Software Release Date: 04/17/2008
Updated Date: 03/08/2011
This release note documents the version 9.6.1 release of VIPRION™. We recommend this general sustaining release only for those customers who want the fixes listed in New features and fixes in this release and Features and fixes introduced in prior releases. You can run this version of the software only on the VIPRION chassis.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available in the AskF5℠ Knowledge Base, http://support.f5.com.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 Knowledge Base web site.
The minimum system requirements for this release are a VIPRION system with a four-slot chassis with at least one blade installed.
The supported browsers for the browser-based Configuration utility are:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
Clustered dynamic routing
The VIPRION system now includes additional advanced routing modules for implementing dynamic routing. Based on the ZebOS set of dynamic routing protocols, these new modules correspond to the Border Gateway Protocol 4+ (BGP4+), Open Shortest Path First (OSPF) version 3, Routing Information Protocol (RIP) version 2, and Routing Information Protocol next generation (RIPng). BGP, OSPF version 3, and RIPng support the IPv6 addressing format. With the addition of these modules, this release now supports a comprehensive set of dynamic routing protocols:
Note: Although this version supports OSPF version 3, at this time we do not support graceful restart in OSPF version 3. Graceful restart is the process by which a restarting router informs its adjacent neighbors and peers of its condition.
Support for more than two boot locations
The VIPRION system now provides support for four boot locations.
General licensing properties display and browser refresh (CR79546)
This release corrects the occasional and intermittent incorrect display of the General Properties screen for Licensing.
iRules using the persist command and connection failure (CR82130)
The system now correctly handles the persist lookup or persist add command in an iRule. Previously, use of these commands might have caused a failure that ended the connection in certain cases.
Error message misleading when creating duplicate-name monitor (CR84843)
In this release, when you attempt to create a monitor using a name that represents an existing monitor in another partition, the system presents the correct error message. Previously, if you tried to create a monitor named gate, and a monitor named gate existed in another partition, the system presented the following error message: The requested monitor template (gate 1) already exists. Now, the message content is similar to the following error message: The requested monitor template (gate ltm_obj) already exists.
Slot number reported by blade swapped to new slot (CR87103)
Previously, if you moved a blade to a different slot, the blade sent syslog messages using the previously active slot number, until the system reached the high configuration phase. Now, the blade uses the correct slot number as soon as you move it.
Device error messages in ltm.log file (CR87961)
The system no longer writes erroneous Device error messages into the ltm.log file. Now, the system logs as critical only those errors that actually are critical.
clusterd restart and fpdd restart with errors (CR88195)
In the previous release, when the clusterd process restarted, the fpdd process restarted as well. Now, only the clusterd process restarts, as expected.
syslog-ng error in boot.log when starting or restarting (CR88600-1)
The system now correctly handles loading of the macro escaping template, so there is no longer any erroneous syslog-ng error in the boot.log file.
bp load bigip_base.conf and daemon restart (CR88980)
The system now interprets the command bp load bigip_base.conf as a b base load command, and no longer incorrectly restarts all running processes.
stp parameter limits (CR89762)
The Configuration utility now correctly constrains input for the stp configuration revision parameter to its 65535 limit.
diskmonitor error in the var/log/ltm file (CR89776)
In this release, the system no longer writes a benign diskmonitor error message to the /var/log/ltm file once every half hour.
VLAN failsafe and bigstart restart command (CR89893)
In the previous release, if you disabled a configured VLAN fail-safe and then reenabled it, the system required a restart operation for the fail-safe definition to work. Now, the system correctly enables the VLAN fail-safe definition, and does not require a restart operation.
System services restart required message in Configuration utility (CR89976)
In the previous release, an erroneous restart required message might show in the Configuration utility after activating the license on a newly installed system. Now, the system correctly restarts, so the erroneous message no longer appears.
New license activation and daemon restart (CR90110)
In this release, when you activate a new license or add-on module on the chassis, the system automatically restarts the system daemons, so no manual intervention is required.
clusterd logs and min up members setting (CR90118)
In this release, when you specify a value for min up members, but you have not enabled the min up members feature, the clusterd process no longer logs the extraneous action clusterd: 013a0006:5: Too many members known unavailable, triggering min up members action.
bigpipe commands after blade swap (CR90244)
In this release, the primary blade performs the correct cleanup on secondary blades, which corrects the 16-minute delay condition that could occur in previous releases.
Active/standby cycling for units in a redundant system (CR90248)
In the previous release, both units in a redundant system could cycle through the active and standby states if the min active members conditions were not met. The system now handles this condition, so the units adopt the correct state, as appropriate.
VLAN MAC address and configuration changes (CR90445)
When adding or deleting VLANs, the VLAN Media Access Control addresses (MAC addresses) for existing VLANs are retained, so monitors no longer flip between up and down.
Software image deletion while performing an installation (CR90691)
In this release, the browser-based Configuration utility presents an error message and prevents you from deleting an installation image that is in the process of installing. Previous releases allowed the deletion of in-use installation images. This occurs only in the Configuration utility. The command line utility allows you to delete an in-use installation image, although doing so might have unexpected results.
Configuration files from the Windows environment (CR90692)
In the previous release, if you loaded a single configuration file that was created or modified on the Microsoft® Windows® platform, the system returned parsing errors because of the carriage returns in Windows text files. In this release, the system correctly loads single configuration files created or modified on the Windows operating system.
New blade in lower slot number than the primary blade (CR90945)
In the previous release, if you stopped all blades and then configured a new blade in a lower slot number than the primary, the new, lower-slot-number blade immediately became the primary, which caused startup issues. Now, the blades restart and the configuration loads correctly under these conditions.
Unlicensed system and bigpipe commands (CR90946)
In the previous release, when a box was unlicensed, many bigpipe commands were not available on the secondary system, and some configuration changes such as hostname or ntp configuration were not propagated to the secondary system. Now, on the secondary system, the system supports the appropriate bigpipe commands, and propagates the appropriate configuration changes.
USB drive support (CR90773, CR90966)
The system now supports using a USB thumb drive as a source for an installation image. Previously, it did not.
Common partition and other external user access (CR91050)
Previous releases did not support partitions other than Common. This release supports the Common partition as well as other external user access partitions.
SCF import from previous SCF and benign daemon restart (CR91102)
Previously, if you imported a modified 9.4.x single configuration file (SCF) that included cluster information and new interface names, all daemons restarted on import of the SCF file. Now, the daemons do not restart. This is correct behavior.
Remote authentication information in configuration file (CR91148)
In the previous release, some information for remote system authentication might have remained in the running configuration after an import default operation, although the system did not use the information. In this release, the system removes extra information from the running configuration after an import default operation.
Duplicate certificate subject display (CR91241)
In the previous release, CR91241 was erroneously listed as a known issue. In fact, the system did not display duplicate entries in the Certificate Subject(s) list.
Blade-specific management IP address (CR91355)
In the previous release, the system deleted management IP addresses you created before you plugged in the blade. Now, you can create the management IP address, and the system preserves it when you plug in the blade.
Mirroring FTP virtual servers (CR91356)
Configuring a redundant system with inter-cluster (between-cluster) mirroring on a virtual server that uses an FTP profile no longer affects file transfers through that virtual server. Beginning with this release, you can configure virtual servers using an FTP profile with mirroring enabled.
Cluster online help (CR91359)
In the previous release, some of the options in the Cluster online help did not match the screen. Now they do.
no cluster mbr address found message (CR91381)
In the previous release, when you clicked the Enable or Disable/Yield button on a Properties screen of a secondary device, the system incorrectly issued an error message similar to the following in /var/log/ltm: Dec 20 14:06:23 local/RackB29 err clusterd: 013a0004:3: no cluster mbr address found, though there was no error. In this release, the system no longer issues this extraneous error message.
Peer management IP address retention (CR92281)
The peer management IP address is now written to the bigip_base.conf file when configured using the Configuration utility, and the system retains the setting through subsequent b config sync and b load commands.
Nodes and pool members removed from bigip.conf (CR92882)
When you manually remove disabled nodes or pool members from the bigip.conf file, and then run the b load command to load the configuration, the system now correctly marks those nodes or pool members up.
VLAN fail-safe restart and system usability (CR92885)
The default VLAN fail-safe is Restart All, which causes a failover and restarts the Traffic Management Microkernel (TMM) and the bcm56xxd utility (but not all daemons). In addition, when the TMM restarts, the tmrouted service also restarts. We have found that this behavior for VLAN fail-safe makes the system more usable.
VLAN fail-safe re-arm timeout (CR92887)
The VLAN fail-safe timer now has new re-arm timeout functionality. Although the system preserves the user setting for the Failover.VlanFailsafe.StartupTimer setting, when the timer is rearmed after the VLAN fail-safe timer fires, it uses the re-arm timeout instead. This allows aggressive settings for VLAN fail-safe, while at the same time guarding against continuous, frequent firing of VLAN fail-safe. The default value is 90, and the valid range is from 30 to 32767. You can set the value using the b db Failover.VlanFailsafe.StartupTimer <value> command.
VLAN fail-safe failover actions (CR95204)
This version of the software contains new actions for VLAN fail-safe. These actions specify VLAN operation after a timeout. The actions are Failover, which specifies that the system fails over to its peer, and Failover Restart TM, which specifies that the system fails over to its peer and restarts the traffic manager.
Interface state after VLAN fail-safe restart (CR95542)
In the previous release, with the Restart All action set for VLAN fail-safe, after the VLAN timed out, interfaces that were in the Disable state were marked up or down. Now, the interfaces correctly remain in the Disable state after the Restart All VLAN fail-safe action completes.
Software Management screen and software image upload (New behavior)
In the previous release, the Software Management screen used a hard-coded value of 10 seconds to refresh the contents of a screen. In this release, the system initially uses the Screen Refresh Interval from the System: Preferences screen (which has a default of Disabled). The system then tracks the value you select in a Screen Refresh Interval list (such as the one on the Preferences screen), or the value you select in an Auto Refresh list (such as one on any Statistics screen, or the one on the installation properties screen). If there is no value specified, when you start an installation operation, the screen does not show installation progress. If there is a value specified, the screen does not show installation progress until after the refresh interval passes. You can set or shorten the refresh interval to have the screen update more frequently. In addition, you can navigate to another screen, so that the screen updates when you navigate back to the installation properties screen. The software installs correctly, whether or not there is an interval set.
User exists behavior change (CR98048)
In previous releases, when you tried to create a user that already existed, the system presented an error message indicating such. In this release, the system detects this condition and instead of presenting an error message, changes the operation to a modify operation.
The current release includes the new and fixed items that were distributed in prior releases, as listed below. (Prior releases are listed with the most recent first.)
VIPRION system chassis hardware support
This release exists to support the VIPRION four-slot chassis. The multi-slot chassis significantly reduces the amount of rack space required for your systems by housing blades instead of traditional switch systems. Hardware resources such as cooling and power systems, normally required for individual BIG-IP systems, are now part of the chassis instead.
This version of Traffic Management Operating System™ (TMOS®) supports clustering of up to four blades in a chassis, so that the system can be managed as a single unit (cluster). The VIPRION™ system's cluster technology means that all blades in the cluster function as one high-performance VIPRION system. A cluster is a group of slots in the VIPRION system chassis. Each slot in the cluster represents a cluster member, and any blades that you insert into the slots of a cluster work together as a single VIPRION system to process application traffic. At all times, one of the blades functions as the primary blade, accepting management and application traffic requests and dispersing the workload to other blades in the cluster. With cluster technology, you utilize the power of multiple blades, but manage the entire cluster as if it were a single system.
This release adds support for session persistence mirroring when the Traffic Management Microkernel (TMM) is running in clustered multi-processing (CMP) mode. Previous releases of Traffic Management Operating System™ (TMOS®) supported persistence, but not when operating in CMP mode. Persistence mirroring is a mode of operation where the VIPRION system mirrors persistence records to other blades in the same cluster, or to the other cluster in a redundant system.
Clustered Live Install and configuration synchronization
It is possible to upgrade a cluster using the Configuration utility or the command line using the Live Install mechanism, so it's easier than ever to deploy a new software release. When you upgrade the software on the primary blade in the cluster of a running system, the system automatically propagates that software to the open boot location on other blades, with no interruption in traffic processing. When you configure Layer 2 and local traffic objects on the primary blade, and then insert a secondary blade, the system automatically propagates that configuration data to the secondary blade.
This release lists no specific fixes because it is a zero-level release.
The 9.6.1 release supports the following new, read-only Simple Network Management Protocol (SNMP) object identifiers (OIDs):
System OID Name
Blade temperature is too high.
A blade lost power. The blade may be removed.
The cluster daemon failed to respond for ten or more seconds.
A blade has failed and is offline.
A string that uniquely identifies a CPU. The string is constructed using the following format: [slot_id/]cpu[index].
The chassis slot in which the CPU resides. This is set to 0 in non-chassis systems.
This release contains the following known issues.
IPv6 addresses and prefixlen or slash notation (CR46710)
In IPv6-formatted addresses, you cannot use the prefixlen or slash notation (/24) for self IP address configuration. There is no workaround for this issue.
Sort order of profiles on different blades in a cluster (CR70849)
When you use the b profile <profile type> list command to display a specific type of profile, the sort order might differ from one blade to another in a cluster. There is no workaround for this issue.
Power cycle while Linux is loading during boot (CR71117)
Cycling the power at random intervals when Linux is loading during system boot can corrupt the file system in random and varying degrees. This occurs only while Linux is loading during system boot; after Linux is booted and the system starts up, the problem does not occur.
EULA file and local upgrade (CR75971-2)
The End User License Agreement (EULA) file (/LICENSE.F5) is lost during a local upgrade. This file is created when the EULA is accepted when you use the browser-based Configuration utility for licensing. The file is not stored in the UCS file, so if the upgrade process does not require a new license, the file is lost.
iControl: get_boot_image_information command and save_active_config (CR76743)
The save_active_config call is used in the System.SoftwareManagement.get_boot_image_information() command. However, because save_active_config should really only be required in set_boot_image_information(), this is an extraneous call.
Duplicated ping replies on initial communication between trunks (CR79205)
When using the ping utility to communicate from a VLAN with a trunk on the same blade to a VLAN on a trunk with cross-blade interfaces, there are multiple duplicated Internet Control Message Protocol (ICMP) replies the first time the system processes the ping request. When sending a ping request from the other direction (that is, from the VLAN with cross-blade interfaces to the single-blade VLAN), there are no duplicate replies. After the initial duplicate entries, subsequent ping operations from the single-blade VLAN do not cause duplicated ICMP replies.
Local user name longer than 32 characters (CR79938)
You can create a local authentication user name that is 33 characters or longer. When you use this name to log on to the console, or when you log on using SSH, the system presents a parsing error. However, the system allows the same user to successfully log on to the Configuration utility. To work around this issue, always have users whose names are longer than 32 characters use the Configuration utility to log on to the system. For information about user names longer than 150 characters, see Local user name longer than 150 characters.
tomcat4 and httpd4 processes restart at certificate synchronization (CR80089)
The tomcat4 and httpd4 processes restart when the system synchronizes the web server certificate using the rsync utility. This is expected behavior. However, these processes might also occasionally restart even when not synchronizing the web server certificate.
Baud rate setting and serial console access (CR80191)
In order to change the baud rate when you are using a serial terminal console server, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system.
Pool members status and connection limits (CR81778-1)
When the connection limit is reached on a pool member configured with a connection limit, the browser-based Configuration utility alternately marks the pool and the pool member unavailable and then available. The system should leave the pool and pool member unavailable until something causes a connection to close, at which time the system should change the status as appropriate.
Management traffic through external switches (CR81800)
The current version of the software does not automatically forward all management traffic to the cluster primary blade. As a consequence, you must connect each blade's management interface to an external switch on the management network. Doing so allows you to reach the cluster primary through the cluster management IP address, even if the cluster primary fails over from one blade to another.
iRules using the persist command and connection failure (CR82113, CR82129, CR82131)
Using the persist lookup or persist add command in an iRule might cause a failure that ends the connection in the following cases:
The workaround is to avoid using these persist commands in these cases. This condition might occur unpredictably because of how distributing persistence works in clustered multi-processing (CMP) systems, which could make it difficult to recognize the reason for this failure.
Link status after replacing tri-speed copper SFP with fiber SFP (CR83207)
If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status.
Configuration errors in bigip_base prevent config templates instantiation (CR84135)
The first time you configure a unit, if there is a configuration error in the bigip_base.conf file during load, the system does not instantiate several commands. For example, the system and dns commands are unavailable until the base load completes. That means that there is also no command-line-level help available for these commands. Instead, you can consult the Configuration Guide for the VIPRION™ System.
Outstanding SYN cookies and mirroring to peer blade (CR85850)
If you are running within-cluster mirroring and you enable SYN cookies, there is a small chance that an outstanding client cookie might not validate properly if the primary blade fails. This might result in a reset of a client response that received a synchronize-acknowledgement (SYN-ACK) response with a SYN cookie prior to the failover, but did not reply with an acknowledgement (ACK) until after the failover. A retry from the client succeeds after the failover. Note that this issue rarely occurs, since the embryonic connection count must exceed a predefined threshold (default 16384 * number of CPUs) before any SYN cookies are issued.
Cluster floating IP address of all zeroes (CR86078)
You cannot remove a cluster floating IP address of all zeros (0) using the command b cluster default addr none. To remove an IP address in this case, use the specific IP address instead.
ha table query lag time (CR86622)
Running the command bigpipe ha table can take a very long time to respond if you run the command within a short interval after the failover daemon is started. It might appear as if the system is halted, but it is not.
Cluster disable in Configuration utility and logon requirement (CR86716, CR90538)
If you use the Configuration utility to disable the cluster, you must log on again to reestablish a connection.
Activity and link LED reporting for management interfaces (CR86824)
The activity and link LEDs do not accurately indicate the speed and duplex mode of the management interface. The following table shows the current and correct functionality.
turns solid green
turns solid amber
turns solid amber
turns solid green
half duplex mode
full duplex mode
Unexpected proxy reply from %TMM (CR87279-1)
If the system sends a reset_stats message after a start_transaction message that has not been concluded with an end_transaction message, an error occurs similar to the following message: Oct 23 15:25:20 slot1.poritrin warning mcpd: 01070718:4: Unexpected proxy reply from %TMM.
400-level part numbers on Clusters screens (CR87406-6)
The Clusters screen in the browser-based Configuration utility shows 400-level part numbers that identify a specific revision of a hardware component. Such components include a blade's base-board and mezzanine board, and the chassis fan tray assembly. The screen should display the 400-level part numbers for all blades, however, in this release, an issue sometimes restricts display to only the 400-level part numbers of the blade to which you are directly attached. To work around this issue, navigate to the blade whose information you want to view and open the screen from there.
Firefox browser halt on image import cancellation (CR87968)
Canceling an image import while in progress causes the Mozilla® Firefox® browser to close unexpectedly and report an application error. Because the import partially completed, the failed operation leaves behind a file, named similar to the following: /shared/images/upload_00000005.tmp. This issue occurs only in Firefox browsers, and does not occur when using Microsoft® Internet Explorer®, version 6.x.
Error reporting for b mgmt route command (CR87969)
If you specify a management route that is not valid, the system does not post an error message as it should. The system also does not post an error message when a default route already exists and you specify another one. However, doing so has no effect.
session command in iRules (CR88446)
The iRules™ session command is not supported.
iControl support (CR88376, CR88434, CR88499, CR88695)
Not all methods available in the bigpipe utility are available in this release of iControl®. For example, this version of iControl supports some of the basic methods for the configuration of clustering, but not some of the more sophisticated capabilities that are specific to this release of the software.
Licensing or re-licensing from secondary blades (CR88721)
Although the system only supports licensing or re-licensing from the primary blade, the Configuration utility does not prevent you from doing so on secondary blades; however, the system then returns error messages. The error messages presented do not indicate the resolution, which is for you to complete licensing and re-licensing from the primary blade only.
Redundant system configuration (CR88878, CR90022)
When you configure a new redundant system, both units go offline momentarily until peer state is established. There is no workaround for this issue.
Cluster member status color (CR88918-15)
When you disable a cluster member, the Configuration utility correctly shows that member as black (unavailable), but running the b cluster command incorrectly reports the same member as green (available).
Case sensitivity for b software desired command parameter (CR89082)
The b software desired command parameter is case sensitive. Therefore, if you run the command b software desired HD1.1 active enable product big-ip version 9.6.0 build 572.0, it fails. If you run the command b software desired HD1.1 active enable product BIG-IP version 9.6.0 build 572.0, it completes successfully.
Empty data group (class) and configuration load (CR89147)
The command line interface does not prevent you from creating a data group with no entries. However, if you attempt to load the configuration, it fails.
Interface mirroring across blades (CR89283, CR89817)
This release does not support interface mirroring across blades. If you configure interface mirroring across blades, the system presents an error message and rejects the operation.
mcpd process on secondary blade when configuration validation fails (CR89312)
In this release, the mcpd process restarts and attempts to load the configuration again on the secondary blade when configuration validation fails.
Configuration changes during installation (CR89407)
During upgrade of an inactive boot location, if you make configuration changes after the installation process has started, the new installation does not reflect those changes. You should complete all configuration changes before installing software on the inactive boot location.
System description tables not found message when booting up (CR89447)
Every time the system boots, the system posts the following message:
Starting new kernel
ACPI: System description tables not found
ide2: ports already in use, skipping probe
Red Hat nash version 3.5.13 starting
Mounting /proc filesystem
These messages are benign, and you can safely ignore them.
Software Updates Auto Refresh Disabled option and screen refresh (CR89475)
If you select the Disabled option for Auto Refresh on the Software Updates screen and then manually refresh the screen, the system selects the 10 seconds option, and you must reselect Disabled.
b export command on a secondary blade (CR89508)
The system does not prevent you from running the command bp export <name>.scf file on a secondary blade; however, doing so causes the secondary blade to have files that the primary blade does not. Therefore, we recommend that you do not run the bp export command on the secondary blade.
b interface stats reset command on management interfaces (CR89594)
Running the b stats reset command has no effect on management interfaces. Management interfaces on all slots are ignored and statistics are not reset.
LICENSE INVALID in temporary license file prompt (CR89807)
After a clean installation, if the license file has not yet propagated to the secondary system, the process creates a placeholder license file containing the following content:
[root@localhost:/S1-P:LICENSE INVALID] config # cat bigip.license
# Placeholder for mprov memory calculations
[root@localhost:/S1-P:LICENSE INVALID] config #
Once you complete a valid licensing procedure, this content is replaced with the correct information.
SYN cookies issued from fastL4-enabled virtual servers with persistence (CR89941-1)
If a SYN cookie is issued from a fastL4-enabled virtual server that also has persistence enabled, a multi-packet client request might initially experience packet loss. Once the server responds to the initial request, the connection continues without problems. Note that the virtual server does not issue SYN cookies unless you enable software SYN cookies on the fastL4 virtual server, and then only after the SYN threshold is exceeded.
httpd hostnamelookups default value (CR90021)
If you use the default httpd hostnamelookups value, the system writes the value to the bigip_sys.conf file. This is different from how the system treats most default values, where the system typically does not display the default value or explicitly write the default value to the configuration file. This does not affect httpd hostnamelookups functions.
HTTP profiles for lan/wan optimized and b load requirement (CR90037)
After installation, if you find that the default HTTP profiles for http-lan-optimized-caching, http-wan-optimized-compression, and http-wan-optimized-compression-caching did not automatically load, you can run the b load command to load them.
Relicensed chassis and bigdbd process restart (CR90086)
When you relicense the chassis, the bigdbd process restarts. The action produces no core file, just a message on the console that the process has restarted.
Manual resume and unexpected output from b pool commands (CR90139)
When you enable the manual resume option, the commands # b pool <pool name> show and # b pool <pool name> list all show unexpectedly differing results. The pools work correctly; the difference in output is a display issue only.
Network failover command (CR90158)
Network failover continues to work even when set to disable. To completely disable failover, run the command bigpipe failover redundant disable.
Failover multicast traffic over a VLAN on a cross-blade trunk (CR90202)
Failover multicast traffic over a VLAN on a cross-blade trunk does not work.
Blade disable and re-enable (CR90270-2)
If you disable a blade, you must wait at least four seconds before enabling it again. If you enable the blade sooner, the system can get into an incorrect state, and might not function as expected. If your system is in that state because of rapid blade disabling and enabling, you can correct the problem by disabling the blade, waiting for at least four seconds, and then enabling it again.
STP hello time error message in log and system action (CR90281)
Running the stp hello command results in a logged error message that does not match what the system does. A sample message is: Dec 4 15:21:02 slot1/P5-001 err stpd: 01280005:3: failed to set bridge parameters: Incompatible combination of Forward Delay, Max Age, and Hello Time. Contrary to this message, the system accepts even invalid parameters. This is true for all combinations of Forward Delay, Max Age, and Hello Time. Valid parameters for the stp hello command should satisfy the following rule: twice the value of Hello Time plus 1 is less than or equal to the value of Maximum Age (that is, 2*(Hello Time + 1) <= Maximum Age).
IPv4 and IPv6 and cluster and management IP addresses in Configuration utility (CR90309)
When you use the Configuration utility to change between IPv4 and IPv6 formats for cluster and management IP addresses, the system posts a general database error. To make this type of change without an error, use the command line utility.
Empty external class file creation (CR90363)
When you create an external class file, make sure you have at least one entry in the file. Otherwise, the system deletes the file, and the system cannot load the configuration.
Logon prompt without a corresponding password prompt (CR90556)
If you have LDAP configured as the authentication scheme, and try to log on through the console with an invalid password, the next series of logon prompts does not display a password prompt.
Invalid interface added to a trunk (CR90557)
The system does not prevent you from adding an invalid interface to a trunk. The system then displays the invalid interface when you run the b interface command, but the invalid interface does not work. The trunk should still work, however.
Layer 7 connection loss of 1% on TMM failure events (CR90690)
For a redundant system configured for between-cluster mirroring, high concurrency (150,000 connections) results in a reset of approximately 1% (2000) of connections in a Traffic Management Microkernel (TMM) failure event.
tmctl utility and results delay (CR91064)
There is a ten-second or so delay when you use the tmctl command to display the blade tmm and hsb0_trunk_table tables from the High Speed Bridge (HSB). The tmctl utility is a debug tool, and there is a delay between configuration and display of the trunk.
EUD installation (CR91068)
In this release, you cannot use the Software Management feature to install the End User Diagnostics (EUD). To update the EUD, you can perform a complete software installation using net-boot or CD-ROM installation.
LED state after deleting the system license files (CR91864)
After deleting the bigip.license and backup files and running the command bigstart restart, the prompt correctly changes to NO LICENSE and the mcpd service logs a License notice message. However, neither the blade nor the chassis Alarm LEDs illuminate. This is a display issue only. The blade is in the correct state.
LCD state after booting EUD (CR92181-6)
If you boot the End User Diagnostics (EUD) with one blade in the chassis, the LCD freezes the last screen displayed, and the LCD backlight option does not work. The system functions normally. Only the LCD does not operate correctly. The workaround is to boot the EUD with more than one blade in the chassis.
Brightness control option on LCD (CR92193)
There is a brightness control option on the LCD, but it has no effect.
Spinning-clock status icons during software image transfer (CR92657)
When installation on the primary blade is complete, and while a new image is transferring to other blades, if you run the b software desired command, you might see two or more spinning-clock status icons on the Software Management screen in the browser-based Configuration utility. This occurs when you have more than one instance of the same installation image on your system. The operation completes successfully. Only the icon status is incorrect.
Nonexistent interfaces and enabling and disabling (CR92949)
Using the command line, you can enable or disable a nonexistent interface. Doing so causes the nonexistent interface to show up when you run the b interface show command. This is a display issue only. The system does not use the nonexistent interfaces.
Load balancing methods and low connection limit with low number of connections on multiple TMM services (CR93185)
Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to a value lower than the number of TMM services, and you have a low number of connections, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.
Unplugged power supplies (CR94148-11)
The system check operation reads unplugged power supplies as missing instead of unplugged. There is no workaround for this issue. It is simply a somewhat misleading description of component status.
SNAT translation address disabled (CR94218)
You can disable a SNAT translation address. However, the system still translates the address. To completely disable SNAT translation, you must delete the SNAT or SNAT pool that is associated with the translation address.
Local user name longer than 150 characters (CR94228)
You can create a local authentication user name that is 150 characters or longer. When you use this name to log on to the Configuration utility, the system presents an error. To work around this issue, make sure user names consist of no more than 150 characters. For information about logging on with user names longer than 32 characters, see Local user name longer than 32 characters.
monitor status unchecked message (CR94812)
At startup, you might see an intermittent monitor status unchecked error message for pool members that are indeed monitored. The monitor status unchecked message should be followed by an up or down message that is correct. Although the first message is misleading, it is a cosmetic error only. The pool members operate correctly.
RAM Cache aging rate maximum value (CR94963)
You can use the command line to set an invalid value for the RAM Cache aging rate. The valid value range is from 1 through 9. This range is constrained in the Configuration utility, but not at the command line. To work around this issue, do not use the command line to set a value higher than 9 for the RAM Cache aging rate.
URI for compression and RAM Cache (CR94966)
At the command line, you can specify the same URI for include, exclude, and pinned options for compression and RAM Cache settings in HTTP profiles. If you specify the same URI for exclude as you do in include or pinned, the exclude option takes precedence, and the system does not perform compression or caching for the specified URI. Using the browser-based Configuration utility prevents you from specifying the same URI in these options; however, the Configuration utility does show the duplicate URIs if you set them at the command line.
ntpd version and IPv6 (CR95012)
The installed Network Time Protocol daemon (ntpd) version 4.1.2 does not support IPv6 for specifying an NTP server. The workaround is to specify an NTP server by host name or by using an IPv4-formatted IP address.
Disabling TMM on primary (CR95125)
If you manually disable the Traffic Management Microkernel (TMM) service on the primary blade, various issues occur. For example, the sod process loses communication with the failover peer and cannot determine when a failover condition occurs. Therefore, you should always disable the primary blade before manually disabling the TMM.
Error messages during installation (CR95231)
During installation, you might see certain errors when system daemons such as ntpd try to start up. An example of the type of message you might see is: Unable to find ntp config file at "/config/ntp.conf". These daemons should not be attempting to start up while an installation is in progress. Once installation is complete, the system starts up correctly.
min up members number and blade removal (CR95405)
When you modify the min up members number, make sure to set the number appropriately when you take blades down in a cluster. Otherwise, you can get into the condition where disabling a cluster member brings the cluster below the min up members number, which can cause the cluster to fail over to its peer.
ifconfig eth0:mgmt up command (CR95515)
Previous versions of the software supported the command ifconfig eth0:mgmt up. In this release, running this command renders the management interface inaccessible until you run the bigstart restart command.
Memory reported (CR95619)
Currently, running the b platform command shows only the chassis total memory that is accessible to Traffic Management Microkernel (TMM) and the host process on all blades, instead of reporting physical memory installed on all blades. In addition, the system does not report the memory physically installed on each blade. There is no workaround for this issue.
LED state for management port (CR95624)
The management port shows a solid yellow LED for 1 gigabit links. The LED should be green.
Out-of-range errors on Authentication screen (CR95729)
In the Configuration utility, on the System: Users: Authentication screen, when you specify -1, or another unexpected value, you might see errors similar to the following: Must be an integer in the range 0 - 65,535 or Must be an integer in the range 0 - 4,294,967,295. The actual valid range is from 6 to 255 for Minimum Length, Minimum Duration, and Expiration Warning; from 0 to 127 for Numeric, Uppercase, Lowercase, Other, and Password Memory; and from 1 to 99999 for Maximum Duration.
Multiple zeroes as strong-password authentication settings (CR95730)
Using the command line and the Configuration utility, you can specify multiple zeroes ( 0 ) for the various fields for strong password authentication. The actual valid range is from 6 to 255 for minimum password length, minimum password duration, and password expiration warning; from 0 to 127 for password memory duration, and for number of numeric, uppercase, lowercase, or other characters; and from 1 to 99999 for the maximum password duration.
Asterisk in bigpipe shell commands (CR95731)
When you use the asterisk ( * ) in a command at the UNIX shell command line, you must escape it with a backslash ( \ ) character, or enclose it inside single quotation marks ( ' ). Otherwise, the bigpipe utility tries to parse the asterisk as part of the command. Although this is correct functionality, the user might consider the asterisk character to be the same as other special characters, and thus might not expect this behavior. Note that you do not have to escape the asterisk for commands that you run in the bigpipe shell.
root, admin, and support accounts and user role (CR95900)
The root, admin, and support accounts represent special users whose role should not be set to none or any other non-applicable role. The system does not prevent you from specifying any role for these users; however, doing so essentially locks out those users. To work around this issue, do not set the user role to anything other than admin for the root, admin, and support accounts.
Local users and the Common partition (CR95973)
To include a user as a local user, that user must reside in the Common partition. There is no validation until you try to add the user as a local user. There is no workaround for this issue.
TMM instance ID numbers (CR96116)
When you run the command b tmm all show all, the system reports the ID number for Traffic Management Microkernel (TMM) instances as TMM id 0 instead of showing the specific ID numbers for the TMM instances. The TMM instances function correctly. Only the display is incorrect.
configsync user and the root account (CR96162)
The Configuration utility correctly prevents you from setting the root account as the ConfigSync User. The command line does not prevent this operation; however, you should not specify root as the configsync user.
Message for disallowed commands on secondary blades (CR96166)
The system should immediately present messages when an operation is not allowed on a secondary blade; however, the system does not display the message until the system attempts the operation.
Password change on secondary blades (CR96167)
You can use the passwd and f5passwd commands to change passwords on secondary blades. However, when you attempt to log on to secondary blades using those passwords, the attempt fails because the system overwrites those changed passwords with the ones from the primary blade. The system should prevent you from changing passwords on secondary blades, but it does not in this release.
User password change (CR96184)
Users cannot change their own passwords using the PuTTY terminal or the OpenSSH client (and possibly other connectivity tools). When a user enters a new password, the console window closes. The user password does not change, however, so they can log on again using the old password. For this release, only accounts with administrative rights may change any user's password.
VLAN names longer than 15 characters and dynamic routing (CR96395)
On this release, the system does not support dynamic routing on VLANs with names longer than 15 characters. To work around this issue, use only VLANs with names of 15 characters or less for dynamic routing.
Host name and UCS roll forward (CR96483)
When you roll forward a user configuration set (UCS) file configured with a hostname value that does not match the current system, the process does not remove from the /config/bigip/auth/pam.d/ file the previous configuration that controls the PAM functionality (authentication). To work around this, make sure the UCS file and the system have the same configured hostname.
IS-IS support (CR96543)
This release contains no support for the Intermediate System-to-Intermediate System (IS-IS) protocol.
ltm settings and default value (CR96656)
Arguments for the ltm command ignore a request to be set back to the default value. If you attempt to set one of these back to the default value, the system retains the previous setting. For example, running the command b ltm min path mtu 1500 sets the min path mtu to 1500. If you then run the command b ltm min path mtu default, the value remains 1500. To return to the default setting, you must specify the default value directly in the command. For the min path mtu setting, for example, the command is b ltm min path mtu 296.
Guest password change and error messages (CR96718)
When guest users or accounts with the User Manager role change passwords, the system logs error and warning messages in the /var/log/secure file. The operation completes successfully, so you can safely ignore these messages. The messages appear similar to the following:
Mar 21 10:06:12 slot4/RackB29 notice system-auth(pam_unix): password changed for guestUser
Mar 21 10:06:15 slot4/RackB29 notice httpd(pam_unix): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.40.24 user=guestUser
Mar 21 10:06:17 slot4/RackB29 err httpd: [error] [client 192.168.40.24] AUTHCACHE PAM: user 'guestUser' - not authenticated: Authentication failure, referer: https://192.168.84.189/tmui/Control/form
Mar 21 10:06:17 slot4/RackB29 warning httpd(pam_audit): User=guestUser tty=(unknown) host=192.168.40.24 failed to login after 1 attempts (start=Fri Mar 21 10:06:15 2008 end=Fri Mar 21 10:06:17 2008).
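A triage sketch for the /var/log/secure messages above, added here as an example and not F5 code: it separates authentication failures that directly follow a password change for the same user on the same blade (the CR96718 pattern) from failures that have no such explanation. The 10-second window, the year argument, the function names, and the last two sample lines are assumptions; the first four sample lines are the ones shown above.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Assumption: a failure logged within this many seconds after a password
# change for the same user on the same blade is the CR96718 side effect.
WINDOW_SECONDS = 10

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<sev>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
CHANGE_RE = re.compile(r"password changed for (?P<user>\S+)")
# The three failure shapes that appear in the sample messages.
FAILURE_RES = (
    re.compile(r"authentication failure;.*\buser=(?P<user>\S+)"),
    re.compile(r"AUTHCACHE PAM: user '(?P<user>[^']+)' - not authenticated"),
    re.compile(r"\bUser=(?P<user>\S+) .*failed to login"),
)


class Event(NamedTuple):
    ts: datetime
    host: str
    kind: str   # "change" or "failure"
    user: str
    raw: str


def parse_line(raw: str, year: int) -> Optional[Event]:
    """Return an Event for password-change and failure lines, else None."""
    m = LINE_RE.match(raw.strip())
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    change = CHANGE_RE.search(m["msg"])
    if change:
        return Event(ts, m["host"], "change", change["user"], raw)
    for pattern in FAILURE_RES:
        hit = pattern.search(m["msg"])
        if hit:
            return Event(ts, m["host"], "failure", hit["user"], raw)
    return None


def triage(lines, year=2008, window_seconds=WINDOW_SECONDS):
    """Split failures into (expected, review); lines must be in log order."""
    last_change = {}            # (host, user) -> time of last password change
    expected, review = [], []
    for raw in lines:
        ev = parse_line(raw, year)
        if ev is None:
            continue
        key = (ev.host, ev.user)
        if ev.kind == "change":
            last_change[key] = ev.ts
            continue
        changed = last_change.get(key)
        delta = None if changed is None else (ev.ts - changed).total_seconds()
        if delta is not None and 0 <= delta <= window_seconds:
            expected.append(ev)  # kept, not dropped, so it can be audited
        else:
            review.append(ev)
    return expected, review


# The four messages shown in this release note.
PAGE_LINES = [
    "Mar 21 10:06:12 slot4/RackB29 notice system-auth(pam_unix): password changed for guestUser",
    "Mar 21 10:06:15 slot4/RackB29 notice httpd(pam_unix): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.40.24 user=guestUser",
    "Mar 21 10:06:17 slot4/RackB29 err httpd: [error] [client 192.168.40.24] AUTHCACHE PAM: user 'guestUser' - not authenticated: Authentication failure, referer: https://192.168.84.189/tmui/Control/form",
    "Mar 21 10:06:17 slot4/RackB29 warning httpd(pam_audit): User=guestUser tty=(unknown) host=192.168.40.24 failed to login after 1 attempts (start=Fri Mar 21 10:06:15 2008 end=Fri Mar 21 10:06:17 2008).",
]
# Constructed lines (not from the release note): failures with no nearby change.
CONSTRUCTED_LINES = [
    "Mar 21 10:20:40 slot4/RackB29 notice httpd(pam_unix): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.0.2.50 user=guestUser",
    "Mar 21 10:21:03 slot4/RackB29 notice httpd(pam_unix): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.0.2.50 user=opsUser",
]
SAMPLE = PAGE_LINES + CONSTRUCTED_LINES

if __name__ == "__main__":
    expected, review = triage(SAMPLE)
    for ev in expected:
        print("expected after password change:", ev.user, ev.ts.time())
    for ev in review:
        print("review:", ev.user, ev.ts.time())
```

Keep the window short: every failure that falls inside it is attributed to the password change, including any that came from a different source address.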
Persistence access and iRule completion events (CR96849)
This release does not support iRules™ that combine persistence access (that is, using persist lookup, persist add, or persist delete) with iRule commands that raise completion events (which include the AUTH:: and NAME:: classes of events). The system sends a reset (RST) to connections attempting to run iRules that combine these operations.
Error messages and password change (CR96883)
A failed attempt to change a password writes irrelevant or additional messages into the /var/log/ltm file. For example, if you enter incorrect input when you try to change a password, the system presents an error message similar to the following: BIGpipe unknown operation error: 01070733:3: Incorrect password or you may not change your password yet. When you view the /var/log/ltm file, you see an irrelevant message in addition to the correct one. For example, Mar 24 23:49:32 slot1/3400_1 err mcpd: 01070732:3: PAM error during "pam_chauthtok"=20(Authentication token manipulation error)" Mar 24 23:49:32 slot1/3400_1 err mcpd: 01070733:3: Incorrect password or you may not change your password yet. These messages are benign, so you can safely ignore them.
Password messages and strict option (CR96902)
The system incorrectly posts Bad password (admin): BAD PASSWORD: it is too short messages even though the strict option is disabled for the password policy. These messages are benign, and the system takes no enforcement action.
UCS file and pool member down (CR96914)
When installing a user configuration set (UCS) file that contains pool members that are in the down or disabled state, the system does not log a message that the member is down or disabled. The system does log messages when the state changes after installation (for example, when the pool member becomes enabled or active). You can verify the state of pool members using the Configuration utility, or using the status command on the command line.
Primary cluster and software update (CR96925)
Make sure to wait for the software update process to complete on all blades before making a blade the primary in a cluster. That means that you should not run the command b software desired <software> active enable on a blade until all blades in the cluster have been updated with the new software.
Short timeouts and persist records (CR96945)
When you have a short (that is, 32 seconds or less) timeout set for mirrored persistence records, the system might not time out these records on the standby unit of a redundant system. To work around this problem, make sure to set the mirrored persistence record timeout to an interval longer than 32 seconds.
ErrorWritingLicenseFile message and license activation (CR97069)
Due to a rare timing condition between licensing values, the system might present the error ErrorWritingLicenseFile once after you apply a new registration key using the browser-based Configuration utility. The license correctly activates. Only the message is incorrect.
Debug option in UDP monitor (CR97080)
The Debug setting for the UDP monitor correctly has no function, but in this release, the option remains. You can enable the Debug option for a UDP monitor, but the system does not write debug messages to the /var/log file. It is intended behavior that the Debug option has no operation, so you should ignore the interface option.
Maximum number of ARP entries (CR97163)
When you have 16,000 or more directly connected nodes, the number of Address Resolution Protocol (ARP) entries comes close to exceeding the maximum, which could result in a condition where you cannot access the system. To work around this condition, make sure your configuration has fewer than 16,000 directly connected nodes.
AOM remote logging for 1600 and 3600 platforms (CR97292)
The Always On Management (AOM) subsystem on BIG-IP 1600 and BIG-IP 3600 platforms logs locally to /var/log/messages, and should also send these log entries to the Host file system at /var/log/ltm. Currently it sends its remote logging to the Host file /var/log/secure. There is no workaround for this issue in this release.
Status LED state after startup (CR97299-1)
The Status LED briefly shows green on power up. The LED should be blank or amber. Early during initialization, the software sets the LED color to amber, and finally to green once cluster quorum is reached. Everything functions correctly; this is a minor cosmetic issue only.
External file synchronization and manual delete (CR97318)
It is possible for external files (that is, certificates, keys, external class files, and external monitor files) to be out of sync on blades under certain conditions. For example, if you manually delete the ssl.crt file that is referenced in a profile, and then issue a b load command, the system presents an error, and shows that the profile still contains the ssl.crt file. To work around this issue, do not manually delete in-use external files. If your system is already in this state, you can fix it by returning the file to the system and restarting the system. When you do so, you encounter another known issue, which is documented in Missing external file and system restart.
Renamed trunk and STP error (CR97393)
When you rename a trunk and then issue a b base load command, the system incorrectly posts a Spanning Tree Protocol (STP) error message. You can work around this by renaming the VLAN as well as the trunk, or by issuing a clsh bigstart restart command.
radvd startup on secondary blades (CR97462)
The router advertisement daemon (radvd) process fails to start on secondary blades, despite it being configured. To work around this issue, when you configure for the radvd process, you must run the command bigstart start radvd manually on all blades. You also need to run this command after a new install, when you are configured for using the radvd process.
SASP monitor support (CR97474)
This release contains no support for the Server/Application State Protocol (SASP) protocol monitor.
Packet filter rejecting packet with tcpdump (CR97531-1)
When a packet filter decides to reject a packet while the tcpdump process is capturing that network, the Traffic Management Microkernel (TMM) can halt unexpectedly. The workaround is not to run the tcpdump utility on networks with packet filters enabled.
Configuration load and large number of ARP entries (CR97534)
A configuration might fail to load if it contains a very large number of Address Resolution Protocol (ARP) entries in the bigip_base.conf file. For example, one configuration that failed to load contained 8,141 ARP entries. You can work around this issue by using fewer ARP entries.
Warning messages at boot (CR97542)
The kernel logs boot process messages as warnings, which is its default setting. Messages appear similar to the following:
local/RackB29 syslog warning Intel MultiProcessor Specification v1.4
syslog warning Processor #2 Pentium 4tm APIC version 16
local/RackB29 syslog warning xAPIC support is not present
These messages are correct, and the system load should proceed normally.
UCS file containing expired license and installation (CR97543)
In this release, you cannot install a user configuration set (UCS) file that contains an expired license onto a system that has not been licensed (that is, a system that contains no license file). To work around this issue, you must install, license the system, and issue the command b load to load a UCS with an expired license.
BGP advertises IPv4 next-hop address for IPv6 prefixes (CR97585)
If an IPv4 Border Gateway Protocol (BGP) peer is activated for address family IPv6, the next-hop supplied for IPv6 prefixes might instead be the IPv4 interface address. The Internet Engineering Task Force (IETF) RFC 2858 standard (Multiprotocol Extensions for BGP-4) does not specify the acceptability of advertising IPv4 next-hop addresses for IPv6 prefixes. As a result, some BGP implementations might not accept such advertisements, and can terminate BGP sessions, which causes traffic disruption. To avoid potential traffic disruption, we recommend configuring separate peers for IPv4 and IPv6 prefixes. You should use route maps to make sure that the system advertises only IPv4 prefixes to IPv4 peers and only IPv6 prefixes to IPv6 peers.
httpd message at startup (CR97618)
Occasionally at initial startup after rolling forward a user configuration set (UCS), you might see an httpd process message on the system console. This message is benign, so you can safely ignore it. Following is an example of the type of message you might see: httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName.
Users and access to objects in other partitions (CR97620)
Users with access to a specific partition might be able to view monitor instance objects that exist in another partition. For example, a user who can access partition AppA only, can run the command bp monitor instance to list monitor names and pool names that exist in another partition.
Authentication source (CR97662)
You can designate an authentication source that is not configured, and the system does not present an error message. To work around this issue, make sure to configure the source before you designate it as an authentication source.
system localusers command (CR97829)
Although the b system localusers command is referenced in product documentation and functioned in a previous release, the command is disabled in this release. If you run the command, the system presents an error message indicating that the feature is not supported in this release.
BGP and graceful restart (CR98003)
This release does not support graceful restart for IPv6 in Border Gateway Protocol (BGP). Although IPv6 works in this case, because graceful restart is not supported, your configuration might experience traffic disruption after primary blade failover. Therefore, in this release, do not configure graceful restart for IPv6 peers. Doing so can result in routes advertised by the peer being permanently lost after graceful restart.
Missing external file and system restart (CR98045)
If you remove one of the external files, such as certificates, keys, external class files, and external monitor files, the system posts a file cache error when you restart, and loads the default configuration. After you replace the file and restart the system again, the mcpd process restarts as well. Once the mcpd process finishes restarting, the correct configuration loads and the system operates normally. For information about a separate but related known issue, see External file synchronization and manual delete.
Trunk delete and trunk member count display (CR98114)
When an active trunk member is deleted from the bigip_base.conf file, the next bigpipe load operation can display incorrect trunk member counts in response to the command b trunk show all. The system operates correctly. This is a display issue only. Performing a subsequent bigpipe load operation clears the display issue.
External user and reauthentication (CR98206)
When an externally authenticated user (for example, users on systems configured for authentication using Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and so on) is logged into the administrative user interface, and the cluster primary changes, that user is reauthenticated with their original password. If the authentication system uses a one-time-password scheme, the user is prompted for the new password.
Resource Administrator and Administrator roles in partitions other than Common (CR98262)
In this release, you can create users with the Resource Administrator and Administrator roles only in the Common partition. If you create users with these roles in other partitions, when you load the configuration, the system posts the error: BIGpipe user modification error: 01070821:3: User Restriction Error: The system user (admin-users) must be created in the Common partition, and the configuration does not load. In addition, a Resource Administrator cannot load a configuration that has users who are not in the Common partition. There is no workaround for this issue.
Power supplies and no blade in DC chassis (CR100545)
If you operate multiple power supplies in a chassis that contains no blades, one or more of the power supplies' power-OK LEDs might turn off. This might also occur when you remove all the blades from a chassis, even if it is only for a short amount of time. If a power supply gets into this state, you can resolve it by removing the power supply a few inches, installing at least one blade in the chassis, waiting several seconds, and then reinserting the power supply. You can prevent the problem by installing the blades before installing the power supplies.
VIPRION and hardwired failover (CR106830)
This release supports only network failover for chassis-to-chassis failover on the VIPRION® platform. Do not configure hardwired failover using any failover cable included with the VIPRION system you received.
AUTH_RESULT and suspend commands (CR140154)
This release does not support using a command that suspends iRule processing (session, persist add/lookup/delete, table, after) in the AUTH_RESULT event in an iRule. There is no workaround for this issue.
For additional information, please visit http://www.f5.com