Original Publication Date: 09/23/2015
These release notes document the version 4.5.0 release of BIG-IQ Security, which consists of the BIG-IQ Network Security and BIG-IQ Web Application Security modules.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.5.0 Documentation page.
BIG-IQ Network Security supports the following browsers and browser versions:
The BIG-IQ device runs as a virtual machine in specifically-supported hypervisors, or on a BIG-IQ 7000 platform. After you set up your virtual environment, you can incorporate the BIG-IQ system into your network as you would any other F5 Networks device.
For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ System: Licensing and Initial Setup guide.
For details about BIG-IQ Network Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:
Upgrading to BIG-IQ version 4.5 involves installing the new version of the software, booting into that new version, and making any other changes that might be required.
The process for upgrading a high availability (HA) configuration of BIG-IQ version 4.5 to a later build of version 4.5 differs from the process for upgrading from a version 4.3 or 4.4 HA configuration as described in the following sections. Refer to the BIG-IQ Security: Administration guide for details on the upgrade process.
If you are upgrading from BIG-IQ version 4.5 to a later build of BIG-IQ version 4.5, and the BIG-IQ system is in an HA configuration, the upgrade process includes:
If you are upgrading from BIG-IQ version 4.3 or 4.4 to BIG-IQ version 4.5, and the BIG-IQ system is in a high availability (HA) configuration, any existing BIG-IP devices in an HA peer group managed by BIG-IQ Security need to be removed and then rediscovered. The upgrade process includes:
With the Network Security module, BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned.
With the Web Application Security module, BIG-IQ Security provides application management for multiple BIG-IP systems that have Application Security Manager (ASM) installed and provisioned.
The following features are new in version 4.5.0.
|422114||Previously, the BIG-IQ system allowed a management firewall rule to contain an address list or an address with a route domain when the BIG-IP system did not allow it. Now the BIG-IQ system warns about this condition during the evaluation of a deployment.|
|426694||During a BIG-IP upgrade procedure, clustered BIG-IP devices may be left in a state where the installed versions differ.
Previously in such cases, if a BIG-IQ discovery occurred, the BIG-IQ identified the BIG-IP devices as being out-of-sync, but still allowed the discovery to complete and allowed the BIG-IP devices to appear as a clustered pair in the BIG-IQ system.
Now, the BIG-IQ system does not allow the mismatched pair of BIG-IP devices to complete the discovery process.
|437741||BIG-IP devices no longer populate the restjavad.o.logs with repeated messages from the IdentifiedDeviceWorker when the BIG-IQ system discovers the BIG-IP device on a VLAN other than a VLAN named internal.|
|444687||In earlier releases, when a rule to be deployed contained a nested address list or port list, and the nested list was assigned to a firewall context on a device that did not support the nested list type, no warning was provided when the nested address list or port list was assigned to the rule. Now an appropriate error appears during the evaluation phase of deployment.|
|446796||In a BIG-IQ HA environment, the primary node is responsible for running tasks. If a task is running on the primary node and that node fails, the secondary node takes over. Formerly, the tasks remained in a pending state indefinitely until the primary node recovered. Now the secondary node removes the pending tasks when it takes over.|
|467150, 440531||Query timeout could potentially make the GUI unresponsive. If a query times out, the BIG-IQ system user interface might become unresponsive.|
|469369||Web Application Security now correctly processes IPv6 addresses, including using them to discover BIG-IP devices.|
|469416||If the user deployed geolocation data to a BIG-IP version 11.4.1 device, the deployment finished with no indication of an error, despite the fact that BIG-IQ Security ignores the geolocation data. Now the evaluation phase of deployment ends with a warning about the geolocation data.|
|474147||It previously took up to 30 seconds for a new administrative user to appear in the list of users after you added it. Now a new administrative user appears in the list immediately.|
|474827||After you upgrade the BIG-IQ system to version 4.5.0, any user interface preferences you previously specified (such as panel widths, panel order, and hidden panels) now persist.|
|477084||BIG-IP v11.5.x allows assigning an address list with geolocations to a rule in the management-IP firewall. However, a management-IP firewall must not make any references, direct or indirect (through the address list), to geolocations.
Previously, the BIG-IQ system allowed users to deploy this mistaken configuration to BIG-IP systems. Now the BIG-IQ system rejects this configuration during the evaluation phase of deployment.
|484091||In earlier versions, when a managed BIG-IP system went offline, the BIG-IQ Web Application Security interface did not indicate that the device was unavailable. Now the BIG-IQ Web Application Security interface accurately displays the health of an offline BIG-IP device.|
|484098||The information displayed by the View Diff option on the Deployment detail screen has been changed and this option now correctly displays a comparison of BIG-IP and BIG-IQ information.|
|489450||In version 4.3.0, the BIG-IQ software failed to delete a cluster group when a user removed its last remaining node. An upgrade to version 4.4.0 should have removed any empty cluster groups, but instead kept them. The cluster groups were then impossible to remove from the v4.4.0 GUI.
An upgrade to v4.5.0 removes all empty cluster groups.
|492325-1 (497744)||If you added new firewall contexts on a BIG-IQ system cluster and later declared management authority again on its managed BIG-IP devices, the new firewall contexts were sometimes lost. This issue no longer occurs in BIG-IQ system clusters.|
|ID number||Description||Workaround if applicable|
|471353||When the BIG-IP sends log items to the LOG-IQ node, it does not send the encoding. Therefore, some of the content displays as question mark characters instead of the real content.
For example, the request http://126.96.36.199/aXXXa (where "X" is a character with an unrecognized encoding).
The only attribute that the request displays correctly is the violation_details where all the buffers are base64 encoded.
|488748||Third-party authentication, such as RADIUS, cannot be used with the BIG-IQ Security ASM module. Although a local user with the Web Application Security Manager role can discover devices, remote users with that role, authenticated using a third-party such as RADIUS, cannot discover devices. This is because the BIG-IQ Web Application Security module does not support third-party authentication.|
|495725||Deleted tags in the Web Application Security event log continue to appear until the web browser window is reloaded. When viewing the Web Application Security event log, tags can be deleted but still be displayed. The tags will be removed from the display when the web browser window is reloaded (typically by pressing the F5 key).||After deleting tags from the Event log, reload the web browser display by pressing the F5 key.|
|496349||In Web Application Security, using Show Related Items on a device does not highlight policies when it should. In Web Application Security, when you use the Show Related Items on a BIG-IP device, the policies related to that device are not highlighted. Other related items for the device, such as virtual servers and so on, are highlighted correctly.|
|499489||When using a French language web browser to access BIG-IQ Security ASM event logging, words in the date may not display correctly. For example, the month "dcembre" is erroneously displayed as "décembre."|
|441559||ASM security policies attached to only one virtual server and deployed from the BIG-IQ system may attach to multiple virtual servers on the BIG-IP system. Example: Assume you have two ASM security policies: policy A is attached to 2 virtual servers, and policy B is attached to none. If you import the virtual servers and policies into the BIG-IQ Security system, and then apply policy B to only one of the virtual servers, policy B is erroneously attached to both virtual servers.|
|472773||An administrative account authenticated through RADIUS cannot manage BIG-IP systems with BIG-IQ Security. When you log in to the BIG-IQ Security manager with a RADIUS account, you cannot create, edit, or delete any web application policies.|
|488830||ASM Security policies cannot be deployed from snapshots. ASM Security policies can only be deployed from the latest working configuration and not from ASM snapshots.|
|490590||BIG-IQ ASM deployments may fail when multiple policy parameters are updated at the same time. When performing a Web Application Security deployment that contains multiple security policy parameter updates, that deployment may fail with an error similar to the following:
Could not update the Parameter <specific parameter name>. DBD::mysql::db do failed: Deadlock found when trying to get lock; try restarting transaction.
|493663||Virtual servers created in Shared Security are not visible in Web Application Security. When a virtual server is created in Shared Security, that virtual server is visible and available in Shared Security and Network Security, but not in Web Application Security. The virtual server should be available in Web Application Security as well as Shared Security and Network Security.|
|498298||BIG-IQ ASM supports only BIG-IP devices version 11.6 or higher. When using BIG-IQ ASM to discover a BIG-IP device that is earlier than version 11.6, the discovery fails and an error is displayed.|
|494567||When you upgrade a BIG-IQ system, the analytic indexes from /var/config/rest/analytics are not copied to a new volume.||Perform the following steps each time you apply an upgrade to a new volume:
1) On a volume running the previous version of BIG-IQ, verify the backup script is executable from SSH by typing "chmod 555 backup_analytics_index", and then run it by typing "./backup_analytics_index".
This will stop REST services and zip the analytics indexes to the /shared directory, then restart REST services.
2) Once the upgrade has been applied to the new volume, make sure the restore backup script is executable using the same method as noted above. Run the script with "./restore_analytics_index."
This will stop REST services again, check for any new indexes and prompt for deletion if there are conflicting indexes (a merge of the indexes is not possible currently).
3) If there are no conflicts, the BIG-IQ system restores the backup file from the /shared directory to the /var/config/rest/analytics directory on the newly upgraded volume and restarts REST services.
|470986||For security purposes, the BIG-IQ system logs users out at a specified timeout. The timeout can be a maximum of 10 hours. At that time, any unsaved changes or unfinished jobs are lost without warning.|
|497266||Attempts to log in to the BIG-IQ system intermittently fail.||Remove all "device_manager" roles through the command line, using the following commands, where <password> is the admin password.
curl -uadmin:<password> -X "DELETE" https://localhost/mgmt/shared/authz/roles/device_manager
bigstart restart restjavad
The BIG-IQ system restores the default device_manager roles.
|486335||Device discovery fails with "Failed to establish trust" when the REST framework on BIG-IP is newer than the REST framework on the BIG-IQ system. Device discovery fails and the user is presented with a "Failed to establish trust" error message.||To avoid this issue, take one of the following actions:
From the BIG-IQ system: Force the REST framework downgrade using the /lib/dco/packages/upd-adc/update_bigip.sh script with the -f argument to force the install of the framework.
From the BIG-IP system: Remove the framework RPMs and retry discovery from the BIG-IQ system, specifying to upgrade the framework on discovery.
|467438||If you restore an 11.5-based snapshot of firewall rules to an 11.5.2 or 11.6 BIG-IP system, any inline rules (invalid in 11.5.2 or 11.6) are improperly restored to the 11.6 configuration on the BIG-IQ system. BIG-IP v11.5 and earlier allowed inline rules on firewalls. However, BIG-IP v11.5.2 and v11.6 do not. If you have upgraded the BIG-IP devices to v11.5.2 or v11.6, the BIG-IP system automatically moves those inline rules into a system-defined policy. The restoration of the v11.5 or earlier snapshot incorrectly writes inline rules to the configuration of an 11.5.2 or 11.6 BIG-IP system.||After upgrading a BIG-IP system to v11.6, reimport its firewalls to the BIG-IQ Security system.
By default, the BIG-IQ system takes a snapshot of the configuration prior to reimport. This default snapshot contains the BIG-IP v11.5 configuration with its original inline rules.
If, for any reason, you want to restore a snapshot taken at v11.5 or earlier, you must again reimport those upgraded devices after restoring the snapshot. This updates the BIG-IQ system to contain the current policy-based firewall configurations for those 11.6.0 devices.
|472429||When roles are assigned to User Groups, the default UI landing page is not honored. Users with a role assigned to a User Group in System > Access Control have a default of the System > Access Control screen.||After the user logs in for the first time, they have the option to override the default landing page by clicking Admin in the top-right corner of the screen, selecting Global User Settings, and selecting an option from the Default View menu.|
|474096||You cannot access the BIG-IQ system user interface using Mozilla Firefox version 31 or later.||This issue is caused by security changes in Firefox. You can view more specific information here:
This workaround has security implications.
1) Type about:config in the navigation bar of the Firefox browser.
2) Double-click the "security.use_mozillapkix_verification" preference to set it to false.
|485346||Firefox 33 may have issues with self-signed SSL certificates. When using Mozilla Firefox 33, the BIG-IQ system user interface might freeze and not allow you to view the log in screen.||In Mozilla Firefox, open a new tab and, in the browser bar, type "about:support", then click the "Reset Firefox..." button. Alternatively, use Google Chrome version 34.x or later to access the BIG-IQ system.|
|449063||After upgrading or restarting a BIG-IQ system, the log in screen displays a message that your user credentials are invalid and the system does not allow you to log in.||Clear the browser cache and refresh. (You may have to refresh several times.) When the log in screen properly displays the host name of the BIG-IQ system, you can successfully log in.|
|481360||An erroneous warning icon with a "Device is not available" error might appear in either the BIG-IQ Device or BIG-IQ Security areas for managed BIG-IP devices even though the BIG-IQ system can reach those devices.|
|497253||Search fails in Cloud page if Roles or Users panel is undocked. If you specify a global search term in the user interface when the Users and Roles panels are not docked, BIG-IQ Cloud returns an error, and the Users and Roles panels display as empty.||Drag the Users and Roles panels to the left or right side of the screen to dock them and then apply the filter.|
|440333||If you delete a BIG-IQ peer from a high availability active-active pair, then add the same BIG-IQ system back to the same (or to another) high availability pair, data between the devices no longer synchronizes.||After you delete a BIG-IQ system from a high availability active-active pair, create a backup of the BIG-IQ system. Then reset the system to factory settings by typing the following command on that BIG-IQ system: bigstart stop restjavad && rm -rf /var/config/rest && bigstart start restjavad. Then, you can add it as a new backup in a high availability pair, and they properly synchronize.|
|NS Audit Log|
|450117||During initial HA setup, configuration settings for the audit logger archive are copied from the Active system to the Standby system.
After HA setup, any changes made on the Active system are not synced to the Standby system.
|Log in to the Standby system and update the Audit Logger configuration manually.|
|NS Clustering Big-IP|
|488527||When clustering multiple BIG-IP devices together in a common cluster group, BIG-IQ Security software does not verify the BIG-IP device has been provisioned with a common set of licensed software modules.||When adding a BIG-IP device to a cluster group, the user needs to ensure that the BIG-IP device has the same software modules provisioned as does the peer BIG-IP device.|
|423694||Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. This address list is accepted on BIG-IP devices (running 11.4.1) but not in BIG-IQ systems.|
|424326||Shared objects in folders are not discovered by BIG-IQ Security. Discovery of shared objects contained in folders is not supported in BIG-IQ Security.|
|426774, 451184||The error message "HA Firewalls in device 10.1.1.1 do not match those in peer device 10.1.1.2" is issued when there is a mismatch between firewalls.
This error message is not very specific about the types and names of the firewalls. Providing this information would aid the user in correcting the error.
|496372, 480189||Locked network objects cannot be saved during a reimport. If a network object is locked for edit during a reimport, the object will receive a generation error upon saving.
To recover, cancel out of the edit screen.
|496439||Cannot declare management authority on BIG-IP systems with certain virtual-server configurations. If the BIG-IP system has a virtual server policy with http_profile selected and "Protocol Security" enabled, the BIG-IQ system fails to declare management authority on the BIG-IP device and discovery fails with the following message:
" messageDiscovery Failed! working-config subcollection push sender failed: Unsupported virtual profile /Common/http_security: Only profiles under BIG-IP LTM module (/ltm/profile) and Security DoS module (/security/dos) are supported.
|On the BIG-IP device, disable the "Protocol Security" feature on all virtual servers and retry the attempt to declare management authority.|
|467095||Cutting and pasting text that contains a control character (such as a tab character) into a BIG-IQ system description field (such as that in an address list or rule list) may lead to deployment differences.||To avoid this problem, do not cut and paste text containing control characters into a description field.|
|487014||There is a false error and failure when deploying a virtual server with a DoS profile and another profile. When a virtual server contains a DoS Profile and another profile that is required by the DoS Profile (such as a DNS profile or an HTTP profile), its deployment may fail with a false error. For example:
"Failed submitting iControl REST transaction xxxxxxxx: transaction failed:01071782:3: Virtual server (virtualServer): DoS profile with Application Security enabled requires HTTP profile".
|Deploy the configuration in two steps:
1. Associate the virtual profile (such as a DNS or HTTP profile) to the virtual server and deploy it first.
2. Associate the DoS Profile to the virtual server and deploy it again.
|494941||On the BIG-IQ system, when attempting to update the framework for a BIG-IP device using the Update Framework on Save check box, the device can be put into a pending state. This state causes the BIG-IQ system user interface to report either a 'Collecting...' or 'Framework Failed' message.||If the BIG-IQ system user interface displayed a 'Collecting...' message, refresh the web browser and attempt the same operation again.
If the BIG-IQ system user interface displayed a 'Framework Failed' message, update the BIG-IP device framework from the BIG-IQ system command line using the update_bigip.sh script.
|474135||Deployment occasionally fails during distribution with the error, "There is no transaction created for this user.". This failure is rare and is related to timeouts experienced for large configuration changes and devices under heavy load.||Once deployment to a specific device fails due to this bug, retry the deployment operation on the same device.|
|NS GUI Common|
|474651||Device discovery on the BIG-IQ system never completes after deploying framework to a v11.4.1 BIG-IP system. The BIG-IQ system user interface continually shows the Identifying device dialog box and never transitions to downloading firewall configuration data.||Cancel the currently running discovery task and discover the device again. On the second discovery attempt, the Update Framework check box should remain unselected.|
|NS GUI Editor|
|495576||When the current navigation selection is the Global firewall context and a navigation bar filter is cleared, the Global firewall content panel does not refresh to show the unfiltered list of Global firewall contexts.||To refresh the list, select another navigation menu item and then return to the selection of the Global firewall contexts.|
|NS GUI Shared Security|
|484161||Cannot deploy virtual server with UDP profiles selected. If you create a virtual server on a BIG-IQ Security system that uses the UDP protocol, and has UDP selected in the client profile and server profile, that virtual server will signal an error and fail to deploy.
BIG-IQ Security does not support the assignment of SSL profiles needed to support the UDP protocol.
|487477||VLANs associated with a Shared Security self IP must be in the default route domain with the Common partition and an ID of 0 (/Common/0).
If the VLAN is a member of any other route domain in a partition, the deployment containing this self IP will fail.
|497516||There is a known issue when dealing with double quoted text that occurs on the Logging Profiles screen, within the User-Defined Storage Format field where you can enter free text. Using double quotes within the User-Defined free text can cause deployment issues, unless each double quote is escaped by a backward slash "\" character.
This is because the double quotes may be stripped out and cause a deployment difference or a reimport conflict between the BIG-IP device and the BIG-IQ system.
|To avoid unexpected deployment differences or unexpected reimport conflicts, any double quote in text must be preceded by a backward slash "\" when the logging profile is created or edited on the BIG-IQ system.|
|NS Gossip HA|
|493751||If a failover occurs while adding a new device, (under rare circumstances) it might be impossible to complete the add-device task from the backup BIG-IQ device. Consider the following situation:
- From Security -> Network Security or Shared Security -> Devices -> +, you add a device and the device-discovery process hangs,
- the BIG-IQ device fails over to its standby peer, and
- device-discovery is still hanging when the standby peer comes up.
You cannot add the device from the standby peer, even if you cancel the add-device process from the standby peer first.
|Contact F5 Support if you encounter this situation.|
|473463||If you remove the standby BIG-IQ Security configured in a high availability cluster, BIG-IQ Security displays 404 errors.||You can reset BIG-IQ Security to the factory settings by logging in to the BIG-IQ Security command line and typing the following commands: 1) bigstart stop restjavad 2) rm -rf /var/config/rest/ 3) bigstart start restjavad.|
|NS Running State|
|476276||Auto-generated policy names created by an upgrade to 11.5.2 or 11.6 or later may cause conflicts in the BIG-IQ working configuration. BIG-IP version 11.5.2 and 11.6 added a restriction that firewall contexts would only support firewall policy objects.
To deal with configurations where in-line rules or rule-lists were directly applied to a firewall context, policy objects are auto-generated on upgrade to 11.5.2 or 11.6.
These auto-generated policies are named VersionUpgradeAutoGenPolicy-<firewall context name>. For common firewall context names like global and route domain 0, these auto-generated policy objects have an increased chance of conflicting with policies from other devices being managed by the BIG-IQ system.
|1) Find the policy with the auto-generated name starting with "VersionUpgradeAutoGenPolicy."
2) Clone that policy.
3) Save the clone with a new, unique name that is unlikely to conflict with other upgraded devices, for example: <device_name>_<context>_policy or <cluster_name>_<context>_policy.
4) Replace the auto-generated policy with the clone policy, by editing the firewall context(s) where it is used and replacing the auto-generated policy with the cloned policy.
5) Repeat steps 1-4 for any other auto-generated policies.
6) Deploy the change out to the devices with the auto-generated policy.
7) Remove the VersionUpgradeAutoGenPolicy-<context name> version of the policies from the BIG-IQ working configuration.
|479606||Virtual server deployment fails if the virtual server was the last one to contain a particular log profile, and that profile is not one of the default log profiles (global-network, local-dos, Log all requests, or Log illegal requests).
The deployment fails with this error:
Failed submitting iControl REST transaction <txn-id>: transaction failed:01070635:3: The security log profile
(/Common/lp-test13) is referenced by one or more virtual servers.
|Log into the BIG-IP device that contains the virtual server. On the BIG-IP device, remove the log profile from all the Virtual Servers that use it. Then deploy the configuration from the BIG-IQ system to the BIG-IP device.|
|NS Working State|
|424206||Deployment fails if the Management IP firewall configuration contains both IPv4-formatted addresses and IPv6-formatted addresses. IPv4-formatted addresses are allowed or IPv6-formatted addresses are allowed, but both are not allowed at the same time.||Follow the instructions provided in the deployment error message for locating the source of the deployment failure.|
|459888||The BIG-IQ system is unaware of default route domain assignments in non-default BIG-IP partitions. For example, assume you have a non-default partition with a default route domain setting of something other than zero and /partitionA has a default route domain of 5. If, from the BIG-IQ system, you assign an IP address to any firewall in /partitionA without specifying the route domain (such as 192.168.25.4), and then deploy the firewall to the BIG-IP system, the BIG-IP system assigns the default route domain (5) to the IP address. The firewall on the BIG-IQ system is still shown as 192.168.25.4, while on the BIG-IP system it is 192.168.25.4%5.
The address is clear on the BIG-IP system (192.168.25.4%5), but it is less clear on the BIG-IQ system where the route domain is omitted.
|You can ignore the IP-address settings in the BIG-IQ system. They are benign.|
|478963||The BIG-IQ Security software only supports route-domain 0 as the default route-domain. Only route-domain 0 can have VLANs from other partitions.
All other route-domains should have their assigned VLAN from the same partition.
|489436||Self IP deployments may fail due to incompatible tunnel types. When a self IP that contains a tunnel is deployed, and that tunnel was defined on the BIG-IP device with an encapsulation type of tcp-forward or ppp, that deployment fails because those types are not supported by BIG-IQ Security.
The error appears similar to the following:
Failed submitting iControl REST transaction 1415382609058546: transaction failed:0107032e:3: PPP tunnel (/Common/socks-tunnel) cannot be assigned a Self IP.
|Do not deploy BIG-IQ Security self IPs that contain tunnels with an encapsulation type of tcp-forward or ppp, since those types are not supported.|
|Package (RPM) Management|
|475095||BIG-IQ system is unable to discover 11.4.1 BIG-IP VIPRION system with automatic REST framework upgrade. When discovering a BIG-IP device running version 11.3.x or 11.4.x with a BIG-IQ system running version 4.2 or later, the process might fail with the error message "You must update the device's framework before you can manage it".||You can delete the file /config/f5-rest-device-id from the BIG-IP device, discover the device again, select the "Auto Update Framework" check box, and provide the admin and root credentials.|
|489584||After upgrading the BIG-IQ system from version 4.3.0 to version 4.5.0, rediscovery of a previously managed BIG-IP device running version 11.5.1-HF6 software might fail.||Update the BIG-IP device using the update_bigip.sh script, and then reimport and declare management authority over the version 11.5.1-HF6 BIG-IP device.|
|496091||You might not be able to click-to-provision a BIG-IP VE machine on an ESXi host if there is a time stamp issue on the ESXi host.||
To determine if this is a time issue, view the BIG-IQ system's /var/log/restjavad.0.log file and look for something similar to the following line: Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014.
|497373||Re-discovering a VIPRION device will always trigger a framework upgrade. When the BIG-IQ system discovers or re-discovers a multi-slot BIG-IP VIPRION device, it prompts the device to upgrade its framework, regardless of its current version.
You can upgrade devices with multiple active slots only through the command line. The BIG-IQ system cannot currently validate the existing framework revision with this technique.
|Always allow discovery to upgrade the framework, even in cases where it seems unnecessary. You can upgrade devices with multiple active slots only through the command line. The BIG-IQ system cannot currently validate the existing framework revision with this technique.|
|498790||Unable to update REST Framework after BIG-IQ upgrade. When a user tries to update the REST Framework on a BIG-IP device by rediscovering that BIG-IP device, it will fail with a message saying that it failed to update the REST Framework.
When looking at restjavad.0.log on the BIG-IP device, users will see a WARNING message like:
[WARNING][24 Dec 2014 00:47:49 UTC][8100/shared/diagnostics RestServerDiagnosticsWorker][logAndFailDrainedOperation]
Referrer:http://localhost:8100/shared/package-deployments/e8ec026f-5f79-4e12-b8f1-e8f3703c7af6/worker, Method:GET,
Exception:java.util.concurrent.TimeoutException: remoteSender:10.10.20.86, method:GET.
|First on the BIG-IP device, issue the command "bigstart restart restjavad."
Then, on the BIG-IQ system, re-discover the BIG-IP device again.
|499273||When managing a large number (dozens to hundreds) of BIG-IP devices, you might notice the memory utilization for the BIG-IQ system is high and reports OutOfMemory exceptions in /var/log/restjavad.*.log or /var/tmp/restjavad.out.||If you cannot communicate with the managed BIG-IP devices, attempt to fix any network communication problems by pinging or routing the BIG-IP device from the BIG-IQ system, and then restart the restjavad process on the BIG-IQ system by typing the following command:
# bigstart restart restjavad
|SNS Network Objects|
|491480||The BIG-IQ system accepts a source IP address without a prefix for a virtual server, only to have the address rejected during deployment to a BIG-IP device. This problem occurs when you create a virtual server within shared security and then enter a Source IP address without a prefix length (for example, 188.8.131.52 instead of 184.108.40.206/24).
When deploying this virtual server to a BIG-IP system, the deployment fails and the virtual server cannot be created on the BIG-IP device, due to the missing prefix length.
|483837||The BIG-IQ system does not discover Single Endpoint attack types. The BIG-IQ Shared Security interface does not discover two Device DoS properties that may be configured on the BIG-IP device: Single Endpoint Flood, or Single Endpoint Sweep. Even if their values are set on the BIG-IP device, the values do not appear in these BIG-IQ fields.
These fields appear at Security -> Shared Security -> Device DoS -> (select any BIG-IP device) -> Device Configuration tab -> Single Endpoint row.
|496899||A benign log message is marked as [SEVERE] in the log. The /var/log/restjavad.<n>.log file might contain messages similar to the following:
[SEVERE]...PipelineManagerTaskWorker][failed] failed to register for worker notifications.
These messages are benign and have no impact on the BIG-IQ system's functionality.
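A pre-deployment lint for four of the input conditions listed in the table above (424206, 467095, 491480 and 497516), as an added example that is not F5 code. The dictionary layout, object names and function names are assumptions made for illustration, not a BIG-IQ schema or API.

```python
import ipaddress
import re

# BIG-IP address notation: host, optional %route-domain, optional /prefix-length.
ADDRESS_RE = re.compile(r"([^%/]+)(?:%(\d+))?(?:/(\d+))?")
# A double quote that is not directly preceded by a backslash.
BARE_QUOTE_RE = re.compile(r'(?<!\\)"')

# Constructed sample; field and object names are hypothetical.
SAMPLE_CONFIG = {
    "mgmt_firewall_addresses": ["10.1.1.0/24", "2001:db8::/64"],
    "descriptions": {"addr-list-web": "web tier\tservers", "rule-list-dns": "DNS rules"},
    "virtual_server_sources": {"vs-app1": "192.0.2.10", "vs-app2": "192.0.2.0/24"},
    "storage_formats": {"lp-syslog": 'src="${src_ip}" dst=\\"${dest_ip}\\"'},
}


def parse_address(text):
    """Split 'host[%rd][/len]' into (ip_address, route_domain, prefix_len)."""
    match = ADDRESS_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognized address: {text!r}")
    host, rd, length = match.groups()
    return (ipaddress.ip_address(host),
            int(rd) if rd is not None else None,
            int(length) if length is not None else None)


def mixes_ip_families(addresses):
    """424206: a management IP firewall may hold IPv4 or IPv6 entries, not both."""
    return len({parse_address(a)[0].version for a in addresses}) > 1


def control_characters(text):
    """467095: control characters (tab, newline, ...) pasted into a description."""
    return sorted({c for c in text if ord(c) < 0x20 or ord(c) == 0x7F})


def lacks_prefix_length(source):
    """491480: a virtual server source address needs an explicit prefix length."""
    return parse_address(source)[2] is None


def escape_bare_quotes(text):
    """497516: precede every unescaped double quote with a backslash."""
    return BARE_QUOTE_RE.sub(r'\\"', text)


def lint(config):
    """Return (issue_id, object_name, detail) tuples for a working configuration."""
    findings = []
    if mixes_ip_families(config.get("mgmt_firewall_addresses", [])):
        findings.append(("424206", "management-ip", "IPv4 and IPv6 addresses mixed"))
    for name, text in sorted(config.get("descriptions", {}).items()):
        found = control_characters(text)
        if found:
            findings.append(("467095", name, f"control characters {found!r}"))
    for name, source in sorted(config.get("virtual_server_sources", {}).items()):
        if lacks_prefix_length(source):
            findings.append(("491480", name, f"{source} has no prefix length"))
    for name, text in sorted(config.get("storage_formats", {}).items()):
        count = len(BARE_QUOTE_RE.findall(text))
        if count:
            findings.append(("497516", name, f"{count} unescaped double quote(s)"))
    return findings


if __name__ == "__main__":
    for issue_id, name, detail in lint(SAMPLE_CONFIG):
        print(f"{issue_id}  {name}: {detail}")
```
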
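A triage pass over restjavad log lines using the message fragments quoted in the table above (496091, 498790, 499273 and the benign 496899), as an added example that is not F5 tooling. The sample log is constructed, and ExampleWorker and the /example paths are placeholders, so the line layout is an assumption modelled on the WARNING line shown for 498790.

```python
import re
from datetime import datetime

# Message fragments quoted in the known-issues table, keyed by issue ID.
# The third field marks messages the release notes describe as benign.
SIGNATURES = [
    ("496091", re.compile(r"Illegal state, startTime is before oldStartTime"), False),
    ("498790", re.compile(r"package-deployments/.*TimeoutException"), False),
    ("499273", re.compile(r"OutOfMemory"), False),
    ("496899", re.compile(r"PipelineManagerTaskWorker\]\[failed\] "
                          r"failed to register for worker notifications"), True),
]
JAVA_DATE = r"\w{3} \w{3} +\d{1,2} [\d:]{8} GMT \d{4}"
START_RE = re.compile(rf"startTime=({JAVA_DATE}); oldStartTime=({JAVA_DATE})")

# Constructed sample log; only the quoted message fragments come from the page.
SAMPLE_LOG = """\
[INFO][10 Dec 2014 22:25:40 UTC][8100/example ExampleWorker][run] device reachable
[SEVERE][10 Dec 2014 22:25:41 UTC][8100/example ExampleWorker][run] Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014.
[SEVERE][10 Dec 2014 22:26:02 UTC][8100/example PipelineManagerTaskWorker][failed] failed to register for worker notifications.
[WARNING][24 Dec 2014 00:47:49 UTC][8100/shared/diagnostics RestServerDiagnosticsWorker][logAndFailDrainedOperation] Referrer:http://localhost:8100/shared/package-deployments/e8ec026f-5f79-4e12-b8f1-e8f3703c7af6/worker, Method:GET, Exception:java.util.concurrent.TimeoutException: remoteSender:10.10.20.86, method:GET.
[SEVERE][24 Dec 2014 01:02:10 UTC][8100/example ExampleWorker][run] java.lang.OutOfMemoryError: Java heap space
[SEVERE][24 Dec 2014 01:05:00 UTC][8100/example ExampleWorker][run] unexpected failure
"""


def clock_step_seconds(line):
    """For issue 496091: how far oldStartTime is ahead of startTime, in seconds."""
    match = START_RE.search(line)
    if not match:
        return None
    start, old = (datetime.strptime(value, "%a %b %d %H:%M:%S GMT %Y")
                  for value in match.groups())
    return int((old - start).total_seconds())


def classify(line):
    """Return (issue_id, benign) for the first matching signature, else None."""
    for issue_id, pattern, benign in SIGNATURES:
        if pattern.search(line):
            return issue_id, benign
    return None


def triage(lines):
    """Sort log lines into actionable, benign and unexplained SEVERE entries."""
    report = {"actionable": [], "benign": [], "unexplained_severe": []}
    for number, line in enumerate(lines, start=1):
        hit = classify(line)
        if hit is None:
            # A SEVERE line with no known signature still needs a human look.
            if line.startswith("[SEVERE]"):
                report["unexplained_severe"].append(number)
            continue
        issue_id, benign = hit
        report["benign" if benign else "actionable"].append((number, issue_id))
    return report


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, entries in triage(lines).items():
        print(key, entries)
    print("clock step (s):", clock_step_seconds(lines[1]))
```

Filtering out the known-benign SEVERE message while still listing unmatched SEVERE lines keeps the 496899 noise from hiding entries that have no documented explanation.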
For additional information, please visit http://www.f5.com.