
Release Note: BIG-IP LTM version 9.4.4 and TMOS

Software Release Date: 02/14/2008
Updated Date: 12/11/2013

Summary:

This release note documents the version 9.4.4 release of BIG-IP® Local Traffic Manager and TMOS. We recommend this general sustaining release only for those customers who want the fixes listed in New features and fixes in this release. For existing customers, you can apply the software upgrade to version 9.2.x, 9.3.x, or 9.4.x. For information about installing the software, refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 Networks software lifecycle policy, which is available in the AskF5 Knowledge Base, http://support.f5.com.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Performing a Windows hosted installation
     - Performing a USB mass storage device installation
     - Performing a local installation
     - Performing a PXE server installation
     - Performing a remote installation
     - Verifying the MD5 checksum of the installation file
     - Reactivating the license on the BIG-IP system
- New features and fixes in this release
     - New features in this release
     - Support for the ZebOS version 7.5 dynamic routing protocols
     - Fixes in this release
- Features and fixes introduced in prior releases
     - Features introduced in version 9.4.3
     - Fixes introduced in version 9.4.3
     - Features introduced in version 9.4.2
     - Fixes introduced in version 9.4.2
     - Features introduced in version 9.4.1
     - Fixes introduced in version 9.4.1
     - Features introduced in version 9.4
     - Fixes introduced in version 9.4
- Optional configuration changes
     - Using the switchboot utility
     - Configuring the database variable to disable CRL signature verification (CR75624)
- Known issues
- Workarounds for known issues
     - Swapping the tagged status of VLAN members (CR52674)
     - Configuring RAM Cache for an HTTP profile (CR54077)
     - Enabling port translation and address translation (CR65341, CR66193)
     - Adding remote users as local users (CR67912)
     - Deleting RAM Cache entries (CR72173)
     - Preventing the semicolon inserted by the HTTP::cookie insert iRule (CR73619)
- Contacting F5 Networks


User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the Ask F5 Knowledge Base web site.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 512 MB RAM (if installed as a stand-alone Local Traffic Manager or Global Traffic Manager product)
  • 768 MB RAM (if installed as a combination of BIG-IP systems, such as a Local Traffic Manager/Global Traffic Manager installation, or as a Link Controller installation)
  • 512 MB CompactFlash® media drive

Note: The 520/540 platform must meet certain requirements in order to support this version of the BIG-IP software. For more information, including memory requirements, see 520/540 Platform: Installing BIG-IP version 9.4.4.

The supported browsers for the BIG-IP Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x
  • Mozilla® Firefox®, version 1.5x and version 2.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.


Supported platforms

This release supports the following platforms:

  • BIG-IP 520 and 540 (D35). For more information, see 520/540 Platform: Installing BIG-IP version 9.4.4.
  • BIG-IP 1000 (D39)
  • BIG-IP 1500 (C36)
  • BIG-IP 2400 (D44)
  • BIG-IP 3400 (C62)
  • BIG-IP 3410 (C100)
  • BIG-IP 5100 and 5110 (D51)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)

Warning: If you plan to upgrade a system licensed for Link Controller, Global Traffic Manager, or a combination Local Traffic Manager and Global Traffic Manager system, the BIG-IP unit you intend to upgrade must have a minimum of 768 MB of RAM. Originally, the BIG-IP 1000 (D39) and BIG-IP 2400 (D44) platforms were shipped with 512 MB of memory only.

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.


Installing the software

There are several installation options to consider before you begin the version 9.4.4 software installation. Before you begin the installation process, you need to determine which installation option is appropriate: Windows® hosted, USB mass storage device, local, PXE server, or remote.

Warning: Version 4.5.x or 4.6.x installation. You cannot upgrade directly from BIG-IP version 4.x to 9.4.4. You must first upgrade to a 9.2.x or 9.3 version. For details about these installation methods, see the release notes for the associated release.

Warning: Version 9.0.x or 9.1.x installation. You cannot upgrade directly from BIG-IP versions 9.0.x through 9.1.x to 9.4.x. You must first upgrade to a 9.2.x or 9.3 version. For details about these installation methods, see the release notes for the associated release.

Warning: You can apply this upgrade only to BIG-IP version 9.2.x, 9.3, 9.3.1, or 9.4 through 9.4.3 systems.

Warning: A valid service contract is required to complete this upgrade.

Warning: You must reactivate an expired license on the BIG-IP system you intend to upgrade before you begin the installation.

Warning: Once you reactivate the license, make sure to save your configuration. The system does not roll forward unsaved portions of configurations. You can save your configuration by running the command b config save /config.ucs.

Warning: Once you save your configuration, copy the config.ucs file to a secure, remote location. The installation process overwrites the locally maintained UCS file, so you should maintain the UCS file remotely as a recovery strategy in case the upgrade does not perform as you expect.

Warning: You must turn off mirroring before you attempt to upgrade. Mirroring between units with differing versions of the BIG-IP software is not supported.

Important: You are prompted to install the software on multiple boot images if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 3410 (C100), BIG-IP 6400 (D63), BIG-IP 6800 (D68), BIG-IP 8400 (D84), and BIG-IP 8800 (D88) platforms support this functionality.

Important: The 9.4.4 installer is capable of automatically generating UCS files at install-time. Installations of 9.4.2 and later will generate UCS files if there is not one already present in the root directory as /config.ucs. In order to roll-forward a pre-9.4.2 configuration, you must manually create the /config.ucs file before starting the installation.

Important: You must perform the installation from the management interface (Management) on the BIG-IP system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.

Important: Each unit in a redundant system must be running the same version of the software.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 checksum of the installation file.

Performing a Windows hosted installation

Before performing a Windows hosted installation, read the following information.

Performing a USB mass storage device installation

Before performing a USB mass storage installation, read the following information.

Performing a local installation

Before performing a local installation, read the following information.

Performing a PXE server installation

The procedure for performing a PXE installation depends on the version of the BIG-IP system you are currently running, and whether you have the 520/540 platform.

Performing a remote installation

The procedure for performing a remote installation depends on the version of the BIG-IP system you are currently running.


Verifying the MD5 checksum of the installation file

After you download the installation file and its associated MD5 checksum file, and before you perform the installation, we recommend you test the integrity of the installation file. This verifies that you have downloaded a good copy of the file. To run the test, type the following commands, where local-install-9.4.4.65.1.im is the name of the file you downloaded, and local-install-9.4.4.65.1.im.md5 is the name of its associated MD5 checksum file.

md5sum local-install-9.4.4.65.1.im
cat local-install-9.4.4.65.1.im.md5

If the output from both commands does not exactly match, download the file again. Repeat the download process until the MD5 checksum of the downloaded file exactly matches the text string in the associated .md5 file.
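The comparison described above can be scripted so that it does not depend on reading two 32-character strings by eye. This is an added example, not part of the F5 release note: the function name verify_md5 is hypothetical, and it assumes the .md5 file carries the digest as its first whitespace-delimited field (md5sum output format or a bare digest).

```shell
#!/bin/sh
# Added example (not from the release note).
# verify_md5 FILE [MD5FILE]
#   Compares the MD5 digest of FILE with the digest stored in MD5FILE
#   (default: FILE.md5).
#   Returns 0 on match, 1 on mismatch, 2 if a file is unreadable or the
#   .md5 file does not contain a well-formed digest.
# Assumption: the digest is the first whitespace-delimited field of the
# first non-empty line of the .md5 file.

verify_md5() {
    file=$1
    sumfile=${2:-$1.md5}

    [ -r "$file" ]    || { echo "cannot read $file" >&2; return 2; }
    [ -r "$sumfile" ] || { echo "cannot read $sumfile" >&2; return 2; }

    # Normalise both digests to lower case so that a difference in hex
    # case is not reported as a corrupted download.
    expected=$(awk 'NF { print tolower($1); exit }' "$sumfile")
    actual=$(md5sum "$file" | awk '{ print tolower($1) }')

    # Reject an empty or malformed checksum file (for example, an HTML
    # error page saved under the .md5 name) rather than comparing it.
    case $expected in
        ''|*[!0-9a-f]*)
            echo "$sumfile does not contain an MD5 digest" >&2
            return 2
            ;;
    esac
    [ "${#expected}" -eq 32 ] || {
        echo "$sumfile does not contain an MD5 digest" >&2
        return 2
    }

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $sumfile"
        return 0
    fi

    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Stand-alone use, with the file name from the release note:
#   sh verify_md5.sh local-install-9.4.4.65.1.im
if [ "$#" -gt 0 ]; then
    verify_md5 "$@"
fi
```

A return value of 1 corresponds to the release note's instruction to download the file again; a return value of 2 means the checksum file itself should be downloaded again.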


Reactivating the license on the BIG-IP system

You must reactivate the license on the BIG-IP system to use some of the new features added in this release.

To reactivate the license on the system

  1. On the Main tab, expand System and click License.
    The License screen opens.
  2. Click the Reactivate button and follow the onscreen instructions to reactivate the license.
    For details about each screen, click the Help tab.

New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

This release includes the following new features.

SIP load balancing improvements
In previous versions of the BIG-IP system, load balancing of Session Initiation Protocol (SIP) traffic was handled at the Layer 4 connection. In this version, the system determines load balancing based on the Layer 7 SIP message flow.

Enhanced routing support
Support for active/standby HA configurations has been improved. BGP, RIP (version 1, 2 and NG) and IS-IS routers now automatically advertise shared self-IP addresses (if available) as next-hop addresses to peers. OSPF (v2 and v3) automatically de-prioritizes routes advertised by the standby unit without any visible configuration changes.

The ZebOS software has been upgraded to version 7.5. A license for advanced routing (F5-ADD-BIG-ROUTING) enables all of the IPv4 routing protocols in ZebOS 7.5. These are:

  • RIPv1/v2
  • OSPFv2
  • BGP4
  • IS-ISv4

Units that have licenses for both advanced routing (F5-ADD-BIG-ROUTING), and IPv6 (F5-ADD-BIG-IPV6 or F5-ADD-VPR-IPV6) now have access to the IPv6 routing protocols in ZebOS 7.5 in addition to the IPv4 protocols above. The IPv6 routing protocols included are:

  • RIPng
  • OSPFv3
  • BGP4+
  • IS-ISv6

For more information, see Support for the ZebOS version 7.5 dynamic routing protocols, following.

ISIS dynamic routing
In version 9.4.4, F5 added dynamic routing support for the ISIS protocol. ISIS dynamic routing is only available in software released after February 1, 2008. The ISIS dynamic routing module is activated when a customer has the full routing module license and is running software that includes ISIS. Current customers who reactivate their license of the previously purchased all-protocol routing module, or an enterprise license that includes all the routing modules, will see the ISIS license listed on their system. However, to use ISIS, they must be running a software version released after February 1st 2008, which includes version 9.4.4.


Support for the ZebOS version 7.5 dynamic routing protocols

The ZebOS software on the BIG-IP system has been upgraded to version 7.5. The Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF) version 3, and Routing Information Protocol next generation (RIPng) modules have been added, along with the existing Border Gateway Protocol (BGP), OSPFv2, and Routing Information Protocol (RIP) versions 1 and 2 modules. The BGP module now supports IPv6, as do the OSPFv3, IS-IS, and RIPng modules.

With the addition of these modules, this release now supports a comprehensive set of dynamic routing protocols:

  • BGP4+ (IPv4 and IPv6)
  • IS-IS (IPv4 and IPv6)
  • OSPF version 2 (IPv4) and version 3 (IPv6)
  • RIP versions 1 and 2 (IPv4)
  • RIPng (IPv6)

Summarizing the differences between ZebOS version 5.4 and ZebOS version 7.5

A number of key differences exist between the previous advanced routing modules (based on ZebOS version 5.4) and the new modules (based on ZebOS version 7.5). They are:

  • IS-IS, OSPFv3, RIP version 2, and RIPng modules have been added, as well as IPv6 support for BGP. Some of these protocols support the IPv6 IP addressing format.
  • When you enable the dynamic routing subsystem, the BIG-IP system no longer creates the ZebOS.conf file. Instead, the system creates the file when you save the configuration from the Integrated Management Interface (IMI) shell (formerly the Virtual TeletYpe Terminal (VTY) shell).
  • The VTY shell has been replaced with the new IMI shell as the tool for configuring the ZebOS.conf file. However, due to a symbolic link between the VTY and IMI shells, you can still use the VTY command (vtysh) to configure the ZebOS.conf file.
  • Some of the arguments for the BIG-IP system zebos command have changed. The command zebos (start | stop) is no longer valid and has been replaced with the command zebos (enable | disable).
  • You can no longer use the zebos.* database keys. The BIG-IP system removes these keys when you install a user configuration set (UCS).
  • The advanced routing modules include new database keys, which begin with the string tmrouted.*.
  • You no longer need to configure database keys to control failover actions. The BIG-IP system now performs these actions automatically.

Starting and managing the advanced routing modules

The following information is useful when starting and managing the new version of the advanced routing modules:

  • The BIG-IP system tmrouted daemon starts and manages the daemons for the advanced routing modules.
  • The BIG-IP system always starts the core daemons (imi and nsm) when the daemon tmrouted is run, and database keys control the protocol daemons.
  • If you install a UCS from a previous version, then based on the contents of the ZebOS.conf file, the system automatically configures the database keys.
  • You configure the startup of advanced routing module daemons using the F5 Networks zebos script. The syntax of the zebos script is as follows:

    zebos (enable | disable) [bgp | isis | ospf | ospf6 | rip | ripng]
    zebos (check | rotate)
    zebos (cmd command1)[,command2]


  • The BIG-IP system starts the tmrouted daemon automatically when dynamic routing is enabled. If dynamic routing is disabled, this daemon does not run.

Protocol daemons

The following information is useful with respect to the advanced routing module daemons:

  • bgpd
    • This daemon supports both IPv4 and IPv6. IPv6 support is new for this release, and both versions advertise floating self IP addresses as next-hop addresses.
    • The next-hop address can be overridden by a route map.
    • Global IPv6 addresses are preferred over link-local, then floating over non-floating.
    • Global non-floating addresses are preferred over link-local floating addresses.
  • isisd (new for this release)
    • This daemon supports both IPv4 and IPv6. The daemon advertises floating self IP addresses for its interface addresses, if floating IP addresses are available.
    • Interface addresses must be link-local (for more information, see Routing IPv6 with IS-IS).
    • Users should contact F5 support for assistance in configuring link-local self IP addresses that are in IPv6 format.
  • ospfd
    • This daemon supports OSPFv2 (IPv4) only. The daemon does not use floating self IP addresses, and sets the link cost to its maximum value and uses a 0/0 not-advertise summary route when the system is in standby mode.
  • ospf6d (new for this release)
    • This daemon supports OSPFv3 (IPv6) only. The daemon does not use floating self IP addresses, and sets the link cost to its maximum value and withdraws redistributed routes when the system is in standby mode.
    • Unlike ospfd, this daemon is not supported on a VLAN group.
  • ripd
    • This daemon supports RIP versions 1 and 2 (IPv4) only. Like bgpd, this daemon advertises floating self IP addresses as next-hop addresses.
    • The next-hop addresses can be overridden by a route map.
  • ripngd (new for this release)
    • This daemon supports RIPng (IPv6) only. Like ripd, this daemon advertises floating self IP addresses as next-hop addresses.
    • Unlike ripd, the next-hop address cannot be overridden by a route map. IP Infusion does not support this functionality in ripngd.

Fixes in this release

This release includes the following fixes.

Monitors disabled from command-line re-enabled by b load (CR72141)
If a monitor instance is disabled by the command monitor [mon name] instance all disable, and then you run the bigpipe load command, the monitor instance is automatically enabled. In earlier versions the monitors would remain disabled after a bigpipe load command.

iRule support for larger remote syslog messages (CR73440)
A new database variable tmm.maxremoteloglength has been added to allow syslog messages larger than 1 KB. The following example allows a customer to log the first 4096 bytes of an HTTP POST request to syslog server 10.1.1.1 (default port is 514) with a facility/priority of local0.info, and assumes 10.1.1.1 is a remote syslog server that is routable using a TMM VLAN:

    b db tmm.maxremoteloglength 4096

    rule log_rule {
       when HTTP_REQUEST {
          HTTP::collect 4096
       }
       when HTTP_RESPONSE {
          log 10.1.1.1 local0.info "HTTP data is [HTTP::payload]"
       }
    }

FTP connection and TMM halt on client-side failure (CR76052)
In rare instances, FTP in active mode can halt the Traffic Management Microkernel (TMM) when the initial TCP packet on the FTP data channel coming from the server causes an error on the client-side flow. The problem is resolved in this release.

Short EAV script monitors (CR77790)
Very short EAV (Extended Application Verification) Scripted monitors like echo up now work correctly.

RFE: Make lasthop iRule work with partial PVA acceleration (CR79220)
The lasthop iRule command now works with partial PVA acceleration.

Tcpdump/qkview from Configuration utility (CR79405)
Running tcpdump or qkview from the Configuration utility no longer uses excessive resources, which occasionally led to performance degradation or lockups in earlier versions.

CMP unnecessarily changes ICMP IDs (CR79701)
This release corrects additional errors that occurred with Clustered Multi-Processing (CMP) and Internet Control Message Protocol (ICMP) over and above the errors fixed in previous releases by the same CR number.

Eventd may consume memory (CR81826)
The eventd daemon now correctly removes queued event notifications to unreachable subscribers, and releases the associated memory.

Escaped double quote (CR84373)
The BIG-IP system now correctly loads a class with escaped quotation marks (") in both internal and external class definitions.

New Zealand time zone support (CR84864)
This release supports the extended daylight saving interval in the New Zealand time zone. That means that the BIG-IP system considers Daylight Saving Time (DST) in New Zealand to begin on the last Sunday in September and to end on the first Sunday in the following April.

iControl and eventd portal memory usage (CR85134)
The iControlPortal.cgi and eventd programs are significantly more memory-efficient.

HTTP::payload rechunk gives < procedure error (CR85181)
An iRule that contains the HTTP::payload rechunk command now loads correctly.

Load-balancing reselect loops in TMM (CR85186)
In the case of two members in a Local Traffic Manager pool, the iRule command LB::reselect now selects the next pool member if the first pool member is unavailable, which prevents an infinite loop condition.

ARP entry in a VLAN group incorrectly marked down (CR85463)
With a VLAN group configuration, the BIG-IP system no longer marks an Address Resolution Protocol (ARP) entry down if the ARP cache has expired, but instead now sends an ARP request immediately.

TMM on client/server connection (CR86063)
A server-side connection is now torn down only if initialized, correcting a condition that caused Traffic Management Microkernel (TMM) to crash on client/server connection.

Update PHP to 5.2.4 (CR86221)
This release upgrades PHP (PHP: Hypertext Preprocessor) to release 5.2.4. The upgrade adds security enhancements and fixes.

XConfig does not support FIPS keys (CR86517)
Enterprise Manager now fully supports FIPS-equipped BIG-IP systems.

TMM restarts due to ARP cache (CR86629)
We have significantly improved the performance of the Address Resolution Protocol (ARP) cache in this release.

b load performance improvement (CR86638)
The performance of the b load command in the command line utility is significantly improved for large configurations.

TMM performance improvement when modules un-licensed (CR86712)
Traffic Management Microkernel (TMM) no longer has the potential for performance issues when some modules are not licensed. (It is normal to have modules that are not licensed.)

HTTP::sanitize (CR87036)
If the HTTP header size in the iRule command HTTP::header sanitize is the same length as the HTTP header that follows, the following HTTP header is no longer removed.

Retransmission of dropped HTTP POST request (CR87176)
Previously if a client retransmitted HTTP POST data, the fasthttp profile did not track the TCP sequence numbers correctly, which led to a slow or failed connection. Using iRules frequently made the condition worse. The problem has been corrected in this release.

Logging port 4.2 on a 1500 (CR87184)
The 1500 platform log file /var/log/ltm no longer shows entries for port 4.2, which does not exist.

UDP virtual server with pool using reselect on service down (CR87268)
A UDP virtual server pool utilizing reselect on service down now works correctly.

Upgrade from 9.4.1 causes loss of timeout in persist profile (CR87329)
Configurations with persist profiles and customized timeout settings now maintain the customized timeout when upgraded to 9.4.4.

OpenSSL vulnerability CVE-2007-5135 (CR87358)
This release fixes an openssl process vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2007-5135 to the problem. For more information about the vulnerability, see CVE-2007-5135.

CSSD does not honor configsync.peeripaddr database key (CR87402)
The Config Sync State Daemon, cssd, now correctly honors the configsync.peeripaddr database key, and overrides the value of the statemirror.peeripaddr database key for synchronizing configurations.

b memory calculations (CR87578)
The b memory command now accurately reports statistics when the host is provisioned with more than 2GB of memory.

bigtop can crash (CR87740)
The bigtop command no longer intermittently crashes on a system with eight or more administrative partitions.

HTTP Parser (CR87770)
If an HTTP header is segmented across TCP packets, the resulting dictionary is now built correctly, eliminating non-RFC compliance errors.

Eventd consumes CPU (CR87866)
eventd no longer consumes excessive CPU time while events are in its queue.

Delays with large numbers of monitors (CR87872)
When the system has a large number of monitors (greater than 500) configured, it no longer results in a long delay (20 to 30 seconds) between state changes.

HTTP header malformed (CR88092)
Traffic Management Microkernel (TMM) now correctly handles malformed HTTP header requests.

CACHE + HTTP iRules leak memory (CR88139)
This release resolves an issue where the use of the iRule cache command prior to HTTP::redirect or HTTP::respond iRule commands caused a memory leak.

Client connections using deferred accept (CR88145)
We have corrected a problem where, under some circumstances, when the TCP deferred accept option was used, the system did not release resources.

SSL connections (CR88223)
In SSL configurations using non-native ciphers, errors in previous SSL connections no longer affect subsequent SSL connections.

TMM resources (CR88955)
Traffic Management Microkernel (TMM) no longer crashes, and properly reclaims resources when a connection is stopped while using compression.

bigd receive string (CR89545)
The bigd process now releases resources properly when an HTTP monitor changes the receive string.

SSL CRL native ciphers. (CR89549)
When the cipher list for a clientssl profile contains only native ciphers, a customer provided certificate revocation list is now honored correctly.

SSL using ciphers in TMM (CR89559)
The system now correctly handles an SSL connection that has a large number of message fragments while using a cipher with native support in TMM.

SysInterfaceStat not available for mgmt interface (CR89587)
Management interface statistics are now being reported properly in SNMP.

ARP with an opaque VLAN group (CR89635)
The BIG-IP system may send proxy replies to ARP requests for addresses on the same VLAN as the requesting host. The BIG-IP system no longer interferes with Address Resolution Protocol (ARP) communication between hosts in a VLAN that is a member of an opaque VLAN group.

CONNECT method (CR89679)
When the CONNECT method is used in association with several other events, pipelined data is now forwarded correctly.

HTTPS redirect rewriting should handle uppercase protocol specifier (CR89873)
When a customer server sends a 302 redirect in upper case letters such as HTTPS://, the BIG-IP system no longer incorrectly rewrites the header as HTTPsS:// when using a redirect rewrite directive in a profile.

Native SSL memory (CR90178)
Handling of low-memory condition in the SSL filter is improved, preventing connection stalls and data corruption.

Passive mode FTP transactions failures (CR90205)
Handling of FTP passive mode transactions in a clustered multi-processing (CMP) mode has been corrected.

Packet leak in ping half proxy on disabled interface (CR90282)
Previously if VLAN failsafe was configured on VLANs whose interfaces were disabled, resources were not released. The problem is resolved in this release.

Fasthttp configuration changes and TMM (CR90456)
Configuration changes to the fasthttp profile no longer cause Traffic Management Microkernel (TMM) to crash. This only happened occasionally when some pool members were up and others were down.

Pool route dropped (CR90494)
The system no longer drops traffic matching a pool route if a static route to a subnet of the pool route is present in the configuration.
Example of configuration that was previously affected by the problem:

    route 10.1.0.0/16 {
       pool routers
    }

    route 10.1.1.0/24 {
       gateway 1.1.1.1
    }

SSL::enable in iRule (CR90693)
In prior versions the iRule command SSL::enable did not work, and if the iRule command clientside SSL::enable was called on a SERVER_DATA event, Traffic Management Microkernel (TMM) would crash. Both of these problems are resolved in this release.

CVE-2008-0265 XSS vulnerability (CR90700, CR90703)
This release contains a resolution for the XSS vulnerability in the Search function for the web management interface. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2008-0265 to the problem. For more information about the local vulnerability, see CVE-2008-0265.

Idle timeout for UDP SNAT connections (CR90793)
UDP traffic using a SNAT with the default UDP idle timeout no longer exhausts resources.

HA failover connections (CR90893)
Long-lived connections are no longer dropped by the system after failover in an HA pair when you use nPath configuration.

Static routes to subnets of directly connected networks (CR90986)
Routes to subnets of directly connected networks now work correctly.
Example of configuration that was previously affected by the problem:

    self 10.1.1.1 {
       netmask 255.255.0.0
       vlan v1
    }

    route 10.1.2.0/24 {
       gateway 10.1.1.254
    }

Add switch head-of-line drops to interface drop counts (CR91184)
The bigpipe interface command now includes head-of-line discard counts in the drop counter statistics.

PVA pool member's MAC address (CR91256)
Previously when a server node changed its Media Access Control (MAC) address, on a hardware accelerated FastL4 virtual server, the BIG-IP system continued sending server-side packets to the server node's old MAC address. This problem is now fixed.

B profile http [profile] ramcache exact does not match host name properly (CR91316)
When using the command b profile http [profile] ramcache exact, the host name comparison is now done correctly.

Import password-protected key error (CR91616)
Encrypted SSL keys can now be imported using the Configuration utility.

Pvad does not set node's MAC address properly if node's VLAN name length >= 16 (CR91663)
In previous releases, on a virtual server using a FastL4 profile, if the server-side VLAN's name length exceeded 16 characters, the server-side node's MAC address would not be updated properly. This caused hardware acceleration mode to fail. This release fixes that problem.

Collision of self IP address and SNAT (CR91867)
Collision between the self IP address and SNAT translation address caused the BIG-IP system to ignore some ARP responses. Handling of Address Resolution Protocol (ARP) responses is improved in order to correctly detect responses to requests generated by the BIG-IP system.

Socket leak in DBDaemon java process (CR91889)
The logrotate script, which restarts the DBDaemon (Java) process, no longer leaves sockets in a CLOSE_WAIT state, which eventually ran the system out of sockets.

SIP monitor case-sensitive (CR92041)
TCP and UDP SIP monitors no longer mark nodes down if the name field in the response is a different case. The SIP monitors are no longer case-sensitive for responses.

IP subnet zero routes (CR92047)
The system now handles routes to so called "subnet zero" destinations (for example 10.1.0.0/24) correctly.

Sorting by name not working as expected in 3 list pages (CR92207)
In previous releases, attempting to sort by object names in the following three Configuration utility screens would always sort in reverse alphabetical order. Now, they sort alphabetically.

  • Local Traffic-> SSL Certificates
  • Local Traffic-> Profiles-> SSL-> Client
  • Local Traffic-> Profiles-> SSL-> Server

Add BigDB variable to provision memory for Tomcat. (CR92434)
In this release, you can use the command line to configure Tomcat to use extra memory (Example: b db Provision.Tomcat.extraMB 452 followed by bigstart restart tomcat4). This assumes that sufficient memory is available from the kernel. Careless use of this variable could render the system unresponsive. This variable is generally changed by the user in conjunction with Linux memory variables.

Transparent TCP monitor (CR92875)
Server FINs are now correctly acknowledged if a transparent TCP monitor is defined to connect to a specific address:port with no send or receive string in the monitor. Previously, the connection would eventually time out, but could lead to large connection tables.

ARP failures on transparent monitors (CR92899)
Traffic Management Microkernel (TMM) no longer crashes when an Address Resolution Protocol (ARP) request that is generated by a transparent monitor fails and exceeds the maximum number of retry attempts allowed.

Features and fixes introduced in prior releases

The current release includes the features and fixes that were distributed in prior releases, as listed below. (Prior releases are listed with the most recent first.)

Features introduced in version 9.4.3

This release includes no new features.

Fixes introduced in version 9.4.3

This release includes the following fixes.

Missing httpd file and Configuration utility access (CR85993, CR80083)
In previous releases, a rare installation error condition or a clean installation could block creation of the Pluggable Authentication Modules (PAM) httpd file, which prevented access to the Configuration utility. In this release, the installation process correctly creates the httpd file, so this problem no longer occurs.

Features introduced in version 9.4.2

This release included the following new features.

Configuration utility support for remote TACACS+ user authentication
This release enhances support within the browser-based Configuration utility for configuring the authentication of remotely stored BIG-IP system user accounts. In addition to supporting the authentication of user accounts stored on remote servers running the Lightweight Directory Access Protocol (LDAP), Active Directory, and Remote Authentication Dial-in User Service (RADIUS) protocols, the Configuration utility now supports user authentication for accounts stored on remote servers running the Terminal Access Controller Access-Control System Plus (TACACS+) protocol.

New user roles for BIG-IP system user accounts
With this release come two new user roles that BIG-IP system administrators can assign to user accounts: Resource Administrator and User Manager. Users with the Resource Administrator role can perform the same tasks as users with the Administrator role, except for creating and managing user accounts. Users with the User Manager role create and manage user accounts exclusively. These two new user roles further expand the granularity of access control that BIG-IP system administrators can impose on other BIG-IP system users.

bigpipe utility
In this release, the bigpipe utility has four new features. Two of these features enhance your use of the bigpipe shell. The command history feature now persists across invocations of the bigpipe shell, and the bigpipe shell now supports grep functionality. The third feature, command auditing, logs all user-entered bigpipe commands, all commands that are run by user-entered bigpipe commands, and some bigpipe commands run by the system. Finally, with the command edit feature you can open a text editor and modify the values of the parameters of a bigpipe configuration command sequence.

single configuration file
This release includes a major enhancement known as the single configuration file (SCF). You can use the bigpipe export command to save the local traffic management and operating system configuration of a BIG-IP system in a single, flat, text file with the extension .scf. You can then use the bigpipe import command to replicate the configuration across multiple BIG-IP systems. Using the SCF feature, you can create a consistent, secure, comprehensive local traffic management environment on your network.

SIP support
SIP is an application-layer protocol that manages sessions consisting of multiple participants, thus enabling real-time messaging, voice, data, and video. The BIG-IP system now includes both a services and a persistence profile that you can use to manage Session Initiation Protocol (SIP) traffic. You create a SIP profile to configure the way that the system handles SIP sessions. Then, you assign the SIP profile to a virtual server. SIP sessions automatically persist on the Call-ID; however, you can customize the way that the system handles persistence for SIP sessions. To do this, you create a SIP persistence profile and assign it to the same virtual server.

Device security and auditing
This release increases security on the BIG-IP system through enhanced logging and auditing. You can now direct audit logs to a remote Syslog-ng server, generate audit reports for user logons and logoffs, and receive log messages when BIG-IP system administrators enable or disable a virtual server.

BIG-IP system logging
The BIG-IP system includes two enhancements to logging messages. First, log messages now include the name of the system or subsystem in which the event occurred. Second, log messages for traffic errors now include the name of the associated virtual server, pool, and profile.

TMOS Installer program
The Traffic Management Operating System (TMOS) Installer program used for upgrading BIG-IP version 9.X systems has been enhanced to support these new features: a Back button, automatic generation of a User Configuration Set (UCS) file, and a new order in which the TMOS Installer screens are presented to the user, to simplify certain types of installations.

Network map
This release includes a network map feature, which summarizes statistics and status for certain types of local traffic objects configured on the system (virtual servers, pools, pool members, nodes, and iRules). The network map also displays a hierarchical view of those objects and their relationships, including their current availability.

Stream Control Transmission Protocol profile
The BIG-IP system now includes a type of profile that you can use to manage Stream Control Transmission Protocol (SCTP) traffic. SCTP is a Layer 4, industry-standard transport protocol, designed for message-oriented applications that transport signaling data. You can use SCTP as the transport protocol for applications that require monitoring and detection of session loss.

Real Time Streaming Protocol profile
The BIG-IP system now includes a type of profile that you can use to manage Real Time Streaming Protocol (RTSP) traffic. RTSP is a Layer 7 industry-standard protocol used for streaming-media presentations. Using RTSP, a client system can control a remote streaming-media server and allow time-based access to files on a server.

snapshot utility
Users can now use a new snapshot utility to create or restore a complete BIG-IP system product image. The snapshot utility is a command line utility.

iRule persistence event
This release includes a new iRule event, PERSIST_DOWN. This event is triggered when the system finds a persistence entry for server-side connecting, when the pool member is unavailable. Within an iRule, users can specify the appropriate action for the system to take for this event, such as rejecting the connection or allowing the connection to continue.

HTTPS health monitor
The HTTPS health monitor on the BIG-IP system includes two enhancements regarding client certificates. First, the monitor now includes the new, optional attribute key, which users can use to specify the RSA private key to be used for client authentication. If the key attribute is specified, the cert attribute must also be specified. Secondly, users are no longer required to specify a path for the value of the cert attribute. Previously, users were required to specify a full path to a certificate. Now, if the path is missing, the system uses the path /config/ssl/ssl.crt.

Support for WMI monitors with IIS version 7.0
This release includes a new DLL that provides support for using the Windows Management Instrumentation (WMI) dynamic ratio performance monitor with IIS version 7.0.

Fixes introduced in version 9.4.2

This release included the following fixes.

SNAT implementation and TCP port 21 listener (CR48055)
The SNAT implementation no longer creates a TCP port 21 listener on all VLANs. Now, the system allows connections from a nonstandard data port.

Forced interface speeds (CR52846)
In previous releases, setting a forced interface speed on a small form pluggable (SFP) fiber interface could falsely cause a link up condition. Now, you can force the speed of these interfaces, and the system correctly reads the link up or down condition.

jar_cache files and manual delete (CR66735)
In previous releases, the system created jar_cache files in the /var/cache/tomcat4/temp/ directory of some systems. These files had to be manually deleted. In this release, the system cleans up any jar_cache files it creates.

Redirect rewrite with nonstandard port (CR67241, CR67505, CR67509)
In previous releases, when you set an HTTP profile Redirect Rewrite setting to All, if the HTTPS virtual server was running on a nonstandard port, that port was not inserted into the rewritten location URL, and you had to use an iRule to work around this. In this release, the system correctly responds to the Redirect Rewrite setting, even when the HTTPS virtual server is running on a nonstandard port.

IP Infusion update for NSM halt (CR70607)
This release includes the IP Infusion® update for the ZebOS Network Services Module (NSM) halt condition.

Core files after failover on BIG-IP 8400 (CR71129, CR71201)
Previously, a failover event could cause processes on the two BIG-IP 8400 units in a redundant system to leave core files on the switch card control processor (SCCP). The failover process now removes these files correctly.

Reported CPU utilization and compression (CR71202)
Previously, the system incorrectly reported CPU utilization at 100% when compression tasks were running. Now, the system accurately reports CPU utilization.

bigpipe command completion and the space character (CR72287)
In previous releases, the command-completion functionality could change the command if you typed the entire command and the character following the command was a space. In this release, pressing the Tab key does not invoke command-completion when you have typed the entire command and the following character is a space. Now, pressing the Tab key leaves the command as it is.

Unit of measurement for OIDs (CR72510)
In previous releases, the descriptions for the OIDs ltmVirtualServStatCsMinConnDur, ltmVirtualServStatCsMaxConnDur, and ltmVirtualServStatCsMeanConnDur did not clearly indicate the unit of measurement. In this release, we have updated the OID descriptions to make clear the unit of measurement (milliseconds).

Network-dependent daemon and VLAN startup (CR72661)
In previous releases, if network-dependent daemons started before you had configured VLANs, self IP addresses, and routes on the system, the daemons might not have worked correctly. This applied only to system startup. This release now supports triggering startup of network-dependent daemons based on completion of network configuration (that is, completion of trunk, VLAN, self-IP address, and static route configuration).

Unrecognized HTTP methods without content-length or chunking header stall (CR73219)
In previous releases, unrecognized HTTP methods that contained no body, and that had no content-length or chunking header stalled in the HTTP filter. Now, the system passes any request in which the client has indicated the presence of body content by sending Content-Length or Transfer-Encoding headers, regardless of the method type.

Health checks performed over the management port (CR73624)
The bigd process no longer performs health checks over the management interface, and now correctly logs nodes configured for route-checking over the management interface.

iRules with two slashes and parsing (CR73814)
In previous releases, the system interpreted iRules that contained two slashes ( // ) as a code comment, which resulted in parsing problems. The parser now correctly recognizes the end of a command, so iRules containing two slashes are now parsed correctly.

b vlan fdb show command and trunk information (CR73890)
If a Layer 2 forwarding VLAN existed on a trunk of a VLAN, when you ran the b vlan fdb show command, the system presented VLAN and MAC address information, but no trunk information. Now, the system presents trunk information along with VLAN and MAC address information.

Double quotation marks in monitor send and receive strings (CR74452)
In previous releases, the Send String and Receive String fields in a monitor did not correctly handle a double quotation mark character. In this release, for every attribute that is a string value, monitors correctly handle double quotation marks preceded by an escape character.

Fourth octet of IP address greater than 247 (CR74486)
In previous releases, when you set the fourth octet of the IP address to a value greater than 247 (which should have been valid through 255), the system posted an error message. In this release, the system does not post the error when you set the fourth octet of the IP address to a value greater than 247 and less than 255. The system correctly posts the error when you specify a value greater than 255.

MCP processing of and heartbeat failure (CR74916)
Systems with large persistence tables no longer experience heartbeat failure as a result of translation of persistence information responses.

Incompatible profiles on virtual servers (CR75754)
Previous versions of the software did not prevent the assignment of incompatible profiles to virtual servers. For example, you could edit the bigip.conf file to use a User Datagram Protocol (UDP) timeout in an incompatible, IP-forwarding-type profile assigned to a virtual server. In this release, the system correctly restricts the use of profiles on IP-forwarding-type virtual servers to Fast L4 types of profiles.

HTTP Location header and the HTTP::header sanitize rule (CR75788)
In previous releases, the HTTP Location header was incorrectly removed when you ran the HTTP::header sanitize rule. Now, running the rule correctly leaves the Location header, as it is an essential header for certain redirect responses.

TCP retransmit under low-memory conditions (CR76231)
In previous releases, if TCP attempted to transmit data when there was no room for the TCP header in the first fragment, and the attempt to prepend a fragment to the packet failed, when TCP attempted to retransmit the packet, it tried to delete the TCP header from the packet. This caused Traffic Management Microkernel (TMM) to restart, as the TCP header was not present. This no longer occurs, even on low-memory systems, such as the BIG-IP 1500.

TMM and propagation of gratuitous ARP announcements (CR76400)
In previous releases, when one instance of Traffic Management Microkernel (TMM) received a gratuitous Address Resolution Protocol (ARP) announcement, the process did not propagate the new Media Access Control address (MAC address) to the other instances of TMM. In this release, all instances of TMM now receive the new MAC address.

Multiple default SNATs (CR76632)
In previous releases, if you configured multiple SNATs with the same origin, the system did not load the second SNAT, even though it was configured for different translations and associated with different VLANs. Now, the system correctly loads all SNATs.

tcpdump -i any command and TMM halt with core file (CR76740)
In previous releases, running the command tcpdump -i any caused the Traffic Management Microkernel (TMM) process to halt, creating a core file. In this release, the any argument is functionally equivalent to the 0.0 argument in the same command structure, which does not cause TMM to halt. Note that this operation of the any argument occurs only if there is no existing VLAN or trunk that is named any. If there is a VLAN or trunk that is named any, specifying that argument provides output relative to that VLAN or trunk.

Statistics and the New Connections graph (CR76848)
In previous releases, on the Performance screen with the All or Connections tabs selected, the New Connections graph showed the total count for all TCP connections, instead of the server-side connections for server connections. This release shows the correct statistics.

deflate process and User-Agent headers larger than 128 bytes (CR77126)
In previous releases, the deflate process ignored browser workarounds and logged an error if the User-Agent header was larger than 128 bytes. In this release, the Traffic Management Microkernel (TMM) process correctly uses the first 128 bytes to detect the browser type, and no longer logs an error.

Log events and syslog-ng utility unavailable (CR77305)
In previous releases, if the Traffic Management Microkernel (TMM) process attempted to write a log message through the syslog-ng utility when the syslog-ng utility was unavailable, TMM stopped logging subsequent messages, even when the syslog-ng utility was later started.

Query routed from a gateway pool (CR77421)
In previous releases, when the system received an SNMP query from a client that was routed using a gateway pool, the system did not correctly forward the request. Now, Traffic Management Microkernel (TMM) correctly routes the query from clients routed by a gateway pool for IPv4-formatted self IP addresses. The system still does not handle SNMP queries on IPv6-formatted self-IP addresses.

Keep-alive interval of greater than 4294967294 set in the TCP profile (CR77629)
In previous releases, the system operated differently if you entered a value greater than 4294967294 for the keep-alive interval in the TCP profile. Using the Configuration utility, the system presented an error. When you edited the bigip.conf file and tried to load it, the system did not present an error. The upper limit is now 4294967295. If you specify 4294967295, the system responds the same way it does when you specify indefinite as the keep-alive interval in the TCP profile. If you specify a value larger than 4294967295, the system presents an error in both the Configuration utility and when you try to load the bigip.conf file using the b load command in the command line utility.

Content Type Compression statistics (CR78695)
In previous releases, the system always presented zeroes ( 0 ) for Content Type Compression, such as what you might find on the Statistics screen for HTTP Profiles Summary statistics. In this release, the system correctly reports these statistics.

Audit script and errors on the BIG-IP 2400 (CR78856)
In previous releases, running the audit script /usr/lib/install/audit on the BIG-IP 2400 produced errors in the /var/log/messages file. In this release, the system successfully runs the audit script without error.

In use class updates and TMM halt (CR78879)
In previous releases, when you used an iRule to assign a class to a Tcl variable, and then used the Tcl list commands (llength or lindex, for example) to operate on the variable, the process coerced the underlying class into a Tcl list. If you then modified that object (by changing it in the Configuration utility, for example), the Tcl parser stopped the Traffic Management Microkernel (TMM). In this release, the system prevents the error condition that caused the problem.

Stream profile and TMM halt (CR79374)
In previous releases, incorrect use of the default stream profile could cause Traffic Management Microkernel (TMM) to halt unexpectedly. In this release, the system disables the stream filter if an iRule attempts to set an invalid expression. In addition, the system correctly prevents you from enabling the stream filter when there is no expression present.

Certificate list for SSL servers (CR79708)
Some SSL servers can require the SSL client to send an empty certificate list if the client is not configured with a certificate. Previous versions of the Server SSL profile did not send any certificate list in this case, causing the server to fail the handshake. This release sends an empty certificate list if the client is not configured with a certificate, so the handshake completes successfully.

SIP monitor and Any option specified in the Additional Accepted Status Codes list (CR79747)
In previous releases, the system reported an error when you configured a SIP monitor with the Any option specified in the Additional Accepted Status Codes list. This release handles that option without error.

PVA1 and PVA2 and UDP checksum 0 (CR79749)
Packet Velocity® ASIC (PVA) versions 1 and 2 (PVA1 and PVA2) did not handle a connection received with a User Datagram Protocol (UDP) checksum of zero ( 0 ). In this release, when PVA receives a UDP checksum 0, the system demotes the UDP flow to run in the assist mode. To handle the UDP checksum 0 condition, create a Fast L4 profile and set PVA acceleration to the assist mode for that profile. Then, on PVA1 and PVA2 platforms, for any UDP virtual IP address that might receive a UDP checksum 0, use that customized Fast L4 profile instead of the standard Fast L4 profile.

Rewrite option for TCP Window Scale Mode in Fast L4 profile (CR79819)
In previous releases, the Fast L4 profile setting TCP Window Scale Mode included the Rewrite option. The Rewrite option is no longer a valid setting, and it has been removed.

AES::decrypt unable to work with b64decoded data (CR79907)
The AES::decrypt iRule command now handles the output of the b64decode command.

Mirrored, Fast L4 virtual server memory leak (CR80120)
Using an iRule with a mirrored, Fast L4 virtual server no longer leaks memory.

Deflate compression filter and incomplete HTTP transfers (CR80178)
The deflate compression filter has been improved to correctly detect and handle incomplete HTTP transfers.

f5passwd utility and password update (CR80412)
In previous releases, the f5passwd utility did not correctly update user passwords. In this version, the f5passwd utility correctly interpolates variable arguments.

Deflate process and premature unchunking of responses (CR80637)
In previous releases, the deflate process could prematurely unchunk incompressible responses, which ended the connection. In this release, the deflate process requests unchunking of the response body only if the process is to compress the response, correctly preserving the connection.

Gateway fail-safe and BIG-IP 8400 and 8800 continuous restart (CR80814, CR81564)
In previous releases, on the BIG-IP 8400 and 8800, setting the gateway fail-safe action to reboot caused a continuous restart. In this release, the system resets the gateway fail-safe pool member information after a restart or a reboot, so the system determines the required information available prior to processing.

SNMP query operations on objects not in the Common partition (CR80987)
In previous releases, the system could not perform SNMP query operations to retrieve information on objects that were not in the Common partition. This release corrects this problem.

FTP monitor and TMM memory exhaustion (CR81113)
In version 9.3 (but not in earlier versions of 9.4), running an FTP monitor triggered a memory leak that could eventually exhaust all Traffic Management Microkernel (TMM) memory. In this version of the software, FTP traffic no longer triggers a memory leak in the TMM.

Route addition and deletion and MCP memory leak (CR81295)
In previous versions, when adding or deleting a route triggered an error, the error could cause a memory leak in the Master Control Program (MCP) database. This release correctly handles errors from route addition and deletion, so that no memory leak occurs.

Data compression and content truncation (CR81731)
In previous releases, the HTTP filter or compression filter could intermittently truncate compressed content destined for the client. In this release, the filter correctly handles compression so that no data is truncated.

Certificate bundle import in 9.4 (CR82095)
In the 9.4 release (but not in other, earlier releases), importing a certificate bundle imported only the first certificate in the bundle. In this release, all certificates in the bundle are imported.

SSL filter and SSL record version validation (CR82219)
In previous releases, the SSL filter did not check the SSL record version against the negotiated protocol version, which resulted in the system processing SSL records containing incorrect protocol versions. In this release, the system correctly validates the SSL record version prior to off-loading the record to hardware.
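
The check described in CR82219, shown as an added Python example (not F5 code): it walks a buffer of SSL/TLS records and refuses any record whose header version differs from the negotiated version before the payload is handed on. The function names and sample records are constructed for this illustration, and the code assumes version negotiation has already completed.

```python
import struct

# Record-layer versions as (major, minor) wire bytes.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HEADER_LEN = 5                 # type (1) + version (2) + length (2)
MAX_FRAGMENT = 2**14 + 2048    # largest ciphertext fragment in SSLv3 through TLS 1.2


class RecordError(ValueError):
    """Raised when a record must not be passed on for further processing."""


def version_name(version):
    return VERSION_NAMES.get(version, "%d.%d" % version)


def make_record(ctype, version, payload):
    """Build one record (helper used only to construct the sample input)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


def validate_stream(stream, negotiated):
    """Return [(content_type_name, payload), ...] for a buffer of records.

    Raises RecordError at the first record that is malformed or that carries
    a version other than the negotiated one, so nothing after it is processed.
    """
    accepted = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER_LEN:
            raise RecordError("truncated header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise RecordError("unknown content type %d at offset %d" % (ctype, offset))
        # The check this fix is about: header version must equal the negotiated one.
        if (major, minor) != negotiated:
            raise RecordError("record version %s at offset %d, negotiated %s"
                              % (version_name((major, minor)), offset,
                                 version_name(negotiated)))
        if length > MAX_FRAGMENT:
            raise RecordError("record length %d exceeds %d at offset %d"
                              % (length, MAX_FRAGMENT, offset))
        end = offset + HEADER_LEN + length
        if end > len(stream):
            raise RecordError("truncated payload at offset %d" % offset)
        accepted.append((CONTENT_TYPES[ctype], stream[offset + HEADER_LEN:end]))
        offset = end
    return accepted


def verdict(stream, negotiated):
    """Summarize validate_stream() as a one-line string for logging."""
    try:
        return "ok: %d records" % len(validate_stream(stream, negotiated))
    except RecordError as exc:
        return "rejected: %s" % exc


# Constructed sample input: payload bytes are placeholders, not real ciphertext.
TLS10 = (3, 1)
GOOD = (make_record(22, TLS10, b"\x14\x00\x00\x0c" + bytes(12))
        + make_record(23, TLS10, bytes(32)))
BAD_VERSION = make_record(23, TLS10, bytes(32)) + make_record(23, (3, 3), bytes(32))
TRUNCATED = GOOD[:-4]
OVERSIZED = struct.pack("!BBBH", 23, 3, 1, 0xFFFF)

if __name__ == "__main__":
    for label, buf in [("good", GOOD), ("bad version", BAD_VERSION),
                       ("truncated", TRUNCATED), ("oversized", OVERSIZED)]:
        print("%-12s %s" % (label, verdict(buf, TLS10)))
```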

OneConnect and connection reuse Connection: Close for HTTP 1.0 client (CR82404)
In previous versions, on a virtual server enabled with OneConnect, the system might have erroneously returned server-side connections to the connection pool even after the client has been closed after sending the Connection: close request. Subsequent client requests to this server connection caused the server to close the connection and not service the associated request. In this release, we have disabled OneConnect reuse of server-side flows if the server has indicated that it is going to close.

LB::Status iRule command and node status (CR82835)
In previous versions, node status as reported by the LB::Status iRule command never changed when node status changed. Now, the iRule correctly reports the node status.

User accounts missing after upgrading and relicensing (CR83055)
After upgrading in previous releases, when you relicensed and then restarted, the system reported only Administrator level users. Now, after upgrading, relicensing, and restarting, the system correctly reports all users.

mod_jk2 module upgrade (CR83564)
This release fixes several stability issues in the mod_jk2 module that the system uses.

LB::Reselect after HTTP::Response and TMM restart (CR84102)
In previous releases, having an iRule that performed an LB::Reselect command after an HTTP::Response command in the LB_FAILED event caused the Traffic Management Microkernel (TMM) to restart continually. Even though the sequencing of these commands was erroneous, this version of the software first checks the client-side connection, and if the system has already freed the connection, the process correctly closes the server-side connection.

Dynamic route and self IP address creation (CR84216)
In previous releases, when there was a dynamic route present in the routing table and you tried to create a self IP address for that dynamic route, Traffic Management Microkernel (TMM) halted and produced a core file. In this release, creating the self IP address for an existing dynamic route works correctly.

Formatting errors and USB mass storage device installation (CR84514)
In previous releases, when formatting problems prevented installation on certain thumb drives, the operation halted with inaccurate error messages. In this release, formatting errors produce the correct error messages.

Features introduced in version 9.4.1

This release included no new features.

Fixes introduced in version 9.4.1

This release included the following fixes.

Assisted pvad mode and client-side throughput statistics (CR58721)
On a system where the Packet Velocity® ASIC (PVA) mode in a Fast L4 profile is set to Assisted, the system now reports correct statistics for client-side throughput.

ssldump and FIPS-imported keys (CR65894)
In previous releases, FIPS-imported keys were not included in ssldump utility results. In this release, ssldump utility results include FIPS-imported keys.

LDAP authentication configuration with empty search base DN (CR68072)
You can now complete an LDAP authentication configuration without specifying at least one server. Previously, the system required you to specify at least one server.

Blank user and certificate search base DN (CR68992)
In this release, you can use blank values for user and certificate map search base DN values when you configure the SSL Client Certificate LDAP type of Authentication Configuration profile. In previous releases, you could not leave these fields blank.

Server-side SSL session ID reuse percentage (CR70478, CR70480)
This release contains performance improvements in the system so that the SSL server cache ratio is higher.

Retransmission of packets by Fast HTTP profiles (CR71597)
In this release, the system preserves MSS and sequence numbers on retransmitted synchronization and acknowledgment (SYN-ACK) segments in Fast HTTP profiles.

Install license call error (CR71959)
This release addresses an error returned when calling Management::LicenseAdministration::install_license so that the call completes correctly.

UPN in x509v3 extensions SubjectAltName (CR72445)
In this release, parsing the Microsoft Universal Principal Name (UPN) from certificates returns a more user-friendly UPN name than in previous versions.

Fast HTTP SYN-ACK packets with new sequence numbers (CR72575)
Previously, if the connection entry in the synchronization (SYN) cookie cache was deleted due to overflow or timeout, the retransmitted synchronization and acknowledgment (SYN-ACK) packets carried a new sequence number. Now, all retransmitted SYN-ACK packets have the same sequence number as the first one.

Excessive memory growth in eventd process (CR72794)
In previous releases, the eventd process could grow over time, depending on the amount of activity, especially if eventd had trouble contacting the subscriber. This sort of growth could contribute directly to memory pressure, which could lead to failover. In this release, the process consumes less memory, which prevents this condition.

Client access with no trusted certificate authorities (CR72799)
This release addresses the issue in which clients were denied access when SSL was configured to request client certificates, but there were no trusted certificate authorities (CAs) specified. Now, the system correctly allows self-signed certificates, and other unverifiable certificates, when using this configuration.

SSLv2 ciphers and iRules (CR72968)
The SSL filter determines which cipher suite is selected by checking for a cipher ID. Because SSLv2 does not support cipher IDs, an iRule attempting to get the SSLv2 cipher name could return random garbage, which could eventually cause Traffic Management Microkernel (TMM) to restart. Now, the system correctly identifies SSLv2 ciphers from cipher information provided by OpenSSL at handshake completion.

Result of iControl call Management::LicenseAdministration::get_system_dossier (CR73156)
In this release, the license server successfully completes when using the dossier returned from the iControl call Management::LicenseAdministration::get_system_dossier.

MCP messages and heartbeat failure (CR73247)
The system now correctly terminates Master Control Program (MCP) result messages, which avoids the infinite message-splitting loop condition.

Compression and closing non-HTTP/1.1 connections (CR73277)
In previous releases, the system could improperly close non-HTTP/1.1 connections when compression was set. Now, the system correctly closes non-HTTP/1.1 connections, even when compression is set.

Cacheable header in HTTP class profile and TMM (CR73355)
In previous releases, when you specified a cacheable header (such as User-Agent, Host, Connection, and so on) in an HTTP class profile, if header matching was enabled, Traffic Management Microkernel (TMM) restarted. Now, TMM does not restart in this situation.

Connection handling with no active priority group members (CR73405)
The Traffic Management Microkernel (TMM) now moves connections to the next-in-order priority group instead of resetting the connection when there is no active member in the group.

BIND version 9.3.4 (CR73531)
This release contains the version 9.3.4 upgrade of BIND (Berkeley Internet Name Domain), an implementation of the Domain Name System (DNS) protocols, which corrects several security issues.

Priority groups and connection limit interaction (CR73861)
Previous releases had several issues with priority groups and connection limits, including moving connections to a lower priority group when appropriate, correctly handling the disabling of pool members, clearing virtual IP addresses that remained after enabling and disabling pool members, and disabled nodes incorrectly passing traffic. In this release, the system handles these conditions correctly.

SCCP kernel driver 497-day timer wrap issue (CR73960)
Read errors no longer occur when the switch card control processor (SCCP) kernel driver wraps after 497 days. Now, the system appropriately handles the 497-day interval.

b load with external IP class files (CR73983)
Configurations with external IP class files no longer cause the system to reload the configuration file with each b load command if the file has not changed. Now, the system only reloads the configuration file when the file has changed.

Pool member traffic handling with disabled parent node (CR74063)
If a pool member fails and later passes a health check, the system correctly refrains from sending traffic to the pool member if its parent node is disabled.

Corrupted SIP message handling (CR74142)
The system now continues operating correctly when the Session Initiation Protocol (SIP) parser receives a corrupt message. Previously, when the system received a SIP message without the \r\n (carriage-return/line-feed) terminator, the system halted.

Enterprise Manager token module changes (CR74432)
This version supports external administrators in the Enterprise Manager software. Previous versions did not.

LB::server weight iRule command and system halt (CR74534)
In previous versions, using the LB::server weight iRule command could cause a divide by zero system halt. This release corrects this problem.

RULE_INIT event addition to existing iRules (CR74553)
The system no longer attaches RULE_INIT events to the virtual server, so no configuration problems occur when using this event in iRules.

Memory growth with repeated initialization calls (CR74557, CR74629)
In previous releases, memory growth occurred as a result of repeated initialization calls. Now, the system handles memory correctly during repeated initialization calls.

Outbound monitor packets and VLAN fail-safe (CR74652)
Outbound monitor packets no longer reset the VLAN timer, a behavior that prevented failover. Failover now occurs correctly.

Client ACK response to server reply to POST request and Fast HTTP (CR74825)
The system now accurately tracks the client-side sequence numbers when dealing with a PUT/POST body. Formerly, out-of-sequence sequence numbers caused the client to not respond to subsequent client packets, eventually resulting in a connection reset.

FIPS error messages on system boot (CR74892)
The system no longer displays on the screen Library Initialization or card re-initialization request error messages when booting systems using Federal Information Processing Standard (FIPS) cards. The startup process now correctly waits for initialization of the driver that sent the message.

Processing server data held by TCP::collect (CR74924)
The system now processes server data held by TCP::collect when the system receives a finished (FIN) packet. Formerly, the system halted processing.

HTTP chunk headers with line-ending split across packets (CR74928)
The system no longer closes connections in response to an HTTP chunking header that has a \r\n (carriage return/line feed) split across packets. Now, the system processes the packets as expected.

PVA2 health check (CR75339)
Previously, an incorrectly integrated fix prevented the Packet Velocity® ASIC daemon (pvad) from properly resetting PVA when it locked up. Now, pvad correctly resets PVA2 after a lockup.

Server-side HTTP::disable command and client-side filtering (CR75545)
In previous releases, when an HTTP::disable command was issued on the server side of a connection, for example, the command was delivered twice to the client side of the connection, and not at all to the server side of the connection. Now, when the HTTP::disable command is issued on the server side of a connection, the system correctly disables both sides of the connection.

Database variable to disable CRL signature verification (CR75624)
In this release, there is a new database key that can be used to disable certificate revocation list (CRL) signature verification. Note that disabling CRL signature verification is not recommended. For information about the procedure to disable CRL signature verification, see Configuring the database variable to disable CRL signature verification.

SSL initial handshake parser and heartbeat failure (CR75649)
The system now correctly handles receipt of a garbage record containing specific data patterns.

FTP-related connection with bad packet and TMM halt (CR76052)
In previous releases, an FTP-related connection that received a bad packet could cause Traffic Management Microkernel (TMM) to halt on the client side. Now, the system correctly handles the packet, so TMM does not halt.

Hotfix installation onto 9.4.x with CompactFlash drive and out-of-disk-space error (CR76106)
Attempting to install a hotfix onto version 9.4.x could result in an erroneous out-of-disk-space error on the CompactFlash® media drive. In this release, the installation process sets the correct space requirement for installation. Depending on the size of the hotfix and the size of the CompactFlash drive, you might still see an out-of-disk-space error, but it is not erroneous.

HTTP redirect persistence and TCL persistence keys (CR76145)
HTTP redirect calls in iRules no longer leak TCL persistence keys. In previous releases, the leak occurred with any form of HTTP request that was not actually sent by proxy to the server, including redirect, respond, ramcache, and drop/reject.

TMM reset and TCP headers (CR76276)
In previous releases, the system could reach a state in which it attempted to delete the TCP header from the packet when the header was not present. This caused Traffic Management Microkernel (TMM) to reset. This no longer occurs.

mcpd memory leak (CR76340)
This release corrects a Master Control Program daemon (mcpd) process memory leak that occurred when Enterprise Manager attempted to load dependency trees.

Header matching failures in HTTP class header list (CR76397)
In earlier releases, a line-ending caused the system to fail to match some pattern string entries in the HTTP class header list. This release corrects that issue.

SNAT listener and virtual listener combination (CR76502)
Client and server connection flows that match both a SNAT listener and a virtual listener now correctly take and release references to the SNAT listener. Previously, connections of this type took references but did not release them.

System log times after DST change (CR76567)
System logs now correctly reflect time zone and timestamp after the Daylight Saving Time (DST) change.

Server SSL session cache and reuse (CR76765)
In previous releases, server SSL sessions were only partially cached, so the cache appeared empty and the system could not reuse the session. Now, the system correctly caches and reuses server SSL sessions.

Compression with RAM Cache enabled (CR77092)
Previously, enabling and disabling compression with RAM Cache enabled could cause Traffic Management Microkernel (TMM) to restart. Now, the system correctly handles this configuration.

Cache-Control max-age, max-stale, or min-fresh with no value and TMM (CR77684)
In this release, the system correctly handles empty HTTP Cache-Control keywords max-age, max-stale, and min-fresh so that Traffic Management Microkernel (TMM) does not restart.

10 Gb port operation after cable removed and replaced (CR77947)
In previous releases, when you unplugged a cable or module from a 10 Gb XFP port on a BIG-IP 8400 platform and plugged it back in, the 10 Gb port lost its link speed setting, and was unable to pass any traffic. In this release, the unit and port now recover correctly after you unplug a cable or module and plug it back in.

Stale packet pointer reference and TMM (CR77954)
This release corrects a condition in which the system could reference a stale packet pointer, which caused Traffic Management Microkernel (TMM) to restart.

Least connections load balancing method and TMM (CR78002)
In previous releases, when you changed a pool's load balancing method to the least connections type, the system only accounted for pool members in the highest priority group, which caused Traffic Management Microkernel (TMM) to halt when all pool members went down. Now, the system correctly accounts for pool members in all priority groups, so TMM does not halt.

97 continuous days of operation and heartbeat restart loop (CR78171)
This release corrects a heartbeat failure restart loop that occurred after 97 continuous days of operation. In this release, the system correctly resets the timing mechanism that handles failover, so the heartbeat failure restart loop no longer occurs.

Cached server SSL session resume and TMM (CR79098)
In previous releases, attempting to resume a server SSL session that was cached caused Traffic Management Microkernel (TMM) to restart. Now, the session is resumed and TMM operates normally.

Fast HTTP receipt of ICMP packet during SYN phase and TMM (CR79397)
In previous releases, Internet Control Message Protocol (ICMP) processing for standard HTTP (that is, not fast HTTP) connections could cause Traffic Management Microkernel (TMM) to restart if the system received a packet during the synchronize (SYN) phase. Now, the system correctly handles such packets, and TMM does not restart.

HTTP profile with RAM Cache enabled and http::disable (CR79501)
In previous releases, configuring an HTTP profile with RAM Cache enabled completely stopped traffic through the virtual server in instances where http::disable was called. Now, the system correctly handles the http::disable call in this configuration.

CMP and ICMP error handling (CR79701)
This release corrects errors that occurred with clustered multi-processing (CMP) and Internet Control Message Protocol (ICMP).

CVE-2007-1856 vixie-cron local vulnerability (CR79973)
This release contains an updated vixie-cron package to resolve a local vulnerability. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2007-1856 to the problem. For more information about the local vulnerability, see CVE-2007-1856.

CVE-2007-2926 BIND ISC BIND 9.0 through 9.5.0a5 vulnerability (CR83397)
This release fixes a flaw that was found in the way the Internet Systems Consortium, Inc. (ISC) Berkeley Internet Name Domain (BIND) software versions 9.0 through 9.5.0a5 generate outbound DNS query IDs. This vulnerability affects only BIND servers. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2007-2926 to the problem. For more information about the vulnerability, see CVE-2007-2926.

Features introduced in version 9.4

The 9.4 release included several new features. Some of these features offer new capabilities for managing traffic, while other features offer enhanced security and system performance. For documentation and details for these features, see User documentation for this release.

USB thumb-drive installation
This release includes a utility named umdinstall, which formats a USB mass storage device (that is, a thumb drive). When a USB-boot-capable platform such as the 1500 platform is then booted to the thumb drive, a complete product installation can occur from that device. For more information, see Performing a USB mass storage device installation.

Windows Installer utility
You can now install the BIG-IP system using the Windows Installer utility. For more information, see Performing a Microsoft Windows hosted installation.

8800 platform
The all-new 8800 platform is a high-end, multi-processor system offering performance designed to meet the needs of large enterprise computing environments. For details about this platform see the Platform Guide: 8400 and 8800. For additional deployment information, see 8800 Platform: Deployment Considerations.

Integration of the WebAccelerator module
The BIG-IP system now includes the WebAccelerator module. The WebAccelerator module improves site performance while off-loading traffic from origin servers. Installed on your corporate network between your application users and the servers on which your applications run, the WebAccelerator module accelerates the application response to HTTP requests. For more information, see BIG-IP WebAccelerator module version 9.4.

Clustered-multiprocessing
Available on the 8400 and 8800 platforms, clustered multi-processing (CMP) is a traffic acceleration feature that creates a separate instance of the Traffic Management Microkernel (TMM) service for each processing unit on the system. Note that CMP is not available on the 6400 or 6800 platform.

Administrative partitions
This release includes a major security enhancement known as administrative partitions. Using this feature, you can group BIG-IP system objects into partitions that you create. Then, by assigning user roles to BIG-IP system user accounts, you can grant or restrict user access to those partitions. Partitions offer a finer granularity of control because you can configure each user account to grant access to some partitions but not others.

User roles
Another important security enhancement in this release is the addition of new user roles. Each new user role grants a different amount and type of access to BIG-IP system objects. The user roles available in this release are: Administrator, Manager, Application Editor, Operator, Guest, and No Access. By configuring each user account, you can assign a user role that matches the work that the user must perform. For example, users with an operator role can enable and disable nodes and pool members only. They cannot create, modify, or delete BIG-IP system objects.

HTTP Class profile
An HTTP Class profile is a configuration tool that you can use to forward traffic to a pool or a URL, based on an examination of traffic headers or content. Use of an HTTP Class profile is an efficient way for the BIG-IP system to classify traffic based on criteria that you specify. Although you can perform these same traffic-classification functions using the iRules feature, using an HTTP Class profile simplifies this process. With an HTTP Class profile, you can specify strings that match host names, URIs, HTTP headers, or HTTP cookies.

HTTP and TCP optimization profiles
The BIG-IP system now includes a set of custom profiles that are already configured to provide the most efficient processing of TCP traffic, as well as to easily compress and cache HTTP responses.

New health monitors
This release includes three new health monitors. The SASP monitor uses the Server/Application State Protocol (SASP) to communicate and verify availability of resources managed through the IBM® Group Workload Manager. The RPC monitor verifies the availability of Remote Procedure Call (RPC) servers using the rpcinfo command. Finally, the SMB monitor employs Server Message Block (SMB) to verify whether either an SMB/CIFS server or a specific share on that server is available.

Enhancements to the MSSQL and Oracle health monitors
This release includes a new attribute for the MSSQL and Oracle monitors. The new attribute, count, defines the number of times that the system should use a JDBC connection with the database.

Enhanced connection mirroring
To address issues related to mirroring of Layer 3, 4, and 7 connections, this release includes a number of internal enhancements. Some of these enhancements improve the reliability of long-lived connections, the stability of mirrored connections when system resources are minimal, and maintenance for connections associated with mirrored persistence during failover.

iControl attribute for virtual server score
You can now use iControl to affect how Local Traffic Manager and Global Traffic Manager handle connections. Instead of setting a connection limit on a virtual server, and having the system calculate connections per second, you can set a score for a virtual server within iControl.

bigpipe shell
The bigpipe utility now includes an interactive shell that eases the task of typing bigpipe commands. You can invoke this shell by typing the bigpipe shell command at a BIG-IP system prompt. Using the bigpipe shell, you can type any bigpipe command sequence. The bigpipe shell includes several features designed to optimize your use of the bigpipe utility, such as command history and editing, command completion, and command continuation.

New HTTP profile settings
The HTTP profile type includes several new settings that simplify certain traffic-management tasks. These new settings replace the need to write an iRule to perform these tasks. For example, you can now use an HTTP profile to: watch for HTTP traffic and redirect that traffic to HTTPS on the same host, specify error codes for HTTP responses when you want responses with those error codes to redirect the response to a fallback host, and specify headers to allow in HTTP responses.

Manual Resume setting for monitors
The BIG-IP system includes a new attribute for certain monitors called Manual Resume. With the Manual Resume attribute, you can manually designate a resource (such as a node, pool, or pool member) as available, rather than allowing the BIG-IP system to do that automatically. This feature is useful if a monitor detects a resource as up, but you do not want the resource to begin receiving traffic yet.

Certificate Revocation List Distribution Point (CRLDP) authentication module
This release includes a new authentication module for authenticating application traffic. CRLDP is an industry-standard protocol that offers an alternative method for checking a standard certificate revocation list (CRL) to determine revocation status.

Restore of factory default settings
This release includes a script, sys-reset, that resets the configuration of the BIG-IP system to all of the default settings.

Passive monitoring of pool members
The BIG-IP system now includes a feature known as passive monitoring. With passive monitoring, a pool member can be marked down sooner than the customary three successive bigd health check failures. Implementation of this feature requires the use of the iRules feature.

Allocation of disk space for the log file
With this release, you can use the new resize-logFS command line script to adjust the amount of disk space that the system allocates for the log file. You can allocate additional disk space, or decrease the disk space, if necessary.

New iRule capability for remote authentication
When using a remote LDAP server to authenticate application traffic, you can now write an iRule that queries for the user's group membership, as well as for an indication that the user's password has expired. Because this data is typically stored in an LDAP tree as name/value pairs, iRules can perform a query for this information.

New Daylight Saving Time handling
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, see Solution 6551: F5 Networks software compliance with the Energy Policy Act of 2005.

Fixes introduced in version 9.4

This release contained no new fixes.

Optional configuration changes

Once you have installed the software, you can use the following new configuration option to update your configuration.

Using the switchboot utility

Beginning with the version 9.0.2 release, we added functionality to install multiple versions of the BIG-IP software on different boot images on one unit. A boot image is a portion of a drive with adequate space required for an installation. If the hardware supports multiple boot images, you are prompted to install the software on multiple boot images during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 3410 (C100), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

The switchboot utility is available to manage installations on different boot images. You can use the switchboot utility from the command line to select which installed image boots.

To run the switchboot utility
  1. Type the following command:
    switchboot
    A list of boot images and their descriptions displays.
  2. Type the number of the boot image you want to boot at startup.
    When you reboot the system, it starts from the slot you specify.

If there is only one boot image available, the switchboot utility displays a message similar to this one and exits.
There is only one boot image to choose from: title BIG-IP 9.3 Build 178.5 - drive hda.1

Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.

To use switchboot in non-interactive mode
  • If you know which boot image you want to boot, you can type the following command and specify the boot image number for <bootimage_number>:
    switchboot -s <bootimage_number>

To use switchboot to list available boot images and the currently active boot images
  • If you want to list the available boot images without specifying a new boot image from which to boot, type the following command:
    switchboot -l

To list options for switchboot
  • To list the options for the switchboot utility, type the following command:
    switchboot -h

To view the contents of the boot configuration file using switchboot
  • You can view the complete contents of the boot configuration file (grub.conf) with the following command:
    switchboot -d

    This command is slightly different from switchboot -l in that -l only lists the boot image header lines, while -d displays the complete file.

Configuring the database variable to disable CRL signature verification (CR75624)

This information describes how to set the database variable to disable and re-enable certificate revocation list (CRL) signature verification. For information about the fix, see Database variable to disable CRL signature verification.

To disable CRL signature verification
  1. Use bigdb_create to create a new database key by typing the following command:
    bigdb_create tamd.crldp.nosignature
  2. Enable the new key by typing the following command:
    b db tamd.crldp.nosignature enable

To resume CRL signature verification
  • Type either one of the following commands:
    b db tamd.crldp.nosignature disable
    bigdb_delete tamd.crldp.nosignature; restart tamd
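
The kind of check that this database key turns off can be reproduced with the OpenSSL command line. The following added example (not part of the F5 release note and not BIG-IP code) creates two constructed CAs that share one issuer name and shows that only the signature check tells their CRLs apart; the CA name, file names and function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: CRL signature verification with the openssl CLI.
# All CA names, keys and files are constructed for this demo in a temp dir.

# new_ca DIR: create a throwaway self-signed CA and the state "openssl ca" needs.
new_ca() {
    mkdir -p "$1" || return 1
    : > "$1/index.txt"            # empty certificate database: nothing revoked
    echo 01 > "$1/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Constructed Demo CA
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $1/index.txt
crlnumber = $1/crlnumber
default_md = sha256
default_crl_days = 1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# gen_crl DIR: have the CA in DIR sign a CRL (empty here) into DIR/crl.pem.
gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -keyfile "$1/ca.key" \
        -cert "$1/ca.pem" -out "$1/crl.pem" 2>/dev/null
}

# crl_signature_ok CRL CA_CERT: succeed only if CA_CERT's key signed CRL.
# The verdict line is checked instead of the exit status of "openssl crl".
crl_signature_ok() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q "verify OK"
}

# crl_issuer CRL: print the issuer name carried inside the CRL.
crl_issuer() {
    openssl crl -in "$1" -noout -issuer
}

demo() {
    work=$(mktemp -d) || return 1
    # The CA that the verifier trusts.
    new_ca "$work/real" && gen_crl "$work/real" || return 1
    # An unrelated key pair that merely reuses the same issuer name.
    new_ca "$work/other" && gen_crl "$work/other" || return 1

    echo "real  CRL $(crl_issuer "$work/real/crl.pem")"
    echo "other CRL $(crl_issuer "$work/other/crl.pem")"
    for who in real other; do
        if crl_signature_ok "$work/$who/crl.pem" "$work/real/ca.pem"; then
            echo "$who CRL: signature verifies against the trusted CA"
        else
            echo "$who CRL: signature does NOT verify against the trusted CA"
        fi
    done
    rm -rf "$work"
}

demo
```

A verifier that skips the signature step has only the issuer name to go on, and both CRLs carry the same one.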

Known issues

This release contains the following known issues.

Error messages and system startup (CR31937, CR80048, CR86695)
The system logs a set of benign error messages upon every startup. They occur because the system is requesting that the CompactFlash® media drive perform a Direct Memory Access (DMA) operation, which it is not capable of (a CompactFlash media drive can perform only programmed I/O data transfer operations). The set of error messages appears similar to the following output:

May 20 21:15:31 localhost hda: SILICONSYSTEMS INC 512MB, ATA DISK drive
May 20 21:15:31 localhost hdc: WDC WD800BB-00FJA0, ATA DISK drive
May 20 21:15:31 localhost ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
May 20 21:15:31 localhost ide1 at 0x170-0x177,0x376 on irq 15
May 20 21:15:31 localhost hda: attached ide-disk driver.
May 20 21:15:31 localhost hda: task_no_data_intr: status=0x51 { DriveReady SeekComplete Error }
May 20 21:15:31 localhost hda: task_no_data_intr: error=0x04 { DriveStatusError }
May 20 21:15:31 localhost hdc: attached ide-disk driver.
May 20 21:15:31 localhost hdc: host protected area => 1
May 20 21:15:31 localhost Chose partition table type 1
May 20 21:15:31 localhost Chose partition table type 1
May 20 21:15:31 localhost 3ware 9000 Storage Controller device driver for Linux v2.24.04.007.
May 20 21:15:31 localhost 3w-9xxx: No cards successfully initialized.
May 20 21:15:31 localhost ip_tables: (C) 2000-2002 Netfilter core team
May 20 21:15:31 localhost RAMDISK: Compressed image found at block 0
May 20 21:15:31 localhost VFS: EINVAL err on root device "UUID=e4b20eaa-b187-44b 0-b477-d3bce40166ec" - -22
May 20 21:15:31 localhost VFS: Mounted root (ext2 filesystem).
May 20 21:15:31 localhost EXT3-fs warning: maximal mount count reached, running e2fsck is recommended
May 20 21:15:33 localhost viper: Cavium FIPS non-blocking PCI driver version 2.03

IPv6 virtual servers and acceleration (CR40930)
Although Packet Velocity® ASIC (PVA) does not accelerate IPv6 virtual servers, the system includes IPv6 virtual servers in the maximum number of virtual servers that PVA can accelerate (2000).

Trunk configuration on c62 and c62a platform (CR43570)
When the BIG-IP 3400 and 3400 RoHS systems have trunks configured, the activity lights might not display as often as expected, despite data being sent over the trunk members. This is a display issue only. Data is being sent over the trunk members.

Virtual server type change (CR43770)
If you create and configure a virtual server, and then change only the Type attribute of the virtual server, the BIG-IP system might generate an error message. This occurs because the virtual server attributes are different for each type of virtual server. Changing the Type attribute of a virtual server should reset the attributes of the virtual server, including any hidden attributes, but does not. For example, you can create a Performance (Layer4) virtual server, with Connection Mirroring enabled, and a Connection Limit of 100. Then, if you change only the Type attribute of that virtual server to Performance (HTTP), the BIG-IP system hides the Connection Mirroring attribute because the attribute does not apply to a Performance (HTTP) type of virtual server; however, the Connection Mirroring attribute erroneously remains enabled, even though the attribute is hidden, causing the BIG-IP system to display an error. To correct the situation in this example, change the Type of the virtual server back to Performance (Layer4), disable Connection Mirroring, and then change the type of the virtual server back to Performance (HTTP).

Connection counts on system and server (CR44256)
The BIG-IP system's connection counts are consistently higher than the server's, as measured both by running the netstat command on the server, and by checking the server's CPU usage. This is because by default, the system does not honor the Fast L4 TCP profile's TCP Handshake Timeout setting for Packet Velocity® ASIC (PVA) assisted connections. Resulting Fast L4-assisted connections take a full timeout before the system deletes them. This explains the mismatch between the connection counts.

Transparent TCP monitors and final ACK (CR44991)
A TCP monitor in Transparent mode does not send the last acknowledgement (ACK), leaving many of its connections open. There is no workaround at this time.

Asymmetric routed connections with enabled VLAN-keyed connections (CR45694)
When VLAN-keyed connections are enabled, the BIG-IP system drops asymmetric routed response traffic that arrives on a VLAN different from the one that sent the request. For more information and a workaround, see Solution ID: SOL4604 Known Issue: Asymmetric routed connections dropped when VLAN-keyed connections are enabled.

Non-FIPS key import into FIPS system (CR45853)
If you import non-Federal Information Processing Standard (FIPS) keys to a FIPS system, and then convert the non-FIPS keys to FIPS keys, the system continues to use the non-FIPS keys until you restart the Traffic Management Microkernel (TMM) process. You can perform this task from the command line, by running the command b load.

No Nodes Available trap and log message (CR46596)
The No Nodes Available trap and No Nodes Available log message do not exist in BIG-IP version 9.x. Currently, when all nodes in a virtual server are marked down, a message is logged for each pool member of the virtual server. For example, you might see a message like this for each member of a pool on the virtual server:
Mar 24 09:01:00 bip6400 mcpd[864]: 01070638:3: Pool member 10.10.10.40:80 monitor status down.

COMPRESS::method commands in iRules (CR46701)
The iRule command, COMPRESS::method prefer [gzip|deflate], does not work correctly. To set a preferred compression method, create an HTTP profile and set the compression Preferred Method to either gzip or Deflate.

Tcl and trailing white space (CR48213)
If you have a trailing white space on a Tcl If statement, the line continuation of the Else statement breaks.

System unavailability due to low memory (CR48465)
In certain low-memory situations related to Packet Velocity® ASIC (PVA), the system can become unavailable.

FDB timeout for servers (CR49238)
The forwarding database (FDB) timeout setting on server appliance platforms is fixed at 5 minutes, regardless of the value of the setting for the bigdb variable, FDB timeout.

Static Neighbor Discovery Protocol entries (CR49467)
When you create a static Neighbor Discovery Protocol entry, the bigpipe utility displays the entry as incomplete, and if there is already a non-static entry, the entry is not replaced by the static entry.

Object keys change (CR50019)
If an object has two or more distinct configuration keys (attributes), you cannot change one of the keys without changing all of the keys. Doing so causes the BIG-IP system to generate an error indicating that the object cannot be found. For example, if you try to rename a VLAN without also changing the VLAN ID, you receive an error. It is also important to note that if you do not change all of the keys prior to upgrading to 9.4.x, the configuration might fail to load on startup due to the above-mentioned error condition.

CVE-2005-2096 zlib vulnerability (CR50275, CR67065)
The zlib compression library, versions 1.2 and later, allows remote attackers to cause a denial of service (crash) using a crafted compressed stream with an incomplete code description of a length greater than one, which leads to a buffer overflow. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2096 to this issue. For more information about this issue, see CVE-2005-2096.

Priority of an STP bridge (CR51039)
If you change the priority of an STP bridge, the change may cause an unstable STP topology until the new root bridge converges and the maximum age time is reached.

Tagged status of VLAN members (CR52674)
If you attempt to swap the tagged status of two interfaces that are members of separate VLANs, the connectivity between the VLANs breaks. For an example of a workaround for this issue, see Swapping the tagged status of VLAN members.

RAM Cache for HTTP profiles (CR54077)
If you create an HTTP profile that uses the RAM Cache feature, and you configure the URI Caching attribute with an empty URI Exclude List, the BIG-IP system caches data from all URIs. To work around this issue, you can create a data group (class) of cacheable items and use the commands CACHE::enable or CACHE::disable in an iRule. For an example of a workaround for this issue, see Configuring RAM Cache for an HTTP profile.

HTTP/0.9 statistics and application security (CR54221)
In the system statistics, the BIG-IP system reports any HTTP/0.9 requests that it sends to Application Security Manager as HTTP/1.0 requests. The system also reports the responses to those requests as HTTP/1.0 responses.

Standby Link Downtime feature for redundant systems (CR54343)
If the Failover.Standby.LinkDownTime bigdb configuration key is set to a value that is much larger than the Failover.NetTimeoutSec configuration key, problems can occur with the system. You can work around this problem by setting Failover.Standby.LinkDownTime to 1, and Failover.NetTimeoutSec to 5. To disable the Standby Link Downtime feature, use the default settings, by setting Failover.Standby.LinkDownTime to 0 and Failover.NetTimeoutSec to 3.

SSL certificate chains and compat ciphers (CR54400)
The SSL certificate chains that the BIG-IP system constructs for compat ciphers do not include the certificates specified by the chain attribute of the SSL profile. Therefore, when the BIG-IP system negotiates a compat cipher, a user may receive warning dialogs when connecting to SSL virtual servers.

Selective compression iRules (CR54676)
If you add a selective compression iRule to a virtual server, and the virtual server references an HTTP profile with compression enabled, the BIG-IP system ignores the compression-related profile settings, and does not issue a warning or error. There is no workaround for this condition.

Media type (CR54835)
When you set the media type on the Ethernet or fiber port of a BIG-IP 8400 system, the link fails momentarily. The workaround is to leave the media setting at its default value of Auto.

System response on 302 responses into http/compress profile (CR54923)
The system occasionally responds incorrectly when a 302 error is received into an http/compress profile. The exact behavior depends on system configuration. To resolve this issue, add an iRule that avoids compression when a 302 error is received.

Learned routes (CR55554)
When you use the bigpipe route show command, the system displays the routes learned by the ZebOS® Advanced Routing Modules as interface routes, instead of as gateway routes.

Media settings on disabled interfaces (CR55857)
You cannot change the media setting on a disabled interface. If you want to change the media setting on an interface that is currently disabled, you must first enable the interface manually, using the bigpipe interface x.x enable command, and then change the media setting. You can then disable the interface again, using the bigpipe interface x.x disable command.

L7 mirrored connections after restart and failover (CR55926)
If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.

Loss of links on SFP modules (CR56019, CR74013)
For D62/C62 systems, the system sometimes does not detect the loss of a link on SFP modules that are set for autonegotiation. You can work around this in software by removing the ports from the linkscan and manually enabling and disabling them.

Persistence profiles on virtual servers (CR56817)
When using the bigpipe utility to create a virtual server to which you assign a persistence profile, you might see a misleading error message. Please see the Configuration Guide for BIG-IP® Local Traffic Management for help in creating a virtual server with the appropriate profiles for the type of persistence that you want to configure.

Mirrored connections on certain platforms (CR56874)
On certain platforms, when the active unit of a BIG-IP redundant system with mirrored connections is under heavy load, the send buffer backs up. There is no workaround for this issue.

Restarts using the bigstart restart command (CR56902)
When you restart the system using the bigstart restart command, pool members and nodes that the system marks as active are not immediately active. It may take 15 seconds or more for the system to bring these objects to an active state.

Active/inactive status difference in 9.x and 4.x (CR57309, CR66317)
In version 4.x, the output from the b pool show command showed the active or inactive status of a pool member based on priority and minimum active members, among other things. On version 9.x, even if a pool member is inactive due to its priority, the b pool show command displays it as active, which is not what version 4.x does. This is incorrect behavior. A node should be shown as active if all of the following conditions are met:

  • The node is enabled.
  • Monitoring shows that the node is healthy.
  • Traffic on the node is below its connection limit.
  • The node has high enough priority based on its number of active members.

tcpdump utility and counter increments (CR57457)
If a switch interface drops an ingress packet based on a no-forwarding decision, the relevant drop counter increments correctly only when the interface is utilizing the tcpdump utility.

MCP validation and incomplete base authentication profiles (CR57482)
Master Control Program (MCP) validation improperly allows a virtual server to reference an incomplete base authentication profile. Such profiles (for example, a stock ssl_ocsp profile without the config attribute set) should not be referenced by a virtual server.

Transparent HTTPS monitor support (CR57570)
This version of the software does not support transparent HTTPS monitors. When you create an HTTPS monitor, the Transparent option is not available.

iRules for server-side events (CR58667)
If you create an iRule for a server-side event, such as HTTP_RESPONSE, you must specify the clientside context when specifying the HTTP::disable command.

Memory use and TMM (CR58673)
Certain iControl operations (such as requesting a list of nodes and then statistics for those nodes) can trigger significant memory pressure, which causes the Traffic Management Microkernel (TMM) to stop running until resources are recaptured. You can work around the problem by increasing the amount of memory allocated to the host. TMM ordinarily leaves 224 MB for the host; increasing memory to 256 MB alleviates the problem.

Compat ciphers and SSL renegotiations (CR58838)
If you use the SSL::renegotiate command or renegotiation timers with compat ciphers, the ServerSSL mid-connection renegotiations fail. If you use compat ciphers, we recommend that you avoid using the SSL::renegotiate command or renegotiation timers.

Alternative to configuring a fallback host (CR59122)
If you configure a fallback host in an HTTP profile, in some cases the BIG-IP system sends a fallback redirection to the client. To work around this issue, create an iRule to designate the correct fallback host.

Pool rename by editing the bigip.conf (CR59739)
If you rename a pool by editing the bigip.conf file, and then reload the configuration file using the bigpipe load command, the system stops monitoring all members of the pool. To resume monitoring of the pool members, perform a second load of the configuration file.

Persistence and pool member selection (CR60667)
If you configure cookie persistence, and you use an iRule to select pool members directly (for example, you use the iRule command pool <name> member <a.b.c.d>), the BIG-IP system does not insert a cookie into the server HTTP response. The result is that the connections do not persist to the selected pool member.

Resetting statistics for trunks (CR60740)
If you use the Configuration utility to refresh trunk statistics, you might receive this error message: An error has occurred while trying to process your request. If you have only one trunk, the system clears the statistics for the trunk, even if you receive the error message. If you have multiple trunks, the system clears the statistics for the first trunk, and then you receive the error message.

To view or refresh the trunk statistics, use the following commands:

  • To display trunk statistics use bigpipe trunk <trunk name> show
  • To reset trunk statistics use bigpipe trunk <trunk name> stats reset

ARP entries not on a local network (CR60747)
The system validation code does not prevent you from manually adding illegal address resolution protocol (ARP) entries to the ARP table.

VLAN group forwarding (CR61021)
When forwarding packets through a VLAN group, the system performs a route lookup to determine the next-hop when establishing new traffic flows. If you set the VLAN group's Transparency Mode to Opaque, the system responds with its own Media Access Control (MAC) address to Address Resolution Protocol (ARP) requests for hosts on other VLAN group member VLANs. If the destination IP address is on a different subnet than the source address, then the next-hop the system obtains might not match the next-hop the originating host intended to send the traffic to, for example, when you have a host that sends traffic through a gateway or firewall to an IP address in a subnet that is directly connected to the system. If the next hop to the destination is not in the VLAN group on which the packet was received, the system drops the packet. You can work around this issue by setting the VLAN group Transparency Mode to Translucent or Transparent.

RAM Cache functionality and the WebAccelerator system (CR61475)
When the WebAccelerator system is licensed and enabled on the BIG-IP system, do not enable the RAM Cache feature in an HTTP profile that you associate with a virtual server handling the accelerated traffic. Enabling the RAM Cache feature in this situation can have an adverse effect on that traffic.

Fast HTTP virtual servers (CR62049)
In the Configuration utility, when you select Performance HTTP from the Type field of the New Virtual Servers screen, the Connection Limit field is available; however, any entry you make in that field is invalid and ignored.

Imported certificates and system load (CR62066)
If you import a new certificate using the Local Traffic >> SSL Certificates >> Import SSL Certificates and Keys screen of the Configuration utility, you must run the bigpipe load command to load the new certificate. If you do not run the bigpipe load command, the profiles that reference the certificate do not use the new certificate.

Unreachable pool members (CR62101)
If you simultaneously add a new, unreachable member to a pool while removing an existing, available member from the pool, the system might not accurately report pool-member availability. That is, the BIG-IP system correctly marks the inactive pool as down, but might not accurately evaluate the minimum number of available pool members. This can occur because the system does not correctly evaluate the state of the deleted member. To work around this issue, do not add and remove members in the same operation.

Thumb drive installation (CR62235)
You cannot successfully transfer the BIG-IP system installer from a 3400, 6400, or 6800 system to a DataTraveler II, Model DTI, thumb drive with firmware revision 1.00. To work around this issue, plug the same thumb drive into a system running Microsoft Windows, and then load the BIG-IP system CD into the Windows system. You can now perform the transfer of the BIG-IP system installer (umdinstall.exe) to the thumb drive. You can find umdinstall.exe in the \windows directory of the CD.

Default monitors associated with pools, pool members, or nodes (CR62569)
The default monitors might not function correctly with every pool, pool member, or node, because an attribute necessary for the pool, pool member, or node is not configured in the default monitor. For example, the value of the Receive String setting in the default HTTP monitor is blank. To work around this issue, use the default HTTP monitor to create a new, custom monitor and specify a receive string. Then, you can associate that monitor with the pool, pool member, or node that you want to monitor.

iRules and configuration file load (CR62706)
When you use the bigpipe load command, the BIG-IP system sometimes reformats iRules that are specified in the bigip.conf file. Specifically, the system sometimes removes leading comments and blank lines, adversely affecting the readability of iRules in the bigip.conf file.

OneConnect with the Cookie persistence profile (CR62806)
If you use a Cookie persistence profile, and Keep-Alives are enabled on the back-end server, you must also configure a OneConnect profile. Otherwise, the system persists Keep-Alive requests to the node to which the first HTTP request in the Keep-Alive session was load balanced, and ignores any subsequent cookie.

PVA connection statistics (CR62885)
When you use the Configuration utility to view Packet Velocity® ASIC (PVA) statistics for virtual servers, statistics display in the Bits and Packets columns, but the Current, Maximum, and Total columns display zeroes. To view accurate PVA statistics for a virtual server, use the bigpipe utility to run the bigpipe profile virtual <virtual server key> stats show command.

Objects that do not reside in partitions (CR63027)
You cannot create an object in a partition, unless it is an object that must reside in a partition. For example, you cannot create a VLAN or a self IP address in a partition.

TCP::release and TCP::collect commands (CR63722)
If you use the TCP::release command in a CLIENT_DATA event, and then use the TCP::collect command to collect a specific amount of data, the Traffic Management Microkernel (TMM) service becomes unavailable. To avoid this issue, use the TCP::collect command without an argument, and then use logic to determine whether enough data has been collected in the CLIENT_DATA event.

Log messages for pool members in certain states (CR63775)
After rebooting the BIG-IP system, the log file does not display pool members that are in the forced down or down waiting man up states.

Trunk.Internal.FFP database variable (CR64209)
On the BIG-IP 8400 and 8800 systems, if you set the database variable, Trunk.Internal.FFP, to Disabled, clustered multi-processing (CMP) does not work, and traffic across external trunks might stop working.

Node and pool member status (CR64214)
After you designate a server as a node, you can add the node to a pool as a pool member. When you delete the pool containing the node, the node still exists in its original partition. If you attempt to use that node in a different partition, the system presents an error.

Management IP address update (CR64230, CR81351)
If you use the management port of the BIG-IP system to browse to the Configuration utility, and you change the IP address of the management port, you must immediately browse to a screen other than the Platform screen. Alternately, you can click the Update button before you submit the request to change the management port IP address.

Heartbeat option on the LCD panel (CR64270)
The heartbeat option on the Options menu on the LCD panel controls display of the heartbeat on the LCD screen. This heartbeat indicates whether the switch card control processor (SCCP) is running on the system. This heartbeat does not affect the failover mechanism of the system.

PVA virtual statistics frames display when using the tcpdump utility (CR64545)
When you use the tcpdump utility on an external VLAN, the BIG-IP system displays Packet Velocity® ASIC (PVA) virtual statistics frames (for example, 0xf6f6 frames). This message is benign.

Multiple tcpdump operation cancel (CR64564)
Running the tcpdump utility on several interfaces simultaneously, and then canceling the operation might initiate a failover operation. This is because the system halts the heartbeat update while it cancels the tcpdump operation and performs cleanup afterward. To work around this issue, do not cancel tcpdump operations on multiple interfaces.

SSL validation errors (CR64709)
When the SSL key pairs and certificates for a connection do not match, the BIG-IP system returns this error message: BIGpipe client SSL profile modification error: 01070317:3 profile clientssl's key and certificate do not match. This is a general message, and it is not specific to the system or circumstance.

System behavior when describing a partition (CR64832)
The system does not support the plus ( + ) or equals ( = ) characters in the Description field of a partition. When you use the plus character, the system replaces it with a space. When you use an equals character, the system deletes the character and removes any content that precedes it. To work around this condition, do not use the plus or equals characters in a description of a partition.

SNATs, SNAT pools, and partitions (CR64876)
SNAT pools reside in partitions. However, SNATs do not reside in partitions. When you use the Configuration utility to create a SNAT pool, the Configuration utility indicates that you are within a partition, and the SNAT pool resides in that partition. When you use the Configuration utility to create a SNAT, the Configuration utility indicates that you are within a partition; however, the SNAT does not reside in the partition.

Partition delete (CR65068)
You can delete all partitions except for the Common partition. If you want to use the Configuration utility to delete all of the partitions you have created, access the System >> Partitions screen. Then, click the Select All box (which selects all of the partitions in the list), and be sure to clear the Select box next to Common. If you do not clear the Select box next to Common, the system attempts to delete the Common partition and you receive an error.

Pool information on the command line (CR65288)
If you try to display information about all the members in a set of pools at the same time using the bigpipe pool <name> <name> ... members all show command, the system displays only the members of the first pool in the list. You can display pool information for one pool at a time.

Application security with wildcard virtual servers and pools (CR65341, CR66193)
If you configure a wildcard virtual server (* All Ports) or a wildcard pool (* All Services), and you are using an application security class on the virtual server, you must enable the port translation and address translation settings on the virtual server. If you do not enable these settings, the system does not properly route traffic through the Application Security Module. To enable port translation and address translation for a virtual server, see the workaround, Enabling port translation and address translation.

Note: For more information about wildcard virtual servers and wildcard pools, see the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the Ask F5 Knowledge Base web site.

Results of large persistence table (CR65405)
If the persistence table of the BIG-IP system contains too many records, the Configuration utility cannot display the persistence records. If you attempt to retrieve the persistence records on a system with a large persistence table, you receive a general database error. You can use the bigpipe utility to display, filter, or capture these records using the bigpipe persist command.

resolv.conf file changes (CR65533)
If you use the Configuration utility to make changes to the resolv.conf file, you must restart the HTTP service; only after the restart does an Apache PAM authentication system recognize the changes you made. To restart the HTTP service, use the bigstart restart httpd command.

Clock advance messages (CR65566)
The BIG-IP 8400 system intermittently reports the following message, 01010029:5: Clock advanced by XXXX ticks. This message is benign.

listen rule command (CR65899)
When using the listen rule command, the local variables of the connection are not available within the argument braces. You must either always use literal values or use global variables.

Loose connection limits on the BIG-IP 8400 and 8800 platforms (CR66127)
We do not support a connection limit on a virtual server that is less than the value of the tmm_cmp_size variable. For example, on the 8400, the value of tmm_cmp_size is 2; therefore, do not set the Connection Limit on a virtual server to 2M or less, because the limit is not enforced. On the 8800, do not set the Connection Limit on a virtual server to 4 or less. If the virtual server must handle low connection limits, you can disable clustered multi-processing for the virtual server.

bigpipe interface mgmt show all command (CR66757)
The bigpipe interface mgmt show all command reports the correct flow control for the management interface, but then indicates that the reported value is an error. The error report is benign.

Client SSL profile and Cipher server preference (CR66797)
When you configure a Client SSL profile, enabling Cipher server preference in the Options List has no effect, because this option is always active.

RAM Cache settings on HTTP profiles (CR66867)
You can enable the RAM Cache setting on HTTP profiles; however, it is important to remember that even when these profiles reside in different partitions, they share resources (such as memory, which is limited).

Status/log message for pool member (CR66913)
The system generates incorrect pool member and node status if multiple monitors are associated with pool members or nodes. The system sends log messages with each status report. When multiple monitors are associated with pool members or nodes, the first monitor might report a node unavailable, and the second might report the same node as available. If your configuration uses log messages to respond to unavailable pool member or node messages, the response is incorrect, even though the system message is correct.

Primary failover address and the management IP address (CR67008)
You cannot configure the primary failover address to use the same address as one on the management network. You should use the failover VLAN instead. When you use the management network, at restart the system generates the following message in /var/log/ltm:
BIGpipe: management IP address modification error:
01070696:7: The state mirroring address, statemirror.ipaddr, 12.90.20.3 may not be on the same network as the management port

Link local addresses on VLANs (CR67033)
You can manually add a link local address to one VLAN. However, if you attempt to add a link local address to a second VLAN, the system presents an error. There is no workaround for this issue.

Hardware baud rate (CR67164)
The BIG-IP system does not support a baud rate of 38400.

bp load command on disabled interface (CR67232, CR67811)
If you run a bigpipe load command while an interface is disabled, the disabled interface goes down. The problem is that the process sets the media type incorrectly. You can issue the command b interface xxx media auto to fix the interface, or you can issue a bigstart restart command to re-enable the interface.

HTTP monitors for pool members (CR67348)
By default, you cannot enable HTTP monitors for a pool member for which the Service Port is set to All Services. However, you can enable an HTTP monitor for this type of pool member if the pool also has a pool member for which the Service Port is set to All Services. Please note that in this situation, if you remove the pool member for which the Service Port is set to All Services, the BIG-IP system marks that pool member as up even when the HTTP service is down. This behavior persists after a reboot of the system.

Interface media options (CR67429)
The results of the bigpipe interface media show command may show an SFP media option for a copper fixed port in error, but showing this option for a non-shared SFP port is correct.

Administrator account update (CR67609)
If you use the command line interface to assign a user the Administrator role and assign access only to the bigpipe shell, and later update the same user account using the Configuration utility, the BIG-IP system automatically grants that user access to the system prompt (bash shell).

User account creation (CR67672)
If you use the bigpipe user command to create a user account, be sure to use the correct syntax so that you do not inadvertently add an incorrect user. We suggest that you run the bigpipe user list command after you create a user account, to verify the accounts you created. Another option is to use the f5adduser command at the BIG-IP system prompt to add a user account.
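An added example (not part of the release note and not F5 tooling) for the two account issues above, CR67609 and CR67672: it compares two passwd-format snapshots taken before and after an account change and reports accounts that appeared unexpectedly or whose login shell changed to a system shell. It assumes that local accounts and their login shells are visible in passwd-format files that you capture yourself; the account names, shell paths, and file names are constructed.

```shell
#!/bin/sh
# Added example: report new accounts and login-shell changes between two
# passwd-format snapshots (user:pw:uid:gid:gecos:home:shell).

# Shells treated as system-prompt access (assumption; adjust for your system).
SYSTEM_SHELLS="/bin/bash /bin/sh"

# account_changes BEFORE AFTER
# Prints one line per finding, in the order the accounts appear in AFTER:
#   NEW <user> <shell>                 account exists only in AFTER
#   SHELL <user> <old> -> <new>        shell changed to a non-system shell
#   ESCALATED <user> <old> -> <new>    shell changed to a system shell
account_changes() {
    awk -F: -v shells="$SYSTEM_SHELLS" '
        BEGIN {
            n = split(shells, s, " ")
            for (i = 1; i <= n; i++) sys[s[i]] = 1
        }
        # Skip comments and malformed lines.
        /^#/ || NF < 7 { next }
        # First file: remember each account and its shell.
        FILENAME == ARGV[1] { before[$1] = $7; next }
        # Second file: account was not present before.
        !($1 in before) { print "NEW " $1 " " $7; next }
        # Second file: account existed but its shell differs.
        before[$1] != $7 {
            tag = ($7 in sys) ? "ESCALATED" : "SHELL"
            print tag " " $1 " " before[$1] " -> " $7
        }
    ' "$1" "$2"
}

# write_sample_snapshots DIR
# Writes constructed sample data: opsadmin starts with a restricted shell
# (path is illustrative) and ends with bash; opsadmn is a mistyped account
# that was added by accident.
write_sample_snapshots() {
    cat > "$1/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
opsadmin:x:0:500:ops admin:/home/opsadmin:/bin/bpsh
monitor1:x:501:500:read only:/home/monitor1:/bin/false
EOF
    cat > "$1/passwd.after" <<'EOF'
root:x:0:0:root:/root:/bin/bash
opsadmin:x:0:500:ops admin:/home/opsadmin:/bin/bash
monitor1:x:501:500:read only:/home/monitor1:/bin/false
opsadmn:x:502:500:typo account:/home/opsadmn:/bin/false
EOF
}

# When called with two snapshot paths, compare them.
if [ "$#" -eq 2 ]; then
    account_changes "$1" "$2"
fi
```

Take the first snapshot before the account is created or edited and the second afterward, then review every ESCALATED and NEW line against the change you intended to make.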

System mode change and reload (CR67716)
If you use the command line interface to change the system mode from Multiple Spanning Tree protocol (MSTP) to another mode and then back again, you must run the bigpipe base load command.

USB mass storage device installation and quit (CR67819)
When loading the installation image onto a USB mass storage device, the system does not offer an option to cancel or quit the umdinstall.exe program once it starts. To cancel or quit the installation, when the system returns the message Press ENTER when ready., press CTRL + C instead.

D35 system upgrade (CR67847)
When you install an upgrade on BIG-IP 520/540 (D35) systems, messages might stop displaying on the console, even as the installation continues. It can take up to 20 minutes for the installation to complete and the system to reboot. After the system reboots, check the software version on the machine. The installation completes successfully, despite the missing dialog on the console.

Remote users as local users (CR67912)
If a remote user, who does not have a local user account on the BIG-IP system, logs into the system, an administrator cannot subsequently add that user to the system as a local user. For an example of a workaround for this issue, see Adding remote users as local users.

HTTP::header exists expression (CR68246)
Do not use the HTTP::header exists expression to evaluate headers that can have a blank field value. If the value field in a header is not set, and you use the HTTP::header exists expression to try to identify the header, the expression does not find a match. This leads to undesired behavior in an iRule that expects to find a header.

Static Layer 2 forwarding database entries on trunks (CR68584)
The syntax of adding a static Layer 2 forwarding database entry on a trunk is slightly different from adding a static Layer 2 forwarding database entry to a VLAN. You can run the following command to add or delete a static Layer 2 forwarding database entry on the trunk:
b vlan <vlan_name> fdb <mac_address> trunk <trunk_name> add|delete
For example:
b vlan coppervlan2 fdb 00:E0:81:25:3A:32 trunk coppertrunk2 add

You can run the following command to add or delete a static Layer 2 forwarding database entry on a VLAN interface:
b vlan <vlan_name> fdb <mac_address> interface <interface_name> add|delete
For example:
b vlan external fdb 00:E0:81:25:3A:31 interface 2.1 add

Limited Transmit Recovery and system shutdown stalls (CR68618)
If you enable Limited Transmit Recovery in a TCP profile, certain traffic patterns might cause the system to ignore TCP-FIN packets. This might cause a stall in the system shutdown process. You can work around this issue by disabling Limited Transmit Recovery in the TCP profile.

Baud rate change (CR68644)
If you change the baud rate of the system from the switch card control processor (SCCP), the change does not display on the LCD menu on the unit. We recommend that you change the baud rate of the system either from the LCD menu on the unit, or using the bigpipe hardware baud rate command from the command line interface.

Deprecated variables (CR68720)
These variables are deprecated: Compression.Strategy and Compression.Tmm.MaxCPU.

Software upgrade and invalid Service Check Date (CR68795)
If you manually roll forward the system backup configuration file, *.ucs, and the file contains a license with an invalid Service Check Date, the system may become inoperative due to the invalid license. Note that if the manual roll forward of the system backup configuration file replaces the system license with the license in the *.ucs file, you receive this message on the console: Replacing the system's license file.... If the license on the system is not replaced, no message displays.

Removing an HTTP Class profile from a virtual server (CR68801)
If you assign an HTTP Class profile to a virtual server in order to make the WebAccelerator system active, and then later remove the profile, the Local Traffic Manager logs a Tcl error for any subsequent traffic.

Installing and rebooting the BIG-IP system (CR68834)
After you run the installation on the BIG-IP system, you reboot the system. On the first reboot, after the installation, you may see negative timestamps in the tcpdump utility. To correct the timestamps, use the bigstart restart command to restart all processes.

Client SSL profile (CR68842)
When creating a Client SSL profile, do not use the Immediate option for Cache Timeout. Although the Immediate option displays in the Cache Timeout list, it is not a valid option.

Partition change (CR68843)
You cannot move an object from one partition to another. You must delete the object and recreate it in another partition. If you try to move an object from one partition to another, you receive an obscure error message.

Indefinite SSL session cache timeout (CR68996)
Setting a client SSL profile cache timeout to Indefinite has the opposite effect: sessions are never resumed. In this release, the longest period you can set the cache timeout to is one day.

bigpipe base load command (CR69045)
If you run the bigpipe base load command from the command line interface, even if configuration load is successful, you may see this error message in the log file: Monitor to delete external does not exist.

Object name display (CR69266)
When you use the command line to display the names of objects, use the bigpipe <object_type> list or bigpipe <object_type> show commands. Do not use the bigpipe <object_type> all name command, because the system returns an error.

bigpipe unknown operation error (CR69458)
When you use bigpipe commands to perform user operations that result in an error, for example, errors due to partition access permissions, the message, bigpipe unknown operation error: displays before information specific to the error.

log rule command (CR69502)
The log rule command limits the log messages that the BIG-IP system sends to Syslog. To ensure that the system displays all log messages, use the log <facility> <msg> command to directly specify the log facility.

Compression at high concurrence (CR69530)
If you want to set up a BIG-IP system to handle compression at high concurrence, you can create a standard HTTP profile containing compression settings that reduce memory utilization or otherwise aid with concurrence. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management.

Statistics process halt (CR69604)
If a BIG-IP system process that is accessing statistics is interrupted, you might receive the following message: LTM log - mcpd[20912]: 01070718:4: Unexpected proxy reply from %TMM. Similarly, after you receive the results of a requested operation, but the requesting process has finished, you may receive the same message.

Partition create and name (CR69614)
When you create a partition, enter a name that contains only letters, numbers, and any of the following special characters: underscore ( _ ), period ( . ), and dash ( - ).

Manager and Application Editor access to default node monitor (CR69634)
Users assigned the Manager and Application Editor roles, who have access to either all partitions or only one partition, can disable the default node monitor. Be aware that this means that users can impact the status of the nodes in a partition to which they do not have access.

bigpipe hardware baud rate (CR69676)
If you run the bigpipe hardware baud rate <integer> command on the BIG-IP 6400 platform, you might receive an error message even if the operation was successful.

iRules and bad mask value in persist simple <mask> command (CR69706)
The system does not prevent you from specifying an invalid mask value when using the persist simple <mask> command in iRules. If you specify an invalid mask value, the system does not warn you or prevent you from doing so.

Operator role and settings on redundant systems (CR69708)
Users with the Operator role can only enable or disable nodes and sessions. However, these users cannot perform ConfigSync operations, so those settings are not updated to the other unit in a redundant system. The workaround is to make such changes on both systems, or have an Administrator-type user perform the changes and ConfigSync operation.

Last hop pool maximum member (CR69976)
The last hop pool cannot contain more than two members. Therefore, do not add more than two members to a last hop pool.

CA certification support (CR70002)
When using the SSL client profile with Certificate Authority (CA) authentication, the system authenticates only the first six levels of certificates. This situation typically occurs only when a client attempts to authenticate to the SSL client profile with not only its own certificate, but its ancestors' certificates as well.

Regsub command and UTF8 codes translation to unicode (CR70017)
When creating an iRule, the regsub command translates UTF8 code characters into Unicode. To prevent this translation, use the regexp and expr commands instead.

Reset statistics and the Audit log (CR70039)
When you reset statistics for an object, the system does not update the Audit log with the reset action.

Reboot System option and unknown network interface (CR70101)
If you use the Reboot System command from the CD boot menu and the network interface for the system is unknown, the command fails. To reset the system, use the reset switch.

Manager role with limited access and reset status operations (CR70116)
If you attempt to perform operations with a user account other than Administrator, the system returns an error. Depending on the account's access rights, the message may be misleading. For example, if you log on as local_manager (a Manager account with access to a specific partition), and you try to reset global statistics using the bp>conn all delete command, the system returns the following error:

 BIGpipe unknown operation error:
    0107071b:3: Access denied: user (local_manager) does not have permission to 
reset global statistics, user must be an Administrator or be a Manager with 
a universal role.

Although the message implies that a Manager account with universal access could reset global statistics, that is incorrect. In fact, only Administrators can reset global statistics; Managers with a universal role cannot. The system presents messages with similar misleading text in other areas as well, including IP statistics and ICMP statistics.

Network address translation rule delete (CR70129)
When deleting network address translation (NAT) rules, the BIG-IP system might still apply the rule in rare circumstances.

Dependent daemons and the bigstart restart command (CR70151)
The man page for the bigstart restart command is incorrect. The bigstart restart command does not restart dependent services; it only restarts the services required for the BIG-IP system functionality.

Monitor attributes and the command line (CR70180)
You cannot disable the following monitor attributes from the command line: transparent, reverse, and manual resume. To disable these attributes, use the Configuration utility.

VLANs with self IP addresses: deletion order (CR70470)
When you delete a VLAN that has a self IP address, the system correctly generates an error message, but lists a self IP address of 0, instead of the actual self IP address. To avoid this situation, delete the self IP address before deleting the VLAN.

Multiple ConfigSync operations and low memory (CR70483)
If multiple, consecutive config sync operations (over 300) occur, system memory is reduced. In addition, the system can also fail to import keys. This issue rarely occurs, as such large numbers of consecutive config sync operations are highly uncommon.

IPv6 address change and routing table update (CR70575)
When you add the MGMT IP address to the system as an IPv6 address, and then modify or remove it, the BIG-IP system might not update the routing table entry for that address, which can cause misdirected packets.

Fast L4 profiles, iRules, and Packet Velocity virtual server acceleration (CR70618)
For virtual servers that use a Fast L4 profile and have iRules configured, the Packet Velocity® ASIC (PVA) might report the incorrect acceleration mode. Additionally, the PVA might try to accelerate connections that cannot be accelerated. This occurs when you use the connection rebind or clone pool options.

bigpipe conn <ip address> delete command operations (CR70656)
The bigpipe conn <ip address> delete command, when used alone, might not function. The syntax for this command is b conn (client|server) 172.24.67.10:32773 delete; that is, this command works as expected if you insert the word client or server before the IP address, for example:

b conn client 172.24.67.10:32773 delete

Multiple default routes in external VLAN and automatic licensing (CR70793)
If you add multiple default routes to the external VLAN, automatic licensing ceases to function. To re-enable automatic licensing, remove the default route from the VLAN.

WebAccelerator system installation (CR70920)
When installing the BIG-IP system, you cannot select an option that installs both the Local Traffic Manager and the WebAccelerator system. For information on installing the WebAccelerator system, see the BIG-IP® WebAccelerator System Version 9.4.2 release notes, available on the Ask F5 Knowledge Base web site.

Virtual IP address on tagged VLAN and packet loss (CR70962)
If you have a fully-accelerated virtual IP address enabled on a VLAN with tag 1, the system demotes the IP address; this can cause dropped packets. To resolve this issue, manually demote the virtual IP address.

Thumb drives and the BIG-IP 8400 or 8800 platform (CR70979)
If you plug a thumb drive into a BIG-IP 8400 or 8800 platform while the system is initializing the devices, any process that depends on mounting a local file system has problems. To avoid this issue, wait until the system completely boots up before you plug in the thumb drive. Also note that if you plan to boot from the thumb drive, you must plug it in before you power on or reset the system.

Configuration synchronization using remote user account (CR70985)
If you assign authorization properties locally for a remote Administrator account and then set the authentication source to Local, the user name correctly appears in the list of allowed ConfigSync users. However, remote authentication fails when users type their remote passwords.

IPv4 addresses and mapping to IPv6 addresses (CR71005)
The bigpipe utility stores all IP addresses as IPv6 addresses. Therefore, entering 172.16.19.1 is exactly the same as entering ::ffff:172.16.19.1. However, using the IPv4 address causes a bigpipe command parsing error.

Command line response with actively logged on user (CR71007)
If users are logged on to the command line when the system administrator changes their partition roles, the system does not respond to the change. To work around this issue, ask users to log out, and then log back in after you make the change.

System response with actively logged in user (CR71012)
When the system administrator changes a partition role for a user who is logged in, the system takes 20 to 30 seconds to respond to the change.

Failover IP address or peer IP address reset (CR71153)
Resetting the failover.ipaddr or failover.peeripaddr bigdb variables to the default value of :: does not reset these values in the memory. This includes when you use the Configuration utility to change these addresses. To work around this issue, set the failover.ipaddr or failover.peeripaddr variables to a specific IP address instead.

b4encode iRule command (CR71221)
The system cannot properly decode the results of the iRule command, b4encode [SSL::cert 0], because the iRule command incorrectly translates the string 0x00 to 80co.

HTTP connections with caching and mirrored connections (CR71269)
Mirroring HTTP connections with caching sometimes fails. Failover sometimes resets the existing mirrored connection.

Access denial error messages (CR71319)
The BIG-IP system returns inconsistent error messages to users who attempt to manage objects in a partition to which they do not have access. These error messages vary, depending on the specific type of access they attempt.

Related connections when no server-side connection exists (CR71326)
If you attempt to set up a related connection without already having a server-side connection in place, the system restarts. This occurs when you use the following commands: cmd_relate, flow_relate_clientside, and flow_relate_serverside. To work around this issue, make sure that the server-side connection exists before setting up a related connection.

SMTP monitors and node status in systems under load (CR71397)
The SMTP monitor reports wrong node status intermittently when the system is under load. Because of how SMTP works, the system swaps out monitoring processes on a system under load, so the process fails to report node status in time. This can cause nodes to be incorrectly marked unavailable. To work around this issue when monitoring a large number of nodes, you can use a TCP monitor that sends a HELO message and expects back a 250 string. As an alternative, you can increase the monitoring interval.

Authentication filters and command line or Configuration utility changes (CR71444)
If you define authentication filters on the command line, and later try to change the authentication type using the Configuration utility, the defined filter remains, and authentication does not work correctly. Therefore, we advise you to configure all remote authentication settings either using the Configuration utility or from the command line, but not both.

Buffer size for bigpipe shell (CR71445)
If the buffer for the bigpipe shell fills up (that is, if you enter more than 1021 characters before you press Enter), the shell no longer accepts characters. You must press Ctrl+D to exit the shell.

Related client function in iRules (CR71451)
The iRules global command relate_client does not function properly. Do not use this command in an iRule that you create.

Install and other utilities and mounted partitions (CR71507)
Currently the installer and other utilities such as audit and switchboot mount and unmount various partitions. If you are running these utilities concurrently, you might encounter unexpected results. For example, one utility might unmount a partition that another utility needs, or a partition might be left mounted even though no utility needs to use that partition. To work around this, run only one of these utilities at a time.

Out-of-space condition on successive ConfigSync operations (CR71529)
Running successive ConfigSync operations on the BIG-IP 2400, BIG-IP 5100, or BIG-IP 5110 platforms can result in an out-of-space condition. To work around this issue, set the configuration rotation to 1.

Cookie rewrite and extra header (CR71665)
If you select the HTTP Cookie Rewrite option from the Cookie Method list in a Cookie Persistence Profile, the system rewrites the cookie with an extra header. There is no workaround for this issue.

Partner switch activity indicator (CR71696)
On power-up, the partner switch activity indicator on the BIG-IP 6400, BIG-IP 8400, and BIG-IP 8800 platforms may blink rapidly. This affects Ethernet ports (but not fiber ports) that are connected to partner switches. Once the switch driver configures the switch, the erroneous flashing stops, and the link and activity indicators respond as expected.

User name case-sensitivity (CR71702)
The system no longer prevents you from creating user names that differ only by case (for example, david and DAVID). F5 Networks might re-instate case-sensitivity in a future release.

iControl LocalLB::Class::modify_string_class message (CR71705)
If you use the iControl command LocalLB::Class::modify_string_class on a class you created with iControl or with the bigpipe utility, the system returns an error, indicating that the request string class member <class_member> was not found. The workaround is to use the delete_class command with the name of your class, then pass to the create_string_class command the exact argument you would have passed to the modify_string_class command.

Pause control value changes on a disabled interface (CR71861)
If you use the bigpipe interface <interface_name> pause command to change the pause control values, and the interface is disabled, the system does not restore the settings when the interface is subsequently enabled. This may result in requested mcpd values that do not match the switch values. To work around this issue, make sure the interface is enabled when you change the pause control value.

Asymmetric PHY pause settings (CR71862)
The BIG-IP system supports the following symmetric pause settings: bigpipe interface x.x pause rx tx or bigpipe interface x.x pause none. We recommend that you avoid setting asymmetric Physical Layer Device (PHY) pause settings (bigpipe interface x.x pause rx or bigpipe interface x.x pause tx) because these flow control settings might not be advertised correctly.

PVA statistics reset (CR71886)
If you run the command b pva stats reset, the system returns an error and does not reset Packet Velocity® ASIC (PVA) statistics. You can use the bigstart restart command to reset these statistics.

MCP validation error and removal of unneeded self IP addresses (CR71896)
If you configure a self IP address and a floating self IP address on the same subnet and VLAN, and then add another self IP address (not floating) to the VLAN also on the same subnet, you cannot delete the original non-floating self IP address. To work around this issue, delete the first non-floating self IP address. If the second self IP address already exists, you can edit the configuration file and reload the configuration.

Translation addresses and NAT creation (CR71903)
When you create a Network Address Translation (NAT), the translation address cannot be a node address or pool member. This is not the case with Secure Network Address Translation (SNAT).

Calculation discrepancy between resize-logFS and the ls command (CR71945)
The resize-logFS command calculates 1 GB as 100000k but the ls command computes 1 GB as 1048576k. That means that the default 7 GB logFS partition appears to be only 6.7 GB according to ls. Any resized partition shows the same discrepancy of being smaller than what you specify. This is a cosmetic issue. The partition is actually the size you specify.

Manually editing the bigip.conf file (CR72012)
You can manually edit the bigip.conf file to define objects (SNATs, SNAT pools, and so forth). However, you should avoid defining the same object more than once. If you define an object multiple times in the bigip.conf file, and subsequently load the file, the pvad service may not restart successfully. To resolve this issue, use the bigpipe save command to remove the duplicate definition from the file.

BIG-IP 8800 platform and compression (CR72092)
You might encounter corrupted data when using compression on a BIG-IP 8800 platform, if the server-side maximum segment lifetime (MSL) value is lower than 540. A server-side MSL value that is lower than 540 is very atypical, since such a setting counters the benefits of using compression. To avoid this issue, set the MSL value higher than 540.

Special character support in iRules (CR72139)
iRules do not handle special characters. To work around this issue, do not use special characters such as ampersand ( & ) in iRules.

Fast L4 profiles and the reject command (CR72170)
If you are using a Fast L4 profile with an iRule that contains the reject command, the system does not issue a reset (RST) to the client. The reject command works correctly, even though the system does not send the reset packet. This occurs only with Fast L4 profiles.

RAM Cache entries and delete (CR72173)
The bigpipe utility has a limited number of arguments that are available for deleting RAM Cache entries. For information on how to work around this issue, see Deleting RAM Cache entries.

stats reset command in iRules (CR72174)
If you have an iRule that is not associated with a virtual server, and you attempt to run the reset command, the system returns an error. To work around this issue, always associate an iRule with a virtual server.

Commands containing the all parameter (CR72201)
The BIG-IP system does not always complete the action for commands that contain the all parameter. For example, the virtual all snatpool <name> command does not apply the SNAT pool to the virtual server, and the system does not issue an error. This is also true for the following commands:

  •     virtual all rate class <name>
  •     virtual all pool <name>
  •     virtual all lasthop pool <name>
  •     virtual all persist <name>

User role or partition assignment change (CR72296)
If a user, who is assigned the Administrator role, attempts to change the role or partition that is assigned to a user who is logged in to the BIG-IP system, the system response time is slow. The system also generates multiple connection pool errors.

Flow control for the management interface (CR72442)
When you use the bigpipe command to query the management interface, the system returns error, instead of tx rx, as the second flow control value. This occurs only on the management interface. To work around this issue, use iControl to query for the flow control value.

Partition access change for users (CR72506)
If a user's partition is changed while that user is logged in, the bp shell list command still shows the previous partition as the write partition associated with the user. When the user issues the bp list command, the system correctly displays objects for the new partition, along with objects from the Common partition. If the user issues any other command, such as modify, delete, and create (if user has those permissions), the system presents an incorrect error message, indicating that the user does not have access permission. To correct shell write access, users must log off and then log back on. The following message is an example of the kind of error users might see:

BIGpipe unknown operation error:
    01070824:3: Write Access Denied: user (usr_2) does not have update access
 to partition (AAA_Partition), check your current "update/write" partition settings

Layer 4 virtual servers and PVA (CR72507)
Pinned Layer 4 virtual servers are incompatible when Packet Velocity® ASIC (PVA) acceleration is set to assist mode for SYN cookies. There is no workaround for this issue.

Self IP change update (CR72518)
If you modify a self IP address to change the associated VLAN, and then attempt to connect from a remote host to the self IP address, the self IP address continues to be associated with the interfaces of both the original and the new VLAN. The correct behavior is that the self IP address should be associated with the interfaces of the new VLAN only.

Logging for BIG-IP 8800 power-failure recovery (CR72553)
When the BIG-IP 8800 platform recovers from a power failure condition, such as when hot-swapping, the system does not create a log entry. Currently, the most recent log message indicates that the device is shutting down.

BIG-IP 8800 shut down message clarification (CR72554)
When the BIG-IP 8800 shuts down, the system presents the following message: WARNING: Shutting down in 120 sec. The 120-second interval represents the shutdown time for the switch card control processor (SCCP), which controls the hardware for the whole system. The host actually shuts down after 60 seconds. That means that, if you want to swap power supplies, you must complete the operation within 60 seconds, not 120 seconds.

iRules containing reject in CLIENT_ACCEPTED or SERVER_CONNECTED events (CR72623)
Using an iRule containing the reject call in CLIENT_ACCEPTED or SERVER_CONNECTED events causes an unexpected system restart. To work around this condition, do not use the reject call for CLIENT_ACCEPTED or SERVER_CONNECTED events.

Pool member statistics aggregation (CR72652)
On a BIG-IP system with a CMP-enabled virtual server, the system divides the number of connections by the number of Traffic Management Microkernel (TMM) instances, and on the Pool Statistics screen, erroneously reports the result as the maximum number of connections allowed. However, the system does correctly respect any configured connection limit.

IP address change in redundant system (CR72676)
If you change unit 2's IP address on unit 1 (StateMirror.PeerIPaddr) of a redundant system, you must restart unit 1 to have the change take effect. If you do not restart unit 1, connection mirroring does not work. The only indication of a problem is in /var/log/ltm on unit 2, where repeated connection with peer lost messages are logged while it tries to connect.

Factory default for management IP address (CR72678)
You can use the command sys-reset -s to reset a system to its factory defaults. However, running this command does not set the management IP address to the 192.168.1.245 factory default on any type of system, except the BIG-IP 2400 platform. To reset the management IP address on other systems, configure the management IP address manually.

VLAN group delete using Configuration utility and from bigip_base.conf (CR72717)
When you delete a VLAN group using the browser-based Configuration utility, the system does not delete it from the bigip_base.conf file. To work around this issue, delete the VLAN group directly from the bigip_base.conf file.

Startup process for a BIG-IP 8800 with one power supply (CR72730)
A BIG-IP 8800 requires two power supplies for operation. A BIG-IP 8800 platform that has only one power supply cannot complete the startup process, and shuts down before you can log on.

VLAN fail-safe option (CR72735)
If you use the Configuration utility to set the VLAN Fail-safe timeout option to 90 seconds (which is the default), the fail-safe timeout setting in the bigip_base.conf file is erroneously set to 30 seconds. To work around this issue in the Configuration utility, set the Fail-safe timeout option to either 89 or 91 seconds.

Encrypted configuration files (CR72762)
When you use the bigpipe config save <*.ucs> passphrase command, you must include a password on the command line. The BIG-IP system does not prompt you for a password.

Export of FIPS keys (CR72809)
You cannot export FIPS keys. If you attempt to export FIPS keys, the system presents the error: An error has occurred while trying to process your request.

Archives of keys and certificates (CR72818)
If you attempt to create an archive consisting of only keys or only certificates, the system presents the error Page Error: there is no page content to display. To work around this issue, include both keys and certificates in an archive.

Documentation for the sys-reset command (CR72827)
The -s option is missing from the help presented for the sys-reset command. You can use the command sys-reset -s to prevent changes to the shared partition.

SSL hardware acceleration support (CR72997)
On the BIG-IP 2400, 5100, and 5110 platforms, you can only configure SSL functionality through the BIG-IP system software.

Closing brace and bigip.conf file editing (CR73005)
If you omit a closing brace in a command when you edit the bigip.conf file, and then you run the bigpipe load command, the system may not display any error messages, but it may be inoperative. To correct this, add the missing closing brace to the command in the bigip.conf file, and then run the bigpipe load command.

Chassis temperature status not found message (CR73008)
When you run the bigpipe platform command on the BIG-IP 1000, 2400, and 5100/5110 platforms, the system presents the following message:

unknown query error 1020032 - chassis_temperature_status not found

This error occurs because these platforms support a reading for the CPU temperature, but not the chassis temperature.

Broadcast rate-limiting (CR73037)
The BIG-IP 1000, 2400, 5100, and 5110 platforms do not support the broadcast rate-limiting feature. If the following error message appears in the /var/log/ltm directory on these platforms, you can ignore it:

[bs_if_set_rate_limit]bcm_rate_type_set() fails for unit 0: Feature unavailable if_bs.c(1383)

RAM Cache entry for last-sent date and time (CR73043)
Viewing the RAM Cache entry shows a line similar to the following:

Received: 2006-12-13 17:28:57 Last sent: 1166059746

Note that the Received date and time is correctly converted, but the Last sent time and date is not.

ICMPv6 filtering (CR73063)
Packet filters that are configured to filter ICMP traffic filter only ICMPv4. We do not currently support ICMPv6 filtering using packet filters.

Fasthttp virtual servers and IPv6 pool members (CR73103)
Performance (HTTP) type virtual servers do not support IPv6 pool members. Though you can create a virtual server of this type, attempts to use this configuration result in a traffic outage due to Traffic Management Microkernel (TMM) failure.

Configuration synchronization and system performance (CR73109)
When a remote user that is logged in as Other External Users performs a configuration synchronization, system performance may be adversely affected. Also, an error message regarding licensing might appear, and the Configuration utility menus might disappear. To correct the error message and menu issues, click a link in the utility.

Errors resulting from configuration synchronization (CR73110)
When a remote user that is logged in as Other External Users performs a configuration synchronization, clicking on the user name at the top of the screen generates an error message. You can ignore this message.

Boot menu and option to install version 9.4 (CR73430)
When using the Windows umdinstall utility, the option to install BIG-IP version 9.4 is not enabled by default. Consequently, if you click Continue without first selecting BIGIP940 from the Product to Install column, the umdinstall utility transfers only the install kernel and presents a boot menu that contains only three options: Configure Network Settings, Reboot System, and Exit to Maintenance Shell. To work around this issue, run the umdinstall utility again and select the BIGIP940 option from the Product to Install column before you click Continue.

HTTP::cookie insert iRule and trailing semicolon in cookie header (CR73619)
The HTTP::cookie insert iRule adds a semicolon to the end of the cookie header. This prevents some clients from working. You can use a different iRule to work around this issue. For information, see Preventing the semicolon inserted by the HTTP::cookie insert iRule.

TCP profile wait settings for immediate and indefinite (CR74242)
The system does not correctly handle the Immediate and Indefinite settings for the Time Wait, Fin Wait, or Close Wait options for a TCP profile. To work around this issue, use specific values. For example, use 2 or 3 seconds to approximate Immediate.

VLAN Group Proxy Exclusion lists after group deletion (CR75761)
When you delete a group, the system still retains any configured VLAN group proxy exclusion lists. This condition does not affect system operation, so you can safely ignore the VLAN group proxy exclusion for a group that does not exist.

Leading and trailing spaces in passwords (CR76044)
The system supports the space character as part of a password. If the space character is the leading or trailing character, however, the system strips the space character. To work around this issue, use the space character within the password character string, but not as the leading or trailing character.

Time zone-related errors and sys-icheck (CR76714)
Because of an earlier Java® time zone update, running the sys-icheck command produces 110 time zone-related errors. These messages are benign and can be ignored. The following message is an example of this type of error:

ERROR: SM5..... /usr/java/j2re/lib/zi/Pacific/Midway

Memory reporting commands (CR77748, CR80851, CR82246)
In version 9.4, output from the commands b memory, b global host memory, and b global TMM memory incorrectly reported memory usage. In this version of the release, these commands return memory as they did in version 9.2.3. In this case, running the b memory command reports only Traffic Management Microkernel (TMM) total memory and used memory, and running the b global stats command reports two total/used entries: one for just TMM memory, and one for host and TMM memory combined. In versions 9.4.1, 9.4.2, 9.4.3 and 9.4.4 there is no command that reports all of the physical memory on a system.

PVA-assisted connections and idle time interval (CR78006)
The output from the bigpipe conn show all command does not correctly display the idle time for PVA-assisted connections. This issue is cosmetic only, as the system removes the connection at the correct timeout interval. For more information, see Solution ID: SOL7412 Known Issue: The output from the bigpipe conn show all command does not correctly display the idle time for PVA assisted connections.

Malformed /etc/shadow file and mcpd restart (CR78182)
A malformed /etc/shadow file can cause the mcpd process to restart. It is likely that errors of this type occur during manual editing of the /etc/shadow file, so make sure to use care when you edit this type of file. You can avoid this issue by not manually editing the file. An example of a malformed entry is one that is missing a field and its colon, similar to the following entry:

username:!!:0:99999:7:::

You can correct the entry by including the values, as shown in the following entry:

username:!!:13530:0:99999:7:::
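
A field-count check that flags the malformed entry shown above before the file is put in place, as an added example (not F5 code). The function names check_shadow and demo_shadow_check are hypothetical, the sample entries in the demo are constructed from the two entries in this note, and the nine-field layout assumed is the standard shadow(5) format.

```shell
#!/bin/sh
# Added example: report entries in a shadow-format file that do not have the
# nine colon-separated fields of shadow(5):
#   name:password:lastchg:min:max:warn:inactive:expire:reserved

# check_shadow FILE
# Prints one "line N (user): reason" per problem.
# Returns 0 if the file is clean, 1 if problems were found, 2 if unreadable.
check_shadow() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -F: '
        /^[ \t]*$/ { next }                  # ignore blank lines
        {
            reason = ""
            if (NF != 9)
                reason = "expected 9 fields, found " NF
            else if ($1 == "")
                reason = "empty user name"
            else {
                # Fields 3-8 are the password-aging fields: each must be
                # empty or an integer.
                for (i = 3; i <= 8; i++)
                    if ($i != "" && $i !~ /^-?[0-9]+$/) {
                        reason = "field " i " is not a number: " $i
                        break
                    }
            }
            if (reason != "") {
                printf "line %d (%s): %s\n", NR, $1, reason
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$file"
}

# demo_shadow_check
# Runs the check over a constructed sample: the corrected entry and the
# malformed entry from this release note, written to a temporary file.
demo_shadow_check() {
    sample=$(mktemp) || return 2
    printf '%s\n' \
        'username:!!:13530:0:99999:7:::' \
        'username:!!:0:99999:7:::' > "$sample"
    check_shadow "$sample"
    status=$?
    rm -f "$sample"
    return $status
}

# Run the demo only when the script is invoked with "demo" as its first argument.
if [ "${1:-}" = "demo" ]; then
    demo_shadow_check
fi
```

Run the check against a copy of the edited file, not the live /etc/shadow, and replace the live file only when the function returns 0.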

Message regarding /var/log/lastlog message in /var/log/secure with debug logging enabled (CR78972)
When you have debug logging enabled, and a user logs in using SSH, the system logs several messages in the /var/log/secure file. These messages are benign. The following messages are examples of what the system might log.

May 2 17:03:37 system95 sshd[17837]: Accepted keyboard-interactive/pam for
   root from 192.168.40.173 port 2601 ssh3
 May 2 17:03:37 system95 sshd[17842]: lastlog_filetype: Couldn't stat
   /var/log/lastlog: No such file or directory
 May 2 17:03:37 system95 sshd[17842]: lastlog_openseek: /var/log/lastlog is not
   a file or directory!
 May 2 17:03:37 system95 sshd[17842]: lastlog_filetype: Couldn't stat
   /var/log/lastlog: No such file or directory
 May 2 17:03:37 system95 sshd[17842]: lastlog_openseek: /var/log/lastlog is not
   a file or directory!
 May 2 17:03:37 system95 sshd(pam_unix)[17842]: session opened for user root by
   root(uid=0)

Renegotiate size in Configuration utility and in configuration file (CR79224)
The system presents the SSL renegotiate size in bytes in the Configuration utility. In the configuration files, however, renegotiate size is reported as Kmb. For example, if you specify 200000 in the Renegotiate Size box in a client or server SSL profile, the configuration file reports the following: renegotiate size 200Kmb.

SCTP profile use with multiple virtual servers (CR79382)
Defining a virtual server using the clientside or serverside modifier prevents use of a Stream Control Transmission Protocol (SCTP) profile in multiple virtual servers. If you want to associate an SCTP profile with more than one virtual server, you cannot include the clientside or serverside modifier when defining the virtual server.

fipskey delete and non-FIPS keys (CR79652)
When you use the command fipskey delete <key-name>, the system deletes the key you specify, even if the key you specify is not a FIPS key. To work around this issue, ensure that you specify FIPS keys when you issue the fipskey delete command.

Local user name longer than 32 characters (CR79938)
You can create a local authentication user name that is 33 characters or longer. When you use this name to log on to the console or log on using SSH, the system presents a parsing error. However, the system allows the same user to successfully log on to the Configuration utility. To work around this issue, always have users whose names are longer than 32 characters use the Configuration utility to log on to the system.

Console presentation in Microsoft Internet Explorer version 7 (CR80171)
If you use Microsoft® Internet Explorer® version 7 to navigate the browser-based Configuration utility, when you access the console screen (available by clicking the System item in the navigation pane), the system presents the console offset to the right, and you cannot see everything on the left. The console itself works fine, but the display is off-center. As a workaround, use one of the supported browsers listed in the Minimum system requirements and supported browsers section.

Password for configsync operation (CR80399)
When you run the b configsync command, the password you enter must match the one associated with the user. The system does not validate that the new password matches the user. If this is unacceptable in your setup, you should use the Configuration utility, which sets both passwords at the same time.

Hotfix install to CF-only devices through Enterprise Manager (CR80484)
You cannot use Enterprise Manager to install to systems that contain only a CompactFlash® media drive. Systems that contain only a CompactFlash media drive are the BIG-IP 1000 (D39), the BIG-IP 2400 (D44), and the BIG-IP 5100 and 5110 (D51). To work around this issue, you can use another installation method.

PVA acceleration and load balancing mode (CR80489)
The system uses the pool-member level load balancing setting when the Packet Velocity® ASIC (PVA) acceleration is set to PVA full and you have certain pool members set to use the ratio mode. The system should ignore the ratio settings of the pool members and use the pool's round robin mode, but it uses the ratio mode instead. To work around this issue, make sure to specify the same type of load balancing mode for the entire pool and each pool member.

Behavior change for Platform.DiskMonitor.GrowthAlert.var_run variable (CR80622)
To handle an error condition in the BIG-IP system, we have changed the setting of the Platform.DiskMonitor.GrowthAlert.var_run database variable to 25%. Upgrading the software changes the setting of this variable to 25%, so if you specified a different value, you must reset it after you upgrade.

Prompt and history variable values after user deletion in bigpipe shell utility (CR81078)
If you create a user and make some user-specific configuration changes such as customizing the user's prompt, the system stores those configuration changes, as shown in the bigpipe shell console window. If you then delete that user, and then create a new user with the same user name, the system retains the previous values for the shell variables prompt and history. The workaround is to delete the .bigpiperc-<user> and .bphistory-<user> files for the deleted user, or delete that user's home directory.

Unit ID changes on pool (CR81097)
When a pool is defined with the ID of one unit in a redundant system, and you modify the pool to use the other unit's ID, the original unit continues to monitor the pool. This persists until you run a b load or bigstart restart command.

Command auto-complete in bigpipe shell (CR81184)
In the bigpipe shell, if you type the b character, a space character, and then the beginning of a command, the system does not automatically complete the command when you press the tab key. The workaround is not to type the b in front of the command. Command completion then works.

Error messages and system startup (CR31937, CR80048, CR86695)
The system logs a set of benign error messages upon every startup. They occur because the system is requesting that the CompactFlash® media drive perform a Direct Memory Access (DMA) operation, which it is not capable of (a CompactFlash media drive can perform only programmed I/O data transfer operations). The set of error messages appears similar to the following output:

May 20 21:15:31 localhost hda: SILICONSYSTEMS INC 512MB, ATA DISK drive
May 20 21:15:31 localhost hdc: WDC WD800BB-00FJA0, ATA DISK drive
May 20 21:15:31 localhost ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
May 20 21:15:31 localhost ide1 at 0x170-0x177,0x376 on irq 15
May 20 21:15:31 localhost hda: attached ide-disk driver.
May 20 21:15:31 localhost hda: task_no_data_intr: status=0x51 { DriveReady SeekComplete Error }
May 20 21:15:31 localhost hda: task_no_data_intr: error=0x04 { DriveStatusError }
May 20 21:15:31 localhost hdc: attached ide-disk driver.
May 20 21:15:31 localhost hdc: host protected area => 1
May 20 21:15:31 localhost Chose partition table type 1
May 20 21:15:31 localhost Chose partition table type 1
May 20 21:15:31 localhost 3ware 9000 Storage Controller device driver for Linux v2.24.04.007.
May 20 21:15:31 localhost 3w-9xxx: No cards successfully initialized.
May 20 21:15:31 localhost ip_tables: (C) 2000-2002 Netfilter core team
May 20 21:15:31 localhost RAMDISK: Compressed image found at block 0
May 20 21:15:31 localhost VFS: EINVAL err on root device "UUID=e4b20eaa-b187-44b0-b477-d3bce40166ec" - -22
May 20 21:15:31 localhost VFS: Mounted root (ext2 filesystem).
May 20 21:15:31 localhost EXT3-fs warning: maximal mount count reached, running e2fsck is recommended
May 20 21:15:33 localhost viper: Cavium FIPS non-blocking PCI driver version 2.03

Monitor enable and disable and Configuration utility or command line (CR81507)
If you use the Configuration utility to disable a monitor instance, you can enable that same monitor instance using the b load command at the command line. There is no workaround for this issue.

Forced SFP media and swapping to different SFP type (CR81911)
If the system populates a small form-factor pluggable (SFP) port with a particular media type (for example, 1000baseSX), and the interface has been forced to this media option, when you swap the SFP with another media type (for example, 1000baseLX) without first resetting the media to run in automatic mode, the system does not correctly update the media option list, and the interface does not function correctly using the new SFP (1000baseLX) module. To work around this issue, before swapping the SFP media type, reset the media to run in automatic mode.

9.1.x/9.2.x installed after 9.3/9.4.x and sys-reset/sys-icheck (CR81916)
Installing earlier software, such as 9.1.x or 9.2.x, on a system that already contains later software, such as 9.3 or 9.4.x, causes subsequent sys-reset or sys-icheck operations to fail. You can work around this issue by starting up in the slot where you want to install the software. If you start the installation from the same slot that you are installing to, this issue does not occur. For additional information, refer to the Ask F5 Knowledge Base web site.

Clean installation and NTP time zone (CR82082)
When you perform a clean installation, and you configure the system using the Setup utility in the Configuration utility, the system does not save the Network Time Protocol (NTP) time zone configuration in the bigip_sys.conf file. To have the system save the NTP time zone, set the time zone after installation, and save the configuration directly.

Mirror ports and the tcpdump command (CR82208)
If you are using mirroring, you cannot simultaneously use the tcpdump command, which overrides the port mirror and causes other switch problems. To work around this issue, do not use the tcpdump command on a port that is set up for mirroring.

Kernel-tainted message and autolasthop kernel module loading (CR82407)
When the autolasthop kernel module is loaded, the system console presents the following message: will taint the kernel: non-GPL license - Commercial. The log message is benign, and simply means that any issues caused by the kernel module should be reported to the vendor rather than to the Linux kernel maintainers. For more information, refer to What does it mean for a module to be tainted? on The linux-kernel mailing list FAQ.

Custom shell prompt randomly changes back to the default prompt (CR82567)
There is an intermittent problem where a prompt that you customized in the bigpipe shell randomly changes back to the default prompt. For example, this might occur in response to commands that should produce errors. There is no workaround for this issue.

Persistence profile mode change (CR82841)
Using the command line and iControl interfaces, you cannot change the mode of a persistence profile from cookie to sip. If you attempt to do this, the system presents an error. To work around this issue, create a new persistence profile setting the mode to sip. You can use the bigpipe profile persist command to create persistence profiles.

SCCP access (CR82984)
If you are using an Ethernet connection, there is no external switch card control processor (SCCP) access prior to host startup. You can get SCCP access by logging on using a serial console instead.

Pool name validation with SNAT pool (CR83063)
Adding a pool does not check for duplicated SNAT pool names, and generates the following MCP error: mcp error: 1030013 in mcpmsg_to_database. However, adding a SNAT pool does check for duplicate pool names.

Special characters in user passwords and log on using the command line interface (CR83159)
The system does not prevent you from using the command line interface to create user passwords that contain certain special characters, such as the pound character ( # ) or exclamation point ( ! ). However, the system presents an error when you try to log on using the command line interface. To work around this issue, you can use the Configuration utility to log on when you have passwords that contain such special characters.

b arp <IP_address> delete and message after successful completion (CR83309)
You can use the b arp <IP_address> delete command to successfully delete an IP address, but the system presents errors after completing the operation. There is no workaround for this issue. The following message is an example of this type of error:

BIGpipe unknown operation error:
No such ARP entry


The operation completes successfully, this error is benign, and you can safely ignore this error.

SSL::disable in Server SSL profile setup (CR83395)
If a virtual IP address has an associated Server SSL profile and no Client SSL profile, when the server-side iRule context calls the SSL::disable command, the resulting operation does not disable the server-side SSL filter. To work around this issue, you can remove the server-side event and add the SSL::disable serverside command directly to the iRule.

Maximum Dynamic Entries and the limit set by user (CR83434)
The value you specify for Maximum Dynamic Entries on the ARP properties Options screen does not serve to limit the number of entries that can be added in the Address Resolution Protocol (ARP) table. In this release, the Maximum Dynamic Entries setting does not represent a hard limit that prevents new ARP entries from being created.

i8225x driver performance during DNS flood (CR83462)
The i8225x driver on the BIG-IP 3500 system does not resolve every DNS request during a DNS flood. There is no workaround for this issue.

PVA error message at restart (CR83474)
Occasionally, when you start up the system or run the bigstart restart command, the Packet Velocity® ASIC (PVA) sends out errors such as the following: AsicFactory.cpp:553 Illegal Pva version. You might see from one to three messages of this type before PVA detects the correct version. The error might occur as a result of a system startup race condition. The messages are benign, and you can safely ignore them.

Adaptive compression with gzip level and iRules commands (CR83606)
Setting various gzip levels using iRule commands always results in null compression. You can use commands from iRules to override profile settings, but adaptive compression still alters the gzip level to reduce stress on the system. There is no workaround for this issue.

tmstat compress and bigpipe http show and display of null-compression statistics (CR83608)
The tmstat compress command does not clearly show when the system has reached compression licensing, nor does it show when the CPU-saver feature has been activated. In adaptive compression, tmstat compress command output shows when the gzip level is forced to zero because of system load. The bigpipe http show command shows the compression licensing conditions, but it does not clearly indicate that adaptive compression is forcing the gzip level to zero.

Bracket use in the Configuration utility fallback field (CR83669)
The Configuration utility does not accept the bracket characters ( [ ] ) in the Fallback Host field of an HTTP profile. If you use these characters when creating or modifying the fallback data for an HTTP profile using the command line interface, and then you attempt to alter the same profile using the Configuration utility, the system rejects the change. For the system to accept the change, you must either remove the iRule object from the Fallback Host field, or modify the contents of the field so that it does not contain the bracket characters.

snmpd community <object> list command and objects listed (CR83866)
You can run the snmpd community <object> list command to get information about a specific object. Along with this information, the system also presents unneeded information about additional SNMP objects. You can safely ignore the unneeded information.

Resource Administrator and system restart (CR84224)
User accounts configured with the Resource Administrator role cannot issue bigstart (start|stop|restart) commands in the bigpipe shell. The workaround is to have user accounts with the Administrator role run such commands.

configsync password and using the db command (CR84304)
You cannot use the db command to set the configsync.password variable. Setting the configsync.password and configsync.passphrase variables using the db command requires that you then enter a valid encrypted password, one that exists in the /etc/shadow file. At this stage, however, the system has encrypted only a portion of the password, so the system returns an error message. You can work around this error by setting the password from the bigpipe utility or using the browser-based Configuration utility. The following message is an example of this type of error:

BIGpipe BIGdb variable modification error:
01070928:3: The configsync.password is encrypted incorrectly.

Resource Administrator and import default command in partitions (CR84327)
When a user with the Resource Administrator role is logged on to a partition other than Common, running the import default command imports all of the objects in Common. The workaround is to have users with the Administrator role perform this type of operation.

Manual editing of bigip.conf and nodes differing partitions (CR84328)
You can edit the bigip.conf file or a single configuration file (.scf) to add nodes and pool members to partitions. If you inadvertently add a node to one partition that belongs to another user-specific partition, you receive no error when you load or save, but you do receive an error when you reboot the system or run the bigstart restart command. The workaround is to make sure the nodes or pool members you add to a partition belong to that partition, or use the Configuration utility to modify node and pool membership in partitions.

Rewrite option for TCP Window Scale Mode in Fast L4 profile and UCS roll-forward (CR84354)
In previous releases, the Fast L4 profile setting TCP Window Scale Mode included the Rewrite option. The Rewrite option is no longer a valid setting, and it has been removed. If you roll forward a UCS file that has this value set, the system presents the following message after restart.

BIGpipe parsing error (Line 173):
    012e0010:3: The requested value (rewrite) is invalid ((preserve | strip)) for
  'tcp wscale' in 'profile fastL4'

To work around this issue, change the TCP Window Scale Mode value to Preserve or Strip before rolling forward the UCS file.

Time zone differences during import and reboot before bp save all (CR84357)
If you import a file that has a different time zone, the system prompts you to reboot the system. If you reboot the system without first issuing a bp save all command, the system becomes out of sync. This is because when you run the bp import command, the system saves the imported file to the binary file, but doing so does not update the configuration files. The workaround is to always run a bp save all command after running a bp import command.

Escaped double quotation marks parsing in class names (CR84373)
If you create an internal or external data group (class) with a name that contains escaped quotation mark ( " ) characters, the configuration does not load correctly. To work around this issue, do not use escaped double quotation mark characters in internal or external data group names. If you must use the double quotation mark character, use the string \x22 instead.

No such file or directory message after installing (CR84502)
When you install this version of the software, the system presents the following messages:

info: strings: /usr/sbin/big3d: No such file or directory
info: No active big3d exists.


These messages are benign, and you can safely ignore them.

b interface commands and multiple interfaces (CR84535)
The b interface list and b interface show commands operate on all interfaces when they are passed a list of interfaces, but all other b interface commands operate only on the first interface in the list. The workaround is to run the b interface command multiple times, specifying only one interface at a time.

Audit log messages for deleted users (CR84577)
The auditing messages the system reports might be misleading or appear inaccurate. For example, if user-a (an account with the User Manager role) runs the b user user-b delete command on user-b (an account with the Administrator role), the command correctly fails with the following error on the command line:

b user user_b delete
BIGpipe unknown operation error:
   01070820:3: User Modification Denied: User Manager (user-a) may not delete Administrator (user-b)


The Audit screen (available by clicking System on the navigation pane and then clicking Logs) shows an apparently conflicting message:

Thu Aug 16 11:15:18 PDT 2007 user-a 0-0 deleted
 Thu Aug 16 11:15:18 PDT 2007 user-a 39668-1 USERDB_ENTRY deleted: name="user-b"

The command has completed successfully; only the auditing message is incorrect.

PXE install and unexpected error message (CR84579)
If you use the PXE installation method to install the software, you might see the following error flash briefly after entering the terminal type, just before the first installation menu comes up:

Unexpected error. See session log.

Because installation completes successfully, and the system does not log a message in the session.log file, you can safely ignore this message.

Custom ConfigSync user and importing new user list (CR84587)
If you log on to the system as <configsync_user> (the user account currently set as the ConfigSync user), when you import a user list that does not contain <configsync_user>, and then list the current users, the <configsync_user> account remains. This is because the system prevents you from deleting the user who is currently active or the currently specified ConfigSync user. To work around this issue, set the ConfigSync user to a different user by running the command bp configsync user <user_name> before performing ConfigSync and importing the new user list.

Default support account and the ConfigSync user (CR84622)
The command line does not prevent you from setting the configsync.username db variable to the default support user support. You can do so even when the support account is not enabled. The Configuration utility prevents setting the configsync.username db variable to the default support user support. We recommend setting the configsync.username db variable to a user other than support.

Error message and remoterole set to deny (CR84685)
When you set remoterole to deny enable, users from the associated group cannot log on to the system. This is correct behavior. The error message that the system logs to the /var/log/secure file, however, is incorrect:

Aug 18 08:58:08 BIGIP-30 sshd[8228]: error: PAM: User account has expired for user_name from 198.68.122.20

Users are correctly prevented from logging on; only the error message is incorrect.

FTP monitor and pool member with IPv6-formatted addresses (CR84735)
If the custom FTP monitor you create monitors a pool member whose address is specified in IPv6 format, when you assign that monitor to a pool, the system marks the pool members down. In this case, the system does not support IPv6-formatted addresses that are monitored by custom FTP monitors. The workaround is to specify the address in IPv4 format.

Inherited required objects (CR84992)
Objects that inherit required objects require the child objects to re-specify required fields from the parent.

Network Map search error with unpaired parenthesis, plus sign, or comma (CR85030)
In the Network Map Search field, use of an unpaired parenthesis, that is, only an open parenthesis ( ( ) or only a close parenthesis ( ) ), a plus sign ( + ), or a comma ( , ) results in an alert indicating that an error occurred while the system was processing the request. To fix the problem, make sure to specify parentheses in pairs, and do not use the plus sign or a comma.

b failover and b fo command output (CR85108)
In this release, the command b failover no longer reports how long the unit has been active or standing by. Instead, it displays the status of the configuration class with the name failover. To obtain information on how long the unit has been active or standing by, use the command b fo.

Certificate/key change and display update (CR85125)
When you use the command line utility to configure the system to use a new certificate/key pair, the System Device Certificate screen in the Configuration utility does not update to show the new information. Instead, the screen shows that the default certificate/key pair is in use. In fact, however, the system uses the new certificate/key pair. There is no workaround for this issue.

bigstart restart command and running bigpipe shell sessions (CR85131)
If you issue a bigstart restart command, the bigpipe utility halts unexpectedly, which stops all running bigpipe shell sessions without warning users in currently active sessions, posts an error Segmentation fault (core dumped) on their systems, and writes a core file in the /var/core directory. Before running bigstart restart, you might want to warn users that a restart operation is about to occur, and recommend that they exit any running bigpipe shell sessions. Users can restart bigpipe shell when the restart operation completes.

b ntp servers delete caused add (CR85137)
If you run the b ntp servers delete command when no such server exists, the system adds the server instead of presenting an error. The workaround is to make sure the server exists before trying to delete it.

Multiple export operations on same files and encrypted password changes (CR85234)
The method that the system uses for encrypting passwords generates a different string each time the export process runs. The underlying password remains the same, however; only the encrypted string changes.

Timeout option in bigpipe shell (CR85293)
The inactivity timeout setting has no effect in this version of the bigpipe shell. The shell stays active regardless of the timeout setting you have specified. You must manually end each bigpipe shell session you open.

^M characters in file used for import (CR85379)
When the text file you are using for an import operation contains ^M control characters at the end of each line, the system presents errors, and the import operation does not complete. To work around this issue, remove all ^M control characters before importing the file.

Copy and paste option and oneline-formatted .scf file (CR85381)
If you export a single configuration file (SCF) using the b export oneline option, the system correctly writes out the bigpipe commands on one line instead of on separate lines. For example, if you export in the oneline format an SCF file containing the following pool:

pool dev_https3 {
    members
       10.60.10.105:https
       10.60.10.106:https
 }

The system writes the following line into the resulting file:

pool dev_https3 { members 10.60.10.105:https 10.60.10.106:https }

If any line in the exported .scf file is longer than 4,096 characters, when you paste that content at the prompt that appears when you run the b import - command, the import operation fails. To work around this issue, save the copied content to a file and use the b import <filename>.scf command instead.

Note: The BIG-IP® Command Line Interface Guide indicates that the 4K limit exists for the entire SCF. In fact, however, this limit applies only to a single line within an SCF exported using the b export oneline command.
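The following added example (not F5 code, and not part of the original release note) checks a file for the two import failure modes described in CR85379 and CR85381 before you paste or import it: ^M line endings and lines longer than 4,096 characters. The function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not F5 tooling): pre-import checks for a text or SCF file.
# Function names and sample files are assumptions made for illustration.

SCF_MAX_LINE=4096   # per-line limit for pasting at the "b import -" prompt

# Print how many lines end in a carriage return (^M).
scf_count_cr_lines() {
    awk '/\r$/ { n++ } END { print n + 0 }' "$1"
}

# Print the line number of every line longer than SCF_MAX_LINE characters.
scf_long_lines() {
    awk -v max="$SCF_MAX_LINE" 'length($0) > max { print NR }' "$1"
}

# Write a copy of $1 to $2 with the trailing ^M removed from each line.
scf_strip_cr() {
    awk '{ sub(/\r$/, ""); print }' "$1" > "$2"
}

# Print one verdict for the file:
#   fix-cr  contains ^M line endings; strip them before importing
#   file    has an over-long line; import by file name, do not paste
#   paste   neither problem found; pasting is safe
scf_preflight() {
    if [ ! -r "$1" ]; then echo "unreadable"; return 2; fi
    if [ "$(scf_count_cr_lines "$1")" -gt 0 ]; then
        echo "fix-cr"
    elif [ -n "$(scf_long_lines "$1")" ]; then
        echo "file"
    else
        echo "paste"
    fi
}

# Build three constructed sample files in directory $1.
scf_make_samples() {
    printf 'pool dev_https3 {\n    members\n       10.60.10.105:https\n       10.60.10.106:https\n}\n' > "$1/ok.scf"
    # Same pool with Windows (CRLF) line endings.
    awk '{ printf "%s\r\n", $0 }' "$1/ok.scf" > "$1/crlf.scf"
    # A oneline-style pool with 300 members, well over 4,096 characters.
    awk 'BEGIN {
        printf "pool big { members"
        for (i = 1; i <= 300; i++) printf " 10.60.%d.%d:https", int(i / 250), i % 250 + 1
        print " }"
    }' > "$1/long.scf"
}

# When called with a file name, print the verdict for that file.
if [ "$#" -gt 0 ]; then scf_preflight "$1"; fi
```

A file that reports fix-cr should be checked again after stripping, because an over-long line is only tested once the ^M characters are gone.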

Command line delete of FIPS key used by a profile (CR85529)
The system does not prevent you from using the fipskey delete command in the command line utility to delete a Federal Information Processing Standards (FIPS) key that is used by a profile. The browser-based Configuration utility prevents deletion of an in-use FIPS key. The workaround is always to delete FIPS keys using the Configuration utility, or make sure the FIPS key is not used by a profile when you try to delete it from the command line.

b persist all delete and multiple partition (CR85617)
Running the b persist all delete command deletes only the persistence entries that belong to the current write partition. To delete persistence entries in different virtual servers that belong to different partitions, first specify the write partition by running the command b shell write partition <partition-name>, and then run the delete command again.

b snat <name> automap origin all and pvad restart (CR85753)
If you run the command snat <name> automap origin all, the pvad process might restart on BIG-IP systems running Packet Velocity® ASIC version 10 (PVA10). If the restart occurs, the system displays the message Re-starting pva. This occurs because b snat <name> automap origin all is not the correct syntax for this command. To correctly specify this command, use any or any6 in place of all. The correct commands are as follows: snat <name> automap origin any (for IPv4-formatted SNATs) or snat <name> automap origin any6 (for IPv6-formatted SNATs).

Empty trunk as VLAN member and self Layer 3 connectivity (CR85801)
If an empty trunk is a member of a VLAN on system startup, then Layer 3 traffic might not pass over the trunk when interfaces are added to the trunk configuration later on. The workaround is to always add at least one interface to the trunk group before making that trunk a member of a VLAN.

iRule parser and opening brace followed by content (CR85806, CR89870)
The iRule parser can fail to correctly parse and load an iRule from the command line, even though the iRule loads correctly using the Configuration utility. This issue occurs when the parser encounters an opening brace followed by data or a command. This issue does not affect loading the iRule from the Configuration utility for the first time, but subsequent loads will fail when the iRule is read, as the iRule is copied verbatim to the configuration file. For more information about this issue, see SOL7988: The iRule parser can fail to correctly parse and load an iRule from the command line.

Local Administrator user same as remote Administrator user and delete local Administrator user (CR85867)
If your configuration has the same Administrator user with both a local account and a remote account, and you delete the local Administrator account, when the remote user later logs on and attempts to perform Administrator-related operations, the system presents an error. In this case, you should have another user with the Administrator role perform the operations.

persist show all command and persistence connection details (CR85914)
The persist show all command returns the value PERSIST, and does not give persistence connection details. The workaround for this is to use the command persist all show.

SNAT pool named default and system load (CR85933)
In previous releases, you could name a SNAT pool using the name default. In this release, the system no longer supports a SNAT pool named default. If your existing configuration contains a SNAT pool with the name default, the configuration cannot load, which leaves the system in an unusable state. To work around this issue, first rename the SNAT pool to another name, and then try loading the configuration.

Copper SFP support for the BIG-IP 3410 (CR85940)
This version of the software does not support copper Small Form Pluggable (SFP) interfaces on the BIG-IP 3410. The problem is restricted to the use of copper SFP interfaces on the BIG-IP 3410. This release does support the fiber SFP interfaces on the BIG-IP 3410.

Persistence profile and selection with iRules (CR85958)
You can select a persistence profile type using iRules. You cannot specify a persistence profile name. If you specify a persistence profile name, when you try to load the configuration, the system presents an error.

Archive-creation/UCS-restore and progress status indicator (CR85964)
When you create an archive or restore a UCS configuration, the system posts the following message during processing.

The "Operation status"
   "Saving active configuration..."

The operation does complete successfully, and sends confirmation output to the screen, but it might take longer than you expect. During the operation, there is no progress indicator, so there is no way to know that the operation is still proceeding. You can click the OK button, and navigate to the Archive list or objects screen. The resulting screen might not show the archive or objects you expect, however, if the operation is not complete. If you click an entry in the list, the screen might post a message indicating that the archive or object is loading. This is currently part of the archive-creation and UCS-restore process. The operations themselves complete successfully.

LCD brightness ON/OFF (CR85970)
There are LCD brightness ON/OFF options, available on the LCD panel on some BIG-IP platforms. Setting these brightness levels can affect the way the switch card control processor (SCCP) kernel turns off the backlight on the LCD. For example, if you set the brightness ON option to the minimum level and brightness OFF option to the maximum level, the LCD is now always on and turns off when you press a key. Other settings might result in other unexpected behavior in the LCD. There is no workaround, but these issues are display-related and do not affect system operation.

BIG-IP 8800 and the b platform show command (CR85976)
If you have a BIG-IP 8800, when you run the b platform show command, you might see BIG-IP 9400 as the output. This is an issue only in the text that the operation presents.

CPU fan speed low (120) alert (CR86023)
Occasionally, the first time the system returns a CPU fan speed setting, the system presents a possibly spurious alert indicating that the CPU fan speed is too low. If you receive the message CPU fan speed low (120), try running the command again. If the alert persists, it indicates an actual error condition. Often, however, running the command a second time clears the spurious alert and returns the correct setting.

configsync.password is encrypted incorrectly alert after upgrade (CR86031)
After upgrading you might encounter the error configsync.password is encrypted incorrectly. This error indicates that the system cannot use the encrypted password. The workaround is to change the encrypted password to a regular text string. You can make this change by modifying the line password crypt <encrypted_password> in the /config/bigip.conf file to read password <regular_text_password>. For example, if the line in your /config/bigip.conf file reads as follows:

password crypt egJiLT\[DAfHeAKjq=TQTT7MARj//>LNDE_q_TKK7:k?FrP

you would change it to this:

password admin

After changing the /config/bigip.conf file, run the b load command on the command line.

error: bigdbd has started, but mcpd hasn't alert and installation (CR86072)
If you need to run bigstart restart during installation, you might see the following alert: error: bigdbd has started, but mcpd hasn't..... The appearance of the message is intermittent, incorrect, and occurs as a result of a timing issue. In fact, the mcpd process is starting up, and the system should start up correctly.

b import - and Ctrl + D with no content (CR86083)
If you invoke b import - (the option that supports pasting previously copied text to the waiting prompt), and then type Ctrl + D without pasting content, the system correctly overwrites the running configuration. The resulting configuration lacks base configuration information, so it cannot load properly. If you are already in this situation, you can recover by using the backup.scf file. A preferable option is to halt the in-progress import operation by typing Ctrl + C instead. This leaves the original configuration unchanged.

snapshot command and boot locations for the -s parameter (CR86131)
When performing a backup or restore operation, the snapshot command requires that you specify a boot location (using the -s parameter). The -s parameter requires a case-sensitive identification string, such as HD1.1 or HD1.2. Displaying help for the snapshot command using the snapshot -h command does not specifically identify the boot locations on your device. You can use the switchboot -l command to determine what boot locations are present on your device and what version is installed in each of them. The following list is an example of output from the switchboot -l command.

 config # switchboot -l

 Current boot image:
     CF1.1 - BIG-IP 9.4.2 Build 228.6
 Default boot image:
     CF1.1 - BIG-IP 9.4.2 Build 228.6
 Available boot image(s):
     HD1.1 - BIG-IP 9.4.0 Build 529.7
     HD1.2 - BIG-IP 9.4.1 Build 29.8
     CF1.1 - BIG-IP 9.4.2 Build 228.6

Note that the snapshot -s command does not support CompactFlash® media drives, so boot location CF1.1 is not valid as a snapshot -s value.
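The following added example (not part of the F5 release note or tooling) shows one way to derive the valid snapshot -s values from switchboot -l output, applying the case-sensitivity and CompactFlash rules described above. The function names are hypothetical, and the embedded sample is the output shown in this note.

```shell
#!/bin/sh
# Constructed sample: the `switchboot -l` output reproduced from this note.
sample_switchboot_output() {
cat <<'EOF'
Current boot image:
    CF1.1 - BIG-IP 9.4.2 Build 228.6
Default boot image:
    CF1.1 - BIG-IP 9.4.2 Build 228.6
Available boot image(s):
    HD1.1 - BIG-IP 9.4.0 Build 529.7
    HD1.2 - BIG-IP 9.4.1 Build 29.8
    CF1.1 - BIG-IP 9.4.2 Build 228.6
EOF
}

# Read `switchboot -l` output on stdin and print "LOCATION VERSION" for each
# available boot image that can be passed to snapshot -s.
# CompactFlash (CF*) locations are skipped because snapshot -s rejects them.
snapshot_locations() {
    awk '
        /^[ \t]*Available boot image/ { in_list = 1; next }
        /^[ \t]*[A-Za-z].*:[ \t]*$/   { in_list = 0; next }  # other section header
        in_list && $2 == "-" {
            if ($1 ~ /^CF/) next
            print $1, $4
        }
    '
}

# Return 0 only when $1 exactly matches a usable location.
# The comparison is case-sensitive, as the -s parameter requires.
is_valid_snapshot_location() {
    wanted=$1
    snapshot_locations |
        awk -v w="$wanted" '$1 == w { found = 1 } END { exit !found }'
}

# Demonstration on the constructed sample.
sample_switchboot_output | snapshot_locations
```

On a live system, pipe the real command instead: switchboot -l | snapshot_locations.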

NTP server time.f5net.com (CR86133)
The command bigpipe ntp servers time.f5net.com is an example given by b ntp help. When you run this command, the system presents an error: 012e0022:3: The requested value (time.f5net.com) is invalid. This occurs because time.f5net.com already exists as an NTP server.

IPv6 addresses as default routes (CR86164)
Although you can use the Configuration utility to add a default route pool using a pool of IPv6-formatted IP addresses, the system does not correctly save the information in the New Routes screen under Routes or in the bigip.conf file. In this case, the default route is not loaded into the system correctly. You can specify an IPv6 default route by selecting Route from the Type list, and then specifying :: (two colons) in both the Destination and Netmask boxes.

b <object> edit command (CR86175)
Although the b <object> edit command is referenced in product documentation, the command is disabled in this release. If you run the b <object> edit command, the system presents an error indicating that the feature is not implemented in this release. For example, if you type b virtual edit, the system presents the following message:

BIGpipe parsing error:
    01020005:3: The requested operation is not implemented yet.

User role and access partition change in the same operation (CR86261)
Users with role of Administrator or Resource Administrator always have access to all partitions and the partition access is set to All automatically. If you change an Administrator or Resource Administrator to a lesser role, Manager, for example, and at the same time, you change partition access to a specific partition, the system registers only the user role change. The partition retains the old setting of All. To work around this issue, perform two operations, one to change the role and one to change the partition.

Partition access and the config save and install class of commands (CR86303)
When an administrator user with restricted partition read access performs configuration synchronization, the results might be unexpected. For example, administrators can set the read partition attribute to a specific partition (instead of all). When such a user then runs a b config save <filename.ucs> command, the system saves to the user configuration set (.ucs file) only those objects that match the specific partition. If another user, such as one with the Administrator role who has access to all partitions, runs the b config install <filename.ucs> command on the same file, the system tries to load the file containing only partition-specific objects, which might result in a nonfunctional system.

Note: We recommend using care when enabling advanced shell access (also called bash access) for users with the Resource Administrator role. Using the advanced shell can render the system inoperable in a number of ways. Therefore, we recommend assigning bigpipe shell access to Resource Administrator accounts.

Version 9.3, 9.4, 9.4.1 installation cancel on systems with other versions (CR86508)
If you have a system that contains existing 9.x installations on one or more slots, when you run the 9.3, 9.4, 9.4.1, or 9.4.2 installer, the process presents a summary screen, where you can choose to continue or cancel the operation. If you elect to cancel, the process halts. If you attempt to run a switchboot command at this point, the operation fails. If you run the 9.4.2 installer at this point, the process erroneously reports all slots as empty. After you cancel the 9.4.2 installer, before continuing, you should first run the grub_close command on the command line or reboot the system. Then when you run the 9.4.2 installer, the system recognizes the existing installations.

Virtual server using NAT IP address (CR86599)
A virtual server should not be allowed to use an IP address that is already present as the translation address of a NAT. This rule is currently not enforced.

NAT using self IP address (CR86600)
A NAT should not be allowed to use a BIG-IP system's IP address, but currently does allow it.

iRule: TCP::bandwidth (CR86670)
If the command TCP::bandwidth is used in an iRule, the /var/log/ltm file entry incorrectly shows the bandwidth as 0.

ZebOS 7.5 (CR86692)
ZebOS is now upgraded to version 7.5.

Ramcache URI Caching drop down default (CR86812)
In the Configuration utility, navigate to Local Traffic-->Profiles-->http-->ramcache, add URI to PIN and update the screen.
The resulting screen shows Not configured in URI caching field.
Modify any other fields, or just click Update, and the PIN URI is also removed from the profile.
However, the URI is actually added in the PIN, which can be verified in command line utility.

Modifying cookie persistence hash method (CR87509)
In the Configuration utility, when the cookie persistence profile method Cookie hash is changed to HTTP cookie insert, it gives this incorrect MCP validation message: cookie mode hash requires a cookie name.

FTP stats (CR87641)
There are some statistics problems on a standard FTP virtual server.
1. For active mode, the in/out distinction is reversed for virtual and virtual address.
2. For passive mode, pool and member stats are not incremented.
3. For either mode, one less inbound packet is counted against virtual address than for virtual. Relatively minor, but still a discrepancy.

Persistence methods using Configuration utility (CR87645)
The Configuration utility is unable to assign all supported persistence methods to fallback. The Configuration utility can only assign the source addr persist profile to fallback persistence. The workaround is to make the assignments using the command line utility. After that, the Configuration utility still does not display the profiles in the Fallback drop down list.

Copying license requires second reboot (CR87806)
If a license is manually copied to a server and the server is rebooted, a second REBOOT REQUIRED prompt is displayed.
A workaround to avoid having to perform the second reboot is to copy the license and then run the mprov command before rebooting.

ONECONNECT::detach iRule (CR87848)
When the ONECONNECT::detach command is used in an iRule, it does not detach the connection from the ONECONNECT pool.

iRule TCL class coerced to wrong type (CR87914)
If an iRule uses a TCL class as a command, the class is coerced into a TCL command name, which renders it useless for any typical class use. Using the class in a matchclass command causes an error, as the command expects a class variable. Errors such as Invalid command name or Invalid matchclass operands are then written to the /var/log/ltm file.

Example code:
 class valid_methods  {
    "GET"
    "HEAD"
    "OPTIONS"
    "POST"
 }
 
 rule error_rule {
    when HTTP_REQUEST {
       log local0. "Hello [$::valid_methods]"
 
    }
 }

ip tos to client and server profile entries (CR88138)
A profile entry of ip tos to client 10 or ip tos to server 10 works for two consecutive requests, but does not work for the next two consecutive requests.

Help page for iiop command (CR88272)
There are currently no help/man pages available for the iiop command.

AuthZ password (CR88562)
The AuthZ Configuration utility for custom non-admin users does not change the password when the password is too short, but does not display an error message.

Guest user in Custom partition (CR89128)
A Guest user in a Custom partition is incorrectly allowed to reset pool statistics using the command bp pool all stats reset.

pvad warning message (CR89262)
The following warning message should be a debug message and can safely be ignored: WARN at ../modules/hudproxy/bigproto/pva/pva_connection.c:997 Unknown table type 5, discarding

Docs for TCP MSS proxy setting (CR89726)
F5 documentation indicates that MSS proxy is supposed to default to enable, but in fact defaults to disable.

Installing UCS on empty volume (CR89869)
There is a problem installing a saved UCS file to an empty volume on the same system because the host names are different. The workaround is to use the /bin/hostname command.

Statistics profile name (CR90027)
The statistics profile name should not start with a number. This is allowed by the Configuration utility, but not allowed by the command line interface. If a number is specified as the first character, a subsequent b load command produces the following example error: BIGpipe rule query error: 012e0010:3: Unrecognized value for the profile stats field3 attribute: 1test_C395050.

Spanning Tree General Database Error (CR90203)
On the Network -> Spanning Tree -> screen, clicking Last Topology Change results in a General Database Error. Subsequently, Spanning Tree information is no longer available.

Error messages during clean install (CR90976)
You can safely ignore these error messages during a clean install (No roll forward configuration): ......error: 'Basexx.0.core' must be of the form name=value and Warning: loading /lib/modules/2.4.21-9.4.4.16.0smp/kernel/drivers/net/lasthop.o will taint the kernel: non-GPL license - Commercial

2400 platform copper to fiber failure (CR91157)
Traffic that was previously flowing through a copper port cannot resume when connectivity is moved to a fiber port until ARP timeout. This is despite both the fiber and copper ports belonging to the same VLAN.

Back button does not work (CR92148)
The Back button does not work in one instance in the installer. Run the installer normally, and choose Discard Installation for two slots without changing the third. Go all the way to the Summary screen, then use the Back button to get to the Setup Menu again. At this stage, the Back button only refreshes the Setup Menu, and the Select default boot location option no longer works; it just refreshes the Setup Menu.

SIP Info persist (CR92488)
If a virtual server is using a SIP profile, but no SIP Info Persist profile, persistence on the Call-Info SIP header is still performed. A workaround is to create a SIP Persist profile for a non-existent SIP field, and use the source IP address for the backup persist profile.

Dynamic routing with long VLAN names (CR92808)
The dynamic routing subsystem currently does not correctly handle VLAN names longer than 15 characters. The tmrouted daemon will keep restarting if a long VLAN name is present in the configuration.
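The following added example (not F5 code) scans a base configuration for VLAN definitions whose names exceed 15 characters and lists the lines that reference them, so they can be renamed before dynamic routing is enabled. It assumes the vlan <name> { stanza form shown elsewhere in this note; the self stanza in the sample, the sample names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Longest VLAN name the dynamic routing subsystem handles, per this note.
MAX_VLAN_NAME=15

# Constructed sample of a bigip_base.conf fragment (not from a real system).
sample_base_conf() {
cat <<'EOF'
vlan internal {
   interface 1.1
}
vlan dmz_partner_extranet {
   interface tagged 1.2
}
self 10.0.0.1 {
   netmask 255.255.255.0
   vlan dmz_partner_extranet
}
vlan fifteen_chars_x {
   interface 1.3
}
EOF
}

# Read a configuration on stdin. Print:
#   DEF <line> <name> <length>  for each over-long VLAN definition
#   REF <line> <name>           for each other line that names such a VLAN
long_vlan_names() {
    awk -v max="$MAX_VLAN_NAME" '
        { key[NR] = $1; val[NR] = $2; nf[NR] = NF }
        # A definition is "vlan NAME {"; a reference is "vlan NAME" alone.
        $1 == "vlan" && $3 == "{" && length($2) > max {
            long[$2] = 1
            printf "DEF %d %s %d\n", NR, $2, length($2)
        }
        END {
            for (i = 1; i <= NR; i++)
                if (key[i] == "vlan" && nf[i] == 2 && (val[i] in long))
                    printf "REF %d %s\n", i, val[i]
        }
    '
}

# Return 0 when the configuration on stdin has no over-long VLAN names.
vlan_names_ok() {
    [ -z "$(long_vlan_names)" ]
}

# Demonstration on the constructed sample.
sample_base_conf | long_vlan_names
```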

Installer offers incompatible configurations (R92948)
When you run an older installer, it finds and offers newer and incompatible configuration files in the Saved Configuration screen.

bigpipe version error on quit (CR92953)
When you type q to abort the command b version | more, the following error can safely be ignored:

BIGpipe parsing error:
 01020058:3: Error writing to a file.

Multiple interfaces in a VLAN never pass traffic (CR93045)
If a VLAN has multiple interfaces, disabling all of the interfaces, and then enabling them, results in all pool members being marked down and no traffic is passed on the VLAN. Running the bigstart restart command and doing a reboot does not mark the pool up. This does not happen with a single interface associated with a VLAN. A workaround is to physically disconnect the interfaces and then reconnect them.

pvad + TMM core when forwarding virtual server created (CR93078)
On a 3400 platform, the pvad daemon and Traffic Management Microkernel (TMM) both core dump and continuously restart after the first attempt to create a virtual server of type forwarding IP/layer2. Subsequent attempts core dump only pvad. The following errors appear in the /var/log/ltm log file:

 Jan 28 20:58:01 ltm59 pvad[1783]: 01130005:3: ../LogStream.cpp:89 - no obj w/key=fastL4 w/rel1 to obj w/key=test fastL4 - Expression 'relObj != Global::cfg.end()' failed in '../GraphBuilder.cpp', line: 301
 Jan 28 20:58:01 tmm tmm[1625]: 01010007:3: Config error: virtual_server_profile bad profile
 Jan 28 20:58:02 ltm59 pvad[7200]: 01130003:6: Starting pvad
 Jan 28 20:58:03 ltm59 pvad[7200]: 01130003:6: MCP connected!
 Jan 28 20:58:03 ltm59 pvad[7200]: 01130003:6: Log level changed to: Informational

SNMP configuration and upgrade (CR98109)
If you upgrade from 9.4.1, or earlier, to version 9.4.2, or later, the system does not roll forward the Simple Network Management Protocol Version 3 (SNMPv3) access records in the /config/snmp/snmpd.conf file. This occurs because the format of where the system stores SNMPv3 information has changed. In addition, there are some password-related limitations that prevent the upgrade process from automatically carrying forward the SNMPv3 access record information. Once you upgrade to version 9.4.2, or later, you must add the SNMPv3 access record information from your pre-9.4.2 configuration.

OID F5-BIGIP-LOCAL-MIB::ltmRuleEventScript (CR100412)
The OID F5-BIGIP-LOCAL-MIB::ltmRuleEventScript has been deprecated. As an alternative, you can use iControl functionality to monitor iRule content.

TM.ContinueMatching behavior change (CR112535)
In versions 9.0.x through 9.3.x, the variable bigpipe db TM.ContinueMatching is set to true. Beginning with version 9.4, the variable is set to false. This change in behavior affects how systems process traffic when the desired virtual server is disabled or down and a lower precedence virtual server is available. For more information, refer to SOL8009: Change in Behavior: The bigpipe db TM.ContinueMatching variable is now set to false and SOL6459: Change in Behavior: Order of precedence for virtual servers.

Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Swapping the tagged status of VLAN members (CR52674)

This workaround describes how to swap the tagged status of VLAN members. For a description of the known issue, see Tagged status of VLAN members.

The workaround is to delete the members from both VLANs, and then add them to the VLANs again with the revised tag status.

For example, if you have the following configuration:

 vlan vlan1 {
 interface 1.1
 }
 vlan vlan2 {
 interface tagged 1.1
 }

You can swap the tagged status of interface 1.1 between vlan1 and vlan2 by first typing the following commands:

 bigpipe vlan vlan1 interface 1.1 delete
 bigpipe vlan vlan2 interface 1.1 delete

This deletes member 1.1 from each VLAN. Then, to add the members again, use the following commands:

 bigpipe vlan vlan1 interface tagged 1.1 add
 bigpipe vlan vlan2 interface 1.1 add

Alternately, you can modify bigip_base.conf file, as follows:

 vlan vlan1 {
 interface tagged 1.1
 }
 vlan vlan2 {
 interface 1.1
 }

Finally, you must run the bigpipe base load command.

Configuring RAM Cache for an HTTP profile (CR54077)

This workaround describes how to use the CACHE::enable and CACHE::disable commands in an iRule to configure RAM Cache for an HTTP profile. For a description of the known issue, see RAM Cache for HTTP profiles.

 class cacheable {
  ".bmp"
  ".gif"
  ".jpg"
  ".pdf"
  ".BMP"
  ".GIF"
  ".JPG"
  ".PDF"
 }
 rule ramcache_rule {
  when HTTP_REQUEST {
    if { [matchclass [HTTP::path] ends_with $::cacheable] } {
      CACHE::enable
    }
    else {
      CACHE::disable
    }
  }
 }

Enabling port translation and address translation (CR65341, CR66193)

This workaround describes how to enable port translation and address translation for the virtual server, which is required if you are using the Application Security Manager (ASM) with a wildcard virtual server or a wildcard pool. For information about the known issue, see Application security with wildcard virtual servers and pools.

Note: The following task assumes you are updating an existing virtual server.

To enable port translation and address translation
  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
    The Virtual Server Properties screen opens.
  3. Above the Configuration area, click Advanced.
    The screen refreshes, and you see additional configuration options.
  4. Check the Address Translation option.
  5. Check the Port Translation option.
  6. Click the Update button.
    The system saves any changes you have made, and displays Enabled next to the Address Translation and Port Translation options.

Adding remote users as local users (CR67912)

This workaround describes how to add remote users as local users. For a description of the known issue, see Remote users as local users.

To add a user to the system, you must log in as an administrator. Once logged in, you can use any of the following methods to add a remote user as a local user.

To add a user from the command line interface
  1. Delete the user from the system using the following command at the BIG-IP system prompt:
    f5rum delete <username>.
  2. Add the user to the system as a local user.
To add a user from the command line interface (alternative method)
  1. Delete all users from the system using the following command at the BIG-IP system prompt:
    tw_activate_keys users.localonly.
  2. Add the user to the system as a local user.
To add a user from the browser-based Configuration utility
  1. In the navigation pane, expand System and click Users.
    The User List screen opens.
  2. Click the Authentication tab.
    The Authentication screen opens.
  3. Click the Change button.
    The screen refreshes to show a list in User Directory.
  4. Without making any changes, click the Finished button.
    The Authentication screen opens.
  5. In the navigation pane, click Users.
    The User List screen opens.
  6. Click the Create button to open the Create User screen, where you can add the user as a local user.

Deleting RAM Cache entries (CR72173)

The following workaround describes how you can delete RAM Cache entries. For information about the known issue, see RAM Cache entries and delete.

  • To delete an individual RAM Cache entry, you must fully specify the URI and host (for example, uri /Badger.html host 10.253.10.180:80 delete).
  • To delete all of the RAM Cache entries for one or more HTTP profiles, specify each HTTP profile name, separated by a space, followed by ramcache entry all delete (for example, bigpipe profile http myhttp yourhttp ramcache entry all delete).
  • To delete all of the RAM Cache entries for all of the HTTP profiles, use the following command: profile http all ramcache entry all delete.

Note that the http profile <profile http key list> ramcache entry show command allows more flexible matching of URI and host names than the above.

Preventing the semicolon inserted by the HTTP::cookie insert iRule (CR73619)

You can use the following iRule to prevent the HTTP::cookie insert iRule from inserting the semicolon at the end of the cookie header. For information about the known issue, see HTTP::cookie insert iRule and trailing semicolon in cookie header.

when HTTP_RESPONSE {
  HTTP::cookie insert name "TZS" value "ABC123"
  HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie] path=/code"
  HTTP::cookie insert name "OTHER" value "ABC123"
  HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie] path=/other"
}

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com

