes the port string from the redirect response if it is the node's port.

HTTP: Support for the CONNECT method (CR45526)
In this release, the system supports the CONNECT method correctly.

L4 connection mirroring and fail-back (CR45480)
In this release, L4 connection mirroring works correctly with the fail-back feature.

Benign error message when network booting from CD image (CR45998)
This release corrects the problem that caused the following benign error message when you boot the BIG-IP system from the CD image:
msg insmod e100: no module by that name found
You no longer see this message.

Forcing speed and duplex settings on the management interface (CR46765)
In this release, you can force the speed and duplex settings on the management interface. In previous releases, if you tried to force the media settings of the management interface, bigpipe would fail silently.

bigpipe: syntax for adding a pool member (CR47907)
Adding a member with a connection limit to an existing pool requires only one command. Use the following command syntax to add the member and the connection limit:

b pool poolname member 10.0.0.5:80 limit 5000 add

Configuration utility: Host Name on the Platform screen (CR50443)
In this release, the host name is correctly validated on the Platform screen in the Configuration utility.

SCCP: log files and disk space (CR52506)
This release corrects a problem that could cause the SCCP log files to grow too large and take up disk space.

F5KM: Self-signed certificates missing NULL parameter in signature data (CR52590)
In this release, the self-signed certificates generated on the system are encoded with an RFC-specified NULL parameter value.

Active-Active connection mirroring (CR52826)
In this release, the system mirrors active-active secrets correctly.

Resetting ephemeral statistics (CR52968)
In this release, ephemeral statistics are reset when you reset statistics for a virtual server.

Mirrored connections for SIP persistence (CR53039)
In this release, Session Initiation Protocol (SIP) persistence works for mirrored connections when failover occurs.

Dropping the SX link for a fiber interface (CR53045)
In this release, the Configuration utility reports the correct status for fiber interfaces.

Changing the terminal baud rate setting (CR53026)
When performing a PXE boot, the terminal baud speed setting is set correctly in this release.

Configuration utility: New Connections detail graph title (CR53308)
We have changed the title of the New ClientSSL Accepts/Connects graph to the correct title New Accepts/Connects.

Reciprocal ARP entries (CR53318)
In this release, the system creates reciprocal Address Resolution Protocol (ARP) entries using the correct timeout value (arp.timeout).

Hardware acceleration: virtual servers with mixed software and hardware acceleration attributes (CR53440)
In this release, virtual servers with software and hardware acceleration attributes use hardware acceleration appropriately.

Log files and HTML/JavaScript (CR53532)
Log files displayed in the Configuration utility no longer contain HTML or JavaScript.

Configuration utility: STP configuration on list page (CR53628)
In this release, you can save the STP configuration on the list page in the Configuration utility.

Erroneous HTTP profile setting for virtual servers (CR53645)
On the Configuration utility screen for creating a forwarding type of virtual server, the utility no longer displays the HTTP Profile setting.

OneConnect™: detaching for HTTP/1.0 304 messages (CR53841)
In this release, OneConnect handles HTTP/1.0 304 messages correctly.

End-User Diagnostics menu item is available after installing version 9.1 (CR53894)
Installation of version 9.1.1 does not remove the End-User Diagnostics (EUD) menu item.

Clone pools are not demoted (CR53948)
In this release, clone pools are handled correctly with hardware acceleration.

Virtual servers referencing multiple iRules (CR53976)
The system no longer experiences problems when a virtual server references more than one iRule.

Changing rule order or priority on virtual servers (CR54042)
Changing the order of two rules referenced by the same virtual server and reloading the configuration no longer destabilizes the system.

Other External User Role option synchronization across multiple systems (CR54207)
When you assign a value to the Other External User Role option on one system, that value overwrites the default value on another system if that system still has the default value, No access. You no longer have to log on to the additional systems and modify the value manually.

ConfigSync user roles are no longer configurable (CR54267)
Users who are assigned as the ConfigSync user can no longer change their role unless they are unassigned as the ConfigSync user.

Configuration utility: application error on New Profile screen (CR54321)
We have corrected a major application error that occurred when you clicked the Next button on the Create New Profile screen.

Server profiles page and actual server profiles (CR54322)
In this release, the Server Profiles page displays all appropriate server profiles.

Swiftcurrent platforms: SSL handshake resume and OCSP and Client Certificate LDAP authentication (CR54511)
In this release, OCSP or Client Certificate LDAP authentication works correctly on the following platforms.

  • BIG-IP 1000 (D39)
  • BIG-IP 2400 (D44)
  • BIG-IP 5100 and 5110 (D51)

SNMP trap ID ranges (CR54747)
The range of SNMP trap IDs that the BIG-IP system uses no longer overlaps the range of trap IDs that the 3-DNS product uses.

iRule LINK::qos command (CR54791)
In this release, the iRule LINK::qos command behaves as expected.

Large configurations with several VLANs (CR54799)
When loading a large configuration (such as 257 VLANs) on the BIG-IP system, the system no longer generates PVA statistics errors regarding packet deserialization.

OpenSSL update (CR55070)
In response to various security advisories, we have updated the version of OpenSSL to version 0.9.7i.

TMM availability and NULL pool members (CR55251)
The Traffic Management Microkernel (TMM) service no longer becomes unavailable due to a pool member being set to NULL.

Escape characters for send and receive strings in monitors (CR55366)
In this release, the Monitors chapter of the Configuration Guide for Local Traffic Management explains how to use escape characters to specify multi-line Send String and Receive String values.

Modification of the StateMirror.^IPaddr bigdb key (CR55483)
The Traffic Management Microkernel (TMM) service is no longer adversely affected when you modify the bigdb key StateMirror.^IPaddr.

Reselection of last hop gateway (CR55761)
In this release, the BIG-IP system reselects the correct last hop gateway when a pool member is unavailable.

Enabling and disabling VLAN groups on a virtual server (CR56577)
In this release, when configuring the VLAN Traffic setting of a virtual server configuration, if you specify a VLAN group, hardware acceleration demotes to Assisted mode. A way to avoid this is to separate the VLAN group into its VLAN members, specifying the individual members in the VLAN Traffic setting.

Returned From string and SIP monitor (CR56819)
In this release, the SIP monitor accepts a returned From string regardless of whether the URI is encased in angle brackets (<>) or not.
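The two SIP monitor fixes in this note (CR57997 and CR56819) both concern header forms that SIP permits: the compact names i: and f:, and a From URI with or without angle brackets. The following Python code is an added example, not F5's monitor code; the function names, the comparison logic, and the sample responses are constructed for illustration.

```python
import re

# Compact header names named in CR57997, mapped to their long forms.
COMPACT_NAMES = {"i": "call-id", "f": "from"}

# Constructed sample responses (not captured from a real server).
LONG_FORM = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Monitor\" <sip:monitor@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "\r\n"
)
COMPACT_FORM = (
    "SIP/2.0 200 OK\r\n"
    "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "f: sip:monitor@example.com;tag=1928301774\r\n"
    "i: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "\r\n"
)


def parse_headers(response):
    """Return {long lower-case header name: value}; first occurrence wins."""
    headers = {}
    lines = response.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line:
            break                   # a blank line ends the header section
        name, sep, value = line.partition(":")
        if not sep:
            continue                # not a header line
        name = name.strip().lower() # header names are case-insensitive
        name = COMPACT_NAMES.get(name, name)
        headers.setdefault(name, value.strip())
    return headers


def from_uri(value):
    """Extract the URI from a From value in either form (CR56819)."""
    bracketed = re.search(r"<([^>]*)>", value)
    if bracketed:
        return bracketed.group(1)
    # Without angle brackets, everything after the first ';' is a header
    # parameter (for example the tag), not part of the URI.
    return value.split(";", 1)[0].strip()


def response_matches(response, expected_call_id, expected_from):
    """True if the response echoes the Call-ID and From URI that were sent."""
    headers = parse_headers(response)
    if "call-id" not in headers or "from" not in headers:
        return False
    return (headers["call-id"] == expected_call_id
            and from_uri(headers["from"]) == expected_from)


if __name__ == "__main__":
    for label, resp in (("long", LONG_FORM), ("compact", COMPACT_FORM)):
        ok = response_matches(resp, "a84b4c76e66710@192.0.2.10",
                              "sip:monitor@example.com")
        print(label, "accepted" if ok else "rejected")
```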

Monitors: MSSQL monitor and send parameter (CR57045)
In this release, you can use the MSSQL monitor without the send parameter configured.

SSL monitor: Stale SSL handle goes bad and stays bad (CR63815)
In previous releases, an SSL monitor's SSL* structure could become stale or corrupt and could not be reused. This condition has been corrected.

Version 9.2 features and fixes

The 9.2 release included the following features and fixes.

Features from version 9.2

Integrated Application Security Manager (ASM)
In this release, you have the option to license the TMOS integrated Application Security Manager (ASM). For more information about ASM, see the BIG-IP Application Security Module version 9.2 release notes.

520/540 platform support
This release is supported on the 520/540 (D35) platforms.

End-user diagnostics for hardware
This release contains the end-user diagnostics (EUD) test suite. The EUD provides the ability to diagnose hardware related problems on the 1500 (C36), 3400 (C62), 6400 (D63), and 6800 (D68) platforms. For more information, see End-User Diagnostics: Field Testing Hardware.

Statistics Profile
The Statistics profile provides user-defined statistical counters. Each profile contains 32 fields (Field1 through Field32), which define named counters. Using a Tcl-based iRule command, you can use the names to manipulate the counters while processing traffic. For more information, see Chapter 5, Understanding Profiles, in the Configuration Guide for Local Traffic Management.

Optional configuration changes

Once you have installed the software, you can use any of the following configuration options to update your configuration.

Note that these new configuration options are the result of one or more of the fixes or enhancements listed above.

Using SNMP read/write OIDs

You can use the following SNMP OIDs in read/write mode. However, SNMP is not intended to be used as a general API for configuring the BIG-IP system. These SNMP OIDs are shown in this table.

OID Name                       OID Value
ltmVirtualServEnabled          Enable/disable virtual server
ltmVirtualAddrEnabled          Enable/disable virtual address
ltmNodeAddrNewSessionEnable    Enable/disable node address
ltmNodeAddrMonitorState        Force up/down node address
ltmPoolMemberNewSessionEnable  Enable/disable pool member
ltmPoolMemberMonitorState      Force up/down pool member

New SNMP OIDs

The version 9.x releases often include SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

Using the switchboot utility

Beginning with the version 9.0.2 release, functionality was added to install multiple versions of the BIG-IP software on different boot images on one unit. A boot image is a portion of a drive with adequate space required for an installation. If the hardware supports multiple boot images, you are prompted to install the software on multiple boot images during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

The switchboot utility is available to manage installations on different boot images. You can use the switchboot utility from the command line to select which installed image boots. To run the switchboot utility, type the following command:
switchboot

A list of boot images and their descriptions displays. Type the number of the boot image you want to boot at startup. When you reboot the system, it starts from the slot you specify.

If there is only one boot image available, the switchboot utility displays a message similar to this one and exits.
There is only one boot image to choose from: title BIG-IP 9.2.2 Build 167.4 - drive hda.1

Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.

To use switchboot in non-interactive mode

If you know which boot image you want to boot, you can type the following command and specify the boot image number for <bootimage_number>:
switchboot -s <bootimage_number>

To use switchboot to list available boot images and the currently active boot images

If you want to list the available boot images without specifying a new boot image from which to boot, type the following command:
switchboot -l

To list options for switchboot

To list the options for the switchboot utility, type the following command:
switchboot -h

To view the contents of the boot configuration file using switchboot

You can view the complete contents of the boot configuration file (grub.conf) with the following command:
switchboot -d

This command is slightly different from switchboot -l in that -l only lists the boot image header lines, while -d displays the complete file.

Known issues

The following items are known issues in the current release. Maintenance release known issues are cumulative, and include all known issues for a release.

1500, 3400, and 6400 platforms: SSH session remains open after peer reboot (CR40503)
When you establish a secure shell (SSH) session between two units on the 1500, 3400, or 6400 platforms, and you reboot the unit to which you established the SSH session, the SSH session remains open until it reaches its timeout.

Trunks on a BIG-IP 2400 (D44) IP Application Switch (CR40507)
On a BIG-IP 2400 platform, if you connect multiple ports to one switch, you may form a bridging loop, which causes Traffic Management Microkernel (TMM) to restart repeatedly. The best solution is to configure the network so no bridging loops exist. If this cannot be accomplished in your configuration, you can resolve the problem by enabling spanning tree protocol if you connect multiple ports to one switch.

SIP persistence and persist iRule commands (CR40579)
In this release, the persist iRule commands do not support session initiation protocol (SIP) persistence.

Default route specification for IPv6 (CR40808)
Because the default configuration settings for Network Routes are for Internet Protocol version 4 (IPv4), you must specify both a destination and netmask value to specify a default route for Internet Protocol version 6 (IPv6). To specify an IPv6 default route, you must first choose a type of route instead of default gateway. Then specify the destination as :: and the netmask as :: to set the appropriate IPv6 default route.

OTCU: Displaying monitors saved at pool level in the Configuration utility (CR40977)
After you run the OTCU to convert your 4.5.x or 4.6.x configuration to a 9.x configuration, you cannot view the monitors on pool members until after you run the bigpipe load command twice, from the command line. Alternatively, you can reboot the system.

Configuration utility: Re-running the Setup Utility and VLAN configuration error messages (CR42790)
When you rerun the Setup Utility and use the Basic Configuration Wizard (which sets up the default internal and external VLANs), the configuration must meet the following guidelines. If the configuration violates one of these conditions, you see error messages, and cannot complete the configuration.

  • No more than one non-floating IP may be associated with VLANs named external or internal.
  • No more than one floating IP may be associated with VLANs named external or internal.
  • The self IP addresses associated with the VLANs internal and external must use one of the following port settings: Allow Default, Allow 443, Allow None.
  • The bigdb variable Statemirror.IPAddr must match the internal self IP.
  • A VLAN group may not be named external or internal.
  • A trunk may not be configured on VLAN external or internal.
  • The default route must be of type Gateway.

Failover and virtual servers with a OneConnect™ profile, an HTTP profile, and connection mirroring enabled (CR43517)
In a redundant system, if the active unit fails over, and the configuration contains virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled, the failover process does not properly mirror the server-side OneConnect connections to the failover unit.

Link activity lights on the BIG-IP 3400 (C62) platform (CR43570)
On the BIG-IP 3400 platform, if you have trunks configured, the link activity lights on the front panel may not properly indicate link activity (turn green).

Configuration utility: Changing the refresh interval on the Preferences screen applies the change only to statistics screens not viewed yet (CR43613)
In the Configuration utility, on the System > Preferences screen, if you change the Default Statistics Refresh interval, view some statistics screens, and then change the Default Statistics Refresh interval again, the system applies the second update only to those statistics screens that you have not viewed yet.

bigpipe command immediately following bigstart restart command (CR44091)
After you run the bigstart restart command, the BIG-IP system takes a minute to initialize. If you run this command, you should wait at least a minute for the system to re-initialize before running additional bigpipe commands.

BIG-IP system caches unreachable IPv6 destinations regardless of IPv6 route updates (CR44109)
A problem may occur where the BIG-IP system caches an unreachable IPv6 destination. This problem might occur if you add the wrong default route, delete it, and change to the correct route, only to find traffic fails to reach the destination.

FTP data channel with Layer 7 FTP connections and non-equal MTUs (CR44165)
Non-equal MTUs may cause Layer 7 FTP connections to stall. If you are using a switch to negotiate the MTU with the BIG-IP system, this is not likely to happen.

Fast L4 profile: Reset on timeout disable and the idle timeout value (CR44261)
Changing the Reset value on the timeout option to disable appears to change the idle timeout value. However, this affects only the value displayed by the system, not the system setting and the functionality of the system.

Configuration utility: Deleting floating IP addresses and non-floating IP addresses (CR44297)
In the Configuration utility, we recommend that you always delete floating IP addresses before you delete non-floating IP addresses.

IPv6: Transparent monitors (CR44388, CR44407, CR44408)
The current IPv6 implementation does not support transparent monitors.

Supported MTU for BIG-IP systems and IPv6 (CR44733)
The minimum supported MTU for a BIG-IP system using IPv6 is 1280.

Error when swapping RADIUS server keys during a re-load after swapping the server IP addresses (CR44769)
You may see an error when you attempt to swap RADIUS server keys during a configuration reload. You can work around this problem by unconfiguring one of the servers before redefining the other.

Brackets in commented sections of rule syntax (CR44839)
Brackets in commented sections of rule syntax are counted in the bracket count. We recommend that you balance the brackets in the comments.

NAT and ICMP (CR44849)
Currently, Network Address Translation (NAT) tables do not forward Internet Control Message Protocol (ICMP) packets.

Configuration utility: Load Balancer Limited and the Fast L4 profile (CR44866)
The BIG-IP Load Balancer Limited product does not provide the ability to create or edit a Fast L4 profile.

Restoring a configuration and overwriting SSH keys (CR45173)
UCS files back up and restore host and root SSH keys, but there are many situations where these keys are stale, and break communications with the SCCP host subsystem.

Validating routes (CR45212)
Currently the system does not fully validate route configurations, and it is possible to add a route to the configuration for which the gateway router is on the destination network.

SNAT translation addresses and idle timeout values (CR45352)
If you create a SNAT that is not associated with a virtual server, and the idle timeout of the translation address is indefinite, the system uses the default timeout defined in the Fast L4 profile (300 seconds). Also, creating a default SNAT with an idle timeout value lower than the Fast L4 timeout value can cause problems.

Using automatic licensing and errors in the Configuration utility (CR45369)
In the Configuration utility, when you select the Automatic option for licensing, if the system cannot communicate with the F5 Licensing Server, the system generates a major application error. To work around this issue, close the current browser session, open a new session, and select the Manual option instead. Note that this happens only in rare instances.

Configuration utility and bigpipe for SSL profile setting display discrepancies (CR45537)
On the SSL Profile screen, select the Renegotiate Period option and leave it at the default setting, Indefinite. When you view the same setting in the bigip.conf file, you see this number, 138635524 (which equates to 4.396 years), instead of indefinite.

Application Accelerator: Logging options display for unavailable features (CR45546)
In the Configuration utility, on the System > Logs > Options screen, you see logging options for the Packet Velocity™ ASIC. This feature is not available on the Application Accelerator product.

Acceptable characters in SSL certificate names and common names (CR45721, CR45722)
If you create a certificate name or common name that uses invalid characters (for example asterisk, comma, question mark, exclamation, forward slash, ampersand), the system generates an error message that is incorrect. The error message states that these characters are valid; however, the only acceptable characters are alphanumeric characters, hyphen, and underscore.

Generating SSL certificates and keys and Configuration utility errors (CR45725)
If you try to generate an archive file for SSL certificates and keys, and you do not type a name for the file, the system generates an error. If you then add a name and click the Generate and Download button, the system saves the file but the Configuration utility remains in the error state. Simply click Cancel after you have saved the file, which returns you to the SSL Certificate list screen.

Parsing iRules syntax requirement (CR45767, CR59340)
The system cannot load an iRule when there is no space between a set of braces ( {} ). To work around this issue, add a space between the braces, as follows: { }. Note that the space is required.

Importing non-FIPS keys into a FIPS system (CR45853)
If you import non-FIPS keys to a FIPS system, and then convert the non-FIPS keys to FIPS keys, the system continues to use the non-FIPS keys until you restart the Traffic Management Microkernel (TMM) process. You can perform this task from the command line, by typing bigstart restart.

radvd utility and restarting or rebooting the system (CR45882)
In rare circumstances, the radvd utility may start too early when you restart or reboot the system. As a result, the utility does not properly advertise routes. If you experience this issue, simply restart the radvd utility on the System > Services screen in the Configuration utility.

IM upgrades and modprobe dependencies error messages (CR45885)
When you upgrade your system using the IM upgrade process, you may see the following error message when the system starts the automatic reboot, after the installation completes:
modprobe: Can't open dependencies file
You can ignore this error; it is benign.

IM upgrades and kernel journaling error messages (CR45970)
When you use the IM upgrade process, you may see kernel journaling error messages on the console after the installation completes. The error messages are benign and can be ignored.

Creating VLANs with period in the name (CR46028)
Using the sysctl -a command prints the /proc/sys file system. This command displays the information about each file under the tree as if it were a variable separated by period (.). It also translates the forward slash (/) into a period. When you create a VLAN with a period in the name, sysctl translates that into a forward slash (/), but then cannot read the file name it just created.

Configuration utility: white space in imported certificates (CR46150)
Currently, white space in imported certificates is not handled correctly. Certificates with extra whitespace after the begin certificate or before the end certificate statements are rejected.

Virtual Server - No Nodes Available trap and log message (CR46596)
The No Nodes Available trap and log message do not exist in BIG-IP version 9.x. Currently, when all nodes in a virtual server are marked down, a message is logged for each pool member of the virtual server. For example, you might see a message like this for each member of a pool on the virtual server:
Mar 24 09:01:00 bip6400 mcpd[864]: 01070638:3: Pool member 10.10.10.40:80 monitor status down.

BIG-IP system behavior when the product license expires (CR46636)
Currently, when the product license expires on the BIG-IP system, it does not fail over to a peer system with an active valid license.

Creating a wildcard virtual server without the virtual address entry (CR46657)
If you create a wildcard virtual server without a virtual address entry (0.0.0.0) with Address Resolution Protocol (ARP) disabled, ARP is set to enabled when the configuration is saved. After you create the wildcard virtual server, you can change the ARP setting back to disabled.

Changing an existing pool into a gateway failsafe pool (CR46870)
To change an existing pool into a gateway failsafe pool, you must first delete the existing pool and recreate it as a gateway pool type.

Preservation of Configuration utility preferences through upgrades (CR46872)
If you have made any changes to the system settings of the Configuration utility, you must re-implement those settings when you upgrade the system, as these settings are not carried through during the upgrade process.

bigtop utility and failover (CR47361)
If you are running the bigtop utility on an active unit, and then the system fails over, you need to restart bigtop to refresh the bigtop statistics.

Serial console messages during bootstrap (CR47395)
When booting up certain BIG-IP systems, you might see some corrupted messages on the serial console. This issue occurs rarely, and does not affect system usability or performance. You can ignore these messages.

SSL certificates: native serverssl stack does not support client-side certificates (CR47702)
When using Server SSL (SSL re-encryption) and the node requests a client certificate, the BIG-IP system does not send a client-side certificate. To work around this issue, specify ALL as the cipher in the server SSL profile.

SSL session ID persistence breaks on re-handshake (CR48114)
Session ID persistence is unaware of mid-connection renegotiations. As a result, the system may not add a new persistence entry for a new session ID that is negotiated in the middle of a connection.

Trailing whitespace on Tcl if statement and line continuation of else (CR48213)
Any trailing white space in a Tcl statement breaks the line continuation of the rule statement. To avoid this problem, remove any white space at the end of each line of the Tcl statement.
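The three iRule parsing issues listed above (CR44839, CR45767 and CR48213) can be checked for before a rule is loaded. The following Python script is an added example, not F5 code; the function name lint_irule, the finding labels, and the sample rule are constructed for illustration, and treating both braces and square brackets as "brackets" in comments is an assumption.

```python
# Workarounds as stated in this release note, keyed by finding label.
ADVICE = {
    "unbalanced-comment": "balance the brackets in the comment (CR44839)",
    "empty-braces": "write { } with a space between the braces (CR45767)",
    "trailing-whitespace": "remove white space at the end of the line (CR48213)",
}

# Constructed sample iRule (not from the release note). Line 2 has an
# unbalanced bracket in a comment, line 3 ends in a space, line 5 uses {}.
SAMPLE_IRULE = (
    'when HTTP_REQUEST {\n'
    '    # route admin traffic [see change request\n'
    '    if { [HTTP::uri] starts_with "/admin" } { \n'
    '        pool admin_pool\n'
    '    } else {}\n'
    '}\n'
)


def lint_irule(text):
    """Return a list of (line_number, label) for the three known issues."""
    findings = []
    # split("\n") keeps a trailing "\r" from CRLF files, so it is reported
    # as trailing white space as well.
    for number, line in enumerate(text.split("\n"), start=1):
        body = line.lstrip()
        # Only whole-line comments are examined (assumption: inline
        # ";#" comments are not used in the rule).
        if body.startswith("#"):
            braces_ok = body.count("{") == body.count("}")
            squares_ok = body.count("[") == body.count("]")
            if not (braces_ok and squares_ok):
                findings.append((number, "unbalanced-comment"))
        if line != line.rstrip():
            findings.append((number, "trailing-whitespace"))
        if "{}" in line:
            findings.append((number, "empty-braces"))
    return findings


def report(text):
    """Format findings with the workaround text for each one."""
    return ["line %d: %s" % (n, ADVICE[label]) for n, label in lint_irule(text)]


if __name__ == "__main__":
    for entry in report(SAMPLE_IRULE):
        print(entry)
```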

Cavium FIPS card and TMM traffic (CR48321)
If the Cavium FIPS card is not logged in, the Traffic Management Microkernel (TMM) service does not pass traffic. To work around this issue, reboot the system. This runs the /etc/rc.d/init.d/cavium script, which logs in the Cavium card.

Deleting select ports from a multi-port mirror configuration (CR48376)
You cannot delete select ports from a multi-port mirror configuration. You must delete the entire multi-port mirror configuration and reconfigure it with a new port list.

LCD reports active while the command line prompt states the system is inoperative (CR48409)
The LCD can report only three types of system status: Active, Standby, or Standalone. If the system is in a different state, it may not be reported on the LCD screen.

RADIUS: white space in the client ID (CR48453)
Blank spaces in RADIUS client IDs are not supported by the system. Any part of the ID that appears after the blank space does not display correctly.

Configuring multiple RADIUS server objects that use the same server IP address and port (CR48464)
You cannot configure multiple RADIUS server objects that share the same server IP address and port.

System unavailability due to low memory (CR48465)
In certain low-memory situations related to Packet Velocity™ ASIC (PVA), the system can become unavailable.

Loading large external classes (CR48489)
Loading an external class file with more than 100,000 kilobytes of data may cause the system to become unstable.

TCP::collect implicitly holds the accepted event (CR48592)
The TCP::collect command is not appropriate for some protocols where the server sends data first, such as banner protocols.

System unavailability due to memory depletion (CR48594)
When processing an extremely high number of connections per second (approximately 30,000), with very large window sizes for compression, the system can run out of memory, causing a system failure. Occurrence of this event is highly unlikely.

Support for link down time on failover (CR48728)
For BIG-IP 520/540 (D35) systems that make use of VLAN groups, the Link Down Time on Failover feature is unsupported.

BIG-IP system using UTC time for hardware (CR48737)
After upgrading the system from BIG-IP version 9.1, you may receive timestamp errors when you install a saved BIG-IP version 9.1 UCS file. These errors are benign. The system clock will correct itself.

Using the base FastHTTP profile (CR49182)
Once you configure the BIG-IP system to use the base FastHTTP profile, the profile continues to prime server-side connections, even if there are no virtual servers currently configured to use the FastHTTP profile.

Misconfigured iRule can cause TMM to restart (CR49375)
If an iRule is not configured to use the variable name form to access the class or data group (matchclass or findclass), then Traffic Management Microkernel (TMM) restarts.

Checking product version when licensing features (CR49435)
When you request licensing for additional modules, the license server does not check that you are running a product version that supports those modules.

drop and reject commands for UDP traffic (CR49445)
When processing UDP traffic, the system does not always handle the iRule commands drop and reject properly.

ssldump utility on BIG-IP 1000 platforms (CR49446)
On BIG-IP system 1000 platforms only, the Traffic Management Microkernel (TMM) service can become unavailable due to a problem with the ssldump utility.

Fast HTTP profile Header Insert option (CR49530)
The Fast HTTP profile's Header Insert option does not perform a variable expansion in its configured header insert. For example, [IP::client_addr] is inserted literally. Although this is inconsistent with the HTTP profile, this was done to increase HTTP performance. To configure the Fast HTTP profile to insert the original client IP address as a standard X-Forwarded-For header value, modify the Fast HTTP profile and enable the XForwarded-For header option. Additionally, Fast HTTP supports the HTTP_REQUEST iRule event as well as the HTTP::header insert iRule command, which you can use to insert arbitrary HTTP headers.

Configuration load message about VLANs (CR50019)
Loading a new configuration over an existing one can generate a message when the two configurations include a VLAN with the same name but different interfaces assigned to them.

FTP monitor in default mode does not query resources (CR50237)
The default mode for the FTP monitor is passive. This mode instructs the monitor to only determine if the resource attempts to communicate with the BIG-IP system, which is not an effective FTP test. We recommend you change the mode of the FTP monitor to a setting other than passive.

Mirroring data between units in a redundant pair (CR50330)
If the configurations for both units in a redundant system do not match, it can cause state mirroring to fail and result in general system instability.

Invalid configuration can result in inoperative system (CR50389)
If you create an invalid configuration (typically through the command-line interface), you can render the system inoperative. We recommend you back up your configuration prior to making changes, and then after changing the configuration, run the b load command to ensure the configuration is valid.

Deleting system authorization iRules (CR50407)
You cannot delete system authorization iRules. If you attempt to use the delete checkbox next to a system authorization iRule in the iRule List, you receive an error.

VLANs with dashes ( - ) in the name (CR50441)
The Linux router advertisement daemon (radvd) cannot process an interface name containing a dash ( - ). To avoid errors, verify that the VLAN name, on which radvd is enabled, does not contain dashes.

Exporting SSL Keys on a BIG-IP 6400 FIPS system (CR50553)
If you attempt to export a non-FIPS SSL key on a BIG-IP 6400 FIPS system, the BIG-IP system returns a Cannot export FIPS keys error. You can work around this if you have SSH or command line access to the system. For example, you can copy the keys from the /config/ssl/ssl.key/ directory using the scp command.

Installing BIG-IP version 9.2.3 on a system with an unformatted boot drive (CR50733)
When you install BIG-IP version 9.2.3 on a system that contains a boot drive that has not been formatted, or was formatted by an installation of BIG-IP version 4.x, the BIG-IP system returns the following error: 4.x upg : sfdisk: ERROR: sector 32164 does not have an msdos signature. This message is benign and has no effect on the installation.

Settings for tcp_timestamps (CR50852)
If you have previously turned off tcp_timestamps, you may have to re-disable tcp_timestamps by adding the following line to /etc/sysctl.conf:
net.ipv4.tcp_timestamps = 0

Loading a new BIG-IP system configuration (CR50872)
If you try to load a new configuration that eliminates a network object referenced by another network object in the previous (currently-loaded) configuration, the BIG-IP system returns an error. To work around this issue, remove from the previous configuration the reference to the object that is eliminated in the new configuration, and then load the new configuration. For example, if in the previous configuration a VLAN is referenced by a VLAN group, and that VLAN does not exist in the new configuration, you must remove from the VLAN group the reference to the eliminated VLAN, before you load the new configuration.

ICMP flows (CR51133)
The VLAN failsafe process generates multiple ICMP flows in a 300-second period. These ICMP flows are benign.

Interrupted TCP connections are aborted unnecessarily (CR51197)
If an Address Resolution Protocol (ARP) or Neighbor Discovery Protocol (NDP) entry times out or the peer is not responding, the connection is interrupted. These connections should only end when the system is unable to establish a connection.

Reuse of HTTP client connections (CR51406)
Allowing infinite reuse of HTTP client connections can cause problems. To prevent this, verify that you have specified a value for the Maximum Requests setting in your HTTP profiles.

Licensing a system that was upgraded from BIG-IP system version 4.6.2 (CR51472)
After you upgrade the BIG-IP system from version 4.6.2 to 9.2.3 and open the Configuration utility to license the new system, the License screen fails to automatically display the 9.2.3 registration key. If this occurs, populate the registration key field manually.

Gratuitous ARP messages sent on disabled virtual server (CR51833)
The system sends a gratuitous Address Resolution Protocol (ARP) message during failover, when the virtual server is disabled.

Trunk statistics (CR51893)
Statistics for trunks do not display properly.

Preferred active status and long-lived mirrored connections (CR52003)
If you reboot a BIG-IP unit that has preferred active status enabled (Failover.ForceActive=enabled), the peer unit does not continue to mirror the existing long-lived mirrored connections while the preferred active unit is inactive. This results in dropped long-lived mirrored connections.

The b global stats reset command (CR52004)
The b global stats reset command does not reset the following statistics: PVA assisted connections, HTTP requests, OneConnect™, and Stream replacements.

Remote RADIUS authentication (CR52073)
When you configure the system to use remote RADIUS authentication, the system also authenticates local users. This is by design.

Display of additional SSL TPS in Configuration utility (CR52164)
The License screen within the Configuration utility does not display the correct amount of additional SSL TPS licensed for that system.

Modification of destination address for custom transparent monitor (CR52255)
After creating a custom monitor with Transparent mode set to Yes, you cannot modify the Alias Address and Alias Service Port properties.

Inaccurate license error occurs on re-license (CR52277)
When re-licensing a 6400 system, the following message can appear: Warning: loading /lib/modules/2.4.21-9.2.0.142.0smp/kernel/drivers/crypto/vkd.o will taint the kernel: no license. See http://www.tux.org/lkml/#export-tainted for information about tainted modules. This message does not indicate a license issue and does not affect performance.

LDAP authentication configuration object (CR52300)
When you create an LDAP authentication configuration object, the User Template and Bind Password setting should be mutually exclusive. You should define one setting or the other, but not both.

Harmless progress messages during product installation (CR52337)
If you initiate the Installer application using a local-install IM package, some of the progress messages might incorrectly refer to a remote installation process, that is, one that requires an installation server. For example, the output of the boot loader application might temporarily list the entry remote-install-<x>. Although incorrect, these references to a remote installation are harmless.

TX/RX pause link negotiation (CR52459)
TX/RX pause negotiation of links is not available on 520/540 (D35) platforms.

Premature closing of HTTP connections (CR52482)
With a one-armed configuration, server-side HTTP connections sometimes close prematurely.

Error message regarding externally-stored classes when loading configuration data (CR52507)
If you are running the One-Time Conversion Utility (OTCU), and a UCS file includes an externally-stored class with a line containing an invalid netmask (such as 255.25.255.0), the bigpipe utility reports an error. In this case, you must find the external file, manually correct the error, and reload and save the configuration data.
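The netmask check described above can be run against an external class file before the configuration is reloaded. This is an added example, not F5 code: the `network <address> mask <netmask>,` line format, the function names and the sample data are assumptions made for illustration.

```python
# Added example, not F5 code: find non-contiguous or malformed netmasks
# (such as 255.25.255.0) in an externally stored address class.
import ipaddress


def is_contiguous_netmask(text):
    """True when text is a dotted-quad mask whose 1 bits are all leading."""
    try:
        value = int(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return False
    inverted = value ^ 0xFFFFFFFF
    # A valid mask inverts to 0...01...1, which is one less than a power of two.
    return (inverted & (inverted + 1)) == 0


def find_invalid_netmasks(text):
    """Return (line number, mask) for every line whose mask fails the check.

    Assumed line format: "network <address> mask <netmask>,". Lines without
    a "mask" keyword (for example "host <address>,") are skipped.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        tokens = line.split("#", 1)[0].replace(",", " ").split()
        if "mask" not in tokens:
            continue
        idx = tokens.index("mask")
        mask = tokens[idx + 1] if idx + 1 < len(tokens) else ""
        if not is_contiguous_netmask(mask):
            findings.append((lineno, mask))
    return findings


# Constructed sample class file; the addresses are documentation ranges.
SAMPLE_CLASS = """\
host 192.0.2.10,
network 198.51.100.0 mask 255.255.255.0,
network 10.20.0.0 mask 255.25.255.0,
network 203.0.113.0 mask 255.255.255,
"""

if __name__ == "__main__":
    for lineno, mask in find_invalid_netmasks(SAMPLE_CLASS):
        print(f"line {lineno}: invalid netmask {mask!r}")
```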

Neighbor Discovery and global addresses (CR52573)
The timeout on global Neighbor Discovery (ND) v6 entries can block ND solicitation for received traffic.

Redefining routes when assigning a MAC masquerade address for a VLAN (CR52602)
When you assign a MAC masquerade address to an existing VLAN, Linux automatically drops any existing static routes pertaining to the interfaces associated with that VLAN. To correct this problem, redefine the static routes using the bigpipe route command, or run the bigstart restart command.

Slow Ramp Time setting for pools (CR52670)
When creating a load balancing pool, the Slow Ramp Time setting is required. Failing to specify a value causes automatic use of an incorrect value.

Mirroring connections to IPv6 nodes (CR52696)
When mirroring connections to a load balancing pool that contains both IPv4 and IPv6 pool members, only the connections to IPv4 nodes are mirrored. Connections to IPv6 nodes are not mirrored.

Forced interface speeds (CR52846)
Setting a forced interface speed on an SFP Fiber interface can falsely cause a link up condition.

Timeout values for SNAT pool members (CR53064)
When adding a member to a SNAT pool, the system removes the timeout values that are currently set for the other members of the SNAT pool.

Trunk destabilization when loading configuration data (CR53181)
Reloading configuration data can temporarily destabilize any existing trunks, causing random trunk messages to appear. The trunks eventually return to normal.

Display of SSL profile options (CR53196)
When using the Configuration utility to display an SSL profile, some settings do not appear when the certificate name has a .pem file name extension instead of a .crt extension.

trunk command on the BIG-IP 6800 platform (CR53254)
On a 6800 (D68) platform only, when using the bigpipe trunk command to create a trunk, the trunk can fail to pass traffic after you add the first interface to the trunk. To fix the problem, type the following command: bigstart restart bcm56xxd

Behavior when attempting to load a non-existent configuration file (CR53396)
When you type the command bigpipe load <filename>, the system reloads the full configuration if the specified file does not exist, and does not generate an error message.

SSL certificate and key names (CR53446)
SSL certificate and key file names that include square brackets ([]) remain in the configuration data even when excluded from an archive. You must use the command line interface, and not the Configuration utility, to remove these certificates and keys from the configuration.

Certificate revocation lists and Client SSL profiles (CR53837)
The Traffic Management Microkernel (TMM) service becomes unavailable whenever a virtual server references a client SSL profile that specifies a certificate revocation list (CRL). This behavior may indicate that the referenced CRL file does not exist.

Encrypted ucs file installation when config.encryption flag set to off (CR54052)
If you disable encryption, you cannot install an encrypted .ucs file into the system. This issue is resolved by activating the encryption option, and then installing the file.

RAM Cache: empty URI excludes list causes everything to be cached (CR54077)
If you have an empty URI excludes list, the system will cache everything possible. You can work around this by creating an iRule that defines what items should be cached.

Log rotation and Tomcat™ service (CR54081)
In the event that the destination for the Tomcat service log files becomes full, the system automatically rotates log files to ensure that the most recent data is captured. However, the Tomcat service requires a restart each time it rotates a log file. This issue is resolved by ensuring there is adequate hard disk space for the Tomcat service, or by archiving log files on a scheduled basis.

User interface cannot install ucs files using special characters (CR54141)
When creating a ucs file, the command-line interface allows you to include special characters. However, these characters are not supported by the Configuration utility, resulting in the Configuration utility being unable to install the ucs file. This issue is resolved by avoiding special characters when creating ucs files.

Connection limit for priority activation groups (CR54291)
When a priority group within a pool reaches its connection limit, the next connection does not move to the next-highest priority activation group.

Cookie persistence profile settings (CR54410)
For cookie persistence profiles in which the Cookie Method setting is not set to Cookie Hash, the system should not display the settings Mirror Persistence, Match Across Services, Match Across Virtual Server, and Match Across Pools, but does. You should ignore these settings.

User role for accounts on remote authentication servers (CR54412)
When you change the default user role for accounts that are authenticated remotely, the user role for user accounts labeled as Other External Users does not change accordingly.

ZebOS and MD5 interoperability (CR54440)
On systems running both the ZebOS module and MD5, a race condition can occur when using the MD5 signature settings within a TCP profile. We recommend that you refrain from using the MD5 signature settings within a TCP profile.

Error message on non-Cavium systems (CR54443)
During a local installation, the system erroneously inserts the error message modprobe: modprobe - Can't locate module char-major-240 in the var/log/daemon.log file. This occurs on non-Cavium systems only.

ConfigSync encryption enabling or disabling (CR54446)
If you previously enabled encryption of configuration synchronization data and want to disable it using the Configuration utility, make sure that you first disable encryption using the Encryption setting on the ConfigSync screen. Then use the Preferences screen to set the Archive Encryption setting to Off. Doing these steps in this order prevents the occurrence of unexpected encryption behavior.

ARP requests and the management port (CR54468)
On a 6800 platform, packets sent through the external management port become corrupted and the system can no longer send Address Resolution Protocol (ARP) requests.

iControl and configuration synchronization (CR54587)
iControl does not indicate an exception if configuration synchronization does not succeed.

10GB interface option cannot be set (CR54832)
In the Configuration utility, certain interfaces contain the option to select 10GB. However, this version does not support this setting.

Media type on the 8400 platform (CR54835)
On the 8400 platform, setting the media type on SFP fiber ports causes a brief loss of link. This can cause the upstream switch to flush its Address Resolution Protocol (ARP) entry for the BIG-IP system.

System response on 302 responses into http/compress profile (CR54923)
The local traffic management (LTM) system occasionally responds incorrectly when a 302 error is received into an http/compress profile. The exact behavior depends on the LTM configuration. To resolve this issue, add an iRule that avoids compression when a 302 error is received.

PVA: virtual servers with unmatched MTUs (CR55240)
If you have VLANs with different MTU sizes, you should manually demote virtual servers or set the db variable Pva.Acceleration to none. An alternative is to set acceleration on a per-virtual server basis using a Fast L4 profile.

tcpdump utility on Packet Velocity ASIC 10 systems (CR55498)
When using the Linux tcpdump utility to see TCP packets on a VLAN, the utility does not produce expected results on BIG-IP systems that include the Packet Velocity™ ASIC (PVA) 10 feature. Note that the tcpdump utility works on interfaces or external trunks on PVA10 systems.

Cipher List setting in HTTPS monitor (CR55875)
When users other than admin use the Configuration utility to display an HTTPS type of monitor, the value of the Cipher List setting is truncated.

L7 mirrored connections are not re-mirrored after reboot and failover (CR55926)
If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second reboot and failover. Also, this does not apply to Fast L4 profiles.

Image selection after discard (CR55997)
On a 6400 platform, when you boot an image and then select that image to be discarded, the system does not require you to select another image. To work around this issue, you can use the switchboot utility to specify the default image to which you want the system to boot during startup.

Loss of links on SFP modules (CR56019)
For D62/C62 systems, the system sometimes does not detect the loss of a link on SFP modules that are set for autonegotiation.

Partial acknowledgements can result in TMM issues (CR56110)
When a mirrored connection receives a partial acknowledgement (ACK) and the data being acknowledged has not passed through TCP4 yet, the Traffic Management Microkernel (TMM) service might generate warnings, as there may be insufficient data in the send queue to drop. There is no workaround for this issue.

Receiver side SACK report can contain stale information (CR56169)
During normal operations, the receiver side SACK report can contain stale information. There is no workaround for this issue.

Non-existent last hop pool and virtual server (CR56234)
You should not be able to assign a pool of last hop routers to a virtual server when that pool does not exist, but currently the system allows it.

Non-existent clone pool and virtual server (CR56238)
You should not be able to assign a clone pool to a virtual server when that clone pool does not exist, but currently the system allows it.

ConfigSync User passwords (CR56405)
When you use the command line interface to change the ConfigSync User password on a unit of a redundant system, the BIG-IP system should display a reminder to change the password on the peer unit. However, it currently does not. For configuration synchronization to succeed, the passwords on the two units must match.

Rule setting for authentication profiles (CR56510)
When the system displays the New Authentication Profile screen for a specific type of profile and you change the Type setting to a different profile type, the value of the Rule setting does not change accordingly. You must explicitly change the value of the Rule setting to match the newly-selected profile type.

Saving Syslog-ng data (CR56679)
When you create a .ucs file, the saved configuration data does not include the Syslog-ng configuration file, /etc/syslog-ng/syslog-ng.conf. Consequently, restoring the saved configuration does not restore any Syslog-ng configuration changes that you made prior to saving the data.

Stats profiles and the bigpipe utility (CR56708)
When using the bigpipe virtual command to assign a Stats profile to a virtual server, the system does not automatically assign the necessary TCP profile. To work around this, either use the Configuration utility to create the virtual server and assign the Stats profile, or specify a TCP profile name on the bigpipe virtual command line.

Time zone specification after configuration synchronization (CR56739)
When you perform a configuration synchronization from one unit of a redundant system to another, the BIG-IP system assumes that the target unit is in the same time zone as its peer. The system therefore overwrites the time zone of the target unit with the time zone of the peer unit.

SSL connection on BIG-IP version 9.0.5-to-9.1.1 systems (CR56742)
For pre-9.1.0 systems that have been upgraded to version 9.1.1 and include a FIPS card and a Client SSL profile assigned to a virtual server, the system inadvertently terminates client SSL connections. You must reinitialize the FIPS cards after upgrading.

Prefer Fixed setting on copper and fiber cables (CR56810)
When both a copper and SFP fiber connection are used between two similar combo ports of two BIG-IP 8400 platforms, and the Prefer Fixed copper medium is selected as preferred on both ends, the SFP fiber becomes and remains active following system initialization.

Virtual servers and SSL profiles (CR56817)
If you assign an SSL profile to a virtual server, a message about an FTP profile may appear. This message is benign.

Performance and mirrored connections (CR56874)
On certain BIG-IP system platforms, a heavy traffic load (such as 100 megabytes of HTTP traffic) could adversely affect performance when the connections are being mirrored to the peer unit.

Media setting for management interface (CR56897)
If you set the media setting of the management interface to something other than auto (the default setting), and then save the configuration, remove the interface configuration data from the bigip_base.conf file, and reload the configuration data, the media setting for the interface does not reflect the default setting. The interface retains its previous media setting.

Passing traffic on newly-active system (CR56902)
After you configure the BIG-IP system, save the configuration, and restart the system using the bigstart restart command, the system indicates that it is active. However, you might experience a slight delay, from a few seconds to a minute, before the system begins to pass traffic.

Link status on peer system (CR56905)
When you disable a combo port, the link light turns off on the BIG-IP system. However, the link is not down on the peer system.

Online help for the Routes screen (CR56960)
The Configuration utility does not display the online help for the Routes screens.

Display of time zone in log messages (CR57033)
When you use the Configuration utility to change the time zone on the BIG-IP system, any log messages resulting from creating a pool or an archive show the previously-defined time zone. You can synchronize the new time zone and the subsequent log messages by using the bigstart restart command.

Configuration synchronization and remaining files (CR57245)
When configuration synchronization does not succeed, several files remain on the system in the /var/tmp directory instead of being automatically deleted.

The iRule SSL::session_id command (CR57248)
When you use the iRule command SSL::session_id to specify an SSL session ID, and that session ID includes a null character, the session ID is truncated.

TMM memory allocation restrictions and iRules (CR57252)
If an iRule attempts to buffer more than four megabytes of data into a Tcl variable, the Traffic Management Microkernel (TMM) service could become unavailable. This is due to a 4-megabyte TMM restriction on contiguous memory allocation.

Node status on removal of ICMP monitor (CR57256)
When you remove the ICMP monitor from a node, the node status should show that the node is not being checked.

OTCU does not check if passwords do not match (CR57259)
When running the One-Time Configuration Utility (OTCU), if you change the password, you are asked to type the new password twice. However, the OTCU does not check to make sure these two password entries match. The passwords are displayed on the screen. We recommend you verify that the passwords are correct before completing the password change. In the event that you mistype the password the second time, the first password is accepted.

False error occurs during bcm56xxd startup (CR57293)
When the bcm56xxd utility starts, you can get a false error message: bs_if_initialize_all: can't init <fname></ifname>. This error occurs unnecessarily and does not affect product performance.

Source and Target settings in Stream profiles (CR57307)
In a Stream profile, you cannot use the slash (/) character when specifying values for the Source and Target settings.

b pool show command lists inactive pools as active (CR57309)
In version 9.x, if you use the b pool show command, the system lists pools as active, even if they are inactive due to priority or load balancing settings. The status of the pool appears correctly in the Configuration Utility.

Upgrading from a newer to an older version (CR57354)
When using the im script to upgrade a local BIG-IP system installation from a newer version to an older version, you must specify the -force argument.

EUD does not adequately isolate external connections (CR57360, CR57362)
When the EUD runs, it assumes that there will be no external traffic in or out of the BIG-IP system, but external peers can still detect link connectivity and send traffic to the BIG-IP system. This can cause the EUD internal packet path test to fail.

Certain profile options are overwritten by Configuration utility (CR57421)
You can configure the following Client SSL or Server SSL profile options using the command line, but not the Configuration utility: MICROSOFT_SESS_ID_BUG, NETSCAPE_CHALLENGE_BUG, PASSIVE_CLOSE, and SSLREF2_REUSE_CERT_TYPE_BUG. If you modify the profile in the Configuration utility, you disable these options. We recommend that, if you need to use these options, you do not use the Configuration utility to configure them.

Fast L4 profile reset on timeout (CR57425)
When you disable the Reset on Timeout setting on a Fast L4 profile and specify an Idle Timeout value, the BIG-IP system still sends a reset (RST) packet and deletes the connection after the specified idle timeout value has expired.

RAM Cache performance degrades with Nagle enabled (CR57440)
The Nagle's Algorithm option in the TCP profile causes the system to copy the cached response. For larger cached responses, this can degrade performance. We recommend that you disable the Nagle's Algorithm option if RAM Cache is in use and performance is critical.

The domain command in iRules feature (CR57448)
The iRule domain command inadvertently truncates the domain name.

Counting of dropped packets (CR57456)
The drop count behavior for unicast packets with matching source and destination MAC addresses not associated with the receiving BIG-IP system differs between BIG-IP 1000 (D39), BIG-IP 2400 (D44), BIG-IP 5100 and 5110 (D51) and the BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), BIG-IP 8400 (D84) platforms due to switch hardware counter differences.

IPv6 lasthop pool node not chosen (CR57466)
When using IPv6, disabling the bigdb key connection.autolasthop sends the connection to the existing default route instead of a lasthop pool node.

Interface statistics and trunks (CR57478)
When you remove an interface from a VLAN and assign the interface to a trunk, the trunk inherits the statistics of the interface in the VLAN. The trunk should show new statistics rather than inheriting them from the interface.

Load sharing by 10-gigabit interfaces in a trunk (CR57479)
After you add a 10-gigabit interface to a working trunk that has another 10-gigabit interface, the load is not shared between both interfaces. Restart the lacpd service to fix the problem.

MCP validation improperly allows a virtual server to reference an incomplete base auth profile (CR57482)
Such profiles (for example, a stock ssl_ocsp profile without the config attribute set) should not be referenced by a virtual server.

Forwarding of IP fragments (CR57638)
When the Fast L4 profile setting Reassemble IP Fragments is set to the default value of disable and the size of the first fragment is less than 246 bytes, the system does not always forward egress fragments. To prevent this problem, make sure that the first fragment is greater than 246 bytes.

Link transmission status for media types (CR57564)
A disabled 10 Gigabit Ethernet interface on an 8400 may still indicate link up to its partner switch, which results in the link down on failover feature not working properly.

Syslog-ng: uninitialized interfaces after syslog-ng fails to start or if it has been manually configured (CR57698)
If syslog-ng does not start or if you have manually configured the syslog-ng daemon, the system interfaces may not initialize properly after you upgrade the system. For more information, see SOL5872: BIG-IP does not pass traffic and non-management interfaces are non-responsive after upgrading BIG-IP to version 9.1.1 or 9.2.3 and SOL5879: BIG-IP does not pass traffic and non-management interfaces are non-responsive if syslog-ng fails to start.

RIP version 1 non-functional on Local Traffic Manager version 9.0 or later (CR57708)
Certain advanced routing protocols (such as RIP v1) that depend on the BIG-IP system receiving directed IP broadcasts do not work on BIG-IP system version 9.x. This might affect the dynamic updating of the BIG-IP system's routing table.

bigpipe base list command output (CR57784)
When you type the command bigpipe base list, the output erroneously shows the default port lockdown value for the udp/520 protocol name as udp efs instead of the correct protocol name, router.

Excessive implementation of EXPORT ciphers degrades performance (CR57798)
The greater the number of EXPORT ciphers implemented in a configuration, the greater the chance of slower performance from the Local Traffic Manager. If the Local Traffic Manager is performing slower than expected, we recommend looking at the number of EXPORT ciphers in place and seeing if any of them can be removed or refactored.

Invalid user-modified variables (CR58128)
The BIG-IP system should not accept invalid values of user-modified variables that contain all zeroes. We therefore recommend that you do not use values containing all zeroes.

Data compression using deflatexxx and x-gzip (CR58225)
If the BIG-IP system receives an HTTP response with an Accept-Encoding header value that contains the string gzip or deflate, the data is erroneously compressed using the corresponding gzip or deflate compression algorithm. For example, if the header value is deflatexxx, the system compresses the data using the deflate algorithm. This is incorrect. The system should only use the gzip or deflate algorithm when the header value matches the algorithm name exactly (that is, when the header value is gzip or deflate).
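The difference between the substring match described above and an exact token match, as an added example (not F5 code). The function names are hypothetical and the header values in the test cases are constructed; the exact matcher also honors q-values, which goes slightly beyond the single-value case in the text.

```python
"""Substring vs. exact-token matching of coding names (CR58225 illustration)."""

# The two algorithm names the release note mentions.
SUPPORTED = ("gzip", "deflate")


def substring_match(header_value):
    """Behaviour described in the known issue: a value that merely
    contains a supported name selects that algorithm."""
    value = header_value.lower()
    for coding in SUPPORTED:
        if coding in value:
            return coding
    return None


def parse_codings(header_value):
    """Split a comma-separated coding list into (name, q) pairs."""
    codings = []
    for element in header_value.split(","):
        parts = [p.strip() for p in element.split(";")]
        name = parts[0].lower()
        if not name:
            continue
        q = 1.0
        for param in parts[1:]:
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val.strip())
                except ValueError:
                    q = 0.0  # unparsable weight: treat as not acceptable
        codings.append((name, q))
    return codings


def exact_match(header_value):
    """Select an algorithm only when a listed coding name equals a
    supported name exactly and its weight is above zero. The highest
    weight wins; on a tie the coding listed first in the header wins.
    Following the release note's rule, x-gzip and deflatexxx select nothing."""
    best, best_q = None, 0.0
    for name, q in parse_codings(header_value):
        if name in SUPPORTED and q > best_q:
            best, best_q = name, q
    return best


def compare(values):
    """Return (value, substring result, exact result) for each input."""
    return [(v, substring_match(v), exact_match(v)) for v in values]


if __name__ == "__main__":
    # Constructed header values.
    for row in compare(["gzip", "deflatexxx", "x-gzip", "deflate;q=0.5, gzip;q=0.8"]):
        print(row)
```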

Configuration synchronization password message (CR58256)
When you use the Allow Console Access check box on the Users screen to enable or disable console access, the system displays an unrelated message about the ConfigSync password. You can ignore this message.

User names in the ConfigSync User list (CR58267)
In the Configuration utility, for the ConfigSync User setting, user names for administrative users other than admin do not appear in the list of user names.

Command line support for Administrator-role users with remote accounts (CR58292)
If your user account has the Administrator role assigned to it and is stored on a remote authentication server, you do not have command line interface access to other remote user accounts. However, you can access remote user accounts through the Configuration utility.

Invalid IP address error message (CR58431)
When you assign an invalid IP address to a pool member, the system displays the following error message, which is not indicative of the actual problem:

BIGpipe: pool member creation error:
01070636:3: IP V6 not licensed (pool member 18d7:4308::)

Password expiration prompt (CR58444)
When your password is due to expire and the system prompts you to enter a new password, the New Password box is mistakenly populated with your old password. If you simply click Update, the system accepts the old password instead of requiring a new one.

User account removal (CR58498)
When you delete a user account from the BIG-IP system, the user entry in the file /etc/security/opasswd is not automatically deleted.
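One way to find the leftover entries described above, as an added example (not part of the BIG-IP software). It assumes the common pam_unix layout of name:uid:count:hash,hash,... for /etc/security/opasswd; the function names are hypothetical and the sample file contents are constructed.

```python
"""Audit a password-history file for entries left behind by deleted accounts."""


def load_accounts(passwd_text):
    """Map account name -> uid from /etc/passwd-style text."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[0] and not fields[0].startswith("#"):
            accounts[fields[0]] = fields[2]
    return accounts


def audit_opasswd(passwd_text, opasswd_text):
    """Return (line number, name, reason, stored hash count) for every
    history entry that no longer corresponds to a current account.

    Two cases are reported: the account is gone, or the name exists again
    under a different uid, so the old history belongs to a previous owner."""
    accounts = load_accounts(passwd_text)
    findings = []
    for lineno, raw in enumerate(opasswd_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":", 3)
        if len(fields) < 4:
            findings.append((lineno, fields[0], "malformed", 0))
            continue
        name, uid, _count, hashes = fields
        stored = len([h for h in hashes.split(",") if h])
        if name not in accounts:
            findings.append((lineno, name, "account deleted", stored))
        elif accounts[name] != uid:
            findings.append((lineno, name, "uid mismatch", stored))
    return findings


def prune_opasswd(passwd_text, opasswd_text):
    """Return the history text with every reported line removed."""
    flagged = {f[0] for f in audit_opasswd(passwd_text, opasswd_text)}
    kept = [
        raw for lineno, raw in enumerate(opasswd_text.splitlines(), 1)
        if lineno not in flagged and raw.strip()
    ]
    return "".join(line + "\n" for line in kept)


# Constructed sample data; the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:501:501::/home/alice:/bin/bash\n"
    "bob:x:510:510::/home/bob:/bin/bash\n"
)
SAMPLE_OPASSWD = (
    "alice:501:2:$1$PLACEHOLDER$aaaa,$1$PLACEHOLDER$bbbb\n"
    "carol:502:1:$1$PLACEHOLDER$cccc\n"
    "bob:503:1:$1$PLACEHOLDER$dddd\n"
)

if __name__ == "__main__":
    for finding in audit_opasswd(SAMPLE_PASSWD, SAMPLE_OPASSWD):
        print(finding)
```

To run it against a live system, read /etc/passwd and /etc/security/opasswd into the two text arguments and review the findings before writing the pruned text back.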

Secure password enforcement for root account (CR58544)
When a password expiration warning is displayed for the root account, the system erroneously applies the secure password enforcement settings to the new password. These settings should only be applied to non-Administrator user accounts.

VLAN assignment for virtual servers (CR58607)
In certain configurations, you can erroneously assign a virtual server to a VLAN other than the VLAN of the virtual server destination IP address. The system should perform data validation to prevent this from occurring.

References in authentication profiles to configuration objects (CR58629)
When you modify the default SSL Client Certificate LDAP profile to add a reference to an authentication configuration object, the system prevents you from removing that reference later. You cannot select None in the Configuration profile setting, and any custom profiles you create from that default profile continue to reference that same configuration object. We recommend that you create a custom profile instead of directly modifying the default profile.

Dynamic routes buffer size (CR58743)
When you are using the Advanced Routing Modules, the system does not distribute all dynamic routes to the Linux routing table, due to a buffer size being too small. This requires you to manually configure certain ZebOS settings to change the buffer sizes.

ConfigSync status in Configuration utility (CR58820)
After you perform a configuration synchronization from an active unit to a standby unit, the ConfigSync Status in the Configuration utility continues to recommend synchronizing the configuration. You can ignore this recommendation.

Warning message for password expiration (CR58828)
When a user's password is due to expire in less than 24 hours, the warning message states that the password will expire soon. If you see this warning message, change your password as soon as possible.

bigstart utility and Perl script error (CR58877)
Running the bigstart utility repeatedly on the BIG-IP system can trigger a Perl script error, causing the system to become inoperative and requiring you to reboot the system.

RAM cache maximum size (CR59037)
Using a zero value for the size of the RAM cache (0) erroneously disables the RAM Cache feature altogether. In previous versions, the system treated a zero value as an unlimited RAM cache size. This is no longer the case for BIG-IP version 9.2 systems.

Illegal character in URL for OCSP responder configuration (CR59277)
You cannot use a tilde character (~) in the URL box on the New OCSP Responder screen of the Configuration utility. To work around this problem, you can use the %7E escape character.

Profile configurations in the bigip.conf file (CR59279)
Changes that you manually make to profile configurations in the bigip.conf file do not take effect until you issue a bigstart restart command.

Configuration utility options for Application Accelerator product (CR59307)
When you are using the Application Accelerator product, the Configuration utility displays certain profile and virtual-server types that are not valid for that product. If you select any of those types, the system displays an error message.

Output of bigpipe trunk command (CR59393)
If you have a trunk between two BIG-IP systems, and you stop the lacpd service on one system and disable link aggregation on the other system but retain the link, and then restart the lacpd service on the first system, when you type a b trunk show all command, the system erroneously reports that the links are still aggregated.

HTTP header processing of multiple returns (CR59893)
An HTTP header value that contains one or more extra \r return characters before the terminating \r\n return/line-end causes a truncated header block to be sent through, which halts the connection until idle timeout. Although this construction is acceptable according to the Requests for Comments (RFCs), RFC 822 in particular, occurrences of the construction are rare in typical usage.

Rate of alert messages (CR59902)
When a stress-related Packet Velocity™ ASIC (PVA) failure occurs, the system sends alert messages at a rate of over 200 entries per second. In this context, a stress-related failure would be a BIG-IP 6800 with 16 virtual servers configured with FastL4 profiles, each with HTTP-monitored pools of 6 nodes, processing 80 kb connections per second.

Accumulate command in iRules (CR59977)
A typo on the DevCentral wiki page makes the example iRule that uses the accumulate command unusable. Although the accumulate command is supported in all versions of the software, you need to move the accumulate command above the point where you are checking the HTTP payload in a rule. For an example of a working iRule containing the accumulate command, see the workaround Using the accumulate command in an iRule.

OSPF packets to host are subject to SNAT (CR60096)
The system erroneously applies Secure Network Address Translation (SNAT) to Open Shortest Path First (OSPF) packets forwarded to the host. Even if there are no active SNAT definitions, the default multicast listeners that are used to deliver OSPF packets to the host are not reconfigured after SNAT is removed from the running configuration. You can reconfigure the OSPF-related listeners by running the bigstart restart tmm command or rebooting the system.

Results always show expiration time of 0 (CR60325)
When a server response contains an Expires date, ramcache makes a new request to the server only after that date has passed. However, the results of running the b profile http myhttp ramcache dump command always show an expiration time of 0.

VLAN group properties from Self IP screen (CR60593)
On the Self IP screen, when you click a VLAN group link in the VLAN column, the system presents the following error: An error has occurred while trying to process your request. To get the properties of a VLAN group, navigate to the VLAN Groups List on the VLANs screen under the Network item, and click the name of the VLAN group whose properties you want to view.

Alert system use (CR60829)
The alert system that controls the Alarm LED and triggers SNMP traps is not supported in this release. However, you can modify the syslog-ng.conf file to work around the problem. For information, see the workaround Creating an alert system that controls the Alarm LED and triggers SNMP traps.

Media types after upgrade (CR60857)
Four media types no longer exist after upgrade to 9.2.x. Because of these changes, the bigip_base.conf fails to load after upgrade. To remedy this situation, you must manually change the associated interface entries in the bigip_base.conf file. Here is the list of old media to new media conversions:

Old media type | New media type
1000baseFX     | 1000baseSX
1000baseTX     | 1000baseT
10000baseTX    | 10GbaseT
10000baseFX    | 10GbaseT

VLAN failsafe feature and ARP for non-local nodes (CR60924)
The VLAN failsafe operation should send an Address Resolution Protocol (ARP) message for directly attached nodes and gateways only. However, it also sends an ARP message for non-local nodes. The erroneous ARP message should have no harmful effects because the remote node does not respond.

Stale virtual address when changing virtual server address (CR61110)
When you change an existing network virtual address from a specific one to the general (for example, changing to any:any or 0.0.0.0/0.0.0.0), the process does not remove the previously configured address. The problem with network virtual addresses is that they respond to Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) requests, so having stale network virtual addresses could cause problems, or at least result in unexpected behavior. To work around this problem, remove the out-of-date virtual address by navigating to the Virtual Address List tab from the Virtual Servers screen under Local Traffic, or remove the stale address from the bigip.conf file, and type b load at the command line.

3400 halt after power loss when using LCD to boot up (CR61356)
If you power up the BIG-IP 3400 using the LCD, and then experience a loss of power, the system halts at the LCD, waiting for user interaction.

HTTP-based authentication timeout resets connection after 300 seconds (CR61385)
For HTTP-based authentication methods (LDAP, RADIUS, TACACS), even though a connection is active, the system resets the connection when no HTTP request is received within the authentication timeout interval. Because long-lived HTTP connections probably include multiple HTTP requests, each resetting the authentication session idle timer, you may not encounter this problem. However, you can increase the auth session idle timeout value to eliminate the issue.

Converting deprecated interface media none to disable (CR61454)
Prior to 9.2, you could configure an interface as media none in bigip_base.conf. Support for this configuration was removed in 9.2. However, no allowance was made for such a configuration being present when upgrading from 9.1.x. To work around this issue, before you upgrade to 9.2.5, set Requested Media to None, or manually add an entry to the bigip_base.conf file, and reload the configuration.

RADIUS monitor and user passwords longer than 20 characters (CR61765)
The RADIUS monitor takes several items of configuration data and converts them into RADIUS protocol attributes. One of those items is the user password. The RADIUS monitor on the BIG-IP system expects the user password to be less than or equal to 16 characters, but the RFC allows for a maximum of 128. If you use more than 20 characters, the monitor does not work. For this release, do not configure a RADIUS monitor that has a long user password.
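How the User-Password attribute is built for passwords longer than one 16-octet block under RFC 2865, as an added example (not the BIG-IP monitor's code). The function names, shared secret and request authenticator are constructed for the illustration.

```python
"""RFC 2865 User-Password hiding, including the multi-block case."""
import hashlib

BLOCK = 16           # the password is processed in 16-octet blocks
MAX_PASSWORD = 128   # longest password the RFC allows
USER_PASSWORD = 2    # attribute type number

# Constructed sample values.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Pad with NULs to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous), where 'previous' is the request authenticator
    for the first block and the preceding ciphertext block afterwards."""
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    if len(password) > MAX_PASSWORD:
        raise ValueError("password longer than 128 octets")
    padded_len = max(BLOCK, -(-len(password) // BLOCK) * BLOCK)
    padded = password.ljust(padded_len, b"\x00")
    hidden = b""
    previous = authenticator
    for offset in range(0, padded_len, BLOCK):
        mask = hashlib.md5(secret + previous).digest()
        previous = xor_bytes(padded[offset:offset + BLOCK], mask)
        hidden += previous
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password."""
    if len(hidden) % BLOCK or not BLOCK <= len(hidden) <= MAX_PASSWORD:
        raise ValueError("hidden value must be 16..128 octets in 16-octet steps")
    clear = b""
    previous = authenticator
    for offset in range(0, len(hidden), BLOCK):
        block = hidden[offset:offset + BLOCK]
        clear += xor_bytes(block, hashlib.md5(secret + previous).digest())
        previous = block
    return clear.rstrip(b"\x00")


def user_password_attribute(password, secret, authenticator):
    """Encode the full attribute: type, length, hidden value."""
    value = hide_password(password, secret, authenticator)
    return bytes([USER_PASSWORD, 2 + len(value)]) + value


if __name__ == "__main__":
    for length in (8, 16, 17, 21, 128):
        attr = user_password_attribute(b"p" * length, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
        print(length, "characters ->", len(attr) - 2, "hidden octets")
```

A 16-character password fits in one block, while a 21-character password needs a second block chained from the first, which is the case a monitor limited to short passwords does not cover.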

Virtual address ARP disable->enable configuration load problem (CR61790)
When the virtual address is set to arp enable, the system removes it from bigip.conf. This is correct behavior, since arp enable is the default. However, there is a validation problem when reloading, and the system does not clear out the old virtual address configuration. To work around this problem, you can manually add the following line to the bigip.conf file, and then run the b load command.
   virtual address 1.2.3.4 {
      arp enable
   }

System deletion of DNS server variables (CR61834)
When you use the browser-based interface to remove all servers from the DNS Lookup Server List on the DNS screen, available on the Device screen under the System item, you cannot then use the command line to add DNS servers. To work around this situation, use the browser-based interface to add DNS servers.

Traffic on transparent ICMP monitors and virtual servers whose destination addresses match (CR61838)
An ICMP monitor configured as transparent does not send monitor traffic if the virtual server's destination address matches the destination of the transparent monitor. There are several workarounds:

  • If the service is not HTTPS, you can use the transparent monitor associated with the pool member, instead of the transparent ICMP monitor.
  • You can remove the virtual server configuration.
  • You can disable the Transparent setting in the ICMP monitor configuration.
  • You can disable the virtual server on the VLAN on which the monitor traffic is routed or passed.

HTTP fallback host use with nodes that are available (CR61942)
The HTTP profile uses the specified fallback host even when nodes are available, if Reselect is specified for the Action On Service Down setting for the pool. This can occur if persistence or node priority is configured and the target node stops responding, but the state change has not yet been detected by the monitor, or when there is no monitor. For an iRule you can use to work around this situation, see the workaround Controlling fallback with an iRule.

TCP and UDP port iRule commands on Performance (Layer 4) virtual servers (CR61947)
On virtual servers configured as Performance (Layer 4) types, running the TCP::local_port command on the client side should give you the destination port of the inbound packet, and on the server side, running the same command should give you the source port of the outbound packet. However, in this release the TCP::local_port is constrained to virtual servers configured as Performance (HTTP) and Standard type.

ICMP monitor use of ICMP IDs for multiple requests (CR61990)
In environments where the nodes are behind additional gateway router hops, the BIG-IP system may keep sending an existing ICMP monitor connection through a downed gateway. This causes service outages even when the gateway has already failed over. The reason the ICMP connection persists through the same next-hop address, even though the gateway pool member to that next-hop address has been disabled, is that the ICMP traffic sent from the Linux operating system is matched by the same connection, so it reuses the next-hop address entry until it times out. You can work around this problem by running the b conn all delete command. That causes the ICMP request and reply to be reestablished, so all nodes reflect the correct state.

ZebOS.conf inclusion in ConfigSync operations (CR62069)
By default, the ZebOS.conf file is included in ConfigSync operations, synchronizing the configuration from one unit in a redundant system to another. Because the ZebOS.conf file often contains unit-specific information, such as host name and router IDs, you might prefer not to synchronize the information from this file. You can exclude this file from the .ucs archive, which prevents the file from being included in a ConfigSync operation. For more information, see SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive.

VLAN group and traffic forwarding (CR62075)
The system is not VLAN-aware when detecting a port collision. Lack of VLAN awareness leads to false positives on flow collisions, resulting in connections being refused. This is especially a problem with traffic that flows through the system twice with loose initiation enabled. You can work around this problem by creating four virtual servers to handle bi-directional traffic (that is, flows originating from both internal networks). Create two virtual servers to handle outbound traffic from one internal network to the other (through the firewall) using pool-based network wildcard virtual servers enabled only on the ingress VLANs, and two to handle traffic from the firewall to internal networks through network wildcard IP forwarding virtual servers enabled only on ingress VLANs.

OneConnect profile properties maximum size label (CR62381)
In the properties of the OneConnect™ profile, the Maximum Size setting is displayed with the unit bytes, instead of connections. The actual value is in connections. This is a field-labeling error only; the data is actually reported in bytes.

SNAT mirroring when connections handled by another virtual server (CR62394)
In a way, SNATs are actually wildcard forwarding virtual servers that are active only for traffic sourced from certain addresses. However, the forwarding part of SNAT has very low priority, so as soon as there is any other virtual server matching the flow, SNATs turn into pure address manipulation, and all flows are created and managed by the virtual server matched based on destination (or VLAN). Since the forwarding virtual server might not have mirroring turned on, no flows are mirrored. To work around this situation, you must create a SNAT specifically for traffic that you want mirrored (using the origin and mask). You must then create a forwarding virtual server whose traffic does not match the SNAT (using destination address, or enabled on VLAN setting, or iRule), and turn on mirroring there.

Streaming HTTP data and the deflate operation (CR62558)
The dispatch_buffer_size for the deflate operation is causing streaming HTTP data to get stuck in the precompression buffer without being dispatched to the compression device. The deflate operation waits until either it receives the specified amount of data, or the response is finished. If this takes as long as the client's idle_timeout, the system resets both sides of the connection without any data making its way to the client. For an example iRule you can use to work around this situation, see the workaround Using an iRule to prevent connection reset when the deflate operation times out.

HTTP redirect_rewrite and long destination addresses (CR62828)
The system stops processing an HTTPS connection when rewrites are enabled and the server sends a long destination URI. In this case, "long" is a URI approaching 1500 bytes. To work around this problem, disable the Redirect Rewrite setting in the HTTP profile. For an example of how to do this if you are rewriting HTTP-to-HTTPS addresses, see the workaround Rewriting long URIs in HTTP-to-HTTPS addresses.

Reboot cycle using minimum active member as fail-safe action (CR63132)
Setting a minimum number of pool members that must be available as fail-safe action can result in a reboot cycle. When you configure a gateway fail-safe action that uses the Threshold setting of a minimum number of available pool members, the system may initiate the action right after boot up, before the monitors have had a chance to engage all the nodes. Because the system detects an insufficient number of members, this results in immediate fail-safe action. If the Action you configure is Reboot, this can put the box into an endless reboot cycle. To avoid this situation, do not configure these two settings together.

No support for Cache-Control: no-cache (CR63732)
Currently, the system honors the Pragma: no-cache client header command, but there is no support for Cache-Control: no-cache. In most cases, the client sends both of these headers. If you experience this problem, you can use an iRule to work around it. For the example iRule, see the workaround Using an iRule to support the Cache-Control: no-cache client header command.

LACP-enabled trunk on the 2.x links on BIG-IP 5100, 2400, and 1000 fails to aggregate (CR63734)
An LACP-enabled trunk on the 2.x links on BIG-IP 5100, 2400, and 1000 fails to aggregate. This is only applicable to 2.x interfaces, which are fiber ports.

Pool member status changes do not get logged to /var/log/ltm if mcpd log = debug (CR63829)
When the MCPD log is set to debug, the system does not write monitor status change messages to the /var/log/ltm file. To remedy this situation, turn off debug logging for MCPD. Also turn off debug logging because it can fill up your disk. To change the setting, run the following command at the command line:
   b db Log.Mcpd.Level notice

ConfigSync intermittently fails, producing errors (CR63860)
Sometimes, when the system attempts a ConfigSync operation, the system receives a null response after issuing the command. This can happen for various reasons: for example, trying to initiate a ConfigSync operation to an IP address with no physical device attached. Although the operation fails, the system does not present an error message at the command line. In the browser-based interface, the system presents the message: Error executing shell command. However, because subsequent operations expect content on the screen instead of a message, the error condition causes the ConfigSync operation to fail. This condition occurs very intermittently; there is no reliable set of steps that reproduce the problem. You can work around this issue by running the ConfigSync command from the command line.

Redirect rewrite of host (CR64136)
Although ASM never changes a server response, the BIG-IP system should, but does not, rewrite the location header when ASM is enabled. You can use an iRule to work around this condition. Before using the iRule, make sure you disable rewrite redirect in the HTTP profile by selecting None in the Redirect Rewrite list. You can rewrite the location header for an HTTP_RESPONSE event with an iRule. For an example of an iRule you can use, see the workaround Rewriting the location header when ASM is enabled.

Pool member iRule command failure with member down (CR64173)
If a monitor has marked a specific pool member down, and that member is specified with a port number in a pool member iRule command, then the connection is directed to another node. If no port number is specified, then the connection is not directed to that node, and the system reports an LB_FAILED event. To work around this issue, always specify a port number.

User accounts added on command line and modified in browser (CR65041)
User accounts added using the adduser command (or equivalent) are missing a necessary bit of configuration stored in BigDB.dat (user.name.<username>). You can view the added user account in the browser-based interface, though the user account is marked disabled. If you then attempt to change the new user account's role, the system presents a search-failed error. Subsequent manipulation of the user account eventually results in restarting the system. To work around this issue, add user accounts using the browser-based Configuration utility.

System response to ICMP echo requests after 20 days (CR65177)
Occasionally, the system may stop responding to ICMP echo requests. The problem occurs only when more than 20 days pass between ping operations to the system's self IP addresses. To prevent this problem, perform a ping operation on the system's self IP addresses every few days. If the system has already stopped responding, restarting the Traffic Management Microkernel (TMM) process returns the system to normal operation. To restart TMM, run the bigstart restart tmm command on the command line.

Application security with wildcard virtual servers and pools (CR65341, CR66193)
If you configure a wildcard virtual server (* All Ports) or a wildcard pool (* All Services), and you are using an application security class on the virtual server, you must enable the port translation and address translation settings on the virtual server. If you do not enable these settings, the system does not properly route traffic through the Application Security Manager (ASM). To enable port translation and address translation for a virtual server, see the workaround, Enabling port translation and address translation.

Note: For more information about wildcard virtual servers and wildcard pools, refer to the Configuration Guide for Local Traffic Management, which is available on the Ask F5 web site.

FastHTTP profile and SYN packets with ECN and CWR TCP flags set (CR66194)
A FastHTTP profile drops the Synchronize (SYN) segments that have both the Explicit Congestion Notification-Echo (ECE) and Congestion Window Reduced (CWR) TCP flags set. Although there is no specific requirement that FastHTTP profiles support ECN (or CWR), the system should not drop packets received with the flags set. In this release, there is no workaround for this issue.

TMM and HTTP::redirect/respond commands in LB_SELECTED event (CR66199)
Calling the HTTP::redirect/respond command in the LB_SELECTED event can cause Traffic Management Microkernel (TMM) to restart, because the TCP proxy does not expect the client-side connection to be reset while the proxy is in the middle of making the connection to the server. The recurring restart is due to the use of the HTTP::redirect command within an LB_SELECTED event in an iRule. To prevent this situation, do not call the HTTP::redirect or HTTP::respond command in an LB_SELECTED event in an iRule.

Active/inactive status difference in 9.x and 4.x (CR66317)
In version 4.x, the output from the b pool show command showed the active or inactive status of a pool member based on priority and minimum active members, among other things. On version 9.x, even if a pool member is inactive due to its priority, the b pool show command displays it as active, which is not what version 4.x does. This is incorrect behavior. A node should be shown as active if all of the following conditions are met:

  • The node is enabled.
  • Monitoring shows that the node is healthy.
  • Traffic on the node is below its connection limit.
  • The node has high enough priority based on its number of active members.

SNMP agent and application context query without name (CR66454)
The SNMP query for application context status does not contain an application name. This problem occurs when you define gtm_application. This results in an error message being logged in the /var/log/gtm log file.

b config save <filename> command and load conditions (CR66502)
Running the b config save <filename> command can cause the failover heartbeat to fail, if the system is simultaneously experiencing high load conditions. The heartbeats are missed while the save is occurring. To work around this, you can change the timeout and retry settings.

HTTP::disable command and server responses (CR66569)
The HTTP::disable command logic assumes that the HTTP::disable command is always called with a client-side connection flow. This is incorrect, and can cause problems that lead to the system not passing the server response back to the client after the HTTP::disable command has been called on a connection. To work around this issue, when you are calling from the server side, use the client-side { HTTP::disable } command.

Fallback redirect after RST packet from server (CR66570)
If you configure a fallback host in the HTTP profile, and the BIG-IP system receives an RST packet from the server after the server-side connection is established, but before the BIG-IP system receives a complete response header, the BIG-IP system sends the client a fallback redirect. The BIG-IP system does not issue an LB_FAILED event prior to this, unlike other fallback redirects. In contrast, if the BIG-IP system receives a FIN packet from the server during that same window, the BIG-IP system passes it through, and closes the client-side connection without sending any redirect. Correct behavior after receiving an RST packet from the server in this window is to similarly pass the RST packet through to the client, rather than sending a redirect. You can use an iRule to work around this issue. For an example of an iRule you can use, see the workaround Using an iRule to manage fallback redirection after receiving a reset packet.

jar_cache files filling up /var directory (CR66759)
In some cases, the system creates jar_cache files that accumulate in the /var/cache/tomcat4/temp/ directory. This may be a side effect of the Java Virtual Machine (JVM) being halted in an unclean state. To work around this situation, you can manually delete the files periodically.

Timeout getting disk information (CR66856)
When the system uses a monitor to get disk information on a Windows® 2003 server, the system sometimes prematurely returns errors to the client. This is because of a too-short timeout for getting disk information. You can work around this problem by setting a longer default timeout when querying for disk info.

System report of pool member or node status when using multiple monitors (CR66918)
When multiple monitors are used, the system posts a misleading change status/log message for a pool member. When the first instance is set to up and the monitor rule is evaluated, the pool member is still considered down because the message for the second monitor instance has not yet marked it up. As a result, the system issues a log message that indicates that the pool member or node is down. You can ignore this message. As soon as the second monitor instance message arrives, the pool member is marked up.

Management IP for ConfigSync and state-mirroring (CR67009)
The log message regarding the use of the Management port for state-mirroring should say: WARNING: use of the management port for state-mirroring traffic may severely impact state-mirror functionality!

Changes to monitors after adding and deleting different types (CR67063)
The system does not properly display service member changes in cases where you specify one type of health monitor, delete it and assign another, receive an error message, and then restore the original type of health monitor. You can check for the correct type using the b list show command. You can correct this issue by issuing a b load command on the command line.

Effect of enabling ARP on NAT after it was disabled (CR67095)
A NAT that was successfully responding to an Address Resolution Protocol (ARP) request no longer responds after you disable and then re-enable ARP settings. To work around this issue, delete the NAT and set it up again, or enable NAT on a specific VLAN.

Existing connection-pool flow and new client event masks (CR67171)
If the client-side iRule event handler disables event handlers when the server-side connection pool selects the existing flow, the reused server-side flow does not inherit the client-side event mask, so disabled handlers can fire inexplicably on the server-side.

Support for pool name "gateway" (CR67312)
You can create a pool named gateway. You can then use the newly created pool to specify a route. However, running the b load command on the command line then fails. If the system is configured as a redundant system, the ConfigSync operation also fails with syntax errors. To work around this issue, do not create a pool named gateway.

Response to HTTPD mod_rewrite module vulnerability (CR67501)
All BIG-IP 9.1.x and v9.2.x software versions ship with Apache's mod_rewrite module, which contains an issue that a remote attacker might be able to exploit to run arbitrary code in some circumstances. In order to exploit the vulnerability, the system must have mod_rewrite configured and enabled in the configuration. On BIG-IP systems, however, the mod_rewrite module is not enabled, so BIG-IP systems are not open to the vulnerability at this time.

Redirect rewrite with non-standard port (CR67505)
When you set an HTTP profile's Redirect Rewrite setting to All, if the HTTPS virtual server is running on a non-standard port, that port is not inserted into the rewritten location URL. The node sends an HTTP redirect whose URL uses the node's IP address. On the client side, the redirect URL is translated to HTTPS protocol and the virtual server's IP address, but no port is present. You can use an iRule to work around this. For an example of an iRule you can use to work around this situation, see the workaround Rewriting the redirect address when using a non-standard port.

Authentication module and LDAP referral (CR67721)
Authentication uses OpenLDAP to connect to the LDAP server. The BIG-IP system is using version 2.0.27, in which there is no application argument for the rebind_proc callback function. This causes problems in multi-threaded scenarios. Resolving this issue requires a later version of the OpenLDAP library or a patch to correct 2.0.27, and an updated version of the BIG-IP software.

Running bp load when interface disabled (CR67811)
If you run a bigpipe load command while an interface is disabled, the disabled interface goes down. The problem is that the process sets the media type incorrectly. You can issue the command b interface xxx media auto to fix the interface, or you can issue a bigstart restart command to re-enable the interface.

SNAT statistics report (CR67871)
When two SNATs have overlapping origin lists, the more specific SNAT correctly translates the traffic. However, both the general SNAT and specific SNAT increment their statistics, indicating that both SNATs handled the connection, which is incorrect.

HTTP 404 response and Content-Length requirement (CR68238)
The system delays passing on a server's HTTP response to a HEAD request if the response is HTTP 404 and indicates no Content-Length. The system does not forward the server response on to the client until the server or client closes the connection.

LACP warning when timeouts are short (CR68424)
In LACP short mode on external trunks, the default 1.5 second timeout results in warning messages. One lost packet or an accumulated roundtrip delay of .5 seconds causes the warning.

LB_FAILED event when using Fast L4 profiles (CR68583)
During the LB_FAILED event, the system does not return any information from the LB::server call when using Fast L4 profiles. There is no workaround for this situation in this release.

Adding static Layer 2 forwarding database entries to a trunk (CR68584)
The syntax of adding a static Layer 2 forwarding database entry on a trunk is slightly different from adding a static Layer 2 forwarding database entry to a VLAN. You can run the following command to add or delete a static Layer 2 forwarding database entry on the trunk:
   b vlan <vlan_name> fdb <mac_address> trunk <trunk_name> add|delete
For example:
   b vlan coppervlan2 fdb 00:E0:81:25:3A:32 trunk coppertrunk2 add

You can run the following command to add or delete a static Layer 2 forwarding database entry on a VLAN interface:
   b vlan <vlan_name> fdb <mac_address> interface <interface_name> add|delete
For example:
   b vlan external fdb 00:E0:81:25:3A:31 interface 2.1 add

STP in pass-through mode on BIG-IP models 1000, 2400, and 5100 (CR68803)
Using spanning tree protocol (STP) in pass-through mode on a BIG-IP model 1000, 2400, or 5100 could cause a bridging loop. The BIG-IP model 1000, 2400, or 5100 forwards the bridge protocol data unit (BPDU) with a VLAN tag, even if you do not have tags enabled on the interfaces. If the Layer 2 switch is not looking for tagged frames, it discards the BPDUs, and a bridging loop is created. You can work around this problem by enabling 802.1q VLAN tags on the Layer 2 switch so it does not discard the BPDUs that the BIG-IP systems send with tags. This only occurs on BIG-IP model 1000, 2400, or 5100.

iRule command use in Fast HTTP profiles (CR69212)
When using Fast HTTP profiles, you can use an iRule to select a pool but not a pool member.

Duplicate keys inside the FIPS card (CR69385)
If you rename .exp files (the exported keys) to a different name and reimport them, the system creates duplicate keys inside the FIPS card. To work around this issue, do not rename and reimport exported key files.

ConfigSync status on out of sync pair (CR69389)
After making a change to one system and performing a ConfigSync to the second system, the first system immediately notes that something has changed on the second system, and recommends that they be synchronized. This is because of a timing issue when receiving update information.

Chassis power supply message (CR69611)
On systems with dual power supplies that are not turned on or plugged in, the system reports the message Chassis power supply 101: status (0) is bad. This is incorrect. The system should report that the power supply is not turned on or not connected to power.

Configuration load when configuration contains VLAN named failover (CR69663)
You can create a VLAN named failover, but loading the configuration fails. This prevents the system from booting up. To work around this issue, do not use the name failover for a VLAN.

Note: You can find more information about reserved words in SOL3653: Reserved words that should not be used in BIG-IP system configurations.
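
The two naming problems described in this list (a pool named gateway, CR67312, and a VLAN named failover, CR69663) can be caught before a b load or ConfigSync with a scan of the configuration text. The following is an added example, not F5 code; the function names, the sample configuration, and the assumption that an object definition opens with "<type> <name> {" on one line are all constructed for illustration.

```shell
#!/bin/bash
# Added example: pre-flight check for the two reserved object names this
# release note warns about (pool "gateway", CR67312; VLAN "failover", CR69663).

# "<object type>:<name>" pairs, taken only from the known issues above.
RESERVED="pool:gateway vlan:failover"

# find_reserved_names FILE...
# Prints one line per offending stanza header and returns 1 if any were
# found, 0 if the files are clean.
# Assumption: an object definition opens with "<type> <name> {" on one line.
find_reserved_names() {
    awk -v reserved="$RESERVED" '
        BEGIN {
            n = split(reserved, pairs, " ")
            for (i = 1; i <= n; i++) bad[pairs[i]] = 1
        }
        /^[ \t]*#/ { next }    # skip comment lines
        # Flag definitions only: a reference such as "pool gateway" inside
        # another stanza has no opening brace and is not the root cause.
        NF == 3 && $3 == "{" && (($1 ":" $2) in bad) {
            printf "%s:%d: %s named \"%s\"\n", FILENAME, FNR, $1, $2
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Writes a constructed sample configuration to the path given as $1.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample configuration, not taken from a real system
vlan internal {
   tag 4094
   interfaces 1.1
}
vlan failover {
   tag 4093
   interfaces 1.2
}
pool web_pool {
   member 10.1.1.10:80
}
pool gateway {
   member 10.1.1.254:0
}
virtual vs_web {
   destination 10.2.2.10:80
   pool gateway
}
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_config "$sample"
if ! find_reserved_names "$sample"; then
    echo "Rename these objects before running b load or ConfigSync."
fi
rm -f "$sample"
```

To cover further reserved words, add more "<type>:<name>" pairs to RESERVED.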

VLAN removed from STP instance zero (CR69726)
When you set up Multiple Spanning Tree protocol (MSTP), by default all VLANs exist in instance 0. If you remove a VLAN from the instance and then issue a b base load command, the removed VLAN returns. This is by design, so that users do not have to explicitly add all their VLANs and interfaces when they turn on STP. You can work around this by disabling interface STP on specific ports to limit outgoing STP traffic.

Handling of 2007 changes in time zones for Edmonton and Vancouver (CR69967)
Starting in 2007, Daylight Saving Time in North America starts three weeks earlier and ends one week later than it did in 2006. Although this version of the software supports the change in the Toronto and Montreal time zones, it has not been updated to support the change in the Edmonton and Vancouver time zones.

ICMP unreachable not matching existing flow (CR70084)
If you configure a forwarding virtual server and select Immediate in the Idle Timeout list, disable Reset on Timeout, and enable Loose Close in the profile (to close a loosely-initiated connection when the system receives the first FIN packet from either the client or the server), the BIG-IP system drops ICMP port unreachable messages from a node. This configuration causes immediate flow removal, so when an ICMP packet arrives after the flow has been removed, it is dropped. To work around this issue, you can configure a nonimmediate timeout value, which permits the ICMP messages to pass.

iRule returning partial hash values (CR70114)
Certain types of data cause the iRule function sha1 to return only 18 or 19 bytes of the correct 20-byte value. This is because the hash function uses Tcl byte arrays instead of Tcl strings.

9.1.x hotfixes and 9.2.x hotfixes that Global Traffic Manager installed (CR70143)
A hotfix installed on a 9.1.x Local Traffic Manager-licensed BIG-IP system can overwrite a 9.2.x hotfix that was installed by a Global Traffic Manager-licensed BIG-IP. This results in the Global Traffic Manager marking the Local Traffic Manager down after it loses its iQuery connection. A workaround is to rerun big3d_install on the Global Traffic Manager unit after the upgrade.

System restart and loss of connection to MCPD (CR70229)
Infrequently, the BIGD health monitor service loses its connection to the Master Control Program (MCPD) and restarts itself to re-establish the connection.

ARP requests from 127.0.0.1 for named requests (CR70245)
For more information about this issue, see SOL7246: Known Issue: ARP requests are sent with the incorrect source IP address of 127.0.0.1.

Performance with SSL session pool priming (CR70479)
In this release, the system creates up to 64 slots of session IDs for reuse to a particular remote IP-remote port combination, and randomly chooses a slot for use. Over time, the system fills all of the slots, and the probability of matching a session ID increases. Allowing a varying number of slots, from 1 to 64, varies the probability of finding an unused slot. Since improved reuse noticeably changes timing within the system, this may expose an existing issue that is seldom triggered otherwise. To work around this problem, you can disable the Limited Transmit Recovery option in the TCP profile.

Running ZebOS with other routing protocol (CR70609)
The ZebOS® Network Services Module (NSM) daemon can halt unexpectedly while trying to delete a route from its internal database. This problem occurs in configurations that are running Open Shortest Path First (OSPF) together with another routing protocol, for example, Routing Information Protocol (RIP) or Border Gateway Protocol (BGP). The problem is not unique to BIG-IP systems or platform adaptation. Although the problem is configuration- and timing-dependent, there is no way to prevent the problem other than not using the affected configuration.

Persist cookie insert behavior change (CR70660)
In previous releases, specifying an expiration of 0d 00:00:00 used session cookies for cookie persistence. In this release, specifying 0d 00:00:00 results in the system using the default persistence timeout of 180 seconds. To avoid this problem, manually set an expiration time.

Modifying heartbeat failure and rebooting (CR70927)
Rebooting the system removes a heartbeat-failure setting you may have modified using the browser-based interface. To work around this issue, use the command line to specify the heartbeat failure setting.

Delete of pool assigned to an HTTP class (CR71478)
The system does not warn or stop you from deleting a pool that is assigned to an HTTP class, even if the HTTP class is assigned to a virtual server. After you delete the pool, the system shows None as the pool property of the HTTP class. Upon deletion of the pool, any traffic that could pass through the HTTP class does not pass. If you then create a new pool of the same name (with members), the system automatically uses this pool for the pool property of the HTTP class, and the traffic passes as if you never deleted the pool.


Workarounds for known issues

This section describes the workarounds for the corresponding known issues listed in the previous section.

Using the accumulate command in an iRule (CR59977)

This workaround describes how to use the accumulate command in an iRule. For information about the known issue, see Accumulate command in an iRule.
      when HTTP_REQUEST {
         # Tcl requires elseif and else on the same line as the preceding closing brace
         if { [HTTP::payload] contains "ABC" } {
            pool web_pool
         } elseif { [HTTP::collect] < 20 } {
            accumulate
         } else {
            discard
         }
      }

Creating an alert system that controls the Alarm LED and triggers SNMP traps (CR60829)

This workaround describes how to create an alert system that controls the Alarm LED and triggers SNMP traps. For information about the known issue, see Alert system use.

  1. Add the following entries to /etc/syslog-ng/syslog-ng.conf:

    # *.*          |/var/run/alert.pipe
    destination d_alertd {
       pipe("/var/run/alert.pipe");
    };

    log {
       source(local);
       destination(d_alertd);
       flags(catchall); #ignore the source, catch all messages
    };

     
  2. Restart syslog-ng by typing the following command:
    /etc/init.d/syslog-ng restart
     
  3. If you plan to use SNMP traps, configure the SNMP trap destination to receive traps.
     
  4. Restart alertd by typing the following command:
    bigstart restart alertd

Controlling fallback with an iRule (CR61942)

This workaround contains a sample iRule you can use to control fallback in situations in which there are still available nodes. For information about the known issue, see HTTP fallback host use with nodes that are available.

   rule my_lb_failed {
     when LB_FAILED {
       if { [active_members [LB::server pool]] != 0 } {
         ## As long as there are still active_members, we don't need to do the fallback.
       } else {
         ## Pool has no active members, according to monitors. Let's fallback
         HTTP::fallback "http://www.f5.com/index.html"
       }
     }
   }

Using an iRule to prevent connection reset when the deflate operation times out (CR62558)

This workaround describes how to use an iRule to prevent connection reset when the deflate operation times out. For information about the known issue, see Streaming HTTP data and the deflate operation.

   rule compression_rule {
     when HTTP_RESPONSE {
       COMPRESS::nodelay enable
     }
   }

Rewriting long URIs in HTTP-to-HTTPS addresses (CR62828)

This workaround describes how to rewrite long URIs in HTTP-to-HTTPS addresses. For information about the known issue, see HTTP redirect_rewrite and long destination addresses.

   rule do_redirection_rewrite {
     when HTTP_RESPONSE {
       if {[HTTP::status] == 302} {
         set location [HTTP::header Location]
         # Rewrite only when the Location value begins with the http: scheme
         if {$location starts_with "http:"} {
           # "http:" occupies indices 0 through 4
           set location [string replace $location 0 4 "https:"]
           HTTP::header replace Location $location
         }
       }
     }
   }

Using an iRule to support the Cache-Control: no-cache client header command (CR63732)

This workaround describes how to use an iRule to support the Cache-Control: no-cache client header command. For information about the known issue, see No support for Cache-Control: no-cache.

   rule no-cache {
     when HTTP_REQUEST {
       # Bypass the cache when the client sends Cache-Control: no-cache
       if {[HTTP::header Cache-Control] equals "no-cache"} {
         CACHE::disable
       }
     }
   }

Rewriting the location header when ASM is enabled (CR64136)

This workaround describes how to rewrite the location header when ASM is enabled. For information about the known issue, see Redirect rewrite of host.

To use this iRule, at a minimum you need to modify the following line to match your setup:

   set ::redirect_rewrite [list "http://172.16.0.10 https://172.16.0.123" "http://172.16.0.222 https://172.16.0.123"]

Here is the example iRule you can use:

  rule redirect_rewrite {
  when RULE_INIT {
  # Replace with your redirect url,
  # syntax [list "a b"] , server redirect url "a" is rewritten to "b"
    set ::redirect_rewrite [list "http://172.16.0.10 https://172.16.0.123" "http://172.16.0.222 https://172.16.0.123"]
  }
  when HTTP_REQUEST {
    set host [HTTP::host];
  }
  when HTTP_RESPONSE {
    if { [HTTP::status] starts_with "3" } {
        set location [HTTP::header "Location"];
        if { $location == "" } {
          return;
        }
    } else {
        return;
    }

    log LOCAL0.debug "Location: $location (check for rewrites)";

    foreach x $::redirect_rewrite {
      set a [getfield $x " " 1];
      log LOCAL0.debug " ? starts_with '$a' ... ";
      if { $location starts_with $a } {
        set b [getfield $x " " 2];
        log LOCAL0.debug "...yes, replace '$a' with '$b'";
        set len [string length $a];
        set tmp [substr $location $len];
    #   set location "${b}${tmp}";
        set location "https://$host$tmp"
        log LOCAL0.debug "Location: $location";
        HTTP::header replace "Location" $location;
        break;
      }
    }
  }
  }

Enabling port translation and address translation (CR65341, CR66193)

This workaround describes how to enable port translation and address translation for the virtual server, which is required if you are using the Application Security Manager (ASM) with a wildcard virtual server or a wildcard pool. For information about the known issue, see Application security with wildcard virtual servers and pools.

Note: The following task assumes you are updating an existing virtual server.

To enable port translation and address translation
  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
    The Virtual Server Properties screen opens.
  3. Above the Configuration area, click Advanced.
    The screen refreshes, and you see additional configuration options.
  4. Check the Address Translation option.
  5. Check the Port Translation option.
  6. Click the Update button.
    The system saves any changes you have made, and displays Enabled next to the Address Translation and Port Translation options.

Using an iRule to manage fallback redirection after receiving a reset packet (CR66570)

This workaround describes how to use an iRule to manage fallback redirection after receiving a reset packet from the server. For information about the known issue, see Fallback redirect after RST packet from server.

To implement this workaround, first remove the fallback host for the configured HTTP profile. Then, add the following iRule to the profile:

  when LB_FAILED {
    ## Comment out either HTTP::fallback below to silently close/abort,
    ## or uncomment to send redirect.
    if { [active_members [LB::server pool]] != 0 } {
      ## Selected a member, but connect failed or no response.
      # HTTP::fallback "http://fallback-host/try-again.txt"
    } else {
      ## Pool has no active members, according to monitors.
      HTTP::fallback "http://fallback-host/service-down.txt"
    }
  }

Within the iRule, in either case, you have two options:

  • Simply close the connection.
    Comment out the HTTP::fallback line.
    The system sends an RST packet to the client (or performs a four-way shutdown).
  • Redirect to fallback URL.
    Another problem may prevent use of the commands HTTP::redirect, HTTP::respond, or even TCP::close without complications. But using the HTTP::fallback command to set the fallback URL at run-time does not have the same issues.

We recommend closing the connection in the first case (transient failure), and redirecting to the fallback URL in the second (pool empty). Regardless of which option you select in the first case, if the selected member sends an RST packet immediately after connection establishment, the system passes that through as-is to the client, rather than passing the spurious fallback redirect. This is generally the safest behavior, which is why we recommend it.

Rewriting the redirect address when using a non-standard port (CR67505)

This workaround describes how to use an iRule to rewrite the redirect address when using a non-standard port. For information about the known issue, see Redirect rewrite with non-standard port.

  when HTTP_RESPONSE {
    if {[HTTP::header exists Location]} {
      set loc [HTTP::header value Location]
      clientside {
        set vhost [IP::local_addr]
        set vport [TCP::local_port]
      }
      set uri "https://$vhost/"
      set len [expr {[string length $uri] - 1}]
      if {$loc starts_with $uri} {
        set loc [string replace $loc $len $len ":$vport/"]
        HTTP::header replace Location $loc
      }
    }
  }
